In computer networking, the Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). A tunneling protocol encapsulates one network protocol, called the payload protocol, within a different delivery protocol.
Published in 1999 as proposed standard RFC 2661, L2TP has its origins primarily in two older tunneling protocols for PPP: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). A new version of this protocol, L2TPv3, was published as proposed standard RFC 3931 in 2005. L2TPv3 provides additional security features, improved encapsulation, and the ability to carry data links other than simply PPP over an IP network (e.g., Frame Relay, Ethernet, ATM, etc.).
L2TP acts like a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). L2TP is in fact a session layer (layer 5) protocol, and uses the registered UDP port 1701. The entire L2TP packet, including payload and L2TP header, is sent within a UDP datagram. It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec (discussed below).
The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel, while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session (or call) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or the LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. The maximum transmission unit (MTU) should be considered when implementing L2TP.
The packets exchanged within an L2TP tunnel are categorised as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.
In the voluntary tunnel model, a tunnel is created by the user, typically by the use of an L2TP-enabled client which is called the LAC client. The user sends L2TP packets to the Internet Service Provider (ISP), which forwards them on to the LNS. The ISP does not need to support L2TP; it only forwards the L2TP packets between the LAC and the LNS. The LAC client acts as an L2TP tunnel initiator which effectively resides on the same system as the remote client. The tunnel extends across the entire PPP session from the L2TP client to the LNS.
In the compulsory tunnel model (incoming call), a tunnel is created between the ISP's LAC and the LNS home gateway. The company may provide the remote user with a Virtual Private Network (VPN) login account from which he can access the corporate server. As a result, the user sends PPP packets to the ISP (LAC), which encapsulates them in L2TP and tunnels them to the LNS. In the compulsory tunneling cases, the ISP must be L2TP capable. In this model the tunnel only extends across the segment of the PPP session between the ISP and the LNS.
In the compulsory tunnel model (remote dial), the home gateway (LNS) initiates a tunnel to an ISP (LAC) (outgoing call) and instructs the ISP to place a local call to the PPP-enabled client, which is the remote user. This model is intended for cases where the remote PPP answer client has a permanently established phone number with an ISP. This model is expected to be used when a company with an established presence on the Internet needs to establish a connection to a remote office that requires a dial-up link. In this model the tunnel only extends across the segment of the PPP session between the LNS and the ISP.
An L2TP Multi-hop connection is a way of redirecting L2TP traffic on behalf of client LACs and LNSs. A Multi-hop connection is established using an L2TP Multi-hop gateway. A tunnel is established from a client LAC to the L2TP Multi-hop gateway and then another tunnel is established between the L2TP Multi-hop gateway and a target LNS. L2TP traffic between client LAC and LNS is redirected to each other through the gateway.
An L2TP packet consists of:

| 0 - 15 bit | 16 - 31 bit |
|---|---|
| Flags and Version Info | Length (opt) |
| Tunnel ID | Session ID |
| Ns (opt) | Nr (opt) |
| Offset Size (opt) | Offset Pad (opt) ... |
At the time of setup of an L2TP connection, many control packets are exchanged between server and client to establish a tunnel and a session for each direction. One peer requests the other peer to assign a specific tunnel and session ID through these control packets. Then, using this tunnel and session ID, data packets are exchanged with the compressed PPP frames as payload.
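As an added example (not part of the original article), the following Python parser reads the header laid out in the table above, enforces the flag rules RFC 2661 places on control messages (Length and Ns/Nr must be present, Offset must not) and refuses truncated or inconsistent datagrams rather than reading past them, which is the main parsing hazard for anything that inspects UDP/1701 traffic. The sample messages at the end are constructed, not captured.

```python
import struct
from collections import namedtuple

# Flag bits of the first header word (RFC 2661, section 3.1)
FLAG_T = 0x8000   # Type: 1 = control message, 0 = data message
FLAG_L = 0x4000   # Length field present (mandatory for control)
FLAG_S = 0x0800   # Ns/Nr sequence fields present (mandatory for control)
FLAG_O = 0x0200   # Offset Size field present (forbidden for control)
VER_MASK = 0x000F  # must be 2 for L2TPv2
# payload holds the control AVPs or the tunneled PPP frame
L2TPHeader = namedtuple("L2TPHeader", "is_control tunnel_id session_id length ns nr payload")

def _u16(buf, pos):
    # Read a big-endian 16-bit field, refusing to run past the datagram
    if pos + 2 > len(buf):
        raise ValueError("truncated L2TP header at offset %d" % pos)
    return struct.unpack_from("!H", buf, pos)[0]

def parse_l2tp(datagram):
    """Parse the L2TPv2 header of one UDP/1701 payload; raise ValueError if malformed."""
    flags = _u16(datagram, 0)
    if flags & VER_MASK != 2:
        raise ValueError("not an L2TPv2 header (Ver != 2)")
    is_control = bool(flags & FLAG_T)
    # Control messages must carry L and S and must not carry O
    if is_control and ((flags & (FLAG_L | FLAG_S)) != (FLAG_L | FLAG_S) or flags & FLAG_O):
        raise ValueError("control message with illegal flag combination")
    pos, length = 2, None
    if flags & FLAG_L:
        length = _u16(datagram, pos)
        pos += 2
        if length < 6 or length > len(datagram):
            raise ValueError("Length field inconsistent with datagram size")
    tunnel_id, session_id = _u16(datagram, pos), _u16(datagram, pos + 2)
    pos += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = _u16(datagram, pos), _u16(datagram, pos + 2)
        pos += 4
    if flags & FLAG_O:  # Offset Size gives the padding length that precedes the payload
        pos += 2 + _u16(datagram, pos)
    end = len(datagram) if length is None else length
    if pos > end:
        raise ValueError("header extends past end of message")
    return L2TPHeader(is_control, tunnel_id, session_id, length, ns, nr, datagram[pos:end])

# Constructed samples (not captured traffic): an SCCRQ control message with one Message Type AVP,
# and a data message carrying a PPP LCP frame in tunnel 0x1234 / session 0x5678.
SCCRQ_AVP = bytes.fromhex("8008000000000001")
SAMPLE_CONTROL = struct.pack("!HHHHHH", 0xC802, 12 + len(SCCRQ_AVP), 0, 0, 0, 0) + SCCRQ_AVP
SAMPLE_DATA = struct.pack("!HHH", 0x0002, 0x1234, 0x5678) + bytes.fromhex("ff03c021")
```

Note that a data message need not carry Length or sequence numbers, so the parser reports them as None; the control message reports Ns/Nr, which is where L2TP's reliability for control packets lives.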
The L2TP control messages exchanged between the LAC and the LNS for handshaking, before a tunnel and session are established in the voluntary tunneling method, are:
Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The process of setting up an L2TP/IPsec VPN is as follows:
When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.
A potential point of confusion in L2TP/IPsec is the use of the terms "tunnel" and "secure channel". Tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel.
Windows versions before Vista were very difficult to configure for IPsec without L2TP. Microsoft boasts that they have reduced the complexity: they say that in Windows 2000/XP it required more than 100 mouseclicks to set up an IPsec VPN connection, and in Vista it requires "only" 15 mouseclicks. There is also slightly more help info in Vista compared to XP, such as "What is a VPN?" but this is generally very basic info. The help info does say that IPsec without L2TP is not to be used for Road Warrior-style VPNs. They advise to use L2TP/IPsec or PPTP for that.
There are two new configuration utilities in Windows Vista that attempt to make IPsec without L2TP easier:
Unfortunately, both these configuration utilities experience a couple of problems.
The first problem is that there is almost no documentation about either "netsh advfirewall" or the IPsec client in WFwAS. The second problem is a bug in Vista: when certificate-based authentication is involved, Vista currently cannot process packets that it receives from the Openswan server. This problem is reported to be fixed in Vista SP1. The third problem is that things don't work at all if NAT is involved. A fourth problem is that you can only specify server IP addresses in the new Vista configuration utilities. You cannot specify the hostname of the server, so if the IP address of the IPsec server changes, all clients will have to be informed of the new IP address (this also rules out servers that are addressed by DynDNS or something similar).
L2TP is often used as a tunneling mechanism to resell ADSL endpoint connectivity. An L2TP tunnel sits between the user and the ISP to which the connection is resold, so the reselling ISP does not appear as doing the transport.
L2TP is used by cable providers (HOT in Israel, for example) as a tunneling mechanism to sell endpoint connectivity. This L2TP tunnel sits between the user and the ISP by which the connection has been sold, and again the reselling cable provider does not appear as doing the transport.