
PPTP VPN - [Resolved]

andy265
Grafter
Posts: 78
Registered: 30-08-2012

PPTP VPN - [Resolved]

Did a bit of general surfing and email which was fine, then found that I couldn't connect via PPTP VPN to the Small Business Server at the office, the connection just timed out. From previous experience with unfriendly NATs I would have expected it to hang at the authentication, but it didn't get that far. I reconnected with my normal login and it worked fine again.
Gave up trying to reconnect to the test account again tonight, kept getting authentication failed and don't want to sit pressing connect for 10 minutes again.
[Moderator's note by Jim (Oldjim): title changed to mark as resolved]
10 REPLIES
olorinhenderson
Dabbler
Posts: 13
Registered: 12-01-2013

Re: PPTP VPN

Interesting. I can use L2TP fine, but you're right no PPTP for me either. Wonder why that is?
MJN
Aspiring Pro
Posts: 1,093
Thanks: 39
Fixes: 2
Registered: 26-08-2010

Re: PPTP VPN

It'll likely be because the CG-NAT gateway will not be 'PPTP aware', or at least doesn't have that ALG functionality enabled, as there are a couple of issues that need to be addressed.
PPTP has to be able to support uniqueness amongst multiple tunnels being established between clients and the PPTP server. It achieves this through a combination of the source and destination IP addresses and, given that these two would end up being the same for multiple clients sat behind a NAT connecting to the same PPTP server, a 'Call ID' value in the PPTP header.
Now, imagine two clients sitting behind a NAT connection wishing to connect to the same PPTP server - each will be unaware of the other and so may pick the same Call ID when setting the tunnel up. The NAT gateway is required to intercept the traffic to manipulate the source IP address (and potentially port number too) as well as ensuring that a new unique Call ID is assigned to the second tunnel to stop them clashing at the PPTP server end. If the CG-NAT gateway can't, or isn't configured to, perform this PPTP header manipulation then the tunnel for the second client will fail to be established.
However, given the small trial size here and the assumption you're not both attempting to connect to the same PPTP server(!) the problem is likely down to the more fundamental issue that GRE (which PPTP uses) effectively replaces the transport layer of the protocol stack such that it can encapsulate any layers above it. The problem here is that NAT (or rather PAT) gateways operate at this layer by translating TCP and UDP port numbers to allow overloading of the modified IP addresses. However, GRE doesn't have any concept of port numbers - it is a protocol itself (type 47) just like TCP (6) and UDP (17) - and thus the usual modifications made to TCP/UDP packets are of no use.
The CG-NAT gateway must be able to recognise GRE packets in order to retain a reversible mapping when modifying the packets such that replies can be routed back to the client. If it doesn't do this the tunnel won't get established.
Edit: Apologies if that's a bit lengthy and in the weeds - the bottom line is that the CG-NAT gateway needs to be 'PPTP aware' to make this work.
Mathew
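
The Call ID handling described in the post above, as an added example that is not part of the original thread: a toy PPTP-aware translation table that gives each inside client a unique public Call ID and uses it, instead of a port number, to route the server's GRE packets back. The class and function names and the sample addresses are hypothetical; the simplified 8-byte header follows the enhanced GRE layout in RFC 2637.

```python
import struct

GRE_PROTO = 47          # IP protocol number for GRE, as noted in the post
PPTP_GRE_TYPE = 0x880B  # protocol type in PPTP's enhanced GRE header (RFC 2637)

def build_pptp_gre(call_id, payload=b""):
    """Constructed, simplified enhanced GRE header: key present, version 1, no seq/ack."""
    flags_ver = 0x2001  # K bit set, version = 1
    return struct.pack("!HHHH", flags_ver, PPTP_GRE_TYPE, len(payload), call_id) + payload

def parse_call_id(gre):
    """Return the Call ID from an enhanced GRE header, or raise ValueError."""
    if len(gre) < 8:
        raise ValueError("truncated GRE header")
    flags_ver, proto, _length, call_id = struct.unpack("!HHHH", gre[:8])
    if proto != PPTP_GRE_TYPE or (flags_ver & 0x7) != 1:
        raise ValueError("not PPTP enhanced GRE")
    return call_id

class PptpAwareNat:
    """Toy translation table keyed on (server IP, Call ID) rather than ports."""
    def __init__(self):
        self.out_map = {}  # (inside_ip, server_ip, client_call_id) -> public_call_id
        self.in_map = {}   # (server_ip, public_call_id) -> (inside_ip, client_call_id)
        self.next_id = 1   # 16-bit field; wrap-around and expiry are not handled here

    def register_call(self, inside_ip, server_ip, client_call_id):
        """Called when the ALG sees a client announce its Call ID on the control channel."""
        key = (inside_ip, server_ip, client_call_id)
        if key not in self.out_map:
            public_id = self.next_id
            self.next_id += 1
            self.out_map[key] = public_id
            self.in_map[(server_ip, public_id)] = (inside_ip, client_call_id)
        return self.out_map[key]

    def inbound(self, server_ip, gre):
        """Route a GRE packet from the server back to the right inside client."""
        target = self.in_map.get((server_ip, parse_call_id(gre)))
        if target is None:
            return None    # no mapping: without the ALG every GRE packet ends up here
        inside_ip, client_call_id = target
        # Restore the Call ID the client originally chose before forwarding inside.
        return inside_ip, build_pptp_gre(client_call_id, gre[8:])
```
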
Community Veteran
Posts: 6,341
Thanks: 481
Fixes: 44
Registered: 30-07-2007

Re: PPTP VPN

I'm a bit surprised that the CG-NAT gateway isn't PPTP aware. I haven't got around to trying my test account yet since I've been away on business. I was going to try it this weekend. I use a PPTP VPN to the office and I'm pretty sure I've used it successfully on a 3g connection, which I would have expected to be going via a CG-NAT?
Community Gaffer
Community Gaffer
Posts: 12,966
Thanks: 751
Fixes: 70
Registered: 04-04-2007

Re: PPTP VPN

Quote from: MJN
It'll likely be because the CG-NAT gateway will not be 'PPTP aware', or at least doesn't have that ALG functionality enabled ...

Bingo! There is an ALG available for PPTP though so we'll get it enabled. I'll bump this thread once that's been done ...

Bob Pullen
Plusnet Products Team

Community Veteran
Posts: 6,341
Thanks: 481
Fixes: 44
Registered: 30-07-2007

Re: PPTP VPN

Bob,
AFAIK there should be one for SIP as well, maybe it's worth checking... see this thread http://community.plus.net/forum/index.php/topic,111434.0.html
Edit: I see you already did.
Community Gaffer
Community Gaffer
Posts: 12,966
Thanks: 751
Fixes: 70
Registered: 04-04-2007

Re: PPTP VPN

The SIP ALG is already enabled.

Bob Pullen
Plusnet Products Team

Plusnet Alumni (retired) orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: 18-07-2007

Re: PPTP VPN

Hi there,
The PPTP ALG should now be enabled if anyone can give it a try please? Cheers.
andy265
Grafter
Posts: 78
Registered: 30-08-2012

Re: PPTP VPN

Yep, works fine now :)
Community Veteran
Posts: 6,341
Thanks: 481
Fixes: 44
Registered: 30-07-2007

Re: PPTP VPN - [Resolved]

Managed to get connected with test account this evening.
Tried PPTP VPN to office, seemed to work OK for a while. After leaving the VPN idle for a minute or so it would no longer route traffic to the VPN.
Disconnected and reconnected VPN, OK for a while then same again, no VPN traffic possible.
Edit: something I've just thought of which MIGHT explain why mine doesn't work when others do:
I have my VPN connection set to ONLY route VPN addresses over the VPN tunnel, all other traffic goes out as normal.
That's not the default, especially on Windows where the 'Use Default Gateway on Remote Network' is checked automatically. On Linux it's an 'Only route VPN addresses' option on the VPN config.
Anyone else here use their VPN in this way?
andy265
Grafter
Posts: 78
Registered: 30-08-2012

Re: PPTP VPN - [Resolved]

Quote from: MisterW
Anyone else here use their VPN in this way ?

I do :) I just tried connecting and leaving it idle for 10 minutes, it still worked fine afterwards.