I'm pretty sure you can use encryption with EoIP these days... it's a fairly recent addition, if I remember right.
On Mon, Oct 19, 2015 at 12:29 PM, That One Guy /sarcasm < [email protected]> wrote: > So what is this doing? > > *ipsec-secret* (*string*; Default: )When secret is specified, router adds > dynamic ipsec peer to remote-address with pre-shared key and policy with > default values (by default phase2 uses sha1/aes128cbc). Both local-address > and remote-address of the tunnel must be specified for router to create > valid ipsec policy. > > On Mon, Oct 19, 2015 at 12:04 PM, Adam Moffett <[email protected]> > wrote: > >> 100% less secure. There's no encryption at all in EoIP. >> >> >> On 10/19/2015 11:44 AM, That One Guy /sarcasm wrote: >> >> in the mikrotik implementation with ipsec, how much less "secure" than >> something like an ipsec VPN tunnel? For the most part, since its all routed >> traffic anyway, security isnt all that great a concern, other than maybe >> some snmp strings I cant think of much that would matter >> >> We do have an instance, Im assuming MPLS will be what would be best, the >> customer has a 10mb ptp fiber connection from another provider terminated >> in our NOC as a backup to their DIA with us over our wireless >> infrastructure, but I dont know, its all new to me >> >> On Mon, Oct 19, 2015 at 8:54 AM, Adam Moffett <[email protected]> >> wrote: >> >>> EoIP is non-standard, and while multiple platforms have it, they are >>> probably not compatible. >>> >>> The main reason to do EoIP is if you need the entire layer2 header. I >>> use it now and then to default a device, then bridge it's port with an EOIP >>> tunnel back to my office so that I can access it from my laptop on it's >>> default IP. >>> >>> You can also carry a full size 1500 byte packet on the EoIP tunnel....it >>> will be fragmented on the outer layer so there's an efficiency penalty in >>> doing so, so if everything works with a shorter MTU then use a shorter >>> MTU. I switched a VPN to an EOIP tunnel for a library whose SonicWall >>> broke PMTUD and thus there was packet loss on the tunneled traffic until I >>> switched them to EoIP. >>> >>> The other reason to do EoIP is that it's stupid simple. >>> >>> Downsides: EoIP is insecure. Supposedly it's more cpu intensive than >>> other types of tunnels, but in practice I haven't noticed. >>> >>> >>> >>> On 10/19/2015 2:28 AM, That One Guy /sarcasm wrote: >>> >>>> >>>> More interested in eoip comments, but when are these two bad ideas, >>>> eoip with the ipsec in particular. >>>> I have two scenarios where eoip will be necessary to maintain upstream >>>> static routing between providers, one tunnel over the interwebs and one >>>> tunnel over our network since our providers are geographically isolated. >>>> I'm having a hard time figuring out if eoip is up and coming or dying, >>>> everything I read says its new but the documents are old, mikrotik >>>> documents indicate it's proprietary but Cisco docs mention it. >>>> >>>> >>> >> >> >> -- >> If you only see yourself as part of the team but you don't see your team >> as part of yourself you have already failed as part of the team. >> >> >> > > > -- > If you only see yourself as part of the team but you don't see your team > as part of yourself you have already failed as part of the team. >
