Choosing an Authentication Protocol

When choosing between PPTP and L2TP, keep in mind the following:

  • Client support: PPTP is supported by a much larger range of clients.

  • Ease of installation: L2TP/IPSec requires a public key infrastructure (PKI) to supply the client and server certificates. This significantly increases the cost and complexity of the deployment. Certificates are not required for a PPTP solution unless you are using EAP-TLS. This makes PPTP deployments significantly easier than L2TP/IPSec deployments.

  • Level of security: PPTP provides only data confidentiality (encryption), while L2TP/IPSec provides data confidentiality, integrity, and authentication. Data integrity validates that packets have not been modified in transit. Data authentication validates the authenticity of the sender. It ensures that the client that claims to have sent the data is, in fact, the client that did so. Further, certificate-based solutions are inherently more secure than password-based solutions. For these reasons, L2TP/IPSec provides a much higher level of security.
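
The following Python script is an added illustration of the "level of security" point above; it is not part of the original text and does not use PPTP's or IPSec's actual algorithms. It uses a toy keystream cipher (an assumption for the demo) to show what "confidentiality only" buys you, then adds an HMAC tag so that a modified packet is rejected rather than silently decrypted. The keys, nonce and message are constructed demo values.

```python
"""
Added example: encryption alone versus encryption with integrity and
origin authentication. The keystream here is HMAC-SHA256 run in a
counter mode (a toy construction chosen for the demo, not a real VPN
cipher); the behaviour, not the primitive, is the point.
"""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: plaintext XOR keystream, no integrity check."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_only = encrypt_only  # XOR with the same keystream is its own inverse


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes,
                          plaintext: bytes) -> bytes:
    """Confidentiality + integrity + origin authentication (encrypt-then-MAC).

    Only a holder of mac_key can produce a valid tag, so a verified tag
    tells the receiver both that the data is unmodified and who sent it.
    """
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes,
                          packet: bytes) -> bytes:
    """Verify the tag first; reject the packet on any mismatch."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity/authentication check failed: packet rejected")
    return decrypt_only(enc_key, nonce, ct)


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    """Simulates in-transit corruption or modification of one byte."""
    mutable = bytearray(data)
    mutable[index] ^= mask
    return bytes(mutable)


def demo() -> tuple:
    """Returns (plaintext recovered from a modified encrypt-only packet,
    whether the same modification was rejected by the authenticated scheme)."""
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 8  # constructed demo values
    msg = b"transfer 0010 units"
    mask = ord("0") ^ ord("9")  # flipping these bits turns a '0' into a '9'

    # Encryption only: the modified packet decrypts without any error,
    # and the receiver has no way to tell it was changed.
    ct = encrypt_only(enc_key, nonce, msg)
    silently_changed = decrypt_only(enc_key, nonce, flip_byte(ct, 9, mask))

    # Encrypt-then-MAC: the same modification fails verification.
    pkt = encrypt_authenticated(enc_key, mac_key, nonce, msg)
    rejected = False
    try:
        decrypt_authenticated(enc_key, mac_key, nonce, flip_byte(pkt, 9, mask))
    except ValueError:
        rejected = True
    return silently_changed, rejected


if __name__ == "__main__":
    changed, rejected = demo()
    print("encrypt-only receiver saw:   ", changed)   # transfer 9010 units
    print("authenticated receiver rejected it:", rejected)  # True
```

Running `demo()` shows the encrypt-only receiver accepting `transfer 9010 units` as if it were the sender's message, while the authenticated receiver raises and drops the packet. That difference is what the bullet above means by integrity and authentication, and it is why a tunnel that provides only confidentiality is considered the weaker choice.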

Remember that you don't have to pick one technology or the other. Windows 2000 Server allows you to choose between using PPTP or L2TP—or both. This means that some users (with Windows XP or 2000) can use L2TP, while other clients can connect (at the same time) with PPTP. Unless you already have a PKI in place, the convenience and simplicity of PPTP is very attractive. The following example walks through the steps for deploying a PPTP-based VPN server with support for L2TP if you have already deployed Active Directory, a Certificate Authority (CA) such as Microsoft Certificate Services, and a RADIUS server such as Microsoft Internet Authentication Service (IAS).
