Both give excellent data encryption once the VPN is established. But how well does each protect against malicious attempts to connect by guessing usernames and passwords? If the username, the password, or both are known to the attacker, can he then easily gain access?

Of course, using 2FA knocks this risk on the head. The newer Drayteks include 2FA for VPNs as standard, and it is easy to set up BUT it requires the SmartVPN client to be installed on the user’s PC. It also requires you to enter the one-time password on every connection, which is a little irritating. (I’m sure Draytek will get around this very soon.) If you want to make your VPN easy while maintaining security, or have an older router that does not support 2FA, you need to be careful with certificates on IKEv2 – here’s why (I’ve included PPTP for comparison).

Imagine a cyber-criminal is trying to hack into your Draytek by firing connection attempts at it using different protocols:

  1. PPTP requires the hacker to guess only the username/password (if you are using PPTP, make sure you have a good long password!).
  2. L2TP/IPsec with PSK requires the hacker to first guess the pre-shared key, which should be very long and made of random characters. Only if he gets this can he proceed to guessing the username/password.
  3. IKEv2 requires the hacker to have the root CA certificate on his computer. If he has this, he only has to guess the username/password.
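Whichever protocol is in use, the step the attacker always ends up at is guessing usernames and passwords, and that activity leaves a trail in the router's log. The script below is an added example, not code from the original post or from Draytek: it reads a few constructed log lines in a hypothetical format (not Draytek's real syslog format, so `LINE_RE` must be adapted to what your router actually emits) and flags any source IP whose failed VPN logins inside a sliding time window reach a threshold, reporting the protocol and how many different usernames were tried.

```python
# Added example (not from the original post): flag password-guessing attempts
# against a VPN endpoint by counting failed logins per source IP inside a
# sliding time window. The log format below is hypothetical and constructed
# for this demo; it is NOT Draytek's real syslog format, so adapt LINE_RE to
# whatever your router actually emits.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format:
# timestamp, protocol, result, username, source IP).
SAMPLE_LOG = """\
2024-05-01 10:00:01 PPTP auth FAILED user=admin from=203.0.113.7
2024-05-01 10:00:03 PPTP auth FAILED user=root from=203.0.113.7
2024-05-01 10:00:05 PPTP auth FAILED user=guest from=203.0.113.7
2024-05-01 10:00:07 PPTP auth FAILED user=admin from=203.0.113.7
2024-05-01 10:00:09 PPTP auth FAILED user=vpn from=203.0.113.7
2024-05-01 10:00:30 IKEv2 auth FAILED user=alice from=198.51.100.9
2024-05-01 10:15:00 IKEv2 auth FAILED user=alice from=198.51.100.9
2024-05-01 10:15:05 IKEv2 auth OK user=alice from=198.51.100.9
2024-05-01 11:00:00 IKEv2 auth FAILED user=bob from=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proto>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def find_guessing_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (protocol, failures_in_window, distinct_users)} for every
    source IP whose failed logins within `window` reach `threshold`.

    A legitimate user who mistypes a password once or twice stays below the
    threshold; a source cycling through many usernames quickly does not.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAILED":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            distinct_users = {user for _, user in q}
            flagged[ev["ip"]] = (ev["proto"], len(q), len(distinct_users))
    return flagged


if __name__ == "__main__":
    for ip, (proto, n, users) in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed {proto} logins across {users} usernames in 5 min")
```

In the sample data only 203.0.113.7 is flagged: five PPTP failures across four usernames in eight seconds. The two IKEv2 failures from 198.51.100.9 are fifteen minutes apart, so the window discards the first before the second arrives, which is the pattern of a user mistyping a password rather than a guessing run. The threshold and window are deliberately parameters so they can be tuned to the size of the user base.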

It is possible to set up IKEv2 with a public certificate. If you register your Draytek and use their Let's Encrypt certificate service, this will be the case. The root CA for this cert is already trusted by everyone’s Windows PC. Now the hacker only needs the username/password – we are back to PPTP levels of authentication.

On the other hand, you would need to be a very, very determined hacker to try cracking L2TP/IPsec – if it’s even possible in practice to do so.

It is important, then, that the root CA cert for your IKEv2 setup is guarded as closely as your L2TP PSK. This means that instead of using a public cert, you should use the built-in certificate management to create your own root CA cert. Then, once the IKEv2 cert has been signed, remove the root cert and store it somewhere safe.

See also [soon]:

  • Working with certificates
  • Is my Draytek under attack?

Which is best: IKEv2 or L2TP/IPsec?
