The origins of L2TP
PPTP, standardized in 1999 as RFC 2637, was an attempt by Microsoft and several network equipment vendors (3Com, Ascend Communications, Copper Mountain Networks and ECI Telematics) to re-use the existing PPP dial-in protocol as a VPN protocol over the internet. The goal was to keep existing PPP network equipment relevant and to migrate existing PPP dial-in setups from the phone network to the internet.
The biggest challenge those companies faced was adding secure authentication and encryption to PPP, since traffic on an internet connection is far easier to eavesdrop on or tamper with than a physical phone line. To find out how they overcame that challenge, check out our history of PPTP blog post.
However, there was another company that also wanted to keep PPP relevant, and it had a different idea: Cisco. Cisco teamed up with Microsoft, Ascend Communications and Redback Networks to propose an alternative solution to the same problem, which was standardized as L2TP (RFC 2661) in the very same year as PPTP.
Instead of designing a new control protocol that first sets up a GRE tunnel and then runs PPP over the (somewhat obscure) GRE protocol, they proposed to simply wrap PPP frames in a lightweight layer 2 tunneling protocol carried over UDP, and to leave authentication and encryption to the IPsec protocol suite. IPsec had already been standardized one year before PPTP, in 1998, and providing exactly those two properties is the core competency of that entire protocol suite.
Instead of using IPsec in tunnel mode, which directly tunnels whole IP packets from one network to another but can only carry IP traffic, their idea was to use IPsec in transport mode. Transport mode only protects the payload of an IP packet between the two endpoints and leaves the outer IP header in place, similar to what TLS does nowadays. For L2TP that payload is the UDP datagram carrying the tunnel, and since the tunnel carries PPP, which in turn carries IP or any other network protocol, that is enough to serve as a VPN between two VPN gateways or between a VPN client and a VPN gateway.
Within the IPsec suite, IKE authenticates the two peers and negotiates the keys, and ESP then provides confidentiality and integrity protection for every datagram. How the two protocols are combined in practice was later written down in RFC 3193 (Securing L2TP using IPsec).
To learn more about how the IPsec protocol suite works, check out our deep dive blog post about IKEv2.
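To make the layering concrete, here is an added example (not code from the original post or from any of the vendors mentioned): a small Python decoder for an L2TPv2 data message and the PPP frame inside it, i.e. what a gateway sees in the UDP/1701 payload once IPsec transport-mode ESP has already authenticated and decrypted the datagram. The sample datagrams are constructed by hand for the demo. The decoder also performs the header checks from RFC 2661 that a receiver should do before trusting the tunnel and session IDs: version, flag consistency for control messages, and the Length bound.

```python
"""Decode an L2TPv2 (RFC 2661) data message and the PPP frame it carries.

Added example, not code from the original post. It models what a gateway sees
in the UDP/1701 payload after IPsec transport-mode ESP has been removed:
L2TP header -> PPP frame -> tunnelled IP packet. Sample bytes are constructed.
"""
import struct

# Bits of the first 16-bit word of every L2TP header (RFC 2661, section 3.1).
FLAG_T = 0x8000   # 1 = control message, 0 = data message
FLAG_L = 0x4000   # Length field present
FLAG_S = 0x0800   # Ns/Nr sequence fields present
FLAG_O = 0x0200   # Offset Size field present
FLAG_P = 0x0100   # Priority (data messages only)
VER_MASK = 0x000F
L2TP_VERSION = 2

PPP_PROTO_IPV4 = 0x0021   # PPP protocol number for IPv4


def _u16(buf: bytes, pos: int) -> int:
    """Read a big-endian 16-bit field, failing cleanly on truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    return struct.unpack_from("!H", buf, pos)[0]


def parse_l2tp(datagram: bytes) -> dict:
    """Split an L2TP datagram into header fields and payload.

    Enforces the RFC 2661 rules a receiver should check before trusting the
    rest of the header: Ver must be 2, control messages must carry L and S and
    must not carry O or P, and a Length field may not exceed the datagram.
    """
    flags = _u16(datagram, 0)
    if flags & VER_MASK != L2TP_VERSION:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    is_control = bool(flags & FLAG_T)
    has_len, has_seq, has_off = bool(flags & FLAG_L), bool(flags & FLAG_S), bool(flags & FLAG_O)
    if is_control and not (has_len and has_seq):
        raise ValueError("control message without L and S bits")
    if is_control and flags & (FLAG_O | FLAG_P):
        raise ValueError("control message with O or P bit set")

    pos, length = 2, None
    if has_len:
        length = _u16(datagram, pos)
        pos += 2
        if length > len(datagram):
            raise ValueError("Length %d exceeds datagram size %d" % (length, len(datagram)))
    tunnel_id, session_id = _u16(datagram, pos), _u16(datagram, pos + 2)
    pos += 4
    ns = nr = None
    if has_seq:
        ns, nr = _u16(datagram, pos), _u16(datagram, pos + 2)
        pos += 4
    if has_off:
        # Offset Size counts padding bytes that follow it, before the payload.
        pos += 2 + _u16(datagram, pos)
    end = length if length is not None else len(datagram)
    if pos > end:
        raise ValueError("header runs past end of message")
    return {"control": is_control, "priority": bool(flags & FLAG_P),
            "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": datagram[pos:end]}


def parse_ppp(frame: bytes) -> dict:
    """Strip optional HDLC address/control bytes and decode the PPP protocol.

    L2TP carries PPP frames without HDLC flags or FCS; 0xFF 0x03 may still be
    present, and the protocol field is one byte if protocol field compression
    (PFC) was negotiated (low bit of the first byte set).
    """
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if not frame:
        raise ValueError("empty PPP frame")
    if frame[0] & 0x01:                      # PFC: single-byte protocol number
        return {"protocol": frame[0], "data": frame[1:]}
    return {"protocol": _u16(frame, 0), "data": frame[2:]}


def decode_tunnelled_packet(datagram: bytes) -> dict:
    """Walk the whole stack: L2TP data message -> PPP -> inner IP packet."""
    l2tp = parse_l2tp(datagram)
    if l2tp["control"]:
        raise ValueError("control messages carry AVPs, not PPP")
    ppp = parse_ppp(l2tp["payload"])
    inner = ppp["data"]
    return {"tunnel_id": l2tp["tunnel_id"], "session_id": l2tp["session_id"],
            "ppp_protocol": ppp["protocol"],
            "ip_version": inner[0] >> 4 if inner else None, "inner": inner}


def is_rejected(datagram: bytes) -> bool:
    """True if the datagram fails the header checks above."""
    try:
        parse_l2tp(datagram)
    except ValueError:
        return True
    return False


# --- constructed samples (not captured traffic) ----------------------------
# Minimal 20-byte IPv4 header, 10.0.0.1 -> 10.0.0.2, protocol 1, checksum left 0.
SAMPLE_IPV4 = bytes.fromhex("4500001400000000400100000a0000010a000002")
SAMPLE_PPP = b"\xff\x03" + struct.pack("!H", PPP_PROTO_IPV4) + SAMPLE_IPV4
# Data message with Length and Ns/Nr present: tunnel 5, session 7, Ns=1, Nr=0.
SAMPLE_DATA = struct.pack("!HHHHHH", FLAG_L | FLAG_S | L2TP_VERSION,
                          12 + len(SAMPLE_PPP), 5, 7, 1, 0) + SAMPLE_PPP
# Malformed control message: T and L set but S missing; must be rejected.
SAMPLE_BAD_CONTROL = struct.pack("!HHHH", FLAG_T | FLAG_L | L2TP_VERSION, 8, 5, 0)

if __name__ == "__main__":
    print(decode_tunnelled_packet(SAMPLE_DATA))
    print("bad control rejected:", is_rejected(SAMPLE_BAD_CONTROL))
```

Note that nothing in this layer authenticates anything: the tunnel and session IDs are plain integers, which is exactly why the design described above relies on IKE and ESP underneath rather than on L2TP itself.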
PPP strikes back
With encryption and authentication handled by IPsec, there was no need to modify PPP or to add any non-standard extensions to it. PPP could be used exactly as one would use it over a modem dial-up connection. What was still required was a thin protocol layer underneath it to set up the point-to-point link over the packet network and to let the PPP session terminate at a different device than the one terminating the physical link, the internet link or the IPsec connection (in L2TP terms, the LAC, e.g. a dial-up concentrator, forwards PPP frames through the tunnel to the LNS, where the PPP session actually ends).
IPsec itself was kept optional: an operator who still ran PPP over a phone line or a private (A)DSL line and did not need any additional security could use L2TP on its own, and even in that case the tunneling layer was useful whenever PPP did not terminate at the same gateway as the link.