The End of PPTP and L2TP IPsec VPN Networking in Windows

“This is the end
Beautiful friend
This is the end
My only friend, the end
Of our elaborate plans, the end
Of everything that stands, the end
No safety or surprise, the end
I’ll never look into your eyes…again…”

http://blogs.technet.com/rrasblog/archive/2009/02/...7.aspx

OK, maybe a little melodramatic, but this blog post really seemed to come out of left field. Actually, it’s not as bad as you might think it is. The RRAS team just wants to know what the community thinks of removing PPTP and L2TP/IPsec support for operating systems after Windows 7 and Windows Server 2008 R2.

Microsoft clients starting with Windows Vista SP1 support the SSTP VPN protocol, which is superior to PPTP and L2TP/IPsec in terms of usability. Users can be located anywhere, behind NAT and Web proxies, and still connect – not something you see with PPTP and L2TP/IPsec all the time. In addition, beginning with Windows 7, you’ll have access to VPN Reconnect, which is a new VPN protocol that uses IKEv2.

There are some problems with dropping support for these legacy VPN protocols that will need to be solved or addressed:

  • What about non-Windows clients? Will Microsoft create VPN clients that will support SSTP and IKEv2 VPN Reconnect?
  • What about site to site VPNs? Neither IKEv2 (as far as I know) nor SSTP are enabled for site to site VPN configuration or support
  • What about site to site VPN connections to Windows Server 2008 R2 and earlier? I expect to see these VPN gateways still being in place for at least the next 5-8 years. If future versions of RRAS remove support for PPTP or L2TP/IPsec, there will need to be some sort of back port of the new site to site VPN protocols at least for Windows Server 2008
  • Since ISA and TMG leverage RRAS for VPN connections, updates to at least TMG will need to be made to support the new site to site VPN protocols

None of these issues are insurmountable. However, it might be better to wait a little longer before retiring these protocols, and let the community know long in advance that this is going to happen, so plans can be made.

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

3 Responses to “The End of PPTP and L2TP IPsec VPN Networking in Windows”

  1. Paulo Oliveira Says:

    June 25th, 2009 at 7:18 am

    Hi Tom,

    Totally agree with you. I don't think it is a great idea retiring these VPN protocols right now. Also, like any other changing plans, they need to alert us a long time before doing it.
    There are still many companies that use legacy versions of Windows out there.

    PS: Liked The Doors quote! :)

    Regards,
    Paulo Oliveira.

  2. Thomas Shinder Says:

    June 25th, 2009 at 7:23 am

    Hi Paulo,

    Thanks!
    Tom

  3. anonymous Says:

    January 4th, 2010 at 9:34 am

    MS were planning to port SSTP to XP in SP3 but the plan was dropped for business reasons. Provide SSTP on XP and problem is solved.
