Q: What VPN protocol do you recommend for Windows 7 clients?
October 13, 2010
A: Windows 7 and Windows Server 2008 R2 support four VPN protocols: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), and Internet Key Exchange version 2 (IKEv2, also referred to as VPN Reconnect) protocol. You can get a list of the available VPN options for remote access in Windows 7 if you open the properties of an existing RAS or VPN connection (in the Network Connections container of the Network and Sharing Center). Click the Type of VPN drop-down on the Security tab, as Figure 1 shows.
Figure 1: Available VPN types in Windows 7
On the Windows client side, VPN protocols are available through the built-in VPN client. On the server side, they're supported through the Windows Server VPN server, also known as Routing and Remote Access Services (RRAS).
PPTP uses TCP and Generic Routing Encapsulation (GRE) to tunnel Point-to-Point Protocol (PPP) packets. Even though PPTP has known security vulnerabilities and is the oldest of the four protocols, it is still widely deployed. (See this site for an illustration of some of the Microsoft PPTP vulnerabilities.) L2TP is an evolution of Microsoft’s PPTP and Cisco's Layer 2 Forwarding (L2F) protocol. It uses IPsec to secure the traffic inside the VPN tunnel.
Both PPTP and L2TP/IPsec can have problems when they traverse firewalls, Network Address Translation (NAT) devices, and web proxies. SSTP—a newer VPN protocol that Microsoft added in Windows Vista Service Pack 1 (SP1) and Windows Server 2008—solves these connectivity problems by using HTTP over SSL—in short, HTTPS. HTTPS uses port 443 by default, which can be easily configured on firewalls to support SSTP traversal.
Microsoft added IKEv2 support in Windows 7 and Windows Server 2008 R2. In Windows, IKEv2 refers to a combination of the following protocols: IPsec Tunnel Mode (as defined in RFC 4301), IKEv2 (defined in RFC 4306, used by IPsec for key negotiation), Encapsulating Security Payload (ESP, defined in RFC 4303, for secure packet transmission), and MOBIKE (the IKEv2 Mobility and Multihoming Protocol, defined in RFC 4555, for switching tunnel endpoints when the underlying interface changes). MOBIKE is implemented through a new service called the Mobility Manager and it gives the IKEv2 VPN option a very powerful feature: support for IP address persistence. This means that after a temporary drop of the network connection, the VPN client and applications running on top of the VPN tunnel will see no break in connectivity and can continue without restarting the connection. For more IKEv2 insights, refer to this Technet blog article.
Table 1 lists critical variables that will drive your VPN tunnel choice. It compares the supported OSs, IP protocol versions, authentication methods, and data encryption algorithms of the four VPN protocols.
Tunnel Protocol | OS support | IPv4, IPv6 support | Authentication | Data Encryption Algorithms |
---|---|---|---|---|
PPTP | XP, 2003, Vista, WS08, W7, WS08 R2 | Only works over IPv4. Can relay IPv4 and IPv6 traffic in tunnel. | User authentication (password—MSCHAPv2—or certificate—EAP) via PPP | RC4—OSs prior to Vista support 40/56/128-bit RC4. Vista and later OSs support only 128-bit RC4. |
L2TP/IPsec | XP, 2003, Vista, WS08, W7, WS08 R2 | Works over IPv4 and IPv6 networks. Can relay IPv4 and IPv6 traffic in tunnel. | Machine authentication via IPsec followed by user authentication (password—MSCHAPv2—or certificate—EAP) via PPP | DES, 3DES, AES—OSs prior to Vista support DES and 3DES. Vista and later OSs support 3DES and AES. |
SSTP | Vista SP1, WS08, W7, WS08 R2 | Works over IPv4 and IPv6 networks. Can relay IPv4 and IPv6 traffic in tunnel. | User authentication (password—MSCHAPv2—or certificate—EAP) via PPP | RC4, AES |
IKEv2 (VPN Reconnect) | W7, WS08 R2 | Works over IPv4 and IPv6 networks. Can relay IPv4 and IPv6 traffic in tunnel. | Machine (certificate) or user authentication (password—EAP-MSCHAPv2—or certificate—EAP) via IKEv2 | 3DES, AES |
Note that L2TP/IPsec always requires machine authentication followed by user authentication. For machine authentication, it can use a pre-shared key or a certificate. Pre-shared keys aren't very secure. Deploying machine certificates to every L2TP/IPsec-based VPN client machine, on the other hand, requires a Public Key Infrastructure (PKI). Neither SSTP nor IKEv2 requires a pre-shared key or certificate for client machine authentication (even though both require a server certificate). SSTP and IKEv2 also perform better and establish connections faster than L2TP/IPsec.
To summarize, in Windows 7 and Server 2008 R2 environments, I recommend you use IKEv2 wherever you can, and use SSTP as the fallback mechanism. That way you get secure and uninterrupted VPN connectivity over an IKEv2 tunnel whenever it's possible, and VPN connectivity falls back to an SSTP tunnel that can traverse firewalls, NAT devices, and web proxies when IKEv2 can't be used.
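As an added example that is not part of the original column, the following PowerShell script applies that recommendation on a Windows 7 client with the built-in rasdial.exe: it tries an IKEv2 connection entry first and falls back to an SSTP entry only after confirming that TCP 443 (the HTTPS port SSTP uses) is reachable. The entry names "Corp-IKEv2" and "Corp-SSTP" and the server name vpn.example.com are placeholders, and the script assumes both entries already exist in Network Connections with their credentials saved (or, for IKEv2, a machine certificate).

```powershell
# Added example: IKEv2 first, SSTP fallback, using rasdial.exe on Windows 7.
# Entry names and host name below are placeholders, not values from the column.
param(
    [string]$VpnHost   = "vpn.example.com",   # placeholder VPN server name
    [string]$IkeEntry  = "Corp-IKEv2",        # existing entry, Type of VPN = IKEv2
    [string]$SstpEntry = "Corp-SSTP"          # existing entry, Type of VPN = SSTP
)

function Test-Tcp443 {
    param([string]$HostName)
    # SSTP rides on HTTPS, so a reachable TCP 443 is a cheap precondition check
    # before spending time on the fallback attempt.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 443, $null, $null)
        $reachable = $async.AsyncWaitHandle.WaitOne(3000, $false)   # 3 s timeout
        if ($reachable) { $client.EndConnect($async) }
        return $reachable
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Connect-Entry {
    param([string]$Entry)
    # rasdial.exe returns 0 when the entry connects and a RAS error code otherwise.
    # To be prompted for a password instead of using saved credentials, call
    # rasdial.exe $Entry <user> *
    $output = & rasdial.exe $Entry 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Connected using '$Entry'"
        return $true
    }
    Write-Warning "rasdial '$Entry' failed (exit code $LASTEXITCODE): $output"
    return $false
}

# Preferred path: IKEv2 (VPN Reconnect) for MOBIKE-based address persistence.
if (Connect-Entry -Entry $IkeEntry) { exit 0 }

# Fallback path: SSTP over TCP 443, which firewalls and proxies usually pass.
if (-not (Test-Tcp443 -HostName $VpnHost)) {
    Write-Error "TCP 443 to $VpnHost is unreachable; SSTP fallback is not possible."
    exit 1
}
if (Connect-Entry -Entry $SstpEntry) { exit 0 }
exit 1
```

Run it from an elevated or standard PowerShell prompt after creating both entries in the Network Connections container; the exit code tells a logon script whether either tunnel came up.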