
Introduction to PPTP, L2TP and VPN (1)

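Continuing from the previous section:

What is PPTP?

Below is Microsoft's official explanation (the draft was originally submitted by Microsoft):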

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. PPTP supports on-demand, multi-protocol, virtual private networking over public networks such as the Internet.

The networking technology of PPTP is an extension of the remote access Point-to-Point protocol defined in the document by the Internet Engineering Task Force (IETF) titled "The Point-to-Point Protocol for the Transmission of Multi-Protocol Datagrams over Point-to-Point Links," referred to as RFC 1171. PPTP is a network protocol that encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. PPTP can also be used in private LAN-to-LAN networking.

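    Explanation: PPTP is a protocol that can be used for secure transmission (by establishing a VPN). It is an extension of the PPP protocol; unlike PPP at the data link layer, it encapsulates PPP packets (which carry, for example, dial-up authentication and IP address assignment) inside the IP datagrams of a TCP/IP network. PPTP can also be used in private LAN-to-LAN networking.

PPTP and VPN are therefore inseparable. The following covers three aspects: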

  • PPTP and secure, virtual private networking (VPN)

  • architecture of PPTP

  • PPTP security features

PPTP and Virtual Private Networking

The PPTP protocol is included with Windows NT® Server version 4.0 and Windows NT Workstation version 4.0 operating systems. Computers running these operating systems can use the PPTP protocol to securely connect to a private network as a remote access client by using a public data network such as the Internet. In other words, PPTP enables on-demand, virtual private networks over the Internet or other public TCP/IP-based data networks. PPTP can also be used by computers connected to a LAN to create a virtual private network across the LAN.

An important feature in the use of PPTP is its support for virtual private networking by using public-switched telephone networks (PSTNs). PPTP simplifies and reduces the cost of deploying an enterprise-wide, remote access solution for remote or mobile users because it provides secure and encrypted communications over public telephone lines and the Internet. PPTP eliminates the need for expensive, leased-line or private enterprise-dedicated communication servers because you can use PPTP over PSTN lines.

Generally, there are three computers involved in every PPTP deployment:

  • a PPTP client

  • a network access server

  • a PPTP server

  Explanation: Operating systems from Windows NT 4.0 onward include support for the PPTP protocol. PPTP can provide a secure, encrypted transport solution for remote access at low cost.

Note: You do not need the network access server in order to create a PPTP tunnel when using a PPTP client connected to a LAN to connect to a PPTP server connected to the same LAN. Explanation: if two computers on the same LAN connect to each other, no network access server is needed.

The following section describes a typical PPTP scenario using these computers and explains how they relate to each other and then fully defines each of these components.

Typical PPTP Scenario

A typical deployment of PPTP starts with a remote or mobile PPTP client that needs access to a private enterprise LAN by using a local Internet Service Provider (ISP). Clients using computers running Windows NT Server version 4.0 or Windows NT Workstation version 4.0 use Dial-up Networking and the remote access protocol PPP to connect to an ISP.

The client connects to a network access server (NAS) at the ISP facility. (Network access servers are also referred to as front-end processors (FEPs), dial-in servers or point-of-presence (POP) servers.) Once connected, the client can send and receive packets over the Internet. The network access server uses the TCP/IP protocol for all traffic to the Internet.

After the client has made the initial PPP connection to the ISP, a second Dial-Up Networking call is made over the existing PPP connection. Data sent using this second connection is in the form of IP datagrams that contain PPP packets, referred to as encapsulated PPP packets.

The second call creates the virtual private networking (VPN) connection to a PPTP server on the private enterprise LAN; this is referred to as a tunnel. This is shown in the following figure:


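Figure 1

1. The client first connects to the ISP through an initial PPP dial-up, which gives it access to the Internet.

2. After connecting to the ISP over PPP, the client dials again on top of that PPP connection. This second connection creates the VPN connection to the PPTP server, which is called the tunnel.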

Tunneling is the process of sending packets to a computer on a private network by routing them over some other network, such as the Internet. The other network routers cannot access the computer that is on the private network. However, tunneling enables the routing network to transmit the packet to an intermediary computer, such as a PPTP server, that is connected to both the routing network and the private network. Both the PPTP client and the PPTP server use tunneling to securely route packets to a computer on the private network by using routers that only know the address of the private network intermediary server.

When the PPTP server receives the packet from the routing network, it sends it across the private network to the destination computer. The PPTP server does this by processing the PPTP packet to obtain the private network computer name or address information in the encapsulated PPP packet. Note that the encapsulated PPP packet can contain multi-protocol data such as TCP/IP, IPX, or NetBEUI protocols. Because the PPTP server is configured to communicate across the private network by using private network protocols, it is able to read multi-protocol packets.

The following figure illustrates the multi-protocol support built into PPTP. A packet sent from the PPTP client to the PPTP server passes through the PPTP tunnel to a destination computer on the private network.


Figure 2: Connecting a Dial-Up Networking PPTP Client to the Private Network

The data shown in gray is encrypted.

PPTP encapsulates the encrypted and compressed PPP packets into IP datagrams for transmission over the Internet. These IP datagrams are routed over the Internet until they reach the PPTP server that is connected to the Internet and the private network. The PPTP server disassembles the IP datagram into a PPP packet and then decrypts the PPP packet using the network protocol of the private network. As mentioned earlier, the network protocols on the private network that are supported by PPTP are IPX, NetBEUI, or TCP/IP.
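
The encapsulation and disassembly described above can be made concrete. The following Python code is an added example, not part of the original article or of Microsoft's documentation; it assumes the enhanced GRE header that RFC 2637 defines for PPTP data packets (IP protocol 47, GRE protocol type 0x880B), and the addresses, Call ID and PPP payload are constructed sample values. A network monitor can use the same checks to recognize PPTP tunnel traffic.

```python
import struct

GRE_PROTO = 47          # IPv4 protocol number for GRE
PPP_IN_GRE = 0x880B     # GRE protocol type for PPP payloads (RFC 2637)
K_BIT, S_BIT, A_BIT = 0x2000, 0x1000, 0x0080
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI", 0xC021: "LCP"}

def build_pptp_datagram(src, dst, call_id, seq, ppp_frame):
    """Wrap a PPP frame in enhanced GRE plus an IPv4 header (checksum left 0)."""
    gre = struct.pack("!HHHHI", K_BIT | S_BIT | 1, PPP_IN_GRE,
                      len(ppp_frame), call_id, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(ppp_frame),
                     0, 0, 64, GRE_PROTO, 0, bytes(src), bytes(dst))
    return ip + gre + ppp_frame

def parse_pptp_datagram(datagram):
    """Return tunnel fields and the inner PPP frame, or None if not PPTP data."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4 or datagram[9] != GRE_PROTO:
        return None
    gre = datagram[(datagram[0] & 0x0F) * 4:]
    if len(gre) < 8:
        return None
    flags, ptype, plen, call_id = struct.unpack("!HHHH", gre[:8])
    # PPTP data packets use GRE version 1, the Key bit, and protocol type 0x880B.
    if ptype != PPP_IN_GRE or (flags & 0x0007) != 1 or not (flags & K_BIT):
        return None
    off, fields = 8, {"call_id": call_id, "seq": None, "ack": None}
    for bit, name in ((S_BIT, "seq"), (A_BIT, "ack")):   # optional 32-bit fields
        if flags & bit:
            if len(gre) < off + 4:
                return None
            fields[name] = struct.unpack("!I", gre[off:off + 4])[0]
            off += 4
    ppp = gre[off:off + plen]
    if len(ppp) != plen:
        return None                                      # truncated payload
    body = ppp[2:] if ppp[:2] == b"\xff\x03" else ppp    # address/control may be omitted
    # The PPP protocol field is 1 byte when compressed (odd first byte), else 2.
    width = 1 if body[:1] and body[0] & 1 else 2
    proto = int.from_bytes(body[:width], "big") if len(body) >= width else None
    fields.update(ppp_frame=ppp, ppp_protocol=PPP_PROTOCOLS.get(proto, proto))
    return fields

# Constructed sample: a PPP frame announcing an IP payload, tunneled client -> server.
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"inner-ip-packet"
SAMPLE = build_pptp_datagram((198, 51, 100, 7), (203, 0, 113, 10), 0x1234, 1, SAMPLE_PPP)
```

When the PPP payload is encrypted, only the outer IP and GRE fields (addresses, Call ID, sequence numbers) remain readable to an observer on the routing network.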

PPTP Clients

A computer that supports the PPTP network protocol, e.g., a Microsoft client, can connect to a PPTP server in two ways:

  • by using an ISP's network access server that supports inbound PPP connections (Figure 1: two dial-up connections)

  • by using a physical TCP/IP-enabled LAN connection to connect to a PPTP server (a single dial-up on top of an established physical LAN connection)

PPTP clients that use an ISP's network access server must be configured with a modem and a VPN device to make the separate connections to the ISP and the PPTP server. The first connection is a dial-up connection using the PPP protocol over the modem to an Internet service provider. The second connection is a VPN connection using PPTP, over the modem and the ISP connection, to tunnel across the Internet to a VPN device on the PPTP server. The second connection requires the first connection because the tunnel between the VPN devices is established by using the modem and PPP connection to the Internet.

(The other case) The exception to this two-connection requirement is using PPTP to create a virtual private network between computers physically connected to the private enterprise network LAN. In this scenario, a PPTP client is already connected to the network and only uses Dial-Up Networking with a VPN device to create the connection to a PPTP server on the LAN.

PPTP packets from a remote access PPTP client and a local LAN PPTP client are processed differently. A PPTP packet from a remote access PPTP client is placed on the telecommunication device physical media, while the PPTP packet from a LAN PPTP client is placed on the network adapter physical media as illustrated in the following figure:


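Setting up a VPN (PPTP, L2TP) on Windows and Linux servers is very convenient; how to do so can be looked up on Baidu. If IPSec VPN is used, does the client need additional components installed? (To be confirmed.) The next section briefly introduces L2TP.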
