LT2P: “In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy.”
This is a one shot for this article. I had to learn something new for a change, if I write something that’s just wrong please tell me down below. I claim no responsibility if this information is used for malicious purposes.
Now with that outta the way, LT2P is a tunneling protocol used a lot with VPNs, but don’t rely on LT2P alone to keep anonymity, as this sentence(s) states:
“L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity.”
How L2TP works was a bit trivial for me to understand, but L2TP “waits” for new “tunnels”, but once established the traffic is then bidirectional, functioning in two directions. The packets are categorized as control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. If one wants to have reliability for data packets then they must establish it themselves. There are several tunneling models once you establish a tunnel, they’re:
- voluntary tunnel
- compulsory tunnel — incoming call
- compulsory tunnel — remote dial
- L2TP multihop connection
The way the packet exchange is done is one peer requests the other peer to assign a specific tunnel and session id through these control packets. Then using this tunnel and session id, data packets are exchanged with the compressed PPP frames as payload.
The image below shows a diagram for establishing a tunnel and session in voluntary tunnel method:
Earlier I explained (wikipedia did) that alone L2TP isn’t encrypted by itself, but IPsec works hand with hand with L2TP to encrypt the traffic or tunnel. The steps to establish a L2TP/IPsec VPN are as follows:
Negotiation of IPsec security association (SA), typically through Internet key exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called “pre-shared keys”), public keys, or X.509 certificates on both ends, although other keying methods exist.
Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (compare TCP’s 6 and UDP’s 17). At this point, a secure channel has been established, but no tunneling is taking place.
Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA’s secure channel, within the IPsec encryption. L2TP uses UDP port 1701.
Once established L2TP packets are encapsulated via IPsec. A more detailed description:
“When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.”
And that’s that. I hope I explained accurately. This was a bit boring to research, but it was interesting. That much I can say. I’m still doing research on L2TP and hopefully in the near future I could write a article on how to establish my own L2TP tunnel via C or C++, unless someone else does it before me.