RA VPN using L2TP/IPsec with pre-shared key
The following figure shows how an L2TP/IPsec VPN session is established.
- The remote client first establishes an IPsec tunnel with the VPN server.
- The L2TP client and server then establish an L2TP tunnel on top of the IPsec tunnel.
- Finally, a PPP session is established on top of the L2TP tunnel, i.e., the PPP packets are encapsulated and sent/received inside the L2TP tunnel.
With this solution, user authentication (username/password) is done only at the PPP level. Data encryption is provided by the IPsec tunnel. In addition, IPsec itself requires authentication at the host level in order to provide encryption (studies have shown that an IPsec encryption-only mode, i.e. encryption without integrity protection, is not secure).
When a pre-shared key (PSK) is used with L2TP/IPsec, all remote clients must be configured with the same PSK for IPsec authentication. This presents both a security challenge and an operational challenge: a single secret is shared by every client, and whenever the key is changed, every remote client must be reconfigured. An alternative is to use L2TP/IPsec with X.509 certificates, as discussed in the next section.
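As an added example (not configuration from the page or from the product it documents), the script below generates the server-side files for the three layers described above, assuming a Linux host running strongSwan (ipsec.conf / ipsec.secrets), xl2tpd and pppd. The connection name, addresses, user name, password and PSK are constructed sample values, and the file locations are assumed. The `%any %any : PSK` line is the single shared secret the text warns about, and the ESP proposals always name an integrity algorithm, matching the note that encryption-only IPsec is not secure.

```shell
#!/bin/sh
# Added example (not the page's own configuration): generate the server-side
# files for an L2TP/IPsec remote-access VPN authenticated with a pre-shared key,
# assuming strongSwan (ipsec.conf / ipsec.secrets), xl2tpd and pppd on Linux.
# All addresses, names and secrets below are constructed sample values.
#
# Layers, matching the page: IPsec (transport mode, protects UDP/1701) ->
# L2TP tunnel (xl2tpd) -> PPP session (pppd, CHAP user authentication).

# write_l2tp_ipsec_psk_config DIR PSK USER PASSWORD
# Writes the five files into DIR (a staging directory; copy to /etc afterwards).
write_l2tp_ipsec_psk_config() {
    dir=$1; psk=$2; user=$3; pass=$4
    mkdir -p "$dir"

    # --- IPsec layer (strongSwan): transport mode around L2TP's UDP port.
    # Every esp= proposal carries an integrity algorithm; the page notes that
    # encryption-only IPsec has been shown to be insecure. The second
    # proposal in each list exists only for legacy clients; drop it if all
    # clients support the first.
    cat > "$dir/ipsec.conf" <<'EOF'
config setup
    uniqueids=no

conn l2tp-psk
    type=transport
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
    dpdaction=clear
    rekey=no
    auto=add
EOF

    # One PSK for every client (%any %any): this is the shared secret the page
    # warns about; rotating it means reconfiguring every remote client.
    cat > "$dir/ipsec.secrets" <<EOF
%any %any : PSK "$psk"
EOF
    chmod 600 "$dir/ipsec.secrets"

    # --- L2TP layer (xl2tpd): require CHAP, refuse PAP, so the PPP password
    # is never sent in clear inside the tunnel.
    cat > "$dir/xl2tpd.conf" <<'EOF'
[global]
port = 1701

[lns default]
ip range = 10.99.0.10-10.99.0.100
local ip = 10.99.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tp-ipsec-server
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

    # --- PPP layer (pppd): user authentication happens here.
    cat > "$dir/options.xl2tpd" <<'EOF'
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.99.0.1
noccp
auth
mtu 1280
mru 1280
proxyarp
lcp-echo-failure 4
lcp-echo-interval 30
connect-delay 5000
EOF

    # chap-secrets format: client  server  secret  IP addresses
    cat > "$dir/chap-secrets" <<EOF
$user  *  "$pass"  *
EOF
    chmod 600 "$dir/chap-secrets"
}

# Sanity check on a generated tree: PSK authentication must be selected, an
# ESP proposal must be present and must not use a null algorithm, and the
# L2TP server must insist on CHAP.
check_l2tp_ipsec_psk_config() {
    dir=$1
    grep -q '^ *authby=secret' "$dir/ipsec.conf" || return 1
    grep -q '^ *esp=' "$dir/ipsec.conf" || return 1
    grep -q 'null' "$dir/ipsec.conf" && return 1
    grep -q 'require chap = yes' "$dir/xl2tpd.conf" || return 1
    return 0
}

# Usage (sample values), then copy ipsec.* to /etc, xl2tpd.conf to /etc/xl2tpd/
# and the two PPP files to /etc/ppp/ as root:
#   sh this_script.sh /tmp/l2tp-staging 'ChangeMe-Sample-PSK' alice 'alice-sample-pw'
if [ "$#" -eq 4 ]; then
    write_l2tp_ipsec_psk_config "$@" && check_l2tp_ipsec_psk_config "$1"
fi
```

The generator keeps the secrets in files with mode 0600 and separates the host-level secret (the IPsec PSK) from the per-user PPP credentials, which is exactly the split the text describes: one shared key authenticates hosts to IPsec, while individual users are authenticated at the PPP level.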