Difference between PPTP and L2TP?

Hi guys,

I was wondering what are the exact differences between the 2 types of VPN? I know PPTP offers encryption (as i've looked at the security tab of the VPN connection and seen the option to require encryption or the line is dropped). I have only ever used PPTP in real life as i've heard L2TP is a pain in the backside to set up and if the level of encryption isn't that much better for L2TP, what are the reasons for choosing it?

:

Also, I have been looking into the whole certificates thing and it confuses me a bit for the following reason..

How does a client know whether or not it needs to use certificates to access information? For example, if I installed CA on a domain controller, would EVERYTHING that is accessed from the Server require certificates on client side? Also, if you install CA on one Server, do certificates then apply to all member Servers and other DCs in the domain or is it just for that particular Server?

I'm sorry to ask so many questions on here but I find that the MS book doesn't actually explain the reasoning behind it all and the real-life practical questions/explanations. I find it better to ask the guys who can explain it properly and how it works in the real world, i.e. this forum

Find more posts tagged with

Comments

dynamik

mr2nut wrote:

Hi guys,

Yo.

mr2nut wrote:

I was wondering what are the exact differences between the 2 types of VPN? I know PPTP offers encryption (as i've looked at the security tab of the VPN connection and seen the option to require encryption or the line is dropped). I have only ever used PPTP in real life as i've heard L2TP is a pain in the backside to set up and if the level of encryption isn't that much better for L2TP, what are the reasons for choosing it? :

Well, it is better. That matters when security is a priority. L2TP requires certificates; PPTP does not. If you have an in-house CA and only your users, it's really not that bad to setup. As you get into more complicated scenarios (3rd party access, trusts with other forests, etc.) it gets more complicated. I use PPTP here.

mr2nut wrote:

Also, I have been looking into the whole certificates thing and it confuses me a bit for the following reason..

How does a client know whether or not it needs to use certificates to access information? For example, if I installed CA on a domain controller, would EVERYTHING that is accessed from the Server require certificates on client side? Also, if you install CA on one Server, do certificates then apply to all member Servers and other DCs in the domain or is it just for that particular Server?

It knows if a certificate is required. It needs one for EFS, signing/encrypting email, SSL in some circumstances, etc. Whatever you configure. Setting up a CA doesn't just automatically require certs on everything. If you want to use SSL with IIS, you have to go into IIS and configure it, etc. You can configure certs to be distributed through autoenrollment or you can obtain them manually through the the IIS site on the CA or the certificates console.

mr2nut wrote:

I'm sorry to ask so many questions on here but I find that the MS book doesn't actually explain the reasoning behind it all and the real-life practical questions/explanations. I find it better to ask the guys who can explain it properly and how it works in the real world, i.e. this forum

No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

undomiel

For additional info and an overview of the differences between l2tp and pptp.

http://technet.microsoft.com/en-us/library/bb742553.aspx

l2tp can use pre-shared keys instead of certificates.

mr2nut

Thanks for the detailed reply man

So am I right in thinking that anything that uses SSL or https, requires certificates to be sent from either party, but with bog standard http, data has more basic encryption, or none at all?

I've heard quite a few stories about the PKI and CA stuff in this book, it confuses the hell out of me and although i'm no master of everything MS, i'm definately a good administrator who picks things up quite quickly.

dynamik

Just for the record, using PSKs with L2TP is not considered a best practice and should only be used for testing. If you don't have a CA, use PPTP.

Requiring certificates from both parties is referred to as mutual authentication, and it may or may not be required. You can configure IIS to use client certificate mappings if you want to require clients to use a certificate as well. Most often, only one certificate is required on the IIS server.

HTTP doesn't have any encryption; everything is sent in plain-text.

Here's a good PKI book that goes beyond the scope of this exam: http://www.amazon.com/Microsoft-Windows-Server-Certificate-Security/dp/0735620210/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1218205254&sr=8-1

That's definitely on my "to read" list. MS's PKI is probably my weakest subject.

Seriously, pick up that Syngress book: http://www.amazon.com/Planning-Maintaining-Windows-Network-Infrastructure/dp/1931836930/ref=sr_1_1?ie=UTF8&s=books&qid=1218205363&sr=1-1 You can get it used for $20.

undomiel

I took a look at the Certificate Security book and it was pretty interesting. I need to check it out from the library again now that I have more time to take a closer look at it. I first checked it out while studying for the 270 so I didn't dedicate that much time to it.

