Hello guys, I have set up 2 MikroTik routers in 2 buildings of my work. Both MikroTiks have optical internet with a static address. I would like to set up a simple VPN which will make those two locations behave as if they are in one LAN. Can you help me with where to start? Thanks in advance.
Have a look at the video on this page.
THANKS!!
I have done it, it's working: ping, HTTP access, everything except Windows shares, and I can't see Windows computers through the VPN from site 1 to site 2. What's up with that?
Did you set the correct srcnat input rules on your routers?
Make sure the Windoze machines have the correct gateway configured and the gateway is aware of the tunnel.
Src nat is set up correctly, I think. I will paste it here. On site 1 the IP range is 192.168.0.0/24, and on site 2 it is 192.168.2.0/24; src-nat rule on site 1:
0 chain=srcnat action=accept src-address=192.168.0.0/24
dst-address=192.168.2.0/24
Site 2
0 chain=srcnat action=accept src-address=192.168.2.0/24
dst-address=192.168.0.0/24
I think that's all alright, because I can see my PBX central fine, all IP cameras, literally everything else, except Windows shares and Windows PCs in Windows Explorer.
What about the gateway? How should I set it? PCs currently get IP, gateway and DNS from the MikroTik (the MikroTik has the DHCP server enabled).
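The two accept rules quoted above only do their job if they sit above the masquerade rule, which is the usual reason "everything else works but some flows don't" on a policy-based IPsec setup. The following is an added example (editor's illustration, not the poster's or MikroTik's own configuration) of how the site 1 router's NAT and IPsec policy are typically laid out in RouterOS 6.x, with the checks that show whether traffic really enters the tunnel. The WAN interface name ether1 and the public addresses 203.0.113.1 (site 1) and 198.51.100.1 (site 2) are placeholders; the LAN ranges are the ones from the thread.

```routeros
# Site 1 router. Added example; interface name and public addresses are
# placeholders, LAN ranges are the ones from the thread.
/ip firewall nat
# NAT rules are matched top-down. The accept rule for LAN-to-LAN traffic
# must come BEFORE masquerade; otherwise the packets leave with the public
# address as source, no longer match the IPsec policy selector below and
# are sent to the internet in the clear instead of into the tunnel.
add chain=srcnat action=accept src-address=192.168.0.0/24 \
    dst-address=192.168.2.0/24 comment="no NAT for site-to-site IPsec"
add chain=srcnat action=masquerade out-interface=ether1 \
    comment="internet access for LAN"
# If the masquerade rule already existed, move the accept rule to the top:
/ip firewall nat move [find comment="no NAT for site-to-site IPsec"] destination=0

# IPsec policy selecting exactly the traffic exempted from NAT above.
/ip ipsec policy
add src-address=192.168.0.0/24 dst-address=192.168.2.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt proposal=default

# Checks:
/ip firewall nat print            # accept rule must be listed at position 0
/ip ipsec policy print            # policy should be flagged active
/ip ipsec installed-sa print      # empty list = phase 1/2 never completed
# The accept rule's packet counter should grow for site-to-site traffic;
# if the masquerade counter grows instead, the rule order is wrong.
/ip firewall nat print stats
```

Site 2 gets the mirror image (source and destination ranges and SA addresses swapped). One policy-based tunnel caveat worth checking while you are there: any rule that rewrites the source address before the policy is consulted (a second masquerade, a src-nat to a specific address) has the same effect as a misordered masquerade.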
Umm...
Now this seems strange.
I'll check our situation and see if I can find anything that might be helpful for you.
About the gateway: I wasn't aware your MikroTik devices literally ARE your gateways - I somehow presumed a similar setup to what we have, where the IPsec gateways are merely normal members of the network and the default gateways redirect the traffic to these…
Cheers
-Chris
Thanks for your answers. Yes, my MikroTiks are my gateways on both site 1 and site 2. I think this is some Windows issue, or not, idk... I really need to get this solved.
Update: I can map drives, but still can't see the Microsoft neighbourhood...
Ah…
Now we're talking
AFAIR MS's somehow awkward "Network Neighborhood Discovery" is initiated by NetBIOS broadcast.
I would be more than surprised if that traffic was passing IPsec tunnels.
So I'd say "this is by design".
So it's an issue in Microsoft's NetBIOS thing, not in my MikroTik IPsec tunneling? I can't do anything about that, right? And is there a way to keep the IPsec connection constantly online, so that, for example, if nobody uses the tunnel for some time and then I try to ping something through the VPN, I don't get 1-2 timeouts and then a response?
The easier topic first: Keeping your tunnels alive:
I'd say this is a typical application for netwatch.
Yes, it's a Microsoft thing (and frankly, I'm glad it is like that - we're connected to sixteen affiliate offices throughout the world. I'd go mad if I saw all their Windows stations here in Switzerland…)
The only thing I could think of is an EoIP tunnel between both locations, which logically moves all stations into the same L2 domain.
But I doubt that the administrative effort would justify this tiny bit of extra convenience. Beware that there will be no (easy) way to determine which station is located in which office… Just think of your file servers hosting the users' roaming profiles… almost all traffic would go through tunnels… Not too nice.
I guess the most frequently used feature is file sharing, right? And maybe there's a SQL server in office A which needs to be accessed from office B.
In this case I'd rather suggest MS DFS-R and DFS-N to create a multi-location domain with local replication of commonly used shares under the umbrella of an enterprise-wide namespace (meaning that \\yourdomain.lcl automagically points to the server closest to the client)…
This can be perfectly incorporated with OSPF and BGP (as we do with the aforementioned affiliate offices).
Hope that helps a little.
-Chris
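For readers who do want the L2 extension Chris describes (and accept its downsides), here is an added example of the EoIP-over-IPsec layout on the site 1 router. It is an editor's illustration, not configuration from the thread or from MikroTik; the public addresses 203.0.113.1 (site 1) and 198.51.100.1 (site 2), the tunnel ID and the bridge name bridge-LAN are placeholders, and site 2 gets the same block with the addresses swapped.

```routeros
# Site 1 router. Added example; addresses, tunnel-id and bridge name are
# placeholders.
/interface eoip
add name=eoip-to-site2 local-address=203.0.113.1 remote-address=198.51.100.1 \
    tunnel-id=10 comment="L2 extension to site 2"

# Bridging the EoIP interface into the LAN bridge puts both offices in one
# broadcast domain, so NetBIOS/browser broadcasts (and ARP, DHCP, mDNS ...)
# now cross the link. Both sites must then share ONE subnet, and only one
# DHCP server may be active; the two separate /24s from the thread would
# have to be merged first.
/interface bridge port
add bridge=bridge-LAN interface=eoip-to-site2

# EoIP is plain GRE (IP protocol 47) with no confidentiality or integrity,
# so protect it with a transport-mode IPsec policy between the two public
# addresses. Without this policy every LAN frame crosses the internet in
# the clear.
/ip ipsec policy
add src-address=203.0.113.1/32 dst-address=198.51.100.1/32 protocol=gre \
    action=encrypt tunnel=no proposal=default \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1

# Checks: the tunnel interface should be listed and running, and security
# associations should appear once GRE traffic between the peers starts.
/interface eoip print
/ip ipsec installed-sa print
```

Because the policy matches on protocol=gre between the two public addresses, it covers only the EoIP tunnel; the LAN-to-LAN policy from the routed setup is no longer needed once the sites share a subnet.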
First of all, thanks a lot for all your time and help! I will set up that netwatch later today; I think there will be no problems. Now, for the Windows network, I actually need to mount some mount points from the file server on site 1 to site 2, which I will do with no problems. Neighbourhood is not so important to me, I was just curious why it's not working. Thanks again for all the tips and I wish you guys all the best!
See you around, cheers.
-Aleksandar
UPDATE! :
Can you help me with just one more thing? I need help with netwatch. I made a script that will ping my site 1 MikroTik from site 2 so the connection stays awake all the time. The script is:
/ping 192.168.0.1 interface=bridge-LAN count=10
And in netwatch I made:
host=192.168.0.1 timeout=999ms interval=20s since=apr/17/2014 20:31:35
status=down up-script="" down-script=ping
As I understood it, it should execute my script called ping every 20 seconds, but it doesn't. It only executes it if I manually disable and enable the netwatch rule. Can you help me with this?
I think you misunderstood netwatch
Your netwatch config already pings the host every 20 seconds.
And in case the host is unreachable it'll execute your script.
By using this netwatch config your tunnel will already stay alive.
The up and down scripts define actions to be taken when the monitored host changes its state to down or up.
So it perfectly does what it is configured for.
You should probably configure notifications in these scripts.
Hope this clarifies it a bit.
Happy easter!
-Chris
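Putting Chris's explanation into a concrete netwatch entry, as an added example (editor's illustration, not configuration from the thread or from MikroTik): the periodic ping is the keepalive, and the up/down scripts only fire on a state change, so that is where the logging belongs. One assumption is spelled out because it silently breaks keepalives on policy-based IPsec: traffic the router generates itself (netwatch pings included) is sourced from the address of the outgoing interface, which is the WAN address and does not fall inside the 192.168.2.0/24 -> 192.168.0.0/24 policy selector, so the ping never enters the tunnel. The original poster's script worked around that with interface=bridge-LAN on a manual /ping; for netwatch a route with pref-src does the same job. The site 2 LAN address 192.168.2.1 and default gateway 198.51.100.254 are placeholders.

```routeros
# Site 2 router, monitoring the site 1 LAN gateway 192.168.0.1 as in the
# thread. Added example; 192.168.2.1 (site 2 LAN address) and
# 198.51.100.254 (site 2 default gateway) are placeholders.

# Make router-originated traffic to the remote LAN use the local LAN
# address as source, so it matches the IPsec policy and is encrypted.
/ip route
add dst-address=192.168.0.0/24 gateway=198.51.100.254 pref-src=192.168.2.1 \
    comment="source router-generated traffic to site 1 from the LAN address"

# netwatch pings the host every interval on its own; up-script and
# down-script run only on a state transition, so use them for alerting
# rather than for another ping.
/tool netwatch
add host=192.168.0.1 interval=20s timeout=999ms \
    up-script=":log info \"site-1 tunnel up: 192.168.0.1 reachable again\"" \
    down-script=":log warning \"site-1 tunnel DOWN: 192.168.0.1 unreachable\"" \
    comment="keepalive and state-change alerts for the site-to-site IPsec"

# Manual checks. The first ping forces the LAN source address and works
# even without the route above; the log filter shows the script messages.
/ping 192.168.0.1 src-address=192.168.2.1 count=5
/tool netwatch print
/log print where topics~"script"
```

A down-script that re-runs a ping, as in the original post, would only run once per outage and would not help with the first-packet timeouts; the interval-driven ping of the netwatch entry itself is what keeps the security associations from idling out.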