L2TP over IPSec encapsulates packets using L2TP and then IPSec. It uses L2TP to implement user authentication and address allocation and IPSec to ensure secure communication. L2TP over IPSec ensures that branches and traveling employees can connect to the headquarters.
A branch can connect to the headquarters network through L2TP over IPSec, as shown in Figure 1; NAS-initiated L2TP VPN is used as the example here. For other L2TP VPN scenarios, see L2TP VPN.
Packets are encapsulated by L2TP first, and then by IPSec. In the IP header added during IPSec encapsulation, the source IP address is the IP address of the local interface to which the IPSec policy is applied, and the destination IP address is the IP address of the remote peer's interface to which its IPSec policy is applied.
IPSec protects the data flows from the source to the destination of the L2TP tunnel. In the new IP header added during L2TP encapsulation, the source IP address is the address of the L2TP source interface, and the destination IP address is the address of the L2TP destination interface. When a branch connects to the headquarters, the source address of the L2TP tunnel is the IP address of the outbound interface on the L2TP access concentrator (NAS), and the destination address is the IP address of the inbound interface on the L2TP network server (LNS).
L2TP encapsulation already adds a public IP header to the packet. In IPSec tunnel mode a second public IP header is added on top of it, whereas transport mode reuses the IP header added by L2TP. Packets are therefore larger in tunnel mode, and more of them have to be fragmented. For this reason, the transport mode of L2TP over IPSec is recommended.
The L2TP over IPSec negotiation sequence and packet encapsulation process are the same for employees on the move and for employees at branch offices. The difference is that, when employees on the move connect to the headquarters, L2TP and IPSec encapsulation is performed on the clients themselves. The L2TP source address is the private address assigned to the client, which can be any address in the address pool configured on the LNS. The destination address of the L2TP tunnel is the address of the inbound interface on the LNS.