The security settings you assign to a virtual private network
(VPN) entry must match the settings on the VPN server to which this
entry corresponds. The settings are determined by the configuration
of the VPN server. You can specify whether encryption is required,
which authentication protocol is used, which VPN protocols to
attempt, and in which order.
Specifies the VPN protocols to attempt, and in which order. You
can choose Point-to-Point Tunneling Protocol (PPTP), Layer Two
Tunneling Protocol (L2TP), Secure Socket Tunneling Protocol (SSTP),
or Internet Key Exchange version 2 (IKEv2), either alone, or with
the selected protocol attempted first. If you specify a single
protocol, and the remote server does not support that protocol,
then the connection fails.
If you select one of the "try first" options, the order the
protocols are attempted are as follows:
- PPTP: PPTP, IKEv2, SSTP, and then
- L2TP: L2TP, IKEv2, PPTP, and then
- SSTP: SSTP, IKEv2, PPTP, and then
- IKEv2: IKEv2, PPTP, SSTP, and then
- IKEv2 is not supported on operating systems earlier than
Windows 7. If you select Only use IKEv2 and the profile
is run on a computer running an earlier version of Windows, then
one of the following VPN strategies is used instead:
- For clients running Windows Vista with
Service Pack 1 (SP1) or later, Try SSTP First is used.
- For clients running Windows Vista with
no service pack installed, Try PPTP First is used.
This option is available if you select a VPN strategy that
includes IKEv2 or L2TP.
- If you select an option that includes IKEv2,
then you can enable the mobility feature that allows the VPN
connection to persist for a period of time, even if the IP address
changes or the network adapter through which the computer connects
to the Internet changes. Click Advanced. In the Advanced
Settings dialog box, select the IKEv2 tab. Select
Mobility, and then select the amount of time that the VPN is
allowed to persist before it is terminated. If the client cannot
reestablish connection with the VPN server before this amount of
time has elapsed, then the connection is terminated.
Mobility is enabled by default.
- If you select an option that includes L2TP,
you can include a preshared key with the connection profile. Click
Advanced, and in the Advanced Settings dialog box,
select the L2TP tab, and then click Use a preshared
key. Use this option only if you cannot use computer
certificates as the authentication method. For more information
about including a preshared key, see Configure a Preshared
Specifies the encryption type to use for the data stream to and
from the remote VPN server. Choices include:
- No encryption. The data is sent in
plain text. The connection fails if the VPN server requires data
This option cannot be used for IKEv2 because IKEv2 requires
encryption. If you select this option and attempt to use IKEv2, the
connection will fail.
- Optional encryption. The data is
encrypted only if requested by the VPN server.
- Require encryption. The data is
encrypted. The connection fails if the VPN server does not support
- Maximum strength encryption. The data
will be encrypted using the strongest encryption supported by both
The selection made must be compatible with the encryption
requirements of the remote server or the connection fails.
Use Extensible Authentication Protocol
Specifies that logon authentication uses Extensible
Authentication Protocol (EAP), with the option of using smart cards
or other certificates. If you select this setting, you must
configure the EAP or certificate options by clicking
Properties. For more information about the Protected EAP
Properties page or the Smart Card or other Certificate
Properties page, press F1 while viewing those pages.
Specifies other means for transmitting the authentication
information to the server. These are older authentication protocols
that you can use only if the VPN server requires them.
We recommend that you avoid the use of Password Authentication
Protocol (PAP) because it transmits your user name and password in
plain text over the network.
For more information about configuring VPN entries, see Incorporating VPN Entries
(http://go.microsoft.com/fwlink/?linkid=80953) on the Microsoft Web