
L2TP/IPsec Traffic Compatibility Issues and Requirements Overview

This topic covers compatibility issues and requirements for L2TP/IPsec traffic.

Client Software Supported

The L2TP/IPsec software supports the following client PC operating systems and L2TP and IPsec applications:

• Windows 2000 and Windows XP running built-in IPsec VPN software
• Microsoft L2TP/IPsec VPN client for Windows NT, Windows 98, and Windows ME
• SafeNet client software
• Mac OS X version 10.3 or later

Interactions with NAT

There are two ways that you can configure E Series routers to interact with Network Address Translation (NAT) devices in the network:

• Configure the router to run in NAT passthrough mode by using the application l2tp-nat-passthrough command. For information about NAT passthrough, see NAT Passthrough Mode Overview.
• Configure the virtual router to enable Network Address Translation-Traversal (NAT-T) by using the ipsec option nat-t command. For information about NAT-T, see NAT-Traversal Overview.

Interaction Between IPsec and PPP

The Point-to-Point Protocol (PPP) defines the Compression Control Protocol (CCP) and Encryption Control Protocol (ECP) modes. E Series routers currently do not support these modes, so there is no interaction related to encryption directives between IPsec and PPP.

LNS Change of Port

L2TP permits the LNS to change its port number, but ERX routers currently do not support this. IPsec allows only port 1701 to be used for L2TP/IPsec tunnels; the LAC, however, may use any source port it chooses.

Group Preshared Key

Group preshared keys allow the provisioning of secure remote access by means of L2TP/IPsec to networks that do not use a certificate authority (CA) to issue certificates. A group preshared key is associated with a local IP address in an E Series router and is used to authenticate L2TP/IPsec clients that target this IP address as their VPN server address.

Caution: Group preshared keys are not fully secure, and we recommend that you use digital certificates in place of group preshared keys. Group preshared keys are open to man-in-the-middle attacks. To reduce this risk, ERX routers accept only IPsec connections whose security associations (SAs), when negotiated over IKE connections authenticated with a group preshared key, specify L2TP traffic selectors.
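The two rules stated in the LNS Change of Port and Group Preshared Key sections (the LNS-side port is fixed at 1701 while the LAC may use any source port, and a group-preshared-key IKE connection may only negotiate SAs with L2TP traffic selectors) can be expressed as a small admission policy. The following Python is an added example written for this page, not JunosE or ERX code; it assumes a simplified model of an incoming quick-mode proposal (IP protocol, LNS-side port, LAC-side port, and the IKE authentication method), assumes L2TP runs over UDP (the page names only the port), and applies no selector restriction to certificate-authenticated connections because the page restricts only preshared-key ones.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model for illustration; names and labels below are constructed.
UDP = 17
L2TP_PORT = 1701  # the only LNS-side port IPsec permits for L2TP/IPsec per the text


@dataclass(frozen=True)
class TrafficSelector:
    """Simplified phase 2 traffic selector; None means 'any'."""
    protocol: Optional[int]
    lns_port: Optional[int]   # port on the router (LNS) side
    lac_port: Optional[int]   # port on the client (LAC) side


@dataclass(frozen=True)
class SaProposal:
    """What the policy check needs to know about an incoming IPsec SA request."""
    ike_auth: str             # "group-psk" or "cert" (constructed labels)
    selector: TrafficSelector


def is_l2tp_selector(ts: TrafficSelector) -> bool:
    """True only for UDP to the fixed LNS port 1701; the LAC port is unconstrained.

    A wildcard protocol or a wildcard LNS port is deliberately *not* treated as
    an L2TP selector: the point of the restriction is that a peer authenticated
    with a shared group key cannot obtain an SA covering arbitrary traffic.
    """
    return ts.protocol == UDP and ts.lns_port == L2TP_PORT


def evaluate_sa_proposal(proposal: SaProposal) -> Tuple[bool, str]:
    """Accept or reject an SA proposal under the rules stated on the page."""
    if proposal.ike_auth == "cert":
        # The page restricts only preshared-key IKE connections (assumption:
        # certificate-authenticated ones are not constrained by this check).
        return True, "certificate-authenticated IKE: no selector restriction applied"
    if proposal.ike_auth == "group-psk":
        if is_l2tp_selector(proposal.selector):
            return True, "group preshared key: L2TP selector accepted"
        return False, "group preshared key: non-L2TP selector rejected"
    return False, f"unknown IKE authentication method {proposal.ike_auth!r}"


def run_samples() -> List[Tuple[str, bool]]:
    """Constructed sample proposals, one per rule, with the policy decision."""
    samples = [
        ("psk, udp any->1701", SaProposal("group-psk", TrafficSelector(UDP, L2TP_PORT, None))),
        ("psk, udp 60000->1701", SaProposal("group-psk", TrafficSelector(UDP, L2TP_PORT, 60000))),
        ("psk, lns port moved", SaProposal("group-psk", TrafficSelector(UDP, 1702, 60000))),
        ("psk, any protocol", SaProposal("group-psk", TrafficSelector(None, None, None))),
        ("cert, any protocol", SaProposal("cert", TrafficSelector(None, None, None))),
    ]
    return [(name, evaluate_sa_proposal(p)[0]) for name, p in samples]


if __name__ == "__main__":
    for name, ok in run_samples():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name}")
```

Running the block prints one decision per constructed sample: the two proposals targeting UDP port 1701 on the LNS side are accepted regardless of the LAC port, while a moved LNS port or a wildcard selector from a preshared-key peer is rejected. The same check is the natural place to log rejections, since a preshared-key peer proposing non-L2TP selectors is exactly the condition the caution above is concerned with.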

Published: 2014-08-12