I am running RouterOS 6.47.6 on RB4011 on both routers.
I expected that if I try to ping other sides loopback address, with source-loopback, it should setup the gre tunnel and I can route over the gre tunnel.
However, the gre interface is never coming up.
Code: Select all
[admin@L] > /interface print where name=gre
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 gre gre-tunnel 1300 65535
[admin@L] > /ip route check 172.24.0.2
status: failed
[admin@L] > /ip ipsec active-peers print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
0 R 1.1.1.2 established 9m5s 1 1.1.1.2
[admin@L] > /ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0x4FB053D src-address=1.1.1.2 dst-address=1.1.1.1 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256
auth-key="5291410ef6d7be3fa5197c55ca7fbb0c2a8122bb" enc-key="db58f5eb380e815344ef275c4a4c743c5301c3418b8b5c9175a17f7ab53bd057"
add-lifetime=24m4s/30m5s replay=128
1 HE spi=0x8C490BB src-address=1.1.1.1 dst-address=1.1.1.2 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256
auth-key="a70d7166a1ed4d57dd5371209c143fadc45672b0" enc-key="baa134c797c3d75f09e812730f759f220fd513ebb2d72a470c4dc49b79177e25"
add-lifetime=24m4s/30m5s replay=128
LEFT SIDE CONFIG:
===============
Code: Select all
/interface bridge
add name=lo protocol-mode=none
/interface gre
add local-address=10.0.0.1 mtu=1300 name=gre remote-address=10.0.0.2
/ip ipsec peer
add address=1.1.1.2/32 exchange-mode=ike2 name=rb4011
/ip address
add address=1.1.1.1/30 interface=ether1 network=1.1.1.0
add address=192.168.1.1/24 interface=ether5 network=192.168.1.0
add address=10.0.0.1 interface=lo network=10.0.0.1
add address=172.24.0.1/30 interface=gre network=172.24.0.0
/ip ipsec identity
add peer=rb4011 secret=testing1234
/ip ipsec policy
add dst-address=10.0.0.2/32 peer=rb4011 sa-dst-address=1.1.1.2 sa-src-address=1.1.1.1 src-address=10.0.0.1/32 tunnel=yes
/system identity
set name=L
RIGHT SIDE CONFIG:
================
Code: Select all
/interface bridge
add name=lo protocol-mode=none
/interface gre
add local-address=10.0.0.2 mtu=1300 name=gre remote-address=10.0.0.1
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=rb4011
/ip address
add address=1.1.1.2/30 interface=ether1 network=1.1.1.0
add address=192.168.2.1/24 interface=ether5 network=192.168.2.0
add address=10.0.0.2 interface=lo network=10.0.0.2
add address=172.24.0.2/30 interface=gre network=172.24.0.0
/ip ipsec identity
add peer=rb4011 secret=testing1234
/ip ipsec policy
add dst-address=10.0.0.1/32 peer=rb4011 sa-dst-address=1.1.1.1 sa-src-address=1.1.1.2 src-address=10.0.0.2/32 tunnel=yes
/system identity
set name=R
FROM IPSEC LOG:
===============
Code: Select all
16:58:19 ipsec,debug 05000000
16:58:19 ipsec initiator selector: 10.0.0.2
16:58:19 ipsec adding payload: TS_I
16:58:19 ipsec,debug => (size 0x18)
16:58:19 ipsec,debug 00000018 01000000 07000010 0000ffff 0a000002 0a000002
16:58:19 ipsec responder selector: 10.0.0.1
16:58:19 ipsec adding payload: TS_R
16:58:19 ipsec,debug => (size 0x18)
16:58:19 ipsec,debug 00000018 01000000 07000010 0000ffff 0a000001 0a000001
16:58:19 ipsec <- ike2 request, exchange: AUTH:1 1.1.1.1[4500] fd9a20f449736340:d654a3db4f90c1b5
16:58:19 ipsec,debug ===== sending 444 bytes from 1.1.1.2[4500] to 1.1.1.1[4500]
