[plug] IPSec / L2TP and VPNs

Steve Baker steve at iinet.net.au
Mon Feb 7 20:08:00 WST 2005


Greg wrote:

>> Steve Baker wrote:
>>
>>> I want to set up a VPN between our main office and another site.  The 
>>> two office networks have private IPs (192.168.100.xx and 
>>> 192.168.110.xxx) and the gateways/firewalls have public IPs.  
>>> Eventually there will be more site offices that will need to 
>>> communicate back to home base.
>>>   
> I've been looking at using pptp to enable a windows client to vpn over 
> wireless. The standard "poptop" install doesn't have support for MPPE for 
> microsoft encryption. Has anyone had any experience in getting this to 
> work? I guess one option would be to upgrade to sarge, but I'm not sure 
> if I wish to do that yet.
> 
> Regards
> 
> Greg

Hey Greg,

I have this going already (actually, I inherited the setup, but I've 
tweaked it since).  As Craig mentioned, the right kernel options will 
make it work.  Just make sure in your pptpd.conf or options.pptpd file 
that you force mschap-v2 and disable mschap, otherwise you get the 
original v1 authentication protocols which supposedly have some 
weaknesses.  I don't know if using pap instead is any better, but I seem 
to remember reading that chap is a more sophisticated protocol.  You 
might also want to force 128 bit mppe instead of the default 40 bit.

The relevant options from my own options.pptpd config file are:
require-chap
refuse-chapms
require-chapms-v2
mppe-128
mppe-stateless  (can't remember what this one means exactly, rtfm)

From what I've read pptp security is pretty ordinary (although not 
necessarily 'bad') but I haven't decided whether it is worth the hassle 
to change everybody over to L2TP.  Anyone?

Regards,
Steve
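
Added example (not part of the original message): a small Python check that reads an options.pptpd-style file and reports whether the settings discussed above are present. The function names and sample files are constructed for illustration; the second spelling of each option is the pppd 2.4.2+ name for the same setting.

```python
# Audit pppd/pptpd option text for the authentication and MPPE settings
# discussed in the message above. Illustrative code, not from the poptop project.

# Each check passes if any one of the listed option names is present.
REQUIRED = {
    "MS-CHAPv2 required": {"require-chapms-v2", "require-mschap-v2"},
    "MS-CHAPv1 refused": {"refuse-chapms", "refuse-mschap"},
    "128-bit MPPE required": {"mppe-128", "require-mppe-128"},
}
# Options that weaken the tunnel if they appear.
WEAK = {
    "40-bit MPPE enabled": {"mppe-40", "require-mppe-40"},
    "MS-CHAPv1 required": {"require-chapms", "require-mschap"},
    "PAP required": {"require-pap"},
}

def parse_options(text):
    """Return the set of option keywords, ignoring comments and arguments."""
    opts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            opts.add(line.split()[0])
    return opts

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse_options(text)
    findings = []
    for label, names in REQUIRED.items():
        if not opts & names:
            findings.append("missing: " + label)
    for label, names in WEAK.items():
        hit = opts & names
        if hit:
            findings.append("weak: %s (%s)" % (label, ", ".join(sorted(hit))))
    return findings

# Constructed sample: the option list quoted in the message.
HARDENED = "require-chap\nrefuse-chapms\nrequire-chapms-v2\nmppe-128\nmppe-stateless\n"
# Constructed sample: CHAP only, 40-bit MPPE.
WEAK_SAMPLE = "require-chap\nmppe-40   # default key length\n"

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK_SAMPLE)):
        print(name, audit(sample) or "OK")
```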
