[ale] Poptop

Tue Mar 14 09:00:50 EST 2006

On Tue, 2006-03-14 at 08:28 -0500, Geoffrey wrote:
> Christopher Fowler wrote:
> > On Mon, 2006-03-13 at 19:44 -0500, Tony Carter wrote:
> >>> will need client software.  I know CISCO makes a nice 
> >>> package, but I don't know if it works with Linux.  
> >> Yup, it works like a charm.. The Mac client even works well.
> >>
> > 
> > But you still have to have a public IP on the VPN server right?
> 
> I didn't want to jump into this fray as I don't recall all the 
> specifics, but....

> Back when I was with AT&T I had a successful solution for pptp from a 
> nat'ed machine at my home to a nat'ed machine on the AT&T network.

> So, I know it can be done, I just don't recall all the specifics.  I do 
> have some old scripts I believe assisted in this process and I'll share 
> the PPTP specifics here.  I've not researched this, so I don't know that 
> these are the working scripts, but I saved them for a reason. :)

> # PPTP for vpn

> VPN_SVR=XXX.XXX.XXX.XXX

> $IPCHAINS -A forward -j MASQ   -p tcp -s 172.16.10.215/32 \
>      -d $VPN_SVR/32 1723 -i ppp0
> $IPCHAINS -A output  -j ACCEPT -p tcp -s $IPADDR/24 \
>      -d $VPN_SVR/32 1723 -i ppp0
> $IPCHAINS -A input   -j ACCEPT -p tcp -s $VPN_SVR/32 1723 \
>      -d $IPADDR/24  -i ppp0
> $IPCHAINS -A forward -j MASQ   -p 47  -s 172.16.10.215/32      \
>      -d $VPN_SVR/32      -i ppp0
> $IPCHAINS -A output  -j ACCEPT -p 47  -s $IPADDR/24 \
>      -d $VPN_SVR/32      -i ppp0
> $IPCHAINS -A input   -j ACCEPT -p 47  -s $VPN_SVR/32     \
>      -d $IPADDR/24  -i ppp0

	Based on your chains above, I would have to guess that $VPN_SVR was the
global address on which you could contact that PPTP server.  It might
have been relayed, passed through, or SNAT'ed to another server on a
private address but that address had to be public.

> I also recall that I had some modules that had to be loaded as well, but 
> don't recall the specifics of them either. (gre??)

	Yes, the older (W2K) PPTP used GRE (Generic Routing Encapsulation)
tunnels for its transport.

> Note the references above to the 172.16.10.* network was my internal 
> nat'ed subnet.

	How was the other end "nat'ed"?  Did you set that up or did someone
else?  How does the "nat'ed machine" at the other end come into play
here?  Was he a VPN endpoint or were you merely able to reach him, once
the VPN was up (VPN server on a global unicast address).

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: This is a digitally signed message part