What Is Layer Two Tunneling Protocol (L2TP)?

The Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) that Internet Service Providers (ISPs) use to allow a Virtual Private Network (VPN) to run over the internet. L2TP combines the best features of two other tunneling protocols: Microsoft’s PPTP and Cisco Systems’ Layer 2 Forwarding Protocol (L2F). Its two main components are the L2TP Access Concentrator (LAC), the device that physically terminates a call, and the L2TP Network Server (LNS), the device that terminates and possibly authenticates the PPP stream.

Point-to-Point Protocol (PPP) defines a means of encapsulation for transmitting multi-protocol packets over layer two (L2) point-to-point links. L2TP uses packet-switched network connections so that the endpoints can be located on different devices.

Key Facts about L2TP

  1. For the data payload to be protected, L2TP pairs up with IPSec.
  2. L2TP can use encryption keys of up to 256 bits and the 3DES algorithm when combined with IPSec.
  3. L2TP runs on various platforms and operating systems. Computers using Windows and macOS are natively supported.
  4. The double encapsulation mechanism of L2TP makes it very secure, but it also means that it is more resource-intensive.
  5. L2TP usually uses TCP port 1701, but when combined with IPSec it also uses UDP ports 500 (for IKE, Internet Key Exchange), 4500 (for NAT), and 1701 (for L2TP traffic).

How Does L2TP Work?

L2TP tunneling begins by creating a connection between the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server) on the internet. These are the two endpoints of the protocol. Once that succeeds, a PPP link layer is enabled and encapsulated, and then it is carried across the network.

The end user (you) then initiates the PPP connection with the ISP. Once the LAC accepts the connection, the PPP link forms. A free slot is then reserved within the network tunnel, and the request passes on to the LNS.

Lastly, a virtual PPP interface is created once the link is completely authenticated and approved. At that point, link frames can pass freely through the tunnel. The LNS accepts the frames, removes the L2TP encapsulation, and continues to process them as regular frames.

Is the L2TP Fast?

On its own, due to its lack of encryption, L2TP would be considered very fast. The downside of leaving your connection unsecured is severe, of course, and should not be ignored for the sake of speed.

However, when you pair L2TP with IPSec, the combination can still provide decent speeds. You would need a fast broadband link (somewhere near or over 100 Mbps) and a reasonably powerful CPU. If not, you could notice some speed drops, but nothing drastic enough to ruin your experience online.

Is There Any Relationship Between L2TP and IPSec?

Because the L2TP protocol itself provides no confidentiality, it is usually deployed together with IPsec. The combination is referred to as L2TP/IPsec, and IETF RFC 3193 standardizes it. IPsec encrypts the data transferred from one computer to another, so pairing the two offers more security.

The set-up procedure for an L2TP/IPsec VPN is as follows:

  1. Negotiation of the IPsec security association (SA), usually through Internet Key Exchange (IKE). It is done over UDP port 500, using either a shared password, public keys, or X.509 certificates on both ends.
  2. Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (compare TCP’s 6 and UDP’s 17). At this stage, a secure channel is set up, but no tunneling is taking place.
  3. Negotiation and establishment of the L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place inside the IPsec encryption. L2TP uses UDP port 1701.

Other Important Details

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Because the L2TP packet itself is wrapped and hidden inside the IPsec packet, the original source and destination IP addresses are encrypted inside the packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, because the inner packets are not acted upon until the IPsec data has been decrypted and stripped, which only takes place at the endpoints.
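The set-up steps and the firewall remark above can be turned into a monitoring check. The following is an added example, not part of the original article: it sorts raw IPv4 packets into the steps by the ports and protocol numbers given in the text and flags any L2TP that is visible on UDP 1701 outside the IPsec channel. The function names and sample packets are constructed for illustration; the L2TP flag bits come from RFC 2661 and the non-ESP marker from RFC 3948, which the article does not cover.

```python
import struct

IKE, NATT, L2TP = 500, 4500, 1701   # UDP ports named in the text
PROTO_UDP, PROTO_ESP = 17, 50       # IP protocol numbers named in the text

def ipv4(proto, payload):
    """Constructed IPv4 packet (documentation addresses, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + payload

def udp(sport, dport, data):
    """Constructed UDP datagram (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Map one raw IPv4 packet to the L2TP/IPsec set-up step it belongs to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    proto, body = packet[9], packet[(packet[0] & 0x0F) * 4:]
    if proto == PROTO_ESP:
        return "esp"                      # step 2: secure channel, L2TP hidden inside
    if proto != PROTO_UDP or len(body) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]
    if IKE in (sport, dport):
        return "ike"                      # step 1: SA negotiation
    if NATT in (sport, dport) and len(data) >= 4:
        # RFC 3948: four zero bytes (non-ESP marker) mean IKE, otherwise ESP in UDP
        return "ike-natt" if data[:4] == b"\x00" * 4 else "esp-in-udp"
    if L2TP in (sport, dport) and len(data) >= 2:
        flags = struct.unpack("!H", data[:2])[0]
        if (flags & 0x000F) == 2:         # RFC 2661 header: version field is 2
            # T bit set = control message, clear = data message (PPP frame)
            return "cleartext-l2tp-" + ("control" if flags & 0x8000 else "data")
    return "other"

def unprotected(packets):
    """Indexes of packets that expose L2TP outside the IPsec channel."""
    return [i for i, p in enumerate(packets) if classify(p).startswith("cleartext-l2tp")]

# Constructed sample traffic, one packet per case (not a real capture).
SAMPLES = [
    ipv4(PROTO_UDP, udp(500, 500, b"\x11" * 28)),                          # IKE
    ipv4(PROTO_ESP, b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"\xaa" * 16),   # ESP
    ipv4(PROTO_UDP, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),          # IKE, NAT-T
    ipv4(PROTO_UDP, udp(4500, 4500, b"\x00\x00\x10\x01" + b"\xaa" * 20)),  # ESP in UDP
    ipv4(PROTO_UDP, udp(1701, 1701, struct.pack("!6H", 0xC802, 12, 0, 0, 0, 0))),
]
```

On a sensor placed between the endpoints, a correctly deployed L2TP/IPsec tunnel yields only the first four classes; any index returned by `unprotected()` means L2TP is running without IPsec on that path.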

In L2TP/IPsec, the use of the terms tunnel and secure channel is a possible point of confusion. The term tunnel mode refers to a channel that allows unchanged packets of one network to be transported over another network. In the case of L2TP/PPP, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a link within which the confidentiality of all data is guaranteed. In L2TP/IPsec, IPsec provides a secure channel first; then, a tunnel is provided by L2TP. IPsec also defines a tunnel protocol of its own, but it is not needed when the L2TP tunnel is used.

The Benefits of L2TP

Find below some of the benefits of the Layer Two Tunneling Protocol:

  1. For sensitive applications, high data protection is provided.
  2. It uses high-level encryption so that critical data is always secure and stays private.
  3. It offers outstanding and effective connectivity.
  4. It is cost-effective, and after implementation, does not have overhead costs.
  5. It is reliable, scalable, quick, and versatile.
  6. It is an industry best practice for the business sector.
  7. For users with VPN authentication, it has the strongest authorization policy.

The Drawbacks of L2TP

Like other protocols, L2TP also has a few drawbacks. Some of them include:

  1. On its own, L2TP has no encryption. For proper online protection, it must be combined with IPSec.
  2. The NSA has reportedly weakened or cracked L2TP and L2TP/IPSec, but that’s only according to Snowden, and there’s no hard evidence to back up the argument.
  3. L2TP/IPSec tends to be a bit resource-intensive and not extremely fast due to its double encapsulation functionality.
  4. NAT firewalls will block L2TP if it isn’t further configured to bypass them.


Overall, L2TP/IPSec is reasonably secure to use, but it is worth noting that there have been reports that the protocol is compromisable and vulnerable. L2TP is not too bad in terms of latency, but you can encounter slower link rates due to its double encapsulation. As for availability, L2TP works natively on many Windows and macOS platforms and can also be configured very easily on other computers and operating systems.