In regard to PPTP on m0n0wall in particular, you can write firewall ACLs
for the PPTP traffic but not for IPSEC traffic. So keep that in mind too.
> He asked, and I answered his question. If you want IPSEC then set
> that up instead. Here is a link to the IPSEC document.
> http://m0n0.ch/wall/docbook/ipsec.html The ssh.com IPSEC client works
> great BTW.
> Last time I checked there are no security flaws in PPTP, just
> Microsoft's implementation of it. ("What Microsoft, never!" you
> say.... but it is true!) I believe the patch for MS was issued in
> late 2002. But there may be newer stuff as I haven't looked. I
> personally use IPSEC tunnels terminated on a Cisco 3030. I just play
> with the tunneling on the m0n0wall because it is damn cool frankly.
> (And you really can't beat the price.) The MPD thing was fixed, so
> that isn't an issue either.
> Really from a protocol standpoint PPTP vs. IPSEC only favors IPSEC in
> regard to speed and overhead, and of course IPSEC allows you to split
> the tunnel sending only data intended for the destination to the VPN
> network tunnel. PPTP is slower (more intensive on both ends of the
> connection) and pipes all network data into the VPN tunnel making it
> hard to limit what is on the vpn tunnel, but comparing it to WEP,
> which is faulty because it is easy to decipher, is quite inaccurate.
> A better comparison would be a VW Rabbit to a Porsche. They both get
> you from point A to point B, one just does it faster and in a cooler
> looking vehicle. Also IPSEC can accommodate things like a NATed
> connection, and thus get you around firewalls NATing at a remote
> location that would otherwise muck up a PPTP connection.
> So in conclusion, while IPSEC is faster it requires additional
> software. PPTP is a good quick and dirty way to get your visiting
> friends onto your WiFi network without having to have them install all
> kinds of software. Both offer better data security and authentication
> to your local network than WEP so I do recommend using them. (I even
> suggest using them in combination with WEP on your WiFi as that will
> serve to frustrate the person who spent all day cracking your WEP key
> only to find all the data on the frequency is further encrypted.)
> You could always go with WPA if your AP and clients can support it.
> Honestly, for WiFi Access via a m0n0wall server I would suggest
> sticking with PPTP for simple ease of use. The speed difference will
> be negligible on a LAN connection, even WiFi. If your users are savvy
> enough, go with IPSEC and configure custom clients and do fun tricks
> like shared group keys and then personal passwords or even challenged
> authentication. Your own paranoia level will dictate what you are
> most comfortable with.
> Quark AV - Hilton Travis wrote:
>> Hi Falcor,
>> There's a **huge** difference between PPTP and IPSEC as far as
>> security goes with VPNs.
>> Personally, I'd place PPTP in the same league as WEP - untrustworthy.
>> Hilton Travis, Manager
>> Quark IT http://www.QuarkIT.com.au/
>> Quark AudioVisual http://www.QuarkAV.net/
>> (Brisbane, Australia)
>> Phone: +61-(0)7-3343-3889
>> Mobile: +61 (0)419 792 394
>> Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
>> Non Linear Video Editing Solutions & Digital Audio Workstations
>> Conference and Seminar AudioVisual Production and Recording
>> War doesn't determine who is right. War determines who is left.
>>> -----Original Message-----
>>> From: Falcor [mailto:falcor at netassassin dot com]
>>> Sent: Wednesday, 2 June 2004 12:36
>>> To: James Baber
>>> Cc: m0n0wall at lists dot m0n0 dot ch
>>> Subject: Re: [m0n0wall] Newbie ? - IPSec via Wireless (like SonicWall)
>>> Yes, it is possible and quite easy to do. See the PPTP document at
>>> James Baber wrote:
>>>> I want to configure my W2K/XP laptop to use a VPN tunnel (IPSec) to
>>>> my m0n0wall (with Soekris VPN1401 & NetGate 802.11B Prism 2.5)
>>>> specifically over the wireless network. Actually I would like to
>>>> configure all my wireless devices to do this.
>>>> Is this possible? If so, can someone point me to an archived
>>>> document with instructions? I can't seem to find exactly what I'm
>>>> looking for, nor can I seem to get it to work.