Mikrotik EOIP and L2TP over Cisco NAT

I had a small task: connect two branch offices of a customer, one in Cape and the second in JHB. Unfortunately, JHB is not part of our MPLS network and has two uplink connections, each 1 Mbps, on Serial interfaces. When I was studying for CCNP I got a lot of Serial link tasks but thought that the technology was dead, so I was surprised to get this case: HDLC encapsulation and GT96K.

Attached is a topology of what we have to achieve. There are two Cisco 1841 routers running the old 12.4(19) IOS.
One Cisco 1841 is used to transport voice traffic and the second is used for data.

In both offices there are Mikrotik 2011 routers with switches/customers/PBXs connected to them.

NAT

It looks like a simple setup. We wanted to have an EOIP tunnel between the Mikrotiks. Mikrotik's EOIP is a proprietary GRE-based tunnel, so I wanted to set up static NAT for GRE on the Cisco and create 2 EOIP tunnels on the Mikrotik routers. Unfortunately, the C1841 with 12.4(19) doesn’t accept commands like:
access-list 101 permit gre …
ip nat inside source static gre …

Instead, I tried an inside static NAT rule for everything:
ip nat inside source static 192.168.0.2
With that rule the EOIP tunnels were created, but the L2 connection was not working inside them. This will be a subject of further investigation.

Finally, I switched to L2TP, which worked quite well in that setup.
The NAT rules on both Ciscos were:

ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source static 192.168.0.2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 172.30.31.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255

The access list contains some IP ranges that are used on the Mikrotik. The Mikrotik is located at 192.168.0.2, and static NAT is used to port-forward L2TP to it.
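Since only L2TP has to reach the Mikrotik, the static mapping can be narrowed from the whole host to UDP 1701, and an inbound ACL can limit which peer may reach it. This is an added example, not configuration from the original post; the peer address 203.0.113.10, ACL number 110 and the <GLOBAL-IP> placeholder are assumptions.

```cisco
! Constructed example. Serial0/0/0, 192.168.0.2 and access-list 1 come from
! the post; the peer address, ACL 110 and <GLOBAL-IP> are assumptions.
!
! Broad form: a one-to-one static mapping exposes every protocol and port
! of 192.168.0.2 on the uplink. The post does not give the global address,
! so <GLOBAL-IP> stands in for it.
!   ip nat inside source static 192.168.0.2 <GLOBAL-IP>
!
! Narrow form: forward only L2TP (UDP 1701) arriving on the serial
! interface address to the Mikrotik. This does not carry GRE, so it is
! only suitable for the L2TP setup, not for the EOIP attempt.
ip nat inside source static udp 192.168.0.2 1701 interface Serial0/0/0 1701
!
! PAT for the inside ranges stays as in the post.
ip nat inside source list 1 interface Serial0/0/0 overload
!
! Limit who may reach the forwarded port. The inbound ACL on the outside
! interface is evaluated before NAT, so the destination is matched with
! "any" instead of the (unknown) global address.
! 203.0.113.10 is a placeholder for the remote L2TP peer.
access-list 110 permit udp host 203.0.113.10 any eq 1701
access-list 110 deny   udp any any eq 1701
access-list 110 permit ip any any
!
interface Serial0/0/0
 ip access-group 110 in
!
! Checks from exec mode after the tunnel comes up:
!   show ip nat translations   (expect a udp entry for 192.168.0.2:1701)
!   show access-lists 110      (the permit line's match counter should grow)
```

A growing counter on the deny line of ACL 110 means some host other than the expected peer is probing UDP 1701.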

The L2TP tunnels on the Mikrotik are an interesting story. I was not able to create them in the same Tail->Head direction; that is, I was not able to originate the tunnels in JHB and terminate them on the Cape router. That’s why I had to create an L2TP server on both routers and connect the clients vice versa. Attached is a screenshot from one Mikrotik: it acts as a server for the VOIP VPN and as a client for the DATA VPN.