What Is the L2TP/IPSec Tunneling Protocol? (Quick Guide)
L2TP is a tunneling protocol used to create VPN connections. It was more popular a few years ago, but many VPN providers have since stopped supporting it.
Keep reading to find out why, and to learn how this protocol works and how to manually set it up on your device.
What Is an L2TP VPN?
L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol, which is a set of rules that determine how a VPN connection is established. However, L2TP can’t be used on its own because it doesn’t provide encryption. To fix that, L2TP is usually paired with the IPSec (Internet Protocol Security) protocol.
What Is an L2TP/IPSec VPN?
L2TP/IPSec is a VPN protocol that is composed of the L2TP and IPSec protocols. L2TP handles the tunneling of data, while IPSec is responsible for the connection’s security.
Even though L2TP and L2TP/IPSec connections are different, these 2 terms are often used interchangeably. Some online sources and even VPN providers use the term “L2TP” when they’re actually referring to an L2TP/IPSec VPN connection.
What Is an L2TP/IPSec VPN Client?
An L2TP/IPSec VPN client is an application that uses the L2TP over IPSec protocol to establish a connection to a VPN server. A dedicated app from a commercial VPN that supports this protocol can be called an L2TP/IPSec VPN client.
What Is an L2TP/IPSec VPN Server?
An L2TP over IPSec VPN server is a server configured to encrypt your data using the L2TP/IPSec VPN protocol. Here’s what the server does:
- Communicates with the VPN client to establish an L2TP over IPSec connection.
- Receives your encrypted data from the VPN client.
- Decrypts your data and forwards it to the web.
- Receives the requested data, encrypts it again, and forwards it to the VPN client.
How Does the L2TP/IPSec VPN Protocol Work?
L2TP/IPSec is used to create a VPN connection.
First, the IPSec protocol handles the security association. That’s when the VPN client on your device and the VPN server decide what encryption to use. IPSec then creates the ESP (Encapsulating Security Payload). That lets all devices know that the data they receive really comes from where it claims to originate. After that, the L2TP protocol sets up the VPN tunnel.
Finally, the L2TP/IPSec protocol bundles the data twice — L2TP does it first, then IPSec bundles it again to secure it.
L2TP VPN Protocol Pros & Cons
- Good speeds: L2TP/IPSec provides pretty fast connections. In most of our speed tests, we only experienced a 30–40% slowdown on average, which is decent.
- Cross-platform compatibility: L2TP is built into many platforms, including Windows, macOS, Linux, iOS, and Android.
- More secure than PPTP (Point-to-Point Tunneling Protocol): L2TP/IPSec’s security is an improvement over the PPTP protocol, which is easy to compromise.
- Can’t handle encryption on its own: L2TP needs to be paired with IPSec, otherwise it can’t secure your traffic.
- Easy to block: L2TP uses UDP port 1701 by default. When it’s paired with IPSec, it uses UDP ports 500 and 4500, and ESP IP Protocol 50. ISPs or network admins could block those ports, which would prevent you from using L2TP connections.
- Only has moderate security: Even when it’s paired with IPSec, L2TP still can’t provide strong security like most top VPN protocols.
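The double bundling and the port list described above have a consequence a network defender can check: once IPSec wraps the tunnel, the L2TP header on UDP 1701 travels inside the ESP payload, so only UDP 500, UDP 4500, or ESP should be visible on the wire. The following is an added example, not code from the original guide; the flow-record layout, function name, and sample flows are assumptions made for illustration.

```python
from collections import defaultdict

# Port and protocol numbers are the ones the article lists; the role names
# (IKE, NAT traversal) are standard IPSec usage, not taken from the article.
UDP, ESP = 17, 50
PORT_TAGS = {500: "ike", 4500: "natt", 1701: "l2tp"}

CLEAR = "L2TP visible in cleartext: no IPSec protection"
PROTECTED = "IPSec-protected tunnel, inner protocol hidden"
NEGOTIATING = "IKE seen, no protected traffic yet"
PARTIAL = "ESP or NAT-T seen, negotiation outside capture"

def classify_peers(flows):
    """Label each host pair by what an on-path observer can see.

    flows: iterable of (src_ip, dst_ip, ip_proto, src_port, dst_port);
    ports are None for ESP, which carries no port numbers.
    """
    seen = defaultdict(set)
    for src, dst, proto, sport, dport in flows:
        pair = tuple(sorted((src, dst)))  # merge both directions
        if proto == ESP:
            seen[pair].add("esp")
        elif proto == UDP:
            for port in (sport, dport):
                if port in PORT_TAGS:
                    seen[pair].add(PORT_TAGS[port])
    verdicts = {}
    for pair, tags in seen.items():
        if "l2tp" in tags:
            # Under IPSec the UDP 1701 header travels inside the ESP payload,
            # so a visible 1701 flow means the tunnel itself is unencrypted.
            verdicts[pair] = CLEAR
        elif "ike" in tags and tags & {"esp", "natt"}:
            verdicts[pair] = PROTECTED
        elif "ike" in tags:
            verdicts[pair] = NEGOTIATING
        else:
            verdicts[pair] = PARTIAL
    return verdicts

# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", UDP, 500, 500),
    ("203.0.113.5", "192.0.2.10", ESP, None, None),
    ("192.0.2.20", "203.0.113.6", UDP, 500, 500),
    ("192.0.2.20", "203.0.113.6", UDP, 4500, 4500),
    ("192.0.2.30", "203.0.113.7", UDP, 1701, 1701),
    ("192.0.2.40", "198.51.100.9", 6, 51514, 443),   # TCP/HTTPS, ignored
]
```

Running `classify_peers(SAMPLE_FLOWS)` marks the third pair as cleartext L2TP, which is the case the article warns about when L2TP is used without IPSec.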
L2TP VPN Protocol vs. Other VPN Protocols
We’re going to provide you with a quick overview of how other popular protocols compare to L2TP/IPSec connections. If you’d like to read more about other protocols, check out our guide.
| VPN Protocol | How It Compares to L2TP/IPSec |
|---|---|
| PPTP | Much less secure, should definitely be avoided. |
| OpenVPN | Way more secure and difficult to block, but might be slower. |
| IKEv2/IPSec | More secure, slightly faster, and much better for mobile users since it resists network changes. |
| WireGuard | Much more secure, faster, and harder to block. |
Which VPNs Offer Access to L2TP VPN Connections?
Here’s a quick list of VPN providers that provide built-in access to the L2TP/IPSec protocol:
Very few VPNs have this protocol, as they consider it to be less secure than other options like OpenVPN, IKEv2/IPSec, and WireGuard.
How to Set Up an L2TP VPN Connection
It’s possible to set up your own L2TP VPN connection, though we don’t normally recommend this as the setup process can be difficult. It’s much easier to just get a VPN that supports L2TP connections, like the one we mentioned above.
That said, if you’re certain you want to perform a manual setup, we can help you out. However, you’ll first need access to a VPN that supports L2TP/IPSec connections, as you’ll need the IP address of one of the provider’s servers.
Once you have the IP address, follow the steps below for the device you’re using:
Windows
- From the Start Menu, pick Settings.
- Select Network & Internet and choose VPN on the left.
- Pick Add a VPN connection.
- Under the VPN provider field, pick Windows (built-in).
- Under Connection name, type a name for your VPN connection.
- Under Server name or address, copy-paste the IP address of the VPN server you’ll use.
- In the VPN type dropdown menu, select Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec). If other options appear (L2TP/IPSec with certificate or L2TP/IPSec with pre-shared key), ask the VPN provider which setting to choose.
- Under User name (optional) and Password (optional), add your VPN login details if necessary.
- Hit Save.
- Next, select Change adapter options on the right.
- Select your VPN connection and pick Change settings of this connection.
- Click the Security tab and make these changes:
  - From the Data encryption dropdown menu, pick Require encryption (disconnect if server declines).
  - Check the Allow these protocols option.
  - Make sure Microsoft CHAP version 2 is the only selected protocol option.
- When you’re done, hit Advanced settings, which is also found on the Security tab. There are 2 scenarios here:
  - If you picked a VPN connection that uses a pre-shared key, select Use pre-shared key for authentication. Then, copy-paste the pre-shared key in the Key field.
  - If you set up a VPN that uses a certificate, select the Use certificate for authentication option. Make sure you imported the certificate to your device. Also, this option must be enabled: Verify the Name and Usage attributes of the server’s certificate.
- Select OK.
- Hit OK again.
To start the VPN connection, click the Network icon in the system tray. Then, click the VPN connection, click Connect, and type your username and password if necessary, then select OK.
macOS
- Open the Apple menu and pick System Preferences.
- Hit the Network icon and use the + icon in the lower left to create a network interface.
- From the Interface dropdown menu, pick VPN.
- Open the VPN Type dropdown list and choose L2TP over IPSec.
- Under Service Name, type a name for your connection.
- Hit Create.
- The VPN settings will pop up, but we recommend not changing much and just using the default configuration.
- Now, copy-paste the IP address of the VPN server in the Server Address field.
- Then, copy-paste your username in the Account Name field.
- After that, select Authentication Settings.
- Copy-paste your password in the Password field.
- Now, there are 2 scenarios:
  - If you created a connection that uses a pre-shared key, select Shared Secret and copy-paste the key in the Shared Secret field.
  - If you created a connection that uses certificates, pick Certificate and pick which certificate to use by hitting Select.
- When you’re done, select Apply.
To start the connection, select System Preferences and click Network. Next, select the VPN connection you created, and hit Connect.
Android
- Head to Settings > Wireless & Networks.
- Select More > VPN.
- Tap the + icon to add a VPN network.
- Type a name for your VPN connection in the Name text box.
- If you use a VPN with a pre-shared key:
  - Select L2TP/IPSec PSK from the Type dropdown list.
  - Copy-paste the key in the IPSec pre-shared key field.
- If you use a VPN with certificates:
  - Select L2TP/IPSec RSA from the Type dropdown menu.
  - Make sure you import the certificate to your Android device.
- Copy-paste the IP address of the server you’ll use in the Server Address field.
- Finally, save the connection.
To use this VPN connection on Android, start by selecting it. Then, type your username and password in the Username and Password fields, and tap Connect.
iOS
- First, go to Settings > General > VPN.
- Select Add VPN Configuration and select L2TP from the Type menu.
- Tap Back and type a name for your connection in the Description field.
- Copy-paste the IP address of the VPN server in the Server field.
- Then, copy-paste your username in the Account field.
- Make sure the RSA SecurID slider is set to the off position.
- Copy-paste your password in the Password field.
- Copy-paste the pre-shared key in the Secret field.
- Make sure the Send All Traffic slider is set to the on position.
- Also, make sure the Proxy setting is set to Off.
- Finally, tap Done.
To use the new VPN connection, go to Settings > General > VPN. Then, select the new VPN profile and change its Status to Connecting.
Is an L2TP VPN Connection Safe?
L2TP, on its own, is not safe to use because it doesn’t provide encryption. If it’s paired with IPSec, it can encrypt data, though it still provides only decent security. Also, there have been allegations that the NSA compromised L2TP/IPSec, but this only seems to be an issue if you use weak pre-shared keys.
All in all, we think L2TP/IPSec is safe to use, but only if your options are L2TP/IPSec and PPTP. If OpenVPN, WireGuard, or IKEv2/IPSec are available, we strongly recommend using them instead.
Which Is Better: OpenVPN or L2TP/IPSec?
Even though L2TP/IPSec was usually faster than OpenVPN in our tests, we still think OpenVPN is the superior option — here’s why:
- Better security — OpenVPN can use more modern and lightweight encryption ciphers, like ChaCha20. Also, the protocol is open-source (anyone can inspect the code for vulnerabilities) and has passed many security audits.
- Harder to block — OpenVPN can use multiple ports, including TCP port 443. That port is pretty much impossible to block since it’s the same port used by HTTPS traffic.
The Bottom Line
L2TP is a good protocol, but only when it’s paired with IPSec to provide data encryption. Even then, however, it’s still not as good as other protocols like OpenVPN, WireGuard, and IKEv2/IPSec. Plus, many top VPNs have stopped offering support for L2TP/IPSec because they consider it outdated.
Overall, we would only recommend using this protocol if you need fast connections, and your only other option is PPTP, which is dangerous to use.