61 switches, and some dont use these devices at all. Instead they might use modems connected to a multiport serial card in a Unix system, or some other terminal server device. Others might have the appropriate hardware, but choose not to implement PPTP because they dont want to be forced to do technical support for tunneled connections. Whatever the reason, theres a chance that your ISP may not offer PPTP; however, that doesnt mean that you cant use it. This scenario requires two things: first, you again need to have a Windows NT 4.0 RAS server with PPTP installed on your network, and it must be accessible from the Internet; second, your Windows NT Workstation, Windows 95, or Windows 98 client machine must have the PPTP protocol and Dial-Up Networking installed. Well use Sara N. for this example as well. This time, however, shes dialing into an ISP that doesnt support PPTP. In addition, shes running Windows NT 4.0 Workstation on her laptop computer. The sequence of events for a tunneling session with a non-PPTP-enabled provider is as follows: 1. Sara dials into her ISP using a dial-up networking profile for her account and establishes a standard PPP connection. 2. After the PPP connection has been made, Sara uses Dial-Up Networking again to dial into the PPTP RAS server at the corporate office. In this dial-up profile, however, she puts the IP address of the RAS server, 2.1.1.60, in the phone number field, and selects the dial device to be a VPN port set up through Dial-Up Networking well explain in Chapter 5 how to set this up. 3. A PPTP connection is made through Saras PPP connection over the Internet and to the RAS server. The RAS server then logs her into the corporate network using the username and password she supplied. The RAS server assigns her the internal IP address of 2.1.1.129, and she is then granted access to the corporate network. Figure 4-2 shows how the second PPTP call is encapsulated through the initial PPP connection to the ISP. 62 Figure 4-2. Connecting to a corporate RAS server via an ISP that doesnt support PPTP Again, once the PPTP connection is made, Sara N. will have access to the corporate LAN just as if she were connected to it via a network card or dial-up RAS connection.

4.2.3 Where PPTP Fits into Our Scenario

In Figure 4-3 we have a representation of a corporate office network with a T1 connection to the Internet. The router that connects to the Internet is also a packet-filtration firewall. User Sara N. wants to check her corporate email, and is dialing into her ISP, which is using a PPTP-enabled remote access switch. After she connects to the switch, it starts a PPTP call to the RAS server specified in her user profile. In this figure, a lightly shaded line extends the PPTP session back to the client, rather than just to the remote access switch. Sara uses this line when she has to dial into an ISP that doesnt support PPTP, and initiates the PPTP session on her workstation with a second RAS call. 63 Figure 4-3. A full diagram of a PPTP connection over the Internet On the corporate router and firewall, the TCPIP port on which PPTP creates a socket 1723 must be open to both inbound and outbound traffic. If the rest of the network is protected by a firewall that disallows inbound and outbound Internet traffic, then a single point of entry to the LAN is established, which is protected by the user-based authentication.

4.2.4 Dissecting a PPTP Packet

The PPTP encapsulation technique is based on another Internet standard called the Generic Routing Encapsulation GRE protocol, which can be used to tunnel protocols over the Internet. If youre interested, see RFCs 1701 and 1702. The PPTP version, known as GREv2, adds extensions for specific features such as Call ID and connection speed. A PPTP packet is made up of a delivery header, an IP header, a GREv2 header, and the payload packet. The delivery header is the framing protocol for whatever medium the packet is traveling over, whether its Ethernet, frame relay, or PPP. The IP header contains information essential to the IP datagram, such as the packet length and the source and destination addresses. The GREv2 header contains information on the type of packet