Site home page
(news and notices)

Get alerts when Linktionary is updated

Book updates and addendums

Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)

Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!

Contribute to this site

Electronic licensing info



L2TP (Layer 2 Tunneling Protocol)

Related Entries    Web Links    New/Updated Information

Search Linktionary (powered by FreeFind)

Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

This topic continues in "The Encyclopedia of Networking and Telecommunications."

L2TP can help reduce the cost of remote dial-up networking for users who normally dial into a corporate network over a long-distance connection. L2TP is often called a "virtual dial-up protocol" because it extends a dial-up PPP session across the Internet. Consider the traditional dial-up session without tunneling: a remote user in Los Angeles who needs to connect with the corporate network in New York dials the home office remote access telephone number. A dedicated circuit is created across the PSTN from L.A. to New York. Obviously, this is not a cost-effective way to access the corporate network. In addition, the long-distance call does not meet the digital requirements for V.90 modems, so the data rate is usually around 33 Kbits/sec or worse, not the 56 Kbits/sec rate that is possible with V.90 modems. See "Modems" for an explanation.

With L2TP, the remote user connects to the Internet via a local ISP or by using one of the national ISPs that have local dial-up numbers throughout the country. As shown in the following illustration, native PPP runs over the dial-up link between the user and the CO. An L2TP access concentrator (LAC) then virtually extends PPP across the Internet to an L2TP network server (LNS), which is located at the corporate network. This is where the PPP session officially terminates.

  1. The client dials the ISP using an analog phone or ISDN. In this case, the client's computer is configured with PPP, although a client may also run L2TP directly.

  2. When the call arrives at the ISP's LAC, the LAC performs a call check by contacting a RADIUS server. The RADIUS server responds with an accept or reject message. If accepted, the reply will also specify that an L2TP tunnel is needed.
  3. The LAC creates a tunnel to the LNS at the client's corporate site. This is done by sending a message to UDP port 1701. An authentication procedure takes place between the LAC and the LNS.

  4. A tunnel is set up and the client begins communicating with the corporate LCP using PPP. The client first sends PPP authentication information to the LCP, which in turn authenticates the client.

The client's PPP frames are encapsulated into IP packets with an L2TP tunneling header and sent across the Internet connection. The LCP strips off the L2TP header to access the PPP frames. Note that the LAC does not authenticate the client during the set-up phase, but it does check with RADIUS to make sure that the dial-up session is allowed. The client is authenticated by the corporate server, just as if he or she logged on from a node directly attached to that network.

L2TP is used by carriers to provide outsourcing services. The carrier establishes a pool of modems (usually in a RAC-remote access concentrator) and leases the modems to ISPs. Many ISPs want to establish a wider presence by expanding their coverage areas. Rather than building new PoPs in those areas, they can lease modems that exist in the carrier's CO. The carrier then forwards dial-up subscriber traffic to the ISP's PoP over L2TP tunnels. Redback Networks is one such vendor that makes equipment for doing this as shown in the following illustration. When a client dials in, an L2TP tunnel session is set up across a link to the smaller service provider or corporate site. The corporate end of the tunnel may be accessible across a variety of networks, including frame relay, ATM, or the Internet. The following illustrates a situation in which multiple smaller ISPs lease modems in a pool that exist at a carrier CO. L2TP tunnels exist between the carriers RAS server and the smaller service providers LNSs.

Keep in mind that PPP is a point-to-point protocol, meaning that it normally operates across a circuit with a termination point at both ends. L2TP extends the PPP session "virtually" across an IP network where it terminates at an NAS (network access server). The NAS is usually at the corporate network site to which the remote user wishes to connect. Because the PPP packets traverse the Internet, no long-distance charges are incurred. This allows the remote user to dial in to a local service provider network from any location and connect with the corporate network. The advantage for the corporate network is that PPP terminates at its site, not at the local carrier central office or ISP that the remote user initially dials into. This allows the enterprise to run its own RADIUS server, which provides AAA (authentication, authorization, and accounting).

L2TP is not quite a VPN (virtual private network) technology, although it is close. L2TP in its native form lacks the security of a true VPN. However, RFC 2888 (Secure Remote Access with L2TP, August 2000), explains how L2TP can be combined with IPSec (IP Security) to create a secure environment.

PPTP (point-to-point tunneling protocol) is a Microsoft-developed protocol that provides virtual dial-up services similar to L2TP. L2TP was derived from PPTP features and features of an earlier Cisco protocol called L2F (Layer 2 Forwarding). L2TP supports TACACS+ and RADIUS authentication. PPTP does not. L2TP also supports more protocols than PPTP, including IPX, SNA, and others. Microsoft continues to support PPTP as a tunneling protocol for its Windows products, but L2TP is preferred over PPTP. IPSec is now the Internet standard for tunneling and secure VPNs. While L2TP is still used, IPSec is preferred when full VPN support is required. As mentioned, RFC 2888 describes  how L2TP and IPSec can be used together.

The following RFCs describe L2TP:

  • RFC 2661 (Layer Two Tunneling Protocol 'L2TP', August 1999)

  • RFC 2809 (Implementation of L2TP Compulsory Tunneling via RADIUS, April 2000)

  • RFC 2888 (Secure Remote Access with L2TP, August 2000)

  • RFC 3070 (Layer Two Tunneling Protocol (L2TP) over Frame Relay, February 2001)

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.