[pptp-server] PPTP masquerade && MS non-compliance

Jamin Collins JaminC at adapt-tele.com
Fri Jun 22 13:49:20 CDT 2001


Charlie Brady [mailto:charlieb at e-smith.com] wrote:
> The masquerading server does not have the authentication 
> information to create a server to remote server route, nor 
> should it create such a route for all its masqueraded 
> clients, as multiple clients probably don't have 
> authorization to send or receive packets from that remote server.

I never said that it should; I simply stated that a single machine should
make the connection and control the routing of any additional connections.
You're assuming that I was talking about the Masq'ing server.  I never said
that this had to be the machine to make the connection.  In one of my other
posts, I listed it as one of the possible means of doing this, not as the
only way.

> It seems reasonable to me for the masquerading server to step 
> back out of the way and allow each client to individually 
> negotiate authentication and authorization with the remote 
> server - as long as it can be done reliably and (moderately)
> securely. Sure this is inefficient, and there are other
> ways to VPN site to site, but that is not the model that we are
> considering here.

There are multiple ways not only to connect site to site, but to do what we
are talking about.  You appear to be concerned with unauthorized access; this can
be controlled via many different mechanisms (many of which are more secure
than individual VPN connections from individual workstations).

Jamin W. Collins


