[pptp-server] More: LCP ConfRequest failing (A hint?)

Laurent 'case' Mahieux case at clight.fr
Mon Aug 16 03:17:22 CDT 1999


  Hi,

  sorry for the delay, lotta work ;)

On Tue, 3 Aug 1999, tmk wrote:

> The error you list means that the pptp control connection was successful,
> but the GRE (generic routing encapsulation - proto 47) did not connect. As
> such, ppp has nowhere to send its LCP requests and it can't get any
> response to them.
> 
> Usually the problem is running behind a NAT (aka masq) system, without the
> appropriate kernel mod or ip forwarding set up. The other possible problem
  Well, the NAT is a Cisco PIX, and it's working OK. What is not working
(I traced the problem to this) is that I'm not getting thru the Cisco
router to the Internet. The router has a simple config, allowing basic
services, and denying everything else.
  
> is that the other end (client's ISP) doesn't support protocol 47, and they
> refuse to route it to their subnet. This will squelch any possibility for
> running pptp :)
  Yup, I can see that. However, I can change config on both ends. The question
is what do I need to change. Does anyone know what to allow on a
Cisco 2500 (and I gather on any Cisco router)?

> I'm not exactly sure why NAT systems don't work, but i think it's because
> GRE isn't really TCP, it's an independent protocol, and as such it probably
> isn't recognized by ipchains or ipfwadm as something it can work with.
  That would probably be true on a linux system. The new set of 'ip' commands
might however solve this. I haven't looked at this yet, so I wouldn't know.

> ideas/comments? send them to the list
  Just did ;)

<snip>
> >   BTW, I'm not on the list, so if you intend me to read an answer, plz CC
> > me.
> >
> > Problem basically looks like this on server:
<snip>
> > Aug  3 14:06:28 finet0 pppd[8743]: sent [LCP ConfReq id=0x1 <auth chap 05>
> > <magic 0xfb5e95ef> <pcomp> <accomp>]
> > Aug  3 14:06:55 finet0 last message repeated 9 times
> > Aug  3 14:06:58 finet0 pptpd[8742]: GRE:
> > read(fd=4,buffer=804cffc,len=8196) from PTY failed: status = -1 error =
> > Input/output error
> > Aug  3 14:06:58 finet0 pptpd[8742]: CTRL: PTY read or GRE write failed
<snip>

> > I traced this to going thru a firewall (two actually).
> >
> > I went from the follownig setup:
<snip>
  Ugly ASCII. I'll try and do better:

Linux --- Cisco PIX --- Cisco Router --/Internet/-- Cisco Router --- Linux
          doing NAT     Firewalling                 Firewalling

  OK, this setup fails miserably. What I tried is that:

Linux --- Cisco PIX --- 3Com RAS 1500 --- Linux
          doing NAT        providing
                           dial-in access

  This works, so the fault is in my Cisco router access-list configuration.
It also shows that NAT does not break the setup if properly done. Excessive
filtering on the router/firewall does ;)

  I don't have time right now, but will investigate the access-list config
and mail any answer I can find.

  Thanks for the quick answer; apologies for my late answer.

  Regards,
    Laurent.

+------------------------------------------------------+----------------+
|case at clight.net    URL http://spring.clight.fr/~case/ | ** GO LINUX ** |
+------------------------------------------------------+----------------+
|                   Life's not fair                    |   My opinions  |
|            But the root password helps               | are my very own|
+------------------------------------------------------+----------------+
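The symptom in the quoted log (LCP ConfReq retried with no reply, then the GRE read failing) is what a filter that passes the TCP/1723 control connection but drops IP protocol 47 produces. The following Python is an added example, not code from the thread or from pptpd: it lists the two flows PPTP needs, checks a simple (proto, port) permit list for them, and classifies a pppd/pptpd syslog excerpt; the working-case log lines in the test are constructed.

```python
import re

# PPTP (RFC 2637) needs two separate flows through every filter on the path:
# the TCP/1723 control connection and GRE (IP protocol 47), which carries the
# PPP frames. A filter that only permits "basic" TCP services passes the first
# and silently drops the second, which is exactly the symptom in the thread.
PPTP_FLOWS = (("tcp", 1723), ("gre", None))

def missing_pptp_flows(permits):
    """permits: (proto, port) pairs the filter allows (port None = any port).
    Returns the PPTP flows such a filter would drop."""
    return [f for f in PPTP_FLOWS if f not in set(permits)]

# Syslog patterns for the server-side symptom quoted in the thread.
LCP_SENT = re.compile(r"pppd\[\d+\]: sent \[LCP ConfReq")
LCP_RCVD = re.compile(r"pppd\[\d+\]: rcvd \[LCP ")
REPEATED = re.compile(r"last message repeated (\d+) times")
GRE_FAIL = re.compile(r"pptpd\[\d+\]: (GRE: read\(.*\) from PTY failed"
                      r"|CTRL: PTY read or GRE write failed)")

def diagnose(lines):
    """Classify a pptpd/pppd log excerpt.
    'gre-blocked': LCP ConfReqs went out, nothing came back, then GRE I/O failed."""
    sent = rcvd = 0
    gre_fail = last_was_req = False
    for line in lines:
        if LCP_SENT.search(line):
            sent += 1
            last_was_req = True
            continue
        m = REPEATED.search(line)
        if m and last_was_req:           # syslog collapsed the retries
            sent += int(m.group(1))
            continue
        last_was_req = False
        if LCP_RCVD.search(line):
            rcvd += 1
        elif GRE_FAIL.search(line):
            gre_fail = True
    if sent and not rcvd and gre_fail:
        return "gre-blocked"
    if rcvd:
        return "lcp-exchanged"
    return "inconclusive"

# Constructed sample: the thread's failing excerpt with wrapped lines rejoined.
FAILING_LOG = [
    "Aug  3 14:06:28 finet0 pppd[8743]: sent [LCP ConfReq id=0x1 <auth chap 05> <magic 0xfb5e95ef> <pcomp> <accomp>]",
    "Aug  3 14:06:55 finet0 last message repeated 9 times",
    "Aug  3 14:06:58 finet0 pptpd[8742]: GRE: read(fd=4,buffer=804cffc,len=8196) from PTY failed: status = -1 error = Input/output error",
    "Aug  3 14:06:58 finet0 pptpd[8742]: CTRL: PTY read or GRE write failed",
]

if __name__ == "__main__":
    print(diagnose(FAILING_LOG))                                        # -> gre-blocked
    print(missing_pptp_flows([("tcp", 1723), ("tcp", 25), ("tcp", 80)]))  # -> [('gre', None)]
```

A permit list that names tcp/1723 but not gre reproduces the log above; adding the gre entry is the router-side change the thread is looking for.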