Problems with GRE over IPSec between Cisco and RouterOS

Hi,

First, since this is my first post here, I just want to thank you for your hard work and for your time to help me with this.

So I need to configure a site-to-site VPN between these 2 devices, and one of my requirements is to use a GRE tunnel.

I began with the configuration of the GRE tunnel in order to make some captures and to be able to verify the NAT rules on the 2 routers. The configuration is just fine and I could ping between the 2 networks without any problems.

For the IPSec configuration I have been following this tutorial http://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco and making some changes in order to make it work on my network, but I think I am making some mistakes somewhere.

So the configuration on my Cisco device is actually like this:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address PublicIPB
!
crypto ipsec transform-set TransformRule esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer PublicIPB
 set transform-set TransformRule
 set pfs group2
 match address vpnList
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet1/0
 tunnel destination PublicIPB
!
interface FastEthernet1/0
 ...
 crypto map vpn
!
ip route 192.168.47.0 255.255.255.0 Tunnel0
!
ip access-list extended vpnList
 permit gre host PublicIPA host PublicIPB

And this is the configuration on my RouterOS:

peer -> address=IPPublicA/32 port=500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

proposal -> name="IPSec" auth-algorithms=sha1 enc-algorithms=3des lifetime=1d pfs-group=modp1024

policy -> src-address=192.168.47.0/24 src-port=any dst-address=192.168.45.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=PublicIPB sa-dst-address=PublicIPA proposal=IPSec priority=0

After that I ran debug crypto isakmp on the Cisco router and I could see that it is having some problems with phase 2 of ISAKMP:

003003: Feb 2 2012 05:40:01.897 ES: ISAKMP:(1015): retransmitting phase 2 QM_IDLE 1434079881 …
003004: Feb 2 2012 05:40:01.897 ES: ISAKMP (1015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
003005: Feb 2 2012 05:40:01.897 ES: ISAKMP (1015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
003006: Feb 2 2012 05:40:01.897 ES: ISAKMP:(1015): retransmitting phase 2 1434079881 QM_IDLE
003007: Feb 2 2012 05:40:01.897 ES: ISAKMP:(1015): sending packet to PublicIPB my_port 500 peer_port 500 (I) QM_IDLE
003008: Feb 2 2012 05:40:01.897 ES: ISAKMP:(1015):Sending an IKE IPv4 Packet.

So if I understand correctly my problem is between the transform set in the IOS and the proposal of the RouterOS, but I couldn't figure out exactly where my mistake is.

I hope someone could help me in order to resolve this issue.

Regards,

I was working on it yesterday but it is not working. I've made some changes but I am still facing this issue:

005320: Feb 3 2012 02:33:30.648 ES: ISAKMP:(1019): processing HASH payload. message ID = -1275707629
005321: Feb 3 2012 02:33:30.648 ES: ISAKMP:(1019): processing SA payload. message ID = -1275707629
005322: Feb 3 2012 02:33:30.648 ES: ISAKMP:(1019):Checking IPSec proposal 1
005323: Feb 3 2012 02:33:30.648 ES: ISAKMP: transform 1, ESP_3DES
005324: Feb 3 2012 02:33:30.648 ES: ISAKMP: attributes in transform:
005325: Feb 3 2012 02:33:30.648 ES: ISAKMP: SA life type in seconds
005326: Feb 3 2012 02:33:30.648 ES: ISAKMP: SA life duration (basic) of 1800
005327: Feb 3 2012 02:33:30.652 ES: ISAKMP: encaps is 1 (Tunnel)
005328: Feb 3 2012 02:33:30.652 ES: ISAKMP: authenticator is HMAC-MD5
005329: Feb 3 2012 02:33:30.652 ES: ISAKMP: group is 2
005330: Feb 3 2012 02:33:30.652 ES: ISAKMP:(1019):atts are acceptable.
005331: Feb 3 2012 02:33:30.652 ES: ISAKMP:(1019): IPSec policy invalidated proposal with error 8
005332: Feb 3 2012 02:33:30.652 ES: ISAKMP:(1019): phase 2 SA policy not acceptable! (local > PublicIPA > remote > PublicIPB> )
005333: Feb 3 2012 02:33:30.652 ES: ISAKMP: set new node 1916914020 to QM_IDLE
005334: Feb 3 2012 02:33:30.652 ES: ISAKMP:(1019):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1223079752, message ID = 1916914020

Actually the configuration on my MikroTik router is now like this:

proposal:
name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024

peer:
address=PublicIPA/32 port=500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

policy:
src-address=PublicIPB/32 src-port=any dst-address=PublicIPA/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=PublicIPB sa-dst-address=PublicIPA proposal=IPSec priority=0

And on the Cisco router like this:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cambiar address PublicIPB
!
crypto ipsec transform-set TransformVPN esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer PublicIPB
 set transform-set TransformVPN
 set pfs group2
 match address vpn
!
ip access-list extended vpn
 permit gre host IPPublicA host IPPublicB

To finish, I'm applying the crypto map to the interface with IPPublicA.

I hope someone could help me with this issue.

Regards

Did you try to set the tunnel mode to no?

Have you resolved this issue yet?

Hi

Just looking at something just like this.

Anyone able to share a working config?

Thanks

IPsec SAs have to match exactly (the phase 2 SA debug from Cisco is letting you know they don't), even source and destination.

This Cisco thread will help clarify the UID errors you are getting from the debug:

https://learningnetwork.cisco.com/thread/39333

Give this a shot and let me know. If the MikroTik is going to initiate the IPsec phase 1 and 2 exchange, then make sure the SA source is the public IP on the MikroTik and the SA dest is the public IP on the Cisco. The Cisco should follow the same flow: source SA is the MikroTik and dest SA is the Cisco.

MikroTik
tunnel=yes sa-src-address=PublicIPA sa-dst-address=PublicIPB proposal=IPSec priority=0

Cisco
ip access-list extended vpnList
 permit gre host PublicIPA host PublicIPB
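An added example, not from anyone in this thread, that checks whether a RouterOS policy mirrors a Cisco crypto ACL the way IKEv1 quick mode requires (the proxy IDs each side proposes are source, destination and protocol, and the responder only accepts a proposal that mirrors one of its own policies). The IP addresses are constructed stand-ins for PublicIPA (Cisco) and PublicIPB (MikroTik); the three RouterOS policies are the first attempt, the second attempt, and the second attempt with protocol=gre so that it mirrors the gre-only ACL.

```python
"""Mirror check for IKEv1 quick-mode traffic selectors (added example)."""
import ipaddress
import re

# Protocol keywords seen in Cisco ACLs / RouterOS policies -> IP protocol numbers.
PROTO = {"ip": 0, "all": 0, "gre": 47, "tcp": 6, "udp": 17, "esp": 50}


def _cisco_addr(tokens):
    """Consume one ACE address spec: 'any', 'host A' or 'A wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    mask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_cisco_ace(line):
    """'permit gre host A host B' -> (protocol number, src network, dst network)."""
    tokens = line.split()
    if tokens[0] != "permit":
        raise ValueError("only permit entries define protected traffic")
    proto, rest = PROTO[tokens[1]], tokens[2:]
    return proto, _cisco_addr(rest), _cisco_addr(rest)


def parse_routeros_policy(line):
    """'src-address=A dst-address=B protocol=x ...' -> (protocol, src, dst)."""
    kv = dict(re.findall(r"(\S+?)=(\S*)", line))
    proto = kv.get("protocol", "all")
    proto = PROTO[proto] if proto in PROTO else int(proto)
    return (proto, ipaddress.ip_network(kv["src-address"], strict=False),
            ipaddress.ip_network(kv["dst-address"], strict=False))


def mirror_mismatches(cisco_ace, routeros_policy):
    """Return the selector fields on which the two sides fail to mirror (empty = OK)."""
    c_proto, c_src, c_dst = parse_cisco_ace(cisco_ace)
    r_proto, r_src, r_dst = parse_routeros_policy(routeros_policy)
    problems = []
    if c_src != r_dst:
        problems.append(f"cisco src {c_src} != routeros dst {r_dst}")
    if c_dst != r_src:
        problems.append(f"cisco dst {c_dst} != routeros src {r_src}")
    if c_proto != r_proto:
        problems.append(f"cisco protocol {c_proto} != routeros protocol {r_proto}")
    return problems


# Constructed stand-ins: 203.0.113.1 = PublicIPA (Cisco), 198.51.100.1 = PublicIPB (MikroTik).
CISCO_ACE = "permit gre host 203.0.113.1 host 198.51.100.1"
ROUTEROS_FIRST = ("src-address=192.168.47.0/24 src-port=any dst-address=192.168.45.0/24 "
                  "dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp")
ROUTEROS_SECOND = ("src-address=198.51.100.1/32 src-port=any dst-address=203.0.113.1/32 "
                   "dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp")
ROUTEROS_MIRRORED = ROUTEROS_SECOND.replace("protocol=all", "protocol=gre")

if __name__ == "__main__":
    for name, pol in [("first", ROUTEROS_FIRST), ("second", ROUTEROS_SECOND),
                      ("mirrored", ROUTEROS_MIRRORED)]:
        print(name, mirror_mismatches(CISCO_ACE, pol) or "selectors mirror")
```

Against the gre-only ACL, the first policy misses on all three selectors and the second still misses on the protocol; only the protocol=gre variant mirrors it.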