GRE over IPsec with VyOS and RouterOS

As part of my network learning process, I switched one of my routers from RouterOS to VyOS.
Although RouterOS is really more convenient and friendlier to use, I think that to really learn how to use network equipment, using command-line-only equipment is a must. I had some experience with Cisco switches before (2960/3750), so setting up VyOS and getting it running isn’t really that hard.

The goal here is to set up a GRE tunnel between my RouterOS and VyOS, and run the tunnel over IPsec. Creating a plain GRE tunnel between VyOS and RouterOS is pretty simple: a few clicks in RouterOS, and the commands below in VyOS, get you up and running.

set interfaces tunnel tun100 address '10.0.0.1/30'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 source-address '198.51.100.2'
set interfaces tunnel tun100 remote '203.0.113.10'

But setting up IPsec between VyOS and RouterOS is rather complicated. You’ll need to configure IPsec and GRE separately in RouterOS, and there are some settings in VyOS that need to be set which not one document I found online mentioned, until now.

Let’s assume the network environment below.

RouterOS:
WAN: 1.1.1.1
Tunnel IP: 10.0.0.1/30

VyOS:
WAN: 2.2.2.2
Tunnel IP: 10.0.0.2/30

For the VyOS part, use the commands below.

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 2.2.2.2
set interfaces tunnel tun0 remote 1.1.1.1
set interfaces tunnel tun0 address 10.0.0.2/30

set vpn ipsec ipsec-interfaces interface <THE_INTERFACE_TO_RUN_IPSEC_ON>

set vpn ipsec esp-group my-esp-group compression disable
set vpn ipsec esp-group my-esp-group lifetime 1800
set vpn ipsec esp-group my-esp-group mode tunnel
set vpn ipsec esp-group my-esp-group pfs enable
set vpn ipsec esp-group my-esp-group proposal 1 encryption aes256
set vpn ipsec esp-group my-esp-group proposal 1 hash sha256

set vpn ipsec ike-group my-ike-group ikev2-reauth no
set vpn ipsec ike-group my-ike-group key-exchange ikev1
set vpn ipsec ike-group my-ike-group lifetime 3600
set vpn ipsec ike-group my-ike-group proposal 1 dh-group 2
set vpn ipsec ike-group my-ike-group proposal 1 encryption aes256
set vpn ipsec ike-group my-ike-group proposal 1 hash sha256

set vpn ipsec site-to-site peer 1.1.1.1 authentication id 10.0.0.2
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret myipsecpresharedsecret
set vpn ipsec site-to-site peer 1.1.1.1 authentication remote-id 10.0.0.1
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group my-esp-group
set vpn ipsec site-to-site peer 1.1.1.1 ike-group my-ike-group
set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix 10.0.0.2/32
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix 10.0.0.1/32
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 protocol all

Those are the commands we need in VyOS: they create the tunnel interface, create the ESP and IKE groups, then configure the site-to-site peer and its authentication. Note the two settings that the other guides miss: the peer’s local and remote IDs are the tunnel endpoint addresses (10.0.0.2 and 10.0.0.1), and tunnel 0 protects exactly those two /32 prefixes with protocol all. The RouterOS identity and policy have to match them.

Now we can move on to RouterOS.
For RouterOS, follow the steps below.

  • IP > IPsec > Proposals
    • New Proposal
      • Name:
      • Auth. Algo.: sha256
      • Enc. Algo.: aes256cbc
      • Lifetime: 00:30:00
      • PFS Group: modp1024
  • IP > IPsec > Profiles
    • New Profile
      • Name:
      • Hash Algo.: sha256
      • PRF Algo.: auto
      • Enc. Algo.: aes256
      • DH Group: modp1024
      • Don’t edit other options
  • IP > IPsec > Peers
    • New Peer
      • Name:
      • Address: 2.2.2.2
      • Local Address: 1.1.1.1
      • Profile:
      • Don’t edit other options
  • IP > IPsec > Identities
    • New Identity
      • Peer:
      • Auth. Method: pre shared key
      • Secret: myipsecpresharedsecret
      • My ID Type: address
      • My ID: 10.0.0.1
      • Remote ID Type: fqdn
      • Remote ID: 10.0.0.2
      • Match By: remote id
      • Don’t edit other options
  • IP > IPsec > Policies
    • New Policy
      • Peer:
      • Tunnel: yes
      • Src. Address: 10.0.0.1
      • Dst. Address: 10.0.0.2
      • Protocol: 255
      • Action
        • Proposal:
      • Don’t edit other options
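The commonest reason PH2 never reaches established is a proposal mismatch between the two boxes. As an added check that is not part of the original post, the script below parses the VyOS ESP/IKE group lines shown above and compares them with the values entered in the RouterOS Proposal and Profile dialogs; the DH-group-to-MODP name table, the "cbc" suffix and the HH:MM:SS conversion are my own normalisation assumptions, and the RouterOS values are written exactly as typed in the dialogs.

```python
"""Cross-check the VyOS ESP/IKE groups against the RouterOS Proposal and Profile dialogs."""
import re
# The algorithm-bearing lines of the VyOS configuration shown above.
VYOS_CONFIG = """
set vpn ipsec esp-group my-esp-group lifetime 1800
set vpn ipsec esp-group my-esp-group pfs enable
set vpn ipsec esp-group my-esp-group proposal 1 encryption aes256
set vpn ipsec esp-group my-esp-group proposal 1 hash sha256
set vpn ipsec ike-group my-ike-group lifetime 3600
set vpn ipsec ike-group my-ike-group proposal 1 dh-group 2
set vpn ipsec ike-group my-ike-group proposal 1 encryption aes256
set vpn ipsec ike-group my-ike-group proposal 1 hash sha256
"""
# Values as typed into the RouterOS Proposal and Profile dialogs above.
ROUTEROS = {
    "proposal": {"auth": "sha256", "enc": "aes256cbc", "lifetime": "00:30:00", "pfs": "modp1024"},
    "profile": {"hash": "sha256", "enc": "aes256", "dh": "modp1024"},
}
# Assumed mapping: VyOS dh-group numbers and the MODP names RouterOS uses for them.
DH_NAMES = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072", "16": "modp4096"}

def parse_vyos(text):
    """Map 'set vpn ipsec <esp-group|ike-group> <name> <key...> <value>' to {kind: {key: value}}."""
    groups = {}
    for m in re.finditer(r"^set vpn ipsec (esp-group|ike-group) \S+ (.+?) (\S+)$", text, re.M):
        groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return groups

def seconds_to_hms(sec):
    """VyOS lifetimes are seconds; RouterOS shows HH:MM:SS (1800 -> 00:30:00)."""
    sec = int(sec)
    return "%02d:%02d:%02d" % (sec // 3600, sec % 3600 // 60, sec % 60)

def check(vyos_text, routeros):
    """Return (field, vyos_value, routeros_value) triples that disagree; an empty list means they match."""
    g = parse_vyos(vyos_text)
    esp, ike = g["esp-group"], g["ike-group"]
    # 'pfs enable' reuses the IKE group's DH group; 'pfs dh-groupN' names one explicitly.
    esp_dh = ike["proposal 1 dh-group"] if esp["pfs"] == "enable" else esp["pfs"].replace("dh-group", "")
    pairs = [
        ("proposal.auth", esp["proposal 1 hash"], routeros["proposal"]["auth"]),
        ("proposal.enc", esp["proposal 1 encryption"] + "cbc", routeros["proposal"]["enc"]),
        ("proposal.lifetime", seconds_to_hms(esp["lifetime"]), routeros["proposal"]["lifetime"]),
        ("proposal.pfs", DH_NAMES.get(esp_dh, "unknown"), routeros["proposal"]["pfs"]),
        ("profile.hash", ike["proposal 1 hash"], routeros["profile"]["hash"]),
        ("profile.enc", ike["proposal 1 encryption"], routeros["profile"]["enc"]),
        ("profile.dh", DH_NAMES.get(ike["proposal 1 dh-group"], "unknown"), routeros["profile"]["dh"]),
    ]
    return [p for p in pairs if p[1] != p[2]]
```

Calling `check(VYOS_CONFIG, ROUTEROS)` returns an empty list for the settings in this post; change one RouterOS field (say PFS Group to modp2048) and the mismatched triple is reported.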

After configuration, check the IPsec status by looking at the Status tab of the policy you just created.
If PH2 State shows established, IPsec is working.

Now you can create a new GRE tunnel in RouterOS and add an address for it under IP > Addresses, like

Address: 10.0.0.1/30, Network: 10.0.0.0, Interface: <GRE_INTERFACE>

You should now have a GRE over IPsec tunnel between VyOS and RouterOS. If not, try enabling ipsec logging in RouterOS; it shows useful information for debugging.