2/2 IPSec over GRE with MikroTik's RouterOS and Linux

Part 1

This post is the second part of a series. The first part is here: https://www.jumping-frog.de/project-details/part-1-ipsec-over-gre-with-mikrotiks-routeros-and-linux.html

It only took me two years to finish the second part ;-)

Installing Libreswan on Linux

I use Libreswan to configure IPSec on Linux.

Installing Libreswan is described in the first part of this post: https://www.jumping-frog.de/project-details/building-a-l2tp-ipsec-server-with-ospf-routing-capability.html

Configuring IPSec on Linux

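Basically, you need two configuration files to set up IPSec:

/etc/ipsec.d/my.secrets to define your pre-shared key (the value below is a placeholder; use a long random key, since %any accepts this key from any peer):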

%any: PSK "this.is.not.secure"

The second file you need is the configuration file (/etc/ipsec.d/gre-psk.conf) for encrypting GRE:

conn GRE-PSK-NAT
        rightsubnet=vhost:%priv
        also=GRE-PSK-noNAT

conn GRE-PSK-noNAT
        authby=secret
        pfs=yes
        auto=add
        keyingtries=3
        rekey=no
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        ikelifetime=8h
        keylife=30m
        type=transport
        left=%defaultroute
        leftprotoport=gre
        right=%any
        rightprotoport=gre

Afterwards, you need to run:

ipsec setup
ipsec verify

Configuring IPSec in RouterOS

Configuring IPSec for the GRE tunnel in RouterOS is very easy. Open the GRE interface, untick the checkbox "Allow Fast Path" and enter the pre-shared key in the field "IPSec Secret".

Finish

If you've already configured IP addresses on both sides of your GRE tunnel, you're fine.

On the Linux side you can check if the IPSec connection is established and encryption takes place:

ipsec whack --trafficstatus
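
The check above can be scripted. The following shell function is an added example, not part of the original post: it reads the output of ipsec whack --trafficstatus on stdin and reports, for every SA whose connection name starts with GRE-PSK, whether the ESP byte counters are non-zero in both directions. The line layout it parses and the sample lines (documentation addresses, the l2tp-psk connection) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipsec whack --trafficstatus` output. Addresses and the
# l2tp-psk connection are made up; the line layout is an assumption.
sample_trafficstatus() {
cat <<'EOF'
006 #4: "GRE-PSK-noNAT"[1] 198.51.100.7, type=ESP, add_time=1700000000, inBytes=8456, outBytes=9120, id='198.51.100.7'
006 #6: "GRE-PSK-noNAT"[2] 203.0.113.9, type=ESP, add_time=1700000300, inBytes=0, outBytes=0, id='203.0.113.9'
006 #8: "l2tp-psk"[3] 192.0.2.44, type=ESP, add_time=1700000600, inBytes=100, outBytes=100, id='192.0.2.44'
EOF
}

# Usage: ipsec whack --trafficstatus | gre_esp_status [conn-name-prefix]
# Prints one line per matching SA. Returns 0 only if at least one matching SA
# exists and every matching SA is ESP with traffic counted in both directions.
gre_esp_status() {
    awk -v prefix="${1:-GRE-PSK}" -v q="'" '
        # Return the value of a key=value token on the current line, or "".
        function field(key,    i, v) {
            for (i = 1; i <= NF; i++)
                if (index($i, key "=") == 1) {
                    v = substr($i, length(key) + 2)
                    sub(/,$/, "", v)
                    return v
                }
            return ""
        }
        {
            # The connection name is the first double-quoted token.
            if (!match($0, /"[^"]+"/)) next
            name = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(name, prefix) != 1) next      # not one of the GRE conns
            seen++
            peer = field("id"); gsub(q, "", peer)
            inb = field("inBytes") + 0; outb = field("outBytes") + 0
            if (field("type") != "ESP")    verdict = "NOT-ESP"
            else if (inb > 0 && outb > 0)  verdict = "ENCRYPTED"
            else                           verdict = "NO-TRAFFIC"
            if (verdict != "ENCRYPTED") bad++
            printf "%s %s in=%d out=%d %s\n", name, peer, inb, outb, verdict
        }
        END { if (seen > 0 && bad == 0) exit 0; exit 1 }
    '
}

# Demo on the constructed sample; on a real host pipe in the ipsec command.
sample_trafficstatus | gre_esp_status || echo "at least one GRE SA is idle or not ESP"
```

An SA that stays at NO-TRAFFIC while you ping across the GRE tunnel means the GRE packets are not passing through ESP for that peer.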
