NAT and PPTP

Jon Newson jon.newson at sdrct.com
Thu Jul 17 22:08:58 PDT 2003


A couple of thoughts:

Is your client employing ipsec/isakmp?
If so, has your client ensured that the setkey -P entries
have been pushed into the kernel?

Correct me if I'm wrong, but from (a foggy) memory
GRE in a tunnel mode such as this employs the gif
device; is the routing/firewalling allowing for this?

cheers,

-jn

-----Original Message-----
From: Brett Glass [mailto:brett at lariat.org]
Sent: Friday, July 18, 2003 5:36 AM
To: net at freebsd.org
Subject: NAT and PPTP


FreeBSD makes a very good NAT router... for most applications.
But a client of mine is having terrible trouble with it when
trying to use NAT with one particular protocol: PPTP.

Here's what's going on. A client has a FreeBSD box that's serving as a
NAT router. He has one public IP, and lots of PCs behind the router on
unregistered IPs. This works fine when they're doing browsing, etc., but
fails horribly when users try to use PPTP to tunnel out into another LAN
across the Internet.

The problem appears to be that PPTP -- while it uses TCP for its control
connection -- uses GRE to encapsulate an encrypted PPP session between the
client and the server. GRE, like TCP and UDP, is in the IP protocol family and
uses IP addressing. However, it doesn't use "ports," as IP and UDP do;
instead, it has a different mechanism for identifying packets that belong to
different sessions or connections, and the header fields that must be
inspected vary depending upon the encapsulated protocol. FreeBSD's natd
doesn't understand that mechanism, so it doesn't know how to route GRE packets
from the outside world back to the correct client on the private LAN.

Some NAT routers (including the DI-604 from D-Link; see
http://www.dlink.com/products/?pid=62) are able to route PPTP's GRE packets
correctly when multiple clients on the private LAN want to tunnel out, so it's
obviously possible. Who is the current maintainer of FreeBSD's NAT code
(including natd and the NAT libraries)? How difficult would it be to add
PPTP support to them?

--Brett Glass
_______________________________________________
freebsd-net at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
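The session-identification mechanism Brett describes, shown as an added example that is not code from the original post and not FreeBSD's natd or libalias code. PPTP (RFC 2637) carries PPP inside "enhanced GRE" (GRE version 1, protocol type 0x880B), and the GRE Key field holds a 16-bit payload length followed by a 16-bit Call ID; the Call IDs are negotiated over the TCP/1723 control connection (Outgoing-Call-Request carries the client's Call ID, Outgoing-Call-Reply echoes it back as "Peer's Call ID"). A NAT that wants several inside clients behind one public address therefore has to watch the control channel, give each call a Call ID that is unique at the public side, and use that to steer the server's GRE packets back to the right inside host. The addresses, Call ID values, the 0x1000 allocation base and the PptpNat class below are assumptions made for the example; only the wire layouts come from the RFC.

```python
"""Toy PPTP-aware NAT (constructed example; not natd/libalias code).

Control messages follow RFC 2637 section 2: a 12-byte header (Length,
PPTP Message Type, Magic Cookie, Control Message Type, Reserved0) and then
the per-message body.  Enhanced GRE is GRE v1 with the K flag set and
Key = <payload length:16><Call ID:16>.
"""
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MSG = 1                  # PPTP Message Type: control message
OUTGOING_CALL_REQUEST = 7     # client -> server, carries the client's Call ID
OUTGOING_CALL_REPLY = 8       # server -> client, carries server Call ID + Peer's Call ID
GRE_PROTO_PPP = 0x880B
CALL_ID_OFF, PEER_CALL_ID_OFF = 12, 14   # field offsets in both messages
GRE_CALL_ID_OFF = 6                      # low half of the GRE Key field


def build_ctrl(ctrl_type_value, call_id, peer_call_id=0):
    """Constructed control message with only the NAT-relevant fields filled in."""
    length = 168 if ctrl_type_value == OUTGOING_CALL_REQUEST else 32
    msg = bytearray(length)
    struct.pack_into("!HHIHH", msg, 0, length, CTRL_MSG, MAGIC_COOKIE, ctrl_type_value, 0)
    struct.pack_into("!H", msg, CALL_ID_OFF, call_id)
    if ctrl_type_value == OUTGOING_CALL_REPLY:
        struct.pack_into("!H", msg, PEER_CALL_ID_OFF, peer_call_id)
    return bytes(msg)


def ctrl_type(msg):
    if struct.unpack_from("!I", msg, 4)[0] != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    return struct.unpack_from("!H", msg, 8)[0]


def ctrl_call_id(msg):
    return struct.unpack_from("!H", msg, CALL_ID_OFF)[0]


def ctrl_peer_call_id(msg):
    return struct.unpack_from("!H", msg, PEER_CALL_ID_OFF)[0]


def build_gre(call_id, payload):
    """Enhanced GRE header: K flag (0x20), version 1, no sequence/ack fields."""
    return struct.pack("!BBHHH", 0x20, 0x01, GRE_PROTO_PPP, len(payload), call_id) + payload


def gre_call_id(pkt):
    flags, ver, proto, _plen, call_id = struct.unpack_from("!BBHHH", pkt, 0)
    if not (flags & 0x20) or (ver & 0x07) != 1 or proto != GRE_PROTO_PPP:
        raise ValueError("not PPTP enhanced GRE")
    return call_id


def _set_u16(buf, off, value):
    out = bytearray(buf)
    struct.pack_into("!H", out, off, value)
    return bytes(out)


class PptpNat:
    """Maps (server, public Call ID) -> (inside host, inside Call ID).

    The TCP/1723 connection itself is assumed to be translated by ordinary
    port-based NAT; this class only fixes up Call IDs inside it and in GRE."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.calls = {}
        self._next = 0x1000   # arbitrary base for public-side Call IDs

    def outbound_ctrl(self, inside_ip, server_ip, msg):
        """Inside -> server: give the call a Call ID unique at the public address,
        because several inside clients may well all pick the same one."""
        if ctrl_type(msg) != OUTGOING_CALL_REQUEST:
            return msg
        public_id, self._next = self._next, ((self._next + 1) & 0xFFFF) or 1
        self.calls[(server_ip, public_id)] = (inside_ip, ctrl_call_id(msg))
        return _set_u16(msg, CALL_ID_OFF, public_id)

    def inbound_ctrl(self, inside_ip, server_ip, msg):
        """Server -> inside: the reply echoes our rewritten ID as Peer's Call ID;
        restore the client's original value."""
        if ctrl_type(msg) != OUTGOING_CALL_REPLY:
            return msg
        entry = self.calls.get((server_ip, ctrl_peer_call_id(msg)))
        if entry is None or entry[0] != inside_ip:
            raise ValueError("reply for unknown call")
        return _set_u16(msg, PEER_CALL_ID_OFF, entry[1])

    def inbound_gre(self, server_ip, pkt):
        """Server -> inside: Key carries the client's Call ID as the server knows
        it (our public one).  Unknown IDs are dropped, which is what a NAT that
        does not track GRE does to every such packet."""
        entry = self.calls.get((server_ip, gre_call_id(pkt)))
        if entry is None:
            return None
        inside_ip, inside_id = entry
        return inside_ip, _set_u16(pkt, GRE_CALL_ID_OFF, inside_id)
    # Inside -> server GRE needs no Key rewrite: it carries the server's own
    # Call ID, which the server allocated and already knows.


def demo():
    """Two inside hosts, both choosing Call ID 1, tunnelling to the same server."""
    nat, server = PptpNat("203.0.113.1"), "198.51.100.7"
    req_a = nat.outbound_ctrl("10.0.0.2", server, build_ctrl(OUTGOING_CALL_REQUEST, 1))
    req_b = nat.outbound_ctrl("10.0.0.3", server, build_ctrl(OUTGOING_CALL_REQUEST, 1))
    # server answers host B using the Call ID it saw in req_b, then sends GRE keyed with it
    reply_b = nat.inbound_ctrl("10.0.0.3", server,
                               build_ctrl(OUTGOING_CALL_REPLY, 0x2001, ctrl_call_id(req_b)))
    gre = nat.inbound_gre(server, build_gre(ctrl_call_id(req_b), b"\xff\x03\xc0\x21"))
    return {
        "public_ids": (ctrl_call_id(req_a), ctrl_call_id(req_b)),
        "peer_id_restored": ctrl_peer_call_id(reply_b),
        "gre_to": gre[0] if gre else None,
        "gre_key": gre_call_id(gre[1]) if gre else None,
        "unknown_dropped": nat.inbound_gre(server, build_gre(0x7777, b"")) is None,
    }
```

Running demo() shows the two requests leaving with distinct public Call IDs (0x1000 and 0x1001), the reply to host B having its Peer's Call ID put back to 1, and the server's GRE packet keyed 0x1001 being delivered to 10.0.0.3 with the Key rewritten to 1. A NAT that only tracks TCP/UDP ports never builds the calls table, so every inbound GRE packet takes the "unknown" path and is dropped, which is the failure Brett describes.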