L2Tp Encryption; Add Or Apply / Cancel - Cisco VPN 3000 User Manual

L2TP Encryption

Check the boxes for the data encryption options that apply to this group's L2TP clients.

Add or Apply / Cancel

When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen
to Add this specific group to the list of configured groups, or to Apply your changes. Both actions include
your settings in the active configuration. The Manager returns to the Configuration | User Management |
Groups
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the
top of the Manager window.
To discard your settings, click the Cancel button. The Manager returns to the Configuration | User
Management | Groups
VPN 3000 Concentrator Series User Guide
= Challenge-Handshake Authentication Protocol. In response to the server challenge, the
CHAP
client returns the encrypted [challenge plus password], with a cleartext username. It is more secure
than PAP.
EAP = Extensible Authentication Protocol. This protocol supports -MD5 (MD5-Challenge)
authentication, which is analogous to the CHAP protocol, with the same level of security.
MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is
similar to, but more secure than, CHAP. In response to the server challenge, the client returns the
encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—
and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This
protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption).
If you check Required under L2TP Encryption below, you must allow one or both MSCHAP protocols
and no other.
MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is
even more secure than MSCHAPv1. It requires mutual client-server authentication, uses
session-unique keys for data encryption by MPPE, and derives different encryption keys for the
send and receive paths. The VPN Concentrator internal user authentication server supports this
protocol, but external authentication servers do not. If you check Required under L2TP Encryption
below, you must allow one or both MSCHAP protocols and no other.
Required = During connection setup, this group's L2TP clients must agree to use Microsoft
encryption (MPPE) to encrypt data or they will not be connected. If you check this option, you must
also allow only MSCHAPv1 and/or MSCHAPv2 under L2TP Authentication Protocols above, and you must
also check 40-bit and/or 128-bit here.
Require Stateless = During connection setup, this group's L2TP clients must agree to use stateless
encryption to encrypt data or they will not be connected. With stateless encryption, the encryption
keys are changed on every packet; otherwise, the keys are changed after some number of packets or
whenever a packet is lost. Stateless encryption is more secure, but it requires more processing.
However, it might perform better in a lossy environment (where packets are lost), such as the
Internet.
= This group's L2TP clients are allowed to use the RSA RC4 encryption algorithm with a
40-bit
40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE)
uses this algorithm. If you check Required , you must check this option and/or the 128-bit option.
128-bit = This group's L2TP clients are allowed to use the RSA RC4 encryption algorithm with a
128-bit key. Microsoft encryption (MPPE) uses this algorithm. If you check Required , you must
check this option and/or the 40-bit option. The U.S. government restricts the distribution of 128-bit
encryption software.
screen. Any new groups appear in alphabetical order in the Current Groups list.
screen, and the Current Groups list is unchanged.
Configuration | User Management | Groups | Add or Modify (Internal)
12-31