Fig: Mikrotik Routers Site to Site GRE over IPSec VPN Tunnel Configuration
How to configure a GRE over IPSec VPN tunnel. An IPSec VPN cannot forward multicast or broadcast traffic, so dynamic routing protocols such as OSPF, RIP or EIGRP cannot exchange their hello and update packets across it. GRE encapsulates that traffic in plain unicast IP packets, which can then be transported over the IPSec VPN tunnel, and the Mikrotik IPSec VPN tunnel protects the LAN traffic between the two remote sites.
Mikrotik Routers Site to Site GRE over IPSec VPN Tunnel Configuration Video
Mikrotik 1 Router IP Address Configuration:
[admin@MikroTik1] > ip address add address=103.31.178.2/30 interface=ether1
[admin@MikroTik1] > ip address add address=192.168.1.1/24 interface=ether2
[admin@MikroTik1] > interface gre add name=gre-tunnel1 local-address=103.31.178.2 remote-address=180.140.100.2
[admin@MikroTik1] > ip address add address=172.16.1.1/30 interface=gre-tunnel1
[admin@MikroTik1] > ip route add dst-address=0.0.0.0/0 gateway=103.31.178.1
Mikrotik1 Router IPSec VPN Configuration:
[admin@MikroTik1] /ip ipsec peer> add address=180.140.100.2/32:500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik1] /ip ipsec policy> add src-address=103.31.178.2/32:any dst-address=180.140.100.2/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=103.31.178.2 sa-dst-address=180.140.100.2 proposal=default priority=0
[admin@MikroTik1] /ip ipsec proposal> set default auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@MikroTik1] /ip firewall nat> add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
[admin@MikroTik1] /ip firewall nat> add chain=srcnat action=masquerade out-interface=ether1
Notes: the policy matches all traffic between the two public addresses, which is what carries the GRE packets (IP protocol 47). RouterOS ships with a built-in proposal named default, so it is modified with set rather than added. The accept rule must sit above the masquerade rule, otherwise LAN-to-LAN traffic leaves with the public address as source and never matches the IPSec policy. Replace the "password" placeholder with a long random pre-shared key; 3DES, SHA-1 and modp1024 are the algorithms of the original setup and are deprecated for new deployments.
Mikrotik 1 Router OSPF Configuration:
[admin@MikroTik1] /routing ospf> interface add interface=all
[admin@MikroTik1] /routing ospf> network add network=192.168.1.0/24 area=backbone
[admin@MikroTik1] /routing ospf> network add network=172.16.1.0/30 area=backbone
Mikrotik 2 Router IP Address Configuration:
[admin@MikroTik2] > ip address add address=180.140.100.2/30 interface=ether1
[admin@MikroTik2] > ip address add address=192.168.2.1/24 interface=ether2
[admin@MikroTik2] > interface gre add name=gre-tunnel1 local-address=180.140.100.2 remote-address=103.31.178.2
[admin@MikroTik2] > ip address add address=172.16.1.2/30 interface=gre-tunnel1
[admin@MikroTik2] > ip route add dst-address=0.0.0.0/0 gateway=180.140.100.1
Mikrotik2 Router Site to Site IPSec VPN Configuration (the mirror image of Mikrotik1, with source and destination addresses swapped):
[admin@MikroTik2] /ip ipsec peer> add address=103.31.178.2/32:500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik2] /ip ipsec policy> add src-address=180.140.100.2/32:any dst-address=103.31.178.2/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=180.140.100.2 sa-dst-address=103.31.178.2 proposal=default priority=0
[admin@MikroTik2] /ip ipsec proposal> set default auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@MikroTik2] /ip firewall nat> add chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24
[admin@MikroTik2] /ip firewall nat> add chain=srcnat action=masquerade out-interface=ether1
Mikrotik 2 Router OSPF Configuration:
[admin@MikroTik2] /routing ospf> interface add interface=all
[admin@MikroTik2] /routing ospf> network add network=192.168.2.0/24 area=backbone
[admin@MikroTik2] /routing ospf> network add network=172.16.1.0/30 area=backbone
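The two router configurations above are mirror images of each other, and most broken tunnels come from one side not matching the other (GRE endpoints, the /30 on the tunnel, the policy addresses, or the NAT rule order). The script below is an added example, not code from the original post or from MikroTik: it builds both routers' command lines from one site table in the post's pre-6.44 peer syntax and lints them for the mismatches just listed and for the deprecated algorithms the post uses. The SITES dict, function names and lint rules are this example's own; the stronger algorithm names it suggests (aes-256 for the peer, aes-256-cbc for the proposal, sha256, modp2048) are RouterOS values.

```python
"""Generate the mirrored RouterOS configuration for both sites and lint it.

Added example, not code from the original post. It reproduces the post's
topology (public address on ether1, LAN on ether2, a /30 on gre-tunnel1) and
its pre-6.44 "/ip ipsec peer" syntax. The SITES dict, the function names and
the lint rules are this example's own; the stronger algorithm names it
suggests (aes-256 / aes-256-cbc, sha256, modp2048) are RouterOS values.
"""
import ipaddress

# Algorithms used in the post that a new deployment should replace.
WEAK = {
    "3des": "aes-256 on the peer, aes-256-cbc in the proposal",
    "sha1": "sha256",
    "modp1024": "modp2048",
}

SITES = {  # constructed from the addresses used in the post
    "MikroTik1": {"wan": "103.31.178.2/30", "wan_gw": "103.31.178.1",
                  "lan": "192.168.1.0/24", "lan_ip": "192.168.1.1/24",
                  "gre_ip": "172.16.1.1/30"},
    "MikroTik2": {"wan": "180.140.100.2/30", "wan_gw": "180.140.100.1",
                  "lan": "192.168.2.0/24", "lan_ip": "192.168.2.1/24",
                  "gre_ip": "172.16.1.2/30"},
}


def public_ip(site):
    return str(ipaddress.ip_interface(site["wan"]).ip)


def router_config(local, remote, peer_enc="3des", prop_enc="3des",
                  auth="sha1", dh="modp1024", psk="password"):
    """Return the RouterOS command lines for one router of the pair."""
    me, peer = public_ip(local), public_ip(remote)
    gre_net = ipaddress.ip_interface(local["gre_ip"]).network
    return [
        f"/ip address add address={local['wan']} interface=ether1",
        f"/ip address add address={local['lan_ip']} interface=ether2",
        f"/interface gre add name=gre-tunnel1 local-address={me} remote-address={peer}",
        f"/ip address add address={local['gre_ip']} interface=gre-tunnel1",
        f"/ip route add dst-address=0.0.0.0/0 gateway={local['wan_gw']}",
        f'/ip ipsec peer add address={peer}/32:500 auth-method=pre-shared-key secret="{psk}" '
        f"exchange-mode=main hash-algorithm={auth} enc-algorithm={peer_enc} dh-group={dh} lifetime=1d",
        f"/ip ipsec policy add src-address={me}/32:any dst-address={peer}/32:any protocol=all "
        f"action=encrypt level=require ipsec-protocols=esp tunnel=yes "
        f"sa-src-address={me} sa-dst-address={peer} proposal=default",
        # RouterOS ships a built-in proposal named "default": modify it, do not add another.
        f"/ip ipsec proposal set default auth-algorithms={auth} enc-algorithms={prop_enc} "
        f"lifetime=30m pfs-group={dh}",
        # The accept rule must precede masquerade, otherwise LAN-to-LAN traffic leaves
        # with the WAN address as source and never matches the IPsec policy.
        f"/ip firewall nat add chain=srcnat action=accept src-address={local['lan']} dst-address={remote['lan']}",
        "/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1",
        "/routing ospf interface add interface=all",
        f"/routing ospf network add network={local['lan']} area=backbone",
        f"/routing ospf network add network={gre_net} area=backbone",
    ]


def lint(local, remote, config_lines):
    """Return findings for one router's config; an empty list means it passed."""
    findings = []
    g_local = ipaddress.ip_interface(local["gre_ip"])
    g_remote = ipaddress.ip_interface(remote["gre_ip"])
    if g_local.network != g_remote.network or g_local.ip == g_remote.ip:
        findings.append("GRE tunnel addresses must be the two hosts of one /30")
    if ipaddress.ip_network(local["lan"]).overlaps(ipaddress.ip_network(remote["lan"])):
        findings.append("LAN prefixes overlap; OSPF cannot route between them")
    nat_rules = [l for l in config_lines if l.startswith("/ip firewall nat")]
    if nat_rules and "action=masquerade" in nat_rules[0]:
        findings.append("masquerade rule precedes the LAN-to-LAN accept rule")
    if 'secret="password"' in " ".join(config_lines):
        findings.append("placeholder pre-shared key; use a long random secret")
    for weak, better in WEAK.items():
        if any(f"={weak}" in l for l in config_lines):
            findings.append(f"deprecated algorithm {weak}; use {better}")
    return findings


if __name__ == "__main__":
    pairs = (("MikroTik1", "MikroTik2"), ("MikroTik2", "MikroTik1"))
    for name, peer_name in pairs:
        cfg = router_config(SITES[name], SITES[peer_name])
        print(f"# {name}")
        print("\n".join(cfg))
        for finding in lint(SITES[name], SITES[peer_name], cfg):
            print("# WARNING:", finding)
```

Run as-is it prints the post's configuration for both routers followed by the four warnings (placeholder key, 3DES, SHA-1, modp1024); passing the stronger algorithm names and a real pre-shared key to router_config produces a configuration that lints clean.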
Mikrotik1 Router Site to Site IPSec VPN Verification:
[admin@MikroTik1] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E spi=0x6E39274 src-address=103.31.178.2 dst-address=180.140.100.2
     auth-algorithm=sha1 enc-algorithm=3des
     replay=4 state=mature
     auth-key="ce7b5d5ef508ad678ffc549e83aff34dc476f864"
     enc-key="50e5a5d86656e5787e9ef113d082a81a8fe3e77043dc3b8b"
     addtime=jan/05/2015 19:31:53 expires-in=29m51s add-lifetime=24m/30m
     current-bytes=720
 1 E spi=0xB1EA005 src-address=180.140.100.2 dst-address=103.31.178.2
     auth-algorithm=sha1 enc-algorithm=3des
     replay=4 state=mature
     auth-key="9f0ee3d8f263275871ae28160a5b0c095e170ee7"
     enc-key="834fd137507113fb33f7835859e79e54af299ed63dd1d815"
     addtime=jan/05/2015 19:31:53 expires-in=29m51s add-lifetime=24m/30m
     current-bytes=812
Mikrotik1 Router OSPF Verification:
[admin@MikroTik1] > routing ospf route print
 #   DST-ADDRESS        STATE        COST   GATEWAY        INTERFACE
 0   172.16.1.0/30      intra-area   10     0.0.0.0        gre-tunnel1
 1   192.168.1.0/24     intra-area   10     0.0.0.0        ether2
 2   192.168.2.0/24     intra-area   20     172.16.1.2     gre-tunnel1
[admin@MikroTik1] > routing ospf neighbor print
 0 instance=default router-id=172.16.1.2 address=172.16.1.2 interface=gre-tunnel1 priority=1
   dr-address=0.0.0.0 backup-dr-address=0.0.0.0 state="Full" state-changes=5 ls-retransmits=0
   ls-requests=0 db-summaries=0 adjacency=55m40s
Mikrotik1 Route Verification:
[admin@MikroTik1] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          103.31.178.1              1
 1 ADC  103.31.178.0/30    103.31.178.2    ether1                    0
 2 ADC  172.16.1.0/30      172.16.1.1      gre-tunnel1               0
 3 ADC  192.168.1.0/24     192.168.1.1     ether2                    0
 4 ADo  192.168.2.0/24                     172.16.1.2              110
The remote LAN 192.168.2.0/24 is flagged ADo (active, dynamic, OSPF) with the GRE peer 172.16.1.2 as gateway, so traffic for it enters gre-tunnel1 and the resulting GRE packets between the two public addresses are then encrypted by the IPSec policy.
Mikrotik2 Router Site to Site IPSec VPN Verification:
[admin@MikroTik2] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E spi=0x475C2D3 src-address=103.31.178.2 dst-address=180.140.100.2
     auth-algorithm=sha1 enc-algorithm=3des
     replay=4 state=mature
     auth-key="53ec03c2eaaeb38606997d22cc4d59c5988df555"
     enc-key="aff610cbc12b15acbb22e25de72766525725698a0dac9554"
     addtime=jan/05/2015 19:36:53 expires-in=29m46s add-lifetime=24m/30m
     current-bytes=1224
 1 E spi=0xF0CB73F src-address=180.140.100.2 dst-address=103.31.178.2
     auth-algorithm=sha1 enc-algorithm=3des
     replay=4 state=mature
     auth-key="e653be26a68d5dc74db9e5a67851252e457c1b96"
     enc-key="2c2eea5ba9bd14c5f8313d28c6609c17463431bc4f90597d"
     addtime=jan/05/2015 19:36:53 expires-in=29m46s add-lifetime=24m/30m
     current-bytes=113
Mikrotik2 Router OSPF Verification:
[admin@MikroTik2] > routing ospf route print
 #   DST-ADDRESS        STATE        COST   GATEWAY        INTERFACE
 0   172.16.1.0/30      intra-area   10     0.0.0.0        gre-tunnel1
 1   192.168.1.0/24     intra-area   20     172.16.1.1     gre-tunnel1
 2   192.168.2.0/24     intra-area   10     0.0.0.0        ether2
[admin@MikroTik2] > routing ospf neighbor print
 0 instance=default router-id=103.31.178.2 address=172.16.1.1 interface=gre-tunnel1 priority=1
   dr-address=0.0.0.0 backup-dr-address=0.0.0.0 state="Full" state-changes=4 ls-retransmits=0
   ls-requests=0 db-summaries=0 adjacency=1h13s
Mikrotik2 Route Verification:
[admin@MikroTik2] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          180.140.100.1             1
 1 ADC  172.16.1.0/30      172.16.1.2      gre-tunnel1               0
 2 ADC  180.140.100.0/30   180.140.100.2   ether1                    0
 3 ADo  192.168.1.0/24                     172.16.1.1              110
 4 ADC  192.168.2.0/24     192.168.2.1     ether2                    0
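The verification sections above are read by eye: two ESP SAs in state=mature (one per direction) with current-bytes growing on both, an OSPF neighbour in state Full over gre-tunnel1, and the remote LAN present as an ADo route via the tunnel peer. The script below is an added example, not code from the original post or from MikroTik, that applies the same checks to the installed-sa and route print output so they can be run from a monitoring job. The two sample texts are copied from the Mikrotik1 verification output above with the key material omitted; the parsers, the check functions and their names are this example's own.

```python
"""Check a RouterOS tunnel from its print output: both ESP SAs mature, and the
remote LAN learned by OSPF through the GRE peer.

Added example, not from the original post. The two sample texts are copied
from the MikroTik1 verification output above (key material omitted); the
parsers, the check functions and their names are this example's own.
"""
import re

INSTALLED_SA = """\
Flags: A - AH, E - ESP, P - pfs
 0 E spi=0x6E39274 src-address=103.31.178.2 dst-address=180.140.100.2
     auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
     addtime=jan/05/2015 19:31:53 expires-in=29m51s add-lifetime=24m/30m
     current-bytes=720
 1 E spi=0xB1EA005 src-address=180.140.100.2 dst-address=103.31.178.2
     auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
     addtime=jan/05/2015 19:31:53 expires-in=29m51s add-lifetime=24m/30m
     current-bytes=812
"""

ROUTES = """\
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          103.31.178.1              1
 1 ADC  103.31.178.0/30    103.31.178.2    ether1                    0
 2 ADC  172.16.1.0/30      172.16.1.1      gre-tunnel1               0
 3 ADC  192.168.1.0/24     192.168.1.1     ether2                    0
 4 ADo  192.168.2.0/24                     172.16.1.2              110
"""

KV = re.compile(r"(\S+)=(\S+)")
SA_START = re.compile(r"\s*(\d+)\s+([A-Z]+)\s")


def parse_installed_sa(text):
    """Return {index: {flags, key: value, ...}} for each SA in the print output."""
    sas, current = {}, None
    for line in text.splitlines():
        m = SA_START.match(line)
        if m:
            current = {"flags": m.group(2)}
            sas[int(m.group(1))] = current
        if current is not None:
            current.update(KV.findall(line))  # continuation lines belong to the same SA
    return sas


def parse_routes(text):
    """Return one dict per route; PREF-SRC is blank for static and OSPF routes."""
    routes = []
    for line in text.splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue
        dst_i = next(i for i, tok in enumerate(t) if "/" in tok)
        routes.append({
            "flags": "".join(t[1:dst_i]),          # "A S" is printed with a gap
            "dst": t[dst_i],
            "pref-src": t[dst_i + 1] if len(t) - dst_i == 4 else None,
            "gateway": t[-2],
            "distance": int(t[-1]),
        })
    return routes


def tunnel_healthy(sas, local, remote):
    """True when an outbound and an inbound ESP SA exist and both are mature."""
    by_dir = {(sa.get("src-address"), sa.get("dst-address")): sa
              for sa in sas.values() if "E" in sa["flags"]}
    both = (by_dir.get((local, remote)), by_dir.get((remote, local)))
    return all(sa is not None and sa.get("state") == "mature" for sa in both)


def remote_lan_via_tunnel(routes, remote_lan, tunnel_peer):
    """True when the remote LAN is an active OSPF route via the GRE peer address."""
    return any(r["dst"] == remote_lan and r["gateway"] == tunnel_peer
               and "A" in r["flags"] and "o" in r["flags"] for r in routes)


def weak_algorithms(sas):
    """Algorithms negotiated on the installed SAs that are no longer recommended."""
    weak = {"des", "3des", "md5", "sha1"}
    return sorted({v for sa in sas.values() for k, v in sa.items()
                   if k.endswith("-algorithm") and v in weak})


if __name__ == "__main__":
    sas = parse_installed_sa(INSTALLED_SA)
    routes = parse_routes(ROUTES)
    print("IPsec SAs mature both ways:", tunnel_healthy(sas, "103.31.178.2", "180.140.100.2"))
    print("remote LAN via GRE peer:", remote_lan_via_tunnel(routes, "192.168.2.0/24", "172.16.1.2"))
    print("weak algorithms in use:", weak_algorithms(sas))
```

On the post's output all three checks report as expected: SAs mature in both directions, 192.168.2.0/24 reached via 172.16.1.2, and 3des plus sha1 flagged. For a live router the same functions can be fed the output of the two print commands; comparing current-bytes between two runs confirms that traffic is actually flowing through the tunnel rather than only that the SAs exist.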