72 Chapter 5 VPN Service
VPN and Security
VPNs provide security through strong authentication of identity and encrypted data transport between nodes, which protects the privacy and integrity of the data. The following section describes each supported transport and authentication method.
Authentication Method
Mac OS X Server VPN uses Microsoft’s Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication, which is also the standard Windows authentication scheme for VPN. This method encodes passwords when they’re sent over the network and stores them in a scrambled form on the server, offering good security during network transmission.
This authentication method is the default and is available for both transport protocols described in the following section.
Mac OS X Server supports several authentication methods, each with its own strengths and requirements. You cannot choose the authentication method in Server Admin. If you need a scheme other than the default (for example, RSA Security’s SecurID authentication), you’ll need to edit the VPN configuration file manually. The configuration file is located at:
/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
Transport Protocols
You can enable either or both of the encrypted transport protocols. Each has its own strengths and requirements.
Point to Point Tunneling Protocol (PPTP)
PPTP is the Windows standard VPN protocol. It offers good encryption and supports a number of authentication schemes. It uses the user-provided password to produce an encryption key. If your VPN clients require it, you can also allow 40-bit (weak) encryption in addition to the default 128-bit (strong) encryption.
PPTP is required if you have Windows or Mac OS X 10.2.x clients.
Layer Two Tunneling Protocol, Secure Internet Protocol (L2TP/IPSec)
L2TP/IPSec uses strong IPSec encryption to “tunnel” data between the network nodes. It is essentially a combination of Cisco’s L2F and PPTP. IPSec requires either security certificates from a Certificate Authority such as Verisign, or a predefined shared secret between the connecting nodes. The shared secret must be entered on both the server and the client. It is not a password for authentication; it is used to generate the encryption keys that establish secure tunnels between nodes.
LL2351.Book Page 72 Monday, September 8, 2003 2:47 PM