[pptp-server] Still unable to get pptp to work

Cowles, Steve Steve.Cowles at gte.net
Fri Sep 24 08:01:22 CDT 1999


Kevin,

Thanks for your reply. I tried your suggestions, but unfortunately had no
luck. The confusing part is the proxyarp setting was set to 0. But when I
look at the log files, I consistently see the message "found interface eth0
for proxy arp". Anyway, I tried setting proxyarp to 1. <groan> As for my
rc.firewall... what I posted is a highly modified (stripped down) version of
my main rc.firewall script. I have been using a separate script to help
debug why I can't get pptp to work. My main rc.firewall deals with the
"script kiddies" of the world, i.e. syn_floods, spoofing, pings, etc...

I guess what I am most puzzled about is the tcpdump captures. When I ping my
NT box (from Linux), I see the echo request and reply... but get 100% packet
loss. It's like pptp is not de-encapsulating the packet (if I understand how
pptp is working).
22:19:41.173435 192.168.9.1 > 192.168.9.101: icmp: echo request
22:19:41.618335 192.168.9.101 > 192.168.9.1: icmp: echo reply

but when I ping from my NT box (to Linux box) I do not see the reply.
22:23:48.428864 192.168.9.101 > 192.168.9.1: icmp: echo request
22:23:49.714634 192.168.9.101 > 192.168.9.1: icmp: echo request

The problem I am having seems similar to a problem I had with one of my
customers earlier this year. Basically, I set up a 3com Total Control Hub and
configured all analog modems for vpn authentication to a MS RAS server which
was also set up for VPNs. In short, all dialin users authenticated to their
MS Domain account, NOT the 3com box. This system worked flawlessly for over a
year, until I upgraded the RAS server to SP5 (which also loaded new vpn
drivers). Once I put the SP5 RAS server back on-line, all Windows 98 clients
had the identical problem as I am having with pptp (PopTop). They could
connect, authenticate, but not a single packet would pass across the VPN.
Windows 95 clients and NT Workstations did not have this problem. After
working with 3com support, it was discovered that the WIN98 clients had to
upgrade their dialup software (DUN). This actually worked. Fricken WIN98
POS!!! My point being, I would like to test my system with WIN95. But all
of my systems are Win NT4.0 based. In fact, where I now work (on contract),
they have mandated NO Windows 98. Just NT Workstation. Oh well.

Again thanks for your help
Steve Cowles


----- Original Message -----
From: tmk <tmk at netmagic.net>
To: Cowles, Steve <Steve.Cowles at gte.net>; <pptp-server at lists.schulte.org>
Sent: Thursday, September 23, 1999 11:39 PM
Subject: Re: [pptp-server] Still unable to get pptp to work


> wow. thanks for the detailed logs. I'll truncate them for the sake of
> saving bandwidth
>
> Packets are obviously getting into your network (tcpdump shows that much),
> and the intended host is replying, BUT it doesn't get there.
>
> Stuff I noticed:
>
> Your forward stuff is a little out of whack. unless you run a pptp client
> on your linux box, you don't need the
> ${IPCHAINS} -A forward -p tcp -s ${EXT_IP} 1723 -j ACCEPT
> line.. pptp doesn't use 1723 to reply from.
> I think
> ${IPCHAINS} -A forward -p 47 -s ${EXT_IP} -j ACCEPT
> Is also useless. your output firewall isn't blocking this, so you're fine.
> your linux box is the source of all pptp traffic.
>
> Only thing I can think of is that proxyarp isn't enabled or isn't working
> properly
> try
> echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
> or
> echo "1" > /proc/sys/net/ipv4/conf/ppp0/proxy_arp
> if you are paranoid.. (this only works if ppp0 exists!)
>
> you probably already have ip forwarding enabled.. but check that just in
> case
> echo "1" > /proc/sys/net/ipv4/ip_forward
> in case you didn't know..
>
> you might also try
> ${IPCHAINS} -A forward -j MASQ -s ${INT_NET} -d  ! ${INT_NET}
> instead of
> ${IPCHAINS} -A forward -j MASQ -s ${INT_NET} -d ${ANYWHERE}
>
> Kevin
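
The kernel settings named in the quoted reply can be read back in one pass while the tunnel is up. This is an added example, not part of either message; `PROC_ROOT`, `read_flag` and `check_pptp_kernel` are names assumed here, and `ppp0` is the interface name used in the reply.

```shell
#!/bin/sh
# Added example: report the kernel settings named in the quoted reply.
# PROC_ROOT is an assumption added here so the check can be pointed at a
# constructed directory tree; it defaults to the live /proc.

# read_flag FILE -> prints the file's value, or "missing" if it cannot be read
read_flag() {
    if [ -r "$1" ]; then
        tr -d ' \t\n' < "$1"
    else
        printf 'missing'
    fi
}

# check_pptp_kernel [IFACE] -> prints one line per setting; returns 0 only if
# IP forwarding is on and proxy ARP is on for "all" or for IFACE.
check_pptp_kernel() {
    iface="${1:-ppp0}"
    base="${PROC_ROOT:-/proc}/sys/net/ipv4"
    fwd=$(read_flag "$base/ip_forward")
    all=$(read_flag "$base/conf/all/proxy_arp")
    dev=$(read_flag "$base/conf/$iface/proxy_arp")

    echo "ip_forward=$fwd"
    echo "conf/all/proxy_arp=$all"
    # "missing" here means the interface does not exist (tunnel not up)
    echo "conf/$iface/proxy_arp=$dev"

    rc=0
    if [ "$fwd" != "1" ]; then
        echo "FAIL: IP forwarding is off"
        rc=1
    fi
    # The kernel ORs the "all" value with the per-interface value, so
    # either one being 1 enables proxy ARP on that interface.
    if [ "$all" != "1" ] && [ "$dev" != "1" ]; then
        echo "FAIL: proxy ARP is off for $iface"
        rc=1
    fi
    return $rc
}
```

Run `check_pptp_kernel ppp0` after a client has connected; a `missing` value for the per-interface file means the check ran before the ppp interface existed.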





