What is L2TP (Layer 2 Tunnel Protocol)?
date
Sep 27, 2022
slug
what-is-l2tp
status
Published
summary
L2TP is one of the most popular VPN protocols. Learn the details of Layer 2 Tunnel Protocol and what it is used for.
tags
Website
type
Post
Author
Berktug Mutlu
category
Privacy & Security
meta_title
What is L2TP (Layer 2 Tunnel Protocol)? How Fast L2TP? - FastVPN
When considering VPN providers, L2TP is a term thrown around a lot. Back in the day (assuming you are “internet old”), L2TP was incredibly popular. It was an alternative to PPTP (Point-To-Point Tunneling Protocol) for many privacy-conscious individuals.
Below, we will dig into all of your burning questions about this VPN protocol, so you will know whether it’s worth pursuing.
What Is an L2TP Connection?What is IPsec?How Do IPSec and L2TP Relate?What is L2TP/IPSec Used For?How L2TP/IPSec WorksHow Fast Is L2TP/IPSec?How Good Is L2TP/IPSec Security?IPSec and Alleged NSA InterferenceHow Does L2TP/IPSec Compre to Other Connection Protocols:L2TP FAQsWhat is L2TP Passthrough?Conclusion – Is L2TP/IPSec a Good VPN Protocol?
What Is an L2TP Connection?
L2TP, or Layer 2 Tunneling Protocol, is a VPN protocol that provides a tunnel. The tunnel acts as a connection point, offering the opportunity for higher-level encryption.
Both Microsoft and Cisco published L2TP in 2000, shortly after the release of PPTP in 1999. L2TP was the following release of another tunneling protocol, L2F (Layer 2 Forwarding), solely developed by Cisco.
Both L2F and PPTP did the same thing: tunnel PPP (Point-to-Point Protocol) traffic. Both protocols also had the same weakness: neither provided an encryption protocol. This lack of encryption transferred duties to the tunneled data, so L2TP is often alongside IPsec.
What is IPsec?
IPSec (IP Secure) is a group of related protocols. With numerous protocols included, IPSec offers the following features:
- An IKE (Internet Key Exchange) using Diffie-Hellman or ECDH keys has algorithms and strings to protect your data.
- An Authentication Header (AH) under SHA-1 (Secure Hash Algorithm) confirms both connections are trustworthy and untampered. Other authentication protocols include RSA, ECDSA, and PSK.
- Encryption through 3DES (Triple DES) and ESP (Encapsulating Security Protocol) to ensure both the data and IP header are secure and hidden.
- Access to port 500 to navigate transmission around routers.
- Transmission via UDP (User Datagram Protocol) to avoid the potential of firewall blocking.
IPSec dictates the rules on the safe side of the data transfer process.
How Do IPSec and L2TP Relate?
Because an L2TP tunnel has no method to secure data, it relies on third-party sources. The majority of those third-party sources come from IP Secure. So when you see the “L2TP/IPSec” label, it’s because this VPN protocol uses the IPSec cipher suite.
What is L2TP/IPSec Used For?
In combination, L2TP primarily supports VPNs (Virtual Private Networks). A decent amount of VPN clients use this system, making it reasonably popular.
It has been part of Microsoft products since Windows 2000, making it slightly newer than PPTP. Windows use it as part of Windows Firewall with Advanced Security. In modern Windows settings, you can find this under “Add VPN Connection.”
Outside of VPNs, L2TP is also part of ISPs and their delivery method. ISP resellers use this often as a method to repackage services. So instead of hiding your information, the ISP hides their information under reselling companies in some towns and cities.
Some business owners can also use the protocol to connect remotely to devices within LAN networks. This practice prevents third parties within the same business from accessing sensitive data.
How L2TP/IPSec Works
The L2TP protocol starts by establishing a tunnel between two network points. They do this by using TCP port 1701.
At this point, the non-secure internet protocol takes a backseat to IPSec, which handles the entire encryption process. The connection is through TCP/UDP 500.
UDP is a communications protocol typically used for data transfers that demand quick access. For example, YouTube videos rely on UDP for rapid transference. UDP is unique because it can send data before a complete connection.
TCP (Transmission Control Protocol) is more of a standard, relying on formal connections. Many VPN clients that depend on IPSec’s security suite enable you to choose between the two options. UDP offers speed while TCP provides stability.
The ESP (Encapsulating Security Payload) encrypts and adds the authentication headers to your data during this process. IPSec does this through another UDP port under IP Protocol 50 (UDP Port 4500). The AH uses the same UDP port under IP protocol 51.
The entire communication process happens before any tunneling occurs. The negotiation, a network term for reaching specific ports, must be approved before data transfer. Under UDP, there is some chance of data loss because of this slowdown.
