MikroTik GRE over IPsec Tunnel Setup Guide
Learn how to configure GRE over IPsec on MikroTik router and VPS server. Step-by-step guide for secure GRE tunnel encryption, troubleshooting, MTU optimization, and WireGuard alternatives since IPsec over GRE is unsupported.
How do I configure an IPsec over GRE tunnel between a MikroTik router and a VPS server? I have an existing GRE tunnel working between a MikroTik device and a VPS, but it lacks encryption. When I tried using MikroTik’s ‘IPSec secrets’ option for GRE over IPsec, the tunnel doesn’t establish with the foreign server. Currently, I’m running a separate VPN inside the GRE tunnel, but I’d prefer to have encryption handled directly by the MikroTik through routing rules. What are the configuration steps to implement IPsec encapsulation within GRE (not GRE within IPsec) on MikroTik? If IPsec over GRE isn’t feasible, what alternative VPN solutions supported by MikroTik could provide encrypted tunneling to the same host as the GRE endpoint?
MikroTik routers don’t support IPsec over GRE (encrypting GRE traffic with IPsec encapsulation inside the tunnel), as confirmed in the official documentation—this limitation means your attempts with routing rules or simple secrets won’t work for that setup. Instead, the supported and secure approach is GRE over IPsec (GRE tunnel encrypted within an IPsec ESP envelope), which you can configure directly on the MikroTik side using the ipsec-secret in the GRE interface for quick PSK-based encryption. If your VPS lacks native support for MikroTik’s simplified method, full MikroTik GRE IPsec peer/policy setup or alternatives like WireGuard provide reliable encrypted tunneling to the same endpoint.
Contents
- Why IPsec over GRE Fails on MikroTik
- GRE over IPsec: The Supported Alternative
- Prerequisites for MikroTik GRE IPsec Setup
- Step-by-Step MikroTik Configuration
- VPS Server Side Setup for Compatibility
- Troubleshooting GRE IPsec Tunnel Issues
- MTU and Performance Optimization
- Alternative VPN Solutions on MikroTik
- Sources
- Conclusion
Why IPsec over GRE Fails on MikroTik
You’ve got a working GRE tunnel from your MikroTik to your VPS, but adding encryption directly via IPsec over GRE? That’s a common frustration. The catch: MikroTik RouterOS explicitly doesn’t support encapsulating IPsec inside a GRE tunnel. What you want, IPsec inside GRE, where GRE carries the encrypted IPsec packets, isn’t feasible.
Think about it. GRE is a lightweight carrier protocol for almost anything, including multicast or non-IP traffic. But RouterOS only handles GRE over IPsec: it wraps the entire GRE packet in an ESP envelope first. Your ipsec-secret test failed because that option is designed for exactly that direction, simple encryption of outgoing GRE traffic, not IPsec carried inside GRE. And no amount of routing rules will override this RouterOS limitation.
This isn’t just theory. The official MikroTik IPsec docs spell it out: “MikroTik RouterOS does not support IPsec encapsulation inside a GRE tunnel (IPsec → GRE). The only supported combination is GRE over IPsec.” Running a separate VPN inside GRE works as a workaround, but it’s clunky: double encapsulation eats MTU and CPU.
GRE over IPsec: The Supported Alternative
So, what’s the fix? Switch to GRE over IPsec MikroTik style. Here, GRE packets get bundled into IPsec ESP for encryption and authentication before hitting the wire. It’s secure, supports your existing tunnel endpoints, and MikroTik makes it dead simple with the ipsec-secret option on the GRE interface.
Why does this work well for your VPS setup? Your current GRE interface (local-address=MikroTik-IP, remote-address=VPS-IP) stays mostly the same. Add the secret, turn fast-path off, and you have an encrypted GRE tunnel over IPsec. No need for complex peers/policies unless your VPS demands it. Community configs show it establishes reliably when both ends align.
But your foreign VPS server? Linux boxes like Ubuntu/Debian need strongSwan or Libreswan to match. If it’s not playing nice, we’ll cover full manual IPsec too. Either way, this ditches your inner VPN for native encryption.
Prerequisites for MikroTik GRE IPsec Setup
Before diving in, check these boxes. Public IPs on both ends? Essential: NAT traversal complicates a MikroTik GRE IPsec tunnel. Static routes or dynamic routing (BGP/OSPF over GRE) planned? Good.
- RouterOS v6.48+ (v7 preferred for WireGuard alternatives).
- Firewall rules allowing UDP 500/4500 (IKE), ESP (protocol 50), and GRE (47).
- Matching PSK (your ipsec-secret; keep it strong, 20+ chars).
- VPS with IPsec tools: apt install strongswan or equivalent.
- Existing GRE IPs: say MikroTik local 1.1.1.1, VPS remote 2.2.2.2, tunnel addresses 172.16.0.1/30 and 172.16.0.2/30.
Pings over plain GRE working? Verify first. MTU? Start at 1400, adjust later. And disable fast-path: it breaks IPsec.
Step-by-Step MikroTik Configuration
Ready to build? Log into Winbox or terminal. We’ll use the simple ipsec-secret method first—perfect for VPS if you control both ends.
Basic GRE over IPsec with Secret
/interface gre
add name=gre-vps local-address=1.1.1.1 remote-address=2.2.2.2 \
ipsec-secret="MySuperSecret123!" keepalive=10s,3s allow-fast-path=no
Assign tunnel IP:
/ip address add address=172.16.0.1/30 interface=gre-vps
Routes (the default route is optional, only if you want all traffic through the tunnel; if you add it, keep a more specific route to 2.2.2.2 via your WAN gateway, otherwise the tunnel’s own outer packets get routed back into the tunnel and it never comes up):
/ip route add dst-address=0.0.0.0/0 gateway=172.16.0.2
/ip route add dst-address=VPS-LAN/24 gateway=172.16.0.2
Firewall (add these, adjust chains):
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 place-before=0
add chain=input action=accept protocol=ipsec-esp place-before=1
add chain=forward action=accept connection-state=established,related
Test: /ping 172.16.0.2 count=10. Up? Encrypted traffic flows.
Full IPsec Peer/Policy for Stubborn VPS
If secret fails (VPS mismatch), manual setup from MikroTik wiki and forums:
/ip ipsec profile add name=gre-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal add name=gre-proposal pfs-group=none enc-algorithms=aes-256-cbc auth-algorithms=sha256
/ip ipsec peer add name=vps-peer address=2.2.2.2/32 local-address=1.1.1.1 profile=gre-profile
/ip ipsec identity add peer=vps-peer auth-method=pre-shared-key secret="MySuperSecret123!"
(On RouterOS 6.45 and later the PSK lives in /ip ipsec identity, not on the peer itself.)
/ip ipsec policy add src-address=1.1.1.1/32 dst-address=2.2.2.2/32 tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=gre-proposal
GRE stays plain (no secret), but the policy encrypts all traffic between the two endpoint addresses, GRE included. This matches the ServerFault examples.
VPS Server Side Setup for Compatibility
Your VPS (Linux, most likely) must mirror the MikroTik side. The simple PSK method still needs a Libreswan/strongSwan configuration whose IKE and ESP settings match what the router proposes: the dynamic peer created by ipsec-secret uses the router’s default profile and proposal, so check /ip ipsec profile print and /ip ipsec proposal print and align ike= and esp= with them. The example below matches the manual profile/proposal from the previous section.
Example Ubuntu strongSwan (/etc/ipsec.conf):
conn gre-tunnel
    left=2.2.2.2
    right=1.1.1.1
    # transport mode protects the GRE packets exchanged between the two
    # endpoint addresses themselves, so the selectors are the endpoints,
    # not the 172.16.0.0/30 tunnel addresses; for the manual tunnel=yes
    # policy above use type=tunnel with the same /32 selectors instead
    leftsubnet=2.2.2.2/32
    rightsubnet=1.1.1.1/32
    leftprotoport=gre
    rightprotoport=gre
    type=transport
    authby=secret
    keyexchange=ikev1
    ike=aes256-sha2_256-modp2048
    esp=aes256-sha256
    auto=start
Secrets in /etc/ipsec.secrets: 1.1.1.1 2.2.2.2 : PSK "MySuperSecret123!"
GRE on VPS:
ip tunnel add gre-vps mode gre local 2.2.2.2 remote 1.1.1.1
ip addr add 172.16.0.2/30 dev gre-vps
ip link set gre-vps up
Restart strongSwan with ipsec restart. The systemzone.net guides walk through the same pairing and it comes up cleanly.
Troubleshooting GRE IPsec Tunnel Issues
Tunnel down? Check logs: /log print where topics~"ipsec". No SA? PSK mismatch. Phase 1 fail? DH group wrong (try modp2048).
Common gotchas:
- Fast-path enabled? Kills IPsec: set allow-fast-path=no.
- NAT? Enable nat-traversal=yes in the peer.
- Ping fails? /tool sniffer quick interface=gre-vps. See ESP wrappers?
- High ping? See MTU next.
Forum threads like MikroTik’s GRE ipsec-secret discussion nail it: symmetric secrets, no keepalive mismatches.
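The first two gotchas above (PSK mismatch, phase 1 or phase 2 algorithms that don’t line up) are easy to catch before touching the logs. The script below is an added example, not MikroTik or strongSwan code: it parses the RouterOS profile/proposal/identity lines from this guide and the VPS ike=/esp= strings and reports what one side wants that the other doesn’t offer. The name mapping covers only the algorithms used in this guide (assumption), and the sample lines are constructed.

```python
"""Cross-check the RouterOS IPsec profile/proposal/identity against the
strongSwan conn on the VPS, flagging the mismatches that stop phase 1 or
phase 2 (wrong DH group, cipher, hash, PSK). Added example, not vendor code;
the mapping table is limited to the algorithm names used in this guide."""
import re

# RouterOS spelling -> strongSwan keyword (strongSwan accepts sha2_256 for sha256)
ROS_TO_SWAN = {
    "aes-256": "aes256", "aes-256-cbc": "aes256",
    "aes-128": "aes128", "aes-128-cbc": "aes128",
    "sha256": "sha256", "sha1": "sha1",
    "modp2048": "modp2048", "modp1024": "modp1024",
}

def ros_kv(line):
    """Parse key=value tokens (quoted values allowed) from one RouterOS command line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}

def swan_algs(spec):
    """Split a strongSwan ike=/esp= string into normalised algorithm names."""
    return {t.replace("sha2_256", "sha256") for t in spec.split("-")}

def check_phase1(ros_profile, swan_ike):
    """Return the RouterOS phase-1 settings absent from the strongSwan ike= line."""
    p = ros_kv(ros_profile)
    want = {ROS_TO_SWAN.get(p[k], p[k]) for k in ("enc-algorithm", "hash-algorithm", "dh-group")}
    return sorted(want - swan_algs(swan_ike))

def check_phase2(ros_proposal, swan_esp):
    """Return the RouterOS phase-2 settings absent from the strongSwan esp= line
    (assumes one algorithm per field, as in this guide)."""
    p = ros_kv(ros_proposal)
    want = {ROS_TO_SWAN.get(p[k], p[k]) for k in ("enc-algorithms", "auth-algorithms")}
    if p.get("pfs-group", "none") != "none":   # a PFS group must appear in esp= too
        want.add(ROS_TO_SWAN.get(p["pfs-group"], p["pfs-group"]))
    return sorted(want - swan_algs(swan_esp))

def check_psk(ros_identity, swan_secrets_line):
    """True when the RouterOS identity secret equals the PSK in ipsec.secrets."""
    m = re.search(r'PSK\s+"([^"]*)"', swan_secrets_line)
    return bool(m) and ros_kv(ros_identity).get("secret") == m.group(1)

# Constructed sample: a router profile left on modp1024 versus the VPS conn
ROS_PROFILE = "add name=gre-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024"
SWAN_IKE = "aes256-sha2_256-modp2048"

if __name__ == "__main__":
    print("phase 1 mismatches:", check_phase1(ROS_PROFILE, SWAN_IKE))  # ['modp1024']
```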
MTU and Performance Optimization
GRE IPsec MTU headaches? With a 1500-byte outer MTU, a full-size inner packet plus the GRE overhead (24 bytes, outer IP header included) plus the ESP overhead (roughly 50 bytes) no longer fits, so the outer packets fragment. Set:
MikroTik: /interface gre set gre-vps mtu=1380
VPS: ip link set gre-vps mtu 1380
MSS clamp: /ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
Test with larger pings after the change. Interface31.ru tests confirm 1380 works well.
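As an added worked example (not from this guide or from MikroTik), the script below carries the overhead arithmetic through for the algorithms configured above, and goes a little beyond the text by also covering the tunnel-mode policy and the NAT-T case the troubleshooting section mentions. It shows that 1380 sits comfortably under the computed limit and gives the matching MSS.

```python
"""Budget the inner MTU for GRE carried in ESP and derive the MSS to clamp to.
Added example, not from this guide or from MikroTik. Overhead values are the
standard IPv4/GRE/ESP header sizes; the cipher assumptions (AES-CBC with a
16-byte IV, HMAC-SHA256-128 ICV) match the algorithms configured above."""

IP_HDR = 20      # IPv4 header without options (TCP header is the same size)
GRE_HDR = 4      # GRE header without key/sequence/checksum fields
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header, inside the encrypted block
BLOCK = 16       # AES-CBC block size, which is also the IV length
ICV = 16         # HMAC-SHA256-128 integrity check value
UDP_HDR = 8      # UDP header added by NAT-T encapsulation on port 4500

def gre_over_esp_mtu(outer_mtu=1500, transport=True, nat_t=False):
    """Largest IP packet the GRE interface can carry without fragmenting the
    outer packet. transport=True models the transport-mode policy RouterOS
    creates for ipsec-secret (ESP wrapped around the GRE packet);
    transport=False models the tunnel=yes policy, which adds a second IP
    header inside the ESP payload; nat_t adds the UDP encapsulation header."""
    fixed = IP_HDR + ESP_HDR + BLOCK + ICV + (UDP_HDR if nat_t else 0)
    # everything after the IV is encrypted and must be a whole number of blocks
    encrypted_budget = (outer_mtu - fixed) // BLOCK * BLOCK
    inner_overhead = GRE_HDR + ESP_TRAILER + (0 if transport else IP_HDR)
    return encrypted_budget - inner_overhead

def tcp_mss(tunnel_mtu):
    """MSS that fits the tunnel MTU: inner IPv4 (20) and TCP (20) headers removed."""
    return tunnel_mtu - 2 * IP_HDR

def margin(configured_mtu, outer_mtu=1500, transport=True, nat_t=False):
    """Headroom the configured tunnel MTU leaves under the computed maximum;
    a negative value means the outer packet will fragment."""
    return gre_over_esp_mtu(outer_mtu, transport, nat_t) - configured_mtu

if __name__ == "__main__":
    for mode, nat in ((True, False), (False, False), (True, True)):
        print(f"transport={mode} nat_t={nat}: max inner MTU "
              f"{gre_over_esp_mtu(1500, mode, nat)}, headroom at 1380 = "
              f"{margin(1380, 1500, mode, nat)}")
```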
Alternative VPN Solutions on MikroTik
IPsec/GRE too fiddly? Ditch GRE entirely.
- WireGuard: fastest. /interface wireguard add name=wg-vps; /ip address add ... Native in RouterOS v7. VPS: wg-quick up. Zero config hell.
- IPsec tunnel (no GRE): pure L3 VPN. /ip ipsec policy add tunnel=yes. Multicast? Add EoIP.
- OpenVPN: client on VPS, server on MikroTik. But slower.
- L2TP/IPsec: quick, but MS legacy.
WireGuard wins for VPS—encrypted point-to-point like GRE, minus overhead. Matches your “same host” need.
Sources
- IPsec - RouterOS - MikroTik Documentation — Official guide on GRE over IPsec support and configuration limits: https://help.mikrotik.com/docs/spaces/ROS/pages/11993097/IPsec
- Manual:Interface/Gre - MikroTik Wiki — Detailed GRE interface setup with routing examples: https://wiki.mikrotik.com/wiki/Manual:Interface/Gre
- GRE and IPIP Tunnel Configuration on MikroTik Routers — Practical commands for GRE + IPsec with MTU tips: https://interface31.ru/tech_it/2021/07/nastroyka-tunneley-gre-i-ipip-na-routerah-mikrotik.html
- MikroTik Site to Site GRE Tunnel Configuration with IPsec — Step-by-step site-to-site GRE over IPsec example: https://systemzone.net/mikrotik-site-to-site-gre-tunnel-configuration-with-ipsec/
- MikroTik GRE over IPSec — Community config for manual peer/policy setup: https://serverfault.com/questions/799665/mikrotik-gre-over-ipsec
- GRE tunnel with ipsec secret - MikroTik Forum — Real-world troubleshooting for ipsec-secret failures: https://forum.mikrotik.com/viewtopic.php?t=127487
Conclusion
Bottom line: Skip IPsec over GRE on MikroTik—it’s unsupported—and go GRE over IPsec with ipsec-secret for seamless encryption to your VPS. Match configs on both ends, tweak MTU to 1380, and you’ll ditch that inner VPN for good. If headaches persist, WireGuard offers a lighter, faster alternative without GRE baggage. Test thoroughly, and your tunnel’s secure.