[pptp-server] Automatic address translation of GRE

Jan Olav Rolfsnes jor at c2i.net
Fri Sep 22 09:10:48 CDT 2000


Hi all,

Have any of you had problems with dynamic address translation of GRE
packets?
Say that we have the following network:

                 Internet
                    |
                    |  193.160.201.2
               +---------+
               |   fw    |
               +---------+
                    | .1
                    |                        10.0.0.0
      ----------------------------------------------
               |                    |
               | .2                 | .3
          +---------+          +---------+
          |   m1    |          |   m2    |
          +---------+          +---------+

In my network the firewall NATs in dynamic mode and translates the internal
addresses into one public Internet address. That works all right as
long as m1 and m2 use UDP or TCP for Internet services. If m1 makes a TCP
request to an Internet address, the internal address 10.0.0.2 is
translated to the public address 193.160.201.2. At the same time the
firewall changes the source port number of the TCP packet to a unique
port number associated with m1's IP address. When the fw receives the
reply, the fw recognizes the TCP port number, changes the IP address
associated with this port number and replaces the port number with the
original.

So this works fine as long as we use TCP and UDP packets and the
firewall knows what the port number is. But what happens if we want to route
GRE packets over the firewall? It's impossible for the fw to route them
correctly. How can we solve this problem? Is this a disadvantage of
using tunneling protocols like PPTP? Other VPN protocols use UDP as the
tunneling protocol. Maybe that is smarter to use in this case?

Regards,
Jan Olav Rolfsnes
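The situation the post describes, as an added illustration that is not part of the original message: a small model of the firewall's dynamic NAT, using the addresses from the post plus a constructed Internet peer (198.51.100.7, a documentation-range address). TCP replies from one peer to two inside hosts are told apart by the public port the firewall assigned; GRE carries no port, so the same two tunnels collide on the way back.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Addresses from the post: the firewall's public side and the two inside hosts.
PUBLIC_IP = "193.160.201.2"
M1, M2 = "10.0.0.2", "10.0.0.3"
PEER = "198.51.100.7"  # constructed Internet peer (documentation range)

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "gre"
    src: str
    dst: str
    sport: Optional[int] = None  # only TCP/UDP carry ports
    dport: Optional[int] = None

class DynamicNat:
    """Hides every inside host behind PUBLIC_IP, as the firewall in the post does."""
    def __init__(self) -> None:
        self.next_port = 40000
        self.port_map = {}   # (proto, inside ip, inside port) -> public port
        self.port_back = {}  # (proto, public port) -> (inside ip, inside port)
        self.gre_back = {}   # peer ip -> inside ip: the only key plain NAT has for GRE

    def outbound(self, p: Packet) -> Packet:
        if p.proto in ("tcp", "udp"):
            key = (p.proto, p.src, p.sport)
            if key not in self.port_map:  # allocate a unique public port per host/port
                self.port_map[key] = self.next_port
                self.port_back[(p.proto, self.next_port)] = (p.src, p.sport)
                self.next_port += 1
            return replace(p, src=PUBLIC_IP, sport=self.port_map[key])
        # GRE has no port to rewrite: the firewall can only remember "some inside host
        # talks GRE to this peer", and a second host to the same peer overwrites that.
        self.gre_back[p.dst] = p.src
        return replace(p, src=PUBLIC_IP)

    def inbound(self, p: Packet) -> Packet:
        if p.proto in ("tcp", "udp"):
            inside_ip, inside_port = self.port_back[(p.proto, p.dport)]
            return replace(p, dst=inside_ip, dport=inside_port)
        return replace(p, dst=self.gre_back[p.src])

def tcp_demo() -> tuple:
    nat = DynamicNat()
    a = nat.outbound(Packet("tcp", M1, PEER, 1025, 80))
    b = nat.outbound(Packet("tcp", M2, PEER, 1025, 80))  # same inside port, other host
    return (nat.inbound(Packet("tcp", PEER, PUBLIC_IP, 80, a.sport)).dst,
            nat.inbound(Packet("tcp", PEER, PUBLIC_IP, 80, b.sport)).dst)

def gre_demo() -> tuple:
    nat = DynamicNat()
    nat.outbound(Packet("gre", M1, PEER))
    nat.outbound(Packet("gre", M2, PEER))
    reply = Packet("gre", PEER, PUBLIC_IP)  # identical for both tunnels
    return (nat.inbound(reply).dst, nat.inbound(reply).dst)
```

Later PPTP-aware NAT helpers work around this by keying GRE on the Call ID that PPTP's enhanced GRE header carries (RFC 2637), learned from the TCP port 1723 control connection; the plain NAT modelled here never looks at it.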
