New Evolution Theory

The Tao begets one, one begets two, two begets three, three begets all things.


Reference: http://www.unix.org.ua/orelly/networking_2ndEd/fire/ch14_12.htm

14.12. Layer 2 Transport Protocol (L2TP)

The Layer 2 Transport Protocol (L2TP) is another generic encapsulation protocol designed to allow you to tunnel IP networking. Like PPTP, it is an extension of PPP. There are two main differences between PPTP and L2TP. First, PPTP always runs on top of IP; it requires that you have an IP connection of some sort. L2TP can run over a number of different protocols, including directly over a phone line (like PPP). Second, PPTP is an encrypted protocol; it encrypts everything except for the initial negotiations. L2TP is not an encrypted protocol; it does not encrypt message bodies. On the other hand, L2TP does do mutual authentication for the initial negotiations and is capable of concealing the information in the initial negotiations.


L2TP is normally used in conjunction with IPsec, so that IPsec can provide the encryption. This results in a heavily layered protocol stack. Figure 14-4 shows the layers of encapsulation involved in sending a TCP packet via L2TP securely over an IP network.

Figure 14-4. L2TP encapsulation of a TCP packet, as normally seen crossing an IP network

14.12.1. Packet Filtering Characteristics of L2TP

When L2TP is layered on top of IP, it uses UDP port 1701. However, in most implementations, L2TP is actually transmitted over IP via IPsec, using ESP encapsulation of UDP; this will have the packet filtering characteristics shown earlier for ESP.

Direction  Source Addr.  Dest. Addr.  Protocol  Source Port  Dest. Port  Notes
---------  ------------  -----------  --------  -----------  ----------  ---------------------------------------------
In         Ext           Int          UDP       >1023        1701        External client to internal server
Out        Int           Ext          UDP       1701[40]     >1023       Response, internal server to external client
Out        Int           Ext          UDP       >1023        1701        Internal client to external server
In         Ext           Int          UDP       1701         >1023       Response, external server to internal client


[40] The standard does not require L2TP servers to return packets from port 1701; they must receive packets at 1701 but may send them from any port. Many servers will send packets from 1701 to simplify interactions with network address translation and dynamic packet filtering.
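The four rows of the table, and the caveat in footnote [40], can be turned into a small filter-evaluation model. The following is an added example written for this page; it is not code from the book or from the blog. It applies the table rows literally (a static filter, which requires the server to answer from port 1701), and then a stateful variant that records the client side of each session so that a reply from a server using some other port is still accepted, which is the situation footnote [40] describes. The internal network range, the addresses, the port numbers and the sample packets are constructed values; the `Packet` class, `static_decision` and `DynamicFilter` names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology: one internal network behind the packet filter.
INTERNAL = ip_network("10.0.0.0/8")
L2TP_PORT = 1701
UDP = 17   # IP protocol number for UDP
ESP = 50   # IP protocol number for ESP (the usual carrier when L2TP rides on IPsec)


@dataclass(frozen=True)
class Packet:
    """Only the fields a packet filter examines: direction relative to the
    firewall, addresses, IP protocol, and UDP ports (None for non-UDP)."""
    direction: str            # "in" (arriving from outside) or "out"
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def zone(addr: str) -> str:
    """Map an address to the table's 'Int' / 'Ext' columns."""
    return "Int" if ip_address(addr) in INTERNAL else "Ext"


def ephemeral(port: Optional[int]) -> bool:
    """The table's '>1023' entry."""
    return port is not None and port > 1023


def static_decision(pkt: Packet) -> Optional[str]:
    """Apply the four table rows literally. Returns the matching row's note,
    or None when no row permits the packet."""
    if pkt.proto == ESP:
        return "ESP-encapsulated: apply the ESP rules, not this table"
    if pkt.proto != UDP:
        return None
    sz, dz = zone(pkt.src), zone(pkt.dst)
    rows = [
        ("in",  "Ext", "Int", ephemeral(pkt.sport), pkt.dport == L2TP_PORT,
         "External client to internal server"),
        ("out", "Int", "Ext", pkt.sport == L2TP_PORT, ephemeral(pkt.dport),
         "Response, internal server to external client"),
        ("out", "Int", "Ext", ephemeral(pkt.sport), pkt.dport == L2TP_PORT,
         "Internal client to external server"),
        ("in",  "Ext", "Int", pkt.sport == L2TP_PORT, ephemeral(pkt.dport),
         "Response, external server to internal client"),
    ]
    for direction, s_zone, d_zone, sport_ok, dport_ok, note in rows:
        if (pkt.direction, sz, dz) == (direction, s_zone, d_zone) and sport_ok and dport_ok:
            return note
    return None


class DynamicFilter:
    """Stateful variant for footnote [40]: remember each session a client opens
    toward port 1701 and accept the server's reply to that client even when
    the server sends it from some other port."""

    def __init__(self) -> None:
        self.sessions = set()   # (client_addr, client_port, server_addr)

    def decide(self, pkt: Packet) -> Optional[str]:
        note = static_decision(pkt)
        if note is not None:
            if pkt.dport == L2TP_PORT:          # a client opening a session
                self.sessions.add((pkt.src, pkt.sport, pkt.dst))
            return note
        # The static rows rejected it; allow only a reply to a recorded session.
        if pkt.proto == UDP and (pkt.dst, pkt.dport, pkt.src) in self.sessions:
            return "Response from a non-1701 server port, matched to a recorded session"
        return None


if __name__ == "__main__":
    fw = DynamicFilter()
    sample = [                                   # constructed packets
        Packet("out", "10.1.1.5", "203.0.113.9", UDP, 40000, 1701),
        Packet("in", "203.0.113.9", "10.1.1.5", UDP, 1701, 40000),
        Packet("in", "203.0.113.9", "10.1.1.5", UDP, 5000, 40000),   # server answered from 5000
        Packet("in", "198.51.100.7", "10.1.1.5", UDP, 5000, 40000),  # no session: dropped
    ]
    for p in sample:
        print(p.direction, p.src, p.sport, "->", p.dst, p.dport, ":", fw.decide(p) or "DROP")
```

The static filter drops the third sample packet because its source port is 5000 rather than 1701; the stateful filter accepts it because the internal client had already sent to that server's port 1701, and still drops the fourth packet, which claims to be a reply but matches no recorded session. Note that the table's ">1023" entry also covers 1701 itself, so a 1701-to-1701 packet matches the first "Out" row.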

posted on 2007-12-31 16:13 by 岌岌可危, 437 views, 0 comments