GRE+IPSec between 1100AHx4 and Cisco

Hello.

I have trouble establishing a GRE+IPSec tunnel between a 1100AHx4 (RouterOS 7.18.2) and a Cisco ISR4431.

The tunnel works only when, on the Mikrotik side, the MyID and RemoteID parameters in /ip/ipsec/identity are set to auto.
I’ve tried address and fqdn as IDs on both sides, but had no luck.
When I change the ID on the Mikrotik side (MyID, RemoteID or both, it doesn’t matter) to address or fqdn, the tunnel goes down (the values are the same on both sides, I’ve checked many times).
The error is "ipsec,error identity not found for peer: FQDN:" or "ipsec,error identity not found for peer: ADDR:", depending on the ID type.

What am I missing? Thanks in advance.

A simple topology:

  1. The Mikrotik side settings:

a) The GRE tunnel:

[admin@MikroTik] > /interface/gre/print
    Flags: X - disabled; R - running
     0  R name="gre-tunnel1" mtu=1400 actual-mtu=1400 local-address=0.0.0.0 remote-address=x.x.x.x dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes

[admin@MikroTik] > /ip/address/print from=2
    Flags: X - disabled, I - invalid; D - dynamic; S - slave
     #     ADDRESS            NETWORK         INTERFACE
     0     172.17.15.90/30    172.17.15.88    gre-tunnel1

b) IPSec related settings:

[admin@MikroTik] > /ip/ipsec/proposal/print from=1
    Flags: X - disabled; * - default
     0    name="CISCO_PROPS_1" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1d pfs-group=none

[admin@MikroTik] > /ip/ipsec/profile/print from=1
    Flags: * - default
     0   name="CISCO_CO" hash-algorithm=sha256 prf-algorithm=sha256 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=10s dpd-maximum-failures=2
    
[admin@MikroTik] > /ip/ipsec/peer/print from=0
    Flags: X - disabled; D - dynamic; R - responder
     0     ;;; CISCO_ISR1
           name="CISCO_ISR1" address=x.x.x.x/32 profile=CISCO_CO exchange-mode=ike2 send-initial-contact=yes

[admin@MikroTik] > /ip/ipsec/identity/print from=0
    Flags: D - dynamic; X - disabled
     0    peer=CISCO_ISR1 auth-method=pre-shared-key notrack-chain="prerouting" my-id=fqdn:mikrotik-test.local remote-id=fqdn:cisco.local secret="mikrotik-test" generate-policy=no

[admin@MikroTik] > /ip/ipsec/policy/print from=1
    Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
     #      PEER           TUNNEL SRC-ADDRESS                                  DST-ADDRESS                                  PROTOCOL   ACTION  LEVEL    PH2-COUNT
     0      CISCO_ISR1     no     z.z.z.z/32                                   x.x.x.x/32                                   gre        encrypt require          0

c) It’s a new box, meaning I have no fancy configuration, just a default route via the ISP; no firewall or NAT is running.

  2. The Cisco side settings:

interface Tunnel667
     description MIKROTIK-TEST
     ip address 172.17.15.89 255.255.255.252
     ip mtu 1400
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/1/0
     tunnel destination z.z.z.z
     tunnel protection ipsec profile mikrotik-ipsec
    end

crypto ikev2 keyring mikrotik-keyring
     peer mikrotik-test
      address z.z.z.z
      pre-shared-key mikrotik-test

crypto ikev2 profile mikrotik-test
     match identity remote fqdn mikrotik-test.local
     identity local fqdn cisco.local
     authentication remote pre-share
     authentication local pre-share
     keyring local mikrotik-keyring
     dpd 10 2 on-demand

crypto ipsec transform-set mikrotik-tset esp-aes esp-sha-hmac
     mode transport

crypto ipsec profile mikrotik-ipsec
     set transform-set mikrotik-tset
     set ikev2-profile mikrotik-test

A bit of diagnostics:

  1. The working example, when on my side I have both local and remote ID set to auto.
 2025-05-15 13:52:04 ipsec processing payload: ID_I
 2025-05-15 13:52:04 ipsec ID_I (FQDN): cisco.local
 2025-05-15 13:52:04 ipsec processing payload: ID_R (not found)
 2025-05-15 13:52:04 ipsec processing payload: AUTH
 2025-05-15 13:52:04 ipsec processing payloads: NOTIFY
 2025-05-15 13:52:04 ipsec   notify: INITIAL_CONTACT
 2025-05-15 13:52:04 ipsec   notify: USE_TRANSPORT_MODE
 2025-05-15 13:52:04 ipsec   notify: SET_WINDOW_SIZE
 2025-05-15 13:52:04 ipsec,debug 00000005
 2025-05-15 13:52:04 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 2025-05-15 13:52:04 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 2025-05-15 13:52:04 ipsec processing payload: AUTH
 2025-05-15 13:52:04 ipsec requested auth method: SKEY
 2025-05-15 13:52:04 ipsec,debug => peer's auth (size 0x20)
 2025-05-15 13:52:04 ipsec,debug 115a4221 fecb9e3e 3c5aee49 b9a176b2 5751a61a d2338bcf 46f31b70 e733cd41
 2025-05-15 13:52:04 ipsec,debug => auth nonce (size 0x18)
 2025-05-15 13:52:04 ipsec,debug ef0fc34e 2af03f57 c58dc202 f4e5cee9 89c8dfcc 00cd1231
 2025-05-15 13:52:04 ipsec,debug => SK_p (size 0x20)
 2025-05-15 13:52:04 ipsec,debug 3a4f382b af59a70b e2fa5a43 e1312fcb 32fdde21 c04445a9 a18d12e0 4fc6ebe5
 2025-05-15 13:52:04 ipsec,debug => idhash (size 0x20)
 2025-05-15 13:52:04 ipsec,debug 4aeb3a77 de324d52 14069878 f9c1c393 b39cdbe4 7c38b153 037f7712 d5518d87
 2025-05-15 13:52:04 ipsec,debug => calculated peer's AUTH (size 0x20)
 2025-05-15 13:52:04 ipsec,debug 115a4221 fecb9e3e 3c5aee49 b9a176b2 5751a61a d2338bcf 46f31b70 e733cd41
 2025-05-15 13:52:04 ipsec,info,account peer authorized: CISCO_ISR1 z.z.z.z[500]-x.x.x.x[500] d0d256ba30cc6b40:0650b47fc72acb49
 2025-05-15 13:52:04 ipsec initial contact
 2025-05-15 13:52:04 ipsec processing payloads: NOTIFY
 2025-05-15 13:52:04 ipsec   notify: INITIAL_CONTACT
 2025-05-15 13:52:04 ipsec   notify: USE_TRANSPORT_MODE
 2025-05-15 13:52:04 ipsec   notify: SET_WINDOW_SIZE
 2025-05-15 13:52:04 ipsec,debug 00000005
 2025-05-15 13:52:04 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 2025-05-15 13:52:04 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 2025-05-15 13:52:04 ipsec peer wants transport mode
 2025-05-15 13:52:04 ipsec processing payload: CONFIG
 2025-05-15 13:52:04 ipsec   attribute: internal IPv4 DNS
 2025-05-15 13:52:04 ipsec   attribute: internal IPv4 DNS
 2025-05-15 13:52:04 ipsec   attribute: internal IPv4 NBNS
 2025-05-15 13:52:04 ipsec   attribute: internal IPv4 NBNS
 2025-05-15 13:52:04 ipsec   attribute: internal IPv6 subnet
 2025-05-15 13:52:04 ipsec   attribute: internal IPv6 DNS
 2025-05-15 13:52:04 ipsec   attribute: internal IPv6 subnet
 2025-05-15 13:52:04 ipsec   attribute: application version size: 253
 2025-05-15 13:52:04 ipsec unknown config item: #7
 2025-05-15 13:52:04 ipsec   attribute: unknown 0x7003
 2025-05-15 13:52:04 ipsec   attribute: unknown 0x7000
 2025-05-15 13:52:04 ipsec   attribute: unknown 0x7014
 2025-05-15 13:52:04 ipsec   attribute: unknown 0x7009
 2025-05-15 13:52:04 ipsec   attribute: unknown 0x7002
 2025-05-15 13:52:04 ipsec processing payload: SA
 2025-05-15 13:52:04 ipsec IKE Protocol: ESP
 2025-05-15 13:52:04 ipsec  proposal #1
 2025-05-15 13:52:04 ipsec   enc: aes128-cbc
 2025-05-15 13:52:04 ipsec   auth: sha1
 2025-05-15 13:52:04 ipsec processing payload: TS_I
 2025-05-15 13:52:04 ipsec x.x.x.x ip-proto:47
 2025-05-15 13:52:04 ipsec processing payload: TS_R
 2025-05-15 13:52:04 ipsec z.z.z.z ip-proto:47
 2025-05-15 13:52:04 ipsec candidate selectors: z.z.z.z ip-proto:47 <=> x.x.x.x ip-proto:47
 2025-05-15 13:52:04 ipsec searching for policy for selector: z.z.z.z ip-proto:47 <=> x.x.x.x ip-proto:47
 2025-05-15 13:52:04 ipsec using strict match: z.z.z.z <=> x.x.x.x ip-proto:47
 2025-05-15 13:52:04 ipsec matched proposal:
 2025-05-15 13:52:04 ipsec  proposal #1
 2025-05-15 13:52:04 ipsec   enc: aes128-cbc
 2025-05-15 13:52:04 ipsec   auth: sha1
 2025-05-15 13:52:04 ipsec acquired spi 0xc6b8898: CISCO_ISR1 z.z.z.z[500]-x.x.x.x[500] d0d256ba30cc6b40:0650b47fc72acb49
 2025-05-15 13:52:04 ipsec ike auth: finish
 2025-05-15 13:52:04 ipsec ID_R (ADDR4): z.z.z.z
  2. But when I change the remote ID (FQDN) to cisco.local it immediately stops working:
2025-05-15 13:54:35 ipsec ike auth: respond
 2025-05-15 13:54:35 ipsec processing payload: ID_I
 2025-05-15 13:54:35 ipsec ID_I (FQDN): cisco.local
 2025-05-15 13:54:35 ipsec processing payload: ID_R (not found)
 2025-05-15 13:54:35 ipsec processing payload: AUTH
 2025-05-15 13:54:35 ipsec,error identity not found for peer: FQDN: cisco.local
 2025-05-15 13:54:35 ipsec reply notify: AUTHENTICATION_FAILED
 2025-05-15 13:54:35 ipsec adding notify: AUTHENTICATION_FAILED
  3. When I try to set the FQDN on both IDs, it still doesn’t work:
2025-05-15 14:12:13 ipsec,debug 00000005
2025-05-15 14:12:13 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
2025-05-15 14:12:13 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
2025-05-15 14:12:13 ipsec ike auth: respond
2025-05-15 14:12:13 ipsec processing payload: ID_I
2025-05-15 14:12:13 ipsec ID_I (FQDN): cisco.local
2025-05-15 14:12:13 ipsec processing payload: ID_R (not found)
2025-05-15 14:12:13 ipsec processing payload: AUTH
2025-05-15 14:12:13 ipsec,error identity not found for peer: FQDN: cisco.local
2025-05-15 14:12:13 ipsec reply notify: AUTHENTICATION_FAILED
2025-05-15 14:12:13 ipsec adding notify: AUTHENTICATION_FAILED
2025-05-15 14:12:13 ipsec,debug => (size 0x8)
2025-05-15 14:12:13 ipsec,debug 00000008 00000018
2025-05-15 14:12:13 ipsec <- ike2 reply, exchange: AUTH:1 x.x.x.x[500] c676279fcb754d3e:6441345c869ed1b8
2025-05-15 14:12:13 ipsec,debug ===== sending 272 bytes from z.z.z.z[500] to x.x.x.x[500]
2025-05-15 14:12:13 ipsec,debug 1 times of 272 bytes message will be sent to x.x.x.x[500]
2025-05-15 14:12:13 ipsec,info killing ike2 SA: CISCO_ISR1 z.z.z.z[500]-x.x.x.x[500] 6441345c869ed1b8:c676279fcb754d3e
2025-05-15 14:12:14 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 x.x.x.x[4500] 7c3532d9d49432e5:0000000000000000
2025-05-15 14:12:14 ipsec,debug ===== sending 432 bytes from z.z.z.z[4500] to x.x.x.x[4500]
2025-05-15 14:12:14 ipsec,debug 1 times of 436 bytes message will be sent to x.x.x.x[4500]
2025-05-15 14:12:19 ipsec acquire for policy: z.z.z.z <=> x.x.x.x ip-proto:47
2025-05-15 14:12:19 ipsec peer is IKEv2
2025-05-15 14:12:19 ipsec ike2 starting for: x.x.x.x
2025-05-15 14:12:19 ipsec adding payload: SA
2025-05-15 14:12:19 ipsec,debug => (size 0x30)
2025-05-15 14:12:19 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000005
2025-05-15 14:12:19 ipsec,debug 03000008 0300000c 00000008 0400000e
2025-05-15 14:12:19 ipsec adding payload: KE
2025-05-15 14:12:19 ipsec,debug => (first 0x100 of 0x108)
2025-05-15 14:12:19 ipsec,debug 00000108 000e0000 8c408978 cbb63618 9b96e9d9 0b99b38a 8847a3e4 38f429a6
2025-05-15 14:12:19 ipsec,debug 3d8c45f6 e8288727 05883c17 aa5aba1b 6988c826 68da163f cf5d039d a60133ac
2025-05-15 14:12:19 ipsec,debug a55f7ee6 8bbd02b3 ed1ece0d e82c493d 00277cfe 3134c2a1 f91f643c a5a95672
2025-05-15 14:12:19 ipsec,debug 50d690da 0a4b0ff9 19da2274 cccb656f 93b101c4 1b1942ea a6f1f933 ab58b3f7
2025-05-15 14:12:19 ipsec,debug f938cf08 646eceb2 85e45da0 ad8190d0 b84c6326 f8872647 efb574dc 6dd34f3b
2025-05-15 14:12:19 ipsec,debug 69fba6a7 538dd81e 81b60ed0 dff89daa 73dc344d a0a6c62d d6c63715 3d9ebc77
2025-05-15 14:12:19 ipsec,debug 794e6423 b06b12db 561e2e0c 1e0188e2 ccca7285 ba6efd33 181820db 2e5a0ff5
2025-05-15 14:12:19 ipsec,debug a4da9874 d3b5dd08 5aad2660 b53f8684 7951a344 b58e6980 df842fbf c24608c8
2025-05-15 14:12:19 ipsec adding payload: NONCE
2025-05-15 14:12:19 ipsec,debug => (size 0x1c)
2025-05-15 14:12:19 ipsec,debug 0000001c 4db74c2b 1924538d 42a712fa c74bae41 0e4bb036 c13ae4b7
2025-05-15 14:12:19 ipsec adding notify: NAT_DETECTION_SOURCE_IP
2025-05-15 14:12:19 ipsec,debug => (size 0x1c)
2025-05-15 14:12:19 ipsec,debug 0000001c 00004004 c104165c 548eb6fd e841075e 6fc25f7e b49b698b
2025-05-15 14:12:19 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
2025-05-15 14:12:19 ipsec,debug => (size 0x1c)
2025-05-15 14:12:19 ipsec,debug 0000001c 00004005 565eb38b a503677d 309e3bcc 2fce421a 0f5697b2
2025-05-15 14:12:19 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
2025-05-15 14:12:19 ipsec,debug => (size 0x8)
2025-05-15 14:12:19 ipsec,debug 00000008 0000402e
2025-05-15 14:12:19 ipsec <- ike2 request, exchange: SA_INIT:0 x.x.x.x[4500] c3a6b740f201321e:0000000000000000
2025-05-15 14:12:19 ipsec,debug ===== sending 432 bytes from z.z.z.z[4500] to x.x.x.x[4500]
2025-05-15 14:12:19 ipsec,debug 1 times of 436 bytes message will be sent to x.x.x.x[4500]
2025-05-15 14:12:20 ipsec acquire for policy: z.z.z.z <=> x.x.x.x ip-proto:47
2025-05-15 14:12:20 ipsec peer is IKEv2
2025-05-15 14:12:20 ipsec ike2 starting for: x.x.x.x
2025-05-15 14:12:20 ipsec adding payload: SA
2025-05-15 14:12:20 ipsec,debug => (size 0x30)
2025-05-15 14:12:20 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000005
2025-05-15 14:12:20 ipsec,debug 03000008 0300000c 00000008 0400000e
2025-05-15 14:12:20 ipsec adding payload: KE
2025-05-15 14:12:20 ipsec,debug => (first 0x100 of 0x108)
2025-05-15 14:12:20 ipsec,debug 00000108 000e0000 aa7716de a8b421b8 c4361339 acb373a1 cac6928a e38d8129
2025-05-15 14:12:20 ipsec,debug 32914bb8 8f3ce831 c4d7cc08 aa563315 912b6000 3f0023fe 280eea44 b3f65154
2025-05-15 14:12:20 ipsec,debug 753323ef c088079e 7ee03252 18e8841b 595b8bc3 ddde7588 7a67f32e 5f2d4b43
2025-05-15 14:12:20 ipsec,debug c713facd c2068d68 51cf1370 52aa86c4 d2016d2b 483bcddc 0b3ff1d3 74398fd2
2025-05-15 14:12:20 ipsec,debug 9d5ca8a5 be6933ad db674c6b 441216d1 8887cfe7 13341f3d 8fea0ee4 42260823
2025-05-15 14:12:20 ipsec,debug 371f08a9 567bc8ad 77ad79bf 5a7ada48 cfc04998 5f2356a5 ca1436d7 391e09e4
2025-05-15 14:12:20 ipsec,debug a783e696 a6fcc336 90e40eba ce331932 50d977aa 7430dc09 3f33ced2 abd7ad2b
2025-05-15 14:12:20 ipsec,debug 5901684b 1df58a1b 7a1f1828 342fb1be 4d15c66d 1bbbb594 4019ac56 be4ccbbe
2025-05-15 14:12:20 ipsec adding payload: NONCE
2025-05-15 14:12:20 ipsec,debug => (size 0x1c)
2025-05-15 14:12:20 ipsec,debug 0000001c 8e47f582 c6d20323 cf5fd1db ac7cb017 4a8a391a 56d76d8d
2025-05-15 14:12:20 ipsec adding notify: NAT_DETECTION_SOURCE_IP
2025-05-15 14:12:20 ipsec,debug => (size 0x1c)
2025-05-15 14:12:20 ipsec,debug 0000001c 00004004 8eb0c69f 0ca5c215 c6d0630a 9661735f 71b00fe3
2025-05-15 14:12:20 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
2025-05-15 14:12:20 ipsec,debug => (size 0x1c)
2025-05-15 14:12:20 ipsec,debug 0000001c 00004005 c788c9e1 0d0587b2 baaa4e6a 1f90d53a 3b57111f
2025-05-15 14:12:20 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
2025-05-15 14:12:20 ipsec,debug => (size 0x8)
2025-05-15 14:12:20 ipsec,debug 00000008 0000402e
2025-05-15 14:12:20 ipsec <- ike2 request, exchange: SA_INIT:0 x.x.x.x[4500] ae9de8e6a11d32e7:0000000000000000
2025-05-15 14:12:20 ipsec,debug ===== sending 432 bytes from z.z.z.z[4500] to x.x.x.x[4500]
2025-05-15 14:12:20 ipsec,debug 1 times of 436 bytes message will be sent to x.x.x.x[4500]
2025-05-15 14:12:29 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 x.x.x.x[4500] ae9de8e6a11d32e7:0000000000000000
2025-05-15 14:12:29 ipsec,debug ===== sending 432 bytes from z.z.z.z[4500] to x.x.x.x[4500]
2025-05-15 14:12:29 ipsec,debug 1 times of 436 bytes message will be sent to x.x.x.x[4500]
2025-05-15 14:12:34 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 x.x.x.x[4500] ae9de8e6a11d32e7:0000000000000000
2025-05-15 14:12:34 ipsec,debug ===== sending 432 bytes from z.z.z.z[4500] to x.x.x.x[4500]
2025-05-15 14:12:34 ipsec,debug 1 times of 436 bytes message will be sent to x.x.x.x[4500]
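
As an added example (this is not code from the post, from MikroTik or from Cisco), here is a small Python parser for RouterOS ipsec log lines of the shape quoted above. It groups the lines into IKE_AUTH attempts, pulls out the identity the peer presented in ID_I, the outcome (peer authorized vs. identity not found), and compares the presented ID against a configured remote-id using a simplified model of the /ip/ipsec/identity syntax (auto, fqdn:..., address:...). The sample log is constructed from the lines in this post (the address-type exchange at the end is built on the same pattern, not captured from a device), and identity_matches is my reading of the documented remote-id semantics, not MikroTik's implementation; it tells you what should match, which is the first thing to put next to what the peer actually sent.

```python
"""Summarize IKE_AUTH attempts from RouterOS ipsec log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the lines quoted in the post and trimmed to
# the identity/outcome lines. The last exchange (address-type ID) is
# constructed on the same pattern and is not a capture from a device.
SAMPLE_LOG = """\
2025-05-15 13:52:04 ipsec processing payload: ID_I
2025-05-15 13:52:04 ipsec ID_I (FQDN): cisco.local
2025-05-15 13:52:04 ipsec processing payload: ID_R (not found)
2025-05-15 13:52:04 ipsec,info,account peer authorized: CISCO_ISR1 z.z.z.z[500]-x.x.x.x[500] d0d256ba30cc6b40:0650b47fc72acb49
2025-05-15 13:52:04 ipsec ike auth: finish
2025-05-15 13:52:04 ipsec ID_R (ADDR4): z.z.z.z
2025-05-15 13:54:35 ipsec ike auth: respond
2025-05-15 13:54:35 ipsec processing payload: ID_I
2025-05-15 13:54:35 ipsec ID_I (FQDN): cisco.local
2025-05-15 13:54:35 ipsec processing payload: ID_R (not found)
2025-05-15 13:54:35 ipsec,error identity not found for peer: FQDN: cisco.local
2025-05-15 13:54:35 ipsec reply notify: AUTHENTICATION_FAILED
05-29 20:04:02 ipsec processing payload: ID_I
05-29 20:04:02 ipsec ID_I (ADDR4): 2.2.2.2
05-29 20:04:02 ipsec,error identity not found for peer: ADDR4: 2.2.2.2 [::]
"""

RE_ID_I = re.compile(r"ipsec ID_I \((?P<type>\w+)\): (?P<value>\S+)")
RE_ID_R = re.compile(r"ipsec ID_R \((?P<type>\w+)\): (?P<value>\S+)")
RE_AUTHORIZED = re.compile(r"peer authorized: (?P<peer>\S+)")
RE_NOT_FOUND = re.compile(r"identity not found for peer: (?P<type>\w+): (?P<value>\S+)")


@dataclass
class AuthAttempt:
    """One IKE_AUTH exchange as seen by the responder."""
    started: str                               # timestamp of the ID_I payload line
    peer_id: Optional[tuple[str, str]] = None  # (type, value) the initiator presented
    our_id: Optional[tuple[str, str]] = None   # (type, value) we answered with as ID_R
    peer_name: Optional[str] = None            # /ip/ipsec/peer entry, if authorized
    result: str = "incomplete"


def parse_ike_auth(log_text: str) -> list[AuthAttempt]:
    """Group log lines into IKE_AUTH attempts; each ID_I payload opens a new one."""
    attempts: list[AuthAttempt] = []
    current: Optional[AuthAttempt] = None
    for line in log_text.splitlines():
        if "processing payload: ID_I" in line:
            current = AuthAttempt(started=line.split(" ipsec", 1)[0])
            attempts.append(current)
            continue
        if current is None:
            continue  # SA_INIT chatter before the first IKE_AUTH is ignored
        if m := RE_ID_I.search(line):
            current.peer_id = (m["type"], m["value"])
        elif m := RE_NOT_FOUND.search(line):
            current.peer_id = current.peer_id or (m["type"], m["value"])
            current.result = "identity not found"
        elif m := RE_AUTHORIZED.search(line):
            current.peer_name = m["peer"]
            current.result = "authorized"
        elif "reply notify: AUTHENTICATION_FAILED" in line:
            if current.result == "incomplete":  # keep a more specific reason if present
                current.result = "AUTHENTICATION_FAILED"
        elif m := RE_ID_R.search(line):
            current.our_id = (m["type"], m["value"])
    return attempts


def identity_matches(remote_id: str, presented: tuple[str, str]) -> bool:
    """Simplified model of how a configured remote-id should select a presented ID.

    remote_id uses the /ip/ipsec/identity syntax from the thread: 'auto',
    'fqdn:<name>' or 'address:<ipv4>'. My reading of the documented behaviour,
    not MikroTik's code. FQDN compare is case-insensitive and ignores a trailing dot.
    """
    if remote_id == "auto":
        return True  # auto accepts whatever ID the peer presents
    kind, _, value = remote_id.partition(":")
    id_type, id_value = presented
    if kind == "fqdn":
        return id_type == "FQDN" and id_value.lower().rstrip(".") == value.lower().rstrip(".")
    if kind == "address":
        return id_type == "ADDR4" and id_value == value
    return False


def diagnose(attempts: list[AuthAttempt], remote_id: str) -> list[str]:
    """One report line per attempt: what the peer sent, the outcome, what should match."""
    report = []
    for a in attempts:
        expected = identity_matches(remote_id, a.peer_id) if a.peer_id else None
        report.append(f"{a.started}: peer presented {a.peer_id}, outcome={a.result}, "
                      f"remote-id={remote_id!r} should match={expected}")
    return report


if __name__ == "__main__":
    for line in diagnose(parse_ike_auth(SAMPLE_LOG), "fqdn:cisco.local"):
        print(line)
```

Feed it the output of /log print (with the ipsec topic enabled) instead of SAMPLE_LOG; an attempt whose report says "should match=True" but whose outcome is "identity not found" is exactly the case this thread is about, and the peer_id/our_id pair tells you which ID types were actually on the wire rather than what the GUI shows.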

Looks like the topology image is missing. Just edit the post and add it using the “Attachments” section in the lower left.

Anyway, it should be the default setting but can you try setting “match-by=remote-id” on the identity? Also, please export “/ip/ipsec” since it’s way easier to read than the printouts.

I’ve changed the initial post. The topology is very simple: I want two tunnels to be established from the Mikrotik to two different Cisco ISRs.
When the IDs are set to auto on both identities, only the first one works (as long as no ID is changed to something else).

As I can see “match-by=remote-id” is set by default already.

Here’s the export of the IPSec part:

/ip ipsec identity
add my-id=fqdn:mikrotik-test.local notrack-chain=prerouting peer=\
    CISCO_ISR1 remote-id=fqdn:cisco.local secret=mikrotik-test
add disabled=yes notrack-chain=prerouting peer=CISCO_ISR2 secret=\
    mikrotik-test
/ip ipsec policy
set 0 disabled=yes
add dst-address=x.x.x.x/32 peer=CISCO_ISR1 proposal=CISCO_PROPS_1 \
    protocol=gre src-address=z.z.z.z/32
add disabled=yes peer=CISCO_ISR2 proposal=CISCO_PROPS_1 protocol=gre

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=2 enc-algorithm=\
    aes-128 hash-algorithm=sha256 name=CISCO_CO prf-algorithm=sha256
/ip ipsec peer
add address=x.x.x.x/32 comment=CISCO_ISR1 exchange-mode=ike2 name=\
    CISCO_ISR1 profile=CISCO_CO
add address=y.y.y.y/32 comment=CISCO_ISR2 disabled=yes exchange-mode=\
    ike2 name=CISCO_ISR2 profile=CISCO_CO
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1d name=CISCO_PROPS_1 pfs-group=none

Guys, any ideas how to debug this further? These Cisco ISR routers terminate many tunnels to FG, Zyxel and pfSense without problems (VTI + tunnel mode, though) with exactly the same logic.
Mikrotik clearly sees the peer advertisement but cannot find its identity for some reason. I assume it’s a very popular setup and I’m missing some obvious part, but I can’t figure it out.

identity not found for peer: FQDN: cisco.local

Hello again. I still have no luck with the simple (at first glance) setup.

The diagram is in the first post; the IP addresses are in this post:

  1. 1.1.1.1 - public IP configured on Mikrotik
  2. 2.2.2.2 - public IP configured on Cisco.

The L3 connectivity is in place.

I’ve reset the Mikrotik, upgraded it to 7.19.1 (I tried all the “major” versions from 7.9 through 7.19.1) and configured it from scratch, with just one tunnel to one router, and I still get the same error.
No matter what is configured (the FQDN or the ADDRESS), the error is there as long as the IDs are not set to auto; when auto is configured, the tunnel comes up.

In Mikrotik debug I see:

05-29 20:04:02 ipsec,error identity not found for peer: ADDR4: 2.2.2.2 [::]

This confirms that Mikrotik is receiving the identity as ADDR4: 2.2.2.2, exactly what should be matched by (as I understand it):

remote-id=address remote-id-address=2.2.2.2

Yet it’s still rejecting it. Is it some sort of bug?

The Mikrotik part of the config:


/interface gre
add !keepalive name=gre-tunnel1 remote-address=2.2.2.2

/ip address
add address=172.16.19.65/26 interface=bridge1 network=172.16.19.64
add address=172.17.15.90/30 interface=gre-tunnel1 network=172.17.15.88
add address=1.1.1.1/24 interface=ether1 network=1.1.1.0

/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=2 enc-algorithm=aes-128 name=ciscoisr
/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 local-address=1.1.1.1 name=HUB profile=ciscoisr
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1d name=cisco_proposal1 pfs-group=none
/ip ipsec identity
add my-id=address:1.1.1.1 peer=HUB remote-id=address:2.2.2.2
/ip ipsec policy
set 0 disabled=yes
add dst-address=2.2.2.2/32 peer=HUB proposal=cisco_proposal1 protocol=gre src-address=1.1.1.1/32

The Cisco side:

crypto ikev2 proposal mikrotik-proposal
 encryption aes-cbc-128
 integrity sha1
 group 2
 !
crypto ikev2 keyring mikrotik-keyring
 peer mikrotik-test
  address 1.1.1.1
  pre-shared-key local mikrotik-test
  pre-shared-key remote mikrotik-test
  !
crypto ikev2 profile mikrotik-test
 match identity remote address 1.1.1.1 255.255.255.255
 identity local address 2.2.2.2
 authentication remote pre-share
 authentication local pre-share
 keyring local mikrotik-keyring
 dpd 10 2 on-demand
 !
crypto ipsec transform-set mikrotik-tset esp-aes esp-sha-hmac
 mode transport
 !
crypto ipsec profile mikrotik-ipsec
 set security-association lifetime seconds 86400
 set transform-set mikrotik-tset
 set ikev2-profile mikrotik-test
 !
interface Tunnel667
 ip address 172.17.15.89 255.255.255.252
 tunnel source GigabitEthernet0/1/0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile mikrotik-ipsec

I’ve investigated further and downgraded MikroTik to version 6.49.18, but the error still persists.
Version 6.49.18 doesn’t allow setting an address as the Remote ID, and I followed these steps:

  1. Set the Remote ID to an FQDN (My ID was still configured as an address) and changed the local ID on the Cisco side to an FQDN; the error remained: identity not found for peer: FQDN: cisco.local.
  2. Set “My ID” to “auto” on MikroTik, with the Remote ID remaining as FQDN; the tunnel came up and everything started working.
  3. Set “My ID” on MikroTik to FQDN, and on Cisco set the identity match to “remote FQDN” — the tunnel failed to establish.
  4. Set both “My ID” and “Remote ID” to “auto” — the tunnel came up and worked correctly.

Now back on version 7.19.1:

  1. I kept the working configuration with “My ID” set to “auto” and “Remote ID” to FQDN — the tunnel works.
  2. Since 7.19.1 supports matching by Remote ID as an address, I changed the Cisco config from FQDN to address and updated the Remote ID on MikroTik — the tunnel works. (“My ID” was still set to “auto”.)
  3. However, as soon as I change “My ID” from “auto” to anything else, the tunnel fails with an identity mismatch.

Conclusion:
It seems that the “My ID” setting is causing the identity mismatch, but I’m not exactly sure how.

> No matter what is configured (the FQDN or the ADDRESS), the error is there as long as the IDs are not set to auto; when auto is configured, the tunnel comes up.

The auto mode is a fallback mechanism if the router can’t verify that remote peer’s identity by DNS query.

Can you nslookup cisco.local as 2.2.2.2 on your MT router if your lab doesn’t have that nameserver record? No. Hence you can study your next steps.

Have a good lab. Good luck.

Hello.
Thank you for the reply. I don’t think the problem is in the DNS lookup, as I don’t use it in the last example at all, and Mikrotik cannot match either FQDN or ADDR4 if the field “My ID” (not the field “Remote ID”!) has a value different from auto.

As soon as I change it, for example to address, it starts to complain about the identity.

identity not found for peer: ADDR4: 2.2.2.2

hi,

> As soon as I change it, for example to address, it starts to complain about the identity.
>
> identity not found for peer: ADDR4: 2.2.2.2

That is because you don’t have any nameserver handling that 2.2.2.2, as your router is doing a reverse lookup query.

Solution:

  1. Create a DNS server for your lab (with both forward and reverse lookup records), or
  2. Set a static DNS entry in your router (just like you set the /etc/hosts file).

Example:

  1. /etc/hosts : aaa.local —> 2.2.2.2

  2. #(conf t)host aaa.local 2.2.2.2

  3. Set your router DNS server address, on both.

  4. Query that aaa.local or 2.2.2.2, both forward and reverse.

  5. Pings, by IP and FQDN.

If they are successful, you won’t see those My ID/Remote ID complaints again.

Have a good lab 👍🏻

Hi. Thank you for the reply.

I’m not sure how identities set to address and DNS records are related to each other, but okay.
I’ve created static DNS records on each router.

I can ping the remote and local addresses by name on each router:

[admin@MikroTik] > ping mikrotik.local count=3
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 1.1.1.1                                    56  64 207us     
    1 1.1.1.1                                    56  64 188us     
    2 1.1.1.1                                    56  64 183us     
    sent=3 received=3 packet-loss=0% min-rtt=183us avg-rtt=192us max-rtt=207us

[admin@MikroTik] > ping cisco.local count=3
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 2.2.2.2                                    56 255 252us     
    1 2.2.2.2                                    56 255 334us     
    2 2.2.2.2                                    56 255 340us     
    sent=3 received=3 packet-loss=0% min-rtt=252us avg-rtt=308us max-rtt=340us 

cisco.router#ping mikrotik.local
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

cisco.router#ping cisco.local
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Now I’m trying to have a working tunnel with the field “My ID” not set to auto.

  1. The first scenario: the Mikrotik “My ID” field is FQDN and “Remote ID” is address.

/ip ipsec identity
add my-id=fqdn:mikrotik.local peer=HUB remote-id=address:2.2.2.2

crypto ikev2 profile mikrotik-test
 match identity remote fqdn mikrotik.local
 identity local address 2.2.2.2
 authentication remote pre-share
 authentication local pre-share
 keyring local mikrotik-keyring
 dpd 10 2 on-demand

The error is the same:

identity not found for peer: ADDR4: 2.2.2.2

In this scenario the tunnel comes up if “My ID” is set to auto and “Remote ID” is set to either address or auto.

  2. The second scenario: identities on both sides are set to FQDN.

/ip ipsec identity
add my-id=fqdn:mikrotik.local peer=HUB remote-id=fqdn:cisco.local

crypto ikev2 profile mikrotik-test
 match identity remote fqdn mikrotik.local
 identity local fqdn cisco.local
 authentication remote pre-share
 authentication local pre-share
 keyring local mikrotik-keyring
 dpd 10 2 on-demand

The error, obviously, changed from ADDR4 to FQDN, but still exists:

identity not found for peer: FQDN: cisco.local

In this scenario the tunnel comes up only if “My ID” is set to auto and “Remote ID” is set to auto as well.

I think the reason for this behaviour is not related to DNS.