Layer 2 Tunneling Protocol (L2TP) is a VPN protocol that does not provide any encryption to traffic that passes through it. As such, IPSec encryption is added to fill the holes.
Note, however, that the L2TP protocol uses UDP port 500, if I am not mistaken, which is more easily blocked by NAT firewalls and may therefore require advanced configuration such as port forwarding when used behind a firewall (unlike SSL, which can use TCP port 443 to make it indistinguishable from normal HTTPS traffic).
The L2TP payload is encrypted using the standardized IPSec protocol: RFC 4835 specifies either the 3DES or AES encryption algorithm for confidentiality. IVPN uses the AES algorithm with 256-bit keys.
The reasons why L2TP/IPSec is less secure are twofold:
1st: when IPSec is configured to use pre-shared keys that are made public (common with public VPN services), it is vulnerable to an active Man in the Middle attack (MITM attack). This is not a vulnerability of the IPSec protocol but of the way it is implemented.
2nd reason: Quite some time ago, documents and information were leaked by Edward Snowden in regards to the NSA and the whole thing blew apart, including L2TP protection. He recently appeared on TV in the news, and is still in Russia seeking asylum. Here is the PDF in regards to the L2TP.
Also to note: L2TP/IPSec encapsulates data twice, therefore it is not as efficient as SSL-based solutions (such as OpenVPN and SSTP) and is therefore slightly slower.
Now to compare, OpenVPN uses the OpenSSL library to provide encryption. OpenSSL supports a number of different cryptographic algorithms such as AES and Blowfish.
Bear in mind, however, that the AES, RSA, SHA-1 and SHA-2 ciphers were, I believe, either all developed or certified by the United States National Institute of Standards and Technology (NIST), which, as many know, has worked with the NSA on the development of ciphers.
In any case, OpenVPN uses ephemeral (temporary) key exchanges. With an ephemeral key exchange, a new key is generated for each exchange, and there is no reliance on certificates to establish trust. Even if an attacker or outsider were to obtain the private key of a certificate, the communication could not be decrypted. Nevertheless, MITM attacks can still target an OpenVPN connection if the private key has been leaked/known/obtained.
Some notes just in case some readers do not understand:
RSA: Asymmetric public-key cryptosystem
RSA-2048 key encryption is considered secure, but can be more secure if 3072-bit or 4096-bit RSA encryption is used. RSA-2048 is now the minimum standard for commercial VPN providers.
SHA: Secure Hash Algorithm - a cryptographic hash function used to authenticate SSL connections as well as OpenVPN connections.
If I am not mistaken, OpenVPN only supports SHA-1 and SHA-2 (up to SHA-384), not SHA-3.
Blowfish: 128-bit cipher; if you are just a regular user, it is secure. OpenVPN uses the 128-bit Blowfish cipher by default. Twofish, however, is way better but unsupported in OpenVPN.
Camellia: Non-NIST cipher
AES: Advanced Encryption Standard (128-bit, 192-bit and 256-bit)
As such, one can say that the OpenVPN ciphers are:
Blowfish-128, AES-128, AES-192, AES-256, Camellia-128, Camellia-192 and Camellia-256
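An added example, not part of the original post: a small Python audit that works out which cipher and digest an OpenVPN config actually ends up with, including the Blowfish-128 default mentioned above when no `cipher` line is present. The `-CBC` directive spellings, the SHA1 fallback for `auth`, the "256-bit key and SHA-2" policy and the sample config are assumptions of this example.

```python
import re

# `cipher` directive values for the ciphers listed in the post -> (family, key bits).
KNOWN_CIPHERS = {"BF-CBC": ("Blowfish", 128)}
for tag, family in (("AES", "AES"), ("CAMELLIA", "Camellia")):
    for bits in (128, 192, 256):
        KNOWN_CIPHERS[f"{tag}-{bits}-CBC"] = (family, bits)

# Assumed fallbacks for absent directives (Blowfish-128 per the post; SHA1 auth).
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}

def effective_settings(config_text):
    """Map each audited directive to (value in effect, was it set explicitly)."""
    found = {}
    for line in config_text.splitlines():
        # Drop comments, which start with '#' or ';' at a token boundary.
        parts = re.split(r"\s[#;]", " " + line, maxsplit=1)[0].split()
        if len(parts) > 1 and parts[0] in DEFAULTS:
            found[parts[0]] = parts[1].upper()  # normalised for comparison
    return {k: (found.get(k, d), k in found) for k, d in DEFAULTS.items()}

def audit(config_text):
    """Return findings under this example's policy: 256-bit key, SHA-2 digest."""
    settings, findings = effective_settings(config_text), []
    cipher, explicit = settings["cipher"]
    origin = "set explicitly" if explicit else "default, no cipher line"
    if cipher not in KNOWN_CIPHERS:
        findings.append(f"cipher {cipher}: not in the post's list, review by hand")
    elif KNOWN_CIPHERS[cipher][1] < 256:
        family, bits = KNOWN_CIPHERS[cipher]
        findings.append(f"cipher {cipher}: {family} with {bits}-bit key ({origin})")
    digest, explicit = settings["auth"]
    if digest == "SHA1":
        origin = "set explicitly" if explicit else "default, no auth line"
        findings.append(f"auth SHA1: SHA-1 digest ({origin}); SHA-2 is available")
    return findings

# Constructed sample: the cipher line is commented out, so the default applies.
SAMPLE = """client
remote vpn.example.net 1194 udp
;cipher AES-256-CBC
auth SHA256   # SHA-2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The commented-out `cipher` line in the sample is the case worth noticing: the file looks like it requests AES-256, but the audit reports the fallback cipher instead.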