This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP Pass through and IPSEC Site2Site on the same Sophos XG

Hi All,

I have several Sophos XGs and the older Cyberoams setup with L2TP pass through (to a Windows server) for RRAS and also setup as an IPSEC Site to Site tunnel End Point. Generally speaking, the Sophos units are connected directly to the Internet (so no NAT-T needed for connections directly to the router).

This all works and appears to quite stable.

My questions is, how does the Router know which connections are which (L2TP vs IPSec) and hence where to send the packets (to the RRAS server or to the internal IPSec tunnel). The reason I ask is that both L2TP and IPSec appear to use the same ports - 500, 4500, 1701 and ESP (Protocol 50).

I am thinking that the IPSec tunnel only uses port 500 as it is a direct connection across the Internet (no NAT), whereas the L2TP connections are probably using 4500 as the user is generally behind a firewall that does NAT.

What is your experience / thoughts?

Regards

Mike

This thread was automatically locked due to age.

Keyur over 6 years ago

Hi Michael Wallis

Header files and SPI are different for IPsec and L2TP VPN to differentiate, the HASH value can be used to define NAT-T.

Please check the article for IPsec VPN- https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security/
Cancel
Vote Up 0 Vote Down

Cancel
Michael Wallis over 6 years ago in reply to Keyur

Hi Keyur,

Excellent information - precise and exactly what I was looking for.

For anyone else looking for the low down on how IPSec works (at the packet level), I suggest you have a look at the article Keyur put forward:
https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security/

Thanks to Keyur for answering all my questions so promptly :)

Regards

Mike
Cancel
Vote Up 0 Vote Down

Cancel