Vista - Chap V1 for VPN Connectivity

I understand that MS decided to deprecate Chap V1 on the VPN connectivity
options, and instead provide only Chap V2. So, instead of having two decent
encryption options available for VPN, MS decided to leave two non-encrypted
options, and delete a useful and supported Chap V1 encrypted option.

This severely impacts ANYONE that utilizes Cisco PIX firewalls (we use
several Pix 501 and 506 firewalls), since they are not capable of supporting
Chap V2.

This leaves us with the less than desireable options of using an unencrypted
PAP connection, not connecting at all, or REPLACING all of our PIX firewalls.

FOR GOODNESS SAKES, PLEASE MAKE CHAP V1 AVAILABLE AGAIN IN THE VPN
CONNECTION. WHY WOULD MS MAKE THE DECISION TO REMOVE A FUNCTIONAL ENCRYPTION
STANDARD AND REPLACE IT WITH ONE THAT IS NOT FULLY SUPPORTED?

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://windowshelp.microsoft.com/com...orking_sharing

"Skillmaker" <Skillmaker@discussions.microsoft.com> wrote in message
news:EE04E293-F727-4949-A029-C3DFBEE3D0CF@microsoft.com...
>I understand that MS decided to deprecate Chap V1 on the VPN connectivity
> options, and instead provide only Chap V2. So, instead of having two
> decent
> encryption options available for VPN, MS decided to leave two
> non-encrypted
> options, and delete a useful and supported Chap V1 encrypted option.
>
> This severely impacts ANYONE that utilizes Cisco PIX firewalls (we use
> several Pix 501 and 506 firewalls), since they are not capable of
> supporting
> Chap V2.
>
> This leaves us with the less than desireable options of using an
> unencrypted
> PAP connection, not connecting at all, or REPLACING all of our PIX
> firewalls.
>
> FOR GOODNESS SAKES, PLEASE MAKE CHAP V1 AVAILABLE AGAIN IN THE VPN
> CONNECTION. WHY WOULD MS MAKE THE DECISION TO REMOVE A FUNCTIONAL
> ENCRYPTION
> STANDARD AND REPLACE IT WITH ONE THAT IS NOT FULLY SUPPORTED?
>
> ----------------
> This post is a suggestion for Microsoft, and Microsoft responds to the
> suggestions with the most votes. To vote for this suggestion, click the "I
> Agree" button in the message pane. If you do not see the button, follow
> this
> link to open the suggestion in the Microsoft Web-based Newsreader and then
> click "I Agree" in the message pane.
>
> http://windowshelp.microsoft.com/com...orking_sharing

Have you seen this?

http://support.microsoft.com/kb/926170/en-us

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

Yes, I have seen this. Again, the PIX firewalls do NOT support CHAP, they DO
support MS Chap V1. There are literally 10s of thousands of Cisco PIX
firewalls out there.

I can understand removing features that are no useful, but I cannot
understand removing features that WORK and are SUPPORTED in the industry.

What would be so difficult about putting MS Chap V1 back into the VPN
interface? The 'work arounds' suggested by Microsoft are garbage.

"Sooner Al [MVP]" wrote:

> "Skillmaker" <Skillmaker@discussions.microsoft.com> wrote in message
> news:EE04E293-F727-4949-A029-C3DFBEE3D0CF@microsoft.com...
> >I understand that MS decided to deprecate Chap V1 on the VPN connectivity
> > options, and instead provide only Chap V2. So, instead of having two
> > decent
> > encryption options available for VPN, MS decided to leave two
> > non-encrypted
> > options, and delete a useful and supported Chap V1 encrypted option.
> >
> > This severely impacts ANYONE that utilizes Cisco PIX firewalls (we use
> > several Pix 501 and 506 firewalls), since they are not capable of
> > supporting
> > Chap V2.
> >
> > This leaves us with the less than desireable options of using an
> > unencrypted
> > PAP connection, not connecting at all, or REPLACING all of our PIX
> > firewalls.
> >
> > FOR GOODNESS SAKES, PLEASE MAKE CHAP V1 AVAILABLE AGAIN IN THE VPN
> > CONNECTION. WHY WOULD MS MAKE THE DECISION TO REMOVE A FUNCTIONAL
> > ENCRYPTION
> > STANDARD AND REPLACE IT WITH ONE THAT IS NOT FULLY SUPPORTED?
> >
> > ----------------
> > This post is a suggestion for Microsoft, and Microsoft responds to the
> > suggestions with the most votes. To vote for this suggestion, click the "I
> > Agree" button in the message pane. If you do not see the button, follow
> > this
> > link to open the suggestion in the Microsoft Web-based Newsreader and then
> > click "I Agree" in the message pane.
> >
> > http://windowshelp.microsoft.com/com...orking_sharing
>
> Have you seen this?
>
> http://support.microsoft.com/kb/926170/en-us
>
> --
>
> Al Jarvi (MS-MVP Windows Networking)
>
> Please post *ALL* questions and replies to the news group for the
> mutual benefit of all of us...
> The MS-MVP Program - http://mvp.support.microsoft.com
> This posting is provided "AS IS" with no warranties, and confers no
> rights...
>

I agree here, as we have the exact same problem. I checked with Cisco TAC
and they said since we are doing L2TP over IPSec, that PAP would be OK, since
it is all encrypted by IPSec first. Otherwise, PAP should be banned. It
should have been removed long before MSCHAPv1 was.

Regardless, the article referenced still doesn't address MSCHAPv1. MS needs
to either document a fix or better explain this one.



"Skillmaker" wrote:

Please, this is awful. I have to carry around two laptops - one with XP and
my new one just so we can continue to work on our clients that use Chap V1.
Come on. Get with the program MSFT! Also, how about getting copy / paste /
delete over shared networks working? Perhaps consider not limiting network
bandwidth when streaming?

Embarrassing effort. Would love to send you an invoice for the time and
money wasted on this product.

"Skillmaker" wrote: