The End of PPTP and L2TP IPsec VPN Networking in Windows

“This is the end
Beautiful friend
This is the end
My only friend, the end
Of our elaborate plans, the end
Of everything that stands, the end
No safety or surprise, the end
I’ll never look into your eyes…again…”

http://blogs.technet.com/rrasblog/archive/2009/02/10/do-we-still-need-pptp-l2tp-ipsec-after-windows-7.aspx

OK, maybe a little melodramatic, but this blog post really seemed to come out of left field. Actually, it’s not as bad as you might think. The RRAS team just wants to know what the community thinks of removing PPTP and L2TP/IPsec support from operating systems after Windows 7 and Windows Server 2008 R2.

Microsoft clients starting with Windows Vista SP1 support the SSTP VPN protocol, which is superior to PPTP and L2TP/IPsec in terms of usability. Users can be located anywhere, behind NAT and Web proxies, and still connect – not something you see with PPTP and L2TP/IPsec all the time. In addition, beginning with Windows 7, you’ll have access to VPN Reconnect, which is a new VPN protocol that uses IKEv2.

There are some problems with dropping support for these legacy VPN protocols that will need to be solved or addressed:

  • What about non-Windows clients? Will Microsoft create VPN clients that will support SSTP and IKEv2 VPN Reconnect?
  • What about site to site VPNs? Neither IKEv2 (as far as I know) nor SSTP is enabled or supported for site to site VPN configuration.
  • What about site to site VPN connections to Windows Server 2008 R2 and earlier? I expect to see these VPN gateways still being in place for at least the next 5-8 years. If future versions of RRAS remove support for PPTP or L2TP/IPsec, there will need to be some sort of back port of the new site to site VPN protocols, at least for Windows Server 2008.
  • Since ISA and TMG leverage RRAS for VPN connections, updates to at least TMG will need to be made to support the new site to site VPN protocols.

None of these issues are insurmountable. However, it might be better to wait a little longer before retiring these protocols, and let the community know long in advance that this is going to happen, so plans can be made.

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
MVP — Forefront Edge Security (ISA/TMG/IAG)
