I read about Bruce Schneier's analysis as well, and it was one of the reasons for not wanting to go PPTP. I didn't necessarily want to spend money on it, so I went in search of other methods. Having heard of IPSEC before, I thought that'd be the way to go. After the discussion and reading some of the links provided, it seems like it is the way to go.
FWIW, the answer to my original problem was that I had not listed the server's key in the ipsec secrets file. In any case, doing so got ipsec working. I then had another problem with ppp authentication over the L2TP tunnel - it turns out you can't have * for the server field in the secrets file as the man page says you can (maybe it's an l2tp thing). Anyway, got the test run working internally, now for the "real world" thing....
Fil

John Clarke wrote:

On Thu, Mar 13, 2003 at 05:14:58PM +1100, Phil Scarratt wrote:

> My concern with the PPTP path is the reported security issues:

It's actually MS's implementation that's flawed rather than PPTP itself. However, the most likely reason for using PPTP is Windows clients, and that means MS's implementation. Bruce Schneier has analysed it and found it to be severely flawed, and recommends IPSEC instead. That's good enough for me.

From http://www.counterpane.com/pptp-faq.html:

3. How bad is it?

Very. Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over. This isn't just one problem, but six different problems, any one of which breaks the protocol.

Cheers,
John