Configuring MikroTik RouterOS GRE Tunnel Over IPSec

In this guide, we’ll walk you through the process of configuring a GRE (Generic Routing Encapsulation) tunnel over IPSec (Internet Protocol Security) on MikroTik RouterOS. GRE tunnels offer a simple yet powerful way to transmit data across untrusted networks. Combining GRE with IPSec adds the encryption layer that keeps that data protected. This is often used in environments where remote connections or extensions are needed, making it an essential skill for network administrators.

Let’s get started by exploring the core components of this setup and then walk through the actual configuration.

What is a GRE Tunnel?

A GRE tunnel encapsulates data packets within another packet to allow the transmission of data between two endpoints. It does not encrypt the data, but it can carry any Layer 3 protocol. GRE is often used in VPN (Virtual Private Network) configurations to establish a direct and reliable communication channel between remote networks.

What is IPSec?

IPSec is a protocol suite used to secure Internet Protocol (IP) communications. It authenticates and encrypts the data to ensure secure transmission across untrusted networks. IPSec can be used to encrypt GRE tunnels, providing confidentiality and integrity for the data being transmitted.

Why Combine GRE Tunnel with IPSec?

Combining GRE tunnels with IPSec enhances the security of the data being transmitted. While GRE tunnels are great for transmitting data, they do not provide encryption. Adding IPSec to the configuration ensures that data is encrypted and protected from eavesdropping, offering an additional layer of security to the tunnel.

Prerequisites

Before we proceed with the configuration, ensure you have the following:

  • Two MikroTik routers (Router A and Router B) configured with public IP addresses.
  • Access to the MikroTik RouterOS web interface or Winbox for configuration.
  • Basic knowledge of networking, especially IP routing and VPNs.

For this guide, let’s assume the following network details:

Router A Configuration:

  • Bridge-LAN Interface IP: 192.168.1.0/24
  • Public IP: 1.1.1.1/32
  • GRE Tunnel Interface IP: 172.16.1.1/30

Router B Configuration:

  • Bridge-LAN Interface IP: 192.168.2.0/24
  • Public IP: 2.2.2.2/32
  • GRE Tunnel Interface IP: 172.16.1.2/30

These settings will be used as the basis for our tunnel setup.

Step 1: Configuring GRE Tunnel on MikroTik RouterOS

1.1. Create GRE Tunnel Interface

First, you need to create a GRE tunnel interface on both Router A and Router B.

On Router A:

  1. Open Winbox or Webfig and log into Router A.
  2. Go to Interfaces > GRE Tunnels.
  3. Click + to add a new GRE tunnel.
  4. Set the Name to gre-tunnel.
  5. In the Local Address, enter 1.1.1.1 (Router A’s public IP).
  6. In the Remote Address, enter 2.2.2.2 (Router B’s public IP).
  7. Set the Tunnel Address to 172.16.1.1/30 (Router A’s GRE tunnel IP).
  8. Click Apply and OK.

On Router B:

  1. Open Winbox or Webfig and log into Router B.
  2. Go to Interfaces > GRE Tunnels.
  3. Click + to add a new GRE tunnel.
  4. Set the Name to gre-tunnel.
  5. In the Local Address, enter 2.2.2.2 (Router B’s public IP).
  6. In the Remote Address, enter 1.1.1.1 (Router A’s public IP).
  7. Set the Tunnel Address to 172.16.1.2/30 (Router B’s GRE tunnel IP).
  8. Click Apply and OK.

At this point, both routers will have their GRE tunnel interfaces configured. The tunnel interface will now allow communication between the two routers using the private 172.16.1.0/30 network.

Step 2: Configuring IPSec for Encryption

Next, we’ll configure IPSec to secure the GRE tunnel.

2.1. Create IPSec Peer

On Router A:

  1. Go to IP > IPSec > Peers.
  2. Click the + to add a new peer.
  3. Set the Address to 2.2.2.2 (Router B’s public IP).
  4. Choose Exchange Mode as IKE2.
  5. Set the Authentication Method to pre-shared key and enter a shared secret (e.g., MikroTik2023).
  6. Click Apply and OK.

On Router B:

  1. Go to IP > IPSec > Peers.
  2. Click the + to add a new peer.
  3. Set the Address to 1.1.1.1 (Router A’s public IP).
  4. Choose Exchange Mode as IKE2.
  5. Set the Authentication Method to pre-shared key and enter the same shared secret (MikroTik2023).
  6. Click Apply and OK.

At this stage, the IPSec peers are configured, but we still need to define the encryption settings and the policy.

2.2. Set IPSec Proposal

On both Router A and Router B:

  1. Go to IP > IPSec > Proposals.
  2. Click + to create a new proposal.
  3. Set the Name to GRE-IPSec-Proposal.
  4. For Encryption Algorithms, choose aes-256 or any preferred encryption method.
  5. Set Hash Algorithms to sha256.
  6. Set the PFS Group to none (unless you need Perfect Forward Secrecy).
  7. Click Apply and OK.

2.3. Create IPSec Policy

On Router A:

  1. Go to IP > IPSec > Policies.
  2. Click + to add a new policy.
  3. Set the Src. Address to 172.16.1.1/30 (Router A’s GRE tunnel IP).
  4. Set the Dst. Address to 172.16.1.2/30 (Router B’s GRE tunnel IP).
  5. Choose the Action as encrypt.
  6. Set the Protocol to gre (since we are securing the GRE tunnel).
  7. Under Proposal, choose the GRE-IPSec-Proposal we created earlier.
  8. Click Apply and OK.

On Router B:

Repeat the same steps as on Router A, but reverse the source and destination IP addresses for the GRE tunnel.

Step 3: Test and Verify the Tunnel

Once the configuration is complete, it’s time to verify the setup and ensure the GRE tunnel over IPSec is functioning correctly.

  1. Ping Test: From Router A, ping the GRE tunnel IP address of Router B (172.16.1.2). Similarly, from Router B, ping Router A’s GRE tunnel IP address (172.16.1.1).
  2. Check IPSec Status: On both routers, go to IP > IPSec > Active Peers. Ensure that the connection shows as established.
  3. Monitor Traffic: You can monitor traffic over the GRE tunnel using the Torch tool on both routers.
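
A ping across 172.16.1.0/30 also succeeds over plain GRE, so it does not by itself show that IPSec is encrypting anything. The following added example (not part of the original guide) classifies raw IPv4 packets captured on the WAN side between 1.1.1.1 and 2.2.2.2: an encrypted tunnel shows IKE and ESP (IP protocol 50) between the peers and no GRE (IP protocol 47). The function names and sample packets are constructed for illustration, and the input is assumed to be IPv4 packets with the link-layer header already stripped.

```python
import ipaddress
import struct

# Public tunnel endpoints from this guide (Router A and Router B).
PEERS = {ipaddress.ip_address("1.1.1.1"), ipaddress.ip_address("2.2.2.2")}

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet captured on the WAN side of either router."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # header length; IP options make it > 20
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    src, dst = ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20])
    if {src, dst} != PEERS:
        return "other"                        # not traffic between the two routers
    proto, payload = packet[9], packet[ihl:]
    if proto == 50:
        return "esp"                          # IPSec ESP: what the wire should carry
    if proto == 47:
        return "cleartext-gre"                # GRE that no IPSec policy picked up
    if proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if 500 in (sport, dport):
            return "ike"
        if 4500 in (sport, dport) and len(data) >= 4:
            # RFC 3948: four zero bytes mark IKE; anything else is UDP-encapsulated ESP.
            return "ike" if data[:4] == b"\x00" * 4 else "esp"
    return "other"

def tunnel_is_encrypted(packets) -> bool:
    """True only if ESP was seen and no GRE crossed between the peers in the clear."""
    kinds = {classify(p) for p in packets}
    return "esp" in kinds and "cleartext-gre" not in kinds

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

# Constructed sample packets, not taken from a real capture.
IKE = ipv4("1.1.1.1", "2.2.2.2", 17, struct.pack("!HHHH", 500, 500, 36, 0) + bytes(28))
ESP = ipv4("2.2.2.2", "1.1.1.1", 50, struct.pack("!II", 0x0A1B2C3D, 1) + bytes(32))
GRE = ipv4("1.1.1.1", "2.2.2.2", 47, struct.pack("!HH", 0, 0x0800) + bytes(28))

if __name__ == "__main__":
    print("IKE + ESP only:", tunnel_is_encrypted([IKE, ESP]))
    print("GRE on the wire:", tunnel_is_encrypted([IKE, ESP, GRE]))
```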

Conclusion

In this article, we’ve walked you through configuring a MikroTik RouterOS GRE tunnel over IPSec. By combining these two technologies, we’ve ensured a secure communication channel between two remote routers. Whether you’re managing remote offices or connecting distant network segments, this setup provides both flexibility and security.

By following the steps outlined, you should now have a secure, encrypted GRE tunnel running over IPSec between Router A and Router B. This configuration not only protects your data but also ensures reliable communication between your networks. As a final point, it’s essential to continuously monitor the tunnel’s performance and security to ensure long-term stability.
