Difference between PPTP and L2TP?

Hi there,

We currently have a VPN solution that uses L2TP. We are thinking of getting rid of this and simply having a Microsoft solution, i.e. setting up a server to act as a VPN server and using PPTP instead. What are the differences between these two protocols, and, indeed, what is the best way to implement this so that it is as secure as it can be? Do I need to use RADIUS? I have DMZ functionality on my firewall if that helps.

ddh76 asked:

PowerIT commented:
ddh76, PPTP has a reputation of not being secure.
That stems from some mistakes in the MS and also Cisco implementations a while ago (ca. 5 years). PPTP can be set up securely, but if not set up correctly it can still expose you to vulnerabilities.
I understand why you want to switch: it's very easy to set up and the client software is preinstalled on almost any OS.
The client part is also a no-brainer to configure; even the most computer-illiterate can be run through it with a 3-page document with screenshots.
So I did the switch about a year ago for one environment, with the following reasoning:
- This is a low-security environment, where ease of use is extremely important.
- I did NOT use the MS or Cisco implementation as a server, but a lesser-known product with no known vulnerabilities (one of the UTMs on the market), configured using only the highest encryption level (MPPE-128 using TLS-EAP).
- This server does a lot of thorough monitoring, and the logs are regularly reviewed.
- We are willing to take a small risk.

FYI: to be exact L2TP is not a true VPN: it does not use encryption and strong authentication. It must be used in conjunction with IPSEC to provide encryption and create a true VPN. That's also what makes it more complex to implement.

Security-wise it's better to do a correctly implemented - but technically less secure - installation than to implement something technically more secure in a flawed way.

Hope this helps.

J.
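
The FYI above (L2TP on its own carries PPP frames without encryption, and only becomes a VPN when wrapped in IPsec) is something a defender can verify from firewall logs. The following is an added example, not code from this thread or from any product mentioned in it: it classifies flows from a constructed, made-up log format by the transport signatures in the RFCs linked below (PPTP control on TCP/1723 plus GRE, L2TP on UDP/1701, IPsec via IKE UDP/500, NAT-T UDP/4500 or ESP) and flags any client whose L2TP is visible in the clear on the wire. The server and client addresses and the log lines are all constructed.

```python
from collections import defaultdict

# Transport signatures taken from the RFCs linked in this thread:
#   PPTP (RFC 2637): TCP/1723 control channel + GRE (IP protocol 47) data
#   L2TP (RFC 2661): UDP/1701, carrying PPP frames with no encryption of its own
#   IPsec around L2TP: IKE on UDP/500, NAT-T on UDP/4500, or ESP (IP protocol 50)
PPTP_CTRL, L2TP_PORT, IKE_PORT, NAT_T_PORT = 1723, 1701, 500, 4500

# Constructed sample in a made-up "proto src dst sport dport" log format.
# 198.51.100.5 plays the VPN server; each client uses a different tunnel type.
SAMPLE_LOG = """\
tcp 203.0.113.10 198.51.100.5 51000 1723
gre 203.0.113.10 198.51.100.5 0 0
udp 203.0.113.20 198.51.100.5 500 500
udp 203.0.113.20 198.51.100.5 4500 4500
udp 203.0.113.30 198.51.100.5 1701 1701
"""

def tag_flow(proto, dport):
    """Map one flow to a VPN building block, or None if unrelated."""
    if proto == "gre" or (proto == "tcp" and dport == PPTP_CTRL):
        return "pptp"
    if proto == "esp" or (proto == "udp" and dport in (IKE_PORT, NAT_T_PORT)):
        return "ipsec"
    if proto == "udp" and dport == L2TP_PORT:
        return "l2tp-clear"  # UDP/1701 is only visible when NOT inside IPsec
    return None

def collect_tags(log_text):
    """Group the VPN building blocks seen per client source address."""
    tags = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, src, _dst, _sport, dport = line.split()
        tag = tag_flow(proto.lower(), int(dport))
        if tag:
            tags[src].add(tag)
    return tags

def assess(log_text):
    """Return {client_ip: verdict}: which tunnel type, and whether it encrypts."""
    verdicts = {}
    for client, tags in collect_tags(log_text).items():
        if "l2tp-clear" in tags:
            verdicts[client] = "L2TP without IPsec: PPP payload is unencrypted"
        elif "ipsec" in tags:
            verdicts[client] = "IPsec (L2TP/IPsec or pure IPsec): encrypted"
        elif "pptp" in tags:
            verdicts[client] = "PPTP: relies on MPPE/MS-CHAPv2, weakest of the three"
    return verdicts
```

On a real firewall, L2TP/IPsec clients show up only as IKE/NAT-T/ESP, because the UDP/1701 traffic is inside the IPsec tunnel; seeing UDP/1701 at the perimeter is the tell-tale of the unencrypted setup described above.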


Rob Williams commented:
There are 3 primary protocols used for VPNs: PPTP, L2TP, and IPSec, and the level of security provided is in that order as well. L2TP can be set up using IPSec and is much more secure than PPTP, however more difficult to configure.
Why are you going to a lower level of security?
You do not want to use the DMZ, as it will reduce security, and using RADIUS is an option with either, but not necessary.
As to the details of the protocols themselves:
PPTP:
http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol
http://tools.ietf.org/html/rfc2637
L2TP:
http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
http://tools.ietf.org/html/rfc2661

ddh76 (author) commented:
Yes, the ease with which you can set up a PPTP connection is far better than the "messy" MUVPN client software that Watchguard provide, but I presume this is partly due to the complexity of the L2TP and IPSEC protocol combination?

So, in short, there is a risk but the risk isn't as great as not encrypting at all???

Rob Williams commented:
Personally I would stick with the MUVPN solution. It's extremely secure, and if you control its deployment, users cannot share passwords allowing others access to your domain, like they can easily do with the Windows client. Also, they cannot self-install the client in unapproved locations.

ddh76 (author) commented:
Would like to agree with you but we have so many problems with the MUVPN solution as it stands. Some users experience the disconnection of the client software so often that it is almost unusable. I have spoken to Watchguard, who seem quite reluctant to help (other than offer me beta firmware, which I am not prepared to go for!).

So, in summary, it "was" less secure years ago when originally deployed but now it is a lot better? (PPTP I am talking about here)

Rob Williams commented:
I would test the PPTP connection first. I have never heard of connection issues with WatchGuard and their client. Sounds more like a hardware or ISP issue than the tunnel type.

PPTP is not as secure as IPSec, but has come a long way. Make sure you use complex passwords and the best available authentication protocol. I don't believe that, if using a Windows server as the VPN endpoint, you have the authentication options suggested by PowerIT. The best Windows has to offer is MS-CHAP v2. However, if your router/s support better PPTP authentication options you will be better off.