Layer 2 Tunnel Protocol (L2TP)
Layer 2 Tunnel Protocol (L2TP) is a tunneling protocol that carries layer 2 (PPP) frames between two points across a public network. Although it is mostly deployed for secure remote access, L2TP provides no encryption or data authentication of its own and must be paired with a security protocol; by far the most common pairing is IPsec (Internet Protocol Security), giving L2TP/IPsec.
How Does L2TP Work
In OSI terms, L2TP builds a layer 2 (Data Link Layer) tunnel: it encapsulates PPP frames inside UDP/IP so they can cross a layer 3 (Network Layer) network, and IPsec is then applied to that carrier traffic to encrypt and authenticate it. L2TP/IPsec became one of the most widely deployed VPN protocols because it was a clear security improvement over its predecessors and is built into most operating systems.
Understanding how L2TP tunneling works requires some understanding of how data is transferred across networks. Data is divided into smaller, more manageable chunks known as packets.
These packets contain two components:
- Header: Information about the packet, such as the IP addresses of its origin and destination.
- Payload: The actual data being transferred.
The header contains information that is read by network components as the packet moves across the network.
Encapsulation
Tunneling protocols wrap the original packet in a new outer packet whose header carries only the addresses of the tunnel's two endpoints. Routers along the path forward on that outer header alone. On its own, though, encapsulation only adds a header: the original header and payload are still present in the clear inside the outer packet, and anyone capturing traffic on the path can read them. Hiding the inner header and payload from the network requires the encryption that IPsec adds on top of L2TP.
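The nesting described above, shown as an added example (this is not code from the original page): a small Python implementation of the L2TPv2 data-message header (RFC 2661) that wraps a PPP-framed IPv4 packet, parses it back, and pulls the inner addresses out of the PPP payload. Tunnel and session IDs, the 10.x addresses and the payload are constructed sample values, not captured traffic. The last function is the point of the example: when the L2TP packet is not inside IPsec ESP, every device on the path can read the real inner source and destination, not just the tunnel endpoints.

```python
"""L2TPv2 data-message encapsulation (RFC 2661 header layout), written from
scratch as an illustration. Tunnel/session IDs, addresses and payload are
constructed sample values, not captured traffic."""
import struct
import ipaddress

L2TP_UDP_PORT = 1701         # L2TP control and data messages both travel on UDP/1701
FLAG_T = 0x8000              # 1 = control message, 0 = data message
FLAG_L = 0x4000              # Length field present
FLAG_S = 0x0800              # Ns/Nr sequence fields present
FLAG_O = 0x0200              # Offset Size field present
L2TP_VERSION = 2
PPP_PROTO_IPV4 = 0x0021      # PPP protocol number for an IPv4 datagram
PPP_ADDR_CTRL = b"\xff\x03"  # HDLC address/control bytes, optional over L2TP


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (checksum field zeroed by the caller)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, data: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) around `data`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + data


def ppp_ipv4(ip_packet: bytes) -> bytes:
    """PPP frame as carried over L2TP: protocol field only, no HDLC flags or FCS."""
    return struct.pack("!H", PPP_PROTO_IPV4) + ip_packet


def build_l2tp_data(tunnel_id, session_id, ppp_frame, ns=None, nr=None) -> bytes:
    """L2TP data message (T=0). The LAC sends this to the LNS over UDP/1701."""
    flags = L2TP_VERSION | FLAG_L
    if ns is not None:
        flags |= FLAG_S
    hdr = struct.pack("!HHHH", flags, 0, tunnel_id, session_id)  # length patched below
    if ns is not None:
        hdr += struct.pack("!HH", ns, nr)
    pkt = hdr + ppp_frame
    return pkt[:2] + struct.pack("!H", len(pkt)) + pkt[4:]


def parse_l2tp(pkt: bytes) -> dict:
    """Walk the variable-length L2TPv2 header and return its fields plus the payload."""
    flags, = struct.unpack_from("!H", pkt, 0)
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 header")
    off, info = 2, {"control": bool(flags & FLAG_T)}
    if flags & FLAG_L:
        info["length"], = struct.unpack_from("!H", pkt, off)
        off += 2
    info["tunnel_id"], info["session_id"] = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & FLAG_S:
        info["ns"], info["nr"] = struct.unpack_from("!HH", pkt, off)
        off += 4
    if flags & FLAG_O:  # skip the offset pad when present
        offset_size, = struct.unpack_from("!H", pkt, off)
        off += 2 + offset_size
    info["payload"] = pkt[off:]
    return info


def inner_addresses(ppp_frame: bytes):
    """What an on-path observer reads when the L2TP packet is NOT inside IPsec ESP:
    the real source and destination of the tunnelled IPv4 packet (None if not IPv4)."""
    if ppp_frame[:2] == PPP_ADDR_CTRL:
        ppp_frame = ppp_frame[2:]
    proto, = struct.unpack_from("!H", ppp_frame, 0)
    if proto != PPP_PROTO_IPV4:
        return None
    src, dst = struct.unpack_from("!4s4s", ppp_frame, 2 + 12)  # IPv4 src/dst at header offset 12
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


if __name__ == "__main__":
    inner = build_ipv4("10.8.0.2", "10.1.5.20", 6, b"\x00\x50\x1f\x90")  # constructed TCP stub
    tunnelled = build_l2tp_data(0x1234, 0x5678, ppp_ipv4(inner), ns=7, nr=3)
    fields = parse_l2tp(tunnelled)
    print("outer: LAC -> LNS on UDP/%d, tunnel %#x session %#x"
          % (L2TP_UDP_PORT, fields["tunnel_id"], fields["session_id"]))
    print("inner addresses readable without IPsec:", inner_addresses(fields["payload"]))
```

Feed the bytes from `build_l2tp_data` into a UDP socket bound to port 1701 and Wireshark will dissect them as L2TP; the same capture wrapped in ESP shows nothing past the outer IP header, which is the difference the next section is about.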
Data Encryption
In a typical deployment, IPsec encrypts the encapsulated L2TP traffic to add the confidentiality and integrity that L2TP lacks. The two tunnel endpoints are the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS).
In the original dial-up design the LAC sits at the Internet Service Provider's (ISP's) point of presence and the LNS at the destination network; in a remote access VPN the client software itself plays the LAC role and the corporate VPN gateway is the LNS.
- The LAC accepts the client's PPP frames, wraps them in L2TP and sends them to the LNS over the User Datagram Protocol (UDP), port 1701, with IPsec protecting that UDP traffic in between.
- The LNS is the termination point: it strips the L2TP encapsulation and hands the original packet to the private network.
Therefore, L2TP/IPsec escorts encrypted data through public networks directly to private network assets.
L2TP/IPsec Use Cases
L2TP was standardized in RFC 2661 (1999) as a more secure successor to Microsoft's Point-to-Point Tunneling Protocol (PPTP), combining it with elements of Cisco's Layer 2 Forwarding Protocol (L2F). Its original purpose was carrying dial-up PPP sessions across an ISP's network to a remote site; paired with IPsec, it became one of the most widely used VPN protocols.
L2TP is particularly popular for connecting remote devices to a central network. Remote users run an L2TP/IPsec client (built into Windows, macOS and iOS) to reach the corporate network through a VPN gateway. IPsec supplies the encryption and integrity protection and authenticates the two endpoints, while PPP inside the tunnel authenticates the user.
While L2TP/IPSec is primarily used to support VPNs, L2TP/IPSec use cases also include:
- Extending LAN (Local Area Network) corporate networks to remote devices, connecting them using secure, stable tunnels.
- Enabling ISPs to resell network capacity by routing traffic from customers.
- Building secure public Wi-Fi networks with users connecting through access points that create an L2TP tunnel.
The Pros and Cons of L2TP
L2TP VPNs offer a range of potential benefits compared to others, including:
- Utilizing the Point-to-Point Protocol (PPP) layer 2 protocol to encapsulate data, L2TP can support a range of features including authentication, encryption, and compression.
- Compatibility with different types of devices and almost all operating systems. Additionally, while it is normally paired with IPSec, L2TP offers multi-protocol support and can work with various other layer 3 protocols.
- Combining strong security with reasonable speed. IPsec negotiates modern ciphers such as AES-256, far stronger than PPTP's RC4-based MPPE; the cipher actually used depends on configuration, so legacy options such as 3DES should be disabled on both ends.
- Ease of use with L2TP implementation built into operating systems, users can quickly implement a VPN without much expertise.
However, L2TP is an older protocol that also has some disadvantages, such as:
- The added complexity of pairing L2TP with IPSec and checking their configuration to prevent vulnerabilities.
- While it is relatively fast compared to other secure tunneling protocols, IPSec encryption still causes a drop in speed.
- Firewalls and other connectivity issues can reduce stability when using L2TP/IPSec.
- L2TP/IPsec is often blocked by firewalls and Network Address Translation (NAT) gateways. IPsec ESP (IP protocol 50) has no port numbers, so a NAT device cannot track it, and restrictive firewalls frequently drop ESP as well as UDP ports 500 and 4500.
NAT Traversal (NAT-T) addresses the NAT problem by carrying ESP inside UDP on port 4500 once the IKE exchange detects a NAT on the path. On home and small-office routers the related setting appears as "L2TP passthrough" (or "IPsec passthrough"), which lets sessions initiated by a client inside the private network traverse the NAT correctly. It matters most for remote access VPNs, where employees connect to the corporate network from behind someone else's NAT or firewall.
L2TP vs. Other Tunneling Protocols
While an L2TP VPN is simple and convenient to use, newer protocols provide enhanced performance in terms of security, speed, stability, and bypassing firewalls.
Below, we discuss L2TP vs. PPTP, IKEv2, OpenVPN, and SSTP.
L2TP vs. PPTP
Another early tunneling protocol, PPTP was once popular for VPNs but is now rarely used because of its weak security: its MS-CHAPv2 authentication and RC4-based MPPE encryption (40- or 128-bit keys) are both considered broken. PPTP is somewhat faster than L2TP/IPsec because it avoids the double encapsulation of L2TP inside IPsec.
Despite that, L2TP/IPsec offers significantly stronger encryption and authentication, making it far more suitable for enterprise use. PPTP (GRE plus TCP port 1723) is also more often blocked by firewalls.
L2TP vs. IKEv2
IKEv2 (Internet Key Exchange version 2) is the key-exchange protocol of IPsec; an "IKEv2 VPN" runs IPsec directly, without the L2TP layer.
It can be harder to implement, sometimes requiring third-party software depending on the platform, but IKEv2 offers significant benefits over L2TP. These include:
- Improved stability
- Faster speeds (no extra L2TP/PPP encapsulation)
IKEv2's ability to reconnect quickly, and to keep a session alive across address changes via MOBIKE (RFC 4555), makes it well suited to VPNs for mobile devices that switch between networks.
L2TP vs. OpenVPN
OpenVPN is an open-source VPN protocol with stronger protection than L2TP on its own.
OpenVPN uses TLS (Transport Layer Security, the successor to SSL) to authenticate the peers and negotiate keys for its encrypted data channel, and it is generally faster than L2TP/IPsec.
Additionally, OpenVPN can run on any TCP or UDP port, including TCP 443 where it blends in with HTTPS, which lets it pass firewalls that block L2TP/IPsec. L2TP/IPsec is regularly blocked because it needs UDP port 500, UDP port 4500 and IP protocol 50 (ESP) to be allowed, and many firewalls permit none of them. The downside is that OpenVPN has no native support on most platforms, so you usually have to install third-party software to use it.
L2TP vs. SSTP
Created by Microsoft and mainly used on Windows, Secure Socket Tunneling Protocol (SSTP) also relies on TLS (over TCP port 443) and offers a level of protection comparable to OpenVPN. It likewise passes most firewalls, but it is generally slower than both OpenVPN and L2TP.
SSTP is a strong VPN option, especially on Windows systems where it is natively supported.
Security Considerations in L2TP: How Secure Is It?
Given that L2TP doesn’t inherently provide security, the protections offered to users are defined by the protocol it is paired with. By itself, L2TP creates the tunnel between the two points on the network. There is no data encryption or authentication to verify the packet.
If intercepted, the data will be exposed.
That is why it is usually paired with IPSec, especially for VPN use, to deliver the protections required.
- L2TP/IPSec provides a secure tunnel to send encrypted data across public networks safely.
- Encapsulation and robust IPSec encryption combine to offer multilayered protection, including confidentiality, data integrity, and authentication of the data’s origin.
In the usual transport-mode deployment, IPsec ESP encrypts and integrity-protects everything after the outer IP header: the UDP and L2TP headers, the PPP frame, and the complete inner packet, header and payload. The outer IP header itself must stay readable so the packet can be routed. The cipher and key length (for example AES-256) are negotiated during the IKE exchange.
The traffic on the wire consists of IKE on UDP port 500 (moving to UDP 4500 when NAT-T is detected), ESP as IP protocol 50 (or UDP-encapsulated on port 4500), and L2TP on UDP port 1701 carried inside ESP. The LAC and LNS authenticate each other during IKE with a pre-shared key or certificates, so each side knows where the data originates.
During transit through the tunnel, the original addresses and the data are concealed by that encryption.
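As an added example (not from the original page) covering both the firewall/NAT discussion earlier and the port layout just described: a Python audit over constructed flow records, the kind of 5-tuples a firewall log or NetFlow export produces, that labels each client-to-server flow as IKE (UDP/500), NAT-T (UDP/4500), ESP (IP protocol 50) or plaintext L2TP (UDP/1701 visible on the wire), then reports per client/server pair whether the tunnel carried data, whether NAT-T was needed, and, the finding that matters most, whether L2TP is running with no IPsec at all. The addresses and records in SAMPLE_FLOWS are constructed.

```python
"""Audit L2TP/IPsec flows from firewall or NetFlow-style records.
All addresses and flow records below are constructed sample data."""
from collections import defaultdict

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701


def classify_flow(proto: int, dport: int) -> str:
    """Map a flow's IP protocol and destination port to its role in L2TP/IPsec."""
    if proto == PROTO_ESP:
        return "ESP"            # IP protocol 50: no ports, so plain NAT cannot track it
    if proto == PROTO_UDP:
        if dport == IKE_PORT:
            return "IKE"        # key exchange and peer authentication
        if dport == NAT_T_PORT:
            return "NAT-T"      # IKE plus UDP-encapsulated ESP once a NAT is detected
        if dport == L2TP_PORT:
            return "L2TP-CLEAR" # L2TP itself visible on the wire: it is NOT inside ESP
    return "OTHER"


def audit_flows(flows):
    """Group client->server flows and return {(client, server): (kinds, findings)}."""
    by_pair = defaultdict(set)
    for f in flows:
        by_pair[(f["src"], f["dst"])].add(classify_flow(f["proto"], f["dport"]))
    report = {}
    for pair, kinds in sorted(by_pair.items()):
        findings = []
        if "L2TP-CLEAR" in kinds:
            findings.append("plaintext L2TP on UDP/1701: no IPsec protection for this tunnel")
        if "IKE" in kinds and not kinds & {"ESP", "NAT-T"}:
            findings.append("IKE seen but no ESP or NAT-T: negotiation failed "
                            "or protocol 50 / UDP 4500 blocked on the path")
        if "NAT-T" in kinds and "ESP" not in kinds:
            findings.append("NAT on the path: ESP carried inside UDP/4500")
        if kinds & {"ESP", "NAT-T"} and "IKE" not in kinds:
            findings.append("data channel without IKE on 500: IKE not logged "
                            "or already moved to 4500")
        report[pair] = (sorted(kinds), findings)
    return report


def tunnel_protected(kinds) -> bool:
    """True when the pair shows a key exchange, a protected data channel, and no bare L2TP."""
    kinds = set(kinds)
    return "IKE" in kinds and bool(kinds & {"ESP", "NAT-T"}) and "L2TP-CLEAR" not in kinds


# Constructed sample: four clients talking to one VPN gateway (198.51.100.1).
SAMPLE_FLOWS = [
    # road warrior on a public IP: IKE then native ESP (healthy)
    {"src": "203.0.113.10", "dst": "198.51.100.1", "proto": PROTO_UDP, "dport": 500},
    {"src": "203.0.113.10", "dst": "198.51.100.1", "proto": PROTO_ESP, "dport": 0},
    # client behind a home NAT: IKE on 500, then everything moves to 4500
    {"src": "192.0.2.5", "dst": "198.51.100.1", "proto": PROTO_UDP, "dport": 500},
    {"src": "192.0.2.5", "dst": "198.51.100.1", "proto": PROTO_UDP, "dport": 4500},
    # client whose upstream firewall drops ESP: IKE only, tunnel never carries data
    {"src": "203.0.113.77", "dst": "198.51.100.1", "proto": PROTO_UDP, "dport": 500},
    # misconfigured pair speaking raw L2TP: PPP frames are readable on the wire
    {"src": "192.0.2.200", "dst": "198.51.100.1", "proto": PROTO_UDP, "dport": 1701},
]


if __name__ == "__main__":
    for (client, server), (kinds, findings) in audit_flows(SAMPLE_FLOWS).items():
        status = "protected" if tunnel_protected(kinds) else "CHECK"
        print("%-14s -> %-13s %-18s %s" % (client, server, ",".join(kinds), status))
        for note in findings:
            print("    -", note)
```

The classifier keys on destination port only because the records are taken from the client side; on a gateway that also logs the return direction, add the source port to the test or normalise the 5-tuple first. The plaintext-L2TP finding is the one to alert on: UDP/1701 should never be visible outside ESP on a network that believes it is running L2TP/IPsec.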
VPN Security with Quantum VPN
Quantum VPN, from Check Point, offers multiple remote access VPN products to meet your needs.
This includes both IPSec and SSL VPNs. Schedule a demo to learn more and discover how Quantum could transform your network security with uncompromised, unified protection at scale.