Can Windows L2TP use AES and SHA2?

If I remember right there have been collisions found in SHA1 but none of them have actually been broken. I'm behind on my reading though.

As a whole anything using IPSec should be fine. You're talking about the difference between a 10' steel door and a 12' steel door. Good luck breaking into either one. If you want to break into a system, decrypting L2TP traffic is NOT the first place you should start.

 
Will Vista also be able to use SHA2 for L2TP? I know SHA2 is in the CNG suite, so I would think it would be able to use it, but I don't know for sure.

I'm just happy that both the kernel and usermode implementations of AES will be FIPS certified in Vista. Currently, only the usermode one is, and EFS uses the kernel mode one. So customers currently need to enable the FIPS GPO which downgrades the algorithm to a FIPS certified 3DES implementation.
 
Okay, one last question. I'm having a hard time using Certs instead of PSKs for authentication. How big of a security difference is there for these?

(I imported the user cert into the Computer - Personal folder, but my firewall just spits out malformed packet errors.)
 
Well I'm currently using FreeS/WAN and in the instructions I only download a Host CSR for the client. Inside the PKCS#12 was only the client Cert.

Should I also import the firewall CA into the laptop?
 