Firewall Wizards mailing list archives

PPTP Question


From: Tina Bird <tbird () iegroup com>
Date: Tue, 14 Apr 1998 11:41:17 -0500

Hi all -- I'm working on a FAQ response for PPTP, spurred not only
by the list but also by questions from a few clients and colleagues.
I'm having (probably predictable) trouble reconciling conflicting
comments from various sources, but there's one in particular that's
causing real trouble.

Many people have stated that PPTP can't be used with NAT, that it
requires "real" network addresses because it's using PPTP.  But
further exploration reveals that the PPTP server can act as a DHCP
server, handing out IP addresses to clients when they make a permitted
connection.  To quote the latest O'Reilly book, on VPNs, from the
PPTP chapter:  "When VPN users make PPTP connections with the RAS
server, they can be assigned IP addresses by that server.  The address
can be part of the corporation's range of IP addresses..."

What this says to me is that I can make PPTP use hidden network
addresses, by having my firewall use its redirection functionality
to hand off an incoming PPTP connection to the internal server, which
assigns the appropriate private address.  The private address is still
hidden by the data encryption (if used).  I can imagine the >routing<
being a pain -- because you'd have to explicitly configure the DHCP
server to pass along a route to the corporate network in addition to 
the default route to the Internet -- but what else breaks, or what 
have I gotten wrong?

thanks -- Tina

FYI - The VPN book is "Virtual Private Networks," by Charlie Scott,
Paul Wolfe and Mike Erwin, O'Reilly, ISBN 1-56592-319-7 -- it's too
superficial for my tastes, and completely doesn't discuss key
management. But it contains three chapters on the use of PPTP,
Alta Vista, and Cisco's PIX encryption, which may be helpful if the
vendor-supplied doc isn't very good...


