In computer networking, the Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). A computer network is a system for communication between computers. ... A tunneling protocol is a network protocol which encapsulates one protocol or session inside another. ... A virtual private network (VPN) is a private communications network often used within a company, or by several companies or organizations, to communicate confidentially over a publicly accessible network. ...

History and future

Published in 1999 as proposed standard RFC 2661, L2TP has its origins primarily in two older tunneling protocols for PPP: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). A new version of this protocol, L2TPv3, was published as proposed standard RFC 3931 in 2005. L2TPv3 provides additional security features, improved encapsulation, and the ability to carry data links other than simply PPP over an IP network (e.g., Frame Relay, Ethernet, ATM, etc). Cisco Systems, Inc. ... The Microsoft Corporation, (NASDAQ: MSFT, HKSE: 4338) is a multinational computer technology corporation with global annual sales of US$44. ... The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. ... Layer 2 Tunneling Protocol Version 3 is a draft version of L2TP that is proposed as an alternative protocol to MPLS for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. ...

Description

L2TP acts as a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec (discussed below). To meet Wikipedias quality standards, this article or section may require cleanup. ... OSI Model The Open Systems Interconnection Reference Model (OSI Reference Model or OSI Model for short) is a layered, abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection initiative. ... In computing, the Point-to-Point Protocol, or PPP, is commonly used to establish a direct connection between two nodes. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ...

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this an L2TP session (or call) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel.

Be sure to consider MTU when implementing L2TP. The Maximum Transmission Unit (MTU) is a term for the size (in bytes) of the largest datagram that can be passed by a layer of a communications protocol. ...

The packets exchanged within an L2TP tunnel are either categorised as control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel. A packet is the fundamental unit of information carriage in all modern computer networks that use packet switching. ...

Cisco has the software patent related to L2F and L2TP [1]. It has been assigned patent number 5,918,019 in the United States. [2] Software patents are patents on computer-implemented inventions. ...

L2TP/IPsec

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... The Internet Engineering Task Force (IETF) is charged with developing and promoting Internet standards. ...

The process of setting up an L2TP/IPsec VPN is as follows: IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ...

1. Negotiation of IPsec Security Association (SA), typically through Internet Key Exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called "pre-shared keys"), public keys, or X.509 certificates on both ends, although other keying methods exist.
2. Establishment of Encapsulated Security Payload (ESP) communication in transport mode. The IP Protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
3. Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints. If a firewall or packet filter is integrated into the endpoint itself, however, it will probably be necessary to open port 1701 on that endpoint. IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... In IPsec a security association (SA) describes an unidirectional secured flow of data between two gateways. ... Internet key exchange (IKE) is the protocol used to set up a Security Association in the IPsec protocol suite. ... In cryptography, X.509 is an ITU-T standard for public key infrastructure (PKI). ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ...

A potential point of confusion in L2TP/IPsec is the use of the terms "tunnel" and "secure channel." Tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel. IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ... IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ...

L2TP in ADSL networks

L2TP is often used as a tunneling mechanism to resell ADSL endpoint connectivity. An L2TP tunnel would sit between the user and the ISP the connection would be reselled to, so the reselling ISP wouldn't appear as doing the transit.

External links

Implementations

• Cisco: Cisco L2TP documentation, also read Technology brief from Cisco
• Open source and Linux: Linux RP-L2TP project, OpenL2TP project, L2tpns project, L2TPD project (inactive)
• Microsoft: Microsoft L2TP/IPsec VPN Client

Internet standards and extensions

• RFC 2341 Cisco Layer Two Forwarding (Protocol) "L2F". (A predecessor to L2TP)
• RFC 2637 Point-to-Point Tunneling Protocol (PPTP). (A predecessor to L2TP)
• RFC 2661 Layer Two Tunneling Protocol "L2TP"
• RFC 2809 Implementation of L2TP Compulsory Tunneling via RADIUS
• RFC 2888 Secure Remote Access with L2TP
• RFC 3070 Layer Two Tunneling Protocol (L2TP) over Frame Relay
• RFC 3145 L2TP Disconnect Cause Information
• RFC 3193 Securing L2TP using IPsec
• RFC 3301 Layer Two Tunnelling Protocol (L2TP): ATM access network
• RFC 3308 Layer Two Tunneling Protocol (L2TP) Differentiated Services
• RFC 3355 Layer Two Tunnelling Protocol (L2TP) Over ATM Adaptation Layer 5 (AAL5)
• RFC 3371 Layer Two Tunneling Protocol "L2TP" Management Information Base
• RFC 3437 Layer Two Tunneling Protocol Extensions for PPP Link Control Protocol Negotiation
• RFC 3438 Layer Two Tunneling Protocol (L2TP) Internet Assigned Numbers: Internet Assigned Numbers Authority (IANA) Considerations Update
• RFC 3573 Signaling of Modem-On-Hold status in Layer 2 Tunneling Protocol (L2TP)
• RFC 3817 Layer 2 Tunneling Protocol (L2TP) Active Discovery Relay for PPP over Ethernet (PPPoE)
• RFC 3931 Layer Two Tunneling Protocol - Version 3 (L2TPv3).
• RFC 4045 Extensions to Support Efficient Carrying of Multicast Traffic in Layer-2 Tunneling Protocol (L2TP).

• IANA assigned numbers for L2TP
• L2TP Extensions Working Group (l2tpext) - (where future standardization work is being coordinated)

IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. ...

Example real world usage

• the ISP-Howto (in french) details how the French Data Network is providing ADSL service through L2TP and how the ADSL network is setup in France