StephanXtrabits
just joined
Topic Author
Posts: 4
Joined: Sat Oct 23, 2021 9:56 pm

GRE over IPSec between Mikrotik and Draytek

Fri Jun 24, 2022 3:53 pm

Is there anybody who has any experience in setting this up and has actually made it work? I ask this in general before I start spitting out configs and so on :)

Background as to why this setup:
We install and manage networks for small businesses (mainly in the hospitality scene) where on the client side we use Draytek routers and switches in combination with Unifi APs. We already did this well before I had any experience with Mikrotik. So most sites already have this equipment, and because the mechanics and engineers are not skilled with Mikrotik, for the time being we will keep using this on client sites.

For about a year now we have been rolling out these network setups with VLANs, and they will all have at least a MGMT_VLAN with a unique IP subnet, so we can start creating VPN tunnels between these client routers and our router and easily manage all the network equipment behind the router. So far so good, as we started doing this with an IPSec IKEv2 tunnel and it works like a charm.
We have to use IKEv2 as some clients are behind NAT (the clients where we didn't provide the internet connection); where possible we try to bridge their existing router, but that is not always possible.

In this setup we made the client side always the initiator of the VPN tunnel and our router the responder. However, this way we are not able to set up multiple subnets through the tunnel from the client side; besides, due to historical reasons the client subnets are not always unique (you can imagine a lot of client subnets being 192.168.1.0/24 or alike), so we can't make these subnets permanently available either.

With all this in mind I thought it would be a good solution to start using GRE over IPSec; that way I can easily create temporary routes to any client subnets to make better troubleshooting possible.

Our side: Draytek Vigor 2862ac in bridged mode (VVDSL+ connection) and a Mikrotik CCR1016-12G responsible for setting up the PPPoE connection on the DSL bridge

Client sides: Mostly Draytek Vigor 2927 either directly connected to the internet or behind NAT

As I said earlier, setting up the IPSec IKEv2 connection is not a problem, it works like a charm.
Setting up a GRE tunnel between the two (not encrypted in that case) works like a charm too.
But getting the thing to do GRE over IPSec just keeps giving me headaches.

On the Draytek I created a LAN-to-LAN VPN Dial-out IPSec IKEv2, enabled the "Enable IPSec Dial-Out function GRE over IPsec" option, set local IP to 172.16.0.2 (I cannot set a subnet mask ANYWHERE) and remote IP to 172.16.0.1. My GRE interface on the Mikrotik is still the same as before (using ONLY a GRE tunnel), with source and destination IPs being the WAN IPs from both sides, and an IP set on the interface as 172.16.0.1/32.
Now the IPSec tunnel is coming up perfectly and I can see the dynamically created policy having 172.16.0.1 as source and 172.16.0.2 as destination... but no matter what, the GRE tunnel is not coming up.

I've already done a lot of searches on Google and browsed everything that was even closely related to this kind of setup, but found nothing that addresses this exact setup.

So any ideas, tips, suggestions would be welcome.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: GRE over IPSec between Mikrotik and Draytek

Sat Jun 25, 2022 9:44 am

Knowing nothing about Draytek's approach, there are two points.

First, you need to find out how Draytek wants to use the SA to deliver the GRE transport packets, so what traffic selector it asks for when establishing Phase 2. If you let Mikrotik generate the policy from a wide open template, you will see that from the detailed print of the policy - what is the mode (tunnel or transport) and what is the traffic selector (src-address, dst-address, maybe protocol). This will tell you what local-address and remote-address to set on the /interface gre row.

Second, there's the keepalive thing. As the GRE protocol itself is stateless, some vendors (Mikrotik, Cisco) use a workaround to detect the tunnel availability and indicate the state (up/down) of the virtual interface: the interface is considered up for some (configurable) time after a GRE transport packet has arrived, and a special transport packet carrying a return transport packet as its payload is sent every (configurable) interval to make sure that some traffic keeps coming even if no real payload traffic exists. But for this trick to work, the remote party (Draytek in this case) must accept and forward packets coming from a "weird" source: the "keepalive response" comes in from outside, via the GRE tunnel, whereas its source address is Draytek's own. Whilst you've tested that this does work for bare GRE (without IPsec), there may be additional limitations caused by the IPsec policy matching.

Unrelated to what Draytek does, there is also the "security patch" in RouterOS from 6.45.something that started flagging incoming GRE packets with connection-state=invalid on some CPU architectures under some conditions, even if GRE packets were sent by the router itself. It may be related to use of IPsec too - I cannot be sure because I've never tried that without IPsec. So if your set of firewall rules is based on the default one, you may need to add protocol=!gre to the existing chain=input connection-state=invalid action=drop rule, and then make sure no GRE traffic comes in for more than 10 minutes. Sounds like a cargo cult and it probably is, but I wasn't able to find any more deterministic solution. A reboot of the Mikrotik helps too but I don't think it is an acceptable method on a central element of a network.
Last edited by sindy on Sat Jun 25, 2022 2:14 pm, edited 1 time in total.
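To make the two points above concrete, here is a small added example (my own toy model, not code from this thread or from MikroTik/Draytek) that plays both tunnel endpoints in Python: an IPsec traffic selector with the values the thread's policy print shows (172.16.0.1/32 to 172.16.0.2/32), a GRE keepalive built the way described (a GRE transport packet whose payload is a GRE packet with src/dst swapped), and a far end that either forwards that swapped-source payload or drops it. The WAN addresses are RFC 5737 placeholders, and the `forward_own_source` switch is an assumption standing in for whatever anti-spoofing check the far end might apply; nothing here reproduces real Draytek behaviour.

```python
"""Toy model of a GRE keepalive riding on an IPsec tunnel-mode policy.

Added example; not code from the thread or from MikroTik/Draytek. The GRE
endpoint addresses are the ones in the thread; the WAN addresses and the
anti-spoofing switch on the far end are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

GRE = 47  # IP protocol number for GRE


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    inner: Optional["Packet"] = None  # payload of a GRE transport packet


@dataclass(frozen=True)
class Selector:
    """IPsec traffic selector as printed by /ip ipsec policy print detail.
    src/dst are written from the local (printing) side's outbound view."""
    src_address: str
    dst_address: str
    protocol: Optional[int] = None  # None == protocol=all

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_address)
                and ip_address(pkt.dst) in ip_network(self.dst_address)
                and (self.protocol is None or self.protocol == pkt.proto))

    def reverse(self) -> "Selector":
        """Same SA seen from the other direction: selectors swapped."""
        return Selector(self.dst_address, self.src_address, self.protocol)


def build_keepalive(local: str, remote: str) -> Packet:
    """Cisco/MikroTik-style keepalive: the outer GRE packet carries a GRE
    packet with src/dst swapped. When the far end decapsulates and forwards
    that payload, the payload travels straight back to the sender."""
    return Packet(local, remote, GRE, inner=Packet(remote, local, GRE))


def far_end(pkt: Packet, own: str, selector: Selector,
            forward_own_source: bool) -> Optional[Packet]:
    """What the far end does with a packet arriving from the WAN.
    Returns the packet it sends back, or None if nothing comes back."""
    if not selector.matches(pkt):
        return None  # does not match the SA: ignored as stray plaintext
    if pkt.proto != GRE or pkt.dst != own or pkt.inner is None:
        return None
    inner = pkt.inner
    # The keepalive payload is sourced from the far end's *own* address,
    # yet it arrived from outside. A strict anti-spoofing check drops it.
    if inner.src == own and not forward_own_source:
        return None
    # Forwarding it back out must again match the (now outbound) selector.
    if not selector.reverse().matches(inner):
        return None
    return inner


def is_keepalive_reply(pkt: Optional[Packet], local: str, remote: str) -> bool:
    return (pkt is not None and pkt.src == remote and pkt.dst == local
            and pkt.proto == GRE and pkt.inner is None)


def keepalive_round_trip(local: str, remote: str, selector: Selector,
                         forward_own_source: bool = True) -> bool:
    """True if a keepalive sent from `local` makes it back through `remote`."""
    sent = build_keepalive(local, remote)
    if not selector.matches(sent):
        return False  # the local side would not put it into the SA either
    reply = far_end(sent, remote, selector, forward_own_source)
    return is_keepalive_reply(reply, local, remote)


def gre_interface_up(keepalive_enabled: bool, reply_seen: bool) -> bool:
    """With keepalive disabled the interface is always 'up', which says nothing
    about whether packets get through; with keepalive it follows the replies."""
    return reply_seen if keepalive_enabled else True


# Selector values as printed in the thread; WAN addresses are placeholders.
SELECTOR = Selector("172.16.0.1/32", "172.16.0.2/32")
WAN_LOCAL, WAN_REMOTE = "192.0.2.1", "198.51.100.1"


def scenarios() -> Dict[str, bool]:
    return {
        # GRE endpoints equal to the selector addresses: keepalive returns.
        "endpoints_match_policy":
            keepalive_round_trip("172.16.0.1", "172.16.0.2", SELECTOR),
        # GRE endpoints left on the WAN addresses (the first attempt in the
        # thread): the GRE transport packet never matches the dynamic policy.
        "endpoints_are_wan":
            keepalive_round_trip(WAN_LOCAL, WAN_REMOTE, SELECTOR),
        # Right endpoints, but the far end refuses to forward a packet that
        # claims its own address as source and arrived via the tunnel.
        "far_end_antispoof":
            keepalive_round_trip("172.16.0.1", "172.16.0.2", SELECTOR,
                                 forward_own_source=False),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: keepalive {'returned' if ok else 'lost'}")
```

Running it prints one line per scenario; only the first one reports the keepalive as returned, which is the same distinction the thread ends up at: the GRE local/remote addresses must be the ones in the selector, and even then the interface stays down if the far end will not forward the swapped-source payload.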
 
StephanXtrabits
just joined
Topic Author
Posts: 4
Joined: Sat Oct 23, 2021 9:56 pm

Re: GRE over IPSec between Mikrotik and Draytek

Sat Jun 25, 2022 2:05 pm

Really good information that I can use to try to tackle this problem.
I knew about the statelessness of GRE, but I figured that would be the last hurdle to take in this process.

Will let you know what i have found and if I'm able to solve this problem with the information you gave me.
 
StephanXtrabits
just joined
Topic Author
Posts: 4
Joined: Sat Oct 23, 2021 9:56 pm

Re: GRE over IPSec between Mikrotik and Draytek

Fri Jul 01, 2022 1:25 pm

OK, finally got some time to test again.
This is what I get from the autogenerated policy:
peer=OFS tunnel=yes src-address=172.16.0.1/32 src-port=any dst-address=172.16.0.2/32 dst-port=any protocol=all action=encrypt level=unique 
ipsec-protocols=esp sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=yyy.yyy.yyy.yyy proposal=default priority=0x33A0000 ph2-count=1 
ph2-state=established
So based on that I changed the local and remote addresses on the GRE tunnel to 172.16.0.1/32 and 172.16.0.2/32.

Next I'm getting this from my log:
new ike2 SA (R): OFS 37.235.86.122[500]-37.235.86.123[500] spi:3eaa3ae5407a61d4:a6acb09ea2e8b0d7
peer authorized: OFS 37.235.86.122[500]-37.235.86.123[500] spi:3eaa3ae5407a61d4:a6acb09ea2e8b0d7
GRE input: in:PPPoE_X2com_line2 out:(unknown 0), src-mac 78:50:7c:40:30:74, proto 47, 172.16.0.2->172.16.0.1, len 68
GRE input: in:PPPoE_X2com_line2 out:(unknown 0), src-mac 78:50:7c:40:30:74, proto 47, 172.16.0.2->172.16.0.1, len 279
The last two are firewall info messages from the following firewall filter rule:
chain=input action=accept protocol=gre in-interface=PPPoE_X2com_line2 log=yes log-prefix="GRE" ipsec-policy=in,ipsec
After this the tunnel still wasn't coming up. When I checked traffic on the GRE interface, the graph was showing me some sporadic packets, so I decided to torch the interface and wasn't seeing anything... then I realised that the packets I saw were of course the keepalives from the Mikrotik GRE interface settings... I disabled the keepalive... and weird thing, the tunnel came up.
The dynamically created routing rule is no longer invalid...

So far so good... now I will see if I can get any traffic routed through the GRE tunnel.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: GRE over IPSec between Mikrotik and Draytek

Fri Jul 01, 2022 1:46 pm

I disabled the keepalive... and weird thing, the tunnel came up.
Nothing weird about it - if keepalive is disabled, the tunnel "upness" is not linked to reception of packets, so it is up all the time and it says nothing about its actual transparency.
 
StephanXtrabits
just joined
Topic Author
Posts: 4
Joined: Sat Oct 23, 2021 9:56 pm

Re: GRE over IPSec between Mikrotik and Draytek

Fri Jul 15, 2022 12:09 pm

Nothing weird about it - if keepalive is disabled, the tunnel "upness" is not linked to reception of packets, so it is up all the time and it says nothing about its actual transparency.
Realised that... Anyway, I wasn't able to test the rest until today, and after some more tweaking on the Draytek side I'm happy to say that thanks to your help I was now able to set up an active GRE tunnel over IPsec with IKEv2 between Mikrotik and Draytek.
I can now happily add an additional temporary route to any of the subnets on the Draytek by only adding a single routing rule on the Mikrotik, without having to change anything on the Draytek side. This way it becomes much easier to start troubleshooting on the client side remotely.

If I have some time left later today I will create a short manual on how to set this up between the two. Just not sure where to post/publish this :)
 
dnomyarv
just joined
Posts: 3
Joined: Mon Sep 17, 2018 3:00 pm

Re: GRE over IPSec between Mikrotik and Draytek

Wed Mar 22, 2023 9:53 pm

Have you found the time to create a manual or screenshot for this yet?
I am having trouble getting it to work too.

Gotten as far as an established Phase 2 in a transport policy for a short time. After a few seconds it gets disconnected again.
There seem to be Tx packets, but no Rx received.
