BrandonSk
just joined
Topic Author
Posts: 20
Joined: Wed May 06, 2015 12:21 am

Yet another GRE not working

Fri Sep 13, 2019 3:29 pm

Dear all,

I've been trying to get secured GRE site-to-site going, but after exhausting all tips and tricks, hints and workarounds I found either here or on internet, I must ask for help.

The setup:
Location 1
Public IP: 1.1.1.1
LAN: 10.201.1.0/24
Assigned IP to GRE interface: 192.168.200.1/30

Location 2
Public IP: 2.2.2.2
LAN: 10.201.2.0/24
Assigned IP to GRE interface: 192.168.200.2/30

Note: Public IPs are 1:1 NATed - that can be seen in configs below.

What works:
  • Site to Site ipsec tunnel (with additional fw rules which are not listed below in configs) [either IKEv1 with NAT traversal enabled or IKEv2 with NAT traversal unchecked - both work]
  • plain GRE tunnel - works
What does NOT work
  • Encrypted GRE when I specify IPSec secret in the configuration (ipsec connection is autogenerated and says established)
  • When I do not use IPSec secret in GRE configuration, but manually create ipsec connection and then try to establish GRE afterwards
Relevant parts of configuration:
Some of the items are disabled (e.g. ipsec policy) - but I include them so that you can see both setups - i.e. one with ipsec secret set in GRE config and the other when ipsec is manually applied and GRE setting is without ipsec secret.

Location 1
# sep/13/2019 11:45:33 by RouterOS 6.45.1
# software id = 4N0Y-WMM0
#
# model = CRS109-8G-1S-2HnD
# serial number = 522D04C45082

/interface gre
add allow-fast-path=no local-address=1.1.1.1 name=GRE-EDI \
    remote-address=2.2.2.2

/ip address
add address=10.201.1.1/24 comment="default configuration" interface=\
    bridge-local network=10.201.1.0
add address=1.1.1.1/27 comment="WAN address" interface=\
    ether1-gateway network=1.1.1.224
add address=192.168.200.1/30 interface=GRE-EDI network=192.168.200.0

/ip route
add distance=1 gateway=1.1.1.225
add distance=1 dst-address=10.201.2.0/24 gateway=192.168.200.2

/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 name=EDISONOVA
/ip ipsec policy group
add name=IPSGRE
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc
/ip ipsec identity
add peer=EDISONOVA policy-template-group=IPSGRE
# The below IPSEC policy is disabled because I am using IPSEC secret in GRE config
# However, if I enable below policy, then ipsec connection between the peers establishes.
/ip ipsec policy
add disabled=yes dst-address=192.168.200.2/32 peer=EDISONOVA src-address=\
    192.168.200.1/32

/ip firewall filter
add action=log chain=input ipsec-policy=in,ipsec protocol=gre
add action=accept chain=input protocol=gre
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=related
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="intruders DROP" src-address-list=\
    Intruders
add action=drop chain=input comment="IPSEC intruders" src-address-list=\
    ipsec_blacklist
add action=accept chain=input comment=ipsec dst-port=500,4500 protocol=udp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment=OVPN port=1194 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway

Location 2
# sep/13/2019 11:43:42 by RouterOS 6.45.2
# software id = 93ZN-U8NZ
#
# model = CRS125-24G-1S-2HnD
# serial number = 6232056FF060

/interface gre
add allow-fast-path=no local-address=2.2.2.2 name=GRE-SKL \
    remote-address=1.1.1.1
/ip address
add address=10.201.2.1/24 comment="default configuration" interface=\
    bridge-local network=10.201.2.0
add address=172.22.35.122/24 interface=ether1-gateway network=172.22.35.0
add address=2.2.2.2 comment="public IP" interface=ether1-gateway \
    network=2.2.2.2
add address=192.168.200.2/30 interface=GRE-SKL network=192.168.200.0

/ip route
add distance=1 gateway=172.22.35.254
add distance=1 dst-address=10.201.1.0/24 gateway=192.168.200.1

/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=SKLADNA
/ip ipsec policy group
add name=IPSGRE
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc
/ip ipsec identity
add peer=SKLADNA policy-template-group=IPSGRE
# The below IPSEC policy is disabled because I am using IPSEC secret in GRE config
# However, if I enable below policy, then ipsec connection between the peers establishes.
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=192.168.200.1/32 peer=SKLADNA src-address=\
    192.168.200.2/32

/ip firewall filter
add action=accept chain=input protocol=gre
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add action=drop chain=input comment="intruders - DROP" in-interface=\
    ether1-gateway src-address-list=Intruders
add action=drop chain=input comment="IPSEC blacklist" src-address-list=\
    ipsec_blacklist
add action=accept chain=input comment=ipsec dst-port=500,4500 protocol=udp
add action=accept chain=input comment=ipsec protocol=ipsec-esp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment=oVPN dst-port=1194 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway

What I think I am missing is either some firewall rule or an entry in routing table. I tried some of options that seemed logical to me, but to no joy.
Can someone please give me a hint what am I missing?

Thanks,
Brandon.
 
savage
Forum Guru
Posts: 1196
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Yet another GRE not working

Fri Sep 13, 2019 3:53 pm

As the devices are 1:1 nated,

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 nat-traversal=no

nat-traversal on the default policies needs to be enabled.
Regards,
Chris
 
BrandonSk
just joined
Topic Author
Posts: 20
Joined: Wed May 06, 2015 12:21 am

Re: Yet another GRE not working

Fri Sep 13, 2019 10:45 pm

> As the devices are 1:1 nated,
>
> /ip ipsec profile
> set [ find default=yes ] dh-group=modp1024 nat-traversal=no
>
> nat-traversal on the default policies needs to be enabled.
Excellent. Thank you very much. It's a pity this is not documented somewhere.
Cheers,
B.
 
BrandonSk
just joined
Topic Author
Posts: 20
Joined: Wed May 06, 2015 12:21 am

Re: Yet another GRE not working

Fri Sep 13, 2019 11:07 pm

> Excellent. Thank you very much. It's a pity this is not documented somewhere.
> Cheers,
> B.
Sorry, spoke too soon. I did not realize I had openVPN running at the same time when doing the ping :-\
So no, unfortunately, enabling NAT traversal did not solve the problem. :(
 
16again
newbie
Posts: 48
Joined: Fri Dec 29, 2017 12:23 pm

Re: Yet another GRE not working

Sat Sep 14, 2019 2:59 pm

Your ipsec policy matches traffic 192.168.200.2/32 <->192.168.200.1/32, but it should match traffic between GRE local and remote addresses 1.1.1.1 <->2.2.2.2
As these are your WAN IPs, ipsec policy also should match GRE traffic.....or tunneled traffic might re-enter the tunnel endlessly.

A way around this is using local/remote LAN IP addresses as GRE tunnel source/destination
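To make the point above concrete, here is a small added model (not code from the thread or from RouterOS) of how a security policy database is consulted when a GRE interface sends a packet. The addresses and selectors are the ones from the posts; the "wan-gre" selector is of the kind the GRE ipsec-secret option generates (the two tunnel endpoints, protocol gre), and "lan-to-lan" stands in for a LAN-to-LAN policy like the one behind the already-working site-to-site IPsec. The first-match lookup is a simplification of the real SPD, and the sample ping is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

GRE = 47          # IP protocol number in the outer header of every GRE packet
PROTO_ANY = 0     # stand-in for RouterOS 'protocol=all'
ICMP = 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Policy:
    name: str
    src: str      # CIDR selector, as in /ip ipsec policy src-address=
    dst: str      # CIDR selector, as in /ip ipsec policy dst-address=
    proto: int = PROTO_ANY


def gre_encapsulate(inner: Packet, local: str, remote: str) -> Packet:
    """Outer packet emitted by a GRE interface. Only the interface's
    local-address/remote-address appear in the outer header; the inner
    packet (and the 192.168.200.0/30 addresses assigned to the interface)
    is payload and is never seen by the policy selectors."""
    return Packet(src=local, dst=remote, proto=GRE)


def matches(policy: Policy, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(policy.src)
            and ip_address(pkt.dst) in ip_network(policy.dst)
            and policy.proto in (PROTO_ANY, pkt.proto))


def select_policy(spd: Iterable[Policy], pkt: Packet) -> Optional[str]:
    """First-match SPD lookup on an outgoing packet; None means 'sent in clear'."""
    for policy in spd:
        if matches(policy, pkt):
            return policy.name
    return None


# Constructed sample traffic: a LAN host at site 1 pinging a LAN host at site 2.
LAN_PING = Packet("10.201.1.10", "10.201.2.10", ICMP)

# The manual policy from the posted config (selectors on the tunnel addresses),
# a selector on the WAN endpoints with protocol gre, and a LAN-to-LAN policy.
MANUAL_TUNNEL_ADDRS = Policy("tunnel-addrs", "192.168.200.1/32", "192.168.200.2/32")
WAN_GRE = Policy("wan-gre", "1.1.1.1/32", "2.2.2.2/32", GRE)
LAN_TO_LAN = Policy("lan-to-lan", "10.201.1.0/24", "10.201.2.0/24")


def outcome(spd: Iterable[Policy], local: str, remote: str) -> Optional[str]:
    """Which policy, if any, protects the ping once a GRE interface with the
    given local/remote endpoints has encapsulated it."""
    return select_policy(spd, gre_encapsulate(LAN_PING, local, remote))


if __name__ == "__main__":
    # Posted setup: GRE between the WAN IPs, policy on the tunnel addresses.
    print(outcome([MANUAL_TUNNEL_ADDRS], "1.1.1.1", "2.2.2.2"))   # None
    # Same GRE endpoints, selector on the WAN endpoints and protocol gre.
    print(outcome([WAN_GRE], "1.1.1.1", "2.2.2.2"))               # wan-gre
    # The workaround above: LAN addresses as GRE endpoints, LAN-to-LAN policy.
    print(outcome([LAN_TO_LAN], "10.201.1.1", "10.201.2.1"))      # lan-to-lan
```

The first lookup returns None because the outer packet carries 1.1.1.1 and 2.2.2.2, so a selector on 192.168.200.1/32 and 192.168.200.2/32 can never match it and the GRE traffic leaves unencrypted. The last lookup shows why moving the GRE endpoints onto the LAN addresses works: the outer packet then falls inside the LAN-to-LAN selector that is already there.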
 
BrandonSk
just joined
Topic Author
Posts: 20
Joined: Wed May 06, 2015 12:21 am

Re: Yet another GRE not working

Sun Sep 15, 2019 12:09 am

> Your ipsec policy matches traffic 192.168.200.2/32 <->192.168.200.1/32, but it should match traffic between GRE local and remote addresses 1.1.1.1 <->2.2.2.2
> As these are your WAN IPs, ipsec policy also should match GRE traffic.....or tunneled traffic might re-enter the tunnel endlessly.
>
> A way around this is using local/remote LAN IP addresses as GRE tunnel source/destination
Hello.
Thanks for the reply. Just today when playing with the setups I noticed (which confirms what you are saying) that when I let GRE establish the IPsec connection, the autogenerated connection is between WAN IP 1 and WAN IP 2, and the SA-src and SA-dst also correspond to these WAN IPs. Which means the 192.168.200.0/30 would never enter the IPsec.

Now because I had already a mess of different configs, I erased everything and in ipsec I only have the default configs.
I defined new GRE interfaces and assigned the 192.168.200.... addresses to them.

My GRE interfaces are now:
Local address: 192.168.200.1
Remote address: 2.2.2.2
IPSec secret: asd
Allow fast path: No

(and for the other side of-course with proper addresses for that site)

Ipsec default profile has Nat Traversal checked.

When I try to establish the tunnel, I get stuck with ipsec not being established. PH2 State is in "ready to sent" state, but in logs I see errors:
  • no auth method defined for peer
  • 1.1.1.1 failed to get a valid proposal
  • 1.1.1.1 failed to pre-process ph1 packet (side: 1, status 1)
  • 1.1.1.1 phase 1 negotiation failed

As far as I am aware, the configs are the same on both routers. Same encryption algorithms, hashes, DH groups, PFS, etc...

Any tips what to check for?
Also, just to make sure - is the ipsec autogeneration via GRE the correct way to go?
Or should I first make ipsec connection manually (I suppose in the Peer config I will have to define the 192.168.200.x address) and then when this is up, the GRE w/o ipsec should simply connect?

Thanks,
Brandon.
