Carl Farrington <carl@000compsup000.net.invalid> wrote:
> Horst Knobloch wrote:
>> Carl Farrington <carl@000compsup000.net.invalid> wrote:
>>
>> [only one of multiple pptp connections work]
[...]
>> Have a look at the Linux VPN Masquerade document
>> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> It does help, thank you. I haven't tried it yet, but I am about to.
>
> It surprises me that a third-party patch would be needed to achieve
> successful PPTP masquerading. Do you know if there are plans to officially
> incorporate this into the kernel?

I don't know.

> I realise PPTP is a Microsoft (and
> Cisco??) invention so maybe there lies the reason for lack of effort, but
> it is quite widely used all the same.

I can only guess. I think the demand is not that great, because:

- there is a workaround to have one client connect via PPTP
  over a NAT router to one VPN server (this is described in
  the document above)
- other VPN clients connect directly to the Internet without a
  Linux based NAT router (or have a NAT router with PPTP/VPN
  masquerading capabilities)
- some sites terminate the PPTP on their NAT router, so there
  is no need at all for masquerading PPTP

So you see, only the poor guys having more than one client to
connect to the same PPTP server over a Linux based NAT router
are in need of it.

Another reason might be that PPTP was/is not the first choice
from a security point of view when you need to deploy a VPN. So
maybe ...

Again, these are only my thoughts and I don't know it for sure.
Hopefully someone else can give you the definite reasons or ask
jhardin at impsec dot org whether he knows them. It might also
be a good idea to list the reasons in the document.

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn