I think the warning below from Best Practices Analyzer (BPA) says it all. This only appeared when we had to make provision for Virgin's Superhub 3. Rightly or wrongly, I refuse to ignore security warnings.
Many may say, "But it's just a warning!". My response is usually to ask if they also ignore a low fuel warning when in the outside lane of the M1 during the rush hour with the whole family in the car?
Title: RRAS: Use authentication protocols that are considered more secure than PAP, CHAP, or MS-CHAPv2
Date: 18/08/2017 16:11:47
Problem: The RRAS server is configured to accept remote access connections that are not authenticated, or that are authenticated with an authentication protocol that is no longer considered secure.
Impact: PAP and CHAP are no longer considered secure for protecting sensitive data. MS-CHAP v2 is better than PAP or CHAP, but we recommend EAP or computer certificates.
Resolution Use 'Routing and Remote Access' in Server Manager to select a secure authentication method on the Routing and Remote Access Properties page.
Ah, so you are saying that you would prefer to use L2TP and MSCHAPv2, but can't, so have to use PAP or CHAP?
Does that mean you are successfully using L2TP with PAP or CHAP through the superhub or are you using something else altogether? If it is L2TP, doesn't that mean the superhub lets through L2TP with PAP or CHAP, but not with MSCHAPv2.
Perhaps you have misread or misunderstood the Server's warning which I quoted earlier? It says:
"Use authentication protocols that are considered more secure than PAP, CHAP, or MS-CHAPv2"
L2TP/IPsec is considered a more secure protocol, but the Superhub 3 does not support it as it stands.
If you look back through this thread, you will see that while there is a workaround, it means spending money on additional equipment. You will also see at least one list member who would have to fork out a small fortune to have his external users with Virgin access his Servers.
I just wanted you to know this has been passed to our firmware team who are currently investigating. We have passed on a link to this thread, I appreciate that you have kindly already posted information to help diagnose the problem but anything else you can all think of to help, setups protocols etc will be most welcome.