L2TP over IPSEC with "shared" gateway

valerio_vanni Posts: 116  Ally Member
Device is a USG Flex 200, but I think it can be a more generic thing.

When I add a "VPN Connection" for L2TP over IPSEC, is it ok to use an already existing "VPN Gateway" (already used for a classic IPSEC tunnel)?

Or is it better to create a dedicated one?

Accepted Solution

  • zyman2008 Posts: 222  Master Member
    Answer ✓
    valerio_vanni,
    You cannot share a rule between Xauth and L2TP over IPSec.
    Xauth authentication is part of the IKE negotiation, before the IPSec tunnel is up.
    L2TP authentication, however, happens inside L2TP after the IPSec tunnel is up.

    The L2TP over IPSec client does not support IKE Xauth, so the IPSec tunnel will fail.
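
The ordering zyman2008 describes, as an added illustration that is not part of the thread and not Zyxel code: a small model that walks a connection in protocol order (IKE phase 1 with the PSK, then Xauth if the gateway rule demands it, then the IPsec SA, then L2TP/PPP user authentication). The `Gateway` and `Client` classes, the user table and the step labels are all assumptions made for the example. It shows why an L2TP client without Xauth support stops before the tunnel ever comes up on a shared Xauth gateway rule, while the same client succeeds on a dedicated rule and is then authenticated at the L2TP stage.

```python
"""Where authentication happens for an IKE/Xauth remote-access client versus an
L2TP-over-IPsec client that share one VPN gateway rule.

Constructed illustration of the ordering described in the thread; not Zyxel
code. Gateway/client objects, step names and the user table are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    psk: str
    xauth_required: bool  # extended authentication inside IKE phase 1


@dataclass(frozen=True)
class Client:
    kind: str             # "ipsec-xauth" or "l2tp"
    psk: str
    supports_xauth: bool
    username: str
    password: str


# Constructed user store consulted by both Xauth and the L2TP/PPP step.
USERS = {"alice": "correct horse"}


def negotiate(gateway: Gateway, client: Client, users=USERS):
    """Walk the connection in protocol order and return (steps_done, failure).

    Order: IKE phase 1 (PSK) -> Xauth, if the gateway rule demands it ->
    IPsec SA up -> L2TP/PPP user authentication (L2TP clients only).
    """
    steps = []
    # IKE phase 1: both sides must hold the gateway rule's pre-shared key.
    if client.psk != gateway.psk:
        return steps, "ike-phase1: PSK mismatch"
    steps.append("ike-phase1: PSK ok")
    # Xauth is an IKE extension: it runs before any IPsec SA exists, so a
    # client that cannot answer it never reaches the tunnel stage.
    if gateway.xauth_required:
        if not client.supports_xauth:
            return steps, "ike-xauth: client has no Xauth support, IKE aborted"
        if users.get(client.username) != client.password:
            return steps, "ike-xauth: user rejected"
        steps.append("ike-xauth: user ok")
    steps.append("ipsec-sa: tunnel up")
    # L2TP runs inside the tunnel; its PPP authentication comes last.
    if client.kind == "l2tp":
        if users.get(client.username) != client.password:
            return steps, "l2tp-ppp: user rejected"
        steps.append("l2tp-ppp: user ok")
    return steps, None


def shared_gateway_outcome():
    """L2TP client against a gateway rule that also serves Xauth clients."""
    shared = Gateway("shared-ra", "psk-shared", xauth_required=True)
    l2tp = Client("l2tp", "psk-shared", False, "alice", "correct horse")
    return negotiate(shared, l2tp)


def dedicated_gateway_outcome():
    """Same L2TP client against a gateway rule without Xauth."""
    dedicated = Gateway("l2tp-only", "psk-l2tp", xauth_required=False)
    l2tp = Client("l2tp", "psk-l2tp", False, "alice", "correct horse")
    return negotiate(dedicated, l2tp)


if __name__ == "__main__":
    for label, fn in (("shared", shared_gateway_outcome),
                      ("dedicated", dedicated_gateway_outcome)):
        steps, failure = fn()
        print(label, steps, "FAIL: " + failure if failure else "OK")
```

The useful point for troubleshooting is the position of the failure: on the shared rule the trace stops at the IKE stage with no IPsec SA, whereas a wrong L2TP password on the dedicated rule fails only after the tunnel is already up, which is where the firewall's logs would show it.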

All Replies

  • zyman2008 Posts: 222  Master Member
    valerio_vanni,
    If you don't need different security strength and PSK for different VPN peers, then you can share the rule.

    The downside of a shared rule is that any change to the rule will impact all VPN peers using it.
    So I think it is not recommended to share it with a site-to-site rule that needs minimal tunnel downtime.
    It is also easier to troubleshoot once issues happen if the rules are separate.

  • valerio_vanni Posts: 116  Ally Member
    edited April 2022
    I didn't mean to use site-to-site rules; those will be left untouched.
    It would be the same "gateway" used by a "Remote Access (Server Role)" rule.

    I don't see drawbacks, but now a doubt arises. If that "gateway" uses Xauth with authorized users, and the L2TP config can choose its own authentication rules, how does authentication work?
    First against the gateway rules and then against the L2TP ones?

    Should it be able to satisfy both?
