IPsec Configuration Generator

Shop LAN: 192.168.88.0/24
CHR (Center) LAN: 172.16.0.0/24

Config for Mikrotik (branch)

/ip ipsec profile add name=myProfile dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec peer add address= exchange-mode=ike2 profile=myProfile name=office
/ip ipsec identity add peer=office secret="MySuperSecret" generate-policy=port-override
/ip ipsec proposal add name=myProposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=172.16.0.0/24 sa-src-address= sa-dst-address= tunnel=yes proposal=myProposal peer=office
/ip firewall filter add chain=input protocol=udp port=500,4500 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp action=accept

Config for CHR (center)

/ip ipsec profile add name=myProfile dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec peer add address= exchange-mode=ike2 profile=myProfile name=shop1
/ip ipsec identity add peer=shop1 secret="MySuperSecret" generate-policy=port-override
/ip ipsec proposal add name=myProposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add src-address=172.16.0.0/24 dst-address=192.168.88.0/24 sa-src-address= sa-dst-address= tunnel=yes proposal=myProposal peer=shop1
/ip firewall filter add chain=input protocol=udp port=500,4500 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp action=accept
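# Masquerade only traffic that matches no IPsec policy; otherwise srcnat rewrites the source before the 172.16.0.0/24 -> 192.168.88.0/24 policy is evaluated and the packets bypass the tunnel
/ip firewall nat add chain=srcnat src-address=172.16.0.0/24 out-interface=isp ipsec-policy=out,none action=masquerade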