New Member

[SOLVED] GRE tunnel + IPSec, Edgerouter - Mikrotik

I have some issues getting my GRE/IPSec tunnel up and running, with Mikrotik at one end and EdgeRouter at the other.

Here's a simple topology.

                 +---------------------+
        +--------+      Interwebz      +---------+
        |        +---------------------+         |
        |                                        |
        |                                        |
1.1.1.1 |                                        | 2.2.2.2
        |                                        |
+-------+------+        GRE Tunnel       +-------+------+
|   Mikrotik   +-------------------------+  EdgeRouter  |
|              +-------------------------+              |
+--------------+ .6                  .5  +--------------+


                     172.16.99.4/30

Getting the GRE tunnel up is easy and works as intended.

Mikrotik GRE

Here's the interface:

# /interface gre pr
	name="tun1"
	mtu=auto
	actual-mtu=1476
	local-address=1.1.1.1
	remote-address=2.2.2.2
	keepalive=10s,10
	dscp=inherit
	clamp-tcp-mss=yes
	dont-fragment=no
	allow-fast-path=no

And the IP address:

# /ip address pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 1 D 1.1.1.1/26         1.1.1.0         ether1
 2   172.16.99.6/30     172.16.99.4     tun1

 

EdgeRouter GRE

Setting up the GRE interface on the EdgeRouter:

$ show interfaces
 ethernet eth0 {
     address dhcp
     description Internet
     duplex auto
     ip {
         enable-proxy-arp
     }
     speed auto
 }
 tunnel tun0 {
     address 172.16.99.5/30
     description "Tunnel Kerwood"
     encapsulation gre
     local-ip 2.2.2.2
     remote-ip 1.1.1.1
 }

The tunnel routing net is now up and pingable. Pinging from the Mikrotik:

# /ping 172.16.99.5
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 172.16.99.5                                56  64 1ms
    1 172.16.99.5                                56  64 1ms
    sent=2 received=2 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=1ms

Success.. The tunnel is up, so far so good. Let's put IPSec into the mix.

EdgeRouter IPSec

Here's the EdgeRouter IPSec configuration:

$ show vpn
ipsec {
  auto-firewall-nat-exclude enable
  esp-group ESP-AES128-SHA1-DH2 {
    proposal 1 {
       encryption aes128
       hash sha1
    }
  }
  ike-group IKE-AES256-SHA256-DH19 {
    proposal 1 {
      dh-group 19
      encryption aes256
      hash sha256
    }
  }
  ipsec-interfaces {
    interface eth0
  }
}

So now let's add the peer.

$ show vpn ipsec site-to-site
peer 1.1.1.1 {
  authentication {
    mode pre-shared-secret
    pre-shared-secret PASSWORD
  }
  default-esp-group ESP-AES128-SHA1-DH2
  ike-group IKE-AES256-SHA256-DH19
  local-address 2.2.2.2
  tunnel 1 {
    protocol gre
  }
}

Mikrotik IPSec

Now for the Mikrotik part.
Below is the IKE part.. Phase 1.

/ip ipsec peer pr
	address=2.2.2.2/32
	local-address=1.1.1.1
	auth-method=pre-shared-key
	secret="PASSWORD"
	generate-policy=no
	policy-template-group=default
	exchange-mode=main
	send-initial-contact=yes
	nat-traversal=no
	proposal-check=obey
	hash-algorithm=sha256
	enc-algorithm=aes-256
	dh-group=ecp256
	lifetime=1d
	dpd-interval=2m
	dpd-maximum-failures=5

And this is the ESP part.. Phase 2:

/ip ipsec policy pr
	src-address=1.1.1.1/32
	src-port=any
	dst-address=2.2.2.2/32
	dst-port=any
	protocol=gre
	action=encrypt
	level=require
	ipsec-protocols=esp
	tunnel=no
	proposal=default

And the default proposal for Phase 2:

/ip ipsec proposal pr
	name="default"
	auth-algorithms=sha1
	enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc
	lifetime=30m
	pfs-group=modp1024

Logs

Ok so now IPSec is enabled on both sides.
From the logs below on the EdgeRouter it seems that Phase 1 (IKE) has been successfully established, but Phase 2 has not.

$ show vpn debug
...
Connections:
peer-1.1.1.1-tunnel-1:  2.2.2.2...1.1.1.1  IKEv1
peer-1.1.1.1-tunnel-1:   local:  [2.2.2.2] uses pre-shared key authentication
peer-1.1.1.1-tunnel-1:   remote: [1.1.1.1] uses pre-shared key authentication
peer-1.1.1.1-tunnel-1:   child:  dynamic[gre] === dynamic[gre] TUNNEL
Routed Connections:
peer-1.1.1.1-tunnel-1{1}:  ROUTED, TUNNEL
peer-1.1.1.1-tunnel-1{1}:   2.2.2.2/32[gre] === 1.1.1.1/32[gre]
Security Associations (1 up, 0 connecting):
peer-1.1.1.1-tunnel-1[1]: CONNECTING, 2.2.2.2[%any]...1.1.1.1[%any]
peer-1.1.1.1-tunnel-1[1]: IKEv1 SPIs: fdfddc86102375cc_i* 0000000000000000_r
peer-1.1.1.1-tunnel-1[1]: Tasks queued: QUICK_MODE
peer-1.1.1.1-tunnel-1[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD

Here are some logs from Swan on the EdgeRouter:

$ sudo swanctl --log
...
06[ENC] generating INFORMATIONAL_V1 request 703128126 [ HASH D ]
06[NET] sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (108 bytes)
14[NET] received packet: from 1.1.1.1[500] to 2.2.2.2[500] (380 bytes)
14[IKE] received retransmit of request with ID 3500542426, but no response to retransmit
12[NET] received packet: from 1.1.1.1[500] to 2.2.2.2[500] (380 bytes)
12[IKE] received retransmit of request with ID 3500542426, but no response to retransmit
01[NET] received packet: from 1.1.1.1[500] to 2.2.2.2[500] (380 bytes)
01[ENC] parsed QUICK_MODE request 3059985471 [ HASH SA No KE ID ID ]
01[IKE] no matching CHILD_SA config found
...

And here are some logs from the Mikrotik:

# /log pr
...
17:02:50 ipsec acquire for 1.1.1.1 <=> 2.2.2.2
17:02:50 ipsec suitable policy found: 1.1.1.1 <=> 2.2.2.2 ip-proto:47
17:02:50 ipsec initiate new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
17:02:50 ipsec sent phase2 packet 1.1.1.1[500]<=>2.2.2.2[500] fdfddc86102375cc:ee01a0f92531ea28:0000c6b4
17:02:50 ipsec 2.2.2.2 fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
17:03:00 ipsec resent phase2 packet 1.1.1.1[500]<=>2.2.2.2[500] fdfddc86102375cc:ee01a0f92531ea28:0000c6b4
17:03:10 ipsec resent phase2 packet 1.1.1.1[500]<=>2.2.2.2[500] fdfddc86102375cc:ee01a0f92531ea28:0000c6b4
17:03:20 ipsec 2.2.2.2 give up to get IPsec-SA due to time up to wait.
17:03:20 ipsec IPsec-SA expired: ESP/Transport 2.2.2.2[500]->1.1.1.1[500] spi=0xda59781
...

Based on the last two log outputs, specifically "01[IKE] no matching CHILD_SA config found" and "INVALID-ID-INFORMATION notify messsage", my best guess is that there's some ID mismatch.
I don't know what ID the Mikrotik sends and I don't know what ID the EdgeRouter expects.

Does anyone have an idea how to fix this?

#############################################################

Update

As 16again mentioned, the fix to my issue was to change tunnel=no to tunnel=yes in the policy on the Mikrotik.
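The failure in this post (the responder answers the Quick Mode request with INVALID-ID-INFORMATION because its phase-2 configuration does not match what the initiator proposed) can be reproduced offline. What follows is an added example, not code from the thread, from MikroTik or from Ubiquiti: it parses the RouterOS `print` output and the EdgeOS brace config exactly as pasted above, builds each side's view of the IPsec SA (mode, traffic selectors, ESP proposals) and lists the mismatches. Assumed rather than shown on the page: that an EdgeOS esp-group without a `mode` line is in tunnel mode, the algorithm-name normalisation in `norm_alg()`, and the helper names (`parse_routeros`, `parse_edgeos`, `diagnose`), which are the example's own.

```python
"""Phase-2 (IPsec SA) compatibility check for the GRE-over-IPsec pair in this thread.

Added illustration, not RouterOS or EdgeOS code. It parses the RouterOS `print`
output and the EdgeOS brace config as pasted above and reports why the responder
has "no matching CHILD_SA config found" for the initiator's Quick Mode request.
Assumed (not shown on the page): an EdgeOS esp-group with no `mode` line is in
tunnel mode, and the algorithm-name normalisation done by norm_alg().
"""


def parse_routeros(text):
    """key=value lines of a RouterOS `print` -> dict (surrounding quotes stripped)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            out[key] = value.strip('"')
    return out


def parse_edgeos(text):
    """EdgeOS/Vyatta brace config -> nested dicts; block names kept whole ("peer 1.1.1.1")."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line:
            key, _, value = line.partition(" ")
            node[key] = value.strip()
    return root


def norm_alg(name):
    """Assumed normalisation: aes-128-cbc / aes128 -> aes128, sha1 stays sha1."""
    return name.strip().lower().replace("-cbc", "").replace("-", "")


def mt_phase2(policy, proposal):
    """RouterOS view of the SA: tunnel=no means transport mode."""
    return {
        "mode": "tunnel" if policy["tunnel"] == "yes" else "transport",
        "local": (policy["src-address"], policy["protocol"]),
        "remote": (policy["dst-address"], policy["protocol"]),
        "enc": {norm_alg(a) for a in proposal["enc-algorithms"].split(",")},
        "auth": {norm_alg(a) for a in proposal["auth-algorithms"].split(",")},
    }


def er_phase2(vpn, site, peer_ip):
    """EdgeOS view: selectors from the peer's tunnel block, mode from its esp-group."""
    peer = site["peer " + peer_ip]
    tun = peer["tunnel 1"]
    esp = vpn["ipsec"]["esp-group " + peer["default-esp-group"]]
    proposals = [v for k, v in esp.items() if k.startswith("proposal ")]
    proto = tun.get("protocol", "any")
    # No local/remote prefix: the selector is the peer address pair itself, which is
    # what the thread's `show vpn debug` prints as 2.2.2.2/32[gre] === 1.1.1.1/32[gre].
    local = tun.get("local", {}).get("prefix", peer["local-address"] + "/32")
    remote = tun.get("remote", {}).get("prefix", peer_ip + "/32")
    return {
        "mode": esp.get("mode", "tunnel"),  # assumed EdgeOS default
        "local": (local, proto),
        "remote": (remote, proto),
        "enc": {norm_alg(p["encryption"]) for p in proposals},
        "auth": {norm_alg(p["hash"]) for p in proposals},
    }


def child_sa_mismatches(initiator, responder):
    """Why the responder would find no CHILD_SA config for the initiator's proposal."""
    reasons = []
    if initiator["mode"] != responder["mode"]:
        reasons.append("mode: %s vs %s" % (initiator["mode"], responder["mode"]))
    if initiator["local"] != responder["remote"] or initiator["remote"] != responder["local"]:
        reasons.append("traffic selectors do not mirror each other")
    if not (initiator["enc"] & responder["enc"]) or not (initiator["auth"] & responder["auth"]):
        reasons.append("no common ESP proposal")
    return reasons


# Inputs copied from the thread (phase-1 settings and secrets left out).
MT_POLICY = "src-address=1.1.1.1/32\ndst-address=2.2.2.2/32\nprotocol=gre\ntunnel=no\nproposal=default\n"
MT_PROPOSAL = 'name="default"\nauth-algorithms=sha1\nenc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc\n'
ER_VPN = """ipsec {
  esp-group ESP-AES128-SHA1-DH2 {
    proposal 1 {
      encryption aes128
      hash sha1
    }
  }
}
"""
ER_PEER = """peer 1.1.1.1 {
  default-esp-group ESP-AES128-SHA1-DH2
  local-address 2.2.2.2
  tunnel 1 {
    protocol gre
  }
}
"""


def diagnose(mt_policy=MT_POLICY, er_vpn=ER_VPN):
    """MikroTik initiates (as in the posted logs); the EdgeRouter responds."""
    mt = mt_phase2(parse_routeros(mt_policy), parse_routeros(MT_PROPOSAL))
    er = er_phase2(parse_edgeos(er_vpn), parse_edgeos(ER_PEER), "1.1.1.1")
    return child_sa_mismatches(mt, er)


if __name__ == "__main__":
    print("as posted:        ", diagnose() or "match")
    print("MT tunnel=yes:    ", diagnose(mt_policy=MT_POLICY.replace("tunnel=no", "tunnel=yes")) or "match")
    print("ER mode transport:", diagnose(er_vpn=ER_VPN.replace("proposal 1 {", "mode transport\n    proposal 1 {")) or "match")
```

Run as posted it reports `mode: transport vs tunnel`; with `tunnel=yes` in the MikroTik policy, or with `mode transport` in the EdgeRouter esp-group, the two views agree, which are the two fixes the thread arrives at. The check is about the responder's phase-2 configuration, not the IKE identities the original poster suspected: the selectors 2.2.2.2/32[gre] === 1.1.1.1/32[gre] in the `show vpn debug` output already mirror the MikroTik policy. One caveat worth keeping from the posted MikroTik policy: `level=require` drops GRE packets that match the policy while no SA exists instead of sending them in the clear as `level=use` would, so the tunnel that was pingable before IPsec was added does not silently fall back to cleartext while phase 2 is failing.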


All Replies
Veteran Member

Re: GRE tunnel + IPSec, Edgerouter - Mikrotik

On the edgerouter, add remote and local subnets under the peer (being 1.1.1.1/32 and 2.2.2.2/32)

New Member

Re: GRE tunnel + IPSec, Edgerouter - Mikrotik

Hmm.. Under the peer?

There aren't really any parameters about subnets.

$ set vpn ipsec site-to-site peer 1.1.1.1
Possible completions:
  authentication
  		Peer authentication [REQUIRED]
  connection-type
  		Connection type
  default-esp-group
  		Defult ESP group name
  description	VPN peer description
  dhcp-interface
  		DHCP interface to listen on
  force-encapsulation
  		Force UDP Encapsulation for ESP Payloads
  ike-group	Internet Key Exchange (IKE) group name [REQUIRED]
  ikev2-reauth	Re-authentication of the remote peer during an IKE re-key.  IKEv2 option only
  local-address	IPv4 or IPv6 address of a local interface to use for VPN
  tunnel	Peer tunnel [REQUIRED]
  vti		Virtual tunnel interface [REQUIRED]
Veteran Member

Re: GRE tunnel + IPSec, Edgerouter - Mikrotik

Under the peer, under the tunnel

 set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix .....
New Member

Re: GRE tunnel + IPSec, Edgerouter - Mikrotik

Didn't change anything.

 peer 1.1.1.1 {
     authentication {
         mode pre-shared-secret
         pre-shared-secret PASSWORD
     }
     default-esp-group ESP-AES128-SHA1-DH2
     ike-group IKE-AES256-SHA256-DH19
     local-address 2.2.2.2
     tunnel 1 {
         local {
             prefix 2.2.2.2/32
         }
         protocol gre
         remote {
             prefix 1.1.1.1/32
         }
     }
 }

Same "01[IKE] no matching CHILD_SA config found" and "INVALID-ID-INFORMATION notify messsage", in the logs.

Veteran Member

Re: GRE tunnel + IPSec, Edgerouter - Mikrotik

At MT side tunnel=no looks suspicious.

afaik, IPSEC normally is transport mode

New Member

Re: GRE tunnel + IPSec, Edgerouter - Mikrotik

Yes... That was it. Thank you.

FYI, the only thing I changed was tunnel=no to tunnel=yes in the policy on MT. I am not using the local prefix as first suggested.

Regular Member

Re: GRE tunnel + IPSec, Edgerouter - Mikrotik

Strange. I have a GRE/IPSEC tunnel between two Mikrotiks and "tunnel=no" is set. Must be down to how your Edgerouter was set.

Veteran Member

Re: [SOLVED] GRE tunnel + IPSec, Edgerouter - Mikrotik

Of course tunnel=no can work..... but both ends of the tunnel must have the same settings, as happens when using 2 MTs.

I'm not sure the ER side can be configured to use transport mode (tunnel=no).

New Member

Re: GRE tunnel + IPSec, Edgerouter - Mikrotik

Yes.. I have that too. It's a bit strange.

Regular Member

Re: [SOLVED] GRE tunnel + IPSec, Edgerouter - Mikrotik

@16again wrote:

Of course tunnel=no can work..... but both ends of the tunnel must have the same settings, as happens when using 2 MTs.

I'm not sure the ER side can be configured to use transport mode (tunnel=no).

I looked into this further last night.

Transport mode on the ER can be set with this command:

set vpn ipsec esp-group FOO0 mode transport

Tunnel mode has slightly higher overhead because the original IP header is encapsulated and a new header created. From what I've read, transport mode is normally used for GRE/IPSEC, and if tunnel mode is used it can break some things that would otherwise work over GRE, such as protocols that use broadcast or multicast.

So it would seem transport would be the preferred mode for GRE/IPSEC.

New Member

Re: [SOLVED] GRE tunnel + IPSec, Edgerouter - Mikrotik

Thanks for looking into that. I set the MT policy to "tunnel=no" and the ESP group to "mode transport", and it works like a charm..

Veteran Member

Re: [SOLVED] GRE tunnel + IPSec, Edgerouter - Mikrotik

Indeed mode transport is preferred.

But multicast/broadcast stuff is already encapsulated by the GRE tunnel, so the IPSEC settings won't matter.