On Mon, 17 Jan 2000, Lisa Napier wrote:

>Hi Mikael,
>
>I checked with the people doing our IPSEC interoperability 
>testing.  They've done lots of work with Win2k.
>
>The Microsoft Win2k client supports transport and tunnel mode IKE/IPsec and 
>is fully interoperable with Cisco IOS.

L2TP was co-designed by Microsoft and Cisco.  Visit
http://www.nwfusion.com/news/2000/0110vpn.html for an interesting article
about L2TP vs. 'plain' IPsec and how the other VPN vendors are reacting to
L2TP.

>
>You do NOT need to use L2TP to interoperate securely with Cisco IOS.  The 
>advantages L2TP provides are user-level authentication (via 
>PPP-CHAP/PAP/MS-CHAP) and virtual addressing (a biggie for VPN's). The 
>user-level auth is _in_addition_to the IKE authentication scheme. Also, the 
>L2TP makes configuration considerably harder.  If you are going to do L2TP 
>& IPSEC, the recommendation is to carefully review the canned policies that 
>ship with Win2k, and reference the tech tips by Microsoft.

To summarize the article I referenced, IPsec was designed for IP, whereas
L2TP extends IPsec to support any protocol, at the expense of a 10%
increase in overhead.

>
>Win2k in tunnel mode can protect a single peer or multiple hosts & subnets 
>and can terminate multiple tunnels simultaneously. It provides pre-shared 
>key, certificate, or kerberos authentication for IKE, and supports DES, 
>3DES, MD5 and SHA hash/encryption algorithms.  It's fully configurable via 
>the IPSec snap-in for Microsoft Management Console.
>

I'm interested in testing Microsoft's implementation, but that extra 10% is
going to be tough for low-bandwidth dialin users.  I expect we will use it
in emergency setups only, and rely mainly on CheckPoint's native
SecureRemote client.

>In general, someone who is not a Microsoft fan at all, nearly raved about it.
>
>But yeah, if the answer had been NO, then it would have sucked.  But the 
>answer is YES, and that doesn't suck.  ;)
>
>And yeah, I realize that I'm using Cisco IOS as the test for IPSEC 
>interoperability.  I'm Cisco centric.  It's what we've done our testing with.

You'd have a problem on your hands if it didn't interoperate with W2K :)

>
>Hope that helps,
>
>Lisa Napier
>Product Security Incident Response Team
>Cisco Systems
>http://www.cisco.com/warp/public/707/sec_incident_response.shtml
>

Chipper

------
                    Please encrypt anything important.
PGP Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x6CFA486D
