NT Admin Tip #337: VPN Tips
PPTP VPNs need TCP and UDP port 1723 open, and IP protocol 47, Generic Routing Encapsulation (GRE), must be allowed to pass. L2TP VPNs need TCP and UDP port 1701 open, and likewise GRE (IP protocol 47) must be allowed through.
To create a tunnel between two Windows 2000 RRAS servers, make sure each server contains a dedicated user account for the other server to log in with. Each server must also contain a demand-dial VPN connection whose name matches the login credentials the other computer will use. For example, if Server A will connect to Server B using the account name VPN1, Server B must contain a user account named VPN1 and a demand-dial RRAS connection named VPN1. Likewise, the connection on Server A should be named after the account Server B will authenticate with, say, VPN2. This allows the servers to connect and create the proper routing entries.
L2TP tunnels are considered more secure than PPTP tunnels because the IP headers are encrypted under L2TP, preventing hackers from even seeing what type of tunnel traffic is being encrypted, let alone the traffic itself. There is a misconception that L2TP requires each VPN server to trust a common certificate authority. If this is a problem for your environment, the RRAS documentation includes a method for configuring each VPN server with an identical "shared secret" that can be used in place of a normal certificate. If you are not going to use certificates, make sure the shared secret is impossible to break: make it long (20+ characters) with a mix of symbols, uppercase letters, lowercase letters and numbers.
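As an added example (not part of the original tip), a Python check for the shared-secret policy stated above, plus a generator that draws a compliant key from the OS CSPRNG and re-draws until every character class is present; the 112-bit entropy threshold is an assumption of this example, not something the tip specifies.

```python
import math
import secrets
import string

# Character classes the tip requires in an L2TP shared secret.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}
ALLOWED = set().union(*CLASSES.values())
MIN_LENGTH = 20          # the tip's "20+ characters"
MIN_ENTROPY_BITS = 112   # assumed threshold, not from the tip


def estimate_entropy_bits(secret: str) -> float:
    """Upper bound on entropy: length * log2(size of the alphabet actually used)."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(ch in chars for ch in secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def check_shared_secret(secret: str) -> list[str]:
    """Return the list of policy violations; an empty list means the key passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"too short: {len(secret)} < {MIN_LENGTH}")
    for name, chars in CLASSES.items():
        if not any(ch in chars for ch in secret):
            problems.append(f"missing {name}")
    if any(ch not in ALLOWED for ch in secret):
        problems.append("contains characters outside the allowed classes")
    if estimate_entropy_bits(secret) < MIN_ENTROPY_BITS:
        problems.append("estimated entropy below threshold")
    return problems


def generate_shared_secret(length: int = 32) -> str:
    """Draw from the CSPRNG until a candidate passes every policy check."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(sorted(ALLOWED))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate
```

Run `check_shared_secret` against the value you intend to paste into both RRAS servers; a non-empty list names exactly which part of the policy it fails.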