Community discussions

MikroTik App
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

OSPF over GRE/IPSec

Sun Feb 07, 2021 1:17 am

I'm currently experimenting with running OSPF over GRE/IPsec

IKE Phase 1 between 2 routers (R1 & R2) public IP addresses, PPPoE client interface - established
IKE Phase 2 IPSec (R1) 10.5.0.0/16 <--> (R2) 10.0.0.0/16 - established (this works fine and has done for some time)
GRE Tunnel established:
(R1) interface address 192.168.10.1/30 tunnel local: 10.5.0.254 remote: 10.0.0.254
(R2) interface address 192.168.10.2/30 tunnel local: 10.0.0.254 remote: 10.5.0.254
OSPF peer-to-peer link established between (R1) 192.168.10.1 & (R2) 192.168.10.2
OSPF connected routes (with filters) exchanged between routers:
172.25.5.0/24 - connected route on R1, OSPF route via 192.168.10.2 reachable via GRE interface on R2
172.25.0.0/24 - connected route on R2, OSPF route via 192.168.10.1 reachable via GRE interface on R1

IP Firewall Filter rules (amongst others):
R1 forward chain src: 10.5.0.0/16 dst: 172.25.0.0/24 action: accept
R2 input chain src: 10.5.0.0/16 dst: 172.25.0.0/24 action: accept
IP NAT rules (amongst others):
R1 srcnat chain src: 10.5.0.0/16 dst: 172.25.0.0/24 action: accept
R2 srcnat chain src: 172.25.0.0/24 dst: 10.5.0.0/16 action: accept

Tried to ping dst: 172.25.0.254 from src: 10.5.1.5
Using Torch on both R1 & R2, I see OSPF passing over the GRE interface, but I do not see the ICMP traffic from 10.5.1.5 on either router.
If I check the VLAN interface for 10.5.0.0/16, I see the traffic arriving on R1.

Any ideas? Am I missing something? Trying to achieve the impossible?

P.S. I have successfully established routing over OSPF between a direct physical Ethernet connection of R1 & R3..
R1: 192.168.32.1/30
R3: 192.168.32.2/30
10.5.0.0/16 on R1 has two way traffic flow with 192.168.100.0/24 on R3, connected routes exchanged both ways (with filters) between R1 & R3. R1 also advertising default route to R3 which is working.

So it seems I can manage OSPF over a direct connection, but when I try to add a tunnel into the mix, I'm failing...
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec  [SOLVED]

Sun Feb 07, 2021 12:35 pm

User error!

The path I was trying to use for source and destination had asymmetric routing. The ICMP echo-request packets would pass over the GRE tunnel as expected, but the echo-reply responses would have gone through the existing Phase 2 definition on the IPSec tunnel.

Tested using source and destination subnets not associated with the existing Phase 2 and it's now working as expected.

That's late nights on a weekend after a long work week for you!
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Thu Feb 25, 2021 8:09 pm

Hello! I would like to do the same. This is my configuration: https://pastebin.com/QRAhCLT2
When i redistribute routes from one side the GRE tunnel disconnects.
What can be wrong ? Thank you for any help in advanced:)
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Thu Feb 25, 2021 8:19 pm

You need to add route filters so that the local and remote addresses for the gre tunnel at both ends are not advertised out/received in as an OSPF route. You want them connected routes on each end only.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Thu Feb 25, 2021 8:51 pm

You need to add route filters so that the local and remote addresses for the gre tunnel at both ends are not advertised out/received in as an OSPF route. You want them connected routes on each end only.

Do you mean like this ?

/routing filter
add action=discard chain=ospf-in prefix=172.16.1.0/30 protocol=ospf
add action=discard chain=ospf-out prefix=172.16.1.0/30 protocol=ospf

172.16.1.0/30 is my GRE tunnel subnet
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Thu Feb 25, 2021 9:02 pm

I think that's correct - in mine I do not specify protocol=OSPF but I'm sure thats fine. I'm reading your post/config from my phone so a little hard to follow.

