12

Most VPN clients distinguish between IPSec and "Cisco IPSec." For example, (Apple's) iOS treats them as essentially separate things.

But I can't find any explanation of what the protocol-level differences are. They may be minor, but there definitely appear to be differences.

Can someone shed light on this? Even just a pointer to a detailed explanation would help a great deal. Thanks!

Dave Peck
  • 223
  • 1
  • 6
  • (My best guess right now is that there's no real protocol difference, but that Cisco IPSec typically uses PSK and xauth in isakmp. But I don't really know -- looking to the experts for this one. Thanks. ;-) – Dave Peck Nov 22 '11 at 23:09
  • My iPhone doesn't have two different IPSec. It has L2TP, PPTP and IPSec, which client code seems to be provided by Cisco. Could you please share a screenshot showing both clients ? – petrus Nov 23 '11 at 23:29
  • Wrong IOS, I suspect. IOS (Internetwork Operating System) is the OS used by better-than-consumer-grade CISCO routers, and was for years before Apple came along, borrowed yet another thing that was already in use, and claimed it was theirs ;-) – MadHatter Nov 24 '11 at 11:00
  • @MadHatter I've clarified in the question by adding the word "(Apple's)" in front of iOS. I did definitely mean Apple's iOS. – Dave Peck Nov 28 '11 at 21:24
  • @petrus "L2TP" on Apple's iOS is actually L2TP+IPSec, and is the default non-cisco IPSec implementation. "IPSec" on Apple's iOS is actually Cisco IPSec. This is confusing, yes. – Dave Peck Nov 28 '11 at 21:27
  • @Dave: ooops, my bad, thanks for clarifying. Also Apple's bad, but hey, what can you do? – MadHatter Nov 30 '11 at 08:56

2 Answers

5

From my understanding, "Cisco IPSec" is just marketing speak for IPSec with some pre-defined settings for AH/ESP, tunnel/transport mode, etc.

When you read the RFCs, you see that they deliberately leave room for implementations... you, as the network admin setting up the IPSec connection, have quite a lot of options to choose from for the protocol (and you need to). Cisco simplified this a great deal by saying "Both participants do ESP, they have encryption modes X, Y, Z at their disposal, (...)".

Roman
  • 3,825
  • 3
  • 20
  • 33
  • 1
    This is my belief, too. I'm wondering what specific settings we're looking at as well. My best guess is that the StrongSwan wiki pages about Apple iOS hold at least some of the answer: http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) – Dave Peck Nov 28 '11 at 21:25
  • Tell me about it, I searched for those quite a while as well, but no dice. If you ever find out about them, make sure to drop me a note! :) – Roman Nov 29 '11 at 11:32
  • I've decided to accept this as the answer. I suspect it's the only good one we're gonna get. Thanks, @Roman! – Dave Peck Nov 30 '11 at 02:27
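To make the "pre-defined settings" idea concrete, here is an added strongSwan `ipsec.conf`/`ipsec.secrets` fragment (not code from the question, the answer, or the strongSwan project) for a responder that accepts the kind of connection the comments describe: IKEv1 with a pre-shared key for the gateway plus XAuth for the user. The hostname, address pool, PSK and user credentials are placeholders, and the cipher proposals are assumptions chosen for illustration rather than taken from the page.

```ini
# /etc/ipsec.conf  (added example; connection name and all values are placeholders)
config setup

conn cisco-style-remote-access
    keyexchange=ikev1          # "Cisco IPSec" style clients speak IKEv1, not IKEv2
    aggressive=yes             # assumption: many IKEv1 PSK clients use aggressive mode
    ike=aes256-sha1-modp1024   # assumed proposal; prefer a stronger DH group if the client allows it
    esp=aes256-sha1            # assumed ESP proposal
    left=%defaultroute
    leftid=vpn.example.invalid # placeholder gateway identity
    leftsubnet=0.0.0.0/0       # route all client traffic through the tunnel
    leftauth=psk               # gateway authenticates with the group pre-shared key
    right=%any
    rightid=%any
    rightauth=psk              # client proves knowledge of the same PSK (phase 1)
    rightauth2=xauth           # then the individual user authenticates with XAuth
    rightsourceip=10.10.0.0/24 # placeholder virtual address pool handed to clients
    rightdns=10.10.0.1         # placeholder internal resolver
    auto=add

# /etc/ipsec.secrets  (added example; placeholder credentials)
# Group PSK shared by every client of this profile.
: PSK "REPLACE-WITH-A-LONG-RANDOM-GROUP-KEY"
# Per-user XAuth credentials.
alice : XAUTH "REPLACE-WITH-USER-PASSWORD"
```

The security-relevant point in this shape of configuration is that the group PSK is shared by every client, so the per-user XAuth step is what actually distinguishes users; rotating the group key when a device is lost is a separate operational task from disabling that user's XAuth entry.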
0

I understand from your comment that you are wondering about the differences between L2TP+IPSec and IPSec only.

  • L2TP is a tunneling protocol. No encryption.
  • IPSec is a security protocol (encryption + authentication)

When IPSec is used "alone", it can operate in two modes:

  • "tunnel": The tunnel is in fact a GRE tunnel (IP in IP), but the payload is encrypted.
  • "transport": IP payload is encrypted, without any encapsulation.

Tunnel mode is mostly used to connect two networks, from router to router, while transport mode will be used for road warriors (devices such as laptops or iPhones) connecting to a corporate network.

L2TP over IPSec is similar to transport mode, connecting a remote device to a concentrator. The remote device can, however, be a router.

petrus
  • 5,287
  • 25
  • 42
  • Thanks, @petrus, but: alas, that is not what I am asking about at all. Please re-read the initial question. – Dave Peck Nov 30 '11 at 02:26
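The tunnel-versus-transport distinction in the answer above comes down to what ESP wraps: in tunnel mode the ESP payload is a complete inner IP packet (the ESP trailer's "next header" byte is 4 for IPv4), while in transport mode the payload is only the upper-layer segment and the original IP header stays on the outside. The following Python is an added example, not code from the question, the answers, or any IPsec implementation: it builds both layouts per RFC 4303 and classifies them from the trailer. Encryption and the integrity check value are deliberately left out so the byte layout stays visible; the sample addresses and the TCP segment are constructed. The practical caveat this illustrates is that the mode indicator sits inside the encrypted part of the packet, so a passive observer of real traffic sees only outer addresses, SPI and sequence number.

```python
import struct

IPPROTO_IPV4 = 4    # "next header" value meaning an IPv4 packet follows (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 12        # assumed integrity check value length (e.g. HMAC-SHA1-96)


def ipv4_checksum(data: bytes) -> int:
    """Standard one's-complement header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:]}


def esp_encapsulate(plain: bytes, next_header: int, spi: int, seq: int,
                    block: int = 4) -> bytes:
    """RFC 4303 layout: SPI | seq | payload | padding | pad len | next header | ICV.
    Padding brings (payload + 2 trailer bytes) to a multiple of the cipher block size;
    the default padding pattern is 1, 2, 3, ...  Encryption and ICV are omitted here."""
    pad_len = (-(len(plain) + 2)) % block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + plain + trailer + b"\x00" * ICV_LEN


def esp_decapsulate(esp: bytes) -> dict:
    """Strip ESP header, trailer and ICV; returns the (here unencrypted) payload."""
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:-ICV_LEN]
    pad_len, next_header = body[-2], body[-1]
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": body[:-(pad_len + 2)]}


def classify_esp_packet(pkt: bytes) -> dict:
    """Decide tunnel vs transport mode from the ESP trailer's next-header byte."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    esp = esp_decapsulate(outer["payload"])
    if esp["next_header"] == IPPROTO_IPV4:
        inner = parse_ipv4(esp["payload"])          # whole inner IP packet was wrapped
        return {"mode": "tunnel", "outer": (outer["src"], outer["dst"]),
                "inner": (inner["src"], inner["dst"]), "inner_proto": inner["proto"]}
    return {"mode": "transport", "outer": (outer["src"], outer["dst"]),
            "inner_proto": esp["next_header"]}        # only the segment was wrapped


# Constructed sample: a placeholder 20-byte TCP header (ports 80 -> 8080, rest zero).
TCP_SEGMENT = b"\x00\x50\x1f\x90" + b"\x00" * 16


def build_examples() -> tuple:
    """Return (tunnel_mode_packet, transport_mode_packet) using constructed addresses."""
    # Tunnel mode: gateway-to-gateway, inner host packet wrapped whole.
    inner = ipv4_header("10.0.0.5", "10.1.0.7", IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
    esp = esp_encapsulate(inner, IPPROTO_IPV4, spi=0x1000, seq=1)
    tunnel_pkt = ipv4_header("203.0.113.10", "198.51.100.1", IPPROTO_ESP, len(esp)) + esp
    # Transport mode: end-host to end-host, original IP header kept outside.
    esp = esp_encapsulate(TCP_SEGMENT, IPPROTO_TCP, spi=0x2000, seq=1)
    transport_pkt = ipv4_header("203.0.113.10", "198.51.100.1", IPPROTO_ESP, len(esp)) + esp
    return tunnel_pkt, transport_pkt


if __name__ == "__main__":
    for pkt in build_examples():
        print(classify_esp_packet(pkt))
```

Run it directly to see the two classifications; the tunnel-mode result carries both the outer gateway pair and the inner host pair, while the transport-mode result has only the outer pair, which is exactly the information difference between the two modes.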