Troyg19 (Member, joined 2003-07-08, Denver, CO):

VPN best security protocol to use?

I've heard that PPTP has been found to have security vulnerabilities.

And I've heard that if you use OpenVPN there are other security risks: your ISP can still see the IPs you are connected to, even the ones only the VPN is connected to, because they are transmitted back to your computer via your ISP. Your ISP can see the IP addresses, just not the material being transmitted. Is this true?

And what about L2TP?

Which is the most secure? Perhaps a combination of OpenVPN and PPTP?

OZO (Premium Member, joined 2003-01-17):
How do you expect to get packets of data back to your computer if you don't specify your address? Your ISP, as well as all the routers in the middle that transfer your data packets, must know where they (the packets) come from and, more importantly, where they should go. So it's not a security risk at all. It's how the Internet works. Of course they know the IPs (the two end points) of any VPN tunnel. But they can't see what's inside it...

OpenVPN offers a very secure VPN connection.

There is no such thing as a combination of OpenVPN and PPTP (or any other VPN protocol). It makes no sense at all.

Troyg19 (Member, joined 2003-07-08, Denver, CO):

In short, you answered my question: all my ISP will see is the VPN IP I am using, not the IPs that the VPN is connected to.

Which is more secure in your opinion: PPTP, OpenVPN or L2TP?

OZO (Premium Member, joined 2003-01-17):

Everyone who routes your data packets back and forth knows the two endpoints (two IPs) of the VPN channel. But no one can see the data within those packets. That's the main purpose of any VPN.

From a security standpoint I'd put the VPN protocols in this order:
1. OpenVPN and (close to it) L2TP
2. PPTP (as a less secure protocol)

HELLFIRE (MVM, joined 2009-11-25) to Troyg19:
A Virtual PRIVATE Network is about protecting the transmitted data and ensuring its authenticity, not about anonymity of the endpoint(s).

Generally speaking, you want a VPN solution that has a strong encryption scheme (so the data can't be read during transit) and a strong hashing scheme (to ensure no one tampered with it). How to implement this depends on which solution you choose to go with; given your selection of L2TP vs. PPTP, I'd agree with OZO and go with L2TP.

Regards
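What OZO and HELLFIRE describe above, as an added example that is not part of any post in this thread: a toy tunnel in which the outer header (the two tunnel endpoints and the UDP port) is readable by every router on the path, the inner packet with the real destination is encrypted, and a MAC lets the receiver reject any packet modified in transit. The addresses, the port and the HTTP payload are constructed; the keystream cipher built from HMAC-SHA256 is a stand-in for the AEAD (AES-GCM, ChaCha20-Poly1305) a real VPN negotiates and is not suitable for real use.

```python
"""Toy VPN tunnel: what an on-path observer sees vs. what the endpoints see.

Added example for this thread, not code from any of the posters. The cipher is
a demonstration keystream (HMAC-SHA256 in counter mode) with an encrypt-then-MAC
tag; it stands in for a real AEAD and must not be used as a real cipher.
"""
import hashlib
import hmac
import os
import struct

CLIENT = "198.51.100.10"      # assumed: the user's machine, address given by the ISP
VPN_SERVER = "203.0.113.5"    # assumed: the VPN endpoint
REAL_DEST = "192.0.2.77"      # assumed: the site the user actually talks to
VPN_PORT = 1194               # OpenVPN's default UDP port

OUTER_HDR = 10   # 4-byte src + 4-byte dst + 2-byte port in the toy outer header
NONCE_LEN = 12
TAG_LEN = 32     # HMAC-SHA256 output


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, inner):
    """Encrypt the inner packet, then append a MAC over nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(inner, keystream(enc_key, nonce, len(inner))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    """Verify the MAC first (constant-time compare), then decrypt."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def build_inner(src, dst, payload):
    """Toy inner packet: src, dst, payload (stands in for a full IP/TCP packet)."""
    return ip_to_bytes(src) + ip_to_bytes(dst) + payload


def build_outer(src, dst, port, sealed):
    """Toy outer packet: the only header the ISP and every router can read."""
    return ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack(">H", port) + sealed


def observer_view(outer):
    """Everything an ISP router or a passive tap learns from one tunnel packet."""
    return {
        "src": bytes_to_ip(outer[0:4]),
        "dst": bytes_to_ip(outer[4:8]),
        "port": struct.unpack(">H", outer[8:OUTER_HDR])[0],
        "opaque_bytes": len(outer) - OUTER_HDR,
    }


def receiver_view(enc_key, mac_key, outer):
    """What the VPN server recovers after decapsulation."""
    inner = unseal(enc_key, mac_key, outer[OUTER_HDR:])
    return {"src": bytes_to_ip(inner[0:4]), "dst": bytes_to_ip(inner[4:8]), "payload": inner[8:]}


def flip_bit(packet, pos):
    """Simulate an on-path modification of one ciphertext byte."""
    buf = bytearray(packet)
    buf[pos] ^= 0x01
    return bytes(buf)


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # agreed during the VPN handshake
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed payload
    outer = build_outer(CLIENT, VPN_SERVER, VPN_PORT,
                        seal(enc_key, mac_key, build_inner(CLIENT, REAL_DEST, request)))
    isp_sees = observer_view(outer)
    real_dest_in_clear = ip_to_bytes(REAL_DEST) in outer   # inner dst never appears unencrypted
    server_sees = receiver_view(enc_key, mac_key, outer)
    try:
        receiver_view(enc_key, mac_key, flip_bit(outer, OUTER_HDR + NONCE_LEN + 3))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return isp_sees, real_dest_in_clear, server_sees, tamper_detected


if __name__ == "__main__":
    isp, leak, server, detected = demo()
    print("ISP sees:", isp, "| real destination visible:", leak)
    print("VPN server sees:", server, "| tampering detected:", detected)
```

Running it shows the ISP's view contains only the client and VPN server addresses and an opaque byte count, the server's view contains the real destination and the request, and a single flipped ciphertext byte is rejected before anything is decrypted. A real VPN adds what the toy leaves out: key agreement (IKE for IPsec, TLS for OpenVPN), replay protection and a periodic re-key.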

F430 (Anon, @qwest.net) to Troyg19:
In VPN security there are two areas to look at -

1. How secure is the data (i.e., are good encryption practices being used including quality of the encryption key and how often the key is changed).

2. Are there any vulnerabilities in the management of the VPN connection.

Note that L2TP is not actually a security protocol. Its purpose is to provide dynamic IP addresses and other configuration information for dynamic VPN connections using IPsec.

IPsec (with and without L2TP) and SSL are both tops for item 1.

SSL, however, can be more vulnerable to a man-in-the-middle attack than IPsec. Hence for item 2 IPsec is better. There are ways to mitigate the attacks, so the difference between IPsec and SSL in this regard is minimal if the endpoints are properly configured and the users properly educated.

In the end the weak point of SSL and IPsec is the management of the endpoints and the education of the users.
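F430's two areas above, read for an SSL/TLS VPN such as OpenVPN (an assumption; the post only says SSL), as an added example that is not from the thread or from the OpenVPN project: a client configuration that leaves the door open to an impersonating server, beside the hardened form. The hostname, file names and port are placeholders. `remote-cert-tls server` and `verify-x509-name` are what stop a peer holding any certificate from the same CA (another client's, for instance) from posing as the server, which is the man-in-the-middle case OpenVPN's own manual warns about; `reneg-sec` is the key-change interval F430 mentions.

```conf
# --- Weak client config (illustrative, not from the thread) ---
# Any certificate signed by ca.crt is accepted as "the server", so a
# compromised or hostile client cert can sit in the middle. Legacy cipher
# and hash, no protection of the TLS control channel.
client
dev tun
proto udp
remote vpn.example.test 1194      # placeholder hostname
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
auth SHA1

# --- Hardened client config (same placeholders) ---
client
dev tun
proto udp
remote vpn.example.test 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server            # peer cert must carry the TLS Web Server EKU
verify-x509-name vpn.example.test name   # and its CN must be exactly this
tls-crypt ta.key                  # pre-shared key: authenticate+encrypt the control channel,
                                  # so unauthenticated handshakes are dropped on the floor
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305   # AEAD data channel ("cipher AES-256-GCM" on < 2.5)
auth SHA256                       # HMAC for the control channel (unused by the GCM data channel)
reneg-sec 3600                    # renegotiate data-channel keys hourly (item 1: key rotation)
```

The server side needs the matching pieces: a certificate issued with the server EKU and the expected CN, the same `ta.key`, and the same `tls-crypt`/`data-ciphers` lines. For an IPsec/IKEv2 client the equivalent checks are the peer identity and certificate verification settings in IKE; the principle F430 states is the same: the endpoints, not the cipher suite, are what an attacker goes after.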

Bink (Member, joined 2006-05-14, Colorado; tagline: Villains... knock off all that evil) to Troyg19:
I concur about IPsec—and don’t know what the obsession here with OpenVPN is. IPsec is the standard for VPNs—it uses well-tested cryptographic algorithms—and there is little reason to use anything else.

OZO (Premium Member, joined 2003-01-17):

Obsession? No, not at all. There are purely practical reasons, and here are just a couple of them:
• IPsec was designed for providers to make money. Usually its implementations have limits on the number of channels, etc. OpenVPN has a different goal in its design: to make VPN affordable to anyone.
• IPsec is difficult to set up (particularly if you're behind a NAT). OpenVPN is easy to set up and it works everywhere (with NAT or without NAT, no special requirements for supporting special protocols like e.g. ESP). If a computer is connected to the Internet, OpenVPN just works...
• IPsec doesn't support UDP packets. OpenVPN supports anything that could be routed (including UDP packets, broadcasts, etc.).
etc. etc. etc.

Bink (Member, joined 2006-05-14, Colorado) to OZO:

said by OZO:

Obsession? No, not at all. There are purely practical reasons, and here are just a couple of them:
• IPsec was designed for providers to make money. Usually its implementations have limits on the number of channels, etc. OpenVPN has a different goal in its design: to make VPN affordable to anyone.

What? This is madness. Numerous open source implementations have ZERO limits.

said by OZO:

• IPsec is difficult to set up (particularly if you're behind a NAT). OpenVPN is easy to set up and it works everywhere (with NAT or without NAT, no special requirements for supporting special protocols like e.g. ESP). If a computer is connected to the Internet, OpenVPN just works...

Bullshit. This too depends on the implementation. IPsec works just fine, particularly alongside IKEv2, when it comes to NAT, and in some cases it is easier to set up compared to OpenVPN as it's built into most operating systems, so there's nothing to install!

said by OZO:

• IPsec doesn't support UDP packets. OpenVPN supports anything that could be routed (including UDP packets, broadcasts, etc.).
etc. etc. etc.

Bullshit. Again. IPsec uses/tunnels UDP just fine. Go read up on IPsec and friends before you spew off nonsense.

Ravenheart (Member, joined 2006-02-10, Berkeley, CA) to F430:
My ISP offers a VPN connection to the Net, which sounds like a good solution to hotspot security. I wound up not too happy with it.

I installed the Cisco client and found myself receiving probes. I reasoned that the VPN connection effectively bypasses the router and the software firewall and so relies on internal firewalling, which I had had to defeat to get the thing running.

The Cisco VPN client (which is IPsec based) uses ZoneAlarm functionality for its firewalling. The ZoneAlarm code clashed with the third-party firewall in the PC (I tried several), reliably leading to BSODs, so I had tried turning it off.

An alternative was to use ZoneAlarm for my main firewall, but that led to system problems.

I don't know if any of this applies to OpenVPN or others. Do they have firewalling at the server end?

HELLFIRE (MVM, joined 2009-11-25) to Ravenheart:
VPN has NOTHING to do with firewalling, but you can configure your VPN headend so that any connecting clients must pass some sanity checks before they're permitted to connect, i.e. have AV installed, have a firewall, client certs, etc. Again, a Virtual PRIVATE Network at its core is about protecting the transmitted data and ensuring its authenticity, and nothing else.

Which VPN client did you use exactly?

Regards

Ravenheart (Member, joined 2006-02-10, Berkeley, CA):

It is the Cisco VPN Client for Windows, version 5....

Where is my thinking wrong, that the VPN connection will pass IPsec-encrypted packets through the firewall, and so bypass the firewall's normal checks (when you consider the contents of the packets)? So if the VPN server is connected not to some corporate LAN but the Net at large....

The Cisco VPN does incorporate firewall functionality (and so installs a version of vsdatant.sys and one or two other Zone Alarm files) and must do so for some reason.

HELLFIRE (MVM, joined 2009-11-25):

said by Ravenheart:

...that the VPN connection will pass IPsec-encrypted packets through the firewall, and so bypass the firewall's normal checks (when you consider the contents of the packets)?

That's the part that's got me confused. Again, VPN is ONLY concerned about encrypting packets
and validating them. The firewall 'feature' of the VPN client software itself is something
totally unrelated to the actual operation of the VPN.

Did a little digging around about the Cisco VPN client; there is a way to disable the firewall
functionality within the client itself, check here

Regards

56997296 (banned; Member, joined 2011-08-18):

VPN can bypass all blocked sites and also firewalls...

HELLFIRE (MVM, joined 2009-11-25) to marksmithbvs:
That statement is so generalized, I don't know where to begin...

Plus not sure what you're trying to contribute to the original discussion.

Regards

F430 (Anon, @qwest.net) to Ravenheart:
quote:
It is the Cisco VPN Client for Windows, version 5....
The Cisco VPN client (like VPN clients from other enterprise networking companies) is designed with two goals -

1. Be secure
2. Allow the administrator of the server the client connects to full control of the security parameters and routing on the client machine.

It is much more than a simple VPN client. As previously mentioned it includes firewall functionality, which may be disabled if desired.

The vast majority of enterprises using this and other similar VPN clients usually do not allow split tunneling, so all of the traffic to/from the client goes via the VPN server. The enterprise often sets firewall rules on the server and/or on the Internet connection at the server site. If they do not, then they are doing a disservice to the clients.

As previously stated, these additional "services" have nothing to do with VPN nor IPsec.

I have IPsec VPN clients on my work PC (Linux), my phone, my iPad and my Windows PC. All except the Windows PC took less than 3 minutes to configure. (I think MS hired a team to make IPsec configuration as difficult as possible.) All devices are behind a router doing NAT. The router did not need to be configured for IPsec in any way. My experience with OpenVPN is similar: easy to configure and works automatically behind a NAT router without configuring the router.
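F430's point about split tunneling above, as an added example that is not from the thread: a check a client can run against its own `ip route` / `ip -6 route` output to tell a full tunnel from a split one. The route tables are constructed to look like a Linux box running an OpenVPN client; interface names, addresses and the VPN server address are assumptions. The detail worth knowing is that OpenVPN's `redirect-gateway def1` does not replace the ISP default route: it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which are more specific and therefore win longest-prefix matching, plus a host route to the VPN server via the physical interface so the tunnel's own packets still reach the ISP. A VPN client that only touches IPv4 leaves the IPv6 default route alone, which is the leak the third table shows.

```python
"""Full tunnel or split tunnel? Decide from `ip route` output on a Linux client.

Added example for this thread, not code from any of the posters. The route
tables are constructed; interface and address names are assumptions.
"""
import ipaddress
import re

ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")

# Constructed: client with `redirect-gateway def1` in effect.
FULL_TUNNEL_V4 = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Constructed: split tunnel, only the VPN subnet and one pushed route go via tun0.
SPLIT_TUNNEL_V4 = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# Constructed: IPv6 untouched by the VPN client, so v6 traffic bypasses the tunnel.
LEAKY_V6 = """
2001:db8:abcd::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 1024
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""


def parse_routes(text, family):
    """Return [{'dst': ip_network, 'via': str|None, 'dev': str}] from `ip route` lines."""
    unspecified = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:          # blackhole/unreachable/prohibit lines carry no dev; ignore them
            continue
        dst, via, dev = m.groups()
        net = ipaddress.ip_network(unspecified if dst == "default" else dst, strict=False)
        if net.version == family:
            routes.append({"dst": net, "via": via, "dev": dev})
    return routes


def egress_dev(routes, addr):
    """Longest-prefix match, as the kernel does (route metrics ignored here)."""
    a = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if r["dst"].version == a.version and a in r["dst"]:
            if best is None or r["dst"].prefixlen > best["dst"].prefixlen:
                best = r
    return best["dev"] if best else None


# Representative Internet destinations, one per half of the v4 space and two v6.
PROBES_V4 = ["1.1.1.1", "100.64.0.1", "192.0.2.77", "200.200.200.200"]
PROBES_V6 = ["2001:db8::1", "2606:4700::1111"]


def assess(v4_text, v6_text, tun_dev, vpn_server):
    """Summarise whether Internet-bound traffic is forced through tun_dev."""
    v4, v6 = parse_routes(v4_text, 4), parse_routes(v6_text, 6)
    v4_egress = {a: egress_dev(v4, a) for a in PROBES_V4}
    v6_egress = {a: egress_dev(v6, a) for a in PROBES_V6}
    return {
        "ipv4_full_tunnel": all(dev == tun_dev for dev in v4_egress.values()),
        # A v6 default route on the physical interface with no v6 tunnel route: the classic leak.
        "ipv6_leak": any(dev not in (tun_dev, None) for dev in v6_egress.values()),
        # The tunnel's own packets must still leave via the ISP, so this is expected to be True.
        "vpn_server_bypasses_tunnel": egress_dev(v4, vpn_server) not in (tun_dev, None),
        "ipv4_egress": v4_egress,
    }


if __name__ == "__main__":
    print(assess(FULL_TUNNEL_V4, LEAKY_V6, "tun0", "203.0.113.5"))
    print(assess(SPLIT_TUNNEL_V4, "", "tun0", "203.0.113.5"))
```

On a live system, feed it the output of `ip route show` and `ip -6 route show`. An enterprise headend that disallows split tunneling pushes the def1 pair (or an equivalent) and the client sees the first result; a consumer "hotspot protection" setup that only routes a few prefixes looks like the second, and the IPv6 result is the one to check whenever the ISP hands out v6 addresses.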

Ravenheart (Member, joined 2006-02-10, Berkeley, CA):

Interesting. I guess I was chiming in with a question about an unusual use for a VPN, to provide hotspot security for access to the public Internet. It seems Cisco provided for that, but not necessarily in the most well-executed of ways.

56997296 (banned; Member, joined 2011-08-18) to Troyg19:
@Hell Fire: Yeah, exactly, it is generalized because I made it before replying on the topic.

Hell Fire, I know what I have to contribute to the original discussion and I am doing it too... so please focus on your work besides monitoring the posts of others...

Well, OpenVPN is much more secure than the rest, as I have also heard that PPTP and L2TP have fewer security measures than OpenVPN; those two can be blocked or hacked, but with OpenVPN there is no chance of blocking or hacking..

Regarding the ISP, there isn't any issue that your IP will be seen..
In all three the IP will be anonymous all the time, so you don't need to worry about that...

HELLFIRE (MVM, joined 2009-11-25):

said by 56997296:

in all the three IP will be anonymous all the time, so you don't need to worry for that...

Encryption != anonymity.

Regards

Noah Vail (Premium Member, joined 2004-12-10, SouthAmerica; tagline: Oh God please no.) to Bink:
said by Bink:

IPsec works just fine, particularly alongside IKEv2, when it comes to NAT

I'll second IPsec using IKE.

When I have more than one IT vendor servicing a customer (w/ a single gateway),
it's easier to let the other vendors fight over TCP port 1723.

NV