L2TP (Layer 2 Tunneling Protocol) is one of the oldest VPN protocols. Despite its age, it's still widely available – so much so that you've most likely either already used it, or at the very least seen it supported by your VPN gateway.
In this post, we go through the origins of L2TP VPN, as well as its benefits and drawbacks, and whether it has a future competing alongside more modern protocols.
The origins of L2TP
PPTP, standardized in 1999, was an attempt by Microsoft and a group of network equipment vendors (3Com, Ascend Communications, Copper Mountain Networks, and ECI Telematics) to re-use the existing PPP dial-in protocol as a VPN protocol over the internet. The goal was to keep existing PPP network equipment relevant and to let existing PPP dial-in setups migrate from the phone network to the internet.
The biggest challenge those companies faced was adding secure authentication and encryption to PPP, since an internet connection is far easier to eavesdrop on and tamper with than a physical phone line. To find out how they tackled that challenge, check out our history of PPTP blog post.
However, Cisco also wanted to keep PPP relevant, and had a different idea. Cisco teamed up with Microsoft, Ascend Communications, and Redback Networks to propose an alternative solution, which was standardized as L2TP (RFC 2661) in the very same year as PPTP.
Instead of creating a new protocol that first negotiates a GRE tunnel and then runs PPP over the (somewhat obscure) GRE protocol, they proposed to simply wrap PPP in a layer 2 tunneling protocol and to leave authentication and encryption to the IPsec protocol suite, which had already been standardized in 1998, one year before PPTP, and whose core competency is exactly that.
Rather than using IPsec in tunnel mode, which tunnels whole IP packets from one network to another but can only carry IP traffic, the idea was to use IPsec in transport mode. Transport mode only protects the payload exchanged between two endpoints, similar to what TLS does today, but that is enough to serve as the secure transport for a VPN between two gateways, or between a VPN client and a gateway.
Within the IPsec suite, IKE authenticates the two peers and negotiates keys and algorithms (the security associations), while ESP then provides confidentiality and integrity for every packet that follows.
To learn more about how the IPsec protocol suite works, check out our deep dive blog post about IKEv2.
PPP strikes back
With encryption and authentication taken care of by IPsec, there was no need to modify PPP or add non-standard extensions to it. PPP could be used exactly as over a modem dial-up connection, except that some protocol layer was still needed underneath to set up the point-to-point link and to let the PPP session terminate at a different endpoint than the one terminating the physical link or the IPsec connection. In L2TP terms, that is the split between the access concentrator (LAC), where the call arrives, and the network server (LNS), where the PPP session is actually handled.
Running over IPsec was considered optional: if the link was a phone line or maybe a private (A)DSL line and no additional security was required, L2TP could run directly over it. Even then a tunneling layer was desired, in case PPP did not terminate at the same gateway as the connection itself.
L2TP VPN explained
In very simple terms, L2TP is the layer between PPP and whatever transports the data to the destination. L2TP itself provides no encryption, so today that transport is always IPsec; you certainly never want an unencrypted VPN running over the public internet.
Fun fact: The correct name for the protocol when IPsec is used is actually "L2TP over IPsec" (the combination is specified in RFC 3193), but since IPsec is the only way this protocol is still in use today, it is commonly referred to as just "L2TP" and the use of IPsec is implied.
So let's summarize: When people speak of an L2TP connection today, what they actually mean is:
- A PPP tunnel,
- running on top of an L2TP layer 2 endpoint-to-endpoint connection (UDP port 1701),
- running on top of an IPsec transport-mode connection (ESP; behind NAT wrapped in UDP port 4500).
Since the PPP tunnel typically carries IP traffic and the IPsec connection itself runs over an IP network such as the internet, there is a full IP protocol stack both at the very top and at the very bottom of the three protocols above.
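To make the layering concrete, here is a small parser that walks down the stack described above: it decodes an L2TPv2 data message, peels off the PPP header inside it and hands back the inner IP packet. This is an added example for this post, not code from the original article or from VPN Tracker. Field layouts follow RFC 2661 (the L2TP data header) and RFC 1661 (the PPP protocol field); the sample packet at the bottom is constructed for the example and would normally arrive inside an ESP-protected UDP/1701 datagram.

```python
"""Walk down the L2TP layering: L2TP data header -> PPP header -> inner IP packet.

Added example for this post; not code from the original article or from
VPN Tracker. Field layouts follow RFC 2661 (L2TPv2 data message header) and
RFC 1661 (PPP protocol field). The packet bytes below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 1661 protocol numbers for payloads commonly seen inside an L2TP session
PPP_PROTOCOLS = {
    0x0021: "IPv4",
    0x0057: "IPv6",
    0x8021: "IPCP",   # IP address / DNS assignment for the client
    0xC021: "LCP",    # link negotiation (authentication protocol, ACFC/PFC, ...)
    0xC023: "PAP",
    0xC223: "CHAP",
}

# Bits of the L2TPv2 Flags/Version word (RFC 2661, section 3.1)
FLAG_T = 0x8000  # 1 = control message, 0 = data message
FLAG_L = 0x4000  # Length field present
FLAG_S = 0x0800  # Ns/Nr sequence fields present
FLAG_O = 0x0200  # Offset Size field present
VER_MASK = 0x000F


@dataclass(frozen=True)
class L2tpData:
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    ppp_protocol: int
    payload: bytes  # whatever PPP carries, here the inner IP packet

    @property
    def ppp_protocol_name(self) -> str:
        return PPP_PROTOCOLS.get(self.ppp_protocol, f"0x{self.ppp_protocol:04x}")


def parse_l2tp_data(msg: bytes) -> L2tpData:
    """Parse one L2TPv2 data message and the PPP frame it carries."""
    if len(msg) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack_from("!H", msg, 0)[0]
    if flags & VER_MASK != 2:
        raise ValueError(f"unsupported L2TP version {flags & VER_MASK}")
    if flags & FLAG_T:
        raise ValueError("control message (tunnel/session setup), not a data message")

    pos = 2
    if flags & FLAG_L:
        length = struct.unpack_from("!H", msg, pos)[0]
        pos += 2
        if length > len(msg):
            raise ValueError("L2TP length exceeds datagram")
        msg = msg[:length]  # bytes beyond Length are not part of the message
    tunnel_id, session_id = struct.unpack_from("!HH", msg, pos)
    pos += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack_from("!HH", msg, pos)
        pos += 4
    if flags & FLAG_O:
        offset = struct.unpack_from("!H", msg, pos)[0]
        pos += 2 + offset  # skip the Offset Size field and the padding it announces

    # PPP frame without HDLC flags/FCS: [FF 03] protocol payload
    ppp = msg[pos:]
    if ppp[:2] == b"\xff\x03":        # Address/Control, absent when ACFC was negotiated
        ppp = ppp[2:]
    if not ppp:
        raise ValueError("empty PPP frame")
    if ppp[0] & 1:                    # odd first byte: one-byte protocol field (PFC)
        proto, ppp = ppp[0], ppp[1:]
    else:
        proto, ppp = struct.unpack_from("!H", ppp, 0)[0], ppp[2:]
    return L2tpData(tunnel_id, session_id, ns, nr, proto, ppp)


# Constructed sample: data message with Length and sequence numbers, carrying a
# PPP frame with protocol 0x0021 (IPv4) and a minimal 20-byte IPv4 header.
INNER_IP = bytes.fromhex("45000014000100004001" "0000" "0a000001" "0a000002")
PPP_FRAME = b"\xff\x03\x00\x21" + INNER_IP
L2TP_HEADER = struct.pack("!HHHHHH", 0x4802, 12 + len(PPP_FRAME), 1, 1, 3, 7)
SAMPLE_MESSAGE = L2TP_HEADER + PPP_FRAME


if __name__ == "__main__":
    d = parse_l2tp_data(SAMPLE_MESSAGE)
    print(f"tunnel {d.tunnel_id} session {d.session_id} Ns={d.ns} Nr={d.nr} "
          f"PPP protocol {d.ppp_protocol_name}, inner packet {len(d.payload)} bytes")
```

Note that none of these fields are encrypted by L2TP itself; everything the parser reads is only protected when the whole UDP/1701 datagram sits inside ESP.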
If this sounds like a whole lot of protocol overhead, that's because it is.
Drawbacks of L2TP VPN
L2TP VPN connections have by far the largest protocol overhead of all VPN protocols still widely in use today. As explained above, there is a historical reason for it (different termination endpoints for different protocol layers), but since today all protocol layers terminate at the same VPN gateway, this overhead no longer serves a purpose. In practice it only wastes bandwidth, reduces the usable MTU inside the tunnel (and causes fragmentation if the client's MTU isn't lowered accordingly), makes the protocol slower to process, and turns troubleshooting into a nightmare, since a problem on any one of the protocol layers can prevent the connection from coming up or working as expected.
Moreover, gateways often do not expose verbose logging for every one of these layers. Many gateways, for example, log the PPP phase of an L2TP connection reasonably well but say very little about the preceding IPsec negotiation, which is where a mismatched pre-shared key or proposal fails first.
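The overhead argument is easy to put in numbers. The following calculator, an added example for this post rather than code from the original article or from VPN Tracker, models the per-packet encapsulation of L2TP over IPsec (transport mode, NAT-T) against a plain IPsec tunnel and derives the largest inner packet that still fits a given link MTU. Header sizes are taken from the specifications (IPv4, UDP, ESP per RFC 4303, NAT-T UDP encapsulation per RFC 3948, L2TP per RFC 2661, PPP per RFC 1661); the two cipher suites, the 1400-byte sample packet and the 1500-byte link MTU are assumptions chosen for illustration, and the L2TP header is assumed at its 6-byte minimum (sequence numbers or a Length field add more).

```python
"""Per-packet overhead of L2TP/IPsec versus plain IPsec tunnel mode.

Added example for this post; not code from the original article or from
VPN Tracker. Header sizes come from the specifications (IPv4 RFC 791, UDP
RFC 768, ESP RFC 4303, NAT-T RFC 3948, L2TP RFC 2661, PPP RFC 1661); the
IV/ICV lengths are those of the two named cipher suites. The 1400-byte
sample packet and the 1500-byte link MTU are assumptions.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header without options
UDP_HDR = 8
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # Pad Length + Next Header
L2TP_DATA_HDR = 6  # Flags/Version, Tunnel ID, Session ID; Length/Ns/Nr/Offset add more
PPP_HDR = 4        # Address, Control, Protocol; ACFC/PFC can shrink this to 1 byte


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int   # explicit IV carried after the ESP header
    icv_len: int  # integrity check value appended after the trailer
    align: int    # (payload + padding + trailer) must be a multiple of this


# ESP requires 4-byte alignment of the trailer; CBC additionally needs whole blocks.
AES_CBC_SHA1 = EspSuite("AES-CBC-128 + HMAC-SHA1-96", iv_len=16, icv_len=12, align=16)
AES_GCM_128 = EspSuite("AES-GCM-128 (16-byte ICV)", iv_len=8, icv_len=16, align=4)


def esp_padding(plaintext_len: int, align: int) -> int:
    """Padding bytes ESP inserts so that payload + pad + 2-byte trailer is aligned."""
    return (-(plaintext_len + ESP_TRAILER)) % align


def packet_size(inner_len: int, suite: EspSuite, l2tp: bool, nat_t: bool = True) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    # L2TP/IPsec: ESP in transport mode protects UDP/1701 + L2TP + PPP + inner IP.
    # Plain IPsec tunnel mode: ESP protects the inner IP packet directly.
    protected = inner_len + (UDP_HDR + L2TP_DATA_HDR + PPP_HDR if l2tp else 0)
    esp_body = protected + esp_padding(protected, suite.align) + ESP_TRAILER
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0)  # NAT-T wraps ESP in UDP/4500
    return outer + ESP_HDR + suite.iv_len + esp_body + suite.icv_len


def overhead(inner_len: int, suite: EspSuite, l2tp: bool, nat_t: bool = True) -> int:
    """Bytes added on top of the inner packet."""
    return packet_size(inner_len, suite, l2tp, nat_t) - inner_len


def max_inner_size(link_mtu: int, suite: EspSuite, l2tp: bool, nat_t: bool = True) -> int:
    """Largest inner IP packet that fits one outer datagram without fragmentation.

    Padding makes the overhead non-constant, so search downward instead of
    subtracting a fixed number.
    """
    size = link_mtu
    while size > 0 and packet_size(size, suite, l2tp, nat_t) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for suite in (AES_CBC_SHA1, AES_GCM_128):
        for l2tp in (True, False):
            label = "L2TP/IPsec" if l2tp else "IPsec tunnel"
            print(f"{suite.name:28} {label:13} overhead for a 1400-byte packet: "
                  f"{overhead(1400, suite, l2tp):3d} B, "
                  f"max inner size at MTU 1500: {max_inner_size(1500, suite, l2tp)} B")
```

With AES-CBC and HMAC-SHA1 the L2TP layers cost 88 bytes per 1400-byte packet against 72 for a plain IPsec tunnel, and the inner MTU drops from 1422 to 1404 bytes; the 18-byte difference is exactly the UDP/1701, L2TP and PPP headers. The calculator is also a quick sanity check when a client's MTU has to be set by hand.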
How does L2TP compare to other VPN protocols?
Unlike with PPTP, security is the one thing L2TP users don't have to worry about. Security is provided entirely by IPsec, so L2TP over IPsec is as secure as a plain IPsec tunnel using the same IKE version, authentication method, and cipher suites. That also means it is only as strong as the IPsec configuration beneath it: a pre-shared key that every client shares, or an outdated IKEv1 proposal, weakens L2TP/IPsec exactly as it would weaken any other IPsec deployment. PPP's own user authentication (e.g. CHAP) runs inside the protected tunnel, so its weaknesses are shielded by ESP. The only difference to a plain IPsec tunnel is that the latter does not need an intermediate protocol like PPP or L2TP, and so has far less protocol overhead and is easier to troubleshoot. This clearly makes L2TP the better PPP-based VPN if for some reason sticking to PPP is still a requirement for you.
However, if you aren't interested in using PPP, there is little to no reason to use L2TP, with one exception: L2TP offers the broadest client support of any VPN protocol. Pretty much no operating system or handheld device ships without it.
For a long time, if a gateway vendor supported only one client VPN protocol, it was L2TP; quite frankly, it was often the only one they offered at all. That begs the question why they didn't offer raw IPsec as well, since an IPsec implementation had to be present to support L2TP anyway.
The answer can be found in our IKEv2 blog post: the original IKE had no standard way to authenticate individual users or to push configuration (addresses, DNS servers) to a client, whereas PPP had both built in from day one, with CHAP/PAP for user authentication and IPCP for address assignment. Those two features, user authentication and automatic configuration, are what made PPP so appealing in comparison. IKEv2 later closed that gap with EAP authentication and the Configuration Payload.
But times are changing. With new, very client-friendly protocols such as OpenVPN and WireGuard, L2TP is rapidly losing popularity, and in professional environments tunneling directly over IPsec (IKEv2) provides the same level of security with far less protocol overhead, meaning higher speed, higher throughput, and easier troubleshooting.
Is this the end for L2TP VPN?
Why VPN Tracker?
VPN Tracker is the best secure remote access solution for Mac, iPhone and iPad and is compatible with the most popular VPN gateways, including UniFi, NETGEAR, TP Link, Draytek, and many more.
Your VPN Tracker benefits
- Securely connect with your home and office networks
- Use your own gateway
- Support for L2TP over IPsec, IPsec (IKEv1 + IKEv2), PPTP, OpenVPN, WireGuard®, and more!
- Preconfigured profiles for 300+ VPN devices
- Expert productivity features for teams
- For Mac, iPhone, iPad