Re: Minimum requirements for IPSec over L2TP - PIX.
In article <987og.17464$_J1.224177@xxxxxxxxxxxxxxxxxx>, am@xxxxx (AM) writes:
| We're buying a service from a provider and they said we need to have a device that can manage IPsec over L2TP (not the
| opposite). The PIX should not be able to manage that kind of encapsulation (I'm investigating it; it's a PIX 515 with
| Finesse 7.0.2) and I'm looking for the cheapest solution to build the tunnel.
|
| They say the minimum requirements are 12.4, 128 MB RAM, 32 MB Flash and encr./decry. module and they suggest at least a
| 1812-K9 router.
|
| Cisco published one of the first documents about the topic in November 2000.
| So I think that even rather old hardware (OK, not all old devices) can manage that kind of tunnel. Do you have any idea
| if I can use hardware like the 1720 series or 870 series or a 3640 router?

I do it on a 3660 with 12.1(5)T and a 4700 with 12.2(34a). Note that
the ability to associate a dialer with an L2TP tunnel probably requires
"service internal" and (IIRC) did not exist prior to 12.1T.

| Moreover, is it possible to split the de-encapsulation process in two and let the PIX decrypt the IPsec and forward the
| L2TP packets to another device that will de-encapsulate them?

For IPSec over L2TP you could have one box de-capsulate and the next
decrypt. Your way of saying it sounds more like L2TP over IPSec...

The neat thing about IPSec over L2TP is that the PPP connection in
the L2TP tunnel can establish static IP addresses making the IPSec
configuration simpler, i.e., no dynamic crypto maps even if your
real IP address is dynamic. It's almost like encrypting a dedicated
serial link, and your access lists can match (virtually) all traffic.

Dan Lanciani
ddl@danlan.*com
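The distinction Dan draws between the two encapsulation orders, as an added example that is not part of this thread: a small Python dissector over constructed packets that reports which headers are visible in cleartext. With IPsec over L2TP the outer IP/UDP/L2TP/PPP headers and the inner IP header (the static PPP addresses) are readable and only the ESP payload is opaque; with L2TP over IPsec everything after the outer ESP header is ciphertext. All addresses, tunnel/session IDs and SPIs are constructed sample values.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP, L2TP_PORT, PPP_IPV4 = 17, 50, 1701, 0x0021

def ipv4(proto, payload, src=b"\xcb\x00\x71\x01", dst=b"\xcb\x00\x71\x02"):
    """Minimal IPv4 header (checksum zero; constructed sample only) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def build_ipsec_over_l2tp():
    """IP/UDP/L2TP/PPP carrying an inner IP packet (the PPP link's static addresses) whose payload is ESP."""
    inner = ipv4(IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 8, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    ppp = b"\xff\x03" + struct.pack("!H", PPP_IPV4) + inner      # HDLC address/control, then PPP protocol
    l2tp = struct.pack("!HHH", 0x0002, 7, 9) + ppp                 # L2TPv2 data message, tunnel 7, session 9
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    return ipv4(IPPROTO_UDP, udp)

def build_l2tp_over_ipsec():
    """IP/ESP: the L2TP/PPP inside is encrypted, so nothing further is visible on the wire."""
    return ipv4(IPPROTO_ESP, struct.pack("!II", 0x2000, 1) + b"\x00" * 16)

def encapsulation_order(pkt):
    """Walk the headers visible in cleartext, outer to inner, and return their names."""
    stack = []
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        proto, pkt = pkt[9], pkt[(pkt[0] & 0xF) * 4:]
        stack.append("IP")
        if proto == IPPROTO_ESP:
            stack.append("ESP")                                   # ciphertext from here on
            break
        if proto != IPPROTO_UDP or len(pkt) < 8 or L2TP_PORT not in struct.unpack("!HH", pkt[:4]):
            break
        pkt = pkt[8:]
        stack.append("UDP")
        flags = struct.unpack("!H", pkt[:2])[0] if len(pkt) >= 6 else 0
        if (flags & 0x800F) != 0x0002:                            # only L2TPv2 data messages are dissected
            break
        hdr = 6 + (2 if flags & 0x4000 else 0) + (4 if flags & 0x0800 else 0)   # L and S bits
        if flags & 0x0200:                                        # O bit: offset size field plus padding
            hdr += 2 + struct.unpack("!H", pkt[hdr:hdr + 2])[0]
        pkt = pkt[hdr:]
        stack.append("L2TP")
        if pkt[:2] == b"\xff\x03":                                # optional HDLC address/control bytes
            pkt = pkt[2:]
        if len(pkt) < 2 or struct.unpack("!H", pkt[:2])[0] != PPP_IPV4:
            break
        pkt = pkt[2:]
        stack.append("PPP")
    return stack
```

For the IPsec-over-L2TP sample the dissector returns the full stack down to the inner ESP header, which is exactly why a box can de-capsulate the L2TP and hand the still-encrypted inner packet to a second device to decrypt.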