Point-to-Point Tunneling Protocol (PPTP) is a widely used virtual private network protocol that is included in Windows 98, Windows Millennium Edition, Windows 2000, and Windows XP. PPTP is a tunneling mechanism for transferring Point-to-Point Protocol (PPP) frames over an intermediate network. By using the PPP authentication, encryption, and protocol configuration mechanisms, PPTP remote access and router-to-router virtual private network (VPN) connections provide a way to create secure connections over public networks such as the Internet. See RFC 2367 for a detailed description of PPTP.
PPTP traffic overview
PPTP traffic consists of the following:
• PPTP control connection. This is a logical connection that represents the PPTP tunnel and that must be created, maintained, and terminated through a series of PPTP messages. PPTP control connection traffic uses a dynamically allocated TCP port on the PPTP client and TCP port 1723, which is reserved by IANA, on the PPTP server.
• GRE-encapsulated data. When data is transmitted over the PPTP connection, the PPP frame is encapsulated with a Generic Routing Encapsulation (GRE) header, which includes information that identifies the specific PPTP tunnel for the packet.
Firewall configuration for PPTP traffic
In the most common configuration, the firewall is attached to the Internet, and the VPN server (a PPTP server) is an intranet resource attached to the perimeter network. The configuration is as follows.
The VPN server has one interface on the perimeter network and one on the intranet. In this configuration, the firewall must be configured with input and output filters on its Internet and perimeter network interfaces that allow PPTP tunnel maintenance traffic and tunneled data to reach the VPN server.
Filters on the Internet interface
Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:
• Destination IP address of the VPN server's perimeter network interface and TCP destination port 1723 (0x6bb). This filter allows PPTP tunnel maintenance traffic to the PPTP server.
• Destination IP address of the VPN server's perimeter network interface and IP protocol ID 47 (0x2f). This filter allows tunneled data to the PPTP server.
• Destination IP address of the VPN server's perimeter network interface and TCP source port 1723 (0x6bb). This filter is required only when the VPN server acts as the calling router (a VPN client) in a router-to-router VPN connection. It should be used only in conjunction with the IP packet filters recommended on the VPN server's perimeter network interface. The packet filters recommended on the VPN server's perimeter network interface include ones that allow inbound TCP traffic from port 1723 and outbound TCP traffic to port 1723 only for TCP connections initiated by the VPN server. For more information on the filters recommended for the perimeter network interface of the VPN server, see "VPN and Firewall".
Configure the following output packet filters on the Internet interface of the firewall to allow the following types of traffic:
• Source IP address of the VPN server's perimeter network interface and TCP source port 1723 (0x6bb). This filter allows PPTP tunnel maintenance traffic from the PPTP server.
• Source IP address of the VPN server's perimeter network interface and IP protocol ID 47 (0x2f). This filter allows tunneled data from the PPTP server.
• Source IP address of the VPN server's perimeter network interface and TCP destination port 1723 (0x6bb). This filter is required only when the VPN server acts as the calling router (a VPN client) in a router-to-router VPN connection. It should be used only in conjunction with the IP packet filters recommended on the VPN server's perimeter network interface.
Filters on the perimeter network interface
Configure the following input packet filters on the perimeter network interface of the firewall to allow the following types of traffic:
• Source IP address of the VPN server's perimeter network interface and TCP source port 1723 (0x6bb). This filter allows PPTP tunnel maintenance traffic from the PPTP server.
• Source IP address of the VPN server's perimeter network interface and IP protocol ID 47 (0x2f). This filter allows tunneled data from the PPTP server.
• Source IP address of the VPN server's perimeter network interface and TCP destination port 1723 (0x6bb). This filter is required only when the VPN server acts as the calling router (a VPN client) in a router-to-router VPN connection. It should be used only in conjunction with the IP packet filters recommended on the VPN server's perimeter network interface.
Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:
• Destination IP address of the VPN server's perimeter network interface and TCP destination port 1723 (0x6bb). This filter allows PPTP tunnel maintenance traffic to the PPTP server.
• Destination IP address of the VPN server's perimeter network interface and IP protocol ID 47 (0x2f). This filter allows tunneled data to the PPTP server.
• Destination IP address of the VPN server's perimeter network interface and TCP source port 1723 (0x6bb). This filter is required only when the VPN server acts as the calling router (a VPN client) in a router-to-router VPN connection. It should be used only in conjunction with the IP packet filters recommended on the VPN server's perimeter network interface.
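The following is an added example, not code from the article: a small packet-filter model that encodes the Internet-interface input filters listed above as data and evaluates constructed packets against them, showing that GRE data is matched by IP protocol ID 47 alone (it carries no ports) and that the router-to-router filter stays off unless explicitly enabled. The VPN server perimeter address 192.0.2.10 and the client addresses are assumed values.

```python
from dataclasses import dataclass
from typing import Optional

TCP, GRE = 6, 47                  # IP protocol IDs; GRE is 47 (0x2f)
PPTP_PORT = 1723                  # TCP port reserved by IANA for PPTP control connections
VPN_PERIMETER_IP = "192.0.2.10"   # assumed address of the VPN server's perimeter interface

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # TCP/UDP only; GRE packets carry no ports
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # A rule field of None is a wildcard; every set field must match exactly.
        return all(want is None or want == got for want, got in
                   ((self.dst, p.dst), (self.proto, p.proto),
                    (self.sport, p.sport), (self.dport, p.dport)))

# Input filters on the firewall's Internet interface, as listed in the article.
INTERNET_INPUT_FILTERS = [
    Rule(dst=VPN_PERIMETER_IP, proto=TCP, dport=PPTP_PORT),  # tunnel maintenance to the server
    Rule(dst=VPN_PERIMETER_IP, proto=GRE),                   # tunneled data to the server
]
# Third filter: only for router-to-router connections where the VPN server is the
# calling router; kept separate so that it is not enabled by default.
ROUTER_TO_ROUTER_FILTERS = [Rule(dst=VPN_PERIMETER_IP, proto=TCP, sport=PPTP_PORT)]

def permitted(p: Packet, rules=INTERNET_INPUT_FILTERS) -> bool:
    """Default-deny: a packet passes only if some filter matches it."""
    return any(r.matches(p) for r in rules)

if __name__ == "__main__":
    # Constructed sample packets from an Internet host 198.51.100.7
    for p in (Packet("198.51.100.7", VPN_PERIMETER_IP, TCP, 49152, PPTP_PORT),
              Packet("198.51.100.7", VPN_PERIMETER_IP, GRE),
              Packet("198.51.100.7", "192.0.2.20", TCP, 49152, PPTP_PORT)):
        print("ALLOW" if permitted(p) else "DROP ", p)
```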
PPTP control connection creation
The PPTP control connection is established through the following exchange:
1. A TCP connection is established from a dynamically allocated TCP port on the PPTP client to TCP port 1723 on the PPTP server.
2. The PPTP client sends a PPTP Start-Control-Connection-Request message, which is used to create the PPTP control connection.
3. The PPTP server responds with a PPTP Start-Control-Connection-Reply message.
4. The PPTP client sends a PPTP Outgoing-Call-Request message and selects a Call ID to identify the PPTP tunnel used to send data from the PPTP client to the PPTP server. With the PPTP Outgoing-Call-Request message, the PPTP client requests a PPTP tunnel (also known as a call) from the PPTP server.
5. The PPTP server sends a PPTP Outgoing-Call-Reply message and selects its own Call ID, identifying the PPTP tunnel used to send data from the PPTP server to the PPTP client.
6. The PPTP client sends a PPTP Set-Link-Info message to specify the negotiated PPP options.
The end result of the PPTP control connection creation process is as follows:
• The PPTP server has allowed the PPTP tunnel to be created.
• The PPTP client has determined the Call ID to use in the GRE header when sending data to the PPTP server through the PPTP tunnel.
• The PPTP server has determined the Call ID to use in the GRE header when sending data to the PPTP client through the PPTP tunnel.
PPTP data packets
After the PPTP control connection is established, data can be sent between the PPTP client and the PPTP server. The first packets sent over the PPTP connection are used to establish the PPP connection.
Each packet is first encrypted and encapsulated with a PPP header. The PPP frame is then encapsulated with a Generic Routing Encapsulation (GRE) header, as modified for PPTP. Finally, the GRE-encapsulated PPP frame is encapsulated with an IP header containing the source and destination IP addresses of the PPTP tunnel endpoints.
The GRE header as modified for PPTP packets has the structure described below. The original GRE header is defined in RFC 1701.
The fields in the modified GRE header are as follows:
• Checksum Present: A 1-bit flag that, when set to 1, indicates that a Checksum field is present. For PPTP, this flag is always set to 0.
• Routing Present: A 1-bit flag that, when set to 1, indicates that a Routing field is present. For PPTP, this flag is always set to 0.
• Key Present: A 1-bit flag that, when set to 1, indicates that a Key field is present. For PPTP, this flag is always set to 1. The Key field is a combination of the Protocol Type, Payload Length, and Call ID fields.
• Sequence Number Present: A 1-bit flag that, when set to 1, indicates that a Sequence Number field is present.
• Strict Source Route Present: A 1-bit flag that, when set to 1, indicates a strict source route. For PPTP, this flag is always set to 0.
• Recursion Control: A 3-bit field used for recursion control. For PPTP, this field is always set to 0.
• Acknowledgement Number Present: A 1-bit flag that, when set to 1, indicates that an Acknowledgement Number field is present.
• Flags: A 4-bit field for GRE flags. For PPTP, this field is always set to 0.
• Version: A 3-bit field indicating the GRE header version. For PPTP, this field is always set to 1.
• Protocol Type: A 16-bit field that stores the EtherType value of the GRE payload. For PPTP, this field is always set to 0x880B, the EtherType value for PPP frames.
• Payload Length: A 16-bit field indicating the length of the GRE payload.
• Call ID: A 16-bit field identifying the PPTP tunnel of this packet. For a PPTP connection, the Call ID field has two different values: one is used in data sent by the PPTP client, and the other in data sent by the PPTP server.
• Sequence Number: A 32-bit field containing the sequence number of this packet. This field is present only when the Sequence Number Present flag is set to 1.
• Acknowledgement Number: A 32-bit field indicating the highest sequence number of a GRE-encapsulated packet received on this tunnel. This field is present only when the Acknowledgement Number Present flag is set to 1.
PPTP uses the Sequence Number and Acknowledgement Number fields to detect dropped packets.
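The following is an added example, not code from the article: a parser and builder for the modified GRE header described above. The parser rejects any header whose fixed fields do not carry the PPTP values (K=1, Version=1, Protocol Type 0x880B, all other flags 0) and checks that the packet is long enough for the optional fields and the stated Payload Length, so that a malformed packet is refused rather than misread. The sample packet bytes are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PPTP_GRE_PROTO = 0x880B  # Protocol Type: EtherType of a PPP frame, fixed for PPTP

@dataclass
class PptpGreHeader:
    payload_length: int
    call_id: int
    seq: Optional[int]      # None when the Sequence Number Present flag is 0
    ack: Optional[int]      # None when the Acknowledgement Number Present flag is 0
    header_len: int         # 8, 12 or 16 bytes; the PPP payload starts here

def parse_pptp_gre(buf: bytes) -> PptpGreHeader:
    """Parse the modified GRE header and enforce the fixed PPTP field values."""
    if len(buf) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", buf[:8])
    c, r, k, s = (b0 >> 7) & 1, (b0 >> 6) & 1, (b0 >> 5) & 1, (b0 >> 4) & 1
    strict_sr, recur = (b0 >> 3) & 1, b0 & 0x7
    a, flags, version = (b1 >> 7) & 1, (b1 >> 3) & 0xF, b1 & 0x7
    if c or r or strict_sr or recur or flags:
        raise ValueError("C, R, s, Recur and Flags must be 0 for PPTP")
    if not k or version != 1 or proto != PPTP_GRE_PROTO:
        raise ValueError("expected K=1, Version=1 and Protocol Type 0x880B")
    hdr_len = 8 + 4 * s + 4 * a
    if len(buf) < hdr_len + length:
        raise ValueError("packet shorter than header plus Payload Length")
    off, seq, ack = 8, None, None
    if s:
        seq = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if a:
        ack = struct.unpack_from("!I", buf, off)[0]
    return PptpGreHeader(length, call_id, seq, ack, hdr_len)

def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Build a PPTP GRE packet: K=1, Version=1, S/A flags set when seq/ack are given."""
    b0 = 0x20 | (0x10 if seq is not None else 0)   # K in bit 5, S in bit 4
    b1 = 0x01 | (0x80 if ack is not None else 0)   # Version=1, A in bit 7
    hdr = struct.pack("!BBHHH", b0, b1, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload
```

A constructed call such as `build_pptp_gre(0x1234, bytes.fromhex("ff03c021"), seq=7, ack=3)` yields a 16-byte header followed by the 4-byte PPP payload, and `parse_pptp_gre` on that packet returns Call ID 0x1234 with sequence 7 and acknowledgement 3.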
Because PPTP data packets use a separate encapsulation mechanism, they have an interesting side effect on network address translation (NAT). For more information on NAT, see "Windows 2000 Network Address Translator (NAT)" (The Cable Guy, March 2001). Most NATs can translate the TCP-based tunnel maintenance traffic. However, PPTP packets with GRE headers typically require either a static address mapping or a PPTP NAT editor to be translated.
When the PPTP server is behind the NAT, the NAT must be manually configured with a static address mapping, in which all traffic to a particular public address is mapped to a particular private address. In this case, only the addresses in the IP header are modified.
When the PPTP client is behind the NAT, a PPTP NAT editor is typically used. A NAT editor is an additional software component on the NAT that performs translation beyond the IP addresses, TCP ports, and UDP ports. Although it is simple for a PPTP NAT editor to monitor incoming packets with a GRE payload and translate the IP addresses in the IP header, there may be multiple PPTP clients behind the NAT. In that case, the NAT cannot determine which private client an incoming PPTP packet should be forwarded to, because multiple private clients share the same public address. To determine the private client to which an incoming packet should be forwarded, the PPTP NAT editor uses the Call ID in the GRE header. However, when two different PPTP clients use the same Call ID, the NAT still cannot determine which private client should receive the packet. To correctly multiplex GRE-encapsulated traffic to different private clients, the PPTP NAT editor monitors the PPTP control connection setup and translates the PPTP client's Call ID field in both the PPTP messages and the GRE-encapsulated packets, in the same way that a NAT translates a TCP or UDP source port. By translating the PPTP client's Call ID field, the NAT ensures a unique Call ID for each PPTP tunnel and each PPTP client.
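The following is an added example, not code from the article or from any Windows component: a minimal model of the PPTP NAT editor behaviour described above. It allocates a unique public-side Call ID when a client's Outgoing-Call-Request is seen, rewrites the Call ID of inbound GRE packets back to the client's own value while selecting the private destination, drops GRE packets for tunnels that were never set up, and releases the mapping at Clear-Call-Request. The public address, client addresses, and Call IDs are constructed, and the GRE packet is represented as a dict of the fields that matter here.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class PptpNatEditor:
    public_ip: str
    # (private client IP, the client's own Call ID) -> Call ID the server sees
    outbound: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # Call ID the server sees -> (private client IP, the client's own Call ID)
    inbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_id: int = 1

    def allocate(self) -> int:
        """Pick an unused 16-bit Call ID, like a NAT picking a TCP/UDP source port."""
        while self.next_id in self.inbound:
            self.next_id = self.next_id % 0xFFFF + 1
        cid = self.next_id
        self.next_id = self.next_id % 0xFFFF + 1
        return cid

    def outgoing_call_request(self, client_ip: str, client_call_id: int) -> int:
        """Rewrite the Call ID in a client's Outgoing-Call-Request on the control channel."""
        key = (client_ip, client_call_id)
        if key not in self.outbound:
            cid = self.allocate()
            self.outbound[key] = cid
            self.inbound[cid] = key
        return self.outbound[key]

    def translate_outbound_gre(self, gre: dict) -> dict:
        # Client -> server data carries the server's Call ID, so only the source
        # address is rewritten to the NAT's public address.
        return {**gre, "src": self.public_ip}

    def translate_inbound_gre(self, gre: dict) -> Optional[dict]:
        """Server -> client data carries the client's translated Call ID; map it back."""
        hit = self.inbound.get(gre["call_id"])
        if hit is None:
            return None  # no tunnel was set up for this Call ID: drop the packet
        client_ip, original_id = hit
        return {**gre, "dst": client_ip, "call_id": original_id}

    def clear_call(self, client_ip: str, client_call_id: int) -> None:
        """Release the mapping when the client's Clear-Call-Request is seen."""
        cid = self.outbound.pop((client_ip, client_call_id), None)
        if cid is not None:
            del self.inbound[cid]
```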
PPTP control connection maintenance
To maintain the PPTP control connection, the PPTP client sends a PPTP Echo-Request message every 60 seconds, regardless of whether GRE-encapsulated data is being sent between the PPTP client and the PPTP server. When it receives the PPTP Echo-Request message, the PPTP server sends a PPTP Echo-Reply message. The PPTP Echo-Request message contains an Identifier field that is echoed in the PPTP Echo-Reply message so that the PPTP client can match each PPTP Echo-Request to its reply.
PPTP control connection termination
To terminate a PPTP connection, the PPP connection, the PPTP control connection, and the TCP connection must all be terminated. When the PPTP client terminates the PPTP connection, the following messages are exchanged:
1. The PPTP client sends a PPTP Set-Link-Info message to specify PPP parameters for the link.
2. The PPTP client sends a Link Control Protocol (LCP) Terminate-Request message to terminate the PPP connection. LCP is a protocol within PPP that manages the configuration and maintenance of the logical PPP connection.
3. The PPTP server sends a PPTP Set-Link-Info message to specify PPP parameters for the link.
4. The PPTP server sends an LCP Terminate-Ack message in response to the LCP Terminate-Request message, terminating the PPP connection.
5. The PPTP client sends a PPTP Clear-Call-Request message to indicate to the PPTP server that the call is about to be terminated.
6. The PPTP server responds with a PPTP Call-Disconnect-Notify message.
7. The PPTP client sends a PPTP Stop-Control-Connection-Request message to terminate the PPTP control connection.
8. The PPTP server responds with a PPTP Stop-Control-Connection-Reply message.
9. The TCP connection is terminated.
If the PPTP server initiates the termination, the messages exchanged are the same, with the roles of the PPTP client and the PPTP server in the process above swapped.