From owner-freebsd-stable Sat Jan 22 9:20:38 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from wall.polstra.com (rtrwan160.accessone.com [206.213.115.74]) by hub.freebsd.org (Postfix) with ESMTP id BE4CC156CA for ; Sat, 22 Jan 2000 09:20:28 -0800 (PST) (envelope-from jdp@polstra.com)
Received: from vashon.polstra.com (vashon.polstra.com [206.213.73.13]) by wall.polstra.com (8.9.3/8.9.3) with ESMTP id JAA00967; Sat, 22 Jan 2000 09:20:27 -0800 (PST) (envelope-from jdp@polstra.com)
From: John Polstra
Received: (from jdp@localhost) by vashon.polstra.com (8.9.3/8.9.1) id JAA16383; Sat, 22 Jan 2000 09:20:27 -0800 (PST) (envelope-from jdp@polstra.com)
Date: Sat, 22 Jan 2000 09:20:27 -0800 (PST)
Message-Id: <200001221720.JAA16383@vashon.polstra.com>
To: mandrews@bit0.com
Subject: Re: natd pptpalias question
In-Reply-To:
References:
Organization: Polstra & Co., Seattle, WA
Cc: stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In article , Mike Andrews wrote:

> I've got a customer who has a FreeBSD 3.3-STABLE box doing NAT for
> his internal LAN. He's trying to make outgoing PPTP connections
> from PC's inside this internal LAN headed for servers across the
> Internet. Right now I've got a -pptpalias flag on natd to allow
> this for just one of his internal PC's, but can't find a way to let
> all of his PC's make connections to various outside VPN servers.

Even ignoring the -pptpalias question, you'll probably have a hard time getting this to work. PPTP clients behind NAT are problematic in general. Here's why.

A PPTP connection consists of two channels, a TCP connection (called the "control connection") and a GRE tunnel. The specification allows only one control connection (and one tunnel) between a given client and a given server. Since your clients are behind NAT, their outgoing connections will all appear to come from the same IP address, that of the NAT box's external interface.
So if two clients try to connect to the same server, there will be two control connections between the same pair of IP addresses, violating the standard. I have heard that "some servers" allow multiple control connections from the same IP address, but I don't know whether that's true or which servers it applies to.

Depending on the flexibility of your NAT software, and if you have a whole block of public IP addresses, you may be able to set it up so that each outbound connection appears to come from a distinct IP address. But then you are still faced with the -pptpalias problem.

John
--
John Polstra jdp@polstra.com
John D. Polstra & Co., Inc. Seattle, Washington USA
"Disappointment is a good sign of basic intelligence." -- Chögyam Trungpa

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
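The collision John describes, as an added example that is not part of the original mail: a small Python model of a NAT box that enforces the PPTP rule he cites (at most one control connection between a given client/server address pair) and shows why a single external address fails for two internal clients reaching the same server, while a pool of public addresses lets each session appear to come from a distinct one. The class, method names and sample addresses (RFC 5737 documentation ranges) are constructed for the illustration; TCP port 1723 is PPTP's standard control port.

```python
"""Toy model of PPTP control connections through NAT (constructed example)."""
from dataclasses import dataclass, field
from itertools import cycle

PPTP_CONTROL_PORT = 1723  # TCP port of the PPTP control connection


@dataclass
class PptpNat:
    """NAT box with one or more public addresses it may translate to."""
    public_ips: list
    # (public_ip, server_ip) pairs that already carry a control connection;
    # the PPTP spec allows only one such connection per address pair.
    control_pairs: dict = field(default_factory=dict)
    _pool: cycle = field(init=False)

    def __post_init__(self):
        self._pool = cycle(self.public_ips)

    def open_control(self, client_ip: str, server_ip: str) -> str:
        """Translate a new control connection from client_ip to server_ip.

        Returns the public address the server will see it coming from.
        Raises RuntimeError when every public address already has a control
        connection to that server, which is the collision that occurs with
        a single external interface and two internal PPTP clients.
        """
        for _ in self.public_ips:
            pub = next(self._pool)
            key = (pub, server_ip)
            if key not in self.control_pairs:
                self.control_pairs[key] = client_ip
                return pub
        raise RuntimeError(
            f"no free public IP for another PPTP session to "
            f"{server_ip}:{PPTP_CONTROL_PORT}"
        )

    def sessions_to(self, server_ip: str) -> int:
        """Number of translated control connections toward server_ip."""
        return sum(1 for (_, srv) in self.control_pairs if srv == server_ip)
```

With `PptpNat(["203.0.113.1"])` the second client to the same server raises; with two public addresses both clients succeed on distinct addresses, which is the address-block workaround the mail mentions (the -pptpalias handling of the GRE tunnel itself is a separate problem the model does not cover).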