L2TP/IPsec Traffic Compatibility Issues and Requirements Overview

This topic covers various compatibility issues and requirements for the L2TP/IPsec traffic.

Client Software Supported

The L2TP/IPsec software supports the following client PC operating systems and L2TP and IPsec applications:

Interactions with NAT

There are two ways that you can configure E Series routers to interact with Network Address Translation (NAT) devices in the network:

Interaction Between IPsec and PPP

The Point-to-Point Protocol (PPP) defines the Compression Control Protocol (CCP) and Encryption Control Protocol (ECP) modes. These modes are currently not supported in E Series routers. There is no interaction related to encryption directives between IPsec and PPP.

LNS Change of Port

In L2TP, the LNS is permitted to change its port number; ERX routers do not currently support this. IPsec allows only UDP port 1701 to be used for L2TP/IPsec tunnels. The LAC, however, may use any source port it chooses.

Group Preshared Key

Group preshared keys allow the provisioning of secure remote access by means of L2TP/IPsec to networks that do not use a certificate authority (CA) to issue certificates. A group preshared key is associated with a local IP address in an E Series router and is used to authenticate L2TP/IPsec clients that target this IP address as their VPN server address.

Caution: Group preshared keys are not fully secure, and we recommend that you use digital certificates in place of group preshared keys. Group preshared keys are open to man-in-the-middle attacks. To reduce this risk, ERX routers accept only IPsec connections that specify L2TP traffic selectors for security associations (SAs) that are negotiated over IKE connections authenticated with group preshared keys.
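The port rule above and the group-preshared-key restriction in the caution both reduce to a policy check on the traffic selectors a client proposes for a child SA. The following Python is an added illustration written for this page, not ERX code or any Juniper API: it models an SA proposal with its IKE authentication method and proposed selectors, and accepts it only when the selectors cover nothing but UDP traffic to the router's L2TP port 1701 (any client source port is fine), while proposals authenticated with a group preshared key that ask for wider selectors are refused. The `SaProposal`, `TrafficSelector` and `evaluate_proposal` names and the sample proposals are assumptions constructed for the example.

```python
from dataclasses import dataclass

L2TP_PORT = 1701   # the only port IPsec allows for L2TP/IPsec tunnels
UDP = 17           # IP protocol number for UDP
ANY = 0            # wildcard for protocol or port in a selector


@dataclass(frozen=True)
class TrafficSelector:
    """Hypothetical model of one IPsec traffic selector (assumption)."""
    proto: int         # IP protocol number, ANY = any protocol
    local_port: int    # port on the router (VPN server) side, ANY = any
    remote_port: int   # port on the client (LAC) side, ANY = any


@dataclass(frozen=True)
class SaProposal:
    """Hypothetical child-SA proposal as seen by the VPN server (assumption)."""
    auth_method: str            # "group_psk" or "certificate" (IKE authentication)
    selectors: tuple            # TrafficSelector entries proposed for this SA


def is_l2tp_selector(ts: TrafficSelector) -> bool:
    """True only if the selector is confined to UDP traffic addressed to the
    router's L2TP port. The remote (LAC) port is deliberately not constrained,
    because the LAC may use any source port; a wildcard protocol or a
    different local port (for example an LNS that moved off 1701) fails."""
    return ts.proto == UDP and ts.local_port == L2TP_PORT


def evaluate_proposal(p: SaProposal) -> tuple:
    """Return (accepted, reason) for a proposal.

    Group-PSK-authenticated IKE connections get only L2TP selectors, which is
    the mitigation the caution describes: a man-in-the-middle holding the
    shared group key still cannot negotiate an SA that carries arbitrary
    traffic. Certificate-authenticated connections are not subject to the
    L2TP-only restriction in this model."""
    if not p.selectors:
        return False, "proposal carries no traffic selector"
    if p.auth_method == "certificate":
        return True, "certificate-authenticated IKE; selectors accepted"
    if p.auth_method == "group_psk":
        rejected = [ts for ts in p.selectors if not is_l2tp_selector(ts)]
        if rejected:
            return False, (f"group preshared key requires L2TP-only selectors; "
                           f"{len(rejected)} selector(s) are wider than UDP/{L2TP_PORT}")
        return True, "group preshared key with L2TP-only selectors"
    return False, f"unknown IKE authentication method {p.auth_method!r}"


# Constructed sample proposals (not captured from any device).
SAMPLE_PROPOSALS = {
    # Normal L2TP/IPsec client: group PSK, UDP to 1701 from an ephemeral port.
    "psk_l2tp": SaProposal("group_psk", (TrafficSelector(UDP, L2TP_PORT, 50321),)),
    # Same client but wildcard remote port; LAC source port is unconstrained.
    "psk_l2tp_any_src": SaProposal("group_psk", (TrafficSelector(UDP, L2TP_PORT, ANY),)),
    # Group PSK asking to tunnel all traffic: the man-in-the-middle risk case.
    "psk_wide": SaProposal("group_psk", (TrafficSelector(ANY, ANY, ANY),)),
    # Group PSK with the LNS on a non-standard port: port change unsupported.
    "psk_lns_moved": SaProposal("group_psk", (TrafficSelector(UDP, 1702, ANY),)),
    # Certificate-authenticated peer with a wide selector.
    "cert_wide": SaProposal("certificate", (TrafficSelector(ANY, ANY, ANY),)),
    # Malformed: no selectors at all.
    "empty": SaProposal("group_psk", ()),
}


def main():
    for name, proposal in SAMPLE_PROPOSALS.items():
        accepted, reason = evaluate_proposal(proposal)
        print(f"{name:18s} {'ACCEPT' if accepted else 'REJECT'}  {reason}")


if __name__ == "__main__":
    main()
```

Running the block prints one verdict per sample proposal; the only proposals accepted under a group preshared key are the two whose selectors are confined to UDP port 1701 on the router side.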
