[c-nsp] will L2TP break Kerberos?

Michael K. Smith mksmith at adhost.com
Tue Oct 14 21:09:19 EDT 2008


Hello:


On 10/14/08 3:51 AM, "Rogelio" <scubacuda at gmail.com> wrote:

> Will Kerberos break if it goes through an L2TP tunnel?
> 
> I have these handheld wireless devices that currently talk Kerberos
> back to a Symbol access point.  I'm looking to replace these Symbol
> units with BelAir access points.
> 
> These BelAir access points will L2TP tunnel back to a central Cisco
> router so that I can manage all of these handheld wireless devices with
> one DHCP and one RADIUS server.
> 
> In theory, I would think that L2TP tunneling works fine (the only
> difference being that your pipe gets smaller as you go across a WAN), but I
> was hoping to get some feedback from others here before I put this in
> production.
> 
> (I'm a little gun shy b/c I've seen things like NAT break IPsec)

The main issue, AFAIK, is NAT translation, which is a no-no for Kerberos.
As long as you are going native IP to IP, even if they are RFC 1918,
Kerberos should work fine.  However, if you need to NAT it anywhere on
either side of the tunnel, it will fail.

Regards,

Mike
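An added illustration of why the tunnel/NAT distinction above matters (example code written for this page, not from the thread or either poster): a Kerberos ticket may carry the client's address list (RFC 4120 caddr), which the receiving side compares against the IP source address of the request. L2TP carries the original IP header as payload and restores it at the far end, while NAT rewrites it; the addresses, hop functions and the simplified packet model are constructed and hypothetical.

```python
from ipaddress import ip_address

# Constructed model of the path in the thread:
# handheld -> BelAir AP -> (L2TP tunnel or NAT) -> central Cisco router -> KDC/service.
# Only the source address the Kerberos service finally sees is tracked.

def l2tp_encap(pkt, tunnel_src):
    """L2TP encapsulation: the original IP header travels as payload, untouched."""
    return {"src": ip_address(tunnel_src), "inner": dict(pkt)}

def l2tp_decap(pkt):
    """Tunnel endpoint strips the outer header; the inner source reappears unchanged."""
    return dict(pkt["inner"])

def snat(pkt, public_src):
    """Source NAT rewrites the source address; the original is gone for later hops."""
    out = dict(pkt)
    out["src"] = ip_address(public_src)
    return out

def kerberos_addr_check(ticket_addrs, pkt):
    """RFC 4120 caddr check: an empty list is an addressless ticket (no check);
    otherwise the packet source must appear in the ticket's address list."""
    if not ticket_addrs:
        return True
    return pkt["src"] in {ip_address(a) for a in ticket_addrs}

def run_path(client_ip, hops, ticket_addrs):
    """Push a request from client_ip through the hops and apply the address check."""
    pkt = {"src": ip_address(client_ip)}
    for hop in hops:
        pkt = hop(pkt)
    return kerberos_addr_check(ticket_addrs, pkt)

HANDHELD = "10.20.0.15"                                     # constructed RFC 1918 client
L2TP_PATH = [lambda p: l2tp_encap(p, "192.0.2.10"), l2tp_decap]  # AP tunnels to router
NAT_PATH = [lambda p: snat(p, "198.51.100.1")]              # something NATs the client

def demo():
    """Four deployments; True means the Kerberos address check passes."""
    return {
        "l2tp_only": run_path(HANDHELD, L2TP_PATH, [HANDHELD]),
        "nat_only": run_path(HANDHELD, NAT_PATH, [HANDHELD]),
        "l2tp_then_nat": run_path(HANDHELD, L2TP_PATH + NAT_PATH, [HANDHELD]),
        "nat_addressless_ticket": run_path(HANDHELD, NAT_PATH, []),
    }
```

The last case shows the usual workaround when NAT cannot be avoided: tickets issued without addresses (addressless tickets) skip the check entirely.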
