Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Mark Farey on October 18, 2001, 12:54:59 AM
-
I've been experimenting a little with the PPTP VPN capability on my SME5 server but conventional wisdom seems to be that it is a lousy protocol (see http://www.counterpane.com/pptp-faq.html which reports "Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over"). They strongly recommend using IPSEC.
Given that analysis, why is PPTP even included on e-smith?
Is there a way to use an IPSEC VPN for roaming users (i.e. from a home dial-up or variable IP)? My impression, from reading Christopher Worthington's HOW-TO and looking at the e-smith configuration, is that it is limited to a server-to-server application. Do I have to subscribe to ServiceLink to enable roaming access?
Regards,
Mark
Ottawa.
-
I suspect the reason PPTP is included is because it comes with Windoze, and (in theory) it's very easy to make a PPTP connection from a win client to the e-smith server.
-
There is a 1998 copyright on that page so it must not address the latest versions which are required to interoperate with the e-smith server.
-
Interesting, but the article was pretty condemning and says that the whole protocol needed a complete rewrite, so I'm left wondering if that ever happened?
Maybe someone at e-smith, or someone with an up-to-date understanding of PPTP, can comment.
Mark.
Ottawa.
-
First of all, the article does not condemn PPTP: "They did not find flaws in PPTP, only in Microsoft's implementation of it". I do not know if the problems they report apply to the e-smith/sme implementation of PPTP.
Secondly, MS has made changes in its PPTP implementation (and how it handles pw authentication in general) since that FAQ was published. The same people did an analysis of MS's new implementation (check out www.counterpane.com/pptpv2-paper.html) and they report significant improvements.
The basic problem with PPTP is that it relies on user passwords for authentication. If the pw is easy to crack, the VPN is easy to crack (and this problem is not limited to PPTP). PPTP is definitely not the best/most secure way of remotely accessing your server. However, it's relatively easy to implement and is more secure than allowing public access to your services.
Noah