On 09/15/2014 06:38 AM, Lutz Markus Willek wrote: > Hey There, > > PPTP has always been considered rather week security but a flaw in MSChapv2 > indicates it is even less secure than we ever believed. MSChapv2 is the "most > secure" authentication protocol used with PPTP! > So PPTP turns to the least secure VPN solution. > In Fact PPTP is so insecure, it should be considered unencrypted. > Avoid this.
Lutz++ PPTP's encryption strength is limited by the randomness of the user's password, which is typically weak. >From Schneider's analysis here: "However, the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user." (https://www.schneier.com/paper-pptpv2.html) I've set up numerous VPNs: OpenSwan, StrongSwan, FreeSwan, OpenVPN, racoon/IPSec, PoPToP, ... But lately I've been using SoftEther (on Linux) for my VPN server infrastructure. Very configurable and extremely interoperable with established VPN clients. SoftEther works with the default Android, Windows (7/8/Tablet) and Linux VPN client software without additional software installs. So it's a good solution for "working for everyone" out of the box. It also makes documenting the connection to your services a lot more manageable since you don't need to document 20+ vendor VPN client variations to get your users connected. For a SoftEther production usage case: I presently have 60 VMs on one of my Proxmox clusters that are used for System Security classes that I teach. These VMs are required to be "off the net," yet must be accessible to the students 24/7. Students have been tapping in with their clients to the SoftEther VPN all term without problems. For various logistic reasons, my SoftEther VPN server is set up on a bare metal system alongside of the Proxmox cluster that is connected to the backend network where the student VMs reside. There's no reason the SoftEther server could not be run the head of a Proxmox install, and this would be what I'd recommend if your logistics limit you to deployment only on the Proxmox head end. -- Paul Gray -o) 314 East Gym, Dept. of Computer Science /\\ University of Northern Iowa _\_V Message void if penguin violated ... Don't mess with the penguin No one says, "Hey, I can't read that ASCII attachment ya sent me." _______________________________________________ pve-user mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
