Virtual private network (VPN) connections that are established with Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) are authenticated by using Point-to-Point Protocol (PPP) user-level authentication methods. For PPTP connections, you can use only the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2 (MS-CHAP v2), or Extensible Authentication Protocol-Transport Level Security (EAP-TLS). For L2TP connections, you can use any PPP authentication protocol because the PPP authentication message exchange is encrypted with Internet Protocol Security (IPSec); however, MS-CHAP, MS-CHAP v2, or EAP-TLS is recommended.
For the most secure PPTP VPN connections, do the following:
For security reasons, use either EAP-TLS or MS-CHAP v2 for PPTP connections. EAP-TLS is the stronger choice; if using EAP-TLS is not feasible, use MS-CHAP v2.
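As an added example (not part of the original documentation), the following PowerShell script audits the local client VPN profiles against the PPTP and L2TP recommendations above. It assumes the VpnClient cmdlets of Windows 8 / Windows Server 2012 or later; the policy table and the profile name are constructed for the example.

```powershell
# Added example: audit client VPN profiles for weak PPP authentication settings.
# Get-VpnConnection and its TunnelType, AuthenticationMethod and EncryptionLevel
# properties are real; the policy below is constructed from the guidance above.

# Recommended authentication methods per tunnel type. 'MSChapv2' is MS-CHAP v2 and
# 'Eap' covers EAP-TLS (the exact EAP type lives in EapConfigXmlStream, not checked here).
$Policy = @{
    Pptp = @('MSChapv2', 'Eap')   # PPTP: only MS-CHAP v2 or EAP-TLS should be used
    L2tp = @('MSChapv2', 'Eap')   # L2TP: any PPP method works, these are recommended
}

function Test-VpnProfile {
    param([Parameter(Mandatory)] $Connection)
    $findings = @()
    $allowed = $Policy[[string]$Connection.TunnelType]
    if ($null -eq $allowed) { return $findings }   # SSTP/IKEv2/Automatic are out of scope here

    foreach ($method in $Connection.AuthenticationMethod) {
        if ($allowed -notcontains [string]$method) {
            $findings += "authentication method '$method' is not in the recommended set ($($allowed -join ', '))"
        }
    }
    # PPP data encryption must be mandatory, otherwise traffic can fall back to cleartext.
    if ([string]$Connection.EncryptionLevel -notin @('Required', 'Maximum')) {
        $findings += "encryption level '$($Connection.EncryptionLevel)' permits unencrypted data"
    }
    return $findings
}

# Audit per-user profiles and all-user profiles (the latter may need elevation).
$profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
            @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
foreach ($c in $profiles) {
    $issues = Test-VpnProfile -Connection $c
    if ($issues.Count -eq 0) {
        Write-Output "[OK]   $($c.Name) ($($c.TunnelType))"
    } else {
        foreach ($i in $issues) { Write-Output "[WEAK] $($c.Name) ($($c.TunnelType)): $i" }
    }
}

# A profile that follows the PPTP recommendation (constructed name and server address):
# Add-VpnConnection -Name 'Corp-PPTP' -ServerAddress 'vpn.example.com' -TunnelType Pptp `
#     -AuthenticationMethod MSChapv2 -EncryptionLevel Required
```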
For the most secure L2TP VPN connections, do the following:
In some environments, data is so sensitive that it must be hidden from the majority of corporate users; finance data and human resources data are examples. Corporations can place the servers that hold such data on a separate network segment that is connected to the corporate network only through a VPN server. Authorized users establish a VPN connection to the VPN server and can then access the protected resources. All communication across the VPN connection is encrypted to ensure data confidentiality. Users who are not authorized to establish a VPN connection with the VPN server cannot see the hidden server or its resources.
For information about creating a VPN connection, see To make a virtual private network (VPN) connection.