GRE over IPsec MikroTik to MikroTik

Hi,
I am trying to make a tunnel between MikroTik and MikroTik,
GRE over IPsec,
according to this pic.
Is it correct?

Public IP (2.185.1.1 - 2.185.2.2)
LAN (192.168.1.0 - 192.168.226.0)
GRE (172.16.16.1 - 172.16.16.2)

After the GRE config, is the IPsec peer IP the GRE IP or the public IP? And in the policy, public or GRE?


Why are you specifically using GRE?

Why don't you just use L2TP with IPsec over that?

Hi,
Why L2TP?
L2TP or GRE or IPIP?
I am trying to connect 8 organizations in different cities by public IP over the internet.

The only thing that looks off to me is the local/remote traffic selectors for IPsec. Those should match GRE: src=localWan dst=remoteWan.

IPsec won't see the packets inside the GRE tunnel - only the GRE itself.

The nice thing about GRE over IPsec is that you can route any IP across the tunnel you like without having to change the IPsec traffic selectors. You can even run OSPF over the tunnels and all sites will automatically know how to reach all other sites. It easily supports a hub-and-spoke topology - less configuration whenever a new site comes online, etc.
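The selector layout described above, written out as an added RouterOS configuration for the 2.185.1.1 side (an example added here, not posted in the thread). It assumes RouterOS 6.x with the pre-6.43 /ip ipsec peer syntax, a placeholder pre-shared key, and the invented names gre-site2 and gre-prop; the IPsec policy protects only the GRE packets between the two WAN addresses, so LAN routes go over the tunnel without touching the policy.

```routeros
# GRE tunnel endpoints are the public (WAN) addresses from the diagram
/interface gre
add name=gre-site2 local-address=2.185.1.1 remote-address=2.185.2.2

# Tunnel inside addressing (assumed /30)
/ip address
add address=172.16.16.1/30 interface=gre-site2

# Phase 2 proposal: AEAD would be preferable, but AES-256-CBC + SHA-256
# with PFS is a sound baseline that RB750GL/RB2011 hardware handles
/ip ipsec proposal
add name=gre-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# Phase 1 peer is the REMOTE PUBLIC IP, not the GRE address
# (CHANGE-ME-PSK is a placeholder; use a long random secret per site)
/ip ipsec peer
add address=2.185.2.2/32 exchange-mode=main secret=CHANGE-ME-PSK \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Traffic selectors match the GRE outer header: src=localWan dst=remoteWan,
# protocol=gre, transport mode (tunnel=no) since GRE already encapsulates.
# level=require means GRE is dropped rather than sent in clear if no SA exists.
/ip ipsec policy
add src-address=2.185.1.1/32 dst-address=2.185.2.2/32 protocol=gre \
    sa-src-address=2.185.1.1 sa-dst-address=2.185.2.2 tunnel=no \
    action=encrypt level=require proposal=gre-prop

# Remote LAN is reached via the GRE inside address; adding more LANs
# (or running OSPF over gre-site2) never requires changing the policy above
/ip route
add dst-address=192.168.226.0/24 gateway=172.16.16.2

# Only let IKE, ESP and GRE in from the known peer on the WAN side
/ip firewall filter
add chain=input protocol=udp dst-port=500 src-address=2.185.2.2 action=accept
add chain=input protocol=ipsec-esp src-address=2.185.2.2 action=accept
add chain=input protocol=gre src-address=2.185.2.2 action=accept
```

The 2.185.2.2 side mirrors this with the addresses swapped; to confirm the selectors are right, /ip ipsec installed-sa should show SAs between the two WAN addresses and GRE pings should stop if the policy is disabled.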

Is an IPIP tunnel better, or a GRE tunnel over IPsec (for security)?

All 8 points have MikroTik RBs.

Internet: 2 Mb speed with public IP.

Is 2 Mb enough?

Now ping is 230 ms..? Why is it so slow (with IPIP/IPsec)?

Which model RouterBOARD do you have? IPsec can eat a lot of CPU.

RB750GL in the cities + RB2011UAS in the main office.

I could see a 2011 not being powerful enough if you have much traffic going between 8 sites at the same time, especially if all 8 sites are tunneling through the main site for Internet access.
Check your CPU utilization in system resources.

Hi,
I am trying to complete my design,
but in my cities the left MikroTik RouterBOARD cannot ping the Cisco.
I describe it in the pic below.

I bet the Cisco has a default GW other than 192.168.226.11, and no static route for 195.132.57.0/24.

Any host using 192.168.226.9 as the default GW will also be unable to reach PC1 if this is true.

Fix in Cisco:
config t
! network address for the /24 (the original had the host address 195.132.57.2 with a /24 mask)
ip route 195.132.57.0 255.255.255.0 192.168.226.11
! IPIP tunnel /30 via the MikroTik
ip route 172.151.1.0 255.255.255.252 192.168.226.11
end
(or use the correct netmask for the IPIP tunnel if it's not a /30)

Any hosts on the other side of the Cisco will need correct routes as well.