[sdnog] L2TP/IPsec and IKEv2/IPsec VPN?!
Patrick Okui
pokui at psg.com
Sat Jun 30 20:47:29 SAST 2018
[late comment, sorry]
On 13 Jun 2018, at 0:28 EAT, Sara Alamin wrote:
> Hi SdNOG community,
> Wish you Happy Eid, it's almost here :-)
>
> Can you please help me to understand the difference between these two
> types of VPNs:
> L2TP/IPsec and IKEv2/IPsec?
I’m surprised *Trouble* hasn’t chimed in.
I’m guessing that by the time you’d asked this you’d looked up the
definitions. So let’s just look at differences.
- L2TP, by the way, is a tunnelling protocol of its own, kinda like GRE,
with zero encryption, so IPSEC is added to it to secure the tunnel. As a
result it’s more CPU intensive, and slower than IKEv2/IPSEC. Probably
matters more for SBCs like the raspberry pi or slow links.
- IKEv2/IPSEC uses plain IPSEC in tunnel mode to udp port 5000 (can be
changed). It makes it faster, but much easier to detect/block on
firewalls.
- the IKEv2 spec has NAT traversal in it but it isn’t mandatory to
implement so some implementations of IKEv2 require public IPs on both
sides. I think the one in Cisco IOS for years had this issue (don’t
know if it’s been fixed). L2TP on the other hand deals with NAT just
fine.
- L2TP traditionally has had more support in terms of the operating
systems you can run it on but IKEv2 has quickly caught up. I think
Apple’s iOS > 9 has it inbuilt with a GUI to configure. Where you
don’t have native support you could find configuration of the end
devices for IKEv2/IPSEC harder with third party tools. Similarly,
configuring the VPN server (if you’re in charge of it) can be easier
for L2TP/IPSEC unless you’re dealing with devices that have it baked
in like routers.
- IKEv2 has the ability to automatically keep the tunnel up as the user
roams. This is useful for mobile users, e.g. if you switch from wifi to
3G/LTE. With L2TP you’d have to reconnect. The issue is some clients
can’t be configured to do that automatically so your connection has a
higher chance of becoming insecure without you noticing.
Which one to use depends on whether it’s for you or for friends, what
OS support you have on both sides, etc. For site-to-site VPNs (on
routers) my preference is for IKEv2/IPSEC; if it’s for end-user VPNs
then it depends on who’s supporting the end users and what OS they’ll
be connecting with. If I don’t know in advance, then I’d go for
L2TP/IPSEC.
Both use IPSEC for the crypto side of things. Snowden has hinted that
the NSA *may* have weakened IPSEC but not provided any proof and neither
has anyone else.
--
patrick
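An added example, not from the original post or the list: a Python classifier for what a firewall actually sees from either VPN type on the standard IKE ports (UDP 500, and UDP 4500 for NAT traversal, per RFC 7296 and RFC 3948). Both negotiate with IKE and carry data in ESP, so on the wire the visible difference is the version nibble in the IKE header, L2TP/IPsec clients typically negotiating with IKEv1; the sample packets are constructed header-only messages.

```python
import struct
# 28-byte IKE header, same layout in IKEv1 (RFC 2408) and IKEv2 (RFC 7296 s3.1):
# initiator SPI, responder SPI, next payload, version, exchange type, flags, msg ID, length
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_PORT, NAT_T_PORT = 500, 4500       # IKE, and IKE/ESP in UDP for NAT traversal
NON_ESP_MARKER = b"\x00" * 4           # RFC 3948: IKE on 4500 is prefixed by 4 zero bytes
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}


def classify_ike(dst_port: int, payload: bytes):
    """Classify one UDP payload as (label, exchange, nat_traversal), or None if not IKE/ESP."""
    nat_t = dst_port == NAT_T_PORT
    if nat_t:
        # An ESP packet on 4500 starts with its SPI, which is never zero (RFC 3948).
        if not payload.startswith(NON_ESP_MARKER):
            return ("ESP-in-UDP", None, True)
        payload = payload[len(NON_ESP_MARKER):]
    elif dst_port != IKE_PORT:
        return None
    if len(payload) < IKE_HDR.size:
        return None
    _ispi, _rspi, _nxt, version, exchange, _flags, _msgid, length = IKE_HDR.unpack_from(payload)
    major = version >> 4                # high nibble: 1 for IKEv1, 2 for IKEv2
    if major not in (1, 2) or length < IKE_HDR.size:
        return None
    names = IKEV2_EXCHANGES if major == 2 else IKEV1_EXCHANGES
    return (f"IKEv{major}", names.get(exchange, f"unknown({exchange})"), nat_t)


def build_ike_header(major: int, exchange: int) -> bytes:
    """Constructed header-only IKE message (no payloads) for the sample traffic below."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 0, major << 4, exchange, 0x08, 0, IKE_HDR.size)


# Constructed sample flows as (dst_port, udp_payload), as a firewall would see them.
SAMPLE_FLOWS = [
    (500, build_ike_header(2, 34)),                    # IKEv2 IKE_SA_INIT: IKEv2/IPsec client
    (4500, NON_ESP_MARKER + build_ike_header(2, 35)),  # IKEv2 IKE_AUTH from behind a NAT
    (500, build_ike_header(1, 2)),                     # IKEv1 Main Mode: typical L2TP/IPsec client
    (4500, b"\x12\x34\x56\x78" + b"\x00" * 20),        # ESP data in UDP, SPI 0x12345678
    (1701, b"\xc8\x02\x00\x0c" + b"\x00" * 8),         # bare L2TP control packet, no IPsec at all
]


def summarize(flows):
    """Count flows per label: a quick sanity check over firewall-captured UDP payloads."""
    counts = {}
    for port, payload in flows:
        result = classify_ike(port, payload)
        label = result[0] if result else "not IKE/ESP"
        counts[label] = counts.get(label, 0) + 1
    return counts
```

A bare L2TP packet on UDP 1701 showing up unwrapped is itself the finding: it means the IPsec layer the post describes is missing.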