two more IPSec questions...

Eric Vyncke evyncke at cisco.com
Fri Aug 13 10:24:31 EDT 1999


From Eric to Eric ;-)

The combination of L2TP with IPSec is commonly seen as a good
one (except for the throughput via double encapsulation!):

- protecting LAC/LNS via IPSec can be useful, especially if the
  LAC is the dial-in client itself: all protocols are encrypted
  and not only IP, no need to rely on IETF drafts for dynamic
  IP addressing (modecfg) and user authentication (xauth)

- putting IPSec packets in L2TP can be useful as well (but 
  probably less), L2TP is used to convey IPSec packets and
  you have the advantages of L2TP. This solution will most
  probably be deployed by ISPs for their customers

Just my biased 0.01 EUR

-eric

At 19:19 10/08/1999 -0500, Eric Zines wrote:
>First of all, thanks to Rick Smith for the quick response to the questions
>on AH transport/tunnel and authentication options.
>
>I did have two more questions, and was hoping that someone could answer them
>directly, or point me to a really good resource or example.  Here goes...
>
>1.  I know that this would be REALLY ugly, but is it possible to use both
>PPTP and IPSec at the same time?  Not in parallel on the same network, but
>serially...one after the other?  I ask because a lot of organizations have
>PPTP already (though I haven't run across too many that are pleased with
>that decision) and it DOES handle multiprotocol traffic, and it IS tied to
>the NT directory structure.  So it does offer some things that IPSec doesn't
>at this point, but is it even possible to use both at once?  If so, what
>does it look like from both the client and HQ sides?  I suspect that the
>client side may be the most difficult issue.  Would the overhead completely
>crater performance?
>
>2.  Same question, but for L2TP/IPSec.  I think that this may be a little
>more elegant, but what does it look like?  I'm curious from both a
>theoretical and practical/architectural standpoint.  I'm afraid that there
>may not be a great deal of experience with this out there, as L2TP isn't in
>widespread use at this point...especially with end-user organizations.  I'm
>guessing that to implement a multiprotocol solution you would have to L2TP
>first, then IPSec?  Or is there a situation in which you'd want to do it the
>other way 'round?
>
>Anyway...any input would be GREATLY appreciated!
>
>Thanks in advance.
>
>Eric Zines
>TeleChoice, Inc.
>
>
>
>****************************************************************
>TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
>The VPN FAQ (under construction) is available at
>http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
>We are currently experiencing "unsubscribe" difficulties.  If you
>wish to unsubscribe, please send a message containing the single line
>"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
>
>****************************************************************

Eric Vyncke                        
Consulting Engineer                Cisco Systems EMEA
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke at cisco.com          Mobile: +32-75-312.458
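
The double-encapsulation cost mentioned in the reply above can be put in numbers for both layering orders; this is an added example, not part of the original message. The header sizes (IPv4 without options, 6-byte L2TP data header, 4-byte PPP header, ESP with 3DES-CBC and HMAC-SHA1-96, tunnel mode for the second case) and all function names are assumptions chosen for illustration.

```python
# Added example: bytes on the wire for the two L2TP/IPSec layering orders.
# Assumed sizes: IPv4 without options, minimal L2TP data header, PPP
# address/control/protocol fields, ESP with 3DES-CBC and HMAC-SHA1-96.
IPV4, UDP, L2TP_DATA, PPP = 20, 8, 6, 4


def esp_len(inner_len, block=8, iv=8, icv=12):
    """Size of an ESP packet (SPI through ICV) carrying inner_len bytes."""
    # Payload + pad-length byte + next-header byte must fill whole blocks.
    pad = (-(inner_len + 2)) % block
    return 4 + 4 + iv + inner_len + pad + 2 + icv  # SPI, seq, IV, ..., ICV


def l2tp_protected_by_ipsec(n):
    """First bullet: IP | ESP (transport) | UDP | L2TP | PPP | n-byte packet.

    The inner packet can be any protocol PPP carries, not only IP.
    """
    return IPV4 + esp_len(UDP + L2TP_DATA + PPP + n)


def ipsec_inside_l2tp(n):
    """Second bullet: IP | UDP | L2TP | PPP | IP | ESP (tunnel) | n-byte IP packet."""
    return IPV4 + UDP + L2TP_DATA + PPP + IPV4 + esp_len(n)


def max_inner(mtu, wire_len):
    """Largest inner packet whose encapsulated form still fits in mtu."""
    n = mtu
    while n > 0 and wire_len(n) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for name, fn in (("L2TP protected by IPSec", l2tp_protected_by_ipsec),
                     ("IPSec inside L2TP", ipsec_inside_l2tp)):
        wire = fn(1400)
        print(f"{name}: 1400 -> {wire} bytes (+{wire - 1400}), "
              f"largest inner packet for a 1500-byte MTU: {max_inner(1500, fn)}")
```

Inner packets larger than the printed maximum are fragmented or dropped on a 1500-byte path, which adds to the throughput cost on top of the extra header bytes.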
