You’ve heard all the hoopla, and there’s only going to be more. Windows 2000 isn’t even out yet, but the talk of improved security features is already making the rounds.

Why? As I mentioned in last week’s “New Virtual Private Network security options coming with Windows 2000 ,” much of the hype is due to enhanced security in the new OS, including supp ort for Internet Protocol Security (IPSec) and the Layer 2 Tunneling Protocol (L2TP).

L2TP is essentially a merger of Cisco Systems’ L2F (Layer 2 Forwarding) and PPTP (Point to Point Tunneling Protocol, developed by Microsoft, U.S. Robotics, and others). L2TP was developed through the IETF (Internet Engineering Task Force) standards process. One of its chief functions is to provide a mechanism for remote users connecting to a local ISP to tunnel to a remote network.

It’s important to remember that L2TP does not conflict with or replace IPSec. L2TP can and should be used in conjunction with IPSec tools to secure a virtual private network.

IPSec overview
IPSec operates in two modes. Transport mode secures existing IP packets between source and destination. Tunnel mode encapsulates the existing IP packet inside another packet. In either mode, the packets can be encapsulated in Encapsulated Security Payload (ESP) or Authentication Headers (AH).

IPSec’s transport mode offers security, replay, and authentication protection between systems. IPSec’s tunnel mode operates between one private IP network (router or gateway) and another, including over the Internet.

In basic terms, IPSec addresses server-to-server tunneling, not client-to-server tunneling. That’s L2TP’s job.

Of course, that’s a simplification, but it gets us started in looking at the virtual private network features found in Windows 2000. According to Microsoft, Win2K is the only “operating system-integrated solution for securing end-to-end communications within a private network. Windows 2000 integrates IPSec with the Active Directory directory service to deliver central control of policy based security administration.”

Please bear in mind that I’m writing this column before I have a copy of the shipping version in hand. Microsoft is indicating, though, that the OS will support client/server PPTP- and L2TP-based virtual private networks running over IPSec, as well as server-to-server tunnels based on PPTP, L2TP, and IPSec.


It’s important to remember that Microsoft has its own definition of VPN, which may vary from yours. Microsoft considers VPNs to include:

  • Secure remote access from client-to-gateway, either through Internet connections or within private or outsourced networks.
  • Secure gateway-to-gateway connections, across the Internet or across private or outsourced networks.

L2TP overview
L2TP is a protocol that defines a method of encapsulating and transporting multi-protocol data packets in point-to-point links. It extends the Point-to-Point (PPP) protocol by allowing the layer-2 and PPP endpoints to exist on different devices connected by a packet-switched network.

L2TP manages data frames (PPP), which are sent over IP, ATM, X.25, or frame-relay networks, and includes support for non-Internet Protocol (IP) packets, including AppleTalk and NetWare IPX (a feature taken from PPTP).

Control and data messages in any L2TP implementation are, by default, checksum protected. UDP checksums can optionally be disabled for data messages. However, this can weaken the security.

The L2TP payload and header are held within a UDP datagram. The frames themselves can be either compressed or encrypted and, since they can be sent as IP packets, standard IPSec-compatible security can (and should) be applied. This means L2TP data can use standard authentication, privacy, and replay protection.

As usual, there is fresh jargon to go with the new technology. Here are some brief definitions of terms you’ll be hearing, if you haven’t heard them already:

  • NAS—Network Access Server
  • LAC (L2TP Access Concentrator)—a PPP- and L2TP-capable device with telephone system or ISDN connections
  • LNS (L2TP Network Server)—the server side of the L2TP protocol that terminates calls originating at PPP calls

The tunnel in L2TP is created between the LAC and LNS. For more basic definitions, see the end of this column.

L2TP Session Diagram

In a typical L2TP session:

  1. Remote user contacts the NAS using PPP connection.
  2. After the NAS determines that the user has authorization, the NAS/LAC component attempts to connect to the LNS through a tunnel.
  3. LNS authenticates user and completes the tunnel connection.
  4. LNS and user device exchange PPP negotiations.
  5. Data is now exchanged between user and LNS through the tunnel.

We don’t need no stinking tunnels!
Before you decide that you do or don’t need L2TP, it helps to know just what an L2TP tunnel is. The L2TP tunnel is an L2TP frame encapsulated in a User Datagram Protocol (UDP) packet placed inside an IP packet carrying the tunnel origin and destination address. It looks roughly like this:

(IP packet(UDP(L2TP)UDP)IP packet)

You also need to know what an LT2P tunnel isn’t.

Strong authentication control is available when the L2TP tunnel is initiated, but that only applies to the endpoints. There is no authentication for the individual data packets and, therefore, no way to know if someone has altered the data. This can leave the connection open to denial-of-service attacks, which close the tunnel by faking control packets.

L2TP tunnels are an important component of secure low-cost remote access. But, as we mentioned earlier, IPSec is also needed to provide enhanced security. Together they make a strong combination.

IPSec, L2TP, PPTP, and L2F
A Microsoft FAQ compares IPSec and PPTP this way:

IPSec offers Compression and Encryption. PPTP offers MPPC (Microsoft Point to Point Compression), Address Allocation, Multi-protocol support, MPPE (MS PTP Encryption), Flow Control, and Token Cards (in Windows 2000).

There are several differences between L2F and L2TP, but the most important is that L2TP offers vendor interoperability and isn’t limited to Cisco users.


  • UDP—User Datagram Protocol is a TCP/IP protocol generally used instead of TCP for streaming data such as audio and video, where it doesn’t matter if a few packets are lost (or at least there is nothing you can do about it because there’s no time for retransmission of lost packets).
  • SSL—Secure Socket Layer, a security protocol operating at Layer 4. IPSec operates at Layer 3.
  • Layer 2—the data-link layer (also MAC, or Media Access Control, layer) that contains the actual physical address of the server or client. MAC (e.g., CSMA/CD for Ethernet or Token Ring passing protocols) is built into the network adapter.
  • Layer 3—the network layer that contains the physical IP, IPX, or other address used by routers to forward packets.
  • Layer 4—that part of the OSI model that controls the establishment of a connection.

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.

Have a comment?

If you’d like to share your opinion, please post a comment below or send the editor an e-mail.