tipex
just joined
Topic Author
Posts: 8
Joined: Tue Sep 01, 2015 11:37 am

Two tunnels between two routers? EoIP + IPIP

Sun Jan 03, 2021 12:18 am

Hello and happy new year to everyone!

I have two routers in different locations and I've two tunnels running between them, an IPIP tunnel and an EoIP tunnel.
The idea of the IPIP tunnel is to be able to reach the local subnet of Router A from the local subnet of Router B.
The idea of the EoIP tunnel is to have some 'Router A ports' physically available in RouterB.

I've currently set up both tunnels at the same time, using the public IP addresses of both ends in both tunnels.
EoIP is working fine but sometimes IPSec gives problems and doesn't connect (unless I disable the IPIP tunnel).
IPIP tunnel works fine when EoIP tunnel is disabled, but when both tunnels are enabled, ping only works in one direction (this is because on the routing table of Router B it tries to reach Router A through the EoIP tunnel instead of the IPIP tunnel).

It seems that having both tunnels active at the same time is not an ideal setup, is it?
Should I try to make the EoIP tunnel through the IPIP tunnel? Will this work?
If so, if the first tunnel (IPIP?) is already using IPSec, do I have to use IPsec on the 'embedded' (EoIP) tunnel?

What happens with the MTU then? Do I have to calculate the new MTU for the embedded tunnel or does RouterOS do this automatically?

Thanks!
 
killersoft
Member Candidate
Posts: 264
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: Two tunnels between two routers? EoIP + IPIP

Sun Jan 03, 2021 8:50 am

EoIP is basically a Layer2 link.
You can add your VLANs or other tunnels inside your EoIP interface (not sure why you would tunnel in a tunnel, as your MTU on your inner tunnel is going to be small, plus your CPU load will be high running it like that).
 
sindy
Forum Guru
Posts: 11285
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two tunnels between two routers? EoIP + IPIP

Sun Jan 03, 2021 10:41 am

Always post the complete exports of the configurations (minus the sensitive information, see my automatic signature below), as otherwise we have to guess rather than analyze.

The IPIP tunnel and EoIP tunnel as such cannot conflict with each other as they differ already by the L4 protocol they use. But as you mention IPsec, I guess you've configured some ipsec-secret on both the /interface ipip and /interface eoip rows, which makes RouterOS create dynamically the complete IPsec configuration needed to encrypt the respective tunnel. However, if the two tunnels are created between the same local-address and remote-address, which is likely your case, the second IPsec peer to be dynamically created conflicts with the first one, which completely breaks the creation of the dynamic IPsec configuration for the second tunnel, as the process is not sophisticated enough to analyse and augment an already existing configuration. And as each of the two dynamic configurations creates an IPsec policy that matches only the respective tunneling protocol (ip-encap for IPIP and gre for EoIP), the dynamic setup created for one tunnel doesn't provide encryption for the other one. And if a different tunnel wins the race at each peer, both are sent without encryption.

Running EoIP inside IPIP would cost you some part of MTU as you've realized. So I'd recommend to disable both tunnels, enable just one of them, and copy the dynamically created IPsec configuration items to static ones. While you've only got a single dynamically created IPsec configuration in place, do the following:

/ip ipsec peer add copy-from=[find where dynamic] disabled=yes name=common-peer
/ip ipsec identity add copy-from=[find where dynamic] peer=common-peer
/ip ipsec policy add peer=common-peer protocol=gre
/ip ipsec policy add peer=common-peer protocol=ip-encap


After that, disable the currently enabled tunnel and remove the ipsec-secret from both tunnels' configuration:
/interface ipip unset [find ipsec-secret~".*"] ipsec-secret
/interface eoip unset [find ipsec-secret~".*"] ipsec-secret


Now first enable the manually added peer, and then enable both tunnels.

Of course all the above has to be done at both ends.
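The conflict described in the post above can be checked for offline in a configuration export. This is an added example, not part of the original post or of RouterOS: the function names and the sample export are constructed, and it assumes the export was taken with the ipsec-secret values visible.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample of a RouterOS export fragment (documentation address ranges).
SAMPLE_EXPORT = r"""
/interface eoip
add ipsec-secret=example local-address=192.0.2.1 name=eoip-to-B \
    remote-address=198.51.100.2 tunnel-id=10
add ipsec-secret=example local-address=192.0.2.1 name=eoip-to-C \
    remote-address=203.0.113.9 tunnel-id=11
/interface ipip
add ipsec-secret=example local-address=192.0.2.1 name=ipip-to-B \
    remote-address=198.51.100.2
"""

# The two tunnel types discussed in the thread.
TUNNEL_MENUS = {"/interface eoip", "/interface ipip"}

def parse_tunnels(export_text):
    """Yield (menu, params) for every 'add' row under the tunnel menus."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # undo export line wrapping
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu in TUNNEL_MENUS:
            tokens = shlex.split(line[4:])  # honours quoted values
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def find_ipsec_conflicts(export_text):
    """Return {(local, remote): [tunnels]} where several enabled tunnels with
    an ipsec-secret share one address pair, so their dynamic peers collide."""
    groups = defaultdict(list)
    for menu, p in parse_tunnels(export_text):
        if p.get("ipsec-secret") and p.get("disabled") != "yes":
            pair = (p.get("local-address"), p.get("remote-address"))
            groups[pair].append(f"{menu.split()[-1]}:{p.get('name')}")
    return {pair: names for pair, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    for (local, remote), names in find_ipsec_conflicts(SAMPLE_EXPORT).items():
        print(f"{local} -> {remote}: {', '.join(names)} compete for one dynamic peer")
```

An empty result means no two tunnels with ipsec-secret share an address pair; after the static peer and policies from the post are in place and ipsec-secret is unset on both tunnels, the same export should report nothing.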
 
tipex
just joined
Topic Author
Posts: 8
Joined: Tue Sep 01, 2015 11:37 am

Re: Two tunnels between two routers? EoIP + IPIP

Fri Jan 29, 2021 4:22 am

Hi!

Sorry for the late reply, I haven't been able to test it again until today.
Thank you very much for your answers @sindy and @killersoft.

I've gone the easiest possible way, and I've left only the EoIP tunnel running between both RBs.
In Router B, I've added two physical interfaces and the EoIP tunnel in a bridge. I've set up a static IP address within the RouterA's IP range in the EoIP interface on RouterB, so I can route between both routers.

I can now access/ping RouterA's LAN from RouterB's LAN.
If I connect my computer on the two physical interfaces of the EoIP's bridge, it's like I'm connected on Router A's LAN.

So it does exactly what I wanted, thank you!

Still, there's a behaviour that I don't understand.
Ping from Router A to Router B is approx 50ms.
I am currently connected to RouterB, to a physical interface which belongs to the same bridge as the EoIP tunnel, so I get an IP address from RouterA and it's like I'm connected to Router A. If I ping to anything on Router B's LAN, the ping is 1ms! Why is it not 100ms? (50ms from RB to RA and 50ms to come back to RB). Isn't EoIP supposed to be a 'pure' Layer2 VPN? Why can it be directly routed to Router B?

Thanks!
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Two tunnels between two routers? EoIP + IPIP

Fri Jan 29, 2021 6:24 am

What is the gateway of your computer? It should be the IP of RA. Ping is layer 3. Since you're pinging outside of your subnet, your PC will send the Ping to your gateway IP for routing.

If your gateway is RB's IP, then your ping is being routed at RB and never sent to RA. Thus the 1ms response time.
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: Two tunnels between two routers? EoIP + IPIP

Sat Jan 30, 2021 12:15 am

Why the need for 2 tunnels? If the EoIP tunnel has IP addresses on both ends, route over this interface.