Choosing MPPE or IPSec Encryption

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

For site-to-site connections, the connection type and the user authentication protocol that you choose to deploy determine the data encryption method. Table 10.6 shows the available options.

Table 10.6   Choosing a Data Encryption Method

Connection Type Recommended User Authentication Protocol Encryption Method

Dial-up connection



PPTP connection



L2TP connection



Understanding the following features can help you decide how you want to manage encryption:

  • Link encryption versus end-to-end encryption. MPPE provides link encryption. Link encryption encrypts data as it passes between the calling and answering routers. In addition to providing computer-level authentication, IPSec provides end-to-end encryption for data that passes between the sending and receiving nodes.

  • Encryption method used if VPN connection type is Automatic. If you configure a VPN connection for an Automatic server type (the default), the connection first tries to use PPTP and its associated MPPE encryption, and then it tries to use L2TP and its associated IPSec encryption. If you configure the VPN connection to connect to a PPTP server, only MPPE encryption is used. If you configure the VPN connection to connect to an L2TP server, only IPSec encryption is used.

  • No encryption needed for link to ISP. For VPN connections, you do not need to use encryption for the link between your site and the ISP, because no data is transmitted during the process that establishes this connection. After the connection to the ISP is made, the data that passes between the calling and answering routers is encrypted as it passes through the VPN tunnel.

You configure MPPE and IPSec encryption strengths on the Encryption tab for the properties of a remote access policy. For information about how to configure encryption in a remote access policy for a site-to-site connection, see "Configure a Remote Access Policy" later in this chapter. For general information about configuring encryption, see Add a remote access policy and Remote Access Policies Examples in Help and Support Center for Windows Server 2003.

Configure either MPPE or IPSec to use one of the encryption keys as shown in Table 10.7.

Table 10.7   Encryption Strength by Connection Type

Encryption Strength Dial-up or PPTP L2TP/IPSec


40-bit MPPE

56-bit DES


56-bit MPPE

56-bit DES


128-bit MPPE

3DES (three 56-bit keys)


  • Windows NT 4.0 with the 128-bit version of Service Pack 4 (SP4) can support 128-bit MPPE, but it does not support 56-bit MPPE. Therefore, any Windows operating system earlier than Windows NT 4.0 SP4 is not recommended, because security enhancements for MS-CHAP and MPPE are not included.