Need support with GRE over IPSec VPN

shaoranrch · August 22, 2014, 3:53pm

Hello there, currently i am in need for support regarding a VPN link i’ve stablished between our main office and a branch office, this is a really important link since the financial data is located in our main office and branch is always in the need of pulling it from our servers.

As of right now the link is stablished betwen a Cisco UC-520 and a Mikrotik CCR1036-12G-4S running v6.18
The VPN is GRE over IPSec using ESP and Transport mode.

Here’s the configuration for both routers:

CISCO (branch):

interface Tunnel0
 ip address 172.16.100.2 255.255.255.252
 keepalive 30 3
 tunnel source FastEthernet0/0
 tunnel destination Main_Office_PublicIP
 tunnel protection ipsec profile 100

crypto isakmp key 12345 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set 100 esp-aes 256 esp-md5-hmac
 mode transport

crypto isakmp policy 100
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 14400

crypto ipsec profile 100
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 7200
 set transform-set 100

Mikrotik (Main office):

/interface gre
add dscp=inherit keepalive=30 local-address=Main_Public_Address name=Tun0 remote-address=Branch_Public_Address

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=aes-256-cbc lifetime=2h name=VPN1 pfs-group=none
/ip ipsec peer
add address=Branch_Public_Address/32 enc-algorithm=aes-128,aes-256 hash-algorithm=sha256 lifetime=4h \
    local-address=Main_Public_Address nat-traversal=no secret=12345
/ip ipsec policy
add dst-address=Branch_Public_Address/32 proposal=VPN1 protocol=gre sa-dst-address=:: sa-src-address=\
    :: src-address=Main_Public_Address/32

More information:
Both routers are performing NAT, although on both routers i either deny (cisco) or accept (mikrotik) traffic that’s either IPSEC-ESP, GRE or going to the private ip addresses that we use.

The problem:

I can see the SA starting and stablishing (phase 1 and phase 2), but seems as if randomly (and even though the SA are still on, or at least it looks like), the whole tunnel stops working, i check the connectivity by sshing via public ip addresses to the branch router and it works correctly so i know it’s not a reachability issue, sometimes i end manually the SAs on both routers and it works again, but yet again, sometimes that doesn’t work and i have to wait for a while or even reload the routers for it to work again.

I’d like if someone could check the config posted above and point me to any error, because i can’t seem to find it.

Thanks in advance for any help you could provide.

shaoranrch · August 22, 2014, 6:14pm

BUMP, anyone?

BartoszP · August 22, 2014, 6:32pm

Mikrotik opens tunell when it is needed. Maybe it is your problem…no traffic so tunnell is closed.
In Tool/Netwatch set ping to any address in main office and up and down scripts. It prevents VPN from beeing closed.

I used to set ping interval for value which is odd (eg. 61 sec.) and timeout for about 3 sec. to prevent false “downs”
if ping is occasionally longer than typical ones. Flushing ipsec’s installed-sa makes VPN to be reestablished.

See my script examples - to use short email sending version inside scripts you need to fill Tools/E-mail settings first.

/tool netwatch
down script
:local komunikat “VPN: $[/system identity get name], $[/system clock get time], $[/system clock get date], $[/ip address get [find interface=ETH1-WAN] address] - DOWN”;
/ip ipsec installed-sa flush;
/tool e-mail send to=…your mail… subject=$komunikat;
up script
:local komunikat “VPN: $[/system identity get name], $[/system clock get time], $[/system clock get date], $[/ip address get [find interface=ETH1-WAN] address] - UP”;
/tool e-mail send to=…yourmail… subject=$komunikat;

shaoranrch · August 22, 2014, 6:39pm

BartoszP:

Mikrotik opens tunell when it is needed. Maybe it is your problem…no traffic so tunnell is closed.
In Tool/Netwatch set ping to any address in main office and up and down scripts. It prevents VPN from beeing closed.

I used to set ping interval for value which is odd (eg. 61 sec.) and timeout for about 3 sec. to prevent false “downs”
if ping is occasionally longer than typical ones. Flushing ipsec’s installed-sa makes VPN to be reestablished.

See my script examples - to use short email sending version inside scripts you need to fill Tools/E-mail settings first.

/tool netwatch
down script
:local komunikat “VPN: $[/system identity get name], $[/system clock get time], $[/system clock get date], $[/ip address get [find interface=ETH1-WAN] address] - DOWN”;
/ip ipsec installed-sa flush;
/tool e-mail send to=…your mail… subject=$komunikat;
up script
:local komunikat “VPN: $[/system identity get name], $[/system clock get time], $[/system clock get date], $[/ip address get [find interface=ETH1-WAN] address] - UP”;
/tool e-mail send to=…yourmail… subject=$komunikat;

Thanks, i though that too, but the VPN also fails when there’s traffic going through, for instance the tunnel was sending and receiving roughly 400 kbps, everything perfect, then suddendly it stopped working. Checked connectivity with branch office through public IP, everything was ok, i did however reload the cisco router and everything worked again which is something that leads me to believe it’s a problem with the appliance but i really need to be sure that it isn’t my fault due to a misconfiguration