sjoram
Member Candidate
Topic Author
Posts: 152
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

OSPF over GRE/IPSec

Sun Feb 07, 2021 1:17 am

I'm currently experimenting with running OSPF over GRE/IPsec.

IKE Phase 1 between 2 routers (R1 & R2) public IP addresses, PPPoE client interface - established
IKE Phase 2 IPSec (R1) 10.5.0.0/16 <--> (R2) 10.0.0.0/16 - established (this works fine and has done for some time)
GRE Tunnel established:
(R1) interface address 192.168.10.1/30 tunnel local: 10.5.0.254 remote: 10.0.0.254
(R2) interface address 192.168.10.2/30 tunnel local: 10.0.0.254 remote: 10.5.0.254
OSPF peer-to-peer link established between (R1) 192.168.10.1 & (R2) 192.168.10.2
OSPF connected routes (with filters) exchanged between routers:
172.25.5.0/24 - connected route on R1, OSPF route via 192.168.10.2 reachable via GRE interface on R2
172.25.0.0/24 - connected route on R2, OSPF route via 192.168.10.1 reachable via GRE interface on R1

IP Firewall Filter rules (amongst others):
R1 forward chain src: 10.5.0.0/16 dst: 172.25.0.0/24 action: accept
R2 input chain src: 10.5.0.0/16 dst: 172.25.0.0/24 action: accept
IP NAT rules (amongst others):
R1 srcnat chain src: 10.5.0.0/16 dst: 172.25.0.0/24 action: accept
R2 srcnat chain src: 172.25.0.0/24 dst: 10.5.0.0/16 action: accept

Tried to ping dst: 172.25.0.254 from src: 10.5.1.5
Using Torch on both R1 & R2, I see OSPF passing over the GRE interface, but I do not see the ICMP traffic from 10.5.1.5 on either router.
If I check the VLAN interface for 10.5.0.0/16, I see the traffic arriving on R1.

Any ideas? Am I missing something? Trying to achieve the impossible?

P.S. I have successfully established routing over OSPF between a direct physical Ethernet connection of R1 & R3.
R1: 192.168.32.1/30
R3: 192.168.32.2/30
10.5.0.0/16 on R1 has two way traffic flow with 192.168.100.0/24 on R3, connected routes exchanged both ways (with filters) between R1 & R3. R1 also advertising default route to R3 which is working.

So it seems I can manage OSPF over a direct connection, but when I try to add a tunnel into the mix, I'm failing...
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
 
sjoram

Re: OSPF over GRE/IPSec  [SOLVED]

Sun Feb 07, 2021 12:35 pm

User error!

The path I was trying to use for source and destination had asymmetric routing. The ICMP echo-request packets would pass over the GRE tunnel as expected, but the echo-reply responses would have gone through the existing Phase 2 definition on the IPSec tunnel.

Tested using source and destination subnets not associated with the existing Phase 2 and it's now working as expected.

That's late nights on a weekend after a long work week for you!
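
The asymmetric path described in the thread can be checked on paper before reaching for Torch. The following is an added example, not part of the original posts: a small Python model that uses the prefixes from the thread and flags any flow whose request and reply leave by different paths. The default routes, the interface labels `gre`/`wan`, the two constructed test hosts, and the rule that a matching Phase 2 selector takes precedence over the routing table are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's two routers. Prefixes come from the posts;
# the default route and the labels "gre"/"wan" are assumptions.
ROUTERS = {
    "R1": {
        "policies": [("10.5.0.0/16", "10.0.0.0/16")],  # IPsec Phase 2 selector
        "routes": {"172.25.0.0/24": "gre", "0.0.0.0/0": "wan"},
    },
    "R2": {
        "policies": [("10.0.0.0/16", "10.5.0.0/16")],
        "routes": {"172.25.5.0/24": "gre", "0.0.0.0/0": "wan"},
    },
}

def egress(router, src, dst):
    """Return how `router` sends src->dst: 'ipsec-policy' or a route's interface."""
    s, d = ip_address(src), ip_address(dst)
    cfg = ROUTERS[router]
    # Assumption: a packet matching a Phase 2 selector is taken by that policy.
    for psrc, pdst in cfg["policies"]:
        if s in ip_network(psrc) and d in ip_network(pdst):
            return "ipsec-policy"
    # Otherwise pick the longest matching prefix in the routing table.
    matches = [ip_network(p) for p in cfg["routes"] if d in ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return cfg["routes"][str(best)]

def check_flow(src, dst):
    """Compare R1's path for the request with R2's path for the reply."""
    fwd = egress("R1", src, dst)
    rev = egress("R2", dst, src)
    return {"forward": fwd, "return": rev, "symmetric": fwd == rev}

if __name__ == "__main__":
    flows = [
        ("10.5.1.5", "172.25.0.254"),     # the ping from the first post
        ("172.25.5.10", "172.25.0.254"),  # constructed host, OSPF-only subnets
        ("10.5.1.5", "10.0.0.10"),        # constructed host, Phase 2 subnets
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: {check_flow(src, dst)}")
```

In this model only the first flow is asymmetric: the request is routed into the GRE tunnel on R1, but R2 has no GRE route back to 10.5.0.0/16, so the reply does not return through the tunnel.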
