You are designing a remote access solution to support sales representatives equipped with laptops, tablets, and smartphones as road warriors. Mobility, confidentiality, and integrity are your design objectives. Which of the following L2TP/IPsec VPN solutions best meets your requirements?
A. IPsec Tunnel mode and AH protocol
B. IPsec Tunnel mode and ESP protocol
C. IPsec Transport mode and AH protocol
D. IPsec Transport mode and ESP protocol
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. IPsec Transport mode and ESP protocol.
The L2TP/IPsec connection is set up in three steps, and the first two are what the answer options are really asking about:
- Negotiation of an IPsec security association (SA), typically through Internet Key Exchange (IKE). IKE runs over UDP port 500 (and switches to UDP port 4500 when it detects a NAT between the peers), first authenticates the two ends and sets up its own SA, then negotiates the IPsec SA that ESP will use. The peers are commonly authenticated with a pre-shared key (PSK), raw public keys, or X.509 certificates on both ends, although other keying methods exist.
- Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (AH is 51; compare TCP's 6 and UDP's 17). At this point a secure channel exists between the two hosts, but no tunneling is taking place yet.
- Negotiation and establishment of the L2TP tunnel between the SA endpoints. The negotiation of parameters takes place over the SA's secure channel, inside the IPsec encryption. L2TP uses UDP port 1701, and the PPP session it carries is what finally tunnels the client's IP traffic.
This is why D is the fitting combination. ESP is the only one of the two IPsec protocols that provides confidentiality; AH gives origin authentication and integrity but sends the payload in the clear, so it cannot meet the confidentiality objective on its own. Transport mode is sufficient because L2TP already supplies the tunnel: IPsec only has to protect the host-to-host L2TP datagrams, and tunnel mode would add a second, redundant outer IP header to every packet. For road warriors there is a further practical reason to avoid AH: its integrity check covers the outer IP header, so it breaks behind the NAT gateways found in hotels and home networks, whereas ESP can be carried through NAT with NAT traversal (UDP-encapsulated ESP on port 4500).
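The three packet shapes behind the answer options, as an added Python model that is not part of the original post and is not real IPsec code: it builds AH-transport, ESP-transport and ESP-tunnel packets around a constructed L2TP datagram using a simplified AH/ESP (HMAC-SHA-256-96 ICV, a toy keystream standing in for the cipher, IP checksums left zero), then checks which payload stays confidential, which integrity check survives a NAT rewriting the source address, and how much the unneeded tunnel-mode header costs. The key, SPI, addresses and L2TP bytes are constructed assumptions; the protocol numbers and ports are the real ones from the steps above.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 17, 50, 51
UDP_IKE, UDP_NATT, UDP_L2TP = 500, 4500, 1701
KEY = b"constructed-demo-key"  # assumption: one key for ICV and keystream (a real SA keys them separately)
SPI = 0x1000                   # assumption: the SPI agreed during IKE

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 to keep the model short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icv(data):
    """HMAC-SHA-256 truncated to 96 bits, the usual IPsec ICV size."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def keystream(seq, n):
    """Toy counter-mode keystream for the model; a real SA uses AES-GCM or AES-CBC."""
    blocks = (hashlib.sha256(KEY + struct.pack("!III", SPI, seq, c)).digest() for c in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def ah_transport(src, dst, seq, l2tp):
    """AH transport: IP | AH | UDP(L2TP). Payload stays in cleartext; the ICV also
    covers the IP header with mutable fields zeroed (here: the TTL)."""
    payload = udp(UDP_L2TP, UDP_L2TP, l2tp)
    ah_fixed = struct.pack("!BBHII", IPPROTO_UDP, 24 // 4 - 2, 0, SPI, seq)  # 24-byte AH: 12 fixed + 96-bit ICV
    ip_for_icv = ipv4_header(src, dst, IPPROTO_AH, 24 + len(payload), ttl=0)
    mac = icv(ip_for_icv + ah_fixed + bytes(12) + payload)
    return ipv4_header(src, dst, IPPROTO_AH, 24 + len(payload)) + ah_fixed + mac + payload

def verify_ah(pkt):
    ip, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    ip_zeroed = ip[:8] + b"\x00" + ip[9:]  # byte 8 is the TTL
    return hmac.compare_digest(icv(ip_zeroed + ah_fixed + bytes(12) + payload), mac)

def esp_packet(src, dst, seq, inner, next_header):
    """ESP: IP | SPI, seq | encrypted(inner + pad + pad_len + next_header) | ICV.
    The ICV covers only the ESP header and ciphertext, never the outer IP header."""
    pad_len = (-(len(inner) + 2)) % 4
    plain = inner + bytes(pad_len) + bytes([pad_len, next_header])
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(seq, len(plain))))
    body = struct.pack("!II", SPI, seq) + cipher
    return ipv4_header(src, dst, IPPROTO_ESP, len(body) + 12) + body + icv(body)

def esp_transport(src, dst, seq, l2tp):
    """Transport mode protects the UDP/L2TP datagram itself (next header 17)."""
    return esp_packet(src, dst, seq, udp(UDP_L2TP, UDP_L2TP, l2tp), IPPROTO_UDP)

def esp_tunnel(src, dst, seq, inner_src, inner_dst, l2tp):
    """Tunnel mode wraps a whole inner IP packet (next header 4 = IPv4)."""
    payload = udp(UDP_L2TP, UDP_L2TP, l2tp)
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(payload)) + payload
    return esp_packet(src, dst, seq, inner, IPPROTO_IPIP)

def open_esp(pkt):
    """Check the ICV, then decrypt: returns (next_header, inner bytes) or None."""
    body, mac = pkt[20:-12], pkt[-12:]
    if not hmac.compare_digest(icv(body), mac):
        return None
    seq = struct.unpack("!I", body[4:8])[0]
    plain = bytes(a ^ b for a, b in zip(body[8:], keystream(seq, len(body) - 8)))
    pad_len, nh = plain[-2], plain[-1]
    return nh, plain[:len(plain) - 2 - pad_len]

def nat_rewrite_source(pkt, new_src):
    """What a hotel or home NAT does to the road warrior's packets: rewrite the source."""
    return pkt[:12] + bytes(map(int, new_src.split("."))) + pkt[16:]

def classify(pkt):
    """Map a packet seen on the wire to the phase of the setup sequence it belongs to."""
    proto = pkt[9]
    if proto == IPPROTO_AH:
        return "AH (IP proto 51)"
    if proto == IPPROTO_ESP:
        return "ESP (IP proto 50)"
    if proto == IPPROTO_UDP:
        dport = struct.unpack("!H", pkt[22:24])[0]
        return {UDP_IKE: "IKE (UDP 500)", UDP_NATT: "IKE NAT-T / UDP-encapsulated ESP (UDP 4500)",
                UDP_L2TP: "L2TP in the clear (UDP 1701): not protected by IPsec"}.get(dport, "other UDP")
    return "other"

def compare_options(l2tp=b"L2TP control message (constructed)"):
    """Build each candidate, push it through a NAT and report what the designer cares about."""
    src, dst, nat = "10.0.0.2", "203.0.113.1", "198.51.100.7"  # constructed addresses
    ah, esp_t = ah_transport(src, dst, 1, l2tp), esp_transport(src, dst, 1, l2tp)
    esp_tun = esp_tunnel(src, dst, 1, src, "192.0.2.10", l2tp)
    return {"ah_confidential": l2tp not in ah, "esp_confidential": l2tp not in esp_t,
            "ah_survives_nat": verify_ah(nat_rewrite_source(ah, nat)),
            "esp_survives_nat": open_esp(nat_rewrite_source(esp_t, nat)) is not None,
            "tunnel_extra_bytes": len(esp_tun) - len(esp_t)}

if __name__ == "__main__":
    for k, v in compare_options().items():
        print(f"{k:>20}: {v}")
```

Two caveats the model makes visible. The ESP next-header byte that distinguishes transport from tunnel mode sits inside the encrypted trailer, so a firewall or IDS sees protocol 50 either way and cannot tell the modes apart; only the extra 20 bytes per packet hint at tunnel mode. And while the ESP ICV survives the NAT rewrite here, a real NAT also needs a transport-layer port to map, which raw ESP does not have; that is why IKE detects the NAT and falls back to UDP-encapsulated ESP on port 4500.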