Site to site GRE over IPSec

Hi,

I am trying to establish GRE/IPsec site-to-site connectivity between an AWS cloud-based VyOS router and one of my on-premise MikroTik CCR routers. I am having much difficulty getting phase 2 up and I was hoping someone has perhaps dealt with a similar problem before. The error seems to be very common, but none of the fixes I have tried (e.g. setting the authentication ID) have fixed the issue.

Config:
set vpn ipsec esp-group GRE compression 'disable'
set vpn ipsec esp-group GRE lifetime '3600'
set vpn ipsec esp-group GRE mode 'transport'
set vpn ipsec esp-group GRE pfs 'enable'
set vpn ipsec esp-group GRE proposal 1 encryption 'aes128'
set vpn ipsec esp-group GRE proposal 1 hash 'sha1'

set vpn ipsec ike-group GRE dead-peer-detection action 'restart'
set vpn ipsec ike-group GRE dead-peer-detection interval '15'
set vpn ipsec ike-group GRE dead-peer-detection timeout '30'
set vpn ipsec ike-group GRE ikev2-reauth 'no'
set vpn ipsec ike-group GRE key-exchange 'ikev1'
set vpn ipsec ike-group GRE lifetime '28800'
set vpn ipsec ike-group GRE proposal 1 dh-group '2'
set vpn ipsec ike-group GRE proposal 1 encryption 'aes128'
set vpn ipsec ike-group GRE proposal 1 hash 'sha1'

set interfaces tunnel tun1 address '169.254.1.1/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '10.0.1.1'
set interfaces tunnel tun1 remote-ip '180.0.0.1'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 180.0.0.1 authentication id '190.0.0.1'
set vpn ipsec site-to-site peer 180.0.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 180.0.0.1 authentication pre-shared-secret 'secret-here'
set vpn ipsec site-to-site peer 180.0.0.1 authentication remote-id '180.0.0.1'
set vpn ipsec site-to-site peer 180.0.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 180.0.0.1 default-esp-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 ike-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 local-address '10.0.1.1'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 protocol 'gre'

Error:
cannot respond to IPsec SA request because no connection is known for 180.0.0.1/32===10.0.1.1[180.0.0.1]:47/0…190.0.0.1[190.0.0.1]:47/0

You have the link-local networks on both sides. Try different networks on both sides. Also, GRE is overhead; IPsec alone should do what you want.

Fixed. Thanks for the help. ESP mode also changed to tunnel. Config below in case it assists anyone in the future:

set interfaces dummy dum1 address '169.254.200.10/32'

set interfaces tunnel tun1 address '169.254.100.98/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '169.254.200.10'
set interfaces tunnel tun1 remote-ip '169.254.200.9'

set vpn ipsec site-to-site peer 180.0.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 180.0.0.1 authentication pre-shared-secret 'secret-here'
set vpn ipsec site-to-site peer 180.0.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 180.0.0.1 default-esp-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 ike-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 local-address '10.0.1.1'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 local prefix '169.254.200.10/32'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 remote prefix '169.254.200.9/32'
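An added example, not part of any post in this thread and not VyOS's own tooling: a Python checker that parses `set` lines like the two configs above into a tree and reports any GRE tunnel whose endpoints no `protocol gre` selector covers. In transport mode it warns when the local-address is private, on the assumption that such a host sits behind NAT (as an AWS instance with a private address typically does) so the peer's selector refers to a different address; in tunnel mode it checks that the GRE endpoints fall inside the local and remote prefixes. It also splits the "no connection is known" line from the first post into its selector and ID fields. The two sample configs are constructed from the thread's configs (the `mode 'tunnel'` line in the fixed one follows the poster's note that ESP mode was changed to tunnel), and the sample error line is a copy of the one quoted above.

```python
import ipaddress
import re
import shlex

# Constructed from the thread's two configs (not copied from a live box).
BROKEN_CONFIG = """
set vpn ipsec esp-group GRE mode 'transport'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '10.0.1.1'
set interfaces tunnel tun1 remote-ip '180.0.0.1'
set vpn ipsec site-to-site peer 180.0.0.1 default-esp-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 local-address '10.0.1.1'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 protocol 'gre'
"""
FIXED_CONFIG = """
set vpn ipsec esp-group GRE mode 'tunnel'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '169.254.200.10'
set interfaces tunnel tun1 remote-ip '169.254.200.9'
set vpn ipsec site-to-site peer 180.0.0.1 default-esp-group 'GRE'
set vpn ipsec site-to-site peer 180.0.0.1 local-address '10.0.1.1'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 local prefix '169.254.200.10/32'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer 180.0.0.1 tunnel 1 remote prefix '169.254.200.9/32'
"""
SAMPLE_ERROR = ("cannot respond to IPsec SA request because no connection is known for "
                "180.0.0.1/32===10.0.1.1[180.0.0.1]:47/0...190.0.0.1[190.0.0.1]:47/0")

def parse_set_lines(text):
    """Fold `set a b ... leaf 'value'` lines into a nested dict keyed by path words."""
    tree = {}
    for line in text.splitlines():
        words = shlex.split(line)
        if len(words) < 3 or words[0] != "set":
            continue
        node = tree
        for word in words[1:-2]:
            node = node.setdefault(word, {})
        node[words[-2]] = words[-1]
    return tree

def get(tree, *path, default=None):
    for word in path:
        if not isinstance(tree, dict) or word not in tree:
            return default
        tree = tree[word]
    return tree

def check_gre_over_ipsec(config_text):
    """Return findings; an empty list means every GRE tunnel is covered by a gre selector."""
    cfg = parse_set_lines(config_text)
    peers = get(cfg, "vpn", "ipsec", "site-to-site", "peer", default={})
    findings = []
    for name, tun in get(cfg, "interfaces", "tunnel", default={}).items():
        if tun.get("encapsulation") != "gre":
            continue
        local_ip = ipaddress.ip_address(tun["local-ip"])
        remote_ip = ipaddress.ip_address(tun["remote-ip"])
        covered = False
        for peer_addr, peer in peers.items():
            for idx, sel in peer.get("tunnel", {}).items():
                if sel.get("protocol") != "gre":
                    continue
                group = sel.get("esp-group", peer.get("default-esp-group"))
                # VyOS defaults esp-group mode to tunnel when it is not set.
                mode = get(cfg, "vpn", "ipsec", "esp-group", group, "mode", default="tunnel")
                if mode == "transport":
                    # Transport mode protects only packets between the IKE endpoints themselves.
                    if str(local_ip) != peer.get("local-address") or str(remote_ip) != peer_addr:
                        continue
                    covered = True
                    if local_ip.is_private and not ipaddress.ip_address(peer_addr).is_private:
                        findings.append(f"{name}/peer {peer_addr} tunnel {idx}: transport mode from private "
                                        f"local-address {local_ip}; if this host is NATed the peer's "
                                        "selector will not match (use tunnel mode with explicit prefixes)")
                else:
                    local_net, remote_net = get(sel, "local", "prefix"), get(sel, "remote", "prefix")
                    if not local_net or not remote_net:
                        findings.append(f"peer {peer_addr} tunnel {idx}: tunnel mode needs local and remote prefix")
                    elif local_ip in ipaddress.ip_network(local_net) and remote_ip in ipaddress.ip_network(remote_net):
                        covered = True
        if not covered:
            findings.append(f"{name}: GRE {local_ip} -> {remote_ip} matches no IPsec selector; "
                            "without a policy the kernel sends it unprotected")
    return findings

# pluto-style message: <left_net>===<left_host>[<left_id>]:<proto>/<port>...<right_host>[<right_id>]:<proto>/<port>
ERROR_RE = re.compile(r"no connection is known for (?P<left_net>\S+?)===(?P<left_host>[^\[\s]+)"
                      r"\[(?P<left_id>[^\]]*)\]:(?P<proto>\d+)/(?P<port>\d+)(?:\.\.\.|…)"
                      r"(?P<right_host>[^\[\s]+)\[(?P<right_id>[^\]]*)\]:\d+/\d+")

def parse_no_connection(line):
    """Split the 'no connection is known' message into the proposed selector and IDs."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["proto_name"] = "gre" if fields["proto"] == "47" else fields["proto"]
    return fields

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_gre_over_ipsec(text) or "ok")
    print(parse_no_connection(SAMPLE_ERROR))
```

Run as a script it flags the first config and passes the second; the parsed error shows protocol 47 (GRE) between the two hosts with their IKE IDs, which is the selector that was proposed and for which the responder had no matching connection.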

Glad it helped. Happy IPsec'ing :smiley:
