1

I'm setting up a VPN test server, on Windows 2008 R2. I seem to remember that PPTP isn't ideal, as on a Cisco firewall you need to open quite a large range of ports (with the GRE protocol too?)

Anyway, my vague memories of this aren't brilliant, so I would like to know, what's the more secure protocol for setting up remote VPN access (from users dialling in from home, so not a VPN tunnel or anything).

kafka
  • 547
  • 1
  • 15
  • 27

3 Answers

3

You should probably use IKEv2 as a primary if you have Windows Vista/7 clients and 2008r2 servers, with a fallback to SSTP if for whatever reason UDP port 500 is blocked at the client's site.

SSTP has a severe performance problem in that you get TCP-in-TCP for most data traffic. This causes the "inner" TCP layer to be mis-informed about the actual packet loss on the network, resulting in huge delays or disconnections. See this link for detailed information on that issue.

Our own tests showed SSTP performing terribly on lossy networks, particularly wireless networks at hotels, coffee shops, mobile broadband, etc. So we initially chose IKEv2 as our primary mechanism with SSTP as a fallback. Neither SSTP nor IKEv2 requires client certificate deployment, but they do require all clients to trust the certificate of the VPN server. The VPN server certificate is easily deployed via Group Policy.

Another problem common to PPTP, SSTP, and IKEv2 in the Windows implementations is that they do not verify that the client computer is trusted, only that the user who is connecting knows a password and has VPN permissions. This issue ultimately led us to go back to L2TP with client-side certificate deployment using Microsoft Certificate Authority to issue certificates to trusted machines. You can configure NAT traversal for L2TP with a registry setting (again deployed via Group Policy).

rmalayter
  • 3,744
  • 19
  • 27
  • Useful information. I would imagine that being IPsec-based, IKEv2 avoids the TCP-in-TCP problems of SSTP, and therefore improves performance. Is that correct, or is there some other factor that reduces IKEv2 performance? – Spinner Nov 09 '12 at 13:22
  • 1
    Actually IKEv2 performs the best, as it doesn't have the PPP overhead that is common to other VPN solutions (PPTP, SSTP, L2TP). It is actually just IP-in-IPsec, potentially with an additional outer UDP layer if you need NAT traversal. It performed the best in our testing, but the issue with not verifying the client machine as well as user kept us from using it. SSTP is the worst from a performance perspective, as it is effectively TCP-in-PPP-in-SSL-in-TCP. Ugh. – rmalayter Nov 09 '12 at 22:05
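The answer above leaves two client-side steps implicit: enabling L2TP/IPsec NAT traversal through the registry, and confirming that the SSTP fallback transport is actually reachable from a given client site before relying on it. The following PowerShell is an added example (not code from the answer or from Microsoft) that does both. The registry path and value name are Microsoft's documented `AssumeUDPEncapsulationContextOnSendRule` setting under the PolicyAgent service key; the server name `vpn.example.com` and the function names are placeholders chosen for the example.

```powershell
# Added example, not code from the answer above. Run elevated on the Windows client.
# 1. Enable L2TP/IPsec NAT traversal via the documented PolicyAgent registry value.
# 2. Confirm the SSTP fallback transport (TCP 443) is reachable from this site.
# The registry change needs a reboot before the IPsec Policy Agent honours it.

$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$NatTValueName  = 'AssumeUDPEncapsulationContextOnSendRule'
# 0 = NAT-T disabled (default), 1 = VPN server behind NAT, 2 = client and/or server behind NAT
$NatTMode       = 2

function Get-L2tpNatTraversalMode {
    $item = Get-ItemProperty -Path $PolicyAgentKey -Name $NatTValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # absent value means the default (disabled)
    return [int]$item.$NatTValueName
}

function Set-L2tpNatTraversalMode {
    param([ValidateSet(0, 1, 2)][int]$Mode)
    if (-not (Test-Path $PolicyAgentKey)) { throw "PolicyAgent key missing: $PolicyAgentKey" }
    New-ItemProperty -Path $PolicyAgentKey -Name $NatTValueName -PropertyType DWord `
                     -Value $Mode -Force | Out-Null
    # Read the value back instead of trusting the write; a later GPO refresh may overwrite it.
    $actual = Get-L2tpNatTraversalMode
    if ($actual -ne $Mode) { throw "Expected NAT-T mode $Mode but registry holds $actual" }
    Write-Warning 'Reboot required before the new NAT-T mode takes effect.'
}

# TcpClient is used rather than Test-NetConnection so this also runs on Windows 7 / 2008 R2.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# --- usage: vpn.example.com is a placeholder for your VPN server's FQDN ---
Set-L2tpNatTraversalMode -Mode $NatTMode
"L2TP NAT-T mode now: $(Get-L2tpNatTraversalMode)"

$VpnServer = 'vpn.example.com'
if (Test-TcpPort -HostName $VpnServer -Port 443) {
    "SSTP fallback (TCP 443) is reachable from this site"
} else {
    "TCP 443 to $VpnServer is blocked; SSTP fallback will not work from here"
}
# IKEv2 uses UDP 500/4500, which a TCP probe cannot test; verify IKEv2 reachability by
# attempting the connection itself (for example with rasdial) rather than by port probe.
```

For fleet deployment the same registry value belongs in a Group Policy Preferences Registry item pointing at that key, which is the "again deployed via Group Policy" step the answer refers to; the script is useful for verifying the result on a single machine and for checking a new client site before a user depends on the SSTP fallback.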
2

Don't use PPTP--it's completely insecure if you're using the MS-CHAPv2 protocol. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

If you're using a different encryption method such as certificates--it's significantly more work to set up, obviating any benefits of PPTP in the first place.

I'm planning to replace PPTP in my own organization with OpenVPN. IPSec / L2TP is another good option.

Quinten
  • 1,076
  • 1
  • 11
  • 25
  • Yeah I knew PPTP isn't secure - we stopped using that as a VPN solution recently. We've been using a third party app in the interim, but would rather use IPSec or SSTP if that's secure enough. – kafka Oct 03 '12 at 13:42
  • Yes, they are both reasonably secure. I would look at setup time for you, ease of use for dial-in users, and availability of the client on the platforms your users rely on. SSTP, for example, isn't available on Windows XP. – Quinten Oct 03 '12 at 17:47
1

If you have a newer Cisco firewall you can use the SSL VPN features if you license it. You can also use the normal Cisco VPN client/server setup.

For using W2k8 R2, I'd recommend going the SSTP route over PPTP. PPTP might be easier to deploy but, security aside, there are quite a few places nowadays (other biz, hotels, etc.) that don't allow you to connect to one from them (outbound), which frustrates employees and guests.

TheCleaner
  • 32,352
  • 26
  • 126
  • 188
  • The licensing for SSL VPN on the Cisco would presumably incur more expense though? PPTP is not an option, so if SSTP uses SSL presumably it's a secure solution. – kafka Oct 03 '12 at 13:54
  • The SSL VPN license on an ASA is very cheap if I remember correctly...at least compared to most licenses for networking products. – TheCleaner Oct 03 '12 at 21:43