Difference between IPsec and L2TP/IPsec

Difference between IPsec and L2TP/IPsec - 4.Mar.2010 10:52:17 AM   


Posts: 47
Joined: 12.May2007
Status: offline

I am able to get IPsec working between a Draytek and an ISA server in a site to site VPN. I am unable to get L2TP/IPsec up and running however.

My question is, what is the benefit of having L2TP encapsulated in an IPsec packet, as opposed to just sending traffic over an IPsec tunnel?
Post #: 1
RE: Difference between IPsec and L2TP/IPsec - 6.Mar.2010 8:39:49 AM   


Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline


Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiple protocol, virtual private networking over public networks such as the Internet. PPTP allows IP traffic to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

L2TP over IPsec

Layer Two Tunneling Protocol (L2TP) is an industry standard tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. L2TP allows IP traffic to be encrypted, and then sent over any medium that supports point-to-point datagram delivery, such as IP. The Microsoft implementation of the L2TP protocol uses Internet Protocol security (IPsec) encryption to protect the data stream from one VPN server to the other VPN server. IPsec tunnel mode allows IP packets to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.
PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP over IPsec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates or a preshared key.


When choosing between PPTP and L2TP over IPsec site-to-site VPN solutions, consider the following:
  • PPTP can be used for site-to-site VPN connections for servers running Microsoft Windows Server® 2003 or Windows® 2000 Server with Routing and Remote Access, or Windows NT® Server 4.0 with the Routing and Remote Access Service (RRAS). PPTP does not require a public key infrastructure (PKI) to issue computer certificates. By using encryption, PPTP-based VPN connections provide data confidentiality. Captured data cannot be interpreted without the encryption key. PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
  • L2TP can be used with servers running Windows Server 2003 or Windows 2000 Server operating systems. When both types of servers are used, a PKI is required to issue computer certificates to all routers. Servers running Windows Server 2003 operating systems additionally support a single preshared key configured on the answering server and all calling servers. By using IPsec, L2TP over IPsec VPN connections provide data confidentiality, data integrity, and data origin authentication.
IPsec tunnel mode

When Internet Protocol security (IPsec) is used in tunnel mode, IPsec itself provides encapsulation for IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with other routers, gateways, or end systems that do not support L2TP over IPsec or PPTP VPN tunneling. Interoperability information is provided at the Virtual Private Network Consortium Web site.
Tunneling is the entire process of encapsulation, routing, and then removing the encapsulation. Tunneling wraps, or encapsulates, the original packet inside a new packet. This new packet might have new addressing and routing information, which enables it to travel through a network. When tunneling is combined with data confidentiality, the original packet data (as well as the original source and destination) is not revealed to those listening to traffic on the network. After the encapsulated packets reach their destination, the encapsulation is removed, and the original packet header is used to route the packet to its final destination.
The tunnel itself is the logical data path through which the encapsulated packets travel. To the original source and destination peer, the tunnel is usually transparent and appears as another point-to-point connection in the network path. The peers are unaware of any routers, switches, proxy servers, or other security gateways between the tunnel's beginning point and the tunnel's endpoint. When tunneling is combined with data confidentiality, it can be used to provide a VPN.
The encapsulated packets travel through the network inside the tunnel. In this example, the network is the Internet. The gateway might be an edge gateway that stands between the outside Internet and the private network. The edge gateway can be a router, firewall, proxy server, or other security gateway. Also, two gateways can be used inside the private network to protect traffic across untrusted parts of the network.
For more information about IPsec tunnel mode, see "IPSec Technical Reference" at the Microsoft TechNet Web site.


When you create a remote site network that uses the IPsec tunneling protocol, the Microsoft Firewall service modifies the IPsec filters on the computer when restarting the Firewall service. This process can take up to several minutes, depending on the number of subnets included in the address ranges for the network. To minimize the effect, we recommend that you define IP address ranges that are aligned to subnet boundaries.

Authentication

IPsec tunnel mode and L2TP over IPsec can use either preshared keys or certificates to authenticate incoming VPN connections. Because certificates are more secure than preshared keys, we recommend that authentication for L2TP over IPsec and IPsec tunnel mode VPN connections use certificate authentication.


For security reasons, we recommend the use of a dedicated private certification authority (CA) for certificates that will be used for IPsec authentication. This is due to the fact that IPsec does not match the name of the certificate to the name of the site. If the certificates come from the same CA, this is sufficient for authentication. For more information about security considerations for site-to-site VPN connections, see "Security Hardening and Administration Guide" at the Microsoft TechNet Web site.

Source: http://technet.microsoft.com/en-gb/library/bb794723.aspx
Regards, Paulo Oliveira.


Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to intersimi)
Post #: 2
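The header stacks the two posts are comparing, as an added worked example that is not part of either post or of the quoted TechNet article: it constructs one inner IP packet, wraps it the IPsec tunnel-mode way and the L2TP/IPsec way, and decodes both from the ESP side. It assumes what Windows does for L2TP/IPsec, namely ESP in transport mode protecting UDP port 1701 (RFC 3193), and treats the ESP payload as already decrypted. All bytes are constructed here: checksums are left at zero, the L2TP tunnel and session IDs are arbitrary, and no real crypto is involved.

```python
"""
Header stacks behind the thread's question, as constructed sample bytes:

  IPsec tunnel mode : [outer IP][ESP][ inner IP | payload ][ESP trailer, Next Header = 4]
  L2TP/IPsec        : [outer IP][ESP][ UDP 1701 | L2TP | PPP | inner IP | payload ][ESP trailer, Next Header = 17]

classify_esp_payload() takes the already-decrypted ESP payload plus the trailer's
Next Header byte and reports which of the two it was protecting.
"""
import struct

IPPROTO_IPIP = 4        # ESP Next Header: tunnel mode carrying an IPv4 packet
IPPROTO_TCP = 6
IPPROTO_UDP = 17        # ESP Next Header: transport mode protecting UDP (L2TP/IPsec)
L2TP_PORT = 1701
PPP_PROTO_IPV4 = 0x0021


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header. Checksum left at 0: constructed sample, never sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def parse_ipv4(buf):
    """Return (proto, src, dst) from an IPv4 header; raises if it is not IPv4."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return buf[9], src, dst


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def l2tp_data_header(tunnel_id, session_id):
    """L2TPv2 data message header (RFC 2661): T=0, no L/S/O bits, version 2."""
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)


def ppp_frame(protocol, payload):
    """PPP frame with address/control fields present (0xFF 0x03) and a 16-bit protocol."""
    return struct.pack("!BBH", 0xFF, 0x03, protocol) + payload


def parse_l2tp_data(buf):
    """Strip an L2TPv2 data header, honouring the optional Length, Ns/Nr and Offset fields."""
    (flags,) = struct.unpack("!H", buf[:2])
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    if flags & 0x8000:                      # T bit: control message, carries no PPP
        raise ValueError("L2TP control message, not a data message")
    off = 2
    if flags & 0x4000:                      # L bit: 2-byte Length field present
        off += 2
    off += 4                                # Tunnel ID, Session ID
    if flags & 0x0800:                      # S bit: Ns, Nr present
        off += 4
    if flags & 0x0200:                      # O bit: Offset Size, then that many pad bytes
        (pad,) = struct.unpack("!H", buf[off:off + 2])
        off += 2 + pad
    return buf[off:]


def strip_ppp(buf):
    """Return (protocol, payload) of a PPP frame, accepting ACFC and PFC (RFC 1661)."""
    if buf[:2] == b"\xff\x03":              # address/control present
        buf = buf[2:]
    if buf[0] & 1:                          # protocol field compressed to one byte
        return buf[0], buf[1:]
    (protocol,) = struct.unpack("!H", buf[:2])
    return protocol, buf[2:]


def classify_esp_payload(next_header, payload):
    """
    Decide what an ESP SA was protecting, from the decrypted payload and the
    trailer's Next Header. Returns (kind, layers, (proto, src, dst) or None).
    """
    if next_header == IPPROTO_IPIP:
        return "ipsec-tunnel", ["ESP", "IP"], parse_ipv4(payload)
    if next_header == IPPROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
        if L2TP_PORT not in (sport, dport):
            return "other-udp", ["ESP", "UDP"], None
        proto, inner = strip_ppp(parse_l2tp_data(payload[8:]))
        if proto != PPP_PROTO_IPV4:
            return "l2tp-non-ip", ["ESP", "UDP", "L2TP", "PPP"], None
        return "l2tp-ipsec", ["ESP", "UDP", "L2TP", "PPP", "IP"], parse_ipv4(inner)
    return "other", ["ESP"], None


# --- constructed sample traffic: one inner packet, wrapped both ways ---
INNER = ipv4_header("192.168.1.10", "192.168.2.20", IPPROTO_TCP, 4) + b"data"
TUNNEL_MODE = (IPPROTO_IPIP, INNER)

_L2TP = l2tp_data_header(tunnel_id=7, session_id=3) + ppp_frame(PPP_PROTO_IPV4, INNER)
L2TP_IPSEC = (IPPROTO_UDP, udp_header(L2TP_PORT, L2TP_PORT, len(_L2TP)) + _L2TP)


def encapsulation_overhead():
    """Extra bytes between the ESP header and the inner IP packet, per variant."""
    return {"ipsec-tunnel": 0, "l2tp-ipsec": len(L2TP_IPSEC[1]) - len(INNER)}


if __name__ == "__main__":
    for name, sample in (("tunnel mode", TUNNEL_MODE), ("L2TP/IPsec", L2TP_IPSEC)):
        print(name, "->", classify_esp_payload(*sample))
    print(encapsulation_overhead())
```

What the decoder makes visible is the answer to the question asked: IPsec tunnel mode carries the inner IP packet directly (Next Header 4), while L2TP/IPsec carries a PPP session around it (Next Header 17, UDP 1701, L2TP, PPP), which is what brings the PPP user-level authentication on top of the IPsec machine authentication, at the cost of 18 extra bytes per packet in this layout. With NAT traversal the ESP itself is additionally wrapped in UDP 4500; this example does not model that.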
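The reply's advice to align IPsec tunnel-mode address ranges to subnet boundaries, as an added example that is not from the post or from the TechNet article: it shows why an arbitrary first/last range costs more than an aligned one. A range has to be expressed as a set of CIDR blocks before it can become filters, and a range that is off by one address at each end decomposes into many blocks. The ranges below are constructed; the function names are this example's own.

```python
"""
Decompose site-to-site address ranges into the CIDR blocks they really consist of,
flag the ones that are not a single aligned block, and suggest the smallest block
that would cover them. Uses only the standard library.
"""
import ipaddress


def cidr_blocks(first, last):
    """Exact CIDR decomposition of the inclusive IPv4 range first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def covering_block(first, last):
    """Smallest single CIDR block containing the whole range (may over-include addresses)."""
    net = ipaddress.ip_network(first)           # start from the host /32
    last_addr = ipaddress.IPv4Address(last)
    while last_addr not in net:
        net = net.supernet()                    # widen one bit at a time
    return net


def audit_ranges(ranges):
    """For each (first, last) pair: block count, aligned flag, covering block and its excess."""
    report = []
    for first, last in ranges:
        blocks = cidr_blocks(first, last)
        cover = covering_block(first, last)
        span = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
        report.append({
            "range": f"{first}-{last}",
            "blocks": len(blocks),
            "aligned": len(blocks) == 1,
            "covering_block": str(cover),
            "extra_addresses": cover.num_addresses - span,
        })
    return report


# constructed sample: the same /24 entered two ways, an aligned /23, and a two-/24 span
SAMPLE_RANGES = [
    ("10.0.0.1", "10.0.0.254"),        # "usable hosts" style entry: 14 blocks
    ("10.0.0.0", "10.0.0.255"),        # aligned: 1 block
    ("172.16.0.0", "172.16.1.255"),    # aligned /23: 1 block
    ("192.168.1.0", "192.168.2.255"),  # two /24s: 2 blocks, covered by a /22
]

if __name__ == "__main__":
    for row in audit_ranges(SAMPLE_RANGES):
        print(row)
```

The first two rows are the point: 10.0.0.1 to 10.0.0.254 is fourteen filter subnets, 10.0.0.0 to 10.0.0.255 is one, and the only difference is two addresses that are never hosts anyway. The covering block is a suggestion, not a substitute; in the last row it would admit 512 addresses the range did not include, so check what else lives in that space before widening a remote site network.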
