Other VPN Protocols: PPTP and L2TP | Inside Network Perimeter Security (2nd Edition)

As stated previously, IPSec is not the only tunneling set of protocols that can offer VPN-type service. At Layer 2, PPTP and L2TP are both popularly implemented VPN protocols. The greatest reason for this is that both are included with Microsoft Windows operating systems, which enjoy the greatest distribution of any operating system to date. This means that a large portion of the deployed computer base has built-in VPN capabilities using PPTP and L2TP. For this reason (and because popular VPN software often goes for as much as $100 per seat), both protocols, especially the newer L2TP, can be effective for VPN solutions in Windows environments. An interesting thing to keep in mind is that neither has inherent encryption capabilities. Encryption must be added to make either a true VPN protocol. Let's take a look at each.

PPTP

PPTP is an outgrowth of PPP, which appeared in computers everywhere with the advent of dial-up Internet access. PPTP, although popularized by Microsoft, was actually designed by a consortium of computer technology vendors, including US Robotics, Ascend, and 3Com. Microsoft's original implementation of PPTP was highly criticized as being insecure by cryptography gurus industrywide, which left a bad taste in the mouths of many IT people. For encryption, PPTP relies on Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 cipher. However, most of the security issues were due to the insecurity of its authentication methodthe Microsoft authentication protocol Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). PPTP has PPP's capability of user authentication using all associated protocols, such as MS-CHAP, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP). Later PPTP implementations from Microsoft that included MS-CHAP version 2 actually resolved most of the aforementioned security issues, making it a much safer bet (although not as well regarded as IPSec) as a VPN protocol.³

PPTP operates through two channels that work together. The first is a control channel that operates on TCP port 1723. This channel sends back and forth all the commands that control the session management features for the connection. The second is an encapsulated data channel that uses a variant of the Generic Routing Encapsulation (GRE) protocol (IP protocol 47), which uses UDP as its transport protocol.⁴ PPP frames are encapsulated and sent using this method. This is the "tunnel" of PPTP. An advantage of the GRE tunnel over a standard IPSec tunnel is that it can encapsulate and carry protocols other than IP. For this reason, GRE tunnels can find their way into environments that are otherwise completely IPSec.

PPTP does have some interesting attributes that can make it useful in particular environments. First, it works without a hitch through NAT because NAT-related changes to the IP layer have no effect on Layer 2 PPTP. Second, it comes integrated with many hardware devices and is available in operating systems; with such high availability, it is more easily deployable in environments that use such products. However, on the downside, because PPTP uses PPP to initiate communications, it can be vulnerable to spoofing and man-in-the-middle attacks.

L2TP

L2TP is defined by RFC 2661. As its name implies, it is a Layer 2 tunneling solution. L2TP is actually a hybrid of two previous tunneling protocolsCisco's Layer Two Forwarding (L2F) protocol and PPTPand combines the best attributes of both. It replaced PPTP as the Layer 2 VPN protocol of choice for Microsoft Windows operating systems as of Windows 2000.

Like PPTP, L2TP uses PPP's user authentication capacities (MS-CHAP, CHAP, EAP, PAP, and so on). Also like PPTP, L2TP has two communication method types: control messages and data transmission "tunnel" messages. The first bit in the PPTP header differentiates these message types (1 for a control message; 0 for a data message). Control messages are given precedence over data messages to ensure that important session administration information gets transmitted as effectively as possible. The concept behind L2TP's operation is similar to PPTP. A control connection is set up for the tunnel, which is then followed by the initiation of an L2TP session. After both are completed, information in the form of PPP frames can begin to traverse the tunnel.⁵

Comparison of PPTP, L2TP, and IPSec

L2TP most commonly uses UDP port 1701 as its transport medium for all its packets. Because UDP is a connectionless protocol, it can actually require less communication overhead (it doesn't require TCP's response traffic to confirm connection) than PPTP, which transports control messages (only) on connection-oriented TCP.

An advantage of L2TP over PPTP or IPSec alone is that it can create multiple tunnels between two hosts. However, its disadvantage is that it relies on PPP and can be victimized by spoofing and man-in-the-middle attacks. Also, like PPTP, it supports the transmission of non-IP protocols, which is an advantage over IPSec. However, unlike PPTP, it does not require IP and TCP as its transmitting protocols. It can use other options such as X.25, Frame Relay, and ATM.

Although L2TP lacks its own encryption capability, it has the potential as a Layer 2 protocol of working in conjunction with IPSec. L2TP can be used to provide a tunnel for transport-mode IPSec traffic. For example, Windows 2000 and Windows XP rely on IPSec as the encryption method for their L2TP tunnels. This combination of IPSec and L2TP can be mutually agreeable because it allows IPSec to supply packet authentication for L2TP control messages, which lack such protection. L2TP offers IPSec multiprotocol transmission capability and multiple tunnel support. Also, the advantage of L2TP's user authentication protocols can be applied to IPSec, which has no such ability of its own.

PPTP and L2TP Examples

Now that we've discussed the details of how PPTP and L2TP tunnels work, let's look at some practical examples of how the technologies can be implemented in common network devices: a Windows XP system and a Cisco PIX firewall.

