Hello,
The problems I experience with IPSec are not the same ones.
Actually, I have problems with IPSec with or without GRE, but those are instability problems (the tunnel stops working for no apparent reason).
The fact is that the same GRE tunnel works great with IPSec (apart from the instability), and doesn't work at all without IPSec.
I did follow the wiki example when I set up my first GRE tunnels, but I always used IPSec encryption, so I never noticed the issues without it.
It's difficult to get anything wrong when following the wiki example, since it's basically 3 lines on each side, but I admit I could have made a mistake in everything that is not in the example.
Here is the export from one side:
# Export of one tunnel endpoint. Lines starting with '#' are comments; every other
# line is kept exactly as exported. The public addresses (aaa.bbb.ccc.ddd and
# eee.fff.ggg.hhh) appear to have been replaced by placeholders in the post.
export hide-sensitive
# jan/10/2020 10:35:09 by RouterOS 6.46.1
# software id = LH3E-PIED
#
# model = RB2011UiAS-2HnD
# serial number = B9070A875DD7
# GRE tunnel to the remote site; fast-path is disabled on this interface.
/interface gre
add allow-fast-path=no dont-fragment=inherit local-address=aaa.bbb.ccc.ddd name=gre-vence-1 remote-address=eee.fff.ggg.hhh
# Interface lists used by the firewall below. LAN includes the GRE list, so
# gre-vence-1 counts as LAN for every rule matching in-interface-list=LAN or !LAN.
/interface list
add comment=defconf name=WAN
add name=GRE
add comment=defconf include=GRE name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vdsl-orange-ether1 list=WAN
add interface=adsl-sfr-ether2 list=WAN
add interface=gre-vence-1 list=GRE
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge network=192.168.3.0
# Inner tunnel address; the far end is presumably 172.16.0.18 (see the /ip route
# entry for 192.168.0.0/24 below) - confirm against the other side's export.
add address=172.16.0.17/30 interface=gre-vence-1 network=172.16.0.16
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# For testing purpose: IKE (udp/500) and NAT-T (udp/4500) accepted from any source
# on the WAN list.
# NOTE(review): no src-address is set. Once testing is over, limit this rule to the
# tunnel peer (src-address=eee.fff.ggg.hhh) so IKE is not reachable from the whole internet.
add action=accept chain=input dst-port=500,4500 in-interface-list=WAN protocol=udp
# For testing purpose: GRE (protocol 47) accepted from any source on the WAN list.
# NOTE(review): same remark. Without IPsec, GRE does not authenticate the peer, so a
# src-address=eee.fff.ggg.hhh match is the only filter on who may send into the tunnel.
add action=accept chain=input in-interface-list=WAN protocol=gre
# gre-vence-1 is in LAN (via the GRE list), so input from the tunnel is not dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: default-config rules. There is no final drop in this export, so
# forwarded traffic not matched by the rule below is accepted by the chain default.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only interfaces in the WAN list are affected; gre-vence-1 is in GRE/LAN, so new
# connections arriving through the tunnel are not dropped by this rule.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Dual-WAN marks: connections entering through one WAN are tagged, and their
# forwarded packets get a routing mark so replies leave through the same WAN
# (see the routing-mark routes under /ip route).
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=vdsl-orange-ether1 new-connection-mark=From-WAN1 passthrough=yes
# adsl-sfr-ether2 not ready
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=adsl-sfr-ether2 new-connection-mark=From-WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=From-WAN1 dst-address-type=!local new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=From-WAN2 dst-address-type=!local new-routing-mark=WAN2 passthrough=yes
# VoIP host 192.168.3.250: connections from it (via bridge) and to it (via the GRE
# list) are marked VoIP-cnx, and their packets VoIP-Pkt.
add action=mark-connection chain=prerouting in-interface=bridge new-connection-mark=VoIP-cnx passthrough=yes src-address=192.168.3.250
add action=mark-connection chain=prerouting dst-address=192.168.3.250 in-interface-list=GRE new-connection-mark=VoIP-cnx passthrough=yes
add action=mark-packet chain=prerouting connection-mark=VoIP-cnx new-packet-mark=VoIP-Pkt passthrough=yes
# Router-terminated traffic to/from the address list "gre" is marked GRE-cnx / GRE-Pkt.
# NOTE(review): the address list "gre" is not defined anywhere in this export (no
# /ip firewall address-list section) - verify it exists and contains the peer,
# otherwise these two rules never match.
add action=mark-connection chain=input connection-mark=no-mark new-connection-mark=GRE-cnx passthrough=yes src-address-list=gre
add action=mark-connection chain=output connection-mark=no-mark dst-address-list=gre new-connection-mark=GRE-cnx passthrough=yes
add action=mark-packet chain=output connection-mark=GRE-cnx new-packet-mark=GRE-Pkt passthrough=yes
# Everything else arriving from LAN (which includes the GRE list) is marked Data.
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN new-connection-mark=Data-cnx passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Data-cnx new-packet-mark=Data-Pkt passthrough=yes
/ip firewall nat
# For testing purpose: exempt site-to-site traffic toward 192.168.1.0/24 from NAT.
# NOTE(review): no route to 192.168.1.0/24 appears in this export; only
# 192.168.0.0/24 is routed through the tunnel below.
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.3.0/24
# For testing purpose: exempt site-to-site traffic toward 192.168.0.0/24 (routed via
# the tunnel) from NAT, so it is not masqueraded by the rules that follow.
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.3.0/24
# Masquerade everything else leaving each WAN; ipsec-policy=out,none restricts this
# to packets that are not subject to an IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=vdsl-orange-ether1
# adsl-sfr-ether2 not ready
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=adsl-sfr-ether2
/ip firewall service-port
# SIP connection-tracking helper disabled.
set sip disabled=yes
/ip route
# Per-WAN default routes selected by routing mark, then the plain defaults
# (WAN1 preferred at distance 1, WAN2 as backup at distance 2).
add check-gateway=ping distance=1 gateway=vdsl-orange-ether1 routing-mark=WAN1
add check-gateway=ping distance=1 gateway=adsl-sfr-ether2 routing-mark=WAN2
add check-gateway=ping distance=1 gateway=vdsl-orange-ether1
add check-gateway=ping distance=2 gateway=adsl-sfr-ether2
# Pin the GRE peer to WAN1. The blackhole at distance 10 presumably keeps the
# tunnel from failing over to adsl-sfr-ether2, where the packets would not leave
# from local-address - confirm this is the intent.
add check-gateway=ping distance=1 dst-address=eee.fff.ggg.hhh/32 gateway=vdsl-orange-ether1
add distance=10 dst-address=eee.fff.ggg.hhh/32 type=blackhole
# Remote LAN reached through the tunnel's far-end inner address.
add check-gateway=ping distance=1 dst-address=192.168.0.0/24 gateway=172.16.0.18
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes server-dns-names=fr.pool.ntp.org
Is there something wrong?
Joris