Benefits and Drawbacks of L2TP Remote Access VPNs
When deciding whether you want to deploy remote access L2TP VPNs, it is important to understand their benefits and drawbacks, and how they compare to other widely deployed remote access VPN types such as IPsec and Secure Sockets Layer (SSL).
The benefits and drawbacks of L2TP remote access VPNs include the following:
- L2TP can be used to transport multiprotocol traffic such as IP, IPX, and AppleTalk (over PPP).
Neither IPsec nor SSL natively provides multiprotocol support, although as discussed in Chapter 5, "Advanced MPLS Layer 3 VPN Deployment Considerations," multiprotocol traffic transport is sometimes supported in an IPsec site-to-site VPN configuration by using Generic Routing Encapsulation (GRE)/IPsec tunnels.
If you are planning to support multiprotocol traffic transport over L2TP, however, it is a good idea to ensure that the VPN gateway that you choose supports these protocols (Cisco VPN 3000 concentrators support IP only, whereas Cisco routers support IP, IPX, AppleTalk, and other protocols depending on the version of Cisco IOS Software).
- PPP, which is tunneled over L2TP, allows flexible negotiation of options such as user authentication protocols, compression, and IP addresses.
Mechanisms such as Extended Authentication within IKE (Xauth), Hybrid Authentication Mode for IKE, Challenge/Response Authentication of Cryptographic Keys (CRACK), and the ISAKMP Configuration Method (Mode Config) can be used to provide similar functionality with IPsec.
- Windows Vista, XP, and 2000, and Mac OS X include a built-in L2TP/IPsec client. L2TP VPN client software is also available for other operating systems.
- L2TP can be used to transport multicast traffic. This contrasts with protocols such as IPsec that do not, at the time of this writing, transport multicast traffic in a remote access configuration.
- L2TP offers a flexible method for service providers to back haul large numbers of remote access users' PPP connections from a NAS (or other aggregation device) across an intervening network to an LNS. Neither IPsec nor SSL provides this type of functionality.
- L2TP remote access VPNs are completely Internet Engineering Task Force (IETF) standards based.
- L2TP's native security is weak, and consists simply of control connection/tunnel authentication and hidden attribute-value pairs (AVPs).
Additional security may be provided by protecting the L2TP tunnel with IPsec (RFC 3193).
- L2TP/IPsec can add considerable overhead to encapsulated PPP packets. L2TPv2 itself typically adds 40 bytes of overhead (IP + UDP + L2TP headers), and on top of that, IPsec adds even more overhead. The precise amount of overhead depends on a number of factors; see Chapter 7, "Scaling and Optimizing IPsec VPNs," for more information.
Last but not least, L2TP/IPsec remote access VPNs are sometimes thought of as being difficult to implement. This can certainly be true if, for example, your remote access clients are Windows 2000 workstations and you want to use preshared key authentication with IPsec (more on this later). If your remote access client workstations are Windows XP, however, implementation is much easier.
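To make the overhead drawback concrete, the following calculator (an added example, not code from the book) computes the per-frame overhead of plain L2TPv2 over UDP/IPv4 and of L2TPv2 protected by ESP in transport mode, and finds the largest PPP frame that still fits a given MTU. It assumes IPv4 without options, an L2TPv2 data header with the L and S bits set (the 12-byte form behind the 40-byte figure above), and the IV, block and ICV sizes of the named ESP algorithms; the PPP frame length includes the PPP protocol field.

```python
IPV4_HDR = 20
UDP_HDR = 8
L2TP_HDR_MIN = 6          # Flags/Ver, Tunnel ID, Session ID
L2TP_LEN_FIELD = 2        # present when the L bit is set
L2TP_SEQ_FIELDS = 4       # Ns + Nr, present when the S bit is set
ESP_HDR = 8               # SPI + sequence number
ESP_TRAILER = 2           # Pad Length + Next Header

# (IV length, cipher block size) per ESP cipher; NULL has no IV and keeps
# only the 4-byte alignment rule of RFC 4303. Assumed values, not from the book.
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16), "null": (0, 4)}
# ICV length per ESP integrity algorithm (truncated HMAC outputs).
INTEGRITY = {"hmac-sha1-96": 12, "hmac-sha256-128": 16, "hmac-md5-96": 12}


def l2tp_header_len(length_bit=True, seq_bit=True):
    return (L2TP_HDR_MIN + (L2TP_LEN_FIELD if length_bit else 0)
            + (L2TP_SEQ_FIELDS if seq_bit else 0))


def l2tp_overhead(length_bit=True, seq_bit=True):
    """Bytes added to one PPP frame by plain L2TPv2 over UDP/IPv4."""
    return IPV4_HDR + UDP_HDR + l2tp_header_len(length_bit, seq_bit)


def esp_padding(plaintext_len, block):
    # RFC 4303: plaintext + padding + 2-byte trailer must be a multiple of the
    # cipher block size, so the padding depends on the size of each packet.
    return (-(plaintext_len + ESP_TRAILER)) % block


def l2tp_ipsec_overhead(ppp_len, cipher="aes-cbc", integrity="hmac-sha1-96",
                        nat_t=False, length_bit=True, seq_bit=True):
    """Bytes added to a PPP frame of ppp_len bytes by L2TPv2 protected with
    ESP in transport mode (RFC 3193). nat_t adds the UDP header of RFC 3948."""
    iv, block = CIPHERS[cipher]
    icv = INTEGRITY[integrity]
    inner = UDP_HDR + l2tp_header_len(length_bit, seq_bit) + ppp_len  # ESP payload
    esp = ESP_HDR + iv + esp_padding(inner, block) + ESP_TRAILER + icv
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp + (inner - ppp_len)


def largest_ppp_frame(mtu, **kwargs):
    """Largest PPP frame that fits one MTU-sized packet without fragmentation.
    Searched downward because ESP padding is not linear in the frame size."""
    for n in range(mtu, 0, -1):
        if n + l2tp_ipsec_overhead(n, **kwargs) <= mtu:
            return n
    return 0
```

With the defaults, a 1400-byte PPP frame costs 80 bytes of overhead (40 for L2TP/UDP/IP plus 40 for ESP with AES-CBC and HMAC-SHA1-96), and a 1500-byte path MTU leaves room for a PPP frame of at most 1418 bytes.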
Before going on to the design and implementation of L2TP remote access VPNs, it is essential that you understand the operation of both voluntary tunnel mode and compulsory tunnel mode L2TP configurations.
The following section discusses the operation of L2TP voluntary/client-initiated mode.
Operation of L2TP Voluntary Client Initiated Tunnel Mode