Routing and Remote Access Blog

VPN articles - straight from Windows development team

Different VPN tunnel types in Windows - which one to use?


Hello Folks,

 

I am sure you must have experienced VPN Reconnect, a new IKEv2-based VPN tunnel added in Windows 7 that allows automatic and seamless switchover of an active VPN connection when the underlying Internet interface (connection) changes, thus maintaining application persistence.

Isn't that COOL? Think of a VPN user moving from Wi-Fi to WWAN and back, with true mobile connectivity to corpnet throughout! Yes it is...

 

This means the Windows 7 in-built VPN client and the Windows Server 2008 R2 in-built VPN server (aka RRAS) support the following VPN tunnels:

- PPTP
- L2TP/IPSec
- SSTP
- VPN Reconnect (or IKEv2)

 

I am sure you must be wondering why four different tunnel types are needed and which one to use in a given scenario. This blog post helps to clarify exactly that.

 

Let us look at the technical specs, which summarize the tunnel features based upon different deployment factors:

 

First, a comparison on network-related parameters:

| Tunnel Type | OS support | Scenario | IP Addressing | Traversal | Mobility Enabled |
| --- | --- | --- | --- | --- | --- |
| PPTP | XP, 2003, Vista, WS08, W7, WS08 R2 | Remote Access, Site-to-Site | Works over IPv4 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT (via PPTP-enabled NAT routers) | No |
| L2TP/IPSec | XP, 2003, Vista, WS08, W7, WS08 R2 | Remote Access, Site-to-Site | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT | No |
| SSTP | Vista SP1, WS08, W7, WS08 R2 | Remote Access | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT, Firewalls, Web Proxy | No |
| VPN Reconnect | W7, WS08 R2 | Remote Access | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT | Yes |
 

 

Now let's compare on security-related parameters:

| Tunnel Type | Authentication | Data Confidentiality |
| --- | --- | --- |
| PPTP | User authentication via PPP* | RC4*** |
| L2TP/IPSec | Machine authentication via IPSec followed by user authentication via PPP* | DES, 3DES, AES**** |
| SSTP | User authentication via PPP* | RC4, AES |
| VPN Reconnect | Machine or user authentication via IKEv2** | 3DES, AES |
 

Where,

* All PPP-based user authentication supports password (MSCHAPv2) as well as certificate (EAP-based user certificate in the local store or smart card) authentication.

** VPN Reconnect supports machine-certificate-based authentication as well as user authentication, which can be password based (EAP-MSCHAPv2) or certificate based (EAP-based user certificate in the local store or smart card).

*** Operating systems prior to Vista support 40/56/128-bit RC4 encryption for PPTP. Vista onwards supports 128-bit RC4-based encryption only.

**** Operating systems prior to Vista support DES and 3DES encryption for L2TP. Vista onwards supports 3DES- and AES-based encryption.

 

Note: All the other features, like Winlogon over VPN (aka PLAP), RADIUS connectivity and NAP-based health checks, continue to be supported on all the VPN tunnels.

 

Summary:

As you can see from the tables above, the different deployment factors (like OS choices and PKI infrastructure) and your deployment needs (like support for firewall traversal, support for mobility, the need for machine authentication, and remote access versus site-to-site access) will finally drive your VPN tunnel choice.

 

If you would like to simply ignore all the technical jargon, a simple rule of thumb is: use VPN Reconnect wherever you can, else configure the fall-back to SSTP. This way you will get secure, uninterrupted, ubiquitous VPN connectivity via the IKEv2 tunnel wherever it is possible (i.e. both endpoints support IKEv2 and IKEv2 traffic is able to pass between the endpoints). Otherwise the VPN connectivity will fall back to the SSTP tunnel, which can traverse any form of firewall, NAT or web proxy. In my next post I will discuss further how the tunnel fallback happens and how to configure it.
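As an added illustration of the rule of thumb (not part of the original post, and not the Windows 7 tooling it describes), the following PowerShell builds an "IKEv2 first, SSTP as fall-back" client profile and audits existing profiles against the security table above. It assumes the VpnClient module shipped with Windows 8.1 / Server 2012 R2 and later; the server name and connection names are placeholders.

```powershell
# Added example, not from the original post. Requires the VpnClient module
# (Windows 8.1 / Server 2012 R2 or later); the Windows 7 client in the post is
# configured through rasphone.pbk instead. Server and profile names are placeholders.
$Server = 'vpn.corp.example.com'

# Primary tunnel: IKEv2 (VPN Reconnect). EAP gives the password (EAP-MSCHAPv2) or
# user-certificate options from footnote **; 'Required' refuses an unencrypted link.
Add-VpnConnection -Name 'Corp-IKEv2' -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential -Force

# Pin the IPsec proposal to AES-256 / SHA-256 so the client never negotiates down
# to 3DES, the weaker of the two IKEv2 ciphers listed in the security table.
Set-VpnConnectionIPsecConfiguration -ConnectionName 'Corp-IKEv2' `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# Fall-back tunnel: SSTP, the only type in the first table that also crosses
# firewalls and web proxies. Same EAP user authentication, same encryption policy.
Add-VpnConnection -Name 'Corp-SSTP' -ServerAddress $Server -TunnelType Sstp `
    -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential -Force

# Defender's check: report every profile on this machine that still relies on PPTP
# (RC4-only data confidentiality per the security table) or that would tolerate an
# unencrypted tunnel. Returns nothing when all profiles are clean.
function Get-WeakVpnProfile {
    Get-VpnConnection | ForEach-Object {
        $reasons = @()
        if ($_.TunnelType -eq 'Pptp') {
            $reasons += 'PPTP: RC4-only encryption'
        }
        if ($_.EncryptionLevel -notin @('Required', 'Maximum')) {
            $reasons += "EncryptionLevel=$($_.EncryptionLevel)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name       = $_.Name
                TunnelType = $_.TunnelType
                Reason     = $reasons -join '; '
            }
        }
    }
}

Get-WeakVpnProfile | Format-Table -AutoSize
```

Run the audit function with `Get-VpnConnection -AllUserConnection` substituted inside it to cover machine-wide profiles as well as the current user's.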

 

If you are wondering why I think VPN Reconnect is better than L2TP, though both run on top of IPSec, here is my thinking:

- L2TP/IPSec requires machine authentication followed by user authentication. Assuming no one uses a pre-shared key, this imposes the restriction of deploying machine certificates on every L2TP-based VPN client machine (i.e. the need for a PKI infrastructure), which increases the deployment cost. VPN Reconnect, however, supports simple password-based user authentication (EAP-MSCHAPv2), thereby simplifying the deployment.

- VPN Reconnect supports IP address persistence, via the mobility manager, when the underlying link goes down and comes back up or a new link comes up. This way the applications running on top of the VPN tunnel see no break in connectivity (imagine your big download not stopping midway when the underlying wireless link goes down and up).

- VPN Reconnect is faster in the connection establishment phase (fewer round trips) compared to L2TP/IPSec.

- Do you need anything more ....

 

Have a happy remote access journey ...

 

Cheers,

Samir Jain

Senior Program Manager

Windows Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]
