1

What are the two modes of operation for L2TP remote access VPNs?

Answer:

L2TP remote access VPNs can operate in either voluntary/client-initiated tunnel mode or compulsory/NAS-initiated tunnel mode.

2

What are some of the main advantages and disadvantages of L2TP VPNs?

Answer:

L2TP can be used to transport multiprotocol traffic; PPP (tunneled over L2TP) offers flexible negotiation of user authentication protocols, compression, and assignment of IP addresses; Windows 2000, Windows XP, and Mac OS X include a built-in L2TP/IPsec client; L2TP can be used to transport multicast traffic; L2TP allows service providers to backhaul large numbers of remote access users' PPP connections across networks; L2TP's native security is relatively weak; L2TP/IPsec can add considerable overhead to encapsulated PPP packets.

3

How can security be configured for voluntary tunnel mode L2TP remote access VPNs?

Answer:

L2TP with PPP user authentication (without IPsec protection) and L2TP over IPsec (L2TP/IPsec) with PPP user authentication.

4

What is the purpose of the accept-dialin command?

Answer:

The accept-dialin command configures an L2TP VPN gateway to accept L2TP tunnel/session setup from remote access VPN clients/LACs.

5

What is split tunneling, and why is it a potential security risk?

Answer:

Split tunneling is a situation in which a remote user can directly access both the Internet and the corporate network via a VPN tunnel at the same time. This situation can be a security risk because an attacker on the Internet may gain control of the remote user's workstation and thereby gain access to the corporate network over the VPN tunnel.

6

IPsec can be used to secure L2TP tunnels, and digital certificates can be used to authenticate IPsec peers. On the VPN 3000 concentrator, what are the two basic methods of enrolling and obtaining digital certificates from a CA?

Answer:

It is possible to enroll and obtain digital certificates manually or using the Simple Certificate Enrollment Protocol (SCEP).

7

When deploying Cisco IOS L2TP client-initiated tunneling (voluntary tunnel mode), what is the main advantage of L2TPv3 over L2TPv2?

Answer:

The main advantage is the lower overhead (assuming that L2TPv3 uses an IP encapsulation [protocol 115] rather than a UDP/IP encapsulation).

8

How can you debug IKE negotiation packet by packet on a Windows 2000/XP client (examining packet detail)?

Answer:

You can enable Oakley logging on a Windows XP/2000 remote access VPN client.

9

In compulsory tunnel mode, how is PPP authentication typically performed on the LAC?

Answer:

Partial PPP authentication is performed on the LAC. During partial PPP authentication, the LAC obtains the username of the remote access client and uses this username to assign the PPP connection to the appropriate L2TP tunnel.

10

What are the two methods of configuring tunnel definitions on a RADIUS server?

Answer:

Using IETF standard (RFC 2868) tunnel attributes and using Cisco attribute-value (AV) pairs.
