[pptp-server] Verification of PPTP Tunnel

Cowles, Steve Steve at SteveCowles.com
Thu Aug 30 07:41:11 CDT 2001


> -----Original Message-----
> From: P39036 [mailto:P39036 at exchange.sihe.ac.uk]
> Sent: Thursday, August 30, 2001 5:05 AM
> To: 'pptp-server at lists.schulte.org'
> Subject: RE: [pptp-server] Verification of PPTP Tunnel
> 
> 
> Sorry, George, I should have been more specific. The setup is 
> very simple.
> 
> The PPTP client (Win98SE) has IP address 192.168.11.2. The 
> Linux PPTP Server has IP address 193.62.x.x, and is also the
> web server. So, we just have two machines in total here, not
> an extended LAN (this is just a demo for my MSc project).
> 
> The tunnel authenticates and runs fine (problems with MPPE, but
> that's another story). It still works when I deny all traffic
> at the Cisco interface except GRE (47) and PPTP (1723). The
> problem is that the client (192.168.11.2) can't browse to the
> web server (193.62.x.x) unless I also permit HTTP (80) at the
> Cisco interface. Doesn't this mean that the client is for some
> reason ignoring the tunnel to the server ? I just can't work it
> out.
> 
> Regards, Ken John
> BSc PGDip CCNA

If I understand your post correctly... the above behavior sounds perfectly
normal based on the fact you only have two machines in your demo/test
environment without a LAN behind the pptp server. 

To clarify... type "route print" on your win9x client after you establish
the tunnel. You should see a network address line that was added by the
win9x pptp connection software that looks something like:

192.168.11.0    255.255.255.0     193.62.x.x    <public ip>

So, the reason you're having to open up port 80 on the cisco router is: You
have established a PPTP tunnel with two end points (192.168.11.2 and
193.62.x.x). Based on the Win9x client's route table, only traffic destined
for the network address of 192.168.11.0/24 will be encapsulated and sent
across the tunnel. All other traffic will use the pptp client's public
(bound) ip address, including traffic destined for the tunnel's endpoint,
which would include http requests to 193.62.x.x. This is normal. Think about
it!!!

In short, the only way to force traffic across the tunnel would be to access
http data at an ip address within the range of the 192.168.11.0/24 network,
not the public ip of your pptp server. 

Again, if I understand your post correctly, your pptp server only has one ip
address, i.e. it's not multi-homed. If this is the case, then in order to
achieve your goal using your test environment, I would think you need to
implement ip aliasing on your pptp server and assign (bind) an additional ip
address to its ethernet interface that is within the 192.168.11.0/24 network
range, and then edit your pptp config file so that the local/remote
assignment is something like local=192.168.11.1, remote=192.168.11.2. Then,
to force tunnel activity (validate)... access http://192.168.11.1 from the
pptp client.

Good luck
Steve Cowles
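To make the route-table reasoning in the reply above concrete, here is an added example (not from the original thread) that applies longest-prefix matching to a constructed Win9x-style `route print` table and reports whether a given destination would leave through the PPP (tunnel) interface. The 198.51.100.x addresses are placeholders for the post's 193.62.x.x and <public ip>; the tunnel route's gateway and interface values are assumptions about the constructed table, not taken from the post.

```python
import ipaddress

# Constructed route table as a Win9x client might show it after the PPTP
# tunnel is up (example data, not from the original post).
# Columns: destination, netmask, gateway, interface.
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          198.51.100.1    198.51.100.20
192.168.11.0     255.255.255.0    192.168.11.2    192.168.11.2
192.168.11.2     255.255.255.255  127.0.0.1       127.0.0.1
198.51.100.0     255.255.255.0    198.51.100.20   198.51.100.20
"""

TUNNEL_IF = "192.168.11.2"  # the client's PPP (tunnel) address, from the post


def parse_routes(text):
    """Turn route-print lines into (network, gateway, interface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, mask, gateway, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def select_route(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def is_tunnelled(routes, dst):
    """True when a packet to dst exits via the PPP interface, i.e. gets
    GRE-encapsulated; False when it goes out the public (bound) address."""
    return select_route(routes, dst)[2] == TUNNEL_IF


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # The server's public address (placeholder for 193.62.x.x) is reached
    # via the default route, so it bypasses the tunnel; the aliased
    # 192.168.11.1 falls inside the /24 route and is tunnelled.
    for dst in ("198.51.100.50", "192.168.11.1"):
        net, gw, iface = select_route(table, dst)
        print(f"{dst}: route {net} via {gw} on {iface} "
              f"-> tunnelled={is_tunnelled(table, dst)}")
```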


