L2TP meaning, encryption, and security

L2TP, or Layer 2 Tunneling Protocol, is a long-established VPN protocol used to create secure tunnels between two points on a network. On its own, L2TP doesn't encrypt data — it simply provides the tunnel. That's why it's almost always paired with IPsec, which adds encryption, authentication, and integrity checks (hence the common term L2TP VPN). However, many of the best VPNs no longer offer L2TP/IPsec because of its performance limitations and difficulty bypassing modern firewalls.

Sep 21, 2025

11 min read

What is L2TP?

The Layer 2 Tunneling Protocol (L2TP) is a virtual private network (VPN) protocol that connects your device and a VPN server without encrypting your content. Due to this lack of encryption and authentication, L2TP is usually paired with the Internet Protocol Security (IPsec) protocol. IPsec uses encryption algorithms and cryptographic keys to provide L2TP with the necessary encryption. However, L2TP is outdated and NordVPN no longer supports it.

How does L2TP work?

As with other VPN protocols, the first stage of tunneling your data through the internet via L2TP is to establish a connection between your device and the VPN server you want to reach. Once L2TP, combined with IPsec, creates a tunnel between the endpoints, the data you want to send via it passes through these stages:

  1. The data you want to send through a VPN connection is broken up into packets.
  2. IPsec encrypts these packets to secure the data.
  3. L2TP encapsulates the encrypted packets into its own packets to create a tunnel to transmit the data through the public network safely.
  4. The L2TP packets are sent over the internet.
  5. L2TP unpacks the encapsulated packets at the receiving end (a VPN server), and IPsec decrypts them.
  6. The decrypted packets are restored to the original data, which is then accessible on the local area network (LAN) connected to the VPN server.

What are the advantages of L2TP?

Although L2TP is a relatively old tunneling protocol, it is still used in certain environments due to its simplicity and broad compatibility. Let's take a look at the features that contributed to L2TP’s popularity.

  • Compatibility. L2TP, in combination with IPsec, is supported by different types of devices and operating systems, including Windows, macOS, Linux, iOS, Android, and routers.
  • PPP integration. Using Point-to-Point Protocol (PPP) for encapsulating data within the created tunnel, L2TP can extend its features to support authentication, encryption (when combined with IPsec), and compression.
  • Voluntary and compulsory tunneling. L2TP supports both voluntary tunneling, which the VPN user initiates, and compulsory tunneling, initiated by the network's carrier.

What are the disadvantages of L2TP?

L2TP has been on the market for over 25 years and is considered to be outdated. L2TP also has some major drawbacks, including:

  • Slowness. L2TP is a slow protocol because it encapsulates data twice, wrapping each packet inside another, which leads to slower transmission speeds.
  • Lack of safety. Designed only to create a tunnel for the data to pass through, L2TP itself doesn't encrypt the transmitted data. As a result, data sent over L2TP alone is exposed to interception.
  • Liable to network restrictions. L2TP struggles to bypass firewalls and is unreliable when circumventing network restrictions.
  • Complicated setup. L2TP is a more complex protocol to set up when compared to newer tunneling protocols because it needs to be paired with IPsec to encrypt the transmitted data.

What is L2TP passthrough?

L2TP passthrough is a feature that enables L2TP traffic to pass through the router's network address translator (NAT), which is connected to the VPN client, and establish an outbound connection to a VPN server on the internet.

Without VPN passthrough, the router's security settings may prevent the L2TP traffic from reaching the desired VPN server. The router doesn't perform any L2TP processing itself; it simply forwards L2TP traffic between the VPN client and the VPN server. Not all routers provide passthrough for VPN traffic, and some support it only for certain VPN protocols. So make sure to check your router's configuration settings before you try to establish a VPN connection through it.

How does L2TP compare to other protocols?

L2TP is just one among many VPN protocols used today. Let's take a look at how its features compare with other protocols, both older and newer.


What does L2TP use for encryption?

L2TP doesn't encrypt anything by itself — on its own, it only creates the tunnel that carries data. To make that connection secure, L2TP is almost always paired with IPsec, which handles the actual encryption and authentication. This pairing is commonly known as L2TP/IPsec.

The encryption algorithms used with IPsec can include:

  • AES encryption (Advanced Encryption Standard). It is the most widely used algorithm in IPsec and is known for its strong security.
  • 3DES (Triple Data Encryption Standard). It is an older, slower encryption method that remains in use mainly in legacy systems.
  • Blowfish. It offers faster performance but is regarded as less secure by modern cryptographic standards.

The strength of your L2TP VPN connection depends entirely on how IPsec is configured and which encryption algorithms are used. When set up properly, L2TP/IPsec can be a secure option, but it still doesn't match the performance or firewall resistance of newer protocols like WireGuard.

How is L2TP used in modern VPNs?

L2TP is mostly used in legacy VPN systems or when compatibility across multiple platforms is needed. Many operating systems still support L2TP natively, which makes it convenient in specific use cases.

However, modern VPN providers rarely use L2TP as a first choice due to its slower performance and struggles with NAT and firewall traversal.

You may still see L2TP VPN offered in settings menus because:

  • It pairs with IPsec for encryption.
  • It's simple to set up manually without third-party apps.
  • It works reliably on older operating systems and devices.

But again, unless you have a specific need for L2TP, you can find better options.

What are the performance challenges with L2TP?

L2TP has a few serious performance drawbacks, especially when compared to newer protocols like WireGuard or OpenVPN. Those include:

  • Encryption overhead. L2TP wraps your data twice: once for tunneling and once for IPsec encryption. This double encapsulation creates extra overhead that slows down transmission.
  • Latency. The added layers and handshake procedures can introduce latency, which is especially noticeable on long-distance connections.
  • MTU size and fragmentation. L2TP/IPsec can cause issues with packet size. Fragmentation can lead to slower speeds or dropped connections.
  • Firewall and NAT traversal. Strict firewalls can block L2TP over IPsec unless NAT traversal (NAT-T) is enabled.
  • Connection stability. Because it's sensitive to network conditions and firewall configurations, L2TP connections can be unstable.
  • Resource consumption. Older systems or low-power devices may struggle with the additional resource demands of double encapsulation.

If speed and performance are priorities, newer protocols like WireGuard VPN leave L2TP in the dust.
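The encapsulation overhead and MTU points above can be worked through per packet. The following is an added example, not code from the original article: it assumes ESP in transport mode with AES-CBC and HMAC-SHA1-96, an IPv4 outer header without options, the minimal 6-byte L2TP data header, a 2-byte PPP header and a 1500-byte path MTU.

```python
# Header sizes in bytes. ESP sizes follow RFC 4303 with AES-CBC (16-byte IV and
# block) and HMAC-SHA1-96 (12-byte ICV). The L2TP and PPP sizes are assumptions:
# minimal data header (no Length, Ns/Nr or Offset) and a 2-byte protocol field.
OUTER_IP = 20
NAT_T_UDP = 8      # extra UDP header when NAT traversal (NAT-T) is in use
ESP_HEADER = 8     # SPI + sequence number
ESP_IV = 16
ESP_TRAILER = 2    # pad length + next header, encrypted with the payload
ESP_ICV = 12
AES_BLOCK = 16
L2TP_UDP = 8       # UDP header that carries L2TP inside ESP
L2TP_HEADER = 6
PPP_HEADER = 2


def wire_size(inner_len, nat_t=False):
    """Size of the outer IP packet carrying an inner IP packet of inner_len bytes."""
    clear = L2TP_UDP + L2TP_HEADER + PPP_HEADER + inner_len + ESP_TRAILER
    padded = -(-clear // AES_BLOCK) * AES_BLOCK   # ESP pads to whole cipher blocks
    return (OUTER_IP + (NAT_T_UDP if nat_t else 0)
            + ESP_HEADER + ESP_IV + padded + ESP_ICV)


def max_inner_packet(path_mtu=1500, nat_t=False):
    """Largest inner IP packet that crosses path_mtu without fragmentation."""
    n = path_mtu
    while n > 0 and wire_size(n, nat_t) > path_mtu:
        n -= 1
    return n


def report(path_mtu=1500):
    """Rows of (nat_t, largest inner packet, overhead in bytes at that size)."""
    rows = []
    for nat_t in (False, True):
        best = max_inner_packet(path_mtu, nat_t)
        rows.append((nat_t, best, wire_size(best, nat_t) - best))
    return rows


if __name__ == "__main__":
    for nat_t, best, overhead in report():
        print(f"NAT-T={nat_t}: inner MTU {best}, overhead {overhead} bytes")
    print("1500-byte inner packet on the wire:", wire_size(1500), "bytes")
```

A full-size 1500-byte packet from the LAN no longer fits once wrapped, so the tunnel interface MTU has to be lowered or the packet is fragmented.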

How does L2TP work with IPsec for security?

L2TP by itself doesn't provide any encryption or authentication. It's simply a tunneling protocol — a way to move data from one point to another. To make the connection secure, it needs to be paired with an additional protocol that handles data protection — usually IPsec.

When combined, the two protocols work like this:

  1. L2TP provides a tunnel for data traffic between your device and the VPN server.
  2. IPsec handles encryption, authentication, and data integrity. It wraps the L2TP tunnel in a layer of protection, ensuring the information hasn't been tampered with in transit.

Together, L2TP/IPsec protects both the payload and the L2TP control messages. Encryption is typically handled with 256-bit AES, while secure key exchange is managed through IKEv1 or IKEv2 (Internet Key Exchange).

If you're interested in how IPsec works independently or how it pairs with other protocols, you can explore more in the IPsec VPN guide.

Why is L2TP considered outdated compared to modern protocols?

While L2TP/IPsec was once a common choice for VPNs, several factors have pushed it into legacy status:

  • Age. L2TP was introduced in 1999. That's ancient in tech years.
  • Firewall issues. It doesn't handle NAT or strict firewalls well. That's a major problem in modern restrictive network environments.
  • Slower performance. Double encapsulation and older encryption standards lead to slower speeds.
  • Limited support for modern features. It lacks the flexibility, speed, and stealth of protocols like WireGuard.
  • Complex configuration. It requires careful setup to work correctly, especially with IPsec.

How does L2TP operate within the OSI model?

L2TP transports Open Systems Interconnection (OSI) Layer 2 traffic, such as PPP sessions, across Layer 3 (IP) networks. It effectively extends a data link layer connection over an IP-based network, allowing remote devices to connect to centralized systems as if they were on the same local network.

Understanding L2TP's place in the VPN OSI model explains why it's typically paired with IPsec. L2TP doesn't include any built-in encryption, authentication, or integrity checks. It provides the tunnel for Layer 2 and moves data, but doesn't protect it. That's why it's combined with IPsec, which operates at Layer 3 and provides the necessary security features.
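To see what "no built-in encryption" looks like on the wire, the following added example (not code from the original article) parses the L2TPv2 header defined in RFC 2661 and reads the PPP frame it carries straight out of the packet. The sample packet, its tunnel and session IDs and the body text are constructed for illustration, and the PPP parser assumes an uncompressed 2-byte protocol field.

```python
import struct
from collections import namedtuple

L2TPPacket = namedtuple("L2TPPacket", "is_control tunnel_id session_id ns nr payload")
# PPP protocol numbers commonly carried in L2TP data messages
PPP_PROTOCOLS = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}

def parse_l2tp(data: bytes) -> L2TPPacket:
    """Parse an L2TPv2 header (RFC 2661, section 3.1) from a UDP payload."""
    try:
        (flags,) = struct.unpack_from("!H", data, 0)
        if flags & 0x000F != 2:
            raise ValueError("not an L2TPv2 packet")
        pos = 2
        if flags & 0x4000:                  # L bit: Length field present
            (length,) = struct.unpack_from("!H", data, pos)
            if length > len(data):
                raise ValueError("Length field exceeds captured bytes")
            data, pos = data[:length], pos + 2
        tunnel_id, session_id = struct.unpack_from("!HH", data, pos)
        pos, ns, nr = pos + 4, None, None
        if flags & 0x0800:                  # S bit: Ns and Nr present
            ns, nr = struct.unpack_from("!HH", data, pos)
            pos += 4
        if flags & 0x0200:                  # O bit: Offset Size, then padding
            (offset,) = struct.unpack_from("!H", data, pos)
            pos += 2 + offset
    except struct.error:
        raise ValueError("truncated L2TP header") from None
    if pos > len(data):
        raise ValueError("offset points past end of packet")
    return L2TPPacket(bool(flags & 0x8000), tunnel_id, session_id, ns, nr, data[pos:])

def ppp_payload(frame: bytes):
    """Return (protocol name, inner bytes) of the PPP frame in a data message."""
    if frame[:2] == b"\xff\x03":            # optional HDLC address/control bytes
        frame = frame[2:]
    if len(frame) < 2:
        raise ValueError("truncated PPP frame")
    (proto,) = struct.unpack_from("!H", frame, 0)
    return PPP_PROTOCOLS.get(proto, hex(proto)), frame[2:]

# Constructed sample: data message (L bit set), tunnel 1, session 2; BODY stands in for an inner IP packet.
BODY = b"user=alice&note=hello"
PPP_FRAME = b"\xff\x03\x00\x21" + BODY
SAMPLE = struct.pack("!HHHH", 0x4002, 8 + len(PPP_FRAME), 1, 2) + PPP_FRAME

if __name__ == "__main__":
    print(parse_l2tp(SAMPLE), ppp_payload(parse_l2tp(SAMPLE).payload))
```

Nothing in the header carries a key, nonce or integrity tag, so any observer on the path can run the same parse; with IPsec in place the observer sees only ESP ciphertext instead.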

Rustė Tervydytė | NordVPN

A certified geek, Ruste approaches every cybersecurity topic with curiosity and a knack for breaking down complex concepts. She's on a mission to make cybersecurity accessible, practical, and even a bit fun for readers.