Different VPN tunnel types in Windows - which one to use?

Hello Folks,

I am sure you must have experienced VPN Reconnect, a new IKEv2-based VPN tunnel added in Windows 7 that allows automatic and seamless switchover of an active VPN connection when the underlying Internet interface (connection) changes, thus maintaining application persistence.

Isn’t that COOL? Think of a VPN user moving from Wi-Fi to WWAN and back, getting true mobile connectivity to corpnet! Yes it is...

This means the Windows 7 in-built VPN client and the Windows 2008 R2 in-built VPN server (aka RRAS) support the following VPN tunnels:

· PPTP

· L2TP/IPSec

· SSTP

· VPN Reconnect (or IKEv2)

 

I am sure you must be wondering why there are 4 different tunnel types and which one to use in a given scenario. This blog post helps clarify that.

Let us look at the technical specs, which summarize the tunnel features based on different deployment factors:

First, compare on network-related parameters:

| Tunnel Type | OS support | Scenario | IP Addressing | Traversal | Mobility Enabled |
|---|---|---|---|---|---|
| PPTP | XP, 2003, Vista, WS08, W7, WS08 R2 | Remote Access, Site-to-Site | Works over IPv4 network. Relay IPv4 as well as IPv6 traffic on top of tunnel | NAT via PPTP enabled NAT routers | No |
| L2TP/IPSec | XP, 2003, Vista, WS08, W7, WS08 R2 | Remote Access, Site-to-Site | Works over IPv4 as well as IPv6 network. Relay IPv4 as well as IPv6 traffic on top of tunnel | NAT | No |
| SSTP | Vista SP1, WS08, W7, WS08 R2 | Remote Access | Works over IPv4 as well as IPv6 network. Relay IPv4 as well as IPv6 traffic on top of tunnel | NAT, Firewalls, Web Proxy | No |
| VPN Reconnect | W7, WS08 R2 | Remote Access | Works over IPv4 as well as IPv6 network. Relay IPv4 as well as IPv6 traffic on top of tunnel | NAT | Yes |

Now let’s compare on security-related parameters:

Tunnel Type

Authentication