I’m a MikroTik (MT) newbie and know only basic setup things, so I have a question regarding GRE over IPsec configuration.
My office needs to have a GRE over IPsec tunnel to a private APN (mobile internet access), so that mobile terminals can reach servers in my office LAN.
I was given very few details by the mobile provider, with some examples of how to configure it, but on Cisco devices.
Can someone please help me translate the Cisco config to MT?
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp key KLUCZ_PreSharedKey address 212.2.102.235
!
crypto isakmp peer address 212.2.102.235
description POLKOMTEL
!
crypto ipsec transform-set gre esp-3des esp-sha-hmac
!
access-list 112 remark Polaczenie do Polkomtela
access-list 112 permit ip host eee.fff.ggg.hhh host 212.2.100.177
!
crypto map POLKOMTEL 10 ipsec-isakmp
description POLKOMTEL
set peer 212.2.102.235
set transform-set gre
set pfs group2
match address 112
!
interface Tunnel0
ip unnumbered FastEthernet4
tunnel source FastEthernet4
tunnel destination 212.2.100.177
!
interface FastEthernet4
description INTERNET
ip address aaa.bbb.ccc.ddd 255.255.255.252
crypto map POLKOMTEL
!
ip route iii.jjj.kkk.lll 255.255.255.0 Tunnel0
ip route 212.2.100.177 255.255.255.255 Tunnel0
!
================== LEGEND =====================
aaa.bbb.ccc.ddd - IPsec tunnel end IP
eee.fff.ggg.hhh - GRE tunnel end IP (can be the same as for IPsec)
iii.jjj.kkk.lll - IP address range inside the GRE tunnel (address range inside the APN).
212.2.102.235 - IPsec tunnel end IP on the Polkomtel side (mobile provider)
212.2.100.177 - GRE tunnel end IP on the Polkomtel side (mobile provider)
My LAN is 192.168.3.0/24. Agreed APN is 192.168.8.0/23.
It was decided by provider that my IPSec and GRE tunnel end will be my WAN IP.
Since eee.fff.ggg.hhh is supposedly your public WAN IP, which is configured directly on your MikroTik, there is no need to take special measures for NAT. If this is not the case, say so.
The GRE interface will look as follows:
/interface gre add name=gre-polkomtel local-address=eee.fff.ggg.hhh remote-address=212.2.100.177
The following line is actually not necessary unless you’d want to use recursive next-hop search, which requires that the gateway items of all routes involved are given as IP addresses:
/ip address add address=aaa.bbb.ccc.ddd/30 interface=gre-polkomtel
iii.jjj.kkk.lll/24 in the following should probably be substituted by 192.168.8.0/23, if I’ve understood properly the part I’ve quoted above:
/ip route add dst-address=iii.jjj.kkk.lll/24 gateway=gre-polkomtel
The ip route 212.2.100.177 255.255.255.255 Tunnel0 part of the Cisco configuration makes little sense to me, except if they want to make sure that some route towards 212.2.100.177 is defined and thus the packet will be routed somewhere regardless of the rest of your routing, so that the crypto map can match on it and divert it into the IPsec tunnel. Any other route whose dst-address includes 212.2.100.177, including the default one, is sufficient for that purpose.
A separate headache is that GRE is handled very specifically by MikroTik’s firewall and that the GRE keepalive mechanism is also specific. See this post regarding the keepalive, and bear in mind that unexpected GRE packets are labeled as connection-state=invalid by current RouterOS versions, so you have to make sure that a rule dropping invalid packets in chain input of /ip firewall filter doesn’t drop GRE packets. If you are not familiar with the MikroTik firewall, better post the export of your current one.
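For reference, here is a complete RouterOS translation of the Cisco configuration from the first post, covering the IPsec part (phase 1, phase 2, policy) that the reply above leaves out, plus the firewall rules it warns about. This is an added example, not code from either poster. It assumes RouterOS 6.43 or later (the /ip ipsec profile and identity menus), the placeholder addresses from the legend, and that the provider answers GRE keepalives. The point worth noticing is that the IPsec peer (212.2.102.235) is not the GRE endpoint (212.2.100.177): the policy selector matches traffic to the GRE endpoint, while the SA is built to the peer.

```routeros
# Added example: RouterOS equivalent of the posted Cisco GRE-over-IPsec config.
# Assumptions: RouterOS >= 6.43 syntax; eee.fff.ggg.hhh is the public WAN IP
# that is configured directly on the router (no NAT in between).

# crypto isakmp policy 1 (phase 1): 3DES, SHA1, DH group 2 (= modp1024), pre-shared key
/ip ipsec profile add name=polkomtel enc-algorithm=3des hash-algorithm=sha1 dh-group=modp1024
/ip ipsec peer add name=polkomtel address=212.2.102.235/32 exchange-mode=main profile=polkomtel
/ip ipsec identity add peer=polkomtel auth-method=pre-shared-key secret="KLUCZ_PreSharedKey"

# crypto ipsec transform-set gre esp-3des esp-sha-hmac + set pfs group2 (phase 2)
/ip ipsec proposal add name=polkomtel enc-algorithms=3des auth-algorithms=sha1 pfs-group=modp1024

# access-list 112 + crypto map POLKOMTEL: all IP between my GRE endpoint and the
# provider's GRE endpoint is encrypted; the SA itself goes to peer 212.2.102.235.
/ip ipsec policy add peer=polkomtel tunnel=yes src-address=eee.fff.ggg.hhh/32 \
    dst-address=212.2.100.177/32 protocol=all action=encrypt level=require proposal=polkomtel

# interface Tunnel0 (keepalive: 10 s interval, 10 misses before the interface is marked down)
/interface gre add name=gre-polkomtel local-address=eee.fff.ggg.hhh \
    remote-address=212.2.100.177 keepalive=10s,10

# ip route iii.jjj.kkk.lll 255.255.255.0 Tunnel0 -> APN range via the GRE interface
/ip route add dst-address=192.168.8.0/23 gateway=gre-polkomtel comment="Polkomtel APN"

# Firewall: accept IKE, ESP and GRE from the provider in chain input.
# These must sit ABOVE any "drop connection-state=invalid" rule, because
# RouterOS classifies unexpected GRE packets as invalid.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 src-address=212.2.102.235 \
    action=accept comment="IKE from Polkomtel"
/ip firewall filter add chain=input protocol=ipsec-esp src-address=212.2.102.235 \
    action=accept comment="ESP from Polkomtel"
/ip firewall filter add chain=input protocol=gre src-address=212.2.100.177 \
    action=accept comment="GRE from Polkomtel"
```

After adding the rules, check their position with /ip firewall filter print and move the three accept rules above the drop-invalid rule if they ended up below it. If the provider's GRE endpoint does not reply to keepalives, the interface will flap to "not running" and routes through it disappear; in that case set keepalive to a value the provider confirms, or disable it. The ip route 212.2.100.177/32 Tunnel0 line from the Cisco config is deliberately not reproduced, for the reason given in the reply above.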