Hello everyone!
I’m having trouble setting up tunnels for a client.
I have a CCR1036-12G-4S Rev 2 running RouterOS 6.45.6. My client needs to establish a GRE tunnel over encrypted connection.
So, I create the GRE interface associated with my public facing IP and client’s Cisco RV340 WAN address.
add allow-fast-path=no !keepalive local-address=1.1.1.1 mtu=1400 name=gre-to-client remote-address=2.2.2.2
Then, I set up everything related to IPSec.
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=3des lifetime=12h name=profile-client nat-traversal=no
/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 local-address=1.1.1.1 name=peer-client passive=yes profile=profile-client send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add enc-algorithms=3des lifetime=6h name=proposal-client pfs-group=modp1536
/ip ipsec identity
add comment=client my-id=fqdn:my-id peer=peer-client remote-id=fqdn:client-id secret=SECRET
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0 -----> this was suggested in a forum question but i'm not that sure!!!
add action=none dst-address=172.16.101.8/30 src-address=172.16.101.8/30
add dst-address=2.2.2.2/32 peer=peer-client proposal=proposal-client src-address=1.1.1.1/32
/ip ipsec settings
set accounting=no
Also, the GRE interfaces is assigned 172.16.101.10 on my side and 172.16.101.9 on client’s side.
As suggested also in forums, I explicitly avoid natting traffic from my side of lan to clien’s lan, and route with client’s lan destination is set up with client’s GRE interface address as next hop.
I cannot get traffic to flow!! IPSec tunnel get’s established, SA associations get created, I can see that in outbound direction, SA is counting up, but no traffic is coming inbound direction. I’m kind of lost, and cannot progress with this issue!!
Strange thing is I cannot ping my client’s GRE interface (I think that would be the first thing that I should be able to do, right?)
Any help will be much appreciated!
Thanks in advanced!