# MikroTik

{% hint style="info" %}

#### Connecting MikroTik with IKEv2

* Does not require an on-premises public static IP
* IKEv2 configuration allows you to use MikroTik as the main router (which is connected to the internet) or place it locally in your LAN behind the main router

{% endhint %}

## Step 1 - Creating a new branch connection

[Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/)

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IKEv2** **Protocol**, and click **Submit** to create the connection, or **Continue** to define optional **Branch Segments** for finer access control.

Once the connection is created, locate it in the list and click the **Configuration Guide** button to retrieve the parameters and configuration files for your device.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

## Step 2 - Uploading the script and setup files

Download a script for MikroTik:

* [RouterOS v6 (6.46 and newer)](https://goodaccess-storage.b-cdn.net/mikrotik/ga-setup-branch.rsc)
* [RouterOS v7](https://goodaccess-storage.b-cdn.net/mikrotik/ga-setup-branch-v7.rsc)

Log in to your MikroTik device, and go to **Files**.

**Upload** the script and setup files from [Step 1](#step-1-creating-a-new-branch-connection) (extract the files first).

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FNWBLool8C8TRP9KuJov2%2FBranch_Connector_MikroTik_01.png?alt=media&#x26;token=59995660-514d-4151-b2de-1c6c29e7d60b" alt="Router&#x27;s graphical user interface (GUI) with labeled elements highlighting key steps to uploading files to MikroTik."><figcaption><p>Uploading the script and setup files</p></figcaption></figure>

## Step 3 - Setting up a site-to-site connection

{% hint style="danger" %}
**Please note:** Deploying the script on an already configured device could disrupt your existing setup. Please review the script thoroughly and ensure compatibility with your current configuration before deployment.
{% endhint %}
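
One way to support the review recommended above, as an added example (not GoodAccess or MikroTik code): this Python helper lists which RouterOS menus a `.rsc` file touches and flags the commands that modify or delete existing objects. The function names and the sample script are constructed for illustration; the parser recognises absolute menu paths followed by a verb, and verbs relative to a preceding menu line.

```python
import re
from collections import defaultdict

VERB = r"(add|set|remove|enable|disable|reset-configuration)(?![\w-])"
PATH = r"/[a-z][\w-]*(?:(?: +|/)[a-z][\w-]*)*"   # "/ip ipsec peer" or "/ip/ipsec/peer"
CMD = re.compile("(" + PATH + "?) +" + VERB)      # shortest path followed by a verb
# Verbs that alter or delete objects already on the router ("add" only creates).
RISKY = {"set", "remove", "disable", "reset-configuration"}

def logical_lines(text):
    """Yield non-comment lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line

def summarize(text):
    """Map each menu path to the set of verbs the script runs there."""
    norm = lambda p: "/" + " ".join(p.replace("/", " ").split())
    touched, menu = defaultdict(set), "/"
    for line in logical_lines(text):
        hits = CMD.findall(line)                 # absolute commands, also inside { }
        for path, verb in hits:
            touched[norm(path)].add(verb)
        rel = re.match(VERB, line)
        if rel:                                  # verb relative to the current menu
            touched[menu].add(rel.group(1))
        elif not hits and re.fullmatch(PATH, line):
            menu = norm(line)                    # bare menu line, e.g. "/ip ipsec profile"
    return dict(touched)

def risky(text):
    """Sorted (menu, verb) pairs that change configuration already on the device."""
    return sorted((m, v) for m, vs in summarize(text).items() for v in vs if v in RISKY)

# Constructed sample for illustration; NOT the contents of the GoodAccess script.
SAMPLE = r'''/ip ipsec profile
add name=ga-demo dh-group=modp2048
/ip ipsec peer add name=ga-demo address=203.0.113.10 \
    exchange-mode=ike2 profile=ga-demo
:if ($replace) do={ /ip ipsec policy remove [find comment="old"] }
/ip/firewall/nat set 0 disabled=yes
'''
if __name__ == "__main__":
    print("review before import:", risky(SAMPLE))
```

To use it on the real file, pass the text of the downloaded script to `risky()` and compare each flagged menu with the matching section of your router's current configuration.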

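Go to **Terminal** and run the following command to import the script (if you uploaded the RouterOS v7 script, use its file name, `ga-setup-branch-v7.rsc`, instead):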

```
/import ga-setup-branch.rsc
```

Enter the credentials from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection):

* **VPN username**
* **VPN password**
* **Gateway address**
* **Gateway subnet**
* **What is your local network** - Cloud/Branch subnet
* **What is CA certificate name** - Name of the CA Certificate file stored in your MikroTik files

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FbhycOzoJeZRZcxcVjj27%2FBranch_Connector_MikroTik_02.png?alt=media&#x26;token=2e5e46f0-4771-4d0d-9f12-502a80fc21ae" alt="Router&#x27;s Terminal showing configuration of a site-to-site connection."><figcaption><p>Setting up the site-to-site connection</p></figcaption></figure>

The connection is established when the message "**Script file loaded and executed successfully**" appears.

You have now successfully connected your device to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**

{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **MikroTik:** Go to **IP > IPSec > Policies and Active Peers**.

{% endhint %}
