PPTP VPN

A

Andrew M

Hi,

Wondering if anyone can tell me at what point any data
that is transferred over a PPTP starts being encrypted? Is
user authentication (username & password) information
encrypted or is it only after the tunnel has been
established?

Thanks,
Andrew
 
C

Carl DaVault [MSFT]

The VPN tunnel is established before any authentication takes place.

In PPTP the username is never encrypted. If LCP Extensions are enabled, then
your machine name is sent in the clear as well.

The auth session is in the clear from PPP's point of view and so security
depends on the strength of the auth protocol being used. EAP-TLS is the
strongest, PAP is the weakest since the password is sent in the clear.

DATA (regular network traffic) starts being encrypted after the CCP phase of
PPP completes. The authentication protocol also affects the encryption keys
that are available for CCP.

You can see all this using netmon on the server.

If you use L2TP/IPSec then everything after IPSec negotiation completes is
3DES encrypted, including the complete PPP negotiation (LCP, auth phases,
CCP, IPCP, and data).

MS recommends L2TP/IPSec - see http://www.microsoft.com/VPN for more info on
VPN's and VPN security, if you're interested.
 
A

Andrew M

Thanks Carl,

Starting to get my head around it. What i am trying to
find out is wether the password is sent as clear text or
encrypted when using MS CHAP v2 with PPTP?

From your reply i take it that the user name is sent in
clear text, just need to confirm the password.

Is PPTP with MS CHAP v2 (in your opinion) a reasonable VPN
scenario? (As long as a strong password policy is in place
of course..)

Thanks again,
Andrew
-----Original Message-----
The VPN tunnel is established before any authentication takes place.

In PPTP the username is never encrypted. If LCP Extensions are enabled, then
your machine name is sent in the clear as well.

The auth session is in the clear from PPP's point of view and so security
depends on the strength of the auth protocol being used. EAP-TLS is the
strongest, PAP is the weakest since the password is sent in the clear.

DATA (regular network traffic) starts being encrypted after the CCP phase of
PPP completes. The authentication protocol also affects the encryption keys
that are available for CCP.

You can see all this using netmon on the server.

If you use L2TP/IPSec then everything after IPSec negotiation completes is
3DES encrypted, including the complete PPP negotiation (LCP, auth phases,
CCP, IPCP, and data).

MS recommends L2TP/IPSec - see
Click to expand...
http://www.microsoft.com/VPN for more info on
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

PPTP Server 2
win2000 RRAS/VPN server and VPN client problem 2
PPTP & GRE problems? 1
Remote authentication from PPTP clients 4
VPN on Windows Server 2003 behind a D-Link DI-524 Router 5
CMAK profile for VPN using PPTP/EAP 1
VPN setup for PPTP 4
Can't connect through VPN 1

Top