Firewall Wizards mailing list archives

RE: PPTP Question


From: Russ <Russ.Cooper () rc on ca>
Date: Fri, 17 Apr 1998 18:52:49 -0400

Resend due to incorrect URL...

-----Original Message-----
From: Russ 
Sent: Friday, April 17, 1998 6:17 PM
To: 'Ge' Weijers'; Joseph S. D. Yao
Cc: Tina Bird; vpn () listserv iegroup com; firewall-wizards () nfr net
Subject: RE: PPTP Question

For those of you interested in the security of PPTP, see my article "Is
PPTP secure?" at http://www.ntbugtraq.com/Editorials/ispptp.asp

To Tina's original question...

PPTP can definitely handle NAT, as long as the NAT device sits between
the GRE device (say an NT box with RAS on it) and the client.

As long as the GRE device sees that it's sending/receiving packets
to/from a known IP address (i.e. one that it established a connection
with and is willing to communicate to), NAT's got nothing to do with it.

Note that this all has to do with the GRE stream and the control session
(TCP 1723 or whatever it is). The encapsulated traffic doesn't even have
to be IP, it could be NetBEUI or IPX, so obviously it's unaffected.

Assuming it is IP, the client is going to be assigned an IP address by
the GRE device (or the RAS device within the GRE device in the case of
NT) for the virtual adapter it creates to support the tunnel. It's going
to need to be able to route to that address. If that address is, say,
8-bit 10.x.x.2, then it's going to form a route to 10.x.x.x via its own
virtual adapter 10.x.x.2. If the client has another route for the same
subnet, or some segment of that network, because, say, it's on another
network that also uses NAT, then standard NAT issues apply (i.e. it
ain't going to work).

The point is, the IP addresses of the remote PPTP network, the external
side of the NAT device, the local physical adapter IP network of the
client, all need to be different.

Cheers,
Russ Cooper
R.C. Consulting, Inc. - NT/Internet Security
Moderator of the NTBugtraq mailing list
http://www.ntbugtraq.com
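
The address-separation requirement from the message above, as an added example that is not part of the original post: it checks the three address ranges for overlap and shows which adapter a client would pick for a destination. All addresses and names are constructed, and route selection is simplified to longest-prefix match (real stacks also weigh metrics).

```python
import ipaddress
from itertools import combinations

def overlapping_pairs(networks):
    """networks maps a label to a CIDR string; return the label pairs that overlap."""
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    return sorted((a, b) for a, b in combinations(sorted(parsed), 2)
                  if parsed[a].overlaps(parsed[b]))

def chosen_route(dest, routes):
    """Return the interface of the most specific route covering dest, or None.

    routes is a list of (cidr, interface). Longest-prefix match only: an
    assumption made for this example, not a model of any particular OS.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# Constructed sample: client sits on a NATed 10.1.2.0/24 LAN and the PPTP
# server hands out an address in 10.0.0.0/8 for the virtual adapter.
BROKEN = {"remote_pptp": "10.0.0.0/8",
          "local_lan": "10.1.2.0/24",
          "nat_external": "192.0.2.1/32"}
BROKEN_ROUTES = [("10.0.0.0/8", "pptp"), ("10.1.2.0/24", "lan"), ("0.0.0.0/0", "lan")]

# Constructed sample: same tunnel, but the client LAN uses a different range.
WORKING = dict(BROKEN, local_lan="192.168.1.0/24")
WORKING_ROUTES = [("10.0.0.0/8", "pptp"), ("192.168.1.0/24", "lan"), ("0.0.0.0/0", "lan")]

if __name__ == "__main__":
    for label, nets, routes in (("broken", BROKEN, BROKEN_ROUTES),
                                ("working", WORKING, WORKING_ROUTES)):
        print(label, "overlaps:", overlapping_pairs(nets))
        # 10.1.2.50 stands for a host on the remote PPTP network.
        print(label, "10.1.2.50 leaves via:", chosen_route("10.1.2.50", routes))
```

In the overlapping case the remote host 10.1.2.50 is sent out the physical adapter instead of the tunnel, which is the failure the message describes.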


