At the Microsoft Federal Security Conference last year, Microsoft had a
presentation on L2TP and IPsec.  L2TP does use an IPsec encryption scheme
but does not provide a virtual connection in the same sense as SSH.

SSH allows you to establish a secure communication path to the target
system.  It only affects packets destined for the target system, i.e. you
retain connectivity to your local network and access to your local network
resources.

L2TP, on the other hand, "binds" you to the target system.  Although the
local network is used as a transport medium, you are, effectively, no
longer connected to the local network.  You lose access to any NFS or SMB
file systems that you may have been using before establishing the L2TP
connection.  The network resources available to you are those provided by
the target system.

The presentation did go into great detail about the differences between
L2TP and "conventional" IPsec virtual circuits.  My impression was that,
initially, Windows 2000 would only provide the L2TP capability; however,
this may have been a function of tailoring the presentation for the DoD
attendees.

Merton Campbell Crockett



On Mon, 17 Jan 2000, Mikael Olsson wrote:

> 
> Hi,
> 
> I was previously of the view "Great! IPsec in Win2K - now we won't
> have to install separate clients in all PCs!", but I'm having
> doubts.
> 
> (Note: This is not MS-bashing. I'm just a concerned netizen)
> 
> Relevant excerpts from 
> http://www.microsoft.com/WINDOWS2000/guide/server/solutions/vpn.asp
> 
> "Integrating L2TP with IPSec encryption provides a very secure, end-to-end,
> standards-based solution for remote networking clients."
> 
> Ehm. Is this just me, or are they glossing over the fact that L2TP is
> not very widely deployed? Okay, it _is_ "standards-based", but we're
> still talking widely deployed here.
> 
> "This adherence to Internet standards allows greater interoperability 
> across standards-compliant systems, providing user authenticity, privacy, 
> and data integrity."
> 
> Ehm.. User authentication is not a part of IPsec yet, if my memory
> serves me? (There IS a draft, but that's nowhere near final, right?) 
> Is this L2TP magic again?
> 
> So, to the core of the question:
> 
> Does anyone know if it's possible to run Win2K in IPsec-only mode, 
> so that Win2K clients can connect via "normal" IPsec gateways?
> 
> and,
> 
> If not, doesn't that suck big time? =P 
> 
> Hmm, no, don't answer the last one if the answer is "yes". Rather,
> if IPsec-only is impossible and you feel that it's great,
> I'd really rather know WHY it's great?
> 
> TIA
> 
> /Mike
> 
> -- 
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
> Mobile: +46 (0)70 248 00 33
> WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

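The routing difference Merton describes (SSH protects only packets for the target host and leaves the LAN routes alone; a full L2TP tunnel takes over the default route, so local NFS/SMB servers are no longer reached via the LAN) can be made concrete with a small longest-prefix-match routing model. This is an added example, not code from the thread or from Microsoft; all addresses are constructed sample values, and the two route tables model the behaviour stated in the message above rather than any particular client's actual configuration:

```python
import ipaddress

# Constructed sample addressing for the illustration (not from the thread).
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # the client's own LAN
LOCAL_GW = "192.168.1.1"                              # LAN default gateway
NFS_SERVER = "192.168.1.50"                           # NFS/SMB server on the LAN
VPN_SERVER = "203.0.113.10"                           # target system / tunnel endpoint
REMOTE_NET = ipaddress.ip_network("10.0.0.0/8")       # network behind the target
REMOTE_HOST = "10.1.2.3"
INTERNET_HOST = "198.51.100.7"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "unreachable"


def ssh_style_table():
    """SSH (per-host secure channel): only packets for the target host are
    protected; the ordinary LAN and default routes stay in place."""
    return [
        (ipaddress.ip_network(VPN_SERVER + "/32"), "ssh-channel"),
        (LOCAL_LAN, "eth0"),
        (DEFAULT, "eth0 via " + LOCAL_GW),
    ]


def l2tp_full_tunnel_table():
    """L2TP/IPsec as described in the message: the tunnel becomes the default
    route, so everything is sent to the remote side.  The /32 host route for
    the tunnel endpoint must stay on the physical interface, otherwise the
    encapsulated (outer) packets would themselves be routed into the tunnel."""
    return [
        (ipaddress.ip_network(VPN_SERVER + "/32"), "eth0 via " + LOCAL_GW),
        (REMOTE_NET, "l2tp-tunnel"),
        (DEFAULT, "l2tp-tunnel"),
    ]


def next_hops(table):
    """Where each sample destination would be sent under the given table."""
    return {name: lookup(table, dst) for name, dst in [
        ("nfs_server", NFS_SERVER),
        ("vpn_server", VPN_SERVER),
        ("remote_host", REMOTE_HOST),
        ("internet_host", INTERNET_HOST),
    ]}


def lost_local_resources(table):
    """Local-LAN hosts whose traffic the table would push into the tunnel,
    i.e. the NFS/SMB resources that become unreachable after connecting."""
    probes = {"nfs_server": NFS_SERVER, "local_gateway": LOCAL_GW}
    return sorted(name for name, dst in probes.items()
                  if lookup(table, dst).startswith("l2tp"))


if __name__ == "__main__":
    for label, table in [("ssh", ssh_style_table()),
                         ("l2tp", l2tp_full_tunnel_table())]:
        print(label, next_hops(table), "lost:", lost_local_resources(table))
```

Running it shows the NFS server reached over eth0 under the SSH-style table but sent into the tunnel under the full-tunnel table, which is exactly the "you lose access to any NFS or SMB file systems" effect; the explicit host route for the tunnel endpoint is the one entry that must survive for the tunnel itself to keep working.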