 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP versus IPsec
 Date:  Sun, 7 Jan 2007 20:30:02 -0500
On 1/7/07, Sven Brill <madde at gmx dot net> wrote:
> Sounds like from the m0n0wall standpoint, you could go either way, since
> you have a whole /28 network to play with, that leaves security, ease of
> use, and feasibility.  Security could be strong enough with PPTP,
> depends on your own risk assessment.  For a fun read, try this:
> http://www.schneier.com/paper-pptp.html

This is a bit of FUD, as it's based on issues that were fixed years
ago and Schneier never updated that page.  But, PPTP still has its

If you're going to run IPsec, the latest 1.3 beta is your only
feasible option for road warrior scenarios.  The latest 1.3 includes
NAT-T support, which is required for clients behind NAT devices.

As for which is less likely to get hosed by a firewall the client is
behind, I think that's pretty much a toss-up...  some firewalls screw
up or don't permit IPsec, and some will break or block GRE (used by
PPTP).  Personally I've seen a lot more GRE breakage myself, but I
also have probably 10 times as many PPTP-enabled installations as I do
IPsec-enabled ones.

PPTP works, and the client built into Windows makes it easy to set up
and work with.  The majority of my clients are small businesses in
industries where they don't care much about security.  Since PPTP is
the cheapest and easiest option, and it works, that's what they want.
Personally, if it were entirely up to me, I'd never use PPTP.  A
combination of IPsec and OpenVPN is ideal IMO.  Two for redundancy,
and if one can't get through whatever firewall your client machine is
behind, you have another to try.