[pptp-server] Truly newbie

John Van Ostrand john at netdirect.ca
Fri Apr 21 10:26:52 CDT 2000


> First of all let me say this VPN implementation is one of the easiest
> I've seen. Since I'm really a newbie to Linux and VPN I'm really glad
> of getting something that works.
> 
> Second, and before my question, I'll introduce myself. My name is Ivan
> Montoro and I'm a junior system administrator in a little corporation in
> Spain. Someone told me he wants to work from another office via Internet
> with Microsoft VPN.
> 
> Then, my question: I've followed all steps in RedHat-Howto and my VPN
> works fine (well, some minor errors). The only thing I'm not sure if
> it's my fault or the document's is I have to insmod mppe each time I
> start the VPN daemon via pptpd.init. Well, just a comment.

Sounds like you forgot to add the following line to the /etc/conf.modules
file:

	alias ppp-compress-18 ppp_mppe

> Then for testing I've set up a Windows 95 with VPN, and called a local
> ISP. Then I run my VPN connection to the linux box and it connects! I
> can ping my "virtual" address (192.168.1.30) and the remote "virtual"
> address (192.168.1.20). I can also telnet to the linux box to check out
> the connection, and snooping I see encrypted data. But then I can't ping
> any other host on my network and can't open \\SERVER\resource.

Sounds like you need to add the "proxyarp" argument to your /etc/ppp/options
file. You might also want to add "ms-wins w.x.y.z" arguments using your WINS
address instead of w.x.y.z. Check the pppd man page for more info on these.

> I think I also need to set up ipchains to masquerade this IP... Is that
> the problem?

This shouldn't be a problem. I haven't done this yet, but you might want to
try the following commands:

	# Default policy
	ipchains -P forward DENY
	# Allow same network forwarding so you can reach your servers
	ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
	# Masquerade everything else
	ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ

> Another little thing is if I can use my domain security to feed in some
> way /etc/ppp/chap.secrets, so security is managed through my PDC. That's
> a minor problem, but anti-linux people here will attack penguin's OS by
> that way.

I've been thinking about this problem for a while and haven't come up with a
solution yet. The real limitation here is that in order to use CHAP
authentication PPPD must have the clear text form of the password. WinNT
stores the password in a hash that can be reversed, Linux/Unix does not.
This is why CHAP cannot be used with the "login" pppd option.

The only way around this, that I can think of, is to put a RADIUS server on
WinNT and compile pppd with the radius authentication extensions. I haven't
tried this, nor have I spent much time investigating this so at this point
it's just a theory.

Can anyone add to this RADIUS theory???

The work-around (until I can figure out how to do this) is to set up your
chap-secrets file with the domain and logon that is used on the PDC. The
password could be different. If this is set up then Win9x and WinNT users
will be able to access the resources on the NT domain. If the password is
not the same they may have to logon again when first accessing. Here is an
example chap-secrets file:

	# client		server	secret		IP addresses
	SALES_DOM\\JSMITH	*	"mypasswd"	*

> Thanks a lot in advance,
> 
> Ivan Montoro
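Added example, not part of the original thread: a small parser that reads a
chap-secrets file with pppd-style quoting (double-quoted words, backslash
escapes, '#' comments) to show why the domain logon above is written with a
doubled backslash and what happens when it is not. The lookup is a simplified
version of pppd's client/server matching, and the sample file is constructed.

```python
def tokenize(line: str) -> list[str]:
    """Split one chap-secrets line into words using pppd-style quoting."""
    words: list[str] = []
    word, have_word, in_quote, i = "", False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):     # backslash escapes next char
            word, have_word, i = word + line[i + 1], True, i + 2
        elif c == '"':                          # toggle quoted mode
            in_quote, have_word, i = not in_quote, True, i + 1
        elif not in_quote and c == "#" and not have_word:
            break                               # '#' at word start: comment
        elif not in_quote and c.isspace():
            if have_word:
                words.append(word)
                word, have_word = "", False
            i += 1
        else:
            word, have_word, i = word + c, True, i + 1
    if have_word:
        words.append(word)
    return words

def parse_chap_secrets(text: str) -> list[dict]:
    """Entries as dicts: client, server, secret, addresses (may be empty)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = tokenize(line)
        if not words:                            # blank or comment-only line
            continue
        if len(words) < 3:
            raise ValueError(f"line {lineno}: need client, server and secret")
        entries.append({"client": words[0], "server": words[1],
                        "secret": words[2], "addresses": words[3:]})
    return entries

def lookup_secret(entries: list[dict], client: str, server: str = "*"):
    """Secret pppd would pick for client; an exact server match beats '*'."""
    best = None
    for e in entries:
        if e["client"] == client and e["server"] in ("*", server):
            if best is None or (e["server"] != "*" and best["server"] == "*"):
                best = e
    return None if best is None else best["secret"]

# Constructed sample: JSMITH escaped the backslash, JDOE did not.
SAMPLE = r'''# client           server  secret       IP addresses
SALES_DOM\\JSMITH    *       "mypasswd"   *
SALES_DOM\JDOE       *       "pass word"  192.168.1.31
'''
```

With the single backslash the client name becomes SALES_DOMJDOE, so the peer
SALES_DOM\JDOE never matches and authentication fails.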
