 From:  Falcor <falcor at netassassin dot com>
 To:  Quark AV - Hilton Travis <Hilton at QuarkAV dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Newbie ? - IPSec via Wireless (like SonicWall)
 Date:  Tue, 01 Jun 2004 23:12:32 -0500
He asked, and I answered his question.  If you want IPSEC then set that
up instead.  Here is a link to the IPSEC document:
http://m0n0.ch/wall/docbook/ipsec.html
The ssh.com IPSEC client works great BTW.

Last time I checked there are no security flaws in PPTP, just
Microsoft's implementation of it.  ("What, Microsoft? Never!" you say...
but it is true!)  I believe the patch for MS was issued in late 2002.
But there may be newer stuff as I haven't looked.  I personally use
IPSEC tunnels terminated on a Cisco 3030.  I just play with the
tunneling on the m0n0wall because it is damn cool frankly.  (And you
really can't beat the price.)  The MPD thing was fixed, so that isn't an
issue either.

Really, from a protocol standpoint, PPTP vs. IPSEC only favors IPSEC in
regard to speed and overhead, and of course IPSEC allows you to split
the tunnel, sending only data intended for the destination network into
the VPN tunnel.  PPTP is slower (more intensive on both ends of the
connection) and pipes all network data into the VPN tunnel, making it
hard to limit what is on the VPN tunnel, but comparing it to WEP, which
is faulty because it is easy to decipher, is quite inaccurate.  A
better comparison would be a VW Rabbit to a Porsche.  They both get you
from point A to point B, one just does it faster and in a cooler looking
vehicle.  Also IPSEC can accommodate things like a NATed connection, and
thus get you around firewalls NATing at a remote location that would
otherwise muck up a PPTP connection.

So in conclusion, while IPSEC is faster it requires additional software.
PPTP is a good quick and dirty way to get your visiting friends onto
your WiFi network without having to have them install all kinds of
software.  Both offer better data security and authentication to your
local network than WEP, so I do recommend using them.  (I even suggest
using them in combination with WEP on your WiFi, as that will serve to
frustrate the person who spent all day cracking your WEP key only to
find all the data on the frequency is further encrypted.)  You could
always go with WPA if your AP and clients can support it.  Honestly, for
WiFi access via a m0n0wall server I would suggest sticking with PPTP for
simple ease of use.  The speed difference will be negligible on a LAN
connection, even WiFi.  If your users are savvy enough, go with IPSEC
and configure custom clients and do fun tricks like shared group keys
and then personal passwords or even challenge-based authentication.  Your own
paranoia level will dictate what you are most comfortable with.

Quark AV - Hilton Travis wrote:

>Hi Falcor,
>There's a **huge** difference between PPTP and IPSEC as far as security goes
>with VPNs.
>Personally, I'd place PPTP in the same league as WEP - untrustworthy.
>Hilton Travis                        Phone: +61-(0)7-3343-3889
>Manager,                             Mobile: +61 (0)419 792 394
>Quark IT                             http://www.QuarkIT.com.au/
>Quark AudioVisual                    http://www.QuarkAV.net/
>(Brisbane, Australia)
>Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
>Non Linear Video Editing Solutions & Digital Audio Workstations
>Conference and Seminar AudioVisual Production and Recording
> War doesn't determine who is right. War determines who is left.
>>-----Original Message-----
>>From: Falcor [mailto:falcor at netassassin dot com] 
>>Sent: Wednesday, 2 June 2004 12:36
>>To: James Baber
>>Cc: m0n0wall at lists dot m0n0 dot ch
>>Subject: Re: [m0n0wall] Newbie ? - IPSec via Wireless (like SonicWall)
>>yes it is possible and quite easy to do.  see the pptp 
>>document at http://m0n0.ch/wall/docbook/pptp.html
>>James Baber wrote:
>>>I want to configure my W2K/XP laptop to use a VPN tunnel 
>>>(IPSec) to my m0n0wall (with Soekris VPN1401 & NetGate 
>>>802.11B Prism 2.5) specifically over the wireless network.  
>>>Actually I would like to configure all my wireless 
>>>devices to do this.
>>>Is this possible?  If so, can someone point me to an 
>>>archived document with instructions?  I can't seem to 
>>>find exactly what I'm looking for, nor can I seem to 
>>>get it to work.