Q. For which operating systems and with which protocols does Microsoft provide remote access VPN clients?
A. Microsoft provides Point-to-Point Tunneling Protocol (PPTP)–based remote access clients with Windows 98 (all versions), Windows Millennium Edition (Me), Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. Microsoft provides Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPSec)–based remote access clients with Windows 98, Windows Me, Windows NT Workstation 4.0 (each with Microsoft L2TP/IPSec VPN Client), as well as Windows 2000, Windows XP, and Windows Server 2003.
Q. For which operating systems and with which protocols does Microsoft provide remote access VPN servers?
A. Microsoft supports PPTP-based remote access VPN connections in Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003. Microsoft supports L2TP/IPSec-based remote access VPN connections in Windows 2000 Server and Windows Server 2003.
Q. For which operating systems and with which protocols does Microsoft support site-to-site VPN connections?
A. Microsoft supports PPTP-based site-to-site VPN connections in Windows NT Server 4.0 (with the Routing and Remote Access Service), Windows 2000 Server, and Windows Server 2003. Microsoft supports L2TP/IPSec-based and IPSec tunnel mode site-to-site VPN connections in Windows 2000 Server and Windows Server 2003.
Q. What is the Microsoft plan for VPN support in Windows CE and Pocket PC?
A. Windows CE 3.0 includes PPTP support, including MS-CHAP v2 for authentication. Pocket PC 2002 is based on Windows CE 3.0 and also includes PPTP support. In Pocket PC 2003, VPN support has been expanded to include the use of Extensible Authentication Protocol (EAP) for authentication, as well as support for PPTP and L2TP/IPSec. Microsoft recommends the use of L2TP/IPSec and EAP if strong authentication is needed.
Q. Why does Microsoft continue to support PPTP? Does PPTP have fewer security issues than L2TP/IPSec?
A. PPTP provides a level of security that is suitable for most companies, and, because of the security model it uses, it has benefits that L2TP/IPSec and other IPSec-based VPN solutions don’t have. Even though IPSec offers powerful security features, the deployments are usually more costly and have limitations.
One benefit of PPTP is that it does not require a certificate infrastructure, which many organizations are not ready to deploy. Rather, it relies on a user’s logon credentials to establish trust to connect the tunnel and to create the encryption keys for the session. Additionally, the process for managing user names and passwords is well known.
For customers who want stronger security than user passwords, PPTP can be used with EAP so that smart cards or token cards can be used for authentication. This increases the strength of the encryption key generation and reduces the risk of dictionary attacks. In addition, PPTP can be used with most network address translators (NATs), with no modifications required for either the client or server. IPSec traffic, on the other hand, cannot traverse a NAT unless both the client and server support IPSec NAT traversal (IPSec NAT-T).
Until certificate infrastructure becomes ubiquitous and IPSec product implementations are updated to support IPSec NAT-T, PPTP will remain an important protocol choice for many customers.
Q. Are IPSec-based VPN connections compatible with network address translators (NAT)?
A. For a NAT to function, it must translate either IP addresses or port numbers in the packets it is forwarding. If a NAT translates IP addresses or port numbers for either Internet Key Exchange (IKE) traffic (which is used to negotiate IPSec security associations) or IPSec-protected traffic, the integrity of the packet is invalidated.
To prevent a NAT from translating IPSec traffic, some NATs support IPSec traffic for a single connection through the NAT. Another solution is IPSec NAT traversal (NAT-T), a new standard for allowing Encapsulating Security Payload (ESP)–encapsulated traffic across one or more NATs. IPSec NAT-T is described in the Internet Engineering Task Force (IETF) Internet drafts “UDP Encapsulation of IPSec Packets” (draft-ietf-ipsec-udp-encaps-02.txt) and “Negotiation of NAT-Traversal in the IKE” (draft-ietf-ipsec-nat-t-ike-02.txt). IPSec NAT-T defines changes to IPSec protocols and new Internet Key Exchange messages and payloads that are exchanged between two IPSec NAT-T-capable peers. IPSec NAT-T must be supported by both the client and server.
Windows Server 2003 and Microsoft L2TP/IPSec VPN Client support IPSec NAT-T. Windows 2000 and Windows XP support NAT-T with the proper hotfix applied, which can be found on https://windowsupdate.microsoft.com. The hotfixes for each operating system will be incorporated into Windows 2000 Service Pack 5 (SP5) and Windows XP Service Pack 2 (SP2).
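The UDP encapsulation the answer above refers to gives a defender a simple way to tell what a UDP/4500 datagram is carrying. The following is an added example (it is not part of the Microsoft FAQ and not Microsoft code) that classifies UDP/4500 payloads using the published successor of the cited draft, RFC 3948: an IKE message on port 4500 is prefixed by a four-byte zero "non-ESP marker", a NAT keepalive is a single 0xFF byte, and anything else is an ESP packet whose first four bytes are the (non-zero) SPI. The sample datagrams are constructed here, not captured traffic, and the function and constant names are this example's own.

```python
"""
Classify UDP/4500 (IPSec NAT-T) payloads: ESP, IKE or NAT keepalive.
Based on RFC 3948, the published form of draft-ietf-ipsec-udp-encaps.
Added example; sample datagrams below are constructed, not captured.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: prefixes IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-byte keepalive
IKE_HEADER_LEN = 28                    # ISAKMP/IKE fixed header size


def classify_udp4500(payload: bytes) -> dict:
    """Return a dict describing what a UDP/4500 payload carries."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}

    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "short IKE header"}
        # Initiator SPI, Responder SPI, Next Payload, Version, Exchange Type,
        # Flags, Message ID, Length (network byte order)
        i_spi, r_spi, _next, version, exch, _flags, _msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN]
        )
        return {
            "kind": "ike",
            "initiator_spi": i_spi,
            "responder_spi": r_spi,
            "major_version": version >> 4,
            "exchange_type": exch,
            "length": length,
            # a length field that disagrees with the datagram is worth flagging
            "length_ok": length == len(ike),
        }

    if len(payload) >= 8:
        # ESP header: SPI (4 bytes) + sequence number (4 bytes); SPI 0 is reserved,
        # which is exactly why the zero marker above can never be mistaken for ESP
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "payload_len": len(payload) - 8}

    return {"kind": "malformed", "reason": "too short"}


def summarize(datagrams) -> dict:
    """Count datagram kinds, e.g. for a quick look at one peer's UDP/4500 traffic."""
    counts: dict = {}
    for p in datagrams:
        kind = classify_udp4500(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# --- constructed sample datagrams (not real traffic) ---
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + bytes(range(16))      # SPI, seq, dummy ciphertext
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 2, 0, 0, IKE_HEADER_LEN  # IKEv1 main mode, empty body
)
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, pkt in [("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE), ("keepalive", SAMPLE_KEEPALIVE)]:
        print(name, classify_udp4500(pkt))
    print(summarize([SAMPLE_ESP, SAMPLE_IKE, SAMPLE_KEEPALIVE, SAMPLE_ESP]))
```

The classifier only reads headers; ESP payloads stay opaque, which is the point of running it at a monitoring tap: you can confirm that a NAT-T peer really is exchanging IKE and ESP on port 4500, and spot malformed or inconsistent headers, without any key material.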
Q. I’ve heard that PPTP has many security issues and that new ones are being found all the time. Is this true?
A. Negative analyses of PPTP were published over three years ago. Security analysts identified three problems that were immediately corrected. Since then, no new issues have been cited. The most serious complaint did not concern the implementation of PPTP, but rather it was that the use of a user name and password for VPN connections is not as secure as certificate-based authentication. Microsoft agrees with this conclusion, which is one reason that Windows 2000 Server and Windows Server 2003 support public key infrastructure (PKI) and include a certification authority (CA) service. If you must use user names and passwords, enforce the use of strong passwords. Strong passwords are long (more than eight characters) and contain a random mixture of uppercase and lowercase letters, numbers, and symbols. An example of a strong password is f*3L~qO2>xR3w#4o.
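The strong-password rule stated in the answer above (more than eight characters, with uppercase and lowercase letters, numbers, and symbols) can be enforced before a VPN account is provisioned. The following is an added example, not code from the FAQ or from Microsoft, that checks a candidate password against exactly those stated criteria and reports which ones fail; the rule names and function names are this example's own.

```python
"""
Check a password against the FAQ's stated strong-password criteria:
longer than eight characters, with uppercase, lowercase, digits and symbols.
Added example; the rule names below are this example's own.
"""
import string

MIN_LENGTH = 9  # "more than eight characters"
SYMBOLS = set(string.punctuation)


def password_issues(pw: str) -> set:
    """Return the set of failed rules; an empty set means the password passes."""
    failed = set()
    if len(pw) < MIN_LENGTH:
        failed.add("length")
    if not any(c.isupper() for c in pw):
        failed.add("upper")
    if not any(c.islower() for c in pw):
        failed.add("lower")
    if not any(c.isdigit() for c in pw):
        failed.add("digit")
    if not any(c in SYMBOLS for c in pw):
        failed.add("symbol")
    # "random mixture" cannot be verified mechanically; this checks only composition
    return failed


def is_strong_password(pw: str) -> bool:
    """True when every stated criterion is met."""
    return not password_issues(pw)


if __name__ == "__main__":
    for candidate in ["f*3L~qO2>xR3w#4o", "Pa$5word", "abcdefghij"]:
        print(candidate, "->", sorted(password_issues(candidate)) or "ok")
```

Composition rules of this kind catch the obvious failures; they do not make a guessable word with a capital letter and a trailing digit strong, which is why the answer also recommends certificate-based authentication where it is available.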