L2TP & IPSec

RoyalTech Member Posts: 94
If L2TP is a tunneling protocol that doesn't include encryption and it uses IPSec for the encryption, what's the use for L2TP if IPSec could also be used for the tunneling part? BTW, studying for the Security+ and using Darril's book

Comments

  • boredgamelad Member Posts: 365
    If I remember correctly, the advantage of L2TP with IPSec (L2TP/IPSec) over IPSec alone is that L2TP/IPsec can transport protocols other than IP.

    If you're only worried about securing IP traffic, an IPSec tunnel is more efficient than L2TP/IPSec and L2TP. If you need to secure traffic from IP and non-IP protocols, you'd want L2TP/IPSec.
  • quinnyfly Member Posts: 243
    L2TP I think of as the medium by which the IPSec <let's say encrypted> packets travel. L2TP uses UDP port 1701 and is an incarnation of L2F (Layer 2 Forwarding) and also PPP (Point-to-Point) protocols.

    Essentially L2TP creates the transport medium, or shall we say "tunnel", and IPSec is responsible for encrypting the packets that traverse this medium, as in a VPN. L2TP by itself does not encrypt traffic, but IPSec does.

    An analogy I used to explain this to the Mrs went like this:

    There is a train tunnel that has a sign above it titled UDP 1701, this is L2TP. <transport medium>
    There is a train which will run through that tunnel and use a system called IPSec. <data encryption>

    A conductor locks all of the carriages at one end before the train enters the tunnel, he uses a key that will lock the carriages but this same key cannot unlock the carriages. Once the train gets to the other side there is another conductor who has in his possession a different key that can unlock the carriages.

    IPSec agrees well before the train gets to the tunnel on exactly what keys will be used, and only each conductor knows this information.

    It follows naturally that if the train were to stop or be intercepted while in the tunnel, theoretically, no one other than the last conductor would be able to unlock the carriages and compromise the data inside each carriage.

    This very basically describes the use of L2TP and IPSec in a VPN, let's call our train tunnel the VPN tunnel in this example.

    Now as for IPSec:

    IPSec is implemented in IPv4 but is native to IPv6 - (so it works automatically in IPv6, hence another reason why IPv6 is considered more secure).

    IPSec uses an AH (Authentication Header) which authenticates the packet and ESP (Encapsulating Security Payload) which securely encapsulates the packet before transport. ESP only secures the data payload within the packet and operates at Layer 3 of the OSI model (the Network Layer or IP Layer).

    It also uses SAs (Security Associations) which uniquely identify the hosts in this trust relationship by way of public key cryptography. IPSec uses the IKE (Internet Key Exchange) protocol that allows two hosts to establish a trust relationship; IKE is used to determine which keys will be used by which host <or conductor as above> (which encryption type). This helps maintain the security associations and can also determine the length of time before the SAs expire.

    Just keep in mind for the Sec+ exam that L2TP uses port 1701 and is responsible for the transport within a VPN and that IPSec is responsible for packet-level encryption and authentication. Combined they add another layer of security to transport over a public network such as the internet.

    Check this link and RFC 2661 (Request for Comments) for more info: Internet Engineering Task Force (IETF)

    I hope you find this info helpful :)
    The Wings of Technology
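To make the layering in the two posts above concrete (L2TP on UDP 1701 as the carrier, IPsec as the protection, PPP inside L2TP carrying IP or non-IP protocols), here is an added example that is not code from the thread. It builds an RFC 2661 L2TP v2 data message around a PPP frame, wraps it once as plain UDP/1701 and once inside ESP as L2TP/IPsec does (RFC 3193 uses ESP in transport mode over the UDP 1701 datagram), and shows what an on-path observer can recover from each. The addresses are TEST-NET values, the "ciphertext" is a stand-in byte string, and the 0xFF 0x03 HDLC address/control prefix on the PPP frame is assumed (real peers may negotiate it away); all packets are constructed here, not captures.

```python
"""Added example: L2TP/IPsec packet layering and a plaintext-vs-ESP check.
Not from the original thread; every packet below is constructed sample data."""
import struct

L2TP_PORT = 1701
IPPROTO_UDP, IPPROTO_ESP = 17, 50
# PPP protocol IDs: L2TP carries PPP, and PPP can carry more than IP.
PPP_PROTO_NAMES = {0x0021: "IPv4", 0x0057: "IPv6", 0x002B: "IPX", 0xC021: "LCP"}


def l2tp_data_message(tunnel_id, session_id, ppp_protocol, ppp_payload):
    """RFC 2661 v2 data message: flags (L=1, T=0, Ver=2), Length, Tunnel ID,
    Session ID, then a PPP frame (assumed HDLC 0xFF 0x03 prefix, protocol, data)."""
    ppp = b"\xff\x03" + struct.pack("!H", ppp_protocol) + ppp_payload
    length = 2 + 2 + 4 + len(ppp)           # flags + Length + IDs + PPP frame
    flags = 0x4000 | 0x0002                 # L bit set, data message, version 2
    return struct.pack("!HHHH", flags, length, tunnel_id, session_id) + ppp


def parse_l2tp(data):
    """Decode an L2TP v2 header, honouring the optional L, S and O fields,
    and name the PPP protocol carried inside a data message."""
    flags, = struct.unpack_from("!H", data, 0)
    if flags & 0x000F != 2:
        raise ValueError("not L2TP version 2")
    off, length = 2, len(data)
    if flags & 0x4000:                      # L: Length field present
        length, = struct.unpack_from("!H", data, off)
        off += 2
    tunnel_id, session_id = struct.unpack_from("!HH", data, off)
    off += 4
    if flags & 0x0800:                      # S: Ns/Nr present (control messages)
        off += 4
    if flags & 0x0200:                      # O: Offset Size, then that much padding
        offset_size, = struct.unpack_from("!H", data, off)
        off += 2 + offset_size
    info = {"control": bool(flags & 0x8000), "tunnel_id": tunnel_id,
            "session_id": session_id, "ppp_protocol": None}
    if not info["control"]:
        ppp = data[off:length]
        if ppp[:2] == b"\xff\x03":          # strip HDLC address/control if present
            ppp = ppp[2:]
        proto, = struct.unpack("!H", ppp[:2])
        info["ppp_protocol"] = PPP_PROTO_NAMES.get(proto, "unknown")
    return info


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header; checksum left zero because this is never sent."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp(spi, seq, ciphertext):
    """ESP (RFC 4303) outer fields; everything after SPI/sequence is opaque."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify(packet):
    """What an on-path observer learns from one IPv4 packet."""
    proto = packet[9]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack_from("!II", packet, 20)
        return {"kind": "esp", "spi": spi, "seq": seq}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack_from("!HH", packet, 20)
        if L2TP_PORT in (sport, dport):     # bare L2TP: header and PPP payload readable
            return {"kind": "l2tp-plaintext", **parse_l2tp(packet[28:])}
    return {"kind": "other"}


SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])   # TEST-NET addresses

# L2TP alone: the PPP payload (a fake IPX packet here) is visible to anyone on the path.
INNER = udp(L2TP_PORT, L2TP_PORT, l2tp_data_message(7, 3, 0x002B, b"\x00" * 30))
L2TP_ONLY = ipv4(IPPROTO_UDP, SRC, DST, INNER)

# L2TP/IPsec: the same UDP/1701 datagram sits inside ESP (transport mode), so only
# SPI and sequence number remain visible; the ciphertext is a stand-in string.
L2TP_IPSEC = ipv4(IPPROTO_ESP, SRC, DST, esp(0xC0FFEE01, 1, b"\xaa" * len(INNER)))

if __name__ == "__main__":
    print(classify(L2TP_ONLY))
    print(classify(L2TP_IPSEC))
```

Running it prints the decoded tunnel/session IDs and the "IPX" PPP protocol for the bare L2TP packet, and only an SPI and sequence number for the L2TP/IPsec packet. The same classify() check, run over a capture, is a quick way to confirm that a VPN endpoint is not accepting or emitting L2TP without the IPsec layer in front of it.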
  • Carl_S_901 Member Posts: 105
    L2TP allows you to hand off the original Layer 2 to the far end.

    Let me give you an example:

    I used to work at a CLEC and we had built DSLAMs across cities and we in turn sold the port access to ISPs. Their customer would come in via PPPoE and be riding over ATM. Based on the domain name in the PPPoE username we would hand the connection off to the appropriate ISP. Therefore, we tunneled the Ethernet from the end-user, carried it across our network via ATM, and handed it to the ISP as Ethernet. This was possible because we tunneled the original layer 2 using L2TP. So it basically looked like an Ethernet connection between the end-user and the ISP, allowing us to be the seamless transport in the middle.
    Carl S.

    Check out my personal certification journey blog
    http://carlscertjourney.wordpress.com/
  • RoyalTech Member Posts: 94
    boredgamelad wrote: »
    If I remember correctly, the advantage of L2TP with IPSec (L2TP/IPSec) over IPSec alone is that L2TP/IPsec can transport protocols other than IP.

    If you're only worried about securing IP traffic, an IPSec tunnel is more efficient than L2TP/IPSec and L2TP. If you need to secure traffic from IP and non-IP protocols, you'd want L2TP/IPSec.

    With this description, it raises another question. When dealing with a tunnel you are dealing with a client and a server. Wouldn't an IP be involved in all tunneling?
  • RoyalTech Member Posts: 94
    To Quinnyfly - I think you are missing my question. Either that, or I am missing your answer. I am simply asking why, if IPSec provides encryption and tunneling, you would need to use L2TP/IPSec instead of just using IPSec alone? In order to properly encrypt a packet that is being tunneled you have to use IPSec's tunnel mode already. I'm just looking at what the necessity for L2TP is. It seems as though you are just describing the two protocols and not why they are used based on my question.
  • lordy Member Posts: 632
    Using L2TP allows you to tunnel Ethernet Frames instead of just IP packets like IPSec does.

    This can be useful, for example, if broadcasts or multicast are used, which run on Layer 2 and should be sent to the remote host (connected via L2TP).
    Working on CCNP: [X] SWITCH --- [ ] ROUTE --- [ ] TSHOOT
    Goal for 2014: RHCA
    Goal for 2015: CCDP
  • Darril Member Posts: 1,588
    RoyalTech wrote: »
    ... what's the use for L2TP if IPSec could also be used for the tunneling part?

    It's a great question and one that many IT professionals have asked. As a matter of fact, someone asked this just a couple of months ago on this forum.

    You might like to check out this thread: http://www.techexams.net/forums/security/74976-l2tp-ipsec.html

    I didn't remember the thread right away, but using this site's excellent search feature, I found it. I just typed in "L2TP IPsec" in the search box and ended up with several hits.

    Hope you're enjoying the book.
  • RoyalTech Member Posts: 94
    I know, I should have searched it but I was being lazy. I found exactly what I was looking for regarding hashes a while back. Guilty as charged.

    Regarding your book, it's great! I think that I mentioned to you before that I wish you spent the extra few bucks and included a PDF version with it but other than that, it is a great book. I attended a school to get my A+ and Network+ and they used the Course Technology Books published by Cengage and the books cost close to or more than $100 a piece and aren't nearly as good as your book. It was upsetting that with a little research, they could have provided better books for a fraction of the cost.
  • Darril Member Posts: 1,588
    Sorry if that came off as if I was trying to ping you - that wasn't my intent. I like the features of this site and how much content is available from so many people. Everyone doesn't know about the search feature and how valuable it can be so my response was to the lurkers as much as it was to you.

    Thanks for the kind words about the book. I did consider adding a CD but it would have made the book too expensive. I instead chose to make the Kindle version available for only $9.99. Some people buy both the paperback and the Kindle version and it's cheaper than the $100 or so you'd pay for a Cengage textbook. Some people add the audio and the practice test question app for mobile devices and it's still cheaper.

    Best of luck with your studies.