
Difference between L2TP tunnel and IPsec tunnel


Farmoor
Apr 3, 2003
Hello
I'm quite new to VPN, but I've tried to read as much as I can on the Internet about it. Therefore I have a few questions:
1) I was under the impression that IPsec uses L2TP to tunnel data, but lately I've read that IPsec by itself creates a tunnel. Have I got it all wrong? If IPsec by itself can create a tunnel, what is the purpose of L2TP?
2) Assuming IPsec can create a tunnel, is it more secure to tunnel with L2TP, or perhaps the entire idea with L2TP is to be able to tunnel over different network protocols?
3) I've fooled around a bit with a Cisco VPN 3005 concentrator, and managed to create a connection between a client and the concentrator. I use a shared secret to authenticate. The user is stored in the internal database, and it belongs to a group. Now, I've tried to disable IPsec for this group, but then the concentrator replies: "IPsec not allowed for this group". Why does the client(?) insist on using IPsec? Because I am quite convinced that it doesn't use L2TP at all. Even if I disable L2TP, I can still connect with the client to the concentrator (as long as IPsec is enabled in the concentrator).
The client uses Cisco's free client, probably the latest version (it's new, anyhow). The concentrator has the latest software version.

I know that some of these questions may seem stupid, but remember that I'm an amateur when it comes to VPN.
 
L2TP and IPSec are two completely different protocols. They have no relation to each other except that they are both VPN protocols. IPSec has the ability to encrypt the data itself within the tunnel so it is pretty secure. I do not believe L2TP is quite as secure.
 
But as I understand it, "L2TP over IPsec" is a commonly used expression. Why is that?
 
This is when an L2TP packet is put inside an IPSEC packet. So the packet size is very large. But it means that L2TP all of a sudden becomes a lot more secure.
 
Ok, but then what is the advantage of using L2TP alone (is it just the smaller size)? Why not always use just IPsec (if this is smaller and more secure)? Or am I just way off? In other words, why does this exist (L2TP over IPsec)?
 
In my opinion, there really isn't a real advantage with L2TP over IPsec. This gets to be inefficient due to the overhead associated with both protocols. It most likely exists so that an existing L2TP VPN can co-exist with an IPsec VPN.

L2TP alone, like PPTP, has less overhead than IPsec, therefore it may be more efficient in terms of bandwidth utilization. However, it really depends on your security needs.
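The overhead the two replies above talk about (an L2TP packet put inside an IPsec packet, versus plain IPsec or plain L2TP) can be worked out per packet from the header sizes. The following is an added worked example, not code from the original thread or from Cisco: it uses the minimum on-the-wire header sizes from RFC 4303 (ESP), RFC 2661 (L2TPv2), RFC 1661 (PPP) and RFC 3948 (NAT-T), and it assumes three cipher suites, a 1000-byte inner IP packet and a 1500-byte MTU purely for illustration. It compares plain IPsec (ESP tunnel mode) with L2TP over IPsec (PPP inside L2TP inside UDP, protected by ESP in transport mode).

```python
"""Per-packet size of plain IPsec ESP tunnel mode versus L2TP over IPsec.

Added example, not from the thread. Header sizes are the on-the-wire minimums
from RFC 4303 (ESP), RFC 2661 (L2TPv2), RFC 1661 (PPP) and RFC 3948 (NAT-T);
the cipher suites, the 1000-byte inner packet and the 1500-byte MTU are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header without options
UDP_HDR = 8
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
L2TP_HDR = 6      # flags/version, tunnel ID, session ID (no optional fields)
PPP_HDR = 4       # address, control, 2-byte protocol ID (no ACFC/PFC)


@dataclass(frozen=True)
class EspSuite:
    name: str
    block: int   # padding boundary: cipher block size, or 4 for AEAD/stream modes
    iv: int      # explicit IV bytes sent in every packet
    icv: int     # integrity check value bytes


THREE_DES_SHA1 = EspSuite("3des-cbc + hmac-sha1-96", block=8, iv=8, icv=12)
AES128_CBC_SHA1 = EspSuite("aes128-cbc + hmac-sha1-96", block=16, iv=16, icv=12)
AES128_GCM = EspSuite("aes128-gcm (16-byte ICV)", block=4, iv=8, icv=16)


def esp_padding(payload_len: int, block: int) -> int:
    """ESP pads so that payload + padding + 2-byte trailer is a multiple of `block`."""
    return (-(payload_len + ESP_TRAILER)) % block


def esp_wrap(payload_len: int, suite: EspSuite) -> int:
    """Bytes on the wire after ESP protects `payload_len` bytes, outer IPv4 included."""
    pad = esp_padding(payload_len, suite.block)
    return IP_HDR + ESP_HDR + suite.iv + payload_len + pad + ESP_TRAILER + suite.icv


def esp_tunnel_size(inner_ip_len: int, suite: EspSuite) -> int:
    """Plain IPsec: the whole inner IP packet is the ESP payload (tunnel mode)."""
    return esp_wrap(inner_ip_len, suite)


def l2tp_ipsec_size(inner_ip_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """L2TP/IPsec: inner IP -> PPP -> L2TP -> UDP/1701, then ESP in transport mode.

    With NAT traversal (RFC 3948) one more UDP header wraps the ESP packet.
    """
    l2tp_payload = PPP_HDR + L2TP_HDR + UDP_HDR + inner_ip_len
    size = esp_wrap(l2tp_payload, suite)
    return size + UDP_HDR if nat_t else size


def max_inner_ip_len(mtu: int, suite: EspSuite, l2tp: bool, nat_t: bool = False) -> int:
    """Largest inner IP packet that still fits the path MTU without fragmentation."""
    for n in range(mtu, -1, -1):
        size = l2tp_ipsec_size(n, suite, nat_t) if l2tp else esp_tunnel_size(n, suite)
        if size <= mtu:
            return n
    return 0


def compare(inner_ip_len: int = 1000, mtu: int = 1500) -> dict:
    """Overhead in bytes and usable inner MTU for each suite, keyed by suite name."""
    rows = {}
    for suite in (THREE_DES_SHA1, AES128_CBC_SHA1, AES128_GCM):
        rows[suite.name] = {
            "ipsec_overhead": esp_tunnel_size(inner_ip_len, suite) - inner_ip_len,
            "l2tp_ipsec_overhead": l2tp_ipsec_size(inner_ip_len, suite) - inner_ip_len,
            "l2tp_ipsec_natt_overhead": l2tp_ipsec_size(inner_ip_len, suite, True) - inner_ip_len,
            "ipsec_inner_mtu": max_inner_ip_len(mtu, suite, l2tp=False),
            "l2tp_ipsec_inner_mtu": max_inner_ip_len(mtu, suite, l2tp=True),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:28s} " + "  ".join(f"{k}={v}" for k, v in row.items()))
```

Running it shows what the replies describe in numbers: for a 1000-byte inner packet with 3DES/SHA-1, plain ESP tunnel mode adds 56 bytes and L2TP/IPsec adds 72 (80 behind a NAT), so the L2TP layer itself costs only the UDP + L2TP + PPP headers, about 16 bytes, plus whatever extra ESP padding that shifts. The usable inner MTU on a 1500-byte path drops from 1446 to 1428 bytes with 3DES; clients that do not lower their MTU accordingly fragment every full-size packet.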
 
So if I have high security needs, but only one VPN (no need to have co-existing VPNs), there is actually no need for L2TP. I should just go with IPsec and use a good encryption algorithm and strong authentication? I'm not missing out on some key feature here?
The reason why I'm asking all of this is that I'm investigating the possibility of deploying a VPN for about 100 (max) users. I don't want to make some fundamental mistake that will require a complete remake.
The VPN will be used for classified data, so the security needs are quite high (well, it ain't NASA, but still..)

//Farmoor
 
This is purely my opinion, BTW. I don't think you need to have two different VPN protocols when IPSec seems to offer the level of security that seems to satisfy your needs. Make sure to use 128bit (TripleDES or 3DES) encryption or higher. It's just more secure than 40 bit or 56bit encryption.
 
Thank you for the information. I think I'll go for IPsec by itself then.
 