[c-nsp] Can a Cisco 837 terminate a Road warrior VPN?

Brett Looney brett at looney.id.au
Sun Aug 7 19:03:16 EDT 2005


At 01:25 8/08/2005, you wrote:
>I would recommend against PPTP. It is easily compromised.

Without wanting to start a religious war, I would *love* for someone to 
point me at an example of this. I've read just about everything I can find 
and while just about everyone agrees that PPTP is somewhat less secure than 
IPSEC and *might* be easily compromised, I have yet to see anything concrete.

Note that there are two distinct versions of PPTP - the original version 
really was trivial to compromise but I haven't seen anything actually 
*proven* for the later one which had a whole bunch of fixes in it. But, 
happy to be proven wrong...

>Look up and see if the 837 can do easy VPN server.
>If yes, then just search for an example of that....

Doesn't have to be Easy VPN - you can do the normal Cisco VPN client with 
IPSEC, etc. We use this in many places but it does have the disadvantage of 
needing to have a VPN client installed on the remote PC (bring on extra 
support and potential compatibility issues). Hence the choice of PPTP in 
some cases.

The biggest downside of PPTP is that in the MS implementation it refuses to 
encrypt the GRE tunnel if you're using anything other than MS-CHAP. 
Therefore, it can't be used with one-time password systems like SecurID. 
Kinda sucks...

Anyway - sorry about the rant - but please tell me about the PPTP issues...

B. 


