[pptp-server] can I have a pptp vpn between two nat's?

Cowles, Steve Steve at SteveCowles.com
Sat Apr 7 00:22:55 CDT 2001


> -----Original Message-----
> From: Lillian Kulhanek [mailto:lillian_kulhanek at yahoo.ca]
> Sent: Friday, April 06, 2001 11:25 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] can I have a pptp vpn between two nat's?
> 
> 
> Here's the setup:
>   
> Lan1 (Win98SE clients) is masqueraded behind a linux
> gateway.  The linux pptp server is behind the gateway,
> with port forwarding occurring from the gateway to
> pptp server.  (vpn masquerading)
> 
> Lan2 (Win98SE & NT4Server) is nat'ed behind a cisco
> 1600.  The NT server has a public address as well (2
> nics).  The NT server was set up as a pptp server as
> well, for the sake of testing.
> 
> The goal is for lan2 clients to log on to and access
> lan1.
> 
> Here's what we can do:
> 
> 1)  Home users can connect to Lan1 with pptp.
> Proves that the pptp server is working.
> 
> 2)  From a pc with a private address in lan1, I can
> connect to the pptp server in lan2, using its public
> address.  
> Proves that there is no port/protocol blockage, at
> least in that direction.
> 
> A pc in lan2 CANNOT make a pptp connection to the pc
> in lan1.  I was wondering if this was because of
> nat'ing on both sides?  But isn't portforwarding
> supposed to take care of this?
> 
> I don't remember reading anything that says I can't do
> this.  Can anyone enlighten me on why or why not? 
> Would this also explain why I can't run NetMeeting
> between the two lan's?  Although, I can't see a reason
> why this should not work.  Could this be a routing
> issue on the cisco box (to which the isp limits
> access)?
> 
> Answers, pointers to url's, greatly appreciated.  A
> timely response would also be appreciated, since I'm
> at lan2 flying back to lan1 in a few days.  
> 
> Thanks,
> Lillian
> 
> PS  Finally, am I missing something obvious, even an
> obvious alternate solution?

Have you considered establishing a LAN-to-LAN tunnel between lan1 and lan2
using your linux box and the NT server instead of multiple host-to-lan
tunnels? This way the clients on each lan do not have to establish tunnels
to communicate with the other lans. i.e. You establish one tunnel.

Here's an example of what I'm talking about. NOTE: Although I'm using IPSEC
in the following (real world) example, the same thing can be accomplished
using PPTP. 

My LAN (lan1) network address is: 192.168.9.0/24 (eth0)
Remote LAN (lan2) network address is: 192.168.1.0/24 (ipsec0)

NOTE: I have edited the following for clarity. 
On my linux firewall, my routing tables are:

[root at firewall mail]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   irtt Iface
x.x.113.176     0.0.0.0         255.255.255.252 U          0 eth1
192.168.9.0     0.0.0.0         255.255.255.0   U          0 eth0
192.168.1.0     x.x.113.177     255.255.255.0   UG         0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U          0 lo
0.0.0.0         x.x.113.177     0.0.0.0         UG         0 eth1
[root at firewall mail]# 

At the other end of the tunnel, its gateway route tables are basically
reversed. i.e. Its ipsec0 points to 192.168.9.0/24. Now all the
client/servers on LAN1 (192.168.9.0/24) can access all client/servers on
LAN2 (192.168.1.0/24) and vice-versa. The key here is that none of the
client/servers on both lans are establishing tunnels, just the linux
gateways. i.e. LAN-to-LAN tunnel.

FWIW: I also run PPTP on my linux box so that road warrior types can
establish tunnels from remote sites. 

Steve Cowles
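The routing tables above are what make the LAN-to-LAN tunnel work: the gateway, not the client, decides that anything for the far LAN leaves on ipsec0. The following Python is an added example (not Steve's or Lillian's code) that parses a netstat -rn listing, does the kernel's longest-prefix-match lookup, and checks that both gateways send the other LAN's traffic into the tunnel, which is the symmetry the reply describes. It assumes the masked "x.x.113.176" prefix is replaced with the 198.51.100.0/24 documentation range, and the lan2 table is constructed from the statement that it is "basically reversed"; neither address set comes from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lan1 table from the post, with the masked public
# prefix "x.x.113.176/30" replaced by the 198.51.100.0/24 documentation range.
LAN1_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   irtt Iface
198.51.100.176  0.0.0.0         255.255.255.252 U          0 eth1
192.168.9.0     0.0.0.0         255.255.255.0   U          0 eth0
192.168.1.0     198.51.100.177  255.255.255.0   UG         0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U          0 lo
0.0.0.0         198.51.100.177  0.0.0.0         UG         0 eth1
"""

# Constructed sample: the "reversed" table on the lan2 gateway (assumed
# addresses, again from the documentation range).
LAN2_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   irtt Iface
198.51.100.180  0.0.0.0         255.255.255.252 U          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U          0 eth0
192.168.9.0     198.51.100.181  255.255.255.0   UG         0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U          0 lo
0.0.0.0         198.51.100.181  0.0.0.0         UG         0 eth1
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for directly connected
    iface: str


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse 'netstat -rn' style output into Route entries.

    Only Destination, Gateway, Genmask, Flags and the trailing Iface column
    are used, so extra columns (MSS, Window) do not matter.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags = fields[:4]
        iface = fields[-1]
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies per packet."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def tunnel_symmetric(routes_a: List[Route], routes_b: List[Route],
                     host_a: str, host_b: str, tunnel_iface: str = "ipsec0") -> bool:
    """True when host_a -> host_b leaves gateway A on the tunnel AND the reply
    host_b -> host_a leaves gateway B on the tunnel. A missing far-LAN route on
    either side sends private traffic to the default gateway instead, which is
    the asymmetric case that silently breaks a LAN-to-LAN tunnel."""
    out = lookup(routes_a, host_b)
    back = lookup(routes_b, host_a)
    return (out is not None and out.iface == tunnel_iface
            and back is not None and back.iface == tunnel_iface)


if __name__ == "__main__":
    lan1 = parse_netstat_rn(LAN1_NETSTAT)
    lan2 = parse_netstat_rn(LAN2_NETSTAT)
    for dst in ("192.168.1.5", "192.168.9.20", "198.51.100.177", "203.0.113.9"):
        r = lookup(lan1, dst)
        print(f"lan1 gateway: {dst:>16} -> {r.iface} via {r.gateway or 'direct'}")
    print("LAN-to-LAN symmetric:",
          tunnel_symmetric(lan1, lan2, "192.168.9.20", "192.168.1.5"))
```

Run it as-is to see each destination resolved to an interface; if the far LAN's route is missing on either gateway, the symmetry check reports False, which is the first thing to verify when one direction of a tunnel works and the other does not.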
