two more IPSec questions...
Eric Vyncke
evyncke at cisco.com
Fri Aug 13 10:24:31 EDT 1999
From Eric to Eric ;-)
The combination of L2TP with IPSec is commonly seen as a good
one (except for the throughput via double encapsulation!):
- protecting LAC/LNS via IPSec can be useful especially if the
LAC is the dial-in client itself: all protocols are encrypted
and not only IP, no need to rely on IETF drafts for dynamic
IP addressing (modecfg) and user authentication (xauth)
- putting IPSec packets in L2TP can be useful as well (but
probably less), L2TP is used to convey IPSec packets and
you have the advantages of L2TP. This solution will most
probably be deployed by ISPs for their customers
Just my biased 0.01 EUR
-eric
At 19:19 10/08/1999 -0500, Eric Zines wrote:
>First of all, thanks to Rick Smith for the quick response to the questions
>on AH transport/tunnel and authentication options.
>
>I did have two more questions, and was hoping that someone could answer them
>directly, or point me to a really good resource or example. Here goes...
>
>1. I know that this would be REALLY ugly, but is it possible to use both
>PPTP and IPSec at the same time? Not in parallel on the same network, but
>serially...one after the other? I ask because a lot of organizations have
>PPTP already (though I haven't run across too many that are pleased with
>that decision) and it DOES handle multiprotocol traffic, and it IS tied to
>the NT directory structure. So it does offer some things that IPSec doesn't
>at this point, but is it even possible to use both at once? If so, what
>does it look like from both the client and HQ sides? I suspect that the
>client side may be the most difficult issue. Would the overhead completely
>crater performance?
>
>2. Same question, but for L2TP/IPSec. I think that this may be a little
>more elegant, but what does it look like? I'm curious from both a
>theoretical and practical/architectural standpoint. I'm afraid that there
>may not be a great deal of experience with this out there, as L2TP isn't in
>widespread use at this point...especially with end-user organizations. I'm
>guessing that to implement a multiprotocol solution you would have to L2TP
>first, then IPSec? Or is there a situation in which you'd want to do it the
>other way 'round?
>
>Anyway...any input would be GREATLY appreciated!
>
>Thanks in advance.
>
>Eric Zines
>TeleChoice, Inc.
>
>
>
>****************************************************************
>TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
>The VPN FAQ (under construction) is available at
>http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
>We are currently experiencing "unsubscribe" difficulties. If you
>wish to unsubscribe, please send a message containing the single line
>"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
>
>****************************************************************
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke at cisco.com Mobile: +32-75-312.458