PPTP (Point-to-Point Tunnel Protocol)

PPTP (RFC 2637) has received quite some attention, both praise and flames, because of its integration into the Windows operating system in combination with Microsoft Point-to-Point Encryption (MPPE) to realize on-demand VPN client access. MPPE works as a subfeature of Microsoft Point-to-Point Compression (MPPC) and provides encryption for PPP links.

PPTP itself does not provide encryption. It is used in client/server setups with enterprise remote-access servers (RASs) and was not designed with support for gateway-to-gateway tunnels in mind. MPPE is multiprotocol-capable, uses the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication, and supports 40-bit and 128-bit encryption based on RSA's RC4 algorithm to provide data confidentiality. PPTP is based on an enhanced GRE approach. It is documented widely, and tons of example setups for Microsoft and UNIX are available. For further information, look at the RFCs relevant to MPPC (RFC 2118) and MPPE (RFC 3078/3079).

PPTP uses TCP/1723 to set up its control channel and IP protocol 47 (GRE) to move data. Enabling PPTP traffic to flow through a firewall requires you to establish bidirectional rules for both sets of traffic.[2]
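As an added example (not from this book or from any of the PPTP projects it lists), the following shell script emits the bidirectional iptables rules described above for a Linux firewall that forwards PPTP traffic to a RAS behind it. The interface name eth0 and the RAS address 192.0.2.10 are placeholder assumptions; the script prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: emit iptables FORWARD rules that let PPTP pass through a
# Linux firewall. PPTP needs two flows: the TCP/1723 control channel and
# GRE (IP protocol 47) carrying the PPP data. GRE has no ports, so it can
# only be constrained to "protocol 47 between these hosts".
# Assumptions (placeholders): external interface eth0, RAS at 192.0.2.10
# (RFC 5737 documentation prefix).

pptp_rules() {
    iface="${1:-eth0}"          # interface facing the PPTP clients
    ras="${2:-192.0.2.10}"      # address of the PPTP / RAS server

    # Control channel: clients open TCP/1723 to the RAS. New connections are
    # accepted inbound only; outbound is limited to established replies.
    echo "iptables -A FORWARD -i $iface -p tcp -d $ras --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -o $iface -p tcp -s $ras --sport 1723 -m state --state ESTABLISHED -j ACCEPT"

    # Data channel: GRE is stateless and carries no ports, so without a PPTP
    # connection-tracking helper both directions must be permitted explicitly.
    # Pinning the rules to the RAS address is the only tightening available.
    echo "iptables -A FORWARD -i $iface -p 47 -d $ras -j ACCEPT"
    echo "iptables -A FORWARD -o $iface -p 47 -s $ras -j ACCEPT"
}

# Review the output first, then apply with:  pptp_rules eth0 192.0.2.10 | sh
pptp_rules "$@"
```

If the firewall itself is the PPTP endpoint rather than a forwarder, the same four rules belong in the INPUT and OUTPUT chains instead of FORWARD.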

This book does not provide a thorough discussion of PPTP in practice for several reasons:

  • It is not that relevant in non-Microsoft environments. There are far better choices for tunnel setup in integrated UNIX and Cisco architectures.

  • PPTP is deprecated, and Microsoft has moved on to L2TP/IPSec as a strategic technology.

  • Many documents, recipes, and configurations are available with regard to PPTP setups involving Microsoft clients and RAS servers (and for PPTP configurations in context with DSL setups, which are common in some European countries).

The following list identifies the most mature PPTP implementations for Linux and BSD operating systems:

  • UNIX PPTP Client Package: This is the recommended client package for Linux and BSD and integrates well with the PoPToP server. (http://pptpclient.sourceforge.net/)

  • PoPToP: An open-source PPTP server for Linux and BSD that works perfectly with the PPTP client package. (http://www.poptop.org/)

  • MPD: A multilink PPP daemon for FreeBSD. It is a robust and mature implementation based on the FreeBSD Netgraph facility. (http://www.dellroad.org/mpd/index)

  • PPTP-Proxy: A useful daemon that forwards a PPTP VPN connection through a Linux firewall. (http://www.mgix.com/pptpproxy/)

  • The MPPE/MPPC kernel module for Linux: This is an alternative to user-space approaches. It requires patching pppd and the kernel sources. It works with the current 2.4 Linux kernel. (http://www.polbox.com/h/hs001)

Exercise 11-2: PPTP on UNIX

Use PPTP Client and PoPToP to familiarize yourself with the UNIX implementation. For example, you can set up DSL access or provide RAS services to Microsoft roaming users.