12 User Management
12-14 VPN 3000 Concentrator Series User Guide
L2TP Authentication Protocols
Check the boxes for the authentication protocols that L2TP clients can use. To establish and use a VPN
tunnel, a user must be authenticated by one of the checked protocols.
Caution: Unchecking all authentication options means that no authentication is required; that is, L2TP users can
connect without authenticating at all. This configuration is allowed so you can test connections, but it is not
secure.
These choices specify the allowable authentication protocols in order from least secure to most secure.
PAP = Password Authentication Protocol. This protocol passes the username and password in cleartext
during authentication, so anyone who can observe the link obtains the credentials. It is not secure, and we
strongly recommend that you not allow it (it is not allowed by default).
CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the
client returns an MD5 hash of the challenge combined with the password, together with a cleartext username;
the password itself never crosses the link. It is more secure than PAP and is allowed by default. Note that the
server must hold the cleartext password in order to verify the response.
EAP = Extensible Authentication Protocol. This protocol is allowed by default. The Concentrator supports EAP-MD5
(MD5-Challenge) authentication, which is analogous to CHAP and provides the same level of
security.
MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is
similar to CHAP but improves on it in two ways. In response to the server challenge, the client returns a value
computed from the challenge and a hash of the password, with a cleartext username. Thus the server stores
and compares only password hashes, rather than the cleartext passwords that CHAP requires. The exchange
also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption).
This protocol is allowed by default. If you check Required under L2TP Encryption below, you must
allow one or both MSCHAP protocols and no other.
MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is
more secure than MSCHAPv1. It requires mutual client-server authentication, uses
session-unique keys for data encryption by MPPE, and derives different encryption keys for the
send and receive paths. This protocol is not allowed by default. The VPN Concentrator internal user
authentication server supports this protocol, but external authentication servers do not. If you check
Required under L2TP Encryption below, you must allow one or both MSCHAP protocols and no other.
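The PAP and CHAP exchanges described above, as an added example (not code from the VPN 3000 Concentrator or from Cisco): both sides of each exchange, what a passive observer on the link learns from each, and why CHAP's advantage over PAP still depends on password strength. USER_DB, the user name and the wordlist are constructed for the illustration.

```python
"""PAP and CHAP over one L2TP/PPP link, and what an eavesdropper learns.

Added example: not code from the VPN 3000 Concentrator or Cisco. USER_DB
and the wordlist are constructed for the illustration.
"""
import hashlib
import hmac
import os

# Constructed server-side user store.  CHAP (RFC 1994) obliges the server to
# keep the cleartext secret, because the expected response is MD5 over it.
USER_DB = {"alice": "winter2024"}


def pap_request(username, password):
    """PAP: the client sends username and password in the clear."""
    return {"username": username, "password": password}


def pap_verify(msg):
    return USER_DB.get(msg["username"]) == msg["password"]


def chap_challenge(ident=1):
    """Server -> client: Challenge packet carrying an identifier and a random value."""
    return {"id": ident, "challenge": os.urandom(16)}


def chap_digest(ident, secret, challenge):
    """CHAP response value: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_response(username, password, challenge_msg):
    """Client -> server: the hash plus the username in cleartext; no password on the wire."""
    return {"id": challenge_msg["id"], "username": username,
            "response": chap_digest(challenge_msg["id"], password, challenge_msg["challenge"])}


def chap_verify(challenge_msg, response_msg):
    """Server recomputes the hash from its stored cleartext secret and compares."""
    secret = USER_DB.get(response_msg["username"])
    if secret is None or response_msg["id"] != challenge_msg["id"]:
        return False
    expected = chap_digest(challenge_msg["id"], secret, challenge_msg["challenge"])
    return hmac.compare_digest(expected, response_msg["response"])


def eavesdrop_pap(msg):
    """A passive observer of PAP obtains the password outright."""
    return msg["password"]


def eavesdrop_chap(challenge_msg, response_msg, wordlist):
    """A passive observer of CHAP sees ID, challenge, username and hash, not the
    password.  The captured pair can still be attacked offline, so CHAP's
    advantage over PAP is only as good as the password.  A replayed response,
    by contrast, fails against a fresh challenge (see chap_verify)."""
    for guess in wordlist:
        if chap_digest(challenge_msg["id"], guess, challenge_msg["challenge"]) == response_msg["response"]:
            return guess
    return None
```

The same offline guessing applies to EAP-MD5, which the page describes as analogous to CHAP; MS-CHAP changes what the server stores, not the fact that a captured challenge/response pair can be guessed against offline.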
L2TP Encryption
Check the boxes for the data encryption options that apply to L2TP clients.
Required = During connection setup, L2TP clients must agree to use Microsoft encryption (MPPE)
to encrypt data, or they are not connected. This option is not checked by default. If you check
this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under L2TP Authentication
Protocols above, and you must also check 40-bit and/or 128-bit here. Do not check this option if you
use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.
Require Stateless = During connection setup, L2TP clients must agree to use stateless encryption, or
they are not connected. With stateless encryption, the encryption key is changed on every packet; with
stateful encryption, the key is changed only after a fixed number of packets or whenever a packet is lost.
Stateless encryption is more secure, but it requires more processing because every packet carries a key change.
It may nevertheless perform better in a lossy environment (where packets are lost), such as the
Internet, because a lost packet does not leave the receiver out of step with the sender's cipher state.
This option is not checked by default. Do not check this option if you use NT Domain user
authentication; NT Domain authentication cannot negotiate encryption.
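The stateful-versus-stateless trade-off, as an added simulation (not MPPE code from the Concentrator, from Microsoft, or from RFC 3078). RC4 is the cipher MPPE uses, but packet_key() is a constructed HMAC stand-in for the MPPE key derivation, the coherency count is not wrapped at 12 bits, and resynchronisation is reduced to a reset request that makes the sender re-key on its next packet. simulate() sends one numbered message per packet, drops the chosen ones, and reports what the receiver recovered and how many key setups the sender paid for.

```python
"""Model of stateful vs. stateless per-packet keying on a lossy link.

Added example: not MPPE code from the VPN 3000 Concentrator or RFC 3078.
RC4 is the cipher MPPE uses; packet_key() is a constructed stand-in for the
MPPE key derivation, and resync is simplified to a reset request that makes
the sender re-key on its next packet.
"""
import hashlib
import hmac

MASTER_KEY = b"constructed-session-key-for-demo"   # constructed, not negotiated
REKEY_INTERVAL = 256   # stateful mode: scheduled key change every 256 packets


class RC4Stream:
    """Textbook RC4 keystream that keeps its position between calls."""
    def __init__(self, key):
        self.s, j = list(range(256)), 0
        for i in range(256):
            j = (j + self.s[i] + key[i % len(key)]) & 0xFF
            self.s[i], self.s[j] = self.s[j], self.s[i]
        self.i = self.j = 0

    def xor(self, data):
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(b ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def packet_key(count):
    """Key for a given coherency count (constructed derivation, not MPPE's)."""
    return hmac.new(MASTER_KEY, count.to_bytes(2, "big"), hashlib.sha1).digest()[:16]


class StatelessSender:
    """Stateless mode: fresh key and fresh cipher state for every packet."""
    def __init__(self):
        self.count, self.key_setups = 0, 0

    def reset_request(self):
        pass   # nothing to resynchronise: each packet is self-describing

    def send(self, plaintext):
        self.key_setups += 1
        pkt = {"count": self.count, "flush": True,
               "body": RC4Stream(packet_key(self.count)).xor(plaintext)}
        self.count += 1
        return pkt


class StatelessReceiver:
    def recv(self, pkt):
        # The count in the header is enough to rebuild the key, lost packets or not.
        return RC4Stream(packet_key(pkt["count"])).xor(pkt["body"])


class StatefulSender:
    """Stateful mode: the RC4 state runs on across packets; key changes are rare."""
    def __init__(self):
        self.count, self.key_setups, self.cipher, self.flush_pending = 0, 0, None, False

    def reset_request(self):
        self.flush_pending = True   # peer lost sync: re-key and flag it on the next packet

    def send(self, plaintext):
        flush = self.flush_pending or self.count % REKEY_INTERVAL == 0
        if flush:
            self.cipher = RC4Stream(packet_key(self.count))
            self.key_setups += 1
            self.flush_pending = False
        pkt = {"count": self.count, "flush": flush, "body": self.cipher.xor(plaintext)}
        self.count += 1
        return pkt


class StatefulReceiver:
    def __init__(self):
        self.expected, self.cipher = None, None

    def recv(self, pkt):
        if pkt["flush"]:
            self.cipher = RC4Stream(packet_key(pkt["count"]))
            self.expected = pkt["count"]
        if pkt["count"] != self.expected:
            self.expected = None   # keystream position unknown until the next flush
            return None
        self.expected += 1
        return self.cipher.xor(pkt["body"])


def simulate(mode, n_packets, drop):
    """Send n_packets numbered messages, dropping the indices in `drop`.
    Returns what the receiver recovered (None = undecryptable) and how many
    key setups the sender performed."""
    if mode == "stateless":
        sender, receiver = StatelessSender(), StatelessReceiver()
    else:
        sender, receiver = StatefulSender(), StatefulReceiver()
    received = []
    for n in range(n_packets):
        pkt = sender.send(f"msg{n}".encode())
        if n in drop:
            continue
        out = receiver.recv(pkt)
        received.append(out)
        if out is None:
            sender.reset_request()   # models the CCP Reset-Request sent on loss
    return {"received": received, "key_setups": sender.key_setups}
```

Dropping one packet costs the stateless link nothing beyond the packet itself, while the stateful link also discards the next packet and has to re-key; over a lossless link the stateful sender does one key setup per REKEY_INTERVAL packets where the stateless sender does one per packet, which is the processing cost the text refers to.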