If you're still struggling I'll share my example.
Last edited by sjoram on Thu Feb 25, 2021 9:04 pm, edited 1 time in total.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Thu Feb 25, 2021 9:03 pm

Correct - in mine I do not specify protocol=OSPF but I'm sure thats fine.
But the problem is the same, GRE disconnects every 10-20 second
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Thu Feb 25, 2021 9:17 pm

Let me take a look again at your config when in front of the PC and I'll post back. I think my GRE tunnel might have a slightly different configuration to yours.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Thu Feb 25, 2021 9:17 pm

Let me take a look again at your config when in front of the PC and I'll post back. I think my GRE tunnel might have a slightly different configuration to yours.
Ok, thank you in advanced :)
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 12:31 am

First things first, I'm making the assumption here that your IPsec Phase 1/2 policy is working and you can ping between the two? Although I would note you seem to have a mis-match between a /30 and /32 mask. You really want the GRE tunnel interface on each side to have no smaller than a /30.

I think you may have a couple of different issues here...

I would suggest setting up a Bridge with no member ports and assigning an IP address to this (replicates a loopback interface on, for example, a Cisco router) - you should in theory be able to use a /32 mask for this. Use this for the local and remote IP addresses for the GRE tunnel on each side. It appears that you haven't configured the local address and the remote address is obfuscated in your output, therefore I'm assuming this isn't a private address running over the IPsec tunnel.

You need to filter out the Bridge IPs you are using for the GRE tunnel from OSPF. It's also worth filtering out the default route and your WAN next hop address.

See some relevant portions of my config from one side below - hopefully gives you something to go on:

/ip ipsec policy
add dst-address=192.168.255.4/30 peer=xxx proposal=xxx sa-dst-address=\
xx.xxx.xxx.xx sa-src-address=xx.xxx.xxx.xxx src-address=192.168.255.0/30 \
tunnel=yes
/interface bridge
add name=GRE_for_OSPF
/ip address
add address=192.168.255.1/30 interface=GRE_for_OSPF network=192.168.255.0
add address=192.168.10.1/30 interface=ospf_gre network=192.168.10.0
/interface gre
add local-address=192.168.255.1 name=ospf_gre remote-address=192.168.255.5
/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-1 in-filter=\
xxx-In name=xxx out-filter=xxx-Out redistribute-connected=as-type-1 \
redistribute-other-ospf=as-type-1 router-id=192.168.10.1
/routing ospf network
add area=backbone network=192.168.10.0/30
/routing filter
add action=discard chain=xxx-In prefix=0.0.0.0/0 (default route from remote router)
add action=discard chain=xxx-In prefix=xx.xx.xxx.xxx (PPPoE client WAN interface remote/default route next hop address on remote router)
add action=discard chain=xxx-In prefix=192.168.2.0/24 (DSLmodem management eth1 remote router)
add action=discard chain=xxx-In prefix=192.168.88.0/24 (Default MT IP on default bridge - remote router)
add action=discard chain=xxx-In prefix=192.168.255.4/30 (Bridge for GRE on remote router)
add action=discard chain=xxx-In prefix=xxx.xxx.xxx.xx/29 (public IPs on remote router)
add action=discard chain=xxx-Out prefix=0.0.0.0/0 (default route from local router)
add action=discard chain=xxx-Out prefix=xx.xx.xxx.xxx (PPPoE client WAN interface remote/default route next hop address on local router)
add action=discard chain=xxx-Out prefix=192.168.2.0/24 (DSL modem management eth1 on local router)
add action=discard chain=xxx-Out prefix=192.168.88.0/24 (Default MT IP on default bridge - local router)
add action=discard chain=xxx-Out prefix=192.168.255.0/30 (Bridge for GRE on local router)
add action=discard chain=xxx-Out prefix=xx.xxx.xxx.xxx/29 (public IPs on local router)
/ip firewal filter
add action=accept chain=input comment=OSPF dst-address-list=OSPF protocol=\
icmp src-address-list=OSPF
add action=accept chain=forward dst-address-list=OSPF protocol=icmp \
src-address-list=OSPF
add action=accept chain=output dst-address-list=OSPF protocol=icmp \
src-address-list=OSPF
add action=accept chain=input dst-address-list=OSPF protocol=ospf \
src-address-list=OSPF
add action=accept chain=forward dst-address-list=OSPF protocol=ospf \
src-address-list=OSPF
add action=accept chain=output dst-address-list=OSPF protocol=ospf \
src-address-list=OSPF
add action=accept chain=input dst-address-list=OSPF protocol=igmp \
src-address-list=OSPF
add action=accept chain=forward dst-address-list=OSPF protocol=igmp \
src-address-list=OSPF
add action=accept chain=output dst-address-list=OSPF protocol=igmp \
src-address-list=OSPF
/ip firewall address-list
add address=224.0.0.1 list=OSPF
add address=224.0.0.5 list=OSPF
add address=224.0.0.6 list=OSPF
add address=192.168.10.0/30 list=OSPF
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.255.4/30 src-address=\
192.168.255.0/30
add action=accept chain=srcnat out-interface=ospf_gre
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 8:23 pm

