[2023 October Tips & Tricks] Why deprecate L2TP over IPSec in the USG FLEX H Series?

Quelle: Link

Why deprecate L2TP over IPSec in the USG FLEX H Series?

L2TP over IPSec was a popular VPN protocol in the past, but it has become less common and is often deprecated and discouraged for several reasons:

Security Concerns: It does NOT provide encryption or confidentiality to traffic passing through it. It relies on other protocols like IPsec for encryption and security.

Limited Platforms: Not all platforms and devices support L2TP/IPSec. For example, some mobile devices and operating systems have moved away from supporting this protocol in favor of more modern and secure alternatives. Android has removed L2TP VPN in its version 12 onward so that consumers can enjoy better security, performance, and interoperability with other systems.

Performance: L2TP over IPSec can be less efficient in terms of performance compared to newer VPN protocols. The additional overhead introduced by the combination of L2TP and IPSec can result in reduced throughput, which may be a concern in high-speed or high-bandwidth scenarios.

Zyxel is determined to deprecate the L2TP over IPSec in favor of a more modern and secure VPN protocol like IKEv2 in our USG FLEX H series, while keeping L2TP over IPSec in the ZLD-based product lines USG FLEX series and ATP series. IKEv2 is a VPN protocol known for its security, reliability, and efficiency. The best part is it’s widely adopted and provides outstanding interoperability, working with different types of VPN clients, OS, and VPN gateway.

To help our customers migrate to IKEv2, we provide Remote VPN Wizard in every product (ZLD, uOS, Nebula firewall, and future SCR), which generates a VPN script for use with free OS native- IKEv2 VPN clients e.g., Windows, macOS, iOS, Android (StrongSwan) in just a few clicks. As a result, our customers can enjoy the benefits of IKEv2 without the additional cost of purchasing IKEv2 client software.

With the subscription-based Zyxel SecuExtender VPN client, we take a step further allowing customers to enjoy auto-provisioning by simply retrieving the VPN settings right from our firewalls.