[pptp-server] Encryption with MS VPN

Bruce Elrick belrick at home.com
Thu Feb 10 12:29:10 CST 2000 

I've got pptpd running on my system and can "dial-in" successfully from Win98
systems without the "data encryption" option on the latter side.

I am aware of the patching required to pppd to support this encryption and
even managed to get the patches applied to the source from the Redhat 6.1 SRPM
(there is a collision between Redhat's patches and the encrytion patches, but
in the end the collision was minor).

However, I am not comfortable recompiling my kernel or compiling kernel
modules, specifically the module that accompanies the pppd patch.  Actually,
my main concern is supportability since I'd like to be able to upgrade using
the distribution and not have things break.  While I may be able to set things
up once, I am willing to admit that I don't have a firm enough grasp to want
to be responsible for re-fixing things after an upgrade.

My concern is with levels of encrytion.  I assume that the initial negotiation
for the GRE channel (is that the correct term?) takes place over a TCP
connection.  Is that connection encrypted (is that what MS Win98 refers to
when it talks about requiring an encrypted password?)?

Once the channel is set up and pppd is envoked to provide the IP connection
that the GRE protocol is carrying, I assume the encrypted connection at the
ppp level is identical an encryted ppp connection running over a modem.  Yes? 
Does the GRE encapsulation provide any (if even poor) encryption around the
ppp connection?

How open is a VPN connection from a Win98 machine when the "require data
encryption" is not checked?  Forgive me for referring to these things in terms
of the Win98 VPN options :-)

Is it simply security through obscurity because the protocol is GRE(47)
instead of TCP(6)?

Does anyone know whether the efforts here will be rolled into the pppd source
tree in the future and whether this will be rolled into distributions?  My
impression is not anytime soon, but I'm hoping the recent changes to the U.S.
export regulations will change this.

My apologies for bursting into this list with all these questions.  I _have_
looked through the archives.

Cheers & thanks...
Bruce
--
Bruce Elrick, Ph.D.                       Saltus Technology Consulting Group
Personal: belrick at home.com                          IBM Certified Specialist
Business: belrick at saltus.ab.ca          ADSM, AIX Support, RS/6000 SP, HACMP

More information about the pptp-server mailing list