[pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2

Tom Eastep teastep at seattlefirewall.dyndns.org
Fri Mar 30 20:33:59 CST 2001


Robert,

Thus spoke robert:

> Has anyone gotten W2K with encryption working on a pptpd setup running 2.2
> kernel series and/or pppd 2.3 series?
>
> To answer your question, the setup works fine with both windows 98 and 95
> clients.  I don't have access to w2k or me clients to test.
>
> Out of curiosity, is the w2k using NAT?  According to M$: If the Virtual
> Private Network (VPN) client is behind any network device performing Network
> Address Translation (NAT), the L2TP session fails because encrypted IPSec
> Encapsulating Security Payload (ESP) packets become corrupted.
>

That's an acknowledged limitation with IPSEC/ESP and NAT. See John
Hardin's VPN MASQ site
(http://www.impsec.org/linux/masquerade/ip_masq_vpn.html). It has to do
with the ESP checksum including not only the payload but also the IP
header; rewriting the header (NAT) makes it impossible to generate the
correct checksum since that checksum is generated prior to encryption.

That is not an M$-specific issue and it can be worked around by
terminating the IPSec tunnel on your Linux Gateway rather than on a
masqueraded system behind that gateway.

> The problem *seems* to be w2k, not pptpd.  I know M$ purposely created
> incompatibilities with bind and Kerberos.  I wonder if we have hit upon
> another incompatibility...or a bug????
>

Regarding PPTP (as opposed to IPSEC), the problem we're all seeing does
seem to be Win2k-specific. I've drawn my own conclusions...

-Tom
-- 
Tom Eastep             \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924           \ Websites: http://seawall.sourceforge.net
teastep at evergo.net       \          http://seattlefirewall.dyndns.org
Shoreline, Washington USA \         http://shorewall.sourceforge.net
                           \_________________________________________
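A small model of the mechanism Tom describes, added here as an example (it is not code from this thread or from pptpd/pppd): an integrity check computed by the sender over IP header fields plus the payload, a NAT box that rewrites the source address but has no key to recompute the check, and the workaround of terminating the tunnel on the gateway so nothing rewrites the header afterwards. The addresses, the shared key and the use of HMAC-SHA256 as the check are all constructed for the demo. One factual note for readers: in IPsec proper, coverage of IP header fields by the integrity check is AH's behaviour (RFC 2402); ESP's ICV (RFC 2406) does not cover the outer IP header, and ESP's trouble behind NAT comes from NAT having no port numbers to multiplex on, which is what the later UDP encapsulation of RFC 3948 solves. The model below follows the post's description.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed demo key shared by the two tunnel endpoints; a NAT box never has it.
DEMO_KEY = b"constructed-demo-key-not-a-real-sa"

# Constructed addresses (RFC 5737 documentation ranges plus one RFC 1918 address).
CLIENT_PRIVATE_IP = "192.168.1.10"   # masqueraded host behind the Linux gateway
GATEWAY_PUBLIC_IP = "198.51.100.7"   # address NAT rewrites the source to
VPN_SERVER_IP = "203.0.113.5"        # far end of the tunnel


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""


def _header_bytes(src: str, dst: str) -> bytes:
    """Minimal stand-in for the IP header fields covered by the integrity check."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


def protect(src: str, dst: str, payload: bytes, key: bytes = DEMO_KEY) -> Packet:
    """Sender side: integrity value over header fields + payload, computed
    before the packet leaves the host (i.e. before any NAT sees it)."""
    icv = hmac.new(key, _header_bytes(src, dst) + payload, hashlib.sha256).digest()
    return Packet(src, dst, payload, icv)


def verify(pkt: Packet, key: bytes = DEMO_KEY) -> bool:
    """Receiver side: recompute over the header as actually received."""
    expected = hmac.new(key, _header_bytes(pkt.src, pkt.dst) + pkt.payload,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.icv)


def masquerade(pkt: Packet, public_ip: str) -> Packet:
    """NAT: rewrite the source address. It holds no key, so the ICV is left as is."""
    return replace(pkt, src=public_ip)


def client_behind_nat() -> bool:
    """Tunnel endpoint on the masqueraded host: the check fails at the far end."""
    pkt = protect(CLIENT_PRIVATE_IP, VPN_SERVER_IP, b"ppp frame")
    return verify(masquerade(pkt, GATEWAY_PUBLIC_IP))


def tunnel_on_gateway() -> bool:
    """Workaround from the post: terminate the tunnel on the gateway itself,
    so the header covered by the ICV is already the public one."""
    pkt = protect(GATEWAY_PUBLIC_IP, VPN_SERVER_IP, b"ppp frame")
    return verify(pkt)


if __name__ == "__main__":
    print("client behind NAT verifies:", client_behind_nat())
    print("tunnel on gateway verifies:", tunnel_on_gateway())
```

Run it and the first line prints False, the second True: the receiver recomputes the check over the rewritten header and it no longer matches what the client computed over its private address.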