In the previous article we discussed the VPN authentication protocols used with Windows Server editions. We cannot talk about VPN authentication protocols without also talking about the VPN tunneling protocols that can be used with Windows Server 2008 and 2012, because the tunnel decides how much the authentication exchange is actually protected. Depending on your company's needs, you can opt for one of the following four VPN protocols:
PPTP (Point-to-Point Tunneling Protocol) – one of the first VPN protocols and still in use today. It carries PPP frames inside a GRE tunnel (with a control connection on TCP port 1723) and uses MPPE (Microsoft Point-to-Point Encryption), an RC4-based cipher, to encrypt the data sent by VPN clients. Although it provides data confidentiality, it offers neither data origin authentication nor data integrity, and the MPPE keys are derived from the MS-CHAPv2 exchange, whose DES-based challenge/response can be cracked offline; PPTP should therefore be treated as broken rather than merely dated. PPTP connections are authenticated with one of the PPP authentication protocols: PAP, CHAP, MS-CHAP, MS-CHAPv2 or EAP (PEAP is one of the EAP methods). Note that MPPE only has key material when MS-CHAP, MS-CHAPv2 or EAP-TLS is used; with PAP or CHAP the PPP payload is not encrypted at all. PPTP can be used with EAP-TLS, but that requires a local CA (Certification Authority) and a certificate installed on the VPN server. Clients do not need a copy of the server certificate, only trust in the CA that issued it; EAP-TLS does, however, authenticate each client with its own certificate as well. PPTP is mostly used for compatibility with non-Microsoft products, since practically every operating system supports it. You should opt for a newer VPN protocol whenever possible, because the others offer considerably better security.
L2TP/IPsec (Layer 2 Tunneling Protocol with Internet Protocol Security) – a tunneling protocol that by itself provides neither encryption nor confidentiality. With the Microsoft VPN server it is combined with IPsec, which protects the L2TP traffic (UDP port 1701) with ESP in transport mode before it is sent into the tunnel; the IKE negotiation runs over UDP 500, or UDP 4500 when NAT traversal is needed. There are two levels of authentication in an L2TP/IPsec connection:
Computer authentication – performed by IPsec, using either digital certificates issued by a CA trusted by both the server and the client, or a preshared key. A preshared key is simpler to deploy but is the same secret on every client, so prefer certificates.
User authentication – performed inside the tunnel, using one of the PPP authentication protocols discussed in the previous article.
This protocol offers data origin authentication, data confidentiality, data integrity and replay protection, all provided by IPsec ESP.
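As an added example (not code from the original article), the PowerShell below creates client profiles for the two protocols just described and then audits the machine's VPN profiles for the weak combinations: PPTP itself, PAP/CHAP (no MPPE keys), and an encryption level that lets the server negotiate encryption away. It uses the VpnClient module (Windows 8 / Windows Server 2012 or later); the hostname vpn.example.com, the connection names and the PSK value are placeholders.

```powershell
# Added example: VPN client profiles plus an audit of weak settings.
# Assumptions: vpn.example.com and the profile names are placeholders; the PSK is a
# dummy value; the VpnClient module (Windows 8 / Server 2012, PowerShell 3.0+) is present.

# PPTP: the best available combination is MS-CHAPv2 plus mandatory MPPE. With PAP or
# CHAP, PPTP has no key material for MPPE and the PPP payload travels in clear.
Add-VpnConnection -Name 'Legacy-PPTP' -ServerAddress 'vpn.example.com' `
    -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# L2TP/IPsec with a preshared key for computer authentication: easy to roll out, but
# the same secret sits on every client.
Add-VpnConnection -Name 'L2TP-PSK' -ServerAddress 'vpn.example.com' `
    -TunnelType L2tp -L2tpPsk 'replace-with-a-long-random-secret' `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# L2TP/IPsec with a machine certificate from the CA both sides trust (no -L2tpPsk):
# the only difference from the profile above is how IPsec authenticates the computers.
Add-VpnConnection -Name 'L2TP-Cert' -ServerAddress 'vpn.example.com' `
    -TunnelType L2tp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

function Get-WeakVpnConnection {
    # Returns one object per profile whose tunnel type, authentication method or
    # encryption level undermines confidentiality, with the reasons spelled out.
    Get-VpnConnection | ForEach-Object {
        $reasons = @()
        if ($_.TunnelType -eq 'Pptp') {
            $reasons += 'PPTP: no integrity or origin authentication; MS-CHAPv2 is crackable offline'
        }
        if ($_.AuthenticationMethod -contains 'Pap' -or $_.AuthenticationMethod -contains 'Chap') {
            $reasons += 'PAP/CHAP: no MPPE keys, so a PPTP payload is not encrypted'
        }
        if ($_.EncryptionLevel -in 'NoEncryption', 'Optional') {
            $reasons += "EncryptionLevel $($_.EncryptionLevel): encryption can be negotiated away"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name       = $_.Name
                TunnelType = $_.TunnelType
                AuthMethod = ($_.AuthenticationMethod -join ',')
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# On the machine above this lists Legacy-PPTP only; the two L2TP profiles pass.
Get-WeakVpnConnection | Format-Table -AutoSize
```

The audit deliberately treats PPTP as a finding on its own, independent of the authentication method, because the weakness is in the protocol design and cannot be configured away.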
SSTP (Secure Socket Tunneling Protocol) – a tunneling protocol (not an authentication protocol) that encapsulates PPP traffic in an SSL/TLS channel. The traffic is carried as HTTPS (Hypertext Transfer Protocol Secure) over TCP port 443, so it passes through almost all routers and firewalls, since that port is usually open towards the public Internet. SSL/TLS provides transport-level security with key negotiation, integrity checking and encryption, and the PPP authentication exchange happens only after the TLS channel is up, which is the main advantage over PPTP. To deploy SSTP successfully in your organization you need to take several factors into consideration. SSTP is supported only on Windows Server 2008 or newer, so it cannot be used with Windows Server 2003 (clients need Windows Vista SP1 or later). You also need a trusted CA to issue a certificate for the server, and that certificate must be installed before Routing and Remote Access is enabled. Clients then connect using the VPN server hostname, which must match the subject name (or a subject alternative name) in the SSL certificate, and they must trust the CA that issued it; a name mismatch or an untrusted chain makes the connection fail. Note that SSTP cannot be used for site-to-site tunnels, and SSTP traffic cannot be tunneled through web proxies that require authentication.
IKEv2 (Internet Key Exchange version 2) – a VPN tunneling protocol supported by the Routing and Remote Access Service (RRAS) from Windows Server 2008 R2 onwards, with Windows 7 or later on the client side. IKEv2 negotiates the SAs (Security Associations) of the IPsec communication that protects the tunnel; the IKE exchange runs over UDP 500 and UDP 4500 with NAT traversal, and the data travels inside IPsec ESP. Computers are authenticated with certificates (users can additionally be authenticated with EAP), so you need a local CA issuing certificates with the right Enhanced Key Usage (EKU) values: the server certificate must carry both Server Authentication (1.3.6.1.5.5.7.3.1) and IP security IKE intermediate (1.3.6.1.5.5.8.2.2). Generate this authentication certificate and import it into the VPN server's computer certificate store. IKEv2 supports VPN Reconnect (also known as Agile VPN), built on the IKEv2 mobility extension MOBIKE, which tolerates network interruptions: the VPN connection is re-established without user intervention once Internet connectivity returns. Read more about IKE in the Wikipedia article on Internet Key Exchange.
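Both SSTP and IKEv2 stand or fall on the server certificate, so here is an added example (not code from the original article) that checks, on the RRAS server, whether a certificate in the computer's Personal store is one clients will accept: hostname present as subject CN or SAN, the EKUs each protocol requires, not expired, and a chain that validates to a trusted root. It then confirms TCP 443 is reachable for SSTP and creates an IKEv2 client profile using machine-certificate authentication. Assumptions: the hostname vpn.example.com and profile name are placeholders, and Windows PowerShell 3.0 or later is used (the DnsNameList and EnhancedKeyUsageList properties come from its certificate provider).

```powershell
# Added example: validate the RRAS server certificate for SSTP / IKEv2.
# Assumptions: vpn.example.com is a placeholder hostname; the certificate lives in
# Cert:\LocalMachine\My; Windows PowerShell 3.0+ (DnsNameList / EnhancedKeyUsageList).

$RequiredEku = @{
    Sstp  = @('1.3.6.1.5.5.7.3.1')                        # Server Authentication
    Ikev2 = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2')   # + IP security IKE intermediate
}

function Test-RrasServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][ValidateSet('Sstp', 'Ikev2')][string]$Protocol
    )
    $cnPattern = 'CN=' + [regex]::Escape($HostName) + '(,|$)'
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
    if (-not $certs) { throw 'No certificate with a private key in Cert:\LocalMachine\My' }

    foreach ($cert in $certs) {
        $problems = @()

        # Clients connect by hostname, so it must be the subject CN or a SAN dNSName.
        if (-not ($cert.Subject -match $cnPattern -or $cert.DnsNameList.Unicode -contains $HostName)) {
            $problems += "name mismatch: $HostName not in subject/SAN"
        }

        # Each protocol needs its own set of EKUs; IKEv2 needs the IKE intermediate OID too.
        $oids = @($cert.EnhancedKeyUsageList.ObjectId)
        foreach ($eku in $RequiredEku[$Protocol]) {
            if ($oids -notcontains $eku) { $problems += "missing EKU $eku" }
        }

        if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }

        # Verify() builds the chain against this machine's trusted roots; a client that
        # does not trust the issuing CA fails in the same way.
        if (-not $cert.Verify()) { $problems += 'chain does not validate to a trusted root' }

        [pscustomobject]@{
            Protocol   = $Protocol
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

$VpnHostName = 'vpn.example.com'
Test-RrasServerCertificate -HostName $VpnHostName -Protocol Sstp  | Format-Table -AutoSize
Test-RrasServerCertificate -HostName $VpnHostName -Protocol Ikev2 | Format-Table -AutoSize

# SSTP rides on TCP 443: confirm from a client that the port is reachable
# (Test-NetConnection exists on Windows 8.1 / Server 2012 R2 and later).
Test-NetConnection -ComputerName $VpnHostName -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# IKEv2 client profile with computer-certificate authentication; VPN Reconnect is
# handled by the OS for Ikev2 tunnels without extra settings.
Add-VpnConnection -Name 'Corp-IKEv2' -ServerAddress $VpnHostName -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required -Force
Get-VpnConnection -Name 'Corp-IKEv2' |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
```

A certificate that reports Usable = $false for Ikev2 but $true for Sstp is the usual sign that it was requested from a plain Web Server template, which carries only the Server Authentication EKU; request it again from a template that adds IP security IKE intermediate.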
This was a short introduction to the VPN protocols that can be used on Windows Server editions. It should give you an overview of these protocols so that you can better understand VPN technologies. For any questions on this topic, use the comments section. Wish you a wonderful day!