
Compare VPN tunnel types in Windows

I am sure you have already experienced VPN Reconnect, the new IKEv2-based VPN tunnel added in Windows 7. It allows automatic and seamless switchover of an active VPN connection when the underlying Internet interface (connection) changes, so application sessions persist across the switch.

Isn't that COOL? Think of a VPN user moving from Wi-Fi to WWAN and back, getting truly mobile connectivity to corpnet! Yes it is...

This means the Windows 7 in-built VPN client and the Windows Server 2008 R2 in-built VPN server (aka RRAS) support the following VPN tunnels:

  • PPTP
  • L2TP/IPSec
  • SSTP
  • VPN Reconnect (or IKEv2)

I am sure you are wondering why four different tunnel types are needed and which one to use in a given scenario. This blog post helps to clarify that.

Let us look at the technical specs, which summarize the tunnel features by different deployment factors.

First, a comparison on network-related parameters:

 

| Tunnel Type | OS support | Scenario | IP Addressing | Traversal | Mobility Enabled |
|---|---|---|---|---|---|
| PPTP | XP, 2003, Vista, WS08, W7, WS08 R2 | Remote Access; Site-to-Site | Works over IPv4 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT via PPTP-enabled NAT routers | No |
| L2TP/IPSec | XP, 2003, Vista, WS08, W7, WS08 R2 | Remote Access; Site-to-Site | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT | No |
| SSTP | Vista SP1, WS08, W7, WS08 R2 | Remote Access | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT, Firewalls, Web Proxy | No |
| VPN Reconnect | W7, WS08 R2 | Remote Access | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT | Yes |

Now let's compare on security-related parameters:

 

| Tunnel Type | Authentication | Data Confidentiality |
|---|---|---|
| PPTP | User authentication via PPP* | RC4*** |
| L2TP/IPSec | Machine authentication via IPSec followed by user authentication via PPP* | DES, 3DES, AES**** |
| SSTP | User authentication via PPP* | RC4, AES |
| VPN Reconnect | Machine or user authentication via IKEv2** | 3DES, AES |

and  ….
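As an added example (not from the original post), here is how a defender could apply the security table above to the VPN profiles actually configured on a client: it lists each connection, notes whether it is mobility-capable (only IKEv2 / VPN Reconnect is), and flags the weaker combinations the table describes (PPTP's PPP-only user authentication with RC4, SSTP's lack of machine authentication, optional encryption, weak PPP methods). It assumes Windows 8 / Server 2012 or later, where the VpnClient module provides Get-VpnConnection; the Windows 7 client the post describes has no equivalent cmdlet, so the cmdlet and its property names (TunnelType, EncryptionLevel, AuthenticationMethod, L2tpIPsecAuth) are assumptions about that later module.

```powershell
# Added audit example, not code from the original post. Assumes the VpnClient
# module (Windows 8 / Server 2012 and later) and its Get-VpnConnection cmdlet.
# The findings mirror the post's security table: PPTP gives PPP user
# authentication only and RC4/MPPE; SSTP gives PPP user authentication only;
# L2TP/IPsec and IKEv2 add machine authentication; only IKEv2 (VPN Reconnect)
# keeps the session alive when the underlying interface changes.

$profiles = @()
$profiles += Get-VpnConnection -ErrorAction SilentlyContinue                     # per-user profiles
$profiles += Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue  # all-user profiles

foreach ($p in $profiles) {
    $findings = @()

    switch ($p.TunnelType) {
        'Pptp'      { $findings += 'PPTP: PPP user authentication only; RC4 (MPPE) confidentiality' }
        'Sstp'      { $findings += 'SSTP: PPP user authentication only; no machine authentication' }
        'L2tp'      { if ($p.L2tpIPsecAuth -eq 'Psk') {
                          $findings += 'L2TP/IPsec: machine authentication by pre-shared key, not certificate' } }
        'Ikev2'     { }  # machine or user authentication via IKEv2; 3DES/AES; mobility supported
        'Automatic' { $findings += 'Automatic: tunnel type negotiated at connect time; review which types it may fall back to' }
    }

    # EncryptionLevel values NoEncryption / Optional allow an unencrypted link.
    if ($p.EncryptionLevel -in @('NoEncryption', 'Optional')) {
        $findings += "EncryptionLevel '$($p.EncryptionLevel)' permits an unencrypted link"
    }

    # PAP and CHAP are the weakest PPP user-authentication methods.
    if (($p.AuthenticationMethod -contains 'Pap') -or ($p.AuthenticationMethod -contains 'Chap')) {
        $findings += "Weak PPP method(s): $($p.AuthenticationMethod -join ', ')"
    }

    [pscustomobject]@{
        Name       = $p.Name
        TunnelType = $p.TunnelType
        Mobility   = ($p.TunnelType -eq 'Ikev2')   # only VPN Reconnect survives an interface change
        Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}
```

Run it in a PowerShell session on the client; an empty Findings column for every profile means each configured tunnel sits in the stronger rows of the table.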
