Do we still need PPTP & L2TP/IPsec after Windows 7

re: Do we still need PPTP & L2TP/IPsec after Windows 7

Joseph Worrall — Thu, 12 Feb 2009 08:28:36 GMT

There are a number of cases where our customers use PPTP for site to site RRAS VPN links because of the complexity of setting up L2TP.

1. Is SSTP supported in Windows 2008 for site to site links? 2. Is SSTP and IKEv2 supported in Windows 2008 R2 for site to site links?

re: Do we still need PPTP & L2TP/IPsec after Windows 7

SamirJ [MSFT] — Thu, 12 Feb 2009 09:26:56 GMT

Joseph Worall wrote:

Is SSTP supported in Windows 2008 for site to site links? 2. Is SSTP and IKEv2 supported in Windows 2008 R2 for site to site links?

SAMIRJ [MSFT] response:

You are very correct. SSTP-IKEv2 are not supported for site-to-site scenario. However that support can be added. We do feel IKEv2 for site-to-site scenario makes more sense compared to SSTP (because site-to-site scenario is more a fixed or static scenario and you don't need to worry about firewall traversal - hence SSTP is not required in this scenario). If we add IKEv2 for RAS site-to-site scenario, will that suffice ...

re: Do we still need PPTP & L2TP/IPsec after Windows 7

ck — Thu, 12 Feb 2009 19:09:29 GMT

I think until you back port SSTP at least to XP it's going to be hard to deprecate PPTP. Many companies will not be Vista/win7 only for many years to come.

re: Do we still need PPTP & L2TP/IPsec after Windows 7

Jesper Ravn — Fri, 13 Feb 2009 02:42:01 GMT

Hi Abhishek and Samir

I very much agree with CK. The SSTP client should have been back ported to XP.

Many customers were ready for SSTP with NAP. But the lack of support in XP, and an aversion to Vista, meant they selected 3-party products eg Citrix or Cisco

With Direct Access, history repeats itself. Microsoft now requires that you must have SA to use this feature. Alternatively, you can use the UAG, which is still in beta.

Please change this SA feature strategi in generel and give us something to work with.

/Jesper

re: Do we still need PPTP & L2TP/IPsec after Windows 7

rrasblog — Fri, 13 Feb 2009 08:00:17 GMT

Jesper Wrote:

====

I very much agree with CK. The SSTP client should have been back ported to XP.

Many customers were ready for SSTP with NAP. But the lack of support in XP, and an aversion to Vista, meant they selected 3-party products eg Citrix or Cisco

====

Hi Jesper/Joseph/CK,

I agree with you that backporting SSTP in XP would have increased the penetration for SSTP but for business reasons this plan was not approved. On the other hand, I wonder if deployment for XP would be still significant for post W7 release time (PPTP/L2TP are supported in W7) which is definitly few years away.

Thanks,

Abhishek

re: Do we still need PPTP & L2TP/IPsec after Windows 7

Patrick — Fri, 13 Feb 2009 12:01:43 GMT

We have a lot of customers who are still migrateing from 2K to XP. Vista will never be used by them. If they take the step to 7 in maybe 3-4 years is not known.

Also none of our customers use a MS Server as VPN Gateway. there are some >20K Remote User customers and they would like to use the MS IPSec/L2TP Client controlled by our Client using RAS Api in the future.

As long as SSTP is not compatible with Cisco or Checkpoint Gateways it will not widely be used.

And a backport of SSTP and IKEv2 (compatible with other vendr gateways) to Vista & XP would be the right choice for you. Also on Windows Mobile. Drop that stupid Connection Manager, include RAS Custom DLLs and NAT-T and everony will be happy...

BTW. i hope you post it as soon as possible if you are going to remove PPTP or IPSec/L2TP because than we have to think about creating our own stack or start looking for SDK Vendors...

re: Do we still need PPTP & L2TP/IPsec after Windows 7

Simon — Sat, 14 Feb 2009 21:40:07 GMT

Unfortunately some devices have not yet (even with more recent releases) added support for either SSTP or IKEv2 and retain only support for PPTP and L2TP; Windows Mobile 6.1 being a perfect example, it came out recently and still doesn't have support for any new protocols.

You also really do need to retain some site-to-site VPN protocols for backwards compatibility with previous server versions of Windows so unless you can get site-to-site support in Windows 2008 R2 for both IKEv2 and SSTP removing other protocols in the version after 2008 R2 will result in no support for any prior versions, which would be a killer I suspect.

I think you actually need to retain at least one of them (perhaps L2TP as it can support IPv6 and better security) for a considerable time; at least the next TWO versions of Windows Server.

Otherwise you will need to either provide an out-of-band installable version of one of the newer protocols or just give up and recommend other manufacturers solutions.

re: Do we still need PPTP & L2TP/IPsec after Windows 7

SamirJ [MSFT] — Tue, 17 Feb 2009 07:18:11 GMT

Thanks Simon and Patrick for your feedback - related to PPTP/L2TP usage in site-to-site scenario, MS client with 3rd party VPN servers and for mobile clients. All are very valid scenarios.

And just to re-iterate what Abhishek wrote above - please do view this discussion more as your feedback to our product team - instead of product team communicating a deprecation announcement. We sincerely appreciate your feedback. And please continue to use our VPN solution - both on client as well as server side.

Regards,

Samirj

re: Do we still need PPTP & L2TP/IPsec after Windows 7

Craig — Tue, 24 Feb 2009 11:43:08 GMT

From reviewing this information, it seems that L2TP remains the only protocol makes it possible to authenticate a corporate asset (i.e. computer certificate) as well as the user (i.e. MSCHAP or user certificate).

Am I reading the summary in the "which tunnel to use" hyperlink correctly?

re: Do we still need PPTP & L2TP/IPsec after Windows 7

SamirJ [MSFT] — Tue, 24 Feb 2009 15:14:56 GMT

Craig wrote:

Am I reading the summary in the "which tunnel to use" hyperlink correctly?

SAMIRJ Response:

That is correct.

PPTP and SSTP does only user authentication at PPP layer.

L2TP/IPSec does first machine level authentication at IPSec level followed by (AND) user authentication at PPP layer.

IKEv2 aka VPN reconnect supports machine authentication OR user authentication.

re: Do we still need PPTP & L2TP/IPsec after Windows 7

anonymuos — Sun, 01 Mar 2009 10:31:21 GMT

Yes, please backport SSTP and VPN Reconnect (IKEv2) to XP. Direct Access should also be backported to Server 2008 and Server 2003.

re: Do we still need PPTP & L2TP/IPsec after Windows 7

fo — Mon, 02 Mar 2009 20:41:47 GMT

The ability to authenticate with a user certificate AND a computer certificate is a 'must' for some government agencies.