Forum

Looking carrefully at the CWSP study guide I do not really agree/understand the Figure 13.8 on page 304.

According to what is shown the remote user built the IPSec tunnel---> goes to the LAC----> then goes to the IPSec Gateway (?!?!)---> goes to the LNS

How is that possible ? I cannot imagine this architecture to work this way. I would rather use the IPsec Gateway after the LNS otherwise the IPSec Gateway will only see L2TP traffic... no ESP traffic or AH traffic.

My other question (still on L2TP/IPSec) is :
- Wouldn't it be the same to do IPSec/L2TP (by using routers and VPN concentrators)? Is there a strong difference ? Do the Security rules of the CWSP avoid this kind of architecture ?

To me it looks like that the L2TP/IPSec description of the guide refers to a Microsoft implementation of these protocols. A new Figure (other than the 13.8 ) would have been helpful to illustrate the explanations of the study guide.

Microsoft uses the L2TP over IPSec but in this case the LAC and the LNS are also doing the IPSec (two in one). In this precise case the LAC is a Windows OS (Client) and the LNS is typically a Windows Server.... the LAC and LNS are not routers !!! in this way it makes a big difference.
The IPSec is then used in a transport mode and the destination IP address of this frame is used by Microsoft both as the LNS,IPSec concentrator IP address.
Pages 304, 305, 306 are only valid for Microsoft embedded L2TP/IPSec (tell me if I am wrong). is quite different.

The main advantage to me for the L2TP/IPSec (in contrary of IPSec over L2TP) is that the frames exchanged during the user-level authentication are never sent in an unencrypted form.
Any information coming from P3 or the CWSP community would be helpful.

I do hope I am clear... thanks for letting me know if I should be more precise.

Regards to you all

Christophe