How To Configure Mikrotik Site To Site Eoip Tunnel Alongside Ipsec.

MikroTik provides EoIP (Ethernet over IP) tunnel that is used to create a site to site VPN. EoIP tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel betwixt ii MikroTik Routers on give off of an IP connection. EoIP adds an outer header mentioning the entry call for of the tunnel (SourceIP) as well as the larn out call for of the tunnel (DestinationIP) but the inner package is kept unmodified.

EoIP tunnel entirely encapsulates IP packets but does non render authentication as well as encryption. EoIP tunnel amongst IPsec ensures IP package encapsulation every bit good every bit authentication as well as encryption. IPsec usage makes your packets secure but it industrial plant piece of cake because of having extra authentication as well as encryption process. So, my regard is that if information safety is your concern, utilization EoIP tunnel amongst IPsec but if information safety is non thus headache, utilization entirely MikroTik EoIP tunnel because it industrial plant thus faster.




The goal of this article is to pattern an EoIP VPN tunnel amongst IPsec. So, inward this article I volition demo how to create an EoIP tunnel amongst IPsec to found a secure site to site VPN tunnel betwixt ii MikroTik Routers.

To configure a site to site EoIP VPN Tunnel (with IPsec) betwixt ii MikroTik Routers, I am next a network diagram above.


In this network, Office i Router is connected to network through ether1 interface having IP address 192.168.70.2/30. In your existent network this IP address volition locomote replaced amongst world IP address provided past times your ISP. Office1 Router’s ether2 interface is connected to local network having IP network 10.10.11.0/24. After EoIP tunnel configuration, an EoIP tunnel interface volition locomote created inward Office i Router whose IP address volition locomote assigned 172.22.22.1/30.

Similarly, Office 2 Router is connected to network through ether1 interface having IP address 192.168.80.2/30. In your existent network this IP address volition besides locomote replaced amongst world IP address. Office 2 Router’s ether2 interface is connected to local network having IP network 10.10.12.0/24. After EoIP tunnel configuration an EoIP tunnel interface volition besides locomote created inward Office 2 Router whose IP address volition locomote assigned 172.22.22.2/30.

We volition configure a site to site EoIP Tunnel betwixt these ii MikroTik Routers thus that local network of these routers tin communicate amongst each other through this VPN tunnel across world network.

Core Devices as well as IP Information

To configure a site to site EoIP VPN betwixt ii Routers, I am using ii MikroTik RouterOS v6.38.1. IP information that I am using for this network configuration are given below.
Office i Router WAN IP: 192.168.70.2/30, LAN IP Block 10.10.11.0/24 as well as Tunnel interface IP 172.22.22.1/30
Office 2 Router WAN IP: 192.168.80.2/30, LAN IP Block 10.10.12.0/24 as well as Tunnel interface IP 172.22.22.2/30


This IP information is merely for my RND purpose. Change this information according to your network requirements.
Site to Site EoIP Tunnel Configuration amongst IPsec

We volition directly kickoff our site to site EoIP VPN configuration according to the higher upwards network diagram. Complete configuration tin locomote divided into 4 parts.
MikroTik RouterOS basic configuration
EoIP tunnel configuration amongst IPsec
Assigning IP address on tunnel interface
Static road configuration
Part 1: MikroTik RouterOS Basic Configuration

Basic RouterOS configuration includes assigning WAN IP, LAN IP, DNS IP as well as Route, NAT configuration. According to our network diagram, nosotros volition directly consummate these topics inward our ii MikroTik RouterOS (Office i Router as well as Office 2 Router).

