EoIP is GRE - but not always? or - Multiple EoIP and no connection possible

Hey Folks. I configured 3x MikroTiks with EoIP and it's running, but I still don't get why. They are not configured in the same way - this won't work! (same devices with same firmware etc.)
I had a real, real bad problem with it and was going crazy the last 2 weeks. It's solved now, but I don't get why. What I did makes (almost) no sense to me.
AND I think a lot of people will run into this problem, too. And maybe don't find the answer - I had luck with it (and was testing around like 18 hours a day!)


Overview:
2x Router in the “Backbone Location” (VRRP), so only one is active. Let's call them M1 and M2.
1x Router in the Remote Office. Let's call it R1.
M1 and M2 each have an EoIP tunnel to R1.

First things first, so I connected R1 and M1 with EoIP.
No connection possible.
Firewall → GRE (input and output chain)
WORKS

Second, let's connect M2 and R1 in the same way.
Won't work!
I checked everything twice, but the configuration was the same.
One thing was “special”: EoIP-Tun1 and EoIP-Tun2 got the same bridge on R1. (of course)

Well, let's see what the logs are telling … WOW … IPSEC ERRORS IN A ROW.
WHY!

I started to test around with firewall rules on IPsec and after 2-3 checks I found the solution.
M2 needs to have protocol 50 (ipsec-esp) allowed in the input chain, and then the packets started to flow.

WHY?!

R1 and M1 never need it with EoIP.
Both working clean with GRE (protocol 47) in the input and output chain between R1 and M1.

Why does M2 suddenly need an IPsec rule?
Never used IPsec, well of course the IPsec passphrase built in with EoIP - but not more.
I was lucky that I tested around with PPTP, L2TP, OVPN and so on some years and months before.
I had a feeling to check the firewall because there was no packet flow.

But it still does not make sense to me.

Any ideas why 2 identical devices, with the same configuration, are not working the same way?
Did not find anything about it.

Many thanks.

The default config in newer versions has allow rules for IPsec, so that's a possibility. Additionally you may have set IPsec values for one EoIP tunnel and not the other. Without an

/export hide-sensitive

from each device we couldn’t tell you what caused the difference.

Same devices from same quantity order.
Same config, firmware and version on both devices.
Even same manufacturing date.

One has GRE traffic passing the firewall only.
One needs IPSEC-ESP traffic allowed, too.
And it's funny - it's always number 2 which needs this, even after reset and switching them.
Number 2 in the connection heaven will need the additional IPSEC-ESP rule and some UDP 500 … etc.

Even the same profiles and default stuff are on it.
Nothing changed for security or IPsec yet because of testing.

It seems that there is an issue with connecting more EoIP tunnels to a far bridge or to one device.
Same devices have to work the same way. No example or tutorial would work. That is mad and crazy if you are right with your information.
I am sure there is an issue, but it is not a different firmware or device or whatever.

Hope someone knows another EoIP background to this.

I need to see the configurations to make any kind of meaningful determination. Anything else is just key-strokes. EoIP will always be a kind of GRE tunnel but it can be wrapped (protected) by IPSec.

A drawing in addition would be useful to confirm how they are inter-connected.

Well, ok.
I will try to get that information and have to see how with MikroTik.
First I am doing it with the WI only.
Have to try WinBox and the CLI for this, or?
Maybe you have some advice where and what you need?

In the end, that was how I got onto the problem.
The LOG was telling that there is an IPSEC problem and I opened the needed ports.

First thought: Oh fu…n. Why do I need those additional ports? I want it to work like it does from the first device. With the GRE protocol open, only.

Maybe for what I want now, we don't need any copy and you can help me out.

Router 1 → EoIP1 → Router 3 → Bridge1 (the EoIP with GRE only. No IPSEC traffic or packets.)
Router 2 → EoIP2 → Router 3 → Bridge1 (the EoIP with the same configuration but of course another ID, local host etc.)

Whatever.
I cannot choose any IPSEC option within the EoIP interface. Just the IPsec Secret.
For this I am wondering how to set it up.
I want EoIP1 to work like EoIP2 now. How?

Enabled: Yes
Name: MyName3 :wink:
Type: EoIP Tunnel
MTU: 1400 (I know, EoIP can handle up to 1500 - testing for later - right now that does not matter for me)
Actual MTU: 1400
L2 MTU: 65535
MAC Address: (of course, the right one - this is working)
Local Address: (of course, the right one - this is working)
Remote Address: (of course, the right one - this is working)
Tunnel ID: (of course, the right one for this tunnel only - this is working)
IPsec Secret: (it's just a password of letters and numbers, nothing to choose like a profile, certificate or whatever)
Keepalive: 00:00:10 ; 10
DSCP: inherit
Don't Fragment: no
Clamp TCP MSS: yes
Allow Fast Path: no

So. My EoIP tunnel on Router1, why ever, has no IPSEC traffic.
Btw. all 6 access IP addresses between the routers are static public.
I am not using VRRP for this direction - this is a transfer net for incoming IP networks (PI and PA).
I added the input rule for ipsec-esp, too. No packets. No traffic on EoIP1.

Under IP → IPsec
I see the peers and remote peers (both routers are 100% fine)
The Group is -default- like delivered :wink:
Policies are the same, too (of course with different IPs)
… and for all further tabs the same. (Mode Configs, Proposals, Installed SAs, Keys and Users)

I get a feeling that IP->IPsec is not the right place for EoIP IPsec, maybe?
Never set up anything in here and won't start this before I understand everything :slight_smile:
But like I know IPsec from other VPNs — this all looks fine and is working … in a way :slight_smile:

So please tell me. How to add IPsec security to an EoIP tunnel which is not working with IPsec for now??

P.S.:
I FOUND A DIFFERENCE. Under PPP there are profiles.
On the router without need of IPsec the Bridge is the EoIP bridge (@ default profile) and I have a PPTP secret (for a PPTP test)
On the router with the need of IPsec the Bridge is empty for this profile … and there is no PPTP secret, BUT

The PPTP secret is never used for this. But what about the Bridge in the profile? I will test it tomorrow but first await an answer.
Safe Mode can rescue, but maybe not always ^^ (funny, the difference to Cisco, but I like Safe Mode too — after understanding how it works)

Because EoIP is more a part of PPP and not like MPLS/VPLS — is that the point? The Bridge in the Profiles of PPP???

/export hide-sensitive

Execute that on each device. No idea how to do it in WinBox or WebFig. SSH into the devices.

You may want to use GNS3 with the free MikroTik CHR appliance to get some experience.

EoIP is a protocol that uses GRE to encapsulate Ethernet. It is absolutely unequivocally GRE. It should only be used when you need to stretch layer 2 across a layer 3 boundary (typically the Internet). If you simply want a routed tunnel choose a different protocol like IPIP or GRE. By using EoIP you are adding 14 bytes to every packet (Ethernet header). This can be verified by looking at a packet capture. You’ll see it’s IP protocol GRE (47) and GRE Protocol Type 0x6400 (MikroTik EoIP). Anything you are doing with PPTP will be ignored as you are already seeing.

MikroTik tried to make setting up encrypted tunnels (GRE, EoIP, IPIP, etc…) easier by adding the “ipsec-secret” option. Referencing the MikroTik Wiki:

When secret is specified, router adds dynamic ipsec peer to remote-address with pre-shared key and policy with default values (by default phase2 uses sha1/aes128cbc). Both local-address and remote-address of the tunnel must be specified for router to create valid ipsec policy.

If you set an IPSec secret on each side it will dynamically add the necessary configuration to secure it. If you want to control the values used when securing your tunnel simply do not set ipsec-secret. You then use the “/ip ipsec” menus to perform the necessary configuration. I personally use “/ip ipsec” so I can have control over the cipher suites used. Like you’ve already noticed if you choose to encrypt your tunnel you’ll need to adjust your firewall rules accordingly.
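As an added example (not code from this thread, from MikroTik, or from the wiki page quoted above), here is a small Python classifier that does what the reply above recommends: look at the raw packets and tell a plain EoIP tunnel (IP protocol 47 carrying GRE protocol type 0x6400) apart from an ipsec-secret tunnel (IKE on UDP 500/4500 plus ESP, IP protocol 50), then list the input-chain accept rules the receiving router needs for what was actually observed. The packets, addresses, tunnel ID and SPI are constructed here; the GRE flags word in the sample is only a plausible stand-in, and a real capture would be fed in through a pcap reader instead.

```python
"""Classify raw IPv4 packets by tunnel flavour and derive the firewall
allowances each flavour needs. Added example with constructed data."""
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 17, 47, 50
EOIP_GRE_TYPE = 0x6400            # GRE protocol type used by MikroTik EoIP
IKE_PORT, IKE_NAT_T_PORT = 500, 4500


def classify(packet: bytes) -> str:
    """Name the tunnel flavour carried by one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    proto = packet[9]                 # IP protocol number
    payload = packet[ihl:]
    if proto == IPPROTO_GRE and len(payload) >= 4:
        # GRE header: 2 bytes flags/version, then 2 bytes protocol type
        gre_type = struct.unpack("!H", payload[2:4])[0]
        return "eoip-gre" if gre_type == EOIP_GRE_TYPE else "gre-0x%04x" % gre_type
    if proto == IPPROTO_ESP:
        return "ipsec-esp"            # payload is encrypted; nothing more to read
    if proto == IPPROTO_UDP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return "ike"
        if IKE_NAT_T_PORT in (sport, dport):
            return "ike-nat-t"
    return "ip-proto-%d" % proto


# Input-chain allowance the receiving router needs for each flavour.
NEEDED_RULES = {
    "eoip-gre": "protocol=gre",
    "ipsec-esp": "protocol=ipsec-esp",
    "ike": "protocol=udp dst-port=500",
    "ike-nat-t": "protocol=udp dst-port=4500",
}


def required_rules(packets) -> list:
    """Distinct RouterOS input-chain accept rules implied by a capture."""
    seen = []
    for pkt in packets:
        rule = NEEDED_RULES.get(classify(pkt))
        if rule and rule not in seen:
            seen.append(rule)
    return ["/ip firewall filter add chain=input %s action=accept" % r for r in seen]


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left 0; constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed samples using documentation addresses, not the thread's routers.
M1, R1 = "203.0.113.1", "198.51.100.1"
# Plain EoIP: GRE flags (stand-in), type 0x6400, length, tunnel ID, Ethernet header.
EOIP_PKT = ipv4(IPPROTO_GRE, M1, R1,
                struct.pack("!HHH", 0x2001, EOIP_GRE_TYPE, 14) + struct.pack("<H", 42) + b"\x00" * 14)
# ESP: SPI and sequence number followed by opaque ciphertext.
ESP_PKT = ipv4(IPPROTO_ESP, M1, R1, struct.pack("!II", 0x01020304, 1) + b"\x00" * 16)
# IKE: UDP 500 -> 500 with a zeroed ISAKMP header.
IKE_PKT = ipv4(IPPROTO_UDP, M1, R1, struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + 28, 0) + b"\x00" * 28)

PLAIN_TUNNEL = [EOIP_PKT]             # what a tunnel without ipsec-secret looks like
SECURED_TUNNEL = [IKE_PKT, ESP_PKT]   # what a tunnel with ipsec-secret looks like

if __name__ == "__main__":
    for name, capture in (("plain", PLAIN_TUNNEL), ("secured", SECURED_TUNNEL)):
        print(name, [classify(p) for p in capture])
        for rule in required_rules(capture):
            print("   ", rule)
```

Running it shows the point of the thread in one screen: the plain tunnel only ever needs `protocol=gre` accepted, while the ipsec-secret tunnel needs IKE and ESP accepted as well, so two routers whose captures differ in flavour will need different firewall rules even with otherwise identical configuration.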

Hey idlemind.

Thank you for the workaround.
It makes sense what you are saying, but I am using the IPsec passphrase on both routers - but one is not sending any packets with ipsec-esp.

That is why I am wondering.
An EoIP tunnel with a WAN interface should not be possible without IPsec.
Without IPsec it's possible with the LAN side only. (what I found out)…

Whatever. The IPsec passphrase is set in the same way on all sites for each EoIP tunnel.
I tried with the same password (for all different EoIP tunnels) and I tried with different passwords for every pair. (same for one pair of course)

You said:
“If you set an IPSec secret on each side it will dynamically add the necessary configuration to secure it.”

On Router2 it is working like this.
On Router3 it is working both ways (each way for one tunnel)
But on Router1 I don't see any IPsec traffic in the firewall. No packets. No traffic.

Strange, or?

P.S.: Will do the export stuff soon…

Sorry, export is not possible right now.
The output is one endless line. Anyways …

It's an IPsec problem, but I gave up now.

  • accept forward rule (getting packets on one router, not on the other one) and I don't know WHY (it's UDP, I know meanwhile)
  • ipsec (same, the other way around - no accept forward traffic)
    Fasttrack off and all the other stuff is done the same way.
    I really went through label per label, option per option and checked everything in every submenu.
    I was able to open TERMINAL and /export hide-sensitive and I put both windows next to each other and compared line by line.
    I had some differences, but they have nothing to do with the problem (like bridge priority for RSTP 0x7000, standard and 0x9000).

I deleted everything and restarted.
Most funny thing: Both routers are working. If I shut down R1 then R2 takes command (VRRP).
Everything is working (in a way) but not the same.
Even without VRRP and using R1 and R3 (or R2 and R3) only, the behavior is the same.
And everything is causing 15% packet loss (upload from R3 to R1-2)

For R1 and R2 (we can call them R1-2 because one is working and one is slave only.)
IPSEC IN
2136668 STATE PROTOCOL ERRORS (R1)
3340831 STATE PROTOCOL ERRORS (R2)

And on R3 almost the same, but IPSEC OUT POLICY (makes sense).
R4 was never attached, because why should I attach more problems.

So I am sure IPSEC is the bad guy in this game, or something went badly wrong and IPSEC is just the point where it shows.
And I played around with MTU, too, because of fragmentation. Different lines and speeds cause different MTUs. I tried to find a good way and this optimized it really a bit - but I am hunting a ghost for now and with my power.

But in the END, I know a bit more about networks than the normal user.
Maybe I even know a bit more than the experienced user and I am trying to get more and more into it … maybe one day with Layer 3 (OSPF) dreaming — or (BGP) megalomania
… but for now: I am able to use tagged VLANs and I can set them up. I understand most parts on Layer 2 and I am able to use most managed switches, but …
IPSEC is a horror for me. It was. It is and I think it will be for a long time :slight_smile:

I will try to play a bit with MPLS and VPLS first.
Got it running in 10 minutes and all routers are finding the neighbours and the attached IP addresses for each LDP.

I am seeing some new problems for me, but I will open a new post with MPLS/VPLS questions about loop protection in this case.
I will try to get back to EoIP with the same configuration in 1-2 weeks because I am sure this is a small shi…ning sun and I hate such fu…n which is unsolved :slight_smile: