Choose MPPE or IPsec Encryption
Applies To: Windows Server 2008, Windows Server 2008 R2
For site-to-site connections, the connection type and the user authentication protocol that you choose to deploy determine the data encryption method. The following table shows the available options.
Connection Type | Recommended User Authentication Protocol | Encryption Method |
---|---|---|
Dial-up connection | EAP-TLS or MS-CHAP v2 | MPPE |
PPTP connection | EAP-TLS or MS-CHAP v2 | MPPE |
L2TP connection | EAP-TLS or MS-CHAP v2 | IPsec |
Understanding the following features can help you decide how you want to manage encryption:
Link encryption versus end-to-end encryption. MPPE provides link encryption. Link encryption encrypts data as it passes between the calling and answering routers. In addition to providing computer-level authentication, IPsec can provide end-to-end encryption for data that passes between the sending and receiving nodes.
Encryption method used if VPN connection type is Automatic. If you configure a VPN connection for an Automatic server type (the default), the connection first tries to use PPTP and its associated MPPE encryption, and then it tries to use L2TP and its associated IPsec encryption. If you configure the VPN connection to connect to a PPTP server, only MPPE encryption is used. If you configure the VPN connection to connect to an L2TP server, only IPsec encryption is used.
No encryption needed for link to ISP. For VPN connections, you do not need to use encryption for the link between your site and the ISP, because no data is transmitted during the process that establishes this connection. After the connection to the ISP is made, the data that passes between the calling and answering routers is encrypted as it passes through the VPN tunnel.
Configure MPPE and IPsec encryption strengths on the Settings tab for the properties of a network policy as shown in the following table.
Encryption Strength | Dial-up or PPTP | L2TP/IPsec |
---|---|---|
Basic | 40-bit MPPE | 56-bit DES |
Strong | 56-bit MPPE | 56-bit DES |
Strongest | 128-bit MPPE | 3DES (three 56-bit keys) |
Security Note |
---|
We recommend that you only use Strongest encryption for your VPN connections. |