When to use GRE tunnel with IPSec in 2022

Hello,
Can somebody please explain the usage and purpose of a GRE tunnel in a scenario where an organization has multiple locations/sites and uses IPSec policies/peers between two MikroTik routers with IKEv2?
Why not just use IPSec between locations? The year is 2022, RouterOS 7 is here, etc. I still see some cases in practice that implement an additional GRE interface/tunnel that handles all the “internal” traffic. Is it because of simpler and better management, or what else could be the reason for this?

Thank you

I often use IPIP tunnels (an alternative to GRE), for 4 reasons:

  1. I like to be able to use traceroute.
  2. You don’t need to add a tunnel policy for all subnets, just route them through the tunnel.
  3. It makes more sense in the firewall to have an actual interface.
  4. I have a feeling that PMTU works better through a routed tunnel than an IPsec policy tunnel that just makes packets “appear” on the destination.

Then there are also issues with making stuff like management, NTP and Syslog work over an IPsec policy-based tunnel.

If you need interfaces, you want to go with IPIP or GRE or something like that, e.g. if you want to use OSPF.

What topology you use is up to you.

For the most part I’ve stopped using GRE tunnels because sometimes they just will not come up and I cannot figure out why (many, many forum threads for issues with GRE tunnels). Trying IP-in-IP (IPIP) tunnels as a replacement.

As for why: dead simple to set up. IPSec key in the interface settings. Have RFC1918 /30 IPs on the tunnel interface (these may not even be needed), and in IP-Route (for the other side’s network), provide the destination as the other side’s /30 IP (or just the interface, as I said, the IPs may not even be needed).
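The setup described in the replies above (IPsec secret on the tunnel interface, a /30 on the tunnel, a route per remote network, firewall rules on the interface), written out as an added RouterOS example that is not part of any original post. All addresses, the interface names and the secret are constructed placeholders; the firewall rules assume the usual established/related accept rule already sits above them.

```routeros
# --- Site A (constructed: WAN 203.0.113.1, LAN 192.168.10.0/24) ---

# IPIP tunnel to site B. Setting ipsec-secret makes RouterOS create a
# dynamic IPsec peer and policy for the two tunnel endpoints, so no
# per-subnet policies are written by hand. allow-fast-path must be
# disabled for ipsec-secret to take effect.
/interface ipip
add name=ipip-site-b local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" allow-fast-path=no

# RFC1918 /30 on the tunnel: gives a next hop for routes and a
# pingable, traceroute-visible address for monitoring.
/ip address
add address=10.255.0.1/30 interface=ipip-site-b

# One route per remote network instead of one IPsec policy per
# subnet pair. Further subnets at site B are just more routes.
/ip route
add dst-address=192.168.20.0/24 gateway=10.255.0.2

# The tunnel is a real interface, so the firewall can match on it.
# Only the expected remote LAN may reach the local LAN; anything
# else arriving over the tunnel is dropped.
/ip firewall filter
add chain=forward in-interface=ipip-site-b src-address=192.168.20.0/24 \
    dst-address=192.168.10.0/24 action=accept comment="site B LAN -> site A LAN"
add chain=forward in-interface=ipip-site-b action=drop \
    comment="drop everything else from the tunnel"

# --- Site B (constructed: WAN 198.51.100.1, LAN 192.168.20.0/24) ---

/interface ipip
add name=ipip-site-a local-address=198.51.100.1 remote-address=203.0.113.1 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" allow-fast-path=no
/ip address
add address=10.255.0.2/30 interface=ipip-site-a
/ip route
add dst-address=192.168.10.0/24 gateway=10.255.0.1
/ip firewall filter
add chain=forward in-interface=ipip-site-a src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 action=accept comment="site A LAN -> site B LAN"
add chain=forward in-interface=ipip-site-a action=drop \
    comment="drop everything else from the tunnel"
```

After applying both sides, `/ip ipsec policy print` and `/ip ipsec active-peers print` show the dynamic entries, which is the place to confirm the tunnel traffic is actually encrypted rather than passing as plain IPIP.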

Thanks for the info. In my case I do not see a reason for having an interface, tunnel, or /30 IP subnet…
So the reasons to have a tunnel are:

  1. possible to use /ip firewall with interface instead of ip
  2. possible to have /30 subnet so easier monitoring and testing
  3. … ?