First things first, I'm making the assumption here that your IPsec Phase 1/2 policy is working and you can ping between the two? Although I would note you seem to have a mis-match between a /30 and /32 mask. You really want the GRE tunnel interface on each side to have no smaller than a /30.

I think you may have a couple of different issues here...

I would suggest setting up a Bridge with no member ports and assigning an IP address to this (replicates a loopback interface on, for example, a Cisco router) - you should in theory be able to use a /32 mask for this. Use this for the local and remote IP addresses for the GRE tunnel on each side. It appears that you haven't configured the local address and the remote address is obfuscated in your output, therefore I'm assuming this isn't a private address running over the IPsec tunnel.

You need to filter out the Bridge IPs you are using for the GRE tunnel from OSPF. It's also worth filtering out the default route and your WAN next hop address.

See some relevant portions of my config from one side below - hopefully gives you something to go on:

/ip ipsec policy
add dst-address=192.168.255.4/30 peer=xxx proposal=xxx sa-dst-address=\
xx.xxx.xxx.xx sa-src-address=xx.xxx.xxx.xxx src-address=192.168.255.0/30 \
tunnel=yes
/interface bridge
add name=GRE_for_OSPF
/ip address
add address=192.168.255.1/30 interface=GRE_for_OSPF network=192.168.255.0
add address=192.168.10.1/30 interface=ospf_gre network=192.168.10.0
/interface gre
add local-address=192.168.255.1 name=ospf_gre remote-address=192.168.255.5
/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-1 in-filter=\
xxx-In name=xxx out-filter=xxx-Out redistribute-connected=as-type-1 \
redistribute-other-ospf=as-type-1 router-id=192.168.10.1
/routing ospf network
add area=backbone network=192.168.10.0/30
/routing filter
add action=discard chain=xxx-In prefix=0.0.0.0/0 (default route from remote router)
add action=discard chain=xxx-In prefix=xx.xx.xxx.xxx (PPPoE client WAN interface remote/default route next hop address on remote router)
add action=discard chain=xxx-In prefix=192.168.2.0/24 (DSLmodem management eth1 remote router)
add action=discard chain=xxx-In prefix=192.168.88.0/24 (Default MT IP on default bridge - remote router)
add action=discard chain=xxx-In prefix=192.168.255.4/30 (Bridge for GRE on remote router)
add action=discard chain=xxx-In prefix=xxx.xxx.xxx.xx/29 (public IPs on remote router)
add action=discard chain=xxx-Out prefix=0.0.0.0/0 (default route from local router)
add action=discard chain=xxx-Out prefix=xx.xx.xxx.xxx (PPPoE client WAN interface remote/default route next hop address on local router)
add action=discard chain=xxx-Out prefix=192.168.2.0/24 (DSL modem management eth1 on local router)
add action=discard chain=xxx-Out prefix=192.168.88.0/24 (Default MT IP on default bridge - local router)
add action=discard chain=xxx-Out prefix=192.168.255.0/30 (Bridge for GRE on local router)
add action=discard chain=xxx-Out prefix=xx.xxx.xxx.xxx/29 (public IPs on local router)
/ip firewal filter
add action=accept chain=input comment=OSPF dst-address-list=OSPF protocol=\
icmp src-address-list=OSPF
add action=accept chain=forward dst-address-list=OSPF protocol=icmp \
src-address-list=OSPF
