Firewall Wizards mailing list archives

Re: PPTP Question


From: "Joseph S. D. Yao" <jsdy () cospo osis gov>
Date: Tue, 14 Apr 1998 15:03:22 -0400 (EDT)

...
Many people have stated that PPTP can't be used with NAT, that it
requires "real" network addresses because it's using PPTP.  But
further exploration reveals that the PPTP server can act as a DHCP
server, handing out IP addresses to clients when they make a permitted
connection.  To quote the latest O'Reilly book, on VPNs, from the
PPTP chapter:  "When VPN users make PPTP connections with the RAS
server, they can be assigned IP addresses by that server.  The address
can be part of the corporation's range of IP addresses..."

What this says to me is that I can make PPTP use hidden network
addresses, by having my firewall use its redirection functionality
to hand off an incoming PPTP connection to the internal server, which
assigns the appropriate private address.  The private address is still
hidden by the data encryption (if used).  I can imagine the >routing<
being a pain -- because you'd have to explicitly configure the DHCP
server to pass along a route to the corporate network in addition to
the default route to the Internet -- but what else breaks, or what
have I gotten wrong?

Disclaimer: I know little to nothing about PPTP.  But maybe that helps,
here.

I see nothing in what you have quoted that would lead one to draw the
conclusion you have drawn.  It's possible, of course, that you were
influenced by other things you read to make that conclusion.  But what
I see is that PPTP is the protocol used, directly or through a firewall
that has a PPTP proxy or redirector, to contact the RAS server and get
an IP address.  There is nothing further there to indicate that that
address can then be "hidden".

If, as with several broken protocols, the IP address is then embedded
in PPTP messages, then you cannot do address translation at the
firewall without a special proxy that modifies all packets as they go
through.  Nor can you have a single address be the endpoint for more
than one connection made to the outside.

Hope this helps.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support                                          EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
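
As an added illustration, not part of the post or the list archive: a toy Python model of a header-only many-to-one NAT that exhibits the two failures described above, a second portless tunnel from another inside host to the same outside server colliding with the first, and an inside address embedded in a protocol message surviving the header rewrite until a translating proxy fixes the payload too. All addresses, the "addr=" payload field and the class and function names are constructed for this model; "tunnel" stands for a data channel with no port field.

```python
from dataclasses import dataclass, field

PUBLIC_ADDR = "203.0.113.1"   # firewall's outside address (constructed, RFC 5737 range)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" for a port-based control channel, "tunnel" for a portless data channel
    sport: int = 0      # 0 means the protocol carries no port field
    payload: str = ""   # protocol message; may embed the sender's own address

@dataclass
class Nat:
    """Header-only many-to-one NAT: rewrites src address (and src port, where one exists)."""
    table: dict = field(default_factory=dict)
    next_port: int = 60000

    def outbound(self, pkt: Packet):
        if pkt.sport:   # port-based flow: each inside (src, sport) gets its own outside port
            key = ("port", pkt.proto, pkt.src, pkt.sport)
            if key not in self.table:
                self.next_port += 1
                self.table[key] = self.next_port
            return Packet(PUBLIC_ADDR, pkt.dst, pkt.proto, self.table[key], pkt.payload)
        # portless flow: only (proto, dst) is left to identify it on the outside
        key = ("flow", pkt.proto, pkt.dst)
        owner = self.table.setdefault(key, pkt.src)
        if owner != pkt.src:
            return None  # a second inside host to the same server cannot be told apart
        return Packet(PUBLIC_ADDR, pkt.dst, pkt.proto, 0, pkt.payload)

def leaks_inside_address(pkt: Packet, inside_prefix: str = "10.") -> bool:
    """True when the header was translated but the payload still names an inside address."""
    return pkt.src == PUBLIC_ADDR and inside_prefix in pkt.payload

def fixup_payload(pkt: Packet, inside_addr: str) -> Packet:
    """What the 'special proxy' must do on top of the NAT: rewrite the embedded
    address as well. Only handles the toy 'addr=' field of this model."""
    return Packet(pkt.src, pkt.dst, pkt.proto, pkt.sport,
                  pkt.payload.replace(inside_addr, PUBLIC_ADDR))

def demo() -> dict:
    nat, server = Nat(), "198.51.100.7"   # constructed outside VPN server address
    ctl_a = nat.outbound(Packet("10.0.0.5", server, "tcp", 40001, "addr=10.0.0.5"))
    ctl_b = nat.outbound(Packet("10.0.0.6", server, "tcp", 40002))
    tun_a = nat.outbound(Packet("10.0.0.5", server, "tunnel"))
    tun_b = nat.outbound(Packet("10.0.0.6", server, "tunnel"))
    return {
        "two_tcp_flows_ok": ctl_a is not None and ctl_b is not None and ctl_a.sport != ctl_b.sport,
        "second_tunnel_collides": tun_a is not None and tun_b is None,
        "header_nat_leaks": leaks_inside_address(ctl_a),
        "proxy_fixes_leak": not leaks_inside_address(fixup_payload(ctl_a, "10.0.0.5")),
    }
```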