Once the encryption process is done, and the ports are successfully negotiated, data is sent through the secure tunnel.
How Fast Is L2TP/IPSec?
Knowing that L2TP is a security vehicle, the VPN protocol is fast by itself. With IPSec, you can expect slower speeds than PPTP.
On the other hand, it results in decent speeds compared to OpenVPN. You also see some speed fluctuations depending on your chosen protocol (UDP vs. TCP).
How Good Is L2TP/IPSec Security?
Since L2TP is the security tube, IPSec is a pretty secure platform. The two are a solid security force when together. Here is an overview:
- It uses SHA1/SHA2 and HMAC hash codes, comprising some of the most respected authentication and data protection methods.
- TripleDES-CBC, AES-CCBC, and AES-CTR are better-known block ciphers. This combo gives it access to AES-256 bit encryption, which is brute force attack-proof.
- It also has access to AES-GCM and ChaCha20-Poly1305, two ciphers known for state-of-the-art performance.
- Key exchange algorithms include RFC 3526 (Diffie-Hellman or DH) and 4753 (ECDH or Elliptic Curve Diffie-Hellman); both are trusted cryptographic generation methods.
- You can access PSK (Pre-Shared Keys) for performance alongside UDP.
- IPSec relies on double encapsulation for an additional layer of security.
- RSA (Rivest-Shamir-Adleman) and ECDSA (Elliptic Curve Digital Signature Authentication) are both tested and trusted forms of authentication.
Simply put, L2TP/IPSec is one of the world’s most secure protocols on paper. The encryption protocols used involve some of the most well-regarded tools in cryptography.
However, this high level of encryption has a few significant drawbacks for security-conscious individuals.
IPSec and Alleged NSA Interference
According to a few sources, the US NSA (National Security Agency) actively worked within IPSec to insert security vulnerabilities. Many of these vulnerabilities allow the NSA to get backdoor access, putting IPSec’s merits into question.
These revelations came as a result of the Edward Snowden leaks during 2013. This compromise extends to the Diffie-Hellman algorithm. Given that Microsoft, a co-developer of L2TP, is known for actively working with the NSA, it does raise some concerns.
Given the many VPNs that rely on D-H keys, the targets also extend to other VPN software. So while this VPN protocol is excellent on paper, it does give other protocols (like OpenVPN or Wireguard) a bit of a preference due to their more significant commitment to security.
How Does L2TP/IPSec Compre to Other Connection Protocols:
Here is a quick comparison between L2TP/IPSec and other major protocols:
- PPTP is faster than L2TP by leaps and bounds. However, they make up for this speed by being an outdated method of VPN usage. Despite this, both PPTP and L2TP are available on a similar number of devices.
- OpenVPN is comparable to IPSec on security. However, most VPN providers prefer to use the OpenVPN protocol because it has no association with Microsoft’s L2TP. When comparing speeds, the two are very similar.
- IKEv2 is part of IPSec’s security suite. However, it is not part of L2TP. IKEv2 was not part of the data leaks using D-H keys, making it more trustworthy than L2TP by itself.
- Wireguard uses state-of-the-art technology that outpaces other platforms. It is also open-source software, which is more than we can say for the Microsoft-owned L2TP. Wireguard is less vulnerable than IPSec because it uses many UDP ports.
- SoftEther combines many of the high-level security protocols in a fast package. However, its reliance on a combo client/protocol approach means it is not adaptable across multiple devices. But that is likely to change with time. It also relies on newer “non-tainted” algorithms.
- SSTP is Microsoft’s current answer to security demands. However, its ownership under Microsoft makes it a bit sketchy given their known NSA affiliation. If you choose between the two, SSTP offers more speed and better integration with routers and operating systems.
L2TP FAQs
What is L2TP Passthrough?
Like PPTP Passthrough, the L2TP form is a router-based feature that helps VPNs navigate the NAT tool. If you plan on relying on the VPN protocol, getting a router with passthrough will help you.
You can enable it in the admin panel of your router. Otherwise, you might want to rely on other VPN protocols.
Conclusion – Is L2TP/IPSec a Good VPN Protocol?
L2TP/IPSec is Microsoft and Cisco’s second attempt at producing a VPN release. Regardless of what you might think of the companies, the two combined to make a solid protocol. However, it isn’t a suitable VPN protocol due to backend concerns.
The Edward Snowden leaks showed us that usage of this protocol is a potential risk. Given the potential for backdoor weaknesses, other encryption protocols are more secure.
The Fast VPN uses protocols that emphasize military-grade encryption to ensure your data remains secure. Download it today so you can take ownership of your data.
