Difference between PPTP and L2TP?

Posted on 2007-03-26
Last Modified: 2010-08-05
Hi there,

We currently have a VPN solution that uses L2TP.  We are thinking of getting rid of this and simply having a Microsoft solution.  i.e setting up a server to act as a VPN Server and using PPTP instead.  What are the differences in these 2 protocols, and, indeed, what is the best way to implement this so that it is as secure as it can be?  Do I need to use RADIUS?  I have DMZ functionality on my firewall if that helps....
Question by:ddh76
6 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18792407
There are 3 primary protocols used for VPNs: PPTP, L2TP, and IPSec, and the level of security provided is in that order as well. L2TP can be set up using IPSec and is much more secure than PPTP; however, it is more difficult to configure.
Why are you going to a lower level of security?
You do not want to use the DMZ, as it will reduce security, and using RADIUS is an option with either, but not necessary.
As to the details of the protocols themselves:
PPTP:
http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol
http://tools.ietf.org/html/rfc2637
L2TP:
http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
http://tools.ietf.org/html/rfc2661
LVL 18

Accepted Solution

by: PowerIT (earned 250 total points)
ID: 18792894
ddh76, PPTP has a reputation of not being secure.
That stems from some mistakes in the MS and also Cisco implementations a while ago (ca. 5 yrs). PPTP can be set up securely, but if not set up correctly it can still expose you to vulnerabilities.
I understand why you want to switch: it's very easy to set up and the client software is preinstalled on almost any OS.
The client part is also a no brainer to configure; even the most computer-illiterate can be run through it with a 3 page document with screenshots.
So I did the switch about a year ago for one environment, with the following reasoning:
- This is a low security environment, where ease of use is extremely important
- I did NOT use the MS or Cisco implementation as a server, but a lesser known product with no known vulnerabilities (one of the UTMs on the market) and configured using only the highest encryption level (MPPE-128 using TLS-EAP)
- This server does a lot of thorough monitoring, and the logs are regularly reviewed.
- We are willing to take a small risk.

FYI: to be exact, L2TP is not a true VPN: it does not use encryption and strong authentication. It must be used in conjunction with IPSEC to provide encryption and create a true VPN. That's also what makes it more complex to implement.

Security-wise, it's better to do a correctly implemented - but technically less secure - installation than to implement something technically more secure in a flawed way.

Hope this helps.

J.

LVL 1

Author Comment

by:ddh76
ID: 18793151
Yes, the ease with which you can set up a PPTP connection is far better than the "messy" MUVPN client software that Watchguard provide, but I presume this is partly due to the complexity of the L2TP and IPSEC protocol combination?

So, in short, there is a risk, but the risk isn't as great as not encrypting at all?
LVL 77

Expert Comment

by:Rob Williams
ID: 18793368
Personally, I would stick with the MUVPN solution. It's extremely secure, and if you control its deployment, users cannot share passwords allowing others access to your domain, like they can easily do with the Windows client. Also, they cannot self-install the client in unapproved locations.
LVL 1

Author Comment

by:ddh76
ID: 18793615
I would like to agree with you, but we have so many problems with the MUVPN solution as it stands. Some users experience disconnection of the client software so often that it is almost unusable. I have spoken to Watchguard, who seem quite reluctant to help (other than offering me beta firmware, which I am not prepared to go for!).

So, in summary, it "was" less secure years ago when originally deployed, but now it is a lot better? (PPTP I am talking about here)
LVL 77

Expert Comment

by:Rob Williams
ID: 18793705
I would test the PPTP connection first. I have never heard of connection issues with WatchGuard and their client. It sounds more like a hardware or ISP issue than the tunnel type.

PPTP is not as secure as IPSec, but it has come a long way. Make sure you use complex passwords and the best available authentication protocol. I don't believe that, if using a Windows server as the VPN endpoint, you have the authentication options suggested by PowerIT. The best Windows has to offer is MS-CHAP v2. However, if your routers support better PPTP authentication options, you will be better off.
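Both PowerIT's "highest encryption level (MPPE-128)" and Rob Williams's "best available authentication protocol" (MS-CHAP v2) come down to two lines in the PPP options file when the PPTP server is a Linux pptpd/poptop box. The checker below is an added example, not code from this thread or from pptpd; it lints a pppd options file for those two points. The option names (`require-mschap-v2`, `require-mppe-128`, `require-mppe`, `require-pap`, `require-chap`, `require-mschap`, `nomppe`, `noauth`, `refuse-*`) are pppd's own; the two sample files, including the `name pptpd` and `ms-dns 10.0.0.1` values, are constructed for the demonstration. One caveat it encodes: pppd's `refuse-pap`/`refuse-chap`/`refuse-mschap` only stop pppd from authenticating *itself* with those methods; it is `require-mschap-v2` that forces the dial-in client onto MS-CHAPv2, so the checker keys on the `require-*` options.

```python
"""Lint a pppd options file (as used by a Linux pptpd server) for the two
hardening points raised in the thread: the peer must authenticate with
MS-CHAPv2 and the tunnel must use 128-bit MPPE.

Added example, not part of the original thread or of pptpd. Option names are
pppd's; the sample option files below are constructed.
"""

# require-* options that accept a weaker authentication method from the peer.
WEAK_REQUIRE = {
    "require-pap": "PAP sends the password in clear text",
    "require-chap": "CHAP (MD5) is weaker than MS-CHAPv2 and cannot key MPPE",
    "require-mschap": "MS-CHAPv1 is the older, weaker Microsoft method",
}


def parse_pppd_options(text):
    """Split a pppd options file into whitespace-separated tokens.

    '#' starts a comment; blank lines are ignored. Option arguments (e.g. the
    address after ms-dns) come back as plain tokens too, which is fine for the
    membership checks below as long as no argument spells an option name.
    """
    tokens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens.extend(line.split())
    return tokens


def audit_pptp_options(text):
    """Return a list of findings; an empty list means the baseline is met."""
    present = set(parse_pppd_options(text))
    findings = []

    # Authentication: the client must be forced onto MS-CHAPv2 and nothing weaker.
    if "noauth" in present:
        findings.append("noauth: peer is not required to authenticate at all")
    if "require-mschap-v2" not in present:
        findings.append("require-mschap-v2 missing: MS-CHAPv2 is not enforced for the peer")
    for opt, why in WEAK_REQUIRE.items():
        if opt in present:
            findings.append("%s: %s" % (opt, why))

    # Encryption: MPPE must be on, and at 128 bits, not the 40-bit fallback.
    if "nomppe" in present:
        findings.append("nomppe: MPPE disabled, the tunnel carries plaintext")
    elif "require-mppe-128" not in present:
        if "require-mppe" in present:
            findings.append("require-mppe without -128: 40-bit MPPE is acceptable to this server")
        else:
            findings.append("require-mppe-128 missing: encryption is optional for the peer")
    return findings


# Constructed sample: a server that still negotiates MS-CHAPv1 and 40-bit MPPE.
WEAK_OPTIONS = """\
name pptpd
require-mschap        # MS-CHAPv1 is enough for this server
require-mppe          # any MPPE strength, 40 or 128 bit
ms-dns 10.0.0.1
proxyarp
lock
nobsdcomp
"""

# Constructed sample: the same file with the two points from the thread applied.
HARDENED_OPTIONS = """\
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2     # peer must use MS-CHAPv2
require-mppe-128      # peer must use 128-bit MPPE
ms-dns 10.0.0.1
proxyarp
lock
nobsdcomp
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print("%s:" % label)
        for finding in audit_pptp_options(text) or ["no findings"]:
            print("  -", finding)
```

Run it against your own file with `audit_pptp_options(open("/etc/ppp/pptpd-options").read())`. The checker deliberately does not count `refuse-*` as a pass: those lines are a sensible belt-and-braces addition, but a file with only `refuse-pap`/`refuse-chap`/`refuse-mschap` and no `require-mschap-v2` still lets the client pick the method.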