Virtual Private Network Connections
Applies To: Windows Server 2008, Windows Server 2008 R2
RRAS connections that cross the Internet (or other shared network) are known as virtual private network (VPN) connections. A VPN connection typically uses a physical link to a local Internet Service Provider (ISP).
A VPN-based answering router always uses a dedicated WAN link to an ISP, such as a T-Carrier, frame relay, DSL, or cable modem link. The answering router's link to the Internet ensures that the router is available whenever a calling router attempts to establish a connection. The answering router's Internet-connected interface requires a static IP address, assigned by your local ISP, that the calling router can reach.
A VPN-based calling router might use a permanent WAN link to an ISP, or it might use a temporary link (such as a modem) to the ISP. The temporary link can be either a dial-up link or a PPP over Ethernet (PPPoE) link. The calling router first establishes the dial-up or PPPoE link to the ISP and then establishes the VPN tunnel across the Internet to the answering router. Many broadband ISPs use PPPoE. PPPoE links to the ISP are faster than dial-up links.
To keep data transmission secure, a VPN connection uses PPP user authentication, routes packets encapsulated in a secure tunnel across the Internet, and uses MPPE or IPsec encryption to protect the data portion of the packet. This virtual point-to-point connection emulates a dedicated, private, physical point-to-point connection.
Choosing PPTP or L2TP/IPsec
If you choose a VPN site-to-site connection, you must next decide whether to use PPTP or L2TP/IPsec as the VPN technology. The following table lists some of the factors you need to consider in order to determine whether to deploy a PPTP or an L2TP/IPsec solution. For more information about the security options (user authentication, certificates, and encryption) described briefly in the table, see Choose Security Features.
Factor | Using PPTP | Using L2TP/IPsec |
---|---|---|
Windows version | PPTP is supported by Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server, and most third-party VPN routers. | L2TP/IPsec is supported by Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server, and most third-party VPN routers. |
User authentication | EAP-TLS or MS-CHAP v2 is recommended. | EAP-TLS or MS-CHAP v2 is recommended. |
Certificates | PPTP requires certificates only when using EAP-TLS for user authentication, in which case a user certificate for the calling router and a computer certificate for the authenticating server of the answering router are required. | |
Encryption | For a PPTP-based VPN connection, choosing either EAP-TLS or MS-CHAP v2 for user authentication provides MPPE for data encryption. | L2TP/IPsec uses IPsec to provide encryption, replay protection, data integrity, and data origin authentication. |
NATs | In most cases, you can locate PPTP-based calling routers behind a network address translator (NAT), so you can configure a small or home office (SOHO) network to share a single connection to the Internet. Most NAT devices include a NAT editor that can accurately translate PPTP-tunneled data. | You can use IPsec NAT traversal (NAT-T) to create L2TP/IPsec connections across NATs. Using NAT-T requires running Windows Server 2008 R2 or Windows Server 2008 on the calling and answering routers. With NAT-T, hosts that are hidden behind a NAT can use IPsec to connect to a remote site. |
Ease of deployment | When using MS-CHAP v2 for user authentication, PPTP is cost-effective and easier to deploy than L2TP/IPsec with computer certificates. | |
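The table above describes the two tunnel technologies in terms of authentication, encryption, and NAT behaviour; on the wire they also have distinct, well-known footprints (PPTP: a TCP 1723 control connection plus GRE-carried PPP frames; L2TP/IPsec: IKE on UDP 500 followed by ESP, or UDP 4500 when NAT-T is in use; plain L2TP is UDP 1701). The following script is an added example, not part of the Microsoft documentation, that classifies peers seen on an answering router's Internet-facing interface from such a footprint. It lets an administrator confirm which technology a given calling router is actually using, whether a NAT-T path was negotiated for a peer behind a NAT, and whether an L2TP tunnel is reaching the Internet interface without IPsec protection. The flow-log format, the addresses, and the helper names (`parse_flows`, `classify_peer`, `classify_flows`) are constructed for this example.

```python
"""
Added example (not Microsoft documentation code): classify VPN peers seen on
an answering router's Internet interface by the transport footprint of each
site-to-site tunnel type. Log format and addresses are constructed.
"""

# Well-known transport footprints of the two VPN technologies in the table.
PPTP_CONTROL = ("tcp", 1723)   # PPTP control connection
GRE = "gre"                     # IP protocol 47, carries PPTP-tunneled PPP frames
IKE = ("udp", 500)              # IKE negotiation that sets up the IPsec SA
IKE_NAT_T = ("udp", 4500)       # IKE and ESP encapsulated in UDP when a NAT is in the path
ESP = "esp"                     # IP protocol 50, carries the L2TP/IPsec payload
L2TP = ("udp", 1701)            # L2TP itself; on the Internet link it should be inside ESP

# Constructed flow-log sample; columns are: proto src dst dport
# (dport is 0 for protocols that have no port, such as GRE and ESP).
SAMPLE_LOG = """\
tcp 203.0.113.10 198.51.100.1 1723
gre 203.0.113.10 198.51.100.1 0
udp 203.0.113.20 198.51.100.1 500
udp 203.0.113.20 198.51.100.1 4500
udp 192.0.2.30 198.51.100.1 500
esp 192.0.2.30 198.51.100.1 0
udp 192.0.2.40 198.51.100.1 1701
"""


def parse_flows(text):
    """Parse the constructed log format into (proto, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport = line.split()
        flows.append((proto.lower(), src, dst, int(dport)))
    return flows


def classify_peer(seen):
    """Label one peer from the set of (proto, dport) pairs it was seen sending.

    Returns (label, notes); notes flag incomplete or unprotected footprints.
    """
    protos = {proto for proto, _ in seen}
    if PPTP_CONTROL in seen or GRE in protos:
        label = "PPTP"
        # A control connection with no GRE usually means an intermediate device
        # is passing TCP 1723 but dropping the tunneled data.
        notes = [] if GRE in protos else ["no GRE seen: PPTP data may be blocked in transit"]
    elif IKE_NAT_T in seen:
        label = "L2TP/IPsec (NAT-T)"
        notes = []
    elif ESP in protos:
        label = "L2TP/IPsec"
        notes = []
    elif IKE in seen:
        label = "L2TP/IPsec"
        notes = ["IKE only: no ESP or NAT-T traffic, so no protected data has flowed yet"]
    elif L2TP in seen:
        # L2TP visible in the clear on the Internet interface is not IPsec-protected.
        label = "L2TP without IPsec"
        notes = ["L2TP seen outside ESP: tunnel is not encrypted or integrity-protected"]
    else:
        label = "unknown"
        notes = []
    return label, notes


def classify_flows(flows):
    """Group flows by source address and classify each peer."""
    by_peer = {}
    for proto, src, _dst, dport in flows:
        by_peer.setdefault(src, set()).add((proto, dport))
    return {peer: classify_peer(seen) for peer, seen in by_peer.items()}


if __name__ == "__main__":
    for peer, (label, notes) in sorted(classify_flows(parse_flows(SAMPLE_LOG)).items()):
        print(f"{peer:15} {label}")
        for note in notes:
            print(f"{'':15}   - {note}")
```

For the constructed sample, 203.0.113.10 is reported as PPTP, 203.0.113.20 as L2TP/IPsec over NAT-T, 192.0.2.30 as L2TP/IPsec, and 192.0.2.40 as L2TP without IPsec. The classifier is deliberately ordered so that evidence of protection (NAT-T or ESP) wins over an IKE-only footprint, and so that a bare UDP 1701 flow is never mistaken for a protected tunnel.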
Using both a PPTP connection and an L2TP/IPsec connection
You can deploy both a PPTP solution and an L2TP/IPsec solution at the same time. By default, an RRAS server running Windows Server simultaneously supports both connection types.
You might want to use PPTP for some site-to-site connections and L2TP/IPsec for others. The following table lists some situations in which you might use PPTP or L2TP/IPsec for different connections on the same network.
VPN Connection Type | Typical Uses |
---|---|
PPTP | |
L2TP/IPsec | |