[CentOS] PPTP VPN server

Mon Nov 24 18:38:06 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>

Hi,

On Mon, Nov 24, 2008 at 12:56, Les Mikesell <lesmikesell at gmail.com> wrote:
> Microsoft has updated PPTP since the only paper I know about was written.
> Does anyone know if there are still problems with it or if the linux
> version is updated to match?

From http://pptpclient.sourceforge.net/protocol-security.phtml:

"PPTP on Linux, and Microsoft's PPTP, both implement fixes for
vulnerabilities that were detected years ago in Microsoft's PPTP. *But there
remain the design vulnerabilities that cannot be fixed without changing the
design.* The changes needed would break interoperability. We can't change
the Linux PPTP design, because it would stop working with Microsoft PPTP.
They can't change their design, because it would stop working with all the
other components out there, such as Nortel and Cisco, embedded routers, ADSL
modems and their own Windows installed base."

And POPTOP (http://poptop.sourceforge.net/dox/qna.html#12):

In conclusion: *Poptop suffers the same security vulnerabilities as the NT
server* (this is because it operates with Windows clients).
Update: MSCHAPv2 has been released and addresses *some* of the security
issues. Poptop works with MSCHAPv2, which is implemented in pppd.

Wikipedia (http://en.wikipedia.org/wiki/PPTP):

PPTP has been made obsolete by Layer 2 Tunneling Protocol (L2TP) and IPSec.


From these sources, I can't tell for sure if the protocol has
vulnerabilities by design or not, but in any case there seems to be agreement
that other VPN protocols such as IPSec are much more secure and reliable
than PPTP. I would not recommend starting a VPN implementation using PPTP.

L2TP/IPSec seems to be the best alternative regarding client support
(built-in support on Windows XP, Mac and the iPhone), only it is very hard
to implement on a Linux server, and there are issues with NAT traversal.
OpenVPN is easy to implement and seems to work very well with NAT, but
clients must be downloaded and installed for most platforms, and are not
available, for instance, for the iPhone.

HTH,
Filipe