lctn
Member Candidate
Topic Author
Posts: 176
Joined: Tue Apr 04, 2006 3:51 pm

Mikrotik Cisco GRE IPsec tunnel not coming up

Thu Sep 25, 2014 7:53 pm

I am working on a GRE IPsec tunnel with Verizon. We get it to come up enough where info is populated in installed-sa. However, the traffic does not seem to return and we cannot ping the private address on either end.

Mikrotik: CCR1036-12G-4S
rOS: 6.19

Here is a sample config Verizon believes would work on my end if I were using a Cisco device:

crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key VzWmPn01686 address 2.2.2.2
crypto isakmp key VzWmPn01686 address 4.4.4.4
!
crypto ipsec transform-set VZW-TSET esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map VZW-MAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set peer 4.4.4.4
 set transform-set VZW-TSET
 match address 172
!
interface Tunnel0
 ip address 10.98.0.2 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
!
interface Tunnel1
 ip address 10.98.0.6 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 4.4.4.4
!
interface GigabitEthernet0/0
 ip address 1.1.1.1          <-- outside interface
 duplex auto
 speed 100
 crypto map VZW-MAP
!
router bgp 65505
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.98.0.1 remote-as 6167
 neighbor 10.98.0.1 default-originate
 neighbor 10.98.0.5 remote-as 6167
 neighbor 10.98.0.5 default-originate
 no auto-summary
!
access-list 172 permit gre host 1.1.1.1 host 2.2.2.2
access-list 172 permit gre host 1.1.1.1 host 4.4.4.4

Mikrotik Installed-Sa info:

Flags: A - AH, E - ESP, P - pfs
0 E spi=0xB3E2DB2 src-address=2.2.2.2:4500
dst-address=1.1.1.1:4500 auth-algorithm=md5 enc-algorithm=aes-cbc
replay=4 state=mature auth-key="xxxxxxxxxxx"
enc-key="xxxxxxxxxxxxxx"
addtime=sep/25/2014 10:49:57 expires-in=23m37s add-lifetime=48m/1h
current-bytes=10464

1 E spi=0xBBE84F0 src-address=1.1.1.1:4500
dst-address=2.2.2.2:4500 auth-algorithm=md5
enc-algorithm=aes-cbc replay=4 state=mature
auth-key="xxxxxxxxxxxxxxxx"
enc-key="xxxxxxxxxxxxxxxx"
add-lifetime=48m/1h


IPsec debug log:


 
DLNoah
Member Candidate
Posts: 144
Joined: Fri Nov 12, 2010 5:33 pm

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

Fri Sep 26, 2014 9:12 pm

1) When creating IPsec tunnels in MT, you need to bypass your outbound NAT masquerade for traffic leaving on the IPsec tunnel. This happens because the IPsec tunnel doesn't create a virtual interface, so the NAT rule sees the traffic as going out the WAN port. In order to bypass this, add the following *before* your outbound NAT rule:
/ip firewall nat add chain=srcnat src-address=<local LAN network> dst-address=<remote LAN network> action=accept
(By "accepting" the traffic, you match it to a rule without doing anything, thus preventing it from matching any further rules).

2) If attempting to ping across the tunnel from the MT unit, you need to specify the source IP to ping from as your LAN IP. Without specifying, the MT will figure out which interface traffic is going out (your WAN port) and then use the IP address on that interface as the source, which then doesn't actually take the IPsec tunnel.
Last edited by DLNoah on Fri Sep 26, 2014 10:41 pm, edited 1 time in total.
 
lctn
Member Candidate
Topic Author
Posts: 176
Joined: Tue Apr 04, 2006 3:51 pm

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

Fri Sep 26, 2014 9:30 pm

Just need a little clarity on this.

In our setup, the far end of the tunnel private IP is 10.98.0.1/30 for their gre interface. Our end has 10.98.0.2/30 assigned to the gre interface. Traffic will flow from a Verizon AP (on a school bus) through the tunnel and pick up a 10.99.0.0/16 address from my Mikrotik and be routed through our network for Internet access, required filtering, etc.

Does your NAT statement still hold true? I'm not clear on how it would work.
 
DLNoah
Member Candidate
Posts: 144
Joined: Fri Nov 12, 2010 5:33 pm

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

Fri Sep 26, 2014 9:44 pm

So, a typical VPN setup will result in something like this:
10.10.1.0/24 -- 10.10.1.1/24                   10.20.2.1/24 -- 10.20.2.0/24
Site A LAN      Site A Router                 Site B Router    Site B LAN
		          1.1.1.1/30 WAN -- Internet -- WAN 2.2.2.2/30
In that sort of case, you would set up a VPN between the Site A and Site B routers, so that computers & devices on 10.10.1.0/24 can communicate with computers & devices on 10.20.2.0/24.

Without the VPN, your IP Firewall NAT settings on Site A will typically look something like:
/ip firewall nat add chain=srcnat src-address=10.10.1.0/24 out-interface=WAN action=masquerade
The problem is, that firewall rule matches traffic from Site A computers to the Internet -- e.g. DNS requests to 8.8.8.8, but they also match traffic running on the VPN to Site B, because the traffic is going out the WAN interface (no virtual interface for the IPsec tunnel). Site B devices see the traffic as coming from 1.1.1.1, and won't send the reply back via the IPsec tunnel, thus breaking the traffic flow.

By changing your Site A firewall to the following, you will cause traffic destined for Site B to pass through without being NAT'd, meaning that when it gets to the Site B devices, they see the 10.10.1.0/24 address and respond back to that address (which transits the tunnel).
/ip firewall nat add chain=srcnat src-address=10.10.1.0/24 dst-address=10.20.2.0/24 action=accept
/ip firewall nat add chain=srcnat src-address=10.10.1.0/24 out-interface=WAN action=masquerade
Obviously, you need similar firewall rules on Site B if you're doing a MT to MT IPsec tunnel. In your case, since Site B is Verizon's router, they'll already have taken care of making sure their firewall gets you the traffic without NATing it.
Last edited by DLNoah on Fri Sep 26, 2014 10:41 pm, edited 1 time in total.
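As an added example that is not part of DLNoah's posts: a constructed Python model of the srcnat chain walk described in this post and the earlier one, showing why the accept rule must sit before the masquerade rule. Interface name and addresses follow the Site A / Site B sketch; WAN_IP and the packet flows are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of how a RouterOS srcnat chain is walked: rules are tried
# top to bottom, the first matching rule decides, and action=accept ends the
# walk without rewriting the source address. Hypothetical addresses from the
# Site A / Site B sketch, not a real deployment.

@dataclass
class NatRule:
    action: str                        # "accept" or "masquerade"
    src_address: Optional[str] = None  # CIDR, as in src-address=
    dst_address: Optional[str] = None  # CIDR, as in dst-address=
    out_interface: Optional[str] = None

@dataclass
class Packet:
    src: str
    dst: str
    out_interface: str  # chosen by routing before srcnat runs

WAN_IP = "1.1.1.1"  # Site A WAN address that masquerade substitutes (assumed)

def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """Apply only the matchers the rule actually sets, as RouterOS does."""
    if rule.src_address and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_address):
        return False
    if rule.dst_address and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_address):
        return False
    if rule.out_interface and rule.out_interface != pkt.out_interface:
        return False
    return True

def source_after_srcnat(chain: List[NatRule], pkt: Packet) -> str:
    """Return the source address the packet leaves with after the chain."""
    for rule in chain:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "accept":
            return pkt.src       # matched: left untouched, no further rules
        if rule.action == "masquerade":
            return WAN_IP        # rewritten to the outgoing interface address
        raise ValueError(f"unsupported action {rule.action}")
    return pkt.src               # nothing matched: no translation

# The three chains the explanation above contrasts.
MASQUERADE_ONLY = [NatRule("masquerade", "10.10.1.0/24", out_interface="WAN")]
ACCEPT_FIRST = [
    NatRule("accept", "10.10.1.0/24", "10.20.2.0/24"),
    NatRule("masquerade", "10.10.1.0/24", out_interface="WAN"),
]
ACCEPT_LAST = list(reversed(ACCEPT_FIRST))  # same two rules, wrong order

# Both flows leave via WAN: the IPsec policy has no interface of its own.
TO_SITE_B = Packet("10.10.1.50", "10.20.2.10", "WAN")
TO_INTERNET = Packet("10.10.1.50", "8.8.8.8", "WAN")

if __name__ == "__main__":
    for label, chain in [("masquerade only", MASQUERADE_ONLY),
                         ("accept first", ACCEPT_FIRST),
                         ("accept last", ACCEPT_LAST)]:
        print(f"{label:16} Site B sees {source_after_srcnat(chain, TO_SITE_B):12}"
              f" Internet sees {source_after_srcnat(chain, TO_INTERNET)}")
```

Only "accept first" lets Site B see the 10.10.1.0/24 source it can route back through the tunnel; with the rules reversed the masquerade still wins.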
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

Fri Sep 26, 2014 10:03 pm

I've got almost the very same problem. I also have the same MK device (CCR1036-12G-4S); I posted this issue in the forums as well.

I did the NAT rule to "accept" traffic going to the other side of the tunnel; I still have the same issue you describe. As a matter of fact, the logs are basically the same on my device. It randomly starts working, then stops...
 
lctn
Member Candidate
Topic Author
Posts: 176
Joined: Tue Apr 04, 2006 3:51 pm

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

Fri Sep 26, 2014 10:25 pm

Still no success. I do not have a private network to ping on the other side, outside of the IP of the gre tunnel on the Verizon end. Here are the latest config changes and IPsec logs:

3 chain=srcnat action=accept src-address=10.10.0.0/16
dst-address=10.98.0.0/30 log=no log-prefix=""

4 chain=srcnat action=masquerade src-address=10.10.0.0/16
out-interface=ether5 log=no log-prefix=""


 
DLNoah
Member Candidate
Posts: 144
Joined: Fri Nov 12, 2010 5:33 pm

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

Fri Sep 26, 2014 10:43 pm

Hm, not sure what else it might be. When you torch, do you see the traffic going out the ether5 (WAN) interface with the correct src & dst IP addresses? Can they try to ping from their side, and do you see that traffic coming in via torch?

I've only ever really done VPN tunnels for site-to-site connectivity, with private IPs on both sides. Not sure if there are significant differences if you're doing a default-route-down-tunnel type approach, so I'm not going to be able to help you further, sorry.
 
lctn
Member Candidate
Topic Author
Posts: 176
Joined: Tue Apr 04, 2006 3:51 pm

Re: Mikrotik Cisco GRE IPsec tunnel not coming up [Solved]

Thu Oct 02, 2014 11:53 pm

I was able to get the primary and secondary tunnel to come up with the following config:

GRE Interface:

Flags: X - disabled, R - running
0 R name="verizon1" mtu=1476 l2mtu=65535 local-address=1.1.1.1
remote-address=2.2.2.2 dscp=0

1 R name="verizon2" mtu=1476 l2mtu=65535 local-address=1.1.1.1
remote-address=3.3.3.3 dscp=0

Policy:

Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 src-address=1.1.1.1/32 src-port=any dst-address=2.2.2.2/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=1.1.1.1
sa-dst-address=2.2.2.2 proposal=VZW priority=0

1 src-address=1.1.1.1/32 src-port=any dst-address=3.3.3.3/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=1.1.1.1
sa-dst-address=3.3.3.3 proposal=VZW2 priority=0


Peer:

Flags: X - disabled, D - dynamic
0 address=2.2.2.2/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="sharedkey" generate-policy=no
policy-group=default exchange-mode=main send-initial-contact=no
nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=15s dpd-maximum-failures=5

1 address=3.3.3.3/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="sharedkey" generate-policy=no
exchange-mode=main send-initial-contact=no nat-traversal=no
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=15s
dpd-maximum-failures=5

Remote peers:

0 local-address=1.1.1.1 remote-address=3.3.3.3 state=established
side=initiator established=1h39m18s

1 local-address=1.1.1.1 remote-address=2.2.2.2 state=established
side=initiator established=1h42m8s

2 local-address=1.1.1.1 remote-address=3.3.3.3 state=expired
side=initiator

3 local-address=1.1.1.1 remote-address=2.2.2.2 state=expired
side=initiator

Proposal:

Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc
lifetime=30m pfs-group=modp1024

1 name="VZW" auth-algorithms=md5 enc-algorithms=aes-256-cbc lifetime=1h
pfs-group=none

2 name="VZW2" auth-algorithms=md5 enc-algorithms=aes-256-cbc lifetime=30m
pfs-group=none
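As an added example (not from the thread or from MikroTik), a small Python checker that parses RouterOS `print` output in the layout shown above and cross-checks each GRE interface against the transport-mode policy, IKE peer and proposal that should protect it. The listings embedded below are constructed from the thread's placeholder addresses, abbreviated to the fields checked, with two deliberate faults planted on verizon2 so the checker has something to report.

```python
import re
from typing import Dict, List

# Constructed "print" outputs in the layout of the solved config above.
# verizon2's policy carries two planted faults: an SA source that is not the
# GRE local address, and a proposal name that is not defined.
GRE_PRINT = """\
Flags: X - disabled, R - running
0 R name="verizon1" mtu=1476 l2mtu=65535 local-address=1.1.1.1
remote-address=2.2.2.2 dscp=0

1 R name="verizon2" mtu=1476 l2mtu=65535 local-address=1.1.1.1
remote-address=3.3.3.3 dscp=0
"""
POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 src-address=1.1.1.1/32 src-port=any dst-address=2.2.2.2/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=1.1.1.1
sa-dst-address=2.2.2.2 proposal=VZW priority=0

1 src-address=1.1.1.1/32 src-port=any dst-address=3.3.3.3/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=1.1.1.2
sa-dst-address=3.3.3.3 proposal=VZW3 priority=0
"""
PEER_PRINT = """\
Flags: X - disabled, D - dynamic
0 address=2.2.2.2/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="sharedkey" exchange-mode=main

1 address=3.3.3.3/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="sharedkey" exchange-mode=main
"""
PROPOSAL_PRINT = """\
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc
lifetime=30m pfs-group=modp1024

1 name="VZW" auth-algorithms=md5 enc-algorithms=aes-256-cbc lifetime=1h
pfs-group=none

2 name="VZW2" auth-algorithms=md5 enc-algorithms=aes-256-cbc lifetime=30m
pfs-group=none
"""

ITEM_HEAD = re.compile(r"^\s*(\d+)\s+((?:[A-Z*]\s+)*)(.*)$", re.S)
KEY_VALUE = re.compile(r'([\w.-]+)=("[^"]*"|\S*)')

def parse_print(text: str) -> List[Dict[str, str]]:
    """Turn RouterOS 'print' output into one dict per numbered item.
    Items are separated by blank lines, the Flags: legend is skipped, and
    leading flag letters (R, X, *, ...) are collected under '.flags'."""
    items = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if not ln.startswith("Flags:")]
        m = ITEM_HEAD.match(" ".join(lines)) if lines else None
        if not m:
            continue
        item = {".id": m.group(1), ".flags": m.group(2).replace(" ", "")}
        for key, val in KEY_VALUE.findall(m.group(3)):
            item[key] = val.strip('"')
        items.append(item)
    return items

def check_gre_ipsec(gre: str, policies: str, peers: str, proposals: str) -> List[str]:
    """Cross-check every GRE interface against the transport-mode policy, IKE
    peer and proposal that should protect it. An empty list means consistent."""
    findings = []
    pols = parse_print(policies)
    peer_addrs = {p["address"].split("/")[0] for p in parse_print(peers)}
    prop_names = {p["name"] for p in parse_print(proposals)}
    for g in parse_print(gre):
        name, local, remote = g["name"], g["local-address"], g["remote-address"]
        pol = next((p for p in pols if p.get("src-address") == f"{local}/32"
                    and p.get("dst-address") == f"{remote}/32"), None)
        if pol is None:
            findings.append(f"{name}: no policy for {local}->{remote}; GRE would leave unencrypted")
            continue
        if pol.get("tunnel") != "no":
            findings.append(f"{name}: GRE over IPsec expects transport mode (tunnel=no)")
        if (pol.get("action"), pol.get("level")) != ("encrypt", "require"):
            findings.append(f"{name}: policy must be action=encrypt level=require")
        if (pol.get("sa-src-address"), pol.get("sa-dst-address")) != (local, remote):
            findings.append(f"{name}: SA endpoints {pol.get('sa-src-address')}->"
                            f"{pol.get('sa-dst-address')} differ from the GRE endpoints")
        if pol.get("proposal") not in prop_names:
            findings.append(f"{name}: proposal {pol.get('proposal')!r} is not defined")
        if remote not in peer_addrs:
            findings.append(f"{name}: no IKE peer entry for {remote}")
    return findings

FINDINGS = check_gre_ipsec(GRE_PRINT, POLICY_PRINT, PEER_PRINT, PROPOSAL_PRINT)

if __name__ == "__main__":
    print("\n".join(FINDINGS) or "every GRE interface has a matching IPsec policy")
```

Run against real `/interface gre print`, `/ip ipsec policy print`, `/ip ipsec peer print` and `/ip ipsec proposal print` output, the same checks flag a GRE endpoint whose traffic would leave in the clear because no policy covers it.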
