Microsoft did some weird things with their standard VPN configuration.
Microsoft claims this is a standard, but in fact their implementation
is only based on standards. In Microsoft's implementation, PPP packets
are encapsulated in L2TP packets, which are encapsulated in IPsec
packets. It is acceptable to use PPP for establishing a point-to-point
connection and IPsec to establish a secure connection, but
the value of L2TP in Microsoft's implementation is questionable. L2TP
would come in very handy for Layer 3 independent protocols (not only
IP could be transported over L2TP, as L2TP means Layer 2 Tunneling
Protocol); however, this doesn't make any sense, because PPP does
not support this. Nevertheless, to stay compatible, we will use the
same standards on the server side. If this paragraph confused you, have a look at the illustrations
in
.
Beyond that protocol-encapsulation jungle, Microsoft authenticates users with certificates for IPsec and, additionally, with the CHAP protocol. IPsec authentication using a pre-shared key is supported, but is considered insecure and is therefore unacceptable. It is possible to use the pure IPsec stack of Windows, but then you can't use the standard client, which would confuse users.
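To make the layering concrete, the following added example (not part of the original document) parses the UDP port 1701 payload that remains once IPsec has decrypted a packet, and shows that the CHAP exchange travels as PPP inside L2TP. The function names and the sample packet are constructed for illustration; the header layout follows RFC 2661.

```python
import struct

# PPP protocol numbers from the IANA PPP registry (subset)
PPP_PROTOCOLS = {0x0021: "IPv4", 0x8021: "IPCP", 0xC021: "LCP", 0xC223: "CHAP"}

def parse_ppp(frame: bytes) -> dict:
    """Parse a PPP frame as carried in L2TP (no HDLC flags or FCS)."""
    if frame[:2] == b"\xff\x03":      # address/control, absent if ACFC was negotiated
        frame = frame[2:]
    if not frame:
        raise ValueError("empty PPP frame")
    if frame[0] & 1:                  # odd first octet: compressed 1-byte protocol field
        proto, payload = frame[0], frame[1:]
    elif len(frame) >= 2:
        proto, payload = struct.unpack_from("!H", frame)[0], frame[2:]
    else:
        raise ValueError("truncated PPP protocol field")
    return {"protocol": PPP_PROTOCOLS.get(proto, hex(proto)), "payload": payload}

def parse_l2tp(udp_payload: bytes) -> dict:
    """Parse an L2TPv2 message, i.e. the UDP/1701 payload left after ESP decryption."""
    try:
        (flags,) = struct.unpack_from("!H", udp_payload, 0)
        if flags & 0x000F != 2:
            raise ValueError("not L2TP version 2")
        off, end = 2, len(udp_payload)
        if flags & 0x4000:            # L bit: total length field present
            (length,) = struct.unpack_from("!H", udp_payload, off)
            off, end = off + 2, min(length, end)
        tunnel_id, session_id = struct.unpack_from("!HH", udp_payload, off)
        off += 4
        if flags & 0x0800:            # S bit: Ns and Nr sequence numbers
            off += 4
        if flags & 0x0200:            # O bit: offset size, then that many pad octets
            (pad,) = struct.unpack_from("!H", udp_payload, off)
            off += 2 + pad
    except struct.error:
        raise ValueError("truncated L2TP header") from None
    control = bool(flags & 0x8000)    # T bit: control message, carries no PPP frame
    ppp = None if control else parse_ppp(udp_payload[off:end])
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id, "ppp": ppp}

# Constructed sample: L2TP data message carrying a PPP CHAP Challenge (code 1)
CHAP_CHALLENGE = bytes([1, 1, 0, 16, 8]) + bytes(8) + b"vpn"
PPP_FRAME = b"\xff\x03\xc2\x23" + CHAP_CHALLENGE
SAMPLE = struct.pack("!HHHH", 0x4002, 8 + len(PPP_FRAME), 7, 1) + PPP_FRAME

if __name__ == "__main__":
    print(parse_l2tp(SAMPLE))
```
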
Wolfgang Hennerbichler 2004-12-21