what protocol is used with l2tp to encrypt data?
In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages (using an optional pre-shared secret), and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2 (which may be encrypted), and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.[1]
History
Published in 2000 as proposed standard RFC 2661, L2TP has its origins primarily in two older tunneling protocols for point-to-point communication: Cisco's Layer 2 Forwarding Protocol (L2F) and Microsoft's[2] Point-to-Point Tunneling Protocol (PPTP). A new version of this protocol, L2TPv3, appeared as proposed standard RFC 3931 in 2005. L2TPv3 provides additional security features, improved encapsulation, and the ability to carry data links other than simply Point-to-Point Protocol (PPP) over an IP network (for instance: Frame Relay, Ethernet, ATM, etc.).
Description
The entire L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram. A virtue of transmission over UDP (rather than TCP) is that it avoids the "TCP meltdown problem".[3] [4] It is common to carry PPP sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec (discussed below).
The two endpoints of an L2TP tunnel are called the L2TP access concentrator (LAC) and the L2TP network server (LNS). The LNS waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel.
The packets exchanged within an L2TP tunnel are categorized as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.
L2TP allows the creation of a virtual private dialup network (VPDN)[5] to connect a remote client to its corporate network by using a shared infrastructure, which could be the Internet or a service provider's network.
Tunneling models
An L2TP tunnel can extend across an entire PPP session or only across one segment of a two-segment session. This can be represented by four different tunneling models, namely:
- voluntary tunnel
- compulsory tunnel — incoming call
- compulsory tunnel — remote dial
- L2TP multihop connection[6]
L2TP packet structure
An L2TP packet consists of:
| Bits 0–15 | Bits 16–31 |
|---|---|
| Flags and Version Info | Length (opt) |
| Tunnel ID | Session ID |
| Ns (opt) | Nr (opt) |
| Offset Size (opt) | Offset Pad (opt) ... |
| Payload data | |
Field meanings:
- Flags and version: control flags indicating data/control packet and presence of the length, sequence, and offset fields.
- Length (optional): total length of the message in bytes, present only when the length flag is set.
- Tunnel ID: indicates the identifier for the control connection.
- Session ID: indicates the identifier for a session within a tunnel.
- Ns (optional): sequence number for this data or control message, beginning at zero and incrementing by one (modulo 2^16) for each message sent. Present only when the sequence flag is set.
- Nr (optional): sequence number of the next message expected to be received. Nr is set to the Ns of the last in-order message received plus one (modulo 2^16). In data messages, Nr is reserved and, if present (as indicated by the S bit), MUST be ignored upon receipt.
- Offset Size (optional): specifies where payload data is located past the L2TP header. If the offset field is present, the L2TP header ends after the last byte of the offset padding. This field exists if the offset flag is set.
- Offset Pad (optional): variable length, as specified by the offset size. Contents of this field are undefined.
- Payload data: variable length (max payload size = max size of UDP packet − size of L2TP header)
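As an added example (not code from the original article), the following Python parser walks the L2TPv2 header described above, reading each optional field only when its flag bit is set and enforcing the RFC 2661 rule that control messages carry Length and Ns/Nr but never an Offset. The sample datagrams at the bottom are constructed, not captured.

```python
import struct

# L2TPv2 (RFC 2661) flag bits in the first 16-bit word of the header.
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100


def parse_l2tp_header(pkt: bytes) -> dict:
    """Parse an L2TPv2 header from a UDP payload; return fields and payload."""
    pos = 0

    def take(fmt: str):
        # Unpack the next fields, refusing to read past the datagram.
        nonlocal pos
        size = struct.calcsize(fmt)
        if len(pkt) < pos + size:
            raise ValueError("truncated L2TP header")
        vals = struct.unpack_from(fmt, pkt, pos)
        pos += size
        return vals

    (flags,) = take("!H")
    if flags & 0x000F != 2:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    hdr = {"is_control": bool(flags & T_BIT), "priority": bool(flags & P_BIT),
           "length": None, "ns": None, "nr": None, "offset_size": None}
    # RFC 2661: control messages MUST set L and S and MUST NOT set O or P.
    if hdr["is_control"] and (flags & (L_BIT | S_BIT) != (L_BIT | S_BIT)
                              or flags & (O_BIT | P_BIT)):
        raise ValueError("control message with invalid flag combination")
    if flags & L_BIT:
        (hdr["length"],) = take("!H")
    hdr["tunnel_id"], hdr["session_id"] = take("!HH")
    if flags & S_BIT:
        hdr["ns"], hdr["nr"] = take("!HH")   # sequence numbers, modulo 2**16
    if flags & O_BIT:
        (hdr["offset_size"],) = take("!H")
        pos += hdr["offset_size"]            # skip the undefined Offset Pad bytes
        if pos > len(pkt):
            raise ValueError("offset pad exceeds datagram")
    end = len(pkt)
    if hdr["length"] is not None:
        if hdr["length"] > len(pkt) or hdr["length"] < pos:
            raise ValueError("Length field inconsistent with datagram")
        end = hdr["length"]                  # ignore any bytes beyond Length
    hdr["payload"] = pkt[pos:end]
    return hdr


# Constructed sample datagrams (not captures): a control message with
# T|L|S set, and a data message whose payload begins with a PPP frame.
CONTROL_PKT = struct.pack("!HHHHHH", 0xC802, 16, 0, 0, 0, 0) + b"\xde\xad\xbe\xef"
DATA_PKT = struct.pack("!HHH", 0x0002, 0x0001, 0x0002) + b"\xff\x03\xc0\x21"
```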
L2TP packet exchange
At the time of setup of an L2TP connection, many control packets are exchanged between server and client to establish the tunnel and session for each direction. One peer requests the other peer to assign a specific tunnel and session ID through these control packets. Then, using this tunnel and session ID, data packets are exchanged with the compressed PPP frames as payload.
The list of L2TP control messages exchanged between LAC and LNS, for handshaking before establishing a tunnel and session in the voluntary tunneling method, are
L2TP/IPsec
Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The process of setting up an L2TP/IPsec VPN is as follows:
- Negotiation of IPsec security association (SA), typically through Internet key exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called "pre-shared keys"), public keys, or X.509 certificates on both ends, although other keying methods exist.
- Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
- Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.
When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden inside the IPsec packet, the original source and destination IP address is encrypted within the packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec information has been decrypted and stripped, which only takes place at the endpoints.
A potential point of confusion in L2TP/IPsec is the use of the terms tunnel and secure channel. The term tunnel-mode refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/PPP, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel. IPsec also specifies a tunnel protocol: this is not used when an L2TP tunnel is used.
Windows implementation
Windows has had native support (configurable in control panel) for L2TP since Windows 2000. Windows Vista added two alternative tools, an MMC snap-in called "Windows Firewall with Advanced Security" (WFwAS) and the "netsh advfirewall" command-line tool. One limitation with both the WFwAS and netsh commands is that servers must be specified by IP address. Windows 10 added the "Add-VpnConnection" and "Set-VpnConnectionIPsecConfiguration" PowerShell commands. A registry key must be created on the client and server if the server is behind a NAT-T device. [1]
L2TP in ISPs' networks
L2TP is often used by ISPs when internet service over, for example, ADSL or cable is being resold. From the end user, packets travel over a wholesale network service provider's network to a server called a Broadband Remote Access Server (BRAS), a protocol converter and router combined. On legacy networks the path from the end user's customer premises equipment to the BRAS may be over an ATM network. From there on, over an IP network, an L2TP tunnel runs from the BRAS (acting as LAC) to an LNS which is an edge router at the boundary of the ultimate destination ISP's IP network. See example of reseller ISPs using L2TP.
RFC references
- RFC 2341 Cisco Layer Two Forwarding (Protocol) "L2F" (a predecessor to L2TP)
- RFC 2637 Point-to-Point Tunneling Protocol (PPTP)
- RFC 2661 Layer 2 Tunneling Protocol "L2TP"
- RFC 2809 Implementation of L2TP Compulsory Tunneling via RADIUS
- RFC 2888 Secure Remote Access with L2TP
- RFC 3070 Layer Two Tunneling Protocol (L2TP) over Frame Relay
- RFC 3145 L2TP Disconnect Cause Information
- RFC 3193 Securing L2TP using IPsec
- RFC 3301 Layer Two Tunneling Protocol (L2TP): ATM access network
- RFC 3308 Layer Two Tunneling Protocol (L2TP) Differentiated Services
- RFC 3355 Layer 2 Tunneling Protocol (L2TP) Over ATM Accommodation Layer 5 (AAL5)
- RFC 3371 Layer Two Tunneling Protocol "L2TP" Management Information Base
- RFC 3437 Layer Two Tunneling Protocol Extensions for PPP Link Control Protocol Negotiation
- RFC 3438 Layer Two Tunneling Protocol (L2TP) Internet Assigned Numbers: Internet Assigned Numbers Authority (IANA) Considerations Update
- RFC 3573 Signaling of Modem-On-Agree status in Layer 2 Tunneling Protocol (L2TP)
- RFC 3817 Layer 2 Tunneling Protocol (L2TP) Agile Discovery Relay for PPP over Ethernet (PPPoE)
- RFC 3931 Layer Two Tunneling Protocol - Version 3 (L2TPv3)
- RFC 4045 Extensions to Support Efficient Carrying of Multicast Traffic in Layer-2 Tunneling Protocol (L2TP)
- RFC 4951 Fail Over Extensions for Layer 2 Tunneling Protocol (L2TP) "failover"
See also
- IPsec
- Layer 2 Forwarding Protocol
- Point-to-Point Tunneling Protocol
- Point-to-Point Protocol
- Virtual Extensible LAN
References
- IETF (1999), RFC 2661, Layer Two Tunneling Protocol "L2TP"
- "Point-to-Point Tunneling Protocol (PPTP)". TheNetworkEncyclopedia.com. 2013. Retrieved 2014-07-28. Quoted definition: "Point-to-Point Tunneling Protocol (PPTP): A data-link layer protocol for wide area networks (WANs) based on the Point-to-Point Protocol (PPP) and developed by Microsoft that enables network traffic to be encapsulated and routed over an unsecured public network such as the Internet."
- Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Retrieved 2015-10-17.
- Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". In Atiquzzaman, Mohammed; Balandin, Sergey I (eds.). Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III. Vol. 6011. Bibcode:2005SPIE.6011..138H. CiteSeerX 10.1.1.78.5815. doi:10.1117/12.630496. S2CID 8945952.
- Cisco Support: Understanding VPDN – Updated Jan 29, 2008
- IBM Knowledge Center: L2TP multi-hop connection
External links
Implementations
- Cisco: Cisco L2TP documentation, also read Technology brief from Cisco
- Open source and Linux: xl2tpd, Linux RP-L2TP, OpenL2TP, l2tpns, l2tpd (inactive), Linux L2TP/IPsec server, FreeBSD multi-link PPP daemon, OpenBSD npppd(8), ACCEL-PPP - PPTP/L2TP/PPPoE server for Linux
- Microsoft: built-in client included with Windows 2000 and higher; Microsoft L2TP/IPsec VPN Client for Windows 98/Windows Me/Windows NT 4.0
- Apple: built-in client included with Mac OS X 10.3 and higher.
- VPDN on Cisco.com
Other
- IANA assigned numbers for L2TP
- L2TP Extensions Working Group (l2tpext) - (where future standardization work is being coordinated)
- Using Linux as an L2TP/IPsec VPN client
- L2TP/IPSec with OpenBSD and npppd
- Comparison of L2TP, PPTP and OpenVPN
Source: https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol#:~:text=IPsec%20is%20often%20used%20to,providing%20confidentiality%2C%20authentication%20and%20integrity.