Mikrotik Routers Site to Site GRE over IPSec VPN Tunnel Configuration | IPSec VPN Setup

Fig: Mikrotik Routers Site to Site GRE over IPSec VPN Tunnel Configuration

 How to configure GRE over IPSce VPN Tunnel, IPSec VPN cannot forward any multicast and broadcast traffic as a result any dynamic routing protocol such as OSPF,RIP or EIGRP cannot forward traffic.GRE Protocol support transport traffic over IPSec VPN Tunnel.Mikrotik IPSec VPN tunnel protect LAN Traffic between two remote sites.
Mikrotik Routers Site to Site GRE over IPSec VPN Tunnel Configuration Video

Mikrotik 1 Router IP Address Configuration:

[admin@MikroTik1] > ip address add address=103.31.178.2/30 interface=ether1
[admin@MikroTik1] > ip address add address=192.168.1.1/24 interface=ether2

[admin@MikroTik1] > interface gre add name= gre-tunnel1 local-address=103.31.178.2 remote-address=180.140.100.2
[admin@MikroTik1] > ip address add address=172.16.1.1/30 interface= gre-tunnel1

[admin@MikroTik1] > ip route add dst-address=0.0.0.0 gateway=103.31.178.1

Mikrotik1 Router IPSec VPN Configuration: 

[admin@MikroTik1] /ip ipsec peer>add address=180.140.100.2/32:500 auth-method=pre-shared-key secret="password"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik1] /ip ipsec policy>add src-address=103.31.178.2/32:any dst-address=180.140.100.2/32:any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=103.31.178.2 sa-dst-address=180.140.100.2 proposal=default
     priority=0
[admin@MikroTik1] /ip ipsec proposal>add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m  pfs-group=modp1024

[admin@MikroTik1] /ip firewall nat>add chain=srcnat action=accept src-address=192.168.1.0/24      dst-address=192.168.2.0/24
[admin@MikroTik1] /ip firewall nat>add chain=srcnat action=masquerade out-interface=ether1

Mikroitk 1 Router OSPF Configuration:

[admin@MikroTik1] /routing ospf> interface add interface=all
[admin@MikroTik1] /routing ospf> network add network=192.168.1.0/24 area=backbone
[admin@MikroTik1] /routing ospf> network add network=172.16.1.0/30  area=backbone

Mikrotik 2 Router IP Address Configuration:

[admin@MikroTik2] > ip address add address=180.140.100.2/30 interface=ether1
[admin@MikroTik2] > ip address add address=192.168.2.1/24 interface=ether2

[admin@MikroTik2] > interface gre add name= gre-tunnel1 local-address=180.140.100.2 remote-address=103.31.178.2
[admin@MikroTik2] > ip address add address=172.16.1.2/30 interface= gre-tunnel1
[admin@MikroTik2] > ip route add dst-address=0.0.0.0 gateway=180.140.100.1

Mikrotik2 Router Site to Site IPSec VPN Configuration: 

[admin@MikroTik2] /ip ipsec peer>add address=103.31.178.2/32:500 auth-method=pre-shared-key secret="password"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik2] /ip ipsec policy>add src-address=180.140.100.2/32:any dst-address=103.31.178.2/32:any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=180.140.100.2 sa-dst-address=103.31.178.2  proposal=default
     priority=0
[admin@MikroTik2] /ip ipsec proposal>add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m   pfs-group=modp1024

[admin@MikroTik2] /ip firewall nat>add chain=srcnat action=accept src-address=192.168.2.0/24      dst-address=192.168.1.0/24
[admin@MikroTik2] /ip firewall nat>add chain=srcnat action=masquerade out-interface=ether1

Mikroitk 2 Router OSPF Configuration:

[admin@MikroTik2] /routing ospf> interface add interface=all
[admin@MikroTik2] /routing ospf> network add network=192.168.2.0/24 area=backbone
[admin@MikroTik2] /routing ospf> network add network=172.16.1.0/30  area=backbone

Mikrotik1 Router Site to Site IPSec VPN Verification: 

