VPN TUNNELING PROTOCOLS PPTP, L2TP, L2TP/IPsec Ashkan Yousefpour Amirkabir University of Technology

PPTPPPTP 1 L2TPL2TP 2 L2TP/IPsecL2TP/IPsec 3 T ODAY ’ S O VERVIEW

W HY USING VPN S ?  fast, secure and reliable connection between separated networks  full access on resources from everywhere -> building a virtual local connection  reasonable access: building connection only to local ISP

PPTP - enables secure data transfers between a remote client and an enterprise server by creating a VPN across an IP-based internetwork

P OINT - TO -P OINT T UNNELING P ROTOCOL (PPTP) [RFC 2637] Standard method for transporting multiprotocol datagrams over point-to-point links Mainly implemented and used by Microsoft Extension of PPP Allows tunneling of PPP datagrams over IP networks Easy to use and to implement Use of 2 connections Control connection Tunnel connection Operates at layer 2 of OSI Uses TCP Port 1723

P OINT - TO -P OINT T UNNELING P ROTOCOL (PPTP) [RFC 2637] - CONTINUED PPTP is a tunneling protocol provided by Microsoft, which provides remote users, encrypted, multi protocol access to a corporate network over the Internet. It encapsulates PPP frames in IP data grams Microsoft’s implementation of PPTP has been found to have several problems that make it vulnerable to attacks, and it also lakes the scalability in that it only supports 255 concurrent connections per server. Require an IP Network between PPTP Client and PPTP Server ( either LAN or dial- up) PPTP can support only one tunnel at a time for each user.

PPTP Uses Generic Routing Encapsulation (GRE) to carry PPP packets PPP payload can be encrypted and/or compressed GRE header contains information about tunnel protocol and encryption algorithm Structure of PPTP packet:

L AYER 2 T UNNELING P ROTOCOL (L2TP) [RFC 2661] Uses UDP Can be transported over IP, Frame Relay, ATM, X.25,... Allows multiple tunnels with multiple sessions inside every tunnel UDP Port 1701 Commonly used with IPsec -> L2TP/IPsec

L AYER 2 T UNNELING P ROTOCOL (L2TP) [RFC 2661] C ONTINUED Structure of L2TP packet:

L AYER 2 T UNNELING P ROTOCOL (L2TP) [RFC 2661] C ONTINUED  A hybrid of Microsoft’s PPTP and Cisco Systems’ Layer 2 Forwarding - L2F protocol  can support multiple, simultaneous tunnels for each user.  It Uses UDP and supports any routed protocol, including IP, IPX and AppleTalk, including frame relay, ATM, X. 25  Because of L2TP’s use of PPTP, it is included as part of the remote access features of most Windows Products  It does not provide cryptographically key security features

L AYER 2 T UNNELING P ROTOCOL (L2TP) [RFC 2661] C ONTINUED L2TP allows multiprotocol traffic to be encrypted and then sent over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. It can support IPsec for data encryption and integrity

L2TP/IP SEC Uses IPsec Encapsulating Security Payload (ESP) an IPsec Authentication trailer provides message integrity and authentication Structure of encrypted packet:

L2TP/IP SEC VS. PPTP PPTPL2TP/IPsec data encryption begins after PPP connection is established data encryption begins before connection is established by negotiating an IPsec Security Association (SA) use Microsoft Point-to-Point Encryption (MPPE) stream cipher using RSA RC-4 (40, 56, 128 Bits) use Data Encryption Standard (DES) or 3-DES block cipher (56 or 168 bits) requires only user-level authentication user-level and computer-level authentication still implemented in WindowsVPN Client software needed

T HANK Y OU ! Any Questions?