I can't even
-
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how come you'd have someone manually change the settings to something obviously broken?
Because it is not broken. It is simply unencrypted. But, it is being sent over an already encrypted channel. So the authentication is never in the clear.
This is precisely how you have to setup L2TP in Windows talking to an Ubiquiti router also.
-
@jaredbusch said in I can't even:
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how come you'd have someone manually change the settings to something obviously broken?
Because it is not broken. It is simply unencrypted. But, it is being sent over an already encrypted channel. So the authentication is never in the clear.
This is precisely how you have to setup L2TP in Windows talking to an Ubiquiti router also.
So is it adding something to the connection?
-
@dustinb3403 said in I can't even:
@jaredbusch said in I can't even:
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how come you'd have someone manually change the settings to something obviously broken?
Because it is not broken. It is simply unencrypted. But, it is being sent over an already encrypted channel. So the authentication is never in the clear.
This is precisely how you have to setup L2TP in Windows talking to an Ubiquiti router also.
So is it adding something to the connection?
It is the USER authentication being sent.
-
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.jbusch@jared:~$ show configuration commands vpn | grep l2tp set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 8.8.8.8 set vpn l2tp remote-access dns-servers server-2 8.8.4.4 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access mtu 1492
-
This just arrived in my email
Who still uses Windows 2000?
-
@nerdydad said in I can't even:
This just arrived in my email
Who still uses Windows 2000?
Believe it or not, someone on this thread from yesterday
-
Today's gem:
User: Paper shredder in [another user]'s office has died after 10 years. I can find the identical one [from a vendor] but [it's used, and I'm not comfortable buying used]. Any thoughts on where to find the same one?
Me: The odds of you finding an identical replacement for a 10 year old device are slim to none. Better approach would be determine desired features, set a price point, and go shopping.
User: Let me see what I can come up with.
-
@eddiejennings said in I can't even:
Today's gem:
User: Paper shredder in [another user]'s office has died after 10 years. I can find the identical one [from a vendor] but [it's used, and I'm not comfortable buying used]. Any thoughts on where to find the same one?
Me: The odds of you finding an identical replacement for a 10 year old device are slim to none. Better approach would be determine desired features, set a price point, and go shopping.
User: Let me see what I can come up with.
User: Desired features = at least 10 years old, looks and works just like the old one.
You : ..............
User : what are "specifications"???
-
Umm.
-
WTF is wrong with people?
-
@scottalanmiller said in I can't even:
WTF is wrong with people?
I keep getting answers to questions I ask in Slack while I type stuff in Spiceworks, causing me to be beind you :P.
-
@eddiejennings said in I can't even:
@scottalanmiller said in I can't even:
WTF is wrong with people?
I keep getting answers to questions I ask in Slack while I type stuff in Spiceworks, causing me to be beind you :P.
Slacker
-
I love how often threads are so insanely straightforward, and then the person answers something that doesn't match anything anywhere on the thread. It's like they can't read or are having a stroke or something.
-
Network drive loaded onto a Cisco router. Um... https://community.spiceworks.com/topic/2084210-need-help-with-network-storage-encryption
-
This guy doesn't seem to know what a NAS is, a router, BitLocker or encryption.
-
@scottalanmiller said in I can't even:
Network drive loaded onto a Cisco router. Um... https://community.spiceworks.com/topic/2084210-need-help-with-network-storage-encryption
So he encrypted a drive and is surprised that it is encrypted?
-
@jaredbusch said in I can't even:
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.jbusch@jared:~$ show configuration commands vpn | grep l2tp set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 8.8.8.8 set vpn l2tp remote-access dns-servers server-2 8.8.4.4 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access mtu 1492
So without the "Require encryption" the preshared key is sent in plain text?
-
@dustinb3403 said in I can't even:
@jaredbusch said in I can't even:
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.jbusch@jared:~$ show configuration commands vpn | grep l2tp set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 8.8.8.8 set vpn l2tp remote-access dns-servers server-2 8.8.4.4 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access mtu 1492
So without the "Require encryption" the preshared key is sent in plain text?
I do not know enough about the protocols to definitively answer that, but the entire IPSEC protocol does not use the PSK until phase 2. Phase 2 is encrypted with the exchanges sent in phase 1.
The preshared key used in your example and mine is an IPSEC bit, not an L2TP bit.
-
@jaredbusch said in I can't even:
@dustinb3403 said in I can't even:
@jaredbusch said in I can't even:
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.jbusch@jared:~$ show configuration commands vpn | grep l2tp set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 8.8.8.8 set vpn l2tp remote-access dns-servers server-2 8.8.4.4 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access mtu 1492
So without the "Require encryption" the preshared key is sent in plain text?
I do not know enough about the protocols to definitively answer that, but the entire IPSEC protocol does not use the PSK until phase 2. Phase 2 is encrypted with the exchanges sent in phase 1.
The preshared key used in your example and mine is an IPSEC bit, not an L2TP bit.
So then it shouldn't matter, "Require encryption" or Optional or Minimal should do nothing to add / improve the encryption since IPSEC is doing all of it.
Does anyone know the protocols well enough to explain this? Why is "Require encryption" recommended, when it doesn't follow/appear to follow the standard and actively reports an error if you attempt set this up via powershell.
-
In Fedora 25 + Cinnamon, it looks like this by default.