In a previous article I explained what PPTP passthrough is and how it works. In this article I will explain why multiple VPN connections fail with certain routers. This issue only affects PPTP connections and it is directly related to PPTP passthrough.
Here is a brief comparison of how NAT handles PPTP VPN connections differently from normal connections. Read the PPTP passthrough link above for more details:
- When computers make normal outbound connections the source IP address is NATed to the public IP. Source ports are used to uniquely identify the multiple connections.
- When PPTP clients make outbound connections the same thing happens, but the call ID AND the destination IP are used instead of source ports to uniquely identify the VPN connections.
If a computer connects to IP address 220.127.116.11 using source port 6758 and another computer connects to the same IP using port 8755, NAT uses the port numbers to uniquely identify the connections. If for any reason both computers connect using the same source port, NAT can no longer tell the connections apart. To prevent this, NAT rewrites the colliding source port to a unique one, keeping the multiple connections distinguishable.
PPTP passthrough works in the same manner but uses call IDs in place of source ports. The difference is that if multiple PPTP clients try to use the same call ID, certain routers won’t rewrite the call IDs to be unique as they do with ports. This isn’t a problem when multiple VPN connections go to different IP addresses; since the destination IP is unique, NAT can use it to identify each VPN. If however they connect to the same IP and use the same call ID, the connections are no longer unique, so only the first connection works. This is why certain NAT routers fail when multiple VPNs connect to the same IP address: because the call ID and destination IP are the same, the NAT treats all of the VPN connections as one connection.
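The following toy NAT translation table, written here as an added illustration and not taken from the original article, shows the behaviour described above: normal TCP flows are keyed by source port and a colliding port is simply rewritten, while PPTP/GRE calls are keyed by (call ID, destination IP). A router without a PPTP editor drops the second client that reuses a call ID towards the same server, whereas one with a PPTP editor rewrites the call ID. All addresses, ports and call IDs are constructed sample values, and `Nat`, `translate_tcp` and `translate_pptp` are hypothetical names for this example only.

```python
# Added illustration (not from the original article): a toy outbound NAT that
# keys TCP flows by source port and PPTP/GRE calls by (call ID, destination IP),
# with an optional call-ID-rewriting "PPTP editor".
# All addresses, ports and call IDs below are constructed sample values.
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"  # constructed: the router's WAN address


@dataclass
class TcpFlow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PptpCall:
    src_ip: str    # private address of the VPN client
    dst_ip: str    # VPN server address
    call_id: int   # client-chosen call ID carried in the GRE header


@dataclass
class Nat:
    """Minimal outbound NAT: one table for TCP flows, one for PPTP calls."""
    pptp_editor: bool = False  # can this router rewrite call IDs?
    # (public port, dst IP, dst port) -> (private IP, private port)
    tcp_table: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    # (public call ID, dst IP) -> (private IP, private call ID)
    pptp_table: Dict[Tuple[int, str], Tuple[str, int]] = field(default_factory=dict)
    _port_gen: count = field(default_factory=lambda: count(40000))
    _call_gen: count = field(default_factory=lambda: count(1000))

    def translate_tcp(self, flow: TcpFlow) -> Tuple[str, int]:
        """Return the (public IP, public port) the server sees for this flow.
        A colliding source port is always replaced by a fresh unique one."""
        pub_port = flow.src_port
        while (pub_port, flow.dst_ip, flow.dst_port) in self.tcp_table:
            pub_port = next(self._port_gen)
        self.tcp_table[(pub_port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return PUBLIC_IP, pub_port

    def translate_pptp(self, call: PptpCall) -> Optional[Tuple[str, int]]:
        """Return the (public IP, call ID) the VPN server sees, or None when the
        call is indistinguishable from an existing one and is effectively lost."""
        key = (call.call_id, call.dst_ip)
        if key in self.pptp_table:
            if not self.pptp_editor:
                # Same call ID and same destination IP: without a PPTP editor the
                # router sees this as the first tunnel, so no new entry is made and
                # the second client's GRE traffic is folded into the first client's.
                return None
            new_id = next(self._call_gen)  # PPTP editor: pick an unused call ID
            while (new_id, call.dst_ip) in self.pptp_table:
                new_id = next(self._call_gen)
            key = (new_id, call.dst_ip)
        self.pptp_table[key] = (call.src_ip, call.call_id)
        return PUBLIC_IP, key[0]

    def inbound_pptp_owner(self, server_ip: str, call_id: int) -> Optional[str]:
        """Which private client receives a GRE packet from server_ip with call_id."""
        entry = self.pptp_table.get((call_id, server_ip))
        return entry[0] if entry else None


def two_clients_same_server(pptp_editor: bool) -> list:
    """Two clients behind the NAT dial the same VPN server with the same call ID,
    a third dials a different server. Returns what the servers see per client."""
    nat = Nat(pptp_editor=pptp_editor)
    server_a, server_b = "198.51.100.5", "198.51.100.6"  # constructed servers
    return [
        nat.translate_pptp(PptpCall("192.168.1.10", server_a, 1)),
        nat.translate_pptp(PptpCall("192.168.1.11", server_a, 1)),  # collision
        nat.translate_pptp(PptpCall("192.168.1.12", server_b, 1)),  # other IP: fine
    ]


if __name__ == "__main__":
    print("no PPTP editor:", two_clients_same_server(False))
    print("with PPTP editor:", two_clients_same_server(True))
```

The third client succeeds in both runs because its destination IP differs, which is exactly the case the article says is unproblematic; only the second client, sharing both call ID and destination IP with the first, is lost on a router without a call-ID-rewriting PPTP editor.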
Some NATs can detect the call ID “conflict” and will modify the call IDs to keep the multiple VPN connections unique. The NAT must have a PPTP editor to do this. This of course isn’t something router manufacturers generally advertise on their spec sheets; you will need to go digging around on their website to find it, as here for example on Netgear's router VPN support page. As you will see, some Netgear routers only support one VPN connection; these will be the ones that can’t modify the call IDs. Routers that support multiple VPN connections are the Netgear WGR614 Wireless Router, the Netgear FWAG114 ProSafe and Microsoft RRAS server.