GRE IPSec

Hello! I managed to bring up the GRE tunnel between the two routers. The local network pings. IPsec does not come up. Here is the detailed hardware configuration. What could the problem be?


CONFIG FOR SITE A


/ip firewall nat
add chain=srcnat action=masquerade out-interface=ppp-out1

/ip address
add address=192.168.1.1/24 interface=ether2


/interface gre add name=myGre remote-address=10.250.18.3 local-address=10.250.18.1

/ip address
add address=172.16.1.1/30 interface=myGre

/ip route
add dst-address=192.168.2.0/24 gateway=172.16.1.2





/ip ipsec peer
add address=10.250.18.3/32 port=500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=test send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=10.250.18.3 sa-src-address=10.250.18.1 src-address=192.168.1.0/24 src-port=any tunnel=yes

/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" disabled=no dst-address=192.168.0.0/16 out-interface=ppp-out1
add action=masquerade chain=srcnat comment="default PAT" disabled=no out-interface=ppp-out1



[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=udp dst-port=500
1 chain=input action=accept protocol=ipsec-ah
2 chain=input action=accept protocol=ipsec-esp
3 ;;; default configuration
chain=input action=accept protocol=icmp
4 ;;; default configuration
chain=input action=accept connection-state=established
5 ;;; default configuration
chain=input action=accept connection-state=related




[admin@MikroTik] /ip> route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 10.112.112.133 1
1 ADC 10.112.112.133/32 10.250.18.3 ppp-out1 0
2 ADC 172.16.1.0/30 172.16.1.2 myGre 0
3 A S 192.168.1.0/24 172.16.1.1 1
4 ADC 192.168.2.0/24 192.168.2.1 bridge-local 0
[admin@MikroTik] /ip>
[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled
0 address=10.250.18.1/32 port=500 auth-method=pre-shared-key secret="test" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
my-id-user-fqdn="" proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik] /ip ipsec peer>
[admin@MikroTik] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=10.250.18.3 sa-dst-address=10.250.18.1 proposal=default priority=0
[admin@MikroTik] /ip ipsec policy>

  1. Peer needs to be for WAN IPs of both routers. You use the IPs inside the GRE tunnel. You need to encrypt the GRE tunnel itself.

  2. Policy should also be just the WAN IP of RB1 to WAN IP of RB2. Also should be in transport mode, not tunnel.

Watch this video to learn how it all works: http://gregsowell.com/?p=1290
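The two points above applied to the addresses from this thread, as an added example that is neither the original poster's nor the replier's configuration (RouterOS v6 pre-6.43 peer syntax, as used in the thread). The AES/SHA-256/modp2048 algorithms, the protocol=gre selector and the input rule for GRE are added hardening assumptions, not something the thread states.

```routeros
# --- Site A (WAN/PPP address 10.250.18.1) ---
# The GRE tunnel itself is unchanged: it runs between the WAN addresses,
# LAN-to-LAN traffic is routed through it (static route to 172.16.1.2 as in the thread).
/interface gre
add name=myGre local-address=10.250.18.1 remote-address=10.250.18.3

# Phase 2 proposal. The thread's 3des/md5 works but is weak; AES-256/SHA-256 with PFS is added hardening.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Peer = the OTHER router's WAN address, not the 172.16.1.x addresses inside the GRE tunnel.
# secret=test is kept from the thread; use a long random PSK in practice.
/ip ipsec peer
add address=10.250.18.3/32 auth-method=pre-shared-key secret=test exchange-mode=main \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 nat-traversal=no

# Policy = WAN IP to WAN IP in transport mode (tunnel=no), so the GRE packets are what gets
# encrypted. protocol=gre narrows the policy to tunnel traffic only (assumption: nothing else
# between the two WAN addresses needs protection).
/ip ipsec policy
add src-address=10.250.18.1/32 dst-address=10.250.18.3/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=10.250.18.1 sa-dst-address=10.250.18.3 proposal=default

# Input chain: IKE (udp/500) and ESP are accepted as in the thread. After decryption the
# packets are plain GRE, so GRE from the peer must be accepted too if a drop rule follows.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500 comment="IKE"
add chain=input action=accept protocol=ipsec-esp comment="ESP"
add chain=input action=accept protocol=gre src-address=10.250.18.3 comment="GRE from peer"

# --- Site B (WAN/PPP address 10.250.18.3) --- mirror image, only the addresses swap.
/interface gre
add name=myGre local-address=10.250.18.3 remote-address=10.250.18.1
/ip ipsec peer
add address=10.250.18.1/32 auth-method=pre-shared-key secret=test exchange-mode=main \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 nat-traversal=no
/ip ipsec policy
add src-address=10.250.18.3/32 dst-address=10.250.18.1/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=10.250.18.3 sa-dst-address=10.250.18.1 proposal=default
/ip firewall filter
add chain=input action=accept protocol=gre src-address=10.250.18.1 comment="GRE from peer"

# Check: the policy must show as active (no "I" flag) and SAs must exist on both sides.
/ip ipsec policy print
/ip ipsec installed-sa print
```

If the policy stays inactive, the proposal, hash and DH settings must match exactly on both routers; a mismatch is the usual reason phase 1 or phase 2 never completes.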

Thx it works!!!))))