Layer 2 Tunneling Protocol
Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used for virtual private networks (VPNs). It does not provide encryption or confidentiality by itself; instead it relies on an encryption protocol carried inside the tunnel to provide privacy. L2TP is a Session Layer protocol and uses the registered UDP port 1701.
The entire L2TP packet, including the L2TP header and the payload, is carried in a UDP datagram. L2TP is used to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. Because L2TP itself provides neither authentication nor confidentiality, IPsec is often used to secure the L2TP packets. The combination of these two protocols is generally known as L2TP/IPsec.
The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel, while the LNS is the server that waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session is established within the tunnel for each higher-level protocol such as PPP. L2TP isolates the traffic of each session, so it is possible to set up multiple virtual networks across a single tunnel. The MTU should be considered when implementing L2TP, since the added tunnel headers reduce the payload size available to the tunnelled protocol.
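The following is an added example, not code from the original page or from any L2TP implementation. It parses the L2TPv2 header as laid out in RFC 2661 (flag word with T, L, S, O and P bits and the version, optional Length, Tunnel ID, Session ID, optional Ns/Nr and optional Offset), enforces the rules the RFC sets for control messages, and demultiplexes data messages by (tunnel ID, session ID), which is the mechanism behind the session isolation described above. The sample datagrams are constructed by hand and labelled as such. From a monitoring standpoint the same parser doubles as a plaintext check: if a sensor on UDP port 1701 can parse these headers, the tunnel is not wrapped in IPsec, because with L2TP/IPsec the whole UDP payload is inside ESP.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Bits of the first 16-bit word of the L2TPv2 header (RFC 2661, section 3.1).
FLAG_T = 0x8000   # T: 1 = control message, 0 = data message
FLAG_L = 0x4000   # L: Length field present
FLAG_S = 0x0800   # S: Ns and Nr fields present
FLAG_O = 0x0200   # O: Offset Size field present
FLAG_P = 0x0100   # P: priority (data messages only)
VER_MASK = 0x000F


class L2TPError(ValueError):
    """Raised for truncated or protocol-violating headers."""


@dataclass
class L2TPHeader:
    is_control: bool
    version: int
    length: Optional[int]   # total message length, only if the L bit is set
    tunnel_id: int
    session_id: int
    ns: Optional[int]       # sequence numbers, only if the S bit is set
    nr: Optional[int]
    header_len: int         # byte offset where the tunnelled payload starts


def parse_l2tp_header(data: bytes) -> L2TPHeader:
    """Parse one L2TPv2 header from a UDP payload; raise L2TPError on defects."""
    def need(n: int) -> None:
        if len(data) < n:
            raise L2TPError(f"truncated header: need {n} bytes, have {len(data)}")

    need(2)
    flags = struct.unpack_from("!H", data, 0)[0]
    version = flags & VER_MASK
    if version != 2:
        raise L2TPError(f"unsupported L2TP version {version}")
    is_control = bool(flags & FLAG_T)
    if is_control:
        # RFC 2661: control messages MUST set L and S and MUST NOT set O or P.
        if not (flags & FLAG_L) or not (flags & FLAG_S):
            raise L2TPError("control message without mandatory L and S bits")
        if flags & (FLAG_O | FLAG_P):
            raise L2TPError("control message with O or P bit set")

    pos = 2
    length = None
    if flags & FLAG_L:
        need(pos + 2)
        length = struct.unpack_from("!H", data, pos)[0]
        pos += 2
        if length > len(data):
            raise L2TPError(f"Length field {length} exceeds datagram of {len(data)} bytes")

    need(pos + 4)
    tunnel_id, session_id = struct.unpack_from("!HH", data, pos)
    pos += 4

    ns = nr = None
    if flags & FLAG_S:
        need(pos + 4)
        ns, nr = struct.unpack_from("!HH", data, pos)
        pos += 4

    if flags & FLAG_O:
        need(pos + 2)
        offset = struct.unpack_from("!H", data, pos)[0]
        pos += 2 + offset   # skip the Offset Size field and its padding bytes
        need(pos)

    if length is not None and length < pos:
        raise L2TPError("Length field shorter than the header itself")
    return L2TPHeader(is_control, version, length, tunnel_id, session_id, ns, nr, pos)


def l2tp_payload(data: bytes, hdr: L2TPHeader) -> bytes:
    """Return the tunnelled frame (PPP for data messages, AVPs for control)."""
    end = hdr.length if hdr.length is not None else len(data)
    return data[hdr.header_len:end]


def is_plaintext_l2tp(udp_payload: bytes) -> bool:
    """True when a UDP/1701 payload is a readable L2TP header, i.e. not inside IPsec ESP."""
    try:
        parse_l2tp_header(udp_payload)
        return True
    except L2TPError:
        return False


def demultiplex(datagrams: List[bytes]) -> Tuple[int, Dict[Tuple[int, int], List[bytes]]]:
    """Count control messages and group data payloads by (tunnel ID, session ID)."""
    control = 0
    sessions: Dict[Tuple[int, int], List[bytes]] = {}
    for dg in datagrams:
        hdr = parse_l2tp_header(dg)
        if hdr.is_control:
            control += 1
            continue
        sessions.setdefault((hdr.tunnel_id, hdr.session_id), []).append(l2tp_payload(dg, hdr))
    return control, sessions


# Constructed sample datagrams (UDP payloads only), not captured traffic.
CONTROL_SCCRQ = bytes.fromhex("c802 0014 0000 0000 0000 0000 8008 0000 0000 0001")  # T,L,S; one AVP
DATA_S7 = bytes.fromhex("0002 0005 0007 ff03 0021 4500 0028")                          # tunnel 5, session 7
DATA_S9 = bytes.fromhex("4202 0012 0005 0009 0002 0000 ff03 0021 4500")                # L and O bits set
SAMPLES = [CONTROL_SCCRQ, DATA_S7, DATA_S9]

if __name__ == "__main__":
    ctl, sess = demultiplex(SAMPLES)
    print(f"control messages: {ctl}; sessions: {sorted(sess)}")
```

The sample control message carries a single Message Type AVP (value 1, SCCRQ) so that it satisfies the L and S requirement; the third datagram exercises the optional Length and Offset fields. A datagram whose first word sets T without L and S, or whose Length field exceeds the datagram, is rejected rather than silently accepted, which is the behaviour a parser in a sensor or a server should have.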
Tunneling models
An L2TP tunnel can extend across an entire PPP session or only across one segment of a two-segment session. This can be represented by four different tunneling models:
- voluntary tunnel
The tunnel is created by the user. The user sends L2TP packets to the ISP (Internet Service Provider), which forwards them on to the LNS. The ISP does not need to support L2TP; it only forwards the L2TP packets between the LAC and the LNS.
- compulsory tunnel — incoming call
The tunnel is created between the ISP's LAC and the LNS home gateway. The user's company may provide the remote user with a Virtual Private Network (VPN) login account from which he can access the corporate server. The user then sends PPP packets to the ISP (LAC), which encapsulates them in L2TP and tunnels them to the LNS. In this model the tunnel only extends across the segment of the PPP session between the ISP and the LNS.
- compulsory tunnel — remote dial
In the compulsory tunnel model with remote dial, the home gateway (LNS) initiates a tunnel to an ISP (LAC) (outgoing call) and instructs the ISP to place a local call to the PPP-enabled client, which is the remote user. This model is intended for cases where the remote PPP Answer Client has a permanently established phone number with an ISP, for example when a connection from the Internet side needs to be established to a remote office that requires a dial-up link.
- L2TP multi-hop connection
An L2TP multi-hop connection is a way of redirecting L2TP traffic on behalf of client LACs and LNSs. A multi-hop connection is established using an L2TP multi-hop gateway: one tunnel is established from a client LAC to the L2TP multi-hop gateway, and another tunnel is established between the L2TP multi-hop gateway and a target LNS. L2TP traffic between the client LAC and the LNS is redirected through the gateway.