Security is the main function of a VPN. All data from client computers passes through the Internet to the VPN server. Such a server can be located at a great distance from the client computer, and on its way to the organization's network the data passes through the equipment of many providers. How can you make sure that the data was not read or changed? Various authentication and encryption methods are used for this purpose.

PPTP can use any of the protocols used for PPP to authenticate users: EAP (Extensible Authentication Protocol); MSCHAP (Microsoft Challenge Handshake Authentication Protocol), versions 1 and 2; CHAP (Challenge Handshake Authentication Protocol); SPAP (Shiva Password Authentication Protocol); PAP (Password Authentication Protocol). The best protocols are MSCHAP version 2 and Transport Layer Security (EAP-TLS), because they provide mutual authentication, i.e. the VPN server and the client identify each other. In all other protocols, only the server authenticates clients.

Although PPTP provides a sufficient degree of security, L2TP over IPSec is more reliable. L2TP over IPSec provides authentication at the "user" and "computer" levels, and also authenticates and encrypts the data.

Authentication is performed either with open text (a clear text password) or with a request/response scheme (challenge/response). The clear text case is straightforward: the client sends the server a password, and the server compares it with the reference and either denies access or says "welcome". Clear text authentication is almost non-existent in practice. The request/response scheme is much more advanced.
In general, it looks like this: the client sends the server a request for authentication; the server returns a random value (the challenge); the client computes a hash of its password (a hash is the result of a hash function, which converts input data of arbitrary length into an output bit string of fixed length), encrypts the challenge with it, and passes the result to the server; the server does the same and compares its result with the client's response; if the encrypted response matches, authentication is considered successful.

In the first step of authenticating VPN clients and servers, L2TP over IPSec uses local certificates obtained from the certification service. The client and server exchange certificates and create a secure ESP SA (security association) connection. After L2TP (over IPSec) completes the computer authentication process, user-level authentication is performed. Any protocol can be used for this authentication, even PAP, which sends the user name and password in plain text. This is quite secure, since L2TP encrypts the entire session over IPSec. However, performing user authentication using MSCHAP, which uses different encryption keys to authenticate the computer and the user, can enhance security.
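
The request/response (challenge/response) steps described above, as an added example that is not part of the original page. SHA-256 and HMAC-SHA256 stand in for the protocol-specific password hash and the "encrypt the challenge" step, and the Server class, the function names and the sample account are assumptions made for illustration. It shows that the password never crosses the wire and that a response captured in one session is rejected in the next, because every session gets a fresh challenge.

```python
import hashlib
import hmac
import secrets


def password_hash(password):
    # Stand-in for the protocol's password hash (assumption: SHA-256).
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_response(password, challenge):
    # Client side: key the challenge with the password hash.
    # HMAC-SHA256 stands in for the "encrypt the challenge" step.
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, users):
        # The server keeps only the reference hash, not the password itself.
        self._ref = {u: password_hash(p) for u, p in users.items()}
        self._pending = {}

    def start(self, user):
        # On an authentication request, issue a fresh random challenge.
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user, response):
        # Repeat the client's computation and compare the two results.
        challenge = self._pending.pop(user, None)  # each challenge is single-use
        ref = self._ref.get(user)
        if challenge is None or ref is None:
            return False
        expected = hmac.new(ref, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = Server({"alice": "correct horse"})  # constructed sample account
    first = server.start("alice")
    good = client_response("correct horse", first)
    ok = server.verify("alice", good)
    server.start("alice")                    # new session, new challenge
    replayed = server.verify("alice", good)  # old response sent again
    third = server.start("alice")
    wrong = server.verify("alice", client_response("guess", third))
    return {"ok": ok, "replayed": replayed, "wrong": wrong}
```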