VPN client alternatives: Layer 2 Tunneling Protocol (L2TP) over IPsec

This month, Lisa Phifer discusses a robust VPN client alternative: Layer 2 Tunneling Protocol (L2TP) over IPsec.

Read about Lisa

by Lisa Phifer, Core Competence

Those searching for "free" VPN client software have many options. In my last column, I discussed Point-to-Point Tunneling Protocol (PPTP) -- a readily-available, easy-to-use client with known vulnerabilities. This month, we'll consider a more robust VPN client alternative: Layer 2 Tunneling Protocol (L2TP) over IPsec.


L2TP is an IETF standard for tunneling Point-to-Point Protocol (PPP) across any intervening network. It forwards data transparently from an access concentrator (LAC) to a network server (LNS). The LAC may be an individual host or an ISP's network access server. For example:



  • Consider an ISP that purchases dial-up services from another ISP. When subscribers dial into the wholesaler's LAC, PPP sessions may be forwarded over an L2TP tunnel to the reseller's LNS. This configuration is referred to as compulsory mode.
  • Consider an individual dialing into a local ISP or associating with a wireless hotspot. After the host is connected to the Internet, data can be sent through an L2TP tunnel from a VPN client on the host to a VPN gateway. Because the user decides whether and when to open the tunnel, this is known as voluntary mode.

In both cases, L2TP provides data-independent framing, the ability to multiplex IP and non-IP protocols, tunnel endpoint authentication, and dynamic address assignment. For compulsory tunnels inside private networks, L2TP by itself may be fine. To tunnel data securely over the Internet, L2TP must be combined with a protocol that prevents eavesdropping, modification and replay.

Securing L2TP
Running L2TP over a secure IPsec transport is defined by RFC 3193. In this approach, L2TP packets are exchanged over User Datagram Protocol (UDP) port 1701. UDP payload is protected by an IPsec Encapsulating Security Payload (ESP) transport mode connection between the LAC and LNS.

IPsec ESP provides confidentiality, per-packet message authentication, and anti-replay protection for all L2TP, including both control and data packets. In contrast, the Microsoft Point-to-Point Encryption (MPPE) used by PPTP encrypts only data and does not prevent forgery or replay.

The Internet Key Exchange (IKE) protocol is used to establish the IPsec transport. First, IKE lets the LAC and LNS authenticate each other with digital certificates or a shared secret. Then, L2TP authenticates the user over this encrypted transport. PPTP provides user authentication only, over a cleartext channel that risks dictionary attack.

IKE also lets the LAC and LNS safely derive crypto keys used by IPsec. MPPE provides weaker key management -- for example, it cannot ensure that new keys are unrelated to previously-used keys like IKE can.

Using L2TP over IPsec is more secure than PPTP, but there are some drawbacks:


  1. This approach encapsulates application data in PPP, PPP in L2TP, L2TP in UDP, UDP in ESP, ESP in IP. Even without counting header bytes, it is easy to see that multi-layer encapsulation generates longer packets.
  2. IKE authentication with digital certificates is strong, but requiring every client to have its own certificate increases installation complexity. Although you can use a group secret instead, doing so largely negates the added value of IKE authentication.
  3. IKE and IPsec have many negotiable options, making configuration more complex than PPTP. However, a default policy that dictates options can reduce complexity.
  4. Running IPsec through a device that performs network address translation (NAT) can be a problem. New draft standards overcome this by encapsulating ESP in UDP.

Windows 2000/XP VPN client
Microsoft championed L2TP/IPsec by including it in Windows 2000 and Windows XP VPN clients. Strictly speaking, these embedded clients are commercial software, purchased with your licensed copy of Windows. However, they are "free" in the sense that you don't have to buy or install additional software for each client PC.

The Win2000/XP VPN client supports both PPTP and L2TP. By default, this client attempts to launch an L2TP tunnel, downgrading to PPTP if L2TP fails. Launching L2TP is therefore quite similar to launching PPTP -- just identify the LNS by IP address or hostname and supply a login/password for user authentication.

As I discussed last month, Microsoft's VPN client offers a choice of authentication methods like PAP, CHAP, MS-CHAPv2, or EAP. Because L2TP control packets are encrypted by IPsec, password methods like PAP and CHAP can be used safely. Smart cards or digital certificates are still stronger choices. In addition, user certificates stored on smart cards can prevent misuse of lost or stolen PCs that might otherwise pass IKE authentication with a machine certificate stored on disk.

To simplify configuration, Win2000/XP automatically applies a default policy for IKE and IPsec. This causes Windows to automatically launch an IPsec transport mode connection whenever traffic is sent or received over UDP port 1701. If this default policy meets your needs, then using L2TP will be relatively simple. If not, you can set the "ProhibitIPsec" registry key and learn how to configure your own Windows security policies.

You won't have to install software when using the embedded Win2000/XP VPN client, but you will need to install IKE credentials. The default policy requires a digital certificate on every client PC. The Microsoft Windows Certificate Authority (CA) supplies a Web page for users to submit requests and install certificates on their own PCs. Of course, users must enroll when already connected securely -- for example, before taking a laptop out on the road. You can also use the Windows CA without self-enrollment, use another vendor's CA, or purchase certificates from a third-party service.

