Hi Stefaan,

Yes! I completely missed the significance of what you were saying during that conversation on the Web boards. The key to successfully forcing the clients to use the default gateway on the remote network is to give the clients an off-subnet address. When you do this, a client that is not using the remote network (VPN server) as its default gateway will have the internal network IDs routed through the Internet, which clearly won't work.

Thanks!
Tom

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Friday, March 01, 2002 5:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN in ISA with L2TP vs PPTP

http://www.ISAserver.org

Hi Armando,

if you do it the right way, PPTP can deliver good security ;-)

Points to keep in mind:

1) If there is any NAT device in the path between the client and the ISA, forget L2TP/IPSec. It won't work. I was told that we have to wait for the .NET release before L2TP/IPSec would be NAT compatible.

2) Make sure the Win9x clients are up to date with the latest patches and DUN with the high encryption pack.

3) On ISA use the strongest possible authentication. If you can't use EAP/TLS (with a smart card), enforce ONLY MS-CHAPv2. Don't allow any weaker authentication in any case. Also, use very good passwords. That's VERY important when using MS-CHAPv2 authentication. The strength of the encryption keys is dependent on the strength of the passwords used!

4) Enforce the strongest encryption on the ISA server.

5) Don't allow split tunneling. On the clients the 'use default gateway on remote network' option should be activated in the advanced properties. If possible, design your central infrastructure in such a way that the routing doesn't work if that flag is not set.

For more info check out http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp and http://www.microsoft.com/windows2000/techinfo/planning/incremental/vpndeploy.asp .

An interesting discussion about VPN routing (split tunneling) can be found at http://www.isaserver.org/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=13;t=000336

Hope this helps,
Stefaan

-----Original Message-----
From: Armando Treviño López [mailto:armando.trevino@xxxxxxxxxxx]
Sent: Saturday, 2 March 2002 0:16
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN in ISA with L2TP vs PPTP

http://www.ISAserver.org

Hi all.

I have configured ISA for VPN client access. I wonder what the security risks are in allowing access to a VPN in ISA with PPTP rather than L2TP. Is PPTP so insecure? I would like to use only L2TP, but I have some VPN clients that use Win95/98/Millennium. Does it represent a risk to an enterprise to keep allowing PPTP VPN connections? What do you think?

Regards.
Armando Treviño

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
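Tom's reply and Stefaan's point 5 both describe the same design rule: hand VPN clients an address pool that matches no internal network, so that a client which leaves 'use default gateway on remote network' unset has only its ISP default route for internal destinations and split tunneling simply fails. The following added example (not code from the thread or from ISA Server) models that with a small longest-prefix-match routing table. The address ranges, the metric values and the shape of the client routing table are constructed assumptions that simplify what the Windows dial-up client does; the point is to compare an on-subnet pool against an off-subnet pool with the flag on and off.

```python
import ipaddress

# Constructed sample addressing for the illustration: two internal networks
# behind the VPN server, and two candidate address pools for VPN clients.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/24"),   # the LAN the VPN server sits on
    ipaddress.ip_network("10.1.0.0/24"),   # a second internal network
]
POOL_ON_SUBNET = ipaddress.ip_network("10.0.0.0/24")        # clients get LAN addresses
POOL_OFF_SUBNET = ipaddress.ip_network("192.168.200.0/24")  # pool matching no internal net


def client_routes(vpn_pool, use_default_gateway_on_remote):
    """Approximate routing table of a remote client once the tunnel is up.

    Each entry is (prefix, interface, metric). A connected route for the
    pool network is always present; the 'use default gateway on remote
    network' flag adds a default route through the tunnel with a better
    metric than the ISP default route (assumption: a simplified model of
    the Windows dial-up client's behaviour).
    """
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "internet", 20),  # ISP default route
        (vpn_pool, "vpn", 1),                                 # connected route for the pool
    ]
    if use_default_gateway_on_remote:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, ties broken by lowest metric; returns the interface."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def path_to_internal_nets(vpn_pool, use_default_gateway_on_remote):
    """Map each internal network to the interface a client would send it on."""
    routes = client_routes(vpn_pool, use_default_gateway_on_remote)
    return {str(net): lookup(routes, net.network_address + 10) for net in INTERNAL_NETS}


def design_forces_full_tunnel(vpn_pool):
    """True if a client that leaves the flag off reaches no internal network
    through the tunnel, i.e. the addressing plan makes split tunneling fail."""
    paths = path_to_internal_nets(vpn_pool, use_default_gateway_on_remote=False)
    return all(iface == "internet" for iface in paths.values())


if __name__ == "__main__":
    for name, pool in (("on-subnet", POOL_ON_SUBNET), ("off-subnet", POOL_OFF_SUBNET)):
        for flag in (False, True):
            print(name, "flag on" if flag else "flag off", path_to_internal_nets(pool, flag))
        print(name, "forces full tunnel:", design_forces_full_tunnel(pool))
```

With the on-subnet pool, a client that leaves the flag off still reaches the VPN server's own LAN through the tunnel's connected route while sending the second internal network out to the Internet, which is exactly the split-tunnel state Stefaan warns against. With the off-subnet pool, every internal destination falls through to the ISP default route unless the flag is set, so a misconfigured client notices immediately that nothing internal works.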