With Windows NT 4.0, setting up a VPN server is straightforward, but your options are constrained. The sole supported VPN protocol is PPTP, and the OS doesn’t provide many administrative choices. Improved management, scalability, and dependability are all features of Windows 2000, which also supports two VPN protocols. Win2K supports the Layer 2 Tunneling Protocol in addition to PPTP (L2TP). You should be familiar with how both protocols operate and take into account their authentication and encryption capabilities when deciding which protocol to employ to set up your server. L2TP has several advantages over PPTP, but in order to take use of them, you must be familiar with the new capability. It will be easier for you to choose the ideal VPN setup for your needs if you are familiar with PPTP and L2TP. (See “Related Articles in Previous Issues,” page 26 for additional details concerning Win2K VPNs.)
A VPN primer
A VPN is a protected pipe built on top of the current public network that connects a remote user’s computer straight across the Internet to your company’s private network. Almost any sort of Internet connection may provide users with safe access to a private network using a VPN. An IP-based network is all that is required for Microsoft’s VPN implementation between the client computer and the VPN server. You’re good to go if both the VPN server and client have an Internet connection.
VPNs have helped businesses save a lot of money. A business can use its current public Internet connection in place of paying for pricey point-to-point connections like T1, ISDN, or frame-relay connections. With minimal administrative work, VPNs enable any site to construct secure tunnels to any other site. VPNs have completely changed how businesses interact, and Microsoft has given Win2K the features necessary to make VPNs adaptable and simple to set up.
The Foundation of PPP
How dissimilar are L2TP and PPTP? One key commonality would emerge if you were to compare and decode the data from both protocols using the Open System Interconnection (OSI) reference model: their dependency on the Point-to-Point Protocol. The payload—the data you send across a private network—is encapsulated by the PPP protocol, which serves as the basis for both VPN protocols. The payload is then tunneled across a public network using PPTP or L2TP by adding an additional layer of encapsulation.
Table 1 lists the OSI model layers at which specific protocols function. PPP was first created for point-to-point communications in the data-link layer of the OSI architecture to encapsulate and transport data. Your router most likely employs PPP encapsulation if your business has any sort of point-to-point connection, such a T1 line. This protocol can also be used for asynchronous (dial-up) connections. Most likely, the dial-up settings for your distant users’ Windows 2K or Windows 9x PCs indicate that they are connecting to a PPP server.
In contrast to its more established relative, Serial Line Internet Protocol (SLIP), PPP offers various advantages, such as authentication and compression. A subset of PPP protocols controls how connections are made: A point-to-point connection is established, configured, maintained, and terminated using the PPP Link Control Protocol (LCP). Different network-layer protocols are established and configured using the PPP Network Control Protocol (NCP). Over a single PPP link, you may run both Novell IPX and Microsoft IP simultaneously.
PPP is undoubtedly a crucial component of PPTP and L2TP. Running remote apps that rely on nonroutable protocols is possible with PPP when using PPTP or L2TP. The physical and data-link layers are the same for both PPTP and L2TP, but that is where their similarities end.
Tunneling
Data is often encapsulated and encrypted while being sent between two points over a public network using tunneling protocols like PPTP and L2TP. The PPP encapsulation occurs first, though, before the tunneling encapsulation.
An additional protocol data unit (PDU) is inserted within the first PDU as it descends the OSI model in the PPP encapsulation. For instance, IP (in the network layer) encapsulates TCP (in the transport layer), which is encapsulated by PPP (in the transport layer) (in the data-link layer).
Higher-layer protocols known as tunneling protocols move payloads that have been encapsulated. The payload is sent between the tunnel’s endpoints by the VPN protocol, which then encapsulates the already-encapsulated payload. After receiving the payload, the tunnel’s far endpoint decapsulates and processes it.
