Date: Sat, 22 Jan 2000 09:20:27 -0800 (PST)
From: John Polstra <jdp@polstra.com>
To: mandrews@bit0.com
Cc: stable@freebsd.org
Subject: Re: natd pptpalias question
Message-ID: <200001221720.JAA16383@vashon.polstra.com>
In-Reply-To: <Pine.BSF.4.21.0001211534060.35137-100000@mindcrime.bit0.com>
References: <Pine.BSF.4.21.0001211534060.35137-100000@mindcrime.bit0.com>
In article <Pine.BSF.4.21.0001211534060.35137-100000@mindcrime.bit0.com>,
Mike Andrews <mandrews@bit0.com> wrote:

> I've got a customer who has a FreeBSD 3.3-STABLE box doing NAT for
> his internal LAN. He's trying to make outgoing PPTP connections
> from PC's inside this internal LAN headed for servers across the
> Internet. Right now I've got a -pptpalias flag on natd to allow
> this for just one of his internal PC's, but can't find a way to let
> all of his PC's make connections to various outside VPN servers.

Even ignoring the -pptpalias question, you'll probably have a hard time getting this to work. PPTP clients behind NAT are problematic in general. Here's why.

A PPTP connection consists of two channels, a TCP connection (called the "control connection") and a GRE tunnel. The specification allows only one control connection (and one tunnel) between a given client and a given server. Since your clients are behind NAT, their outgoing connections will all appear to come from the same IP address, that of the NAT box's external interface. So if two clients try to connect to the same server, there will be two control connections between the same pairs of IP addresses, violating the standard.

I have heard that "some servers" allow multiple control connections from the same IP address, but I don't know whether that's true or which servers it applies to.

Depending on the flexibility of your NAT software, and if you have a whole block of public IP addresses, you may be able to set it up so that each outbound connection appears to come from a distinct IP address. But then you are still faced with the -pptpalias problem.

John
--
John Polstra                                               jdp@polstra.com
John D. Polstra & Co., Inc.                        Seattle, Washington USA
"Disappointment is a good sign of basic intelligence."  -- Chögyam Trungpa

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
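The collision described in the message above, modelled as an added example (this is not code from the thread, from natd, or from FreeBSD). It simulates a source NAT that rewrites outbound PPTP control connections (TCP port 1723) and a server that, as the specification requires, accepts only one control connection per peer address. With a single external address the second internal client is refused; with a block of public addresses mapped one per client, both succeed. The IP addresses are constructed documentation-range values, and the GRE/-pptpalias side of the problem is deliberately not modelled.

```python
"""Why PPTP clients behind one NAT address collide at the server.

Added illustration, not code from the mailing-list thread. All addresses
are constructed from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, List

PPTP_CONTROL_PORT = 1723  # TCP port of the PPTP control connection (RFC 2637)


@dataclass(frozen=True)
class TcpFlow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Minimal outbound NAT: rewrites source IP (and port) of TCP flows.

    per_client=False: every client is hidden behind public_ips[0] (the usual
    single-address natd setup). per_client=True: each internal host is given
    its own address from the pool, as the message suggests for a /block.
    """

    def __init__(self, public_ips: List[str], per_client: bool = False):
        self.public_ips = public_ips
        self.per_client = per_client
        self.next_port = 40000
        self.client_map: Dict[str, str] = {}
        self.table: Dict[TcpFlow, TcpFlow] = {}  # external flow -> internal flow

    def _public_ip_for(self, internal_ip: str) -> str:
        if not self.per_client:
            return self.public_ips[0]
        if internal_ip not in self.client_map:
            if len(self.client_map) >= len(self.public_ips):
                raise RuntimeError("public address pool exhausted")
            self.client_map[internal_ip] = self.public_ips[len(self.client_map)]
        return self.client_map[internal_ip]

    def translate(self, flow: TcpFlow) -> TcpFlow:
        external = TcpFlow(self._public_ip_for(flow.src_ip), self.next_port,
                           flow.dst_ip, flow.dst_port)
        self.next_port += 1
        self.table[external] = flow
        return external


class StrictPptpServer:
    """Server that follows the spec literally: one control connection per peer IP."""

    def __init__(self, ip: str):
        self.ip = ip
        self.control_peers: set = set()

    def accept(self, flow: TcpFlow) -> bool:
        if flow.dst_ip != self.ip or flow.dst_port != PPTP_CONTROL_PORT:
            return False
        if flow.src_ip in self.control_peers:
            return False  # second control connection from the same address
        self.control_peers.add(flow.src_ip)
        return True


def simulate(clients: List[str], public_ips: List[str], per_client: bool) -> Dict[str, bool]:
    """Each internal client opens one PPTP control connection to the same server.

    Returns {internal_ip: accepted?} as seen from the server.
    """
    nat = SourceNat(public_ips, per_client)
    server = StrictPptpServer("203.0.113.10")  # constructed VPN server address
    results: Dict[str, bool] = {}
    for i, client in enumerate(clients):
        inside = TcpFlow(client, 1024 + i, server.ip, PPTP_CONTROL_PORT)
        outside = nat.translate(inside)
        results[client] = server.accept(outside)
    return results


if __name__ == "__main__":
    lan = ["192.168.1.10", "192.168.1.11"]  # constructed internal clients
    print("one external address:", simulate(lan, ["198.51.100.1"], per_client=False))
    print("one address per client:", simulate(lan, ["198.51.100.1", "198.51.100.2"], per_client=True))
```

Even in the second scenario the server only sees distinct addresses because the NAT was told to dedicate one public address per internal host; as the message notes, the GRE tunnel still has to be translated separately, which is the part natd's -pptpalias flag handles for a single host.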