- The Point-to-Point Tunneling Protocol (PPTP) is defined as a network protocol that supports secure server-client data transfer by creating a VPN across TCP/IP-powered networks. PPTP supports multi-protocol, on-demand VPNs over public networks.
- The Layer 2 Tunneling Protocol (L2TP) is defined as a tunneling protocol that supports VPN and ISP service delivery. This protocol only encrypts its control messages and is not responsible for encrypting or otherwise protecting other content by itself.
- This article details the top five differences between PPTP and L2TP.
What Is Point-To-Point Tunneling Protocol (PPTP)?
The Point-to-Point Tunneling Protocol (PPTP) is one of the oldest active VPN protocols. It has been in use since the days of Microsoft Windows 95 and is a standard protocol compatible with all versions of the operating system since.
Microsoft developed PPTP as part of an initiative to encapsulate the Point-to-Point Protocol (PPP). The protocol operates on TCP port 1723 and is one of the most popular tunneling protocols even today.
PPTP is fairly simple to set up and one of the fastest protocols available. However, it is subject to certain security vulnerabilities. For instance, its underlying authentication protocols — generally MS-CHAPv1 and MS-CHAPv2 — are intrinsically non-secure, a fact repeatedly highlighted by cybersecurity personnel since the introduction of PPTP.
This makes the Point-to-Point Tunneling Protocol common in applications where speed is critical but security is not, such as video and audio streaming. It is also useful for older devices that have more constrained processors.
Nevertheless, these are not the only applications of PPTP. Despite its security shortcomings, several corporations with offices worldwide leverage PPTP to deploy VPNs in the form of large LANs using WAN architecture, such as the network of a public ISP or a telecom company. This is generally more economical than establishing enterprise network infrastructure across long geographic distances.
By constructing a VPN across a TCP/IP-powered network, such as the internet, PPTP enables users to transfer data securely and remotely from a client to a server within a private network. This is typically used by employees and contractors to securely access enterprise networks remotely over the internet as if they were present on the network itself.
See More: What Is Web Real-Time Communication (WebRTC)? Definition, Design, Importance and Examples
What Is Layer Two Tunneling Protocol (L2TP)?
The Layer 2 Tunneling Protocol (L2TP) is the merger of two protocols: Microsoft’s PPTP and Cisco’s Layer 2 Forwarding. It is known as the Virtual Dial-up Protocol as it services the PPP extension over the internet. This tunneling protocol is used by ISPs to enable VPN services.
L2TP has two key components: the L2TP access concentrator (LAC) for physically terminating a call and the L2TP network server (LNS) for terminating a call and authenticating the PPP stream. These two components work together to secure communications between internet networks.
L2TP leverages an encryption protocol to pass within the tunnel to ensure security and privacy. This protocol can transfer most L2 data types over an L3 or IP network. The process deploys a tunnel connecting LAC and LNS via the internet. This enables a PPP link layer that is encapsulated and transferred online.
L2TP is useful for reducing dial-up costs and overheads for users connected remotely to an enterprise network. Let’s assume a user in Silicon Valley is linked to a traditional dial-up modem. This user seeks to communicate with another user in London, get a connection, and deploy a dedicated link from Silicon Valley to London. This dedicated dial-up link will leverage a public switched telephone network (PSTN), giving our user the lowest data transfer speed due to shared PSTN media. The best-expected speed is around 33 Kbps, as thousands of other users would occupy the same medium at the time.
Needless to say, this speed is far too low for today’s ‘Gbps-savvy’ world. Our user has another option: to use L2TP with PPP configured at both the ISP and user sites. Once the user request is successfully authenticated, a tunnel is created to transmit user data, and the users can start their communication. A PPP connection to an ISP can be initiated by the user either through a PSTN service or an Integrated Services Digital Network (ISDN).
See More: What Is Unified Communication? Definition, System, Cloud Service, Best Practices, and Examples
PPTP vs. L2TP: 5 Leading Differences
The Point-to-Point Tunneling Protocol supports secure server-client data transfer by creating a VPN across TCP/IP-powered networks. PPTP supports multi-protocol, on-demand VPNs over public networks.
