EoIP tunnel not forwarding traffic

I have two CHR routers running version 6.46.5.

There is an EoIP over IPsec tunnel configured on both sides. The tunnel is established and the EoIP interfaces are UP. I can ping each router from the other one from the LAN side, but I cannot ping anything behind the routers.

Router 1:

[admin@MikroTik] /interface eoip> print
Flags: X - disabled, R - running
0 R name="eoip-tunnel-Servidores" mtu=auto actual-mtu=1396 l2mtu=65535 mac-address=02:9E:3F:98:FF:87 arp=enabled
arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
loop-protect-disable-time=5m local-address=0.0.0.0 remote-address=213.27.218.187 tunnel-id=3
keepalive=10s,10 dscp=inherit clamp-tcp-mss=no dont-fragment=no ipsec-secret="secretovpn" allow-fast-path=no

1 R name="eoip-tunnel-Sistemas" mtu=auto actual-mtu=1396 l2mtu=65535 mac-address=02:87:FD:12:17:BC arp=enabled
arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
loop-protect-disable-time=5m local-address=0.0.0.0 remote-address=213.27.218.187 tunnel-id=132
keepalive=10s,10 dscp=inherit clamp-tcp-mss=no dont-fragment=no ipsec-secret="secretovpn" allow-fast-path=no

[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running
0 R name="Servidores" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=00:50:56:93:D9:65
protocol-mode=none fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m vlan-filtering=no dhcp-snooping=no

1 R name="Sistemas" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=00:50:56:93:B3:09
protocol-mode=none fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m vlan-filtering=no dhcp-snooping=no

[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #   INTERFACE                BRIDGE       HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
 0   ether3                   Servidores   yes  1     0x80      10         10                  none
 1   ether4                   Sistemas     yes  1     0x80      10         10                  none
 2   eoip-tunnel-Sistemas     Sistemas          1     0x80      10         10                  none
 3   eoip-tunnel-Servidores   Servidores        1     0x80      10         10                  none

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK         INTERFACE
 0   172.20.132.33/24    172.20.132.0    Sistemas
 5   192.168.3.19/24     192.168.3.0     Servidores


Router 2:

[admin@MikroTik] > interface eoip print
Flags: X - disabled, R - running
0 R name="eoip-tunnel-Servidores" mtu=auto actual-mtu=1396 l2mtu=65535 mac-address=02:64:65:7C:9E:5B arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off
loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=0.0.0.0 remote-address=5.196.24.204 tunnel-id=3 keepalive=10s,10 dscp=inherit clamp-tcp-mss=no
dont-fragment=no ipsec-secret="secretovpn" allow-fast-path=no

1 R name="eoip-tunnel-Sistemas" mtu=auto actual-mtu=1396 l2mtu=65535 mac-address=02:43:0E:C2:D0:72 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off
loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=0.0.0.0 remote-address=5.196.24.204 tunnel-id=132 keepalive=10s,10 dscp=inherit clamp-tcp-mss=no
dont-fragment=no ipsec-secret="secretovpn" allow-fast-path=no

[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running
0 R name="Servidores" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=proxy-arp arp-timeout=auto mac-address=00:50:56:93:1B:A1 protocol-mode=none fast-forward=no igmp-snooping=no
auto-mac=yes ageing-time=5m vlan-filtering=no dhcp-snooping=no

1 R name="Sistemas" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=00:50:56:93:45:F2 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes
ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no

[admin@MikroTik] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #   INTERFACE                BRIDGE       HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
 0   ether1                   Servidores   yes  1     0x80      10         10                  none
 1   ether2                   Sistemas     yes  1     0x80      10         10                  none
 2   eoip-tunnel-Sistemas     Sistemas          1     0x80      10         10                  none
 3   eoip-tunnel-Servidores   Servidores        1     0x80      10         10                  none

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK         INTERFACE
 0   192.168.3.16/24     192.168.3.0     Servidores
 1   172.20.133.21/24    172.20.133.0    ether3
 2   192.168.12.21/22    192.168.12.0    ether4
 3   172.20.132.32/24    172.20.132.0    Sistemas

One of the routers is behind a NAT, and the IPsec is working without problems with NAT Traversal.

Any help would be appreciated.

Thanks,

Victor Camacho

Why did you select EoIP in particular?
Creating an IPsec-encrypted EoIP tunnel, and nothing more, will not give you access to the hosts behind those tunnels…
You must add routes from R1 to R2's LAN and from R2 to R1's LAN with the EoIP as the gateway…

What concerns me most is that EoIP is mostly used to extend Layer 2 broadcast domains, so is that your intention?

I used EoIP to extend the Layer 2 broadcast domain.

I am trying to use it to connect the main office to a contingency data center, which has a standby replica of the servers.

Thanks,

Victor Camacho

Have you permitted promiscuous mode on the vSwitch ports to which your CHRs' interfaces (the ones that are member ports of the bridges interconnected by the EoIP tunnels) are connected? By default, the vSwitch doesn't forward frames to/from MAC addresses other than that of the connected virtual machine's interface.
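As an added example (not from the thread, and not MikroTik's tooling), a small Python script that reads both routers' `/interface eoip print` and `/interface bridge port print` output and cross-checks what has to agree before looking outside RouterOS: tunnel-id and ipsec-secret identical on both ends, both tunnels running, each EoIP interface actually a member port of its bridge, and the bridge MTU against the tunnel's actual-mtu. The sample text is trimmed from the outputs posted above; the record parser assumes the wrapped-line format shown there (a record starts with its index and flag letters, continuation lines start with a key).

```python
"""Cross-check a pair of RouterOS EoIP tunnels that are bridged on both ends.

Parses '/interface eoip print' and '/interface bridge port print' from two
routers and reports the control-plane mismatches that make a bridged EoIP
link come up yet not forward: tunnel-id or ipsec-secret disagreeing, a
tunnel that is not running, an EoIP interface missing from its bridge, and
an MTU gap between the LAN bridge and the tunnel.
"""
import re

# Constructed samples, trimmed from the two routers' output posted in the thread.
R1_EOIP = """Flags: X - disabled, R - running
0 R name="eoip-tunnel-Servidores" mtu=auto actual-mtu=1396 l2mtu=65535
local-address=0.0.0.0 remote-address=213.27.218.187 tunnel-id=3
keepalive=10s,10 dont-fragment=no ipsec-secret="secretovpn"

1 R name="eoip-tunnel-Sistemas" mtu=auto actual-mtu=1396 l2mtu=65535
local-address=0.0.0.0 remote-address=213.27.218.187 tunnel-id=132
keepalive=10s,10 dont-fragment=no ipsec-secret="secretovpn"
"""
R2_EOIP = """Flags: X - disabled, R - running
0 R name="eoip-tunnel-Servidores" mtu=auto actual-mtu=1396 l2mtu=65535
local-address=0.0.0.0 remote-address=5.196.24.204 tunnel-id=3
keepalive=10s,10 dont-fragment=no ipsec-secret="secretovpn"

1 R name="eoip-tunnel-Sistemas" mtu=auto actual-mtu=1396 l2mtu=65535
local-address=0.0.0.0 remote-address=5.196.24.204 tunnel-id=132
keepalive=10s,10 dont-fragment=no ipsec-secret="secretovpn"
"""
R1_PORTS = """INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether3 Servidores yes 1 0x80 10 10 none
1 ether4 Sistemas yes 1 0x80 10 10 none
2 eoip-tunnel-Sistemas Sistemas 1 0x80 10 10 none
3 eoip-tunnel-Servidores Servidores 1 0x80 10 10 none
"""
R2_PORTS = R1_PORTS.replace("ether3", "ether1").replace("ether4", "ether2")

RECORD = re.compile(r"^(\d+)\s+((?:[A-Z]\s+)*)")   # "0 R name=..." index plus flag letters
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')           # key=value, value may be quoted


def parse_eoip(text):
    """Return {name: {"flags": [...], key: value, ...}} from 'interface eoip print'."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = RECORD.match(line)
        if m:                                  # new record; continuation lines start with a key
            cur = {"flags": m.group(2).split()}
        if cur is None or "=" not in line:
            continue
        for key, val in KV.findall(line):
            cur[key] = val.strip('"')
        if "name" in cur:
            tunnels[cur["name"]] = cur
    return tunnels


def parse_bridge_ports(text):
    """Return {interface: bridge} from 'interface bridge port print' (HW column may be blank)."""
    ports = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[0].isdigit():
            ports[cols[1]] = cols[2]
    return ports


def check_pair(a_eoip, a_ports, b_eoip, b_ports, lan_mtu=1500):
    """Return [(severity, message)] for every tunnel defined on router A against peer B."""
    findings = []
    b_by_id = {t["tunnel-id"]: t for t in b_eoip.values()}
    for name, ta in a_eoip.items():
        tb = b_by_id.get(ta["tunnel-id"])
        if tb is None:                         # tunnel-id must be identical on both ends
            findings.append(("ERROR", f"{name}: no tunnel with tunnel-id={ta['tunnel-id']} on the peer"))
            continue
        if ta.get("ipsec-secret") != tb.get("ipsec-secret"):
            findings.append(("ERROR", f"{name}: ipsec-secret differs from peer {tb['name']}"))
        for side, t, ports in (("A", ta, a_ports), ("B", tb, b_ports)):
            if "R" not in t["flags"]:
                findings.append(("ERROR", f"{t['name']} on {side}: tunnel is not running"))
            if t["name"] not in ports:
                findings.append(("ERROR", f"{t['name']} on {side}: not a member port of any bridge"))
        mtu = int(ta.get("actual-mtu", lan_mtu))
        if mtu < lan_mtu:                      # bridged 1500-byte frames exceed the tunnel MTU
            fate = ("are fragmented by the tunnel (dont-fragment=no)"
                    if ta.get("dont-fragment") == "no" else "cannot be fragmented")
            findings.append(("WARN", f"{name}: LAN MTU {lan_mtu} > tunnel MTU {mtu}; larger frames {fate}"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_pair(parse_eoip(R1_EOIP), parse_bridge_ports(R1_PORTS),
                               parse_eoip(R2_EOIP), parse_bridge_ports(R2_PORTS)):
        print(sev, msg)
```

On the configuration posted above everything pairs up, and the only output is a warning that 1500-byte LAN frames exceed the tunnel's actual-mtu of 1396 and are therefore fragmented at the outer IP layer; that costs throughput but does not explain a total loss of forwarding. What the script cannot see is the hypervisor: a CHR bridging ether3 onto an EoIP tunnel must receive frames addressed to MACs other than its own vNIC and must transmit frames whose source MAC belongs to a remote host, so the vSwitch security policy has to allow both promiscuous mode and forged transmits on that port. On ESXi that is `esxcli network vswitch standard policy security set -v <vSwitch> --allow-promiscuous=true --allow-forged-transmits=true` (or the equivalent `portgroup policy security set -p <portgroup>` form); the vSwitch and port-group names are placeholders.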

Promiscuous mode was the point.

After doing lots of tests with some types of VPN and different routers, I forgot the basic things.

Thanks,

Victor Camacho