On Sun, 23 May 2004, Gianluca Bosco wrote:
> I have enabled the PPTP server on m0n0 1.0, and I'm experiencing a problem
> connecting from XP VPN clients behind a NAT/firewall over which I have no
> control.
>
> Specifically, from the VPN clients I'm able to establish a first connection,
> but when it comes to the authentication (user/password), XP reports a 619
> error, stating that " ... the port was disconnected ...".
>
> My feeling is that while the VPN clients can open a connection on 1723 to
> the m0n0 PPTP server, they cannot accept a second connection coming from the
> PPTP server itself, since the firewall is blocking it (GRE?).
>
> Is there any workaround for this problem?

The short answer is no. PPTP is one of the most NAT-unfriendly protocols
ever invented. I suspect some guys at Microsoft lay awake nights trying
to figure out how to outdo the NAT unfriendliness of active-mode FTP, and
they succeeded. :-)

*If* you have control of the NAT router, then the particular case where
you want *one* LAN client to work and don't care about incoming PPTP, then
it can be made to work via NAT redirection. Otherwise, forget it.

The only complete solution would be a smart PPTP proxy on the router.

Fred Wright