 IPSec VPN Connection
Hi All,

Let me explain my situation: Currently I am making use of a PPTP VPN to connect to certain remote sites connected via dialup, using VNC to access desktops for support issues. To do this I'm making use of the dyndns dynamic IP service, which allows me to map a hostname, e.g. remotesite.dyndns.org, to a dynamically allocated IP which is updated via dyndns's ip-updater, which runs on the remote machine.

I'm using Windows XP's built-in VPN server to accept remote connections based on the remote machine's local user accounts, and allocating my own IP on the remote network, as there are only 4 workgrouped desktop PCs and 1 network printer (192.168.0.1 - 192.168.0.5). I generally connect as 192.168.0.77, just because I like 7 and to keep well away from the local range.

This all works well and good, but my only concern is security: PPTP is apparently quite easy to crack, see: http://crimemachine.com/Tuts/Flash/pptp-vpn.html

I haven't tried it myself, but I would prefer to try and change to a more secure protocol such as IPsec, but this process seems much more difficult. If anyone has configured a situation that is similar to mine or knows how to, could you help me out, as IPsec seems to go a little deeper than just VPN.

Thanks in advance

ASKED: February 21, 2006  8:04 PM
UPDATED: February 22, 2006  12:03 PM

Answer Wiki:
Apart from all the other trouble a hacker would have to go through to orchestrate this attack, it relies on the fact that the VPN is set to use MS-CHAP, which is known to be weak. Set your VPN to use MS-CHAPv2 or some other more modern hash and you don't really have anything to worry about in terms of session cracking. If you're really worried and you want more security (encryption-wise anyway) you can opt to use an IPSec-based VPN solution, but that obviously requires additional hardware/software. Some might consider that overkill for your situation, though I certainly couldn't make such a determination based on the information provided. HTH
Last Wiki Answer Submitted:  February 21, 2006  10:56 pm  by  Amigus   0 pts.


Discuss This Question:

Microsoft has a considerable amount of documentation on VPNs, both PPTP and IPSec. Here is a link in their 2003 area:
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
Here is another article focusing on IPSec for win2k and XP:
http://www.securityfocus.com/infocus/1519
The main problem you have with IPSec that you don’t have with PPTP is if there is NAT somewhere along the way. IPSec doesn’t like NAT. If you have NAT between your systems you will either have to do encapsulation (I don’t know if this can be done with plain Windows), or you need to set up the end points of the VPN to exclude the NAT. If you are NATing at a firewall I would suggest ending the VPN at the firewall. With most modern firewalls you can establish an IPSec VPN when you connect.

 0 pts.
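The NAT problem raised in the comment above, shown for IPsec's Authentication Header (AH) mode as an added example that is not part of the original thread: the AH integrity check value (ICV) covers the IP source and destination addresses, so a NAT rewrite invalidates it while ordinary routing does not. This is a simplified model (HMAC-SHA1-96 over the IPv4 header and payload only, with the AH header's own fields omitted); the key, payload and every address except the poster's 192.168.0.77 are constructed.

```python
import hashlib, hmac, socket, struct

FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options

def checksum(data):
    """Standard Internet checksum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src, dst, ttl, payload_len, proto=51):  # protocol 51 = AH
    f = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
         socket.inet_aton(src), socket.inet_aton(dst)]
    f[7] = checksum(struct.pack(FMT, *f))
    return struct.pack(FMT, *f)

def ah_icv(key, header, payload):
    """AH-style ICV: mutable fields are zeroed, the addresses stay covered."""
    f = list(struct.unpack(FMT, header))
    f[1] = f[4] = f[5] = f[7] = 0  # TOS, flags/offset, TTL, header checksum
    return hmac.new(key, struct.pack(FMT, *f) + payload, hashlib.sha1).digest()[:12]

def in_transit(header, new_src=None, hops=0):
    """Model routers (TTL decrement) and an optional NAT (source rewrite)."""
    f = list(struct.unpack(FMT, header))
    f[5] -= hops
    if new_src:
        f[8] = socket.inet_aton(new_src)
    f[7] = 0
    f[7] = checksum(struct.pack(FMT, *f))  # NAT fixes the IP checksum, not the ICV
    return struct.pack(FMT, *f)

def receiver_accepts(key, header, payload, icv):
    return hmac.compare_digest(ah_icv(key, header, payload), icv)

KEY = b"constructed-demo-key"      # constructed shared secret
PAYLOAD = b"VNC session bytes"     # constructed payload
SENT = build_header("192.168.0.77", "198.51.100.10", 64, len(PAYLOAD))
ICV = ah_icv(KEY, SENT, PAYLOAD)
ROUTED = in_transit(SENT, hops=3)                        # routers only
NATTED = in_transit(SENT, new_src="203.0.113.5", hops=3)  # NAT on the path

if __name__ == "__main__":
    print("routed only:", receiver_accepts(KEY, ROUTED, PAYLOAD, ICV))
    print("after NAT  :", receiver_accepts(KEY, NATTED, PAYLOAD, ICV))
```

The encapsulation the comment mentions is standardized as NAT traversal (RFC 3947/3948), which wraps ESP in UDP port 4500 so the NAT device only rewrites the outer UDP/IP headers.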