[unisog] Opinion on L2TP/IPSEC?

Julian Y. Koh kohster at northwestern.edu
Tue Sep 26 12:39:15 GMT 2006

At 23:29 -0400 09/25/2006, Clark Gaylord wrote:
>What most people refer to as "ipsec" in the MS
>world is just IP filtering

That's the part I'm complaining about.

>, but the ESP/AH pieces seem to be fully
>functional, as is the certificate based authentication.

Absolutely true.

>To Gary's question, though, we finally decided "why bother?" after
>running PPTP and L2TP+IPsec in parallel for three years with a grand
>total of *three* regular L2TP users and hundreds of PPTP users.

Our biggest problem with PPTP is that our VPN 3000 concentrators don't do
PPTP/MPPE encryption/decryption in hardware.  So their CPUs get taxed.  If we
didn't have that problem, we probably would have just stayed with PPTP.

>Also, PPTP successfully
>traverses NAT much more often than IPsec.

We're seeing about the same success rate with both protocols.  The built-in
L2TP/IPSec clients do NAT-T pretty well - the failure usually happens in the
actual NAT device itself not handling the translations properly.  We tell
people who are having issues with their ISPs to use the Cisco client in TCP
NAT Passthrough mode.


Julian Y. Koh                         <mailto:kohster at northwestern.edu>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>