OSPF over GRE tunnel and IPSEC VPN

Hello,
I just started my adventure with RouterOS. I have an RB2011UiAS-2HnD running RouterOS version 6.7.
In the headquarters of my company we have a Cisco 3800 with IOS version 12.4(9)T7. I’m trying to set up a VPN connection with IPsec and the OSPF routing protocol between these devices. I’m not sure if this is possible, and if so, please help and show me the error in my configuration.

#Tunnel configuration in Cisco
interface Tunnel0
ip address 172.17.254.254 255.255.255.0
no ip redirects
ip mtu 1440
ip nat inside
ip virtual-reassembly
ip ospf authentication-key 7 ****************
ip ospf network broadcast
ip ospf priority 20
qos pre-classify
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 1000
tunnel protection ipsec profile VPN-ST

interface Loopback0
ip address 172.17.252.254 255.255.255.255

interface GigabitEthernet0/0
description LAN
ip address 10.0.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
service-policy output LAN_shape

interface GigabitEthernet0/1
description WAN
ip address PUBLIC_IP_ADDRESS_headquarters 255.255.255.224
ip nat outside
ip virtual-reassembly
crypto map Mapa_enc

#Cisco OSPF
router ospf 15
router-id 10.0.0.0
log-adjacency-changes
passive-interface GigabitEthernet0/1
passive-interface Vlan3
passive-interface Vlan4
network 10.0.0.0 0.0.0.255 area 0
network 10.1.0.0 0.0.0.255 area 1
network 172.17.252.254 0.0.0.0 area 0
network 172.17.254.0 0.0.0.255 area 0


#MikroTik configuration
/ip address
add address=PUBLIC_IP_ADDRESS_OF_MY_LOCATION/30 interface=WAN network=MODEM_ADDRESS_OF_MY_LOCATION
add address=192.168.191.1/24 interface=lan_port_bridge network=192.168.191.0
add address=172.17.254.191/24 interface=GRE_TUNNEL_NAME network=172.17.254.0

/ip route print
 #      DST-ADDRESS          PREF-SRC            GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                                MODEM_ADDRESS             1
 1 ADC  NETWORK_ADDRESS/30   MY_PUBLIC_ADDRESS   WAN                       0
 2 ADC  172.17.254.0/24      172.17.254.191      GRE_TUNNEL_NAME           0
 3 ADC  192.168.191.0/24     192.168.191.1       lan_port_bridge           0

/interface gre
add mtu=1440 name=Companyheadquarters remote-address=PUBLIC_IP_ADDRESS_headquarters

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=8h
/ip ipsec peer
add address=PUBLIC_IP_ADDRESS_headquarters/32 dpd-interval=15s enc-algorithm=3des hash-algorithm=md5 lifetime=8h my-id-user-fqdn=PUBLIC_IP_ADDRESS_OF_MY_LOCATION secret=********
/ip ipsec policy
add dst-address=10.0.0.0/24 sa-dst-address=PUBLIC_IP_ADDRESS_headquarters sa-src-address=PUBLIC_IP_ADDRESS_OF_MY_LOCATION src-address=192.168.191.0/24 tunnel=yes
add dst-address=10.1.0.0/24 sa-dst-address=PUBLIC_IP_ADDRESS_headquarters sa-src-address=PUBLIC_IP_ADDRESS_OF_MY_LOCATION src-address=192.168.191.0/24 tunnel=yes

/routing ospf instance
set [ find default=yes ] router-id=192.168.191.0
/routing ospf interface
add authentication=simple authentication-key=******* interface=GRE_TUNNEL_NAME network-type=broadcast priority=0
/routing ospf network
add area=backbone network=192.168.191.0/24
add area=backbone network=172.17.254.0/24

The VPN tunnel with IPsec looks like it works: I can ping local hosts on both sides (10.0.0.0/24 to 192.168.191.0/24 and vice versa). The OSPF neighbor list does not show any hosts on either side and no information is received. I know that the configuration may be wrong at the VPN connection stage, so please let me know if something looks wrong. Please help, any information would be very valuable to me. Thank you very much.

Razol, sorry nobody got back to you earlier! Try dropping your OSPF auth for now and wait until you get it up and running successfully. Also, ditch the broadcast type on OSPF and switch to P2P. A tiny bit more config to do, but you’ll get more reliability. The networks in OSPF are also different between your Cisco and MT; I’d check to make sure you have those configured right. Also, I’d recommend setting your router ID to a loopback address on the MT and not within a network that you’re trying to pass over the tunnel.
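A quick way to see why an adjacency never forms is to compare the hello parameters each side sends: a router silently discards hellos whose area, AuType, hello/dead interval or, on a broadcast network, netmask differ from its own, and the Cisco interface as posted has an authentication-key but no `ip ospf authentication` (and no `area 0 authentication`), so it still sends AuType 0 while the MikroTik interface is set to simple. The script below is an added example, not code from the thread; its hello packets are constructed from the posted router IDs, priorities and the 172.17.254.0/24 tunnel mask, with the default 10/40 second timers assumed on both ends.

```python
import struct
from socket import inet_aton, inet_ntoa
from typing import List, NamedTuple

OSPF_HELLO = 1  # OSPFv2 packet type

class Hello(NamedTuple):
    router_id: str
    area: str
    au_type: int   # 0 = null, 1 = simple password, 2 = cryptographic (MD5)
    netmask: str
    hello_int: int
    dead_int: int
    priority: int

def build_hello(router_id, area, au_type, netmask, priority, hello_int=10, dead_int=40) -> bytes:
    """Constructed OSPFv2 hello (RFC 2328 A.3.1/A.3.2): no neighbours, zero checksum and auth data."""
    body = struct.pack("!4sHBBI4s4s", inet_aton(netmask), hello_int, 0x02, priority,
                       dead_int, b"\0" * 4, b"\0" * 4)
    header = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, 24 + len(body), inet_aton(router_id),
                         inet_aton(area), 0, au_type, b"\0" * 8)
    return header + body

def parse_hello(pkt: bytes) -> Hello:
    ver, ptype, _len, rid, area, _csum, au_type, _auth = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    if ver != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 hello")
    mask, hello_int, _opts, prio, dead_int, _dr, _bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    return Hello(inet_ntoa(rid), inet_ntoa(area), au_type, inet_ntoa(mask), hello_int, dead_int, prio)

def mismatches(mine: Hello, theirs: Hello, broadcast: bool = True) -> List[str]:
    """Why `mine` would silently drop `theirs` hello (RFC 2328 sections 8.2 and 10.5)."""
    reasons = []
    if mine.area != theirs.area:
        reasons.append(f"area {mine.area} vs {theirs.area}")
    if mine.au_type != theirs.au_type:
        reasons.append(f"AuType {mine.au_type} vs {theirs.au_type}")
    if broadcast and mine.netmask != theirs.netmask:  # mask is only compared on broadcast/NBMA links
        reasons.append(f"netmask {mine.netmask} vs {theirs.netmask}")
    if mine.hello_int != theirs.hello_int:
        reasons.append(f"HelloInterval {mine.hello_int} vs {theirs.hello_int}")
    if mine.dead_int != theirs.dead_int:
        reasons.append(f"RouterDeadInterval {mine.dead_int} vs {theirs.dead_int}")
    return reasons

# Constructed hellos mirroring the two tunnel ends in the original post: the Cisco config as
# posted never enables authentication (AuType 0), the MikroTik side is set to simple (AuType 1).
CISCO = parse_hello(build_hello("10.0.0.0", "0.0.0.0", 0, "255.255.255.0", 20))
MIKROTIK = parse_hello(build_hello("192.168.191.0", "0.0.0.0", 1, "255.255.255.0", 0))
```

Feed a real capture of both sides' hellos through parse_hello first: if one side's hellos never arrive at all, the GRE/IPsec layer rather than OSPF is the place to look.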

When setting up GRE you don’t need an IPsec policy with so many networks.

Hello,

I have a network with two MikroTik Cloud Core routers (R1 and R2) directly connected; I’m running OSPF entirely in area 0.

Recently I set up a new branch office with one Cloud Core router (R3), which is on another ISP, and I want to interconnect the two sites via a GRE tunnel and run OSPF and MPLS.

The tunnel configuration is working fine and I have implemented OSPF area 1 on R1 and R3.

  1. On R1, I redistribute other OSPF routes on instance 0 (area 0 instance) and redistribute other OSPF routes on instance 1 (area 1 instance); all working fine, exchanging the other routes.
  2. On R1, I redistribute connected routes on instance 0 (area 0 instance); it works fine, I can see the connected routes redistributed to R2.
  3. On R1, I redistribute connected routes on instance 1 (area 1 instance); the routes appear and disappear in the R3 routing table and the GRE tunnel goes down and up again.

Below is my router configuration:

R1 Configuration
gre-tunnel interface= 10.1.1.1/30
ether1 interface 10.100.0.1/30
loop0 interface 1.1.1.1/32

OSPF Area 1 Networks
** 10.1.1.0/30 area 1

area 1 instance
** redistribute-other OSPF Routes
** redistribute connected routes

Area 0 Networks
** 10.100.0.0/30 area 0
** 1.1.1.1/32 area 0

area 0 instance
** redistribute-other OSPF Routes
** redistribute connected routes

R2 Configuration
ether1 10.100.0.2/30
loop0 interface 2.2.2.2/32

OSPF Area 0 Networks
** 10.100.0.0/30 area 0
** 2.2.2.2/32 area 0


R3 Configuration
gre-tunnel interface= 10.1.1.2/30
loop0 interface 3.3.3.3/32

OSPF Area 1 Networks
** 10.1.1.0/30 area 1
** 3.3.3.3/32 area 1

You can find a documented, working configuration here:
https://administrator.de/wissen/cisco-mikrotik-vpn-standort-vernetzung-dynamischem-routing-398932.html
The posted config there uses RIPv2 but it can easily be reconfigured for OSPF.
For the Cisco site:
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0.0.0.0
passive-interface default
no passive-interface Tunnel0

Or you can do it a different way and assign each interface a dedicated area:
interface Tunnel 0
description Tunnel to Mikrotik
ip address 10.2.0.5 255.255.255.252
ip ospf 1 area 0.0.0.0
!
interface Ethernet 1
ip address 10.1.0.1 255.255.255.0
ip ospf 1 area 0.0.0.0
!
router ospf 1
log-adjacency-changes

Both configs do the same.
The MikroTik side is more or less self-explanatory.

Thank you for your support.

All routers are MikroTik CCRs. Everything from the tunneling and OSPF through to redistributing other OSPF routes is working on both the area 0 instance and the area 1 instance.
R1 is the area border router; it is part of area 0 and part of area 1 via the GRE tunnel.
R3 is in area 1 and is connected to R1 via the GRE tunnel.

R1 is running two instances:
a backbone instance (directly connected to R2) and an area 1 instance connected to R3 via the GRE tunnel.

The main problem is this: on R1 (the ABR), on the area 1 instance, the moment I enable “redistribute-connected”, the connected routes appear and disappear and the GRE tunnel starts going up and down. If I disable “redistribute-connected” on the area 1 instance, the link is back to normal. I can redistribute other OSPF routes and it works fine; it is only redistributing connected routes that is not working.
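The usual cause of exactly this symptom, which the thread does not name, is recursive routing: R1's connected routes include its own ISP-facing subnet, so once it is redistributed into area 1, R3 learns a route to the tunnel's outer endpoint that points back through the tunnel, the tunnel fails, the route is withdrawn, the tunnel comes up and the cycle repeats. The check below is an added example, not the poster's configuration: the inner 10.1.1.0/30 and loop0 addresses come from the thread, while the public subnets 203.0.113.0/30 (R3's ISP) and 198.51.100.0/24 (R1's ISP) are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    dst: str                  # prefix
    gateway: Optional[str]    # next-hop IP for static/OSPF routes, None for connected routes
    interface: Optional[str]  # egress interface for connected routes, None otherwise
    source: str = "connected"

def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, as the FIB does for an outgoing packet."""
    ip, best = ip_address(addr), None
    for r in routes:
        net = ip_network(r.dst)
        if ip in net and (best is None or net.prefixlen > ip_network(best.dst).prefixlen):
            best = r
    return best

def egress_interface(routes: List[Route], addr: str, hops: int = 8) -> Optional[str]:
    """Resolve addr to an interface, following next-hop IPs through connected routes."""
    r = lookup(routes, addr)
    while r is not None and r.interface is None and hops > 0:
        r, hops = lookup(routes, r.gateway), hops - 1
    return r.interface if r is not None else None

def recursive_route(routes: List[Route], tunnel_if: str, remote: str) -> Optional[Route]:
    """The route that sends the tunnel's own outer endpoint back into the tunnel, if any."""
    top = lookup(routes, remote)
    return top if top is not None and egress_interface(routes, remote) == tunnel_if else None

# Constructed R3 routing table: inner 10.1.1.0/30 and loop0 come from the thread; the public
# addresses (203.0.113.0/30 for R3's ISP, 198.51.100.0/24 for R1's ISP) are made up.
R1_PUBLIC = "198.51.100.2"  # GRE remote-address configured on R3 (constructed)
R3_BASE = [
    Route("0.0.0.0/0", "203.0.113.1", None, "static"),  # default via R3's ISP
    Route("203.0.113.0/30", None, "ether1"),
    Route("10.1.1.0/30", None, "gre-tunnel"),
    Route("3.3.3.3/32", None, "loop0"),
]
# What area 1 carries once R1 enables redistribute-connected: R1's own ISP subnet, with R1's
# tunnel address as next hop, so the tunnel endpoint is now reachable only through the tunnel.
LEAKED = Route("198.51.100.0/24", "10.1.1.1", None, "ospf")

if __name__ == "__main__":
    print(recursive_route(R3_BASE, "gre-tunnel", R1_PUBLIC))             # None
    print(recursive_route(R3_BASE + [LEAKED], "gre-tunnel", R1_PUBLIC))  # the LEAKED route
```

The mitigation is to keep the tunnel endpoints out of what area 1 learns, either by filtering that prefix from the redistribution on R1 or by pinning a static route for the remote endpoint via the ISP on each side.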