Microsoft is supporting L2TP/IPSec as its only native remote access VPN protocol based on IPSec because it remains the only existing interoperable standard that addresses real customer deployment issues. In addition, Microsoft continues to support PPTP for both remote access VPN scenarios and site-to-site scenarios to meet special-needs situations that cannot be addressed with any IPSec-based solution. However, Microsoft customers, the press, and analysts have indicated they would prefer Microsoft to create a single standard VPN client for Windows because doing so would allow for easier deployment, better Windows integration, and better reliability.
As for the future of Microsoft VPN support, Microsoft is working toward stronger Network Access Quarantine Control solutions and integration with Internet Protocol version 6 (IPv6) technologies to enhance the remote user experience. IPv6 will allow for unique and consistent network addressing for every entity on the Internet, thus allowing for new functionality in remote access, mobile computing, and security solutions in peer-to-peer communications. In addition, Microsoft will continue to maintain interoperable standards for Microsoft Windows–based VPN solutions by continuing its work with VPN vendors in the industry.
Customers who plan to use an IPSec-based VPN solution for remote access should seriously evaluate interoperability issues. Because of many factors—the nature of business acquisitions, the need to let contractors and partners access your corporate networks, and the diversity of equipment within company networks—multivendor interoperability for virtual private networking is very important. Although proprietary solutions might work, it is important to consider how virtual private networking will be used over the next one to two years and how your VPN solution choice today affects your overall direction in the future.
Customers planning to use VPNs for business partnering or to support remote access by contract employees who own their own equipment should prefer VPN solutions that are based on interoperable standards and that support user-based authentication, authorization, and accounting. If proprietary implementations of IPSec TM are being considered, carefully evaluate the availability of solutions based on L2TP/IPSec to support interoperability. Customers should also consider how their L2TP/IPSec solution might be complemented by PPTP-based solutions.
Microsoft encourages gateway vendors to implement L2TP/IPSec for remote access VPNs so that Microsoft operating systems that support L2TP/IPSec can connect directly to the vendor’s gateway and other VPN solutions without customers having to change client-side code. Requiring a separate VPN client imposes undue administrative and support overhead on customers.
Microsoft encourages gateway vendors that support other IPSec-based access methods to provide support for L2TP/IPSec as an option to complement IPSec TM for site-to-site configurations, in which multiprotocol and multicast considerations come into play.
Microsoft also recommends that vendors implement or update their PPTP implementations to ensure compatibility with the most recent PPTP security enhancements, as well as to maintain interoperability with Windows-based PPTP clients.