Layer 2 Tunnel Protocol

Layer 2 Tunneling Protocol (L2TP) connections, which are also called virtual lines, provide cost-effective access for remote users by allowing a corporate network systems to manage the IP addresses assigned to its remote users. Further, L2TP connections provide secure access to your system or network when you use them in conjunction with IP Security (IPSec).

L2TP supports two tunnel modes: the voluntary tunnel and the compulsory tunnel. The major difference between these two tunnel modes is the endpoint. On the voluntary tunnel, the tunnel ends at the remote client whereas the compulsory tunnel ends at the Internet Service Provider (ISP).

With an L2TP compulsory tunnel, a remote host initiates a connection to its ISP. The ISP then establishes an L2TP connection between the remote user and the corporate network. Although the ISP establishes the connection, you decide how to protect the traffic by using VPN. With a compulsory tunnel, the ISP must support LT2P.

With an L2TP voluntary tunnel, the connection is created by the remote user, typically by using an L2TP tunneling client. As a result, the remote user sends L2TP packets to its ISP which forwards them on to the corporate network. With a voluntary tunnel, the ISP does not need to support L2TP. The scenario, Protect an L2TP voluntary tunnel with IPSec provides you with an example of how to configure a branch office system to connect to its corporate network through a gateway system with an L2TP tunnel protected by VPN.

You can view a visual presentation about the concept of L2TP voluntary tunnels protected by IPSec. This requires the Flash plug-in. Alternatively, you can use the HTML version of this presentation.

L2TP is actually a variation of an IP encapsulation protocol. The L2TP tunnel is created by encapsulating an L2TP frame inside a User Datagram Protocol (UDP) packet, which in turn is encapsulated inside an IP packet. The source and destination addresses of this IP packet define the endpoints of the connection. Because the outer encapsulating protocol is IP, you can apply IPSec protocols to the composite IP packet. This protects the data that flows within the L2TP tunnel. You can then apply Authentication Header (AH), Encapsulated Security Payload (ESP), and the Internet Key Exchange (IKE) protocol in a straightforward way.