Modern crypto only (no PPTP / L2TP)
Demonstrate that the organization has disabled legacy VPN protocols PPTP and L2TP (without IPsec) across all remote access infrastructure and enforces the use of cryptographically modern alternatives.
Description
What this control does
This control mandates the exclusive use of cryptographically strong VPN protocols (such as IKEv2/IPsec, OpenVPN, or WireGuard) and explicitly prohibits the legacy protocols PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) when the latter is used without IPsec. PPTP's MPPE encryption (RC4) derives its session keys from the MS-CHAPv2 password exchange, which can be broken offline from a single captured handshake; MPPE provides no integrity protection, and PPTP authenticates with passwords rather than certificates, so a client has no reliable way to verify the gateway it is talking to. L2TP on its own is only a tunneling protocol: it provides no encryption and depends on IPsec for confidentiality and integrity. Organizations enforce this through VPN gateway configuration, an allowlist of approved connection profiles, and endpoint policy preventing negotiation of deprecated protocols. Modern protocols provide authenticated key exchange, forward secrecy, and authenticated encryption resistant to known cryptanalytic attacks.
Control objective
What auditing this proves
Demonstrate that the organization has disabled legacy VPN protocols PPTP and L2TP (without IPsec) across all remote access infrastructure and enforces the use of cryptographically modern alternatives.
Associated risks
Risks this control addresses
- Attackers passively capture VPN traffic and run offline attacks on the captured MS-CHAPv2 handshake (dictionary attacks against weak passwords, or brute force of the single DES key the exchange reduces to, regardless of password strength) to recover the NT hash, derive the MPPE session keys, and decrypt the session
- Man-in-the-middle attackers exploit PPTP's lack of certificate-based mutual authentication (MS-CHAPv2 proves only knowledge of the password hash, so a client cannot tell a rogue gateway from the real one) to impersonate VPN gateways and collect authentication responses for offline cracking
- L2TP connections established without IPsec carry the PPP authentication exchange and all session data in cleartext, since L2TP itself has no encryption, enabling network eavesdropping
- Publicly available tooling that automates the MS-CHAPv2 attack recovers the credentials and session keys of a captured PPTP handshake in under a day, compromising the remote access session and any reuse of the same password elsewhere
- Compliance violations occur when payment card data, PHI, or other regulated information traverses connections using cryptographically broken protocols
- Incident response teams cannot reliably determine scope of data exposure when legacy protocols with known cryptographic weaknesses were in use during breach windows
Testing procedure
How an auditor verifies this control
- Obtain complete inventory of all VPN concentrators, gateways, and remote access appliances including cloud-based VPN services and SD-WAN endpoints
- Export current configuration files from each VPN device showing enabled protocols, cipher suites, authentication methods, and connection policy settings
- Review VPN gateway configurations to identify any instances where PPTP or L2TP without IPsec is enabled, including as a fallback or "automatic" negotiation option that a client can drop to when the preferred protocol fails
- Examine endpoint VPN client configuration profiles and Group Policy Objects to verify PPTP and L2TP connection types are blocked or unavailable for user selection (on Windows, Get-VpnConnection -AllUserConnection shows each profile's TunnelType; treat Pptp, L2tp, and Automatic, which can fall back to those types, as findings)
- Query authentication logs and VPN session logs for the past 90 days to identify any successful connections using PPTP (TCP/1723 control channel plus GRE, IP protocol 47, for the tunnel) or standalone L2TP (UDP/1701 exposed directly rather than carried inside IPsec ESP or UDP/4500 NAT-T encapsulation)
- Perform a port scan and protocol probe against each VPN gateway from an external network position to verify that TCP/1723 does not accept a PPTP control connection (a Start-Control-Connection-Request should get no reply), that GRE is not accepted, and that UDP/1701 does not answer L2TP control messages in the clear; UDP/500, UDP/4500, and ESP are expected on an IKE/IPsec gateway and are not findings by themselves, and a silent UDP port is not proof of absence, so reconcile every result against the exported configuration
- Review endpoint detection and response (EDR) or mobile device management (MDM) policies to confirm controls preventing users from establishing unauthorized legacy VPN tunnels
- Interview network engineering and security operations teams to validate change management procedures prevent reintroduction of deprecated protocols during upgrades or troubleshooting
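The log sweep and the external PPTP probe from the steps above, as one added example. This is illustrative code written for this page, not tooling from the original page or from any VPN vendor. The key=value session-log format, the gateway names, users, and addresses are constructed; the PPTP message layout follows RFC 2637 (SCCRQ/SCCRP, 156 bytes each); probe_pptp() and the other function names are hypothetical helpers introduced here.

```python
"""Audit helpers (added example, not code from the original page): a legacy-session
sweep over exported VPN session logs, and a PPTP control-channel probe for the
external check of TCP/1723.  The log format is constructed and vendor-neutral;
adapt parse_session() to the export you actually receive.
"""
import re
import socket
import struct
import sys

# --- 1. Session-log sweep -------------------------------------------------
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample export; ipsec=yes marks L2TP that was carried inside IPsec.
SAMPLE_LOG = [
    '2024-03-02T08:11:04Z vpn-gw1 event=session-start user=alice tunnel=ikev2 src=203.0.113.5',
    '2024-03-02T08:12:31Z vpn-gw1 event=session-start user=bob tunnel=pptp src=198.51.100.9',
    '2024-03-02T08:14:00Z vpn-gw1 event=session-start user=carol tunnel=l2tp ipsec=yes src=203.0.113.77',
    '2024-03-02T08:15:45Z vpn-gw2 event=session-start user=dave tunnel=l2tp ipsec=no src=198.51.100.33',
    '2024-03-02T08:16:02Z vpn-gw2 event=session-end user=bob tunnel=pptp src=198.51.100.9',
]

def parse_session(line):
    """Turn one 'key=value key=value' record into a dict (values may be quoted)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_legacy(rec):
    """PPTP is always a finding; L2TP is a finding unless the log says IPsec wrapped it."""
    tunnel = rec.get("tunnel", "").lower()
    return tunnel == "pptp" or (tunnel == "l2tp" and rec.get("ipsec", "").lower() != "yes")

def flag_legacy_sessions(lines):
    """Return the session-start records that used PPTP or standalone L2TP."""
    return [rec for rec in map(parse_session, lines)
            if rec.get("event") == "session-start" and is_legacy(rec)]

# --- 2. PPTP control-channel probe (TCP/1723) ------------------------------
PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL = 1                    # PPTP message type: control message
SCCRQ, SCCRP = 1, 2                 # Start-Control-Connection-Request / -Reply
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"    # RFC 2637 section 2.1 field layout
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"   # RFC 2637 section 2.2 field layout

def build_sccrq(hostname=b"audit", vendor=b"audit-probe"):
    """Build the 156-byte SCCRQ a PPTP client sends first on the control channel."""
    return struct.pack(SCCRQ_FMT, 156, PPTP_CONTROL, PPTP_MAGIC, SCCRQ, 0,
                       0x0100, 0,   # protocol version 1.0, reserved
                       1, 1,        # framing / bearer capabilities (any value works for a probe)
                       1, 0,        # max channels, firmware revision
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))

def parse_sccrp(data):
    """Parse an SCCRP; return gateway details, or None if the bytes are not a PPTP reply."""
    if len(data) < 156:
        return None
    (_length, msg_type, magic, ctrl_type, _r0, version, result, error,
     _framing, _bearer, _max_chan, firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:156])
    if magic != PPTP_MAGIC or msg_type != PPTP_CONTROL or ctrl_type != SCCRP:
        return None
    return {
        "result": result,           # 1 = control connection established
        "error": error,
        "version": f"{version >> 8}.{version & 0xFF}",
        "firmware": firmware,
        "hostname": host.split(b"\0", 1)[0].decode(errors="replace"),
        "vendor": vendor.split(b"\0", 1)[0].decode(errors="replace"),
    }

def constructed_sccrp():
    """A reply as a PPTP-enabled gateway would send it (constructed, not captured)."""
    return struct.pack(SCCRP_FMT, 156, PPTP_CONTROL, PPTP_MAGIC, SCCRP, 0,
                       0x0100, 1, 0, 3, 3, 0xFFFF, 0x0101,
                       b"vpn-gw1".ljust(64, b"\0"), b"ExampleVendor".ljust(64, b"\0"))

def probe_pptp(host, port=1723, timeout=5.0):
    """Send an SCCRQ to host:port and parse the reply; None means closed, filtered,
    or not PPTP.  None alone does not prove PPTP is off: reconcile with the config."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            buf = b""
            while len(buf) < 156:
                chunk = s.recv(156 - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError:
        return None
    return parse_sccrp(buf)

if __name__ == "__main__":
    for rec in flag_legacy_sessions(SAMPLE_LOG):
        print("LEGACY SESSION:", rec)
    print("parsed constructed reply:", parse_sccrp(constructed_sccrp()))
    if len(sys.argv) > 1:           # python pptp_audit.py <gateway-address>
        print("live probe:", probe_pptp(sys.argv[1]))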
Where this control is tested