IPSEC and L2TP

GHOSTRIDER2016

Hi Guys,

I understand that IPSEC operates at layer 3 of the OSI model and L2TP at layer 2. I read that sometimes organizations incorporate both these security protocols to ensure data integrity. Would using two layers of encryption impact performance ? as the packet as to be "stripped" twice before it can be presented ?.

Thanks

Find more posts tagged with

Comments

lucky0977

The most common tunneling protocols are PPTP and L2TP. To answer your question, because double encapsulation occurs using L2TP with IPSEC, it is slightly slower than PPTP but what is more important is that it is more secure than PPTP. You also have OpenVPN but more common tunneling protocols you see in books are the two I mentioned.

GHOSTRIDER2016 wrote: »

Hi Guys,

I understand that IPSEC operates at layer 3 of the OSI model and L2TP at layer 2. I read that sometimes organizations incorporate both these security protocols to ensure data integrity. Would using two layers of encryption impact performance ? as the packet as to be "stripped" twice before it can be presented ?.

Thanks

GHOSTRIDER2016

lucky0977 wrote: »

The most common tunneling protocols are PPTP and L2TP. To answer your question, because double encapsulation occurs using L2TP with IPSEC, it is slightly slower than PPTP but what is more important is that it is more secure than PPTP. You also have OpenVPN but more common tunneling protocols you see in books are the two I mentioned.

Thankyou for being so open with what you know about the protocols

docrice

I normally don't see much PPTP or L2TP used in my experience unless its for some consumer-based VPN services. IPSec is the most common implementation, at least for site-to-site connections at the enterprise level.

To complicate the discussion (for the sake of slightly extra completion of the subject), individual clients connection to gateways (to access corporate networks) which fall into the category of "client remote access VPN" the trend has shifted away from IPSec for quite a while now due to IPSec management with laptops wandering in the field and connecting from public facilities like cafes and hotels. These days it tends to be SSL VPNs. Cisco AnyConnect, for example, uses typical SSL/TLS over TCP 443 but also uses UDP 443 for DTLS. OpenVPN can use either TCP or UDP, but by default it uses UDP over a non-typical port.

There are other SSL VPN implementations which have their own scheme with very unusual ports, but for the most part it boils down to IPSec vs. SSL VPNs in my experience.

Mike7

PPTP has known security vulnerabilities while L2TP is not common. There are reports of ISPs throttling or blocking IPSEC traffic especially if you are not using their "business" internet offerings. Apparently, nation-state resources are capable of evasdropping on certain IPSEC traffic.

SSL VPN such as Cisco AnyConnect that @docrice mentions uses the standard HTTPS TCP 443 port that most firewalls do not block and can also use UDP 443 for possible performance improvements. In general, IPSec has better throughout than SSL VPN due to lower overheads and better integration. SSL VPN throughput can be improved by selecting faster encryption algorithm.

SSL VPN is easier to configure, suitable for users and less likely to be blocked while IPSec is good for performance and low latency. If performance and latency are not critical considerations, SSL VPN is a good option.