Community discussions

MikroTik App
  4. RouterOS
  5. General

GRE over IPSEC stopped working

Post Reply
 
OlofL
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

GRE over IPSEC stopped working

Wed Feb 19, 2020 12:32 pm

Recently my gre tunnel over my ipsec tunnel stopped working.
Remote site is using vyos.

Ping works, so ipsec tunnel is obviously up, however, gre doesnt work.
Here is a ping between both routers loopback interfaces. Which is in the ipsec policy.
Code: Select all
/ping src-address=172.24.32.54 172.18.255.26 count=3
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                     
    0 172.18.255.26                              56  64 1ms  
    1 172.18.255.26                              56  64 1ms  
    2 172.18.255.26                              56  64 1ms  
    sent=3 received=3 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=1ms

The gre tunnel linknet between the routers are 172.24.1.112/29. Each router has an ip on the gre interface.
When I initiate ping from vyos to mikrotik on the gre-network, I can see vyos is sending esp packets to mikrotik.
But when initating ping from mikrotik to vyos, I cannot see mikrotik encrypting these packets in the tunnel...
Code: Select all
/ping 172.24.1.113 count=3
  SEQ HOST                                     SIZE TTL TIME  STATUS         
    0 172.24.1.113                                            timeout        
    1 172.24.1.113                                            timeout        
    2 172.24.1.113                                            timeout        
    sent=3 received=0 packet-loss=100%

This was working until recently when I upgraded from version 6.44 or 45 something to 6.46.2


Relevant configuration
Code: Select all
/ip ipsec export
/ip ipsec peer
add address=111.111.111.47/32 exchange-mode=ike2 name=80003
/ip ipsec profile
set [ find default=yes ] dh-group=ecp521 enc-algorithm=aes-128 lifetime=8h name=\
    80003-ike nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=ecp521
add enc-algorithms=aes-256-cbc lifetime=1h name=80003-esp pfs-group=ecp521
/ip ipsec identity
add my-id=fqdn:mt-cpe peer=80003 secret=xxx
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.18.255.26/32 peer=80003 proposal=80003-esp sa-dst-address=\
    111.111.111.47 sa-src-address=0.0.0.0 src-address=172.24.32.54/32 tunnel=yes

/interface gre export
add !keepalive local-address=172.24.32.54 name=gre0 remote-address=172.18.255.26

/ip address export
add address=172.24.32.54 comment=loopback interface=loopback network=172.24.32.54
add address=172.24.1.114/29 comment=gre-ipsec interface=gre0 network=172.24.1.112


/ip firewall nat export
add action=accept chain=srcnat dst-address=172.18.255.26 src-address=172.24.32.54
add action=accept chain=srcnat src-address=172.24.1.112/29
add action=masquerade chain=srcnat log=yes out-interface=ether1
Top
 
Elliot
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Tue May 30, 2017 3:04 pm

Re: GRE over IPSEC stopped working

Wed Feb 19, 2020 1:36 pm

Same problem here. It helped to restart VPN server on router side and delete clients and configure them again on client side. Hope that helps. I'm not sure but I think that Mikrotik might have some ipsec issues in versions 4.63.1-3.
Top
 
OlofL
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: GRE over IPSEC stopped working

Wed Feb 19, 2020 2:21 pm

Same problem here. It helped to restart VPN server on router side and delete clients and configure them again on client side. Hope that helps. I'm not sure but I think that Mikrotik might have some ipsec issues in versions 4.63.1-3.
@Elliot

I have restarted the vpn several times, on both ends.

However, I am just seeing some very weird, and I think it might be causing the issue...

My gre interface ip address is in a /29. all good.
Code: Select all
/ip address print where comment=gre-ipsec
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                                                                                    
 0   ;;; gre-ipsec
     172.24.1.114/29    172.24.1.112    gre0




ip route to network address - all good
Code: Select all
/ip route check 172.24.1.112             
     status: ok
  interface: gre0
    nexthop: 172.24.1.112


ip route to vyos gre ip address... nexthop over eth1 wan address.. wtf?!
Code: Select all
/ip route check 172.24.1.113
     status: ok
  interface: ether1
    nexthop: 123.123.123.1


mikrotik gre ip address (myself) - all good
Code: Select all
/ip route check 172.24.1.114
     status: ok
  interface: *FFFFFFFF
    nexthop: 172.24.1.114


another address in gre network... also nexthop out wan interface.. wtf?!
Code: Select all
/ip route check 172.24.1.115
     status: ok
  interface: ether1
    nexthop: 123.123.123.1
Top
 
OlofL
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: GRE over IPSEC stopped working

Wed Feb 19, 2020 2:34 pm

Same problem here. It helped to restart VPN server on router side and delete clients and configure them again on client side. Hope that helps. I'm not sure but I think that Mikrotik might have some ipsec issues in versions 4.63.1-3.
Do you also have a RB4011?

Also, I downgraded to channel=long-term - same issue. Version 6.45.8.

Then I upgraded to channel=testing and version 6.47beta35. - Same issue. ALSO this broke my regular user ssh-key login.

Then I downgraded to old image 6.44.6 - same issue AGAIN?! hmm something must be wrong with my setup?!

THEN I changed
Code: Select all
/interface gre set [find name=gre0] allow-fast-path=no
NOW it suddenly works..

Now again I upgraded again to latest stable... 6.46.3 stable.
It is still working.
And then I set
Code: Select all
/interface gre set [find name=gre0] allow-fast-path=yes
Still working again...

And everything works as exptected on "stable" version again!
hooray?!!!!

For future reference. something must have broke in regards to allow-fast-path in the config. This seems ot be a config that was persistent and hidden through my down/upgrades. And reset when I manually changed that value.
Top
 
OlofL
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: GRE over IPSEC stopped working

Thu Feb 20, 2020 2:45 pm

I will set this to unsolved again, because I just had an equal case where the ip route for my ipsec gre link network is not routing properly...
And this time that trick is not working :/
Top
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: GRE over IPSEC stopped working

Thu Feb 20, 2020 6:19 pm

I will set this to unsolved again, because I just had an equal case where the ip route for my ipsec gre link network is not routing properly...
And this time that trick is not working :/
I got the same error, even with a loopback interface. When you use 10.24.1.112/29 instead, routing doesn't work at all.
I have another /29 in 192.168. address space which is working correctly.
You should report this error to mikrotik support.

EDIT: seems /ip route check not only uses the main table to resolve routes (which is bs imo), this is why 10.X.X.X/29 didn't work at all.
I have a blackhole route for 10/8 for my guest network with a routing mark.
EDIT2: had to reboot the router because the snmp daemon crashed again.. now the right interface is used for all addresses in this range...very strange
Top
Post Reply

Who is online

Users browsing this forum: GoogleOther [Bot], Semrush [Bot] and 43 guests
  4. RouterOS
  5. General