On Wed, 28 May 2014 22:04:34 +0300
Mike Jackson <[email protected]> wrote:
> If npppd tunnel listen address can't be changed and l2tp-ipsec-require
> isn't supported,
You can change the listen address in npppd.conf:
    tunnel L2TP protocol l2tp {
        listen on xxx.xxx.xxx.xxx
    }
l2tp-ipsec-require isn't supported yet, but we can refuse L2TP without
IPsec packets with pf.
> then how is one supposed to secure the npppd service from
> dictionary attacks from the entire world?
When RADIUS is used for authentication, the RADIUS authentication
server may provide something against the dictionary attacks.
Also if npppd supports EAP-RADIUS in the future, some authentication
methods including EAP-TLS (certificate authentication) will become
available.
> Ideal would be to do certificate authentication to isakmpd and then
> password authentication to npppd that is running on an internal
> IP. Is this ever going to be possible?
Sorry, I'm not sure.
--yasuoka
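
One way to write the pf rules referred to above, as an added example that is not part of the original message. It assumes the Internet-facing interface is in the `egress` group and that IPsec-decapsulated packets are seen by pf on `enc0`, as described in enc(4).

```conf
# pf.conf fragment (added example; interface names are assumptions)

# IKE, NAT-T and ESP from the Internet, so the IPsec SA can be set up.
pass in on egress proto udp to (egress) port { 500, 4500 }
pass in on egress proto esp to (egress)

# L2TP that arrives directly on the outside interface was never
# protected by IPsec: drop and log it. "quick" stops any later,
# broader pass rule from overriding this block.
block in log quick on egress proto udp to port 1701

# After decapsulation the same packet is filtered again on enc0.
# Only there may L2TP reach npppd; if-bound keeps the state from
# matching the flow on any other interface.
pass in on enc0 proto udp to port 1701 keep state (if-bound)
```

With these rules npppd's password authentication is only reachable by peers that have already completed IKE authentication, so a dictionary attack has to get past IPsec first.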