
Re: IPSec Complexity



>>>>> "Frederic" == Frederic Detienne <fd@cisco.com> writes:

 Frederic> Skip Booth wrote:
 >>  On Thu, 17 Feb 2000, Joe Touch wrote:
 >> 
> > Yipe. I've already found that I need to use transport mode subsequent
> > to vanilla tunneling (IP in IP) to allow dynamic routing to run
> > inside an IPSEC'd overlay (VPN, if you prefer).
> 
> I agree.  One very nice thing about L2TP+IPSEC is that it looks like a network
> interface with security features, versus IPSEC in tunnel mode, which is a layer
> 3 security transport. Since there is a PPP interface on top of L2TP, all of
> the interface-specific stuff runs transparently to IPSEC. There are no routing
> protocol issues, and standardized, well-deployed MIBs are available for the
> interface.  PPP and L2TP also give you built-in keepalives for interface
> maintenance.

 Frederic> I think the presence of an IPSec tunnel interface is a
 Frederic> matter of implementation. Nothing prevents you a priori
 Frederic> from having such an interface and you could very well have
 Frederic> the traffic run independent of the IPSec thing.

Agreed.  We're running routing protocols over IPsec tunnels without
any trouble.  There's nothing I know of that requires you to use L2TP
or other extraneous protocols.  Look at it another way: if tunnel
protocol X is suitable, why not tunnel protocol Y? 

	paul
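The "IPsec tunnel interface" that Frederic and Paul describe, as an added example that is not part of the original thread: a route-based setup on Linux using an XFRM interface (Linux 4.19+ with a matching iproute2), where the SAs and an any-to-any ESP policy are bound to the interface by its if_id, and the routing table, whether static or populated by an OSPF/BGP daemon running over the interface, decides what enters the tunnel. No L2TP or PPP is involved. All addresses, SPIs, keys, the if_id and the interface name are constructed placeholders; manual keying is shown only to make the SA-to-interface binding explicit, since in practice an IKE daemon installs the SAs with the same if_id.

```shell
#!/bin/sh
# Added example (not code from the original message): a route-based IPsec
# tunnel on Linux built on an XFRM interface. Without an argument the script
# prints the commands; "apply" runs them (needs root and an XFRM-capable kernel).

# Assumed lab values (constructed placeholders, not from the thread):
LOCAL_WAN=192.0.2.1        # our underlay (public) address
PEER_WAN=198.51.100.1      # peer's underlay address
UNDERLAY_DEV=eth0          # interface carrying the ESP packets
TUN_IF=ipsec0              # the tunnel interface routing daemons will see
IF_ID=42                   # ties SAs and policies to $TUN_IF
TUN_ADDR=10.255.0.1/30     # point-to-point address for the routing protocol
# 16-byte AES-GCM key + 4-byte salt, hex. Placeholder values only.
KEY_OUT=0x00112233445566778899aabbccddeeff01020304
KEY_IN=0xffeeddccbbaa99887766554433221100a1b2c3d4

# Emit the commands that create the interface and bind ESP SAs plus an
# any-to-any policy to it. Selectors are 0/0 on purpose: the route table,
# not the SPD, chooses what is encrypted.
ipsec_if_commands() {
    cat <<EOF
ip link add $TUN_IF type xfrm dev $UNDERLAY_DEV if_id $IF_ID
ip addr add $TUN_ADDR dev $TUN_IF
ip link set $TUN_IF up mtu 1400
ip xfrm state add src $LOCAL_WAN dst $PEER_WAN proto esp spi 0x1001 mode tunnel aead 'rfc4106(gcm(aes))' $KEY_OUT 128 if_id $IF_ID
ip xfrm state add src $PEER_WAN dst $LOCAL_WAN proto esp spi 0x1002 mode tunnel aead 'rfc4106(gcm(aes))' $KEY_IN 128 if_id $IF_ID
ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir out tmpl src $LOCAL_WAN dst $PEER_WAN proto esp mode tunnel if_id $IF_ID
ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir in tmpl src $PEER_WAN dst $LOCAL_WAN proto esp mode tunnel if_id $IF_ID
EOF
}

# A static route over the tunnel interface. An OSPF or BGP daemon peering
# across $TUN_ADDR would install routes of exactly this shape itself.
route_commands() {
    cat <<EOF
ip route add 10.2.0.0/16 dev $TUN_IF
EOF
}

# Safety check: count SA/policy commands NOT bound to our if_id. A policy
# without if_id would match traffic host-wide instead of only this tunnel.
check_bound() {
    ipsec_if_commands | awk -v id="$IF_ID" '
        /^ip xfrm (state|policy) add/ && $0 !~ ("if_id " id "$") { n++ }
        END { print n + 0 }'
}

case "${1:-}" in
    apply)
        [ "$(check_bound)" = "0" ] || { echo "unbound SA/policy" >&2; exit 1; }
        ipsec_if_commands | sh -e && route_commands | sh -e
        ;;
    *)
        ipsec_if_commands
        route_commands
        ;;
esac
```

Running the script without arguments shows the exact `ip` commands; `check_bound` is the property worth keeping in any automation around this, since an `ip xfrm policy` line that loses its `if_id` silently turns an interface-scoped tunnel into a host-wide policy. With an IKE daemon in place, only the `ip link`, `ip addr` and `ip route` lines remain yours; the daemon installs the `ip xfrm state`/`policy` equivalents with the same if_id.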

