Re: pptp gre nat
>>>>> "Leif" == Leif Larsson <leif.larsson@l3system.se> writes:
Leif> We currently connect to a pptp server in London from behind
Leif> our OBSD 2.7 firewall. Our IPs are private (192.168.0.0) so
Leif> we use NAT.
Leif> Problem: It seems impossible to make more than one
Leif> connection at a time. (I can see ipnat building
Leif> connection number two, though.)
Leif> Question: Is there some limitation in ipnat (or ipf)? Maybe
Leif> it's not possible to NAT more than one connection (GRE
Leif> protocol) to the same server?
For NAT to work there has to be some unique mapping. This is usually
easy with TCP and UDP where the port number space helps you to get
uniqueness. However in the GRE case I don't see how you can get that.
As far as I know GRE is a tunnel protocol which only uses src and
destination IPs as the identity, thus you can only have one tunnel
between any given two hosts. For a NAT this is troublesome, unless
you have a range of outside IP addresses you can cycle through. If it
were possible for the client to not talk GRE all the way, you could NAT
first and tunnel afterwards, in either GRE or IPSec. OpenBSD can act
as a GRE tunnel endpoint, not 2.7 though, if I recall correctly.
Leif> I read somewhere that Linux had that limitation, anyway when
Leif> we run Linux on the firewall it worked OK (at least for 3
Leif> simultaneous connections)
Seems strange, indeed. Or hmm, maybe they know how to look inside the
GRE packet and use the inner data to get a more unique identifier? It
is possible since GRE is just a header to look past. I suggest you talk
to Darren Reed, the author of ipf, about this possibility.
Niklas
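The idea Niklas raises at the end, looking past the GRE header for something more unique than the address pair, is what makes PPTP tunnels NAT-able at all. Below is an added illustration (not code from this thread, ipf or any PPTP implementation): a parser for the GRE header that recognises the PPTP variant (RFC 2637, GRE version 1, protocol type 0x880B), where the key field always carries a 16-bit payload length and a 16-bit Call ID, and a toy outbound NAT table that keys plain GRE on addresses alone but adds the Call ID for PPTP GRE. The addresses and Call IDs are constructed sample values, and `GreNat` is a hypothetical helper written for this example.

```python
"""Toy GRE/PPTP-aware NAT keying. Added example, not from the original thread."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GRE_PROTO_PPP = 0x880B  # protocol type used by PPTP's enhanced GRE (RFC 2637)


@dataclass
class GreHeader:
    version: int
    proto: int
    key: Optional[int]          # 32-bit key field, present when the K bit is set
    call_id: Optional[int]      # low 16 bits of the key for PPTP GRE (version 1)
    payload_len: Optional[int]  # high 16 bits of the key for PPTP GRE (version 1)


def parse_gre(data: bytes) -> GreHeader:
    """Parse the fixed GRE header and the optional key field.

    Handles plain GRE (RFC 1701/2784, version 0) and the PPTP variant
    (RFC 2637, version 1), whose key field holds payload length and Call ID.
    """
    if len(data) < 4:
        raise ValueError("short GRE header")
    flags_hi, flags_lo, proto = struct.unpack("!BBH", data[:4])
    has_checksum = bool(flags_hi & 0x80)   # C bit
    has_routing = bool(flags_hi & 0x40)    # R bit
    has_key = bool(flags_hi & 0x20)        # K bit
    version = flags_lo & 0x07
    off = 4
    if has_checksum or has_routing:
        off += 4  # checksum + offset word is present if either bit is set (RFC 1701)
    key = call_id = payload_len = None
    if has_key:
        if len(data) < off + 4:
            raise ValueError("GRE header truncated before key field")
        (key,) = struct.unpack("!I", data[off:off + 4])
        if version == 1 and proto == GRE_PROTO_PPP:
            payload_len, call_id = key >> 16, key & 0xFFFF
    return GreHeader(version, proto, key, call_id, payload_len)


def build_pptp_gre(call_id: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Construct a PPTP GRE packet (K set, version 1, optional sequence number)."""
    flags_hi = 0x20 | (0x10 if seq is not None else 0)
    hdr = struct.pack("!BBHHH", flags_hi, 0x01, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def build_plain_gre(proto: int, payload: bytes) -> bytes:
    """Construct a minimal RFC 2784 GRE packet with no optional fields."""
    return struct.pack("!BBH", 0, 0, proto) + payload


class GreNat:
    """Hypothetical outbound NAT table for GRE (example only).

    Plain GRE can only be keyed on the address pair, so a second inside host
    talking to the same server collides. PPTP GRE adds the Call ID to the key.
    """

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self.table = {}  # NAT key -> inside source IP

    def nat_key(self, server_ip: str, hdr: GreHeader) -> Tuple:
        if hdr.call_id is not None:
            return (self.outside_ip, server_ip, "gre", hdr.call_id)
        return (self.outside_ip, server_ip, "gre")

    def outbound(self, inside_src: str, server_ip: str, gre_bytes: bytes) -> Tuple:
        key = self.nat_key(server_ip, parse_gre(gre_bytes))
        owner = self.table.get(key)
        if owner is not None and owner != inside_src:
            raise KeyError(f"NAT collision: {key} already mapped to {owner}")
        self.table[key] = inside_src
        return key


def demo() -> bool:
    """Two inside hosts to one server: PPTP GRE maps both, plain GRE collides."""
    server = "198.51.100.7"  # constructed server address (RFC 5737 range)
    pptp = GreNat("203.0.113.10")  # constructed outside address
    k1 = pptp.outbound("192.168.0.11", server, build_pptp_gre(0x1234, b"\xff\x03\x00\x21"))
    k2 = pptp.outbound("192.168.0.12", server, build_pptp_gre(0x5678, b"\xff\x03\x00\x21"))
    plain = GreNat("203.0.113.10")
    plain.outbound("192.168.0.11", server, build_plain_gre(0x0800, b"ip-payload"))
    try:
        plain.outbound("192.168.0.12", server, build_plain_gre(0x0800, b"ip-payload"))
    except KeyError:
        return k1 != k2
    return False
```

One caveat a practitioner would want: in the client-to-server direction the GRE Call ID is the one the server assigned (RFC 2637 calls it the peer's Call ID), so it is unique per server and the table above suffices. Packets from the server carry the client-chosen Call ID, which two inside hosts may pick identically, so a complete NAT helper also has to follow the PPTP control connection on TCP port 1723 and rewrite colliding Call IDs; this example does not do that.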