[unisog] Opinion on L2TP/IPSEC?
Julian Y. Koh
kohster at northwestern.edu
Tue Sep 26 12:39:15 GMT 2006
At 23:29 -0400 09/25/2006, Clark Gaylord wrote:
>What most people refer to as "ipsec" in the MS
>world is just IP filtering
That's the part I'm complaining about.
>, but the ESP/AH pieces seem to be fully
>functional, as is the certificate based authentication.
>To Gary's question, though, we finally decided "why bother?" after
>running PPTP and L2TP+IPsec in parallel for three years with a grand
>total of *three* regular L2TP users and hundreds of PPTP users.
Our biggest problem with PPTP is that our VPN 3000 concentrators don't do
PPTP/MPPE encryption/decryption in hardware. So their CPUs get taxed. If we
didn't have that problem, we probably would have just stayed with PPTP.
>Also, PPTP successfully
>traverses NAT much more often than IPsec.
We're seeing about the same success rate with both protocols. The built-in
L2TP/IPSec clients do NAT-T pretty well - the failure usually happens in the
actual NAT device itself not handling the translations properly. We tell
people who are having issues with their ISPs to use the Cisco client in TCP
NAT Passthrough mode.
Julian Y. Koh <mailto:kohster at northwestern.edu>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>