Re: PPTP with Encryption

2002-05-02 Thread Tadeusz Knapik

On 30.04.02 Derek J. Balling ([EMAIL PROTECTED]) wrote:

 Except that that patch is against 2.4.0
 There's a lot of disjointed pieces, and not all of them seem to be 
 maintained or kept current:
 o  pptpd - which seems to (now) not require any special effort
 o  pppd needs to be patched or include support for mppe
 o  kernel needs to be patched or include support for mppe
 And that very chaos is what led me to ask if anyone has more 
 current info on how to make this work?  ;-)
You have just written how, just do/run it in reverse order ;-)
Patches are currently at http://planetmirror.com/pub/mppe/
I have patched 2.4.18 with a patch for 2.4.0 (building ppp-related
things as modules), then did pppd 2.4.1 with its openssl and MSCHAPv2
patch, and finally ran pptpd with proper options. It seems to work
(or I am missing something:), tried with W98 (compression and encryption
enabled) as well as W2000 (default settings - require data encryption,
disconnect if none).
I think one could patch pppd to read encrypted passwords from
chap-secrets file... Not me, though ;)
Cheers,

Tadeusz

-- 
  --
  |  Tadeusz Knapik - TxF - [EMAIL PROTECTED]  |  |
  --


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: PPTP with Encryption

2002-05-01 Thread Jean-Francois Dive

Another solution you may want to try is to use freeswan + pptp. If the windows
machines are 2k or sup, you don't need to install any additional soft on the machine.
However, ipsec config on 2k and XP is a pain.

So, I reckon the best way to do, would be to use a vpn client on the windows machine
(ssh sentinel is pretty good) and use freeswan + l2tpd for passwd authentication and
address distribution. This is of course out of the scope of the question, but
I think this is the best solution available (and I need people to test l2tpd as well
:))

JeF

On Tue, Apr 30, 2002 at 10:54:24AM -0400, Derek J. Balling wrote:
 Does anyone have a nice simple HOWTO on how to add encryption to the 
 pptpd daemon, so that windows VPN users can connect using encryption? 
 Preferred methods do NOT include patching things, if possible, 
 because I'd like to not have to re-patch things every time new 
 upgrades come out.
 
 Has anyone built all the necessary items simply as .deb's?
 
 D
 
 -- 
 +-+-+
 | [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
 |  Derek J. Balling   |  That ever lived in the tide of times.  |
 | |  Woe to the hand that shed this costly  |
 | |  blood - Julius Caesar Act 3, Scene 1  |
 +-+-+
 
 

-- 
- Jean-Francois Dive
-- [EMAIL PROTECTED]


PPTP with Encryption

2002-04-30 Thread Derek J. Balling

Does anyone have a nice simple HOWTO on how to add encryption to the 
pptpd daemon, so that windows VPN users can connect using encryption? 
Preferred methods do NOT include patching things, if possible, 
because I'd like to not have to re-patch things every time new 
upgrades come out.

Has anyone built all the necessary items simply as .deb's?

D

-- 
+-+-+
| [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
|  Derek J. Balling   |  That ever lived in the tide of times.  |
| |  Woe to the hand that shed this costly  |
| |  blood - Julius Caesar Act 3, Scene 1  |
+-+-+






Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik

Last time I checked, PPTP comes with encryption. All you
have to do is configure it.

From Freshmeat:
PoPToP
 
About:
PoPToP is a PPTP server for use in PPTP VPN environments. The current
release version supports Windows 95/98/NT/2000 PPTP clients and PPTP
Linux clients. With the relevant patches, PoPToP supports Windows PPTP
clients with the full range of encryption and authentication features. 

From apt-cache:
pptpd - PoPToP Point to Point Tunneling Server

I don't think you should have any patching to do. :) The home page
for poptop is at http://www.poptop.org.

-Anne

On Tue, Apr 30, 2002 at 10:54:24AM -0400, Derek J. Balling wrote:
 Does anyone have a nice simple HOWTO on how to add encryption to the 
 pptpd daemon, so that windows VPN users can connect using encryption? 
 Preferred methods do NOT include patching things, if possible, 
 because I'd like to not have to re-patch things every time new 
 upgrades come out.
 
 Has anyone built all the necessary items simply as .deb's?
 
 D
 
 -- 
 +-+-+
 | [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
 |  Derek J. Balling   |  That ever lived in the tide of times.  |
 | |  Woe to the hand that shed this costly  |
 | |  blood - Julius Caesar Act 3, Scene 1  |
 +-+-+
 
 

-- 

  .-.__.``.   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -==.',  Center for Advanced Computing Research
~`~~





Re: PPTP with Encryption

2002-04-30 Thread Derek J. Balling

At 8:43 AM -0700 4/30/02, Anne Carasik wrote:
 Last time I checked, PPTP comes with encryption. All you
 have to do is configure it.
 
 I don't think you should have any patching to do. :) The home page
 for poptop is at http://www.poptop.org.

Not unless the packaged pptpd/ppp has something else, from the poptop.org page:

# Available PPPD patch allows Windows compatible encryption and 
authentication (MSCHAPv2 and MPPE 40-128 bit RC4 encryption)

So it seems like there's SOMETHING I need to add to pppd to get 
encryption to work with it, and (from my reading) it seems like 
there's a patch that also needs to go in the kernel to make that pppd 
change work as well.

D

-- 
+-+-+
| [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
|  Derek J. Balling   |  That ever lived in the tide of times.  |
| |  Woe to the hand that shed this costly  |
| |  blood - Julius Caesar Act 3, Scene 1  |
+-+-+






Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik

On Tue, Apr 30, 2002 at 12:03:09PM -0400, Derek J. Balling wrote:
 I don't think you should have any patching to do. :) The home page
 for poptop is at http://www.poptop.org.
 Not unless the packaged pptpd/ppp has something else, from the poptop.org 
 page:
 # Available PPPD patch allows Windows compatible encryption and 
 authentication (MSCHAPv2 and MPPE 40-128 bit RC4 encryption)

You're right.. (I guess you do want to encrypt to a Windows box, so
make sure you're using full strength RC4.. 40 bit keys can be brute
forced).

According to the poptop FAQ:
3.0 PPP (and MSCHAPv2/MPPE) Installation

It is only necessary to use PPP 2.3.8 if you want Microsoft compatible
MSCHAPv2/MPPE authentication and encryption. The reason for this is that
the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP
2.3.8. If you don't need Microsoft compatible authentication/encryption
any 2.3.x PPP source will be fine.

[...]

The instructions look like you need to make a kernel module. 

 So it seems like there's SOMETHING I need to add to pppd to get 
 encryption to work with it, and (from my reading) it seems like 
 there's a patch that also needs to go in the kernel to make that pppd 
 change work as well.

Out of curiosity, why PPTP? Why not IPSec? There's better compatibility
with IPSec (FreeSWAN), and it looks like poptop hasn't been updated in a
long time (since 1999). Also, Win2K and I think (don't quote me on this)
WinXP have builtin IPSec support.

-Anne
-- 

  .-.__.``.   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -==.',  Center for Advanced Computing Research
~`~~





Re: PPTP with Encryption

2002-04-30 Thread Martin Hermanowski

You need the mppe-kernel-module *and* a patch for the pppd.

It would be really nice if there were .deb's

Martin

On Tue, Apr 30, 2002 at 08:43:21AM -0700, Anne Carasik wrote:
 Last time I checked, PPTP comes with encryption. All you
 have to do is configure it.
 
 From Freshmeat:
 PoPToP
  
 About:
 PoPToP is a PPTP server for use in PPTP VPN environments. The current
 release version supports Windows 95/98/NT/2000 PPTP clients and PPTP
 Linux clients. With the relevant patches, PoPToP supports Windows PPTP
 clients with the full range of encryption and authentication features. 
 
 From apt-cache:
 pptpd - PoPToP Point to Point Tunneling Server
 
 I don't think you should have any patching to do. :) The home page
 for poptop is at http://www.poptop.org.
 
 -Anne
 
 On Tue, Apr 30, 2002 at 10:54:24AM -0400, Derek J. Balling wrote:
  Does anyone have a nice simple HOWTO on how to add encryption to the 
  pptpd daemon, so that windows VPN users can connect using encryption? 
  Preferred methods do NOT include patching things, if possible, 
  because I'd like to not have to re-patch things every time new 
  upgrades come out.
  
  Has anyone built all the necessary items simply as .deb's?
  
  D
  
  -- 
  +-+-+
  | [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
  |  Derek J. Balling   |  That ever lived in the tide of times.  |
  | |  Woe to the hand that shed this costly  |
  | |  blood - Julius Caesar Act 3, Scene 1  |
  +-+-+
  
  
 
 -- 
 
   .-.__.``.   Anne Carasik, System Administrator
  .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
 (O/ O) \-'  ` -==.',  Center for Advanced Computing Research
 ~`~~







Re: PPTP with Encryption

2002-04-30 Thread Christian G. Warden

looks like there's a package for the patch:
kernel-patch-mppe - ppp_mppe module for pppd

xn

On Tue, Apr 30, 2002 at 12:03:09PM -0400, Derek J. Balling wrote:
 At 8:43 AM -0700 4/30/02, Anne Carasik wrote:
 Last time I checked, PPTP comes with encryption. All you
 have to do is configure it.
 
 I don't think you should have any patching to do. :) The home page
 for poptop is at http://www.poptop.org.
 
 Not unless the packaged pptpd/ppp has something else, from the poptop.org 
 page:
 
 # Available PPPD patch allows Windows compatible encryption and 
 authentication (MSCHAPv2 and MPPE 40-128 bit RC4 encryption)
 
 So it seems like there's SOMETHING I need to add to pppd to get 
 encryption to work with it, and (from my reading) it seems like 
 there's a patch that also needs to go in the kernel to make that pppd 
 change work as well.
 
 D
 
 -- 
 +-+-+
 | [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
 |  Derek J. Balling   |  That ever lived in the tide of times.  |
 | |  Woe to the hand that shed this costly  |
 | |  blood - Julius Caesar Act 3, Scene 1  |
 +-+-+
 
 




Re: PPTP with Encryption

2002-04-30 Thread Tim van Erven

On Tue, Apr 30, 2002 at 10:54:24AM -0400, Derek J. Balling [EMAIL PROTECTED] 
wrote:
 Does anyone have a nice simple HOWTO on how to add encryption to the 
 pptpd daemon, so that windows VPN users can connect using encryption? 

As a side note: have you considered that using the encryption in pptp
forces you to store user passwords in cleartext? For my ISP [1] that was
a reason not to use pptp's encryption, especially since MS-CHAPv2
contains known security holes [2].

1. http://www.xs4all.nl
2. http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/

-- 
Tim van Erven [EMAIL PROTECTED]
OpenPGP Key ID: 712CB811  Fingerprint: F6C9 61EE 242C C012 36D5
 BBF8 6310 D557 712C B811






Re: PPTP with Encryption

2002-04-30 Thread Derek J. Balling

At 6:52 PM +0200 4/30/02, Tim van Erven wrote:
 On Tue, Apr 30, 2002 at 10:54:24AM -0400, Derek J. Balling 
 [EMAIL PROTECTED] wrote:
  Does anyone have a nice simple HOWTO on how to add encryption to the
  pptpd daemon, so that windows VPN users can connect using encryption?
 
 As a side note: have you considered that using the encryption in pptp
 forces you to store user passwords in cleartext? For my ISP [1] that was
 a reason not to use pptp's encryption, especially since MS-CHAPv2
 contains known security holes [2].

Yes, unfortunately, for our predominant workstation (Win98), M$'s 
PPTP client is ubiquitous and other solutions are not necessarily so 
commonly deployed.

D
(who would LOVE to move to a _MORE_ secure solution, but is content, 
for now, to only allow himself and one other to even have accounts on 
the box with the cleartext passwds)
-- 
+-+-+
| [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
|  Derek J. Balling   |  That ever lived in the tide of times.  |
| |  Woe to the hand that shed this costly  |
| |  blood - Julius Caesar Act 3, Scene 1  |
+-+-+






Re: PPTP with Encryption

2002-04-30 Thread Christian G. Warden

yeah, it's a mess.  i spent 2 days trying to get poptop working a few
months ago.  once i got everything patched and running and could setup a
vpn between pptp-linux and pptpd, i still couldn't get win98 to connect
to pptpd.  i gave up and decided next time i'd try to use ipsec with
freeswan.

good luck,
xn

On Tue, Apr 30, 2002 at 01:20:21PM -0400, Derek J. Balling wrote:
 looks like there's a package for the patch:
 kernel-patch-mppe - ppp_mppe module for pppd
 
 Except that that patch is against 2.4.0
 
 There's a lot of disjointed pieces, and not all of them seem to be 
 maintained or kept current:
 
o  pptpd - which seems to (now) not require any special effort
o  pppd needs to be patched or include support for mppe
o  kernel needs to be patched or include support for mppe
 
 And that very chaos is what led me to ask if anyone has more 
 current info on how to make this work?  ;-)
 
 D
 
 
 -- 
 +-+-+
 | [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
 |  Derek J. Balling   |  That ever lived in the tide of times.  |
 | |  Woe to the hand that shed this costly  |
 | |  blood - Julius Caesar Act 3, Scene 1  |
 +-+-+
 
 




Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik

On Tue, Apr 30, 2002 at 01:24:21PM -0400, Derek J. Balling wrote:
 As a side note: have you considered that using the encryption in pptp
 forces you to store user passwords in cleartext? For my ISP [1] that was
 a reason not to use pptp's encryption, especially since MS-CHAPv2
 contains known security holes [2].
 
 Yes, unfortunately, for our predominant workstation (Win98), M$'s 
 PPTP client is ubiquitous and other solutions are not necessarily so 
 commonly deployed.
 
 D
 (who would LOVE to move to a _MORE_ secure solution, but is content, 
 for now, to only allow himself and one other to even have accounts on 
 the box with the cleartext passwds)

Ugh.. I'd never be content with cleartext passwords, especially given
how many security solutions are around today.

-Anne
--
  .-.__.``.   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -==.',  Center for Advanced Computing Research
~`~~





Re: PPTP with Encryption

2002-04-30 Thread Derek J. Balling

At 11:23 AM -0700 4/30/02, Anne Carasik wrote:
  (who would LOVE to move to a _MORE_ secure solution, but is content,
  for now, to only allow himself and one other to even have accounts on
  the box with the cleartext passwds)
 
 Ugh.. I'd never be content with cleartext passwords, especially given
 how many security solutions are around today.

Falls in the category of show me another solution that's already on 
every user's system, and I'll happily drink of that fountain 
instead.  I agree with you 100%, but in the environment I'm dealing 
with, folks are reticent to go add additional software to their 
expenses, and (for windows users, which like it or not is still 90+% 
of the userbase) almost any non-M$ solution incurs a cost. :(

I'm not content with cleartext passwords, per se, but making do 
with such, and strictly limiting access to the box which has them 
visible, so maybe my choice of words was a bit wrong, but I didn't 
really want to have to launch into the windows users are idiots who 
won't get REAL secure stuff, so I have to make do with what little 
security I can coax out of them diatribe. ;-)

D


-- 
+-+-+
| [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
|  Derek J. Balling   |  That ever lived in the tide of times.  |
| |  Woe to the hand that shed this costly  |
| |  blood - Julius Caesar Act 3, Scene 1  |
+-+-+
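
The two operational points raised in this thread, the warning that 40-bit MPPE keys can be brute forced and the decision to restrict access to the box holding cleartext passwords, can be checked mechanically. The script below is an added example, not code posted by anyone in the thread. It assumes the option names documented in the pppd(8) man page of current releases (the patched pppd 2.4.1 discussed here may spell them differently); the function names, the sample policy and the options-file path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pppd/pptpd setup for the two
# weaknesses discussed above. Option names follow the pppd(8) man page of
# current releases; the policy and any file paths are assumptions.

_fail() { echo "FAIL: $*"; _bad=1; }

# has_option FILE NAME: true if NAME is the first word of a non-comment line.
has_option() {
    awk -v want="$2" '
        { sub(/#.*/, "") }               # strip comments
        $1 == want { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_options FILE: require MS-CHAPv2 and 128-bit-only MPPE.
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_options() {
    _f=$1; _bad=0
    [ -r "$_f" ] || { _fail "$_f is not readable"; return 1; }
    has_option "$_f" require-mschap-v2 ||
        _fail "require-mschap-v2 is not set"
    has_option "$_f" require-mppe-128 ||
        _fail "require-mppe-128 is not set"
    if has_option "$_f" require-mppe-40; then
        _fail "require-mppe-40 enables 40-bit keys"
    fi
    if has_option "$_f" require-mppe && ! has_option "$_f" nomppe-40; then
        _fail "require-mppe accepts 40-bit keys; add nomppe-40"
    fi
    if has_option "$_f" nomppe; then
        _fail "nomppe disables MPPE entirely"
    fi
    return "$_bad"
}

# audit_secrets FILE [UID]: chap-secrets holds cleartext passwords, so it must
# belong to UID (default 0, root) and grant nothing to group or other.
audit_secrets() {
    _s=$1; _uid=${2:-0}; _bad=0
    [ -f "$_s" ] || { _fail "$_s not found"; return 1; }
    _mode=$(ls -ln "$_s" | awk '{ print $1 }')     # e.g. -rw-------
    _owner=$(ls -ln "$_s" | awk '{ print $3 }')    # numeric uid
    case $_mode in
        ????------*) ;;                            # no group/other bits
        *) _fail "$_s has mode $_mode; run chmod 600" ;;
    esac
    [ "$_owner" = "$_uid" ] ||
        _fail "$_s is owned by uid $_owner, expected $_uid"
    return "$_bad"
}

# Usage: sh audit.sh OPTIONS_FILE /etc/ppp/chap-secrets
if [ "$#" -eq 2 ]; then
    rc=0
    audit_options "$1" || rc=1
    audit_secrets "$2" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: no findings"
    exit "$rc"
fi
```

A clean result only shows that the configuration asks for 128-bit MPPE and that the secrets file is not readable by other accounts; it does not address the MS-CHAPv2 weaknesses referenced earlier in the thread.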


Re: PPTP with Encryption

2002-04-30 Thread Derek J. Balling

 looks like there's a package for the patch:
 kernel-patch-mppe - ppp_mppe module for pppd


Except that that patch is against 2.4.0

There's a lot of disjointed pieces, and not all of them seem to be 
maintained or kept current:


   o  pptpd - which seems to (now) not require any special effort
   o  pppd needs to be patched or include support for mppe
   o  kernel needs to be patched or include support for mppe

And that very chaos is what led me to ask if anyone has more 
current info on how to make this work?  ;-)


D


--
+-+-+
| [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
|  Derek J. Balling   |  That ever lived in the tide of times.  |
| |  Woe to the hand that shed this costly  |
| |  blood - Julius Caesar Act 3, Scene 1  |
+-+-+


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: PPTP with Encryption

2002-04-30 Thread Derek J. Balling

At 6:52 PM +0200 4/30/02, Tim van Erven wrote:
On Tue, Apr 30, 2002 at 10:54:24AM -0400, Derek J. Balling 
[EMAIL PROTECTED] wrote:

 Does anyone have a nice simple HOWTO on how to add encryption to the
 pptpd daemon, so that windows VPN users can connect using encryption?


As a side note: have you considered that using the encryption in pptp
forces you to store userpasswords in cleartext? For my ISP [1] that was
a reason not to use pptp's encryption, especially since MS-CHAPv2
contains known security holes [2].


Yes, unfortunately, for our predominant workstation (Win98), M$'s 
PPTP client is ubiquitous and other solutions are not necessarily so 
commonly deployed.


D
(who would LOVE to move to a _MORE_ secure solution, but is content, 
for now, to only allow himself and one other to even have accounts on 
the box with the cleartext passwds)

--
+-+-+
| [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
|  Derek J. Balling   |  That ever lived in the tide of times.  |
| |  Woe to the hand that shed this costly  |
| |  blood - Julius Caesar Act 3, Scene 1  |
+-+-+





Re: PPTP with Encryption

2002-04-30 Thread Christian G. Warden
yeah, it's a mess.  i spent 2 days trying to get poptop working a few
months ago.  once i got everything patched and running and could set up a
vpn between pptp-linux and pptpd, i still couldn't get win98 to connect
to pptpd.  i gave up and decided next time i'd try to use ipsec with
freeswan.

good luck,
xn

On Tue, Apr 30, 2002 at 01:20:21PM -0400, Derek J. Balling wrote:
 looks like there's a package for the patch:
 kernel-patch-mppe - ppp_mppe module for pppd
 
 Except that that patch is against 2.4.0
 
 There's a lot of disjointed pieces, and not all of them seem to be 
 maintained or kept current:
 
o  pptpd - which seems to (now) not require any special effort
o  pppd needs to be patched or include support for mppe
o  kernel needs to be patched or include support for mppe
 
 And that very chaos is what led me to ask if anyone has more 
 current info on how to make this work?  ;-)
 
 D
 
 
 -- 
 +-+-+
 | [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
 |  Derek J. Balling   |  That ever lived in the tide of times.  |
 | |  Woe to the hand that shed this costly  |
 | |  blood - Julius Caesar Act 3, Scene 1  |
 +-+-+
 
 



Re: PPTP with Encryption

2002-04-30 Thread Anne Carasik
On Tue, Apr 30, 2002 at 01:24:21PM -0400, Derek J. Balling wrote:
 As a side note: have you considered that using the encryption in pptp
 forces you to store user passwords in cleartext? For my ISP [1] that was
 a reason not to use pptp's encryption, especially since MS-CHAPv2
 contains known security holes [2].
 
 Yes, unfortunately, for our predominant workstation (Win98), M$'s 
 PPTP client is ubiquitous and other solutions are not necessarily so 
 commonly deployed.
 
 D
 (who would LOVE to move to a _MORE_ secure solution, but is content, 
 for now, to only allow himself and one other to even have accounts on 
 the box with the cleartext passwds)

Ugh.. I'd never be content with cleartext passwords, especially given
how many security solutions are around today.

-Anne
--
  .-.__.``.   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -==.',  Center for Advanced Computing Research
~`~~




Re: PPTP with Encryption

2002-04-30 Thread Derek J. Balling

At 11:23 AM -0700 4/30/02, Anne Carasik wrote:

  (who would LOVE to move to a _MORE_ secure solution, but is content,
  for now, to only allow himself and one other to even have accounts on
  the box with the cleartext passwds)


Ugh.. I'd never be content with cleartext passwords, especially given
how many security solutions are around today.


Falls in the category of show me another solution that's already on 
every user's system, and I'll happily drink of that fountain 
instead.  I agree with you 100%, but in the environment I'm dealing 
with, folks are reticent to go add additional software to their 
expenses, and (for windows users, which like it or not is still 90+% 
of the userbase) almost any non-M$ solution incurs a cost. :(


I'm not content with cleartext passwords, per se, but making do 
with such, and strictly limiting access to the box which has them 
visible, so maybe my choice of words was a bit wrong, but I didn't 
really want to have to launch into the "windows users are idiots who 
won't get REAL secure stuff, so I have to make do with what little 
security I can coax out of them" diatribe. ;-)


D


--
+-+-+
| [EMAIL PROTECTED]  | Thou art the ruins of the noblest man  |
|  Derek J. Balling   |  That ever lived in the tide of times.  |
| |  Woe to the hand that shed this costly  |
| |  blood - Julius Caesar Act 3, Scene 1  |
+-+-+
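
The stopgap described in the message above (cleartext secrets kept on one box, two accounts, access strictly limited) can be checked mechanically. This is an added example, not part of the thread and not code from pppd or pptpd; the sample entries, the account names and the `max_accounts` parameter are constructed, and `shlex` only approximates pppd's quoting rules.

```python
import os
import shlex
import tempfile

# Constructed sample in the chap-secrets layout: client server secret addresses
SAMPLE = '''\
# client   server  secret            IP addresses
derek      pptpd   "correct horse"   10.0.0.10
other      pptpd   s3cret            10.0.0.11
'''

def parse_chap_secrets(text):
    """Return (client, server) pairs for every entry that carries a secret."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # approximation of pppd quoting
        if len(fields) >= 3:
            entries.append((fields[0], fields[1]))
    return entries

def audit(path, max_accounts=2):
    """List findings for a secrets file that holds cleartext passwords."""
    findings = []
    st = os.stat(path)
    if st.st_mode & 0o077:  # any group/other permission bit set
        findings.append("mode %o: readable beyond owner" % (st.st_mode & 0o777))
    if st.st_uid != 0:
        findings.append("owner uid %d is not root" % st.st_uid)
    with open(path) as fh:
        entries = parse_chap_secrets(fh.read())
    if len(entries) > max_accounts:  # assumed policy: two accounts, as in the post
        findings.append("%d accounts, expected at most %d" % (len(entries), max_accounts))
    return findings

def demo():
    """Write the constructed sample with two different modes and audit each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "chap-secrets")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        for mode in (0o644, 0o600):
            os.chmod(path, mode)
            results[mode] = audit(path)
    return results

if __name__ == "__main__":
    for mode, findings in demo().items():
        print(oct(mode), findings or "ok")
```
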





PPTP and encryption / RC4 weaknesses

2002-03-04 Thread Jean-Francois Dive

hi all,

I was wondering: PPTP uses RC4 with up to 128-bit keys as an encryption mechanism. I'd like
to have the impressions of people on the list about the cryptographic strength of
such an algorithm, especially now that wireless WEP RC4-based encryption has been
broken.
I understand that the problem in WEP is the key extrapolation, but
I'd like to know if RC4 in PPTP can be considered secure, purely on the encryption side.

Thanks for any pointer on this (except the 'read the Applied Cryptography book' ;)

JeF
-- 
- Jean-Francois Dive
-- [EMAIL PROTECTED]






Re: PPTP and encryption / RC4 weaknesses

2002-03-04 Thread Christoph Moench-Tegeder

## Jean-Francois Dive ([EMAIL PROTECTED]):

 I was wondering: PPTP uses RC4 with up to 128-bit keys as an encryption mechanism. I'd like
 to have the impressions of people on the list about the cryptographic strength of
 such an algorithm, especially now that wireless WEP RC4-based encryption has been
 broken.

PPTP can easily be broken if MS-CHAPv2 is used:
http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/

Regards,
cmt

-- 
Spare Space






Re: PPTP and encryption / RC4 weaknesses

2002-03-04 Thread Jean-Francois Dive

On Mon, Mar 04, 2002 at 03:20:44PM +0100, Christoph Moench-Tegeder wrote:
thanks, this confirms to me that I really have to avoid it ;)

cheers,

JeF

 ## Jean-Francois Dive ([EMAIL PROTECTED]):
 
  I was wondering: PPTP uses RC4 with up to 128-bit keys as an encryption mechanism. I'd like
  to have the impressions of people on the list about the cryptographic strength of
  such an algorithm, especially now that wireless WEP RC4-based encryption has been
  broken.
 
 PPTP can easily be broken if MS-CHAPv2 is used:
 http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/
 
 Regards,
 cmt
 
 -- 
 Spare Space
 
 
 

-- 
- Jean-Francois Dive
-- [EMAIL PROTECTED]





