So what is this doing?

*ipsec-secret* (*string*; Default: )
When secret is specified, router adds dynamic ipsec peer to remote-address with pre-shared key and policy with default values (by default phase2 uses sha1/aes128cbc). Both local-address and remote-address of the tunnel must be specified for router to create valid ipsec policy.

On Mon, Oct 19, 2015 at 12:04 PM, Adam Moffett wrote:

> 100% less secure. There's no encryption at all in EoIP.
>
> On 10/19/2015 11:44 AM, That One Guy /sarcasm wrote:
>
> in the mikrotik implementation with ipsec, how much less "secure" than something like an ipsec VPN tunnel? For the most part, since it's all routed traffic anyway, security isn't all that great a concern, other than maybe some snmp strings I can't think of much that would matter
>
> We do have an instance, I'm assuming MPLS will be what would be best, the customer has a 10mb ptp fiber connection from another provider terminated in our NOC as a backup to their DIA with us over our wireless infrastructure, but I don't know, it's all new to me
>
> On Mon, Oct 19, 2015 at 8:54 AM, Adam Moffett wrote:
>
>> EoIP is non-standard, and while multiple platforms have it, they are probably not compatible.
>>
>> The main reason to do EoIP is if you need the entire layer2 header. I use it now and then to default a device, then bridge its port with an EoIP tunnel back to my office so that I can access it from my laptop on its default IP.
>>
>> You can also carry a full size 1500 byte packet on the EoIP tunnel... it will be fragmented on the outer layer so there's an efficiency penalty in doing so, so if everything works with a shorter MTU then use a shorter MTU. I switched a VPN to an EoIP tunnel for a library whose SonicWall broke PMTUD and thus there was packet loss on the tunneled traffic until I switched them to EoIP.
>>
>> The other reason to do EoIP is that it's stupid simple.
>>
>> Downsides: EoIP is insecure. Supposedly it's more cpu intensive than other types of tunnels, but in practice I haven't noticed.
>>
>> On 10/19/2015 2:28 AM, That One Guy /sarcasm wrote:
>>
>>> More interested in eoip comments, but when are these two bad ideas, eoip with the ipsec in particular.
>>> I have two scenarios where eoip will be necessary to maintain upstream static routing between providers, one tunnel over the interwebs and one tunnel over our network since our providers are geographically isolated.
>>> I'm having a hard time figuring out if eoip is up and coming or dying, everything I read says it's new but the documents are old, mikrotik documents indicate it's proprietary but Cisco docs mention it.
>
> --
> If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
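
An added example, not part of the original thread: a RouterOS sketch of the same EoIP tunnel first in cleartext and then with `ipsec-secret` set, following the documentation excerpt quoted at the top. The addresses (192.0.2.1, 198.51.100.1), interface names, tunnel ID and secret are constructed placeholders; `allow-fast-path=no` is included on the assumption that FastPath must be off for an IPsec-protected tunnel, as MikroTik's tunnel documentation states.

```routeros
# Constructed example. 192.0.2.1 (site A) and 198.51.100.1 (site B) are
# documentation addresses; names, tunnel-id and the secret are placeholders.

# --- Site A: plain EoIP (the "no encryption at all" case) ---
# Ethernet frames are carried in GRE and cross the path in cleartext.
/interface eoip add name=eoip-site-b tunnel-id=10 \
    remote-address=198.51.100.1

# --- Site A: same tunnel with ipsec-secret ---
# Both local-address and remote-address must be set, otherwise the router
# cannot build a valid dynamic IPsec policy for the tunnel.
/interface eoip set [find name=eoip-site-b] \
    local-address=192.0.2.1 remote-address=198.51.100.1 \
    allow-fast-path=no \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK"

# --- Site B: mirror image, same tunnel-id and same secret ---
/interface eoip add name=eoip-site-a tunnel-id=10 \
    local-address=198.51.100.1 remote-address=192.0.2.1 \
    allow-fast-path=no \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK"

# --- Checks on either side ---
# A dynamic (flag D) policy between the two tunnel endpoints should exist.
/ip ipsec policy print
# Security associations should be installed in both directions; if this
# list is empty the tunnel traffic is not being protected.
/ip ipsec installed-sa print
# The tunnel interface itself should show as running (flag R).
/interface eoip print
```

The dynamic peer authenticates with the pre-shared key only and uses the default proposal (sha1/aes128cbc for phase 2, per the quoted documentation), so the strength of the setup rests on the length and randomness of the secret.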
