How to bind EoIP tunnel to IPSec IKEv2 connection?

Hello. I’m trying to set up EoIP over IPSec between 2 Mikrotik routers (FW 6.48.4) but I probably have a problem understanding how IPSec works…

My setup is a little specific and I haven’t found any tutorials dealing with this.

SERVER ROUTER = has public IP address and uses PPPoE interface to connect to VDSL modem
REMOTE ROUTER = does not have public IP, connects to my ISP via Wifi

I’ve managed to set up IPSec IKEv2 connection from the REMOTE router to my SERVER router, so on the server I see this:

10.80.0.61 is the WAN interface (PPPoE) IP address from the VDSL modem. There’s a public IP for this connection which I use to connect to the server from the remote location and from other clients like my phone (IKEv2 VPN).
80.92.246.248 is the ISP’s public IP at the remote location (so it’s not my public IP which I could use to make connection to)

What I don’t understand now is how to establish the EoIP tunnel because the IPSec tunnel between the 2 Mikrotiks doesn’t seem to be complete - on the REMOTE router side, I have the IP 10.0.88.201, which is accessible from the SERVER. But what is the IP address I would use on the REMOTE side to establish the EoIP tunnel?

Until now I used PPTP server, which was easy in the sense that it assigned IP address to both Server side and Remote side once the connection is established, so it’s very easy to add EoIP tunnel. But with IPSec IKEv2 connection, I only get the client’s IP address, but still miss the other half and just can’t figure out how to configure it.

If your ISP always uses the same public IP to NAT the traffic sent by your client router, and if you always get the same IP at the client router’s WAN, you can use a transport mode of the Security Association (chosen by setting tunnel=no on the policy). In that case:

• on the initiator router, you’ll set its private WAN IP as EoIP’s local-adress and policy’s src-address, and the public IP of the responder router as EoIP’s remote-address and policy’s dst-address.
• on the responder, you set its public WAN IP as EoIP’s local-address, and the public IP of the ISP, from which you get the traffic from the initiator, as EoIP’s remote-address

The advantage of transport mode is that the IP header of the payload packet is not transported, leaving more space in the transport packet for the actual payload.

If any of the two addresses mentioned above is not static, you have to use some static IP on the client router as the EoIP’s local-address at the client router and as the remote-address at the server router, and use a tunnel mode of the SA, which allows sa-src-address to differ from src-address and sa-dst-address to differ from dst-address. Of course you must make sure that the chosen private static address is not the same as any address used in the network at the responder side.

Edit: maybe the changing private WAN IP at initiator side is not a problem as if you don’t specify the local-address for EoIP, it is chosen according to the routing result.

Thanks for your time to think about this.

But I still have some doubts:

Facts:

• the Initiator side is the router without my own public IP and the ISP’s public IP is 80.92.246.248 and this is translated to WAN (wlan1) interface IP on Mikrotik into 172.24.73.9/25
  
  
  
• the Responder side is the router with my public IP 1.2.3.4 (which I use to make IPSec connection to from Initiator), translated into 10.80.0.61 on the WAN (PPPoE out) interface on Mikrotik

all IPs are static

I tried creating policy on the Initiator with tunnel=no and src-address=172.24.73.9/25 but it’s not possible to specify the netmask in this field, so I got stuck right at this point.

So I’m still confused about couple of things:

1. What IP to work with as the src and dst addresses in the policy and EoIP, whether it’s
   80.92.246.248 vs 172.24.73.9/25 on Initiator side and
   1.2.3.4 vs. 10.80.0.61 on the Responder side
2. Do I just change the policy on the Initiator side or does it need to match on the Responder side too (meaning a policy with tunnel=no and the same src and dst addresses, just in opposite order)?

Ah, the mask confusion strikes again… The WAN IP address of the initiator is not “172.24.73.9/25”, it is just 172.24.73.9. The /25 is there to tell the router what is the size of the subnet around this single own address, inside which the other hosts can be reached directly, not via a gateway router. But you should not need to enter the address for a transport mode policy at all, see below.

Sorry that I haven’t noticed before that there is a static dst-nat at responder side.

So at initiator side, the local address to use will be 172.24.73.9 and the remote address will be 1.2.3.4; at responder side, the local address to use will be 10.80.0.61 and the remote address will be 80.92.246.248. In another words, you always use the addresses which are meaningful from the perspective of the local peer - its own private one and the remote peer’s public one. In transport mode, since the source and destination addresses of the payload packets are inherited by the transport packet and vice versa, all the eventual NAT operations that change them in the transport packet’s header remain in place when the payload packet gets decapsulated from the IPsec transport packet.

Moreover, if the gateway interface of the route to 1.2.3.4 at the initiator is the interface to which 172.24.73.9 is attached (use /ip route check 1.2.3.4 to double-check this), you don’t need to specify the local-address for EoIP, as it will be chosen automatically. You also don’t need to specify any of (src-address, dst-address) for the policy if you uncheck the tunnel checkbox and choose the peer, because for transport mode policy, the source and destination addresses are inherited from the peer (several RouterOS versions ago, it worked the reverse way - you entered the addresses and the peer was chosen according to them). At least it works like this on command line, Winbox may be more picky due to this change of approach. The policy will then show src-address=0.0.0.0/0, but effectively it will use 172.14.73.9.

