Point-to-Point Tunneling Protocol

If you don't want to buy new modems and data lines every year, here's a low-cost, secure way to access your network through the Internet.

Douglas Toombs

May 31, 1997


It's June 1996. You've just invested a significant amount of money in a soup-to-nuts dial-in solution for your Windows NT network. You bought a Remote Access Service (RAS) server, multiport controller, a slew of high-end 28.8Kbps modems, a host of analog lines, and the management capabilities to run it all. Sure, your average cost-per-port was a little high, and you have recurring costs for your analog lines and administration. But the best technology costs money, right?

Well, now it's a year later, and your prized dial-in solution is starting to look like a 1972 Vega compared with the newest 33.6Kbps and 56Kbps (X2) modem technologies. To upgrade, you have to justify replacing all those 28.8Kbps modems with faster units.

The communications field is moving so quickly that you can't predict what will be in the mainstream tomorrow. Corporate IS budgets, already strained by the short life cycle of PCs, can't keep up with the blazing speed of communications developments.

A solution worth looking into is Microsoft's Point-to-Point Tunneling Protocol (PPTP), which Microsoft has integrated with RAS in NT 4.0. (For more information about RAS, see Sean K. Daily, "What's New in Windows NT 4.0 RAS?," January 1997.) PPTP lets you set up Virtual Private Networks (VPNs) that let remote users access corporate networks securely across the Internet. Opinions on whether to use this protocol vary greatly because of security and performance issues. But if you implement it correctly, PPTP can provide a low-cost, high-availability dial-in solution for your organization.

PPTP helps you put the mundane task of modem management into the hands of people who are experts at it--Internet Service Providers (ISPs). Just plug your RAS server into the Internet, configure the server to accept PPTP connections, assign a valid Internet IP address to the RAS server, then give that IP address to anyone who needs remote access.

OK, the process takes a few more steps than that scenario. But if you follow the steps I outline, you can get a basic PPTP VPN functioning and see how Microsoft's model works.

How Does It Work?
Imagine PPTP as a Dial-Up Networking (DUN) connection inside a DUN connection, or a pipe within a pipe. Your first connection, or pipe, is your Point-to-Point Protocol (PPP) connection to your ISP; your second connection is your PPTP connection, which tunnels through your first connection. Because the PPTP connection is a tunnel, you can route whatever packet types you want--including IPX and NetBEUI--through the tunnel over the Internet. Your ISP sees the traffic as IP packets, but when the packets reach your PPTP-configured RAS server, they leave the tunnel and enter your corporate network.

PPTP tunneling has particular significance if your IP network is using addresses that you haven't registered with InterNIC or addresses that InterNIC has reserved for private networks (such as the 10.x.x.x range). In either case, without PPTP, you could not successfully route to those addresses through the Internet. With PPTP, you can route into this type of network.

For this article, I assume that not everyone has a dedicated connection to the Internet and that many of you will use dial-up connectivity to test the configuration. Before you start, you need a fully functional RAS server on your network. Your server also must have either a dedicated or a dial-up PPP connection to the Internet through your ISP; a valid Internet IP address; and if you refer to your server by name instead of by IP address, a registered, fully qualified domain name. Your server's configuration must let dial-in clients use all the protocols available on your private network.

On the client side, the requirements are much lighter. You need an NT 4.0 client that is configured to access an ISP via PPP.

First, the Server
To get your RAS server ready to accept incoming PPTP traffic, install PPTP. In the Control Panel Network applet, select the Protocols tab and click Add. Choose Point To Point Tunneling Protocol, as shown in Screen 1. Next, in the PPTP Configuration dialog box, define the number of VPN connections you want to support. RAS can support up to 256 connections; you can always adjust this number later.

PPTP installation then launches Remote Access Setup, shown in Screen 2, where you add all your VPN devices to your RAS server, in the same way that you add modems. Select each device from the RAS Capable Devices list and click OK to add the device to your RAS configuration. Because you will use these VPN devices for inbound PPTP connections only, verify that you have configured each device to receive calls only.

Next, configure encryption for your PPTP connections--remember, your sensitive corporate data will travel through the Internet, which is a public network. In the Remote Access Setup dialog box, click Network and select Require Microsoft encrypted authentication and Require data encryption, shown in Screen 3. Note that the changes you make here affect all connections to your RAS server, including any dial-up connections. If you haven't configured some of your remote access clients to provide Microsoft-encrypted authorizations to the network, this encryption setting will isolate the remote access clients. In that case, consider implementing a secondary RAS server just for your PPTP connections.

If you have a direct connection to the Internet, for more security, you can enable PPTP filtering on your RAS server to block any non-PPTP packets from the server. Screen 4 shows how to enable filtering. On the Control Panel Network applet's Protocols tab, change your properties for TCP/IP. Click Advanced and select the check box Enable PPTP Filtering for the network adapter that is connected to the Internet. You need PPTP filtering only for direct connections to the Internet; you can't configure filtering for dial-up adapters. Be aware that your network adapter in your RAS server will ignore incoming ping and tracert packets once you have enabled PPTP filtering.
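What "only PPTP packets" means on the wire, as an added example that is not part of the original article and is not Microsoft's filter code: PPTP uses a control connection on TCP port 1723 and carries the tunneled PPP frames in GRE (IP protocol 47), so a filter that admits only those drops ICMP ping and tracert, and the inner PPP protocol field shows what rides inside the tunnel. The function names, addresses, call ID and sample packets are constructed for illustration.

```python
import struct

# PPP protocol numbers seen inside the tunnel; 0x00FD is how encrypted (MPPE) data appears.
PPP_NAMES = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI", 0x00FD: "encrypted", 0xC021: "LCP"}

def classify(pkt: bytes) -> str:
    """Verdict for one IPv4 packet: 'pptp-control', 'pptp-data:<inner>' or 'drop:<why>'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        return "drop:not-ipv4"
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == 6:                                  # TCP: PPTP control channel is port 1723
        ok = len(body) >= 4 and 1723 in struct.unpack("!HH", body[:4])
        return "pptp-control" if ok else "drop:tcp-other"
    if proto != 47:                                 # anything but GRE, e.g. ICMP ping/tracert
        return f"drop:ip-proto-{proto}"
    if len(body) < 8:
        return "drop:short-gre"
    flags, ver, ptype, plen, _call_id = struct.unpack("!BBHHH", body[:8])
    if ver & 0x07 != 1 or ptype != 0x880B:          # PPTP uses GRE version 1, type 0x880B
        return "drop:gre-not-pptp"
    off = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)  # optional seq / ack
    ppp = body[off:off + plen]
    if ppp[:2] == b"\xff\x03":                      # PPP address/control bytes, often omitted
        ppp = ppp[2:]
    if not ppp:
        return "pptp-data:ack-only"
    code = ppp[0] if ppp[0] & 1 else int.from_bytes(ppp[:2], "big")  # 1- or 2-byte protocol
    return "pptp-data:" + PPP_NAMES.get(code, hex(code))

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at 0), 192.0.2.10 -> 192.0.2.1."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + payload

def pptp_gre(ppp: bytes, seq: int = 1) -> bytes:
    """Constructed PPTP GRE header (K and S bits, version 1, call ID 7) around a PPP frame."""
    return struct.pack("!BBHHHI", 0x30, 0x01, 0x880B, len(ppp), 7, seq) + ppp

SAMPLES = {  # constructed packets, not captures
    "control": ipv4(6, struct.pack("!HH", 1040, 1723) + bytes(16)),
    "ipx": ipv4(47, pptp_gre(b"\xff\x03\x00\x2b" + bytes(30))),
    "mppe": ipv4(47, pptp_gre(b"\xfd" + bytes(30))),
    "ping": ipv4(1, b"\x08\x00" + bytes(6)),
    "plain-gre": ipv4(47, struct.pack("!BBH", 0, 0, 0x0800) + bytes(20)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify(pkt)}")
```

The same two selectors (TCP 1723 and IP protocol 47) are what an upstream router or firewall rule in front of the RAS server has to pass for the tunnel to come up.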

If your private internal network is strictly IPX or NetBEUI, you have finished your server configuration at this point and can proceed to client configuration. However, if your private network requires TCP/IP, you need to enable IP forwarding on your RAS server. As Screen 5 shows, go into the Control Panel Network applet and modify the properties for TCP/IP. Choose the Routing tab, and select Enable IP Forwarding.

Next, the Client
Now that you have successfully configured your server to accept PPTP traffic, you need to configure each workstation you plan to use. Install PPTP following the same steps you did for the server. Add your VPN device to RAS, but this time, configure the VPN device for Dial out only, as Screen 6 shows. Click Network to modify the protocols RAS can use to dial out. Be sure to include TCP/IP and the protocols you want to access on your private network (IPX or NetBEUI).

As I mentioned earlier, the client must have a functioning Internet connection. Connect your client to the Internet now.

Now you need to create a new entry in the DUN phone book to define the PPTP connection. Select Dial-Up Networking from Programs, Accessories. Create a new DUN connection using your VPN port, but instead of entering a phone number, enter the server's IP address or fully qualified domain name (if it is registered in Domain Name System--DNS), as Screen 7 shows. On the Server tab, select all the protocols (TCP/IP, IPX, and NetBEUI) on your private network that you need to access. On the Security tab, select the Accept only Microsoft encrypted authentication and Require data encryption options shown in Screen 8. Another option is Use current username and password. You can use this option if you expect your username and password on this workstation to be the same as they are in the domain you're dialing into. If you have configured everything correctly, you can now dial up your PPTP connection and connect to your private network.

A Word About Security and Performance
Now, before you tell your CIO that you plan to route your company's sensitive remote-access data over the Internet, make sure that you can answer some obvious questions. I can't cover these issues in depth, but let's review some basics of security and performance.

Microsoft's RAS server uses 40-bit RSA RC4 data encryption, derived from what is called a "shared secret"--your password. The client encrypts its data using your password, and the server does the same with its copy of your password from the security database. Because both systems (client and server) know what your password is, it never has to travel across the Internet unencrypted. This function solves a major security problem, key distribution. Both systems simply use that shared key to perform their encryption. This encryption method is extremely secure (as secure as it can be without exceeding US federal export regulations), so you can feel safe about your data being encrypted with this method. Thousands of credit card transactions occur on the Internet every day using encryption based on similar technologies. For more information on RSA encryption, or PPTP's use of RSA encryption, you can read RSA's FAQ 3.0 on Cryptography at http://www.rsa.com/rsalabs/newfaq, or view Microsoft's PPTP FAQ at http://www.microsoft.com/ntserver/info/pptpfaq.htm.

Obviously, performance over the public Internet won't be as fast as your dedicated dial-up circuits. First, you share a finite amount of bandwidth with several million other users. Keep in mind that the Internet is getting slower as time goes on. Second, running a tunneling protocol has unavoidable overhead, although Microsoft has designed PPTP to minimize overhead.

Because several factors come into play, I can't give you a rule of thumb about how PPTP will affect your system's performance. You will have to try PPTP for a while so you can weigh the cost benefits against the performance hits to determine whether PPTP is a workable solution for your organization.

The Future of PPTP
Although you can't underestimate Microsoft's marketing muscle, you need to evaluate the future of any new technology before rushing headlong into an implementation. In developing and promoting the PPTP standard, Microsoft has joined with several partners, including such name-brand players as 3Com, Ascend Communications, U.S. Robotics, and major ISPs such as UUNET. The primary competition for PPTP is a protocol called Layer 2 Forwarding (L2F). Cisco Systems developed L2F, and the protocol has gained support from Shiva and Northern Telecom. Each protocol has its strengths and weaknesses, and both protocols will meet your VPN needs adequately. To make things even more confusing, the Internet Engineering Task Force (IETF) apparently hasn't endorsed either protocol. Instead, IETF will release a final draft of a hybrid protocol, Layer 2 Tunneling Protocol (L2TP), later this year.

Microsoft currently supports PPTP only for NT 4.0. Microsoft originally expected to have support for Windows 95 by the end of 1996, but that date slipped into mid-1997 and is now expected as part of Memphis. In the interim, you have some options. Some ISPs are implementing PPTP services, so that you need to make only a PPP connection to these services. They will handle the tunneling back to your corporate network. Ask your ISP whether it offers PPTP and how you can configure the service.

As Easy As...
Here's another scenario for you. Joe, a manager in your company, tells you that he absolutely must have dial-in access to the company's network from his home PC, some bargain-basement clone you've never heard of. He can't quite tell you how it's configured, but he knows the PC is beige. Ideally, here is your conversation:

You: Can you surf the Net with your PC?

Joe: Oh, yeah. I configured it all myself. I'm running Netscape 97.

You (after rolling your eyes): Great. Here's our PPTP server's IP address. See you on the network.

I admit I'm oversimplifying. But as industry support for PPTP continues to grow, that scenario isn't unthinkable in the near future.
