Mikrotik to PaloAlto - GRE over IPSec - Routing Problem

LifeGame · September 8, 2022, 1:56pm

Hi;

My ipsec and gre is working... traffic is routed via GRE. But ... all traffic to paloalto comes from 10.0.0.2(Mikrotik GRE adress 10.0.0.2/30). How can i fix it ? i need to see clients LAN ip adress.

Mikrotik v7.5 Conf;

/ip ipsec mode-config
set [ find default=yes ] src-address-list=local
/ip ipsec peer
add address=82.222.XXX.XXX/32 exchange-mode=ike2 local-address=5.26.XXX.XXX name=test
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=ike_crypto nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=modp2048
/ip ipsec identity
add peer=test
/ip ipsec policy
add dst-address=192.168.100.0/23 level=unique peer=test src-address=10.10.5.0/24 tunnel=yes

/interface gre
add allow-fast-path=no clamp-tcp-mss=no local-address=10.10.5.1 mtu=1400 name=gre remote-address=192.168.101.1

/ip firewall mangle
add action=route chain=prerouting passthrough=yes route-dst=10.0.0.1 src-address=10.10.5.0/24

/ip address/print

ADDRESS NETWORK INTERFACE

0 10.10.5.1/24 10.10.5.0 Bridge
1 10.0.0.2/30 10.0.0.0 gre
2 5.26.XXX.XXX/28 5.26.XXX.XXX WA

/ip route print

DST-ADDRESS GATEWAY DISTANCE

0 Xs 0.0.0.0/0 10.0.0.1 1
1 As 0.0.0.0/0 5.26.XXX.XXX 1
DAc 5.26.XXX.XXX/28 WAN 0
DAc 10.0.0.0/30 gre 0
DAc 10.10.5.0/24 Bridge 0

other routing method tried;
/ip firewall/mangle/prin
chain=prerouting action=mark-routing new-routing-mark=route_vpn passthrough=yes src-address=10.10.5.0/24 log=no log-prefix=""

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 pref-src="" routing-table=route_vpn scope=30 suppress-hw-offload=no target-scope=10

This is paloalto log.. actually real source 10.10.5.200 ..
source address is 10.0.0.2 in all logs..

Thanks..

mkx · September 8, 2022, 1:58pm

Do you have any NAT rules defined on MT?

LifeGame · September 8, 2022, 2:16pm

Yes but disabled

[admin@MikroTik] > ip firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
0 X ;;; IPSec_NAT_Out
chain=srcnat action=accept src-address=10.10.5.0/24 dst-address=192.168.100.0/23 log=no log-prefix=“”
1 X ;;; IPSec_NAT_In
chain=srcnat action=accept src-address=192.168.100.0/23 dst-address=10.10.5.0/24 log=no log-prefix=“”
2 ;;; Internet
chain=srcnat action=masquerade log=no log-prefix=“”

mkx · September 8, 2022, 2:49pm

Rule #2 is not disabled. And I have a feeling it might be interfering because as it’s shown it masquerades just every traffic passing its routing engine (and that includes IPsec traffic).

LifeGame · September 8, 2022, 3:00pm

Yes.. You are right.. Traffic returns to normal when I turn off Masquerade rule but this time the client cannot access the internet..

Masquerade Enable (Check Reply Dst Address);

Masquerade Enable (Check Reply Dst Address);

mkx · September 8, 2022, 3:04pm

You have to make the masquerade rule less greedy. It might be simply the matter of setting out-interface property to only masquerade traffic flowing through your WAN interface. If MT’s WAN Interface is used as breakout to internet. If clients are supposed to break out to internet via palo alto, then it’s probably palo alto who should be doing the SRC-NAT for clients on MT side.

LifeGame · September 8, 2022, 3:29pm

I’m checking the pa side now !
Is there any other way to route lan traffic without using GRE? PaloAlto support only ipsec and GRE..

mkx · September 8, 2022, 3:41pm

Thete are many ways to build (secure) VPN over internet. If the other end ¶ only supports said combination, zhen other possibilities are out of the game obviously.
As soon as you configure GRE with IP address, it becomes a normal network interface from IP point of view and same principles apply as for usual interfaces (e.g. ethernet interface used as WAN interface or PPPoE interface).
And the above is true for both sides of the tunnel. PA has to know about MT’s LAN subnet so it can route traffic towards it via tunnel. Etc.

LifeGame · September 9, 2022, 9:49am

PA has 2 tunnel interface for this lab.
tunnel.2 → for GRE
tunnel.3 → for IPSec

Routing Policy 1
Destination : 10.10.5.1/32
Interface : tunnel.3

Routing Policy 2
Destination : 10.10.5.0/24
Interface : tunnel.2

After this routeing policy, all done !!! Finaly ! Thanks Bro !!!

This conf only working with Mikrotik v7.5. GRE is not working with 6.49

Now i need correct firewall rules for Mikrotik Mikrotik is different from other firewalls .

RiFF · September 16, 2022, 3:30pm

To be clear, PALO can terminate traffic with a policy-based VPN solution (you need to configure a proxy ID for traffic selectors in PALO). GRE is not only one option for MT ↔ PALO IPsec, but only one possible if you want build a route-based VPN solution with other vendors (because MikroTik still does not support VTI interfaces: /)

LifeGame · October 11, 2022, 5:52am

Actually this is only valid for IKE v1. If you use IKE v2, the tunnel is up without entering the proxy id…
In my tests;
IKE v1 : Must have proxy id on both sides.. MT ipsec policy src and dst address must same with PA Proxy ID
IKE v2: Even if proxy id is empty in PA, tunnel is up

With this rule i don’t need gre anymore;
/ip ipsec policy
add action=none dst-address=10.10.5.0/24 src-address=10.10.5.0/24
add dst-address=0.0.0.0/0 level=unique peer=ipsecpeer proposal=IPSec_Crypto
src-address=10.10.5.0/24 tunnel=yes

/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=0.0.0.0/0
src-address=10.10.5.0/24
add action=masquerade chain=srcnat out-interface-list=WAN