I am interested in PPTP passthrough here not Ipsec etc. I have looked on the net but can't find out how it is done. I am an IT administrator myself and know a lot routing, NAT etc. I think I know how it works but have found it officially. I am just curious and would like someone to confirm my theory. here it is.
The problem first of all comes down to NAT when sharing one public IP address. NAT works using PAT to share the one public IP with with several private IP's. Without ports and PAT this woudn't be possible as when the packets come back from the destination they would all be addresseed to the public IP address. The router would have no way to distinguish the different packets from each other. By using the source ports and PAT it can though.
PPTP uses GRE which in itself is a different protocol to TCP or UDP. It doesn't actually use ports at all so this poses a problem with traversing a NAT device. When the packets come back from the internet to the router how can tell it which private IP these packets belong to without using PAT?
I think it works by monitoring the 1723 "channel". Using PPTP Passthrough the router associates the 1723 connection (which will use PAT/NAT) with the GRE packets going to the same destination IP. On other words when the GRE packets come back it doesn't know where to send them so it looks like the 1723 connection instead to find the private IP address. Is this correct, if not then how does it work?
I know there is NAT-T but I am led to believe that this is different to VPN passthrough...
I found this out msyself... PPTP Passthrough
As I suspected the GRE protocol used for the tunnel with PPTP doesn't use ports. This means it can't traverse a NAT device natively. There are two versions of GRE though; the native one and an enhanced version called Enhanced GRE used specifically for PPTP. The enhanced version adds a call ID into the header. Each VPN client behind the NAT creates it own unique call ID which is added to the GRE header. Routers that feature the VPN passthrough capability read this part of the header and match the call ID to the private IP address behind the NAT. The NAT device must support this feature. The NAT device reads this when the packet traverses it and inspects GRE packets coming back for this setting so it knows where to send it.
From http://www.shorewall.net/VPN.htm