
To mitigate the impact of the pandemic of COVID-19, your company decides to have half of the employees work from home (WFH), who have to connect to the VPN server using L2TP/IPsec to access the intranet resources securely. Which of the following is the best configuration required to support the WFH initiative? (Wentz QOTD)
A. AH
B. ESP
C. Tunnel mode
D. Network Address Translation-Traversal (NAT-T)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. ESP.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

All four options in this question are essential to provisioning IPsec services, but we have to select the best and required configuration. As our security objective is to access intranet resources securely, we have to enforce confidentiality, integrity, and availability. ESP enforces confidentiality and integrity of data in transit; specifically, ESP not only encrypts but also authenticates packets.
IPsec is a framework in which a suite of protocols (e.g., AH, ESP, and IKE) collaborates to provide security services. AH basically enforces integrity but not confidentiality, and it is not a mandatory requirement for IPsec implementations. In other words, AH authenticates but doesn't encrypt packets.
Both tunnel mode and transport mode are about how packets are encapsulated. Even though tunnel mode is commonly implemented, the mode by itself doesn't protect data in transit. Moreover, it's feasible for enterprises to implement a virtual desktop infrastructure (VDI) server that is hardened to provide VPN service and can be accessed through transport mode.
NAT devices are ubiquitous. Network Address Translation-Traversal (NAT-T) is crucial and should be supported on both sides of the VPN peers. However, this question focuses on the server configuration and doesn't mention whether the VPN server is deployed behind a NAT device.
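To make the AH/ESP distinction in the reasoning above concrete, here is an added Python model (my illustration, not the post's own code and not a real IPsec implementation): AH authenticates the IP header plus a cleartext payload, so a NAT rewriting the source address breaks its integrity check, while ESP encrypts the payload and authenticates only the ESP header and ciphertext, so it survives the rewrite. The key, addresses and request line are constructed, and SHA-256 in counter mode stands in for AES.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the SA key that IKE would negotiate

def icv(data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA256 truncated to 96 bits, as IPsec does."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def keystream(spi: int, seq: int, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for AES; not real IPsec crypto."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def ah_protect(src: str, dst: str, payload: bytes) -> dict:
    """AH leaves the payload in the clear; its ICV also covers the immutable IP header fields."""
    return {"src": src, "dst": dst, "payload": payload, "icv": icv(src.encode() + dst.encode() + payload)}

def ah_verify(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(pkt["src"].encode() + pkt["dst"].encode() + pkt["payload"]))

def esp_protect(src: str, dst: str, spi: int, seq: int, payload: bytes) -> dict:
    """ESP encrypts the payload; its ICV covers only the ESP header (SPI, sequence) and ciphertext."""
    hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    ct = bytes(a ^ b for a, b in zip(payload, keystream(spi, seq, len(payload))))
    return {"src": src, "dst": dst, "hdr": hdr, "ct": ct, "icv": icv(hdr + ct)}

def esp_open(pkt: dict):
    """Verify the ICV first, then decrypt; returns None on an integrity failure."""
    if not hmac.compare_digest(pkt["icv"], icv(pkt["hdr"] + pkt["ct"])):
        return None
    spi, seq = int.from_bytes(pkt["hdr"][:4], "big"), int.from_bytes(pkt["hdr"][4:], "big")
    return bytes(a ^ b for a, b in zip(pkt["ct"], keystream(spi, seq, len(pkt["ct"]))))

def nat(pkt: dict, public_ip: str) -> dict:
    return {**pkt, "src": public_ip}  # a NAT device rewrites the source address in flight

def demo() -> dict:
    msg = b"GET /intranet/ HTTP/1.1"  # constructed request from a WFH client
    ah = ah_protect("192.168.1.10", "203.0.113.5", msg)
    esp = esp_protect("192.168.1.10", "203.0.113.5", 0x1001, 1, msg)
    return {
        "ah_ok_without_nat": ah_verify(ah),                               # True
        "ah_ok_behind_nat": ah_verify(nat(ah, "198.51.100.7")),           # False: header was rewritten
        "ah_payload_in_clear": ah["payload"] == msg,                      # True: AH never encrypts
        "esp_payload_in_clear": esp["ct"] == msg,                         # False: ESP encrypts
        "esp_ok_behind_nat": esp_open(nat(esp, "198.51.100.7")) == msg,   # True: outer header not covered
    }
```

The model shows why ESP is the option that delivers both confidentiality and integrity, and why NAT-T (UDP encapsulation of ESP) is what lets that protected packet cross the NAT devices the post mentions.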
To mitigate the impact of the COVID-19 pandemic, your company decides to have half of the employees work from home (WFH), who have to connect to the VPN server using L2TP/IPsec to access the intranet resources securely. Which of the following is the best configuration required to support the WFH initiative? (Wentz QOTD)
A. AH
B. ESP
C. Tunnel mode
D. Network Address Translation-Traversal (NAT-T)