Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
R
R
RazorBlade2017-03-20 11:49:06
Computer networks
RazorBlade, 2017-03-20 11:49:06

Why is a one-way GRE over IPSec connection established between Mikrotik and PaloAlto?

After many experiments, we managed to somehow make friends between the two pieces of iron, by means of a GRE tunnel over IPSec. However, if you look from the side of PaloAlto, then all phases are successful, and traffic goes into the tunnel. But from the Mikrotik side, it is clear that the correct SAs are set only from the paloalto side, and traffic is visible in it, and the reverse SA is empty (correct algorithms but no traffic).
At the same time, if you initiate the raising of the tunnel from the Mikrotik side, then it is clear that SA is one-sided (from Mikrotik towards paloalto) and incorrect (wrong algorithms, empty) and a response SA is not created.
That is, it seems that some packets do not reach the Mikrotik side.
I tried several types of encryption and authentication - the results are the same.

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h
add auth-algorithms=sha1,null enc-algorithms=null lifetime=8h name=Palto
add enc-algorithms=aes-128-cbc lifetime=1h name=PALTO-RT

/ip ipsec peer
add address=M.M.M.90/32 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h local-address=P.P.P.50 \
    secret=****

/ip ipsec policy
add dst-address=172.20.255.5/32 proposal=PALTO-RT sa-dst-address=P.P.P.90 sa-src-address=M.M.M.50 \
    src-address=172.20.255.6/32 tunnel=yes

/interface gre
add !keepalive local-address=172.20.255.6 name=gre-Palto remote-address=172.20.255.5

UPD: I found a jamb in the settings - I incorrectly specified the external IP. Now the SA pair has been established correctly, and traffic is visible in both directions, but it goes into the tunnel and disappears there. I do not see any packets leaving the tunnel from both sides.
UPD2: I noticed a very strange behavior - if you ping the response address of the gre tunnel from the mikrotik, then everything is pinged, but these packets are not visible in the interface graphics. But if you ping with a different source address, then these packets are visible in the transmit field, but there are no replays at all. That is, the gre interface is one-way.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
O
Obsession, 2017-03-21
@Obsession

Try to play with MTU, put at least 1500.

Similar questions
C
clume2019-10-14 03:19:19
How to set up declarative autonization in Java EE? 5Reply
M
Maxim Kyrganov2017-06-26 06:45:08
What program to use to find the moment of frame change in a video file for 48 hours? 2Reply
V
vialka2014-12-25 23:41:24
What is the difference between web design and UI/UX design? 3Reply
V
Vladislav Orlov2014-12-26 12:01:07
Is the C++ website development platform interesting? 9Reply
S
spazmoGnom2021-01-18 23:11:52
How to connect to a device on a local network from the Internet through a server purchased from a provider? 5Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question