IPsec
RouterOS 7 · VPN · ~8 мин
Site-to-Site IPsec IKEv2
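# Site-to-site IPsec (IKEv2) between 192.168.1.0/24 (local) and 192.168.2.0/24 (remote).
# 198.51.100.1 and 203.0.113.1 are documentation addresses (RFC 5737): replace them
# with the real public addresses of the two routers. The remote router needs the
# mirrored configuration with the same algorithms, DH group and secret.
#
# Not shown here: the firewall has to accept IKE (UDP 500/4500) and ESP from the
# peer, and traffic between the two subnets has to be excluded from
# srcnat/masquerade, otherwise it is translated before it can match the policy.

# Phase 1 (IKE SA) profile. modp2048 is DH group 14.
/ip/ipsec/profile/add name=ike2-profile \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048

# Phase 2 (ESP) proposal. With a CBC cipher the separate auth-algorithms value
# provides integrity; pfs-group requests a new DH exchange for each phase 2 SA.
/ip/ipsec/proposal/add name=ike2-proposal \
    auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# Peer. The name is set explicitly because the identity and the policy below
# refer to it as peer1; relying on an auto-generated name breaks as soon as
# another peer already exists. local-address pins the local tunnel endpoint.
/ip/ipsec/peer/add name=peer1 address=203.0.113.1/32 local-address=198.51.100.1 \
    profile=ike2-profile exchange-mode=ike2

# Identity (PSK). "SuperSecretPSK" is a placeholder: use a long, randomly
# generated secret that is unique to this peer pair. The secret is stored in the
# router configuration, so handle exports and backups as sensitive data.
# Certificate authentication (auth-method=digital-signature) avoids a shared secret.
/ip/ipsec/identity/add peer=peer1 \
    auth-method=pre-shared-key secret="SuperSecretPSK"

# Policy: encrypt traffic between the two subnets in tunnel mode via peer1.
# NOTE(review): the original listing set sa-src-address/sa-dst-address on the
# policy; to my knowledge these are read-only on RouterOS 7 and the tunnel
# endpoints are taken from the peer instead. Confirm on the running version.
/ip/ipsec/policy/add peer=peer1 \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    tunnel=yes \
    proposal=ike2-proposal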
Проверка
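# SA status.
# active-peers lists the established IKE sessions with the remote router.
/ip/ipsec/active-peers/print
# installed-sa lists the installed ESP SAs; expect one per direction.
# The output can include the negotiated authentication and encryption keys,
# so do not paste it unredacted into tickets, chats or forum posts.
/ip/ipsec/installed-sa/print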