Re: [Fwd: l2tp/ipsec for remote access (LONG; was Re: PPP over IPSec... on the ipsec list)]

"Scott G. Kelly" wrote:
> I'd like to point out one thing: the current ipsec spec requires no
> changes in order for you to deploy a remote access solution using l2tp.
> You can configure your security gateways to secure l2tp over udp, and
> have your remote access client tunnel through to a NAS which terminates
> the l2tp connection.
> 
> Scott

One concern with this is that you can accidentally
configure one end of a connection to use plain IPSec while the
other end wants to use L2TP/IPSec. It gets even more complicated
when you locate L2TP and IPSec endpoints in different boxes, or
even if you run IPSec inside L2TP, as one draft suggests.

If the result at the end of this discussion is that L2TP should
be in the picture, I would strongly suggest that IKE negotiation
and SPP (or whatever IPSP WG produces for this purpose) also
take proper note of L2TP.

It has been stated many times in this thread that since PPP/L2TP
already exist and are deployed, it is the path of least resistance
to remote access. I doubt that until I see them fully incorporated,
including this negotiation I mention above.

Ari

-- 
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security