L2TP VPN vs PPTP VPN: A Detailed Comparison
This article compares L2TP VPN and PPTP VPN, outlining the differences between the two. It also provides an overview of VPNs and tunneling.
What is a VPN?
A private network supports a closed group of authorized users, allowing them to access various network-related services and resources. Traffic originating and terminating within a private network traverses only the nodes that belong to that private network.
VPN connection
A VPN is an extension of a private network. It enables users to transmit data between two computers across shared/public inter-networks in a manner that emulates the properties of a point-to-point private link. The act of configuring and creating a VPN is known as virtual private networking.
As shown in the figure above, a VPN allows users working at home to connect securely to a remote corporate server using the routing infrastructure provided by the public internet. It is a point-to-point connection between a client and a server. This allows corporations to connect to branch offices or other companies over the internet while maintaining secure communications.
There are different types of VPN services, including LAN interconnect VPN services, dial-up VPN services, and extranet VPN services. For more information, refer to “What is a VPN and How does it work?”.
What is Tunneling?
Tunneling technique
VPNs provide secure connections through tunneling. Tunneling is the process of using internetwork infrastructure to transfer data from one network to another. The data can be frames or packets. Before transmission, the tunneling protocol prepends an additional header to the frame or packet produced by the originating node.
The logical path over which encapsulated packets travel is known as a tunnel. Once these encapsulated packets arrive at the destination, they are decapsulated to retrieve the original data. The header provides routing information for the encapsulated payload to traverse over the intermediate internetwork (the internet).
The tunneling process consists of the following steps:
- Encapsulation
- Transmission
- Decapsulation
There are different tunneling techniques, including:
- SNA tunneling over IP internetwork
- IPX tunneling for Novell NetWare over IP internetwork
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IPSec tunnel mode (A layer-3 tunneling protocol)
Both PPTP and L2TP use frames as their unit of exchange. They operate on the data link layer and encapsulate the payload in a PPP frame to be sent across an internetwork.
PPTP VPN
PPTP stands for Point-to-Point Tunneling Protocol. It builds on PPP and TCP/IP and allows a PPP session to be tunneled through an existing IP connection, however that connection was set up.
PPTP encapsulates Point-to-Point Protocol (PPP) frames in IP datagrams for transmission over an IP-based internetwork, such as the Internet. It uses a TCP connection, known as the PPTP control connection, to create, maintain, and terminate the tunnel, and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames as tunneled data.
PPTP inherits encryption, compression, or both of PPP payloads from PPP. Authentication during the creation of a PPTP-based VPN connection uses the same mechanisms as PPP connections, such as:
- Extensible Authentication Protocol (EAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Shiva Password Authentication Protocol (SPAP)
- Password Authentication Protocol (PAP)
There are two types of tunneling:
- Compulsory Tunneling: The user dials into a Network Access Server (NAS), which then establishes a tunnel to the tunnel server on the user's behalf. The connection between the user's client and the NAS is not encrypted.
- Voluntary Tunneling: The client itself configures and establishes an encrypted tunnel to the tunnel server, with no intermediate NAS participating in tunnel negotiation and establishment.
PPTP supports only voluntary tunneling.
PPTP packet structure
The image above shows the structure of a PPTP packet containing user data.
PPTP control packet
The image above shows the PPTP Control Connection Packet.
PPTP tunneled data
The image above shows the PPTP Tunneled data structure.
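The enhanced GRE encapsulation described above, as an added example that is not code from the article: it builds and parses a PPTP data packet (GRE version 1 with the Key field carrying payload length and Call ID, optional sequence and acknowledgment numbers, as laid out in RFC 2637), which also makes the encapsulation and decapsulation steps of the tunneling section concrete. The PPP protocol numbers (0x0021 for IPv4, 0x00FD for a CCP compressed datagram, which is what MPPE-encrypted frames carry) are assumed from the PPP and MPPE specifications rather than taken from the page, and the packets are constructed inline. The last function is the defender's check this suggests: whether a captured PPTP data packet actually carries an encrypted payload or a plaintext IP datagram.

```python
import struct

GRE_PROTO_PPP = 0x880B    # GRE Protocol Type for PPP (RFC 2637), assumed from the RFC
PPP_IPV4 = 0x0021         # PPP protocol field: IPv4 datagram, i.e. plaintext on the wire
PPP_COMPRESSED = 0x00FD   # PPP protocol field: CCP compressed datagram; MPPE-encrypted frames use this

# Enhanced GRE flag bits in the first two header bytes (RFC 2637 section 4)
K_BIT, S_BIT = 0x20, 0x10    # byte 0: Key present, Sequence number present
A_BIT, VERSION = 0x80, 0x01  # byte 1: Acknowledgment present, version 1 = enhanced GRE


def ppp_frame(proto, info):
    """Constructed PPP frame: HDLC address/control FF 03, 16-bit protocol, information field."""
    return b"\xff\x03" + struct.pack("!H", proto) + info


def ppp_protocol(frame):
    """Return the PPP protocol field; the FF 03 prefix may be omitted, so accept both forms."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if len(frame) < 2:
        raise ValueError("PPP frame too short")
    return struct.unpack_from("!H", frame, 0)[0]


def build_pptp_gre(call_id, ppp, seq=None, ack=None):
    """Encapsulation: wrap a PPP frame in an enhanced GRE header. The Key field
    (payload length + Call ID) identifies the PPTP call; seq/ack are optional."""
    b0 = K_BIT | (S_BIT if seq is not None else 0)
    b1 = VERSION | (A_BIT if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(ppp), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


def _u32(pkt, off):
    if len(pkt) < off + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack_from("!I", pkt, off)[0]


def parse_pptp_gre(pkt):
    """Decapsulation: validate the enhanced GRE header and recover the PPP frame."""
    if len(pkt) < 8:
        raise ValueError("too short for an enhanced GRE header")
    b0, b1, proto, plen, call_id = struct.unpack_from("!BBHHH", pkt, 0)
    if (b1 & 0x07) != VERSION or not (b0 & K_BIT) or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP (enhanced GRE carrying PPP) data packet")
    off, seq, ack = 8, None, None
    if b0 & S_BIT:
        seq = _u32(pkt, off)
        off += 4
    if b1 & A_BIT:
        ack = _u32(pkt, off)
        off += 4
    payload = pkt[off:off + plen]
    if len(payload) != plen:
        raise ValueError("payload length field exceeds packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def payload_is_plaintext_ip(pkt):
    """Defender's check on a captured PPTP data packet: PPP protocol 0x0021 means the
    tunneled IPv4 datagram is readable by anyone on the path; 0x00FD means CCP/MPPE
    processed it (whether that was encryption or only compression depends on what
    the PPP session negotiated, which this packet alone cannot tell you)."""
    return ppp_protocol(parse_pptp_gre(pkt)["payload"]) == PPP_IPV4


if __name__ == "__main__":
    # Constructed sample: a 20-byte IPv4 header stub inside PPP, inside GRE, call ID 7
    clear = build_pptp_gre(7, ppp_frame(PPP_IPV4, b"\x45\x00" + b"\x00" * 18), seq=1)
    print(parse_pptp_gre(clear), payload_is_plaintext_ip(clear))
```

The check works because PPTP carries the PPP protocol field in the clear even when MPPE is in use; only the information field is encrypted, so a monitoring point can tell plaintext IP from a CCP-processed frame without any key.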
L2TP VPN
L2TP stands for Layer 2 Tunneling Protocol. It combines Microsoft's PPTP with Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc.
L2TP supports any routed protocol such as IP, IPX, and AppleTalk. It also supports any WAN technology including frame relay, ATM, X.25, and SONET. L2TP can be used as a tunneling protocol over the Internet or private Intranets.
L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched network. L2TP uses UDP messages over IP internetworks for both tunnel maintenance and tunneled data; because UDP itself does not guarantee delivery, L2TP uses message sequencing to ensure message delivery. L2TP supports multiple calls per tunnel by carrying a Tunnel ID and a Call ID in both the L2TP control message and the L2TP header of tunneled data.
Authentication during L2TP tunnel creation uses the same authentication mechanisms as PPP connections, such as EAP, CHAP, SPAP, and PAP.
L2TP is used in two different scenarios:
- Compulsory Tunneling
- Voluntary Tunneling
The characteristics of L2TP include:
- Multiplexing
- Signaling
- Data security
- Multiprotocol transport
L2TP Control message
The tunneling process changes when L2TP is used over IPSec: the L2TP data is tunneled through multiple levels of encapsulation. The image above shows an L2TP encrypted control message.
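The L2TP header and the per-tunnel multiplexing described above, as an added example that is not the article's code: it builds and parses L2TPv2 messages (T, L and S bits, Tunnel ID, Session ID, Ns/Nr, as laid out in RFC 2661) and demultiplexes a constructed stream of datagrams into the calls they belong to. The UDP port 1701 constant and the field layout are assumed from the RFC rather than stated on the page; the PPP frames are constructed stubs. Note what the parser hands back for a plain L2TP data message: the PPP frame as it was sent, which is why the comparison table lists no packet encryption for L2TP itself and why the article pairs it with IPSec.

```python
import struct

L2TP_VERSION = 2       # L2TPv2 (RFC 2661), the L2TP this article discusses
L2TP_UDP_PORT = 1701   # well-known port from RFC 2661 (assumption; the page does not state it)

# Flag bits in the first 16-bit word of the header
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200


def build_l2tp(tunnel_id, session_id, payload, control=False, ns=None, nr=None):
    """Build one L2TP message. Control messages (T=1) must carry Length and Ns/Nr;
    data messages may omit both, since sequencing of data is optional."""
    flags = L2TP_VERSION
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages need Ns and Nr")
        flags |= T_BIT | L_BIT | S_BIT
    elif ns is not None:
        flags |= S_BIT
    body = struct.pack("!HH", tunnel_id, session_id)
    if flags & S_BIT:
        body += struct.pack("!HH", ns, 0 if nr is None else nr)
    body += payload
    if flags & L_BIT:
        # Length counts the whole message, including the flags and Length words
        return struct.pack("!HH", flags, 4 + len(body)) + body
    return struct.pack("!H", flags) + body


def parse_l2tp(msg):
    """Decode the header and return control flag, IDs, Ns/Nr and the tunneled payload.
    Raises ValueError on malformed input (wrong version, short, control without L/S)."""
    try:
        flags = struct.unpack_from("!H", msg, 0)[0]
        if (flags & 0x000F) != L2TP_VERSION:
            raise ValueError("not an L2TPv2 message")
        control = bool(flags & T_BIT)
        off, end = 2, len(msg)
        if flags & L_BIT:
            end = struct.unpack_from("!H", msg, off)[0]
            off += 2
            if end > len(msg):
                raise ValueError("Length field exceeds datagram")
        elif control:
            raise ValueError("control message without Length")
        tunnel_id, session_id = struct.unpack_from("!HH", msg, off)
        off += 4
        ns = nr = None
        if flags & S_BIT:
            ns, nr = struct.unpack_from("!HH", msg, off)
            off += 4
        elif control:
            raise ValueError("control message without Ns/Nr")
        if flags & O_BIT:  # Offset Size word followed by that many padding bytes
            off += 2 + struct.unpack_from("!H", msg, off)[0]
    except struct.error as exc:
        raise ValueError("truncated L2TP header") from exc
    if off > end:
        raise ValueError("truncated L2TP header")
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": msg[off:end]}


def demux_sessions(datagrams):
    """Group tunneled PPP frames by (Tunnel ID, Session ID), skipping control messages.
    This is the multiplexing the article describes: several calls over one tunnel."""
    sessions = {}
    for dgram in datagrams:
        m = parse_l2tp(dgram)
        if not m["control"]:
            sessions.setdefault((m["tunnel_id"], m["session_id"]), []).append(m["payload"])
    return sessions


def demo():
    """Constructed traffic: tunnel 5 carrying two calls (sessions 1 and 2) plus one
    tunnel-level control message (session 0) with placeholder AVP bytes."""
    ipv4_in_ppp = b"\x00\x21" + b"\x45\x00" + b"\x00" * 18  # PPP protocol 0x0021 + IPv4 stub
    ctl = build_l2tp(5, 0, b"CONSTRUCTED-AVPS", control=True, ns=0, nr=0)
    data = [
        build_l2tp(5, 1, ipv4_in_ppp),
        build_l2tp(5, 2, ipv4_in_ppp, ns=1, nr=0),
        build_l2tp(5, 1, ipv4_in_ppp),
    ]
    return demux_sessions([ctl] + data)


if __name__ == "__main__":
    for key, frames in sorted(demo().items()):
        print("tunnel %d session %d: %d frame(s)" % (key[0], key[1], len(frames)))
```

In a real L2TP/IPSec deployment the whole UDP datagram this code parses would be inside ESP, so the parser would only ever see it at the endpoints after decryption; seeing it in the clear on a network path is itself a finding.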
Similarities and Differences Between L2TP and PPTP
The following table highlights the similarities and differences between L2TP and PPTP protocols:
Feature | L2TP Support | PPTP Support
---|---|---
Operates on OSI layer | Layer 2 | Layer 2
Transport protocols supported | IP, IPX, NetBEUI | IP, IPX, NetBEUI
Required underlying protocol | IP, X.25, Frame Relay, ATM | IP
Number of tunnels | Several | One
User authentication | Yes (PAP, CHAP, EAP, SPAP) | Yes (PAP, CHAP, EAP, SPAP)
Packet authentication, encryption, key management | Not supported | Not supported