Remote site is using vyos.
Ping works, so the ipsec tunnel is obviously up; however, gre doesn't work.
Here is a ping between both routers' loopback interfaces, which are in the ipsec policy.
Code:
/ping src-address=172.24.32.54 172.18.255.26 count=3
SEQ HOST SIZE TTL TIME STATUS
0 172.18.255.26 56 64 1ms
1 172.18.255.26 56 64 1ms
2 172.18.255.26 56 64 1ms
sent=3 received=3 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=1ms
The gre tunnel linknet between the routers is 172.24.1.112/29. Each router has an ip on the gre interface.
When I initiate a ping from vyos to mikrotik on the gre network, I can see vyos sending esp packets to mikrotik.
But when initiating a ping from mikrotik to vyos, I cannot see mikrotik encrypting these packets in the tunnel...
Code:
/ping 172.24.1.113 count=3
SEQ HOST SIZE TTL TIME STATUS
0 172.24.1.113 timeout
1 172.24.1.113 timeout
2 172.24.1.113 timeout
sent=3 received=0 packet-loss=100%
This was working until recently, when I upgraded from version 6.44 or 45 something to 6.46.2.
Relevant configuration:
Code:
/ip ipsec export
/ip ipsec peer
add address=111.111.111.47/32 exchange-mode=ike2 name=80003
/ip ipsec profile
set [ find default=yes ] dh-group=ecp521 enc-algorithm=aes-128 lifetime=8h name=\
80003-ike nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=ecp521
add enc-algorithms=aes-256-cbc lifetime=1h name=80003-esp pfs-group=ecp521
/ip ipsec identity
add my-id=fqdn:mt-cpe peer=80003 secret=xxx
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.18.255.26/32 peer=80003 proposal=80003-esp sa-dst-address=\
111.111.111.47 sa-src-address=0.0.0.0 src-address=172.24.32.54/32 tunnel=yes
/interface gre export
add !keepalive local-address=172.24.32.54 name=gre0 remote-address=172.18.255.26
/ip address export
add address=172.24.32.54 comment=loopback interface=loopback network=172.24.32.54
add address=172.24.1.114/29 comment=gre-ipsec interface=gre0 network=172.24.1.112
/ip firewall nat export
add action=accept chain=srcnat dst-address=172.18.255.26 src-address=172.24.32.54
add action=accept chain=srcnat src-address=172.24.1.112/29
add action=masquerade chain=srcnat log=yes out-interface=ether1
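A first-pass coverage check for this kind of setup, written here as an added example (it is not code from the post or from MikroTik): it parses a RouterOS export (a constructed copy of the one above), confirms that an enabled IPsec policy's selectors cover the outer GRE packets (loopback to loopback, IP protocol 47), and walks the srcnat chain in order for that same flow, since RouterOS runs srcnat before IPsec policy matching and a masquerade hit there would change the source address the policy sees. The parser is minimal and written for this example; it handles backslash continuations, `[ find ... ]` selectors and `!flag` tokens only as far as this export needs.

```python
"""Check a RouterOS GRE-over-IPsec export for (a) an enabled IPsec policy whose
selectors cover the outer GRE flow and (b) a srcnat chain that does not rewrite
that flow before policy matching. Added example; not code from the post."""
import ipaddress
import shlex

# Constructed sample: a copy of the export quoted in the post (secret already redacted).
CONFIG = r"""
/ip ipsec peer
add address=111.111.111.47/32 exchange-mode=ike2 name=80003
/ip ipsec profile
set [ find default=yes ] dh-group=ecp521 enc-algorithm=aes-128 lifetime=8h name=\
80003-ike nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=ecp521
add enc-algorithms=aes-256-cbc lifetime=1h name=80003-esp pfs-group=ecp521
/ip ipsec identity
add my-id=fqdn:mt-cpe peer=80003 secret=xxx
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.18.255.26/32 peer=80003 proposal=80003-esp sa-dst-address=\
111.111.111.47 sa-src-address=0.0.0.0 src-address=172.24.32.54/32 tunnel=yes
/interface gre
add !keepalive local-address=172.24.32.54 name=gre0 remote-address=172.18.255.26
/ip firewall nat
add action=accept chain=srcnat dst-address=172.18.255.26 src-address=172.24.32.54
add action=accept chain=srcnat src-address=172.24.1.112/29
add action=masquerade chain=srcnat log=yes out-interface=ether1
"""


def parse_export(text):
    """Turn a RouterOS export into (section, verb, settings) tuples.

    A trailing backslash continues the line; tokens inside '[ find ... ]' and bare
    rule numbers are skipped; a '!flag' token is recorded as flag=no.
    """
    entries, section = [], None
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, *tokens = shlex.split(line)
        settings, in_selector = {}, False
        for tok in tokens:
            if tok == "[":
                in_selector = True
            elif tok == "]":
                in_selector = False
            elif in_selector:
                continue
            elif "=" in tok:
                key, _, value = tok.partition("=")
                settings[key] = value
            elif tok.startswith("!"):
                settings[tok[1:]] = "no"
        entries.append((section, verb, settings))
    return entries


def _covers(selector, ip):
    """True when the address selector is absent (matches any) or contains ip."""
    return selector is None or ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)


def gre_policy_coverage(entries):
    """Map each GRE interface to the peer of the first enabled IPsec policy whose
    src/dst selectors cover its local->remote outer packets (protocol 'all' or 'gre'),
    or to None when no policy would select that traffic."""
    policies = [s for sec, verb, s in entries
                if sec == "/ip ipsec policy" and verb == "add" and s.get("disabled") != "yes"]
    coverage = {}
    for sec, verb, gre in entries:
        if sec != "/interface gre" or verb != "add":
            continue
        hit = next((p for p in policies
                    if _covers(p.get("src-address"), gre["local-address"])
                    and _covers(p.get("dst-address"), gre["remote-address"])
                    and p.get("protocol", "all") in ("all", "gre")), None)
        coverage[gre["name"]] = hit["peer"] if hit else None
    return coverage


def srcnat_verdict(entries, src, dst, out_iface):
    """Walk the srcnat chain top to bottom and return the action of the first rule
    matching the flow ('none' if no rule matches). Because srcnat runs before IPsec
    policy matching, a 'masquerade' verdict for the outer GRE flow means the policy
    would never see the loopback source address."""
    for sec, verb, rule in entries:
        if sec != "/ip firewall nat" or verb != "add" or rule.get("chain") != "srcnat":
            continue
        if rule.get("disabled") == "yes":
            continue
        if not _covers(rule.get("src-address"), src) or not _covers(rule.get("dst-address"), dst):
            continue
        if rule.get("out-interface") not in (None, out_iface):
            continue
        return rule["action"]
    return "none"


if __name__ == "__main__":
    parsed = parse_export(CONFIG)
    print("GRE interfaces covered by policy:", gre_policy_coverage(parsed))
    print("srcnat verdict for outer GRE flow:",
          srcnat_verdict(parsed, "172.24.32.54", "172.18.255.26", "ether1"))
```

For the posted configuration both checks come back clean (gre0 is selected by the policy for peer 80003, and the loopback-to-loopback flow hits the accept rule ahead of the masquerade), so selector coverage and NAT ordering can be ruled out before looking at the upgrade itself; the same two checks are worth running any time a tunnel stops encrypting in one direction after a version change.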