2/2 IPSec over GRE with MikroTik's RouterOS and Linux
This post is the second part of this blog post: https://www.jumping-frog.de/project-details/part-1-ipsec-over-gre-with-mikrotiks-routeros-and-linux.html
It only took me two years to finish the second part ;-)
Installing Libreswan on Linux
I use Libreswan to configure IPSec on Linux.
How you can install Libreswan is described in the first part of this post: https://www.jumping-frog.de/project-details/building-a-l2tp-ipsec-server-with-ospf-routing-capability.html
Configuring IPSec on Linux
Basically, you need two configuration files to set up IPSec:
/etc/ipsec.d/my.secrets to define your pre-shared key:
%any: PSK "this.is.not.secure"
The second file you need is the configuration file (/etc/ipsec.d/gre-psk.conf) for encrypting GRE:
conn GRE-PSK-NAT
    rightsubnet=vhost:%priv
    also=GRE-PSK-noNAT

conn GRE-PSK-noNAT
    authby=secret
    pfs=yes
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=30m
    type=transport
    left=%defaultroute
    leftprotoport=gre
    right=%any
    rightprotoport=gre
Afterwards, you need to run:
ipsec setup
ipsec verify
Configuring IPSec in RouterOS
Configuring IPSec for the GRE tunnel in RouterOS is very easy. Open the GRE interface, untick the checkbox "Allow Fast Path" and enter the pre-shared key in the field "IPSec Secret":
If you've already configured IP addresses on both sides of your GRE tunnel, you're fine.
On the Linux side you can check whether the IPSec connection is established and encryption is actually taking place:
ipsec whack --trafficstatus
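To turn that check into something you can run from a cron job or monitoring script, here is an added example (not part of the original post) that parses the output of "ipsec whack --trafficstatus" and reports, per GRE peer, whether ESP traffic is flowing in both directions. The sample output, the peer addresses and the connection names are constructed; the line layout assumes the "#n: "conn"[i] peer, type=ESP, ..., inBytes=, outBytes=" shape Libreswan prints.

```python
import re

# Constructed sample of "ipsec whack --trafficstatus" output (assumption:
# one line per IPsec SA, instance index and peer address after the conn name).
SAMPLE_STATUS = """\
006 #3: "GRE-PSK-noNAT"[1] 203.0.113.7, type=ESP, add_time=1700000000, inBytes=48212, outBytes=51980, id='203.0.113.7'
006 #5: "GRE-PSK-noNAT"[2] 198.51.100.9, type=ESP, add_time=1700000100, inBytes=0, outBytes=2048, id='198.51.100.9'
"""

LINE_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)"(?:\[\d+\] (?P<peer>[^,]+))?, '
    r'.*?type=(?P<type>\w+).*?inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+)'
)


def parse_trafficstatus(text):
    """Return one dict per IPsec SA found in the whack output."""
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # status lines that are not SA entries are ignored
        sas.append({
            "sa": int(m.group("sa")),
            "conn": m.group("conn"),
            "peer": m.group("peer") or "-",
            "type": m.group("type"),
            "in_bytes": int(m.group("inb")),
            "out_bytes": int(m.group("outb")),
        })
    return sas


def check_peers(sas, expected_peers, conn_prefix="GRE-PSK"):
    """Map each expected peer to 'ok' (ESP bytes in both directions),
    'one-way' (one counter still zero: typically ESP or GRE is being dropped
    on one side) or 'missing' (no ESP SA for that peer at all)."""
    by_peer = {sa["peer"]: sa for sa in sas
               if sa["conn"].startswith(conn_prefix) and sa["type"] == "ESP"}
    verdict = {}
    for peer in expected_peers:
        sa = by_peer.get(peer)
        if sa is None:
            verdict[peer] = "missing"
        elif sa["in_bytes"] > 0 and sa["out_bytes"] > 0:
            verdict[peer] = "ok"
        else:
            verdict[peer] = "one-way"
    return verdict


if __name__ == "__main__":
    # Replace SAMPLE_STATUS with the real command output on a live router.
    for peer, state in check_peers(parse_trafficstatus(SAMPLE_STATUS),
                                   ["203.0.113.7", "198.51.100.9", "192.0.2.44"]).items():
        print(f"{peer}: {state}")
```

A peer reported as "one-way" right after the GRE interface comes up usually just means the other side has not sent anything yet; if it stays that way, the GRE or ESP packets are not making it through in one direction.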