[Mikrotik] IP-SEC vs. SSTP

2014-04-08 Thread Mike Hammett
Why is one better than the other? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS


Re: [Mikrotik] IP-SEC vs. SSTP

2014-04-08 Thread Martin Ruiz Ibersystems
Which one is better? ; )

Perhaps one is better for some uses or for simplicity of configuration or
open ports needed or something like that?


* Martín Ruiz*

 *Ibersystems Solutions, SL*

Wireless Networks Dept.

Tel.  902 909 858 / 93 184 52 13 / 669 37 95 21
Web: http://www.ibersystems.es
Facebook: http://www.facebook.com/Ibersystems
Twitter: http://www.twitter.com/Ibersystems
martinr...@ibersystems.es

2014-04-08 22:48 GMT+02:00 Mike Hammett :

> Why is one better than the other?


Re: [Mikrotik] IP-SEC vs. SSTP

2014-04-08 Thread Butch Evans

On 04/08/2014 03:48 PM, Mike Hammett wrote:
> Why is one better than the other?


Short answer: Neither.

Moderately longer answer: SSTP works better behind a NAT and works on 
port 443, so firewalls are usually not an issue for these.


REALLY longer answer:  It really depends.  IMO, with modern options (for 
MT specific options), I think a "site to site" option that is better 
than either of these is OpenVPN.  OVPN works behind NAT and you can 
define the ports to be used, so firewalls are not an issue.  It is a bit 
easier (again, my opinion) to configure and troubleshoot than the other 
options.  Having said that, the SSTP is a client built into Windows, so 
if you have a "roaming" client, then this may be the best option. 
Additionally, most other router vendors have IPSEC built-in, so in some 
cases, that may be the best choice.  All things being equal, personally, 
I like the OVPN option.



--
Butch Evans
702-537-0979
Network Support and Engineering
http://store.wispgear.net/
http://www.butchevans.com/


Re: [Mikrotik] IP-SEC vs. SSTP

2014-04-08 Thread Mike Hammett
I've never done IPSEC because it seems like such a PITA. Is the primary reason 
to use it for interop with other vendors? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

- Original Message -

From: "Butch Evans"  
To: mikrotik@mail.butchevans.com 
Sent: Tuesday, April 8, 2014 4:21:01 PM 
Subject: Re: [Mikrotik] IP-SEC vs. SSTP 

On 04/08/2014 03:48 PM, Mike Hammett wrote: 
> Why is one better than the other? 

Short answer: Neither. 

Moderately longer answer: SSTP works better behind a NAT and works on 
port 443, so firewalls are usually not an issue for these. 

REALLY longer answer: It really depends. IMO, with modern options (for 
MT specific options), I think a "site to site" option that is better 
than either of these is OpenVPN. OVPN works behind NAT and you can 
define the ports to be used, so firewalls are not an issue. It is a bit 
easier (again, my opinion) to configure and troubleshoot than the other 
options. Having said that, the SSTP is a client built into Windows, so 
if you have a "roaming" client, then this may be the best option. 
Additionally, most other router vendors have IPSEC built-in, so in some 
cases, that may be the best choice. All things being equal, personally, 
I like the OVPN option. 


-- 
Butch Evans 
702-537-0979 
Network Support and Engineering 
http://store.wispgear.net/ 
http://www.butchevans.com/ 


Re: [Mikrotik] IP-SEC vs. SSTP

2014-04-08 Thread Rory McCann
+1 on Butch's response. I use SSTP for my Windows Laptops to remotely 
connect and use IPSec for router to router. They both have their merits 
and both work fine.


Can't speak on OVPN as I haven't used it.

Rory McCann
MKAP Technology Solutions
Web: www.mkap.net

On 4/8/2014 4:21 PM, Butch Evans wrote:
> On 04/08/2014 03:48 PM, Mike Hammett wrote:
>> Why is one better than the other?
>
> Short answer: Neither.
>
> Moderately longer answer: SSTP works better behind a NAT and works on
> port 443, so firewalls are usually not an issue for these.
>
> REALLY longer answer:  It really depends.  IMO, with modern options
> (for MT specific options), I think a "site to site" option that is
> better than either of these is OpenVPN.  OVPN works behind NAT and you
> can define the ports to be used, so firewalls are not an issue.  It is
> a bit easier (again, my opinion) to configure and troubleshoot than
> the other options.  Having said that, the SSTP is a client built into
> Windows, so if you have a "roaming" client, then this may be the best
> option. Additionally, most other router vendors have IPSEC built-in,
> so in some cases, that may be the best choice.  All things being
> equal, personally, I like the OVPN option.







Re: [Mikrotik] IP-SEC vs. SSTP

2014-04-08 Thread Rick Smith
Problem... I've not seen SSTP actually SECURE the traffic.  A working IPSec
config, while a PITA like Mike says, actually locks down all the traffic
within the IPSec protocol.  If any of you that have working site to site
SSTP tunnels can torch them with active traffic and share their findings
I'd appreciate it.

IPSec is even harder to configure with dynamic IPs on one end.   Really
designed for static to static.  Might even be a bug with tik on dynamic
endpoints.

On Apr 8, 2014 5:24 PM, "Rory McCann" wrote:

> +1 on Butch's response. I use SSTP for my Windows Laptops to remotely
> connect and use IPSec for router to router. They both have their merits and
> both work fine.
>
> Can't speak on OVPN as I haven't used it.
>
> Rory McCann
> MKAP Technology Solutions
> Web: www.mkap.net
>
> On 4/8/2014 4:21 PM, Butch Evans wrote:
>
>> On 04/08/2014 03:48 PM, Mike Hammett wrote:
>>
>>> Why is one better than the other?
>>>
>>
>> Short answer: Neither.
>>
>> Moderately longer answer: SSTP works better behind a NAT and works on
>> port 443, so firewalls are usually not an issue for these.
>>
>> REALLY longer answer:  It really depends.  IMO, with modern options (for
>> MT specific options), I think a "site to site" option that is better than
>> either of these is OpenVPN.  OVPN works behind NAT and you can define the
>> ports to be used, so firewalls are not an issue.  It is a bit easier
>> (again, my opinion) to configure and troubleshoot than the other options.
>>  Having said that, the SSTP is a client built into Windows, so if you have
>> a "roaming" client, then this may be the best option. Additionally, most
>> other router vendors have IPSEC built-in, so in some cases, that may be the
>> best choice.  All things being equal, personally, I like the OVPN option.


Re: [Mikrotik] IP-SEC vs. SSTP

2014-04-08 Thread Butch Evans

On 04/08/2014 04:22 PM, Mike Hammett wrote:
> I've never done IPSEC because it seems like such a PITA. Is the primary reason
> to use it for interop with other vendors?


I would NEVER use IPSEC unless it was a requirement.  Usually that 
"requirement" revolves around another administrator or another vendor 
product.  Personally, I use OVPN for site-site and vpn from away back to 
my network.



--
Butch Evans
702-537-0979
Network Support and Engineering
http://store.wispgear.net/
http://www.butchevans.com/