Do we still need PPTP & L2TP/IPsec after Windows 7?

Hi Folks,

Our team member Samir Jain has posted a nice blog on how to decide which tunnel to use or deploy for your scenario. The details are given in his post, "which tunnel to use".

In this blog, I would like to explore the possibility of deprecating the PPTP and L2TP/IPsec VPN tunnels going forward, i.e. after Windows 7. This would leave the in-the-box Microsoft VPN component supporting the SSTP (SSL-based) and IKEv2 (IPsec-based) VPN tunnels.

Please do not panic! This has not happened yet. I am just trying to get your feedback and learn more about your deployment plans going forward.

Why do I think you should migrate to IKEv2/SSTP?

IKEv2 (VPN Reconnect) is a standards-based tunnel that should work with any third-party server, so interoperability should be no less than with PPTP or L2TP. SSTP allows SSL-based firewall traversal, thereby supporting ubiquitous VPN connectivity.

Both tunnels are on par with or better than L2TP/IPsec as well as PPTP in terms of security, performance, connection establishment experience, etc.

IKEv2

1. Does not require client side PKI deployment or pre-shared key.

2. Integrates well with all EAP based methods

3. Leverages the security strength provided by IPsec

4. Better connectivity time compared to L2TP/IPsec

5. Provides mobility switchover support (mobility manager)

Available from Windows 7 & WS08 R2 onwards

SSTP

1. Does not require client side PKI deployment or pre-shared key.

2. Integrates well with all EAP based methods

3. Leverages the security strength provided by SSL protocol

4. Provides firewall traversal

Available from Vista SP1 & WS08 onwards

Why would we like to deprecate PPTP/L2TP?

1. Enables better usability (fewer tunnel choices to confuse admins) and better troubleshooting/diagnostics support

2. Reduces support: reduces the footprint and the number of updates.

3. Better focus from Microsoft: our development team can focus mainly on these two tunnels and on improving the remote access connectivity experience.

I do understand that PPTP is a highly deployed VPN tunnel, followed by L2TP/IPsec, and that Windows 7 will take some time before it is widespread inside organizations (like XP is today). However, we do feel that announcing now and deprecating PPTP/L2TP after Windows 7 would provide ample time for our customers to migrate to SSTP (Vista SP1 & WS08 onwards) and IKEv2 (available Windows 7 & WS08 R2 onwards).

Again, to reiterate: there is no official plan in this direction, and this blog post is purely a feedback-gathering mechanism to hear from our enthusiastic remote access customers about their deployment and migration plans for our newer OS versions supporting the exciting new VPN tunnels.

Please share your feedback, either as a comment or by sending us an email.

Looking forward to hearing back from you.

Cheers,

Abhishek Tiwari

Senior Lead Program Manager, RAS Team,

Windows Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]