This article shows how to configure an IPsec VPN between a Digi router that uses multiple traffic selectors and a Mikrotik router, using IPsec/IKEv2 policies on site-to-site (S2S) VPN connections.
Below you can find an example of the IPSec IKEv2 configuration on the Digi router.
Since the device is equipped with only two Ethernet interfaces, we configure VLANs on the LAN-facing interface.

Next, we create two IP interfaces, each associated with the appropriate VLAN, and assign IP addresses.

Next, we add a new IPsec VPN tunnel (named Mikrotik in our case) and go through the IPsec configuration step by step.

General and peer authentication type configurations:

We set the firewall zone to Internal to avoid additional firewall configuration between the IPsec tunnel and the local subnets. You can change this according to your needs.
Local and remote endpoint configuration:

The first policy is linked to the native VLAN interface.

We need to add two additional policies, covering the subnets of the VLANs we created.

IKE Phase 1 and 2 configurations.


Next, we set up the IPsec VPN on the Mikrotik router.
All configuration is done in the "IP –> IPSec" section using Winbox.
First, we need to create the "IPsec Profile" in which we define the IKE proposal:

In the next step, we create a new "IPSec Proposal" for the phase 2 encryption:

For the peer configuration, we only need to set the name, IP address and IPsec profile, and set the "Exchange Mode" to IKE2:

To set the authentication method, which is a "pre shared key" in my case, we need to add a new "IPsec Identity":

Then we define which networks need to talk to each other over the VPN tunnel:

In the last step, we just need to select the "IPsec Proposal" which we named "dal", so that the correct encryption is used in phase 2 / ESP.
Don't forget to change the level in the Mikrotik IPsec policy to "unique"; the Mikrotik default is "require".
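
The Winbox steps above, written as RouterOS terminal commands. This is an added example, not part of the original article: the profile name `digi-ike2`, the peer name `digi`, all addresses and subnets, the algorithm choices and the secret are assumptions or placeholders, and only the proposal name `dal` and `level=unique` come from the text.

```routeros
# Added example. Everything except the proposal name "dal" and level=unique
# is a placeholder; algorithms and subnets must match the Digi side.

# Phase 1: IPsec Profile holding the IKE proposal (algorithms assumed)
/ip ipsec profile
add name=digi-ike2 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Phase 2: IPsec Proposal for ESP, named "dal" as in the article
/ip ipsec proposal
add name=dal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Peer: name, address, profile and IKEv2 exchange mode
# 203.0.113.10 is a documentation address standing in for the Digi WAN IP
/ip ipsec peer
add name=digi address=203.0.113.10/32 profile=digi-ike2 exchange-mode=ike2

# Identity: pre-shared key authentication (replace the placeholder secret)
/ip ipsec identity
add peer=digi auth-method=pre-shared-key secret="REPLACE_WITH_PRE_SHARED_KEY"

# One policy per Digi-side subnet: native VLAN plus the two added VLANs.
# 192.168.88.0/24 stands for the Mikrotik LAN; 10.10.x.0/24 for the Digi subnets.
# level=unique makes each policy negotiate and use its own SA
# instead of the default level=require.
/ip ipsec policy
add peer=digi tunnel=yes src-address=192.168.88.0/24 dst-address=10.10.0.0/24 \
    proposal=dal level=unique
add peer=digi tunnel=yes src-address=192.168.88.0/24 dst-address=10.10.10.0/24 \
    proposal=dal level=unique
add peer=digi tunnel=yes src-address=192.168.88.0/24 dst-address=10.10.20.0/24 \
    proposal=dal level=unique

# Check the result: the peer should be established, with SAs installed
# for every policy
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```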

We see that the connection is established and works fine.




Last updated:
Aug 26, 2025