Types of tunneling protocols

As we have learned in the previous sections, a tunnel is a way of shipping a foreign protocol across a network that will not support it directly. Let's take a look at the different tunneling protocols and their characteristics to see how this is done.

The Point-to-Point Tunneling Protocol

The Point-to-Point Tunneling Protocol, commonly known as PPTP, was created by a consortium that included Microsoft and other companies. PPTP is a fast protocol that, besides Windows, is also available to Linux and Mac users.

PPTP has no built-in capability to encrypt traffic; it relies on the Point-to-Point Protocol (PPP) to provide the security measures applied during transmission.

Figure: The Point-to-Point Tunneling Protocol

PPTP allows traffic with different protocols to be encrypted and then encapsulated in an IP datagram to be sent across an IP network such as the Internet.

PPTP encapsulates PPP frames in IP datagrams using a modified version of Generic Routing Encapsulation (GRE). A separate TCP connection is used for tunnel management. The encapsulated payload can be compressed, encrypted, or both before transmission. The encapsulated PPP frame is encrypted using Microsoft Point-to-Point Encryption (MPPE). MPPE supports 128-bit (the strongest), 56-bit, and 40-bit (standard) key lengths. Note that MPPE is limited to encryption and plays no role in compressing or expanding the data in the PPP frames; that is handled by Microsoft Point-to-Point Compression.
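As an added example (not from the book), the following Python builds and parses the enhanced GRE header that PPTP wraps around each PPP frame (version 1, protocol type 0x880B, a Key field holding payload length and call ID, optional sequence and acknowledgment numbers) and then reads the PPP protocol number to tell whether the carried frame is an MPPE/MPPC "compressed datagram" (PPP protocol 0x00FD) or a plain IPv4 frame (0x0021). The PPP frame and the function names are constructed for illustration.

```python
import struct

GRE_PROTO_PPP = 0x880B       # enhanced GRE protocol type for PPP payloads
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_COMPRESSED = 0x00FD  # MPPE-encrypted and/or MPPC-compressed datagram

# Bit masks for the first 16-bit word of the enhanced GRE header
GRE_K = 0x2000    # Key field (payload length + call ID) present, always set by PPTP
GRE_S = 0x1000    # sequence number present (data packets)
GRE_A = 0x0080    # acknowledgment number present
GRE_VER_MASK = 0x0007  # version field; PPTP uses version 1


def build_pptp_gre(call_id, ppp_frame, seq=None, ack=None):
    """Wrap a PPP frame in a PPTP enhanced GRE header for a given call ID."""
    flags = GRE_K | 1                     # Key present, version 1
    if seq is not None:
        flags |= GRE_S
    if ack is not None:
        flags |= GRE_A
    header = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame


def parse_pptp_gre(packet):
    """Parse a PPTP enhanced GRE packet; returns call ID, seq/ack and the PPP frame."""
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    if (flags & GRE_VER_MASK) != 1 or proto != GRE_PROTO_PPP or not flags & GRE_K:
        raise ValueError("not a PPTP enhanced GRE packet")
    offset, seq, ack = 8, None, None
    if flags & GRE_S:
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_A:
        ack = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    ppp = packet[offset:offset + payload_len]
    if len(ppp) != payload_len:
        raise ValueError("truncated PPP payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": ppp}


def ppp_protocol(ppp_frame):
    """Return the PPP protocol number, allowing address/control and protocol field compression."""
    i = 2 if ppp_frame[:2] == b"\xff\x03" else 0   # skip HDLC address/control if present
    if ppp_frame[i] & 1:                             # odd first byte: 1-byte compressed protocol
        return ppp_frame[i]
    return struct.unpack("!H", ppp_frame[i:i + 2])[0]


def is_mppe_protected(ppp_frame):
    """True only when the PPP payload is an MPPE/MPPC compressed datagram, not cleartext IP."""
    return ppp_protocol(ppp_frame) == PPP_PROTO_COMPRESSED
```

A tunnel whose frames parse as 0x0021 rather than 0x00FD is carrying the inner IP packets in the clear, which is the situation the text warns about when MPPE is not negotiated.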

Layer 2 Tunneling Protocol

The Layer 2 Tunneling Protocol, commonly known as L2TP, was jointly developed by Microsoft and Cisco with the objective of adding data integrity to the data confidentiality offered by PPTP. Like PPTP, L2TP does not provide encryption itself and relies on PPP for it.

Figure: Layer 2 Tunneling Protocol

In the Microsoft implementation of L2TP, PPP datagrams are encrypted not with MPPE but with Internet Protocol Security (IPSec); the combination is therefore usually referred to as L2TP/IPSec. For L2TP/IPSec to work, both the VPN server and the client must support it.

L2TP/IPSec is built into most operating systems, including Windows, Linux, and Apple's, and is very easy to implement.

IPSec is considered fairly secure and has no known major vulnerabilities (so far). However, Snowden, as part of his many revelations, did mention that IPSec had been compromised by the NSA.

For authentication, L2TP supports pre-shared keys or computer certificates. Computer certificate authentication requires a PKI to issue a certificate to the VPN server and to every VPN client. L2TP/IPSec thus provides computer (server) authentication at the IPSec layer and user authentication at the PPP layer. L2TP traffic is encrypted using the Data Encryption Standard (DES) or triple DES.

IPSec ensures data confidentiality, integrity, and authentication for VPN connections, as the following figure shows.

Figure: Layer 2 Tunneling Protocol

Secure Socket Tunneling Protocol

The Secure Socket Tunneling Protocol, also known as SSTP, is a newer tunneling protocol that carries traffic over HTTPS on TCP port 443. This allows it to pass through firewalls and proxies that may otherwise be configured to block PPTP or L2TP/IPSec traffic. SSTP works by establishing a bidirectional HTTPS session with the SSTP server; the SSTP data packets flow over this HTTPS layer.

This HTTPS layer, or Secure Socket Layer, performs traffic integrity checking as well as encryption and transport-level security. SSTP is suited to remote client-access VPNs and usually does not support site-to-site VPN tunnels.

Because SSTP runs over TCP, its performance depends on the bandwidth available to the TCP channel; when bandwidth is short, the phenomenon known as TCP meltdown is common.

In all three of the preceding tunneling protocols, the PPP frames are carried on top of the network protocol stack. Therefore, PPP features such as IPv4 and IPv6 negotiation, Network Access Protection, and authentication are common to all three.
