two more IPSec questions...

Chris Carlson carlsonmail at yahoo.com
Wed Aug 11 12:25:28 EDT 1999


Eric,

Microsoft is addressing this right now with Windows
2000.

It appears that they're supporting IPSec, PPTP, and
L2TP clients on W2000 workstation, with the ability to
embed L2TP tunnels in an IPSec tunnel.

Therefore, you get multiprotocol support of L2TP, with
only using IPSec as the transport mechanism.

It makes sense, though.  Most users have a security
issue with PPTP/L2TP, but people are looking at it
because of native MS support AND the ability to handle
multiprotocols.  So, now you get multiprotocols AND
IPSec-strength security.

AND, you're tied to a Microsoft W2000 client and
compatible back-end.  Something tells me that W2000
server will support L2TP/IPSec tunnels, but other VPN
vendors won't...  Hmmm...

I personally feel that the biggest non-IP protocol
needing support is IPX.  Not too much AppleTalk in the
enterprise, and certainly very little SNA, DECnet,
LAT, etc., especially given all the gateways out
there.

IPX can be easily supported by a NetWare 5.0 acting as
an IP-IPX gateway.  Each server can support 1500
users.  Not too shabby.  I helped a customer put one
in...

Chris
--

--- Eric Zines <ezines at telechoice.com> wrote:
> First of all, thanks to Rick Smith for the quick response to the questions
> on AH transport/tunnel and authentication options.
>
> I did have two more questions, and was hoping that someone could answer them
> directly, or point me to a really good resource or example.  Here goes...
>
> 1.  I know that this would be REALLY ugly, but is it possible to use both
> PPTP and IPSec at the same time?  Not in parallel on the same network, but
> serially...one after the other?  I ask because a lot of organizations have
> PPTP already (though I haven't run across too many that are pleased with
> that decision) and it DOES handle multiprotocol traffic, and it IS tied to
> the NT directory structure.  So it does offer some things that IPSec doesn't
> at this point, but is it even possible to use both at once?  If so, what
> does it look like from both the client and HQ sides?  I suspect that the
> client side may be the most difficult issue.  Would the overhead completely
> crater performance?
>
> 2.  Same question, but for L2TP/IPSec.  I think that this may be a little
> more elegant, but what does it look like?  I'm curious from both a
> theoretical and practical/architectural standpoint.  I'm afraid that there
> may not be a great deal of experience with this out there, as L2TP isn't in
> widespread use at this point...especially with end-user organizations.  I'm
> guessing that to implement a multiprotocol solution you would have to L2TP
> first, then IPSec?  Or is there a situation in which you'd want to do it the
> other way 'round?
>
> Anyway...any input would be GREATLY appreciated!
>
> Thanks in advance.
>
> Eric Zines
> TeleChoice, Inc.
>
> ****************************************************************
> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
> We are currently experiencing "unsubscribe" difficulties.  If you
> wish to unsubscribe, please send a message containing the single line
> "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
>
> ****************************************************************
