[pptp-server] PPTP and NAT?

Patrick Reid P.J.Reid at earthling.net
Tue Jul 18 09:04:59 CDT 2000


OK, if I understand correctly, I don't think you need the PPTP masquerading
patch; that would be used if you have a Linux gateway (instead of the Cisco)
with a PPTP server masqueraded. You will have to find out if the Cisco
router will allow PPTP connections through it. It probably can be configured
that way. The routing rules for the client need to be complicated, as it
seems that the Cisco is the gateway for all of the other machines. It would
have to route all traffic requests for the VPN subnet to your Linux box,
which would have the defaultroute option enabled in its ppp options file. I
think that would get traffic to your VPN when needed and otherwise just onto
the Internet.

Your Linux box should give out remote addresses also on your network and use
proxyarp to bring the client's network "into" your existing one.

I think you can deal with the web page issue by only running your web server
on your external interface and having the client connect to a domain name
which corresponds to same.

Patrick Reid - mailto:PReid at candesco.com
Candesco Research Corp.
Communication Centre: <http://www.mirabilis.com/1052176>


-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Eric H. Raskin
Sent: July 18, 2000 9:56 AM
To: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] PPTP and NAT?


Patrick:

Very interesting.  Their current setup is a T1 connected to a Cisco router
running NAT and packet filtering.  They have a DHCP server giving out
internal IP addresses.  I think I've figured out the configuration.  Do I
have it right?

Client End:  Linux box with internal and external NICs.  Routing rules in
the Linux box to forward all traffic coming in on the internal NIC to my
PPTP server over the PPTP/PPP interface and out the external NIC.
Masquerading turned on with the "PPTP Patch" so that PPTP connections are
masqueraded as well (btw, where is the patch located?).  A routing table
entry is made on the Cisco sending anyone asking for my PPTP server address
to the Linux gateway box, which will route the traffic.

My End:  My Linux box running PPTP server.  PPTP server gives out remote
addresses on a made-up sub-net and local addresses on my network.

Questions:
1)  Did I get it?  If not, please tell me how to configure...
2)  Does this mean I need a separate virtual IP address for my PPTP server
on my Linux box?  I'm worried about clients trying to access my web site --
which does not require a PPTP link.  I guess there's no reason why all their
traffic can't come over the PPTP link, other than performance...  Any
comments?


> -----Original Message-----
> From: Patrick Reid [mailto:P.J.Reid at earthling.net]
> Sent: Tuesday, July 18, 2000 8:34 AM
> To: eraskin at paslists.com.paslists.com; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] PPTP and NAT?
>
>
> There is another option:
>
> Install the PPTP client on a Linux gateway/firewall; have it establish a
> VPN connection with appropriate routing; the customer can then just use
> the Linux box as the gateway.
>
> Patrick Reid - mailto:PReid at candesco.com
> Candesco Research Corp.
> Communication Centre: <http://www.mirabilis.com/1052176>
>
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Eric
> H. Raskin
> Sent: July 18, 2000 9:21 AM
> To: pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] PPTP and NAT?
>
>
> Stefan:
>
> Can you tell me more about your first option?  I'm using a linux firewall
> (2.2.16 Kernel with masquerading/firewalling rules), but I don't see how
> patching my firewall will fix the GRE routing problem at the remote site.
> The packets from the different remote clients will still come in with the
> same IP address, right?
>
> Your second option works, but doesn't scale very well. When my remote
> customer gets up to wanting 10 or 20 clients, I'm in big trouble! :-)
>
> As for the third option, where can I read more about it?  I've never even
> heard of 'PNS'.
>
>   Eric
>
> ---------------------------------------------------------------------
> Eric H. Raskin                                 eraskin at paslists.com
> Professional Advertising Systems Inc.          Voice: 914-741-1100
> 70 Memorial Plaza                              Fax:   914-741-2788
> Pleasantville, NY 10570
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of
> > Strehle Stefan
> > Sent: Tuesday, July 18, 2000 4:52 AM
> > To: pptp-server at lists.schulte.org
> > Subject: AW: [pptp-server] PPTP and NAT?
> >
> >
> > You have three options:
> > -You install a linux firewall with support of masquerading pptp clients
> > (john harding patch...)
> > -You have two IP addresses for your server, and you have two different
> > pptp instances running on these two interfaces. Therefore the GRE
> > routing problem is fixed, because the two clients do not connect at the
> > same IP address anymore.
> > -You wait until a proper PNS mode implementation is applied in the pptp
> > code.
> >
> > Stefan
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
>

_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!
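
Added example, not part of any message in this thread: a simplified model of the "GRE routing problem" discussed above, showing why two clients behind one NAT address collide when they reach the same PPTP server address and why one server address per client removes the collision but does not scale. The gateway class, its lookup key and all addresses are constructed assumptions, not code from any masquerading patch.

```python
from collections import defaultdict

GRE = 47  # IP protocol number of GRE, which carries the PPTP tunnel data


class PlainMasqGateway:
    """Assumed model of a masquerading gateway with no PPTP-aware patch.

    GRE has no port numbers, so this model can only match returning
    packets on (protocol, remote server address)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.gre_flows = defaultdict(list)  # (proto, server) -> inside hosts

    def outbound(self, client_ip, server_ip):
        """Record an outgoing GRE flow; return the (src, dst) the server sees."""
        clients = self.gre_flows[(GRE, server_ip)]
        if client_ip not in clients:
            clients.append(client_ip)
        return (self.public_ip, server_ip)

    def inbound_candidates(self, server_ip):
        """Inside hosts a returning GRE packet from server_ip could belong to."""
        return list(self.gre_flows.get((GRE, server_ip), []))


def ambiguous_servers(gateway):
    """Server addresses whose return GRE traffic cannot be demultiplexed."""
    return sorted(s for (_, s), c in gateway.gre_flows.items() if len(c) > 1)


def simulate(assignments, public_ip="203.0.113.1"):
    """assignments: (inside client, server address) pairs, all constructed."""
    gw = PlainMasqGateway(public_ip)
    seen_by_server = {gw.outbound(c, s) for c, s in assignments}
    return gw, seen_by_server


if __name__ == "__main__":
    cases = {
        "one server address": [("192.168.1.10", "198.51.100.5"),
                               ("192.168.1.11", "198.51.100.5")],
        "two server addresses": [("192.168.1.10", "198.51.100.5"),
                                 ("192.168.1.11", "198.51.100.6")],
    }
    for name, assignments in cases.items():
        gw, seen = simulate(assignments)
        print(name, "| server sees:", sorted(seen),
              "| ambiguous:", ambiguous_servers(gw))
```
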



