kvarg
just joined
Topic Author
Posts: 1
Joined: Tue Dec 30, 2014 10:24 pm

EoIP over encryption tunnel

Tue Dec 30, 2014 10:47 pm

Hi, guys!

I have two MikroTik devices, RB951G (Office1) and RB951Ui (Office2), which are connected as in this example scheme:

192.168.0.2/16(Mikrotik inner bridge) <-> WAN Office1 (1.1.1.1) <-> 100 Mbit provider channel <-> WAN Office2 (2.2.2.2) <-> 192.168.0.1/16(Mikrotik inner bridge)

I want to make a single layer 2 network (192.168.0.0/16) using an EoIP tunnel with encryption of all traffic. I think that the more secure tunnel is IPsec.
But how do I configure an IPsec tunnel for use with an EoIP tunnel? I can't find any instructions on this topic.

Thanks.
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: EoIP over encryption tunnel

Fri Jan 02, 2015 4:50 pm

Basically you will need to set up IPSEC using the site-to-site instructions. Then, when defining the policy, configure the source and destination information based on where your EoIP tunnel originates. So that you don't add too much overhead to the tunnel, uncheck the "tunnel" box on the policy. This will make IPSEC run in transport mode only. This will require that the EoIP tunnel originate on an IP address that is directly routable between the two routers. Assuming your transport is the Internet, this means a public IP address.

That said, spanning such a big L2 domain across a WAN is generally not a good idea. L2 problems quickly become WAN problems, as broadcast storms and other L2 issues will traverse the WAN. It can also lead to tromboning of your data flows, meaning that, depending on where your gateway is, all traffic will need to flow over the WAN to get to even a local destination in some cases.
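
The setup described in the reply above, written out as a RouterOS configuration for the Office1 side; this is an added example, not part of either post. Assumptions: RouterOS v6 command syntax with the pre-shared key on the peer, the names `eoip-office2` and `bridge-local`, `tunnel-id=10`, the PSK placeholder, and the narrowing of the policy to GRE (the IP protocol EoIP uses).

```routeros
# Office1 router (WAN 1.1.1.1). On Office2, swap 1.1.1.1 and 2.2.2.2 everywhere.
# Assumed: RouterOS v6 syntax. Newer releases keep the secret under
# /ip ipsec identity instead of on the peer.

# EoIP tunnel between the two public WAN addresses.
# tunnel-id is an assumed value; it must be identical on both routers.
/interface eoip add name=eoip-office2 local-address=1.1.1.1 \
    remote-address=2.2.2.2 tunnel-id=10

# Join the tunnel to the existing LAN bridge (bridge name is assumed).
/interface bridge port add bridge=bridge-local interface=eoip-office2

# IKE peer for the remote office. Replace the placeholder with a long random key.
/ip ipsec peer add address=2.2.2.2/32 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK"

# Policy in transport mode (tunnel=no is the unchecked "tunnel" box).
# Source and destination are the addresses the EoIP tunnel originates on.
# protocol=gre limits the policy to EoIP traffic (assumed narrowing).
# level=require drops matching packets while no SA exists, so the
# tunnel does not fall back to cleartext.
/ip ipsec policy add src-address=1.1.1.1/32 dst-address=2.2.2.2/32 \
    protocol=gre action=encrypt level=require ipsec-protocols=esp \
    tunnel=no sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2

# Check: SAs should be listed for 1.1.1.1 <-> 2.2.2.2 and their byte
# counters should grow while traffic crosses the EoIP tunnel.
/ip ipsec installed-sa print
```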
