[unisog] Opinion on L2TP/IPSEC?

Julian Y. Koh kohster at northwestern.edu
Tue Sep 26 12:39:15 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 23:29 -0400 09/25/2006, Clark Gaylord wrote:
>What most people refer to as "ipsec" in the MS
>world is just IP filtering

That's the part I'm complaining about.

>, but the ESP/AH pieces seem to be fully
>functional, as is the certificate based authentication.
>

Absolutely true.

>To Gary's question, though, we finally decided "why bother?" after
>running PPTP and L2TP+IPsec in parallel for three years with a grand
>total of *three* regular L2TP users and hundreds of PPTP users.

Our biggest problem with PPTP is that our VPN 3000 concentrators don't do
PPTP/MPPE encryption/decryption in hardware.  So their CPUs get taxed.  If we
didn't have that problem, we probably would have just stayed with PPTP.

>Also, PPTP successfully
>traverses NAT much more often than IPsec.

We're seeing about the same success rate with both protocols.  The built-in
L2TP/IPSec clients do NAT-T pretty well - the failure usually happens in the
actual NAT device itself not handling the translations properly.  We tell
people who are having issues with their ISPs to use the Cisco client in TCP
NAT Passthrough mode.


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
Comment: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

iQA/AwUBRRkfcw5UB5zJHgFjEQKA3wCgi7mdyu8dGFTFIPK4woB8vxbiCOAAnjDg
sx6Cmmosjz7z39Ppq7i6OvtY
=XShB
-----END PGP SIGNATURE-----

-- 
Julian Y. Koh                         <mailto:kohster at northwestern.edu>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
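The NAT-T behaviour discussed in this reply comes down to how the client wraps IKE and ESP inside UDP port 4500 so that a NAT device only has to rewrite an ordinary UDP flow. The following is an added example, not code from the post or the unisog list: a small Python classifier for UDP/4500 payloads following the RFC 3948 encapsulation rules (a single 0xFF byte is a NAT keepalive, a four-byte zero "non-ESP marker" precedes an IKE header, and anything else starting with a non-zero 32-bit SPI is UDP-encapsulated ESP). The sample datagrams are constructed inline for the demonstration; the function names and the summary helper are this example's own, and the IKE header layout it parses is the common 28-byte IKEv1/IKEv2 header.

```python
"""Classify UDP-encapsulated IPsec (NAT-T) payloads seen on UDP port 4500.

Added example, not code from the mailing-list post. Assumes the RFC 3948
encapsulation: 0xFF keepalive, 0x00000000 non-ESP marker + IKE header,
or ESP (non-zero SPI) directly after the UDP header.
"""
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: IKE over UDP/4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 section 2.3: one-byte keepalive
IKE_HEADER_FMT = "!QQBBBBII"            # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28 bytes


def classify_natt_payload(payload: bytes) -> dict:
    """Return a dict describing what kind of NAT-T datagram `payload` is.

    The SPI value 0 is reserved in ESP, which is what lets a receiver tell
    IKE (marker of four zero bytes) apart from ESP on the same UDP port.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}

    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "unknown", "reason": "IKE marker but truncated header"}
        ispi, rspi, next_payload, version, exch_type, flags, msg_id, length = struct.unpack(
            IKE_HEADER_FMT, ike[:IKE_HEADER_LEN]
        )
        return {
            "kind": "ike",
            "version": f"{version >> 4}.{version & 0x0F}",
            "exchange_type": exch_type,
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "initiator": bool(flags & 0x08),
            "declared_length": length,
            "length_ok": length == len(ike),
        }

    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:
            # ESP-in-UDP: the SPI and sequence number are the first 8 bytes.
            return {"kind": "esp-in-udp", "spi": spi, "seq": seq}

    return {"kind": "unknown", "reason": "neither keepalive, IKE marker nor ESP"}


def summarize(payloads) -> Counter:
    """Count datagram kinds over a capture; a NAT that mangles UDP/4500
    traffic typically shows up here as a run of 'unknown' entries."""
    return Counter(classify_natt_payload(p)["kind"] for p in payloads)


# Constructed sample datagrams (not captured traffic):
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 24        # SPI 0x12345678, seq 1
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    IKE_HEADER_FMT,
    0x1122334455667788,   # initiator SPI
    0,                    # responder SPI (not yet assigned)
    33,                   # next payload: SA
    0x20,                 # IKEv2
    34,                   # exchange type: IKE_SA_INIT
    0x08,                 # flags: initiator
    0,                    # message id
    IKE_HEADER_LEN,       # total length (header only in this sample)
)
SAMPLE_MANGLED = b"\x00\x00\x00\x00\x01"   # marker present, header missing

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE), ("esp", SAMPLE_ESP),
                      ("ike", SAMPLE_IKE), ("mangled", SAMPLE_MANGLED)]:
        print(name, classify_natt_payload(pkt))
    print(summarize([SAMPLE_KEEPALIVE, SAMPLE_ESP, SAMPLE_IKE, SAMPLE_MANGLED]))
```

Run as-is it prints one classification per constructed datagram and a count by kind. When troubleshooting a client that negotiates fine but passes no traffic, the useful check is whether the ESP-in-UDP datagrams leave the client and arrive at the concentrator with their SPIs intact; the TCP passthrough mode mentioned above sidesteps NAT devices that cannot keep that UDP flow consistent.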
