L2TP + IPSEC question
Sorry if this subject has already been done-to-death:
I've just been reading the draft on using IPSEC to defend L2TP.
Of the two models proposed (compulsory and voluntary), the
'voluntary' option feels safer to me (from a security management
point of view).
So, if my clients are IP-only, why do I need IPSEC AND L2TP? Why not
just IPSEC tunnel?
Here are a few cases:
1) PPP on client, L2TP LAC at ISP POP:- Unprotected L2TP exchange,
not secure, hence the draft.
2) PPP on client, L2TP LAC at ISP POP + IPSEC encapsulation:- L2TP
secure, but means sharing security information.
3) L2TP on Client:- as for 1), and the tunnel server address has to be
known by the client, no longer available from the ISP.
4) L2TP on Client + IPSEC:- secure, but why use L2TP when PPP in IPSEC
would do, and for IP-only, not even PPP?
5) IPSEC on Client:- secure, but how can the tunnel server address be
discovered?
Option 5) seems to be the best answer for IP-Only and there seems to be
a PPP in IPSEC option for other requirements.
If there is a requirement for the tunnel server address to be
discovered by the client, not pre-configured, then the ISPs could
provide a PPP-based tunnel server address via PPP_IPCP. The IPSEC code
could then use DHCP to acquire the Intranet address if not static.
If there are any comments on this, can someone copy me directly - I just
joined the distribution lists.
Thanks, Steve.
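As an added example (not part of Steve's post, nor code from the draft he cites), the following parser for an L2TPv2 header and its control AVPs (RFC 2661 layout) makes concrete what case 1 above leaves on the wire in the clear: tunnel and session IDs, sequence numbers, the control message type, and attributes such as the LAC hostname. That is exactly what a passive sensor on the ISP path can read or log from unprotected L2TP, and what wrapping the UDP packet in IPsec ESP (cases 2 and 4) takes away from an observer. The sample messages are constructed for this example: a minimal SCCRQ carrying only the Message Type and Host Name AVPs, and a data message carrying the start of a PPP-framed IP packet. The function and constant names are this example's own.

```python
import struct

L2TP_VERSION = 2

# Flag bits in the first 16-bit word of the L2TPv2 header (RFC 2661, section 3.1).
FLAG_T = 0x8000  # 1 = control message, 0 = data message
FLAG_L = 0x4000  # Length field present
FLAG_S = 0x0800  # Ns/Nr sequence fields present
FLAG_O = 0x0200  # Offset Size field present
FLAG_P = 0x0100  # Priority (data messages only)

# Control message types carried in the Message Type AVP (attribute type 0).
MESSAGE_TYPES = {
    1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN",
    14: "CDN", 15: "WEN", 16: "SLI",
}


def parse_l2tp_header(data: bytes) -> dict:
    """Parse one L2TPv2 header; `data` starts right after the UDP header.

    Returns the cleartext-visible fields plus the remaining payload
    (control AVPs for a control message, a PPP frame for a data message).
    """
    if len(data) < 6:
        raise ValueError("truncated L2TP header")
    (flags,) = struct.unpack("!H", data[:2])
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    is_control = bool(flags & FLAG_T)
    has_length = bool(flags & FLAG_L)
    has_seq = bool(flags & FLAG_S)
    has_offset = bool(flags & FLAG_O)
    # Control messages must carry L and S, and must not carry O or P.
    if is_control and (not has_length or not has_seq or has_offset or flags & FLAG_P):
        raise ValueError("malformed control message flags")
    pos, end = 2, len(data)
    if has_length:
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if length > len(data):
            raise ValueError("Length field exceeds datagram")
        end = length
    if end < pos + 4:
        raise ValueError("truncated Tunnel/Session ID")
    tunnel_id, session_id = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    ns = nr = None
    if has_seq:
        if end < pos + 4:
            raise ValueError("truncated Ns/Nr")
        ns, nr = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
    if has_offset:
        if end < pos + 2:
            raise ValueError("truncated Offset Size")
        (offset_size,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2 + offset_size  # skip the Offset Pad as well
        if pos > end:
            raise ValueError("Offset Size exceeds message")
    return {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": data[pos:end]}


def parse_avps(body: bytes) -> list:
    """Parse the AVP list of a control message (M bit, H bit, 10-bit length)."""
    avps, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 6:
            raise ValueError("truncated AVP")
        flags_len, vendor_id, attr_type = struct.unpack("!HHH", body[pos:pos + 6])
        length = flags_len & 0x03FF
        if length < 6 or pos + length > len(body):
            raise ValueError("bad AVP length")
        avps.append({"mandatory": bool(flags_len & 0x8000),
                     "hidden": bool(flags_len & 0x4000),  # H bit: value obscured with the tunnel secret
                     "vendor_id": vendor_id, "type": attr_type,
                     "value": body[pos + 6:pos + length]})
        pos += length
    return avps


def control_message_name(avps: list) -> str:
    """Name of the control message from its (first, mandatory) Message Type AVP."""
    for avp in avps:
        if avp["vendor_id"] == 0 and avp["type"] == 0 and len(avp["value"]) == 2:
            return MESSAGE_TYPES.get(struct.unpack("!H", avp["value"])[0], "unknown")
    return "unknown"


# Constructed sample: SCCRQ (tunnel ID 0 before assignment), Length 29,
# carrying Message Type = 1 and Host Name = "lac". T,L,S set, version 2 -> 0xC802.
SAMPLE_SCCRQ = (b"\xc8\x02" b"\x00\x1d" b"\x00\x00" b"\x00\x00" b"\x00\x00" b"\x00\x00"
                + b"\x80\x08" b"\x00\x00" b"\x00\x00" b"\x00\x01"      # Message Type AVP
                + b"\x80\x09" b"\x00\x00" b"\x00\x07" b"lac")          # Host Name AVP

# Constructed sample: data message, no L/S/O bits, tunnel 0x1234, session 1,
# followed by a PPP frame (FF 03, protocol 0x0021 = IP) and the start of an IPv4 header.
SAMPLE_DATA = b"\x00\x02" b"\x12\x34" b"\x00\x01" + b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14"

if __name__ == "__main__":
    hdr = parse_l2tp_header(SAMPLE_SCCRQ)
    print(hdr["tunnel_id"], hdr["ns"], control_message_name(parse_avps(hdr["payload"])))
    print(parse_l2tp_header(SAMPLE_DATA))
```

Everything the parser returns is what an on-path observer sees for case 1; note that the H bit only obscures individual AVP values and still depends on the shared tunnel secret, which is the "sharing security information" problem of case 2 rather than a substitute for ESP.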