2.1.5 L2TP/PPTP (Page 3 of 3)

Cisco intended L2TP as a replacement for PPTP because it did not care for some of the features (or rather, the lack of features) in PPTP. L2TP combines the best features of PPTP and Cisco's L2F protocol, which was designed to facilitate tunneling over a variety of media and lower-level protocols such as frame relay and ATM, in addition to the IP-based tunneling supported by PPTP. L2TP supports PAP, CHAP, MS-CHAP and other authentication protocols.

As opposed to PPTP, whose client access is normally implemented by software running on individual desktops, L2TP clients most commonly connect to their VPN through a special hardware device that handles the L2TP tunneling. While Windows 2000 is quite capable of supporting L2TP natively, many firms don't want to consume server resources with L2TP.

Additionally, with L2TP, the server side generally chooses the endpoint of the communication, a situation known as compulsory tunneling (in contrast to PPTP, where the endpoint is normally left up to the client). This scenario lends itself to the construction of hierarchically routed networks, which gradually concentrate VPN traffic over fewer but higher-bandwidth lines for more efficient transmission over a long haul [151].

IPSec is the preferred encryption mechanism used in conjunction with L2TP, but sometimes 40- or 56-bit DES may be used as well. L2TP and L2F use UDP port 1701 for communication on the source and destination hosts, so if you are passing L2TP through a firewall, you need to ensure that port is open.
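The firewall point above can be checked mechanically. The following is an added example, not part of the original CertiGuide text: it reads a Linux iptables-save dump and reports whether inbound UDP 1701 is blocked, open to cleartext L2TP, or admitted only when it arrived under IPsec protection (the preferred pairing named above). The choice of iptables and its "-m policy" match is an assumption, the function name audit_l2tp is hypothetical, and the rulesets are constructed.

```python
import shlex

L2TP_PORT = 1701             # UDP port the page gives for L2TP and L2F
CLASSES = ("none", "ipsec")  # values accepted by iptables' "-m policy --pol"

# Constructed iptables-save excerpts (sample data, not from the page).
CLEARTEXT_RULES = """:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
"""
IPSEC_RULES = """:INPUT DROP [0:0]
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
"""

def _val(tok, name):         # token following option `name`, or None
    return tok[tok.index(name) + 1] if name in tok[:-1] else None

def _covers(spec, port):
    """True if a numeric --dport value ('1701' or '1000:2000') includes port."""
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    return low <= port <= (int(hi) if hi else 65535 if sep else low)

def audit_l2tp(ruleset, chain="INPUT"):
    """Return 'blocked', 'ipsec-only' or 'cleartext-allowed' for inbound UDP 1701.
    Covers rules naming the port and bare catch-alls; source, interface and negated matches are skipped."""
    default, fate = "ACCEPT", {}   # fate: packet class -> first deciding target
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:      # policy line, ":INPUT DROP [0:0]"
            default = tok[1]
        target = _val(tok, "-j")
        if tok[:2] != ["-A", chain] or "!" in tok or \
                target not in ("ACCEPT", "DROP", "REJECT"):
            continue                            # LOG etc. do not end traversal
        dport = _val(tok, "--dport")
        if {t for t in tok[2:] if t.startswith("-")} <= {"-j", "--reject-with"}:
            hit = CLASSES                       # catch-all such as "-A INPUT -j DROP"
        elif _val(tok, "-p") == "udp" and dport and _covers(dport, L2TP_PORT):
            pol = _val(tok, "--pol")
            hit = (pol,) if pol else CLASSES    # no policy match: both classes
        else:
            continue
        for cls in hit:
            fate.setdefault(cls, target)        # first matching rule wins
    for cls in CLASSES:
        fate.setdefault(cls, default)           # undecided classes get the policy
    return ("cleartext-allowed" if fate["none"] == "ACCEPT" else
            "ipsec-only" if fate["ipsec"] == "ACCEPT" else "blocked")
```

A result of "cleartext-allowed" means the port is open as the text requires, but L2TP would also be accepted without the IPsec protection the text recommends.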
__________________
151. Layer 2 Tunnel Protocol, Cisco Systems, http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/l2tpt.htm
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.