VPN Router-to-Router tunneling protocols

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Tunneling protocols

Routing and Remote Access provides two tunneling protocols for creating router-to-router VPN connections:

  • Point-to-Point Tunneling Protocol (PPTP)

  • Layer Two Tunneling Protocol (L2TP)

Note

  • On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.

PPTP

PPTP is a VPN tunneling protocol. PPTP is an extension of the Point-to-Point Protocol (PPP) and leverages the authentication, compression, and encryption mechanisms of PPP.

PPTP is installed with TCP/IP. By default, Routing and Remote Access is configured for five PPTP ports. To increase the number of PPTP ports, see Add PPTP or L2TP ports. You can enable PPTP ports for inbound remote access and demand-dial routing connections by using the Routing and Remote Access Server Setup Wizard. To enable PPTP ports for routing after the wizard is run, see Enable routing on ports.

Two primary services of virtual private networking are encapsulation and encryption.

Encapsulation

A PPP frame containing an IP datagram is wrapped with a Generic Routing Encapsulation (GRE) header and an IP header. The IP header contains the source and destination IP addresses, which correspond to the VPN client and the VPN server.

The following illustration shows PPTP encapsulation for a PPP frame.

[Illustration: PPTP encapsulation]

Encryption

The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the MS-CHAP or EAP-TLS authentication process. Virtual private networking clients must use either the MS-CHAP or EAP-TLS authentication protocol in order to encrypt PPP payloads. PPTP does not provide encryption services. PPTP encapsulates a previously encrypted PPP frame.

Note

  • It is possible to have a nonencrypted PPTP connection where the PPP payload is sent in plaintext. However, a nonencrypted PPTP connection is not recommended for virtual private network connections over the Internet because communications of this type are not secure.

L2TP

L2TP is an industry-standard Internet tunneling protocol that provides encapsulation for sending PPP frames across packet-oriented media. Like PPTP, L2TP leverages the authentication and compression mechanisms of PPP. Unlike PPTP, L2TP does not use Microsoft Point-to-Point Encryption (MPPE) to encrypt PPP frames. L2TP relies on Internet Protocol security (IPSec) for encryption services.

The result is that L2TP-based virtual private networking connections are a combination of L2TP and IPSec. Both L2TP and IPSec must be supported by both routers. For more information about IPSec, see Internet Protocol Security Overview. L2TP is described in RFC 2661.

L2TP is installed with TCP/IP. By default, Routing and Remote Access is configured for five L2TP ports. To increase the number of L2TP ports, see Add PPTP or L2TP ports. You can enable L2TP ports for inbound remote access and demand-dial routing connections by using the Routing and Remote Access Server Setup Wizard. To enable L2TP ports for routing after the wizard is run, see Enable routing on ports.

Two primary services of virtual private networking are encapsulation and encryption.

Encapsulation

Encapsulation for L2TP over IPSec packets consists of two layers of encapsulation.

  1. L2TP encapsulation

    A PPP frame containing an IP datagram is wrapped with an L2TP header and a UDP header.

  2. IPSec encapsulation

    The resulting L2TP message is then wrapped with an IPSec Encapsulating Security Payload (ESP) header and trailer, an IPSec Authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP addresses, which correspond to the VPN client and the VPN server.

The following illustration shows L2TP and IPSec encapsulation for a PPP frame.

[Illustration: L2TP and IPSec encapsulation]
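As an added illustration of the two encapsulations described on this page (this is not Microsoft's code and is not part of the original documentation), the following Python builds a PPTP packet (PPP frame in GRE in IP, as in the PPTP Encapsulation section) and an L2TP/IPSec packet (PPP frame in L2TP in UDP in ESP in IP, as in the two-step list above), then peels each back down to the PPP frame. Only the framing is modelled: the PPP frame handed to the PPTP function stands in for the MPPE-encrypted frame, and the ESP payload is carried with NULL encryption (ESP-NULL, RFC 2410) so that the unwrapping side can be checked offline, where a real security association would apply DES or 3DES. The HMAC-SHA1-96 check on the ESP authentication trailer is real and is verified before anything is parsed. All addresses, tunnel, session and call identifiers and the authentication key are constructed sample values, and the function names are this example's own.

```python
"""Added example, not Microsoft's code and not part of the original page.

Builds and peels the two encapsulations described above:
  PPTP:        IP | GRE | PPP(IP datagram)
  L2TP/IPSec:  IP | ESP header | UDP | L2TP | PPP(IP datagram) | ESP trailer | ICV
Only framing is modelled; the ESP payload is left in the clear (ESP-NULL) so the
peel side can be checked here. Addresses, IDs and keys are constructed samples.
"""
import hashlib
import hmac
import struct

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 17, 47, 50
GRE_PROTO_PPP = 0x880B   # RFC 2637: enhanced GRE protocol type for PPP
L2TP_UDP_PORT = 1701     # RFC 2661
PPP_PROTO_IP = 0x0021


def _ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return ~s & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the outer copy names the two VPN endpoints."""
    addr = lambda ip: bytes(map(int, ip.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]


def ppp_frame(ip_datagram: bytes) -> bytes:
    """PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IP), datagram."""
    return b"\xff\x03" + struct.pack("!H", PPP_PROTO_IP) + ip_datagram


def pptp_encapsulate(ppp: bytes, call_id: int, seq: int, src: str, dst: str) -> bytes:
    """PPTP data: the (already MPPE-encrypted) PPP frame in GRE, then IP."""
    # RFC 2637 GRE header: K and S bits set (0x30), version 1, protocol 0x880B,
    # Key field = payload length + call ID, then a 32-bit sequence number.
    gre = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(ppp), call_id, seq)
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre) + len(ppp)) + gre + ppp


def pptp_peel(pkt: bytes):
    """Strip the IP and GRE headers; return (call_id, seq, ppp_frame)."""
    ihl = (pkt[0] & 0x0F) * 4
    assert pkt[9] == IPPROTO_GRE
    flags, _ver, proto, plen, call_id, seq = struct.unpack("!BBHHHI", pkt[ihl:ihl + 12])
    assert proto == GRE_PROTO_PPP and (flags & 0x30) == 0x30
    return call_id, seq, pkt[ihl + 12:ihl + 12 + plen]


def l2tp_ipsec_encapsulate(ppp: bytes, tunnel_id: int, session_id: int, spi: int,
                           seq: int, auth_key: bytes, src: str, dst: str,
                           encrypt=lambda b: b) -> bytes:
    """Two layers, as in the numbered list above: L2TP+UDP, then ESP+IP."""
    # Layer 1: L2TP data header (RFC 2661): L bit set, version 2, length,
    # tunnel ID, session ID; carried over UDP port 1701.
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), tunnel_id, session_id) + ppp
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp), 0) + l2tp
    # Layer 2: ESP. The trailer pads to the 8-byte DES/3DES block and ends with
    # pad length and next header (17 = UDP); the cipher covers udp + trailer.
    # encrypt defaults to identity (ESP-NULL); a real SA would use DES/3DES here.
    pad_len = (-(len(udp) + 2)) % 8
    plain = udp + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_UDP])
    body = struct.pack("!II", spi, seq) + encrypt(plain)
    # Authentication trailer: HMAC-SHA1-96 over SPI, sequence and ciphertext.
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:12]
    return ipv4_header(src, dst, IPPROTO_ESP, len(body) + len(icv)) + body + icv


def l2tp_ipsec_peel(pkt: bytes, auth_key: bytes, decrypt=lambda b: b):
    """Check the ICV, then strip ESP, UDP and L2TP.
    Returns (tunnel_id, session_id, ppp_frame), or None if the ICV does not match."""
    ihl = (pkt[0] & 0x0F) * 4
    assert pkt[9] == IPPROTO_ESP
    body, icv = pkt[ihl:-12], pkt[-12:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:12], icv):
        return None                       # integrity failure: drop, never parse
    plain = decrypt(body[8:])             # skip SPI + sequence number
    pad_len, next_hdr = plain[-2], plain[-1]
    assert next_hdr == IPPROTO_UDP
    udp = plain[:len(plain) - pad_len - 2]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    assert dport == L2TP_UDP_PORT
    flags, _length, tunnel_id, session_id = struct.unpack("!HHHH", udp[8:16])
    assert (flags >> 12) == 0x4 and (flags & 0xF) == 2   # data message, L bit, v2
    return tunnel_id, session_id, udp[16:8 + ulen]


# Constructed sample: a private-side IP datagram with a 12-byte placeholder payload.
SAMPLE_PPP = ppp_frame(ipv4_header("10.1.0.5", "10.2.0.7", IPPROTO_UDP, 12) + b"x" * 12)
SAMPLE_AUTH_KEY = b"constructed-esp-auth-key"

if __name__ == "__main__":
    p = pptp_encapsulate(SAMPLE_PPP, 7, 1, "198.51.100.1", "203.0.113.2")
    l = l2tp_ipsec_encapsulate(SAMPLE_PPP, 0x11, 0x22, 0x1000, 1, SAMPLE_AUTH_KEY,
                               "198.51.100.1", "203.0.113.2")
    print(len(p), pptp_peel(p)[:2], len(l), l2tp_ipsec_peel(l, SAMPLE_AUTH_KEY)[:2])
```

Because the ESP payload is carried with NULL encryption, the PPP frame is visible as a byte string inside the L2TP packet; that is exactly what a nonencrypted L2TP connection over the Internet exposes, and searching a capture for the frame bytes is a quick way to confirm it. The peel function also keeps the order a receiver must keep: it refuses to parse anything whose ICV does not verify, so a packet altered in transit (or one sent under the wrong key) is dropped before the UDP and L2TP headers are ever looked at.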

Encryption

The L2TP message is encrypted with the DES or Triple DES (3DES) encryption algorithm by using encryption keys generated from the IPSec authentication process.

Note

  • It is possible to have a non-IPSec-based (nonencrypted) L2TP connection where the PPP payload is sent in plaintext. However, a nonencrypted L2TP connection is not recommended for virtual private network connections over the Internet because communications of this type are not secure.