What is L2TP (Layer 2 Tunneling Protocol)?
The abbreviation L2TP stands for Layer 2 Tunneling Protocol. It is a standardized further development of PPTP (Point-to-Point Tunneling Protocol) and L2F (Layer 2 Forwarding) that can be used to tunnel Layer 2 (link layer) data frames of the ISO/OSI reference model over IP-based networks.
L2TP was developed by the IETF (Internet Engineering Task Force) and is described in RFC 2661 and other RFCs. It supports the tunneling of packet-switching protocols such as PPP (Point-to-Point Protocol), ATM (Asynchronous Transfer Mode), Ethernet or Frame Relay.
In principle, any protocol carried within a PPP frame can be transmitted over an IP network. The IP network is transparent to the tunneled protocols and appears to them like a Layer 2 switch. For the Layer 2 Tunneling Protocol, CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are provided as authentication methods.
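The two PPP authentication methods named above differ in what actually crosses the link. The following Python script is an added example written for this article (it is not part of the original page and not taken from any L2TP implementation): it simulates one CHAP exchange from both sides according to RFC 1994 and builds a PAP Authenticate-Request according to RFC 1334. The peer name `client-1`, the secret `s3cret` and the identifier `0x2A` are constructed values. With CHAP only a hash of a fresh challenge is sent and the secret never appears on the link; with PAP the password can be read straight out of the packet, which is the reason to prefer CHAP (or stronger methods) over PAP on the LNS.

```python
import hashlib
import hmac
import os

# PPP authentication packet codes (RFC 1994 for CHAP, RFC 1334 for PAP)
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4
PAP_AUTH_REQUEST = 1


def chap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)
    return (bytes([code, identifier]) + length.to_bytes(2, "big")
            + bytes([len(value)]) + value + name)


def chap_unpack(pkt: bytes):
    """Split a Challenge/Response packet, rejecting inconsistent length fields."""
    if len(pkt) < 5 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("bad CHAP packet length")
    value_size = pkt[4]
    if 5 + value_size > len(pkt):
        raise ValueError("CHAP value runs past the end of the packet")
    return pkt[0], pkt[1], pkt[5:5 + value_size], pkt[5 + value_size:]


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def run_chap(authenticator_secrets: dict, peer_name: bytes, peer_secret: bytes):
    """Simulate one CHAP exchange; returns (authenticated, packets seen on the link)."""
    wire = []
    identifier = 0x2A                   # constructed value; real peers vary it per exchange
    challenge = os.urandom(16)          # fresh each time, so an old response is useless
    wire.append(chap_packet(CHAP_CHALLENGE, identifier, challenge, b"lns"))

    # Peer side: hash with its own copy of the secret; the secret itself stays local
    _, ident, chal, _ = chap_unpack(wire[-1])
    wire.append(chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, peer_secret, chal), peer_name))

    # Authenticator side: look the secret up by name, recompute, compare in constant time
    _, ident, response, name = chap_unpack(wire[-1])
    expected = chap_hash(ident, authenticator_secrets.get(name, b""), challenge)
    ok = name in authenticator_secrets and hmac.compare_digest(expected, response)
    result_code = CHAP_SUCCESS if ok else CHAP_FAILURE
    wire.append(bytes([result_code, ident]) + (4).to_bytes(2, "big"))  # Success/Failure, no message
    return ok, wire


def pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 Authenticate-Request: Peer-ID and Password are carried as-is."""
    length = 6 + len(peer_id) + len(password)
    return (bytes([PAP_AUTH_REQUEST, identifier]) + length.to_bytes(2, "big")
            + bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password)


def pap_parse_request(pkt: bytes):
    """Recover (peer_id, password) from a PAP request: all a passive link monitor needs."""
    if len(pkt) < 6 or pkt[0] != PAP_AUTH_REQUEST:
        raise ValueError("not a PAP Authenticate-Request")
    id_len = pkt[4]
    if 6 + id_len > len(pkt):
        raise ValueError("PAP Peer-ID runs past the end of the packet")
    pw_len = pkt[5 + id_len]
    peer_id = pkt[5:5 + id_len]
    password = pkt[6 + id_len:6 + id_len + pw_len]
    if len(password) != pw_len:
        raise ValueError("PAP length fields inconsistent")
    return peer_id, password


if __name__ == "__main__":
    secrets = {b"client-1": b"s3cret"}          # constructed credentials for the demo
    ok, wire = run_chap(secrets, b"client-1", b"s3cret")
    print("CHAP authenticated:", ok, "secret on wire:", any(b"s3cret" in p for p in wire))
    _, pw = pap_parse_request(pap_request(1, b"client-1", b"s3cret"))
    print("PAP password readable on wire:", pw)
```

Note that CHAP still requires the LNS to hold the reusable secret in a recoverable form and that MD5 is used only as specified by RFC 1994; the improvement over PAP is that the secret never transits the link, not that the hash is modern.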
By default, the Layer 2 Tunneling Protocol provides no encryption mechanism of its own, but it can be combined with almost any encryption method. The combination of L2TP with IPsec (Internet Protocol Security) is frequently used; it allows secure Virtual Private Networks (VPNs) to be implemented.
Windows does not require a separate VPN client for L2TP, since support is already integrated into the operating system. Besides VPNs, dial-up connections to service providers are another important application of the tunneling protocol. In this scenario, network frames are encapsulated by an L2TP Access Concentrator (LAC) and sent to a central L2TP Network Server (LNS) at the provider.
The different versions of the Layer 2 Tunneling Protocol
Two protocol versions exist: Layer 2 Tunneling Protocol version 2 and Layer 2 Tunneling Protocol version 3. L2TPv2 is designed specifically for tunneling PPP frames and supports no other frame types.
Tunneling over packet-based networks is possible; in IP networks, UDP is used as the transport. L2TPv3 is a further development that can be regarded as an alternative to Multiprotocol Label Switching (MPLS). In contrast to version 2, it can also encapsulate Layer 2 frames other than PPP in a tunnel. Version 3 is defined in RFC 3931.
Basic architecture and operation of the Layer 2 Tunneling Protocol
Two important components of an L2TP connection are the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS). The LAC establishes the connections to the LNS via the Layer 2 Tunneling Protocol. Separate channels exist between the LAC and the LNS for control packets and data packets.
While delivery on the data channel is not assured, transmission in the control channel is secured (it is sequenced and acknowledged; this is reliability, not encryption). The task of the LNS is to route the packets received from the LAC onward to their destinations and to control the communication. A client can use the Layer 2 Tunneling Protocol in two different ways. In the first, a PPP connection exists between the client and the LAC, and the LAC handles the actual tunneling of the data to the LNS. In the second, the client supports L2TP directly: it effectively takes over the role of the LAC and tunnels the data from the client to the LNS itself.
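To make the control/data split concrete, here is an added example in Python (it is not from the original article and not the code of any L2TP implementation) that decodes L2TPv2 messages as they appear in UDP datagrams on port 1701, the transport specified in RFC 2661. It distinguishes control messages (T bit set; these must carry the Length field and the Ns/Nr sequence numbers that give the control channel its acknowledged delivery) from data messages, and walks the AVPs of a control message to recover the message type. The SCCRQ and data samples, the host name `lac-1` and the tunnel ID `0x1234` are constructed for the example; hidden (H-bit) AVPs are out of scope and are rejected rather than misread.

```python
import struct

# --- L2TPv2 header flag bits, RFC 2661 section 3.1 ---
T_BIT = 0x8000   # 1 = control message, 0 = data message
L_BIT = 0x4000   # Length field present (mandatory on control messages)
S_BIT = 0x0800   # Ns/Nr sequence numbers present (mandatory on control messages)
O_BIT = 0x0200   # Offset Size field present (data messages only)
P_BIT = 0x0100   # Priority bit (data messages only)
VERSION_MASK = 0x000F

# Control message types carried in the Message Type AVP (attribute 0)
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
# A few IETF (vendor 0) attribute types, enough for the sample below
ATTR_MESSAGE_TYPE, ATTR_HOST_NAME, ATTR_ASSIGNED_TUNNEL_ID = 0, 7, 9


def _take(buf: bytes, pos: int, fmt: str):
    """Unpack `fmt` at `pos`, refusing to read past the end of the buffer."""
    size = struct.calcsize(fmt)
    if pos + size > len(buf):
        raise ValueError(f"truncated at offset {pos}")
    return struct.unpack(fmt, buf[pos:pos + size]), pos + size


def parse_avps(body: bytes) -> list:
    """Walk the AVP list of a control message (RFC 2661 section 4.1)."""
    avps, pos = [], 0
    while pos < len(body):
        (flags_len, vendor, attr), _ = _take(body, pos, "!HHH")
        length = flags_len & 0x03FF          # low 10 bits, includes the 6-byte AVP header
        if length < 6 or pos + length > len(body):
            raise ValueError(f"bad AVP length {length} at offset {pos}")
        if flags_len & 0x4000:               # H bit: value hidden with the tunnel secret
            raise ValueError("hidden AVPs are not handled in this example")
        avps.append({"mandatory": bool(flags_len & 0x8000), "vendor": vendor,
                     "attr": attr, "value": body[pos + 6:pos + length]})
        pos += length
    return avps


def parse_l2tp(packet: bytes) -> dict:
    """Decode one L2TPv2 message as carried in a UDP/1701 datagram."""
    (flags,), pos = _take(packet, 0, "!H")
    if (flags & VERSION_MASK) != 2:
        raise ValueError(f"not L2TPv2 (version field {flags & VERSION_MASK})")
    is_control = bool(flags & T_BIT)
    if is_control and (not flags & L_BIT or not flags & S_BIT or flags & (O_BIT | P_BIT)):
        raise ValueError("control message with illegal flag combination")
    length = None
    if flags & L_BIT:
        (length,), pos = _take(packet, pos, "!H")
        if length < 6 or length > len(packet):
            raise ValueError(f"length field {length} does not fit the datagram")
    (tunnel_id, session_id), pos = _take(packet, pos, "!HH")
    ns = nr = None
    if flags & S_BIT:
        (ns, nr), pos = _take(packet, pos, "!HH")
    if flags & O_BIT:                        # data messages may pad before the payload
        (offset,), pos = _take(packet, pos, "!H")
        pos += offset
    end = len(packet) if length is None else length
    if pos > end:
        raise ValueError("header runs past the end of the message")
    msg = {"kind": "control" if is_control else "data", "tunnel_id": tunnel_id,
           "session_id": session_id, "ns": ns, "nr": nr, "payload": packet[pos:end]}
    if is_control:
        msg["avps"] = parse_avps(msg["payload"])
        mt = [a for a in msg["avps"] if a["vendor"] == 0 and a["attr"] == ATTR_MESSAGE_TYPE]
        if not mt or len(mt[0]["value"]) != 2:
            raise ValueError("control message without a Message Type AVP")
        code = struct.unpack("!H", mt[0]["value"])[0]
        msg["message"] = MESSAGE_TYPES.get(code, f"type-{code}")
    return msg


# --- constructed sample messages (not captured traffic) ---
def build_avp(attr: int, value: bytes, mandatory: bool = True) -> bytes:
    flags_len = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr) + value


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: bytes) -> bytes:
    header_len = 12                          # flags, length, tunnel, session, Ns, Nr
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, header_len + len(avps),
                       tunnel_id, session_id, ns, nr) + avps


# A LAC's first message: SCCRQ sent with tunnel ID 0, proposing tunnel ID 0x1234
SAMPLE_SCCRQ = build_control(0, 0, 0, 0,
    build_avp(ATTR_MESSAGE_TYPE, struct.pack("!H", 1))
    + build_avp(ATTR_HOST_NAME, b"lac-1")
    + build_avp(ATTR_ASSIGNED_TUNNEL_ID, struct.pack("!H", 0x1234)))

# A data message on session 1 of tunnel 0x1234: no L, no S, the PPP frame follows directly
SAMPLE_DATA = struct.pack("!HHH", 2, 0x1234, 0x0001) + b"\xff\x03\xc0\x21"  # PPP LCP

# A control message without the mandatory S bit: must be rejected, not guessed at
SAMPLE_BAD = struct.pack("!HHHH", T_BIT | L_BIT | 2, 8, 0, 0)

if __name__ == "__main__":
    for name, pkt in (("SCCRQ", SAMPLE_SCCRQ), ("data", SAMPLE_DATA)):
        print(name, parse_l2tp(pkt))
```

The flag validation mirrors the MUST/MUST NOT rules of RFC 2661 for control messages; a decoder that silently tolerates a control message without sequence numbers, or an AVP whose length field points past the datagram, is the kind of parser defect that turns malformed input into crashes or misreads.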
Secure connections with L2TP and IPsec
The Layer 2 Tunneling Protocol itself provides neither encryption nor strong authentication, so it is often used in combination with IPsec, which provides the actual end-to-end security. L2TP with IPsec is considered very secure and offers 256-bit encryption. The protocol combination allows secure VPN connections to be established. L2TP/IPsec is implemented by default in many operating systems for PCs and mobile devices such as smartphones and tablets.
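Because IPsec in transport mode protects the UDP/1701 traffic (RFC 3193), a correctly built L2TP/IPsec tunnel shows up at a monitoring point only as IKE (UDP/500) plus ESP (IP protocol 50), or as UDP/4500 when NAT traversal is in use; L2TP visible on UDP/1701 means the tunnel is running without its IPsec protection and everything inside it, PPP authentication included, is readable. The following Python script is an added example (not part of the article) that applies this check to a list of flow records; the addresses and the `SAMPLE_FLOWS` records are constructed for the example, not captured.

```python
from collections import defaultdict

IPPROTO_UDP, IPPROTO_ESP = 17, 50          # IP protocol numbers
L2TP_PORT, IKE_PORT, NAT_T_PORT = 1701, 500, 4500

# Constructed flow records (not a capture): (ip_proto, src, dst, sport, dport).
# With L2TP/IPsec the transport-mode IPsec SA carries the UDP/1701 traffic (RFC 3193),
# so a monitoring point should see only IKE and ESP (or UDP/4500 with NAT traversal).
SAMPLE_FLOWS = [
    # Peer A: IKE, then ESP; the L2TP tunnel is inside ESP and never shows as UDP/1701
    (IPPROTO_UDP, "192.0.2.10", "198.51.100.1", 500, 500),
    (IPPROTO_ESP, "192.0.2.10", "198.51.100.1", 0, 0),
    (IPPROTO_ESP, "198.51.100.1", "192.0.2.10", 0, 0),
    # Peer B behind NAT: IKE on 500, then UDP-encapsulated ESP on 4500
    (IPPROTO_UDP, "203.0.113.7", "198.51.100.1", 500, 500),
    (IPPROTO_UDP, "203.0.113.7", "198.51.100.1", 4500, 4500),
    (IPPROTO_UDP, "198.51.100.1", "203.0.113.7", 4500, 4500),
    # Peer C: L2TP control and data straight on UDP/1701, no IPsec at all
    (IPPROTO_UDP, "192.0.2.44", "198.51.100.1", 1701, 1701),
    (IPPROTO_UDP, "198.51.100.1", "192.0.2.44", 1701, 1701),
    # Peer D: IKE was attempted, but L2TP then appeared in the clear anyway
    (IPPROTO_UDP, "192.0.2.99", "198.51.100.1", 500, 500),
    (IPPROTO_UDP, "192.0.2.99", "198.51.100.1", 1701, 1701),
]


def classify_flow(proto: int, sport: int, dport: int):
    """Map one flow to the evidence it gives about L2TP/IPsec, or None if unrelated."""
    if proto == IPPROTO_ESP:
        return "esp"
    if proto != IPPROTO_UDP:
        return None
    ports = (sport, dport)
    if NAT_T_PORT in ports:
        return "nat-t"
    if IKE_PORT in ports:
        return "ike"
    if L2TP_PORT in ports:
        return "l2tp-clear"
    return None


def audit_l2tp_exposure(flows):
    """Per peer pair: 'protected', 'exposed', 'exposed-after-ike' or 'ike-only'."""
    evidence = defaultdict(set)
    for proto, src, dst, sport, dport in flows:
        kind = classify_flow(proto, sport, dport)
        if kind:
            evidence[tuple(sorted((src, dst)))].add(kind)
    verdicts = {}
    for pair, seen in evidence.items():
        if "l2tp-clear" in seen:
            # Plaintext L2TP: PPP authentication and all tunneled frames are readable on the path
            verdicts[pair] = "exposed-after-ike" if "ike" in seen else "exposed"
        elif seen & {"esp", "nat-t"}:
            verdicts[pair] = "protected"
        else:
            verdicts[pair] = "ike-only"     # negotiation seen, no tunnel traffic yet
    return verdicts


if __name__ == "__main__":
    for pair, verdict in sorted(audit_l2tp_exposure(SAMPLE_FLOWS).items()):
        print(f"{pair[0]:>14} <-> {pair[1]:<14} {verdict}")
```

The "exposed-after-ike" verdict is the one worth alerting on first: IKE was attempted and L2TP still went out in the clear, which points at a client or gateway that proceeds without IPsec when the negotiation fails. The same rule is easy to express as a firewall policy on the LNS: accept UDP/1701 only from the IPsec policy, never from the raw interface.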