IPSEC + L2TP works ONLY WITH DOUBLE ENCRYPTION

#1
I set up an IPSEC tunnel between 2 routers. It works fine.

#2
I set up a PPTP tunnel inside the IPSEC tunnel, it works fine.
I set up an L2TP tunnel with “use encryption=yes” inside the IPSEC tunnel, it works fine.

#3
I set up an L2TP tunnel with “use encryption=no” inside the IPSEC tunnel… it connects but won’t pass any data.

I don’t need encryption with L2TP because it is inside an encrypted IPSEC tunnel already.

Why does it not work when MPPE encryption is disabled?

Any ideas?

BUMP

I’m having the same problem.

I’m using IPSec to wrap the L2TP session, so I really don’t need MPPE on the L2TP session.

How can I disable MPPE on the L2TP internal channel?

[When I set the PPP profile assigned to the L2TP server to “Protocols | no encryption” it turns off the IPSec encryption - at least that’s what you see when you go see the SAs in IPSec.]

[I’ve tried the registry hack to set it to allow weak-crypto for L2TP and then set the RoS L2TP server to use PAP/CHAP but then the sessions fail with a 734 error.]

So, again, is there a way to disable MPPE on the L2TP session? There’s simply no reason to do MPPE on the L2TP session when you’re doing IPSec on the outside.
-Greg

Anyone? Is there no way to disable MPPE on the inner tunnel in L2TP between a Windows client and a RB?
RoS v5.19, BTW.

TIA
-Greg

It doesn’t make any sense to encrypt the data twice.

Are you sure that the double encryption is really happening?

Microsoft says they don’t do double encryption:

http://technet.microsoft.com/en-us/library/cc780018(v=ws.10).aspx

If you configure the VPN connection to connect to a PPTP server, only MPPE encryption is used. If you configure the VPN connection to connect to an L2TP server, only IPSec encryption is used.

http://technet.microsoft.com/en-us/library/cc771298(v=ws.10).aspx

Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP relies on Internet Protocol security (IPsec) in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.

Regards.

Microsoft also says that you can use CHAP instead of MS-CHAPv2 if you want to be absolutely sure that MPPE is avoided:

http://technet.microsoft.com/en-us/library/cc775567(v=ws.10).aspx

You cannot use Microsoft Point-to-Point Encryption (MPPE) if CHAP is used to authenticate the connection.

Regards.
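Added example, not from this thread and not MikroTik's or Microsoft's documentation: a RouterOS PPP profile that does not request MPPE for the L2TP server, followed by the two checks that settle the "is it really encrypted twice?" question from the posts above (the PPP-level encoding of the active session, and whether IPsec SAs still exist for it). The IPsec peer and policy that wrap UDP/1701 are assumed to be configured already, as in the thread; the addresses, pool name and profile name are placeholders.

```routeros
# Added example (not from the thread). Assumes the IPsec peer/policy covering
# UDP/1701 already exists; 10.0.0.1 and l2tp-pool are constructed placeholders.
/ip pool add name=l2tp-pool ranges=10.0.0.10-10.0.0.50

# PPP profile that does not ask the client for MPPE
# (use-encryption accepts yes / no / required / default)
/ppp profile add name=l2tp-no-mppe use-encryption=no \
    local-address=10.0.0.1 remote-address=l2tp-pool
/interface l2tp-server server set enabled=yes \
    default-profile=l2tp-no-mppe authentication=mschap2

# Check 1: the ENCODING column is the PPP-level cipher negotiated with the
# client; an empty value means no MPPE on the inner L2TP session
/ppp active print detail

# Check 2: phase-2 SAs for the client must still be present while the L2TP
# session is up. If the session is up and this list is empty, the inner
# tunnel is running in the clear and the outer IPsec is not doing its job.
/ip ipsec installed-sa print
/ip ipsec policy print
```

If check 1 shows an MPPE encoding and check 2 shows live SAs for the same client, the session really is encrypted twice; if check 2 is empty, the problem is the IPsec policy match, not MPPE.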

Curious about this myself.
