Where PPTP Fits into Our Scenario

Figure 4-3. A full diagram of a PPTP connection over the Internet

On the corporate router and firewall, the TCP/IP port on which PPTP creates a socket (1723) must be open to both inbound and outbound traffic. If the rest of the network is protected by a firewall that disallows inbound and outbound Internet traffic, then a single point of entry to the LAN is established, which is protected by the user-based authentication.

4.2.4 Dissecting a PPTP Packet

The PPTP encapsulation technique is based on another Internet standard called the Generic Routing Encapsulation (GRE) protocol, which can be used to tunnel protocols over the Internet. If you're interested, see RFCs 1701 and 1702. The PPTP version, known as GREv2, adds extensions for specific features such as Call ID and connection speed. A PPTP packet is made up of a delivery header, an IP header, a GREv2 header, and the payload packet. The delivery header is the framing protocol for whatever medium the packet is traveling over, whether it's Ethernet, frame relay, or PPP. The IP header contains information essential to the IP datagram, such as the packet length and the source and destination addresses. The GREv2 header contains information on the type of packet encapsulated, as well as PPTP-specific data that pertains to the connection between the client and server. Finally, the payload packet is the encapsulated datagram itself. In the case of PPP, this datagram is the original PPP session data that is sent between the client and server, and within it can be IP, IPX, or NetBEUI packets. Figure 4-4 illustrates the layers of PPTP encapsulation.

Figure 4-4. The four layers of a PPTP packet being transported across the Internet

4.2.4.1 The encapsulation process

The encapsulation process for a user dialing into an ISP that supports PPTP is as follows:

1. The user dials into the ISP's remote access switch using PPP. Between the client and the remote access switch flow PPP packets that are surrounded by the PPP protocol-specific frames being delivered.

2. At the switch, the media-specific frames are stripped away, and the call triggers the remote access switch to open up a PPTP tunneling session over the Internet between itself and the PPTP-enabled NT RAS server specified in the user's profile. The remote access switch encapsulates the PPP payload packet within a GREv2 header, then an IP header. Finally, the packet gets a delivery header before going out of the switch. Throughout the packet's journey, the delivery header may change depending on the type of media through which the packet is being sent. For instance, it may go from Ethernet, to frame relay, to Ethernet again, to PPP over ISDN, and to Ethernet yet again before finally reaching its destination at the RAS server.

3. The RAS server treats the incoming PPTP connection as an incoming call, just as if it were coming in over a modem. It strips off the delivery header, the IP header, and the GREv2 header from the payload packet. It then handles the PPP connection as it normally would if the user were coming in over a modem connection. The RAS server validates the PPP client using whatever authentication method is required on the RAS server: Microsoft encrypted authentication, encrypted authentication, or any authentication type including clear text.

4. Before packets from the client reach the LAN, PPP framing is removed from the enclosed IP, NetBEUI, or IPX datagrams.

Figure 4-5 is a diagram of those protocol layers that are active during each portion of the connection for dialing into ISPs that support PPTP.
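The four layers described under "Dissecting a PPTP Packet" and the wrap/unwrap steps of the encapsulation process above, carried through in working code. This is an added example, not code from the book: it assumes an Ethernet delivery header, takes the GREv2 field layout (flags/version, protocol type 0x880B, payload length, Call ID, optional sequence and acknowledgment numbers) from RFC 2637, and uses constructed MAC addresses, documentation-range IP addresses, and a stand-in PPP payload. `encapsulate` performs step 2 of the process, `dissect_pptp_frame` performs step 3 (peeling the headers and refusing anything malformed), and the PPP protocol field it reads is what step 4 uses to tell IP, IPX and NetBEUI apart.

```python
import ipaddress
import struct

# Field values from RFC 2637 (PPTP's enhanced GRE) and the PPP/IANA registries; the
# addresses, MACs and payload used below are constructed for this example.
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47          # the GRE data tunnel rides directly on IP protocol 47
GRE_PROTO_PPP = 0x880B    # GREv2 protocol type for an encapsulated PPP frame
GRE_FLAG_K = 0x2000       # key (payload length + Call ID) present; always set in PPTP
GRE_FLAG_S = 0x1000       # sequence number present
GRE_FLAG_A = 0x0080       # acknowledgment number present
GRE_VER_MASK = 0x0007     # version 1 marks enhanced GRE
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI"}

def ip_checksum(data):
    """Internet one's-complement sum; yields 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_grev2_header(payload_len, call_id, seq=None, ack=None):
    """flags/version, protocol type, payload length, Call ID, then optional seq and ack."""
    flags = GRE_FLAG_K | 1  # K bit plus version 1 (enhanced GRE)
    flags |= GRE_FLAG_S if seq is not None else 0
    flags |= GRE_FLAG_A if ack is not None else 0
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, payload_len, call_id)
    for value in (seq, ack):
        if value is not None:
            hdr += struct.pack("!I", value)
    return hdr

def build_ipv4_header(src, dst, payload_len, proto=IPPROTO_GRE):
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, 0x1F2E, 0x4000, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def encapsulate(ppp_payload, call_id, seq, src_ip, dst_ip,
                dst_mac=b"\x02\x00\x00\x00\x00\x02", src_mac=b"\x02\x00\x00\x00\x00\x01"):
    """Step 2: PPP payload inside GREv2, inside IP, behind an Ethernet delivery header."""
    gre = build_grev2_header(len(ppp_payload), call_id, seq=seq)
    ip = build_ipv4_header(src_ip, dst_ip, len(gre) + len(ppp_payload))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + gre + ppp_payload

def dissect_pptp_frame(frame):
    """Step 3: peel delivery, IP and GREv2 headers, rejecting malformed or non-PPTP input."""
    frame = bytes(frame)
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("delivery header does not carry a usable IPv4 datagram")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or total_len > len(ip) or ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 version, header length or checksum")
    if ip[9] != IPPROTO_GRE:
        raise ValueError("IP protocol %d is not GRE" % ip[9])
    gre = ip[ihl:total_len]
    if len(gre) < 8:
        raise ValueError("truncated GREv2 header")
    flags, ptype, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if flags & GRE_VER_MASK != 1 or not flags & GRE_FLAG_K or ptype != GRE_PROTO_PPP:
        raise ValueError("not an enhanced-GRE header carrying PPP")
    opt_len = 4 * bool(flags & GRE_FLAG_S) + 4 * bool(flags & GRE_FLAG_A)
    if len(gre) < 8 + opt_len:
        raise ValueError("truncated GREv2 optional fields")
    off, seq, ack = 8, None, None
    if flags & GRE_FLAG_S:
        seq, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if flags & GRE_FLAG_A:
        ack, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    payload = gre[off:off + payload_len]
    if len(payload) != payload_len or payload_len < 2:
        raise ValueError("GREv2 payload length does not match the bytes present")
    ppp_proto = struct.unpack("!H", payload[:2])[0]   # step 4: which datagram PPP encloses
    return {"ip": {"src": str(ipaddress.IPv4Address(ip[12:16])),
                   "dst": str(ipaddress.IPv4Address(ip[16:20])), "protocol": ip[9]},
            "gre": {"call_id": call_id, "seq": seq, "ack": ack},
            "ppp": {"protocol": ppp_proto, "protocol_name": PPP_PROTOCOLS.get(ppp_proto, "unknown"),
                    "datagram": payload[2:]}}

def is_pptp_data_frame(frame):
    """Boolean form of the dissector, the shape a firewall or IDS pre-filter would use."""
    try:
        dissect_pptp_frame(frame)
        return True
    except ValueError:
        return False

# Constructed sample: PPP protocol field 0x0021 (IP) followed by stand-in datagram bytes.
SAMPLE_PPP_PAYLOAD = b"\x00\x21" + b"constructed-inner-ip-datagram"

def build_sample_frame():
    return encapsulate(SAMPLE_PPP_PAYLOAD, call_id=0x1234, seq=7,
                       src_ip="203.0.113.10", dst_ip="198.51.100.20")
```

One point the dissector makes visible for the firewall discussion earlier in the chapter: the tunnelled PPP data travels in GRE directly over IP (protocol 47), while TCP port 1723 carries only the PPTP control connection. A filter that opens port 1723 and nothing else passes the control channel but drops every data packet, and a filter that admits protocol 47 should, as above, insist on the enhanced-GRE version and the PPP protocol type rather than accepting any GRE.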