VPN Protocols – PPTP & L2TP
PPTP (POINT-TO-POINT TUNNELING PROTOCOL)
PPTP (Point-to-Point Tunnelling Protocol) is an OSI layer two protocol built on top of PPP (Point-to-Point Protocol). PPP is a multi-protocol, dial-up protocol used to connect to the Internet. Remote users can access a private network via PPTP by first dialling into their local ISP. PPTP connects to the target network by creating a virtual network for each remote client. PPTP allows a PPP session, with non-TCP/IP protocols (e.g. IP, IPX or NetBEUI), to be tunnelled through an IP network. PPTP is documented in RFC 2637 as an informational draft.
The same authentication mechanisms used for PPP connections are supported in a PPTP-based VPN connection. These include EAP (Extensible Authentication Protocol), MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol), CHAP, SPAP (Shiva Password Authentication Protocol) and PAP (Password Authentication Protocol).
For encryption, PPP data can optionally be encrypted using MPPE (Microsoft Point-to-Point Encryption), which is based on the RSA RC4 (40/56/128-bit) standard for link encryption.
PPTP data tunnelling is accomplished through multiple levels of encapsulation. PPTP encapsulates PPP frames as tunnelled data for transmission over an IP network, such as the Internet or a private intranet, using a modified version of GRE (Generic Routing Encapsulation). GRE provides a flow- and congestion-controlled encapsulation service for carrying PPP packets. The data in the encapsulated PPP frames can be encrypted and/or compressed. The resulting GRE-and-PPP-encapsulated data is then encapsulated with an IP header containing the appropriate source and destination IP addresses for the PPTP client and PPTP server.
Upon receipt of the PPTP tunnelled data, the PPTP server processes and removes the IP, GRE and PPP headers, then decrypts and/or decompresses the PPP data.
L2TP (LAYER 2 TUNNELING PROTOCOL)
L2TP (Layer 2 Tunnelling Protocol) is a combination of Microsoft PPTP (Point-to-Point Tunnelling Protocol) and Cisco L2F (Layer 2 Forwarding). L2TP can be used as a tunnelling protocol to encapsulate PPP (Point-to-Point Protocol) frames to be sent over IP, X.25, Frame Relay or ATM networks.
Multiple connections are allowed through one tunnel. Like PPTP and L2F, L2TP operates at OSI layer two. Layer two VPN protocols encapsulate data in PPP frames and are capable of transmitting non-IP protocols over an IP network. L2TP is documented in RFC 3931 as standards track.
L2TP connections use the same authentication mechanisms as PPP connections, such as EAP, CHAP, MS-CHAP, PAP and SPAP. L2TP tunnelling is accomplished through multiple levels of encapsulation. The PPP data is encapsulated within a PPP header and an L2TP header. The L2TP-encapsulated packet is further wrapped in a UDP header with the source and destination ports set to 1701. The final packet is encapsulated with an IP header containing the source and destination IP addresses of the VPN client and VPN server.
Because L2TP itself provides no confidentiality, it is often used in conjunction with IPsec and referred to as L2TP/IPsec. When L2TP is running over IPsec, the security services are provided by IPsec (AH and ESP). All L2TP control and data messages appear as homogeneous IP data packets to the IPsec system.
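The two encapsulation stacks described above (IP/GRE/PPP for PPTP and IP/UDP 1701/L2TP/PPP for L2TP), as an added example that is not part of the original article: it builds one packet of each kind around a constructed PPP frame, then peels the headers back off to recover the PPP frame, which is the classification step a packet-inspection or logging tool performs on tunnel traffic. The addresses, call/tunnel/session IDs and the PPP frame are constructed sample values; the L2TP header uses the version 2 data-message layout carried over UDP 1701.

```python
import struct

GRE_PPP = 0x880B   # GRE protocol type for PPP payloads (enhanced GRE, RFC 2637)
L2TP_PORT = 1701   # UDP port for L2TP

def ipv4_header(proto, src, dst, payload_len):
    """Minimal IPv4 header: no options, checksum left at zero (constructed for the example)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, to_bytes(src), to_bytes(dst))

def pptp_packet(ppp_frame, call_id=1, seq=7):
    """IP (proto 47) | enhanced GRE (K and S set, version 1, type 0x880B) | PPP frame."""
    # key field = payload length (16 bits) + peer call ID (16 bits), then sequence number
    gre = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, len(ppp_frame), call_id, seq)
    return ipv4_header(47, "10.0.0.2", "10.0.0.1", len(gre) + len(ppp_frame)) + gre + ppp_frame

def l2tp_packet(ppp_frame, tunnel_id=5, session_id=9):
    """IP (proto 17) | UDP 1701 -> 1701 | L2TP data header (version 2) | PPP frame."""
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id)
    udp_len = 8 + len(l2tp) + len(ppp_frame)
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, udp_len, 0)
    return ipv4_header(17, "10.0.0.2", "10.0.0.1", udp_len) + udp + l2tp + ppp_frame

def strip_tunnel(packet):
    """Remove IP, then GRE (PPTP) or UDP+L2TP, returning (tunnel_kind, ppp_frame)."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    body = packet[ihl:]
    if proto == 47:
        flags, verb, ptype = struct.unpack("!BBH", body[:4])
        if ptype != GRE_PPP or (verb & 0x07) != 1:
            return ("gre-other", b"")
        off = 4                                     # optional fields follow the 4-byte base header
        off += 4 if flags & 0x20 else 0             # K bit: key (payload length + call ID)
        off += 4 if flags & 0x10 else 0             # S bit: sequence number
        off += 4 if verb & 0x80 else 0              # A bit: acknowledgement number
        return ("pptp", body[off:])
    if proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        if L2TP_PORT not in (sport, dport):
            return ("udp-other", b"")
        l2tp = body[8:]
        flags = struct.unpack("!H", l2tp[:2])[0]
        if flags & 0x8000:                          # T bit: control message, carries no PPP data
            return ("l2tp-control", b"")
        off = 2 + (2 if flags & 0x4000 else 0) + 4  # [length] + tunnel ID + session ID
        off += 4 if flags & 0x0800 else 0           # S bit: Ns and Nr
        if flags & 0x0200:                          # O bit: offset size field plus padding
            off += 2 + struct.unpack("!H", l2tp[off:off + 2])[0]
        return ("l2tp", l2tp[off:])
    return ("other", b"")

# constructed HDLC-framed PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IP), dummy IP body
PPP_IP_FRAME = b"\xff\x03\x00\x21" + b"\x45" + b"\x00" * 19
```

Running `strip_tunnel` over the two constructed packets returns the original PPP frame in both cases, and an L2TP control message (T bit set) is reported separately because it carries no tunnelled data.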