I have noticed some discussion on PPTP VPN over the past couple of weeks. Although IPSec would be the optimal option for VPN with e-smith, we have to work with what we are given. I'm sure that many of the developers know of the inherent weaknesses with PPTP, so I have set up an environment to test these insecurities as per Bruce Schneier's white paper. There have been a couple of scripts released in the past few months that attack the CHAP and MSCHAP v1 and v2, which can then be fed through a password cracker. I have been unable to successfully break the e-smith PPTP VPN for some reason. I was expecting it to work and to be reporting on minimal password lengths for the developers, but instead they seem to have me stumped for the time being. The key thing to pull from all of this is that most insecurities with PPTP lie within the implementation. If good password policies are used and enforced, then PPTP is a solid alternative for most VPN solutions. If there are any specific PPTP options anyone would like tested against these known PPTP issues, please let me know offline and I will see what I can do.
