There are many different types of Virtual Private Networks (VPN) available today. First, there is a large difference between home/personal and business/enterprise VPN. For more information on that particular subject, visit the “What is VPN?” page.
This page will focus on the various types of VPN protocols that are offered by the many VPN service providers. By understanding the various VPN protocols, you can differentiate the different types of VPN. You will also be better able to decide which VPN protocol is right for you.
First some quick background: The internet uses what is know as the “PPP” protocol for remote access (Point-to-Point Protocol). The technology behind VPN allows for the incorporation of additional functionality into PPP. This additional functionality essentially creates the different VPN protocols, such as PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer-2 Tunneling Protocol), and IPSec (IP Security Protocol).
The various VPN protocols are designed to cater to different user requirements. Some protocols are more secure than others. Some protocols are new, while others are old. Some protocols cater to remote access VPN connections from mobile users or branch offices that use a local ISP. Other protocols cater to communication between ‘LAN-to-LAN’. PPTP, L2TP and L2F (Layer Two Forwarding) have been developed for dial-up VPN’s, whereas IPSec caters to ‘LAN-to-LAN’ solutions.
Below you will find descriptions of each of the various VPN Protocols:
PPTP (Point-to-Point Tunneling Protocol)
PPTP is generally known as the least secure option for VPN, but it is often the easiest to setup and the most widely used. It is also very popular for use on mobile devices such as smart phones (iPhone, Android, etc.) PPTP is one of VPN’s first protocols built on PPP to provide remote access for VPN solutions. PPTP encapsulates PPP packets using GRE (Generic Routing Protocol). GRE was modified to give PPTP the flexibility of handling protocols other than IP, like IPX (Internet Packet Exchange), and NetBEUI (Network Basic input/output system Extended User Interface). PPTP uses authentication mechanisms within PPP, i.e. PAP-Password Authentication Protocol. Various other authentication and security mechanism have been developed by Microsoft, and others, and they are utilized in its Operating System software. PPTP is included by default in Windows XP/Vista/7 and Mac OSX. PPTP on it’s own, is unencrypted. However, if the user adds and configures encryption, then a VPN using PPTP can become more secure.
L2F (Layer Two Forwarding Protocol)
L2F was essentially designed to tunnel data from corporate sites to their respective users. This protocol is primarily implemented in CISCO products (such as routers and switches). It differs from PPTP because it does not depend on IP. L2F accepts other authentication mechanisms and allows tunnels to support more than one connection. L2F uses PPP for the authentication of a remote user. The authentication is done twice, once at the ISP, and the second at the gateway to the connecting LAN. L2F is of course a Layer-2 protocol, and therefore handles IPX and NetBEUI as well. L2F is generally not seen in the market for personal or home use, however L2F is generally considered “version 1″ of the much more popular protocol type: L2TP.
L2TP (Layer Two Tunneling Protocol)
L2TP is one of the most popular types of VPN, and is more secure than PPTP. The best features of PPTP and L2F were combined to form L2TP. It exists in the second layer (data link) of the OSI (Open Systems Interconnect) model, which is how it got its namesake – L2TP. L2TP transport is defined for packet media, Frame relay, ATM and X.25 (Standard for packet switching networks defining layers 1, 2 and 3 of the OSI model). It has its own tunneling protocol and uses PPP’s PAP and other advanced mechanisms for authentication. Its encryption method is based on that of IPSec. L2TP can be found on many popular smartphones, such as those sporting the Android OS. L2TP is a very popular offering amongst VPN service providers because it is more secure than PPTP and better suited for most user applications.
IPSec (Internet Protocol Security)
IPSec is a complete VPN protocol solution. Existing in the third layer of the OSI model it uses the IKE (Internet Key Exchange) to exchange and manage cryptographic keys used in a data encryption session. IPSec uses a number of encryption technologies to provide confidentiality and data integrity. Users can choose between which encryption technology they prefer (AES, Blowfish, etc.) IPSec allows the sender to authenticate/encrypt or authenticate AND encrypt each IP packet. For this it uses two modes either of which can be chosen dependent of situations of security and traffic. The first mode is a Transport Mode for authentication and encryption of the transport segment of an IP packet. The second mode is a Tunnel Mode for authenticating and encrypting the entire IP packet. Since L2TP has it’s encryption method based on IPSec, the two are generally combined together, and the VPN type is normally known as “L2TP/IPSec”.
OpenVPN is actually a software application, and not a traditional “protocol”. However, providers that offer “OpenVPN” services differentiate it from their other VPN protocols, for good reason. The OpenVPN application is free and open source software that implements VPN techniques for creating secure point-to-point or site-to-site connections. OpenVPN uses SSL/TLS security for encryption and is capable of traversing NATs (Network Address Translators) and firewalls. The SSL/TLS security can be seen as one key differentiator between OpenVPN and the other VPN types. Many VPN providers utilize OpenVPN and offer “very high bit” encryption – sometimes upwards of 2048 bit encryption. They are able to offer this type of encryption because OpenVPN utilizes SSL/TLS, and the OpenSSL encryption library. This gives them the ability to use many different types of encryption for the VPN connection. In addition to the ability to use SSL/TLS, providers can easily customize the OpenVPN application to suit their own needs. They can add features or functions to the VPN service, by customizing the OpenVPN software. Providers that offer OpenVPN service will either require clients to use the OpenVPN software application, or the provider will utilize their own proprietary software application. In some instances, providers use the default OpenVPN application, and only provide certificates and configuration files for the client to install. In other cases providers make extensive customizations to the OpenVPN application, and offer their customized OpenVPN application available for download from their website.
SSTP (Secure Socket Tunneling Protocol)
SSTP is a new tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that otherwise might block PPTP and L2TP/IPsec traffic. This is especially common in some overseas countries such as Oman, UAE, Saudi Arabia, China, and others. By utilizing HTTPS, SSTP essentially disguises itself as a regular HTTPS session, which is unblocked. The user is thus able to defeat any VPN restrictions imposed at the ISP or service provider level. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking. When a client tries to establish a SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload.