To use FrootVPN with the IPsec IKEv2 protocol on your Mikrotik device (version 6.46 and later), please follow the instructions below.


1.   Downloading the root Certificate Authority (CA) from this link to your PC.


2.   Login in to your Mikrotik. Typically this can be accessed via a web browser by entering 192.168.88.1 instead of url.




3.     Uploading the root CA downloaded at step 1 to the Mikrotik. 


Files -> Browse -> isrgrootx1.pem




4.     Importing the root CA certificate to the Mikrotik certificate storage.


System -> Certificates -> Import



5.     Setting up the IPsec tunnel.

5.1.  Creating a profile.


IP -> IPsec -> Profiles -> Add new



5.2.  Create a Proposals


IP -> IPsec -> Proposals -> Add new



5.3.  Create a policy group


IP -> IPsec -> Groups -> Add new



5.4.  Create a peer.

Server address you can get by this link at you FrootVPN account.


IP -> IPsec -> Peers -> Add new



5.5.   Create a policy for fixing an MTU issue with IPsec tunnel. 

Warning - Dst. Address must be from the same subnet as your Mikrotik is. For example if IP is 192.168.88.1 than Dst. Address must be 192.168.88.0/24, if IP is 192.168.0.1 than 192.168.0.0/24.


IP -> IPsec -> Policies -> Add new



5.6.  Create a main policy group template.


IP -> IPsec -> Policies -> Add new


5.7.  Choosing what will go through IPsec tunnel.


IP -> Firewall -> Address list -> Add new



If you want that only some IP's have access through IPsec tunnel, than create a few records for each.


5.8.  Create a new mode configuration.


IP -> IPsec -> Mode Configs -> Add  new



5.9.  Creating an identity (your login and password).


IP -> IPsec -> Identity -> Add new




To check is IPsec tunnel established.


1. IP -> IPsec -> Active Peers - here is the status of your connection

2. IP -> IPsec -> Installed SAs - here is SA for inbound and outbound channels.