• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 166
  • Last Modified:

GRE Trunnel with IPsec Encryption Issue

Currently have a MikroTik switch hosting GRE tunnels with IPSec encryption (Site A).  We have multiple other sites with other MikroTik's directly connected to the internet setup that are working great.

We have this one site (Site B) where the MikroTik switch is behind a Cisco ASA 5505.  However the tunnel is not functioning properly, one side of the GRE tunnel can see the other but not the other way around.

Here's the Cisco ASA Configuration that are relevant, if you need something else let me know.

name 192.168.10.90 MIKROTIK

object-group service MIKROTIK
 service-object gre
 service-object tcp eq 50
 service-object udp eq isakmp
object-group network MIKROTIK_SERVER
 network-object 68.70.xxx.xxx 255.255.255.255

access-list outside_access_in extended permit object-group MIKROTIK object-group MIKROTIK_SERVER host 24.39.xxx.xxx

static (inside,outside) 24.39.xxx.xxx MIKROTIK netmask 255.255.255.255

access-group outside_access_in in interface outside
0
Railroad
Asked:
Railroad
1 Solution
 
masnrockCommented:
Is the ASA really necessary if you are talking about the other sites not needing one?

I don't want to assume, but I am guessing that site B is seeing the other side fine, but nothing is able to see site B?
0
 
SIM50Commented:
We have this one site (Site B) where the MikroTik switch is behind a Cisco ASA 5505.  However the tunnel is not functioning properly, one side of the GRE tunnel can see the other but not the other way around.

Not sure what you mean. Does it mean the tunnel doesn't establish or you can't send data?

object-group service MIKROTIK
 service-object gre
service-object tcp eq 50
 service-object udp eq isakmp

It should be "service-object esp".
0
 
RailroadAuthor Commented:
The ASA is required for this site.

Site A can see Site B as a neighbor, but the OSPF it doesn't form a full adjacency and therefor never exchanges routing tables.  Site B never sees Site A as a neighbor.

Adding "service-object esp" to the object-group service corrected the issue.

Thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now