
 
XTX
newbie
Topic Author
Posts: 26
Joined: Sat Jun 04, 2011 4:34 pm

EOIP over IPSEC TWO RB750

Sat Jun 04, 2011 10:35 pm

Hi
I have an RB750 at location A (wanip: x.y.v.z, lanip 192.168.0.1/24, DHCP) that works like a charm. Now I want to install another 750 at location B (wanip: a.b.c.d).
But I want all the devices that are connected to the 750 at location B to access the internet over the 750 at location A, and the 750 at location A to provide the LAN IP addresses (DHCP) for both locations.
If I understand correctly this is possible if I use EoIP, and because I want it to be secure I need IPsec.
Could someone please explain (step by step - I'm a total newbie, with some code maybe) how to achieve this? I'd be very grateful.
(I have read the examples on how to create an IPsec between two LANs and also how to create an EoIP, but I somehow just can't merge those two things.)

THX
 
XTX
newbie
Topic Author
Posts: 26
Joined: Sat Jun 04, 2011 4:34 pm

Re: EOIP over IPSEC TWO RB750

Wed Jun 08, 2011 8:50 pm

OK... I'm dying a slow and painful death here :D

I have managed to establish an EoIP connection between the 2 routers and it works perfectly... I have also managed to establish an IPsec connection between them... that works also.
But I just can't merge those two together.
My procedure:

First I create an EoIP between the 2... no problems... everything works like it should, then I start making IPsec:
/ip ipsec policy
add src-address=192.168.123.0/24 src-port=any dst-address=192.168.123.0/24 dst-port=any \
sa-src-address=111.222.333.444 sa-dst-address=555.666.777.888 \
tunnel=no action=encrypt proposal=default

but then there is a problem... I get an error about an IP that must be /32 when using transport mode?!? I mean sa-src and sa-dst are /32 IP blocks... I just don't get it :(

Also, do I have to make the NAT bypass rule?

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=192.168.123.0/24 dst-address=192.168.123.0/24

That just doesn't make sense to me...

So if ANYONE can help I'd be very grateful.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: EOIP over IPSEC TWO RB750

Wed Jul 06, 2011 6:18 am

I concur with you. I am in the same situation and scratching my head also :?

Assistance appreciated please?
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm

Re: EOIP over IPSEC TWO RB750

Wed Jul 06, 2011 6:31 pm

Wouldn't it be easier to create your IPSec tunnel then run your EoIP through that?
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179

Next Training
https://www.cbrown.co/2019/04/08/mtcna-june2019-wv/
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm

Re: EOIP over IPSEC TWO RB750

Wed Jul 06, 2011 8:24 pm

> First I create an EoIP between the 2... no problems... everything works like it should, then I start making IPsec:
> /ip ipsec policy
> add src-address=192.168.123.0/24 src-port=any dst-address=192.168.123.0/24 dst-port=any \
> sa-src-address=111.222.333.444 sa-dst-address=555.666.777.888 \
> tunnel=no action=encrypt proposal=default
It should be more like this (don't forget to add your peers):
Side A:
/ip ipsec policy
add src-address=111.222.333.444 src-port=any dst-address=555.666.777.888 dst-port=any \
sa-src-address=111.222.333.444 sa-dst-address=555.666.777.888 \
tunnel=no action=encrypt proposal=default

/interface eoip
add remote-address=555.666.777.888 tunnel-id=1

Side B:
/ip ipsec policy
add src-address=555.666.777.888 src-port=any dst-address=111.222.333.444 dst-port=any \
sa-src-address=555.666.777.888 sa-dst-address=111.222.333.444 \
tunnel=no action=encrypt proposal=default

/interface eoip
add remote-address=111.222.333.444 tunnel-id=1

Then just put your EoIP interfaces into the correct bridges.
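Putting the two sides together into one complete, working configuration, as an added example that is not cbrown's own commands and not taken from the thread: it fills in the peers the post says not to forget, the bridge membership, and the input-chain accepts that the rest of this thread turns out to need. It uses RFC 5737 documentation addresses 192.0.2.1 (site A) and 198.51.100.1 (site B) instead of the thread's placeholder octets, a constructed pre-shared key, the RouterOS 6.x peer syntax from before 6.44 (on 6.44 and later the secret moves to /ip ipsec identity), and assumes the LAN bridge is named bridge-local.

```routeros
# Site A (WAN 192.0.2.1). Constructed example, not the thread's own config.
# 1. Phase 1 peer: who we negotiate IKE with, and the pre-shared key.
/ip ipsec peer
add address=198.51.100.1/32 secret="REPLACE-WITH-LONG-RANDOM-PSK" exchange-mode=main
# 2. Phase 2 policy in transport mode between the two WAN addresses (/32 each,
#    which is what the "must be /32 in transport mode" error is asking for).
#    Everything the routers send each other, the GRE/EoIP packets included, gets ESP.
/ip ipsec policy
add src-address=192.0.2.1/32 dst-address=198.51.100.1/32 \
    sa-src-address=192.0.2.1 sa-dst-address=198.51.100.1 \
    tunnel=no action=encrypt proposal=default
# 3. EoIP tunnel; local-address pins it to the address the policy covers.
/interface eoip
add name=eoip-to-B local-address=192.0.2.1 remote-address=198.51.100.1 tunnel-id=1
# 4. Bridge the tunnel with the LAN so site B hosts see site A's DHCP server.
/interface bridge port
add bridge=bridge-local interface=eoip-to-B
# 5. Input chain: IKE (UDP 500/4500), ESP (protocol 50) and GRE (protocol 47)
#    from the peer must be accepted above any drop rule.
/ip firewall filter
add chain=input action=accept src-address=198.51.100.1 protocol=udp dst-port=500,4500 \
    comment="IKE from site B"
add chain=input action=accept src-address=198.51.100.1 protocol=ipsec-esp \
    comment="ESP from site B"
add chain=input action=accept src-address=198.51.100.1 protocol=gre \
    comment="EoIP (GRE) from site B"

# Site B (WAN 198.51.100.1): the mirror image, addresses swapped, same PSK and tunnel-id.
/ip ipsec peer
add address=192.0.2.1/32 secret="REPLACE-WITH-LONG-RANDOM-PSK" exchange-mode=main
/ip ipsec policy
add src-address=198.51.100.1/32 dst-address=192.0.2.1/32 \
    sa-src-address=198.51.100.1 sa-dst-address=192.0.2.1 \
    tunnel=no action=encrypt proposal=default
/interface eoip
add name=eoip-to-A local-address=198.51.100.1 remote-address=192.0.2.1 tunnel-id=1
/interface bridge port
add bridge=bridge-local interface=eoip-to-A
/ip firewall filter
add chain=input action=accept src-address=192.0.2.1 protocol=udp dst-port=500,4500 \
    comment="IKE from site A"
add chain=input action=accept src-address=192.0.2.1 protocol=ipsec-esp \
    comment="ESP from site A"
add chain=input action=accept src-address=192.0.2.1 protocol=gre \
    comment="EoIP (GRE) from site A"
```

On a router that already has drop rules in the input chain, move the three accept rules above them (/ip firewall filter move). For the original poster's goal, site B's LAN ports also go into bridge-local on router B, and router B must not run its own DHCP server on that bridge, otherwise two servers answer on the same layer 2 segment. Once both sides are up, /ip ipsec installed-sa print should show one SA per direction and the EoIP interface should show R (running).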
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: EOIP over IPSEC TWO RB750

Thu Jul 07, 2011 7:17 am

This is what I had set up - sort of...

As mine was in a lab environment we needed to add in the necessary SRCNAT/masquerades and default routes as if we were on the Internet, and away it went. Thanks for your help.
 
rumiclord
Frequent Visitor
Posts: 65
Joined: Fri Jul 23, 2010 10:20 pm

Re: EOIP over IPSEC TWO RB750

Thu Aug 18, 2011 8:15 pm

Got this to work once in a lab using 5.6, tried to create the same thing from a production router running 4.17 back to my lab using 5.6... no luck. I was able to get them both to work separately but not together; once the IPsec established, the EoIP would not work over the top of it. Upgrading another box to 5.6 to put in production later tonight... anyhow, has anyone been able to get IPsec to work correctly when you have multiple IPs on the same interface???
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm

Re: EOIP over IPSEC TWO RB750

Fri Aug 19, 2011 1:42 pm

Give us a detail print of your IPSec and address settings.
 
TXBrew
just joined
Posts: 5
Joined: Tue Sep 01, 2015 6:40 pm

Re: EOIP over IPSEC TWO RB750

Tue Sep 08, 2015 10:54 pm

> First I create an EoIP between the 2... no problems... everything works like it should, then I start making IPsec:
> /ip ipsec policy
> add src-address=192.168.123.0/24 src-port=any dst-address=192.168.123.0/24 dst-port=any \
> sa-src-address=111.222.333.444 sa-dst-address=555.666.777.888 \
> tunnel=no action=encrypt proposal=default
> It should be more like this (don't forget to add your peers):
> Side A:
> /ip ipsec policy
> add src-address=111.222.333.444 src-port=any dst-address=555.666.777.888 dst-port=any \
> sa-src-address=111.222.333.444 sa-dst-address=555.666.777.888 \
> tunnel=no action=encrypt proposal=default
>
> /interface eoip
> add remote-address=555.666.777.888 tunnel-id=1
>
> Side B:
> /ip ipsec policy
> add src-address=555.666.777.888 src-port=any dst-address=111.222.333.444 dst-port=any \
> sa-src-address=555.666.777.888 sa-dst-address=111.222.333.444 \
> tunnel=no action=encrypt proposal=default
>
> /interface eoip
> add remote-address=111.222.333.444 tunnel-id=1
>
> Then just put your EoIP interfaces into the correct bridges.

Just an FYI... This example worked for me... (EoIP over IPSec)! Thanks!
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: EOIP over IPSEC TWO RB750

Wed Sep 09, 2015 12:18 am

It is even easier now, as MikroTik added IPsec support to EoIP in 6.30 - now you can just specify an IPsec secret when setting up EoIP and the IPsec is created automatically for you.
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
gotsprings
Forum Veteran
Posts: 774
Joined: Mon May 14, 2012 9:30 pm

Re: EOIP over IPSEC TWO RB750

Wed Feb 17, 2016 6:14 pm

I can't seem to get this to work.

The "easier" EoIP.

I set up EoIP and selected a secret. Made sure the tunnel IDs were the same. All I see is this in my logs:
10:28:18 ipsec,error failed to pre-process ph2 packet.

Do I need additions to the firewall filter and NAT too?
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
chechito
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: EOIP over IPSEC TWO RB750

Wed Feb 17, 2016 9:38 pm

Maybe, if you don't need layer 2 connectivity between sites, using IPIP over IPsec tunnels can make the routing easier.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: EOIP over IPSEC TWO RB750

Wed Feb 17, 2016 10:26 pm

> I can't seem to get this to work.
>
> The "easier" EoIP.
>
> I set up EoIP and selected a secret. Made sure the tunnel IDs were the same. All I see is this in my logs:
> 10:28:18 ipsec,error failed to pre-process ph2 packet.
>
> Do I need additions to the firewall filter and NAT too?
Ensure your firewall is allowing input traffic from the endpoint IP address - start by allowing anything from the remote site IP (to get it working) and then refine it to protocol 50, GRE, UDP 500/4500 etc.
 
gotsprings
Forum Veteran
Posts: 774
Joined: Mon May 14, 2012 9:30 pm

Re: EOIP over IPSEC TWO RB750

Thu Feb 18, 2016 6:24 pm

> > I can't seem to get this to work.
> >
> > The "easier" EoIP.
> >
> > I set up EoIP and selected a secret. Made sure the tunnel IDs were the same. All I see is this in my logs:
> > 10:28:18 ipsec,error failed to pre-process ph2 packet.
> >
> > Do I need additions to the firewall filter and NAT too?
> Ensure your firewall is allowing input traffic from the endpoint IP address - start by allowing anything from the remote site IP (to get it working) and then refine it to protocol 50, GRE, UDP 500/4500 etc.
Put an accept rule at the top of each router's firewall chain for input from the other IP.

No change. Same error.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: EOIP over IPSEC TWO RB750

Thu Feb 18, 2016 9:00 pm

Hmmm, OK, well you have the basics right it seems.

I did some looking around and found this link which may help - http://forum.mikrotik.com/viewtopic.php?t=88033

I wonder if you have some peer settings left over from earlier attempts.

Try the following and see if it helps...

1. Disable IPsec in the EoIP settings by removing the secrets.
2. Remove any IPsec peers and policies. You will not be able to remove the default policy :-)
3. Test that traffic flows OK.
4. Now add the secrets back into EoIP and check IPsec peers and policies. There should be a dynamic peer and dynamic policy created. Also check that the default proposal on both routers matches.
5. Retest and see if your tunnels come up OK.
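The five steps above as actual commands, together with the 6.30-style ipsec-secret setup from earlier in the thread, as an added example that is neither scampbell's nor MikroTik's own text: it assumes RouterOS 6.30 or later with the peer still shown under /ip ipsec peer (6.44 and later also lists a dynamic identity), a tunnel named eoip-to-B on site A (WAN 192.0.2.1) towards site B (WAN 198.51.100.1), a constructed pre-shared key, and a hypothetical host 10.0.0.2 on the far side of the bridge for the ping test. The same sequence is run mirrored on site B.

```routeros
# Site A (WAN 192.0.2.1, peer WAN 198.51.100.1, tunnel eoip-to-B). Constructed example.

# Steps 1-2: take IPsec off the tunnel and remove leftovers from earlier manual attempts.
# Only entries pointing at this peer are removed; the built-in default template stays.
/interface eoip set [find name="eoip-to-B"] ipsec-secret=""
/ip ipsec policy remove [find dst-address="198.51.100.1/32"]
/ip ipsec peer remove [find address~"198.51.100.1"]
/ip ipsec installed-sa flush

# Step 3: with no IPsec in the way, frames must already cross the tunnel in the clear.
/ping 10.0.0.2 count=3

# Step 4: set the secret on the tunnel itself. RouterOS then creates the peer and a
# transport-mode policy between the two WAN addresses dynamically; nothing is added by hand.
/interface eoip set [find name="eoip-to-B"] ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK"
/ip ipsec peer print      # expect a dynamic (D) peer for 198.51.100.1
/ip ipsec policy print    # expect a dynamic (D) policy 192.0.2.1/32 <-> 198.51.100.1/32, tunnel=no
/ip ipsec proposal print  # "default" must list the same auth/enc algorithms on both routers

# Step 5: log the negotiation instead of guessing which phase fails.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
/ip ipsec installed-sa print   # one SA per direction once phase 2 has completed
```

The input-chain accepts for UDP 500/4500, ESP and GRE from the peer are still required with the dynamic setup; the tunnel secret replaces the manual peer and policy, not the firewall rules. Reading the log: a repeating "phase1 negotiation failed due to time up" means IKE on UDP 500 is not getting an answer at all (firewall, NAT or wrong peer address), while an error while processing a ph2 packet means the two sides talked but did not agree on the phase 2 policy or proposal, which is why step 4 compares the default proposal on both routers.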
 
gotsprings
Forum Veteran
Posts: 774
Joined: Mon May 14, 2012 9:30 pm

Re: EOIP over IPSEC TWO RB750

Fri Feb 19, 2016 12:32 am

FASTTRACK!!!!

Disable it and packets pass. Web pages load.

Grrrrr.

Spent all day messing with this.

I have not gone back to EoIP yet.

Just standard IPsec config and it's working. Finally.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: EOIP over IPSEC TWO RB750

Fri Feb 19, 2016 12:46 am

> FASTTRACK!!!!
>
> Disable it and packets pass. Web pages load.
>
> Grrrrr.
>
> Spent all day messing with this.
>
> I have not gone back to EoIP yet.
>
> Just standard IPsec config and it's working. Finally.
Some progress then :-) Yeah, fasttrack breaks all kinds of things, as the packets bypass the routing engine as such. It stops queues, connection tracking, hotspot and more.
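Rather than turning fasttrack off for everything, the routed site-to-site case gotsprings ended up with can keep fasttrack for ordinary traffic and exempt only the IPsec-policy traffic. The following is an added example, not gotsprings' or scampbell's configuration: it shows the stock fasttrack rule that caused the breakage beside the corrected ordering, and assumes a RouterOS 6 build that has the ipsec-policy firewall matcher, constructed LAN prefixes 192.168.10.0/24 (site A) and 192.168.20.0/24 (site B), and the NAT bypass rule the original poster asked about earlier in the thread.

```routeros
# Site A, routed (non-EoIP) site-to-site IPsec. Constructed example.

# Weak: the stock fasttrack rule on its own. A fasttracked connection skips the
# normal packet path, so its packets are never matched against the IPsec policy
# and LAN-to-LAN traffic stops flowing once the connection gets fasttracked.
#   /ip firewall filter
#   add chain=forward action=fasttrack-connection connection-state=established,related

# Corrected: accept traffic that an IPsec policy covers *before* the fasttrack rule,
# so only non-IPsec forwarded traffic is fasttracked (this is the ordering MikroTik's
# later default configuration uses).
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack everything else"
add chain=forward action=accept connection-state=established,related

# The NAT side of the same problem: site-to-site traffic must not be masqueraded,
# or the source address no longer matches the policy. Keep this above masquerade.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    comment="IPsec bypass, must be above masquerade" place-before=0
```

On a router that already has the default firewall, add the two ipsec-policy accept rules and then move them above the existing fasttrack rule (/ip firewall filter move); appended rules land at the bottom of the chain, where they never see a packet the fasttrack rule has already taken. Site B gets the same rules with the two LAN prefixes swapped in the NAT bypass.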
 
Toby7
Member Candidate
Posts: 100
Joined: Thu Jan 05, 2012 12:53 am

Re: EOIP over IPSEC TWO RB750

Fri Feb 10, 2017 1:10 pm

> Hmmm, OK, well you have the basics right it seems.
>
> I did some looking around and found this link which may help - http://forum.mikrotik.com/viewtopic.php?t=88033
>
> I wonder if you have some peer settings left over from earlier attempts.
>
> Try the following and see if it helps...
>
> 1. Disable IPsec in the EoIP settings by removing the secrets.
> 2. Remove any IPsec peers and policies. You will not be able to remove the default policy :-)
> 3. Test that traffic flows OK.
> 4. Now add the secrets back into EoIP and check IPsec peers and policies. There should be a dynamic peer and dynamic policy created. Also check that the default proposal on both routers matches.
> 5. Retest and see if your tunnels come up OK.
Sorry for bringing up this old thread, but I have big troubles encrypting an EoIP tunnel with RouterOS 6.38.1. The tunnel works if there is no IPsec secret set but fails when there is an easy password like "test" set.
This is the error message:
phase1 negotiation failed due to time up...

I can ping both ends from the other device. One is connected to the network by wireless; it's running in station mode (CAPsMAN network). I have checked both IPsec proposals, they are correct on both sides. Firewall issues should not be the problem because both devices are in the same subnet (10.0.128.0/24). Any ideas?
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: EOIP over IPSEC TWO RB750

Fri Feb 10, 2017 10:28 pm

If you enable IPsec you also need to allow protocol 50 and UDP 500 & 4500 in the input chain on both routers. Hope this helps.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: EOIP over IPSEC TWO RB750

Fri Feb 10, 2017 10:31 pm

If you are sure the firewall is not stopping any packets, then enable IPsec in the logs and see what is happening.
 
Toby7
Member Candidate
Posts: 100
Joined: Thu Jan 05, 2012 12:53 am

Re: EOIP over IPSEC TWO RB750

Fri Feb 10, 2017 11:58 pm

> If you are sure the firewall is not stopping any packets, then enable IPsec in the logs and see what is happening.
If I do that I see this "phase1 negotiation failed due to time up..." error coming every 30 seconds... Hm, I will verify the firewall rules tomorrow.
 
m4t7e0
Frequent Visitor
Posts: 79
Joined: Tue Jun 09, 2015 12:17 am

Re: EOIP over IPSEC TWO RB750

Tue Feb 21, 2017 8:17 pm

I'm looking for a solution to improve my bandwidth rate. Currently I have this setup:
area 1
r1 (public IP) - L2TP server, EoIP to r2 and r3
area 2
r2 (behind 2 NATs [I can't manage them]) - L2TP client, EoIP to r1
area 3
r3 (behind 1 NAT [USB 3G]) - L2TP client, EoIP to r1

bridge on r1 (EoIP r1 to r2 & r1 to r3).

Now the network works properly but I don't get good connection performance. How can I improve the bandwidth? Another VPN solution? VPLS? BGP? IPsec?

Do these solutions (VPLS - IPsec - BGP etc.) need a public IP address? In area 2 and area 3 I can't have a public IP address and I can't forward public traffic to r2 or r3.

Thanks
