Internet Key Exchange
A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime, and key parameters, and the IKE peer is configured with the same encryption, authentication, Diffie-Hellman, lifetime, and key parameters. Note that these sample configurations use the minimum requirement of AES128, SHA1, and DH Group 2 (1024-bit MODP), which is the weakest combination AWS accepts.
Modify these sample configuration files to use AES256, SHA256, or a different DH group where both ends support them; groups 2, 14-18, 22, 23, and 24 are supported.
The stronger parameters are only available for VPN connections of category "VPN", not for "VPN-Classic".
The address of the external interface for your customer gateway must be a static address.
Your customer gateway may reside behind a device performing network address translation (NAT). In that case the "Local Address" of the IKE peer must be the address actually configured on the router's external interface (the private, pre-NAT address), while the public address presented by the NAT device is the one registered as the customer gateway in AWS. NAT traversal (NAT-T) also requires that the NAT device pass UDP port 4500 in addition to UDP port 500.
Create an IPsec policy that selects traffic between your local subnet and the VPC subnet for encryption. Go to IP Tab --> IPsec --> Policies
1) Click on "+" button and select the General Tab
a. Src. Address: local subnet/mask
b. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: xxx.xxx.xxx.xxx "MikroTik Public IP Address"
c. SA Dst. Address: yyy.yyy.yyy.yyy "AWS Public IP Address"
d. Proposal: ipsec-vpn-xxxxxxxx-x
e. Click Apply, then OK
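The same configuration from the RouterOS command line, as an added example that is not part of the page or of the AWS-generated configuration file. It uses the RouterOS 6.45+/7 layout (profile, peer and identity as separate objects) and shows the page's minimum AES128/SHA1/DH group 2 settings beside the stronger AES256/SHA256/DH group 14 settings that category "VPN" connections support. The subnets 192.168.1.0/24 and 10.0.0.0/16, the profile, peer and identity names, the "-min" suffix and the pre-shared-key placeholder are assumptions; xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are the page's own placeholders for the MikroTik and AWS endpoints.

```routeros
# Added example (not from the page or the AWS config file). Assumed values:
# local subnet 192.168.1.0/24, VPC CIDR 10.0.0.0/16, object names, PSK placeholder.
# xxx.xxx.xxx.xxx = MikroTik side address, yyy.yyy.yyy.yyy = AWS tunnel endpoint.

# --- Phase 1 (IKE) minimum from the page: AES-128 / SHA-1 / DH group 2 (modp1024) ---
/ip ipsec profile
add name=aws-profile-min enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024 \
    lifetime=8h nat-traversal=yes dpd-interval=10s dpd-maximum-failures=3 proposal-check=obey

# --- Phase 1 hardened: AES-256 / SHA-256 / DH group 14 (modp2048), category "VPN" only ---
/ip ipsec profile
add name=aws-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    lifetime=8h nat-traversal=yes dpd-interval=10s dpd-maximum-failures=3 proposal-check=obey

# IKE peer. local-address is an address configured on the router itself; behind NAT that is
# the private address, while the NAT's public address is what AWS knows as the customer gateway.
# The peer references the hardened profile; swap in aws-profile-min for a VPN-Classic connection.
/ip ipsec peer
add name=aws-tunnel-1 address=yyy.yyy.yyy.yyy/32 local-address=xxx.xxx.xxx.xxx \
    exchange-mode=main profile=aws-profile send-initial-contact=yes

# Pre-shared key from the AWS configuration file (placeholder, assumed name).
/ip ipsec identity
add peer=aws-tunnel-1 auth-method=pre-shared-key secret="<PRE-SHARED-KEY-FROM-AWS-CONFIG>" \
    generate-policy=no

# --- Phase 2 (IPsec) proposals: page minimum, then hardened (PFS group matches phase 1) ---
/ip ipsec proposal
add name=ipsec-vpn-xxxxxxxx-x-min enc-algorithms=aes-128-cbc auth-algorithms=sha1 \
    pfs-group=modp1024 lifetime=1h
/ip ipsec proposal
add name=ipsec-vpn-xxxxxxxx-x enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# Policy, matching steps 1 and 2 above: General tab = src/dst subnets,
# Action tab = tunnel mode, SA endpoint addresses, proposal.
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=10.0.0.0/16 protocol=all tunnel=yes \
    sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=yyy.yyy.yyy.yyy \
    action=encrypt level=require ipsec-protocols=esp \
    proposal=ipsec-vpn-xxxxxxxx-x peer=aws-tunnel-1

# Checks after the configuration is in place:
/ip ipsec active-peers print      # phase 1 state for yyy.yyy.yyy.yyy should be established
/ip ipsec installed-sa print      # ESP SAs should list the algorithms configured above
/ip ipsec policy print            # the policy gets the A (active) flag once its SA is up
```

If the tunnel negotiates but only with the weaker proposal, the AWS side is a VPN-Classic connection or the installed-sa output will show which algorithm the peer selected; proposal-check=obey accepts what the responder offers, so compare the installed SA against the intended hardened settings rather than assuming they were used.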