Is PPTP or IPSEC VPN more secure than the other for 'dial in' VPN, if so, why?
5 Answers
PPTP is a tunneling protocol just like L2TP is - it does not provide security.
PPTP uses MPPE for encryption which may have some disadvantages compared to IPSEC (which is commonly used with L2TP). IPSEC can also be used on its own as a tunneling protocol and this is pretty common.
An advantage with IPSEC in general would be if it's used with certificates to authenticate at the machine level in addition to the user level. L2TP enforces this, but IPSEC alone could be used with just a pre-shared key, just as the encryption in PPTP can - lowering the level of security to similar levels in my opinion.
Most old vulnerabilities in PPTP are fixed these days and you can combine it with EAP to enhance it to require certificates as well. I'd say there's no clear winner, but PPTP is older, more lightweight, works in most cases and clients are readily pre-installed, giving it an advantage in normally being very easy to deploy and configure without EAP.
However, getting something more secure by machine-level authentication might give IPSEC an advantage in being designed for this to begin with (L2TP in particular) - and hence possibly be easier to deploy with that requirement than getting PPTP to work with EAP.
If we compare PPTP with L2TP straight off - L2TP wins by a fair amount due to the requirements for decent authentication on several levels, preventing several scenarios PPTP won't prevent (in theory).
It should be noted that a new attack on MS-CHAPv2 by Moxie Marlinspike and David Hulton makes PPTP tunnels less desirable. Based on this I would go with an IPSEC or SSL VPN based tunnel for remote access.
More info:
The current wisdom is that IPSec is better, but no (known) full exploits exist for PPTP, so it's still commonly used. IPSec is certainly newer, and has more optional extras, and (IMHO) broader support.
A lot of people criticize that PPTP sends some unencrypted control packets, but, again, this hasn't resulted in a big exploit; it just makes people think that there MUST be one in there somewhere. I think a lot of it is just residual sour grapes because PPTP was a Microsoft initiative, and patent-encumbered (they recently allowed open implementations, so this isn't as much of a concern).
Good answers, but somewhat inaccurate. They can give wrong ideas about the role of L2TP.
L2TP does not use IPsec. It is not built on IPsec. L2TP is "Layer 2 Tunneling Protocol", which performs one and only one function: tunneling other protocols. It does not provide any kind of security whatsoever, simply because it is not meant to. And that is exactly why it is usually used together with IPsec. The two protocols being used together does not mean that they are dependent in any way. L2TP can be used without IPsec, just like IPsec can be used without L2TP. It does not make any sense to talk about the security of L2TP - there is none. When one talks about the security of an IPsec/L2TP VPN, one is talking about the security of IPsec.
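The practical consequence of the point above is that a gateway must only accept L2TP (UDP/1701) when the packet actually arrived inside an IPsec SA; otherwise the "L2TP/IPsec" VPN is just plain L2TP for anyone who skips IPsec. The following is an added example, not code from this thread: it audits two constructed iptables rulesets (the weak one accepts L2TP from anywhere, the hardened one guards it with iptables' `policy` match) and reports whether any unguarded L2TP accept remains.

```shell
#!/bin/sh
# Added example: check that every ACCEPT rule for L2TP (UDP/1701) is guarded by
# "-m policy --dir in --pol ipsec", so L2TP is only reachable through IPsec.
# Both rulesets below are constructed for illustration (iptables-save syntax).

# Weak: L2TP is accepted whether or not the packet came through IPsec.
WEAK_RULES='-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -j ACCEPT'

# Hardened: IKE and ESP are allowed, L2TP only if decapsulated from IPsec,
# and any other L2TP packet is dropped explicitly.
HARDENED_RULES='-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP'

# l2tp_rules_ok RULESET
# Returns 0 when no ACCEPT for udp/1701 lacks an inbound IPsec policy match,
# 1 when at least one unguarded accept exists (the offending rule is printed).
l2tp_rules_ok() {
    unguarded=$(printf '%s\n' "$1" \
        | grep -E -- '-p udp .*--dport 1701' \
        | grep -E -- '-j ACCEPT' \
        | grep -v -E -- '-m policy --dir in --pol ipsec')
    if [ -n "$unguarded" ]; then
        printf 'unguarded L2TP accept: %s\n' "$unguarded"
        return 1
    fi
    return 0
}

# l2tp_has_fallback_drop RULESET
# Returns 0 when the ruleset also drops L2TP that did not match the guarded
# accept, so the result does not depend on the chain's default policy.
l2tp_has_fallback_drop() {
    printf '%s\n' "$1" | grep -q -E -- '--dport 1701 -j DROP'
}

# Stand-alone run: report both constructed rulesets.
for name in WEAK_RULES HARDENED_RULES; do
    eval "rules=\$$name"
    if l2tp_rules_ok "$rules" && l2tp_has_fallback_drop "$rules"; then
        echo "$name: L2TP is only reachable through IPsec"
    else
        echo "$name: L2TP reachable without IPsec"
    fi
done
```

On a live gateway the same functions can be fed the output of `iptables-save`; the check assumes a filter table where L2TP accepts live in INPUT.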
If you are considering Microsoft PPTP you may find this useful: PPTP FAQ
Also, PPTP vs. IPSec is a bit Fish vs. Bicycles - you might want to look at L2TP rather than straight IPSec (L2TP is built on IPSec, and is supported in Windows same as PPTP, and has decent open source implementations).