Port reference
Port 1701 (UDP) – L2TP (VPN)
Layer 2 Tunneling Protocol — tunnels PPP for VPNs, typically wrapped in IPsec for encryption.
Default state
Open on VPN concentrators, routers, and firewalls offering L2TP/IPsec remote access, usually alongside IKE on 500/4500.
Common attacks
- Offline cracking of weak IPsec pre-shared keys (PSK)
- Aggressive-mode IKE PSK hash capture
- Unencrypted L2TP traffic when IPsec is absent
- Credential brute force against the PPP/VPN login
Hardening
- Always wrap L2TP in IPsec; never run L2TP alone
- Use strong, unique PSKs or move to certificate auth
- Disable IKE aggressive mode; prefer IKEv2
- Enforce MFA on VPN logins and lock out brute force
- Restrict access and keep the VPN appliance patched
nmap snippet
nmap -sU -p1701 --script l2tp-version <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 1701?
Port 1701 is the Layer 2 Tunneling Protocol (L2TP), used to build VPN tunnels by encapsulating PPP frames between a client and a VPN concentrator. L2TP on its own only tunnels — it has no encryption — so in practice it is deployed as L2TP/IPsec, with IPsec providing confidentiality and the IKE negotiation happening on UDP 500 and 4500.
Why it matters for security
Because L2TP carries no encryption, the security of the VPN rests entirely on the IPsec layer. The weak point is the pre-shared key (PSK): if a short or guessable PSK is used, especially with IKE aggressive mode, an attacker can capture the handshake and crack it offline, then decrypt or join the tunnel. Plain L2TP without IPsec exposes the tunneled traffic in cleartext, and the VPN login is a brute-force target.
How it's attacked
Attackers probe UDP 1701 and the IKE ports, capture an aggressive-mode PSK hash, and crack it offline with a wordlist. Where IPsec is misconfigured or absent, L2TP traffic is read directly. The PPP/VPN credential layer is also hit with brute force and password spraying to gain remote access.
Hardening checklist
Always wrap L2TP in IPsec — never run it alone. Use strong, unique PSKs or move to certificate authentication, disable IKE aggressive mode, and prefer IKEv2. Enforce MFA on VPN logins, apply lockout against brute force, restrict source addresses, and keep the VPN appliance patched. Use the nmap snippet above to fingerprint L2TP on endpoints you are authorized to test.
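To check from captured traffic that a gateway follows this list, a defender can classify UDP payloads seen at the VPN edge. The following is an added example, not part of the original page: it flags IKEv1 aggressive-mode exchanges and L2TP headers that are readable on UDP 1701 (which means the tunnel is not inside ESP). The function names and sample bytes are constructed for illustration, and payloads are assumed to be already extracted from a capture.

```python
import struct

# IKEv1 exchange types from RFC 2408; type 4 is aggressive mode.
IKEV1_EXCHANGE = {2: "main", 4: "aggressive", 5: "informational"}
ALERT_ON = {"ikev1-aggressive", "l2tp-cleartext-control", "l2tp-cleartext-data"}

def classify_ike(data: bytes) -> str:
    """Name the IKE version and exchange from the fixed 28-byte header."""
    if len(data) < 28:
        return "ike-malformed"
    version, exchange = data[17], data[18]   # major version is the high nibble
    if version >> 4 == 2:
        return "ikev2"
    if version >> 4 == 1:
        return "ikev1-" + IKEV1_EXCHANGE.get(exchange, f"exchange-{exchange}")
    return "ike-malformed"

def classify_l2tp(data: bytes) -> str:
    """Parseable L2TPv2 header on UDP 1701; the T bit marks control messages."""
    if len(data) < 6 or data[1] & 0x0F != 2:  # Ver nibble is 2 for L2TPv2
        return "l2tp-malformed"
    return "l2tp-cleartext-control" if data[0] & 0x80 else "l2tp-cleartext-data"

def classify(port: int, payload: bytes) -> str:
    if port == 1701:
        return classify_l2tp(payload)
    if port == 500:
        return classify_ike(payload)
    if port == 4500:                          # NAT-T framing, RFC 3948
        if payload[:4] == b"\x00" * 4:        # zero non-ESP marker precedes IKE
            return classify_ike(payload[4:])
        return "esp-in-udp" if len(payload) >= 8 else "natt-keepalive-or-short"
    return "other"

def ike_header(version: int, exchange: int) -> bytes:
    """Constructed sample: bare IKE header with a made-up initiator cookie."""
    return struct.pack(">8s8sBBBBII", b"EXAMPLE1", b"\x00" * 8, 0, version, exchange, 0, 0, 28)

# Constructed sample traffic as (port, payload); the L2TP bytes are an SCCRQ.
SAMPLES = [
    (500, ike_header(0x10, 4)),
    (4500, b"\x00" * 4 + ike_header(0x20, 35)),
    (4500, bytes.fromhex("c0ffee0100000001") + b"\x00" * 16),
    (1701, bytes.fromhex("c802001400000000000000008008000000000001")),
]

def alerts(samples):
    """Return the classifications that contradict the hardening list."""
    return [c for c in (classify(p, d) for p, d in samples) if c in ALERT_ON]
```

On a correctly configured L2TP/IPsec gateway the capture should show only IKE and ESP, so any `l2tp-cleartext-*` or `ikev1-aggressive` result is worth investigating.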
Frequently asked questions
- Does L2TP encrypt traffic on its own?
  No. L2TP only tunnels; it provides no confidentiality. It is paired with IPsec (L2TP/IPsec) on ports 500/4500 for the actual encryption. L2TP alone is plaintext.
- Is L2TP/IPsec secure?
  It can be, with a strong pre-shared key or certificate auth, IKEv2, and aggressive mode disabled. Weak PSKs are crackable offline, so prefer certificates and MFA.