Community discussions

MikroTik App
 
maximum
just joined
Topic Author
Posts: 2
Joined: Thu Nov 19, 2020 8:44 am

GRE over IPSEC

Thu Nov 19, 2020 10:29 am

1. Mikrotik RB760iGS WinBox v6.47.7
IP: my.public.ip.1
LAN: 192.168.0.0/24
VPN: 172.16.31.1/30

2. Mikrotik RB760iGS WinBox v6.47.7
IP: my.public.ip.2
LAN: 192.168.22.0/24
VPN: 172.16.31.2/30

After an idle or reboot of the router, it is required to ping the remote router traffic.
RDP and SMB.
After the ping rises from both sides, the traffic goes.
How to make GRE over IPSEC automatically?
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: GRE over IPSEC

Thu Nov 19, 2020 8:23 pm

After an idle or reboot of the router, it is required to ping the remote router traffic.
RDP and SMB.
After the ping rises from both sides, the traffic goes.
How to make GRE over IPSEC automatically?
It looks like a firewall issue and/or GRE keepalive off. Post the text export of configurations of both routers. See a mini-howto in my automatic signature below.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
maximum
just joined
Topic Author
Posts: 2
Joined: Thu Nov 19, 2020 8:44 am

Re: GRE over IPSEC

Fri Nov 20, 2020 8:14 am

M1:
# nov/20/2020 08:37:40 by RouterOS 6.47.7
# model = RB760iGS
/interface bridge
add auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=eth1-wan speed=100Mbps
set [ find default-name=ether2 ] comment="Lan 192.168.0.0" name=eth2-lan speed=\
    100Mbps
/interface gre
add name=gre1-koms81 remote-address=my.public.ip.2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=profile_1 \
    nat-traversal=no
/ip ipsec peer
add address=172.16.31.2/32 comment=koms81 name=peer1-koms81 profile=profile_1
/ip pool
add name=dhcp ranges=192.168.0.60-192.168.0.70
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add memory-lines=50000 name=ipsec target=memory
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=eth2-lan
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=eth1-wan list=WAN
/ip address
add address=192.168.0.77/24 comment=defconf interface=eth2-lan network=\
    192.168.0.0
add address=my.public.ip.1/27 comment=Internet interface=eth1-wan network=\
    my.public.gw.1
add address=172.16.31.1/30 comment=VPN interface=gre1-koms81 network=\
    172.16.31.0
/ip dhcp-client
add comment=defconf interface=eth1-wan
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=82.151.98.162,8.8.4.4 \
    gateway=192.168.0.77
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.77 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes protocol=!gre
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes protocol=!gre
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="FastTrack exc IPSec" \
    connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes protocol=!gre
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=accept chain=srcnat comment="Route to Koms81" dst-address=\
    192.168.22.0/24 src-address=192.168.0.0/24
add action=src-nat chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface=eth1-wan to-addresses=my.publoc.ip.1
/ip ipsec identity
add peer=peer1-koms81
/ip ipsec policy
add comment=koms81 dst-address=192.168.22.0/24 peer=peer1-koms81 \
    sa-dst-address=172.16.31.2 sa-src-address=172.16.31.1 src-address=\
    192.168.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=my.public.gw.1
add comment="route to koms81" distance=1 dst-address=192.168.22.0/24 gateway=\
    172.16.31.2 pref-src=192.168.0.77
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Moscow
/system logging
add action=ipsec topics=ipsec,error
add action=ipsec topics=ipsec,debug,!packet
add action=ipsec topics=ipsec,info
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[Olimp13@MikroTik] > 
M2:
# nov/20/2020 08:29:59 by RouterOS 6.47.7

# model = RB760iGS

/interface bridge
add auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=eth1-wan speed=100Mbps
set [ find default-name=ether2 ] comment="Lan 192.168.22.0" name=eth2-lan \
    speed=100Mbps
/interface gre
add name=gre1-olimp13 remote-address=my.public.ip.1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=profile_1 \
    nat-traversal=no
/ip ipsec peer
add address=172.16.31.1/32 comment=olimp13 name=peer1-olimp13 profile=profile_1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/system logging action
add memory-lines=50000 name=ipsec target=memory
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=eth2-lan
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=eth1-wan list=WAN
/ip address
add address=my.public.ip.2/27 interface=eth1-wan network=my.public.gw.2
add address=192.168.22.77/24 interface=eth2-lan network=192.168.22.0
add address=172.16.31.2/30 interface=gre1-olimp13 network=172.16.31.0
/ip dhcp-client
add comment=defconf interface=eth1-wan
/ip dns
set allow-remote-requests=yes servers=82.151.98.162,8.8.4.4
/ip dns static
add address=192.168.22.77 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes protocol=!gre
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes protocol=!gre
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="FastTrack exc IPSec" \
    connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes protocol=!gre
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=accept chain=srcnat comment="Route to Olimp13" dst-address=\
    192.168.0.0/24 src-address=192.168.22.0/24
add action=src-nat chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN to-addresses=my.public.ip.2
/ip ipsec identity
add peer=peer1-olimp13
/ip ipsec policy
add comment=olimp13 dst-address=192.168.0.0/24 peer=peer1-olimp13 \
    sa-dst-address=172.16.31.1 sa-src-address=172.16.31.2 src-address=\
    192.168.22.0/24 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=my.public.gw.2
add comment="route to olimp13" distance=1 dst-address=192.168.0.0/24 gateway=\
    172.16.31.1 pref-src=192.168.22.77
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=Koms81
/system logging
add action=ipsec topics=ipsec,error
add action=ipsec topics=ipsec,debug,!packet
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[Koms81@Koms81] > 

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 119 guests