L2TP over IPSEC with "shared" gateway
valerio_vanni
Posts: 54
Ally Member
Ally Member
in Security
Device is a USG Flex 200, but I think it can be a more generic thing.
When I add a "VPN Connection" for L2TP over IPSEC, is it ok to use an already existing "VPN Gateway" (already used for a classic IPSEC tunnel)?
Or is it better to create a dedicated one?
0
Accepted Solution
-
valerio_vanni,,
You cannot share rule for xauth and L2TPoverIPSec .
Since Xauth authentication is involve in IKE negotiation before IPSec tunnel up.
But L2TP is involve in L2TP authentication after IPSec tunnel up.
The L2TPoverIPSec client does not support IKE Xauth and the IPSec tunnel will fail.1
Master MemberAll Replies
-
valerio_vanni,
If you don't need different security strength and PSK for different VPN peer.
Then you can share the rule.
The down side of share rule is, any change on the rule will impact all VPN peers using the rule.
So that not recommend to share with site to site rule that need to has min. tunnel down time, I think.
And that's easy to trouble shoot once issues happened with different rule.
0 -
I didn't mean to use Site to site rules, those will be left untouched.It would be the same "gateway" used by a "Remote Access (Server Role)" rule.I don't see drawbacks, but now a doubt arise. If that "gateway" uses Xauth, with authorized users, and L2TP config can choose authentication rules, how does authentication work?First against gateway rules and then against L2TP ones?Should it be able to satisfy both?
0
Categories
- 7.2K All Categories
- 6 Education Center
- 1.4K Nebula
- 39 Nebula Ideas
- 46 Nebula Status and Incidents
- 4.1K Security
- 206 Security Ideas
- 790 Switch
- 34 Switch Ideas
- 679 WirelessLAN
- 11 WLAN Ideas
- 4.7K Consumer Product
- 113 Service & License
- 234 News and Release
- 43 Security Advisories
- 546 FAQ
- 258 Nebula FAQ
- 124 Security FAQ
- 73 Switch FAQ
- 68 WirelessLAN FAQ
- 7 Consumer Product FAQ
- Documents
- 30 Nebula Monthly Express
- 54 About Community
- 34 Security Highlight
