What is L2TP IPSec?

Is L2TP IPSec safe?

I have a question regarding IPSec as part of the L2TP protocol on Cisco routers.

There is a lot of documentation on L2TP IPSec, but I haven't been able to find much on how "secure" this protocol is, or if there are any known vulnerabilities. Does anyone have any info about this? Thanks! -T

Solved. I read some of the documentation and figured it out for myself, but I thought I'd share in case others were looking for info. I'll answer the question below since I can't put a comment on my answer in this forum.

No, you are not allowed to use a Cisco router as an IPSec VPN server, and in general it is very inadvisable to do so. An example of why you shouldn't do so is because an IPSec connection is based upon the IP address of the device acting as the IPSec VPN server (in this case the device with the L2TP service) and only the IP address of that device will be unique and available to any outside clients. If the device acts as the IPSec VPN server, then the IPSec connection will not be unique and will provide full network access to any device capable of using that IPSec connection. The device in question could even be a device with no other services running on it and it still will provide full network access to all connected devices. (e.g., your router will allow anyone on the internet to connect to your router as long as they know your IP address). So it's easy to see how a device acting as a VPN server for IPSec could be vulnerable to being used as a backdoor into the private network. If someone wanted to compromise a server within your private network, then they would not need to compromise the entire outside network to do so. In essence, the IPSec VPN server provides a very convenient way for someone inside the private network to easily gain access to the entire private network. In summary, IPSec does not provide sufficient security for a VPN server, and if one doesn't fully understand the risks of using a router as a VPN server for IPSec, then it's very likely to make things worse than just configuring your router as a separate VPN server.

When you look at it, a firewall is similar to a VPN server.

Why is L2TP over IPSec not recommended?

L2TP-IPSec is recommended in this draft (draft-ietf-nat-l2tp-tunneling-05.txt).

Is there any significant reason why it was not included in earlier drafts of IETF standards? My guess would be because of implementation concerns. The IPSec and L2TP mechanisms can be quite complex and, once a connection is established, they are expected to protect traffic forever. That means that they tend to require support from the underlying host OS. The IETF does not have enough information to tell us whether the underlying OSes implement these features well enough for them to use them as part of the transport.

Should I use IKEv2 IPSec or L2TP?

Which is better for mobile users?

IPSec or L2TP? Does it depend on connection speed? If I have an option of either using the built-in VPN app provided by the carriers or using my own VPN client, what should I choose? Or is this completely based on preference? What kind of encryption level do I need, does it matter? 128-bit?

Short answer: It depends on the needs.

Longer answer: IKEv2 uses a different protocol and will be a bit more efficient than a standard L2TP tunnel setup, but with standard IPSec it won't cost you anything in terms of performance unless the network is really slow (and even then, most modern cell network cards and wifi equipment support AES-CCM, which is basically AES-256 for the packet). If your data transfer speed is slower than 500 kbps, the difference between these two isn't going to be very big. If the bandwidth is lower than that, IPSec will probably work better.

I should clarify that this doesn't mean that IKEv2 performs better than IPSec, it simply means that it has a different protocol and might require additional hardware support. If you are only concerned with mobile connections, IPSec will probably provide a better experience than IKEv2, as mobile connections generally have lower bandwidth than desktop connections. The advantage of IKEv2 is the flexibility it provides, if you're planning on doing VPNs in your network that support multiple clients. It allows you to specify a specific client, it works with dynamic IP addresses and it will work over both wired and wireless connections.

In your case, I'd recommend that you start with IPSec and test it, see how it works, and decide after a bit whether it's good enough. Note: There are other protocols like OpenVPN and PPTP that can be used for mobile networks too.
