Security of PPTP vs IPSec

security vpn pptp ipsec

Is PPTP or IPSEC VPN more secure than the other for 'dial in' VPN, if so, why?


PPTP is a tunneling protocol just like L2TP is - it does not provide security.

PPTP uses MPPE for encryption which may have some disadvantages compared to IPSEC (which is commonly used with L2TP). IPSEC can also be used on its own as a tunneling protocol and this is pretty common.

An advantage with IPSEC in general would be if it's used with certificates to authenticate on the machine-level in addition to the user-level. L2TP enforces this but IPSEC alone could be used with just a pre-shared key just as the encryption in PPTP can - lowering the level of security to similar levels in my opinion.

Most old vulnerabilities in PPTP are fixed these days and you can combine it with EAP to enhance it to require certificates as well. I'd say there's no clear winner, but PPTP is older, more light-weight, works in most cases and clients are readily pre-installed, giving it an advantage in normally being very easy to deploy and configure without EAP.

However, getting something more secure by machine-level authentication might give IPSEC an advantage in being designed for this to begin with (L2TP in particular) - and hence possibly be easier to deploy with that requirement than getting PPTP to work with EAP.

If we compare PPTP with L2TP straight off - L2TP wins by a fair amount due to the requirements for decent authentication on several levels, preventing several scenarios PPTP won't prevent (in theory).


The current wisdom is that IPSec is better, but no (known) full exploits exist for PPTP, so it's still commonly used. IPSec is certainly newer, and has more optional extras, and (IMHO) broader support.

Lot of people criticize that PPTP sends some unencrypted control packets, but, again, this hasn't resulted in a big exploit, it just makes people think that there MUST be one in there somewhere. I think a lot of it is just residual sour grapes because PPTP was a Microsoft initiative, and patent encumbered (they recently allowed open implementations, so this isn't as much of a concern.)


It should be noted that a new attack on MS-CHAPv2 by Moxie Marlinspike and David Hulton makes PPTP tunnels less desirable. Based on this I would go with an IPSEC or SSL VPN based tunnel for remote access.

More info:

  • Infosecurity Article Covering Attack
  • IT Security Article Covering Attack

Related

How is a password hash encoded in the shadow password file?
Handy parsing for numbers with unit suffixes?
Does my buddy’s friendship level reset when I change buddy Pokémon?
How to get an NBT string's length?
How to find Epic Game Store (EGS) games' launch name for their launch command?
Anyone know how to help me with prologue?
How to stop spinning rocket in space
Prolonging the time between death and loading of the latest save game
What are MInecraft snapshots named after
How to unlink a Supercell ID from CoC?
How to give tags based on offhand items? Minecraft Java
Are there any advantages between cobblestone wall and regular fence?