I am sure you must have experienced VPN reconnect – a new IKEv2 based VPN tunnel that is added in Windows 7 that allows automatic and seamless switchover of an active VPN connection when the underlying Internet interface (connection) changes thus maintaining application persistence.
Isn’t that COOL – like VPN user moving from Wifi to WWAN and back - giving a true mobile connectivity to corpnet ! Yes it is...
This means, Windows7 in-built VPN client and Windows 2008 R2 in-built VPN server (aka RRAS) supports following VPN tunnels:
· VPN Reconnect (or IKEv2)
I am sure you must be wondering what is the need for 4 different tunnel types and which one to use in a given scenario. This blog helps to clarify the same.
Let us look at the technical specs which tries to summarize the tunnel features based upon different deployment factors:
First compare on network related parameters
XP, 2003, Vista, WS08, W7, WS08 R2
Works over IPv4 network
Relay IPv4 as well as IPv6 traffic on top of tunnel
NAT via PPTP enabled NAT routers
Works over IPv4 as well as IPv6 network
Vista SP1, WS08, W7, WS08 R2
W7, WS08 R2
Now lets compare on security related parameters
User authentication via PPP*
Machine authentication via IPSec followed by user authentication via PPP*
DES, 3DES, AES****
Machine or user authentication via IKEv2**
* All PPP based user authentication supports password (MSCHAPv2) as well as certificate (EAP based user certificate in local store or smart-card) authentication
** VPN reconnect supports machine cert based authentication as well as user authentication which can be password based (EAP-MSCHAPv2) or certificate based (EAP based user certificate in local store or smart-card).
*** OS prior to Vista supports 40/56/128 bit RC4 encryption for PPTP. Vista onwards supports 128 bit RC4 based encryption only.
**** OS prior to Vista supports DES, 3DES encryption for L2TP. Vista onwards supports 3DES and AES based encryption.
Note: All the other features like Winlogon over VPN (aka PLAP), Radius connectivity, NAP based health check continue to be supported on all the VPN tunnels.
As you can see from the above table, the different deployment factors (like OS choices, PKI infrastructure) and your deployment needs (like support for firewall traversal, support for mobility, need for machine authentication, remote access or site-to-site access) will finally drive your VPN tunnel choice.
If you will like to simply ignore all technical jargons, a simple rule of thumb can be – use VPN reconnect wherever you can, else configure the fall-back to SSTP. This way you will get secured-uninterrupted-ubiquitous VPN connectivity via IKEv2 tunnel wherever it is possible (i.e. both endpoint supports IKEv2 and IKEv2 traffic is able to pass through between end-points). Else the VPN connectivity will fall-back to SSTP tunnel which can traverse any form of firewalls, NAT, web proxies. In my next post I will discuss further on how the tunnel fallback happens and how to configure the same.
If you are wondering, why I think VPN reconnect is better compared to L2TP – though both are running on top of IPSec, here is my thinking:
· L2TP/IPSec requires machine authentication followed by user authentication. Assuming no-one uses pre-shared key, this puts a restriction of deploying machine certificates on every L2TP based VPN client machine (i.e. need of PKI infrastructure) – which increases the deployment cost.
However, VPN reconnect supports simple password based user authentication (EAP-MSCHAPv2), thereby simplifying the deployment
· VPN reconnect supports IP address persistence in case of underlying link goes down/up or new link comes up – via mobility manager. This way the applications running on top of VPN tunnel sees no break in connectivity (imagine your big download doesn’t stops in between - if underlying wireless link goes down-up).
· VPN reconnect is faster in connection establishment phase (less round-trip-times) compared to L2TP/IPSec.
· Do you need anything more ....
Have a happy remote access journey ...
Senior Program Manager
[This posting is provided "AS IS" with no warranties, and confers no rights.]