IPSec with or without L2TP?

networking vpn tunnel ipsec l2tp
8,196

Solution 1

Android since 4.0 supports plain IPsec out of the box. And there are several apps for 4.x that provide other VPN protocols on unrooted devices (e.g. IKEv2/IPsec with the strongSwan VPN Client).

Since Windows 7 you can use the built-in IKEv2/IPsec client. Granted racoon does not support IKEv2, but there are other open-source implementations that do (e.g. strongSwan or Libreswan).

Does anyone know why L2TP is still the standard way with IPSec?

I wouldn't say it's the standard way, as e.g. Windows 7 and newer first try IKEv2, but I agree that clients still offer it quite prominently.

One reason for its initial success was probably that it allowed reusing the PPP infrastructure that existed for dial-up connections (while being more secure and standardized than PPTP). And because L2TP installations have been around for a long time, and were deployed pretty widespread, about any client had (and still has) to support it. This makes it, of course, easier for VPN providers as they can reduce the number of offered VPN technologies. This, however, reduces the incentive to implement other protocols in clients.

There could also be licensing issues preventing other protocols from being used, for instance, the IKEv2 implementations mentioned above are GPL licensed, which Apple in iOS and Google in Android tend to avoid in favour of more permissively licensed software such as racoon (which they both use in their products).

Solution 2

In the beginning (long ago before the BSD IPsec implementation has been integrated into the Linux kernel) it was not possible to use a IPsec VPN over a NAT gateway, because it was not possible to NAT IPsec. IPsec has been developed for IPv6, which does not know NAT anymore and using IPsec for IPv4 has always been some kind of hack. Not having NAT for the so called road warriors using IPv4 was a no-go. The only way to get it working in the 90th was to use L2TP, because L2TP works on top of UDP and NAT is possible. Cisco picked up this solution and implemented it in their VPN-Concentrators. This is the time it became a "standard". And in order to be compatible with Cisco many other vendors implemented it. That is the reason why Apple implemented it and why Android supports it, too.

But tunneling layer 2 Ethernet frames through the IPsec tunnel has never been a great idea for an IP only communication. In the 90th there were other protocols which needed bridging like IPX but nowadays everybody speaks IP. And in order to get rid of the layer 2 frame overhead RFC 3948 proposed the "UDP Encapsulation of IPsec ESP Packets". This works also by putting the ESP and AH protocols in UDP packets and by this NAT is possible. But it avoids any layer 2 frames. This is the modern solution everybody should try first. Using L2TP is the legacy way, which exists only for backward compatibility.

Share:
8,196

Related videos on Youtube

creethy
Author by

creethy

Updated on September 18, 2022

Comments

  • creethy
    creethy over 1 year

    I'm referring to this question. And to be clear: This is really not about the old PPTP vs L2TP debate. ;-)

    I successfully set up racoon as an IKE server without any L2TP implementation running and it works quite well. I can establish a tunnel from my laptop to the VPN server and use this one as an internet gateway. As far as I can see all IP packets are securely encapsulated. Voilà, this is everything I wanted. But, oops, it's only OS X/iOS that support this type of a "plain IPSec" VPN out of the box, but I need to support other platforms as well. All other OS including Windows and Android seem to need the additional PPP connection that is established using L2TP using software like xl2tpd. I was curious, so I set it up again with racoon+xl2tpd and created an L2TP/IPSec tunnel. And it works exactly like it did without L2TP.

    So, what's the benefit of using L2TP at all? Yes, I can tunnel other protocols like X.25, but anything other than IP is rarely needed by the vast majority of users. I can assume reasons why MS is doing it more complex than the VPN stuff has to be. But at least I cannot understand why Android still needs this L2TP layer, which in my opinion just adds complexity and overhead. And yes, I know there is extra client software to overcome the OS limits.

    Even with authentication, there is no difference: Remote authentication is usualy done using pre-shared-keys or certificates and user authentication is done via XAuth or CHAP/PAP. – Jep, I'm simplifying here, but you know what I mean.

    Does anyone know why L2TP is still the standard way with IPSec? Am I missing something?

  • creethy
    creethy about 10 years
    Thank you for this explanatory answer. So my guess was right – using L2TP is not so much about functionality (but history and licensing). Indeed I completely forgot about IKEv2, but mainly because racoon doesn't support it. I will try to set it up with strongSwan and give it a try.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

L2TP/IPSec stopped working after openssl upgrade
How can I permanently delete tun interfaces
VPN L2TP/IPSec client on Ubuntu 16.04 VPN service failed to start
Where to add the Pre-Shared Key for the Server Authentication with Network Manager for L2TP/IPSEC?
How can I make VirtualBox guests share the host's VPN connection?
PFSense IPSec connection established, wan works, lan not
IPsec on pfSense: Tunnel is up, but I can't connect to remote host
IPSec/L2TP VPN connection fails
Use putty tunnels to sneak through on the VPN?
ipsec configuration problems on Ubuntu. Errors on IP forwarding" connection authorization from Android client