BGP over GRE

Hi everyone,

Is it possible to have a simple BGP over GRE (GRE running on top of IPsec)?

I do not have experience with BGP, only worked with OSPF / RIP before.

The setup is like this:

Main Office
Remote office router 1 (Main router ISP 1)
Remote office router 2 (Backup router ISP2)

There is a VRRP between router 1 and router 2 for hardware redundancy.

I have GRE running between Main and Backup router to the main office.

With OSPF it works without a problem (single area). The problem is that the people at the main office cannot use OSPF, only BGP.

With BGP, using the default AS 65300 it only works between Main router and backup router.
If I add the Main Office in AS 65300 and set 2 peers with AS 65300 for Main and Backup router, I do not get any routes in the routing table.

I only need the traffic to automatically go over the backup link in case the main one drops.

Is BGP working over GRE?

If it does, can someone point me in the right direction?

If you can run TCP connection over the tunnel then of course you will be able to run BGP, too. :)

The config I have:
Mikrotik Main
172.16.1.1/30 172.16.1.0 ether2
1.x.x.x/28 109.166.155.32 ether1 - WAN
192.168.88.1/24 192.168.88.0 ether5
172.16.10.2/30 172.16.10.0 MTMain-Client - this is the tunnel interface
172.16.255.3/32 172.16.255.1 loopback
192.168.88.1/24 192.168.88.0 VRRP1

Simple BGP:
/routing bgp instance
set default router-id=172.16.10.2
/routing bgp network
add network=172.16.10.0/30 synchronize=no
add network=192.168.88.0/24 synchronize=no
add network=172.16.1.0/30 synchronize=no
/routing bgp peer
add name=Client remote-address=172.16.10.1 remote-as=65300 ttl=default


Mikrotik client
10.10.10.1/24 10.10.10.0 ether3
2.x.x.x/30 62.217.243.108 ether8 - WAN
172.16.10.1/30 172.16.10.0 MTMain-Client - this is the tunnel interface
172.16.255.1/32 172.16.255.3 loopback

/routing bgp instance
set default as=65300 router-id=172.16.10.1
/routing bgp network
add network=10.10.10.0/24 synchronize=no
add network=172.16.10.0/30 synchronize=no
/routing bgp peer
add name=MTMAin remote-address=172.16.10.2 remote-as=65300


Still there are no routes added in the routing table for iBGP.
If I connect over ethernet it works like a charm.

All I get in the logs:
09:25:51 route,bgp,info Failed to open TCP connection: Connection refused
09:25:51 route,bgp,info RemoteAddress=172.16.10.2
09:26:11 route,bgp,info TCP connection established
09:26:11 route,bgp,info RemoteAddress=172.16.10.2
09:26:11 route,bgp,info Connection closed
09:26:11 route,bgp,info RemoteAddress=172.16.10.2
09:26:31 route,bgp,info TCP connection established
09:26:31 route,bgp,info RemoteAddress=172.16.10.2
09:26:31 route,bgp,info Connection closed
09:26:31 route,bgp,info RemoteAddress=172.16.10.2
09:26:37 dhcp,info Wifi_Guest deassigned 10.10.30.43 from 38:2D:D1:AD:EC:C2
09:26:37 dhcp,info Wifi_Guest assigned 10.10.30.43 to 38:2D:D1:AD:EC:C2
09:26:51 route,bgp,info TCP connection established
09:26:51 route,bgp,info RemoteAddress=172.16.10.2
09:26:51 route,bgp,info Connection closed
09:26:51 route,bgp,info RemoteAddress=172.16.10.2
09:26:59 system,info,account user radu logged in from 109.166.155.34 via telnet
09:27:11 route,bgp,info TCP connection established
09:27:11 route,bgp,info RemoteAddress=172.16.10.2
09:27:11 route,bgp,info Connection closed
09:27:11 route,bgp,info RemoteAddress=172.16.10.2
09:27:31 route,bgp,info TCP connection established
09:27:31 route,bgp,info RemoteAddress=172.16.10.2
09:27:31 route,bgp,info Connection terminated
09:27:31 route,bgp,info RemoteAddress=172.16.10.2
09:28:50 system,info,account user radu logged in from 109.166.155.34 via telnet
09:29:57 dhcp,info Wifi_Guest deassigned 10.10.30.43 from 38:2D:D1:AD:EC:C2
09:30:01 dhcp,info Wifi_Guest assigned 10.10.30.43 to 38:2D:D1:AD:EC:C2
09:30:15 system,info,account user radu logged in from 109.166.155.34 via telnet

The peers are 172.16.10.1 AS 65300 and 172.16.10.2 AS 65300.
Being a GRE tunnel they are directly connected so a route should not be needed.

Any thoughts?

It appears that it works over GRE as long as it is not running over IPsec.
Can someone tell me why BGP is not running when GRE is running over IPsec?


This is the IPsec config:

/ip ipsec proposal
add disabled=yes enc-algorithms=3des name=MTMain

/ip ipsec peer
add address=1.x.x.x/32 disabled=yes dpd-interval=1m enc-algorithm=3des local-address=2.x.x.x nat-traversal=no secret="xxxxxxx"

/ip ipsec policy
add disabled=yes dst-address=172.16.10.2/32 level=unique proposal=MTMain sa-dst-address=1.x.x.x sa-src-address=2.x.x.x src-address=172.16.10.1/32 tunnel=yes


/ip ipsec proposal
add disabled=yes enc-algorithms=3des name=STA
/ip ipsec peer
add address=2.x.x.x/32 disabled=yes dpd-inter
local-address=1.x.x.x nat-traversal=no se
/ip ipsec policy
add disabled=yes dst-address=172.16.10.1/32 level=un
sa-dst-address=2.x.x.x sa-src-address=109
172.16.10.2/32 tunnel=yes


If someone knows, please let me know.

Thank you

I was running BGP over GRE over IPsec for a long time and it was always working without any problems.

When you are running BGP over GRE, what you have to pay attention to is the "routing of IPs for the GRE tunnel"…
Depending on what you are advertising (i.e. all of your prefixes), when BGP sessions come up, they can easily change routing for the GRE tunnel IPs to be routed via the BGP session IPs… thus collapsing the tunnel.

You have to add static IP routes for the GRE tunnel IPs and make sure that you are not creating a routing loop when the BGP session comes up.
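
The recursive-routing failure described in the reply above, modelled as an added example that is not part of the thread. The interface names `MTMain-Client` and `ether1` come from the posted config; the public addresses, prefixes and distances are constructed sample values.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: str    # destination prefix
    out_if: str    # interface the route points out of
    distance: int  # lower wins when prefix lengths are equal

def best_route(dest: str, routes: list) -> Optional[Route]:
    """Longest-prefix match; ties are broken by the lowest distance."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))

def tunnel_collapses(remote_endpoint: str, routes: list, tunnel_if: str) -> bool:
    """True when the tunnel's own outer destination resolves through the tunnel."""
    route = best_route(remote_endpoint, routes)
    return route is not None and route.out_if == tunnel_if

# Constructed sample data (documentation address ranges).
REMOTE_ENDPOINT = "198.51.100.10"   # public address of the far GRE endpoint
TUNNEL_IF = "MTMain-Client"

BEFORE_BGP = [Route("0.0.0.0/0", "ether1", 1)]
# The peer advertises "all of its prefixes", including the one that
# contains its own public address, and they are learned over the tunnel.
AFTER_BGP = BEFORE_BGP + [
    Route("198.51.100.0/24", TUNNEL_IF, 200),
    Route("10.10.10.0/24", TUNNEL_IF, 200),
]
# A static host route for the endpoint pins it to the WAN interface.
WITH_STATIC = AFTER_BGP + [Route("198.51.100.10/32", "ether1", 1)]

if __name__ == "__main__":
    for name, table in (("before BGP", BEFORE_BGP),
                        ("after BGP", AFTER_BGP),
                        ("with static /32", WITH_STATIC)):
        print(f"{name}: collapses={tunnel_collapses(REMOTE_ENDPOINT, table, TUNNEL_IF)}")
```
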

Thank you for your reply.

The issue was with how I set up the IP addresses on the IPsec policies.

/ip ipsec policy
add disabled=yes dst-address=172.16.10.2/32 level=unique proposal=MTMain

I’ve changed the /32 address to the public IP and BGP started working.
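
A check for the selector mismatch described in the last post, as an added example that is not part of the thread. It assumes the GRE tunnel is built between the two public addresses; the thread redacts those, so the addresses below are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress
import shlex

def parse_policy(line):
    """Parse one RouterOS 'add key=value ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def selector_problems(policy, gre_local, gre_remote):
    """List the ways a policy fails to match GRE packets between the endpoints."""
    problems = []
    # The GRE packets on the wire carry the outer (public) addresses, so the
    # policy selectors have to cover those, not the addresses inside the tunnel.
    for key, endpoint in (("src-address", gre_local), ("dst-address", gre_remote)):
        selector = ipaddress.ip_network(policy[key], strict=False)
        if ipaddress.ip_address(endpoint) not in selector:
            problems.append(f"{key}={policy[key]} does not match GRE endpoint {endpoint}")
    # The SA itself must also be negotiated between the same two endpoints.
    for key, endpoint in (("sa-src-address", gre_local), ("sa-dst-address", gre_remote)):
        if policy.get(key) != endpoint:
            problems.append(f"{key}={policy.get(key)} differs from GRE endpoint {endpoint}")
    return problems

# Constructed stand-ins for the redacted public addresses.
GRE_LOCAL, GRE_REMOTE = "198.51.100.1", "192.0.2.1"

# Shape of the policy as first posted: selectors are the tunnel's inner /32s.
ORIGINAL = ("add dst-address=172.16.10.2/32 level=unique proposal=MTMain "
            "sa-dst-address=192.0.2.1 sa-src-address=198.51.100.1 "
            "src-address=172.16.10.1/32 tunnel=yes")
# After the change the poster describes: selectors are the public addresses.
CHANGED = ("add dst-address=192.0.2.1/32 level=unique proposal=MTMain "
           "sa-dst-address=192.0.2.1 sa-src-address=198.51.100.1 "
           "src-address=198.51.100.1/32 tunnel=yes")

if __name__ == "__main__":
    for name, line in (("original", ORIGINAL), ("changed", CHANGED)):
        issues = selector_problems(parse_policy(line), GRE_LOCAL, GRE_REMOTE)
        print(name, "->", issues or "selectors match the GRE endpoints")
```
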