L2TP with IPsec

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support VPNs or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself, and because of that lack of confidentiality in the L2TP protocol, it is often implemented along with IPsec. The general process for setting up an L2TP/IPsec VPN is:

1. Negotiate an IPsec security association (SA), typically through Internet key exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (also called pre-shared keys), public keys, or X.509 certificates on both ends, although other keying methods exist.
2. Establish Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
3. Negotiate and establish L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Because the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, UDP port 1701 does not need to be opened on firewalls between the endpoints, because the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.