Differences between PPTP, L2TP, IPSec, and SSLVPN

VPN (Virtual Private Network) is no longer a simple encrypted access tunnel, it integrates multiple functions such as access control, transmission management, encryption, route selection, and availability management, and plays an important role in the global information security system. Also on the network, the advantages and disadvantages of various VPN protocols are benevolent, wise, and wise. For the purpose of use, many technical staff, including access control, security, and ease of use, flexible expansion and other aspects, weigh the advantages and disadvantages, it is difficult to choose; especially in the VOIP voice environment, network security is particularly important, so more and more network calls and voice gateways support VPN protocol.

PPTP

The Point-to-Point Tunneling Protocol (PPTP) is a Point-to-Point Tunneling Protocol developed by PPTP forums consisting of companies such as Microsoft and 3Com, the PPP protocol used for dialing uses encryption algorithms such as PAP or CHAP, or Microsoft's point-to-point encryption algorithm MPPE. It creates a VPN over a TCP/IP-based data network to implement secure data transmission from a remote client to a dedicated Enterprise Server. PPTP supports creating on-demand, multi-protocol, and virtual private networks through public networks (such as the Internet. PPTP allows encrypted IP communication and encapsulates it in the IP header sent across the company's IP network or public IP network (such as the Internet.

L2TP Layer 2 Tunneling Protocol (L2TP) is a later version of PPTP developed by IETF Based on L2F (Cisco Layer 2 forwarding protocol. It is an industrial standard Internet tunnel protocol that provides encapsulation for a Point-to-Point Protocol (PPP) framework that spans data packets. Both PPTP and L2TP use the PPP protocol to encapsulate data, and then add additional headers for data transmission over the Internet. PPTP can only establish a single tunnel between two points. L2TP supports multiple tunnels between two points. Users can create different tunnels for different service quality. L2TP can provide tunnel verification, while PPTP does not. However, when both L2TP or PPTP and IPSEC are used together, IPSEC can provide tunneling verification, without the need to verify that the tunneling uses L2TP on the layer-3 protocol. PPTP requires the Internet to be an IP network. L2TP only requires the tunneling media to provide packet-oriented point-to-point connections. L2TP can relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) at IP addresses (using UDP) or use it on an ATM VCs network.

The IPSec tunneling mode is the whole process of encapsulation, routing, and unencapsulation. The tunnel hides (or encapsulates) the original data packet inside the new data packet. The new data packet may have new addressing and routing information so that it can be transmitted over the network. When the tunnel is used in combination with data confidentiality, the person who listens to the communication on the network will not be able to obtain the original data packet (as well as the original source and target ). After the encapsulated data packet arrives at the destination, the encapsulation is deleted. The original data packet header is used to route the data packet to the destination.

A tunnel is a logical data path that encapsulates data. It is invisible to the source and destination, but only to point-to-point connections in the network path. Both parties do not care about any vrouters, switches, proxies, or other security gateways between the start and end points of the tunnel. A VPN can be used to provide a VPN when a tunnel is used in combination with data confidentiality.

The encapsulated data packet is transmitted within the tunnel of the network. In this example, the network is Internet. A gateway can be a perimeter gateway between an external Internet and a private network. Perimeter gateways can be routers, firewalls, proxy servers, or other security gateways. In addition, two gateways can be used inside a private network to protect untrusted communication in the network.

When using IPSec in tunneling mode, it only provides encapsulation for IP communication. The IPSec tunneling mode is used to interact with other routers, gateways, or terminal systems that do not support the L2TP or pptp vpn tunneling technology on IPSec.

Ssl vpnssl vpn provides features such as data privacy, endpoint verification, and information integrity. The SSL protocol consists of many sub-protocols, two of which are handshake protocol and record protocol. The handshake protocol allows the server and client to confirm each other before the application protocol transmits the First Data byte and negotiate an encryption algorithm and password key. During data transmission, the record protocol uses the key generated by the handshake protocol to encrypt and decrypt subsequently exchanged data.

SSL is independent from the application, so any application can enjoy its security without worrying about the execution details. SSL is placed between the transport layer and the application layer of the network architecture. In addition, SSL is supported by almost all Web browsers. This means that the client does not need to install additional software to support SSL connections. These two features are the key points that SSL can be applied to VPN.

A typical ssl vpn application, such as OpenVPN, is a good open-source software. Our products provide PPTP and OpenVPN applications. PPTP is mainly used by users who often go out for mobile or home office work; openVPN is mainly used for non-stop on-demand VPN connections between companies in different regions, such as ERP applications in enterprises.

OpenVPN allows you to use the default private key, third-party certificate, or user name/password to authenticate a single point that participates in the establishment of a VPN. It uses a large number of OpenSSL cryptographic libraries and SSLv3/TLSv1 protocols. OpenVPN can run on Linux, xBSD, Mac OS X, and Windows 2000/XP. It is not a Web-based VPN software, and is not compatible with IPsec and other VPN software packages.

Tunnel Encryption

OpenVPN uses the OpenSSL library to encrypt data and control information: it uses the OpesSSL encryption and verification function, meaning that it can use any algorithms supported by OpenSSL. It provides optional packet HMAC functions to improve connection security. In addition, OpenSSL hardware acceleration can also improve its performance.

Verify

OpenVPN provides multiple authentication methods to confirm the identity of both parties involved in the connection, including: Pre-enjoy private key, third-party certificate and user name/password combination. Pre-access keys are the easiest, but they can only be used to establish point-to-point VPNs. PKI-based third-party certificates provide the most comprehensive functions, but require extra effort to maintain a PKI certificate system. OpenVPN2.0 introduces an authentication method that combines account names and passwords. It can omit client certificates, but there is still a server certificate that needs to be encrypted.

Network

All communication in OpenVPN is based on a single IP port. UDP protocol communication is recommended by default, and TCP is also supported. OpenVPN connections can work well in NAT environments through most proxies. The server can "push" some network configuration information to the client, including the IP address and route settings. OpenVPN provides two virtual network interfaces: Common Tun/Tap drivers, which allow you to establish a layer-3 IP tunnel or a virtual layer-2 Ethernet, the latter can transmit any type of L2 Ethernet data. Data transmitted can be compressed using the LZO algorithm. IANA (Internet Assigned Numbers Authority) specifies the official port 1194 for OpenVPN. In OpenVPN 2.0 and later versions, each process can manage several concurrent tunnels at the same time.

OpenVPN uses the features of common network protocols (TCP and UDP) to make it an ideal alternative to protocols such as IPsec, especially when the ISP (Internet service provider) filters certain VPN protocols. When selecting a protocol, pay attention to the network conditions between two encrypted tunnels. If there is a high latency or a large number of packet loss, select TCP as the underlying protocol, due to the absence of connection and retransmission mechanisms, UDP protocol is inefficient because it requires the upper-layer protocol to be retransmitted.

Security

OpenVPN has many inherent security features: it runs in the user space and does not need to modify the kernel and network protocol stack. After the initial operation, it runs in the chroot mode and gives up the root permission; use mlockall to prevent the exchange of sensitive data to the disk.

OpenVPN supports hardware-encrypted identifiers such as smart cards through PKCS #11.