add action=accept chain=output dst-address-list=OSPF protocol=icmp \
src-address-list=OSPF
add action=accept chain=input dst-address-list=OSPF protocol=ospf \
src-address-list=OSPF
add action=accept chain=forward dst-address-list=OSPF protocol=ospf \
src-address-list=OSPF
add action=accept chain=output dst-address-list=OSPF protocol=ospf \
src-address-list=OSPF
add action=accept chain=input dst-address-list=OSPF protocol=igmp \
src-address-list=OSPF
add action=accept chain=forward dst-address-list=OSPF protocol=igmp \
src-address-list=OSPF
add action=accept chain=output dst-address-list=OSPF protocol=igmp \
src-address-list=OSPF
/ip firewall address-list
add address=224.0.0.1 list=OSPF
add address=224.0.0.5 list=OSPF
add address=224.0.0.6 list=OSPF
add address=192.168.10.0/30 list=OSPF
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.255.4/30 src-address=\
192.168.255.0/30
add action=accept chain=srcnat out-interface=ospf_gre
I tried based on your suggestion, but still disconnects, but i do not give up :)
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 8:40 pm

Based on my experience until I got it right, it feels likely to be an issue on your route filters allowing a particular connected route to be advertised to the neighbour upsetting the GRE tunnel.

When the tunnel drops, so does OSPF so the routing is restored... GRE comes up, route is advertised...and repeat!

Are you using a RFC1918 private address of some form for the local and remote addeess of the GRE tunnel? Your pastebin upload didn't specify a local address and you had edited out the remote address...

If you don't have any conflicting subnets, try using exactly the addressing in my config and see if it works for you...then track back from there through your config until you get your desired addresses working.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 9:09 pm

Based on my experience until I got it right, it feels likely to be an issue on your route filters allowing a particular connected route to be advertised to the neighbour upsetting the GRE tunnel.

When the tunnel drops, so does OSPF so the routing is restored... GRE comes up, route is advertised...and repeat!

Are you using a RFC1918 private address of some form for the local and remote addeess of the GRE tunnel? Your pastebin upload didn't specify a local address and you had edited out the remote address...

If you don't have any conflicting subnets, try using exactly the addressing in my config and see if it works for you...then track back from there through your config until you get your desired addresses working.
I use these subnets:

GRE_Loopback: 172.16.1.0/30 ( I can ping both sides from both direction )
GRE_Tunnel: 172.16.2.0/30 ( i can ping both sides from both direction )

LHG connected route:
192.168.1.0/24

HEX connected routes:
10.10.11.0/24
10.10.12.0/24
10.10.13.0/24
10.10.14.0/24
10.10.15.0/24
10.10.16.0/24
10.10.17.0/24
10.10.100.0/24
10.10.110.0/24
10.10.120.0/24


Can i use these subnets ?
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 9:40 pm

So you want the "loopback" bridge addresses to be on different subnets on each router. The addresses assigned to the tunnel itself can be on the same /30

You want the bridge addresses to be filtered out of OSPF on both sides.

