Layer Two Tunneling Protocol

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Layer Two Tunneling Protocol

Layer Two Tunneling Protocol (L2TP) is an RFC-based tunneling protocol that is an industry standard and was first supported in the Windows 2000 client and server operating systems. Unlike PPTP, L2TP in servers running Windows Server 2003 does not utilize Microsoft Point-to-Point Encryption (MPPE) to encrypt Point-to-Point Protocol (PPP) datagrams. L2TP relies on Internet Protocol security (IPSec) for encryption services. The combination of L2TP and IPSec is known as L2TP/IPSec. L2TP/IPSec provides the primary virtual private network (VPN) services of encapsulation and encryption of private data.

Both L2TP and IPSec must be supported by both the VPN client and the VPN server. Client support for L2TP is built-in to the Windows XP remote access client, and VPN server support for L2TP is built in to members of the Windows Server 2003 family.

L2TP is installed with the TCP/IP protocol. Depending on your choices when running the Routing and Remote Access Server Setup Wizard, L2TP is configured for five or 128 L2TP ports. For more information, see Checklist: Installing and configuring an L2TP server.

For more information about IPSec, see Internet Protocol Security Overview.


Encapsulation for L2TP/IPSec packets consists of two layers:

  1. L2TP encapsulation

    A PPP frame (an IP datagram or an IPX datagram) is wrapped with an L2TP header and a UDP header.

  2. IPSec encapsulation

    The resulting L2TP message is then wrapped with an IPSec Encapsulating Security Payload (ESP) header and trailer, an IPSec Authentication trailer that provides message integrity and authentication, and a final IP header. In the IP header is the source and destination IP address that corresponds to the VPN client and VPN server.

The following illustration shows L2TP and IPSec encapsulation for a PPP datagram.

L2TP and IPSec encapsulation


The L2TP message is encrypted with either Data Encryption Standard (DES) or Triple DES (3DES) by using encryption keys generated from the Internet Key Exchange (IKE) negotiation process.

For more information on deploying L2TP/IPSec VPN connections, see Deploying Virtual Private Networks. For configuration checklists, see VPN Checklists. For an example implementation of L2TP/IPSec VPN connections, see Virtual Private Network Implementation Examples. For information on configuring L2TP/IPSec VPN connections in a test lab, see Virtual Private Network Test Lab.


  • It is possible to have a nonencrypted L2TP connection where the PPP frame is sent in plaintext. However, a nonencrypted L2TP connection is not recommended for virtual private network connections over the Internet because communications of this type do not provide data confidentiality.

  • The IPX/SPX protocol is not available on Windows XP 64-bit Edition (Itanium) and the 64-bit versions of the Windows Server 2003 family.

  • On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.