Which VPN protocol is right for you?
Creating a VPN server with Windows NT 4.0 is simple, but your choices are limited. The OS offers few administrative options, and PPTP is the only VPN protocol available. Windows 2000 brings improved reliability, scalability, and manageability, and it supports two VPN protocols: in addition to PPTP, Win2K supports the Layer 2 Tunneling Protocol (L2TP). Before you choose a protocol for your server, you should understand how both protocols work and weigh their authentication and encryption features. L2TP offers many improvements over PPTP, but you must understand the enhanced functionality to reap its benefits. Becoming familiar with PPTP and L2TP will help you pick the best VPN configuration for your situation. (For more information about Win2K VPNs, see "Related Articles in Previous Issues," page 26.)
A VPN Primer
A VPN is a secured tunnel from a remote user's computer, through the Internet, to your organization's private network: a pipe laid on top of the existing public network. A VPN gives users secure access to a private network over almost any type of Internet connection. In Microsoft's VPN implementation, the only thing needed between the client computer and the VPN server is an IP-based network. If the VPN client and the VPN server both have an Internet connection, you're all set.
VPNs have saved companies large amounts of money. Instead of paying for costly point-to-point connections, such as T1, ISDN, or frame-relay connections, a company can use its existing public Internet connection. VPNs let any site around the world create secure tunnels to any other site, with little administrative effort. VPNs have revolutionized the way companies communicate, and Microsoft has provided the tools in Win2K to make VPNs flexible and easy to set up.
The PPP Foundation
How different are PPTP and L2TP? If you compared and decoded the data from both protocols against the Open Systems Interconnection (OSI) reference model, you would find one primary similarity: their reliance on the Point-to-Point Protocol (PPP). PPP is the foundation for both VPN protocols and is the protocol that encapsulates the data you transfer (i.e., the payload) as it would travel over a private network. PPTP and L2TP then add another layer of encapsulation to tunnel the payload through a public network.
Table 1 shows the layers in which certain protocols operate within the OSI model. PPP, in the data-link layer of the OSI model, was originally developed to encapsulate data and carry it over point-to-point links. If your company has any type of point-to-point connection, such as a T1 line, your router probably uses PPP encapsulation. You can also use this protocol for asynchronous (i.e., dial-up) connections. Your remote users' Win2K or Windows 9x dial-up settings probably show that their systems dial in to a PPP server.
PPP provides many benefits, such as authentication and compression, that its older cousin, Serial Line Internet Protocol (SLIP), doesn't provide. Two families of PPP subprotocols manage the connection: the Link Control Protocol (LCP) establishes, configures, maintains, and terminates the point-to-point link, and the Network Control Protocols (NCPs) establish and configure the individual network-layer protocols that run over that link. Because each network-layer protocol has its own NCP, you can run Novell IPX and IP simultaneously over one PPP link.
PPP is obviously an important part of PPTP and L2TP. Because PPP carries the network-layer protocol inside its own frame, PPTP and L2TP let remote applications that depend on nonroutable protocols work across the tunnel. At the data-link layer, where PPP does its work, PPTP and L2TP look the same; their similarities end there.
Tunneling
Tunneling protocols such as PPTP and L2TP encapsulate data for transfer from one point to another over a public network. Keep in mind that the tunnel header itself provides no confidentiality: PPTP relies on Microsoft Point-to-Point Encryption (MPPE) on the PPP link, and L2TP relies on IPSec, to encrypt the tunneled data. Before the tunneling encapsulation takes place, the PPP encapsulation occurs.
In the PPP encapsulation, one protocol data unit (PDU) is placed inside another PDU as the data moves down the OSI model. For example, a TCP segment (transport layer) is encapsulated in an IP packet (network layer), which in turn is encapsulated in a PPP frame (data-link layer).
Tunneling protocols are higher-layer protocols that transport encapsulated payloads. The VPN protocol encapsulates the already-encapsulated PPP frame and sends it between the endpoints of the tunnel. When the far endpoint of the tunnel receives the packet, it strips the tunnel header, then the PPP header, and processes the payload.
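The two encapsulation stages described above, built in code as an added example (not code from the article or from Microsoft): a constructed TCP/IP packet is wrapped in a PPP frame and then tunneled the PPTP way (outer IP with protocol 47 and the enhanced GRE header of RFC 2637) and the L2TP way (outer IP, UDP port 1701, and the L2TPv2 header of RFC 2661), and each tunnel packet is parsed back down to the inner packet. The addresses, call and tunnel IDs, and HTTP payload are made up; IP, TCP, and UDP checksums are left at zero and the L2TP packet is shown without its IPSec wrapper, both assumptions made for brevity.

```python
"""Nested encapsulation of PPTP and L2TP data packets, built and parsed.
Added example, not code from the article. Layouts follow RFC 2637 (PPTP
enhanced GRE) and RFC 2661 (L2TPv2). Checksums are zero by assumption and
the L2TP packet is shown without IPSec."""
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPP_PROTO_IP = 0x0021    # PPP protocol number for IPv4
GRE_PROTO_PPP = 0x880B   # GRE protocol type for PPP (RFC 2637)
L2TP_PORT = 1701


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options, checksum left zero (assumption)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def tcp_segment(sport, dport, data):
    """Minimal 20-byte TCP header (PSH|ACK, zero checksum) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data

def ppp_frame(proto, payload):
    """PPP frame as carried in a tunnel: HDLC address 0xFF, control 0x03, protocol, payload."""
    return b"\xff\x03" + struct.pack("!H", proto) + payload

def pptp_encapsulate(outer_src, outer_dst, call_id, seq, ppp):
    """PPTP data packet: outer IP (protocol 47) -> enhanced GRE -> PPP frame."""
    # GRE flags word 0x3001: K (key present) | S (sequence present), version 1.
    # The key field carries the PPP payload length and the PPTP call ID.
    gre = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre

def l2tp_encapsulate(outer_src, outer_dst, tunnel_id, session_id, ppp):
    """L2TP data packet: outer IP -> UDP 1701 -> L2TP header -> PPP frame."""
    # Flags word 0x4002: T=0 (data message), L=1 (length present), version 2.
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), tunnel_id, session_id) + ppp
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp)) + udp

def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total]}

def parse_ppp(frame):
    if frame[:2] != b"\xff\x03":
        raise ValueError("missing PPP address/control bytes")
    return struct.unpack("!H", frame[2:4])[0], frame[4:]

def decapsulate(pkt):
    """Peel the tunnel off a PPTP or L2TP data packet; return tunnel IDs and the inner IP packet."""
    outer = parse_ipv4(pkt)
    p = outer["payload"]
    if outer["proto"] == IPPROTO_GRE:
        flags, ptype, plen, call_id = struct.unpack("!HHHH", p[:8])
        if (flags & 0x0007) != 1 or ptype != GRE_PROTO_PPP:
            raise ValueError("not a PPTP (enhanced GRE v1 carrying PPP) packet")
        off = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)  # S and A fields
        ppp, ids = p[off:off + plen], {"tunnel": "PPTP", "call_id": call_id}
    elif outer["proto"] == IPPROTO_UDP:
        _, dport, ulen, _ = struct.unpack("!HHHH", p[:8])
        if dport != L2TP_PORT:
            raise ValueError("UDP but not L2TP")
        l2tp = p[8:ulen]
        flags = struct.unpack("!H", l2tp[:2])[0]
        if flags & 0x8000 or (flags & 0x000F) != 2:
            raise ValueError("not an L2TPv2 data message")
        off = 2 + (2 if flags & 0x4000 else 0)            # optional Length field
        tunnel_id, session_id = struct.unpack("!HH", l2tp[off:off + 4])
        off += 4 + (4 if flags & 0x0800 else 0)           # optional Ns/Nr fields
        if flags & 0x0200:                                # optional Offset Size plus pad
            off += 2 + struct.unpack("!H", l2tp[off:off + 2])[0]
        ppp, ids = l2tp[off:], {"tunnel": "L2TP", "tunnel_id": tunnel_id, "session_id": session_id}
    else:
        raise ValueError("outer protocol is neither GRE nor UDP")
    proto, inner = parse_ppp(ppp)
    if proto != PPP_PROTO_IP:
        raise ValueError("PPP payload is not IPv4")
    ids["inner"] = parse_ipv4(inner)
    return ids

def demo():
    """Tunnel one constructed TCP/IP packet both ways, parse each back, report header overhead."""
    data = b"GET / HTTP/1.0\r\n\r\n"  # constructed sample payload
    inner = ipv4_header("10.0.0.5", "10.0.0.20", IPPROTO_TCP, 20 + len(data)) + tcp_segment(40000, 80, data)
    ppp = ppp_frame(PPP_PROTO_IP, inner)
    pptp = pptp_encapsulate("203.0.113.7", "198.51.100.1", call_id=5, seq=1, ppp=ppp)
    l2tp = l2tp_encapsulate("203.0.113.7", "198.51.100.1", tunnel_id=9, session_id=3, ppp=ppp)
    overhead = {"PPTP": len(pptp) - len(inner), "L2TP": len(l2tp) - len(inner)}
    return decapsulate(pptp), decapsulate(l2tp), overhead

if __name__ == "__main__":
    for result in demo()[:2]:
        print(result["tunnel"], result["inner"]["src"], "->", result["inner"]["dst"])
```

With these assumed headers, PPTP adds 36 bytes in front of the inner IP packet (20 outer IP, 12 GRE, 4 PPP) and L2TP adds 40 (20 outer IP, 8 UDP, 8 L2TP, 4 PPP). The parser also makes the security point concrete: neither tunnel header hides the inner packet, so without MPPE on the PPP link (PPTP) or IPSec around the UDP datagram (L2TP), anyone on the path can read the payload exactly as decapsulate() does.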