So in my config...
Router 1: 192.168.255.1/30 - bridge
Router 1: 192.168.10.1/30 - GRE
Router 2: 192.168.255.5/30 - bridge
Router 2: 192.168.10.2/30 - GRE

Route filters..
Router 1
In discard 192.168.255.4/30
Out discard 192.168.255.0/30
Router 2
In discard 192.168.255.0/30
Out discard 192.168.255.4/30
If you have more than one instance you can have more than one chain of rules - check you are applying the correct one.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 9:51 pm

Also check your router ID is using the address assigned to the local GRE tunnel interface on each side.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 10:33 pm

Also check your router ID is using the address assigned to the local GRE tunnel interface on each side.
I checked them. There is a next hop 10.0.0.1 on the HEX side, when i filter with:

/routing filter
add action=discard chain=GRE_OSPF_IN prefix=10.0.0.1 ( This works perfectly )
add action=discard chain=GRE_OSPF_IN prefix=172.16.1.0/30 ( It does not work )
add action=discard chain=GRE_OSPF_OUT prefix=172.16.1.0/30 ( It does not work )
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 10:39 pm

There's quite a few variables here that could be tripping you up and it's hard to spot the issue without being able to look at both router configs side by side at the same time..
Can you post full configs from both sides, redacting any sensitive info such as passwords, shared keys, public IPs etc? Try not to redact any internal private addressing if you can.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 10:52 pm

There's quite a few variables here that could be tripping you up and it's hard to spot the issue without being able to look at both router configs side by side at the same time..
Can you post full configs from both sides, redacting any sensitive info such as passwords, shared keys, public IPs etc? Try not to redact any internal private addressing if you can.
Here is the current configuration:

https://pastebin.com/JNeyg8gU
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Fri Feb 26, 2021 11:14 pm

OK, I think your problem is the IP you have assigned to the bridge on each side is from the same subnet (172.16.1.0/30). It needs to be on a different subnet on each router.
You can keep the same IPs but you'd need to make the addresses /32 masks. If that doesn't work, use 172.16.1.0/30 and 172.16.1.4/30 networks with IPs of 172.16.1.1 and 172.16.1.5
Update the IP assigned to the bridges, then your IPsec policies, route filters and the local/remote address for the GRE tunnel on each side
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 12:43 pm

OK, I think your problem is the IP you have assigned to the bridge on each side is from the same subnet (172.16.1.0/30). It needs to be on a different subnet on each router.
You can keep the same IPs but you'd need to make the addresses /32 masks. If that doesn't work, use 172.16.1.0/30 and 172.16.1.4/30 networks with IPs of 172.16.1.1 and 172.16.1.5
Update the IP assigned to the bridges, then your IPsec policies, route filters and the local/remote address for the GRE tunnel on each side
I made the suggestion as you said:

HEX:
GRE_Loopback: 172.16.1.0/30
DIGI_LTE_GRE: 172.16.2.1/30

LTE:
GRE_Loopback: 172.16.1.4/30
LTE_DIGI_GRE: 172.16.2.2/30

Filters:

HEX:
/routing filter
add action=discard chain=GRE_OSPF_IN prefix=172.16.1.4/30
add action=discard chain=GRE_OSPF_OUT prefix=172.16.1.0/30
add action=discard chain=GRE_OSPF_IN prefix=172.16.2.0/30
add action=discard chain=GRE_OSPF_OUT prefix=172.16.2.0/30

LTE:
/routing filter
add action=discard chain=ospf-in prefix=10.0.0.1 ( HEX next hop )
add action=discard chain=ospf-in prefix=172.16.1.0/30
add action=discard chain=ospf-out prefix=172.16.1.4/30
add action=discard chain=ospf-in prefix=172.16.2.0/30
add action=discard chain=ospf-out prefix=172.16.2.0/30

The GRE still disconnects.
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 12:55 pm

So on the hex you've created a new chain in route filters, instead of the default, whereas the other router is using the default chain.

