Layer Two Tunneling Protocol (L2TP)


L2TP is one of two protocols with built-in support in Windows XP and Windows 2000. Users running either version of Windows can use the built-in VPN clients to connect via the Internet and create a secure connection to the home corporate network.

L2TP is an enhancement of PPTP that also uses technology from a Cisco protocol called Layer 2 Forwarding (L2F). The combination of these two protocols is documented in RFC 2661, "Layer Two Tunneling Protocol 'L2TP.'" L2TP uses UDP both for sending user data packets and for the control messages used to manage the VPN connection. Because L2TP itself is only a tunneling protocol and provides no encryption or integrity protection of its own, the IPSec protocol, discussed previously in this chapter, is used for the actual encryption that protects the contents of the data traversing the tunnel.

Note

A true VPN should provide both a tunnel, which is a method for encapsulating another protocol's datagram or packet, and some kind of encryption to protect the contents of the data being transferred. However, it is possible to create a tunnel that does not encrypt the data packet at all. In such a case, the IPSec AH protocol, discussed earlier in this chapter, can provide an integrity check on the header information and packet contents so that any alteration during transit is detected; L2TP by itself offers no such check. This type of tunnel is not a true VPN, because anyone on the path can still read the payload, but it does give you some assurance that the data sent from one end of the connection arrives at the other end unaltered. For confidentiality, the data should also be encrypted, using IPSec ESP.


Because L2TP uses UDP packets rather than TCP packets, there is no transport-layer connection to guarantee that messages arrive, or arrive in order. Instead, L2TP numbers its messages itself: every control message carries sequence numbers (Ns, the number of this message, and Nr, the next number expected from the peer) so that lost or reordered control messages can be detected and retransmitted, and data messages may optionally carry the same fields so that PPP frames are delivered in order from the origination point to the destination.

L2TP Encapsulation

L2TP relies on the PPP protocol. The PPP datagram is encapsulated by L2TP by attaching an L2TP header directly in front of the PPP header. Because L2TP uses UDP, as you can probably guess, the UDP header is prefixed to the result. In Figure 46.2, you can see an overview of how the packet looks at this point.

Figure 46.2. The L2TP protocol transfers PPP datagrams using UDP as a transport protocol. [UDP Header | L2TP Header | PPP Header | PPP Payload Data]


If you just want to create a tunnel, this level of encapsulation is all you need. The UDP datagram (L2TP uses UDP port 1701) is handed to the IP protocol, which makes a best-effort attempt to deliver it across the routed network; nothing at this stage authenticates or encrypts the PPP frame inside.
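The UDP | L2TP | PPP stacking shown in Figure 46.2, together with the Ns/Nr sequence numbers described above, as an added example that is not code from the book: a small Python builder and parser for L2TPv2 messages laid out per RFC 2661, with the UDP header and its checksum computed over the IPv4 pseudo-header. The addresses, tunnel and session IDs and the PPP payload are constructed values chosen for illustration.

```python
"""Build and parse L2TPv2 (RFC 2661) messages carried in UDP, as the text describes.
Added example; addresses, IDs and payloads are constructed, not captured traffic."""
import socket
import struct

L2TP_PORT = 1701          # UDP port registered for L2TP
L2TP_VERSION = 2
# Flag bits in the first 16-bit word of the L2TP header (RFC 2661, section 3.1)
FLAG_T = 0x8000           # 1 = control message, 0 = data message
FLAG_L = 0x4000           # Length field present
FLAG_S = 0x0800           # Ns/Nr sequence fields present
FLAG_O = 0x0200           # Offset Size field present
VER_MASK = 0x000F
PPP_PROTO_IPV4 = 0x0021   # PPP Protocol value for an IPv4 packet


def build_ppp(protocol, data):
    """HDLC-style PPP frame: Address 0xFF, Control 0x03, 2-byte Protocol, then data."""
    return struct.pack("!BBH", 0xFF, 0x03, protocol) + data


def build_l2tp(payload, tunnel_id, session_id, control=False, ns=None, nr=None):
    """Prefix an L2TP header. Control messages must carry Length and Ns/Nr;
    data messages carry Ns/Nr only when the caller supplies both."""
    flags = L2TP_VERSION
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages require Ns and Nr")
        flags |= FLAG_T | FLAG_L | FLAG_S
    elif ns is not None and nr is not None:
        flags |= FLAG_S
    body = struct.pack("!HH", tunnel_id, session_id)
    if flags & FLAG_S:
        body += struct.pack("!HH", ns, nr)
    body += payload
    if flags & FLAG_L:   # Length counts the entire L2TP message, header included
        return struct.pack("!HH", flags, 4 + len(body)) + body
    return struct.pack("!H", flags) + body


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated L2TP header")
    return struct.unpack_from("!H", buf, pos)[0]


def parse_l2tp(msg):
    """Parse an L2TP message, rejecting flag combinations RFC 2661 forbids."""
    flags = _u16(msg, 0)
    if flags & VER_MASK != L2TP_VERSION:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    control = bool(flags & FLAG_T)
    if control and (not flags & FLAG_L or not flags & FLAG_S or flags & FLAG_O):
        raise ValueError("control message must set L and S and clear O")
    pos = 2
    if flags & FLAG_L:
        length = _u16(msg, pos)
        pos += 2
        if length > len(msg):
            raise ValueError("Length field exceeds datagram")
        msg = msg[:length]          # ignore anything after the declared length
    tunnel_id, session_id = _u16(msg, pos), _u16(msg, pos + 2)
    pos += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = _u16(msg, pos), _u16(msg, pos + 2)
        pos += 4
    if flags & FLAG_O:              # skip Offset Size and the padding it announces
        pos += 2 + _u16(msg, pos)
    if pos > len(msg):
        raise ValueError("offset runs past end of message")
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": msg[pos:]}


def _fold(data):
    """One's-complement sum of 16-bit words, as used by the UDP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo(src_ip, dst_ip, udp_len):
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)


def build_udp(src_ip, dst_ip, l2tp_msg, sport=L2TP_PORT, dport=L2TP_PORT):
    """UDP header in front of the L2TP message; checksum covers the IPv4 pseudo-header."""
    length = 8 + len(l2tp_msg)
    seg = struct.pack("!HHHH", sport, dport, length, 0) + l2tp_msg
    csum = (~_fold(_pseudo(src_ip, dst_ip, length) + seg)) & 0xFFFF
    return seg[:6] + struct.pack("!H", csum or 0xFFFF) + seg[8:]


def parse_udp(src_ip, dst_ip, seg):
    """Verify length and checksum; return (sport, dport, payload)."""
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack_from("!HHHH", seg)
    if length < 8 or length > len(seg):
        raise ValueError("bad UDP length")
    seg = seg[:length]
    if csum and _fold(_pseudo(src_ip, dst_ip, length) + seg) != 0xFFFF:
        raise ValueError("UDP checksum mismatch")
    return sport, dport, seg[8:]


def roundtrip_data_message():
    """Client-to-server data message: UDP | L2TP | PPP | payload, built then parsed back."""
    ppp = build_ppp(PPP_PROTO_IPV4, b"constructed IPv4 packet bytes")
    l2tp = build_l2tp(ppp, tunnel_id=7, session_id=42)
    dgram = build_udp("192.0.2.10", "198.51.100.1", l2tp)   # documentation addresses
    _, _, inner = parse_udp("192.0.2.10", "198.51.100.1", dgram)
    return parse_l2tp(inner)
```

Nothing in this stack authenticates the tunnel endpoints or the payload: the only checks a receiver can make are the UDP checksum and the header consistency rules the parser enforces, which is why the page goes on to wrap the datagram in IPSec.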

However, because a VPN needs to provide some level of security for the payload, the IPSec protocol comes into play. The packet shown in Figure 46.2 is encapsulated by IPSec ESP, which attaches the ESP header in front of it and the ESP trailer (padding, the next-header field, and the integrity check value) after it before the packet is sent to the IP protocol. In Figure 46.3, you can see the format for the resulting datagram.

Figure 46.3. IPSec provides the encryption necessary to create a true VPN when used with L2TP.


Finally, the resulting packet is passed to IP for transmission on the network, just like any other IP packet. In this transport-mode arrangement the source and destination addresses in the IP header are the addresses of the VPN client and server, and the IP header's Protocol field identifies ESP (protocol 50) rather than UDP. The UDP header and everything after it are covered by the ESP integrity check, so the tunnel endpoints can detect tampering as well as decrypt the payload.
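The ESP framing just described, and the integrity-only tunnel the Note earlier in this section mentions, as an added example that is not code from the book: Python that wraps a constructed UDP/L2TP segment in an RFC 4303 ESP transport-mode packet using the NULL encryption transform (RFC 2410) with HMAC-SHA1-96 for the integrity check value, and unwraps it with a constant-time ICV comparison, the RFC 4303 anti-replay window and a padding check. The key, SPI and packet bytes are constructed; NULL encryption is used only so the block runs without a crypto library and shows the integrity-only case. A real VPN replaces it with a cipher, and a real receiver would look the key up by SPI from its security association table, which is omitted here.

```python
"""ESP (RFC 4303) transport-mode framing around a UDP/L2TP packet, with NULL encryption
(RFC 2410) and HMAC-SHA1-96 integrity. Added example, not from the book; the key and
packet bytes are constructed. NULL encryption gives the integrity-only tunnel the Note
describes; a real VPN replaces it with a cipher such as AES."""
import hashlib
import hmac
import struct

PROTO_ESP = 50           # IP Protocol value carried by the outer IP header
NEXT_HEADER_UDP = 17     # restored as the IP protocol after decapsulation
ICV_LEN = 12             # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits
WINDOW = 64              # anti-replay window size in packets


def _pad(n):
    """RFC 4303 default padding bytes 1,2,3,... so the receiver can check them."""
    return bytes(range(1, n + 1))


def esp_encapsulate(auth_key, spi, seq, inner, next_header=NEXT_HEADER_UDP):
    """SPI | Seq | payload | padding | pad len | next header | ICV."""
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("ESP sequence numbers start at 1 and must not wrap")
    pad_len = (-(len(inner) + 2)) % 4     # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", spi, seq) + inner + _pad(pad_len)
            + struct.pack("!BB", pad_len, next_header))
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class AntiReplay:
    """RFC 4303 sliding window: rejects duplicates and packets older than the window."""

    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                                        # never a valid ESP sequence
            return False
        if seq > self.top:                                  # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        age = self.top - seq
        if age >= self.size or (self.bitmap >> age) & 1:   # too old, or already seen
            return False
        self.bitmap |= 1 << age
        return True


def esp_decapsulate(auth_key, pkt, replay):
    """Verify ICV in constant time, then the replay window, then padding.
    Returns (spi, next_header, inner)."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered or wrong key")
    spi, seq = struct.unpack_from("!II", body)
    if not replay.accept(seq):                # only after the ICV passed, per RFC 4303
        raise ValueError("replayed or stale sequence number %d" % seq)
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    padded = body[8:-2]
    if pad_len > len(padded) or padded[len(padded) - pad_len:] != _pad(pad_len):
        raise ValueError("bad ESP padding")
    return spi, next_header, padded[:len(padded) - pad_len]


def try_decapsulate(auth_key, pkt, replay):
    """None instead of an exception, for a receiver that silently drops bad packets."""
    try:
        return esp_decapsulate(auth_key, pkt, replay)
    except ValueError:
        return None
```

With NULL encryption the UDP/L2TP/PPP bytes sit in the clear between the ESP header and trailer, so a sniffer still reads them; what the receiver gains is the ICV, which fails on any modification or wrong key, and the window, which rejects a captured packet played back later.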




Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2006
Pages: 411