PPTP vpn secure or not so secure?

[markm75]

I recall reading about security with PPTP vpn (2003 server) in the past and mentioning something along the lines of.. PPTP is secure but only after authentication..

IE: Password is sent in clear text.

Are there any methods around this.. like certificates etc.

Thanks for any info.

 

[burtsbees]

When you encrypt with IPSec, it is very secure.

Burt

 

[markm75]

By encrypt do you mean use EAP and an SSL certificate or some other means?

Cheers

 

[burtsbees]

I'm sorry---what I mean is that IPSec VPN's are definitely more secure, but I know that in the past there have been issues with interoperability between clients and VPN routers (like Microsoft PPTP and L2TP do not jive well with IPSec routers, etc.). Security-wise, GRE tunnels can be encrypted with IPSec.
PPTP uses a 128 bit encryption, versus IPSec, which uses 3DES, or 168 bit encryption (which is actually 56 bit encryption back and forth, but three times---3X56=168). Now whether or not one needs stronger than 128 bit...also, I believe PPTP connections can be subject to man-in-the-middle attacks, and the authentication is not so hot.
In summary, IPSec is much more secure---the fact that it uses pre-shared public and private keys---public sent over the Internet only encrypts the keys, so capturing this key is useless, while private keys stay at the client/router(s), and they are what decrypt---makes IPSec more secure, along with the unbreakable (for now)3DES encryption.

Burt

 

[burtsbees]

Man---I'm sorry---this does not answer the original question of how to encrypt the authentication of PPTP---sorry man---don't know that one.

Burt