At the responder, you don’t need to create the policy at all as it is generated from the template if you permit this on the /ip ipsec identity row. To use a static policy instead, you’d have to create a dedicated peer for 80.92.246.248 - policies are linked to peers, not to identities. You cannot specify the tunnel/transport mode for a template, it accommodates automatically to the parameters offered by the other peer. And also at the responder end, if the route to 80.92.246.248 goes via the interface to which 10.80.0.61 is attached, you don’t need to specify the local-address for the EoIP.

I’ve done EoIP over IKE2. I’ve documented in here: http://forum.mikrotik.com/t/mikrotik-behind-nat-to-mikrotik-ipsec-ike2-with-certs-tunnel-eoip/144952/1

Alright, so if the mask doesn’t matter, it means I should be able to establish the EoIP tunnel because without manually specifying any IP in the policy, I get this (real public IP modified to 1.2.3.4):

On Initiator:

peer=peer1 tunnel=no src-address=172.24.73.9/32 src-port=any 
        dst-address=1.2.3.4/32 dst-port=any protocol=all action=encrypt 
        level=require ipsec-protocols=esp proposal=default ph2-count=2

On Responder:

peer=peer1234 tunnel=no src-address=10.80.0.61/32 src-port=any 
        dst-address=80.92.246.248/32 dst-port=any protocol=all action=encrypt 
        level=require ipsec-protocols=esp proposal=default ph2-count=1

But the EoIP tunnel doesn’t seem to work. It could be simply because my Initiator config is old and messy but before I start with fresh configuration, please let me confirm once more that it’s correct to use the 1.2.3.4 and 80.92.246.248 as the remote addresses for EoIP. Sorry I keep repeating the same thing, but I just can’t understand why it’s supposed to be like this because I thought I would be avoiding using the internet IPs since the EoIP connection was supposed to be inside IPSec tunnel and also because of the 80.92.246.248 IP, which is shared with many ISP’s customers so how could I just use it as the remote address of my specific Mikrotik router - that’s the most strange part but perhaps it’s some IPSec magic where Mikrotik uses the internal IPSec tunnel instead of just trying to establish the tunnel over the internet? However, on the Responder, 80.92.246.248 is still routed to the PPPoE gateway, so into the internet, so I don’t get how EoIP tunnel to this IP would work.

Thanks, I’ll try with the loopback bridge. That looks like what I’m looking for. Looks similar to this guide which I was going to try next https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-SitetoSiteGREtunneloverIPsec(IKEv2)usingDNS which uses GRE instead of EoIP

Let me put it another way. Think about IPsec responder like a TCP server and IPsec initiator like a TCP client. The server doesn’t send anything to the client until it gets an initial request from it; once the initial request arrives, the server learns the client’s IP address and port from it and responds to this address and port. If the client is behind a NAT on its own side, the server knows nothing about it, as it cannot see any other address of the client than the one from which the traffic from the client arrives to it.

In IPsec, if the initiator wishes to use a tunnel mode SA, it suggests the traffic selectors (at least the source and destination addresses, but it may also specify a particular IP protocol and source and destination ports if the notion of ports is supported by that protocol) and the responder either accepts the suggestions compatible with its local policy templates and rejects those that are not. Other scenarios are possible too, but let’s stay concentrated.

With tunnel mode, you can use any combination of addresses as traffic selectors, not related to the peers’ own addresses at all. So you can use any private address at the responder router, and any private address at the initiator router, and create a tunnel mode SA to forward traffic between the two. Then, you configure EoIP to use this pair of private addresses, and you’re good. The price to pay for this comfort is some 20 bytes per packet occupied by the inner IP header.

If the initiator wishes to use transport mode, the source and destination addresses of the traffic selector are given, because they must be the peers’ addresses. Effectively, the transport mode security association only encrypts the traffic between the two peers’ addresses. So much like in the TCP case, each peer uses its own private address on WAN, and uses the public IP of the remote peer because that’s from where it can see the traffic to arrive, and that’s where it has to send it so that the remote side NAT would deliver it to the right destination.

Of course there may be other initiators behind 80.92.246.248, but that doesn’t matter unless they connect to the same responder. And since there is NAT, the IPsec transport packets may not arrive to the responder from port 4500 but from any other UDP port the ISP’s NAT has chosen to use. So as long as the responder sends its traffic to that address and port, the traffic will reach the client, again same like in the TCP case. But the ISP’s NAT will, still like in the TCP case, replace its own public IP with the client’s private IP as it forwards the packet.

The EoIP knows nothing about any IPsec. It sends its transport packets to the remote-address, and they are intercepted by the IPsec traffic selector, encrypted, and sent via the SA. If the SA doesn’t exist, e.g. before the IPsec session is established after reboot, the EoIP packets are sent without encryption to the remote public address, and the NAT of the ISP drops them because they are unexpected for it. This can be avoided by a specific IPsec or routing configuration.

What can be a problem is when multiple initiators connect from behind the same public IP to the same responder. Whereas the security associations can be distinguished from each other, because they come from different ports at the client NAT side, the traffic selectors may overlap unless they use specific protocol and port, so the first policy to be generated from a template intercepts the matching packets.

So if you have some other initiator (like your PC) connected to the LAN of the router behind 80.92.246.248, or merely behind 80.92.246.248, and that initiator suggests a traffic selector with no restriction on IP protocol, the EoIP traffic sent by the responder may get “stolen” by that traffic selector and get delivered to the wrong initiator.

I.e. transport mode provides a more efficient use of packet space, but it has the above mentioned limitations.

This part greatly clarifies my doubt. Thank you!