 From:  Falcor <falcor at netassassin dot com>
 To:  Falcor <falcor at netassassin dot com>
 Cc:  Quark AV - Hilton Travis <Hilton at QuarkAV dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Newbie ? - IPSec via Wireless (like SonicWall)
 Date:  Tue, 01 Jun 2004 23:29:35 -0500
In regard to PPTP on m0n0wall in particular, you can write firewall ACLs 
for the pptp traffic but not for IPSEC traffic.  So keep that in mind too.

Falcor wrote:

> He asked, and I answered his question.  If you want IPSEC then set 
> that up instead.  Here is a link to the IPSEC document. 
> http://m0n0.ch/wall/docbook/ipsec.html  The ssh.com IPSEC client works 
> great BTW.
> Last time I checked there are no security flaws in PPTP, just 
> Microsoft's implementation of it.  ("What Microsoft, never!" you 
> say.... but it is true!)  I believe the patch for MS was issued in 
> late 2002. But there may be newer stuff as I haven't looked.  I 
> personally use IPSEC tunnels terminated on a Cisco 3030.  I just play 
> with the tunneling on the m0n0wall because it is damn cool frankly.  
> (And you really can't beat the price.)  The MPD thing was fixed, so 
> that isn't an issue either.
> Really from a protocol standpoint PPTP vs. IPSEC only favors IPSEC in 
> regard to speed and overhead, and of course IPSEC allows you to split 
> the tunnel sending only data intended for the destination to the VPN 
> network tunnel.  PPTP is slower (more intensive on both ends of the 
> connection) and pipes all network data into the VPN tunnel making it 
> hard to limit what is on the vpn tunnel, but comparing it to WEP, 
> which is faulty because it is easy to decipher, is quite inaccurate.   
> A better comparison would be a VW Rabbit to a Porsche.  They both get 
> you from point A to point B, one just does it faster and in a cooler 
> looking vehicle.  Also IPSEC can accommodate things like a NATed 
> connection, and thus get you around firewalls NATing at a remote 
> location that would otherwise muck up a PPTP connection.
> So in conclusion, while IPSEC is faster it requires additional 
> software. PPTP is a good quick and dirty way to get your visiting 
> friends onto your WiFi network without having to have them install all 
> kinds of software.  Both offer better data security and authentication 
> to your local network than WEP so I do recommend using them.  (I even 
> suggest using them in combination with WEP on your WiFi as that will 
> serve to frustrate the person who spent all day cracking your WEP key 
> only to find all the data on the frequency is further encrypted.)    
> You could always go with WPA if your AP and clients can support it.  
> Honestly, for WiFi Access via a m0n0wall server I would suggest 
> sticking with PPTP for simple ease of use.  The speed difference will 
> be negligible on a LAN connection, even WiFi.  If your users are savvy 
> enough, go with IPSEC and configure custom clients and do fun tricks 
> like shared group keys and then personal passwords or even challenged 
> authentication.  Your own paranoia level will dictate what you are 
> most comfortable with. 
> Quark AV - Hilton Travis wrote:
>> Hi Falcor,
>> There's a **huge** difference between PPTP and IPSEC as far as 
>> security goes with VPNs.
>> Personally, I'd place PPTP in the same league as WEP - untrustworthy.
>> -- 
>> Regards,
>> Hilton Travis                        Phone: +61-(0)7-3343-3889
>> Manager,                             Mobile: +61 (0)419 792 394
>> Quark IT                             http://www.QuarkIT.com.au/
>> Quark AudioVisual                    http://www.QuarkAV.net/
>> (Brisbane, Australia)
>> Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
>> Non Linear Video Editing Solutions & Digital Audio Workstations
>> Conference and Seminar AudioVisual Production and Recording
>> War doesn't determine who is right. War determines who is left.
>>> -----Original Message-----
>>> From: Falcor [mailto:falcor at netassassin dot com] Sent: Wednesday, 2 June 
>>> 2004 12:36
>>> To: James Baber
>>> Cc: m0n0wall at lists dot m0n0 dot ch
>>> Subject: Re: [m0n0wall] Newbie ? - IPSec via Wireless (like SonicWall)
>>> yes it is possible and quite easy to do.  see the pptp document at 
>>> http://m0n0.ch/wall/docbook/pptp.html
>>> James Baber wrote:
>>>> Hello,
>>>> I want to configure my W2K/XP laptop to use a VPN tunnel (IPSec) to 
>>>> my m0n0wall (with Soekris VPN1401 & NetGate 802.11B Prism 2.5) 
>>>> specifically over the wireless network.  Actually I would like to 
>>>> configure all my wireless devices to do this.
>>>> Is this possible?  If so, can someone point me to an archived 
>>>> document with instructions?  I can't seem to find exactly what I'm 
>>>> looking for, nor can I seem to get it to work.
>>>> Thanks,
>>>> James
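The thread turns on what a firewall in the path can and cannot see: on m0n0wall the PPTP tunnel's traffic can be matched by firewall rules while IPsec traffic cannot, and IPsec still works from behind a NAT. The script below is an added example, not code from the thread or from the m0n0wall project, that classifies constructed flow records by the outer protocols each VPN type puts on the wire. The protocol and port numbers are standard facts not stated in the thread (PPTP: TCP/1723 control plus GRE; IPsec: IKE on UDP/500, NAT-T on UDP/4500, ESP and AH). Because GRE is not specific to PPTP, a GRE flow is only tagged as PPTP data when a matching TCP/1723 control session between the same two hosts is present in the same record set; the sample flows and addresses are constructed.

```python
# Added example (not part of the m0n0wall thread): tag constructed flow
# records by the outer VPN protocol a firewall would see on the wire.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers and well-known ports (standard values, assumed here)
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT = 1723   # PPTP control channel
IKE_PORT = 500             # IPsec IKE
NAT_T_PORT = 4500          # IPsec NAT traversal (UDP-encapsulated ESP)


@dataclass(frozen=True)
class Flow:
    """One outer flow record: who talked to whom, over which protocol/port."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None for GRE/ESP/AH, which have no ports


def _pair(flow: Flow) -> frozenset:
    # Direction-agnostic host pair used to correlate control and data flows.
    return frozenset((flow.src, flow.dst))


def classify_flows(flows: List[Flow]) -> List[str]:
    """Return one label per flow, in input order.

    GRE is only called PPTP data when the same host pair also shows a
    TCP/1723 control session; otherwise it is reported as unknown GRE.
    """
    control_pairs = {
        _pair(f) for f in flows
        if f.proto == PROTO_TCP and f.dport == PPTP_CONTROL_PORT
    }
    labels = []
    for f in flows:
        if f.proto == PROTO_TCP and f.dport == PPTP_CONTROL_PORT:
            labels.append("pptp-control")
        elif f.proto == PROTO_GRE:
            labels.append("pptp-data" if _pair(f) in control_pairs else "gre-unknown")
        elif f.proto == PROTO_UDP and f.dport == IKE_PORT:
            labels.append("ipsec-ike")
        elif f.proto == PROTO_UDP and f.dport == NAT_T_PORT:
            # A peer behind NAT sends ESP inside UDP/4500 rather than raw ESP.
            labels.append("ipsec-nat-t")
        elif f.proto in (PROTO_ESP, PROTO_AH):
            labels.append("ipsec-data")
        else:
            labels.append("other")
    return labels


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per label, e.g. to spot which VPN types are in use."""
    return dict(Counter(classify_flows(flows)))


# Constructed sample records (documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.1", PROTO_TCP, PPTP_CONTROL_PORT),
    Flow("192.0.2.10", "198.51.100.1", PROTO_GRE),
    Flow("192.0.2.20", "198.51.100.1", PROTO_UDP, IKE_PORT),
    Flow("192.0.2.20", "198.51.100.1", PROTO_UDP, NAT_T_PORT),
    Flow("192.0.2.30", "198.51.100.1", PROTO_ESP),
    Flow("192.0.2.40", "198.51.100.1", PROTO_GRE),       # no control session
    Flow("192.0.2.50", "198.51.100.1", PROTO_TCP, 443),  # plain HTTPS
]

if __name__ == "__main__":
    for flow, label in zip(SAMPLE_FLOWS, classify_flows(SAMPLE_FLOWS)):
        print(f"{flow.src:>12} -> {flow.dst} proto={flow.proto:<3} {label}")
    print(summarize(SAMPLE_FLOWS))
```

The labels describe only the outer encapsulation. Whether the firewall can then apply per-user rules to what is inside the tunnel is a property of where the tunnel terminates (the point made at the top of the thread for m0n0wall's PPTP interface), not something this classifier can tell from the flow record.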