Certificate enrollment is really the step that makes L2TP setup more expensive than PPTP. To avoid dealing with certificates, small and home offices may opt for weaker IKE authentication with shared secrets. When doing so, choose a long random string and caution users to protect this "password". Because all users must present the same secret, loss or disclosure will impact everyone. If your VPN supports a large user community, certificates may be more hassle up front, but will prove less expensive over time. Another "happy middle" option is to purchase one group certificate for all L2TP users.

Windows 98/ME/NT VPN client
Last summer, Microsoft released an L2TP/IPsec VPN client for legacy Win32 operating systems: Windows 98, ME, and NT. This VPN client, developed by SafeNet for Microsoft, is freely available for download from Microsoft's website. That means you won't have to pony up extra cash for client licenses. But this alternative is not quite as simple as using an embedded client -- you'll need to install new software on every PC.


  • On Windows ME, just check to make sure you are running IE 5.5 or later before installing the Microsoft L2TP/IPsec VPN client.
  • On Windows 98, you must first install Dial-Up Networking 1.4 and IE 5.01 or later, then add the Microsoft L2TP/IPsec VPN client.
  • On Windows NT4, you must start with SP6 or later. Install the Remote Access Service and the PPTP protocol (even if you don't plan to use PPTP). Next, add the L2TP/IPSec driver (RASL2TPM) as a RAS capable device and configure it for TCP/IP. Then complete installation of the Microsoft L2TP/IPsec VPN client.

As when installing any software, you may run into problems like incomplete installation, missing pre-requisites, the presence of incompatible software (other VPN clients), or incompatible network settings (like Internet Connection Sharing). In my opinion, installation is straightforward on ME and 98, well within reason for most end users. NT installation requires admin privileges and is more suitable for IT support staff. The Administrator's Guide suggests bundling required software onto a distribution CD, along with any group certificate or Connection Manager profile that should be used by clients.

To dial-up networking, the L2TP/IPsec client looks like an adapter or a remote access device. Configuration (and therefore policy flexibility) is intentionally minimal. You will either need to install a certificate that can be used by this client for IKE authentication or you will need to manually configure the client with a shared secret (see previous discussion). There is no user-visible interface to modify other security policy parameters.

This 98/ME/NT client includes two nice features not found in the Win2000/XP client:

  1. Troubleshooting is made easier by a built-in traffic log that can be enabled or disabled by end users. Log contents are still best interpreted by IT staff, but users can more easily obtain this log when they experience problems on the road or at home.
  2. This client supports draft two of the new UDP encapsulation and NAT traversal standards. It can automatically determine whether NAT is present somewhere between the LAC and LNS. If both ends support compatible versions of NAT traversal, they can compensate for problems that otherwise break the IPsec transport. This feature can be used when the LNS is a .NET server or another vendor's L2TP server with NAT traversal (e.g., Cisco). It cannot currently be used when the LNS is a Windows 2000 server.

Windows 95 and Pocket PC…not
Microsoft's L2TP/IPsec VPN client does not run on Windows 95 or Pocket PC. I am not aware of any shareware L2TP/IPsec VPN clients for these operating systems. SafeNet's commercial VPN client, SoftRemote, does support L2TP over IPsec on any Win32 OS. But I have not seen an L2TP/IPsec VPN client for Pocket PC -- or for any other PDA OS. If you know of a free L2TP/IPsec VPN client for any PDA platform, I would like to hear from you. The same goes for MacOS.

Linux L2TPD
On the other hand, if you're looking for a Linux or BSD solution for L2TP/IPsec, L2TPD is a good place to start. L2TPD provides a command line interface that opens a virtual tty through which PPP can be sent from LAC to LNS.

This open source L2TP client/daemon is available from http://www.l2tpd.org/. Previously hosted at SourceForge, this project recently found a new home at IgLou. According the Web site, tunnel authentication is currently broken, and some users interoperate with Windows L2TP by disabling IPsec. That may be relatively easy, but it does not provide secure (authenticated, encrypted) tunneling. Although I have not tried it myself, posts indicate that L2TPD can be combined with an open source IPsec implementation like Free S/WAN to encrypt L2TP over IPsec.

L2TP network servers
Of course, you cannot use an L2TP client without an L2TP network server. L2TP/IPsec clients are an obvious match when using a Windows 2000 Server as your VPN gateway. Windows is not your only alternative, but non-Windows L2TP gateways are less common than non-Windows IPsec gateways. For example, L2TP server software is also available from Checkpoint and lt2tpd.org. L2TP-capable hardware appliance vendors include 3Com, Cisco, Netscreen, Nortel, and PacTech. Most gateways that implement L2TP are access concentrators designed to support remote user VPNs over any of several protocols (L2TP, IPsec, PPTP, etc).

The VPN Expert: VPN client alternatives, part 2 -- PPTP
The VPN Expert: VPN client alternatives, part 1

Dig Deeper on WAN technologies and services

Unified Communications
Mobile Computing
Data Center