On the other hand, the Layer 2 Tunneling Protocol supports VPN and ISP service delivery. This protocol only encrypts its control messages and is not responsible for encrypting or protecting other content by itself.
PPTP vs. L2TP Overview
Sources: VPN Unlimited and Network Encyclopedia
Let’s dive into the main differences between PPTP and L2TP.
1. Background |
|
| PPTP | L2TP |
| Engineers from tech stalwarts, including Microsoft and Nokia, banded together in the 1990s to create PPTP. The goal was to build a basic encryption tool for Windows users to enjoy the new frontiers of the online world, such as ecommerce.
PPTP was built as the successor of PPP and worked just like its predecessor by creating data packets that formed the basis of the tunnel. Its packet creation process was coupled with authentication solutions to ensure the legitimacy of the traffic being transmitted across the network. Encryption was used to scramble the data contained within packets. However, since its creation, PPTP servers have become risky for applications with security considerations. By 1998, cybercriminals were already well-aware of methods to extract password hashes from MS-CHAPv1 authentication users and even published their findings. In 1999, PPTP was granted an official RFC specification, RFC 2637. This document contains all the technical details of this protocol; how it operates at Data Layer 2, how it employs General Routing Encapsulation (GRE) for packet creation, how it uses the Microsoft MPPE encryption standard, how its packets use TCP port 1723 and IP port 47, and so on. PPTP was designed to function in common Windows environments. Therefore, Microsoft ensured it came with high speeds and a low footprint. As such, PPTP is simple to deploy on internal VPNs and has gained high popularity among enterprises. |
L2TP was built upon PTPP and is leveraged by ISPs to support VPN connections.
L2TP is a series of digital communication protocols and is used to enable tunneling capabilities. User data is collected via private transportation and transmitted over public networks. L2TP offers encryption and confidentiality for VPN functionality in tandem with IPSec, a Layer 3 protection protocol. This protocol was collaboratively developed by Microsoft and Cisco to serve as a replacement for PPTP. It was granted an official RFC specification at the turn of the millennium via RFC 2661. The technology behind L2TP leveraged two older tunneling protocols to establish point-to-point connectivity: PPTP and the Cisco Layer 2 Forwarding (L2F) Protocol. L2TPv3 was a later protocol version released in 2005. It provided improved encapsulation, new ways to transmit data links, and greater cybersecurity options. |
2. Working |
|
| PPTP | L2TP |
| The Point-to-Point Tunneling Protocol is compatible with most operating systems and is especially supported by all versions of the Windows operating system. It sacrifices security for speed, mainly due to its weak cryptography compared to the capabilities of modern-day computers.
Even though the popularity of PPTP is falling, this protocol is still seen in use for numerous mainstream VPN applications. So, how does PPTP work? PPTP is routed over TCP port 1723. The tunnel is deployed via General Routing Encapsulation (GRE), and PPTP also authenticates the data packets being transmitted at both ends of the tunnel. However, PPTP also features unfixable security issues such as vulnerabilities to brute force attacks, dictionary attacks, and cryptanalysis. Several PPTP components are inherently susceptible to these shortcomings, including MPPE, MS-CHAPv1, and MS-CHAPv2. Therefore, despite being a swift protocol requiring low computational power, PPTP is not well-suited for applications requiring high security. PPTP is a highly straightforward protocol for users looking to set up their own VPN server. In fact, Microsoft Windows, Linux, Google Android, and Apple macOS and iOS users can use this protocol without needing additional software installation. Even consumer VPN apps are known to still use PPTP, and even now, it is leveraged for many VPN services despite its security concerns. |
In simple terms, the function of L2TP is to offer VPNs a means to function. However, this protocol does not offer encryption security for data packets by itself. Therefore, it is usually paired with the IPSec protocol to ensure strong security and encryption for online activities.
