IPSEC over GRE between Cisco and Mikrotik Router

navid.gharib (Level 1)

Hello everybody,

 

We are currently trying to establish a GRE over IPSEC solution between our HQ and our partners. They have a Cisco router and we have a MT RB951G. The configurations are as follows:

 

Cisco side:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key **** address 172.16.30.1
!
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set TEST
!
interface Tunnel0
 ip address 172.20.19.41 255.255.255.252
 tunnel source 172.16.30.2
 tunnel mode ipsec ipv4
 tunnel destination 172.16.30.1
 tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
 ip address 172.16.30.2 255.255.255.0
 speed auto
 duplex full
!
interface FastEthernet0/1
 ip address 10.200.151.1 255.255.255.0
 speed auto
 duplex auto

Mikrotik side:

Interfaces:
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME          TYPE         ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS
 0  R  ether1        ether        1500                          08:00:27:AD:08:79
 1     gre-tunnel1   gre-tunnel   1476        65535

IP Addresses:
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   172.16.30.1/24     172.16.30.0     ether1
 1   172.20.19.42/30    172.20.19.0     gre-tunnel1

Peers:
 0   address=172.16.30.2/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="*******"
     generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no
     proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=2m dpd-maximum-failures=5

Policy:
 1   src-address=172.20.19.42/32 src-port=any dst-address=172.20.19.41/32 dst-port=any protocol=all action=encrypt
     level=require ipsec-protocols=esp tunnel=yes sa-src-address=172.16.30.2 sa-dst-address=172.16.30.1
     proposal=default priority=0

Proposal:
 1 * name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=1d pfs-group=none

Unfortunately we don't have access to the Cisco router, thus we can't modify configs on it, but our partner's network guy assured me that his configs are good.

The goal here is that we want to have access to the 10.200.151.0/24 network from the Mikrotik router.

When there is just the GRE tunnel between the two routers, everything is working fine. I can ping the mentioned network from my Mikrotik router without any problem. But from the moment we activate the IPSEC protection I can still ping the other side of the tunnel (172.20.19.41), but I get timeouts when I try to access the 10.200.151.0/24 network.

Regarding the IPSEC protection, everything looks fine to me; the SAs are properly installed.

Can anyone please point out what I’m doing wrong here? :D 

 

Thank you in advance for your assistance.

N.
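Added illustration, not part of the original post and not RouterOS or IOS code: a small model of the IPsec security policy database (SPD) lookup that a router performs on every outbound packet, run over the policy the post shows. The only "encrypt" policy on the Mikrotik selects 172.20.19.42/32 to 172.20.19.41/32, so a ping to the far tunnel address matches it, while a ping to a host in 10.200.151.0/24 matches nothing and leaves the router unprotected (routed through gre-tunnel1 as plain GRE, which the Cisco Tunnel0 in "tunnel mode ipsec ipv4", a VTI rather than a GRE endpoint, has no reason to accept). The second, widened policy table is an assumption of this example and shows what the same packets look like once the selectors cover the remote LAN; the Cisco static VTI negotiates 0.0.0.0/0 to 0.0.0.0/0 selectors, so it does not constrain what the Mikrotik proposes. The packets and tables are constructed from the addresses in the post.

```python
"""Model of an ordered IPsec SPD lookup (RFC 4301 style, first match wins).

Added example for the thread above; it does not talk to any router and the
policy tables/packets below are constructed from the addresses in the post.
"""
from dataclasses import dataclass
import ipaddress

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    src: Net        # src-address selector
    dst: Net        # dst-address selector
    protocol: str   # "all" or an IP protocol name, e.g. "icmp", "gre"
    action: str     # "encrypt", "none" (bypass) or "discard"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str


def lookup(spd, pkt):
    """Return the action of the first policy whose selectors cover pkt.

    A packet that matches no policy is forwarded in the clear, which is what
    RouterOS does with traffic outside every /ip ipsec policy.
    """
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for pol in spd:
        if s in pol.src and d in pol.dst and pol.protocol in ("all", pkt.protocol):
            return pol.action
    return "bypass"


# Policy exactly as posted: only the two /32 tunnel addresses are selected.
ORIGINAL_SPD = [
    Policy(Net("172.20.19.42/32"), Net("172.20.19.41/32"), "all", "encrypt"),
]

# Assumed widened table (not from the post): a second policy whose selectors
# cover the LAN behind the Cisco, so that traffic is also encrypted.
WIDENED_SPD = [
    Policy(Net("172.20.19.42/32"), Net("172.20.19.41/32"), "all", "encrypt"),
    Policy(Net("172.20.19.42/32"), Net("10.200.151.0/24"), "all", "encrypt"),
]

# Constructed test traffic: the two pings described in the post.
PACKETS = [
    Packet("172.20.19.42", "172.20.19.41", "icmp"),  # far end of the tunnel
    Packet("172.20.19.42", "10.200.151.1", "icmp"),  # host behind the Cisco
]


def evaluate(spd):
    """Map each test packet's destination to the action the SPD gives it."""
    return {p.dst: lookup(spd, p) for p in PACKETS}


def unprotected(spd):
    """Destinations that would leave the router without IPsec under this SPD."""
    return sorted(dst for dst, action in evaluate(spd).items() if action != "encrypt")


if __name__ == "__main__":
    for name, spd in (("original", ORIGINAL_SPD), ("widened", WIDENED_SPD)):
        print(f"{name}: {evaluate(spd)} unprotected={unprotected(spd)}")
```

Two further things a practitioner would check against the posted output, stated as caveats rather than as the confirmed cause: in RouterOS, sa-src-address is the local endpoint, and the posted policy carries 172.16.30.2 (the Cisco address) there while the Mikrotik's own address is 172.16.30.1; and the negotiated suite (3DES, MD5, modp1024 with no PFS) is below current guidance (AES-CBC or AES-GCM, SHA-256, modp2048 or stronger), so both sides should move off it once the partner can change their policy.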

 

3 Replies

On the Cisco side, try adding no-xauth to "crypto isakmp key **** address 172.16.30.1", so the command becomes:

crypto isakmp key **** address 172.16.30.1 no-xauth

HTH

Richard

Unfortunately it did not help. I have the same problem. The command "sh crypto isa sa" shows that it is encrypting, but there is still no ping between the sites.
And the config is set up the same way as navid.gharib's.