 
nicolae
just joined
Topic Author
Posts: 16
Joined: Sat Jul 02, 2016 9:22 pm

GRE over IPsec IKEv2 (with dynamic dns)

Tue Nov 08, 2022 1:38 pm

Hello.

I have a lab setup using VirtualBox and I am trying to test this https://help.mikrotik.com/docs/display/ ... 2)usingDNS tutorial because I tried it on a real life setup and it did not work. So far it's not working in the lab either.

This is my lab layout:

VM1 - chr1 ros 7.6 - ether1 bridged to my home lan (192.168.16.0/24) (with dns chr1.nv.lan) (working internet, can ping chr2 via ip or dns)
- ether2 dhcpserver (network 192.168.1.0/24) - virtual switch 1
- ether3 host only adapter

VM2 - chr2 ros 7.6 - ether1 bridged to my home lan (192.168.16.0/24) (with dns chr2.nv.lan) (working internet, can ping chr1 via ip or dns)
- ether2 dhcpserver (network 192.168.2.0/24) - virtual switch 2
- ether3 host only adapter

VM3 - debian1 - ether1 - virtual switch 1 - (dhcpclient with correct network ip - can ping chr1,chr2, working internet)
VM4 - debian2 - ether1 - virtual switch 2 - (dhcpclient with correct network ip - can ping chr2,chr1, working internet)

My goal is exactly what the tutorial helps to achieve: I have two houses, one with a datacenter where I have all my stuff and the other only with a MikroTik router, and I want to be able to access the datacenter resources from my second home's LAN. Both my houses have dynamic IPs from the ISP.

I followed all the steps from the above link, 3 times, both CHR routers started with blank config; I only added NAT masquerade to out-interface-list WAN (no other firewall rules), dhcp-client on ether1, dhcp-server on ether2, interface list LAN with ether2 in it and WAN with ether1 in it.

I can never ping 192.168.99.1 from the client (2nd home) or 192.168.99.2 from the server (1st home with datacenter). The IPsec tunnel is up but the traffic gets routed outside chr1 to my main home lan and obviously the GRE tunnel never gets online.

Did anybody ever have any success with this kind of setup?

Screenshot: https://imgur.com/9sVLf1R
 
Sob
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: GRE over IPsec IKEv2 (with dynamic dns)

Sat Nov 12, 2022 7:33 pm

Traceroute can't work like this, because it's not selecting the right source address. You'd need:
/tool/traceroute src-address=192.168.99.1 address=192.168.99.2
Other than that, it seems overcomplicated. If you just need routing between the two subnets, isn't it simpler to use something more like the first example without GRE?

https://help.mikrotik.com/docs/display/ ... Ev1)tunnel
 
nicolae
just joined
Topic Author
Posts: 16
Joined: Sat Jul 02, 2016 9:22 pm

Re: GRE over IPsec IKEv2 (with dynamic dns)

Sat Nov 12, 2022 10:45 pm

> Traceroute can't work like this, because it's not selecting the right source address. You'd need:
> /tool/traceroute src-address=192.168.99.1 address=192.168.99.2
> Other than that, it seems overcomplicated. If you just need routing between the two subnets, isn't it simpler to use something more like the first example without GRE?
>
> https://help.mikrotik.com/docs/display/ ... Ev1)tunnel
/tool/traceroute src-address=192.168.99.1 address=192.168.99.2
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS       LOSS  SENT  LAST     AVG  BEST  WORST  STD-DEV
1  192.168.16.1  0%      16  47ms     9.8  1     55.8   17.6
2  10.0.0.1      0%      16  2.6ms    5.8  1.6   47.1   10.9
3                100%    16  timeout 
4                100%    15  timeout
5                100%    15  timeout
6                100%    15  timeout
7                100%    15  timeout

Thanks for the reply. As you see, it goes outside the router to my real LAN router and then to my ISP's PPPoE adapter; something is wrong with the tutorial or there is a bug somewhere.
I want to do it this way (with a GRE tunnel) rather than the simple IKEv1 example for many reasons:
  • I want to use IKEv2
  • I have dynamic IPs
  • I will have a WireGuard server running on site 1
  • I always want site 1 to be the main site, always a responder; every other site/location connects to this HQ/base, and all road-warrior connections go via WireGuard
  • I need to keep things more clean and production ready
 
sindy
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: GRE over IPsec IKEv2 (with dynamic dns)

Sat Nov 12, 2022 11:07 pm

Post the actual configurations of both routers. This kind of setup normally works.
 
nicolae
just joined
Topic Author
Posts: 16
Joined: Sat Jul 02, 2016 9:22 pm

Re: GRE over IPsec IKEv2 (with dynamic dns)

Sun Nov 13, 2022 9:50 pm

> Post the actual configurations of both routers. This kind of setup normally works.
Hi, sorry, I forgot to do that.
 
sindy
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: GRE over IPsec IKEv2 (with dynamic dns)

Sun Nov 13, 2022 10:09 pm

You have to prevent the action=masquerade rule from acting on the GRE transport packets by adding an ipsec-policy=out,none match condition to it, and then issuing /ip firewall connection remove [find where protocol=gre] to remove the src-nated connections. The thing is that src-nat is applied on the packets before they get matched to the traffic selectors of the IPsec policies. Since there is only the default route via WAN on both CHRs, the GRE transport traffic does match the out-interface-list=WAN condition. And once it gets src-nated, it doesn't match the traffic selector of the policy any more.
 
nicolae
just joined
Topic Author
Posts: 16
Joined: Sat Jul 02, 2016 9:22 pm

Re: GRE over IPsec IKEv2 (with dynamic dns)

Mon Nov 14, 2022 10:04 am

> You have to prevent the action=masquerade rule from acting on the GRE transport packets by adding an ipsec-policy=out,none match condition to it, and then issuing /ip firewall connection remove [find where protocol=gre] to remove the src-nated connections. The thing is that src-nat is applied on the packets before they get matched to the traffic selectors of the IPsec policies. Since there is only the default route via WAN on both CHRs, the GRE transport traffic does match the out-interface-list=WAN condition. And once it gets src-nated, it doesn't match the traffic selector of the policy any more.
Thank you for the reply, I will apply the suggestions and come back. And if you are correct, what I think this means is that:
1. The tutorial is buggy or incomplete, making it misleading. (MikroTik should fix it or remove it)
2. The fact that chr1 cannot ping chr2 via the IPsec IPs (192.168.99.1/192.168.99.2) is not an issue
Am I wrong?
 
sindy
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: GRE over IPsec IKEv2 (with dynamic dns)  [SOLVED]

Mon Nov 14, 2022 3:36 pm

> 1. The tutorial is buggy or incomplete, making it misleading. (MikroTik should fix it or remove it)
If you took two cleanly installed CHRs and followed the tutorial exactly, you would not add any src-nat or masquerade rule and it would work, so in this sense, the tutorial is complete. It is possible to add other items to the configuration that also break the setup outlined in the tutorial, and it is not possible to anticipate all of them in the tutorial.

In real life, if you add a decent set of firewall rules, you may run into an issue with GRE that was there in RouterOS 6 since 6.45.something, where you had to exclude GRE from the "drop invalid" rule, as the connection-state attribute of GRE packets not matching existing connections was set to invalid rather than new. Also there used to be an issue with GRE keepalive in RouterOS 7 - not sure whether it has already been fixed. So you had to disable keepalive in order for the tunnel interfaces to be up and the tunnel to be usable.

> 2. The fact that chr1 cannot ping chr2 via the IPSec IPs (192.168.99.1/192.168.99.2) is not an issue
The fact that you cannot ping from 192.168.99.1 to 192.168.99.2 or vice versa is caused by the src-nat rule as well. Once you modify that rule, the pings between 192.168.99.1 and 192.168.99.2 will start passing too.
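The fix sindy gives in the two posts above (the ipsec-policy match on the masquerade rule, flushing the already src-nated GRE connections, and exempting GRE from a "drop invalid" rule), collected into one RouterOS CLI sequence as an added example; it is not from the thread or from MikroTik's documentation. It assumes the single masquerade rule the original poster described (out-interface-list=WAN) and a drop-invalid rule in the forward chain; if your rules differ, the find expressions need adjusting. The verification commands at the end are standard RouterOS CLI and the traceroute is the one Sob suggested.

```routeros
# Added example (not from the thread or MikroTik docs). Assumes the one
# masquerade rule the original poster described and RouterOS 7 CLI syntax.

# The rule as originally configured. It also catches the GRE transport
# packets, because src-nat runs before the IPsec policy selectors are
# consulted, and the rewritten source address then no longer matches
# the policy:
#   /ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN

# Corrected: ipsec-policy=out,none matches only packets that will NOT be
# handled by an outbound IPsec policy, so tunnel traffic keeps its source.
/ip firewall nat set [find chain=srcnat action=masquerade out-interface-list=WAN] ipsec-policy=out,none

# Connections that were already src-nated stay in the tracking table until
# they time out; drop them so the next GRE packet is evaluated afresh.
/ip firewall connection remove [find where protocol=gre]

# If the firewall has a "drop invalid" rule, exempt GRE from it (the
# RouterOS 6.45+ behaviour sindy mentions, where GRE packets without a
# tracked connection were marked invalid instead of new). Assumes the rule
# lives in the forward chain; adjust the find expression otherwise.
/ip firewall filter set [find chain=forward action=drop connection-state=invalid] protocol=!gre

# Verification: the policy should show an established phase 2 SA, the GRE
# connection should keep the real addresses in both directions (no NAT
# applied), and a traceroute sourced from the tunnel address should stay
# inside the tunnel instead of leaving via the WAN.
/ip ipsec policy print
/ip firewall connection print detail where protocol=gre
/tool/traceroute src-address=192.168.99.1 address=192.168.99.2
```

The ipsec-policy matcher is the safer alternative to excluding the peer's address from the masquerade rule by hand, because the peers here have dynamic addresses: the match follows whatever the current IPsec policy selects, so a DNS-driven address change does not re-open the NAT hole.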
 
nicolae
just joined
Topic Author
Posts: 16
Joined: Sat Jul 02, 2016 9:22 pm

Re: GRE over IPsec IKEv2 (with dynamic dns)

Tue Nov 15, 2022 12:06 am

> If you took two cleanly installed CHRs and followed the tutorial exactly, you would not add any src-nat or masquerade rule and it would work, so in this sense, the tutorial is complete. It is possible to add other items to the configuration that also break the setup outlined in the tutorial, and it is not possible to anticipate all of them in the tutorial.
>
> In real life, if you add a decent set of firewall rules, you may run into an issue with GRE that was there in RouterOS 6 since 6.45.something, where you had to exclude GRE from the "drop invalid" rule, as the connection-state attribute of GRE packets not matching existing connections was set to invalid rather than new. Also there used to be an issue with GRE keepalive in RouterOS 7 - not sure whether it has already been fixed. So you had to disable keepalive in order for the tunnel interfaces to be up and the tunnel to be usable.
I can see your point about the tutorial not being broken, but in practice most people will have a couple of firewall rules; most tutorials on the MikroTik wiki give you some heads-up about conflicting configurations and/or prerequisites, and I guess this one does not.

> The fact that you cannot ping from 192.168.99.1 to 192.168.99.2 or vice versa is caused by the src-nat rule as well. Once you modify that rule, the pings between 192.168.99.1 and 192.168.99.2 will start passing too.
So the IPsec tunnel was fixed by your suggestion, and the following pings now work:

I can ping 192.168.99.1 from 192.168.99.2 and vice versa.

I can ping 192.168.1.1 from 192.168.2.1 and vice versa.

I can ping 192.168.1.1 from 192.168.2.254 (debian-2) & I can ping 192.168.2.1 from 192.168.1.253 (debian-1).

I can ping 192.168.2.254 (debian-2) from 192.168.1.253 (debian-1) and vice versa.

I can't ping 172.16.1.1 from 172.16.1.2 or vice versa, but I think this is normal, and of course I can't ping 192.168.99.1 from any IP on the 192.168.2.0 network or 192.168.99.2 from any IP on the 192.168.1.0 network.

I guess I can go try it out on some real world routers.

Thank you!
