Advice on VPN usage

By default, the VPN uses a protocol called PPTP (Point-to-Point Tunneling Protocol) to achieve access. In order to facilitate the correct routing of traffic, PPTP employs another protocol called GRE (Generic Routing Encapsulation). Sadly, GRE behaves extremely badly in a NAT-routed environment.

So, if you configure your VPN access to be PPTP, then although this will work perfectly correctly through the Departmental Firewall from other remote networks, it may not work when you are connected to the Departmental Private Network.

We have implemented another type of VPN called L2TP (Layer 2 Transport Protocol), which is secured with the highly secure IPSec. This works fine in a NAT environment, so we advise you to read the VPN documentation to find out how to set it up.

For those who wish to have a little more technical detail, I will briefly explain. The NAT is unable to maintain "state tables" for GRE. The state tables are what the NAT uses to determine which system is accessing which service, where and how, and how the packets should be routed. Without correct state table information, the traffic flow is effectively broken. It is unclear whether this is a flaw in the GRE specification or in the way NAT handles the GRE traffic.

What actually happens is that the first PPTP connection through the NAT gets routed correctly. The second one fails. In failing it seems to corrupt the state tables for the first connection, thus causing the first connection to be torn down and rendering PPTP access almost entirely unusable.
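The following Python sketch is an added illustration, not part of the Department's VPN documentation or of any NAT product. It models a state table under the simplifying assumption that GRE flows can only be keyed by protocol and remote address (GRE carries no port numbers), while UDP flows each get their own public port; the `Nat` class, `simulate` function and all addresses are constructed for the example.

```python
# Simplified NAT state-table model (an assumption for illustration only).
GRE, UDP = 47, 17  # IP protocol numbers


class Nat:
    def __init__(self):
        self.table = {}         # reply key -> inside host that owns the flow
        self.next_port = 40000  # next free public source port

    def outbound(self, inside_ip, proto, remote_ip, dport=None):
        """Record state for an outgoing flow and return the key replies match."""
        if proto == GRE:
            # No ports to rewrite: every GRE flow to one server shares a key.
            key = (proto, remote_ip)
        else:
            # Port-based protocol: a unique public port separates the flows.
            key = (proto, remote_ip, dport, self.next_port)
            self.next_port += 1
        self.table[key] = inside_ip  # a colliding key overwrites the old owner
        return key

    def inbound(self, key):
        """Return the inside host that a reply matching `key` is delivered to."""
        return self.table.get(key)


def simulate(proto, dport=None):
    """Two inside clients open a tunnel to the same VPN server."""
    nat = Nat()
    server = "198.51.100.10"    # constructed documentation address
    first = nat.outbound("192.168.1.10", proto, server, dport)
    second = nat.outbound("192.168.1.11", proto, server, dport)
    # Where do replies for each client's tunnel end up?
    return nat.inbound(first), nat.inbound(second)


if __name__ == "__main__":
    # GRE: the second tunnel takes over the first tunnel's state entry.
    print("GRE:", simulate(GRE))
    # UDP-carried tunnel: each client keeps its own entry.
    print("UDP:", simulate(UDP, dport=4500))
```

In this model the first client's GRE replies are delivered to the second client once the second tunnel is opened, while the two UDP flows stay separate.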

Now, if you are accessing our Departmental VPN from an ADSL home network, it is highly likely that the home network is behind a NAT performing a similar function to ours. So if several VPN connections are opened from your home network (for example, if both spouses use VPN to access their respective work VPNs), the VPN is likely to fail from home as well, for precisely the same reasons.

We therefore advise all users to set up L2TP VPN rather than PPTP. This is covered in the VPN documentation.