GRE on IPSec doesn't work

Posted: Sat Aug 31, 2019 2:49 pm
by matiaszon
I have set up a GRE tunnel with IPSec (just added a password to the GRE configuration). Unfortunately, it doesn't work properly. When the IPSec password is specified, I can't reach the other network, no matter from which side. When the IPSec pass is erased, it works without any problems. However, from time to time, it works nicely even if the IPSec pass is specified. Every time, ip > ipsec > active peers shows the routers are connected... What am I missing?

Re: GRE on IPSec doesn't work

Posted: Sat Aug 31, 2019 3:56 pm
by pe1chl
Maybe firewall rule? For GRE/IPsec you need to accept on input:
- udp port 500
- protocol esp
- protocol gre with IPsec policy: in:ipsec

Re: GRE on IPSec doesn't work

Posted: Sat Aug 31, 2019 4:00 pm
by matiaszon
> Maybe firewall rule? For GRE/IPsec you need to accept on input:
> - udp port 500
> - protocol esp
> - protocol gre with IPsec policy: in:ipsec
I have accepted:
- (17 udp) 500
- (17 udp) 4500
- (51 ipsec-ah)
- (50 ipsec-esp)

Could you please explain this Ipsec policy in:ipsec? You mean:
add action=accept chain=forward ipsec-policy=in,ipsec
If so, it was already there in the default firewall from MikroTik. However, it wasn't working until I set it up above. Strange.

Re: GRE on IPSec doesn't work

Posted: Sat Aug 31, 2019 6:00 pm
by pe1chl
The rule you mentioned has chain=forward.
Maybe you made the same oversight in the other 3 rules?
It should be chain=input for this, not chain=forward. That is for plain IPsec tunnels only.
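
An offline check for the chain mix-up discussed above, as an added example that is not part of any post in this thread: it reads a RouterOS export and reports whether each of the three accepts listed earlier exists in chain=input or only in chain=forward. The sample export and the function names are constructed for this example, and it assumes that comparing only protocol, dst-port and ipsec-policy is enough (rule order and other matchers are ignored).

```python
import re
import shlex

# Constructed sample: fragment of a RouterOS "/export", not taken from the thread.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="IKE and NAT-T" dst-port=500,4500 protocol=udp
add action=accept chain=forward protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=input disabled=yes ipsec-policy=in,ipsec \
    protocol=gre
'''

def parse_filter_rules(export_text):
    """Return the enabled '/ip firewall filter' rules as key/value dicts."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join continuation lines
    rules, section = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules

def has_port(spec, port):
    """True if a dst-port value such as '500,4500' or '500-510' covers port."""
    spans = (re.fullmatch(r"(\d+)(?:-(\d+))?", p) for p in spec.split(","))
    return any(m and int(m[1]) <= port <= int(m[2] or m[1]) for m in spans)

# The three accepts listed in the thread. Assumption: a rule with no protocol
# but ipsec-policy=in,ipsec also covers GRE arriving through IPsec.
REQUIRED = {
    "udp/500": lambda r: r.get("protocol") == "udp" and has_port(r.get("dst-port", ""), 500),
    "esp": lambda r: r.get("protocol") == "ipsec-esp",
    "gre in,ipsec": lambda r: r.get("protocol") in (None, "gre") and r.get("ipsec-policy") == "in,ipsec",
}

def audit(export_text):
    """Map each required accept to 'ok', 'forward-only' or 'missing'."""
    accepts = [r for r in parse_filter_rules(export_text) if r.get("action") == "accept"]
    report = {}
    for name, match in REQUIRED.items():
        chains = {r.get("chain") for r in accepts if match(r)}
        report[name] = ("ok" if "input" in chains
                        else "forward-only" if "forward" in chains else "missing")
    return report
```

Calling `audit()` on the sample reports the ESP and GRE accepts as `forward-only`, because the only input-chain GRE rule is disabled.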

Re: GRE on IPSec doesn't work

Posted: Mon Sep 02, 2019 8:44 pm
by matiaszon
> The rule you mentioned has chain=forward.
> Maybe you made the same oversight in the other 3 rules?
> It should be chain=input for this, not chain=forward. That is for plain IPsec tunnels only.
I made a new rule with ipsec input accept, but it didn't help. However, IPSec is connecting (I can see keys, and link established) but the GRE interface is not running. When I disable IPSec in the GRE config, then the interface works fine.

Re: GRE on IPSec doesn't work

Posted: Mon Sep 02, 2019 9:17 pm
by pe1chl
Use "/export hide-sensitive file=config" to export your config and paste it here in a </> section.

Re: GRE on IPSec doesn't work

Posted: Mon Sep 02, 2019 10:31 pm
by matiaszon
I think I know what the problem is. I also have an L2TP server set up with IPSec, and this is most probably causing the problems.

Re: GRE on IPSec doesn't work

Posted: Mon Sep 02, 2019 11:27 pm
by pe1chl
No, I have that as well and it works without problem (L2TP/IPsec accepting road warrior connections and GRE/IPsec to fixed peers).

Re: GRE on IPSec doesn't work

Posted: Tue Sep 03, 2019 7:10 pm
by matiaszon
Well, I had to set up IPSec specifically for the GRE tunnel. I couldn't just check the IPSec option in the GRE configuration, because it was not working properly with the L2TP/IPSec config. Now it seems to work fine (for now - since yesterday).

Re: GRE on IPSec doesn't work

Posted: Tue Sep 03, 2019 8:49 pm
by pe1chl
I don't have that problem here! GRE/IPsec works for me using the checkmark and input field in the GRE interface.
For L2TP/IPsec I use some specific IPsec configuration, but it was made long ago and I am not sure it is still necessary. It was only necessary to make L2TP/IPsec work from clients behind 2 levels of NAT, not to make it coexist with GRE/IPsec.