[pptp-server] Help with configuration!

Chris Williams willic2 at mail.auburn.edu
Wed Feb 9 13:46:41 CST 2000


The way we are set up is like this:

 -----------    -------------   --------   -------    --------------
 | large   |    |           |   |      |   |     |    |            |
 | campus  |----| firewall  |---| 'net |---| ISP |----| win client |
 | network |    |           |   |      |   |     |    |            |
 -----------    -------------   --------   -------    --------------

The PPTP server is actually within the large campus network with the ports
opened at the firewall to let the PPTP traffic through.

This allows the client to dial into his ISP then start the VPN session.  I
thought that this would mean that the windows machine would only route
tcp/ip packets to/through the poptop server running inside the campus
network.

If I'm wrong then the client will route packets through the internet OR the
pptp server, whichever it thinks it needs to, right?  If this is the case,
what's the point of getting encryption working?  Why wouldn't the client
trying to access a web site like netscape.com send those packets through the
pptp server then they would be routed to the netscape server off campus?
This way, the client will have a secure connection and be (in effect) behind
a firewall.

Another big question:  If I'm wrong and the above is true about the routing,
how in the heck can I test this setup?  If I go to the engineering web page,
there are 2 different versions: one for people from off campus and one for
people on campus.  When we set up the VPN adapter and try to go to the
engineering web page, we get the off campus one.

Do you understand my problem here?  Maybe you can clear up my incorrect
assumptions.

Meanwhile, I'm still waiting on the list mom to either accept or decline my
message with the logs attached.

> On Wed, 9 Feb 2000, Chris Williams wrote:
> 
>> I'm waiting on the list-mom to approve my post that has those 2 files in
>> it.
>> 
>> What we are trying to do is set up a VPN so that the client can access the
>> LAN machines within the firewall.
>> 
>> Our impression about how the VPN works is that the client will appear
>> (as far as tcp/ip is concerned) as he is on the LAN...  What's the point
>> of setting up a VPN without encryption if the traffic from the client goes
>> over the net anyway?  I thought that even traffic destined for some site
>> not on our LAN would still go through our LAN after the VPN was setup and
>> through our internet gateway...
>> 
>> Please correct me if I'm wrong...
> 
> Chris,
> 
> I think you may have made some incorrect assumptions about how PPTP/VPN
> works. I'll detail how I've used it (which is similar to what you are
> planning on, I think):
> 
> Here's the "typical" network setup that I've used pptp with:
> 
> -----------      -----------------       --------      --------------
> | win lan |------| masq firewall |-------| 'net |------| win client |
> -----------      -----------------       --------      --------------
> 
> Let's assume the following IP Addresses:
> 
> Windows Network:    192.168.0.0/24
> Unused IP's:        192.168.0.240-192.168.0.249
> Masq Firewall:      192.168.0.254 & 10.0.0.1
> "Internet":         10.0.0.0/16
> Windows Client:     10.0.1.1
> 
> Here is the PPTPD configuration I would use on the Firewall to make this work:
> 
> pptpd.conf:
> localip 192.168.0.254
> remoteip 192.168.0.240-249
> 
> So, the windows client dials in to the firewall, authenticates itself
> (with the secrets set up in /etc/ppp/chap-secrets), and is given an ip
> address between 192.168.0.240 and 192.168.0.249. You do _not_ give these
> clients real internet ip's; you give them IP's in the private network.
> Routes on the client machine should be configured to use the VPN interface
> to reach the 192.168.0.n network, which is generally done automatically by
> the program making the VPN connection (in this case, dial-up networking.)
> To get encrypted traffic over this stream, you have to recompile your
> kernel ppp modules and your ppp daemon, and configure /etc/ppp/options
> differently.
> 
> Hope this helps you; I could also be totally wrong about what you are
> trying to do. Maybe when your files come through I'll be able to tell
> better..
> 
> -- 
> Nate Carlson <carlson at real-time.com>    | Phone : (612)943-8700
> http://www.real-time.com                | Fax   : (612)943-8500
> 
> 
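As an added illustration of the routing point made in the reply (this is not code from the thread or from pptpd itself): the Python below parses the remoteip range syntax from the quoted pptpd.conf and simulates the client's route lookup, where only the 192.168.0.0/24 prefix rides the VPN adapter and every other destination, netscape.com included, leaves via the ISP link. The interface names, the constructed 10.0.5.5 off-campus host and the full-tunnel variant are assumptions.

```python
import ipaddress

# Constructed pptpd.conf fragment using the values from the reply above.
PPTPD_CONF = "localip 192.168.0.254\nremoteip 192.168.0.240-249\n"

def parse_pptpd_conf(text):
    """Return {option: value} for the 'option value' lines of a pptpd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def expand_remoteip(spec):
    """Expand pptpd's remoteip syntax: comma-separated entries where
    'A.B.C.X-Y' abbreviates last-octet range X..Y and 'A.B.C.X-D.E.F.Y' is explicit."""
    addrs = []
    for item in spec.split(","):
        first, _, last = item.strip().partition("-")
        start = ipaddress.IPv4Address(first)
        if not last:
            end = start
        elif "." in last:
            end = ipaddress.IPv4Address(last)
        else:
            end = ipaddress.IPv4Address(first.rsplit(".", 1)[0] + "." + last)
        addrs.extend(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
    return addrs

def client_routes(pptp_server_ip, full_tunnel=False):
    """Hypothetical route table of the Windows client once the VPN adapter is up.
    Split tunnel (what the reply describes): only 192.168.0.0/24 rides the VPN.
    Full tunnel (assumed variant): the default route moves to the VPN, but a host
    route keeps the PPTP server reachable via the ISP so the tunnel never carries
    its own encapsulated packets."""
    return [("192.168.0.0/24", "vpn"),
            (pptp_server_ip + "/32", "isp"),
            ("0.0.0.0/0", "vpn" if full_tunnel else "isp")]

def next_hop(dest, routes):
    """Longest-prefix match: the interface that carries a packet for dest."""
    dest, best = ipaddress.IPv4Address(dest), None
    for net, iface in routes:
        net = ipaddress.IPv4Network(net)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None
```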