Security Basics mailing list archives

RE: IPSec = L2TP?

From: Dave Killion <Dkillion () netscreen com>
Date: Tue, 30 Sep 2003 15:59:23 -0700

IPSec is not L2TP, however L2TP can ride *on top* of IPSec.

Any protocol can traverse IPSec, but it needs to be routed in order to
work, i.e. handed off to a gateway for processing.  You can't do IPSec
between two machines on the same layer 2 segment, which is what L2TP is
for.  L2TP over IPSec is a way for a remote machine on a completely
different IP network to appear to be on the same network as others - and
not being NAT'd.  The remote computer *knows* what the IP is, since it's
negotiated during the L2TP set up. L2TP shows up as an additional
interface with it's own IP.

Example:

   Machine A, Network A IP 
     (L2TP: Network B IP)                                     Network B
  (IPSEC out Network A's IP)======{Internet Cloud}=======(IPSec/L2TP
Gateway)

It looks like a direct-connect, and others on Network B see it as local.
The L2TP gateway accepts ARP's for it, and pass traffic back down the
L2TP-over-IPSEC tunnel.  This is useful mostly for Windows traffic,
which doesn't like to be NAT'd, and also spews out broadcast traffic -
Outlook new mail notifications come to mind.  Unix systems could care
less, and typically work great over standard IPSec without issue.

Basically, L2TP passes Layer 2 Broadcast traffic over a tunnel, whilst
IPSec does not.

I hope this information is helpful, 

Dave Killion 
Senior Security Engineer 
Security Group, NetScreen Technologies, Inc.



-----Original Message-----
From: Zachary Mutrux [mailto:zmutrux () compumentor org]
Sent: Tuesday, September 30, 2003 2:46 PM
To: Security-Basics
Subject: IPSec = L2TP?


Do most VPN solutions that use IPSec also use L2TP? Or are there other
protocols that also use IPSec? I see a lot of mention of IPSec in the
sales
literature but no mention of L2TP.

Thanks,

Zac

--
Zac Mutrux
Technology Consultant
CompuMentor
415-633-9437



------------------------------------------------------------------------
---
------------------------------------------------------------------------
----

Attachment: smime.p7s
Description:

Current thread:

RE: IPSec = L2TP? Dave Killion (Oct 01)
- <Possible follow-ups>
- RE: IPSec = L2TP? Freilich, Robert (Oct 01)
  - RE: IPSec = L2TP? Zachary Mutrux (Oct 01)
- RE: IPSec = L2TP? LordInfidel (Oct 01)