[admin@Mikrotik 1] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x6E39274 src-address=103.31.178.2 dst-address=180.140.100.2
      auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="ce7b5d5ef508ad678ffc549e83aff34dc476f864"
      enc-key="50e5a5d86656e5787e9ef113d082a81a8fe3e77043dc3b8b"
      addtime=jan/05/2015 19:31:53 expires-in=29m51s add-lifetime=24m/30m
      current-bytes=720
 1 E  spi=0xB1EA005 src-address=180.140.100.2 dst-address=103.31.178.2
      auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="9f0ee3d8f263275871ae28160a5b0c095e170ee7"
      enc-key="834fd137507113fb33f7835859e79e54af299ed63dd1d815"
      addtime=jan/05/2015 19:31:53 expires-in=29m51s add-lifetime=24m/30m
      current-bytes=812

Mikrotik1 Router OSPF Verification: 

[admin@Mikrotik 1] > routing ospf route print
 # DST-ADDRESS        STATE          COST         GATEWAY         INTERFACE   
 0 172.16.1.0/30      intra-area     10              0.0.0.0         gre-tunnel1 
 1 192.168.1.0/24     intra-area     10             0.0.0.0         ether2      
 2 192.168.2.0/24     intra-area     20             172.16.1.2      gre-tunnel1 
[admin@Mikrotik 1] > routing ospf neighbor print
 0 instance=default router-id=172.16.1.2 address=172.16.1.2
   interface=gre-tunnel1 priority=1 dr-address=0.0.0.0
   backup-dr-address=0.0.0.0 state="Full" state-changes=5 ls-retransmits=0
   ls-requests=0 db-summaries=0 adjacency=55m40s

Mikrotik1 Route Verification: 

admin@Mikrotik 1] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC              GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                                            103.31.178.1               1
 1 ADC  103.31.178.0/30    103.31.178.2          ether1                    0
 2 ADC  172.16.1.0/30      172.16.1.1            gre-tunnel1               0
 3 ADC  192.168.1.0/24     192.168.1.1         ether2                      0
 4 ADo  192.168.2.0/24                                172.16.1.2                110

Mikrotik2 Router Site to Site IPSec VPN Verification: 

[admin@Mikrotik 2] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x475C2D3 src-address=103.31.178.2 dst-address=180.140.100.2
      auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="53ec03c2eaaeb38606997d22cc4d59c5988df555"
      enc-key="aff610cbc12b15acbb22e25de72766525725698a0dac9554"
      addtime=jan/05/2015 19:36:53 expires-in=29m46s add-lifetime=24m/30m
      current-bytes=1224

 1 E  spi=0xF0CB73F src-address=180.140.100.2 dst-address=103.31.178.2
      auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="e653be26a68d5dc74db9e5a67851252e457c1b96"
      enc-key="2c2eea5ba9bd14c5f8313d28c6609c17463431bc4f90597d"
      addtime=jan/05/2015 19:36:53 expires-in=29m46s add-lifetime=24m/30m
      current-bytes=113

Mikrotik2 Router OSPF Verification: 

[admin@Mikrotik 2] > routing ospf route print
 # DST-ADDRESS        STATE          COST          GATEWAY         INTERFACE    
 0 172.16.1.0/30      intra-area      10                0.0.0.0         gre-tunnel1  
 1 192.168.1.0/24     intra-area     20            172.16.1.1      gre-tunnel1  
 2 192.168.2.0/24     intra-area     10               0.0.0.0         ether2       
[admin@Mikrotik 2] > routing ospf neighbor print
 0 instance=default router-id=103.31.178.2 address=172.16.1.1
   interface=gre-tunnel1 priority=1 dr-address=0.0.0.0
   backup-dr-address=0.0.0.0 state="Full" state-changes=4 ls-retransmits=0
   ls-requests=0 db-summaries=0 adjacency=1h13s

Mikrotik2 Route Verification: 

[admin@Mikrotik 2] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS          PREF-SRC               GATEWAY                 DISTANCE
 0 A S  0.0.0.0/0                                                    180.140.100.1               1
 1 ADC  172.16.1.0/30         172.16.1.2                 gre-tunnel1                 0
 2 ADC  180.140.100.0/30   180.140.100.2            ether1                       0
 3 ADo  192.168.1.0/24                                       172.16.1.1                110
 4 ADC  192.168.2.0/24     192.168.2.1               ether2                       0