Site to site GRE over IPSec


#1

Hi,

I am trying to establish GRE/IPsec site-to-site connectivity between an AWS cloud-based VyOS router and one of my on-premise Mikrotik CCR routers. I am having much difficulty getting phase 2 up and I was hoping someone has perhaps dealt with a similar problem before. The error seems to be very common but none of the fixes I have tried (e.g. setting authentication ID) have fixed the issue.

Config:
set vpn ipsec esp-group GRE compression 'disable'
set vpn ipsec esp-group GRE lifetime '3600'
set vpn ipsec esp-group GRE mode 'transport'
set vpn ipsec esp-group GRE pfs 'enable'
set vpn ipsec esp-group GRE proposal 1 encryption 'aes128'
set vpn ipsec esp-group GRE proposal 1 hash 'sha1'

set vpn ipsec ike-group GRE dead-peer-detection action 'restart'
set vpn ipsec ike-group GRE dead-peer-detection interval '15'
set vpn ipsec ike-group GRE dead-peer-detection timeout '30'
set vpn ipsec ike-group GRE ikev2-reauth 'no'
set vpn ipsec ike-group GRE key-exchange 'ikev1'
set vpn ipsec ike-group GRE lifetime '28800'
set vpn ipsec ike-group GRE proposal 1 dh-group '2'
set vpn ipsec ike-group GRE proposal 1 encryption 'aes128'
set vpn ipsec ike-group GRE proposal 1 hash 'sha1'

set interfaces tunnel tun1 address '169.254.1.1/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '10.0.1.1'
set interfaces tunnel tun1 remote-ip '180.0.0.1'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 180.0.0.1 authentication id '190.0.0.1'
set vpn ipsec site-to-site peer 180.0.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 180.0.0.1 authentication pre-shared-secret 'secret-here'
set vpn ipsec site-to-site peer 180.0.0.1 authentication remote-id '180.0.0.1'
set vpn ipsec site-to-site peer 180.0.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 180.0.0.1 default-esp-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 ike-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 local-address '10.0.1.1'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 protocol 'gre'

Error:
cannot respond to IPsec SA request because no connection is known for 180.0.0.1/32===10.0.1.1[180.0.0.1]:47/0...190.0.0.1[190.0.0.1]:47/0


#2

You have the link local networks on both sides. Try different networks on both sides. Also gre is overhead, ipsec alone should do what you want.


#3

Fixed. Thanks for the help. ESP mode also changed to tunnel. Config below if it will assist anyone in the future:

set interfaces dummy dum1 address '169.254.200.10/32'

set interfaces tunnel tun1 address '169.254.100.98/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '169.254.200.10'
set interfaces tunnel tun1 remote-ip '169.254.200.9'

set vpn ipsec site-to-site peer 180.0.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 180.0.0.1 authentication pre-shared-secret 'secret-here'
set vpn ipsec site-to-site peer 180.0.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 180.0.0.1 default-esp-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 ike-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 local-address '10.0.1.1'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 local prefix '169.254.200.10/32'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 remote prefix '169.254.200.9/32'
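The phase-2 failure in post #1 and the fix in post #3 come down to whether the IPsec selectors agree with the GRE endpoints. The following checker is an added example written for this thread (not VyOS code and not the poster's): it folds VyOS `set` lines into a tree and, for every GRE tunnel interface, looks for a protocol-gre IPsec selector that actually covers it. In transport mode it insists that the GRE endpoints be the IKE endpoints and flags an RFC 1918 local-address, since a NATed endpoint (the AWS instance's 10.0.1.1 behind 190.0.0.1) makes the remote propose selectors the local side has no connection for; in tunnel mode it requires local/remote prefixes that contain the GRE endpoints. The two embedded configs are trimmed from posts #1 and #3 with straight quotes; the `esp-group GRE mode 'tunnel'` line in the fixed config is reconstructed from the statement that ESP mode was changed to tunnel and is assumed, not copied.

```python
"""Checks a VyOS GRE-over-IPsec configuration for the phase-2 selector mismatches
behind "no connection is known for ...". Added example for this thread, not VyOS
code; the 'set' syntax is the one shown in the posts."""
import ipaddress
import shlex

# RFC 1918 ranges: a transport-mode IKE endpoint in one of these is probably NATed
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_set_lines(text):
    """Fold 'set a b c value' lines into a nested dict (the last token is the value)."""
    tree = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line)[1:]          # shlex strips the quotes around values
        node = tree
        for key in tokens[:-2]:
            node = node.setdefault(key, {})
        node[tokens[-2]] = tokens[-1]
    return tree


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def covers(prefix, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def check_gre_over_ipsec(config_text):
    """Return a list of findings; empty means every GRE tunnel interface is matched
    by a consistent protocol-gre IPsec selector."""
    cfg = parse_set_lines(config_text)
    ipsec = cfg.get("vpn", {}).get("ipsec", {})
    esp_groups = ipsec.get("esp-group", {})
    peers = ipsec.get("site-to-site", {}).get("peer", {})
    findings = []

    for name, tun in cfg.get("interfaces", {}).get("tunnel", {}).items():
        if tun.get("encapsulation") != "gre":
            continue
        gre_ends = (tun.get("local-ip"), tun.get("remote-ip"))
        before, protected = len(findings), False
        for peer_addr, peer in peers.items():
            # VyOS defaults an esp-group to tunnel mode when 'mode' is not set
            esp_mode = esp_groups.get(peer.get("default-esp-group", ""), {}).get("mode", "tunnel")
            ike_local = peer.get("local-address")
            for tnum, sel in peer.get("tunnel", {}).items():
                if sel.get("protocol") != "gre":
                    continue
                where = f"peer {peer_addr} tunnel {tnum}"
                if esp_mode == "transport":
                    # Transport mode only protects traffic between the IKE endpoints
                    # themselves, so the GRE endpoints must be exactly those addresses.
                    if gre_ends != (ike_local, peer_addr):
                        findings.append(f"{where}: transport mode but GRE endpoints {gre_ends} "
                                        f"differ from IKE endpoints {(ike_local, peer_addr)}")
                    elif is_rfc1918(ike_local) and not is_rfc1918(peer_addr):
                        # The case in this thread: the private AWS address is NATed, so the
                        # remote proposes the public address as selector and nothing matches.
                        findings.append(f"{where}: transport mode with private local-address "
                                        f"{ike_local}; behind NAT the remote proposes the public "
                                        f"address as selector; use tunnel mode with /32 prefixes "
                                        f"for the GRE endpoints")
                    else:
                        protected = True
                    continue
                lp = sel.get("local", {}).get("prefix")
                rp = sel.get("remote", {}).get("prefix")
                if lp and rp and covers(lp, gre_ends[0]) and covers(rp, gre_ends[1]):
                    protected = True
                else:
                    findings.append(f"{where}: selectors {lp} -> {rp} do not cover GRE "
                                    f"endpoints {gre_ends[0]} -> {gre_ends[1]}")
        if not protected and len(findings) == before:
            findings.append(f"{name}: GRE {gre_ends[0]} -> {gre_ends[1]} is not covered by "
                            f"any protocol-gre IPsec selector")
    return findings


# Trimmed from post #1 (the failing configuration)
BROKEN_CONFIG = """
set vpn ipsec esp-group GRE mode 'transport'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '10.0.1.1'
set interfaces tunnel tun1 remote-ip '180.0.0.1'
set vpn ipsec site-to-site peer 180.0.0.1 default-esp-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 local-address '10.0.1.1'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 protocol 'gre'
"""

# Trimmed from post #3; the esp-group mode line is assumed from "ESP mode also changed to tunnel"
FIXED_CONFIG = """
set vpn ipsec esp-group GRE mode 'tunnel'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '169.254.200.10'
set interfaces tunnel tun1 remote-ip '169.254.200.9'
set vpn ipsec site-to-site peer 180.0.0.1 default-esp-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 local-address '10.0.1.1'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 local prefix '169.254.200.10/32'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 remote prefix '169.254.200.9/32'
"""

if __name__ == "__main__":
    for label, cfg_text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_gre_over_ipsec(cfg_text) or "OK")
```

Run against the two configs, the broken one yields a single transport-mode/NAT finding and the fixed one passes cleanly; shrinking the remote prefix so it no longer contains 169.254.200.9 produces a "do not cover" finding instead, which is the same class of mismatch seen from the tunnel-mode side.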


#4

Glad it helped. Happy ipsec’ing :smiley:

