Terminal Services  «Prev  Next»

Lesson 6 Layer Two Tunneling Protocol
ObjectiveDifferentiate between L2TP and PPTP.

Layer Two Tunneling Protocol

Encrypted tunnels

L2TP is very similar to PPTP in that its primary purpose is to create an encrypted tunnel through which data can pass without risk of interception by an unwanted third party. Tunnels can be created over public networks, such as the Internet. You can tunnel communications within an intranet as well.

Tunneling is not security

Its important to understand that tunneling is a process that is independent of security. Many MCSEs who learn about PPTP during their Windows NT 4.0 training misconstrue tunneling as a security process, which it is not.

How tunneling Works

A tunneling protocol takes packets and wraps them in its own headers, which explains how you can create tunnels that run on TCP/IP based networks. But inside the tunnel, the network protocol might be NetBEUI or NWLink. The NetBEUI headers are encapsulated by the tunnel headers, and run "inside" the tunnel. When the packet gets to the end of the tunnel, the tunnel header is removed, and the NetBEUI packet travels through the destination network as a native NetBEUI packet again.


L2TP differs from PPTP in several ways. First, PPTP only secures the link; only the information passing from the PPTP client to the PPTP server is protected. PPTP uses the MPPE encryption algorithm to obtain its security. One of the major advantages that L2TP/IPSec has over PPTP/MPPE is that data is protected from source to destination, not just when inside the tunnel. PPTP only secures the link; only the information passing from the PPTP client to the PPTP server is protected. PPTP uses the MPPE encryption algorithm to obtain its security. L2TP, like PPTP, provides a secure tunnel by cooperating with other encryption technologies, such as IPSec. IPSec does not require L2TP, but its encryption functions complement L2TP to create a secure VPN solution. Both PPTP and L2TP use PPP to provide an initial envelope for the data and then append additional headers for transport through the transit internetwork. Some of the key differences between PPTP and L2TP include: PPTP requires an IP-based transit internetwork. L2TP requires only that the tunnel media provide packet-oriented, point-to-point connectivity. L2TP can use IP, Frame Relay permanent virtual circuits (PVCs), X.25 VCs, or asynchronous transfer mode (ATM) VCs to operate over an IP network. However, to-date the only implementation of L2TP has been with IP as the network layer protocol. Therefore, in practice, L2TP's greater connectivity options do not represent a real world difference at this time. L2TP supports header compression, whereas PPTP does not. When header compression is enabled, L2TP operates with four bytes of overhead, as compared to six bytes for PPTP. This allows L2TP to transfer the actual data faster, because there is less protocol overhead. L2TP supports tunnel authentication, whereas PPTP does not. However, when either PPTP or L2TP is used in conjunction with IPSec, IPSec provides tunnel authentication so that layer 2 tunnel authentication is not necessary. IPSec is a layer 3 protocol. Layer 2 (datalink layer) authentication is performed by authentication protocols such as CHAP ,MS-CHAP, or EAP. PPTP uses MPPE encryption. L2TP requires IPSec for encryption. The table below summarizes these distinctions.

Terminal Services
Creates an encrypted tunnelXX
Requires IP-based transit internetworkNot required. (Only implementation is IP based, however)X
Requires packet-oriented, point-to-point connectivityX 
Supports header compressionX 
Supports tunnel authenticationX 
Supports tunnel authentication with IPSecXX
Uses MPPE encryption X
Uses IPSec for encryptionX 

Choosing the Best Protocol

As an administrator, you are most concerned about when you should employ one protocol over another. Overall, the L2TP/IPSec combination offers many advantages over the PPTP/MPPE protocols. L2TP provides host-to-host encryption, so that data remains encrypted even after reaching a tunnel endpoint at the destination network's VPN server. The encrypted data remains encrypted until it has reached its final destination; only then is it decrypted. If you need this level of security, then you should deploy L2TP/IPSec.

Limitations of L2TP/IPSec

There is one major limitation to L2TP/IPSec. If your network uses Network Address Translation (NAT)[1] to provide access for intranet clients to an Internet-based VPN, then you will not be able to use IPSec. This is because when you use NAT, all data appears to originate from a single IP address after it leaves the NAT server. When a computer responds to a message from an intranet client behind a NAT, the NAT server takes the packet that was sent to its IP address and "translates" it so that it is returned to the computer that initiated the request. However, IPSec packets are protected by cryptographic checksums. In the process of altering the destination IP address, the NAT server changes the destination IP address and therefore invalidates the packet's cryptographic checksum. IPSec interprets this change as a violation of the packet's integrity, and will reject the packet. However, this does not mean you cannot use IPSec on your TCP/IP-based intranet. Your packets cannot pass through a NAT server, but if your intranet uses all public IP addresses, you can use L2TP/IPSec without problems. IPSec can be used without tunneling to protect data within an intranet, where it may pass from physically secure areas of the network to physically insecure areas.

The next authentication protocol you'll learn about is BAP.

Layer Two - Tunneling Protocol -Exercise

Click the Exercise link below to see how well you can match each protocol with its features.
Layer Two - Tunneling Protocol -Exercise
[1]Network Address Translation (NAT): Private addresses cannot receive traffic from Internet locations. Therefore, if an intranet is using private addresses and communicating with Internet locations, the private address must be translated to a public address. A network address translator (NAT) is placed between an intranet that uses private addresses and the Internet, which uses public addresses. Outgoing packets from the intranet have their private addresses translated by the NAT into public addresses. Incoming packets from the Internet have their public addresses translated by the NAT into private addresses.