[c-nsp] VPN 3000 Concentrator, SDI, and PPTP
Brett Looney
brett at looney.id.au
Fri Aug 4 20:49:44 EDT 2006
At 05:13 5/08/2006, you wrote:
>However, I would think SDI and PPTP isn't unheard of in a the
>corporate
>world. Does someone know magic that will satisfy our (sane) security
>policy.
To the best of my knowledge, you can't use one-time passwords with
PPTP - but my understanding is (and I could be wrong) that this is an
implementation choice by Microsoft. The Microsoft PPTP client will
only encrypt the GRE tunnel if the authentication method is MS-CHAP
or MS-CHAP-V2. You can't use those encryption types with one-time
passwords for obvious reasons.
It appears as if Microsoft have said "well, if you're not using our
encrypted password scheme there is no point encrypting the tunnel".
And there you go.
Alternatives? The cisco VPN client is what we normally use - but
naturally that means installing software on remote machines. If my
reasoning is correct there could be an alternative PPTP client
implementation that does encrypt the tunnel when using (say) PAP
authentication but I haven't seen one and that gets you back to
installing software on remote machines... One other thing we have
done (once) is to use the inbuilt Microsoft L2TP client. Pain in the
butt to configure but you can use one-time passwords with it. Don't
know if that's supported on the VPN 3000.
Sorry - haven't helped at all...
B.
More information about the cisco-nsp
mailing list