Difference between the L2TP and the IPSec on the USG2000 and USG5000


L2TP provides tunnel transmission for data frames at the PPP link layer and allows the L2 link termination and the PPP session endpoint to reside on different devices, thereby extending the PPP model. That is, L2TP establishes a PPP link between a user behind a LAC and the LNS.
IPSec is an open network-layer security framework protocol defined by the Internet Engineering Task Force (IETF). It is a series of protocols and services that provide security for IP networks. IPSec mainly comprises the Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and the algorithms used for network authentication and encryption. The L2TP over IPSec mechanism encapsulates packets first with L2TP and then with IPSec. In this way, L2TP over IPSec combines the advantages of both VPN types: it implements user authentication and address allocation through L2TP, and thereby compensates for the shortcomings of IPSec in user authentication and authorization.

Other related questions:
Pass-through ports configured for L2TP over IPSec on the USG2000 and USG5000
The pass-through ports configured for L2TP over IPSec on the USG2000 and USG5000 are as follows:
1. Port 500 is initially used for IKE negotiation. After NAT-T capability detection and NAT gateway detection are complete, the UDP port that encapsulates ISAKMP messages changes to 4500. This port is used for subsequent negotiations and data transmission.
2. L2TP is registered with UDP port 1701. However, this port is only used for initial tunnel establishment. The L2TP tunnel initiator (LAC) selects any idle port (not necessarily port 1701) to send packets to port 1701 on the receiver end; upon receiving the packets, the LNS also selects any idle port (not necessarily port 1701) to send packets to the port the LAC used. From then on, the ports of both ends are fixed and remain unchanged for the lifetime of the tunnel connection.
3. According to the L2TP over IPSec mechanism, packets are encapsulated first with L2TP and then with IPSec. Therefore, port 1701, which carries the L2TP packets, is used as the matching condition, and all encapsulated L2TP packets are transmitted over the IPSec tunnel.
Therefore, if L2TP over IPSec is configured but no NAT traversal is in use, port 500 and port 1701 are configured as pass-through ports. If NAT traversal is in use, port 500, port 4500, and port 1701 are configured as pass-through ports.
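The port behaviour described above (UDP 500, 4500 only with NAT-T, and 1701 used only for the first L2TP packet before both ends pin an idle port) can be modelled as a small stateful checker. The following is an added illustration written for this page, not the USG's own pass-through implementation; the class name, the sample addresses and the simplification that each tunnel is keyed by the LAC's source address and port are assumptions.

```python
from dataclasses import dataclass

IKE_PORT = 500          # initial IKE negotiation
IKE_NAT_T_PORT = 4500   # ISAKMP/ESP-in-UDP after NAT-T detection
L2TP_PORT = 1701        # L2TP registered port, used only for tunnel setup


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class L2tpOverIpsecPassThrough:
    """Hypothetical stateful model of the pass-through rules (simplified)."""

    def __init__(self, nat_traversal: bool):
        self.nat_traversal = nat_traversal
        # (lac_ip, lac_port) -> (lns_ip, lns_port); lns_port is None until the LNS replies
        self.tunnels = {}

    def allow(self, pkt: UdpPacket) -> bool:
        # IKE: port 500 is always needed; 4500 only when NAT traversal is in use.
        if IKE_PORT in (pkt.src_port, pkt.dst_port):
            return True
        if self.nat_traversal and IKE_NAT_T_PORT in (pkt.src_port, pkt.dst_port):
            return True
        # Tunnel setup: LAC sends from any idle port to LNS:1701; remember the LAC port.
        if pkt.dst_port == L2TP_PORT:
            self.tunnels.setdefault((pkt.src_ip, pkt.src_port), (pkt.dst_ip, None))
            return True
        # LNS reply: from any idle port back to the LAC's port; pin the LNS port on first use.
        lac_key = (pkt.dst_ip, pkt.dst_port)
        if lac_key in self.tunnels:
            lns_ip, lns_port = self.tunnels[lac_key]
            if pkt.src_ip != lns_ip:
                return False
            if lns_port is None:
                self.tunnels[lac_key] = (lns_ip, pkt.src_port)
                return True
            return pkt.src_port == lns_port   # ports stay fixed for the tunnel lifetime
        # Subsequent LAC packets must go to the pinned LNS address and port.
        lac_key = (pkt.src_ip, pkt.src_port)
        if lac_key in self.tunnels:
            lns_ip, lns_port = self.tunnels[lac_key]
            return pkt.dst_ip == lns_ip and pkt.dst_port == lns_port
        return False
```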

IPSec on the USG2000 and USG5000 series
Designed by the Internet Engineering Task Force (IETF), IPSec is an open network-layer security framework protocol. It is not a single protocol, but a collection of protocols and services that provide security for IP networks.

Method used to configure the L2TP over IPSec user address segment on the USG2000 and USG5000
The method used to configure the L2TP over IPSec user address segment on the USG2000 and USG5000 is as follows:

Configure the L2TP over IPSec user address segment using the CLI:
# Define an address pool and allocate an IP address to the dial-up user.
[LNS] aaa
[LNS-aaa] ip pool 1 10.1.1.1 10.1.1.100
# Set the user name and password (consistent with those configured on the PC of the employee on a business trip).
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit
# Allocate an address in the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit

Configure the L2TP over IPSec user address segment using the web UI:
1. Choose Network > L2TP > L2TP.
2. In Configure L2TP, select Enable and click Apply.
3. In L2TP Group List, click New.
4. Set Group Type to LNS.
5. Configure the L2TP parameters. The server address must be in the same network segment as the addresses in the address pool, so that no route needs to be configured. Peer Tunnel Name must be consistent with Local Tunnel Name configured on the LAC.
   Group Type: LNS
   Peer Tunnel Name: LAC
   Tunnel Password Authentication: Enable
   Password Type: Ciphertext
   Tunnel Password: Hello123
   Confirm Tunnel Password: Hello123
   User Group: default
   Set the user address allocation parameters as follows:
   Server Address/Subnet Mask: 10.2.1.1/255.255.255.0
   User Address Pool: 10.2.1.2-10.2.1.100
6. Click OK.

IPSec content on the USG2000 and USG5000 series
IPSec includes security protocols such as Authentication Header (AH) and Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and certain algorithms used for authentication and encryption.

Differences between static and dynamic routes on the USG2000 and USG5000 series
Static routes are easy to configure, place low demands on the system, and suit simple, stable, and small networks. Their disadvantage is that they cannot automatically adapt to network topology changes, so static routes require ongoing maintenance. Dynamic routing protocols have their own routing algorithms, so dynamic routes can automatically adapt to network topology changes and suit networks on which Layer 3 devices are deployed. Dynamic routes are more complex to configure, place higher demands on the system than static routes, and consume network and system resources.
