From owner-freebsd-questions Thu Mar 29 8:39:55 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from matrix.dynamic-cast.com (r175-5-dsl.sea.lightrealm.net [216.122.5.175]) by hub.freebsd.org (Postfix) with ESMTP id 2971137B718 for ; Thu, 29 Mar 2001 08:39:50 -0800 (PST) (envelope-from herveyw@dynamic-cast.com)
Received: from chillipepper (chillipepper.dynamic-cast.com [192.168.1.1]) by matrix.dynamic-cast.com (8.11.1/8.11.1) with SMTP id f2TGdsf44049 for ; Thu, 29 Mar 2001 08:39:57 -0800 (PST) (envelope-from herveyw@dynamic-cast.com)
Message-ID: <002f01c0b86e$e886b6f0$0101a8c0@chillipepper>
From: "Hervey Wilson"
To:
References: <95B669A7D872D41182A600508BDFFB8C01BECAE5@mlbmx7.ess.harris.com> <44n1a4h9gn.fsf@lowellg.ne.mediaone.net>
Subject: Re: NATD on a VPN account
Date: Thu, 29 Mar 2001 08:40:03 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Lowell Gilbert writes:
> rpotts@harris.com (Potts, Ross) writes:
>
> > Is it true that VPN will break the SMB connectivity from NATted boxes to
> > another LAN? Right now we are paying a fairly good sized bill for a 256k
> > slice off of a T1 that is mostly voice. Every PC has its own IP address.
> > My communications office says that if I were to host these PCs with NATD
> > over a VPN connection to the main subnet (they are considering broadband
> > on our end for cost), that there would be a breakage in the connection to
> > their NT PDC/BDCs and shares. Would a router/firewall with carefully
> > scripted rules keep us connected, in regards to SMB?
>
> Most VPN technology will not work through a NAT. If encryption is applied to
> addresses, and a router changes the addresses, then obviously it's going to
> break.
>
> You might be able to use an encrypted tunnel *within* the VPN, but the
> logical topology (and the address assignments) would get pretty complicated.
>
> I realize this explanation was very brief; ask further questions if it's
> unclear.

I certainly don't profess to know all the details here; only what I've
experienced.

I tunnel from a Win2k / WinXP machine through a FreeBSD server running natd
to my employer's VPN (i.e. MS-PPTP). Once the connection is established I can
access all shares, www, etc. on machines inside my employer's office, which
implies that I am authenticated with the PDC. I haven't tried in quite a
while, but in the past I have also managed to connect to the home machine from
the office (note: the connection is always established from home -> office).

Now, what I have seen in the past are problems accessing other local machines
at home when the PPTP connection is established: the Win box obtains a new IP
address from my employer's DHCP servers and this seems to confuse things.

For the natd server, I believe that PPTP is tunneled over GRE (protocol 47)
and IP is only used for connection establishment.

As I said, I don't know all the details, so I suggest you verify this for your
own configurations.

H.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
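What the natd box in the message above actually has to cope with, as an added example that is not part of this thread and not natd's own code: PPTP (RFC 2637) runs its control connection over TCP port 1723 and carries the PPP frames in GRE (IP protocol 47) using an "enhanced" GRE header whose Key field holds a 16-bit Call ID in place of the port a TCP/UDP NAT would key on. A NAT that only rewrites ports therefore cannot tell two tunnelled hosts apart; a PPTP-aware NAT must learn each client's Call ID from its Outgoing-Call-Request, hand out a unique public Call ID when two clients collide, and demultiplex inbound GRE on that value. The Python below (written for this page) parses those headers and keeps that minimal Call ID table. The addresses (192.168.1.x behind the NAT, 203.0.113.10 as the NAT's public side, 198.51.100.5 as the VPN server), the client port and the Call IDs are constructed samples, and the packets are built in memory rather than sent; IP and TCP checksums are left at zero for that reason.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_GRE = 47
PPTP_CTRL_PORT = 1723              # PPTP control connection, TCP (RFC 2637)
GRE_PROTO_PPP = 0x880B             # GRE protocol type for PPP inside PPTP's enhanced GRE
GRE_FLAG_KEY = 0x20                # K bit: the 4-byte Key (payload length + Call ID) is present
PPTP_MAGIC = 0x1A2B3C4D
PPTP_OUTGOING_CALL_REQUEST = 7     # control message type carrying the client's Call ID


@dataclass(frozen=True)
class FlowKey:
    proto: int
    src: str
    dst: str
    ident: int   # TCP destination port for control traffic, GRE Call ID for tunnel data


def parse_ipv4(pkt: bytes) -> Optional[Tuple[int, str, str, bytes]]:
    """Split a raw IPv4 packet into (protocol, src, dst, payload); None if malformed."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), pkt[ihl:]


def flow_key(pkt: bytes) -> Optional[FlowKey]:
    """Identify a flow the way a PPTP-aware NAT must: TCP by port, GRE by Call ID."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, payload = parsed
    if proto == IPPROTO_TCP and len(payload) >= 4:
        _sport, dport = struct.unpack("!HH", payload[:4])
        return FlowKey(proto, src, dst, dport)
    if proto == IPPROTO_GRE and len(payload) >= 8:
        flags, ver, gre_proto, _plen, call_id = struct.unpack("!BBHHH", payload[:8])
        # Plain GRE (no Key, version 0) has no per-flow identifier at all, which is
        # why a port-only NAT has nothing to map it on; PPTP's GRE v1 + Key does.
        if gre_proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or not flags & GRE_FLAG_KEY:
            return None
        return FlowKey(proto, src, dst, call_id)
    return None


def control_call_id(pkt: bytes) -> Optional[int]:
    """Return the client's Call ID from an Outgoing-Call-Request on TCP/1723, else None."""
    parsed = parse_ipv4(pkt)
    if parsed is None or parsed[0] != IPPROTO_TCP or len(parsed[3]) < 20:
        return None
    seg = parsed[3]
    _sport, dport, _seq, _ack, off = struct.unpack("!HHIIB", seg[:13])
    data = seg[(off >> 4) * 4:]
    if dport != PPTP_CTRL_PORT or len(data) < 14:
        return None
    # PPTP header: Length, Message Type (1 = control), Magic Cookie, Control Type,
    # Reserved0, then Call ID for an Outgoing-Call-Request.
    _length, msg_type, magic, ctrl_type, _res, call_id = struct.unpack("!HHIHHH", data[:14])
    if msg_type != 1 or magic != PPTP_MAGIC or ctrl_type != PPTP_OUTGOING_CALL_REQUEST:
        return None
    return call_id


class PptpNatTable:
    """Maps each private client's Call ID to a unique public Call ID so that inbound
    GRE from the VPN server can be routed back to the right host."""

    def __init__(self) -> None:
        self._public_to_private: Dict[int, Tuple[str, int]] = {}

    def learn(self, private_ip: str, private_call_id: int) -> int:
        # Keep the client's own Call ID while it is free; on a collision pick the next
        # free one (a real ALG must then also rewrite it inside the control message).
        public = private_call_id
        while public in self._public_to_private:
            public = (public + 1) & 0xFFFF
        self._public_to_private[public] = (private_ip, private_call_id)
        return public

    def demux_inbound(self, pkt: bytes) -> Optional[Tuple[str, int]]:
        key = flow_key(pkt)
        if key is None or key.proto != IPPROTO_GRE:
            return None
        return self._public_to_private.get(key.ident)


# Constructed sample packets (hypothetical addresses; checksums left zero, never sent).
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_pptp_control(src: str, dst: str, sport: int, call_id: int) -> bytes:
    body = struct.pack("!HHIHHH", 168, 1, PPTP_MAGIC, PPTP_OUTGOING_CALL_REQUEST, 0, call_id)
    body += b"\x00" * (168 - len(body))          # remaining request fields zeroed
    tcp = struct.pack("!HHIIBBHHH", sport, PPTP_CTRL_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return build_ipv4(IPPROTO_TCP, src, dst, tcp + body)


def build_pptp_gre(src: str, dst: str, call_id: int, ppp: bytes) -> bytes:
    gre = struct.pack("!BBHHH", GRE_FLAG_KEY, 1, GRE_PROTO_PPP, len(ppp), call_id)
    return build_ipv4(IPPROTO_GRE, src, dst, gre + ppp)


if __name__ == "__main__":
    nat = PptpNatTable()
    for host in ("192.168.1.1", "192.168.1.2"):     # both happen to pick Call ID 1
        req = build_pptp_control(host, "198.51.100.5", 40000, 1)
        print(host, "advertises Call ID", control_call_id(req), "-> public", nat.learn(host, 1))
    reply = build_pptp_gre("198.51.100.5", "203.0.113.10", 2, b"\xff\x03\xc0\x21")
    print("inbound GRE with Call ID 2 belongs to", nat.demux_inbound(reply))
```

Run it and the second host's Call ID is renumbered to 2 on the public side, so the server's GRE packets for Call ID 2 are delivered to 192.168.1.2 rather than to whichever host came first; a plain GRE packet without the Key field yields no flow key at all, which is the case a port-rewriting NAT silently mishandles.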