The downside to IPSec in a Windows world is there aren't many (or any) free
IPSec client utils. PPTP works outta the box so it makes life simple.
Since this is for a HotSpot, PPTP would be the least intrusive on your users.
As for PPTP vs IPSec:
MS-CHAPv2 is encrypted by the lower layer IPsec tunnel. The IPsec tunnel is
securely authenticated using IKE. MS-CHAP had a history of being easily
(relative term here) cracked. The "shared secret" or certificate use of IPSec
is considered much stronger.
That said, the use of complicated, long passwords should alleviate some fear.
Pitbull Technologies <http://www.pittech.com/>
Protecting your Digital Assets
Quoting Louis <m0n0 dot ch at hourfollowshour dot org>:
> Thanks for your response. I am using PPTP over wireless on an open non
> WEP/WPA hotspot, the idea is that I want to offer an open hotspot for
> neighbors and cafe goers but still encrypt my connection (or anyone else
> who e-mails me that wants security).
> I realize most people say IPSec is 'better'; I'll have to do some
> searches to see the issues with PPTP (other than it being a MS
> creation), I of course don't want to use something that can be hacked in
> an hour -- will do more research online regarding PPTP security though I
> imagine it is relatively secure or folks wouldn't have it in m0n0wall to
> begin with.
> Can anyone tell me why PPTP is 'bad' or less secure than IPSec?
> I'm glad to hear you think it's secure over the air, I'm going to have to
> locate another wireless laptop and sniff the connection for that added
> self-verification that will make me sleep better at night ;).
> Chet Harvey wrote:
> > PPTP is not the tunneling "choice" for encrypted tunnels but it does a
> > job. 128 bit encryption via OpenSSL. How it works is the "tunnel" is
> > by the software on your system and started at the interface. It is then
> > decrypted at the endpoint interface on the other side.
> > That said, you are sending packets across open airwaves which makes it
> > to "sniff" and decrypt than on old school cat5. You didn't specify if you
> > WEP or WPA enabled which would help somewhat.
> > Personally I would IPSec to the m0n0wall via wireless instead of WEP.
> > That was the Long winded answer to your question, short answer is most
> > yes. Is it the best you can do, probably not.
> > Chet Harvey
> > Pitbull Technologies <http://www.pittech.com/>
> > Protecting your Digital Assets
> > 703.407.7311