L2TP over IPSEC with "shared" gateway

valerio_vanni

Device is a USG Flex 200, but I think it can be a more generic thing.

When I add a "VPN Connection" for L2TP over IPSEC, is it ok to use an already existing "VPN Gateway" (already used for a classic IPSEC tunnel)?

Or is it better to create a dedicated one?

zyman2008

valerio_vanni,,
You cannot share rule for xauth and L2TPoverIPSec .
Since Xauth authentication is involve in IKE negotiation before IPSec tunnel up.
But L2TP is involve in L2TP authentication after IPSec tunnel up.

The L2TPoverIPSec client does not support IKE Xauth and the IPSec tunnel will fail.

zyman2008

valerio_vanni,
If you don't need different security strength and PSK for different VPN peer.
Then you can share the rule.

The down side of share rule is, any change on the rule will impact all VPN peers using the rule.
So that not recommend to share with site to site rule that need to has min. tunnel down time, I think.
And that's easy to trouble shoot once issues happened with different rule.

valerio_vanni

I didn't mean to use Site to site rules, those will be left untouched.

It would be the same "gateway" used by a "Remote Access (Server Role)" rule.

I don't see drawbacks, but now a doubt arise. If that "gateway" uses Xauth, with authorized users, and L2TP config can choose authentication rules, how does authentication work?

First against gateway rules and then against L2TP ones?

Should it be able to satisfy both?

zyman2008

valerio_vanni,,
You cannot share rule for xauth and L2TPoverIPSec .
Since Xauth authentication is involve in IKE negotiation before IPSec tunnel up.
But L2TP is involve in L2TP authentication after IPSec tunnel up.

The L2TPoverIPSec client does not support IKE Xauth and the IPSec tunnel will fail.