[VPN] PPTP as a VPN solution
Martin Peikert
lists at nolog.org
Wed Jul 23 04:38:44 EDT 2003
Hello,
Ryan Malayter wrote:
> Windows 2000/XP/2003 now support the IETF standard L2TP over IPsec for
> VPN tunnels. With the latest patches downloaded and applied, these
> technologies also support NAT traversal just like PPTP.
the question was if all the problems found in the VPN FAQ relative to
PPTP were solved or not. My answer was "No, they didn't solve the
problems belonging to Microsoft's PPTP Authentication Extensions." and
you had no argument against that.
Anyway, if all traffic (that includes the traffic that belongs to PPTP)
is tunneled (and encrypted by mechanisms IPSec provides), MS-CHAP is
(independent of the version of MS-CHAP ;-) tunneled, too.
So, since Microsoft's PPTP implementation uses MS-CHAPv2, it's not a
good idea to use that for VPNs. It's still crap - or did they fix the
problems I gave you the URL for?
> This is a secure, "clientless" VPN, assuming all your clients are
> Windows boxes, version 2000 SP3 or newer, and you have a method of
> deploying Windows patches automatically to get the NAT traversal
> feature. (You do deploy service packs and patches, right?)
If you are tunneling crap using IPSec it stays crap, but encrypted and
protected by some more effective methods to avoid compromising your VPN
tunnel.
MS still doesn't provide a patch for MS-CHAPv2. So what patches you're
talking about - with respect to my mail you answered?
> There are also quite a few good methods for deploying IPsec
> authentication certificates to Microsoft clients. There's a whitepaper
> somewhere on MS's site that talks about automatic deployment and
> configuration of VPN technologies, specifically for securing 802.11
> networks, but it will work for most any VPN implementation.
Could you be a little bit more specific? "Somewhere on MS's site" is not
really informative.
TIA
GTi
P.S.: Please trim your replies. As Hal Flynn in a mail to
focus-sun at securityfocus.com already said: When responding, please
include only the text to which you are responding, and preferably put
your responses below it, or inline. Not doing so is wasteful and
inconsiderate to those on metered lines.