GRE over IPsec

In the case of GRE over IPsec, what IPsec policy should I create? Does it need to be 255 (all), 4 (ip-encap) or 47 (GRE)? I am configuring it between Huawei and MikroTik. The Huawei guide suggests setting up an IPsec ACL for GRE over IPsec.

http://forum.mikrotik.com/t/ipsec-equivalent-config-for-mikrotik-routeros/145646/1

Definitely not IP-ENCAP as GRE is a different protocol. Setting GRE is sufficient if Huawei supports that too, otherwise 255. The Huawei ACL 3000 in your other topic as linked by @msatter doesn’t specify any IP protocol, hence 255 (which is the default if you don’t specify any protocol) at Mikrotik side is a matching setting.

Yes, as per that guide from Huawei the ACL mentions:
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0

So when I set this ACL to GRE after permit instead of IP, the tunnel establishes but no traffic passes even though the tunnel is established.
Let me try with 255 on the MikroTik end.

Of course you can do whatever you need to keep the other end happy. In MikroTik you can auto-create a policy (by just entering an IPsec key directly at the GRE interface settings) and it will automatically create the policy, and you can look at it.
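As an added illustration (not configuration from the thread or from either vendor's guide), here is how the two MikroTik-side options described above look in RouterOS CLI: an explicit policy matching the Huawei ACL with protocol GRE, and the auto-created one obtained by setting an IPsec secret on the GRE interface. The addresses are the ones from the Huawei ACL quoted in the thread; the pre-shared key is a placeholder, and the tunnel/transport mode is an assumption that must be matched to what the Huawei side negotiates.

```routeros
# Option A: explicit policy, mirroring "rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0".
# protocol=gre (47) selects only the GRE packets; use protocol=all (255) if the
# peer's selector carries no protocol, as the Huawei ACL above does.
/ip ipsec policy
add src-address=1.2.1.1/32 dst-address=1.2.2.1/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp \
    tunnel=yes sa-src-address=1.2.1.1 sa-dst-address=1.2.2.1 \
    proposal=default
# Assumption: tunnel=yes; change to tunnel=no if the Huawei side uses transport mode.

# Phase 2 proposal pinned to the combination reported as working in the thread
# (3DES/SHA1); adjust once both ends are verified to agree on stronger algorithms.
/ip ipsec proposal
set default enc-algorithms=3des auth-algorithms=sha1 pfs-group=modp1024

# Option B: let RouterOS create peer + policy for you. Setting ipsec-secret on
# the GRE interface generates a dynamic policy (protocol gre) between the two
# endpoint addresses; inspect it with "/ip ipsec policy print detail".
/interface gre
add name=gre-huawei local-address=1.2.1.1 remote-address=1.2.2.1 \
    ipsec-secret=REPLACE_WITH_PSK
# keepalive is deliberately left unset here (see the advice later in this thread
# about enabling it only after the tunnel is known to pass traffic).
```

Use either option A or option B, not both, or the two policies will overlap for the same selector.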

I found out that with 3DES and SHA1 and 255 the tunnel establishes and traffic moves through it. Having issues with other cipher combinations. Tunnel between Huawei and MikroTik.

That is quite common with incomplete or older IPsec implementations.
It is also the reason why this is still the default configuration. When you change it, you run the risk of problems.

@mafiosa

Make your life easy: play with IPsec especially between same-vendor devices.
I had unestablished tunnels with MikroTik on a different version.
When I upgraded to a later version, bam, everything works well.

I found dynamic routing protocols are much easier (I'm avoiding it as much as possible) for establishing... IPsec is just wasting time.

I am using GRE over IPSec, so that I can use ospf between branches.

It should work well.
Another potential problem is to enable keepalive. Don’t do that at first. It can be incompatible.
With a routing protocol on top you probably don’t require the keepalive at all. When you want fast switchover use BFD instead.