L2TP (Layer 2 Tunneling Protocol)

What is L2TP

L2TP (Layer 2 Tunneling Protocol) is a computer networking term used to describe one of the main tunneling protocols that handle VPNs (virtual private networks). Sometimes Internet Service Providers (ISPs) use it to deliver their services as well. The Layer 2 Tunneling Protocol encrypts only the messages that are a part of the protocol itself. The data that the user transfers through it remain unencrypted. At the same time, it offers the option to pass the tunnel containing Layer 2 to a Layer 3 encryption protocol such as IPsec, example. The L2TP was originally published in 2000 under the proposed standard code RFC 2661. Its history can be traced back even further to Cisco’s Layer 2 Forwarding Protocol (L2F) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP). Both these older security protocols came with a lot of vulnerabilities and security concerns. These stemmed mainly from their lack of encryption whatsoever.

Latest L2TP Protocol

So the L2TP was created with the intention of remedying these shortcomings. The newest version of the Layer 2 Tunneling Protocol was revealed in 2005, under the name L2TPv2 (RFC 3991). It added more security features, better encapsulation, and the capability to carry links over ATM, Ethernet, and Frame Relay, among others. The older versions were able to carry links using only PPP over IP networks.

How Does it Work

L2TP uses packet-switched connections to allow endpoints to be located on different machines. The user has an L2 connection to the access hub, which then tunnels individual PPP frames to the NAS so that the packets can be processed separately from the circuit termination location.

L2TP connection consists of two components: a tunnel and a session. The tunnel provides reliable transport between two L2TP control endpoints (LCCEs) and contains only control packets. The session is logically contained in the tunnel and has user data. A single tunnel can contain multiple sessions, with user data stored separately by session ID numbers in L2TP encapsulation headers.

Because L2TP does not provide any authentication or encryption mechanisms directly, both of which are key features of VPNs, L2TP is usually coupled with IPSec to provide encryption of user and control packets in the L2TP tunnel.

The L2TP protocol supports two types of tunnels: mandatory and optional. The main difference between these tunnels is which system plays the role of the endpoint of the tunnel. The optional tunnel endpoint is the remote client, and the mandatory tunnel endpoint is the ISP.