There are two kinds of Microsoft VPN tunnels:
1) Microsoft added a Point to Point Tunneling Protocol (PPTP) VPN client to a Windows Dial-Up Networking upgrade for Windows 95, and PPTP has been included in every Microsoft operating system released since that time, including Pocket PC 2002. Although its most significant flaws were fixed is MS-CHAPv2 years ago, PPTP is generally considered a weak VPN tunneling protocol. To learn more, visit this URL: http://www.counterpane.com/pptp.html
2) Starting with Windows 2000, Microsoft enhanced DUN with an L2TP over IPsec VPN client. By default, every Windows VPN connection attempts to negotiate L2TP over IPsec first, then falls back to PPTP. However, connections can be explicitly configured to use PPTP or L2TP only. For example, on Windows XP, open the VPN connection's Properties panel, choose the Network tab, and pick either L2TP or PPTP under "Type of VPN." IPsec is generally considered a strong VPN tunneling protocol, particularly when configured to employ strong cryptographic algorithms and avoid vulnerable options like IKE Aggressive Mode and Extended Authentication (XAUTH). To learn more about IPsec, visit this URL: http://www.vpnc.org/vpn-standards.html
Both VPNs provide cryptographic protection for wireless data payload. Someone capturing WLAN traffic will be able to see all 802.11 management and control frames, as well as the IP headers carried in 802.11 data frames. They will also be able to see cleartext parts of VPN-encrypted packets -- for example, usernames or IDs or hashed passwords that might be sent in PPTP and IPsec (IKE) packets when a tunnel is established. Someone can't steal the data passed inside the encrypted tunnel, but they can try to use exposed headers to attack the WLAN or the VPN. For example, someone might aim a "cracking" tool at your VPN gateway to try to guess a legitimate user's password or shared secret, then gain access to the network behind the VPN.
You can help deflect these attacks by enabling WEP or WPA or WPA2 on your AP. All VPN packets, including IP headers and VPN tunnel establishment packets, passed between wireless stations and the AP will then be encrypted. WEP is notoriously easy to crack; visit this URL to learn more: http://www.drizzle.com/~aboba/IEEE/ . WPA and WPA2 can be cracked when used with easy-to-guess Preshared Secret Keys (PSKs); visit this URL for guidelines on choosing good PSKs: http://searchmobilecomputing.techtarget.com/tip/0,289483,sid40_gci1026652,00.html