PPTP vs L2TP

Lets descript and summarize some information about PPTP and L2TP protocols.

PPTP

The Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft in conjunction with other technology companies, is the most widely supported VPN method among Windows clients. PPTP is an extension of the Internet standard Point-to-Point protocol (PPP), the link layer protocol used to transmit IP packets over serial links. PPTP uses the same types of authentication as PPP (PAP, SPAP, CHAP, MS-CHAP v.1/v.2 and EAP).

PPTP establishes the tunnel but does not provide encryption. PPTP encrypted using Microsoft Point-to-Point Encryption (MPPE) protocol to create a secure VPN. PPTP has relatively low overhead, this making it faster than some other VPN methods.

Most old vulnerabilities in PPTP are fixed these days and you can combine it with EAP to enhance it to require certificates as well. One advantage of using PPTP is that there is no requirement for a certificate infrastructure. However EAP does use digital certificates for mutual authentication (both client and server) and higher security.

How works: A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage as second GRE(generic routing encapsulation) tunnel to the same peer.

Port/rotocol: 1723 TCP and protocol GRE

User Authentication Protocol: EAP-TLS or MS-CHAP v2

Encryption method: MPPE (Microsoft Point-to-Point Encryption)

Encryption Strength: MPPE 40-128 bit

L2TP

The Layer 2 Tunneling Protocol (L2TP) was developed in cooperation between Cisco and Microsoft to combine features of PPTP with those of Cisco’s proprietary Layer 2 Forwarding (L2F) protocol.

L2TP (Layer Two Tunneling Protocol) supports non-TCP/IP clients and protocols (such as Frame Relay, ATM and SONET).

L2TP does not provide any encryption orconfidentiality by itself. It relies on an encryption protocol that it passes within the tunnel to provide privacy. Nowadays L2TP connections do not negotiate the use of PPP encryption through Microsoft Point-to-Point Encryption (MPPE). Instead, encryption is provided through the use of the Internet Protocol security (IPSec) Encapsulating Security Payload (ESP) header and trailer. It is also important to note that IPsec is more resource intensive than PPTP, hence the overhead with a L2TP solution is higher than PPTP.

Port: 1701 UDP

User Authentication Protocol: EAP-TLS or MS-CHAP v2

Encryption: IPSec

Encryption Strength: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms

L2TP vs PPTP

L2TP/IPSec and PPTP are similar in the following ways:

• provide a logical transport mechanism to send PPP payloads;
• provide tunneling or encapsulation so that PPP payloads based on any protocol can be sent across an IP network;
• rely on the PPP connection process to perform user authentication and protocol configuration.

Some facts about PPTP:

+ PPTP easy to deploy

+ PPTP use TCP, this reliable solution allow to retransmit lost packets

+ PPTP support

– PPTP less secure with MPPE(up to 128 bit)

– data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed

– PPTP connections require only user-level authentication through a PPP-based authentication protocol

Some facts about L2TP(over IPsec):

+ L2TP/IPSec data encryption begins before the PPP connection process

+ L2TP/IPSec connections use the AES(up to 256bit) or DESUup to three 56-bit keys)

+ L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol

+ L2TP use UDP. It is a faster, but less reliable, because it does not retransmit lost packets, is commonly used in real-time Internet communications

+ L2TP more “firewall friendly” than PPTP — a crucial advantage for an extranet protocol due to most firewalls do not support GRE

– L2TP require certificate infrastructure for issuing computer certificates

To summarize:

There’s no clear winner, but PPTP is older, more light-weight, works in most cases and clients are readily pre-installed, giving it an advantage in normally being very easy to deploy and configure (without EAP).

But for most of countries like UAE, Oman, Pakistan, Yemen, Saudi Arabia, Turkey, China, Singapore, Lebanon PPTP blocked by ISP or government so they need L2TP or SSL VPN which will describe in next posts.

Find any questions or errors? go ahead and start commenting…

PPTP和L2TP都使用PPP协议对数据进行封装，然后添加附加包头用于数据在互联网络上的传输。尽管两个协议非常相似，但是仍存在以下几方面的不同：

1.PPTP要求互联网络为IP网络。L2TP只要求隧道媒介提供面向数据包的点对点的连接。L2TP可以在IP（使用UDP），桢中继永久虚拟电路（PVCs),X.25虚拟电路（VCs）或ATM VCs网络上使用。

2.PPTP只能在两端点间建立单一隧道。L2TP支持在两端点间使用多隧道。使用L2TP，用户可以针对不同的服务质量创建不同的隧道。

3.L2TP可以提供包头压缩。当压缩包头时，系统开销（overhead）占用4个字节，而PPTP协议下要占用6个字节。

4.L2TP可以提供隧道验证，而PPTP则不支持隧道验证。但是当L2TP或PPTP与IPSEC共同使用时，可以由IPSEC提供隧道验证，不需要在第2层协议上验证隧道。

PPTP 的封装

     原始 IP 数据报在 PPTP 客户机和 PPTP 服务器之间传输时， PPTP 封装它。图 1 显示了 PPTP 信息包的封装格式：

图 1 PPTP 的封装格式

   在 上图中，原始数据报首先封装在 PPP 帧里。使用 PPP 可压缩和加密该部分数据。然后将 PPP 帧封装在 GRE （ Generic Routing Encapsulation ）帧里，该帧是 PPTP 客户机和 PPTP 服务器之间发送的新 IP 数据报的有效负载。该新数据报的源和目标 IP 地址将和 PPTP 客户机及 PPTP 服务器的 IP 地址相对应。执行中该数据报将进一步封装在数据链路层帧里并且有正确的信息头和信息尾。

L2TP 的封装    

      和PPTP 相似，当经过传输网络传送时， L2TP 封装原始 IP 数据报。由于在 L2TP 中，是靠 IPSec 提供加密功能，所以 L2TP 封装分两个阶段完成：初始 L2TP 封装和 IPSec 封装。

阶段 1 ：初始 L2TP 封装

阶段 2 ： IPSec 封装

图 2 L2TP 的两阶段封装

   如 图 2 所示， L2TP 首先将原始数据报封装在 PPP 帧里（和 PPTP 一样）；然后将 PPP 帧插入到有 UDP 信息头和 L2TP 信息头的新 IP 数据报。然后结果数据报再应用 IPSec 加密。在这里，应用了 IPSec 标准中的封装安全载荷（ ESP ）协议的信息头和信息尾以及 IPSec 验证信息尾，这样就保证了信息的完整性和机密性以及信息源的身份验证。最外层 IP 报头所包含的源和目标 IP 地址与 VPN 客户机和 VPN 服务器相对应。

VPN中PPTP/L2TP协议的联系与区别

以上是vpn中pptp与l2tp的一些基本知识，在下一篇文章中将会介绍ipsec vpn 与ssl vpn，这两种技术是现在很流行的，请大家关注！