Hi guys,
I was wondering something about EoIP.
I'm going to need to connect a remote site to our main site; I was thinking of putting an EoIP link in a tunnel to avoid different networks etc.
What do you think is best, considering everything is going to be in the same network, let's say 192.168.0.0/24, with an AD (on the main site) serving everyone (no remote AD; all the AD requests for the remote site will be handled over the VPN / EoIP).
How would you do the link, PPTP? L2TP? IPIP? etc.
Thanks a lot
Regards,
Andy
IPsec would be the best option, but use it in transport mode, not tunnel mode.
PPTP would work OK too. SSTP and OpenVPN would work as well, but they rely on TCP, which adds bandwidth overhead.
Since EoIP is a layer 2 bridge, broadcast packets will go between the two sites, adding to the traffic over the WAN.
This includes DHCP requests, so your DHCP server would be in your main site. The problem is that clients on the remote site will then try to use the gateway on the main site, which will in fact work but will add latency. So you could use a firewall to block DHCP packets and have a DHCP server on the remote site. It would give clients the gateway of the local router but can still give the DNS server of the server on your main site.
If you have low bandwidth between the two sites then EoIP may not be the best option. With a site-to-site VPN you can have a separate subnet for each location and still use all your AD services. FQDN hostnames will resolve fine, and so will the bare hostname if your DHCP server gives out connection suffixes. Detecting things like printers on the network won't work, nor will NetBIOS if your connection suffix is absent or incorrect.
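What the "block DHCP at the firewall and run a local DHCP server" suggestion looks like on the remote-site RouterOS box. This is an added example, not the poster's own configuration; it assumes an EoIP interface named eoip-main already exists, and the addresses (192.168.0.254 for the remote router, 192.168.0.10 for the main-site AD/DNS server), pool range and domain suffix are placeholders you would replace with your own.

```routeros
# Remote-site router (assumed values, not from the thread):
#   192.168.0.254  this router, the LAN gateway for remote clients
#   192.168.0.10   AD / DNS server at the main site
#   eoip-main      EoIP tunnel interface to the main site (already created)
/interface bridge
add name=bridge-lan protocol-mode=rstp
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=eoip-main
/ip address
add address=192.168.0.254/24 interface=bridge-lan

# Keep DHCP on each side of the WAN: drop DHCP (UDP 67/68) in both
# directions on the tunnel port, so remote clients only ever hear the
# local DHCP server while every other bridged frame still crosses.
/interface bridge filter
add chain=forward out-interface=eoip-main mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 action=drop comment="no DHCP towards main site"
add chain=forward in-interface=eoip-main mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 action=drop comment="no DHCP from main site"

# Local DHCP server: local gateway, but DNS (and the connection suffix
# the post mentions) still point at the AD server on the main site.
/ip pool
add name=pool-remote ranges=192.168.0.200-192.168.0.250
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.254 dns-server=192.168.0.10 \
    domain=example.local
/ip dhcp-server
add name=dhcp-remote interface=bridge-lan address-pool=pool-remote disabled=no
```

The main-site DHCP scope must not overlap the remote pool, since both servers hand out addresses from the same /24. Because the remote router is the only path between the two LAN segments, filtering on its tunnel port is enough; the main-site router needs no matching rule.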
After 6.30 you can encrypt your GRE/IPIP/EoIP tunnels using IPsec just by adding the ipsec-secret="youwillneverguessthis" attribute to both sides. The tunnel will be encrypted using SHA1/AES-128 without any additional configuration; dynamic peers will be generated by ROS automatically.
Be wary that these kinds of tunnels require fixed IP addresses on both the local and remote ends.
If you have a dynamic address on one side, use SSTP to connect the sites, and you can still have your EoIP (this time you don't need encryption for EoIP) running between the SSTP tunnel's assigned IP addresses, which will then be specified by you and will not change over time.
Connecting two sites using EoIP will pass broadcast and multicast traffic without knowing what it is. In Windows environments this causes quite a lot of traffic on the LAN segment. Also, avoid connecting more sites without STP (e.g. bridge protocol=none) or you will end up having L2 loops forwarding sh1t using your full link capacity.
Unless you deal with an unroutable protocol, or you want to move hosts from site A to site B without additional address configuration, or you need some sort of geo-redundancy and you use VRRP, there's no real deal for "bridging" together two different locations. Nowadays basically everything can be solved with L3, and this gives you much better control over what happens in your network.
But if it's the business objective to connect those sites using L2, then EoIP is the way to go. And yes, unless you want to be in the open, use encryption.
Last suggestion: forget about PPTP. You can use L2TP over IPsec or SSTP; both of them are far more secure and pretty easy to set up.
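The fixed-address case from the post above, written out as RouterOS commands for both routers: EoIP with ipsec-secret on each side, RSTP on the bridges so a second path cannot become an L2 loop, and the commands to confirm the dynamic IPsec peer, policy and SAs actually came up. This is an added example, not the poster's or MikroTik's own configuration; the public addresses (198.51.100.1 and 203.0.113.1), interface names, tunnel-id and the secret are placeholders.

```routeros
# Site A router (assumed values, not from the thread):
#   198.51.100.1  fixed public address of site A
#   203.0.113.1   fixed public address of site B
# tunnel-id and ipsec-secret must be identical on both routers;
# use a long random string for the secret, not a dictionary word.
/interface eoip
add name=eoip-siteB tunnel-id=10 local-address=198.51.100.1 remote-address=203.0.113.1 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" keepalive=10s,10 \
    comment="encrypted EoIP to site B"

# Bridge the tunnel with the LAN; RSTP (not protocol-mode=none) so a
# second link between the sites does not turn into a forwarding loop.
/interface bridge
add name=bridge-lan protocol-mode=rstp
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=eoip-siteB

# If the input chain ends in a drop rule, let IKE and ESP from the peer
# in (place these above the drop). GRE itself travels inside ESP.
/ip firewall filter
add chain=input src-address=203.0.113.1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE from site B"
add chain=input src-address=203.0.113.1 protocol=ipsec-esp action=accept \
    comment="ESP from site B"

# Site B router: the mirror image of the above.
/interface eoip
add name=eoip-siteA tunnel-id=10 local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" keepalive=10s,10 \
    comment="encrypted EoIP to site A"
/interface bridge
add name=bridge-lan protocol-mode=rstp
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=eoip-siteA
/ip firewall filter
add chain=input src-address=198.51.100.1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE from site A"
add chain=input src-address=198.51.100.1 protocol=ipsec-esp action=accept \
    comment="ESP from site A"

# Checks on either router: ipsec-secret creates a dynamic peer and a
# transport-mode policy between the two public addresses, and once the
# tunnel carries traffic there should be installed SAs for it.
/ip ipsec peer print
/ip ipsec policy print
/ip ipsec installed-sa print
```

If the EoIP interface shows as running but `/ip ipsec installed-sa print` stays empty, the secrets or tunnel-ids differ or IKE/ESP is being dropped on the WAN side; with no SA present the GRE frames would be leaving in the clear, which is exactly the "in the open" case the post warns about.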
I'm not a smart guy…
Didn't think about the broadcast at the moment I wrote that, thought about it afterwards, so clearly EoIP is not a good idea. I'll certainly go for an L2TP/IPsec tunnel between those two sites and route the traffic.
Thanks for the answers guys