Point-to-Point Tunneling Protocols (PPTP)

Security in
Wireless LANs
By Christian Ploninger
Institute of Computer Networks
Vienna University of Technology
November 2002
Abstract
Dipl.-Ing. Christian Ploninger
1 Network overview
1.1 Adding a WLAN to an existing Intranet Infrastructure
This scenario typically occurs when the computer network of an organization evolves.
Installing an additional WLAN to an existing Network Infrastructure
1.1.1 Using a separate WLAN-to-Intranet Gateway (Type A)
1.1.2 Using one central Gateway (Type B)
1.2 Stand-alone WLAN with Internet Connectivity
This scenario may take place in a small organization or at home.
1.3 Tunnelling Protocols:

Point-to-Point Tunneling Protocol (PPTP). PPTP allows IP, IPX, or NetBEUI
traffic to be encrypted, and then encapsulated in an IP header to be sent across a
corporate IP internetwork or a public IP internetwork such as the Internet.

Layer Two Tunneling Protocol (L2TP). L2TP allows IP, IPX, or NetBEUI traffic
to be encrypted, and then sent over any medium that supports point-to-point
datagram delivery, such as IP, X.25, Frame Relay, or ATM.
1.3.1 Point-to-Point Tunneling Protocol (PPTP)
PPTP is a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission
over an IP internetwork, such as the Internet. PPTP can be used for remote access and
router-to-router VPN connections. PPTP is documented in RFC 2637.
The Point-to-Point Tunneling Protocol (PPTP) uses a TCP connection for tunnel
maintenance and a modified version of Generic Routing Encapsulation (GRE) to
encapsulate PPP frames for tunneled data. The payloads of the encapsulated PPP frames
can be encrypted and/or compressed. Figure 6 shows the structure of a PPTP packet
containing user data.
Figure 6. Structure of a PPTP packet containing user data
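The GRE encapsulation just described, as an added example that is not code from the original report: a Python parser for the enhanced GRE header PPTP places in front of each tunneled PPP frame (RFC 2637). The sample datagram is constructed, and the PPP protocol id 0x00FD for MPPE-encrypted frames is taken from RFC 3078.

```python
"""Parse the enhanced GRE header PPTP (RFC 2637) places before each tunneled
PPP frame.  Added example, not code from the original report."""
import struct

GRE_PROTO_PPP = 0x880B     # protocol type PPTP uses for PPP payloads
PPP_PROTO_MPPE = 0x00FD    # PPP protocol id of an MPPE-encrypted frame (RFC 3078)


def parse_pptp_gre(datagram):
    """datagram: IP payload of an IP-protocol-47 packet (GRE header + PPP frame).
    Returns the header fields and the PPP payload; raises ValueError if malformed."""
    if len(datagram) < 8:
        raise ValueError("too short for an enhanced GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", datagram[:8])
    key_present = bool(b0 & 0x20)   # K: key field = payload length + call ID
    seq_present = bool(b0 & 0x10)   # S: a sequence number follows the key
    ack_present = bool(b1 & 0x80)   # A: an acknowledgment number follows
    version = b1 & 0x07             # RFC 2637 requires Ver = 1
    if version != 1 or proto != GRE_PROTO_PPP or not key_present:
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if seq_present:
        seq = struct.unpack("!I", datagram[off:off + 4])[0]
        off += 4
    if ack_present:
        ack = struct.unpack("!I", datagram[off:off + 4])[0]
        off += 4
    payload = datagram[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload length field exceeds the datagram")
    # PPP address/control (FF 03) may be compressed away; the protocol field
    # is one byte when its low bit is set, otherwise two bytes.
    ppp = payload[2:] if payload[:2] == b"\xff\x03" else payload
    if len(ppp) < 2:
        raise ValueError("no PPP protocol field")
    ppp_proto = ppp[0] if ppp[0] & 1 else (ppp[0] << 8) | ppp[1]
    # The call ID is the only demultiplexing key GRE carries (no port numbers),
    # which is why a NAT needs a PPTP-aware editor to rewrite it.
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp_protocol": ppp_proto,
            "mppe_encrypted": ppp_proto == PPP_PROTO_MPPE, "payload": payload}


# Constructed sample: K, S, A set, Ver 1, call ID 0x1234, seq 7, ack 3, then a
# 16-byte MPPE-wrapped PPP frame whose encrypted body is placeholder zeros.
SAMPLE_PPP = b"\xff\x03\x00\xfd" + b"\x00" * 12
SAMPLE_GRE = struct.pack("!BBHHHII", 0x30, 0x81, GRE_PROTO_PPP,
                         len(SAMPLE_PPP), 0x1234, 7, 3) + SAMPLE_PPP

if __name__ == "__main__":
    print(parse_pptp_gre(SAMPLE_GRE))
```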
1.3.2 Layer Two Tunneling Protocol (L2TP)
L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco
Systems, Inc. L2TP represents the best features of PPTP and L2F. L2TP encapsulates PPP
frames to be sent over IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM)
networks. When configured to use IP as its datagram transport, L2TP can be used as a
tunneling protocol over the Internet. L2TP is documented in RFC 2661.
L2TP over IP internetworks uses UDP and a series of L2TP messages for tunnel maintenance.
L2TP also uses UDP to send L2TP-encapsulated PPP frames as the tunneled data. The
payloads of encapsulated PPP frames can be encrypted and/or compressed. Figure 7 shows
the structure of an L2TP packet containing user data.
Figure 7. Structure of an L2TP packet containing user data
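The L2TP header described above, as an added example that is not code from the original report: a Python parser for the RFC 2661 header on UDP port 1701 that handles both tunnel-maintenance (control) and data messages. The two sample messages are constructed.

```python
"""Parse the L2TP (RFC 2661) header that precedes every message on UDP port
1701.  Added example, not code from the original report."""
import struct


def parse_l2tp(udp_payload):
    """udp_payload: the bytes after the UDP header.  Returns the header fields and
    the payload (AVPs for control, a PPP frame for data); raises ValueError."""
    if len(udp_payload) < 2:
        raise ValueError("too short for an L2TP header")
    (flags,) = struct.unpack("!H", udp_payload[:2])
    is_control = bool(flags & 0x8000)   # T: control message (tunnel maintenance)
    has_length = bool(flags & 0x4000)   # L: Length field present
    has_seq = bool(flags & 0x0800)      # S: Ns/Nr fields present
    has_offset = bool(flags & 0x0200)   # O: Offset Size field present
    priority = bool(flags & 0x0100)     # P: data message asks for priority
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 header")
    # RFC 2661: a control message must carry L and S and must not carry O.
    if is_control and (not has_length or not has_seq or has_offset):
        raise ValueError("control message with illegal flag combination")
    need = 2 + 2 * has_length + 4 + 4 * has_seq + 2 * has_offset
    if len(udp_payload) < need:
        raise ValueError("truncated L2TP header")
    off, length = 2, len(udp_payload)
    if has_length:
        (length,) = struct.unpack("!H", udp_payload[off:off + 2])
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", udp_payload[off:off + 4])
    off += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack("!HH", udp_payload[off:off + 4])
        off += 4
    if has_offset:  # payload begins Offset Size bytes after the Offset Size field
        (offset_size,) = struct.unpack("!H", udp_payload[off:off + 2])
        off += 2 + offset_size
    if length > len(udp_payload) or off > length:
        raise ValueError("Length/Offset fields run past the message")
    return {"control": is_control, "priority": priority, "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr,
            "payload": udp_payload[off:length]}


# Constructed samples: a data message (T=0, L and S set) carrying a PPP frame for
# tunnel 5 / session 9, and a control message (T=1) for tunnel 0 with placeholder AVPs.
PPP_FRAME = b"\xff\x03\x00\x21" + b"\x00" * 8
DATA_MSG = struct.pack("!HHHHHH", 0x4802, 12 + len(PPP_FRAME), 5, 9, 1, 0) + PPP_FRAME
CTRL_MSG = struct.pack("!HHHHHH", 0xC802, 12 + 4, 0, 0, 0, 0) + b"\x00" * 4
```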
In Windows 2000, IPSec Encapsulating Security Payload (ESP) is used to encrypt the L2TP
packet. This is known as L2TP/IPSec. The result after applying ESP is shown in Figure 8.
Figure 8. Encryption of an L2TP packet with IPSec ESP
1.3.3 PPTP Compared to L2TP/IPSec
Both PPTP and L2TP/IPSec use PPP to provide an initial envelope for the data, and then
append additional headers for transport through the internetwork. However, there are the
following differences:

With PPTP, data encryption begins after the PPP connection process (and, therefore, PPP
authentication) is completed. With L2TP/IPSec, data encryption begins before the PPP
connection process by negotiating an IPSec security association.

PPTP connections use MPPE, a stream cipher that is based on the Rivest-Shamir-Adleman
(RSA) RC4 encryption algorithm and uses 40, 56, or 128-bit encryption keys. Stream
ciphers encrypt data as a bit stream. L2TP/IPSec connections use the Data Encryption
Standard (DES), which is a block cipher that uses either a 56-bit key for DES or three
56-bit keys for 3DES. Block ciphers encrypt data in discrete blocks (64-bit blocks, in the
case of DES).

PPTP connections require only user-level authentication through a PPP-based
authentication protocol. L2TP/IPSec connections require the same user-level
authentication and, in addition, computer-level authentication using computer certificates.
1.3.4 Advantages of L2TP/IPSec over PPTP
The following are the advantages of using L2TP/IPSec over PPTP in Windows 2000:

IPSec provides per-packet data authentication (proof that the data was sent by the
authorized user), data integrity (proof that the data was not modified in transit), replay
protection (prevention from resending a stream of captured packets), and data
confidentiality (prevention from interpreting captured packets without the encryption key).
By contrast, PPTP provides only per-packet data confidentiality.

L2TP/IPSec connections provide stronger authentication by requiring both computer-level
authentication through certificates and user-level authentication through a PPP
authentication protocol.

PPP packets exchanged during user-level authentication are never sent in an unencrypted
form because the PPP connection process for L2TP/IPSec occurs after the IPSec security
associations (SAs) are established. If intercepted, the PPP authentication exchange for
some types of PPP authentication protocols can be used to perform offline dictionary
attacks and determine user passwords. By encrypting the PPP authentication exchange,
offline dictionary attacks are only possible after the encrypted packets have been
successfully decrypted.
1.3.5 Advantages of PPTP over L2TP/IPSec
The following are advantages of PPTP over L2TP/IPSec in Windows 2000:

PPTP does not require a certificate infrastructure. L2TP/IPSec requires a certificate
infrastructure for issuing computer certificates to the VPN server computer (or other
authenticating server) and all VPN client computers. (Nevertheless, Windows 2000 can be
configured to use IPSec with pre-shared keys.)

PPTP can be used by computers running Windows XP, Windows 2000, Windows NT version
4.0, Windows Millennium Edition (ME), Windows 98, and Windows 95 with the Windows
Dial-Up Networking 1.3 Performance & Security Update. L2TP/IPSec can only be used with
Windows XP and Windows 2000 VPN clients. Only these clients support the L2TP protocol,
IPSec, and the use of certificates. (Windows 2000 and Windows XP are state-of-the-art
software.)

PPTP clients and server can be placed behind a network address translator (NAT) if the
NAT has the appropriate editors for PPTP traffic. L2TP/IPSec-based VPN clients or servers
cannot be placed behind a NAT because Internet Key Exchange (IKE) (the protocol used
to negotiate SAs) and IPSec-protected traffic are not NAT-translatable. (This presumably
means that a NAT service cannot operate within the tunnel, i.e. between the tunnel
endpoints.)
1.4 Setting up DHCP
Setup the Server
Setup the Clients
1.5 Setting up NAT
1.6 Setting up the Tunnel
1.6.1 VPN Server Setup
Setup VPN Connection:
With the Virtual private network (VPN) server option, the Routing and Remote
Access server operates in the role of a VPN server supporting both remote access and
router-to-router VPN connections. To configure a Windows 2000 VPN remote access
server using the Virtual private network (VPN) server option in the Routing and
Remote Access Server Setup Wizard, perform the following:
1. Click Start, point to Programs, point to Administrative Tools, and then click
Routing and Remote Access.
2. Right-click your server name, and then click Configure and Enable Routing and
Remote Access.
3. In the Welcome to the Routing and Remote Access Server Setup Wizard dialog
box, click Next.
4. In the Common Configurations dialog box, click Remote access server and then
click Next.
5. In the Remote Client Protocols dialog box, verify that all data protocols used by
your VPN clients are present, and then click Next. (Ordinarily this will include TCP/IP.)
6. In Internet Connection, click the connection that corresponds to the interface
connected to your Wireless LAN, and then click Next. You will only see the Internet
Connection dialog box if you have more than one LAN connection.
7. In the Network Selection dialog box, click the connection that corresponds to the
interface connected to your intranet, and then click Next. You will only see the
Network Selection dialog box if you have more than two LAN connections.
8. In the IP Address Assignment dialog box, click Automatic if the remote access
server should use DHCP to obtain IP addresses for VPN clients. Otherwise, click From
a specified range of addresses and configure one or more static ranges of
addresses. Click Next.
9. In the Managing Multiple Remote Access Servers dialog box, click No, I don't
want to set up this server to use RADIUS now, and then click Next.
10. In the Completing the Routing and Remote Access Server Setup Wizard dialog
box, click Finish.
11. Start the Routing and Remote Access service when prompted.
Add VPN User:
Add a new local user called “VPN” to the VPN Server. Configure the dial-in option to grant
access according to RAS. By default this option is set. Because of this, it is necessary to
check all other users and deactivate their dial-in permission.
Configure IPSec:
Secure VPN Connection:
1.6.2 VPN Client Setup
Setup VPN Connection:
If you have a small number of VPN remote access clients, you can manually configure
VPN connections for each client. For Windows XP VPN clients, use the following
instructions to create the VPN connection:
1. Click Start, click Control Panel, click Network and Internet Connections, and
then click Network Connections.
2. Under Network Tasks, click Create a new connection, and then click Next.
3. Click Connect to the network at my workplace, and then click Next.
4. Click Virtual Private Network connection, and then click Next.
5. Type the name of the VPN connection, and then click Next.
6. Click Do not dial the initial connection. Click Next.
7. Type the IP address of the VPN server, and then click Next.
8. Click Anyone's use if you want this VPN connection to be available to all users who
log on to this computer. Otherwise, click My use only. Click Next. You will only see
this choice if the computer is a member of a domain.
9. Click Add a shortcut to my desktop. Click Finish.
In the Connect dialog box, type the user name and password that will be sent as your
security credentials when you connect. If you want to save the password so that it does
not have to be typed for each connection attempt, click Save this user name and
password for the following users.
To make a VPN connection, click Connect.
To create a VPN connection on a computer running Windows 2000, double-click the
Make New Connection icon in the Network Connections folder and select the Connect
to a private network through the Internet connection type.
Configure IPSec:
Secure VPN Connection: