tomfra (Czechia) asked:
OpenL2TP vs xl2tpd - which to choose?

This will be an easy question I suppose...

I am setting up L2TP/IPSec on a Linux CentOS 5.x server, using OpenSwan. The IPSec part seems to be working already but I need to decide on the L2TP server part. Does OpenL2TP offer any significant benefits over xl2tpd and is it worth trying? I am interested in some personal experience ideally.

The L2TP solution needs to work well with Freeradius (to be set up) and work in an environment with thousands of clients, although no more than a few hundred are expected to be online at the same time.

Your suggestions are welcome.
Accepted solution by noci (content available to Experts Exchange members only).

Solution (content available to Experts Exchange members only).
tomfra (asker):
Well, I have actually already installed OpenSwan with xl2tpd. But what I am somewhat worried about is how it will perform under load when there are 100+ users connected at the same time, as from what I have read at the http://www.jacco2.dds.nl/networking/openswan-l2tp.html#Road_Warrior_support website, xl2tpd may not be ideal in this situation.

However, a lot of the info on that website, as well as on other websites, seems to be rather outdated in some parts. My main problem is that I need to deploy the VPN solution on several servers (15+) so I am trying to find the almost-ideal setup as any significant change will be quite complicated once deployed.
Solution (content available to Experts Exchange members only).
tomfra (asker):
There will be servers to which clients, using different appliances (Windows PC, OS X, iPhone...) connect. The VPN will not be used for server to server connections. However, because of so many different client devices, pure IPSec would not work for everyone (I still have another open question about whether pure IPSec does work on the iPhone).

Are you sure the xl2tpd daemon uses RC4? Although I realize that there is a lot of overhead in this L2TP over IPSec implementation, I do not think it will be the bottleneck, as that will most likely be the relatively slow Internet connection, because the VPN will be used in a server -> client connection scenario where the client is connected via Internet, not local network.

I tested the speed and was surprised to get (much) better results than with OpenVPN but then again, I have no idea what it will do once there are 50+ or even 100+ users connected at the same time and have currently no viable way to test it.
Solution (content available to Experts Exchange members only).
tomfra (asker):
Generally, there will be no single access point; as I mentioned, there will be several servers and the user will be able to choose which of them to connect to. If there is too much load on any server, another server can be added. However, extra server = extra costs, so I need to find an acceptable compromise.

The servers are already being used as OpenVPN nodes and are doing a great job (considering the lower than IPSec speed) and I can say that even with 20+ simultaneous OpenVPN connections there is no CPU load problem.

I do not expect this to be worse with IPSec. My main concern has been the scalability of xl2tpd as from what I have read, xl2tpd is not recommended for situations when there are many users and for example on Jacco's website it is recommended to use another L2TP solution - for example the mentioned OpenL2TP.

I mainly wanted to know if there is a serious design limitation of xl2tpd that would make it a bad solution in the scenario I described. So far it is working but I will also be adding (Free)Radius authentication in the next few days.

To be honest, when I began reading about all the L2TP/IPSec implementations, I found a lot of information but very often quite inaccurate, partial at best, some even contradictory. My main experience when it comes to VPNs is mostly OpenVPN and I have to admit there is much to learn when switching to IPSec.
noci:

In general I use IPSEC, mostly to connect sites together. Some embedded systems (modems) can be limiting. Especially OpenVPN-like tunnels weigh in heavily, especially on the memory footprint.

I have seen systems that easily run ~30 IPSEC tunnels (with memory to spare) to block up with only about 10 OpenVPN connections. But memory also became critical for about the same amount of L2TPD tunnels. The modem in question only has a few MB of space though.
I have no real recommendation; I expect the asker to close the question the right way, either close or delete.