
Re: Bridging non-IP traffic over IPSec



The only point about "de-facto" on PPTP is that it may be the only way
Windows 2000 clients will do IPX VPN IPSec over remote access.
(Unless Microsoft adds L2TP to Windows 2000.)  Also, if you put IPSec
under Windows 95/98 DUN 1.3, PPTP is free.  This may make the point
that "PPP is too much baggage" VERY moot.  (It's up to the market to
decide if they want to install a third-party L2TP or GRE on Windows
2000, or use PPTP.)

I certainly see GRE as the lightest-weight solution.  Certainly the
lowest byte overhead.  The configuration cost may be higher than L2TP,
due to the absence of PPP negotiation.

But, it may well be up to Cisco to cede revision control over GRE to
the IETF/IANA.

The things that PPP (over L2TP or PPTP) can negotiate for us are
network layer addressing for IPX and AppleTalk.  In particular, IPXCP
can be set up to use IPXWAN to negotiate network numbers.  The nodes
have pools of network numbers, and hand one out for each connection.
Also, IPXCP can do some smart header compression for us.  It's smart
enough that the advantages won't be lost with IPCOMP.


We need to remember that there are two problem spaces.  One is routing
IPX (or bridging) over a tunnel between security gateways.  There we
have a decision-making impact.  The other is connection from a
Windows 95/98/2000 IPX client to a security gateway.  There, I think
the decision may already be made.

For the inter-security-gateway connection, GRE is less overhead, more
configuration.  L2TP is more overhead, less configuration.


