FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP

Patrick Reid P.J.Reid at earthling.net
Wed Sep 6 10:57:59 CDT 2000


This could also be very useful for people who have machines which are behind
a NAT wall which they don't control (like my own high-speed link). My linux
box doesn't know what its IP address is for people out on the internet, and
so it can't authenticate over IPSec, since the protocol requires that both
ends of the link agree on what the IP addresses are. This is not the case
for PPTP.

However, if I already have a PPTP link up and can then run IPSec over it,
this means I could have IPSec encryption, which is generally felt to be
superior to MSChap v2 (even with the patches in place).

Thanks for this info!

Patrick Reid - mailto:PReid at candesco.com
Candesco Research Corp.
Communication Centre: <http://www.mirabilis.com/1052176>


-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Hovell
Sent: September 6, 2000 12:55 AM
To: Justin Kreger; pptp-server at lists.schulte.org
Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP


Hello all --

I solved the problem... IPSec over PPP is possible.  This is just wacky, but
this is what to do:

PGPnet only wants to bind to your "Dial Up Adapter" -- not #2 for VPN
support as one might logically think.  Bind it to "Dial Up" and it works
like a charm.

This might actually be useful to people who aren't allowed to transmit
protocols 50 or 51... since they can tunnel it all over tcp/1723 and still
get IPSec data encryption.

Cheers,
John


John Hovell wrote:

> Justin --
>
> This is because PGPnet sucks so much, that for no discernible reason when I try
> to bind PGPnet to my Ethernet card on one of the machines, I can't get any
> network connectivity.  I have reinstalled the ether card 3 times... and even
> installed the driver files manually by hand.  The card is a 3com PCMCIA 3c574
> Cardbus card.  It works beautifully without PGPnet... The reason I am doing the
> bass-ackwards configuration is because PGPnet will at least bind to the VPN
> dial-up adapter... but that may be just my problem.
>
> Any other ideas?  Thanks for your help...
>
> Cheers,
> John
>
> Justin Kreger wrote:
>
> > Why not set up two linux boxes to do the IPSec?  and just have the windows
> > boxes use pptp so they can browse the remote network if you didn't set up your
> > ipsec wan so it passes the Browser List.
> > -LW
> >
> > -----Original Message-----
> > From: John Hovell [mailto:john.hovell at home.com]
> > Sent: Monday, September 04, 2000 1:58 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] IPSec *over* PPtP
> >
> > Hello all --
> >
> > I have some Win98 boxes that want to do IPSec over their PPTP
> > connection... just transport mode from one computer to another.  The
> > IPSec SA is currently successful (both phase 1 and 2).. everything seems
> > to be set up fine, until I actually try to send data.  If I try to ping
> > the remote VPN client from the IPSec machine on the local lan I get
> > (from tcpdump):
> >
> > 01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76
> > 01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol 50 unreachable
> >
> > If I do the same thing from the remote host I get:
> >
> > 01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request
> >
> > (note the lack of encryption despite the *established* SA...)
> >
> > Do I need to somehow enable protocol 50 (and 51)?? IPchains forward is
> > set up to accept all traffic between these hosts.  There is no
> > masquerading between the two machines.
> >
> > Does anyone know what I am missing?  FYI, I am using PGPnet 6.5.8
> > Personal Privacy (freeware) on both Windows IPSec machines.
> >
> > TiA for any advice or help...
> >
> > Cheers,
> > John
> >
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
>

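The tcpdump excerpts in John's first message show the two symptoms worth watching for when an IPsec SA is up but no data flows: the peer answering an ESP packet (IP protocol 50) with an ICMP "protocol 50 unreachable", and a later ping between the same two hosts leaving in the clear. The script below is an added example, not code from the thread or from PGPnet; it parses the old-style tcpdump lines quoted above (copied here as constructed sample input) and reports both conditions for a set of host pairs that are expected to be protected by IPsec. The `analyze` function, the `Finding` record and the `protected_pairs` parameter are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three tcpdump lines quoted in the thread.
SAMPLE_LINES = [
    "01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76",
    "01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol 50 unreachable",
    "01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request",
]

# IP protocol numbers used by IPsec: 50 is ESP, 51 is AH.
IPSEC_PROTOS = {50: "ESP", 51: "AH"}

# Old tcpdump prefix: "<timestamp> <|> <src> > <dst>: <payload description>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) [<>] (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$"
)
RAW_PROTO_RE = re.compile(r"^ip-proto-(?P<proto>\d+)")
UNREACH_RE = re.compile(r"^icmp: (?P<host>[\d.]+) protocol (?P<proto>\d+) unreachable")
ECHO_RE = re.compile(r"^icmp: echo (request|reply)")


@dataclass
class Finding:
    kind: str      # "ipsec_rejected" or "cleartext_between_peers"
    ts: str
    src: str
    dst: str
    detail: str


def analyze(lines, protected_pairs):
    """Scan tcpdump lines for IPsec delivery failures.

    protected_pairs is a set of frozenset({host_a, host_b}) for host pairs
    that are expected to exchange traffic only inside an IPsec SA.
    Returns (number of ESP/AH packets seen, list of Finding).
    """
    findings = []
    ipsec_seen = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the format we understand
        ts, src, dst, rest = m["ts"], m["src"], m["dst"], m["rest"]

        # An ESP/AH datagram on the wire: the sender is at least encrypting.
        r = RAW_PROTO_RE.match(rest)
        if r and int(r["proto"]) in IPSEC_PROTOS:
            ipsec_seen += 1
            continue

        # ICMP protocol-unreachable for 50/51: the receiver's stack has no
        # handler bound for IPsec on the interface the packet arrived on.
        u = UNREACH_RE.match(rest)
        if u and int(u["proto"]) in IPSEC_PROTOS:
            name = IPSEC_PROTOS[int(u["proto"])]
            findings.append(Finding(
                "ipsec_rejected", ts, src, dst,
                f"{u['host']} rejected {name} (IP protocol {u['proto']})",
            ))
            continue

        # Plain ICMP echo between hosts that should be protected: traffic is
        # bypassing the SA rather than being encrypted by it.
        if ECHO_RE.match(rest) and frozenset((src, dst)) in protected_pairs:
            findings.append(Finding(
                "cleartext_between_peers", ts, src, dst,
                "ICMP echo sent in the clear between hosts expected to use IPsec",
            ))
    return ipsec_seen, findings


if __name__ == "__main__":
    peers = {frozenset(("172.16.0.4", "172.16.0.175"))}
    seen, found = analyze(SAMPLE_LINES, peers)
    print(f"ESP/AH packets seen: {seen}")
    for f in found:
        print(f"{f.ts} {f.kind}: {f.src} -> {f.dst}: {f.detail}")
```

On the thread's capture this reports one ESP packet, one "ipsec_rejected" finding from 172.16.0.175, and one cleartext echo between the two peers, which matches John's diagnosis that the SA was negotiated but ESP was not bound to the interface actually carrying the traffic.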