Choosing Between PPTP and L2TP/IPSec

One of the choices to make when you're deploying Windows Server 2003-based VPNs is whether to use L2TP/IPSec or PPTP. Windows XP and Windows 2000 VPN client and server computers support both L2TP/IPSec and PPTP by default. Both PPTP and L2TP/IPSec use PPP to provide an initial envelope for the data and then append additional headers for transport through the Internet. PPTP and L2TP also provide a logical transport mechanism to send PPP payloads and provide tunneling or encapsulation so that PPP payloads based on any protocol can be sent across the Internet. PPTP and L2TP rely on the PPP connection process to perform user authentication and protocol configuration.

There are a few differences between the PPTP and L2TP protocols. First, when using PPTP, data encryption begins after the PPP connection process is completed, so PPP authentication takes place before encryption starts. With L2TP/IPSec, data encryption begins before the PPP connection process by negotiating an IPSec security association.

Second, PPTP connections use MPPE, a stream cipher that is based on the Rivest-Shamir-Adleman (RSA) RC-4 encryption algorithm and uses 40-, 56-, or 128-bit encryption keys. Stream ciphers encrypt data as a bit stream. L2TP/IPSec connections use the Data Encryption Standard (DES), which is a block cipher that uses either a 56-bit key for DES or three 56-bit keys for 3-DES. Block ciphers encrypt data in discrete blocks (64-bit blocks, in the case of DES).

Finally, PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication as well as computer-level authentication using computer certificates.
Advantages of L2TP/IPSec over PPTP

Although PPTP users significantly outnumber L2TP/IPSec users, organizations that seek to improve secured remote connectivity are beginning to implement L2TP/IPSec VPN as their remote and mobile access standard because of its higher level of security and several other benefits. The following are the advantages of using L2TP/IPSec over PPTP:
Advantages of PPTP over L2TP/IPSec

Although L2TP/IPSec is perceived to be more secure than a PPTP VPN session, there are significant reasons why organizations choose PPTP over L2TP/IPSec. The following are advantages of PPTP over L2TP/IPSec:
IPSec functions at a layer below the TCP/IP stack. This layer is controlled by a security policy on each computer and a negotiated security association between the sender and receiver. The policy consists of a set of filters and associated security behaviors. If a packet's IP address, protocol, and port number match a filter, the packet is subject to the associated security behavior.
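The filter matching described above, as an added example (a Python model written for this page, not code from the book or from Windows): each filter pairs an address, protocol and port match with a security behavior, and the policy returns the behavior for a packet. The addresses, the sample filters, the default of permitting unmatched traffic and the rule that the most specific matching filter wins are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard for protocol or destination port

@dataclass(frozen=True)
class Filter:
    src: str          # CIDR the source address must fall in
    dst: str          # CIDR the destination address must fall in
    protocol: object  # "tcp", "udp", "gre" or ANY
    dst_port: object  # integer port or ANY
    action: str       # associated security behavior

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.protocol in (ANY, pkt["protocol"])
                and self.dst_port in (ANY, pkt.get("dst_port")))

    def specificity(self):
        # Longer prefixes and a fixed protocol or port make a filter more specific.
        return (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen
                + (self.protocol is not ANY) + (self.dst_port is not ANY))

def evaluate(policy, pkt, default="permit"):
    """Return the behavior of the most specific matching filter (model assumption)."""
    hits = [f for f in policy if f.matches(pkt)]
    return max(hits, key=Filter.specificity).action if hits else default

# Constructed sample policy for a VPN server at a documentation address.
SERVER = "203.0.113.10/32"
POLICY = [
    Filter("0.0.0.0/0", SERVER, ANY, ANY, "block"),         # anything else to the server
    Filter("0.0.0.0/0", SERVER, "udp", 1701, "negotiate"),  # L2TP: require an IPSec SA
    Filter("0.0.0.0/0", SERVER, "tcp", 1723, "permit"),     # PPTP control connection
    Filter("0.0.0.0/0", SERVER, "gre", ANY, "permit"),      # PPTP tunnelled data
]

def pkt(protocol, dst_port=None, dst="203.0.113.10", src="198.51.100.7"):
    """Build a constructed sample packet as a plain dict."""
    return {"src": src, "dst": dst, "protocol": protocol, "dst_port": dst_port}

if __name__ == "__main__":
    for p in (pkt("udp", 1701), pkt("tcp", 1723), pkt("gre"), pkt("tcp", 445)):
        print(p["protocol"], p["dst_port"], "->", evaluate(POLICY, p))
```

In this model, L2TP traffic on UDP 1701 is the only flow that triggers security association negotiation, while the catch-all filter blocks any other port on the server even though it is listed first.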