Here we go - from the .30 changelog:

*) tunnels - eoip, eoipv6, gre,gre6, ipip, ipipv6, 6to4 tunnels
   have new property - ipsec-secret - for easy setup of ipsec
   encryption and authentication;

On Mon, Oct 19, 2015 at 12:34 PM, Mathew Howard <mhoward...@gmail.com>
wrote:

> I'm pretty sure you can use encryption with EoIP these days... it's a
> fairly recent addition, if I remember right.
>
> On Mon, Oct 19, 2015 at 12:29 PM, That One Guy /sarcasm <
> thatoneguyst...@gmail.com> wrote:
>
>> So what is this doing?
>>
>> *ipsec-secret* (*string*; Default: ) When secret is specified, router
>> adds dynamic ipsec peer to remote-address with pre-shared key and policy
>> with default values (by default phase2 uses sha1/aes128cbc). Both
>> local-address and remote-address of the tunnel must be specified for router
>> to create valid ipsec policy.
>>
>> On Mon, Oct 19, 2015 at 12:04 PM, Adam Moffett <dmmoff...@gmail.com>
>> wrote:
>>
>>> 100% less secure.  There's no encryption at all in EoIP.
>>>
>>>
>>> On 10/19/2015 11:44 AM, That One Guy /sarcasm wrote:
>>>
>>> in the mikrotik implementation with ipsec, how much less "secure" than
>>> something like an ipsec VPN tunnel? For the most part, since it's all routed
>>> traffic anyway, security isn't all that great a concern, other than maybe
>>> some snmp strings I can't think of much that would matter
>>>
>>> We do have an instance, I'm assuming MPLS will be what would be best, the
>>> customer has a 10mb ptp fiber connection from another provider terminated
>>> in our NOC as a backup to their DIA with us over our wireless
>>> infrastructure, but I don't know, it's all new to me
>>>
>>> On Mon, Oct 19, 2015 at 8:54 AM, Adam Moffett <dmmoff...@gmail.com>
>>> wrote:
>>>
>>>> EoIP is non-standard, and while multiple platforms have it, they are
>>>> probably not compatible.
>>>>
>>>> The main reason to do EoIP is if you need the entire layer2 header. I
>>>> use it now and then to default a device, then bridge its port with an EOIP
>>>> tunnel back to my office so that I can access it from my laptop on its
>>>> default IP.
>>>>
>>>> You can also carry a full size 1500 byte packet on the EoIP
>>>> tunnel....it will be fragmented on the outer layer so there's an efficiency
>>>> penalty in doing so, so if everything works with a shorter MTU then use a
>>>> shorter MTU.  I switched a VPN to an EOIP tunnel for a library whose
>>>> SonicWall broke PMTUD and thus there was packet loss on the tunneled
>>>> traffic until I switched them to EoIP.
>>>>
>>>> The other reason to do EoIP is that it's stupid simple.
>>>>
>>>> Downsides: EoIP is insecure.  Supposedly it's more cpu intensive than
>>>> other types of tunnels, but in practice I haven't noticed.
>>>>
>>>>
>>>>
>>>> On 10/19/2015 2:28 AM, That One Guy /sarcasm wrote:
>>>>
>>>>>
>>>>> More interested in eoip comments, but when are these two bad ideas,
>>>>> eoip with the ipsec in particular.
>>>>> I have two scenarios where eoip will be necessary to maintain upstream
>>>>> static routing between providers, one tunnel over the interwebs and one
>>>>> tunnel over our network since our providers are geographically isolated.
>>>>> I'm having a hard time figuring out if eoip is up and coming or dying,
>>>>> everything I read says it's new but the documents are old, mikrotik
>>>>> documents indicate it's proprietary but Cisco docs mention it.
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> If you only see yourself as part of the team but you don't see your team
>>> as part of yourself you have already failed as part of the team.
>>>
>>>
>>>
>>
>>
>> --
>> If you only see yourself as part of the team but you don't see your team
>> as part of yourself you have already failed as part of the team.
>>
>
>
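
The ipsec-secret behaviour quoted in the thread, as an added RouterOS example that is not part of the original messages. The addresses are documentation ranges, and the interface names, tunnel-id and secret are placeholders chosen for illustration.

```routeros
# Constructed example. 192.0.2.1 = router A, 198.51.100.1 = router B.

# Router A: plain EoIP. Bridged frames cross the path unencrypted.
/interface eoip add name=eoip-to-b tunnel-id=10 \
    local-address=192.0.2.1 remote-address=198.51.100.1

# Router A: enable IPsec on the same tunnel. Both local-address and
# remote-address must be set, otherwise no valid policy is created.
/interface eoip set [find name=eoip-to-b] \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# Router B: mirror image, same tunnel-id and same secret.
/interface eoip add name=eoip-to-a tunnel-id=10 \
    local-address=198.51.100.1 remote-address=192.0.2.1 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# Verify on either router that the tunnel is actually protected:
# a dynamic peer for the remote address should be listed
/ip ipsec peer print
# a dynamic policy (flag D) between the two tunnel endpoints
/ip ipsec policy print
# installed SAs appear once traffic flows; check the negotiated
# algorithms against the defaults (sha1 / aes128cbc for phase 2)
/ip ipsec installed-sa print
```

If the dynamic policy or the SAs are missing, the tunnel may still pass traffic in cleartext, so check these tables rather than relying on the interface being up.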
