L2TP is the method of choice for Windows 2000 VPNs. The Windows 2000 operating system has the components necessary to create a VPN built into the operating system. This can be an advantage for mobile users who connect via the Internet and need to create a secure connection to the home corporate network. L2TP is an enhancement of PPTP that uses technology from a Cisco protocol called Layer 2 Forwarding (L2F). The combination of these two protocols is documented in RFC 2662, "Layer Two Tunneling Protocol 'L2TP.'" L2TP uses UDP for sending user data packets as well as for maintenance messages used to manage the VPN connection. Because L2TP itself is only a tunneling protocol, the IPSec protocol, discussed previously in this chapter, is used for the actual encryption that protects the contents of the data traversing the tunnel.
Because UDP packets, rather than TCP packets, are used by L2TP, a session does not exist. Instead, L2TP uses sequence numbers for each message to make sure that packets are ordered correctly from the origination point to the destination.

L2TP Encapsulation

L2TP relies on the PPP protocol. The PPP datagram is encapsulated by L2TP by attaching an L2TP header directly in front of the PPP header. Because L2TP uses UDP, as you can probably guess, the UDP header is prefixed to the result. In Figure 50.2, you can see an overview of how the packet looks at this point.

Figure 50.2. The L2TP protocol transfers PPP datagrams using UDP as a transport protocol.
If you just want to create a tunnel, this level of encapsulation is all you need because the UDP packet will make a best-effort attempt to deliver the packet by passing it to the IP protocol for transmission on the routed network. However, because a VPN needs to provide some level of security for the payload, the IPSec protocol comes into play. The packet shown earlier in Figure 50.1 is encapsulated by IPSec by attaching the IPSec header and trailer to the packet before it is sent to the IP protocol. In Figure 50.3, you can see the format for the resulting datagram.

Figure 50.3. IPSec provides the encryption necessary to create a true VPN when used with L2TP.
Finally, UDP passes the resulting packet to IP for transmission on the network, just like any other IP packet. The source and destination addresses used by IP are the addresses of the VPN client and server.
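To make the layering concrete, here is an added example (not code from the book or from Windows 2000) that builds and then walks the UDP/L2TP/PPP stack described above, exactly the packet of Figure 50.2 before IPSec is applied. The UDP port 1701 and the RFC 2661 header layout (flag word, optional Length, Tunnel ID, Session ID, optional Ns/Nr) are assumptions of the example, and the PPP bytes are constructed. It shows why the IPSec step matters: without it, an inspector on the path can read every field, sequence numbers and PPP payload included.

```python
import struct

L2TP_UDP_PORT = 1701  # assumed IANA port for L2TP; not stated on this page
# Flag bits in the first 16-bit word of an L2TP header (RFC 2661 layout, assumed)
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200

def build_l2tp_data(ppp_frame: bytes, tunnel_id: int, session_id: int,
                    ns: int, nr: int) -> bytes:
    """Prefix a PPP datagram with an L2TP data header carrying Ns/Nr sequence numbers."""
    flags = L_BIT | S_BIT | 2            # T=0 (data message), Length + Ns/Nr present, Ver=2
    length = 12 + len(ppp_frame)         # 12-byte header when L and S are both set
    return struct.pack("!HHHHHH", flags, length, tunnel_id, session_id, ns, nr) + ppp_frame

def build_udp(payload: bytes, src_port: int = L2TP_UDP_PORT,
              dst_port: int = L2TP_UDP_PORT) -> bytes:
    """Prefix a UDP header; checksum left at zero, which IPv4 UDP permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def parse_l2tp_over_udp(datagram: bytes) -> dict:
    """Walk UDP -> L2TP -> PPP on a cleartext datagram, as a monitoring sensor would."""
    src, dst, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    if udp_len != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    body = datagram[8:]
    (flags,) = struct.unpack("!H", body[:2])
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 header")
    pos = 2
    info = {"udp_ports": (src, dst), "control": bool(flags & T_BIT)}
    if flags & L_BIT:
        (info["length"],) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    info["tunnel_id"], info["session_id"] = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
    if flags & S_BIT:                    # sequence numbers the page describes
        info["ns"], info["nr"] = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
    if flags & O_BIT:                    # optional offset pad before the payload
        (off,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + off
    info["ppp"] = body[pos:]             # the inner PPP datagram, fully visible here
    return info

# Constructed sample: PPP address/control 0xFF03, protocol 0x0021 (IP), two IP bytes
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"\x45\x00"

def demo() -> dict:
    """Encapsulate the sample PPP frame and recover it by parsing the cleartext datagram."""
    datagram = build_udp(build_l2tp_data(SAMPLE_PPP, tunnel_id=7, session_id=9, ns=3, nr=1))
    return parse_l2tp_over_udp(datagram)
```

Everything demo() recovers is what an IPSec ESP wrapper (Figure 50.3) would hide from the same observer.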