L2TP w/ Preshared Key better than PPTP?


Archived from groups: comp.dcom.vpn (More info?)


I'm just dipping my big toe into VPNs and have read a couple of
things:

1. L2TP over IPSec is more secure than PPTP.
2. Using a Certificate is more secure than a Preshared Key.

Being cheap/broke, I'd rather not have to buy a certificate at this
point. So I ask: is it more secure to use L2TP only if a Certificate
is used? Or is L2TP more secure than PPTP even if a shared key is
used?

Also, what are the risks with using a shared key that aren't there
with certificates? Isn't a certificate basically a big ol' shared key
stored in a file somewhere?

Thanks!

Jeff


Jeff Cooper <jscooper22@yahoo.com> wrote:
> I'm just dipping my big toe into VPNs and have read a couple of
> things:
>
> 1. L2TP over IPSec is more secure than PPTP.
> 2. Using a Certificate is more secure than a Preshared Key.
>
> Being cheap/broke, I'd rather not have to buy a certificate at this
> point. So I ask: is it more secure to use L2TP only if a Certificate
> is used? Or is L2TP more secure than PPTP even if a shared key is
> used?

You don't have to buy a certificate to use 'em, you can set up your
own certificate authority (with openssl on unix or Certificate Authority
service on Windows Server) and issue them yourself. As long as both
endpoints trust the CA they will accept each other's certificates.

That said, it's generally a lot easier and only somewhat less secure to use
PSK, presuming you pick a good PSK, and are using all WinXP or Win2003.
For win2k it's actually easier to set up a CA and use certificates, see
http://support.microsoft.com/defau [...] US;q240262 for the
PSK procedure!

> Also, what are the risks with using a shared key that aren't there
> with certificates? Isn't a certificate basically a big ol' shared key
> stored in a file somewhere?

If you don't require any other authentication, that's basically true.

Microsoft PPTP is less secure in a cryptographic sense than L2TP. Check
out http://www.schneier.com/pptp.html which though old is still accurate.
But depending on what you're doing it is probably "good enough".
IMO the deal-breaker for L2TP is that it won't work through NAT.

--

- Eric Sorenson - Explosive Networking - http://eric.explosive.net -

Reply to Anonymous
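Eric's suggestion of running your own CA, as an added example that is not from the thread: a POSIX shell script that uses openssl to create a private CA, issue a certificate to each VPN endpoint, and show that an endpoint trusting that CA accepts those certificates and rejects one issued by a different CA. The CA name, endpoint names and file layout are assumptions.

```shell
#!/bin/sh
# Added example: a private CA for L2TP/IPsec endpoints. Every name and
# file below is an assumption for the demo, not from the original thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # all keys and certs land in this scratch dir

# Create a CA: a self-signed cert whose private key will sign endpoint certs.
# $1 = file prefix, $2 = CA display name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a certificate to one endpoint. The endpoint's .key stays on that
# machine; only its .crt and the CA's .crt are ever copied around, which is
# the practical difference from a PSK that both sides must hold in full.
# $1 = signing CA prefix, $2 = endpoint prefix, $3 = endpoint CN
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -in "$WORK/$2.csr" -out "$WORK/$2.crt" 2>/dev/null
}

# What an endpoint that trusts CA $1 decides about certificate $2:
# prints "ok" when the cert chains to that CA, "fail" otherwise.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Build the demo: one home CA with a server and a client cert, plus an
# unrelated CA that issues a cert claiming the same server name.
build_demo() {
  make_ca ca "Home VPN CA"
  issue_cert ca server "vpn.example.test"
  issue_cert ca client "jeff-laptop"
  make_ca rogue "Untrusted CA"
  issue_cert rogue impostor "vpn.example.test"
}
build_demo
```

Only ca.crt needs to be installed as trusted on each endpoint; the impostor cert carries the right name but the wrong signature, so it is refused without any secret having been shared.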


> IMO the deal-breaker for L2TP is that it won't work through NAT.

I would. I have Windows 2003 and ISA firewall. Windows 2003 and Windows XP
SP2 clients behind NAT can connect to VPN. I just had to open some
additional ports on the ISA firewall. I don't remember which ones right now,
but if somebody is interested I can take a look.

Reply to zvuk


I'd be interested in seeing what you did. I am trying to convert our PPTP
VPNs to L2TP. But we can't make it work if the client user is behind a NAT.

The VPN server(s) are Windows 2000 AS SP4 , the clients Windows XP SP2. I
think we have opened most of the ports but I'd like to see how you handled
it.

"Zvuk" <tmp4@mim-sraga.hr> wrote in message
news:cvoctb$7q$1@bagan.srce.hr...
>
>> IMO the deal-breaker for L2TP is that it won't work through NAT.
>
> I would. I have Windows 2003 and ISA firewall. Windows 2003 and Windows XP
> SP2 clients behind NAT can connect to VPN. I just had to open some
> additional ports on the ISA firewall. I don't remember which ones right
> now, but if somebody is interested I can take a look.
>

Reply to Anonymous

Installing NAT-T for L2TP/IPsec should help. See the following URL for
more information:

http://support.microsoft.com/defau [...] s%3B818043

HTH,

Mark

CCIE#6280 / CCSI#21051 / MCSE+I

Author: 'Troubleshooting Virtual Private Networks' (Cisco Press)

http://www.amazon.com/exec/obidos/ASIN/1587051044/

Reply to mark

Briefly:
a. Create a packet filter for inbound UDP 500 (receive/send)
b. Create a packet filter for inbound UDP 4500 (receive/send)
c. Create a packet filter for inbound UDP 1701 (receive/send)
I think it's all there:
http://www.tacteam.net/isaserveror [...] ilters.htm

You can connect from Windows 2003, XP SP2 (you must have SP2!). If you
install a new version of Dial-Up Networking (I don't remember which version it
has to be, probably 1.3) you can connect also from 98, maybe even 95. For 2k
clients, I don't remember right now if I needed to install some updates in
order for them to work.

But you said you have XPSP2 clients, so you should have no trouble at all.

Enjoy!

By the way, I desperately need contact with somebody who managed to
configure a L2TP/IPSec connection with Cisco router as client and Windows
2003 as server.

"Newscene" <not_real@internet.org> wrote in message
news:42325c17$0$3300$bb4e3ad8@newscene.com...
> I'd be interested in seeing what you did. I am trying to convert our PPTP
> VPNs to L2TP. But we can't make it work if the client user is behind a
> NAT.
>
> The VPN server(s) are Windows 2000 AS SP4 , the clients Windows XP SP2. I
> think we have opened most of the ports but i'd like to see how you handled
> it.
>
>
>
>
>
> "Zvuk" <tmp4@mim-sraga.hr> wrote in message
> news:cvoctb$7q$1@bagan.srce.hr...
>>
>>> IMO the deal-breaker for L2TP is that it won't work through NAT.
>>
>> I would. I have Windows 2003 and ISA firewall. Windows 2003 and Windows
>> XP SP2 clients behind NAT can connect to VPN. I just had to open some
>> additional ports on the ISA firewall. I don't remember which ones right
>> now, but if somebody is interested I can take a look.
>>
>
>

Reply to zvuk