[pptp-server] Poptop and port 47

S.Ecker emmet___ at yahoo.com
Fri Sep 1 02:16:43 CDT 2000


If you look a little closer it says 'proto 47', not
port 47.  If you want to know what port 47 is, check
out
http://www.normos.org/en/lists/iana/port-numbers-0.html,
but to save you the trip it's NI-FTP.  If you have a
flowpoint router for instance you need to issue the
following command:

remote addserver 12.34.56.78 47 all internet
47 is the protocol # for GRE


--- "Cowles, Steve" <Steve.Cowles at gte.net> wrote:
> I don't consider myself an expert on this subject,
> but both protocol (not
> port) 47 and port 1723 are needed to establish a
> PPTP/PPP VPN. The reasons
> are explained below. See the cut/paste from
> Microsoft's WEB site.
> 
> Hopefully, the following scenarios might help some
> of you to understand what
> exactly needs to be done (configuration wise) based
> on your particular
> network architecture.
> 
> Steve Cowles
> 
> --------------------------
> Common Scenarios
> --------------------------
> 1) If your PPTP/PPP server (not the client
> initiating the tunnel) is located
> behind a firewall, i.e. masq'd PPTP server, then you
> will also need to
> "forward" both proto 47 and port 1723 in
> addition to ACCEPTing these at
> the firewall. In the linux world, this is typically 
> accomplished by using
> "ipfwd" for protocols and "ipmasqadm" for ports. You
> would also need to
> apply JHardin's patches to handle the masq'd inbound
> PPTP connections.
> 
> 2) If your PPTP/PPP server is running on the
> firewall itself, i.e. it's not
> masq'd, then you only need to ACCEPT proto 47 and
> port 1723. In this case,
> you do NOT need to apply JHardin's patches to the
> kernel. You're not masqing
> the PPTP VPN.
> 
> 3) If you have a linux based firewall and you are
> trying to connect to a
> PPTP/PPP server located out on the internet (like at
> work) from a windows
> based client behind that firewall, then you will
> need to ACCEPT proto 47 and
> port 1723 on the firewall. You will also need to
> apply JHardin's patches to
> the kernel to handle the masq'd client PPTP
> connection. In this case, you
> would NOT need to use ipfwd or ipmasqadm. Your
> ipchain MASQ forward rule
> handles that.
> 
> -----------------------------------
> ---- From www.microsoft.com -------
> -----------------------------------
> Packet Filters for PPTP
> Configure the following "input" filters with the
> filter action set to Drop
> all packets except those that meet the criteria
> below:
> 
> Destination IP address of the VPN server's Internet
> interface, subnet mask
> of 255.255.255.255, and TCP destination port of 1723
> (0x06BB). 
> This filter allows PPTP tunnel maintenance traffic
> from the PPTP client to
> the PPTP server.
> 
> Destination IP address of the VPN server's Internet
> interface, subnet mask
> of 255.255.255.255, and IP Protocol ID of 47 (0x2F).
> 
> This filter allows PPTP tunneled data from the PPTP
> client to the PPTP
> server.
> 
> Destination IP address of the VPN server's Internet
> interface, subnet mask
> of 255.255.255.255, and TCP [established] source
> port of 1723 (0x06BB). 
> This filter is required only if the VPN server is
> acting as a VPN client (a
> calling router) in a router-to-router VPN
> connection. When you select TCP
> [established], traffic is accepted only if the VPN
> server initiated the TCP
> connection.
> 
> Configure the following "output" filters with the
> filter action set to Drop
> all packets except those that meet the criteria
> below:
> 
> Source IP address of the VPN server's Internet
> interface, subnet mask of
> 255.255.255.255, and TCP source port of 1723
> (0x06BB). 
> This filter allows PPTP tunnel maintenance traffic
> from the VPN server to
> the VPN client.
> 
> Source IP address of the VPN server's Internet
> interface, subnet mask of
> 255.255.255.255, and IP Protocol ID of 47 (0x2F). 
> This filter allows PPTP tunneled data from the VPN
> server to the VPN client.
> 
> Source IP address of the VPN server's Internet
> interface, subnet mask of
> 255.255.255.255, and TCP [established] destination
> port of 1723 (0x06BB). 
> This filter is required only if the VPN server is
> acting as a VPN client (a
> calling router) in a router-to-router VPN
> connection. When you select TCP
> [established], traffic is sent only if the VPN
> server initiated the TCP
> connection.
> 


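Added example, not part of either message or of the quoted Microsoft text: a Python sketch of the two always-required "input" filters, showing that "47" is matched against the IPv4 protocol field while "1723" is matched against the TCP destination port. The client address, the sample packets and all function names are constructed for illustration; the server address is the one reused from the command in the post, and the router-to-router [established] filter is left out.

```python
import socket
import struct

GRE_PROTO = 47    # IP protocol number (IPv4 header byte 9), not a port
TCP_PROTO = 6
PPTP_PORT = 1723  # TCP control channel, 0x06BB

def ipv4(proto, src, dst, payload=b""):
    """Constructed test packet: 20-byte IPv4 header (checksum left at 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport, flags=0x02):
    """Constructed 20-byte TCP header; flags defaults to SYN."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)

def input_filter(packet, server_ip):
    """Apply the two always-required input filters; everything else is dropped."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "DROP", "not IPv4 or truncated header"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "DROP", "bad IPv4 header length"
    if socket.inet_ntoa(packet[16:20]) != server_ip:
        return "DROP", "destination is not the VPN server"
    proto = packet[9]
    if proto == GRE_PROTO:
        return "ACCEPT", "IP protocol 47 (GRE tunneled data)"
    if proto != TCP_PROTO:
        return "DROP", f"IP protocol {proto}"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "DROP", "non-first fragment, no TCP header to match"
    if len(packet) < ihl + 4:
        return "DROP", "truncated TCP header"
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    if dport == PPTP_PORT:
        return "ACCEPT", "TCP destination port 1723 (tunnel maintenance)"
    return "DROP", f"TCP destination port {dport}"

SERVER, CLIENT = "12.34.56.78", "192.0.2.10"  # server from the post; client constructed
SAMPLES = {  # constructed packets, one per case discussed in the thread
    "gre": ipv4(GRE_PROTO, CLIENT, SERVER, b"\x00" * 8),
    "tcp/1723": ipv4(TCP_PROTO, CLIENT, SERVER, tcp(40000, 1723)),
    "tcp/47": ipv4(TCP_PROTO, CLIENT, SERVER, tcp(40000, 47)),
    "udp": ipv4(17, CLIENT, SERVER, b"\x00" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, *input_filter(pkt, SERVER))
```

The "tcp/47" sample is the misconfiguration the thread is about: a rule opening TCP port 47 never matches GRE, because GRE packets carry no port at all.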


