dreddrus
just joined
Topic Author
Posts: 2
Joined: Thu Apr 21, 2011 3:04 pm

GRE is not encrypted using IPSEC

Mon Apr 25, 2011 9:19 am

Good day!

Configured an IPSEC tunnel between Mikrotik 750G [192.168.200.129] with latest RouterOS 5.1 and Cisco 1841 [192.168.200.130].
When using a GRE tunnel there is a problem: Mikrotik does not encrypt GRE packets, protocol 47, for a given policy:
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.200.129/32 dst-port=any \
ipsec-protocols=esp level=require priority=10 proposal=cisco protocol=47 \
sa-dst-address=192.168.200.129 sa-src-address=192.168.200.130 src-address=\
192.168.200.130/32 src-port=any tunnel=yes
Configured on the Cisco IPSEC profile like this:
interface Tunnel1
  description MikrotikIPIP
  ip address 192.168.8.1 255.255.255.252
  ip mtu 1400
  tunnel source 192.168.200.129
  tunnel destination 192.168.200.130
  tunnel protection ipsec profile VTI
Tools -> Packet Sniffer shows unencrypted packets from Mikrotik to Cisco, proto 47, but the converse is encrypted. Cisco logs a protocol mismatch for encrypted data (packet protocol 47 instead of 50). ISAKMP installed successfully and I saw in and out installed SAs.

If I change the Mikrotik IPsec policy to protocol ip-encap (#4), I see outgoing ESP packets that Cisco cannot decode.

If I change the tunnel type to IPIP and modify policies to proto 4 on both sides everything works! But sometimes IPSEC policies on Mikrotik enter into the state .

Please help solve the problem with GRE tunnel.
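The sniffer observation in the post above (protocol 47 leaving in one direction, ESP in the other) can be checked mechanically. The following is an added example, not part of the original post: it reads raw IPv4 headers and reports each direction between the two tunnel endpoints in which GRE appears in cleartext. The packets are constructed sample data, and the function names are hypothetical.

```python
import struct
from collections import Counter

GRE, ESP = 47, 50  # IP protocol numbers named in the post
ENDPOINTS = {"192.168.200.129", "192.168.200.130"}  # addresses from the post

def parse_ipv4(pkt):
    """Return (src, dst, proto) from a raw IPv4 header, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[9]

def audit(packets):
    """Count GRE/ESP per direction; list directions where GRE is in cleartext."""
    seen = Counter()
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr is None:
            continue
        src, dst, proto = hdr
        if {src, dst} == ENDPOINTS and proto in (GRE, ESP):
            seen[(src, dst, proto)] += 1
    leaks = sorted({(s, d) for (s, d, p) in seen if p == GRE})
    return seen, leaks

def make_ipv4(src, dst, proto, payload=b"\x00" * 8):
    """Build a constructed sample packet (checksum left 0, not validated)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

# Constructed capture mirroring the symptom described in the post
SAMPLE = [
    make_ipv4("192.168.200.129", "192.168.200.130", GRE),
    make_ipv4("192.168.200.129", "192.168.200.130", GRE),
    make_ipv4("192.168.200.130", "192.168.200.129", ESP),
    make_ipv4("192.168.200.130", "192.168.200.1", GRE),  # other host, ignored
    b"\x60" + b"\x00" * 39,                              # not IPv4, ignored
]

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE)
    for (s, d, p), n in sorted(counts.items()):
        print(f"{s} -> {d} proto {p}: {n} packet(s)")
    for s, d in leaks:
        print(f"cleartext GRE: {s} -> {d}")
```

Any direction listed as a leak means the IPsec policy on the sending side did not match the outgoing GRE traffic.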
 
enk
Member Candidate
Posts: 165
Joined: Fri Aug 17, 2007 8:59 am
Location: Russia

Re: GRE is not encrypted using IPSEC

Tue May 03, 2011 11:24 pm

Try to upgrade to 5.2 and then ask MT support for help if it has no effect. Maybe there is some kind of bug.
BTW you do not need to specify "tunnel=yes" on MT side. Actually it should use transport mode because only traffic between GRE endpoints is encapsulated.
 
dreddrus
just joined
Topic Author
Posts: 2
Joined: Thu Apr 21, 2011 3:04 pm

Re: GRE is not encrypted using IPSEC

Thu May 12, 2011 12:15 pm

Tunnel mode is set at the request of a network engineer. I tried to use the transport mode.

Thanks, I did not know that the release 5.2 is now available.
I'll try to update.
 
enk
Member Candidate
Posts: 165
Joined: Fri Aug 17, 2007 8:59 am
Location: Russia

Re: GRE is not encrypted using IPSEC

Fri May 13, 2011 3:05 pm

But I still recommend you change your mode to transport.
 
enk
Member Candidate
Posts: 165
Joined: Fri Aug 17, 2007 8:59 am
Location: Russia

Re: GRE is not encrypted using IPSEC

Fri May 20, 2011 4:45 pm

There is really some kind of problem. Session sets up not quickly. Sometimes policy becomes invalid, enable/disable helps.
