vpn ms-chap question

marcusbrutus
Level 1

Hi,

I was just curious. Given an ASA configured with the typical IKE phase 1 and 2 settings, if I include ppp-attribute with authentication ms-chap, when the XP client connects, does that mean that ms-chap uses the preshared key configured on the XP client and that 3DES, which was originally configured in the isakmp policy on the ASA, is not used? Or do the entire IKE phases 1 and 2 complete and then, within the tunnel, the XP client sends the username/password via ms-chap?

Sorry, I am getting a bit confused about where the username/password phase comes in.

Thanks in advance.

Accepted Solutions

Jennifer Halim
Cisco Employee

Since you mention PPP with ms-chap as the authentication, I assume that you are talking about L2TP over IPSec.

With phase 1 and phase 2 that you mention, it is only the IPSec part.

The PPP with ms-chap as the authentication is the L2TP part.

So firstly, you would create an IPSec VPN tunnel, and once you have the tunnel established, the L2TP will be encrypted within the IPSec tunnel.

So, the ms-chap part belongs to the L2TP authentication.

3DES is the IPSec encryption method, and preshared key is used by the IPSec as an authentication method to authenticate the peer.

Lastly, username and password is the extended authentication from the IPSec and is part of phase 1.

Hope this helps.
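
An ASA configuration sketch showing where the IPSec part and the L2TP/PPP part discussed in this thread are configured. It is an added example, not part of the original thread or either poster's configuration. The names L2TP_TS, DYN_MAP, OUTSIDE_MAP and L2TP_POOL, the interface name outside, the policy and sequence numbers, the address range and the angle-bracket placeholders are assumptions, and it uses the older `crypto isakmp` syntax the question refers to.

```cisco
! ---- IPSec part, phase 1: IKE policy and peer authentication ----
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
!
! The preshared key authenticates the IPSec peer; the XP client
! is configured with the same key (placeholder value).
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <PRESHARED_KEY>
!
! ---- IPSec part, phase 2: ESP protecting the L2TP traffic ----
! L2TP over IPSec uses transport mode.
crypto ipsec transform-set L2TP_TS esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP_TS mode transport
crypto dynamic-map DYN_MAP 10 set transform-set L2TP_TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
!
! ---- L2TP part: PPP authentication inside the IPSec tunnel ----
! The ASA keywords are ms-chap-v1 and ms-chap-v2.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v1
!
! Allow L2TP over IPSec and hand out client addresses
! (constructed pool range).
ip local pool L2TP_POOL 192.168.50.10-192.168.50.50
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP_POOL
!
! Local user checked by the PPP MS-CHAP exchange (placeholders).
username <USERNAME> password <PASSWORD> mschap
```

The preshared key and 3DES appear only in the IPSec stanzas, while ms-chap appears only under `ppp-attributes`, which matches the split between the IPSec part and the L2TP part.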
