EOIP+IPSEC [siteA CZ siteB FR]

SITe1
HAP AX2


WAN ethernet1
LAN in bridge mode


/interface/eoip/pr detail 
 0  R name="eoip-tunnel-core-router01" mtu=1500 actual-mtu=1500 l2mtu=65535 mac-address=02:72:FD:38:FB:CC arp=enabled arp-timeout=auto 
      loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=<WAN_SITe1> 
      remote-address=<WAN_SITe2> tunnel-id=10 keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="XXXZZXXX" 
      allow-fast-path=no

ipsec:

  • profile
/ip/ipsec/profile/pr
 0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256,aes-192 dh-group=ecp256,modp2048,modp1024 lifetime=1d proposal-check=obey 
     nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
  • policy
/ip/ipsec/policy/print detail 
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1      peer=core-router01 tunnel=no src-address=<WAN_SITe1/32> src-port=any dst-address=<WAN_SITe2/32> dst-port=any protocol=all action=encrypt 
        level=require ipsec-protocols=esp proposal=default priority=0x20000 ph2-count=0 ph2-state=no-phase2
  • identity
 /ip/ipsec/identity/pr    
 0    peer=core-router01 auth-method=pre-shared-key secret="XXXZZXXX" generate-policy=no
  • proposal
  /ip/ipsec/proposal/print      
 0  * name="default" auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-gcm lifetime=30m 
      pfs-group=ecp256

SITe2
rb450gx4

WAN
multiple vlans

 /interface/eoip/pr detail
 0    name="eoip-tunnel-core-router02" mtu=1500 actual-mtu=1500 l2mtu=65535 mac-address=FE:6E:17:26:E5:F3 arp=enabled
      arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m
      local-address=<WAN_SITe2> remote-address=<WAN_SITe1>
      tunnel-id=10 keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="XXXZZXXX" allow-fast-path=no

ipsec:

  • profile
/ip/ipsec/profile/pr
 0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256,aes-192 dh-group=ecp256,modp2048,modp1024 lifetime=1d proposal-check=obey 
     nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
  • policy
/ip/ipsec/policy/print detail 
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1      peer=core-router01 tunnel=no src-address=<WAN_SITe2/32> src-port=any dst-address=<WAN_SITe1/32> dst-port=any protocol=all action=encrypt 
        level=require ipsec-protocols=esp proposal=default priority=0x20000 ph2-count=0 ph2-state=no-phase2
  • identity
 /ip/ipsec/identity/pr    
 0    peer=core-router01 auth-method=pre-shared-key secret="XXXZZXXX" generate-policy=no
  • proposal
 /ip/ipsec/proposal/print      
 0  * name="default" auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-gcm lifetime=30m 
      pfs-group=ecp256

On SITe1 the EoIP interface has IP 172.17.12.2

On SITe2 the EoIP interface has IP 172.17.12.1

Firewall on SITe1

/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input in-interface=ether1 log=yes protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500 in-interface=ether1 log=yes log-prefix=IPSEC protocol=udp
add action=accept chain=input dst-port=1812 log-prefix=radius:: protocol=udp
add action=accept chain=input ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN

So, the tunnel is established and the logs on both routers show no errors!!
BUT

from SITe2 I can't ping the IP address of the EoIP interface on SITe1

Am I missing something?!

Update 1:

According to some videos about setting up EoIP:

site1:

I've deleted the address assigned to interface eop-router01 and added that interface to the bridge

site2:

I've deleted the address assigned to interface eop-router02 and added that interface to the bridge

Now site1 can ping the public IP of site2 and vice versa,
but otherwise no other traffic seems to pass…
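As an added example (not part of the post, and not a RouterOS tool): a small Python checker that parses `print detail` dumps like the ones above and reports the EoIP settings that must match or mirror between the two sites (tunnel-id, ipsec-secret, MTU, keepalive, local/remote addresses), plus any DH group in the IPsec profile that is too weak to keep. The sample dumps are constructed from the post, with its <WAN_SITe1>/<WAN_SITe2> placeholders kept as-is.

```python
import re
from typing import Dict, List

# Constructed sample input: the post's EoIP dumps, trimmed to the fields that matter.
SITE1_DUMP = """\
 0  R name="eoip-tunnel-core-router01" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled
      local-address=<WAN_SITe1> remote-address=<WAN_SITe2> tunnel-id=10 keepalive=10s,10
      clamp-tcp-mss=yes dont-fragment=no ipsec-secret="XXXZZXXX" allow-fast-path=no
"""
SITE2_DUMP = """\
 0    name="eoip-tunnel-core-router02" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled
      local-address=<WAN_SITe2> remote-address=<WAN_SITe1> tunnel-id=10 keepalive=10s,10
      clamp-tcp-mss=yes dont-fragment=no ipsec-secret="XXXZZXXX" allow-fast-path=no
"""
# Profile line from the post, used for the DH-group check below.
PROFILE_DUMP = """\
 0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256,aes-192 dh-group=ecp256,modp2048,modp1024 lifetime=1d
"""

_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_print_detail(dump: str) -> List[Dict[str, str]]:
    """One dict per numbered item; indented continuation lines belong to the item above."""
    items: List[Dict[str, str]] = []
    for line in dump.splitlines():
        if re.match(r"\s*\d+\s", line):      # " 0  R name=..." starts a new item
            items.append({})
        if items:
            for key, val in _KV.findall(line):
                items[-1][key] = val.strip('"')
    return items

def check_eoip_peers(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Mismatches that keep two EoIP endpoints from forming a single tunnel."""
    problems = []
    for key in ("tunnel-id", "ipsec-secret", "mtu", "keepalive"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    if a.get("local-address") != b.get("remote-address"):
        problems.append("A local-address != B remote-address")
    if b.get("local-address") != a.get("remote-address"):
        problems.append("B local-address != A remote-address")
    if not a.get("ipsec-secret"):
        problems.append("no ipsec-secret: GRE would cross the WAN in the clear")
    return problems

def weak_dh_groups(profile: Dict[str, str]) -> List[str]:
    """DH groups in the profile below 2048-bit strength (modp768, modp1024) that should be dropped."""
    return [g for g in profile.get("dh-group", "").split(",") if g in ("modp768", "modp1024")]
```

Run it against the real `print detail` output of both routers; an empty list from check_eoip_peers means the EoIP side is consistent and the problem lies elsewhere (bridge membership, firewall, or IPsec policy), which is where the post's "update 1" is already looking.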