Home page logo

basics logo Security Basics mailing list archives

Re: VPN: PPTP with NAT traversal ?
From: Mark Lewis <mark () mjlnet com>
Date: Sat, 11 Dec 2004 00:18:08 GMT

Simple question: Is it possible to bypass a NAT using PPTP?

I'm using Windows 98/2000/XP clients and Linux server
(debian, pptpd, pppd)

It depends on the *NAT box*, and it's configuration (there
shouldn’t be a problem with the client or server). There are
two scenarios:

Scenario #1: 'Regular' 1-to-1 NAT

Scenario #2: NAPT/PAT

PPTP has a control channel connection (TCP port 1723), and a
data channel using eGRE (IP prot 47). The control channel is
used for PPTP tunnel/session setup/maintenance/teardown, and
the data channel is used to tunnel user data packets.

NAT/NAPT/PAT boxes shouldn't have a problem with the control
channel, but the data channel can cause problems.

Some NAT/NAPT/PAT boxes *may* have problems translating data
channel eGRE packets (because they are not UDP or TCP packets).

Cisco routers shouldn't have a problem doing 1-1 NAT for data
channel (eGRE) packets, but support for NAPT/PAT for data
channel packets was only added in IOS 12.1(4)T [the NAPT/PAT
translation is based on the Call ID in the eGRE header].

So, it depends on the NAT box.

Hope that helps,


Author: http://www.amazon.com/exec/obidos/ASIN/1587051044

  By Date           By Thread  

Current thread:
  • Re: VPN: PPTP with NAT traversal ? Mark Lewis (Dec 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]