Before deciding to implement IPsec remote access VPNs, it is important to understand their advantages and disadvantages, as well as how they compare to other types of remote access VPN.
Some of the main advantages and disadvantages of IPsec remote access VPNs are as follows:
- IPsec can provide strong security for remote access VPN traffic.
The precise level of security offered by IPsec depends on a number of factors, including the type of Internet Key Exchange (IKE) phase 1 negotiation (main or aggressive mode), the type of IKE phase 1 authentication, the form of any preshared keys, the types and levels of security associated with any Public Key Infrastructure (PKI), the type of user authentication, the type (and key lengths) of encryption and hashing algorithms, whether Perfect Forward Secrecy (PFS) is used, and the duration of security association (SA) lifetimes. Aggressive mode combined with preshared keys is the weakest of these choices: the authentication hash derived from the preshared key is exchanged before any encryption is in place, so a passive observer can capture it and run an offline dictionary attack against the key.
L2TP/IPsec (RFC 3193) and SSL remote access VPNs offer similar security to IPsec remote access VPNs.
- Extensions to IPsec that provide additional functionality, such as IKE Extended Authentication (Xauth) and ISAKMP Configuration Method (Mode Config), are not industry standards (both were IETF drafts that were never published as RFCs), and therefore are not implemented on all operating systems or devices; this might cause some vendor interoperability issues.
L2TP/IPsec remote access VPNs, on the other hand, rely on industry (IETF) standards.
Secure Sockets Layer (SSL) versions 2 and 3 are de facto standards, and Transport Layer Security (TLS) is an industry (IETF) standard. Note that both SSL versions have since been formally deprecated by the IETF (SSL 2.0 in RFC 6176 and SSL 3.0 in RFC 7568), so a current SSL VPN deployment should negotiate only TLS.
- The Cisco VPN Client (which provides IPsec remote access VPN functionality) must be installed (and administered) on each remote access VPN client workstation.
Operating systems such as Windows 2000, Windows XP, and Mac OS X include an L2TP/IPsec remote access VPN client by default.
Clientless SSL remote access VPNs do not require the installation of specific VPN client software.
- IPsec remote access VPNs, L2TP/IPsec remote access VPNs, and SSL remote access VPNs using the Cisco SSL VPN Client give remote users roughly the same functionality they would have at their office or central site. Clientless SSL remote access VPNs, on the other hand, offer only a subset of this functionality.
- IPsec remote access VPNs provide IP unicast transport between VPN clients and gateways. L2TP/IPsec remote access VPNs, on the other hand, offer multiprotocol (IP, IPX, and so on) unicast and multicast transport between VPN clients and gateways, because L2TP tunnels PPP frames, which can carry any protocol PPP supports.
- The Cisco VPN Client allows the integration of features such as enforcement of firewall type, antivirus software type and level, and OS service pack level on client operating systems, as well as the enforcement of split-tunneling (and split-DNS) policies. Additionally, Cisco VPN Client software can be auto-updated when remote access VPN users connect to a Cisco remote access VPN gateway such as the Cisco VPN 3000 concentrator or the Cisco ASA 5500.
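As an added example (not from the original text, and not Cisco's own code), the following Python linter applies the factors listed in the first bullet above (IKE phase 1 mode, authentication type, preshared key form, algorithm strength, PFS, SA lifetimes) to a constructed Cisco IOS-style IKEv1 remote access configuration, showing a weak configuration beside a hardened one. The sample configurations, the severity thresholds and the tiny parser are this example's own assumptions; the IOS defaults it fills in for an ISAKMP policy that omits a setting (DES, SHA-1, RSA signatures, DH group 1, 86400 s) are the classic documented defaults, and `crypto isakmp aggressive-mode disable` is the IOS command that refuses aggressive mode.

```python
import re

# Thresholds are this example's own policy choices, not Cisco's.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}                 # MODP-768 / 1024 / 1536
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
MAX_IKE_LIFETIME, MAX_IPSEC_LIFETIME = 86400, 3600   # seconds
# Classic IOS defaults applied when an ISAKMP policy omits a setting.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}


def parse_config(config):
    """Minimal IOS-style parser: list of (top-level line, [indented children])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                  # blank or comment line
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())         # child of the previous header
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_ipsec_config(config):
    """Return [(severity, message)] for the weak-setting factors listed in the text."""
    blocks = parse_config(config)
    findings = []
    # IOS accepts aggressive mode unless it is explicitly disabled.
    aggressive_allowed = "crypto isakmp aggressive-mode disable" not in [h for h, _ in blocks]
    for header, children in blocks:
        if m := re.match(r"crypto isakmp policy (\d+)$", header):
            s = dict(ISAKMP_DEFAULTS)
            for child in children:                    # "encryption aes 256" -> ("encryption", "aes 256")
                key, _, value = child.partition(" ")
                s[key] = value
            pri = m.group(1)
            if s["encryption"].split()[0] in WEAK_ENCRYPTION:
                findings.append(("high", f"policy {pri}: weak encryption {s['encryption']}"))
            if s["hash"] in WEAK_HASHES:
                findings.append(("medium", f"policy {pri}: weak hash {s['hash']}"))
            if s["group"] in WEAK_DH_GROUPS:
                findings.append(("medium", f"policy {pri}: weak DH group {s['group']}"))
            if int(s["lifetime"]) > MAX_IKE_LIFETIME:
                findings.append(("low", f"policy {pri}: IKE SA lifetime {s['lifetime']}s exceeds {MAX_IKE_LIFETIME}s"))
            if s["authentication"] == "pre-share" and aggressive_allowed:
                findings.append(("high", f"policy {pri}: preshared key with aggressive mode enabled "
                                         "(PSK hash exposed to offline guessing)"))
        elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", header):
            findings.append(("medium", "wildcard preshared key: one PSK shared by every peer"))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", header):
            if set(m.group(2).split()) & WEAK_TRANSFORMS:
                findings.append(("high", f"transform-set {m.group(1)}: weak transform ({m.group(2)})"))
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", header):
            if int(m.group(1)) > MAX_IPSEC_LIFETIME:
                findings.append(("low", f"IPsec SA lifetime {m.group(1)}s exceeds {MAX_IPSEC_LIFETIME}s"))
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+)$", header):
            if not any(c.startswith("set pfs") for c in children):
                findings.append(("medium", f"dynamic-map {m.group(1)} {m.group(2)}: no PFS (set pfs) configured"))
    return findings


# Constructed sample configurations, not taken from any real device.
WEAK_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
crypto dynamic-map RA-DYN 10
 set transform-set LEGACY
"""

HARDENED_CONFIG = """\
crypto isakmp aggressive-mode disable
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 28800
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
crypto dynamic-map RA-DYN 10
 set transform-set STRONG
 set pfs group14
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(lint_ipsec_config(cfg))} finding(s)")
        for severity, message in lint_ipsec_config(cfg):
            print(f"  [{severity}] {message}")
```

Run against the constructed weak configuration the linter reports eight findings (weak cipher, hash and DH group, preshared key with aggressive mode still allowed, a wildcard PSK, a weak ESP transform set, no PFS on the dynamic crypto map, and an over-long IPsec SA lifetime); the hardened configuration produces none. The checks are deliberately simple string and regex matching on the documented IOS keywords, so a real deployment would extend the keyword sets to cover the platform's full syntax rather than trust this list as complete.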