On Sat, 22 Sep 2018 17:07:59 +0200 Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
> PPTP does require specific NAT support for the GRE protocol.
> Use case: two clients of the same PPTP server share the same public
> IP address. It doesn't work, see below.

And yes, I do know, it was a common question on the MS Small Business Server Usenet group. The second person to make the attempt could not make contact until about two minutes after the first had disconnected.

> The server sends a GRE packet to the public IP address. How does the
> NAT device know which client the packet must be forwarded to?

Because NAT requires the maintenance of a table of connections, with source and destination IP addresses, which is exactly what is required by both stateful firewalling and connection tracking. In this case, for the first GRE packet, it is connection tracking which uses the table data to route the packet to the machine with an existing TCP/1723 connection from the same source address.

What you can't do with PPTP is make multiple connections between the same two NAT machines, for this same reason, because GRE doesn't have the means for being tied to one particular TCP/1723 path. It doesn't carry the same meta information as does the TCP protocol. It is here that IPSec is used, almost always between the network default gateways, to avoid messy routing updates to workstations.

FTP doesn't have this problem, because its two paths are both TCP, and can be uniquely paired by connection tracking.

There is provision in the PPTP protocol for multiple GRE connections to be handled by one TCP/1723 control channel, but I'm not aware that this has ever been implemented. That would still be a server-to-server protocol, not a multiple-workstation-to-server one.

-- 
Joe
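The behaviour Joe describes (the first inbound GRE packet is tied to whichever internal host holds the TCP/1723 control connection, and a second client behind the same NAT gets nothing until the first disconnects) can be modelled with a small connection-tracking table. The code below is an added illustration written for this page, not code from either poster or from any real NAT implementation; all IP addresses, call IDs and the `NatGateway` class are constructed for the example. It also shows, for contrast, the approach a PPTP-aware conntrack helper takes (parsing call IDs out of the TCP/1723 control channel and using the GRE key to demultiplex, which is what Linux's `nf_conntrack_pptp` / `nf_nat_pptp` modules do); that part is a simplified model, not the modules' actual logic.

```python
"""Toy model of NAT connection tracking for PPTP (TCP/1723 control channel + GRE data).

Constructed for illustration only: table layouts, addresses and call IDs are
assumptions made for this example, not the format of any real NAT device.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PPTP_CTRL_PORT = 1723


@dataclass
class NatGateway:
    """Minimal stateful NAT: tracks outbound TCP flows and decides where inbound GRE goes."""
    public_ip: str
    with_pptp_helper: bool = False
    # Tracked outbound TCP flows as (internal_ip, server_ip, dport).
    tcp_flows: Set[Tuple[str, str, int]] = field(default_factory=set)
    # Without a helper: server_ip -> internal_ip, fixed by the first inbound GRE packet.
    gre_pins: Dict[str, str] = field(default_factory=dict)
    # With a helper: (server_ip, call_id) -> internal_ip, learned from the control channel.
    call_map: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def outbound_tcp(self, internal_ip: str, server_ip: str, dport: int) -> None:
        """Record a new outbound TCP connection from an internal host."""
        self.tcp_flows.add((internal_ip, server_ip, dport))

    def close_tcp(self, internal_ip: str, server_ip: str, dport: int) -> None:
        """Forget a TCP flow; a closed control channel also releases its GRE state."""
        self.tcp_flows.discard((internal_ip, server_ip, dport))
        if dport == PPTP_CTRL_PORT:
            if self.gre_pins.get(server_ip) == internal_ip:
                del self.gre_pins[server_ip]
            self.call_map = {k: v for k, v in self.call_map.items()
                             if not (k[0] == server_ip and v == internal_ip)}

    def learn_call(self, internal_ip: str, server_ip: str, call_id: int) -> None:
        """Helper mode: a call ID seen on the client's TCP/1723 channel is bound to that client."""
        if not self.with_pptp_helper:
            return  # a plain NAT never looks inside the control channel
        if (internal_ip, server_ip, PPTP_CTRL_PORT) not in self.tcp_flows:
            raise ValueError("no PPTP control channel for this client")
        self.call_map[(server_ip, call_id)] = internal_ip

    def control_clients(self, server_ip: str) -> List[str]:
        """Internal hosts that currently hold a TCP/1723 connection to server_ip."""
        return sorted(i for (i, s, p) in self.tcp_flows
                      if s == server_ip and p == PPTP_CTRL_PORT)

    def inbound_gre(self, server_ip: str, call_id: Optional[int] = None) -> Optional[str]:
        """Return the internal host an inbound GRE packet is forwarded to, or None if dropped."""
        if self.with_pptp_helper:
            # The GRE key (call ID) is the only per-client information GRE carries.
            return self.call_map.get((server_ip, call_id))
        if server_ip in self.gre_pins:
            return self.gre_pins[server_ip]        # everything from this server goes to the pinned host
        clients = self.control_clients(server_ip)
        if len(clients) == 1:
            self.gre_pins[server_ip] = clients[0]  # first GRE packet fixes the mapping
            return clients[0]
        return None  # no control channel, or ambiguous: nothing in GRE ties it to one TCP/1723 path


def two_clients_without_helper() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Two internal hosts dial the same PPTP server through a NAT with no PPTP helper."""
    nat = NatGateway("203.0.113.1")            # constructed public address
    server, a, b = "198.51.100.10", "192.168.1.10", "192.168.1.11"  # constructed
    nat.outbound_tcp(a, server, PPTP_CTRL_PORT)
    first = nat.inbound_gre(server)            # only one candidate: pinned to a
    nat.outbound_tcp(b, server, PPTP_CTRL_PORT)
    second = nat.inbound_gre(server)           # still a: b's GRE data never arrives
    nat.close_tcp(a, server, PPTP_CTRL_PORT)
    third = nat.inbound_gre(server)            # a has gone; b now gets the GRE traffic
    return first, second, third


def two_clients_with_helper() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Same scenario with a helper that learned each client's call ID from TCP/1723."""
    nat = NatGateway("203.0.113.1", with_pptp_helper=True)
    server, a, b = "198.51.100.10", "192.168.1.10", "192.168.1.11"  # constructed
    nat.outbound_tcp(a, server, PPTP_CTRL_PORT)
    nat.learn_call(a, server, 7)               # constructed call IDs
    nat.outbound_tcp(b, server, PPTP_CTRL_PORT)
    nat.learn_call(b, server, 9)
    return (nat.inbound_gre(server, call_id=7),
            nat.inbound_gre(server, call_id=9),
            nat.inbound_gre(server, call_id=99))  # unknown call ID: dropped


if __name__ == "__main__":
    print("no helper:", two_clients_without_helper())
    print("with helper:", two_clients_with_helper())
```

The first scenario reproduces the Usenet complaint: the second client's control channel is fine, but its GRE data is delivered to the first client (or dropped) until the first client's TCP/1723 session is torn down. The second scenario shows why the fix has to live in the NAT device rather than in the clients: only something that reads the control channel can learn the mapping that GRE itself does not carry.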