Jacco de Leeuw's SANE 2004 Poster



L2TP/IPsec with Linux Openswan

If you are looking for more information about my SANE 2004 poster, then you have come to the right place. In the poster that I presented at SANE, I contend that PPTP may not be meeting today's security demands as a VPN protocol. L2TP/IPsec is suggested as an alternative. The general idea is to run this protocol on a Linux server, but it should work on other Unices as well. You can download the poster called "PPTP Must Die" in PDF format.

More information can be found on the following webpages about using Openswan with L2TP:

The first page contains a discussion of using Openswan with L2TP/IPsec. It includes information on setting up the Linux side. Start with reading this page. Be warned that it contains lots and lots of information, and web design may not be my strongest point!

The other pages contain the specifics on several clients supporting L2TP/IPsec. With "third-party" I mean add-on software that is not included with the base operating system, for instance SSH Sentinel and SafeNet SoftRemote. The "Microsoft L2TP/IPSec VPN Client" (alias MSL2TP) is a free client available for Windows 9x/Me/NT4.

Pocket PC 2003 contains a built-in L2TP/IPsec client. To make practical use of it while on the road, you need a client certificate. Unfortunately Pocket PC 2003 cannot import a PKCS#12 certificate out of the box. The official way to obtain a certificate on a Pocket PC device is through 'web enrollment', which means that the device generates a private key and submits a Certificate Signing Request to a web-based Certificate Authority for signing. True to its modus operandi, Microsoft made sure that this only works with IIS and Microsoft Certificate Services on a Windows server. However, I took it upon myself to write a program which allows you to import a certificate from any Certificate Authority to Pocket PC 2003. This means that you can now connect to a Linux L2TP/IPsec server without having to buy Windows 2000/2003 Server for generating the certificates!
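The enrollment flow described above (private key generated on the client, a CSR sent to the CA, the signed certificate returned and bundled with the key) can be reproduced with plain OpenSSL on the Linux side. The script below is an added example and is not the import program mentioned above nor part of Openswan; the CA name, the client CN "pocketpc-client", the file names, the PKCS#12 password "demo" and the function names are all constructed for the demo. It stands up a throwaway CA, plays the client's part of web enrollment, has the CA sign the request with client-authentication extensions, and packs the result into the PKCS#12 file that a device would import.

```shell
#!/bin/sh
# Added example: certificate enrollment for an L2TP/IPsec client with OpenSSL.
# Everything here (CA name, client CN, file names, password) is constructed.
set -eu

# enroll_client DIR CLIENT_CN
# Runs the whole flow inside DIR: lab CA, client key + CSR, CA-signed cert, PKCS#12 bundle.
enroll_client() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    # Minimal OpenSSL config so the example does not depend on a system openssl.cnf.
    # v3_ca marks the CA certificate as a CA; v3_client limits the client certificate
    # to client authentication, which is what the VPN server should expect.
    cat > "$dir/enroll.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    (
        cd "$dir"
        # 1. A throwaway CA standing in for "any Certificate Authority".
        openssl req -x509 -config enroll.cnf -extensions v3_ca \
            -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
            -subj "/CN=Constructed Lab CA" 2>/dev/null
        # 2. The client's part of web enrollment: the private key is generated locally
        #    and only the CSR (public key + name, self-signed) leaves the device.
        openssl req -new -config enroll.cnf \
            -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
            -subj "/CN=$cn" 2>/dev/null
        # 3. The CA signs the CSR, adding the client-auth extensions from v3_client.
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile enroll.cnf -extensions v3_client -out client.crt 2>/dev/null
        # 4. Bundle key, certificate and CA certificate into PKCS#12, the container
        #    that Pocket PC 2003 cannot import out of the box. The password is a
        #    constructed demo value; a real bundle gets a strong one.
        openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
            -name "$cn" -passout pass:demo -out client.p12
    )
}

# verify_client DIR: check that the issued certificate chains to the lab CA.
verify_client() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null
}

# client_cert_subject DIR: read the subject back out of the PKCS#12 bundle,
# which is what an importing device ends up presenting to the VPN server.
client_cert_subject() {
    openssl pkcs12 -in "$1/client.p12" -passin pass:demo -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253
}

# client_cert_has_clientauth DIR: confirm the extendedKeyUsage the CA attached.
client_cert_has_clientauth() {
    openssl x509 -in "$1/client.crt" -noout -text | grep -q "TLS Web Client Authentication"
}

# Stand-alone run: enroll one constructed client and show what ended up in the bundle.
demo_dir=$(mktemp -d)
enroll_client "$demo_dir" pocketpc-client
verify_client "$demo_dir"
client_cert_subject "$demo_dir"
```

The point of separating steps 2 and 3 is the one the page makes about enrollment: the private key never leaves the client, so the CA only ever sees the request. Step 4 is the part a device with a working PKCS#12 importer would skip entirely.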


Updated information

There have been a few developments since the release of the paper:


Identity assertions

I have done about 50 identity assertions for Thawte and CAcert at SANE. For more information about these certification programs, see my Thawte Notary / CAcert Assurer / PGP page.



Jacco de Leeuw