From: Bill Grant on 19 Dec 2009 17:46

"goarilla" <kevin.paulus(a)skynet.remove-this.be> wrote in message
news:4b2d5444$0$2856$ba620e4c(a)news.skynet.be...
> On Sat, 19 Dec 2009 14:09:33 -0800, karthikbalaguru wrote:
>
>> On Dec 19, 10:22 pm, "Bob Lin \(MS-MVP\)" <nore...(a)chicagotech.net>
>> wrote:
>>> IPSec and PPTP are more popular. The PPTP is using for client to
>>> server. IPSec can be used as client to server or site to site VPN. This
>>> search result may help.
>>
>> Thx for your response. But it seems that PPTP can support only one
>> tunnel at a time for each user. Therefore, its proposed successor,
>> L2TP (a hybrid of PPTP and another protocol, L2F ) can support
>> multiple, simultaneous tunnels for each user.
>>
>> So, shouldn't L2TP be popular ?
>>
>> PPTP and L2TP are the layer 2 VPN technologies from CPE (customer
>> premise equipment) to CPE. IPSec is the primary layer 3 VPN technology
>> providing a CPE to CPE tunnel. Refer-
>> http://www.networkdictionary.com/networking/vpn.php
>>
>> Further from another link from internet, i found that it seems that PPTP
>> separates the control and data channels into control stream that runs
>> over TCP and a data stream that runs over GRE (a less popular Internet
>> standard). But, in contrast L2TP combines the control/data channels and
>> uses high-performance UDP. This makes L2TP more "firewall friendly" than
>> PPTP -- a crucial advantage for an extranet protocol -- since most
>> firewalls do not support GRE.
>>
>> So, i wonder how PPTP is popular compared to L2TP ? Any ideas ?
>>
>> Thx in advans,
>> Karthik Balaguru
>
> i don't know much about VPN, but i do believe it's a field
> dominated by proprietary/gateway solutions: cisco vpn, intel vpn, ...
>

I would say that PPTP maintains its popularity with small to medium sized organisations because it does not require certificates.
If you have an established certificate system in your organisation (and a person capable of maintaining it), L2TP is the obvious choice. If you do not, setting up and maintaining this simply to support a few dialup VPN clients is a big ask. Making a few changes to your firewall for GRE is pretty minor by comparison.

From: Stephen on 19 Dec 2009 18:01

On Sat, 19 Dec 2009 14:09:33 -0800 (PST), karthikbalaguru
<karthikbalaguru79(a)gmail.com> wrote:

>On Dec 19, 10:22 pm, "Bob Lin \(MS-MVP\)" <nore...(a)chicagotech.net>
>wrote:
>> IPSec and PPTP are more popular. The PPTP is using for client to server.
>> IPSec can be used as client to server or site to site VPN. This search
>> result may help.
>>
>
>Thx for your response. But it seems that PPTP can support only one
>tunnel at a time for each user. Therefore, its proposed successor,
>L2TP (a hybrid of PPTP and another protocol, L2F ) can support
>multiple, simultaneous tunnels for each user.
>
>So, shouldn't L2TP be popular ?
>

RFCs are written around standards, and IPsec is the one that gets picked often :)

I vaguely remember this is to do with the encryption setups since the various L2 protocols seem to be less versatile.

You need to remember VPNs are often specified by security depts, not IP, so security can be considered more important than simplicity.

>PPTP and L2TP are the layer 2 VPN technologies from CPE (customer
>premise equipment) to CPE. IPSec is the primary layer 3 VPN technology
>providing a CPE to CPE tunnel.
>Refer- http://www.networkdictionary.com/networking/vpn.php
>
>Further from another link from internet, i found that it seems that
>PPTP separates the control and data channels into control stream that
>runs over TCP and a data stream that runs over GRE (a less popular
>Internet standard). But, in contrast L2TP combines the control/data
>channels and uses high-performance UDP. This makes L2TP more "firewall
>friendly" than PPTP -- a crucial advantage for an extranet protocol --
>since most firewalls do not support GRE.

life as usual isn't that simple.

if you look at how IPsec is used in practice for "non single client" setups you tend to get another protocol within the IPsec wrapper.
router to router links are often used in a resilient network - where you want multicast then you get IPsec -> GRE tunnel -> encap packet.

Where you have client PC style VPNs a different set of constraints apply - Cisco VPN client on a PC is IPsec by default (last few times i used it), but if you want to get it thru a NAT based SOHO router, you "hide" the IPsec by wrapping that in a UDP or TCP stream. So you get UDP wrapper stream -> IPsec -> encap packet.

The TCP setup is a good fallback where the error handling is needed or a firewall doesn't allow UDP. So if you have a really poor link, or low thruput and high jitter such as older 3G links then TCP encap instead of UDP.

Other VPN client setups seem to do similar things.

>
>So, i wonder how PPTP is popular compared to L2TP ?
>Any ideas ?
>

If you want simple then throw all the thick client stuff out and go for SSL - but there are some apps that just do not work well or at all in a web front end setup.

>Thx in advans,
>Karthik Balaguru

--
Regards

stephen_hope(a)xyzworld.com - replace xyz with ntl
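
Added example, not part of any post in this thread: a small Python classifier showing what a packet filter sees for the tunnel types discussed above (PPTP's TCP control stream plus GRE data stream, L2TP over UDP, native and UDP-wrapped IPsec). The protocol and port numbers are the standard IANA assignments rather than values quoted in the thread, UDP 4500 is the standardised NAT-T wrapper and may differ from a vendor client's own wrapper, and all packets are constructed samples.

```python
import struct

# IANA protocol numbers and well-known ports (standard values, not from the thread).
TCP, UDP, GRE, ESP = 6, 17, 47, 50

def ipv4(proto, payload=b""):
    """Constructed sample: minimal 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1])) + payload

def ports(sport, dport):
    """First four bytes of a TCP or UDP header."""
    return struct.pack("!HH", sport, dport)

def classify(pkt):
    """Name the VPN-related flow a stateless filter would see for this packet."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, body = pkt[9], pkt[ihl:]
    if proto == GRE:
        # PPTP carries PPP in "enhanced" GRE: version 1, protocol type 0x880B.
        if len(body) >= 4:
            flags_ver, ptype = struct.unpack("!HH", body[:4])
            if (flags_ver & 0x7) == 1 and ptype == 0x880B:
                return "PPTP data (GRE v1)"
        return "plain GRE tunnel"
    if proto == ESP:
        return "IPsec ESP"
    if proto in (TCP, UDP) and len(body) >= 4:
        seen = set(struct.unpack("!HH", body[:4]))
        if proto == TCP and 1723 in seen:
            return "PPTP control (TCP)"
        if proto == UDP and 1701 in seen:
            return "L2TP (UDP)"
        if proto == UDP and 500 in seen:
            return "IKE (UDP)"
        if proto == UDP and 4500 in seen:
            return "IPsec NAT-T (UDP-wrapped)"
    return "other"

def flows_needed(packets):
    """Distinct flow types a firewall must pass for this session to work."""
    return sorted({classify(p) for p in packets} - {"other"})

# Constructed sessions: PPTP needs TCP plus GRE; NAT-T IPsec stays within UDP.
PPTP_SESSION = [ipv4(TCP, ports(49152, 1723)),
                ipv4(GRE, struct.pack("!HH", 0x3001, 0x880B))]
NATT_SESSION = [ipv4(UDP, ports(500, 500)), ipv4(UDP, ports(4500, 4500))]
```

flows_needed(PPTP_SESSION) returns two entries with different IP protocol numbers, which is why a filter or NAT device that only tracks TCP and UDP passes the PPTP control connection and then drops the data stream.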

From: alexd on 20 Dec 2009 04:50

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, bod43 chose the tried and tested strategy of:

> Draytek interoperates with OpenVPN

OpenVPN is proprietary and will not work with a Draytek router.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm(a)ale.cx)
09:47:26 up 22 days, 13:40, 8 users, load average: 0.00, 1.02, 1.32
Plant food is a made up drug

From: Rob on 20 Dec 2009 04:54

karthikbalaguru <karthikbalaguru79(a)gmail.com> wrote:
> On Dec 19, 10:22 pm, "Bob Lin \(MS-MVP\)" <nore...(a)chicagotech.net>
> wrote:
>> IPSec and PPTP are more popular. The PPTP is using for client to server.
>> IPSec can be used as client to server or site to site VPN. This search
>> result may help.
>>
>
> Thx for your response. But it seems that PPTP can support only one
> tunnel at a time for each user. Therefore, its proposed successor,
> L2TP (a hybrid of PPTP and another protocol, L2F ) can support
> multiple, simultaneous tunnels for each user.
>
> So, shouldn't L2TP be popular ?

I think you should know that "what is popular" is not determined by what can do most, what is technically superior and other such reasons that you run into when you do a comparison of VPN technologies as a technician.

What is popular is determined by what sells best, or what is part of something that already sells best. When it can do the job, it is used.

From: Ace Fekay [MCT] on 21 Dec 2009 00:56
> On 19 Dec, 22:31, goarilla <kevin.pau...(a)skynet.remove-this.be> wrote:
>> On Sat, 19 Dec 2009 14:09:33 -0800, karthikbalaguru wrote:
>>> On Dec 19, 10:22 pm, "Bob Lin \(MS-MVP\)" <nore...(a)chicagotech.net>
>>> wrote:
>>>> IPSec and PPTP are more popular. The PPTP is using for client to
>>>> server. IPSec can be used as client to server or site to site VPN. This
>>>> search result may help.
>>
>>> Thx for your response. But it seems that PPTP can support only one
>>> tunnel at a time for each user. Therefore, its proposed successor,
>>> L2TP (a hybrid of PPTP and another protocol, L2F ) can support
>>> multiple, simultaneous tunnels for each user.
>>
>>> So, shouldn't L2TP be popular ?
>>
>>> PPTP and L2TP are the layer 2 VPN technologies from CPE (customer
>>> premise equipment) to CPE. IPSec is the primary layer 3 VPN technology
>>> providing a CPE to CPE tunnel. Refer-
>>> http://www.networkdictionary.com/networking/vpn.php
>>> Further from another link from internet, i found that it seems that PPTP
>>> separates the control and data channels into control stream that runs
>>> over TCP and a data stream that runs over GRE (a less popular Internet
>>> standard). But, in contrast L2TP combines the control/data channels and
>>> uses high-performance UDP. This makes L2TP more "firewall friendly" than
>>> PPTP -- a crucial advantage for an extranet protocol -- since most
>>> firewalls do not support GRE.
>>
>>> So, i wonder how PPTP is popular compared to L2TP ? Any ideas ?
>>> Thx in advans,
>>> Karthik Balaguru
>>
>> i don't know much about VPN, but i do believe it's a field
>> dominated by proprietary/gateway solutions: cisco vpn, intel vpn, ...
>
> No.
>
> IPSEC is very widely used for infrastructure VPNs and is
> not proprietary. Cisco interoperates with Checkpoint interoperates
> with Draytek interoperates with OpenVPN ....... Never found
> a problem in dozens of cases.
>
> What is often proprietary are the VPN client solutions where
> one of the VPN endpoints is an individual PC.
>
> Cisco, Microsoft, Checkpoint all have their own proprietary
> implementations.

I wouldn't say it's proprietary between Microsoft and Cisco, for after all, THEY developed L2TP as a joint venture, which became an industry standard.

L2TP
In order to make use of the features of both PPTP and L2F, L2TP was developed in a joint venture between Microsoft and Cisco. ...
http://zaielacademic.net/security/l2tp.htm

Some companies do have their own proprietary stuff, such as OpenVPN, but I haven't used it, so I can't comment on it.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.