[pptp-server] Weird NAT problem - Windows 2000 + ADSL + NAT / Kernel 2.4.4

Mikael Lönnroth mikael.lonnroth at advancevpn.com
Tue Jul 31 12:00:42 CDT 2001


Hi,

Since I figured out (or I think I did) that PPTP connections from my home
ADSL to my work server only work randomly, I started watching the traffic
with Ethereal (splendid program btw).

CONFIGURATION:

CLIENT:
Windows 2000 plugged into port ETH2 (second ethernet port) on a Nokia M1122
ADSL modem.
My local IP addresses are 10.125.27.17 - 10.125.27.21, the first being the
ADSL router and ETH2 using
10.125.27.19.
Somewhere in the ISP network all my IP addresses get masqueraded to a single
public IP.

SERVER:
Kernel 2.4.4, PPP 2.4.1 with mppe-openssl-0.9.6 patch, PPTP-1.1.2
Public IP address

PROBLEM:

When I connect with Windows 2000 PPTP to my Linux PPTP server

* The TCP connection to 1723 goes through OK and the negotiation seems fine
* ETH2-Server: START-CONTROL-REQUEST
* Server-ETH2: START-CONTROL-REPLY
* ETH2-Server: OUTGOING-CALL-REQUEST
* Server-ETH2: OUTGOING-CALL-REPLY

Fine up until here, I suppose.. but then..

* ETH2-Server: (GRE) PPP LCP Configuration Request
* Server-ETH1: (GRE) PPP LCP Configuration Request (!!!)
* ETH1-Server: ICMP Destination unreachable
* ETH2-Server: (GRE) PPP LCP Configuration Request
* Server-ETH1: (GRE) PPP LCP Configuration Request
* ETH1-Server: ICMP Destination unreachable
...

This keeps going on until I get a timeout message on my Windows 2000. (Error
619: The specified port is not connected)

WHAT HAPPENS is that the Client sends configuration requests using GRE to
the server, which sends configuration requests using GRE to my "un-nated"
public IP address. The GRE packet gets to my router which forwards it to the
first ETH-port (first IP address): CONNECTION ISN'T ESTABLISHED.

SOLUTION 1:

When I plug my PPTP computer into ETH1 (that is the router's first IP
address) everything goes ok. This seems natural.

SOLUTION 2:

Very often, and THIS is weird, the server's LCP Configuration Request packet
actually goes through to ETH2 (the correct address) instead of ETH1 and the
connection works fine!

QUESTIONS:

Why does SOLUTION 2 work occasionally but not always?
Do PPTP or GRE packets include information about my private IP addresses?
Does the PPTP server have knowledge of any other IP address than my public
masq/nat ?
How does PPTP/GRE work with NAT/masqed ADSL clients that have no public IP
addresses (it works from my experience)
Is this all in the hands of one / more firewalls between my router and my
public IP address?


Sincerely,
Mikael Lönnroth
mikael.lonnroth at advancevpn.com

P.S. I wrote a patch for PPTP-1.1.2 and PPP-2.4.1 that allows user-based
IP-restrictions, if anyone is interested, please mail.

P.P.S. I, also, had the infamous Windows 98 / Windows 2000 problem. After
upgrading to kernel-2.4.4 with appropriate ppp and pptp packages it
disappeared! Here's how I installed it

[RedHat 7.1]
1. Unzip linux-2.4.4 (kernel) into /usr/src
2. [/usr/src] patch -p0 < linux-2.4.4-openssl-0.9.6a-mppe.patch.gz (
http://www.advancevpn.com/public/linux-2.4.4-openssl-0.9.6a-mppe.patch.gz )
3. Unzip ppp-2.4.1 into /usr/src (
http://www.advancevpn.com/public/ppp-2.4.1.tar.gz )
4. [/usr/src] patch -p0 < ppp-2.4.1-openssl-0.9.6-mppe-patch (
http://www.advancevpn.com/public/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz )
5. Unzip pptp-1.1.2 into /usr/src
6. In between, make and install all the packages, find correct ppp/options,
pptpd.conf etc files
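An added illustration (not part of the original post) of the mechanism behind the traffic the post describes. PPTP's data channel is enhanced GRE (RFC 2637), which carries no port numbers; the only per-session value in the header is the Call ID that the client assigned in its Outgoing-Call-Request on the TCP/1723 control channel. A NAT that does not inspect the control channel therefore cannot tell which inside host an inbound GRE packet belongs to and can only deliver it to one fixed host; a NAT with a PPTP helper records the client's Call ID from the control channel and uses it to demultiplex. The script below builds and parses both message types and models the two NAT behaviours. The inside addresses, the server address 192.0.2.10 and the Call ID values are constructed for the demonstration; the post itself does not say whether the ISP's NAT has such a helper, nor does this model explain why it sometimes picks the right port.

```python
"""Model of PPTP GRE demultiplexing behind a NAT with and without a PPTP helper.
Constructed example; addresses and Call IDs are made up for the demonstration."""
import struct

GRE_PROTO_PPP = 0x880B          # protocol type in PPTP's enhanced GRE header
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CTRL_MESSAGE = 1
OUTGOING_CALL_REQUEST = 7       # control message type assigned by RFC 2637


def build_pptp_gre(call_id, seq, payload, ack=None):
    """Enhanced GRE (RFC 2637 4.1): K and S bits set, version 1, optional ack."""
    flags = 0x30                # K=1 key present, S=1 sequence number present
    ver = 0x01                  # version 1 = enhanced GRE
    if ack is not None:
        ver |= 0x80             # A bit: acknowledgement number present
    hdr = struct.pack("!BBHHHI", flags, ver, GRE_PROTO_PPP, len(payload), call_id, seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Return (call_id, seq, payload); raise ValueError for non-PPTP GRE."""
    flags, ver, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (ver & 0x07) != 1 or proto != GRE_PROTO_PPP or not (flags & 0x20):
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq = 8, None
    if flags & 0x10:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if ver & 0x80:
        off += 4                # skip the acknowledgement number
    return call_id, seq, pkt[off:off + length]


def build_outgoing_call_request(call_id, serial=1):
    """Minimal 168-byte Outgoing-Call-Request (RFC 2637 2.7), phone fields zeroed."""
    head = struct.pack("!HHIHH", 168, PPTP_CTRL_MESSAGE, PPTP_MAGIC_COOKIE,
                       OUTGOING_CALL_REQUEST, 0)
    body = struct.pack("!HHIIIIHHHH", call_id, serial, 300, 100_000_000,
                       1, 1, 64, 0, 0, 0)
    return head + body + bytes(128)   # phone number (64) + subaddress (64)


def parse_outgoing_call_request(msg):
    """Return the client's Call ID from an Outgoing-Call-Request, else ValueError."""
    _, mtype, cookie, ctype, _ = struct.unpack("!HHIHH", msg[:12])
    if mtype != PPTP_CTRL_MESSAGE or cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    if ctype != OUTGOING_CALL_REQUEST:
        raise ValueError("not an Outgoing-Call-Request")
    return struct.unpack("!H", msg[12:14])[0]


class Nat:
    """Many-to-one NAT. Without a helper every inbound GRE packet goes to one
    fixed inside host; with a helper it follows the Call ID learned on TCP/1723.
    A real helper also rewrites Call IDs when two inside hosts pick the same one;
    that collision handling is omitted here."""

    def __init__(self, default_gre_host, pptp_helper):
        self.default = default_gre_host
        self.helper = pptp_helper
        self.calls = {}         # (server_ip, client_call_id) -> inside host

    def outbound_control(self, inside_ip, server_ip, msg):
        """Client -> server control message crossing the NAT."""
        if not self.helper:
            return
        try:
            cid = parse_outgoing_call_request(msg)
        except ValueError:
            return              # other control messages carry nothing to track
        self.calls[(server_ip, cid)] = inside_ip

    def inbound_gre(self, server_ip, pkt):
        """Server -> public IP GRE packet: choose the inside host to deliver to."""
        call_id, _, _ = parse_pptp_gre(pkt)
        if self.helper:
            return self.calls.get((server_ip, call_id), self.default)
        return self.default     # nothing in GRE to demultiplex on


def scenario(helper):
    """Client on the second port starts a call; where does the server's GRE land?"""
    eth1_host = "10.125.27.18"  # constructed: host on the router's first port
    eth2_host = "10.125.27.19"  # the ETH2 address given in the post
    server = "192.0.2.10"       # placeholder for the public PPTP server
    nat = Nat(default_gre_host=eth1_host, pptp_helper=helper)
    nat.outbound_control(eth2_host, server, build_outgoing_call_request(call_id=0x0001))
    lcp_conf_req = bytes([0xC0, 0x21, 0x01, 0x01, 0x00, 0x04])  # PPP LCP Configure-Request
    # The server's GRE carries the peer's (client's) Call ID in the key field.
    return nat.inbound_gre(server, build_pptp_gre(0x0001, 0, lcp_conf_req))


if __name__ == "__main__":
    print("no helper :", scenario(helper=False))   # lands on the ETH1 host
    print("helper    :", scenario(helper=True))    # lands on the ETH2 host
```

The GRE and control-channel packets never carry the inside 10.125.27.x addresses, which answers the second question in the post: the server only ever sees the public masqueraded address, and the correct inside host can be chosen only by a NAT that has seen the Call ID on the control channel.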
