Solved

What level of encryption is PPTP?

Posted on 2004-10-19
1,142 Views
Last Modified: 2013-12-04
What level of encryption is PPTP?  Are the packets encrypted at all?  How big is the hash?  How does PPTP compare to other encryption methods for VPNs?  

As you can tell, I'm looking for a bunch of info on PPTP.  Thanks!
Question by:robrandon
12 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12346693
robrandon
All you need to know here:
http://www.schneier.com/pptp.html

the biggest problem with PPTP (version 2 is supplied with Windows 2003 RRAS) is that it doesn't do NAT traversal. This means that if your client is connected to a network that provides NATted internet access (for instance) then the PPTP packets get out, but never make it back through the gateway. L2TP over IPSec is much better and is also supported by Windows 2003 RRAS.

Cheers

JamesDS
 
LVL 16

Author Comment

by:robrandon
ID: 12346765
Interesting.  It looks like PPTP really isn't secure at all.  Do you have any documentation on how to setup L2TP over IPSec on a Windows 2003 Server?  Do I need a domain-wide CA, or can I somehow just setup the server running L2TP to provide them?  Is this easy to setup?
 
LVL 16

Accepted Solution

by:
JamesDS earned 500 total points
ID: 12346993
robrandon
PPTP version 1 isn't that good, PPTP v2 is way better, L2TP/IPSec is great!

You don't need a CA, as RRAS on W2k3 supports preshared keys - which is way simpler than a full CA deployment on small networks.

My next post gives the details on configuring the wizard.

Cheers

JamesDS
LVL 16

Expert Comment

by:JamesDS
ID: 12346998
robrandon
Configure VPN Access using the RRAS Wizard

Wizard options

Remote Access (dial-up or VPN)
VPN only
External WAN - disable security
Internal LAN
Automatic IP Address assignment
Use RRAS to authenticate


Routing and Remote Access

Server Properties
General: Enable the computer as a LAN Router only
General: Remote Access Server

Security: Allow custom IPSEC policy with shared key (enter text to act as shared key) "Stick Some Text in HERE"

IP: Enable IP Routing
IP: This server can assign addresses by using DHCP
IP: Enable broadcast name resolution (select internal NIC)

PPP: Check all

Logging: Log all Events only

Ports: Add 5 L2TP inbound only, turn everything else off

IP Routing: only General and Static Routes, remove everything else

Remote Access Policies: Delete default policies, add new policy where tunnel type = L2TP and access is granted

Registry change to allow 2048-bit Diffie-Hellman connections:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
DWORD: NegotiateDH2048
Value: 1

Firewall Settings:

L2TP Inbound Requirements: Protocol 50, IPSec NAT-T UDP 4500, IKE UDP 500
(Just in Case you need them PPTP Inbound Requirement: Protocol 47, PPTP TCP 1723)

You will need to configure your firewall to forward traffic on all the ports you configured above to the internal IP of your server - or it won't see the VPN traffic.

Client Settings:
You can then use the standard VPN dial-up network client that comes with Windows:
Set Preshared Key in IPSec Properties "Stick the SAME Text in HERE"
Install IPSec NAT-T update for XP: http://support.microsoft.com/?kbid=818043


Cheers

JamesDS
 
LVL 16

Author Comment

by:robrandon
ID: 12347138
Will L2TP have problems if the client machine is on a NATted network?
This is awesome by the way.
 
LVL 16

Expert Comment

by:JamesDS
ID: 12347280
robrandon
not if you use the NAT-T update I posted above and the network allows those ports I also mentioned.

welcome!

Cheers

JamesDS
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 500 total points
ID: 12347405
> the biggest problem with PPTP (version 2 is supplied with Windows 2003 RRAS) is that it doesn't do NAT traversal. This means that if your client is connected to a network that provides NATted internet access (for instance) then the PPTP packets get out, but never make it back through the gateway. L2TP over IPSec is much better and is also supported by Windows 2003 RRAS.

The PPTP client itself doesn't do NAT-T, but then most routers will support 'VPN passthrough' or 'PPTP passthrough' and handle the NAT by themselves.  Also known as UPNP (Universal Plug and Play) for some reason...  

IPSec over L2TP is what you mean.  L2TP is the transport protocol for IPSEC, and IPSec is the bit that encrypts sessions.

I would disagree that L2TP is more secure than PPTP, or IPSEC is more secure than PPTP.  I would also disagree that PPTP is more secure than either L2TP or IPSEC.  As not to contradict myself too much, they all approach security in different ways...  take a look here:

http://www.microsoft.com/ntserver/support/faqs/VPNSec_FAQ
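Added example, not code from any poster in this thread: a toy port-translating NAT in Python that shows the behaviour JamesDS and Tim Holman are discussing. TCP and UDP flows get a port mapping, so IKE (UDP 500), IPsec NAT-T (UDP 4500) and the PPTP control channel (TCP 1723) from JamesDS's firewall list come back through the gateway. GRE (IP protocol 47, which carries PPTP's tunnelled data) and raw ESP (protocol 50) have no port field, so a plain NAT rewrites the source and forwards them out but has nothing to match the reply against, which is exactly "the packets get out, but never make it back". A "PPTP passthrough" helper that keys the flow on the GRE call ID instead of a port is modelled as well. The addresses, call IDs and the simplification that the server's reply carries the same call ID are assumptions of this example (a real helper learns both call IDs from the TCP/1723 control connection).

```python
"""Toy NAT: why PPTP (GRE) and raw ESP break behind a plain port-NAT while
IKE/NAT-T (UDP 500/4500) and TCP 1723 survive.  Added example, not from the thread."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# IP protocol numbers from the thread's firewall list
GRE, ESP, TCP, UDP = 47, 50, 6, 17


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # GRE and ESP carry no port fields
    dport: Optional[int] = None
    call_id: Optional[int] = None  # GRE key field used by PPTP (RFC 2637)


class Nat:
    """Source NAT that keys its translation table on the 5-tuple of TCP/UDP flows."""

    def __init__(self, public_ip: str, pptp_passthrough: bool = False):
        self.public_ip = public_ip
        self.pptp_passthrough = pptp_passthrough
        # reply-lookup key -> (private ip, private port)
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet and record how to map the reply."""
        if pkt.proto in (TCP, UDP):
            mapped = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, pkt.dst, pkt.dport, mapped)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.public_ip, sport=mapped)
        if pkt.proto == GRE and self.pptp_passthrough:
            # "PPTP passthrough": a helper keys the flow on the GRE call ID instead of a port.
            # Simplified: the real helper learns both call IDs from the TCP/1723 control channel.
            self.table[(GRE, pkt.dst, pkt.call_id, None)] = (pkt.src, None)
            return replace(pkt, src=self.public_ip)
        # GRE/ESP with no helper: the packet still gets out with its source rewritten,
        # but nothing unique is recorded, so the reply cannot be matched later.
        return replace(pkt, src=self.public_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map an outside->inside reply back to the private host, or None if it is dropped."""
        if pkt.proto in (TCP, UDP):
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        else:
            key = (pkt.proto, pkt.src, pkt.call_id, None)
        hit = self.table.get(key)
        if hit is None:
            return None
        priv_ip, priv_port = hit
        return replace(pkt, dst=priv_ip, dport=priv_port)


def round_trip(nat: Nat, pkt: Packet) -> Optional[str]:
    """Send pkt through the NAT, let the server answer, return the private IP the answer reaches."""
    out = nat.outbound(pkt)
    # The server answers whatever source it saw, swapping ports; the GRE reply is assumed
    # (simplification) to carry the same call ID.
    reply = Packet(proto=out.proto, src=out.dst, dst=out.src,
                   sport=out.dport, dport=out.sport, call_id=out.call_id)
    back = nat.inbound(reply)
    return back.dst if back else None


if __name__ == "__main__":
    # Constructed addresses: two clients behind one gateway, one VPN server.
    server = "198.51.100.10"
    plain = Nat("203.0.113.1")
    helper = Nat("203.0.113.1", pptp_passthrough=True)
    for name, nat, pkt in [
        ("IKE UDP/500", plain, Packet(UDP, "10.0.0.5", server, 500, 500)),
        ("NAT-T UDP/4500", plain, Packet(UDP, "10.0.0.5", server, 4500, 4500)),
        ("PPTP control TCP/1723", plain, Packet(TCP, "10.0.0.5", server, 51000, 1723)),
        ("PPTP data GRE, plain NAT", plain, Packet(GRE, "10.0.0.5", server, call_id=1)),
        ("raw ESP, plain NAT", plain, Packet(ESP, "10.0.0.5", server)),
        ("PPTP data GRE, passthrough", helper, Packet(GRE, "10.0.0.5", server, call_id=1)),
        ("second client GRE, passthrough", helper, Packet(GRE, "10.0.0.6", server, call_id=2)),
    ]:
        print(f"{name:32s} -> {round_trip(nat, pkt) or 'reply dropped'}")
```

The ESP case is the reason NAT-T exists: UDP 4500 encapsulation gives the gateway a port to key on, which is why JamesDS's list opens UDP 4500 and why the XP NAT-T update is needed for an L2TP/IPSec client behind NAT.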
 
LVL 16

Author Comment

by:robrandon
ID: 12347499
I found the article here since the link didn't work:
http://www.microsoft.com/ntserver/support/faqs/VPNSec_FAQ.asp

Is this the same one you were referencing?  It is dated December 11, 1998.  Is it still relevant with the current day implementations of PPTP and L2TP?

 
LVL 23

Expert Comment

by:Tim Holman
ID: 12348273
Same one...  I missed off the .asp...
Still very much relevant...
PPTP is designed for user authentication, and is very quick and easy to setup so that users have an encrypted tunnel back to head office.
The main weakness in it is the fact it uses a user password, although if you can implement PPTP with user certificates instead then that's a pretty good level of security, but then you may as well use an IPSEC client with certificates if this is the case as it would be easier to setup...
There are a few more links here that may help:

http://www.iss.net/security_center/advice/Countermeasures/VPN/PPTP/default.htm

http://www.sans.org/resources/malwarefaq/pptp-vpn.php

http://www.schneier.com/paper-pptpv2.html

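Added example, not Tim Holman's or the thread's code: Tim's point that the user password is PPTP's main weakness can be made concrete from the specifications, which also answers the original "how big is the hash" question. With MS-CHAPv2 (RFC 2759) the NT password hash is a 16-byte MD4 of the UTF-16LE password, and MPPE's 128-bit session keys (RFC 3079 section 3.3) are SHA-1 derived from MD4 of that hash plus the 24-byte NT-Response that crosses the wire in the clear. The Python below implements that chain (MD4 is included because hashlib does not offer it on many OpenSSL 3 builds), so the session key has no more entropy than the password: anyone who sniffs the handshake and guesses the password can derive both directions' keys offline. The 24-byte nt_response and the candidate word list are constructed placeholders, not a real capture.

```python
"""MPPE 128-bit session keys derived from the NT password hash
(MS-CHAPv2, RFC 2759; key derivation, RFC 3079 s3.3).  Added example, not from the thread."""
import hashlib
import struct
from typing import Dict, Tuple

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


# RFC 1320 round functions, additive constants, shift tables and message-word order
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), list(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     [(i % 4) * 4 + i // 4 for i in range(16)]),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); 16-byte digest."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for fn, const, shifts, order in _ROUNDS:
            for i, k in enumerate(order):
                A = _rotl((A + fn(B, C, D) + X[k] + const) & MASK32, shifts[i % 4])
                A, B, C, D = D, A, B, C   # rotate roles: next step updates the old D
        a, b, c, d = (a + A) & MASK32, (b + B) & MASK32, (c + C) & MASK32, (d + D) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 s8.3): MD4 over the UTF-16LE password, 16 bytes."""
    return md4(password.encode("utf-16-le"))


# RFC 3079 s3.3 constants
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."
SHAPAD1 = b"\x00" * 40
SHAPAD2 = b"\xf2" * 40


def master_key(password: str, nt_response: bytes) -> bytes:
    """GetMasterKey: SHA1(MD4(NtPasswordHash) || NT-Response || Magic1)[:16]."""
    password_hash_hash = md4(nt_hash(password))
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def asymmetric_start_key(master: bytes, is_send: bool, is_server: bool) -> bytes:
    """GetAsymmetricStartKey for 128-bit MPPE (SessionKeyLength = 16)."""
    magic = MAGIC3 if is_send == is_server else MAGIC2
    return hashlib.sha1(master + SHAPAD1 + magic + SHAPAD2).digest()[:16]


def mppe_session_keys(password: str, nt_response: bytes, is_server: bool = False) -> Tuple[bytes, bytes]:
    """(send key, receive key) for one side of the tunnel."""
    mk = master_key(password, nt_response)
    return asymmetric_start_key(mk, True, is_server), asymmetric_start_key(mk, False, is_server)


def candidate_keys(nt_response: bytes, wordlist) -> Dict[str, str]:
    """What an eavesdropper can precompute from a captured NT-Response: one client send key
    per password guess.  The key space is the password space, nothing larger."""
    return {pw: mppe_session_keys(pw, nt_response)[0].hex() for pw in wordlist}


if __name__ == "__main__":
    # Constructed placeholder for the 24-byte NT-Response seen on the wire (not a real capture).
    captured_response = bytes(range(24))
    print("NT hash of 'password':", nt_hash("password").hex())
    for pw, key in candidate_keys(captured_response, ["password", "Password", "letmein"]).items():
        print(f"{pw:10s} -> client send key {key}")
```

Because the client's send key equals the server's receive key (and vice versa), recovering the password from the MS-CHAPv2 exchange yields both directions of the MPPE stream; this is the concrete form of Tim's remark that certificates (or an IPSec client with certificates) remove that dependency.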
 
LVL 16

Author Comment

by:robrandon
ID: 12351252
I think I'm close to getting this setup.  I see traffic related to port 30300 UDP trying to pass through the firewall.  Is this familiar?
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12352551
30300 doesn't mean much to me - is this source or destination ?  I can't find 30300 UDP as a server port on any port listings on the net ?
 
LVL 16

Author Comment

by:robrandon
ID: 12352954
I couldn't either, but I can't connect from a client inside the firewall so I must have done something wrong.  I'll look into it tomorrow.  Regardless, my posted question was answered.  Thank you both.  I'm splitting points.