Guest Post: An in-depth review of the L2TP/IPsec protocol

Image credit: Pixabay

Among the various VPN protocols, Layer 2 Tunneling Protocol (L2TP) is one of the most secure. Moreover, it is incredibly easy to set up.

Taken alone, L2TP is simply a tunneling protocol (it facilitates end-to-end communication) that allows remote clients to use a public network to communicate with a private network. To provide the required encryption, it is paired with IPsec, which is a security protocol.

Different VPN protocols carry different strengths and weaknesses. To fully understand those of L2TP/IPsec, here is an in-depth review.

History of L2TP/IPsec

L2TP was developed in the 90s by both Cisco and Microsoft. The two companies came together out of a need to develop a protocol that would improve on the individual protocols that each company had developed.

Before L2TP, a Microsoft employee had developed the first ever tunneling protocol, Point-to-Point Tunneling Protocol (PPTP). The main reason the Microsoft employee developed the protocol was to allow users to work effectively and securely from home via a secure internet connection.

Unfortunately, PPTP, though effective, was not perfect. For one, due to the technology of that time, it had weak encryption. Second, the protocol did not and still does not recover as quickly as others over unstable network connections.

To try and improve on the weaknesses of PPTP, Cisco came up with the Layer 2 Forwarding (L2F) protocol. L2F, according to Cisco, was meant to tunnel Point-to-Point communications over IP and create a dial-up link across a network.

Similar to PPTP, L2F had significant weaknesses such as low support for different devices and weak encryption. Therefore, Cisco and Microsoft came together in a bid to create a protocol that wouldn’t have some of these glaring weaknesses. They succeeded because they created L2TP/IPsec which is still in use today.

The differences between L2TP and PPTP/L2F

As noted above, L2TP is pretty much an extension of both PPTP and L2F. To differentiate between the three and understand why L2TP is better, here are the differences.

The differences between L2TP and L2F include:

  • L2F lacks a defined client
  • L2F only works in compulsory tunnels (the tunnel ends at ISP) while L2TP can use voluntary tunnels (the tunnel ends at the remote client) which makes it flexible
  • L2TP has additional beneficial features such as flow control

The differences between L2TP and PPTP include:

  • A PPTP connection only tunnels over IP while L2TP is more flexible and can tunnel over a wide variety of media
  • A PPTP connection can only handle one tunnel between two points. L2TP supports multiple tunnels between any two points, and each tunnel will have its own quality of service (QoS)
  • The size of L2TP headers is as low as 4 bytes while that of PPTP is larger

How L2TP/IPsec works

L2TP/IPsec uses a technique known as double encapsulation to facilitate security. This unique feature is the reason L2TP/IPsec first gained popularity. Essentially, the first encapsulation will create a connection between two parties.

The second encapsulation, on the other hand, contains the IPsec encryption, which provides the security. Due to the double encapsulation, it is impossible to tamper with a data packet while it is on the move from one party to another.

That protects anyone who is using this protocol from a man-in-the-middle attack. Man-in-the-middle attacks occur when an attacker lies in wait and alters communication between two parties without their knowledge. As a result, even though the two parties believe they are communicating with each other, in reality, they are both communicating with the attacker who can misinform, misdirect and cause harm.

Note that L2TP on its own, without IPsec, supports several authentication options. First, it supports the Password Authentication Protocol (PAP). Second, it supports the Challenge Handshake Authentication Protocol (CHAP), and finally, the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). MS-CHAP is similar to CHAP, the only difference being that it is proprietary to Microsoft.

The IPsec part of the L2TP/IPsec protocol uses a 256-bit encryption key. A 256-bit encryption key offers military-grade encryption that is next to impossible to break. It also includes security algorithms that further improve security.
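To make the first of the two encapsulations concrete, here is an added Python example (not code from the original post) that encodes and parses the L2TPv2 header defined in RFC 2661: the flags word, the optional Length and Ns/Nr fields, and the Tunnel ID and Session ID in front of the PPP payload. Every field this parser returns is readable by anyone on the path when L2TP is used on its own, which is why the second, IPsec encapsulation is what actually provides confidentiality. The tunnel and session identifiers and the PPP bytes are constructed sample values.

```python
import struct

# L2TPv2 header layout, RFC 2661 section 3.1 (flags word, then optional fields)
L2TP_VERSION = 2
FLAG_T = 0x8000   # set: control message; clear: data message
FLAG_L = 0x4000   # Length field present (mandatory for control messages)
FLAG_S = 0x0800   # Ns/Nr sequence numbers present (mandatory for control messages)
FLAG_O = 0x0200   # Offset Size field present (data messages only)
FLAG_P = 0x0100   # Priority bit (data messages only)
VERSION_MASK = 0x000F


def build_l2tp_packet(tunnel_id, session_id, payload=b"", *, control=False,
                      ns=None, nr=None, priority=False):
    """Encode an L2TPv2 header in front of payload.

    Control messages are forced to carry Length and Ns/Nr as the RFC requires.
    Data messages may omit every optional field, which gives the minimal
    six-byte header: flags, Tunnel ID, Session ID.
    """
    with_len = control
    with_seq = control or ns is not None or nr is not None
    flags = L2TP_VERSION
    if control:
        flags |= FLAG_T
    if with_len:
        flags |= FLAG_L
    if with_seq:
        flags |= FLAG_S
    if priority and not control:
        flags |= FLAG_P

    fields = struct.pack("!HH", tunnel_id, session_id)
    if with_seq:
        fields += struct.pack("!HH", ns or 0, nr or 0)
    header_len = 2 + (2 if with_len else 0) + len(fields)

    packet = struct.pack("!H", flags)
    if with_len:
        packet += struct.pack("!H", header_len + len(payload))
    return packet + fields + payload


def parse_l2tp_packet(data):
    """Decode an L2TPv2 packet into its header fields and payload.

    Raises ValueError on malformed input instead of trusting the Length and
    Offset fields, which arrive from the network.
    """
    if len(data) < 6:
        raise ValueError("truncated L2TP header")
    (flags,) = struct.unpack_from("!H", data, 0)
    if flags & VERSION_MASK != L2TP_VERSION:
        raise ValueError("not an L2TPv2 packet")
    control = bool(flags & FLAG_T)
    if control and not (flags & FLAG_L and flags & FLAG_S):
        raise ValueError("control message missing mandatory L or S bit")

    info = {"control": control, "priority": bool(flags & FLAG_P)}
    pos = 2
    end = len(data)
    if flags & FLAG_L:
        (length,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if length > len(data):
            raise ValueError("Length field exceeds packet size")
        info["length"] = length
        end = length
    if len(data) < pos + 4:
        raise ValueError("truncated L2TP header")
    info["tunnel_id"], info["session_id"] = struct.unpack_from("!HH", data, pos)
    pos += 4
    if flags & FLAG_S:
        if len(data) < pos + 4:
            raise ValueError("truncated sequence fields")
        info["ns"], info["nr"] = struct.unpack_from("!HH", data, pos)
        pos += 4
    if flags & FLAG_O:
        if len(data) < pos + 2:
            raise ValueError("truncated Offset Size field")
        (offset,) = struct.unpack_from("!H", data, pos)
        pos += 2 + offset
    if pos > end:
        raise ValueError("header runs past packet end")
    info["payload"] = data[pos:end]
    return info


if __name__ == "__main__":
    # Constructed sample: PPP frame, address/control 0xff03, protocol 0xc021 (LCP)
    ppp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"
    data_pkt = build_l2tp_packet(0x1234, 0x5678, ppp)
    print(data_pkt.hex())
    print(parse_l2tp_packet(data_pkt))
```

The parser checks every length it reads against the buffer before indexing, since the Length and Offset Size fields are attacker-controlled input in any real deployment; a control message without the L and S bits is rejected outright rather than guessed at.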

Pros of L2TP/IPsec

  • Easy to set up due to minimal complexity
  • High levels of security due to double encapsulation
  • Compatible with a large number of devices and operating systems
  • Supports multithreading (execution of multiple threads concurrently) which in turn enhances performance

Cons of L2TP/IPsec

  • According to reports, it is possible the NSA has weakened the IPsec protocol in their bid to monitor what people are doing online. As a result, the protocol has weakened security to some degree
  • It is possible to block L2TP/IPsec because it runs on User Datagram Protocol (UDP) port 500
  • Double encapsulation reduces the speed by a significant margin
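The fixed ports that make L2TP/IPsec easy to block also let a defender inventory it. As an added example (not from the original post), the Python below groups constructed firewall log lines per source/destination pair and classifies each pair: IKE on UDP 500 plus ESP (or UDP 4500 when NAT traversal is in use) is a working IPsec VPN, IKE with no ESP is a negotiation that never carried traffic, and bare L2TP on UDP 1701 on the wire means the tunnel is running without its IPsec layer, since L2TP protected by IPsec is hidden inside ESP and never appears as port 1701 to the firewall. The log format, addresses and byte counts are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the original post). The format is an
# assumption for this example: "<time> <src> -> <dst> proto=<p> [dport=<n>] bytes=<n>"
SAMPLE_LOG = """\
12:00:01 10.0.0.5 -> 203.0.113.10 proto=udp dport=500 bytes=400
12:00:01 10.0.0.5 -> 203.0.113.10 proto=udp dport=4500 bytes=300
12:00:02 10.0.0.5 -> 203.0.113.10 proto=esp bytes=9000
12:00:05 10.0.0.9 -> 203.0.113.20 proto=udp dport=1701 bytes=7000
12:00:06 10.0.0.11 -> 203.0.113.30 proto=udp dport=500 bytes=600
12:00:07 10.0.0.3 -> 198.51.100.7 proto=tcp dport=443 bytes=1200
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) -> (?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))? bytes=(?P<bytes>\d+)$"
)

IKE_PORT = 500       # IKE key exchange, the UDP port the post refers to
NAT_T_PORT = 4500    # IKE and UDP-encapsulated ESP when NAT traversal is in use
L2TP_PORT = 1701     # bare L2TP; only visible on the wire when NOT inside ESP


def classify_flows(log_text):
    """Summarise, per (src, dst) pair, what VPN traffic the firewall saw."""
    pairs = defaultdict(
        lambda: {"ike": False, "esp": False, "l2tp_plain": False, "bytes": 0}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rec = pairs[(m["src"], m["dst"])]
        rec["bytes"] += int(m["bytes"])
        dport = int(m["dport"]) if m["dport"] else None
        if m["proto"] == "udp" and dport == IKE_PORT:
            rec["ike"] = True
        elif m["proto"] == "esp" or (m["proto"] == "udp" and dport == NAT_T_PORT):
            # 4500 also carries IKE after NAT detection; treating it as the
            # protected data path is a deliberate approximation here
            rec["esp"] = True
        elif m["proto"] == "udp" and dport == L2TP_PORT:
            rec["l2tp_plain"] = True
    for rec in pairs.values():
        if rec["l2tp_plain"]:
            rec["verdict"] = "l2tp_unprotected"  # tunnel up, no IPsec around it
        elif rec["ike"] and rec["esp"]:
            rec["verdict"] = "ipsec_vpn"         # negotiated and carrying traffic
        elif rec["ike"]:
            rec["verdict"] = "ike_only"          # negotiation seen, no ESP followed
        else:
            rec["verdict"] = "other"
    return dict(pairs)


if __name__ == "__main__":
    for (src, dst), rec in classify_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {rec['verdict']} ({rec['bytes']} bytes)")
```

The `l2tp_unprotected` verdict is the one worth alerting on: a client that falls back to plain L2TP (for example when the IPsec negotiation fails and the client is configured to proceed anyway) is sending its PPP session, including PAP or CHAP authentication, in the clear.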

Shoutouts to Jeff Anderson from for this Guest Post – hope you guys enjoyed it.
