inspecting l2tp traffic using AIM-IPS

Unanswered Question
Mar 25th, 2009
User Badges:

Hi All,

I have an IPS module in a ASA via which we are planning to send l2tp traffic. Would it be possible for the IPS to insoect this traffic as it normmaly does with other traffic ?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
andrew100 Wed, 03/25/2009 - 07:36
User Badges:


Yes this is possible for the IPS to inspect as the traffic is decrypted before it is processed by the AIP-SSM.

This is providing the ASA with the module in is terminating the l2TP connection :-)



thedinuka Wed, 03/25/2009 - 19:18
User Badges:


Thanks for the response. But two points I need to clarify

We would not be using the ASA to terminate the l2tp tunnel. It will simply pass through the ASA to a router at which the tunnel is terminated.

Also, by default l2tp traffic is not encrypted right ? It is just encapsulation. It it was decrypted, then I know for sure that the IPS will not be able to inspect it. But since it is not, then theoretically the IPS should be capable of inspecting it.

the question is whether my hypothesis here is correct ?

thanks again

marcabal Thu, 03/26/2009 - 10:04
User Badges:
  • Cisco Employee,

To inspect l2tp traffic the sensor software has to understand that their is an additional header on the packet in order to understand how to get to the packet inside the tunnel header.

Unfortunately the Cisco IPS Sensor software has not been coded to recognize an l2tp header and so does not know how to get to the underlying packet.

The Cisco IPS Sensor has only been coded to recognize and analyze packets within GRE, MPLES, IPV4inIPV4, and IPV4inIPV6 tunnels.

thedinuka Thu, 03/26/2009 - 20:21
User Badges:

Hi, Many thanks for the short and sweet answer. So the IPS will not inspect the l2tp traffic. Since it doesn't identify the traffic type, will it drop these ?


marcabal Fri, 03/27/2009 - 07:02
User Badges:
  • Cisco Employee,

The IPS will do some very basic signature checking on the first IPv4 packet header.

If the first header looks fine, then it should pass the packet through without further analysis.


This Discussion