What Is L2TP?
L2TP stands for Layer 2 Tunneling Protocol, and it’s – like the name implies – a tunneling protocol that was designed to support VPN connections. Funnily enough, L2TP is often employed by ISPs to allow VPN operations.
L2TP was first published in 1999. It was designed as a sort of successor to PPTP, and it was developed by both Microsoft and Cisco. The protocol takes various features from Microsoft’s PPTP and Cisco’s L2F (Layer 2 Forwarding) protocol, and improves on them.
How L2TP Works – The Basics
L2TP tunneling starts out by initiating a connection between LAC (L2TP Access Concentrator) and LNS (L2TP Network Server) – the protocol’s two endpoints – on the Internet. Once that’s achieved, a PPP link layer is enabled and encapsulated, and afterwards it’s carried over the web.
The PPP connection is then initiated by the end-user (you) with the ISP. Once the LAC accepts the connection, the PPP link is established. Afterwards, a free slot within the network tunnel is assigned, and the request is then passed on to the LNS.
Lastly, once the connection is fully authenticated and accepted, a virtual PPP interface is created. At that moment, link frames can freely be passed through the tunnel. The frames are accepted by the LNS, which then removes the L2TP encapsulation and proceeds to process them as regular frames.
Some Technical Details About the L2TP Protocol
- L2TP is often paired up with IPSec in order to secure the data payload.
- When paired with IPSec, L2TP can use encryption keys of up to 256 bits, and also supports the 3DES algorithm.
- L2TP works on multiple platforms, and is natively supported on Windows and macOS operating systems and devices.
- L2TP’s double encapsulation feature makes it rather secure, but it also means it’s more resource-intensive.
- L2TP normally uses TCP port 1701, but when it’s paired up with IPSec it also uses UDP ports 500 (for IKE – Internet Key Exchange), 4500 (for NAT traversal), and 1701 (for L2TP traffic).
The L2TP data packet structure is as follows:
- IP Header
- IPSec ESP Header
- UDP Header
- L2TP Header
- PPP Header
- PPP Payload
- IPSec ESP Trailer
- IPSec Authentication Trailer
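To make the header fields in this layout concrete, here is an added Python example (not code from the original article, and not taken from any L2TP implementation) that parses and builds the L2TP header and, for control messages, the Message Type AVP, following the RFC 2661 wire format. The message types it recognises are the ones exchanged during the LAC/LNS tunnel and session setup described in the earlier section; every packet it handles is constructed by hand for the demonstration, not captured traffic.

```python
"""Parse and build L2TP v2 datagrams (the UDP payload in the layout above).

Added example, not from the original page or any L2TP implementation.
Header per RFC 2661: flags/version word, optional Length, Tunnel ID,
Session ID, optional Ns/Nr, optional Offset. Control messages then carry
AVPs, the first of which is Message Type; data messages carry a PPP frame.
"""
import struct

# Control-message types exchanged while a tunnel and a session are brought
# up between the LAC and the LNS (RFC 2661, section 3.2).
MESSAGE_TYPES = {
    1: "SCCRQ",    # Start-Control-Connection-Request (tunnel setup begins)
    2: "SCCRP",    # Start-Control-Connection-Reply
    3: "SCCCN",    # Start-Control-Connection-Connected: tunnel is up
    4: "StopCCN",  # Stop-Control-Connection-Notification
    6: "HELLO",    # keepalive
    10: "ICRQ",    # Incoming-Call-Request: ask for a session slot in the tunnel
    11: "ICRP",    # Incoming-Call-Reply
    12: "ICCN",    # Incoming-Call-Connected: PPP frames may now flow
    14: "CDN",     # Call-Disconnect-Notify
}

T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
VERSION = 2


def _take(buf, pos, fmt):
    """Unpack `fmt` at `pos`, raising ValueError instead of struct.error."""
    size = struct.calcsize(fmt)
    if pos + size > len(buf):
        raise ValueError(f"truncated L2TP datagram at offset {pos}")
    return struct.unpack_from(fmt, buf, pos), pos + size


def parse_l2tp(datagram):
    """Return a dict describing one L2TP datagram; raise ValueError if malformed."""
    (flags,), pos = _take(datagram, 0, "!H")
    if (flags & 0x000F) != VERSION:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    is_control = bool(flags & T_BIT)
    if is_control and not (flags & L_BIT and flags & S_BIT):
        # RFC 2661 requires Length and Ns/Nr on every control message.
        raise ValueError("control message without Length or sequence numbers")
    end = len(datagram)
    if flags & L_BIT:
        (length,), pos = _take(datagram, pos, "!H")
        if length > len(datagram) or length < pos:
            raise ValueError("Length field does not fit the datagram")
        end = length
    (tunnel_id, session_id), pos = _take(datagram, pos, "!HH")
    ns = nr = None
    if flags & S_BIT:
        (ns, nr), pos = _take(datagram, pos, "!HH")
    if flags & O_BIT:
        (offset,), pos = _take(datagram, pos, "!H")
        pos += offset  # padding bytes before the payload
    if pos > end:
        raise ValueError("header runs past the end of the datagram")
    payload = datagram[pos:end]
    info = {"control": is_control, "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr}
    if is_control:
        info["message_type"] = parse_message_type(payload)
    else:
        info["ppp"] = payload  # PPP header + PPP payload from the layout above
    return info


def parse_message_type(avps):
    """Decode the mandatory first AVP of a control message (Message Type)."""
    (hdr, vendor, attr), pos = _take(avps, 0, "!HHH")
    length = hdr & 0x03FF  # low 10 bits; bit 15 = M (mandatory), bit 14 = H (hidden)
    if vendor != 0 or attr != 0 or length != 8 or not hdr & 0x8000:
        raise ValueError("first AVP is not a well-formed Message Type AVP")
    (code,), _ = _take(avps, pos, "!H")
    return MESSAGE_TYPES.get(code, f"unknown({code})")


def build_control(msg_code, tunnel_id, session_id, ns, nr):
    """Build a minimal control message carrying only the Message Type AVP."""
    avp = struct.pack("!HHHH", 0x8000 | 8, 0, 0, msg_code)
    flags = T_BIT | L_BIT | S_BIT | VERSION
    return struct.pack("!HHHHHH", flags, 12 + len(avp),
                       tunnel_id, session_id, ns, nr) + avp


def build_data(tunnel_id, session_id, ppp_frame):
    """Encapsulate a PPP frame in an L2TP data message (Length set, no Ns/Nr)."""
    return struct.pack("!HHHH", L_BIT | VERSION, 8 + len(ppp_frame),
                       tunnel_id, session_id) + ppp_frame


# Constructed samples: the first control message of tunnel setup (tunnel ID 0,
# since the LAC does not yet know the ID the LNS will assign), and a data
# message carrying a PPP frame (address/control ff03, protocol 0021 = IP).
SAMPLE_SCCRQ = build_control(1, 0, 0, 0, 0)
SAMPLE_DATA = build_data(7, 3, bytes.fromhex("ff030021") + b"\x45\x00\x00\x14")

if __name__ == "__main__":
    print(parse_l2tp(SAMPLE_SCCRQ))
    print(parse_l2tp(SAMPLE_DATA))
```

The parser rejects rather than guesses: a control message missing Length or Ns/Nr, a Length field larger than the datagram, or a first AVP that is not Message Type all raise `ValueError`, which is the behaviour you want from anything that sits in front of a PPP stack and receives datagrams from the network.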
How Does L2TP/IPSec Work?
Basically, here’s a quick overview of how an L2TP/IPSec VPN connection takes place:
- The IPSec Security Association (SA – an agreement between two network devices on security attributes) is first negotiated. That is normally done through IKE and over UDP port 500.
- Next, the Encapsulating Security Payload (ESP) process is established for the transport mode. This is done using IP protocol 50. Once ESP is established, a secure channel between the network entities (VPN client and VPN server, in this case) has been set up. However, for now, no actual tunneling is taking place.
- That’s where L2TP comes into play – the protocol negotiates and establishes a tunnel between the network endpoints. L2TP uses TCP port 1701 for that, and the actual negotiation process takes place within the IPSec encryption.
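The sequence above (IKE over UDP 500, then ESP, then the L2TP tunnel negotiated inside the IPSec protection) is something you can check for on a network boundary. The following is an added Python example, not code from the original article, that classifies constructed flow records into those stages and reports, per client/server pair, whether L2TP is actually travelling inside IPSec. The key defender's observation is that when L2TP/IPSec is set up correctly the L2TP negotiation is inside ESP, so port 1701 should never be visible on the wire; a flow to port 1701 in the clear is L2TP with no encryption at all. The flow log format and all addresses are constructed for the demonstration.

```python
"""Audit flow records for the L2TP/IPSec stages described above.

Added example, not from the original page. Each constructed record is
"timestamp src dst proto sport dport"; ESP flows have no ports. Stages:
IKE on udp/500, NAT-T on udp/4500, ESP as IP protocol 50, and L2TP on
port 1701 (only visible on the wire when it is not inside ESP).
"""
from collections import defaultdict

# Constructed sample flow log; addresses are from documentation ranges.
FLOW_LOG = """\
2024-05-01T08:00:01Z 192.0.2.10 203.0.113.5 udp 500 500
2024-05-01T08:00:02Z 192.0.2.10 203.0.113.5 udp 4500 4500
2024-05-01T08:00:03Z 192.0.2.10 203.0.113.5 esp - -
2024-05-01T08:05:00Z 198.51.100.7 203.0.113.5 udp 1701 1701
2024-05-01T08:06:00Z 198.51.100.7 203.0.113.5 tcp 40000 1701
2024-05-01T08:07:00Z 192.0.2.44 203.0.113.9 udp 500 500
2024-05-01T08:09:00Z 192.0.2.80 203.0.113.5 esp - -
2024-05-01T08:09:30Z 192.0.2.80 203.0.113.5 udp 500 500
"""

VERDICT_TEXT = {
    "ok": "IKE first, then ESP/NAT-T; L2TP tunnel carried inside IPSec",
    "cleartext-l2tp": "ALERT: port 1701 visible on the wire, L2TP without IPSec",
    "ike-only": "incomplete: IKE seen but no ESP or NAT-T traffic followed",
    "esp-before-ike": "check: ESP/NAT-T seen before any IKE exchange",
    "unrelated": "no L2TP/IPSec stages seen",
}


def classify_flow(proto, dport):
    """Map one flow to an L2TP/IPSec stage, or 'other'."""
    if proto == "esp":                    # IP protocol 50
        return "esp"
    if proto == "udp" and dport == 500:   # IKE: security association negotiation
        return "ike"
    if proto == "udp" and dport == 4500:  # NAT traversal encapsulation
        return "nat-t"
    if dport == 1701:                     # L2TP itself, in the clear
        return "l2tp-cleartext"
    return "other"


def parse_flow_log(text):
    """Parse the constructed flow format into a list of dicts with a stage tag."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, _sport, dport = line.split()
        dport = int(dport) if dport.isdigit() else None
        records.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                        "dport": dport, "stage": classify_flow(proto, dport)})
    return records


def audit_peers(records):
    """Return {(client, server): verdict code} for every pair in the records."""
    first_seen = defaultdict(dict)  # pair -> {stage: earliest timestamp}
    for r in records:
        pair, stage = (r["src"], r["dst"]), r["stage"]
        if stage == "other":
            continue
        # ISO 8601 timestamps with a fixed zone compare correctly as strings.
        if stage not in first_seen[pair] or r["ts"] < first_seen[pair][stage]:
            first_seen[pair][stage] = r["ts"]
    verdicts = {}
    for pair, seen in first_seen.items():
        protected = [t for s, t in seen.items() if s in ("esp", "nat-t")]
        if "l2tp-cleartext" in seen:
            verdicts[pair] = "cleartext-l2tp"
        elif "ike" in seen and protected:
            verdicts[pair] = "ok" if seen["ike"] <= min(protected) else "esp-before-ike"
        elif protected:
            verdicts[pair] = "esp-before-ike"
        elif "ike" in seen:
            verdicts[pair] = "ike-only"
        else:
            verdicts[pair] = "unrelated"
    return verdicts


if __name__ == "__main__":
    for pair, code in audit_peers(parse_flow_log(FLOW_LOG)).items():
        print(f"{pair[0]:>14} -> {pair[1]:<14} {code:15} {VERDICT_TEXT[code]}")
```

The "esp-before-ike" verdict is deliberately a prompt to look rather than an alert: on a real tap it usually means the capture started after the IKE exchange or a long-lived SA was rekeyed elsewhere, but on a network where every tunnel should be set up from scratch it is worth confirming. The "cleartext-l2tp" verdict, by contrast, is exactly the condition the text warns about: L2TP with nothing protecting it.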
What Is L2TP Passthrough?
Since an L2TP connection generally has to reach the web through a router, L2TP traffic needs to be able to pass through that router for the connection to work. L2TP Passthrough is essentially a router feature that lets you enable or disable L2TP traffic on it.
You should also know that L2TP sometimes doesn’t work well with NAT (Network Address Translation), the feature that lets multiple Internet-connected devices on a single network share one connection and one IP address instead of needing several. That’s when L2TP Passthrough comes in handy, since enabling it on your router allows L2TP to work with NAT.
In case you’d like to learn more about VPN Passthrough, we have an article you might be interested in.
How Good Is L2TP Security?
While L2TP tunneling is generally considered an improvement over PPTP, it’s very important to understand that L2TP encryption doesn’t really exist on its own – the protocol doesn’t use any. As a result, using only the L2TP protocol when you’re online is not a smart move.
That’s why L2TP is always paired up with IPSec, which is a pretty secure protocol. It can use powerful encryption ciphers like AES, and it also uses double encapsulation to further secure your data. Basically, the traffic is first encapsulated like a normal PPTP connection, and then a second encapsulation takes place courtesy of IPSec.
Still, it is worth mentioning that there have been rumours that L2TP/IPSec has been either cracked or intentionally weakened by the NSA. Now, there isn’t any clear proof to those claims, though they do come from Edward Snowden himself. So, it ultimately depends on whether or not you want to take his word for it. You should know that Microsoft was the first partner of the NSA PRISM surveillance program, though.
In our personal opinion, L2TP/IPSec is a safe enough VPN protocol, but you should make sure you use a reliable, no-log VPN provider as well. Also, if you’re dealing with very sensitive information, it’s better to just use a more secure protocol instead or try out VPN cascading.
How Fast Is L2TP?
On its own, L2TP would be considered very fast due to its lack of encryption. Of course, the downside of not having your connections secured is very serious, and shouldn’t be overlooked for the sake of speed.
As for L2TP/IPSec, the VPN protocol can offer decent speeds, though it’s recommended to have a fast broadband connection (somewhere around or over 100 Mbps) and a fairly powerful CPU. Otherwise, you might see some drops in speed, but nothing too serious that would ruin your online experience.
How Easy Is It to Set Up L2TP?
On most Windows and macOS devices, it’s as simple as just going into your Network Settings, and following a few steps to establish and configure the L2TP connection. The same thing goes for the L2TP/IPSec VPN protocol – usually you might just have to change an option or two to select the IPSec encryption.
L2TP and L2TP/IPSec are pretty simple to set up manually on devices with no native support for them too. You might have to follow a few extra steps, but the whole setup process shouldn’t take you too long or require too much knowledge and effort.
What Is an L2TP VPN?
Like the name implies, an L2TP VPN is a VPN service that offers users access to the L2TP protocol. Please be aware that you aren’t very likely to find a VPN provider who only offers access to L2TP on its own. Normally, you’ll only see providers who offer L2TP/IPSec to make sure users’ data and traffic are secured.
Ideally, you should choose a VPN provider who offers access to multiple VPN protocols, though. Only being able to use L2TP on its own is usually a red flag, and just having access to L2TP/IPSec isn’t too bad, but there’s no reason you should be limited only to it.
L2TP Advantages and Disadvantages
Advantages
- L2TP can be paired up with IPSec to offer a decent level of online security.
- L2TP is readily available on many Windows and macOS platforms since it’s built into them. It also works on many other devices and operating systems.
- L2TP is fairly easy to set up, and that goes the same for L2TP/IPSec.
Disadvantages
- L2TP has no encryption on its own. It must be paired with IPSec for proper online security.
- L2TP and L2TP/IPSec have been allegedly weakened or cracked by the NSA – though, that’s only according to Snowden, and there’s no hard proof to back up that claim.
- Due to its double encapsulation feature, L2TP/IPSec tends to be a bit resource-intensive and not extremely fast.
- L2TP can be blocked by NAT firewalls if it’s not further configured to bypass them.
Need a Reliable L2TP VPN?
We’ve got just what you need – a high-end, high-speed VPN service that can offer you a smooth online experience with a well-configured and optimized L2TP/IPSec protocol. What’s more, you can also choose from five other VPN protocols: OpenVPN, IKEv2/IPSec, SoftEther, PPTP, SSTP.
And yes, our L2TP/IPSec VPN protocol comes built-in with our user-friendly VPN clients, so setting up a connection is extremely easy.
Enjoy Top-Notch Security and Peace of Mind
We want to make sure you never have to worry about abusive surveillance and nasty cybercriminals on the Internet, which is why we made sure you will (depending on your operating system) either use AES-256 or AES-128 with our L2TP/IPSec protocol.
Not only that, but we also follow a strict no-logging policy at our company, which means you never need to worry about anyone at CactusVPN knowing what you do online.
Special Deal! Get CactusVPN for $2.7/mo!
And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.
L2TP vs. Other VPN Protocols
For all intents and purposes, we’ll be comparing L2TP/IPSec to other VPN protocols in this section. L2TP on its own offers 0 security, which is why pretty much all VPN providers offer it alongside IPSec. So, when you normally see a VPN provider talking about the L2TP protocol and saying it offers access to it, they’re actually referring to L2TP/IPSec.
L2TP vs. PPTP
For starters, L2TP offers superior security to PPTP (Point-to-Point Tunneling Protocol) due to IPSec. What’s more, compared to PPTP’s 128-bit encryption, L2TP offers support for 256-bit encryption. Also, L2TP can use extremely secure ciphers like AES (military-grade encryption), while PPTP is stuck with MPPE which isn’t as safe to use.
In terms of speed, PPTP tends to be much faster than L2TP, but it loses to the L2TP protocol when it comes to stability since PPTP is very easy to block with firewalls. Since L2TP runs over UDP, it’s more elusive. Also, a VPN provider can tweak the protocol even more to make sure it isn’t blocked by NAT firewalls.
Lastly, there’s also the fact that PPTP was solely developed by Microsoft (a company that’s known to leak sensitive data to the NSA), while L2TP was developed by Microsoft working together with Cisco. For that reason, some users consider L2TP as being more secure and trustworthy. Furthermore, PPTP is known to have been cracked by the NSA, while L2TP has only allegedly been cracked by the NSA (not yet proven).
All in all, you should know that L2TP is considered the improved version of PPTP, so you should always pick it over that protocol.
In case you’d like to read more about the PPTP VPN protocol, feel free to check out this article.
L2TP vs. IKEv2
It’s worth mentioning that IKEv2 is a tunneling protocol that’s based on IPSec, so you’ll often see VPN providers talking about IKEv2/IPSec when they refer to IKEv2. So, you normally get to enjoy the same level of security with IKEv2 that you get with L2TP – the only big difference being that there aren’t any rumors from Snowden that IKEv2 was weakened by the NSA.
Besides that, IKEv2 is far more reliable than L2TP when it comes to stability, and it’s all thanks to its Mobility and Multihoming protocol (MOBIKE) that allows the protocol to resist network changes. Basically, with IKEv2, you can freely switch from a WiFi connection to your data plan without needing to worry about the VPN connection going down. IKEv2 can also automatically resume working after a sudden interruption of your VPN connection (like a power outage, for example).
While IKEv2 was also developed by Microsoft together with Cisco, another reason many people prefer it over the L2TP protocol is because there are open-source versions of IKEv2, making it more trustworthy.
If you’d prefer to learn more about IKEv2, please check out this article.
L2TP vs. OpenVPN
Both protocols offer a decent level of security, but OpenVPN is considered the superior choice because it’s open-source, it uses SSL 3.0, and can be configured to offer extra protection. The downside to all that extra security is lower connection speeds. OpenVPN is normally slower than L2TP, though results might be a bit different if you use OpenVPN on UDP.
However, when it comes to stability, L2TP takes a backseat because of its use of limited ports. Simply put, the protocol can be blocked by NAT firewalls – unless it’s properly configured (which can be an extra hassle if you’re not experienced enough). OpenVPN, on the other hand, can essentially use any port it wants – including port 443, the port reserved for HTTPS traffic. That means it’s very difficult for any ISP or network admin to block OpenVPN with a firewall.
As for availability and setup, OpenVPN does work on many platforms, but it’s not exactly natively available on them like L2TP is. As a result, it’s usually going to take you much longer to set up an OpenVPN connection on your device than an L2TP connection. Luckily, if you use a VPN that offers OpenVPN connections, you don’t need to do much since everything is already set up for you.
Want to find out more about OpenVPN? Follow this link then.
L2TP vs. SSTP
Like OpenVPN, SSTP (Secure Socket Tunneling Protocol) uses SSL 3.0 and can use port 443. So, it’s more secure than L2TP, and it’s also harder to block with a firewall. SSTP is developed by Microsoft alone, so – in that regard – L2TP might be a bit more trustworthy because Cisco was involved in its development process.
Regarding speed, SSTP is often considered to be faster than L2TP because no double encapsulation takes place. But when it comes to cross-platform compatibility, L2TP fares better because SSTP is only built-in on Windows operating systems, and it can also be set up on:
L2TP, on the other hand, is available on many other platforms, and it’s also built-in in most of them. So, setting up the VPN protocol is also easier.
Overall, if you were to choose between SSTP and L2TP, you’d be better off with SSTP. If you’d like to learn more about that protocol, follow this link.
L2TP vs. WireGuard®
WireGuard is a very new VPN protocol whose main purpose is apparently to replace IPSec. As a result, WireGuard is supposed to be much more secure than L2TP – especially since it’s open-source and only uses a single cryptographic suite (meaning it might have fewer security holes). It’s also claimed to be faster and lighter.
But for the moment, we still recommend using L2TP over WireGuard – given that WireGuard only works on Linux for now, and it’s still in its experimental phase. Therefore, it isn’t a secure protocol for now due to its high instability rate.
Still, if you’d like to learn more about WireGuard, follow this link.
L2TP vs. SoftEther
Like L2TP, SoftEther can also use a 256-bit encryption key and an encryption cipher as strong as AES. But SoftEther goes the extra mile – it’s also open-source, it uses SSL 3.0, and it’s also very stable. In fact, SoftEther is often considered a good alternative to OpenVPN.
What’s more, here’s a very interesting thing about SoftEther – it’s both a protocol and a VPN server. And the VPN server can actually support the L2TP/IPSec protocol, alongside many others:
- IPSec
- OpenVPN
- SSTP
- SoftEther
That’s the kind of thing you won’t get with an L2TP VPN server.
In terms of speed, you’re better off with SoftEther. Despite its high security, the protocol is also shown to be very fast. According to its developers, it all has to do with the fact that SoftEther was programmed with high-speed throughput in mind, while a protocol like L2TP that’s based on PPP was built with narrowband telephone lines in mind.
L2TP seems to shine when it comes to the setup process, though. While SoftEther does work on almost as many platforms as L2TP does, it’s harder to set up. Since it’s a software-based solution, you’ll also have to download and install SoftEther software on your device – yes, even if you use a VPN provider who offers the SoftEther protocol.
In case you’re interested in reading more about SoftEther, we’ve already got an article on that topic.
L2TP vs. IPSec
We’re saving this comparison for last since it’s a bit unusual. Still, since there are VPN providers who offer access only to IPSec as a protocol, we thought some of you might be interested in seeing how L2TP compares to it on its own.
For starters, IPSec offers online security compared to L2TP, which doesn’t provide any encryption on its own. Also, IPSec is much harder to block with a firewall than L2TP because it’s able to encrypt data without any end application being aware of it.
On the other hand, L2TP can transport protocols other than IP, while IPSec can’t do that.
In terms of L2TP/IPSec vs. IPSec, the security is pretty similar, but L2TP/IPSec might be a bit more resource-intensive and less speedy because of the additional encapsulation that adds an extra IP/UDP packet and an L2TP header.
Want to learn more about IPSec? Feel free to check out our article on it.
So Then, Is L2TP a Good VPN Protocol?
As long as L2TP is used with IPSec, it makes for a pretty secure protocol – depending on how you view Snowden’s accusations and claims, though. It’s not the fastest protocol out there due to its double encapsulation feature, but it’s rather stable and it works on multiple operating systems and devices.
In Conclusion – What Is L2TP?
L2TP (Layer 2 Tunneling Protocol) is a VPN tunneling protocol that is considered to be an improved version of PPTP. As it has no encryption, L2TP is often used alongside IPSec. So, you’ll mostly see VPN providers offering access to L2TP/IPSec, not L2TP on its own.
L2TP/IPSec is fairly safe to use, though it’s worth mentioning that there have been claims the protocol was cracked or weakened by the NSA. In terms of speed, L2TP isn’t too bad, but you might experience slower connection speeds due to the protocol’s double encapsulation feature. As for availability, L2TP works natively on many Windows and macOS platforms, and is pretty easy to configure on other devices and operating systems too.
Overall, L2TP/IPSec is a decent VPN protocol, but we recommend choosing a VPN provider who offers a selection of multiple VPN protocols besides L2TP if you want a truly secure online experience.
“WireGuard” is a registered trademark of Jason A. Donenfeld.