Pptp/L2Tp; Pptp Servers - D-Link NetDefend DFL-210 User Manual

9.5. PPTP/L2TP

9.5. PPTP/L2TP
The access by a client using a modem link over dial-up public switched networks, possibly with an
unpredictable IP address, to protected networks via a VPN poses particular problems. Both the
PPTP and L2TP protocols provide two different means of achieving VPN access from remote
clients. The most commonly used feature that is relevant in this scenario is the ability of
NetDefendOS to act as either a PPTP or L2TP server and the first two sections below deal with this.
The third section deals with the further ability of NetDefendOS to act as a PPTP or L2TP client.
PPTP/L2TP Quick Start
This section covers L2TP and PPTP in some detail. A quick start checklist of setup steps for these
protocols in typical scenarios can be found in the following sections:
• Section 9.2.5, "L2TP Roaming Clients with Pre-Shared Keys".
• Section 9.2.6, "L2TP Roaming Clients with Certificates".
• Section 9.2.7, "PPTP Roaming Clients".

9.5.1. PPTP Servers

Overview
Point to Point Tunneling Protocol (PPTP) is designed by the PPTP Forum, a consortium of
companies that includes Microsoft. It is an OSI layer 2 "data-link" protocol (see Appendix D, The
OSI Framework) and is an extension of the older Point to Point Protocol (PPP), used for dial-up
Internet access. It was one of the first protocols designed to offer VPN access to remote servers via
dial-up networks and is still widely used.
Implementation
PPTP can be used in the VPN context to tunnel different protocols across the Internet. Tunneling is
achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation (GRE
- IP protocol 47). The client first establishes a connection to an ISP in the normal way using the PPP
protocol and then establishes a TCP/IP connection across the Internet to the D-Link Firewall, which
acts as the PPTP server (TCP port 1723 is used). The ISP is not aware of the VPN since the tunnel
extends from the PPTP server to the client. The PPTP standard does not define how data is
encrypted. Encryption is usually achieved using the Microsoft Point-to-Point Encryption (MPPE)
standard.
Deployment
PPTP offers a convenient solution to client access that is simple to deploy. PPTP does not require
the certificate infrastructure found in L2TP but instead relies on a username/password sequence to
establish trust between client and server. The level of security offered by a non-certificate based
solution is arguably one of PPTP's drawbacks. PPTP also presents some scalability issues with some
PPTP servers restricting the number of simultaneous PPTP clients. Since PPTP does not use IPsec,
PPTP connections can be NATed and NAT traversal is not required. PPTP has been bundled by
Microsoft in its operating systems since Windows95 and therefore has a large number of clients
with the software already installed.
Troubleshooting PPTP
A common problem with setting up PPTP is that a router and/or switch in a network is blocking
363
Chapter 9. VPN