That is why the term L2TP/IPSec is commonly used; L2TP provides the basis for VPN connectivity, while IPSec ensures cybersecurity. L2TP uses PPP to support the link-layer tunnel and link the client, L2TP Access Concentrator (LAC), and the L2TP network server (LNS). Thus, the tunnel simply links the user and the VPN server. It’s worth noting that this process can be completed by L2TP alone; however, this would be at the cost of security, at least until the protocol is paired with IPSec. The tunnel is configured using control packets transmitted from the sender to the receiver. Tunnels can extend either across one out of a two-segment PPP session or an entire session. Four different tunneling models are used by the L2TP protocol:
For an L2TP connection to be created, a back-and-forth transfer of numerous control packets occurs between LAC and LNS. Data packets undergo a unique process in the L2TP protocol, where they are encapsulated twice. The first encapsulation occurs via PPP, and the second via the IPSec protocol. Additionally, the packets are encrypted before being transmitted to their destination. This double encapsulation provides enhanced data security but poses a challenge in terms of connection speed since encapsulating and encrypting each packet and then decapsulating and decrypting them upon arrival takes time. |
3. Operations |
|
| PPTP | L2TP |
| PPTP uses GRE and TCP as transport protocols.
Due to the separation of the control and data streams, PPTP is less efficient than L2TP. PPTP is far less secure than L2TP and features several security vulnerabilities. PPTP leverages MS-CHAPv2, which features low complexity and can thus be brute-forced quickly. While MS-CHAPv2 can be swapped for EAP-TLS, configuring the latter on PPTP is usually difficult. Users can use certificates with PPTP by enforcing EAP-TLS authentication, but that requires certificates on both the client and server sides and entails complicated configuration. PPTP is simpler and easier to use, and faster than L2TP. It also comes with lower overheads and greater cost-effectiveness. PPTP does not need Public Key Infrastructure (PKI). It uses 128-bit encryption. Finally, PPTP can face performance problems on unstable networks and is known to be less firewall-friendly. |
The transport protocol used by L2TP can be TCP or UDP (when paired with IPSec).
Combining the data and control streams, L2TP is more efficient than PPTP. L2TP features greater security than PPTP since it carries out double encapsulation and integrity checks. Additionally, it requires certificates for authentication. When combined with IPSec, L2TP provides end-to-end encryption, provides protection against replay attacks, and ensures data integrity. L2TP uses greater computing resources than PPTP, making it slower. It also comes with higher overheads than PPTP due to its more secure encryption, which slows down performance. L2TP uses PKI in the form of digital certificates. It uses 256-bit encryption. Finally, L2TP offers steady and reliable performance on unstable networks and is known to be more firewall-friendly since most firewalls do not offer GRE support. |
4. Security considerations |
|
| PPTP | L2TP |
| PPTP is widely used as a VPN protocol due to its simple implementation and wide compatibility. However, its security flaws make it unsuitable for applications requiring secure communication.
One of the earliest vulnerabilities spotted in PPTP was the Challenge/Response Authentication Protocol (CHAP), followed closely by the RC4-based MPPE encryption that features easy-to-break encryption keys. PPTP’s hashing algorithms are also easy to crack, putting users at risk of eavesdropping attacks. PPTP implementations can also allow attackers to pose as official servers and become a node for receiving sensitive data. Network managers can also configure PPTP incorrectly, leading to even worse vulnerabilities cropping up. While Microsoft updated PPTP to PPTP v2 to address some CHAP-related issues, passwords remained a core vulnerability, and users continue to stay at risk of password-guessing attacks. Unfortunately, further updates from Microsoft have been scant, and today PPTP is highly susceptible to off-the-shelf eavesdropping and password-hacking tools. However, the security of existing PPTP implementations can be enhanced for certain applications. For instance, switching out MS-CHAP for Extensible Authentication Protocol (EAP-TLS) can enhance security at the cost of performance. However, this may not be viable for all applications since PKI might prove to be too cumbersome. Interestingly, the insecurity of PPTP has played a role in driving the innovation of protocols offering much better protection against cyber threats. OpenVPN is one such protocol that offers 256-bit SSL encryption (as compared to PPTP’s 128-bit encryption). However, these protocols are almost always more difficult to configure and may not fit seamlessly into Linux, macOS, or Windows systems. |
L2TP tunneling is widely seen as an enhancement over PPTP. However, L2TP encryption does not exist by itself, as the protocol does not use any form of intrinsic encryption for anything except its own control messages. As a result, security-conscious internet users tend to avoid using L2TP in isolation.