That's OK, but check on routing OSPF instance that you're applying the correct chains.

Also on the GRE, you're using the network addresses rather than the first available "usable" address. That might be causing you an issue. Use .1 and .5 respectively.

I've actually updated my config this morning so the bridge IPs running the GRE are a /32 mask instead of /30.

For the purposes of this configuration, you should only have the IPs associated with the bridge IPs defined on IPsec policy.

You've got a routing conflict somewhere in there I'm fairly sure, I'm just struggling to spot it from here!
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 1:12 pm

I think your conflict might be with your default route or WAN next hop.

Add a route filter for the in and out chains on both sides to discard 0.0.0.0/0 to ensure you're not advertising a default route. Also don't advertise "other" OSPF routes unless you need to.

In my case, I also filter my WAN next hop address which is added to IP routes by my PPPoE client interface since it's the same on both sides and we don't want that trying to go over the tunnel, otherwise I lose my WAN link (which would also cause the IPsec & GRE to drop, so the OSPF route disappears, network recovers, IPsec and GRE come up, OSPF receives the route again and it drops).
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 1:28 pm

To try to be a little clearer...

Your issue might be with the 0.0.0.0/0 default route, but my WAN setup via PPPoE client also adds a route to the remote address of that interface (62.x.x.x/32)
If I don't filter these two connected routes, all traffic to the WAN/internet will try to go via the address of GRE tunnel on the remote router. But the IPsec tunnel can't run effectively inside itself.. so the IPsec tunnel (and therefore the GRE & OSPF) will go down. This results in that OSPF route conflict being removed as the neighbour is down. This route conflict being removed brings the WAN, IPsec, GRE and OSPF neighbour back up, route gets advertised & received again...cycle repeats.

My example - "router 1":
OSPF router ID: 172.16.1.1/30 (IP address is assigned to GRE tunnel interface)
GRE tunnel local address: 172.16.0.1/32 remote address: 172.16.0.2/32
"Lo0" bridge: 172.16.0.1/32
IPsec policy src: 172.16.0.1/32 dst: 172.16.0.2/32
IPsec peer: 95.x.x.x

IP routes (amongst others):
0.0.0.0/0 via Uno FTTC reachable
62.x.x.x via Uno FTTC reachable

IPsec tunnel to "router 2" via the internet is established via the 0.0.0.0/0 route, so if that route becomes advertised through OSPF as via 172.16.0.2, the IPsec will go down.

If I did want to advertise a default route from one of the two via OSPF then I would need to add a static route between the two routers via Uno FTTC and stop adding the default route via PPPoE client on the router that should receive its default via OSPF.

As long as the two routers could then still reach each other via static route (ensuring that in turn is also filtered out of OSPF advertisements) and establish the IPsec/GRE tunnels, there would be no issue advertising the default route through the tunnel. But only one of the two should advertise this i.e. router 2 receives default route advertised via router 1 or vice-versa. You can't have both routers advertising a default route into the same area.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 6:13 pm

To try to be a little clearer...

Your issue might be with the 0.0.0.0/0 default route, but my WAN setup via PPPoE client also adds a route to the remote address of that interface (62.x.x.x/32)
If I don't filter these two connected routes, all traffic to the WAN/internet will try to go via the address of GRE tunnel on the remote router. But the IPsec tunnel can't run effectively inside itself.. so the IPsec tunnel (and therefore the GRE & OSPF) will go down. This results in that OSPF route conflict being removed as the neighbour is down. This route conflict being removed brings the WAN, IPsec, GRE and OSPF neighbour back up, route gets advertised & received again...cycle repeats.

