VPN tunnel strategy - defining the connection order between various tunnel types

Hello Customers,


As I wrote in this blog, there are four types of VPN tunnel supported by Windows 7 based VPN clients. In this post I will focus on the following: how you configure tunnel types on the client, how to decide on the tunnel type order while establishing a connection, ...


Let's understand why multiple tunnel types are required. The following factors determine which tunnel gets used for the VPN connection:

· Which tunnel types are supported (at the OS level) and configured at both ends, i.e. the VPN client and the VPN server?

· Are there any intermediate agents (such as firewalls, NAT devices or proxies) between the two ends that can block a given tunnel type?

· What tunnel strategy (which I will discuss in this document) is configured on the client side?


Our recommended tunnel types for Windows 7 and later OS clients are IKEv2 followed by SSTP. As an admin, you must be wondering how to migrate your existing PPTP or L2TP/IPSec users to an IKEv2-followed-by-SSTP deployment: you probably have clients with different OS versions, each supporting specific tunnel types, you may have several VPN servers that need to be migrated, and so on. This is precisely the scenario where the VPN tunnel strategy feature on the client side helps: it lets you specify the order in which VPN tunnel types are tried, until one of them successfully connects to the VPN server.


There are two types of VPN client supported inside Windows OS:

· The in-built Microsoft VPN client, created using “Set up a connection or network” in “Network and Sharing Center”. This is also called the GCW client (get connected wizard). Such connections are normally created by end users.

· The Connection Manager (CM) client, created using the Connection Manager Administration Kit (CMAK). This is normally created by administrators and then distributed to end users via email or by uploading it to a file server or a web server.

Note: There may also be VPN clients built by 3rd party vendors. These come in two kinds: those that call the Microsoft VPN client stack through the RAS APIs, and those that install their entire VPN client stack on the Windows OS. For the sake of simplicity, I am not discussing the behaviour of VPN tunnel strategy in 3rd party clients.


Now let us see how the tunnel strategy feature works for both types of clients:

· Using the in-built VPN client, you can configure the following tunnel strategies by going to Connection Properties -> Security tab -> Type of VPN:

o Automatic: Try IKEv2 first – if that fails try SSTP next – if that fails try PPTP next – if that fails try L2TP/IPSec last. If that fails – stop connection establishment and report error.

o PPTP: Try PPTP and if that fails – stop connection establishment and report error.

o L2TP/IPSec: Try L2TP/IPSec and if that fails – stop connection establishment and report error.

o SSTP: Try SSTP and if that fails – stop connection establishment and report error.

o IKEv2: Try IKEv2 (VPN Reconnect) and if that fails – stop connection establishment and report error.

· While creating the CM client, the admin can configure the following tunnel strategies using CMAK:

o IKEv2 first: Try IKEv2 first – if that fails try SSTP next – if that fails try PPTP next – if that fails try L2TP/IPSec last. If that fails – stop connection establishment and report error.

o IKEv2 only: Try IKEv2 (VPN Reconnect) and if that fails – stop connection establishment and report error.

o SSTP first: Try SSTP first – if that fails try IKEv2 next – if that fails try PPTP next – if that fails try L2TP/IPSec last. If that fails – stop connection establishment and report error.

o SSTP only: Try SSTP and if that fails – stop connection establishment and report error.

o PPTP first: Try PPTP first – if that fails try IKEv2 next – if that fails try SSTP next – if that fails try L2TP/IPSec last. If that fails – stop connection establishment and report error.

o PPTP only: Try PPTP and if that fails – stop connection establishment and report error.

o L2TP first: Try L2TP/IPSec first – if that fails try IKEv2 next – if that fails try SSTP next – if that fails try PPTP last. If that fails – stop connection establishment and report error.

o L2TP only: Try L2TP/IPSec and if that fails – stop connection establishment and report error.


Please note:

· For a given VPN tunnel type, suppose the tunnel establishment phase succeeds but the overall VPN connection fails, due to an authentication issue or an IP address negotiation issue. This does not mean the VPN client will try the next tunnel type in the tunnel strategy. The VPN client tries a different tunnel type only if tunnel establishment itself fails, which happens when the VPN server is not configured for (or does not support) the given tunnel type, or when packets for that tunnel type are being dropped.

· The time it takes to move on to the next tunnel varies between tunnel types, depending on their retries. For example, IKEv2 sends 3 retries of the first IKEv2 packet spaced at 1, 2 and 4 seconds, hence it takes at least 7 seconds before the next tunnel type is tried. SSTP takes 10-20 seconds (depending on whether the connection goes through a proxy with WPAD enabled) to detect failure. And so on.

· If a given tunnel is reachable via IPv4 as well as IPv6 and the VPN client is configured with the “hostname” of the VPN server, then both the IPv4 and IPv6 addresses are tried before the next tunnel type in the VPN strategy is attempted.

· For in-built VPN clients with the “Automatic” tunnel type, the last successful VPN tunnel type is tried first the next time, and if that fails the client follows the order given above again. CM based VPN clients, however, try the same order on every VPN connection.


Now let us take some deployment scenarios:

· Assume you have WS2003 VPN servers configured for PPTP and VPN users on different client OSes (XP, Vista, Windows 7), and you plan to move users to the IKEv2 and SSTP tunnel scenario. You can follow this deployment plan:

o Upgrade all your VPN servers to Windows 7 Server and configure PPTP, SSTP and IKEv2 on the server side.

o Create separate CM packages for XP and Windows 7. In the XP package set “PPTP only” as the VPN strategy, and in the W7 package set “IKEv2 first”. Note: if the W7 package is installed on a Vista machine, it automatically switches to “SSTP first” (as IKEv2 is not available on Vista).

o Send the XP package to XP users and the W7 package to Vista and W7 users. And you are all set.

· As part of the deployment plan, you may want to upgrade your VPN servers one at a time. In that case, at some point you may have WS2003 servers (enabled for PPTP) and Windows 7 servers (enabled for PPTP, SSTP and IKEv2) running at the same time, which means any client (XP, Vista, Windows 7) may connect to either kind of VPN server. With the CM packages above this should not cause a connectivity problem; however, Windows 7 users may see a longer connection establishment time (around 30 seconds) when they connect to a Windows 2003 VPN server, as the client tries IKEv2, then SSTP, then PPTP.
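The strategy tables and the notes above (fallback only on tunnel establishment failure, per-tunnel failure detection time, IPv4 and IPv6 both tried, last successful tunnel remembered by the in-built client) and the staged migration scenario can be reasoned about with a small model. The following is an added example written for this post, not Microsoft code and not the behaviour of the real RAS stack: it encodes the orders exactly as listed above, takes the IKEv2 (7 s) and SSTP worst-case (20 s) figures from the text, and uses constructed placeholder timings for PPTP and L2TP/IPSec, which the post does not give. The server is modelled as a dictionary of which tunnel types it offers and whether authentication succeeds on them. It also reports which strategies can fall through to the tunnel types the post recommends migrating away from, which is the check an admin would run before choosing an "... only" versus "... first" strategy.

```python
"""Model of the Windows 7 VPN tunnel strategy behaviour described in the post.

Added example, not Microsoft code: it encodes the strategy order tables and the
fall-through rules from the text so the outcome and rough connect time of a
given client/server combination can be reasoned about offline.
"""

# Tunnel order per strategy, exactly as listed in the post.
GCW_STRATEGY = {
    "Automatic":  ["IKEv2", "SSTP", "PPTP", "L2TP/IPSec"],
    "PPTP":       ["PPTP"],
    "L2TP/IPSec": ["L2TP/IPSec"],
    "SSTP":       ["SSTP"],
    "IKEv2":      ["IKEv2"],
}
CM_STRATEGY = {
    "IKEv2 first": ["IKEv2", "SSTP", "PPTP", "L2TP/IPSec"],
    "IKEv2 only":  ["IKEv2"],
    "SSTP first":  ["SSTP", "IKEv2", "PPTP", "L2TP/IPSec"],
    "SSTP only":   ["SSTP"],
    "PPTP first":  ["PPTP", "IKEv2", "SSTP", "L2TP/IPSec"],
    "PPTP only":   ["PPTP"],
    "L2TP first":  ["L2TP/IPSec", "IKEv2", "SSTP", "PPTP"],
    "L2TP only":   ["L2TP/IPSec"],
}

# Seconds a client spends on a tunnel type before giving up and moving on.
# IKEv2 (3 retries at 1+2+4 s) and SSTP (worst case, WPAD proxy) come from the
# post; the PPTP and L2TP/IPSec figures are constructed placeholders.
FAILURE_DETECT_SECONDS = {"IKEv2": 7, "SSTP": 20, "PPTP": 10, "L2TP/IPSec": 10}

# Tunnel types the post recommends migrating away from.
LEGACY_TUNNELS = ("PPTP", "L2TP/IPSec")


def effective_cm_strategy(strategy, client_os):
    """A CM package built with 'IKEv2 first' switches to 'SSTP first' on Vista,
    which has no IKEv2 (the one substitution the post describes)."""
    if strategy == "IKEv2 first" and client_os == "Vista":
        return "SSTP first"
    return strategy


def connect(order, server, last_success=None, dual_stack=False):
    """Walk a tunnel order against a server model.

    server maps tunnel type -> "ok" (connects) or "auth_fail" (tunnel came up
    but authentication / IP negotiation failed); a tunnel type absent from the
    dict is not offered or its packets are dropped, i.e. establishment fails.
    Returns (tunnel_used or None, seconds_spent, attempt_log).
    """
    # In-built client with Automatic: the last successful tunnel is tried
    # first, then the configured order is followed again. CM clients pass None.
    if last_success is not None:
        order = [last_success] + list(order)
    # With a hostname resolving to IPv4 and IPv6, both addresses are tried
    # before the next tunnel type, so a failed tunnel costs twice the time.
    families = 2 if dual_stack else 1
    elapsed, log = 0, []
    for tunnel in order:
        outcome = server.get(tunnel, "tunnel_fail")
        log.append((tunnel, outcome))
        if outcome == "ok":
            return tunnel, elapsed, log
        if outcome == "auth_fail":
            # Tunnel establishment succeeded, so no fallback: stop with an error.
            return None, elapsed, log
        elapsed += FAILURE_DETECT_SECONDS[tunnel] * families
    return None, elapsed, log


def fallback_to_legacy(order):
    """Legacy tunnel types a strategy can silently fall through to."""
    return [t for t in order if t in LEGACY_TUNNELS]


if __name__ == "__main__":
    # Migration scenario from the post: Windows 7 CM client ("IKEv2 first")
    # hitting a not-yet-upgraded WS2003 server that offers only PPTP.
    ws2003 = {"PPTP": "ok"}
    used, secs, log = connect(CM_STRATEGY["IKEv2 first"], ws2003)
    print(f"WS2003 server: connected via {used} after ~{secs}s, attempts={log}")
    # Same client against the upgraded server: IKEv2 straight away.
    upgraded = {"IKEv2": "ok", "SSTP": "ok", "PPTP": "ok"}
    used, secs, _ = connect(CM_STRATEGY["IKEv2 first"], upgraded)
    print(f"Upgraded server: connected via {used} after ~{secs}s")
    for name, order in CM_STRATEGY.items():
        print(f"{name:12s} legacy fallback: {fallback_to_legacy(order) or 'none'}")
```

Running the script reproduces the post's "around 30 seconds" figure for a Windows 7 client reaching a PPTP-only WS2003 server (7 s on IKEv2, 20 s on SSTP, then PPTP connects), shows that an authentication failure on IKEv2 stops the attempt rather than falling through to SSTP, and lists which CM strategies can end up on PPTP or L2TP/IPSec; once every server is upgraded, switching the W7 package to "IKEv2 only" or "SSTP only" removes that fallback path.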


To summarize, the VPN tunnel strategy lets your VPN client try different tunnel types in a given order, and thereby helps you migrate your remote access users to newer, more secure tunnel types. I hope this blog helps you in that direction.


For further references:

Different VPN tunnel types in Windows

How automatic tunnel types work in Vista

Frequently asked Questions on IPv6 support of RAS


With Regards,

Samir Jain

Senior Program Manager

Windows Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments

  • Anonymous
    January 01, 2003
    In W7 the CMAK wizard can be used to create CM profiles that can run on both Vista and W7 machines (a

  • Anonymous
    January 01, 2003
    VPN Reconnect in Windows 7 RC- redux

  • Anonymous
    January 01, 2003
    Hello Customers, In this post, I will walk through the most important topic – which authentication protocol,

  • Anonymous
    March 01, 2009
    Does Agile VPN support EAP-IKEv2 authentication? Also, when is MS backporting SSTP (DirectAccess) and IKEv2 (Agile VPN) to XP SP3, Vista SP1, Server 2008 and Server 2003?