PPTP VPN

  • Thread starter Thread starter Andrew M
  • Start date Start date
A

Andrew M

Hi,

Wondering if anyone can tell me at what point any data
that is transferred over a PPTP starts being encrypted? Is
user authentication (username & password) information
encrypted or is it only after the tunnel has been
established?

Thanks,
Andrew
 
The VPN tunnel is established before any authentication takes place.

In PPTP the username is never encrypted. If LCP Extensions are enabled, then
your machine name is sent in the clear as well.

The auth session is in the clear from PPP's point of view and so security
depends on the strength of the auth protocol being used. EAP-TLS is the
strongest, PAP is the weakest since the password is sent in the clear.

DATA (regular network traffic) starts being encrypted after the CCP phase of
PPP completes. The authentication protocol also affects the encryption keys
that are available for CCP.

You can see all this using netmon on the server.

If you use L2TP/IPSec then everything after IPSec negotiation completes is
3DES encrypted, including the complete PPP negotiation (LCP, auth phases,
CCP, IPCP, and data).

MS recommends L2TP/IPSec - see http://www.microsoft.com/VPN for more info on
VPN's and VPN security, if you're interested.
 
Thanks Carl,

Starting to get my head around it. What i am trying to
find out is wether the password is sent as clear text or
encrypted when using MS CHAP v2 with PPTP?

From your reply i take it that the user name is sent in
clear text, just need to confirm the password.

Is PPTP with MS CHAP v2 (in your opinion) a reasonable VPN
scenario? (As long as a strong password policy is in place
of course..)

Thanks again,
Andrew
-----Original Message-----
The VPN tunnel is established before any authentication takes place.

In PPTP the username is never encrypted. If LCP Extensions are enabled, then
your machine name is sent in the clear as well.

The auth session is in the clear from PPP's point of view and so security
depends on the strength of the auth protocol being used. EAP-TLS is the
strongest, PAP is the weakest since the password is sent in the clear.

DATA (regular network traffic) starts being encrypted after the CCP phase of
PPP completes. The authentication protocol also affects the encryption keys
that are available for CCP.

You can see all this using netmon on the server.

If you use L2TP/IPSec then everything after IPSec negotiation completes is
3DES encrypted, including the complete PPP negotiation (LCP, auth phases,
CCP, IPCP, and data).

MS recommends L2TP/IPSec - see
Click to expand...
http://www.microsoft.com/VPN for more info on
 
Back
Top