L2TP over IPSEC with "shared" gateway
valerio_vanni
Device is a USG Flex 200, but I think it can be a more generic thing.
When I add a "VPN Connection" for L2TP over IPSEC, is it ok to use an already existing "VPN Gateway" (already used for a classic IPSEC tunnel)?
Or is it better to create a dedicated one?
Accepted Solution
-
valerio_vanni,
You cannot share a rule for Xauth and L2TPoverIPSec.
Xauth authentication is involved in the IKE negotiation, before the IPSec tunnel is up.
But L2TP is involved in L2TP authentication, after the IPSec tunnel is up.
The L2TPoverIPSec client does not support IKE Xauth, and the IPSec tunnel will fail.
All Replies
-
valerio_vanni,
If you don't need different security strength and PSK for different VPN peers, then you can share the rule.
The downside of sharing a rule is that any change to the rule will impact all VPN peers using the rule.
So it is not recommended to share with a site-to-site rule that needs to have minimal tunnel downtime, I think.
And it's easy to troubleshoot once issues happen with different rules.
-
I didn't mean to use site-to-site rules; those will be left untouched. It would be the same "gateway" used by a "Remote Access (Server Role)" rule. I don't see drawbacks, but now a doubt arises. If that "gateway" uses Xauth, with authorized users, and the L2TP config can choose authentication rules, how does authentication work? First against the gateway rules and then against the L2TP ones? Should it be able to satisfy both?