We have a VPN network of a couple of MikroTik routers (CCR, RB750Gr3, RB951) using GRE over IPsec tunnels.
The GRE tunnels each have a /30 network and BGP is running over the tunnels to auto-route the subnets.
This works fine, but yesterday one of the involved ISPs had a major problem and IPv4 routing was not working,
causing our network to break apart.
During this mishap, IPv6 was working OK so I managed to restore connectivity by adding GRE6 over IPsec(v6)
tunnels, still with IPv4 /30 on them. So it is IPv4 over GRE6 over IPv6 between the routers, still with BGP to
route the IPv4 VPN.
I experimented a bit and realized there are two different ways to set this up:
1 - the GRE and GRE6 tunnels between two sites each get a different /30 and two BGP sessions are made,
possibly with some BGP route filter to set a preference for either of the paths.
2 - the GRE and GRE6 tunnels both get the same /30 and keepalive is enabled, resulting in two parallel tunnels
with the same endpoint addresses, and only a single BGP session.
The latter does not have the possibility of setting a preference for using IPv4 or IPv6 based tunnels, but we
do not really require that. I already set the MTU of the GRE tunnels to the lowest of the two, so the MTU would
not change when the route flaps to the other tunnel.
It appears to work well; in the routing table two gateway devices are shown, both indicated as reachable:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
21 ADC  172.22.32.128/30   172.22.32.129   gre6-tunnel-nhw           0
                                           gre-tunnel-nhw
27 ADb  172.23.0.0/16                      172.22.32.130           200
Is this a supported configuration that can be safely used? Or would it be preferable to use separate /30 nets?
I ask because during the re-configuration, changing the addresses, disabling/enabling tunnels, etc., it
sometimes happened that two route lines are shown each with a different gateway and one of them active,
and normally it is shown as a combined route like the above.
Also during my experiments it happened once that querying the route table via snmpnetstat stopped working
on the central CCR (running 6.38.1), and I had to reboot it to fix that. Not sure what was happening there.
The other routers still are on 6.37.3 and I have not seen this problem (or the split/combined issue) there.
When it is not a safe configuration I can change to separate /30 networks but it requires some address
planning changes, so I would prefer to keep using this method when it is safe.
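
For reference, a sketch of setup 2 as described in the post, in RouterOS v6 syntax. This is an added example, not the poster's actual configuration: the tunnel names and the 172.22.32.129/.130 addresses come from the routing table shown above, while the WAN endpoint addresses, the MTU value, the AS number and the peer name are constructed placeholders, and the IPsec peers and policies are left out.

```routeros
# Setup 2: the same /30 on two parallel tunnels, a single BGP session.
# Constructed placeholders: 192.0.2.1, 198.51.100.1, 2001:db8:1::1,
# 2001:db8:2::1, mtu=1400, remote-as=65002, peer name "nhw".

/interface gre
add name=gre-tunnel-nhw local-address=192.0.2.1 remote-address=198.51.100.1 \
    mtu=1400 keepalive=10s,10
/interface gre6
add name=gre6-tunnel-nhw local-address=2001:db8:1::1 \
    remote-address=2001:db8:2::1 mtu=1400 keepalive=10s,10

# Same local address on both tunnels. With keepalive enabled, a tunnel
# whose far end stops answering loses its running state, so the connected
# route stays up through whichever tunnel is still alive.
/ip address
add address=172.22.32.129/30 interface=gre-tunnel-nhw
add address=172.22.32.129/30 interface=gre6-tunnel-nhw

# One BGP session to the far end of the shared /30.
/routing bgp peer
add name=nhw remote-address=172.22.32.130 remote-as=65002

# Checks: both tunnels running, one connected route listing both
# interfaces as gateways, and the BGP session established.
/interface print where name~"nhw"
/ip route print detail where dst-address=172.22.32.128/30
/routing bgp peer print status
```

Each tunnel needs its own IPsec policy for GRE (IP protocol 47) between its endpoint pair, one for the IPv4 addresses and one for the IPv6 addresses. Confirm both are in place before relying on failover, so the fallback path does not carry the VPN traffic unencrypted.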