Hello
I am trying to get Gre / ipsec tunnel between Juniper srx 5400 and mikrotik ccr1036. Ipsec tunnel and gre tunnel seperately work. But i would like to have gre tunnel and everyting that passes over that tunnel to get ipsec encrypted. I need this because mikrotik nativly dont make interface with ipsec tunnel and therefore i cant use ospf. Sofar i have tryed few different ways to get it working, currently i have gre tunnel up and ipsec connection established over it but i cant ping pc to pc in different subnets. i think its ipsec policy issue. Same setup (gre and ipsec over gre) works just fine with two mikrotiks but i need one end to be juniper.
Juniper:
## Last changed: 2018-06-12 09:14:47 UTC
version 15.1X49-D120.3;
system {
host-name SRX1;
root-authentication {
encrypted-password ""; ## SECRET-DATA
}
services {
ssh;
web-management {
http;
}
}
}
security {
ike {
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy ike-phase1-policy {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$2woZjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
}
gateway gw-chicago {
ike-policy ike-phase1-policy;
address 10.255.7.98;
no-nat-traversal;
local-identity inet 10.255.7.97;
remote-identity inet 10.255.7.98;
external-interface gr-0/0/0;
}
}
ipsec {
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn ike-vpn-chicago {
bind-interface st0.0;
ike {
gateway gw-chicago;
proxy-identity {
local 192.168.3.0/24;
remote 192.168.88.0/24;
service any;
}
ipsec-policy ipsec-phase2-policy;
}
establish-tunnels immediately;
}
}
policies {
from-zone Sise to-zone vpn-chicago {
policy vpn-tr-chi {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn-chicago to-zone Sise {
policy vpn-chi-tr {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Gre to-zone Sise {
policy gre-sise {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Sise to-zone Gre {
policy sise-gre {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
default-policy {
permit-all;
}
}
zones {
security-zone Sise {
address-book {
address V6rk 192.168.3.0/24;
address V6rkGre 10.255.7.96/30;
}
interfaces {
ge-2/1/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
inactive: vrrp;
inactive: ospf;
all;
}
}
}
}
}
security-zone AsoV2line {
interfaces {
xe-2/2/0.0 {
host-inbound-traffic {
system-services {
ping;
ike;
}
}
}
}
}
security-zone vpn-chicago {
address-book {
address V6rk 192.168.88.0/24;
address V6rkGre 10.255.7.96/30;
}
interfaces {
st0.0;
}
}
security-zone Gre {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
gr-0/0/0.0;
}
}
}
}
interfaces {
gr-0/0/0 {
unit 0 {
tunnel {
source 195.90.100.10;
destination 195.90.100.12;
}
family inet {
address 10.255.7.97/30;
}
}
}
ge-2/1/0 {
description Sisev6rk;
unit 0 {
family inet {
address 192.168.3.253/24 {
vrrp-group 1 {
virtual-address 192.168.3.1;
priority 200;
preempt;
accept-data;
}
}
}
}
}
xe-2/2/0 {
description Aso_Uplink;
unit 0 {
family inet {
address 195.90.100.10/29;
}
}
}
fxp0 {
description Management;
unit 0 {
family inet {
address 10.200.200.1/24;
}
}
}
st0 {
unit 0 {
family inet;
}
}
}
routing-options {
static {
route 192.168.88.0/24 next-hop gr-0/0/0.0;
}
}
Mikrotik:
/interface ethernet
set [ find default-name=ether1 ] comment="V\E4lis"
set [ find default-name=ether2 ] comment=Sise
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
set [ find default-name=sfp2 ] disabled=yes
set [ find default-name=sfp3 ] disabled=yes
set [ find default-name=sfp4 ] disabled=yes
/interface gre
add allow-fast-path=no !keepalive local-address=195.90.100.12 name=\
gre-tunnel1 remote-address=195.90.100.10
/interface list
add name=Discovery
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc name=proposal1
/routing ospf area
set [ find default=yes ] disabled=yes
/routing ospf instance
set [ find default=yes ] disabled=yes router-id=172.17.1.1
/ip neighbor discovery-settings
set discover-interface-list=Discovery
/interface list member
add interface=ether2 list=Discovery
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=195.90.100.12/29 interface=ether1 network=195.90.100.8
add address=10.255.7.98/30 interface=gre-tunnel1 network=10.255.7.96
/ip cloud
set update-time=no
/ip ipsec peer
add address=195.90.100.10/32 dh-group=modp1024 disabled=yes dpd-interval=\
disable-dpd enc-algorithm=aes-128 lifetime=30m nat-traversal=no secret=\
juniper
add address=10.255.7.97/32 dh-group=modp1024 dpd-interval=disable-dpd \
enc-algorithm=aes-128 lifetime=30m nat-traversal=no secret=juniper
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=192.168.3.0/24 proposal=proposal1 \
sa-dst-address=195.90.100.10 sa-src-address=195.90.100.12 src-address=\
192.168.88.0/24 tunnel=yes
add dst-address=192.168.3.0/24 proposal=proposal1 sa-dst-address=10.255.7.97 \
sa-src-address=10.255.7.98 src-address=192.168.88.0/24 tunnel=yes
/ip route
add distance=1 dst-address=192.168.3.0/24 gateway=gre-tunnel1
add disabled=yes distance=1 dst-address=192.168.3.0/24 gateway=ether1
/system routerboard settings
set silent-boot=no
Egert