OSPF and GRE IPSec tunnel

/routing ospf area
set [ find default=yes ] disabled=yes
add area-id=10.4.0.0 name=area-10.4.0.0
/routing ospf instance
set [ find default=yes ] in-filter="" out-filter="" router-id=10.4.0.0
/routing ospf network
add area=area-10.4.0.0 network=10.4.0.0/24
add area=area-10.4.0.0 network=172.18.0.0/20

/interface gre
add allow-fast-path=no !keepalive local-address=10.73.129.10 name=gre-tunnel1 remote-address=x.x.x.x

[admmk@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                       
 0   ;;; default configuration
     10.4.0.1/24        10.4.0.0        ether2-master-local                                                                                             
 1   172.18.0.10/20     172.18.0.0      gre-tunnel1                                                                                                     
 2 D 10.73.129.10/24    10.73.129.0     ether1-inet1       

[admmk@MikroTik] > /routing ospf route print 
 # DST-ADDRESS        STATE          COST                                             GATEWAY         INTERFACE                                         
 0 10.4.0.0/24        intra-area     10                                               0.0.0.0         bridge-local                                      
 1 10.29.1.0/24       inter-area     14                                              
 2 10.29.2.0/24       inter-area     14                                              
 3 10.29.3.0/24       inter-area     14                                              
 ......and lot of 10.29.x.0/24 routes 
 
[admmk@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.73.129.254             1
 1 ADC  10.4.0.0/24        10.4.0.1        bridge-local              0
 2 A S  10.29.1.0/24                       gre-tunnel1               1
 3 ADC  10.73.129.0/24     10.73.129.10    ether1-inet1              0
 4 ADC  172.18.0.0/20      172.18.0.10     gre-tunnel1               0
[admmk@MikroTik] >

What’s wrong with OSPF and the routes? The router doesn’t install OSPF routes in its routing table.

As we can see, the LSAs are ok:

[admmk@MikroTik] > /routing ospf lsa print
AREA                                                                               TYPE         ID             ORIGINATOR     SEQUENCE-NUMBER        AGE
area-10.4.0.0                                                                      router       1.39.45.2      1.39.45.2           0x80000003       1964
area-10.4.0.0                                                                      router       10.4.0.0       10.4.0.0            0x80000006        399
area-10.4.0.0                                                                      summary-n... 10.29.1.0      1.39.45.2           0x80000004       1964
area-10.4.0.0                                                                      summary-n... 10.29.2.0      1.39.45.2           0x80000004       1964
area-10.4.0.0                                                                      summary-n... 10.29.3.0      1.39.45.2           0x80000004       1964
... and so on.

It almost feels like a filter rule, although clearly there is no in-filter set. Try making a filter rule which just accepts everything, and then specifying that rule on the ospf instance.

I’m assuming that there is an ABR to the backbone area 0.0.0.0 somewhere on the other end of the GRE tunnel…

What device is on the other side of the tunnel?

On the other side is a Cisco router with an ip unnumbered GRE interface. I think this is the problem, because Cisco sets the interface index in the LSA but not the IP address. And MikroTik does not have an ip unnumbered interface.

Yes, such setups are not supported in RouterOS.

It’s bad. I nearly set up a network with static (MikroTik) to dynamic VTI (Cisco), and only this OSPF problem on the MikroTik side does not allow me to do this.

You can do an unnumbered ethernet interface between a Cisco and a Mikrotik, but it has to use static routing
(I’ll show how later)

Just for laughs, I tried to lab this unnumbered OSPF in GNS3.

Even Cisco routers won’t form OSPF adjacencies on unnumbered ethernet interfaces. They will on true ptp interfaces such as serial interfaces, but not unnumbered ethernet interfaces.

For those interested, Cisco will let you make an unnumbered ethernet interface if it’s a sub-interface

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 100 area 0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip unnumbered Loopback0
 ip ospf 100 area 0
!

Whenever I try to put FastEthernet0/0.1 into OSPF, however, I get this message:
*Jan 15 08:43:11.287: %OSPF-4-NO_IPADDRESS_ON_INT: No IP address for interface FastEthernet0/1.1

even though “show ip interface brief” →

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  up                    up  
FastEthernet0/0.1          2.2.2.2         YES TFTP   up                    up

To manually make an unnumbered interface, after setting up the Cisco’s interface as shown above, I then created a static route to the Mikrotik’s loopback IP of 10.10.10.10/32

ip route 10.10.10.10 255.255.255.255 FastEthernet0/0.1

On the Mikrotik, you need to enable proxy-arp on the ethernet interface, and create a static route to the Cisco’s loopback IP of 2.2.2.2

/interface ethernet set 0 arp=proxy-arp
/interface bridge add name=lo0
/ip address add address=10.10.10.10/32 interface=lo0
/ip route add distance=1 dst-address=2.2.2.2/32 gateway=ether1 pref-src=10.10.10.10 scope=10

After this, the Mikrotik and the Cisco can ping each other’s loopback IP addresses. On the Mikrotik, if you set scope=10 on the “unnumbered” route, then you can easily use that as a destination hop IP for anything routing across ether1
e.g. /ip route add dst=0.0.0.0/0 gateway=2.2.2.2

But the reason OSPF won’t work from the Mikrotik’s perspective is that OSPF learns which interfaces it should use based on the classic “networks” model - meaning that you must specify an IP network range to define what area that range is in. Then any interfaces whose IP addresses fall within that range will be activated as OSPF interfaces in that area. Since there is only one true interface where the loop IP lives, the ethernet interface doesn’t belong to that area.

In Cisco, any ptp interfaces such as pppoe interfaces or serial interfaces will actually appear as members of that area, even though their address is unnumbered from the loop interface.

If the Mikrotik is the static IP host, and is the server, then you could use PPP over L2TP instead of GRE, and I’ve got OSPF running on this in GNS3.

On the Cisco, you need to have an IOS like advipservices, adventservices in order to use the virtual-pppX interface configuration…

Here’s the basic setup:

l2tp-class foo
!
pseudowire-class bar
  encapsulation l2tpv2
  ip local interface FastEthernet0/0
!
interface Virtual-PPP1
 ip address negotiated
 ip ospf 100 area 0
 ppp chap hostname r2
 ppp chap password 0 r2
 ppp pap sent-username r2 password 0 r2
 pseudowire 10.1.10.10 10 pw-class bar
!

The IP address after “pseudowire” in the Virtual-PPP1 configuration is the IP of the Mikrotik.

I specified the UID/PASS for both PAP and CHAP formats in the example - you can use just one in production.

On the Mikrotik, it’s pretty straightforward - the only thing I had to do different than a general user secret was to allow the MRU to be 1500. This may not be acceptable for you, and there may be a way to make the Cisco negotiate this value, but when I tried setting the MTU on the interface it refused to let me do so.

For OSPF to work easily, I chose a ppp address range for clients and added that as an OSPF network. The router then advertises its connected route(s) with the Mikrotik.
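The two posts above both come down to the same rule: OSPF activates an interface only if one of that interface's own addresses falls inside a configured network range, which is why the unnumbered ethernet interface never joins the area while a PPP interface assigned from a pool does. The following Python model of that rule is an added illustration, not code from this thread or from RouterOS or IOS. The address and network values in the first scenario are the ones printed earlier in the thread; the PPP pool 192.168.99.0/24 and the interface names lo0, ether1 and ppp-in-r2 are constructed for the example.

```python
"""Model of the classic OSPF "network statement" interface-activation rule.

Added illustration for this thread (not RouterOS or IOS code): an interface
joins an OSPF area only if one of its OWN addresses lies inside a configured
network range. An unnumbered interface borrows its address from a loopback
and owns none, so no network statement can ever activate it.
"""
from ipaddress import ip_interface, ip_network


def active_ospf_interfaces(interfaces, networks):
    """Return {interface_name: area} for the interfaces OSPF would activate.

    interfaces: {name: ["addr/prefix", ...]}; an empty list means unnumbered.
    networks:   [("prefix", "area"), ...], like "/routing ospf network" entries.
    The first matching network statement wins for a given interface.
    """
    active = {}
    for name, addrs in interfaces.items():
        for addr in addrs:
            ip = ip_interface(addr).ip
            for prefix, area in networks:
                if ip in ip_network(prefix):
                    active[name] = area
                    break
            if name in active:
                break
    return active


# Scenario 1: the addresses and network statements from the first post.
# bridge-local and gre-tunnel1 are activated; ether1-inet1 is not covered.
THREAD_INTERFACES = {
    "bridge-local": ["10.4.0.1/24"],
    "gre-tunnel1": ["172.18.0.10/20"],
    "ether1-inet1": ["10.73.129.10/24"],
}
THREAD_NETWORKS = [
    ("10.4.0.0/24", "area-10.4.0.0"),
    ("172.18.0.0/20", "area-10.4.0.0"),
]


def thread_scenario():
    return active_ospf_interfaces(THREAD_INTERFACES, THREAD_NETWORKS)


# Scenario 2: the unnumbered-ethernet lab. lo0 carries 10.10.10.10/32 and
# ether1 borrows it. Even a catch-all network statement cannot activate
# ether1, because it has no address of its own to match.
UNNUMBERED_INTERFACES = {"lo0": ["10.10.10.10/32"], "ether1": []}


def unnumbered_scenario():
    return active_ospf_interfaces(UNNUMBERED_INTERFACES, [("0.0.0.0/0", "backbone")])


# Scenario 3: the L2TP/PPP alternative. The PPP peer gets an address from a
# client pool (192.168.99.0/24 is a constructed pool, not a value from the
# thread), the pool is added as an OSPF network, and the dynamic PPP
# interface now owns an address that matches, so it is activated.
PPP_INTERFACES = {"lo0": ["10.10.10.10/32"], "ppp-in-r2": ["192.168.99.1/32"]}
PPP_NETWORKS = [("192.168.99.0/24", "backbone"), ("10.10.10.10/32", "backbone")]


def ppp_scenario():
    return active_ospf_interfaces(PPP_INTERFACES, PPP_NETWORKS)


if __name__ == "__main__":
    for label, result in (("GRE thread", thread_scenario()),
                          ("unnumbered", unnumbered_scenario()),
                          ("L2TP/PPP", ppp_scenario())):
        print(f"{label:>11}: {result}")
```

The second scenario is the whole point of the thread: the statement `network 0.0.0.0/0 area backbone` covers every address the router has, yet ether1 still stays out of OSPF because the matching is done against addresses the interface owns, not addresses it borrows.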

Thanks for the advice. At the moment I’ve set up GRE keepalive and two static routes with different metrics on the MikroTik side. When there is no connection on the main GRE link, the GRE interface goes down, the main GRE route becomes inactive and traffic switches to the 2nd GRE. On the Cisco side OSPF is working correctly and traffic switches with OSPF.

You must satisfy these requirements

Ensure that you meet these requirements before you attempt this configuration:

• Make sure that the tunnel works before you apply the crypto maps.

• Refer to Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems for information about possible Maximum Transmission Unit (MTU) issues.

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. These are RFC 1918 addresses which have been used in a lab environment.

Note: Crypto does not support the OSPF router. You may have to install the VPN module in order for this to work.