VPN connection authentication and data encryption

The Typical (recommended settings) security options that you select on the Security tab result in a predefined set of authentication methods and encryption requirements that are negotiated with the server during a PPP exchange.

The following tables show the authentication and data encryption methods that you can use with each combination of Validate my identity as follows and Require data encryption (disconnect if none) selections. You can also view these settings by making your identity validation and data encryption requirement selections in Typical (recommended settings), and then clicking Settings in Advanced (custom settings).

You may individually enable, configure, and disable these combinations of security settings, by using Advanced (details for all possible settings), but this requires a knowledge of security protocols.

For more information about a specific authentication or data encryption method, click the method in the table. For information about configuring a connection, see To configure a connection to a remote network.

Point-to-Point Tunneling Protocol (PPTP) remote access server

Validate my identity as follows	Require data encryption	Authentication methods negotiated	Encryption enforcement
Require secured password	No	CHAP, MS-CHAP, MS-CHAP v2	Optional encryption (connect even if no encryption)
Require secured password	Yes	MS-CHAP, MS-CHAP v2	Require encryption (disconnect if server declines)
Smart card	No	EAP-TLS	Optional encryption (connect even if no encryption)
Smart card	Yes	EAP-TLS	Require encryption (disconnect if server declines)

Layer Two Tunneling Protocol (L2TP) remote access server

Validate my identity as follows	Require data encryption	Authentication methods negotiated	Encryption enforcement
Require secured password	No	CHAP, MS-CHAP, MS-CHAP v2	Optional encryption (connect even if no encryption)
Require secured password	Yes	CHAP, MS-CHAP, MS-CHAP v2	Require encryption (disconnect if server declines)
Smart card	No	EAP-TLS	Optional encryption (connect even if no encryption)
Smart card	Yes	EAP-TLS	Require encryption (disconnect if server declines)

Notes

In L2TP VPN connections, data is encrypted by using Internet Protocol security (IPSec).
Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPTP VPN connections. Strong (128-bit key) and standard (40-bit key) MPPE encryption schemes are supported.
Data is only encrypted by MPPE if MS-CHAP, MS-CHAP v2, or EAP-TLS authentication is negotiated. These are the only authentication protocols that generate their own initial encryption keys. MPPE requires common client and server keys as generated by these types of authentication.
MS-CHAP v2 and EAP-TLS are mutual authentication protocols, which means that both the client and the server prove their identities. If your connection is configured to use either MS-CHAP v2 or EAP-TLS as its only authentication method, and the server that you are connecting to does not provide proof of its identity, your connection disconnects. Previously, servers could skip authenticating themselves to clients and simply accept the call. This change ensures that you can configure a connection to connect to the expected server.