Security
Security is the most important feature of a VPN. All the data coming from clients is traveling through the Internet to the VPN server. This VPN server could be 20 hops away, traveling through five ISPs, and the client's data is handled quite a bit on the way to your company's network. How can you be sure that the data makes it to your VPN server without anyone viewing it? You can employ authentication and encryption.
To provide user authentication, PPTP uses one of several PPP-based authentication protocols, including Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol (MSCHAP) version 1 and version 2, Challenge Handshake Authentication Protocol (CHAP), Shiva Password Authentication Protocol (SPAP), and Password Authentication Protocol (PAP). MSCHAP version 2 and EAP-Transport Layer Security (TLS) are the most secure protocols because they provide mutual authentication, in which both the VPN server and client verify their partner computer's identity. If a client authenticates through any of the other protocols, the server verifies the client's identity, but the client doesn't verify the server's identity.
PPTP encryption ensures that no one can view the data as it travels over the Internet. Microsoft Point-to-Point Encryption (MPPE) negotiates encryption over a PPTP connection and can be used only with MSCHAP (version 1 and version 2) and EAP-TLS. You can employ one of three encryption key strengths with MPPE: 40-bit, 56-bit, or 128-bit. However, if you support a mixed environment of Windows clients, you must use 40-bit keys because older clients don't support longer keys.
PPTP changes the encryption keys with every received packet. MPPE was designed for point-to-point links in which each data packet arrives sequentially and in which few data packets are lost. In such an environment, the encryption key of one packet could depend on the decryption of the previous packet. In a VPN environment, this setup doesn't work because data packets frequently arrive out of sequence. Thus, PPTP decrypts each packet independently of the others and uses a sequence number to alter the encryption keys, so that the decryption process can work without information from the previous packet.
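The stateful-versus-stateless contrast described above, as an added toy model that is not part of the original article and is not MPPE itself: HMAC-SHA256 stands in for the real key-derivation and keystream functions, and the session key and packets are constructed sample data. It shows that the chained scheme breaks as soon as one packet arrives out of order, while the sequence-number scheme decrypts in any order.

```python
import hashlib
import hmac

# Constructed sample data (not from any real session).
SESSION_KEY = b"constructed-session-key"
PLAINTEXTS = [b"packet zero", b"packet one", b"packet two"]


def keystream(packet_key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode under a per-packet key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(packet_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def chained_key(prev_key: bytes, prev_plaintext: bytes) -> bytes:
    """Stateful (point-to-point link) scheme: next key depends on the previous packet's decryption."""
    return hmac.new(prev_key, prev_plaintext, hashlib.sha256).digest()


def sequence_key(seq: int) -> bytes:
    """Stateless (VPN) scheme: key depends only on the session key and the sequence number."""
    return hmac.new(SESSION_KEY, seq.to_bytes(2, "big"), hashlib.sha256).digest()


def send_chained(plaintexts):
    key, out = SESSION_KEY, []
    for seq, pt in enumerate(plaintexts):
        out.append((seq, xor(pt, keystream(key, len(pt)))))
        key = chained_key(key, pt)  # sender advances the key from its own plaintext
    return out


def recv_chained(packets):
    """Receiver must see packets in order; a reordered packet corrupts every later key."""
    key, out = SESSION_KEY, {}
    for seq, ct in packets:
        pt = xor(ct, keystream(key, len(ct)))
        out[seq] = pt
        key = chained_key(key, pt)  # garbage in, garbage key out
    return out


def send_sequence(plaintexts):
    return [(seq, xor(pt, keystream(sequence_key(seq), len(pt)))) for seq, pt in enumerate(plaintexts)]


def recv_sequence(packets):
    """Each packet carries its sequence number, so order of arrival does not matter."""
    return {seq: xor(ct, keystream(sequence_key(seq), len(ct))) for seq, ct in packets}
```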
Although PPTP is reasonably secure, it isn't as secure as L2TP over IPSec. L2TP over IPSec provides user- and computer-level authentication as well as data authentication and encryption.
L2TP over IPSec first uses local computer certificates, which you obtain from a certificate authority (CA), to authenticate both VPN clients and servers. The client and server exchange their certificates to create an IPSec ESP security association (SA).
After L2TP over IPSec completes the computer authentication process, it performs user-level authentication. You can choose any PPP-based authentication protocol, even PAP, which sends the username and password in clear text, and the process is still secure because L2TP over IPSec encrypts the session. However, you can make user authentication more secure by using MSCHAP, which uses encryption keys separate from the computer-level encryption.
Because L2TP over IPSec uses the Triple Data Encryption Standard (3DES) algorithm, its data encryption is much stronger than PPTP's. 3DES is for use only in North America and is designed for high-security environments. If you don't need this level of security (and its associated overhead), you can employ DES, which uses one 56-bit key (3DES uses three 56-bit keys).
L2TP over IPSec not only provides computer-level and user-level authentication and data encryption but also offers data authentication. To accomplish data authentication, L2TP over IPSec uses Hash Message Authentication Code (HMAC) Message Digest 5 (MD5). This hashing algorithm creates a 128-bit hash to authenticate data.
A Simple Choice
PPTP and L2TP offer different functionality. L2TP's design lets you use it over non-IP-based networks, and the protocol establishes tunnel maintenance and control using the same message format and protocols. In contrast, PPTP works only over IP and uses a separate TCP control connection for tunnel maintenance. Although PPTP is secure, L2TP over IPSec provides multiple layers of security, which, if used correctly, can almost guarantee that sensitive company data won't be compromised.
These enhancements make L2TP the VPN protocol of the future. As more IT professionals learn about IPSec and its benefits, L2TP over IPSec will become the VPN protocol of choice. Microsoft has made L2TP setup as easy as a few mouse clicks. So give L2TP a try and get the most from your Win2K license.