Hi,
I’ve just tried setting up an EoIP (+ IPsec) tunnel between our office and our datacenter network using a hardware and a virtual MikroTik router.
I’m trying to do this since our 3CX PBX is hosted there and we are trying to avoid NAT, so a direct layer 2 tunnel seems to be the way to go.
The office is behind NAT, so I forwarded and opened GRE, ESP, UDP 500 and UDP 4500.
I noticed the datacenter is dropping GRE packets (most probably because of some way OpenStack handles GRE in VXLAN), since I was able to create a GRE tunnel between two offices but not to the datacenter, so I tried encapsulating it in IPsec by just setting the same “ipsec-secret” on both EoIP tunnels.
However, now I’m getting this on the office router:
ipsec,info initiate new phase 1 (Identity Protection): RouterOfficePublicIP[500]<=>RouterDatacenterPublicIP[500]
ipsec,error phase1 negotiation failed due to send error. RouterOfficePublicIP[500]<=>RouterDatacenterPublicIP[500] somevalue:0000000000000000
and on the datacenter router:
ipsec,info initiate new phase 1 (Identity Protection): RouterDatacenterPublicIP[500]<=>RouterOfficePublicIP[500]
ipsec,error phase1 negotiation failed due to send error. RouterDatacenterPublicIP[500]<=>RouterOfficePublicIP[500] somevalue:0000000000000000
So first of all, is MikroTik even encapsulating GRE in IPsec using this method, or is it the other way round?
Second, am I missing anything? Maybe some port? I enabled logging for all dropped packets but couldn’t notice anything off.
Also, the max usable MTU in the datacenter network is 1450, which I had to set manually on the interfaces of the virtual router for it to work. Do I have to set the same (or less) for the EoIP tunnel, or can it be 1500?
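As an added example (not part of this post), the MTU question can be worked out from the header sizes of EoIP over ESP in transport mode: the script below computes the largest EoIP interface MTU whose encapsulated packet still fits a 1450-byte outer path, including the ESP padding step and the extra UDP header once NAT-T is active. The cipher/integrity profiles are assumptions, not what the two routers actually negotiated.

```python
"""Largest EoIP interface MTU that fits an outer path MTU when the EoIP (GRE)
tunnel is carried inside IPsec ESP in transport mode.

Constructed example: header sizes are the standard ones (GRE with key field
as EoIP uses it, RFC 4303 ESP); the cipher profiles are assumptions, not the
proposal the two routers in the post actually negotiated."""
import math

OUTER_IP = 20    # outer IPv4 header, left in the clear by transport mode
NAT_T_UDP = 8    # UDP/4500 encapsulation added when NAT traversal is active
ESP_HDR = 8      # SPI + sequence number
GRE_EOIP = 8     # GRE header with key field (tunnel id / length) used by EoIP
ETHERNET = 14    # the bridged Ethernet frame header EoIP carries

# profile -> (IV bytes, padding block size, ICV bytes); all assumed values
ESP_PROFILES = {
    "aes-cbc-sha1": (16, 16, 12),
    "aes-cbc-sha256": (16, 16, 16),
    "aes-gcm": (8, 4, 16),
}


def esp_size(plaintext_len, profile):
    """Size of one ESP datagram carrying plaintext_len bytes."""
    iv, block, icv = ESP_PROFILES[profile]
    # the 2-byte trailer (pad length, next header) is padded with the payload
    padded = math.ceil((plaintext_len + 2) / block) * block
    return ESP_HDR + iv + padded + icv


def wire_size(inner_mtu, profile="aes-cbc-sha1", nat_t=True):
    """Outer IPv4 datagram size for a full-size inner packet of inner_mtu bytes."""
    plaintext = GRE_EOIP + ETHERNET + inner_mtu
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + esp_size(plaintext, profile)


def max_eoip_mtu(path_mtu, profile="aes-cbc-sha1", nat_t=True):
    """Largest inner MTU whose encapsulated size never exceeds path_mtu.

    Walks downward because ESP padding makes the relation non-linear: sizes
    just above a block boundary cost a whole extra cipher block."""
    mtu = path_mtu
    while mtu > 0 and wire_size(mtu, profile, nat_t) > path_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: inner 1500 -> {wire_size(1500, nat_t=nat_t)} bytes on the wire; "
              f"largest inner MTU for a 1450 path = {max_eoip_mtu(1450, nat_t=nat_t)}")
```

With a 1500-byte inner MTU every full-size frame lands well above 1450 on the wire and has to be fragmented (or is dropped if DF is set), so the EoIP interface MTU needs to sit below the figure the function returns for the negotiated proposal.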