Windows 7 / Networking

Weak Cryptography Removal from PP TP/L2TP

Support for weak or nonstandard cryptographic algorithms has been removed beginning with Windows Vista. This initiative was based on a desire by Microsoft to move customers toward stronger crypto algorithms to increase VPN security, based on recommendations by the NIST and the Internet Engineering Task Force (IETF) as well as mandates toward stronger crypto algorithms from different industry standards bodies and regulators.

The following crypto algorithms are no longer supported on Windows Vista or later versions:

  • 40- and 56-bit RC4 encryption, formerly used by the Microsoft Point-to-Point Encryption (MPPE) Protocol for PPTP-based VPN connections
  • DES encryption, formerly used by IPsec policy within L2TP/IPsec-based VPN connections
  • MD5 integrity checking, formerly used by IPsec policy within L2TP/IPsec-based VPN connections

The removal of support from the default configuration for 40- and 56-bit RC4 encryption means that PPTP-based VPN connections now support only 128-bit RC4 for data encryption and integrity checking. This means the encryption strength remains the same as 128-bit RC4-that is, independent of the encryption settings (Optional Encryption, Require Encryption, or Maximum Strength Encryption) specified by the Advanced Security Settings properties of the VPN connections. This also means that if your existing VPN server does not support 128-bit encryption and supports only incoming PPTP-based VPN connections, clients will not be able to connect. If you are unable to upgrade your existing VPN servers to support 128-bit encryption for PPTP or if 128-bit encryption is unavailable to you because of export restrictions, you can enable weak crypto for PPTP by editing the following registry value:

HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowPPTPWeakCrypto

The default value of this DWORD registry value is 0, and by changing it to 1, you can enable 40- and 56-bit RC4 encryption on the computer for both outgoing and incoming PPTP-based VPN connections. You must restart the computer for this registry change to take effect. As an alternative to restarting the computer, you can restart the Remote Access Connection Manager service by opening a command prompt and typing net stop rasman followed by net start rasman.

The removal of support for DES encryption and MD5 integrity checking for L2TP/IPsecbased VPN connections means that L2TP/IPsec-based VPN connections now support the following data encryption and data integrity algorithms by default:

  • 128-bit AES, 256-bit AES, and 3DES for data encryption using IPsec
  • Secure Hash Algorithm (SHA1) for data integrity using IPsec

The removal of support for DES and MD5 from the default configuration means that L2TP/ IPsec-based VPN connections will not work if your existing VPN server supports only DES for data encryption and/or MD5 for data integrity checking. If you are unable to upgrade your existing VPN servers to support AES or 3DES for data encryption and/or SHA1 for integrity checking or if these crypto algorithms are unavailable to you because of export restrictions, you can disable weak crypto for L2TP by editing the following registry value:

HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowL2TPWeakCrypto

The default value of this DWORD registry value is 0, and by changing it to 1, you can enable DES encryption and MD5 integrity checking on the computer for both outgoing and incoming L2TP/IPsec-based VPN connections. You must restart the computer for this registry change to take effect. As an alternative to restarting the computer, you can restart the Remote Access Connection Manager service by opening a command prompt and typing net stop rasman followed by net start rasman.

Note Microsoft recommends that you upgrade your VPN server to support 128-bit RC4 for PP TP and/or AES and SHA1 for L2TP instead of disabling weak crypto support on your VPN clients.

Table summarizes the differences between Windows 7, Windows Vista, and Windows XP with regard to crypto support for data integrity and encryption for VPN connections.

Data Integrity and Encryption Support for VPN Connections in Windows 7, Windows Vista, and Windows XP

Crypto AlgorithmUseWindows 7Windows VistaWindows XP
40-bit RC4Data encryption and integrity checking for PPTP only✔;
56-bit RC4Data encryption and integrity checking for PPTP only
128-bit RC4Data encryption and integrity checking for PPTP only
DESData encryption
3DESData encryption
128-bit AESData encryption *
196-bit AESData encryption *
256-bit AESData encryption *
MD5Integrity checking
SHA1Integrity checking
256-bit SHAIntegrity checking*
384-bit SHAIntegrity checking*

An asterisk (*) means that configuration is possible, but only by using the Netsh command.

[Previous] [Contents] [Next]

In this tutorial:

  1. Connecting Remote Users and Networks
  2. Enhancements for Connecting Remote Users and Networks in Windows 7
  3. Understanding IKEv2
  4. Understanding MOBIKE
  5. Understanding VPN Reconnect
  6. Protocols and Features of VPN Reconnect
  7. How VPN Reconnect Works
  8. Understanding DirectAccess
  9. Benefits of DirectAccess
  10. How DirectAccess Works
  11. Windows 7 and Windows Server 2008 R2
  12. Ipv6
  13. IPsec
  14. Perimeter Firewall Exceptions
  15. Implementing DirectAccess
  16. Understanding BranchCache
  17. Benefits of BranchCache
  18. How BranchCache Works
  19. Protocols Supported by BranchCache
  20. Implementing BranchCache
  21. Supported Connection Types
  22. Outgoing Connection Types
  23. Incoming Connection Types
  24. Deprecated Connection Types
  25. Supported Tunneling Protocols
  26. Comparing the Different Tunneling Protocols
  27. Understanding Cryptographic Enhancements
  28. Support for AES
  29. Weak Cryptography Removal from PP TP/L2TP
  30. Supported Authentication Protocols
  31. Understanding the VPN Connection Negotiation Process
  32. Creating and Configuring VPN Connection
  33. Creating a VPN Connection
  34. Initiating a Connection
  35. Terminating a Connection
  36. Viewing Connection Details
  37. Configuring a VPN Connection
  38. Configuring Security Settings for a VPN Connection
  39. Configuring the Tunneling Protocol (s) Used
  40. Configuring Advanced Connection Settings
  41. Configuring the Data Encryption Level
  42. Configuring the Authentication Method Used
  43. Configuring Authentication for IKEv2 connections
  44. Configuring Mobility for IKEv2 Connections
  45. Configuring Dial-Up Connections
  46. Creating a Dial-Up Connection
  47. Advanced Connection Settings
  48. Configuring Incoming Connections
  49. Managing Connections Using Group Policy
  50. Using Remote Desktop
  51. Understanding Remote Desktop
  52. Versions of RDP
  53. RDP 6.1 Features and Enhancements
  54. RDP 7.0 new features and enhancements
  55. RemoteApp and Desktop Connection
  56. Understanding RDC
  57. Understanding Remote Desktop Services Terminology
  58. Configuring and Using Remote Desktop
  59. Enabling Remote Desktop and Authorizing Users on a Single Computer
  60. Enabling Remote Desktop Using Group Policy
  61. Configuring and Deploying Remote Desktop Connection
  62. Configuring Remote Desktop Connection from the Command Line
  63. Configuring Remote Desktop Connection Using Notepad
  64. Configuring Remote Desktop Using Group Policy
  65. Establishing a Remote Desktop Session
  66. Improving Remote Desktop Performance
  67. Troubleshooting Remote Desktop Sessions
  68. Configuring and Using RemoteApp and Desktop Connection