Hi Christopher,

Perhaps add a system/logging rule of ipsec and !packet and see if the additional log tells you anything.

You can also look at the various ip/ipsec tabs, and make sure the entry for your GRE tunnel looks similar/symmetric at both ends.

Regards
Roger

From: Christopher Hawker <chris@thesysadmin.dev>
To: "public@talk.mikrotik.com.au" <public@talk.mikrotik.com.au>
Date sent: Mon, 6 Sep 2021 00:01:35 +0000
Subject: Re: [MT-AU Public] EoIP Tunnel that doesn't want to tunnel
Send reply to: MikroTik Australia Public List <public@talk.mikrotik.com.au>

Hi Roger,

I've established that GRE itself unencrypted works as expected, however with IPSec enabled it does not. Logs also show "phase 1 negotiation failed due to time up", however I've disabled the Input chain drop rules on both routers, just to confirm if it was a firewall issue, which it is not. Something else is going on...

Thanks,
Christopher Hawker

________________________________
From: Public <public-bounces@talk.mikrotik.com.au> on behalf of Roger Plant <rplant@melbpc.org.au>
Sent: Monday, September 6, 2021 9:56 AM
To: public@talk.mikrotik.com.au <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] EoIP Tunnel that doesn't want to tunnel

Hi,

Another possibility: given it has ipsec, you likely also need to allow that in the firewall. And once working, preferably disallow unencrypted protocol GRE coming in, or leaving. (It could be the 2 packets come through unencrypted, before ipsec comes up; you don't want that.)

ie.
  Allow UDP 500 in (from remote IP only?)
  Allow protocol ESP in (from remote IP only?)
  ** Assumes no NAT **
  Maybe allow UDP 4500 in (in case there is some NAT)

Later: (I think these allow the GRE in/out, but only if it has been processed via ipsec)
  Allow protocol GRE in if it has ipsec-policy=in,ipsec
  Allow protocol GRE out if it has ipsec-policy=out,ipsec (probably redundant)

** Ideally **
  Drop protocol GRE out if it doesn't have ipsec-policy=out,ipsec

Regards
Roger

From: Christopher Hawker <chris@thesysadmin.dev>
To: "public@talk.mikrotik.com.au" <public@talk.mikrotik.com.au>
Date sent: Sun, 5 Sep 2021 23:01:08 +0000
Subject: [MT-AU Public] EoIP Tunnel that doesn't want to tunnel
Send reply to: MikroTik Australia Public List <public@talk.mikrotik.com.au>

Hi Everyone,

I, for some reason, have two MT devices (A-side is a CCR1009-8G-1S-1S+ and the Z-side is a CHR) and they don't seem to want to tunnel together. The tunnel comes up, two ICMP packets get through, and the link goes down. There is no firewalling in place (or it has been disabled altogether for testing purposes), however the issue still manifests. The only thing is on the A side the public IP address is received by DHCP, however a reservation has been set by the carrier so the address will not change.

*** A Side ***

  /interface eoip
  add allow-fast-path=no disabled=yes ipsec-secret="fakepass" local-address=192.0.2.10 mac-address=12:34:56:78:90:12 name=tun1 remote-address=203.0.113.10 tunnel-id=1
  /ip address
  add address=172.21.254.2/30 interface=tun1 network=172.21.254.0

*** Z Side ***

  /interface eoip
  add allow-fast-path=no disabled=yes ipsec-secret="fakepass" local-address=203.0.113.10 mac-address=21:09:87:65:43:21 name=tun1 remote-address=192.0.2.10 tunnel-id=1
  /ip address
  add address=203.0.113.10/29 interface=ether1 network=203.0.113.8
  add address=172.21.254.1/30 interface=tun1 network=172.21.254.0

If anyone would be able to point out any issues or have any ideas, it'd be much appreciated!

Thanks,
Christopher Hawker

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

----------------------------
Roger Plant
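The logging rule and the firewall rules Roger sketches in the thread, written out as RouterOS CLI for the A side. This is an added example, not configuration posted by anyone in the thread: the peer addresses 192.0.2.10 and 203.0.113.10 are taken from the posted export, while the assumption of no NAT between the peers, RouterOS v6 syntax, and the placement of the rules relative to the existing filter are assumptions of the example.

```routeros
# Added example (not from the thread): protect an IPsec-secured EoIP/GRE tunnel
# on the A side (local 192.0.2.10, peer 203.0.113.10). Assumes RouterOS v6 and
# no NAT between the peers; mirror on the Z side with the addresses swapped.

# 1. Extra IPsec logging: IKE / phase 1 detail without the per-packet flood.
/system logging
add topics=ipsec,!packet action=memory

/ip firewall filter
# 2. Let IKE and ESP from the peer reach the router. UDP 4500 covers NAT-T
#    in case there is some NAT after all.
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=203.0.113.10 comment="IKE / NAT-T from tunnel peer"
add chain=input action=accept protocol=ipsec-esp \
    src-address=203.0.113.10 comment="ESP from tunnel peer"

# 3. Accept the GRE carrier only when it was decapsulated from IPsec:
#    ipsec-policy=in,ipsec matches packets that arrived inside ESP, so
#    cleartext GRE from the same peer still falls through to the drop rule.
add chain=input action=accept protocol=gre src-address=203.0.113.10 \
    ipsec-policy=in,ipsec comment="GRE only after IPsec decryption"

# 4. Never let the GRE carrier leave in the clear (e.g. the first packets
#    sent before phase 1/2 completes). Log it so the leak attempt is visible.
add chain=output action=drop protocol=gre ipsec-policy=out,none \
    log=yes log-prefix="gre-cleartext" \
    comment="drop GRE not covered by an IPsec policy"
```

The three accept rules must sit above the chain=input drop rule, and the output drop must come before any broad chain=output accept, otherwise the earlier rules win. A "gre-cleartext" entry in the log after the tunnel is up is the signal that the IPsec policy is missing or not matching on one side.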