Reliable PPTP
For transmission across an IP-based network, the PPTP protocol wraps IP packets. PPTP clients establish a PPTP control connection for a tunnel using the destination TCP port 1723. This procedure happens at the transport layer. Following the creation of a tunnel, the host and client communicate by exchanging PPTP control-connection packets. PPTP Echo-Request and PPTP Echo-Reply messages are the main components of these control-connection packets.
PPTP employs a connection for data tunneling in addition to the control connection it uses for tunnel management. In contrast to how it operates in a regular data transmission, data encapsulation operates differently in a tunneling scenario (e.g., Telnet data transfer). In reality, there are two stages of encapsulation for tunneled data. Data goes through each tier of the OSI architecture, from the application layer to the data-link layer, to generate the PPP payload. The data goes back up the OSI model when the payload is created, and higher-layer protocols contain the payload.
The protocol is unable to convey the payload when the data reaches the transport layer since the data-link layer is responsible for that action. The Layer 2 tasks typically performed by PPP at Layer 2 are handled by PPTP, which also adds a PPP header and trailer to the PPTP data structure. The payload is encrypted by PPTP before being wrapped in a PPP header and placed into a frame at the data-link layer. The PPP frame is subsequently enclosed by PPTP in a Generic Routing Encapsulation (GRE) packet, which works at the network layer. IP networks may use GRE to encapsulate Layer 3 protocols like IPX, AppleTalk, and DECnet, however it is unable to establish sessions or offer security. In order to offer session setup and security, you utilize a PPTP control connection. PPTP can only be used with IP-based networks when GRE is used as the encapsulation technique.
PPTP wraps the PPP frame with an IP header after enclosing it in a GRE header. The packet’s source and destination addresses are included in this IP header. PPTP also includes a PPP header and trailer. The data format for PPTP tunneled data is seen in Figure 1.
The data is subsequently transmitted through the tunnel by the source system. The target system removes all headers and trailers from the data before it reaches the PPP payload.
The Most Recent Arrival
The Layer 2 Forwarding (L2F) protocol and PPTP are combined to create L2TP. PPP and SLIP are used in PPTP and L2F tunnels, respectively. In order to minimize confusion and interoperability issues in the market when Cisco Systems developed L2F, the Internet Engineering Task Force (IETF) instructed the business to integrate PPTP and L2F into one protocol. The greatest qualities of PPTP and L2F are allegedly included in L2TP.
L2TP has the advantage of operating on networks that are not IP-based, such as frame-relay, X.25, and asynchronous transfer mode (ATM) networks. However, because Win2operating K’s system only supports IP, you are unable to take use of this advantages.
L2TP employs the same message format for data tunneling and tunnel maintenance. For L2TP, UDP is the preferred transport-layer protocol. Sequencing assures data delivery in Microsoft’s L2TP implementation, which sends control messages as encrypted PPP payloads over IP as UDP packets. A Next-Received field and a Next-Sent field are included in L2TP messages, and they are analogous to TCP’s Acknowledgement Number field and Sequence Number field, respectively.
The PPP payload is where L2TP data tunneling starts, same as PPTP. In order to create an L2TP-encapsulated packet, L2TP wraps the PPP payload in both a PPP and an L2TP header. This packet is then encapsulated using UDP. The source and destination ports for L2TP both utilize UDP port 1701. L2TP may encrypt the UDP message, add an IPSec Encapsulating Security Payload (ESP) header and trailer, an IPSec Authentication trailer, and other IPSec-related components, depending on the IP Security (IPSec) policy you’ve chosen. The source and destination addresses are then included in an IP header that L2TP uses to encapsulate this IPSec packet. The data is then prepared for transmission by L2TP using a second PPP encapsulation. The L2TP tunneled data’s data structure is seen in Figure 2.
The PPP header, trailer, and IP header are processed by the destination computer once it has received the data. The computer authenticates the IP payload using the IPSec Authentication trailer, and then utilizes the IPSec ESP header to decode the packet.
