Should you use PPTP or L2TP OR SSL for VPN connections?

Which ones are preferred?

CJ7

1 Answer

PPTP is very simple to set up, but both Microsoft's original and v2 implementations use weak password hashing methods and have been demonstrated to be relatively easy to crack. There are extensions to PPTP such as EAP/TLS that help to mitigate some of these flaws, but they increase the complexity of implementation.

L2TP is much more secure, but can be hard to get through firewalls and NAT translation.

OpenVPN is a great open source VPN solution. It is NOT a browser-based VPN, but uses the OpenSSL libraries to securely establish and encrypt connections. There are lots of ways to implement it that lower the expertise required -- my personal favorite is pfSense, a FreeBSD-based firewall that is easy to install and configure via a browser-based management console and works great as an OpenVPN gateway (though it can also be a PPTP or L2TP gateway). The web interface even allows users to log in and download the OpenVPN client software package pre-configured specifically for their account as an exe installer or *nix config file. pfSense even runs great on almost any old beige box you might have kicking around waiting for the scrap heap.

nedm
  • @nedm: your "relatively easy to crack" link mentions that the new version has addressed the major security weaknesses apart from "offline passwords guessing attacks", which means that if a strong password is used then it should be reasonably secure. – CJ7 Jun 20 '10 at 08:28
  • @Craig: This apparently depends on your definition of 'reasonably secure.' I don't consider the following conclusion at the end of the linked post to be a ringing endorsement of PPTP, with or without a strong password: "These changes address most of the major security weaknesses of the original protocol. However, the revised protocol is still vulnerable to offline password-guessing attacks from hacker tools such as L0phtcrack. At this point we still do not recommend Microsoft PPTP for applications where security is a factor." – nedm Jun 21 '10 at 05:50
  • However, as @Zoredache pointed out, it depends entirely on your requirements. If you work in an industry with any sort of regulatory compliance threshold I would avoid PPTP, especially since there are alternatives that are relatively easy (and free!) to implement. Your question reads "Should *you* use PPTP or L2TP OR SSL for VPN connections?" and I can tell you confidently that *I* should not use PPTP. – nedm Jun 21 '10 at 05:53
  • @nedm: their recommendation is worthless without an explanation, and all they have mentioned is 'offline password guessing attacks', which means that 14 char length password with number, alpha and symbols will require about 10,000 years to crack. I plan to be around that long, but do you? – CJ7 Jun 21 '10 at 07:38
  • -1, My $DEITY, people still think the Windows 95/98 version of PPTP is in use... It was replaced 10 years ago! The newer version is more secure than the short and easily guessed passwords users typically pick. – Chris S Sep 10 '10 at 03:48
  • @Chris, thought I acknowledged the improvements pretty thoroughly in the first paragraph -- and as per my first comment, I completely agree that the password is the weak link, and to add, not just in PPTP but in most VPN systems. – nedm Sep 10 '10 at 17:05