EoIP with IPsec

Ethernet over IP (EoIP) is a MikroTik tunnel protocol that transports layer 2 frames between two IP addresses, which lets two remote locations share a single subnet.

From RouterOS 6.30 EoIP has an extra parameter called ipsec-secret. When it is set, the router creates a dynamic IPsec peer and policy towards remote-address using that pre-shared key, so the EoIP traffic is carried inside ESP. The dynamic peer uses the default IPsec profile and proposal, so the algorithms (and therefore the strength) come from those defaults unless you change them in /ip ipsec profile and /ip ipsec proposal. allow-fast-path must be set to no when ipsec-secret is used. For situations where encryption is not required both parameters can be omitted (allow-fast-path defaults to yes), allowing for a substantial speed boost at the cost of sending the layer 2 traffic in the clear.

In this layout one router is primary and the other secondary, because only one side should run the DHCP server and provide the internet uplink for the shared subnet.

Primary Router

The tunnel endpoint is directly bridged into the LAN.

# Create EoIP tunnel
/interface eoip
add name=eoip-test remote-address=192.168.100.205 tunnel-id=0 ipsec-secret=SET-THIS-SECRET allow-fast-path=no

# Add tunnel to existing bridge (with dhcp-server configured)
/interface bridge port
add bridge=bridge interface=eoip-test

Secondary Router

An ethernet port is added to a new bridge together with the tunnel endpoint.

# Create EoIP tunnel
/interface eoip
add name=eoip-test remote-address=192.168.100.202 tunnel-id=0 ipsec-secret=SET-THIS-SECRET allow-fast-path=no

# Create new bridge (no dhcp-server from this router)
/interface bridge
add name=eoip-bridge

# Add the new bridge to the LAN interface list so the existing firewall rules apply to it
/interface list member
add interface=eoip-bridge list=LAN

/interface bridge port
add bridge=eoip-bridge interface=eoip-test
# Move the LAN ethernet port from the old bridge to the new one
# (remove takes an item, not a parameter list, hence the [find ...])
remove [find interface=ether2]
add bridge=eoip-bridge interface=ether2

MTU Issues

By default the EoIP interface reduces the MTU inside the tunnel so that the encapsulated packets still fit in a 1500-byte outer MTU. Unfortunately a bridge takes the smallest MTU of its ports, so adding the tunnel to the bridge lowers the MTU for every interface in it. This causes certain websites to fail to load (including reddit.com), typically where path MTU discovery is broken because ICMP "fragmentation needed" messages are filtered somewhere on the path. The solution is to raise the interface MTU to 1500 by adding the mtu=1500 parameter when creating the eoip interface. The side-effect of this change is that, where the MTU of the underlying connection cannot be increased, full-size packets traversing the tunnel are fragmented on the outer path.
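The arithmetic behind this, as an added worked example (not code from the original page or from MikroTik): the script below computes the outer packet size for a given inner MTU, both for plain EoIP and for EoIP carried inside ESP with the suites that appear on this page, and from that derives the inner MTU that fits a 1500-byte underlay and the underlay MTU you need if you force mtu=1500 as described above. Header sizes come from the RFCs; that the ipsec-secret policy uses ESP in transport mode and that GCM uses the 16-byte tag are assumptions, marked in the code. The same numbers bear on the proposal choice in the IKEv2 section below, since a GCM suite adds less overhead than CBC plus a separate HMAC.

```python
"""Encapsulation overhead of EoIP carried inside IPsec ESP.

Added worked example for this page; not code from the original article or
from MikroTik.  Header sizes are taken from the standards: 20-byte IPv4,
14-byte Ethernet, 8-byte GRE (RouterOS documents 42 bytes of EoIP overhead
in total), RFC 4303 ESP header/trailer, HMAC ICVs from RFC 2404/4868, 8-byte
explicit IVs for CTR (RFC 3686) and GCM (RFC 4106).
ASSUMPTIONS: the dynamic policy created by ipsec-secret uses ESP in
transport mode (pass mode="tunnel" to model a tunnel-mode policy), and GCM
uses the 16-byte ICV.  Algorithm names follow the RouterOS spelling used on
this page.
"""

IPV4_HEADER = 20
ETHERNET_HEADER = 14   # header of the inner frame that EoIP carries
GRE_HEADER = 8         # EoIP's GRE header (carries the tunnel-id)
ESP_HEADER = 8         # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header

# enc-algorithms name -> (explicit IV length, required payload alignment)
CIPHERS = {
    "null":        (0, 4),
    "3des":        (8, 8),
    "aes-128-cbc": (16, 16),
    "aes-256-cbc": (16, 16),
    "aes-128-ctr": (8, 4),
    "aes-256-ctr": (8, 4),
    "aes-128-gcm": (8, 4),
    "aes-256-gcm": (8, 4),
}
AEAD = {"aes-128-gcm", "aes-256-gcm"}   # authenticate with their own tag
GCM_ICV = 16                            # assumed tag length
# auth-algorithms name -> ICV length appended by the HMAC
AUTHS = {"null": 0, "sha1": 12, "sha256": 16, "sha512": 32}


def esp_packet_size(payload_len, enc, auth):
    """Bytes on the wire for one ESP packet protecting payload_len bytes."""
    iv_len, align = CIPHERS[enc]
    # For an AEAD cipher the separate auth-algorithms setting adds no HMAC.
    icv_len = GCM_ICV if enc in AEAD else AUTHS[auth]
    pad_len = (-(payload_len + ESP_TRAILER)) % align
    return ESP_HEADER + iv_len + payload_len + pad_len + ESP_TRAILER + icv_len


def outer_packet_size(inner_mtu, enc=None, auth="sha1", mode="transport"):
    """Size of the outer IPv4 packet carrying an inner frame whose IP payload
    is inner_mtu bytes.  enc=None models plain (unencrypted) EoIP."""
    gre_packet = GRE_HEADER + ETHERNET_HEADER + inner_mtu
    if enc is None:
        return IPV4_HEADER + gre_packet
    if mode == "tunnel":
        # tunnel mode wraps the whole EoIP IP packet and adds a new IP header
        return IPV4_HEADER + esp_packet_size(IPV4_HEADER + gre_packet, enc, auth)
    # transport mode: the EoIP IP header stays outside, ESP protects GRE+frame
    return IPV4_HEADER + esp_packet_size(gre_packet, enc, auth)


def max_inner_mtu(outer_mtu=1500, enc=None, auth="sha1", mode="transport"):
    """Largest inner MTU whose full-size frames never exceed outer_mtu, i.e.
    the value the tunnel MTU must shrink to so that no outer fragmentation
    occurs."""
    mtu = outer_mtu
    while mtu > 0 and outer_packet_size(mtu, enc, auth, mode) > outer_mtu:
        mtu -= 1
    return mtu


def outer_mtu_needed(inner_mtu=1500, enc=None, auth="sha1", mode="transport"):
    """Path MTU the underlay must offer so that an EoIP interface forced to
    mtu=inner_mtu sends every full-size frame unfragmented."""
    return outer_packet_size(inner_mtu, enc, auth, mode)


if __name__ == "__main__":
    suites = [(None, "sha1"), ("aes-128-cbc", "sha1"), ("aes-256-gcm", "sha256")]
    print(f"{'suite':<22}{'max inner MTU @1500':>22}{'outer MTU for 1500':>22}")
    for enc, auth in suites:
        name = "plain EoIP" if enc is None else f"{enc}/{auth}"
        print(f"{name:<22}{max_inner_mtu(1500, enc, auth):>22}"
              f"{outer_mtu_needed(1500, enc, auth):>22}")
```

Plain EoIP needs a 1542-byte underlay to carry 1500-byte inner packets; with the ipsec-secret default of aes-128-cbc/sha1 that grows to 1592, and with aes-256-gcm to 1576. If the underlay is stuck at 1500, the corresponding unfragmented inner MTUs are 1458, 1416 and 1424, which is the reduction the bridge inherits.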

IPsec IKEv2 Site-to-site

This gives more control over the trade-off between speed and security, but the result is a layer 3 (routed) tunnel rather than the layer 2 bridge above, so the two sites keep separate subnets.

First create the profile (phase 1) and proposal (phase 2) on both routers; the settings must be compatible on both ends for the tunnel to establish. The hash and encryption algorithms can be tuned for a compromise between speed and strength. Note that the aes-*-gcm ciphers are AEAD modes that authenticate the payload themselves, so with a GCM proposal the auth-algorithms setting adds no separate HMAC.

# phase 1
/ip ipsec profile
add name=ike2-tun hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
# phase 2
/ip ipsec proposal
add name=ike2-tun auth-algorithms=sha256 enc-algorithms=aes-256-gcm pfs-group=modp2048

The next step is to create the peer and policy on the first router. The peer's address parameter is the WAN IP address of the remote router (as a /32). The policy's src-address and dst-address are the local and remote LAN subnets.

/ip ipsec peer
add name=ike2-tun exchange-mode=ike2 profile=ike2-tun address=192.168.100.205/32
/ip ipsec policy
add peer=ike2-tun proposal=ike2-tun src-address=192.168.102.0/24 dst-address=192.168.105.0/24 tunnel=yes

This is then repeated on the second router with the address parameter set to the WAN IP address of the first router, and with the src-address and dst-address parameters swapped.

/ip ipsec peer
add name=ike2-tun exchange-mode=ike2 profile=ike2-tun address=192.168.100.202/32
/ip ipsec policy
add peer=ike2-tun proposal=ike2-tun src-address=192.168.105.0/24 dst-address=192.168.102.0/24 tunnel=yes

Finally create an identity with the shared secret on both routers (auth-method defaults to pre-shared-key). Use a long, random secret: with PSK authentication the IKEv2 tunnel is only as strong as the key. After this the tunnel connects automatically.

/ip ipsec identity
add peer=ike2-tun secret=YOUR-PSK-HERE

The tunnel status can be checked with:

/ip ipsec
active-peers print
installed-sa print

Phase-2 speed comparison

After creating this tunnel initially (with aes-256-cbc) my performance was lower than expected, so I tested a series of phase 2 authentication and encryption algorithms. These were all tested with an iPerf3 test between two VMs on opposite ends of the tunnel; both routers are MikroTik CHR VMs with 1 core (with AES-NI) and 512MB of RAM. The phase 1 settings were sha1 hashing, aes128 encryption and Diffie-Hellman group modp2048; PFS was modp2048.

iPerf3 TCP throughput (Mbps), phase 2 encryption (rows) by phase 2 authentication (columns)

enc \ auth      sha1   sha256   sha512
aes-128-cbc      550      360      380
aes-256-cbc      500      350      370
blowfish         300      240      250
twofish          325      250      270
camellia-128     315      245      265
camellia-256     280      220      230
aes-128-ctr      570      350      400
aes-256-ctr      560      380      390
aes-128-gcm      880      890      895
aes-256-gcm      880      890      895
3des             110      100      100
des              210      180      190
null             590      390      425