
Can't have OSPF over IPSEC/GRE

Posted: Sat Apr 13, 2024 6:20 pm
by deejay2
Hi!

I'm trying to set up OSPF between a Juniper SRX 345 and a CCR2116 over IPsec. I managed to get IPsec and GRE working. Each device can ping the other over the GRE interface and the IPsec tunnel endpoints.

The issue I have is that OSPF doesn't detect any neighbour.

# 2024-04-13 11:15:13 by RouterOS 7.14.2
# software id = T3RV-ARTQ
#
# model = CCR2116-12G-4S+
/routing ospf instance
add disabled=no name=ospf-instance-1 out-filter-select="" router-id=172.20.0.113 routing-table=main
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbonev2
/routing ospf interface-template
add area=backbonev2 disabled=no interfaces=bridge1 passive type=ptp
add area=backbonev2 disabled=no interfaces=SRX-MOMO type=ptp
add area=backbonev2 disabled=no interfaces="vlan101 - mgmt,vlan104 - IPTV" passive type=ptp


The bridge1 interface is the single bridge for L2 HW offloading. I used it as my loopback device to avoid having more than one bridge and causing problems with HW offloading.

The SRX has st0.0 and interface gr-0/0/0.1 as interfaces in the area and is already doing routing with other routers properly.
The security policy also allows the OSPF protocol on these interfaces to the SRX.

Re: Can't have OSPF over IPSEC/GRE

Posted: Sat Apr 13, 2024 7:41 pm
by baragoon
Is OSPF allowed by the firewall?
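
For reference, these are the RouterOS firewall filter rules such a setup needs on the CCR when the input chain ends in a drop. This is an added example, not configuration posted by anyone in this thread. It uses the OP's GRE interface name SRX-MOMO; the SRX public address 203.0.113.1 and the CCR WAN interface name ether1 are assumed placeholders.

```routeros
# Added example, not from the original post.
# Assumed: SRX public IP 203.0.113.1, CCR WAN interface ether1,
# GRE interface SRX-MOMO (taken from the OP's OSPF interface-template).
/ip firewall filter
# IKE (UDP 500, 4500 for NAT-T) and ESP from the SRX must reach the router itself,
# otherwise no IPsec SA comes up and nothing below matters.
add chain=input place-before=0 action=accept protocol=udp dst-port=500,4500 \
    src-address=203.0.113.1 in-interface=ether1 comment="IKE from SRX"
add chain=input place-before=0 action=accept protocol=ipsec-esp \
    src-address=203.0.113.1 in-interface=ether1 comment="ESP from SRX"
# GRE is seen by the firewall after IPsec decapsulation; accept only GRE that
# arrived through an IPsec policy, so cleartext GRE from anywhere is still dropped.
add chain=input place-before=0 action=accept protocol=gre ipsec-policy=in,ipsec \
    comment="GRE inside IPsec"
# OSPF hellos (IP protocol 89, sent to 224.0.0.5) arrive on the GRE interface,
# so the accept must match that interface, not the WAN interface.
add chain=input place-before=0 action=accept protocol=ospf in-interface=SRX-MOMO \
    comment="OSPF on GRE tunnel"
# Check: the OSPF rule's packet counter must increase roughly every hello interval.
/ip firewall filter print stats where comment~"OSPF"
```

If the counters on the OSPF rule stay at zero while the GRE ping works, the hellos are not being sent or are leaving with a source the other side rejects, which points at the interface template (network type, area) rather than the filter. A tunnel MTU mismatch between the two ends looks different: the neighbour does show up in `/routing/ospf/neighbor/print` but sticks in ExStart instead of reaching Full.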

Re: Can't have OSPF over IPSEC/GRE

Posted: Sun Apr 14, 2024 11:55 am
by pimmie
Have you tried setting the interface template for the GRE interface to a network type of ptp-unnumbered instead of just ptp? I have no experience with Juniper, but that resolved it for me a couple of times, even though the neighbour did have an IP address and each device could ping the other's GRE tunnel IP.

Re: Can't have OSPF over IPSEC/GRE

Posted: Wed Apr 17, 2024 3:51 am
by deejay2
Thank you for your help, I finally worked around it by using wireguard.

Re: Can't have OSPF over IPSEC/GRE

Posted: Wed Apr 17, 2024 10:50 am
by vingjfg
If you're willing to give it a second shot, here is my lab setup.

Mikrotik: external 10.0.0.2, loopback 10.255.255.1/32, tunnel 10.255.254.1/30
Cisco: external 10.0.1.2, loopback 10.255.255.2/32, tunnel 10.255.254.2/30

Mikrotik configuration (relevant bits)
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
add dh-group=modp1536 enc-algorithm=aes-256,aes-128 name=tunnel_profile nat-traversal=no
/ip ipsec peer
add address=10.0.1.2/32 comment="IPSEC to cisco" local-address=10.0.0.2 name=cisco profile=tunnel_profile
/ip ipsec proposal
add enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=1h name=aesshag5
/ip ipsec identity
add peer=cisco secret=XXXXXXXX
/ip ipsec policy
add dst-address=10.255.255.2/32 peer=cisco proposal=aesshag5 src-address=10.255.255.1/32 tunnel=yes

/interface gre
add allow-fast-path=no comment="GRE to Cisco" local-address=10.255.255.1 mtu=1400 name=Tunnel0 remote-address=\
    10.255.255.2

/routing id
add comment="Router ID" disabled=no id=10.255.255.1 name=main-int

/routing ospf instance
add disabled=no name=ospf1 router-id=main-int
/routing ospf area
add comment="Backbone Area" disabled=no instance=ospf1 name=backbone
/routing ospf interface-template
add area=backbone disabled=no interfaces=Tunnel0 type=ptp
add area=backbone disabled=no interfaces=bridge passive

Cisco configuration (relevant bits)

crypto keyring ipsec_keyring 
  pre-shared-key address 10.0.0.2 key XXXXXXX
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile for_vti
   keyring ipsec_keyring
   self-identity address
   match identity address 10.0.0.2 255.255.255.255 
   local-address 10.0.1.2
!
ip access-list extended ipsec_tun
 permit ip host 10.255.255.2 host 10.255.255.1
!
interface Tunnel0
 ip address 10.255.254.2 255.255.255.252
 ip mtu 1400
 ip ospf 1 area 0
 tunnel source Loopback0
 tunnel destination 10.255.255.1
!
router ospf 1
 router-id 10.255.255.2
 log-adjacency-changes
!

OSPF Status as seen from the Mikrotik
[jeff@router1] > /routing/ospf/neighbor/print
Flags: V - virtual; D - dynamic 
 0  D instance=ospf1 area=backbone address=10.255.254.2 router-id=10.255.255.2 state="Full" state-changes=6 
      adjacency=2d20h46m43s timeout=35s 
OSPF Status as seen from the Cisco
routerB#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.255.1      0   FULL/  -        00:00:39    10.255.254.1    Tunnel0