  1. Senior Member
    Join Date
    Feb 2008
    Location
    West Yorkshire, UK
    Posts
    269

    Certifications
    A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620
    #1

    Difference between PPTP and L2TP?

    Hi guys,

    I was wondering what are the exact differences between the two types of VPN? I know PPTP offers encryption (as I've looked at the security tab of the VPN connection and seen the option to require encryption or the line is dropped). I have only ever used PPTP in real life as I've heard L2TP is a pain in the backside to set up, and if the level of encryption isn't that much better for L2TP, what are the reasons for choosing it?

    Also, I have been looking into the whole certificates thing and it confuses me a bit for the following reason:

    How does a client know whether or not it needs to use certificates to access information? For example, if I installed CA on a domain controller, would EVERYTHING that is accessed from the Server require certificates on client side? Also, if you install CA on one Server, do certificates then apply to all member Servers and other DCs in the domain or is it just for that particular Server?

    I'm sorry to ask so many questions on here, but I find that the MS book doesn't actually explain the reasoning behind it all and the real-life practical questions/explanations. I find it better to ask the guys who can explain it properly and how it works in the real world, i.e. this forum.

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2

    Re: Difference between PPTP and L2TP?

    Quote Originally Posted by mr2nut
    Hi guys,
    Yo.

    Quote Originally Posted by mr2nut
    I was wondering what are the exact differences between the two types of VPN? I know PPTP offers encryption (as I've looked at the security tab of the VPN connection and seen the option to require encryption or the line is dropped). I have only ever used PPTP in real life as I've heard L2TP is a pain in the backside to set up, and if the level of encryption isn't that much better for L2TP, what are the reasons for choosing it?
    Well, it is better. That matters when security is a priority. L2TP requires certificates; PPTP does not. If you have an in-house CA and only your users, it's really not that bad to set up. As you get into more complicated scenarios (3rd party access, trusts with other forests, etc.) it gets more complicated. I use PPTP here.

    Quote Originally Posted by mr2nut
    Also, I have been looking into the whole certificates thing and it confuses me a bit for the following reason:

    How does a client know whether or not it needs to use certificates to access information? For example, if I installed CA on a domain controller, would EVERYTHING that is accessed from the Server require certificates on client side? Also, if you install CA on one Server, do certificates then apply to all member Servers and other DCs in the domain or is it just for that particular Server?
    It knows if a certificate is required. It needs one for EFS, signing/encrypting email, SSL in some circumstances, etc. Whatever you configure. Setting up a CA doesn't just automatically require certs on everything. If you want to use SSL with IIS, you have to go into IIS and configure it, etc. You can configure certs to be distributed through autoenrollment, or you can obtain them manually through the IIS site on the CA or the certificates console.

    Quote Originally Posted by mr2nut
    I'm sorry to ask so many questions on here, but I find that the MS book doesn't actually explain the reasoning behind it all and the real-life practical questions/explanations. I find it better to ask the guys who can explain it properly and how it works in the real world, i.e. this forum.
    No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

  4. undomiel (Virtual Member)
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #3
    For additional info and an overview of the differences between L2TP and PPTP:

    http://technet.microsoft.com/en-us/l.../bb742553.aspx

    L2TP can use pre-shared keys instead of certificates.

  5. Senior Member
    Join Date
    Feb 2008
    Location
    West Yorkshire, UK
    Posts
    269

    Certifications
    A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620
    #4
    Thanks for the detailed reply, man.

    So am I right in thinking that anything that uses SSL or HTTPS requires certificates to be sent from either party, but with bog-standard HTTP, data has more basic encryption, or none at all?

    I've heard quite a few stories about the PKI and CA stuff in this book; it confuses the hell out of me, and although I'm no master of everything MS, I'm definitely a good administrator who picks things up quite quickly.

  6. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #5
    Just for the record, using PSKs with L2TP is not considered a best practice and should only be used for testing. If you don't have a CA, use PPTP.

    Requiring certificates from both parties is referred to as mutual authentication, and it may or may not be required. You can configure IIS to use client certificate mappings if you want to require clients to use a certificate as well. Most often, only one certificate is required on the IIS server.

    HTTP doesn't have any encryption; everything is sent in plain-text.

    Here's a good PKI book that goes beyond the scope of this exam: http://www.amazon.com/Microsoft-Wind...8205254&sr=8-1

    That's definitely on my "to read" list. MS's PKI is probably my weakest subject.

    Seriously, pick up that Syngress book: http://www.amazon.com/Planning-Maint...8205363&sr=1-1 You can get it used for $20.

  7. undomiel (Virtual Member)
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #6
    I took a look at the Certificate Security book and it was pretty interesting. I need to check it out from the library again now that I have more time to take a closer look at it. I first checked it out while studying for the 270 so I didn't dedicate that much time to it.

  8. NetAdmin2436 (One Man Wolfpac)
    Join Date
    Mar 2008
    Location
    Minnesota
    Posts
    1,077

    Certifications
    AAS in Computer Networking, MCSE 2003, Network+, Security+, A+
    #7

    Re: Difference between PPTP and L2TP?

    Quote Originally Posted by Dynamikt
    No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

    +1

    I can attest to the MS Press Book coming up short on the 70-293 test. *sigh*

    L2TP is more flexible as it can be used over ATM, frame relay, X.25. PPTP is only supported by Microsoft. I've only used PPTP personally though.
    http://www.microsoft.com/technet/pro....mspx?mfr=true

  9. royal (New Member)
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #8
    Yes the MSPress for 293 sucks and the Syngress one is really good.

    Here are a couple of good articles:

    http://technet.microsoft.com/en-us/l.../cc780018.aspx
    http://technet.microsoft.com/en-us/l.../bb878088.aspx

    One of the main things to keep in mind is that PPTP uses Microsoft Point to Point Encryption whereas L2TP uses IPSec. PPTP only starts to use encryption after authentication whereas L2TP starts the entire session with IPSEC and then starts the authentication process.

    IPSEC can still do MS Chap authentication and things of that sort but that'll all be encapsulated inside IPSEC due to what I stated above. PPTP can still have the user authentication encrypted I believe but it's not the job of PPTP to use MPPE to ensure that happens. You can have PPTP use EAP-TLS with user/computer authentication using certificates and it'll be the job of EAP-TLS to do so. But as I said, with IPSEC, you ensure that ALL VPN traffic is inside your IPSEC encryption so it's basically being double encrypted.
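    As an added example (not from this thread or from any of its posters): a small Python flow classifier a defender could run over firewall or NetFlow-style records to tell PPTP from L2TP/IPsec by their protocol fingerprints, and to report what royal's post above implies each one leaves visible on the path. The IP protocol numbers and ports are the standard assignments (TCP/1723 and GRE for PPTP; UDP/500, UDP/4500 and ESP for IPsec; UDP/1701 for L2TP); the `Flow` type, the finding codes and the flow records are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Standard IP protocol numbers and ports used for fingerprinting. These are
# public assignments, not values taken from the thread.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed shape for this example)."""
    src: str
    dst: str
    proto: int
    dport: int = 0  # 0 for protocols that carry no port (GRE, ESP)


def classify_flow(f: Flow) -> str:
    """Map one flow record to the VPN component it most likely belongs to."""
    if f.proto == PROTO_TCP and f.dport == 1723:
        return "pptp-control"
    if f.proto == PROTO_GRE:
        return "pptp-data"      # PPP frames; MPPE only starts after PPP auth
    if f.proto == PROTO_UDP and f.dport == 500:
        return "ipsec-ike"
    if f.proto == PROTO_UDP and f.dport == 4500:
        return "ipsec-nat-t"    # IKE and UDP-encapsulated ESP behind NAT
    if f.proto == PROTO_ESP:
        return "ipsec-esp"
    if f.proto == PROTO_UDP and f.dport == 1701:
        return "l2tp-plain"     # L2TP visible outside ESP: no IPsec protection
    return "other"


# Findings keyed by short code so they can be asserted on and logged.
FINDING_TEXT = {
    "PPTP_AUTH_BEFORE_ENCRYPTION": (
        "PPTP in use: the PPP authentication exchange happens before MPPE "
        "keys exist, so it is not protected by the tunnel"),
    "L2TP_WITHOUT_IPSEC": (
        "L2TP seen on UDP/1701 outside IPsec: the tunnel carries PPP auth "
        "and payload with no encryption at all"),
    "IPSEC_TUNNEL": (
        "IPsec tunnel in use (L2TP/IPsec when RRAS is set up that way): only "
        "the IKE negotiation is observable; L2TP, PPP authentication and "
        "payload all travel inside ESP"),
}


def assess(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group flows by client address and return finding codes per client."""
    kinds_by_client: Dict[str, Set[str]] = {}
    for f in flows:
        kinds_by_client.setdefault(f.src, set()).add(classify_flow(f))
    findings: Dict[str, List[str]] = {}
    for client, kinds in kinds_by_client.items():
        codes: List[str] = []
        if kinds & {"pptp-control", "pptp-data"}:
            codes.append("PPTP_AUTH_BEFORE_ENCRYPTION")
        if "l2tp-plain" in kinds:
            codes.append("L2TP_WITHOUT_IPSEC")
        elif kinds & {"ipsec-ike", "ipsec-nat-t", "ipsec-esp"}:
            codes.append("IPSEC_TUNNEL")
        findings[client] = codes
    return findings


# Constructed sample: three clients talking to one VPN server (203.0.113.1).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.1", PROTO_TCP, 1723),
    Flow("10.0.0.5", "203.0.113.1", PROTO_GRE),
    Flow("10.0.0.6", "203.0.113.1", PROTO_UDP, 500),
    Flow("10.0.0.6", "203.0.113.1", PROTO_ESP),
    Flow("10.0.0.7", "203.0.113.1", PROTO_UDP, 1701),  # IPsec never came up
]

if __name__ == "__main__":
    for client, codes in assess(SAMPLE_FLOWS).items():
        for code in codes:
            print(f"{client}: {FINDING_TEXT[code]}")
```

    The third client is the case worth alerting on: L2TP on its own only tunnels PPP, so if UDP/1701 is seen in the clear the IPsec negotiation either failed or was never configured, and the "double encryption" royal describes is not happening.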

  10. Senior Member
    Join Date
    Feb 2008
    Location
    West Yorkshire, UK
    Posts
    269

    Certifications
    A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620
    #9
    Cheers for the heads up.

    Just to clarify, it seems that most people wouldn't go with standard CA as it's a load of manual work for the administrator. Enterprise CA is the way to go as it includes autoenrollment; I've got my head around that bit now.

    So if I installed CA from Add/Remove Windows Components and chose enterprise CA, it then integrates it into AD, but from then on does everything that CAN be encrypted, such as files, e-mails etc., now automatically use the CA to encrypt data between the server and all computer objects that are in Active Directory, or is there still some manual work to do?

  11. royal (New Member)
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #10
    Quote Originally Posted by mr2nut
    Cheers for the heads up.

    Just to clarify, it seems that most people wouldn't go with standard CA as it's a load of manual work for the administrator. Enterprise CA is the way to go as it includes autoenrollment; I've got my head around that bit now.
    Good timing on the CA stuff. I wrote a blog entry last night that talks about OCS and its requirements on certificates, and what the differences are between Standard/Enterprise CA and installing them on Standard Edition vs Enterprise Edition of Windows. I would give it a read; even though it's in regard to OCS, it still gives a lot of fundamental information on CA versions.

  12. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #11
    Quote Originally Posted by mr2nut
    Just to clarify, it seems that most people wouldn't go with standard CA as it's a load of manual work for the administrator. Enterprise CA is the way to go as it includes autoenrollment; I've got my head around that bit now.
    As always, it depends. If you're creating a hierarchy, you'll likely use a stand-alone CA as the root and take it offline as soon as you're done using it. You'll almost always want to use an Enterprise CA as your issuing CA for its ease of use and features.

    Quote Originally Posted by mr2nut
    So if I installed CA from Add/Remove Windows Components and chose enterprise CA, it then integrates it into AD, but from then on does everything that CAN be encrypted, such as files, e-mails etc., now automatically use the CA to encrypt data between the server and all computer objects that are in Active Directory, or is there still some manual work to do?
    No. You'll need to configure autoenrollment policies, etc. There is still some configuration with autoenrollment, but it will greatly reduce the amount of overall administration. You might want to check this out for more information: http://technet.microsoft.com/en-us/l.../bb456981.aspx

    Nice blog entry, Royal. It's nice to see one I can actually understand.

  13. royal (New Member)
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #12
    I probably should have created a link:
    http://www.shudnow.net/2008/08/07/of...se-edition-ca/

  14. snadam (ROFL-Copter pilot)
    Join Date
    Dec 2006
    Location
    AZ
    Posts
    2,235

    Certifications
    JNCIP-SEC, JNCIS-SEC, JNCIA-JunOS, CCNA, CCENT, MCSE 2003, MCSA 2003, MCP, Network+, Security+
    #13

    Re: Difference between PPTP and L2TP?

    Quote Originally Posted by dynamik

    No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

    REALLY? That bad? Okay, I'll just keep referencing Syngress now... I purchased the Syngress book to fill in the gaps that MS Press didn't.

    Man, that's like the 3rd time I've said that.

  15. royal (New Member)
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #14

    Re: Difference between PPTP and L2TP?

    Quote Originally Posted by snadam
    Quote Originally Posted by dynamik

    No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

    REALLY? That bad? Okay, I'll just keep referencing Syngress now... I purchased the Syngress book to fill in the gaps that MS Press didn't.

    Man, that's like the 3rd time I've said that.
    Yes, it's that bad.

  16. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #15
    A better title would have been "Intro to 70-293". I actually thought it was pretty well written. It just doesn't go into the depth you need for the exam or real-world application.

  17. Member
    Join Date
    Jul 2006
    Location
    Wheatfield, NY
    Posts
    46

    Certifications
    A+, Network+, MCSE - 2003
    #16

    Re: Difference between PPTP and L2TP?

    Quote Originally Posted by snadam
    Quote Originally Posted by dynamik

    No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.

    REALLY? That bad? Okay, I'll just keep referencing Syngress now... I purchased the Syngress book to fill in the gaps that MS Press didn't.

    Man, that's like the 3rd time I've said that.
    I can attest to this as well. I am currently studying for the 293 and finished the MS Press book. I started doing the Transcender exams and kept getting hit with concepts I didn't know. I am now reading the Syngress book and can see the difference. Syngress covers everything, and in depth as well.

    I am hoping to take the 293 within a week or two.
