hofi76
September 29, 2022, 1:39pm
1
I want to create an EoIP tunnel in an Office1---- HQ-----Office2 way (maybe later Office3).
I can ping Office1 and Office2 from HQ.
I can ping HQ from Office1 and Office2.
I cannot ping Office2 from Office1 and reverse.
After pinging I see the MAC address of the PC from the other Office in the PC's ARP table, and the reverse, but that is all. No ping or other communication.
HQ
/interface bridge
add arp=proxy-arp fast-forward=no name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/interface eoip
add allow-fast-path=no arp=proxy-arp local-address=10.36.6.204 loop-protect=on mac-address=02:6A:86:3F:2D:CF mtu=1500 name=eoip-tunnel1 remote-address=10.36.6.205 tunnel-id=7
add allow-fast-path=no arp=proxy-arp local-address=10.36.6.204 loop-protect=on mac-address=02:6A:86:3F:2D:CF mtu=1500 name=eoip-tunnel2 remote-address=10.36.6.206 tunnel-id=8
/interface bridge port
add bridge=bridge1 hw=no ingress-filtering=no interface=ether2
add bridge=bridge1 interface=eoip-tunnel2
add bridge=bridge1 interface=eoip-tunnel1
Office1
/interface bridge
add arp=proxy-arp fast-forward=no name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/interface eoip
add allow-fast-path=no arp=proxy-arp local-address=10.36.6.205 mac-address=02:F1:17:72:55:47 mtu=1500 name=eoip-tunnel1 remote-address=10.36.6.204 tunnel-id=7
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip-tunnel1
Office2
/interface bridge
add arp=proxy-arp fast-forward=no name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/interface eoip
add allow-fast-path=no arp=proxy-arp local-address=10.36.6.206 mac-address=02:F1:17:72:55:47 mtu=1500 name=eoip-tunnel2 remote-address=10.36.6.204 tunnel-id=8
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip-tunnel2
I assume there is a little mistake but I still have not found it.
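A quick way to check the three exports above for the things that have to line up in one bridged EoIP domain, as an added Python example (not from the thread and not MikroTik code): it parses the /interface eoip sections, flags MAC addresses reused by more than one bridged EoIP interface, tunnels with no matching endpoint (swapped local/remote addresses, same tunnel-id), and tunnels where ipsec-secret is set on only one end. The site labels are assumed; the config text is the one posted above. Run on these exports it reports that both HQ tunnels share 02:6A:86:3F:2D:CF and that the Office1 and Office2 tunnels share 02:F1:17:72:55:47.

```python
"""Added example: lint RouterOS exports of a hub-and-spoke bridged EoIP setup.

Checks: every bridged EoIP interface MAC is unique in the L2 domain, every
tunnel has a mirror endpoint (swapped addresses, same tunnel-id), and
ipsec-secret is set on both ends of a tunnel or on neither.
"""
import re
from collections import defaultdict

# Constructed sample: the /interface eoip sections of the three exports in the
# post, keyed by a site label (the labels themselves are hypothetical).
SITES = {
    "HQ": """
/interface eoip
add allow-fast-path=no arp=proxy-arp local-address=10.36.6.204 loop-protect=on mac-address=02:6A:86:3F:2D:CF mtu=1500 name=eoip-tunnel1 remote-address=10.36.6.205 tunnel-id=7
add allow-fast-path=no arp=proxy-arp local-address=10.36.6.204 loop-protect=on mac-address=02:6A:86:3F:2D:CF mtu=1500 name=eoip-tunnel2 remote-address=10.36.6.206 tunnel-id=8
/interface bridge port
add bridge=bridge1 interface=eoip-tunnel2
""",
    "Office1": """
/interface eoip
add allow-fast-path=no arp=proxy-arp local-address=10.36.6.205 mac-address=02:F1:17:72:55:47 mtu=1500 name=eoip-tunnel1 remote-address=10.36.6.204 tunnel-id=7
""",
    "Office2": """
/interface eoip
add allow-fast-path=no arp=proxy-arp local-address=10.36.6.206 mac-address=02:F1:17:72:55:47 mtu=1500 name=eoip-tunnel2 remote-address=10.36.6.204 tunnel-id=8
""",
}

KV_RE = re.compile(r"([\w-]+)=(\S+)")


def parse_section(export, section):
    """Return one dict of key=value pairs per 'add' line under `section`."""
    entries, current = [], None
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current == section:
            entries.append(dict(KV_RE.findall(line)))
    return entries


def lint_eoip(sites):
    """Return a list of human-readable findings for the EoIP tunnels."""
    tunnels = []
    for site, export in sites.items():
        for t in parse_section(export, "/interface eoip"):
            tunnels.append(dict(t, site=site))
    findings = []

    # 1. MACs of bridged EoIP interfaces must be unique in the L2 domain.
    by_mac = defaultdict(list)
    for t in tunnels:
        mac = t.get("mac-address")
        if mac:
            by_mac[mac.lower()].append(f"{t['site']}:{t['name']}")
    for mac, owners in by_mac.items():
        if len(owners) > 1:
            findings.append(f"duplicate mac-address {mac} on {', '.join(owners)}")

    # 2. Each tunnel needs a mirror: swapped local/remote, same tunnel-id.
    by_key = {(t["local-address"], t["remote-address"], t["tunnel-id"]): t for t in tunnels}
    for key, t in by_key.items():
        mirror_key = (key[1], key[0], key[2])
        mirror = by_key.get(mirror_key)
        if mirror is None:
            findings.append(f"{t['site']}:{t['name']} has no matching endpoint for tunnel-id {key[2]}")
        # 3. IPsec must be configured on both ends (checked once per pair).
        elif key < mirror_key and ("ipsec-secret" in t) != ("ipsec-secret" in mirror):
            findings.append(f"ipsec-secret set on only one end of tunnel-id {key[2]} "
                            f"({t['site']}:{t['name']} <-> {mirror['site']}:{mirror['name']})")
    return findings


if __name__ == "__main__":
    for finding in lint_eoip(SITES) or ["no findings"]:
        print(finding)
```

The parser only looks at `add` lines under a `/path` header, which is enough for `/export` output; feed it the full exports and the other sections are ignored.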
hofi76
September 30, 2022, 11:15am
2
I started from scratch and the O1—HQ----O2 model operates well.
(The test was a ping from an O1 PC to an O2 PC.)
I added an IPsec secret to O1-HQ; all was fine.
I added the IPsec secret to O2-HQ; the connection failed.
I removed the IPsec secret from O1-HQ and it operates again.
Is there any rule which forbids using two EoIP tunnels with an IPsec secret in the same bridge?
Any idea?
sindy
October 1, 2022, 7:23am
3
Could it be that packets from O1 and O2 arrive from the same public IP address to the HQ router?
hofi76
October 1, 2022, 8:05am
4
Hi sindy. I would say no.
This is a test environment in my office, so all three routers' WAN interface IPs are in the same network 10.36.0.0, so the traffic doesn't go through the internet, only through my test network. The routers' LAN/client IPs are 192.168.76.x. My goal is to build the network without any routing.
If it will not work I am thinking of setting up an EoIP without IPsec through an L2TP tunnel, but in this case I will lose the simplicity.
sindy
October 1, 2022, 9:46am
5
When you configure the ipsec-secret for both EoIP tunnels, what do the following commands show?
/ip ipsec peer print
/ip ipsec active-peers print
/ip ipsec policy print detail
Since you run the tests on private addresses, no need to obfuscate them.
hofi76
October 2, 2022, 4:13am
6
These are the outputs of the commands above:
[admin@router1] > /ip ipsec peer print
Flags: X - disabled; D - dynamic; R - responder
0 D name="eoip-tunnel2" address=10.36.6.206/32 local-address=10.36.6.204
profile=default exchange-mode=main send-initial-contact=yes
1 D name="eoip-tunnel1" address=10.36.6.205/32 local-address=10.36.6.204
profile=default exchange-mode=main send-initial-contact=yes
[admin@router1] > /ip ipsec active-peers print
Flags: R - RESPONDER
Columns: STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# STATE UPTIME PH2-TOTAL REMOTE-ADDRESS
;;; eoip-tunnel2
0 established 9m9s 1 10.36.6.206
;;; eoip-tunnel1
1 established 9m8s 2 10.36.6.205
;;; eoip-tunnel2
2 R established 9m8s 1 10.36.6.206
;;; eoip-tunnel1
3 R established 9m3s 10.36.6.205
[admin@router1] > /ip ipsec policy print detail
Flags: T - template; B - backup;
X - disabled, D - dynamic, I - invalid, A - active; * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes priority=0x10000
1 D peer=eoip-tunnel1 tunnel=no src-address=10.36.6.204/32 src-port=any
dst-address=10.36.6.205/32 dst-port=any protocol=gre action=encrypt
level=require ipsec-protocols=esp proposal=default priority=0x20000
ph2-count=2 ph2-state=established
2 D peer=eoip-tunnel2 tunnel=no src-address=10.36.6.204/32 src-port=any
dst-address=10.36.6.206/32 dst-port=any protocol=gre action=encrypt
level=require ipsec-protocols=esp proposal=default priority=0x20100
ph2-count=2 ph2-state=established
[admin@router1] >
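To turn the two outputs above into a pass/fail check, here is an added Python example (not from the thread and not MikroTik code): it parses `/ip ipsec active-peers print` and `/ip ipsec policy print detail` as pasted, copes with the blank PH2-TOTAL column in the last active-peers row, and reports per EoIP peer whether a dynamic encrypt policy for GRE exists at level=require with phase 2 established, plus how many phase-1 SAs (initiator and responder) exist toward that remote. The sample text is the output posted above with the prompt lines removed.

```python
"""Added example (not from the thread): check RouterOS IPsec state behind
ipsec-secret EoIP tunnels from the text of two print commands."""
import re

# Constructed sample: the outputs posted above, prompt lines removed.
ACTIVE_PEERS = """\
Flags: R - RESPONDER
Columns: STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# STATE UPTIME PH2-TOTAL REMOTE-ADDRESS
;;; eoip-tunnel2
0 established 9m9s 1 10.36.6.206
;;; eoip-tunnel1
1 established 9m8s 2 10.36.6.205
;;; eoip-tunnel2
2 R established 9m8s 1 10.36.6.206
;;; eoip-tunnel1
3 R established 9m3s 10.36.6.205
"""
POLICIES = """\
Flags: T - template; B - backup;
X - disabled, D - dynamic, I - invalid, A - active; * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes priority=0x10000
1 D peer=eoip-tunnel1 tunnel=no src-address=10.36.6.204/32 src-port=any
dst-address=10.36.6.205/32 dst-port=any protocol=gre action=encrypt
level=require ipsec-protocols=esp proposal=default priority=0x20000
ph2-count=2 ph2-state=established
2 D peer=eoip-tunnel2 tunnel=no src-address=10.36.6.204/32 src-port=any
dst-address=10.36.6.206/32 dst-port=any protocol=gre action=encrypt
level=require ipsec-protocols=esp proposal=default priority=0x20100
ph2-count=2 ph2-state=established
"""
KV_RE = re.compile(r"([\w-]+)=(\S+)")


def parse_active_peers(text):
    """One dict per SA row; a ';;;' comment line names the peer of the next row."""
    rows, peer = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Flags:", "Columns:", "#")):
            continue
        if line.startswith(";;;"):
            peer = line[3:].strip()
            continue
        tokens = line.split()[1:]             # drop the row index
        responder = tokens[0] == "R"
        if responder:
            tokens.pop(0)
        # PH2-TOTAL can be blank, so the remote address is read from the end.
        ph2_total = int(tokens[2]) if len(tokens) == 4 else None
        rows.append({"peer": peer, "responder": responder, "state": tokens[0],
                     "uptime": tokens[1], "ph2_total": ph2_total, "remote": tokens[-1]})
        peer = None
    return rows


def parse_policies(text):
    """One dict per policy; wrapped continuation lines are folded into the entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"\d+\s", line):          # new entry: index, flag letters, key=value
            current = {"flags": [t for t in line.split()[1:] if "=" not in t]}
            current.update(KV_RE.findall(line))
            entries.append(current)
        elif current is not None and "=" in line:
            current.update(KV_RE.findall(line))
    return entries


def check_tunnels(active_text, policy_text):
    """Per policy peer: SA counts and a list of issues (empty when healthy)."""
    peers = parse_active_peers(active_text)
    reports = {}
    for pol in parse_policies(policy_text):
        if pol.get("template") == "yes" or "peer" not in pol:
            continue
        name, remote = pol["peer"], pol["dst-address"].split("/")[0]
        sas = [p for p in peers if p["peer"] == name and p["remote"] == remote]
        issues = []
        if (pol.get("action"), pol.get("protocol")) != ("encrypt", "gre"):
            issues.append("policy does not encrypt GRE")
        if pol.get("level") != "require":
            issues.append(f"level={pol.get('level')} (expected require)")
        if pol.get("ph2-state") != "established":
            issues.append(f"ph2-state={pol.get('ph2-state')}")
        if not any(p["state"] == "established" for p in sas):
            issues.append("no established phase-1 SA for this peer")
        reports[name] = {"remote": remote, "sa_count": len(sas),
                         "responder_sas": sum(p["responder"] for p in sas),
                         "ph2_count": int(pol.get("ph2-count", 0)), "issues": issues}
    return reports


if __name__ == "__main__":
    for name, report in check_tunnels(ACTIVE_PEERS, POLICIES).items():
        print(name, report)
```

For the pasted output both peers come out with an empty issues list, two phase-1 SAs each (one initiated locally, one as responder) and ph2-count=2; the check is meant to be re-run after each config change so a failed phase 2 or a missing policy shows up as a concrete issue string rather than a silent ping failure.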
hofi76
October 6, 2022, 9:14am
7
@sindy I assume something is wrong with IPsec in 7.5 or in my config.
I created a very basic L2TP server and want to join with another MikroTik as an L2TP client (HQ-R1).
On the server side (HQ) IPsec is enabled. If I enable IPsec on the client on R1 I see this:
09:00:51 ipsec,info initiate new phase 1 (Identity Protection): 10.36.6.205[500]<=>10.36.6.204[500]
09:00:53 ipsec,info ISAKMP-SA established 10.36.6.205[500]-10.36.6.204[500] spi:4177187bf2dbd8ea:5730247ff6eef71b
09:02:23 l2tp,ppp,info l2tp-out1: terminating...
09:02:23 l2tp,ppp,info l2tp-out1: disconnected
09:02:23 l2tp,ppp,info l2tp-out1: initializing...
09:02:23 l2tp,ppp,info l2tp-out1: connecting...
09:02:23 l2tp,ppp,info l2tp-out1: terminating... - session closed
On the HQ side "ppp active print" shows nothing.
If I disable IPsec on R1 the connection operates:
[admin@Router1] > /ppp active/ print
Columns: NAME, SERVICE, CALLER-ID, ADDRESS, UPTIME, ENCODING
# NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING
0 user1 l2tp 10.36.6.205 172.16.16.101 8m42s cbc(aes) + hmac(sha1)
HQ “server” config:
/interface ethernet
set [ find default-name=ether1 ] name=WAN
/interface eoip
add arp=proxy-arp local-address=172.16.16.1 mac-address=02:EA:F9:52:59:AE name=eoip-tunnel1 remote-address=172.16.16.101 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=172.16.16.1 name=HQ-R1 remote-address=172.16.16.101 use-encryption=yes
add change-tcp-mss=yes local-address=172.16.16.2 name=HQ-R2 remote-address=172.16.16.102 use-encryption=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=HQ-R1 enabled=yes use-ipsec=yes
/ip dhcp-client
add interface=WAN
/ppp profile
set *0 local-address=172.16.16.101 remote-address=*1
/ppp secret
add name=user1 profile=HQ-R1 service=l2tp
add name=user2 profile=HQ-R2 service=l2tp
/system identity
set name=Router1
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.36.2.11
R1 Client config:
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=172.16.16.101 name=R1-HQ remote-address=172.16.16.1 use-encryption=yes
/interface l2tp-client
add connect-to=10.36.6.204 disabled=no name=l2tp-out1 profile=R1-HQ use-ipsec=yes user=user1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
/interface l2tp-server server
set authentication=mschap2 use-ipsec=yes
/ip address
add address=192.168.77.254/22 interface=bridge1 network=192.168.76.0
/ip dhcp-client
add interface=WAN
/system identity
set name=Router2
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.36.2.11