L2TP + IPSec

r-lemaster
Level 4

I understand that using L2TP with IPSec allows for VPN traffic to travel over non-IP networks, and adds more authentication options over PPP (please correct me if I'm wrong).

If the Internet is IP, why would you need to have IPSec tunneled over L2TP? Isn't that redundant?

My textbooks only cover IPSec, and don't cover any L2TP configuration. Where is L2TP configured & how?

In what circumstances would you need to use L2TP and why?

Thanks for your time.

3 Replies

gfullage
Cisco Employee

L2TP only works over IP networks, not non-IP networks. Don't know the full history of L2TP/IPSec, but it became popular, and a lot of vendors supported it, because you could configure it natively in Microsoft, without adding additional VPN client software. You'd have to ask MS why they added it into Windows. For my money PPTP is a LOT easier to set up natively in Windows, but PPTP encryption is not as secure as IPSec.

There are some sample configs here for configuring Cisco devices to accept connections:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094aca.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml

There's some good info on configuring the MS client in the above docs also (it is not the easiest thing in the world to do though; plus, to use pre-shared keys you need to add a registry key and reboot the device).

Thanks for your reply.

I'm not trying to pick a fight, but I'm pretty sure IPSec only runs over IP, but L2TP runs over IP, IPX, AppleTalk, Frame Relay, ATM, X.25.

I'm guessing from the links that L2TP is configured on the VPN concentrator when IPSec is configured.

I'm just trying to find out what the compelling reason is to use L2TP over IPSec instead of just using IPSec by itself.

I think we can figure part of it out from examining the source of these acronyms.

L2TP stands for Layer 2 Tunneling Protocol.

What it does is 'tunnel' traffic at a layer 2 level. I.e., it's not dependent on 'IP' (a layer 3 protocol). Therefore L2TP doesn't 'run over every protocol' but rather 'L2TP tunnels every protocol' inside itself!

The IPSec portion of this is "IP SECURITY". What this does is take the L2TP packets and encrypt them, and send them over TCP/IP.

Breaking this down, we see that a ping for example traveling over a L2TP/IPSEC tunnel is first encapsulated from IP into a generic L2TP packet. This L2TP packet is then encapsulated within an IPSEC packet.

The reasons for this are that L2TP allows protocols IN ADDITION TO IP to be 'tunneled' across the internet. PPTP for example tunnels ONLY IP traffic. This is the reason it is included as an alternative in Windows.

Also, L2TP relies on PPP type connectivity/authorization/authentication. PPTP also does. However, since L2TP requires another transport (IPSEC) to go over the internet, all the traffic is FURTHER hidden inside highly encrypted (certificate or pre-shared-key based) IPSEC. This is why L2TP/IPSEC is more secure. Theoretically you could also tunnel PPTP over IPSEC, but since it works across Layer 3 (IP) natively there's no need (other than added security), thus no implementations (that I know of) actually do this, despite the security benefits.
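The header walk described in the reply above (ping → L2TP/PPP → IPsec), as an added example that is not part of the original thread or any Cisco configuration. It builds a constructed L2TP/IPsec packet the way RFC 3193 deployments carry it (ESP in transport mode protecting UDP/1701) and then parses it back, outermost layer first, to show where each header sits. Assumptions: the ESP payload is left unencrypted and no ICV is appended so the walk stays visible (a real packet has to be decrypted first), the PPP frame carries only its 2-byte protocol field (address/control field compression), and all addresses, IDs and the IPX stand-in payload are made up for the sample. A second packet with an IPX protocol ID shows the point that L2TP/PPP does not care what it carries.

```python
"""Layering of an L2TP/IPsec packet: constructed sample, not from the thread."""
import socket
import struct

L2TP_PORT = 1701          # UDP port for L2TP (RFC 2661)
IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ESP = 1, 17, 50
# PPP protocol field values (IANA PPP numbers): what is inside the PPP frame
PPP_PROTOCOLS = {0x0021: "IPv4", 0x002B: "IPX", 0x0029: "AppleTalk"}


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def ppp(protocol: int, payload: bytes) -> bytes:
    """PPP frame with only the protocol field (ACFC assumed for the sample)."""
    return struct.pack("!H", protocol) + payload


def l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """L2TP v2 data message: flags/version 0x0002 (no L/S/O bits), IDs, PPP."""
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp_frame


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp(spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """ESP header, payload, RFC 4303 trailer (pad, pad length, next header).
    Payload stays in the clear and no ICV is added: illustration only."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])


def build_l2tp_ipsec(ppp_proto: int, inner: bytes) -> bytes:
    """Wrap a tunneled payload: PPP -> L2TP -> UDP/1701 -> ESP -> outer IPv4."""
    tunnel = l2tp_data(7, 3, ppp(ppp_proto, inner))
    protected = esp(0x1234ABCD, 1, IPPROTO_UDP, udp(L2TP_PORT, L2TP_PORT, tunnel))
    return ipv4("203.0.113.10", "198.51.100.1", IPPROTO_ESP, protected)   # sample addresses


def walk_layers(packet: bytes) -> list:
    """List the headers of an unencrypted L2TP/IPsec packet, outermost first."""
    layers = ["IPv4"]
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_ESP:
        return layers
    layers.append("ESP")
    esp_pkt = packet[ihl:total_len]
    pad_len, next_header = esp_pkt[-2], esp_pkt[-1]   # trailer tells what follows ESP
    inner = esp_pkt[8:len(esp_pkt) - 2 - pad_len]
    if next_header != IPPROTO_UDP:
        return layers
    layers.append("UDP")
    if struct.unpack("!H", inner[2:4])[0] != L2TP_PORT:
        return layers
    l2tp = inner[8:]
    flags = struct.unpack("!H", l2tp[:2])[0]
    if flags & 0x000F != 2:                          # only L2TP version 2 handled
        return layers
    layers.append("L2TP")
    hdr_len = 6 + (2 if flags & 0x4000 else 0) + (4 if flags & 0x0800 else 0)  # L and S bits
    ppp_frame = l2tp[hdr_len:]
    layers.append("PPP")
    ppp_proto = struct.unpack("!H", ppp_frame[:2])[0]
    layers.append(PPP_PROTOCOLS.get(ppp_proto, "PPP-0x%04X" % ppp_proto))
    if ppp_proto == 0x0021 and ppp_frame[2 + 9] == IPPROTO_ICMP:   # inner IPv4 protocol byte
        layers.append("ICMP")
    return layers


def ping_over_l2tp_ipsec() -> list:
    """The reply's example: an IP ping carried inside L2TP inside IPsec."""
    echo = icmp_echo(0x1234, 1, b"constructed sample ping payload")
    return walk_layers(build_l2tp_ipsec(0x0021, ipv4("10.0.0.2", "10.0.0.1", IPPROTO_ICMP, echo)))


def ipx_over_l2tp_ipsec() -> list:
    """A non-IP protocol in the same tunnel: the bytes stand in for an IPX datagram."""
    return walk_layers(build_l2tp_ipsec(0x002B, b"\x00" * 30))


if __name__ == "__main__":
    print(" / ".join(ping_over_l2tp_ipsec()))
    print(" / ".join(ipx_over_l2tp_ipsec()))
```

The first walk gives `IPv4 / ESP / UDP / L2TP / PPP / IPv4 / ICMP`, the second `IPv4 / ESP / UDP / L2TP / PPP / IPX`: the outer IP and ESP are the same either way, and only the PPP protocol field changes, which is what lets the one tunnel carry non-IP traffic. From a monitoring point of view it also shows why only the outer IPv4 and ESP headers (plus IKE on UDP/500 or UDP/4500 when NAT traversal is in use) are visible on the wire; everything from the UDP/1701 header inward is inside the encrypted ESP payload.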