The main difference between this protocol and PPTP is that L2F does not depend on an IP (Internet Protocol) transport network: the tunnel can run directly over other network technologies such as Frame Relay or ATM.
L2F uses PPP for remote-user authentication and can also hand the authentication decision to back-end systems such as TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In User Service).
A single L2F tunnel can carry several connections at once, each identified by its own Multiplex ID, which is another difference from PPTP.
User authentication happens at two levels: first by the ISP's access server before the call is placed into the tunnel, and then again by the corporate gateway when the connection to it is established.
In addition, before the tunnel itself is set up, the ISP's access server and the corporate gateway authenticate each other (two-way authentication between the two tunnel endpoints, using a secret shared between them).
L2F operates at the data link layer (Layer 2) of the OSI reference model, so the tunnelled PPP session can carry non-IP protocols such as IPX or NetBEUI for the remote user, whereas PPTP is tied to an IP transport.
In short, this Cisco-developed protocol does not depend solely on IP and can run directly over other transports. It was designed to provide a connectivity service called VDU (Virtual Dial-Up).
PAP (Password Authentication Protocol)
Once the PPP link between client and server is up, the client sends an Authenticate-Request packet carrying its username and password; the server checks them and accepts or rejects the connection. PAP sends the password in cleartext, so anyone able to observe the link can read it.
CHAP (Challenge Handshake Authentication Protocol)
In CHAP the server (the authenticator) sends the client a challenge containing a random value; the client answers with a one-way hash (MD5) of the packet identifier, its secret and the challenge value, and the server recomputes the hash with its own copy of the secret to accept or reject the connection.
The secret itself never crosses the link, and the server may repeat the challenge at any time during the session to re-verify the peer, terminating the connection if a response fails.
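To make the difference between the two PPP authentication methods concrete, the following added example (not code from the original page) builds the packets described above. The PAP frame follows RFC 1334 and the CHAP Challenge/Response frames follow RFC 1994; the peer names, password, secret and challenge bytes are made up for illustration. The point it shows is that the PAP password is readable straight out of the frame, while a CHAP response is only valid for the exact challenge and identifier it answers, so a captured response cannot be replayed against a new challenge.

```python
"""PAP vs CHAP on a PPP link: constructed example, not code from the page.
Packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP); all names, secrets
and challenge values below are invented for illustration."""
import hashlib
import hmac
import struct

PAP_AUTH_REQUEST = 1            # PAP Authenticate-Request code
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code, Identifier, Length, then the
    length-prefixed Peer-ID and Password. Nothing is hashed or encrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def pap_parse(frame: bytes):
    """What anyone on the path sees: the cleartext peer-id and password."""
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTH_REQUEST or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    p = 4
    idlen = frame[p]
    peer_id = frame[p + 1:p + 1 + idlen]
    p += 1 + idlen
    pwlen = frame[p]
    password = frame[p + 1:p + 1 + pwlen]
    return peer_id, password


def chap_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value = MD5(Identifier || secret || challenge value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge or Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_unpack(packet: bytes):
    """Split a CHAP packet into (code, identifier, value, name)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    vsize = packet[4]
    return code, ident, packet[5:5 + vsize], packet[5 + vsize:length]


def chap_verify(challenge_pkt: bytes, response_pkt: bytes, secrets: dict) -> bool:
    """Authenticator side: recompute the hash for the challenge it actually sent
    and the identifier it used. A response to any other challenge, or with a
    different identifier (a replayed capture), fails."""
    ccode, cid, challenge, _ = chap_unpack(challenge_pkt)
    rcode, rid, value, name = chap_unpack(response_pkt)
    if ccode != CHAP_CHALLENGE or rcode != CHAP_RESPONSE or cid != rid:
        return False
    secret = secrets.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(value, chap_value(cid, secret, challenge))


if __name__ == "__main__":
    # Constructed traffic: a PAP login and a CHAP exchange for the same user.
    print(pap_parse(pap_request(1, b"alice", b"hunter2")))   # password in clear
    secrets = {b"alice": b"alice-secret"}
    chal = chap_packet(CHAP_CHALLENGE, 9, b"\x01" * 16, b"nas")
    resp = chap_packet(CHAP_RESPONSE, 9, chap_value(9, secrets[b"alice"], b"\x01" * 16), b"alice")
    print(chap_verify(chal, resp, secrets))                   # True
    replay_target = chap_packet(CHAP_CHALLENGE, 10, b"\x02" * 16, b"nas")
    print(chap_verify(replay_target, resp, secrets))          # False: stale response
```

The MD5-based hash is what RFC 1994 specifies, so the example keeps it; the protection CHAP offers comes from the fresh challenge value, not from the strength of MD5, and it still requires the authenticator to hold the secret (or its equivalent) in a recoverable form.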
How Is the Tunnel Made?
Creating an L2F tunnel involves the following steps:
The remote user dials in to the ISP over a PSTN or ISDN line and initiates a PPP connection.
The ISP's NAS (Network Access Server) accepts the call and brings up the PPP link, then authenticates the user with CHAP or PAP.
The NAS inspects only the username (typically the domain part of a user@domain name) to decide whether this caller should get a VDU connection and, if so, which corporate gateway it belongs to.
If a VDU connection is needed, the NAS assigns a Multiplex ID (MID) to the call and sends a connection notification for it to the VDU destination, the corporate gateway (opening the tunnel to that gateway first if one does not already exist).
Once the gateway accepts, the virtual link for PPP (or SLIP) is in place and data flows in both directions through the tunnel.
While the connection is up, the connected devices re-verify each other periodically using CHAP.
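The steps above describe a decision flow rather than a packet format, so the following added example (not code from the original page or from Cisco, and not the L2F wire format) models that flow end to end: the NAS runs CHAP on the incoming PPP call, decides from the domain part of the username whether the caller is a VDU client, opens a tunnel to that domain's home gateway with a mutual challenge/response on a shared tunnel secret, assigns a fresh MID so that several calls share one tunnel, and forwards the CHAP challenge and response so the corporate gateway performs the second-level user authentication itself. The domain names, secrets and usernames are invented.

```python
"""Model of L2F virtual dial-up (VDU) session setup. Constructed example:
not code from the page, not the RFC 2341 wire format. Every name, secret
and challenge value is made up for illustration."""
import hashlib
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Client:
    """The remote dial-in user; only it knows its own CHAP secret."""
    def __init__(self, username: str, secret: bytes):
        self.username, self.secret = username, secret

    def respond(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self.secret, challenge)


class HomeGateway:
    """Corporate gateway: terminates the tunnel and owns the user database."""
    TUNNEL_ID = 0   # identifier used for tunnel-level (NAS<->gateway) CHAP

    def __init__(self, domain: str, tunnel_secret: bytes, users: dict):
        self.domain = domain
        self.tunnel_secret = tunnel_secret    # shared with the ISP's NAS only
        self.users = users                    # username -> CHAP secret
        self.sessions = {}                    # MID -> username

    def answer_tunnel_challenge(self, nas_challenge: bytes):
        """Tunnel-level mutual authentication: answer the NAS's challenge and
        issue one of our own, both on the shared tunnel secret."""
        own_challenge = os.urandom(16)
        return chap_response(self.TUNNEL_ID, self.tunnel_secret, nas_challenge), own_challenge

    def verify_nas(self, own_challenge: bytes, nas_answer: bytes) -> bool:
        return nas_answer == chap_response(self.TUNNEL_ID, self.tunnel_secret, own_challenge)

    def accept_call(self, mid, username, ident, challenge, response) -> bool:
        """Second-level authentication: the gateway, not the NAS, checks the
        user's CHAP response against the challenge the NAS forwarded."""
        secret = self.users.get(username)
        if secret is None or chap_response(ident, secret, challenge) != response:
            return False
        self.sessions[mid] = username
        return True


class NAS:
    """ISP access server: authenticates ordinary callers itself and forwards
    VDU callers to their home gateway over a multiplexed tunnel."""
    def __init__(self, gateways: dict, local_users: dict):
        self.gateways = gateways          # domain -> HomeGateway
        self.local_users = local_users    # username -> secret for plain dial-in
        self.tunnels = {}                 # domain -> next free MID on that tunnel

    def _ensure_tunnel(self, gw: HomeGateway) -> bool:
        if gw.domain in self.tunnels:
            return True                   # reuse: one tunnel carries many calls
        nas_challenge = os.urandom(16)
        gw_answer, gw_challenge = gw.answer_tunnel_challenge(nas_challenge)
        if gw_answer != chap_response(gw.TUNNEL_ID, gw.tunnel_secret, nas_challenge):
            return False                  # gateway failed to prove the shared secret
        if not gw.verify_nas(gw_challenge, chap_response(gw.TUNNEL_ID, gw.tunnel_secret, gw_challenge)):
            return False
        self.tunnels[gw.domain] = 1
        return True

    def dial_in(self, client: Client):
        """One incoming PPP call; returns (mode, authenticated, mid)."""
        ident, challenge = 1, os.urandom(16)
        response = client.respond(ident, challenge)          # CHAP on the PPP link
        _, at, domain = client.username.rpartition("@")
        gw = self.gateways.get(domain) if at else None       # username alone decides
        if gw is None:                                       # ordinary dial-in user
            expected = chap_response(ident, self.local_users.get(client.username, b""), challenge)
            return ("local", expected == response, None)
        if not self._ensure_tunnel(gw):
            return ("vdu", False, None)
        mid = self.tunnels[gw.domain]                        # fresh MID for this call
        self.tunnels[gw.domain] += 1
        ok = gw.accept_call(mid, client.username, ident, challenge, response)
        return ("vdu", ok, mid)


if __name__ == "__main__":
    corp = HomeGateway("corp.example", b"tunnel-key", {"alice@corp.example": b"alice-pw"})
    nas = NAS({"corp.example": corp}, {"carol": b"carol-pw"})
    print(nas.dial_in(Client("alice@corp.example", b"alice-pw")))   # ('vdu', True, 1)
    print(nas.dial_in(Client("carol", b"carol-pw")))                 # ('local', True, None)
```

Two properties of the design are worth noticing in the model: the NAS never needs the VDU user's secret, because it forwards the challenge/response pair and lets the home gateway decide, and the tunnel secret is distinct from any user secret, so compromising an ISP-side user database does not yield the key that authenticates the tunnel itself.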