128 bit PPTP Encryption and NAT

Pete Davis pete at ETHER.NET
Sat Aug 12 06:45:54 EDT 2000


The Cisco VPN 3000 Concentrator has always supported 128bit encryption with
PPTP to a NAT/PAT environment, as long as your NAT/PAT device has support for
GRE/PAT.

128bit PPTP requires a RADIUS server with MPPE/MSCHAP support.

Funk SBR supports 128bit with MSCHAPv1
Microsoft IAS supports 128bit with MSCHAPv2

Best Regards,
-pete


On Fri, Aug 11, 2000 at 05:23:24PM -0700, Michael Medwid wrote:
> I wonder if the Altiga will ever support 128bit encryption with PPTP to a
> NAT/PAT environment.
>
> -----Original Message-----
> From: Hugo Caye [mailto:Hugo at MICMAC.COM.BR]
> Sent: Friday, August 11, 2000 4:43 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: 128 bit PPTP Encryption and NAT
>
>
> AFAIK, Eicon DIVA LAN also supports PPTP/GRE NAT/PAT. Can anybody
> confirm that this info is 100% correct?
> <http://www.eicon.com/divalan/>
>
> Cisco's IOS must be at least 12.1(3)T. See bug id CSCdk60714.
>
> Currently I have a customer with Win2K NAT with PPTP/GRE running
> pretty well.
>
>
>             Hugo Caye
>
> O__  ----
> c/ /'_ ---
> (*) \(*) --
> ~~~~~~~~
> ccna ccda
> mcne³ ncip
> mcse cne5
>
> -----Original Message-----
> From: Geir Aasen [mailto:Geir.Aasen at ASKPROXIMA.NO]
>
> Win2K NAT supports GRE(PPTP) and 3COM ISDN lanmodem, Sonicwall.
> Most NAT implementations don't.
>
> Geir Aasen
>
> > ----------
> > From: 	Jon Carnes[SMTP:jonc at HAHT.COM]
> >
> > Linux (and BSD) fully support running PPTP from behind a NAT.  They are
> > beyond the patch stage.  You can run multiple incidents of PPTP from behind
> > a Linux firewall.
> >
> > Jon Carnes
>
> > ----- Original Message -----
> > From: "Pete Davis" <pete at ETHER.NET>
> >
> > > You can use PPTP sessions from behind a NAT (PAT) device as long as it
> > > supports GRE PAT, which most devices do not. Many small devices do have
> > > this support and Linux does with a special patch from John Hardin. You
> > > will only be able to use 1 PPTP session at a time from behind this NAT
> > > device to a specific central site Concentrator at a time.
> > >
> > > Regards,
> > >
> > > pete
> > >
> > > On Mon, Jul 31, 2000 at 05:59:27PM -0700, Michael Medwid wrote:
> > > > Should there be any incompatibility between 128 bit PPTP encryption
> > > > and users behind a NATted environment?  My Altiga (Cisco 3030) seems
> > > > to kick off the tunnels if they were originated from a NATted
> > > > environment.  Cisco TAC didn't have too much to say on the whole thing
> > > > other than "uh yeah that won't work."  Thanks for any insight.
> > > >
> > > > -Michael
>
> VPN is sponsored by SecurityFocus.COM

---
     Pete Davis - Product Manager <psd at cisco.com>  (508) 541-7300 x6154
   Cisco Systems, Inc.  - 124 Grove Street Suite 205   Franklin, MA 02038
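
Added example (not part of the original message, and not code from any vendor or project named in the thread): a toy Python model of the GRE PAT limitation discussed above. It shows why a NAT that tracks portless GRE only by remote address can carry one PPTP tunnel per concentrator, while one that keys on the Call ID in PPTP's enhanced GRE header (RFC 2637) can carry several. The `GreNat` class, addresses and Call IDs are constructed for illustration; a real NAT learns the Call ID from the TCP 1723 control channel.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)

def build_gre(call_id, payload=b"", seq=0):
    """Constructed enhanced-GRE packet: K and S bits set, version 1."""
    hdr = struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_PROTO,
                      len(payload), call_id, seq)
    return hdr + payload

def parse_call_id(pkt):
    """Return the Call ID of a PPTP GRE packet, or None if it is not one."""
    if len(pkt) < 8:
        return None
    flags, ver, proto, _plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO or (ver & 0x07) != 1 or not flags & 0x20:
        return None
    return call_id

class GreNat:
    """Hypothetical model of the inbound GRE lookup on a PAT device."""

    def __init__(self, track_call_id):
        self.track_call_id = track_call_id
        self.table = {}  # lookup key -> inside client address

    def _key(self, server, call_id):
        # GRE has no ports: without the Call ID only the server IP is left.
        return (server, call_id) if self.track_call_id else (server,)

    def outbound(self, client, server, client_call_id):
        """Register a tunnel; False means it collides with an existing one.
        (A real Call-ID-aware NAT would rewrite a clashing Call ID instead.)"""
        key = self._key(server, client_call_id)
        if self.table.get(key, client) != client:
            return False
        self.table[key] = client
        return True

    def inbound(self, server, pkt):
        """Inside client that a server-to-client GRE packet is delivered to.
        Such packets carry the Call ID chosen by the receiving client."""
        call_id = parse_call_id(pkt)
        if call_id is None:
            return None
        return self.table.get(self._key(server, call_id))
```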
