IPsec versus L2TP/IPsec

Cisco IPsec vs. L2TP (over IPsec)

The term Cisco IPsec is essentially a marketing label for plain IPsec: ESP in tunnel mode without any additional encapsulation, with the tunnel set up by the Internet Key Exchange protocol (IKE). IKE offers several authentication options; the most common are preshared keys (PSK) or X.509 certificates for the gateway, combined with Extended Authentication (XAUTH) for per-user credentials. XAUTH is an IKEv1 extension (this client type is an IKEv1 one); IKEv2 uses EAP for the same purpose.

The Layer 2 Tunneling Protocol (L2TP) has its origins in PPTP (and Cisco's L2F). Since it provides no security features of its own, such as encryption or strong authentication, it is typically combined with IPsec (L2TP/IPsec, RFC 3193). To keep the additional overhead low, ESP in transport mode is commonly used. The sequence is: first the IPsec security association is established, again using IKE; then the L2TP tunnel and the PPP session are negotiated through that protected channel; afterwards the same IPsec connection carries the L2TP-encapsulated user data.

Compared to plain IPsec the additional encapsulation (a UDP header, an L2TP header and the PPP framing, in front of the user's IP packet) makes L2TP/IPsec a little less efficient per packet, and more so if it is combined with ESP in tunnel mode, which some implementations do, because that adds a second IP header on top.

NAT traversal (NAT-T, RFC 3947/3948) is also more problematic with L2TP/IPsec because of the common use of ESP in transport mode. In tunnel mode the inner packet passes through NAT untouched, but in transport mode the UDP checksum of the encapsulated L2TP packet was computed over the original IP addresses, which the NAT device rewrites and cannot correct inside the ciphertext; the receiver has to compensate, and not every stack does so by default (the Windows client, for example, refuses to build a NAT-T association to a server that is itself behind a NAT unless the AssumeUDPEncapsulationContextOnSendRule registry value is set).

One advantage L2TP has over plain IPsec is that, because it tunnels PPP frames, it can transport protocols other than IP; IPsec in tunnel mode carries IP packets only.

Security-wise both are similar; what matters is the authentication method (PSK or certificates), the IKE exchange mode (Main or Aggressive Mode: Aggressive Mode with a PSK sends a hash derived from the PSK before any encryption is in place, which allows offline dictionary attacks on the key), the strength of the keys and the algorithms used.
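To put numbers on the overhead comparison above, here is an added example (not code from the original page or from any vendor) that models the header stack of plain ESP tunnel mode, L2TP/IPsec in transport mode and the L2TP-inside-ESP-tunnel variant, and derives the largest user packet that still fits a 1500-byte path MTU. The cipher suite (AES-CBC with HMAC-SHA1-96), the 6-byte L2TP data header and the 4-byte PPP header are assumptions marked in the code; other transforms or header options shift the numbers.

```python
"""Per-packet wire overhead of plain IPsec (ESP tunnel mode) versus L2TP/IPsec.

Added example: every header size below is an assumption for a typical IKEv1
deployment, not a value taken from the page or from any vendor's software.
"""

# Assumed ESP transform: AES-CBC (16-byte IV, 16-byte block) + HMAC-SHA1-96 (12-byte ICV).
IP_HDR = 20          # IPv4 header without options
UDP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_IV = 16          # AES-CBC initialisation vector
ESP_TRAILER = 2      # pad length (1) + next header (1), inside the ciphertext
ESP_ICV = 12         # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 16    # plaintext + trailer is padded up to a multiple of this
L2TP_HDR = 6         # flags/version, tunnel ID, session ID; no length/sequence fields (assumption)
PPP_HDR = 4          # address, control and 2-byte protocol field; no ACFC/PFC (assumption)

# Headers that sit inside the ESP ciphertext, in front of the user's IP packet.
INNER_HEADERS = {
    "esp-tunnel": 0,                                        # plain IPsec: inner IP packet is the payload
    "l2tp-transport": UDP_HDR + L2TP_HDR + PPP_HDR,         # L2TP/IPsec as in RFC 3193
    "l2tp-tunnel": IP_HDR + UDP_HDR + L2TP_HDR + PPP_HDR,   # L2TP carried in ESP tunnel mode
}


def esp_padding(plaintext_len: int) -> int:
    """Padding ESP adds so that plaintext + trailer fills whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % CIPHER_BLOCK


def wire_size(mode: str, inner_len: int, nat_t: bool = False) -> int:
    """Bytes on the wire for one user IP packet of inner_len bytes."""
    plaintext = INNER_HEADERS[mode] + inner_len
    encrypted = plaintext + esp_padding(plaintext) + ESP_TRAILER
    # Exactly one IP header sits outside ESP in every mode (the outer header in
    # tunnel mode, the host's own header in transport mode).
    size = IP_HDR + ESP_HDR + ESP_IV + encrypted + ESP_ICV
    if nat_t:
        size += UDP_HDR                                    # UDP/4500 encapsulation (RFC 3948)
    return size


def overhead(mode: str, inner_len: int, nat_t: bool = False) -> int:
    """Bytes added to the user packet; depends on inner_len because of ESP padding."""
    return wire_size(mode, inner_len, nat_t) - inner_len


def max_inner_mtu(mode: str, path_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest user IP packet that fits path_mtu without fragmenting the ESP packet.

    Searched rather than computed: padding makes wire_size a step function of inner_len.
    """
    for inner in range(path_mtu, 0, -1):
        if wire_size(mode, inner, nat_t) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for this encapsulation")


if __name__ == "__main__":
    for mode in INNER_HEADERS:
        for nat_t in (False, True):
            print(f"{mode:15s} nat-t={str(nat_t):5s} "
                  f"overhead(100B)={overhead(mode, 100, nat_t):3d}  "
                  f"max inner MTU={max_inner_mtu(mode, 1500, nat_t)}")
```

Under these assumptions a 1500-byte path leaves 1438 bytes for the user packet with plain ESP tunnel mode, 1420 with L2TP/IPsec (1404 behind NAT-T) and 1400 for L2TP inside ESP tunnel mode, consistent with the 1400-byte MTU commonly configured on L2TP client interfaces. Set the tunnel interface MTU or an MSS clamp accordingly; otherwise the ESP packets themselves get fragmented, and fragments are exactly what many firewalls drop.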


L2TP vs PPTP

L2TP/IPSec and PPTP are similar in the following ways:

  • both provide a logical transport mechanism to send PPP payloads;
  • both provide tunneling or encapsulation so that PPP payloads based on any protocol can be sent across an IP network;
  • both rely on the PPP connection process to perform user authentication and protocol configuration.

Some facts about PPTP:

  • advantages
    • PPTP is easy to deploy
    • PPTP clients are built into most operating systems
    • PPTP uses a TCP control connection (port 1723); the tunneled data itself travels in GRE (IP protocol 47), which, like UDP, does not retransmit lost packets
  • disadvantages
    • PPTP is less secure: data is protected with MPPE (RC4, up to 128 bit), whose keys are derived from the MS-CHAP exchange, so a weak user password or the known weaknesses of MS-CHAPv2 expose the session
    • data encryption begins only after the PPP connection process (and, therefore, PPP authentication) is completed, so the authentication exchange itself is not protected by the tunnel
    • PPTP connections require only user-level authentication through a PPP-based authentication protocol; there is no machine-level authentication

Some facts about L2TP (over IPsec):

  • advantages
    • L2TP/IPsec data encryption begins before the PPP connection process, so the PPP authentication exchange is already protected
    • L2TP/IPsec connections use AES (up to 256 bit) or 3DES (three 56-bit keys) for ESP
    • L2TP/IPsec connections provide stronger authentication by requiring both computer-level authentication during IKE (certificates, or a preshared key) and user-level authentication through a PPP authentication protocol
    • L2TP uses UDP (port 1701). UDP is faster but less reliable, because it does not retransmit lost data packets; L2TP control messages carry their own sequence numbers and are retransmitted by L2TP itself
    • L2TP/IPsec is more "firewall friendly" than PPTP, a crucial advantage for an extranet protocol, because many firewalls and NAT devices do not pass GRE; L2TP/IPsec needs only UDP 500, UDP 4500 (NAT-T) and ESP, and with NAT-T everything runs over UDP
  • disadvantage
    • L2TP/IPsec requires a certificate infrastructure for issuing computer certificates when certificate authentication is used (a preshared key avoids the PKI, but it is shared by all clients, which weakens the machine-level authentication)

To summarize:

There is no clear winner, but PPTP is older, more lightweight, works in most cases and its clients come pre-installed, giving it the advantage of normally being very easy to deploy and configure (without EAP).

But in a number of countries, such as UAE, Oman, Pakistan, Yemen, Saudi Arabia, Turkey, China, Singapore and Lebanon, PPTP is blocked by the ISP or the government, so users there need L2TP/IPsec or an SSL VPN.

Reference : http://vpnblog.info/pptp-vs-l2tp.html
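As an added example tied to the firewall-friendliness and blocking points above (not code from the page or from the referenced blog), the following Python classifies raw IPv4 packets into PPTP control (TCP/1723), PPTP data (enhanced GRE, RFC 2637), IKE (UDP/500), NAT-T IKE or UDP-encapsulated ESP (UDP/4500, told apart by the non-ESP marker of RFC 3948), native ESP (IP protocol 50) and L2TP visible in the clear on UDP/1701, which in an L2TP/IPsec deployment should never be seen outside ESP. The sample packets are constructed inline; addresses and SPIs in them are arbitrary.

```python
"""Classify raw IPv4 packets by the VPN encapsulation their headers reveal.

Added example; the packets in SAMPLES are constructed here for illustration.
"""
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_PORT, IKE_PORT, NAT_T_PORT, L2TP_PORT = 1723, 500, 4500, 1701
GRE_PROTO_PPP = 0x880B          # GRE protocol type for PPP, used by PPTP


def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return "ipsec-esp"              # native ESP: IP protocol 50 must be permitted end to end
    if proto == IPPROTO_GRE:
        if len(payload) >= 4:
            flags, gre_proto = struct.unpack("!HH", payload[:4])
            # PPTP data uses "enhanced GRE" (RFC 2637): K bit set, version 1, protocol type PPP
            if gre_proto == GRE_PROTO_PPP and (flags & 0x2000) and (flags & 0x0007) == 1:
                return "pptp-data"
        return "gre-other"
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_PORT in (sport, dport):
            return "pptp-control"
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            return "ike"
        if NAT_T_PORT in (sport, dport) and len(data) >= 4:
            # RFC 3948: IKE on UDP/4500 is prefixed with a 4-byte zero "non-ESP marker";
            # an ESP packet starts with its SPI, and SPI 0 is reserved, so this is unambiguous.
            return "ike-nat-t" if data[:4] == b"\x00\x00\x00\x00" else "ipsec-esp-udp"
        if L2TP_PORT in (sport, dport) and len(data) >= 2:
            (flags,) = struct.unpack("!H", data[:2])
            if (flags & 0x000F) == 2:                          # L2TPv2 version field
                kind = "control" if flags & 0x8000 else "data"  # T bit
                # L2TP readable on the wire means it is NOT inside IPsec: an unprotected tunnel.
                return f"l2tp-{kind}-cleartext"
    return "other"


def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero; irrelevant for classification)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x02")
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample packets, keyed by the label classify() should produce.
SAMPLES = {
    "pptp-control": ipv4(IPPROTO_TCP, struct.pack("!HH", 40000, PPTP_PORT) + bytes(16)),
    "pptp-data": ipv4(IPPROTO_GRE, struct.pack("!HH", 0x3001, GRE_PROTO_PPP)   # K+S bits, version 1
                      + struct.pack("!HHI", 6, 1, 1) + b"\xff\x03\x00\x21"),
    "gre-other": ipv4(IPPROTO_GRE, struct.pack("!HH", 0x0000, 0x0800) + bytes(20)),  # plain GRE/IP
    "ike": ipv4(IPPROTO_UDP, udp(IKE_PORT, IKE_PORT, bytes(28))),
    "ike-nat-t": ipv4(IPPROTO_UDP, udp(NAT_T_PORT, NAT_T_PORT, b"\x00\x00\x00\x00" + bytes(28))),
    "ipsec-esp-udp": ipv4(IPPROTO_UDP, udp(NAT_T_PORT, NAT_T_PORT,
                                           struct.pack("!II", 0x00C0FFEE, 1) + bytes(16))),
    "ipsec-esp": ipv4(IPPROTO_ESP, struct.pack("!II", 0xDEADBEEF, 1) + bytes(16)),
    "l2tp-data-cleartext": ipv4(IPPROTO_UDP, udp(L2TP_PORT, L2TP_PORT,
                                                 struct.pack("!HHH", 0x0002, 5, 7) + b"\xff\x03\x00\x21")),
    "l2tp-control-cleartext": ipv4(IPPROTO_UDP, udp(L2TP_PORT, L2TP_PORT,
                                                    struct.pack("!HHHHHH", 0xC802, 12, 0, 0, 0, 0))),
    "other": ipv4(IPPROTO_UDP, udp(53, 53, bytes(12))),
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {label: classify(pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in classify_samples().items():
        print(f"{label:24s} -> {result}")
```

Read the labels as firewall requirements: PPTP needs TCP/1723 plus IP protocol 47 through every device on the path, which is what the GRE-blocking firewalls above break, while L2TP/IPsec needs UDP/500, UDP/4500 and ESP, or only the two UDP ports once NAT-T is in use. In a detection context the interesting label is the last pair: L2TP control or data in the clear means a client negotiated L2TP without IPsec, so user authentication and traffic are unprotected.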


IPSec VS L2TP/IPSec

The reason people use L2TP is due to the need to provide a login mechanism to users. IPSec by itself is meant to be a tunneling protocol in a gateway-to-gateway scenario (there are still two modes, tunnel mode & transport mode). So vendors use L2TP to allow people to use their products in a client-to-network scenario. So, they use L2TP only for logging in and the rest of the session would be using IPSec. You have to take into consideration two other modes; pre-shared keys vs. certificates.

Reference : http://seclists.org/basics/2005/Apr/139

IPsec tunnel mode

When Internet Protocol security (IPsec) is used in tunnel mode, IPsec itself provides encapsulation for IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with other routers, gateways, or end systems that do not support L2TP over IPsec or PPTP VPN tunneling. Interoperability information is provided at the Virtual Private Network Consortium Web site.

Reference : http://forums.isaserver.org/m_2002098668/mpage_1/key_/tm.htm#2002098668

Tags:

Ipsec

L2Tp