Since this guide deals with the creation of Virtual Private Networks within the various Windows operating systems, we will deal in detail only with the two VPN implementations that Microsoft supports, "Point to Point Tunneling Protocol "(PPTP) and "Layer Two Tunneling Protocol with IPSec" (L2TP/IPSec).

First, let's have a look at the aptly named Point to Point Tunneling Protocol

Currently the most common method of Virtual Private Network connection, and certainly the easiest to set up in a Windows environment is Point to Point Tunneling Protocol (PPTP). Microsoft's implementation of PPTP uses the Point-to-Point Protocol (PPP) to initially encapsulate the data, then encrypts this with Microsoft's Point-to-Point Encryption (MPPE). Authentication is provided by Windows' built in dial-up authentication protocols; MS-CHAP, MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol) and EAP (Extensible Authentication Protocol).

These protocols provide a means of authenticating both the client and the VPN server by means of a user name and password, in the case of MS-CHAP, or a computer certificate or smart card in the case of EAP.

Once the data is encrypted, it is encapsulated again, this time inside a GRE (Generic Routing Encapsulation) packet, which provides the information necessary to transmit PPP information over the Internet. We now have the original data encrypted and enclosed within a Point-to point protocol data packet, then further encapsulated within a GRE packet for transmission across the Internet. To successfully transmit the data, two more layers must be added.

First, an IP header containing the source and destination IP addresses is constructed, then finally a data-link header and trailer appropriate to the type of network being used. In the case of the internet, an Ethernet header with the appropriate MAC addresses for the local network interface and the gateway. PPTP uses a separate, unencrypted command channel to carry the commands used to open, close and maintain the connection. This uses port 1723 on the server, and a dynamic port on the client.

A newer VPN technology, L2TP (Layer 2 Tunneling Protocol) combines some of the features of PPTP with Cisco's Layer 2 Forwarding (L2F) Protocol. In the Windows implementation, L2TP wraps the whole thing up in Microsoft's version of the IPSec (IP Security) encryption and authentication protocols.

IPSec is used both to encrypt the data securely and to authenticate both ends of the connection at the computer level via the exchange of a security certificate or pre-shared key. Standard PPP authentication (MS-CHAP, EAP) is still used to validate the user with a user name and password combination. As with PPTP virtual private networks, the IPSec authentication provides an extra level of security by assuring that the machines at both ends of the VPN are known and trusted.

L2TP can be used without IPSec, but this would not be a feasible option, as it uses no other form of encryption. L2TP VPNs do not use a separate, unencrypted connection to send control information as PPTP ones do. Rather, data needed to start, maintain and close a VPN tunnel through the Internet is sent and received through the same port, in the same form as the data from that tunnel, using L2TP control data instead of the PPP encapsulated data that would normally be the payload. L2TP uses IPSec to encrypt and unencrypt both the control and the data packets.

< Previous Page

© 2025 PCSTATS.com Please respect the time and effort that went into creating each PCSTATS Beginners Guide, do not illegally copy. Thank you.

Next Page >