Layer 2 Tunneling Protocol (L2TP)

Layer 2 Tunneling Protocol is an Internet Engineering Task Force (IETF) standard tunneling protocol that is used to encapsulate Point-to-Point Protocol (PPP) frames for transmission over TCP/IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks.

You can use Layer 2 Tunneling Protocol (L2TP) to create virtual private networks (VPNs) over public networks such as the Internet. Because L2TP is an IETF standard, it provides the interoperability between different VPN vendors that protocols such as Microsoft’s Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) protocol do not, although L2TP essentially combines the best features of these two protocols and is an extension of them.

The driving forces behind the development of L2TP include Microsoft and Cisco Systems; L2TP is supported on many Cisco Systems platforms and by the Microsoft Windows operating systems.

How it works

PPP provides the connection over which L2TP tunnels packets. The tunnel can be initiated either by the dial-up client at the customer premises or by the network access server (NAS) at the L2TP service provider, typically an Internet service provider (ISP). When the client initiates a connection to the NAS, the NAS is referred to as an L2TP access concentrator (LAC). The LAC forwards its L2TP traffic to the remote node, referred to as an L2TP network server (LNS), which performs the server-side function of PPP termination and acts as the receiver of incoming connections. If, however, the NAS initiates the L2TP tunnel toward the customer premises, the client PC acts as the LNS.

L2TP supports several of the authentication options supported by PPP, including Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). You can also use L2TP to authenticate the endpoints of the tunnel itself for additional security. L2TP on its own does not encrypt the tunneled PPP frames, so it is implemented together with Internet Protocol Security (IPSec) to provide a secure, encrypted VPN solution.

Some of the differences between L2TP and L2F include the following:

  • L2F has no defined client.
  • L2F functions in compulsory tunnels only, while L2TP can use voluntary tunnels.
  • L2TP provides additional features such as flow control and AVP hiding.

L2TP differs from PPTP in the following ways:

  • PPTP tunnels only over an IP internetwork such as the Internet, while L2TP can use a wider variety of tunnel media.
  • PPTP supports only one tunnel between two endpoints, while L2TP supports multiple tunnels between two points, each with its own quality of service (QoS).
  • L2TP headers are compressed and are only 4 bytes, while PPTP has 6-byte headers.
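The tunnel setup described under "How it works" (a LAC opening a control connection toward an LNS), the header layout, and the AVP hiding feature mentioned above can all be seen in the wire format. The following decoder is an added example written for this article, not code from any L2TP implementation; it follows the L2TPv2 header and Attribute-Value Pair (AVP) layout of RFC 2661, and every packet it decodes is constructed inline (the host name `lac01` and the tunnel and session IDs are made up). It distinguishes control messages from data messages, names the control message type, rejects headers that violate the RFC's flag rules, and reports AVPs whose H (hidden) bit is set, which cannot be read without the tunnel's shared secret.

```python
"""Decode L2TPv2 (RFC 2661) headers and control-message AVPs.

Added example for this article. Wire formats follow RFC 2661; the sample
packets at the bottom are constructed for the demonstration, not captured.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Message Type AVP (attribute 0) values from RFC 2661, section 6.
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


@dataclass
class AVP:
    mandatory: bool   # M bit: receiver must tear down if it cannot interpret it
    hidden: bool      # H bit: value obscured with the shared secret (AVP hiding)
    vendor_id: int
    attr_type: int
    value: bytes


@dataclass
class L2TPMessage:
    is_control: bool
    tunnel_id: int
    session_id: int
    ns: Optional[int]   # sequence numbers are present on every control message
    nr: Optional[int]
    avps: List[AVP]
    payload: bytes      # PPP frame for data messages, empty for control messages

    @property
    def message_type(self) -> str:
        if not self.is_control:
            return "DATA"
        for avp in self.avps:
            if avp.vendor_id == 0 and avp.attr_type == 0 and not avp.hidden and len(avp.value) == 2:
                return MESSAGE_TYPES.get(struct.unpack("!H", avp.value)[0], "UNKNOWN")
        return "ZLB"  # control message with no AVPs: zero-length-body acknowledgement


def parse_avps(body: bytes) -> List[AVP]:
    """Walk the AVP list of a control message: 6-byte header, then value."""
    avps = []
    while body:
        if len(body) < 6:
            raise ValueError("truncated AVP header")
        bits, vendor, attr = struct.unpack("!HHH", body[:6])
        length = bits & 0x03FF            # low 10 bits: total AVP length
        if length < 6 or length > len(body):
            raise ValueError(f"bad AVP length {length}")
        avps.append(AVP(bool(bits & 0x8000), bool(bits & 0x4000), vendor, attr, body[6:length]))
        body = body[length:]
    return avps


def parse_l2tp(data: bytes) -> L2TPMessage:
    """Parse one L2TP datagram (the UDP payload) into header fields and body."""
    pos = 0

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if len(data) < pos + size:
            raise ValueError("truncated L2TP header")
        vals = struct.unpack(fmt, data[pos:pos + size])
        pos += size
        return vals

    (flags,) = take("!H")
    if flags & 0x000F != 2:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    t, l, s, o = (bool(flags & m) for m in (0x8000, 0x4000, 0x0800, 0x0200))
    if t and (not l or not s or o):   # RFC 2661: control messages set L and S, never O
        raise ValueError("control message must set L and S and clear O")
    end = len(data)
    if l:
        (end,) = take("!H")            # optional Length field bounds the message
        if end > len(data):
            raise ValueError("length field exceeds datagram")
    tunnel_id, session_id = take("!HH")
    ns = nr = None
    if s:
        ns, nr = take("!HH")
    if o:
        (offset,) = take("!H")
        pos += offset                  # skip offset padding before the payload
    if end < pos:
        raise ValueError("length field shorter than header")
    body = data[pos:end]
    return L2TPMessage(t, tunnel_id, session_id, ns, nr,
                       parse_avps(body) if t else [], b"" if t else body)


def build_avp(mandatory: bool, attr_type: int, value: bytes, vendor_id: int = 0, hidden: bool = False) -> bytes:
    bits = (0x8000 if mandatory else 0) | (0x4000 if hidden else 0) | (6 + len(value))
    return struct.pack("!HHH", bits, vendor_id, attr_type) + value


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: List[bytes]) -> bytes:
    body = b"".join(avps)
    # 0xC802 = T | L | S | version 2; header is 12 bytes when L and S are set
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, session_id, ns, nr) + body


# Constructed SCCRQ, as a LAC sends it to open a tunnel (tunnel ID 0 until assigned).
SCCRQ = build_control(0, 0, 0, 0, [
    build_avp(True, 0, struct.pack("!H", 1)),   # Message Type = SCCRQ
    build_avp(True, 2, b"\x01\x00"),             # Protocol Version 1.0
    build_avp(True, 7, b"lac01"),                # Host Name (constructed value)
    build_avp(True, 9, struct.pack("!H", 5)),    # Assigned Tunnel ID = 5
])
ZLB = build_control(5, 0, 1, 1, [])              # constructed acknowledgement, no AVPs
DATA = struct.pack("!HHH", 0x0002, 5, 7) + b"\xff\x03\xc0\x21"   # constructed data message


def summarize(data: bytes) -> str:
    m = parse_l2tp(data)
    hidden = sum(1 for a in m.avps if a.hidden)
    return (f"{m.message_type} tunnel={m.tunnel_id} session={m.session_id} "
            f"ns={m.ns} nr={m.nr} avps={len(m.avps)} hidden={hidden}")


if __name__ == "__main__":
    for pkt in (SCCRQ, ZLB, DATA):
        print(summarize(pkt))
```

Run as a script it prints one line per constructed packet; fed the UDP payload of port 1701 traffic from a capture, `summarize` gives the same one-line view of each message. The flag checks matter for a defender as well as an implementer: a datagram that claims to be a control message but lacks sequence numbers, or whose Length field overruns the datagram, is malformed and should be dropped rather than guessed at.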

L2TP can be implemented wherever PPTP or L2F is used. A VPN constructed using L2TP can be initiated in two ways:

  • The client can initiate the tunnel in a similar fashion to PPTP tunnels. For example, Windows 2000 clients can initiate L2TP tunnels and connect with routers that support L2TP, such as Cisco routers.
  • A NAS can initiate the tunnel, enabling telcos and ISPs to provide corporate customers with complete VPN solutions.

Using Multilink PPP

When Multilink PPP (MPPP) is used, the PPP links from the customer premises must terminate at the same NAS at the service provider. L2TP has the advantage of supporting multilink configurations in which each link terminates at a different NAS at the provider for more flexibility.