Is there anybody who has any experience in setting this up and has made it actually work? I ask this in general before I start spitting out configs and so on.
Background as to why this setup:
We install and manage networks for small businesses (mainly in the hospitality scene) where on the client side we use Draytek routers and switches in combination with Unifi APs. We already did this way before I had any experience with Mikrotik. So most sites already have this equipment, and since our mechanics and engineers are not yet skilled with Mikrotik, for the time being we will keep using this on client sites.
For a year now we have been rolling out these network setups with VLANs, and they will all have at least an MGMT_VLAN with a unique IP subnet so we can start creating VPN tunnels between these client routers and our router, so we can easily manage all network equipment behind the router. So far so good, as we started doing this with an IPsec IKEv2 tunnel and it works like a charm.
We have to use IKEv2 as some clients are behind NAT (the clients where we didn't provide the internet connection); where possible we try to bridge their existing router, but that is not always possible.
In this setup we made the client side always the initiator of the VPN tunnel and our router the responder. However, this way we are not able to set up multiple subnets through the tunnel from the client side; besides, due to historical reasons the client subnets are not always unique (you can imagine a lot of client subnets being 192.168.1.0/24 or alike), so we can't make these subnets permanently available either.
With all this in mind I thought it would be a good solution to start using GRE over IPsec; that way I can easily create temporary routes to client subnets to make better troubleshooting possible.
Our side: Draytek Vigor 2862ac in bridged mode (VVDSL+ connection) and a Mikrotik CCR1016-12G responsible for setting up the PPPoE connection on the DSL bridge
Client sides: Mostly Draytek Vigor 2927 either directly connected to the internet or behind NAT
As I said earlier, it's not a problem setting up the IPsec IKEv2 connection; it works like a charm.
Setting up a GRE tunnel between the two (not encrypted in that case) works like a charm too
But getting the thing to do GRE over IPSec just keeps giving me headaches.
On the Draytek I created a LAN-to-LAN VPN dial-out IPsec IKEv2 and enabled "Enable IPSec Dial-Out function GRE over IPsec", set the local IP to 172.16.0.2 (I cannot set a subnet mask ANYwhere) and the remote IP to 172.16.0.1. My GRE interface on the Mikrotik is still the same as before (using ONLY a GRE tunnel), with the source and destination IPs being the WAN IPs of both sides and an IP on the interface of 172.16.0.1/32.
Now the IPsec tunnel is coming up perfectly and I can see the dynamically created policy having 172.16.0.1 as source and 172.16.0.2 as destination... but no matter what, the GRE tunnel is not coming up.
I've already done a lot of searches on Google and browsed everything that was even closely related to this kind of setup, but found nothing that addresses this exact same setup.
So any ideas, tips, suggestions would be welcome.
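As an added illustration (not from the post, and not Draytek or Mikrotik code) of how an IPsec policy decides whether a GRE packet is protected: the policy selectors are compared against the GRE packet's outer IP header, so a policy with selectors 172.16.0.1 and 172.16.0.2 only covers GRE packets whose tunnel endpoints are those addresses. The WAN addresses below are documentation-range placeholders, and the policy's protocol selector is assumed to be "any" because the post does not state it.

```python
import ipaddress

GRE = 47  # IP protocol number of GRE


def policy_matches(policy, pkt):
    """True if the packet's outer IP header falls inside the policy's selectors."""
    if policy["protocol"] != "any" and policy["protocol"] != pkt["protocol"]:
        return False
    in_src = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(policy["src"])
    in_dst = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(policy["dst"])
    return in_src and in_dst


def disposition(spd, pkt):
    """Action of the first matching policy, or 'cleartext' when nothing selects it."""
    for policy in spd:
        if policy_matches(policy, pkt):
            return policy["action"]
    return "cleartext"


def gre_disposition(spd, local, remote):
    """Build the outer header of a GRE packet between two endpoints and run it through the SPD."""
    return disposition(spd, {"src": local, "dst": remote, "protocol": GRE})


# Constructed SPD mirroring what the post reports: one dynamic policy whose
# selectors are 172.16.0.1 (our side) and 172.16.0.2 (client side).
# The protocol selector is an assumption; the post does not mention it.
REPORTED_SPD = [
    {"src": "172.16.0.1/32", "dst": "172.16.0.2/32", "protocol": "any", "action": "encrypt"},
]

# Documentation-range placeholders for the two WAN addresses (constructed).
WAN_LOCAL = "203.0.113.10"
WAN_PEER = "198.51.100.20"

if __name__ == "__main__":
    # GRE keyed on the WAN addresses, as in the post: no selector covers it.
    print("WAN endpoints   :", gre_disposition(REPORTED_SPD, WAN_LOCAL, WAN_PEER))
    # GRE keyed on the addresses the policy actually lists.
    print("172.16 endpoints:", gre_disposition(REPORTED_SPD, "172.16.0.1", "172.16.0.2"))
```

A quick way to confirm the same thing on a live box is to watch whether the IPsec SA byte counters move when the GRE keepalives are sent; if they stay at zero, the GRE packets are not being selected by any policy.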