My example - "router 1":
OSPF router ID: 172.16.1.1/30 (IP address is assigned to GRE tunnel interface)
GRE tunnel local address: 172.16.0.1/32 remote address: 172.16.0.2/32
"Lo0" bridge: 172.16.0.1/32
IPsec policy src: 172.16.0.1/32 dst: 172.16.0.2/32
IPsec peer: 95.x.x.x

IP routes (amongst others):
0.0.0.0/0 via Uno FTTC reachable
62.x.x.x via Uno FTTC reachable

IPsec tunnel to "router 2" via the internet is established via the 0.0.0.0/0 route, so if that route becomes advertised through OSPF as via 172.16.0.2, the IPsec will go down.

If I did want to advertise a default route from one of the two via OSPF then I would need to add a static route between the two routers via Uno FTTC and stop adding the default route via PPPoE client on the router that should receive its default via OSPF.

As long as the two routers could then still reach each other via static route (ensuring that in turn is also filtered out of OSPF advertisements) and establish the IPsec/GRE tunnels, there would be no issue advertising the default route through the tunnel. But only one of the two should advertise this i.e. router 2 receives default route advertised via router 1 or vice-versa. You can't have both routers advertising a default route into the same area.
I work with you, i try everything that you said, but the problem is the same :) I know this is a huge mystery .
I can ping the GRE tunnel, the IPSec is still rock solid.

HEX
/routing filter
add action=discard chain=GRE_OSPF_OUT prefix=10.0.0.1
add action=discard chain=GRE_OSPF_IN prefix=0.0.0.0/0
add action=discard chain=GRE_OSPF_OUT prefix=0.0.0.0/0
add action=discard chain=GRE_OSPF_IN prefix=172.16.0.2
add action=discard chain=GRE_OSPF_OUT prefix=172.16.0.1
add action=discard chain=GRE_OSPF_IN prefix=172.16.1.0/30
add action=discard chain=GRE_OSPF_OUT prefix=172.16.1.0/30

LTE:
/routing filter
add action=discard chain=ospf-in prefix=10.0.0.1
add action=discard chain=ospf-in prefix=0.0.0.0/0
add action=discard chain=ospf-out prefix=0.0.0.0/0
add action=discard chain=ospf-in prefix=172.16.0.1
add action=discard chain=ospf-out prefix=172.16.0.2
add action=discard chain=ospf-in prefix=172.16.1.0/30
add action=discard chain=ospf-out prefix=172.16.1.0/30
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 6:20 pm

To be honest I think we're reaching the point I've exhausted most things I can think of based on the config you've shared.

I've only been working with OSPF in my ROS a few weeks...and that's after having an issue with it on Cisco kit at work, so I set it up to help me understand it better.

Might be worth setting up your own thread - since I marked it as solved for my original issue, others might not be looking in. Feel free to reference back to your posts here. A fresh pair of eyes aside from both of us might spot and solve your issue quickly...or at least have some more suggestions to offer :-)
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 8:13 pm

To be honest I think we're reaching the point I've exhausted most things I can think of based on the config you've shared.

I've only been working with OSPF in my ROS a few weeks...and that's after having an issue with it on Cisco kit at work, so I set it up to help me understand it better.

Might be worth setting up your own thread - since I marked it as solved for my original issue, others might not be looking in. Feel free to reference back to your posts here. A fresh pair of eyes aside from both of us might spot and solve your issue quickly...or at least have some more suggestions to offer :-)
I really appreciate your help anyway, i think we tried so many things. The english is not my mother language, very difficult to express myself, that is why i rarely ask help from others :)
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 8:21 pm

Sorry that we weren't able to get to the bottom of it. Don't give up, you'll get there eventually!
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
Funboy
just joined
Posts: 13
Joined: Tue Feb 23, 2021 2:38 pm

Re: OSPF over GRE/IPSec

Sat Feb 27, 2021 10:02 pm

Sorry that we weren't able to get to the bottom of it. Don't give up, you'll get there eventually!
I will working on it :)

Who is online

Users browsing this forum: AdrianT88 and 17 guests