On Fri, 10 May 2002, Kelly Black wrote:

> Eh? I am pretty sure Nate was talking about PPTP using PoPToP. I
> have not as of yet experienced kernel panics. The insecurity can be
> partially dealt with by applying a patch that only allows connections
> from hosts running 128 bit encryption.

OK, I'll clarify:

> It's also insecure

The PPTP protocol itself has problems with the way it does encryption and stuff.. even with 128-bit encryption, from what I've read, it isn't really really hard to crack it. Meaning, it isn't something you can just do on the fly, but it is possible.

> the code is prone to causing kernel panics under certain situations.

The problem isn't the poptop daemon itself, it's the code you apply to the kernel for MPPE encryption. In certain situations (like SMP boxes with high load), it's been known to cause kernel panics. You also need a special patch for the 2.4 kernel, or anytime certain types of packets go across it, it'll panic. (In our case, the packets had to be from a Win98 client, and transfer ~1mb at a reasonably high speed.. very annoying!)

> If I had it to do over again, I would have probably gone for IPSEC and
> if the user was going to use Windows 98, buy one of the clients. I
> think W2K has a client that can be used out of the box, but don't
> quote me.

Windows 2000 and XP have a built in client that works great with it, I actually wrote documentation on configuring it a while ago:

http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509

(I know, I know, I need to rewrite my PHP stuff -- that URL is ugly.)

For other versions of Windows, or if you want a client that 'normal' (idiot) users can deal with, check out www.ipsec.com (SSH Sentinel) -- these guys are actually providing support for FreeS/WAN, it's pretty cool.
We just set up one of our clients [speak up if you want] with an IPSec solution where they do a Sprint dialup from laptops, and after the link is up, the Sprint dialer automatically launches the ipsec.exe utility [which I discuss on my page above], and brings up a VPN connection to their corporate network. So, all the Windows user sees is a DOS box come up for a minute while it connects, and then they can browse their domain at the office. Pretty sweet..

--
Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
http://www.real-time.com                   | Fax   : (952)943-8500