Vyatta NOS documentation


RA VPN using L2TP/IPsec with pre-shared key

The following figure shows how an L2TP/IPsec VPN session is established.

Figure 1. Remote access VPN-L2TP/IPsec with pre-shared key
  1. The remote client first establishes an IPsec tunnel with the VPN server.
  2. The L2TP client and server then establish an L2TP tunnel on top of the IPsec tunnel.
  3. Finally, a PPP session is established on top of the L2TP tunnel, i.e., the PPP packets are encapsulated and sent/received inside the L2TP tunnel.

With this solution, user authentication (username and password) is done only at the PPP level. Data encryption is provided by the IPsec tunnel. IPsec, however, will not bring up an encrypted tunnel without first authenticating the peers at the host level, because encryption-only IPsec (ESP without integrity protection) has been shown to be insecure. Host-level authentication is therefore required in addition to the PPP user authentication, and it is performed with either a pre-shared key or an X.509 certificate.

When a pre-shared key is used with L2TP/IPsec, all remote clients must be configured with the same PSK for IPsec host authentication. This presents both a security challenge and an operations challenge: any client (or anyone who recovers the key from a client device) holds the secret that every other client uses, and when the key is changed, every remote client must be re-configured. An alternative is to use L2TP/IPsec with X.509 certificates, as discussed in the next section.
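The following configuration is an added example of the layering described above, not a configuration taken from the original page: the IPsec host-level authentication is the pre-shared secret, and the PPP user-level authentication is the local user database. The node names follow the `vpn l2tp remote-access` tree of the Vyatta Core / VyOS lineage; newer Vyatta NOS releases prefix this tree with `security` (`set security vpn ...`), so check the command reference for your release before pasting. The interface name, addresses, secret, and username are placeholders chosen for the example.

```text
# --- IPsec layer (host-level authentication and encryption) ---
# Interface on which the server accepts IKE/ESP from remote clients (placeholder)
set vpn ipsec ipsec-interfaces interface eth0
# Most remote clients sit behind NAT; allow NAT-T from any source network
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

# Public address the clients connect to (RFC 5737 example address)
set vpn l2tp remote-access outside-address 192.0.2.1

# Host-level authentication: the single PSK that every client must carry.
# This is the shared-secret weakness discussed above; rotating it means
# reconfiguring every client.
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'replace-with-a-long-random-secret'

# --- PPP layer (user-level authentication, carried inside L2TP inside IPsec) ---
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username alice password 'alice-password'

# Addresses handed to PPP sessions and a resolver for the clients (placeholders)
set vpn l2tp remote-access client-ip-pool start 10.255.0.10
set vpn l2tp remote-access client-ip-pool stop 10.255.0.100
set vpn l2tp remote-access dns-servers server-1 10.0.0.53

commit
save
```

The two authentication statements map directly onto the figure: `ipsec-settings authentication` is what the client must satisfy in step 1 before any L2TP traffic is accepted, and `authentication local-users` is checked in step 3 when the PPP session negotiates. A client that knows the PSK but has no PPP account can still complete step 1 and reach the L2TP listener, which is one reason the PSK should be treated as a credential rather than a static setting.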