OpenVPN is an open source Layer 2 or Layer 3 tunneling protocol. It works by encapsulating Layer 2 and Layer 3 packets inside UDP or TCP packets and sending them to the destination. It uses OpenSSL for encryption and implements SSL and TLS (the advanced and standardized version of SSL) . It uses pre-shared, certificate-based, and username/passwordbased key for authentication. It is capable of establishing direct links between computers across network address translators (NATs) and firewalls. It is easy to configure but it has not been widely used . The packet structure of OpenVPN is shown in Figure 2-5. Figure 2-5 Packet Structure of OpenVPN The main problem in OpenVPN is security. The key exchange in TLS is weak, for example completely anonymous sessions are vulnerable to man-in-the-middle attacks and public key and private keys are exposed in RSA key exchange. OpenVPN is not recommended when security is a concern . OpenVPN by itself is not useful for mobile business scenarios as it has no native ability to cope with mobile clients. Chapter 2: VPN Overview Page 14 © 2009 Chen Xu Page 14 2.3.3 PPTP PPTP (Point-to-Point Tunneling Protocol)  is a layer 2 tunneling protocol which works by sending a regular PPP session  to a peer with the Generic Routing Encapsulation (GRE) protocol. A second session is used to initiate and manage the GRE session. This session is a simple TCP connection from the PPTP client to port 1723 on the PPTP server. PPTP also works in sending IPX packets . The main disadvantage in PPTP is the security. PPTP itself does not specify any authentication or encryption algorithms, and the only algorithms used are inside the PPP sessions . Microsoft Challenge-handshake authentication protocol (MS-CHAP)  and Microsoft Point-to-Point Encryption (MPPE)  are used for PPP authentication and encryption. MSCHAP is known to be a weak algorithm, easily cracked by software such as L0phtcrack. MPPE is also weak in security because an attacker can spoof resynchronize keys packets easily . Also, there are many unauthenticated control packets that are readily spoofed . PPTP is widely used in Microsoft Windows and some parts of it are patent encumbered. It has no native ability to cope with mobile clients. 2.3.4 L2TP L2TP (Layer 2 Tunneling Protocol)  is an open source layer 2 tunneling protocol. It is originally used to encapsulate PPP frames into UDP packets and send UDP packets over existing networks. The two endpoints of an L2TP tunnel are the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC receives PPP packets from users, encapsulates the PPP packets into UDP packets and then sends these to the LNS. The LNS decapsulates the UDP packets and sends the PPP packets to the destination computers. IP packets can also be tunnelled through L2TP and the process of tunneling IP packets is similar to that of tunneling PPP packets. L2TP does not provide strong authentication by itself and often uses IPsec to secure the tunnel . The topology of an L2TP tunnel is shown in Figure 2-6.