deejay2
just joined
Topic Author
Posts: 17
Joined: Sat Apr 13, 2024 5:48 pm

Can't have OSPF over IPSEC/GRE

Sat Apr 13, 2024 6:20 pm

Hi!

I'm trying to set up OSPF between a Juniper SRX 345 and a CCR2116 over IPsec. I managed to get IPsec and GRE working. Each device can ping the other over the GRE interface and the IPsec tunnel ends.

The issue I have is that OSPF doesn't detect any neighbour.

# 2024-04-13 11:15:13 by RouterOS 7.14.2
# software id = T3RV-ARTQ
#
# model = CCR2116-12G-4S+
/routing ospf instance
add disabled=no name=ospf-instance-1 out-filter-select="" router-id=172.20.0.113 routing-table=main
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbonev2
/routing ospf interface-template
add area=backbonev2 disabled=no interfaces=bridge1 passive type=ptp
add area=backbonev2 disabled=no interfaces=SRX-MOMO type=ptp
add area=backbonev2 disabled=no interfaces="vlan101 - mgmt,vlan104 - IPTV" passive type=ptp


The bridge1 interface is the single bridge for L2 HW offloading. I used it as my loopback device to avoid having more than one bridge and causing problems with HW offloading.

The SRX has st0.0 and interface gr-0/0/0.1 as interfaces in the area and is already routing with other routers properly.
Security is also allowing the OSPF protocol on these interfaces to the SRX.
 
baragoon
Member
Posts: 384
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA
Contact:

Re: Can't have OSPF over IPSEC/GRE

Sat Apr 13, 2024 7:41 pm

Is OSPF allowed by the firewall?
 
pimmie
newbie
Posts: 47
Joined: Fri Mar 27, 2015 4:51 pm

Re: Can't have OSPF over IPSEC/GRE

Sun Apr 14, 2024 11:55 am

Have you tried setting the interface template for the GRE interface to a network type of ptp-unnumbered instead of just ptp? I have no experience with Juniper, but that resolved it for me a couple of times, even though the neighbour did have an IP address and each device could ping the other's GRE tunnel IP.
 
deejay2
just joined
Topic Author
Posts: 17
Joined: Sat Apr 13, 2024 5:48 pm

Re: Can't have OSPF over IPSEC/GRE

Wed Apr 17, 2024 3:51 am

Thank you for your help; I finally worked around it by using WireGuard.
 
vingjfg
Member
Posts: 413
Joined: Fri Oct 20, 2023 1:45 pm

Re: Can't have OSPF over IPSEC/GRE

Wed Apr 17, 2024 10:50 am

If you're willing to give it a second shot, here is my lab setup.

Mikrotik: external 10.0.0.2, loopback 10.255.255.1/32, tunnel 10.255.254.1/30
Cisco: external 10.0.1.2, loopback 10.255.255.2/32, tunnel 10.255.254.2/30

Mikrotik configuration (relevant bits)
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
add dh-group=modp1536 enc-algorithm=aes-256,aes-128 name=tunnel_profile nat-traversal=no
/ip ipsec peer
add address=10.0.1.2/32 comment="IPSEC to cisco" local-address=10.0.0.2 name=cisco profile=tunnel_profile
/ip ipsec proposal
add enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=1h name=aesshag5
/ip ipsec identity
add peer=cisco secret=XXXXXXXX
/ip ipsec policy
add dst-address=10.255.255.2/32 peer=cisco proposal=aesshag5 src-address=10.255.255.1/32 tunnel=yes

/interface gre
add allow-fast-path=no comment="GRE to Cisco" local-address=10.255.255.1 mtu=1400 name=Tunnel0 remote-address=\
    10.255.255.2

/routing id
add comment="Router ID" disabled=no id=10.255.255.1 name=main-int

/routing ospf instance
add disabled=no name=ospf1 router-id=main-int
/routing ospf area
add comment="Backbone Area" disabled=no instance=ospf1 name=backbone
/routing ospf interface-template
add area=backbone disabled=no interfaces=Tunnel0 type=ptp
add area=backbone disabled=no interfaces=bridge passive

Cisco configuration (relevant bits)

crypto keyring ipsec_keyring 
  pre-shared-key address 10.0.0.2 key XXXXXXX
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile for_vti
   keyring ipsec_keyring
   self-identity address
   match identity address 10.0.0.2 255.255.255.255 
   local-address 10.0.1.2
!
crypto keyring ipsec_keyring 
  pre-shared-key address 10.0.0.2 key tunnel_profile
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile for_vti
   keyring ipsec_keyring
   self-identity address
   match identity address 10.0.0.2 255.255.255.255 
   local-address 10.0.1.2
!
ip access-list extended ipsec_tun
 permit ip host 10.255.255.2 host 10.255.255.1
!
interface Tunnel0
 ip address 10.255.254.2 255.255.255.252
 ip mtu 1400
 ip ospf 1 area 0
 tunnel source Loopback0
 tunnel destination 10.255.255.1
!
router ospf 1
 router-id 10.255.255.2
 log-adjacency-changes
!

OSPF Status as seen from the Mikrotik
[jeff@router1] > /routing/ospf/neighbor/print
Flags: V - virtual; D - dynamic 
 0  D instance=ospf1 area=backbone address=10.255.254.2 router-id=10.255.255.2 state="Full" state-changes=6 
      adjacency=2d20h46m43s timeout=35s 
OSPF Status as seen from the Cisco
routerB#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.255.1      0   FULL/  -        00:00:39    10.255.254.1    Tunnel0

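A consistency check for the kind of setup shown above, added here as an example (not code from the post, from MikroTik or from Cisco): it parses a RouterOS export fragment and confirms, for each GRE interface, that a tunnel-mode IPsec policy covers its local and remote endpoints and that the tunnel sits in an OSPF interface-template of type ptp or ptp-unnumbered, the two points this thread turns on. The sample export is constructed from vingjfg's lab config, abridged to the relevant sections.

```python
from ipaddress import ip_address, ip_network
import shlex

# Constructed sample: vingjfg's lab export above, abridged to the relevant sections.
SAMPLE = r"""/ip ipsec policy
add dst-address=10.255.255.2/32 peer=cisco proposal=aesshag5 src-address=10.255.255.1/32 tunnel=yes
/interface gre
add allow-fast-path=no comment="GRE to Cisco" local-address=10.255.255.1 mtu=1400 name=Tunnel0 remote-address=\
    10.255.255.2
/routing ospf interface-template
add area=backbone disabled=no interfaces=Tunnel0 type=ptp
add area=backbone disabled=no interfaces=bridge passive
"""

def parse_export(text):
    """RouterOS /export fragment -> {section: [{key: value}, ...]}; handles backslash continuations and quoted values."""
    cfg, section, buf = {}, None, ""
    for raw in text.splitlines():
        line, buf = buf + raw.strip(), ""
        if line.endswith("\\"):            # continuation: glue the next line on
            buf = line[:-1]
        elif line.startswith("/"):
            section = line
            cfg.setdefault(section, [])
        elif line.startswith("add ") and section:   # comment and 'set' lines are ignored
            pairs = (tok.partition("=") for tok in shlex.split(line[4:]))
            cfg[section].append({k: v if eq else "yes" for k, eq, v in pairs})  # bare 'passive' -> yes
    return cfg

def check_gre_ospf(cfg):
    """Findings per GRE interface; empty means IPsec covers the endpoints and OSPF type is ptp/ptp-unnumbered."""
    findings = []
    policies = [p for p in cfg.get("/ip ipsec policy", []) if p.get("tunnel") == "yes"]
    templates = cfg.get("/routing ospf interface-template", [])
    for gre in cfg.get("/interface gre", []):
        name, local, remote = gre["name"], ip_address(gre["local-address"]), ip_address(gre["remote-address"])
        covered = any(local in ip_network(p.get("src-address", "0.0.0.0/0"))
                      and remote in ip_network(p.get("dst-address", "0.0.0.0/0"))
                      for p in policies)
        if not covered:
            findings.append(f"{name}: no tunnel-mode IPsec policy covers {local} -> {remote}")
        tmpl = [t for t in templates if name in t.get("interfaces", "").split(",")]
        ttype = tmpl[0].get("type", "broadcast") if tmpl else None  # RouterOS default type is broadcast
        if ttype is None:
            findings.append(f"{name}: not listed in any OSPF interface-template")
        elif ttype not in ("ptp", "ptp-unnumbered"):
            findings.append(f"{name}: OSPF type {ttype}, expected ptp or ptp-unnumbered")
    return findings
```

Run it against a full `/export` of the CCR to see, for the SRX tunnel interface, whether the IPsec policy and the OSPF template type line up the way they do in the lab config above.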