Re: PPTP Question

[Tina Bird <tbird () iegroup com>]

According to the VPN book, the PPTP packet consists of the delivery
header, the IP header, a GREv2 header and the payload.  The IP
header of course contains the source and destination IP addresses.
But if I'm using redirection at the firewall or other NAT device (so
the connection is ostensibly made between the PC's address and a
particular port or virtual IP address on the external side of the
firewall), where is the >internal< IP address being broadcast?

The payload packet, which is what may be encrypted via MPPE, is what
contains the original session data between client and server. 

Joseph S. D. Yao wrote:
> ...
> > Many people have stated that PPTP can't be used with NAT, that it
> > requires "real" network addresses because it's using PPTP.  But
> > further exploration reveals that the PPTP server can act as a DHCP
> > server, handing out IP addresses to clients when they make a permitted
> > connection.  To quote the latest O'Reilly book, on VPNs, from the
> > PPTP chapter:  "When VPN users make PPTP connections with the RAS
> > server, they can be assigned IP addresses by that server.  The address
> > can be part of the corporation's range of IP addresses..."
> >
> > What this says to me is that I can make PPTP use hidden network
> > addresses, by having my firewall use its redirection functionality
> > to hand off an incoming PPTP connection to the internal server, which
> > assigns the appropriate private address.  The private address is still
> > hidden by the data encryption (if used).  I can imagine the >routing<
> > being a pain -- because you'd have to explicitly configure the DHCP
> > server to pass along a route to the corporate network in addition to
> > the default route to the Internet -- but what else breaks, or what
> > have I gotten wrong?
>
> Disclaimer: I know little to nothing about PPTP.  But maybe that helps,
> here.
>
> I see nothing in what you have quoted that would lead one to draw the
> conclusion you have drawn.  It's possible, of course, that you were
> influenced by other things you read to make that conclusion.  But what
> I see is that PPTP is the protocol used, directly or through a firewall
> that has a PPTP proxy or redirector, to contact the RAS server and get
> an IP address.  There is nothing further there to indicate that that
> address can then be "hidden".
>
> If, as with several broken protocols, the IP address is then embedded
> in PPTP messages, then you can not do address translation at the
> firewall without a special proxy that modifies all packets as they go
> through.  Nor can you have a single address be the endpoint for more
> than one connection made to the outside.
>
> Hope this helps.
>
> --
> Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
> COSPO Computer Support                                          EMT-A/B
> -----------------------------------------------------------------------
> This message is not an official statement of COSPO policies.