IPsec/GRE One Way Traffic?

jonah1810 · June 27, 2023, 12:30am

Hello so I have an established gre/ipsec tunnel between my house and my office, I am trying to set up a second tunnel from a different location to the office, we will call it house 2

The gre/ipsec configuration for the second tunnel on the office router is identical(minus the ips) to the already working tunnels config on that router.

The gre/ipsec configuration on house 2 router is identical to house 1 router.

note: i’ve tested all of this with firewall on and off. same results.

The Issue: I can ping from the office gre tunnel ip (10.1.253.2) to the house 2 gre tunnel ip(10.1.253.1) but I cannot ping from House 2 router gre tunnel ip(10.1.253.1) back to the office gre tunnel ip(10.1.253.2)

When I did the aforementioned ping I ran a torch on the opposite end to see what was coming in. What i found was that on the working tunnel when i ping the opposite end of the tunnel as mentioned above, Src address would = gre tunnel ip (10.1.253.0/30) on the working side (or on my other link with different ips) But from the nonworking side (house 2 → Office) i could see the packet being received on the office router, BUT it’s src address was House 2 WAN ip, not the gre tunnel ip(10.1.253.1) which it should be…which is how my working tunnel behaves. why is my gre tunnel trying to source from my wan ip, which isnt even connected to the gre tunnel? Is this a bug? at first house 1 and house 2 were on same firmware, but now house 2 is on latest stable (7.10) even when i specify pings src address = 10.1.253.1 it still shows up as the house 2 wan ip on the other side.

House1 Router(working):rb4011

House2 Router(notworking):hapac3

Here is the House 2 router config, maybe you can find an error I could not.

# 2023-06-26 17:08:34 by RouterOS 7.10
/interface bridge
add name=bridge1
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] comment="(WAN)"
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-n configuration.mode=ap \
    .ssid=SJG-Fiber disabled=no
set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=5180 .width=\
    20/40/80mhz configuration.mode=ap .ssid=SJG-Fiber-5Ghz disabled=no
/interface gre
add allow-fast-path=no local-address=House2WanIP name=gre-tunnel1 \
    remote-address=OfficeWAN
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool2 ranges=10.10.253.10-10.10.253.200
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=10m name=dhcp1
/routing ospf instance
add disabled=no in-filter-chain=ospf-in name=ospf-instance-1 \
    out-filter-chain=ospf-out redistribute="" router-id=10.255.255.253
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone-v2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=wifi1
add bridge=bridge1 ingress-filtering=no interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=gre-tunnel1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.10.253.1/24 interface=bridge1 network=10.10.253.0
add address=10.1.253.1/30 interface=gre-tunnel1 network=10.1.253.0
add address=10.255.255.253 interface=loopback network=10.255.255.253
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.253.0/24 dns-server=8.8.8.8 gateway=10.10.253.1
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.21
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add list=ddos-attackers
add list=ddos-target
add address=192.168.1.0/24 list=LAN
add address=10.10.0.0/16 list=LAN
add address=10.100.0.0/16 list=LAN
add address=10.1.0.0/16 list=LAN
add address=10.95.0.0/16 list=LAN
add address=10.99.0.0/16 list=LAN
add address=x.x.x.x/24 list=LAN
/ip firewall filter
add action=accept chain=input comment="Accept Jonah" src-address=\
    64.180.117.107
add action=accept chain=input comment="Accept Office" src-address=\
    23.160.240.0/24
add action=accept chain=forward comment="Accept Dst-Nat" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Accept Established,Related" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Accept IPsec" ipsec-policy=in,ipsec
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    disabled=yes
add action=drop chain=forward comment="Drop all else Not From LAN" disabled=\
    yes in-interface-list=!LAN
add action=drop chain=input comment="Drop all else Not From LAN" disabled=yes \
    in-interface-list=WAN src-address-list=!LAN
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address=House2WanIP \
    dst-port=20-21 protocol=tcp src-address-type=local to-addresses=\
    10.10.253.122 to-ports=20-21
add action=dst-nat chain=dstnat disabled=yes dst-address=House2WanIP \
    dst-port=50000-50100 protocol=tcp to-addresses=10.10.253.0/24 to-ports=\
    50000-50100
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
    10.10.253.0/24 src-port=20-21 to-addresses=House2WanIP to-ports=20-21
add action=src-nat chain=srcnat to-addresses=House2WanIP
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    disabled=yes dst-address=255.255.255.255 dst-port=67 in-interface-list=\
    LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes in-interface-list=WAN src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes dst-address-list=bad_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes in-interface-list=WAN src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes dst-address-list=bad_dst_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    disabled=yes in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" disabled=yes \
    dst-address-list=LAN in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" disabled=yes \
    in-interface-list=LAN src-address-list=!LAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" disabled=yes \
    port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    disabled=yes jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    disabled=yes jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" disabled=yes \
    in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
    yes
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=drop chain=prerouting dst-address-list=ddos-target \
    src-address-list=ddos-attackers
/ip firewall service-port
set ftp ports=20,21
/ip route
add disabled=yes distance=1 dst-address=10.100.0.0/16 gateway=\
    10.1.253.2%gre-tunnel1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set www-ssl disabled=no
/routing bfd configuration
add disabled=no
/routing ospf interface-template
add area=backbone-v2 disabled=no interfaces=gre-tunnel1 networks=\
    10.1.253.0/30 priority=1 type=ptp
/system clock
set time-zone-name=America/Vancouver
/system logging
add disabled=yes topics=event
/system note
set show-at-login=no