L2TP over IPsec Security Overview

Jun 24, 2025

Overview

This lecture covers how to secure L2TP (Layer Two Tunneling Protocol) over IP networks using the IPsec protocol suite, explaining security requirements, protocol interplay, configuration guidelines, and authentication considerations.

Introduction to L2TP and IPsec

  • L2TP tunnels PPP traffic over IP and non-IP networks, inheriting PPP authentication and encryption features.
  • L2TP supports mutual authentication of tunnel endpoints but lacks per-packet tunnel protection.
  • IPsec is a network-layer security suite, including AH, ESP, and IKE for authentication, encryption, and key management.
  • Purpose: Describe how L2TP and IPsec should be combined to deliver secure tunneling over IP.

Security Requirements for L2TP

  • Both control and data packets in L2TP are vulnerable to interception, modification, hijacking, and denial-of-service attacks.
  • L2TP security protocol must provide authentication, integrity, and replay protection for control packets and should provide confidentiality.
  • IPsec ESP in transport mode is mandatory for L2TP security; tunnel mode is optional.
  • All IPsec-mandated ciphersuites, including NULL encryption, must be supported.

Key Management and Protocol Interoperability

  • Key management is not provided natively in L2TP; IPsec's IKE is recommended for this.
  • All L2TP/IPsec implementations must provide scalable key management.
  • Guidelines establish how L2TP tunnel setup, teardown, and packet security checks integrate with IPsec SAs.

IPsec Filtering and Tunnel Establishment

  • L2TP’s use of dynamic UDP ports necessitates flexible IPsec filter management.
  • The process includes updating filters as IP addresses or port numbers float during tunnel establishment.
  • The responder may choose a new IP address or port, requiring phase 1 and phase 2 IKE negotiations and new filter injections.

Authentication and Certificate Handling

  • IPsec IKE must negotiate a specified authentication method (pre-shared key or certificates).
  • Machine authentication via IKE ensures per-packet verification; PPP authentication does not.
  • Use of user certificates is possible but must be tightly managed, especially for enrollment and revocation.

Security Scenarios: Compulsory vs. Voluntary Tunneling

  • In compulsory tunneling, the client is unaware of tunnel security, so extra end-to-end protection may be desired.
  • In voluntary tunneling, both client and LNS can negotiate and know the active security protections.
  • Duplicate encryption/compression may occur and should be minimized where possible.

Example Filter Sets (Appendix)

  • Provides example IPsec filter sets for both fixed and dynamic port/address scenarios.
  • Demonstrates filter adjustments needed during different tunnel establishment phases.
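The filter-management idea behind the last two sections (dynamic ports, filters that must be updated as the tunnel floats, and the example filter sets the appendix describes) is easiest to see as an ordered security policy database that decides what happens to each packet. The following is an added, constructed example and not code from the lecture or from RFC 3193: it models a minimal SPD for the LNS, installs the generic "L2TP on UDP 1701 must be ESP-protected" filters, then injects the narrow 5-tuple filters after the responder answers from a new port. The addresses (192.0.2.10, 198.51.100.1) and the floated port 41701 are made up; real filter syntax and the IKE negotiation that accompanies the new selectors are outside the model.

```python
"""Toy model of IPsec SPD filter management for L2TP over IPsec.
Constructed example; addresses and ports are placeholders, not from the lecture."""
from dataclasses import dataclass
from typing import List, Optional

ANY = None          # wildcard for an address or a port
L2TP_PORT = 1701    # well-known L2TP UDP port


@dataclass(frozen=True)
class Packet:
    src_addr: str
    dst_addr: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    """One SPD entry: a 5-tuple selector (None = wildcard) plus the action to take."""
    src_addr: Optional[str]
    dst_addr: Optional[str]
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]
    action: str  # "PROTECT" (apply ESP in transport mode) or "BYPASS"

    def matches(self, pkt: Packet) -> bool:
        def ok(sel, val):
            return sel is ANY or sel == val
        return (ok(self.src_addr, pkt.src_addr) and ok(self.dst_addr, pkt.dst_addr)
                and self.proto == pkt.proto
                and ok(self.src_port, pkt.src_port) and ok(self.dst_port, pkt.dst_port))


class SPD:
    """Ordered policy database; the first matching entry wins.
    Traffic that matches nothing is discarded, the usual IPsec default on an SPD miss."""

    def __init__(self) -> None:
        self.filters: List[Filter] = []

    def inject(self, f: Filter, front: bool = True) -> None:
        # Narrow, tunnel-specific filters are placed ahead of the generic ones.
        if front:
            self.filters.insert(0, f)
        else:
            self.filters.append(f)

    def decide(self, pkt: Packet) -> str:
        for f in self.filters:
            if f.matches(pkt):
                return f.action
        return "DISCARD"


def lns_initial_spd(lns_ip: str) -> SPD:
    """Filters on the LNS before any tunnel exists: L2TP to or from UDP 1701 must be
    ESP-protected for any peer, because the LAC address and port are not yet known."""
    spd = SPD()
    spd.inject(Filter(ANY, lns_ip, "udp", ANY, L2TP_PORT, "PROTECT"), front=False)
    spd.inject(Filter(lns_ip, ANY, "udp", L2TP_PORT, ANY, "PROTECT"), front=False)
    return spd


def float_to_new_port(spd: SPD, lac_ip: str, lac_port: int,
                      lns_ip: str, new_lns_port: int) -> None:
    """The LNS answered the SCCRQ from a new port: inject the 5-tuple filters for it.
    In a real deployment this goes with a fresh IKE negotiation for those selectors;
    without the new filters, traffic on the floated port falls through to DISCARD."""
    spd.inject(Filter(lac_ip, lns_ip, "udp", lac_port, new_lns_port, "PROTECT"))
    spd.inject(Filter(lns_ip, lac_ip, "udp", new_lns_port, lac_port, "PROTECT"))


def walk_through(lac_ip: str = "192.0.2.10", lns_ip: str = "198.51.100.1",
                 lac_port: int = 1701, floated_port: int = 41701) -> dict:
    """Replay the establishment phases and record the SPD decision at each step."""
    spd = lns_initial_spd(lns_ip)
    sccrq = Packet(lac_ip, lns_ip, "udp", lac_port, L2TP_PORT)      # LAC -> LNS:1701
    sccrp = Packet(lns_ip, lac_ip, "udp", floated_port, lac_port)   # LNS answers from new port
    result = {
        "sccrq_initial": spd.decide(sccrq),
        "sccrp_before_float": spd.decide(sccrp),   # no filter covers the new port yet
    }
    float_to_new_port(spd, lac_ip, lac_port, lns_ip, floated_port)
    data = Packet(lac_ip, lns_ip, "udp", lac_port, floated_port)    # tunnel data after float
    result["sccrp_after_float"] = spd.decide(sccrp)
    result["data_after_float"] = spd.decide(data)
    return result


if __name__ == "__main__":
    for step, decision in walk_through().items():
        print(f"{step:>20}: {decision}")
```

The point the walk-through makes is the one from the filtering section: the generic port-1701 filters protect the SCCRQ, but the SCCRP sent from a floated port matches nothing and is discarded until the narrow filters (and the SA negotiated for them) are in place. A first-match SPD with discard as the default is what keeps unprotected L2TP from slipping through during that window.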

Key Terms & Definitions

  • L2TP — Layer Two Tunneling Protocol for tunneling PPP over various networks.
  • IPsec — Internet Protocol Security suite for secure network communication.
  • IKE — Internet Key Exchange protocol for IPsec key management.
  • ESP — Encapsulating Security Payload; IPsec protocol for encryption/authentication.
  • SCCRQ/SCCRP/STOPCCN — L2TP control messages for tunnel setup and teardown.
  • Voluntary Tunneling — User or gateway-initiated tunnels.
  • Compulsory Tunneling — Network-initiated, client-unaware tunnels.

Action Items / Next Steps

  • Review example filter sets in Appendix A.
  • Understand the interplay between PPP, L2TP, and IPsec for exam preparation.
  • Study differences between voluntary and compulsory tunneling for scenario analysis.