[pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
Tom Eastep
teastep at seattlefirewall.dyndns.org
Fri Mar 30 20:33:59 CST 2001
Robert,
Thus spoke robert:
> Has anyone gotten W2K with encryption working on a pptpd setup running 2.2
> kernel series and/or pppd 2.3 series?
>
> To answer your question, the setup works fine with both windows 98 and 95
> clients. I don't have access to w2k or me clients to test.
>
> Out of curiosity, is the w2k using NAT? According to M$: If the Virtual
> Private Network (VPN) client is behind any network device performing Network
> Address Translation (NAT), the L2TP session fails because encrypted IPSec
> Encapsulating Security Payload (ESP) packets become corrupted.
>
That's an acknowledged limitation with IPSEC/ESP and NAT. See John
Hardin's VPN MASQ site
(http://www.impsec.org/linux/masquerade/ip_masq_vpn.html). It has to do
with the ESP checksum including not only the payload but also the IP
header; rewriting the header (NAT) makes it impossible to generate the
correct checksum since that checksum is generated prior to encryption.
That is not an M$-specific issue and it can be worked around by
terminating the IPSec tunnel on your Linux Gateway rather than on a
masqueraded system behind that gateway.
> The problem *seems* to be w2k, not pptpd. I know M$ purposely created
> incompatibilities with bind and kerbos (sp?). I wonder if we have hit upon
> another incompatibility...or a bug????
>
Regarding PPTP (as opposed to IPSEC), the problem we're all seeing does
seem to be Win2k-specific. I've drawn my own conclusions...
-Tom
--
Tom Eastep \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924 \ Websites: http://seawall.sourceforge.net
teastep at evergo.net \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
\_________________________________________
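As an added illustration, not from this thread, the following Python models the failure Tom describes: an integrity tag computed over the IP addresses and payload before the packet leaves the client cannot verify once a masquerading gateway rewrites the source address, while the same tag checked on the gateway itself (tunnel terminated there, no rewrite in between) still verifies. The key, addresses and payload are constructed; a header-covering check is how IPsec AH behaves, whereas ESP's own ICV excludes the outer IP header, so this models the argument in the message rather than ESP's exact format.

```python
import hmac
import hashlib
import struct
import ipaddress

KEY = b"constructed-demo-key"  # constructed shared key, not a real SA key


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 50) -> bytes:
    """Minimal 20-byte IPv4 header (no options); header checksum left at 0."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icv(header: bytes, payload: bytes) -> bytes:
    """Integrity check value over the IP addresses plus the payload,
    computed by the sender before the packet leaves the client."""
    addrs = header[12:20]  # source (12:16) and destination (16:20) addresses
    return hmac.new(KEY, addrs + payload, hashlib.sha256).digest()


def nat_rewrite_source(header: bytes, new_src: str) -> bytes:
    """What a masquerading gateway does: replace the private source address."""
    return header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:20]


def verify(header: bytes, payload: bytes, tag: bytes) -> bool:
    """Receiver-side check: recompute the tag over what actually arrived."""
    return hmac.compare_digest(icv(header, payload), tag)


def demo():
    payload = b"encrypted body (constructed sample)"
    hdr = build_ipv4_header("192.168.1.10", "203.0.113.5", len(payload))
    tag = icv(hdr, payload)  # computed on the client, before any NAT

    # Case 1: client behind NAT; the gateway rewrites the source address,
    # so the tag no longer matches the packet the server receives.
    natted = nat_rewrite_source(hdr, "198.51.100.7")
    behind_nat_ok = verify(natted, payload, tag)

    # Case 2: tunnel terminated on the gateway itself; the header the
    # check covers is the one the server sees, so it verifies.
    gateway_ok = verify(hdr, payload, tag)
    return behind_nat_ok, gateway_ok
```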