PPTP, L2TP, and SSTP depend on Point-to-Point Protocol (PPP).

PPP was designed to send data across dial-up or dedicated point-to-point connections.

IKEv2 does not run on top of PPP. IKEv2 uses the IPsec Tunnel Mode protocol over UDP port 500.

An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection. The use of IKEv2 and IPsec allows support for strong authentication and encryption methods.

IKEv2 client computers validate the machine certificate sent by the VPN server

If the remote access server is not configured to use the right IKEv2 certificate, or if the client does not trust the root certification authority (CA) for the IKEv2 certificate, then the VPN connection fails.

Choosing between tunneling protocols

• PPTP can be used with a variety of Microsoft clients, including Microsoft Windows® 2000 and later versions of Windows. Unlike L2TP/IPsec and IKEv2, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
  
  
• L2TP can be used with client computers running Windows 2000 and later versions of Windows. L2TP supports either computer certificates or a preshared key as the authentication method for IPsec. Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers. By using IPsec, L2TP/IPsec VPN connections provide data confidentiality, data integrity, and data authentication.
  
  Unlike PPTP and SSTP, L2TP/IPsec enables machine authentication at the IPsec layer and user level authentication at the PPP layer.
  
  
• SSTP can only be used with client computers running Windows Vista Service Pack 1 (SP1), Windows Server 2008, and later versions of Windows. By using SSL, SSTP VPN connections provide data confidentiality, data integrity, and data authentication.
  
  
• IKEv2 is supported only on computers running Windows 7 and Windows Server 2008 R2. By using IPsec, IKEv2 VPN connections provide data confidentiality, data integrity, and data authentication. IKEv2 supports the latest IPsec encryption algorithms. Because of its support for mobility (MOBIKE), it is much more resilient to changing network connectivity, making it a good choice for mobile users who move between access points and even switch between wired and wireless connections.

The certificate installed on the remote access server must have attributes:

Certificate Name (CN): This field should contain the fully qualified DNS name or IP address of the remote access server. If the server is located behind a network address translating (NAT) router, then the certificate must contain the fully qualified DNS name or IP address of the external connection of the NAT router.

The certificate must specify an EKU field that includes Server Authentication. If there is more than one server authentication certificate, then additionally include the IP security IKE intermediate EKU. Only one certificate should have both EKU options, otherwise IPsec cannot determine which certificate to use, and might not pick the certificate you intended.

Notes: The object identifier (OID) code for the Server Authentication EKU is 1.3.6.1.5.5.7.3.1. The object identifier (OID) code for the IP security IKE intermediate EKU is 1.3.6.1.5.5.8.2.2.

The client computer

The root CA certificate corresponding to the server certificate must be installed on the client computers in the Trusted Root Certification Authorities per-computer certificate store. The client computer must be able to validate the server certificate as being signed by a trusted root CA.

If you are already using SSTP connections, then you can use the same certificate for both SSTP and IKEv2, as long as the certificate meets the CN and EKU requirements identified previously. Because root CA certificates are required on client computers when using SSTP, adding a certificate for IKEv2 that was created by the same CA as an SSTP certificate means that no client changes are needed.