good afternoon, I use a simple configuration between two Mikrotiks with public ipv4, and I just want to use ipsec between them
Mikrotik A
/ip ipsec peer
add name=peer1 passive=yes
/ip ipsec identity
add generate-policy=port-strict peer=peer1 remote-id=ignore secret=12345
Mikrotik B
/ip ipsec peer
add address=11.12.13.14/32 name=peer1
/ip ipsec identity
add peer=peer1 remote-id=ignore secret=12345
after that I see the installed SAs,
what policies and firewall do i need to add next?
For the firewall it’s easy - you add two rules allowing input from UDP 500 and 4500 and IPsec ESP on the IPsec server. For the policies it depends what subnets you want to route through the tunnel
doesn’t work 
, just want to use ipsec for all trafic between two mikrotik
introduction, there are two devices on the Internet with public IPv4, no NAT and masquerading, no local subnets,
both contain the same, minimal firewall
/ip firewall filter
add chain=input in-interface=ether1 src-address=200.12.10.40(or 195.33.45.11 on second) action=accept
add chain=input action=drop
STEP 1
Mikrotik A, public IP 195.33.45.11, responder
/ip ipsec peer
add exchange-mode=ike2 name=peer1 passive=yes
/ip ipsec identity
add peer=peer1 secret=12345
Mikrotik B, public IP 200.12.10.40, initiator
/ip ipsec peer
add address=195.33.45.11/32 exchange-mode=ike2 name=peer1
/ip ipsec identity
add peer=peer1 secret=12345
now i have negotiate phase 1 success
[admin@MikroTik] > /ip ipsec active-peers print
Flags: R - RESPONDER
Columns: ID, STATE, UPTIME, REMOTE-ADDRESS
0 R 200.12.10.40 established 6m38s 200.12.10.40
STEP 2
I understand that now I need to create a policy to install phase 2?
add to Mikrotik A
/ip ipsec policy
add dst-address=200.12.10.40 /32 peer=peer1 src-address=195.33.45.11/32
and add some Mikrotik B
/ip ipsec policy
add dst-address=195.33.45.11/32 peer=peer1 src-address=200.12.10.40 /32
after that in the terminal of each Mikrotik I see that phase 2 is successfully established, but there is no connection between Mikrotiks
A masquerade is always needed to access the internet:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN ipsec-policy=out,none
And no local subnets sounds impossible since you need at least one for the VPN
This firewall is a bit too minimal for my taste - it could lead to unexpected guests in your network. Better use the default firewall + the rule from my previous post on the server.
Lastly, if you want to pass all traffic to the IPsec tunnel, you need to add following policies on both sites and remove others:
/ip ipsec policy
add action=none src-address="LAN_subnet" dst-address="LAN_subnet"
add action=none src-address="VPN_subnet" dst-address="VPN_subnet"
add action=unique proposal="IPsec_proposal" src-address=0.0.0.0/0 dst-address=0.0.0.0/0
It is very important to note that the order, in which I have written them, should be kept as to not lock yourself out of the router. Also, if there are multiple LAN subnets, they should be listed with action=none in the beginning, before the 0.0.0.0/0 policy
thanks for your answer, but the problem is that most of the examples on the Internet, including your answer, are examples for connecting networks, left and right subnet configuration,
in my case, as I already wrote, there are no subnets or vpn networks, this is a simple host to host configuration with transport mode, ex. https://www.strongswan.org/testing/testresults/ikev2/host2host-cert/
I tried to do all the steps described above on a my local network on two CHR and it worked, but I can’t do the same with two hosts on the Internet, maybe I’m facing some kind of limitation from one of the providers
I’ll try again this weekend, maybe I don’t understand something or I’m missing something
Yes, everything is exactly as I wrote above. one of the providers blocked traffic, moved Mikrotik to another provider and everything worked, there is a connection between the Mikrotiks.
There is one more small question left: if I connect a client 192.168.88.2 to one of the Mikrotiks, how can it access the other Mikrotik?