I would like to configure two tunnels for a site-to-site VPN with fail-over. Each site has two ISPs. There are two ways I could approach this:
What are the pros and cons of each method? I believe method #2 would use less CPU.
What are the advantages, if any, of using GRE tunnels over IPIP tunnels?
so why the effin f’‘’’ did you not started testing yet ?
To start with, you cannot add a GRE or IPIP tunnel to a bridge, as they are L3 tunnels and only L2 interfaces can be made ports of a bridge. So you either have to route between the sites, or use EoIP tunnels and spanning tree for the failover.
Method #2 would definitely use less CPU but just a little bit (the IPsec overhead traffic is not that large and the actual traffic would use one of the tunnels at a time). However, bare IPsec is also an L3 tunnel, so you’d have to use “EoIP over IPsec over IPIP” to bridge the two sites together.
Last, you can only use method #2 if both sites have public IP addresses on all the WAN interfaces involved, because neither IPIP nor GRE can traverse NAT unless you can manually configure protocol (not just port) forwarding on the NAT device between the Mikrotik and the internet.
Regarding GRE and IPIP - the G in GRE means “generic”, which means that its header contains a few more bytes as compared to the IPIP one, allowing to identify the payload type; however, there is little use of that feature, so it’s only wasted packet space as compared to IPIP. Plus GRE handling in firewall is currently (6.45.9, 6.47.1) broken and requires a specific treatment to even work.
To make it even more complex, EoIP is a proprietary application of GRE, and the necessary firewall treatment is even more specific.
To make this kind of setup (redundant tunnels between sites), I setup multiple GRE/IPsec or GRE6/IPsec tunnels (IPIP/IPsec would work as well, as written by Sindy it uses a few less bytes, but it cannot route IPv6).
Each tunnel gets its own set of /30 endpoint addresses. E.g. 10.0.0.1/30 and 10.0.0.2/30 for the first tunnel, 10.0.0.5/30 and 10.0.0.6/30 for the second tunnel, etc.
The used /30 subnets should not overlap with any local network range used on the sites.
Then, I setup BGP (OSPF would be possible as well) on each of the routers, forming BGP peers over these tunnels (set the peer address of the remote tunnel endpoint, TTL 1, update source is the local tunnel endpoint address).
Configure BFD on the peers when you want quick changeover when a tunnel goes down. At the expense of continuous traffic over the tunnels.
I use this to have tunnels over IPv4 and over IPv6 between the same sites. Or dual tunnels over different providers.
Then I have an additional tunnel over 4G which uses L2TP/IPsec (because the address of the client is not fixed). I have configured it at a lower preference
so it is only used when really required, and I do not run BFD over that to conserve data bundle. And it is the last resort anyway, so BFD would not bring anything.
BGP neatly switches the routing when something goes down. It works perfectly.
I’ve done this with 2 EoIP tunnels between sites and both EoIP interfaces in a Bond with RR, work’s like a charm since 2 years for 14 sites.
It is usually not a good idea to use EoIP. Use it only as stopgap solution e.g. in migration scenarios, or when it is inconvenient to renumber at that time.
I certainly would not want to join 14 sites using EoIP tunnels!!
You really should be considering a solution that uses routing. Renumber everything so each site has its own network range, and the routers know what
to send where based on the IP address, not the MAC address.