Advanced PPTP Configuration
PPTP requires little configuration beyond a username and password. The only changes you might make beyond this are to specify the level of encryption and to use an alternate authentication method instead of a password. To configure these features, select Edit Configurations from the Configuration pop-up menu.
In the Configuration dialog box (shown in Figure 2), you can change the name or description of the connection and alter the server address and account name that you use to connect (both of which can also be changed from the main Internet Connect window). You can also choose the authentication method using the appropriate radio buttons, designate an encryption level, and choose and configure VPN on Demand.
Figure 2 PPTP Configuration dialog box
In Mac OS X 10.4 (Tiger), PPTP can be used with one of three authentication methods. The first is a password assigned to your account by the administrator of the VPN server. This is the simplest but least secure solution because your password could be stolen and used by someone else.
The second option is RSA SecurID. Developed by the security company RSA, SecurIDs are physical devices (sometimes called tokens) that are given to VPN users. Every minute, the SecurID displays a new series of numbers. These numbers are generated by an algorithm that is tied to an account on the VPN server. When RSA SecurID is selected, you will be asked to enter an account name but not a password in Internet Connect. When you connect, you will be asked to enter the numbers currently displayed on the SecurID combined with a predefined PIN. This provides a much higher level of security because a remote connection requires all three: the account name, the SecurID token itself, and the PIN.
The third method is a security certificate. Much like the certificates used to establish secure website connections using SSL, VPNs that use security certificates work by installing certificate files on the client computer. These certificate files enable the server to establish the computer as a trusted entity for connection. An account name is also associated with each certificate.
The PPTP protocol supports two levels of encryption (40-bit and 128-bit). By default, Mac OS X will connect using whichever level is supported by the server, choosing 128-bit if it is available. You can use the Encryption pop-up menu to require that 128-bit encryption (which is significantly more secure) be used, though this might create problems with older servers that support only 40-bit encryption. You can also specify the use of no encryption, although this pretty much negates the advantage of using VPN in the first place.
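The Encryption pop-up menu setting determines which MPPE key lengths the client is willing to accept when the link is negotiated. The following Python example, added here and not Apple's code, models that negotiation using the MPPE option bit values from RFC 3078 (the policy names "default", "require-128" and "none" are this example's own labels for the menu choices) to show why the default setting silently falls back to 40-bit against an old server while requiring 128-bit refuses the connection instead.

```python
"""Model of how the Internet Connect encryption setting maps onto MPPE
negotiation.  Added example, not Apple's code: the policy names are
assumptions of this example; the bit values are from RFC 3078."""
import struct

# MPPE "Supported Bits" in CCP configuration option type 18 (RFC 3078)
MPPE_L_40BIT = 0x00000020   # 40-bit session keys
MPPE_S_128BIT = 0x00000040  # 128-bit session keys
CCP_OPT_MPPE = 18

# Policies modelled on the Encryption pop-up menu: the default accepts
# either key length, "require-128" accepts only 128-bit, and "none"
# asks for no MPPE at all.
POLICY_BITS = {
    "default": MPPE_L_40BIT | MPPE_S_128BIT,
    "require-128": MPPE_S_128BIT,
    "none": 0,
}


def encode_mppe_option(bits: int) -> bytes:
    """Build the 6-byte CCP MPPE option: type, length, supported bits."""
    return struct.pack("!BBI", CCP_OPT_MPPE, 6, bits)


def decode_mppe_option(option: bytes) -> int:
    """Parse a CCP MPPE option and return its supported-bits field."""
    opt_type, length, bits = struct.unpack("!BBI", option[:6])
    if opt_type != CCP_OPT_MPPE or length != 6:
        raise ValueError("not an MPPE configuration option")
    return bits


def negotiate(policy: str, server_bits: int):
    """Key length (in bits) the client ends up using, 0 for an
    unencrypted link, or None when the client refuses to connect."""
    client_bits = POLICY_BITS[policy]
    if client_bits == 0:
        return 0  # "none": the tunnel carries traffic in the clear
    common = client_bits & server_bits
    if common & MPPE_S_128BIT:
        return 128  # both sides offer 128-bit, so it is preferred
    if common & MPPE_L_40BIT:
        return 40   # silent downgrade: only possible under "default"
    return None     # no key length in common: connection fails


if __name__ == "__main__":
    # Constructed server offers: a modern server and a 40-bit-only one.
    for policy in POLICY_BITS:
        print(policy, negotiate(policy, MPPE_L_40BIT | MPPE_S_128BIT),
              negotiate(policy, MPPE_L_40BIT))
```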
The final option is to enable VPN on Demand. Ordinarily, you must manually connect to a VPN to access resources located on its network. VPN on Demand allows you to specify network/Internet domains that can only be accessed via a VPN connection and to designate which VPN connection to use if you have multiple connections configured on a Mac. When you attempt to access a website, file server, or other network resource that requires the VPN connection, the Mac will establish it automatically. For nontechnical users, this seems like a nice feature that makes remote access easier, but it also creates a security risk: if the computer is stolen, the thief gains direct access to the secured network without ever having to connect manually.
On the left side of the Configuration dialog box, you will see a Configurations listbox. You can use this listbox to duplicate your first PPTP configuration and use it as a template for additional configurations (which could specify different VPN servers, user accounts, or authentication methods). You can then select which one of them to use from the Configurations pop-up menu in the main Internet Connect window.