What is L2TP, and can you trust it in a VPN?
L2TP, or Layer 2 Tunneling Protocol, can be part of a Virtual Private Network (VPN) infrastructure. Its job is to build the VPN tunnel: the path that traffic takes between the client and the VPN server. In other words, L2TP defines a set of rules for transporting data from one point to another.
However, L2TP is no longer one of the preferred VPN tunneling protocols. It is an older protocol that is being replaced by more modern alternatives. Let’s review the L2TP legacy and why providers rarely implement it today.
What is L2TP?
Layer 2 Tunneling Protocol (L2TP) is a VPN protocol for carrying traffic across IP networks. It wraps layer 2 frames (normally PPP frames) in UDP packets and defines how they move from one endpoint to the other.
A common use case is a VPN client building a tunnel to a VPN server and sending its traffic through it. Internet Service Providers (ISPs) can also use it inside their own networks.
L2TP was standardized in 1999 (RFC 2661) as a merger of Cisco’s Layer 2 Forwarding (L2F) protocol and Microsoft’s Point-to-Point Tunneling Protocol (PPTP), and it was meant to replace both. At the time, an L2TP connection offered more security and reliability than PPTP, particularly when paired with IPSec.
The greatest weakness of any L2TP tunnel is that it neither encrypts nor integrity-protects the traffic it transports. IPSec supplies the encryption and authentication that secure the tunneled data.
Thus, IPSec is what makes L2TP secure: it hides the contents of your traffic from the local network and your ISP, and the VPN server changes your visible IP address and location. However, you won’t find trusted VPNs implementing it as the default protocol; where it is offered at all, it is usually available only through manual configuration.
Use cases for L2TP
L2TP has had many use cases since its introduction.
- L2TP extends corporate LANs to remote devices, so a remote worker’s machine behaves as if it were on the office network.
- Internet Service Providers use it to resell spare bandwidth to other providers and to keep each client’s traffic separate as it crosses their backbone.
- L2TP is an option for tunneling traffic from devices to VPN servers.
However, the protocol rarely works on its own. It needs another protocol, such as IPSec, to encrypt the traffic it carries.
Is L2TP VPN secure?
A pure L2TP VPN is unsafe to use. The VPN reroutes traffic but does not encrypt it, so anyone on the path (the local Wi-Fi, the ISP, anyone between them and the server) can still read and track users’ internet activity.
If you’re looking for a VPN with L2TP, double-check that it pairs L2TP with IPSec. Only then does the VPN provide an encrypted tunnel. And even though L2TP/IPSec can be secure enough for everyday use, other options offer better security and performance.
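One way to check this claim on a real network, as an added example that is not part of the original article and not any vendor's code: when L2TP is wrapped in IPSec, the UDP 1701 packets travel inside ESP (or inside UDP 4500 with NAT traversal), so from a capture point outside the endpoints UDP 1701 should never be visible at all. If it is visible, and the first bytes look like an L2TP header, the tunnel is running in the clear. The flow record format, the addresses and the payload bytes below are constructed for the example.

```python
"""Flag L2TP tunnels that are not wrapped in IPSec, from flow records taken
outside the VPN endpoints. Added example for this article; the record format,
addresses and payload bytes below are constructed, not captured."""
from collections import defaultdict

L2TP_PORT, IKE_PORT, NATT_PORT = 1701, 500, 4500
PROTO_UDP, PROTO_ESP = 17, 50

# Constructed records: (src, dst, ip_proto, dst_port, first_payload_bytes).
# dst_port is None for ESP, which has no ports.
SAMPLE_FLOWS = [
    # peer 1: IKE on 500, then ESP. Any L2TP is inside ESP and cannot be seen here.
    ("10.0.0.5", "203.0.113.1", PROTO_UDP, IKE_PORT, b""),
    ("10.0.0.5", "203.0.113.1", PROTO_ESP, None, b""),
    # peer 2: a bare L2TP control message (T, L, S set, version 2) on UDP 1701.
    ("10.0.0.7", "203.0.113.1", PROTO_UDP, L2TP_PORT, b"\xc8\x02\x00\x3f"),
    # peer 3: IKE but no ESP or NAT-T: negotiation failed or never finished.
    ("10.0.0.9", "198.51.100.2", PROTO_UDP, IKE_PORT, b""),
    # peer 4: something on UDP 1701 whose header is not L2TP (version nibble 0).
    ("10.0.0.11", "198.51.100.9", PROTO_UDP, L2TP_PORT, b"\x00\x00\x00\x00"),
    # peer 5: NAT traversal, IKE and ESP both carried in UDP 4500.
    ("10.0.0.13", "203.0.113.1", PROTO_UDP, NATT_PORT, b""),
]


def looks_like_l2tp(payload):
    """Cheap header sanity check so a random UDP/1701 flow is not mislabelled:
    version nibble must be 2 (L2TPv2) or 3 (L2TPv3 over UDP), and a control
    message (T bit) must also carry the L and S bits (RFC 2661 s3.1)."""
    if len(payload) < 2:
        return False
    flags = int.from_bytes(payload[:2], "big")
    if flags & 0x000F not in (2, 3):
        return False
    if flags & 0x8000 and (flags & 0x4800) != 0x4800:
        return False
    return True


def classify(flows):
    """Return a verdict per (src, dst) pair.
    CLEARTEXT_L2TP: L2TP visible on the wire, so IPSec is not protecting it.
    IPSEC_PROTECTED: ESP or NAT-T seen; the payload (L2TP or not) is encrypted.
    IKE_ONLY: key exchange seen but no protected data ever flowed."""
    seen = defaultdict(lambda: {"ike": False, "esp": False, "l2tp_clear": False})
    for src, dst, proto, dport, payload in flows:
        key = (src, dst)
        if proto == PROTO_ESP or (proto == PROTO_UDP and dport == NATT_PORT):
            seen[key]["esp"] = True
        elif proto == PROTO_UDP and dport == IKE_PORT:
            seen[key]["ike"] = True
        elif proto == PROTO_UDP and dport == L2TP_PORT and looks_like_l2tp(payload):
            seen[key]["l2tp_clear"] = True
    verdicts = {}
    for key, s in seen.items():
        if s["l2tp_clear"]:
            verdicts[key] = "CLEARTEXT_L2TP"
        elif s["esp"]:
            verdicts[key] = "IPSEC_PROTECTED"
        elif s["ike"]:
            verdicts[key] = "IKE_ONLY"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{pair[0]:>10} -> {pair[1]:<14} {verdict}")
```

Run this at the network edge, not on the VPN server: after ESP decryption the server legitimately sees UDP 1701. ESP or NAT-T alone proves only that some IPSec tunnel exists, not that L2TP is inside it, and IKE without ESP usually means the negotiation failed or the client gave up.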
What is PPTP?
While L2TP has redeeming qualities, like its cooperation with IPSec, PPTP presents very few reasons for using it. It is an outdated option whose authentication and encryption (MS-CHAPv2 and MPPE) have well-known practical breaks; if a VPN client supports it, avoid it. Most VPN providers won’t include PPTP as a preferred protocol anyway.
How does L2TP/IPSec work?
Here is how L2TP usually works with IPSec:
- IPSec first negotiates a security association (SA): an agreement between the two endpoints on the algorithms, keys and identifiers they will use. During this negotiation the peers authenticate each other, most often with a pre-shared key (PSK) or with certificates.
- This negotiation is carried out by Internet Key Exchange (IKE; IKEv1 in the classic L2TP/IPSec setup) over UDP port 500, and over UDP port 4500 when a NAT sits between the peers (NAT traversal).
- The negotiated SA is then used by Encapsulating Security Payload (ESP), the IPSec component that encrypts and authenticates each packet.
- At this point the two entities have a secure channel, but no tunnel exists yet and no user data flows.
- So far IPSec has done the work. Now L2TP steps in and builds a tunnel between the VPN client and the VPN server. L2TP itself runs over UDP port 1701; in L2TP/IPSec those UDP packets are carried inside ESP (normally in IPSec transport mode), so they never appear on the wire in the clear.
- In L2TP terms, the L2TP Access Concentrator (LAC) is the endpoint on one side of the tunnel (for a remote-access VPN, the client) and it forwards frames to the L2TP Network Server (LNS), the VPN server.
- Finally, both the tunnel’s control messages and the PPP frames carrying user data travel inside ESP. Within the tunnel, PPP handles user authentication (for example with CHAP) and address assignment. With the secure connection established, the VPN client and the VPN server can communicate safely.
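To make the L2TP half of that exchange concrete, here is an added Python example, written for this article and not taken from any L2TP implementation, that builds the first control message a LAC sends (the Start-Control-Connection-Request, SCCRQ), builds a data packet, and parses L2TPv2 headers and attribute-value pairs (AVPs) as laid out in RFC 2661. The host name and tunnel ID values are made up. It also shows why plain L2TP is readable: everything here is cleartext, and in L2TP/IPSec these exact bytes are what ESP wraps.

```python
"""Build and parse L2TPv2 control and data packets (RFC 2661) as carried on UDP 1701.
Added example for this article; not taken from any real L2TP implementation."""
import struct

# Header flag bits in the first 16 bits of every L2TPv2 packet; Ver is the low nibble.
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
VERSION = 2

# AVP attribute types (Vendor ID 0 = IETF) used below, and the control message types.
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAPS = 0, 2, 3
AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 7, 9
MSG_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
             10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
AVP_M_BIT, AVP_H_BIT = 0x8000, 0x4000   # M = mandatory, H = hidden (needs tunnel secret)


def encode_avp(attr_type, value, mandatory=True):
    """AVP = M|H|rsvd|10-bit length (counts the 6-byte header), Vendor ID, type, value."""
    flags_len = (AVP_M_BIT if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Control messages MUST set T, L and S and clear O (RFC 2661 s3.1)."""
    body = b"".join(avps)
    flags = T_BIT | L_BIT | S_BIT | VERSION
    return struct.pack("!HHHHHH", flags, 12 + len(body), tunnel_id,
                       session_id, ns, nr) + body


def build_sccrq(host_name, assigned_tunnel_id):
    """Start-Control-Connection-Request: first message from LAC to LNS.
    The header's Tunnel ID is 0 because the peer has not assigned one yet;
    the ID we chose for ourselves travels in the Assigned Tunnel ID AVP."""
    avps = [
        encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", 1)),
        encode_avp(AVP_PROTOCOL_VERSION, bytes([1, 0])),        # version 1, revision 0
        encode_avp(AVP_FRAMING_CAPS, struct.pack("!I", 0x3)),    # sync and async framing
        encode_avp(AVP_HOST_NAME, host_name.encode()),
        encode_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)),
    ]
    return build_control_message(0, 0, 0, 0, avps)


def build_data_packet(tunnel_id, session_id, ppp_frame):
    """Data packets carry a PPP frame after a minimal 6-byte header (T=0, no L/S)."""
    return struct.pack("!HHH", VERSION, tunnel_id, session_id) + ppp_frame


def parse_packet(data):
    """Decode an L2TPv2 header; for control messages also decode the AVP list."""
    if len(data) < 6:
        raise ValueError("too short for an L2TPv2 header")
    flags = struct.unpack("!H", data[:2])[0]
    if flags & 0x000F != VERSION:
        raise ValueError("not L2TPv2")
    is_control = bool(flags & T_BIT)
    if is_control and ((flags & (L_BIT | S_BIT)) != (L_BIT | S_BIT) or flags & O_BIT):
        raise ValueError("control message with wrong L/S/O bits")
    off = 2
    if flags & L_BIT:
        length = struct.unpack("!H", data[off:off + 2])[0]
        off += 2
        if length > len(data) or length < off + 4:
            raise ValueError("bad Length field")
        data = data[:length]
    tunnel_id, session_id = struct.unpack("!HH", data[off:off + 4])
    off += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", data[off:off + 4])
        off += 4
    if flags & O_BIT:   # data packets may carry an offset pad before the payload
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]
    info = {"control": is_control, "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr}
    if not is_control:
        info["payload"] = data[off:]
        return info
    avps = {}
    while off < len(data):
        if off + 6 > len(data):
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        alen = flags_len & 0x03FF
        if alen < 6 or off + alen > len(data):
            raise ValueError("bad AVP length")
        if flags_len & AVP_H_BIT:
            raise ValueError("hidden AVP: cannot unhide without the tunnel secret")
        if vendor == 0:
            avps[attr] = data[off + 6:off + alen]
        elif flags_len & AVP_M_BIT:
            raise ValueError("unknown mandatory vendor AVP; tunnel must be torn down")
        off += alen
    if AVP_MESSAGE_TYPE not in avps:
        raise ValueError("control message without a Message Type AVP")
    msg_type = struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0]
    info["message"] = MSG_NAMES.get(msg_type, f"type-{msg_type}")
    if AVP_HOST_NAME in avps:
        info["host_name"] = avps[AVP_HOST_NAME].decode("ascii", errors="replace")
    if AVP_ASSIGNED_TUNNEL_ID in avps:
        info["assigned_tunnel_id"] = struct.unpack("!H", avps[AVP_ASSIGNED_TUNNEL_ID])[0]
    return info


if __name__ == "__main__":
    print(parse_packet(build_sccrq("lac.example", 0x1234)))
```

The parser rejects the things a real LNS must reject: a control message without the L and S bits, an AVP whose length runs past the packet, and an unknown mandatory AVP. Hidden AVPs (H bit) are refused outright because unhiding them needs the optional tunnel secret, which this example does not model. None of these checks give you confidentiality; they only keep a malformed packet from being misread, which is exactly why the whole thing has to sit inside ESP.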
Pros and cons of using L2TP
L2TP has been around for a long time (standardized in 1999). However, its usage has significantly decreased.
By default, VPN apps connect with other protocols. Even where a provider offers L2TP/IPSec, users need to configure it manually.
- The L2TP protocol can be secure when used in conjunction with IPSec.
- It is highly compatible, working on operating systems like Windows and macOS by default.
- L2TP and L2TP/IPSec are relatively easy to set up, because that built-in support means no extra client software.
- It passes NAT and firewalls more easily than PPTP, because it runs over UDP rather than PPTP’s GRE protocol, which many consumer routers cannot handle.
- L2TP/IPSec is much safer than PPTP. Between the two, always choose L2TP.
- L2TP/IPSec does not offer the best performance. The data is encapsulated twice (L2TP inside ESP), which adds overhead and CPU work, so such VPN connections can be slower.
- This protocol is better at securing data than at evading geo-restrictions and censorship. L2TP/IPSec uses fixed, well-known ports (UDP 500, 4500 and 1701) and the ESP protocol, which are easy to identify and block, whereas protocols that can run on TCP port 443 blend in with ordinary HTTPS.
- Experts have doubts about the trustworthiness of L2TP/IPSec. Documents leaked by Edward Snowden suggested the NSA could decrypt some IPSec traffic, and some speculate that the standard was deliberately weakened; that remains speculation, not fact. The documented risks are more mundane: a pre-shared key shared by many users (sometimes published by the provider), outdated ciphers or small Diffie-Hellman groups negotiated in IKE, and clients that silently accept weaker settings.
- Other protocols like WireGuard®, OpenVPN, and IKEv2/IPSec have shown robust security with minimal speed loss. Thus, these three options are typically better than L2TP/IPSec.
Does Atlas VPN use L2TP protocol?
We agree that L2TP/IPSec has its benefits, has no known severe vulnerabilities, and is secure in theory. However, it contributes less than the modern protocols now available, and most VPN providers opt for those because they serve users’ experience best.
Therefore, we currently offer WireGuard® and IKEv2/IPSec protocols:
- WireGuard® offers a fine blend of security and speed. The lightweight protocol supports one of the fastest connections and uses modern cryptographic primitives (ChaCha20-Poly1305 for encryption, Curve25519 for key exchange and BLAKE2s for hashing).
- IKEv2/IPSec is also a widely trusted protocol, especially useful to mobile users. Its MOBIKE extension lets a device switch between mobile data and Wi-Fi without losing the VPN connection.
Both protocols are highly secure and will provide the robust protection you need. You can choose which protocol you would like to use with Atlas VPN. When unsure, you can let our app pick the most suitable option!
WireGuard® is a registered trademark of Jason A. Donenfeld.