Encryption type with SSTP

  • Question

  • I have Windows Server 2012 R2 with the RRAS role. I've set up VPN with IKEv2 and SSTP.

    When a client connects with IKEv2, I can see his status in the RRAS snap-in and his encryption status is "IPSec: AES 256". But with an SSTP connection, encryption is always "Unknown". Is this normal behavior?

    Saturday, August 30, 2014 2:59 PM

Answers

  • Hi Sergey,

    In brief, this is normal.

    The message is encrypted with one of the following protocols by using encryption keys generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms.

    The SSTP message is encrypted with the SSL channel of the HTTPS protocol.

    For detailed information, please refer to the link below,

    VPN Tunneling Protocols

    http://technet.microsoft.com/en-us/library/dd469817(v=ws.10).aspx

    Best Regards.



    Steven Lee

    TechNet Community Support


    Monday, September 1, 2014 2:31 PM

All replies

  • Thanks, Steven_Lee0510, for your answer.

    I really know how things work in VPN, it was just a little strange =) Because "unknown" means that something went wrong out there and the connection might not be encrypted at all somehow.

    Monday, September 1, 2014 6:49 PM
  • Hi Sergey,

    As I mentioned above, the SSTP message is encrypted with the SSL channel of the HTTPS protocol.

    At the beginning of the SSL negotiation, the client will validate the server certificate. If it is not valid, the connection is broken down. No client (or user) authentication happens on the server side at the SSL stage.

    If it is valid, the client then sends an HTTPS request on top of the encrypted SSL session to the server.

    Therefore, if we can establish an SSTP connection, it is encrypted, because all data is sent over the SSL and the SSL session is encrypted.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Tuesday, September 2, 2014 9:06 AM
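
Since the RRAS snap-in reports "Unknown" for SSTP, the SSL/TLS parameters of the listener can be checked from a client machine instead. The script below is an added example, not part of the thread or of any Microsoft tooling: it performs the same kind of handshake described above (server certificate validation, then an encrypted session) and reports what was negotiated. `$VpnHost` is a placeholder for the SSTP server's public name, and port 443 is assumed.

```powershell
# Added example: probe the HTTPS listener that SSTP runs on and report the
# negotiated SSL/TLS parameters. $VpnHost is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory)][string]$VpnHost,
    [int]$Port = 443   # assumed: SSTP on the default HTTPS port
)

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($VpnHost, $Port)

    # No custom validation callback is passed, so SslStream applies the default
    # Windows chain and name checks: an invalid server certificate aborts the
    # handshake, which mirrors the client-side validation described in the thread.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($VpnHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        [pscustomobject]@{
            Server         = "${VpnHost}:$Port"
            IsEncrypted    = $ssl.IsEncrypted
            Protocol       = $ssl.SslProtocol
            Cipher         = $ssl.CipherAlgorithm
            CipherStrength = $ssl.CipherStrength   # key length in bits
            Hash           = $ssl.HashAlgorithm
            KeyExchange    = $ssl.KeyExchangeAlgorithm
            CertSubject    = $cert.Subject
            CertNotAfter   = $cert.NotAfter
        }
    }
    catch {
        # Certificate validation failures and protocol mismatches both land here.
        Write-Warning "SSL/TLS handshake with ${VpnHost}:$Port failed: $($_.Exception.Message)"
    }
    finally {
        $ssl.Dispose()
    }
}
finally {
    $tcp.Close()
}
```

The values describe this probe's own handshake; the protocol version and cipher an actual SSTP client negotiates depend on the SSL/TLS settings of that client and of the server.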