In regard to PPTP on m0n0wall in particular, you can write firewall ACLs for the PPTP traffic but not for IPsec traffic. So keep that in mind too.

Falcor wrote:
> He asked, and I answered his question. If you want IPSEC then set
> that up instead. Here is a link to the IPSEC document.
> http://m0n0.ch/wall/docbook/ipsec.html The ssh.com IPSEC client works
> great BTW.
>
> Last time I checked there are no security flaws in PPTP, just
> Microsoft's implementation of it. ("What, Microsoft? Never!" you
> say.... but it is true!) I believe the patch for MS was issued in
> late 2002. But there may be newer stuff as I haven't looked. I
> personally use IPSEC tunnels terminated on a Cisco 3030. I just play
> with the tunneling on the m0n0wall because it is damn cool frankly.
> (And you really can't beat the price.) The MPD thing was fixed, so
> that isn't an issue either.
>
> Really from a protocol standpoint PPTP vs. IPSEC only favors IPSEC in
> regard to speed and overhead, and of course IPSEC allows you to split
> the tunnel, sending only data intended for the destination VPN
> network into the tunnel. PPTP is slower (more intensive on both ends of the
> connection) and pipes all network data into the VPN tunnel, making it
> hard to limit what is on the VPN tunnel, but comparing it to WEP,
> which is faulty because it is easy to decipher, is quite inaccurate.
> A better comparison would be a VW Rabbit to a Porsche. They both get
> you from point A to point B, one just does it faster and in a cooler
> looking vehicle. Also IPSEC can accommodate things like a NATed
> connection, and thus get you around firewalls NATing at a remote
> location that would otherwise muck up a PPTP connection.
>
> So in conclusion, while IPSEC is faster it requires additional
> software. PPTP is a good quick and dirty way to get your visiting
> friends onto your WiFi network without having to have them install all
> kinds of software. Both offer better data security and authentication
> to your local network than WEP, so I do recommend using them. (I even
> suggest using them in combination with WEP on your WiFi as that will
> serve to frustrate the person who spent all day cracking your WEP key
> only to find all the data on the frequency is further encrypted.)
> You could always go with WPA if your AP and clients can support it.
> Honestly, for WiFi access via a m0n0wall server I would suggest
> sticking with PPTP for simple ease of use. The speed difference will
> be negligible on a LAN connection, even WiFi. If your users are savvy
> enough, go with IPSEC and configure custom clients and do fun tricks
> like shared group keys and then personal passwords or even challenge
> authentication. Your own paranoia level will dictate what you are
> most comfortable with.
>
>
>
> Quark AV - Hilton Travis wrote:
>
>> Hi Falcor,
>>
>> There's a **huge** difference between PPTP and IPSEC as far as
>> security goes with VPNs.
>>
>> Personally, I'd place PPTP in the same league as WEP - untrustworthy.
>>
>> --
>>
>> Regards,
>>
>> Hilton Travis                  Phone: +61-(0)7-3343-3889
>> Manager,                       Mobile: +61 (0)419 792 394
>> Quark IT                       http://www.QuarkIT.com.au/
>> Quark AudioVisual              http://www.QuarkAV.net/
>> (Brisbane, Australia)
>>
>> Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
>> Non Linear Video Editing Solutions & Digital Audio Workstations
>> Conference and Seminar AudioVisual Production and Recording
>>
>> War doesn't determine who is right. War determines who is left.
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: Falcor [mailto:falcor at netassassin dot com]
>>> Sent: Wednesday, 2 June 2004 12:36
>>> To: James Baber
>>> Cc: m0n0wall at lists dot m0n0 dot ch
>>> Subject: Re: [m0n0wall] Newbie ? - IPSec via Wireless (like SonicWall)
>>>
>>> Yes, it is possible and quite easy to do. See the PPTP document at
>>> http://m0n0.ch/wall/docbook/pptp.html
>>>
>>> James Baber wrote:
>>>
>>>
>>>
>>>> Hello,
>>>>
>>>> I want to configure my W2K/XP laptop to use a VPN tunnel (IPSec) to
>>>> my m0n0wall (with Soekris VPN1401 & NetGate 802.11B Prism 2.5)
>>>> specifically over the wireless network. Actually I would like to
>>>> configure all my wireless devices to do this.
>>>>
>>>> Is this possible? If so, can someone point me to an archived
>>>> document with instructions? I can't seem to find exactly what I'm
>>>> looking for, nor can I seem to get it to work.
>>>>
>>>> Thanks,
>>>> James
>>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
>>
>
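The opening reply makes the practical point of the thread: on m0n0wall, traffic from PPTP clients passes through the firewall rule set after decapsulation, so you can restrict what each VPN client reaches, whereas IPsec tunnel traffic did not get that treatment. As an added illustration (not code from the thread or from the m0n0wall project), the Python below models a first-match, default-deny rule set of the kind a defender would attach to the PPTP client interface. The address pool, LAN ranges and rules are constructed for the example and are not taken from the thread.

```python
"""Added example: a first-match, default-deny ACL model for VPN-client traffic.

This is not m0n0wall code; it only shows what a per-client rule set on the
PPTP interface expresses: VPN clients (the constructed 192.168.200.0/24 pool)
may reach the intranet web server and the DNS resolver and nothing else on
the LAN.  IPsec traffic that bypasses the rule set gets no such filtering.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                    # source IPv4 address (the VPN client)
    dst: str                    # destination IPv4 address
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None # destination port, if any


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None # None matches any protocol
    dport: Optional[int] = None # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field the rule constrains agrees with the packet."""
        if ip_address(pkt.src) not in self.src:
            return False
        if ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic falls to the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed addresses for the example: the PPTP client pool and the LAN.
PPTP_POOL = ip_network("192.168.200.0/24")
LAN = ip_network("192.168.1.0/24")

# Rule set for the PPTP interface: web server over HTTPS, resolver over DNS,
# then an explicit deny for the rest of the LAN (the default deny covers
# everything else, e.g. other internal ranges).
PPTP_RULES = [
    Rule("allow", PPTP_POOL, ip_network("192.168.1.10/32"), "tcp", 443),
    Rule("allow", PPTP_POOL, ip_network("192.168.1.1/32"), "udp", 53),
    Rule("deny", PPTP_POOL, LAN),
]


def check_pptp_client(pkt: Packet) -> str:
    """Decision for one decapsulated packet from a PPTP client."""
    return evaluate(PPTP_RULES, pkt)


if __name__ == "__main__":
    samples = [
        Packet("192.168.200.5", "192.168.1.10", "tcp", 443),  # allowed: intranet web
        Packet("192.168.200.5", "192.168.1.1", "udp", 53),    # allowed: DNS
        Packet("192.168.200.5", "192.168.1.20", "tcp", 445),  # denied: SMB to a workstation
        Packet("192.168.200.5", "10.0.0.1", "tcp", 80),       # denied: default deny
    ]
    for p in samples:
        print(p, "->", check_pptp_client(p))
```

The explicit deny for the whole LAN before the default deny is deliberate: it keeps the intent visible in the rule set itself, so a later rule added below it cannot silently widen what VPN clients reach.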