[c-nsp] VPN 3000 Concentrator, SDI, and PPTP

Brett Looney brett at looney.id.au
Fri Aug 4 20:49:44 EDT 2006


At 05:13 5/08/2006, you wrote:
>However, I would think SDI and PPTP isn't unheard of in the corporate
>world. Does someone know magic that will satisfy our (sane) security
>policy?

To the best of my knowledge, you can't use one-time passwords with 
PPTP - but my understanding is (and I could be wrong) that this is an 
implementation choice by Microsoft. The Microsoft PPTP client will 
only encrypt the GRE tunnel if the authentication method is MS-CHAP 
or MS-CHAP-V2. You can't use those encryption types with one-time 
passwords for obvious reasons.

It appears as if Microsoft have said "well, if you're not using our 
encrypted password scheme there is no point encrypting the tunnel". 
And there you go.

Alternatives? The Cisco VPN client is what we normally use - but 
naturally that means installing software on remote machines. If my 
reasoning is correct there could be an alternative PPTP client 
implementation that does encrypt the tunnel when using (say) PAP 
authentication but I haven't seen one and that gets you back to 
installing software on remote machines... One other thing we have 
done (once) is to use the inbuilt Microsoft L2TP client. Pain in the 
butt to configure but you can use one-time passwords with it. Don't 
know if that's supported on the VPN 3000.

Sorry - haven't helped at all...

B. 


