Routing and Remote Access Blog

VPN articles - straight from Windows development team

Do we still need PPTP & L2TP/IPsec after Windows 7

Do we still need PPTP & L2TP/IPsec after Windows 7

  • Comments 12
  • Likes

Hi Folks,

Our team member Samir Jain has posted a nice blog on how you should decide which tunnel to use/deploy for your scenario. The details for the same are given at which tunnel to use.

In this blog, I would like to understand further on a possibility of deprecating PPTP & L2TP/IPsec VPN tunnels going forward - i.e. after Windows 7. This leaves in-the-box Microsoft VPN component supporting SSTP (SSL based ) and IKEv2 (IPsec based) VPN tunnel.

Please do not panic ! This has not happened yet. I am just trying to get your feedback and learn more about your deployment plans going forward.

Why do I think you should migrate to IKEv2/SSTP?

IKEv2 (VPN Reconnect) is a standard based tunnel that should work with any third party servers so interoperability should not be any less if compare to PPTP or L2TP. SSTP allows SSL based firewall traversal thereby supporting ubiquitous VPN connectivity.

Both tunnels are on par or better with L2TP/IPsec as well as PPTP - in terms of security, performance, connection establishment experience etc.

IKEv2

1.       Does not require client side PKI deployment or pre-shared key.

2.       Integrates well with all EAP based methods

3.       Leverages the security strength provided by IPsec

4.       Better in connectivity time compare to L2TP/IPsec

5.       Provide mobility switchover support (mobility manager) 

 

Windows 7 & WS08 R2 onwards

SSTP

1.       Does not require client side PKI deployment or pre-shared key.

2.       Integrates well with all EAP based methods

3.       Leverages the security strength provided by SSL protocol

4.       Provides firewall traversal

Vista SP1 & WS08 onwards

 

Why we would like to deprecate PPTP/L2TP?

1.      Enables better usability (less # of tunnel choices confusing admins) & better troubleshooting/diagnostics support

2.      Reduces the support: Reduces the footprint and the number of updates.

3.      Better focus from Microsoft: Our development team can focus mainly on these two tunnels and focus on improving  the remote access connectivity experience. 

I do understand that PPTP is a highly deployed VPN tunnel followed by L2TP/IPSec and Windows 7 will take sometime before it is wide-spread inside organizations (like XP is today).  However, we do feel announcing now and deprecating PPTP/L2TP after Windows 7  would have provided ample time to our customers to migrate to SSTP (Vista SP1 & WS08 onwards) and IKEv2 (available Windows 7 & WS08 R2 onwards).

Again - to re-iterate, there is no official plan in this direction and this blog post is purely a feedback gaining mechanism to hear from our enthusiastic remote access customers about their deployment and migration plans to our newer OS supporting exciting new VPN tunnels.

Please share your feedback - either as comment or by sending us an email.

Looking forward to hear back from you 

Cheers,

Abhishek Tiwari

Senior Lead Program Manager, RAS Team,

Windows Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments
  • There are a number of cases where our customers use PPTP for site to site RRAS VPN links because of the complexity of setting up L2TP.

    1. Is SSTP supported in Windows 2008 for site to site links? 2. Is SSTP and IKEv2 supported in Windows 2008 R2 for site to site links?

  • Joseph Worall wrote:

    Is SSTP supported in Windows 2008 for site to site links? 2. Is SSTP and IKEv2 supported in Windows 2008 R2 for site to site links?

    SAMIRJ [MSFT] response:

    You are very correct. SSTP-IKEv2 are not supported for site-to-site scenario. However that support can be added. We do feel IKEv2 for site-to-site scenario makes more sense compared to SSTP (because site-to-site scenario is more a fixed or static scenario and you don't need to worry about firewall traversal - hence SSTP is not required in this scenario). If we add IKEv2 for RAS site-to-site scenario, will that suffice ...

  • I think until you back port SSTP at least to XP it's going to be hard to deprecate PPTP. Many companies will not be Vista/win7 only for many years to come.

  • Hi Abhishek and Samir

    I very much agree with CK. The SSTP client should have been back ported to XP.

