Using Remote Access

VPNs allow remote users to connect to a private network over a public network. The private network is the organization’s internal network. The public network is often the Internet, but it is also possible for an organization to use leased lines from a telecommunications company to create the VPN connection.

Remote users can be:

  • Salespeople on the road
  • Field technicians
  • Consultants working in customer work sites
  • Anyone authorized who needs to have access to internal company resources while away

Because data transmits over a public network, it needs protection. VPNs use tunneling protocols to establish secure connections. These tunneling protocols include different types of encryption to protect the data.

The Technology for Remote Use

Several protocols support VPNs. These include:

  • Point-to-Point Tunneling Protocol (PPTP)—This protocol supports Microsoft’s remote access servers and has known issues. It uses Microsoft Point-to-Point Encryption (MPPE). Although PPTP is still used for some remote access solutions, IPSec and SSL/TLS–based solutions are replacing it.
  • Layer 2 Tunneling Protocol (L2TP)—Cisco and Microsoft collaborated to create this by combining strengths from Cisco’s Layer 2 Forwarding (L2F) protocol and Microsoft’s PPTP. It uses IPSec for encryption. A significant weakness is that IPSec cannot go through a network address translation (NAT) server because NAT breaks IPSec.
  • SSL/TLS–based tunneling protocols—Due to the limitations of IPSec with NAT, newer tunneling protocols use SSL/TLS for encryption. For example, Microsoft can use Secure Socket Tunneling Protocol (SSTP). VPN appliances can use SSL/TLS–based tunneling protocols. SSL/TLS requires public key infrastructure (PKI) support to obtain and use a certificate.
  • Internet Key Exchange v2 (IKEv2)—This is an IPSec-based VPN protocol that uses NAT traversal (NAT-T). NAT-T allows IPSec traffic to pass through a NAT server. IKEv2 provides significant improvements over IKE and has been adopted by several companies, including Microsoft (in Windows Server 2008 R2 and forward), Cisco, and OpenVPN Inc. OpenVPN is an open-source solution presented later in this chapter. IKEv2 requires public key infrastructure (PKI) support to obtain and use a certificate.

Each method has advantages, depending on the access requirements of your users and your organization’s IT processes. Although many solutions only offer either IPSec or SSL/TLS, some vendors, including Microsoft and Cisco, offer multiple technologies integrated on a single platform with unified management. Offering both IPSec and SSL/TLS technologies can enable organizations to customize the remote access VPN without any additional hardware or management complexity.

SSL/TLS–based VPNs enable remote access connectivity from almost any Internet-enabled location using a web browser and its native SSL/TLS encryption. They do not require pre-installation of any special-purpose client software. This makes remote access SSL/TLS VPNs capable of “anywhere” connectivity from company-managed desktops and non–company-managed systems, such as employees’ PCs, contractor or business partner desktops, and Internet kiosks. Any software required for application access across the SSL/TLS VPN connection is dynamically downloaded on an as-needed basis, thereby minimizing desktop software maintenance.

IPSec-based VPNs are the deployment-proven remote access technology used by organizations. IPSec VPN connections use pre-installed VPN client software on the user systems, which focuses their use primarily on company-managed desktops. IPSec-based remote access offers versatility and customizability through modification of the VPN client software. Using APIs in IPSec client software, organizations can control the appearance and function of the VPN client for use in applications such as unattended kiosks, integration with other desktop applications, and other special deployments.

Choosing Between IPSec and SSL/TLS Remote Access VPNs

Both IPSec and SSL/TLS VPN technologies offer access to virtually any network application or resource. SSL/TLS VPNs offer additional features such as easy connectivity from non–company-managed desktops, little or no desktop software maintenance, and user-customized web portals upon login. The primary drawback with IPSec is that it cannot traverse a NAT server. If you are deploying a VPN server and want the connection to go through a NAT server, SSL/TLS is a sound solution.

It is possible to use NAT traversal (NAT-T) to allow IPSec traffic to pass through a NAT server, but be aware of some issues with it. For example, Microsoft has specifically recommended that NAT-T not be used, though IT professionals still recommend NAT-T with non-Microsoft hosts.
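The two points above (that NAT breaks IPSec, and that NAT-T lets IPSec traffic pass a NAT server) can be seen concretely in a small model. The following Python is an added illustration, not code from the textbook: it builds a toy IP header, computes an Authentication Header (AH) integrity check value as HMAC-SHA256 over the immutable header fields plus payload, and shows that a source NAT rewriting the address makes the receiver reject the packet. It then carries a toy ESP packet inside UDP on port 4500 the way NAT-T does, where the integrity check covers only ESP's own header and payload, so the port-translating NAT's rewrite of the outer address and port is harmless. The shared key, addresses, ports and payload are constructed values, and the "ciphertext" is a stand-in for real ESP encryption.

```python
"""Toy model of why NAT breaks IPSec AH and how NAT-T gets ESP through.

Added for illustration; not the textbook's own code. Everything is
simplified: IP headers are dataclasses, AH/ESP integrity is HMAC-SHA256,
and the shared SA key, addresses and ports are constructed values.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

SA_KEY = b"constructed-sa-key"   # a real SA derives this through IKE
NAT_T_PORT = 4500                # UDP port NAT-T uses (RFC 3948)
ICV_LEN = 32                     # HMAC-SHA256 digest length
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int        # mutable in transit: AH treats it as zero when hashing
    protocol: int


def _addr(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


# --- Authentication Header: the ICV covers the immutable IP fields ---------

def ah_icv(hdr: IPHeader, payload: bytes) -> bytes:
    # Source and destination addresses are immutable fields, so they are
    # part of the authenticated data; TTL is mutable and hashed as zero.
    covered = _addr(hdr.src) + _addr(hdr.dst) + struct.pack("!BB", 0, hdr.protocol) + payload
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()


def nat_source(hdr: IPHeader, public_ip: str) -> IPHeader:
    """Source NAT: rewrite the private source address and decrement TTL."""
    return replace(hdr, src=public_ip, ttl=hdr.ttl - 1)


def ah_accepted_after_nat(private_src, dst, public_ip, payload) -> bool:
    """Does the VPN server accept an AH packet once a NAT has rewritten it?"""
    hdr = IPHeader(private_src, dst, 64, PROTO_AH)
    icv = ah_icv(hdr, payload)                 # computed by the sender
    arrived = nat_source(hdr, public_ip)       # what the server actually sees
    return hmac.compare_digest(ah_icv(arrived, payload), icv)


# --- ESP inside UDP (NAT-T): nothing the NAT rewrites is authenticated -----

def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    # ESP authenticates its own header and payload only, never the outer IP
    # header, which is what lets a NAT change the outer address.
    return hmac.new(SA_KEY, struct.pack("!II", spi, seq) + ciphertext, hashlib.sha256).digest()


def build_natt_packet(private_src, dst, payload, src_port):
    spi, seq = 0x1000, 1
    ciphertext = payload       # stand-in: real ESP encrypts this with the SA cipher
    esp = struct.pack("!II", spi, seq) + ciphertext + esp_icv(spi, seq, ciphertext)
    # NAT-T wraps ESP in UDP so a port-translating NAT has a port to map.
    udp = struct.pack("!HH", src_port, NAT_T_PORT) + esp
    return IPHeader(private_src, dst, 64, PROTO_UDP), udp


def napt_rewrite(hdr, udp, public_ip, public_port):
    """Port-translating NAT: new source address and new source port."""
    _, dst_port = struct.unpack("!HH", udp[:4])
    return nat_source(hdr, public_ip), struct.pack("!HH", public_port, dst_port) + udp[4:]


def receive_natt(hdr: IPHeader, udp: bytes) -> bool:
    """VPN server side: strip the UDP wrapper and verify the ESP ICV."""
    if hdr.protocol != PROTO_UDP or struct.unpack("!HH", udp[:4])[1] != NAT_T_PORT:
        return False
    esp = udp[4:]
    spi, seq = struct.unpack("!II", esp[:8])
    ciphertext, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(esp_icv(spi, seq, ciphertext), icv)


def esp_natt_accepted_after_nat(private_src, dst, public_ip, payload) -> bool:
    hdr, udp = build_natt_packet(private_src, dst, payload, src_port=NAT_T_PORT)
    hdr, udp = napt_rewrite(hdr, udp, public_ip, public_port=40001)
    return receive_natt(hdr, udp)


if __name__ == "__main__":
    args = ("10.0.0.5", "203.0.113.10", "198.51.100.1", b"constructed payload")
    print("AH through NAT accepted:      ", ah_accepted_after_nat(*args))        # False
    print("ESP/NAT-T through NAT accepted:", esp_natt_accepted_after_nat(*args))  # True
```

The model deliberately leaves out the second reason plain ESP struggles behind a port-translating NAT: ESP has no port numbers, so several clients behind one public address cannot be told apart, which the UDP wrapper also solves. When troubleshooting a client that cannot connect from behind a home router, checking whether UDP 4500 is reachable and whether the VPN server has NAT-T enabled is usually the first step.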
