How to Set Up an EoIP over IPsec MikroTik VPS Tunnel
Creating an Ethernet over IP (EoIP) tunnel allows you to bridge two remote networks at Layer-2. Because native EoIP traffic is unencrypted, securing it with IPsec is essential for protecting your data. This guide shows you how to configure an EoIP over IPsec MikroTik VPS connection.
For stable performance and low latency on your tunnels, reliable MikroTik VPS hosting is highly recommended.
Note: EoIP creates a Layer-2 bridge, meaning both networks act as if they are on the same physical switch. If you only need to route traffic between two different subnets (Layer-3) without forwarding broadcast traffic, you can check this guide on Site-to-Site IPsec Setup on MikroTik VPS.
Prerequisites for Configuring EoIP over IPsec MikroTik VPS Connection
Before you start configuring an EoIP over IPsec MikroTik VPS connection, ensure you meet the following prerequisites:
- Two MikroTik routers or VPS instances (Router A and Router B).
- A static public IP address on each side that is reachable from the other side.
- A designated local network interface on each router, for example, ether2.
Once you have met these prerequisites, proceed to the following steps to configure the EoIP over IPsec MikroTik VPS connection.
1. Create an EoIP Tunnel with IPsec
To establish the connection, you must define the local and remote IPs, assign a matching tunnel ID, and configure an IPsec pre-shared key.
The most efficient way to do this is the ipsec-secret parameter. When it is set, RouterOS automatically generates the necessary IPsec Phase 1 and Phase 2 encryption policies for the tunnel.
To configure Router A, use the command below:
/interface eoip add name=eoip-tunnel1 local-address=198.51.100.1 remote-address=203.0.113.2 tunnel-id=10 allow-fast-path=no ipsec-secret="SecurePass123!"
To configure Router B, run the command below:
/interface eoip add name=eoip-tunnel1 local-address=203.0.113.2 remote-address=198.51.100.1 tunnel-id=10 allow-fast-path=no ipsec-secret="SecurePass123!"
Explanation of the parameters:
- name: A custom name for your tunnel interface.
- local-address: The public IP of the router you are currently configuring.
- remote-address: The public IP of the remote router on the other side.
- tunnel-id: A unique numerical identifier that must exactly match on both routers.
- allow-fast-path: Must be set to no when IPsec is used on the tunnel, because FastPath processing has to be disabled for IPsec tunneling.
- ipsec-secret: The pre-shared key RouterOS uses to automatically encrypt the tunnel traffic. It must be identical on both routers. Replace the example value with a long, random secret of your own.
2. Create a Layer 2 Network Bridge on MikroTik
To allow devices on both sides to communicate, you must connect them. In RouterOS, a bridge acts like a virtual network switch that links your physical local network and your new EoIP tunnel into a single Layer 2 network.
On both Router A and Router B, run the command below:
/interface bridge add name=bridge-eoip
The name parameter assigns an identifiable name to the virtual bridge interface.
3. Add the EoIP Tunnel to the Bridge
At this point, you must add the required interfaces to the bridge. This connects your local LAN port to the EoIP tunnel, so traffic can pass between the two sides as a single Layer 2 network.
On both Router A and Router B, run the commands below:
/interface bridge port add bridge=bridge-eoip interface=eoip-tunnel1
/interface bridge port add bridge=bridge-eoip interface=ether2
- bridge: Specifies the name of the bridge you created in the previous step.
- interface: The physical (ether2) or virtual (eoip-tunnel1) interface being added to the bridge.
4. Check the EoIP Tunnel Status
To ensure everything is working correctly, confirm that the tunnel interface is up and that IPsec encryption is active between the two routers.
On both routers, run the commands below:
/interface eoip print
/ip ipsec active-peers print
If everything is correct, you will see:
- An R (running) next to the EoIP interface.
- The IPsec peer listed as active.
Your devices behind ether2 on both sides are now securely bridged and can communicate directly.
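The status check above shows that an IPsec peer is active, but it does not stop the router from accepting EoIP that arrives unencrypted. The firewall rules below are an added example, not part of the original guide. They make Router A fail closed by accepting GRE from the peer only when it was decapsulated from IPsec. They assume the addresses used in step 1 and that no earlier input or output rule already matches this traffic. On Router B, swap in 198.51.100.1 as the peer address.

```routeros
# Added example (not from the original guide). Run on Router A.
# Assumption: these rules sit above any broader accept/drop rule in the same chain.

/ip firewall filter

# IKE and NAT-T negotiation, from the tunnel peer only
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.2 comment="eoip-ipsec: IKE from peer"

# ESP, from the tunnel peer only
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.2 comment="eoip-ipsec: ESP from peer"

# GRE (EoIP) is accepted only when it arrived inside IPsec
add chain=input action=accept protocol=gre src-address=203.0.113.2 ipsec-policy=in,ipsec comment="eoip-ipsec: EoIP inside IPsec"

# Any other GRE, including cleartext EoIP claiming to be from the peer, is dropped and logged
add chain=input action=drop protocol=gre log=yes log-prefix="gre-clear" comment="eoip-ipsec: drop cleartext GRE"

# Outbound GRE to the peer that matches no IPsec policy is never sent in the clear
add chain=output action=drop protocol=gre dst-address=203.0.113.2 ipsec-policy=out,none comment="eoip-ipsec: no cleartext GRE out"

# Verification: the dynamic policy generated from ipsec-secret, the installed SAs,
# and the per-rule packet counters
/ip ipsec policy print detail
/ip ipsec installed-sa print
/ip firewall filter print stats
```

With traffic flowing across the bridge, the counters on the "EoIP inside IPsec" rule and the installed SAs should increase, while the two drop rules should stay at zero.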
FAQs
Why is the EoIP tunnel dropping packets or loading pages slowly?
This is usually an MTU (Maximum Transmission Unit) fragmentation issue. Because both EoIP and IPsec add extra data headers, the default MTU of 1500 is too large and causes packet drops. To fix unstable or slow connections, lower the MTU and l2mtu on both EoIP tunnel interfaces. A safe starting value is usually between 1280 and 1360.
Can I set up EoIP if one of the routers is behind NAT?
Native EoIP requires both routers to communicate directly using the GRE protocol. If one router is behind NAT, you must configure the NAT device to forward GRE (IP protocol 47) to your MikroTik router. Alternatively, you can use WireGuard or SSTP/L2TP over IPsec.
Why does my VPS CPU usage spike when the EoIP tunnel is active?
EoIP itself is light, but IPsec encryption uses a lot of CPU power. If your MikroTik VPS does not support hardware encryption, the router's CPU must encrypt every packet in software. To reduce CPU usage, select encryption algorithms, like AES-128-CBC or AES-256-GCM, that your hardware can process efficiently.
Conclusion
Setting up an EoIP over IPsec MikroTik VPS connection is a simple and effective way to bridge two remote networks into a single Layer 2 environment. By using the ipsec-secret parameter, RouterOS automatically secures your tunnel without needing complex manual encryption policies.
Once your bridge is active, devices on both sides can communicate securely as if they were on the same physical switch.