 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] [pptp] problem connecting from XP clients behind firewall/NAT
 Date:  Sun, 23 May 2004 19:57:30 -0700 (PDT)
On Sun, 23 May 2004, Gianluca Bosco wrote:

> I have enabled the PPTP server on m0n0 1.0, and I'm experiencing a problem
> connecting from XP VPN clients behind a NAT/firewall over which I have no
> control.
> Specifically, from the VPN clients I'm able to establish a first connection,
> but when it comes to the authentication (user/password), XP reports a 619
> error, stating that " ... the port was disconnected ...".
> My feeling is that while the vpn clients can open a connection on 1723 to
> the m0n0 PPTP server, they cannot accept a second connection coming from the
> PPTP server itself, since the firewall is blocking it (GRE?).
> Is there any workaround for this problem?

The short answer is no.  PPTP is one of the most NAT-unfriendly protocols
ever invented.  I suspect some guys at Microsoft lay awake nights trying
to figure out how to outdo the NAT unfriendliness of active-mode FTP, and
they succeeded. :-)

*If* you have control of the NAT router, then in the particular case where
you want *one* LAN client to work and don't care about incoming PPTP, it
can be made to work via NAT redirection.  Otherwise, forget it.

The only complete solution would be a smart PPTP proxy on the router.

					Fred Wright
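To make the mechanics concrete, here is an added toy model (my own illustration, not code from m0n0wall or from anyone in the thread) of why the inbound GRE leg of PPTP fails through a plain NAT, works for exactly one LAN host with a static GRE redirect, and needs a PPTP-aware helper to serve several hosts. Addresses, ports and call IDs are constructed sample values; the helper assumes clients pick distinct call IDs (a real one would also rewrite collisions).

```python
# Toy NAT model for PPTP (TCP/1723 control channel + GRE data channel).
# Constructed addresses; one packet per session keeps the port table trivial.
PUBLIC_IP = "203.0.113.5"    # NAT outside address (constructed)
SERVER_IP = "198.51.100.9"   # m0n0wall PPTP server address (constructed)


class Nat:
    def __init__(self, gre_redirect=None, pptp_helper=False):
        self.gre_redirect = gre_redirect  # static "send every inbound GRE packet here"
        self.pptp_helper = pptp_helper    # learn call IDs from the TCP/1723 control channel
        self.tcp_map = {}                 # outside port -> inside ip
        self.calls = {}                   # client call ID -> inside ip (helper only)

    def outbound(self, pkt):
        """Translate a LAN -> Internet packet and return it as sent."""
        p = dict(pkt)
        if p["proto"] == "tcp":
            port = 40000 + len(self.tcp_map)          # allocate an outside port
            self.tcp_map[port] = p["src"]
            if self.pptp_helper and p["dport"] == 1723 and "call_id" in p:
                self.calls[p["call_id"]] = p["src"]    # Outgoing-Call-Request seen
            p["src"], p["sport"] = PUBLIC_IP, port
        else:
            p["src"] = PUBLIC_IP                       # GRE has no ports to rewrite
        return p

    def inbound(self, pkt):
        """Translate an Internet -> LAN packet; None means the NAT dropped it."""
        p = dict(pkt)
        if p["proto"] == "tcp":
            inside = self.tcp_map.get(p["dport"])      # ordinary port-based lookup
        elif self.pptp_helper:
            inside = self.calls.get(p["call_id"])      # GRE Call ID names the LAN peer
        else:
            inside = self.gre_redirect                 # plain NAT: no port, no state
        if inside is None:
            return None                                # dropped: the client sees error 619
        p["dst"] = inside
        return p


def pptp_session(nat, client_ip, call_id):
    """One PPTP setup: control connection out, then the server's first GRE packet back.
    Returns the LAN host that received the GRE packet, or None if it was dropped."""
    nat.outbound({"proto": "tcp", "src": client_ip, "sport": 1050,
                  "dst": SERVER_IP, "dport": 1723, "call_id": call_id})
    gre = nat.inbound({"proto": "gre", "src": SERVER_IP, "dst": PUBLIC_IP,
                       "call_id": call_id})
    return gre["dst"] if gre else None
```

Running the three configurations shows the plain NAT dropping the GRE packet, the static redirect serving only the one configured host (a second host's GRE is misdelivered to the first), and the helper delivering each client's tunnel correctly.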