Layer 2 Tunneling Protocol (L2TP) is a hybrid of PPTP and Layer 2 Forwarding (L2F). It uses the same authentication mechanisms as PPTP, but its tunneling is more advanced because it relies on IPSec for encryption. Like PPTP, it uses a single point-to-point connection per session. Combined with IPSec, L2TP provides encryption for IP, IPX, or NetBEUI traffic and transmits it over any medium that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay, or ATM networks. This combination of L2TP and IPSec is known as L2TP/IPSec.

When using IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet. L2TP tunnels must be authenticated by using the same authentication mechanisms as PPP connections. PPP encryption is not used because it does not meet the security requirements of L2TP: it can provide confidentiality but not per-packet authentication, integrity, or replay protection. Instead, data encryption is provided by IPSec, which uses Data Encryption Standard (DES) or Triple DES (3DES) with encryption keys produced by IPSec’s Internet Key Exchange (IKE) negotiation process. L2TP/IPSec originally used the source and destination IP addresses for authentication and placed this information inside the encrypted part of the packet, so NAT servers were unable to modify the source and destination IP addresses.

NAT Traversal (NAT-T), a new function of L2TP/IPSec, enables you to use L2TP to connect to an L2TP server when the client is located behind a NAT server. However, the client, the server, and the NAT server must all support NAT-T. New VPN server installations should use L2TP rather than PPTP.
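
How the two endpoints discover that a NAT server sits between them, as an added example that is not part of the original page: it follows the NAT-D hash comparison defined in RFC 3947 and goes beyond the text, which does not describe the mechanism. The cookies, addresses, the use of SHA-1 as the negotiated hash, and all function names are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the page): 8-byte IKE cookies and test-net addresses.
CKY_I, CKY_R = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
CLIENT = ("192.168.1.10", 500)     # private address the client believes it has
SERVER = ("203.0.113.5", 500)      # public address of the L2TP/IPSec server
NAT_OUT = ("198.51.100.7", 1027)   # source address and port after NAT rewriting


def nat_d_hash(cky_i, cky_r, ip, port):
    """Body of one NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for the hash negotiated in IKE (assumption)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """Sender: the first hash covers the remote end, the second the local end."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver: compare the peer's hashes with the addresses seen on the wire."""
    me_natted = nat_d[0] != nat_d_hash(cky_i, cky_r, *seen_dst)
    peer_natted = nat_d_hash(cky_i, cky_r, *seen_src) not in nat_d[1:]
    # Any mismatch means an address was rewritten in transit, so ESP must be
    # wrapped in UDP on port 4500 instead of travelling as IP protocol 50.
    transport = "ESP-in-UDP/4500" if (me_natted or peer_natted) else "ESP/IP-proto-50"
    return {"peer_behind_nat": peer_natted, "local_behind_nat": me_natted,
            "transport": transport}


def demo():
    """Run the server-side check for a client behind NAT and for a direct client."""
    payloads = build_nat_d(CKY_I, CKY_R, local=CLIENT, remote=SERVER)
    via_nat = detect_nat(CKY_I, CKY_R, payloads, seen_src=NAT_OUT, seen_dst=SERVER)
    direct = detect_nat(CKY_I, CKY_R, payloads, seen_src=CLIENT, seen_dst=SERVER)
    return via_nat, direct


if __name__ == "__main__":
    for label, result in zip(("behind NAT", "direct"), demo()):
        print(label, result)
```

Because the comparison only works when both peers send and check these payloads, a client or server without NAT-T support cannot fall back to UDP encapsulation, which is why every party must support it.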

