VPN protocols supported by Windows 7
VPNs allow users to make secure connections to remote networks over the Internet. A VPN creates a secure tunnel through which specific authorized users on the Internet can reach internal corporate resources such as shared folders, printers and databases. In Windows 7 you can configure a connection to use a specific VPN protocol or let Windows choose one automatically. By default, Windows 7 sets the VPN type to Automatic.
The VPN protocols supported by Windows 7 are:
PPTP – Windows 7 uses PPTP to support incoming VPN connections. PPTP VPNs are the least secure form of VPN and also the most commonly used. PPTP VPNs do not require a PKI (Public Key Infrastructure) but can use the MS-CHAP, MS-CHAPv2, EAP and PEAP authentication protocols. PPTP connections provide data confidentiality but do not provide data integrity or data origin authentication. PPTP uses TCP port 1723 for its control channel and GRE (IP protocol 47) for the tunnelled data; because GRE carries no port numbers for a NAT device to translate, not all NAT devices can pass PPTP, especially older devices.
L2TP/IPsec – L2TP/IPsec VPN connections are more secure than PPTP. L2TP/IPsec provides data origin authentication, data integrity, replay protection and data confidentiality. The IPsec layer authenticates the two machines with either digital certificates or a pre-shared key (user authentication still happens over PPP inside the tunnel), and most VPN solutions support L2TP/IPsec. A pre-shared key is easier to deploy, but it is shared by every client of that server, so certificates are the stronger choice. IPsec negotiates with IKE on UDP port 500 and carries the L2TP traffic in ESP (IP protocol 50), which NAT devices cannot translate, so both the client and the server need to support IPsec NAT Traversal (NAT-T, which wraps ESP in UDP port 4500) to use L2TP/IPsec behind a NAT device. Windows 7, Windows Server 2003 and Windows Server 2008 support NAT-T.
SSTP – SSTP VPN tunnels use TCP port 443, which makes them reachable through almost any firewall that allows basic web access, unlike the other VPN protocols. SSTP works by encapsulating PPP traffic in the SSL channel of an HTTPS session. SSTP supports data origin authentication, data integrity, replay protection and data confidentiality. It is important to note that SSTP cannot be used through a web proxy that requires authentication.
IKEv2 – IKEv2 is a new VPN protocol introduced with Windows 7 (and Windows Server 2008 R2) and not available in earlier versions of Windows. IKEv2 supports IPv6 and the new VPN Reconnect feature. IKEv2 supports EAP and certificates for client-side authentication, including Microsoft Protected EAP (PEAP), Microsoft Secured Password (EAP-MSCHAP v2) and Microsoft Smart Card or Other Certificate. On the other hand, IKEv2 does not support PAP, CHAP or MS-CHAPv2 (without EAP) as authentication protocols. IKEv2 supports data origin authentication, data integrity, replay protection and data confidentiality. IKEv2 uses UDP port 500, and UDP port 4500 when NAT Traversal is in use.
The following are some data protection terms used in this post:
Data confidentiality – encrypts data so that it cannot be read by attackers while in transit.
Data integrity – exposes any data modifications done by an attacker while data is in transit.
Replay protection – prevents an attacker who has captured traffic from re-transmitting it later and having it accepted as new.
Data origin authentication – verifies that a message actually originates from the claimed sender, rather than from an attacker impersonating that sender.
VPN reconnect – allows clients running Windows 7 to reconnect automatically to a lost VPN session.
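The protocol-by-protocol caveats above (PPTP needing GRE through NAT, IPsec needing NAT-T, SSTP riding TCP 443) and the data protection properties listed here can be combined into a small decision helper: given what a network lets out, which of the four Windows 7 VPN protocols can connect at all, and which of those meet a required set of properties. The following Python script is an added example and is not part of the original post. The networks it evaluates are constructed sample data; the transport assignments for PPTP (TCP 1723 plus GRE, IP protocol 47) and for L2TP/IPsec and IKEv2 (UDP 500, UDP 4500 for NAT-T, ESP as IP protocol 50) are added here beyond what the post states; the security properties per protocol are exactly the ones the post lists.

```python
"""Added example (not from the original post): which Windows 7 VPN
protocols can connect from a given network, and which of those meet a
required set of security properties.

All networks below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """One kind of outbound traffic a firewall or NAT device must permit."""
    proto: str    # "tcp", "udp", or "ip" for a raw IP protocol (no port)
    number: int   # TCP/UDP port, or IP protocol number when proto == "ip"


GRE = Flow("ip", 47)       # PPTP's tunnel carrier; no port for NAT to map
ESP = Flow("ip", 50)       # IPsec payload when no NAT is in the path
IKE = Flow("udp", 500)     # IKE negotiation for L2TP/IPsec and IKEv2
NAT_T = Flow("udp", 4500)  # ESP wrapped in UDP so it can cross NAT

# Data protection properties per protocol, as listed in the post.
PROPERTIES = {
    "PPTP": {"confidentiality"},
    "L2TP/IPsec": {"confidentiality", "integrity", "replay_protection", "origin_auth"},
    "SSTP": {"confidentiality", "integrity", "replay_protection", "origin_auth"},
    "IKEv2": {"confidentiality", "integrity", "replay_protection", "origin_auth"},
}


@dataclass
class Network:
    """Constructed description of the client's egress path."""
    allowed: Set[Flow]
    behind_nat: bool
    nat_passes_gre: bool = False   # NAT device has PPTP/GRE pass-through
    nat_t_supported: bool = True   # both VPN client and server do NAT-T


def required_flows(protocol: str, net: Network) -> Optional[Set[Flow]]:
    """Flows that must be allowed for `protocol` from `net`, or None when
    the protocol cannot work on that path at all."""
    if protocol == "PPTP":
        if net.behind_nat and not net.nat_passes_gre:
            return None              # the NAT device cannot forward GRE
        return {Flow("tcp", 1723), GRE}
    if protocol in ("L2TP/IPsec", "IKEv2"):
        if net.behind_nat:
            if not net.nat_t_supported:
                return None          # ESP cannot cross NAT without NAT-T
            return {IKE, NAT_T}
        return {IKE, ESP}
    if protocol == "SSTP":
        return {Flow("tcp", 443)}    # plain HTTPS as far as the firewall can tell
    raise ValueError(f"unknown protocol {protocol!r}")


def usable_protocols(net: Network, required: Set[str] = frozenset()) -> List[str]:
    """Protocols that offer every property in `required` and whose flows
    the network permits, sorted by name."""
    result = []
    for name, props in PROPERTIES.items():
        if not required <= props:
            continue
        flows = required_flows(name, net)
        if flows is not None and flows <= net.allowed:
            result.append(name)
    return sorted(result)


# Constructed sample networks.
HOTEL_WIFI = Network(allowed={Flow("tcp", 80), Flow("tcp", 443)}, behind_nat=True)
NAT_OFFICE = Network(
    allowed={Flow("tcp", 1723), Flow("tcp", 443), IKE, NAT_T},
    behind_nat=True,                 # consumer router, no GRE pass-through
)
PUBLIC_IP = Network(
    allowed={Flow("tcp", 1723), Flow("tcp", 443), IKE, NAT_T, GRE, ESP},
    behind_nat=False,
)

if __name__ == "__main__":
    for label, net in [("hotel wifi", HOTEL_WIFI), ("NAT office", NAT_OFFICE), ("public IP", PUBLIC_IP)]:
        print(f"{label:11} any protocol:        {usable_protocols(net)}")
        print(f"{label:11} integrity required:  {usable_protocols(net, {'integrity'})}")
```

From the hotel network only SSTP survives, because TCP 443 is all that is open; behind the office router PPTP drops out for lack of GRE pass-through even though TCP 1723 is allowed; and asking for data integrity removes PPTP everywhere, which is the practical consequence of the properties listed above.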
Guys – where you have "IKEv2 does not support POP, CHAP or MS-CHAPv2 (without EAP)", shouldn't that be PAP, not POP? Thx.
Thanks, MJ, for the feedback.