From: Jon Newson
To: 'Brett Glass', net@freebsd.org
Date: Fri, 18 Jul 2003 15:09:16 +1000
Subject: RE: NAT and PPTP
List-Id: Networking and TCP/IP with FreeBSD

A couple of thoughts:

Is your client employing ipsec/isakmp? If so, has your client ensured that the setkey -P entries have been pushed into the kernel?

Correct me if I'm wrong, but from (a foggy) memory, GRE in a tunnel mode such as this employs the gif device. Is the routing/firewalling allowing for this?

cheers,
-jn

-----Original Message-----
From: Brett Glass [mailto:brett@lariat.org]
Sent: Friday, July 18, 2003 5:36 AM
To: net@freebsd.org
Subject: NAT and PPTP

FreeBSD makes a very good NAT router... for most applications. But a client of mine is having terrible trouble with it when trying to use NAT with one particular protocol: PPTP. Here's what's going on.

A client has a FreeBSD box that's serving as a NAT router. He has one public IP, and lots of PCs behind the router on unregistered IPs. This works fine when they're doing browsing, etc., but fails horribly when users try to use PPTP to tunnel out into another LAN across the Internet.

The problem appears to be that PPTP -- while it uses TCP for its control connection -- uses GRE to encapsulate an encrypted PPP session between the client and the server. GRE, like TCP and UDP, is in the IP protocol family and uses IP addressing. However, it doesn't use "ports," as IP and UDP do; instead, it has a different mechanism for identifying packets that belong to different sessions or connections, and the header fields that must be inspected vary depending upon the encapsulated protocol. FreeBSD's natd doesn't understand that mechanism, so it doesn't know how to route GRE packets from the outside world back to the correct client on the private LAN.

Some NAT routers (including the DI-604 from D-Link; see http://www.dlink.com/products/?pid=62) are able to route PPTP's GRE packets correctly when multiple clients on the private LAN want to tunnel out, so it's obviously possible.

Who is the current maintainer of FreeBSD's NAT code (including natd and the NAT libraries)? How difficult would it be to add PPTP support to them?

--Brett Glass
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
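The "different mechanism" Brett describes is the Call ID in PPTP's enhanced GRE header (RFC 2637): each packet carries the Call ID of the peer that should receive it, and since every client behind the NAT picks its own Call IDs, two clients can collide. A PPTP-aware NAT therefore allocates its own Call ID per call when it sees the Outgoing-Call-Request on the TCP/1723 control channel, presents that to the server, and uses it to demultiplex inbound GRE the way ports are used for TCP/UDP. The following is an added example written for this thread; it is not natd or libalias code. The function names, the table size, the 0x4000 Call ID range and the addresses in the scenario are all assumptions; only the GRE header layout and the 0x880B protocol type come from RFC 2637.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define PPTP_GRE_PROTO   0x880B   /* RFC 2637: protocol type for enhanced GRE */
#define GRE_FLAG_K       0x2000   /* Key present: Payload Length + Call ID */
#define GRE_VER_MASK     0x0007   /* enhanced GRE uses version 1 */
#define MAX_CALLS        8        /* assumption: toy table size */

/* Fixed part of the RFC 2637 enhanced GRE header, network byte order. */
struct pptp_gre_hdr {
    uint16_t flags_ver;
    uint16_t proto;
    uint16_t payload_len;
    uint16_t call_id;      /* Call ID of the peer that should RECEIVE this packet */
};

/* One PPTP call crossing the NAT. Call IDs are only unique per client, so the
 * NAT substitutes its own (pub_call_id) towards the server. */
struct pptp_nat_entry {
    int      in_use;
    uint32_t priv_ip;        /* private client address, host byte order */
    uint32_t server_ip;      /* PPTP server address, host byte order */
    uint16_t priv_call_id;   /* Call ID the client chose */
    uint16_t pub_call_id;    /* Call ID the NAT presents to the server */
};

static struct pptp_nat_entry nat_table[MAX_CALLS];
static uint16_t next_pub_call_id = 0x4000;  /* assumption: any unused range works */

/* Called when an Outgoing-Call-Request passes outbound on the TCP/1723 control
 * channel. Allocates a NAT-unique Call ID and returns it; the caller rewrites
 * the message's Call ID field with the result. Returns 0 when the table is full. */
uint16_t pptp_nat_register_call(uint32_t priv_ip, uint16_t priv_call_id,
                                uint32_t server_ip)
{
    for (int i = 0; i < MAX_CALLS; i++) {
        if (nat_table[i].in_use)
            continue;
        nat_table[i].in_use = 1;
        nat_table[i].priv_ip = priv_ip;
        nat_table[i].server_ip = server_ip;
        nat_table[i].priv_call_id = priv_call_id;
        nat_table[i].pub_call_id = next_pub_call_id++;
        return nat_table[i].pub_call_id;
    }
    return 0;
}

/* Inbound GRE (server -> NAT). The Call ID in the packet is the one the NAT
 * handed out, so it is the demultiplexing key that ports provide for TCP/UDP.
 * On success the Call ID is rewritten back to the client's original value,
 * *priv_ip receives the client address and 1 is returned; 0 means "drop". */
int pptp_nat_inbound_gre(uint8_t *pkt, size_t len, uint32_t server_ip,
                         uint32_t *priv_ip)
{
    struct pptp_gre_hdr h;
    if (len < sizeof h)
        return 0;
    memcpy(&h, pkt, sizeof h);                       /* avoid unaligned access */
    uint16_t fv = ntohs(h.flags_ver);
    if ((fv & GRE_VER_MASK) != 1 || !(fv & GRE_FLAG_K) ||
        ntohs(h.proto) != PPTP_GRE_PROTO)
        return 0;                                    /* not PPTP enhanced GRE */
    uint16_t cid = ntohs(h.call_id);
    for (int i = 0; i < MAX_CALLS; i++) {
        if (nat_table[i].in_use && nat_table[i].server_ip == server_ip &&
            nat_table[i].pub_call_id == cid) {
            h.call_id = htons(nat_table[i].priv_call_id);
            memcpy(pkt + offsetof(struct pptp_gre_hdr, call_id), &h.call_id, 2);
            *priv_ip = nat_table[i].priv_ip;
            return 1;
        }
    }
    return 0;                                        /* unknown call: drop */
}

int main(void)
{
    /* Constructed scenario: clients 10.0.0.2 and 10.0.0.3 both pick Call ID 1
     * towards the same server 192.0.2.1 (addresses are assumptions). */
    uint32_t srv = 0xC0000201;
    uint16_t a = pptp_nat_register_call(0x0A000002, 1, srv);
    uint16_t b = pptp_nat_register_call(0x0A000003, 1, srv);
    /* Constructed GRE packet from the server for the second client:
     * K=1, S=1, ver=1, proto 0x880B, payload length 4, Call ID b, seq 1. */
    uint8_t pkt[12] = { 0x30, 0x01, 0x88, 0x0B, 0x00, 0x04, 0, 0, 0, 0, 0, 1 };
    pkt[6] = (uint8_t)(b >> 8);
    pkt[7] = (uint8_t)(b & 0xFF);
    uint32_t dst = 0;
    int ok = pptp_nat_inbound_gre(pkt, sizeof pkt, srv, &dst);
    printf("public call ids: %#x %#x\n", a, b);
    printf("inbound GRE -> %s client 0x%08x, call id restored to %u\n",
           ok ? "deliver to" : "drop,", dst, (unsigned)((pkt[6] << 8) | pkt[7]));
    return 0;
}
```

This only shows the inbound half, which is the direction that breaks for Brett's client. A usable implementation also has to rewrite the Call ID in the Outgoing-Call-Request and the Peer's Call ID in the Outgoing-Call-Reply on the control channel, learn the server's Call ID from that reply so outbound GRE can be matched the same way, and drop the table entry on Call-Clear-Request/Call-Disconnect-Notify or when the TCP/1723 session closes, otherwise a stale entry keeps steering GRE to a client that is gone.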