16:58:19 ipsec,debug 1 times of 448 bytes message will be sent to 1.1.1.1[4500]
16:58:19 ipsec,debug ===== received 444 bytes from 1.1.1.1[4500] to 1.1.1.2[4500]
16:58:19 ipsec -> ike2 reply, exchange: AUTH:1 1.1.1.1[4500] fd9a20f449736340:d654a3db4f90c1b5
16:58:19 ipsec payload seen: ENC (416 bytes)
16:58:19 ipsec processing payload: ENC
16:58:19 ipsec,debug => iv (size 0x10)
16:58:19 ipsec,debug dc5d00d0 669f2854 69bbc63b fda2e74a
16:58:19 ipsec,debug => plain payload (trimmed) (size 0x84)
16:58:19 ipsec,debug 2700000c 01000000 01010101 2c00001c 02000000 2e1d7e03 720c96bb 2f4e7e08
16:58:19 ipsec,debug a04c4ba7 12ff131f 2d000018 01000000 07000010 0000ffff 0a000002 0a000002
16:58:19 ipsec,debug 21000018 01000000 07000010 0000ffff 0a000001 0a000001 0000002c 00000028
16:58:19 ipsec,debug 01030403 04fb053d 0300000c 0100000c 800e0100 03000008 03000002 00000008
16:58:19 ipsec,debug 05000000
16:58:19 ipsec,debug decrypted
16:58:19 ipsec payload seen: ID_R (12 bytes)
16:58:19 ipsec payload seen: AUTH (28 bytes)
16:58:19 ipsec payload seen: TS_I (24 bytes)
16:58:19 ipsec payload seen: TS_R (24 bytes)
16:58:19 ipsec payload seen: SA (44 bytes)
16:58:19 ipsec processing payloads: NOTIFY (none found)
16:58:19 ipsec ike auth: initiator finish
16:58:19 ipsec processing payload: ID_R
16:58:19 ipsec ID_R (ADDR4): 1.1.1.1
16:58:19 ipsec processing payload: AUTH
16:58:19 ipsec requested auth method: SKEY
16:58:19 ipsec,debug => peer's auth (size 0x14)
16:58:19 ipsec,debug 2e1d7e03 720c96bb 2f4e7e08 a04c4ba7 12ff131f
16:58:19 ipsec,debug => auth nonce (size 0x18)
16:58:19 ipsec,debug 6f42ffb5 0a0445a7 d1a4a3cb aa3fcdb5 99949078 a82f6586
16:58:19 ipsec,debug => SK_p (size 0x14)
16:58:19 ipsec,debug 112804de 2a6b0f89 63111ccf 7ac01e03 c50a57cb
16:58:19 ipsec,debug => idhash (size 0x14)
16:58:19 ipsec,debug 1dc7d6a2 a4f3ecfa 25b4f5f1 e2547caa fa73ff08
16:58:19 ipsec,debug => calculated peer's AUTH (size 0x14)
16:58:19 ipsec,debug 2e1d7e03 720c96bb 2f4e7e08 a04c4ba7 12ff131f
16:58:19 ipsec,info,account peer authorized: 1.1.1.2[4500]-1.1.1.1[4500] spi:fd9a20f449736340:d654a3db4f90c1b5
16:58:19 ipsec processing payloads: NOTIFY (none found)
16:58:19 ipsec peer selected tunnel mode
16:58:19 ipsec processing payload: TS_I
16:58:19 ipsec 10.0.0.2
16:58:19 ipsec processing payload: TS_R
16:58:19 ipsec 10.0.0.1
16:58:19 ipsec my vs peer's selectors:
16:58:19 ipsec 10.0.0.2 vs 10.0.0.2
16:58:19 ipsec 10.0.0.1 vs 10.0.0.1
16:58:19 ipsec processing payload: SA
16:58:19 ipsec IKE Protocol: ESP
16:58:19 ipsec proposal #1
16:58:19 ipsec enc: aes256-cbc
16:58:19 ipsec auth: sha1
16:58:19 ipsec matched proposal:
16:58:19 ipsec proposal #1
16:58:19 ipsec enc: aes256-cbc
16:58:19 ipsec auth: sha1
16:58:19 ipsec,debug => child keymat (size 0x78)
16:58:19 ipsec,debug db58f5eb 380e8153 44ef275c 4a4c743c 5301c341 8b8b5c91 75a17f7a b53bd057
16:58:19 ipsec,debug 5291410e f6d7be3f a5197c55 ca7fbb0c 2a8122bb baa134c7 97c3d75f 09e81273
16:58:19 ipsec,debug 0f759f22 0fd513eb b2d72a47 0c4dc49b 79177e25 a70d7166 a1ed4d57 dd537120
16:58:19 ipsec,debug 9c143fad c45672b0 5a42c6fd 7c6a529e 6316f6cd 87460313
16:58:19 ipsec IPsec-SA established: 1.1.1.1[4500]->1.1.1.2[4500] spi=0x8c490bb
16:58:19 ipsec IPsec-SA established: 1.1.1.2[4500]->1.1.1.1[4500] spi=0x4fb053d