RE: IPSec = L2TP?

From: Dave Killion (Dkillion_at_netscreen.com)
Date: 10/01/03

  • Next message: kurtis.myers_at_us.army.mil: "RE: Reporting to Senior Management"
    To: "'Zachary Mutrux'" <zmutrux@compumentor.org>, Security-Basics <security-basics@securityfocus.com>
    Date: Tue, 30 Sep 2003 15:59:23 -0700
    
    
    

    IPSec is not L2TP, however L2TP can ride *on top* of IPSec.

    Any protocol can traverse IPSec, but it needs to be routed in order to
    work, i.e. handed off to a gateway for processing. You can't do IPSec
    between two machines on the same layer 2 segment, which is what L2TP is
    for. L2TP over IPSec is a way for a remote machine on a completely
    different IP network to appear to be on the same network as others - and
    not being NAT'd. The remote computer *knows* what the IP is, since it's
    negotiated during the L2TP set up. L2TP shows up as an additional
    interface with its own IP.

    Example:

       Machine A, Network A IP
         (L2TP: Network B IP) Network B
      (IPSEC out Network A's IP)======{Internet Cloud}=======(IPSec/L2TP Gateway)

    It looks like a direct-connect, and others on Network B see it as local.
    The L2TP gateway accepts ARPs for it, and passes traffic back down the
    L2TP-over-IPSEC tunnel. This is useful mostly for Windows traffic,
    which doesn't like to be NAT'd, and also spews out broadcast traffic -
    Outlook new mail notifications come to mind. Unix systems could care
    less, and typically work great over standard IPSec without issue.

    Basically, L2TP passes Layer 2 Broadcast traffic over a tunnel, whilst
    IPSec does not.

    I hope this information is helpful,

    Dave Killion
    Senior Security Engineer
    Security Group, NetScreen Technologies, Inc.

    -----Original Message-----
    From: Zachary Mutrux [mailto:zmutrux@compumentor.org]
    Sent: Tuesday, September 30, 2003 2:46 PM
    To: Security-Basics
    Subject: IPSec = L2TP?

    Do most VPN solutions that use IPSec also use L2TP? Or are there other
    protocols that also use IPSec? I see a lot of mention of IPSec in the
    sales literature but no mention of L2TP.

    Thanks,

    Zac

    --
    Zac Mutrux
    Technology Consultant
    CompuMentor
    415-633-9437

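The layering Dave describes, a Network B address carried inside L2TP/PPP, which in turn rides inside IPsec from the machine's Network A address, is shown below as an added example that is not part of the original thread. It builds and parses the L2TPv2 data message (RFC 2661) as the gateway sees it once ESP is stripped; the tunnel IDs and the 10.20.0.0/24 prefix standing in for "Network B" are constructed values, and an ESP/IKE layer is assumed to sit outside this datagram.

```python
import struct
import ipaddress

# L2TPv2 header bits (RFC 2661); the low nibble of the same word carries the version (2).
L2TP_T, L2TP_L, L2TP_S, L2TP_O = 0x8000, 0x4000, 0x0800, 0x0200
PPP_IPV4 = 0x0021  # PPP protocol number for an IPv4 payload

def build_l2tp_ipv4(tunnel_id, session_id, inner_src, inner_dst, payload=b"", pfc=False):
    """Constructed L2TP data message: [L2TP][PPP][inner IPv4 with Network B addresses]."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address(inner_src).packed,
                        ipaddress.IPv4Address(inner_dst).packed) + payload
    # PPP framing: FF 03 address/control, then the protocol field (one byte when PFC is on)
    ppp = (b"\x21" if pfc else b"\xff\x03" + struct.pack("!H", PPP_IPV4)) + inner
    return struct.pack("!HHHH", L2TP_L | 2, 8 + len(ppp), tunnel_id, session_id) + ppp

def parse_l2tp_ipv4(msg, network_b):
    """Walk the layers below ESP and report which Network B host/broadcast the frame is for."""
    flags = struct.unpack("!H", msg[:2])[0]
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 message")
    if flags & L2TP_T:
        raise ValueError("control message: tunnel signalling, not user traffic")
    off = 2
    if flags & L2TP_L:
        if struct.unpack("!H", msg[2:4])[0] != len(msg):
            raise ValueError("L2TP length field does not match the datagram")
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if flags & L2TP_S:
        off += 4  # Ns/Nr sequence numbers present
    if flags & L2TP_O:
        off += 2 + struct.unpack("!H", msg[off:off + 2])[0]  # Offset Size plus padding
    ppp = msg[off:]
    if ppp[:2] == b"\xff\x03":
        ppp = ppp[2:]  # address/control field is absent when ACFC was negotiated
    if ppp[0] & 1:  # PFC: an odd first byte is a one-byte protocol field
        proto, ppp = ppp[0], ppp[1:]
    else:
        proto, ppp = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    if proto != PPP_IPV4:
        raise ValueError(f"PPP protocol 0x{proto:04x} is not IPv4")
    src, dst = ipaddress.IPv4Address(ppp[12:16]), ipaddress.IPv4Address(ppp[16:20])
    net = ipaddress.ip_network(network_b)
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "inner_src": str(src), "inner_dst": str(dst), "src_on_network_b": src in net,
            "broadcast": dst in (net.broadcast_address, ipaddress.IPv4Address("255.255.255.255"))}
```

The "broadcast" flag is what lets a gateway operator see the subnet-broadcast chatter Dave mentions arriving from a remote client on its Network B address.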


