Do the IPIP tunnels offer any encryption or encoding? I ask since I need to use the MOST compatible tunnel type to route two internal IPs over the net, where the traffic is ONLY cleartext FTP traffic and I KNOW someone on the FTP server end will be packet sniffing.
When I say most compatible tunnel, I mean that, from what I understand, using a PPTP or L2TP tunnel can sometimes require configuring the gateway router (and in the device I'm building, the gateway router will be cheap, crappy consumer Linksys and D-Link and Netgear etc. routers). Is this true? (That GRE-based tunnels can conflict with GW routers?)
Any ideas? It seems IPIP is the most compatible as it's just IP vs GRE proto, but I assume FTP will be in cleartext over this too (the kid doing the packet sniffing ONLY knows how to packet sniff for cleartext).
Thanks!
Oh, and if anyone cares I can explain what this “device” will be doing and what it is I'm making.
From a Cisco perspective, IPIP is as basic as tunnels can get - absolutely no encryption or identity protection at all. It simply lets you sneak a subnet over others.
PPTP is probably your best bet, quite common and there isn’t a whole lot to think about. L2TP is a little more involved when adding IPSec.
I run an older MT 2.8.26 as a VPN concentrator - takes PPTP/L2TP/IPSec and I’ve hooked up all sorts of consumer routers to it. IPSec takes a bit of fiddling but PPTP works straight off most times.
Are you asking if routing tunnel packets through a cheap NAT device is going to be an issue, or using a cheap router for the endpoint? If it’s MT to MT only, I would use L2TP since it's only using udp/1701. Less firewall / NAT hassles to deal with. PPTP behind NAT is trickier. IPIP is a different protocol and not sure how those cheap routers forward that. L2TP is your best bet I think - straight UDP on a single port.
Yeah, the question was routing the MT to MT tunnel through a cheap NAT device… I'm going to start off with using L2TP and will report back in a week or two with some results!
I know this is a little late, but why not just use SFTP? If the person in question is “sniffing” at the ftp server, encrypted tunnels won’t do you any good anyway, unless you are terminating the tunnel directly to the ftp server itself.
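The replies above say that IPIP adds an outer IP header and no encryption; the following added example (not from any poster in this thread) checks that on bytes. The addresses, ports and FTP line are constructed sample values, and header checksums are left at zero.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP = 4, 6  # IANA protocol numbers: IP-in-IP, TCP

def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left 0 (constructed sample only).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport, data):
    # Minimal 20-byte TCP header (data offset 5, PSH+ACK); checksum left 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                       65535, 0, 0) + data

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4                 # header length in bytes
    total = struct.unpack("!H", pkt[2:4])[0]  # total packet length
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total])

def observe(wire):
    """Return (IP layers, application bytes) as seen between the tunnel ends."""
    layers = []
    src, dst, proto, payload = parse_ipv4(wire)
    layers.append((src, dst, proto))
    while proto == IPPROTO_IPIP:  # IPIP: the payload is simply another IP packet
        src, dst, proto, payload = parse_ipv4(payload)
        layers.append((src, dst, proto))
    if proto == IPPROTO_TCP:
        payload = payload[(payload[12] >> 4) * 4:]  # skip the TCP header
    return layers, payload

# Constructed sample: one FTP control line between two internal hosts,
# carried over an IPIP tunnel between two documentation-range addresses.
FTP_LINE = b"USER example\r\n"
INNER = ipv4("10.1.0.2", "10.2.0.2", IPPROTO_TCP, tcp(40000, 21, FTP_LINE))
WIRE = ipv4("198.51.100.10", "203.0.113.20", IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    layers, data = observe(WIRE)
    for src, dst, proto in layers:
        print(f"{src} -> {dst} proto {proto}")
    print("application bytes on the wire:", data)
```

The inner packet sits byte-for-byte inside the outer one, so the only thing IPIP changes for an observer is the extra pair of addresses in front.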