[unisog] Opinion on L2TP/IPSEC?
cgaylord at vt.edu
Wed Sep 27 18:21:34 GMT 2006
Julian Y. Koh wrote:
> We're seeing about the same success rate with both protocols. The built-in
> L2TP/IPSec clients do NAT-T pretty well - the failure usually happens in the
> actual NAT device itself not handling the translations properly. We tell
> people who are having issues with their ISPs to use the Cisco client in TCP
> NAT Passthrough mode.
As opposed to using PPTP, wherein you don't get those calls in the first
place because "it just works" (tm). Granted NAT-T works more than it
used to and there are problems with PPTP, but then you are better off using
openvpn anyway. And, oh btw, openvpn is very good stuff. If I have to
support some stupid shimware VPN anyway, *that's* what I'm talking about.
Actually, we use 7301 routers. They process switch all the MPPE packets
anyway, which kinda sucks, but so much beefier than a VPN3000 POS that
they work quite well.
Incidentally, notable problems with PPTP:
* gets confused (read: often doesn't work) when multiple tunnels
traverse the same NAT box (no session tag in the PPP for state to
be tracked with ... TCP is nice here, but then you have TCP inside
TCP and that is bad for the sauce too);
* initialization lag causing packet-loss for about 30 seconds on
* process switching of MPPE packets;
* no hardware accelerator (not too much of a problem for RC4 anyway
if you have a half-way decent CPU, but still might be nice); no
decent routing protocol for split tunnel (as much a client
end-point problem as anything else);
* support seems to be waning by vendors who want you to buy their
"new shinies" (solution: replace vendor with open source) -- many
of these aren't addressed with L2TP or untunneled IPsec either,
but things to consider.
Even considering this, I find PPTP still wins for me, and I recommend
spending the time looking more closely at OpenVPN instead.
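The first bullet above (several PPTP tunnels behind one NAT getting confused) is the point most worth seeing concretely. The following toy NAT-table model is an added example for this archive page, not code from the post or from any of the products mentioned. It assumes a NAT with no PPTP-aware helper: such a box keys UDP and TCP flows on the full 5-tuple, but GRE (IP protocol 47, which carries PPTP's data) has no port fields, so once the inside source address is rewritten to the NAT's public address, every GRE flow to the same server looks identical on the outside. The addresses, the port-allocation start and the choice of UDP/4500 (IPsec NAT-T) as the L2TP/IPsec comparison are assumptions made for the example.

```python
"""
Constructed example: why two PPTP (GRE) tunnels from behind one NAT collide
while two NAT-T IPsec tunnels (UDP/4500) each get their own mapping.

Model assumptions (not from the original post):
  * the NAT has no PPTP ALG, so it cannot use the GRE Call ID to tell tunnels apart;
  * UDP/TCP flows are keyed on the 5-tuple, GRE flows only on (proto, server, NAT);
  * the NAT allocates public ports sequentially from 40000.
"""

PROTO_UDP = 17
PROTO_GRE = 47
NAT_T_PORT = 4500          # IPsec NAT-T UDP encapsulation port (assumed for the comparison)


class Nat:
    """Minimal source-NAT state table keyed on what the NAT will see in replies."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.reverse = {}          # reply-side key -> (inside_ip, inside_port)
        self.next_port = 40000     # assumed start of the public port pool

    def add_outbound(self, proto, inside_ip, inside_port, server_ip, server_port):
        """Install state for an inside -> server packet.

        Returns the key the NAT will match the server's replies against, or
        None when the flow cannot get an entry of its own because another
        inside host already owns the only possible key.
        """
        if proto == PROTO_GRE:
            # GRE has no ports to rewrite: after source-NAT, every GRE flow to
            # this server from behind this NAT is indistinguishable on the wire.
            key = (PROTO_GRE, server_ip, self.public_ip)
            owner = self.reverse.get(key)
            if owner is not None and owner[0] != inside_ip:
                return None                      # second PPTP client loses
            self.reverse[key] = (inside_ip, None)
            return key

        # UDP/TCP: a fresh public port makes the reply 5-tuple unique per client.
        pub_port = self.next_port
        self.next_port += 1
        key = (proto, server_ip, server_port, self.public_ip, pub_port)
        self.reverse[key] = (inside_ip, inside_port)
        return key

    def deliver_reply(self, key):
        """Inside endpoint a server -> NAT packet matching `key` is forwarded to."""
        return self.reverse.get(key)


def tunnels_that_work(proto, server_port, clients, server_ip="203.0.113.10"):
    """Count inside clients whose tunnel to server_ip actually gets its replies back."""
    nat = Nat("198.51.100.1")
    keys = {}
    for ip in clients:
        # inside port 1701 is only meaningful for the UDP case; ignored for GRE
        key = nat.add_outbound(proto, ip, 1701, server_ip, server_port)
        if key is not None:
            keys[ip] = key
    # A tunnel is usable only if the reply path lands on the client that opened it.
    return sum(1 for ip, key in keys.items() if nat.deliver_reply(key)[0] == ip)


if __name__ == "__main__":
    two_clients = ["10.0.0.2", "10.0.0.3"]
    print("PPTP/GRE  tunnels working:", tunnels_that_work(PROTO_GRE, 0, two_clients))
    print("NAT-T/UDP tunnels working:", tunnels_that_work(PROTO_UDP, NAT_T_PORT, two_clients))
```

With two clients the GRE case yields one working tunnel and the UDP/4500 case two, which is the NAT-sharing failure the bullet describes. The caveat a practitioner would want: PPTP's GRE header does carry a Call ID, and a NAT with a PPTP ALG that tracks it can keep the tunnels apart; the model above deliberately represents the common case of a consumer NAT without such a helper.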