The next steps volition guide y'all how to perform basic configuration inward your Office i RouterOS.
Login to Office i RouterOS using winbox as well as larn to IP > Addresses. In Address List window, click on PLUS SIGN (+). In New Address window, position WAN IP address (192.168.70.2/30) inward Address input champaign as well as pick out WAN interface (ether1) from Interface dropdown carte du jour as well as click on Apply as well as OK button. Click on PLUS SIGN over again as well as position LAN IP (10.10.11.1/24) inward Address input champaign as well as pick out LAN interface (ether2) from Interface dropdown carte du jour as well as click on Apply as well as OK button.
Go to IP > DNS as well as position DNS servers IP (8.8.8.8 or 8.8.4.4) inward Servers input champaign as well as click on Apply as well as OK button.
Go to IP > Firewall as well as click on NAT tab as well as and thus click on PLUS SIGN (+). Under General tab, pick out srcnat from Chain dropdown carte du jour as well as click on Action tab as well as and thus pick out masquerade from Action dropdown menu. Click on Apply as well as OK button.
Go to IP > Routes as well as click on PLUS SIGN (+). In New Route window, click on Gateway input champaign as well as position WAN Gateway address (192.168.70.1) inward Gateway input champaign as well as click on Apply as well as OK button.

Basic RouterOS configuration has been completed inward Office i Router. Now nosotros volition exercise like steps inward Office 2 RouterOS.

Office 2 Router Basic Configuration

The next steps volition guide y'all how to perform basic configuration inward your Office 2 RouterOS.
Login to Office 2 RouterOS using winbox as well as larn to IP > Addresses. In Address List window, click on PLUS SIGN (+). In New Address window, position WAN IP address (192.168.80.2/30) inward Address input champaign as well as pick out WAN interface (ether1) from Interface dropdown carte du jour as well as click on Apply as well as OK button. Click on PLUS SIGN over again as well as position LAN IP (10.10.12.1/24) inward Address input champaign as well as pick out LAN interface (ether2) from Interface dropdown carte du jour as well as click on Apply as well as OK button.
Go to IP > DNS as well as position DNS servers IP (8.8.8.8 or 8.8.4.4) inward Servers input champaign as well as click on Apply as well as OK button.
Go to IP > Firewall as well as click on NAT tab as well as and thus click on PLUS SIGN (+). Under General tab, pick out srcnat from Chain dropdown carte du jour as well as click on Action tab as well as and thus pick out masquerade from Action dropdown menu. Click on Apply as well as OK button.
Go to IP > Routes as well as click on PLUS SIGN (+). In New Route window, click on Gateway input champaign as well as position WAN Gateway address (192.168.80.1) inward Gateway input champaign as well as click on Apply as well as OK button.
Basic RouterOS configuration has been completed inward Office 2 Router. Now nosotros are going to kickoff EoIP tunnel configuration.
Part 2: EoIP Tunnel Configuration amongst IPsec

After MikroTik Router basic configuration, nosotros volition directly configure EoIP tunnel amongst IPsec inward both MikroTik RouterOS. In EoIP tunnel configuration, nosotros volition specify local as well as remote IP address every bit good every bit shared cloak-and-dagger for IPsec as well as Tunnel ID.

EoIP Tunnel Configuration inward Office i Router

The next steps volition demo how to configure EoIP tunnel inward your Office i Router.
Click on Interfaces carte du jour special from Winbox as well as click on EoIP Tunnel tab as well as and thus click on PLUS SIGN (+). New Interface window volition appear.
Put a meaningful EoIP tunnel interface call (eoip-tunnel-r1) inward Name input field.
Put Office i Router’s WAN IP address (192.168.70.2) inward Local Address input field.
Put Office 2 Router’s WAN IP address (192.168.80.2) inward Remote Address input field.
Put a unique ID (for example: 10) inward Tunnel ID input field. This ID must locomote same inward both routers.
Put IPsec shared cloak-and-dagger inward IPsec Secret input champaign if your router supports IPsec as well as y'all want to enable IPsec authentication as well as encryption. You should call back that this IPsec Secret must locomote same inward both routers.
Also uncheck Allow Fast Path checkbox if it is checked as well as y'all desire to enable IPsec.
Click Apply as well as OK button.
You volition notice a novel EoIP tunnel interface followed past times your given call (eoip-tunnel-r1) has been created inward Interface List window.





EoIP tunnel configuration inward Office i Router has been completed. Now nosotros volition exercise the like steps inward our Office 2 Router to create EoIP tunnel interface.

