[pptp-server] Thoughts and suggestions for a NAT situation

Fri Sep 14 15:46:25 CDT 2001

Mad props must be given to the Freeswan developers; it is a fantastic piece of software.

We are currently using a linuxbox with freeswan to access our backside lan in the colo cage (connecting to a Netscreen100).  I am also using freeswan on both sides to connect my home LAN to my office LAN.

Freeswan is super-nice.  And, it's not that hard to implement, even if you have NAT inbetween (at least is wasn't for me), with the use of RSA certificates for the two freeswan boxes.  My home gateway is directly on the internet, but the office gateway is behind a 1-to-1 NAT device.  It works like a charm.

I was not able to get it to work with 1 freeswan box behind a 1-to-1 NAT, and a client win2k box behind another 1-to-1 NAT.

NAT is a blessing and a curse. :)

Jordan

-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Cowles, Steve
Sent: Friday, September 14, 2001 7:36 AM
To: 'pptp-server at lists.schulte.org'
Subject: RE: [pptp-server] Thoughts and suggestions for a NAT situation

> -----Original Message-----
> From: Chris j. Storer [mailto:cstorer at infinitisystems.com]
> Sent: Thursday, September 13, 2001 9:10 PM
> To: 'George Vieira '; 'pptp-server '
> Subject: RE: [pptp-server] Thoughts and suggestions for a NAT 
> situation
> 
> 
> That's exactly what I mean - 1 IP address that is NATing a 
> LAN - each client on the LAN maintains a PPTP connection,
> through NAT on a Win2k server, or a 3com "lanmodem".
> 
> I have main office in Cleveland with an as400 and a t1.  7 
> small, remote offices - 2 on dsl, the rest share dialup
> lines with 3com lanmodems, small analog NAT routers.  Each
> individual client at the 7 remote sites initiates a VPN
> session into cleveland (1 Win2k VPN server, 1 WinNT VPN 
> server...don't ask), through NAT, and then telnet into the
> 400.  At one site I have 25 sessions running through one
> IP address.
> 
> MS PPTP, in this situation, works - I can have 20 seperate 
> connections NATed from one IP.
> 
> PoPToP does not seem to handle this.  Once one client behind 
> the NAT has a PPTP connection, all other attempts to connect
> from behind the NAT fail.

As you've stated, you have multiple clients connecting to a single PPTP
server from behind a NAT'd firewall. The PPTP specification never accounted
for this scenario. In a perfect world (with regards to network design), you
should not have to create multiple PPTP connections (to the same server)
from behind a NAT'd firewall. 

With this in mind, you seem to have only two choices:

1) Continue using your MS PPTP server since it meets your current
requirements.

2) You touched on this option in your first post, but dismissed it due to
cost. Anyway, it might be time to "bite the bullet" and consider
implementing a LAN-to-LAN VPN solution for these remote offices. Then the
clients simply telnet into the AS400 without first creating a VPN.

I know, easier said than done. Option number two will be harder to
implement, plus you have additional security issues to deal with. But long
term though, your implementing a "sound" network design that is scalable on
down the road. Plus, from a client perspective, its easier to use since they
no longer have to deal with "first" establishing a PPTP tunnel and then
telneting into your AS400.

FWIW: I had a customer in a similar situation. i.e.. Cost was overriding
implementing a sound network design. So, we used old 486's (with
linux/ipsec) as endpoints between their offices. Checkout:
http://jixen.tripod.com I would think the "Using a central IPSEC gateway as
a tunnel hub" option applies to your case. This could also be implemented
using PPTP.

Good luck
Steve Cowles
_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
--- To unsubscribe, go to the url just above this line. --