/ip ipsec policy
add peer=Peer_Cisco proposal=proposal_to_cisco src-address=2.2.2.2/32 dst-address=1.1.1.1/32 protocol=gre tunnel=no
It should also include the protocol 47 when you specified that on the MikroTik side.

Here's the config of the Cisco that is the other endpoint:
#the access-lists on the WAN interface are ip any any from/to the public interfaces 1.1.1.1 and 2.2.2.2 in both directions:
ip access-list extended INBOUND
permit ip host 2.2.2.2 host 1.1.1.1
[...]
ip access-list extended OUTBOUND
permit ip host 1.1.1.1 host 2.2.2.2
[...]
Definitely not! I cannot enter anything else than what is already in the list. Neither the name of the protocol, nor the corresponding protocol number. It could be linked to the browser I was using, I tried with Safari yesterday, but I'll check with Chrome and Firefox tonight.

You can type in the drop-down list in the GUI.
Indeed, good point, I will try that tonight! Even though I wouldn't expect the GRE tunnel to come up at all if there is a difference in the ACLs between both sites... But I agree, these sometimes behave in a very strange way.
crypto ipsec transform-set TSET_MIKROTIK esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile MIKROTIK
set transform-set TSET_MIKROTIK
set pfs group5
!
crypto ipsec transform-set aes-sha-transp esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vpn-profile
set transform-set aes-sha-transp
set pfs group5
!
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
# may/28/2022 09:20:52 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
# model = 951Ui-2HnD
# serial number = B8570BE4F3C7
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface gre
add !keepalive local-address=192.168.222.3 name=gre-tunnel1 remote-address=\
192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] src-address-list=0
/ip ipsec peer
add address=192.168.222.2/32 name=MYSET
/ip ipsec profile
# 3DES/MD5/modp1024 line up with the Cisco "crypto isakmp policy 10" below, but they are
# legacy choices; the AES-256/SHA transform-set shown earlier in the thread is the better
# target for both ends.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=\
md5 nat-traversal=no
/ip ipsec proposal
# auth-algorithms=md5 does not match the Cisco transform-set "esp-3des esp-sha-hmac" below;
# ESP integrity must be identical on both sides (sha1 here, or esp-md5-hmac on the Cisco).
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d
/ip address
# 192.168.222.3 is the broadcast address of 192.168.222.0/30 (usable hosts are .1 and .2);
# check this against the Cisco interface address before chasing the IPsec settings.
add address=192.168.222.3/30 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip firewall address-list
add address=0.0.0.0/0 disabled=yes list=0
/ip firewall filter
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=output disabled=yes protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
# mode-config=request-only asks the peer to push an address to this router; the Cisco
# config below has no client configuration that could answer such a request, so leave
# mode-config unset for a static site-to-site peer.
add mode-config=request-only peer=MYSET secret=1234@qwer
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# This selector matches only port 500 (that is IKE itself) and names no protocol. GRE is
# IP protocol 47 and has no ports, so the tunnel traffic never hits this policy. Select
# protocol=gre between the two endpoint addresses and drop src-port/dst-port.
add dst-address=192.168.222.2/32 dst-port=500 sa-dst-address=192.168.222.2 \
sa-src-address=192.168.222.3 src-address=192.168.222.3/32 src-port=500 \
tunnel=yes
/ip route
add distance=1 gateway=192.168.222.1
/system clock
set time-zone-name=Asia/Tehran
/system clock manual
set dst-delta=+03:30 time-zone=+03:30
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key 1234@qwer address 192.168.222.3
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
! esp-sha-hmac here versus auth-algorithms=md5 in the MikroTik proposal: pick one for both ends
crypto map VPN 10 ipsec-isakmp
set peer 192.168.222.3
set transform-set MYSET
! the transform-set defined above is "myset"; IOS names are case-sensitive, so this reference must match exactly
set pfs group2
match address GREIPSEC
!
!
interface Tunnel1
ip address 192.168.0.1 255.255.255.252
tunnel source GigabitEthernet0/0/1.2
tunnel destination 192.168.222.3
!
!
interface GigabitEthernet0/0/0.2
crypto map VPN
! the tunnel sources from GigabitEthernet0/0/1.2 but the crypto map is applied to
! GigabitEthernet0/0/0.2; a crypto map only protects traffic leaving the interface it is
! applied to, so it belongs on the interface through which packets to 192.168.222.3 exit
!
!
ip access-list extended GREIPSEC
! the first entry already covers every IP protocol between the two /24s, so the gre and icmp
! entries below can never match; the crypto ACL should mirror the MikroTik policy selector
! exactly, i.e. a single "permit gre host <cisco-address> host 192.168.222.3" (the Cisco's own
! address on the 192.168.222.0/30 link is not shown in the thread)
permit ip 192.168.222.0 0.0.0.255 192.168.222.0 0.0.0.255
permit gre 192.168.222.0 0.0.0.255 192.168.222.0 0.0.0.255
permit icmp 192.168.222.0 0.0.0.255 192.168.222.0 0.0.0.255
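When two vendors negotiate IPsec, the usual failure is a parameter that differs on one side only: ESP integrity, the DH/PFS group, the transform-set name, or a policy selector that never matches the GRE packets. The script below is an added example and not code from the thread or from either vendor: it parses the RouterOS export and the Cisco config posted above (both embedded as constructed samples, with the RouterOS line continuations joined) and lists every mismatch it finds between the two sides. The vendor-name tables only cover the algorithms that appear on this page; `find_mismatches` and the parsers are hypothetical helper names.

```python
"""Added example, not code from the thread: cross-check the RouterOS IPsec export against the
Cisco IOS config at the other end and list the mismatches that keep a GRE-over-IPsec tunnel
down. Inputs are constructed from the configs posted above (RouterOS line continuations
joined); the name tables cover only the algorithms that appear on this page."""
import re
ROUTEROS_EXPORT = """\
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d
/ip ipsec policy
add dst-address=192.168.222.2/32 dst-port=500 sa-dst-address=192.168.222.2 sa-src-address=192.168.222.3 src-address=192.168.222.3/32 src-port=500 tunnel=yes
"""
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode tunnel
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.222.3
 set transform-set MYSET
 set pfs group2
 match address GREIPSEC
"""
# RouterOS value -> IOS keyword (only the algorithms used on this page)
IKE_ENC = {"3des": "3des", "aes-128": "aes", "aes-256": "aes 256"}
IKE_HASH = {"md5": "md5", "sha1": "sha", "sha256": "sha256"}
DH_GROUP = {"modp1024": "2", "modp1536": "5", "modp2048": "14"}
ESP_ENC = {"3des": "esp-3des", "aes-128-cbc": "esp-aes"}
ESP_AUTH = {"md5": "esp-md5-hmac", "sha1": "esp-sha-hmac", "sha256": "esp-sha256-hmac"}


def parse_routeros(text):
    """Map each '/ip ipsec ...' section to the key=value dicts of its add/set lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
            kv.pop("default", None)  # '[ find default=yes ]' is a selector, not a setting
            sections[current].append(kv)
    return sections


def parse_cisco(text):
    # Blocks handled: 'crypto isakmp policy', 'crypto ipsec transform-set NAME ...', 'crypto map ...'
    cfg, target = {"isakmp": {}, "transform_sets": {}, "crypto_map": {}}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level line starts a new block
            if words[:3] == ["crypto", "isakmp", "policy"]:
                target = cfg["isakmp"]
            elif words[:3] == ["crypto", "ipsec", "transform-set"]:
                target = cfg["transform_sets"][words[3]] = {"transforms": words[4:], "mode": "tunnel"}
            elif words[:2] == ["crypto", "map"]:
                target = cfg["crypto_map"]
            else:
                target = None
        elif target is not None:  # 'set pfs group2' / 'match address X' / 'encr 3des' / 'mode tunnel'
            key, *rest = words[1:] if words[0] in ("set", "match") else words
            target[key] = " ".join(rest)
    return cfg


def find_mismatches(routeros_text=ROUTEROS_EXPORT, cisco_text=CISCO_CONFIG):
    """Return human-readable mismatches; an empty list means the two sides agree."""
    ros, ios = parse_routeros(routeros_text), parse_cisco(cisco_text)
    prof, prop, pol = (ros[s][0] for s in ("/ip ipsec profile", "/ip ipsec proposal", "/ip ipsec policy"))
    isakmp, cmap, found = ios["isakmp"], ios["crypto_map"], []
    # Phase 1: RouterOS profile vs 'crypto isakmp policy'
    for rk, ik, table in (("enc-algorithm", "encr", IKE_ENC), ("hash-algorithm", "hash", IKE_HASH),
                          ("dh-group", "group", DH_GROUP)):
        if table.get(prof.get(rk)) != isakmp.get(ik):
            found.append(f"IKE {rk}={prof.get(rk)} vs isakmp {ik} {isakmp.get(ik)}")
    # Phase 2: RouterOS proposal vs the transform-set named in the crypto map
    ts = ios["transform_sets"].get(name := cmap.get("transform-set"))
    if ts is None:  # IOS names are case-sensitive; retry case-folded so the algorithms still get checked
        found.append(f"crypto map references transform-set '{name}', which is not defined (names are case-sensitive)")
        ts = next((v for k, v in ios["transform_sets"].items() if k.lower() == str(name).lower()), None)
    if ts is not None:
        want = {ESP_ENC.get(prop.get("enc-algorithms")), ESP_AUTH.get(prop.get("auth-algorithms"))}
        if want != set(ts["transforms"]):
            found.append(f"ESP proposal {sorted(map(str, want))} vs transform-set {ts['transforms']}")
        mode = "tunnel" if pol.get("tunnel") == "yes" else "transport"
        if mode != ts["mode"]:
            found.append(f"policy {mode} mode vs transform-set mode {ts['mode']}")
    # PFS: the RouterOS proposal pfs-group defaults to modp1024, so an export omits it
    pfs = DH_GROUP.get(prop.get("pfs-group", "modp1024"))
    if f"group{pfs}" != cmap.get("pfs"):
        found.append(f"PFS modp group {pfs} vs crypto map pfs {cmap.get('pfs')}")
    # Selector: GRE is IP protocol 47 and has no ports, so a port-500 selector never matches it
    if pol.get("protocol", "all") not in ("gre", "47") or "src-port" in pol or "dst-port" in pol:
        found.append("policy selector cannot match GRE: set protocol=gre and drop src-port/dst-port")
    return found

if __name__ == "__main__": print("\n".join(find_mismatches()))
```

Run against the configs from the thread it reports three problems: the crypto map names `MYSET` while the transform-set is `myset`, the MikroTik proposal uses MD5 for ESP integrity where the Cisco uses SHA, and the MikroTik policy selects UDP 500 instead of protocol 47. Fix those three (sha1 on the proposal, `protocol=gre` without ports on the policy, matching case on the Cisco) and the list comes back empty; phase 1 (3DES/MD5/group 2) and PFS group 2 already agree on both sides.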