Virtual Private Network Connections

Applies To: Windows Server 2008, Windows Server 2008 R2

RRAS connections that cross the Internet (or other shared network) are known as virtual private network (VPN) connections. A VPN connection typically uses a physical link to a local Internet Service Provider (ISP).

A VPN-based answering router always uses a dedicated WAN link to an ISP, such as a T-Carrier, frame relay, DSL, or cable modem link. The answering router’s link to the Internet ensures that the router is available whenever a calling router attempts to establish a connection. The answering router’s Internet-connected interface requires a static IP address, assigned by your local ISP, that the calling router can reach.

A VPN-based calling router might use a permanent WAN link to an ISP, or it might use a temporary link (such as a modem) to the ISP. The temporary link can be either a dial-up link or a PPP over Ethernet (PPPoE) link. The calling router first establishes the dial-up or PPPoE link to the ISP and then establishes the VPN tunnel across the Internet to the answering router. Many broadband ISPs use PPPoE. PPPoE links to the ISP are faster than dial-up links.

To keep data transmission secure, a VPN connection uses PPP user authentication, routes packets encapsulated in a secure tunnel across the Internet, and uses MPPE or IPsec encryption to protect the data portion of the packet. This virtual point-to-point connection emulates a dedicated, private, physical point-to-point connection.

Choosing PPTP or L2TP/IPsec

If you choose a VPN site-to-site connection, you must next decide whether to use PPTP or L2TP/IPsec as the VPN technology. The following table lists some of the factors you need to consider in order to determine whether to deploy a PPTP or an L2TP/IPsec solution. For more information about the security options (user authentication, certificates, and encryption) described briefly in the table, see Choose Security Features.

Windows version

Using PPTP: PPTP is supported by Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server, and most third-party VPN routers.

Using L2TP/IPsec: L2TP/IPsec is supported by Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server, and most third-party VPN routers.

User authentication

Using PPTP: EAP-TLS or MS-CHAP v2 is recommended.

Using L2TP/IPsec: EAP-TLS or MS-CHAP v2 is recommended.

Certificates

Using PPTP: PPTP requires certificates only when using EAP-TLS for user authentication, in which case a user certificate for the calling router and a computer certificate for the authenticating server of the answering router are required.

Using L2TP/IPsec:

  • Using EAP-TLS user authentication with L2TP/IPsec requires a user certificate for the calling router and a computer certificate for the authenticating server of the answering router.

  • For computer-level authentication, L2TP/IPsec supports computer certificates or preshared keys as the authentication method for IPsec. Computer certificate authentication is recommended and requires a computer certificate on both the calling and answering routers.

Encryption

Using PPTP: For a PPTP-based VPN connection, choosing either EAP-TLS or MS-CHAP v2 for user authentication provides MPPE for data encryption.

Using L2TP/IPsec: L2TP/IPsec uses IPsec to provide encryption, replay protection, data integrity, and data origin authentication.

NATs

Using PPTP: In most cases, you can locate PPTP-based calling routers behind a network address translator (NAT), so you can configure a small office or home office (SOHO) network to share a single connection to the Internet. Most NAT devices include a NAT editor that can accurately translate PPTP-tunneled data.

Using L2TP/IPsec: You can use IPsec NAT traversal (NAT-T) to create L2TP/IPsec connections across NATs. Using NAT-T requires running Windows Server 2008 R2 or Windows Server 2008 on the calling and answering routers. With NAT-T, hosts that are hidden behind a NAT can use IPsec to connect to a remote site.

Ease of deployment

Using PPTP: When using MS-CHAP v2 for user authentication, PPTP is cost-effective and easier to deploy than L2TP/IPsec with computer certificates.

Using L2TP/IPsec:

  • When you use computer certificates as the authentication method, L2TP/IPsec requires a certificate infrastructure and, therefore, requires more administration to deploy and maintain than PPTP.

  • Using preshared keys as the authentication method, L2TP/IPsec requires less administrative overhead than L2TP/IPsec with certificates (for initial setup, though not for long-term administration) but more administration than PPTP. Preshared keys are not considered secure, and we recommend that you do not use them. For more information, see Computer-Level Authentication.
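As an added example that is not part of the original page, the following PowerShell script audits the PPP authentication types an RRAS server has enabled against the recommendation above (EAP-TLS or MS-CHAP v2). It is read-only; the exact layout of the "netsh ras show authtype" output is assumed, and the sample output embedded in the script is constructed.

```powershell
# Added example (not from the original page): read-only audit of the PPP
# authentication types an RRAS server accepts, against the recommendation
# above (EAP-TLS or MS-CHAP v2). Nothing is changed on the server.
# Assumption: 'netsh ras show authtype' prints the enabled types one per
# line with the type code as the first token (e.g. "MSCHAPv2", "EAP").

$Recommended = @('EAP', 'MSCHAPv2')
$Weak        = @('PAP', 'SPAP', 'MD5CHAP', 'MSCHAP')   # legacy PPP methods

function Get-RasAuthTypeCodes {
    param([string[]]$NetshOutput)
    # Keep the first token of each line that is a known authentication code.
    $known = $Recommended + $Weak
    foreach ($line in $NetshOutput) {
        $token = ($line.Trim() -split '\s+')[0]
        if ($known -contains $token) { $token }
    }
}

function Test-RasAuthTypes {
    param([string[]]$Codes)
    $findings = @()
    foreach ($code in $Codes) {
        if ($Weak -contains $code) {
            $findings += "Enabled but not recommended: $code"
        }
    }
    if (-not ($Codes | Where-Object { $Recommended -contains $_ })) {
        $findings += 'Neither EAP nor MSCHAPv2 is enabled'
    }
    return $findings
}

# Constructed sample output for offline use; not captured from a real server.
$sample = @(
    'Enabled Authentication Types:',
    '',
    '  Code      Meaning',
    '  ----      -------',
    '  PAP       Password Authentication Protocol',
    '  MSCHAPv2  Microsoft Challenge-Handshake Authentication Protocol version 2',
    '  EAP       Extensible Authentication Protocol'
)
# On a live RRAS server, use the real output instead:
# $sample = netsh ras show authtype
$codes = @(Get-RasAuthTypeCodes -NetshOutput $sample)
Test-RasAuthTypes -Codes $codes
```

Any finding reported for a legacy method such as PAP indicates a configuration that does not match the recommendation in the table and should be reviewed.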

Using both a PPTP connection and an L2TP/IPsec connection

You can deploy both a PPTP solution and an L2TP/IPsec solution at the same time. By default, an RRAS server running Windows Server simultaneously supports both connection types.

You might want to use PPTP for some site-to-site connections and L2TP/IPsec for others. The following table lists some situations in which you might use PPTP or L2TP/IPsec for different connections on the same network.

Typical uses of PPTP

  • To connect from routers that do not have an installed computer certificate.

  • To establish a VPN connection when you want to place routers behind an RRAS NAT or a third-party NAT.

Typical uses of L2TP/IPsec

  • To connect from calling routers that have an installed computer certificate.

  • To enable hosts that are located behind a NAT (because they use private addresses) to use IPsec to connect to a remote site. This is possible because NAT-T can create L2TP/IPsec connections across a NAT.

  • To provide the highest security solution available.

  • To connect from calling routers that use preshared keys (not recommended for security reasons).