L2TP over IPSEC with "shared" gateway

valerio_vanni

in Security
Device is a USG Flex 200, but I think it can be a more generic thing.
When I add a "VPN Connection" for L2TP over IPSEC, is it ok to use an already existing "VPN Gateway" (already used for a classic IPSEC tunnel)?
Or is it better to create a dedicated one?
Accepted Solution
valerio_vanni,
You cannot share a rule between Xauth and L2TP over IPSec.
Xauth authentication is involved in the IKE negotiation before the IPSec tunnel is up,
but L2TP authentication happens after the IPSec tunnel is up.
The L2TP over IPSec client does not support IKE Xauth, so the IPSec tunnel will fail.
All Replies
valerio_vanni,
If you don't need different security strength and PSK for different VPN peers,
then you can share the rule.
The downside of a shared rule is that any change to the rule will impact all VPN peers using the rule.
So I think it is not recommended to share it with site-to-site rules that need minimal tunnel downtime.
And it is easier to troubleshoot once issues happen when the rules are separate.
I didn't mean to use site-to-site rules; those will be left untouched. It would be the same "gateway" used by a "Remote Access (Server Role)" rule. I don't see drawbacks, but now a doubt arises. If that "gateway" uses Xauth, with authorized users, and the L2TP config can choose authentication rules, how does authentication work? First against the gateway rules and then against the L2TP ones? Should it be able to satisfy both?