Need a hand setting up OSPF over GRE

For each router, you need 3 things:

  • the public IP, the hubs must have static IP addresses, the spokes can have dynamic
  • a loopback IP, which will be used to "anchor" the GRE tunnel
  • a /30 for each tunnel [*]

[*] I tried to use GRE as unnumbered but OSPF doesn't come up. Assigning an IP address works.

Here is the configuration for the hub:

  • public IP: 10.0.0.1
  • Loopback: 172.31.254.1/32
  • GRE to spoke01: 172.30.255.1/30

Given that this is a lab environment, I added a route to 172.31.255.1/32 via ether1 - otherwise the IPSEC policy is never matched. In your environment, you may need it or it may be addressed by the default route.

/interface gre
add local-address=172.31.254.1 name=gre_spoke01 remote-address=172.31.255.1

/interface list
add name=VPN-Spokes

/ip ipsec peer
add exchange-mode=ike2 local-address=10.0.0.1 name=spokes passive=yes send-initial-contact=no

/ip ipsec policy group
add name=spokes

/routing ospf instance
add disabled=no name=main-ospf

/routing ospf area
add comment=Backbone disabled=no instance=main-ospf name=backbone

/interface list member
add interface=gre_spoke01 list=VPN-Spokes

/ip address
add address=192.168.90.1/24 comment=defconf interface=bridge network=192.168.90.0
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=172.31.254.1 interface=lo network=172.31.254.1
add address=172.30.255.1/30 interface=gre_spoke01 network=172.30.255.0
/ip firewall filter
add action=accept chain=input dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=VPN-Spokes protocol=ospf
add action=accept chain=forward in-interface-list=LAN out-interface-list=VPN-Spokes
add action=accept chain=forward in-interface-list=VPN-Spokes out-interface-list=LAN

/ip ipsec identity
add generate-policy=port-strict my-id=fqdn:hub01.lab.local peer=spokes policy-template-group=spokes remote-id=fqdn:spoke01.lab.local secret=myspokesaregreat

/ip ipsec policy
add dst-address=172.31.255.0/24 group=spokes src-address=172.31.254.1/32 template=yes

/ip route
add dst-address=172.31.255.0/24 gateway=ether1
/routing ospf interface-template
add area=backbone disabled=no interfaces=bridge passive
add area=backbone disabled=no interfaces=VPN-Spokes type=ptp

/system identity
set name=hub01

Here is the configuration for the spoke:

  • public IP: 10.0.0.128
  • Loopback: 172.31.255.1/32
  • GRE to spoke01: 172.30.255.2/30

This is an older RouterOS that doesn't have a proper lo interface, so I added the loopback as a secondary address on the bridge interface. I added a routing filter rule to redistribute only the routes in 192.168.0.0/16, but not the loopback/tunnel IP.

/interface gre
add local-address=172.31.255.1 name=gre_spoke01 remote-address=172.31.254.1

/interface list
add name=VPN-Spokes

/ip ipsec peer
add address=10.0.0.1/32 exchange-mode=ike2 name=spokes

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254

/routing ospf instance
add disabled=no name=main-ospf out-filter-chain=ospfChain

/routing ospf area
add disabled=no instance=main-ospf name=backbone

/interface list member
add interface=gre_spoke01 list=VPN-Spokes

/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=192.168.100.0
add address=10.0.0.128/24 interface=ether1 network=10.0.0.0
add address=172.31.255.1 interface=bridge network=172.31.255.1
add address=172.30.255.2/30 interface=gre_spoke01 network=172.30.255.0

/ip firewall filter
add action=accept chain=input in-interface-list=VPN-Spokes protocol=ospf
add action=accept chain=forward in-interface-list=LAN out-interface-list=VPN-Spokes
add action=accept chain=forward in-interface-list=VPN-Spokes out-interface-list=LAN

/ip ipsec identity
add my-id=fqdn:spoke01.lab.local peer=spokes remote-id=fqdn:hub01.lab.local secret=myspokesaregreat

/ip ipsec policy
add dst-address=172.31.254.1/32 peer=spokes src-address=172.31.255.1/32 tunnel=yes

/ip route
add dst-address=172.31.254.1/32 gateway=ether1

/routing filter rule
add chain=ospfChain rule="if (dst in 192.168.0.0/16) {accept;}"

/routing ospf interface-template
add area=backbone disabled=no interfaces=bridge passive
add area=backbone disabled=no interfaces=VPN-Spokes type=ptp

/system identity
set name=spoke01
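Most of the pairing mistakes in a setup like this (GRE endpoints that don't mirror, tunnel addresses in different /30s, IPsec identities or secrets that don't match, a missing ptp template) only show up as "OSPF never comes up". The script below is an added example, not code from the post or from MikroTik: it parses trimmed copies of the two exports above with a small reader for the `/section` + `add key=value` export format and checks that the hub and spoke sides agree. The rules in `check_pair` are my assumptions about what must line up between the two routers, including the post's own observation that an unnumbered GRE interface will not form an OSPF adjacency.

```python
"""Consistency check for a RouterOS hub/spoke GRE-over-IPsec pair.

Added example, not from the forum post. HUB and SPOKE are trimmed copies of
the two exports in the post; the rules in check_pair are assumptions about
what must mirror between the two sides.
"""
import ipaddress
import shlex

HUB = """\
/interface gre
add local-address=172.31.254.1 name=gre_spoke01 remote-address=172.31.255.1
/ip address
add address=172.31.254.1 interface=lo network=172.31.254.1
add address=172.30.255.1/30 interface=gre_spoke01 network=172.30.255.0
/ip ipsec identity
add generate-policy=port-strict my-id=fqdn:hub01.lab.local peer=spokes policy-template-group=spokes remote-id=fqdn:spoke01.lab.local secret=myspokesaregreat
/ip ipsec policy
add dst-address=172.31.255.0/24 group=spokes src-address=172.31.254.1/32 template=yes
/routing ospf interface-template
add area=backbone disabled=no interfaces=bridge passive
add area=backbone disabled=no interfaces=VPN-Spokes type=ptp
"""

SPOKE = """\
/interface gre
add local-address=172.31.255.1 name=gre_spoke01 remote-address=172.31.254.1
/ip address
add address=172.31.255.1 interface=bridge network=172.31.255.1
add address=172.30.255.2/30 interface=gre_spoke01 network=172.30.255.0
/ip ipsec identity
add my-id=fqdn:spoke01.lab.local peer=spokes remote-id=fqdn:hub01.lab.local secret=myspokesaregreat
/ip ipsec policy
add dst-address=172.31.254.1/32 peer=spokes src-address=172.31.255.1/32 tunnel=yes
/routing ospf interface-template
add area=backbone disabled=no interfaces=bridge passive
add area=backbone disabled=no interfaces=VPN-Spokes type=ptp
"""


def parse_export(text):
    """Parse '/section' headers and 'add k=v ...' lines into {section: [dict, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
            continue
        tokens = shlex.split(line)  # handles quoted values such as rule="..."
        if current is None or not tokens or tokens[0] not in ("add", "set"):
            continue
        entry = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            entry[key] = value if sep else True  # bare flag such as 'passive'
        current.append(entry)
    return sections


def tunnel_address(cfg, gre_name):
    """Return the ip_interface assigned to the named GRE interface, or None if unnumbered."""
    for entry in cfg.get("/ip address", []):
        if entry.get("interface") == gre_name:
            return ipaddress.ip_interface(entry["address"])
    return None


def check_pair(hub, spoke):
    """Return a list of mismatches between parsed hub and spoke configs (empty = consistent)."""
    problems = []
    hg, sg = hub["/interface gre"][0], spoke["/interface gre"][0]
    if (hg["local-address"], hg["remote-address"]) != (sg["remote-address"], sg["local-address"]):
        problems.append("GRE local/remote addresses do not mirror each other")

    ht, st = tunnel_address(hub, hg["name"]), tunnel_address(spoke, sg["name"])
    if ht is None or st is None:
        problems.append("GRE interface is unnumbered; OSPF will not form an adjacency")
    else:
        if ht.network.prefixlen != 30 or st.network.prefixlen != 30:
            problems.append("tunnel addresses are not /30")
        if ht.network != st.network or ht.ip == st.ip:
            problems.append("tunnel addresses are not two distinct hosts of one /30")

    hi, si = hub["/ip ipsec identity"][0], spoke["/ip ipsec identity"][0]
    if (hi["my-id"], hi["remote-id"]) != (si["remote-id"], si["my-id"]):
        problems.append("IPsec identities (my-id/remote-id) do not mirror each other")
    if hi["secret"] != si["secret"]:
        problems.append("IPsec pre-shared secrets differ")

    # Spoke policy must select the GRE endpoints; the hub template must cover them.
    hp, sp = hub["/ip ipsec policy"][0], spoke["/ip ipsec policy"][0]
    s_local, s_remote = ipaddress.ip_address(sg["local-address"]), ipaddress.ip_address(sg["remote-address"])
    if s_local not in ipaddress.ip_network(sp["src-address"]) or s_remote not in ipaddress.ip_network(sp["dst-address"]):
        problems.append("spoke IPsec policy does not match the GRE endpoints")
    if s_remote not in ipaddress.ip_network(hp["src-address"]) or s_local not in ipaddress.ip_network(hp["dst-address"]):
        problems.append("hub IPsec policy template does not cover the spoke's GRE endpoints")

    for side, cfg in (("hub", hub), ("spoke", spoke)):
        if not any(t.get("type") == "ptp" for t in cfg.get("/routing ospf interface-template", [])):
            problems.append(f"{side}: no OSPF interface-template with type=ptp for the tunnel")
    return problems


if __name__ == "__main__":
    print(check_pair(parse_export(HUB), parse_export(SPOKE)) or "hub/spoke pair is consistent")
```

To check a real pair, paste the relevant sections of `/export` from each router into the two strings; the parser only needs the sections referenced in `check_pair`, so extra sections are ignored.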