gotsprings
Forum Veteran
Topic Author
Posts: 774
Joined: Mon May 14, 2012 9:30 pm

Using EoIP as the connector.

Tue Feb 02, 2016 10:06 pm

Got a request to connect two Mikrotiks together.

"We want any device on one Tik to be able to talk to the Other."

Set up an IPSec profile for each router and scripts to check for IP changes.
Both sites can reach devices on the other side by entering the IP address of the device they want to communicate with.

Now enter the issue of the IP phone.
The phone server is at the office. The Phone is at the house.
From the house router I can ping the phone server at the office.
The clients state that they can see cameras at the office from the house.
BUT... the phone won't connect.
I have watched in torch and sure enough the phone is sending packets to the phone server over the tunnel. But nothing is coming back from the Phone Server.

They have confirmed that the phone works when on site with the server (at office). I wonder if the phone system is set up not to allow connections from outside its subnet.

Easy answer...
EoIP for the phone to a port.

But the client wants to be able to move the phone around. (I said tag the phone output to force it to a VLAN. Then include that VLAN in a bridge that has the EoIP tunnel.)

My question is... if I establish the EoIP tunnel... I can now encrypt that with IPSec.
Should I make a route that allows the 2 subnets to communicate over the EoIP tunnel?
Or
Do I keep the current IPSec connection and have the EoIP tunnel as well?

Opinions?
Pitfalls?
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Using EoIP as the connector.

Tue Feb 02, 2016 10:21 pm

I would say to have the phone system updated to allow the remote network as a source of phone registrations.
It could be something silly like no default GW set on the phone system, too...

If none of that is possible, I'd say to keep the phone bridge over EoIP as a separate entity from the tunnel you've already built. In fact, you wouldn't need to enable crypto for this EoIP session so long as you use endpoint IP addresses that will already go through the existing tunnel.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
gotsprings
Forum Veteran
Topic Author
Posts: 774
Joined: Mon May 14, 2012 9:30 pm

Re: Using EoIP as the connector.

Tue Feb 02, 2016 10:51 pm

Thanks Zerobyte...

But you know the story... no one has access to the phone server. No one knows when last it worked. Someone thinks they remember being able to use it from off site but that might have been a different system...

So stick my EoIP tunnel in my IPSec?

Not sure how I could do that. Assign a bridge on one side to have an IP from this side then set up EoIP between those 2 addresses? That should push the packets into the tunnel? Seems like I am gonna break something there.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Using EoIP as the connector.

Tue Feb 02, 2016 11:05 pm

> Not sure how I could do that. Assign a bridge on one side to have an IP from this side then set up EoIP between those 2 addresses? That should push the packets into the tunnel? Seems like I am gonna break something there.

When configuring the EoIP interface, use the local IP = the LAN of the local site, and the remote IP = the LAN of the remote site.
Then create a bridge "phonebridge" and connect whichever physical interface is for the phone, and the EoIP interface (no IP necessary for the Mikrotik itself).

For the Main site, if there's already a LAN bridge, just add the EoIP interface to it. So long as your VPN itself is routed (i.e. not bridging the LAN interface at either end) then there shouldn't be any spacetime paradoxes generated when you do it this way. :)
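The layout described in the reply above, written out as RouterOS commands; this is an added example, not configuration posted in the thread. The firewall rule near the end drops any EoIP (GRE) packet that would leave the WAN port without matching an IPsec policy, so the unencrypted EoIP session cannot go out in the clear if the policy is missing or down. The LAN addresses, interface names (ether1 as WAN, ether5 as the phone port, bridge-lan) and tunnel-id are assumptions.

```routeros
# Constructed addressing (assumptions, not from the thread):
#   house LAN  192.168.88.0/24, router 192.168.88.1, phone port ether5
#   office LAN 192.168.10.0/24, router 192.168.10.1, LAN bridge "bridge-lan"
#   WAN port ether1 on both routers

# --- House router ---
# EoIP endpoints are the two LAN addresses, so the GRE packets match the
# existing LAN-to-LAN IPsec policy and travel inside the encrypted tunnel.
/interface eoip add name=eoip-phone local-address=192.168.88.1 \
    remote-address=192.168.10.1 tunnel-id=10
/interface bridge add name=phonebridge
/interface bridge port add bridge=phonebridge interface=ether5
/interface bridge port add bridge=phonebridge interface=eoip-phone

# --- Office router ---
/interface eoip add name=eoip-phone local-address=192.168.10.1 \
    remote-address=192.168.88.1 tunnel-id=10
/interface bridge port add bridge=bridge-lan interface=eoip-phone

# --- Both routers: fail closed ---
# Drop EoIP (GRE, IP protocol 47) that would leave the WAN without IPsec.
/ip firewall filter add chain=output out-interface=ether1 protocol=gre \
    ipsec-policy=out,none action=drop comment="EoIP must ride IPsec"

# --- Verify: policy covers both LANs, SAs are installed, tunnel is running ---
/ip ipsec policy print
/ip ipsec installed-sa print
/interface eoip print
```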
 
gotsprings
Forum Veteran
Topic Author
Posts: 774
Joined: Mon May 14, 2012 9:30 pm

Re: Using EoIP as the connector.

Tue Feb 02, 2016 11:56 pm

Hahahah

Looks like it's running.

Now I have to have someone plug in a phone.
 
gotsprings
Forum Veteran
Topic Author
Posts: 774
Joined: Mon May 14, 2012 9:30 pm

Re: Using EoIP as the connector.

Sat Feb 13, 2016 5:30 pm

Looks like it did rupture the space time continuum.

I see packets going through. I see pings. I see multicast coming across... a device plugged in failed to get an IP from the far side.

Also various websites stopped working on the main router.

Removed EoIP and everything went back to normal.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Using EoIP as the connector.

Sat Feb 13, 2016 7:15 pm

Perhaps another strategy would be to dual-IP the router at the office, adding whatever IP the phone system thinks is its default GW. Then you'd be able to have regular routed connections working from "remote" phones.
 
gotsprings
Forum Veteran
Topic Author
Posts: 774
Joined: Mon May 14, 2012 9:30 pm

Re: Using EoIP as the connector.

Tue Feb 16, 2016 7:34 pm

That was the initial issue. I set up an IPsec tunnel between the 2 routers. Services work fine via IP.

But the phone despite having a proper gateway did not have packets coming back. Hence the attempt at EoIP.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Using EoIP as the connector.

Tue Feb 16, 2016 9:01 pm

Could you not have used src-nat to fool the PBX that any packets received from a remote network were instead locally sent?

This would eliminate the need for EoIP Eric and possibly simpler?

Also where we see SIP issues the packet sniffer is the best tool as you can save to a file, called sip.cap for example, then open the resultant file in Wireshark and analyse why the phone won't connect. It's excellent for SIP-related issues.
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
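The src-nat and packet-sniffer suggestions from the post above, as RouterOS commands on the office router; this is an added example, not configuration from the thread. The PBX address 192.168.10.50, the router and LAN addresses, and SIP signalling on UDP 5060 are assumptions.

```routeros
# Assumptions (not from the thread): PBX 192.168.10.50, office router LAN
# address 192.168.10.1, house LAN 192.168.88.0/24, SIP signalling on UDP 5060.

# Traffic from the house LAN to the PBX is rewritten so the PBX sees a
# source inside its own subnet and replies to the router, which reverses
# the translation and sends the reply back through the IPsec tunnel.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    dst-address=192.168.10.50 action=src-nat to-addresses=192.168.10.1 \
    comment="remote phones appear local to PBX"

# Capture only the PBX's signalling to a file for Wireshark.
/tool sniffer set filter-ip-address=192.168.10.50/32 filter-port=5060 \
    file-name=sip.cap
/tool sniffer start
# ... have the phone attempt to register, then:
/tool sniffer stop
/file print where name="sip.cap"

# The capture holds extensions and authentication exchanges; delete it
# from the router once it has been downloaded.
/file remove sip.cap
```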
