I'm trying to establish a GRE over IPSec tunnel between two MikroTik devices. Everything seems to work yet when I sniff the WAN interface I can clearly see the GRE packets which theoretically I shouldn't be able to see.

I've spent a few days on this and I'm at a loss on what's missing.

1.1.1.1 is the datacenter WAN, while 2.2.2.2 is the home WAN.

Router 1:

/interface gre
add allow-fast-path=no !keepalive local-address=1.1.1.1 name=\
    gre-tunnel-home remote-address=2.2.2.2

/ip ipsec peer
add address=2.2.2.2/32 dh-group=modp8192 enc-algorithm=blowfish \
    hash-algorithm=sha512 lifetime=30m local-address=1.1.1.1 \
    nat-traversal=no proposal-check=strict secret=secretcode

/ip ipsec policy
add dst-address=2.2.2.2/32 proposal=proposal1 sa-dst-address=2.2.2.2 \
    sa-src-address=1.1.1.1 src-address=1.1.1.1/32 tunnel=yes

Router 2:

/interface gre
add allow-fast-path=no !keepalive local-address=2.2.2.2 name=\
    gre-tunnel-datacenter remote-address=1.1.1.1

/ip ipsec peer
add address=1.1.1.1/32 dh-group=modp8192 enc-algorithm=blowfish \
    hash-algorithm=sha512 lifetime=30m local-address=2.2.2.2 \
    nat-traversal=no proposal-check=strict secret=secretcode

/ip ipsec policy
add dst-address=1.1.1.1/32 proposal=proposal1 sa-dst-address=\
    1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32 \
    tunnel=yes
john.mill

1 Answer

Don't use tunnel mode in your IPSec Policy.

That's what causes Torch to show the GRE packets.

Since you are encrypting the whole GRE connection, it will be just as secure by not using tunnel mode. Packets going through the tunnel will be encrypted anyway so no one will be able to see who is communicating with whom inside the tunnel.

To a 3rd party sniffing the traffic it will be pretty much the same regardless of tunnel mode (i.e. 1.1.1.1 communicates with 2.2.2.2 over protocol 50-ipsec - there's no benefit in trying to hide this information with tunnel mode).

Also you will have less packet overhead.

From Mikrotik Wiki:

Tunnel mode

In tunnel mode original IP packet is encapsulated within a new IP packet thus securing IP payload and IP header.

Cha0s
  • Perfect thanks just wanted confirmation as all the tutorials online had the tunnel parameter set to yes. – john.mill Aug 30 '16 at 12:49
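The two claims in the answer (a third party sees the same 1.1.1.1 <-> 2.2.2.2 protocol-50 flow in either mode, and transport mode carries less overhead) can be checked with a small model. The following is an added example, not code from the question, the answer or MikroTik; it assumes ESP with Blowfish-CBC (8-byte block and IV), an HMAC-SHA-512 ICV truncated to 32 bytes as in RFC 4868, IPv4 headers without options and a 4-byte GRE header without checksum or key. The sample capture is constructed; the `find_unprotected_gre` check is the kind of audit you would run over a real WAN capture to confirm no GRE leaves the router in the clear.

```python
"""Model of GRE over IPsec (ESP) in transport vs tunnel mode.

Added example, not part of the original thread. Header sizes are assumptions:
ESP with Blowfish-CBC (8-byte block, 8-byte IV), HMAC-SHA-512 ICV truncated
to 32 bytes, IPv4 without options, GRE without checksum/key fields.
"""
from typing import Iterable, List, Tuple

IPV4_HDR = 20      # IPv4 header, no options
GRE_HDR = 4        # flags/version + protocol type
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 8         # Blowfish-CBC IV (assumed cipher from the thread)
ESP_BLOCK = 8      # Blowfish block size; plaintext is padded to a multiple of it
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 32       # HMAC-SHA-512 truncated to 256 bits (assumed)
PROTO_GRE = 47
PROTO_ESP = 50

Packet = Tuple[str, str, int, int]  # (src, dst, ip protocol, total length)


def pad_to_block(n: int, block: int = ESP_BLOCK) -> int:
    """Round n up to a multiple of the cipher block size (ESP padding)."""
    return (n + block - 1) // block * block


def gre_wire_len(inner_len: int) -> int:
    """Length of the GRE packet the tunnel interface emits for an inner packet."""
    return IPV4_HDR + GRE_HDR + inner_len


def esp_wire_len(gre_pkt_len: int, mode: str) -> int:
    """On-wire length once ESP protects a GRE packet of gre_pkt_len bytes.

    transport: the original IP header is kept; everything after it is protected.
    tunnel:    the whole original packet is protected and a new outer IP header
               is prepended (the extra header is the cost the answer refers to).
    """
    if mode == "transport":
        protected = gre_pkt_len - IPV4_HDR
    elif mode == "tunnel":
        protected = gre_pkt_len
    else:
        raise ValueError(f"unknown IPsec mode: {mode}")
    encrypted = pad_to_block(protected + ESP_TRAILER)
    return IPV4_HDR + ESP_HDR + ESP_IV + encrypted + ESP_ICV


def overhead(inner_len: int, mode: str) -> int:
    """Bytes added on the wire relative to the bare GRE packet."""
    gre_len = gre_wire_len(inner_len)
    return esp_wire_len(gre_len, mode) - gre_len


def what_third_party_sees(src: str, dst: str, inner_len: int, mode: str) -> Packet:
    """The outer 5-tuple-ish view a sniffer on the WAN gets in either mode."""
    return (src, dst, PROTO_ESP, esp_wire_len(gre_wire_len(inner_len), mode))


def find_unprotected_gre(capture: Iterable[Packet], peers: Tuple[str, str]) -> List[Packet]:
    """Flag GRE (protocol 47) seen in the clear between the two IPsec peers.

    On a correctly working setup only protocol 50 should appear between them.
    """
    a, b = peers
    return [p for p in capture if p[2] == PROTO_GRE and {p[0], p[1]} == {a, b}]


# Constructed sample capture using the addresses from the question.
SAMPLE_CAPTURE: List[Packet] = [
    ("1.1.1.1", "2.2.2.2", PROTO_ESP, 1076),  # GRE inside ESP: what we want to see
    ("2.2.2.2", "1.1.1.1", PROTO_ESP, 1100),
    ("1.1.1.1", "2.2.2.2", PROTO_GRE, 1024),  # GRE in the clear: the symptom in the question
    ("1.1.1.1", "203.0.113.7", PROTO_GRE, 1024),  # GRE to a non-peer: outside this policy
]


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} overhead for a 1000-byte inner packet: {overhead(1000, mode)} bytes")
        print(f"{mode:9s} sniffer view: {what_third_party_sees('1.1.1.1', '2.2.2.2', 1000, mode)}")
    print("unprotected GRE between peers:",
          find_unprotected_gre(SAMPLE_CAPTURE, ("1.1.1.1", "2.2.2.2")))
```

In both modes the outer view is the same pair of endpoints talking protocol 50, so tunnel mode hides nothing extra here; it only adds the second IPv4 header (20 bytes, plus or minus a block of padding). The audit function is deliberately scoped to the peer pair in the policy, so GRE to other destinations is reported separately rather than mistaken for a leak of this tunnel.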