Configure IPSec VPN between DigitalOcean and AWS using Mikrotik Cloud Hosted Router

Disclaimer: Instructions are accurate as of 06/11/2024. Mikrotik is not a product or partner of DigitalOcean. Users are responsible for verifying if all settings are correct.

Introduction

Establishing a secure and reliable communication channel between cloud environments is crucial for businesses in today’s interconnected digital landscape. This tutorial will guide you through the process of configuring an IPSec VPN between DigitalOcean (DO) and Amazon Web Services (AWS) using Mikrotik’s Cloud Hosted Router (CHR). These steps are designed to enable seamless and secure data transfer between your cloud infrastructures.

Prerequisites

Before you dive into the configuration steps, ensure you have the following prerequisites:

Step 1 - Configure Mikrotik CHR as a NAT Gateway

Begin by following the tutorial Configure Mikrotik CHR as a NAT Gateway to set up the CHR.

This foundational setup is critical as it lays the groundwork for establishing the Site-to-Site VPN connection.

Step 2 - Create a Customer Gateway in AWS

Log in to your AWS Management Console and navigate to VPC -> Customer gateways -> Create customer gateway.

AWS charges for Customer Gateways as long as they exist, whether used or not. For values not mentioned, leave them under their default option. Configure the following:

  • Name tag: Example: “DO-Mikrotik-GW”
  • BGP ASN: Example: 65000
  • IP address: Your Droplet acting as the NAT address

Step 3 - Create a Virtual Private Gateway in AWS

You can create a Virtual Private Gateway by navigating to VPC -> Virtual private gateways -> Create virtual private gateway.

For values not mentioned, leave them under their default option. Configure the following:

  • Name tag: “DO-Mikrotik-Virtual-Private-Gateway”
  • Autonomous System Number (ASN): Select “Amazon default ASN”

Step 4 - Create a Site-to-Site VPN Connection

Create a Site-to-Site VPN by navigating to VPC -> VPN connections -> Create VPN connection.

Configure the following:

  • Name tag: “DO-Mikrotik-GW”
  • Target gateway type: Select “Virtual private gateway”
  • Virtual private gateway: Select the previously created Virtual Private Gateway
  • Customer gateway: Select “Existing”
  • Customer gateway ID: Select the previously created Customer Gateway
  • Routing options: Select “Dynamic (requires BGP)”
  • Local IPv4 network CIDR: Your DigitalOcean VPC subnet (e.g., 192.168.80.0/24)
  • Remote IPv4 network CIDR: Your AWS VPC subnet (e.g., 192.168.81.0/24)

Step 5 - Download AWS VPN Configuration

While the Site-to-Site VPN leaves its pending state and becomes available, you can download the configuration details you will need from AWS to configure the tunnel from the DigitalOcean side. Once the VPN connection is in the pending state, click the “Download Configuration” button. Use the following options:

  • Select vendor: Mikrotik
  • Select Platform: Router OS
  • Select Software: Latest available version
  • IKE version: ikev1

Note: The above steps are the minimum required to retrieve the AWS configuration needed to initiate the tunnel connection. Additional AWS configuration changes, such as Routing Table, Network ACL, and Security Group changes, might still be required to allow traffic to transit via the tunnel. These are out of the scope of this guide; please consult your AWS administrator for the details required on your AWS deployment.

Step 6 - Configure the tunnel on the Mikrotik CHR

Log in to your previously configured Mikrotik CHR. There are multiple ways to log in (SSH, Web UI, Winbox [Desktop App]). AWS suggests using the Desktop App, but for this tutorial, you will use SSH to configure the IPsec tunnel.

Once logged in, you will copy values from the AWS guide and input them via the SSH console. You will need to repeat these steps for both tunnels:

a. Configure IPsec Proposal on Mikrotik CHR: Use the AWS configuration values to set up the IPsec proposal. Example:

Go to IP Tab --> IPsec --> Proposals

      a. Click on "+" button
      b. Name: ipsec-vpn-3rswpavcor47abarsn-0
      c. Auth. Algorithms: sha1
      d. Encr. Algorithms: aes-128-cbc
      e. Lifetime: 01:00:00
      f. PFS Group: modp1024
      g. Select Apply and Ok

You can configure the same by using the following command line on the Mikrotik; replace the <> values with the values indicated by the AWS configuration guide:

/ip ipsec proposal 
add auth-algorithms=<Auth. Algorithms> enc-algorithms=<Encr. Algorithms> lifetime=<Lifetime> pfs-group=<PFS Group> name="<AWS Proposed Name>"

An example would look something like this:

/ip/ipsec/proposal 
add auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1h pfs-group=modp1024 name="ipsec-vpn-3rswpavcor47abarsn-0"

b. Set Up IPsec Profile on Mikrotik CHR: You will skip the policy creation for now to prevent losing access to the firewall and configure the IPsec Profile instead. Again, the AWS example looks similar to this:

Go to IP Tab --> IPsec --> Profile

      a. Click on "+" button
      b. Profile name: profile-vpn-3rswpavcor47abarsn-0
      c. Hash Algorithm: sha1
      d. Encryption Algorithm: aes-128
      e. DH Group: modp1024
      f. Lifetime: 08:00:00
      g. DPD Interval: 10
      h. DPD Maximum Failures: 3
      i. Select Apply and Ok

You can configure the same by using the following command line on the Mikrotik; replace the <> values with the values indicated by the AWS configuration guide:

/ip ipsec profile 
add name="<Profile name>" hash-algorithm=<Hash Algorithm> enc-algorithm=<Encryption Algorithm> dh-group=<DH Group> lifetime=<Lifetime> dpd-interval=<DPD Interval> dpd-maximum-failures=<DPD Maximum Failures>

c. Create 1st IPsec tunnel Peer on Mikrotik CHR: Create the first peer, referencing the profile from the previous step. Again, the AWS example looks similar to this:

Go to IP Tab --> IPsec --> Peer

      a. Address: yyy.yyy.xxx.zzz
      b. Local Address: yyy.yyy.xxx.zzz
      c. Profile: profile-vpn-3rswpavcor47abarsn-0
      d. Exchange Mode: Main
      e. Select Apply and Ok

You can configure the same by using the following command line on the Mikrotik; replace the <> values with the values indicated by the AWS configuration guide:

/ip ipsec peer 
add name="aws-ipsec-vpn-1" address=<Address>/32 local-address=<Local Address> exchange-mode=main send-initial-contact=yes profile="<Profile>"

d. Set Up IPsec Identity on Mikrotik CHR: Set up the IPsec identity with pre-shared key:

Go to IP Tab --> IPsec --> Identities

      a. Auth Method: Pre-Shared key
      b. Secret: xxxxxxxxxxxxxxxxxxxxxxx
      c. Select Apply and Ok

Configure the same using the following command line on the Mikrotik; replace the <> values with the values indicated by the AWS configuration guide:

/ip ipsec identity 
add peer="aws-ipsec-vpn-1" auth-method=pre-shared-key secret="<Secret>"

e. Assign IP Address to WAN Interface: The configuration file you downloaded from AWS provides the IP you must use for the P2P tunnel. Assign it to the WAN interface on the Mikrotik CHR; the AWS example looks similar to this:

Go to IP Tab --> Addresses

      a. Click on "+" button
      b. Address: 169.254.13.170/30
      c. Interface: Select the WAN/Outside interface
      d. Select Apply and Ok

You can configure it using the following command line on the Mikrotik:

/ip address 
add address=<Address/Subnet> interface=wan

f. Configure IPsec Policy on Mikrotik CHR: Create IPsec policies for the P2P tunnel and the subnet tunnel.

You will not use 0.0.0.0/0 as AWS suggests. Instead, you will create two policies: one for the P2P tunnel addresses and one for the subnet you want to tunnel. The AWS example looks similar to this:

Go to IP Tab --> IPsec --> Policies

1) Click on "+" button and select the General Tab
      a. Src. Address: 0.0.0.0/0
      b. Dst. Address: 0.0.0.0/0

2) Click on Action Tab
      a. Select Tunnel
      b. SA Src. Address: yyy.yyy.xxx.zzz
      c. SA Dst. Address: yyy.yyy.xxx.zzz
      d. Proposal: ipsec-vpn-3rswpavcor47abarsn-0
      e. Select Apply and Ok

Customer gateway inside IP Address: yyy.yyy.xxx.zzz
Virtual Private gateway inside Address: yyy.yyy.xxx.zzz

You can configure the same by using the following command line on the Mikrotik.

Note: The destination address must be the Virtual Private gateway inside Address minus 1 in the last octet. For example, for an IP address ending in 169, the address used in the policy will end in 168.

/ip ipsec policy
add dst-address=<Virtual Private gateway inside Address - 1 >/30 peer="<Peer Name created on previous step>" proposal="<Proposal>" src-address=<Customer gateway inside IP Address>/32 tunnel=yes

Now, create the tunnel for the subnets you will be sharing between both providers:

/ip/ipsec/policy
add dst-address=<AWS VPC Net/subnet> peer="<Peer Name created on previous step>" proposal="<Proposal>" src-address=<DigitalOcean VPC Net/subnet> tunnel=yes

g. Open Firewall Rules on Mikrotik CHR: You must open the necessary firewall rules to allow AWS to connect via the IPsec protocol. By adding place-before=1, you insert each rule above the first rule you created in the NAT Gateway guide.

/ip firewall filter
add chain=input action=accept protocol=ipsec-esp src-address=<SA Dst. Address> dst-address=<Droplet Public IP> in-interface=wan place-before=1

add chain=input action=accept protocol=udp src-address=<SA Dst. Address> dst-address=<Droplet Public IP> in-interface=wan src-port=500 dst-port=500 place-before=1

add chain=input action=accept protocol=tcp src-address=<Virtual Private Gateway IP> dst-address=<Customer Gateway IP> dst-port=179 place-before=1

h. Configure BGP for Route Sharing: Configure the Border Gateway Protocol (BGP) for route sharing between AWS and DO:

Go to Routing Tab --> BGP --> Instances

      a. Apply the correct local AS
      b. Select Apply

Go to Routing Tab --> BGP --> Peer

      a. Click on "+" button and select the General Tab
      b. Name: BGP-vpn-3rswpavcor47abarsn-0
      c. Remote Address: yyy.yyy.xxx.zzz
      d. Remote AS: 64512
      e. Hold Time: 30
      f. Keepalive Time: 10
      g. Select Apply and Ok

First, create an address list containing the local network you want to advertise to AWS:

/ip firewall address-list
add address=<Digital Ocean VPC Net/Subnet> list=vpc

Configure the same by using the following command line on the Mikrotik, using the values from the AWS BGP configuration section. The Mikrotik AS should match the one specified in the AWS portal at the time of Customer Gateway creation (65000 by default):

/routing bgp connection
add as=<65000> disabled=no hold-time=<Hold Time> keepalive-time=<Keepalive Time> local.role=ebgp name="<Name>" output.network=vpc remote.address=<Remote Address> .as=<Remote AS> routing-table=main

i. Add Firewall NAT Rule: Ensure traffic through the tunnel is not NATed to the WAN address by adding a NAT rule that accepts it before the masquerade rule:

/ip firewall nat
add action=accept chain=srcnat dst-address=<AWS Subnet> log=yes src-address=<VPC Subnet> place-before=0
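To tie steps a through i together, here is an added Python example (it is not from the original tutorial, nor from Mikrotik or AWS) that takes the values of one tunnel from the AWS configuration file, checks that the two inside addresses share one 169.254.x.x/30, converts the HH:MM:SS lifetimes to RouterOS durations, computes the /30 policy destination that the note above describes as "inside address minus 1", and then renders the RouterOS commands in the order this step applies them. Every value in AWS_TUNNEL is a constructed placeholder (public IPs use documentation ranges), and the ipsec-/profile-/peer-/bgp- naming built from the AWS tunnel id is an assumption of this example. Review the rendered lines before pasting them into the SSH console.

```python
import ipaddress

# Constructed sample values in the shape of the AWS "Download Configuration" file for ONE
# tunnel. Public IPs are RFC 5737 documentation addresses; the pre-shared key is a placeholder.
AWS_TUNNEL = {
    "tunnel_id": "vpn-3rswpavcor47abarsn-0",   # suffix AWS uses in proposal/profile names
    "vpg_outside_ip": "203.0.113.10",           # AWS tunnel endpoint (SA Dst. Address)
    "cgw_outside_ip": "198.51.100.20",          # Droplet public IP (SA Src. Address)
    "cgw_inside_ip": "169.254.13.170/30",       # Customer gateway inside IP address
    "vpg_inside_ip": "169.254.13.169/30",       # Virtual private gateway inside address
    "psk": "PLACEHOLDER-PRE-SHARED-KEY",
    "phase1_lifetime": "08:00:00",              # IKE (profile) lifetime as AWS prints it
    "phase2_lifetime": "01:00:00",              # IPsec (proposal) lifetime as AWS prints it
    "local_as": 65000,
    "remote_as": 64512,
    "hold_time": 30,
    "keepalive_time": 10,
    "do_vpc": "192.168.80.0/24",
    "aws_vpc": "192.168.81.0/24",
}


def hms_to_routeros(hms: str) -> str:
    """Convert the AWS HH:MM:SS lifetime to a RouterOS duration, e.g. 01:00:00 -> 1h."""
    h, m, s = (int(part) for part in hms.split(":"))
    return "".join(f"{n}{unit}" for n, unit in ((h, "h"), (m, "m"), (s, "s")) if n) or "0s"


def p2p_policy_dst(vpg_inside: str) -> str:
    """Network of the /30 that holds the VPG inside address. This is the guide's
    'inside address minus 1' rule (169.254.13.169 -> 169.254.13.168/30), derived
    from the prefix length instead of by hand."""
    return str(ipaddress.ip_interface(vpg_inside).network)


def render_tunnel(t: dict) -> list:
    """Render the RouterOS commands for one AWS tunnel in the order the guide applies them."""
    cgw = ipaddress.ip_interface(t["cgw_inside_ip"])
    vpg = ipaddress.ip_interface(t["vpg_inside_ip"])
    # Both inside addresses must sit in the same link-local /30, or the P2P policy never matches.
    if cgw.network != vpg.network or cgw.network.prefixlen != 30 or not cgw.ip.is_link_local:
        raise ValueError("inside addresses must share one 169.254.x.x/30 from the AWS config")
    for key in ("do_vpc", "aws_vpc"):
        ipaddress.ip_network(t[key])            # raises if the CIDR is malformed or has host bits
    tid = t["tunnel_id"]
    proposal, profile, peer = f"ipsec-{tid}", f"profile-{tid}", f"peer-{tid}"
    return [
        f'/ip ipsec proposal add name="{proposal}" auth-algorithms=sha1 enc-algorithms=aes-128-cbc '
        f'lifetime={hms_to_routeros(t["phase2_lifetime"])} pfs-group=modp1024',
        f'/ip ipsec profile add name="{profile}" hash-algorithm=sha1 enc-algorithm=aes-128 '
        f'dh-group=modp1024 lifetime={hms_to_routeros(t["phase1_lifetime"])} '
        f'dpd-interval=10 dpd-maximum-failures=3',
        f'/ip ipsec peer add name="{peer}" address={t["vpg_outside_ip"]}/32 '
        f'local-address={t["cgw_outside_ip"]} exchange-mode=main send-initial-contact=yes '
        f'profile="{profile}"',
        f'/ip ipsec identity add peer="{peer}" auth-method=pre-shared-key secret="{t["psk"]}"',
        f'/ip address add address={cgw} interface=wan',
        f'/ip ipsec policy add src-address={cgw.ip}/32 dst-address={p2p_policy_dst(t["vpg_inside_ip"])} '
        f'peer="{peer}" proposal="{proposal}" tunnel=yes',
        f'/ip ipsec policy add src-address={t["do_vpc"]} dst-address={t["aws_vpc"]} '
        f'peer="{peer}" proposal="{proposal}" tunnel=yes',
        f'/ip firewall filter add chain=input action=accept protocol=ipsec-esp '
        f'src-address={t["vpg_outside_ip"]} dst-address={t["cgw_outside_ip"]} in-interface=wan place-before=1',
        f'/ip firewall filter add chain=input action=accept protocol=udp '
        f'src-address={t["vpg_outside_ip"]} dst-address={t["cgw_outside_ip"]} in-interface=wan '
        f'src-port=500 dst-port=500 place-before=1',
        f'/ip firewall filter add chain=input action=accept protocol=tcp src-address={vpg.ip} '
        f'dst-address={cgw.ip} dst-port=179 place-before=1',
        f'/ip firewall address-list add address={t["do_vpc"]} list=vpc',
        f'/routing bgp connection add as={t["local_as"]} disabled=no hold-time={t["hold_time"]} '
        f'keepalive-time={t["keepalive_time"]} local.role=ebgp name="bgp-{tid}" output.network=vpc '
        f'remote.address={vpg.ip} remote.as={t["remote_as"]} routing-table=main',
        f'/ip firewall nat add chain=srcnat action=accept src-address={t["do_vpc"]} '
        f'dst-address={t["aws_vpc"]} log=yes place-before=0',
    ]


if __name__ == "__main__":
    print("\n".join(render_tunnel(AWS_TUNNEL)))
```

Run it twice with the second tunnel's values from the AWS file to get the redundant tunnel's commands. The /30 check is the one that catches most hand-typing mistakes: if the two inside addresses land in different /30s, phase 1 still comes up but the P2P policy never carries BGP, and the tunnel looks "up" in AWS while no routes are exchanged.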

Step 7 - Verify Tunnel State

Check the tunnel state from both AWS and Mikrotik to ensure it is up and running:

/ip ipsec policy
print detail

Output:

Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
 0 T X* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1    peer=peer-vpn-3rswpavcor47abarsn-0 tunnel=yes src-address=169.254.13.170/32 src-port=any dst-address=169.254.13.168/30 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=yyy.yyy.xxx.zzz sa-dst-address=yyy.yyy.xxx.zzz proposal=ipsec-vpn-3rswpavcor47abarsn-0 ph2-count=0 ph2-state=no-phase2
 2 A  peer=peer-vpn-3rswpavcor47abarsn-0 tunnel=yes src-address=192.168.80.0/24 src-port=any dst-address=192.168.81.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=yyy.yyy.xxx.zzz sa-dst-address=yyy.yyy.xxx.zzz proposal=ipsec-vpn-3rswpavcor47abarsn-0 ph2-count=2 ph2-state=established
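Reading that output by eye is error-prone once both AWS tunnels are configured, so here is an added Python example (not part of the original tutorial) that parses the text of /ip ipsec policy print detail and reports, per non-template policy, whether it is active with ph2-state=established. SAMPLE_OUTPUT is constructed to mirror the output above; the peer and proposal names follow the page's example and are not real tunnel identifiers.

```python
import re

# Constructed sample of "/ip ipsec policy print detail" output: one template entry, one P2P
# policy with no phase 2 yet, and one subnet policy whose SAs are established.
SAMPLE_OUTPUT = """\
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
 0 T X* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1    peer=peer-vpn-3rswpavcor47abarsn-0 tunnel=yes src-address=169.254.13.170/32 src-port=any dst-address=169.254.13.168/30 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp proposal=ipsec-vpn-3rswpavcor47abarsn-0 ph2-count=0 ph2-state=no-phase2
 2 A  peer=peer-vpn-3rswpavcor47abarsn-0 tunnel=yes src-address=192.168.80.0/24 src-port=any dst-address=192.168.81.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp proposal=ipsec-vpn-3rswpavcor47abarsn-0 ph2-count=2 ph2-state=established
"""

# An entry line is: index, optional flag letters, then key=value fields. The legend line
# starts with "Flags:" and therefore does not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([TBXDIA*\s]*?)([\w-]+=.*)$")


def parse_policies(text: str) -> list:
    """Parse each policy line into {'index', 'flags', 'fields'}."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        index, flags, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        entries.append({"index": int(index), "flags": flags.replace(" ", ""), "fields": fields})
    return entries


def tunnel_status(text: str) -> list:
    """One report row per non-template policy; healthy means active AND ph2-state=established."""
    report = []
    for e in parse_policies(text):
        f = e["fields"]
        if f.get("template") == "yes":
            continue
        report.append({
            "index": e["index"],
            "src": f.get("src-address"),
            "dst": f.get("dst-address"),
            "ph2_count": int(f.get("ph2-count", 0)),
            "established": "A" in e["flags"] and f.get("ph2-state") == "established",
        })
    return report


def all_up(text: str) -> bool:
    """True only when every configured policy has an established SA pair."""
    report = tunnel_status(text)
    return bool(report) and all(r["established"] for r in report)


if __name__ == "__main__":
    for row in tunnel_status(SAMPLE_OUTPUT):
        state = "OK " if row["established"] else "DOWN"
        print(f'{state} policy {row["index"]}: {row["src"]} -> {row["dst"]} (ph2-count={row["ph2_count"]})')
    print("all tunnels up:", all_up(SAMPLE_OUTPUT))
```

On the sample above the P2P policy is reported DOWN (ph2-count=0, no-phase2) while the subnet policy is OK, which is exactly the situation to watch for: the subnet tunnel can pass traffic while the link-local /30 that BGP runs over never negotiates, so routes are not exchanged. Pipe the real output over SSH into this script and alert when all_up() is False.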

After establishing the first tunnel, repeat the Mikrotik configuration process for the second AWS tunnel to ensure redundancy.

Conclusion

In this tutorial, you learned how to configure an IPSec VPN between DigitalOcean and AWS using Mikrotik’s Cloud Hosted Router. These steps are designed to create a secure and efficient inter-cloud communication channel, essential for modern hybrid cloud architectures.
