# MikroTik

{% hint style="info" %}

#### Connecting MikroTik with IKEv2

* Does not require on-premise public static IP
* IKEv2 configuration allows you to use MikroTik as the main router (which is connected to internet) or place it locally in your LAN behind the main router
  {% endhint %}

## Step 1 - Creating a new branch connection

[Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/)

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IKEv2** as the **Protocol**, and click **Submit** to create the connection, or **Continue** to define optional **Branch Segments** for finer access control.

Once the connection is created, locate it in the list and click the **Configuration Guide** button to retrieve the parameters and configuration files for your device.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

## Step 2 - Uploading the script and setup files

Download a script for MikroTik:

* [RouterOS v6 (6.46 and newer)](https://goodaccess-storage.b-cdn.net/mikrotik/ga-setup-branch.rsc)
* [RouterOS v7](https://goodaccess-storage.b-cdn.net/mikrotik/ga-setup-branch-v7.rsc)

Log in to your MikroTik device, and go to **Files**.

**Upload** the script and setup files from [Step 1](#step-1-creating-a-new-branch-connection) (extract the files first).

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FNWBLool8C8TRP9KuJov2%2FBranch_Connector_MikroTik_01.png?alt=media&#x26;token=59995660-514d-4151-b2de-1c6c29e7d60b" alt="Router&#x27;s graphical user interface (GUI) with labeled elements highlighting key steps to uploading files to MikroTik."><figcaption><p>Uploading the script and setup files</p></figcaption></figure>

## Step 3 - Setting up a site-to-site connection

{% hint style="danger" %}
**Please note:** Deploying the script on an already configured device could disrupt your existing setup. Please review the script thoroughly and ensure compatibility with your current configuration before deployment.
{% endhint %}
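
One way to act on the warning above before running `/import`: a heuristic scan of the downloaded `.rsc` file that lists the RouterOS menus it touches and flags commands that change or delete existing entries. This is an added example, not GoodAccess or MikroTik code; the sample script, the verb lists and the function names `review_rsc` and `risky_menus` are assumptions made for illustration.

```python
import re
import sys
from collections import defaultdict

VERBS = ("add", "set", "remove", "enable", "disable", "reset-configuration")
# Verbs that alter or delete entries already on the router (assumed risk list).
RISKY = {"set", "remove", "disable", "reset-configuration"}
# "/menu path verb ..." anywhere in a line, including inside { } blocks.
INLINE = re.compile(r"(/[a-z][a-z0-9 \-]*?)\s+(%s)(?![\w-])" % "|".join(VERBS))

# Constructed sample for illustration; NOT the contents of ga-setup-branch.rsc.
SAMPLE = r"""
# constructed example
/ip ipsec profile
add name=example-profile
/ip ipsec policy remove [find dynamic=no]
/ip firewall nat
add chain=srcnat action=accept \
    dst-address=10.0.0.0/24 place-before=0
:do { /ip ipsec peer set [find name=old] disabled=yes } on-error={}
"""

def review_rsc(text):
    """Map each RouterOS menu path to the (verb, risky, command) tuples touching it."""
    findings = defaultdict(list)
    menu = "/"
    # A trailing backslash continues the command on the next line.
    for line in re.sub(r"\\\r?\n\s*", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = INLINE.search(line)
        if match:
            path, verb = " ".join(match.group(1).split()), match.group(2)
        elif line.startswith("/"):
            menu = " ".join(line.split())  # bare menu line switches context
            continue
        elif line.split()[0] in VERBS:
            path, verb = menu, line.split()[0]
        else:
            continue  # scripting command (:local, :put, ...) with no menu verb
        findings[path].append((verb, verb in RISKY, line))
    return dict(findings)

def risky_menus(findings):
    """Menus where the script changes or removes existing configuration."""
    return sorted(p for p, cmds in findings.items() if any(r for _, r, _ in cmds))

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for path, cmds in sorted(review_rsc(source).items()):
        for verb, risky, cmd in cmds:
            print(("REVIEW " if risky else "       ") + path + " :: " + cmd)
```

Pass the path of the downloaded script as the first argument and compare the flagged menus against your current configuration; the scan is pattern-based, so it complements reading the script and does not replace it.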

Go to **Terminal** and run the following command to import the script (use the file name of the script you uploaded in Step 2):

```
/import ga-setup-branch.rsc
```

Enter the credentials from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection):

* **VPN username**
* **VPN password**
* **Gateway address**
* **Gateway subnet**
* **What is your local network** - Cloud/Branch subnet
* **What is CA certificate name** - Name of the CA Certificate file stored in your MikroTik files

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FbhycOzoJeZRZcxcVjj27%2FBranch_Connector_MikroTik_02.png?alt=media&#x26;token=2e5e46f0-4771-4d0d-9f12-502a80fc21ae" alt="Router&#x27;s Terminal showing configuration of a site-to-site connection."><figcaption><p>Setting up the site-to-site connection</p></figcaption></figure>

The connection is established when the message "**Script file loaded and executed successfully**" appears.

You have now successfully connected your device to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**
  {% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **MikroTik:** Go to **IP > IPSec > Policies and Active Peers**.
  {% endhint %}


