Lets descript and summarize some information about PPTP and L2TP protocols.
PPTP
The Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft in conjunction with other technology companies, is the most widely supported VPN method among Windows clients. PPTP is an extension of the Internet standard Point-to-Point protocol (PPP), the link layer protocol used to transmit IP packets over serial links. PPTP uses the same types of authentication as PPP (PAP, SPAP, CHAP, MS-CHAP v.1/v.2 and EAP).
PPTP establishes the tunnel but does not provide encryption. PPTP encrypted using Microsoft Point-to-Point Encryption (MPPE) protocol to create a secure VPN. PPTP has relatively low overhead, this making it faster than some other VPN methods.
Most old vulnerabilities in PPTP are fixed these days and you can combine it with EAP to enhance it to require certificates as well. One advantage of using PPTP is that there is no requirement for a certificate infrastructure. However EAP does use digital certificates for mutual authentication (both client and server) and higher security.
How works: A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage as second GRE(generic routing encapsulation) tunnel to the same peer.
Port/rotocol: 1723 TCP and protocol GRE
User Authentication Protocol: EAP-TLS or MS-CHAP v2
Encryption method: MPPE (Microsoft Point-to-Point Encryption)
Encryption Strength: MPPE 40-128 bit
L2TP
The Layer 2 Tunneling Protocol (L2TP) was developed in cooperation between Cisco and Microsoft to combine features of PPTP with those of Cisco’s proprietary Layer 2 Forwarding (L2F) protocol.
L2TP (Layer Two Tunneling Protocol) supports non-TCP/IP clients and protocols (such as Frame Relay, ATM and SONET).
L2TP does not provide any encryption orconfidentiality by itself. It relies on an encryption protocol that it passes within the tunnel to provide privacy. Nowadays L2TP connections do not negotiate the use of PPP encryption through Microsoft Point-to-Point Encryption (MPPE). Instead, encryption is provided through the use of the Internet Protocol security (IPSec) Encapsulating Security Payload (ESP) header and trailer. It is also important to note that IPsec is more resource intensive than PPTP, hence the overhead with a L2TP solution is higher than PPTP.
Port: 1701 UDP
User Authentication Protocol: EAP-TLS or MS-CHAP v2
* In addition to providing computer-level authentication, IPSec provides end-to-end encryption for data that passes between the sending and receiving nodes.Encryption: IPSec
Encryption Strength: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms
L2TP vs PPTP
L2TP/IPSec and PPTP are similar in the following ways:
- provide a logical transport mechanism to send PPP payloads;
- provide tunneling or encapsulation so that PPP payloads based on any protocol can be sent across an IP network;
- rely on the PPP connection process to perform user authentication and protocol configuration.
Some facts about PPTP:
+ PPTP easy to deploy
+ PPTP use TCP, this reliable solution allow to retransmit lost packets
+ PPTP support
– PPTP less secure with MPPE(up to 128 bit)
– data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed
– PPTP connections require only user-level authentication through a PPP-based authentication protocol
Some facts about L2TP(over IPsec):
+ L2TP/IPSec data encryption begins before the PPP connection process
+ L2TP/IPSec connections use the AES(up to 256bit) or DESUup to three 56-bit keys)
+ L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol
+ L2TP use UDP. It is a faster, but less reliable, because it does not retransmit lost packets, is commonly used in real-time Internet communications
+ L2TP more “firewall friendly” than PPTP — a crucial advantage for an extranet protocol due to most firewalls do not support GRE
– L2TP require certificate infrastructure for issuing computer certificates
To summarize:
There’s no clear winner, but PPTP is older, more light-weight, works in most cases and clients are readily pre-installed, giving it an advantage in normally being very easy to deploy and configure (without EAP).
But for most of countries like UAE, Oman, Pakistan, Yemen, Saudi Arabia, Turkey, China, Singapore, Lebanon PPTP blocked by ISP or government so they need L2TP or SSL VPN which will describe in next posts.
Find any questions or errors? go ahead and start commenting…
PPTP和L2TP都使用PPP协议对数据进行封装,然后添加附加包头用于数据在互联网络上的传输。尽管两个协议非常相似,但是仍存在以下几方面的不同:
1.PPTP要求互联网络为IP网络。L2TP只要求隧道媒介提供面向数据包的点对点的连接。L2TP可以在IP(使用UDP),桢中继永久虚拟电路(PVCs),X.25虚拟电路(VCs)或ATM VCs网络上使用。
2.PPTP只能在两端点间建立单一隧道。L2TP支持在两端点间使用多隧道。使用L2TP,用户可以针对不同的服务质量创建不同的隧道。
3.L2TP可以提供包头压缩。当压缩包头时,系统开销(overhead)占用4个字节,而PPTP协议下要占用6个字节。
4.L2TP可以提供隧道验证,而PPTP则不支持隧道验证。但是当L2TP或PPTP与IPSEC共同使用时,可以由IPSEC提供隧道验证,不需要在第2层协议上验证隧道。
PPTP 的封装
图 1 PPTP 的封装格式
L2TP 的封装
阶段 1 :初始 L2TP 封装
阶段 2 : IPSec 封装
图 2 L2TP 的两阶段封装
VPN中PPTP/L2TP协议的联系与区别
3、两者的联系与区别:
以上是vpn中pptp与l2tp的一些基本知识,在下一篇文章中将会介绍ipsec vpn 与ssl vpn,这两种技术是现在很流行的,请大家关注!
声明: 本文由( liva )原创编译,转载请保留链接: PPTP vs L2TP
PPTP vs L2TP:等您坐沙发呢!
发表评论
