Remote access VPN Without PPTP

bmigette · May 22, 2009, 4:02pm

Hi all, I want to know if there’s a way to make a Remote acccess VPN (for end users) with something more secure than PPTP, like SSL of IPSec. The best would be that it support split tunneling (selecting which traffic is sent to the tunnel and which traffic is sent directly to internet).
Thanks.

bmigette · May 26, 2009, 9:31am

I can’t believe there’s no other method, nobody knows ?

normis · May 26, 2009, 9:40am

what can be more secure than ipsec? what do you need it for? even banks use ipsec

mrz · May 26, 2009, 9:41am

SSL tunnels are not supported in routerOS, but you can use l2tp+ipsec.

bmigette · May 26, 2009, 9:57am

Hi, I want to use IPSEC Or SSL, but for Remote access VPN, and on documentation, the only thing I found was PPTP, but PPTP is not very secure, and I searched L2TP/IPSEC, I found that:
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP
But it’s not very easy on the client side, having to modify IPSec policies.

hilton · May 26, 2009, 10:38am

Hey welcome to life dude! Seriously you can’t have your cake AND eat it. If the requirements are that stringent then you need to do the hard work. It’s a known fact that PPTP on a Windows box is dead easy (to set-up and to later support) but IPSec is something that requires hair on your chest.

How ‘unsecured’ is PPTP really?

bmigette · May 26, 2009, 10:55am

Hi, the fact is that I need encryption, and PPTP does not seems to provide any encryption algorithms, and I need confidentiality. I know that there’s some IPSec client, like the cisco VPN client that are strong and easy to use. My aim is to provide a VPN service for end users, who will probably have a very limited knowledge in computing

mrz · May 26, 2009, 11:11am

in ppp profile set use-encryption=require and pptp will use encryption

hilton · May 26, 2009, 11:14am

Says who? Mikrotik provides MPPE 128 stateless encryption.

and I need confidentiality

According to RFC 3078, it states

MPPE uses the RSA RC4 [3] algorithm to provide data confidentiality.
   The length of the session key to be used for initializing encryption
   tables can be negotiated.  MPPE currently supports 40-bit and 128-bit
   session keys.

My aim is to provide a VPN service for end users, who will probably have a very limited knowledge in computing

Then you need to use PPTP.

bmigette · May 26, 2009, 11:22am

hilton:

bmigette:

Hi, the fact is that I need encryption, and PPTP does not seems to provide any encryption algorithms

Says who? Mikrotik provides MPPE 128 stateless encryption.

and I need confidentiality

According to RFC 3078, it states
MPPE uses the RSA RC4 [3] algorithm to provide data confidentiality.
   The length of the session key to be used for initializing encryption
   tables can be negotiated.  MPPE currently supports 40-bit and 128-bit
   session keys.
My aim is to provide a VPN service for end users, who will probably have a very limited knowledge in computing

Then you need to use PPTP.

Humm, I didn’t know about MPPE… i’ll take a look at that, thank you !

hilton · May 26, 2009, 11:25am

On the client side just make sure the ‘type of VPN’ is set to ‘PPTP’ and that under ‘security’ you have ‘require data encryption’ ticked and that IPv6 is NOT ticked.

I can’t remember if this is the default though.

Chupaka · May 27, 2009, 7:51am

‘require data encryption’ is by default in Windows