NetAdmin2436

Dynamikt wrote:

No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

+1

I can attest to the MS Press Book coming up short on the 70-293 test. *sigh*

L2TP is more flexible as it can be used over ATM, frame relay, X.25. PPTP is only supported by Microsoft. I've only used PPTP personally though.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgfb_emp_fqnc.mspx?mfr=true

royal

Yes the MSPress for 293 sucks and the Syngress one is really good.

Here are a couple of good articles:

http://technet.microsoft.com/en-us/library/cc780018.aspx
http://technet.microsoft.com/en-us/library/bb878088.aspx

One of the main things to keep in mind is that PPTP uses Microsoft Point to Point Encryption whereas L2TP uses IPSec. PPTP only starts to use encryption after authentication whereas L2TP starts the entire session with IPSEC and then starts the authentication process.

IPSEC can still do MS Chap authentication and things of that sort but that'll all be encapsulated inside IPSEC due to what I stated above. PPTP can still have the user authentication encrypted I believe but it's not the job of PPTP to use MPPE to ensure that happens. You can have PPTP use EAP-TLS with user/computer authentication using certificates and it'll be the job of EAP-TLS to do so. But as I said, with IPSEC, you ensure that ALL VPN traffic is inside your IPSEC encryption so it's basically being double encrypted.

mr2nut

Cheers for the heads up.

Just to clarify, it seems that most people wouldn't go with standard CA as it's a load of manual for for the administrator. Enterprise CA is the way to go as it includes autoenrollment, i've got my head around that bit now.

So if I installed CA from the add/remove windows components, and choose enterprise CA, it then intergrates it into AD, but from then on does everything that CAN be encrypted such as files, e-mails etc. now automatically use CA to encrpt data between the Server and all computer objects that are in active directory, or is there still some manual work to do?

royal

mr2nut wrote:

Cheers for the heads up.

Just to clarify, it seems that most people wouldn't go with standard CA as it's a load of manual for for the administrator. Enterprise CA is the way to go as it includes autoenrollment, i've got my head around that bit now.

Good timing on the CA stuff. I wrote a blog entry last night that talks about OCS and its' requirements on certificates and what the differences are between Standard/Enterprise CA and installing them on Standard Edition vs Enterprise Edition of Windows. I would give it a read even if it's in regards to OCS but still gives a lot of fundamental information on CA versions.

dynamik

mr2nut wrote:

Just to clarify, it seems that most people wouldn't go with standard CA as it's a load of manual for for the administrator. Enterprise CA is the way to go as it includes autoenrollment, i've got my head around that bit now.

As always, it depends. If you're creating a hierarchy, you'll likely use a stand-alone CA as the root and take it offline as soon as you're done using it. You'll almost always want to use an Enterprise CA as your issuing CA for it's ease of use and features.

mr2nut wrote:

So if I installed CA from the add/remove windows components, and choose enterprise CA, it then intergrates it into AD, but from then on does everything that CAN be encrypted such as files, e-mails etc. now automatically use CA to encrpt data between the Server and all computer objects that are in active directory, or is there still some manual work to do?

No. You'll need to configure autoenrollment policies, etc. There is still some configuration with autoenrollment, but it will greatly reduce the amount of overall administration. You might want to check this out for more information: http://technet.microsoft.com/en-us/library/bb456981.aspx

Nice blog entry Royal. It's nice to see one I can actually understand

royal

I probably should have created a link:
http://www.shudnow.net/2008/08/07/office-communicator-web-access-cwa-requires-server-2003-enterprise-edition-ca/

snadam

dynamik wrote:

No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

REALLY? that bad?

okay ill just keep referencing syngress now...I purchased the syngress book to fill in the gaps that mspress didnt.

man, thats like the 3rd time I said that

royal

snadam wrote:

dynamik wrote:

No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

REALLY? that bad? okay ill just keep referencing syngress now...I purchased the syngress book to fill in the gaps that mspress didnt.

man, thats like the 3rd time I said that

Yes, it's that bad.

dynamik

A better title would have been "Intro to 70-293". I actually thought it was pretty well written. It just doesn't go into the depth you need for the exam or real-world application.

penberth

snadam wrote:

dynamik wrote:

No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

REALLY? that bad? okay ill just keep referencing syngress now...I purchased the syngress book to fill in the gaps that mspress didnt.

man, thats like the 3rd time I said that

I can attest to this as well. I am currently studying for the 293, and finished the MS press book. I started doing the Transcender exams, and kept getting hit with concepts I didn't know. I am know reading the Syngress book, and can see the difference. Syngress covers everything, and in depth as well.

I am hoping to take the 293 within a week or two.