Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
R
R
RazorBlade2017-03-20 11:49:06
Computer networks
RazorBlade, 2017-03-20 11:49:06

Why is a one-way GRE over IPSec connection established between Mikrotik and PaloAlto?

After many experiments, we managed to somehow make friends between the two pieces of iron, by means of a GRE tunnel over IPSec. However, if you look from the side of PaloAlto, then all phases are successful, and traffic goes into the tunnel. But from the Mikrotik side, it is clear that the correct SAs are set only from the paloalto side, and traffic is visible in it, and the reverse SA is empty (correct algorithms but no traffic).
At the same time, if you initiate the raising of the tunnel from the Mikrotik side, then it is clear that SA is one-sided (from Mikrotik towards paloalto) and incorrect (wrong algorithms, empty) and a response SA is not created.
That is, it seems that some packets do not reach the Mikrotik side.
I tried several types of encryption and authentication - the results are the same.

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h
add auth-algorithms=sha1,null enc-algorithms=null lifetime=8h name=Palto
add enc-algorithms=aes-128-cbc lifetime=1h name=PALTO-RT

/ip ipsec peer
add address=M.M.M.90/32 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h local-address=P.P.P.50 \
    secret=****

/ip ipsec policy
add dst-address=172.20.255.5/32 proposal=PALTO-RT sa-dst-address=P.P.P.90 sa-src-address=M.M.M.50 \
    src-address=172.20.255.6/32 tunnel=yes

/interface gre
add !keepalive local-address=172.20.255.6 name=gre-Palto remote-address=172.20.255.5

UPD: I found a jamb in the settings - I incorrectly specified the external IP. Now the SA pair has been established correctly, and traffic is visible in both directions, but it goes into the tunnel and disappears there. I do not see any packets leaving the tunnel from both sides.
UPD2: I noticed a very strange behavior - if you ping the response address of the gre tunnel from the mikrotik, then everything is pinged, but these packets are not visible in the interface graphics. But if you ping with a different source address, then these packets are visible in the transmit field, but there are no replays at all. That is, the gre interface is one-way.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
O
Obsession, 2017-03-21
@Obsession

Try to play with MTU, put at least 1500.

Similar questions
V
Vladimir Korotenko2020-11-14 16:28:57
How best to make a multiplication table? 4Reply
A
Aborigen10202019-02-13 10:48:51
How to understand the topic of IPTV and build an IPTV network at home? 0Reply
P
PO6OT2016-09-13 21:51:52
How to watch Internet TV on Samsung Smart TV as easily as cable TV (need easy navigation for parents)? 2Reply
W
wladimirmir642016-09-14 20:15:19
Forwarding a route to the local network? 4Reply
M
Maxim Krasnov2019-02-14 13:39:27
How to solve RRAS (Windows Server 2008 R2) and L2TP Server (Mikrotik) connection problems? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question