How to explain the connection and difference between PPTP and L2TP in VPN in plain language?

Plain-language explanation:

PPP (Point-to-Point Protocol) is like the jet bridge at an airport: it physically connects the terminal to the aircraft and walks the passengers (IP packets) onto the plane (the Internet).

If there is no jet bridge, a shuttle bus is needed. L2TP and PPTP are that shuttle bus.

L2TP is an open-top bus with no protection of its own. To keep everyone on board safe it carries security guards (IPsec), who protect all passengers (IP packets) until they reach the aircraft and board the plane (the Internet).

PPTP is two vehicles. One clears the road (the control channel, TCP port 1723, which sets up and tears down the tunnel); the other carries the passengers (the IP/GRE data channel). The passenger bus has a few guards of its own (the protection PPP itself provides), but they only watch the VIP passengers (the end-user IP packets); the other passengers (the control traffic) travel unguarded. Both vehicles eventually reach the destination and the passengers board the plane (the Internet).

So they take different roads to the same destination. The ultimate purpose is the same, to get the passengers (IP packets) onto the plane (the Internet), but the route differs and so does the level of security.

Technical explanation:

PPTP: Point-to-Point Tunneling Protocol

L2TP: Layer 2 Tunneling Protocol

If the two have any connection at all, it is that both carry PPP as their payload: each one encapsulates PPP frames. That is the only connection between them. The natural question is then: PPP is a perfectly good point-to-point protocol for dial-up networks, so why encapsulate it, and what else do PPTP and L2TP do? The article is a bit long; keep reading and you will get something out of it.

Since both are built around PPP, we have to talk about PPP first. PPP is the dial-up Internet protocol: whether the access is a traditional telephone network (PSTN), ISDN or ADSL, the final steps, authenticating the user and assigning an IP address to the user's computer or modem, are all done by PPP. The only difference between the three is the transmission medium; the procedure is the same: a PPP session is completed between the PPP client and the PPP server, the user is authenticated and an IP address is assigned.

The biggest shortcoming of these three traditional deployments is that they are too inflexible. A point-to-point connection is required between client and server, so whether it is a PSTN circuit, an ISDN circuit or an ADSL subscriber line, everything has to land on the same piece of equipment in the telecom central office. That device does two jobs: first it terminates the circuit, and second it terminates the PPP session (PPP session termination), as in the figure below:

This means that every access server, the PSTN network access server (NAS), the ISDN NAS and the DSLAM NAS, has to:

Run the PPP server
Be configured with the authentication server
Be configured with the address pool

There are many, many NASs spread across different networks. Such a decentralised arrangement is hard to manage, and the management cost is high.

Hence the idea: can circuit termination and PPP session termination be physically separated, with the circuit terminated on one device and the PPP session terminated on another? Between those two physically separate devices, using the IP network as the transmission medium, a tunnel is set up; the PPP frames stripped off at the circuit-termination device are encapsulated in this tunnel and carried to the PPP server, which terminates the PPP session. In this way only one or two centralised PPP servers are needed, as shown in the figure below. Conveniently, we have exactly two tunneling protocols that realise this idea.

These two tunneling protocols are PPTP and L2TP. Their ultimate goal is the same: encapsulate PPP, carry it across the IP network, ATM cloud or MPLS cloud to the PPP server, and complete the PPP session and the PPP user data traffic there. Their implementations, however, are quite different, so we introduce them separately, starting with PPTP.

PPTP
PPTP is a vendor protocol designed by Microsoft together with a group of partner vendors. It was later published as RFC 2637, an Informational RFC, and it still carries a strong corporate stamp.

It has two layers, a control connection and a tunnel (data) connection:

The control connection is a TCP connection between the PPTP Access Concentrator (PAC) and the PPTP Network Server (PNS). It is used to negotiate how tunnels, and the calls inside them, are established, released and modified, and how they are told apart.

PAC -----------TCP 1723-------------PNS

The tunnel connection uses enhanced GRE, running directly over IP with protocol number 47. "Enhanced" means the GRE header carries a Key field holding the payload length and a Call ID, plus optional sequence and acknowledgement numbers. The Call ID is what distinguishes the tunnelled sessions. It is also the only per-flow identifier a NAT device can use, because GRE has no port numbers; a NAT can pass PPTP only if it implements a PPTP ALG that tracks and rewrites Call IDs, which is why PPTP is so often broken behind NAT.

PAC -----------Enhanced GRE-------------PNS
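To make the "enhanced GRE" concrete, here is an added example (not code from the original article) that builds and parses the RFC 2637 GRE header in Python: the K, S and A flag bits, protocol type 0x880B, and the Key field split into Payload Length and Call ID. It also groups packets by Call ID the way a PNS, or a NAT with a PPTP ALG, has to, since there are no port numbers to go on. The function names are my own, and the sample PPP payloads are constructed, truncated frames.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 2637 enhanced GRE header: C=0 R=0 K=1 S=? s=0 Recur=0 | A=? Flags=0 Ver=1 | Protocol Type 0x880B
GRE_PROTO_PPP = 0x880B
FLAG_K, FLAG_S, FLAG_A, GRE_VERSION = 0x20, 0x10, 0x80, 0x01


@dataclass
class PptpGre:
    call_id: int         # the only per-flow identifier: GRE has no port numbers
    payload_len: int
    seq: Optional[int]   # present when S=1 (data packets carrying PPP)
    ack: Optional[int]   # present when A=1 (piggy-backed acknowledgement)
    payload: bytes       # the encapsulated PPP frame


def build_pptp_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
                   ack: Optional[int] = None) -> bytes:
    """Serialise an enhanced GRE packet (everything after the IP header)."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)
    b1 = GRE_VERSION | (FLAG_A if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def _u32(pkt: bytes, off: int) -> int:
    if len(pkt) < off + 4:
        raise ValueError("truncated enhanced GRE header")
    return struct.unpack("!I", pkt[off:off + 4])[0]


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Parse an enhanced GRE header, rejecting plain (RFC 2784) GRE and truncated packets."""
    if len(pkt) < 8:
        raise ValueError("too short for an enhanced GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    # C, R, s and Recur must be zero and K set; Flags must be zero and Version 1
    if (b0 & 0xCF) or not (b0 & FLAG_K) or (b1 & 0x78) or (b1 & 0x07) != GRE_VERSION:
        raise ValueError("not an RFC 2637 enhanced GRE header")
    if proto != GRE_PROTO_PPP:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto)
    off, seq, ack = 8, None, None
    if b0 & FLAG_S:
        seq, off = _u32(pkt, off), off + 4
    if b1 & FLAG_A:
        ack, off = _u32(pkt, off), off + 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload truncated")
    return PptpGre(call_id, payload_len, seq, ack, payload)


def demux_by_call_id(packets: List[bytes]) -> Dict[int, List[bytes]]:
    """Group PPP frames by Call ID, as a PNS (or a NAT's PPTP ALG) must, since there is no port to key on."""
    calls: Dict[int, List[bytes]] = {}
    for p in packets:
        g = parse_pptp_gre(p)
        calls.setdefault(g.call_id, []).append(g.payload)
    return calls


if __name__ == "__main__":
    # Constructed samples: two calls carrying truncated PPP frames (ff 03 00 21 = PPP header, protocol IP)
    ppp = bytes.fromhex("ff030021") + bytes.fromhex("4500")
    wire = [build_pptp_gre(0x1234, ppp, seq=1, ack=0),
            build_pptp_gre(0x1235, ppp, seq=1),
            build_pptp_gre(0x1234, ppp, seq=2, ack=0)]
    for call_id, frames in demux_by_call_id(wire).items():
        print("call 0x%04x: %d PPP frame(s)" % (call_id, len(frames)))
```

The strict flag check matters in practice: a plain GRE tunnel (RFC 2784, version 0, no Key) also arrives as IP protocol 47, and a PPTP endpoint or ALG that does not reject it will misread the Call ID.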

 

In summary, both the control and data channels run above the IP layer, so PPTP cannot work without an IP network. Separating the control plane from the data plane into two channels also makes implementation more complex, and firewall policy has to allow both channels at the same time.

In addition, PPTP relies entirely on the encapsulated PPP for security; the TCP control session and the GRE tunnel themselves are cleartext. In practice that PPP-level protection is MS-CHAP authentication and MPPE encryption, both of which are widely regarded as weak today, so PPTP's security strength is not adequate.

L2TP
What we discuss here is L2TPv2, whose design was led by Cisco (it merges Cisco's L2F with PPTP); the corresponding standard is RFC 2661.

Because Cisco led the design, the protocol had to account for network diversity rather than assuming, as Microsoft did with PPTP, that IP is the only underlying transport. L2TP can therefore be carried over the following networks:

1) IP network

IP protocol number 115

LAC -----------IP 115------------LNS

The advantage is a smaller header, but it is unfriendly to NAT traversal. Note that direct encapsulation in IP with protocol 115 is specified by RFC 3931 for L2TPv3; RFC 2661 (L2TPv2) itself defines only the UDP encapsulation.

2) IP/UDP

UDP port 1701

LAC -----------UDP 1701-----------LNS

Works well through NAT, since the UDP ports give the NAT something to translate

3) Layer 2 ATM switched network

LAC -----------ATM-----------LNS

Can be carried over an ATM cloud (L2TP over AAL5, RFC 3355)

4) MPLS

LAC -----------MPLS-----------LNS

Can be carried over Layer 2 and Layer 3 MPLS VPNs

5) Frame Relay

LAC -----------Frame Relay-----------LNS

Can be carried over a Frame Relay switched network (RFC 3070)

In addition, the control plane and data plane share one channel, that is, the same IP tunnel or the same UDP port pair. Control and data messages are told apart by the T bit in the L2TP header, and both carry the Tunnel ID and Session ID, which simplifies implementation and deployment.
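Added example, not from the original article: an L2TPv2 header builder and parser in Python showing how control messages (T=1, always with Length and Ns/Nr) and data messages (T=0) arrive on the same UDP 1701 channel and are separated by the T bit, with the Tunnel ID and Session ID read the same way from both. The function names are my own, and the sample packets (an SCCRQ, a ZLB acknowledgement and a data message carrying a PPP IP frame) are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_VERSION = 2
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200

# Control message types (RFC 2661 section 3.2), carried in the mandatory first AVP (Message Type)
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 7: "OCRQ",
                 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN",
                 15: "WEN", 16: "SLI"}


@dataclass
class L2tpMessage:
    is_control: bool             # T bit: 1 = control message, 0 = data message
    tunnel_id: int
    session_id: int
    ns: Optional[int]            # Ns/Nr are mandatory on control messages, optional on data
    nr: Optional[int]
    message_type: Optional[str]  # control only; None for a ZLB (zero-length body) acknowledgement
    payload: bytes               # AVPs for control, the PPP frame for data


def build_l2tp_control(tunnel_id, session_id, ns, nr, msg_type: Optional[int]) -> bytes:
    """Control message: T=1, L=1, S=1, carrying one Message Type AVP (none for a ZLB ack)."""
    avp = b"" if msg_type is None else struct.pack("!HHHH", 0x8000 | 8, 0, 0, msg_type)
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | L2TP_VERSION, 12 + len(avp),
                       tunnel_id, session_id, ns, nr) + avp


def build_l2tp_data(tunnel_id, session_id, ppp_frame: bytes) -> bytes:
    """Minimal data message: T=0 and no Length, sequence or offset fields."""
    return struct.pack("!HHH", L2TP_VERSION, tunnel_id, session_id) + ppp_frame


def _field(pkt: bytes, off: int, fmt: str):
    size = struct.calcsize(fmt)
    if len(pkt) < off + size:
        raise ValueError("truncated L2TP header")
    return struct.unpack(fmt, pkt[off:off + size]), off + size


def parse_l2tp(pkt: bytes) -> L2tpMessage:
    """Parse one L2TPv2 message as it arrives on UDP 1701; control and data share the port."""
    (flags,), off = _field(pkt, 0, "!H")
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("not L2TPv2 (version %d)" % (flags & 0x000F))
    is_control = bool(flags & T_BIT)
    if is_control and not (flags & L_BIT and flags & S_BIT):
        raise ValueError("control messages must carry Length and Ns/Nr")
    length = len(pkt)
    if flags & L_BIT:
        (length,), off = _field(pkt, off, "!H")
        if length > len(pkt):
            raise ValueError("Length field exceeds packet")
    (tunnel_id, session_id), off = _field(pkt, off, "!HH")
    ns = nr = None
    if flags & S_BIT:
        (ns, nr), off = _field(pkt, off, "!HH")
    if flags & O_BIT:
        (offset_size,), off = _field(pkt, off, "!H")
        off += offset_size          # padding bytes before the payload
    payload = pkt[off:length]
    message_type = None
    if is_control and payload:
        if len(payload) < 8:
            raise ValueError("truncated AVP")
        avp_hdr, vendor, attr, value = struct.unpack("!HHHH", payload[:8])
        if vendor != 0 or attr != 0 or (avp_hdr & 0x03FF) != 8:
            raise ValueError("first AVP of a control message must be Message Type")
        message_type = MESSAGE_TYPES.get(value, "type %d" % value)
    return L2tpMessage(is_control, tunnel_id, session_id, ns, nr, message_type, payload)


if __name__ == "__main__":
    # Constructed samples: an SCCRQ opening a tunnel, a ZLB ack, and a data message with a PPP IP frame
    wire = [build_l2tp_control(0, 0, 0, 0, 1),
            build_l2tp_control(7, 0, 1, 1, None),
            build_l2tp_data(7, 3, bytes.fromhex("ff030021"))]
    for pkt in wire:
        m = parse_l2tp(pkt)
        print("control" if m.is_control else "data   ", m.tunnel_id, m.session_id, m.message_type)
```

Because the version nibble and the T bit sit in the first two bytes, a single UDP 1701 listener can reject L2TPv3 or junk before touching any further field, and a firewall that wants to see the control channel only needs that one port.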

Thanks to this support for diverse transports and the single-channel design, L2TP gained wider support and kept evolving. The latest version is L2TPv3, which supports not only PPP encapsulation but also Ethernet, ATM, HDLC and Frame Relay, almost on a par with Layer 2 MPLS pseudowires; the corresponding standard is RFC 3931.

However, L2TP itself provides no encryption. IPsec must be used to protect the L2TP tunnel (L2TP/IPsec, RFC 3193). Because the entire tunnel, control messages included, is encrypted and authenticated, the security is higher.

Both PPTP and L2TP above are deployed in the access network. In fact the two protocols are very flexible: they can be used between any hosts, servers and routers that have IP connectivity. Let us look at the scenario in which PPTP or L2TP is configured on the user's computer.

The user wants to dial in to the company server over PPTP, or over L2TP/IPsec, to obtain a company VPN connection. The premise is that the user already has Internet access, for example via ADSL, and hence IP connectivity. Either protocol can then work, as long as the following preconditions are met:

a) PPTP

Firewall allows TCP 1723
Firewall allows IP protocol 47, namely GRE
NAT devices in the path support PPTP pass-through (a PPTP ALG that tracks the GRE Call ID)

b) L2TP

Use the UDP encapsulation
Firewall allows UDP 1701 (L2TP)
Firewall allows UDP 500 (IKE)
Firewall allows UDP 4500 (IKE NAT traversal and UDP-encapsulated ESP)
ESP needs no separate rule when NAT traversal is in use, because it is encapsulated in UDP 4500. If there is no NAT between the endpoints, IKE negotiates plain ESP (IP protocol 50) instead, and that must be allowed. Note also that with L2TP/IPsec the UDP 1701 traffic travels inside the IPsec tunnel, so an edge firewall sees only IKE and ESP; the UDP 1701 rule matters on the host firewall of the LNS.
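Added example, not part of the original article: a Python classifier that looks only at the outer IPv4 and transport headers of constructed packets and reports which of the rules above each flow needs. It shows the two points a firewall operator trips over: GRE has no ports (so PPTP needs an ALG at the NAT), and on UDP 4500 IKE is distinguished from UDP-encapsulated ESP by the four-byte zero non-ESP marker of RFC 3948. The packet builders, function names and addresses are my own assumptions; checksums are left at zero.

```python
import struct
from typing import List, Set, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50


def ipv4(proto: int, payload: bytes, src="203.0.113.10", dst="198.51.100.1") -> bytes:
    """Constructed IPv4 header (no options, checksum left zero) for the samples below."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                       addr(src), addr(dst)) + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    # minimal 20-byte TCP header with only the SYN flag set
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def classify(pkt: bytes) -> Tuple[str, str]:
    """Return (what the packet is, the firewall/NAT rule it needs) from the outer headers only."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_GRE:
        return ("PPTP data (GRE)", "allow IP protocol 47; NAT needs a PPTP ALG (GRE has no ports)")
    if proto == IPPROTO_ESP:
        return ("native ESP", "allow IP protocol 50 (only needed when no NAT sits in the path)")
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        if dport == 1723:
            return ("PPTP control", "allow TCP 1723")
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if dport == 1701:
            return ("L2TP (cleartext on the wire)",
                    "allow UDP 1701; with IPsec this only appears inside ESP")
        if dport == 500:
            return ("IKE", "allow UDP 500")
        if dport == 4500:
            # RFC 3948: IKE behind NAT-T is prefixed by a 4-byte zero "non-ESP marker";
            # UDP-encapsulated ESP starts with its SPI, which is never zero
            if data[:4] == b"\x00\x00\x00\x00":
                return ("IKE over NAT-T", "allow UDP 4500")
            return ("ESP in UDP (NAT-T)", "allow UDP 4500 (covers ESP too; no protocol 50 rule needed)")
    return ("not a PPTP/L2TP/IPsec flow", "no VPN rule")


def required_rules(packets: List[bytes]) -> Set[str]:
    """The set of rules a firewall in front of the VPN server needs for the observed flows."""
    return {classify(p)[1] for p in packets}


if __name__ == "__main__":
    # Constructed samples; the IKE and L2TP payloads are placeholders, not real negotiations
    ike_hdr = bytes.fromhex("0123456789abcdef") + bytes(20)
    samples = [ipv4(IPPROTO_TCP, tcp_syn(51000, 1723)),
               ipv4(IPPROTO_GRE, bytes.fromhex("2001880b00041234ff030021")),
               ipv4(IPPROTO_UDP, udp(500, 500, ike_hdr)),
               ipv4(IPPROTO_UDP, udp(4500, 4500, bytes(4) + ike_hdr)),
               ipv4(IPPROTO_UDP, udp(4500, 4500, bytes.fromhex("c0000001") + bytes(32))),
               ipv4(IPPROTO_UDP, udp(1701, 1701, bytes.fromhex("c802001400000000000000008008000000000001")))]
    for p in samples:
        print("%-32s -> %s" % classify(p))
    print(sorted(required_rules(samples)))
```

Running it over the constructed samples produces one rule line per flow; feeding it real captures (for example IPv4 packets pulled from a pcap) shows whether a site's VPN actually needs the protocol 47 or protocol 50 rules, or whether everything is already wrapped in UDP 4500.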


Origin http://43.154.161.224:23101/article/api/json?id=325252837&siteId=291194637