[sdnog] L2TP/IPsec and IKEv2/IPsec VPN?!

Patrick Okui pokui at psg.com
Sat Jun 30 20:47:29 SAST 2018


[late comment, sorry]

On 13 Jun 2018, at 0:28 EAT, Sara Alamin wrote:

> Hi SdNOG community,
> Wish you a Happy Eid, it's almost here :-)
>
> Can you please help me to understand the difference between these two 
> types of VPNs:
> L2TP/IPsec and IKEv2/IPsec?

I’m surprised *Trouble* hasn’t chimed in.

I’m guessing that by the time you’d asked this you’d looked up the 
definitions. So let’s just look at differences.

- L2TP, by the way, is a tunnelling protocol of its own, kinda like GRE 
with zero encryption, so IPSEC is added to it to secure the tunnel. As a 
result it’s more CPU intensive and slower than IKEv2/IPSEC. Probably 
matters more for SBCs like the Raspberry Pi or slow links.

- IKEv2/IPSEC uses plain IPSEC in tunnel mode to UDP port 5000 (can be 
changed). This makes it faster, but much easier to detect/block on 
firewalls.

- The IKEv2 spec has NAT traversal in it, but it isn’t mandatory to 
implement, so some implementations of IKEv2 require public IPs on both 
sides. I think the one in Cisco IOS had this issue for years (don’t 
know if it’s been fixed). L2TP, on the other hand, deals with NAT just 
fine.

- L2TP traditionally has had more support in terms of the operating 
systems you can run it on, but IKEv2 has quickly caught up. I think 
Apple’s iOS > 9 has it built in with a GUI to configure. Where you 
don’t have native support, you could find configuration of the end 
devices for IKEv2/IPSEC harder with third-party tools. Similarly, 
configuring the VPN server (if you’re in charge of it) can be easier 
for L2TP/IPSEC, unless you’re dealing with devices that have it baked 
in, like routers.

- IKEv2 has the ability to automatically keep the tunnel up as the user 
roams. This is useful for mobile users, e.g. if you switch from Wi-Fi to 
3G/LTE. With L2TP you’d have to reconnect. The issue is that some clients 
can’t be configured to do that automatically, so your connection has a 
higher chance of becoming insecure without you noticing.


Which one to use depends on whether it’s for you or for friends, what 
OS support you have on both sides, etc. For site-to-site VPNs (on 
routers) my preference is for IKEv2/IPSEC; if it’s for end-user VPNs, 
then it depends on who’s supporting the end users and what OS they’ll 
be connecting with. If I don’t know in advance, then I’d go for 
L2TP/IPSEC.

Both use IPSEC for the crypto side of things. Snowden has hinted that 
the NSA *may* have weakened IPSEC, but has not provided any proof, and 
neither has anyone else.

--
patrick