From: Amazon, Brazil
quote: Regards, Paulo Oliveira.
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiple protocol, virtual private networking over public networks such as the Internet. PPTP allows IP traffic to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.
L2TP over IPsec
Layer Two Tunneling Protocol (L2TP) is an industry standard tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. L2TP allows IP traffic to be encrypted, and then sent over any medium that supports point-to-point datagram delivery, such as IP. The Microsoft implementation of the L2TP protocol uses Internet Protocol security (IPsec) encryption to protect the data stream from one VPN server to the other VPN server. IPsec tunnel mode allows IP packets to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.
PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP over IPsec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates or a preshared key.
When choosing between PPTP and L2TP over IPsec site-to-site VPN solutions, consider the following:
- PPTP can be used for site-to-site VPN connections for servers running Microsoft Windows Server® 2003 or Windows® 2000 Server with Routing and Remote Access, or Windows NT® Server 4.0 with the Routing and Remote Access Service (RRAS). PPTP does not require a public key infrastructure (PKI) to issue computer certificates. By using encryption, PPTP-based VPN connections provide data confidentiality. Captured data cannot be interpreted without the encryption key. PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
- L2TP can be used with servers running Windows Server 2003 or Windows 2000 Server operating systems. When both types of servers are used, a PKI is required to issue computer certificates to all routers. Servers running Windows Server 2003 operating systems additionally support a single preshared key configured on the answering server and all calling servers. By using IPsec, L2TP over IPsec VPN connections provide data confidentiality, data integrity, and data origin authentication.
IPsec tunnel mode
When Internet Protocol security (IPsec) is used in tunnel mode, IPsec itself provides encapsulation for IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with other routers, gateways, or end systems that do not support L2TP over IPsec or PPTP VPN tunneling. Interoperability information is provided at the Virtual Private Network Consortium Web site.
Tunneling is the entire process of encapsulation, routing, and then removing the encapsulation. Tunneling wraps, or encapsulates, the original packet inside a new packet. This new packet might have new addressing and routing information, which enables it to travel through a network. When tunneling is combined with data confidentiality, the original packet data (as well as the original source and destination) is not revealed to those listening to traffic on the network. After the encapsulated packets reach their destination, the encapsulation is removed, and the original packet header is used to route the packet to its final destination.
The tunnel itself is the logical data path through which the encapsulated packets travel. To the original source and destination peer, the tunnel is usually transparent and appears as another point-to-point connection in the network path. The peers are unaware of any routers, switches, proxy servers, or other security gateways between the tunnel's beginning point and the tunnel's endpoint. When tunneling is combined with data confidentiality, it can be used to provide a VPN.
The encapsulated packets travel through the network inside the tunnel. In this example, the network is the Internet. The gateway might be an edge gateway that stands between the outside Internet and the private network. The edge gateway can be a router, firewall, proxy server, or other security gateway. Also, two gateways can be used inside the private network to protect traffic across untrusted parts of the network.
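To make the tunnelling steps above concrete, and to show the practical difference between confidentiality alone (what the page describes for PPTP) and confidentiality with integrity and origin authentication (L2TP over IPsec), here is an added Python example. It is not code from the original page or from Microsoft's PPTP or IPsec implementation: it uses a toy SHA-256 keystream in place of a real cipher and HMAC-SHA256 as the integrity check, and the packet layout, keys and addresses are all constructed for the demo. It adds and removes the outer gateway-to-gateway header, and shows that a packet altered in transit is accepted silently by the confidentiality-only tunnel but rejected by the tunnel that carries an integrity tag.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo keys: separate keys for confidentiality and integrity, as
# real protocols do. Not related to any MPPE or IPsec key material.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-integrity-key").digest()
NONCE_LEN = 8
TAG_LEN = 32


def keystream(key, nonce, length):
    """Toy counter-mode keystream from SHA-256; a stand-in for a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, nonce, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_inner_packet(src, dst, payload):
    """Original packet: 4-byte src, 4-byte dst, 2-byte payload length, payload."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack(">H", len(payload)) + payload)


def parse_inner_packet(pkt):
    src = str(ipaddress.ip_address(pkt[0:4]))
    dst = str(ipaddress.ip_address(pkt[4:8]))
    (length,) = struct.unpack(">H", pkt[8:10])
    return src, dst, pkt[10:10 + length]


def encapsulate(gw_src, gw_dst, inner, nonce, with_integrity):
    """Wrap the encrypted original packet in a new outer header addressed gateway to gateway."""
    outer = ipaddress.ip_address(gw_src).packed + ipaddress.ip_address(gw_dst).packed
    body = nonce + xor_crypt(ENC_KEY, nonce, inner)
    if with_integrity:
        # Encrypt-then-MAC: the tag covers everything the receiver will act on.
        return outer + body + hmac.new(MAC_KEY, outer + body, hashlib.sha256).digest()
    return outer + body


def decapsulate(tunnel_pkt, with_integrity):
    """Strip the outer header, check the tag if the tunnel carries one, decrypt,
    and return the inner packet (or None when the integrity check fails)."""
    outer, rest = tunnel_pkt[:8], tunnel_pkt[8:]
    if with_integrity:
        rest, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, outer + rest, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # drop: not proven unmodified or from the expected peer
    nonce, ciphertext = rest[:NONCE_LEN], rest[NONCE_LEN:]
    return parse_inner_packet(xor_crypt(ENC_KEY, nonce, ciphertext))


def flip_byte(data, index):
    """Simulate a packet altered somewhere along the tunnel path."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


def run_demo(with_integrity):
    """Send one packet through the tunnel, once unchanged and once altered in transit.
    Returns (result for the unchanged packet, result for the altered packet)."""
    inner = build_inner_packet("10.1.0.5", "10.2.0.9", b"private data")  # constructed private addresses
    nonce = b"\x00" * NONCE_LEN  # fixed nonce for a reproducible demo only
    tunnel_pkt = encapsulate("203.0.113.1", "198.51.100.7", inner, nonce, with_integrity)
    altered = flip_byte(tunnel_pkt, 8 + NONCE_LEN + 10)  # first byte of the encrypted payload
    return decapsulate(tunnel_pkt, with_integrity), decapsulate(altered, with_integrity)


if __name__ == "__main__":
    for mode in (False, True):
        good, bad = run_demo(mode)
        print("integrity" if mode else "confidentiality only", "->", good, bad)
```

In the confidentiality-only run the altered packet decrypts without any error and the receiving site gets data that differs from what was sent, which is exactly the gap the page notes for PPTP; in the integrity run the receiver discards it. The outer header is included under the tag so that a rewritten outer address is also caught.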
For more information about IPsec tunnel mode, see "IPSec Technical Reference" at the Microsoft TechNet Web site.
When you create a remote site network that uses the IPsec tunneling protocol, the Microsoft Firewall service modifies the IPsec filters on the computer when the Firewall service restarts. This process can take up to several minutes, depending on the number of subnets included in the address ranges for the network. To minimize the effect, we recommend that you define IP address ranges that are aligned on subnet boundaries.
Authentication
IPsec tunnel mode and L2TP over IPsec can use either preshared keys or certificates to authenticate incoming VPN connections. Because certificates are more secure than preshared keys, we recommend that authentication for L2TP over IPsec and IPsec tunnel mode VPN connections use certificate authentication.
For security reasons, we recommend the use of a dedicated private certification authority (CA) for certificates that will be used for IPsec authentication, because IPsec does not match the name in the certificate to the name of the site: any certificate issued by the same trusted CA is sufficient for authentication. For more information about security considerations for site-to-site VPN connections, see "Security Hardening and Administration Guide" at the Microsoft TechNet Web site.
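Returning to the earlier note that address ranges for a remote site network should be aligned on subnet boundaries: the following Python script is an added example, not part of the original page or of the Firewall service. It assumes only what the page states, that the filter work grows with the number of subnets a range covers, and uses the standard ipaddress module to count the CIDR subnets an inclusive range decomposes into, flag misaligned ranges, and propose the smallest single aligned subnet that would contain one. The sample ranges are constructed.

```python
import ipaddress


def range_to_subnets(first, last):
    """Decompose an inclusive address range into the minimal list of CIDR subnets
    that cover it exactly; this count is what drives per-subnet filter work."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def is_subnet_aligned(first, last):
    """True when the range is exactly one subnet (it starts and ends on its boundaries)."""
    return len(range_to_subnets(first, last)) == 1


def smallest_aligned_supernet(first, last):
    """Smallest single subnet that contains the whole range: a candidate aligned
    replacement to review, since it may include addresses outside the original range."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(start.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{start}/{prefix}", strict=False)
        if end in net:
            return str(net)
    raise ValueError("range is not representable")  # unreachable for valid input


def report(ranges):
    """For each (first, last) range: label, subnet count, aligned flag, aligned alternative."""
    return [(f"{first}-{last}",
             len(range_to_subnets(first, last)),
             is_subnet_aligned(first, last),
             smallest_aligned_supernet(first, last))
            for first, last in ranges]


if __name__ == "__main__":
    # Constructed sample address ranges for a remote site network.
    sample = [
        ("10.0.0.0", "10.0.1.255"),        # aligned: exactly one /23
        ("10.0.0.1", "10.0.1.254"),        # off by one at each end: 16 subnets
        ("192.168.10.0", "192.168.11.127"),  # two subnets
    ]
    for row in report(sample):
        print(row)
```

The second sample shows the cost of a range that merely trims the network and broadcast addresses: it decomposes into sixteen subnets where the aligned /23 is one, so it is worth checking a range definition this way before creating the remote site network and restarting the Firewall service.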
Microsoft Premier Field Engineer (PFE)