TMS zl Management and Configuration Guide ST.1.2.100916

1-65
Overview
Virtual Private Network (VPN)
L2TP over IPsec
Microsoft VPN clients use Layer 2 Tunneling Protocol (L2TP) over IPsec to
establish VPN connections. The TMS zl Module can act as the gateway for these
endpoints, giving them remote access to the private network. L2TP users must
authenticate before they are granted access; the module can authenticate them
against its local user database or an external RADIUS server.
L2TP tunnels data, but it does not encrypt or integrity-protect it. With L2TP
over IPsec, the L2TP session (which runs over UDP port 1701) is encapsulated in
and protected by IPsec, so the IPsec security association is established first
and the L2TP tunnel and its user authentication take place inside it.
See “Layer 2 Tunneling Protocol (L2TP) over IPsec Concepts” in Chapter 7:
“Virtual Private Networks.”
GRE
GRE (IP protocol number 47) is an encapsulation protocol carried directly in IP.
Its protocol type field uses Ethertype values, so it can carry almost any
protocol that Ethernet can carry, including non-IP protocols. GRE tunneling
establishes a virtual point-to-point connection between two devices across an
intervening network. When the TMS zl Module selects traffic for the GRE tunnel,
it prepends a GRE header and a new outer IP header to each packet. The outer IP
header carries the module's tunnel address as its source and the address of the
remote tunnel endpoint as its destination, so intermediate routers forward the
packet to that endpoint without examining the encapsulated packet.
Because GRE provides neither encryption nor integrity protection (the
encapsulated packet travels in clear text), configure GRE over IPsec for traffic
that requires data integrity or data privacy.
The TMS zl Module supports redundancy for GRE tunnels (as well as GRE over
IPsec VPNs).
See “Generic Routing Encapsulation (GRE) Concepts” in Chapter 7: “Virtual
Private Networks.”
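The encapsulation described above, as an added example that is not part of this guide or of the TMS zl Module's software: a Python script that builds a GRE-in-IPv4 packet the way a tunnel entry point does (outer IP header addressed to the remote endpoint, base RFC 2784 GRE header, the original packet unchanged behind it) and then decapsulates it as the exit point would. The addresses (192.0.2.1 and 198.51.100.1 as tunnel endpoints, 10.1.1.10 and 10.2.2.20 as private hosts) and the inner UDP datagram are constructed sample input. The decapsulation step also makes the security point concrete: the inner packet is parsed straight out of the outer one with no key, which is what an observer on the path can do to plain GRE and why GRE over IPsec is needed for privacy or integrity.

```python
"""GRE-in-IPv4 encapsulation and decapsulation (RFC 2784), as a worked example.

Constructed addresses: 192.0.2.1 / 198.51.100.1 are the tunnel endpoints,
10.1.1.10 / 10.2.2.20 are private hosts behind them (all documentation ranges).
"""
import socket
import struct

IPPROTO_GRE = 47            # IP protocol number carried in the outer header
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800     # GRE Protocol Type values are Ethertypes
GRE_FLAG_CHECKSUM = 0x8000  # C bit: a 4-byte checksum/reserved1 word follows

TUNNEL_LOCAL = "192.0.2.1"       # constructed: this module's tunnel address
TUNNEL_REMOTE = "198.51.100.1"   # constructed: remote tunnel endpoint


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over a header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, lengths and header checksum; return fields and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:   # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry point: prepend a GRE header and a new outer IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # C=0, reserved0=0, version=0
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(outer_packet: bytes) -> tuple:
    """Tunnel exit point: strip outer IP and GRE headers; return (outer, inner) fields."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, ptype = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:                       # low 3 bits are the GRE version
        raise ValueError("unsupported GRE version %d" % (flags_ver & 7))
    offset = 8 if flags_ver & GRE_FLAG_CHECKSUM else 4
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    return outer, parse_ipv4(gre[offset:])


def build_demo_packet() -> bytes:
    """Constructed sample: a UDP datagram between two private hosts, tunneled in GRE."""
    data = b"GET /admin HTTP/1.0\r\n"                         # constructed payload
    udp = struct.pack("!HHHH", 40000, 8080, 8 + len(data), 0)  # UDP checksum 0 = absent (IPv4)
    inner = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_UDP, len(udp) + len(data)) + udp + data
    return gre_encapsulate(inner, TUNNEL_LOCAL, TUNNEL_REMOTE)


def cleartext_visible(outer_packet: bytes, marker: bytes) -> bool:
    """An observer on the path needs no key: the inner payload is readable from the outer packet."""
    _outer, inner = gre_decapsulate(outer_packet)
    return marker in inner["payload"]


if __name__ == "__main__":
    pkt = build_demo_packet()
    outer, inner = gre_decapsulate(pkt)
    print("outer %s -> %s proto %d" % (outer["src"], outer["dst"], outer["proto"]))
    print("inner %s -> %s proto %d" % (inner["src"], inner["dst"], inner["proto"]))
    print("payload readable on the wire:", cleartext_visible(pkt, b"/admin"))
```

Only the base four-byte GRE header is handled here (with the optional checksum word skipped when the C bit is set); key and sequence-number extensions from RFC 2890 would add further words before the payload. Note that the IPv4 header checksum detects corruption, not tampering: anyone can recompute it, which is another reason integrity has to come from IPsec rather than from the tunnel headers.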
VPN Use Models
The TMS zl Module supports both site-to-site VPNs and client-to-site VPNs.
Site-to-Site VPNs
A site-to-site VPN is a tunnel between two gateway devices, such as TMS zl
Modules, routers with VPN capabilities, Unified Threat Management (UTM)
devices, or standalone VPN devices. The TMS zl Module can establish a VPN
with any IPsec gateway that supports IKEv1; the remote gateway does not need
to be another TMS zl Module.