Hello, everybody,
We are currently trying to establish an IPSEC over GRE solution between our HQ and our partners. They have a Cisco router and we have a MikroTik RB951G. The configurations are as follows:
Cisco side:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key **** address 172.16.30.1
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile IPSEC
 set transform-set TEST
interface Tunnel0
 ip address 172.20.19.41 255.255.255.252
 tunnel source 172.16.30.2
 tunnel mode ipsec ipv4
 tunnel destination 172.16.30.1
 tunnel protection ipsec profile IPSEC
interface FastEthernet0/0
 ip address 172.16.30.2 255.255.255.0
 speed auto
 duplex full
!
interface FastEthernet0/1
 ip address 10.200.151.1 255.255.255.0
 speed auto
 duplex auto
Mikrotik side:
Interfaces:
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME         TYPE        ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS
 0 R  ether1       ether             1500                    08:00:27:AD:08:79
 1    gre-tunnel1  gre-tunnel        1476  65535
IP Addresses:
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS           NETWORK       INTERFACE
 0   172.16.30.1/24    172.16.30.0   ether1
 1   172.20.19.42/30   172.20.19.0   gre-tunnel1
Peers:
0 address=172.16.30.2/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="*******"
generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=2m dpd-maximum-failures=5
Policy:
1 src-address=172.20.19.42/32 src-port=any dst-address=172.20.19.41/32 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=172.16.30.2 sa-dst-address=172.16.30.1
proposal=default priority=0
Proposal:
0 * name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=1d pfs-group=none
We don't have access to the Cisco router, so we can't modify its config, but our partner's network guy assured me that his configs are good.
The goal here is that we want to have access to the 10.200.151.0/24 network from the Mikrotik router.
When there is just the GRE tunnel between the two routers, everything works fine: I can ping the mentioned network from my MikroTik router without any problem. But from the moment we activate the IPsec protection, I can still ping the other side of the tunnel (172.20.19.41), but I get timeouts when I try to reach the 10.200.151.0/24 network.
Regarding the IPsec protection, everything looks fine to me; the SAs are properly installed.
Can anyone please point out what I'm doing wrong here?
Thank you in advance for your assistance.
N.
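One thing that can be checked offline is which of the two flows described in the post actually fall inside the selectors of the MikroTik policy (src-address=172.20.19.42/32, dst-address=172.20.19.41/32, protocol=all). The following is an added example, not part of the original post or of RouterOS itself: it models RouterOS selector matching (source, destination and protocol must all match) in Python and runs the posted policy against a ping to the tunnel peer and a ping to the Cisco LAN address 10.200.151.1 from the post, then runs the outer GRE packet (172.16.30.1 to 172.16.30.2, protocol gre) against both the posted selector and an assumed alternative selector on the GRE transport, which is included only for comparison. It says nothing about the Cisco side or about which SA gets used; it only shows selector coverage.

```python
"""Selector-coverage check for the MikroTik IPsec policy quoted in the post.

Added example, not from the original post. Addresses are the ones posted
(10.200.151.1 is the Cisco FastEthernet0/1 address); the transport-level
selector at the bottom is an assumption used for comparison only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str        # src-address selector, CIDR
    dst: str        # dst-address selector, CIDR
    protocol: str   # "all" or an IP protocol name (icmp, gre, esp, ...)
    action: str     # what RouterOS would do with a matching packet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


def policy_matches(policy: Policy, flow: Flow) -> bool:
    """True when src, dst and protocol of the flow all fall inside the selector."""
    if policy.protocol != "all" and policy.protocol != flow.protocol:
        return False
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(policy.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(policy.dst))


def classify(policies, flow: Flow) -> str:
    """Action of the first matching policy; 'bypass' when no selector covers the flow."""
    for policy in policies:
        if policy_matches(policy, flow):
            return policy.action
    return "bypass"


# Policy 1 from the post: only traffic between the two tunnel inner addresses.
POSTED_POLICIES = [Policy("172.20.19.42/32", "172.20.19.41/32", "all", "encrypt")]

# Inner (GRE payload) flows described in the post.
FLOWS = {
    "ping tunnel peer": Flow("172.20.19.42", "172.20.19.41", "icmp"),
    "ping partner LAN": Flow("172.20.19.42", "10.200.151.1", "icmp"),
}

# Outer packet that carries either inner flow across ether1.
OUTER_GRE = Flow("172.16.30.1", "172.16.30.2", "gre")

# Assumed alternative for comparison: a selector on the GRE transport itself.
GRE_TRANSPORT_POLICIES = [Policy("172.16.30.1/32", "172.16.30.2/32", "gre", "encrypt")]


def report() -> dict:
    """How the posted selector treats each described flow, plus the outer GRE packet
    under the posted selector and under the assumed transport-level selector."""
    result = {name: classify(POSTED_POLICIES, flow) for name, flow in FLOWS.items()}
    result["outer GRE, posted selector"] = classify(POSTED_POLICIES, OUTER_GRE)
    result["outer GRE, transport selector"] = classify(GRE_TRANSPORT_POLICIES, OUTER_GRE)
    return result


if __name__ == "__main__":
    for name, action in report().items():
        print(f"{name:32s} -> {action}")
```

Running it shows that the posted /32-to-/32 selector covers only the ping between the tunnel inner addresses; a packet from 172.20.19.42 to any 10.200.151.0/24 host does not match it, and neither does the outer GRE packet. Whether that is the cause of the timeouts depends on how the Cisco side expects the traffic to arrive, which the script does not model.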