
What level of encryption is PPTP?

Posted on 2004-10-19
Last Modified: 2013-12-04
What level of encryption is PPTP?  Are the packets encrypted at all?  How big is the hash?  How does PPTP compare to other encryption methods for VPNs?  

As you can tell, I'm looking for a bunch of info on PPTP.  Thanks!
Question by:robrandon
12 Comments
 

Expert Comment

by:JamesDS
ID: 12346693
robrandon
All you need to know here:
http://www.schneier.com/pptp.html

the biggest problem with PPTP (version 2 is supplied with Windows 2003 RRAS) is that it doesn't do NAT traversal. This means that if your client is connected to a network that provides NATted internet access (for instance) then the PPTP packets get out, but never make it back through the gateway. L2TP over IPSec is much better and is also supported by Windows 2003 RRAS.

Cheers

JamesDS
 

Author Comment

by:robrandon
ID: 12346765
Interesting.  It looks like PPTP really isn't secure at all.  Do you have any documentation on how to setup L2TP over IPSec on a Windows 2003 Server?  Do I need a domain-wide CA, or can I somehow just setup the server running L2TP to provide them?  Is this easy to setup?

 

Accepted Solution

by:JamesDS (earned 125 total points)
ID: 12346993
robrandon
PPTP version 1 isn't that good, PPTP v2 is way better, L2TP/IPSec is great!

You don't need a CA, as RRAS on W2k3 supports preshared keys - which is way simpler than a full CA deployment on small networks.

My next post gives the details on configuring the wizard.

Cheers

JamesDS
 

Expert Comment

by:JamesDS
ID: 12346998
robrandon
Configure VPN Access using the RRAS Wizard

Wizard options

Remote Access (dial-up or VPN)
VPN only
External WAN - disable security
Internal LAN
Automatic IP Address assignment
Use RRAS to authenticate


Routing and Remote Access

Server Properties
General: Enable the computer as a LAN Router only
General: Remote Access Server

Security: Allow custom IPSEC policy with shared key (enter text to act as shared key) "Stick Some Text in HERE"

IP: Enable IP Routing
IP: This server can assign addresses by using DHCP
IP: Enable broadcast name resolution (select internal NIC)

PPP: Check all

Logging: Log all Events only

Ports: Add 5 L2TP inbound only, turn everything else off

IP Routing: only General and Static Routes, remove everything else

Remote Access Policies: Delete default policies, add new policy where tunnel type = L2TP and access is granted

Registry Change to allow 2048bit Diffie-Hellman connections:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
DWORD: NegotiateDH2048
Value: 1

Firewall Settings:

L2TP Inbound Requirements: Protocol 50, IPSec NAT-T UDP 4500, IKE UDP 500
(Just in Case you need them PPTP Inbound Requirement: Protocol 47, PPTP TCP 1723)

You will need to configure your firewall to forward traffic on all the ports you configured above to the internal IP of the your server - or it won't see the VPN traffic.

Client Settings:
You can then use the standard VPN dial up network client that comes with windows:
Set Preshared Key in IPSec Properties "Stick the SAME Text in HERE"
Install IPSec NAT-T update for XP: http://support.microsoft.com/?kbid=818043


Cheers

JamesDS
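The firewall requirements in the post above (ESP protocol 50, IKE UDP 500, NAT-T UDP 4500 for L2TP/IPsec; GRE protocol 47 and TCP 1723 for PPTP) are easy to get subtly wrong, and a dropped flow shows up only as a client that never connects. The following script is an added example, not part of the original thread: it parses firewall log lines in a constructed, generic "proto src:port -> dst:port ACTION" format (the regex is an assumption; adapt it to what your firewall actually emits) and reports any required VPN flow that was dropped, plus any accepted flow that matches none of the listed rules. The sample log lines and the 192.0.2.x/203.0.113.x addresses are constructed for the example.

```python
"""Audit firewall log lines against the inbound VPN rules listed in the post.

Added example, not from the original thread. The log format is a constructed,
generic "proto src[:port] -> dst[:port] ACTION" line; the regex is an assumption.
"""
import re

# Inbound requirements quoted from the post: (protocol, destination port).
# ESP and GRE are IP protocols 50 and 47 and carry no port at all.
L2TP_IPSEC_RULES = {
    ("esp", None),   # IP protocol 50
    ("udp", 500),    # IKE
    ("udp", 4500),   # IPsec NAT-T
}
PPTP_RULES = {
    ("gre", None),   # IP protocol 47
    ("tcp", 1723),   # PPTP control channel
}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp|esp|gre)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s+"
    r"(?P<action>ACCEPT|DROP)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def classify(rec):
    """Map a parsed line onto the rule set it belongs to."""
    key = (rec["proto"], rec["dport"])
    if key in L2TP_IPSEC_RULES:
        return "l2tp-ipsec"
    if key in PPTP_RULES:
        return "pptp"
    return "unexpected"


def audit(lines, allow_pptp=False):
    """Return (verdicts, problems).

    A problem is a required L2TP/IPsec flow (or PPTP flow, if allow_pptp) that
    the firewall dropped, an accepted flow outside the VPN rule set, or a line
    the parser could not read. Dropped traffic outside the rule set is fine.
    """
    verdicts, problems = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            problems.append(f"unparsed: {line!r}")
            continue
        kind = classify(rec)
        verdicts.append((line, kind, rec["action"]))
        if kind == "l2tp-ipsec" and rec["action"] == "DROP":
            problems.append(f"L2TP/IPsec flow blocked: {line}")
        elif kind == "pptp" and rec["action"] == "DROP" and allow_pptp:
            problems.append(f"PPTP flow blocked: {line}")
        elif kind == "unexpected" and rec["action"] == "ACCEPT":
            problems.append(f"accepted flow outside the VPN rule set: {line}")
    return verdicts, problems


# Constructed sample lines, not real firewall output.
SAMPLE_LOG = [
    "udp 203.0.113.7:500 -> 192.0.2.10:500 ACCEPT",
    "udp 203.0.113.7:4500 -> 192.0.2.10:4500 ACCEPT",
    "esp 203.0.113.7 -> 192.0.2.10 DROP",
    "tcp 203.0.113.7:51022 -> 192.0.2.10:1723 DROP",
    "udp 203.0.113.7:30300 -> 192.0.2.10:30300 DROP",
]

if __name__ == "__main__":
    _, found = audit(SAMPLE_LOG)
    for problem in found:
        print(problem)
```

With the sample input only the dropped ESP line is reported: the PPTP control-channel drop is expected when PPTP is not in use, and the unknown UDP 30300 flow is dropped, so it is not flagged as an accepted stray. Pass allow_pptp=True when the PPTP rules are meant to be open as well.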
 

Author Comment

by:robrandon
ID: 12347138
Will L2TP have problems if the client machine is on a NATted network?
This is awesome by the way.
 

Expert Comment

by:JamesDS
ID: 12347280
robrandon
not if you use the NAT-T update I posted above and the network allows those ports I also mentioned.

welcome!

Cheers

JamesDS
 

Assisted Solution

by:Tim Holman (earned 125 total points)
ID: 12347405
> the biggest problem with PPTP (version 2 is supplied with Windows 2003 RRAS) is that it doesn't do NAT traversal. This means that if your client is connected to a network that provides NATted internet access (for instance) then the PPTP packets get out, but never make it back through the gateway. L2TP over IPSec is much better and is also supported by Windows 2003 RRAS.

The PPTP client itself doesn't do NAT-T, but then most routers will support 'VPN passthrough' or 'PPTP passthrough' and handle the NAT by themselves.  Also known as UPNP (Universal Plug and Play) for some reason...  

IPSec over L2TP is what you mean.  L2TP is the transport protocol for IPSEC, and IPSec is the bit that encrypts sessions.

I would disagree that L2TP is more secure than PPTP, or IPSEC is more secure than PPTP.  I would also disagree that PPTP is more secure than either L2TP or IPSEC.  As not to contradict myself too much, they all approach security in different ways...  take a look here:

http://www.microsoft.com/ntserver/support/faqs/VPNSec_FAQ
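The NAT point that both posts above circle around is a property of the packets, not of the VPN's cryptography: TCP and UDP carry port numbers that a NAT can rewrite and use to route replies back, while GRE (PPTP's data channel, IP protocol 47) and ESP (IPsec, IP protocol 50) have no ports, so a plain NAT has nothing to key a reply on. "PPTP passthrough" on a router adds state for such portless protocols; NAT-T sidesteps the problem by wrapping ESP in UDP 4500. The toy NAT below is an added example, not from the thread, that models exactly this and nothing more. It is deliberately simplified: passthrough is modelled as "one inside host per portless protocol", whereas real PPTP ALGs also rewrite GRE call IDs to support several clients. Addresses are constructed.

```python
"""Toy NAT showing why GRE/ESP need 'passthrough' while NAT-T (UDP 4500) does not.

Added example, not from the original thread. Simplified model: TCP/UDP flows
get a fresh public port keyed on (proto, inside_ip, inside_port); portless
protocols (GRE 47, ESP 50) can only be keyed on the protocol itself, which is
what the simplest form of 'VPN passthrough' does. Addresses are constructed.
"""


class ToyNat:
    PUBLIC_IP = "198.51.100.1"      # constructed public address of the gateway
    PORTLESS = {"gre", "esp"}       # IP protocols with no port field

    def __init__(self, vpn_passthrough=True):
        self.vpn_passthrough = vpn_passthrough
        self.next_port = 40000
        self.outbound = {}      # (proto, inside_ip, inside_port) -> public_port
        self.inbound = {}       # (proto, public_port) -> (inside_ip, inside_port)
        self.passthrough = {}   # proto -> inside_ip, for portless protocols only

    def egress(self, proto, inside_ip, inside_port=None):
        """Translate an outbound packet.

        Returns the public (ip, port) it leaves with, or None if the NAT cannot
        represent the flow at all (second inside host on a portless protocol).
        """
        if proto in self.PORTLESS:
            if not self.vpn_passthrough:
                # Packet leaves, but no state is kept: the reply has no way home.
                return (self.PUBLIC_IP, None)
            owner = self.passthrough.get(proto)
            if owner is not None and owner != inside_ip:
                return None  # nothing to demultiplex two inside hosts on
            self.passthrough[proto] = inside_ip
            return (self.PUBLIC_IP, None)
        key = (proto, inside_ip, inside_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(proto, public_port)] = (inside_ip, inside_port)
        return (self.PUBLIC_IP, self.outbound[key])

    def ingress(self, proto, public_port=None):
        """Map a reply to its inside destination, or None if the NAT drops it."""
        if proto in self.PORTLESS:
            return self.passthrough.get(proto)
        return self.inbound.get((proto, public_port))


def pptp_clients(nat, clients):
    """Inside clients whose PPTP data channel (GRE) replies make it back."""
    ok = []
    for ip in clients:
        nat.egress("tcp", ip, 1723)  # control channel has ports: always fine
        if nat.egress("gre", ip) is not None and nat.ingress("gre") == ip:
            ok.append(ip)
    return ok


def natt_clients(nat, clients):
    """Inside clients whose ESP-in-UDP 4500 (NAT-T) replies make it back."""
    ok = []
    for ip in clients:
        _, public_port = nat.egress("udp", ip, 4500)
        if nat.ingress("udp", public_port) == (ip, 4500):
            ok.append(ip)
    return ok


if __name__ == "__main__":
    inside = ["10.0.0.5", "10.0.0.6"]
    print("PPTP, no passthrough :", pptp_clients(ToyNat(vpn_passthrough=False), inside))
    print("PPTP, passthrough    :", pptp_clients(ToyNat(), inside))
    print("L2TP/IPsec with NAT-T:", natt_clients(ToyNat(), inside))
```

Without passthrough no PPTP client gets its GRE replies back, which is the "packets get out, but never make it back" symptom; with the simple passthrough modelled here only the first inside host works; with NAT-T every client works because UDP 4500 is an ordinary port-bearing flow. Raw ESP (protocol 50, no NAT-T) has exactly the GRE problem, which is why the server-side firewall list includes UDP 4500 and why the client needs the NAT-T update.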
 

Author Comment

by:robrandon
ID: 12347499
I found the article here since the link didn't work:
http://www.microsoft.com/ntserver/support/faqs/VPNSec_FAQ.asp

Is this the same one you were referencing?  It is dated December 11, 1998.  Is it still relevant with the current day implementations of PPTP and L2TP?

 

Expert Comment

by:Tim Holman
ID: 12348273
Same one...  I missed off the .asp...
Still very much relevant...
PPTP is designed for user authentication, and is very quick and easy to setup so that users have an encrypted tunnel back to head office.
The main weakness in it is the fact it uses a user password, although if you can implement PPTP with user certificates instead then that's a pretty good level of security, but then you may as well use an IPSEC client with certificates if this is the case as it would be easier to setup...
There are a few more links here that may help:

http://www.iss.net/security_center/advice/Countermeasures/VPN/PPTP/default.htm

http://www.sans.org/resources/malwarefaq/pptp-vpn.php

http://www.schneier.com/paper-pptpv2.html

 

Author Comment

by:robrandon
ID: 12351252
I think I'm close to getting this setup.  I see traffic related to port 30300 UDP trying to pass through the firewall.  Is this familiar?
 

Expert Comment

by:Tim Holman
ID: 12352551
30300 doesn't mean much to me - is this source or destination ?  I can't find 30300 UDP as a server port on any port listings on the net ?
 

Author Comment

by:robrandon
ID: 12352954
I couldn't either, but I can't connect from a client inside the firewall so I must have done something wrong.  I'll look into it tomorrow.  Regardless, my posted question was answered.  Thank you both.  I'm splitting points.