mafiosa
Member Candidate
Topic Author
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

Gre over ipsec

Fri Jan 01, 2021 1:16 am

In case of GRE over IPsec, what IPsec policy should I create? Does it need to be 255 (all) or 4 (ip-encap) or 47 (gre)? I am configuring it between Huawei and MikroTik. Huawei guide suggests to set up an IPsec ACL for GRE over IPsec.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Gre over ipsec

Fri Jan 01, 2021 3:39 am

 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Gre over ipsec

Fri Jan 01, 2021 10:55 am

> In case of GRE over IPsec, what IPsec policy should I create? Does it need to be 255 (all) or 4 (ip-encap) or 47 (gre)? I am configuring it between Huawei and MikroTik. Huawei guide suggests to set up an IPsec ACL for GRE over IPsec.

Definitely not IP-ENCAP as GRE is a different protocol. Setting GRE is sufficient if Huawei supports that too, otherwise 255. The Huawei ACL 3000 in your other topic as linked by @msatter doesn't specify any IP protocol, hence 255 (which is the default if you don't specify any protocol) at Mikrotik side is a matching setting.
 
mafiosa
Member Candidate
Topic Author
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

Re: Gre over ipsec

Fri Jan 01, 2021 11:02 am

> Definitely not IP-ENCAP as GRE is a different protocol. Setting GRE is sufficient if Huawei supports that too, otherwise 255. The Huawei ACL 3000 in your other topic as linked by @msatter doesn't specify any IP protocol, hence 255 (which is the default if you don't specify any protocol) at Mikrotik side is a matching setting.

Yes, as per that guide from Huawei the ACL mentions:
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0

So when I set this ACL to gre after permit instead of ip, the tunnel establishes but no traffic passes even though the tunnel is established.
Let me try with 255 on the MikroTik end.
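
Added example (not part of any post in this thread, and not MikroTik or Huawei code): a small checker for the selector-matching point made above, that a Huawei `permit ip` ACL rule corresponds to protocol 255 on the MikroTik side with source and destination swapped. The ACL rule is the one quoted in the thread; the two RouterOS policy lines are constructed inputs and use only the `src-address`, `dst-address` and `protocol` arguments.

```python
import ipaddress
import re

# Protocol numbers as used in the thread: 255 = all, 47 = GRE, 4 = IP-ENCAP.
PROTO = {"ip": 255, "all": 255, "gre": 47, "ip-encap": 4}

def _net(addr, wildcard):
    # Huawei wildcard "0" is shorthand for 0.0.0.0, i.e. an exact host match.
    wc = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    mask = ipaddress.IPv4Address(wc ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_huawei_rule(line):
    """Parse 'rule N permit PROTO source ADDR WILDCARD destination ADDR WILDCARD'."""
    m = re.search(r"permit\s+(\S+)\s+source\s+(\S+)\s+(\S+)"
                  r"\s+destination\s+(\S+)\s+(\S+)", line)
    if not m:
        raise ValueError("unsupported ACL rule: " + line)
    proto, src, src_wc, dst, dst_wc = m.groups()
    return PROTO[proto], _net(src, src_wc), _net(dst, dst_wc)

def parse_routeros_policy(line):
    """Parse the key=value arguments of an '/ip ipsec policy add ...' line."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    proto = PROTO[kv.get("protocol", "all")]  # per the thread, 255 is the default
    return (proto, ipaddress.ip_network(kv["src-address"]),
            ipaddress.ip_network(kv["dst-address"]))

def selector_mismatches(huawei_rule, routeros_policy):
    """Return the differences; an empty list means the two ends mirror each other."""
    h_proto, h_src, h_dst = parse_huawei_rule(huawei_rule)
    m_proto, m_src, m_dst = parse_routeros_policy(routeros_policy)
    problems = []
    if h_proto != m_proto:
        problems.append(f"protocol: Huawei {h_proto} vs MikroTik {m_proto}")
    if h_src != m_dst:  # Huawei's source must be MikroTik's destination
        problems.append(f"Huawei source {h_src} vs MikroTik dst-address {m_dst}")
    if h_dst != m_src:  # and the other way round
        problems.append(f"Huawei destination {h_dst} vs MikroTik src-address {m_src}")
    return problems

# ACL rule quoted in the thread; the two RouterOS policy lines are constructed.
ACL_IP = "rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0"
POLICY_GRE = "/ip ipsec policy add src-address=1.2.2.1/32 dst-address=1.2.1.1/32 protocol=gre"
POLICY_ALL = "/ip ipsec policy add src-address=1.2.2.1/32 dst-address=1.2.1.1/32"

if __name__ == "__main__":
    for policy in (POLICY_GRE, POLICY_ALL):
        print(policy, "->", selector_mismatches(ACL_IP, policy) or "selectors match")
```

The check only compares the configured selectors; it says nothing about whether a given pair of devices will pass traffic with them.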
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Gre over ipsec

Fri Jan 01, 2021 12:15 pm

> In case of GRE over IPsec, what IPsec policy should I create? Does it need to be 255 (all) or 4 (ip-encap) or 47 (gre)? I am configuring it between Huawei and MikroTik. Huawei guide suggests to set up an IPsec ACL for GRE over IPsec.

Of course you can do whatever you need to keep the other end happy. In MikroTik you can auto-create a policy (by just entering an IPsec key directly at the GRE interface settings) and it will automatically create the policy, and you can look at it.
 
mafiosa
Member Candidate
Topic Author
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

Re: Gre over ipsec

Fri Jan 01, 2021 3:50 pm

I found out that with 3DES and SHA1 and 255 the tunnel establishes and traffic moves through it. Having issues with other cipher combinations. Tunnel is between Huawei and MikroTik.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Gre over ipsec

Fri Jan 01, 2021 10:15 pm

That is quite common with incomplete or older IPsec implementations.
It is also the reason why this is still the default configuration. When you change it, you run the risk of problems.
 
nichky
Forum Guru
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: Gre over ipsec

Sat Jan 02, 2021 8:40 am

@mafiosa

Make your life easy, play especially with IPsec with same-vendor devices.
I had unestablished tunnels with MikroTik on different versions.
When I upgraded to a later version, boom, everything works well.

I found dynamic routing protocols are much easier (I'm avoiding as much as possible) for establishing... IPsec is just wasting time.
 
mafiosa
Member Candidate
Topic Author
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

Re: Gre over ipsec

Sat Jan 02, 2021 11:06 am

> @mafiosa
>
> Make your life easy, play especially with IPsec with same-vendor devices.
> I had unestablished tunnels with MikroTik on different versions.
> When I upgraded to a later version, boom, everything works well.
>
> I found dynamic routing protocols are much easier (I'm avoiding as much as possible) for establishing... IPsec is just wasting time.

I am using GRE over IPSec, so that I can use ospf between branches.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Gre over ipsec

Sat Jan 02, 2021 12:12 pm

> I am using GRE over IPSec, so that I can use ospf between branches.

It should work well.
Another potential problem is to enable keepalive. Don't do that at first. It can be incompatible.
With a routing protocol on top you probably don't require the keepalive at all. When you want fast switchover use BFD instead.
 
mafiosa
Member Candidate
Topic Author
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

Re: Gre over ipsec

Sat Jan 02, 2021 8:01 pm

> @mafiosa
>
> Make your life easy, play especially with IPsec with same-vendor devices.
> I had unestablished tunnels with MikroTik on different versions.
> When I upgraded to a later version, boom, everything works well.
>
> I found dynamic routing protocols are much easier (I'm avoiding as much as possible) for establishing... IPsec is just wasting time.

I am using GRE over IPSec, so that I can use ospf between branches.
