Ethernet over IP (EoIP) is a tunnel that transports layer 2 packets between two IP addresses; this allows two remote locations to share a single subnet.
From RouterOS 6.30 EoIP has an extra parameter called ipsec-secret. When set, the EoIP tunnel is encapsulated in an IPsec PSK tunnel.
For situations where encryption is not required, the allow-fast-path=no parameter can be omitted, allowing for a substantial speed boost.
The setup has a primary and a secondary router, since only one router should provide the DHCP server and internet uplink for the shared subnet.
Primary Router
The tunnel endpoint is directly bridged into the LAN.
```
# Create EoIP tunnel
/interface eoip add name=eoip-test remote-address=192.168.100.205 tunnel-id=0 ipsec-secret=SET-THIS-SECRET allow-fast-path=no
# Add tunnel to existing bridge (with dhcp-server configured)
/interface bridge port add bridge=bridge interface=eoip-test
```
Secondary Router
An ethernet port is added to a new bridge together with the tunnel endpoint.
```
# Create EoIP tunnel
/interface eoip add name=eoip-test remote-address=192.168.100.202 tunnel-id=0 ipsec-secret=SET-THIS-SECRET allow-fast-path=no
# Create new bridge (no dhcp-server from this router)
/interface bridge add name=eoip-bridge
# Add bridge to LAN list for firewall rules
/interface list member add interface=eoip-bridge list=LAN
/interface bridge port add bridge=eoip-bridge interface=eoip-test
# Move ethernet port from the old bridge to the new bridge
/interface bridge port remove [find bridge=bridge interface=ether2]
/interface bridge port add bridge=eoip-bridge interface=ether2
```
By default the EoIP interface reduces the MTU inside the tunnel so that the encapsulated packets fit within a 1500-byte MTU.
Unfortunately when this interface is added to a bridge it reduces the MTU on all the interfaces in the bridge.
This causes certain websites to fail to load (including reddit.com).
The solution is to increase the interface MTU to 1500 by adding the mtu=1500 parameter when creating the eoip interface.
The side-effect of this change is that, where the MTU of the path the tunnel runs over cannot be increased, packets traversing the tunnel will be fragmented.
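To make the MTU arithmetic above concrete, here is an added example (not part of the original post, and not RouterOS code) that models the 42-byte EoIP encapsulation overhead and shows how a full 1500-byte inner packet is fragmented into two outer packets once mtu=1500 is set; the extra ESP overhead added by ipsec-secret is not modelled, since it depends on the cipher chosen.

```python
# Byte sizes of the headers EoIP adds around each Ethernet frame (no VLAN tag,
# no IPsec). EoIP is GRE-based, so an outer IPv4 header and a GRE header are
# prepended to the bridged Ethernet frame.
OUTER_IPV4 = 20   # outer IPv4 header between the two tunnel endpoints
GRE_EOIP = 8      # GRE header as used by EoIP (flags/protocol, length, tunnel-id)
ETHERNET = 14     # Ethernet header of the encapsulated frame
EOIP_OVERHEAD = OUTER_IPV4 + GRE_EOIP + ETHERNET   # 42 bytes
FRAG_UNIT = 8     # IPv4 fragment offsets are counted in 8-byte units


def eoip_inner_mtu(path_mtu: int = 1500) -> int:
    """Largest inner IP packet that still fits in one outer packet of path_mtu.

    This is the reduced MTU the tunnel uses when mtu is left at its default.
    """
    return path_mtu - EOIP_OVERHEAD


def eoip_outer_packets(inner_packet: int, path_mtu: int = 1500) -> list[int]:
    """Sizes of the outer IPv4 packets sent for one inner IP packet.

    The outer datagram is IPv4 + GRE + Ethernet + inner packet. If it exceeds
    path_mtu the router fragments it at the IPv4 layer: every fragment carries
    its own 20-byte IPv4 header and all but the last carry a payload that is a
    multiple of 8 bytes.
    """
    datagram_payload = GRE_EOIP + ETHERNET + inner_packet
    if OUTER_IPV4 + datagram_payload <= path_mtu:
        return [OUTER_IPV4 + datagram_payload]
    per_fragment = (path_mtu - OUTER_IPV4) // FRAG_UNIT * FRAG_UNIT
    sizes = []
    remaining = datagram_payload
    while remaining > 0:
        chunk = min(per_fragment, remaining)
        sizes.append(OUTER_IPV4 + chunk)
        remaining -= chunk
    return sizes


if __name__ == "__main__":
    print("default inner MTU:", eoip_inner_mtu())           # 1458
    print("1458-byte packet ->", eoip_outer_packets(1458))  # [1500]
    print("1500-byte packet ->", eoip_outer_packets(1500))  # [1500, 62]
```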
An IKEv2 IPsec tunnel on its own gives you greater options for choosing between speed and security, but it results in a layer 3 tunnel instead of the layer 2 tunnel above.
First create the profile and proposal on both routers; these need to have compatible settings for the tunnel to establish. The hash and encryption algorithms can be tuned for a compromise between speed and encryption strength.
```
# phase 1
/ip ipsec profile add name=ike2-tun hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
# phase 2
/ip ipsec proposal add name=ike2-tun auth-algorithms=sha256 enc-algorithms=aes-256-gcm pfs-group=modp2048
```
The next step is to create the peer and policy on the first router. The peer's address parameter is the WAN IP address of the remote router. The policy's src-address and dst-address parameters are the local and remote LAN subnets.
```
/ip ipsec peer add name=ike2-tun exchange-mode=ike2 profile=ike2-tun address=192.168.100.205/32
/ip ipsec policy add peer=ike2-tun proposal=ike2-tun src-address=192.168.102.0/24 dst-address=192.168.105.0/24 tunnel=yes
```
This is then repeated on the second router with the address parameter set to the WAN IP address of the first router. Additionally, the src-address and dst-address parameters are reversed.
```
/ip ipsec peer add name=ike2-tun exchange-mode=ike2 profile=ike2-tun address=192.168.100.202/32
/ip ipsec policy add peer=ike2-tun proposal=ike2-tun src-address=192.168.105.0/24 dst-address=192.168.102.0/24 tunnel=yes
```
Finally, create an identity with the shared secret on both routers; after this the tunnel will connect automatically.
```
/ip ipsec identity add peer=ike2-tun secret=YOUR-PSK-HERE
```
The tunnel status can be checked with:
```
/ip ipsec active-peers print
/ip ipsec installed-sa print
```
After creating this tunnel initially (with aes-256-cbc) my performance was lower than expected, so I tested a series of phase 2 authentication and encryption algorithms. These were all tested with an iPerf3 test between 2 VMs on opposite ends of the tunnel; both routers are Mikrotik CHR VMs with 1 core with AES-NI and 512MB of RAM. The phase 1 settings were sha1 hashing, aes128 encryption and Diffie-Hellman group modp2048; PFS was modp2048.
iPerf3 TCP speeds (Mbps)