[plug] IPSec / L2TP and VPNs
Steve Baker
steve at iinet.net.au
Mon Feb 7 20:08:00 WST 2005
Greg wrote:
>> Steve Baker wrote:
>>
>>> I want to set up a VPN between our main office and another site. The
>>> two office networks have private IPs (192.168.100.xx and
>>> 192.168.110.xxx) and the gateways/firewalls have public IPs.
>>> Eventually there will be more site offices that will need to
>>> communicate back to home base.
>>>
> I've been looking at using pptp to enable a Windows client to vpn over
> wireless. The standard "poptop" install doesn't have support for MPPE for
> Microsoft encryption. Has anyone had any experience in getting this to
> work? I guess one option would be to upgrade to sarge, but I'm not sure
> if I wish to do that yet.
>
> Regards
>
> Greg
Hey Greg,
I have this going already (actually, I inherited the setup, but I've
tweaked it since). As Craig mentioned, the right kernel options will
make it work. Just make sure in your pptpd.conf or options.pptpd file
that you force mschap-v2 and disable mschap, otherwise you get the
original v1 authentication protocols which supposedly have some
weaknesses. I don't know if using pap instead is any better, but I seem
to remember reading that chap is a more sophisticated protocol. You
might also want to force 128 bit mppe instead of the default 40 bit.
The relevant options from my own options.pptpd config file are:
require-chap
refuse-chapms
require-chapms-v2
mppe-128
mppe-stateless (can't remember what this one means exactly, rtfm)
From what I've read pptp security is pretty ordinary (although not
necessarily 'bad') but I haven't decided whether it is worth the hassle
to change everybody over to L2TP. Anyone?
Regards,
Steve
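
Added example (not part of the post above or of the PoPToP project): a shell check that an options file enables the three hardening options the post names. The option spellings are those used in the post and may differ in other pppd builds; the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Audit a pppd options file (e.g. options.pptpd) for the settings named in
# the post. Option spellings are the post's own (assumption: your pppd build
# uses the same names).

# Print the option name of every active line: drops blank lines, "#" comments
# and anything after the first word (arguments, trailing notes).
active_options() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# audit_pptpd_options FILE
# Prints one finding per line. Returns 0 if all three options are present,
# 1 if any is missing, 2 if the file cannot be read.
audit_pptpd_options() {
    file=$1
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }
    opts=$(active_options "$file")
    status=0
    for want in refuse-chapms require-chapms-v2 mppe-128; do
        if ! printf '%s\n' "$opts" | grep -qxF -- "$want"; then
            case $want in
                refuse-chapms)     why="MS-CHAP v1 can still be negotiated" ;;
                require-chapms-v2) why="MS-CHAP v2 is not enforced" ;;
                mppe-128)          why="128-bit MPPE is not forced" ;;
            esac
            echo "MISSING $want: $why"
            status=1
        fi
    done
    return $status
}

# Constructed sample: v2 is required, but v1 is not refused and the 128-bit
# line has been commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
require-chap
require-chapms-v2
# mppe-128
mppe-stateless
EOF
audit_pptpd_options "$sample" || true
rm -f "$sample"
```
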