    Many customers were ready for SSTP with NAP. But the lack of support in XP, and an aversion to Vista, meant they selected 3-party products eg Citrix or Cisco

    With Direct Access, history repeats itself. Microsoft now requires that you must have SA to use this feature. Alternatively, you can use the UAG, which is still in beta.

    Please change this SA feature strategi in generel and give us something to work with.

    /Jesper

  • Jesper Wrote:

    ====

    I very much agree with CK. The SSTP client should have been back ported to XP.

    Many customers were ready for SSTP with NAP. But the lack of support in XP, and an aversion to Vista, meant they selected 3-party products eg Citrix or Cisco

    ====

    Hi Jesper/Joseph/CK,

    I agree with you that backporting SSTP in XP would have increased the penetration for SSTP but for business reasons this plan was not approved. On the other hand, I wonder if deployment for XP would be still significant for post W7 release time (PPTP/L2TP are supported in W7) which is definitly few years away.

    Thanks,

    Abhishek

  • We have a lot of customers who are still migrateing from 2K to XP. Vista will never be used by them. If they take the step to 7 in maybe 3-4 years is not known.

    Also none of our customers use a MS Server as VPN Gateway. there are some >20K Remote User customers and they would like to use the MS IPSec/L2TP Client controlled by our Client using RAS Api in the future.

    As long as SSTP is not compatible with Cisco or Checkpoint Gateways it will not widely be used.

    And a backport of SSTP and IKEv2 (compatible with other vendr gateways) to Vista & XP would be the right choice for you. Also on Windows Mobile. Drop that stupid Connection Manager, include RAS Custom DLLs and NAT-T and everony will be happy...

    BTW. i hope you post it as soon as possible if you are going to remove PPTP or IPSec/L2TP because than we have to think about creating our own stack or start looking for SDK Vendors...

  • Unfortunately some devices have not yet (even with more recent releases) added support for either SSTP or IKEv2 and retain only support for PPTP and L2TP; Windows Mobile 6.1 being a perfect example, it came out recently and still doesn't have support for any new protocols.

    You also really do need to retain some site-to-site VPN protocols for backwards compatibility with previous server versions of Windows so unless you can get site-to-site support in Windows 2008 R2 for both IKEv2 and SSTP removing other protocols in the version after 2008 R2 will result in no support for any prior versions, which would be a killer I suspect.

    I think you actually need to retain at least one of them (perhaps L2TP as it can support IPv6 and better security) for a considerable time; at least the next TWO versions of Windows Server.

    Otherwise you will need to either provide an out-of-band installable version of one of the newer protocols or just give up and recommend other manufacturers solutions.

  • Thanks Simon and Patrick for your feedback - related to PPTP/L2TP usage in site-to-site scenario, MS client with 3rd party VPN servers and for mobile clients. All are very valid scenarios.

    And just to re-iterate what Abhishek wrote above - please do view this discussion more as your feedback to our product team - instead of product team communicating a deprecation announcement. We sincerely appreciate your feedback. And please continue to use our VPN solution - both on client as well as server side.

    Regards,

    Samirj

  • From reviewing this information, it seems that L2TP remains the only protocol makes it possible to authenticate a corporate asset (i.e. computer certificate) as well as the user (i.e. MSCHAP or user certificate).

    Am I reading the summary in the "which tunnel to use" hyperlink correctly?

  • Craig wrote:

    From reviewing this information, it seems that L2TP remains the only protocol makes it possible to authenticate a corporate asset (i.e. computer certificate) as well as the user (i.e. MSCHAP or user certificate).

    Am I reading the summary in the "which tunnel to use" hyperlink correctly?

    SAMIRJ Response:

    That is correct.

    PPTP and SSTP does only user authentication at PPP layer.

    L2TP/IPSec does first machine level authentication at IPSec level followed by (AND) user authentication at PPP layer.

    IKEv2 aka VPN reconnect supports machine authentication OR user authentication.

  • Yes, please backport SSTP and VPN Reconnect (IKEv2) to XP. Direct Access should also be backported to Server 2008 and Server 2003.

  • The ability to authenticate with a user certificate AND a computer certificate is a 'must' for some government agencies.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment