Is OpenVPN more secure than L2TP?

Is L2TP outdated?

I'm using a L2TP (tunnel mode) setup with Cisco and Cisco routers. But I recently was told by the Cisco router to stop using the L2TP because it was "outdated". It's very hard to find information on this. I've tried searching for something like this, but there isn't any. Is L2TP obsolete? If so, then what should I use instead?

If you are using the Cisco ISR series of routers then you have to use EAP (or RADIUS) authentication and the Cisco ISR 500 series and Cisco ISR 604 series can't do MD5 hashing and have to use SHA-1 or SHA-256 in some cases. You also have to have an external RADIUS controller and use EAP (or RADIUS) as well.

MitchOct 17 '11 at 13:16. 3 Answers.
First of all, don't assume that Cisco ISR 2024 series routers are "outdated" because they haven't been updated for 4 or 5 years. They work great, they are perfectly suitable for business network and large enterprises (which is probably what you are doing, too).

Second, what "should" you use instead? In almost every case where you need a VPN solution, you need it today, not yesterday. That's simply not possible with current technology. The solutions available today either can't support existing protocols (such as PPTP), aren't available on the platforms that you currently use (IOS, or Linux) or are so immature that you shouldn't consider them.

Some vendors have recently announced new capabilities for L2TP, which might be usable in combination with their own VPN solution. For example: Cisco announced a new L2TP profile in Cisco IOS Software Release 12.1 and later. You can deploy Cisco Secure Mobility Services Engine (Cisco SME) to allow PPPoE as well as other protocols such as Xauth, PPTP, L2TPv3, and GRE. Please note that many of the L2TP functionality was originally intended for deployment with the PPPoE protocol.

There is one thing you can do that may help your case. Use IPv6 wherever possible.

Is OpenVPN more secure than L2TP?

I have VPN's set up on my computers at work.

They all use the windows built in L2TP/IPSec VPN server. However they are not very secure, someone could easily sniff the traffic and determine which device is being used. I've been looking for a more secure solution, and I found OpenVPN, with this feature, OpenVPN provides authentication to the VPN connection via a shared secret (the x-auth password). Is it more secure than L2TP/IPSec? Is it more secure than OpenSSL's TLS?

Also, what about the speed/performance of an OpenVPN connection vs L2TP/IPSec? If there are any articles/comparisons that I missed, please post them here. Thanks. You're right, OpenVPN and SSH can be used as a more secure alternative, but you're looking at it from a single use case and not the broader picture. Your security is much better by moving off of a closed source proprietary VPN product.

RohitSep 2 '10 at 1:37. 1

@Rohit - the problem is, those sites don't mention ssh or openvpn, which would be the "more secure alternative" I've been looking for. I'm looking for the best solution out there, not just the solution that works for me.

MichaelSep 2 '10 at 1:43. 1

@Michael it's more secure to use a tool that's designed for securing your communications than one that wasn't. If OpenVPN and ssh can protect your communications, then its clearly a better option than the MSL2TP/IPSec server since it was not designed for securing your communications.

RohitSep 2 '10 at 1:52. 3

@Rohit, if that was the question I'm asking, then how do you even know it wasnt designed for securing your communications? Because it was done in house? Does that make it more or less secure than any other method available? MichaelSep 2 '10 at 1:56. 1

@Rohit - you're missing the point. If you could find a solution that you're satisfied with, then there's no need to look at alternative solutions. Just make sure that the solution you choose meets your requirements, and you'll be fine.

Which is more secure PPTP or L2TP?

Pptp vs L2tp in a network that's open to the internet is it more secure.

I'm asking this because the client will be on a public network and the server will be connected to the same network. The question comes from a situation where all the computers are on the same network with a public IP address, how does the traffic get routed between the clients and the server. Is it based on IP routing, ARP or other methods?

It's a bit of a mix and match. PPTP v2 is deprecated. L2TP is secure enough that Cisco has made it standard on their Routers. You're good to go.

PPTP v3 and Cisco's L2TPv3 are not. L2TPv3 is secure enough that Cisco has made it standard on their Routers.

This isn't really a question of "how" it's a question of "what" for "who" under "where" and "when". You need to know who the "server" and "client" is (and the subnet mask on the router) and when and where the network is.

The key is that your PPTP connection should not be on a public IP address. The server's IP address should be "local" and within the NAT device. The "client" or "user" should have a "private" IP address on a private or semi-private network.

You can make an argument that PPTP is easier to understand and manage. It's also easier to deploy and you have to buy equipment from Cisco. If it is a standard VPN and they are the only vendor you want to use, then by all means buy Cisco's stuff. The only reason for PPTP is if you can't install Cisco's and you want to. (Theoretically. )
L2TP is fine if you can't or don't want to run a VPN using PPP or L2TP. You'd just deploy the client and the server on a public or semi-public IP and put an IP tunnel up. You'd need to do some routing to get the client to talk to the server.

Is PPTP outdated?

I've noticed that PPTP is being phased out in favor of L2TP/IPsec.

Has anyone else noticed this and does anyone think that PPTP is obsolete? This might be an obvious answer, but I can't find it via googling. I've used both PPTP and L2TP for years now. PPTP has been around longer and I'm still using it. Nowadays, if you need the encryption or need to be "secure", PPTP is the way to go. L2TP isn't nearly as good at encryption and security.

We're switching to L2TP/IPSec at my company because the cost to upgrade our LANs to support IPSec is too high, but the cost to upgrade our client machines to support PPTP is significantly less than upgrading our network equipment. We can't upgrade our clients unless we want to support PPTP as well.

Personally, I see PPTP as a fallback solution, but the reason it's being replaced is more than just cost. The new PPTP implementation, Windows Vista's IPsec settings, and the Windows Network Library are all better than PPTP, and a newer version of PPTP won't make any of those better.

I also see it as a fallback. It's been around for a long time, it's easy to configure, and it works with VPN clients from just about every major OS. It also doesn't require much of a change to the network to support, you just have to turn off PPTP on the server side.

PPTP is still used by small businesses and SOHO (small office home office) type applications because it's easy to set up. Once you have PPTP set up it works.

Related Answers

Is PPTP outdated?

Is it free or what? PPTP VPN, PPTP VPN. PPTP (Point-to-Point T...

What are the weaknesses of PPTP?

If you're connecting to remote computer or other networks, you can turn off PPTP to...

Should I enable PPTP VPN server?

I have to choose between PPTP and L2TP/IPSec VPN. PPTP is much lig...