What Is an L2TP VPN and Is It Still Safe to Use in 2025?

Updated on Oct 15, 2025 by Vianca Meyer

L2TP has been built into VPN settings for decades, from early routers to Windows, macOS, Android, and more. You might’ve seen it as a default option when setting up a manual VPN connection, even if you’ve never used it.

But what is L2TP, exactly? And in a world of faster, modern protocols like WireGuard and OpenVPN, why is it still included in so many devices today?

In a nutshell, L2TP is a tunneling protocol, meaning it only wraps your data to send it through a tunnel; it doesn’t encrypt or hide the contents on its own. When paired with IPsec, a protocol that encrypts data, it forms what used to be one of the most widely supported VPN setups around: L2TP/IPsec.

Let’s unpack what L2TP is, how it works, how secure it actually is, and when (if ever) it still makes sense to use it.

What Is an L2TP VPN?

L2TP, which is short for Layer 2 Tunneling Protocol, isn’t actually a VPN protocol: it creates a pathway for your data to travel through, but it doesn’t encrypt data or authenticate users on its own. It simply builds a tunnel between two endpoints, allowing raw data packets to move from point A to B over a public network. 

L2TP is almost always combined with another protocol, specifically, IPsec: L2TP builds the tunnel that carries the traffic, while IPsec locks and secures that traffic. Together, they function as a VPN protocol.

L2TP/IPsec gained widespread use in the 2000s, partly because older options like PPTP had serious security flaws. Today, L2TP/IPsec is still supported across most major platforms, but it’s widely considered outdated. Microsoft has even officially deprecated L2TP in Windows Server 2025, meaning it won’t be enabled by default.

How Does L2TP/IPsec Work?

Here’s how L2TP and IPsec work together:

  1. IPsec sets up security: Before anything moves, IPsec and the VPN server agree on secret keys. These keys create an encrypted channel so that all traffic is protected.
  2. L2TP builds the tunnel: This is a dedicated pathway your data travels through between your device and the VPN server.
  3. Data is wrapped and encrypted: L2TP adds headers to your outgoing data so it knows where to send it, and then IPsec locks the whole thing with strong encryption.
  4. VPN server processes the data: At the server end, IPsec unlocks the packets and L2TP removes its headers. The clean data is then sent on to the internet.

[Diagram: how data travels with the L2TP/IPsec VPN protocol. Data is encrypted with IPsec on the device and sent through an L2TP tunnel to a VPN server, where it is decrypted and forwarded to the internet.]

Benefits of L2TP/IPsec

L2TP/IPsec isn’t cutting-edge, but it didn’t survive this long by accident. As a matter of fact, there are a few key reasons it’s still kicking around (especially in networks that value stability and simplicity over raw performance).

  1. Works out of the box: Most operating systems still include native support for L2TP/IPsec. That means no extra software to install, no drivers to update; just input your credentials and go.
  2. Router-friendly: From consumer gateways to enterprise-grade gear, L2TP/IPsec is widely supported on network hardware. That makes it useful for building site-to-site tunnels (secure links between two different locations, for example two offices) or managing connections without relying on apps.
  3. Legacy compatibility: L2TP works with outdated networking equipment that newer VPN protocols don’t support. If you’re stuck working with legacy networks, it’s one of the few protocols that can still get the job done without installing extra software.
  4. Flexible tunneling modes: You can configure L2TP to let users connect voluntarily, or set it up to force traffic through a tunnel automatically; handy in environments with strict policy enforcement.

The Limitations of L2TP/IPsec

For all its compatibility perks, L2TP/IPsec comes with a few built-in tradeoffs, especially when stacked against faster, lighter protocols.

  1. Slower VPN performance: Because L2TP puts your data in a tunnel and then IPsec encrypts the whole thing, every packet ends up wrapped twice. That extra processing and larger packet size creates more overhead, which can slow down your speeds, especially compared to newer protocols.
  2. Fussy with firewalls: It relies on three specific data channels (ports 1701, 500, and 4500), which some networks block by default. Some routers need manual configuration or a VPN passthrough toggle, and not every network admin has time to troubleshoot port issues.
  3. No encryption fallback: L2TP alone doesn’t protect anything. If the IPsec portion fails or is misconfigured, your traffic may travel unencrypted, without warning. There’s no built-in safeguard if the second layer drops out.
  4. Manual setup pain: While it’s natively supported, setting it up usually means entering server IPs, pre-shared keys, and security settings by hand. Miss a field, and the tunnel won’t connect. Modern VPN apps avoid this mess with one-click installs and automatic config.
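
An added example, not part of the original article: a passive check for limitations 2 and 3 above. When IPsec is working, L2TP travels inside ESP, so a readable L2TP header on UDP 1701 means the tunnel is running unencrypted. The function names and sample datagrams are constructed for illustration.

```python
import struct

IKE, NAT_T, L2TP = 500, 4500, 1701   # the three ports the article lists (all UDP)

def parse_l2tp(payload):
    """Parse an L2TPv2 header (RFC 2661). Returns a dict, or None if not L2TPv2."""
    if len(payload) < 6:
        return None
    (flags,) = struct.unpack_from("!H", payload, 0)
    if flags & 0x000F != 2:                       # version nibble must be 2
        return None
    off = 2 + (2 if flags & 0x4000 else 0)        # L bit: optional Length field
    if len(payload) < off + 4:
        return None
    tunnel_id, _session_id = struct.unpack_from("!HH", payload, off)
    off += 4 + (4 if flags & 0x0800 else 0)       # S bit: optional Ns/Nr
    if flags & 0x0200:                            # O bit: offset size + padding
        if len(payload) < off + 2:
            return None
        off += 2 + struct.unpack_from("!H", payload, off)[0]
    return {"control": bool(flags & 0x8000), "tunnel_id": tunnel_id, "body": payload[off:]}

def classify(sport, dport, payload):
    """Label one UDP datagram seen on the wire between client and VPN server."""
    ports = {sport, dport}
    if L2TP in ports:          # never readable here when ESP is protecting it
        hdr = parse_l2tp(payload)
        if hdr is None:
            return "udp/1701 but not L2TPv2"
        kind = "control" if hdr["control"] else "data"
        return f"ALERT cleartext L2TP {kind} (tunnel {hdr['tunnel_id']})"
    if NAT_T in ports:
        if payload == b"\xff":
            return "NAT-T keepalive"
        if payload[:4] == b"\x00" * 4:            # non-ESP marker (RFC 3948)
            return "IKE over NAT-T"
        return "ESP in UDP (encrypted)"
    if IKE in ports:
        return "IKE key exchange"
    return "other"

# Constructed sample datagrams (sport, dport, payload); not captured traffic.
SAMPLES = [
    (500, 500, bytes(28)),                                        # IKE-sized blob
    (4500, 4500, struct.pack("!II", 0xC0FFEE01, 1) + bytes(32)),  # ESP: SPI, seq
    (1701, 1701, struct.pack("!HHH", 0x0002, 7, 1) + b"\xff\x03\x00\x21inner IP packet"),
]

def alerts(datagrams):
    return [r for r in (classify(*d) for d in datagrams) if r.startswith("ALERT")]
```

Run over UDP payloads from a capture taken between the client and the VPN server, any ALERT result means IPsec is not protecting the tunnel.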

Skip the complicated setup: Manual setups and port juggling can be complex and time-consuming. Modern protocols like WireGuard and OpenVPN are a much better choice in most situations, which is why PIA VPN includes both in all its apps.

L2TP vs. Other VPN Protocols: How Does It Compare?

Here’s how L2TP/IPsec fares against the most common VPN protocols nowadays:

Protocol   | Encryption      | Speed     | Router/Firewall Compatibility | Network Switching | Legacy Support
L2TP/IPsec | Strong          | Moderate  | Fair                          | Weak              |
PPTP       | Weak (broken)   | Fast      | Poor                          | Weak              |
IKEv2      | Strong          | Fast      | Strong                        | Excellent         |
OpenVPN    | Strong          | Moderate  | Strong                        | Moderate          |
WireGuard  | Strong (modern) | Very Fast | Excellent                     | Excellent         |

L2TP/IPsec vs. PPTP

PPTP came first, and was built for speed, not security. It relies on encryption algorithms that security researchers cracked a long time ago, making it unsafe to use. L2TP/IPsec replaced PPTP by using modern encryption standards and verification steps to check that data arrives untampered. 

While L2TP/IPsec is slower than PPTP due to its extra security layers, it’s a worthwhile trade-off. Both protocols are considered legacy technology today. PPTP is effectively retired, and L2TP/IPsec only makes sense on older systems that aren’t compatible with modern protocols.

L2TP/IPsec vs. IKEv2

Both protocols use IPsec, but that’s about where the similarities end. IKEv2 is more modern, more nimble, and much better suited for mobile use. It can hold a connection steady while switching networks (say, from Wi-Fi to 5G) without needing to reconnect. L2TP, on the other hand, stumbles when the network shifts and often drops out entirely. IKEv2 also performs faster in most tests, thanks to its leaner structure and lack of extra tunneling layers.

L2TP/IPsec vs. OpenVPN

OpenVPN brings serious versatility. It can use different connection methods to adapt to network conditions and work on almost any port, meaning it’s less likely to be blocked by firewalls. L2TP/IPsec is more rigid by comparison; reliable, but not flexible. While OpenVPN takes a bit more effort to set up initially, most providers now offer streamlined apps that handle the configuration for you.

L2TP/IPsec vs. WireGuard

WireGuard is the newest protocol on the block, and it doesn’t pull any punches. It’s fast, light, and built around modern cryptographic principles. The entire codebase is smaller than most PDF files, making it easy to audit and tough to misconfigure. It also plays well with NAT and handles roaming more smoothly than L2TP ever could. The only downside? WireGuard lacks support on older systems. Still, for performance and simplicity, it’s hard to beat.

Should You Still Use L2TP/IPsec?

Let’s be honest: in most cases, you’re better off with something newer. But L2TP/IPsec isn’t completely irrelevant.

You might still want to reach for it if:

  • You’re dealing with legacy hardware: Some routers, VPN appliances, and older OS builds just don’t play nice with modern protocols. If OpenVPN or WireGuard aren’t supported natively, L2TP/IPsec might be the only box you can check without installing extra software.
  • You’re setting up a basic site-to-site tunnel: For straightforward router-to-router connections (especially in environments still running older point-to-point network setups from the dial-up era), L2TP/IPsec offers just enough structure without too much overhead. Plus, separating tunneling from encryption makes it easier to audit than older protocols like PPTP.
  • You need wide compatibility across aging systems: If you’re managing a fleet of outdated endpoints, it’s often cheaper and faster to stick with what works than to overhaul the whole stack. In those situations, L2TP/IPsec remains the least disruptive option.

Looking for a better fit? Unless you’re dealing with legacy devices or a network that specifically requires it, there’s little reason to rely on L2TP/IPsec today. You’re better off with a high-quality VPN that includes WireGuard and OpenVPN and apps for major devices, like PIA VPN.

How Do I Set up an L2TP VPN?

If you want to use L2TP/IPsec, either because your device only supports older VPN types or because your job requires it, here’s how to set it up:

Before you start, make sure you have:

  • An active VPN subscription from a provider that still supports L2TP/IPsec.
  • The VPN server address you want to connect to.
  • The pre-shared key (PSK) for IPsec, which is a code your device and the VPN server use to prove they trust each other. It’s provided by your VPN service.
  • Your VPN account username and password.
  • A device/OS that supports L2TP/IPsec (Windows, macOS, iOS, or Android 11 and below).

On Windows (10/11)

  1. Go to Settings > Network & Internet > VPN.
  2. Select Add VPN connection.
  3. In the setup form, choose and enter the following:
      • VPN provider: Windows (built-in)
      • VPN type: L2TP/IPsec with pre-shared key
      • Server name/address, username, password, and shared key: All details you get from your VPN provider.
  4. Click Save, then select the new profile and click Connect.

On macOS

  1. Open System Settings > Network.
  2. Scroll down the left sidebar and click the “…” (More) menu at the bottom. Choose Add VPN Configuration, and in the pop-up, click VPN Type > L2TP over IPsec.
  3. Enter the following VPN details:
      • Server Address: Enter the hostname or IP of your VPN.
      • Account Name: Enter your username.
      • User Authentication: Select Password and enter it.
      • Machine Authentication: Select Shared Secret and enter the pre-shared IPsec key.
  4. Click Create.

On iPhone/iPad

  1. Go to Settings > General.
  2. Navigate to VPN & Device Management.
  3. Fill in the connection details:
      • Description, server, account, and password: Get these details from your VPN provider.
      • Shared secret (PSK): Enter it in the Secret field.
  4. Save, then toggle the VPN on to connect.

On Android (11 or older)

(Note that newer Android versions don’t include support for L2TP.)

  1. Go to Settings > Connections.
  2. Navigate to More connection settings.
  3. Navigate to the VPN option.
  4. Tap Add VPN profile.
  5. Under Type, choose L2TP/IPsec PSK.
  6. Enter the following details from your VPN provider:
      • Server address
      • IPsec pre-shared key
      • Username and password
  7. Save the profile, then select it from the VPN list and tap Connect.

FAQ

What is L2TP and how does it work with VPNs?

L2TP (short for Layer 2 Tunneling Protocol) builds a virtual tunnel for data between two devices or endpoints. By itself, it doesn’t encrypt data, which is why it’s usually paired with IPsec. In this combination, called L2TP/IPsec, L2TP builds the tunnel between your device and the VPN server, while IPsec encrypts the data moving through that tunnel.

Is L2TP/IPsec a secure VPN protocol?

It can be, but only if it’s set up properly. When paired with strong encryption like AES‑256 and configured with secure key exchange (via IKE), L2TP/IPsec still provides solid privacy and integrity checks. However, misconfigurations can leave the tunnel exposed.

What are the main advantages of using L2TP/IPsec?

Mainly, legacy support. It’s still baked into a lot of routers, firewalls, and older operating systems, which means fewer headaches when setting up a basic connection. If you’re working with legacy networks or equipment that doesn’t support modern protocols, L2TP/IPsec is often the path of least resistance.

What are the disadvantages or limitations of L2TP/IPsec?

The L2TP/IPsec downsides are speed, flexibility, and firewall friendliness. L2TP/IPsec is slower because it wraps data twice: once with L2TP to build the tunnel, and again with IPsec to encrypt it. It also doesn’t have the automatic backup features newer protocols use and requires manual setup, which can be a hassle.

When should I consider using L2TP/IPsec over other VPN protocols?

Rarely. L2TP/IPsec is a niche choice today. You’d only really need to consider using it if you’re dealing with older hardware, managing a legacy network, or setting up a quick tunnel between routers. Otherwise, modern options like WireGuard or OpenVPN are faster, safer, and easier to manage.