Client Windows XP Setup

Because L2TP support is integrated by default in Windows XP, setting up client software to support an L2TP VPN is not difficult, as the following steps prove:

1.	Double-click the Network Connections icon in Control Panel and click Create a New Connection to start the New Connection Wizard.
2.	After receiving the splash screen, click Next to continue. For L2TP VPN client access configuration, you will choose the Connect to the Network at My Workplace option button. Click Next to continue.
3.	In the Network Connection window, specify Virtual Private Network Connection. Click Next to continue.
4.	In the Connection Name window, enter a name for the connection. Click Next to continue.
5.	In the VPN Server Selection window, type the hostname or IP address of the entity to which you are connecting. Click Next to continue and then click Finish to save the configuration.
6.	Windows XP should then display a Connect window. Click Properties to alter the default settings.
7.	On the Options tab, select the Dial Another Connection First option if Windows XP needs to establish a dial-up connection before the VPN.
8.	On the Networking tab, change the Type of VPN setting from Automatic to L2TP IPSec VPN. (The only other choice is PPTP VPN.)
9.	The Advanced tab contains settings for Internet Connection Sharing, which allows you to specify that the system you are working on should act as a gateway for other network systems. That way, other systems can gain access to the entity you are connecting through your system. Unless you have a specific need for this type of sharing, do not check the check box.
10.	Review all other settings, such as those for authentication, and confirm that they are appropriate for your needs and environment. When finished, click OK to save the configuration changes.
11.	Windows XP will show the Connect screen again. This is where you will need to specify the logon and password information to authenticate with the L2TP device you are connecting to.

After your authentication information is entered, you are ready to connect. Simply click the Connect button, and the system will attempt to contact the remote system. If the connection fails, it returns an error and waits a predetermined time before redialing. This connection can be reached any time through the Network Connections screen.

Note

The VPN connections that are created, as explained in this section, are for PPTP or L2TP connections specifically. They do not necessarily support IPSec as listed. For IPSec support, see the example in the IPSec section.

Cisco PIX VPDN Setup for PPTP Traffic

In this example, we will specify the commands of interest in a Cisco PIX configuration that is running software version 5.1 or later. We will not go over all the standard configuration commands, just those that pertain to Virtual Private Dial-Up Network (VPDN) support for PPTP connections. VPDN is basically Cisco's way to support non-IPSec, dial-up-type protocols. The protocols are the most popular incarnations of PPP: PPTP, L2TP, and Point-to-Point Protocol over Ethernet (PPPoE), which is popularly used with DSL connections.

To begin our PIX configuration, we need to specify an access list to describe the traffic leaving our network that will need to bypass NAT. PIX firewalls have NAT integrated at the lowest level, and to keep VPN traffic from "breaking," we need to make sure it isn't translated. Here is the access list we will be matching:

 access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

This access list simply says that it will match or allow any IP traffic that has a source address in the 10.0.0.x subnet and a destination address in the 192.168.1.x subnet.

The next section does not specifically relate to VPDN, but it's of interest because it lists our inside and outside interface addresses. This can shed some light on other IP address selections in the rest of this listing:

 ip address outside 172.16.1.2 255.255.255.0 ip address inside 10.0.0.1 255.255.255.0

The outside address or external address in this case is 172.16.1.2 and is using a class C subnet mask. The inside address also uses a class C subnet and is 10.0.0.1.

Our next statement creates an address pool to assign all connecting PPTP clients:

 ip local pool pool4pptp 192.168.1.1-192.168.1.50

The pool name is pool4pptp and the address range is 192.168.1.1-50.

Only one of the next lines is of consequence in our VPDN configuration. The lines contain the NAT settings that will be used on our PIX. The global command lists the range of external addresses that will be used for our NAT pool:

 global (outside) 1 172.16.1.3-172.16.1.4 nat (inside) 0 access-list 101 nat (inside) 1 10.0.0.0 255.255.255.0 0 0

The nat (inside) 1 command shows all IP addresses that should be NAT-translated. The command of interest is the nat (inside) 0 command. This command shows what addresses should bypass NAT. In this case, the addresses are specified by the 101 access list that we looked at previously. Therefore, traffic that has the source address of our internal network and is sent to the addresses used by connected PPTP clients (as stated in our pool) should bypass NAT. Otherwise, if the source address is in our network address range (as stated in the nat (inside) 1 command), NAT it.

The next command simply states that all PPTP traffic should be uniformly allowed access:

 sysopt connection permit-pptp

VPDN will not work without this command.

The next group of settings shows specific configuration options for our VPDN clients. The first line shows the protocols we will allow access through our VPDN configuration. L2TP could also be specified:

 vpdn group 1 accept dialin pptp

The next group of authentication settings shows acceptable protocols to use for PPTP authentication. Only specify the protocols you want to allow:

 vpdn group 1 ppp authentication pap vpdn group 1 ppp authentication chap vpdn group 1 ppp authentication mschap

The next line is what assigns our IP address pool mentioned previously to the connecting PPTP clients:

 vpdn group 1 client configuration address local pool4pptp

The following line chooses where the authentication information is held:

 vpdn group 1 client authentication local

In the example, the PIX will use local authentication. This is not a best practice. Ideally, it is best to have authentication information held outside of the PIX on a separate authentication system such as a RADIUS or TACACS server.

The username line then specifies the local information we alluded to in the last statement:

 vpdn username user password secret

Here, user refers to a username, as defined by the person configuring the PIX, and secret refers to a well-chosen password.

Finally, the enable outside command says that the outside interface can accept VPDN traffic. With this final statement, PPTP traffic will be allowed to traverse our PIX firewall:

 vpdn enable outside