Instead, L2TP is typically paired with IPSec, a secure protocol that can use AES and other powerful encryption ciphers and double encapsulation to secure user data. Simply put, this configuration first encapsulates traffic just like PPTP and then encapsulates it again via IPSec. Interestingly, speculation exists that L2TP/IPSec has been cracked or at least weakened by the US National Security Agency, a claim substantiated by the likes of former computer intelligence consultant turned whistleblower Edward Snowden. However, such claims should typically not hold merit over the much more prominent security flaws in PPTP. The IPSec and L2TP combination may not be as secure as other protocols, such as OpenVPN, but it is much safer than PPTP and fairly quick. When combined with a reliable, no-log VPN, L2TP/IPSec is a safe enough VPN protocol for most standard applications. In cases requiring extreme data security, users may want to consider an even more secure protocol or a methodology such as VPN cascading. |
5. Pros and cons |
|
| PPTP | L2TP |
| Let’s begin with the advantages of PPTP.
For starters, PPTP is a speedy VPN protocol and is easy to configure and set up on most devices and operating systems. Additionally, the high cross-platform compatibility of the protocol allows for PPTP connections to be established on numerous platforms. PPTP also features lower transmission costs as no additional services (besides an internet connection) are required. In addition, PPTP reduces hardware costs since it allows ISDN cards and modems to be delinked from other servers, meaning fewer devices must be purchased and managed. Finally, PPTP features low administrative overheads since administrators only need to manage the user accounts and remote access server (RAS). The need to manage varying hardware configurations does not arise. However, PTTP does have several disadvantages too. For one, PPTP encryption is low-quality and unsuitable for protecting sensitive data. Another disadvantage is the need for routers equipped with PPTP Passthrough since PPTP does not function natively with NAT. Finally, PPTP connections are easily blocked by firewalls. |
The advantages of L2TP VPN services are manifold.
Strong security, when combined with IPSec, is the most important advantage of L2TP. When Layer 2 Tunneling Protocol works in tandem with IPSec, data security and privacy is all but guaranteed. After all, IPSec encryption is reasonably strong and virtually uncrackable via traditional means. The flexibility of Level 2 networking is another main advantage. L2 connectivity lets companies share infrastructure between varying geographical locations more easily. It also makes it simpler to transfer virtual machine infrastructure among physical devices as required. In addition, unlike PPTP’s limited capability of handling IP tunnels, L2TP can use various tunnel media. However, L2TP does have its disadvantages too. For instance, it might run into problems with firewalls, even if less often than PPTP. This is because L2TP operates on port 500, which has the potential to cause issues when traversing NAT gateways and firewalls. Some applications can require an L2TP passthrough for the transparent transmission of protocols over firewalls. Speed drops due to IPSec are also a known disadvantage, especially due to double encapsulation on VPN connections. Finally, while L2TP is more stable than PPTP, it can still exhibit instability compared to alternative VPN protocols such as OpenVPN. |
See More: What Is a Cloud Contact Center? Definition and Best Practices With Examples
Takeaway
With the top differences between PPTP and L2TP now being clear, it’s important to remember that there is no ‘better’ protocol among the two since the right choice depends on the application.
PPTP may be less secure than L2TP but is faster and easier to deploy. This makes it a good choice for applications with higher speed and convenience on the priority list. On the other hand, L2TP is more stable and secure thanks to stronger encryption and digital certificates. This makes it the ideal choice for applications that require greater reliability at the cost of speed.
Ultimately, both protocols have their advantages and disadvantages. Users must weigh their network’s security and performance needs before deciding.
Did you understand the top differences between PPTP and L2TP? Let us know on Facebook, Twitter, or LinkedIn! We’d love to know what you think.
Image Source: Shutterstock
MORE ON NETWORKING
