Today, with diverse mobile devices used throughout businesses, and pervasive availability of broadband in the home, most corporate networks must provide remote access as a basic necessity. Virtual private network (VPN) technologies are an essential part of meeting that need.
Since L2TP doesn't provide any authentication or encryption mechanisms directly, both of which are key features of a VPN, L2TP is usually paired with IPSec to provide encryption of user and control packets within the L2TP tunnel. Figure 1 shows a simplified VPN configuration. Here the corporate network on the right contains an L2TP Network Server (LNS) providing access to the network. Remote workers and mobile devices may join the corporate network via IPSec-secured L2TP tunnels over any intermediate network (most likely the Internet).
Clients attaching to the VPN will often run L2TP and IPSec software directly. It is normally unnecessary to install extra software in client systems to communicate with an L2TP VPN server: L2TP VPN software is provided with Windows, OS X, iOS, Android and Linux systems.
L2TP to extend a LAN
An L2TP-based VPN works well to allow individual clients to make single links with a remote LAN. Our next example takes the VPN concept and runs with it, employing L2TP to merge two or more LANs. Many businesses have the challenge of managing several remote locations, all of which must share data and network infrastructure. By using L2TP to provide tunnels between each individual LAN, we can create one unified network with easy access to resources from any location.
Figure 2 shows a simple deployment using L2TP to join two LANs over the Internet. Rather than running L2TP software on each host in each office, a separate machine is used as an L2TP Control Connection Endpoint (LCCE) at each office location. Each LCCE machine bridges Ethernet frames between its LAN and the L2TP interface to the remote site, thereby acting as a gateway between the LANs. Depending on the LAN configuration and the nature of the intermediate network, it may be necessary or desirable to add packet filters at the LCCE to confine certain traffic to the LAN of origin instead of passing it over the tunnel.
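The packet filtering described above, sketched as an nftables ruleset for a Linux-based LCCE. This is an added example, not configuration from the original article. It assumes the L2TP Ethernet interface is named `l2tpeth0` and is a port of the same Linux bridge as the LAN interface; the choice of DHCP and IPv6 router advertisements as the traffic to confine is illustrative.

```nftables
# Added example: bridge-level filter on an LCCE that joins two office LANs.
# Assumption: l2tpeth0 is the L2TP Ethernet interface, enslaved to the same
# bridge as the LAN-facing interface. Adjust the name to the local setup.

table bridge lcce_filter {

    # Traffic that should stay on the LAN where it originated.
    chain site_local {
        # DHCPv4: each office keeps its own DHCP server and lease pool.
        ether type ip udp dport { 67, 68 } counter drop

        # DHCPv6 client and server ports, for the same reason.
        ether type ip6 udp dport { 546, 547 } counter drop

        # IPv6 router advertisements: a router at one site must not
        # become the default gateway for hosts at the other site.
        ether type ip6 icmpv6 type nd-router-advert counter drop
    }

    chain forward {
        # Everything else is bridged across the tunnel unchanged.
        type filter hook forward priority 0; policy accept;

        # Apply the site-local rules in both directions, so the filter
        # holds even if the remote LCCE is misconfigured.
        oifname "l2tpeth0" jump site_local
        iifname "l2tpeth0" jump site_local
    }
}
```

Load the file with `nft -f`, then read the per-rule counters with `nft list table bridge lcce_filter` to confirm which traffic is being held back from the tunnel.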