mmgareth
just joined
Topic Author
Posts: 18
Joined: Wed Oct 22, 2014 11:48 am

Secure EoIP with IPSEC

Tue Nov 11, 2014 4:21 pm

I have two Mikrotik routers operating as a transparent bridge using EoIP; they are connected to each other using a shared long-distance wireless network (operated by a rural technology company).

Main office:
192.168.1.0/24
RuralTech wifi: 10.16.0.89/21

Branch office:
192.168.1.0/24
RuralTech wifi: 10.16.1.40/21

The long distance wifi service does not provide internet access, and so our PCs at the branch office (via the transparent bridge) get IP addresses via DHCP on the head office Mikrotik and use its internet connection.

The long distance wifi has no security, and is shared with other businesses.

We have used a PPTP service on the main office router, and the branch office setup as a PPTP client (similar config described here: http://blog.butchevans.com/2008/09/mikr ... pptp_eoip/)

But what we would like to do is ditch the insecure PPTP service and use IPSEC.

I found this: http://forum.mikrotik.com/viewtopic.php?f=7&t=6102 which describes something similar, and with partial config. But I keep breaking the EoIP link.

Has anyone done anything similar? I really need to keep EoIP as I really like the transparent bridge.
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Secure EoIP with IPSEC

Tue Nov 11, 2014 4:50 pm

I'm doing something similar and I'll give you a run down of what my config looks like:

Router1 has a public IP of 1.2.3.4
Router2 has a public IP of 4.3.2.1

I create an EoIP tunnel specifying the Public IP addresses as the source and destination endpoints in the config. I then add the EoIP tunnel to a bridge interface. This creates the L2 bridge that we want. Of course, at this stage it's completely unencrypted.

With IPSec, I create a policy on each router with the public IPs specified in the source and destination address fields as well as the SA source and SA destination fields. The trick here is to uncheck tunnel mode. We don't need to create an IPSec tunnel since we want EoIP. We just want to encrypt communication between the two endpoints. I select ESP for the IPSec protocol in the policy config. From there, it's just setting up your Peer config and Proposal config to handle the type of encryption, preshared keys, etc.

Once the policies are in place, you can disable and re-enable the EoIP tunnel and the Remote Peers and Installed SAs should populate under IPSec indicating that the communication between the two routers is encrypted.
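As an added example (not rmmccann's own configuration, and not from the original post), here is the run-down above written out as RouterOS commands, using the main office and branch office wireless addresses from the first post in place of 1.2.3.4 / 4.3.2.1. The interface names, tunnel-id, pre-shared key and algorithm choices are assumptions, as is narrowing the policy to protocol=gre (EoIP's carrier protocol), which the post does not mention. The syntax is RouterOS v6 as it was at the time of the thread; later releases split peer settings into separate identity and profile objects.

```routeros
# ---- Main office router (EoIP endpoint 10.16.0.89 on the shared wireless link) ----

# 1. EoIP tunnel between the two wireless addresses, bridged with the office LAN port.
#    Interface names and tunnel-id are assumed; ether2 stands for the LAN port.
/interface eoip add name=eoip-branch local-address=10.16.0.89 remote-address=10.16.1.40 tunnel-id=1
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=eoip-branch

# 2. IPsec peer (IKE phase 1) and proposal (phase 2).
#    The secret is a placeholder: use a long random pre-shared key, identical on both routers.
/ip ipsec peer add address=10.16.1.40/32 auth-method=pre-shared-key secret=CHANGE-ME-LONG-RANDOM-PSK \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 generate-policy=no
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# 3. Transport-mode policy (tunnel=no). src/dst and SA src/dst are the same two endpoint
#    addresses; only the GRE (EoIP) traffic between them is encrypted with ESP.
#    level=require means EoIP frames are dropped rather than sent in the clear when no SA exists.
/ip ipsec policy add src-address=10.16.0.89/32 dst-address=10.16.1.40/32 protocol=gre \
    sa-src-address=10.16.0.89 sa-dst-address=10.16.1.40 tunnel=no \
    action=encrypt level=require ipsec-protocols=esp proposal=default

# ---- Branch office router (EoIP endpoint 10.16.1.40): the mirror image ----
/interface eoip add name=eoip-main local-address=10.16.1.40 remote-address=10.16.0.89 tunnel-id=1
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=eoip-main
/ip ipsec peer add address=10.16.0.89/32 auth-method=pre-shared-key secret=CHANGE-ME-LONG-RANDOM-PSK \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 generate-policy=no
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add src-address=10.16.1.40/32 dst-address=10.16.0.89/32 protocol=gre \
    sa-src-address=10.16.1.40 sa-dst-address=10.16.0.89 tunnel=no \
    action=encrypt level=require ipsec-protocols=esp proposal=default

# 4. Bounce the EoIP tunnel (on either side) and confirm the peer and SAs appear, as the post describes.
/interface eoip disable eoip-branch
/interface eoip enable eoip-branch
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

The tunnel-id must match on both ends, and the pre-shared key must be identical. After the bounce, the bytes counters in `/ip ipsec installed-sa print` should climb as traffic crosses the bridge; if they stay at zero while the EoIP link is up, the policy is not matching (check that the policy's src/dst and SA addresses are the EoIP endpoint addresses, not LAN addresses, and that tunnel=no is set).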
 
mmgareth
just joined
Topic Author
Posts: 18
Joined: Wed Oct 22, 2014 11:48 am

Re: Secure EoIP with IPSEC

Tue Nov 11, 2014 5:41 pm

Thanks so much!

It was the SA source and destination fields I had wrong in my original config, and not understanding why tunnel mode should be unchecked.

It seems to be working - the bytes column rapidly increases in 'IPsec > Installed SAs' as I send traffic.

Many thanks!
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Secure EoIP with IPSEC

Tue Nov 11, 2014 5:45 pm

Awesome! Glad you got it working.