[pptp-server] PPTP and NAT?

Eric H. Raskin eraskin at paslists.com
Tue Jul 18 11:43:42 CDT 2000


Patrick:

  Now I'm lost.  So, let's make this slightly more concrete (with made-up IP
addresses):

    My Internal Sub-Net = 192.168.10.x
    My Internal Server = 192.168.10.2

    My PPTP Server IP Address = 200.200.200.1
    My PPTP Server Local IP Addresses = 192.168.10.200-209
    My PPTP Server Remote IP Addresses = 192.168.10.210-219

    My Client's External IP Address = 100.100.100.1
    My Client's Internal Router IP Address = 192.168.1.1
    My Client's Internal IP Sub-Net = 192.168.1.x
    My Client's new Linux Gateway Internal IP = 192.168.1.50
    My Client's new Linux Gateway External IP = 192.168.1.51 (virtual IP
address - same NIC)

  The Linux Gateway's default route is 192.168.1.1.

  When the Linux Gateway boots up, it connects to PPTP server (200.200.200.1).
The Cisco NAT translates it, so all my PPTP server sees is 100.100.100.1.  We
establish a PPTP connection on 192.168.10.200/192.168.10.210 (local/remote).

  Here's where I start to get lost.  The Linux Gateway has to send any traffic
to 192.168.1.1 (the Cisco) in order to get it out of the building.  When the
PPTP connection is established, the default route can't be changed.  How does
this traffic move?

  I'm envisioning the following:

  1)  Someone on 192.168.1.x net tries to access 192.168.10.2 (my Internal
server)
  2)  Cisco box routes that to 192.168.1.50 (Linux Gateway).  Cisco routing
table knows that any packet destined for my Internal sub-net (192.168.10.x) from
the 192.168.1.x sub-net (but not from the Linux Gateway) should be sent to the
Linux Gateway.
  3)  Linux Gateway masquerades the packet.  Now it has 192.168.1.51 as Source
IP.
  4)  Linux Gateway encapsulates the packet then routes it over the PPTP link.
How?
  5)  PPTP packet is now sent back to Cisco box.  What IP address is it sending
to now?
  6)  Cisco NAT's the packet (IP Source is now 100.100.100.1) and sends it to my
PPTP server.  Cisco routing table knows that traffic destined for my PPTP Server
(200.200.200.1) from the Linux Gateway (192.168.1.51) should be routed to the
Internet.
  7)  My PPTP server receives a packet from 100.100.100.1 from the Internet and
handles it.
  8)  Reply data is sent back to 100.100.100.1, where it is de-NAT'd.
  9)  Cisco sends it back to 192.168.1.51.
  10) Linux Gateway un-encapsulates the packet.  How?
  11) Linux Gateway de-masquerades packet and sends it back to client
(192.168.1.x).

  As you can see, there are a few blanks left in the setup.  Can anyone fill
them in (preferably with actual commands/config info)?

  I'm getting totally confused.  Every time I think I have it straight, I lose
it again!
  Is anyone else getting a headache? :-)

     Eric

> -----Original Message-----
> From: Patrick Reid [mailto:P.J.Reid at earthling.net]
> Sent: Tuesday, July 18, 2000 12:00 PM
> To: eraskin at paslists.com.paslists.com
> Subject: RE: [pptp-server] PPTP and NAT?
>
>
> The subnet implied by the local and remote IPs would be the VPN subnet.
>
> You may have a problem with the Cisco router sending all of the data from
> the client's Linux box back to the client's Linux box, if I read what you
> wrote correctly.
>
> Patrick Reid - mailto:PReid at candesco.com
> Candesco Research Corp.
> Communication Centre: <http://www.mirabilis.com/1052176>
>
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Eric
> H. Raskin
> Sent: July 18, 2000 11:48 AM
> To: pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] PPTP and NAT?
>
>
> Patrick:
>
>   So, you're implying that I have to set up a special VPN subnet.  Right
> now, I have a single external IP address (www.paslists.com in DNS land).
> My PPTP server and my web server both listen on that address.  When a PPTP
> connection comes in, they get a local and remote IP for the PPP connection
> and off they go.
>
>   I'm expecting to change the Cisco routing table at the client's site to
> specifically route my external IP address to the Linux gateway box.  Then,
> all traffic destined for me from anywhere inside their network goes to the
> Linux box, which has initiated a PPTP connection to me at boot time.  The
> Linux box then masquerades it, PPTP encapsulates it, and sends it back to
> the Cisco, which NATs it and sends it to me.  The return path goes from my
> PPTP server back to the Cisco, which un-NATs it, then to the Linux box,
> which un-encapsulates it and de-masquerades it, and then back to the
> client.
>
>   This seems like it will work to me, except for anyone trying to hit the
> web server at www.paslists.com.  They will also get PPTP encapsulated.  The
> solution would be to set up a virtual IP address on my system to handle
> the PPTP server (and an appropriate DNS entry, of course).  Then I could
> route the PPTP traffic to the Linux gateway.
>
>   So, have I gotten it straight?  Do I still need a special VPN subnet?
>
>   As for the Cisco, its packet filtering can be opened up to allow GRE
> traffic through.  I found an old usenet article with the commands, so that
> one's solved (I think!).
>
>    Eric
>
>    Eric
>
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Patrick Reid
> > Sent: Tuesday, July 18, 2000 10:05 AM
> > To: eraskin at paslists.com.paslists.com; pptp-server at lists.schulte.org
> > Subject: RE: [pptp-server] PPTP and NAT?
> >
> >
> > OK, if I understand correctly, I don't think you need the PPTP
> > masquerading patch; that would be used if you have a Linux gateway
> > (instead of the Cisco) with a PPTP server masqueraded.  You will have to
> > find out if the Cisco router will allow PPTP connections through it.  It
> > probably can be configured that way.  The routing rules for the client
> > need to be complicated, as it seems that the Cisco is the gateway for all
> > of the other machines.  It would have to route all traffic requests for
> > the VPN subnet to your Linux box, which would have the defaultroute
> > option enabled in its ppp options file.  I think that would get traffic
> > to your VPN when needed and otherwise just onto the Internet.
> >
> > Your Linux box should give out remote addresses also on your network and
> > use proxyarp to bring the client's network "into" your existing one.
> >
> > I think you can deal with the web page issue by only running your web
> > server on your external interface and having the client connect to a
> > domain name which corresponds to same.
> >
> > Patrick Reid - mailto:PReid at candesco.com
> > Candesco Research Corp.
> > Communication Centre: <http://www.mirabilis.com/1052176>
> >
> >
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Eric
> > H. Raskin
> > Sent: July 18, 2000 9:56 AM
> > To: pptp-server at lists.schulte.org
> > Subject: RE: [pptp-server] PPTP and NAT?
> >
> >
> > Patrick:
> >
> > Very interesting.  Their current setup is a T1 connected to a Cisco
> > router running NAT and packet filtering.  They have a DHCP server giving
> > out internal IP addresses.  I think I've figured out the configuration.
> > Do I have it right?
> >
> > Client End:  Linux box with internal and external NICs.  Routing rules in
> > the Linux box to forward all traffic coming in on the internal NIC to my
> > PPTP server over the PPTP/PPP interface and out the external NIC.
> > Masquerading turned on with the "PPTP Patch" so that PPTP connections
> > are masqueraded as well (btw, where is the patch located?).  A routing
> > table entry is made on the Cisco sending anyone asking for my PPTP
> > server address to the Linux gateway box, which will route the traffic.
> >
> > My End:  My Linux box running PPTP server.  PPTP server gives out remote
> > addresses on a made-up sub-net and local addresses on my network.
> >
> > Questions:
> > 1)  Did I get it?  If not, please tell me how to configure...
> > 2)  Does this mean I need a separate virtual IP address for my PPTP
> > server on my Linux box?  I'm worried about clients trying to access my
> > web site -- which does not require a PPTP link.  I guess there's no
> > reason why all their traffic can't come over the PPTP link, other than
> > performance...  Any comments?
> >
> >
> > > -----Original Message-----
> > > From: Patrick Reid [mailto:P.J.Reid at earthling.net]
> > > Sent: Tuesday, July 18, 2000 8:34 AM
> > > To: eraskin at paslists.com.paslists.com; pptp-server at lists.schulte.org
> > > Subject: RE: [pptp-server] PPTP and NAT?
> > >
> > >
> > > There is another option:
> > >
> > > Install the PPTP client on a Linux gateway/firewall; have it establish
> > > a VPN connection with appropriate routing; the customer can then just
> > > use the Linux box as the gateway.
> > >
> > > Patrick Reid - mailto:PReid at candesco.com
> > > Candesco Research Corp.
> > > Communication Centre: <http://www.mirabilis.com/1052176>
> > >
> > >
> > > -----Original Message-----
> > > From: pptp-server-admin at lists.schulte.org
> > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Eric
> > > H. Raskin
> > > Sent: July 18, 2000 9:21 AM
> > > To: pptp-server at lists.schulte.org
> > > Subject: RE: [pptp-server] PPTP and NAT?
> > >
> > >
> > > Stefan:
> > >
> > > Can you tell me more about your first option?  I'm using a linux
> > > firewall (2.2.16 Kernel with masquerading/firewalling rules), but I
> > > don't see how patching my firewall will fix the GRE routing problem at
> > > the remote site.  The packets from the different remote clients will
> > > still come in with the same IP address, right?
> > >
> > > Your second option works, but doesn't scale very well.  When my remote
> > > customer gets up to wanting 10 or 20 clients, I'm in big trouble! :-)
> > >
> > > As for the third option, where can I read more about it?  I've never
> > > even heard of 'PNS'.
> > >
> > >   Eric
> > >
> > >
> > > ---------------------------------------------------------------------
> > > Eric H. Raskin                                 eraskin at paslists.com
> > > Professional Advertising Systems Inc.          Voice: 914-741-1100
> > > 70 Memorial Plaza                              Fax:   914-741-2788
> > > Pleasantville, NY 10570
> > >
> > > > -----Original Message-----
> > > > From: pptp-server-admin at lists.schulte.org
> > > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of
> > > > Strehle Stefan
> > > > Sent: Tuesday, July 18, 2000 4:52 AM
> > > > To: pptp-server at lists.schulte.org
> > > > Subject: AW: [pptp-server] PPTP and NAT?
> > > >
> > > >
> > > > You have three options:
> > > > -You install a linux firewall with support of masquerading pptp
> > > > clients (john harding patch...)
> > > > -You have two IP addresses for your server, and you have two
> > > > different pptp instances running on these two interfaces.  Therefore
> > > > the GRE routing problem is fixed, because the two clients do not
> > > > connect at the same IP address anymore.
> > > > -You wait until a proper PNS mode implementation is applied in the
> > > > pptp code.
> > > >
> > > > Stefan
> > > > _______________________________________________
> > > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > List services provided by www.schulteconsulting.com!
>
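The three "How?" blanks in the step list at the top of the message (step 4: how the Linux gateway gets the packet onto the PPTP link; step 5: what address the encapsulated packet is sent to; step 10: how it gets un-encapsulated) come down to routing, and the script below is an added example of the routing and masquerading configuration on the client-side Linux gateway. It is not code from anyone in the thread. The addresses are the made-up ones from the message; the CHAP login name, the pppd peer name "paslists" and the use of a 2.2 kernel with ipchains and the pptp-linux client are assumptions. One caveat a practitioner would want: MASQ rewrites the source to the address of the outgoing interface, so the masqueraded packets leave with ppp0's local address (192.168.10.210), not 192.168.1.51, and that is exactly the address the server side can reach through proxyarp.

```shell
#!/bin/sh
# Added example, not from the thread: what the client-side Linux gateway
# (2.2 kernel, ipchains, pptp-linux client) needs so that hosts on
# 192.168.1.x reach 192.168.10.x through the PPTP tunnel while the box
# keeps 192.168.1.1 (the Cisco) as its default route. Addresses are the
# made-up ones from the message; PPTP_USER, the peer name "paslists" and
# the interface names are assumptions.

PPTP_SERVER=200.200.200.1            # public address of the PPTP server
PPTP_USER=${PPTP_USER:-gateway}      # assumed CHAP login; secret in /etc/ppp/chap-secrets
CISCO=192.168.1.1                    # client's Cisco: default route and NAT box
LINUX_GW=192.168.1.50                # Linux gateway, as the Cisco sees it
CLIENT_LAN=192.168.1.0/24            # client's internal network
REMOTE_NET=192.168.10.0              # Eric's internal network, reached over ppp0
REMOTE_MASK=255.255.255.0

# Boot-time commands for the Linux gateway. The default route is left alone
# (no "defaultroute" for pppd): the control connection (TCP 1723) and the
# GRE packets carrying the tunnel are addressed to $PPTP_SERVER, so the
# existing default route already hands them to the Cisco. The host route
# only pins that down so nothing added later can pull tunnel packets into
# the tunnel.
gateway_commands() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
route add -host $PPTP_SERVER gw $CISCO
pptp $PPTP_SERVER name $PPTP_USER remotename paslists
EOF
}

# Contents of /etc/ppp/ip-up, which pppd runs once the link is up with the
# interface name as $1 (ppp0) and the local/remote addresses as $4/$5
# (192.168.10.210/192.168.10.200 in the message). Only now is a route over
# the tunnel valid, so it is added here rather than at boot. MASQ rewrites
# the source to the outgoing interface's address, i.e. ppp0's local address.
ip_up_script() {
    cat <<EOF
#!/bin/sh
route add -net $REMOTE_NET netmask $REMOTE_MASK dev \$1
ipchains -A forward -i \$1 -s $CLIENT_LAN -d $REMOTE_NET/24 -j MASQ
EOF
}

# Cisco side: send traffic for Eric's network to the Linux gateway. Nothing
# else changes, so the gateway's own GRE/1723 packets to $PPTP_SERVER still
# take the default route out to the Internet instead of looping back.
cisco_commands() {
    cat <<EOF
ip route $REMOTE_NET $REMOTE_MASK $LINUX_GW
EOF
}

# Execute on the gateway (needs root). Run with GATEWAY_APPLY=1; otherwise
# the commands are only printed for review.
apply_gateway() {
    ip_up_script > /etc/ppp/ip-up && chmod 755 /etc/ppp/ip-up
    gateway_commands | sh -e
}

if [ "${GATEWAY_APPLY:-0}" = 1 ]; then
    apply_gateway
else
    echo "# Linux gateway (boot):"; gateway_commands
    echo "# /etc/ppp/ip-up:";       ip_up_script
    echo "# Cisco:";                cisco_commands
fi
```

With this in place the blanks fill in as follows. Step 4: the inner packet (now sourced from 192.168.10.210 by MASQ) matches the 192.168.10.0/24 route on ppp0, pppd hands it to the pptp client, and the client wraps it in PPP and then GRE with an outer destination of 200.200.200.1. Step 5: that outer packet is sent to 200.200.200.1, which matches only the host route/default route, so it goes to the Cisco at 192.168.1.1 and is NATed to 100.100.100.1 on the way out. Step 10: GRE packets arriving from 200.200.200.1 are read by the pptp client, which unwraps them and feeds the PPP frames to pppd; pppd delivers the inner packet on ppp0, and the masquerade table then reverses step 3. To check it after the link comes up: `route -n` should show the 192.168.10.0 entry on ppp0 and the host route via 192.168.1.1, `ipchains -L forward -n` the MASQ rule, and `ipchains -M -L -n` the live masquerade entries while a 192.168.1.x host pings 192.168.10.2. This assumes the Cisco passes GRE (IP protocol 47) both ways, which the message says is already handled; the "same IP address" problem raised earlier in the thread comes back the moment a second PPTP client at the site shares 100.100.100.1, so keep it to this one gateway.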



