We are just installing a new VPN solution and were going to look at using the Windows client. We have a lot of Windows 2000 clients and Windows XP clients, but the majority are Windows 2000.
When the engineer from the company we purchased the box from came to install it, he recommended that we use an IPSec client rather than the one that comes as part of Windows. When I asked why, he said IPSec is more secure, but I could not get much more than that from him.
So I went looking on Google for some info about L2TP and PPTP, and all I can seem to find is LOTS of guides on how to configure it, but nothing that would give me any clues as to why IPSec is more secure and what possible pitfalls we may have if we chose to use the Windows client.
Do any of you know of some sites where I can make an informed decision on using Windows or looking for an IPSec client?
I looked into this a while ago when I was looking to implement a means of logging into remote sites. I settled for SSH, but here are a few points about L2TP and PPTP.
1. In Windows 2K/XP, L2TP actually runs over IPSec.
2. L2TP is more secure than PPTP, as encryption in PPTP only starts after PPP authentication is completed.
3. L2TP requires computer-based certificates in addition to password-based authentication. You could use pre-shared keys instead, but that has its associated maintenance and security issues.
4. L2TP cannot be used behind NAT without the application of a patch to Windows clients, apart from XP SP2.
As with all security issues, it basically boils down to your "paranoia index". Mine's quite high and I prefer to use certificate-based SSH as opposed to VPNs, although a PPTP-based VPN could be appropriate for many applications.
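Point 2 above is easiest to see on the wire. The following is an added example (not code from this thread, not Microsoft's, and not any vendor's): a small Python dissector for PPTP data frames, run over two constructed frames. The first carries a CHAP challenge inside a plain PPP frame, exactly as it travels before MPPE has been negotiated, so the protocol number, identifier, challenge value and peer name can all be read by anyone on the path. The second carries the MPPE "compressed datagram" protocol, where only the two-byte MPPE header is readable and the rest is ciphertext. Layouts follow RFC 2637 (PPTP enhanced GRE), RFC 1994/2759 (CHAP and MS-CHAPv2) and RFC 3078 (MPPE); the call ID, sequence numbers, challenge bytes, the peer name "vpn1" and the ciphertext bytes are all made up for the example.

```python
"""Added example: dissect constructed PPTP data frames to show what is
readable before MPPE starts (CHAP) and after it (MPPE ciphertext).
Not from the original thread; all sample bytes are constructed."""
import struct

GRE_PROTO_PPP = 0x880B
PPP_CHAP = 0xC223       # CHAP (MS-CHAPv2 uses this protocol number too)
PPP_MPPE = 0x00FD       # "compressed datagram" protocol carrying MPPE data
CHAP_CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def parse_pptp_gre(frame: bytes) -> dict:
    """Parse the enhanced-GRE header (RFC 2637 4.1) and return the PPP payload."""
    flags, proto, length, call_id = struct.unpack("!HHHH", frame[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != 1:
        raise ValueError("not a PPTP enhanced-GRE frame")
    off, seq, ack = 8, None, None
    if flags & 0x1000:                     # S bit: sequence number present
        seq = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
    if flags & 0x0080:                     # A bit: acknowledgment number present
        ack = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": frame[off:off + length]}


def parse_ppp(payload: bytes) -> dict:
    """Strip optional HDLC address/control, read the (maybe compressed) protocol field."""
    if payload[:2] == b"\xff\x03":
        payload = payload[2:]
    if payload[0] & 1:                     # PFC: one-byte protocol field (0x00xx)
        return {"proto": payload[0], "body": payload[1:]}
    return {"proto": struct.unpack("!H", payload[:2])[0], "body": payload[2:]}


def describe(frame: bytes) -> dict:
    """Report whether the PPP frame inside a PPTP packet is readable or encrypted."""
    ppp = parse_ppp(parse_pptp_gre(frame)["ppp"])
    proto, body = ppp["proto"], ppp["body"]
    if proto == PPP_CHAP:
        code, ident, length = struct.unpack("!BBH", body[:4])
        info = {"kind": "CHAP " + CHAP_CODES.get(code, str(code)),
                "id": ident, "encrypted": False}
        if code in (1, 2):                 # Challenge / Response carry value + name
            vsize = body[4]
            info["value"] = body[5:5 + vsize].hex()
            info["name"] = body[5 + vsize:length].decode("ascii", "replace")
        return info
    if proto == PPP_MPPE:
        hdr = struct.unpack("!H", body[:2])[0]      # A B C D bits + 12-bit coherency count
        return {"kind": "MPPE", "encrypted": bool(hdr & 0x1000),
                "coherency": hdr & 0x0FFF, "ciphertext_len": len(body) - 2}
    return {"kind": "PPP 0x%04x" % proto, "encrypted": False, "len": len(body)}


def build_frame(call_id: int, seq: int, ppp: bytes) -> bytes:
    """Constructed PPTP data frame: K and S bits set, version 1, no ack."""
    return struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp


# Constructed samples. Challenge value and peer name are invented.
CHALLENGE = bytes(range(16))               # 16-byte MS-CHAPv2-style challenge
SAMPLE_CHAP = build_frame(1, 1, b"\xff\x03\xc2\x23"
                          + struct.pack("!BBHB", 1, 7, 4 + 1 + 16 + 4, 16)
                          + CHALLENGE + b"vpn1")
SAMPLE_MPPE = build_frame(1, 2, b"\xfd" + struct.pack("!H", 0x1000 | 3) + bytes([0x5A] * 20))

if __name__ == "__main__":
    for name, frame in (("CHAP frame", SAMPLE_CHAP), ("MPPE frame", SAMPLE_MPPE)):
        print(name, describe(frame))
```

Run it and the CHAP frame decodes to its challenge value and the peer name, while the MPPE frame yields only a coherency count and a ciphertext length. That is the whole of point 2: with PPTP the authentication exchange is exposed to the network, and encryption only covers what follows it.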
I can confirm that Dalight is almost as paranoid as I am.
As I understand it, PPTP and L2TP are protocols which support the negotiation and establishment of the VPN tunnel, with L2TP being the newer and more sophisticated of the two. Once the tunnel is up, you can use encryption over PPTP/L2TP as Dalight has described, but the point is that it's optional encryption - you can have a "secure" tunnel with no encryption on it if you want. This sounds insane, but read on. IPSec, by contrast, is a traffic encryption system that also provides authentication of the endpoints (the sender is really who they claim to be), but doesn't really support the tunnel setup, which is why you often find L2TP with IPSec over the top. The main advantages of IPSec over the native encryption regimes provided by PPTP and L2TP are the endpoint authentication, which protects against "man in the middle" and replay attacks, and the fact that the encryption used is newer and so presumably stronger. The downside is that, compared to the others, it can be a dog to configure and get working, particularly if you try to use the native Microsoft implementations.
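The replay protection mentioned above is a concrete mechanism in IPsec's ESP rather than a side effect of the encryption, and it is worth seeing how it works. The following is an added example, not code from this thread or from any IPsec implementation: a Python receiver that applies ESP's two per-packet checks from RFC 4303, an integrity check value (ICV) computed with a key shared only by the two authenticated endpoints, and the sliding anti-replay window from RFC 4303 Appendix A. The key is assumed to have been agreed at tunnel setup (by IKE, which is not shown), the all-zero key, SPI 0x1001 and the payloads are constructed for the example, the ICV is HMAC-SHA-256-128 as in RFC 4868, and the payloads are left unencrypted so the window logic is easy to follow.

```python
"""Added example: ESP-style per-packet integrity check plus the RFC 4303
anti-replay sliding window. Not from the original thread. The key would
come from IKE in a real tunnel; here it is a constructed constant."""
import hashlib
import hmac
import struct

ICV_LEN = 16          # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits
WINDOW = 64           # minimum anti-replay window size required by RFC 4303


def esp_build(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an ESP packet: SPI | sequence number | payload | ICV over all of it."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


class EspReceiver:
    """Inbound SA state: integrity key plus the sliding replay window."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set means sequence (top - i) was already accepted

    def receive(self, pkt: bytes):
        if len(pkt) < 8 + ICV_LEN:
            return False, "truncated"
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            return False, "unknown SPI"
        # Cheap replay-window check first, as RFC 4303 3.4.3 recommends.
        if seq == 0:
            return False, "seq 0 never valid"
        if seq <= self.top:
            diff = self.top - seq
            if diff >= WINDOW:
                return False, "too old: outside window"
            if self.bitmap & (1 << diff):
                return False, "replayed"
        # Integrity check: without the key nobody can forge or modify a packet.
        expect = hmac.new(self.key, pkt[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expect, pkt[-ICV_LEN:]):
            return False, "bad ICV"
        # Only a verified packet moves the window, so forgeries cannot burn sequence numbers.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return True, "accepted"


def demo() -> list:
    """Feed a constructed packet sequence to the receiver; return the verdicts."""
    key, spi = b"\x00" * 32, 0x1001          # constructed; a real SA gets its key from IKE
    rx = EspReceiver(key, spi)
    good = {n: esp_build(key, spi, n, b"payload-%d" % n) for n in (1, 2, 3, 4, 5, 70)}
    forged = esp_build(b"attacker-guess", spi, 4, b"evil")   # wrong key, fresh seq
    tampered = bytearray(good[5])
    tampered[8] ^= 0x01                                       # flip one payload bit
    order = [good[1], good[3], good[2], good[2], forged, good[4],
             bytes(tampered), good[70], good[5]]
    return [rx.receive(p)[1] for p in order]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Reading the verdicts in order: packets 1, 3 and 2 are all accepted even though 2 arrives late, because it still falls inside the window; a second copy of 2 is rejected as replayed; the forged packet with sequence 4 fails the ICV and, crucially, does not advance the window, so the genuine packet 4 is still accepted afterwards; the tampered packet 5 fails the ICV; packet 70 is accepted and moves the window; and the late genuine packet 5 is then rejected because it is more than 64 behind. PPTP and plain L2TP have nothing equivalent at the data-plane level, which is the gap the post is pointing at.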
I read your reply about L2TP/PPTP tunnelling. I have a deep interest in these technologies. I would like to know whether you have got some eBook or other material explaining the entire working of these technologies?
If you can provide me with the same, I would be obliged.
As you've probably discovered, it is difficult to find a single book or resource that properly covers these areas. I did a lot of searching on the internet and found many articles, none of which fully explained everything. But as you keep reading, like a jigsaw puzzle, the pieces begin to fall into place.
Here are a few to get you started: