General Computing
networking vpn tunnel ipsec l2tp
Updated Sun, 22 May 2022 09:18:23 GMT

IPSec with or without L2TP?

I'm referring to this question. And to be clear: This is really not about the old PPTP vs L2TP debate. ;-)

I successfully set up racoon as an IKE server without any L2TP implementation running and it works quite well. I can establish a tunnel from my laptop to the VPN server and use this one as an internet gateway. As far as I can see all IP packets are securely encapsulated. Voil, this is everything I wanted. But, oops, it's only OS X/iOS that support this type of a "plain IPSec" VPN out of the box, but I need to support other platforms as well. All other OS including Windows and Android seem to need the additional PPP connection that is established using L2TP using software like xl2tpd. I was curious, so I set it up again with racoon+xl2tpd and created an L2TP/IPSec tunnel. And it works exactly like it did without L2TP.

So, what's the benefit of using L2TP at all? Yes, I can tunnel other protocols like X.25, but anything other than IP is rarely needed by the vast majority of users. I can assume reasons why MS is doing it more complex than the VPN stuff has to be. But at least I cannot understand why Android still needs this L2TP layer, which in my opinion just adds complexity and overhead. And yes, I know there is extra client software to overcome the OS limits.

Even with authentication, there is no difference: Remote authentication is usualy done using pre-shared-keys or certificates and user authentication is done via XAuth or CHAP/PAP. Jep, I'm simplifying here, but you know what I mean.

Does anyone know why L2TP is still the standard way with IPSec? Am I missing something?


Android since 4.0 supports plain IPsec out of the box. And there are several apps for 4.x that provide other VPN protocols on unrooted devices (e.g. IKEv2/IPsec with the strongSwan VPN Client).

Since Windows 7 you can use the built-in IKEv2/IPsec client. Granted racoon does not support IKEv2, but there are other open-source implementations that do (e.g. strongSwan or Libreswan).

Does anyone know why L2TP is still the standard way with IPSec?

I wouldn't say it's the standard way, as e.g. Windows 7 and newer first try IKEv2, but I agree that clients still offer it quite prominently.

One reason for its initial success was probably that it allowed reusing the PPP infrastructure that existed for dial-up connections (while being more secure and standardized than PPTP). And because L2TP installations have been around for a long time, and were deployed pretty widespread, about any client had (and still has) to support it. This makes it, of course, easier for VPN providers as they can reduce the number of offered VPN technologies. This, however, reduces the incentive to implement other protocols in clients.

There could also be licensing issues preventing other protocols from being used, for instance, the IKEv2 implementations mentioned above are GPL licensed, which Apple in iOS and Google in Android tend to avoid in favour of more permissively licensed software such as racoon (which they both use in their products).

Comments (1)

  • +1 – Thank you for this explanatory answer. So my guess was right using L2TP is not so much about functionality (but history and licensing). Indeed I completely forgot about IKEv2, but mainly because racoon doesn't support it. I will try to set it up with strongSwan and give it a try. — Apr 03, 2014 at 14:18