Re: IPSec Complexity
>>>>> "Frederic" == Frederic Detienne <fd@cisco.com> writes:
Frederic> Skip Booth wrote:
>> On Thu, 17 Feb 2000, Joe Touch wrote:
>>
> > Yipe. I've already found that I need to use transport mode subsequent
> > to vanilla tunneling (IP in IP) to allow dynamic routing to run
> > inside an IPSEC'd overlay (VPN, if you prefer).
>
> I agree. One very nice thing about L2TP+IPSEC is that it looks like a network
> interface with security features versus an IPSEC in tunnel mode which is a layer
> 3 security transport. Since there is a PPP interface on top of L2TP, all of
> the interface specific stuff runs transparent to IPSEC. There are no Routing
> protocol issues and standardized, well deployed MIBs are available for the
> interface. PPP and L2TP also give you built-in keepalives for interface
> maintenance.
Frederic> I think the presence of an IPSec tunnel interface is a
Frederic> matter of implementation. Nothing prevents you a priori
Frederic> from having such an interface and you could very well have
Frederic> the traffic run independent of the IPSec thing.
Agreed. We're running routing protocols over IPsec tunnels without
any trouble. There's nothing I know of that requires you to use L2TP
or other extraneous protocols. Look at it another way: if tunnel
protocol X is suitable, why not tunnel protocol Y?
paul