L2TP

Some background.  L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol that operates at layer 2 of the OSI model.  It was developed by Cisco, largely to address what Cisco considered to be deficiencies in PPTP.

Their initial effort resulted in L2F (Layer 2 Forwarding).  Unfortunately, L2F provided encapsulation but did not encrypt what was being encapsulated.  In order to make use of the features of both PPTP and L2F, L2TP was developed as a joint venture between Microsoft and Cisco.

L2TP was definitely an improvement.  L2TP does not provide its own internal encryption capabilities, but it was designed to make use of IPSec for encryption, among other things.

The main differences between PPTP and L2TP are listed in the following table.

Differences Between PPTP and L2TP

Encryption
  PPTP
    • Microsoft chose the RSA RC4 cipher for encryption.  Either a 40-bit or 128-bit session key can be used; the length of the key is determined by the operating system.  Other sources say that MPPE (Microsoft Point-to-Point Encryption) is used to encrypt data.  As is almost always the case, authorities differ.
    • It cannot make use of IPSec.
  L2TP
    • Makes use of IPSec for encryption (which is more flexible and powerful, as we will see in future webpages).
      • IPSec
      • DES

Implementation
  PPTP
    • PPTP is usually implemented as a software solution (Microsoft thinking).
  L2TP
    • L2TP is often implemented as a hardware solution (Cisco thinking)
      • usually on a router or special purpose device
      • though it is available on Microsoft RAS servers

Underlying network protocols
  PPTP
    • PPTP works only on IP networks.
  L2TP
    • L2TP can run on top of a variety of network protocols
      • IP
      • ATM (Asynchronous Transfer Mode)
      • Frame Relay
      • IPX (Internetwork Packet Exchange)
      • SNA (Systems Network Architecture)

Security services
  PPTP
    • PPTP provides only per-packet data confidentiality.
  L2TP
    • Using IPSec with L2TP provides a number of additional security benefits:
      • per-packet data origin authentication: strong evidence that the data was sent by an authorized user
      • data integrity: strong evidence that the data was not modified in transit
      • replay protection: helps prevent resending a stream of captured packets
      • data confidentiality: interpreting the data requires the correct encryption key

Authentication
  L2TP
    • L2TP/IPSec requires two levels of authentication
      • computer-level authentication
        • using certificates or pre-shared keys for IPSec sessions
      • user-level authentication
        • using a PPP authentication protocol for the L2TP tunnel (encapsulation)
        • user-level authentication is never sent unencrypted, because the PPP connection occurs after the IPSec SA (security association) is established

AAA integration
  L2TP
    • Designed to work with AAA services such as
      • TACACS+
      • RADIUS

One of the most common mistakes made when implementing VPNs using PPTP or L2TP is to forget to allow the associated ports through the firewall.
  • PPTP makes use of TCP port 1723
  • L2TP makes use of UDP port 1701
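As an added example (not from this page), a small Python check for the "forgotten ports" mistake described above.  The allow-list format and the rule names are constructed; beyond the page's TCP/1723 and UDP/1701 it also lists the other well-known allowances the two tunnel types need in practice (GRE for PPTP; IKE on UDP/500, NAT-T on UDP/4500 and ESP for L2TP/IPsec).

```python
"""Audit a firewall allow-list for what a PPTP or L2TP/IPsec VPN needs."""
from typing import FrozenSet, Tuple

# (ip-protocol, port) pairs; port 0 means "the whole IP protocol" (GRE, ESP).
Rule = Tuple[str, int]

# The page names TCP/1723 (PPTP) and UDP/1701 (L2TP).  The remaining entries are
# well-known additional requirements: PPTP carries its data in GRE (IP protocol
# 47); L2TP/IPsec needs IKE on UDP/500, NAT traversal on UDP/4500 and ESP
# (IP protocol 50).  UDP/1701 itself travels inside ESP, but is kept so that a
# host firewall seeing decrypted traffic also passes it.
REQUIRED = {
    "PPTP": frozenset({("tcp", 1723), ("gre", 0)}),
    "L2TP/IPsec": frozenset({("udp", 1701), ("udp", 500), ("udp", 4500), ("esp", 0)}),
}


def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed 'allow <proto> [port]' rule format."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "allow":
        raise ValueError(f"unrecognised rule: {line!r}")
    proto = parts[1].lower()
    port = int(parts[2]) if len(parts) > 2 else 0
    return (proto, port)


def missing_rules(vpn: str, ruleset: str) -> FrozenSet[Rule]:
    """Return the required allowances that the given ruleset does not grant."""
    lines = [ln.strip() for ln in ruleset.splitlines()]
    allowed = {parse_rule(ln) for ln in lines if ln and not ln.startswith("#")}
    return REQUIRED[vpn] - allowed


# Constructed sample ruleset showing the classic mistake: only the control
# ports are opened, the GRE/ESP carriers and the IKE ports are forgotten.
SAMPLE_RULESET = """
# constructed example rules
allow tcp 1723
allow udp 1701
"""

if __name__ == "__main__":
    for vpn in REQUIRED:
        print(vpn, "missing:", sorted(missing_rules(vpn, SAMPLE_RULESET)))
```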

Microsoft supports L2TP in Windows 2000 and later.  But because of the computing resources required to implement L2TP, most implementations make use of specialized hardware.

More will be added.