TECHMAN007
Technical User
This is for all of you security experts out there.
We are trying to create VPN connections for some of our users with the default windows VPN client using L2TP/IPSEC with Maximum encryption (AES256/SHA) using PAP as the authentication method with LDAP configured on the ASA. Sadly LDAP doesn't allow EAP or MCHAPv2 and we can't use a Radius server which would allow us to.
Watching the ASA logs it appears that authentication occurs after phase 2 is established. This in my mind (I am not expert in the authentication methods) would tell me that PAP is passing over IPSEC and would be encrypted to an outside source and while PAP is plain text it would only be sniffable by someone within our LAN where the LDAP server resides. Obviously it is the worst authentication method for a tunnel, but I am just trying to get clarity on whether the plain text authentication would be sent outside of the ipsec tunnel (I don't see why it would be).
I ran wireshark on a workstation when I connected to the asa and it didn't appear in the network stream so I am fairly satisfied that it is at least encrypted on the internet.
Any thoughts are appreciated.
Dan
We are trying to create VPN connections for some of our users with the default windows VPN client using L2TP/IPSEC with Maximum encryption (AES256/SHA) using PAP as the authentication method with LDAP configured on the ASA. Sadly LDAP doesn't allow EAP or MCHAPv2 and we can't use a Radius server which would allow us to.
Watching the ASA logs it appears that authentication occurs after phase 2 is established. This in my mind (I am not expert in the authentication methods) would tell me that PAP is passing over IPSEC and would be encrypted to an outside source and while PAP is plain text it would only be sniffable by someone within our LAN where the LDAP server resides. Obviously it is the worst authentication method for a tunnel, but I am just trying to get clarity on whether the plain text authentication would be sent outside of the ipsec tunnel (I don't see why it would be).
I ran wireshark on a workstation when I connected to the asa and it didn't appear in the network stream so I am fairly satisfied that it is at least encrypted on the internet.
Any thoughts are appreciated.
Dan
