I can't even
-
@jaredbusch said in I can't even:
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.
jbusch@jared:~$ show configuration commands vpn | grep l2tp
set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 10.254.203.2
set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492
So without the "Require encryption" the preshared key is sent in plain text?
-
@dustinb3403 said in I can't even:
@jaredbusch said in I can't even:
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.
jbusch@jared:~$ show configuration commands vpn | grep l2tp
set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 10.254.203.2
set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492
So without the "Require encryption" the preshared key is sent in plain text?
I do not know enough about the protocols to definitively answer that, but the entire IPSEC protocol does not use the PSK until phase 2. Phase 2 is encrypted with the exchanges sent in phase 1.
The preshared key used in your example and mine is an IPSEC bit, not an L2TP bit.
-
@jaredbusch said in I can't even:
@dustinb3403 said in I can't even:
@jaredbusch said in I can't even:
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.
jbusch@jared:~$ show configuration commands vpn | grep l2tp
set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 10.254.203.2
set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492
So without the "Require encryption" the preshared key is sent in plain text?
I do not know enough about the protocols to definitively answer that, but the entire IPSEC protocol does not use the PSK until phase 2. Phase 2 is encrypted with the exchanges sent in phase 1.
The preshared key used in your example and mine is an IPSEC bit, not an L2TP bit.
So then it shouldn't matter, "Require encryption" or Optional or Minimal should do nothing to add / improve the encryption since IPSEC is doing all of it.
Does anyone know the protocols well enough to explain this? Why is "Require encryption" recommended, when it doesn't follow/appear to follow the standard and actively reports an error if you attempt to set this up via PowerShell?
-
In Fedora 25 + Cinnamon, it looks like this by default.
-
@jaredbusch said in I can't even:
In Fedora 25 + Cinnamon, it looks like this by default.
And as expected nothing there for PAP is offering "Require encryption". I wonder if it's just weirdness or if there is some bug that without "encryption" information is passed in plain text. . . (somehow. . . )
-
@jaredbusch said in I can't even:
In Fedora 25 + Cinnamon, it looks like this by default.
I wouldn't use any of those authentication protocols except MSCHAPv2... uncheck the rest of them.
-
@tim_g said in I can't even:
I wouldn't use any of those authentication protocols except MSCHAPv2... uncheck the rest of them.
He is just showing the options on Fedora, as I'm trying to figure out a weird setting recommendation by Cisco to "require encryption" when using PAP and IPSEC.
It's several posts above this. . . might be worth its own topic.
-
@jaredbusch said in I can't even:
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.
jbusch@jared:~$ show configuration commands vpn | grep l2tp
set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 10.254.203.2
set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492
So with regards to this bit
The part that is going over with Unencrypted PAP is testuser/Testing!123.
I wonder if requiring encryption is actually encrypting the username and password. But how, how does it work?
-
@dustinb3403 said in I can't even:
I wonder if requiring encryption is actually encrypting the username and password.
The username/password being encrypted depends on the authentication method. If using PAP, they are sent in clear text, for example.
-
@tim_g said in I can't even:
@dustinb3403 said in I can't even:
I wonder if requiring encryption is actually encrypting the username and password.
The username/password being encrypted depends on the authentication method. If using PAP, they are sent in clear text, for example.
That is my point of contention, cisco recommends "requiring encryption" when using PAP, yet it doesn't matter.
So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?
-
@dustinb3403 said in I can't even:
So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?
Reasonably likely.
-
@scottalanmiller said in I can't even:
@dustinb3403 said in I can't even:
So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?
Reasonably likely.
Is that in any way reasonable to you as a professional?
-
@dustinb3403 said in I can't even:
@scottalanmiller said in I can't even:
@dustinb3403 said in I can't even:
So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?
Reasonably likely.
Is that in any way reasonable to you as a professional?
No, but neither is choosing Cisco
-
@scottalanmiller said in I can't even:
@dustinb3403 said in I can't even:
@scottalanmiller said in I can't even:
@dustinb3403 said in I can't even:
So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?
Reasonably likely.
Is that in any way reasonable to you as a professional?
No, but neither is choosing Cisco
Touché.
-
That's mostly tongue in cheek, but only mostly.
-
@scottalanmiller said in I can't even:
That's mostly tongue in cheek, but only mostly.
Cisco wasn't his choice, nor Meraki...
I gotta get back to my desktop and read closer. I did see your point though originally. And does it only recommend using PAP?
-
@tim_g said in I can't even:
@dustinb3403 said in I can't even:
I wonder if requiring encryption is actually encrypting the username and password.
The username/password being encrypted depends on the authentication method. If using PAP, they are sent in clear text, for example.
Yeah he's got that. When you click on his link search the page for PAP and read the boxes comment. That's what we are mulling over.
-
@bigbear said in I can't even:
@scottalanmiller said in I can't even:
That's mostly tongue in cheek, but only mostly.
Cisco wasn't his choice, nor Meraki...
I gotta get back to my desktop and read closer. I did see your point though originally. And is it only recommends to use PAP?
Didn't say it was. But his question was, was it good for Cisco to make that decision, but the real question is... why did someone choose Cisco if it didn't meet the needs?
-
@bigbear said in I can't even:
@scottalanmiller said in I can't even:
That's mostly tongue in cheek, but only mostly.
Cisco wasn't his choice, nor Meraki...
I gotta get back to my desktop and read closer. I did see your point though originally. And is it only recommends to use PAP?
The whole setup likely won't matter soon; the issue came up because I had to set up a large number of systems with VPN, and I didn't want to have to go and configure every system by hand.
So I wrote a PowerShell script to do it, based on the information I had in our documentation, and that is where I found the weirdness with this "require encryption".
PS 4 flat out said "nope go pound sand, that isn't a valid option". I can manually make this change, yet I want to understand why I should bother?
I can connect with "minimal" or "require encryption" in either case. Does "require encryption" do something? (not that I can see).
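The following is an added example, not the script from this thread or anything published by Cisco or Microsoft. It builds the same kind of L2TP/IPsec client entry with the VpnClient cmdlets and makes the two layers visible: the `-EncryptionLevel` setting ("Require encryption" in the GUI) governs PPP-layer MPPE encryption, whose keys are derived from the MS-CHAP or EAP exchange, which is why PAP cannot satisfy "Required" and why the setting adds nothing to the IPsec tunnel underneath. It then dials the entry and checks for an IPsec quick-mode SA to the server, which is the actual evidence that the PPP authentication ran inside the tunnel. The connection name, server name and PSK are placeholders, and the `RemoteEndpoint` property name on the SA objects is assumed from the cmdlet's default output.

```powershell
# Added example (not the thread's script). Creates an L2TP/IPsec entry and shows
# that EncryptionLevel is a PPP/MPPE setting, not an IPsec one.
$ConnName = 'Office-L2TP'            # placeholder
$Server   = 'vpn.example.com'        # placeholder
$Psk      = 'REPLACE-WITH-REAL-PSK'  # placeholder; never commit a real PSK

function New-L2tpConnection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ServerAddress,
        [Parameter(Mandatory)] [string] $PreSharedKey,
        [ValidateSet('Pap', 'Chap', 'MSChapv2', 'Eap')] [string] $AuthMethod = 'MSChapv2',
        [ValidateSet('NoEncryption', 'Optional', 'Required', 'Maximum')] [string] $Encryption = 'Required'
    )
    # Returns $true when the phonebook entry was created, $false when the
    # cmdlet refused the AuthenticationMethod/EncryptionLevel pairing.
    try {
        Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType L2tp `
            -L2tpPsk $PreSharedKey -AuthenticationMethod $AuthMethod `
            -EncryptionLevel $Encryption -RememberCredential -Force -ErrorAction Stop
        return $true
    }
    catch {
        Write-Warning "Add-VpnConnection refused $AuthMethod with EncryptionLevel=$Encryption`: $($_.Exception.Message)"
        return $false
    }
}

# 1. The pairing the thread reports PowerShell rejecting: PAP + Required.
#    MPPE keys come out of the MS-CHAP/EAP exchange; PAP yields no key
#    material, so a "Required" PPP encryption level can never be met.
$papRequired = New-L2tpConnection -Name "$ConnName-pap" -ServerAddress $Server `
    -PreSharedKey $Psk -AuthMethod Pap -Encryption Required
if ($papRequired) { Remove-VpnConnection -Name "$ConnName-pap" -Force }

# 2. The pairing that does add a second layer: MS-CHAPv2 + Required.
#    The password is never sent in the clear, and MPPE runs inside IPsec.
$ok = New-L2tpConnection -Name $ConnName -ServerAddress $Server -PreSharedKey $Psk `
    -AuthMethod MSChapv2 -Encryption Required

if ($ok) {
    # Review what was written to the phonebook entry.
    Get-VpnConnection -Name $ConnName |
        Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel |
        Format-List

    # 3. Dial it and confirm the L2TP/PPP exchange is inside an IPsec SA.
    #    rasdial uses the saved credential or prompts for one.
    rasdial $ConnName
    if ($LASTEXITCODE -eq 0) {
        $serverIps = [System.Net.Dns]::GetHostAddresses($Server) |
            ForEach-Object { $_.IPAddressToString }
        # Quick-mode (phase 2) SAs; RemoteEndpoint is assumed from the default output.
        $sa = Get-NetIPsecQuickModeSA | Where-Object { $serverIps -contains $_.RemoteEndpoint }
        if ($sa) {
            Write-Host "IPsec quick-mode SA to $Server is up; PPP authentication ran inside it."
            $sa | Format-Table -AutoSize
        }
        else {
            Write-Warning "No IPsec SA to $Server: the L2TP/PPP exchange would be unprotected."
        }
        rasdial $ConnName /disconnect
    }
}
```

Run it in an elevated PowerShell on Windows 8 or later, where the VpnClient and NetSecurity modules ship. The useful check is step 3: if an SA to the server exists, the PPP authentication (PAP or otherwise) travelled inside IPsec regardless of the EncryptionLevel value; if no SA exists, no PPP-level setting would have rescued it.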
-
@scottalanmiller said in I can't even:
@bigbear said in I can't even:
@scottalanmiller said in I can't even:
That's mostly tongue in cheek, but only mostly.
Cisco wasn't his choice, nor Meraki...
I gotta get back to my desktop and read closer. I did see your point though originally. And is it only recommends to use PAP?
Didn't say it was. But his question was was it good for Cisco to make that decision, but the real question is... why did someone choose Cisco if it didn't meet the needs?
The real question is, why the hell is this the "configuration method" that is recommended by Cisco.
Not "why did someone choose Cisco if it doesn't meet the needs".
That is a derailment from the question I have, which is "wtf is this doing, if it is clearly wrong?!"