How Automatic Tunnel type works in VPN

From the previous posts in this series, we already know that SSTP (Secure Socket Tunneling Protocol) is a new VPN tunnel type added alongside the existing tunnel types, PPTP and L2TP. With this addition, the meaning of some of the existing tunnel type configuration options has changed, and some new tunnel type configuration options have been added to the existing ones.

This post covers two topics:-
1) The existing options for configuring tunnel types whose behaviour has changed with the addition of SSTP, and the new options that have been added for configuring the tunnel type used when dialing the VPN connection from the client.

2) The time it takes, during connection establishment, to transition from one tunnel type to another when the first one fails to connect.

The above topics are discussed in detail below.

The various new/changed options for configuring tunnel types:-
-------------------------------------------------------------------------------------------
[1] With a VPN connection created using the "Connect to a network" wizard :-
With the addition of SSTP, the existing tunnel type "Automatic" means that PPTP will be tried first; if that fails, L2TP is tried, and then SSTP, i.e., PPTP->L2TP->SSTP.

[2] With VPN connections created by CMAK (Connection Manager Administration Kit):-
With the addition of SSTP, a CMAK based connectoid accepts two new values for the VpnStrategy field in the .CMS file. The significance of these values is as follows:-

- VpnStrategy=5 :- This means "SSTP Only". In this case, only the SSTP based tunnel will be tried.

- VpnStrategy=6 :- This means "SSTP First". In this case, SSTP will be tried first, followed by PPTP and then L2TP, i.e., SSTP->PPTP->L2TP.

Timings for transition from one tunnel type to another:-
---------------------------------------------------------------------------------
Consider the scenario where a connection is established using a particular tunnel type 'X', the connection is then disconnected, and the connection is retried with the "Automatic" tunnel type and gets established using a different tunnel type 'Y' (where 'Y' is not equal to 'X') because the other tunnel types are blocked/disabled on the server. This section specifies the approximate time taken to switch from tunnel type 'X' to tunnel type 'Y'.

| Current Tunnel Type (X) | Final Tunnel Type (Y) | Tunnel Protocols blocked on server | Tunnel Protocols enabled on server | Switching Time taken |
|---|---|---|---|---|
| PPTP | L2TP | PPTP | L2TP, SSTP | 21 Sec |
| L2TP | PPTP | L2TP | PPTP, SSTP | 36 Sec |
| PPTP | SSTP | PPTP, L2TP | SSTP | 57 Sec |
| SSTP | PPTP | SSTP | PPTP, L2TP | 21 Sec |
| L2TP | SSTP | L2TP, PPTP | SSTP | 57 Sec |
| SSTP | L2TP | SSTP, PPTP | L2TP | 43 Sec |

Things to note here :-
1) If there is currently no established VPN connection and a connection is attempted with the tunnel type set to "Automatic", the tunnel sequence tried will be the default one, which is PPTP->L2TP->SSTP.

2) If a VPN connection is already established using a particular tunnel type 'X' and this connection is retried with the tunnel type set to "Automatic", the tunnel type tried first is 'X'. To be more specific,

- If PPTP is the current tunnel type, PPTP will be the first tunnel type tried and the sequence of tunnel types tried will be the default one, i.e., PPTP->L2TP->SSTP.

- If L2TP is the current tunnel type, L2TP will be the first tunnel type tried and the sequence of tunnel types tried will be L2TP->PPTP->SSTP.

- If SSTP is the current tunnel type, SSTP will be the first tunnel type tried and the sequence of tunnel types tried will be SSTP->PPTP->L2TP.
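The following Python script is an added example, not code from the original post or from the RRAS product; it models the ordering rules stated above (the "Automatic" sequences from the notes in this section and the VpnStrategy values 5 and 6 from the CMAK section) and simulates which tunnel type the client ends up on once the server has blocked some of them. The function and variable names are the author's own assumptions; the model does not talk to a real server and does not reproduce the measured switching times, it only counts how many failed attempts precede the successful one, which is what those times are made of.

```python
"""Model of the client tunnel-type ordering rules from the RRAS post (added example)."""

PPTP, L2TP, SSTP = "PPTP", "L2TP", "SSTP"

# Default "Automatic" order when no VPN connection is currently established.
DEFAULT_ORDER = [PPTP, L2TP, SSTP]

# Sequences tried by "Automatic" when a connection using tunnel type X is retried.
# Hypothetical table name; the orderings themselves are the ones given in the post.
AUTOMATIC_AFTER_CURRENT = {
    None: DEFAULT_ORDER,          # no established connection
    PPTP: [PPTP, L2TP, SSTP],
    L2TP: [L2TP, PPTP, SSTP],
    SSTP: [SSTP, PPTP, L2TP],
}

# VpnStrategy values for the .CMS file described in the CMAK section.
# 5 = "SSTP Only", 6 = "SSTP First".  Only these two (new) values are modelled here.
VPN_STRATEGY_ORDER = {
    5: [SSTP],
    6: [SSTP, PPTP, L2TP],
}


def automatic_order(current=None):
    """Return the tunnel types "Automatic" will try, in order, given the current tunnel type."""
    try:
        return list(AUTOMATIC_AFTER_CURRENT[current])
    except KeyError:
        raise ValueError(f"unknown tunnel type {current!r}") from None


def strategy_order(vpn_strategy):
    """Return the tunnel order for a CMAK VpnStrategy value (only 5 and 6 are modelled)."""
    if vpn_strategy not in VPN_STRATEGY_ORDER:
        raise ValueError(f"VpnStrategy={vpn_strategy} is not one of the modelled values (5, 6)")
    return list(VPN_STRATEGY_ORDER[vpn_strategy])


def negotiate(order, enabled_on_server):
    """Simulate the client walking the order until the server accepts a tunnel type.

    Returns (chosen_tunnel, failed_attempts); chosen_tunnel is None if every
    type in the order is blocked on the server.  The server's enabled set, not
    the client's preference, decides the outcome.
    """
    enabled = set(enabled_on_server)
    failed = 0
    for tunnel in order:
        if tunnel in enabled:
            return tunnel, failed
        failed += 1
    return None, failed


def simulate_switch(current, enabled_on_server):
    """Retry an existing connection of type `current` with "Automatic" against a server
    that only allows `enabled_on_server`; mirrors the X -> Y scenario in the table."""
    return negotiate(automatic_order(current), enabled_on_server)


if __name__ == "__main__":
    # Constructed scenarios matching the rows of the switching-time table.
    for current, enabled in [(PPTP, {L2TP, SSTP}), (PPTP, {SSTP}), (SSTP, {L2TP})]:
        chosen, failed = simulate_switch(current, enabled)
        print(f"current={current:4} enabled={sorted(enabled)} -> {chosen} after {failed} failed attempt(s)")
```

Running the script shows why the PPTP->SSTP and L2TP->SSTP rows are the slowest in the table: with "Automatic" the client must exhaust two blocked tunnel types before reaching SSTP, whereas the 21-second rows need only one failed attempt. For an administrator the practical point is the one the table already makes: the set of tunnel protocols enabled on the server is what determines the final tunnel type, so disabling a protocol server-side is effective against clients configured with "Automatic", at the cost of the extra connection time measured above.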

Amit Kumar
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]