[pptp-server] PPTP and NAT?

Eric H. Raskin eraskin at paslists.com
Tue Jul 18 09:47:52 CDT 2000


Patrick:

  So, you're implying that I have to set up a special VPN subnet.  Right now, I
have a single external IP address (www.paslists.com in DNS land).  My PPTP
server and my web server both listen on that address.  When a PPTP connection
comes in, they get a local and remote IP for the PPP connection and off they go.

  I'm expecting to change the Cisco routing table at the client's site to
specifically route my external IP address to the Linux gateway box.  Then, all
traffic destined for me from anywhere inside their network goes to the Linux
box, which has initiated a PPTP connection to me at boot time.  The Linux box
then masquerades it, PPTP encapsulates it, and sends it back to the Cisco, which
NATs it and sends it to me.  The return path goes from my PPTP server back to
the Cisco, which un-NATs it, then to the Linux box, which un-encapsulates it and
de-masquerades it, and then back to the client.

  This seems like it will work to me, except for anyone trying to hit the web
server at www.paslists.com. They will also get PPTP encapsulated.  The solution
would be to set up a virtual IP address on my system to handle the PPTP server
(and an appropriate DNS entry, of course).  Then I could route the PPTP traffic
to the Linux gateway.

  So, have I gotten it straight?  Do I still need a special VPN subnet?

  As for the Cisco, its packet filtering can be opened up to allow GRE traffic
through.  I found an old usenet article with the commands, so that one's solved
(I think!).

   Eric


> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Patrick Reid
> Sent: Tuesday, July 18, 2000 10:05 AM
> To: eraskin at paslists.com.paslists.com; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] PPTP and NAT?
>
>
> OK, if I understand correctly, I don't think you need the PPTP masquerading
> patch; that would be used if you have a Linux gateway (instead of the Cisco)
> with a PPTP server masqueraded. You will have to find out if the Cisco
> router will allow PPTP connections through it. It probably can be configured
> that way. The routing rules for the client need to be complicated, as it
> seems that the Cisco is the gateway for all of the other machines. It would
> have to route all traffic requests for the VPN subnet to your Linux box,
> which would have the defaultroute option enabled in its ppp options file. I
> think that would get traffic to your VPN when needed and otherwise just onto
> the Internet.
>
> Your Linux box should give out remote addresses also on your network and use
> proxyarp to bring the client's network "into" your existing one.
>
> I think you can deal with the web page issue by only running your web server
> on your external interface and having the client connect to a domain name
> which corresponds to same.
>
> Patrick Reid - mailto:PReid at candesco.com
> Candesco Research Corp.
> Communication Centre: <http://www.mirabilis.com/1052176>
>
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Eric
> H. Raskin
> Sent: July 18, 2000 9:56 AM
> To: pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] PPTP and NAT?
>
>
> Patrick:
>
> Very interesting.  Their current setup is a T1 connected to a Cisco router
> running NAT and packet filtering.  They have a DHCP server giving out internal
> IP addresses.  I think I've figured out the configuration.  Do I have it
> right?
>
> Client End:  Linux box with internal and external NICs.  Routing rules in the
> Linux box to forward all traffic coming in on the internal NIC to my PPTP server
> over the PPTP/PPP interface and out the external NIC.  Masquerading turned on
> with the "PPTP Patch" so that PPTP connections are masqueraded as well (btw,
> where is the patch located?).  A routing table entry is made on the Cisco
> sending anyone asking for my PPTP server address to the Linux gateway box, which
> will route the traffic.
>
> My End:  My Linux box running PPTP server.  PPTP server gives out remote
> addresses on a made-up sub-net and local addresses on my network.
>
> Questions:
> 1)  Did I get it?  If not, please tell me how to configure...
> 2)  Does this mean I need a separate virtual IP address for my PPTP server on my
> Linux box?  I'm worried about clients trying to access my web site -- which does
> not require a PPTP link.  I guess there's no reason why all their traffic can't
> come over the PPTP link, other than performance...  Any comments?
>
>
> > -----Original Message-----
> > From: Patrick Reid [mailto:P.J.Reid at earthling.net]
> > Sent: Tuesday, July 18, 2000 8:34 AM
> > To: eraskin at paslists.com.paslists.com; pptp-server at lists.schulte.org
> > Subject: RE: [pptp-server] PPTP and NAT?
> >
> >
> > There is another option:
> >
> > Install the PPTP client on a Linux gateway/firewall; have it establish a VPN
> > connection with appropriate routing; the customer can then just use the
> > Linux box as the gateway.
> >
> > Patrick Reid - mailto:PReid at candesco.com
> > Candesco Research Corp.
> > Communication Centre: <http://www.mirabilis.com/1052176>
> >
> >
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Eric
> > H. Raskin
> > Sent: July 18, 2000 9:21 AM
> > To: pptp-server at lists.schulte.org
> > Subject: RE: [pptp-server] PPTP and NAT?
> >
> >
> > Stefan:
> >
> > Can you tell me more about your first option?  I'm using a linux firewall
> > (2.2.16 Kernel with masquerading/firewalling rules), but I don't see how
> > patching my firewall will fix the GRE routing problem at the remote site.  The
> > packets from the different remote clients will still come in with the same IP
> > address, right?
> >
> > Your second option works, but doesn't scale very well. When my remote customer
> > gets up to wanting 10 or 20 clients, I'm in big trouble! :-)
> >
> > As for the third option, where can I read more about it?  I've never even heard
> > of 'PNS'.
> >
> >   Eric
> >
> >
> > ---------------------------------------------------------------------
> > Eric H. Raskin                                 eraskin at paslists.com
> > Professional Advertising Systems Inc.          Voice: 914-741-1100
> > 70 Memorial Plaza                              Fax:   914-741-2788
> > Pleasantville, NY 10570
> >
> > > -----Original Message-----
> > > From: pptp-server-admin at lists.schulte.org
> > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of
> > > Strehle Stefan
> > > Sent: Tuesday, July 18, 2000 4:52 AM
> > > To: pptp-server at lists.schulte.org
> > > Subject: AW: [pptp-server] PPTP and NAT?
> > >
> > >
> > > You have three options:
> > > -You install a linux firewall with support of masquerading pptp clients (john
> > > harding patch...)
> > > -You have two IP addresses for your server, and you have two different pptp
> > > instances running on these two interfaces. Therefore the GRE routing problem
> > > is fixed, because the two clients do not connect at the same IP address
> > > anymore.
> > > -You wait until a proper PNS mode implementation is applied in the pptp code.
> > >
> > > Stefan
> > > _______________________________________________
> > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > List services provided by www.schulteconsulting.com!

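An added illustration of the "GRE routing problem" discussed in this thread (not code from any poster or from the masquerading patch they mention): PPTP data travels in enhanced GRE, which has no ports, so a NAT device can only tell tunnels to the same server apart by the Call ID in the GRE header. The header layout follows RFC 2637; the `NatTable` class, addresses and Call IDs are hypothetical, constructed for the example.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)

def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse the enhanced GRE header (IP protocol 47) that carries PPTP data."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    # K bit (key present) must be set, version must be 1.
    if not b0 & 0x20 or (b1 & 0x07) != 1 or proto != PPTP_GRE_PROTO:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if b0 & 0x10:  # S bit: sequence number follows
        (seq,) = struct.unpack_from("!I", pkt, off)
        off += 4
    if b1 & 0x80:  # A bit: acknowledgment number follows
        (ack,) = struct.unpack_from("!I", pkt, off)
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "payload": pkt[off:off + plen]}

def build_gre(call_id: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed sample data packet (S bit set, no ack)."""
    return struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_PROTO,
                       len(payload), call_id, seq) + payload

class NatTable:
    """Hypothetical, simplified NAT state for inbound GRE (not real patch code)."""
    def __init__(self, use_call_id: bool):
        self.use_call_id = use_call_id
        self.table = {}
    def _key(self, server, call_id):
        return (server, call_id) if self.use_call_id else server
    def outbound(self, inside_host, server, call_id):
        # call_id: the client's Call ID, learned from the TCP 1723 control channel
        self.table[self._key(server, call_id)] = inside_host
    def inbound(self, server, pkt):
        return self.table.get(self._key(server, parse_pptp_gre(pkt)["call_id"]))

def demo():
    server = "203.0.113.10"  # constructed addresses and Call IDs
    clients = {"192.168.1.10": 0x1111, "192.168.1.11": 0x2222}
    naive, aware = NatTable(False), NatTable(True)
    for host, cid in clients.items():
        naive.outbound(host, server, cid)
        aware.outbound(host, server, cid)
    reply = build_gre(0x1111, 1, b"\xff\x03\xc0\x21")  # server -> first client
    return naive.inbound(server, reply), aware.inbound(server, reply)
```

The table keyed only on the server address hands the first client's reply to the second client; keying on the Call ID keeps the tunnels apart. Two inside clients can also pick the same Call ID, so a real NAT implementation has to translate Call IDs as well, which this model leaves out.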


