Differences Between PPTP, L2F, and L2TP

L2TP combines the best features of PPTP and L2F and allows for either client-initiated or remote access switch-initiated L2TP connections. You can use L2TP in any situation where you might use PPTP or L2F. It can still use the same authentication protocols as the others, including PAP, CHAP, and MS-CHAP. IPSec is the recommended encryption mechanism for L2TP. Although L2TP was expected to replace PPTP, Microsoft has chosen to continue providing PPTP in Windows NT 5.0 for those who do not wish to maintain the public key infrastructure required for IPSec.

PPTP is available on currently shipping versions of Windows NT Server 4.0 and Windows NT Workstation 4.0 as part of Remote Access Services (RAS)—NT's dial-up networking software. Microsoft's PPTP support for Windows 95 is included in their Dial-Up Networking Upgrade Version 1.3. Microsoft has also released LAN-to-LAN PPTP connections for Windows NT in their Routing and Remote Access software (codenamed Stronghold), as part of the Windows NT Option Pack. PPTP support is included in Windows 98. Microsoft Windows NT 5.0 will also support PPTP connections.

A Macintosh PPTP client is available from Network TeleSystems (http://www.nts.com). Called TunnelBuilder, it offers full PPTP support, including NT domain login and data encryption. Network TeleSystems (NTS) also has a version of TunnelBuilder for Windows 95, Windows 98, Windows for Workgroups, and Windows 3.1. Since Microsoft doesn't plan on supporting PPTP on down-level versions of Windows, this allows users with legacy systems to run PPTP. The NTS Windows clients support L2TP. In addition, Linux is now capable of supporting PPTP.

There are also a number of hardware devices that support PPTP out of the box. These devices are known variously as remote access servers, remote hubs, terminal servers, and remote access switches.
In this chapter, we will refer to them simply as remote access switches, because that term is prevalent in the industry and best describes what they do. There are a number of remote access switches that support PPTP, among them Ascend's MAX line, the 3Com/U.S. Robotics Total Control line, and ECI Telematics' Nevada. These are typical brands used in ISP points-of-presence and corporate networks to terminate modem and ISDN calls. PPTP is included as part of all of these products free of charge—no additional activation fees are required. There are also some hardware devices that act as PPTP servers, but do not operate as a standard remote access switch. Examples of these are the Bay Networks Extranet Switch and the NTS TunnelMaster.

L2F is supported by Cisco in their IOS software for their routers. Other vendors, such as Nortel and Shiva, also support L2F. L2TP is supported in Cisco IOS 11.3(5)AA and later. In addition, many other hardware devices support it. Microsoft will include L2TP support in Windows NT 5.0. Because PPTP, L2F, and L2TP operate similarly, we will concentrate on PPTP and L2TP.

4.2 How PPTP Works

As a tunneling protocol, PPTP encapsulates network protocol datagrams within an IP envelope. After the packet is encapsulated, any router or machine that encounters it from that point on will treat it as an IP packet. The benefit of IP encapsulation is that it allows many different protocols to be routed across an IP-only medium, such as the Internet.

The first thing to understand about PPTP is that it revolves around Microsoft RAS for Windows NT. RAS allows a network administrator to set up a Windows NT server with a modem bank as a dial-in point for remote users. Authentication for the RAS users takes place on the NT server, and a network session is set up using the PPP protocol. Through the PPP connection, all of the protocols allowed by RAS can be transported: TCP/IP, NetBEUI, and IPX/SPX. To the RAS users it appears as though they're directly connected to the corporate LAN; they notice no difference between RAS through direct dial-in and RAS over the Internet.

PPTP was designed to allow users to connect to a RAS server from any point on the Internet and still have the same authentication, encryption, and corporate LAN access they'd have from dialing directly into it. Instead of dialing into a modem connected to the RAS server, the end users dial into their ISPs and use PPTP to set up a call to the server over the Internet. PPTP and RAS use authentication and encryption methods to create a virtual private network. There are two common scenarios for this type of VPN: in the first, a remote user is dialing into an ISP with a PPTP-enabled remote access switch that connects to the RAS server; in the second, the user is connecting to an ISP that doesn't offer PPTP, and must initiate the PPTP connection on their client machine.
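The "IP envelope" described above can be made concrete by building and then peeling apart one PPTP data packet. This is an added example, not code from the chapter or from any PPTP implementation; it relies on a detail the chapter does not state here, namely that PPTP carries its PPP frames inside GRE (IP protocol 47) using the enhanced GRE header of RFC 2637, and the client address 192.0.2.10, call ID and sequence number are constructed sample values. Only the outer IP header is visible to routers along the way; the PPP protocol field inside tells the tunnel endpoint whether IP, IPX or NetBEUI is being carried.

```python
import struct

GRE_PROTO = 47            # IP protocol number for GRE, the carrier PPTP uses
PPP_IN_GRE = 0x880B       # GRE protocol type for a PPP payload (RFC 2637)
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI", 0x00FD: "compressed (MPPE)"}

def build_pptp_data_packet(src, dst, call_id, seq, ppp_proto, inner):
    """Outer IPv4 header + enhanced GRE header + PPP frame. Constructed sample only:
    no IP checksum is computed and the optional acknowledgment field is omitted."""
    ppp = b"\xff\x03" + struct.pack("!H", ppp_proto) + inner   # HDLC addr/ctrl, PPP protocol, datagram
    # first byte 0x30 = K (call ID present) | S (sequence number present); second byte 0x01 = GRE version 1
    gre = struct.pack("!BBHHHI", 0x30, 0x01, PPP_IN_GRE, len(ppp), call_id, seq)
    total = 20 + len(gre) + len(ppp)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, GRE_PROTO, 0, src, dst)
    return outer + gre + ppp

def parse_pptp_data_packet(pkt):
    """Peel the envelope the way a tunnel endpoint would, reporting what each layer says."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer IP protocol is not GRE; not a PPTP data packet")
    flags, verbyte, ptype, plen, call_id = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if (verbyte & 0x07) != 1 or ptype != PPP_IN_GRE:
        raise ValueError("GRE header is not PPTP's enhanced GRE carrying PPP")
    off = ihl + 8
    seq = ack = None
    if flags & 0x10:                       # S bit: 32-bit sequence number follows
        seq = struct.unpack("!I", pkt[off:off + 4])[0]; off += 4
    if verbyte & 0x80:                     # A bit: 32-bit acknowledgment number follows
        ack = struct.unpack("!I", pkt[off:off + 4])[0]; off += 4
    ppp = pkt[off:off + plen]
    if ppp[:2] == b"\xff\x03":             # HDLC address/control bytes, if the sender kept them
        ppp = ppp[2:]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    return {
        "outer_src": ".".join(map(str, pkt[12:16])), "outer_dst": ".".join(map(str, pkt[16:20])),
        "call_id": call_id, "seq": seq, "ack": ack,
        "ppp_protocol": PPP_PROTOCOLS.get(ppp_proto, hex(ppp_proto)), "inner": ppp[2:],
    }

def demo():
    # Constructed sample: a tunneled IPv4 header 10.0.0.5 -> 10.0.0.1 (UDP) with no payload,
    # sent from a client at 192.0.2.10 to the RAS server at 2.1.1.60 over PPTP call 7.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 17, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    pkt = build_pptp_data_packet(bytes([192, 0, 2, 10]), bytes([2, 1, 1, 60]), 7, 1, 0x0021, inner)
    return parse_pptp_data_packet(pkt)

if __name__ == "__main__":
    print(demo())
```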

4.2.1 Dialing into an ISP That Supports PPTP

Dialing into an ISP that supports PPTP requires three things:

• The network with which you want to establish a VPN must have a PPTP-enabled Windows NT 4.0 RAS server. By PPTP-enabled we mean that the PPTP protocol is installed and there are VPN dial-up ports set up in RAS. The server must also be accessible from the Internet.

• Your ISP must use a remote access switch that supports PPTP, such as the Ascend MAX 4000 series or a U.S. Robotics Total Control Enterprise Network Hub. Together, these two products make up a significant portion of the ISP dial-up hardware market.

• Your ISP has to actually offer the PPTP service to users, and must enable it for your account.

To offer a typical scenario, a central corporate office in Denver has set up a Windows NT 4.0 server running PPTP and RAS. A sales manager named Sara N. is at a conference in Atlanta, and wants to dial into the corporate network to check her email and copy a presentation from her desktop machine. Her remote system is a Windows 95 laptop computer with a 28.8Kbps modem. She's obviously out of the local dialing area of her office, but has an account through a national ISP that supports PPTP through their U.S. Robotics remote access switches. The ISP was told the IP address of the RAS server at Sara N.'s corporate office, and has added it to her user profile. The IP address is 2.1.1.60. When the sales manager dials into her PPTP-enabled ISP, the following events occur:

1. Sara N. initiates a call into her ISP's POP using Microsoft's Dial-Up Networking. She logs in with her username, saran. Doing so starts a PPTP session between the ISP's remote access switch and the corporate office's NT server, whose IP address is specified in Sara N.'s user profile as 2.1.1.60.