Is L2TP a secure VPN?

Is L2TP better than PPTP?

I am a sysadmin, and we are working on converting our entire network to AD.

Our last step is to install our Exchange system. I have tested the functionality of AD (mostly on a Windows XP virtual machine) and that works fine.

So, I would like to have a few users log in from a central location which will be in the cloud and access an Exchange server via Outlook. From there, I want the user to get email and also have the ability to access their files.

Our company uses IPsec for IPSec and all we need is the IPsec tunneling to happen over an L2TP or PPTP network. I know that PPTP allows multiple simultaneous connections as per IP address, and L2TP will not work because it only tunnels one session per remote system at a time, thus making it unusable if you want users to move between remote servers. Can I use L2TP over an IPsec tunnel? Any other suggestions on how to set this up for me? Or will I just need to implement IPsec with my own key exchange (which seems redundant)? We are considering using Kerberos to secure logins and use Windows certificates for authentication. But I think we would need Kerberos on every VPN client.

You can use L2TP/IPSec at the same time, no problems there. But I doubt if it's worth it - unless of course you have a specific need for L2TP over IPSec.

PPTP is easier, so easier to set up (no worries about having to get clients to agree to certain configs, they'll all get stuck into it - but it's easy, and you don't need Kerberos in that case).

Why is PPTP obsolete?

PPTP uses a public/private key exchange.

This provides you with some extra security - if a user is intercepted, the key is exposed and you know the intercepted packet was not legitimate because the key is never exposed. This, however, becomes impossible to use once you have more than one client. Any device on your network can intercept the connection and then send arbitrary packets which cannot be distinguished from normal connections.

When did PPTP become obsolete? It has been for years, it has even been considered a standard part of OpenVPN's codebase since 1.3. However it was a non-standard option as a "stabilization" in 2.

Does PPTP keep state information on clients? Yes, as they are usually used with dynamic IPs, this information will usually be lost if the IP changes. The VPN connections that it maintains will however persist, but no special logic is employed to handle this; anyone will be able to perform an MITM by switching clients.

Does the VPN maintain a persistent session between clients? No, it is designed to always connect to the server.

What does this VPN service do that other VPN services don't do? It doesn't do anything that other VPN services don't.

What are these guys doing that we don't? They are not a VPN service.

Is PPTP encrypted and is there a certificate? PPTP doesn't do encryption by itself - the certificates you're referring to are actually used to connect to the PPTP server. If you have SSH and a PPTP server on your network, you should use either a public key certificate or a smartcard to authenticate your SSH sessions.

Can I pay for VPN services now? I thought that's why people were leaving the forums - to use paid services. How do I add PPTP servers to /etc/pptpd. You just write the server address - usually something like `10.1`.
# For example: # listen 192.168.

Is L2TP outdated?

I was recently asked by a friend of mine if L2TP/IPSec is obsolete.

L2TP/IPSec is not obsolete, but it is getting much less use. The main reason is that the IETF (Internet Engineering Task Force) has approved L2TP over IPSec as a replacement for L2TPv2.

If you are using L2TP/IPSec, then it is definitely outdated. The only reason to use it is to keep the same IP address for more than one session. But if you use IPsec, you can use the same IP address for more than one session and it will work just fine.

The current standard for IPsec is IKE, and it is much easier to implement and uses less resources. It will also protect traffic on both TCP and UDP.

Also, you need to have the correct set of policies set up on the server to handle IPSec, whereas with L2TP/IPSec you have to have the correct set of policies set up on the client to handle L2TP/IPSec. I'm just wondering how long it would take for IKE to become the preferred standard.

That means that anyone still using IPSec is also using old L2TP. Is that right? Are you sure? I thought that there is no difference between them? Can't you use IPsec in conjunction with L2TP/IPSec? But with IKE you have to have a policy set up on both the client and the server to allow/disallow traffic. Isn't that the problem with L2TP/IPSec?
