Monday, December 31, 2012

L2TP


Short for Layer Two (2) Tunneling Protocol, a tunneling protocol built around PPP that enables ISPs and enterprises to operate Virtual Private Networks (VPNs). L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. Like PPTP, L2TP in its compulsory-tunneling form requires that the ISP's access equipment support the protocol. It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol carried within the tunnel, or wrapped around it, to provide privacy. A newer version of this protocol, L2TPv3, was published as proposed standard RFC 3931 in 2005. L2TPv3 provides additional security features, improved encapsulation, and the ability to carry data links other than simply PPP over an IP network (e.g., Frame Relay, Ethernet, ATM, etc.).
The entire L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram, conventionally on UDP port 1701. It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself: tunnel setup offers only an optional challenge/response tied to a shared secret, and data packets are neither encrypted nor integrity-protected. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity, typically ESP in transport mode protecting the whole UDP/L2TP packet (RFC 3193). The combination of these two protocols is generally known as L2TP/IPsec.
The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session (or 'call') is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. MTU should be considered when implementing L2TP: the UDP, L2TP and PPP headers add overhead to every packet, so the MTU available to the tunneled traffic is smaller than the path MTU (and smaller still with IPsec on top); left unaccounted for, large packets are fragmented or silently dropped.
The packets exchanged within an L2TP tunnel are categorized as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.


L2TP packet structure

An L2TP packet consists of:

  Bits 0-15                  | Bits 16-31
  ---------------------------+---------------------------
  Flags and Version Info     | Length (opt)
  Tunnel ID                  | Session ID
  Ns (opt)                   | Nr (opt)
  Offset Size (opt)          | Offset Pad (opt) ......
  Payload data


Flags and version: the T bit marks a control (1) or data (0) packet; the L, S and O bits indicate the presence of the Length, Ns/Nr and Offset fields; the P bit marks priority data; the low four bits hold the version number, 2 for L2TPv2.

Length (optional) : Total length of the message in bytes, present only when length flag is set.

Tunnel ID : Indicates the identifier for the control connection.

Session ID : Indicates the identifier for a session within a tunnel.

Ns (optional) : Sequence number for this data or control message, beginning at zero and incrementing by one (modulo 2^16) for each message sent. Present only when the sequence flag is set.

Nr (optional) : Sequence number of the next message expected to be received. Nr is set to the Ns of the last in-order message received plus one (modulo 2^16). In data messages, Nr is reserved and, if present (as indicated by the S bit), MUST be ignored upon receipt.

Offset Size (optional) : Specifies where payload data is located past the L2TP header. If the offset field is present, the L2TP header ends after the last byte of the offset padding. This field exists if the offset flag is set.

Offset Pad (optional) : Variable length, as specified by the offset size. Contents of this field are undefined.

Payload data : Variable length (Max payload size = Max size of UDP packet − size of L2TP header)
 

L2TP packet exchange

When an L2TP connection is set up, a series of control messages is exchanged between the two peers to establish the tunnel and then a session in each direction. Through these control messages each peer tells the other which Tunnel ID and Session ID to use when addressing it. Data packets then carry the PPP frames as payload, tagged with that tunnel and session ID.
The control messages exchanged between LAC and LNS, for the handshake that establishes a tunnel and a session in the voluntary tunneling model, are:

Tunnel Setup:
Start-Control-Connection-Request (SCCRQ)
Start-Control-Connection-Reply (SCCRP)
Start-Control-Connection-Connected (SCCCN)

Session Setup:
Incoming-Call-Request (ICRQ) 
Incoming-Call-Reply (ICRP)
Incoming-Call-Connected (ICCN)

Note: For details of the L2TP messages, refer to RFC 2661.
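The packet structure above and the tunnel-setup handshake, as an added example that is not part of the original post and not ProL2TP's code. It follows RFC 2661 (L2TPv2): a parser that reads each optional header field only when its flag bit is set, bounds-checks every read against the bytes actually received, and, for control messages, walks the AVP list to recover the message type; plus a small builder that produces the SCCRQ/SCCRP/SCCCN exchange so both sides of the handshake can be inspected. It goes a little beyond the text by decoding AVPs, which the page only mentions by referring to the RFC. The hostnames, tunnel IDs, sequence numbers and PPP payload bytes are constructed sample values, and only the AVP types needed for this exchange are defined.

```python
import struct

# Added example, not code from the original page. The hostnames, tunnel IDs and PPP
# payload used below are constructed sample values.
FLAG_T = 0x8000    # first header word (RFC 2661, 3.1): 1 = control, 0 = data message
FLAG_L = 0x4000    # Length present (MUST be set on control messages)
FLAG_S = 0x0800    # Ns/Nr present (MUST be set on control messages)
FLAG_O = 0x0200    # Offset Size/Pad present (data messages only)
FLAG_P = 0x0100    # Priority (data messages only)
VER_MASK = 0x000F  # version number, 2 for L2TPv2
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",  # Message Type AVP
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",       # values, RFC 2661 3.2
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
# AVP attribute types used here (all IETF-defined, Vendor ID 0)
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAPS, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 2, 3, 7, 9


class L2TPError(ValueError):
    """Malformed message: drop it rather than guess at the fields."""


def avp(attr, value, mandatory=True):
    """Encode one AVP: M/H bits + 10-bit total length, Vendor ID 0, attribute type, value."""
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value


def control_message(msg_type, tunnel_id, ns, nr, extra_avps=()):
    """Tunnel-level control message (T, L, S set; Session ID 0) with the Message Type AVP first."""
    body = avp(AVP_MESSAGE_TYPE, struct.pack("!H", msg_type)) + b"".join(extra_avps)
    return struct.pack("!HHHHHH", FLAG_T | FLAG_L | FLAG_S | 2, 12 + len(body), tunnel_id, 0, ns, nr) + body


def parse_avps(body):
    """Walk the AVPs of a control message, checking every AVP length against the body."""
    avps, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 6:
            raise L2TPError("truncated AVP header")
        word, vendor, attr = struct.unpack_from("!HHH", body, pos)
        length = word & 0x03FF
        if length < 6 or pos + length > len(body):
            raise L2TPError("AVP length %d overruns the message" % length)
        avps.append({"mandatory": bool(word & 0x8000), "hidden": bool(word & 0x4000),
                     "vendor": vendor, "attr": attr, "value": body[pos + 6:pos + length]})
        pos += length
    return avps


def parse_l2tp(pkt):
    """Parse one L2TPv2 message (the UDP payload); optional fields are read only when flagged."""
    pos = 0

    def take(fmt):  # unpack at the current position, bounds-checked, then advance
        nonlocal pos
        n = struct.calcsize(fmt)
        if len(pkt) - pos < n:
            raise L2TPError("message truncated at offset %d" % pos)
        pos += n
        return struct.unpack_from(fmt, pkt, pos - n)

    (flags,) = take("!H")
    if flags & VER_MASK != 2:
        raise L2TPError("unsupported L2TP version %d" % (flags & VER_MASK))
    msg = {"control": bool(flags & FLAG_T), "priority": bool(flags & FLAG_P)}
    if msg["control"] and ((flags & (FLAG_L | FLAG_S)) != (FLAG_L | FLAG_S) or flags & (FLAG_O | FLAG_P)):
        raise L2TPError("control messages need L and S set and O and P clear")
    if flags & FLAG_L:
        (msg["length"],) = take("!H")
        if msg["length"] < 8 or msg["length"] > len(pkt):
            raise L2TPError("Length %d inconsistent with %d received bytes" % (msg["length"], len(pkt)))
        pkt = pkt[:msg["length"]]  # bytes beyond the declared Length are not part of the message
    msg["tunnel_id"], msg["session_id"] = take("!HH")
    if flags & FLAG_S:
        msg["ns"], nr = take("!HH")
        msg["nr"] = nr if msg["control"] else None  # Nr is reserved in data messages: ignore it
    if flags & FLAG_O:
        (offset,) = take("!H")
        take("%ds" % offset)  # Offset Pad contents are undefined, so just skip past them
    msg["payload"] = pkt[pos:]
    if msg["control"]:
        msg["avps"] = parse_avps(msg["payload"])
        first = msg["avps"][0] if msg["avps"] else None  # empty body = ZLB acknowledgement
        if first is None:
            msg["type"] = "ZLB"
        elif (first["vendor"], first["attr"], first["hidden"], len(first["value"])) != (0, 0, False, 2):
            raise L2TPError("first AVP must be an unhidden Message Type AVP")
        else:
            msg["type"] = MESSAGE_TYPES.get(struct.unpack("!H", first["value"])[0], "unknown")
    return msg


def tunnel_setup_exchange():
    """SCCRQ/SCCRP/SCCCN with constructed values: the LAC assigns itself Tunnel ID 5, the LNS 9;
    each side addresses Tunnel ID 0 until it has seen the peer's Assigned Tunnel ID."""
    common = [avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),      # version 1, revision 0
              avp(AVP_FRAMING_CAPS, b"\x00\x00\x00\x03")]  # async and sync framing
    sccrq = control_message(1, 0, 0, 0, common + [avp(AVP_HOST_NAME, b"lac.example"),
                                                  avp(AVP_ASSIGNED_TUNNEL_ID, b"\x00\x05")])
    sccrp = control_message(2, 5, 0, 1, common + [avp(AVP_HOST_NAME, b"lns.example"),
                                                  avp(AVP_ASSIGNED_TUNNEL_ID, b"\x00\x09")])
    scccn = control_message(3, 9, 1, 1)  # LAC's second message (Ns 1), acknowledging SCCRP (Nr 1)
    return [sccrq, sccrp, scccn]


PPP_LCP_FRAME = b"\xff\x03\xc0\x21\x01\x01\x00\x04"  # constructed PPP LCP Configure-Request
def sample_data_message():
    """Constructed data message on tunnel 9, session 1: S and O set, Ns 7, 2-byte Offset Pad."""
    return struct.pack("!HHHHHH", FLAG_S | FLAG_O | 2, 9, 1, 7, 0, 2) + b"\x00\x00" + PPP_LCP_FRAME
```

Two details matter for a receiver. The Length field is trusted only after it is checked against the bytes actually received, and the message is then clipped to it, so trailing junk cannot be mistaken for AVPs; and Nr on a data packet is discarded rather than fed into any sequencing logic, as the RFC requires.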
 
Uses of L2TP in the real world:

VPN Server:
A VPN server provides a secure gateway to the services on your site network for remote sites and workers. With the rise of remote and mobile working, a robust VPN solution is becoming even more important. Unsecured public Wi-Fi is the last place you want your users accessing your site network from, but with a VPN secured end to end (L2TP/IPsec) you can protect your core assets.
In a diverse computing environment it is hard to predict what devices will be used to access your network, so it is important to pick a standards-based solution rather than a proprietary offering. L2TP is an IETF standard (RFC 2661, RFC 3931), which gives it the widest possible interoperability with devices from many different vendors.
 
Layer-2 Tunneling:
Using Ethernet pseudowires and IPsec, L2TP can securely bridge Ethernet networks together across the Internet or another IP network.
Unlike an L2TPv2 tunnel, which carries only PPP, an L2TPv3 Ethernet pseudowire can carry any Ethernet traffic, not just IP. When bridged in this way the two remote Ethernet segments appear as if they were physically connected.
 
L2TP Protocol Version Bridging and Tunnel Switch:
ProL2TP supports tunnel switching, which allows ProL2TP to transfer data from an incoming tunnel to an outgoing tunnel. As well as supporting the newer L2TPv3 protocol, ProL2TP retains compatibility with the older L2TPv2 standard, so it can switch between network segments using either version.
Perhaps you have an older hardware-based solution which cannot be upgraded but represents a significant investment to replace. ProL2TP can bridge L2TPv2 tunnels from that device to your L2TPv3 tunnel destination.
ISP Network:
L2TP can be used to connect ISP subscribers back to their ISP. PPPoE and PPPoA are commonly used protocols across "the last mile" which connects an Internet subscriber's router to their local exchange. ProL2TP includes a sophisticated access concentrator, which can accept incoming subscriber PPP connections, authenticate the connections using RADIUS, and route the connections to the ISP based on the RADIUS response.
ProL2TP can be used to replace the expensive proprietary hardware usually used for this purpose with suitably specified off-the-shelf commodity hardware. With its plugin and management APIs, ProL2TP allows you to integrate it with your accounting and billing systems.

