RE: VPN in ISA with L2TP vs PPTP

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Mar 2002 20:47:00 -0600

Hi Stefaan,
 
Yes! I completely missed the significance of what you were saying during
that conversation on the Web boards. The key to successfully forcing the
clients to use the default gateway on the remote network is to give the
clients an off-subnet address. When you do this, a client that is not
using the remote network (VPN server) as the default gateway will have
internal network IDs routed through the Internet, which clearly won't
work.
 
Thanks!
 
Tom
 
 
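The routing effect Tom describes above (and point 5 of Stefaan's list further down), worked through as an added example. This is not code from the thread or from ISA Server; it is a small model of a Windows 2000-era PPTP client's route table with longest-prefix matching. Every concrete value is an assumption for the illustration: the corporate network 10.0.0.0/8, the client's home LAN 192.168.1.0/24 behind gateway 192.168.1.1, the internal test host 10.5.5.5, the Internet test host 203.0.113.10, and the VPN pool addresses 10.0.0.200 (on the internal network ID) and 172.16.0.5 (off-subnet). The classful route a RAS client installs for its assigned PPP address is modelled from the documented Windows behaviour and is likewise an assumption here.

```python
"""Why an off-subnet VPN address defeats split tunnelling.

Added example for this thread; not code from ISA Server or from the posters.
Assumed, not from the page: corporate network 10.0.0.0/8, home LAN
192.168.1.0/24 with gateway 192.168.1.1, VPN pool addresses 10.0.0.200
(on the internal network ID) and 172.16.0.5 (off-subnet), and the classful
route a Windows RAS client adds for its assigned address.
"""
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
INTERNET = "home LAN gateway (Internet)"
TUNNEL = "VPN tunnel"


def classful_network(addr):
    """Network ID of an address under class A/B/C rules: the route the RAS
    client installs through the tunnel for its assigned PPP address
    (assumed Windows 2000 behaviour)."""
    addr = ipaddress.ip_address(addr)
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def client_routes(assigned, use_default_gateway_on_remote_network):
    """Route table entries as (network, metric, interface); lower metric wins a tie."""
    assigned = ipaddress.ip_address(assigned)
    routes = [
        (DEFAULT, 20, INTERNET),
        (HOME_LAN, 20, "home LAN"),
        (classful_network(assigned), 1, TUNNEL),
        (ipaddress.ip_network(f"{assigned}/32"), 1, TUNNEL),
    ]
    if use_default_gateway_on_remote_network:
        # 'Use default gateway on remote network': a second default route
        # through the tunnel with a better metric, so all non-local traffic
        # goes to the VPN server.
        routes.append((DEFAULT, 1, TUNNEL))
    return routes


def lookup(routes, destination):
    """Longest prefix match, then lowest metric, as a host route table does."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[1]))
    return best[2]


def scenario(assigned, flag):
    """Where a packet to an internal host (10.5.5.5) and to an Internet host
    (203.0.113.10) leaves the client. Returns (internal_iface, internet_iface)."""
    routes = client_routes(assigned, flag)
    return lookup(routes, "10.5.5.5"), lookup(routes, "203.0.113.10")


if __name__ == "__main__":
    cases = (("10.0.0.200", False), ("172.16.0.5", False), ("172.16.0.5", True))
    for assigned, flag in cases:
        internal, internet = scenario(assigned, flag)
        print(f"assigned {assigned:12} remote-default-gw={str(flag):5} "
              f"internal host via {internal!r}, Internet via {internet!r}")
```

With an on-subnet address the classful route alone reaches the internal network, so a client that clears the flag keeps a working split tunnel. With an off-subnet address and the flag cleared, internal destinations fall through to the home LAN's default route and go out to the Internet, which is exactly the failure Tom wants; only with the flag set does everything traverse the tunnel.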
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
Sent: Friday, March 01, 2002 5:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN in ISA with L2TP vs PPTP
 
http://www.ISAserver.org
 
 
Hi Armando,
 
If you do it the right way, PPTP can deliver good security ;-)

Points to keep in mind:

1) If there is any NAT device in the path between the client and the ISA,
forget L2TP/IPSec. It won't work. I was told that we have to wait for the
.NET release before L2TP/IPSec would be NAT compatible.

2) Make sure the Win9x clients are up to date with the latest patches and
DUN with the High Encryption Pack.

3) On ISA, use the strongest possible authentication. If you can't use
EAP/TLS (with a smart card), enforce ONLY MS-CHAPv2. Don't allow a weaker
authentication in any case. Also, use very good passwords. That's VERY
important when using MS-CHAPv2 authentication. The strength of the
encryption keys is dependent on the strength of the passwords used!

4) Enforce the strongest encryption on the ISA server.

5) Don't allow split tunneling. On the clients, 'Use default gateway on
remote network' should be activated in the advanced properties. If
possible, design your central infrastructure in such a way that the
routing doesn't work if that flag is not set.
 
For more info check out
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
and
http://www.microsoft.com/windows2000/techinfo/planning/incremental/vpndeploy.asp .
An interesting discussion about VPN routing (split tunneling) can be found
at
http://www.isaserver.org/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=13;t=000336
 
Hope this helps,
Stefaan
 
 
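Point 3 of Stefaan's list says the MPPE encryption keys are only as strong as the MS-CHAPv2 password. The derivation behind that claim, as an added example that is not code from the thread or from ISA Server: RFC 3079 builds the 128-bit MPPE master key from SHA-1 over the MD4 of the NT password hash, the 24-byte NT-Response and a fixed magic string. The NT-Response is sent in the clear during authentication, so the only secret input is the password. The 24-byte NT-Response below is a constructed stand-in for a captured one, the candidate passwords are made up, and MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds.

```python
"""MPPE key material as a function of the MS-CHAPv2 password (RFC 3079, sec. 3).

Added example for this thread; not code from ISA Server or from the posters.
Assumptions not on the page: CAPTURED_NT_RESPONSE is a constructed 24-byte
stand-in for the value a sniffer takes from the MS-CHAPv2 Response packet,
and the candidate passwords are made up.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_block(state, block):
    """One MD4 compression (RFC 1320): three 16-step rounds over a 64-byte block."""
    X = struct.unpack("<16I", block)
    v = list(state)
    rounds = (
        # (round function, additive constant, shift amounts, message word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for f, k, shifts, order in rounds:
        for i, idx in enumerate(order):
            v[0] = _rotl((v[0] + f(v[1], v[2], v[3]) + X[idx] + k) & _MASK,
                         shifts[i % 4])
            v = [v[3], v[0], v[1], v[2]]  # next step updates d, then c, then b, then a
    return tuple((s + w) & _MASK for s, w in zip(state, v))


def md4(data: bytes) -> bytes:
    """MD4 in pure Python (hashlib may refuse it as a legacy algorithm)."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


MAGIC1 = b"This is the MPPE Master Key"


def mppe_master_key(password: str, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey for 128-bit MPPE:
    SHA1(MD4(NT hash) || NT-Response || Magic1), truncated to 16 bytes.
    The NT-Response travels in the clear, so the key space is the password space."""
    if len(nt_response) != 24:
        raise ValueError("NT-Response must be 24 bytes")
    password_hash_hash = md4(nt_hash(password))
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    return digest[:16]


# Constructed stand-in for an NT-Response captured from the wire (not real data).
CAPTURED_NT_RESPONSE = bytes(range(1, 25))


def candidate_master_keys(nt_response: bytes, candidates) -> dict:
    """What an eavesdropper with a password list gets: one master key per guess.
    Picking the right guess means recomputing the NT-Response from the
    challenge (DES-based, not shown here). Returns {password: key hex}."""
    return {pw: mppe_master_key(pw, nt_response).hex() for pw in candidates}


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        key = mppe_master_key(pw, CAPTURED_NT_RESPONSE).hex()
        print(f"{pw!r:32} -> MPPE master key {key}")
```

Nothing in the derivation adds entropy beyond the password, which is why Stefaan's "use very good passwords" is a statement about the cipher keys and not only about login: an attacker who captures the authentication exchange and later guesses the password can regenerate the session keys and decrypt the recorded tunnel.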
 
-----Original Message-----
From: Armando Treviño López [mailto:armando.trevino@xxxxxxxxxxx]
Sent: Saturday, March 02, 2002 0:16
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN in ISA with L2TP vs PPTP
 
 
http://www.ISAserver.org
 
 
Hi all. I have configured ISA for VPN client access. I wonder what the
security risks are in allowing access to a VPN in ISA with PPTP rather than
L2TP.

Is PPTP so insecure?? I would like to use only L2TP but I have some VPN
clients that use Win95/98/Millennium. Does it represent a risk to an
enterprise to keep allowing PPTP VPN connections? What do you think?
 
Regards.
 
Armando Treviño
 
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
 
 