VPN connection authentication and data encryption

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

VPN connection authentication and data encryption

The Typical (recommended settings) security options that you select on the Security tab result in a predefined set of authentication methods and encryption requirements that are negotiated with the server during a PPP exchange.

The following tables show the authentication and data encryption methods that you can use with each combination of Validate my identity as follows and Require data encryption (disconnect if none) selections. You can also view these settings by making your identity validation and data encryption requirement selections in Typical (recommended settings), and then clicking Settings in Advanced (custom settings).

You may individually enable, configure, and disable these combinations of security settings, by using Advanced (details for all possible settings), but this requires a knowledge of security protocols.

For more information about a specific authentication or data encryption method, click the method in the table. For information about configuring a connection, see Configure a connection to a remote network.

Point-to-Point Tunneling Protocol (PPTP) remote access server

Validate my identity as follows Require data encryption Authentication methods negotiated Encryption enforcement

Require secured password

No

Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Optional encryption (connect even if no encryption)

Require secured password

Yes

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Require encryption (disconnect if server declines)

Smart card

No

Extensible Authentication Protocol (EAP)

Optional encryption (connect even if no encryption)

Smart card

Yes

Extensible Authentication Protocol (EAP)

Require encryption (disconnect if server declines)

Layer Two Tunneling Protocol (L2TP) remote access server

Validate my identity as follows Require data encryption Authentication methods negotiated Encryption enforcement

Require secured password

No

Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Optional encryption (connect even if no encryption)

Require secured password

Yes

Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Require encryption (disconnect if server declines)

Smart card

No

Extensible Authentication Protocol (EAP)

Optional encryption (connect even if no encryption)

Smart card

Yes

Extensible Authentication Protocol (EAP)

Require encryption (disconnect if server declines)

Notes

  • In L2TP VPN connections, data is encrypted by using Internet Protocol Security (IPSec) Encryption.

  • Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPTP VPN connections. Strong (128-bit key) and standard (40-bit key) MPPE encryption schemes are supported.

  • Data is only encrypted by MPPE if MS-CHAP, MS-CHAP┬áv2, or EAP-TLS authentication is negotiated. These are the only authentication protocols that generate their own initial encryption keys. MPPE requires common client and server keys as generated by these types of authentication.

  • MS-CHAP v2 and EAP-TLS are mutual authentication protocols, which means that both the client and the server prove their identities. If your connection is configured to use either MS-CHAP v2 or EAP-TLS as its only authentication method, and the server that you are connecting to does not provide proof of its identity, your connection disconnects. Previously, servers could skip authenticating themselves to clients and simply accept the call. This change ensures that you can configure a connection to connect to the expected server.