There are different types of VPN tunnels like L2TP, PPTP, etc. Which VPN tunnel to use?

  • Article

I agree that there are too many tunnel option :), but each has its own advantages/disadvantages and customer scenarios. Let us try to understand that in this blog.

First a basic preview - there are primarily two usage scenarios of VPN: -

First one is for remote access (a client PC trying to access corporate network – like a telecommuter). The PPTP as well as L2TP tunnel (in Microsoft RRAS) supports this scenario.

Second one is for site-to-site access (branch office to head office connectivity). The PPTP, L2TP tunnel (in Microsoft RRAS) and IPSec tunnel mode (in Microsoft ISA) supports this scenario. 

Now comes is the difference between them.  Let us try to understand the main requirements for a VPN scenario: -

            Authentication: PPTP provides user authentication, L2TP provides machine as well as user authentication, and IPSec TM provides machine authentication.  Machine authentication is provided at IPSec level through the use of machine certificates. The user authentication is at PPP layer through username/password or user certificates (smartcard or TLS).

            Dynamic Address Management:  PPTP as well as L2TP relies on PPP IPCP negotiation to hand out the address from responder to initiator. Whereas IPSec TM doesn’t provide this capability (i.e. address of both ends needs to be statically configured).

            Data Encryption (confidentiality): PPTP uses RC4 algorithm (40/56/128 bit) at PPP MPPE layer. L2TP as well as IPSec TM rely on IPSec ESP to provide the confidentiality and supported via 3DES and DES.

            Key management: PPTP generates key during PPP authentication phase, where L2TP and IPSec TM uses IKE.

I am sure I might have confused you further by providing the above data :), but that was not my goal. The bottom line is – if you plan to deploy PKI infrastructure (i.e. certificates), my recommendation is to use L2TP compared to PPTP (L2TP provides machine as well as user authentication, stronger key management) for all scenarios. But if you plan to deploy only user authentication (i.e. don’t plan to deploy machine certificates for any reason) or plan to put VPN server behind a NAT router – PPTP may be your way to go (Note: L2TP clients can work across NAT routers through NAT-T, but not the server behind NAT router). Some customers prefer to deploy PPTP as it requires no PKI infrastructure (i.e. username/password based authentication), but general recommendation is to slowly move towards a PKI based security architecture (as it is stronger).

 

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]