jedimarcus
just joined
Topic Author
Posts: 2
Joined: Sun Apr 28, 2019 10:11 pm

GRE Tunnel with IPsec

Wed May 01, 2019 8:28 am

Hello,

My goal is to create a site-2-site connection between two networks with GRE Tunnel (to run OSPF on top) and IPsec (for security)

Getting a GRE Tunnel working is pretty straightforward:
# West Site
/interface gre
add local-address=1.2.3.4 name=gre_hq remote-address=5.6.7.8

/ip address
add address=172.16.1.2/30 interface=gre_hq network=172.16.1.0

/ip route
add distance=1 dst-address=192.168.222.0/24 gateway=172.16.1.1

# East Site
/interface gre
add local-address=5.6.7.8 name=gre_jedi remote-address=1.2.3.4

/ip address
add address=172.16.1.1/30 interface=gre_jedi network=172.16.1.0

/ip route
add distance=1 dst-address=192.168.9.0/24 gateway=172.16.1.2
The GRE interface has an ipsec-secret option which dynamically creates a Policy, Peer & Identity in IPsec.

But just activating this option with the same secret on both ends kills the tunnel (the GRE keeps running but no traffic goes through).
Is there anything else required?

I tried adding a NAT Accept Rule for the traffic (as per IPsec experiences) but that didn't change anything.

Any help appreciated.
 
sindy
Forum Guru
Posts: 3806
Joined: Mon Dec 04, 2017 9:19 pm

Re: GRE Tunnel with IPsec

Wed May 01, 2019 10:43 am

As the GRE tunnel is running without IPsec, I assume that both your devices have a public IP directly on them, which is used to send and receive the GRE transport packets. In this case (no NAT to be traversed at either end), the IPsec uses plain ESP as transport protocol (i.e. it does not encapsulate it into UDP). So first check that you have an action=accept chain=input protocol=ipsec-esp rule at a proper place in /ip firewall filter of both machines. If you do but they don't count packets and bytes (while diagnostic rules action=passthrough chain=output protocol=ipsec-esp as the very first chain=output rules in /ip firewall filter do count), they are either at the wrong place or the ESP doesn't get through somewhere between your machines due to the ISP's settings.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
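The checks sindy describes, written out as an added example in RouterOS v6 CLI syntax (this is not configuration from the thread; the addresses are the West/East public IPs from the first post, and the rule comments are invented). Passthrough rules count without accepting or dropping, so they show whether the router is emitting ESP and IKE at all; the accept rules then have to sit above any generic drop in chain=input.

```routeros
# Added example: diagnose where ESP is lost when GRE is switched to ipsec-secret.
# Assumed: run on the West router (1.2.3.4), peer is East (5.6.7.8).

/ip firewall filter
# 1. Diagnostic rules at the very top of chain=output. action=passthrough only
#    counts; it neither accepts nor drops, so it is safe to leave in place.
add chain=output action=passthrough protocol=ipsec-esp dst-address=5.6.7.8 \
    place-before=0 comment="diag: ESP leaving for peer"
add chain=output action=passthrough protocol=udp dst-port=500,4500 dst-address=5.6.7.8 \
    place-before=0 comment="diag: IKE leaving for peer"

# 2. Inbound accept rules, placed before any drop in chain=input. With public IPs
#    on both routers and no NAT, ESP arrives as IP protocol 50, not as UDP/4500.
add chain=input action=accept protocol=ipsec-esp src-address=5.6.7.8 \
    place-before=0 comment="IPsec ESP from peer"
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=5.6.7.8 \
    place-before=0 comment="IKE from peer"
# GRE (IP protocol 47) must also be accepted; once IPsec is up it travels inside
# ESP, but the interface is matched on the decapsulated packet as well.
add chain=input action=accept protocol=gre src-address=5.6.7.8 \
    place-before=0 comment="GRE from peer"

# 3. Watch the counters while the tunnel tries to come up (Ctrl-C stops the interval print).
#    output/passthrough counting while input/accept stays at zero means ESP is lost
#    between the routers (ISP filtering) or the accept rule sits below a drop.
/ip firewall filter print stats interval=1 where protocol=ipsec-esp
/ip firewall filter print stats where protocol=udp

# 4. If ESP is flowing in both directions, confirm that security associations exist.
/ip ipsec installed-sa print
```

Run the same set, with the addresses swapped, on the East router; a mismatch between the two sides' counters points at the direction in which ESP is being dropped.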
 
jedimarcus
just joined
Topic Author
Posts: 2
Joined: Sun Apr 28, 2019 10:11 pm

Re: GRE Tunnel with IPsec

Thu Sep 12, 2019 5:07 pm

The problem was related to the default IPsec proposals, which were different.

Even though the versions were the same, the upgrade paths weren't the same, which probably explains the difference.

Tunnel works now as expected.

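A way to compare and pin the IPsec parameters that a GRE interface with ipsec-secret relies on, as an added example in RouterOS v6 CLI syntax (not configuration from the thread). It assumes RouterOS 6.43 or later, where phase 1 settings live under /ip ipsec profile, that the dynamic peer and policy created by ipsec-secret use the profile and proposal named "default", and the interface name gre_hq from the first post; the algorithm values are a reasonable choice, not something the thread states.

```routeros
# Added example: find and fix a default proposal/profile mismatch between two routers.
# Run the print commands on BOTH routers and compare the output line by line.

# Phase 1 (IKE) parameters used by the dynamic peer.
/ip ipsec profile print detail where name=default
# Phase 2 (ESP) parameters used by the dynamic policy.
/ip ipsec proposal print detail where name=default

# If they differ (e.g. one side still carries 3des/sha1 from an older install while the
# other has aes-128/sha256), set identical values explicitly on both sides rather than
# trusting whatever the upgrade path left behind. Values here are assumptions.
/ip ipsec profile set [find name=default] hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=1d
/ip ipsec proposal set [find name=default] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=30m

# Re-apply the (identical) secret on the GRE interface so the dynamic peer and policy
# are recreated with the new parameters.
/interface gre set [find name=gre_hq] ipsec-secret="use-a-long-random-secret"

# Verify: a dynamic policy should exist and SAs should be installed in both directions.
/ip ipsec policy print
/ip ipsec installed-sa print

# Negotiation failures are logged under the ipsec topic (e.g. "no proposal chosen");
# enable it to memory if it is not already collected, then read it back.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
```

Pinning the algorithms explicitly on both sides also removes the dependence on whichever defaults a future upgrade ships, which is the class of drift this thread ran into.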