1/2 IPSec over GRE with MikroTik's RouterOS and Linux

Motivation

I just ordered a jiffybox from domainfactory (link goes to domainfactory) to enhance the jumpnet with a second VPN hub.

After trying to re-create our OpenVPN setup on a linux host, I noticed, that the OpenVPN interfaces do not behave like I expected them to do. Because I was planning to use OSPF over the VPN links and I was unable to get bird (a OSPF daemon) running on the OpenVPN links, I could not use OpenVPN.

Next plan was to create GRE tunnels which worked fine but do not provide encryption and authentication. So, additionally I need IPSec to encrypt and authenticate the traffic.

Let's start with the GRE tunnels:

GRE tunnels on linux

To create a GRE tunnel, we use the ip command:

ip tunnel add gre-tun0 local <LOCAL IP> remote <REMOTE IP>
ip tunnel change gre-tun0 ttl 64
ip set gre-tun0 up

Now, you can assign a IP. As the GRE tunnel is a point to point link, you should assig an /30 net:

ip address add 10.10.0.1/30 dev gre-tun0

That's it on the linux host. Next we'll create a GRE tunnel on the router board.

GRE tunnels in RouterOS

Just navigate to interfaces and create a GRE interface. Then, enter local and remote IP (keep in mind that you need to swap the IP adresses from above: local is remote and vice versa).

Klick on OK, the interface should be up an running.

Configure 10.10.0.2/30 on this GRE interface. Now you should be able to ping to 10.10.0.1 over the GRE tunnel.

Preview

In the next post, I'll explain IPSec, how to set it up on MikroTik and Linux and how to interconnect the systems.

Stay tuned!

Go back