Resend due to incorrect URL...

-----Original Message-----
From: Russ
Sent: Friday, April 17, 1998 6:17 PM
To: 'Ge' Weijers'; Joseph S. D. Yao
Cc: Tina Bird; vpnat_private; firewall-wizardsat_private
Subject: RE: PPTP Question

For those of you interested in the security of PPTP, see my article "Is PPTP secure?" at http://www.ntbugtraq.com/Editorials/ispptp.asp

To Tina's original question...

PPTP can definitely handle NAT, as long as the NAT device sits between the GRE device (say an NT box with RAS on it) and the client. As long as the GRE device sees that it's sending/receiving packets to/from a known IP address (i.e. one that it established a connection with and is willing to communicate to), NAT's got nothing to do with it.

Note that this all has to do with the GRE stream and the control session (TCP 1723 or whatever it is). The encapsulated traffic doesn't even have to be IP, it could be NetBEUI or IPX, so obviously it's unaffected.

Assuming it is IP, the client is going to be assigned an IP address by the GRE device (or the RAS device within the GRE device in the case of NT) for the virtual adapter it creates to support the tunnel. It's going to need to be able to route to that address. If that address is, say, 8-bit 10.x.x.2, then it's going to form a route to 10.x.x.x via its own virtual adapter 10.x.x.2. If the client has another route for the same subnet, or some segment of that network, because, say, it's on another network that also uses NAT, then standard NAT issues apply (i.e. it ain't going to work).

The point is, the IP addresses of the remote PPTP network, the external side of the NAT device, the local physical adapter IP network of the client, all need to be different.

Cheers,
Russ Cooper
R.C. Consulting, Inc. - NT/Internet Security
Moderator of the NTBugtraq mailing list
http://www.ntbugtraq.com
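The routing conflict Russ describes at the end of his message, as an added example that is not part of the original post: a small Python check that flags overlap between the three address spaces he says must differ (remote PPTP network, external side of the NAT device, client's local physical subnet), and a longest-prefix-match route lookup showing why an overlap breaks the tunnel. The address plans are constructed for illustration, the interface names eth0 and pptp0 are arbitrary, and the /8 tunnel route is an assumption modelled on the message's "route to 10.x.x.x via its own virtual adapter 10.x.x.2".

```python
"""Check a PPTP client's address plan for the overlap described in the thread.

Constructed example, not code from the thread. It models the client's routing
table after the tunnel comes up and shows which adapter wins for a destination
on the remote PPTP network.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed address plans (hypothetical values, not taken from the message).
# Each names the three address spaces the message says must all be different.
GOOD_PLAN = {
    "remote_pptp_network": "10.0.0.0/8",      # network behind the RAS/GRE box
    "nat_external_side": "192.0.2.0/24",      # public side of the client's NAT device
    "client_local_lan": "192.168.1.0/24",     # client's physical adapter subnet
}
BAD_PLAN = {
    "remote_pptp_network": "10.0.0.0/8",
    "nat_external_side": "192.0.2.0/24",
    "client_local_lan": "10.1.0.0/16",        # overlaps the remote PPTP network
}


def overlapping_pairs(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named address spaces in the plan that overlap."""
    parsed = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in plan.items()}
    names = sorted(parsed)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if parsed[a].overlaps(parsed[b])
    ]


# A route is (prefix, outgoing interface, metric); lower metric wins a tie.
Route = Tuple[str, str, int]


def client_routes(local_lan: str, tunnel_address: str, tunnel_prefixlen: int) -> List[Route]:
    """Routing table a PPTP client ends up with once the tunnel is up.

    The tunnel route is the classful-style route the message describes (the
    assigned 10.x.x.2 address yields a route for 10.x.x.x via the virtual
    adapter); the /8 here is an assumption for the example. The default route
    stays on the physical adapter so the GRE/TCP 1723 traffic to the PPTP
    server itself can still leave through the NAT device.
    """
    tunnel_net = ipaddress.ip_network(f"{tunnel_address}/{tunnel_prefixlen}", strict=False)
    return [
        (local_lan, "eth0", 10),          # hypothetical physical adapter
        (str(tunnel_net), "pptp0", 1),    # hypothetical virtual (tunnel) adapter
        ("0.0.0.0/0", "eth0", 10),        # default route out the physical adapter
    ]


def select_interface(routes: List[Route], destination: str) -> Optional[str]:
    """Longest-prefix match with metric as tie-breaker, as a host stack would do."""
    dst = ipaddress.ip_address(destination)
    best_key = None
    best_iface = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net:
            key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    return best_iface


if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        routes = client_routes(plan["client_local_lan"], "10.1.2.2", 8)
        print(label, "overlaps:", overlapping_pairs(plan))
        # 10.1.5.5 is a host on the remote PPTP network in both plans.
        print(label, "10.1.5.5 leaves via", select_interface(routes, "10.1.5.5"))
```

With the bad plan the client's own /16 is a longer match than the /8 tunnel route, so packets for a remote host such as 10.1.5.5 go out the physical adapter and never enter the tunnel; with the good plan the same destination matches only the tunnel route and is sent via the virtual adapter.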
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:22 PDT