Windows 10 Always On VPN is infrastructure independent and can be implemented using third-party VPN devices. It is not necessary to deploy any Windows servers at all to support an Always On VPN solution. However, in a recent blog post I outlined some compelling reasons to consider using Windows Server’s Routing and Remote Access Service (RRAS) feature to terminate VPN connections. RRAS supports both modern and legacy VPN protocols, each with their own advantages and disadvantages. The choice of which protocols to support will be determined by many factors, but it is important to understand the capabilities of each to make an informed decision.
RRAS VPN Protocols
Windows RRAS supports the following VPN protocols.
- Internet Key Exchange version 2 (IKEv2) – RFC7296
- Secure Sockets Tunneling Protocol (SSTP) – Microsoft
- Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) – RFC2661
- Point-to-Point Tunneling Protocol (PPTP) – RFC2637
There are pros and cons associated with each of these VPN protocols. Here’s a breakdown of each.
IKEv2
This IPsec-based VPN protocol is the preferred choice for deployments where the highest level of security is required. The latest version of IKE (v2) features streamlined messaging during connection establishment and enhanced session management that reduce protocol overhead and improve performance.
Advantages: Best security options.
Disadvantages: Firewalls may block required UDP ports.
SSTP
SSTP is an excellent alternative to IKEv2 and is recommended for most deployments. It uses industry standard Transport Layer Security (TLS), making it widely accessible from most locations. It provides good security out of the box but can be improved upon with additional configuration. SSTP lends itself well to load balancing, making it much easier to scale out than IKEv2. Optionally, TLS can be offloaded to an Application Delivery Controller (ADC) to reduce resource utilization on the RRAS server and further improve performance.
Advantages: Easy to configure with firewall friendly access.
Disadvantages: Fewer security options than IKEv2.
L2TP
While technically supported for Always On VPN, L2TP is a legacy VPN protocol that offers no real advantages over IKEv2. Its use is unnecessary and should be avoided.
Advantages: None.
Disadvantages: Firewalls may block required UDP ports.
PPTP
PPTP is considered an obsolete VPN protocol with many known security vulnerabilities. Its use should be avoided at all costs.
Advantages: None.
Disadvantages: Insecure.
Summary
The recommendation is to use SSTP for user-based VPN connections to ensure operational reliability and optimum performance. Use IKEv2 only when the highest level of security is required. Avoid the use of L2TP/IPsec and PPTP at all costs.
Additional Resources
Frequently Asked Questions about Microsoft’s PPTP Implementation
Always On VPN and Windows Server Routing and Remote Access Services (RRAS)
Windows 10 Always On VPN and the Future of DirectAccess
5 Things DirectAccess Administrators Should Know about Always On VPN
3 Important Advantages of Windows 10 Always On VPN over DirectAccess
