Dialog box element Description

Type of VPN

Lists the available remote access server types you can call. Choices vary, depending on the type of connection.

If a host name or Internet Protocol version 4 (IPv4) address is entered in the General tab, the type of VPN allowed is: Automatic, PPTP, or L2TP/IPsec.

If an Internet Protocol version 6 (IPv6) address is entered in the General tab, the type of VPN allowed is: Automatic or L2TP/IPsec.

If you are not sure which type to select, click Automatic. Point-to-Point Tunneling Protocol (PPTP) is attempted first, and then Layer Two Tunneling Protocl (L2TP). If you know the type of VPN server to which you are trying to connect, then select the appropriate server type.

In order to connect to an L2TP server, the Trusted Root Certification Authorities certificate store on your computer must contain the certificate of the root authority for the certification authority (CA) that issued your computer certificate and the certificate for the L2TP server.

If you select Automatic or Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec), then you can specify the IPsec authentication settings by clicking Advanced Settings.

Data encryption

Specifies whether the connection requires the use of data encryption. You can specify that encryption is not used, that encryption is optional, that encryption is required, or that maximum strength encryption is required.


Specifies the authentication methods that are used to establish the VPN. You can select one of the following options:

  • Use Extensible Authentication Protocol (EAP). EAP supports smart cards or computer certificates. The currently installed authentication types are displayed in the list. If the EAP type you need is not on the list, then you must install it. To configure EAP, click Properties.

  • Allow these protocols. You can select any of the following authentication options:

    • Unencrypted password (PAP). Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol.

      Security Note

      Because PAP sends passwords over the network in plaintext, we recommend that you use this option only if another option cannot be used.

    • Challenge Handshake Authentication Protocol (CHAP). CHAP negotiates a secure form of encrypted authentication. CHAP uses challenge-response with one-way Message-Digest algorithm 5 (MD5) hashing on the response. In this way, you can prove to the server that you know your password without actually sending the password over the network.

    • Microsoft CHAP Version 2 (MS-CHAP v2). MS-CHAP-V2 provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving. To minimize the risk of password compromise during MS-CHAP exchanges, MS-CHAP v2 drops support for the MS-CHAP password change and does not transmit the encoded password.

      For VPN connections, MS-CHAP v2 is offered before MS-CHAP. Windows client computers accept MS-CHAP v2 when it is offered. Dial-up connections are not affected.

Additional references