FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP
Patrick Reid
P.J.Reid at earthling.net
Mon Sep 11 10:49:05 CDT 2000
The patches I was referring to are the patches which M$ issued to address
some of the weaknesses identified in the Counterpane analysis of MS-Chap.
If you combine application of the most up-to-date DUN version in Windows
with some pppd options in Linux (like allowing only 128-bit ms-chap2
connections, which requires another couple of patches to add the options),
you eliminate the most grievous of the holes in M$' MS-Chap.
Patrick Reid - mailto:PReid at candesco.com
Candesco Research Corp.
Communication Centre: <http://www.mirabilis.com/1052176>
-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Hovell
Sent: September 9, 2000 11:20 PM
To: Patrick Reid
Cc: pptp-server at lists.schulte.org
Subject: Re: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP
Patrick --
Patrick Reid wrote:
> This could also be very useful for people who have machines which are behind
> a NAT wall which they don't control (like my own high-speed link).
Yeah, I thought so! Or countries that don't allow proto 50 etc...
> However, if I already have a PPTP link up and can then run IPSec over it,
> this means I could have IPSec encryption, which is generally felt to be
> superior to MSChap v2 (even with the patches in place).
What do you mean, patch? You don't mean patching pppd for Linux, do you? I
mean without that in place, there is *zero* encryption. And AFAIK, the "128
bit enc." is really insecure b/c of protocol design.
Please let me know if you are talking about something else...
Cheers,
John
>
> Thanks for this info!.
>
> Patrick Reid - mailto:PReid at candesco.com
> Candesco Research Corp.
> Communication Centre: <http://www.mirabilis.com/1052176>
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Hovell
> Sent: September 6, 2000 12:55 AM
> To: Justin Kreger; pptp-server at lists.schulte.org
> Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP
>
> Hello all --
>
> I solved the problem... IPSec over PPP is possible. This is just wacky, but
> this is what to do:
>
> PGPnet only wants to bind to your "Dial Up Adapter" -- not #2 for VPN
> support as one might logically think. Bind it to "Dial Up" and it works like
> a charm.
>
> This might actually be useful to people who aren't allowed to transmit
> protocols 50 or 51... since they can tunnel it all over tcp/1723 and still
> get IPSec data encryption.
>
> Cheers,
> John
>
> John Hovell wrote:
>
> > Justin --
> >
> > This is because PGPnet sucks so much, that for no discernible reason when
> > I try to bind PGPnet to my Ethernet card on one of the machines, I can't
> > get any network connectivity. I have reinstalled the ether card 3 times...
> > and even installed the driver files manually by hand. The card is a 3com
> > PCMCIA 3c574 Cardbus card. It works beautifully without PGPnet... The
> > reason I am doing the bass-ackwards configuration is because PGPnet will
> > at least bind to the VPN dial-up adapter... but that may be just my problem.
> >
> > Any other ideas? Thanks for your help...
> >
> > Cheers,
> > John
> >
> > Justin Kreger wrote:
> >
> > > Why not setup two linux boxes to do the IPSec? and just have the windows
> > > boxes use pptp so they can browse the remote network if you didn't setup
> > > your ipsec wan so it passes the Browser List.
> > > -LW
> > >
> > > -----Original Message-----
> > > From: John Hovell [mailto:john.hovell at home.com]
> > > Sent: Monday, September 04, 2000 1:58 AM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] IPSec *over* PPtP
> > >
> > > Hello all --
> > >
> > > I have some Win98 boxes that want to do IPSec over their PPTP
> > > connection... just transport mode from one computer to another. The
> > > IPSec SA is currently successful (both phase 1 and 2).. everything seems
> > > to be set up fine, until I actually try to send data. If I try to ping
> > > the remote VPN client from the IPSec machine on the local lan I get
> > > (from tcpdump):
> > >
> > > 01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76
> > > 01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol 50 unreachable
> > >
> > > If I do the same thing from the remote host I get:
> > >
> > > 01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request
> > >
> > > (note the lack of encryption despite the *established* SA...)
> > >
> > > Do I need to somehow enable protocol 50 (and 51)?? IPchains forward is
> > > set up to accept all traffic between these hosts. There is no
> > > masquerading between the two machines.
> > >
> > > Does anyone know what I am missing? FYI, I am using PGPnet 6.5.8
> > > Personal Privacy (freeware) on both Windows IPSec machines.
> > >
> > > TiA for any advice or help...
> > >
> > > Cheers,
> > > John
> > >
> > > _______________________________________________
> > > pptp-server maillist - pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > List services provided by www.schulteconsulting.com!
> >
>
>
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!
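The tcpdump output quoted in John's original message (ESP rejected with "protocol 50 unreachable", then a cleartext echo request despite an *established* SA) is exactly the failure mode worth catching automatically. The following is an added example, not code from this thread or from PGPnet: it parses constructed tcpdump lines in that same old format and flags cleartext traffic between a pair of hosts that should be protected by an IPsec SA, plus ICMP errors showing ESP/AH is being rejected on the path.

```python
import re

# Constructed sample, in the 2000-era tcpdump format quoted in the thread:
# "HH:MM:SS.usec <dir> src > dst: payload"
SAMPLE_LINES = [
    "01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76",
    "01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol 50 unreachable",
    "01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request",
    "01:53:08.120004 < 172.16.0.4 > 172.16.0.175: ip-proto-50 84",
]

# Hosts that are supposed to talk only through an IPsec SA (assumption for the sample).
IPSEC_PEERS = {frozenset(("172.16.0.4", "172.16.0.175"))}

LINE_RE = re.compile(r"^(\S+)\s+[<>]\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def parse_line(line):
    """Split one old-style tcpdump line into timestamp, src, dst and payload text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, payload = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "payload": payload}


def classify(pkt):
    """ipsec: ESP/AH on the wire; ipsec_rejected: ICMP says proto 50/51 blocked; else cleartext."""
    p = pkt["payload"]
    if p.startswith("ip-proto-50") or p.startswith("ip-proto-51"):
        return "ipsec"
    if "protocol 50 unreachable" in p or "protocol 51 unreachable" in p:
        return "ipsec_rejected"
    return "cleartext"


def audit(lines, peers):
    """Count protected/rejected packets and collect cleartext lines between IPsec peers."""
    findings = {"ipsec": 0, "ipsec_rejected": 0, "cleartext_between_peers": []}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # not a packet line; skip rather than guess
        if frozenset((pkt["src"], pkt["dst"])) not in peers:
            continue  # traffic outside the monitored peer pairs
        kind = classify(pkt)
        if kind == "cleartext":
            findings["cleartext_between_peers"].append(line)
        else:
            findings[kind] += 1
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_LINES, IPSEC_PEERS))
```

Any entry in `cleartext_between_peers` means data left the host unencrypted even though the SA negotiation succeeded; a non-zero `ipsec_rejected` count points at a filter or stack on the path that drops protocol 50/51.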