Firewall Wizards mailing list archives
Re: PPTP Question
From: Tina Bird <tbird () iegroup com>
Date: Tue, 14 Apr 1998 14:55:27 -0500
According to the VPN book, the PPTP packet consists of the delivery header, the IP header, a GREv2 header and the payload. The IP header of course contains the source and destination IP addresses. But if I'm using redirection at the firewall or other NAT device (so the connection is ostensibly made between the PC's address and a particular port or virtual IP address on the external side of the firewall), where is the >internal< IP address being broadcast? The payload packet, which is what may be encrypted via MPPE, is what contains the original session data between client and server.

Joseph S. D. Yao wrote:

> > ...Many people have stated that PPTP can't be used with NAT, that it requires "real" network addresses because it's using PPTP. But further exploration reveals that the PPTP server can act as a DHCP server, handing out IP addresses to clients when they make a permitted connection. To quote the latest O'Reilly book, on VPNs, from the PPTP chapter: "When VPN users make PPTP connections with the RAS server, they can be assigned IP addresses by that server. The address can be part of the corporation's range of IP addresses..."
> >
> > What this says to me is that I can make PPTP use hidden network addresses, by having my firewall use its redirection functionality to hand off an incoming PPTP connection to the internal server, which assigns the appropriate private address. The private address is still hidden by the data encryption (if used). I can imagine the >routing< being a pain -- because you'd have to explicitly configure the DHCP server to pass along a route to the corporate network in addition to the default route to the Internet -- but what else breaks, or what have I gotten wrong?
>
> Disclaimer: I know little to nothing about PPTP. But maybe that helps, here.
>
> I see nothing in what you have quoted that would lead one to draw the conclusion you have drawn. It's possible, of course, that you were influenced by other things you read to make that conclusion. But what I see is that PPTP is the protocol used, directly or through a firewall that has a PPTP proxy or redirector, to contact the RAS server and get an IP address. There is nothing further there to indicate that that address can then be "hidden". If, as with several broken protocols, the IP address is then embedded in PPTP messages, then you cannot do address translation at the firewall without a special proxy that modifies all packets as they go through. Nor can you have a single address be the endpoint for more than one connection made to the outside.
>
> Hope this helps.
>
> --
> Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
> COSPO Computer Support EMT-A/B
> -----------------------------------------------------------------------
> This message is not an official statement of COSPO policies.
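The thread is arguing about which address is visible where. As an added example that is not part of the original message or the book it quotes, the Python below builds and parses a PPTP data packet (delivery IPv4 header, enhanced GRE header per RFC 2637, PPP frame) and then does the piece of NAT that plain port-based translation cannot: GRE has no ports, so a translating device has to key sessions on the GRE Call ID, and because a data packet carries the *peer's* Call ID, the packets coming back from the server carry the client's ID, which two clients behind one public address can pick identically. The `PptpNat` class shows the call-ID remapping a PPTP ALG does to resolve that. The addresses, call IDs and the `register_call` hook (standing in for the ALG watching the TCP/1723 control channel) are assumptions for illustration, and the "encrypted" payload is a constructed placeholder, not real MPPE ciphertext.

```python
"""PPTP data-plane packets: outer IPv4 + enhanced GRE (RFC 2637) + PPP.

Added example, not code from the thread. Sample packets are constructed here;
addresses, call IDs and the NAT mapping are assumptions for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B          # GRE protocol type used by PPTP
GRE_FLAGS_KSA_V1 = 0x3081       # K, S and A bits set, version 1 (enhanced GRE)
PPP_PROTO_IP = 0x0021           # plaintext IPv4 inside PPP
PPP_PROTO_COMPRESSED = 0x00FD   # MPPC/MPPE frame: payload is ciphertext


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _packed(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                1, 0, 64, proto, 0, _packed(src), _packed(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def build_pptp_gre(outer_src, outer_dst, call_id, seq, ppp_proto, inner: bytes) -> bytes:
    """Delivery IPv4 header + GRE (key = payload length / call ID, seq, ack) + PPP frame."""
    ppp = b"\xff\x03" + struct.pack("!H", ppp_proto) + inner
    gre = struct.pack("!HHHHII", GRE_FLAGS_KSA_V1, GRE_PROTO_PPP, len(ppp), call_id, seq, 0)
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + ppp)


@dataclass
class PptpData:
    outer_src: str
    outer_dst: str
    call_id: int
    seq: Optional[int]
    ack: Optional[int]
    ppp_proto: int
    inner_src: Optional[str]   # only recoverable when the PPP payload is plaintext IPv4
    inner_dst: Optional[str]


def parse_pptp_gre(pkt: bytes) -> PptpData:
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE (47)")
    outer_src, outer_dst = _dotted(pkt[12:16]), _dotted(pkt[16:20])
    gre = pkt[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if ptype != GRE_PROTO_PPP or (flags & 0x0007) != 1 or not flags & 0x2000:
        raise ValueError("not enhanced GRE carrying PPP")
    off = 4
    payload_len, call_id = struct.unpack("!HH", gre[off:off + 4])
    off += 4
    seq = ack = None
    if flags & 0x1000:                      # S bit: sequence number present
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x0080:                      # A bit: acknowledgement number present
        ack = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    ppp = gre[off:off + payload_len]
    p = 2 if ppp[:2] == b"\xff\x03" else 0  # HDLC address/control may be omitted (ACFC)
    if ppp[p] & 1:                          # protocol-field compression: one odd byte
        ppp_proto, p = ppp[p], p + 1
    else:
        ppp_proto, p = struct.unpack("!H", ppp[p:p + 2])[0], p + 2
    inner = ppp[p:]
    inner_src = inner_dst = None
    if ppp_proto == PPP_PROTO_IP and len(inner) >= 20:
        inner_src, inner_dst = _dotted(inner[12:16]), _dotted(inner[16:20])
    return PptpData(outer_src, outer_dst, call_id, seq, ack, ppp_proto, inner_src, inner_dst)


class PptpNat:
    """Inbound PPTP-aware NAT: the part an ALG adds on top of plain address translation.

    The GRE Call ID in a data packet is the peer's ID, so packets the server sends
    back carry the client's call ID. Two private clients may pick the same one, so each
    (private host, client call ID) is mapped to a unique public call ID when the call
    is set up (on the TCP/1723 control channel, simulated by register_call) and inbound
    GRE packets get the destination address and call ID rewritten.
    """

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.calls: Dict[int, Tuple[str, int]] = {}  # public call ID -> (private ip, private call ID)

    def register_call(self, private_ip: str, client_call_id: int) -> int:
        pub = client_call_id
        while pub in self.calls:            # collision with another client: pick a free ID
            pub = (pub + 1) & 0xFFFF
        self.calls[pub] = (private_ip, client_call_id)
        return pub

    def translate_inbound(self, pkt: bytes) -> bytes:
        d = parse_pptp_gre(pkt)
        if d.outer_dst != self.public_ip or d.call_id not in self.calls:
            raise LookupError("no PPTP session for call ID %#x" % d.call_id)
        private_ip, private_id = self.calls[d.call_id]
        ihl = (pkt[0] & 0x0F) * 4
        hdr = bytearray(pkt[:ihl])
        hdr[16:20] = _packed(private_ip)
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        gre = bytearray(pkt[ihl:])
        gre[6:8] = struct.pack("!H", private_id)   # Call ID sits right after the payload length
        return bytes(hdr) + bytes(gre)


# Constructed samples from server 203.0.113.5 to the NAT's public address 198.51.100.1:
# one plaintext IP datagram between the PPP-assigned tunnel addresses, one MPPE-style frame
# whose payload is an opaque placeholder (zeros), not real ciphertext.
INNER_IP = build_ipv4("10.0.0.1", "10.0.0.7", 1, b"")
PLAIN = build_pptp_gre("203.0.113.5", "198.51.100.1", 0x0001, 7, PPP_PROTO_IP, INNER_IP)
ENCRYPTED = build_pptp_gre("203.0.113.5", "198.51.100.1", 0x0002, 8, PPP_PROTO_COMPRESSED, bytes(24))


def demo():
    nat = PptpNat("198.51.100.1")
    a = nat.register_call("192.168.1.10", 0x0001)   # first client picks call ID 1
    b = nat.register_call("192.168.1.11", 0x0001)   # second client also picks 1 -> remapped to 2
    return a, b, parse_pptp_gre(nat.translate_inbound(PLAIN)), parse_pptp_gre(nat.translate_inbound(ENCRYPTED))


if __name__ == "__main__":
    print(demo())
```

Parsing `PLAIN` exposes the tunnel addresses 10.0.0.1 and 10.0.0.7 because the PPP payload is plaintext IPv4; parsing `ENCRYPTED` yields no inner addresses at all, which is the sense in which MPPE hides them from a device in the path. In both cases the only thing a translator can match on is the outer address pair plus the GRE Call ID, which is why a plain port-based NAT cannot multiplex several PPTP clients behind one address without the ALG-style remapping shown above.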
Current thread:
- PPTP Question Tina Bird (Apr 14)
- Re: PPTP Question Joseph S. D. Yao (Apr 14)
- Re: PPTP Question Tina Bird (Apr 14)
- Re: PPTP Question Joseph S. D. Yao (Apr 14)
- Re: PPTP Question Ge' Weijers (Apr 17)
- Re: PPTP Question Tina Bird (Apr 14)
- Re: PPTP Question Joseph S. D. Yao (Apr 14)
- <Possible follow-ups>
- RE: PPTP Question Russ (Apr 17)
- RE: PPTP Question Webb, Andy (Apr 21)