I’ve noticed a disturbing trend among ISA firewall admins to use IPSec tunnel mode for configuring site to site VPNs, instead of using the preferred method, L2TP/IPSec. I understand the reasons why ISA firewall admins might want to use IPSec tunnel mode:
- IPSec tunnel mode is perceived to be easier to configure, because admins assume that the only way to secure an IPSec tunnel mode site-to-site VPN is with pre-shared keys, and that machine certificates are required for L2TP/IPSec. This perception is incorrect — you can use pre-shared keys for L2TP/IPSec as well (although this is not recommended)
- IPSec tunnel mode is also perceived to be easier because you don’t have to understand the complexities of demand-dial interface naming conventions and account creation, which you do need to understand for L2TP/IPSec. This perception is correct — understanding interface naming conventions and demand-dial interface accounts is complex and can be confusing
- IPSec tunnel mode is perceived to be more secure, since "hardware" firewalls use this method instead of L2TP/IPSec. This perception is incorrect — L2TP/IPSec is more secure than IPSec tunnel mode.
While I appreciate the above, here’s a very useful fact regarding IPSec tunnel mode compared to PPTP and L2TP/IPSec:
"In a site-to-site VPN, there are two main choices from a performance and capacity perspective. One choice is using either PPTP or L2TP over IPsec. These protocols provide compression of the application traffic, which doubles the throughput that can be transferred through the site-to-site link. For example, sending a 2-MB file through a PPTP or L2TP tunnel will actually pass only 1 MB. The other choice is using IPsec tunneling, which does not incorporate compression. So in effect, PPTP and L2TP over IPsec save site-to-site throughput by 50 percent, as compared to IPsec tunneling."
–From the Best Practices for Performance in ISA Server 2004 at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx
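The quoted 2:1 figure comes from PPP-layer compression (PPTP and L2TP/IPSec can negotiate MPPC; IPSec tunnel mode has no compression stage). The saving therefore depends on how compressible the traffic is, which the quoted text does not show. The following is an added example, not ISA Server or Microsoft code: it uses zlib as a stand-in for MPPC (an assumption; both are LZ-style, but exact ratios differ), ignores tunnel framing overhead, and compares the bytes that would cross the link for a constructed text-like payload and for a constructed random payload, which behaves like an already-encrypted or already-compressed file.

```python
"""Compare link bytes for an uncompressed IPSec tunnel versus a PPP-compressed
tunnel (PPTP or L2TP/IPSec) on payloads of differing compressibility.

Added example; assumptions:
- zlib stands in for MPPC (not the real PPP compressor).
- Only payload bytes are counted; tunnel/IP/ESP framing is ignored.
"""
import random
import zlib
from dataclasses import dataclass


@dataclass
class LinkEstimate:
    payload_bytes: int
    ipsec_tunnel_bytes: int  # IPSec tunnel mode: payload goes over as-is
    ppp_tunnel_bytes: int    # PPTP / L2TP-over-IPSec with PPP compression

    @property
    def saving(self) -> float:
        """Fraction of link capacity saved by the compressed tunnel."""
        return 1 - self.ppp_tunnel_bytes / self.payload_bytes


def estimate(payload: bytes) -> LinkEstimate:
    """Estimate bytes on the wire for both tunnel types."""
    compressed = zlib.compress(payload, 6)
    # A PPP compressor sends the frame uncompressed when compression would
    # not help, so the compressed tunnel never costs more than the clear one.
    ppp = min(len(compressed), len(payload))
    return LinkEstimate(len(payload), len(payload), ppp)


def build_samples() -> dict:
    """Constructed sample payloads, about 100 KB each."""
    # Highly redundant, text-like traffic (repeated HTTP request lines).
    text_like = b"GET /reports/quarterly.xlsx HTTP/1.1\r\nHost: intranet\r\n" * 2000
    # Pseudo-random bytes stand in for encrypted or pre-compressed content.
    random_like = random.Random(1234).randbytes(100_000)
    return {"text": text_like, "random": random_like}


def report() -> dict:
    """Return {sample name: LinkEstimate} for the constructed samples."""
    return {name: estimate(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, est in report().items():
        print(f"{name:7s} payload={est.payload_bytes:7d}  "
              f"ipsec={est.ipsec_tunnel_bytes:7d}  ppp={est.ppp_tunnel_bytes:7d}  "
              f"saving={est.saving:.1%}")
```

The text-like sample shrinks far more than the 50 percent quoted above, while the random sample shows no saving at all: if the traffic across the site-to-site link is mostly encrypted or already-compressed files, the capacity argument for PPTP or L2TP/IPSec largely disappears, and the security argument is what remains.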
So, the next time you consider the VPN protocol of choice for site to site VPNs, keep in mind that if you go with IPSec tunnel mode, not only are you using the less secure solution, you’re also cutting your users’ effective bandwidth in half.
Thomas W Shinder, M.D.
MVP — ISA Firewalls