There are several factors in PPTP’s favor. Among these are availability, easy implementation, multiprotocol tunneling, and the ability to use corporate and unregistered IP addresses.
Because PPTP is included with Windows NT Server, Workstation, and Windows 98, it is readily available to users of these platforms. No additional software need be purchased. Microsoft is giving away the PPTP upgrade for Windows 95/98 as well. In addition, it is included free of charge in many different brands of remote access switches, including Ascend, 3Com, and ECI Telematics equipment. Because it has become part of the package of a leading network operating system and numerous remote access switches, PPTP enjoys a huge product-placement advantage. An administrator for a Windows NT network can start experimenting with a VPN right away, without spending any extra money.
On Windows NT systems, PPTP is installed as a network protocol, just like IPX/ SPX, TCP/IP, or NetBEUI. In RAS, instead of using a modem as the RAS device, you use a VPN port with the name RASPPTPM. Many Windows NT administrators will already be familiar with how to set up network protocols and RAS, so using PPTP shouldn’t be difficult for them. Likewise, on Windows 95 systems, PPTP is installed as a new version of the Dial-Up Adapter that’s already a familiar part of Windows 95 Dial-Up Networking. On Windows 98, the VPN Adapter can also be installed and used like a modem for VPN connections.
On remote access switches that support PPTP, enabling PPTP is typically straightforward. For users who wish to dial in using PPTP, you simply add the IP address of their PPTP server to their profiles. ISPs that use authentication and accounting software such as Merit Network’s RADIUS server will also find PPTP as easy to implement in a user profile as PPP. We’ll go into detail about how to set up PPTP on both RAS and remote access switches in Chapter 5.
The ability to tunnel multiple protocols is one of PPTP’s greatest advantages. Some tunneling software allows you to tunnel only IP packets. PPTP, however, can tunnel all of the protocols currently supported by RAS. Users connecting to a RAS server through a VPN will have access to the full range of protocols and servers they would normally have on their LAN. For Windows NT and Windows 95/98 users, this means that their usual username and password, and all access privileges associated with their profile, will pertain to the dial-up user. They will be able to browse the network and access file servers and network printers, as always, through their Network Neighborhood.
When VPN users make PPTP connections with the RAS server, they can be assigned IP addresses by that server. The address can be part of the corporation’s range of IP addresses (220.127.116.11 is part of the 18.104.22.168/24 CIDR address range in our earlier examples), thus making the RAS user’s system appear to be on the corporate IP network.
Sometimes corporations don’t use what are known as “registered” IP addresses on their internal networks. If a block of addresses is registered, it means that it was obtained by an address registry (such as the InterNIC) that assures that the addresses are unique on the Internet. The Internet Assigned Numbers Authority (IANA) has set aside blocks of unregistered IP addresses for use on private internets, or Intranets. These addresses can be used on IP networks that don’t have Internet access or that have access through a router that uses Network Address Translation (or NAT, which we’ll discuss more later). A listing of these unregistered blocks of addresses can be found in RFC 1918.
If a company is using an unregistered range of addresses, a RAS client using PPTP can obtain one of these addresses and have access to the corporate IP network. If the user were simply dialing into an ISP and attempting to access the network without PPTP, a hole in the corporate firewall would have to be opened up for that user. If the user obtains a dynamic IP address whenever they dial into their ISP, this would be nearly impossible.