I’m attempting to set up an IPSEC / L2TP VPN between two Mikrotiks, and I am unsure of the desired behaviour…
Should IPSEC be encapsulated in L2TP, or should L2TP be encapsulated in IPSEC?
Forgive me if this is a stupid question, but my VPN isn’t currently encrypting all traffic as expected, and I am trying to get a better understanding of how it should work.
It depends on what you want to do I suppose. But generally you would send a L2TP connection over IPSec. E.g. the connection initiates IPSec first and then sends L2TP through it. I “suppose” you could do the other way… although I’m not sure what it buys you.
L2TP inside of IPSec is the norm. All major OSes have it (be it desktop or mobile).
So you use an L2TP tunnel, secured with IPSec in transport mode.
You can do it the other way around, as mentioned, but that would open up your L2TP server to attacks.
Using IPSec, an IPSec session needs to be established first, and only encrypted traffic is able to talk to the L2TP server (IPSec secured with a PSK and matching options set).
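Added example (not from this thread or from MikroTik): the asker’s symptom, “not all traffic is encrypted”, shows up on the wire as UDP/1701 packets that are not wrapped in ESP. This script builds a few constructed IPv4 packets the way a capture between the two routers would look and flags any L2TP seen outside IPsec; ESP (IP protocol 50) and NAT-T (UDP/4500) both count as protected.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
L2TP_PORT, IKE_PORT, NATT_PORT = 1701, 500, 4500

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (no options, checksum left zero) around payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def udp(sport, dport, data):
    """Minimal UDP header (checksum zero) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Label a raw IPv4 packet: esp, nat-t, ike, cleartext-l2tp or other."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # IP protocol number
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if L2TP_PORT in (sport, dport):
            return "cleartext-l2tp"    # L2TP that bypassed the IPsec policy
        if NATT_PORT in (sport, dport):
            return "nat-t"             # ESP encapsulated in UDP/4500
        if IKE_PORT in (sport, dport):
            return "ike"               # key exchange, expected in the clear
    return "other"

def audit(packets):
    """Return (per-class counts, True if any L2TP was seen outside IPsec)."""
    counts = {}
    for p in packets:
        label = classify(p)
        counts[label] = counts.get(label, 0) + 1
    return counts, counts.get("cleartext-l2tp", 0) > 0

# Constructed capture: IKE handshake, ESP carrying the tunnel, one leaked L2TP control packet.
SAMPLE = [
    ipv4("192.0.2.1", "198.51.100.1", IPPROTO_UDP, udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    ipv4("192.0.2.1", "198.51.100.1", IPPROTO_ESP, b"\x00" * 32),
    ipv4("192.0.2.1", "198.51.100.1", IPPROTO_UDP, udp(L2TP_PORT, L2TP_PORT, b"\xc8\x02\x00\x0c")),
]

if __name__ == "__main__":
    print(audit(SAMPLE))   # ({'ike': 1, 'esp': 1, 'cleartext-l2tp': 1}, True)
```

On a healthy L2TP/IPsec setup the only cleartext between the peers is IKE; if this check reports cleartext-l2tp, the IPsec policy for UDP/1701 is not matching the L2TP traffic.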