[unisog] Opinion on L2TP/IPSEC?

Clark Gaylord cgaylord at vt.edu
Wed Sep 27 18:21:34 GMT 2006


Julian Y. Koh wrote:
> We're seeing about the same success rate with both protocols.  The built-in
> L2TP/IPSec clients do NAT-T pretty well - the failure usually happens in the
> actual NAT device itself not handling the translations properly.  We tell
> people who are having issues with their ISPs to use the Cisco client in TCP
> NAT Passthrough mode.
>   
As opposed to using PPTP, wherein you don't get those calls in the first 
place because "it just works" (tm). Granted NAT-T works more than it 
used to and there are problems with PPTP, but then you are better using 
openvpn anyway. And, oh btw, openvpn is very good stuff. If I have to 
support some stupid shimware VPN anyway, *that's* what I'm talking about.

Actually, we use 7301 routers. They process-switch all the MPPE packets 
anyway, which kinda sucks, but so much beefier than a VPN3000 POS that 
they work quite well.

Incidentally, notable problems with PPTP:

    * gets confused (read: often doesn't work) when multiple tunnels
      traverse the same NAT box (no session tag in the PPP for state to
      be tracked with ... TCP is nice here, but then you have TCP inside
      TCP and that is bad for the sauce too);
    * initialization lag causing packet-loss for about 30 seconds on
      tunnel instantiation;
    * process switching of MPPE packets;
    * no hardware accelerator (not too much of a problem for RC4 anyway
      if you have a half-way decent CPU, but still might be nice); no
      decent routing protocol for split tunnel (as much a client
      end-point problem as anything else);
    * support seems to be waning by vendors who want you to buy their
      "new shinies" (solution: replace vendor with open source) -- many
      of these aren't addressed with L2TP or untunneled IPsec either,
      but things to consider.

Even considering this, I find PPTP still wins for me, and I recommend 
spending the time looking more closely at OpenVPN instead.

--ckg
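The first PPTP problem in the list above, several tunnels through one NAT box, modelled as a small Python toy. This is an added example, not code from the post: it assumes a NAT that tracks state only by addresses and ports (no PPTP-aware helper), and all addresses are constructed documentation-range values. GRE carries no ports, so two inside clients reaching the same VPN server produce the same translation key and the reply direction cannot be resolved, whereas a UDP-based tunnel such as OpenVPN gets a distinct mapping per client.

```python
"""Toy port-based NAT (no PPTP/GRE helper) showing why two PPTP tunnels
to the same server collide while two UDP tunnels do not.  Constructed
example, not the post's code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

InsideEndpoint = Tuple[str, int]            # (inside ip, inside port)
NatKey = Tuple[str, str, int]               # (proto, outside peer, public port)


@dataclass
class PortNat:
    table: Dict[NatKey, InsideEndpoint] = field(default_factory=dict)
    next_port: int = 40000                  # next free public port (assumed pool)

    def outbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str) -> Optional[int]:
        """Translate an outbound packet.  Returns the public port used for the
        mapping, or None when a GRE flow would be indistinguishable from an
        existing one (the multi-tunnel PPTP failure)."""
        if proto in ("tcp", "udp"):
            pub = self.next_port          # each client gets its own public port
            self.next_port += 1
            self.table[(proto, dst_ip, pub)] = (src_ip, src_port)
            return pub
        if proto == "gre":
            key: NatKey = ("gre", dst_ip, 0)   # no ports: only the peer is known
            existing = self.table.get(key)
            if existing is not None and existing != (src_ip, 0):
                return None               # second inside host, same server: ambiguous
            self.table[key] = (src_ip, 0)
            return 0
        raise ValueError(f"unsupported protocol {proto!r}")

    def inbound(self, proto: str, src_ip: str, dst_port: int) -> Optional[InsideEndpoint]:
        """Resolve a reply from the outside peer back to the inside host."""
        return self.table.get((proto, src_ip, dst_port))


def demo() -> Tuple[bool, bool]:
    """Returns (udp_both_clients_ok, gre_second_client_ok)."""
    server = "198.51.100.5"                 # constructed VPN server address
    nat = PortNat()
    p1 = nat.outbound("udp", "10.0.0.10", 1194, server)
    p2 = nat.outbound("udp", "10.0.0.11", 1194, server)
    udp_ok = (nat.inbound("udp", server, p1) == ("10.0.0.10", 1194)
              and nat.inbound("udp", server, p2) == ("10.0.0.11", 1194))
    nat.outbound("gre", "10.0.0.10", 0, server)
    gre_ok = nat.outbound("gre", "10.0.0.11", 0, server) is not None
    return udp_ok, gre_ok
```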

