GRE Tunnel and NAT...

One more thing you can try is to keep original Cisco config (if it’s what worked before you added MT), enable IPSec logging on MT (in System->Logging), and check if you see anything interesting there. It’s not as friendly as the rest of RouterOS, but not too bad (as long as there aren’t multiple tunnels that turn it into one big mess with messages from all mixed together).

The confusing thing for me is how could IPSec on both sides agree on your original config, when you had policy only for 172.16.0.0/16 ↔ 172.20.0.0/16, but if Cisco had the same, it could never cover GRE between 1.1.1.1 and 2.2.2.2.

On the Cisco side (ipsec debug), I see packets from MT => Cisco coming in:

#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
no errors listed… :(

@Sob: yeah, good idea, indeed as the original config was 100% fine, it might be a good idea to keep it as it is and to check on the MT side. Is there a way to display the logs on CLI?

I looked into the config again, and maybe I have a hint:

Here’s the config of the Cisco that is the other endpoint:


!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
! (the pre-shared key itself was left out of the post)
crypto isakmp key address 2.2.2.2
! I also removed this for the test yesterday
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TSET_MIKROTIK esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile MIKROTIK
 set transform-set TSET_MIKROTIK
 set pfs group5
!
interface Tunnel1
 description TUNNEL TO MIKROTIK
 ip address 172.30.1.1 255.255.255.0
 ip mtu 1300
 qos pre-classify
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MIKROTIK
!


maybe I should play with that line (tunnel mode ipsec ipv4) and change it to tunnel mode gre ip instead…

I’m not familiar with Cisco config, and I can say that it seems less intuitive than RouterOS. But if I ask Google about “tunnel mode ipsec ipv4”, I see “VTI” all around, which is something that RouterOS doesn’t have.

Maybe it is time to first take a step back and remove the IPsec from the equation and see if you can get a plain GRE tunnel working correctly.
Once that works you are sure you have no routing or filtering issues and you can try adding an IPsec variant that works at both ends.
However, I’m sure that I had plain “GRE over IPsec transport” working (no tunnel) in Cisco, only it seems I did not keep any of those configs.
(at some point we had more than two sites and used the Cisco “nhrp” thing that makes that easier to configure)

There is a lot of whining to get VTI implemented in RouterOS. I’m sure that when that finally happens, the whining about “nhrp” will start. After all, those that want inter-operability with other manufacturer’s equipment will not rest before it basically is a clone of that.

@Sob: well, that depends on where you come from! In my case it’s the opposite, I am quite comfortable with Cisco IOS as I’ve been working with it for 15+ years, and it’s the MT RouterOS that I find less intuitive. The good thing is that the more you work with different vendors, the more comfortable you get with everything. It’s just a matter of time!

@pe1chl: I will review the complete config one more time, I’m thinking more and more that my “tunnel mode ipsec ipv4” command might have something to do with the problem. If it doesn’t solve it, then I guess you’re right, I should remove IPsec completely, establish a GRE tunnel and validate connectivity, and then implement IPsec again…

I’ll keep you posted of course, I’m sure this will help others in the future as well.
Cheers,

Denis

SOLVED!

Alright, I found the problem: It was indeed an issue between the generic GRE implementation used by MT and the based-on-GRE-ish VTI implementation by Cisco.

this works:

interface Tunnel1
 description TUNNEL TO MIKROTIK
 ip address 172.30.1.1 255.255.255.0
 ip mtu 1300
 qos pre-classify
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel mode gre ip
 tunnel protection ipsec profile MIKROTIK


I still need to figure out some details which of course I will share here.
What gave me the hint was that it could not be the IPsec posing problems, as the SAs were OK in both directions. That also ruled out ACL-related issues. As a consequence, the issue must have been on the tunnel itself, and the constant flapping was a good indicator.

I will review my config and play with different settings before sharing the final results.

Ok great!
And do you now have an IPsec profile operating in transport mode? Or still tunnel mode?
Transport mode is more efficient but it will not work when NAT-T is required.

GRE is in tunnel mode for the moment. I will check tonight if I can put it in transport mode or if it fails. I don’t yet know which one I’ll end up using in production. IPsec is taking care of the encryption between the public IPs of both endpoints and I don’t NAT anything on these interfaces, so it should be fine to use transport mode indeed. But on the other hand, I don’t think the additional header of tunnel mode would have a significant impact on performance. The WAN links are 500MB symmetric fiber on both sites, with an average of 30-50 Mbps traffic running across it…

Make sure you have a correct MTU on the GRE tunnel and some way to promote the use of smaller packets across the tunnel so that not everything has to be fragmented.
I personally use this mangle rule:

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn

It should also work with the “Clamp TCP MSS” option in the GRE tunnel config, but I prefer to have the visible rule with counter etc. The GRE tunnel option may be a bit faster and/or work better with FastTrack enabled.
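The MTU and MSS values used in this thread (ip mtu 1300, adjust-mss 1260) and the transport-versus-tunnel-mode comparison can be worked out instead of guessed. The Python script below is an added example and not something posted in the thread; it assumes a 1500-byte link MTU, IPv4 without options, a GRE header without checksum/key/sequence fields, ESP with a CBC cipher (16-byte IV for AES, 8 for 3DES) and a 96-bit HMAC ICV for SHA1/MD5. The thread's figures (inner MTU 1300 → MSS 1260) fall out of tcp_mss(), and transport mode turns out to save exactly one IPv4 header over tunnel mode, which is the efficiency difference mentioned above.

```python
"""Added example: size a GRE-over-IPsec tunnel so TCP does not depend on fragmentation."""

# Fixed header sizes in bytes (assumptions stated in the lead-in).
IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4              # flags/version + protocol type, no optional fields
ESP_SPI_SEQ = 8          # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header, inside the encrypted region
NAT_T_UDP = 8            # extra UDP/4500 header when NAT traversal is in use

CIPHER = {
    "aes-256-cbc": {"iv": 16, "block": 16},
    "aes-128-cbc": {"iv": 16, "block": 16},
    "3des": {"iv": 8, "block": 8},
}
ICV = {"sha1": 12, "md5": 12, "sha256": 16}   # truncated HMAC lengths


def esp_size(payload, cipher, auth):
    """Bytes on the wire for one ESP packet carrying `payload` bytes (without the outer IP header)."""
    c = CIPHER[cipher]
    enc = payload + ESP_TRAILER
    padded = -(-enc // c["block"]) * c["block"]      # round up to the cipher block size
    return ESP_SPI_SEQ + c["iv"] + padded + ICV[auth]


def wire_size(inner, mode, cipher="aes-256-cbc", auth="sha1", nat_t=False):
    """Total size of an `inner`-byte IP packet after GRE and ESP encapsulation."""
    gre_pkt = GRE_HDR + inner
    if mode == "transport":
        esp_payload = gre_pkt                 # ESP protects GRE+inner; the GRE outer IP header is reused
    elif mode == "tunnel":
        esp_payload = IPV4_HDR + gre_pkt      # whole GRE/IP packet is wrapped, a new outer IP header is added
    else:
        raise ValueError(mode)
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + esp_size(esp_payload, cipher, auth)


def max_inner_mtu(link_mtu, mode, **kw):
    """Largest inner packet whose encapsulated form still fits the underlying link."""
    for inner in range(link_mtu, 0, -1):
        if wire_size(inner, mode, **kw) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this encapsulation")


def tcp_mss(inner_mtu):
    """MSS value to clamp TCP SYNs to for a given tunnel MTU (inner IPv4 + TCP headers removed)."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        m = max_inner_mtu(1500, mode)
        print(f"{mode}: max inner MTU {m}, clamp MSS to {tcp_mss(m)}")
    print("thread values: inner MTU 1300 ->", wire_size(1300, "tunnel"),
          "bytes on the wire in tunnel mode, MSS", tcp_mss(1300))
```

Pass nat_t=True when the SA runs over UDP/4500; the extra 8 bytes are the reason an MTU that works without NAT can start fragmenting once NAT-T kicks in.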

Here’s a working example of a Mikrotik - Cisco IOS site-to-site VPN. I hope it will help some of you who, like me, struggled to make it work.
You have to use GRE tunnel mode, I was unable to make transport mode work!

MIKROTIK SIDE:

/interface gre
add allow-fast-path=no mtu=1300 name=gre-tunnel1 remote-address=1.1.1.1

/ip ipsec profile
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 lifetime=1h name=Profile_Cisco nat-traversal=no

/ip ipsec peer
add address=1.1.1.1/32 comment="VPN to Cisco" local-address=2.2.2.2 name=Peer_Cisco profile=Profile_Cisco

/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=IPsec_Proposal_Cisco pfs-group=modp1536

/ip address
add address=172.30.1.2/30 comment="GRE Tunnel to Cisco" interface=gre-tunnel1 network=172.30.1.0

/ip ipsec identity
# CHOOSE A GOOD PWD, but make sure you don't have a question mark "?" at the end, it will not be processed on the Cisco endpoint! EXAMPLE:
add comment=CiscoPSK peer=Peer_Cisco secret="PleaseUseABetterPassword"

/ip firewall filter
# IKE, ESP and the decrypted GRE packets from the Cisco public IP all arrive in the input chain
add action=accept chain=input comment="Allow traffic from Cisco to Mikrotik" dst-address=2.2.2.2 src-address=1.1.1.1
add action=accept chain=output dst-address=1.1.1.1 src-address=2.2.2.2
# EXAMPLE: allow traffic from the LAN behind the distant Cisco router to the local LAN behind the Mikrotik router. Also do the equivalent on your Cisco router.
# (LAN-to-LAN traffic transits the router, so it is matched in the forward chain, not input)
add action=accept chain=forward comment="Allow traffic from Cisco LAN to MT LAN" dst-address=10.0.0.0/24 log=yes src-address=192.168.0.0/24

/ip ipsec policy
# selector is the GRE traffic between the two public IPs (1.1.1.1 = Cisco, 2.2.2.2 = Mikrotik)
add dst-address=1.1.1.1/32 peer=Peer_Cisco proposal=IPsec_Proposal_Cisco protocol=gre src-address=2.2.2.2/32 tunnel=yes

/ip route
add disabled=no distance=1 dst-address=<REMOTE_NET/MASK> gateway=gre-tunnel1 pref-src="" routing-table=main suppress-hw-offload=no
# EXAMPLE:
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=gre-tunnel1 pref-src="" routing-table=main suppress-hw-offload=no



CISCO SIDE:

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
! => please change this with a PSK of your own!! Remember, no question mark accepted at the end of the PSK!
crypto isakmp key PleaseUseABetterPassword address 2.2.2.2
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TSET_MIKROTIK esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile MIKROTIK
 set transform-set TSET_MIKROTIK
 set pfs group5
!
interface Tunnel1
 description TUNNEL TO MIKROTIK
 ip address 172.30.1.1 255.255.255.252
 ! => adapt the two values below according to your WAN link values
 ip mtu 1300
 ip tcp adjust-mss 1260
 ! => only needed if you do some QoS over the GRE tunnel
 qos pre-classify
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 ! => this won't appear in the config since it's the default setting
 tunnel mode gre ip
 tunnel protection ipsec profile MIKROTIK
!


That’s it! And no, you don’t need any NAT exceptions if you already have something like a masquerade NAT rule in place for allowing local (MT) clients to browse the Internet.

Special characters in the PSK indeed are “asking for trouble”. I use only upper/lowercase letters and digits. Normally a 32-character random password, I have a generator for that.
NAT exceptions indeed are required only when making direct IPsec tunnels, not when using GRE over IPsec. That is one of its advantages.
Note that on the MikroTik side you can considerably simplify configuration by omitting all the IPsec config and adding the PSK in the GRE tunnel setup.
The IPsec config will be generated dynamically.
But if that autogenerated config is compatible with the other side of course remains to be seen. It works fine between two MikroTik routers and you can see what it generates and possibly adapt the Cisco config at the other side.

Hi you guys! I have exactly the same problem here and I really can’t figure it out! I found this thread, so I did not create a new topic on the same subject. I’m gonna post my configs here, please help!
mikrotik:

# may/28/2022 09:20:52 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
# model = 951Ui-2HnD
# serial number = B8570BE4F3C7
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface gre
add !keepalive local-address=192.168.222.3 name=gre-tunnel1 remote-address=\
    192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] src-address-list=0
/ip ipsec peer
add address=192.168.222.2/32 name=MYSET
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=\
    md5 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d
/ip address
add address=192.168.222.3/30 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip firewall address-list
add address=0.0.0.0/0 disabled=yes list=0
/ip firewall filter
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=output disabled=yes protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add mode-config=request-only peer=MYSET secret=1234@qwer
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.222.2/32 dst-port=500 sa-dst-address=192.168.222.2 \
    sa-src-address=192.168.222.3 src-address=192.168.222.3/32 src-port=500 \
    tunnel=yes
/ip route
add distance=1 gateway=192.168.222.1
/system clock
set time-zone-name=Asia/Tehran
/system clock manual
set dst-delta=+03:30 time-zone=+03:30

cisco:

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!

crypto isakmp key 1234@qwer address 192.168.222.3

crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode tunnel


crypto map VPN 10 ipsec-isakmp
 set peer 192.168.222.3
 set transform-set MYSET
 set pfs group2
 match address GREIPSEC
!

!
interface Tunnel1
 ip address 192.168.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1.2
 tunnel destination 192.168.222.3
!

!
interface GigabitEthernet0/0/0.2
 crypto map VPN
!


!
ip access-list extended GREIPSEC
 permit ip 192.168.222.0 0.0.0.255 192.168.222.0 0.0.0.255
 permit gre 192.168.222.0 0.0.0.255 192.168.222.0 0.0.0.255
 permit icmp 192.168.222.0 0.0.0.255 192.168.222.0 0.0.0.255

kind regards.

Hi, have you figured it out yet or shall we look into it?
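An added example (not part of the thread) for the kind of cross-vendor check this whole topic is about: a small Python script that reads a RouterOS /ip ipsec proposal line together with the Cisco transform-set and pfs lines and reports whether the phase 2 parameters can agree. The name mapping (RouterOS algorithm names to Cisco keywords) is hand-built for the algorithms that appear in this thread plus a few common ones, and RouterOS defaults (aes-256-cbc, sha1, modp1024 PFS) are filled in where an export omits the attribute. The two inputs are constructed by copying the lines from the posts above: Denis's working pair, and the 3DES/MD5 pair from the last post. On the second pair the checker flags the auth algorithm (md5 on the MikroTik proposal, esp-sha-hmac on the Cisco transform-set); that is just what those two lines say and not a complete review of that configuration.

```python
"""Added example: compare RouterOS proposal vs Cisco transform-set/pfs for phase 2 agreement."""
import re

# Hand-built name mapping (assumption: covers the ciphers on this page plus a few
# common ones; it is not an exhaustive list of what either vendor supports).
MT_TO_CISCO_ENC = {
    "aes-128-cbc": ("esp-aes", "128"),
    "aes-192-cbc": ("esp-aes", "192"),
    "aes-256-cbc": ("esp-aes", "256"),
    "3des": ("esp-3des", None),
    "des": ("esp-des", None),
}
MT_TO_CISCO_AUTH = {"md5": "esp-md5-hmac", "sha1": "esp-sha-hmac", "sha256": "esp-sha256-hmac"}
MT_TO_CISCO_PFS = {"none": None, "modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}

# Values RouterOS uses when an export line leaves the attribute out.
MT_DEFAULTS = {"enc-algorithms": "aes-256-cbc", "auth-algorithms": "sha1", "pfs-group": "modp1024"}


def parse_mt_proposal(line):
    """Return (enc list, auth list, pfs group) from an '/ip ipsec proposal' add/set line."""
    kv = dict(re.findall(r"(\S+?)=(\S+)", line))
    enc = kv.get("enc-algorithms", MT_DEFAULTS["enc-algorithms"]).split(",")
    auth = kv.get("auth-algorithms", MT_DEFAULTS["auth-algorithms"]).split(",")
    pfs = kv.get("pfs-group", MT_DEFAULTS["pfs-group"])
    return enc, auth, pfs


def parse_cisco_transform_set(line):
    """Return (name, (esp cipher keyword, AES key size or None), esp auth keyword)."""
    toks = line.split()
    if toks[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line: " + line)
    name, rest = toks[3], toks[4:]
    enc = keysize = auth = None
    i = 0
    while i < len(rest):
        t = rest[i]
        if t in ("esp-aes", "esp-3des", "esp-des"):
            enc = t
            if t == "esp-aes":
                keysize = "128"                     # 'esp-aes' alone means 128-bit keys
                if i + 1 < len(rest) and rest[i + 1].isdigit():
                    keysize = rest[i + 1]           # 'esp-aes 256' carries the key size
                    i += 1
        elif t.endswith("-hmac"):
            auth = t
        i += 1
    return name, (enc, keysize), auth


def parse_cisco_pfs(line):
    """'set pfs group5' -> 'group5'; None when no PFS line is configured."""
    toks = line.split()
    return toks[2] if toks[:2] == ["set", "pfs"] and len(toks) > 2 else None


def check_phase2(mt_proposal, cisco_transform_set, cisco_pfs=""):
    """True per parameter when at least one MikroTik choice maps onto the Cisco setting."""
    enc, auth, pfs = parse_mt_proposal(mt_proposal)
    _, c_enc, c_auth = parse_cisco_transform_set(cisco_transform_set)
    c_pfs = parse_cisco_pfs(cisco_pfs) if cisco_pfs else None
    return {
        "enc": any(MT_TO_CISCO_ENC.get(e) == c_enc for e in enc),
        "auth": any(MT_TO_CISCO_AUTH.get(a) == c_auth for a in auth),
        "pfs": MT_TO_CISCO_PFS.get(pfs) == c_pfs,
    }


# Constructed inputs, copied from the two configurations posted in this thread.
WORKING = check_phase2(
    "add enc-algorithms=aes-256-cbc lifetime=1h name=IPsec_Proposal_Cisco pfs-group=modp1536",
    "crypto ipsec transform-set TSET_MIKROTIK esp-aes 256 esp-sha-hmac",
    "set pfs group5",
)
LAST_POST = check_phase2(
    "set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d",
    "crypto ipsec transform-set myset esp-3des esp-sha-hmac",
    "set pfs group2",
)

if __name__ == "__main__":
    for label, result in (("working example", WORKING), ("last post", LAST_POST)):
        bad = [k for k, ok in result.items() if not ok]
        print(f"{label}: " + ("phase 2 parameters agree" if not bad else "mismatch in " + ", ".join(bad)))
```

Phase 1 (isakmp policy versus /ip ipsec profile) deserves the same treatment; it is left out here only because RouterOS and IOS spell those settings differently enough that the mapping table would double in size.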