Security Basics mailing list archives
Re: VPN: PPTP with NAT traversal ?
From: Mark Lewis <mark () mjlnet com>
Date: Sat, 11 Dec 2004 00:18:08 GMT
> Simple question: Is it possible to bypass a NAT using PPTP? I'm using Windows 98/2000/XP clients and Linux server
> (debian, pptpd, pppd)

It depends on the *NAT box*, and its configuration (there shouldn't be a problem with the client or server).

There are two scenarios:

Scenario #1: 'Regular' 1-to-1 NAT
Scenario #2: NAPT/PAT

PPTP has a control channel connection (TCP port 1723), and a data channel using eGRE (IP prot 47). The control channel is used for PPTP tunnel/session setup/maintenance/teardown, and the data channel is used to tunnel user data packets.

NAT/NAPT/PAT boxes shouldn't have a problem with the control channel, but the data channel can cause problems. Some NAT/NAPT/PAT boxes *may* have problems translating data channel eGRE packets (because they are not UDP or TCP packets).

Cisco routers shouldn't have a problem doing 1-1 NAT for data channel (eGRE) packets, but support for NAPT/PAT for data channel packets was only added in IOS 12.1(4)T [the NAPT/PAT translation is based on the Call ID in the eGRE header].

So, it depends on the NAT box.

Hope that helps,

Mark

Author: http://www.amazon.com/exec/obidos/ASIN/1587051044
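The Call ID based translation mentioned in the post, as an added example (not part of the original message, and not Cisco's implementation): a parser for the enhanced GRE header defined in RFC 2637 and a simplified PAT table that demultiplexes inbound data-channel packets on the Call ID. The names `build_egre`, `parse_egre` and `CallIdPat` and all sample values are constructed for illustration, and the model assumes the inside clients' Call IDs do not collide.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)

def build_egre(call_id, payload=b"", seq=None, ack=None):
    """Build a constructed eGRE packet (sample input only)."""
    flags0 = 0x20 | (0x10 if seq is not None else 0)   # K always set, S if seq
    flags1 = 0x01 | (0x80 if ack is not None else 0)   # Ver=1, A if ack
    pkt = struct.pack("!BBHHH", flags0, flags1, PPTP_GRE_PROTO, len(payload), call_id)
    for num in (seq, ack):
        if num is not None:
            pkt += struct.pack("!I", num)
    return pkt + payload

def parse_egre(buf):
    """Parse the eGRE header that follows the IP header (IP protocol 47)."""
    if len(buf) < 8:
        raise ValueError("truncated eGRE header")
    flags0, flags1, proto, payload_len, call_id = struct.unpack_from("!BBHHH", buf)
    # PPTP requires the Key bit, version 1 and protocol type 0x880B.
    if not (flags0 & 0x20) or (flags1 & 0x07) != 1 or proto != PPTP_GRE_PROTO:
        raise ValueError("not a PPTP enhanced GRE packet")
    offset, fields = 8, {"call_id": call_id, "seq": None, "ack": None}
    # Sequence and acknowledgment numbers are optional 32-bit fields.
    for name, present in (("seq", flags0 & 0x10), ("ack", flags1 & 0x80)):
        if present:
            if len(buf) < offset + 4:
                raise ValueError("truncated eGRE header")
            (fields[name],) = struct.unpack_from("!I", buf, offset)
            offset += 4
    fields["payload"] = buf[offset:offset + payload_len]
    return fields

class CallIdPat:
    """Simplified PAT model: inbound eGRE is demultiplexed on (server, Call ID)."""
    def __init__(self):
        self.table = {}

    def learn(self, server_ip, client_call_id, inside_ip):
        # Assumption: a real device learns this from the TCP 1723 control channel.
        self.table[(server_ip, client_call_id)] = inside_ip

    def inbound(self, server_ip, gre_bytes):
        # GRE has no ports, so the Call ID is the only per-session key.
        return self.table.get((server_ip, parse_egre(gre_bytes)["call_id"]))
```

The Call ID in a data packet is the one the receiving peer assigned, which is why packets arriving from the server can be matched to the inside client that opened the session.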