The L2TP header is then used by the computer to identify the L2TP tunnel after processing the UDP header. The server either processes the PPP payload or passes it to the correct recipient as the sole remaining data.
Security
The most crucial component of a VPN is security. All client data that is sent to the VPN server is sent via the Internet. The client’s data gets handled quite a bit on the way to your company’s network from this VPN server, which may be 20 hops distant and routed via five ISPs. How can you be certain that the data reaches your VPN server without being seen by anyone? Both authentication and encryption are options.
One of the PPP-based authentication protocols, such as Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol (MSCHAP) version 1 and version 2, Challenge Handshake Authentication Protocol (CHAP), Shiva Password Authentication Protocol (SPAP), and Password Authentication Protocol, is used by PPTP to provide user authentication (PAP). The most secure protocols are MSCHAP version 2 and EAP-Transport Layer Security (TLS), which offer mutual authentication via which the VPN server and client may both confirm the identity of their partner machine. In the event that a client uses one of the other authentication protocols, the server will confirm the client’s identity but not that of the server.
The data is protected from seeing while it is sent over the Internet through PPTP encryption. Only MSCHAP (versions 1 and 2) and EAP-TLS may be used with Microsoft Point-to-Point Encryption (MPPE), which negotiates encryption over a PPTP connection. With MPPE, you may choose either a 40-bit, 56-bit, or 128-bit encryption key strength. The older clients do not accept longer keys, thus if you serve a mixed environment of Windows clients, you must utilize 40-bit keys.
With each received packet, PPTP updates the encryption keys. The MPPE protocol was created for point-to-point networks with little packet loss and consecutive packet arrival. In such a situation, the encryption key for one packet can be dependent on the decoding of the one before it. Because data packets typically arrive out of order in a VPN environment, this configuration is ineffective. In order to enable the decryption process to proceed without knowledge of the preceding packet, PPTP alters the encryption keys using a sequence number and decrypts packets independently of one another.
PPTP is somewhat secure, but not as secure as L2TP over IPSec. In addition to data authentication and encryption, L2TP over IPSec offers user- and computer-level authentication.
L2TP over IPSec first authenticates VPN clients and servers using local computer certificates, which you may get from a certificate authority (CA). An IPSec ESP security association is created by the client and server exchanging certificates (SA).
L2TP over IPSec conducts user-level authentication after completing the machine authentication procedure. The method is secure because L2TP over IPSec encrypts the connection, so you may use any PPP-based authentication protocol—even PAP, which provides the login and password in clear text. However, you may increase the security of user authentication by employing MSCHAP, which employs encryption keys independent of the computer-level encryption.
L2TP over IPSec’s data encryption is substantially more robust than PPTP’s since it employs the Triple Data Encryption Standard (3DES) method. 3DES is intended for high-security situations and is reserved for usage in North America. You can use DES, which employs a single 56-bit key, if you don’t require this level of protection (and its related costs) (3DES uses three 56-bit keys).
Data encryption, computer- and user-level authentication, and data authentication are all features of L2TP over IPSec. Hash Message Authentication Code (HMAC) Message Digest 5 is used by L2TP over IPSec to authenticate data (MD5). The 128-bit hash produced by this hashing technique is used to verify data.
A Simple Option
Different functionality is provided by PPTP and L2TP. L2TP’s architecture enables you to use it over networks that aren’t IP-based, and the protocol creates tunnel maintenance and control by using the same message format and protocols. While PPTP has a separate TCP control connection for tunnel management and only operates over IP, L2TP over IPSec offers a number of levels of protection in addition to PPTP’s single layer of security, which, when utilized properly, may nearly guarantee that important corporate data won’t be compromised.
With these improvements, L2TP becomes the VPN protocol of the future. The preferred VPN protocol will be L2TP over IPSec as more IT workers become aware of IPSec and its advantages. With a few mouse clicks, Microsoft has made setting up L2TP simple. In order to maximize the use of your Win2K license, consider L2TP.
