SonicOS 8 IPSec VPN
- titlepage
- table-of-contents
- SonicOS 8
- About SonicOS
- IPSec VPN Overview
- Site to Site VPNs
- VPN Auto Provisioning
- Rules and Settings
- Advanced
- DHCP over VPN
- L2TP Servers and VPN Client Access
- AWS VPN
- SonicWall Support
L2TP with IPsec
Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support VPNs or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself, and because of that lack of confidentiality in the L2TP protocol, it is often implemented along with IPsec. The general process for setting up an L2TP/IPsec VPN is:
- Negotiate an IPsec security association (SA), typically through Internet key exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (also called pre-shared keys), public keys, or X.509 certificates on both ends, although other keying methods exist.
- Establish Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
- Negotiate and establish L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.
When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Because the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, UDP port 1701 does not need to be opened on firewalls between the endpoints, because the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.
Was This Article Helpful?
Help us to improve our support portal