Lets descript and summarize some information about PPTP and L2TP protocols.

PPTP

The Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft in conjunction with other technology companies, is the most widely supported VPN method among Windows clients. PPTP is an extension of the Internet standard Point-to-Point protocol (PPP), the link layer protocol used to transmit IP packets over serial links. PPTP uses the same types of authentication as PPP (PAP, SPAP, CHAP, MS-CHAP v.1/v.2 and EAP).

PPTP establishes the tunnel but does not provide encryption. PPTP encrypted using Microsoft Point-to-Point Encryption (MPPE) protocol to create a secure VPN. PPTP has relatively low overhead, this making it faster than some other VPN methods.

Most old vulnerabilities in PPTP are fixed these days and you can combine it with EAP to enhance it to require certificates as well. One advantage of using PPTP is that there is no requirement for a certificate infrastructure. However EAP does use digital certificates for mutual authentication (both client and server) and higher security.

How works: A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage as second GRE(generic routing encapsulation) tunnel to the same peer.

Port/rotocol: 1723 TCP and protocol GRE

User Authentication Protocol: EAP-TLS or MS-CHAP v2

Encryption method: MPPE (Microsoft Point-to-Point Encryption)

Encryption Strength: MPPE 40-128 bit

L2TP

The Layer 2 Tunneling Protocol (L2TP) was developed in cooperation between Cisco and Microsoft to combine features of PPTP with those of Cisco’s proprietary Layer 2 Forwarding (L2F) protocol.

L2TP (Layer Two Tunneling Protocol) supports non-TCP/IP clients and protocols (such as Frame Relay, ATM and SONET).

L2TP does not provide any encryption orconfidentiality by itself. It relies on an encryption protocol that it passes within the tunnel to provide privacy. Nowadays L2TP connections do not negotiate the use of PPP encryption through Microsoft Point-to-Point Encryption (MPPE). Instead, encryption is provided through the use of the Internet Protocol security (IPSec) Encapsulating Security Payload (ESP) header and trailer. It is also important to note that IPsec is more resource intensive than PPTP, hence the overhead with a L2TP solution is higher than PPTP.

Port: 1701 UDP

User Authentication Protocol: EAP-TLS or MS-CHAP v2

* In addition to providing computer-level authentication, IPSec provides end-to-end encryption for data that passes between the sending and receiving nodes.

Encryption: IPSec

Encryption Strength: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms

L2TP vs PPTP

L2TP/IPSec and PPTP are similar in the following ways:

• provide a logical transport mechanism to send PPP payloads;
• provide tunneling or encapsulation so that PPP payloads based on any protocol can be sent across an IP network;
• rely on the PPP connection process to perform user authentication and protocol configuration.

Some facts about PPTP:

+ PPTP easy to deploy

+ PPTP use TCP, this reliable solution allow to retransmit lost packets

+ PPTP support

– PPTP less secure with MPPE(up to 128 bit)

– data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed

– PPTP connections require only user-level authentication through a PPP-based authentication protocol

Some facts about L2TP(over IPsec):

+ L2TP/IPSec data encryption begins before the PPP connection process

+ L2TP/IPSec connections use the AES(up to 256bit) or DESUup to three 56-bit keys)

+ L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol

+ L2TP use UDP. It is a faster, but less reliable, because it does not retransmit lost packets, is commonly used in real-time Internet communications

+ L2TP more “firewall friendly” than PPTP — a crucial advantage for an extranet protocol due to most firewalls do not support GRE

– L2TP require certificate infrastructure for issuing computer certificates

To summarize:

There’s no clear winner, but PPTP is older, more light-weight, works in most cases and clients are readily pre-installed, giving it an advantage in normally being very easy to deploy and configure (without EAP).

But for most of countries like UAE, Oman, Pakistan, Yemen, Saudi Arabia, Turkey, China, Singapore, Lebanon PPTP blocked by ISP or government so they need L2TP or SSL VPN which will describe in next posts.

Find any questions or errors? go ahead and start commenting…