knotpc
just joined
Topic Author
Posts: 10
Joined: Mon Nov 05, 2012 5:25 am

GRE Over IPSEC setup issues

Fri Mar 22, 2013 5:36 am

Hello, it's been a while.

I am having problems setting up GRE over IPSEC. I have spent most of the day on it and I am stumped. Hoping someone on the forum can provide some guidance, as the web resources do not solve the issue.

Anyway the setup is MT 6.0rc11 connecting to NetScreen FW (not my choice).

MT public WAN IP is 63.224.89.XXX
Peer is 129.196.225.XXX

GRE TUNNEL FNET
Local 192.65.0.59
Remote 192.65.0.66

IP Address GRE FNET 192.65.1.94/30 other end is 192.65.1.93/30

The Peer setup is 129.196.XXX.XXX

IPSEC POLICY

SRC-ADDRESS = 192.65.0.59
DST-ADDRESS = 192.65.0.66
SA-SRC-ADDRESS = 63.224.XXX.XXX
SA-DST-ADDRESS = 129.196.XXX.XXX

When I ping via FNET to 192.65.1.93 the log shows nothing happening with IPSEC. If I change IPSEC POLICY to:

SRC-ADDRESS = 192.65.1.94
DST-ADDRESS = 192.65.1.93

And then ping via FNET to 192.65.1.93, the IPsec tunnel passes Phase 1 and gets stuck on Phase 2, where the NetScreen FW complains about the policy not being correct. The MT shows two different SA certs that time out.

At this point I am stumped. I was certain that the SRC-ADDRESS needs to be 192.65.0.59 and DST-ADDRESS should be 192.65.0.66. I am hoping someone on the board can tell me what I am doing wrong. I have added the SRC-NAT ACCEPT RULES. I have also turned off all firewall rules to minimize other road blocks.

PS: IP addresses have been modified to protect the innocent :).


Clinton W.
knotpc

Re: GRE Over IPSEC setup issues

Sat Mar 23, 2013 12:26 am

OK, solved the issue. It took a lot of reading for me to find the solution; in the end the problem is in the documentation. So here is how I got it to work.

Scenario: Mikrotik to NetScreen FW.

Mikrotik WAN Interface with PUBLICIPA
NetScreen WAN Interface with PUBLICIPB

Add GRE Tunnel (Endpoint)
Local = PublicIPC
Remote = PublicIPD

GRE Tunnel IP
Local = PublicIPE
Remote = PublicIPF

To make this work you have to:

Add GRE Interface Name=GRET (Or whatever you want to call it)
Local = PublicIPC
Remote = PublicIPD
IP ADDRESS ADD PUBLICIPC/24 (or whatever yours is) Interface = PublicIPA Interface Name, in my case WAN

Next add the GRE TunnelIP
IP ADDRESS ADD PublicIPE/30 Interface = GRET

Now you have set up the tunnel with proper endpoints and tunnel IPs.

Note, the manual and every document published uses the WAN IP of the MT Interface for the GRE Tunnel Endpoints. This works great when you control both sides. But, in my case the endpoints were assigned to me.

Now you need to setup the IPSEC PEER, given that this side is very well documented I will list only one item.

IPsec Peer PUBLICIPB

Now setup the Policy

SRC-ADDRESS = PublicIPC
DST-ADDRESS = PublicIPD
Both refer to the Tunnel EndPoints

SA-SRC-ADDRESS = PublicIPA
SA-DST-ADDRESS = PublicIPB

Leave Tunnel Checked
The manual covers the rest of the Policy

At this point we have GRE over IPsec set up. To test that this works you simply need to launch the MT Ping program and ping PublicIPF via the GRET (your GRE interface name) interface. Watching the log you should see Phase 1 and Phase 2 come up. Under IPsec > Installed SAs you should see entries in the table. For me I look for AUTH & ENCR algorithm entries, like sha1 and aes respectively. If you have this working you need only set up your routes to the other end.

IP ROUTE ADD XXX.XXX.XXX.XXX/XX GATEWAY = PublicIPF
Etc

The route will send your traffic over the IPsec tunnel. You do need to setup the SRC-NAT ACCEPT rules as explained by the manuals.

Hope this helps someone.
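The following is an added example written for this page, not configuration from either post, showing the MikroTik side of the working setup described in the second post in RouterOS CLI form. It uses the RouterOS 6.0-era IPsec syntax (the single /ip ipsec peer object used before 6.43 split peer, identity and profile) to match the version in the thread. All addresses are constructed RFC 5737 documentation addresses standing in for the post's placeholders (PublicIPA through PublicIPF); the pre-shared key, the local LAN 192.168.88.0/24 and the remote LAN 10.10.0.0/24 are assumptions. The point the first post ran into is made explicit in the policy step: an IPsec policy selects on the packet it sees leaving the router, which for a GRE tunnel is the GRE outer header (endpoint C to endpoint D), so a policy written for the tunnel /30 never matches, and when forced to negotiate it produces the proxy-ID mismatch the NetScreen rejected in Phase 2.

```routeros
# Added example, not from the original post. RouterOS 6.0-era (pre-6.43) syntax.
# Constructed addresses standing in for the post's placeholders:
#   PublicIPA = 198.51.100.10   MikroTik WAN address (IPsec SA source)
#   PublicIPB = 203.0.113.20    NetScreen WAN address (IPsec peer)
#   PublicIPC = 192.0.2.59      GRE endpoint, local (assigned by the far side)
#   PublicIPD = 203.0.113.66    GRE endpoint, remote
#   PublicIPE = 192.0.2.94/30   GRE tunnel address, local
#   PublicIPF = 192.0.2.93      GRE tunnel address, remote
# Assumed: PSK, local LAN 192.168.88.0/24, remote LAN 10.10.0.0/24, WAN/LAN names.

# 1. GRE interface: endpoints are the assigned addresses, not the WAN address.
/interface gre add name=GRET local-address=192.0.2.59 remote-address=203.0.113.66

# 2. The local endpoint must be an address the router owns, so it can source
#    GRE packets from it. The post places it on the WAN interface with the
#    mask of the assigned block; use the mask you were actually given.
/ip address add address=192.0.2.59/24 interface=WAN
/ip address add address=192.0.2.94/30 interface=GRET

# 3. Phase 1 peer: the NetScreen's public address. Algorithms must match the
#    NetScreen P1 proposal exactly (assumed here: aes-128 / sha1 / group 2).
/ip ipsec peer add address=203.0.113.20/32 auth-method=pre-shared-key \
    secret="CHANGE-ME-assumed-psk" exchange-mode=main \
    enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024 \
    generate-policy=no

# 4. Phase 2 proposal: must match the NetScreen P2 proposal, PFS included.
/ip ipsec proposal add name=gre-prop auth-algorithms=sha1 \
    enc-algorithms=aes-128-cbc pfs-group=modp1024

# 5. Policy selector = GRE outer header (PublicIPC -> PublicIPD), SA endpoints
#    = the two WAN addresses. A selector on the tunnel /30 (192.0.2.94 ->
#    192.0.2.93), as tried in the first post, never sees the GRE packets.
#    protocol=gre is the tighter (least-privilege) selector, but only use it
#    if the NetScreen proxy-ID also names GRE; a protocol mismatch fails P2.
/ip ipsec policy add src-address=192.0.2.59/32 dst-address=203.0.113.66/32 \
    protocol=all sa-src-address=198.51.100.10 sa-dst-address=203.0.113.20 \
    tunnel=yes action=encrypt proposal=gre-prop

# 6. Keep masquerade off the GRE packets: srcnat runs before the IPsec policy
#    lookup, so a masquerade rewriting 192.0.2.59 to the WAN address would make
#    the policy miss. The accept rule must sit above every masquerade rule.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.0.2.59 dst-address=203.0.113.66 place-before=0 \
    comment="GRE endpoint traffic, do not NAT"
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.88.0/24 dst-address=10.10.0.0/24 place-before=0 \
    comment="LAN to remote LAN over GRET, do not NAT"

# 7. Routes: the far end's tunnel address is the next hop (post's IP ROUTE ADD).
/ip route add dst-address=10.10.0.0/24 gateway=192.0.2.93

# 8. Input rules so the firewall can stay on instead of being disabled:
#    IKE (udp/500), NAT-T (udp/4500), ESP, and GRE from the far endpoint only.
/ip firewall filter add chain=input action=accept protocol=udp \
    src-address=203.0.113.20 dst-port=500,4500 place-before=0 comment="IKE from peer"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=203.0.113.20 place-before=0 comment="ESP from peer"
/ip firewall filter add chain=input action=accept protocol=gre \
    src-address=203.0.113.66 dst-address=192.0.2.59 place-before=0 comment="GRE from far endpoint"

# 9. Checks: a ping sourced from the local tunnel address to the far tunnel
#    address is routed into GRET, which triggers Phase 1 and Phase 2.
/system logging add topics=ipsec action=memory
/ping 192.0.2.93 src-address=192.0.2.94 count=5
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/log print
```

After the ping, /ip ipsec installed-sa print should list a pair of SAs (one per direction) with the auth and encryption algorithms from the proposal, which is the check the post describes. If remote-peers shows the peer but installed-sa stays empty, Phase 2 is what failed, and the first thing to compare is the policy's src/dst (the NetScreen proxy-ID) and the protocol field on both ends.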