When behind a NAT firewall, you can't make PPTP connections out from two internal machines to a single external server, and if you stop the connection from the first machine, you can't make a connection from another until 10 minutes are up.
Netfilter doesn't know about the link between a PPTP connection on TCP and the portless GRE protocol. When you create a PPTP connection, a NAT table entry with a default 10 minute timeout is added. When you disconnect the PPTP session, this entry is still in the table and has to time out before you can connect again.
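To confirm this diagnosis on the NAT box, look for the leftover GRE (IP protocol 47) entry in the connection tracking table. The script below is an added example, not part of the original page. It assumes the /proc/net/ip_conntrack line layout of 2.4/2.6 kernels, where a kernel without the PPTP helper lists GRE as "unknown"; the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample in the style of /proc/net/ip_conntrack on a kernel
# without the PPTP helper. Addresses are documentation ranges.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=1034 dport=1723 src=203.0.113.5 dst=198.51.100.2 sport=1723 dport=1034 [ASSURED] use=1
unknown  47 412 src=192.168.1.10 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.2 use=1
udp      17 25 src=192.168.1.11 dst=203.0.113.9 sport=1025 dport=53 src=203.0.113.9 dst=198.51.100.2 sport=53 dport=1025 use=1'

# Print "client server seconds_left" for every GRE entry read from stdin.
# Field 2 is the IP protocol number, field 3 the remaining timeout.
gre_entries() {
    awk '$2 == 47 {
        src = ""; dst = ""
        for (i = 4; i <= NF; i++) {
            # Keep only the first src=/dst= pair (the original direction).
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
        }
        print src, dst, $3
    }'
}

# Exit 0 if a GRE entry towards server $1 is still in the table, i.e. the
# old mapping has not timed out yet; exit 1 otherwise.
gre_blocked() {
    gre_entries | awk -v s="$1" '$2 == s { found = 1 } END { exit !found }'
}

# Stand-alone run on the sample; on a real NAT box feed the live table:
#   gre_entries < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE" | gre_entries
```

An entry that counts down from 600 seconds after the tunnel has been closed is the stale mapping described above.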
Get a kernel that supports PPTP connection tracking.
You have two options:
Install kernel 2.6.14 or higher, as PPTP connection tracking was merged into the mainline at that point.
Or patch an older kernel: grab a snapshot from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and untar it into a directory.
You also need some iptables source, so you could use the one in the version you will build below. Read that and return here.
$ cd /path/to/patch-o-matic/
$ export KERNEL_DIR=/usr/src/linux-2.6.10/
$ export IPTABLES_DIR=/tmp/iptables-1.2.10
$ ./runme pptp-conntrack-nat
Select 'y' to apply the patch.
I like to edit the Makefile to set EXTRAVERSION to -vpn as I also apply ipsec patches to my VPN kernels. Now, configure and build the kernel as usual - use make oldconfig to ask questions relevant to the new patch (answer Y or M to anything related to PPTP or GRE).
Build your kernel (using make-kpkg(1) if you're on Debian) and go for it.
When you've changed your kernel, the size of some structures changes, so you have to recompile the userspace iptables(8) tool to match.
On Sarge/Hoary:
$ mkdir /usr/src/iptables/
$ cd /usr/src/iptables
$ apt-get source iptables
$ tar -zvxf iptables_1.2.11-10.tar.gz
(Substitute version numbers as appropriate.)
These next two steps are to give you an IPTABLES_DIR for pom on the kernel, as above:
$ cd /tmp
$ tar -jvxf /usr/src/iptables/iptables-1.2.11/upstream/iptables-1.2.11.tar.bz2
$ cd iptables-1.2.11
$ vim scripts/prep.sh
Add "pptp-conntrack-nat" to the line that lists pomng_extensions.
$ dch -v 1.2.11-10itp1
Add your comment; this increments the package version number.
$ dpkg-buildpackage -uc -us -rfakeroot
You should end up with an iptables_1.2.11-10_i386.deb in the previous directory.
Note, this version of iptables and this kernel are married together. You can't use an unpatched iptables with a patched kernel, etc.