I am sure you must have experienced VPN Reconnect, a new IKEv2-based VPN tunnel added in Windows 7 that automatically and seamlessly switches an active VPN connection over when the underlying Internet interface (connection) changes, so applications keep running without interruption.
Isn't that COOL? A VPN user can move from Wi-Fi to WWAN and back and still have true mobile connectivity to corpnet! Yes it is…
This means the Windows 7 in-built VPN client and the Windows Server 2008 R2 in-built VPN server (aka RRAS) support the following VPN tunnels:
- PPTP
- L2TP/IPSec
- SSTP
- VPN Reconnect (or IKEv2)
I am sure you must be wondering why there are four different tunnel types and which one to use in a given scenario. This blog post helps to clarify that.
Let us look at the technical specs, which summarize the tunnel features against different deployment factors.
First, a comparison on network-related parameters:
| Tunnel Type | OS support | Scenario | IP Addressing | Traversal | Mobility Enabled |
|---|---|---|---|---|---|
| PPTP | XP, 2003, Vista, WS08, W7, WS08 R2 | Remote Access, Site-to-Site | Works over IPv4 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT via PPTP-enabled NAT routers | No |
| L2TP/IPSec | XP, 2003, Vista, WS08, W7, WS08 R2 | Remote Access, Site-to-Site | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT | No |
| SSTP | Vista SP1, WS08, W7, WS08 R2 | Remote Access | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT, Firewalls, Web Proxy | No |
| VPN Reconnect | W7, WS08 R2 | Remote Access | Works over IPv4 as well as IPv6 network; relays IPv4 as well as IPv6 traffic on top of the tunnel | NAT | Yes |
Now let's compare on security-related parameters:
| Tunnel Type | Authentication | Data Confidentiality |
|---|---|---|
| PPTP | User authentication via PPP* | RC4*** |
| L2TP/IPSec | Machine authentication via IPSec followed by user authentication via PPP* | DES, 3DES, AES**** |
| SSTP | User authentication via PPP* | RC4, AES |
| VPN Reconnect | Machine or user authentication via IKEv2** | 3DES, AES |
and ….