Windows Server News and Best Practices

PPTP and L2TP deprecation: A new era of secure connectivity

Farhan_Ali (Microsoft)
Oct 08, 2024

As technology advances, so must our security protocols. As part of our ongoing commitment to provide the highest level of security and performance, we are deprecating the PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) protocols in future Windows Server versions. While these protocols have served us well over the years, and will remain available for outgoing connections, it is time to transition to more secure and efficient alternatives: SSTP and IKEv2.

In this post, let’s walk through deprecation considerations, reasons, and recommendations to ensure you benefit from the best security options.

 

What does deprecation mean for PPTP and L2TP?

Deprecation is not removal. Deprecation refers to the stage in the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases. Features and functionalities are added or occasionally removed from new releases of a product. If they’re removed, that’s typically because we’ve added a better option. Deprecated features continue to work and are fully supported until they are officially removed. We’re certain that you already have product lifecycles incorporated into your management strategy. Even so, the deprecation notification can span a few months or years to help you make the necessary transition. After removal, the feature or capability will no longer work.

PPTP and L2TP have been reliable workhorses in the world of VPN technology. However, they no longer provide the protection that current threats demand. PPTP's MS-CHAPv2 authentication can be cracked offline, which also exposes the RC4-based MPPE session keys derived from it, and L2TP by itself provides no confidentiality at all: it relies on IPsec (commonly configured with a pre-shared key) for encryption. These weaknesses have been well documented for years, and the protocols are no longer sufficient to meet current security standards.

 

Transitioning to SSTP and IKEv2

To ensure you continue to benefit from the best available security, we recommend transitioning to Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2). These protocols offer enhanced security features, faster connection speeds, and improved reliability.

Benefits of SSTP

  • Strong encryption: SSTP carries PPP inside a TLS session, so the tunnel inherits TLS's authenticated, encrypted channel, and the client validates the server certificate before any user credentials are exchanged.
  • Firewall traversal: SSTP runs over TCP port 443, the same port as HTTPS, so it passes through most firewalls and proxy servers without special rules.
  • Ease of use: With native support in Windows, SSTP is simple to configure and deploy.

Benefits of IKEv2

  • High security: IKEv2 negotiates IPsec with strong cipher suites (for example AES-GCM and SHA-2 integrity) and supports certificate-based machine authentication as well as EAP user authentication.
  • Mobility and multihoming: IKEv2 supports MOBIKE (RFC 4555), so a mobile client keeps its VPN session when its IP address changes, for example when moving from Wi-Fi to cellular.
  • Improved performance: IKEv2 establishes tunnels with fewer round trips than the legacy protocols and rekeys without tearing down the session, giving faster setup and lower latency.
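To show what these properties look like on the client side, the following PowerShell is an added example (it is not from the original post or from Microsoft's documentation). It uses the built-in VpnClient module on Windows 10/11 to find profiles that still use PPTP or L2TP, creates an IKEv2 profile with machine-certificate authentication and a pinned IPsec proposal, and adds an SSTP profile as a fallback for networks that block IPsec. The gateway name vpn.example.com, the profile names and the choice of machine-certificate authentication are assumptions.

```powershell
# Added example, not part of the original post. Assumes the VpnClient module (Windows 10/11)
# and a hypothetical gateway name; adjust names and the authentication method to your environment.
$Server = 'vpn.example.com'   # assumed gateway name

# 1. Inventory: report any profiles that still use the deprecated tunnel types.
#    Clients can still initiate PPTP/L2TP, so this is where leftovers hide.
$legacy = Get-VpnConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.TunnelType -in @('Pptp', 'L2tp') }
foreach ($profile in $legacy) {
    Write-Warning ("Profile '{0}' still uses {1}; replace it" -f $profile.Name, $profile.TunnelType)
}

# 2. Primary profile: IKEv2 with machine-certificate authentication (no password-based
#    exchange at all). The machine certificate must chain to a CA the gateway trusts.
Add-VpnConnection -Name 'Corp-IKEv2' -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -SplitTunneling:$false -RememberCredential:$false -Force

# 3. Pin the IPsec proposal. Without a custom policy the client accepts whatever weaker
#    suites the server offers; this fixes AES-256-GCM for ESP, SHA-256 for IKE integrity
#    and a 2048-bit DH group for both the initial exchange and PFS rekeys.
Set-VpnConnectionIPsecConfiguration -ConnectionName 'Corp-IKEv2' `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# 4. Fallback profile: SSTP over TCP 443 for networks that block UDP 500/4500. The
#    MS-CHAPv2 exchange here runs inside the TLS tunnel, which SSTP establishes only after
#    validating the server certificate, so it is not exposed the way PPTP's is.
Add-VpnConnection -Name 'Corp-SSTP' -ServerAddress $Server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling:$false -Force

# 5. Remove the legacy profiles once the replacements are confirmed working.
foreach ($profile in $legacy) {
    Remove-VpnConnection -Name $profile.Name -Force
}

# Verify: only Ikev2/Sstp tunnel types should remain.
Get-VpnConnection | Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
```

Run it in an elevated session if the profiles should be machine-wide (add `-AllUserConnection` to the `Add-VpnConnection` and `Remove-VpnConnection` calls); the IPsec policy on the client must match a proposal the gateway is configured to accept, or the IKE_SA_INIT exchange will fail with NO_PROPOSAL_CHOSEN.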

 

Steps to transition to SSTP and IKEv2

Note that PPTP and L2TP will remain available for making outgoing VPN connections. This is true for future Server and Client SKU releases. What changes is that the Windows RRAS Server (VPN Server) will no longer accept incoming VPN connections based on these protocols.

For a step-by-step guide on transitioning to SSTP/IKEv2, see the detailed instructions here: How to install and configure Remote Access (RAS) as a VPN server.
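The linked guide covers the full role installation. As an added example (not the post's own instructions and not taken from that guide), the PowerShell below shows the server-side end state a practitioner would want on an existing RRAS VPN server, using the RemoteAccess module on Windows Server: it snapshots the per-tunnel port allocation, sets the PPTP and L2TP port counts to zero so RRAS stops accepting those tunnels ahead of their removal, pins the IKEv2 proposal, and restricts user authentication to certificate and EAP. The root CA subject 'Contoso Root CA' is an assumption, and the TLS certificate for the SSTP listener is assumed to be bound already.

```powershell
# Added example, not part of the original post or the linked guide. Assumes Windows Server with
# the Remote Access role and RRAS already configured as a VPN server (Install-RemoteAccess -VpnType Vpn),
# plus a hypothetical enterprise root CA subject.
Import-Module RemoteAccess

# 1. Snapshot the current port allocation per tunnel type before changing anything.
$before = Get-VpnServerConfiguration
$before | Select-Object PptpPorts, L2tpPorts, SstpPorts, Ikev2Ports

# 2. Stop accepting PPTP and L2TP. A tunnel type with zero ports cannot be negotiated,
#    which is the same end state the deprecation will eventually enforce.
Set-VpnServerConfiguration -PptpPorts 0 -L2tpPorts 0 -SstpPorts 128 -Ikev2Ports 128

# 3. Pin the IKEv2 proposal so the server does not fall back to weaker defaults.
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -PassThru

# 4. Accept only certificate (IKEv2 machine certificate) and EAP user authentication.
#    PAP, CHAP and MS-CHAPv2 are dropped from the accepted set.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=Contoso Root CA*' } |   # assumed CA name
    Select-Object -First 1
if (-not $rootCa) { throw 'Root CA certificate not found; IKEv2 certificate auth cannot be enabled.' }
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP `
    -RootCertificateNameToAccept $rootCa -PassThru

# 5. Port changes take effect after the service restarts; then verify the end state.
Restart-Service RemoteAccess
$after = Get-VpnServerConfiguration
if ($after.PptpPorts -ne 0 -or $after.L2tpPorts -ne 0) {
    throw 'Legacy tunnel ports are still allocated; check the RRAS configuration.'
}
$after | Select-Object PptpPorts, L2tpPorts, SstpPorts, Ikev2Ports, CustomPolicy, EncryptionMethod
```

Before step 2, confirm from RRAS connection logs or monitoring that no clients still depend on PPTP or L2TP; the restart in step 5 drops every active session, so schedule it in a maintenance window. The custom IKEv2 policy must match what the clients propose, otherwise IKEv2 clients will fail to connect even though the port counts are correct.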

 

Conclusion

The deprecation of PPTP and L2TP is a necessary step in maintaining the highest security standards. By transitioning to SSTP and IKEv2, you are ensuring that your network communications remain secure, efficient, and reliable. We are here to support you through this transition. Reach out to our support team if you have any questions or need further assistance.

Updated Oct 07, 2024
Version 1.0
  • Mark935

    Have the out-of-order processing/packet issues in IKEv2 detailed here http://gary-nebbett.blogspot.com/2021/07/slow-performance-of-ikev2-built-in.html been addressed yet? Earlier this year we tried rolling out a 2022 AlwaysOn VPN server with the W11 client using IKEv2, which resulted in horrid performance due to the out-of-order packet processing detailed in the previous link: clients were averaging less than 10kB/s over 100MB/s+ internet links, bad enough that we abandoned the initiative.

  • JohnB

    Farhan_Ali, do MS have any future plans to support the deployment of a device tunnel with SSTP?

  • JohnB, we do not have any plans to add additional support for the device tunnel, including SSTP, as Microsoft's strategy for remote management is through the internet, for example, via Intune.