Layer Two Tunneling Protocol — Version 3
L2TP/IPsec was the built-in client VPN protocol on Windows, macOS and iOS for roughly a decade. Understanding L2TP explains why many legacy VPN deployments listen on UDP port 1701, why that port is always wrapped in IPsec, and how L2TP/IPsec (IPsec transport mode protecting a UDP-encapsulated Layer 2 tunnel) differs from pure IPsec tunnel mode.
What It Defines
Defines L2TPv3 (RFC 3931), a tunneling protocol for carrying Layer 2 frames (Ethernet, PPP, HDLC, ATM) over an IP network, either over UDP port 1701 or directly over IP (protocol 115). L2TP creates a control connection (for tunnel setup, teardown and keepalives) and data sessions within it, one session per pseudowire. L2TPv3 generalizes the original L2TP (RFC 2661), which carried only PPP, to any L2 frame type; the per-frame-type encapsulations are specified in companion RFCs. L2TP provides no confidentiality of its own: its only built-in protections are an optional shared-secret digest on control messages and a per-session cookie (up to 64 bits) on data messages, which defends against blind injection but not against an on-path attacker. For client VPNs it is therefore paired with IPsec, as L2TP/IPsec (IPsec transport mode protecting the UDP 1701 traffic), and that combination was the dominant client VPN protocol on Windows, macOS, and iOS before IKEv2 and WireGuard.
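As an added example (not code from RFC 3931 or from any L2TP implementation), the following Python encodes and decodes the two L2TPv3-over-UDP message formats described above: the control message header with its AVP list, and the data message header with Session ID, cookie and optional default L2-Specific Sublayer. It also applies the one data-plane check L2TPv3 itself provides, comparing the received cookie with the one negotiated for the session, which is all that stands between a blind spoofer and the pseudowire when the tunnel is not wrapped in IPsec. The host name, Router ID, Session ID, cookie and payload bytes are made up; the packets are constructed, not captured.

```python
"""L2TPv3-over-UDP (port 1701) header and AVP codec using the RFC 3931 bit layouts. Added
example, not code from the RFC or any L2TP implementation; every packet is built by hand."""
import hmac
import struct

T_BIT, L_BIT, S_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x000F  # first 16-bit word of every message
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}  # RFC 3931 section 3.1, subset
AVP_NAMES = {0: "Message Type", 2: "Protocol Version", 7: "Host Name",
             60: "Router ID", 61: "Assigned Control Connection ID"}  # Vendor ID 0, subset

def build_avp(attr_type, value, mandatory=True):
    """AVP: M|H|rsvd|10-bit Length (header included), Vendor ID 0, Attribute Type, Value."""
    if 6 + len(value) >= 1024:
        raise ValueError("AVP value too long for the 10-bit Length field")
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr_type) + value

def build_control_message(ccid, ns, nr, avps):
    """Control header: T=1 L=1 S=1 Ver=3, Length, 32-bit Control Connection ID, Ns, Nr, then AVPs."""
    body = b"".join(avps)
    return struct.pack("!HHIHH", T_BIT | L_BIT | S_BIT | 3, 12 + len(body), ccid, ns, nr) + body

def build_data_message(session_id, cookie, payload, seq=None):
    """Data header: T=0 Ver=3, Reserved, Session ID, Cookie (0/4/8 bytes), optional default
    L2-Specific Sublayer (S bit + 24-bit sequence number), then the L2 frame itself."""
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be 0, 4 or 8 bytes")
    sublayer = b"" if seq is None else struct.pack("!I", 0x40000000 | (seq & 0xFFFFFF))
    return struct.pack("!HHI", 3, 0, session_id) + cookie + sublayer + payload

def parse_avps(data):
    """Walk the AVP list, bounds-checking every self-described length before trusting it."""
    avps, off = [], 0
    while off < len(data):
        if off + 6 > len(data):
            raise ValueError("truncated AVP header at offset %d" % off)
        flags_len, vendor, attr = struct.unpack_from("!HHH", data, off)
        length = flags_len & 0x03FF
        if length < 6 or off + length > len(data):
            raise ValueError("AVP length %d at offset %d overruns the message" % (length, off))
        avps.append({"vendor": vendor, "type": attr, "name": AVP_NAMES.get(attr, "type %d" % attr),
                     "mandatory": bool(flags_len & 0x8000), "value": data[off + 6:off + length]})
        off += length
    return avps

def parse_l2tp(packet, cookie_len=0, l2_sublayer=False):
    """Classify one UDP/1701 payload. cookie_len and l2_sublayer are negotiated per session and
    not self-described in the data header: the receiver must look them up by Session ID first."""
    if len(packet) < 8:
        raise ValueError("shorter than any L2TPv3/UDP header")
    flags = struct.unpack_from("!H", packet)[0]
    if flags & VER_MASK != 3:
        raise ValueError("Ver=%d: only L2TPv3 is decoded here (2 would be RFC 2661 L2TPv2)" % (flags & VER_MASK))
    if flags & T_BIT:  # control message
        if not (flags & L_BIT and flags & S_BIT) or len(packet) < 12:
            raise ValueError("control message without L and S bits, or shorter than 12 bytes")
        length, ccid, ns, nr = struct.unpack_from("!HIHH", packet, 2)
        if not 12 <= length <= len(packet):
            raise ValueError("Length %d inconsistent with %d-byte packet" % (length, len(packet)))
        avps = parse_avps(packet[12:length])
        mtype = "ZLB"  # no AVPs at all: a zero-length-body acknowledgement
        if avps and avps[0]["vendor"] == 0 and avps[0]["type"] == 0 and len(avps[0]["value"]) == 2:
            mtype = MESSAGE_TYPES.get(struct.unpack("!H", avps[0]["value"])[0], "unknown type")
        return {"kind": "control", "ccid": ccid, "ns": ns, "nr": nr, "message_type": mtype, "avps": avps}
    off = 8 + cookie_len
    if len(packet) < off + (4 if l2_sublayer else 0):
        raise ValueError("data message shorter than its negotiated header")
    session_id, seq = struct.unpack_from("!I", packet, 4)[0], None
    if l2_sublayer:
        word = struct.unpack_from("!I", packet, off)[0]
        seq, off = (word & 0xFFFFFF if word & 0x40000000 else None), off + 4
    return {"kind": "data", "session_id": session_id, "seq": seq,
            "cookie": packet[8:8 + cookie_len], "payload": packet[off:]}

def cookie_matches(parsed, session_cookies):
    """Accept a data message only if its cookie equals the one agreed for that Session ID
    (constant-time compare). Without IPsec this is all that stops a blind spoofer injecting frames."""
    expected = session_cookies.get(parsed.get("session_id"))
    return expected is not None and hmac.compare_digest(parsed["cookie"], expected)

def is_well_formed(packet, cookie_len=0, l2_sublayer=False):
    """Filter predicate: True if the packet parses without a structural error."""
    try:
        return parse_l2tp(packet, cookie_len, l2_sublayer) is not None
    except ValueError:
        return False

# Constructed sample traffic: an SCCRQ opening a control connection, and one data message for a
# session that negotiated an 8-byte cookie plus sequencing. Hand-built, not captured.
SESSION_COOKIE = bytes.fromhex("0102030405060708")
SAMPLE_SCCRQ = build_control_message(0, 0, 0, [
    build_avp(0, b"\x00\x01"), build_avp(2, b"\x01\x00"),  # Message Type = SCCRQ, Protocol Version 1.0
    build_avp(7, b"lcce-a.example"), build_avp(60, bytes.fromhex("0a000001")),  # Host Name, Router ID
    build_avp(61, bytes.fromhex("00001234"))])  # Assigned Control Connection ID
SAMPLE_DATA = build_data_message(0xDEADBEEF, SESSION_COOKIE, b"\xff\x03\x00\x21" + b"E" * 20, seq=7)
```

Because cookie length and the presence of the L2-Specific Sublayer are negotiated on the control connection rather than signalled in the data header, parse_l2tp takes them as arguments; feeding it the wrong values does not fail, it silently shifts where the payload begins, which is why a receiver must key these parameters off the Session ID before touching the frame. L2TPv3 directly over IP (protocol 115) uses a different header (32-bit Session ID first, with 0 reserved for control) and is not handled here.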
Canonical (Normative)
Related References
The RFC Editor is the canonical publication point for finalized RFCs: if a protocol is standardized as an RFC, the RFC Editor text is the normative reference. It publishes documents from the IETF, IRTF, IAB and Independent Submission streams.
Related Specs
IPsec is the dominant VPN technology for enterprise site-to-site links (AWS VPN, Azure VPN Gateway, on-prem firewalls). Understanding tunnel vs transport mode, SAs, and the SPD is essential for configuring and debugging VPN connectivity.
ESP is the workhorse of IPsec: every IPsec tunnel that encrypts uses it (AH provides integrity only). When your cloud VPN shows 'Phase 2 SA established', that is an ESP SA. Understanding ESP's SPI, sequence numbers (and the anti-replay window built on them), and algorithm negotiation is key to VPN troubleshooting.
IKEv2 is how IPsec SAs are established and rekeyed. Every major cloud VPN gateway (AWS, GCP, Azure), enterprise firewall, and mobile VPN client supports it. Phase 1/Phase 2 failures (in IKEv2 terms, IKE SA versus Child SA setup) are the #1 VPN debugging scenario.
PPTP is a cautionary tale in protocol design. Understanding why it's broken (MS-CHAPv2 reduces to a single 56-bit DES key search; MPPE reuses the same RC4 key in both directions) teaches important lessons about protocol-level cryptographic failures. Never deploy it.