Reprinted with permission from the Windows 2000 Resource Kits
Security is a vital part of a VPN. The following sections describe the security facilities of PPTP and L2TP over IPSec VPN connections.
PPTP offers user authentication and encryption.
The user attempting the PPTP connection is authenticated using PPP-based user authentication protocols such as EAP,
PPTP inherits MPPE encryption, which uses the Rivest-Shamir-Adleman (RSA) RC4 stream cipher. MPPE is only available when either the EAP-TLS or
MPPE can use 40-bit, 56-bit, or 128-bit encryption keys. The 40-bit key provides backward compatibility with non-Windows 2000 clients. By default, the highest key strength supported by the VPN client and VPN server is negotiated during the connection establishment process. If the VPN server requires a higher key strength than is supported by the VPN client, the connection attempt is rejected.
MPPE was originally designed for encryption across a point-to-point link where packets arrive in the same order in which they were sent with little packet loss. For this environment, the decryption of each packet depends on the decryption of the previous packet.
For VPNs, however, IP datagrams sent across the Internet can arrive in a different order from the one in which they were sent, and a higher proportion of packets can be lost. Therefore, MPPE for VPN connections changes the encryption key for each packet. The decryption of each packet is independent of the previous packet. MPPE includes a sequence number in the MPPE header. If packets are lost or arrive out of order, the encryption keys are changed relative to the sequence number.
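As an added illustration (not code from the Resource Kit or from Windows), the following Python models the stateless per-packet rekeying described above as specified in RFC 3078: each side derives the next RC4 key from the initial session key and the current key, and the receiver uses the 12-bit coherency count from the MPPE header to step its key ahead over lost packets and to discard late or duplicate ones. The 128-bit session key is a constructed sample value, and the class is a simplified model of the key schedule, not a bit-exact MPPE implementation.

```python
import hashlib

# RFC 3078 GetNewKey padding; the MPPE header carries a 12-bit coherency count
SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40
CCOUNT_SPACE = 4096

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def change_key(initial_key: bytes, current_key: bytes) -> bytes:
    """RFC 3078 ChangeKey (128-bit case): SHA-1 over initial and current key, then RC4 the digest with itself."""
    n = len(initial_key)
    interim = hashlib.sha1(initial_key + SHA_PAD1 + current_key + SHA_PAD2).digest()[:n]
    return rc4(interim, interim)

class MppeStateless:
    """One stateless-mode MPPE endpoint: a fresh key for every packet, resynchronised from the count."""
    def __init__(self, initial_key: bytes):
        self.initial, self.key, self.count = initial_key, initial_key, 0

    def _step(self):
        self.key = change_key(self.initial, self.key)
        self.count = (self.count + 1) % CCOUNT_SPACE

    def encrypt(self, plaintext: bytes):
        self._step()  # sender: change the key before every packet
        return self.count, rc4(self.key, plaintext)  # count travels in the MPPE header

    def decrypt(self, count: int, ciphertext: bytes) -> bytes:
        steps = (count - self.count) % CCOUNT_SPACE  # how far the sender's key has moved on
        if steps == 0 or steps > CCOUNT_SPACE // 2:
            raise ValueError("duplicate or late packet, discarded")
        for _ in range(steps):  # skip over the keys of any packets lost in transit
            self._step()
        return rc4(self.key, ciphertext)
```

Because decryption of a packet never depends on having decrypted the previous one, a receiver that saw packets 1 and 3 but not 2 still recovers packet 3 by advancing its key twice.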
A PPTP-based VPN server typically has two physical interfaces: one interface on the shared or public network like the Internet, and another on the private intranet. It also has a virtual interface connecting to all VPN clients. For the VPN server to forward traffic between VPN clients, IP forwarding must be enabled on all interfaces. However, enabling forwarding between the two physical interfaces causes the VPN server to route all IP traffic from the shared or public network to the intranet. To protect the intranet from all traffic not sent by a VPN client, PPTP packet filtering must be configured so that the VPN server only performs routing between VPN clients and the intranet and not between potentially malicious users on the shared or public network and the intranet.
PPTP packet filtering can be configured on either the VPN server or on an intermediate firewall. For more information, see "VPNs and Firewalls" later in this chapter.
L2TP over IPSec offers user authentication, mutual computer authentication, encryption, data authentication, and data integrity.
Authentication of the VPN client occurs at two different levels: the computer is authenticated, and then the user is authenticated.
Mutual computer authentication of the VPN client and the VPN server is performed when you establish an IPSec ESP security association (SA) through the exchange of computer certificates. IPSec Phase I and Phase II negotiation occurs, and an IPSec SA is established with an agreed encryption algorithm, hash algorithm, and encryption keys.
To use L2TP over IPSec, a computer certificate must be installed on both the VPN client and the VPN server. You can obtain computer certificates automatically by configuring an auto-enrollment Windows 2000 Group Policy or manually using the Certificates snap-in. For more information, see Windows 2000 Server Help.
The user attempting the L2TP connection is authenticated using PPP-based user authentication protocols such as EAP,
L2TP also provides a way to authenticate the endpoints of an L2TP tunnel during the tunnel establishment process known as L2TP tunnel authentication. By default, Windows 2000 does not perform L2TP tunnel authentication. For more information about configuring Windows 2000 for L2TP tunnel authentication, see the Microsoft Knowledge Base link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
Encryption is determined by the establishment of the IPSec SA. The available encryption algorithms include:
Because IPSec was designed for IP internetworks where packets can be lost and arrive out of order, each IPSec packet is decrypted independently of other IPSec packets.
The initial encryption keys are derived from the IPSec authentication process. For DES-encrypted connections, new encryption keys are generated after every 5 minutes or 250 megabytes of data transferred. For 3DES-encrypted connections, new encryption keys are generated after every hour or 2 gigabytes of data transferred. For AH-protected connections, new hash keys are generated after every hour or 2 gigabytes of data transferred. For more information about IPSec, see "Internet Protocol Security" in the TCP/IP Core Networking Guide.
Data authentication and integrity are provided by one of the following:
Just as in PPTP-based VPN connections, enabling forwarding between the interfaces on the public or shared network and the intranet causes the VPN server to route all IP traffic from the shared or public network to the intranet. To protect the intranet from all traffic not sent by a VPN client, you must configure L2TP over IPSec packet filtering so that the VPN server only performs routing between VPN clients and the intranet and not between potentially malicious users on the shared or public network and the intranet.
L2TP over IPSec packet filtering can be configured on either the VPN server or on an intermediate firewall. For more information, see "VPNs and Firewalls" later in this chapter.
© 1985-2000 Microsoft Corporation. All rights reserved.