kauksi
just joined
Topic Author
Posts: 4
Joined: Sun Dec 26, 2021 10:37 am

Microtic + Cisco GRE/ipsec

Tue Jan 04, 2022 9:59 am

Hi! I need help.
I have a Cisco 2951 and a Mikrotik RB4011iGS+ (6.49.2).
The GRE/IPsec tunnel is up and the phase 2 status is established, but after 30-60 sec it goes down with the error "79.111.xx.xx failed to pre-process ph2 packet."

Lan1: 192.168.50.0/23
Lan2: 192.168.40.0/24

WAN1: 91.211.xx.xx (Mikrotik)
WAN2: 79.111.xx.xx (Cisco)

GRE1:192.168.210.1/31
GRE2:192.168.210.2/31

Mikrotik config:
/interface gre
add allow-fast-path=no disabled=yes mtu=1460 name=filial1 remote-address=\
    79.111.xx.xx

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des name=filial1

/ip ipsec peer
add address=79.111.xx.xx/32 name=filial1 profile=filial1

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=filial1

/ip ipsec identity
add comment=filial1 my-id=address:91.211.xx.xx peer=filial1 \
    policy-template-group=filial1 secret=MySecret

/ip ipsec policy
set 0 proposal=filial1
add dst-address=79.111.xx.xx/32 level=unique peer=filial1 proposal=filial1 \
    protocol=gre src-address=91.211.xx.xx/32

/ip address
add address=192.168.210.1/31 interface=filial1 network=192.168.210.0

/ip route
add distance=1 dst-address=192.168.40.0/24 gateway=192.168.210.2

Cisco config:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MySecret address 91.211.xx.xx
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac 
!
crypto ipsec profile PROF
 set transform-set TSET 

interface Tunnel0
 description to Office
 ip address 192.168.210.2 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 91.211.xx.xx
 tunnel protection ipsec profile PROF

ip route 192.168.50.0 255.255.255.0 192.168.210.1 

access-list 101 permit gre any host 79.111.xx.xx

The problem looks like this:
viewtopic.php?t=118202

The same config works with another Mikrotik.

Could you help me to resolve this problem?
Last edited by kauksi on Thu Jan 06, 2022 8:39 am, edited 3 times in total.
 
kauksi
just joined
Topic Author
Posts: 4
Joined: Sun Dec 26, 2021 10:37 am

Re: Microtic + Cisco GRE/ipsec

Thu Jan 06, 2022 8:15 am

Now everything works.

I created a GRE tunnel without encryption.

GRE network /31 is not working, OK.

add address=192.168.210.1/28 interface=gre-tunnel-1 network=\
192.168.210.0

Routing works.

Added stronger encryption on the Cisco side:
"tunnel protection ipsec profile PROF"

and did the same on the Mikrotik side.

The error "failed to pre-process ph2 packet" appeared again.

Then I disabled it with "no tunnel mode ipsec ipv4" on the Cisco tunnel interface,

and hoobla! The tunnel is up, and there are no disconnects!
Last edited by kauksi on Thu Jan 06, 2022 8:46 am, edited 1 time in total.
 
kauksi
just joined
Topic Author
Posts: 4
Joined: Sun Dec 26, 2021 10:37 am

Re: Microtic + Cisco GRE/ipsec

Thu Jan 06, 2022 8:38 am

Working configs:

Mikrotik config:
/interface gre
add allow-fast-path=no disabled=yes name=filial1 remote-address=\
    79.111.xx.xx

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=filial1

/ip ipsec peer
add address=79.111.xx.xx/32 name=filial1 profile=filial1

/ip ipsec proposal
add enc-algorithms=aes-256-cbc pfs-group=none name=filial1

/ip ipsec identity
add comment=filial1 my-id=address:91.211.xx.xx peer=filial1 \
    policy-template-group=filial1 secret=MySecret

/ip ipsec policy
set 0 proposal=filial1
add dst-address=79.111.xx.xx/32 level=unique peer=filial1 proposal=filial1 \
    protocol=gre src-address=91.211.xx.xx/32

/ip address
add address=192.168.210.1/28 interface=filial1 network=192.168.210.0

/ip route
add distance=1 dst-address=192.168.40.0/24 gateway=192.168.210.2

Cisco config:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key MySecret address 91.211.xx.xx
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac  
!
crypto ipsec profile PROF
 set transform-set TSET 

interface Tunnel0
 description to Office 
 ip address 192.168.210.2 255.255.255.240
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination 91.211.xx.xx
 tunnel protection ipsec profile PROF

ip route 192.168.50.0 255.255.255.0 192.168.210.1 

access-list 101 permit gre any host 79.111.xx.xx
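As an added example (not code from this thread, from MikroTik or from Cisco), the following Python checker parses the lines of the two configs that matter for the negotiation and reports mismatches between the sides plus weak settings. The sample configs embedded in it are constructed from the first post and from the working configs above (the working samples are derived from the broken ones with the same substitutions the poster made); the function and field names, the key/value regex and the small Cisco-group-to-MODP table are my own assumptions, and the parser only understands the handful of commands present in this thread.

```python
import re

# Constructed sample input: the first-post (broken) configs from this thread, trimmed to
# the lines the checker inspects. IPs are the thread's masked values.
MIKROTIK_BROKEN = """\
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des name=filial1
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=filial1
/ip ipsec policy
set 0 proposal=filial1
add dst-address=79.111.xx.xx/32 level=unique peer=filial1 proposal=filial1 \\
    protocol=gre src-address=91.211.xx.xx/32
/ip address
add address=192.168.210.1/31 interface=filial1 network=192.168.210.0
"""
CISCO_BROKEN = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
interface Tunnel0
 ip address 192.168.210.2 255.255.255.252
 tunnel mode ipsec ipv4
 tunnel destination 91.211.xx.xx
 tunnel protection ipsec profile PROF
"""
# The working configs from the third post differ only by these substitutions.
MIKROTIK_WORKING = (MIKROTIK_BROKEN.replace("enc-algorithm=3des", "enc-algorithm=aes-256")
                    .replace("aes-256-cbc,aes-128-cbc,3des", "aes-256-cbc").replace("/31", "/28"))
CISCO_WORKING = (CISCO_BROKEN.replace("encr 3des", "encr aes 256").replace("esp-3des", "esp-aes 256")
                 .replace("255.255.255.252", "255.255.255.240").replace(" tunnel mode ipsec ipv4\n", ""))

WEAK_CIPHERS = {"des", "3des"}
WEAK_DH = {"modp768", "modp1024"}  # IKE groups 1 and 2
CISCO_DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}  # assumed subset


def norm_cipher(name):
    """Map vendor spellings ('esp-aes 256', 'aes-256-cbc', '3des') to one form ('aes-256', '3des')."""
    name = name.lower().replace("esp-", "").replace(" ", "-")
    return name[:-4] if name.endswith("-cbc") else name


def _join_continuations(text):
    """RouterOS exports wrap long lines with a trailing backslash; glue them back together."""
    lines, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        lines.append(buf + line.strip())
        buf = ""
    return lines


def parse_mikrotik(text):
    cfg = {"phase1_enc": None, "phase1_dh": None, "phase2_enc": [], "policy_proto": "all", "tunnel_prefix": None}
    section = None
    for line in _join_continuations(text):
        if line.startswith("/"):            # '/ip ipsec profile' etc. opens a section
            section = line
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if section == "/ip ipsec profile":
            cfg["phase1_enc"], cfg["phase1_dh"] = kv.get("enc-algorithm"), kv.get("dh-group")
        elif section == "/ip ipsec proposal":
            cfg["phase2_enc"] = kv.get("enc-algorithms", "").split(",")
        elif section == "/ip ipsec policy" and line.startswith("add"):
            cfg["policy_proto"] = kv.get("protocol", "all")
        elif section == "/ip address":
            cfg["tunnel_prefix"] = int(kv["address"].split("/")[1])
    return cfg


def parse_cisco(text):
    cfg = {"phase1_enc": None, "phase1_dh": None, "phase2_enc": None, "vti_mode": False, "tunnel_prefix": None}
    block = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):         # top-level command; may open an indented block
            block = line
            m = re.match(r"crypto ipsec transform-set \S+ (esp-\S+(?: \d+)?) esp-", line)
            if m:
                cfg["phase2_enc"] = m.group(1)
            continue
        if block.startswith("crypto isakmp policy"):
            if line.startswith("encr "):
                cfg["phase1_enc"] = line[5:]
            elif line.startswith("group "):
                cfg["phase1_dh"] = CISCO_DH.get(line.split()[1], line)
        elif block.startswith("interface Tunnel"):
            if line == "tunnel mode ipsec ipv4":   # plain IPsec VTI instead of the default GRE tunnel
                cfg["vti_mode"] = True
            elif line.startswith("ip address "):
                mask = line.split()[3]
                cfg["tunnel_prefix"] = sum(bin(int(o)).count("1") for o in mask.split("."))
    return cfg


def audit(mt, cisco):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    f = []
    if norm_cipher(mt["phase1_enc"]) != norm_cipher(cisco["phase1_enc"]):
        f.append(f"phase1 cipher mismatch: MikroTik {mt['phase1_enc']} vs Cisco {cisco['phase1_enc']}")
    if mt["phase1_dh"] != cisco["phase1_dh"]:
        f.append(f"phase1 DH mismatch: MikroTik {mt['phase1_dh']} vs Cisco {cisco['phase1_dh']}")
    if norm_cipher(cisco["phase2_enc"]) not in [norm_cipher(c) for c in mt["phase2_enc"]]:
        f.append(f"phase2 transform {cisco['phase2_enc']} is not in the MikroTik proposal")
    if cisco["vti_mode"] and mt["policy_proto"] == "gre":
        f.append("encapsulation mismatch: Cisco side is a plain IPsec VTI (tunnel mode ipsec ipv4) "
                 "but the MikroTik policy only covers protocol=gre")
    if mt["tunnel_prefix"] != cisco["tunnel_prefix"]:
        f.append(f"tunnel subnet mismatch: MikroTik /{mt['tunnel_prefix']} vs Cisco /{cisco['tunnel_prefix']}")
    for side, c in (("MikroTik", mt["phase1_enc"]), ("Cisco", cisco["phase1_enc"]), ("Cisco", cisco["phase2_enc"])):
        if norm_cipher(c) in WEAK_CIPHERS:
            f.append(f"weak cipher on {side}: {c}")
    for side, g in (("MikroTik", mt["phase1_dh"]), ("Cisco", cisco["phase1_dh"])):
        if g in WEAK_DH:
            f.append(f"weak DH group on {side}: {g}")
    return f


def check(mikrotik_text, cisco_text):
    return audit(parse_mikrotik(mikrotik_text), parse_cisco(cisco_text))


if __name__ == "__main__":
    for label, mt, cs in (("first post", MIKROTIK_BROKEN, CISCO_BROKEN), ("working", MIKROTIK_WORKING, CISCO_WORKING)):
        print(f"== {label} ==")
        for finding in check(mt, cs) or ["no findings"]:
            print(" -", finding)
```

On the first-post configs the checker reports the VTI-versus-GRE encapsulation mismatch that the poster removed with "no tunnel mode ipsec ipv4", the /31 versus /30 tunnel subnet, and 3DES on both sides; on the working configs the only remaining findings are modp1024 (Cisco group 2) on both ends, which the thread never changed.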
 
citizenkane
just joined
Posts: 1
Joined: Sun Aug 07, 2022 9:21 am

Re: Microtic + Cisco GRE/ipsec

Sun Aug 07, 2022 9:24 am

Hello. Thanks for the great post. I cannot get it to work though. Are you sure you posted the entire Cisco config? The access-list destination host seems to point to its own address, and the access-list is not applied anywhere. Should there also be a crypto map configured?
Last edited by citizenkane on Sun Aug 07, 2022 11:33 am, edited 1 time in total.