Windows 7 supports four tunneling protocols for remote access VPN connections to corporate networks.
Each of these is used in different remote access scenarios, and each
has different requirements for the operating system, configuration,
and infrastructure. The following section introduces these four VPN
protocols in more detail.
New in Windows 7 and Windows Server 2008 R2, Internet Key Exchange version 2 (IKEv2) is a tunneling
protocol that uses Internet Protocol Security (IPSec) for
encryption. An important performance advantage of an IKEv2-based VPN
is its support of VPN Reconnect (also called
Mobility). VPN Reconnect is a feature that enables VPN connections
to be maintained when a VPN client moves between wireless hotspots
or switches from a wireless to a wired connection. Another important
advantage of IKEv2 is that, like Secure Socket Tunneling Protocol (SSTP) and
Point-to-Point Tunneling Protocol (PPTP) VPNs (and unlike those based
on the Layer 2 Tunneling Protocol [L2TP]), client computers do not
need to provide authentication through a machine certificate or a
preshared key. Finally, compared to the other VPN type that is
based on IPSec encryption (L2TP), IKEv2 offers improved performance
in that the connectivity is established more quickly.
Tip
IKEv2 VPNs require a PKI. In an IKEv2 VPN, the server must
present a server authentication certificate to the client, and the
client needs to be able to validate this certificate. To perform
this validation, the root certificate for the CA that has issued the
server authentication certificate must be installed on the client
computer in the Trusted Root Certification Authorities certificate
store.
From the standpoint of performance and security, IKEv2 is the
preferred VPN type and should be deployed when operating system
requirements for such a VPN are met. Those requirements are Windows
7 for the VPN client and Windows Server 2008 R2 on the VPN
server.
SSTP VPNs were introduced in Windows Server 2008 and can be
used by clients running Windows Vista SP1 or later. This type of VPN
is based on the same HTTP-over-SSL protocol used for secure Web
sites. The most important feature of an SSTP-type VPN is that it
uses only TCP port 443 for communication, a port left open on most
firewalls for secure Web traffic. The fact that most firewalls do
not need to be reconfigured for SSTP communication enables SSTP VPN
clients to connect through most Network Address Translation (NAT)
devices, firewalls, and Web proxies. Other VPN types often cannot
traverse these network features. An SSTP VPN is therefore an
unusually flexible type of remote access VPN that can be implemented
in more network scenarios than other VPNs can.
Like IKEv2 and PPTP VPNs, and unlike L2TP-based VPNs, SSTP
VPNs do not require client computer authentication by default
(though they can be configured to require it). However, as with a
secure Web server, the SSTP VPN server must present a computer
certificate to the requesting client at the beginning of the
communication session. The VPN client must then be able to validate
the server's computer certificate. For this to occur, the root
certificate of the CA that has issued the VPN server's computer
certificate must be installed in the Trusted Root Certification
Authorities certificate store on the VPN client computer.
Note
CERTIFICATE CHECKING IN SSTP VPNs
In a PKI, an administrator may revoke
a certificate previously issued to a user, computer, or service. A
CA publishes the lists of revoked certificates in an official
certificate revocation list (CRL). For SSTP VPN connections, by
default, the client must be able to confirm that the VPN server's
computer certificate has not been revoked by checking the server
identified in the certificate as hosting the CRL. If the server
hosting the CRL cannot be contacted, then the validation fails,
and the VPN connection is dropped. To prevent this failure, you
must either publish the CRL on a server that is accessible on the
Internet or configure the client not to require CRL checking. To
disable CRL checking, create a registry setting at the following
location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\parameters
The setting must be a DWORD value
named NoCertRevocationCheck. Set the value to 1.
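The conditions the Tip and this Note describe (the server's certificate must chain to a CA in the client's Trusted Root Certification Authorities store, the CRL it names must be reachable, and the NoCertRevocationCheck value decides what happens when it is not) can be verified from the client before a rollout. The following PowerShell is an added example, not from the original text or from Microsoft; it assumes a VPN server named vpn.example.com and uses PowerShell 2.0 syntax so that it runs on Windows 7. The certificate fetch uses the same TCP 443 SSL handshake an SSTP client opens; the chain check itself accepts any certificate object, including one exported from an IKEv2 server and loaded from a .cer file.

```powershell
# Added example (not part of the original text): client-side pre-flight check for
# SSTP/IKEv2 server certificate trust and CRL reachability, plus inspection of the
# NoCertRevocationCheck registry value described in the text.
# vpn.example.com is an assumed server name; replace it with your own VPN server.

function Get-SstpServerCertificate {
    # Open the TCP 443 / SSL handshake an SSTP client opens and capture the
    # certificate the server presents. The callback accepts everything here
    # because validation is done separately in Test-VpnServerCertificate.
    param(
        [Parameter(Mandatory=$true)] [string] $ServerName,
        [int] $Port = 443
    )
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-VpnServerCertificate {
    # Build the chain the way the SSTP client does by default: the root must be in
    # the Trusted Root store, and revocation is checked online against the CRL
    # distribution point named in the certificate.
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $trusted = $chain.Build($Certificate)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Map the raw chain status onto the two failures the text describes.
    $verdict = if ($trusted) { 'OK: chain trusted and revocation status confirmed' }
               elseif ($status -contains 'UntrustedRoot') { 'Root CA certificate is not in the Trusted Root Certification Authorities store (install it, e.g. certutil -addstore Root rootca.cer)' }
               elseif ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') { 'CRL unreachable from this client; with the default setting the SSTP connection is dropped' }
               elseif ($status -contains 'Revoked') { 'Server certificate has been revoked' }
               else { 'Chain failed: ' + ($status -join ', ') }

    # The CRL Distribution Points extension (OID 2.5.29.31) names the CRL host.
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crl = if ($cdp) { $cdp.Format($true).Trim() } else { '(no CRL distribution point listed)' }

    New-Object PSObject -Property @{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        Trusted     = $trusted
        ChainStatus = ($status -join ', ')
        CrlLocation = $crl
        Verdict     = $verdict
    }
}

# Registry location from the text where the SSTP client's CRL check is controlled.
$SstpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sstpsvc\parameters'

function Get-SstpRevocationCheck {
    # Report whether this client still enforces the CRL check (the default).
    $item = Get-ItemProperty -Path $SstpKey -Name NoCertRevocationCheck -ErrorAction SilentlyContinue
    if ($item -and $item.NoCertRevocationCheck -eq 1) { 'disabled (NoCertRevocationCheck = 1)' }
    else { 'enforced (default)' }
}

function Set-SstpRevocationCheck {
    # -Enforce $false writes the DWORD described in the text; -Enforce $true removes it
    # again, the setting to return to once the CRL is published at a reachable location.
    param([bool] $Enforce = $true)
    if ($Enforce) {
        Remove-ItemProperty -Path $SstpKey -Name NoCertRevocationCheck -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $SstpKey -Name NoCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage on the VPN client (server name is an assumption):
$cert = Get-SstpServerCertificate -ServerName 'vpn.example.com'
Test-VpnServerCertificate -Certificate $cert | Format-List
'SSTP CRL checking on this client: ' + (Get-SstpRevocationCheck)
```

Because the chain is built with online revocation checking, the Verdict field separates the missing-root case (fix on the client, by installing the root CA certificate) from the unreachable-CRL case (fix on the server side, by publishing the CRL where clients can reach it, or on the client with the registry value). Set-SstpRevocationCheck defaults to re-enabling the check, so the workaround is easy to back out once the CRL is reachable.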
L2TP is an industry-standard tunneling protocol designed to run natively over IP
networks. Security for L2TP VPN connections is provided by IPSec,
which performs the data authentication and encryption needed to
ensure that L2TP tunnels are protected. The combination of L2TP with
IPSec for tunneling purposes is usually referred to as L2TP over
IPSec or L2TP/IPSec.
L2TP/IPSec VPNs have certain drawbacks compared to IKEv2 and
SSTP VPNs. First, besides requiring user authentication as all VPN
protocols do, L2TP/IPSec requires client computer
authentication. Because of this requirement, all VPN client
computers from which a user might connect must be configured either
with a computer certificate or a preshared key specific to the VPN
server. Therefore, L2TP/IPSec prevents a user from establishing a
VPN connection from public terminals or from any computer that has
not been specially configured for the VPN.
To configure a VPN client connection running Windows 7 to use
either a computer certificate or a preshared key for L2TP/IPSec
authentication, open the Properties dialog box of the VPN
connection, click the Security tab, and then click Advanced
Settings. This step opens the Advanced Properties dialog box, as
shown in Figure 1. By default,
certificate authentication is selected. To obtain a client
authentication certificate to use with this setting, you typically
need to submit a request to the CA on the corporate network and then
install the certificate after the request is approved. If you change
the setting to Use Preshared Key For Authentication, you need to
supply the key in the area provided.
Besides the requirement of client computer authentication,
another limitation of L2TP/IPSec VPNs is that they do not natively
support the traversal of NAT devices. However, you can enable
L2TP/IPSec to cross a NAT device if you change a particular registry
value on both the VPN client computer and the VPN server.
PPTP is the easiest VPN protocol to implement in Windows
networks. Unlike other tunneling protocols, PPTP does not require any
certificates or preshared keys on either the VPN client or server.
Another important feature of PPTP is that it can be used with older
Windows operating systems: It is the only native Windows VPN
protocol that can run on Microsoft Windows NT 4.0, and it is
compatible with all versions of Windows since Microsoft Windows
2000.
PPTP, however, includes significant disadvantages, the biggest
of which is that it is not as secure as other VPN protocols. Although PPTP does encrypt data, it does
not ensure data integrity or data origin authentication. Another
important limitation to PPTP is that it can traverse NAT devices
only through PPTP-enabled NAT routers.
Table 1 compares
important features of the four VPN protocols available in Windows
networks.
Table 1. VPN Protocols in Windows Networks

| VPN PROTOCOL | OS SUPPORT | SCENARIO | TRAVERSAL | VPN RECONNECT/MOBILITY | AUTHENTICATION |
|---|---|---|---|---|---|
| IKEv2 | Windows 7, Windows Server 2008 R2 | Remote Access | NAT | Yes | Machine or user authentication via IKEv2; VPN server requires a server certificate |
| SSTP | Windows Vista SP1, Windows Server 2008, Windows 7, Windows Server 2008 R2 | Remote Access | NAT, Firewalls, Web Proxy | No | User authentication via Point-to-Point Protocol (PPP); VPN server requires a server certificate |
| L2TP/IPSec | Windows 2000 and later | Remote Access, Site-to-Site | NAT, only with a special registry fix | No | Machine authentication via IPSec followed by user authentication via PPP; VPN client requires a computer certificate or a preshared key |
| PPTP | Windows NT 4.0, Windows 2000, and later | Remote Access, Site-to-Site | NAT, only through PPTP-enabled NAT routers | No | User authentication via PPP |