June 1997

Point-to-Point Tunneling Protocol



It's June 1996. You've just invested a significant amount of money in a soup-to-nuts dial-in solution for your Windows NT network. You bought a Remote Access Service (RAS) server, multiport controller, a slew of high-end 28.8Kbps modems, a host of analog lines, and the management capabilities to run it all. Sure, your average cost-per-port was a little high, and you have recurring costs for your analog lines and administration. But the best technology costs money, right?

Well, now it's a year later, and your prized dial-in solution is starting to look like a 1972 Vega compared with the newest 33.6Kbps and 56Kbps (X2) modem technologies. To upgrade, you have to justify replacing all those 28.8Kbps modems with faster units.

The communications field is moving so quickly that you can't predict what will be in the mainstream tomorrow. Corporate IS budgets, already strained by the short life cycle of PCs, can't keep up with the blazing speed of communications developments.

A solution worth looking into is Microsoft's Point-to-Point Tunneling Protocol (PPTP), which Microsoft has integrated with RAS in NT 4.0. (For more information about RAS, see Sean K. Daily, "What's New in Windows NT 4.0 RAS?," January 1997). PPTP lets you set up Virtual Private Networks (VPNs) that let remote users access corporate networks securely across the Internet. Opinions on whether to use this protocol vary greatly because of security and performance issues. But if you implement it correctly, PPTP can provide a low-cost, high-availability dial-in solution for your organization.

PPTP helps you put the mundane task of modem management into the hands of people who are experts at it--Internet Service Providers (ISPs). Just plug your RAS server into the Internet, configure the server to accept PPTP connections, assign a valid Internet IP address to the RAS server, then give that IP address to anyone who needs remote access.

OK, the process takes a few more steps than that scenario. But if you follow the steps I outline, you can get a basic PPTP VPN functioning and see how Microsoft's model works.

How Does It Work?
Imagine PPTP as a Dial-Up Networking (DUN) connection inside a DUN connection, or a pipe within a pipe. Your first connection, or pipe, is your Point-to-Point Protocol (PPP) connection to your ISP; your second connection is your PPTP connection, which tunnels through your first connection. Because the PPTP connection is a tunnel, you can route whatever packet types you want--including IPX and NetBEUI--through the tunnel over the Internet. Your ISP sees only ordinary IP packets addressed to your RAS server (the PPP frames travel inside them, GRE-encapsulated), but when the packets reach your PPTP-configured RAS server, the server strips the outer wrapper and the original frames enter your corporate network.

PPTP tunneling has particular significance if your IP network uses addresses you haven't registered with InterNIC or addresses reserved for private networks (such as the 10.x.x.x range). Neither kind is routable on the Internet, so without PPTP you could not reach those addresses from a remote site. With PPTP, the packets that carry the private addresses ride inside Internet-routable packets addressed to your RAS server, so you can route into this type of network.

For this article, I assume that not everyone has a dedicated connection to the Internet and that many of you will use dial-up connectivity to test the configuration. Before you start, you need a fully functional RAS server on your network. Your server also must have either a dedicated or a dial-up PPP connection to the Internet through your ISP; a valid Internet IP address; and if you refer to your server by name instead of by IP address, a registered, fully qualified domain name. Your server's configuration must let dial-in clients use all the protocols available on your private network.

On the client side, the requirements are much lighter. You need an NT 4.0 client that is configured to access an ISP via PPP.

First, the Server
To get your RAS server ready to accept incoming PPTP traffic, install PPTP. In the Control Panel Network applet, select the Protocols tab and click Add. Choose Point To Point Tunneling Protocol, as shown in Screen 1. Next, in the PPTP Configuration dialog box, define the number of VPN connections you want to support. RAS can support up to 256 connections; you can always adjust this number later.

PPTP installation then launches Remote Access Setup, shown in Screen 2, where you add all your VPN devices to your RAS server, in the same way that you add modems. Select each device from the RAS Capable Devices list and click OK to add the device to your RAS configuration. Because you will use these VPN devices for inbound PPTP connections only, verify that you have configured each device to receive calls only.

Next, configure encryption for your PPTP connections--remember, your sensitive corporate data will travel through the Internet, which is a public network. In the Remote Access Setup dialog box, click Network and select Require Microsoft encrypted authentication and Require data encryption, shown in Screen 3. The first setting forces clients to authenticate with Microsoft's challenge-response scheme (MS-CHAP) instead of sending passwords in the clear; the second refuses any session that doesn't negotiate encryption of the PPP payload. Note that these settings apply to every connection to your RAS server, dial-up as well as PPTP, so any remote access clients you haven't configured for Microsoft encrypted authentication will be locked out. In that case, consider implementing a second RAS server just for your PPTP connections. Also keep in mind that the data encryption is only as strong as its key: the exportable version is 40-bit RC4 (see the reader discussion below), which protects against casual eavesdropping but not against a well-funded attacker.

If you have a direct connection to the Internet, you can add another layer of protection by enabling PPTP filtering on your RAS server, which discards every packet arriving on that adapter except PPTP traffic: the control connection on TCP port 1723 and the GRE-encapsulated (IP protocol 47) tunnel data. Screen 4 shows how to enable filtering. On the Control Panel Network applet's Protocols tab, open the properties for TCP/IP, click Advanced, and select the Enable PPTP Filtering check box for the network adapter that is connected to the Internet. PPTP filtering applies only to LAN adapters with a direct Internet connection; you can't configure it for dial-up adapters. Be aware that once filtering is on, the Internet-facing adapter also drops ICMP, so the server stops answering ping and tracert, and any other service you run on that adapter becomes unreachable from the Internet.
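The two ideas above, the pipe within a pipe and the PPTP-only filter, are easier to see as bytes. The following is an added example written for this page, not code from the article or from Microsoft: it builds a handful of packets in memory (constructed sample data, no network I/O), wraps PPP frames carrying IP, IPX and NetBEUI in the enhanced GRE header PPTP uses (IP protocol 47, control connection on TCP 1723), and then runs a filter that approximates what Enable PPTP Filtering does on the Internet-facing adapter. The client and server addresses are assumed values from documentation ranges, the IPX and NetBEUI payloads are opaque stand-ins, and the IP checksum is left at zero since nothing here is put on a wire.

```python
"""Added example (not from the original article): models PPTP's "pipe within a
pipe" as bytes, then applies a PPTP-only packet filter to a handful of
constructed packets.  Everything is built in memory; nothing touches the network."""
import struct
from ipaddress import IPv4Address

GRE_PROTO, TCP_PROTO, ICMP_PROTO = 47, 6, 1   # IP protocol numbers
PPTP_PORT = 1723                               # PPTP control connection (TCP)
GRE_PPP_TYPE = 0x880B                          # protocol type in PPTP's enhanced GRE header
PPP_IP, PPP_IPX, PPP_NETBEUI = 0x0021, 0x002B, 0x003F   # PPP protocol numbers (NetBEUI = NetBIOS Framing)

# Assumed addresses for the walk-through (hypothetical, documentation ranges).
CLIENT_IP = "198.51.100.23"     # address the ISP assigned to the dial-up client
RAS_SERVER_IP = "203.0.113.10"  # the RAS server's valid Internet address


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 packet: 20-byte header without options, checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def tcp_syn(dst_port, src_port=49152):
    """Bare 20-byte TCP header with only SYN set; enough to read the ports."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def icmp_echo():
    """ICMP echo request header (type 8), as ping would send."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def gre_encapsulate(ppp_protocol, inner, call_id, seq):
    """Outer pipe: wrap a PPP frame in enhanced GRE (RFC 2637) inside IP protocol 47.
    Flags word 0x3001 = Key and Sequence present, GRE version 1; the Key field
    carries the payload length and the PPTP call ID."""
    ppp_frame = struct.pack("!H", ppp_protocol) + inner
    gre = struct.pack("!HHHHI", 0x3001, GRE_PPP_TYPE, len(ppp_frame), call_id, seq)
    return ipv4(GRE_PROTO, CLIENT_IP, RAS_SERVER_IP, gre + ppp_frame)


def parse_ipv4(pkt):
    """Return protocol, addresses and payload of an IPv4 packet (honours IHL)."""
    v_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    return {"proto": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}


def gre_decapsulate(gre_payload):
    """Inner pipe: strip the enhanced GRE header and return (PPP protocol, PPP payload)."""
    flags, ptype, length, call_id = struct.unpack("!HHHH", gre_payload[:8])
    if ptype != GRE_PPP_TYPE or (flags & 0x0007) != 1:
        raise ValueError("not PPTP enhanced GRE")
    offset = 8
    if flags & 0x1000:      # S bit: sequence number present
        offset += 4
    if flags & 0x0080:      # A bit: acknowledgment number present
        offset += 4
    ppp_frame = gre_payload[offset:offset + length]
    (ppp_protocol,) = struct.unpack("!H", ppp_frame[:2])
    return ppp_protocol, ppp_frame[2:]


def what_each_hop_sees(pkt):
    """(outer IP protocol the ISP routes on, PPP protocol the RAS server recovers, inner bytes)."""
    outer = parse_ipv4(pkt)
    ppp_protocol, inner = gre_decapsulate(outer["payload"])
    return outer["proto"], ppp_protocol, inner


def pptp_filter(pkt):
    """Approximation of NT 4.0 'Enable PPTP Filtering' on the Internet-facing adapter:
    pass GRE (protocol 47) and TCP to/from port 1723, drop everything else,
    including ICMP, which is why ping and tracert stop answering."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == GRE_PROTO:
        return "ACCEPT"
    if ip["proto"] == TCP_PROTO:
        src_port, dst_port = struct.unpack("!HH", ip["payload"][:4])
        if PPTP_PORT in (src_port, dst_port):
            return "ACCEPT"
    return "DROP"


def demo():
    """Run the filter over constructed traffic aimed at the RAS server."""
    inner_ip = ipv4(TCP_PROTO, "10.1.1.5", "10.1.1.20", tcp_syn(139))   # private 10.x addresses
    packets = {
        "ppp/ip over gre": gre_encapsulate(PPP_IP, inner_ip, call_id=1, seq=0),
        "ppp/ipx over gre": gre_encapsulate(PPP_IPX, b"\xff\xff\x00\x1e\x00\x04", call_id=1, seq=1),  # stand-in bytes
        "ppp/netbeui over gre": gre_encapsulate(PPP_NETBEUI, b"\x00\x2c\x00\x00\xff\xef", call_id=1, seq=2),  # stand-in bytes
        "pptp control tcp/1723": ipv4(TCP_PROTO, CLIENT_IP, RAS_SERVER_IP, tcp_syn(PPTP_PORT)),
        "icmp echo (ping)": ipv4(ICMP_PROTO, CLIENT_IP, RAS_SERVER_IP, icmp_echo()),
        "smb direct tcp/139": ipv4(TCP_PROTO, CLIENT_IP, RAS_SERVER_IP, tcp_syn(139)),
    }
    return {name: pptp_filter(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
    outer, ppp, inner = what_each_hop_sees(gre_encapsulate(PPP_IPX, b"\x01\x02", 7, 3))
    print(f"ISP sees IP protocol {outer}; RAS server recovers PPP protocol 0x{ppp:04X}")
```

Run as a script, the three tunnelled frames and the control connection pass and the ping and direct SMB attempts are dropped, which is exactly the behaviour the article warns about: once filtering is on, the only way to the server from the Internet is through the tunnel. The decapsulation also shows why the ISP never has to understand IPX or NetBEUI: every hop between client and server routes on protocol 47, and the PPP protocol number only becomes visible after the RAS server peels off the GRE header.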

If your private internal network is strictly IPX or NetBEUI, your server configuration is finished at this point and you can proceed to client configuration. If your private network uses TCP/IP, however, you need to enable IP forwarding on your RAS server so that packets emerging from the tunnel can be routed onto the LAN. As Screen 5 shows, go into the Control Panel Network applet and modify the properties for TCP/IP, choose the Routing tab, and select Enable IP Forwarding. Be aware of what this setting does: it turns a server with one adapter on the Internet and one on your LAN into a router between the two, so enable PPTP filtering on the Internet adapter (or place the server behind a firewall) before you turn forwarding on.



Reader Comments
I was pleased Douglas Toombs wrote a seemingly thorough article on the basics of setting up PPTP, “Point-to-Point Tunneling Protocol,” June 1997. When I set up a server for my company, I couldn’t find any step-by-step information about how to do it. So I didn’t know what I did wrong when the setup didn’t work. I discovered that our router is too old and doesn’t support GRE packets, which pass PPTP through to a server. Also TCP port 1723 must be open. I wish Douglas’ article had included that information for people with servers hooked up to dedicated Internet connections. I found the information in an FAQ on PPTP from a third-party vendor who makes PPTP clients for Windows and Mac. (The documentation for the beta of the Windows 95 PPTP client does mention protocol ID 47—GRE—and TCP port 1723.)
--Edward Baichtal

Thanks for sharing your findings. As you noted, the beta for PPTP in Win95 has been released and is available for public download. Your information will be very useful for people with older routers and certain firewall configurations.
--Doug Toombs

Edward Baichtal August 13, 1999


Having read the June “Point-to-Point Tunneling Protocol” article by Douglas Toombs, I believe his review of the security of information exchanged between a RAS server and client is incorrect. True, the encryption is based on “shared secrets” initialized in the client and the server, and this approach means that these shared secrets are never sent over the Internet. However, to then state that the encryption method is extremely secure and that you can feel safe about your data being encrypted with this method is completely incorrect.
Even if you don’t send the shared encryption key over the Internet, you cannot escape the fact that the 40-bit RC4 encryption algorithm is being used. An exhaustive key search (i.e., a search through all keys) can easily decrypt a message encrypted with a 40-bit RC4 key, in a matter of hours. Therefore, it does not matter whether the key used to encrypt the message is actually sent over the Internet.
I suggest that if information is important enough to require encryption, you should not rely on 40-bit RC4. Instead, use a strong algorithm (e.g., IDEA, DES, RC4), with a large key size (i.e., at least above 56 bits, ideally 128 bits). Because the number of keys to search through would be so huge, a key size of 128 bits with a strong algorithm can stop even the most determined attacker (even governments) from decrypting information by searching through all keys.
--Liaquat Khan

Thanks for your input. You are probably referring to Berkeley’s Network of Workstations (NOW) project, which, earlier this year, broke a 40-bit RC5 encryption by brute force in 3.5 hours. Although that feat is reason for concern, an equally important consideration is that the NOW system is the 190th fastest supercomputer in the universe.
Obviously, not everyone has that type of computing power readily available, and bringing that type of computing power to bear on an encryption is not necessarily easy. But even clusters of not-so-super computers, all working in unison, have broken even stronger encryption methods, such as the US government’s DES standard, a mainstay in the world’s banking and financial institutions.
To be fair, RSA RC4 was first cracked (that I am aware of) on August 15, 1995. The first-announced decryption used 120 workstations and 2 parallel supercomputers at 3 major research centers. All that processing power took 8 days to break the encryption by brute force. Again, this amount of computing power is relatively significant, but demonstrates the amount of computing power that someone can harness by using the spare cycles of a large number of machines. An estimated 70,000 computers worldwide performed the 56-bit DES break in June this year, and even as I write this email, my computer is participating in an ongoing attempt to break a RC5 56-bit encryption.
The question most people face is how much encryption is enough? Do you feel safe with the current exportable encryption technologies used to protect secure transactions on the Internet? If so, PPTP will suit your needs. If you require a level of encryption that even a government couldn’t crack, PPTP won’t be secure enough. Obviously each organization must decide, but you raise a very valid point: Most organizations will probably want to use the maximum amount of encryption available.
--Douglas Toombs

Liaquat Khan August 13, 1999


I have spent weeks trying to implement a PPTP connection using the step-by-step instructions covered in this article.
There are two crucial steps that must be followed in order to successfully create a PPTP connection:
1. Remote Access Server and Remote Access Connection Manager services must be started and set to Automatic startup.
2. The latest service pack used on your system must be applied after you set up PPTP.

If you skip these two steps PPTP won't work. Trust me, I spent hours scratching my head with this one.

Ronnie Saada March 01, 2000


I am a relative newcomer to this field, and I have found coverage of the subject to be pretty dismal (including the coverage in Microsoft's own MCSE books). This article instantly made PPTP clear to me.

Marvin Freedland July 23, 2000


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.