two more IPSec questions...

Robert Moskowitz rgm at icsa.net
Tue Aug 10 22:37:22 EDT 1999


At 07:19 PM 8/10/1999 -0500, Eric Zines wrote:
>
>1.  I know that this would be REALLY ugly, but is it possible to use both
>PPTP and IPSec at the same time?  

You might be able to do this, but not even MS is spending any time on it.
See below.

>Not in parallel on the same network, but
>serially...one after the other?  I ask because a lot of organizations have
>PPTP already (though I haven't run across too many that are pleased with
>that decision) and it DOES handle multiprotocol traffic, and it IS tied to
>the NT directory structure.  So it does offer some things that IPSec doesn't
>at this point, but is it even possible to use both at once?  If so, what
>does it look like from both the client and HQ sides?  I suspect that the
>client side may be the most difficult issue.  Would the overhead completely
>crater performance?
>
>2.  Same question, but for L2TP/IPSec.  

This is MS's direction.  In fact if you read the RFCs, L2TP's REAL security
is IPsec.

It has some wrinkles to iron out.  Despite what Glen Zorn and Peter Ford
have said.

>I think that this may be a little
>more elegant, but what does it look like?  I'm curious from both a
>theoretical and practical/architectural standpoint.  I'm afraid that there
>may not be a great deal of experience with this out there, as L2TP isn't in
>widespread use at this point...especially with end-user organizations.  I'm
>guessing that to implement a multiprotocol solution you would have to L2TP
>first, then IPSec?  Or is there a situation in which you'd want to do it the
>other way 'round?

L2TP over IPsec.

I'd rather add IKE CFG to IPsec to handle the address negotiation (10
vendors already support the Internet Draft to meet customer requirements)
and GRE if you really need multiprotocol.


Robert Moskowitz
ICSA, Inc.
	(248) 968-9809
Fax:	(248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished 
if it doesn't matter who gets the credit

