matiaszon
Member
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

GRE on IPSec doesn't work

Sat Aug 31, 2019 2:49 pm

I have set up a GRE tunnel with IPSec (just added a password to the GRE configuration). Unfortunately, it doesn't work properly. When the IPSec password is specified I can't reach the other network, no matter from which side. When the IPSec pass is erased, it works without any problems. However, from time to time, it works nicely even if the IPSec pass is specified. Every time, ip > ipsec > active peers shows the routers are connected... What am I missing?
 
pe1chl
Forum Guru
Posts: 5915
Joined: Mon Jun 08, 2015 12:09 pm

Re: GRE on IPSec doesn't work

Sat Aug 31, 2019 3:56 pm

Maybe firewall rule? For GRE/IPsec you need to accept on input:
- udp port 500
- protocol esp
- protocol gre with IPsec policy: in:ipsec
 
matiaszon
Member
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: GRE on IPSec doesn't work

Sat Aug 31, 2019 4:00 pm

> Maybe firewall rule? For GRE/IPsec you need to accept on input:
> - udp port 500
> - protocol esp
> - protocol gre with IPsec policy: in:ipsec

I have accepted:
- (17 udp) 500
- (17 udp) 4500
- (51 ipsec-ah)
- (50 ipsec-esp)

Could you please explain this Ipsec policy in:ipsec? You mean:
add action=accept chain=forward ipsec-policy=in,ipsec
If so, it was already there in the default firewall from MikroTik. However, it wasn't working until I set it up as above. Strange.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5915
Joined: Mon Jun 08, 2015 12:09 pm

Re: GRE on IPSec doesn't work

Sat Aug 31, 2019 6:00 pm

The rule you mentioned has chain=forward.
Maybe you made the same oversight in the other 3 rules?
It should be chain=input for this, not chain=forward. That is for plain IPsec tunnels only.
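
Added example, not part of the thread and not posted by any participant: a small Python check that reads the firewall section of a `/export` and reports which of the three chain=input accepts listed above are missing, so a rule left in chain=forward does not count. The sample export, the function names and the labels in `REQUIRED` are constructed for illustration.

```python
import shlex

REQUIRED = ["udp/500", "ipsec-esp", "gre in,ipsec"]  # the three accepts listed in the thread

# Constructed sample export; the in,ipsec rule sits in chain=forward as in the thread.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=drop chain=input
"""

def parse_filter_rules(export_text):
    """Return the 'add' lines under /ip firewall filter as key=value dicts."""
    rules, in_section, pending = [], False, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def missing_input_accepts(rules):
    """List the REQUIRED accepts that no effective chain=input rule provides."""
    found = set()
    for r in rules:
        if r.get("chain") != "input" or r.get("disabled") == "yes":
            continue
        action = r.get("action", "accept")  # RouterOS default action is accept
        matchers = set(r) - {"action", "chain", "comment"}
        if action in ("drop", "reject") and not matchers:
            break  # unconditional drop: accepts placed after it never match
        if action != "accept":
            continue
        proto = r.get("protocol")
        if proto == "udp" and "500" in r.get("dst-port", "500").split(","):
            found.add("udp/500")
        elif proto == "ipsec-esp":
            found.add("ipsec-esp")
        elif proto in (None, "gre") and r.get("ipsec-policy") == "in,ipsec":
            found.add("gre in,ipsec")
    return [name for name in REQUIRED if name not in found]
```

Calling `missing_input_accepts(parse_filter_rules(SAMPLE_EXPORT))` on the constructed sample reports the GRE rule as missing, because the only `in,ipsec` accept is in chain=forward.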
 
matiaszon
Member
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: GRE on IPSec doesn't work

Mon Sep 02, 2019 8:44 pm

> The rule you mentioned has chain=forward.
> Maybe you made the same oversight in the other 3 rules?
> It should be chain=input for this, not chain=forward. That is for plain IPsec tunnels only.

I made a new rule with ipsec input accept, but it didn't help. However, IPSec is connecting (I can see keys, and link established) but the GRE interface is not running. When I disable IPSec in the GRE config, then the interface works fine.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5915
Joined: Mon Jun 08, 2015 12:09 pm

Re: GRE on IPSec doesn't work

Mon Sep 02, 2019 9:17 pm

Use "/export hide-sensitive file=config" to export your config and paste it here in a </> section.
 
matiaszon
Member
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: GRE on IPSec doesn't work

Mon Sep 02, 2019 10:31 pm

I think I know what the problem is. I also have an L2TP server set up with IPSec, and this is most probably causing the problems.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5915
Joined: Mon Jun 08, 2015 12:09 pm

Re: GRE on IPSec doesn't work

Mon Sep 02, 2019 11:27 pm

No, I have that as well and it works without problem (L2TP/IPsec accepting road warrior connections and GRE/IPsec to fixed peers).
 
matiaszon
Member
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: GRE on IPSec doesn't work

Tue Sep 03, 2019 7:10 pm

Well, I had to set up IPSec specifically for the GRE tunnel. I couldn't just check the IPSec option in the GRE configuration, because it was not working properly with the L2TP/IPSec config. Now it seems it works fine (for now - since yesterday).
 
pe1chl
Forum Guru
Forum Guru
Posts: 5915
Joined: Mon Jun 08, 2015 12:09 pm

Re: GRE on IPSec doesn't work

Tue Sep 03, 2019 8:49 pm

I don't have that problem here! GRE/IPsec works for me using the checkmark and input field in the GRE interface.
For L2TP/IPsec I use some specific IPsec configuration, but it was made long ago and I am not sure it is still necessary. It was only necessary to make L2TP/IPsec work from clients behind 2 levels of NAT, not to make it coexist with GRE/IPsec.
