OpenL2TP vs xl2tpd - which to choose?

tomfra
This will be an easy question I suppose...

I am setting up L2TP/IPSec on a Linux CentOS 5.x server, using OpenSwan. The IPSec part seems to be working already but I need to decide on the L2TP server part. Does OpenL2TP offer any significant benefits over xl2tpd and is it worth trying? I am interested in some personal experience ideally.

The L2TP solution needs to work well with Freeradius (to be set up) and work in a thousands-of-clients environment, although no more than a few hundred are expected to be online at the same time.

Your suggestions are welcome.
Software Engineer
Distinguished Expert 2018
Commented:
xl2tpd is maintained by the openswan maintainers. So I would expect that to be tested best with openswan.

I have no use for l2tpd so I haven't tested it.

Author

Commented:
Well, I have actually already installed OpenSwan with xl2tpd. But what I am somewhat worried about is how it will perform under load when there are 100+ users connected at the same time, as from what I have read at the http://www.jacco2.dds.nl/networking/openswan-l2tp.html#Road_Warrior_support website, xl2tpd may not be ideal in this situation.

However, a lot of the info on that website, as well as on other websites, seems to be rather outdated in some parts. My main problem is that I need to deploy the VPN solution on several servers (15+) so I am trying to find the almost-ideal setup as any significant change will be quite complicated once deployed.
nociSoftware Engineer
Distinguished Expert 2018
Commented:
But that is the fate of xl2tpd. It's more or less two times encryption (RC4, weak, for l2tpd, plus IPsec strong encryption); pppd wraps packets, ipsec wraps packets, the l2tpd daemon has some work...

If you can restrict the work to JUST ipsec it will scale much better.
The technology behind IPSEC stopped being new in 2003.
The only thing that changed since then is the various new encryption methods that have been added to the kernel.

Do you actually need server-to-server encryption or site-to-site? In the latter case there is a lot less effort to wrap traffic.

Author

Commented:
There will be servers to which clients, using different appliances (Windows PC, OS X, iPhone...) connect. The VPN will not be used for server to server connections. However, because of so many different client devices, pure IPSec would not work for everyone (I still have another open question about whether pure IPSec does work on the iPhone).

Are you sure the xl2tpd daemon uses RC4? Although I realize that there is a lot of overhead in this L2TP over IPSec implementation, I do not think it will be the bottleneck, as that will most likely be the relatively slow Internet connection, because the VPN will be used in a server -> client connection scenario where the client is connected via the Internet, not the local network.

I tested the speed and was surprised to get (much) better results than with OpenVPN but then again, I have no idea what it will do once there are 50+ or even 100+ users connected at the same time and have currently no viable way to test it.
nociSoftware Engineer
Distinguished Expert 2018
Commented:
According to this article: http://support.microsoft.com/kb/314831
MPPE (using RC4) is used for transport through PPP.

OpenVPN carries any packet over a TCP link. When a loss occurs TCP can sleep up to 30-120 seconds before retransmit. UDP is slightly faster, but both add 40+ bytes to any IP packet whereas IPSEC just adds about 20 max.
IPSEC just transports IP packets, so there are no assumptions about loss or whatever.

If you can measure with fewer links, say up to 20, then you can measure the amount of average traffic per link, the amount of memory in use, the amount of CPU used (using representative loads). Then you can extrapolate.
If you have that many users, maybe you shouldn't gamble on one access point and make some redundant pair of them.
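
One way to carry out the measure-then-extrapolate step described above, as an added example that is not part of the thread: fit a per-tunnel marginal cost from a few small-scale measurements and work out how many concurrent L2TP/IPSec sessions fit under a CPU and memory ceiling. The measurement figures are constructed for illustration, not from the asker's servers.

```python
"""Capacity extrapolation from small-scale L2TP/IPSec load measurements.

Added example; the sample figures are constructed, not measured values
from the thread. Measure at several tunnel counts (e.g. 0, 5, 10, 20) under a
representative per-client load, then fit a line per resource: the slope is the
marginal cost of one more tunnel, the intercept the idle baseline.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sample:
    tunnels: int     # concurrent L2TP/IPSec sessions during the measurement
    cpu_pct: float   # average total CPU utilisation (0-100) while loaded
    mem_mb: float    # resident memory of pluto + xl2tpd + pppd processes (MB)


# Constructed measurements: CPU ~ 3 + 1.0*n, memory ~ 40 + 4.0*n.
SAMPLES: List[Sample] = [
    Sample(0, 3.0, 40.0), Sample(5, 8.0, 60.0),
    Sample(10, 13.0, 80.0), Sample(20, 23.0, 120.0),
]


def fit_line(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Ordinary least squares y = a + b*x; returns (a, b)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need measurements at different tunnel counts")
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return my - b * mx, b


def predict(samples: List[Sample], tunnels: int) -> Tuple[float, float]:
    """Extrapolated (cpu_pct, mem_mb) at the given concurrent tunnel count."""
    xs = [float(s.tunnels) for s in samples]
    a_c, b_c = fit_line(xs, [s.cpu_pct for s in samples])
    a_m, b_m = fit_line(xs, [s.mem_mb for s in samples])
    return a_c + b_c * tunnels, a_m + b_m * tunnels


def max_tunnels(samples: List[Sample], cpu_limit: float, mem_limit_mb: float) -> int:
    """Largest tunnel count keeping every resource under its ceiling.

    A non-positive slope means that resource does not constrain growth.
    """
    xs = [float(s.tunnels) for s in samples]
    bounds = []
    for ys, limit in (([s.cpu_pct for s in samples], cpu_limit),
                      ([s.mem_mb for s in samples], mem_limit_mb)):
        a, b = fit_line(xs, ys)
        if b > 0:
            bounds.append(math.floor((limit - a) / b))
    return min(bounds) if bounds else -1  # -1: no resource limits growth
```

With the constructed figures, 100 concurrent sessions would need about 103% CPU, and a 70% CPU ceiling caps the box at 67 sessions well before the 1 GB memory ceiling does, which is the kind of result that tells you to add a node rather than gamble on one.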

Author

Commented:
Generally, there will be no single access point; as I mentioned, there will be several servers and the user will be able to choose which of them to connect to. If there is too much load on any server, another server can be added. However, an extra server = extra costs, so I need to find an acceptable compromise.

The servers are being already used as OpenVPN nodes and are doing a great job (considering the lower than IPSec speed) and I can say that even with 20+ simultaneous OpenVPN connections there is no CPU load problem.

I do not expect this to be worse with IPSec. My main concern has been the scalability of xl2tpd, as from what I have read, xl2tpd is not recommended for situations where there are many users, and for example on Jacco's website it is recommended to use another L2TP solution, for example the mentioned OpenL2TP.

I mainly wanted to know if there is a serious design limitation of xl2tpd that would make it a bad solution in the scenario I described. So far it is working but I will also be adding (Free)Radius authentication in the next few days.

To be honest, when I began reading about all the L2TP/IPSec implementations, I found a lot of information but very often quite inaccurate, partial at best, some even contradictory. My main experience when it comes to VPNs is mostly OpenVPN and I have to admit there is much to learn when switching to IPSec.
nociSoftware Engineer
Distinguished Expert 2018

Commented:
In general I use IPSEC, mostly to connect sites together. Some embedded systems (modems) can be limiting. Especially OpenVPN-like tunnels weigh in heavily, especially on the memory footprint.

I have seen systems that easily run ~30 IPSEC tunnels (with memory to spare) to block up with only about 10 OpenVPN connections. But memory also became critical for about the same amount of L2TPD tunnels. The modem in question only has a few MB of space though.
nociSoftware Engineer
Distinguished Expert 2018

Commented:
I have no real recommendation, I expect the asker to close the question the right way, either close / delete.
