Railroad
asked on
GRE Trunnel with IPsec Encryption Issue
Currently have a MikroTik switch hosting GRE tunnels with IPSec encryption (Site A). We have multiple other sites with other MikroTik's directly connected to the internet setup that are working great.
We have this one site (Site B) where the MikroTik switch is behind a Cisco ASA 5505. However the tunnel is not functioning properly, one side of the GRE tunnel can see the other but not the other way around.
Here's the Cisco ASA Configuration that are relevant, if you need something else let me know.
name 192.168.10.90 MIKROTIK
object-group service MIKROTIK
service-object gre
service-object tcp eq 50
service-object udp eq isakmp
object-group network MIKROTIK_SERVER
network-object 68.70.xxx.xxx 255.255.255.255
access-list outside_access_in extended permit object-group MIKROTIK object-group MIKROTIK_SERVER host 24.39.xxx.xxx
static (inside,outside) 24.39.xxx.xxx MIKROTIK netmask 255.255.255.255
access-group outside_access_in in interface outside
We have this one site (Site B) where the MikroTik switch is behind a Cisco ASA 5505. However the tunnel is not functioning properly, one side of the GRE tunnel can see the other but not the other way around.
Here's the Cisco ASA Configuration that are relevant, if you need something else let me know.
name 192.168.10.90 MIKROTIK
object-group service MIKROTIK
service-object gre
service-object tcp eq 50
service-object udp eq isakmp
object-group network MIKROTIK_SERVER
network-object 68.70.xxx.xxx 255.255.255.255
access-list outside_access_in extended permit object-group MIKROTIK object-group MIKROTIK_SERVER host 24.39.xxx.xxx
static (inside,outside) 24.39.xxx.xxx MIKROTIK netmask 255.255.255.255
access-group outside_access_in in interface outside
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The ASA is required for this site.
Site A can see Site B as a neighbor, but the OSPF it doesn't form a full adjacency and therefor never exchanges routing tables. Site B never sees Site A as a neighbor.
Adding "service-object esp" to the object-group service corrected the issue.
Thanks!
Site A can see Site B as a neighbor, but the OSPF it doesn't form a full adjacency and therefor never exchanges routing tables. Site B never sees Site A as a neighbor.
Adding "service-object esp" to the object-group service corrected the issue.
Thanks!
I don't want to assume, but I am guessing that site B is seeing the other side fine, but nothing is able to see site B?