
PPTP ports and the PPTP protocol. What a PPTP connection is

PPTP (Point-to-Point Tunneling Protocol) is a point-to-point (node-to-node) tunneling protocol that lets a computer establish a secure connection to a server by creating a tunnel across an insecure network.

PPTP encapsulates PPP frames in IP packets for transmission over a global IP network such as the Internet. PPTP can also be used to establish a tunnel between two local area networks. PPTP uses an additional TCP connection to manage the tunnel.

This protocol is less secure than IPsec. PPTP works by establishing a regular PPP session with the peer using Generic Routing Encapsulation (GRE). A second connection, on TCP port 1723, is used to initiate and control the GRE connection. PPTP is difficult to forward through a firewall because it requires two network sessions to be established at the same time. PPTP traffic can be encrypted using MPPE. Various mechanisms can be used to authenticate clients, such as MS-CHAPv2 and EAP-TLS.

Protocol security and reliability

  • MS-CHAP v1 is completely insecure. There are utilities that easily extract password hashes from an intercepted MS-CHAP v1 exchange;
  • MS-CHAP v2 is vulnerable to a dictionary attack on intercepted challenge-response packets, and programs exist that automate this;
  • In 2012 it was shown that the complexity of recovering the MS-CHAP v2 key is equivalent to brute-forcing a DES key, and an online service was presented that can recover the key in 23 hours;
  • When MS-CHAP v1 is used, MPPE uses the same RC4 session key to encrypt traffic in both directions. The standard technique is therefore to XOR the streams from the two directions together, which lets a cryptanalyst recover the key;
  • MPPE uses the RC4 stream cipher for encryption. There is no method for authenticating the ciphertext stream, so it is vulnerable to a bit-flipping attack: an attacker can change individual bits of the outgoing stream without any risk of being detected. This bit flipping can be caught by protocols that verify a checksum or integrity tag.
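The last two points are properties of any stream cipher used without integrity protection, and the following added example shows both of them (it is illustration written for this page, not MPPE or Microsoft code). RC4 is implemented inline so the block runs stand-alone; the message, key and the "tag" construction (HMAC-SHA256 over the ciphertext) are assumptions chosen for the demo, not anything MPPE actually does. Flipping a ciphertext bit flips the same plaintext bit after decryption, an integrity tag makes that detectable, and reusing one keystream for two messages leaks their XOR.

```python
"""Malleability of an unauthenticated stream cipher, and detection with a MAC.
Added illustration for the page; RC4 and sample data are constructed inline."""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output length (assumption for this demo)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 key scheduling plus PRGA. Demo only; RC4 is obsolete."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def tamper_byte(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Model of an on-path modification: XOR one ciphertext byte with mask.
    Without a MAC the receiver decrypts this to a silently altered plaintext."""
    c = bytearray(ciphertext)
    c[offset] ^= mask
    return bytes(c)


def seal(key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC over the ciphertext (encrypt-then-MAC)."""
    ct = encrypt(key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; return None when tampering is detected."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(key, ct)


def keystream_reuse_leak(key: bytes, msg_a: bytes, msg_b: bytes) -> bytes:
    """Same keystream on two messages: XOR of ciphertexts equals XOR of plaintexts,
    so the keystream cancels out and nothing about the key is needed to relate them."""
    return xor_bytes(encrypt(key, msg_a), encrypt(key, msg_b))


# Constructed sample data for the demo.
KEY = b"demo-session-key"
MAC_KEY = b"demo-mac-key"
MSG = b"transfer 100 to account 42"

if __name__ == "__main__":
    ct = encrypt(KEY, MSG)
    print(decrypt(KEY, tamper_byte(ct, 9, 0x08)))      # '1' (0x31) becomes '9' (0x39)
    print(open_sealed(KEY, MAC_KEY, tamper_byte(seal(KEY, MAC_KEY, MSG), 9, 0x08)))
    print(keystream_reuse_leak(KEY, b"abc", b"abd"))
```

Run as a script: the first line shows the altered amount decrypting cleanly, the second prints `None` because the HMAC check fails, and the third shows that the two ciphertexts differ exactly where the plaintexts differ.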

Structure

Figure 1 shows the structure of a PPTP packet. In general there is nothing special about it: the PPP frame and the GRE header are encapsulated in an IP packet.

Briefly about GRE: it is a tunneling protocol that operates at layer 3 of the OSI model. Its function is to encapsulate network-layer packets of the OSI model into IP packets.

Tunneling involves three protocols:

  • passenger: the encapsulated protocol (IP, CLNP, IPX, AppleTalk, DECnet Phase IV, XNS, VINES and Apollo);
  • encapsulation protocol (GRE);
  • transport protocol (IP).

The header takes 4 bytes (Fig. 2) and consists of 2 parts:

1) bytes 1-2: flags:

- Checksum Present: bit 0; if set to 1, the GRE header contains the optional Checksum field;

- Key Present: bit 2; if set to 1, the GRE header contains the optional Key field;

- Sequence Number Present: bit 3; if set to 1, the GRE header contains the optional Sequence Number field;

- Version Number: bits 13-15. This field indicates the version of the GRE implementation. The value 0 is normally used for GRE; the Point-to-Point Tunneling Protocol (PPTP) uses version 1.

2) bytes 3-4: contain the protocol type (EtherType) of the encapsulated packet.

MTU

An equally important question for the protocol is the MTU.

A PPTP packet is payload + PPP header + GRE header + IP header. With an Ethernet MTU of 1500 bytes, an IP header of 20 bytes and a GRE header of 4 bytes, that gives 1500 - 20 - 4 = 1476 bytes.
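The header layout above and the MTU arithmetic are easy to get wrong in practice because the optional fields change the header length, so here is an added Python parser that reads the 4-byte base header, the optional fields the flag bits announce, and (going beyond the page's version 0 description) the version 1 layout that PPTP uses, where the Key field carries a payload length and call ID, there is no checksum, and an acknowledgement number may follow the sequence number (that layout is from RFC 2637, not from this page). The sample packets are constructed for the demo; the code is illustration, not any project's implementation. The MTU helper reproduces the page's 1476 figure and shows how the parsed header length and a PPP header lower it further.

```python
"""GRE header parser (version 0 and PPTP's version 1) plus tunnel-MTU arithmetic.
Added example for this page; packets below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits, numbered from the most significant bit of the 16-bit flags word.
GRE_FLAG_CHECKSUM = 0x8000   # bit 0: C
GRE_FLAG_KEY = 0x2000        # bit 2: K
GRE_FLAG_SEQUENCE = 0x1000   # bit 3: S
GRE_FLAG_ACK = 0x0080        # bit 8: A, defined only for version 1 (RFC 2637)
GRE_VERSION_MASK = 0x0007    # bits 13-15
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPP = 0x880B       # protocol type PPTP puts in its GRE v1 header


@dataclass
class GreHeader:
    version: int
    protocol_type: int
    header_len: int          # total bytes consumed, including optional fields
    checksum: Optional[int] = None
    key: Optional[int] = None
    sequence: Optional[int] = None
    payload_len: Optional[int] = None  # version 1 only
    call_id: Optional[int] = None      # version 1 only
    ack: Optional[int] = None          # version 1 only


def parse_gre(buf: bytes) -> GreHeader:
    """Parse a GRE header from the start of buf and report its real length."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack_from("!HH", buf, 0)
    version = flags & GRE_VERSION_MASK
    hdr = GreHeader(version=version, protocol_type=proto, header_len=4)
    off = 4

    def take(fmt: str):
        nonlocal off
        size = struct.calcsize(fmt)
        if len(buf) < off + size:
            raise ValueError("truncated optional field")
        val = struct.unpack_from(fmt, buf, off)
        off += size
        return val

    if version == 0:
        if flags & GRE_FLAG_CHECKSUM:
            hdr.checksum, _reserved1 = take("!HH")
        if flags & GRE_FLAG_KEY:
            (hdr.key,) = take("!I")
        if flags & GRE_FLAG_SEQUENCE:
            (hdr.sequence,) = take("!I")
    elif version == 1:
        # PPTP's enhanced GRE: K must be set, C must not, protocol is PPP.
        if not (flags & GRE_FLAG_KEY) or (flags & GRE_FLAG_CHECKSUM) or proto != ETHERTYPE_PPP:
            raise ValueError("malformed GRE v1 (PPTP) header")
        hdr.payload_len, hdr.call_id = take("!HH")
        if flags & GRE_FLAG_SEQUENCE:
            (hdr.sequence,) = take("!I")
        if flags & GRE_FLAG_ACK:
            (hdr.ack,) = take("!I")
    else:
        raise ValueError(f"unsupported GRE version {version}")

    hdr.header_len = off
    return hdr


def tunnel_mtu(link_mtu: int = 1500, ip_header: int = 20,
               gre_header: int = 4, ppp_header: int = 0) -> int:
    """Largest payload that fits: link MTU minus every encapsulation header."""
    return link_mtu - ip_header - gre_header - ppp_header


# Constructed sample headers.
PLAIN_GRE_IPV4 = bytes.fromhex("0000 0800")
GRE_KEY_SEQ = bytes.fromhex("3000 0800 0000002a 00000005")
# PPTP: K|S|A|version 1 = 0x3081, proto 0x880B, length 64, call 1, seq 7, ack 3
PPTP_GRE = bytes.fromhex("3081 880b 0040 0001 00000007 00000003")

if __name__ == "__main__":
    for pkt in (PLAIN_GRE_IPV4, GRE_KEY_SEQ, PPTP_GRE):
        h = parse_gre(pkt)
        print(h, "-> MTU", tunnel_mtu(gre_header=h.header_len))
```

The page's 1500 - 20 - 4 = 1476 holds only for a bare version 0 header; the PPTP sample parses to a 16-byte header, and a 2-byte PPP header on top of that drops the usable payload to 1462 bytes, which is why PPTP interfaces are usually configured with an MTU well below 1500.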

Control messages

PPTP communication is based on a PPTP control connection: a sequence of control messages that establish and maintain the tunnel. A full PPTP connection consists of only one TCP/IP connection, which requires echo messages to be sent to keep it open while transactions are in progress. The control messages and their meanings are shown in Figure 3 below.
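To make the control connection concrete, here is an added Python example (illustration for this page, not code from any PPTP implementation) that parses the fixed 12-byte header every control message carries on TCP port 1723, splits a captured byte stream into messages, and builds the Echo-Request and Echo-Reply keepalives the text mentions. The header layout, the magic cookie 0x1A2B3C4D and the message-type names are taken from RFC 2637; the byte stream is constructed for the demo.

```python
"""PPTP control-connection message parsing (RFC 2637 layout).
Added example for this page; sample stream is constructed inline."""
import struct
from typing import List, NamedTuple

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_CONTROL = 1          # "PPTP Message Type" field: 1 = control message
HEADER_LEN = 12               # Length, Message Type, Magic Cookie, Control Type, Reserved0

CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


class PptpControlHeader(NamedTuple):
    length: int
    control_type: int
    name: str


def parse_control_header(buf: bytes) -> PptpControlHeader:
    """Validate and decode the common header at the start of buf."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short PPTP control header")
    length, msg_type, cookie, ctrl_type, _reserved0 = struct.unpack_from("!HHIHH", buf, 0)
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie: stream is desynchronised or not PPTP")
    if msg_type != PPTP_MSG_CONTROL:
        raise ValueError(f"unexpected PPTP message type {msg_type}")
    if length < HEADER_LEN or length > len(buf):
        raise ValueError("length field does not fit the data")
    return PptpControlHeader(length, ctrl_type, CONTROL_MESSAGE_NAMES.get(ctrl_type, "Unknown"))


def split_control_stream(stream: bytes) -> List[PptpControlHeader]:
    """Walk a captured TCP/1723 byte stream and return one header per message."""
    msgs, off = [], 0
    while off < len(stream):
        hdr = parse_control_header(stream[off:])
        msgs.append(hdr)
        off += hdr.length
    return msgs


def build_echo_request(identifier: int) -> bytes:
    """Echo-Request: common header + 4-byte Identifier (16 bytes total)."""
    return struct.pack("!HHIHHI", 16, PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE, 5, 0, identifier)


def build_echo_reply(identifier: int, result_code: int = 1, error_code: int = 0) -> bytes:
    """Echo-Reply: Identifier, Result Code, Error Code, Reserved1 (20 bytes total)."""
    return struct.pack("!HHIHHIBBH", 20, PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE, 6, 0,
                       identifier, result_code, error_code, 0)


def echo_identifier(msg: bytes) -> int:
    """Identifier field shared by Echo-Request and Echo-Reply, used to pair them."""
    return struct.unpack_from("!I", msg, HEADER_LEN)[0]


# Constructed keepalive exchange as it would appear on the control connection.
SAMPLE_STREAM = build_echo_request(0x1234) + build_echo_reply(0x1234)

if __name__ == "__main__":
    for m in split_control_stream(SAMPLE_STREAM):
        print(m)
```

A monitoring tool that sees the control connection but no GRE traffic, or Echo-Requests that never receive a matching-identifier Echo-Reply, is looking at exactly the failure mode the NAT section later in this page describes.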

On November 1, a ban on bypassing blocking using a VPN began in Russia. And many companies, including foreign ones, have asked themselves what to do for organizations using technology to create corporate networks.

According to representatives of the State Duma, the law contains a clause under which network encryption may be used for corporate purposes. This means companies do not have to spend significant sums laying private lines between their offices, since setting up a VPN connection is practically (and in some cases entirely) free. So today we decided to look at two ways of organizing a VPN connection in a corporate network and several protocols used for this: PPTP, L2TP / IPsec, SSTP and OpenVPN.

PPTP

It comes "by default" on any VPN-capable platform and is easy to configure without additional software. Another advantage of PPTP is its high performance. Unfortunately, PPTP is not secure enough. Since the protocol was incorporated into Windows 95 OSR2 in the late nineties, several vulnerabilities have been exposed.

The most significant is the possibility of unencapsulated MS-CHAP v2 authentication. This exploit made it possible to crack PPTP in two days. Microsoft patched the hole by switching to the PEAP authentication protocol, but then itself recommended using the L2TP / IPsec or SSTP VPN protocols instead. One more point: PPTP connections are easy to block, because the protocol works with a single port number, 1723, and uses the GRE protocol.

When a VPN tunnel is established, PPTP supports two types of transmitted messages: control messages for maintaining and disconnecting the VPN connection, and the data packets themselves.

L2TP and IPsec

Layer 2 Tunneling Protocol, or L2TP, is also present in virtually all modern operating systems and works with all VPN-capable devices.

L2TP does not encrypt the traffic passing through it, so it is usually combined with IPsec. However, this has a negative side effect: in L2TP / IPsec the data is encapsulated twice, which hurts performance. L2TP also uses UDP port 500, which is easily blocked by a firewall if you are behind NAT.

L2TP / IPsec can work with the 3DES or AES ciphers. The first is vulnerable to attacks such as meet-in-the-middle and Sweet32, so today it is rarely seen in practice. No major vulnerabilities are known for AES, so in theory this protocol should be secure (if implemented correctly). However, John Gilmore, founder of the Electronic Frontier Foundation, indicated in a post that IPsec could have been deliberately weakened.

The biggest problem with L2TP / IPsec is that many VPN providers do not implement it well enough. They use pre-shared keys (PSKs) that can be downloaded from their site. The PSK is needed only to establish the connection, so even if it is compromised, the data remains under AES protection. But an attacker can use the PSK to impersonate the VPN server and then eavesdrop on the encrypted traffic (even injecting malicious code).

SSTP

The Secure Socket Tunneling Protocol, or SSTP, is a VPN protocol developed by Microsoft. It is based on SSL and first shipped in Windows Vista SP1. Today the protocol is available for operating systems such as RouterOS, Linux, SEIL and Mac OS X, but it still finds its main use on the Windows platform. SSTP is a proprietary standard owned by Microsoft and its code is not publicly available.

SSTP itself has no cryptographic functionality with one exception: a cryptographic binding that protects against MITM attacks. Data encryption is performed by SSL. A description of the procedure for establishing a VPN connection can be found on the Microsoft website.

Tight integration with Windows simplifies working with the protocol and improves its stability on that platform. However, SSTP uses SSL 3.0, which is vulnerable to the POODLE attack, which in theory affects the security of the VPN protocol.

VPN connection types

In today's post we talk about the two most commonly used VPN connection types: remote access to the corporate network (remote access) and point-to-point connection between networks (site-to-site).

Remote access allows company employees to securely connect to the corporate network via the Internet. This is especially important when the employee does not work in the office and connects via unsecured access points, for example, Wi-Fi in a cafe. To organize this connection, a tunnel is established between the client on the user's gadget and the VPN gateway in the company's network. The gateway authenticates and then grants (or restricts) access to network resources.

The most commonly used protocols to secure the connection are IPsec or SSL. It is also possible to use the PPTP and L2TP protocols.


Welcome to our website! In this tutorial you will learn how to set up a PPTP VPN connection on the Windows 7 operating system.

Recall that a VPN (Virtual Private Network) is a technology used to access a secured network (or networks) over the public Internet. With a VPN channel you can protect your information by encrypting it and transferring it within the VPN session. Besides, a VPN is a cheap alternative to an expensive dedicated communication channel.

To configure VPN over PPTP for Windows 7, you will need:

  • Windows 7 OS;
  • the address of the VPN server to which the connection will be made using the PPTP protocol;
  • login and password.

This concludes the theoretical part, let's get down to practice.

1. Open the "Start" menu and go to the "Control Panel" of your computer.

2. Then select the "Network and Internet" section.

3. In the window that opens, select "Network and Sharing Center".

4. At the next stage, select the item "Set up a new connection or network".

5. In the newly opened window, select the item "Connect to a workplace".

6. In the new window, select the item "Use my Internet connection (VPN)".

8. In the window that opens, enter the address of your VPN server in the "Internet address" field, and in the "Destination name" field enter a name for the connection, which can be chosen arbitrarily.

9. In the next window, enter the login and password that are registered on the VPN server. Tick "Remember this password" so you do not have to enter it every time you connect.

10. After the above steps the connection is ready to use; click the "Close" button.

11. After that, go back to the Start menu, then to Control Panel, Network and Internet, Network and Sharing Center, where we select the item "Change adapter settings".

12. Find our VPN connection in this window, right-click on it and go to its properties.

14. In the same window, on the "Network" tab, uncheck the boxes next to the items "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks".

This completes the PPTP VPN configuration for the Windows 7 operating system and the VPN connection is ready to use.

Troubleshooting Guide: Route VPN Through NAT Firewalls

The popularity of remote work continues to grow, while information security issues lose none of their relevance. This is why small and large companies use virtual private networks (VPNs). Fortunately, corporate IT departments realize that many employees have leased lines and broadband connections using consumer-grade routers. IT departments can make life much easier for users by using "NAT-friendly" VPN gateways and VPN clients that do not require changes to the home router configuration to establish the VPN tunnel.

If you are not so lucky, you can still fix the situation. First, check whether your router supports PPTP or IPsec pass-through. This feature is ubiquitous in Linksys routers, so you can search for those models. Fig. 1 shows the bottom of the Filters screen of a Linksys BEFSR41, which contains options to separately enable PPTP or IPsec pass-through.

Fig. 1. VPN pass-through on the Linksys BEFSR41.

All you need to do is enable support for the VPN protocol in use and restart the router. If all goes well, your VPN will work immediately.

Unfortunately, not all routers have an option for enabling VPN pass-through, but the absence of these options does not mean that all is lost.

Still not working? Then you should try opening some ports in your router's firewall to support the VPN connection. Open the ports (and protocol) only for the IP address of the computer that the VPN client will run on. Be aware that port forwarding works for only one computer at a time. If you need to support multiple VPN clients operating concurrently, your router must natively support the VPN protocol used.

If you are using Microsoft's PPTP protocol, you need to configure forwarding of TCP port 1723 to pass PPTP traffic. Fig. 2 shows the Forwarding screen of a Linksys BEFSR41 router with the port forwarded to a client with IP address 192.168.5.100.

Fig. 2. VPN port forwarding on the Linksys BEFSR41.

PPTP also requires support for IP protocol 47 (Generic Routing Encapsulation) for the VPN traffic. Be aware that what is needed is support for a protocol rather than a port. Support for this protocol must be built into the NAT engine, as is done on most modern routers.

Opening the firewall, continued

To support IPsec-based VPNs you need to open UDP port 500 for ISAKMP key negotiation, IP protocol 50 for Authentication Header traffic (not always used), and IP protocol 51 for transferring the data itself. Again, the only forwarded port here is UDP 500, which in Fig. 2 we also forwarded to the same client machine on the local network; support for protocols 50 and 51 should be built into your router.

Not all routers are the same! Some support opening only one VPN tunnel and a single client. Others support multiple tunnels, but only one client per tunnel. Unfortunately, most vendors are not very clear in their documentation about how their products support VPN pass-through, and technical support is often not qualified to deal with the issue. In most cases you will have to test the router on your network and return it if it does not work.

Does not work?

Getting some routers to support IPsec VPNs without a lot of trial and error is almost impossible. The point is that manufacturers love to implement their own mechanisms for this support. However, as the technology matures, IPsec support gets closer and closer to ideal, and your company may still be using old products that were created without any consideration for the existence of NAT, or that require opening additional ports in the firewall.

If you know English, we recommend that you check out Tin Bird's guides on IPsec and PPTP, which contain ready-made configurations for many products. You can also take a look at our English-language section VPN Links & Tools for more information.
