What Is L2TP (Layer 2 Tunneling Protocol)?

Like PPTP, L2TP is a very popular VPN protocol - most VPN providers offer access to it, actually. But what is L2TP and how does it work? If you’d like to learn about that, we’ve got you covered with this article. Stick around, and you’ll get to learn everything you need to know about the L2TP protocol.

What Is L2TP?

L2TP stands for Layer 2 Tunneling Protocol, and it’s – like the name implies – a tunneling protocol that was designed to support VPN connections. Funnily enough, L2TP is often employed by ISPs to allow VPN operations.

L2TP was first published in 1999. It was designed as a sort of successor to PPTP, and it was developed by both Microsoft and Cisco. The protocol takes various features from Microsoft’s PPTP and Cisco’s L2F (Layer 2 Forwarding) protocol, and improves on them.

How L2TP Works – The Basics

L2TP tunneling starts out by initiating a connection between LAC (L2TP Access Concentrator) and LNS (L2TP Network Server) – the protocol’s two endpoints – on the Internet. Once that’s achieved, a PPP link layer is enabled and encapsulated, and afterwards it’s carried over the web.

The PPP connection is then initiated by the end-user (you) with the ISP. Once the LAC accepts the connection, the PPP link is established. Afterwards, a free slot within the network tunnel is assigned, and the request is then passed on to the LNS.

Lastly, once the connection is fully authenticated and accepted, a virtual PPP interface is created. At that moment, link frames can freely be passed through the tunnel. The frames are accepted by the LNS, which then removes the L2TP encapsulation and proceeds to process them as regular frames.

Some Technical Details About the L2TP Protocol

  • L2TP is often paired up with IPSec in order to secure the data payload.
  • When paired with IPSec, L2TP can use encryption keys of up to 256-bit and the 3DES algorithm.
  • L2TP works on multiple platforms, and is natively supported on Windows and macOS operating systems and devices.
  • L2TP’s double encapsulation feature makes it rather secure, but it also means it’s more resource-intensive.
  • L2TP normally uses UDP port 1701; when it’s paired up with IPSec, the connection also uses UDP ports 500 (for IKE – Internet Key Exchange) and 4500 (for NAT), alongside 1701 (for L2TP traffic).

The L2TP data packet structure is as follows:

  • IP Header
  • IPSec ESP Header
  • UDP Header
  • L2TP Header
  • PPP Header
  • PPP Payload
  • IPSec ESP Trailer
  • IPSec Authentication Trailer
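
The layering above can be seen by parsing what sits behind the UDP header. The following Python is an added example, not part of the original article: it reads the L2TPv2 header as defined in RFC 2661 and the PPP protocol field after it, which is readable by anyone on the path whenever the ESP layers in the list are absent. The sample packets and the function names are constructed for illustration.

```python
import struct

# PPP protocol numbers that commonly appear behind the L2TP header.
PPP_PROTOCOLS = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP",
                 0xC023: "PAP", 0xC223: "CHAP"}


def parse_l2tp(udp_payload: bytes) -> dict:
    """Parse an L2TPv2 header (RFC 2661, section 3.1) and peek at the PPP frame."""
    try:
        (flags,) = struct.unpack_from("!H", udp_payload, 0)
        if flags & 0x000F != 2:
            raise ValueError("version field is not 2, so this is not L2TPv2")
        pos, end = 2, len(udp_payload)
        if flags & 0x4000:                      # L bit: Length field present
            (length,) = struct.unpack_from("!H", udp_payload, pos)
            if length > end:
                raise ValueError("Length field exceeds the captured payload")
            pos, end = pos + 2, length
        tunnel_id, session_id = struct.unpack_from("!HH", udp_payload, pos)
        pos += 4
        if flags & 0x0800:                      # S bit: Ns and Nr present
            pos += 4
        if flags & 0x0200:                      # O bit: Offset Size + padding
            (offset,) = struct.unpack_from("!H", udp_payload, pos)
            pos += 2 + offset
    except struct.error as exc:
        raise ValueError("truncated L2TP header") from exc

    info = {"control": bool(flags & 0x8000),    # T bit: control vs. data message
            "tunnel_id": tunnel_id, "session_id": session_id,
            "ppp_protocol": None}
    body = udp_payload[pos:end]
    if not info["control"] and body:
        if body[:2] == b"\xff\x03":             # optional PPP address/control
            body = body[2:]
        if body[:1] and body[0] & 1:            # odd first octet: 1-byte protocol
            proto = body[0]
        elif len(body) >= 2:
            proto = int.from_bytes(body[:2], "big")
        else:
            raise ValueError("truncated PPP frame")
        info["ppp_protocol"] = PPP_PROTOCOLS.get(proto, hex(proto))
    return info


def build_sample_data_message() -> bytes:
    """Constructed data message: tunnel 7, session 1, PPP carrying IPv4."""
    ppp = b"\xff\x03\x00\x21" + bytes.fromhex("4500001c")
    return struct.pack("!HHHH", 0x4002, 8 + len(ppp), 7, 1) + ppp


def build_sample_control_message() -> bytes:
    """Constructed control message with an empty body (T, L and S bits set)."""
    return struct.pack("!HHHHHH", 0xC802, 12, 7, 0, 1, 1)


if __name__ == "__main__":
    print(parse_l2tp(build_sample_data_message()))
    print(parse_l2tp(build_sample_control_message()))
```
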

How Does L2TP/IPSec Work?

Basically, here’s a quick overview of how an L2TP/IPSec VPN connection takes place:

  • The IPSec Security Association (SA – an agreement between two network devices on security attributes) is first negotiated. That is normally done through IKE and over UDP port 500.
  • Next, the Encapsulating Security Payload (ESP) process is established for the transport mode. This is done using IP protocol 50. Once ESP is established, a secure channel between the network entities (VPN client and VPN server, in this case) has been set up. However, for now, no actual tunneling is taking place.
  • That’s where L2TP comes into play – the protocol negotiates and establishes a tunnel between the network endpoints. L2TP uses UDP port 1701 for that, and the actual negotiation process takes place within the IPSec encryption.
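
Because the L2TP negotiation happens inside the IPSec encryption, a correctly protected session shows only IKE (UDP 500), ESP (IP protocol 50) or UDP 4500 on the wire, and never bare UDP 1701. The following Python is an added example, not part of the original article, that audits flow records for that condition. The flow records, the verdict labels and the assumption that each record is in the client-to-server direction are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (src, dst, ip_protocol, dst_port); the addresses are
# RFC 5737 documentation ranges, not values from the article.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.1", 17, 500),    # IKE, then ESP: no NAT in path
    ("192.0.2.10", "198.51.100.1", 50, None),
    ("192.0.2.20", "198.51.100.1", 17, 500),    # IKE, then UDP 4500: behind NAT
    ("192.0.2.20", "198.51.100.1", 17, 4500),
    ("192.0.2.30", "198.51.100.1", 17, 1701),   # bare L2TP, no IPSec around it
    ("192.0.2.40", "198.51.100.1", 17, 500),    # IKE only, nothing followed
]

UDP, ESP = 17, 50
UDP_ROLES = {500: "ike", 4500: "nat-t", 1701: "l2tp"}


def classify(ip_protocol, dst_port):
    """Map one flow record to its role in an L2TP/IPSec session, or None."""
    if ip_protocol == ESP:
        return "esp"
    if ip_protocol == UDP:
        return UDP_ROLES.get(dst_port)
    return None


def audit_l2tp_flows(flows):
    """Return {(client, server): verdict} for every pair that shows VPN traffic.

    Assumes each record is client-to-server, so (src, dst) identifies the pair.
    """
    seen = defaultdict(set)
    for src, dst, ip_protocol, dst_port in flows:
        role = classify(ip_protocol, dst_port)
        if role:
            seen[(src, dst)].add(role)

    verdicts = {}
    for pair, roles in seen.items():
        if "l2tp" in roles:
            # UDP 1701 visible on the wire: the tunnel is not wrapped in ESP.
            verdicts[pair] = "cleartext-l2tp"
        elif roles & {"esp", "nat-t"}:
            verdicts[pair] = "ipsec-protected"
        else:
            # Key exchange was seen but no protected traffic followed it.
            verdicts[pair] = "ike-only"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in audit_l2tp_flows(SAMPLE_FLOWS).items():
        print(pair, verdict)
```
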

What Is L2TP Passthrough?

Since an L2TP connection has to generally access the web through a router, L2TP traffic will need to be able to pass through said router in order for the connection to work. L2TP Passthrough is essentially a router feature that allows you to enable or disable L2TP traffic on it.

You should also know that – sometimes – L2TP doesn’t work well with NAT (Network Address Translation) – a feature that ensures multiple Internet-connected devices that use a single network can use the same connection and IP address instead of multiple ones. That’s when L2TP Passthrough comes in handy since enabling it on your router will allow L2TP to work well with NAT.

In case you’d like to learn more about VPN Passthrough, we have an article you might be interested in.

How Good Is L2TP Security?

While L2TP tunneling is generally considered an improvement over PPTP, it’s very important to understand that L2TP encryption doesn’t really exist on its own – the protocol doesn’t use any. As a result, using only the L2TP protocol when you’re online is not a smart move.


That’s why L2TP is always paired up with IPSec, which is a pretty secure protocol. It can use powerful encryption ciphers like AES, and it also uses double encapsulation to further secure your data. Basically, the traffic is first encapsulated like a normal PPTP connection, and then a second encapsulation takes place courtesy of IPSec.

Still, it is worth mentioning that there have been rumours that L2TP/IPSec has been either cracked or intentionally weakened by the NSA. Now, there isn’t any clear proof to those claims, though they do come from Edward Snowden himself. So, it ultimately depends on whether or not you want to take his word for it. You should know that Microsoft has been the first partner of the NSA PRISM surveillance program, though.

In our personal opinion, L2TP/IPSec is a safe enough VPN protocol, but you should make sure you use a reliable, no-log VPN provider as well. Also, if you’re dealing with very sensitive information, it’s better to just use a more secure protocol instead or try out VPN cascading.

How Fast Is L2TP?

On its own, L2TP would be considered very fast due to its lack of encryption. Of course, the downside of not having your connections secured is very serious, and shouldn’t be overlooked for the sake of speed.

As for L2TP/IPSec, the VPN protocol can offer decent speeds, though it’s recommended to have a fast broadband connection (somewhere around or over 100 Mbps) and a fairly powerful CPU. Otherwise, you might see some drops in speed, but nothing too serious that would ruin your online experience.

How Easy Is It to Set Up L2TP?

On most Windows and macOS devices, it’s as simple as just going into your Network Settings, and following a few steps to establish and configure the L2TP connection. The same thing goes for the L2TP/IPSec VPN protocol – usually you might just have to change an option or two to select the IPSec encryption.

L2TP and L2TP/IPSec are pretty simple to set up manually on devices with no native support for them too. You might have to follow a few extra steps, but the whole setup process shouldn’t take you too long or require too much knowledge and effort.

What Is an L2TP VPN?

Like the name implies, an L2TP VPN is a VPN service that offers users access to the L2TP protocol. Please be aware that you aren’t very likely to find a VPN provider who only offers access to L2TP on its own. Normally, you’ll only see providers who offer L2TP/IPSec to make sure users’ data and traffic are secured.

Ideally, you should choose a VPN provider who offers access to multiple VPN protocols, though. Only being able to use L2TP on its own is usually a red flag, and just having access to L2TP/IPSec isn’t too bad, but there’s no reason you should be limited only to it.

L2TP Advantages and Disadvantages


Advantages

  • L2TP can be paired up with IPSec to offer a decent level of online security.
  • L2TP is readily available on many Windows and macOS platforms since it’s built into them. It also works on many other devices and operating systems too.
  • L2TP is fairly easy to set up, and that goes the same for L2TP/IPSec.


Disadvantages

  • L2TP has no encryption on its own. It must be paired with IPSec for proper online security.
  • L2TP and L2TP/IPSec have been allegedly weakened or cracked by the NSA – though, that’s only according to Snowden, and there’s no hard proof to back up that claim.
  • Due to its double encapsulation feature, L2TP/IPSec tends to be a bit resource-intensive and not extremely fast.
  • L2TP can be blocked by NAT firewalls if it’s not further configured to bypass them.

Need a Reliable L2TP VPN?

We’ve got just what you need – a high-end, high-speed VPN service that can offer you a smooth online experience with a well-configured and optimized L2TP/IPSec protocol. What’s more, you can also choose from five other VPN protocols: OpenVPN, IKEv2/IPSec, SoftEther, PPTP, SSTP.

And yes, our L2TP/IPSec VPN protocol comes built-in with our user-friendly VPN clients, so setting up a connection is extremely easy.


Enjoy Top-Notch Security and Peace of Mind

We want to make sure you never have to worry about abusive surveillance and nasty cybercriminals on the Internet, which is why we made sure you will (depending on your operating system) either use AES-256 or AES-128 with our L2TP/IPSec protocol.

Not only that, but we also follow a strict no-logging policy at our company, which means you never need to worry about anyone at CactusVPN knowing what you do online.


And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.


L2TP vs. Other VPN Protocols

For all intents and purposes, we’ll be comparing L2TP/IPSec to other VPN protocols in this section. L2TP on its own offers 0 security, which is why pretty much all VPN providers offer it alongside IPSec. So, when you normally see a VPN provider talking about the L2TP protocol and saying it offers access to it, they’re actually referring to L2TP/IPSec.


L2TP vs. PPTP

For starters, L2TP offers superior security to PPTP (Point-to-Point Tunneling Protocol) due to IPSec. What’s more, compared to PPTP’s 128-bit encryption, L2TP offers support for 256-bit encryption. Also, L2TP can use extremely secure ciphers like AES (military-grade encryption), while PPTP is stuck with MPPE which isn’t as safe to use.

In terms of speed, PPTP tends to be much faster than L2TP, but it loses to the L2TP protocol when it comes to stability since PPTP is very easy to block with firewalls. Since L2TP runs over UDP, it’s more elusive. Also, a VPN provider can tweak the protocol even more to make sure it isn’t blocked by NAT firewalls.

Lastly, there’s also the fact that PPTP was solely developed by Microsoft (a company that’s known to leak sensitive data to the NSA), while L2TP was developed by Microsoft working together with Cisco. For that reason, some users consider L2TP as being more secure and trustworthy. Furthermore, PPTP is known to have been cracked by the NSA, while L2TP has only allegedly been cracked by the NSA (not yet proven).

All in all, you should know that L2TP is considered the improved version of PPTP, so you should always pick it over that protocol.

In case you’d like to read more about the PPTP VPN protocol, feel free to check out this article.

L2TP vs. IKEv2

It’s worth mentioning that IKEv2 is a tunneling protocol that’s based on IPSec, so you’ll often see VPN providers talking about IKEv2/IPSec when they refer to IKEv2. So, you normally get to enjoy the same level of security with IKEv2 that you get with L2TP – the only big difference being that there aren’t any rumors from Snowden that IKEv2 was weakened by the NSA.

Besides that, IKEv2 is far more reliable than L2TP when it comes to stability, and it’s all thanks to its Mobility and Multihoming protocol (MOBIKE) that allows the protocol to resist network changes. Basically, with IKEv2, you can freely switch from a WiFi connection to your data plan without needing to worry about the VPN connection going down. IKEv2 can also automatically resume working after a sudden interruption of your VPN connection (like a power outage, for example).

While IKEv2 was also developed by Microsoft together with Cisco, another reason many people prefer it over the L2TP protocol is because there are open-source versions of IKEv2, making it more trustworthy.

If you’d prefer to learn more about IKEv2, please check out this article.

L2TP vs. OpenVPN

Both protocols offer a decent level of security, but OpenVPN is considered the superior choice because it’s open-source, it uses SSL 3.0, and can be configured to offer extra protection. The downside to all that extra security is lower connection speeds. OpenVPN is normally slower than L2TP, though results might be a bit different if you use OpenVPN on UDP.

However, when it comes to stability, L2TP takes a backseat because of its use of limited ports. Simply put, the protocol can be blocked by NAT firewalls – unless it’s properly configured (which can be an extra hassle if you’re not experienced enough). OpenVPN, on the other hand, can essentially use any port it wants – including port 443, the port reserved for HTTPS traffic. That means it’s very difficult for any ISP or network admin to block OpenVPN with a firewall.

As for availability and setup, OpenVPN does work on many platforms, but it’s not exactly natively available on them like L2TP is. As a result, it’s usually going to take you much longer to set up an OpenVPN connection on your device than an L2TP connection. Luckily, if you use a VPN that offers OpenVPN connections, you don’t need to do much since everything is already set up for you.

Want to find out more about OpenVPN? Follow this link then.


L2TP vs. SSTP

Like OpenVPN, SSTP (Secure Socket Tunneling Protocol) uses SSL 3.0 and can use port 443. So, it’s more secure than L2TP, and it’s also harder to block with a firewall. SSTP is developed by Microsoft alone, so – in that regard – L2TP might be a bit more trustworthy because Cisco was involved in its development process.

Regarding speed, SSTP is often considered to be faster than L2TP because no double encapsulation takes place. But when it comes to cross-platform compatibility, L2TP fares better because SSTP is only built-in on Windows operating systems, and it can be also set up on:

  • Routers
  • Android
  • Linux

L2TP, on the other hand, is available on many other platforms, and it’s also built-in in most of them. So, setting up the VPN protocol is also easier.

Overall, if you were to choose between SSTP and L2TP, you’d be better off with SSTP.

If you’d like to learn more about that protocol, follow this link.

L2TP vs. WireGuard®

Both WireGuard and L2TP/IPSec offer a decent level of security, but WireGuard uses newer algorithms that can’t be tampered with (users can’t make changes that might accidentally put data at risk). Also, WireGuard is open-source, which makes it more transparent and easier to audit.

We haven’t encountered stability issues with either protocol. Still, it’s easier for a network admin to block L2TP/IPSec since it only uses three ports (UDP 500, UDP 4500, and ESP IP Protocol 50). If you use L2TP on its own, it only uses one port – UDP 1701. WireGuard, on the other hand, uses tons of UDP ports.

WireGuard is definitely faster than L2TP/IPSec. The latter encapsulates your data twice, using up more resources.

You can use both protocols on most operating systems.

You should be safe with either protocol, but we’d recommend sticking to WireGuard when possible. It’s just faster and better for your privacy.

Still, if you’d like to learn more about WireGuard, follow this link.

L2TP vs. SoftEther

Like L2TP, SoftEther can also use a 256-bit encryption key and an encryption cipher as strong as AES. But SoftEther goes the extra mile – it’s also open-source, it uses SSL 3.0, and it’s also very stable. In fact, SoftEther is often considered a good alternative to OpenVPN.

What’s more, here’s a very interesting thing about SoftEther – it’s both a protocol and a VPN server. And the VPN server can actually support the L2TP/IPSec protocol, alongside many others:

  • IPSec
  • OpenVPN
  • SSTP
  • SoftEther

That’s the kind of thing you won’t get with an L2TP VPN server.

In terms of speed, you’re better off with SoftEther. Despite its high security, the protocol is also shown to be very fast. According to its developers, it all has to do with the fact that SoftEther was programmed with high-speed throughput in mind, while a protocol like L2TP that’s based on PPP was built with narrowband telephone lines in mind.

L2TP seems to shine when it comes to the setup process, though. While SoftEther does work on almost as many platforms as L2TP does, it’s harder to set up. Since it’s a software-based solution, you’ll also have to download and install SoftEther software on your device – yes, even if you use a VPN provider who offers the SoftEther protocol.

In case you’re interested in reading more about SoftEther, we’ve already got an article on that topic.

L2TP vs. IPSec

We’re saving this comparison for last since it’s a bit unusual. Still, since there are VPN providers who offer access only to IPSec as a protocol, we thought some of you might be interested in seeing how L2TP compares to it on its own.

For starters, IPSec offers online security, whereas L2TP doesn’t provide any encryption on its own. Also, IPSec is much harder to block with a firewall than L2TP because it’s able to encrypt data without any end application being aware of it.

On the other hand, L2TP can transport protocols other than IP, while IPSec can’t do that.

In terms of L2TP/IPSec vs. IPSec, the security is pretty similar, but L2TP/IPSec might be a bit more resource-intensive and less speedy because of the additional encapsulation that adds an extra IP/UDP packet and an L2TP header.

Want to learn more about IPSec? Feel free to check out our article on it.

So Then, Is L2TP a Good VPN Protocol?

As long as L2TP is used with IPSec, it makes for a pretty secure protocol – depending on how you view Snowden’s accusations and claims, though. It’s not the fastest protocol out there due to its double encapsulation feature, but it’s rather stable and it works on multiple operating systems and devices.

In Conclusion – What Is L2TP?

L2TP (Layer 2 Tunneling Protocol) is a VPN tunneling protocol that is considered to be an improved version of PPTP. As it has no encryption, L2TP is often used alongside IPSec. So, you’ll mostly see VPN providers offering access to L2TP/IPSec, not L2TP on its own.

L2TP/IPSec is fairly safe to use, though it’s worth mentioning that there have been claims the protocol was cracked or weakened by the NSA. In terms of speed, L2TP isn’t too bad, but you might experience slower connection speeds due to the protocol’s double encapsulation feature. As for availability, L2TP works natively on many Windows and macOS platforms, and is pretty easy to configure on other devices and operating systems too.

Overall, L2TP/IPSec is a decent VPN protocol, but we recommend choosing a VPN provider who offers a selection of multiple VPN protocols besides L2TP if you want a truly secure online experience.

“WireGuard” is a registered trademark of Jason A. Donenfeld.

Tim has been writing content and copy for a living for over 4 years, and has been covering VPN, Internet privacy, and cybersecurity topics for more than 2 years. He enjoys staying up-to-date with the latest in Internet privacy news, and helping people find new ways to secure their online rights.
