azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

IKEv2 + GRE with Fortigate - GRE connects only one way?

Sat Mar 25, 2023 4:25 am

Hi

so I have IKEv2 + GRE working between a CHR and a Fortigate in tunnel mode and from the Fortigate I can ping the IP of the loopback bridge which was created on the Mikrotik but vice versa, from the Mikrotik I can't ping the corresponding IP of the tunnel interface of the Fortigate. Pings are allowed and rules are in place on the Fortigate. If I only allow GRE traffic from the Forti to the Tik, GRE tunnel gets connected immediately. If I only allow the other way, from the Tik to the Forti, the tunnel stays down.

It seems to me that the Mikrotik is missing a route or something and can't initiate a connection to the IP of the Fortigate.
Where to look? Any NAT/masquerade exceptions to make on the Mikrotik?
Various firewall rules are in place but it still doesn't work if I put "allow all" rules on top of the chains.

I can post the whole config of both sides, or just let me know which parts could be interesting.

Thanks!
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: IKEv2 + GRE with Fortigate - GRE connects only one way?

Sat Mar 25, 2023 5:59 am

hi.
It seems to me that the Mikrotik is missing a route or something and can't initiate a connection to the IP of the Fortigate.
Where to look? Any NAT/masquerade exceptions to make on the Mikrotik?
Various firewall rules are in place but it still doesn't work if I put "allow all" rules on top of the chains.
how about showing us the output from both devices where the tunnel is activated:

show which device acts as the server?
show ip interface brief
show ip route list
show ip filter list, if any.
show ip lan subnet, for both sides.
 
azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: IKEv2 + GRE with Fortigate - GRE connects only one way?

Sun Mar 26, 2023 4:26 am

Hi,
what output do you mean? Also I don't know about these Cisco commands. Here are the configs though:
The IPSEC tunnel is up btw, the MT just can't initiate a GRE tunnel to the Fortigate, but the other direction works just fine.
I mostly want to understand why the MT can't initiate the GRE tunnel.

Mikrotik:
# mar/26/2023 01:17:11 by RouterOS 7.8
# software id = 
#
/interface bridge
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
/interface gre
add local-address=192.168.99.1 name=GRE-FGT remote-address=192.168.99.5
add local-address=192.168.99.1 name=GRE-LAB36 remote-address=192.168.99.2
add local-address=192.168.99.1 name=GRE-LAB3532 remote-address=192.168.99.3
/interface list
add name=trusted_FullyMeshedVPN-Interfaces
add name=trusted_Internal-Interfaces
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add address=192.168.99.3 address-prefix-length=32 name=LAB3532 split-include=192.168.99.1/32 system-dns=no
/ip ipsec policy group
add name=LAB3532
/ip ipsec profile
add dh-group=modp8192 enc-algorithm=aes-256 hash-algorithm=sha512 name=LAB36 nat-traversal=no prf-algorithm=sha512 proposal-check=strict
add dh-group=modp8192 enc-algorithm=aes-256 hash-algorithm=sha512 name=LAB3532 nat-traversal=no prf-algorithm=sha512 proposal-check=strict
add dh-group=modp8192 enc-algorithm=aes-256 hash-algorithm=sha512 name=FGT nat-traversal=no proposal-check=strict
/ip ipsec peer
add address=192.168.37.34/32 exchange-mode=ike2 name=LAB36 profile=LAB36
add address=192.168.37.1/32 exchange-mode=ike2 name=FGT profile=FGT
add exchange-mode=ike2 name=LAB3532 passive=yes profile=LAB3532
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=LAB36 pfs-group=modp8192
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=LAB3532 pfs-group=modp8192
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=FGT pfs-group=modp8192
/port
set 0 name=serial0
set 1 name=serial1
/ip neighbor discovery-settings
set protocol=""
/interface list member
add interface=GRE-LAB36 list=trusted_FullyMeshedVPN-Interfaces
add interface=GRE-LAB3532 list=trusted_FullyMeshedVPN-Interfaces
add interface=ether1 list=trusted_Internal-Interfaces
add interface=ether2 list=trusted_Internal-Interfaces
add interface=GRE-FGT list=trusted_FullyMeshedVPN-Interfaces
/ip address
add address=192.168.35.14/28 interface=ether1 network=192.168.35.0
add address=192.168.35.30/28 interface=ether2 network=192.168.35.16
add address=192.168.37.18/28 interface=ether3 network=192.168.37.16
add address=192.168.99.1 interface=loopback network=192.168.99.1
add address=10.0.0.1/30 interface=GRE-LAB36 network=10.0.0.0
add address=10.0.0.5/30 interface=GRE-LAB3532 network=10.0.0.4
add address=10.0.0.14/30 interface=GRE-FGT network=10.0.0.12
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.35.0/28 list=trusted_LAB-Networks
add address=192.168.35.16/28 list=trusted_LAB-Networks
add address=192.168.35.32/28 list=trusted_LAB-Networks
add address=192.168.35.48/28 list=trusted_LAB-Networks
add address=192.168.36.0/28 list=trusted_LAB-Networks
add address=192.168.36.16/28 list=trusted_LAB-Networks
add address=192.168.25.0/24 list=trusted_LAB-Networks
/ip firewall filter
add action=accept chain=input dst-port=500,4500 in-interface=ether3 protocol=udp src-address=192.168.37.0/24
add action=accept chain=input in-interface=ether3 protocol=ipsec-esp src-address=192.168.37.0/24
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=new in-interface-list=trusted_Internal-Interfaces src-address-list=trusted_LAB-Networks
add action=accept chain=input connection-state=new in-interface-list=trusted_FullyMeshedVPN-Interfaces src-address-list=trusted_LAB-Networks
add action=accept chain=input in-interface=ether3 protocol=icmp
add action=accept chain=input connection-state=new dst-port=8291 protocol=tcp src-address=192.168.25.0/24
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid protocol=!gre
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether3
add action=accept chain=forward connection-state=new in-interface-list=trusted_Internal-Interfaces src-address-list=trusted_LAB-Networks
add action=accept chain=forward connection-state=new in-interface-list=trusted_FullyMeshedVPN-Interfaces src-address-list=trusted_LAB-Networks
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 protocol=!gre src-address=192.168.35.0/28
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 protocol=!gre src-address=192.168.35.16/28
/ip ipsec identity
add my-id=key-id:LAB35 peer=LAB36 remote-id=key-id:LAB36
add generate-policy=port-strict mode-config=LAB3532 peer=LAB3532 policy-template-group=LAB3532
add my-id=key-id:LAB35 peer=FGT remote-id=key-id:FGT-LAB35
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.99.2/32 peer=LAB36 proposal=LAB36 src-address=192.168.99.1/32 tunnel=yes
add dst-address=192.168.99.3/32 group=LAB3532 proposal=LAB3532 src-address=192.168.99.1/32 template=yes
add dst-address=192.168.99.5/32 peer=FGT proposal=FGT protocol=gre src-address=192.168.99.1/32 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=192.168.36.16/28 gateway=GRE-LAB36 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.99.2/32 gateway=loopback pref-src=192.168.35.30 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.37.17 pref-src=192.168.37.18 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.36.0/28 gateway=GRE-LAB36 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.35.32/28 gateway=GRE-LAB3532 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.35.48/28 gateway=GRE-LAB3532 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.99.3/32 gateway=loopback pref-src=192.168.35.30 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.25.0/24 gateway=GRE-FGT routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.99.5/32 gateway=loopback pref-src=192.168.35.30 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=LAB35RT14
Fortigate:
config system interface
    edit "LAB35"
        set vdom "root"
        set ip 192.168.99.5 255.255.255.255
        set allowaccess ping
        set type tunnel
        set snmp-index 43
        set interface "NNET25-DMZ3700"
    next
    edit "GRE-LAB35"
        set vdom "root"
        set ip 10.0.0.13 255.255.255.255
        set type tunnel
        set remote-ip 10.0.0.14 255.255.255.252
        set snmp-index 44
        set interface "LAB35"
    next
end

config firewall address
    edit "gre_NNET25-LAB35"
        set uuid a8726b3c-caab-51ed-b37f-ef06261e435b
        set subnet 192.168.99.5 255.255.255.255
    next
    edit "gre_LAB35-NNET25"
        set uuid bdb93fac-caab-51ed-883a-ccec684a7904
        set subnet 192.168.99.1 255.255.255.255
    next
    edit "net_LAB3500"
        set uuid 559ec1a2-caac-51ed-f0aa-98148f51bb5e
        set subnet 192.168.35.0 255.255.255.240
    next
    edit "net_LAB3516"
        set uuid 70dd4d26-caac-51ed-d891-791f13606fb9
        set subnet 192.168.35.16 255.255.255.240
    next
end

config vpn ipsec phase1-interface
    edit "LAB35"
        set type dynamic
        set interface "NNET25-DMZ3700"
        set ike-version 2
        set keylife 28800
        set peertype one
        set proposal aes256-sha512
        set localid "FGT-LAB35"
        set dpd on-idle
        set dhgrp 18
        set nattraversal disable
        set peerid "LAB35"
        set psksecret ENC rf4vTE6DTYaWNmdZgEHKwKk28jaDB/4eYFBtBGK3L7ZHHeXap358GfkX0LwlbqVOvUheo3MK+PHS0y+TIgAnypmmf7ZvsXWH9mPEDnRVJ/LiGzRCTM12VL5ZoWajBWlY+ued4r4q0udAKjjH+1UGz4s9rMQ4VmH/6NmygqQovauGM9GLVNZ3Tfz7eO9Rvc8LHDWmaA==
        set dpd-retryinterval 5
    next
end

config vpn ipsec phase2-interface
    edit "LAB35"
        set phase1name "LAB35"
        set proposal aes256-sha512
        set dhgrp 18
        set protocol 47
        set keylifeseconds 1800
        set src-subnet 192.168.99.5 255.255.255.255
        set dst-subnet 192.168.99.1 255.255.255.255
    next
end

config system gre-tunnel
    edit "GRE-LAB35"
        set interface "LAB35"
        set remote-gw 192.168.99.1
        set local-gw 192.168.99.5
    next
end

config firewall policy
    edit 218
        set uuid 88026fa2-ca86-51ed-10fc-11575113c9a0
        set srcintf "GRE-LAB35"
        set dstintf "internal-switch"
        set srcaddr "net_LAB3500" "net_LAB3516"
        set dstaddr "net_NNETVIE15-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
    edit 219
        set uuid 99aa87ee-ca86-51ed-f887-f44e84d4a49d
        set srcintf "internal-switch"
        set dstintf "GRE-LAB35"
        set srcaddr "net_NNETVIE15-LAN"
        set dstaddr "net_LAB3500" "net_LAB3516"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
    edit 224
        set uuid e26475e2-caab-51ed-08da-2d03155827b6
        set srcintf "LAB35"
        set dstintf "GRE-LAB35"
        set srcaddr "gre_LAB35-NNET25"
        set dstaddr "gre_NNET25-LAB35"
        set action accept
        set schedule "always"
        set service "GRE"
        set logtraffic all
        set fsso disable
        set comments "Reverse of 221"
    next
end
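As an added example (not code from the thread or from either vendor), a small Python check over the posted RouterOS export: it parses the IPsec policies and routes and flags any enabled route whose pref-src lies outside the src-address of an enabled, non-template IPsec policy covering that route's destination. RouterOS uses a route's pref-src as the source address of locally originated packets, such as a ping issued from the router without an explicit src-address, and a packet whose source is outside the policy selector does not enter that policy. The embedded excerpt is a constructed trim of the export above, reduced to the lines the check needs.

```python
import ipaddress
import re

# Constructed excerpt of the RouterOS export posted in the thread,
# trimmed to the IPsec policies and the routes carrying a pref-src.
EXPORT = """\
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.99.2/32 peer=LAB36 proposal=LAB36 src-address=192.168.99.1/32 tunnel=yes
add dst-address=192.168.99.3/32 group=LAB3532 proposal=LAB3532 src-address=192.168.99.1/32 template=yes
add dst-address=192.168.99.5/32 peer=FGT proposal=FGT protocol=gre src-address=192.168.99.1/32 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.37.17 pref-src=192.168.37.18 routing-table=main
add disabled=yes distance=1 dst-address=192.168.99.3/32 gateway=loopback pref-src=192.168.35.30 routing-table=main
add disabled=no distance=1 dst-address=192.168.99.5/32 gateway=loopback pref-src=192.168.35.30 routing-table=main
"""


def parse_export(text):
    """Group the 'add' lines of a RouterOS export by their menu path."""
    sections, path = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            path = line.strip()
        elif line.startswith("add ") and path:
            # key=value pairs; values may be quoted (e.g. pref-src="")
            props = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
            sections.setdefault(path, []).append(props)
    return sections


def check_pref_src(text):
    """Return (route dst, route pref-src, policy src) for every enabled route
    whose pref-src is outside an enabled, non-template policy that covers
    the route's destination; such locally originated traffic stays outside
    the policy and is not encapsulated."""
    sections = parse_export(text)
    policies = [p for p in sections.get("/ip ipsec policy", [])
                if p.get("disabled", "no") != "yes" and p.get("template") != "yes"]
    findings = []
    for r in sections.get("/ip route", []):
        if r.get("disabled") == "yes" or "pref-src" not in r:
            continue
        dst = ipaddress.ip_network(r["dst-address"], strict=False)
        src = ipaddress.ip_address(r["pref-src"].strip('"'))
        for p in policies:
            pol_dst = ipaddress.ip_network(p["dst-address"], strict=False)
            pol_src = ipaddress.ip_network(p["src-address"], strict=False)
            if dst.subnet_of(pol_dst) and src not in pol_src:
                findings.append((r["dst-address"], r["pref-src"], p["src-address"]))
    return findings
```

On this excerpt the check reports the 192.168.99.5/32 route, whose pref-src 192.168.35.30 is outside the FGT policy's src-address 192.168.99.1/32; the 192.168.99.3/32 route is skipped because it is disabled.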
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: IKEv2 + GRE with Fortigate - GRE connects only one way?

Sun Mar 26, 2023 5:56 am

hi.

well, i am really way too old to read such a very long config 😴 heheh... i am sorry, so i could only read it partially.

in the fortigate side, could this be the issue that the MT can't initiate a connection?
set nattraversal disable
esp ah should have nat traversal enabled for the connection to be established from the peers.
 
azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: IKEv2 + GRE with Fortigate - GRE connects only one way?

Sun Mar 26, 2023 12:27 pm

I've enabled nat-t now on both sides but still no luck, unfortunately.

Do I need any route on the Mikrotik side for 192.168.99.5/32 to go into the tunnel? Do I need a srcnat allow rule on the MT side?
I have a feeling that I'm missing something on the MT side and I wasn't able to pinpoint it. Not even using the packet sniffer extensively... :(
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: IKEv2 + GRE with Fortigate - GRE connects only one way?

Sun Mar 26, 2023 5:55 pm

hi @azzurro
Do I need any route on the Mikrotik side for 192.168.99.5/32 to go into the tunnel? Do I need a srcnat allow rule on the MT side?
like i said previously,
show us your tunnels are up. and that they both have installed routes for both remote ends.

if both devices have their tunnels up but no traffic goes inside the tunnels, then the problem lies within the upper layer, i.e.
ip route print.
ip firewall filter print.
traceroute. from between end point. not between the router to see that split tunneling.

but please, make those outputs short, will you?

if you performed port address translation aka masquerade, you should allow nat traversal for ip protocol 50, 51, udp 500 and 4500, and gre 47 to pass through the firewall. unaltered. prerouting. accept.

and, don't forget to see your ipsec log.

Wireshark is good, but not necessary.

good luck 👍🏻
