Pptp/L2Tp; Pptp; Setting Up A Pptp Server - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

9.4. PPTP/L2TP
Access to protected networks over a VPN by a client using a modem link across dial-up public switched networks, possibly from an unpredictable IP address, poses particular problems. The PPTP and L2TP protocols provide two different means of achieving VPN access from such remote clients.

9.4.1. PPTP

Overview
Point to Point Tunneling Protocol (PPTP) was designed by the PPTP Forum, a consortium of companies that includes Microsoft. It is an OSI layer 2 "data-link" protocol (see Appendix D, The OSI Framework) and is an extension of the older Point to Point Protocol (PPP) used for dial-up internet access. It was one of the first protocols designed to offer VPN access to remote servers via dial-up networks and is still widely used.
Implementation
PPTP can be used in the VPN context to tunnel different protocols across the internet. Tunneling is achieved by encapsulating PPP packets in IP datagrams using Generic Routing Encapsulation (GRE, IP protocol 47). The client first establishes a connection to an ISP in the normal way using the PPP protocol and then establishes a TCP/IP connection across the internet to the D-Link Firewall, which acts as the PPTP server (TCP port 1723 is used). The ISP is not aware of the VPN, since the tunnel extends from the PPTP server to the client. The PPTP standard does not define how data is encrypted; encryption is usually provided by the Microsoft Point-to-Point Encryption (MPPE) standard.
Deployment
PPTP offers a convenient solution to client access that is simple to deploy. PPTP does not require the certificate infrastructure found in L2TP but instead relies on a username/password exchange to establish trust between client and server. The level of security offered by a non-certificate based solution is arguably one of PPTP's drawbacks. PPTP also presents some scalability issues, with some PPTP servers restricting the number of simultaneous PPTP clients. Since PPTP does not use IPsec, PPTP connections can be NATed and NAT traversal is not required. PPTP has been bundled by Microsoft in its operating systems since Windows 95 and therefore has a large number of clients with the software already installed.
Troubleshooting PPTP
A common problem when setting up PPTP is that a router and/or switch in the network blocks TCP port 1723 and/or IP protocol 47 before the PPTP connection can be made to the D-Link Firewall. Examining the log can indicate whether this has occurred; a log message of the following form appears:
Error PPP lcp_negotiation_stalled ppp_terminated
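The two traffic components described above (the TCP 1723 control connection and the GRE-encapsulated PPP data, with MPPE as the usual encryption) are easiest to recognise on the wire with a small decoder. The following Python is an added example, not code from the D-Link manual or firmware: it classifies raw IPv4 packets as PPTP control or PPTP/GRE data, decodes the enhanced GRE header defined for PPTP (RFC 2637: version 1, protocol type 0x880B, key field holding payload length and call ID), reads the PPP protocol field, and reports call IDs whose tunnel is carrying cleartext IP rather than MPPE-protected frames. The sample packets are constructed inline, and the address/control and protocol-field compression handling assumes standard PPP negotiation.

```python
import struct

PPTP_CTRL_PORT = 1723              # PPTP control connection runs over TCP port 1723
GRE_PROTO = 47                     # IP protocol 47 carries the tunnelled PPP frames
GRE_PPP = 0x880B                   # GRE protocol type for PPP in enhanced GRE (RFC 2637)
PPP_IP, PPP_MPPE = 0x0021, 0x00FD  # PPP protocol IDs: cleartext IPv4 vs MPPE-protected payload

def classify(pkt: bytes) -> dict:
    """Classify one raw IPv4 packet: PPTP control, PPTP/GRE data, or other."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    body = pkt[ihl:]
    if proto == 6 and len(body) >= 4 and PPTP_CTRL_PORT in struct.unpack("!HH", body[:4]):
        return {"kind": "pptp-control"}
    if proto == GRE_PROTO and len(body) >= 8:
        return parse_enhanced_gre(body)
    return {"kind": "other", "proto": proto}

def parse_enhanced_gre(gre: bytes) -> dict:
    """Decode the RFC 2637 enhanced GRE header and the PPP protocol field it carries."""
    flags, ver_byte, ptype, plen, call_id = struct.unpack("!BBHHH", gre[:8])
    if (ver_byte & 0x07) != 1 or ptype != GRE_PPP or not flags & 0x20:  # Ver=1, PPP, K set
        return {"kind": "gre-other", "ptype": ptype}
    off, seq = 8, None
    if flags & 0x10:                                   # S bit: 32-bit sequence number present
        seq, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if ver_byte & 0x80:                                # A bit: 32-bit acknowledgment present
        off += 4
    ppp = gre[off:off + plen]
    if ppp[:2] == b"\xff\x03":                         # HDLC address/control, if ACFC not negotiated
        ppp = ppp[2:]
    ppp_proto = ppp[0] if ppp[0] & 1 else (ppp[0] << 8) | ppp[1]  # PFC: odd first byte = 1-byte ID
    return {"kind": "pptp-data", "call_id": call_id, "seq": seq,
            "ppp_proto": ppp_proto, "encrypted": ppp_proto == PPP_MPPE}

def unencrypted_calls(pkts) -> set:
    """Call IDs whose tunnel carries cleartext IP (no MPPE), i.e. a VPN that is not encrypting."""
    return {r["call_id"] for r in map(classify, pkts)
            if r["kind"] == "pptp-data" and r["ppp_proto"] == PPP_IP}

# --- constructed sample traffic (not a capture); IP checksum left zero, the parser ignores it ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + payload

def gre_ppp(call_id: int, seq: int, ppp: bytes) -> bytes:
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, len(ppp), call_id, seq) + ppp  # K+S, Ver 1

CONTROL = ipv4(6, struct.pack("!HH", 40000, PPTP_CTRL_PORT) + bytes(16))
DATA_ENC = ipv4(GRE_PROTO, gre_ppp(0x1234, 7, b"\xff\x03\x00\xfd" + b"\x90\x01\xde\xad"))
DATA_CLEAR = ipv4(GRE_PROTO, gre_ppp(0x1234, 8, b"\x00\x21" + b"\x45\x00\x00\x14"))

if __name__ == "__main__":
    for p in (CONTROL, DATA_ENC, DATA_CLEAR):
        print(classify(p))
    print("calls without MPPE:", unencrypted_calls([CONTROL, DATA_ENC, DATA_CLEAR]))
```

If a capture at the firewall shows the TCP 1723 handshake but no GRE packets at all, the upstream device is blocking protocol 47, which matches the stalled LCP negotiation logged above.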
Example 9.8. Setting up a PPTP server
This example shows how to set up a PPTP Network Server. The example assumes that you have already created the necessary address objects in the Address Book.
You will have to specify the IP address of the PPTP server interface, an outer IP address (on which the PPTP server should listen) and an IP pool from which the PPTP server will assign IP addresses to clients.
Chapter 9. Virtual Private Networks
202