EoIP Tunnel Configuration inward Office 2 Router

The next steps volition demo how to configure EoIP tunnel inward your Office 2 Router.
Click on Interfaces carte du jour special from Winbox as well as click on EoIP Tunnel tab as well as and thus click on PLUS SIGN (+). New Interface window volition appear.
Put a meaningful EoIP tunnel interface call (eoip-tunnel-r2) inward Name input field.
Put Office 2 Router’s WAN IP address (192.168.80.2) inward Local Address input field.
Put Office i Routers WAN IP address (192.168.70.2) inward Remote Address input field.
Put a unique ID (for example: 10) inward Tunnel ID input field. This ID must locomote same inward both routers.
Put IPsec shared cloak-and-dagger inward IPsec Secret input champaign if your router supports IPsec as well as y'all want to enable IPsec authentication as well as encryption. You should call back that this IPsec Secret must locomote same inward both routers.
Also uncheck Allow Fast Path checkbox if it is checked as well as y'all desire to enable IPsec.
Click Apply as well as OK button.
You volition notice a novel EoIP tunnel interface followed past times your given call (eoip-tunnel-r2) has been created inward Interface List window.

EoIP tunnel configuration inward Office 2 Router has been completed. Now nosotros volition assign IP address inward our newly created EoIP tunnel interface inward our both RouterOS thus that both router tin communicate amongst each other through this VPN tunnel interface.
Part 3: Assigning IP Address inward EoIP Tunnel Interface

After EoIP tunnel configuration, a novel EoIP tunnel interface has been created inward both routers. So, if nosotros assign same block IP inward both interfaces, the both router volition locomote able to communicate amongst each other through this EoIP tunnel. In this part, nosotros volition directly assign IP address inward our newly created tunnel interface.

Assigning IP Address on Office i Router’s EoIP Tunnel Interface

The next steps volition demo how to assign IP address on Office i Router’s tunnel interface.
Go to IP > Address carte du jour special as well as click on PLUS SIGN (+).
Put a novel somebody IP Block IP (172.22.22.1/30) inward Address input field.
Choose newly created tunnel interface (eoip-tunnel-r1) from Interface drib downwards menu.
Click Apply as well as OK button.

Assigning IP address on Office i Router’s tunnel interface has been completed. Similarly, nosotros volition directly assign IP address on Office 2 Router’s tunnel interface.

Assigning IP Address on Office 2 Router’s EoIP Tunnel Interface

The next steps volition demo how to assign IP address inward Office 2 Router’s tunnel interface.
Go to IP > Address carte du jour special as well as click on PLUS SIGN (+).
Put a novel somebody IP Block IP (172.22.22.2/30) inward Address input field.
Choose newly created tunnel interface (eoip-tunnel-r2) from Interface drib downwards menu.
Click Apply as well as OK button.


Assigning IP address on Office 2 Router’s tunnel interface has been completed. In this phase both routers are directly able to communicate amongst each other. But both routers’ LAN cannot communicate amongst each other without configuring static routing. So, inward the side past times side business office nosotros volition configure static routing inward our both Office Router.
Part 4: Static Route Configuration

We volition directly configure static road inward our both Office Router thus that each router’s LAN tin communicate amongst each other through EoIP tunnel.

Static Route Configuration inward Office i Router

The next steps volition demo how to configure static road inward Office i Router.
Go to IP > Routes as well as click on PLUS SIGN (+). New Route window volition appear.
In New Route window, position goal IP Block (10.10.12.0/24) inward Dst. Address input field.
Put the Gateway address (172.22.22.2) inward Gateway input field.
Click Apply as well as OK button.

Static road configuration inward Office i Router has been completed. Now nosotros volition configure static road inward Office 2 Router.

Static Route Configuration inward Office 2 Router

The next steps volition demo how to configure static road inward Office 2 Router.
Go to IP > Routes as well as click on PLUS SIGN (+). New Route window volition appear.
In New Route window, position goal IP Block (10.10.11.0/24) inward Dst. Address input field.
Put the Gateway address (172.22.22.1) inward Gateway input field.
Click Apply as well as OK button.

Static road configuration inward Office 2 Router has been completed. Now both router every bit good every bit its LAN tin communicate amongst each other through EoIP tunnel across world network.

To banking concern tally your configuration, exercise a ping asking from whatsoever router or whatsoever local network machine to other local network machine. If everything is OK, your ping asking volition locomote success.

Share this post