GRE tunnel with IPsec secret

Hello, I have a question about GRE tunnels.

I’ve got a GRE tunnel set up perfectly, it’s working great.

Now I want to encrypt this with the IPsec secret, just for testing.

But I don’t know how, to be honest. When I add the same secret on both interfaces my connection breaks…

Maybe you should add filter rules to allow UDP 500 and 4500 traffic. It’s ISAKMP and NAT-T that the IPsec framework uses.

I added this on both sides of my GRE tunnel, but it still does not work.
(I changed the dst-addresses to the far end of the tunnel.)

add chain=forward action=accept protocol=udp dst-address=10.10.20.1 dst-port=500 in-interface=gre-tunnel1
add chain=forward action=accept protocol=udp dst-address=10.10.20.1 dst-port=4500 in-interface=gre-tunnel1

Wrong chains. You need to accept not the dst-address but the src-address of the IP on the other side, in the input chain. Same config on the other side. You need to accept input traffic, not any other.

This is my setup:

R1 – R2 – R3

There’s a tunnel from R1 to R3.

On R1 I added:

add action=accept chain=input dst-port=500 in-interface=gre-tunnel1 protocol=udp
add action=accept chain=input dst-port=4500 in-interface=gre-tunnel1 protocol=udp

I did the same on R3.

On R2 I added the same rule twice, once for each side, so I’m accepting from R1 and accepting from R3.

Still, after this I’m getting errors in the log files:

Peer send packet for dead phase2
Failed to pre-process ph 2 packet

Assign your global interface as in-interface, not the GRE. Also assign src-address. Don’t allow the whole world to access you.

I changed the in-interfaces to my main interfaces, but it still doesn’t work!
I keep getting the error “Failed to pre-process ph2 packet.”

And my main GRE tunnel works without encryption. Are there any other firewall rules needed besides accepting ports 500 and 4500?

Edit:
After setting up my secret I’m getting ISAKMP-SA established with both my IPs, but it still does not work.

  1. Is the ROS version on both routers the same?
  2. Check and copy here the dynamic rules created in IP/IPsec.
    I remember that GRE channels with a “password” didn’t start in my case either (it was a long time ago, when that ability had only just been added to GRE channels); I just created proper IPsec static rules instead of the dynamic ones.

Set 6.40.4 and try again. In normal mode, you just assign the same shared key on both sides and allow UDP 500, 4500 in your routers, and it’s easy to establish on aes-128-cbc with a 1024 DH group key.

R1 is a Cloud Hosted Router; it has version 6.40.4.
R3 is an RB3011; it has version 6.40.4.

When I export my system settings I get this for IPsec:

On R1:
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-128-cbc

On R3:
/ip ipsec policy
set 0 disabled=yes

And checking the menu inside IP/IPsec,
I have a peer, a remote peer, mode config = request only, and proposals.
And only R3 has installed SAs; I’ve got none on R1.

Let the default peer and policy be enabled. Don’t create static records.

After almost giving up I rebooted both devices and my tunnel worked… But now I’m checking my ICMP messages through the tunnel, and they’re not encrypted?

It depends what you are pinging. Anything you ping that is reachable behind the GRE IP will be encrypted. If you ping the global IP which is the destination in the configuration of the GRE tunnel, the ICMP will be in clear form.

When I Wireshark my ICMP messages I can see my GRE header, so it should be encrypted but it ain’t.

Edit: when I disable my secret I can see my GRE header; when I enable my secret my GRE header is not visible in Wireshark?

Which interface did you sniff?

Sniffing from my R2, not a specific interface.

Give me your paste of
ip route export
ip route print

IP route R1:

/ip route
add distance=1 gateway=192.0.2.130@main routing-mark="customer 1"
add distance=1 dst-address=10.1.1.0/28 gateway=10.10.20.2@main routing-mark="customer 1"
add distance=1 gateway=192.0.2.130@main routing-mark=management
add distance=1 dst-address=192.0.2.0/28 gateway=10.10.20.2@main routing-mark=gre-tunnel
add distance=1 gateway=192.0.2.130
/ip route vrf
add interfaces=vlan-30,vlan-20,vlan-10 routing-mark="customer 1"
add interfaces=vlan-40 routing-mark=management

IP route print:

 0 A S  0.0.0.0/0                          192.0.2.130@main          1
 1 A S  10.1.1.0/28                        10.10.20.2@main           1
 2 ADC  192.0.2.0/27       192.0.2.1       vlan-10                   0
 3 ADC  192.0.2.32/27      192.0.2.33      vlan-20                   0
 4 ADC  192.0.2.64/27      192.0.2.65      vlan-30                   0
 5 A S  0.0.0.0/0                          192.0.2.130@main          1
 6 ADC  192.0.2.96/27      192.0.2.97      vlan-40                   0
 7 A S  192.0.2.0/28                       10.10.20.2@main           1
 8 A S  0.0.0.0/0                          192.0.2.130               1
 9 ADC  10.10.20.0/30      10.10.20.1      gre-tunnel1               0
10 ADC  192.0.2.128/27     192.0.2.129     vlan-50                   0

IP route R2:

/ip route
add distance=1 dst-address=192.0.2.104/32 gateway=10.10.20.1@main routing-mark=customer2
add distance=1 dst-address=192.0.2.0/27 gateway=10.10.20.1@main routing-mark=customer1
add distance=1 dst-address=192.0.2.32/27 gateway=10.10.20.1@main routing-mark=customer1
add distance=1 dst-address=192.0.2.64/27 gateway=10.10.20.1@main routing-mark=customer1
add distance=1 gateway=ether4
add distance=1 dst-address=192.0.2.0/24 gateway=10.10.10.1
/ip route vrf
add interfaces=vlan10-eth3 routing-mark=customer2
add interfaces=vlan20-eth3 routing-mark=customer1

IP route print:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.0.2.0/28       192.0.2.1       vlan10-eth3               0
 1 A S  192.0.2.104/32                     10.10.20.1@main           1
 2 ADC  10.1.1.0/28        10.1.1.1        vlan20-eth3               0
 3 A S  192.0.2.0/27                       10.10.20.1@main           1
 4 A S  192.0.2.32/27                      10.10.20.1@main           1
 5 A S  192.0.2.64/27                      10.10.20.1@main           1
 6 A S  0.0.0.0/0                          ether4                    1
 7 ADC  10.0.0.0/28        10.0.0.1        bridge-vlan40             0
 8 ADC  10.10.10.0/30      10.10.10.2      ether4                    0
 9 ADC  10.10.20.0/30      10.10.20.2      gre-tunnel1               0
10 A S  192.0.2.0/24                       10.10.10.1                1

If you ping 10.10.20.1 (the other side of the GRE), do you see the GRE header?

Pinging from 192.0.2.104 to 192.0.2.2 on the other end of the GRE tunnel gives me no GRE header when pinging with IPsec.
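To make the “is it actually encrypted?” check above repeatable, here is an added Python example that is not part of the thread or of RouterOS: it classifies constructed raw IPv4 packets the way a capture on the transit router R2 would show them, and flags any GRE (protocol 47) travelling between the two tunnel endpoints outside ESP (protocol 50). The public endpoint addresses 203.0.113.1 and 203.0.113.3 are assumed placeholders, not values from the thread.

```python
import struct
from collections import Counter

# Constructed sample data (not from the thread): the public tunnel endpoints are placeholders.
R1_PUB, R3_PUB = "203.0.113.1", "203.0.113.3"

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (no options, zero checksum) followed by payload."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d) + payload

def classify(pkt):
    """Return (src, dst, label): what a capture on the transit router shows for one packet."""
    ver_ihl, _, _, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = ".".join(map(str, s)), ".".join(map(str, d))
    if proto == 47:  # GRE directly on the outer header: the tunnel is NOT inside ESP
        return src, dst, "gre-cleartext"
    if proto == 50:  # ESP: the GRE packet is encrypted inside
        return src, dst, "esp"
    if proto == 17:
        _, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if dport in (500, 4500):  # IKE / NAT-T keying traffic, expected in the clear
            return src, dst, "isakmp/nat-t"
    return src, dst, f"proto-{proto}"

def audit(pkts, endpoints):
    """Count labels between the two endpoints; any cleartext GRE means the IPsec policy did not apply."""
    counts = Counter()
    for p in pkts:
        src, dst, label = classify(p)
        if {src, dst} == set(endpoints):
            counts[label] += 1
    return counts, counts["gre-cleartext"] > 0

# Constructed capture with the secret enabled: only IKE and ESP appear between the endpoints.
ENCRYPTED = [
    ipv4(R1_PUB, R3_PUB, 17, struct.pack("!HHHH", 500, 500, 8, 0)),
    ipv4(R1_PUB, R3_PUB, 50, b"\x00" * 32),
    ipv4(R3_PUB, R1_PUB, 50, b"\x00" * 32),
]
# Same ping with the secret disabled: GRE (proto 47) carrying inner ICMP is visible as-is.
PLAIN = [ipv4(R1_PUB, R3_PUB, 47, b"\x00\x00\x08\x00" + ipv4("192.0.2.104", "192.0.2.2", 1))]

if __name__ == "__main__":
    for name, cap in (("secret on", ENCRYPTED), ("secret off", PLAIN)):
        counts, leak = audit(cap, (R1_PUB, R3_PUB))
        print(f"{name}: {dict(counts)} cleartext GRE leak: {leak}")
```

Feed it the packets of a real sniff taken on R2 and a non-zero `gre-cleartext` count between the endpoints tells you the policy is not matching, while GRE between an endpoint and some third address is simply traffic the policy was never meant to cover.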