Hi Colleagues,
After reading the whole topic and testing using my own prod 
(âCRS326-24G-2S+â < GRE over IKEv2 tunnel > âHAPacâ) site it is still unclear for Me which firewall configuration expected to be âproperâ since fixing CVE-2014-8160 in RoS 6.45.1
My observations after update from RoS 6.44.3 to RoS 6.45.1 are the following:
- IKEv2 based tunnel works as expected, nothing changes
- HAPac can up GRE tunnel to CRS326-24G-2S+ without any issues
- CRS326-24G-2S+ canât up GRE tunnel to HAPac
- Adding of only ONE of the suggested in this topic rule â/ip firewall filter add chain=input action=accept protocol=gre ipsec-policy=in,ipsecâ or â/ip firewall raw add chain=prerouting action=notrack protocol=greâ for both ends doesnât help to bring up GRE tunnel from CRS326-24G-2S+ to HAPac
- Adding of BOTH of the mentioned rules in âfilter->inputâ and âraw->preroutingâ respectively helps to bring up GRE tunnel from CRS326-24G-2S+ to HAPac
According to http://forum.mikrotik.com/t/radius-server-not-working-in-2-8-11/127/1 âfilter->inputâ rule is obvious âMUST to HAVEâ for allowing new incoming GRE connections since RoS 6.45.1.
What about âraw->preroutingâ rule suggested in https://forum.mikrotik.com/viewtopic.php?f=21&t=149786&start=50#p737382 which also seems influences behavior of GRE in my setup?
Mikrotik guys and forum Gurus could you please provide neat answer on this matter?
Thank you!