Cisco Systems VPN 3000 PPTP Encryption

12 User Management

12-30 VPN 3000 Concentrator Series User Guide

and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This

protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption).

If you check Required under PPTP Encryption below, you must allow one or both MSCHAP protocols

and no other.

MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is

even more secure than MSCHAPv1. It requires mutual client-server authentication, uses

session-unique keys for data encryption by MPPE, and derives different encryption keys for th e

send and receive paths. The VPN Concentrator internal user authentication server supports this

protocol, but external authentication servers do not. If you check Required under PPTP Encryption

below, you must allow one or both MSCHAP protocols and no other.

PPTP Encryption

Check the boxes for the data encryption options that apply to this group’s PPTP clients.

Required = During connection setup, this group’s PPTP clients must agree to use Microsoft

encryption (MPPE) to encrypt data or they will not be connected. If you check this option, you must

also allow only MSCHAPv1 and/or MSCHAPv2 under PPTP Authentication Protocols above, and you

must also check 40-bit and/or 128-bit here.

Require Stateless = During connection setup, this group ’s PPTP clients must agree to use stateless

encryption to encrypt data or they will not be connected. With stateless encryption, the encryption

keys are changed on every packet; otherwise, the keys are changed after som e number of packets or

whenever a packet is lost. Stateless encryption is more secure, but it requires more processing.

However, it might perform better in a lossy environment (where packets are lost), such as the

Internet.

40-bit = This group’s PPTP clients are allowed to use the RSA RC4 encryption algorithm with a

40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE)

uses this algorithm. If you check Required, you must check this option and/or the 128-bit option.

128-bit = This group’s PPTP clients are allowed to use the RSA RC4 encryption algorithm with a

128-bit key. Microsoft encryption (MPPE) uses this algorithm. If you check Required, you must

check this option and/or the 40-bit option. The U.S. government restricts the distribution of 128-bit

encryption software.

L2TP Authentication Protocols

Check the boxes for the authentication protocols that this group’s L2TP clients can use. To establish and

use a VPN tunnel, users should be authenticated according to some protocol.

Caution:Unchecking all authentication options means that no authentication is required. That is, L2TP users can

connect with no authentication. This configuration is allowed so you can test connections, but it is not

secure.

These choices specify the allowable authentication protocols in order from least secure to most secure.

You can allow a group to use fewer protocols than the base group, but not more. You cannot allow a

grayed-out protocol.

PAP = Password Authentication Protocol. This protocol passes cleartext username and pa ssword

during authentication and is not secure. We strongly recommend that you not allow this protocol.