Using the IPIP guide in the wiki (http://wiki.mikrotik.com/wiki/Manual:Interface/IPIP), I was able to create a tunnel between my apartment and my office. It worked beautifully without issue, but I began experiencing troubles when setting up another IPIP tunnel from my office to one of our clients. It seems that the Local IP field is very particular about what address goes there and I am curious why it is this way.
For example, the router at work has this config:
[admin@TSS] /interface ipip> print where running
Flags: X - disabled, R - running, D - dynamic
# NAME MTU LOCAL-ADDRESS REMOTE-ADDRESS
0 R TSS-BAC 1480 <TSS-Public-Address> <BAC-Public-Address>
2 R TSS-Tony 1480 172.19.30.253 <Tony-Public-Address>
- The local address for TSS-BAC is our public IP
- The local address for TSS-Tony is the IP of ether2 on the router.
- If I change the local address of TSS-Tony to the IP of ether1 on the router (ether1 and ether2 serve different LANs), the tunnel breaks.
- If I change the local address of TSS-Tony to our public IP, the tunnel breaks.
- It does not matter if TSS-BAC is enabled or disabled for any of the above changes.
- Likewise, changing the local address of TSS-BAC to that of either ether1 or ether2 breaks that tunnel.
My router at home has this config:
[admin@Tony] /interface ipip> print
Flags: X - disabled, R - running, D - dynamic
# NAME MTU LOCAL-ADDRESS REMOTE-ADDRESS
0 R Tony-TSS 1480 10.0.0.1 <TSS-Public-Address>
- Local address is the IP assigned to my bridge-local interface.
- Changing the local address to my public IP breaks the tunnel.
The router at our client, BAC, has this config:
[admin@BAC] /interface ipip> print
Flags: X - disabled, R - running, D - dynamic
# NAME MTU LOCAL-ADDRESS REMOTE-ADDRESS
0 R ipip1 1480 10.4.1.254 <TSS-Public-Address>
- Local address is the address assigned to ether1 of the client’s device.
- Changing it to their public IP breaks the tunnel.
- Changing it to any of the addresses assigned to their other interfaces (in total, five different LANs are served from this router) breaks the tunnel.
When I say “breaks the tunnel”, I mean that it no longer even attempts to send traffic out the tunnel interface. Both Tx and Rx are 0bps.
At this point, I’m not even routing traffic to the internal networks; I’m just assigning addresses to the tunnels as follows:
Tony-TSS 1.1.1.1
TSS-Tony 1.1.1.2
BAC-TSS 1.1.1.3
TSS-BAC 1.1.1.4
The firmware levels are:
Tony 6.19
TSS 6.15
BAC 6.18
I can’t particularly update TSS or BAC on a whim, sadly.
I have been unable to find any examples of setting up multiple IPIP tunnels on one device. Our end goal is to essentially have a hub and spoke set up. We’re looking at IPIP tunnels because each location has multiple subnets and it’s easier to add and drop subnets from the routing table vs. creating specific IPSec policies for each subnet at each location.
If I’m doing something wrong, that’d be fantastic to know, or if I’m missing some key information about how this works, that’d also be great to know.
Let me know if I need to provide any further information.
Thanks!
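For reference, here is a hub-and-spoke layout of the kind the post describes, written out as an added RouterOS CLI example; it is not the poster’s configuration and not taken from the MikroTik wiki page linked above. It assumes the hub’s local-address is an address that actually exists on one of the hub’s own interfaces (what /ip address print shows), uses the tunnel addresses from the post, and treats the angle-bracket values, the interface names and the spoke LAN prefixes as placeholders. Because IPIP carries no authentication or encryption, the input-chain rules limit inbound IP protocol 4 to the known peers; rule order matters, so the accepts must sit above the drop.

```routeros
# --- Hub (TSS): two IPIP tunnels, one per spoke -------------------------
# <TSS-Local-Address> is an address present on the hub itself.
# If the public IP is held by an upstream NAT box, it is not present on the hub.
/interface ipip
add name=TSS-Tony local-address=<TSS-Local-Address> remote-address=<Tony-Public-Address>
add name=TSS-BAC  local-address=<TSS-Local-Address> remote-address=<BAC-Public-Address>

# Point-to-point tunnel addresses (same values as in the post)
/ip address
add address=1.1.1.2/32 network=1.1.1.1 interface=TSS-Tony
add address=1.1.1.4/32 network=1.1.1.3 interface=TSS-BAC

# Spoke subnets are reached via the tunnel interfaces (hypothetical prefixes);
# adding or removing a subnet is one route entry, no per-subnet policy needed.
/ip route
add dst-address=10.0.0.0/24 gateway=TSS-Tony comment="Tony LAN via IPIP"
add dst-address=10.4.1.0/24 gateway=TSS-BAC  comment="BAC LAN via IPIP"

# IPIP is plain IP protocol 4: accept it only from the known peers, drop the rest.
/ip firewall filter
add chain=input protocol=ipip src-address=<Tony-Public-Address> action=accept comment="IPIP from Tony"
add chain=input protocol=ipip src-address=<BAC-Public-Address>  action=accept comment="IPIP from BAC"
add chain=input protocol=ipip action=drop comment="drop IPIP from anyone else"

# --- Spoke (Tony): one tunnel back to the hub ---------------------------
/interface ipip
add name=Tony-TSS local-address=10.0.0.1 remote-address=<TSS-Public-Address>

/ip address
add address=1.1.1.1/32 network=1.1.1.2 interface=Tony-TSS

# Office subnets behind the hub (hypothetical prefix)
/ip route
add dst-address=172.19.30.0/24 gateway=Tony-TSS comment="TSS LAN via IPIP"

/ip firewall filter
add chain=input protocol=ipip src-address=<TSS-Public-Address> action=accept comment="IPIP from TSS"
add chain=input protocol=ipip action=drop comment="drop IPIP from anyone else"

# --- Checks (run on either side) -----------------------------------------
# 1. The tunnel must show the R flag; a local-address that is not on the router leaves it down.
/interface ipip print where running
# 2. Confirm the chosen local-address is really configured on an interface.
/ip address print
# 3. Source the ping from the tunnel address so it is forced through the tunnel.
/ping 1.1.1.1 src-address=1.1.1.2 count=3
```

If a tunnel shows no R flag and zero Tx/Rx, the second check is the first thing to compare against the local-address field: the address must be one the router holds itself, not one that only exists on the far side of a NAT device.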