PPTP VPN pass-thru



Chris Ridd <chrisridd@xxxxxxx> wrote:

On 2007-05-03 11:21:46 +0100, Mentally Sub-Normal
<sarah.j.balfour@xxxxxxxxx> said:

P.S. Sorry if the above seems a little terse, but the modem half of
my DG834G died three days ago and the replacement (a Belkin N1) - or
what I thought was the replacement - turned out to be the router
without the bloody modem!

We have one of those here. Annoyingly, it doesn't support PPTP VPN
connection pass-thru :-( Bah.

Hmmm, I thought PPTP differed from the other VPN protocols in that it
didn't encrypt or integrity-check the TCP/UDP headers themselves, so NAT
could handle it without explicit VPN pass-thru support. IPsec encrypts
and integrity checks everything above the IP layer, so the TCP/UDP port
numbers normally modified by NAT cannot be modified. My understanding is
that VPN pass-thru support is merely where the NAT device recognises
that certain IP subprotocols should not be port-translated because doing
so would break the protocol. I didn't think PPTP required this
protection.

I also believe that with IPsec no two local hosts inside a NAT can be
VPNed through to the same remote endpoint because the connections cannot
be distinguished by the NAT table (and that's regardless of VPN
pass-thru support). But again I thought PPTP didn't have this problem
because the port numbers could be translated without breaking the
protocol.

You might conclude from these two issues that PPTP is a better VPN
protocol, but bear in mind that PPTP is a Microsoft designed protocol
which is now known to be vulnerable to a man-in-the-middle attack. (This
is something I don't find surprising given Microsoft's close ties with
the NSA.)

Of course, all this VPN pass-thru stuff is complicated, so I could be
entirely mistaken about PPTP's immunity from NAT, and I would be
grateful for an explanation if someone has greater knowledge.

--
James Taylor
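
An added example, not part of the original post: a simplified Python model of the NAT-table reasoning above, showing that two inside hosts reaching the same remote endpoint stay distinguishable when the NAT can rewrite a port, and do not when the protocol (ESP) exposes none. It also models GRE (IP protocol 47), which RFC 2637 specifies as PPTP's data channel alongside the TCP port 1723 control connection; the class and function names, the addresses, and the Call ID rewriting done by the pass-thru option are assumptions of this model.

```python
# Added example: simplified model of a port-translating NAT (NAPT).
# All addresses, ports and Call IDs below are constructed sample values.
TCP, UDP, GRE, ESP = 6, 17, 47, 50       # IANA IP protocol numbers
HAS_PORTS = {TCP, UDP}

class Napt:
    def __init__(self, pptp_passthru=False, first_id=40000):
        self.pptp_passthru = pptp_passthru
        self.next_id = first_id
        self.table = {}                  # reply key -> inside (host, original id)

    def outbound(self, proto, inside_host, remote, ident=None):
        """Record an outgoing flow. Returns the key that replies will match,
        or None when another inside host already owns that key."""
        rewritable = proto in HAS_PORTS or (proto == GRE and self.pptp_passthru)
        if rewritable:
            # Source port (or, with pass-thru, the PPTP Call ID) is rewritten
            # to a value unique on the public side.
            key = (proto, remote, self.next_id)
            self.next_id += 1
        else:
            # No field the NAT can see or rewrite: only protocol + remote IP.
            key = (proto, remote, None)
            owner = self.table.get(key)
            if owner is not None and owner[0] != inside_host:
                return None
        self.table[key] = (inside_host, ident)
        return key

    def reply_to(self, key):
        """Inside (host, id) that a reply matching `key` is delivered to."""
        return self.table.get(key)

def two_hosts_one_server(proto, pptp_passthru=False):
    """Hosts A and B each open a flow of `proto` to the same remote server.
    Returns the inside host each flow's replies reach (None = flow refused)."""
    nat = Napt(pptp_passthru)
    remote = "198.51.100.7"
    out = []
    for host in ("192.168.0.10", "192.168.0.11"):
        key = nat.outbound(proto, host, remote, ident=1050)
        out.append(nat.reply_to(key)[0] if key else None)
    return out

if __name__ == "__main__":
    print("TCP 1723 (PPTP control):", two_hosts_one_server(TCP))
    print("ESP (IPsec):            ", two_hosts_one_server(ESP))
    print("GRE, no pass-thru:      ", two_hosts_one_server(GRE))
    print("GRE, Call ID tracked:   ", two_hosts_one_server(GRE, True))
```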