Best Practices


  • Use the EAP-TLS authentication protocol for both PPTP and L2TP connections.

  • Use EAP-TLS if a smartcard will be used or if a certificate infrastructure that issues user certificates exists.

  • Use MS-CHAP v2 and enforce strong passwords using Group Policy if you must use a password-based authentication protocol.

  • Use IPSec to provide per-packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (preventing a stream of captured packets from being resent), and data confidentiality (preventing captured packets from being interpreted without the encryption key).

  • L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol.

  • PPTP does not require a certificate infrastructure. L2TP/IPSec requires a certificate infrastructure for issuing computer certificates to the VPN server computer (or other authenticating server) and all VPN client computers.

  • Use PPTP for versions of Windows prior to Windows 2000 and Windows XP.

  • Configure a remote access solution automatically using the Connection Manager Administration Kit for an environment with a hundred or more remote access VPN clients.

  • Use logging sparingly, and only to help identify network problems, because logging remote access activity uses system resources.

  • To minimize the risk of remote-access users bringing viruses and worms into the network, use the Quarantine Client Check utility in the Windows Resource Kit to make sure remote systems meet minimum organizational update policies.

  • Do not leave tracing enabled on multiprocessor computers.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
