registry team mailing list archive

[Bug 264691] Re: NM 0.7 No option for connecting to L2TP IPSEC VPN

 

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling
protocol used to support virtual private networks (VPNs). It does not
provide any encryption or confidentiality by itself; it relies on an
encryption protocol that it passes within the tunnel to provide privacy.
Although L2TP acts like a Data Link Layer protocol in the OSI model,
L2TP is in fact a Session Layer protocol, and uses the registered UDP
port 1701.

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The process of setting up an L2TP/IPsec VPN is as follows:

1. Negotiation of an IPsec Security Association (SA), typically through Internet Key Exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called "pre-shared keys"), public keys, or X.509 certificates on both ends, although other keying methods exist.
2. Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
3. Negotiation and establishment of the L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are
encapsulated by IPsec. Since the L2TP packet itself is wrapped and
hidden within the IPsec packet, no information about the internal
private network can be garnered from the encrypted packet. Also, it is
not necessary to open UDP port 1701 on firewalls between the endpoints,
since the inner packets are not acted upon until after IPsec data has
been decrypted and stripped, which only takes place at the endpoints.

A potential point of confusion in L2TP/IPsec is the use of the terms
"tunnel" and "secure channel." Tunnel refers to a channel which allows
untouched packets of one network to be transported over another network.
In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported
over IP. A secure channel refers to a connection within which the
confidentiality of all data is guaranteed.

In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides
a tunnel.

It will be a very important addition for day-to-day work in organizations
that need access to internal networks for daily tasks, not just
sysadmins.

-- 
NM 0.7 No option for connecting to L2TP IPSEC VPN
https://bugs.launchpad.net/bugs/264691
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Debian.
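The layering the comment above describes (IKE on UDP/500, then ESP as IP protocol 50 in transport mode, with the L2TP datagram on UDP/1701 hidden inside the ESP payload) can be made concrete with a small model. The following is an added example written for this page; it is not code from the bug report, from NetworkManager, or from any VPN implementation. It constructs an IKE datagram and an ESP packet carrying an L2TP control message, then shows two views of them: what a firewall between the endpoints can classify from outer headers alone, and what the IPsec endpoint sees once ESP is stripped. The addresses, the SPI, the key, and the XOR "cipher" standing in for the SA's real encryption are all assumptions made for the example (the XOR keystream is not real cryptography and the ESP ICV is omitted):

```python
import hashlib
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
L2TP_PORT = 1701

# Constructed sample endpoints and SA key for this example (not from the bug report).
CLIENT, SERVER = "192.0.2.10", "198.51.100.1"
TOY_KEY = b"example-sa-key"


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header; checksum left zero since only classification is demonstrated."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, payload):
    """UDP header with zero checksum."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def l2tp_control(tunnel_id, session_id, ns, nr):
    """L2TPv2 control header: T=1 (control), L=1 (length present), Ver=2, no AVPs."""
    flags = 0x8000 | 0x4000 | 0x0002
    return struct.pack("!HHHHHH", flags, 12, tunnel_id, session_id, ns, nr)


def toy_keystream(key, seq, n):
    """Stand-in for the SA's negotiated cipher: SHA-256 counter keystream. NOT secure; illustrative only."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!II", seq, block)).digest()
        block += 1
    return out[:n]


def esp_encapsulate(spi, seq, next_header, inner, key):
    """ESP transport mode: SPI, sequence, then encrypted [payload | pad | pad len | next header]. ICV omitted."""
    pad_len = (-(len(inner) + 2)) % 4
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ks = toy_keystream(key, seq, len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plaintext, ks))


def esp_decapsulate(esp, key):
    """Reverse of esp_encapsulate; returns (next_header, inner payload)."""
    spi, seq = struct.unpack("!II", esp[:8])
    ks = toy_keystream(key, seq, len(esp) - 8)
    pt = bytes(a ^ b for a, b in zip(esp[8:], ks))
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:-(2 + pad_len)]


def middlebox_view(packet):
    """What a firewall between the endpoints can learn from the outer headers only."""
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return ("udp", sport, dport)
    if proto == IPPROTO_ESP:
        return ("esp", struct.unpack("!I", payload[:4])[0])
    return ("other", proto)


def required_firewall_rules(packets):
    """Rules a middlebox needs: UDP/500 for IKE and IP protocol 50 for ESP. UDP/1701 never appears."""
    rules = set()
    for view in map(middlebox_view, packets):
        if view[0] == "udp":
            rules.add(f"udp/{view[2]}")
        elif view[0] == "esp":
            rules.add("ip-proto/50")
    return rules


def endpoint_view(packet, key):
    """What the IPsec endpoint sees after stripping ESP: the inner UDP port and L2TP header bits."""
    ihl = (packet[0] & 0x0F) * 4
    next_header, inner = esp_decapsulate(packet[ihl:], key)
    assert next_header == IPPROTO_UDP, "transport-mode ESP here must carry UDP"
    sport, dport = struct.unpack("!HH", inner[:4])
    flags = struct.unpack("!H", inner[8:10])[0]
    return {"dport": dport, "l2tp_control": bool(flags & 0x8000), "l2tp_version": flags & 0x000F}


def build_session():
    """Constructed two-packet exchange: an IKE datagram, then ESP carrying an L2TP control message."""
    ike = ipv4(CLIENT, SERVER, IPPROTO_UDP, udp(IKE_PORT, IKE_PORT, b"\x00" * 28))  # placeholder IKE header
    l2tp = udp(L2TP_PORT, L2TP_PORT, l2tp_control(0, 0, 0, 0))
    esp = ipv4(CLIENT, SERVER, IPPROTO_ESP, esp_encapsulate(0x1001, 1, IPPROTO_UDP, l2tp, TOY_KEY))
    return [ike, esp]


if __name__ == "__main__":
    pkts = build_session()
    print("middlebox sees:", [middlebox_view(p) for p in pkts])
    print("rules needed:", sorted(required_firewall_rules(pkts)))
    print("endpoint sees:", endpoint_view(pkts[1], TOY_KEY))
```

Running it shows the firewall classifying only UDP/500 and protocol 50, while the endpoint alone recovers UDP/1701 and the L2TP control header, which is exactly why port 1701 need not be opened on intermediate firewalls. A real deployment behind NAT would also use UDP encapsulation of ESP, which this model does not cover.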