[VPN] PPTP as a VPN solution

Martin Peikert lists at nolog.org
Wed Jul 23 04:38:44 EDT 2003


Hello,

Ryan Malayter wrote:
> Windows 2000/XP/2003 now support the IETF standard L2TP over IPsec for
> VPN tunnels. With the latest patches downloaded and applied, these
> technologies also support NAT traversal just like PPTP.

the question was whether all the problems found in the VPN FAQ relating to 
PPTP were solved or not. My answer was "No, they didn't solve the 
problems belonging to Microsoft's PPTP Authentication Extensions." and 
you had no argument against that.

Anyway, if all traffic (that includes the traffic that belongs to PPTP) 
is tunneled (and encrypted by mechanisms IPSec provides), MS-CHAP is 
(independent of the version of MS-CHAP ;-) tunneled, too.

So, since Microsoft's PPTP implementation uses MS-CHAPv2, it's not a 
good idea to use that for VPNs. It's still crap - or did they fix the 
problems I gave you the URL for?

> This is a secure, "clientless" VPN, assuming all your clients are
> Windows boxes, version 2000 SP3 or newer, and you have a method of
> deploying Windows patches automatically to get the NAT traversal
> feature. (You do deploy service packs and patches, right?)

If you are tunneling crap using IPSec it stays crap, but encrypted and 
protected by some more effective methods to avoid compromising your VPN 
tunnel.

MS still doesn't provide a patch for MS-CHAPv2. So what patches are you 
talking about - with respect to my mail you answered?

> There are also quite a few good methods for deploying IPsec
> authentication certificates to Microsoft clients. There's a whitepaper
> somewhere on MS's site that talks about automatic deployment and
> configuration of VPN technologies, specifically for securing 802.11
> networks, but it will work for most any VPN implementation.

Could you be a little bit more specific? "Somewhere on MS's site" is not 
really informative.

TIA
GTi
P.S.: Please trim your replies. As Hal Flynn already said in a mail to 
focus-sun at securityfocus.com: When responding, please 
include only the text to which you are responding, and preferably put 
your responses below it, or inline. Not doing so is wasteful and 
inconsiderate to those on metered lines.
