[Openswan Users] L2TP IPSec with multiple customers using roadwarrior configuration

Geekman the1geekman at gmail.com
Mon Oct 3 09:18:11 EDT 2011


Hi All,

I haven't got a solid L2TP config I'm working with yet, just something
I want to verify first.

In this setup, we're wanting to be able to have multiple clients
connect in from anywhere to our VPN server. Although, our we're aiming
for a VPN concentrator, so each customer will terminate into their own
subnet, keeping things separated.

The two options I've been looking at for the "roadwarrior users" is a
PPTP setup, or L2TP. I wanted to go with L2TP \w IPSec as I'm
convinced its more secure. It seems like IPSec and L2TP can handle my
requirements in everywhere by one section: the ipsec.secrets file.

Because I want it in a road warrior configuration, I'm aware that I'd
need to specify something like:

SERVER_IP %any: "CustomerOnePSK"

However, obviously I'd want different PSKs for each customer ideally,
but that's not really going to fly unless I have different customers
connect to a different public IP on the VPN server, right?

I was considering, for about a second, just having each customer use
the PSK, but from what I understand the PSK is an encryption key, not
a password - and should not be treated as such? So this would be a
definite no.

A separate IP for each customer isn't too much of a stretch, as we'll
be doing NAT on the same server anyway. So I guess, if I am right on
the above, the deciding factor between L2TP and PPTP is really remote
end point support.

I know anything down to XP/2000 (with patch) can be supported, but I'm
wondering what the general experience is when trying to support L2TP
with IPSec vs. PPTP. I know with PPTP (at least, deployed on Windows)
has given us very few problems itself. So I guess what I'm getting at
is, would you consider L2TP to be less supported by common end-user
platforms than PPTP?

Of course, I'm not trying to say I expect there to be no issues with
it. There will always be problems.

Any input appreciated. Thanks.


More information about the Users mailing list