[pptp-server] Poptop and port 47

Cowles, Steve Steve.Cowles at gte.net
Thu Aug 31 21:43:41 CDT 2000


I don't consider myself an expert on this subject, but both protocol (not
port) 47 and port 1723 are needed to establish a PPTP/PPP VPN. The reasons
are explained below. See the cut/paste from Microsoft's WEB site.

Hopefully, the following scenarios might help some of you to understand what
exactly needs to be done (configuration wise) based on your particular
network architecture.

Steve Cowles

--------------------------
Common Scenarios
--------------------------
1) If your PPTP/PPP server (not the client initiating the tunnel) is located
behind a firewall, i.e. masq'd PPTP server, then you will also need to
"forward" both proto 47 and port 1723 in addition to ACCEPTing these at
the firewall. In the linux world, this is typically accomplished by using
"ipfwd" for protocols and "ipmasqadm" for ports. You would also need to
apply JHardin's patches to handle the masq'd inbound PPTP connections.

2) If your PPTP/PPP server is running on the firewall itself, i.e. it's not
masq'd, then you only need to ACCEPT proto 47 and port 1723. In this case,
you do NOT need to apply JHardin's patches to the kernel. You're not masqing
the PPTP VPN.

3) If you have a linux based firewall and you are trying to connect to a
PPTP/PPP server located out on the internet (like at work) from a windows
based client behind that firewall, then you will need to ACCEPT proto 47 and
port 1723 on the firewall. You will also need to apply JHardin's patches to
the kernel to handle the masq'd client PPTP connection. In this case, you
would NOT need to use ipfwd or ipmasqadm. Your ipchain MASQ forward rule
handles that.

-----------------------------------
---- From www.microsoft.com -------
-----------------------------------
Packet Filters for PPTP
Configure the following "input" filters with the filter action set to Drop
all packets except those that meet the criteria below:

Destination IP address of the VPN server's Internet interface, subnet mask
of 255.255.255.255, and TCP destination port of 1723 (0x06BB). 
This filter allows PPTP tunnel maintenance traffic from the PPTP client to
the PPTP server.

Destination IP address of the VPN server's Internet interface, subnet mask
of 255.255.255.255, and IP Protocol ID of 47 (0x2F). 
This filter allows PPTP tunneled data from the PPTP client to the PPTP
server.

Destination IP address of the VPN server's Internet interface, subnet mask
of 255.255.255.255, and TCP [established] source port of 1723 (0x06BB). 
This filter is required only if the VPN server is acting as a VPN client (a
calling router) in a router-to-router VPN connection. When you select TCP
[established], traffic is accepted only if the VPN server initiated the TCP
connection.

Configure the following "output" filters with the filter action set to Drop
all packets except those that meet the criteria below:

Source IP address of the VPN server's Internet interface, subnet mask of
255.255.255.255, and TCP source port of 1723 (0x06BB). 
This filter allows PPTP tunnel maintenance traffic from the VPN server to
the VPN client.

Source IP address of the VPN server's Internet interface, subnet mask of
255.255.255.255, and IP Protocol ID of 47 (0x2F). 
This filter allows PPTP tunneled data from the VPN server to the VPN client.

Source IP address of the VPN server's Internet interface, subnet mask of
255.255.255.255, and TCP [established] destination port of 1723 (0x06BB). 
This filter is required only if the VPN server is acting as a VPN client (a
calling router) in a router-to-router VPN connection. When you select TCP
[established], traffic is sent only if the VPN server initiated the TCP
connection.
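As an added example (not part of the post above and not Microsoft's code), the six filters quoted from Microsoft applied to constructed packets, including the "TCP [established]" distinction for the router-to-router case; the server address 198.51.100.10 and the client/peer addresses are constructed placeholders.

```python
from dataclasses import dataclass

PPTP_PORT = 1723             # 0x06BB, TCP control (tunnel maintenance) channel
GRE_PROTO = 47               # 0x2F, IP protocol carrying the tunneled PPP data
TCP_PROTO = 6
VPN_SERVER = "198.51.100.10" # constructed placeholder for the server's Internet interface

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    ack: bool = False  # "TCP [established]" in the quoted filters: ACK bit set

def input_allowed(p, router_to_router=False):
    # Inbound filters; anything not matched is dropped.
    if p.dst != VPN_SERVER:
        return False
    if p.proto == TCP_PROTO and p.dport == PPTP_PORT:
        return True  # tunnel maintenance, client -> server
    if p.proto == GRE_PROTO:
        return True  # tunneled data, client -> server
    if router_to_router and p.proto == TCP_PROTO and p.ack and p.sport == PPTP_PORT:
        return True  # replies to a control connection this server itself opened
    return False

def output_allowed(p, router_to_router=False):
    # Outbound filters, the mirror image of the inbound set.
    if p.src != VPN_SERVER:
        return False
    if p.proto == TCP_PROTO and p.sport == PPTP_PORT:
        return True
    if p.proto == GRE_PROTO:
        return True
    if router_to_router and p.proto == TCP_PROTO and p.ack and p.dport == PPTP_PORT:
        return True
    return False

def classify(packets, direction, router_to_router=False):
    check = input_allowed if direction == "input" else output_allowed
    return ["ACCEPT" if check(p, router_to_router) else "DROP" for p in packets]

# Constructed sample traffic; client (203.0.113.5) and peer (192.0.2.20) are placeholders.
INBOUND = [
    Packet("203.0.113.5", VPN_SERVER, TCP_PROTO, 40000, PPTP_PORT),          # control setup
    Packet("203.0.113.5", VPN_SERVER, GRE_PROTO),                            # PPP data in GRE
    Packet("203.0.113.5", VPN_SERVER, TCP_PROTO, 40001, 80),                 # not PPTP
    Packet("203.0.113.5", "198.51.100.11", GRE_PROTO),                       # wrong interface
    Packet("192.0.2.20", VPN_SERVER, TCP_PROTO, PPTP_PORT, 40002, ack=True), # reply to our call
    Packet("192.0.2.20", VPN_SERVER, TCP_PROTO, PPTP_PORT, 40003),           # bare SYN from 1723
]
```

The last sample shows why the third filter is restricted to established segments: a source port of 1723 alone does not let an outside host open a new connection to the server.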
