From support at tecpro.com Tue Aug 1 00:17:33 2000 
From: support at tecpro.com (Charles Peters - Tech Support)
Date: Tue, 1 Aug 2000 01:17:33 -0400
Subject: [pptp-server] FreeBSD, Samba, PoPToP Connection Problems (internally and externally)
Message-ID: <3986252D.13100.DC51BC@localhost>

Greetings:

I have a FreeBSD 4.0 server running Samba 2.0.7, and PoPToP-1.0.0. I have 2 network interface cards in this machine, one with an internal ip address (192.168.0.4) and the other with an external ip address (24.4.xxx.xxx). This machine is connected to the internet via a cable modem, and is also connected to a lan on 192.168.0.

My Windows 98 computer is also connected to the lan, with an ip address of 192.168.0.7. When this machine attempts to establish a vpn connection to the internal interface (192.168.0.4), the connection is allowed, but when I try and connect to the external network card from the win 98 box, I get the following error:

    Error 629: You have been disconnected from the computer that you dialed.
    Double click the connection to try again.

I also get the same error from computers across the internet attempting to connect to the external adapter. These other computers are also on lans, but have internet access via a cable modem and a freebsd gateway running nat and ipfw. Computers connected to the internet via real connections (no nat) also get the same error message.

My first concern is where these connection rejection messages appear, they don't show up in /var/log/messages or /var/log/ppp.conf.

Secondly, how do I fix the problem. As far as I can tell, the vpn is working properly inside the lan, the problem is in connecting from outside the lan.

It should be noted that I am attempting to connect thru a freebsd gateway running ipfw and nat. The firewall type is OPEN.

Any help would be appreciated, as I have spent a considerable amount of time and effort on this project, and am no closer to a solution after about 30 hours. Maybe it's time to cut my losses, and find another method for establishing a vpn.
Suggestions to this end are also appreciated.

Thanks in Advance!!!

Charles
support at tecpro.com

Charles Peters
mailto:support at tecpro.com

From ivanfetch at technologist.com Tue Aug 1 01:27:36 2000
From: ivanfetch at technologist.com (Ivan Fetch)
Date: Tue, 01 Aug 2000 00:27:36 -0600 (MDT)
Subject: [pptp-server] FreeBSD, Samba, PoPToP Connection Problems (internally and externally)
In-Reply-To: <3986252D.13100.DC51BC@localhost>
Message-ID:

Hello,

Have you ever tried connecting to your external interface via a windows machine which is not going through a firewall, but instead is directly connected to the Internet? This could help to narrow down your problem.

If you are using natd on the other FreeBSD gateways (the ones you are trying to connect to your VPN machine through) you need to specify something like this to natd. I have my natd_flags set to "-f /etc/natd.conf" - This file contains:

    unregistered_only yes
    pptpalias 192.168.0.7

The address 192.168.0.7 is the address of a machine I would like to be allowed to use VPN through that gateway. You can only do this with *one* machine. If you have a need to do this with more than one machine perhaps you could look at VPN'ing the two gateways together.

Hopefully some of this will help, if not please let me know and I will see what else I can do.

Ivan Fetch.

On Tue, 1 Aug 2000, Charles Peters - Tech Support wrote:

> [...]

From giuseppebordoni at tiscalinet.it Tue Aug 1 04:37:51 2000
From: giuseppebordoni at tiscalinet.it (Giuseppe Bordoni)
Date: Tue, 1 Aug 2000 11:37:51 +0200
Subject: [pptp-server] (no subject)
Message-ID: <01BFFBAC.ED35B590.giuseppebordoni@tiscalinet.it>

> PPTP does not dial the modem/etc... it uses an ALREADY EXISTING IP
> connection to establish the VPN (and that's the only way it works AFAIK).
> You would use ipppd to create your ISP/dial connection, then establish
> the VPN using pptp and pppd.

Thank you for the answer but the problem is not clear for me (excuse me for the insistence and for my horrible English).

I use a debian 2.1 (slink) with isdn4linux; when I connect to internet on my linux-box the pppd daemon doesn't run but _only_ ipppd.

How could I use pptpd? Must I execute pppd manually? Excuse me but I'm really a beginner!

Thanks,
Giuseppe Bordoni

From adam at morrison-ind.com Tue Aug 1 06:34:46 2000
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Tue, 1 Aug 2000 07:34:46 -0400
Subject: [pptp-server] (no subject)
In-Reply-To: <01BFFBAC.ED35B590.giuseppebordoni@tiscalinet.it>
References: <01BFFBAC.ED35B590.giuseppebordoni@tiscalinet.it>
Message-ID: <200008011134.e71BYkK23679@barracuda.morrison.iserv.net>

>> PPTP does not dial the modem/etc... it uses an ALREADY EXISTING IP
>> connection to establish the VPN (and that's the only way it works AFAIK).
>> You would use ipppd to create your ISP/dial connection, then establish
>> the VPN using pptp and pppd.

> Thank you for the answer but the problem is not clear for me (excuse me
> for the insistence and for my horrible English).
> I use a debian 2.1 (slink) with isdn4linux; when I connect to internet
> on my linux-box the pppd daemon doesn't run but _only_ ipppd.
> How could I use pptpd? Must I execute pppd manually? Excuse me but I'm
> really a beginner!

That's fine. PPTP will not affect how you currently connect to the internet. That creates an IP connection through which you can contact the VPN server (your office, etc...)

You then run

    pptp vpn.servers.name call vpn

This starts the PPTP which does some initial negotiation with the VPN server and then starts PPPD with the options "call vpn". "call vpn" instructs pppd to read its options out of /etc/ppp/peers/vpn (at least on my distribution), where you can set things like mru, mtu, etc....

So if the VPN is up you should see ipppd, pptp, and pppd running.

There have been scripts posted on this list that "automate" the pptp connection process somewhat.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

From giuseppebordoni at tiscalinet.it Tue Aug 1 07:51:51 2000
From: giuseppebordoni at tiscalinet.it (Giuseppe Bordoni)
Date: Tue, 1 Aug 2000 14:51:51 +0200
Subject: [pptp-server] (no subject)
Message-ID: <01BFFBC8.087157E0.giuseppebordoni@tiscalinet.it>

> That's fine. PPTP will not affect how you currently connect to the internet...
> There have been scripts posted on this list that "automate" the pptp connection
> process somewhat.

Thank you for the exhaustive answer. I would be very grateful if you send me in private the scripts.

Unfortunately I have another doubt: to realize a "tunnel" must the client and the server absolutely have static IP addresses?

Thanks,
Giuseppe Bordoni

From gord at amador.ca Tue Aug 1 08:20:27 2000
From: gord at amador.ca (Gord Belsey)
Date: Tue, 1 Aug 2000 07:20:27 -0600
Subject: [pptp-server] pptpd.conf localip and remoteip parameters...
References: <000b01bffb5d$6f590ae0$0201a8c0@olmpi1.wa.home.com>
Message-ID: <01a301bffbbb$42943ad0$280111ac@amadorinc.com>

Hi Jean-Francois:

The localip and remoteip settings in pptpd.conf tell the PoPToP server what ip addresses to allocate to each client connection. If you look at ifconfig when you have a pptp (ppp) connection up, you'll see the ip address of the server end (inet addr) and the remote (client) end (P-t-P). pptpd will assign these addresses based on what you have configured. The localip setting is the range of addresses pptpd can use to assign the inet addr (local) end of the ppp connection, and remoteip is the range of addresses pptpd will assign to the remote end.

In my case, my inside (LAN) addressing is 172.17.1.0. I use

    localip 172.17.1.190-194
    remoteip 172.17.1.195-199

in pptpd.conf. So, the first pptp client will get 172.17.1.190 assigned for the PoPToP end of the ppp connection and 172.17.1.195 assigned for the client end of the ppp connection. I hope this makes it clearer.

A couple of things to note.....in /etc/ppp/options, I have proxyarp as one of the settings. This "maps" the address for the server end to the LAN interface, so it acts like that address is "on" the LAN. Kind of a simplistic explanation, but it's important.

Also in /etc/ppp/options I have ipcp-accept-remote and ipcp-accept-local. Here's how the ipcp-accept-remote comes into play: On the client, I also have ipcp-accept-remote and ipcp-accept-local in /etc/ppp/options. When I start my client, I specify the ip address I want to use for the client end. So, even though the pptp server is configured to assign the ip address to the client, pptpd over-rides that and uses the ip address specified. The only reason I do this is for management. I have several clients connecting, and it's easier to assign a specific address to each of them so I can put them in my name server.

I've seen different approaches to how people choose the addresses for the vpn connections on this list. Maybe someone else has some comments and/or suggestions.

I hope this helps to answer your question, and give you some ideas of how you can configure your server and clients. Good luck.

Gord Belsey

----- Original Message -----
From: Jean-Francois Gagnon
To:
Sent: Monday, July 31, 2000 8:08 PM
Subject: [pptp-server] pptpd.conf localip and remoteip parameters...

> Hi,
>
> I have a hard time understanding both these parameters (localip and
> remoteip) and what they should contain.
>
> The setup I am trying to achieve:
>
> Linux box at home:
> eth0: 192.168.1.1 internal NIC
> eth1: @Home address
> Samba
> firewall installed on eth1:
> other computers IPs are on 192.168.1.* subnet
>
> I would like to have the remote connection land on this same subnet, what
> should these parameters (localip and remoteip) be containing?
>
> Regards
>
> Jean-Francois Gagnon
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From adam at morrison-ind.com Tue Aug 1 07:15:17 2000
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Tue, 1 Aug 2000 08:15:17 -0400
Subject: [pptp-server] (no subject)
In-Reply-To: <01BFFBC8.087157E0.giuseppebordoni@tiscalinet.it>
References: <01BFFBC8.087157E0.giuseppebordoni@tiscalinet.it>
Message-ID: <200008011215.e71CFHK23698@barracuda.morrison.iserv.net>

>> There have been scripts posted on this list that "automate" the pptp
>> connection process somewhat.

> Thank you for the exhaustive answer.
> I would be very grateful if you send me in private the scripts.

I don't have the scripts, I've just seen them go by on the list. There was one this month (July 2000). Archives of this list are available on the PoPToP web site.

> Unfortunately I have another doubt: to realize a "tunnel" must the client and
> the server absolutely have static IP addresses?

Not exactly. The client and server's IP addresses must not change during the life-time of the tunnel, which seems unlikely anyway.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

From medwards at ega.com Tue Aug 1 14:36:34 2000
From: medwards at ega.com (Mike Edwards)
Date: Tue, 01 Aug 2000 14:36:34 -0500
Subject: [pptp-server] speed issues and ppp.c compile problems
Message-ID: <398726C2.46C92F0D@ega.com>

Hi!

After successfully installing pptp and friends on a 486-66 box, we found that the VPN established was so slow as to be unusable--even with a T1 connection on the server side and a cable modem (600+Kbps downstream, 128+Kbps upstream) on the client side. My first question then is, What are the minimum hardware requirements for the PoPToP Server? I should add that our main goal is to run a client application over the VPN. (The software is a print-management system for the commercial printing industry running on an NT box with MS SQL Server. The NT pptp server wouldn't work at all and, besides, it's Not Scottish!)

I am already trying to re-install on a P133 box, but have run into compilation problems. I am using a stock Red Hat 2.2.14 kernel and tarballs of OpenSSL 0.9.5 and ppp-2.3.11. I applied the appropriate ppp/openssl/mppe patch before compiling, but when I ran "make modules" it bombed out on the ppp.c compile, giving errors to the effect of "static declaration for X follows non-static" where X is ppp_register_compressor and ppp_unregister_compressor. Did I miss a patch somewhere or must I be running a 2.2.16 kernel?

Thanks in advance!
Mike

--
Mike Edwards, MIS
Edwards Graphic Arts, Inc.
2700 Bell Avenue
Des Moines, IA 50321

From adam at morrison-ind.com Tue Aug 1 13:56:33 2000
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Tue, 1 Aug 2000 14:56:33 -0400
Subject: [pptp-server] speed issues and ppp.c compile problems
In-Reply-To: <398726C2.46C92F0D@ega.com>
References: <398726C2.46C92F0D@ega.com>
Message-ID: <200008011856.e71IuXd23968@barracuda.morrison.iserv.net>

> After successfully installing pptp and friends on a 486-66 box, we found
> that the VPN established was so slow as to be unusable--even with a T1
> connection on the server side and a cable modem (600+Kbps downstream,
> 128+Kbps upstream) on the client side. My first question then is, What
> are the minimum hardware requirements for the PoPToP Server? I should
> add that our main goal is to run a client application over the VPN.
> (The software is a print-management system for the commercial printing
> industry running on an NT box with MS SQL Server. The NT pptp server
> wouldn't work at all and, besides, it's Not Scottish!)

My VPN server is a 486DX133 with 20Mb. Handles up to 5 connects, and fast.

> I am already trying to re-install on a P133 box, but have run into
> compilation problems. I am using a stock Red Hat 2.2.14 kernel and
> tarballs of OpenSSL 0.9.5 and ppp-2.3.11. I applied the appropriate
> ppp/openssl/mppe patch before compiling, but when I ran "make modules"
> it bombed out on the ppp.c compile, giving errors to the effect of
> "static declaration for X follows non-static" where X is
> ppp_register_compressor and ppp_unregister_compressor. Did I miss a
> patch somewhere or must I be running a 2.2.16 kernel?

Have you tried using the "clean" source from ftp.kernel.org? Redhat kernel source RPMS contain other patches. (And I've had no luck with 2.2.16.)

From opjose at ex-pressnet.com Tue Aug 1 17:24:22 2000
From: opjose at ex-pressnet.com (Jose M. Sanchez)
Date: Tue, 1 Aug 2000 18:24:22 -0400
Subject: [pptp-server] speed issues and ppp.c compile problems
In-Reply-To: <398726C2.46C92F0D@ega.com>
Message-ID:

This might be a fragmentation problem.

PPTP needs to encapsulate the entire PPP TCP/IP packet WITHIN another IP packet. The problem is that the "inner" packet does not "fit".

In your PPTP options file (make sure that you are getting the right one, it does no good for you to modify your PPP options file to connect to your ISP!) reduce the size of the MTU & MRU values... i.e.

    mru 1400
    mtu 1400

Smaller still if you are using encryption...

That said, note that the PPTP speed will indeed be SLOWER than your normal connection rate. I've recently read a few discussions which indicated that the maximum speed is approximately 1/2 your bandwidth speed if encryption is enabled.

Post your results.

Cheers.

-JMS

|-----Original Message-----
|From: pptp-server-admin at lists.schulte.org
|[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Mike Edwards
|Sent: Tuesday, August 01, 2000 3:37 PM
|To: pptp-server at lists.schulte.org
|Subject: [pptp-server] speed issues and ppp.c compile problems
|
|[...]

From bdenheyer at nextcomminc.com Tue Aug 1 17:26:18 2000
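Following Jose M. Sanchez's message above, an added example (not from the list or from the PoPToP project) that works out where a figure like 1400 comes from: it adds up the encapsulation a PPTP data packet carries in front of the inner IP packet, using the header sizes in RFC 2637 (GRE with the key and sequence fields always present and an acknowledgement field when one is piggy-backed) and RFC 3078 (protocol 0x00FD plus a 2-byte MPPE header ahead of the encrypted PPP protocol field), and then checks a pppd options file against that budget. The 1500-byte outer MTU, the two options-file samples and all function names are assumptions made for the example.

```python
"""Added example (not from the list thread): size the PPTP encapsulation and
check pppd mtu/mru settings against it."""

# Header sizes per RFC 2637 (PPTP/GRE) and RFC 3078 (MPPE). The PPP framing
# part depends on whether address/control (ACFC) and protocol field (PFC)
# compression were negotiated; pptpd installs of this era mostly had neither.
OUTER_IPV4 = 20            # outer IPv4 header (no options) carrying GRE
GRE_BASE = 8               # flags/version/protocol (4) + key: payload length + call ID (4)
GRE_SEQ = 4                # sequence number, present on every PPTP data packet
GRE_ACK = 4                # acknowledgement number, present when piggy-backed
PPP_ADDR_CTRL = 2          # 0xff 0x03, absent when ACFC is negotiated
PPP_PROTO = 2              # protocol field, 1 byte when PFC is negotiated
PPP_PROTO_COMPRESSED = 1
MPPE_HEADER = 2            # coherency count + flag bits in front of the ciphertext


def pptp_overhead(encrypted=True, ack=True, acfc=False, pfc=False):
    """Bytes added in front of the inner IP packet by one PPTP data packet.

    The defaults are the worst case: MPPE on, a GRE ack piggy-backed, and no
    PPP header compression.
    """
    overhead = OUTER_IPV4 + GRE_BASE + GRE_SEQ + (GRE_ACK if ack else 0)
    overhead += 0 if acfc else PPP_ADDR_CTRL
    proto = PPP_PROTO_COMPRESSED if pfc else PPP_PROTO
    if encrypted:
        # RFC 3078: protocol 0x00FD, the 2-byte MPPE header, then the original
        # protocol field and data encrypted together.
        overhead += PPP_PROTO + MPPE_HEADER + proto
    else:
        overhead += proto
    return overhead


def max_inner_mtu(outer_mtu=1500, **kw):
    """Largest pppd mtu/mru that never forces the outer GRE/IP packet to fragment."""
    return outer_mtu - pptp_overhead(**kw)


def parse_pppd_options(text):
    """Pull mtu/mru out of pppd options-file text ('#' starts a comment)."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(line.split("#", 1)[0].split())
    found = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("mtu", "mru"):
            found[tok] = int(tokens[i + 1])
    return found


def check_options(text, outer_mtu=1500, **kw):
    """Return (option, configured, limit) for every mtu/mru above the budget."""
    limit = max_inner_mtu(outer_mtu, **kw)
    configured = parse_pppd_options(text)
    return [(opt, val, limit) for opt, val in sorted(configured.items()) if val > limit]


# Constructed samples: the pppd default of 1500 versus the value suggested on the list.
DEFAULT_OPTIONS = "lock\nname vpnserver\nmtu 1500 # pppd default\nmru 1500\n"
TUNED_OPTIONS = "lock\nname vpnserver\nmtu 1400\nmru 1400\n"

if __name__ == "__main__":
    print("worst-case overhead:", pptp_overhead(), "bytes; max inner mtu:", max_inner_mtu())
    print("pppd defaults:", check_options(DEFAULT_OPTIONS))
    print("tuned options:", check_options(TUNED_OPTIONS))
```

With the worst-case defaults the budget is 44 bytes, so anything above 1456 can fragment on a 1500-byte path; the 1400 suggested on the list leaves a further margin for whatever sits between client and server (an 8-byte PPPoE header on a DSL link, for example). Setting both mtu and mru matters, since the server-to-client direction is governed by the mru the client advertises.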
From: bdenheyer at nextcomminc.com (Brian Denheyer)
Date: Tue, 1 Aug 2000 23:26:18 +0100 (GMT Daylight Time)
Subject: [pptp-server] getting started with pptp
Message-ID: <14727.20106.460000.532782@gargle.gargle.HOWL>

I've noticed that the how-to is out of date. I was wondering if there is a more up-to-date how to document somewhere.

In the meantime, here is my version of the old howto modified by what I think needs to be done. I'd like to have some idea of what I am doing before I get started.

1. Grab yourself a clean copy of the PPP daemon v2.3.8 (ppp-2.3.8.tar.gz).

** I've got ppp 2.3.10

2. Grab yourself the MSCHAPv2/MPPE diff file from:

** I grabbed the ppp-2.3.10 diffs plus the stateless patch.

3. Grab yourself the SSLeay-0.6.6b file from:

** As far as I can tell there is no 0.6.6b so I got the latest - 0.9b

4. You should now have 3 files:

** How about 4 files:
   SSLeay-0.9.0b
   ppp-2.3.10
   ppp-2.3.10-openssl-norc4-mppe-patch
   mppe_stateless

Copy these files to your preferred location (I prefer /usr/local/src/)

** Me too.

5. Assuming your files are in /usr/local/src/ and your current working directory is also /usr/local/src/ do the following:

    [tar zxvf ppp-2.3.8.tar.gz]
    [gunzip ppp-2.3.8-mppe-others-norc4_TH7.diff.gz]
    [tar zxvf SSLeay-0.6.6b.tar.gz]
    [cp SSLeay-0.6.6b/crypto/rc4/rc4.h ppp-2.3.8/linux/]
    [cp SSLeay-0.6.6b/crypto/rc4/rc4_enc.c ppp-2.3.8/linux/]
    [cp SSLeay-0.6.6b/crypto/rc4/rc4.h /usr/src/linux/drivers/net/]
    [cp SSLeay-0.6.6b/crypto/rc4/rc4_enc.c /usr/src/linux/drivers/net/]
    [cp ppp-2.3.8-patch1 ppp-2.3.8/pppd]
    [cd ppp-2.3.8/pppd]
    [patch -p0 < ppp-2.3.8-patch1]
     ^^^^^^^^^^^^^^^^ Huh ?? There is no equivalent 2.3.10 file.
    [cd /usr/local/src/]
    [patch -p0 < ppp-2.3.8-mppe-others-norc4_TH7.diff]
    [cd ppp-2.3.8]

Even with this step there are problems. Apparently you need the "key" file also.

Also, does anyone know why applying the mppe_stateless patch fails? It looks like it should work just fine.... (and no it's not the dreaded CR/NL problem. Ignoring whitespace doesn't work either. Is it just me or is patch kind of a sensitive program?)

Step 6 failed miserably for me, I wasn't able to build the kernel.

Any pointers will be most appreciated.

Brian

From bdenheyer at nextcomminc.com Tue Aug 1 18:51:34 2000
From: bdenheyer at nextcomminc.com (Brian Denheyer)
Date: Wed, 2 Aug 2000 00:51:34 +0100 (GMT Daylight Time)
Subject: [pptp-server] kernel fails to build
Message-ID: <14727.25222.830000.101720@gargle.gargle.HOWL>

I tried again to patch and build everything. ppp seems to build ok. The kernel has problems:

    PPP_MAGIC
    PPP_VERSION

are both undeclared and so cause errors.

I also get a strange error message about ppp_register_compressor_Rsmp_... and ppp_unregister_compressor_Rsmp... "static declaration follows non-static".

Did I forget to check off something in make menuconfig??

Brian

From teastep at evergo.net Tue Aug 1 20:43:34 2000
From: teastep at evergo.net (Tom Eastep)
Date: Tue, 1 Aug 2000 18:43:34 -0700 (PDT)
Subject: [pptp-server] kernel fails to build
In-Reply-To: <14727.25222.830000.101720@gargle.gargle.HOWL>
Message-ID:

Thus spoke Brian Denheyer:
>
> I tried again to patch and build everything. ppp seems to build ok.
> The kernel has problems :
>
> PPP_MAGIC
> PPP_VERSION
>
> are both undeclared and so cause errors.
>

Edit /usr/src/linux/include/linux/if_ppp.h and add the following:

    #define PPP_MAGIC 0x5002
    #define PPP_VERSION "2.3.11"

The second of course depends on your ppp version...

-Tom
--
Tom Eastep              \ Eastep's First Principle of Computing:
ICQ #60745924           \ "Any sane computer will tell you how it
teastep at evergo.net   \ works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________

From leif at l3system.net Wed Aug 2 07:33:21 2000
From: leif at l3system.net (Leif Larsson)
Date: Wed, 02 Aug 2000 14:33:21 +0200
Subject: [pptp-server] patch - fix
Message-ID: <39881511.110EB4FA@l3system.net>

Hello everyone,

I saw some days ago that someone had a patch or fix/script to solve (more or less) this problem:

I want to assign addresses (both local and remote) depending on who is calling.

I have read a lot about pppd but I can see a solution that assigns both remote and local ip depending on username.

Any help would be appreciated

Leif

________________
L3 System
www.l3system.net
----------------
PGP key fingerprint = 11 81 96 E6 F0 91 ED 4D 13 82 44 99 99 DB AE 8B

From P.J.Reid at earthling.net Wed Aug 2 08:05:53 2000
From: P.J.Reid at earthling.net (Patrick Reid)
Date: Wed, 2 Aug 2000 10:05:53 -0300
Subject: [pptp-server] patch - fix
In-Reply-To: <39881511.110EB4FA@l3system.net>
Message-ID:

Use your chap-secrets file. The fields are

    remotemachine localmachine password  remoteIP
    localmachine  remotemachine drowssap localIP

Most people use

    remotemachine *             password *
    *             remotemachine password *

but they don't have to.

Patrick Reid - mailto:P.J.Reid at earthling.net

-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Leif Larsson
Sent: August 2, 2000 9:33 AM
To: 'pptp-server at lists.schulte.org'
Subject: [pptp-server] patch - fix

[...]

From bdenheyer at nextcomminc.com Wed Aug 2 09:38:18 2000
From: bdenheyer at nextcomminc.com (Brian Denheyer)
Date: Wed, 2 Aug 2000 15:38:18 +0100 (GMT Daylight Time)
Subject: [pptp-server] kernel fails to build
In-Reply-To:
References: <14727.25222.830000.101720@gargle.gargle.HOWL>
Message-ID: <14728.12890.130000.545301@gargle.gargle.HOWL>

Tom Eastep writes:
> Thus spoke Brian Denheyer:
> >
> > I tried again to patch and build everything. ppp seems to build ok.
> > The kernel has problems :
> >
> > PPP_MAGIC
> > PPP_VERSION
> >
> > are both undeclared and so cause errors.
> >
>
> Edit /usr/src/linux/include/linux/if_ppp.h and add the following:
>
> #define PPP_MAGIC 0x5002
> #define PPP_VERSION "2.3.11"
>

Thanks!

Well this immediately begs the question: why isn't this included in the patch? Wouldn't this be a problem for _everyone_ who tried to build??

It turns out that in addition to rc4_skey.c, you also need rc4_locl.h to be copied into the kernel source tree.

Everything seems to build now. I still get the strange errors about "static declarations following non-static".

Of course, I don't know if it works yet...

Brian

From gord at amador.ca Wed Aug 2 11:04:54 2000
From: gord at amador.ca (Gord Belsey) Date: Wed, 2 Aug 2000 10:04:54 -0600 Subject: [pptp-server] patch - fix References: Message-ID: <02f201bffc9b$65e01d20$280111ac@amadorinc.com> I could be wrong, and feel free to correct me, but the way I understand it, the ip address in the chap-secrets file is only used as part of authentication...if you specify an address, the ip address of the client (or "other side") is checked along with username and password. By using an asterick, you're saying "from any ip address". As for assigning specific addresses, I use the ipcp-accept-local and ipcp-accept-remote in the options file on the pptp server, and specify the address I want the client to use as part of running the client (linux client). I don't worry about the server end personally, but you can also specify that (ie: the address for both ends of the ppp connection) when running the client, as well. I've never actually tried it, but for a windows client you should only have to cobfigure the address in the vpn/DUN session....should work but your mileage may vary. Hope this is useful info, and feel free to correct me :o) Gord Belsey ----- Original Message ----- From: Patrick Reid To: Leif Larsson ; Sent: Wednesday, August 02, 2000 7:05 AM Subject: RE: [pptp-server] patch - fix > Use your chap-secrets file. The fields are > > remotemachine localmachine password remoteIP > localmachine remotemachine drowssap localIP > > Most people use > remotemachine * password * > * remotemachine password * > > but they don't have to. > > Patrick Reid - mailto:P.J.Reid at earthling.net > > > -----Original Message----- 
> From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Leif Larsson > Sent: August 2, 2000 9:33 AM > To: 'pptp-server at lists.schulte.org' > Subject: [pptp-server] patch - fix > > > Hello everyone, > > I saw some days ago that someone had a patch or fix/script > to solve (more or less) this problem: > > I want to assign adresses (both local and remote) depending on > who is calling. > > I have read a lot about pppd but i can see a solution that > assigns both remote and local ip depending on username. > > Any help would be aapreciated > > Leif > > ________________ > L3 System > www.l3system.net > ---------------- > PGP key fingerprint = 11 81 96 E6 F0 91 ED 4D 13 82 44 99 99 DB AE 8B > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From P.J.Reid at earthling.net Wed Aug 2 11:15:16 2000 From: P.J.Reid at earthling.net (Patrick Reid) Date: Wed, 2 Aug 2000 13:15:16 -0300 Subject: [pptp-server] patch - fix In-Reply-To: <02f201bffc9b$65e01d20$280111ac@amadorinc.com> Message-ID: No, the ip address in the chap-secrets file is the IP address which is handed to the two ends of the PPP connection. If you use a * then the first available address in the allowed pool is used. Your way of doing it is fine, too though. The advantage of mine is that it allows the admin of the PPTP server to control IP addressing completely. Patrick Reid - mailto:P.J.Reid at earthling.net -----Original Message----- 
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Gord Belsey
Sent: August 2, 2000 1:05 PM
To: Patrick Reid; Leif Larsson; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] patch - fix

I could be wrong, and feel free to correct me, but the way I understand it, the ip address in the chap-secrets file is only used as part of authentication... if you specify an address, the ip address of the client (or "other side") is checked along with username and password. By using an asterisk, you're saying "from any ip address".

As for assigning specific addresses, I use the ipcp-accept-local and ipcp-accept-remote in the options file on the pptp server, and specify the address I want the client to use as part of running the client (linux client). I don't worry about the server end personally, but you can also specify that (ie: the address for both ends of the ppp connection) when running the client, as well.

I've never actually tried it, but for a windows client you should only have to configure the address in the vpn/DUN session.... should work but your mileage may vary.

Hope this is useful info, and feel free to correct me :o)

Gord Belsey

From sstone at taos.com Wed Aug 2 11:18:52 2000
From: sstone at taos.com (Scott M. Stone)
Date: Wed, 2 Aug 2000 09:18:52 -0700 (PDT)
Subject: [pptp-server] patch - fix
In-Reply-To: <02f201bffc9b$65e01d20$280111ac@amadorinc.com>
Message-ID:

On Wed, 2 Aug 2000, Gord Belsey wrote:

> I could be wrong, and feel free to correct me, but the way I understand it,
> the ip address in the chap-secrets file is only used as part of
> authentication... if you specify an address, the ip address of the client
> (or "other side") is checked along with username and password. By using an
> asterisk, you're saying "from any ip address".
>
> As for assigning specific addresses, I use the ipcp-accept-local and
> ipcp-accept-remote in the options file on the pptp server, and specify the
> address I want the client to use as part of running the client (linux
> client). I don't worry about the server end personally, but you can also
> specify that (ie: the address for both ends of the ppp connection) when
> running the client, as well.
>
> I've never actually tried it, but for a windows client you should only have
> to configure the address in the vpn/DUN session.... should work but your
> mileage may vary.
>
> Hope this is useful info, and feel free to correct me :o)

yeah, if you want to assign dynamic IPs, pptpd does that, not pppd. look in the pptpd.conf file and you can set static or pools of remote IPs, as well as what local IP to give to the server end of the tunnel.

> Gord Belsey

--------------------------
Scott M. Stone, CCNA
UNIX Systems and Network Engineer
Taos - The SysAdmin Company
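As an added illustration of the two rules stated in the replies above (Patrick: a concrete address in the fourth chap-secrets field is what the peer is handed; Scott: with a "*" the address comes from the pptpd.conf remoteip pool), here is a small Python model of that decision. It is not pppd or pptpd code: the sample files are constructed, the helper names are this example's own, and treating a missing fourth field as "no address granted" is an assumption.

```python
"""Model of PPTP address assignment from chap-secrets and pptpd.conf.
Rule 1 (Patrick): a concrete address in the fourth chap-secrets field is the
address handed to that peer.  Rule 2 (Scott): '*' there means pptpd's remoteip
pool supplies the next free address.  Sample files are constructed; helper
names are this example's own, not pppd's or pptpd's."""
import hmac
import ipaddress
import shlex

# Constructed /etc/ppp/chap-secrets (client, server, secret, IP addresses).
SAMPLE_CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client     server       secret     IP addresses
alice        servername   "al1ce!"   192.168.1.240
bob          servername   b0b        *
*            servername   guest      *
"""

# Constructed /etc/pptpd.conf using the pool syntax quoted in the thread.
SAMPLE_PPTPD_CONF = """\
option /etc/ppp/options
localip 192.168.1.230
remoteip 192.168.1.231-235,192.168.1.250
listen 192.168.1.200
"""

def parse_chap_secrets(text):
    """Return (client, server, secret, [addresses]) tuples.
    shlex honours quoted secrets and strips '#' comments."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def parse_pptpd_conf(text):
    """Return {keyword: first value} for the keywords used here."""
    conf = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 2:
            conf[fields[0]] = fields[1]
    return conf

def expand_pool(spec):
    """Expand pptpd remoteip syntax such as '192.168.1.231-235,192.168.1.250'.
    A bare number after the dash extends only the last octet."""
    pool = []
    for item in spec.split(","):
        item = item.strip()
        if "-" not in item:
            pool.append(ipaddress.IPv4Address(item))
            continue
        start, end = item.split("-", 1)
        if "." not in end:
            end = start.rsplit(".", 1)[0] + "." + end
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError("descending range in remoteip: " + item)
        pool.extend(first + i for i in range(int(last) - int(first) + 1))
    return pool

def find_secret(entries, client, server):
    """Pick the entry for (client, server); exact names beat '*' wildcards."""
    best, best_score = None, -1
    for entry in entries:
        c, s = entry[0], entry[1]
        if c not in (client, "*") or s not in (server, "*"):
            continue
        score = 2 * (c == client) + (s == server)
        if score > best_score:
            best, best_score = entry, score
    return best

def resolve_addresses(username, password, secrets_text, conf_text,
                      server_name="servername", in_use=()):
    """Return (localip, remoteip) strings for an accepted call, or None when
    pppd/pptpd would refuse it (no entry, wrong secret, address unavailable)."""
    entry = find_secret(parse_chap_secrets(secrets_text), username, server_name)
    if entry is None or not hmac.compare_digest(entry[2], password):
        return None
    addresses = entry[3]
    if not addresses:  # assumption: no fourth field means no address is granted
        return None
    conf = parse_pptpd_conf(conf_text)
    taken = {ipaddress.IPv4Address(a) for a in in_use}
    if addresses[0] != "*":  # rule 1: admin-pinned address from chap-secrets
        pinned = ipaddress.IPv4Address(addresses[0])
        return None if pinned in taken else (conf["localip"], str(pinned))
    for candidate in expand_pool(conf["remoteip"]):  # rule 2: next free in pool
        if candidate not in taken:
            return conf["localip"], str(candidate)
    return None  # pool exhausted

def secrets_mode_ok(mode):
    """True when chap-secrets keeps group/other out, as the HOWTO's chmod 600 does."""
    return (mode & 0o077) == 0
```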
From: estern at opennetwork.com (Elliott Stern)
Date: Thu, 03 Aug 2000 11:28:23 -0400
Subject: [pptp-server] PoPToP + 2.2.16 + ppp-2.3.11 + mppe
Message-ID: <39898F97.DE38415@opennetwork.com>

This is basically a combination of info from Vanja, Boris, and the PoPToP-RedHat-HOWTO. Actually, it is quite literally a combination... cut, paste, modify. Vanja and Boris helped me get a good start. Here is the way I did it [without downloading too many patches]. I am currently using Red Hat Linux [6.2] with the Red Hat 2.2.16-3 kernel RPMed.

What you need.

-Linux kernel 2.2.16 [ftp.kernel.org/pub/linux/kernel/2.2/linux-2.2.16.tar.bz2]
-PPP 2.3.11 [ftp.linuxcare.com.au/pub/ppp/ppp-2.3.11.tar.gz]
-MPPE Patch [ftp.binarix.com/pub/ppp-mppe/ppp-2.3.11-openssl-0.9.5-mppe.patch.gz]
-PoPToP 1.0.0 [http://www.moretonbay.com/vpn/releases/pptpd-1.0.0-1.i386.rpm]

a) Download the files above.

Download linux-2.2.16.tar.bz2 to /usr/src
Download ppp-2.3.11.tar.gz to /usr/src
Download ppp-2.3.11-openssl-0.9.5-mppe.patch.gz to /usr/src
Download pptpd-1.0.0-1.i386.rpm to /usr/src/redhat/RPMS/i386

b) Delete the old kernel and create the symlinks

Remove 'linux' directory (if it exists), or 'linux' symlink (if it exists):

# cd /usr/src
# rm linux (for symlink)
# rm -rf linux (for directory)
# tar Ixvf linux-2.2.16.tar.bz2

It is better to have 'linux' as a symlink (for maintenance reasons :):

# mv linux linux-2.2.16
# ln -s linux-2.2.16 linux
# cd /usr/include
# ln -s ../src/linux/include/linux linux
# ln -s ../src/linux/include/asm asm

c) Update linux kernel files

# cd /usr/src/linux
# make menuconfig (or make config depending on what you like better)

*Make* sure PPP is installed in the kernel either as a module or built into the kernel [I build mine as a module]. When done, remember to save your configuration. A "HOWTO" can be found at [http://www.linuxdoc.org] if you are not sure how to configure your kernel to support PPP.

d) Install the PPP with MPPE patch

# cp ppp-2.3.11.tar.gz /usr/src
# cd /usr/src
# tar -zxvf ppp-2.3.11.tar.gz
# rm ppp-2.3.11.tar.gz
# cp ppp-2.3.11-openssl-0.9.5-mppe.patch.gz /usr/src/ppp-2.3.11
# cd /usr/src/ppp-2.3.11
# zcat ppp-2.3.11-openssl-0.9.5-mppe.patch.gz | patch -p1
# ./configure
# make
# make install
# make kernel
# cp common/zlib.h /usr/src/linux/drivers/net/
# cp include/linux/if_pppvar.h /usr/src/linux/include/linux/

e) Time to compile our new kernel and new modules.

# cd /usr/src/linux
# make menuconfig

Kernel configuration is covered in many other places - no need for it here; make sure that you build ppp/slip modules though :)

# make dep clean

NOTE: If you already have a /lib/modules/2.2.16 directory, remove it before installing modules

# rm -rf /lib/modules/2.2.16
# make modules modules_install
# make bzImage
# cp System.map /boot/System.map-2.2.16
# rm /boot/System.map (if you have it)
# ln -s /boot/System.map-2.2.16 /boot/System.map
# cp arch/i386/boot/bzImage /boot/linux-2.2.16
# rm /boot/vmlinuz (if it is a link)
# ln -s /boot/linux-2.2.16 /boot/vmlinuz

f) Enable the new kernel

Edit your /etc/lilo.conf, and make a new entry for this kernel. It should probably look like:

-- cut --
image=/boot/vmlinuz
        label=linux
        read-only
        root=/dev/hda3
-- cut --

NOTE: Make sure that 'root' points to the right device, and if you are using initrd images, create one using the 'mkinitrd' command, and add the appropriate entry! Also, make sure that the label is unique and set the default to the label of the new kernel.

# /sbin/lilo -v
# depmod -a

I have the kernel autoload what it needs. Read the /usr/src/linux/Documentation/kmod.txt file for more info.

g) Set up PPP

Create /etc/ppp/options file. The following is just an example:

-- cut ---
debug
#kdebug 1 (you can turn this on if you require more debugging)
auth
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
proxyarp
ms-wins
ms-dns
ms-dns
require-chap
name servername (you can use some other name, it is up to you)
netmask 255.255.255.0
mru 1400
mtu 1400
ktune
-- cut --

Create /etc/ppp/chap-secrets file. The following is just an example:

-- cut --
# Secrets for authentication using CHAP
# client        server          secret          IP addresses
username        servername      password        *
-- cut --

Make sure permissions are properly set on /etc/ppp/chap-secrets file:

# chown root:root /etc/ppp/chap-secrets
# chmod 600 /etc/ppp/chap-secrets

Add necessary entries into /etc/conf.modules:

-- cut --
alias char-major-108 off # This will be different for 2.3.x kernels
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
-- cut --

h) Now, RPM pptp

# cd /usr/src/redhat/RPMS/i386
# rpm -ivvh pptpd-1.0.0-1.i386.rpm

Modify the /etc/pptpd.conf file. The following is just an example:

-- cut --
speed 115200
option /etc/ppp/options
debug
localip 192.168.1.230 (IP address which PPTP server will have - can be single IP)
remoteip 192.168.1.231-253 (pool of IP addresses which will be assigned to clients)
listen 192.168.1.200 (IP address where pptpd will listen)
-- cut --

You can add this init script into /etc/rc.d/init.d directory. It was originally made by Henri Gomez:

-- cut --
#!/bin/sh
#
# Startup script for pptpd
#
# chkconfig: 345 85 15
# description: PPTP server
# processname: pptpd
# config: /etc/pptpd.conf

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting pptpd: "
        if [ -f /var/lock/subsys/pptpd ] ; then
                echo
                exit 1
        fi
        /usr/local/sbin/pptpd -d
        echo
        touch /var/lock/subsys/pptpd
        ;;
  stop)
        echo -n "Shutting down pptpd: "
        killproc pptpd
        echo
        rm -f /var/lock/subsys/pptpd
        ;;
  status)
        status pptpd
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0
-- cut --

Activate it (on RedHat) using command:

# chkconfig --add pptpd

If you wish to see some pptpd debugging messages, add the following entry to /etc/syslogd.conf:

-- cut here --
daemon.debug /var/log/pptp.log
-- cut here --

Reboot... After the reboot, your pptpd should be running.

Remember I am building this on a Red Hat distribution. But yours should work as well [hopefully] :-)

-Elliott

*************************
Elliott Stern
OpenNetwork Technologies
Network Intern
727-561-9500 ext 270
estern at opennetwork.com
*************************

From joey at q7.com Thu Aug 3 12:00:25 2000
From: joey at q7.com (Joe Pruett)
Date: Thu, 3 Aug 2000 10:00:25 -0700 (PDT)
Subject: [pptp-server] PoPToP + 2.2.16 + ppp-2.3.11 + mppe
In-Reply-To: <39898F97.DE38415@opennetwork.com>
Message-ID:

this may be stupid of me, but i've built rpms of the kernel, pptpd, and ppp with all the appropriate patches and whatnot. they are available at:

http://www.spiretech.com/~joey/pptp/

please grab what you need and if anyone else wants to mirror them, that would be great.

From jsalois at mitre.org Thu Aug 3 12:50:17 2000
From: jsalois at mitre.org (Jennifer)
Date: Thu, 03 Aug 2000 13:50:17 -0400
Subject: [pptp-server] PPTP Problem
Message-ID: <3989B0D9.99168B80@mitre.org>

I recently downloaded poptop and installed it on a linux server. Everything works fine and I can connect with one windows client and can ping inside the tunnel. The problem comes in when I connect to the server making a second connection with another windows machine. Once the second connection is made I can't ping anymore from either connection. There are no errors sent to the pptpd log either. Does anyone have any idea what could be happening?

Thanks
Jen

From csa998360 at ait.ac.th Thu Aug 3 13:27:08 2000
From: csa998360 at ait.ac.th (can)
Date: Fri, 4 Aug 2000 01:27:08 +0700
Subject: [pptp-server] PPTP Problem
Message-ID: <004401bffd78$6fd50ec0$15359fcb@ait.ac.th>

Dear,

I install PPTP server already and I think it works. Then for VPN client on linux, I download and install pptp-linux-latest.tar.gz into my computer. But it doesn't work. There isn't pppd in /usr/bin/ or /bin/. I check in Makefile already, it is ok

CFLAGS += '-DPPPD_BINARY="/usr/sbin/pppd"'

But when I type make, there is no pppd in that directory. I attach the result of "make" command below too.

Thank you very much

> [root at octopus02 pptp-linux-1.0.2]# make clean
> rm -f *.o *~
> [root at octopus02 pptp-linux-1.0.2]# make
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o pptp.o pptp.c
> pptp.c: In function `get_ip_address':
> pptp.c:143: warning: suggest explicit braces to avoid ambiguous `else'
> pptp_callmgr.c: In function `callmgr_main':
> In file included from pptp.c:252:
> pptp_callmgr.c:109: warning: variable `max_fd' might be clobbered by `longjmp' or `vfork'
> pptp_callmgr.c:110: warning: variable `first' might be clobbered by `longjmp' or `vfork'
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o pptp_gre.o pptp_gre.c
> pptp_gre.c: In function `encaps_gre':
> pptp_gre.c:261: warning: suggest explicit braces to avoid ambiguous `else'
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o ppp_fcs.o ppp_fcs.c
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o pty.o pty.c
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o pptp_ctrl.o pptp_ctrl.c
> pptp_ctrl.c: In function `pptp_dispatch_ctrl_packet':
> pptp_ctrl.c:540: warning: unused variable `packet'
> pptp_ctrl.c:558: warning: unused variable `packet'
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o dirutil.o dirutil.c
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o vector.o vector.c
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o inststr.o inststr.c
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o util.o util.c
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o version.o version.c
> gcc -Wall -o pptp pptp.o pptp_gre.o ppp_fcs.o pty.o pptp_ctrl.o dirutil.o vector.o inststr.o util.o version.o
> gcc -Wall -O9 '-DPPTP_LINUX_VERSION="1.0.2"' -g '-DPPPD_BINARY="/usr/sbin/pppd"' -c -o pptp_callmgr.o pptp_callmgr.c
> pptp_callmgr.c: In function `main':
> pptp_callmgr.c:109: warning: variable `max_fd' might be clobbered by `longjmp' or `vfork'
> pptp_callmgr.c:110: warning: variable `first' might be clobbered by `longjmp' or `vfork'
> gcc -Wall -o pptp_callmgr pptp_callmgr.o pptp_ctrl.o dirutil.o util.o vector.o version.o
> [root at octopus02 pptp-linux-1.0.2]#

From jfinley at webwyse.com Thu Aug 3 13:54:16 2000
From: jfinley at webwyse.com (Joseph Finley)
Date: Thu, 3 Aug 2000 14:54:16 -0400
Subject: [pptp-server] PPTP Problem
References: <004401bffd78$6fd50ec0$15359fcb@ait.ac.th>
Message-ID: <02c201bffd7c$3ddeb200$74dedede@finley>

Do you have ppp compiled in the kernel? And do you have the ppp daemon installed?

Joe

----- Original Message -----
From: can
To: pptp-server at lists.schulte.org
Sent: Thursday, August 03, 2000 2:27 PM
Subject: [pptp-server] PPTP Problem

Dear,

I install PPTP server already and I think it works. Then for VPN client on linux, I download and install pptp-linux-latest.tar.gz into my computer. But it doesn't work. There isn't pppd in /usr/bin/ or /bin/. I check in Makefile already, it is ok

CFLAGS += '-DPPPD_BINARY="/usr/sbin/pppd"'

But when I type make, there is no pppd in that directory. I attach the result of "make" command below too.

Thank you very much

From jorr at loudcloud.com Thu Aug 3 17:40:52 2000
From: jorr at loudcloud.com (James Orr)
Date: Thu, 03 Aug 2000 15:40:52 -0700
Subject: [pptp-server] pptp Slow-down to nothing on RedHat 6.1
Message-ID: <3989F4F4.6C0E9B7D@loudcloud.com>

Folks,

Relatively new user -- have to admit this program is pretty slick. Brought up pptpd on RedHat 6.2 box -- working fine. However, am currently trying to configure on a RedHat 6.1 box -- can't get performant. I can log into the tunnel, everything seems to work fine. Then system slows down to nothing over the next minute or so.

Any ideas?

Thanks,
-Jim Orr

From westers at versifit.com Thu Aug 3 15:02:54 2000
From: westers at versifit.com (Steve Westerhouse)
Date: Thu, 3 Aug 2000 15:02:54 -0500
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
Message-ID: <010a01bffd85$d07d8d30$034ba8c0@bugs>

I can't seem to get our Windows VPN clients to connect to a remote WinNT4 VPN server through our internal shared Internet connection. I setup RedHat6.2 to perform the NAT functions using ipchains. It appears that the Windows clients connect but don't authenticate. The connections timeout with error 721 (Remote computer not responding). I can ping the remote VPN server from our internal network.

Win Clients -------> RedHat6.2 NAT (ipchains) --------> Internet ----------> WinNT4 VPN server

Any ideas?

Steve Westerhouse
Senior Developer/Architect
westers at versifit.com

From medwards at ega.com Thu Aug 3 15:02:39 2000
From: medwards at ega.com (Mike Edwards)
Date: Thu, 03 Aug 2000 15:02:39 -0500
Subject: [pptp-server] speed issues and ppp.c compile problems
References:
Message-ID: <3989CFDF.3A94B6A8@ega.com>

OK, I'm playing with the packet size settings a bit, and I think I'm seeing an improvement. As to posting my results, I will gladly do so but am not sure how to quantify the speed of the connection. I suppose I could log pings (remote to node through VPN and back), but would that be enough?

BTW, why would one NOT want to use encryption? Doesn't that help ensure the P in VPN?

Thanks for everybody's input!

Mike

"Jose M. Sanchez" wrote:
>
> This might be a fragmentation problem.
>
> PPTP needs to encapsulate the entire PPP TCP/IP packet WITHIN another IP
> packet.
>
> The problem is that the "inner" packet does not "fit".
>
> In your PPTP options file (make sure that you are getting the right one, it
> does no good for you to modify your PPP options file to connect to your
> ISP!) reduce the size of the MTU & MRU values...
>
> I.E.
>
> mru 1400
> mtu 1400
>
> Smaller still if you are using encryption...
>
> That said, note that the PPTP speed will indeed be SLOWER than your normal
> connection rate.
>
> I've recently read a few discussions which indicated that the maximum speed
> is approximately 1/2 your bandwidth speed if encryption is enabled.
>
> Post your results.
>
> Cheers.
>
> -JMS
>
> |-----Original Message-----
> |From: pptp-server-admin at lists.schulte.org
> |[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Mike Edwards
> |Sent: Tuesday, August 01, 2000 3:37 PM
> |To: pptp-server at lists.schulte.org
> |Subject: [pptp-server] speed issues and ppp.c compile problems
> |
> |Hi!
> |
> |After successfully installing pptp and friends on a 486-66 box, we found
> |that the VPN established was so slow as to be unusable--even with a T1
> |connection on the server side and a cable modem (600+Kbps downstream,
> |128+Kbps upstream) on the client side. My first question then is, What
> |are the minimum hardware requirements for the PoPToP Server? I should
> |add that our main goal is to run a client application over the VPN.
> |(The software is a print-management system for the commercial printing
> |industry running on an NT box with MS SQL Server. The NT pptp server
> |wouldn't work at all and, besides, it's Not Scottish!)
> |
> |I am already trying to re-install on a P133 box, but have run into
> |compilation problems. I am using a stock Red Hat 2.2.14 kernel and
> |tarballs of OpenSSL 0.9.5 and ppp-2.3.11. I applied the appropriate
> |ppp/openssl/mppe patch before compiling, but when I ran "make modules"
> |it bombed out on the ppp.c compile, giving errors to the effect of
> |"static declaration for X follows non-static" where X is
> |ppp_register_compressor and ppp_unregister_compressor. Did I miss a
> |patch somewhere or must I be running a 2.2.16 kernel?
> |
> |Thanks in advance!
> |Mike
> |
> |--
> |Mike Edwards, MIS
> |Edwards Graphic Arts, Inc.
> |2700 Bell Avenue
> |Des Moines, IA 50321

--
Mike Edwards, MIS
Edwards Graphic Arts, Inc.
2700 Bell Avenue
Des Moines, IA 50321

From leif at l3system.net Thu Aug 3 15:24:56 2000
From: leif at l3system.net (Leif Larsson)
Date: Thu, 03 Aug 2000 22:24:56 +0200
Subject: [pptp-server] PPTP Problem
References: <004401bffd78$6fd50ec0$15359fcb@ait.ac.th>
Message-ID: <3989D517.C8F31530@l3system.net>

can wrote:

In your mail you are looking at /usr/bin but shouldn't you be looking in /usr/SBIN instead ;-)

If it isn't there maybe you forgot to type "make install" ?

Leif

> Dear,
> I install PPTP server already and I think it works. Then for
> VPN client on linux, I download and install pptp-linux-latest.tar.gz
> into my computer. But it doesn't work. There isn't pppd in /usr/bin/
> or /bin/. I check in Makefile already, it is ok
>
> CFLAGS += '-DPPPD_BINARY="/usr/sbin/pppd"'
> But when I type make, there is no pppd in that directory. I attach
> the result of "make" command below too.
>
> Thank you very much

From teastep at evergo.net Thu Aug 3 15:48:15 2000
From: teastep at evergo.net (Tom Eastep)
Date: Thu, 3 Aug 2000 13:48:15 -0700 (PDT)
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
In-Reply-To: <010a01bffd85$d07d8d30$034ba8c0@bugs>
Message-ID:

Thus spoke Steve Westerhouse:

> I can't seem to get our Windows VPN clients to connect to a remote WinNT4 VPN server through our internal shared Internet connection. I setup RedHat6.2 to perform the NAT functions using ipchains. It appears that the Windows clients connect but don't authenticate. The connections timeout with error 721 (Remote computer not responding). I can ping the remote VPN server from our internal network.
>
> Win Clients -------> RedHat6.2 NAT (ipchains) --------> Internet ----------> WinNT4 VPN server
>
> Any ideas?

Have you patched your kernel per http://www.wolfenet.com/~jhardin/ip_masq_vpn.html?

-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924             \ "Any sane computer will tell you how it
teastep at evergo.net      \  works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________

From Steve.Cowles at gte.net Thu Aug 3 15:51:29 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Thu, 3 Aug 2000 15:51:29 -0500
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
Message-ID: <31361954B2ADD2118B0900A0C90AFC3E05DC0D@defiant.dsl.gtei.net>

If I understand your post correctly... it sounds like you need to patch your linux kernel with the ip masq VPN patch available at: http://www.wolfenet.com/~jhardin/ip_masq_vpn.html

Steve Cowles

-----Original Message-----
From: Steve Westerhouse [mailto:westers at versifit.com]
Sent: Thursday, August 03, 2000 3:03 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails

I can't seem to get our Windows VPN clients to connect to a remote WinNT4 VPN server through our internal shared Internet connection. I setup RedHat6.2 to perform the NAT functions using ipchains. It appears that the Windows clients connect but don't authenticate. The connections timeout with error 721 (Remote computer not responding). I can ping the remote VPN server from our internal network.

Win Clients -------> RedHat6.2 NAT (ipchains) --------> Internet ----------> WinNT4 VPN server

Any ideas?

Steve Westerhouse
Senior Developer/Architect
westers at versifit.com

From opjose at ex-pressnet.com Thu Aug 3 18:46:42 2000
From: opjose at ex-pressnet.com (Jose M. Sanchez)
Date: Thu, 3 Aug 2000 19:46:42 -0400
Subject: [pptp-server] speed issues and ppp.c compile problems
In-Reply-To: <3989CFDF.3A94B6A8@ega.com>
Message-ID:

|-----Original Message-----
|From: Mike Edwards [mailto:medwards at ega.com]
|Sent: Thursday, August 03, 2000 4:03 PM
|To: opjose at ex-pressnet.com
|Cc: pptp-server at lists.schulte.org
|Subject: Re: [pptp-server] speed issues and ppp.c compile problems
|
|
|OK, I'm playing with the packet size settings a bit, and I think I'm
|seeing an improvement. As to posting my results, I will gladly do so
|but am not sure how to quantify the speed of the connection. I suppose
|I could log pings (remote to node through VPN and back), but would that
|be enough?
|

Heh, what I meant was to post what happens to the list so that everyone can see if this worked or not.

|BTW, why would one NOT want to use encryption? Doesn't that help ensure
|the P in VPN?
|

Yes, but if you are not concerned about what is being transmitted, you get a performance increase.

Frankly I believe that at times people are a little too concerned about the "p". After all, who cares about XYZ company's financials.

I use VPN for remote access sessions. I'm not exactly worried about someone looking over my shoulder. There is not a lot of valuable info that they would get.... but your results may vary...

Good luck.

-JMS

|Thanks for everybody's input!
|
|Mike
|
|"Jose M. Sanchez" wrote:
|>
|> This might be a fragmentation problem.
|>
|> PPTP needs to encapsulate the entire PPP TCP/IP packet WITHIN another IP
|> packet.
|>
|> The problem is that the "inner" packet does not "fit".
|>
|> In your PPTP options file (make sure that you are getting the right one, it
|> does no good for you to modify your PPP options file to connect to your
|> ISP!) reduce the size of the MTU & MRU values...
|>
|> I.E.
|>
|> mru 1400
|> mtu 1400
|>
|> Smaller still if you are using encryption...
|>
|> That said, note that the PPTP speed will indeed be SLOWER than your normal
|> connection rate.
|>
|> I've recently read a few discussions which indicated that the maximum speed
|> is approximately 1/2 your bandwidth speed if encryption is enabled.
|>
|> Post your results.
|>
|> Cheers.
|>
|> -JMS
|>
|> |-----Original Message-----
|> |From: pptp-server-admin at lists.schulte.org
|> |[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Mike Edwards
|> |Sent: Tuesday, August 01, 2000 3:37 PM
|> |To: pptp-server at lists.schulte.org
|> |Subject: [pptp-server] speed issues and ppp.c compile problems
|> |
|> |
|> |Hi!
|> |
|> |After successfully installing pptp and friends on a 486-66 box, we found
|> |that the VPN established was so slow as to be unusable--even with a T1
|> |connection on the server side and a cable modem (600+Kbps downstream,
|> |128+Kbps upstream) on the client side. My first question then is, What
|> |are the minimum hardware requirements for the PoPToP Server? I should
|> |add that our main goal is to run a client application over the VPN.
|> |(The software is a print-management system for the commercial printing
|> |industry running on an NT box with MS SQL Server. The NT pptp server
|> |wouldn't work at all and, besides, it's Not Scottish!)
|> |
|> |I am already trying to re-install on a P133 box, but have run into
|> |compilation problems. I am using a stock Red Hat 2.2.14 kernel and
|> |tarballs of OpenSSL 0.9.5 and ppp-2.3.11. I applied the appropriate
|> |ppp/openssl/mppe patch before compiling, but when I ran "make modules"
|> |it bombed out on the ppp.c compile, giving errors to the effect of
|> |"static declaration for X follows non-static" where X is
|> |ppp_register_compressor and ppp_unregister_compressor. Did I miss a
|> |patch somewhere or must I be running a 2.2.16 kernel?
|> |
|> |Thanks in advance!
|> |Mike
|> |
|> |--
|> |Mike Edwards, MIS
|> |Edwards Graphic Arts, Inc.
|> |2700 Bell Avenue
|> |Des Moines, IA 50321
|> |_______________________________________________
|> |pptp-server maillist - pptp-server at lists.schulte.org
|> |http://lists.schulte.org/mailman/listinfo/pptp-server
|> |List services provided by www.schulteconsulting.com!
|>
|
|--
|Mike Edwards, MIS
|Edwards Graphic Arts, Inc.
|2700 Bell Avenue
|Des Moines, IA 50321

From jrw at nplus1.net Thu Aug 3 23:00:38 2000
From: jrw at nplus1.net (Jacob Robert Wilkins)
Date: Fri, 4 Aug 2000 00:00:38 -0400
Subject: [pptp-server] pptp client question.
Message-ID: <20000804000038.A26149@nplus1.net>

The last 2 entries repeat. I don't even know where to start looking.

Any suggestions?

Aug 3 23:54:40 lothos pppd[3072]: pppd 2.3.11 started by root, uid 0
Aug 3 23:54:40 lothos kernel: registered device ppp1
Aug 3 23:54:40 lothos pppd[3072]: Using interface ppp1
Aug 3 23:54:40 lothos pppd[3072]: Connect: ppp1 <--> /dev/ttya1
Aug 3 23:54:40 lothos pppd[3072]: sent [LCP ConfReq id=0x1 ]
Aug 3 23:54:40 lothos pppd[3072]: Timeout 0x805088c:0x8078ba0 in 3 seconds.

jrw

From teastep at evergo.net Fri Aug 4 09:13:47 2000
From: teastep at evergo.net (Tom Eastep)
Date: Fri, 4 Aug 2000 07:13:47 -0700 (PDT)
Subject: [pptp-server] pptp client question.
In-Reply-To: <20000804000038.A26149@nplus1.net>
Message-ID:

Thus spoke Jacob Robert Wilkins:

> The last 2 entries repeat. I don't even know where to start looking.
>
> Any suggestions?
>
> Aug 3 23:54:40 lothos pppd[3072]: pppd 2.3.11 started by root, uid 0
> Aug 3 23:54:40 lothos kernel: registered device ppp1
> Aug 3 23:54:40 lothos pppd[3072]: Using interface ppp1
> Aug 3 23:54:40 lothos pppd[3072]: Connect: ppp1 <--> /dev/ttya1
> Aug 3 23:54:40 lothos pppd[3072]: sent [LCP ConfReq id=0x1 0x0> ]
> Aug 3 23:54:40 lothos pppd[3072]: Timeout 0x805088c:0x8078ba0 in 3
> seconds.
>

These symptoms can occur if the server has existing connections and you don't have my call Id patch applied to the pptp client. You can find the patch at:

ftp://seawall.sourceforge.net/pub/Seawall/patches/callid.patch

These symptoms also occur if GRE packets are being blocked somewhere between the client host and the server.

-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924              \ "Any sane computer will tell you how it
teastep at evergo.net        \ works if you ask it the proper questions"
Shoreline, Washington USA   \___________________________________________

From westers at versifit.com Fri Aug 4 09:40:52 2000
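The fragmentation problem Jose Sanchez describes in the "speed issues" thread above (the PPP packet has to fit inside an IP + GRE wrapper, so an inner MTU of 1500 cannot work on a 1500-byte link) can be checked rather than guessed. The script below is an added example, not code from any post on this list; the per-layer overhead constants and the function names are my assumptions, and the file it reads is whatever pppd options file the PPTP session uses.

```shell
#!/bin/sh
# Added example (not from any post on this list): estimate the largest inner
# PPP MTU/MRU that still lets a PPTP-encapsulated packet fit the outer link
# without IP fragmentation, then check a pppd options file against it.
#
# Per-layer overhead in bytes.  These are assumed worst-case sizes, not
# figures quoted in the thread:
#   outer IPv4 header            20  (no IP options)
#   PPTP enhanced GRE header     16  (4 base + 4 key/call-id + 4 seq + 4 ack)
#   PPP address/control + proto   4
#   MPPE header                   2  (only when encryption is negotiated)
OUTER_IP=20
GRE=16
PPP=4
MPPE=2

# pptp_max_inner_mtu OUTER_MTU ENCRYPTED(0|1) -> prints the largest inner
# MTU/MRU that avoids fragmentation on a link of OUTER_MTU bytes.
pptp_max_inner_mtu() {
    outer=$1
    enc=${2:-0}
    overhead=$((OUTER_IP + GRE + PPP))
    if [ "$enc" -eq 1 ]; then
        overhead=$((overhead + MPPE))
    fi
    echo $((outer - overhead))
}

# ppp_option_value FILE NAME -> prints the last value given for NAME
# ("mtu 1400" -> 1400); prints nothing if the option is absent.
ppp_option_value() {
    awk -v name="$2" '!/^#/ && $1 == name { v = $2 } END { if (v != "") print v }' "$1"
}

# check_ppp_options FILE OUTER_MTU ENCRYPTED(0|1) -> prints "ok",
# "missing:<opt>" (pppd then defaults to 1500, which will not fit) or
# "too-large:<opt>=<value>,max=<bound>".  Exit status 0 only for "ok".
check_ppp_options() {
    file=$1
    outer=$2
    enc=${3:-0}
    bound=$(pptp_max_inner_mtu "$outer" "$enc")
    for opt in mtu mru; do
        val=$(ppp_option_value "$file" "$opt")
        if [ -z "$val" ]; then
            echo "missing:$opt"
            return 1
        fi
        if [ "$val" -gt "$bound" ]; then
            echo "too-large:$opt=$val,max=$bound"
            return 1
        fi
    done
    echo ok
}

# Usage: sh pptp_mtu_check.sh /etc/ppp/options.pptp 1500 1
if [ "$#" -ge 2 ]; then
    check_ppp_options "$@"
fi
```

With the constants above, a 1500-byte Ethernet link leaves 1460 bytes for the inner packet without encryption and 1458 with MPPE, so the 1400 that Jose suggests keeps a comfortable margin; the check is applied to the PPTP options file, not to the one used for the ISP dial-up, which is the mistake his post warns about.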
From: westers at versifit.com (Steve Westerhouse)
Date: Fri, 4 Aug 2000 09:40:52 -0500
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
References:
Message-ID: <001c01bffe21$fe8e55a0$034ba8c0@bugs>

I applied the VPN masq 2.2.14 patch to the source tree, created a .config file and attempted to build the kernel. Compilation fails with the following messages.

gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -fno-strength-reduce -m486 -malign-loops=2 -malign-jumps=2 -malign-functions=2 -DCPU=686 -DEXPORT_SYMTAB -c ip_masq.c
ip_masq.c:389: `ip_masq_hash' undeclared here (not in a function)
ip_masq.c:389: initializer element for `__ksymtab_ip_masq_hash.value' is not constant
ip_masq.c:390: `ip_masq_unhash' undeclared here (not in a function)
ip_masq.c:390: initializer element for `__ksymtab_ip_masq_unhash.value' is not constant
ip_masq.c:332: warning: `masq_port_lock' defined but not used
make[3]: *** [ip_masq.o] Error 1
make[3]: Leaving directory `/usr/src/linux/net/ipv4'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux/net/ipv4'
make[1]: *** [_subdir_ipv4] Error 2
make[1]: Leaving directory `/usr/src/linux/net'
make: *** [_dir_net] Error 2

The patch log file indicates that everything patched ok. Is there an error in the patch itself?

----- Original Message -----
From: "Tom Eastep"
To: "Steve Westerhouse"
Cc:
Sent: Thursday, August 03, 2000 3:48 PM
Subject: Re: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails

> Thus spoke Steve Westerhouse:
>
> > I can't seem to get our Windows VPN clients to connect to a remote WinNT4 VPN server through our internal shared Internet connection. I set up RedHat6.2 to perform the NAT functions using ipchains. It appears that the Windows clients connect but don't authenticate. The connections time out with error 721 (Remote computer not responding). I can ping the remote VPN server from our internal network.
> >
> > Win Clients -------> RedHat6.2 NAT (ipchains) --------> Internet ----------> WinNT4 VPN server
> >
> > Any ideas?
> >
>
> Have you patched your kernel per
> http://www.wolfenet.com/~jhardin/ip_masq_vpn.html?
>
> -Tom
> --
> Tom Eastep                \ Eastep's First Principle of Computing:
> ICQ #60745924              \ "Any sane computer will tell you how it
> teastep at evergo.net        \ works if you ask it the proper questions"
> Shoreline, Washington USA   \___________________________________________
>

From teastep at evergo.net Fri Aug 4 09:50:59 2000
From: teastep at evergo.net (Tom Eastep)
Date: Fri, 4 Aug 2000 07:50:59 -0700 (PDT)
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
In-Reply-To: <001c01bffe21$fe8e55a0$034ba8c0@bugs>
Message-ID:

Thus spoke Steve Westerhouse:

> I applied the VPN masq 2.2.14 patch to the source tree, created a .config
> file and attempted to build the kernel. Compilation fails with the
> following messages.
>
> gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -fno-strength-reduce -m486 -malign-loops=2 -malign-jumps=2 -malign-functions=2 -DCPU=686 -DEXPORT_SYMTAB -c ip_masq.c
> ip_masq.c:389: `ip_masq_hash' undeclared here (not in a function)
> ip_masq.c:389: initializer element for `__ksymtab_ip_masq_hash.value' is not constant
> ip_masq.c:390: `ip_masq_unhash' undeclared here (not in a function)
> ip_masq.c:390: initializer element for `__ksymtab_ip_masq_unhash.value' is not constant
> ip_masq.c:332: warning: `masq_port_lock' defined but not used
> make[3]: *** [ip_masq.o] Error 1
> make[3]: Leaving directory `/usr/src/linux/net/ipv4'
> make[2]: *** [first_rule] Error 2
> make[2]: Leaving directory `/usr/src/linux/net/ipv4'
> make[1]: *** [_subdir_ipv4] Error 2
> make[1]: Leaving directory `/usr/src/linux/net'
> make: *** [_dir_net] Error 2
>
> The patch log file indicates that everything patched ok. Is there an error
> in the patch itself?
>

I've had this problem trying to build PPTP masq into the kernel -- I always compile it as a module and that works fine.

-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924              \ "Any sane computer will tell you how it
teastep at evergo.net        \ works if you ask it the proper questions"
Shoreline, Washington USA   \___________________________________________

From cpeters2 at home.com Fri Aug 4 10:11:23 2000
From: cpeters2 at home.com (Charles Peters - Tech Support)
Date: Fri, 4 Aug 2000 11:11:23 -0400
Subject: [pptp-server] Allowing GRE packets to pass through nat/ipfw firewall
Message-ID: <398AA4DB.15686.3EA199C@localhost>

Greetings:

I have configured a VPN using poptop to allow remote users to connect to the corporate lan server, but have a problem. Most of these users are behind a Freebsd 4.0 gateway/router running nat and ipfw. As I understand, only one ip address is allowed to pass GRE packets through the gateway. I have accomplished this by creating /etc/natd.conf as follows:

interface ep0
unregistered_only yes
pptpalias 192.168.0.7

This works fine, but only for one machine. Is there any way to allow GRE packets from all machines to pass through the gateway?

Thanks,
Charles

Charles Peters
mailto:support at tecpro.com

From adam at morrison-ind.com Fri Aug 4 08:58:45 2000
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Fri, 4 Aug 2000 09:58:45 -0400
Subject: [pptp-server] pptp client question.
In-Reply-To:
References:
Message-ID: <200008041358.e74Dwj225953@barracuda.morrison.iserv.net>

> > Aug 3 23:54:40 lothos pppd[3072]: pppd 2.3.11 started by root, uid 0
> > Aug 3 23:54:40 lothos kernel: registered device ppp1
> > Aug 3 23:54:40 lothos pppd[3072]: Using interface ppp1
> > Aug 3 23:54:40 lothos pppd[3072]: Connect: ppp1 <--> /dev/ttya1
> > Aug 3 23:54:40 lothos pppd[3072]: sent [LCP ConfReq id=0x1
> 0x0> ]
> > Aug 3 23:54:40 lothos pppd[3072]: Timeout 0x805088c:0x8078ba0 in 3
> These symptoms can occur if the server has existing connections and
> you don't have my call Id patch applied to the pptp client. You can find
> the patch at:
> ftp://seawall.sourceforge.net/pub/Seawall/patches/callid.patch
> These symptoms also occur if GRE packets are being blocked somewhere
> between the client host and the server.

There is also modules/etc.. at the http://www.zelow.no/floppyfw/ web site. If you're using a boot-floppy firewall I've already made an image of the floppyfw that contains the PPTP patches.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

From westers at versifit.com Fri Aug 4 09:59:15 2000
From: westers at versifit.com (Steve Westerhouse)
Date: Fri, 4 Aug 2000 09:59:15 -0500
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
References:
Message-ID: <002801bffe24$923e2fd0$034ba8c0@bugs>

Using make xconfig I can see the new VPN masq options, however they are grayed out and I cannot switch them to module support. I could always edit the file myself but I'd like to know why the options are gray. I think I have all the dependent modules selected.

From teastep at evergo.net Fri Aug 4 10:03:17 2000
From: teastep at evergo.net (Tom Eastep)
Date: Fri, 4 Aug 2000 08:03:17 -0700 (PDT)
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
In-Reply-To: <002801bffe24$923e2fd0$034ba8c0@bugs>
Message-ID:

Thus spoke Steve Westerhouse:

> Using make xconfig I can see the new VPN masq options, however they are
> grayed out and I cannot switch them to module support. I could always edit the
> file myself but I'd like to know why the options are gray. I think I have all
> the dependent modules selected.
>

Sounds like you haven't selected "Prompt for experimental/incomplete code/drivers" under "Code maturity options".

-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924              \ "Any sane computer will tell you how it
teastep at evergo.net        \ works if you ask it the proper questions"
Shoreline, Washington USA   \___________________________________________

From westers at versifit.com Fri Aug 4 10:40:43 2000
From: westers at versifit.com (Steve Westerhouse)
Date: Fri, 4 Aug 2000 10:40:43 -0500
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
References:
Message-ID: <003b01bffe2a$5e1e5170$034ba8c0@bugs>

Thanks, everything builds now. My next problem is how to install these binaries on my gateway system. I didn't install any development environment on the gateway system so I'm using another system for this purpose. I know about lilo.conf and lilo. Is it a simple matter of moving the new kernel and module directories over to the gateway system, modifying the lilo.conf file and running lilo? How does the new kernel "know" where to look for the new modules and ignore the old ones? Is there some other config file that points the kernel to the proper module directory?

From aaa at netman.dk Fri Aug 4 10:48:07 2000
From: aaa at netman.dk (Alaa Alamood)
Date: Fri, 04 Aug 2000 17:48:07 +0200
Subject: [pptp-server] LDAP and Samba
Message-ID: <398AE5B7.C44D384A@netman.dk>

Hej,

I'm running a linux poptop server with samba and I have successfully installed the samba patch (pppsmb) to use smbpasswd instead of chap-secrets. I would now like to use LDAP with samba. Does anyone know of documentation or a description I can use?

regards
Alaa

From teastep at evergo.net Fri Aug 4 11:03:25 2000
From: teastep at evergo.net (Tom Eastep)
Date: Fri, 4 Aug 2000 09:03:25 -0700 (PDT)
Subject: [pptp-server] Win VPN clients behind RedHat6.2 firewall connections to WinNT4 VPN server fails
In-Reply-To: <003b01bffe2a$5e1e5170$034ba8c0@bugs>
Message-ID:

Thus spoke Steve Westerhouse:

> Thanks, everything builds now. My next problem is how to install these
> binaries on my gateway system. I didn't install any development environment
> on the gateway system so I'm using another system for this purpose. I know
> about lilo.conf and lilo. Is it a simple matter of moving the new kernel
> and module directories over to the gateway system, modifying the lilo.conf
> file and running lilo? How does the new kernel "know" where to look for the
> new modules and ignore the old ones? Is there some other config file that
> points the kernel to the proper module directory?
>

Modules are located in /lib/modules/. If the kernel source you are using is the same version as what you are running, it is a good idea to edit the top-level Makefile and modify the EXTRAVERSION variable (I usually append my initials or something similar). This makes the kernel version unique. Note that you have to rebuild after making this change.

If you have NFS access from your gateway system to your build system, I recommend installing "make" on the gateway system. Then you can mount the kernel source tree on the gateway, cd to the kernel source tree and type "make modules_install".

Failing that, if you've made your kernel version unique as described above, you can do the "make modules_install" on the build system. The /lib/modules/ directory created can then be tarred up and moved to the gateway. Also move the new kernel, give it a unique name, modify lilo.conf, run lilo and reboot.
-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924              \ "Any sane computer will tell you how it
teastep at evergo.net        \ works if you ask it the proper questions"
Shoreline, Washington USA   \___________________________________________

From walterm at Gliatech.com Fri Aug 4 11:30:12 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Fri, 4 Aug 2000 12:30:12 -0400
Subject: [pptp-server] VPN Masquerading Woes
Message-ID:

Hello All,

I am working on a test configuration that I am hoping to roll into production soon. I have a win2000 client connecting through a linux masq box to a poptop server. When I connect, the win2000 client makes it to the Verifying Username and Password stage and eventually gives Error 619: the specified port is not connected. I have tested the same configuration with the client connected directly to the poptop vpn and it works flawlessly. I have also tried this with several different clients against the test and our production poptop vpn's with the same results. I have the chap-secrets and pap-secrets files set up correctly and they both contain the login I am trying to use. Has anyone had these kinds of problems with VPN masquerading? If so, did you find any type of resolution?

Thanks in advance for any help,

Michael J. Walter mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

}---------- NETWORK DIAGRAM ----------{

[---------------------------]          [-------------------]          [---------------------------]
[ VPN Client                ]          [ NAT Server        ]          [ VPN Server                ]
[ Win2000 sp1 40bit         ]----------[ Redhat 6.2        ]----------[ Redhat 6.2                ]
[ 192.0.0.89                ]          [ Kernel-2.2.16-12  ]          [ Kernel-2.2.16-3.pptp.joey ]
[ Type of VPN: PPTP         ]          [ eth1: 192.0.0.200 ]          [ eth0: 10.0.0.2            ]
[ Obtain IP addr auto       ]          [ eth0: 10.0.0.1    ]          [ eth1: 52.0.0.1            ]
[ Obtain DNS addr auto      ]          [ ip_masq_pptp.o    ]          [ ppp-2.3.11-4.pptp.joey    ]
[ Do not use remote gateway ]          [ ip_masq_ftp.o     ]          [ pptpd-1.0.0-1.pptp.joey   ]
[ Don't require encryption  ]          [                   ]          [                           ]
[ Use pap,chap,chap-v2      ]          [                   ]          [                           ]
[---------------------------]          [-------------------]          [---------------------------]

}---------- NAT SERVER ----------{

NAT Server Configuration:

# test.sh
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
insmod ip_masq_pptp
insmod ip_masq_ftp
ipchains -A forward -i eth0 -j MASQ

NAT Server LOG:

Aug 4 11:24:50 proxyserver kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.0.0.89 -> 10.0.0.2 CID=C000 MCID=EE61
Aug 4 11:24:50 proxyserver kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.0.0.89 -> 10.0.0.2 CID=C000 MCID=EE61
Aug 4 11:26:20 proxyserver kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.0.0.89 -> 10.0.0.2 CID=0 MCID=EE63
Aug 4 11:26:20 proxyserver kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.0.0.89 -> 10.0.0.2 CID=0 MCID=EE63
Aug 4 11:27:43 proxyserver kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.0.0.89 -> 10.0.0.2 CID=4000 MCID=EE65
Aug 4 11:27:43 proxyserver kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.0.0.89 -> 10.0.0.2 CID=4000 MCID=EE65
Aug 4 11:32:11 proxyserver kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.0.0.89 -> 10.0.0.2 CID=8000 MCID=EE67
Aug 4 11:32:11 proxyserver kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.0.0.89 -> 10.0.0.2 CID=8000 MCID=EE67
Aug 4 11:33:00 proxyserver kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.0.0.89 -> 10.0.0.2 CID=C000 MCID=EE69
Aug 4 11:33:00 proxyserver kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.0.0.89 -> 10.0.0.2 CID=C000 MCID=EE69
Aug 4 11:33:42 proxyserver kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.0.0.89 -> 10.0.0.2 CID=0 MCID=EE6B
Aug 4 11:33:42 proxyserver kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.0.0.89 -> 10.0.0.2 CID=0 MCID=EE6B
Aug 4 11:38:30 proxyserver kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.0.0.89 -> 10.0.0.2 CID=4000 MCID=EE6D
Aug 4 11:38:30 proxyserver kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.0.0.89 -> 10.0.0.2 CID=4000 MCID=EE6D
Aug 4 11:46:31 proxyserver kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.0.0.89 -> 10.0.0.2 CID=8000 MCID=EE70
Aug 4 11:46:31 proxyserver kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.0.0.89 -> 10.0.0.2 CID=8000 MCID=EE70

}---------- VPN SERVER ----------{

VPN Server Configuration:

# pptpd.conf
speed 115200
debug
localip 52.0.0.1
remoteip 52.0.0.11-20
listen 10.0.0.2
pidfile /var/run/pptpd.pid

# conf.modules
alias parport_lowlevel parport_pc
alias eth0 ne
alias eth1 ne
options ne io=0x380,0x360
alias ppp-compress-18 ppp_mppe

# options
lock
auth
+pap
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
netmask 255.255.255.0
proxyarp

# test.sh
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

VPN Server LOG:

Aug 1 02:12:28 proxyserver pptpd[688]: CTRL: Client 10.0.0.1 control connection started
Aug 1 02:12:28 proxyserver pptpd[688]: CTRL: Starting call (launching pppd, opening GRE)
Aug 1 02:12:28 proxyserver pppd[689]: pppd 2.3.11 started by root, uid 0
Aug 1 02:12:28 proxyserver pppd[689]: Using interface ppp0
Aug 1 02:12:28 proxyserver pppd[689]: Connect: ppp0 <--> /dev/pts/0
Aug 1 02:12:58 proxyserver pppd[689]: LCP: timeout sending Config-Requests
Aug 1 02:12:58 proxyserver pppd[689]: Connection terminated.
Aug 1 02:12:58 proxyserver pppd[689]: Exit.
Aug 1 02:12:58 proxyserver pptpd[688]: GRE: read(fd=4,buffer=804d7c0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 1 02:12:58 proxyserver pptpd[688]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Aug 1 02:12:58 proxyserver pptpd[688]: CTRL: Client 10.0.0.1 control connection finished

From adam at morrison-ind.com Fri Aug 4 10:48:41 2000
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Fri, 4 Aug 2000 11:48:41 -0400
Subject: [pptp-server] LDAP and Samba
In-Reply-To: <398AE5B7.C44D384A@netman.dk>
References: <398AE5B7.C44D384A@netman.dk>
Message-ID: <200008041548.e74FmfA25997@barracuda.morrison.iserv.net>

>I'm running a linux poptop server with samba and I have successfully installed
>the samba patch (pppsmb) to use smbpasswd instead of chap-secrets. I
>would now like to use LDAP with samba. Does anyone know of documentation
>or a description I can use?

I have a version of pppd that will use the "ntpassword" attribute of a user's object from an LDAP directory. I'll try and post it to my sourceforge page today or tomorrow. I'd make a patch/diff but I don't know how.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

From teastep at evergo.net Fri Aug 4 12:33:45 2000
From: teastep at evergo.net (Tom Eastep)
Date: Fri, 4 Aug 2000 10:33:45 -0700 (PDT)
Subject: [pptp-server] VPN Masquerading Woes
In-Reply-To:
Message-ID:

Thus spoke Michael Walter:

> Hello All,
>
> I am working on a test configuration that I am hoping to roll into
> production soon. I have a win2000 client connecting through a linux masq
> box to a poptop server. When I connect, the win2000 client makes it to the
> Verifying Username and Password stage and eventually gives Error 619: the
> specified port is not connected. I have tested the same configuration with
> the client connected directly to the poptop vpn and it works flawlessly. I
> have also tried this with several different clients against the test and our
> production poptop vpn's with the same results. I have the chap-secrets and
> pap-secrets files set up correctly and they both contain the login I am
> trying to use. Has anyone had these kinds of problems with VPN masquerading?
> If so, did you find any type of resolution? Thanks in advance for any help,
>

You must:

a) patch your kernel as described at http://www.wolfenet.com/~jhardin/ip_masq_vpn.html.

b) run ipfwd on the gateway system:

   ipfwd --masq 47

c) Port forward port 1723 to the server.

-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924              \ "Any sane computer will tell you how it
teastep at evergo.net        \ works if you ask it the proper questions"
Shoreline, Washington USA   \___________________________________________

From Lillian.Kulhanek at energy.on.ca Fri Aug 4 13:07:41 2000
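Both failures in this archive have the same shape: the TCP control connection on port 1723 gets through, so the client reaches "Verifying Username and Password", but the GRE (IP protocol 47) data channel never does, so LCP on the PPP link times out. Michael Walter's server log above shows it from the pptpd side, Jacob Wilkins' log earlier in the thread from the client side, and Tom Eastep's replies give the remedies (the ip_masq VPN kernel patch, ipfwd --masq 47 on the gateway, the call-id patch, no firewall dropping protocol 47). The script below is an added example, not code posted by anyone on the list: it reads a log excerpt and labels which of those cases it looks like. Label names, hint wording and the awk patterns are my own; the server and client sample lines are copied from the two posts named, and the authentication-failure sample is constructed.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: classify a pptpd/pppd
# log excerpt read on stdin, to separate "GRE never got through" from
# "GRE fine, PPP authentication failed".  Labels and hints are my own.

# pptp_triage < LOG -> prints one label:
#   ctrl-ok-gre-dead  pptpd accepted the TCP 1723 control connection and
#                     launched pppd, but LCP timed out: no GRE data reached
#                     the server side (Michael Walter's server log).
#   lcp-no-reply      LCP Configure-Requests were sent, nothing was received,
#                     and the retry timer keeps firing (Jacob Wilkins' log).
#   auth-failed       the tunnel carried PPP but authentication failed.
#   connected         pppd assigned addresses, i.e. the tunnel came up.
#   unknown           none of the above patterns seen.
pptp_triage() {
    awk '
        /CTRL: Client .* control connection started/ { ctrl = 1 }
        /sent \[LCP ConfReq/                          { sent++ }
        /rcvd \[LCP/                                  { rcvd++ }
        /LCP: timeout sending Config-Requests/        { lcp_timeout = 1 }
        /Timeout .* in [0-9]+ seconds/                { timer++ }
        /authentication failed/                       { auth_fail = 1 }
        /(local|remote) +IP address/                  { up = 1 }
        END {
            if (auth_fail)                                print "auth-failed"
            else if (up)                                  print "connected"
            else if (ctrl && lcp_timeout)                 print "ctrl-ok-gre-dead"
            else if (sent > 0 && rcvd == 0 && timer > 0)  print "lcp-no-reply"
            else                                          print "unknown"
        }'
}

# pptp_hint LABEL -> what to check next, following Tom Eastep's replies above.
pptp_hint() {
    case "$1" in
        ctrl-ok-gre-dead)
            printf '%s\n' 'TCP 1723 works but GRE does not: apply the ip_masq VPN kernel patch on the gateway, run "ipfwd --masq 47" there, and make sure no firewall on the path drops IP protocol 47.' ;;
        lcp-no-reply)
            printf '%s\n' 'Nothing comes back over GRE: check for GRE being blocked on the path, and apply the call-id patch to the pptp client if the server already has sessions.' ;;
        auth-failed)
            printf '%s\n' 'The tunnel carries PPP; check /etc/ppp/chap-secrets and pap-secrets (DOMAINNAME\\user form for domain logins).' ;;
        connected)
            printf '%s\n' 'Tunnel negotiated; if it is slow, look at MTU/MRU and encryption overhead.' ;;
        *)
            printf '%s\n' 'No known pattern; add "debug" to /etc/ppp/options and capture the log again.' ;;
    esac
}

# Server-side lines copied from Michael Walter's post above.
sample_server_log() {
    cat <<'EOF'
Aug 1 02:12:28 proxyserver pptpd[688]: CTRL: Client 10.0.0.1 control connection started
Aug 1 02:12:28 proxyserver pptpd[688]: CTRL: Starting call (launching pppd, opening GRE)
Aug 1 02:12:28 proxyserver pppd[689]: pppd 2.3.11 started by root, uid 0
Aug 1 02:12:28 proxyserver pppd[689]: Connect: ppp0 <--> /dev/pts/0
Aug 1 02:12:58 proxyserver pppd[689]: LCP: timeout sending Config-Requests
Aug 1 02:12:58 proxyserver pppd[689]: Connection terminated.
Aug 1 02:12:58 proxyserver pptpd[688]: GRE: read(fd=4,buffer=804d7c0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 1 02:12:58 proxyserver pptpd[688]: CTRL: Client 10.0.0.1 control connection finished
EOF
}

# Client-side lines copied from Jacob Wilkins' post above.
sample_client_log() {
    cat <<'EOF'
Aug 3 23:54:40 lothos pppd[3072]: pppd 2.3.11 started by root, uid 0
Aug 3 23:54:40 lothos pppd[3072]: Using interface ppp1
Aug 3 23:54:40 lothos pppd[3072]: Connect: ppp1 <--> /dev/ttya1
Aug 3 23:54:40 lothos pppd[3072]: sent [LCP ConfReq id=0x1 ]
Aug 3 23:54:40 lothos pppd[3072]: Timeout 0x805088c:0x8078ba0 in 3 seconds.
EOF
}

# Constructed lines (not from the thread) with pppd's wording when the peer
# rejects the credentials.
sample_auth_fail_log() {
    cat <<'EOF'
Aug 4 12:00:00 lothos pppd[3101]: sent [LCP ConfReq id=0x1 ]
Aug 4 12:00:00 lothos pppd[3101]: rcvd [LCP ConfAck id=0x1 ]
Aug 4 12:00:01 lothos pppd[3101]: CHAP authentication failed
Aug 4 12:00:01 lothos pppd[3101]: Connection terminated.
EOF
}

# Usage: sh pptp_triage.sh --demo, or: grep pptpd /var/log/messages | sh -c '. ./pptp_triage.sh; pptp_triage'
if [ "${1:-}" = "--demo" ]; then
    for s in sample_server_log sample_client_log sample_auth_fail_log; do
        label=$($s | pptp_triage)
        echo "$s: $label"
        echo "  $(pptp_hint "$label")"
    done
fi
```

The decisive signal is the combination of a control-connection line with an LCP timeout: pptpd logs "control connection started" only after TCP 1723 was accepted, and pppd logs "timeout sending Config-Requests" only when no LCP frame ever came back over GRE. The "OUT_CALL_REQUEST/OUT_CALL_REPLY" lines in the NAT box's own log tell the same story from the middle: the masquerading code saw the call set-up on the control channel, so whatever is missing is the protocol-47 traffic that follows it.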
From: Lillian.Kulhanek at energy.on.ca (Lillian Kulhanek)
Date: Fri, 4 Aug 2000 14:07:41 -0400
Subject: [pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch
Message-ID: <002701bffe3e$e2628c80$2c02a8c0@Lillian.energy.on.ca>

Hi all,

I'm having a problem I'm assuming is associated with ppp-2.3.10-openssl-norc-mppe.patch. I am following the RedHat PoPToP howto, except I'm using kernel 2.2.16, ppp-2.3.11, SSLeay-0.9.0b (I figured on getting the most recent versions). I get up to Chapter 4, section 4 of the howto, and when I run make modules SUBDIRS=drivers/net, I get errors about variables not being declared. One of the employees at my ISP is also trying this, apparently following the howto to the letter, and he's having compilation errors.

Does anyone have any ideas/suggestions? I found another install document on moretonbay, much shorter than the howto, which doesn't include some of the make steps. Is one document more right than the other?

All comments are appreciated. Thanks!!!

Lillian Kulhanek

(Please note, I'm out of town for the next three weeks starting Monday, so after today, I won't be able to reply to anyone until I'm back).

From tfasko at cyberacc.com Fri Aug 4 13:48:39 2000
From: tfasko at cyberacc.com (tfasko at cyberacc.com)
Date: Fri, 4 Aug 2000 14:48:39 -0400
Subject: [pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch
Message-ID:

Here is the modified HOW TO that I made after fixing the problem you were having:

Travis J Fasko
Notes Administrator
CyberAccess, Inc.
(216) 524-5005 Ext. 130
tfasko at cyberacc.com

Good Luck!!

without MSCHAPv2/MPPE:

Note: [] are example commands to run

1. Get the following files from the RedHat (ftp.redhat.com) site or suitable mirror:
   ftp://ftp.redhat.com/redhat/redhat-6.1/i386/RedHat/RPMS/
     kernel-headers-2.2.12-20.i386.rpm
     kernel-source-2.2.12-20.i386.rpm
     kernel-2.2.12-20.i386.rpm
     ppp-2.3.10-1.i386.rpm

   *NOTE* before performing the next step make sure you have access to a boot floppy or can access the old kernel. For more information see:
   http://www.linux.org/help/ldp/mini/minihowto.html and search for LILO Mini-HOWTO

2. Change lilo.conf to access your old and new kernel then issue this command:
   [/sbin/lilo]

3. Upgrade your 2.2.5-15 kernel to 2.2.12-20:
   [rpm -Uvvh kernel-2.2.12-20.i386.rpm]

4. Upgrade ppp:
   [rpm -Uvvh ppp-2.3.10-1.i386.rpm]

5. Grab the PoPToP rpm and init file:
   http://www.moretonbay.com/vpn/releases/pptpd-1.0.0-1.i386.rpm
   http://www.moretonbay.com/vpn/releases/pptpd.init

6. Store the pptpd.init file in the /etc/rc.d/init.d directory and make sure permissions are set correctly. You need to edit the pptpd.init file to start the pptpd daemon differently.
   Before: daemon /usr/sbin/pptpd
   After:  /usr/sbin/pptpd -d

7. Rpm the PoPTop Server:
   [rpm -ivvh pptpd-1.0.0-1.i386.rpm]

8. Setup your chap-secrets file in the /etc/ppp directory. It should look something like this:

   # /etc/ppp/chap-secrets
   #username    servername    secret       ipaddress
   validname    *             validpass    *

   For authentication with windows clients use

   DOMAINNAME\\validname    *    validpass    *

   The domain name may be in caps or lowercase. Check the logs in /var/log/messages.
   If you want to learn more about the chap-secrets file see:
   http://www.linux.org/help/ldp/howto/PPP-HOWTO-13.html#ss13.4

9. Edit /etc/inittab and comment out the reference to pptpd. We will use the pptpd daemon.
   [init Q]   # rereads /etc/inittab

10. Your options file in /etc/ppp/ should at a minimum have the following:

   lock
   debug
   auth
   +chap
   proxyarp

   OK, here I had to create a new file: /etc/ppp/ip-up.local
   It is an executable script with this one line:

   echo 1 > /proc/sys/net/ipv4/ip_forward

   (This is what fixed all my problems, well actually making it executable is what fixed them :-)

11. Modify the /etc/pptpd.conf file. Look in the configuration file for settings. Here is a working sample:

   debug                        #This can be removed when things are working
   localip 192.168.1.80-89      #look in the /etc/pptpd.conf file for more info about settings
   remoteip 192.168.1.70-79

   At this point vpn should be working without encryption.

4.0 PPP with MSCHAPv2/MPPE Installation
----------------------------------------------------------------

*NOTE* You must complete section three above for this to work.
*NOTE* If you want to add encryption do the following below:

1. Grab yourself a clean copy of the PPP daemon v2.3.10 (ppp-2.3.10.tar.gz). I usually go here for my PPP files:
   ftp://cs.anu.edu.au/pub/software/ppp/
   Note: You must get the tarball (tar.gz) and *not* the RPM.

2. Grab yourself the MSCHAP/MPPE patch file from:
   http://www.moretonbay.com/vpn/releases/ppp-2.3.10-openssl-norc4-mppe.patch.gz

3. Grab yourself the SSLeay-0.6.6b file from:
   ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-0.6.6b.tar.gz

4.
   You should now have 3 files:
     ppp-2.3.10.tar.gz
     ppp-2.3.10-openssl-norc4-mppe.patch.gz
     SSLeay-0.6.6b.tar.gz

   Copy these files to your preferred location (RedHat uses /usr/src/redhat/SOURCES)

   Assuming your files are in /usr/src/redhat/SOURCES and your current working directory is the same, do the following:

   [tar -zxvf ppp-2.3.10.tar.gz]
   [gunzip ppp-2.3.10-openssl-norc4-mppe.patch.gz]
   [tar -zxvf SSLeay-0.6.6b.tar.gz]
   [cp SSLeay-0.6.6b/crypto/rc4/rc4.h ppp-2.3.10/linux/]
   [cp SSLeay-0.6.6b/crypto/rc4/rc4_enc.c ppp-2.3.10/linux/]
   [cd ppp-2.3.10]   # should now be in /usr/local/redhat/SOURCES/ppp-2.3.10
   [patch -p1 << ../ppp-2.3.10-openssl-norc4-mppe.patch]

   It is actually this command:

   patch -p1 < ../ppp-2.3.10-openssl-norc4-mppe.patch

   Comment out or delete the reference to rc4_skey.c in /usr/src/redhat/SOURCES/ppp-2.3.10/linux/ppp_mppe.c
   Evidently it is not needed.

   Now rpm the kernel files we downloaded earlier:

   [rpm -ivvh kernel-headers-2.2.12-20.i386.rpm]
   [rpm -ivvh kernel-source-2.2.12-20.i386.rpm]
   [cd /usr/src/linux]
   [make menuconfig]   # Unless you have a special setup you probably will not need
                       # to change any of the settings. Just do this so that you can
                       # save the config for later steps
   [make dep]
   [make clean]
   [cd /usr/src/redhat/SOURCES/ppp-2.3.10]
   [./configure]
   [make]
   [make kernel]
   [make install]
   [cd /usr/src/linux]

   There are 2 files that have to be copied to /usr/src/linux-2.2.14/drivers/net, they are the crypto files. Here is the command I used...

   [cp /usr/src/redhat/SOURCES/SSLeay-0.9.0b/crypto/rc4/rc4_locl.h /usr/src/linux-2.2.14/drivers/net]
   [cp /usr/src/redhat/SOURCES/SSLeay-0.9.0b/crypto/rc4/rc4_skey.c /usr/src/linux-2.2.14/drivers/net]

   Then vi /usr/src/linux/drivers/net/ppp.c, do a /kill_fasync, and after SIGIO add this:

   ,NULL

   This fixes an issue with not enough arguments for that command..
[make modules SUBDIRS=drivers/net]
[make modules_install]

Add to your options file (/etc/ppp/options):

+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

Edit the /etc/conf.modules (or modules.conf) with the following info:

alias char-major-108 off      # This will be different for 2.3.x kernels
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

[modprobe -r ppp]
# if necessary remove the following modules by hand
[rmmod ppp]
[rmmod slhc]
[rmmod bsd_comp]
[rmmod ppp_deflate]
# now get things rolling
[depmod -a]
[modprobe ppp]

That should do it. Don't forget to make a link to the pptpd.init in
whatever runlevel you're using so that the pptpd daemon will start
automatically upon boot. We use runlevel 3 so make a link like this:

[ln -s /etc/rc.d/init.d/pptpd.init /etc/rc.d/rc3.d/S52pptpd]

5.0 Windows Client Setup
------------------------

Note that the Win95 routine is similar but requires Dial Up Networking
Update 1.3 and both the Win95 and Win98 need the vpnupdate (free from
Microsoft) to be installed first. Try here for the DUN1.3 and the
vpnupdate:

Windows 95 http://www.microsoft.com/windows95/downloads
Windows 98 http://www.microsoft.com/windows98/downloads/corporate.asp

1a. For Win95 machines install the DUN 1.3.
1b. For Win98 machines use the add-remove programs tool to uninstall
the VPN software. Some of the OEMs don't install this properly.
Re-install it using the add-remove programs tool. Go to windows setup
(tab), select communications and press the details button. Scroll down
and check the VPN support.
2. Install the vpnupdate for your particular machine (win95/98 not 98SE).

take a little nap here...

Once your machine is back:

1. go to dial-up networking (usually start->programs->Accessories->communications->Dial-up Networking) YMMV
2. Click make new connection
3. Name the Connection whatever you'd like.
4. Select Microsoft VPN adapter as the device
5. click next
6. type in the ip address or hostname of your pptp server
7. click next
8. click finish
9. Right-click on the intranet icon
10. select properties
11. choose server types
12. check require encrypted password
13. uncheck netbeui, ipx/spx compatible
14. click tcp/ip settings
15. turn off use IP header compression (May not be necessary)
16. turn off use default gw on remote network
17. click ok.
18. start that connection
19. type in your username and pw (yadda, yadda, yadda)
20. once it finishes its connection you're up.

UPDATE: 128bit windows Client (for USA and Canada)

You can download the 128 bit version of the Windows 98 Dial-Up
Networking Security Update from the following URL:
http://support.microsoft.com/Support/NTServer/128Eula.asp
Accept the EULA, then choose the appropriate 128-bit DUN Update.

6.0 Firewall Setup
------------------

If you're using Masquerading you will probably need to add some rules
to the firewall. These rules are just examples, don't rely only on
them to completely shut out hackers. This section also assumes that
you already have a working connection to the internet from your Linux
box and any workstations that might be connected to it.

I like to keep a clean firewall so we added some scripting to
/etc/ppp/ip-up.local and /etc/ppp/ip-down.local. These files don't
normally exist so you may have to create new ones.
Here is an example of each of the scripts:

ip-up.local
---- cut ----
#!/bin/sh
INTERNAL_NET1="192.168.1.0/24"
case $2 in
/dev/pts/*)
  echo "$(date): ip-up 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> /var/log/pptpd.log
  /sbin/ipchains --insert forward -j ACCEPT -s $5 -i eth0
  # ^ local interface
  /sbin/ipchains --insert forward -j ACCEPT -d $5 -i $1
  # ^ incoming pptpd interface
  /sbin/ipchains --insert input -i $1 -s $INTERNAL_NET1 -j ACCEPT
  /sbin/ipchains --insert output -i $1 -d $INTERNAL_NET1 -j ACCEPT
  echo "$(date): ip-up Firewall rules set for $1:$5" >> /var/log/pptpd.log
  ;;
esac
---- cut ----

ip-down.local
---- cut ----
#!/bin/sh
INTERNAL_NET1="192.168.1.0/24"
case $2 in
/dev/pts/*)
  echo "$(date): ip-down 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> /var/log/pptpd.log
  /sbin/ipchains --delete forward -j ACCEPT -s $5 -i eth0
  # ^ local interface
  /sbin/ipchains --delete forward -j ACCEPT -d $5 -i $1
  # ^ incoming pptpd interface
  /sbin/ipchains --delete input -i $1 -s $INTERNAL_NET1 -j ACCEPT
  /sbin/ipchains --delete output -i $1 -d $INTERNAL_NET1 -j ACCEPT
  echo "$(date): ip-down Firewall rules removed for $1:$5" >> /var/log/pptpd.log
  ;;
esac
---- cut ----

From klussier at mclinux.com Fri Aug 4 14:41:00 2000
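The ip-up.local and ip-down.local scripts in the HOWTO above log every tunnel whose ipchains ACCEPT rules they set or remove. The following script is an added example and is not part of the HOWTO: it reconciles those log lines and lists tunnels that were set up but never torn down (for instance because pppd died before ip-down ran), which is worth checking from cron before trusting the live rule set. It assumes the log lines are exactly the echo lines the HOWTO's scripts write; the sample log below is constructed.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): reconcile the pptpd.log lines that
# the ip-up.local / ip-down.local scripts write and list tunnels whose
# "rules set" line has no later "rules removed" line, i.e. whose ipchains
# ACCEPT rules may still be in place.

# open_tunnels LOGFILE
# Prints one "iface:remote_ip" per line, sorted, for every
# "ip-up Firewall rules set for X" line without a later
# "ip-down Firewall rules removed for X" line.
open_tunnels() {
    awk '
        /: ip-up Firewall rules set for /       { up[$NF] = 1; next }
        /: ip-down Firewall rules removed for / { delete up[$NF]; next }
        END { for (k in up) print k }
    ' "$1" | sort
}

# open_tunnel_count LOGFILE
# Number of tunnels still open according to the log (handy for alerting).
open_tunnel_count() {
    open_tunnels "$1" | wc -l | tr -d ' '
}

# Constructed sample log in the format the scripts produce: ppp0 comes up
# for 192.168.1.70 and is torn down cleanly, ppp1 comes up for .71 and is
# never torn down, then ppp0 is reused for .72 and is still up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mon Aug  7 10:00:01 EDT 2000: ip-up 1:ppp0 2:/dev/pts/0 3:115200 4:192.168.1.80 5:192.168.1.70 6:
Mon Aug  7 10:00:01 EDT 2000: ip-up Firewall rules set for ppp0:192.168.1.70
Mon Aug  7 10:05:12 EDT 2000: ip-up 1:ppp1 2:/dev/pts/1 3:115200 4:192.168.1.81 5:192.168.1.71 6:
Mon Aug  7 10:05:12 EDT 2000: ip-up Firewall rules set for ppp1:192.168.1.71
Mon Aug  7 10:30:44 EDT 2000: ip-down 1:ppp0 2:/dev/pts/0 3:115200 4:192.168.1.80 5:192.168.1.70 6:
Mon Aug  7 10:30:44 EDT 2000: ip-down Firewall rules removed for ppp0:192.168.1.70
Mon Aug  7 10:31:02 EDT 2000: ip-up 1:ppp0 2:/dev/pts/0 3:115200 4:192.168.1.80 5:192.168.1.72 6:
Mon Aug  7 10:31:02 EDT 2000: ip-up Firewall rules set for ppp0:192.168.1.72
EOF

# Stand-alone run: list what the log says is still up.
echo "tunnels with rules still in place: $(open_tunnel_count "$SAMPLE_LOG")"
open_tunnels "$SAMPLE_LOG"
```

Point it at the real /var/log/pptpd.log and compare the output with `ipchains -L forward -n`; any address listed here but absent from the live chain (or vice versa) means the ip-up/ip-down pair did not run symmetrically.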
From: klussier at mclinux.com (Kenneth E. Lussier)
Date: Fri, 04 Aug 2000 15:41:00 -0400
Subject: [pptp-server] Connection limitations?
Message-ID: <398B1C4C.B2104356@mclinux.com>

Does anyone know what the connection limitations are of the poptop
server? I have looked at Moretonbay's documents for the NETtel 2520,
which uses poptop, and it says that it can only handle 4 simultaneous
connections. Has this limitation carried over into the GPL'd software
as well??

TIA,
Kenny
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************

From dxf at dewittross.com Fri Aug 4 15:29:59 2000
From: dxf at dewittross.com (Daniell Freed)
Date: Fri, 04 Aug 2000 15:29:59 -0500
Subject: [pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch
References:
Message-ID: <398B27C7.38DF5230@dewittross.com>

I followed your HOW-TO, and I found an error that you may want to
correct. In the section of the document where you say to download
SSLeay-0.6.6b you should say to download SSLeay-0.9.0b since that is
what your later instructions tell you to use (and 0.6.6b doesn't
contain a couple of files you say we need to copy to the kernel
directory).

Also, you do not need to add the NULL parameter in ppp.c for
kill_fasync. If you do, it won't compile (too many parameters), it
works fine without this added.

That was it. Thanks for the updated HOW-TO. I never had been able to
get ppp-2.3.10 working with pptp and MSCHAP before this. If you get
time, you should add a section on setting up and running the pptp
linux client. I'm sure there are those that would greatly appreciate
it.

tfasko at cyberacc.com wrote:

--
Daniell Freed
Computer Services
Dewitt, Ross, & Stevens S.C.

He who fights with monsters might take care lest he thereby become a
monster. And if you gaze for long into an abyss, the abyss gazes also
into you.
Beyond Good and Evil
Friedrich Wilhelm Nietzsche

From matthewr at moreton.com.au Fri Aug 4 13:58:42 2000
From: matthewr at moreton.com.au (Matthew Ramsay)
Date: Sat, 05 Aug 2000 04:58:42 +1000
Subject: [pptp-server] Connection limitations?
References: <398B1C4C.B2104356@mclinux.com>
Message-ID: <398B1262.EAADE9A1@moreton.com.au>

G'day Kenneth,

The limitation on NETtel boxes is due to RAM constraints.. NE2520's
only have 4Mb RAM.. and since PoPToP spawns a pppd process per tunnel
(~200-300k) you quickly run out of RAM. On a generic Linux box you
don't have this 4 tunnel problem as you have more RAM (well, I'd hope
on a PC you have more RAM :-)...

Cheers,
Matt.

"Kenneth E. Lussier" wrote:
>
> Does anyone know what the connection limitations are of the poptop
> server? I have looked at Moretonbay's documents for the NETtel 2520,
> which uses poptop, and it says that it can only handle 4 simultaneous
> connections. Has this limitation carried over into the GPL'd software as
> well??
>
> TIA,
> Kenny
> --
> Kenny Lussier
> Systems Administrator
> Mission Critical Linux
> ***********************************************************
> Life is a lesson, you learn it at the end
> Reality has become increasingly less accurate
> ***********************************************************
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From awilliam at whitemice.org Fri Aug 4 16:29:03 2000
From: awilliam at whitemice.org (Adam Williams)
Date: Fri, 04 Aug 2000 21:29:03 GMT
Subject: [pptp-server] LDAP and Samba
In-Reply-To: <200008041548.e74FmfA25997@barracuda.morrison.iserv.net>
References: <398AE5B7.C44D384A@netman.dk> <200008041548.e74FmfA25997@barracuda.morrison.iserv.net>
Message-ID: <20000804.21290300@estate1.whitemice.org>

>>I am running a linux poptop server with samba and I have successfully installed
>>the samba patch (pppsmb) to use smbpasswd instead of chap-secrets, I
>>would like now to use LDAP with samba, does anyone know a documentation
>>or description I can use?

>I have a version of pppd that will use the "ntpassword" attribute of a user's
>object from an LDAP directory. I'll try and post it to my sourceforge page
>today or tomorrow. I'd make a patch/diff but I don't know how.

It's up at: http://ldapconsole.sourceforge.net

From support at redware.net Fri Aug 4 18:59:12 2000
From: support at redware.net (Ronnie F. Moller, Jr.)
Date: Fri, 4 Aug 2000 18:59:12 -0500
Subject: [pptp-server] KeepAlive / Heartbeat
In-Reply-To: <200008041358.e74Dwj225953@barracuda.morrison.iserv.net>
Message-ID:

I am using a PPTP Client on linux, and have a script that runs every
minute from cron, the script is the following:

ping -c 1 172.16.1.4 || /etc/rc.d/init.d/pptp restart

What I have noticed is that ping sometimes fails during high latency,
when the connection is just busy / overloaded temporarily. Is there a
better way to test, so that if it fails 5 times in a row, then it
would call the restart. If it were to get 1 successful ping out of 5,
then I would assume that it is a good connection, just busy.

Thanks

From Lillian.Kulhanek at energy.on.ca Fri Aug 4 23:34:20 2000
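For Ronnie Moller's cron check above, one way to require several consecutive probe failures before restarting the tunnel, as an added example that is not Ronnie's script: the probe and the restart action are passed in as command strings, so the policy itself can be exercised without a live tunnel. 172.16.1.4 and /etc/rc.d/init.d/pptp come from his message; the cron line, the script path and the per-probe deadline are assumptions.

```shell
#!/bin/sh
# Added example (not Ronnie's script): restart the tunnel only after MAX
# consecutive probe failures, so one lost ping during a latency spike does
# not tear down a working connection. PROBE_CMD and RESTART_CMD are command
# strings run with sh -c, which keeps the policy testable offline.

# consecutive_failures PROBE_CMD MAX [SLEEP_SECONDS]
# Runs PROBE_CMD up to MAX times, stopping at the first success.
# Returns 0 if any probe succeeded, 1 if all MAX attempts failed.
consecutive_failures() {
    probe=$1
    max=$2
    pause=${3:-0}
    n=0
    while [ "$n" -lt "$max" ]; do
        if sh -c "$probe" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        if [ "$pause" -gt 0 ] && [ "$n" -lt "$max" ]; then
            sleep "$pause"
        fi
    done
    return 1
}

# check_tunnel PROBE_CMD RESTART_CMD [MAX] [SLEEP_SECONDS]
# Prints "up" and returns 0 if the link answered within MAX probes;
# otherwise runs RESTART_CMD, prints "restarted" and returns 1.
check_tunnel() {
    probe=$1
    restart=$2
    max=${3:-5}
    pause=${4:-0}
    if consecutive_failures "$probe" "$max" "$pause"; then
        echo up
        return 0
    fi
    sh -c "$restart"
    echo restarted
    return 1
}

# Stand-alone use from cron (assumed script path), once a minute as before:
#   * * * * * /usr/local/sbin/check_tunnel.sh
# where the script body is the two functions above followed by:
#   check_tunnel 'ping -c 1 -w 5 172.16.1.4' '/etc/rc.d/init.d/pptp restart' 5 1
# -w 5 (iputils ping deadline) keeps one stalled probe from eating the
# whole minute; drop it if the local ping lacks the option.
```

With five probes one second apart the check gives a busy link about five seconds to answer once, and only a link that answers nothing in that window is restarted; a single reply anywhere in the five attempts returns "up", which matches the one-in-five rule in the question.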
From: Lillian.Kulhanek at energy.on.ca (Lillian Kulhanek)
Date: Sat, 5 Aug 2000 00:34:20 -0400
Subject: [pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch
In-Reply-To: <398B27C7.38DF5230@dewittross.com>
Message-ID: <000901bffe96$6cd34d80$2c02a8c0@Lillian.energy.on.ca>

Just wanted to say that I am very impressed with the responses to my
first question on this list. I just joined earlier today, and posted
early this afternoon. By 5:00 there was a fix to the howto, a fix to
the fixed howto, and a link to a site where the whole shebang had been
rpm'ed. Whew! You guys eat wheaties for breakfast? :)

Thanks!
Lillian Kulhanek
Happy Network Engineer Now Going On Vacation

From csa998360 at ait.ac.th Sun Aug 6 13:52:22 2000
From: csa998360 at ait.ac.th (can)
Date: Mon, 7 Aug 2000 01:52:22 +0700
Subject: [pptp-server] PPtP Prob...
Message-ID: <002401bfffd7$761fa4a0$06359fcb@ait.ac.th>

Dear,

I started the PPTP server and it ran as a process. However I can't
connect a client to this server. In the log file I saw some errors as
below. What should I do?

Thanks

Log file:

Aug 5 05:34:06 octopus init: Entering runlevel: 3
Aug 5 05:34:28 octopus identd[427]: started
Aug 5 05:34:42 octopus gpm[550]: Error in protocol
Aug 5 05:34:57 octopus pptpd[630]: MGR: Manager process started
Aug 5 05:39:08 octopus pptpd[663]: MGR: Launching /usr/sbin/pptpctrl to handle client
Aug 5 05:39:08 octopus pptpd[630]: MGR: No free connection slots or IPs - no more clients can connect!
Aug 5 05:39:08 octopus pptpd[663]: CTRL: local address = 192.41.170.18

From stefan.vetter at ooe-versicherung.at Mon Aug 7 01:57:21 2000
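The pptpd.conf sample in the HOWTO above gives localip and remoteip as last-octet ranges (192.168.1.80-89 and 192.168.1.70-79), and the log just above ends with pptpd refusing a client with "No free connection slots or IPs". pptpd hands each connecting client one address from the remoteip pool, so the size of that pool is an upper bound on simultaneous tunnels, and a pool that is smaller than intended is one thing to rule out when that message appears. The following functions are an added example, not code from pptpd or from the HOWTO: they expand the range syntax and count the pool. They go slightly beyond the HOWTO's sample by also accepting single addresses and comma-separated lists of addresses or ranges, which is an assumption about the pptpd.conf syntax; malformed items, reversed ranges and octets above 255 are rejected.

```shell
#!/bin/sh
# Added example (not pptpd code): expand the localip/remoteip range syntax
# from the HOWTO's pptpd.conf sample and count the resulting address pool.

# expand_pptpd_range SPEC
# SPEC is "a.b.c.d", "a.b.c.d-e" (range over the last octet), or a
# comma-separated list of either (the list form is an assumption about
# pptpd.conf, not something the HOWTO shows). Prints one address per
# line; returns 1 on a malformed item, a reversed range, or an octet > 255.
expand_pptpd_range() {
    spec=$1
    old_ifs=$IFS
    IFS=,
    set -- $spec          # split the comma-separated list into items
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            *-*)
                prefix=${item%.*}      # 192.168.1
                last=${item##*.}       # 70-79
                lo=${last%-*}
                hi=${last#*-}
                ;;
            *)
                prefix=${item%.*}
                lo=${item##*.}
                hi=$lo
                ;;
        esac
        # Reject non-digits and empty octets (".." or a leading/trailing dot).
        case "$prefix.$lo.$hi" in
            *[!0-9.]*|*..*|.*|*.) return 1 ;;
        esac
        # The prefix must be exactly three octets.
        case $prefix in
            *.*.*.*) return 1 ;;
            *.*.*) ;;
            *) return 1 ;;
        esac
        if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 255 ]; then
            return 1
        fi
        i=$lo
        while [ "$i" -le "$hi" ]; do
            echo "$prefix.$i"
            i=$((i + 1))
        done
    done
    return 0
}

# pool_size SPEC
# Prints the number of addresses in SPEC, or "invalid" if it does not parse.
pool_size() {
    if out=$(expand_pptpd_range "$1"); then
        printf '%s\n' "$out" | grep -c .
    else
        echo invalid
    fi
}

# Stand-alone run with the HOWTO's sample values.
echo "remoteip 192.168.1.70-79 -> $(pool_size 192.168.1.70-79) client addresses"
echo "localip  192.168.1.80-89 -> $(pool_size 192.168.1.80-89) server-side addresses"
```

Running `pool_size` on the remoteip line of the real pptpd.conf tells you how many clients the pool can serve at once; if that number is lower than the number of users expected to be connected simultaneously, the MGR message in the log is the expected result rather than a fault.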
From: stefan.vetter at ooe-versicherung.at (stefan.vetter at ooe-versicherung.at)
Date: Mon, 7 Aug 2000 07:57:21 +0100
Subject: [pptp-server] pptp + radius
Message-ID: <41256934.00264C3F.00@hermes.ooe-versicherung.at>

hi !!

i'd like to know if anybody is using radius to authenticate users ?
is there something like a HOWTO out there or any hints for this??

thanks

bye,
stefan.

From Gareth_Marlow at scientia.com Mon Aug 7 06:00:11 2000
From: Gareth_Marlow at scientia.com (Gareth Marlow)
Date: Mon, 7 Aug 2000 12:00:11 +0100
Subject: [pptp-server] PPTP linux client with PoPToP
Message-ID: <20000807120011.A31599@canna.scientia.com>

Greetings,

I've been running PoPToP successfully in a production environment since
January. We have Win95, 98, NT and 2000 clients. However, I'm trying to
get a linux client up and running.

I have recompiled ppp on the client with the mschap/mppe patches but I
don't know:

* what is the format for /etc/ppp/chap-secrets on the client
* what should be in /etc/ppp/options on the client
* what is the command-line incantation for pptp on the client
* what route to add after the pptp connection is made on the client
* whether I need to add anything extra to /etc/ppp/chap-secrets on the
  server

Cheers,
Gareth

From amacc at iron-bridge.net Mon Aug 7 07:30:53 2000
From: amacc at iron-bridge.net (Andrew McRory)
Date: Mon, 7 Aug 2000 08:30:53 -0400 (EDT)
Subject: [pptp-server] pptp + radius
In-Reply-To: <41256934.00264C3F.00@hermes.ooe-versicherung.at>
Message-ID:

On Mon, 7 Aug 2000 stefan.vetter at ooe-versicherung.at wrote:

>
> hi !!
>
> i'd like to know if anybody is using radius to authenticate users ?
> is there something like a HOWTO out there or any hints for this??
>

Hello!

I have never tried it myself but I don't see why it won't work to use
the ppp-radius binary that comes with portslave
ftp://ftp.psychosis.com/linux/portslave

The big limitation is that it doesn't support CHAP authentication so
MPPE is out (AFAIK).

Maybe someone else offers a better solution?

Andrew McRory - President/CTO                    amacc at iron-bridge.net
**************************************************************************
** The PC Doctor, Inc.                  www.pcdr.com          850-575-2713 **
** Iron Bridge Communications by PCDR   www.iron-bridge.net   850-575-0779 **
** Contributed Caldera OpenLinux RPMS   ftp.iron-bridge.net/pub/Caldera    **
**************************************************************************

From milledel at valkyrie.net Mon Aug 7 11:14:26 2000
From: milledel at valkyrie.net (Del Miller)
Date: Mon, 07 Aug 2000 12:14:26 -0400
Subject: [pptp-server] PPTP over dial-up problem...
Message-ID: <398EE062.80132369@valkyrie.net>

Hello all,

OK, so maybe I'm being dense but here's the situation. I want to test
out a PPTP setup over dial-up before I have my client fork over $100
non-refundable setup fee for a cable modem. I have the PPTP box up and
running and connected to it over my LAN (that was kinda cool!). I then
installed a USR Courier modem and have it dialed in to my ISP. How do I
get PPTP to respond over the dial-up? Will I have two PPPd's running
(one for dial-up, one for PPTP) or do I need to modify something to get
PPTP and dial-up to use the same PPPd?

Currently I'm stumped.

If there's a doc that I missed, please feel free to save the typing and
point me to it.

Thanks in advance

Config:
RH6.2
2.2.16 Kernel (generic)
pppd v 2.3.11 patched for mppe
pptp v 1.0.0
openssl 0.9.5a
3com NIC (10.x.x.x)
USR Courier

Regards
Del Miller
Warner Technology
Wooster, OH
dmiller at warnertech.com

From adam at morrison-ind.com Mon Aug 7 09:47:54 2000
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Mon, 7 Aug 2000 10:47:54 -0400
Subject: [pptp-server] PPTP over dial-up problem...
In-Reply-To: <398EE062.80132369@valkyrie.net>
References: <398EE062.80132369@valkyrie.net>
Message-ID: <200008071447.e77ElsB28068@barracuda.morrison.iserv.net>

> OK, so maybe I'm being dense but here's the situation. I want to test
> out a PPTP setup over dial-up before I have my client fork over $100
> non-refundable setup fee for a cable modem. I have the PPTP box up and
> running and connected to it over my LAN (that was kinda cool!). I then
> installed a USR Courier modem and have it dialed in to my ISP. How do I
> get PPTP to respond over the dial-up? Will I have two PPPd's running
> (one for dial-up, one for PPTP) or do I need to modify something to get
> PPTP and dial-up to use the same PPPd?

Yes, you will have two pppds running. One for the ISP connection, and
one for the VPN. You must create the ISP connection first.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

From dmiller at warnertech.com Mon Aug 7 12:14:17 2000
From: dmiller at warnertech.com (Del Miller)
Date: Mon, 7 Aug 2000 13:14:17 -0400
Subject: [pptp-server] PPTP over dial-up problem...
In-Reply-To: <200008071447.e77ElsB28068@barracuda.morrison.iserv.net>
Message-ID: <000d01c00092$eb6ba720$80a110ac@richloam.lan>

Thanks for the response... that's what I thought, that there'd be two
pppd's. Maybe I should elaborate a little more on the problem.

Pre-modem, I successfully connected to PPTP using all the MS MPPE stuff
so I know that works. Post-modem I can't get the Win98 client to
connect. I fired up the modem connection first, no problem. I then
fired up PPTP and have it set to respond to all requests from any
interface. At this point there is no firewall to contend with.

On client side (Win98) I get this:

Error 678: The remote computer did not respond within a reasonable
amount of time. If you specified an IP address directly please check
it. If connecting over a Modem please make sure the Modem connection
is already running, and then try again.

My pptpd.log looks like this:

Aug 7 05:22:46 vpnserver pptpd[1579]: CTRL: Received PPTP Control Message (type: 12)
Aug 7 05:22:46 vpnserver pptpd[1579]: CTRL: Made a CALL DISCONNECT RPLY packet
Aug 7 05:22:46 vpnserver pptpd[1579]: CTRL: Received CALL CLR request (closing call)
Aug 7 05:22:46 vpnserver pptpd[1579]: CTRL: I wrote 148 bytes to the client.
Aug 7 05:22:46 vpnserver pptpd[1579]: CTRL: Sent packet to client
Aug 7 05:22:46 vpnserver pptpd[1579]: CTRL: Error with select(), quitting
Aug 7 05:22:46 vpnserver pptpd[1579]: CTRL: Client xxx.xxx.xxx.xxx control connection finished
Aug 7 05:22:46 vpnserver pptpd[1579]: CTRL: Exiting now
Aug 7 05:22:46 vpnserver pptpd[1548]: MGR: Reaped child 1579
Aug 7 06:33:14 vpnserver pptpd[1707]: MGR: Manager process started
Aug 7 06:35:39 vpnserver pptpd[1741]: MGR: Manager process started
Aug 7 06:36:43 vpnserver pptpd[1773]: MGR: Manager process started

Any help is appreciated.

Regards
Del

-----Original Message-----
From: adam at morrison-ind.com [mailto:adam at morrison-ind.com]
Sent: Monday, August 07, 2000 10:48 AM
To: Del Miller
Cc: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] PPTP over dial-up problem...

> OK, so maybe I'm being dense but here's the situation. I want to test
> out a PPTP setup over dial-up before I have my client fork over $100
> non-refundable setup fee for a cable modem. I have the PPTP box up and
> running and connected to it over my LAN (that was kinda cool!). I then
> installed a USR Courier modem and have it dialed in to my ISP. How do I
> get PPTP to respond over the dial-up? Will I have two PPPd's running
> (one for dial-up, one for PPTP) or do I need to modify something to get
> PPTP and dial-up to use the same PPPd?

Yes, you will have two pppds running. One for the ISP connection, and
one for the VPN. You must create the ISP connection first.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

From jhummel at fulltilt.com Mon Aug 7 14:59:39 2000
From: jhummel at fulltilt.com (Jeffrey Hummel)
Date: Mon, 7 Aug 2000 15:59:39 -0400
Subject: [pptp-server] LAN to LAN pptp connection (ipchains involved)
Message-ID:

Hello All,

I have been running Poptop and WinNT PPTP and a linux pptp client
rather flawlessly several ways. My next solution is a PPTP LAN to LAN
connection. I have tried several ways to configure PPTP and ipchains
but I believe it is an ipchains problem where I get stupid. Here is my
scenario:

Windoze LAN --> Linux IPCHAINS FW / PPTP client --> Internet --> Cisco rules based FW --> PPTP Server (WinNT)

If I don't have any ipchains rules running, the Linux pptp client
works great and from that box I can see the entire PPTP server LAN.
What I want to do is route all of the traffic from my Windoze LAN thru
the PPTP server LAN. I have said to accept the PPTP client and server
ip range and also the PPTP server ip lan range. No good. I think I am
missing something w/ PPTP. I can give you my ipchains script if you
want.

Anyone interested in tackling this one with me? I would appreciate any
and all help as usual.

-Jeff

From danielk at ap.com Mon Aug 7 10:11:56 2000
From: danielk at ap.com (Daniel Knighten)
Date: Mon, 07 Aug 2000 15:11:56 +0000
Subject: [pptp-server] PPTP and SMB
Message-ID: <398ED1BC.6EC3778C@ap.com>

I am having an odd problem using PoPToP. I have a private network with
an NT4SP5 Primary Domain controller. I have a few Debian 2.1 Linux
boxes providing file and print sharing to a bunch of Win98, NT4, and
Win2K boxes. Samba is configured on the Linux boxes to slave
authentication to the Domain controller using the security = domain
option. Everybody inside the private network is using MS-encrypted
passwords. I then setup a Slackware Linux 7.1 machine with PoPToP and
MS-CHAPV2 authentication on our T1 to the Internet and then setup a
Win2K and Win98 box outside the firewall to test it. I can connect just
fine and get around the internal network. I can even browse and access
shares served by our Windows based machines, but when I try and access
SMB shares on a Unix machine the password authentication fails. I have
tried this with and without encrypted passwords.

Any help, or suggestions would be appreciated.

Thanks,
Dan

From kenlussier at mediaone.net Mon Aug 7 17:46:28 2000
From: kenlussier at mediaone.net (Kenneth E. Lussier)
Date: Mon, 07 Aug 2000 18:46:28 -0400
Subject: [pptp-server] PPTP and SMB
References: <398ED1BC.6EC3778C@ap.com>
Message-ID: <398F3C44.FAE2E31F@mediaone.net>

The problem is that Samba does a reverse lookup on the client. If it
can't resolve the ip address to a hostname, then it won't allow it to
access the shares. What I did to get around this was assign all of the
remote IP addresses hostnames in my internal DNS. I have
remote1.mycompany.com through remote128.mycompany.com. This works for
NFS, too.

Kenny

Daniel Knighten wrote:
>
> I am having an odd problem using PoPToP. I have a private network with
> an NT4SP5 Primary Domain controller. I have a few Debian 2.1 Linux
> boxes providing file and print sharing to a bunch of Win98, NT4, and
> Win2K boxes. Samba is configured on the Linux boxes to slave
> authentication to the Domain controller using the security = domain
> option. Everybody inside the private network is using MS-encrypted
> passwords. I then setup a Slackware Linux 7.1 machine with PoPToP and
> MS-CHAPV2 authentication on our T1 to the Internet and then setup a
> Win2K and Win98 box outside the firewall to test it. I can connect just
> fine and get around the internal network. I can even browse and
> access shares served by our Windows based machines, but when I try and
> access SMB shares on a Unix machine the password authentication fails.
> I have tried this with and without encrypted passwords.
>
> Any help, or suggestions would be appreciated.
>
> Thanks,
> Dan

From kenlussier at mediaone.net Mon Aug 7 17:49:07 2000
From: kenlussier at mediaone.net (Kenneth E. Lussier)
Date: Mon, 07 Aug 2000 18:49:07 -0400
Subject: [pptp-server] PPTP over dial-up problem...
References: <398EE062.80132369@valkyrie.net>
Message-ID: <398F3CE3.D2FCFF39@mediaone.net>

You will have separate devices for each connection. However, you will
need to muck with the routing to make everything go where it needs to
go.

dial-up ISP=ppp0
pptp=ppp1

Kenny

Del Miller wrote:
>
> Hello all,
>
> OK, so maybe I'm being dense but here's the situation. I want to test
> out a PPTP setup over dial-up before I have my client fork over $100
> non-refundable setup fee for a cable modem. I have the PPTP box up and
> running and connected to it over my LAN (that was kinda cool!). I then
> installed a USR Courier modem and have it dialed in to my ISP. How do I
> get PPTP to respond over the dial-up? Will I have two PPPd's running
> (one for dial-up, one for PPTP) or do I need to modify something to get
> PPTP and dial-up to use the same PPPd?
>
> Currently I'm stumped.
>
> If there's a doc that I missed, please feel free to save the typing and
> point me to it.
>
> Thanks in advance
>
> Config:
> RH6.2
> 2.2.16 Kernel (generic)
> pppd v 2.3.11 patched for mppe
> pptp v 1.0.0
> openssl 0.9.5a
> 3com NIC (10.x.x.x)
> USR Courier
>
> Regards
> Del Miller
> Warner Technology
> Wooster, OH
> dmiller at warnertech.com

From kenlussier at mediaone.net Mon Aug 7 21:03:28 2000
From: kenlussier at mediaone.net (Kenneth E. Lussier)
Date: Mon, 07 Aug 2000 22:03:28 -0400
Subject: [pptp-server] Config tools in the making
Message-ID: <398F6A6F.1951B02C@mediaone.net>

All,

One *REALLY* nice feature of the commercial pptp server from Moretonbay
is the web-based configuration tools. However, since the config tools
are what give the Nettel boxes their value, I doubt that they will ever
be released under the GPL. So, I was thinking about writing a web-based
config tool (or set thereof) for PoPToP myself. I want to make it as
complete as possible, so I wanted to ask the list what sort of
options/features should be included. There is a list of things I have
already thought of below. Any suggestions or comments are more than
welcome. All of this is subject to files being in standard places
(/etc, /etc/ppp, /usr/src/linux). The one drawback is the init file.
Several systems use /etc/rc.d/init.d while others use /etc/rc.x. I'll
have to study a Debian system to see exactly how to do this (probably a
menu option to change the directory trees).

Kenny

Here is my vision:

INSTALLER:
An installer that applies a unified diff to the kernel to install the
mppe encryption with multiple kernel patches to choose from
(2.2.14-2.2.16) (up to the user to configure, build, and install new
kernel), install/compile source and install patched/encrypted pppd,
install pptpd server.

Web-based configuration:

PPPD Config:
  Authentication method
  Add/remove users (dependent on auth method)
  Server name
  select encryption method required (if any)
  DNS and/or WINS servers to be assigned to clients

PPTPD (pptpd.conf) config:
  remote and local IP addresses allowed
  line speed selection
  options file to use
  ip address to listen on

From Martin at McFlySr.Kurgan.Ru Mon Aug 7 23:30:06 2000
From: Martin at McFlySr.Kurgan.Ru (Martin McFlySr)
Date: Tue, 8 Aug 2000 10:30:06 +0600
Subject: [pptp-server] Config tools in the making
In-Reply-To: <398F6A6F.1951B02C@mediaone.net>
References: <398F6A6F.1951B02C@mediaone.net>
Message-ID: <28151854685.20000808103006@McFlySr.Kurgan.Ru>

Hello Kenneth E. Lussier,

Tuesday, August 08, 2000, 8:03:28, you wrote:

KEL> below. Any suggestions or comments are more than welcome. All of
KEL> this is subject to files being in standard places (/etc,
KEL> /etc/ppp, /usr/src/linux). The one drawback is the init file.

PoPToP is also used on FreeBSD, and in FreeBSD we have the files in
/etc/ppp
/usr/src

KEL> Several systems use /etc/rc.d/init.d while others use /etc/rc.x.

/usr/local/etc/rc.d

KEL> Here is my vision:
KEL> INSTALLER:
...
KEL> Web-based configuration:

i think there must be two different parts:
* installer;
* web-based admin tool.

KEL> PPPD Config:
KEL> Authentication method
KEL> Add/remove users (dependent on auth method)

in ppp.secret it must be possible to add/change/remove a line of this
format:
billy bob 1.2.3.4

maybe you can include a module to modify the dhcpd config file?

thank you,

--
Tuesday, August 08, 2000, 10:23
Best regards from future, Martin McFlySr, HillDale.

From aaa at netman.dk Tue Aug 8 02:00:45 2000
From: aaa at netman.dk (Alaa Alamood)
Date: Tue, 08 Aug 2000 09:00:45 +0200
Subject: [pptp-server] PPTP linux client with PoPToP
References: <20000807120011.A31599@canna.scientia.com>
Message-ID: <398FB01D.A5B34149@netman.dk>

Hi

I have configured my client as follows:

1- get a copy of the linux pptp client
2- install ppp with mschap 128 bit supported
3- Client configuration

- Edit and make the /etc/ppp/options look like:

noauth
lock
debug
kdebug 7
name snow.netman.dk
user YOUR_USER_NAME
password YOUR_PASSWORD
noauth
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
lcp-echo-failure 10
lcp-echo-interval 5
defaultroute
allow-ip 193.88.72.38
logfile /var/log/log.options

Note: you can remove debug, kdebug and logfile after you get everything
working correctly.

- copy /usr/doc/ppp-2.3.10/scripts/ip-down.local.add to /etc/ppp/ip-down.local
- copy /usr/doc/ppp-2.3.10/scripts/ip-up.local.add to /etc/ppp/ip-up.local
- touch /var/log/log.options (you can remove this file when you have
  everything done).
- edit the chap-secrets file and add
- enabling the debug
  - add the line below to /etc/syslog.conf
    daemon.debug /var/log/pptp.log
  - touch /var/log/pptp.log
  - restart the syslog daemon
    /etc/rc.d/init.d/syslog stop
    /etc/rc.d/init.d/syslog start
- Manual connection (just for test reasons)
  - pptp PPTP_SERVER_IP_ADDRESS name YOUR_USER_NAME remotename PPTP_SERVER_NAME
  - route add -host PPTP_SERVER_IP_ADDRESS gw YOUR_GATEWAY_IP_ADDRESS
  - check your connection is made
    ps -ef |grep pptp

Gareth Marlow wrote:
> Greetings,
>
> I've been running PoPToP successfully in a production environment since
> January. We have Win95, 98, NT and 2000 clients. However, I'm trying to
> get a linux client up and running.
>
> I have recompiled ppp on the client with the mschap/mppe patches but I
> don't know:
>
> * what is the format for /etc/ppp/chap-secrets on the client
> * what should be in /etc/ppp/options on the client
> * what is the command-line incantation for pptp on the client
> * what route to add after the pptp connection is made on the client
> * whether I need to add anything extra to /etc/ppp/chap-secrets on the
> server
>
> Cheers,
> Gareth

From klussier at mclinux.com Tue Aug 8 07:14:12 2000
From: klussier at mclinux.com (Kenneth E. Lussier)
Date: Tue, 08 Aug 2000 08:14:12 -0400
Subject: [pptp-server] Config tools in the making
References: <398F6A6F.1951B02C@mediaone.net> <28151854685.20000808103006@McFlySr.Kurgan.Ru>
Message-ID: <398FF994.2A395F31@mclinux.com>

Martin McFlySr wrote:

> PoPToP is also used on FreeBSD, and in FreeBSD we have the files in
> /etc/ppp
> /usr/src
>
> KEL> Several systems use /etc/rc.d/init.d while others use /etc/rc.x.
> /usr/local/etc/rc.d

OK, I will admit to my ignorance of *BSD. I have never used any of
them, so I'm not really sure where they put things. Thanks for the
pointers. I'll look into the *BSD's and try to make the tools as
well-rounded as possible.

> KEL> Here is my vision:
>
> KEL> INSTALLER:
> ...
> KEL> Web-based configuration:
>
> i think there must be two different parts:

I agree. However, the installer can/will install the configuration
utilities.

>
> * installer;
> * web-based admin tool.
>
> KEL> PPPD Config:
> KEL> Authentication method
> KEL> Add/remove users (dependent on auth method)
> in ppp.secret it must be possible to add/change/remove a line of this
> format:
> billy bob 1.2.3.4

Is this line "USERNAME SECRET ASSIGNED IP"? If so, then that is the
same as the syntax of the chap-secrets files (at least how I do it,
anyway).

> maybe you can include a module to modify the dhcpd config file?

That is a little tough. dhcpd config files are different for every
dhcp server out there. The syntax changes alone would be near
impossible to implement. I'm not quite sure why it would be needed,
either? But, as everything should be, this will be 100% open source
(under GPL). So, if anyone wants to muck with it and add dhcp support,
go for it.
Kenny
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************

From gdunn at inscriber.com Tue Aug 8 08:17:57 2000
From: gdunn at inscriber.com (Graham Dunn)
Date: Tue, 8 Aug 2000 09:17:57 -0400
Subject: [pptp-server] Config tools in the making
In-Reply-To: <398FF994.2A395F31@mclinux.com>; from klussier@mclinux.com on Tue, Aug 08, 2000 at 08:14:12AM -0400
References: <398F6A6F.1951B02C@mediaone.net> <28151854685.20000808103006@McFlySr.Kurgan.Ru> <398FF994.2A395F31@mclinux.com>
Message-ID: <20000808091756.A11275@inscriber.com>

On Tue, Aug 08, 2000 at 08:14:12AM -0400, Kenneth E. Lussier wrote:

[snip]

> > KEL> PPPD Config:
> > KEL> Authentication method
> > KEL> Add/remove users (dependent on auth method)
> > In ppp.secret it must be possible to add/change/remove a line in this format:
> > billy bob 1.2.3.4
>
> Is this line "USERNAME SECRET ASSIGNED IP"? If so, then that is the
> same as the syntax of the chap-secrets file (at least how I do it,
> anyway).

I'm curious as to how you're going to handle read/writing as root from a web script.

--
gdunn at inscriber.com
Graham Dunn  || ||| | ||| |||| | |||| |
PGP Key fingerprint = 3F 56 12 9B 8A E1 77 CB F0 62 94 B0 93 06 1E 88

From klussier at mclinux.com Tue Aug 8 08:52:26 2000
From: klussier at mclinux.com (Kenneth E. Lussier)
Date: Tue, 08 Aug 2000 09:52:26 -0400
Subject: [pptp-server] Config tools in the making
References: <398F6A6F.1951B02C@mediaone.net> <28151854685.20000808103006@McFlySr.Kurgan.Ru> <398FF994.2A395F31@mclinux.com> <20000808091756.A11275@inscriber.com>
Message-ID: <3990109A.46BBE654@mclinux.com>

Graham Dunn wrote:
>
> I'm curious as to how you're going to handle read/writing as root from a
> web script.

The script will most likely run as the same user as the web-server. There are a few ways that I can think of off the top of my head to do this:

1) suid (not pretty, but it works)
2) authenticate the user at the beginning of the script, translate to a sudo type environment.

Kenny
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************

From os at k4azl.net Tue Aug 8 09:25:07 2000
From: os at k4azl.net (os at k4azl.net)
Date: Tue, 08 Aug 2000 16:25:07 +0200
Subject: [pptp-server] PPTP client works from LAN, not from dialup
Message-ID: <200008081425.QAA08434@bluefish.k4azl.net>

Hello,

I've searched the archives but haven't found reference to this particular problem. Any suggestions would be greatly appreciated. Thanks!

Running PoPToP 1.0.0, using a win98 client, the connection works when both machines are on the same ethernet LAN, but does not work when the win98 client is dialed up. It appears that from the dialup connection, the client is sending a termination request. Here is the message from pptpd.conf:

Aug 3 17:09:15 fw1 pptpd[22903]: CTRL (PPPD Launcher): remote address = 192.168.0.100
Aug 3 17:09:18 fw1 pptpd[22902]: CTRL: Received PPTP Control Message (type: 12)
Aug 3 17:09:18 fw1 pptpd[22902]: CTRL: Made a CALL DISCONNECT RPLY packet
Aug 3 17:09:18 fw1 pptpd[22902]: CTRL: Received CALL CLR request (closing call)
Aug 3 17:09:18 fw1 pptpd[22902]: CTRL: I wrote 148 bytes to the client.
Aug 3 17:09:18 fw1 pptpd[22902]: CTRL: Sent packet to client
Aug 3 17:09:18 fw1 pptpd[22902]: CTRL: Error with select(), quitting
Aug 3 17:09:18 fw1 pptpd[22902]: CTRL: Client 212.211.93.1 control connection finished

I've tried two different dialup services, Compuserve, and a local ISP, both give the same response. Any thoughts?

Thank you,
Os Tyler

From gord at amador.ca Tue Aug 8 09:33:34 2000
From: gord at amador.ca (Gord Belsey)
Date: Tue, 8 Aug 2000 08:33:34 -0600
Subject: [pptp-server] KeepAlive / Heartbeat
Message-ID: <00cc01c00145$a2d393c0$280111ac@amadorinc.com>

Hi, Ronnie:

PPP has a heartbeat built in to it using LCP timeouts - lcp-echo. What I've done to accomplish what you're doing is to use them in combination with the /etc/ip-down.local script.....ip-down will run ip-down.local if it exists with execute permissions.

I tweaked the LCP timeouts by adding the following to /etc/ppp/options:

    lcp-echo-failure 10
    lcp-echo-interval 1

I added this on both the pptp client and the pptp server. In this case, the timeout is 10 seconds, with a 1 second interval for the next heartbeat. In a nutshell, if an lcp-echo isn't received in 1 second it is considered failed. If 10 lcp-echos fail in a row, the connection is considered down.

On the server side, it just brings down the ppp interface used by that connection. On the client side, where I have the ip-down.local script set up, the ppp interface is brought down. That automagically runs ip-down, which automagically runs ip-down.local. In ip-down.local, I call a start up script to reopen a client connection to the server.

A couple of notes:

- I added the lcp-echo-timeout and lcp-echo-interval to both server and client
- The numbers in my above example are from my R&D server....on my production server, I use lcp-echo-timeout 10 and lcp-failure 6, which basically says if there's no response from the other side in 60 seconds consider the link down. You can play around with the numbers a bit to find your "best mileage"
- In my /etc/ppp/ip-down.local on the client, I restart the client, sleep for 30 seconds, then check to see if the client comes up. If not, I try again. This works so-so, but the intention is to deal with the server "going away" for a while (ie: loses network connection, crashes, gets rebooted et al). The idea is that as soon as the client sees the server, it'll bring up a connection.

Works great in theory, but I haven't got it perfect in production yet :o)

Hope this is helpful

Gord Belsey

----- Original Message -----
From: Ronnie F. Moller, Jr.
To:
Sent: Friday, August 04, 2000 5:59 PM
Subject: [pptp-server] KeepAlive / Heartbeat

> I am using a PPTP Client on linux, and have a script that runs every minute
> from cron, the script is the following:
>
> ping -c 1 172.16.1.4 || /etc/rc.d/init.d/pptp restart
>
> what I have noticed is that ping sometimes fails during high latency, when
> the connection is just busy / overloaded temporarily. Is there a better way
> to test, so that if it fails 5 times in a row, then it would call the
> restart. If it were to get 1 successful ping out of 5, then I would assume
> that it is a good connection, just busy.
>
> Thanks
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>

From adam at morrison-ind.com Tue Aug 8 08:29:25 2000
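Added example for the cron-based check Ronnie asks about above (this is not Gord's or Ronnie's script, and not part of PoPToP). A run counts as failed only when all five probes go unanswered, and the client is restarted only after several failed runs in a row, so one lost ping under load never triggers a restart. For the record, pppd's own keepalive options are lcp-echo-interval (seconds between LCP echo requests) and lcp-echo-failure (how many unanswered echoes in a row mark the link dead); this script is the out-of-band complement to those. The peer address, restart command, state file and the Linux ping flags are assumptions, and the probe command is a variable so the logic can be exercised without a link.

```shell
#!/bin/sh
# pptp link watchdog for cron. Added example for this thread; not Gord's or
# Ronnie's script and not PoPToP code. Assumptions (not from the list): the
# peer's tunnel address is $PEER, the restart command is $RESTART, $STATE holds
# the consecutive-failure count between cron runs, and $PING is the probe
# (overridable so the logic can be tested without a network).
# Suggested cron line:  * * * * * /usr/local/sbin/pptp-watchdog run 3
PEER=${PEER:-172.16.1.4}
RESTART=${RESTART:-/etc/rc.d/init.d/pptp restart}
PING=${PING:-ping -c 1 -W 2}
TRIES=${TRIES:-5}
PROBE_GAP=${PROBE_GAP:-1}
STATE=${STATE:-/var/run/pptp-watchdog.fails}

# probe: one attempt against the peer; returns the probe's exit status.
probe() { $PING "$PEER" >/dev/null 2>&1; }

# link_alive N: success if ANY of N probes is answered. One reply out of five
# means "busy", not "down", so a single run never restarts on latency alone.
link_alive() {
    n=${1:-$TRIES}
    i=0
    while [ "$i" -lt "$n" ]; do
        if probe; then return 0; fi
        i=$((i + 1))
        sleep "$PROBE_GAP"
    done
    return 1
}

# watchdog_step ALIVE THRESHOLD: ALIVE is 0 when link_alive succeeded.
# Keeps the count of consecutive failed runs in $STATE and prints "restart"
# only when THRESHOLD runs in a row have failed, "ok" otherwise. The count is
# reset after a restart decision so the next cron run starts from zero.
watchdog_step() {
    alive=$1 threshold=${2:-3}
    fails=0
    if [ -f "$STATE" ]; then read -r fails < "$STATE" || fails=0; fi
    fails=${fails:-0}
    if [ "$alive" -eq 0 ]; then
        fails=0
    else
        fails=$((fails + 1))
    fi
    if [ "$fails" -ge "$threshold" ]; then
        fails=0
        echo restart
    else
        echo ok
    fi
    echo "$fails" > "$STATE"
}

# Entry point used by cron: pptp-watchdog run [THRESHOLD]
if [ "${1:-}" = run ]; then
    if link_alive "$TRIES"; then alive=0; else alive=1; fi
    if [ "$(watchdog_step "$alive" "${2:-3}")" = restart ]; then
        logger -t pptp-watchdog "$PEER unreachable for ${2:-3} runs, restarting client"
        $RESTART
    fi
fi
```

With TRIES=5 and a threshold of 3 the client is only restarted after 15 consecutive unanswered probes spread over three cron minutes, which is the behaviour Ronnie wanted; pppd's lcp-echo options still tear the ppp interface down on their own timescale, and ip-down.local then handles the reconnect as Gord describes.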
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Tue, 8 Aug 2000 09:29:25 -0400
Subject: [pptp-server] Config tools in the making
In-Reply-To: <20000808091756.A11275@inscriber.com>
References: <398F6A6F.1951B02C@mediaone.net> <28151854685.20000808103006@McFlySr.Kurgan.Ru> <398FF994.2A395F31@mclinux.com> <20000808091756.A11275@inscriber.com>
Message-ID: <200008081329.e78DTPp29077@barracuda.morrison.iserv.net>

>>>KEL> PPPD Config:
>>>KEL> Authentication method
>>>KEL> Add/remove users (dependent on auth method)
>>>In ppp.secret it must be possible to add/change/remove a line in this format:
>>>billy bob 1.2.3.4
>>
>>Is this line "USERNAME SECRET ASSIGNED IP"?
>>If so, then that is the same as the syntax of the chap-secrets file
>>(at least how I do it, anyway).
>I'm curious as to how you're going to handle read/writing as root from a
>web script.

Both LinuxConf and Webmin manage to do this in a "secure" fashion; it might be good to look at those projects. In fact Webmin has a pppd management module which you should look at, so as to avoid re-inventing the wheel, as pptp/pppd setup really isn't all that different from pppd setup by itself.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW. Grand Rapids, MI. 49505

From glenn.robinson at btinternet.com Tue Aug 8 09:28:53 2000
From: glenn.robinson at btinternet.com (Glenn Robinson)
Date: Tue, 8 Aug 2000 15:28:53 +0100
Subject: [pptp-server] Trouble with pptp authorisation
Message-ID: <001301c00144$fb2454c0$be03030a@hpis.local>

I've configured PoPToP on my Linux RH6.1 box and I'm trying to connect to it from my WinNT Workstation SP6.0a PC across the internet. When I 'dial' my server's IP address I get the Error 629. On my Linux server I get:

CTRL: Client xxx.xxx.xxx.xxx control Connection started
CTRL: Starting Call (launching pppd, opening GRE)
The remote system is required to authenticate itself but I couldn't find any secret (password) which would let it use an IP address.
GRE: read(fd=4, buffer=804d7e0,len-8196) from PTY failed: status = -1 error = Input/output error
CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
CTRL: Client xxx.xxx.xxx.xxx connection finished

I do have an entry in my chap-secrets file. I have tried this with and without specifying a domain. The chap-secrets file has the following:

    mydomain//myname * mypasswd *

Any clues as to what I have got wrong?

Thanks
Glenn

From gord at amador.ca Tue Aug 8 09:41:01 2000
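Added example, not from this thread and not PoPToP's own tooling, serving two questions above: Kenny Lussier's "sudo type environment" for letting a web script change a root-owned file, and Glenn's chap-secrets entry. It is a deliberately narrow helper that a web front end is allowed to run via sudo, and nothing else. The helper refuses any input that could inject extra lines into the secrets file, replaces the file atomically, keeps it root-only, and writes the entry in pppd's format (client, server, secret, IP-addresses), including a domain-qualified Windows user name: pppd reads the secrets file with the same word parser as its options files, where backslash is an escape, so a literal backslash is written doubled inside double quotes. The sudoers line, the file path and the sample users in the test are assumptions.

```shell
#!/bin/sh
# pptp-adduser: narrow helper a web front end can call through sudo to add
# one CHAP user. Added example for this thread; not PoPToP's code and not the
# tool Kenny Lussier describes. Assumptions (not from the list):
#   - the secrets file is $SECRETS (default /etc/ppp/chap-secrets);
#   - sudoers grants the web server user ONLY this script, e.g.
#       www-data ALL=(root) NOPASSWD: /usr/local/sbin/pptp-adduser
#     so the CGI never runs as root itself, and every byte it passes in is
#     checked here before it can reach a root-owned file.
# chap-secrets line format: client  server  secret  IP-addresses
SECRETS=${SECRETS:-/etc/ppp/chap-secrets}

# valid_name NAME: conservative identifier only. pppd treats whitespace,
# quotes and backslash as special in the secrets file, so a web form that
# could push those in would be able to inject whole extra entries.
valid_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# valid_secret SECRET: non-empty and free of the characters that would break
# out of the quoted field (double quote, backslash, whitespace).
valid_secret() {
    [ -n "$1" ] || return 1
    if printf '%s' "$1" | grep -q '["\\[:space:]]'; then return 1; fi
    return 0
}

# valid_ip IP: "*" (any address) or a dotted quad.
valid_ip() {
    [ "$1" = '*' ] && return 0
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# secret_line DOMAIN USER SECRET IP: print one entry. A Windows client that
# logs in as DOMAIN\user sends that as its CHAP name; in the secrets file the
# backslash is written doubled inside double quotes.
secret_line() {
    if [ -n "$1" ]; then
        client="\"$1\\\\$2\""
    else
        client="\"$2\""
    fi
    printf '%s\t*\t"%s"\t%s\n' "$client" "$3" "$4"
}

# add_secret DOMAIN USER SECRET [IP]: validate everything, then replace the
# file atomically (copy + append + rename) so a crash never leaves a
# half-written secrets file, and keep it root-only: the secrets are cleartext.
add_secret() {
    dom=$1 user=$2 pass=$3 ip=${4:-*}
    if [ -n "$dom" ] && ! valid_name "$dom"; then echo "bad domain" >&2; return 2; fi
    valid_name "$user"   || { echo "bad user name" >&2; return 2; }
    valid_secret "$pass" || { echo "bad secret" >&2; return 2; }
    valid_ip "$ip"       || { echo "bad ip" >&2; return 2; }
    tmp=$(mktemp "$SECRETS.XXXXXX") || return 1
    {
        [ -f "$SECRETS" ] && cat "$SECRETS"
        secret_line "$dom" "$user" "$pass" "$ip"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$SECRETS"
}

# Command-line entry point: sudo pptp-adduser DOMAIN USER SECRET [IP]
# (an empty DOMAIN adds a plain user name).
if [ $# -ge 3 ]; then
    add_secret "$@"
fi
```

The point of the design is that the web process never gets a general root shell or a writable copy of the secrets file: sudo exposes exactly one command, and that command validates its arguments before they become file content. Note that this helper only appends; a change-or-remove operation needs the same validation plus a rewrite of the existing lines.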
From: gord at amador.ca (Gord Belsey)
Date: Tue, 8 Aug 2000 08:41:01 -0600
Subject: [pptp-server] PPtP Prob...
References: <002401bfffd7$761fa4a0$06359fcb@ait.ac.th>
Message-ID: <00d801c00146$ad508e10$280111ac@amadorinc.com>

Can:

You don't have enough clients configured in /etc/pptpd.conf. Make sure your local and remote lines include (at least) enough ip addresses for the number of clients you'll have connecting. For example, if you have 5 clients connecting to the server, you need (at least) 5 local and 5 remote addresses configured (assuming the server will assign ip addresses for both the local and remote end of the ppp connection). So if you were using 172.16.1.0 as your network, you would have, say:

    local-ip 172.16.1.101-105
    remote-ip 172.16.1.106-110

in your /etc/pptpd.conf file. This would assign 172.16.1.101 to the local end and 172.16.1.106 to the remote end of the first ppp connection to come up (first pptp client to connect) etc, etc.

Remember to restart the pptp server daemon after you make changes to /etc/pptpd.conf :o)

Hope this is helpful

Gord Belsey

----- Original Message -----
From: can
To: pptp-server at lists.schulte.org
Sent: Sunday, August 06, 2000 12:52 PM
Subject: [pptp-server] PPtP Prob...

Dear,

I started the PPTP server and it ran as a process. However I can't connect a client to this server. In the log file I saw some errors as below. What should I do?

Thanks

Log file:

Aug 5 05:34:06 octopus init: Entering runlevel: 3
Aug 5 05:34:28 octopus identd[427]: started
Aug 5 05:34:42 octopus gpm[550]: Error in protocol
Aug 5 05:34:57 octopus pptpd[630]: MGR: Manager process started
Aug 5 05:39:08 octopus pptpd[663]: MGR: Launching /usr/sbin/pptpctrl to handle client
Aug 5 05:39:08 octopus pptpd[630]: MGR: No free connection slots or IPs - no more clients can connect!
Aug 5 05:39:08 octopus pptpd[663]: CTRL: local address = 192.41.170.18

From gdunn at inscriber.com Tue Aug 8 09:41:18 2000
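Added example (not part of PoPToP, not from the thread) for checking the address pool Gord describes before pptpd logs "No free connection slots or IPs". A caveat on his reply: the keywords pptpd reads in /etc/pptpd.conf are localip, remoteip and connections (default 100 when the keyword is absent); a range is written with the last octet after the dash, as in 192.168.0.234-238, with no shortcuts; a single localip is reused for every connection, so remoteip alone then sets the limit; and if the pools hold more addresses than connections, only the first connections of them are used. Handling of the long form a.b.c.d-a.b.c.e (both ends assumed to be in the same /24) and first-occurrence-wins for duplicate keywords are assumptions made by this script, as is the constructed pptpd.conf in the test.

```shell
#!/bin/sh
# Check a pptpd.conf address pool against its connection limit. Added example
# for this thread; not part of PoPToP. Facts used: pptpd.conf keywords are
# localip, remoteip and connections (default 100); a range is a.b.c.d-e with
# e the full last octet; one localip is reused for every connection.
# Assumptions: the long form a.b.c.d-a.b.c.e is accepted and stays in one /24;
# duplicate keywords are not modelled (the first occurrence is used).

# conf_value KEY FILE: value of the first uncommented "KEY value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^#]*\).*/\1/p" "$2" \
        | head -n 1 | tr -d '[:space:]'
}

# count_ips LIST: number of addresses in a comma-separated list of single
# addresses and ranges. Fails (status 1) on a reversed range.
count_ips() {
    total=0
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    for item in "$@"; do
        case "$item" in
            *-*)
                first=${item%%-*}; last=${item#*-}
                lo=${first##*.};   hi=${last##*.}
                [ "$hi" -ge "$lo" ] || return 1
                total=$((total + hi - lo + 1)) ;;
            '') ;;
            *) total=$((total + 1)) ;;
        esac
    done
    echo "$total"
}

# check_pool FILE: report whether the pools can serve "connections" clients.
# Returns 0 when they can, 1 when clients would be refused, 2 on a bad range.
check_pool() {
    conf=$1
    conns=$(conf_value connections "$conf"); conns=${conns:-100}
    local_n=$(count_ips "$(conf_value localip "$conf")") \
        || { echo "bad localip range" >&2; return 2; }
    remote_n=$(count_ips "$(conf_value remoteip "$conf")") \
        || { echo "bad remoteip range" >&2; return 2; }
    if [ "$local_n" -eq 1 ]; then
        usable=$remote_n            # one localip is shared by all connections
    elif [ "$local_n" -lt "$remote_n" ]; then
        usable=$local_n
    else
        usable=$remote_n
    fi
    echo "localip=$local_n remoteip=$remote_n connections=$conns usable=$usable"
    if [ "$usable" -lt "$conns" ]; then
        echo "only $usable of $conns connections can get addresses" >&2
        return 1
    fi
    return 0
}

# Usage: check-pptpd-pool /etc/pptpd.conf
if [ $# -eq 1 ]; then
    check_pool "$1"
fi
```

Run it after every edit of /etc/pptpd.conf and before restarting pptpd; a non-zero exit means the Nth client will get exactly the "No free connection slots or IPs" line from Can's log.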
From: gdunn at inscriber.com (Graham Dunn)
Date: Tue, 8 Aug 2000 10:41:18 -0400
Subject: [pptp-server] Config tools in the making
In-Reply-To: <200008081329.e78DTPp29077@barracuda.morrison.iserv.net>; from adam@morrison-ind.com on Tue, Aug 08, 2000 at 09:29:25AM -0400
References: <398F6A6F.1951B02C@mediaone.net> <28151854685.20000808103006@McFlySr.Kurgan.Ru> <398FF994.2A395F31@mclinux.com> <20000808091756.A11275@inscriber.com> <200008081329.e78DTPp29077@barracuda.morrison.iserv.net>
Message-ID: <20000808104118.B11275@inscriber.com>

On Tue, Aug 08, 2000 at 09:29:25AM -0400, Adam Tauno Williams wrote:
> >>>KEL> PPPD Config:
> >>>KEL> Authentication method
> >>>KEL> Add/remove users (dependent on auth method)
> >>>In ppp.secret it must be possible to add/change/remove a line in this format:
> >>>billy bob 1.2.3.4
> >>
> >>Is this line "USERNAME SECRET ASSIGNED IP"?
> >>If so, then that is the same as the syntax of the chap-secrets file
> >>(at least how I do it, anyway).
> >I'm curious as to how you're going to handle read/writing as root from a
> >web script.
>
> Both LinuxConf and Webmin manage to do this in a "secure" fashion; it
> might be good to look at those projects. In fact Webmin has a pppd
> management module which you should look at, so as to avoid re-inventing
> the wheel, as pptp/pppd setup really isn't all that different from pppd
> setup by itself.

Correct me if I'm wrong, but don't those products run their own web interfaces as part of the process, i.e. not through apache? The smb daemon runs like that as well.

--
gdunn at inscriber.com
Graham Dunn  || ||| | ||| |||| | |||| |
PGP Key fingerprint = 3F 56 12 9B 8A E1 77 CB F0 62 94 B0 93 06 1E 88

From gord at amador.ca Tue Aug 8 09:52:00 2000
From: gord at amador.ca (Gord Belsey)
Date: Tue, 8 Aug 2000 08:52:00 -0600
Subject: [pptp-server] PPTP over dial-up problem...
References: <398EE062.80132369@valkyrie.net>
Message-ID: <00ee01c00148$35738490$280111ac@amadorinc.com>

Hi, Del:

Here's an issue to watch for...I came across it on a DSL connection which used PPPoE (and, obviously, PPP). The PPP options for the PPPoE connection were VERY different from the ones required by PPTP. I ended up creating a second ppp options file, /etc/options.pptp. There's a flag used when starting pptpd to use a different options file than the default (I can't recall at the moment, but I think it's -o....it's in the man pages). Depending on what your dialup uses, I'm guessing you'll need separate options files.

I had no problems with pptpd with this configuration, even when the link went down and up....pptpd just kept on listening for connections. (PPPoE was another story....I finally tossed it for a cable connection :o)

Hope this is helpful

Gord Belsey

----- Original Message -----
From: Del Miller
To:
Sent: Monday, August 07, 2000 10:14 AM
Subject: [pptp-server] PPTP over dial-up problem...

> Hello all,
>
> OK, so maybe I'm being dense but here's the situation. I want to test
> out a PPTP setup over dial-up before I have my client fork over $100
> non-refundable setup fee for a cable modem. I have the PPTP box up and
> running and connected to it over my LAN (that was kinda cool!). I then
> installed a USR Courier modem and have it dialed in to my ISP. How do I
> get PPTP to respond over the dial-up? Will I have two PPPd's running
> (one for dial-up, one for PPTP) or do I need to modify something to get
> PPTP and dial-up to use the same PPPd?
>
> Currently I'm stumped.
>
> If there's a doc that I missed, please feel free to save the typing and
> point me to it.
>
> Thanks in advance
>
>
> Config:
> RH6.2
> 2.2.16 Kernel (generic)
> pppd v 2.3.11 patched for mppe
> pptp v 1.0.0
> openssl 0.9.5a
> 3com NIC (10.x.x.x)
> USR Courier
>
>
>
> Regards
> Del Miller
> Warner Technology
> Wooster, OH
> dmiller at warnertech.com
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>

From gord at amador.ca Tue Aug 8 09:56:10 2000
From: gord at amador.ca (Gord Belsey)
Date: Tue, 8 Aug 2000 08:56:10 -0600
Subject: [pptp-server] LAN to LAN pptp connection (ipchains involved)
Message-ID: <00fa01c00148$ca703c00$280111ac@amadorinc.com>

Hi Jeffrey:

One thing to watch for is the Cisco firewall....it has to allow both TCP port 1723 and protocol 47 (gre) through. The gre is a separate access list....I don't have it handy, but if you have CCO access Cisco TAC will set you up.

Hope this is helpful

Gord Belsey

----- Original Message -----
From: Jeffrey Hummel
To:
Sent: Monday, August 07, 2000 1:59 PM
Subject: [pptp-server] LAN to LAN pptp connection (ipchains involved)

> Hello All,
>
> I have been running Poptop and WinNT PPTP and a linux pptp client rather
> flawlessly several ways. My next solution is a PPTP LAN to LAN connection.
> I have tried several ways to configure PPTP and ipchains but I believe it is
> an ipchains problem where I get stupid. Here is my scenario:
>
> Windoze LAN --> Linux IPCHAINS FW / PPTP client --> Internet --> Cisco rules
> based FW --> PPTP Server (WinNT)
>
> If I don't have any ipchains rules running, the Linux pptp client works
> great and from that box I can see the entire PPTP server LAN. What I want
> to do is route all of the traffic from my Windoze LAN thru the PPTP server
> LAN. I have said to accept the PPTP client and server ip range and also the
> PPTP server ip lan range. No good. I think I am missing something w/ PPTP.
> I can give you my ipchains script if you want.
>
> Anyone interested in tackling this one with me? I would appreciate any and
> all help as usual.
>
> -Jeff
>
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>

From jhummel at fulltilt.com Tue Aug 8 10:01:18 2000
From: jhummel at fulltilt.com (Jeffrey Hummel)
Date: Tue, 8 Aug 2000 11:01:18 -0400
Subject: [pptp-server] LAN to LAN pptp connection (ipchains involved)

Thanks for that, but that's not the problem, otherwise I wouldn't be able to access the PPTP server inside the Cisco FW. That works fine - I currently have over 100 PPTP windoze and Linux clients running without a hitch. Cisco firewall I know, it's Ipchains that gets confusing to me.

-J

-----Original Message-----
From: gord at amador.ca [mailto:gord at amador.ca]
Sent: Tuesday, August 08, 2000 10:56 AM
To: Jeffrey Hummel; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] LAN to LAN pptp connection (ipchains involved)

[snip]

From gord at amador.ca Tue Aug 8 10:38:19 2000
From: gord at amador.ca (Gord Belsey)
Date: Tue, 8 Aug 2000 09:38:19 -0600
Subject: [pptp-server] LAN to LAN pptp connection (ipchains involved)
Message-ID: <013601c0014e$ada40ba0$280111ac@amadorinc.com>

Jeffrey:

Good point....after re-reading your original post, if I've got it right, you want to eliminate the windows PPTP clients, and just access the remote LAN via the linux PPTP to server pipe. Assuming I understand correctly, this is how I'm using PPTP. Here's some things I came across:

To get the linux client working through ipchains, I opened up access for the PPTP server completely on the input chain (you can be more selective):

    ipchains -A input -s -d 0.0.0.0/0.0.0.0 -j ACCEPT
    ipchains -A input -s -d 0.0.0.0/0.0.0.0 -j ACCEPT

On the client side, I use MASQuerade to let the windows PCs surf/email on the Internet. So, I have two entries, one to allow traffic from the client LAN to the server LAN unmasqed, and the rest masqd:

    ipchains -A forward -s -d -j ACCEPT
    ipchains -A forward -s -d 0.0.0.0/0.0.0.0 -j MASQ

On a side note, you've probably already got this covered, but I also needed route statements on both the client and server. Because the client goes up and down, I do this in /etc/ppp/ip-up.local. I use the $1 through $5 variables provided by PPP to build the route statement. On the server side, I do something similar, but I have the remote LAN addressing info in a file, and grep it out.

I hope this is (more) helpful.

Gord Belsey

----- Original Message -----
From: Jeffrey Hummel
To: ;
Sent: Tuesday, August 08, 2000 9:01 AM
Subject: RE: [pptp-server] LAN to LAN pptp connection (ipchains involved)

> Thanks for that, but that's not the problem, otherwise I wouldn't be able to
> access the PPTP server inside the Cisco FW. That works fine - I currently
> have over 100 PPTP windoze and Linux clients running without a hitch. Cisco
> firewall I know, it's Ipchains that gets confusing to me.
>
> -J
>
> -----Original Message-----
> From: gord at amador.ca [mailto:gord at amador.ca]
> Sent: Tuesday, August 08, 2000 10:56 AM
> To: Jeffrey Hummel; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] LAN to LAN pptp connection (ipchains
> involved)
>
> [snip]

From walterm at Gliatech.com Tue Aug 8 10:38:36 2000
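Added example (not Gord's ip-up.local, not from the list) of the two things in his reply that Jeff's LAN-to-LAN setup needs: building the route to the remote LAN from the parameters pppd hands to ip-up ($1 interface, $2 tty, $3 speed, $4 local IP, $5 remote IP, $6 ipparam), and ordering the ipchains forward rules so that traffic from the local LAN to the remote LAN is accepted before the catch-all MASQ rule. The input rules open only what the client actually needs from the server, the TCP 1723 control connection and GRE (IP protocol 47), rather than everything. The network numbers and server address are assumptions; with DRYRUN=1 the script prints the commands instead of running them, which is also how it is exercised without root.

```shell
#!/bin/sh
# /etc/ppp/ip-up.local for a Linux pptp client that joins two LANs.
# Added example for this thread; not Gord Belsey's actual script.
# pppd calls ip-up as: ip-up IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Assumptions (not from the list): the LAN behind the PPTP server is
# $REMOTE_NET/$REMOTE_MASK, the local Windows LAN is $LOCAL_LAN and the
# server's public address is $PPTP_SERVER. DRYRUN=1 prints instead of runs.
REMOTE_NET=${REMOTE_NET:-10.1.0.0}
REMOTE_MASK=${REMOTE_MASK:-255.255.0.0}
LOCAL_LAN=${LOCAL_LAN:-192.168.1.0/24}
PPTP_SERVER=${PPTP_SERVER:-203.0.113.10}
DRYRUN=${DRYRUN:-0}

# run CMD...: execute, or just echo when DRYRUN=1.
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# route_cmd IFACE REMOTE_IP: pppd itself only adds the host route to the
# peer ($5); the LAN behind the peer needs its own route over the ppp link.
route_cmd() {
    echo "route add -net $REMOTE_NET netmask $REMOTE_MASK gw $2 dev $1"
}

# control_rules: what the client's own input chain must let in from the
# server: replies on the TCP 1723 control connection and GRE (protocol 47)
# carrying the PPP frames. Nothing else from the server is opened.
control_rules() {
    echo "ipchains -A input -p tcp -s $PPTP_SERVER 1723 -d 0.0.0.0/0 -j ACCEPT"
    echo "ipchains -A input -p 47 -s $PPTP_SERVER -d 0.0.0.0/0 -j ACCEPT"
}

# forward_rules: order matters. Local-LAN-to-remote-LAN traffic must be
# ACCEPTed BEFORE the catch-all MASQ rule, or it is masqueraded too and the
# remote LAN sees the tunnel endpoint instead of the real client addresses.
forward_rules() {
    echo "ipchains -A forward -s $LOCAL_LAN -d $REMOTE_NET/$REMOTE_MASK -j ACCEPT"
    echo "ipchains -A forward -s $LOCAL_LAN -d 0.0.0.0/0 -j MASQ"
}

# apply IFACE TTY SPEED LOCAL_IP REMOTE_IP [IPPARAM]: the ip-up entry point.
apply() {
    iface=$1 remote_ip=$5
    run $(route_cmd "$iface" "$remote_ip")
    control_rules | while read -r cmd; do run $cmd; done
    forward_rules | while read -r cmd; do run $cmd; done
}

if [ $# -ge 5 ]; then
    apply "$@"
fi
```

The matching /etc/ppp/ip-down.local would delete the same route and rules with the same parameters, so that a flapping link does not leave stale entries behind; the forward rules can equally live in the firewall boot script as long as the ACCEPT precedes the MASQ.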
From: walterm at Gliatech.com (Michael Walter)
Date: Tue, 8 Aug 2000 11:38:36 -0400
Subject: [pptp-server] VPN Masquerading Woes

Thanks for the advice so far, but I am still having a lot of problems with this. I have read through the last 6 months of postings on this group as well as the vpn masq howto and everything I could find through web searches on the subject and I am still at square 1, just slightly more frustrated.

These are the tools I am using:

- kernel-2.2.16-12.i386.rpm from the rawhide section of ftp.redhat.com (this comes with the vpn masq patch built in); also tried kernel-2.2.16 from www.kernel.org with ip_masq_vpn-2.2.15.patch.gz applied successfully.
- ipfwd-1.0.0-1.i386.rpm
- ipmasqadm-0.4.2-3.i386.rpm

Here is my test configuration:

    =======================
    | Win2000 client      |
    | 192.168.0.10/24     |
    =======================
              |
    =======================
    | 192.168.0.1/24      |
    | Linux Masq/Firewall |
    | 192.0.0.200/24      |
    =======================
              |
    =======================
    | 192.0.0.1           |
    | Linux VPN           |
    | 10.0.0.15           |
    =======================

I have the ip_masq_pptp.o module installed on the linux Masq/Firewall box, do I also need it on the Linux VPN?

This is what my boot script looks like on the Linux Masq/Firewall:

    ipchains -F
    ipmasqadm portfw -f
    echo 1 > /proc/sys/net/ipv4/ip_forward
    insmod ip_masq_pptp
    insmod ip_masq_ftp
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward REJECT
    ipchains -A forward -s 192.168.0.0/24 -j MASQ
    ipmasqadm portfw -a -P tcp -L 192.168.0.1 1723 -R 192.0.0.1 1723
    # PPTP's control connection is TCP only; no PPTP traffic uses UDP 1723
    ipmasqadm portfw -a -P udp -L 192.168.0.1 1723 -R 192.0.0.1 1723
    ipfwd 192.168.0.10 47 &

I have no problem connecting to the vpn server, but it basically never manages to authenticate the client. As a test too, I set all the addresses involved to non-private addresses, set the default gateway on the Vpn Server to the linux masq firewall, and enabled port forwarding without any masq-ing and things worked great.

As soon as I masq the private addresses though, everything stops working. Is there some hidden issue involved in the use of private addresses that I haven't found? Has anyone gotten a configuration like this working, am I overlooking something simple? Do I need to make any changes on the VPN Server itself?

Thanks,

Michael J. Walter mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Tom Eastep [mailto:teastep at evergo.net]
Sent: Friday, August 04, 2000 1:34 PM
To: Michael Walter
Cc: PPTPD User Group (E-mail)
Subject: Re: [pptp-server] VPN Masquerading Woes

Thus spoke Michael Walter:

> Hello All,
>
> I am working on a test configuration that I am hoping to roll into
> production soon. I have a win2000 client connecting through a linux masq
> box to a poptop server. When I connect, the win2000 client makes it to the
> Verifying Username and Password stage and eventually gives Error 619: the
> specified port is not connected. I have tested the same configuration with
> the client connected directly to the poptop vpn and it works flawlessly. I
> have also tried this with several different clients against the test and our
> production poptop vpn's with the same results. I have the chap-secrets and
> pap-secrets files set up correctly and they both contain the login I am
> trying to use. Has anyone had these kind of problems with VPN masquerading?
> If so, did you find any type of resolution? Thanks in advance for any help,
>

You must:

a) patch your kernel as described at http://www.wolfenet.com/~jhardin/ip_masq_vpn.html.
b) run ipfwd on the gateway system: ipfwd --masq 47
c) Port forward port 1723 to the server.

-Tom
--
Tom Eastep               \ Eastep's First Principle of Computing:
ICQ #60745924             \ "Any sane computer will tell you how it
teastep at evergo.net     \ works if you ask it the proper questions"
Shoreline, Washington USA  \___________________________________________
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From support at tecpro.com Tue Aug 8 11:05:57 2000
From: support at tecpro.com (Charles Peters - Tech Support)
Date: Tue, 8 Aug 2000 12:05:57 -0400
Subject: [pptp-server] Config tools in the making
In-Reply-To: <3990109A.46BBE654@mclinux.com>
Message-ID: <398FF7A5.23877.2B767CD@localhost>

A non-text attachment was scrubbed... Type: text/enriched, Size: 2127 bytes

From estern at opennetwork.com Tue Aug 8 12:23:34 2000
From: estern at opennetwork.com (Elliott Stern)
Date: Tue, 08 Aug 2000 13:23:34 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
References: <013601c0014e$ada40ba0$280111ac@amadorinc.com>
Message-ID: <39904216.918AB5B7@opennetwork.com>

Maybe someone here can give me a hand with this. After setting up and testing PoPToP on a new computer, I decided to make an ipchains firewall to protect the box. Well, now my system has no networking capabilities. I have reset my computer and run 'ipchains -L' to verify that all rules are clear and that the default policy for all chains is ACCEPT, but I still can't get my networking to work (including the loopback interface). When I bring up the loopback interface, I get a message: "SIOCADDRT: Network is unreachable". I have even tried shutting down and unplugging the power for 15-20 seconds to clear the cache, but that isn't helping. Anyone have any ideas?

-Elliott
--
*************************
Elliott Stern
OpenNetwork Technologies
Network Intern
727-561-9500 ext 270
estern at opennetwork.com
*************************

From klussier at mclinux.com Tue Aug 8 13:01:23 2000
From: klussier at mclinux.com (Kenneth E. Lussier)
Date: Tue, 08 Aug 2000 14:01:23 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
References: <013601c0014e$ada40ba0$280111ac@amadorinc.com> <39904216.918AB5B7@opennetwork.com>
Message-ID: <39904AF3.CD5586EF@mclinux.com>

I'd have to see the rules that you are using in order to make a real assessment. However, what it sounds like is a malformation of rules. I put a copy of my ipchains rules at the bottom. In any event, you shouldn't need to reboot the server to clear the rules. Just run ipchains -F input; ipchains -F output; ipchains -F forward; ipchains -P ACCEPT.

Kenny

Elliott Stern wrote:
>
> Maybe someone here can give me a hand with this. After setting up and
> testing PoPToP on a new computer, I decided to make an ipchains firewall
> to protect the box. Well, now my system has no networking
> capabilities. I have reset my computer and run 'ipchains -L' to verify
> that all rules are clear and that the default policy for all chains is
> ACCEPT, but I still can't get my networking to work (including the
> loopback interface). When I bring up the loopback interface, I get a
> message: "SIOCADDRT: Network is unreachable". I have even tried
> shutting down and unplugging the power for 15-20 seconds to clear the
> cache, but that isn't helping. Anyone have any ideas?
>
> -Elliott

    #!/bin/bash
    ipchains -F
    ipchains -F input
    ipchains -F output
    ipchains -F forward
    # -i takes an interface name, not an address: "lo", not 127.0.0.1
    # (with "-i 127.0.0.1" the rule never matched and loopback traffic
    # fell through to the final DENY policy)
    ipchains -A input -i lo -j ACCEPT
    ipchains -A input -i eth0 -j ACCEPT
    ipchains -M -S 36000 0 0

    #PPTP Rules
    ipchains -A input -i eth1 -p 47 -d external.ipaddress.here -j ACCEPT
    ipchains -A input -i eth1 -p tcp -d external.ipaddress.here 1723 -j ACCEPT
    ipchains -A input -i ppp+ -j ACCEPT
    ipchains -A forward -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT

    #SSH Rules
    ipchains -A input -i eth1 -p tcp \
        -s 0/0 1024:65535 \
        -d external.ipaddress.here/32 22 -j ACCEPT
    ipchains -A output -i eth1 -p tcp ! -y \
        -s external.ipaddress.here/32 22 \
        -d 0/0 1024:65535 -j ACCEPT
    ipchains -A input -i eth1 -p tcp \
        -s 0/0 512:1023 \
        -d external.ipaddress.here/32 22 -j ACCEPT
    ipchains -A output -i eth1 -p tcp ! -y \
        -s external.ipaddress.here/32 22 \
        -d 0/0 512:1023 -j ACCEPT
    ipchains -A input -i eth1 -p tcp \
        -s 0/0 0:1023 \
        -d external.ipaddress.here/32 22 -j ACCEPT
    ipchains -A output -i eth1 -p tcp ! -y \
        -s external.ipaddress.here/32 22 \
        -d 0/0 512:1023 -j ACCEPT
    ipchains -A input -i eth0 -p tcp \
        -s 0/0 1024:65535 \
        -d 10.100.0.2/32 22 -j ACCEPT
    ipchains -A output -i eth0 -p tcp ! -y \
        -s 10.100.0.2/32 22 \
        -d 0/0 1024:65535 -j ACCEPT
    ipchains -A input -i eth0 -p tcp \
        -s 0/0 512:1023 \
        -d 10.100.0.2/32 22 -j ACCEPT
    ipchains -A output -i eth0 -p tcp ! -y \
        -s 10.100.0.2/32 22 \
        -d 0/0 512:1023 -j ACCEPT
    ipchains -A input -i eth0 -p tcp \
        -s 0/0 0:1023 \
        -d 10.100.0.2/32 22 -j ACCEPT
    ipchains -A output -i eth0 -p tcp ! -y \
        -s 10.100.0.2/32 22 \
        -d 0/0 512:1023 -j ACCEPT

    #IPSec rules (IKE on UDP 500, ESP = protocol 50, AH = protocol 51)
    ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
    ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
    ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
    ipchains -A input -b -s 10.0.0.0/8 -j ACCEPT
    ipchains -A forward -b -s 10.0.0.0/8 -j ACCEPT

    #DENY and LOG everything else!!
    ipchains -A input -i eth0 -p all -j DENY -l
    ipchains -A input -i eth1 -p all -j DENY -l
    ipchains -P input DENY

--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************

From estern at opennetwork.com Tue Aug 8 13:12:14 2000
From: estern at opennetwork.com (Elliott Stern)
Date: Tue, 08 Aug 2000 14:12:14 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
Message-ID: <39904D7E.A979BB99@opennetwork.com>

I just booted and did not start networking as the system loaded. After
logging in, I applied your chain rules from the prompt. Then I brought
up the lo interface ( 'ifup lo' ) and I got that "SIOCADDRT: Network is
unreachable" message again. I have checked the chains using 'ipchains
-L' and they are correct. Any other ideas? I appreciate the help.

-Elliott
From: walterm at Gliatech.com (Michael Walter)
Date: Tue, 8 Aug 2000 14:22:18 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
Message-ID:

Rebooting the computer should reset any ipchains rules and default
policies, so if ipchains is the root of your problem, and you reboot and
still have the problem, then something is running ipchains when you
reboot. Further, whatever is running ipchains is doing so prior to the
network section of the boot. If you boot into text mode, check in
/etc/rc.d/rc3.d and make sure none of the scripts with an S## number
earlier than the S##network script run ipchains rules. Do the same if you
boot into graphical mode, but look at /etc/rc.d/rc5.d instead. If you
don't see anything there, are you using the ipchains that was included or
did you download an rpm? If the latter is the case, try rpm -e ipchains
(THIS WILL UN-INSTALL IPCHAINS) and see if the problem persists; you may
have gotten a version incompatible with your kernel.

Thanks,

Michael J. Walter
mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com
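Michael's rc-directory check, scripted, as an added example that is not from the thread: it finds the S##network script in a runlevel directory, then lists every S-script with a lower sequence number whose contents mention ipchains. The directory built by make_demo_rcdir is constructed so the script runs anywhere; on a real box you would pass /etc/rc.d/rc3.d or /etc/rc.d/rc5.d instead.

```shell
#!/bin/sh
# Added example, not from the thread: list the init scripts in an rc
# directory that run before S##network and invoke ipchains. The directory
# built by make_demo_rcdir is constructed so the script runs anywhere; on a
# real box pass the rc directory itself (e.g. /etc/rc.d/rc3.d).

# early_ipchains_scripts RCDIR: print the names of S-scripts whose sequence
# number is lower than the network script's and whose contents mention
# ipchains. Returns 1 when RCDIR has no S##network script at all.
early_ipchains_scripts() {
    rcdir=$1
    netscript=$(ls "$rcdir" | grep -E '^S[0-9][0-9]network$' | head -n 1)
    [ -n "$netscript" ] || return 1
    netnum=$(printf '%s' "$netscript" | cut -c2-3)
    for s in "$rcdir"/S[0-9][0-9]*; do
        [ -e "$s" ] || continue        # glob stays literal when nothing matches
        name=${s##*/}
        num=$(printf '%s' "$name" | cut -c2-3)
        # Strip one leading zero before the numeric compare ("08" -> 8).
        if [ "${num#0}" -lt "${netnum#0}" ] && grep -q ipchains "$s" 2>/dev/null; then
            echo "$name"
        fi
    done
    return 0
}

# Constructed rc directory: a firewall script sequenced before network (the
# culprit), an unrelated early script, the network script, and a firewall
# script that correctly runs after it.
make_demo_rcdir() {
    mkdir -p "$1"
    printf '#!/bin/sh\nipchains -P input DENY\n'            > "$1/S05firewall"
    printf '#!/bin/sh\necho probing hardware\n'             > "$1/S08kudzu"
    printf '#!/bin/sh\necho bringing up interfaces\n'       > "$1/S10network"
    printf '#!/bin/sh\nipchains -A input -i lo -j ACCEPT\n' > "$1/S85ipchains"
}

# Demo: reports only S05firewall.
demo=${TMPDIR:-/tmp}/rc3.d-demo.$$
make_demo_rcdir "$demo"
early_ipchains_scripts "$demo"
rm -rf "$demo"
```

Because rc entries are normally symlinks into init.d, grep follows them to the real script, so the check works on an actual runlevel directory as well as on the constructed one.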
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From: klussier at mclinux.com (Kenneth E. Lussier)
Date: Tue, 08 Aug 2000 14:38:50 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
References: <39904D7E.A979BB99@opennetwork.com>
Message-ID: <399053BA.CBEAE4F1@mclinux.com>

I'm hoping that you modified my rule set to reflect your environment.
This looks like it could be a routing issue. If the loopback route gets
blocked, it will shut itself down. Can you get any interfaces up? If you
can, what does the output of ifconfig and route -n look like?

Kenny
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************
From: estern at opennetwork.com (Elliott Stern)
Date: Tue, 08 Aug 2000 14:41:30 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
References: <39904D7E.A979BB99@opennetwork.com> <399053BA.CBEAE4F1@mclinux.com>
Message-ID: <3990545A.3E501419@opennetwork.com>

I did modify the rules for my environment :-) I can get lo up, kind of.
I am able to ping it if I explicitly make input and output rules to
allow it. I cannot get the other interfaces up however. I think I am
going to wipe the system :-( I just tried to run the 6.2 update, but I
still don't have network connectivity. I am about to wipe the system and
start from scratch... which is too bad because it WAS running so well.

I didn't mention it before, but I also tried 'rpm -e ipchains' and
rebooting. But even without ipchains, I still couldn't access the
loopback (and then I couldn't add rules to allow loopback). Something
got hosed. Oh well. Thanks for your help.

-Elliott

--
*************************
Elliott Stern
OpenNetwork Technologies
Network Intern
727-561-9500 ext 270
estern at opennetwork.com
*************************
From: walterm at Gliatech.com (Michael Walter)
Date: Tue, 8 Aug 2000 15:22:26 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
Message-ID:

If you have already removed ipchains, and the interfaces are still
denied, have you checked your /etc/hosts.deny to make sure you are not
denying your local interface?

Have you made any changes in /sbin/ifup?

If you run "ifup lo" does it report any errors? How about "ifup eth0"?

Have you installed any dhcp or bootp packages aside from those stock in
the kernel?

Have you recompiled your kernel or changed any of your kernel modules?
(It's a long shot, but try a depmod -a.)

It's been a long day and that's all I can think of at the moment,

Michael J. Walter
mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com
From: estern at opennetwork.com (Elliott Stern)
Date: Tue, 08 Aug 2000 15:28:39 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
References:
Message-ID: <39905F67.1B8A4D70@opennetwork.com>

Michael Walter wrote:
>
> If you have already removed ipchains, and the interfaces are still denied,
> have you checked your /etc/hosts.deny to make sure you are not denying your
> local interface?

Checked it

> Have you made any changes in /sbin/ifup ?

Nope

> If you run "ifup lo" does it report any errors?

Yes, "SIOCADDRT: Network is unreachable"

> How about "ifup eth0"?

No errors, but no responsiveness

> Have you installed any dhcp or bootp packages aside from those stock in the
> kernel?

Nope

> Have you recompiled your kernel or changed any of your kernel modules? (It's a
> long shot, but try a depmod -a.)

Not since it last worked, but I did try 'depmod -a' anyway.

> It's been a long day and that's all I can think of at the moment,

Thanks
-Elliott
From: Josh at pollstar.com (Josh Massie) Date: Tue, 08 Aug 2000 12:36:26 -0700 Subject: [pptp-server] ipchains killed my networking?!?! Message-ID: What kernel version are you running? Did you recompile when you loaded IPChains? Do your NIC drivers (and lo) load as modules, and if so can you verify the modules loaded? What does ifconfig say? I've found that one of my RH boxes requires explicitly downing and re-upping the network interfaces after a reboot (but only occasionally, argh!). Try reconfiging and recompiling the latest kernel. I often beat myself about the head and neck because I missed something important in the kernel config (or in my haste to bail all the extra garbage RH puts in, I dump something I want later, like IP support :-) ). Don't dump the system yet. There's still hope. josh massie extranet administrator pollstar.com email: josh at pollstar.com phone: (559) 271-7977 x 4477 fax: (559) 271-7979 http://www.pollstar.com >>> Elliott Stern 08/08/00 10:23AM >>> Maybe someone here can give me a hand with this. After setting up and testing PoPToP on a new computer, I decided to make a ipchains firewall to protect the box. Well, now my system has no networking capabilities. I have reset my computer and run 'ipchains -L' to verify that all rules are clear and that the default policy for all chains is ACCEPT, but I still can't get my networking to work (including the loopback interface). When I bring up the loopback interface, I get a message: "SIOCADDRT: Network is unreachable". I have even tried shutting down and unplugging the power for 15-20 seconds to clear the cache, but that isn't helping. Anyone have any ideas? 
-Elliott
--
*************************
Elliott Stern
OpenNetwork Technologies
Network Intern
727-561-9500 ext 270
estern at opennetwork.com
*************************

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From walterm at Gliatech.com Tue Aug 8 14:50:27 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Tue, 8 Aug 2000 15:50:27 -0400
Subject: [pptp-server] ipchains killed my networking?!?!
Message-ID:

What does your /etc/sysconfig/network-scripts/ifcfg-lo file look like? It should look like this:

DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes

And, what does netstat -nr look like? It should at least have this line:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo

Thanks,
Michael J. Walter
mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Kenneth E. Lussier [mailto:klussier at mclinux.com]
Sent: Tuesday, August 08, 2000 2:01 PM
To: Elliott Stern
Cc: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] ipchains killed my networking?!?!

I'd have to see the rules that you are using in order to make a real assessment. However, what it sounds like is a malformation of rules. I put a copy of my ipchains rules at the bottom. In any event, you shouldn't need to reboot the server to clear the rules. Just run ipchains -F input; ipchains -F output; ipchains -F forward; ipchains -P ACCEPT.

Kenny

Elliott Stern wrote:
>
> Maybe someone here can give me a hand with this. After setting up and
> testing PoPToP on a new computer, I decided to make an ipchains firewall
> to protect the box. Well, now my system has no networking
> capabilities. I have reset my computer and run 'ipchains -L' to verify
> that all rules are clear and that the default policy for all chains is
> ACCEPT, but I still can't get my networking to work (including the
> loopback interface). When I bring up the loopback interface, I get a
> message: "SIOCADDRT: Network is unreachable". I have even tried
> shutting down and unplugging the power for 15-20 seconds to clear the
> cache, but that isn't helping. Anyone have any ideas?
>
> -Elliott

#!/bin/bash
ipchains -F
ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -A input -i lo -j ACCEPT        # loopback (ipchains -i takes an interface name)
ipchains -A input -i eth0 -j ACCEPT
ipchains -M -S 36000 0 0

#PPTP Rules
ipchains -A input -i eth1 -p 47 -d external.ipaddress.here -j ACCEPT
ipchains -A input -i eth1 -p tcp -d external.ipaddress.here 1723 -j ACCEPT
ipchains -A input -i ppp+ -j ACCEPT
ipchains -A forward -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT

#SSH Rules
ipchains -A input -i eth1 -p tcp \
    -s 0/0 1024:65535 \
    -d external.ipaddress.here/32 22 -j ACCEPT
ipchains -A output -i eth1 -p tcp ! -y \
    -s external.ipaddress.here/32 22 \
    -d 0/0 1024:65535 -j ACCEPT
ipchains -A input -i eth1 -p tcp \
    -s 0/0 512:1023 \
    -d external.ipaddress.here/32 22 -j ACCEPT
ipchains -A output -i eth1 -p tcp ! -y \
    -s 208.51.139.30/32 22 \
    -d 0/0 512:1023 -j ACCEPT
ipchains -A input -i eth1 -p tcp \
    -s 0/0 0:1023 \
    -d external.ipaddress.here/32 22 -j ACCEPT
ipchains -A output -i eth1 -p tcp ! -y \
    -s external.ipaddress.here/32 22 \
    -d 0/0 512:1023 -j ACCEPT
ipchains -A input -i eth0 -p tcp \
    -s 0/0 1024:65535 \
    -d 10.100.0.2/32 22 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y \
    -s 10.100.0.2/32 22 \
    -d 0/0 1024:65535 -j ACCEPT
ipchains -A input -i eth0 -p tcp \
    -s 0/0 512:1023 \
    -d 10.100.0.2/32 22 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y \
    -s 10.100.0.2/32 22 \
    -d 0/0 512:1023 -j ACCEPT
ipchains -A input -i eth0 -p tcp \
    -s 0/0 0:1023 \
    -d 10.100.0.2/32 22 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y \
    -s 10.100.0.2/32 22 \
    -d 0/0 512:1023 -j ACCEPT

#IPSec rules
ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -b -s 10.0.0.0/8 -j ACCEPT
ipchains -A forward -b -s 10.0.0.0/8 -j ACCEPT

#DENY and LOG everything else!!
ipchains -A input -i eth0 -p all -j DENY -l
ipchains -A input -i eth1 -p all -j DENY -l
ipchains -P input DENY

--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************

From 320016180181-0001 at t-online.de Tue Aug 8 17:34:23 2000
From: 320016180181-0001 at t-online.de (Volker Hett)
Date: Tue, 8 Aug 2000 22:34:23 -0000
Subject: [pptp-server] ipchains killed my networking?!?!
Message-ID: <003a01c00188$cd2c81c0$9fd7fea9@volker>

Hmm, did you use something like Seawall? Possibly the setup script disabled routing and/or IP forwarding. Although this shouldn't relate to the local subnet, but you never know!

Regards
Volker

P.S.: come to think of it, have you tried tcpdump?

From teastep at evergo.net Tue Aug 8 21:27:32 2000
From: teastep at evergo.net (Tom Eastep)
Date: Tue, 8 Aug 2000 19:27:32 -0700 (PDT)
Subject: [pptp-server] VPN Masquerading Woes
In-Reply-To:
Message-ID:

Thus spoke Michael Walter:

> Thanks for the advice so far, but I am still having a lot of problems with
> this. I have read through the last 6 months of postings on this group as
> well as the vpn masq howto and everything I could find through web searches
> on the subject and I am still at square 1, just slightly more frustrated.
> These are the tools I am using:
>
> kernel-2.2.16-12.i386.rpm from the rawhide section of ftp.redhat.com (This
> comes with the vpn masq patch built in)
> also tried kernel-2.2.16 from www.kernel.org with
> ip_masq_vpn-2.2.15.patch.gz applied successfully.
> ipfwd-1.0.0-1.i386.rpm
> ipmasqadm-0.4.2-3.i386.rpm
>
> Here is my test configuration:
>
>      =======================
>      |    Win2000 client   |
>      |   192.168.0.10/24   |
>      =======================
>                 |
>      =======================
>      |   192.168.0.1/24    |
>      | Linux Masq/Firewall |
>      |   192.0.0.200/24    |
>      =======================
>                 |
>      =======================
>      |      192.0.0.1      |
>      |      Linux VPN      |
>      |      10.0.0.15      |
>      =======================
>
> I have the ip_masq_pptp.o module installed on the linux Masq/Firewall box,
> do I also need it on the Linux VPN? This is what my boot script looks like
> on the Linux Masq/Firewall:
>
> ipchains -F
> ipmasqadm portfw -f
> echo 1 > /proc/sys/net/ipv4/ip_forward
> insmod ip_masq_pptp
> insmod ip_masq_ftp
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT
> ipchains -P forward REJECT
> ipchains -A forward -s 192.168.0.0/24 -j MASQ

If you are masquerading the server, the above rule is ass-backwards. It should be:

ipchains -A forward -s 192.0.0.0/24 -j MASQ

> ipmasqadm portfw -a -P tcp -L 192.168.0.1 1723 -R 192.0.0.1 1723
> ipmasqadm portfw -a -P udp -L 192.168.0.1 1723 -R 192.0.0.1 1723

The second rule above is harmless but unnecessary.

> ipfwd 192.168.0.10 47 &

Again, you have everything backward -- the address passed to ipfwd should be that of the server.

>
> I have no problem connecting to the vpn server, but it basically never
> manages to authenticate the client. As a test too, I set all the addresses
> involved to non-private addresses, set the default gateway on the Vpn Server
> to the linux masq firewall, and enabled port forwarding without any masq-ing
> and things worked great. As soon as I masq the private addresses though,
> everything stops working. Is there some hidden issue involved in the use of
> private addresses that I haven't found? Has anyone gotten a configuration
> like this working,

Yes...

> am I overlooking something simple? Do I need to make any
> changes on the VPN Server itself?
>

Make the changes that I suggested above -- they should make a world of difference...

-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924             \ "Any sane computer will tell you how it
teastep at evergo.net     \ works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________

From teastep at evergo.net Tue Aug 8 21:28:25 2000
From: teastep at evergo.net (Tom Eastep)
Date: Tue, 8 Aug 2000 19:28:25 -0700 (PDT)
Subject: [pptp-server] ipchains killed my networking?!?!
In-Reply-To: <39904216.918AB5B7@opennetwork.com>
Message-ID:

Thus spoke Elliott Stern:

> Maybe someone here can give me a hand with this. After setting up and
> testing PoPToP on a new computer, I decided to make an ipchains firewall
> to protect the box. Well, now my system has no networking
> capabilities. I have reset my computer and run 'ipchains -L' to verify
> that all rules are clear and that the default policy for all chains is
> ACCEPT, but I still can't get my networking to work (including the
> loopback interface). When I bring up the loopback interface, I get a
> message: "SIOCADDRT: Network is unreachable". I have even tried
> shutting down and unplugging the power for 15-20 seconds to clear the
> cache, but that isn't helping. Anyone have any ideas?
>

Not if you don't post the output from "ipchains -L -n -v" and "ifconfig"...

-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924             \ "Any sane computer will tell you how it
teastep at evergo.net     \ works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________

From mb at blumenstrasse.vol.at Wed Aug 9 03:09:53 2000
From: mb at blumenstrasse.vol.at (Matthias Brunner)
Date: Wed, 09 Aug 2000 10:09:53 +0200
Subject: [pptp-server] Off-topic: PPTP client on OpenBSD?
Message-ID: <399111D1.8CE4728F@blumenstrasse.vol.at>

Hello!

First of all: I'm sorry for beginning mailing to this list with an off-topic mail, but I couldn't help it :-)

Does anyone know of any efforts being made on porting the Linux pptp-client to OpenBSD? Or has anyone already succeeded in doing this?

Best regards!
--
Matthias Brunner
PGP FP 7862 32B3 3B75 292A F76F 5042 8587 21AB 5B89 D501
Check out http://blumenstrasse.vol.at/~mb/gpgkey.asc

From Gareth_Marlow at scientia.com Wed Aug 9 03:34:57 2000
From: Gareth_Marlow at scientia.com (Gareth Marlow)
Date: Wed, 9 Aug 2000 09:34:57 +0100
Subject: [pptp-server] PPTP linux client with PoPToP
In-Reply-To: <398FB01D.A5B34149@netman.dk>; from aaa@netman.dk on Tue, Aug 08, 2000 at 09:00:45AM +0200
References: <20000807120011.A31599@canna.scientia.com> <398FB01D.A5B34149@netman.dk>
Message-ID: <20000809093457.B6741@canna.scientia.com>

On Tue, Aug 08, 2000 at 09:00:45AM +0200, Alaa Alamood wrote:
>
> 1- get a copy of linux pptp client

Done.

> 2- install ppp with mschap 128 bit supported

Done.

> 3- Client configuration

Done

> - Manual connection (just for test reasons)
> - pptp PPTP_SERVER_IP_ADDRESS name YOUR_USER_NAME remotename
> PPTP_SERVER_NAME
> - route add -host PPTP_SERVER_IP_ADDRESS gw
> YOUR_GATEWAY_IP_ADDRESS

Done

> - check your connection is made
> ps -ef |grep pptp

I get the 3 processes: the call manager, the GRE gateway and the ppp1 process which is invoked.

I get a successful connect message in /var/log/messages showing that the correct IP addresses have been allocated and MPPE 128 bit compression is being used.

It all looks fine.

BUT when I try to ping, traceroute or telnet to anything through the link I'm unsuccessful.

The proxyarp stuff is working at the server end for 95/98/2000 clients so I don't think that's the problem. I can tear down the link and connect with 98 with the same username and password no problem.

One thing I did notice is that when I bring down this PPTP connection, there is a very large number of bytes logged as transferred on the client side - 10MB in a couple of minutes (this is obviously an error as the modem cannot sustain that transfer rate).

I even tried rolling back to ppp-2.3.8 on the client to see if that would help but it hasn't.

I'm on the verge of giving up on pptp for linux-linux VPN unless someone can help me :(

Gareth

From stephan.fehrenbach at modulo3.de Wed Aug 9 03:51:11 2000
From: stephan.fehrenbach at modulo3.de (Stephan Fehrenbach)
Date: Wed, 9 Aug 2000 10:51:11 +0200
Subject: [pptp-server] How to setup a Win NT4 VPN client?
In-Reply-To: <399111D1.8CE4728F@blumenstrasse.vol.at>
Message-ID: <000401c001de$f827cfa0$6500a8c0@fehrenbach.modulo3.de>

Hello,

I am trying to set up a Windows NT4 VPN client. I have installed the Point to Point Tunneling Protocol. My manual says I should create a new dial-up phonebook entry and should select the VPN Adapter as device. But I don't have a VPN Adapter, just the Network Adapter and an ISDN Adapter.

How can I create a VPN Adapter?

I want to connect to my poptop vpn-server as a first test via LAN.

Does anybody know how to do this?

Stephan Fehrenbach
--
modulo3 gmbh               fon     0211 - 876720-00
Stephan Fehrenbach         fax     0211 - 876720-27
Karl-Rudolf-Straße 172     e-mail  stephan.fehrenbach at modulo3.de
D-40215 Düsseldorf         web     http://www.modulo3.de

From aaa at netman.dk Wed Aug 9 04:07:03 2000
From: aaa at netman.dk (Alaa Alamood)
Date: Wed, 09 Aug 2000 11:07:03 +0200
Subject: [pptp-server] How to setup a Win NT4 VPN client?
References: <000401c001de$f827cfa0$6500a8c0@fehrenbach.modulo3.de>
Message-ID: <39911F37.427F99CD@netman.dk>

Hi

I hope this manual helps you.

Windows NT workstation

1- Start
2- Settings
3- Control Panel
4- Network
   - Protocols
   - Add
   - Double click on the Point to Point Tunneling Protocol (PPTP)
   - Insert the Windows NT cdrom and click OK
   - Select number of VPNs: 1
   - Click OK for Remote Access Services (will now be installed)
   - On the RAS Device window, say OK VPN-RASPPTPM
   - On the Remote Access Setup window, click Continue
   - Reboot the machine

When the machine is started

5- Start
6- Programs
7- Accessories
8- Dialup Networking
   - Choose Denmark as Country
   - Close
9- On the New phonebook entry wizard window, type the name of the new phonebook, e.g. MY_VPN -> Next
   - On the server window choose the last check box (The non Windows NT server .....) -> Next
   - On the phone number window type the VPN server name (snow.netman.dk) or the IP address of the server (VPN_Server_IPAddress) -> Next
   - For IP address click Next (without changing anything)
   - For Name Server addresses click Next (without changing anything)
   - Finish
10- On the Dialup Networking window
   - More
   - Edit Entry and modem
   - Properties
   - Click on TCP/IP Settings
   - Turn off use IP header compression
   - Turn off use default gw on remote network
11- After you have dialed up to your ISP, dial up again to the VPN (PPTP) server

regards
Alaa

Stephan Fehrenbach wrote:
> Hello,
>
> I am trying to set up a Windows NT4 VPN client.
> I have installed the Point to Point Tunneling Protocol.
> My manual says I should create a new dial-up phonebook entry and should
> select the VPN Adapter as device.
> But I don't have a VPN Adapter, just the Network Adapter and an ISDN Adapter.
>
> How can I create a VPN Adapter?
>
> I want to connect to my poptop vpn-server as a first test via LAN.
>
> Does anybody know how to do this?
>
> Stephan Fehrenbach
> --
> modulo3 gmbh               fon     0211 - 876720-00
> Stephan Fehrenbach         fax     0211 - 876720-27
> Karl-Rudolf-Straße 172     e-mail  stephan.fehrenbach at modulo3.de
> D-40215 Düsseldorf         web     http://www.modulo3.de

From aaa at netman.dk Wed Aug 9 04:14:47 2000
From: aaa at netman.dk (Alaa Alamood)
Date: Wed, 09 Aug 2000 11:14:47 +0200
Subject: [pptp-server] PPTP linux client with PoPToP
References: <20000807120011.A31599@canna.scientia.com> <398FB01D.A5B34149@netman.dk> <20000809093457.B6741@canna.scientia.com>
Message-ID: <39912107.33BAA5D5@netman.dk>

Can you give me the log errors and the debug results?

regards
Alaa

Gareth Marlow wrote:
> On Tue, Aug 08, 2000 at 09:00:45AM +0200, Alaa Alamood wrote:
> >
> > 1- get a copy of linux pptp client
>
> Done.
>
> > 2- install ppp with mschap 128 bit supported
>
> Done.
>
> > 3- Client configuration
>
> Done
>
> > - Manual connection (just for test reasons)
> > - pptp PPTP_SERVER_IP_ADDRESS name YOUR_USER_NAME remotename
> > PPTP_SERVER_NAME
> > - route add -host PPTP_SERVER_IP_ADDRESS gw
> > YOUR_GATEWAY_IP_ADDRESS
>
> Done
>
> > - check your connection is made
> > ps -ef |grep pptp
>
> I get the 3 processes: the call manager, the GRE gateway and the ppp1
> process which is invoked.
>
> I get a successful connect message in /var/log/messages showing that the
> correct IP addresses have been allocated and MPPE 128 bit compression is
> being used.
>
> It all looks fine.
>
> BUT when I try to ping, traceroute or telnet to anything through the link
> I'm unsuccessful.
>
> The proxyarp stuff is working at the server end for 95/98/2000 clients so
> I don't think that's the problem. I can tear down the link and connect
> with 98 with the same username and password no problem.
>
> One thing I did notice is that when I bring down this PPTP connection,
> there is a very large number of bytes logged as transferred on the client
> side - 10MB in a couple of minutes (this is obviously an error as the
> modem cannot sustain that transfer rate).
>
> I even tried rolling back to ppp-2.3.8 on the client to see if that would
> help but it hasn't.
>
> I'm on the verge of giving up on pptp for linux-linux VPN unless someone
> can help me :(
>
> Gareth

From klussier at mclinux.com Wed Aug 9 07:04:13 2000
From: klussier at mclinux.com (Kenneth E. Lussier)
Date: Wed, 09 Aug 2000 08:04:13 -0400
Subject: [pptp-server] PPTP linux client with PoPToP
References: <20000807120011.A31599@canna.scientia.com> <398FB01D.A5B34149@netman.dk> <20000809093457.B6741@canna.scientia.com>
Message-ID: <399148BD.4199492C@mclinux.com>

Gareth,

Can you give me more info off of the list? What I would like to see is the *EXACT* commands that you are using for the route add. The route command below looks a little incorrect. I use a net route rather than a host route (as below), and the Linux client works fine for me.

ex: route add -net 10.0.0.0 (my subnet at work) gw 10.100.0.2 (internal interface of my pptp server) netmask 255.0.0.0 (anything going to 10.x.x.x) dev ppp0 (or ppp1, ppp2, whatever the pptp device is).

Kenny
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************

Gareth Marlow wrote:
>
> On Tue, Aug 08, 2000 at 09:00:45AM +0200, Alaa Alamood wrote:
> >
> > 1- get a copy of linux pptp client
>
> Done.
>
> > 2- install ppp with mschap 128 bit supported
>
> Done.
>
> > 3- Client configuration
>
> Done
>
> > - Manual connection (just for test reasons)
> > - pptp PPTP_SERVER_IP_ADDRESS name YOUR_USER_NAME remotename
> > PPTP_SERVER_NAME
> > - route add -host PPTP_SERVER_IP_ADDRESS gw
> > YOUR_GATEWAY_IP_ADDRESS
>
> Done
>
> > - check your connection is made
> > ps -ef |grep pptp
>
> I get the 3 processes: the call manager, the GRE gateway and the ppp1
> process which is invoked.
>
> I get a successful connect message in /var/log/messages showing that the
> correct IP addresses have been allocated and MPPE 128 bit compression is
> being used.
>
> It all looks fine.
>
> BUT when I try to ping, traceroute or telnet to anything through the link
> I'm unsuccessful.
>
> The proxyarp stuff is working at the server end for 95/98/2000 clients so
> I don't think that's the problem. I can tear down the link and connect
> with 98 with the same username and password no problem.
>
> One thing I did notice is that when I bring down this PPTP connection,
> there is a very large number of bytes logged as transferred on the client
> side - 10MB in a couple of minutes (this is obviously an error as the
> modem cannot sustain that transfer rate).
>
> I even tried rolling back to ppp-2.3.8 on the client to see if that would
> help but it hasn't.
>
> I'm on the verge of giving up on pptp for linux-linux VPN unless someone
> can help me :(
>
> Gareth

From hh at loca.net Wed Aug 9 10:29:18 2000
From: hh at loca.net (Henning Holtschneider)
Date: Wed, 9 Aug 2000 17:29:18 +0200 (CEST)
Subject: [pptp-server] Cannot reach remote network. Kernel problem?
Message-ID:

Hi,

I've got a problem connecting to a remote network via a PoPToP 1.0.0 server. The server is running Linux 2.0.36. The PPTP (VPN) connection from my Windows 98 client works well and I can ping the internal IP address of the PPTP gateway server. However, I cannot reach anything beyond that server. I get the following syslog messages:

Aug 9 15:23:45 gatekeeper pptpd[5144]: CTRL: Client x.x.x.x control connection started
Aug 9 15:23:47 gatekeeper pptpd[5144]: CTRL: Starting call (launching pppd, opening GRE)
Aug 9 15:23:47 gatekeeper pptpd[5144]: CTRL: Allocating pty/tty pair
Aug 9 15:23:47 gatekeeper pptpd[5144]: CTRL: Allocated pty/tty pair (/dev/ptyp0,/dev/ttyp0)
Aug 9 15:23:47 gatekeeper modprobe: can't locate module char-major-108
Aug 9 15:23:47 gatekeeper pppd[5145]: pppd 2.3.10 started by , uid 0
Aug 9 15:23:47 gatekeeper pptpd[5144]: GRE: Discarding duplicate packet
Aug 9 15:23:47 gatekeeper pppd[5145]: Using interface ppp0
Aug 9 15:23:47 gatekeeper pppd[5145]: Connect: ppp0 <--> /dev/ttyp0
Aug 9 15:23:49 gatekeeper pptpd[5144]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 9 15:23:49 gatekeeper pppd[5145]: CHAP peer authentication succeeded for xxx
Aug 9 15:23:49 gatekeeper pppd[5145]: found interface eth1 for proxy arp
Aug 9 15:23:49 gatekeeper pppd[5145]: local IP address 192.1.1.8
Aug 9 15:23:49 gatekeeper pppd[5145]: remote IP address 192.1.1.203
[...]
Aug 9 15:27:52 gatekeeper pptpd[5144]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 9 15:27:52 gatekeeper pppd[5145]: LCP terminated by peer (O^H1M-8^@

Hi, I just wanted to make sure of something. I read the howto/faq a few times over and I still have a question. The pptpd is always running over your ethernet connection and then someone logs into the poptop server, right? It's not that poptop is a RAS server where someone dials in, right? Sorry to ask a stupid question, but I see so many references to ppp. And why do I need to download an update for ppp if that is for RAS and dialing up?

Also, do you think poptop will later include other encryption like blowfish, ipsec, and des so it is compatible with other VPN standards?

Please email me back. Thanks
--
Jason Toy
toyboy at toy.eyep.net
http://toy.eyep.net

From nmeyers at javalinux.net Wed Aug 9 12:23:37 2000
From: nmeyers at javalinux.net (Nathan Meyers)
Date: Wed, 9 Aug 2000 10:23:37 -0700
Subject: [pptp-server] ppp or ptpp?
In-Reply-To: <39918511.751FD4FC@toy.eyep.net>; from jtoy on Wed, Aug 09, 2000 at 12:21:37PM -0400
References: <39918511.751FD4FC@toy.eyep.net>
Message-ID: <20000809102337.A5144@javalinux.net>

On Wed, Aug 09, 2000 at 12:21:37PM -0400, jtoy wrote:
> Hi, I just wanted to make sure of something. I read the howto/faq a few
> times over and I still have a question. The pptpd is always running
> over your ethernet connection and then someone logs into the poptop
> server, right? It's not that poptop is a RAS server where someone dials
> in, right? Sorry to ask a stupid question, but I see so many references
> to ppp. And why do I need to download an update for ppp if that is for
> RAS and dialing up?

PoPToP is a server specifically for the PPTP protocol, meaning it supports the Microsoft-style VPNs that are available on Win32 workstations through Microsoft's free VPN clients. If you want other VPN technologies like ipsec, there are other places to get them... there's no need for PoPToP to grow into a multi-protocol monster :-).

PPTP does its magic by wrapping PPP in another protocol, GRE - that's why you see all the references. When you've got a PPTP VPN running, your workstation is talking to the PPTP server using PPP - yes, the same protocol used for dial-up networking - but this PPP is wrapped in GRE packets instead of driving a modem. That's why you need current PPP code.

To make things even more clear (or confusing, depending on your point of view), Windows manages VPN connections just like modem connections: you use the same dialogs that you do for managing your dial-up modems. The difference is that this "modem" is a virtual modem that wraps the protocol in GRE and pushes the resulting packets out over an existing Internet connection.

Nathan Meyers
nmeyers at javalinux.net

> Also, do you think poptop will later include other encryption like
> blowfish, ipsec, and des so it is compatible with other VPN standards?
> Please email me back. Thanks
> --
> Jason Toy
> toyboy at toy.eyep.net
> http://toy.eyep.net

From cliles at gw.total-web.net Wed Aug 9 15:48:59 2000
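Nathan's description of PPP wrapped in GRE, in working form: an added example that is not from the list or from the PoPToP project. It decodes the enhanced-GRE header PPTP uses (RFC 2637, IP protocol 47), reads the PPP protocol field of the frame inside, and keeps the per-call sequence state behind a duplicate check of the kind that shows up as "GRE: Discarding duplicate packet" in Henning's log above. The packets, call IDs and PPP frames are constructed for the example.

```python
"""Added example (not from the posts): decode the GRE encapsulation PPTP uses
to carry PPP (RFC 2637 "enhanced GRE", IP protocol 47), pull out the PPP
protocol field, and keep the per-call sequence state behind a duplicate
check like the one pptpd reports as "GRE: Discarding duplicate packet".
Sample packets are constructed inline."""
import struct
from dataclasses import dataclass
from typing import Optional

PPTP_GRE_PROTO = 0x880B                 # protocol type for PPP in GRE
FLAG_KEY, FLAG_SEQ, FLAG_ACK = 0x20, 0x10, 0x80   # K, S in byte 0; A in byte 1
PPP_PROTOCOLS = {0x0021: "IPv4", 0x00FD: "compressed datagram (MPPE/CCP)",
                 0x8021: "IPCP", 0x80FD: "CCP", 0xC021: "LCP",
                 0xC023: "PAP", 0xC223: "CHAP"}


@dataclass
class PptpGre:
    call_id: int
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]
    ppp_protocol: Optional[int]
    ppp_payload: bytes


def parse_pptp_gre(packet: bytes) -> PptpGre:
    """Parse one enhanced-GRE packet (the IP payload) and the PPP frame in it."""
    if len(packet) < 8:
        raise ValueError("short GRE header")
    flags, flags_ver, proto, length, call_id = struct.unpack("!BBHHH", packet[:8])
    if proto != PPTP_GRE_PROTO or (flags_ver & 0x07) != 1 or not (flags & FLAG_KEY):
        raise ValueError("not a PPTP (enhanced GRE version 1) packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_SEQ:                # S bit: data packet, sequence number follows
        seq, off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    if flags_ver & FLAG_ACK:            # A bit: piggy-backed acknowledgment follows
        ack, off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    payload = packet[off:off + length]
    if len(payload) != length:
        raise ValueError("payload shorter than the announced length")
    ppp_proto = None
    if payload:
        if payload[:2] == b"\xff\x03":  # optional HDLC address/control bytes
            payload = payload[2:]
        if payload and payload[0] & 1:  # protocol field compression: 1-byte proto
            ppp_proto, payload = payload[0], payload[1:]
        elif len(payload) >= 2:
            ppp_proto, payload = struct.unpack("!H", payload[:2])[0], payload[2:]
    return PptpGre(call_id, length, seq, ack, ppp_proto, payload)


def describe_ppp(proto: Optional[int]) -> str:
    """Name the PPP protocol; values outside the assigned set come back 'unknown'."""
    if proto is None:
        return "none (ack-only packet)"
    return PPP_PROTOCOLS.get(proto, f"unknown (0x{proto:04x})")


class GreReceiver:
    """Per-call sequence tracking on the receiving side of the tunnel."""

    def __init__(self):
        self.last_seq = {}              # call_id -> highest sequence accepted

    def accept(self, packet: bytes):
        """Return (status, parsed); status is data, duplicate, out-of-order or ack-only."""
        g = parse_pptp_gre(packet)
        if g.seq is None:
            return "ack-only", g
        last = self.last_seq.get(g.call_id)
        if last is not None and g.seq == last:
            return "duplicate", g       # a retransmit of a frame already delivered
        if last is not None and g.seq < last:
            return "out-of-order", g
        self.last_seq[g.call_id] = g.seq
        return "data", g


def build_pptp_gre(call_id: int, seq: Optional[int], ppp_frame: bytes,
                   ack: Optional[int] = None) -> bytes:
    """Build an enhanced-GRE packet (constructed test input, not a capture)."""
    flags = FLAG_KEY | (FLAG_SEQ if seq is not None else 0)
    flags_ver = 0x01 | (FLAG_ACK if ack is not None else 0)
    hdr = struct.pack("!BBHHH", flags, flags_ver, PPTP_GRE_PROTO, len(ppp_frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


if __name__ == "__main__":
    rx = GreReceiver()
    lcp = b"\xff\x03\xc0\x21" + b"\x01\x01\x00\x04"   # constructed LCP Configure-Request
    ipv4 = b"\x21" + b"\x45\x00\x00\x14"               # constructed IPv4 with compressed proto
    for pkt in (build_pptp_gre(7, 1, lcp), build_pptp_gre(7, 1, lcp),
                build_pptp_gre(7, 2, ipv4, ack=1), build_pptp_gre(7, None, b"", ack=2)):
        status, g = rx.accept(pkt)
        print(f"call {g.call_id} seq={g.seq} ack={g.ack}: {status}, {describe_ppp(g.ppp_protocol)}")
```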
From: cliles at gw.total-web.net (Chris)
Date: Wed, 9 Aug 2000 13:48:59 -0700
Subject: [pptp-server] Error 619
Message-ID: <006c01c00243$3e56e380$0200a8c0@jojostomp.net>

I'm trying to connect to my pptp server only to get a 619 error. My setup includes a firewall with 1 registered ip and 1 private ip. I'm trying to connect to the pptp server through a masq. The firewall (the one running the pptp server) is also the masqer. I have installed all the masq patches, and in /var/messages I am told that the pptp server and client authenticate but the client then drops the connection. I am convinced that it is a firewall problem. The firewall rules I have to allow connections to the pptp server are as follows:

ipchains -A input -p tcp -d 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A inout -p 47 -d 209.XXX.XXX.XXX -j ACCEPT
ipchains -A output -p tcp -s 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A output -p 47 -j ACCEPT

The following rules are for masqing:

ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p 47 -s 192.168.0.0/24 -j MASQ

and the following rules I have no clue what they do, but I got them off a couple of howtos:

ipchains -A forward -p tcp -d 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A forward -p tcp -s 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A forward -p 47 -d 209.XXX.XXX.XXXX -j ACCEPT
ipchains -A forward -p 47 -s 209.XXX.XXX.XXX -j ACCEPT

I read all the masq woes posts in the archive, but I just can't figure out what the hell I'm doing wrong.

Thanks,
Chris Liles

From paul.boyer at paulboyerconsultants.fr Wed Aug 9 16:00:11 2000
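An added check, not code from any poster, that reads rule lists like the ones Kenny and Chris posted and reports what a PPTP server needs from them: TCP 1723 and protocol 47 accepted on each chain that is closed by a DENY/REJECT policy or catch-all, and no rule aimed at a chain ipchains does not have. The sample rules are constructed, with 192.0.2.1 standing in for the 209.XXX.XXX.XXX address.

```python
"""Added example (not from the posts): audit an ipchains rule script for the
PPTP server prerequisites this thread turns on. TCP/1723 (control channel)
and IP protocol 47 (GRE, carrying the PPP frames) must be accepted on every
chain closed by a DENY/REJECT policy or a catch-all DENY rule, and a rule
that names a chain ipchains does not have never loads at all."""
import shlex
from dataclasses import dataclass
from typing import Optional

VALID_CHAINS = {"input", "output", "forward"}
PROTO_ALIASES = {"tcp": "tcp", "6": "tcp", "udp": "udp", "17": "udp",
                 "gre": "47", "47": "47", "all": "all"}


@dataclass
class Rule:
    chain: str
    proto: str = "all"
    src: str = "0/0"
    sport: Optional[str] = None
    dst: str = "0/0"
    dport: Optional[str] = None
    target: Optional[str] = None


def parse_rule(line):
    """Parse one 'ipchains -A <chain> ...' line; anything else returns None.
    Only the options used in the posts are modelled (-p, -s/-d with optional
    port, -j); -i, "!", -y, -b, -l and unknown options are skipped."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 3 or tokens[:2] != ["ipchains", "-A"]:
        return None
    rule, i = Rule(chain=tokens[2]), 3
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-p":
            rule.proto = PROTO_ALIASES.get(tokens[i + 1].lower(), tokens[i + 1])
            i += 2
        elif opt in ("-s", "-d"):
            addr, port, i = tokens[i + 1], None, i + 2
            # an optional port or port range may follow the address
            if i < len(tokens) and not tokens[i].startswith("-") and tokens[i] != "!":
                port, i = tokens[i], i + 1
            if opt == "-s":
                rule.src, rule.sport = addr, port
            else:
                rule.dst, rule.dport = addr, port
        elif opt == "-j":
            rule.target, i = tokens[i + 1], i + 2
        else:                       # -i <iface> takes an argument; the flags do not
            i += 2 if opt == "-i" else 1
    return rule


def closed_chains(lines):
    """Chains whose policy is DENY/REJECT or that hold a catch-all DENY rule."""
    closed = set()
    for line in lines:
        t = shlex.split(line, comments=True)
        if len(t) >= 4 and t[:2] == ["ipchains", "-P"] and t[3] != "ACCEPT":
            closed.add(t[2])
        r = parse_rule(line)
        if r and r.target in ("DENY", "REJECT") and (r.src, r.dst) == ("0/0", "0/0"):
            closed.add(r.chain)
    return closed


def audit_pptp_server(script):
    """Return a list of findings for a rule script; an empty list means OK."""
    lines = script.replace("\\\n", " ").splitlines()   # join continued lines
    rules = [r for r in map(parse_rule, lines) if r]
    findings = [f"unknown chain '{r.chain}' (typo?): that rule never loads"
                for r in rules if r.chain not in VALID_CHAINS]
    accepted = [r for r in rules if r.target == "ACCEPT"]
    closed = closed_chains(lines)

    def allowed(chain, proto, attr=None, port=None):
        return any(r.chain == chain and r.proto == proto
                   and (port is None or getattr(r, attr) == port)
                   for r in accepted)

    needed = [("input", "tcp", "dport", "1723", "TCP 1723 (PPTP control)"),
              ("input", "47", None, None, "GRE (proto 47, the tunnel data)"),
              ("output", "tcp", "sport", "1723", "TCP source port 1723"),
              ("output", "47", None, None, "GRE (proto 47)")]
    for chain, proto, attr, port, what in needed:
        if chain in closed and not allowed(chain, proto, attr, port):
            findings.append(f"{chain}: {what} not accepted")
    return findings


# Constructed sample modelled on the rules in the Error 619 post; 192.0.2.1
# (RFC 5737 documentation range) stands in for the poster's 209.XXX.XXX.XXX.
SUSPECT_RULES = """\
ipchains -P input DENY
ipchains -P output DENY
ipchains -A input -p tcp -d 192.0.2.1 1723 -j ACCEPT
ipchains -A inout -p 47 -d 192.0.2.1 -j ACCEPT
ipchains -A output -p tcp -s 192.0.2.1 1723 -j ACCEPT
ipchains -A output -p 47 -j ACCEPT
"""
FIXED_RULES = SUSPECT_RULES.replace("-A inout", "-A input")
```

Running audit_pptp_server on SUSPECT_RULES reports the unknown chain and that GRE is never accepted on input; FIXED_RULES comes back clean.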
From: paul.boyer at paulboyerconsultants.fr (Paul Boyer)
Date: Wed, 09 Aug 2000 23:00:11 +0200
Subject: [pptp-server] UNSUBSCRIBE pptp-server@paulboyer.org
References: <000b01bffb5d$6f590ae0$0201a8c0@olmpi1.wa.home.com> <01a301bffbbb$42943ad0$280111ac@amadorinc.com> <3986D040.A2943F43@paulboyerconsultants.fr>
Message-ID: <3991C65B.A260254A@paulboyerconsultants.fr>

Sorry to pollute the list with such a message, but the admin is not answering my calls to unsubscribe my subscribed address. Could you please remove me from the list?

Thanks

Paul Boyer wrote:
>
> UNSUBSCRIBE pptp-server at paulboyer.org
>
> --
> end
> It's the 3rd time I ask for a remove, I'm getting a little bit
> irritated.
>
> Paul Boyer
> [...]

From xsqian at gallantry.com Wed Aug 9 18:54:56 2000
From: xsqian at gallantry.com (Xinshan Qian)
Date: Wed, 09 Aug 2000 16:54:56 -0700
Subject: [pptp-server] What encryption algrithm the PoPToP uses?
Message-ID: <3991EF4C.CCC04450@gallantry.com>

Hi, everyone,

I am a new PoPToP user. I have created the VPN connection in my system with pptpd. When my boss asked me what encryption algorithm pptpd uses, I didn't have an answer. I read the HOWTO and FAQ carefully again, but I still didn't get any clue. Do you have the answer? Thank you!

Best Regards,

Xinshan

From kenlussier at mediaone.net Wed Aug 9 19:53:22 2000
From: kenlussier at mediaone.net (Kenneth E. Lussier)
Date: Wed, 09 Aug 2000 20:53:22 -0400
Subject: [pptp-server] What encryption algrithm the PoPToP uses?
References: <3991EF4C.CCC04450@gallantry.com>
Message-ID: <3991FD02.53F42182@mediaone.net>

pptp uses the RC4 cipher

Xinshan Qian wrote:
>
> Hi, everyone,
>
> I am a new PoPToP user. I have created the VPN connection in my system
> with pptpd. When my boss asked me what encryption algorithm pptpd
> uses, I didn't have an answer. I read the HOWTO and FAQ carefully again, but I
> still didn't get any clue. Do you have the answer? Thank you!
>
> Best Regards,
>
> Xinshan

From Phong.Nguyen_Thanh at sdcgrp.com Wed Aug 9 20:50:30 2000
From: Phong.Nguyen_Thanh at sdcgrp.com (Nguyen Thanh Phong)
Date: Thu, 10 Aug 2000 08:50:30 +0700
Subject: [pptp-server] Connecting NT to Linux Poptop with MSCHAP+MPPE
References: <3919D5A0.51C8EE67@certsite.com> <391ADE38.109E4C8B@certsite.com> <002001bfbb6f$96e8daf0$0200a8c0@farslayer>
Message-ID: <048f01c0026d$60360e20$420aa8c0@sdc.com>

Hi all,

I want to set up a VPN between NT & PoPToP servers running on Linux (RH 6.1) with ms-chap & MPPE.

I downloaded Adi's RPM packages, rebuilt and installed. Everything seems fine. In my /etc/ppp/options on my linux box, I put the following:

lock
debug
+chapms
+chapms-v2
+MPPE-40
+MPPE-128
+MPPE-stateless

On the Windows NT machine, in the Security tab of the dial-up entry, I checked the box "Accept only Microsoft encrypted authentication", without checking the two boxes below it.

When I make a PPTP connection from NT to my Linux box, I get the NT machine authenticated and registered (?) to the network. On the linux box, I see the interface up. However, I cannot ping each other (errors are the 3 last lines). Could someone provide me with some help?

Many thanks.

Phong.

Aug 9 01:20:08 aurora pptpd[2843]: CTRL (PPPD Launcher): Connection speed = 115200
Aug 9 01:20:09 aurora pptpd[2843]: CTRL (PPPD Launcher): local address = 192.168.2.30
Aug 9 01:20:09 aurora pptpd[2843]: CTRL (PPPD Launcher): remote address = 192.168.2.40
Aug 9 01:20:09 aurora pppd[2843]: pppd 2.3.10 started by root, uid 0
Aug 9 01:20:09 aurora pppd[2843]: Using interface ppp0
Aug 9 01:20:09 aurora pppd[2843]: Connect: ppp0 <--> /dev/pts/1
Aug 9 01:20:09 aurora pptpd[2842]: CTRL: Received PPTP Control Message (type: 15)
Aug 9 01:20:09 aurora pptpd[2842]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 9 01:20:09 aurora pptpd[2842]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 9 01:20:10 aurora pppd[2843]: MSCHAP peer authentication succeeded for nhdung
Aug 9 01:20:10 aurora pppd[2843]: local IP address 192.168.2.30
Aug 9 01:20:10 aurora pppd[2843]: remote IP address 192.168.2.40
Aug 9 01:20:10 aurora pppd[2843]: MPPE 40 bit, stateless compression enabled
Aug 9 01:20:16 aurora pppd[2843]: Unsupported protocol (0x4d40) received
Aug 9 01:20:17 aurora pppd[2843]: Unsupported protocol (0xb511) received
Aug 9 01:20:18 aurora pppd[2843]: Unsupported protocol (0x7a40) received

From estern at opennetwork.com Wed Aug 9 20:51:42 2000
From: estern at opennetwork.com (Elliott Stern)
Date: Wed, 09 Aug 2000 21:51:42 -0400
Subject: [pptp-server] Connecting NT to Linux Poptop with MSCHAP+MPPE
Message-ID: <1c3e517a21.17a211c3e5@opennetwork.com>

I've gotten that before. I think I just re-applied the Service Pack and the errors went away.

-Elliott

----- Original Message -----
From: "Nguyen Thanh Phong"
Date: Wednesday, August 9, 2000 9:50 pm
Subject: [pptp-server] Connecting NT to Linux Poptop with MSCHAP+MPPE

> [Phong's message above, quoted in full, snipped]
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From cliles at gw.total-web.net Thu Aug 10 00:09:56 2000
From: cliles at gw.total-web.net (Chris)
Date: Wed, 9 Aug 2000 22:09:56 -0700
Subject: Fw: [pptp-server] Error 619
Message-ID: <003301c00289$3a4c54f0$0200a8c0@jojostomp.net>

----- Original Message -----
From: Chris
To: George Csahanin-LININET
Sent: Wednesday, August 09, 2000 9:54 PM
Subject: Re: [pptp-server] Error 619

It was a typo in my email. Is ppp0 your interface to the internet? Is there any other configuration for port forwarding and autoforward?

----- Original Message -----
From: George Csahanin-LININET
To: Chris
Sent: Wednesday, August 09, 2000 11:23 AM
Subject: Re: [pptp-server] Error 619

Here's my setup for the outbound masq for vpn:

ipchains -A forward -p all -s 192.168.0.0/24 -d 0.0.0.0/0 -i eth0 -j MASQ
ipchains -A forward -p tcp -d 192.168.0.0/24 1723 -i ppp0 -j ACCEPT
ipchains -A forward -p tcp -s 192.168.0.0/24 1723 -i ppp0 -j ACCEPT
ipchains -A forward -p 47 -d 192.168.0.0/24 -i ppp0 -j ACCEPT
ipchains -A forward -p 47 -s 192.168.0.0/24 -i ppp0 -j ACCEPT

And for running poptop: (currently turned off, note)

#####################################################
#START POPTOP
#####################################################
#insmod ppp_deflate
#insmod bsd_comp
#/usr/local/sbin/pptpd -d
######################
insmod ip_masq_portfw
insmod ip_masq_autofw
insmod ip_masq_ipsec
insmod ip_masq_pptp
###########################

As I recall, missing any of the above will give a 619 or 645 error...

-G

-----Original Message-----
From: Chris
To: pptp-server at lists.schulte.org
Date: Wednesday, August 09, 2000 12:54 PM
Subject: [pptp-server] Error 619

I'm trying to connect to my pptp server only to get a 619 error. My setup includes a firewall with 1 registered ip and 1 private ip. I'm trying to connect to the pptp server through a masq. The firewall (the one running the pptp server) is also the masqer. I have installed all the masq patches, and in /var/messages I am told that the pptp server and client authenticate but the client then drops the connection. I am convinced that it is a firewall problem. The firewall rules I have to allow connections to the pptp server are as follows:

ipchains -A input -p tcp -d 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A input -p 47 -d 209.XXX.XXX.XXX -j ACCEPT
ipchains -A output -p tcp -s 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A output -p 47 -j ACCEPT

The following rules are for masqing:

ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p 47 -s 192.168.0.0/24 -j MASQ

and the following rules I have no clue what they do, but I got them off a couple of howtos:

ipchains -A forward -p tcp -d 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A forward -p tcp -s 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A forward -p 47 -d 209.XXX.XXX.XXX -j ACCEPT
ipchains -A forward -p 47 -s 209.XXX.XXX.XXX -j ACCEPT

I read all the masq woes posts in the archive, but I just can't figure out what the hell I'm doing wrong.

Thanks,
Chris Liles

From cliles at gw.total-web.net Thu Aug 10 00:09:49 2000
From: cliles at gw.total-web.net (Chris)
Date: Wed, 9 Aug 2000 22:09:49 -0700
Subject: Fw: [pptp-server] Error 619
Message-ID: <002801c00289$358d9460$0200a8c0@jojostomp.net>

----- Original Message -----
From: Chris
To: George Csahanin-LININET
Sent: Wednesday, August 09, 2000 10:08 PM
Subject: Re: [pptp-server] Error 619

Well, I put all your chains in their own script and only run those chains. I still get the same error, and in my /var/log/messages I see this:

pppd 2.3.11 started by root
connect: ppp0 <--> /dev/pts/0
MSCHAP-v2 peer authentication succeeded for user
found interface eth1 for proxy arp
local ip address 192.168.0.1 (ip of server's internal nic)
remote ip address 192.168.0.232
LCP terminated by peer (.M-rFo^@

[Chris's original message to the list, quoted in full above, snipped]

Thanks,
Chris Liles

From estern at opennetwork.com Thu Aug 10 01:21:58 2000
From: estern at opennetwork.com (Elliott Stern)
Date: Thu, 10 Aug 2000 02:21:58 -0400
Subject: [pptp-server] Thanks for all the help
Message-ID: <1c9f4171c3.171c31c9f4@opennetwork.com>

Well, my summer internship has finally come to an end. I am now going to be heading back up to school (University of Illinois), but I just wanted to thank everyone who has helped me with PoPToP over the last few weeks. My first PoPToP was set up at the beginning of the summer using a bloated RedHat 6.1 install (it was the 3rd linux system I had ever set up). I just replaced that one yesterday with a new one, running RedHat 6.2 stripped down, secured, and with a strong ipchains firewall (based on a post from the list :-)

Although I just unsubscribed, I just wanted to post the final firewall rule-set that I implemented. So here it is... and thanks again.

-Elliott
ebstern at uiuc.edu (formerly estern at opennetwork.com)

---------------------------- cut here ---------------------------------
#!/bin/bash
# Elliott Stern
# August 2000
#
# lo   = loopback interface
# eth0 = dirty interface
# eth1 = clean interface
# ppp+ = any PPTP interface

###############################################################
# Initial setup
###############################################################

# Set default policies to DENY and flush all chains
ipchains -F
ipchains -X
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# Allow unlimited traffic on the loopback interface
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# Allow unlimited traffic within the internal network
ipchains -A input -i eth1 -j ACCEPT
ipchains -A output -i eth1 -j ACCEPT

# ICMP Chain
ipchains -N icmp-acc
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT

###############################################################
# PPTP Rules
###############################################################

# Allow PPTP traffic in on dirty interface
ipchains -A input -i eth0 -p tcp -d external.ip/32 1723 -j ACCEPT
ipchains -A input -i eth0 -p 47 -d external.ip/32 -j ACCEPT

# Allow PPTP traffic out on dirty interface
ipchains -A output -i eth0 -p tcp ! -y -s external.ip/32 1723 -j ACCEPT
ipchains -A output -i eth0 -p 47 -s external.ip/32 -j ACCEPT

# Allow unlimited traffic on PPTP interfaces
ipchains -A input -i ppp+ -j ACCEPT
ipchains -A output -i ppp+ -j ACCEPT

# Allow bidirectional forwarding between PPTP interfaces and clean interface
ipchains -A forward -i ppp+ -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
ipchains -A forward -i eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

###############################################################
# SSH Rules
###############################################################

# Allow unlimited connections in on dirty interface
ipchains -A input -i eth0 -p tcp -s 0/0 -d external.ip/32 22 -j ACCEPT

# Allow out only established connections on dirty interface
ipchains -A output -i eth0 -p tcp ! -y -s external.ip/32 22 -d 0/0 -j ACCEPT

# Allow unlimited connections in on clean interface
# Note: This is redundant as we have already allowed all traffic on the
# internal interface
ipchains -A input -i eth1 -p tcp -s 0/0 -d 192.168.1.180/32 -j ACCEPT

# Allow only established connections out on clean interface
ipchains -A output -i eth1 -p tcp ! -y -s 192.168.1.180/32 22 -d 0/0 -j ACCEPT

###############################################################
# ICMP rules
###############################################################

# Allow all necessary ICMP in and out
ipchains -A input -p icmp -j icmp-acc
ipchains -A output -p icmp -j icmp-acc

# Allow pings out and pongs in
# ipchains -A input -p icmp --icmp-type ping -j ACCEPT
ipchains -A input -p icmp --icmp-type pong -j ACCEPT
ipchains -A output -p icmp --icmp-type ping -j ACCEPT
# ipchains -A output -p icmp --icmp-type pong -j ACCEPT

###############################################################
# Allow DNS queries
###############################################################

# Allow DNS responses in
ipchains -A input -i eth0 -p udp --sport 53 -d external.ip/32 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y --sport 53 -d external.ip/32 -j ACCEPT

# Allow DNS requests out
ipchains -A output -i eth0 -p udp -s external.ip/32 --dport 53 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s external.ip/32 --dport 53 -j ACCEPT

###############################################################
# DENY and LOG everything else!!
###############################################################
ipchains -A input -i eth0 -p all -j DENY -l
ipchains -A output -i eth0 -p all -j DENY -l

From stephan.fehrenbach at modulo3.de Thu Aug 10 04:58:40 2000
From: stephan.fehrenbach at modulo3.de (Stephan Fehrenbach)
Date: Thu, 10 Aug 2000 11:58:40 +0200
Subject: [pptp-server] Error 629 if I try to login with NT 4 client
In-Reply-To: <1c9f4171c3.171c31c9f4@opennetwork.com>
Message-ID: <000901c002b1$909eff60$6500a8c0@fehrenbach.modulo3.de>

Hello,

if I try to log in with a Win NT 4 client to my poptop server on my lan I get the lines

/usr/sbin/pppd: The remote system is required to authenticate itself but I
/usr/sbin/pppd: couldn't find any suitable secret (password) for it to use to do so.

on my server console. The pptpd logfile says (logfile attached)

..
GRE: read(fd=5,buffer=804d7ec,len=8196) from PTY failed: status = -1 error = Input/output error
..

I connect as user vpn and domain , //vpn, with and without setting a domain on the client. In my chap-secrets file I do have the lines

\\VPN * VPN *

How can I see as what user the client tries to log in?

Stephan

--
modulo3 gmbh                      fon    0211 - 876720-00
Stephan Fehrenbach                fax    0211 - 876720-27
Karl-Rudolf-Straße 172            e-mail stephan.fehrenbach at modulo3.de
D-40215 Düsseldorf                web    http://www.modulo3.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pptpd.log
Type: application/octet-stream
Size: 2402 bytes
Desc: not available
URL:

From walterm at Gliatech.com Thu Aug 10 07:53:04 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Thu, 10 Aug 2000 08:53:04 -0400
Subject: [pptp-server] Error 619
Message-ID:

Well, I did finally manage to get pptp masqing to work; here is what I had to do to accomplish it. Hope it helps.

This conf is based on a client connecting through a linux masq firewall to a vpn server with a registered address. No additional configuration is needed on the firewall or client if they are able to connect when the masq server is not involved. On the masq server, this is a VERY open ruleset, but it will work and should be good for your testing purposes.

For the purposes of this example:
EXTERNAL_NIC is the nic that resides on the internet (eth0)
INTERNAL_NIC is the nic that resides on the local network (eth1)
EXTERNAL_IP is the ip address of the nic on the internet (206.68.10.12)
INTERNAL_IP is the ip address of the nic on the local network (192.168.0.1)
EXTERNAL_NET is the entire internet (any/0)
INTERNAL_NET is the local network (192.168.0.0/24)

echo -n "- Set the default firewall policies..................................."
ipchains -F
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
echo -e "DONE"

echo 1 > /proc/sys/net/ipv4/ip_forward

# At this point if you built vpn masq as a module you will want to "insmod ip_masq_pptp"
# I built it into the kernel rather than using it as a module.

echo -n "- Allow gre traffic to support vpn client masquerading................"
ipchains -A input -p 47 -j ACCEPT
ipchains -A output -p 47 -j ACCEPT
echo -e "DONE"

echo -n "- Allow traffic to and from the dynamic ports........................."
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $EXTERNAL_NET -j ACCEPT
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $INTERNAL_NET -j ACCEPT
ipchains -A output -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A output -p tcp -i $EXTERNAL_NIC -d $INTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A forward -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A forward -p tcp -i $EXTERNAL_NIC -d $INTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A input -p udp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $EXTERNAL_NET -j ACCEPT
ipchains -A input -p udp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $INTERNAL_NET -j ACCEPT
ipchains -A output -p udp -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A output -p udp -i $EXTERNAL_NIC -d $INTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A forward -p udp -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A forward -p udp -i $EXTERNAL_NIC -d $INTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
echo -e "DONE"

echo -n "- Setup syn cookie rules on the external interface...................."
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP -s $INTERNAL_NET -y -j ACCEPT
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $EXTERNAL_NET -y -j ACCEPT
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP -s $EXTERNAL_NET -y -j DENY -l
echo -e "DONE"

echo -n "- Setup masquerading.................................................."
ipchains -A forward -i $INTERNAL_NIC -d $INTERNAL_NET -s $INTERNAL_NET -j ACCEPT
ipchains -A forward -i $EXTERNAL_NIC -d $INTERNAL_NET -s $INTERNAL_NET -j ACCEPT
ipchains -A forward -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $INTERNAL_NET -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -e "DONE"

I downloaded kernel 2.2.16 from www.kernel.org, and downloaded the ip_masq_vpn-2.2.15.patch patch from ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn-2.2.15.patch.gz

I also used net-tools-1.51.tar.bz2, net-tools-1.51-masq_vpn_protos.patch, traceroute-1.4a5.tar, and pptp-traceroute.patch to help with troubleshooting.

The kernel I got from Redhat, 2.2.16-12 with pptp masq built in, did not work; I had to build my own. I chose all the kernel settings from ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade-3.html#ss3.4 except CONFIG_IP_ALWAYS_DEFRAG, which I never saw.

After all that, things started to work.

Hope this helps you out,

Michael J. Walter mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Chris [mailto:cliles at gw.total-web.net]
Sent: Thursday, August 10, 2000 1:10 AM
To: pptp-server at lists.schulte.org
Subject: Fw: [pptp-server] Error 619

----- Original Message -----
From: Chris
To: George Csahanin-LININET
Sent: Wednesday, August 09, 2000 10:08 PM
Subject: Re: [pptp-server] Error 619

[Chris's reply to George, George's ruleset and Chris's original message, all already quoted in full above, snipped]

From larrydog at coqui.net Thu Aug 10 09:33:03 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Thu, 10 Aug 2000 10:33:03 -0400
Subject: [pptp-server] pptp vpn and masquerading
Message-ID: <3992BD1E.495DA163@coqui.net>

Hello:

I have a dedicated connection to the internet using a linux server running kernel version 2.2.13. This server is also a member of a private lan in the normal firewall setup that is prevalent these days.

I have successfully configured the joining of two remote locations via pptp tunnels, and these have their own subnet assigned. My problem is that since I had to turn off masquerading in the kernel config (because my incoming connections were being masqueraded as the server's ethernet ip address, creating problems for printing, etc.), now my outgoing clients cannot access the internet as before from behind this server (these clients have private ip numbers). I HAVE read all of the documentation out there but am still unsure of several issues.

Is it possible to have the following setup?

1. Masquerade outgoing connections for internet browsing from a private network behind the firewall.
2. DO NOT masquerade incoming pptp connections so that remote machines can access the applications server with their ip address intact.

Has anyone seen a setup like this?

Thanks
LR

From radum at onebox.com Thu Aug 10 10:06:42 2000
From: radum at onebox.com (Mihai Radu)
Date: Thu, 10 Aug 2000 08:06:42 -0700
Subject: [pptp-server] I can not browse NT computers over pptp!
Message-ID: <20000810150644.AHE3027.mta01.onebox.com@onebox.com>

Hi all,

My Linux pptp server is in an NT network. I can connect with an NT Workstation to the pptp server, but when I go to Network Neighborhood, the only computer I see is my computer. On the Linux machine I have installed Samba. In /etc/smb.conf I have "wins support=yes". Also, the NT Workstation is configured to use the Linux machine as WINS server.....

What is the problem?

Thanks!

From Steve.Cowles at gte.net Thu Aug 10 11:20:46 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Thu, 10 Aug 2000 11:20:46 -0500
Subject: [pptp-server] pptp vpn and masquerading
Message-ID: <31361954B2ADD2118B0900A0C90AFC3E05DC19@defiant.dsl.gtei.net>

> -----Original Message-----
> From: Larry Rivera [mailto:larrydog at coqui.net]
> Sent: Thursday, August 10, 2000 9:33 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] pptp vpn and masquerading
>
> [Larry's message above, quoted in full, snipped]
>
> Is it possible to have the following setup?:
>
> 1. Masquerade outgoing connections for internet browsing from a private
> network behind firewall.
> 2. DO NOT Masquerade incoming pptp connections so that remote machines
> can access the applications server with their ip address intact.

Yes. The order that you enter your ipchains rules is critical in this case.

1) Specify the non-masq networks first
2) Specify the private networks last (MASQ)

Example: My private network is 192.168.9.0/24 and the remote network (VPN) is 192.168.1.0/24. Notice the order that the rules are listed in the forward chain (see below). Packets destined for the remote network (192.168.1.0/24) are processed "first", then the MASQ'd rule for 192.168.9.0/24, and then DENY all others.

firewall: root # ipchains -L forward -n
Chain forward (policy REJECT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0             192.168.1.0/24        n/a
ACCEPT     all  ------  192.168.1.0/24        0.0.0.0/0             n/a
MASQ       all  ------  192.168.9.0/24        0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             n/a

Using the above rules, I am able to MASQ my internal network for internet access and also communicate with the remote LAN across the VPN.

Hopefully the above will give you a good starting point to add the appropriate ipchains rules at your end.

BTW: Don't forget about the other end of the tunnel.

Steve Cowles

> Has anyone seen a setup like this?
> Thanks
> LR

From m.teunissenvanmanen at chello.nl Thu Aug 10 11:44:18 2000
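Elliott's rule-set and Steve's forward-chain listing both depend on ipchains evaluating a chain top to bottom and stopping at the first match, which is easy to misjudge by eye. The Python below is an added example, not code from any message in this thread and not part of ipchains or PoPToP: a parser for the subset of ipchains syntax that appears on this page and a first-match walk of a chain. It checks what Elliott's dirty-interface input rules do with a few inbound packets (203.0.113.5 is a constructed stand-in for his external.ip placeholder, 198.51.100.7 a constructed outside host), then replays Steve's forward chain as he lists it and again with the MASQ rule moved to the top, which is the ordering that masquerades the tunnel traffic Larry wants left alone. The packet descriptions are mine.

```python
import ipaddress
import shlex

OPTS = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}


def _net(spec):
    # ipchains takes "0/0" and bare addresses (implicit /32); ipaddress wants a full dotted quad
    addr, _, plen = spec.partition("/")
    return ipaddress.ip_network("%s/%s" % ("0.0.0.0" if addr == "0" else addr, plen or "32"), strict=False)


def parse_rule(line):
    """One 'ipchains -A <chain> ...' line -> dict. Known options: -s/-d (plus an optional trailing
    port), --sport/--dport, -p, -i, -y and '! -y', -j, -l. Anything else raises."""
    r = {"chain": None, "proto": "all", "iface": None, "target": None, "src": None, "dst": None,
         "sport": None, "dport": None, "syn": None, "log": False}
    t = shlex.split(line)
    i, negate = (1 if t and t[0] == "ipchains" else 0), False
    while i < len(t):
        tok = t[i]
        if tok in OPTS:
            r[OPTS[tok]] = t[i + 1]; i += 2
        elif tok in ("-s", "-d"):
            side = "src" if tok == "-s" else "dst"
            r[side] = _net(t[i + 1]); i += 2
            if i < len(t) and t[i].isdigit():            # "-d host/32 1723": port after the address
                r[side[0] + "port"] = int(t[i]); i += 1
        elif tok in ("--sport", "--dport"):
            r[tok[2:]] = int(t[i + 1]); i += 2
        elif tok == "!":
            negate = True; i += 1
        elif tok == "-y":                                # -y: SYN-only packets; ! -y: everything else
            r["syn"], negate = (not negate), False; i += 1
        elif tok == "-l":
            r["log"] = True; i += 1
        else:
            raise ValueError("unsupported option %r in %r" % (tok, line))
    return r


def _matches(r, pkt):
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["proto"] != "all" and r["proto"].lower() != pkt["proto"]:
        return False
    if any(r[s] is not None and ipaddress.ip_address(pkt[s]) not in r[s] for s in ("src", "dst")):
        return False
    if any(r[p] is not None and r[p] != pkt.get(p) for p in ("sport", "dport")):
        return False
    return r["syn"] is None or r["syn"] == pkt.get("syn", False)


def walk(rules, policy, pkt):
    """First match wins. Returns (target, index of the matching rule, or None when the policy applied)."""
    for idx, r in enumerate(rules):
        if _matches(r, pkt):
            return r["target"], idx
    return policy, None


EXT = "203.0.113.5"   # constructed stand-in for the "external.ip" placeholder in Elliott's script
DIRTY_INPUT = [parse_rule(x) for x in (
    "ipchains -A input -i eth0 -p tcp -d %s/32 1723 -j ACCEPT" % EXT,
    "ipchains -A input -i eth0 -p 47 -d %s/32 -j ACCEPT" % EXT,
    "ipchains -A input -i eth0 -p tcp -s 0/0 -d %s/32 22 -j ACCEPT" % EXT,
    "ipchains -A input -i eth0 -p udp --sport 53 -d %s/32 -j ACCEPT" % EXT,
    "ipchains -A input -i eth0 -p tcp ! -y --sport 53 -d %s/32 -j ACCEPT" % EXT,
    "ipchains -A input -i eth0 -p all -j DENY -l",
)]


def check_dirty_input():
    """Fate of a few inbound packets on eth0 from a constructed outside host."""
    base = {"iface": "eth0", "src": "198.51.100.7", "dst": EXT}
    tcp = lambda sport, dport, syn: dict(base, proto="tcp", sport=sport, dport=dport, syn=syn)
    return {
        "pptp_ctrl": walk(DIRTY_INPUT, "DENY", tcp(1054, 1723, True))[0],    # ACCEPT
        "gre": walk(DIRTY_INPUT, "DENY", dict(base, proto="47"))[0],        # ACCEPT
        # a SYN sent *from* port 53 is the old trick for sneaking past "allow DNS replies"; '! -y' stops it
        "syn_from_53": walk(DIRTY_INPUT, "DENY", tcp(53, 139, True))[0],    # DENY (and logged)
        "dns_reply": walk(DIRTY_INPUT, "DENY", tcp(53, 1056, False))[0],    # ACCEPT
    }


# Steve's forward chain in the order he lists it, and the same rules with MASQ moved to the top
STEVE_ORDER = [parse_rule(x) for x in (
    "ipchains -A forward -s 0/0 -d 192.168.1.0/24 -j ACCEPT",
    "ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j ACCEPT",
    "ipchains -A forward -s 192.168.9.0/24 -d 0/0 -j MASQ",
    "ipchains -A forward -s 0/0 -d 0/0 -j DENY -l",
)]
MASQ_FIRST = [STEVE_ORDER[2], STEVE_ORDER[0], STEVE_ORDER[1], STEVE_ORDER[3]]


def check_forward_order():
    to_vpn = {"iface": "eth0", "proto": "tcp", "src": "192.168.9.5", "dst": "192.168.1.20",
              "sport": 1060, "dport": 139, "syn": True}
    to_net = dict(to_vpn, dst="198.51.100.7", dport=80)
    return {
        "steve_to_vpn": walk(STEVE_ORDER, "REJECT", to_vpn)[0],       # ACCEPT: real address crosses the tunnel
        "steve_to_net": walk(STEVE_ORDER, "REJECT", to_net)[0],       # MASQ: internet traffic still masqueraded
        "masq_first_to_vpn": walk(MASQ_FIRST, "REJECT", to_vpn)[0],   # MASQ: remote LAN sees only the gateway
        "unsolicited_in": walk(STEVE_ORDER, "REJECT", dict(to_vpn, src="198.51.100.7", dst="192.168.9.5"))[0],  # DENY
    }
```

The `! -y` detail is the one worth keeping in mind when copying Elliott's DNS rules: TCP from source port 53 is accepted only when the packet is not a bare SYN, so a connection attempt sent from port 53 still falls through to the final logged DENY, while genuine replies to the box's own DNS queries get in.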
From: m.teunissenvanmanen at chello.nl (m.teunissenvanmanen at chello.nl)
Date: Thu, 10 Aug 2000 18:44:18 +0200
Subject: [pptp-server] Help needed!
Message-ID: <20000810164500.JKFK2557.amsmta06-svc@mtm-w98>

Somehow, a connection cannot be made. I've tried several things (along with a colleague) to get things right...

Using SuSE 6.3, /var/log/messages shows:

Aug 10 18:37:00 firewall pppd[14434]: sent [LCP ConfReq id=0x1 ]
Aug 10 18:37:24 firewall last message repeated 8 times
Aug 10 18:37:27 firewall pppd[14434]: LCP: timeout sending Config-Requests
Aug 10 18:37:27 firewall pppd[14434]: Connection terminated.
Aug 10 18:37:27 firewall pppd[14434]: Exit.
Aug 10 18:37:27 firewall pptpd[14433]: GRE: read(fd=5,buffer=804daa0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 10 18:37:27 firewall pptpd[14433]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Aug 10 18:37:27 firewall pptpd[14433]: CTRL: Client 213.46.78.13 control connection finished
Aug 10 18:37:27 firewall pptpd[14433]: CTRL: Exiting now
Aug 10 18:37:27 firewall pptpd[14227]: MGR: Reaped child 14433

Note: this machine is both firewall & VPN-server (with a non-private IP address).

So far I've tried:
* insmod ip_gre or not
* settings on the VPN client (windows 2000), which always shows: Error 619: The specified port is not connected, right after the Reaped child line on Linux.

So far, I've no idea what's causing this. Unfortunately, due to SuSE's somewhat strange patches, I cannot patch traceroute to see if it is somewhere along the line that some host might not pass on the GRE packets. If anyone can send me a patched source, I'd be very happy. Or if you know what's wrong, you may let me know as well.

Thanks in advance.

M. Teunissen van Manen

From cliles at gw.total-web.net Thu Aug 10 15:25:25 2000
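Several posters in this thread paste pppd/pptpd syslog excerpts and ask where the failure is actually recorded. The Python below is an added example, not part of any message here and not PoPToP code: it groups syslog lines by program and PID and reports the last decisive event per session, so that a pptpd "GRE: read ... from PTY failed" line is reported as the consequence of the pppd exit that precedes it rather than as the cause. The sample lines are taken from the excerpts quoted in this thread (Phong's MPPE session and the LCP timeout just above); the verdict strings are my own reading of those messages, not text from pppd.

```python
import re

# pppd/pptpd lines as syslog writes them: "Aug 10 18:37:27 firewall pppd[14434]: message"
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) (pppd|pptpd)\[(\d+)\]: (.*)$")

# (pattern, label), applied to every message of a session; the LAST hit wins, so a failure
# logged after "authentication succeeded" outranks it. The labels are heuristic readings.
VERDICTS = [
    (r"peer authentication succeeded for (\S+)", "authenticated as {0}; no later failure logged"),
    (r"couldn't find any suitable secret", "auth never attempted: no chap-secrets entry for the peer name"),
    (r"LCP: timeout sending Config-Requests", "LCP never negotiated: no reply to our ConfReqs (PPP/GRE path broken)"),
    (r"LCP terminated by peer", "authenticated, then the peer tore the link down"),
    (r"Unsupported protocol \((0x[0-9a-f]+)\)", "link up but peer frames undecodable (proto {0}); with MPPE on, both ends' cipher state must match"),
    (r"GRE: read\(.*\) from PTY failed", "pptpd lost its pty because pppd exited: look at the pppd lines before this"),
]


def triage(lines):
    """Return {"pppd[1234]": verdict, ...} in first-seen order; lines not from pppd/pptpd are ignored."""
    sessions = {}
    for ln in lines:
        m = SYSLOG.match(ln)
        if m:
            _host, prog, pid, msg = m.groups()
            sessions.setdefault("%s[%s]" % (prog, pid), []).append(msg)
    result = {}
    for key, msgs in sessions.items():
        verdict = "no decisive event logged"
        for msg in msgs:
            for pat, label in VERDICTS:
                hit = re.search(pat, msg)
                if hit:
                    verdict = label.format(*hit.groups())
        result[key] = verdict
    return result


# Constructed sample: the pppd/pptpd lines quoted earlier in this thread, two sessions on two hosts.
SAMPLE = """\
Aug 9 01:20:10 aurora pppd[2843]: MSCHAP peer authentication succeeded for nhdung
Aug 9 01:20:10 aurora pppd[2843]: MPPE 40 bit, stateless compression enabled
Aug 9 01:20:16 aurora pppd[2843]: Unsupported protocol (0x4d40) received
Aug 9 01:20:18 aurora pppd[2843]: Unsupported protocol (0x7a40) received
Aug 10 18:37:00 firewall pppd[14434]: sent [LCP ConfReq id=0x1 ]
Aug 10 18:37:24 firewall last message repeated 8 times
Aug 10 18:37:27 firewall pppd[14434]: LCP: timeout sending Config-Requests
Aug 10 18:37:27 firewall pppd[14434]: Connection terminated.
Aug 10 18:37:27 firewall pptpd[14433]: GRE: read(fd=5,buffer=804daa0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 10 18:37:27 firewall pptpd[14433]: CTRL: Client 213.46.78.13 control connection finished
Aug 10 18:37:27 firewall pptpd[14227]: MGR: Reaped child 14433
""".splitlines()

if __name__ == "__main__":
    for session, verdict in triage(SAMPLE).items():
        print("%-13s %s" % (session, verdict))
```

Run against a real /var/log/messages the same way (`triage(open("/var/log/messages").readlines())`); the point of keying on PID is that pptpd forks one child per control connection and that child execs pppd, so the pppd lines and the pptpd lines for one client are separate processes and a verdict has to be reached per process, not per file.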
From: cliles at gw.total-web.net (Chris)
Date: Thu, 10 Aug 2000 13:25:25 -0700
Subject: [pptp-server] Error 619
Message-ID: <004501c00309$30d5f090$0200a8c0@jojostomp.net>

I'm trying to connect to a poptop server through a masq. I always get a 619 error, even if I connect to the server without going through the masq. I have yet to make my 1st connection last. I'm not sure what I'm doing wrong, but I suspect that it is somewhere in my firewalling. I have used all the sample firewalls from many HOWTOs and from the help of others on this list. I need some very, very idiot-proof settings here. I have patched the kernel for pptp masqing and installed all the modules: bsd_comp, ppp_deflate, ip_masq_autofw, ip_masq_portfw, ip_masq_pptp. When I grep /var/log/messages, ppp says that the connection authenticates but then the client drops, and pptp says that a PTY or GRE write failed. Please help me, as I am at the end of my wits with this poorly documented experiment we all call setting up poptop.

Thanks,
Chris Liles

From danielk at ap.com Thu Aug 10 05:40:57 2000
From: danielk at ap.com (Daniel Knighten)
Date: Thu, 10 Aug 2000 10:40:57 +0000
Subject: [pptp-server] Error 619
References: <004501c00309$30d5f090$0200a8c0@jojostomp.net>
Message-ID: <399286B9.70C77C2D@ap.com>

Chris,

You need to set up your masquerading proxy to masquerade the GRE protocol. If you are using Linux as the masquerading firewall, you will need to set this option in the kernel configuration and recompile. Assuming you have a relatively recent kernel, you will see the following line under firewall configuration:

IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [Y/m/n/?]

Good luck,
Dan

Chris wrote:
> [Chris's message above, quoted in full, snipped]

From htcengrs at pacbell.net Thu Aug 10 12:35:48 2000
From: htcengrs at pacbell.net (Waleed Alrawi)
Date: Thu, 10 Aug 2000 10:35:48 -0700
Subject: [pptp-server] PPTPD with encryption in RPM format
Message-ID:

Greetings

Anyone know of a poptop with encryption in RPM (Linux RedHat)?

Thanks in advance.

Waleed

From jhummel at fulltilt.com Thu Aug 10 13:05:18 2000
From: jhummel at fulltilt.com (Jeffrey Hummel)
Date: Thu, 10 Aug 2000 14:05:18 -0400
Subject: [pptp-server] PPTPD with encryption in RPM format
Message-ID:

Search the archive of this list. Someone named Adi has the RPMs for RH6.2 and 6.1 - that's what I used before. They worked great.

-J

-----Original Message-----
From: Waleed Alrawi [mailto:htcengrs at pacbell.net]
Sent: Thursday, August 10, 2000 1:36 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] PPTPD with encryption in RPM format

[Waleed's message above, quoted in full, snipped]

From MSmith at webtonetech.com Thu Aug 10 13:36:47 2000
From: MSmith at webtonetech.com (Michael Smith)
Date: Thu, 10 Aug 2000 14:36:47 -0400
Subject: [pptp-server] Kernel 2.2.16-12 and inability to get PPTP working
Message-ID: <0124736A07E0D311A7FA00A0C9DCE5567655A0@pantera.webtonetech.com>

I just put pinstripe (linux beta 7) on a machine because it had both ip_gre and ip_masq_pptp modules compiled into the kernel but I still can't get pptp to work correctly. I have a win2k machine behind my firewall that uses masquerading to connect through the new server to a pptp machine on the net. There is really nothing distinct about the messages in the syslog but here they are:

Aug 9 22:18:44 hercules kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
Aug 9 22:18:44 hercules kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
Aug 9 22:19:21 hercules kernel: ip_masq_pptp_tcp(): CALL_DISCONNECT_NOTIFY 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51

If anyone has successfully used the ip_masq_pptp, I would appreciate some help.

I don't see any packets being sent over GRE via ifconfig -a and I definitely have port 1723 open. I also have the ip address of the pptp server in my hosts.allow. Do ip_gre or ip_masq_pptp take some parameters?

Thanks in advance.

Michael A. Smith
Senior Software Developer

From walterm at Gliatech.com Thu Aug 10 13:58:31 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Thu, 10 Aug 2000 14:58:31 -0400
Subject: [pptp-server] Kernel 2.2.16-12 and inability to get PPTP work ing
Message-ID:

I worked with this release as well. vpn masq'ing, while indeed being present in the kernel, has not been applied correctly and simply doesn't work. You will still have to download and build your own kernel if you want to masq vpn traffic.

Thanks,

Michael J. Walter mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Michael Smith [mailto:MSmith at webtonetech.com]
Sent: Thursday, August 10, 2000 2:37 PM
To: pptp-server at lists.schulte.org
Cc: 'ale at ale.org'
Subject: [pptp-server] Kernel 2.2.16-12 and inability to get PPTP working

I just put pinstripe (linux beta 7) on a machine because it had both ip_gre and ip_masq_pptp modules compiled into the kernel but I still can't get pptp to work correctly. I have a win2k machine behind my firewall that uses masquerading to connect through the new server to a pptp machine on the net. There is really nothing distinct about the messages in the syslog but here they are:

Aug 9 22:18:44 hercules kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
Aug 9 22:18:44 hercules kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
Aug 9 22:19:21 hercules kernel: ip_masq_pptp_tcp(): CALL_DISCONNECT_NOTIFY 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51

If anyone has successfully used the ip_masq_pptp, I would appreciate some help.

I don't see any packets being sent over GRE via ifconfig -a and I definitely have port 1723 open. I also have the ip address of the pptp server in my hosts.allow. Do ip_gre or ip_masq_pptp take some parameters?

Thanks in advance.

Michael A. Smith
Senior Software Developer

From m.teunissenvanmanen at chello.nl Thu Aug 10 14:42:50 2000
From: m.teunissenvanmanen at chello.nl (m.teunissenvanmanen at chello.nl)
Date: Thu, 10 Aug 2000 21:42:50 +0200
Subject: [pptp-server] Error 619
In-Reply-To: <399286B9.70C77C2D@ap.com>
Message-ID: <20000810194344.KDHQ24465.amsmta04-svc@mtm-w98>

Chris, Dan,

That's what I've tried as well. insmod ip_gre does not solve the problem. See the message log I included in my last message.

Marco Teunissen van Manen

> You need to setup your Masquerading proxy to masquerade the GRE
> protocol. If you are using Linux as the masquerading firewall, you
Dan
>
>
> Chris wrote:
> >
> > I'm trying to connect to a poptop server through a masq. I always
> > get a 619 error, even if I connect to the server without going
>cut<
> > then the client drops, and pptp says that a PTY or GRE write failed.

From gord at amador.ca Thu Aug 10 15:01:17 2000
From: gord at amador.ca (Gord Belsey)
Date: Thu, 10 Aug 2000 14:01:17 -0600
Subject: [pptp-server] pptp vpn and masquerading
References: <3992BD1E.495DA163@coqui.net>
Message-ID: <04e501c00305$bf0cf0b0$280111ac@amadorinc.com>

If I understand correctly your problem, try adding a rule to forward the pptp clients without MASQ, and the other traffic through MASQ. Since you're able to get pptp sessions running without MASQ, something like this should do the trick:

ipchains -A forward -s -d -j ACCEPT
ipchains -A forward -s -d -j ACCEPT
ipchains -A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j MASQ

This assumes that you don't want any pptp traffic MASQd and you want all other traffic MASQd. You can tweak it to better meet your needs, but it should (at least in my head.....) work.

Hope this helps

Gord .

----- Original Message -----
From: Larry Rivera
To:
Sent: Thursday, August 10, 2000 8:33 AM
Subject: [pptp-server] pptp vpn and masquerading

> Hello:
>
> I have a dedicated connection to the internet using a linux server
> running kernel version 2.2.13. This server also is a member of a private
> lan in the normal firewall setup that is prevalent these days.
>
> I have successfully configured the joining of two remote locations via
> pptp tunnels and these have their own subnet assigned. My problem is
> that since I had to turn off masquerading in the kernel config, (because
> my incoming connections were being masqueraded as the server's ethernet
> ip address creating problems for printing, etc.) now my outgoing clients
> cannot access the internet as before from behind this server (these
> clients have private ip numbers). I HAVE read all of the documentation
> out there but am still unsure of several issues.
> Is it possible to have the following setup?:
>
> 1. Masquerade outgoing connections for internet browsing from a private
> network behind firewall.
> 2. DO NOT Masquerade incoming pptp connections so that remote machines
> can access the applications server with their ip address intact.
>
> Has anyone seen a setup like this?
> Thanks
> LR
>

From danielk at ap.com Thu Aug 10 07:54:11 2000
From: danielk at ap.com (Daniel Knighten)
Date: Thu, 10 Aug 2000 12:54:11 +0000
Subject: [pptp-server] Error 619
References: <20000810194344.KDHQ24465.amsmta04-svc@mtm-w98>
Message-ID: <3992A5F3.419563A9@ap.com>

Whoops, I was gravely in error. Check out the Linux VPN Masquerading How To:

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.html

Dan

m.teunissenvanmanen at chello.nl wrote:
>
> Chris, Dan,
>
> That's what I've tried as well. insmod ip_gre does not solve the
> problem. See the message log I included in my last message.
>
> Marco Teunissen van Manen
>
> > You need to setup your Masquerading proxy to masquerade the GRE
> > protocol. If you are using Linux as the masquerading firewall, you
> Dan
> >
> >
> > Chris wrote:
> > >
> > > I'm trying to connect to a poptop server through a masq. I always
> > > get a 619 error, even if I connect to the server without going
> >cut<
> > > then the client drops, and pptp says that a PTY or GRE write failed.
>

From sstone at taos.com Thu Aug 10 15:01:58 2000
From: sstone at taos.com (Scott M. Stone)
Date: Thu, 10 Aug 2000 13:01:58 -0700 (PDT)
Subject: [pptp-server] Error 619
In-Reply-To: <20000810194344.KDHQ24465.amsmta04-svc@mtm-w98>
Message-ID:

On Thu, 10 Aug 2000 m.teunissenvanmanen at chello.nl wrote:

> Chris, Dan,
>
> That's what I've tried as well. insmod ip_gre does not solve the
> problem. See the message log I included in my last message.
>
> Marco Teunissen van Manen
>
> > You need to setup your Masquerading proxy to masquerade the GRE
> > protocol. If you are using Linux as the masquerading firewall, you

it's ipmasq_gre that you need to load..

> Dan
> >
> >
> > Chris wrote:
> > >
> > > I'm trying to connect to a poptop server through a masq. I always
> > > get a 619 error, even if I connect to the server without going
> >cut<
> > > then the client drops, and pptp says that a PTY or GRE write failed.
>
>

--------------------------
Scott M. Stone, CCNA
UNIX Systems and Network Engineer
Taos - The SysAdmin Company

From ddaffer at helixelectric.com Thu Aug 10 15:55:56 2000
From: ddaffer at helixelectric.com (Dan Daffer)
Date: Thu, 10 Aug 2000 13:55:56 -0700
Subject: [pptp-server] PopTop on same box as firewall
Message-ID: <3992B46C.11409.4950B0E@localhost>

Is it possible to install PopTop on the same box as a firewall using ipchains? The firewall is masqing several windows and linux clients. If so, I assume I will need to rebuild the kernel with the masqing patches. Is this correct?

Also, any recommendations as to whether installing PopTop on the firewall is a good idea?

Thanks!

Dan Daffer
ddaffer at helixelectric.com

From sstone at taos.com Thu Aug 10 16:43:39 2000
From: sstone at taos.com (Scott M. Stone)
Date: Thu, 10 Aug 2000 14:43:39 -0700 (PDT)
Subject: [pptp-server] PopTop on same box as firewall
In-Reply-To: <3992B46C.11409.4950B0E@localhost>
Message-ID:

On Thu, 10 Aug 2000, Dan Daffer wrote:

> Is it possible to install PopTop on the same box as a firewall using
> ipchains? The firewall is masqing several windows and linux clients. If
> so, I assume I will need to rebuild the kernel with the masqing patches.
> Is this correct?

I've set this up.. it's easy. not much to do with ipchains. you don't need the vpn-masq patches at all since you're not masquerading that, you're connecting directly to the firewall's external interface (the 'real' ip) from the outside.

>
> Also, any recommendations as to whether installing PopTop on the
> firewall is a good idea?
>

don't see that it's any better or worse than any other way. certainly easier to do it that way, as well.

--------------------------
Scott M. Stone, CCNA
UNIX Systems and Network Engineer
Taos - The SysAdmin Company

From teastep at evergo.net Thu Aug 10 16:42:43 2000
From: teastep at evergo.net (Tom Eastep)
Date: Thu, 10 Aug 2000 14:42:43 -0700 (PDT)
Subject: [pptp-server] Kernel 2.2.16-12 and inability to get PPTP working
In-Reply-To: <0124736A07E0D311A7FA00A0C9DCE5567655A0@pantera.webtonetech.com>
Message-ID:

Thus spoke Michael Smith:

> I just put pinstripe(linux beta 7) on a machine because it had both
> ip_gre and ip_masq_pptp modules compiled into the kernel but I still can't
> get pptp to work correctly. I have a win2k machine behind my firewall that
> uses masquerading to connect through the new server to a pptp machine on the
> net. There is really nothing distinct about the messages in the syslog but
> here they are:
>
> Aug 9 22:18:44 hercules kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST
> 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
> Aug 9 22:18:44 hercules kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY
> 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
> Aug 9 22:19:21 hercules kernel: ip_masq_pptp_tcp(): CALL_DISCONNECT_NOTIFY
> 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
>
> If anyone has successfully used the ip_masq_pptp, I would appreciate some
> help.

I've used it for 18 months now.

>
> I don't see any packets being sent over GRE via ifconfig -a and I definitely
> have port 1723 open. I also have the ip address of the pptp server in my
> hosts.allow. Do ip_gre or ip_masq_pptp take some parameters?
>

Are your ipchains rules on your firewall admitting GRE (protocol 47) from your pptp server?

-Tom
--
Tom Eastep              \ Eastep's First Principle of Computing:
ICQ #60745924           \ "Any sane computer will tell you how it
teastep at evergo.net      \ works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________

From Josh at pollstar.com Thu Aug 10 16:55:47 2000
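An added example, not from the thread or from any of the tools it discusses: a small Python script that parses the ip_masq_pptp syslog lines Michael posted above and reports calls that were answered (OUT_CALL_REPLY) and torn down seconds later. That pattern is the thread's symptom: TCP/1723 passes the masquerading box, but no GRE (IP protocol 47) follows, which is exactly what Tom's question is probing. The sample log is the three lines from the thread, with the server address left redacted as posted; the 2000 year and the 60-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the three ip_masq_pptp lines quoted in the
# thread, with the server address left redacted as it was posted.
SAMPLE_LOG = """\
Aug  9 22:18:44 hercules kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
Aug  9 22:18:44 hercules kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
Aug  9 22:19:21 hercules kernel: ip_masq_pptp_tcp(): CALL_DISCONNECT_NOTIFY 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
"""

# One ip_masq_pptp control-channel line, in the shape the module logged it
# in the thread (syslog timestamp, host, "kernel:", function, message,
# client -> server, CID, MCID).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+"
    r"(?P<func>ip_(?:de)?masq_pptp_tcp)\(\):\s+(?P<msg>[A-Z_]+)\s+"
    r"(?P<client>\S+)\s+->\s+(?P<server>\S+)\s+CID=(?P<cid>\w+)\s+MCID=(?P<mcid>\w+)\s*$"
)


def parse_line(line, year=2000):
    """Return a dict for an ip_masq_pptp control message, or None for other lines.

    syslog timestamps carry no year, so the caller supplies one (assumed 2000
    here, the year of the thread)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = " ".join(m["ts"].split())  # collapse the double space in "Aug  9"
    return {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        # ip_masq_* logs the outbound (masqueraded) direction, ip_demasq_* the reply
        "direction": "out" if m["func"] == "ip_masq_pptp_tcp" else "in",
        "msg": m["msg"],
        "client": m["client"],
        "server": m["server"],
        "mcid": m["mcid"],
    }


def track_calls(log_text, year=2000):
    """Group control messages per (client, server, MCID) into a timeline."""
    calls = {}
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        key = (ev["client"], ev["server"], ev["mcid"])
        calls.setdefault(key, {})[ev["msg"]] = ev["time"]
    return calls


def short_lived_calls(log_text, max_seconds=60, year=2000):
    """Calls that got an OUT_CALL_REPLY and then a CALL_DISCONNECT_NOTIFY
    within max_seconds: the control channel negotiated, but the tunnel never
    carried data. Returns (client, server, mcid, seconds) tuples."""
    findings = []
    for (client, server, mcid), events in track_calls(log_text, year).items():
        up = events.get("OUT_CALL_REPLY")
        down = events.get("CALL_DISCONNECT_NOTIFY")
        if up is None or down is None:
            continue
        secs = int((down - up).total_seconds())
        if secs <= max_seconds:
            findings.append((client, server, mcid, secs))
    return findings


if __name__ == "__main__":
    for client, server, mcid, secs in short_lived_calls(SAMPLE_LOG):
        print(f"call MCID={mcid} {client} -> {server} dropped {secs}s after "
              f"OUT_CALL_REPLY: check that GRE (IP protocol 47) is forwarded "
              f"and masqueraded on the firewall, not only TCP port 1723")
```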
From: Josh at pollstar.com (Josh Massie)
Date: Thu, 10 Aug 2000 14:55:47 -0700
Subject: [pptp-server] CryptoCard and PoPToP
Message-ID:

Anyone had any luck getting the CryptoCard easyRadius authentication working with PoPTop? Someone showed my boss cryptocards somewhere and he's insisting we implement. So far things are going well, but I was hoping someone out there might have fought this battle previously and have some pointers.

Thanks,

josh massie
extranet administrator
pollstar.com
email: josh at pollstar.com
phone: (559) 271-7977 x 4477
fax: (559) 271-7979
http://www.pollstar.com

From Phong.Nguyen_Thanh at sdcgrp.com Thu Aug 10 20:11:08 2000
From: Phong.Nguyen_Thanh at sdcgrp.com (Nguyen Thanh Phong)
Date: Fri, 11 Aug 2000 08:11:08 +0700
Subject: [pptp-server] Error 629 if I try to login with NT 4 client
References: <000901c002b1$909eff60$6500a8c0@fehrenbach.modulo3.de>
Message-ID: <055901c00333$cdabd5e0$420aa8c0@sdc.com>

Try to enable debug info in PPP (yes, PPP) by putting the entry "kdebug 1" into /etc/ppp/options (or whatever options file PPTP will use). See man pppd for more details (I'm using ppp-2.3.10).

Hope this helps.

----- Original Message -----
From: Stephan Fehrenbach
To:
Sent: Thursday, August 10, 2000 4:58 PM
Subject: [pptp-server] Error 629 if I try to login with NT 4 client

Hello,

if I try to login with a Win NT 4 Client to my poptop server on my lan I get the lines

/usr/sbin/pppd: The remote system is required to authenticate itself but I
/usr/sbin/pppd: couldn't find any suitable secret (password) for it to use to do so.

on my server console. The pptpd logfile says (logfile attached)

..
GRE: read(fd=5,buffer=804d7ec,len=8196) from PTY failed: status = -1 error = Input/output error
..

I connect as user vpn and domain , //vpn with and without setting a domain on the client. In my chap-secrets file I do have the lines

\\VPN * VPN *

How can I see as what user the client tries to log in?

Stephan

--
modulo3 gmbh                 fon    0211 - 876720-00
Stephan Fehrenbach           fax    0211 - 876720-27
Karl-Rudolf-Straße 172       e-mail stephan.fehrenbach at modulo3.de
D-40215 Düsseldorf           web    http://www.modulo3.de

From richard at blauvelt.com Fri Aug 11 01:15:08 2000
From: richard at blauvelt.com (Richard E Blauvelt)
Date: Thu, 10 Aug 2000 23:15:08 -0700
Subject: [pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch
In-Reply-To: <398B27C7.38DF5230@dewittross.com>
References:
Message-ID: <4.3.2.7.2.20000810221957.00ce8620@blauvelt.com>

I had to do a couple of additional things. My install used these components:

Red Hat 6.2, 2.2.16-3 kernel
ppp-2.3.11
pptpd-1.0.0
SSLeay-0.9.0b
ppp-2.3.10-openssl-norc4-mppe.patch

Here are the extra things I did to get the server to work when using a Windows 98se client with microsoft strong encryption:

When doing the [patch -p1 < ../ppp-2.3.10-openssl-norc4-mppe.patch] onto the ppp-2.3.11, everything patched OK except for the pppd/lcp.c file, which I had to do by hand. Basically, I replaced "Old Stuff" with "New Stuff", as shown below (I don't yet know how to create patch files, so go easy on me):

====== Begin "Old Stuff" ======================================================

        /*
         * We were asking for CHAP/MD5; they must want a different
         * algorithm. If they can't do MD5, we can ask for M$-CHAP
         * if we support it, otherwise we'll have to stop
         * asking for CHAP.
         */
        if (cichar != go->chap_mdtype) {
#ifdef CHAPMS
            if (cichar == CHAP_MICROSOFT)
                go->chap_mdtype = CHAP_MICROSOFT;
            else
#endif /* CHAPMS */
            try.neg_chap = 0;
        }
    } else {

====== End "Old Stuff" ========================================================

====== Begin "New Stuff" ======================================================

        /*
         * We were asking for CHAP/MD5; they must want a different
         * algorithm. If they can't do MD5, we can ask for M$-CHAP
         * if we support it, otherwise we'll have to stop
         * asking for CHAP.
         *
         * (failed ppp-2.3.10-openssl-norc4-mppe.patch manually
         * applied here by R Blauvelt 2000 08 10)
         */
        if (go->chap_mdtype == CHAP_MICROSOFT_V2) {
            try.use_chapms_v2 = 0;
            if (try.use_chapms)
                try.chap_mdtype = CHAP_MICROSOFT;
            else if (try.use_digest)
                try.chap_mdtype = CHAP_DIGEST_MD5;
            else
                try.neg_chap = 0;
        } else if (go->chap_mdtype == CHAP_MICROSOFT) {
            try.use_chapms = 0;
            if (try.use_digest)
                try.chap_mdtype = CHAP_DIGEST_MD5;
            else
                try.neg_chap = 0;
        } else if (go->chap_mdtype == CHAP_DIGEST_MD5) {
            try.use_digest = 0;
            try.neg_chap = 0;
        } else
            try.neg_chap = 0;
        if ((cichar != CHAP_MICROSOFT_V2) && (cichar != CHAP_MICROSOFT)
            && (cichar != CHAP_DIGEST_MD5))
            try.neg_chap = 0;
    } else {

====== End "New Stuff" ========================================================

Immediately after this, there is an instruction to "Comment out or delete the reference to rc4_skey.c in [...]/ppp_mppe.c". This DID NOT work for me, and produced an "unresolved symbol RC4_set_key" error message when I later tried to [insmod ppp_mppe], which prevented the ppp_mppe module from loading, which then did not allow the microsoft encryption to work from windows 98se (failed with an error 742 when trying to connect through VPN). When I put the rc4_skey.c reference back into ppp_mppe.c and re-did the steps from there, then everything worked well.

As per Tom Eastep's suggestion from 01 August 2000, I also had to do the following for the [make modules SUBDIRS=drivers/net] to not complain that PPP_MAGIC and PPP_VERSION were undeclared:

>Edit /usr/src/linux/include/linux/if_ppp.h and add the following:
>
>#define PPP_MAGIC 0x5002
>#define PPP_VERSION "2.3.11"
>
>The second of course depends on your ppp version...

One final note: The "5.0 Windows Client Setup" indicates in step 12 to check "require encrypted password". To ensure that encryption is used, however, I believe that the client should also check "require data encryption".

Thanks to all the previous posters, I was able to piece this together.
As a [former] lurker, I hope that this can help some of the other lurkers who are subscribed to the list.

Thanks,

Richard Blauvelt
richard at blauvelt.com

At 01:29 PM 8/4/00, Daniell Freed wrote:
>I followed your HOW-TO, and I found an error that you may want to correct
>
>In the section of the document where you say to download SSLeay-0.6.6b you should say to download SSLeay-0.9.0b since that is what your later instructions tell you to use (and 0.6.6b doesn't contain a couple of files you say we need to copy to the kernel directory).
>
>Also, you do not need to add the NULL parameter in ppp.c for kill_fasync. If you do, it won't compile (too many parameters), it works fine without this added.
>
>That was it. Thanks for the updated HOW-TO. I never had been able to get ppp-2.3.10 working with pptp and MSCHAP before this.
>
>If you get time, you should add a section on setting up and running the pptp linux client. I'm sure there are those that would greatly appreciate it.
>
>
>
>tfasko at cyberacc.com wrote:
>--
>Daniell Freed
>Computer Services
>Dewitt, Ross, & Stevens S.C.
>
>He who fights with monsters might take care
>lest he thereby become a monster.
>And if you gaze for long into an abyss,
>the abyss gazes also into you.
>
>Beyond Good and Evil
>Friedrich Wilhelm Nietzsche
>

From aaa at netman.dk Fri Aug 11 02:07:29 2000
From: aaa at netman.dk (Alaa Al Amood)
Date: Fri, 11 Aug 2000 09:07:29 +0200
Subject: [pptp-server] win98
Message-ID: <3993A631.ED2FE9F2@netman.dk>

Hi

Does anyone know where I can find "Windows 98 Second Edition Dial-Up Networking 128-Bit Security", or can send me an attachment with this file? The location to get this file on the microsoft home page is being disabled, or something is wrong with the link.

regards
Alaa

From palliett at accurcast.com Fri Aug 11 07:32:25 2000
From: palliett at accurcast.com (Peter Alliett)
Date: Fri, 11 Aug 2000 08:32:25 -0400
Subject: [pptp-server] pptp-linux client 1.03 Problem
Message-ID:

I am trying to connect to my Linux poptop server from a linux workstation (Mandrake 7.1 with pptp-linux 1.03) but I can't seem to figure out the command line options. On my poptop server I have a chap-secrets file that has the following in it.

user1 server1 password *

I have the same thing on my linux workstation. I then dialup to my ISP and issue the following at the console

pptp server1 debug name user1 user1 server1

It returns back to the console with no errors but I can't ping anything. Thus I assume something is not right somewhere. I can get it to work in Windows, but I would like to get it working in Linux as well.

Thanks,
Peter

From MSmith at webtonetech.com Fri Aug 11 07:57:52 2000
From: MSmith at webtonetech.com (Michael Smith)
Date: Fri, 11 Aug 2000 08:57:52 -0400
Subject: FW: [pptp-server] Kernel 2.2.16-12 and inability to get PPTP work ing
Message-ID: <0124736A07E0D311A7FA00A0C9DCE5567655A3@pantera.webtonetech.com>

I am forwarding this to the group for information purposes...... for those of you running the linux beta (pinstripe).

-----Original Message-----
From: Michael Walter [mailto:walterm at Gliatech.com]
Sent: Thursday, August 10, 2000 2:59 PM
To: 'Michael Smith'
Cc: PPTPD User Group (E-mail)
Subject: RE: [pptp-server] Kernel 2.2.16-12 and inability to get PPTP work ing

I worked with this release as well. vpn masq'ing, while indeed being present in the kernel, has not been applied correctly and simply doesn't work. You will still have to download and build your own kernel if you want to masq vpn traffic.

Thanks,

Michael J. Walter mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Michael Smith [mailto:MSmith at webtonetech.com]
Sent: Thursday, August 10, 2000 2:37 PM
To: pptp-server at lists.schulte.org
Cc: 'ale at ale.org'
Subject: [pptp-server] Kernel 2.2.16-12 and inability to get PPTP working

I just put pinstripe (linux beta 7) on a machine because it had both ip_gre and ip_masq_pptp modules compiled into the kernel but I still can't get pptp to work correctly. I have a win2k machine behind my firewall that uses masquerading to connect through the new server to a pptp machine on the net. There is really nothing distinct about the messages in the syslog but here they are:

Aug 9 22:18:44 hercules kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
Aug 9 22:18:44 hercules kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51
Aug 9 22:19:21 hercules kernel: ip_masq_pptp_tcp(): CALL_DISCONNECT_NOTIFY 192.168.1.2 -> XXX.XXX.XXX.XXX CID=0 MCID=EE51

If anyone has successfully used the ip_masq_pptp, I would appreciate some help.

I don't see any packets being sent over GRE via ifconfig -a and I definitely have port 1723 open. I also have the ip address of the pptp server in my hosts.allow. Do ip_gre or ip_masq_pptp take some parameters?

Thanks in advance.

Michael A. Smith
Senior Software Developer

From jmoore at sailnet.com Fri Aug 11 09:14:14 2000
From: jmoore at sailnet.com (James Moore)
Date: Fri, 11 Aug 2000 14:14:14 GMT
Subject: [pptp-server] Help VPN, w/PopTop
Message-ID: <20000811.14141400@merlin.sailnet.com>

I am trying to determine if PopTop will meet my needs. We have two offices that need to be connected together. We are currently using vpnd, which is constantly dying (3 times a day on average). I have vpnd on a firewall at each location. I have 100 users at each location. Only about 30 users at each location use the VPN for a mission critical application. Most of the applications the users are using are Windows NT. We have a Windows NT trust setup between the locations using the vpn connection.

My question is, will PopTop handle this type of traffic! If not should I consider a hardware based solution. (Any recommendations!) Also do I need the PopTop server just on one side and a client on the other side. How reliable is PopTop!!!!???? Will it install on our Linux Firewall (ipchains) box easily? Do I need to use the chap secrets file for every user, or just for one user that establishes the connection, then let Windows NT do the authentication after that?

Any suggestions would be highly appreciated.

Thanx,

Jay Moore
www.sailnet.com

From adam at morrison-ind.com Fri Aug 11 07:26:06 2000
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Fri, 11 Aug 2000 08:26:06 -0400
Subject: FW: [pptp-server] Kernel 2.2.16-12 and inability to get PPTP work ing
In-Reply-To: <0124736A07E0D311A7FA00A0C9DCE5567655A3@pantera.webtonetech.com>
References: <0124736A07E0D311A7FA00A0C9DCE5567655A3@pantera.webtonetech.com>
Message-ID: <200008111226.e7BCQ6Y31023@barracuda.morrison.iserv.net>

>I am forwarding this to the group for information purposes...... for those
>of you running the linux beta(pinstripe).

>>I worked with this release as well, vpn masq'ing while indeed being present
>>in the kernel has not been applied correctly and simply doesn't work. You
>>will still have to download and build your own kernel if you want to masq
>>vpn traffic.

Please contact Red Hat if you haven't already done so. Then they can fix it for the final release and save us all from this headache. I've contacted them about other issues and found them very responsive, and this release is looking like it will be a big step forward for enterprise Linux.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

From walterm at Gliatech.com Fri Aug 11 08:56:18 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Fri, 11 Aug 2000 09:56:18 -0400
Subject: [pptp-server] FW: [Bug 15990] New - ip_masq_pptp module broken
Message-ID:

This is a forward of the bugzilla entry for vpn masquerading at Redhat.

Thanks,

Michael J. Walter rhce mcse mcp+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: bugzilla at redhat.com [mailto:bugzilla at redhat.com] Sent: Friday, August 11, 2000 9:58 AM To: harald at redhat.com; walterm at gliatech.com Subject: [Bug 15990] New - ip_masq_pptp module broken http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=15990 --- shadow/15990 Fri Aug 11 09:58:15 2000 +++ shadow/15990.tmp.17070 Fri Aug 11 09:58:15 2000 @@ -0,0 +1,20 @@ +Bug#: 15990 +Product: Red Hat Public Beta +Version: pinstripe +Platform: i386 +OS/Version: Linux +Status: NEW +Resolution: +Severity: normal +Priority: normal +Component: firewall-config +AssignedTo: harald at redhat.com +ReportedBy: walterm at gliatech.com +URL: +Summary: ip_masq_pptp module broken + +The ip_masq_pptp module built into the latest beta does not masquerade +traffic to vpn servers. It reports masq and demasq entries +in /var/log/messages. But does not allow communications correctly with +the vpn server. The same configuration vuilt into kernel 2.2.16 works +flawlessly. Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. From cliles at gw.total-web.net Fri Aug 11 14:33:35 2000 
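Review bot: the description at the end of the hunk ("The ip_masq_pptp module built into the latest beta ...") names no kernel package version, and the Version field above it only says "pinstripe"; the assignee cannot tell which build is broken from this. Add the exact kernel package version and paste a few of the masq/demasq entries from /var/log/messages the report says appear, so the failure can be reproduced against the 2.2.16 configuration the report says works. Also, "vuilt" in the last line of the description should read "built".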
From: cliles at gw.total-web.net (Chris)
Date: Fri, 11 Aug 2000 12:33:35 -0700
Subject: [pptp-server] 619 Error
Message-ID: <002101c003cb$0b622640$0200a8c0@jojostomp.net>

Alright guys, the kernel is patched to allow vpn masqing, everything was compiled into the kernel rather than in modules so I know that those options are working. Basically what is still happening is that the client connects and authenticates with ppp but the pptp can't do something so it crashes. I still get a 619 error, and pptp says

CTRL: PTY or GRE write failed (pty,gre) =(5,6)
CTRL: Client 192.168.0.2 control connection finished

and PPP says that I authenticate with mschap-v2 but then it says:

LCP terminated by peer (#sBN@^@BM-f)
Connection terminated.

All I want to do is connect to the vpn server so I can access my home lan away from home. I am trying to connect to the vpn server from a win2000 box behind a linux masqing box that is also running poptop.

Thanks,
Chris Liles

From gr1ms4q at home.com Fri Aug 11 11:41:14 2000
From: gr1ms4q at home.com (Mr. Grim)
Date: Fri, 11 Aug 2000 11:41:14 -0500
Subject: [pptp-server] IPX and network addresses
Message-ID: <20000811164057.KNDI26266.mail.rdc1.tn.home.com@ci410067-a>

I have been able to succeed in creating a stable IPX connection with poptop with any amount of connections, but I don't like the requirement of a separate network address for each connection. I am trying to setup a private network where people can connect and play any game that uses IPX at any time, but unfortunately that "any game" part won't work unless I can figure out a way to give each connection the same network address. Is there any way I can do this? Do the development kernels support this, or is there a patch for any of the current kernels? Or is there somebody who knows the kernel's IPX code well enough that could guide me on how to recode the kernel to allow it, and possibly pppd, poptop, and the ipx tools?

Any help would be appreciated.

Thank you,
Mr. Grim

From bjo at priMISsystems.com Fri Aug 11 13:21:17 2000
From: bjo at priMISsystems.com (Bruce J Oblander)
Date: Fri, 11 Aug 2000 11:21:17 -0700
Subject: [pptp-server] funky passwords causing
Message-ID:

Please forgive me if this is covered but I don't recall seeing this anywhere in the docs. I *just* got PPTP working with the mppe patch and the VPN masquerade patch and was still getting the following errors with one login account:

GRE: read(fd=5, buffer=804d7c0,len=8196) from PTY failed: status = -1 error=Input/output error
CTRL: PTY read or GRE write failed (pty,gre)=(5,6)

or I might see:

CTRL: error with select(), quitting

diagnosis: the account password had a '#' in it (e.g. c#isajoke) and removing it fixed the problem

From csa998360 at ait.ac.th Fri Aug 11 15:52:07 2000
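An added example, not from the thread or from pppd itself: a Python model of how a chap-secrets line is split into words, together with a lint that flags the failure Bruce describes. The model assumes that an unquoted '#' starts a comment (which would cut the secret "c#isajoke" down to "c" and explain the authentication failure) and that double quotes keep such characters inside one word; both are assumptions to confirm against the pppd(8) man page for your version. The sample file is constructed.

```python
# Constructed sample secrets file (not from the thread); line 2 is the shape
# Bruce reported, line 3 shows the same secret double-quoted.
SAMPLE_SECRETS = """\
# client   server   secret        IP addresses
vpn        *        c#isajoke     *
vpn2       *        "c#isajoke"   *
user1      server1  password      *
"""

TRUNCATION_MSG = "unquoted '#' inside the secret truncates it at the '#'"
SHORT_MSG = "fewer than three fields survive parsing (server or secret missing)"


def split_words(line):
    """Split one secrets-file line into words.

    Model assumed here (check pppd(8) for your version): whitespace separates
    words, an unquoted '#' begins a comment that runs to end of line, and
    double quotes group characters, '#' and spaces included, into one word."""
    words, cur, quoted, in_word = [], [], False, False
    i = 0
    while i < len(line):
        c = line[i]
        if quoted:
            if c == '"':
                quoted = False
            elif c == "\\" and i + 1 < len(line):
                i += 1          # backslash escapes the next character
                cur.append(line[i])
            else:
                cur.append(c)
        elif c == '"':
            quoted, in_word = True, True
        elif c == "#":
            break               # comment: the rest of the line is discarded
        elif c.isspace():
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(c)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))   # a word cut short by '#' ends up here
    return words


def parse_secrets(text):
    """Return one dict per usable entry: client, server, secret, addresses."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = split_words(line)
        if len(words) < 3:
            continue            # blank, comment-only or incomplete line
        entries.append({"line": lineno, "client": words[0], "server": words[1],
                        "secret": words[2], "addrs": words[3:]})
    return entries


def lint_secrets(text):
    """Flag lines whose secret would not survive parsing as the admin typed it:
    a '#' glued to an unquoted word, or a line left with under three fields."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = split_words(line)
        if 0 < len(words) < 3:
            problems.append((lineno, SHORT_MSG))
        quoted = False
        for i, c in enumerate(line):
            if c == '"':
                quoted = not quoted
            elif c == "#" and not quoted:
                if i > 0 and not line[i - 1].isspace():
                    problems.append((lineno, TRUNCATION_MSG))
                break           # whatever follows is comment either way
    return problems


if __name__ == "__main__":
    for e in parse_secrets(SAMPLE_SECRETS):
        print(f"line {e['line']}: client={e['client']!r} secret={e['secret']!r}")
    for lineno, msg in lint_secrets(SAMPLE_SECRETS):
        print(f"line {lineno}: {msg}")
```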
From: csa998360 at ait.ac.th (Piti Cherntanomwong)
Date: Sat, 12 Aug 2000 03:52:07 +0700
Subject: [pptp-server] PPtP Client prob
Message-ID: <200008120352.AA135266574@student.ait.ac.th>

Dear,
I use pptp-linux for client and when I connect to my vpn server, pptpd. Assume 1.2.3.4 to be my server. There are some errors

warn[open_unixsock:pptp_callmgr.c:308]: Call manager for 1.2.3.4 is already running.
fatal[callmgr_main:pptp_callmgr.c:124]: Could not open unix socket for 1.2.3.4
fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256

What's wrong?

Thank you very much

Can

From larrydog at coqui.net Fri Aug 11 15:51:24 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Fri, 11 Aug 2000 16:51:24 -0400
Subject: [pptp-server] pptpd.log
Message-ID: <3994674C.B2381353@coqui.net>

Hello:

Sometimes my pptp setup starts spewing this onto the pptpd.log and the only way to recover is to reboot the system. This only happens sometimes. Can anyone decipher this?

Thanks.
LR

Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence

From dayton at overx.com Fri Aug 11 18:29:58 2000
From: dayton at overx.com (Soren Dayton)
Date: 11 Aug 2000 18:29:58 -0500
Subject: [pptp-server] encryption not working
Message-ID: <86u2crtlzd.fsf@everest.overx.com>

Hi,

I'm running linux 2.2.14-5.0smp (Redhat 6.2). I got the pptpd 1.0.0-1 rpm. I got the ppp 2.3.11 mppe compression stuff. My /etc/ppp/options file looks like

  debug
  name everest
  auth
  require-chap
  proxyarp
  +chap
  +chapms
  +chapms-v2
  mppe-40
  mppe-128
  mppe-stateless

The client is win2k. When I don't require encryption, everything works great:

  Aug 11 18:09:26 everest pptpd[3548]: GRE: Discarding duplicate packet
  Aug 11 18:09:28 everest pptpd[3548]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
  Aug 11 18:09:29 everest kernel: PPP MPPE compression module registered
  Aug 11 18:09:29 everest kernel: PPP Deflate Compression module registered
  Aug 11 18:09:29 everest pppd[3549]: MSCHAP-v2 peer authentication succeeded for billy
  Aug 11 18:09:29 everest pppd[3549]: found interface eth0 for proxy arp
  Aug 11 18:09:29 everest pppd[3549]: local IP address 63.93.29.81
  Aug 11 18:09:29 everest pppd[3549]: remote IP address 63.93.29.81

When I do require encryption, it says that encryption is not supported. This is what happens:

  Aug 11 18:21:15 everest pptpd[3608]: CTRL: Client 63.93.29.16 control connection started
  Aug 11 18:21:15 everest pptpd[3608]: CTRL: Starting call (launching pppd, opening GRE)
  Aug 11 18:21:15 everest pppd[3609]: pppd 2.3.11 started by root, uid 0
  Aug 11 18:21:15 everest pppd[3609]: Using interface ppp0
  Aug 11 18:21:15 everest pppd[3609]: Connect: ppp0 <--> /dev/pts/2
  Aug 11 18:21:15 everest pptpd[3608]: GRE: Discarding duplicate packet
  Aug 11 18:21:17 everest pptpd[3608]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
  Aug 11 18:21:17 everest kernel: PPP Deflate Compression module registered
  Aug 11 18:21:17 everest pppd[3609]: MSCHAP-v2 peer authentication succeeded for billy
  Aug 11 18:21:17 everest pptpd[3608]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
  Aug 11 18:21:17 everest pppd[3609]: LCP terminated by peer (|M-2^Wp^@

Message-ID:

That means the Linux client didn't clean up after itself from a previous run. Before running the client, ensure that there are no files in /var/run/pptp. Do a

  rm -f /var/run/pptp/*

then run the client again.

Phil

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Piti Cherntanomwong
> Sent: Friday, August 11, 2000 2:52 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] PPtP Client prob
>
> Dear,
> I use pptp-linux for client and when I connect to my vpn
> server, pptpd. Assume 1.2.3.4 to be my server. There are some error
>
> warn[open_unixsock:pptp_callmgr.c:308]: Call manager for 1.2.3.4 is already running.
> fatal[callmgr_main:pptp_callmgr.c:124]: Could not open unix socket for 1.2.3.4
> fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256
>
> What's wrong?
>
> Thank you very much
>
> Can
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From htodd at twofifty.com Sat Aug 12 10:14:37 2000
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Sat, 12 Aug 2000 08:14:37 -0700 (PDT)
Subject: [pptp-server] pptpd.log
In-Reply-To: <3994674C.B2381353@coqui.net>
Message-ID:

I joined this list to report exactly the same problem. I'm using kernel-2.2.16-3, ppp-2.3.11-4, pptpd-1.0.0-1, and the mppe patches. It also occurred with the previous kernel. The messages spew out at several per second and can grow my logs to hundreds of megabytes by the time I see it (like overnight).

On Fri, 11 Aug 2000, Larry Rivera wrote:

> Hello:
> Some times my pptp setup starts spewing this onto the pptpd.log and the
> only way to recover is to reboot the system. This only happens
> sometimes. Can anyone decipher this?
> Thanks.
> LR
>
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.

Hisashi T Fujinaka - htodd at twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte

From georgec at dyb.com Sun Aug 13 01:21:36 2000
From: georgec at dyb.com (george csahanin)
Date: Sun, 13 Aug 2000 01:21:36 -0500
Subject: [pptp-server] Source of VPN patched kernel from LRP
Message-ID: <002801c004ee$bc1b30c0$0300a8c0@bdfrd1.tx.home.com>

Also has the patch itself for 2.2.15, many modules, and a kernel, etc. Could be a valuable tool, judging by many of the messages.

-George C

http://lrp.steinkuehler.net/kernel/2.2.16%2d1%2dVPNMasq/

From larrydog at coqui.net Mon Aug 14 06:06:08 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Mon, 14 Aug 2000 07:06:08 -0400
Subject: [pptp-server] pptp vpn and masquerading
References: <31361954B2ADD2118B0900A0C90AFC3E05DC19@defiant.dsl.gtei.net>
Message-ID: <3997D2A0.9DF64968@coqui.net>

Thanks Steve and Gord. Another one bites the dust! After setting up my ipchains rules per your instructions, it all worked fine.

LR

"Cowles, Steve" wrote:
>
> > -----Original Message-----
> > From: Larry Rivera [mailto:larrydog at coqui.net]
> > Sent: Thursday, August 10, 2000 9:33 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] pptp vpn and masquerading
> >
> > Hello:
> >
> > I have a dedicated connection to the internet using a linux server
> > running kernel version 2.2.13. This server also is a member
> > of a private lan in the normal firewall setup that is prevalent
> > these days.
> >
> > I have successfully configured the joining of two remote
> > locations via pptp tunnels and these have their own subnet
> > assigned. My problem is that since I had to turn off
> > masquerading in the kernel config (because my incoming
> > connections were being masqueraded as the server's ethernet
> > ip address, creating problems for printing, etc.), now my
> > outgoing clients cannot access the internet as before from
> > behind this server (these clients have private ip numbers).
> > I HAVE read all of the documentation out there but am still
> > unsure of several issues.
> > Is it possible to have the following setup?:
> >
> > 1. Masquerade outgoing connections for internet browsing from
> >    a private network behind the firewall.
> > 2. DO NOT masquerade incoming pptp connections so that remote machines
> >    can access the applications server with their ip address intact.
>
> Yes. The order that you enter your ipchains rules is critical in this case.
>
> 1) Specify the non-masq networks first
> 2) Specify the private networks last (MASQ)
>
> Example: My private network is 192.168.9.0/24 and the remote network (VPN) is
> 192.168.1.0/24. Notice the order that the rules are listed in the forward
> chain (see below). Packets destined for the remote network (192.168.1.0/24)
> are processed "first", then the MASQ'd rule for 192.168.9.0/24, and then DENY
> all others.
>
> firewall: root # ipchains -L forward -n
> Chain forward (policy REJECT):
> target     prot opt     source                destination           ports
> ACCEPT     all  ------  0.0.0.0/0             192.168.1.0/24        n/a
> ACCEPT     all  ------  192.168.1.0/24        0.0.0.0/0             n/a
> MASQ       all  ------  192.168.9.0/24        0.0.0.0/0             n/a
> DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             n/a
>
> Using the above rules, I am able to MASQ my internal network for internet
> access and also communicate with the remote LAN across the VPN. Hopefully
> the above will give you a good starting point to add the appropriate ipchains
> rules at your end. BTW: Don't forget about the other end of the tunnel.
>
> Steve Cowles
>
> > Has anyone seen a setup like this?
> > Thanks
> > LR

From larrydog at coqui.net Mon Aug 14 09:12:51 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Mon, 14 Aug 2000 10:12:51 -0400
Subject: [pptp-server] pptp and routing multiple connections
Message-ID: <3997FE63.9A8148F3@coqui.net>

Hello:

I have been working on routing multiple pptp connections and would like to share my solution and see if anyone has a better option:

Problem: When implementing multiple pptp tunnels we all know that the pptpd daemon dynamically assigns ip addresses according to what is established in /etc/pptpd.conf, i.e.

/etc/pptpd.conf

  speed 115200
  option /etc/ppp/options.pptpd
  localip X.X.10.201-210      (needed for multiple connections)
  remoteip X.X.10.211-220

Other parameters are established in the options.pptpd file:

/etc/ppp/options.pptpd

  lock
  #debug
  name federal2
  auth
  require-chap
  -proxyarp                   (needed for full routing)

I have two subnets X.X.5.0 and X.X.6.0 which must establish their routes when connecting. The only problem is that since these are virtual connections there is no parameter in /etc/ppp/ip-up & ip-down that will properly route the connections so that each subnet is routed correctly. (Example: the ppp* interface ($5 variable) will raise according to what pptpd determines), therefore there is no way I can say ppp1 will be for X.X.5.0 and ppp2 will be for X.X.6.0. Since these are not serial connections I cannot use ttyS* ($2 variable) to set these routes. Similarly, the variables that set the remote address cannot be used because pptpd will change this according to need.

The following code will at least set the routes according to the name sent to the system when chap authentication occurs.
### /etc/ppp/ip-up

  #!/bin/sh
  # pppd calls ip-up with: $1 interface, $2 tty, $3 speed, $4 local IP, $5 remote IP, $6 ipparam
  LOG=/usr/local/log/pptpd.log

  ### Caguas
  # peer "fed5" has just authenticated: route its subnet via this tunnel's remote address
  if tail -n 10 "$LOG" | grep -q fed5; then
      /sbin/route add -net X.X.6.0 netmask 255.255.255.0 gw "$5"
  fi

  ##### Ponce
  if tail -n 10 "$LOG" | grep -q fed4; then
      /sbin/route add -net X.X.5.0 netmask 255.255.255.0 gw "$5"
  fi

On multiple pptp connections this will ensure that anytime "fed4" or "fed5" connect, the system will set the proper route to that subnet.

Any comments?
LR

From leif at l3system.net Mon Aug 14 09:37:38 2000
From: leif at l3system.net (Leif Larsson)
Date: Mon, 14 Aug 2000 16:37:38 +0200
Subject: [pptp-server] pptp and routing multiple connections
References: <3997FE63.9A8148F3@coqui.net>
Message-ID: <39980432.E37C73D3@l3system.net>

We too have two subnets and need different IPs. My solution was to modify "chap-secrets". Depending on who is calling (who is authenticating, really) you get a preassigned IP address.

The "local-ip" entry in options.pptpd is not so important, as the server is routing traffic anyway. The IP addresses in the chap-secrets file must conform to some of the subnets, else the server won't be able to proxyarp.

Just my 2 cents..

Leif

Larry Rivera wrote:
>
> Hello:
>
> I have been working on routing multiple pptp connections and would like
> to share my solution and see if anyone has a better option:
> Problem: When implementing multiple pptp tunnels we all know that the
> pptpd daemon dynamically assigns ip addresses according to what is
> established in /etc/pptpd.conf, i.e.
>
> /etc/pptpd.conf
>
> speed 115200
> option /etc/ppp/options.pptpd
> localip X.X.10.201-210 (needed for multiple connections)
> remoteip X.X.10.211-220
>
> Other parameters are established in the options.pptpd file:
> /etc/ppp/options.pptpd
>
> lock
> #debug
> name federal2
> auth
> require-chap
> -proxyarp (needed for full routing)
>
> I have two subnets X.X.5.0 and X.X.6.0 which must establish their routes
> when connecting. The only problem is that since these are virtual
> connections there is no parameter in /etc/ppp/ip-up & ip-down that will
> properly route the connections so that each subnet is routed correctly.

--
________________
L3 System
www.l3system.net
----------------
PGP key fingerprint = 11 81 96 E6 F0 91 ED 4D 13 82 44 99 99 DB AE 8B

From cliles at gw.total-web.net Mon Aug 14 12:50:10 2000
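Larry's ip-up above keys the route on a grep of the last ten pptpd.log lines, and Leif's reply keys it on a per-peer IP pinned in chap-secrets. Both are proxies for the same fact: which authenticated peer just came up. The script below is an added example, not code from either poster or from the pptpd project, showing an ip-up that asks pppd for that fact directly and refuses to add a route for any peer not on an explicit list. It assumes pppd exports the authenticated peer name in the PEERNAME environment variable (current pppd does; whether the 2.3.11 on this page did is not confirmed here), reuses the peer names "fed4" and "fed5" from Larry's post, and substitutes the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 for his X.X.5.0 and X.X.6.0 networks. The same file serves as ip-down through a symlink, so routes are removed when the tunnel drops.

```python
#!/usr/bin/env python3
"""Hypothetical /etc/ppp/ip-up (and, via a symlink named ip-down, ip-down)
that routes a remote subnet by the *authenticated* peer name.

pppd invokes it as:   ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
and exports the authenticated peer name as PEERNAME (assumed here; true of
current pppd, not verified for 2.3.11).  No log grepping is involved.
"""
import ipaddress
import os
import subprocess
import sys

# Constructed allow-list: authenticated peer -> subnet behind that peer.
# Documentation prefixes stand in for X.X.5.0/24 (Ponce) and X.X.6.0/24 (Caguas).
PEER_SUBNETS = {
    "fed4": "192.0.2.0/24",
    "fed5": "198.51.100.0/24",
}


def route_args(action, peername, remote_ip, table=PEER_SUBNETS):
    """Build the /sbin/route argv for this peer, or None if the peer has no
    entry (nothing is routed for unknown peers).  action is "add" for ip-up
    and "del" for ip-down.  A REMOTE-IP that is not an IPv4 literal raises
    ValueError rather than being spliced into a command line."""
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    gateway = ipaddress.IPv4Address(remote_ip)      # validates the pppd-supplied address
    subnet = table.get(peername)
    if subnet is None:
        return None
    net = ipaddress.IPv4Network(subnet)
    return ["/sbin/route", action, "-net", str(net.network_address),
            "netmask", str(net.netmask), "gw", str(gateway)]


def main(argv, environ):
    # One script for both hooks: the name pppd ran us under decides add vs del.
    action = "del" if os.path.basename(argv[0]).endswith("ip-down") else "add"
    if len(argv) < 6:
        return 2                                    # not called the way pppd calls ip-up
    args = route_args(action, environ.get("PEERNAME", ""), argv[5])
    if args is None:
        return 0                                    # unknown peer: leave the routing table alone
    return subprocess.call(args)


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

Install it as /etc/ppp/ip-up with a symlink /etc/ppp/ip-down pointing at it; pppd's existing per-tunnel remote address (argv[5]) is the gateway, so the dynamic remoteip range in pptpd.conf can stay as it is.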
From: cliles at gw.total-web.net (Chris)
Date: Mon, 14 Aug 2000 10:50:10 -0700
Subject: Fw: [pptp-server] 619 Error
Message-ID: <001901c00618$182566e0$0200a8c0@jojostomp.net>

Alright guys, the kernel is patched to allow vpn masqing, everything was compiled into the kernel rather than in modules so I know that those options are working. Basically what is still happening is that the client connects and authenticates with ppp but the pptp can't do something so it crashes. I still get a 619 error, and pptp says

  CTRL: PTY or GRE write failed (pty,gre)=(5,6)
  CTRL: Client 192.168.0.2 control connection finished

and PPP says that I authenticate with mschap-v2 but then it says:

  LCP terminated by peer (#sBN@^@BM-f)
  Connection terminated.

All I want to do is connect to the vpn server so I can access my home lan away from home. I am trying to connect to the vpn server from a win2000 box behind a linux masqing box that is also running poptop.

Thanks,
Chris Liles

From walterm at Gliatech.com Mon Aug 14 10:05:51 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Mon, 14 Aug 2000 11:05:51 -0400
Subject: [pptp-server] 619 Error
Message-ID:

make sure that you allow the gre protocol on your masq'ing box.

  ipchains -A input -p 47 -j ACCEPT
  ipchains -A output -p 47 -j ACCEPT

Thanks,
Michael J. Walter  rhce mcse mcp+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Chris [mailto:cliles at gw.total-web.net]
Sent: Monday, August 14, 2000 1:50 PM
To: pptp-server at lists.schulte.org
Subject: Fw: [pptp-server] 619 Error

From cliles at gw.total-web.net Mon Aug 14 13:41:02 2000
From: cliles at gw.total-web.net (Chris)
Date: Mon, 14 Aug 2000 11:41:02 -0700
Subject: [pptp-server] 619 Error
References:
Message-ID: <003301c0061f$327f4bd0$0200a8c0@jojostomp.net>

I've got

  ipchains -A input -p tcp -d externalipaddress 1723 -j ACCEPT
  ipchains -A input -p 47 -d externalipaddress -j ACCEPT
  ipchains -A output -p tcp -s 0.0.0.0/0 1723 -j ACCEPT
  ipchains -A output -p 47 -s 0.0.0.0/0 -j ACCEPT

to allow the traffic and I've got

  ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
  ipchains -A forward -p 47 -s 192.168.0.0/24 -j MASQ

to masq the traffic. I might have something wrong with my firewalling as I have no clue what the above masqing stuff does.

----- Original Message -----
From: Michael Walter
To: 'Chris'
Cc: PPTPD User Group (E-mail)
Sent: Monday, August 14, 2000 8:05 AM
Subject: RE: [pptp-server] 619 Error

From walterm at Gliatech.com Mon Aug 14 11:03:20 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Mon, 14 Aug 2000 12:03:20 -0400
Subject: [pptp-server] 619 Error
Message-ID:

try this (from memory):

  # ENABLE IP FORWARDING
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # SET THE DEFAULT POLICIES
  ipchains -P input DENY
  ipchains -P output DENY
  ipchains -P forward DENY

  # ALLOW GRE TRAFFIC
  ipchains -A input -p 47 -j ACCEPT
  ipchains -A output -p 47 -j ACCEPT

  # ALLOW TRAFFIC TO AND FROM THE DYNAMIC PORTS ON THE EXTERNAL INTERFACE
  ipchains -A input -d externalipaddress 49152:65535 -j ACCEPT
  ipchains -A output -d externalipaddress 49152:65535 -j ACCEPT

  # ALLOW ALL INTERNAL TRAFFIC
  ipchains -A input -s 192.168.0.0/24 -j ACCEPT
  ipchains -A output -d 192.168.0.0/24 -j ACCEPT

  # MASQ ANY TRAFFIC FROM THE INTERNAL NETWORK TO THE INTERNET
  ipchains -A forward -s 192.168.0.0/24 -j MASQ

I don't think you need to do anything with syn cookies because there are no connections coming back, but I could be wrong. This allows all gre traffic, all internal-internal traffic, masq's internal-external, and external-internal traffic that comes in on the dynamically assigned ip ports.

Thanks,
Michael J. Walter

-----Original Message-----
From: Chris [mailto:cliles at gw.total-web.net]
Sent: Monday, August 14, 2000 2:41 PM
To: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] 619 Error

From etienne at home.com Mon Aug 14 11:10:42 2000
From: etienne at home.com (Etienne Lau)
Date: Mon, 14 Aug 2000 09:10:42 -0700
Subject: [pptp-server] Error
Message-ID: <001601c0060a$3252ca20$0501a8c0@etolivia.com>

I am getting an error 650 when trying to connect via my WIN98 machine to the Linux Box. Any ideas.

From larrydog at coqui.net Mon Aug 14 11:20:48 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Mon, 14 Aug 2000 12:20:48 -0400
Subject: [pptp-server] pptp and routing multiple connections
References: <3997FE63.9A8148F3@coqui.net> <39980432.E37C73D3@l3system.net>
Message-ID: <39981C60.8BE50AFF@coqui.net>

Hello Leif:

The only problem with that is that someone at pptp server told me that you should not ask for ip addresses, rather that you should allow the pptpd daemon to assign all ip's dynamically in order for it to work properly. Also, please note that I am NOT asking for proxyarp, rather turning it off with the -proxyarp option. Reason being that we need full routing throughout and proxyarp will assign the same ip address to all incoming connections. (correct me if I'm wrong please)

LR

Leif Larsson wrote:
> We too have two subnets and need different IPs. My solution
> was to modify "chap-secrets". Depending on who is calling
> (who is authenticating really) you get a preassigned IP address.
>
> The "local-ip" entry in options.pptpd is not so important, as
> the server is routing traffic anyway.
> The IP addresses in the chap-secrets file must conform to some
> of the subnets, else the server won't be able to proxyarp.
>
> Just my 2 cents..
>
> Leif

From cliles at gw.total-web.net Mon Aug 14 14:55:40 2000
From: cliles at gw.total-web.net (Chris)
Date: Mon, 14 Aug 2000 12:55:40 -0700
Subject: [pptp-server] 619 Error
References:
Message-ID: <003701c00629$9f8e9000$0200a8c0@jojostomp.net>

ok so I do that and I still get error 619, but in my var/log/messages pptp says:

  GRE: read(fd=5,buffer=804d7c0,len=8196) from PTY failed: status = -1 error = Input/output error

and then

  CTRL: PTY read or GRE write failed (pty, gre)=(5,6)
  CTRL: Client 192.168.0.2 control connection finished

----- Original Message -----
From: Michael Walter
To: 'Chris'
Cc: PPTPD User Group (E-mail)
Sent: Monday, August 14, 2000 9:03 AM
Subject: RE: [pptp-server] 619 Error

From gord at amador.ca Mon Aug 14 12:33:21 2000
From: gord at amador.ca (Gord Belsey)
Date: Mon, 14 Aug 2000 11:33:21 -0600
Subject: [pptp-server] 619 Error
References: <003701c00629$9f8e9000$0200a8c0@jojostomp.net>
Message-ID: <075d01c00615$bec53910$280111ac@amadorinc.com>

hmmm..... with a default policy of DENY, I think you need to add:

  ipchains -A forward -p 47 -j ACCEPT

hope this is useful

Gord Belsey

----- Original Message -----
From: Chris
To: pptp-server at lists.schulte.org
Sent: Monday, August 14, 2000 1:55 PM
Subject: Re: [pptp-server] 619 Error
From: Michael Walter To: 'Chris' Cc: PPTPD User Group (E-mail) Sent: Monday, August 14, 2000 9:03 AM Subject: RE: [pptp-server] 619 Error try this(from memory): # ENABLE IP FORWARDING echo 1 > /proc/sys/net/ipv4/ip_forward # SET THE DEFAULT POLICIES ipchains -P input DENY ipchains -P output DENY ipchains -P forward DENY # ALLOW GRE TRAFFIC ipchains -A input -p 47 -j ACCEPT ipchains -A output -p 47 -j ACCEPT # ALLOW TRAFFIC TO AND FROM THE DYNAMIC PORTS ON THE EXTERNAL INTERFACE ipchains -A input -d externalipaddress 49152:65535 -j ACCEPT ipchains -A output -d externalipaddress 49152:65535 -j ACCEPT # ALLOW ALL INTERNAL TRAFFIC ipchains -A input -s 192.168.0.0/24 -j ACCEPT ipchains -A output -d 192.168.0.0/24 -j ACCEPT # MASQ ANY TRAFFIC FROM THE INTERNAL NETWORK TO THE INTERNET ipchains -A forward -s 192.168.0.0/24 -j MASQ I don't think you need to do anything with syn cookies because there are no connections coming back, but I could be wrong. This allows all gre traffic, all internal-internal traffic, masq's internal-external, and external-internal traffic that comes in on the dynamically assigned ip ports. Thanks, Michael J. Walter rhce mcse mcp+i a+ Network Administrator Gliatech, Inc. 23420 Commerce Park Rd. Beachwood, Ohio 44122 Tel: (216) 831-3200 Email: walterm at gliatech.com -----Original Message----- 
From: Chris [mailto:cliles at gw.total-web.net]
Sent: Monday, August 14, 2000 2:41 PM
To: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] 619 Error

I've got

ipchains -A input -p tcp -d externalipaddress 1723 -j ACCEPT
ipchains -A input -p 47 -d externalipaddress -j ACCEPT
ipchains -A output -p tcp -s 0.0.0.0/0 1723 -j ACCEPT
ipchains -A output -p 47 -s 0.0.0.0/0 -j ACCEPT

to allow the traffic and I've got

ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p 47 -s 192.168.0.0/24 -j MASQ

to masq the traffic. I might have something wrong with my firewalling as I have no clue what the above masqing stuff does.

----- Original Message -----
From: Michael Walter
To: 'Chris'
Cc: PPTPD User Group (E-mail)
Sent: Monday, August 14, 2000 8:05 AM
Subject: RE: [pptp-server] 619 Error

make sure that you allow the gre protocol on your masq'ing box.

ipchains -A input -p 47 -j ACCEPT
ipchains -A output -p 47 -j ACCEPT

Thanks,

Michael J. Walter
rhce mcse mcp+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Chris [mailto:cliles at gw.total-web.net]
Sent: Monday, August 14, 2000 1:50 PM
To: pptp-server at lists.schulte.org
Subject: Fw: [pptp-server] 619 Error

Alright guys, the kernel is patched to allow vpn masqing, everything was compiled into the kernel rather than in modules so I know that those options are working. Basically what is still happening is that the client connects and authenticates with ppp but the pptp can't do something so it crashes. I still get a 619 error, and pptp says

CTRL: PTY or GRE write failed (pty,gre) =(5,6)
CTRL: Client 192.168.0.2 control connection finished

and PPP says that I authenticate with mschap-v2 but then it says:

LCP terminated by peer (#sBN@^@BM-f)
Connection terminated.

All I want to do is connect to the vpn server so I can access my home lan away from home. I am trying to connect to the vpn server from a win2000 box behind a linux masqing box that is also running poptop.

Thanks,
Chris Liles

From leif at l3system.net Tue Aug 15 01:49:02 2000
From: leif at l3system.net (Leif Larsson)
Date: Tue, 15 Aug 2000 08:49:02 +0200
Subject: [pptp-server] pptp and routing multiple connections
References: <3997FE63.9A8148F3@coqui.net> <39980432.E37C73D3@l3system.net> <39981C60.8BE50AFF@coqui.net>
Message-ID: <3998E7DE.E78780FD@l3system.net>

Hello Larry,

Our setup goes like this:

Two subnets on the inside:
192.168.1.0 (subnet interface has 192.168.1.1)
192.168.2.0 (subnet interface has 192.168.2.1)

If caller A calls, the server chap-secrets file is set up so he gets 192.168.1.50
If caller B calls, the server chap-secrets file is set up so he gets 192.168.2.50

When caller A calls the server gives him 192.168.1.50 and automatically routes traffic to 192.168.1.1 (because of the proxyarp option)

The only problem I see might arise is if some caller calls in 2 times; I haven't tried this yet. If it fails I might have to use your solution. Right now the users are told to hang up when they are ready.

Besides that, the solution works really well (at least for 6-7 dialins).

Leif Larsson

Larry Rivera wrote:
>
> Hello Leif:
> The only problem with that is that someone at pptp server told me that you should not ask for ip addresses, rather that you should allow the pptpd daemon to assign all ip's dynamically in order for it to work properly.
>
> Also, please note that I am NOT asking for proxyarp, rather turning it off with the -proxyarp option. Reason being that we need full routing throughout and proxyarp will assign the same ip address to all incoming connections. (correct me if I'm wrong please)
> LR
>
> Leif Larsson wrote:
>
> > We too have two subnets and need different IP's. My solution was to modify "chap-secrets". Depending on who is calling (who is authenticating really) you get a preassigned IP-address.
> >
> > The "local-ip" entry in options.pptpd is not so important, as the server is routing traffic anyway.
> > The IP-addresses in the chap-secrets file must conform to some of the subnets, else the server won't be able to proxyarp.
> >
> > Just my 2 cents..
> >
> > Leif
> >
> > Larry Rivera wrote:
> > >
> > > Hello:
> > >
> > > I have been working on routing multiple pptp connections and would like to share my solution and see if anyone has a better option:
> > > Problem: When implementing multiple pptp tunnels we all know that the pptpd daemon dynamically assigns ip addresses according to what is established in /etc/pptpd.conf, i.e.
> > >
> > > /etc/pptpd.conf
> > >
> > > speed 115200
> > > option /etc/ppp/options.pptpd
> > > localip X.X.10.201-210 (needed for multiple connections)
> > > remoteip X.X.10.211-220
> > >
> > > Other parameters are established in the options.pptpd file:
> > > /etc/ppp/options.pptpd
> > >
> > > lock
> > > #debug
> > > name federal2
> > > auth
> > > require-chap
> > > -proxyarp (needed for full routing)
> > >
> > > I have two subnets X.X.5.0 and X.X.6.0 which must establish their routes when connecting. The only problem is that since these are virtual connections there is no parameter in /etc/ppp/ip-up & ip-down that will properly route the connections so that each subnet is routed correctly. (Example: the ppp* interface ($5 variable) will raise according to what pptpd determines) therefore there is no way I can say ppp1 will be for X.X.5.0 and ppp2 will be for X.X.6.0. Since these are not serial connections I cannot use ttyS* ($2 variable) to set these routes. Similarly, the variables that set the remote address cannot be used because pptpd will change this according to need.
> > >
> > > The following code will at least set the routes according to the name sent to the system when chap authentication occurs.
> > > ###/etc/ppp/ip-up
> > >
> > > ###Caguas
> > > tail -n 10 /usr/local/log/pptpd.log > /tmp/vpn
> > > result=`grep fed5 /tmp/vpn`
> > > if [ "$result" ]
> > > then
> > > /sbin/route add -net X.X.6.0 netmask 255.255.255.0 gw $5
> > > fi
> > >
> > > #####Ponce
> > > tail -n 10 /usr/local/log/pptpd.log > /tmp/vpn
> > > result=`grep fed4 /tmp/vpn`
> > > if [ "$result" ]
> > > then
> > > /sbin/route add -net X.X.5.0 netmask 255.255.255.0 gw $5
> > > fi
> > >
> > > On multiple pptp connections this will ensure that anytime "fed4" or "fed5" connect, the system will set the proper route to that subnet.
> > >
> > > Any comments?
> > > LR
> > >
> > > _______________________________________________
> > > pptp-server maillist - pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > List services provided by www.schulteconsulting.com!
> >
> > --
> > ________________
> > L3 System
> > www.l3system.net
> > ----------------
> > PGP key fingerprint = 11 81 96 E6 F0 91 ED 4D 13 82 44 99 99 DB AE 8B

--
________________
L3 System
www.l3system.net
----------------
PGP key fingerprint = 11 81 96 E6 F0 91 ED 4D 13 82 44 99 99 DB AE 8B

From walterm at Gliatech.com Tue Aug 15 08:44:33 2000
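The ip-up script Larry Rivera posted in the routing thread above picks the subnet by grepping the last ten lines of pptpd.log for the peer name, which can match a different caller when two tunnels come up at the same time. The following is an added example, not Larry's script or anything from the PoPToP project, that selects the route from the name of the peer that actually authenticated. It assumes a pppd that exports PEERNAME into ip-up's environment (documented for later pppd releases; treat it as an assumption for pppd 2.3.11), and the subnets 10.0.5.0/24 and 10.0.6.0/24 are constructed stand-ins for the thread's X.X.5.0 and X.X.6.0.

```shell
#!/bin/sh
# Added example, not Larry Rivera's script from the thread: an /etc/ppp/ip-up
# fragment that routes by the authenticated peer name instead of by grepping
# pptpd.log. Assumes pppd exports PEERNAME to ip-up (an assumption for 2.3.11).
# Subnets are constructed: 10.0.5.0/24 and 10.0.6.0/24 stand in for X.X.5.0
# and X.X.6.0 in the thread.

# Map an authenticated peer name to the /24 routed behind it.
# Prints the network address; returns 1 for a peer that has no subnet.
subnet_for_peer() {
    case "$1" in
        fed4) echo "10.0.5.0" ;;   # constructed stand-in for X.X.5.0 (Ponce)
        fed5) echo "10.0.6.0" ;;   # constructed stand-in for X.X.6.0 (Caguas)
        *)    return 1 ;;
    esac
}

# Accept only a plain dotted quad, so nothing unexpected from pppd's
# environment or arguments is ever handed to route(8).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build the route command for one ip-up invocation.
#   $1 = authenticated peer name   $2 = remote (peer) address, ip-up's $5
# Prints the command line; returns 1 when no route should be added.
route_cmd_for() {
    peer=$1
    remote=$2
    net=$(subnet_for_peer "$peer") || return 1
    is_ipv4 "$remote" || return 1
    echo "/sbin/route add -net $net netmask 255.255.255.0 gw $remote"
}

# ip-up entry point. pppd invokes ip-up as:
#   ip-up ifname tty speed local-IP remote-IP ipparam
# Set IPUP_DRY_RUN=1 to print the command instead of executing it.
ip_up_main() {
    cmd=$(route_cmd_for "${PEERNAME:-}" "${5:-}") || return 0
    if [ -n "${IPUP_DRY_RUN:-}" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Run only when pppd executes this file as ip-up; sourcing it does nothing.
case "$0" in
    */ip-up|ip-up) ip_up_main "$@" ;;
esac
```

Because the route is keyed on the CHAP-authenticated name rather than on log position, the script adds exactly the subnet that belongs to the caller, refuses to add anything for an unknown peer, and never passes a malformed address to route(8).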
From: walterm at Gliatech.com (Michael Walter)
Date: Tue, 15 Aug 2000 09:44:33 -0400
Subject: [pptp-server] FW: [Bug 15990] Changed - ip_masq_pptp module broken
Message-ID:

Just a little info forwarded from Redhat as to why the ip_masq_pptp module in the beta kernel does not work.

Thanks,

Michael J. Walter
rhce mcse mcp+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: bugzilla at redhat.com [mailto:bugzilla at redhat.com]
Sent: Tuesday, August 15, 2000 9:42 AM
To: harald at redhat.com; walterm at gliatech.com
Subject: [Bug 15990] Changed - ip_masq_pptp module broken

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=15990

--- shadow/15990 Mon Aug 14 11:46:16 2000 +++ shadow/15990.tmp.3343 Tue Aug 15 09:42:16 2000 @@ -21,3 +21,8 @@ ------- Additional comments from pbrown at redhat.com 2000-08-14 11:46 ------- Michael, stinks like a kernel issue. + +------- Additional comments from alan at redhat.com 2000-08-15 09:42 ------- +PPTP masq shouldnt be in our kernel. This is an error. It and the ipvs patch are +mutually exclusive and this is the problem. +

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

From jorr at loudcloud.com Tue Aug 15 14:51:00 2000
From: jorr at loudcloud.com (James Orr)
Date: Tue, 15 Aug 2000 12:51:00 -0700
Subject: [pptp-server] Any known problems on SMP machines
Message-ID: <39999F24.D92A37D6@loudcloud.com>

Currently trying to lock down some instabilities in a poptop installation. The one machine which is a uniprocessor seems to be working properly, however, the 2 multiprocessor machines are flaky. Am I racing down a blind alley?

Thanks,

-Jim

From kenlussier at mediaone.net Tue Aug 15 12:16:17 2000
From: kenlussier at mediaone.net (Kenneth E. Lussier)
Date: Tue, 15 Aug 2000 13:16:17 -0400
Subject: [pptp-server] Any known problems on SMP machines
References: <39999F24.D92A37D6@loudcloud.com>
Message-ID: <39997AE1.8422B76A@mediaone.net>

Funny you should mention this.. I have a Dual proc VA Linux box that has some issues. I get random hard locks on it. It never occurred to me that the poptop code might be the problem...

Kenny

James Orr wrote:
>
> Currently trying to lock down some instabilities in a poptop installation. The one machine which is a uniprocessor seems to be working properly, however, the 2 multiprocessor machines are flaky. Am I racing down a blind alley?
>
> Thanks,
>
> -Jim

From cliles at gw.total-web.net Tue Aug 15 19:38:08 2000
From: cliles at gw.total-web.net (Chris)
Date: Tue, 15 Aug 2000 17:38:08 -0700
Subject: [pptp-server] data encryption
Message-ID: <001401c0071a$40331e90$0200a8c0@jojostomp.net>

Well I got past the 619 error, only to find that encryption is not working. I installed poptop with ppp2.3.11 that was already patched, but I can't figure out how to turn on the encryption. Part of the problem is that all the documentation on the web is old, and there is no way to search the mailing list archives. Besides that I am stuck. I tried installing the modules that are listed in the general poptop howto, but since ppp is compiled into my kernel I don't know if they exist. Or maybe the modules have changed in ppp2.3.11.

Thanks,
Chris

From SK at EMAIL.CH Tue Aug 15 17:03:51 2000
From: SK at EMAIL.CH (Stefan M. Klein)
Date: Wed, 16 Aug 2000 00:03:51 +0200
Subject: [pptp-server] (no subject)
Message-ID: <002701c00704$b77781a0$0302a8c0@hispeed.ch>

hi,

I am trying to make PoPToP work on my OpenBSD 2.7 box (I succeeded under Linux before), however I can't make it work. I get the following messages:

Aug 14 23:20:13 router pppd[18695]: pppd 2.3.5 started by root, uid 0
Aug 14 23:20:13 router pppd[18695]: Connect: ppp0 <--> /dev/ttyp1
Aug 14 23:20:44 router pppd[18695]: LCP: timeout sending Config-Requests
Aug 14 23:20:44 router pppd[18695]: Connection terminated.
Aug 14 23:20:44 router pptpd[21351]: GRE: read(fd=4,buffer=654c,len=8196) from PTY failed: status = 0 error = No error
Aug 14 23:20:44 router pptpd[21351]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)

...and I guess the problem is that I should have ppp 2.3.8, however I can't find a version greater than 2.3.5. Did anyone succeed in this?

From cliles at gw.total-web.net Tue Aug 15 21:39:26 2000
From: cliles at gw.total-web.net (Chris)
Date: Tue, 15 Aug 2000 19:39:26 -0700
Subject: [pptp-server] (no subject)
References: <002701c00704$b77781a0$0302a8c0@hispeed.ch>
Message-ID: <000b01c0072b$3218fb20$0200a8c0@jojostomp.net>

Well I had the same error messages coming from pptp, but I was getting a 619 error from win2000. It turned out that I didn't have encryption turned on in poptop and my client was requiring encryption to connect.

----- Original Message -----
From: Stefan M. Klein
To: pptp-server at lists.schulte.org
Sent: Tuesday, August 15, 2000 3:03 PM
Subject: [pptp-server] (no subject)

hi,

I am trying to make PoPToP work on my OpenBSD 2.7 box (I succeeded under Linux before), however I can't make it work. I get the following messages:

Aug 14 23:20:13 router pppd[18695]: pppd 2.3.5 started by root, uid 0
Aug 14 23:20:13 router pppd[18695]: Connect: ppp0 <--> /dev/ttyp1
Aug 14 23:20:44 router pppd[18695]: LCP: timeout sending Config-Requests
Aug 14 23:20:44 router pppd[18695]: Connection terminated.
Aug 14 23:20:44 router pptpd[21351]: GRE: read(fd=4,buffer=654c,len=8196) from PTY failed: status = 0 error = No error
Aug 14 23:20:44 router pptpd[21351]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)

...and I guess the problem is that I should have ppp 2.3.8, however I can't find a version greater than 2.3.5. Did anyone succeed in this?

From opjose at ex-pressnet.com Wed Aug 16 05:08:53 2000
From: opjose at ex-pressnet.com (Jose M. Sanchez)
Date: Wed, 16 Aug 2000 06:08:53 -0400
Subject: [pptp-server] Any known problems on SMP machines
In-Reply-To: <39999F24.D92A37D6@loudcloud.com>
Message-ID:

No problems whatsoever on an SMP (BX Motherboard) system running Dual P-III 450's.

Uptime: 200 days.

-JMS

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of James Orr
Sent: Tuesday, August 15, 2000 3:51 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Any known problems on SMP machines

Currently trying to lock down some instabilities in a poptop installation. The one machine which is a uniprocessor seems to be working properly, however, the 2 multiprocessor machines are flaky. Am I racing down a blind alley?

Thanks,

-Jim

From jnekl at kc.rr.com Wed Aug 16 09:02:27 2000
From: jnekl at kc.rr.com (Joshua Nekl)
Date: Wed, 16 Aug 2000 09:02:27 -0500
Subject: [pptp-server] Any known problems on SMP machines
References: <39999F24.D92A37D6@loudcloud.com>
Message-ID: <001901c0078a$ace90ed0$0a00fa0a@austin.rr.com>

What kernel are you using?

There are problems on SMP boxes with kernel versions below 2.2.15 or so. Supposedly, kernel 2.2.15 or 2.2.16 works, though I haven't tried it yet (I know 2.2.14 doesn't work).

- Josh

----- Original Message -----
From: "James Orr"
To:
Sent: Tuesday, August 15, 2000 2:51 PM
Subject: [pptp-server] Any known problems on SMP machines

> Currently trying to lock down some instabilities in a poptop installation. The one machine which is a uniprocessor seems to be working properly, however, the 2 multiprocessor machines are flaky. Am I racing down a blind alley?
>
> Thanks,
>
> -Jim
>

From rik at cronyx.ru Wed Aug 16 10:19:29 2000
From: rik at cronyx.ru (Kurakin Roman)
Date: Wed, 16 Aug 2000 19:19:29 +0400
Subject: [pptp-server] RedHat5.9 + pptpd + pppd (with mschap patches)
Message-ID: <399AB101.DDC20D16@cronyx.ru>

Hi,

I have RH 5.9 with kernel 2.2.16, pppd 2.3.11 with mschap patches, pptpd (1.1.1 or 1.0.0). This is all the information about the system that I can give at this moment. If it is not enough I will send additional information.

First problem was with pppd. It tried to get the pty name and then stat it, but failed because the system returned the wrong name (/dev/pts/0rc instead of /dev/pts/0). This was solved by changing stat to fstat.

Second problem:

pptpd[499]: MGR: Launching /usr/local/sbin/pptpctrl to handle client
pptpd[499]: CTRL: local address = 172.16.0.1
pptpd[499]: CTRL: remote address = 172.16.0.2
pptpd[499]: CTRL: pppd speed = 115200
pptpd[499]: CTRL: Client 192.168.0.1 control connection started
pptpd[499]: CTRL: Received PPTP Control Message (type: 1)
pptpd[499]: CTRL: Made a START CTRL CONN RPLY packet
pptpd[499]: CTRL: I wrote 156 bytes to the client.
pptpd[499]: CTRL: Sent packet to client
pptpd[499]: CTRL: Received PPTP Control Message (type: 7)
pptpd[499]: CTRL: 0 min_bps, 0 max_bps, 32 window size
pptpd[499]: CTRL: Made a OUT CALL RPLY packet
pptpd[499]: CTRL: Starting call (launching pppd, opening GRE)
pptpd[499]: CTRL: pty_fd = 4
pptpd[499]: CTRL: tty_fd = 5
pptpd[500]: CTRL (PPPD Launcher): Connection speed = 115200
pptpd[500]: CTRL (PPPD Launcher): local address = 172.16.0.1
pptpd[500]: CTRL (PPPD Launcher): remote address = 172.16.0.2
pptpd[499]: CTRL: I wrote 32 bytes to the client.
pptpd[499]: CTRL: Sent packet to client
kernel: CSLIP: code copyright 1989 Regents of the University of California
kernel: PPP: version 2.3.11 (demand dialling)
kernel: PPP line discipline registered.
kernel: registered device ppp0
pptpd[390]: MGR: Reaped child 499
pptpd[499]: Error reading from pppd: Input/output error
pptpd[499]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)
pptpd[499]: CTRL: Client 192.168.0.1 control connection finished
pptpd[499]: CTRL: Exiting now

I have some ideas about it, but I don't have time to investigate all of them.

Thanks for any help in advance.

Kurakin Roman

From walterm at Gliatech.com Wed Aug 16 09:43:07 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Wed, 16 Aug 2000 10:43:07 -0400
Subject: [pptp-server] Any known problems on SMP machines
Message-ID:

I have SMP and PPTPD working flawlessly on a Dell Poweredge 1300 w/ dual pentium3-500, perc2/sc raid. It was a bit of a pain to get up, but none of the problems were related to smp support.

Thanks,

Michael J. Walter
rhce mcse mcp+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Joshua Nekl [mailto:jnekl at kc.rr.com]
Sent: Wednesday, August 16, 2000 10:02 AM
To: James Orr; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] Any known problems on SMP machines

What kernel are you using?

There are problems on SMP boxes with kernel versions below 2.2.15 or so. Supposedly, kernel 2.2.15 or 2.2.16 works, though I haven't tried it yet (I know 2.2.14 doesn't work).

- Josh

----- Original Message -----
From: "James Orr"
To:
Sent: Tuesday, August 15, 2000 2:51 PM
Subject: [pptp-server] Any known problems on SMP machines

> Currently trying to lock down some instabilities in a poptop installation. The one machine which is a uniprocessor seems to be working properly, however, the 2 multiprocessor machines are flaky. Am I racing down a blind alley?
>
> Thanks,
>
> -Jim
>

From jorr at loudcloud.com Wed Aug 16 12:58:34 2000
From: jorr at loudcloud.com (James Orr)
Date: Wed, 16 Aug 2000 10:58:34 -0700
Subject: [pptp-server] Any known problems on SMP machines
References: <39999F24.D92A37D6@loudcloud.com> <001901c0078a$ace90ed0$0a00fa0a@austin.rr.com>
Message-ID: <399AD64A.9D190A3D@loudcloud.com>

Thanks for the responses. The kernel is the default RH6.2 (2.2.15 I think), and since we put it back on a single CPU, the pptp/ppp apps seem to be more reliable (crossing my fingers). Note, never had a problem with Linux stability, it was the pptp tunnels that were dropping or becoming non-deterministic.

-Jim Orr

Joshua Nekl wrote:
> What kernel are you using?
>
> There are problems on SMP boxes with kernel versions below 2.2.15 or so. Supposedly, kernel 2.2.15 or 2.2.16 works, though I haven't tried it yet (I know 2.2.14 doesn't work).
>
> - Josh
>
> ----- Original Message -----
> From: "James Orr"
> To:
> Sent: Tuesday, August 15, 2000 2:51 PM
> Subject: [pptp-server] Any known problems on SMP machines
>
> > Currently trying to lock down some instabilities in a poptop installation. The one machine which is a uniprocessor seems to be working properly, however, the 2 multiprocessor machines are flaky. Am I racing down a blind alley?
> >
> > Thanks,
> >
> > -Jim
> >

From dayton at overx.com Wed Aug 16 11:58:08 2000
From: dayton at overx.com (Soren Dayton)
Date: 16 Aug 2000 11:58:08 -0500
Subject: [pptp-server] ioctl(PPPIOCGUNIT): Operation not permitted(1)
Message-ID: <86itt1ta73.fsf@everest.overx.com>

Hi,

So I've been trying to get PPTPD working on an SMP redhat 6.2 machine (server side. Client side is windows 2k) with encryption. (although now it fails both with and without encryption)

So I got ppp 2.3.11. Patched it. kernel version 2.3.16. Added the ppp stuff and installed it.

On windows it fails with Error 619. However, this is unrelated to the discussions that have been had here so far (I think) because right now I'm just testing over my lan.

Linux syslog reports:

Aug 15 17:36:18 everest pptpd[1204]: CTRL: Client 63.93.29.16 control connection started
Aug 15 17:36:18 everest pptpd[1204]: CTRL: Starting call (launching pppd, opening GRE)
Aug 15 17:36:18 everest kernel: registered device ppp0
Aug 15 17:36:18 everest pppd[1205]: pppd 2.3.11 started by root, uid 0
Aug 15 17:36:18 everest pppd[1205]: ioctl(PPPIOCGUNIT): Operation not permitted(1)
Aug 15 17:36:18 everest pppd[1205]: tcsetattr: Operation not permitted
Aug 15 17:36:18 everest pppd[1205]: Exit.
Aug 15 17:36:18 everest pptpd[1204]: GRE: read(fd=4,buffer=804d7c0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 15 17:36:18 everest pptpd[1204]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Aug 15 17:36:18 everest pptpd[1204]: CTRL: Client 63.93.29.16 control connection finished
Aug 15 17:36:22 everest pptpd[1207]: CTRL: Client 63.93.29.16 control connection started
Aug 15 17:36:22 everest pptpd[1207]: CTRL: Starting call (launching pppd, opening GRE)
Aug 15 17:36:22 everest pppd[1208]: pppd 2.3.11 started by root, uid 0
Aug 15 17:36:22 everest pppd[1208]: ioctl(PPPIOCGUNIT): Operation not permitted(1)
Aug 15 17:36:22 everest pppd[1208]: tcsetattr: Operation not permitted
Aug 15 17:36:22 everest pppd[1208]: Exit.
The PPPIOCGUNIT error seems to be a common problem with pppd talking to modems and pcmcia stuff. But that clearly doesn't apply here.

Does anyone have any insight about how this could be occurring here?

Thanks,
Soren

From solovian at workout.com.ar Wed Aug 16 20:21:31 2000
From: solovian at workout.com.ar (Matias J. Solovian)
Date: Wed, 16 Aug 2000 22:21:31 -0300
Subject: [pptp-server] pptpd.log
Message-ID: <017c01c007e9$7aa0b220$0701a8c0@polaris.workout.com.ar>

I have the same problem. Does somebody have a solution for this problem??

Matias

-----Original Message-----
From: Larry Rivera
To: pptp-server at lists.schulte.org
Date: Friday, August 11, 2000 05:56 p.m.
Subject: [pptp-server] pptpd.log

> Hello:
> Some times my pptp setup starts spewing this onto the pptpd.log and the only way to recover is to reboot the system. This only happens sometimes. Can anyone decipher this?
> Thanks.
> LR
>
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
>

From linmark at hotmail.com Wed Aug 16 21:54:27 2000
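Larry Rivera's pptpd.log excerpt above shows one pptpd control process (PID 534) logging its exit-path message over and over within the same second, and the thread reports a reboot as the only recovery. A healthy pptpctrl child logs "couldn't read packet header (exit)" once and then finishes, so repetition from a single PID is the thing worth alerting on before the box needs a reboot. The following is an added example, not code from the thread or from PoPToP: a small awk-based check that reads syslog lines and reports any pptpd PID stuck in that loop. The sample log lines are constructed in the same syslog format; the hostname, PIDs and client address in them are made up.

```shell
#!/bin/sh
# Added example, not from the thread: flag a pptpd control process that keeps
# logging its exit-path message without exiting, the pattern in the pptpd.log
# quoted above. Sample lines below are constructed; host, PIDs and addresses
# are made up.

# Read syslog lines on stdin and print "PID count" for every pptpd PID that
# logged "couldn't read packet header" at least $1 times within one clock
# second (default 5). Nothing is printed when no PID is wedged.
stuck_pptpd_pids() {
    limit=${1:-5}
    awk -v limit="$limit" '
        # Fields: $1 month, $2 day, $3 HH:MM:SS, $4 host, $5 "pptpd[PID]:", rest message.
        $5 ~ /^pptpd\[[0-9]+\]:$/ && /CTRL: couldn.t read packet header/ {
            pid = $5
            sub(/^pptpd\[/, "", pid)
            sub(/\]:$/, "", pid)
            count[pid " " $3]++        # key: one PID within one clock second
        }
        END {
            for (key in count) {
                if (count[key] < limit) continue
                split(key, k, " ")
                if (count[key] > worst[k[1]]) worst[k[1]] = count[key]
            }
            for (pid in worst) print pid, worst[pid]
        }'
}

# Constructed sample: PID 534 is wedged (six repeats in one second),
# PID 601 logs the message once on a normal disconnect and then exits.
sample_log() {
    cat <<'EOF'
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:35 federal2 pptpd[601]: CTRL: couldn't read packet header (exit)
Aug 11 09:35:35 federal2 pptpd[601]: CTRL: Client 10.0.0.50 control connection finished
EOF
}

# Run the check over the constructed sample; prints "534 6".
check_sample() {
    sample_log | stuck_pptpd_pids 5
}

# Real use: stuck_pptpd_pids 5 < /var/log/messages
```

The threshold of five repeats per second is a judgement call; a normal disconnect produces one such line per control connection, so anything well above one from the same PID in the same second indicates a loop rather than churn from many callers. The awk program only reports in its END block, so feed it a saved log rather than a live tail.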
From: linmark at hotmail.com (Mark Lin)
Date: Wed, 16 Aug 2000 22:54:27 -0400
Subject: [pptp-server] ipx over pptp
Message-ID:

Hi all:

I've recently, due to gamers' need, set up a VPN server using pptpd in redhat 6.1, kernel 2.2.20-12. Everything works, my friends can all log in to my vpn server and browse each other's network neighborhood, which is all good except that the most important part wasn't working. We are trying to set up a VPN server with IPX encapsulated in IP so that we could play a network game, such as half life, in LAN mode. By using VPN, we figure that since each client is given a temporary MAC address and IP, the game should recognize it as a LAN game. But so much for our anticipation, we couldn't see anything in LAN which means that our IPX doesn't get routed.

Another interesting fact, after my clients log in to the VPN server, their ip will change to the ones I assigned to them in the PPTP server when you use 'winipcfg' in windows98. But when the game starts up, it still uses the original IP and MAC address instead of the one that was assigned by the VPN server.

I e-mailed the author of IPX+PPTP HOWTO about my question, he says and I quote

"ipx uses different network numbers for each connection i believe, this is similar to the subnet in tcp. If the game doesn't support specifying the remote ipx network then you won't be able to use ptp :( Kevin "

I guess now my question is, does anyone know if there is a way to put all the incoming connections from pppd on the same IPX network number?? Or just simply, has anyone already experimented with VPN for LAN game purposes? (I won't believe no one ever thought of this before me, this probably has been done a long time already since the introduction of VPN, but maybe NT's VPN would be easier for this kind of task??)

Cheers,
Mark

From larrydog at coqui.net Thu Aug 17 07:32:04 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Thu, 17 Aug 2000 08:32:04 -0400
Subject: [pptp-server] pptpd.log
References: <017c01c007e9$7aa0b220$0701a8c0@polaris.workout.com.ar>
Message-ID: <399BDB43.BCB3E843@coqui.net>

Which pptp client are you using?
I noticed that it DOES NOT HAPPEN AT ALL with MS pptp client (vpn adapter) and it does happen with the pptp.lrp package that goes with linuxrouter.

LR

"Matias J. Solovian" wrote:

> I have the same problem.
> Does somebody have a solution for this problem??
>
> Matias
> -----Original Message-----
> From: Larry Rivera
> To: pptp-server at lists.schulte.org
> Date: Friday, August 11, 2000 05:56 p.m.
> Subject: [pptp-server] pptpd.log
>
> > Hello:
> > Some times my pptp setup starts spewing this onto the pptpd.log and the only way to recover is to reboot the system. This only happens sometimes. Can anyone decipher this?
> > Thanks.
> > LR
> >
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> >

From solovian at workout.com.ar Thu Aug 17 10:59:27 2000
From: solovian at workout.com.ar (Matias J. Solovian)
Date: Thu, 17 Aug 2000 12:59:27 -0300
Subject: [pptp-server] pptpd.log
Message-ID: <01a101c00864$1f42d7c0$0701a8c0@polaris.workout.com.ar>

I'm using MS pptp client (vpn adapter)

-----Original Message-----
From: Larry Rivera
To: Matias J. Solovian
CC: pptp-server at lists.schulte.org
Date: Thursday, August 17, 2000 09:41 a.m.
Subject: Re: [pptp-server] pptpd.log

> Which pptp client are you using?
> I noticed that it DOES NOT HAPPEN AT ALL with MS pptp client (vpn adapter) and it does happen with the pptp.lrp package that goes with linuxrouter.
>
> LR
>
> "Matias J. Solovian" wrote:
>
> > I have the same problem.
> > Does somebody have a solution for this problem??
> >
> > Matias
> > -----Original Message-----
> > From: Larry Rivera
> > To: pptp-server at lists.schulte.org
> > Date: Friday, August 11, 2000 05:56 p.m.
> > Subject: [pptp-server] pptpd.log
> >
> > > Hello:
> > > Some times my pptp setup starts spewing this onto the pptpd.log and the only way to recover is to reboot the system. This only happens sometimes. Can anyone decipher this?
> > > Thanks.
> > > LR
> > >
> > > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > > Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
>> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header >> >(exit) >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 >> >in disco >> >nnect sequence >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl >> >packet >> >length. >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header >> >(exit) >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 >> >in disco >> >nnect sequence >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl >> >packet >> >length. >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header >> >(exit) >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 >> >in disco >> >nnect sequence >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl >> >packet >> >length. >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header >> >(exit) >> >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 >> >in disco >> >nnect sequence >> > >> >_______________________________________________ >> >pptp-server maillist - pptp-server at lists.schulte.org >> >http://lists.schulte.org/mailman/listinfo/pptp-server >> >List services provided by www.schulteconsulting.com! >> >> _______________________________________________ >> pptp-server maillist - pptp-server at lists.schulte.org >> http://lists.schulte.org/mailman/listinfo/pptp-server >> List services provided by www.schulteconsulting.com! > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulteconsulting.com! From kenlussier at mediaone.net Thu Aug 17 11:58:01 2000 
From: kenlussier at mediaone.net (Kenneth E. Lussier)
Date: Thu, 17 Aug 2000 12:58:01 -0400
Subject: [pptp-server] Any known problems on SMP machines
Message-ID: <399C1999.D99DD1D5@mediaone.net>

Hardware could be a very real problem. Since I have been having hard-lock issues of my own, I have been researching not only all of the software on the box, but also all of the hardware issues. I hope that this info is helpful to someone. Some things that I have found:

1) VA Linux uses an Adaptec 7986/7 SCSI controller that is not completely supported by the kernel (source - VA Linux)

2) The EEPro/100 has a tendency to take an IRQ that is reserved by a SCSI controller (source - Donald Becker)

3) SMP support in the current kernels can be flakey depending on the bus (source - Mission Critical Linux)

4) The ethernet bonding driver is extremely flakey (source - Mission Critical Linux)

5) DEC Tulip-based cards have trouble auto-negotiating (source - Donald Becker)

Michael Walter wrote:
>
> I have SMP and PPTPD working flawlessly on a Dell Poweredge 1300 w/ dual
> pentium3-500, perc2/sc raid. It was a bit of a pain to get up, but none of
> the problems were related to smp support.
>
> Thanks,
>
> Michael J. Walter
> rhce mcse mcp+i a+
> Network Administrator
> Gliatech, Inc.
> 23420 Commerce Park Rd.
> Beachwood, Ohio 44122
> Tel: (216) 831-3200
> Email: walterm at gliatech.com
>
> -----Original Message-----
> From: Joshua Nekl [mailto:jnekl at kc.rr.com]
> Sent: Wednesday, August 16, 2000 10:02 AM
> To: James Orr; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Any known problems on SMP machines
>
> What kernel are you using?
>
> There are problems on SMP boxes with kernel versions below 2.2.15 or so.
> Supposedly, kernel 2.2.15 or 2.2.16 works, though I haven't tried it yet (I
> know 2.2.14 doesn't work).
>
> - Josh
>
> ----- Original Message -----
> From: "James Orr"
> To:
> Sent: Tuesday, August 15, 2000 2:51 PM
> Subject: [pptp-server] Any known problems on SMP machines
>
> > Currently trying to lock down some instabilities in a poptop
> > installation. The one machine which is a uniprocessor seems to be
> > working properly, however, the 2 multiprocessor machines are flaky. Am I
> > racing down a blind alley?
> >
> > Thanks,
> >
> > -Jim
> >

From michael_scholl at ctsius.com Thu Aug 17 13:01:00 2000
From: michael_scholl at ctsius.com (michael_scholl at ctsius.com)
Date: Thu, 17 Aug 2000 11:01:00 -0700
Subject: [pptp-server] What am I missing
Message-ID: <33E6E975BEF9D211BA800008C7DF61802B0C29@EXCHANGE>

I am running Red Hat 6.2 with kernel 2.2.16-12 with the pptp patch applied. I have followed all the instructions in JHardin's directions. I have done the following: Linux firewall with NT Server running RAS and PPTP, trying to connect with a Win 98 client with the connection manager loaded.

#Port Forwarding
ipmasqadm portfw -a -P tcp -L externalip 1723 -R internalip 1723

I've checked with ipmasqadm portfw -L; the forwarding is in place.

# GRE forwarding
ipfwd --masq pptpserver internal ip 47 &

# Firewall Input Rules
ipchains -A input -p 47 -j ACCEPT
ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 1723 -d 0.0.0.0/0

# Firewall Output rules
ipchains -A output -p 47 -j ACCEPT
ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723

# Firewall Masquerading rules
ipchains -A forward -j MASQ -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723
ipchains -A forward -p 47 -j MASQ

To me everything looks right. I checked my messages log; I see the following messages:

Aug 17 08:24:26 firewall kernel: ip_masq_gre(): creating GRE masq for (Internal PPTP server) ---> (remote IP address) CID-0 MCID=6FC4

followed shortly by

Aug 17 08:25:10 firewall kernel: ip_demasq_gre: (remote ip) --> (internal PPTP server) CID=0 mo masq table, discarding

Help please.

Best Regards,

Michael Scholl
CTSI Moving the world
CTSI-Los Angeles
Tel: (800) 231-CTSI (2874)
Tel: (310) 631-2856
Fax: (310) 631-5602
Email: michael_scholl at ctsius.com
Visit our web site: www.ctsi-logistics.com

From htodd at twofifty.com Thu Aug 17 13:01:15 2000
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Thu, 17 Aug 2000 11:01:15 -0700 (PDT)
Subject: [pptp-server] pptpd.log
In-Reply-To: <399BDB43.BCB3E843@coqui.net>

I had it occur with a Win98SE system with MS pptp client.

On Thu, 17 Aug 2000, Larry Rivera wrote:

> Which pptp client are you using? I noticed that it DOES NOT HAPPEN AT
> ALL with MS pptp client (vpn adapter) and it does happen with the
> pptp.lrp package that goes with linuxrouter.
>
> LR
>
> "Matias J. Solovian" wrote:
>
> > I have the same problem.
> > Does somebody have a solution for this problem??
> >
> > Matias
> > -----Original Message-----
> > From: Larry Rivera
> > To: pptp-server at lists.schulte.org
> > Date: Friday, 11 August 2000 05:56 p.m.
> > Subject: [pptp-server] pptpd.log
> >
> > >Hello:
> > >Sometimes my pptp setup starts spewing this onto the pptpd.log and the
> > >only way to recover is to reboot the system. This only happens
> > >sometimes. Can anyone decipher this?
> > >Thanks.
> > >LR
> > >
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: EOF or bad error reading ctrl packet length.
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: couldn't read packet header (exit)
> > >Aug 11 09:35:34 federal2 pptpd[534]: CTRL: Unexpected control message 0 in disconnect sequence
> > >
>

Hisashi T Fujinaka - htodd at twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte
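The runaway loop quoted in this thread is something a log watcher can catch instead of waiting for a reboot. The script below is an added example, not code from PoPToP or from anyone on the list: it parses syslog-style pptpd lines, counts the three CTRL messages per process and per second, and flags a process as stuck when the same message repeats; the sample log is constructed from the lines quoted above plus one ordinary disconnect and one unrelated pppd line.

```python
"""Spot a runaway pptpd control-connection error loop in syslog output.

Added example for this thread; not code from PoPToP or from any poster.
The three CTRL messages quoted in the thread come from one pptpd process
(pid 534) again and again within the same second.  A normal client
disconnect produces each of them at most once, so repeated copies with the
same pid and timestamp are a usable signature for "this child is stuck",
which lets an operator restart that pptpd rather than reboot the box.
The sample log below is constructed from the quoted lines.
"""
import re
from collections import defaultdict

# "Aug 11 09:35:34 federal2 pptpd[534]: CTRL: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"pptpd\[(?P<pid>\d+)\]: CTRL: (?P<msg>.*)$"
)

# One pass of the loop seen in the thread (mail-wrapped lines rejoined).
LOOP_MESSAGES = (
    "couldn't read packet header (exit)",
    "Unexpected control message 0 in disconnect sequence",
    "EOF or bad error reading ctrl packet length.",
)


def _line(ts, pid, msg):
    return f"{ts} federal2 pptpd[{pid}]: CTRL: {msg}"


# Constructed sample: pid 520 disconnects normally (one header-read failure),
# pid 534 cycles through the three messages six times in one second, and a
# pppd line is mixed in to show that non-pptpd records are ignored.
SAMPLE_LOG = (
    [_line("Aug 11 09:35:33", 520, LOOP_MESSAGES[0])]
    + ["Aug 11 09:35:33 federal2 pppd[540]: Connection terminated."]
    + [_line("Aug 11 09:35:34", 534, m) for _ in range(6) for m in LOOP_MESSAGES]
)


def parse(line):
    """Return (timestamp, host, pid, message) or None for non-pptpd lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("host"), int(m.group("pid")), m.group("msg")


def find_error_loops(lines, threshold=3):
    """Return {(host, pid): worst_hits} for pptpd processes that logged the
    same loop message `threshold` or more times within one second.

    Counting per (pid, second, message) rather than per pid alone keeps a
    busy server with many clients disconnecting from tripping the check.
    """
    hits = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, host, pid, msg = rec
        if msg in LOOP_MESSAGES:
            hits[(host, pid, ts, msg)] += 1

    stuck = {}
    for (host, pid, _ts, _msg), n in hits.items():
        if n >= threshold:
            stuck[(host, pid)] = max(stuck.get((host, pid), 0), n)
    return stuck


if __name__ == "__main__":
    for (host, pid), n in sorted(find_error_loops(SAMPLE_LOG).items()):
        print(f"{host}: pptpd[{pid}] looping on control errors ({n} repeats in 1s)")
```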
From rich at cx1005202-a.elcjn1.sdca.home.com Thu Aug 17 13:19:00 2000
From: rich at cx1005202-a.elcjn1.sdca.home.com (Rich Hall)
Date: Thu, 17 Aug 2000 11:19:00 -0700 (PDT)
Subject: [pptp-server] Any known problems on SMP machines
In-Reply-To: <399C1999.D99DD1D5@mediaone.net>

Someplace here on the thread is a statement that 2.2.14 does not work on SMP machines. I beg to differ. I have 11 machines all running 2.2.14 now for the better part of a year+, all with AMD SCSI RAID controllers (Express 200 and 1400) with ASUS P2B motherboards, and all is fine with no downtime on any of them. 3C905 NICs too and ATI video.

-Rich

On Thu, 17 Aug 2000, Kenneth E. Lussier wrote:

> Date: Thu, 17 Aug 2000 12:58:01 -0400
> From: Kenneth E. Lussier
> To: Michael Walter
> Cc: "PPTPD User Group (E-mail)"
> Subject: Re: [pptp-server] Any known problems on SMP machines
>
> Hardware could be a very real problem. Since I have been having
> hard-lock issues of my own, I have been researching not only all
> of the software on the box, but also all of the hardware issues.
> I hope that this info is helpful to someone. Some things that I
> have found:
>
> 1) VA Linux uses an Adaptec 7986/7 SCSI controller that is not
> completely supported by the kernel (source - VA Linux)
>
> 2) The EEPro/100 has a tendency to take an IRQ that is reserved
> by a SCSI controller (source - Donald Becker)
>
> 3) SMP support in the current kernels can be flakey depending on
> the bus (source - Mission Critical Linux)
>
> 4) The ethernet bonding driver is extremely flakey (source -
> Mission Critical Linux)
>
> 5) DEC Tulip-based cards have trouble auto-negotiating (source -
> Donald Becker)
>
> Michael Walter wrote:
> >
> > I have SMP and PPTPD working flawlessly on a Dell Poweredge 1300 w/ dual
> > pentium3-500, perc2/sc raid. It was a bit of a pain to get up, but none of
> > the problems were related to smp support.
> >
> > Thanks,
> >
> > Michael J. Walter
> > rhce mcse mcp+i a+
> > Network Administrator
> > Gliatech, Inc.
> > 23420 Commerce Park Rd.
> > Beachwood, Ohio 44122
> > Tel: (216) 831-3200
> > Email: walterm at gliatech.com
> >
> > -----Original Message-----
> > From: Joshua Nekl [mailto:jnekl at kc.rr.com]
> > Sent: Wednesday, August 16, 2000 10:02 AM
> > To: James Orr; pptp-server at lists.schulte.org
> > Subject: Re: [pptp-server] Any known problems on SMP machines
> >
> > What kernel are you using?
> >
> > There are problems on SMP boxes with kernel versions below 2.2.15 or so.
> > Supposedly, kernel 2.2.15 or 2.2.16 works, though I haven't tried it yet (I
> > know 2.2.14 doesn't work).
> >
> > - Josh
> >
> > ----- Original Message -----
> > From: "James Orr"
> > To:
> > Sent: Tuesday, August 15, 2000 2:51 PM
> > Subject: [pptp-server] Any known problems on SMP machines
> >
> > > Currently trying to lock down some instabilities in a poptop
> > > installation. The one machine which is a uniprocessor seems to be
> > > working properly, however, the 2 multiprocessor machines are flaky. Am I
> > > racing down a blind alley?
> > >
> > > Thanks,
> > >
> > > -Jim
> > >
>

==============================================================================
Richard Hall - email: rich at netlynx.com
http://www.netlynx.com/rich/
Amateur Radio: KF6ARX
==============================================================================

From jnekl at kc.rr.com Thu Aug 17 18:47:32 2000
From: jnekl at kc.rr.com (Joshua Nekl)
Date: Thu, 17 Aug 2000 18:47:32 -0500
Subject: [pptp-server] Any known problems on SMP machines
Message-ID: <00d301c008a5$963e8680$0a00fa0a@austin.rr.com>

David Luyer, one of the active poptop contributors, posted the following info a while ago. It was previously posted before that.

- Josh

-------------
From: "David Luyer"
To: "Joshua Nekl"
Sent: Monday, June 19, 2000 10:33 AM
Subject: Re: [pptp-server] GRE: Bad checksum from pppd

> > I posted some time ago here about SMP races in kernel tty or ppp
> > code.
> > The latest 2.2.x kernels from Alan Cox should be fine SMP with ppp.
> ------------------------------------
> > We're using kernel 2.2.14. Is that recent enough, or do we need to go
> > to
> > 2.2.15 or 2.2.16???
> -------------------------------------
> It's either 2.2.15 or 2.2.16 which fixes the SMP races in ppp/tty code.
>
> I know 2.2.14 is buggy for SMP high-speed ppp.
>
> David.
> --
> ----------------------------------------------
> David Luyer
> Senior Network Engineer
> Pacific Internet (Aust) Pty Ltd
> Phone: +61 3 9674 7525
> Fax: +61 3 9699 8693
> Mobile: +61 4 1064 2258, +61 4 1114 2258
> http://www.pacific.net.au NASDAQ: PCNTF
> << fast 'n easy >>
> ----------------------------------------------
>

----- Original Message -----
From: "Rich Hall"
To:
Sent: Thursday, August 17, 2000 1:19 PM
Subject: Re: [pptp-server] Any known problems on SMP machines

>
> Someplace here on the thread is a statement that 2.2.14 does not work on
> SMP machines. I beg to differ. I have 11 machines all running 2.2.14 now
> for the better part of a year+, all with AMD SCSI RAID controllers (Express
> 200 and 1400) with ASUS P2B motherboards, and all is fine with no downtime
> on any of them. 3C905 NICs too and ATI video.
>
> -Rich
>
> On Thu, 17 Aug 2000, Kenneth E. Lussier wrote:
>
> > Date: Thu, 17 Aug 2000 12:58:01 -0400
> > From: Kenneth E. Lussier
> > To: Michael Walter
> > Cc: "PPTPD User Group (E-mail)"
> > Subject: Re: [pptp-server] Any known problems on SMP machines
> >
> > Hardware could be a very real problem. Since I have been having
> > hard-lock issues of my own, I have been researching not only all
> > of the software on the box, but also all of the hardware issues.
> > I hope that this info is helpful to someone. Some things that I
> > have found:
> >
> > 1) VA Linux uses an Adaptec 7986/7 SCSI controller that is not
> > completely supported by the kernel (source - VA Linux)
> >
> > 2) The EEPro/100 has a tendency to take an IRQ that is reserved
> > by a SCSI controller (source - Donald Becker)
> >
> > 3) SMP support in the current kernels can be flakey depending on
> > the bus (source - Mission Critical Linux)
> >
> > 4) The ethernet bonding driver is extremely flakey (source -
> > Mission Critical Linux)
> >
> > 5) DEC Tulip-based cards have trouble auto-negotiating (source -
> > Donald Becker)
> >
> > Michael Walter wrote:
> > >
> > > I have SMP and PPTPD working flawlessly on a Dell Poweredge 1300 w/ dual
> > > pentium3-500, perc2/sc raid. It was a bit of a pain to get up, but none of
> > > the problems were related to smp support.
> > >
> > > Thanks,
> > >
> > > Michael J. Walter
> > > rhce mcse mcp+i a+
> > > Network Administrator
> > > Gliatech, Inc.
> > > 23420 Commerce Park Rd.
> > > Beachwood, Ohio 44122
> > > Tel: (216) 831-3200
> > > Email: walterm at gliatech.com
> > >
> > > -----Original Message-----
> > > From: Joshua Nekl [mailto:jnekl at kc.rr.com]
> > > Sent: Wednesday, August 16, 2000 10:02 AM
> > > To: James Orr; pptp-server at lists.schulte.org
> > > Subject: Re: [pptp-server] Any known problems on SMP machines
> > >
> > > What kernel are you using?
> > >
> > > There are problems on SMP boxes with kernel versions below 2.2.15 or so.
> > > Supposedly, kernel 2.2.15 or 2.2.16 works, though I haven't tried it yet (I
> > > know 2.2.14 doesn't work).
> > >
> > > - Josh
> > >
> > > ----- Original Message -----
> > > From: "James Orr"
> > > To:
> > > Sent: Tuesday, August 15, 2000 2:51 PM
> > > Subject: [pptp-server] Any known problems on SMP machines
> > >
> > > > Currently trying to lock down some instabilities in a poptop
> > > > installation. The one machine which is a uniprocessor seems to be
> > > > working properly, however, the 2 multiprocessor machines are flaky. Am I
> > > > racing down a blind alley?
> > > >
> > > > Thanks,
> > > >
> > > > -Jim
> > > >
> >
> ==============================================================================
> Richard Hall - email: rich at netlynx.com
> http://www.netlynx.com/rich/
> Amateur Radio: KF6ARX
> ==============================================================================
>

From linmark at hotmail.com Fri Aug 18 03:09:51 2000
From: linmark at hotmail.com (Mark Lin)
Date: Fri, 18 Aug 2000 04:09:51 -0400
Subject: [pptp-server] ipx over pptp
References: <20000818070506.UOTD7668.mail.rdc1.tn.home.com@ci410067-a>

Mr. Grim:

Maybe I should make it more clear: what I really want is to have IPX over IP VPN. I think we have a little miscommunication.

First of all, I don't think all the network interfaces need to have the same network number, at least for my game purpose. They could be any number, but what I really want is to have the VPN (virtual private network) server (pptpd) set the incoming connections (IP) to the same network number (IPX) and different node numbers (IPX).

Secondly, does it matter if the network interface thinks it's receiving IPX data from a different IPX network? It doesn't, because it's receiving IP data, not IPX. I know one thing for sure: pptpd on the VPN server assigns a different network number for each connection, that is if the range of IPX nets was specified in its configuration file. I also notice that pppd, which pptpd uses as dial-in server, has the options ipx-network and ipx-node in its options file, but even when I add more nodes in one network in the options file (/etc/ppp/options), only the first computer can get IPX, and the next client simply won't have IPX networking. I guess the ipx-node option is probably for the computers on the same LAN as the connecting computer. Maybe I messed up somewhere in the ppp options, but please tell me where.

Lastly, I just found out there IS a program doing specifically bridging two IPX networks, called IPXTUNNEL. It's available on ftp://sunsite.unc.edu/pub/Linux/system/network/daemons/, made by Andreas Godzina (ag at agsc.han.de). I haven't tried the program yet, but if any of you have experience with it, please reply to me. I would really like to get this IPX over IP thing going for my game! :))

cheers,
Mark

----- Original Message -----
From: Mr. Grim
To: Mark Lin
Sent: Friday, August 18, 2000 3:05 AM
Subject: Re: [pptp-server] ipx over pptp

There is no way as far as I can tell to give all network interfaces the same network number. I'm going to hopefully begin work on a server daemon that'll "trick" all the network interfaces into thinking they are all receiving IPX data from the same network number. It isn't a problem with routing. IPX broadcasts are designed to travel within their network only. If anyone on this list has any info on how to go about coding such a utility please let me know though =). I'm an experienced coder, I'm just not familiar with Linux.

Also, DON'T confuse IPX with TCP/IP. The IP address has NOTHING at ALL to do with IPX; the IP address is a TCP/IP issue, not an IPX one. They are two completely different protocols. If you didn't even run TCP/IP and no one even had IP addresses, IPX would still work.

gr1m

On 16 Aug 00, at 22:54, Mark Lin wrote:

Hi all:

I've recently, due to gamers' need, set up a VPN server using pptpd in Red Hat 6.1, kernel 2.2.20-12. Everything works, my friends can all login to my VPN server and browse each other's Network Neighborhood, which is all good except that the most important part wasn't working. We were trying to set up a VPN server with IPX encapsulated in IP so that we could play network games, such as Half-Life, in LAN mode. By using VPN, we figured that since each client is given a temporary MAC address and IP, the game should recognize it as a LAN game. But so much for our anticipation: we couldn't see anything in LAN, which means that our IPX doesn't get routed. Another interesting fact: after my clients log in to the VPN server, their IP will change to the ones I assigned to them in the PPTP server when you use 'winipcfg' in Windows 98. But when the game starts up, it still uses the original IP and MAC address instead of the one that was assigned by the VPN server.

I e-mailed the author of the IPX+PPTP HOWTO about my question; he says, and I quote: "ipx uses different network numbers for each connection i believe, this is similar to the subnet in tcp. If the game doesn't support specifying the remote ipx network then you won't be able to use pptp :( Kevin"

I guess now my question is, does anyone know if there is a way to put all the incoming connections from pppd on the same IPX network number?? Or has anyone already experimented with VPN for LAN game purposes? (I won't believe no one ever thought of this before me; this has probably been done a long time already since the introduction of VPN, but maybe NT's VPN would be easier for this kind of task??)

Cheers,
Mark

From aaa at netman.dk Fri Aug 18 06:34:39 2000
From: aaa at netman.dk (Alaa Al Amood)
Date: Fri, 18 Aug 2000 13:34:39 +0200
Subject: [pptp-server] pptp Server & Client
Message-ID: <399D1F4F.383226D1@netman.dk>

Hi

Is it possible to have pptp_server and pptp_client at the same time in the same machine?

regards
Alaa

From xsqian at gallantry.com Fri Aug 18 10:49:45 2000
From: xsqian at gallantry.com (Xinshan Qian)
Date: Fri, 18 Aug 2000 08:49:45 -0700
Subject: [pptp-server] Is ppp-2.3.10-openssl-norc4-mppe.patch.gz a zip file?
Message-ID: <399D5B12.44E64B17@gallantry.com>

Hi All,

I am trying to enable encryption with poptop on a FreeBSD. When I run "gunzip ppp-2.3.10-openssl-norc4-mppe.patch.gz" as instructed, I got the message "ppp-2.3.10-openssl-norc4-mppe.patch.gz: not in gzip format". Where am I wrong? Did you meet this problem before?

Thank you All.

Shanna

From naga_b at lycos.com Fri Aug 18 10:50:29 2000
From: naga_b at lycos.com (Nagaraja B)
Date: Fri, 18 Aug 2000 08:50:29 -0700
Subject: [pptp-server] pptp Server & Client

Hi Alaa,

I have not tried this stuff, but it should be possible, because the PPTP server always listens on port no. 1723, but that should not in any way affect the PPTP client, which does not compete to listen on this port by any means.

regards,
Nag

--

On Fri, 18 Aug 2000 13:34:39 Alaa Al Amood wrote:
>Hi
>
>Is it possible to have pptp_server and pptp_client at same time in the
>same machine?
>
>regards
>Alaa
>

From bam at NightStorm.com Fri Aug 18 11:20:00 2000
From: bam at NightStorm.com (Bruce A. Mallett)
Date: Fri, 18 Aug 2000 12:20:00 -0400
Subject: [pptp-server] Is ppp-2.3.10-openssl-norc4-mppe.patch.gz a zip file?
References: <399D5B12.44E64B17@gallantry.com>
Message-ID: <399D6230.FD683853@NightStorm.com>

As I recall I ran into this too. When I downloaded it, it was not in .gz format. Have a look at it with less; if it looks like an ASCII file then just rename it w/o the .gz extension and then skip the gunzip step.

- Bruce

Xinshan Qian wrote:
> Hi All,
>
> I am trying to enable encryption with poptop on a FreeBSD. When I run
>
> "gunzip ppp-2.3.10-openssl-norc4-mppe.patch.gz" as instruction, I got
> message
>
> "ppp-2.3.10-openssl-norc4-mppe.patch.gz: not in gzip format".
>
> Where am I wrong? Did you meet this problem before?
>
> Thank you All.
>
> Shanna
>

From rik at cronyx.ru Fri Aug 18 12:14:27 2000
From: rik at cronyx.ru (Kurakin Roman)
Date: Fri, 18 Aug 2000 21:14:27 +0400
Subject: [pptp-server] Is ppp-2.3.10-openssl-norc4-mppe.patch.gz a zip file?
References: <399D5B12.44E64B17@gallantry.com>
Message-ID: <399D6EF3.7E2128C7@cronyx.ru>

Hi,

Xinshan Qian wrote:
>
> Hi All,
>
> I am trying to enable encryption with poptop on a FreeBSD. When I run
>
> "gunzip ppp-2.3.10-openssl-norc4-mppe.patch.gz" as instruction, I got
> message
>
> "ppp-2.3.10-openssl-norc4-mppe.patch.gz: not in gzip format".
>
> Where am I wrong? Did you meet this problem before?

Check this file via less or something like that. I think it is not really gzipped now. This is because some www servers could tell some browsers to extract some archives on the fly.

Kurakin Roman

>
> Thank you All.
>
> Shanna
>

From CSinsofsky at FUTUREWAY.CA Fri Aug 18 12:47:11 2000
From: CSinsofsky at FUTUREWAY.CA (Charles Sinsofsky)
Date: Fri, 18 Aug 2000 13:47:11 -0400
Subject: [pptp-server] multiple users with PoPTop
Message-ID: <703D51765C3DD41187260050DA0B61FB167064@EX01>

Hello all,

I have successfully implemented the VPN on my Linux Red Hat 6.2, with pptp 1.001, pppd 2.3.11 and the mppe patch. All works fine, I can login etc.

My question is with 'multiple' users. I am wondering about conflicts with VPN usage when multiple users login to my VPN server through my ipchains firewall. I noted in the VPN howto about needing to add Call-ID into the kernel to permit multiple concurrent sessions of users with Windows 95/98/NT outside on the internet to connect to my VPN (using a PPTP MS-VPN adapter) to my PoPToP server on the Linux firewall machine. The question is, I can not find this 'Call-ID' in the kernel???

So far I have successfully deployed the system. I have logged into it from two different dial-up ISPs and from a cable modem. All worked fine, permitted me to connect to the VPN and then establish the connection, and then use my MS Exchange server; all worked fine.

In a test, I logged online with my home network, this time using two different PCs from my internal network... they feed up to the internet through another IP-masquerading Linux machine. I established one VPN connection, all was fine. I then established another from another point in my home network (another Windows 98 machine); I logged online to the VPN with a totally different username and password..... here is where the problem began. I noticed in /var/log/messages that GRE packets became out-of-sync.... am I merely experiencing this problem because both of my VPN connections came from a single net-id??? Or will my system only permit one user to login to the VPN at any given time, because GRE packets get confused with many users?

Currently in the pptpd.conf file I use only one local IP address, with a range of 10 external addresses. The documentation is not really clear here; is my problem related to the one local IP address? How come? The packets are defined, it should not mix them up?? Or should I use multiple local IP addresses for the other side of the VPN to ensure that GRE packets are not confused?

I have yet to test it with totally -2- different IP addresses out on the net. Tonight I will use my dial-up connection for point 1 to the VPN and my cable modem for point 2 to the VPN, and see what happens. I could easily have the potential for 30 users using the VPN at a given time... so far I have only seen one user run properly in real time.

My personal computer is a Pentium III 450MHz with 128 megs of RAM, and 10 gigs of disk space. This should easily permit 30 users for VPN access?? Anyone have stats with regards to VPN usage with multiple users? Has anyone experienced GRE packet problems with regards to multiple connections, i.e. multiple users on the VPN, external, coming into the corporate network? I use it for email (MS Exchange use). I am willing to share my experiences with anyone... the VPN works great with Exchange... I used the Seawall firewall (which is excellent) on both my systems at home and at the office. I have done VPNs both ways to and from my home network, and have users logging into the VPN at the office for their email on MS Exchange. But so far deployment has been slow due to my concern with multiple users issues?

- Thank you.

- Charles Sinsofsky
Systems Architect - Futureway Communications
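Both the ipchains passthrough post earlier in this section (whose kernel log ends in "no masq table, discarding") and Charles' report of two clients behind one masquerading box losing GRE sync come down to how a NAT tracks the PPTP Call ID. The model below is an added example, not code from PoPToP, ipchains or the ip_masq_pptp patch: it parses the RFC 2637 enhanced GRE header and keeps a call-ID table that learns each inside client's ID from the control channel and rewrites the ID when two clients collide; the server and client addresses and the 0x6000 pool are constructed values, and the table is a simplified illustration rather than the kernel helper's actual behaviour.

```python
"""A call-ID aware NAT table for PPTP, to show why GRE alone is not enough.

Added example for this thread; not code from PoPToP, ipchains or the
ip_masq_pptp patch.  Protocol facts are from RFC 2637: PPTP data is enhanced
GRE (IP protocol 47, type 0x880B) and the 16-bit Call ID in each packet is
the *receiver's* call ID, exchanged beforehand on the TCP/1723 control
channel.  A NAT that only watches GRE never learns the inside client's call
ID, so the server's replies match nothing and are dropped; and two inside
clients that pick the same call ID toward one server collide unless the NAT
rewrites one of them.  All addresses and call IDs below are constructed.
"""
import struct

GRE_PPTP_PROTO = 0x880B


def parse_gre(packet):
    """Parse an RFC 2637 enhanced GRE header; raise ValueError if malformed."""
    if len(packet) < 8:
        raise ValueError("GRE header truncated")
    flags, ver_flags, proto, length, call_id = struct.unpack("!BBHHH", packet[:8])
    if proto != GRE_PPTP_PROTO or (ver_flags & 0x07) != 1:
        raise ValueError("not PPTP enhanced GRE")
    if not flags & 0x20:                 # K bit: key field (length + call ID) required
        raise ValueError("K bit clear")
    off, seq, ack = 8, None, None
    if flags & 0x10:                     # S bit: sequence number present
        (seq,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if ver_flags & 0x80:                 # A bit: acknowledgement number present
        (ack,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    return {"call_id": call_id, "length": length, "seq": seq, "ack": ack,
            "payload": packet[off:off + length]}


def build_gre(call_id, payload, seq=None, ack=None):
    """Build an enhanced GRE packet (used here to construct sample traffic)."""
    flags = 0x20 | (0x10 if seq is not None else 0)
    ver_flags = 0x01 | (0x80 if ack is not None else 0)
    hdr = struct.pack("!BBHHH", flags, ver_flags, GRE_PPTP_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


class PptpNat:
    """Maps (server, external call ID) back to the inside client and its own call ID."""

    def __init__(self, external_pool_start=0x6000):
        self.inbound = {}        # (server_ip, ext_call_id) -> (inside_ip, inside_call_id)
        self.next_external = external_pool_start

    def learn_call(self, inside_ip, inside_call_id, server_ip):
        """Record a call when the control channel shows an Outgoing-Call-Request
        from inside_ip carrying inside_call_id.  Returns the call ID the server
        will see: unchanged unless another inside client already uses it."""
        ext = inside_call_id
        if (server_ip, ext) in self.inbound:
            while (server_ip, self.next_external) in self.inbound:
                self.next_external += 1
            ext = self.next_external
            self.next_external += 1
        self.inbound[(server_ip, ext)] = (inside_ip, inside_call_id)
        return ext

    def deliver_inbound(self, server_ip, packet):
        """Return (inside_ip, packet with the client's own call ID restored),
        or None when no call is known: the 'no masq table, discarding' case."""
        gre = parse_gre(packet)
        entry = self.inbound.get((server_ip, gre["call_id"]))
        if entry is None:
            return None
        inside_ip, inside_call_id = entry
        return inside_ip, packet[:6] + struct.pack("!H", inside_call_id) + packet[8:]


def demo():
    """Two Win98 clients behind one NAT both choose call ID 1 toward one server."""
    nat = PptpNat()
    server = "198.51.100.5"                              # constructed server address
    ext_a = nat.learn_call("192.168.0.7", 1, server)     # first client keeps ID 1
    ext_b = nat.learn_call("192.168.0.8", 1, server)     # second collides -> 0x6000
    reply_to_b = build_gre(ext_b, b"\xff\x03\xc0\x21", seq=7, ack=3)   # PPP LCP start
    inside_ip, pkt = nat.deliver_inbound(server, reply_to_b)
    unknown = nat.deliver_inbound(server, build_gre(0, b"", seq=1))    # unlearned call 0
    return ext_a, ext_b, inside_ip, parse_gre(pkt)["call_id"], unknown


if __name__ == "__main__":
    print(demo())   # (1, 24576, '192.168.0.8', 1, None)
```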
From admin at coldtech.com Fri Aug 18 13:27:28 2000
From: admin at coldtech.com (Michael C. Mitchell)
Date: Fri, 18 Aug 2000 14:27:28 -0400
Subject: [pptp-server] Performance
Message-ID: <6372D899503ED311BAC30090277681EE192E@COLDNT>

I have a user complaining that performance seems lacking when he VPN's in via his cable modem. We have a 784K SDSL link and no one was on it but him. Does pptpd speed get limited to 115K? I set speed in pptpd.conf to 512000 to no avail. Is there any other setting I may be missing?

From dereks at kd-dev.com Fri Aug 18 13:45:24 2000
From: dereks at kd-dev.com (Derek Simkowiak)
Date: Fri, 18 Aug 2000 11:45:24 -0700 (PDT)
Subject: [pptp-server] Performance
In-Reply-To: <6372D899503ED311BAC30090277681EE192E@COLDNT>

-> I have a user complaining that performance seems lacking when
-> he VPN's in via his cablemodem. We have a 784K SDSL link and
-> no one was on it but him. Does pptpd speed get limited to 115K?

That seems to be the case. Check the archives; people can't seem to get faster than 115K. Setting different MTUs doesn't fix it, either. The speeds for the Linux PPTP server and Windows NT server are roughly equal, although Windows NT is just a little faster.

What I have not seen is someone using the Linux client into the Linux PPTP server. As far as I know, the ~115K limitation might be in the MS-Windows PPTP client.

Can anyone here verify?

Also, we don't know where the bottleneck is. It does not seem to be in the network *or* in the CPU, which is why I think it might be in the client...(?)

--Derek Simkowiak

From amacc at iron-bridge.net Fri Aug 18 15:17:45 2000
From: amacc at iron-bridge.net (Andrew McRory)
Date: Fri, 18 Aug 2000 16:17:45 -0400 (EDT)
Subject: [pptp-server] Performance
In-Reply-To:
Message-ID:

On Fri, 18 Aug 2000, Derek Simkowiak wrote:

> -> I have a user complaining that performance seems lacking when
> -> he VPN's in via his cablemodem. We have a 784K SDSL link and
> -> no one was on it but him. Does pptpd speed get limited to 115K?
>
> That seems to be the case. Check the archives; people can't seem
> to get faster than 115K. Setting different MTUs doesn't fix it, either.
> The speeds for the Linux PPTP server and WindowsNT server are roughly
> equal, although WindowsNT is just a little faster.
>
> What I have not seen is someone using the Linux client into the
> Linux PPTP server. As far as I know, the ~115K limitation might be in the
> MS-Windows PPTP client.
>
> Can anyone here verify?
>

I have used PoPToP across DSL, cable modems and point-to-point links. Never once saw a performance problem (except IPX routing) and get over 40kbps on a 1024kbps cable modem. The speed setting in the PoPToP config file is 115200, so it doesn't seem to matter what it's set to.

Windows always reports a connection rate of 100,000,000 when I'm on a 100MB LAN routed through a Linux box with ip_masq_pptp loaded... Here are my config files:

==== /etc/pptp.conf ====
speed 115200
option /etc/pptpd.options
localip 10.10.10.1
remoteip 10.10.10.240-254
listen 256.176.322.777 (intentionally malformed address :)

==== /etc/pptpd.options ====
lock
auth
login
proxyarp
name vpnconn
require-pap
ms-wins 10.10.10.1
ms-dns 10.10.10.1

==== /etc/rc.d/init.d/pptpd - Caldera OpenLinux 2.x ====
#!/bin/sh
#
# pptpd    This shell script takes care of starting and stopping
#          pptpd (PPTP VPN daemon).
#
#
NAME=pptpd
DAEMON=/usr/sbin/$NAME

# Source function library (defines SVIlock and OPTIONS on Caldera).
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
    [ ! -e $SVIlock ] || exit 1
    [ -x $DAEMON ] || exit 0

    # Start daemons.
    echo -n "Starting PPTPD VPN service: "
    ssd -S -x $DAEMON -n $NAME -- $OPTIONS
    echo "."

    touch $SVIlock
    ;;

  stop)
    [ -e $SVIlock ] || exit 0

    # Stop daemons.
    echo -n "Shutting down PPTPD VPN service: "
    ssd -K -x $DAEMON -n $NAME
    echo "."

    rm -f $SVIlock
    ;;

  reload)
    [ -e $SVIlock ] || exit 0
    echo -n "Reloading PPTPD VPN service: "
    ssd -K --signal 1 -x $DAEMON -n $NAME
    echo "."
    ;;

  *)
    echo "Usage: pptpd {start|stop|reload}"
    exit 1
    ;;
esac

exit 0

==== /etc/sysconfig/daemons - Caldera OpenLinux 2.x ====
IDENT=pptpd
DESCRIPTIVE="PPTPD VPN Server"
ONBOOT="no"

See? Nothing special, methinks...

Andrew McRory - President/CTO                amacc at iron-bridge.net *****************
The PC Doctor, Inc.                          www.pcdr.com        850-575-2713 **
Iron Bridge Communications by PCDR           www.iron-bridge.net 850-575-0779 **
Contributed Caldera OpenLinux RPMS           ftp.iron-bridge.net/pub/Caldera **
**************************************************************************

From xsqian at gallantry.com Fri Aug 18 18:31:41 2000
From: xsqian at gallantry.com (Xinshan Qian)
Date: Fri, 18 Aug 2000 16:31:41 -0700
Subject: [pptp-server] I need a detailed HOWTO for POPTOP with encryption on FreeBSD3.4
Message-ID: <399DC75C.1885F067@gallantry.com>

Hi, Everyone,

Do you run POPTOP with encryption on FreeBSD 3.4 successfully? If you do, could you please give me a detailed HOWTO?

I am trying to add encryption to POPTOP on FreeBSD 3.4 following the steps of "FreeBSD3.4 and encryption" on the (http://www.moretonbay.com/vpn/download_pptp.html) web site. But the instructions are too brief for me. I ran into many problems.

1. Applying configure.freebsd-3.4.patch failed and left a "configure.rej" file; the same problem occurs with Makefile.bsd.patch.

2. Maybe because the patch failed, when I run the "configure" command I get the message: "Support for this system has not been included in this distribution. Sorry."

3. When I followed the README and README.bsd in ppp-2.3.11 to do "make", I get many errors when compiling the if_ppp.c file.

If someone has set up poptop with encryption on FreeBSD successfully, please tell me how you did it.

Thank you very much!

Xinshan

From NorthwestFrog at home.com Sat Aug 19 01:17:35 2000
From: NorthwestFrog at home.com (Jean-Francois Gagnon)
Date: Fri, 18 Aug 2000 23:17:35 -0700
Subject: [pptp-server] Performance
In-Reply-To:
Message-ID: <000c01c009a5$2ab78d20$0201a8c0@olmpi1.wa.home.com>

Be careful: download speed on a cable modem can be very fast, in excess of 200KB per second, but upload can be limited to 10KB per second. Also, a 56Kb modem has a similar behavior where the upload speed is a fraction of the download speed.

Hope this helps

JFG

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Andrew McRory
> Sent: Friday, August 18, 2000 1:18 PM
> To: Derek Simkowiak
> Cc: Michael C. Mitchell; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Performance
>
>
> On Fri, 18 Aug 2000, Derek Simkowiak wrote:
>
> > -> I have a user complaining that performance seems lacking when
> > -> he VPN's in via his cablemodem. We have a 784K SDSL link and
> > -> no one was on it but him. Does pptpd speed get limited to 115K?
> >
> > That seems to be the case. Check the archives; people can't seem
> > to get faster than 115K. Setting different MTUs doesn't fix it, either.
> > The speeds for the Linux PPTP server and WindowsNT server are roughly
> > equal, although WindowsNT is just a little faster.
> >
> > What I have not seen is someone using the Linux client into the
> > Linux PPTP server. As far as I know, the ~115K limitation
> might be in the
> > MS-Windows PPTP client.
> >
> > Can anyone here verify?
> >
>
> I have used PoPToP across DSL, Cable Modems and point to point links.
> Never once saw a performance problem (except IPX routing) and get over
> 40kbps on a 1024kbps cable modem. The speed setting in the PoPToP config
> file is 115200 so it doesn't seem to matter what it's set to.
>
> Windows always reports a connection rate of 100,000,000 when I'm on a
> 100MB LAN routed through a Linux box with ip_masq_pptp loaded... Here's my
> config files:
>
> ==== /etc/pptp.conf ====
> speed 115200
> option /etc/pptpd.options
> localip 10.10.10.1
> remoteip 10.10.10.240-254
> listen 256.176.322.777 (intentionally malformed address :)
>
> ==== /etc/pptpd.options ====
> lock
> auth
> login
> proxyarp
> name vpnconn
> require-pap
> ms-wins 10.10.10.1
> ms-dns 10.10.10.1
>
> ==== /etc/rc.d/init.d/pptpd - Caldera OpenLinux 2.x ====
> #!/bin/sh
> #
> # pptpd    This shell script takes care of starting and stopping
> #          pptpd (PPTP VPN daemon).
> #
> #
> NAME=pptpd
> DAEMON=/usr/sbin/$NAME
>
> # Source function library.
> . /etc/rc.d/init.d/functions
>
>
> # See how we were called.
> case "$1" in
>   start)
>     [ ! -e $SVIlock ] || exit 1
>     [ -x $DAEMON ] || exit 0
>
>     # Start daemons.
>     echo -n "Starting PPTPD VPN service: "
>     ssd -S -x $DAEMON -n $NAME -- $OPTIONS
>     echo "."
>
>     touch $SVIlock
>     ;;
>
>   stop)
>     [ -e $SVIlock ] || exit 0
>
>     # Stop daemons.
>     echo -n "Shutting down PPTPD VPN service: "
>     ssd -K -x $DAEMON -n $NAME
>     echo "."
>
>     rm -f $SVIlock
>     ;;
>
>   reload)
>     [ -e $SVIlock ] || exit 0
>     echo -n "Reloading PPTPD VPN service: "
>     ssd -K --signal 1 -x $DAEMON -n $NAME
>     echo "."
>     ;;
>
>   *)
>     echo "Usage: pptpd {start|stop|reload}"
>     exit 1
>     ;;
> esac
>
> exit 0
>
> ==== /etc/sysconfig/daemons - Caldera OpenLinux 2.x ====
> IDENT=pptpd
> DESCRIPTIVE="PPTPD VPN Server"
> ONBOOT="no"
>
>
> See? Nothing special me thinks...
>
>
> Andrew McRory - President/CTO                amacc at iron-bridge.net *****************
> The PC Doctor, Inc.                          www.pcdr.com        850-575-2713 **
> Iron Bridge Communications by PCDR           www.iron-bridge.net 850-575-0779 **
> Contributed Caldera OpenLinux RPMS           ftp.iron-bridge.net/pub/Caldera **
> **************************************************************************
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>

From mike at concannon.net Sun Aug 20 20:05:54 2000
From: mike at concannon.net (Michael Concannon)
Date: Sun, 20 Aug 2000 21:05:54 -0400
Subject: [pptp-server] default gateway
Message-ID: <39A08072.A1660853@mediaone.net>

So, I managed to get my NT4 box connected to my linux pptpd server, but the lack of an appropriate gateway setting prevents any name resolution from functioning. Where is this config item controlled?

Some info on my setup:

Server = linux 2.2.16, ppp and pptpd patched/updated per FAQ/config

*************** /etc/ppp/options
lock
debug
name 192.168.1.1
auth
+chap
proxyarp

**************** /etc/pptpd.conf
debug
localip 192.168.0.234-238
remoteip 192.168.1.234-238

****************
NT4 client: various compressions off, use default gateway off, DNS and IP retrieved from server.

What did I miss?

Thanks,
/mike

From Phong.Nguyen_Thanh at sdcgrp.com Sun Aug 20 20:14:34 2000
From: Phong.Nguyen_Thanh at sdcgrp.com (Nguyen Thanh Phong)
Date: Mon, 21 Aug 2000 08:14:34 +0700
Subject: [pptp-server] Performance
References: <6372D899503ED311BAC30090277681EE192E@COLDNT>
Message-ID: <017b01c00b0f$720fffc0$420aa8c0@sdc.com>

> I set speed in pptpd.conf to 512000 to no avail. Is there a
> any other setting I may be missing?

I found out that the maximum speed of PPP seems to be 460800, not 512000 (see the PPP code). Maybe you should try this to see if the performance improves. BTW, does anyone know how to set the PPP speed above 460800bps?

From boon-teong_ng at astro.com.my Sun Aug 20 20:23:42 2000
From: boon-teong_ng at astro.com.my (NG, Boon Teong)
Date: Mon, 21 Aug 2000 09:23:42 +0800
Subject: [pptp-server] connect linux pptp client to linux pptp server
Message-ID: <8D2DA67F5637D311B12D0000F82107C10126B4D0@poaabc02.astro.com.my>

hello all,

I just picked up Linux recently and have a question on the linux pptp client. Hope someone can spend some of his time to answer my question or direct me to any site where I can find more information on the linux pptp client installation.

I downloaded the linux pptp client 1.0.2 by C.S. Ananian and tried to connect it to a PoPToP server. The server is running fine with the Windows VPN clients. I am using a modem to call.

When I run ./pptp pptpserver.xyx.com.my at the command prompt, I see this error log:

(unknown)[779]:log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]:client connection established
(unknown)[779]:log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]:outgoing call established
pppd[781]:pppd 2.3.11 started by root,uid 0
pppd[781]:using interface ppp1
connect:ppp1<->/dev/ttya0
kernel:ppp BSD compression module registered
kernel:ppp Deflate compression module registered
pppd[781]:Deflate (15) compression enabled
pppd[781]:peer is not authorised to use remote address 202.75.189.68
pppd[781]:connection terminated
pppd[781]:connect time 0.1 min
pppd[781]:sent 269bytes, received 346bytes
pppd[781]:exit
(unknown)[779]:log[pptp.read_some:pptp_ctrl.c:368]:read error:broken pipe.

What could be the problem? Can anyone help me on this?

thanks and regards

From fabrice at celestix.com Sun Aug 20 23:48:11 2000
From: fabrice at celestix.com (Fabrice MARIE)
Date: Mon, 21 Aug 2000 12:48:11 +0800
Subject: [pptp-server] mppe compression error
Message-ID: <00082112481108.00773@FUNKDaWaTER.celestix.com>

Hi,

Please forgive me if this was posted already, but I couldn't find such a problem in the archive. BTW, thanks again to the developers out there!!!

Ok, I've patched my pppd with ppp-2.3.10-openssl-norc4-mppe.patch and mppe_stateless.diff to support mschap-v2 & mppe. I recompiled the kernel etc... etc... etc.

Then I try to connect a Windows 2000 to a pptp 1.0.0 server with a cross-cable; everything works fine (mschap v2 + mppe 128 stateless). When I try *exactly* the same, but over the intranet (of course I changed the IP addresses), then the connection begins properly, I begin the download of a HUGE file through ftp to test, and then the download is stuck in the middle. The server console looks like that:

decomp err=-1 not compressed, rc_state bla bla.

(and then this line appears for every packet received by pptpd). The same happens with a Win98 instead of Win2000.

What's wrong with my mppe? Did I make a mistake in the patch? (I followed the HOWTO very closely without any problem though.) Is pptpd discarding a packet without telling me? Can anyone please enlighten me?

Since I'm not part of this mailing list, could you please CC me while answering (fabrice at celestix.com)?

Thank you very much in advance!!!!

Fabrice.
--

From john.hovell at home.com Mon Aug 21 01:00:08 2000
From: john.hovell at home.com (John Hovell)
Date: Sun, 20 Aug 2000 23:00:08 -0700
Subject: [pptp-server] Easy PPP question (using PoPToP)
Message-ID: <39A0C568.AF3D9BE4@home.com>

Hello all --

Usually when we have problems with computers, we think we have everything set up correctly, and we can't figure out why it *still* won't work. Well, my problem is that I have a setup that seems bizarre and incorrect; but it works.

Basically, I am configuring a PPTP gateway using PoPToP... and I am trying to decide what IP ranges I should use for local and remote. My masq'ed network on the PoPToP gateway is 172.16.0.0... and I assigned remote and local IP addresses _on_ this network. To my surprise, everything works fine. I was led somewhat vaguely by examples to believe that you are supposed to choose a new subnet for each (local and remote). (If I do that, it doesn't work... duh, unless you set the defroute on the client with PPP, it will never know where to send the data.)

Someone please help me out here. What would be intelligent and proper ranges to choose for local and remote? (I want communication from the PPTP client to the 172.16.0.0 network.)

Thanks...

-- John

P.S. If anyone has any tips on setting up MS VPNs with Linux using IPSec, I'm all ears... PGPNet is the biggest piece of junk I have ever seen. I got it to work successfully on 1 out of 4 computers I tested it with (and on 2 it completely disabled networking with 3com cards)... and I don't know of any alternatives. I am *really* scared to use MS PPTP for a VPN, considering what I read (dated 1998) here: http://www.counterpane.com/pptp-faq.html Does anyone know if this is still true? I mean, I might as well not apply the patch to include encryption... and I sure hope that this doesn't mean my PoPToP server is subject to the same DoS attacks that supposedly MS servers are prone to... I have tried everything... I even tried out my Checkpoint SecuRemote client that I have for the corporate LAN. sheesh...
I'm practically ready to write my own program to do this... and Win 2K supposedly is really not-so-compatible with L2TP, X.509, and Kerberos. You'd think there would be a real demand for this sort of thing. PPTP seems to me to be a deathtrap.

Thanks again for any suggestions/help...

From aaa at netman.dk Mon Aug 21 02:47:58 2000
From: aaa at netman.dk (Alaa Al Amood)
Date: Mon, 21 Aug 2000 09:47:58 +0200
Subject: [pptp-server] connect linux pptp client to linux pptp server
References: <8D2DA67F5637D311B12D0000F82107C10126B4D0@poaabc02.astro.com.my>
Message-ID: <39A0DEAE.8DB0D000@netman.dk>

Hi

How does /etc/ppp/options look? How did you use route?

regards
Alaa

"NG, Boon Teong" wrote:

> hello all,
>
> I just pick up Linux recently and have a question on the linux pptp client.
> Hope someone can spend some of his time to answer my question or direct me
> to any site where I can find more information on the linux pptp client
> installation.
>
> I downloaded a linux pptp client 1.0.2 by C.S Ananian and tried to connect
> it to a PoPToP server. The server is running fine using the windows VPN
> clients. I am using a modem to call.
>
> When I run ./pptp pptpserver.xyx.com.my at the command prompt, I see this
> error log
>
> (unknown)[779]:log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]:client
> connection established
> (unknown)[779]:log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]:outgoing call
> established
> pppd[781]:pppd 2.3.11 started by root,uid 0
> pppd [781]:using interface ppp1
> connect:ppp1<->/dev/ttya0
> kernel:ppp BSD compression module registered
> kernel:ppp Deflate compression module registered
> pppd[781]:Deflate (15) compression enabled
> pppd[781]:peer is not authorised to use remote address 202.75.189.68
> pppd[781]:connection terminated
> pppd[781]:connect time 0.1 min
> pppd[781]:sent 269bytes, received 346bytes
> pppd[781]:exit
> (unknown)[779]:log[pptp.read_some:pptp_ctrl.c:368]:read error:broken pipe.
>
> What could be the problem ? Can anyone help me on this ?
>
> thanks and regards

From boon-teong_ng at astro.com.my Mon Aug 21 03:18:16 2000
From: boon-teong_ng at astro.com.my (NG, Boon Teong)
Date: Mon, 21 Aug 2000 16:18:16 +0800
Subject: [pptp-server] connect linux pptp client to linux pptp server
Message-ID: <8D2DA67F5637D311B12D0000F82107C10126B4D3@poaabc02.astro.com.my>

Hi Alaa,

Thanks for the reply. I only see "lock" under /etc/ppp/options. May I know what route I require? The PPTP server is supposed to assign the IP address to my client when I log in.

thanks and regards

> -----Original Message-----
> From: Alaa Al Amood [SMTP:aaa at netman.dk]
> Sent: Monday, August 21, 2000 3:48 PM
> To: NG, Boon Teong
> Cc: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] connect linux pptp client to linux pptp server
>
> Hi
> How does /etc/ppp/options look like? How did you used route?
>
> regrads
> Alaa
>
> "NG, Boon Teong" wrote:
>
> > hello all,
> >
> > I just pick up Linux recently and have a question on the linux pptp client.
> > Hope someone can spend some of his time to answer my question or direct me
> > to any site where I can find more information on the linux pptp client
> > installation.
> >
> > I downloaded a linux pptp client 1.0.2 by C.S Ananian and tried to connect
> > it to a PoPToP server. The server is running fine using the windows VPN
> > clients. I am using a modem to call.
> >
> > When I run ./pptp pptpserver.xyx.com.my at the command prompt, I see this
> > error log
> >
> > (unknown)[779]:log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]:client
> > connection established
> > (unknown)[779]:log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]:outgoing call
> > established
> > pppd[781]:pppd 2.3.11 started by root,uid 0
> > pppd [781]:using interface ppp1
> > connect:ppp1<->/dev/ttya0
> > kernel:ppp BSD compression module registered
> > kernel:ppp Deflate compression module registered
> > pppd[781]:Deflate (15) compression enabled
> > pppd[781]:peer is not authorised to use remote address 202.75.189.68
> > pppd[781]:connection terminated
> > pppd[781]:connect time 0.1 min
> > pppd[781]:sent 269bytes, receiveed 346bytes
> > pppd[781]:exit
> > (unknown)[779]:log[pptp.read_some:pptp_ctrl.c:368]:read error:broken pipe.
> >
> > What could be the problem ? Can anyone help me on this ?
> >
> > thanks and regards
From klumpba at hotmail.com Mon Aug 21 09:36:54 2000
From: klumpba at hotmail.com (Brian Klump)
Date: Mon, 21 Aug 2000 14:36:54 GMT
Subject: [pptp-server] Speed Question
Message-ID:

Hello all...

I recently installed poptop on a RedHat 6.2 distro... the machine is a P3 550 w/256MB of RAM. However, when I try to access the VPN from home it seems ungodly slow. I turned off the MS encryption (I custom compiled the PPPd) and that helped, but it still seems super slow. I'm on a cable modem at home and the pptp server resides on a dedicated business DSL line behind a Linux firewall... also a RH 6.2, P3 550 128MB box. Other applications, such as HTTP and POP, seem fine.

When I look at the messages log I see a lot of "GRE out of order packets" in the log file. Has anyone had this problem, and is it something that I can fix, or do I just need a bigger pipe into the office?

Any help would be appreciated... thanks!

FYI, although it's slow, the VPN is really cool! It's neat to access the office files from home!

-Brian Klump

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From xsqian at gallantry.com Mon Aug 21 11:10:41 2000
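Two questions in this thread concern the GRE data channel: Charles Sinsofsky asked whether packets from several VPN users behind the same address can get confused, and Brian Klump sees "GRE out of order packets" in his log. The following is an added example, not code from pptpd or from the pptp client, showing how the enhanced GRE header of RFC 2637 (section 4) is parsed and how a server can demultiplex data packets by (peer address, call ID) and check the sequence number per call. The sample packets, the PPP bytes inside them and the 192.0.2.10 address are constructed here for the example.

```python
"""PPTP data channel: parse the enhanced GRE header (RFC 2637 section 4) and
track sequence numbers per (peer address, call ID).
Added example; not code from pptpd or the pptp client.  All packets below are
constructed in this file so that it runs offline."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PPTP_GRE_PROTO = 0x880B  # protocol type that carries PPP frames
FLAG_K = 0x20            # first byte: key field present (always set for PPTP)
FLAG_S = 0x10            # first byte: sequence number present (data packet)
FLAG_A = 0x80            # second byte: acknowledgment number present
GRE_VERSION = 1          # second byte, low 3 bits: "enhanced GRE"


@dataclass
class GrePacket:
    call_id: int
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Encode a PPTP GRE packet; used here only to construct sample input."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)
    b1 = GRE_VERSION | (FLAG_A if ack is not None else 0)
    pkt = struct.pack("!BBHHH", b0, b1, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        pkt += struct.pack("!I", seq)
    if ack is not None:
        pkt += struct.pack("!I", ack)
    return pkt + payload


def parse_pptp_gre(pkt: bytes) -> GrePacket:
    """Decode the header the server sees on every data packet; reject malformed input."""
    if len(pkt) < 8:
        raise ValueError("GRE header truncated")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO:
        raise ValueError("not PPTP GRE: protocol 0x%04x" % proto)
    if not (b0 & FLAG_K) or (b1 & 0x07) != GRE_VERSION:
        raise ValueError("key flag missing or not enhanced GRE")
    off = 8
    seq = ack = None
    if b0 & FLAG_S:
        if len(pkt) < off + 4:
            raise ValueError("sequence field truncated")
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if b1 & FLAG_A:
        if len(pkt) < off + 4:
            raise ValueError("ack field truncated")
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than its length field")
    return GrePacket(call_id, seq, ack, payload)


class CallTracker:
    """Demultiplex data packets by (peer address, call ID) and check their order.
    Two clients behind one NAT address share the peer address and differ only
    by call ID, so the key must include both."""

    def __init__(self) -> None:
        self.next_seq: Dict[Tuple[str, int], int] = {}

    def feed(self, peer: str, pkt: bytes) -> str:
        p = parse_pptp_gre(pkt)
        if p.seq is None:
            return "ack"                      # pure acknowledgment, no PPP data
        key = (peer, p.call_id)
        expected = self.next_seq.get(key)
        if expected is None or p.seq == expected:
            self.next_seq[key] = p.seq + 1
            return "in-order"
        if p.seq > expected:
            self.next_seq[key] = p.seq + 1    # something was lost or delayed: resync
            return "gap"
        return "out-of-order"                 # older than what was already delivered


def demo() -> List[str]:
    """Two calls from one NAT'd address (constructed), interleaved, with one late packet."""
    ppp = b"\xff\x03\x00\x21"  # PPP address/control + IP protocol, constructed filler
    peer = "192.0.2.10"
    frames = [
        build_pptp_gre(1, ppp + b"A", seq=0),
        build_pptp_gre(2, ppp + b"B", seq=0),
        build_pptp_gre(1, ppp + b"C", seq=1, ack=0),
        build_pptp_gre(2, ppp + b"D", seq=2),   # seq 1 of call 2 has not arrived
        build_pptp_gre(2, ppp + b"E", seq=1),   # it arrives late
        build_pptp_gre(1, b"", ack=1),          # acknowledgment only
    ]
    tracker = CallTracker()
    return [tracker.feed(peer, f) for f in frames]
```

The demux key is the answer to the first question: the server separates users by call ID, not by address, so a NAT in front of several clients has to keep their call IDs distinct. The "gap" result is what a missing or delayed packet looks like from the server side, and "out-of-order" is the late arrival of the packet that caused the gap.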
From: xsqian at gallantry.com (Xinshan Qian)
Date: Mon, 21 Aug 2000 09:10:41 -0700
Subject: [pptp-server] Is there somebody who installs pptpd with encryption on FreeBSD3.4?
Message-ID: <39A1547D.71166442@gallantry.com>

Hi,

Is there someone who has installed poptop with encryption on FreeBSD 3.4 successfully? I have set up a VPN connection with poptop without encryption on FreeBSD 3.4 and now I am trying to add the encryption. When I followed the steps of "FreeBSD3.4 and encryption" on the "http://www.moretonbay.com/vpn/download_pptp.html" page, I ran into many problems. So, I want to confirm whether there is somebody who has set up poptop with encryption on FreeBSD 3.4 successfully following the instructions on that page?

Thank you!

Xinshan

From gdunn at inscriber.com Mon Aug 21 11:19:11 2000
From: gdunn at inscriber.com (Graham Dunn)
Date: Mon, 21 Aug 2000 12:19:11 -0400
Subject: [pptp-server] Is there somebody who installs pptpd with encryption on FreeBSD3.4?
In-Reply-To: <39A1547D.71166442@gallantry.com>; from xsqian@gallantry.com on Mon, Aug 21, 2000 at 09:10:41AM -0700
References: <39A1547D.71166442@gallantry.com>
Message-ID: <20000821121911.C8707@inscriber.com>

The patch for mppe encryption to pppd only works under Linux. This is mentioned in the patch. As far as I know, there's no way to do mppe under FreeBSD (I did look at mpd, but I seem to recall the mppe code was removed). I'd love for someone to prove me wrong here.

Regards,
Graham

On Mon, Aug 21, 2000 at 09:10:41AM -0700, Xinshan Qian wrote:
> Hi,
>
> Is there someone who installs poptop with encryption on FreeBSD3.4
> successfully?
> I have setup a vpn connect with poptop without encryption on FreeBSD3.4
> and now I am trying to add the encryption. When I followed the step of
> "FreeBSD3.4 and encryption" on
> "http://www.moretonbay.com/vpn/download_pptp.html" page, I ran into many
> problems. So, I want to confirm if there is somebody who setups poptop
> with encryption on FreeBSD3.4 successfully follow the instruction on
> that page?

--
gdunn at inscriber.com    Graham Dunn   || ||| | ||| |||| | |||| |
PGP Key fingerprint = 3F 56 12 9B 8A E1 77 CB F0 62 94 B0 93 06 1E 88

From andrew.wood at datalexuk.com Mon Aug 21 11:25:42 2000
From: andrew.wood at datalexuk.com (Andrew Wood)
Date: Mon, 21 Aug 2000 17:25:42 +0100
Subject: [pptp-server] Unable to Ping Unix Boxes
Message-ID: <6F6EA5048A46D41184AF0006295717340D7F@dlukex01.tslheadoffice>

Howdy

I am running poptop on a RedHat Linux 6.2 box without encryption at the moment. I can connect with a Windows 2000 client no problem and can ping most of the machines in our internal network; however, we have 2 AIX boxes that I cannot ping. I assume this is because the AIX boxes do not have a route back to my PPTP client. The default routes on the AIX boxes allow me to ping everything else on our internal network ok, so I must be missing something somewhere.

Can anybody give me a pointer??

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286
FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

<<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>><<<<>>>><<<<>>
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender.
<<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>

From superhero21 at hotmail.com Mon Aug 21 13:05:53 2000
From: superhero21 at hotmail.com (Piti Cherntanomwong)
Date: Mon, 21 Aug 2000 18:05:53 GMT
Subject: [pptp-server] PPtP Client Problem
Message-ID:

Dear all,

I got a problem when I connect my pptp client to the pptpd server. I type ./pptp SERV_IP name USR_NAME remotename SERV_IP on my client. Then there is an error on my client side:

(unknown)[202]: log[pptp_read_some:pptp_ctrl.c:368]: read error: Broken pipe

What's going wrong?

Thank you very much

From gdunn at inscriber.com Mon Aug 21 13:38:57 2000
From: gdunn at inscriber.com (Graham Dunn)
Date: Mon, 21 Aug 2000 14:38:57 -0400
Subject: [pptp-server] FreeBSD3.4 and encryption
In-Reply-To: <39A1750E.D32BBF72@gallantry.com>; from xsqian@gallantry.com on Mon, Aug 21, 2000 at 11:29:36AM -0700
References: <39A1750E.D32BBF72@gallantry.com>
Message-ID: <20000821143857.B9055@inscriber.com>

Hrm. This is an error in the web page. It should read "FreeBSD-3.4 and _authentication_", not encryption. The method I sent only sets up pppd to do mschap/mschapv2, not mppe.

Sorry for the confusion,

Graham

On Mon, Aug 21, 2000 at 11:29:36AM -0700, Xinshan Qian wrote:
> Hi, Graham,
>
> Thank you for replying to me quickly. But I am confused by your
> mail.
>
> Was the next paragraph
> ("http://www.moretonbay.com/vpn/download_pptp.html") posted by you?
>
> " FreeBSD 3.4 and encryption
>
> thanks to Graham Dunn
> The Files:
> Makefile.bsd.patch
> stpcpy.c
> configure.freebsd-3.4.patch

--
gdunn at inscriber.com    Graham Dunn   || ||| | ||| |||| | |||| |
PGP Key fingerprint = 3F 56 12 9B 8A E1 77 CB F0 62 94 B0 93 06 1E 88

From owen at volta.net Mon Aug 21 14:04:48 2000
From: owen at volta.net (Owen O Byrne)
Date: Mon, 21 Aug 2000 20:04:48 +0100
Subject: [pptp-server] (no subject)
Message-ID:

Hello all,

Having a little trouble with a Win98 client connecting to pptp 1.0.0 running on FreeBSD 3.2. I've included files and logs below but I'm completely stumped as to the problem: the pptpd and pppd processes start up and work fine, but Win98 seems to never reply to the LCP ConfReq-uests (I've marked it out in the logs). Meanwhile back on the Win98 machine I get an error 645 after a 30 second timeout:

Dial-Up Networking could not complete the connection to the server. Check your configuration and try the connection again.

The strange thing is it worked for about half an hour before all this started happening. I've uninstalled and reinstalled VPN on the Win98 machine, with no success. Done the same thing with pptp on the FreeBSD box. Any ideas?

Thanks
Owen

---------------------------------------------------
Aug 21 19:57:26 venturi pptpd[14906]: MGR: Launching /usr/local/sbin/pptpctrl to handle client
Aug 21 19:57:26 venturi pptpd[14906]: CTRL: local address = 10.0.0.2
Aug 21 19:57:26 venturi pptpd[14906]: CTRL: remote address = 10.0.0.100
Aug 21 19:57:26 venturi pptpd[14906]: CTRL: Client 207.46.130.14 control connection started
Aug 21 19:57:26 venturi pptpd[14906]: CTRL: Received PPTP Control Message (type: 1)
Aug 21 19:57:26 venturi pptpd[14906]: CTRL: Made a START CTRL CONN RPLY packet
Aug 21 19:57:26 venturi pptpd[14906]: CTRL: I wrote 156 bytes to the client.
Aug 21 19:57:26 venturi pptpd[14906]: CTRL: Sent packet to client
Aug 21 19:57:29 venturi pptpd[14906]: CTRL: Received PPTP Control Message (type: 7)
Aug 21 19:57:29 venturi pptpd[14906]: CTRL: Set parameters to 0 maxbps, 16 window size
Aug 21 19:57:29 venturi pptpd[14906]: CTRL: Made a OUT CALL RPLY packet
Aug 21 19:57:29 venturi pptpd[14906]: CTRL: Starting call (launching pppd, opening GRE)
Aug 21 19:57:29 venturi pptpd[14906]: CTRL: pty_fd = 4
Aug 21 19:57:29 venturi pptpd[14906]: CTRL: tty_fd = 5
Aug 21 19:57:29 venturi pptpd[14907]: CTRL (PPPD Launcher): Connection speed = 115200
Aug 21 19:57:29 venturi pptpd[14906]: CTRL: I wrote 32 bytes to the client.
Aug 21 19:57:29 venturi pptpd[14907]: CTRL (PPPD Launcher): local address = 10.0.0.2
Aug 21 19:57:29 venturi pptpd[14906]: CTRL: Sent packet to client
Aug 21 19:57:29 venturi pptpd[14907]: CTRL (PPPD Launcher): remote address = 10.0.0.100
Aug 21 19:57:30 venturi pppd[14911]: pppd 2.3.5 started by root, uid 0
Aug 21 19:57:30 venturi pppd[14911]: Using interface ppp0
Aug 21 19:57:30 venturi pppd[14911]: Connect: ppp0 <--> /dev/ttyp1
Aug 21 19:57:30 venturi pppd[14911]: sent [LCP ConfReq id=0x1 ]
Aug 21 19:57:58 venturi last message repeated 9 times     <------- something wrong here methinks.... No reply from Win98....
Aug 21 19:57:58 venturi pppd[14911]: Modem hangup, connected for 1 minutes
Aug 21 19:57:58 venturi pppd[14911]: Connection terminated, connected for 1 minutes
Aug 21 19:57:59 venturi pppd[14911]: Exit.
Aug 21 19:58:00 venturi pptpd[14906]: CTRL: Received PPTP Control Message (type: 12)
Aug 21 19:58:00 venturi pptpd[14906]: CTRL: Made a CALL DISCONNECT RPLY packet
Aug 21 19:58:00 venturi pptpd[14906]: CTRL: Received CALL CLR request (closing call)
Aug 21 19:58:00 venturi pptpd[14906]: CTRL: I wrote 148 bytes to the client.
Aug 21 19:58:00 venturi pptpd[14906]: CTRL: Sent packet to client
Aug 21 19:58:00 venturi pptpd[14906]: CTRL: Error with select(), quitting
Aug 21 19:58:00 venturi pptpd[14906]: CTRL: Client 207.46.130.14 control connection finished
Aug 21 19:58:00 venturi pptpd[14906]: CTRL: Exiting now
Aug 21 19:58:00 venturi pptpd[11952]: MGR: Reaped child 14906
---------------------------

From jason at sohonetworks.cc Mon Aug 21 15:29:19 2000
From: jason at sohonetworks.cc (Jason Osborne)
Date: Mon, 21 Aug 2000 15:29:19 -0500
Subject: [pptp-server] connection closing because of select() error. please help
Message-ID:

I keep getting this error when I try to connect:

pptpd[4734]: CTRL: Starting call (launching pppd, opening GRE)
pppd[4735]: pppd 2.3.10 started by root, uid 0
pppd[4735]: Using interface ppp1
pppd[4735]: Connect: ppp1 <--> /dev/pts/2
pptpd[4734]: CTRL: Error with select(), quitting
pptpd[4734]: CTRL: Client 4.35.114.34 control connection finished
pppd[4735]: Modem hangup
pppd[4735]: Connection terminated.
pppd[4735]: Exit.

Here is my options file:

lock
modem
crtscts
asyncmap 20A0000
noipdefault
defaultroute
debug
user lcarpet
noauth

and the pptpd.conf file:

speed 115200
option /etc/ppp/options.vpn
debug
localip 192.168.0.200-230,192.168.0.1
remoteip 192.168.1.200-230,192.168.1.1

What could be wrong here? I couldn't find the answer to this problem anywhere.

--
Jason Osborne - CIO/Network Technician
Phone: 972-306-6176
Cell: 214-284-3337
Web Address: http://www.sohonetworks.cc
E-mail Address: jason at sohonetworks.cc

From michael_scholl at ctsius.com Mon Aug 21 18:36:23 2000
From: michael_scholl at ctsius.com (Michael Scholl)
Date: Mon, 21 Aug 2000 16:36:23 -0700
Subject: [pptp-server] Help Me
Message-ID: <025801c00bc8$9edca940$0f00a8c0@schollhome.com>

I am running Red Hat 6.2 with kernel 2.2.16 from kernel.org with the pptp patch applied. I have followed all the instructions in JHardin's directions. I have done the following:

Linux firewall with NT Server running RAS and PPTP, trying to connect with a Win98 client with the Connection Manager loaded.

# Port forwarding
ipmasqadm portfw -a -P tcp -L externalip 1723 -R internalip 1723

I've checked with ipmasqadm portfw -L; the forwarding is in place.

# GRE forwarding
ipfwd --masq pptpserver internal ip 47 &

# Firewall input rules
ipchains -A input -p 47 -j ACCEPT
ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 1723 -d 0.0.0.0/0

# Firewall output rules
ipchains -A output -p 47 -j ACCEPT
ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723

# Firewall masquerading rules
ipchains -A forward -j MASQ -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723
ipchains -A forward -p 47 -j MASQ

To me everything looks right. I checked my messages log and I see the following messages:

Aug 17 08:24:26 firewall kernel: ip_masq_gre(): creating GRE masq for (Internal PPTP server) ---> (remote IP address) CID-0 MCID=6FC4

followed shortly by

Aug 17 08:25:10 firewall kernel: ip_demasq_gre: (remote ip) --> (internal PPTP server) CID=0 no masq table, discarding

Help please.

Best Regards,

Michael Scholl
CTSI Moving the world
CTSI-Los Angeles
Tel: (800) 231-CTSI (2874)
Tel: (310) 631-2856
Fax: (310) 631-5602
Email: michael_scholl at ctsius.com
Visit our web site: www.ctsi-logistics.com

From Steve.Cowles at gte.net Tue Aug 22 00:31:18 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Tue, 22 Aug 2000 00:31:18 -0500
Subject: [pptp-server] Help Me
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4CC@defiant.dsl.gtei.net>

Michael,

I am a little confused by the wording of your post. If I understand it correctly:

1) You have a Linux box acting as a firewall with JHardin's patches applied to the kernel.
2) The firewall is NOT running Poptop locally.
3) The ipchains rules (shown) are for forwarding a PPTP connection from a remote external Win98 system to an internally masq'd NT RAS server configured to receive PPTP connections.

Based on the above assumptions, I can offer a few suggestions since I run a similar setup. (see my inserts below)

Steve Cowles

----------------------------------
----------------------------------

> #Port Forwarding
> ipmasqadm portfw -a -P tcp -L externalip 1723 -R internalip 1723

Syntactically correct given the following:
1) External IP should be the external IP address of the Linux firewall.
2) Internal IP should be the IP address of the NT RAS server.

> # GRE forwarding
> ipfwd --masq pptpserver internal ip 47 &

Syntactically correct given the following:
1) Internal IP should be the IP address of the NT RAS server.

> # Firewall Input Rules
> ipchains -A input -p 47 -j ACCEPT
> ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 1723 -d 0.0.0.0/0

The above rules are only needed if your default "input" policy is set to DENY. As far as the rules shown, I believe the destination (-d) address needs the 1723, not the source (-s).

> # Firewall Output rules
> ipchains -A output -p 47 -j ACCEPT
> ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723

If your "input" policy is set to DENY, then the above rules can be replaced with...

ipchains -A output -i eth1 -j ACCEPT

> # Firewall Masquerading rules
> ipchains -A forward -j MASQ -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723
> ipchains -A forward -p 47 -j MASQ

Huh!!! Exactly what are you trying to masq with the above two rules?

The first rule (typically) should have the source (-s) address set to the internal LAN's network address/netmask, i.e. 192.168.1.0/24. Also, the 1723 at the end of this rule should be deleted along with specifying a protocol. FWIW: ipmasqadm is masqing and forwarding port 1723.

EX: ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0

The second rule serves no purpose if I understand your post correctly and should be deleted. ipfwd (above) is masqing proto 47. Also, this rule is probably causing the error message mentioned below.

> I checked my messages log I see the following messages
>
> Aug 17 08:24:26 firewall kernel: ip_masq_gre(): creating GRE masq for
> (Internal PPTP server) ---> (remote IP address) CID-0 MCID=6FC4
>
> followed shortly by
>
> Aug 17 08:25:10 firewall kernel: ip_demasq_gre: (remote ip) --> (internal
> PPTP server) CID=0 mo masq table, discarding

Based on the above rules, the error message shown usually means... that the kernel is trying to de-masq a packet of data that it never masq'd in the first place. Given your forwarding rules as shown above, I'm not surprised.

FWIW: You might want to check out http://seawall.soruceforge.net
Seawall will execute the appropriate proto/port ipchains rules for Poptop connections for both local PPTP servers running on a firewall and masq'd PPTP servers behind a firewall. Seawall is also very well documented and executes a stronger set of firewall rules along with running the appropriate ipfwd and ipmasqadm commands by simply editing a configuration file. This is what I use!!

From Steve.Cowles at gte.net Tue Aug 22 00:45:31 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Tue, 22 Aug 2000 00:45:31 -0500
Subject: FW: [pptp-server] Help Me
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4CD@defiant.dsl.gtei.net>

Sorry for responding to my own post, but the link I referenced below has a typo. It should be http://seawall.sourceforge.net

Steve Cowles

> FWIW: You might want to check out http://seawall.soruceforge.net
> Seawall will execute the appropriate proto/port ipchains rules for
> Poptop connections for both local PPTP servers running on a
> firewall and masq'd PPTP servers behind a firewall. Seawall is also
> very well documented and executes a stronger set of firewall rules
> along with running the appropriate ipfwd and ipmasqadm commands by
> simply editing a configuration file. This is what I use!!

From jesussoro at hotmail.com Tue Aug 22 06:35:00 2000
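Editor's added example, placed here between the messages; it is not code from this thread, from Seawall or from the PPTP masq patch. Steve's diagnosis of Michael's log (the kernel de-masquerading a GRE packet it never masqueraded) is a correlation a script can do for you: read the firewall's messages log, pair every "ip_demasq_gre ... no masq table, discarding" line with the "ip_masq_gre(): creating GRE masq" entry for the same server/peer pair, and report which case you are in. The script assumes the two messages have the shape Michael posted, with dotted-quad addresses where his post shows parenthesised placeholders; the lines in SAMPLE_LOG are constructed.

```python
"""Correlate ip_masq_gre / ip_demasq_gre kernel messages from a 2.2.x masquerading
firewall carrying a PPTP tunnel: for every (internal server, remote peer) pair, say
whether the GRE packets the kernel discarded ever had an outbound masq entry to match.
Added example; not code from the thread, from Seawall or from the PPTP masq patch."""
import re
from collections import OrderedDict

# Assumed line shapes: the post shows both messages with the addresses replaced by
# parenthesised placeholders; dotted quads are expected in those positions here.
# "CID-" (as typed in the post) and "CID=" are both accepted.
MASQ_RE = re.compile(
    r"ip_masq_gre\(\): creating GRE masq for (\S+) ---> (\S+) "
    r"CID[=-]([0-9A-Fa-f]+) MCID=([0-9A-Fa-f]+)")
DEMASQ_RE = re.compile(
    r"ip_demasq_gre: (\S+) --> (\S+) CID=([0-9A-Fa-f]+) (?:no|mo) masq table, discarding")


def diagnose(lines):
    """Return one record per (internal, remote) pair in first-seen order."""
    pairs = OrderedDict()

    def rec(internal, remote):
        return pairs.setdefault((internal, remote), {
            "internal": internal, "remote": remote, "masq_created": False,
            "mcid": None, "discards": 0, "discard_cids": [], "verdict": "ok"})

    for line in lines:
        m = MASQ_RE.search(line)
        if m:
            internal, remote, _cid, mcid = m.groups()
            r = rec(internal, remote)
            r["masq_created"], r["mcid"] = True, mcid.upper()
            continue
        m = DEMASQ_RE.search(line)
        if m:
            remote, internal, cid = m.groups()      # direction is reversed on the way back
            r = rec(internal, remote)
            r["discards"] += 1
            r["discard_cids"].append(cid.upper())

    for r in pairs.values():
        if r["discards"] == 0:
            continue
        if not r["masq_created"]:
            r["verdict"] = ("no outbound GRE masq entry for this pair: GRE from the peer "
                            "reached the firewall but nothing masqueraded the server's GRE "
                            "towards that peer (ipfwd not running, or no forward rule)")
        else:
            r["verdict"] = ("masq entry existed (MCID=%s) but return GRE with CID=%s matched "
                            "no table entry: entry lost, or the outbound GRE was masqueraded "
                            "by a rule the PPTP masq module does not track"
                            % (r["mcid"], "/".join(sorted(set(r["discard_cids"])))))
    return list(pairs.values())


# Constructed sample, shaped like the two lines in the post but with real-looking addresses.
SAMPLE_LOG = """\
Aug 17 08:24:26 firewall kernel: ip_masq_gre(): creating GRE masq for 192.168.1.10 ---> 203.0.113.7 CID=0 MCID=6FC4
Aug 17 08:25:10 firewall kernel: ip_demasq_gre: 203.0.113.7 --> 192.168.1.10 CID=0 no masq table, discarding
Aug 17 08:31:02 firewall kernel: ip_demasq_gre: 198.51.100.23 --> 192.168.1.10 CID=0 no masq table, discarding
""".splitlines()

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in diagnose(src):
        print("%s <-> %s  masq=%s discards=%d  %s" % (
            r["internal"], r["remote"], r["masq_created"], r["discards"], r["verdict"]))
```

Run it as "python3 gre_masq_check.py /var/log/messages" on the firewall. The first sample pair reproduces Michael's situation (an entry was created, the return packet still found nothing); the second shows the other common case, return GRE for a peer that never had an entry, which points at ipfwd or the forward chain rather than at the PPTP masq module.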
From: jesussoro at hotmail.com (jesus soro)
Date: Tue, 22 Aug 2000 11:35:00 GMT
Subject: [pptp-server] wnt4 problems
Message-ID:

I have achieved connecting the win98 vpn clients to the pptp linux server. Now I want to set up a VPN between an NT client & PoPToP linux server running suse 6.4 with ms-chap & MPPE. I'm trying to connect a win nt 4.0 client but I have pptp problems. I pass the authentication but I don't receive the options. The pptpd logfile says (logfile attached):

Aug 21 17:21:04 fw2 pppd[1464]: sent [CHAP Success id=0x1 "Welcome to fw2."]
Aug 21 17:21:05 fw2 pppd[1464]: cbcp_open
Aug 21 17:21:05 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:05 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds
Aug 21 17:21:05 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:05 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:05 fw2 pppd[1464]: MSCHAP peer authentication succeeded for jsoro
Aug 21 17:21:08 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:08 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:21:08 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:08 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Received PPTP Control Message (type: 5)
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Made a ECHO RPLY packet
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: I wrote 20 bytes to the client.
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Sent packet to client
Aug 21 17:21:11 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:11 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:21:11 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:11 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:14 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:19:56 fw2 pptpd[1222]: CTRL: I wrote 20 bytes to the client.
Aug 21 17:19:56 fw2 pptpd[1222]: CTRL: Sent packet to client
Aug 21 17:19:58 fw2 pppd[1462]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:19:58 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:19:58 fw2 pppd[1462]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:19:58 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:20:01 fw2 pppd[1462]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:20:01 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:20:01 fw2 pppd[1462]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:20:01 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:20:04 fw2 pppd[1462]: IPCP: timeout sending Config-Requests
Aug 21 17:20:04 fw2 pppd[1462]: cbcp_lowerdown
Aug 21 17:20:04 fw2 pppd[1462]: Untimeout 0x8050ba0:0x807a640.
Aug 21 17:20:04 fw2 pppd[1462]: sent [LCP TermReq id=0x3 "No network protocols running"]
Aug 21 17:20:04 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a2c0 in 3 seconds.
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Received PPTP Control Message (type: 15)
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 21 17:20:04 fw2 pppd[1462]: rcvd [LCP TermAck id=0x3]
Aug 21 17:20:04 fw2 pppd[1462]: rcvd [LCP TermAck id=0x3]
Aug 21 17:20:04 fw2 pppd[1462]: Untimeout 0x8050ba0:0x807a2c0.
Aug 21 17:20:04 fw2 pppd[1462]: Connection terminated.
Aug 21 17:20:04 fw2 pppd[1462]: Connect time 0.6 minutes.
Aug 21 17:20:04 fw2 pppd[1462]: Sent 998 bytes, received 196 bytes.
Aug 21 17:20:04 fw2 pppd[1462]: Exit.
Aug 21 17:20:04 fw2 pptpd[1461]: GRE: read(fd=5,buffer=804dac0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Client 195.77.129.65 control connection finished
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Exiting now

Any ideas?

Thanks

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From gerhard.possler at westernacher.de Tue Aug 22 09:42:31 2000
From: gerhard.possler at westernacher.de (gerhard.possler at westernacher.de)
Date: Tue, 22 Aug 2000 15:42:31 +0100
Subject: [pptp-server] (no subject)
Message-ID:

Hi all,

(hope I read John Harding's howto carefully....) but I have a problem with my firewall box. Here is the config:

                   <---MASQ
PC with win2k -----eth0 Linux Firewall eth1---- PPTP-Server (Linux)
192.168.0.2        192.168.0.1 | 192.168.251.20  192.168.251.5

Routing is set correctly; after

echo 1 > /proc/sys/net/ipv4/ip_forward

I can ping, telnet and pptp to the PPTP-Server from the PC with win2k. Masquerading is also correct: when I start an FTP server on the win2k PC and ftp to 192.168.0.2, the source of the ftp request is the Linux firewall (192.168.0.1). Your patch applied successfully (no errors), kernel is 2.2.14-SUSE.

I start a script called fwon (to activate ipchains, etc):

#!/bin/bash
#
# (c) Gerhard Possler 2000
#
EXTIP="192.168.0.1"           # external IP address, public
INTIP="192.168.251.20"        # internal IP address, private
INTNET="192.168.251.0/24"     # internal net, private
PPTPSERVER="192.168.251.5"    # pptp server, private
# PPTPCLIENT="0.0.0.0"        # pptp client, public, if known

# forwarding and masq
echo 1 > /proc/sys/net/ipv4/ip_forward

# clear ipmasqadm portfw and ipchains
/usr/sbin/ipmasqadm portfw -f
/sbin/ipchains -F

# define new portfw
/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 1723 -R $PPTPSERVER 1723
/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 10000 -R $PPTPSERVER 10000

# masq and modules
/sbin/ipchains -M -S 7200 10 160
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_pptp.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_ipsec.o
# /sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_generic.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_autofw.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_mfw.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_portfw.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_cuseeme.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_ftp.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_irc.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_user.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_quake.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_raudio.o
/sbin/insmod /lib/modules/2.2.14/ipv4/ip_masq_vdolive.o

/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY

# Filter rules
/sbin/ipchains -A input -j ACCEPT
# /sbin/ipchains -A output -d $INTNET -j ACCEPT
# /sbin/ipchains -A output -s $INTNET -d 0.0.0.0/0 -j MASQ
/sbin/ipchains -A forward -d $INTNET -j DENY -l
/sbin/ipchains -A forward -s $INTNET -d 0.0.0.0/0 -j MASQ -l

# forward GRE
/usr/sbin/ipfwd --debug --syslog --masq $PPTPSERVER 47 &
# end

After starting this script the Linux firewall seems to work for 1-2 minutes, then "hangs up". Nothing to see, nothing moves. No entries in /var/log/messages...

Do you have any idea? Can you help me?

With kind regards
------------------------------------------------------------------------
Gerhard Possler
"Wer neue Wege geht, braucht starke Partner." (Whoever takes new paths needs strong partners.)
Westernacher AG
Am Hubengut 3
76149 Karlsruhe, Germany
phone: +49-721/9772-0
fax: +49-721/9772-188
http://www.westernacher.de

From mconcann at BayNetworks.COM Tue Aug 22 09:33:33 2000
From: mconcann at BayNetworks.COM (Michael Concannon)
Date: Tue, 22 Aug 2000 10:33:33 -0400
Subject: [pptp-server] Firewall GRE
Message-ID: <39A28F3D.AF3BBB20@baynetworks.com>

On to the next level... I am getting the following error(s):

LCP: timeout sending Config-Requests
GRE: read(******) from PTY failed: status -1 error = Input/output error
CTRL: PTY read or GRE write failed (pty,gre)=(4,5)

when I try to connect from behind another firewall to my server out on the internet. I have opened up my server (too much, for the sake of debugging) with the following IPCHAINS rules (this is the target PPTP server as well):

ipchains -A input
ipchains -A output
ipchains -A forward -j ACCEPT
ipchains -A forward -p 47 -j ACCEPT

The forwarding should not be required as this is the same machine that is running the pptpd server, but I did it anyway. So, this machine is wide open.

My first question is: could the firewall I am sitting behind (with my 98 client) be blocking the type 47 communication? My current setup looks like this:

98 client<--->firewall <---internet---> PPTP/IPCHAINS server

I cannot see why that would be the case...

Some config info:

Server:
  linux 2.2.16
  pptpd/pppd patched/updated per FAQ
  Server is both masquerade box and PPTP server (for now).

Client:
  win98 PPTP

***** I am able to connect in a "loopback" mode from home using this same client (from behind the PPTP/IPCHAINS server above).

Thoughts?

Thanks again,
/mike

From mconcann at BayNetworks.COM Tue Aug 22 09:44:20 2000
From: mconcann at BayNetworks.COM (Michael Concannon)
Date: Tue, 22 Aug 2000 10:44:20 -0400
Subject: [pptp-server] was ->Firewall GRE
Message-ID: <39A291C4.E8D83EC0@baynetworks.com>

>My first question is could the firewall I am sitting behind (with my 98
>client) be blocking the type 47 communication? My current setup looks
>like this:
>98 client<--->firewall <---internet---> PPTP/IPCHAINS server
>
>I cannot see why that would be the case...

Ok.. I guess I can... I was thinking of outgoing traffic, not what might return for a handshake.. So I am up a creek on this one, right?

Thanks,
/mike

From Steve.Cowles at gte.net Tue Aug 22 09:59:45 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Tue, 22 Aug 2000 09:59:45 -0500
Subject: [pptp-server] Firewall GRE
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4CF@defiant.dsl.gtei.net>

> -----Original Message-----
> From: Michael Concannon [mailto:mconcann at BayNetworks.COM]
> Sent: Tuesday, August 22, 2000 9:34 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Firewall GRE
>
> My first question is could the firewall I am sitting behind
> (with my 98 client) be blocking the type 47 communication?

If this firewall has not been patched with John Hardin's PPTP masq patches, then the answer to your question is YES. Check out http://www.wolfenet.com/~jhardin/ip_masq_vpn.html on installing this patch and loading the ip_masq_pptp.o module.

> My current setup looks like this:
> 98 client<--->firewall <---internet---> PPTP/IPCHAINS server
>
> I cannot see why that would be the case...
>
> Some config info:
> Server:
> linux 2.2.16
> pptpd/pppd patched.updated per FAQ
> Server is both masquerade box and PPTP server (for now).

If I understand your setup, this is the PopTop server and it's sitting directly on the internet. Just make sure its firewall rules include ACCEPTing port 1723 and proto 47 on the external interface. Since it is sitting directly on the internet, it does NOT need John Hardin's patches installed. If you ever move the PopTop server behind this firewall, then you will need to install the JHardin patch.

Steve Cowles

From thomask at aesbus.com Tue Aug 22 10:11:56 2000
From: thomask at aesbus.com (Thomas Klettke)
Date: Tue, 22 Aug 2000 10:11:56 -0500
Subject: [pptp-server] NT domain logon via PoPToP
Message-ID: <000b01c00c4b$505ebb40$5602a8c0@thomaska.shadow.aesbus.com>

I've set up a VPN with PoPToP (Win98 client via DSL to Linux Mandrake 7.1 server, chap). Connecting works fine, I get an IP address, and I use win-dns in /etc/ppp/options to submit DNS. No problems with pinging machines from the client to the remote subnet.

My problem is the authentication by the NT domain server on the remote network (PDC only, no BDC present). After establishing the tunnel I am prompted to enter username, password and domain for the NT server, yet I get the answer back that the domain controller can't be contacted. In the PDC's logfile however I see an entry acknowledging a successful logon from the win98 client with the correct username.

I have no problem mapping drives on NT servers, and I have the correct permissions when accessing those shares, just as I would locally. However, browsing the Network Neighborhood doesn't show anything but the local win98 client. (And yes, the settings for workgroup and domain as well as for dns are correct - checked that already.)

Could it be resolved by activating Samba on the VPN server, using its WINS proxy? But then - I don't even have WINS installed anywhere on the NT domain. Or could one of the "browse list" options in Samba help with it?

Thanks for any help.

Thomas

Thomas Klettke
Network Administrator
Aesbus Knowledge Solutions
4606 FM1960 West, Suite 610
Houston, TX 77069
phone: +1 (281) 587-2247 ext 111
fax: +1 (281) 587-1593
fax in Deutschland: (089) 2443 - 10378

From Steve.Cowles at gte.net Tue Aug 22 15:20:12 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Tue, 22 Aug 2000 15:20:12 -0500
Subject: [pptp-server] NT domain logon via PoPToP
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4D6@defiant.dsl.gtei.net>

In order to authenticate to an NT PDC across a VPN, you will need to enable a WINS server on your LAN. I'm not aware of any way around this requirement (unless you want to create an LMHOSTS file on the remote) since MS Networking uses broadcast packets to build the browser list. Broadcast packets are not routed across your VPN tunnel. So when your client system sends out its broadcast packet to "ask" where the PDC is to authenticate, it will never get a response. FWIW: This is exactly why MS developed WINS servers.

Based on your post, you have a few choices:

1) Enable a WINS server on your NT PDC.
2) Enable the WINS server component of Samba.
3) Create an LMHOSTS file on the remote and enter the proper PDC record (1Ch).

If you do decide to implement a WINS server, then in your /etc/ppp/options file, specify the ms-wins option and set it to the IP address of the WINS server you installed from above.

Steve Cowles

-----Original Message-----
From: Thomas Klettke [mailto:thomask at aesbus.com]
Sent: Tuesday, August 22, 2000 10:12 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] NT domain logon via PoPToP

I've set up a VPN with PoPToP (Win98 client via DSL to Linux Mandrake 7.1 server, chap). Connecting works fine, I get an IP address, and I use win-dns in /etc/ppp/options to submit DNS. No problems with pinging machines from the client to the remote subnet.

My problem is the authentication by the NT domain server on the remote network (PDC only, no BDC present). After establishing the tunnel I am prompted to enter username, password and domain for the NT server, yet I get the answer back that the domain controller can't be contacted. In the PDC's logfile however I see an entry acknowledging a successful logon from the win98 client with the correct username.

I have no problem mapping drives on NT servers, and I have the correct permissions when accessing those shares, just as I would locally. However, browsing the Network Neighborhood doesn't show anything but the local win98 client. (And yes, the settings for workgroup and domain as well as for dns are correct - checked that already.)

Could it be resolved by activating Samba on the VPN server, using its WINS proxy? But then - I don't even have WINS installed anywhere on the NT domain. Or could one of the "browse list" options in Samba help with it?

Thanks for any help.

Thomas

From csa998360 at ait.ac.th Tue Aug 22 14:20:28 2000
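Editor's added example, placed between the messages; it is not code from this thread or from any product named in it. All three of Steve's options come down to one thing: the Win98 client must resolve the group name DOMAIN<1C> (the domain-controller record) to the PDC's address without a subnet broadcast, because the broadcast never crosses the tunnel. This Python script does what a WINS client does for that lookup: it builds an NBNS name query with the RFC 1001/1002 first-level name encoding, sends it to the WINS server on UDP port 137 (query_wins), and parses the NB resource record in the reply. make_sample_reply() is a constructed WINS reply used only to exercise the parser offline; the domain name ATG and the 128.1.6.x addresses are assumptions.

```python
"""Resolve DOMAIN<1C> the way a WINS client does: NBNS query to UDP/137 and parse of the
NB record in the reply.  Added example; not code from the thread or from WINS/Samba."""
import socket
import struct

NB_RR_TYPE = 0x0020                 # NetBIOS general name service resource record
IN_CLASS = 0x0001
SUFFIX_DOMAIN_CONTROLLERS = 0x1C    # the group record WINS answers with the DC list


def encode_name(name, suffix):
    """RFC 1001 first-level encoding: 15-byte space-padded name + suffix byte,
    each byte split into two nibbles, each nibble added to 'A' (0x41)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(out) + b"\x00"       # length 32, 32 chars, root label


def decode_name(enc):
    if len(enc) < 34 or enc[0] != 0x20:
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[1 + 2 * i] - 0x41) << 4) | (enc[2 + 2 * i] - 0x41) for i in range(16))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_query(domain, txid):
    # flags 0x0100: opcode QUERY, recursion desired, B (broadcast) bit clear,
    # i.e. a directed query to a WINS server rather than a subnet broadcast.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(domain, SUFFIX_DOMAIN_CONTROLLERS) + struct.pack("!HH", NB_RR_TYPE, IN_CLASS)
    return header + question


def _skip_name(data, off):
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:               # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def parse_reply(data, txid):
    """Return [(ip, is_group)] from the NB record; [] on a negative reply (RCODE != 0)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # name, then QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype != NB_RR_TYPE:
            continue
        for i in range(0, rdlen, 6):            # NB_FLAGS(2) + NB_ADDRESS(4) per entry
            nb_flags = struct.unpack("!H", rdata[i:i + 2])[0]
            addrs.append((socket.inet_ntoa(rdata[i + 2:i + 6]), bool(nb_flags & 0x8000)))
    return addrs


def query_wins(wins_ip, domain, txid=0x1234, timeout=2.0):
    """Live lookup against a WINS server (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain, txid), (wins_ip, 137))
        data, _ = s.recvfrom(1024)
    return parse_reply(data, txid)


def make_sample_reply(txid, domain, ips):
    """Constructed positive reply shaped like a WINS answer: flags 0x8580 (response,
    authoritative, RD/RA, RCODE 0), no question echoed, one NB record listing the DCs
    with NB_FLAGS 0xE000 (group name, H-node)."""
    rdata = b"".join(struct.pack("!H", 0xE000) + socket.inet_aton(ip) for ip in ips)
    rr = (encode_name(domain, SUFFIX_DOMAIN_CONTROLLERS)
          + struct.pack("!HHIH", NB_RR_TYPE, IN_CLASS, 300000, len(rdata)) + rdata)
    return struct.pack("!HHHHHH", txid, 0x8580, 0, 1, 0, 0) + rr


if __name__ == "__main__":
    reply = make_sample_reply(0x1234, "ATG", ["128.1.6.5"])   # assumed domain and PDC address
    print("ATG<1C> ->", parse_reply(reply, 0x1234))
```

From the VPN client, query_wins("<wins ip>", "<domain>") should return the PDC's address with is_group True; an empty list means the PDC never registered its 1C record with that WINS server, and the logon will fail exactly as Thomas describes even though the tunnel is up. The address you pass here is the one that belongs in the ms-wins option of /etc/ppp/options.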
From: csa998360 at ait.ac.th (Piti Cherntanomwong)
Date: Wed, 23 Aug 2000 02:20:28 +0700
Subject: [pptp-server] PPtP Client: Broken pipe problem
Message-ID: <200008230220.AA26935472@student.ait.ac.th>

Dear,

I got some problem when I connect my pptp client to the pptpd server. I type

./pptp SERV_IP name USR_NAME remotename SERV_IP

on my client. Then there is an error on my client side:

(unknown)[202]: log pptp_read_some:pptp_ctrl.c:368]: read error: Broken pipe

What is going wrong?

Thank you very much

From cliles at gw.total-web.net Tue Aug 22 22:26:32 2000
From: cliles at gw.total-web.net (Chris)
Date: Tue, 22 Aug 2000 20:26:32 -0700
Subject: [pptp-server] PDC login
Message-ID: <002301c00cb3$66630aa0$2c64ed0a@jojostomp.net>

How do you get the win98/95/NT/2000 client to log in to a PDC through the vpn?

From ricardo at chapman-freeborn.es Wed Aug 23 02:22:27 2000
From: ricardo at chapman-freeborn.es (Ricardo Ranero)
Date: Wed, 23 Aug 2000 09:22:27 +0200
Subject: [pptp-server] No Answer
Message-ID: <003201c00cd2$e4c8bc40$c801a8c0@ricardo>

After having set up a VPN network with Windows NT SBS, from the client side (NT SBS) I can connect fine a few times, but after some successful connections the dial-up entry for the PPTP link gives me a 678 error message: There is no answer. I can ping my server and it works fine, but the dial-up no longer connects until I reboot the server.

Any help?

Thanks in advance

Ricardo Ranero
Valencia-Spain

From jesussoro at hotmail.com Wed Aug 23 05:56:25 2000
From: jesussoro at hotmail.com (jesus soro)
Date: Wed, 23 Aug 2000 10:56:25 GMT
Subject: [pptp-server] client NT4 problems
Message-ID:

I have achieved connecting the win98 vpn clients to the pptp linux server. Now I want to set up a VPN between an NT client & PoPToP linux server running suse 6.4 with ms-chap & MPPE. I'm trying to connect a win nt 4.0 client but I have pptp problems. I pass the authentication but I don't receive the options. The pptpd logfile says (logfile attached):

Aug 21 17:21:04 fw2 pppd[1464]: sent [CHAP Success id=0x1 "Welcome to fw2."]
Aug 21 17:21:05 fw2 pppd[1464]: cbcp_open
Aug 21 17:21:05 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:05 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds
Aug 21 17:21:05 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:05 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:05 fw2 pppd[1464]: MSCHAP peer authentication succeeded for jsoro
Aug 21 17:21:08 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:08 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:21:08 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:08 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Received PPTP Control Message (type: 5)
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Made a ECHO RPLY packet
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: I wrote 20 bytes to the client.
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Sent packet to client
Aug 21 17:21:11 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:11 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:21:11 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:11 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:14 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:19:56 fw2 pptpd[1222]: CTRL: I wrote 20 bytes to the client.
Aug 21 17:19:56 fw2 pptpd[1222]: CTRL: Sent packet to client
Aug 21 17:19:58 fw2 pppd[1462]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:19:58 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:19:58 fw2 pppd[1462]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:19:58 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:20:01 fw2 pppd[1462]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:20:01 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:20:01 fw2 pppd[1462]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:20:01 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:20:04 fw2 pppd[1462]: IPCP: timeout sending Config-Requests
Aug 21 17:20:04 fw2 pppd[1462]: cbcp_lowerdown
Aug 21 17:20:04 fw2 pppd[1462]: Untimeout 0x8050ba0:0x807a640.
Aug 21 17:20:04 fw2 pppd[1462]: sent [LCP TermReq id=0x3 "No network protocols running"]
Aug 21 17:20:04 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a2c0 in 3 seconds.
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Received PPTP Control Message (type: 15)
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 21 17:20:04 fw2 pppd[1462]: rcvd [LCP TermAck id=0x3]
Aug 21 17:20:04 fw2 pppd[1462]: rcvd [LCP TermAck id=0x3]
Aug 21 17:20:04 fw2 pppd[1462]: Untimeout 0x8050ba0:0x807a2c0.
Aug 21 17:20:04 fw2 pppd[1462]: Connection terminated.
Aug 21 17:20:04 fw2 pppd[1462]: Connect time 0.6 minutes.
Aug 21 17:20:04 fw2 pppd[1462]: Sent 998 bytes, received 196 bytes.
Aug 21 17:20:04 fw2 pppd[1462]: Exit.
Aug 21 17:20:04 fw2 pptpd[1461]: GRE: read(fd=5,buffer=804dac0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Client 195.77.129.65 control connection finished
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Exiting now

Any ideas?

Thanks

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From andrew.wood at datalexuk.com Wed Aug 23 06:44:54 2000
From: andrew.wood at datalexuk.com (Andrew Wood)
Date: Wed, 23 Aug 2000 12:44:54 +0100
Subject: [pptp-server] Encryption & RH6.2
Message-ID: <6F6EA5048A46D41184AF0006295717340D8E@DLUKEX01>

Is anybody using encryption with RH6.2? I have read the RedHat-PoPToP HOWTO but this seems to assume RH6.1 or below. Do I need to miss some steps or need different versions than mentioned??

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286
FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

<<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>>
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender.
<<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>>

From kennya at carlislefsp.com Wed Aug 23 08:11:11 2000
From: kennya at carlislefsp.com (Kenny Austin)
Date: Wed, 23 Aug 2000 08:11:11 -0500
Subject: [pptp-server] Encryption & RH6.2
In-Reply-To: <6F6EA5048A46D41184AF0006295717340D8E@DLUKEX01>
Message-ID: <001b01c00d03$9c8af7f0$5f020a0a@kennya>

I am. I found this in the archive and it worked pretty well...

http://lists.schulte.org/pipermail/pptp-server/2000-June/002488.html

Would be nice if someone would stick it on the main website; it took me a little time to find it.

Kenny

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Andrew Wood
Sent: Wednesday, August 23, 2000 6:45 AM
To: PPTP Mailing List (E-mail)
Subject: [pptp-server] Encryption & RH6.2

Is anybody using encryption with RH6.2? I have read the RedHat-PoPToP HOWTO but this seems to assume RH6.1 or below. Do I need to miss some steps or need different versions than mentioned??

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286
FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

<<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>>
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender.
<<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>><<<<>>>>

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From jshackelford at orsys.com Wed Aug 23 12:15:07 2000
From: jshackelford at orsys.com (Jason Shackelford)
Date: Wed, 23 Aug 2000 10:15:07 -0700
Subject: [pptp-server] Telnet, Ftp connections are being dropped at random
Message-ID:

I have a masquerading firewall running RedHat 6.2. It is also running PPTPD from the RPM. I have gotten windows clients to connect fine. The vpn connection seems to stay very solid. I am opening telnet sessions within that tunnel and they are getting kicked off at random. It doesn't seem to be a timeout issue. The people can even be doing work when it kicks them off. I ran some tests and found out that it is not happening to FTP. I am running more tests to see if it has anything to do with the Solaris server we are connecting to. After the telnet connection is lost, the VPN connection is still up and running fine. Telnet connects right back up if you re-open the session.

Any help would be greatly appreciated.

From tfindlay at prodevelop.com.au Wed Aug 23 09:21:03 2000
From: tfindlay at prodevelop.com.au (Timothy Findlay)
Date: Thu, 24 Aug 2000 00:21:03 +1000
Subject: [pptp-server] Can't Find PDC ?!?
Message-ID: <39A3DDCE.CFB61BA8@prodevelop.com.au>

Hi,

I know there's lots of other messages out there about this sorta one, so I'll keep it brief. I'm aiming for:

Win98 -----"Internet"----> Linux Firewall + pptp -------"Private Network"-----> NT PDC

I've got 2 NICs in the Linux box, one with a real IP and one with a private thingo, and it logs in ok, and I can ping around the network, I can web-browse around our internal network, but I can't browse, and when I try to connect directly like going Start->Run and entering \\machine_name\ to get a list of shares it kinda blinks back and forth for a bit and comes up with a box asking me for a password for the \\machine_name\$IPC thing.

As I know it, this means I haven't logged into the PDC.

Here's what my log files say:

/var/log/messages

Aug 24 00:19:20 ATGWEBSRV1 pptpd[2312]: CTRL: Client 203.43.154.163 control connection started
Aug 24 00:19:20 ATGWEBSRV1 pptpd[2312]: CTRL: Starting call (launching pppd, opening GRE)
Aug 24 00:19:20 ATGWEBSRV1 pppd[2313]: pppd 2.3.11 started by root, uid 0
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: Using interface ppp0
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: Connect: ppp0 <--> /dev/pts/1
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: CHAP peer authentication succeeded for ATG\\timf
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: found interface eth1 for proxy arp
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: local IP address 128.1.6.26
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: remote IP address 128.1.6.27
Aug 24 00:19:22 ATGWEBSRV1 kernel: NAT: 0 dropping untracked packet c1aa34a0 1 128.1.6.27 -> 224.0.0.2
Aug 24 00:19:25 ATGWEBSRV1 kernel: NAT: 0 dropping untracked packet c1b36660 1 128.1.6.27 -> 224.0.0.2
Aug 24 00:19:28 ATGWEBSRV1 kernel: NAT: 0 dropping untracked packet c10dea80 1 128.1.6.27 -> 224.0.0.2

and my /var/log/pptpd.log

Aug 24 00:19:20 ATGWEBSRV1 pptpd[2312]: CTRL: Client control connection started
Aug 24 00:19:20 ATGWEBSRV1 pptpd[2312]: CTRL: Starting call (launching pppd, opening GRE)
Aug 24 00:19:20 ATGWEBSRV1 pppd[2313]: pppd 2.3.11 started by root, uid 0
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: Using interface ppp0
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: Connect: ppp0 <--> /dev/pts/1
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [LCP ConfReq id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: rcvd [LCP ConfReq id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [LCP ConfAck id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: rcvd [LCP ConfAck id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [CHAP Challenge id=0x1 <132f0ecdd083f8b5a8f1e8dfd764c53257>, name = "ATGWEBSRV1"]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: rcvd [CHAP Response id=0x1 <98b48e181afb2698d7024217009a122a>, name = "ATG\\timf"]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [CHAP Success id=0x1 "Welcome to ATGWEBSRV1."]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [IPCP ConfReq id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [CCP ConfReq id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: CHAP peer authentication succeeded for ATG\\timf
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: rcvd [IPCP ConfReq id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [IPCP ConfNak id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: rcvd [IPCP ConfRej id=0x1 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [IPCP ConfReq id=0x2 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: rcvd [IPCP ConfReq id=0x2 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: sent [IPCP ConfAck id=0x2 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: rcvd [IPCP ConfAck id=0x2 ]
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: found interface eth1 for proxy arp
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: local IP address 128.1.6.26
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: remote IP address 128.1.6.27
Aug 24 00:19:21 ATGWEBSRV1 pppd[2313]: Script /etc/ppp/ip-up started (pid 2314)
Aug 24 00:19:22 ATGWEBSRV1 pppd[2313]: Script /etc/ppp/ip-up finished (pid 2314), status = 0x0

Thanks heaps for all your help in advance!

Regards,
Tim.

From NorthwestFrog at home.com Wed Aug 23 10:28:29 2000
From: NorthwestFrog at home.com (Jean-Francois Gagnon)
Date: Wed, 23 Aug 2000 08:28:29 -0700
Subject: [pptp-server] Win98SE2 PPTP connection problem with Encryption
Message-ID: <000001c00d16$ca0f0f00$0201a8c0@olmpi1.wa.home.com>

Hi,

I am unable to create a pptp connection with encryption turned on: error 691 in the dialup networking. In /var/log/pptpd.log:

Aug 23 05:43:31 C410745-A pptpd[7179]: CTRL: Client 192.168.1.2 control connection started
Aug 23 05:43:31 C410745-A pptpd[7179]: CTRL: Starting call (launching pppd, opening GRE)
Aug 23 05:43:31 C410745-A modprobe: modprobe: Can't locate module char-major-108
Aug 23 05:43:32 C410745-A pptpd[7179]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 23 05:43:32 C410745-A pptpd[7179]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Aug 23 05:43:32 C410745-A pptpd[7179]: CTRL: Client 192.168.1.2 control connection finished

My kernel is 2.2.16 and ppp is 2.3.10. I installed the various patches as indicated in the HOWTO.

Settings in pptpd.options:

auth
#require-chap
#require-chapms
#require-chapms-v2
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

BTW if I only have +chap turned on and no encryption except for the password, I can connect with no problem... No problems with my firewall either.

Thanks for the help

Jean-Francois Gagnon

From Steve.Cowles at gte.net Wed Aug 23 10:56:50 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Wed, 23 Aug 2000 10:56:50 -0500
Subject: [pptp-server] Can't Find PDC ?!?
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4D9@defiant.dsl.gtei.net>

> -----Original Message-----
> From: Timothy Findlay [mailto:tfindlay at prodevelop.com.au]
> Sent: Wednesday, August 23, 2000 9:21 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Can't Find PDC ?!?
>
> Hi,
>
> I know there's lots of other messages out there about this
> sorta one, so I'll keep it brief. I'm aiming for :
>
> Win98 -----"Internet"----> Linux Firewall + pptp -------"Private Network"-----> NT PDC
>
> I've got 2 NIC's in the Linux box, one with a real IP and one with a
> private thingo, and it logs in ok, and I can ping around the
> network, I can web-browse around our internal network, but I can't
> browse, and when I try to connect directly like going Start->Run
> and entering \\machine_name\ to get a list of shares it kinda blinks
> back and forth for a bit and comes up with a box asking me for a
> password for the \\machine_name\$IPC thing.
>
> As I know it, this means I haven't logged into the PDC.

Without a WINS server on your local LAN, authenticating to a PDC (over a VPN) is next to impossible unless you're willing to create a LMHOSTS file that contains the PDC entry, i.e. the 1Ch record. To understand why... read some of my previous posts on this subject.

Based on your pppd connection log file shown in this post, the "ms-wins" option was set to 128.1.6.7.

1) Is there an active WINS server running at this address?
2) Does this WINS server's database contain the 1Ch record for the MS Domain that you are trying to authenticate against? It should point to the PDC's ip address.
3) Is the client PC that has established the VPN configured to authenticate against this MS Domain?

Steve Cowles

From andrew.wood at datalexuk.com Wed Aug 23 11:07:06 2000
From: andrew.wood at datalexuk.com (Andrew Wood)
Date: Wed, 23 Aug 2000 17:07:06 +0100
Subject: [pptp-server] Authentication
Message-ID: <6F6EA5048A46D41184AF0006295717340D92@DLUKEX01>

I may be reading this wrong, but if I want to authenticate Windows clients it seems to require me to put an entry into the chap-secrets file for each user I want to connect and put their password in there also. Is this right??? Doesn't seem very secure.

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286
FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

From jesussoro at hotmail.com Wed Aug 23 11:37:21 2000
From: jesussoro at hotmail.com (jesus soro)
Date: Wed, 23 Aug 2000 16:37:21 GMT
Subject: [pptp-server] linux2linux
Message-ID:

I want to connect my remote office with a linux pptp client to the central office with the pptp linux server. I have established the pptp connection but I don't know how to route the traffic from the remote LAN to the pptp tunnel.

Any ideas?

Thanks

From philv at ridgerun.com Wed Aug 23 11:53:47 2000
From: philv at ridgerun.com (Phil Verghese)
Date: Wed, 23 Aug 2000 10:53:47 -0600
Subject: [pptp-server] Encryption & RH6.2
In-Reply-To: <001b01c00d03$9c8af7f0$5f020a0a@kennya>
Message-ID:

I found this message the most helpful, and it should be on the main website.
http://lists.schulte.org/pipermail/pptp-server/2000-August/002981.html

Phil

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Kenny Austin
> Sent: Wednesday, August 23, 2000 7:11 AM
> To: pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] Encryption & RH6.2
>
> I am. I found this on the archive and it worked pretty well...
> http://lists.schulte.org/pipermail/pptp-server/2000-June/002488.html
> Would be nice if someone would stick it on the main website, took
> me a little time to find it.
> Kenny
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Andrew Wood
> Sent: Wednesday, August 23, 2000 6:45 AM
> To: PPTP Mailing List (E-mail)
> Subject: [pptp-server] Encryption & RH6.2
>
> Is anybody using encryption with RH6.2?
>
> I have read the RedHat-PoPToP HOWTO but this seems to assume
> RH6.1 or below.
> Do I need to miss some steps or need different versions than mentioned ??
>
> Andrew Wood
> System Administrator
> Datalex UK, Sunley Tower
> Piccadilly Plaza, Manchester, M1 4BT
> TEL: 0161 2282286
> FAX: 0161 2282900
> http://www.datalexuk.com
> mailto:andrew.wood at datalexuk.com

From jason at sohonetworks.cc Wed Aug 23 14:20:15 2000
From: jason at sohonetworks.cc (Jason Osborne)
Date: Wed, 23 Aug 2000 14:20:15 -0500
Subject: [pptp-server] Repost: connection closing because of select() error. please help
Message-ID:

Anyone have an answer or reference for this?

I keep getting this error when I try to connect:
pptpd[4734]: CTRL: Starting call (launching pppd, opening GRE)
pppd[4735]: pppd 2.3.10 started by root, uid 0
pppd[4735]: Using interface ppp1
pppd[4735]: Connect: ppp1 <--> /dev/pts/2
pptpd[4734]: CTRL: Error with select(), quitting
pptpd[4734]: CTRL: Client 4.35.114.34 control connection finished
pppd[4735]: Modem hangup
pppd[4735]: Connection terminated.
pppd[4735]: Exit.

Here is my options file:
lock
modem
crtscts
asyncmap 20A0000
noipdefault
defaultroute
debug
user lcarpet
noauth

and the pptpd.conf file:
speed 115200
option /etc/ppp/options.vpn
debug
localip 192.168.0.200-230,192.168.0.1
remoteip 192.168.1.200-230,192.168.1.1

What could be wrong here? I couldn't find the answer to this problem anywhere.

--
Jason Osborne - CIO/Network Technician
Phone: 972-306-6176
Cell: 214-284-3337
Web Address: http://www.sohonetworks.cc
E-mail Address: jason at sohonetworks.cc

From JKreger at cicteam.com Wed Aug 23 17:27:07 2000
From: JKreger at cicteam.com (Justin Kreger)
Date: Wed, 23 Aug 2000 18:27:07 -0400
Subject: [pptp-server] Authentication
Message-ID: <6B8A85826C35D31193BD0090278589C80FE5DF@CIC-EXCHANGE>

You can patch pppd so that it authenticates off of your smbpasswd file for chap secrets.

-LW

-----Original Message-----
From: Andrew Wood
To: PPTP Mailing List (E-mail)
Sent: 8/23/00 12:07 PM
Subject: [pptp-server] Authentication

I may be reading this wrong, but if I want to authenticate Windows clients it seems to require me to put an entry into the chap-secrets file for each user I want to connect and put their password in there also. Is this right??? Doesn't seem very secure.

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286
FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

From Steve.Cowles at gte.net Wed Aug 23 17:59:49 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Wed, 23 Aug 2000 17:59:49 -0500
Subject: [pptp-server] linux2linux
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4DB@defiant.dsl.gtei.net>

I'm confused on what you're referring to as remote lan. The central office LAN or the LAN where the pptp client is running.

If you're referring to the LAN where the PPTP client is running routing to the Central Office, then...

The pptp client does NOT add the network route automatically when the tunnel is brought up. Thus you will need to add this route manually. I simply wrote a script to 1) bring up the tunnel (pptp client) and 2) add the network route.

Say that your central office lan's address is 192.168.1.0/24 and your linux system running the pptp client is assigned an address of 192.168.1.51 after the tunnel is brought up, you would then execute the following (as root) to add the network route to the system running pptp client. I'm going from memory here... but I think this is correct syntax:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.51
or
route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0

Now if you're referring to the "Central Office" LAN systems being able to route back to your pptp client, then the PopTop server "MUST" be setup to proxyarp for your remote ip address. In your /etc/ppp/options file, make sure you include the "proxyarp" option. You can tell if pppd (PopTop) is properly assigning eth* to act as a proxyarp for your connection by examining /var/log/messages and looking for a line that says something like "Found eth* for proxyarp" shortly after the lines that specify the local/remote ip addresses when the tunnel is brought up.

BTW: If PopTop is running on the linux firewall, the proper ipchain rules "might" need to be added. Your post does not mention any relevant info regarding this area.

Steve Cowles

> -----Original Message-----
> From: jesus soro [mailto:jesussoro at hotmail.com]
> Sent: Wednesday, August 23, 2000 11:37 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] linux2linux
>
> I want to connect my remote office with a linux pptp client
> to the central office with the pptp linux server. I have
> established the pptp connection but I don't know how to route
> the traffic from the remote LAN to the pptp tunnel.
>
> Any ideas?
>
> Thanks

From csa998360 at ait.ac.th Thu Aug 24 04:05:17 2000
From: csa998360 at ait.ac.th (csa998360 at ait.ac.th)
Date: Thu, 24 Aug 2000 16:05:17 +0700 (GMT+0700)
Subject: [pptp-server] PPtP linux client
Message-ID: <967107917.39a4e54d20b9f@compserv.ait.ac.th>

Dear all,

I got the problem with pptp linux client. When I run
" ./pptp SERVER_IP_ADDRESS name USER_NAME remotename SERVER_IP_ADDRESS"
and then run
" route add -host SERVER_IP_ADDRESS gw GATEWAY_ADDRESS"
I got some error:
(unknown)[148]: log [pptp_dispatch_ctrl_packet:pptp_ctrl.c:549]: Client connection established.
(unknown)[148]: log [pptp_dispatch_ctrl_packet:pptp_ctrl.c:655]: Outgoing call established.
(unknown)[148]: log[pptp_conn_close:pptp_ctrl.c:275]: Closing PPTP connection

On my server side, the log file /var/log/pptpd.log shows
Aug 24 14:50:27 octopus pptpd[13030]: CTRL: Client 192.41.170.17 control connection started
Aug 24 14:50:27 octopus pptpd[13030]: CTRL: Received PPTP Control Message (type: 1)
Aug 24 14:50:27 octopus pptpd[13030]: CTRL: Made a START CTRL CONN RPLY packet
Aug 24 14:50:27 octopus pptpd[13030]: CTRL: I wrote 156 bytes to the client.
Aug 24 14:50:27 octopus pptpd[13030]: CTRL: Sent packet to client
Aug 24 14:50:28 octopus pptpd[13030]: CTRL: Received PPTP Control Message (type: 7)
Aug 24 14:50:28 octopus pptpd[13030]: CTRL: Set parameters to 152 maxbps, 3 window size
Aug 24 14:50:28 octopus pptpd[13030]: CTRL: Made a OUT CALL RPLY packet
Aug 24 14:50:28 octopus pptpd[13030]: CTRL: Starting call (launching pppd, opening GRE)
Aug 24 14:50:28 octopus pptpd[13030]: CTRL: pty_fd = 5
Aug 24 14:50:28 octopus pptpd[13030]: CTRL: tty_fd = 6
Aug 24 14:50:28 octopus pptpd[13031]: CTRL (PPPD Launcher): Connection speed = 115200
Aug 24 14:50:28 octopus pptpd[13031]: CTRL (PPPD Launcher): local address = 192.41.170.18
Aug 24 14:50:28 octopus pptpd[13031]: CTRL (PPPD Launcher): remote address = 192.41.170.17
Aug 24 14:50:28 octopus pptpd[13030]: CTRL: I wrote 32 bytes to the client.
Aug 24 14:50:28 octopus pptpd[13030]: CTRL: Sent packet to client
Aug 24 14:50:30 octopus pptpd[13030]: GRE: Discarding duplicate packet
Aug 24 14:51:28 octopus pptpd[13030]: CTRL: Received PPTP Control Message (type: 5)
Aug 24 14:51:28 octopus pptpd[13030]: CTRL: Made a ECHO RPLY packet
Aug 24 14:51:28 octopus pptpd[13030]: CTRL: I wrote 20 bytes to the client.
Aug 24 14:51:28 octopus pptpd[13030]: CTRL: Sent packet to client
Aug 24 14:52:30 octopus pptpd[13030]: CTRL: Received PPTP Control Message (type: 12)
Aug 24 14:52:30 octopus pptpd[13030]: CTRL: Made a CALL DISCONNECT RPLY packet
Aug 24 14:52:30 octopus pptpd[13030]: CTRL: Received CALL CLR request (closing call)
Aug 24 14:52:30 octopus pptpd[13030]: CTRL: I wrote 148 bytes to the client.
Aug 24 14:52:30 octopus pptpd[13030]: CTRL: Sent packet to client
Aug 24 14:52:30 octopus pptpd[13030]: CTRL: Error with select(), quitting
Aug 24 14:52:30 octopus pptpd[13030]: CTRL: Client 192.41.170.17 control connection finished
Aug 24 14:52:30 octopus pptpd[13030]: CTRL: Exiting now
Aug 24 14:52:30 octopus pptpd[11719]: MGR: Reaped child 13030

Does anyone face this problem? How can I solve it?

Thank you very much

From jesussoro at hotmail.com Thu Aug 24 04:57:11 2000
From: jesussoro at hotmail.com (jesus soro)
Date: Thu, 24 Aug 2000 09:57:11 GMT
Subject: [pptp-server] linux2linux
Message-ID:

Thanks to Steve Cowles, Marcus Rapp and Jason Shakelford for their help, but we still need a little more. I have a picture of the connection we are implementing.

                PC
                |192.168.129.2
                |
   |____________|___________|
        |
        |192.168.129.1           192.168.29.102
   Linux pptp client........................
        |195.77.129.64                      .
        |                                   .
  ______|______                             .
 /             \                            .
|               |                           .
|   INTERNET    |                           . PPTP connection
|               |                           .
 \_____________/                            .
        |                                   .
        |195.77.129.59                      .
   Linux pptp server........................
        | 192.168.29.100
        |                     192.168.29.0
   |____|_______________|
   |................|

The routes done are:
Linux pptp client:
route add -net 192.168.29.0 netmask 255.255.255.0 gw 192.168.29.100
Linux pptp server:
route add -net 19.168.129.0 netmask 255.255.255.0 gw 192.168.29.102

After this, we can make pings from linux pptp client to the PC and to the 192.168.29.0 intranet, but we cannot make ping from linux pptp server to the PC, nor from the PC to linux pptp server or the 192.168.29.0 Intranet.

Any ideas?

Thanks

>From: "Cowles, Steve"
>To: "'pptp-server at lists.schulte.org'"
>CC: "'jesus soro'"
>Subject: RE: [pptp-server] linux2linux
>Date: Wed, 23 Aug 2000 17:59:49 -0500
>
>I'm confused on what you're referring to as remote lan. The central office
>LAN or the LAN where the pptp client is running.
>
>If you're referring to the LAN where the PPTP client is running routing to
>the Central Office, then...
>
>The pptp client does NOT add the network route automatically when the
>tunnel is brought up. Thus you will need to add this route manually. I simply
>wrote a script to 1) bring up the tunnel (pptp client) and 2) add the network
>route.
>
>Say that your central office lan's address is 192.168.1.0/24 and your linux
>system running the pptp client is assigned an address of 192.168.1.51 after
>the tunnel is brought up, you would then execute the following (as root) to
>add the network route to the system running pptp client.
>
>I'm going from memory here... but I think this is correct syntax
>
>route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.51
> or
>route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0
>
>Now if you're referring to the "Central Office" LAN systems being able to
>route back to your pptp client, then the PopTop server "MUST" be setup to
>proxyarp for your remote ip address. In your /etc/ppp/options file, make
>sure you include the "proxyarp" option. You can tell if pppd (PopTop) is
>properly assigning eth* to act as a proxyarp for your connection by
>examining /var/log/messages and looking for a line that says something like
>"Found eth* for proxyarp" shortly after the lines that specify the
>local/remote ip addresses when the tunnel is brought up. BTW: If PopTop is
>running on the linux firewall, the proper ipchain rules "might" need to be
>added. Your post does not mention any relevant info regarding this area.
>
>Steve Cowles
>
> > -----Original Message-----
> > From: jesus soro [mailto:jesussoro at hotmail.com]
> > Sent: Wednesday, August 23, 2000 11:37 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] linux2linux
> >
> > I want to connect my remote office with a linux pptp client
> > to the central office with the pptp linux server. I have
> > established the pptp connection but I don't know how to route
> > the traffic from the remote LAN to the pptp tunnel.
> >
> > Any ideas?
> >
> > Thanks

From Stefan.Strehle at JAW.AT Thu Aug 24 05:35:29 2000
From: Stefan.Strehle at JAW.AT (Strehle Stefan)
Date: Thu, 24 Aug 2000 12:35:29 +0200
Subject: [pptp-server] PPTP client -> NT RAS
Message-ID:

I know this is slightly off-topic, but this setup is driving me crazy....

I try to connect with my pptp client to a NT RAS. If I connect to my PPTP linux server everything works fine (including bsd+mppe). But with my NT RAS there are always LCP timeouts. A NT client is connecting fine though. I searched through the archives, usenet, inet and found several posts which deal with this problem, but with no real solution.

My config files:

-/etc/ppp/options (tried a few)
noauth
lock
nodetach
default-asyncmap
passive
defaultroute
noipdefault
noauth

-/etc/ppp/chap-secrets (with tabs)
* domain\\my_user passwd *
domain\\my_user * passwd *
* my_user passwd *
my_user * passwd *

-command line (tried name and different options as well):
pptp server_IP debug user my_user

-errors:
Using interface ppp0
Connect: ppp0 <--> /dev/ttya0
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
sent [LCP ConfReq id=0x1 ]
LCP: timeout sending Config-Requests
Terminating on signal 2.
Terminating on signal 15.
Connection terminated.

Any response is welcome!

Stefan

From dave.mills at fortel.com Thu Aug 24 14:41:51 2000
From: dave.mills at fortel.com (Dave Mills)
Date: Thu, 24 Aug 2000 20:41:51 +0100
Subject: [pptp-server] PPTPD on Solaris 8I
Message-ID:

Hello,

I notice from the Moretonbay website that Solaris 2.6 is supported. Has anyone tried it on Solaris 8 (Intel) yet? Any advice would be appreciated.

Cheers
Dave Mills

From hartmann.schaffer at mikotel.com Thu Aug 24 15:10:59 2000
From: hartmann.schaffer at mikotel.com (Hartmann Schaffer)
Date: Thu, 24 Aug 2000 16:10:59 -0400
Subject: [pptp-server] GRE error
Message-ID: <200008242010.QAA19534@develop.leadsource.ca>

I have noticed quite a number of messages about this problem. I ran into it myself and dug a little bit into it by running an strace on pptpctrl.

It turns out that the problem appears when pppd tries to send an error message via stderr, which is passed from pptpctrl by dup2-ing the slave terminal of the pty. The same slave terminal is also dup2-ed to stdout (of pppd). When pppd tries to write to stderr, it blows up with a broken pipe.

I strongly suspect that there is a problem with Unix98 ptys when you have two file descriptors connecting to the same pty (I was digging around in pppd as well and noticed that they have special treatment for ptys in quite a number of places, so there must be something special about them). Unfortunately I have been unable to find any documentation about the Unix98 ptys; does anybody have any suggestions?

If my suspicion is correct, the best way to deal with it (short of fixing up ptys if that is possible) is to change pptpctrl to open two pty / tty pairs, so that it can pass two different ttys to pppd on stdout and stderr (maybe a simple pipe would be good enough for stderr), use select (or poll) to catch the datastream from pppd, and merge the two streams when sending to the other end of the connection.

Hartmann Schaffer
Mikotel Networks Inc.

From jvonau at home.com Thu Aug 24 19:19:24 2000
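An added illustration, not pptpd's or pptpctrl's own code, of the launcher shape the post above proposes: the child (standing in for pppd) gets the pty slave on stdout only, its stderr goes to an ordinary pipe, and the parent merges the two streams with select(). The shell command used as the child is constructed for the demonstration; a real launcher would exec pppd and forward the merged bytes into the GRE side.

```c
#define _XOPEN_SOURCE 700   /* posix_openpt/grantpt/unlockpt/ptsname */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototypes so the block also builds when a header was pulled in
 * before the feature macro above (compatible with glibc's own declarations). */
int posix_openpt(int oflag);
int grantpt(int fd);
int unlockpt(int fd);
char *ptsname(int fd);

/* Run `cmd` under /bin/sh with stdout on a Unix98 pty slave and stderr on a
 * separate pipe, never the same descriptor twice.  Bytes arriving on either
 * side are appended to `out` (NUL-terminated) in arrival order.
 * Returns the number of bytes collected, or -1 if setup failed. */
ssize_t run_merged(const char *cmd, char *out, size_t cap)
{
    int master, errpipe[2];
    const char *slave_name;
    pid_t pid;
    size_t used = 0;
    int pty_live = 1, pipe_live = 1;

    if (cap == 0)
        return -1;
    master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0 ||
        (slave_name = ptsname(master)) == NULL || pipe(errpipe) < 0) {
        close(master);
        return -1;
    }
    pid = fork();
    if (pid < 0) {
        close(master); close(errpipe[0]); close(errpipe[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: stdout -> pty slave (its controlling tty), stderr -> pipe */
        int slave;
        setsid();
        slave = open(slave_name, O_RDWR);
        if (slave < 0)
            _exit(127);
        close(master);
        close(errpipe[0]);
        dup2(slave, STDOUT_FILENO);
        dup2(errpipe[1], STDERR_FILENO);
        if (slave > STDERR_FILENO) close(slave);
        if (errpipe[1] > STDERR_FILENO) close(errpipe[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    /* parent: keep the two read ends and multiplex them with select() */
    close(errpipe[1]);
    while ((pty_live || pipe_live) && used < cap - 1) {
        fd_set rfds;
        int maxfd = -1;
        FD_ZERO(&rfds);
        if (pty_live) { FD_SET(master, &rfds); maxfd = master; }
        if (pipe_live) { FD_SET(errpipe[0], &rfds); if (errpipe[0] > maxfd) maxfd = errpipe[0]; }
        if (select(maxfd + 1, &rfds, NULL, NULL, NULL) < 0)
            break;
        if (pty_live && FD_ISSET(master, &rfds)) {
            /* on Linux the master read fails with EIO once the slave is closed */
            ssize_t n = read(master, out + used, cap - 1 - used);
            if (n <= 0) pty_live = 0; else used += (size_t)n;
        }
        if (pipe_live && FD_ISSET(errpipe[0], &rfds)) {
            ssize_t n = read(errpipe[0], out + used, cap - 1 - used);
            if (n <= 0) pipe_live = 0; else used += (size_t)n;
        }
    }
    out[used] = '\0';
    close(master);
    close(errpipe[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)used;
}

/* Self-check: both the stdout line and the stderr line must reach the
 * parent, and the child must get past its stderr write.  Returns 1 on success. */
int merged_capture_ok(void)
{
    char buf[512];
    /* constructed stand-in for pppd: one line per stream, then a final line */
    ssize_t n = run_merged("echo out-line; echo err-line 1>&2; echo done", buf, sizeof buf);
    if (n <= 0)
        return 0;
    return strstr(buf, "out-line") != NULL && strstr(buf, "err-line") != NULL
        && strstr(buf, "done") != NULL;
}

int main(void)
{
    int ok = merged_capture_ok();
    printf("%s\n", ok ? "both streams merged through select()" : "FAILED");
    return ok ? 0 : 1;
}
```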
From: jvonau at home.com (Jerry Vonau)
Date: Thu, 24 Aug 2000 19:19:24 -0500
Subject: [pptp-server] PPTP client -> NT RAS
References:
Message-ID: <39A5BB8C.839091E2@home.com>

I was playing around with these last night. The combo that worked for me is:

ppp options:
lock
noauth
debug
user DOMAIN\\user #domain s/b upper
password USERPASSWORD #s/b upper
noauth
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
lcp-echo-failure 10
lcp-echo-interval 5
proxyarp

On the command line:
/usr/sbin/pptp IP ADDRESS lock noauth debug user DOMAIN\\user +chapms-v2 mppe-128 mppe-stateless noauth

Just my 2 cents worth, good luck, your mileage may vary.

Jerry

Strehle Stefan wrote:
> I know this is slightly off-topic, but this setup is driving me crazy....
>
> I try to connect with my pptp client to a NT RAS. If I connect to my PPTP
> linux server everything works fine (including bsd+mppe). But with my NT RAS
> there are always LCP timeouts. A NT client is connecting fine though. I
> searched through the archives, usenet, inet and found several posts which
> deal with this problem, but with no real solution.
>
> My config files:
> -/etc/ppp/options (tried a few)
> noauth
> lock
> nodetach
> default-asyncmap
> passive
> defaultroute
> noipdefault
> noauth
>
> -/etc/ppp/chap-secrets (with tabs)
> * domain\\my_user passwd *
> domain\\my_user * passwd *
> * my_user passwd *
> my_user * passwd *
>
> -command line (tried name and different options as well):
>
> pptp server_IP debug user my_user
>
> -errors:
>
> Using interface ppp0
> Connect: ppp0 <--> /dev/ttya0
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> sent [LCP ConfReq id=0x1 ]
> LCP: timeout sending Config-Requests
> Terminating on signal 2.
> Terminating on signal 15.
> Connection terminated.
>
> Any response is welcome!
>
> Stefan

From veste at gmx.at Fri Aug 25 02:34:36 2000
From: veste at gmx.at (stefan vetter)
Date: Fri, 25 Aug 2000 09:34:36 +0200
Subject: [pptp-server] (no subject)
Message-ID: <4.3.2.7.0.20000825093409.00acf3c0@proxy>

hi

I'm trying to compile the whole thing on a RH with 2.2.14 kernel, and it works all well until the modules. I'm getting the following error message:

# make modules SUBDIRS=drivers/net/
make -C drivers/net CFLAGS="-Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -fno-strength-reduce -m486 -malign-loops=0 -malign-jumps=0 -malign-functions=0 -DCPU=686 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.2.14/include/linux/modversions.h" MAKING_MODULES=1 modules
make[1]: Entering directory `/usr/src/linux-2.2.14/drivers/net'
gcc -D__KERNEL__ -I/usr/src/linux-2.2.14/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -fno-strength-reduce -m486 -malign-loops=0 -malign-jumps=0 -malign-functions=0 -DCPU=686 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.2.14/include/linux/modversions.h -DEXPORT_SYMTAB -c ppp.c
ppp.c:188: warning: static declaration for `ppp_register_compressor_R9682e733' follows non-static
ppp.c:189: warning: static declaration for `ppp_unregister_compressor_Ra1b928df' follows non-static
ppp.c: In function `rcv_proto_unknown':
ppp.c:2563: too few arguments to function `kill_fasync_R5e73d35d'
make[1]: *** [ppp.o] Error 1
make[1]: Leaving directory `/usr/src/linux-2.2.14/drivers/net'
make: *** [_mod_drivers/net] Error 2

thanks for any help.

stefan

From jesussoro at hotmail.com Fri Aug 25 03:52:02 2000
From: jesussoro at hotmail.com (jesus soro) Date: Fri, 25 Aug 2000 08:52:02 GMT Subject: [pptp-server] client NT4 + SP6 Message-ID: I have achived to connect the win98 vpn clients to the pptp linux server. Now I want to setup VPN between NT client & PoPToP linux server running suse 6.4 with ms-chap & MPPE. I'm trying to connect win nt 4.0 client but I have pptp problems. I pass the authentification but I don't received the options. The pptpd logfile says (logfile attached) Aug 21 17:21:04 fw2 pppd[1464]: sent [CHAP Success id=0x1 "Welcome to fw2."] Aug 21 17:21:05 fw2 pppd[1464]: cbcp_open Aug 21 17:21:05 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ] Aug 21 17:21:05 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds Aug 21 17:21:05 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ] Aug 21 17:21:05 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds. Aug 21 17:21:05 fw2 pppd[1464]: MSCHAP peer authentication succeeded for jsoro Aug 21 17:21:08 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ] Aug 21 17:21:08 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds. Aug 21 17:21:08 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ] Aug 21 17:21:08 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds. Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Received PPTP Control Message (type: 5) Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Made a ECHO RPLY packet Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: I wrote 20 bytes to the client. Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Sent packet to client Aug 21 17:21:11 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ] Aug 21 17:21:11 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds. Aug 21 17:21:11 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ] Aug 21 17:21:11 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds. Aug 21 17:21:14 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ] Aug 21 17:19:56 fw2 pptpd[1222]: CTRL: I wrote 20 bytes to the client. 
Aug 21 17:19:56 fw2 pptpd[1222]: CTRL: Sent packet to client
Aug 21 17:19:58 fw2 pppd[1462]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:19:58 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:19:58 fw2 pppd[1462]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:19:58 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:20:01 fw2 pppd[1462]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:20:01 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:20:01 fw2 pppd[1462]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:20:01 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:20:04 fw2 pppd[1462]: IPCP: timeout sending Config-Requests
Aug 21 17:20:04 fw2 pppd[1462]: cbcp_lowerdown
Aug 21 17:20:04 fw2 pppd[1462]: Untimeout 0x8050ba0:0x807a640.
Aug 21 17:20:04 fw2 pppd[1462]: sent [LCP TermReq id=0x3 "No network protocols running"]
Aug 21 17:20:04 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a2c0 in 3 seconds.
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Received PPTP Control Message (type: 15)
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 21 17:20:04 fw2 pppd[1462]: rcvd [LCP TermAck id=0x3]
Aug 21 17:20:04 fw2 pppd[1462]: rcvd [LCP TermAck id=0x3]
Aug 21 17:20:04 fw2 pppd[1462]: Untimeout 0x8050ba0:0x807a2c0.
Aug 21 17:20:04 fw2 pppd[1462]: Connection terminated.
Aug 21 17:20:04 fw2 pppd[1462]: Connect time 0.6 minutes.
Aug 21 17:20:04 fw2 pppd[1462]: Sent 998 bytes, received 196 bytes.
Aug 21 17:20:04 fw2 pppd[1462]: Exit.
Aug 21 17:20:04 fw2 pptpd[1461]: GRE: read(fd=5,buffer=804dac0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Client 195.77.129.65 control connection finished
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Exiting now

Any ideas?
Thanks

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From christian.jung at professional-solution.com Fri Aug 25 06:48:34 2000
From: christian.jung at professional-solution.com (christian.jung at professional-solution.com)
Date: Fri, 25 Aug 2000 12:48:34 +0100
Subject: [pptp-server] Linux to Linux pptp-connection ?
Message-ID: <41256946.00419C92.00@mail.professional-solution.com>

Hi,

I still haven't found a solution to the problem below. Any advice you can give would be appreciated.

I am trying to connect to my Linux pptp server from a Linux client (Suse 6.4 with Kernel 2.2.16, ppp-2.3.11 and pptp 1.0.2).

my options-file on the client looks like this:

#lock
debug
name test
remotename fdhqw060
auth
-pap
#proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
#ms-wins 192.168.1.16
#ms-dns 192.168.1.3
require-chap
netmask 255.255.255.0
mru 512
mtu 512
ktune
#lcp-echo-failure 10
#lcp-echo-interval 5
#deflate 0
defaultroute
logfile /var/log/log.options

And this is the options-file on the server:

lock
debug
name fdhqw060
auth
-pap
#proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
ms-wins 192.168.1.16
ms-dns 192.168.1.3
require-chap
netmask 255.255.255.0
mru 512
mtu 512
ktune

If I try to connect to the Server I get the following messages:

(unknown)[20059]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connection established.
(unknown)[20059]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]: Outgoing call established.

but I have no working connection and there is no ppp interface.
The pptp server (Suse 6.4 with Kernel 2.2.16 and pptpd 1.0.0) writes the following lines into the /var/log/messages file and repeats the last 6 lines:

Aug 25 10:24:12 fdhqw060 pptpd[25278]: CTRL: Client 192.168.1.195 control connection started
Aug 25 10:24:13 fdhqw060 pptpd[25278]: CTRL: Starting call (launching pppd, opening GRE)
Aug 25 10:24:13 fdhqw060 pppd[25279]: pppd 2.3.11 started by root, uid 0
Aug 25 10:24:13 fdhqw060 pppd[25279]: Using interface ppp0
Aug 25 10:24:13 fdhqw060 pppd[25279]: Connect: ppp0 <--> /dev/pts/2
Aug 25 10:24:13 fdhqw060 pppd[25279]: sent [LCP ConfReq id=0x1 ]
Aug 25 10:24:13 fdhqw060 pppd[25279]: Timeout 0x8050af0:0x807a160 in 3 seconds.
Aug 25 10:24:15 fdhqw060 pptpd[25278]: GRE: Discarding duplicate packet
Aug 25 10:24:16 fdhqw060 pppd[25279]: sent [LCP ConfReq id=0x1 ]
Aug 25 10:24:16 fdhqw060 pppd[25279]: Timeout 0x8050af0:0x807a160 in 3 seconds.
Aug 25 10:24:16 fdhqw060 pppd[25279]: rcvd [LCP ConfAck id=0x1 ]
Aug 25 10:24:16 fdhqw060 pppd[25279]: rcvd [LCP ConfReq id=0x1 ]
Aug 25 10:24:16 fdhqw060 pppd[25279]: lcp_reqci: returning CONFACK.
Aug 25 10:24:16 fdhqw060 pppd[25279]: sent [LCP ConfAck id=0x1 ]
Aug 25 10:24:16 fdhqw060 pppd[25279]: Untimeout 0x8050af0:0x807a160.
Aug 25 10:24:16 fdhqw060 pppd[25279]: sent [CHAP Challenge id=0x1 , name = "fdhqw060"]
Aug 25 10:24:16 fdhqw060 pppd[25279]: Timeout 0x8056860:0x807a440 in 3 seconds.
Aug 25 10:24:16 fdhqw060 pppd[25279]: rcvd [CHAP Challenge id=0x1 , name = "test"]
Aug 25 10:24:16 fdhqw060 pppd[25279]: ChapReceiveChallenge: rcvd type MS-CHAP-V2.

This configuration works with a Windows NT and a Win 98 Client.

Thanks for your help.

Christian Jung

From Frederic.Celse at sema.fr Fri Aug 25 06:37:21 2000
From: Frederic.Celse at sema.fr (CELSE Frederic - GRE)
Date: Fri, 25 Aug 2000 13:37:21 +0200
Subject: [pptp-server] Linux to Linux pptp-connection ?
References: <41256946.00419C92.00@mail.professional-solution.com>
Message-ID: <39A65A71.DC4E6F8F@sema.fr>

christian.jung at professional-solution.com wrote:
> ...
>
> my options-file on the client looks like this:
>
> #lock
> debug
> name test
> remotename fdhqw060
> auth
> ...

I think you should have noauth in the client options file.

What about the log on the client ?

Regards.

--
Frederic CELSE

From msh8r at swbell.net Fri Aug 25 08:10:41 2000
From: msh8r at swbell.net (Thomas Klettke)
Date: Fri, 25 Aug 2000 08:10:41 -0500
Subject: [pptp-server] delay when authenticating by NT PDC
Message-ID: <004d01c00e95$deb08440$6401a8c0@arnold>

I connect with a Win98SE client to a NT4 PDC via a Linux PoPToP server. (Had a problem first finding the PDC; it has been solved by installing WINS on the PDC - thanks, Steve)

After entering the login information for the NT domain it takes between 1 and 3 minutes before the authentication is completed (the NT logon script starts). The logs for both the pptp server and client show that a connection was established after a few seconds; the PDC's log shows that I was repeatedly logging in and out before the logon script actually runs.

Once I'm logged in everything works fine, just like I was on the remote network locally (except for speed, sure).

Any ideas why the long delay?

Oh, yes: the W98 client knows the addresses for WINS and DNS.

Thanks for all help!

Thomas

From Stefan.Strehle at JAW.AT Fri Aug 25 09:03:52 2000
From: Stefan.Strehle at JAW.AT (Strehle Stefan)
Date: Fri, 25 Aug 2000 16:03:52 +0200
Subject: [pptp-server] PPTP client -> NT RAS
Message-ID:

Thanks for your help Jerry, but for some strange reason it's still not working, although I followed your steps closely.

I should dump the RRAS servers, and replace them with Linux boxes altogether :)

From gmader at geoanalytics.com Fri Aug 25 14:17:08 2000
From: gmader at geoanalytics.com (Greg Mader)
Date: Fri, 25 Aug 2000 14:17:08 -0500
Subject: [pptp-server] where is PopTop at?
Message-ID: <3.0.6.32.20000825141708.00ab4790@127.0.0.1>

Hi folks,

I have been away from this list for a while, so I am sure that things have changed. I am trying to get to the PopTop website, and www.moretonbay.com isn't working. Where is everything at now?

Thanks,

Greg Mader

From gatgul at voicenet.com Fri Aug 25 11:08:31 2000
From: gatgul at voicenet.com (Uncle George)
Date: Fri, 25 Aug 2000 11:08:31 -0500
Subject: [pptp-server] pptp/linux-client & date encryption
Message-ID: <39A699FF.29568DA4@voicenet.com>

is there such an animal ?

From dereks at kd-dev.com Fri Aug 25 15:19:15 2000
From: dereks at kd-dev.com (Derek Simkowiak)
Date: Fri, 25 Aug 2000 13:19:15 -0700 (PDT)
Subject: [pptp-server] where is PopTop at?
In-Reply-To: <3.0.6.32.20000825141708.00ab4790@127.0.0.1>
Message-ID:

-> isn't working. Where is everything at now?

Can you be more specific?

From matthewr at moreton.com.au Fri Aug 25 04:48:24 2000
From: matthewr at moreton.com.au (Matthew Ramsay)
Date: Fri, 25 Aug 2000 19:48:24 +1000
Subject: [pptp-server] where is PopTop at?
References: <3.0.6.32.20000825141708.00ab4790@127.0.0.1>
Message-ID: <005701c00e79$a1070f40$4d00a8c0@qld.bigpond.net.au>

Should still be there (I just checked):

http://www.moretonbay.com/vpn/pptp.html

Moreton Bay was acquired by Lineo in May though.. so PoPToP is slowly being moved to here:

http://poptop.lineo.com

Seeya!
Matt

----- Original Message -----
From: Greg Mader
To:
Sent: Saturday, August 26, 2000 5:17 AM
Subject: [pptp-server] where is PopTop at?

> Hi folks,
>
> I have been away from this list for awhile, so I am sure that things have
> changed. I am trying to get to the PopTop website, and www.moretonbay.com
> isn't working. Where is everything at now?
>
>
> Thanks,
>
> Greg Mader

From matthewr at moreton.com.au Fri Aug 25 04:50:29 2000
From: matthewr at moreton.com.au (Matthew Ramsay)
Date: Fri, 25 Aug 2000 19:50:29 +1000
Subject: [pptp-server] pptp/linux-client & date encryption
References: <39A699FF.29568DA4@voicenet.com>
Message-ID: <007b01c00e79$ebbc6d00$4d00a8c0@qld.bigpond.net.au>

I've had it working for ages :-)

pptp-linux-client --> poptop w/ data encryption

i run it on my uClinux NETtel router boxes though and not PCs

seeya!
-m

----- Original Message -----
From: Uncle George
To:
Sent: Saturday, August 26, 2000 2:08 AM
Subject: [pptp-server] pptp/linux-client & date encryption

> is there such an animal ?

From richard at blauvelt.com Fri Aug 25 17:28:37 2000
From: richard at blauvelt.com (Richard E Blauvelt)
Date: Fri, 25 Aug 2000 15:28:37 -0700
Subject: [pptp-server] where is PopTop at?
In-Reply-To: <3.0.6.32.20000825141708.00ab4790@127.0.0.1>
Message-ID: <4.3.2.7.2.20000825152708.00d354a0@blauvelt.com>

Greg,

Try: http://www.moretonbay.com/vpn/pptp.html

It works for me as of 30 seconds ago.

Good luck,

Richard

At 12:17 PM 8/25/00, Greg Mader wrote:
>Hi folks,
>
>I have been away from this list for awhile, so I am sure that things have
>changed. I am trying to get to the PopTop website, and www.moretonbay.com
>isn't working. Where is everything at now?
>
>
>Thanks,
>
>Greg Mader

From jvonau at home.com Fri Aug 25 18:03:33 2000
From: jvonau at home.com (Jerry Vonau)
Date: Fri, 25 Aug 2000 18:03:33 -0500
Subject: [pptp-server] PPTP client -> NT RAS
References:
Message-ID: <39A6FB45.7FEBBEF9@home.com>

What you do is up to you, I just can't help for a while. I'm going for a short trip, so I can't help for a couple of days.

What is the setup on the RAS servers? What does the log say?

Jerry

Strehle Stefan wrote:
> Thanks for your help Jerry, but for some strange reason it's still not
> working, although i followed your steps closely.
> I should dump the RRAS servers, and replace them with Linux boxes
> alltogether :)

From gstammw at gmx.net Fri Aug 25 18:06:32 2000
From: gstammw at gmx.net (Gunther Stammwitz)
Date: Sat, 26 Aug 2000 01:06:32 +0200
Subject: [pptp-server] where is PopTop at?
References: <4.3.2.7.2.20000825152708.00d354a0@blauvelt.com>
Message-ID: <001301c00ee9$1c9883e0$6501a8c0@windows>

Just try www.POPTOP.de

bye,
Gunther

----- Original Message -----
From: "Richard E Blauvelt"
To: "Greg Mader" ;
Sent: Saturday, August 26, 2000 12:28 AM
Subject: Re: [pptp-server] where is PopTop at?

> Greg,
>
> Try: http://www.moretonbay.com/vpn/pptp.html
>
> It works for me as of 30 seconds ago.
>
> Good luck,
>
> Richard
>
> At 12:17 PM 8/25/00, Greg Mader wrote:
> >Hi folks,
> >
> >I have been away from this list for awhile, so I am sure that things have
> >changed. I am trying to get to the PopTop website, and www.moretonbay.com
> >isn't working. Where is everything at now?
> >
> >
> >Thanks,
> >
> >Greg Mader

From NorthwestFrog at home.com Sat Aug 26 18:01:21 2000
From: NorthwestFrog at home.com (Jean-Francois Gagnon)
Date: Sat, 26 Aug 2000 16:01:21 -0700
Subject: [pptp-server] Win98SE2 PPTP connection problem with Encryption
In-Reply-To: <000001c00d16$ca0f0f00$0201a8c0@olmpi1.wa.home.com>
Message-ID: <000d01c00fb1$8cfd1c40$0201a8c0@olmpi1.wa.home.com>

This is a repost.

I did a complete reinstall of the MSCHAPV2/MPPE patch on a fresh version of ppp 2.3.10 and the kernel 2.2.16.

Same error again.

The pptp connection is tried from within the firewall.

I simply do not get it.

Did someone overcome this one ?

Regards

JFG

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jean-Francois
> Gagnon
> Sent: Wednesday, August 23, 2000 8:28 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Win98SE2 PPTP connection problem with Encryption
>
>
> Hi,
>
> I am unable to create a pptp connection with encryption turned on
> error 691 in the dialup networking.
>
> In /var/log/pptpd.log:
> Aug 23 05:43:31 C410745-A pptpd[7179]: CTRL: Client 192.168.1.2 control connection started
> Aug 23 05:43:31 C410745-A pptpd[7179]: CTRL: Starting call (launching pppd, opening GRE)
> Aug 23 05:43:31 C410745-A modprobe: modprobe: Can't locate module char-major-108
> Aug 23 05:43:32 C410745-A pptpd[7179]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error
> Aug 23 05:43:32 C410745-A pptpd[7179]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> Aug 23 05:43:32 C410745-A pptpd[7179]: CTRL: Client 192.168.1.2 control connection finished
>
> My kernel is 2.2.16 and ppp is 2.3.10. I installed the various patches as
> indicated in the HOWTO.
>
> Settings in pptpd.options
> auth
> #require-chap
> #require-chapms
> #require-chapms-v2
> +chap
> +chapms
> +chapms-v2
> mppe-40
> mppe-128
> mppe-stateless
>
> BTW if I only have +chap turned on and no encryption except for the
> password, I can connect with no problem... No problems with my firewall
> either.
>
> Thanks for the help
>
> Jean-Francois Gagnon

From john.hovell at home.com Sat Aug 26 20:15:54 2000
From: john.hovell at home.com (John Hovell)
Date: Sat, 26 Aug 2000 18:15:54 -0700
Subject: [pptp-server] Win98SE2 PPTP connection problem with Encryption
References: <000d01c00fb1$8cfd1c40$0201a8c0@olmpi1.wa.home.com>
Message-ID: <39A86BC9.4E0A6337@home.com>

Just a shot in the dark, but do you need to get the Windows 98 SE patch for 128-bit dialup networking?

I don't even know what the patch is for, but I'd be sure to be running the latest software before getting too frustrated.

Cheers,
John

Jean-Francois Gagnon wrote:

> This is a repost.
>
> I did a complete reinstall of the MSCHAPV2/MPPE patch on a fresh version of
> ppp 2.3.10 and the kernel 2.2.16.
>
> Same error again.
>
> The pptp connection is tried from within the firewall
>
> I simply do not get it.
>
> Did someone overcome this one ?
>
> Regards
>
> JFG
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jean-Francois
> > Gagnon
> > Sent: Wednesday, August 23, 2000 8:28 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] Win98SE2 PPTP connection problem with Encryption
> >
> >
> > Hi,
> >
> > I am unable to create a pptp connection with encryption turned on
> > error 691 in the dialup networking.
> >
> > In /var/log/pptpd.log:
> > Aug 23 05:43:31 C410745-A pptpd[7179]: CTRL: Client 192.168.1.2 control connection started
> > Aug 23 05:43:31 C410745-A pptpd[7179]: CTRL: Starting call (launching pppd, opening GRE)
> > Aug 23 05:43:31 C410745-A modprobe: modprobe: Can't locate module char-major-108
> > Aug 23 05:43:32 C410745-A pptpd[7179]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error
> > Aug 23 05:43:32 C410745-A pptpd[7179]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> > Aug 23 05:43:32 C410745-A pptpd[7179]: CTRL: Client 192.168.1.2 control connection finished
> >
> > My kernel is 2.2.16 and ppp is 2.3.10. I installed the various patches as
> > indicated in the HOWTO.
> >
> > Settings in pptpd.options
> > auth
> > #require-chap
> > #require-chapms
> > #require-chapms-v2
> > +chap
> > +chapms
> > +chapms-v2
> > mppe-40
> > mppe-128
> > mppe-stateless
> >
> > BTW if I only have +chap turned on and no encryption except for the
> > password, I can connect with no problem... No problems with my firewall
> > either.
> >
> > Thanks for the help
> >
> > Jean-Francois Gagnon
From Steve.Cowles at gte.net Sat Aug 26 21:00:16 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Sat, 26 Aug 2000 21:00:16 -0500
Subject: [pptp-server] Win98SE2 PPTP connection problem with Encryptio n
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4DF@defiant.dsl.gtei.net>

> -----Original Message-----
> From: Jean-Francois Gagnon [mailto:NorthwestFrog at home.com]
> Sent: Saturday, August 26, 2000 6:01 PM
> To: pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] Win98SE2 PPTP connection problem with
> Encryption
>
>
> This is a repost.
>
> I did a complete reinstall of the MSCHAPV2/MPPE patch on a
> fresh version of ppp 2.3.10 and the kernel 2.2.16.
>
> Same error again.
>
> The pptp connection is tried from within the firewall
>
> I simply do not get it.
>
> Did someone overcome this one ?
>
> Regards
>
> JFG

I think you still might have a problem with your kernel and/or pppd compilation, but the following might help you achieve your goal. This connection was made from a W2K system with MSCHAP-v2 and "Require Data Encryption" enabled. Unfortunately, I don't have a W98 system available, but I have been successful with W98 in the past.

Good Luck
Steve Cowles

---- /etc/ppp/options ---------
lock
auth
ms-dns 192.168.9.3
ms-dns 192.168.9.2
ms-wins 192.168.9.2
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
proxyarp

------------ /etc/pptpd.conf -----------
speed 115200
option /etc/ppp/options
localip 192.168.9.4
remoteip 192.168.9.100-105
listen 192.168.9.3
pidfile /var/run/pptpd.pid

------ /etc/conf.modules --------
alias eth0 3c59x
alias eth1 3c59x
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias char-major-108 ppp_generic

------- Loaded modules before/after pptp connection -------
[root at voyager /etc]# lsmod
Module                  Size  Used by
3c59x                  19496   2  (autoclean)

[root at voyager /etc]# lsmod
Module                  Size  Used by
ppp_deflate            40536   0  (autoclean)
ppp_mppe               13572   2  (autoclean)
bsd_comp                3620   0  (autoclean)
3c59x                  19496   2  (autoclean)

------- /etc/ppp/chap-secrets --------
# Secrets for authentication using CHAP
# client          server  secret    IP addresses
scowles           *       MY_PASS   *
COWLES\\scowles   *       MY_PASS   *

------- /var/log/messages
---------
Aug 26 20:23:02 voyager pptpd[20327]: CTRL: Client 192.168.9.21 control connection started
Aug 26 20:23:02 voyager pptpd[20327]: CTRL: Starting call (launching pppd, opening GRE)
Aug 26 20:23:02 voyager pppd[20328]: pppd 2.3.11 started by root, uid 0
Aug 26 20:23:02 voyager pppd[20328]: Using interface ppp0
Aug 26 20:23:02 voyager pppd[20328]: Connect: ppp0 <--> /dev/pts/3
Aug 26 20:23:05 voyager kernel: PPP BSD Compression module registered
Aug 26 20:23:05 voyager kernel: PPP MPPE compression module registered
Aug 26 20:23:06 voyager kernel: PPP Deflate Compression module registered
Aug 26 20:23:06 voyager pppd[20328]: MSCHAP-v2 peer authentication succeeded for scowles
Aug 26 20:23:06 voyager pppd[20328]: found interface eth0 for proxy arp
Aug 26 20:23:06 voyager pppd[20328]: local IP address 192.168.9.4
Aug 26 20:23:06 voyager pppd[20328]: remote IP address 192.168.9.100
Aug 26 20:23:13 voyager pppd[20328]: MPPE 128 bit, stateless compression enabled

From NorthwestFrog at home.com Sat Aug 26 21:47:54 2000
From: NorthwestFrog at home.com (Jean-Francois Gagnon)
Date: Sat, 26 Aug 2000 19:47:54 -0700
Subject: [pptp-server] Win98SE2 PPTP connection problem with Encryption
In-Reply-To: <39A86BC9.4E0A6337@home.com>
Message-ID: <000001c00fd1$336ae980$0201a8c0@olmpi1.wa.home.com>

That was worth the try, but it did not work.

> -----Original Message-----
> From: John Hovell [mailto:john.hovell at home.com]
> Sent: Saturday, August 26, 2000 6:16 PM
> To: Jean-Francois Gagnon
> Cc: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Win98SE2 PPTP connection problem with
> Encryption
>
>
> Just a shot in the dark, but do you need to get the Windows 98 SE
> patch for 128-bit dialup networking?
>
> I don't even know what the patch is for, but I'd be sure to be running the
> latest software before getting to frustrated.
>
> Cheers,
> John
>
> Jean-Francois Gagnon wrote:
>
> > This is a repost.
> >
> > I did a complete reinstall of the MSCHAPV2/MPPE patch on a
> > fresh version of ppp 2.3.10 and the kernel 2.2.16.
> >
> > Same error again.
> >
> > The pptp connection is tried from within the firewall
> >
> > I simply do not get it.
> >
> > Did someone overcome this one ?
> >
> > Regards
> >
> > JFG
> >
> > > -----Original Message-----
> > > From: pptp-server-admin at lists.schulte.org
> > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jean-Francois
> > > Gagnon
> > > Sent: Wednesday, August 23, 2000 8:28 AM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] Win98SE2 PPTP connection problem with Encryption
> > >
> > >
> > > Hi,
> > >
> > > I am unable to create a pptp connection with encryption turned on
> > > error 691 in the dialup networking.
> > >
> > > In /var/log/pptpd.log:
> > > Aug 23 05:43:31 C410745-A pptpd[7179]: CTRL: Client 192.168.1.2 control connection started
> > > Aug 23 05:43:31 C410745-A pptpd[7179]: CTRL: Starting call (launching pppd, opening GRE)
> > > Aug 23 05:43:31 C410745-A modprobe: modprobe: Can't locate module char-major-108
> > > Aug 23 05:43:32 C410745-A pptpd[7179]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error
> > > Aug 23 05:43:32 C410745-A pptpd[7179]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> > > Aug 23 05:43:32 C410745-A pptpd[7179]: CTRL: Client 192.168.1.2 control connection finished
> > >
> > > My kernel is 2.2.16 and ppp is 2.3.10. I installed the various patches as
> > > indicated in the HOWTO.
> > >
> > > Settings in pptpd.options
> > > auth
> > > #require-chap
> > > #require-chapms
> > > #require-chapms-v2
> > > +chap
> > > +chapms
> > > +chapms-v2
> > > mppe-40
> > > mppe-128
> > > mppe-stateless
> > >
> > > BTW if I only have +chap turned on and no encryption except for the
> > > password, I can connect with no problem... No problems with my firewall
> > > either.
> > >
> > > Thanks for the help
> > >
> > > Jean-Francois Gagnon
From gmader at GeoAnalytics.com Sun Aug 27 13:29:47 2000
From: gmader at GeoAnalytics.com (Greg Mader)
Date: Sun, 27 Aug 2000 13:29:47 -0500
Subject: [pptp-server] Config questions
Message-ID:

Hi,

I get the following error when I try to start PopTop:

createHostSocket: Address already in use

Here is my etc/pptpd.conf file:

# TAG: speed
#
# Specifies the speed for the PPP daemon to talk at.
# Some PPP daemons will ignore this value.
#
speed 115200

# TAG: option
#
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
#option /this/is/the/options/file

# TAG: debug
#
# Turns on (more) debugging to syslog.
#
#debug

# TAG: localip
# TAG: remoteip
#
# Specifies the local and remote IP address ranges.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
#    start at the beginning of the list and go until it gets
#    MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#    you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
#    be set to the given one. You MUST still give at least one remote
#    IP for each simultaneous client.
#
localip 192.168.40.11
remoteip 192.168.40.21-24

# TAG: ipxnets
#
# This gives the range of IPX networks to allocate to clients. By
# default IPX network number allocation is not handled internally.
# By putting a low and high network number here a pool of IPX networks
# can be defined. If this is done then there must be one IPX network
# per client.
#
# The format is a pair of hex numbers without any 0x prefix separated
# by a hyphen.
#
#ipxnets 00001000-00001FFF

# TAG: listen
#
# Defines the IP address of the local interface on which pptpd
# should listen for connections.
# The default is to listen on all
# local interfaces (even ones brought up by pptp connections, thus
# permitting pptp tunnels inside the pptp tunnels).
#
listen 192.168.40.11

# TAG: pidfile
#
# This defines the file name in which pptpd should store its process
# ID (or pid). The default is /var/run/pptpd.pid.
#
#pidfile /var/run/pptpd.pid

My IP address for the desired interface is 192.168.40.11.

Ideas?

Thanks,

Greg Mader

From gsi22642 at gsaix2.cc.gasou.edu Mon Aug 28 03:50:45 2000
From: gsi22642 at gsaix2.cc.gasou.edu (Chris)
Date: Mon, 28 Aug 2000 01:50:45 -0700
Subject: [pptp-server] Data Compression
Message-ID: <000a01c010cd$0e57a960$2c64ed0a@jojostomp.net>

Does PoPTop support data compression ?

From BAdler at BrainHouse.net Mon Aug 28 07:05:39 2000
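An added example (my own code, not anything shipped with pppd or PoPToP) that lints the two kinds of file discussed in this thread: the pppd option set Steve Cowles posted, where +chap, +chapms and mppe-40 leave plain CHAP, MS-CHAPv1 and 40-bit MPPE negotiable alongside MS-CHAPv2 and 128-bit MPPE, and Greg's pptpd.conf, whose localip/remoteip syntax rules (no spaces, no shortcut ranges such as 234-8) come from the comments in the file itself. The option names are the ones that appear in the posted configurations (require-chapms-v2 is the one Jean-Francois has commented out); the sample files and the "stale listener" set are constructed for illustration, and the assumption that a second process on TCP port 1723, the PPTP control port, is what produces "createHostSocket: Address already in use" is mine.

```python
"""Lint PoPToP configuration: pppd options and pptpd.conf (added example,
not pppd/PoPToP code; sample files and listener set are constructed)."""
import ipaddress
import re

PPTP_CTRL_PORT = 1723  # TCP port of the PPTP control connection

# Constructed sample: the permissive option set posted on the list.
WEAK_OPTIONS = """\
auth
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
"""

# Constructed sample: only MS-CHAPv2 and 128-bit MPPE are acceptable.
HARDENED_OPTIONS = """\
auth
require-chapms-v2
mppe-128
mppe-stateless
"""

# Constructed sample, modelled on the posted pptpd.conf.
SAMPLE_PPTPD_CONF = """\
localip 192.168.40.11
remoteip 192.168.40.21-24
listen 192.168.40.11
"""

# Constructed: what 'netstat -ln' would show if a pptpd were still bound.
STALE_LISTENERS = {("192.168.40.11", PPTP_CTRL_PORT)}

_RANGE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$")


def parse_config(text):
    """Split a pppd-style file into (keyword, args) pairs; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def audit_options(text):
    """Return findings about weak authentication or encryption choices."""
    names = {k for k, _ in parse_config(text)}
    findings = []
    if "require-chapms-v2" not in names:
        findings.append("MS-CHAPv2 is not mandatory (no require-chapms-v2)")
    if names & {"+chap", "+chapms"}:
        findings.append("plain CHAP / MS-CHAPv1 still negotiable (+chap, +chapms)")
    if "mppe-40" in names:
        findings.append("40-bit MPPE permitted (mppe-40)")
    return findings


def expand_ip_list(spec):
    """Expand '192.168.0.234,192.168.0.245-249,192.168.0.254' into addresses,
    enforcing the pptpd.conf rules: no spaces, no shortcut ranges (234-8)."""
    if " " in spec:
        raise ValueError("spaces are not permitted in address lists")
    addrs = []
    for item in spec.split(","):
        m = _RANGE.match(item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            if hi < lo:  # 234-8 is a shortcut, not 234..238
                raise ValueError(f"shortcut or reversed range: {item}")
            addrs.extend(str(ipaddress.IPv4Address(prefix + str(n)))
                         for n in range(lo, hi + 1))
        else:
            addrs.append(str(ipaddress.IPv4Address(item)))  # validates octets
    return addrs


def audit_pptpd_conf(text, listeners=frozenset()):
    """Check the address pools and whether the listen address is already taken."""
    conf = {k: " ".join(v) for k, v in parse_config(text)}
    try:  # a missing key yields '' and is rejected by the address parser
        local = expand_ip_list(conf.get("localip", ""))
        remote = expand_ip_list(conf.get("remoteip", ""))
    except ValueError as err:
        return [f"bad address list: {err}"]
    findings = []
    if set(local) & set(remote):
        findings.append("localip and remoteip pools overlap")
    listen = conf.get("listen", "0.0.0.0")
    if {(listen, PPTP_CTRL_PORT), ("0.0.0.0", PPTP_CTRL_PORT)} & set(listeners):
        findings.append(f"tcp/{PPTP_CTRL_PORT} on {listen} is already bound "
                        "(stale or second pptpd?): createHostSocket will fail")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit_options(text) or ["ok"])
    print(audit_pptpd_conf(SAMPLE_PPTPD_CONF, STALE_LISTENERS))
```

Run against the posted files, the weak option set yields three findings and the hardened one none; the pptpd.conf check reports the bound port only when the listener set contains the listen address (or 0.0.0.0) on tcp/1723, which is the situation to look for with netstat before restarting pptpd.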
From: BAdler at BrainHouse.net (Björn Adler)
Date: Mon, 28 Aug 2000 14:05:39 +0200
Subject: Re: [pptp-server] client NT4 + SP6
Message-ID: <81AD9F5D013BD411900500D0B7173E23011865@trillian>

I'm having exactly the same problem with an NT4 client and also with a W2K client.

Anybody got a hint for us ?

Thanks

Bjoern Adler

-----Original Message-----
From: jesus soro [mailto:jesussoro at hotmail.com]
Sent: Friday, 25 August 2000 10:52
To: pptp-server at lists.schulte.org
Subject: [pptp-server] client NT4 + SP6

I have managed to connect the win98 vpn clients to the pptp linux server. Now I want to set up a VPN between an NT client & the PoPToP linux server running suse 6.4 with ms-chap & MPPE.

I'm trying to connect a win nt 4.0 client but I have pptp problems. I pass the authentication but I don't receive the options.

The pptpd logfile says (logfile attached):

Aug 21 17:21:04 fw2 pppd[1464]: sent [CHAP Success id=0x1 "Welcome to fw2."]
Aug 21 17:21:05 fw2 pppd[1464]: cbcp_open
Aug 21 17:21:05 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:05 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds
Aug 21 17:21:05 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:05 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:05 fw2 pppd[1464]: MSCHAP peer authentication succeeded for jsoro
Aug 21 17:21:08 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:08 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:21:08 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:08 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Received PPTP Control Message (type: 5)
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Made a ECHO RPLY packet
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: I wrote 20 bytes to the client.
Aug 21 17:21:09 fw2 pptpd[1426]: CTRL: Sent packet to client
Aug 21 17:21:11 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:21:11 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:21:11 fw2 pppd[1464]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:21:11 fw2 pppd[1464]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:21:14 fw2 pppd[1464]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:19:56 fw2 pptpd[1222]: CTRL: I wrote 20 bytes to the client.
Aug 21 17:19:56 fw2 pptpd[1222]: CTRL: Sent packet to client
Aug 21 17:19:58 fw2 pppd[1462]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:19:58 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:19:58 fw2 pppd[1462]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:19:58 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:20:01 fw2 pppd[1462]: sent [IPCP ConfReq id=0x1 ]
Aug 21 17:20:01 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a520 in 3 seconds.
Aug 21 17:20:01 fw2 pppd[1462]: sent [CCP ConfReq id=0x1 ]
Aug 21 17:20:01 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a640 in 3 seconds.
Aug 21 17:20:04 fw2 pppd[1462]: IPCP: timeout sending Config-Requests
Aug 21 17:20:04 fw2 pppd[1462]: cbcp_lowerdown
Aug 21 17:20:04 fw2 pppd[1462]: Untimeout 0x8050ba0:0x807a640.
Aug 21 17:20:04 fw2 pppd[1462]: sent [LCP TermReq id=0x3 "No network protocols running"]
Aug 21 17:20:04 fw2 pppd[1462]: Timeout 0x8050ba0:0x807a2c0 in 3 seconds.
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Received PPTP Control Message (type: 15)
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 21 17:20:04 fw2 pppd[1462]: rcvd [LCP TermAck id=0x3]
Aug 21 17:20:04 fw2 pppd[1462]: rcvd [LCP TermAck id=0x3]
Aug 21 17:20:04 fw2 pppd[1462]: Untimeout 0x8050ba0:0x807a2c0.
Aug 21 17:20:04 fw2 pppd[1462]: Connection terminated.
Aug 21 17:20:04 fw2 pppd[1462]: Connect time 0.6 minutes.
Aug 21 17:20:04 fw2 pppd[1462]: Sent 998 bytes, received 196 bytes.
Aug 21 17:20:04 fw2 pppd[1462]: Exit.
Aug 21 17:20:04 fw2 pptpd[1461]: GRE: read(fd=5,buffer=804dac0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Client 195.77.129.65 control connection finished
Aug 21 17:20:04 fw2 pptpd[1461]: CTRL: Exiting now

Any ideas?
Thanks

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From walterm at Gliatech.com Mon Aug 28 08:02:46 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Mon, 28 Aug 2000 09:02:46 -0400
Subject: [pptp-server] Data Compression
Message-ID:

I did a bit of playing with this; I don't believe that pppd can support Microsoft's MPPC compression scheme. From the pppd README:

Compression methods.
********************

This package supports two packet compression methods: Deflate and BSD-Compress. Other compression methods which are in common use include Predictor, LZS, and MPPC. These methods are not supported for two reasons - they are patent-encumbered, and they cause some packets to expand slightly, which pppd doesn't currently allow for. BSD-Compress is also patent-encumbered (its inclusion in this package can be considered a historical anomaly :-) but it doesn't ever expand packets. Neither does Deflate, which uses the same algorithm as gzip.

Thanks,
Michael J. Walter rhce mcse mcp+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Chris [mailto:gsi22642 at gsaix2.cc.gasou.edu]
Sent: Monday, August 28, 2000 4:51 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Data Compression

Does PoPToP support data compression?

From gmader at GeoAnalytics.com Mon Aug 28 08:24:10 2000
From: gmader at GeoAnalytics.com (Greg Mader)
Date: Mon, 28 Aug 2000 08:24:10 -0500
Subject: [pptp-server] SSLeay lib version
Message-ID:

Hello again, and sorry for the extra traffic. I started out with the RPM version of PoPToP, to learn how to set up and use PoPToP. I now wish to compile and use the secure version. As I follow the directions, there is this line:

3. Grab yourself the SSLeay-0.6.6b file from: ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-0.6.6b.tar.gz

Well, there is no more SSLeay-0.6.6b.tar.gz at that website. It seems the whole world is going to OpenSSL. Before I get too much further, what version should I use?

Thanks,
Greg

From andrew.wood at datalexuk.com Mon Aug 28 09:54:27 2000
From: andrew.wood at datalexuk.com (Andrew Wood)
Date: Mon, 28 Aug 2000 15:54:27 +0100
Subject: [pptp-server] Pinging AIX Servers
Message-ID: <6F6EA5048A46D41184AF0006295717340DA9@DLUKEX01>

Still having problems with pinging AIX servers.

Setup: RH6.2 running PoPToP, Win98\Win2000 PPTP clients

When I ping any Windows or Linux box from my PPTP clients I get replies, no problems, works great. When I ping an AIX server I get "Timed out". When I run a traceroute I get from the client to the IP address of the PPTP interface on the PoPToP server and then that's it!!

If I go onto an AIX box and attempt to ping a PPTP client I get to the IP address of the Ethernet card of the PoPToP server and no further; again, all Windows and Linux boxes can ping the PPTP client no problem.

Why the inconsistent behaviour?? I have tried adding a route on the AIX boxes specifically for a PPTP client IP address but it still stops at the IP address of the Ethernet card of the PoPToP server.

Am I doing something wrong or is this just a bug?? Hope somebody can help me out.

Andrew Wood

From rage at sohonetworks.cc Mon Aug 28 12:04:33 2000
From: rage at sohonetworks.cc (Jason Osborne)
Date: Mon, 28 Aug 2000 12:04:33 -0500
Subject: [pptp-server] select() error
In-Reply-To:
Message-ID:

Does anyone have an answer for this? It's sorta important I find a solution.

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Jason Osborne
Sent: Wednesday, August 23, 2000 2:20 PM
To: Tallyman Mailing List; pptp-server at lists.schulte.org
Subject: [pptp-server] Repost: connection closing because of select() error. please help

Anyone have an answer or reference for this? I keep getting this error when I try to connect:

pptpd[4734]: CTRL: Starting call (launching pppd, opening GRE)
pppd[4735]: pppd 2.3.10 started by root, uid 0
pppd[4735]: Using interface ppp1
pppd[4735]: Connect: ppp1 <--> /dev/pts/2
pptpd[4734]: CTRL: Error with select(), quitting
pptpd[4734]: CTRL: Client 4.35.114.34 control connection finished
pppd[4735]: Modem hangup
pppd[4735]: Connection terminated.
pppd[4735]: Exit.

Here is my options file:

lock
modem
crtscts
asyncmap 20A0000
noipdefault
defaultroute
debug
user lcarpet
noauth

and the pptpd.conf file:

speed 115200
option /etc/ppp/options.vpn
debug
localip 192.168.0.200-230,192.168.0.1
remoteip 192.168.1.200-230,192.168.1.1

What could be wrong here? I couldn't find the answer to this problem anywhere.

--
Jason Osborne - CIO/Network Technician
Phone: 972-306-6176
Cell: 214-284-3337
Web Address: http://www.sohonetworks.cc
E-mail Address: jason at sohonetworks.cc

From david_luyer at pacific.net.au Mon Aug 28 19:02:50 2000
From: david_luyer at pacific.net.au (David Luyer)
Date: Tue, 29 Aug 2000 11:02:50 +1100
Subject: [pptp-server] select() error
In-Reply-To: Message from "Jason Osborne" of "Mon, 28 Aug 2000 12:04:33 CDT."
References:
Message-ID: <200008290002.e7T02op22198@typhaon.pacific.net.au>

> Does anyone have an answer for this? It's sorta important I find a solution.

It's not actually a problem; it's an error because some Windows versions don't follow the spec which Microsoft designed, and the code prints an error message when they close the connection in a different way to that specified in the spec.

David.

--
----------------------------------------------
David Luyer
Senior Network Engineer
Pacific Internet (Aust) Pty Ltd
Phone: +61 3 9674 7525
Fax: +61 3 9699 8693
Mobile: +61 4 1064 2258, +61 4 1114 2258
http://www.pacific.net.au NASDAQ: PCNTF
<< fast 'n easy >>
----------------------------------------------

From rage at sohonetworks.cc Mon Aug 28 20:46:50 2000
From: rage at sohonetworks.cc (Jason Osborne)
Date: Mon, 28 Aug 2000 20:46:50 -0500
Subject: [pptp-server] select() error
In-Reply-To: <200008290002.e7T02op22198@typhaon.pacific.net.au>
Message-ID:

Here is the problem though: I have used this same computer to set up various VPN servers before, so I don't think that is an issue. The only thing I can think it could be is the fact that this client is running off of ISDN; therefore I think it might be a pppd problem, but I do not know how to prove it.

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of David Luyer
Sent: Monday, August 28, 2000 7:03 PM
To: Jason Osborne
Cc: Jason Osborne; Tallyman Mailing List; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] select() error

> Does anyone have an answer for this? It's sorta important I find a solution.

It's not actually a problem; it's an error because some Windows versions don't follow the spec which Microsoft designed, and the code prints an error message when they close the connection in a different way to that specified in the spec.

David.

--
----------------------------------------------
David Luyer
Senior Network Engineer
Pacific Internet (Aust) Pty Ltd
Phone: +61 3 9674 7525
Fax: +61 3 9699 8693
Mobile: +61 4 1064 2258, +61 4 1114 2258
http://www.pacific.net.au NASDAQ: PCNTF
<< fast 'n easy >>
----------------------------------------------

From iharris at quadtel.com Mon Aug 28 22:26:19 2000
From: iharris at quadtel.com (Ian Harris)
Date: Tue, 29 Aug 2000 13:26:19 +1000
Subject: [pptp-server] pptp clients
Message-ID:

Hi people, I just wanted to see if anyone's got the pptp client for Linux working. I can get it to connect and get through the initial PPP authentication, but after that it fails to transfer any data.

regards
Ian.

From david_luyer at pacific.net.au Mon Aug 28 21:57:49 2000
From: david_luyer at pacific.net.au (David Luyer)
Date: Tue, 29 Aug 2000 13:57:49 +1100
Subject: [pptp-server] Patch for pptpd-1.0.0
Message-ID: <200008290257.e7T2vnp25542@typhaon.pacific.net.au>

After all this time, I have a patch :-)

Does anyone else see infinite loops resembling:

Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)

The fix is very simple. I'll try to remember the CVS details to submit a fix (if the repository even still exists...).

David.
--
----------------------------------------------
David Luyer
Senior Network Engineer
Pacific Internet (Aust) Pty Ltd
Phone: +61 3 9674 7525
Fax: +61 3 9699 8693
Mobile: +61 4 1064 2258, +61 4 1114 2258
http://www.pacific.net.au NASDAQ: PCNTF
<< fast 'n easy >>
----------------------------------------------

From matthewr at moreton.com.au Mon Aug 28 10:38:16 2000
From: matthewr at moreton.com.au (Matthew Ramsay)
Date: Tue, 29 Aug 2000 01:38:16 +1000
Subject: [pptp-server] Patch for pptpd-1.0.0
References: <200008290257.e7T2vnp25542@typhaon.pacific.net.au>
Message-ID: <002701c01105$fd509800$4d00a8c0@qld.bigpond.net.au>

Send to me if ya like, David. I was moving all that over to poptop.lineo.com

Seeya!
-matt

----- Original Message -----
From: David Luyer
To:
Sent: Tuesday, August 29, 2000 12:57 PM
Subject: [pptp-server] Patch for pptpd-1.0.0

>
> After all this time, I have a patch :-)
>
> Does anyone else see infinite loops resembling:
>
> Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
> Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
> Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
> Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
> Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
> Aug 29 13:54:38 pptpd[27781]: CTRL: Unexpected control message 0 in disconnect sequence
> Aug 29 13:54:38 pptpd[27781]: CTRL: EOF or bad error reading ctrl packet length.
> Aug 29 13:54:38 pptpd[27781]: CTRL: couldn't read packet header (exit)
>
> The fix is very simple. I'll try to remember the CVS details to submit a fix
> (if the repository even still exists...).
>
> David.
> --
> ----------------------------------------------
> David Luyer
> Senior Network Engineer
> Pacific Internet (Aust) Pty Ltd
> Phone: +61 3 9674 7525
> Fax: +61 3 9699 8693
> Mobile: +61 4 1064 2258, +61 4 1114 2258
> http://www.pacific.net.au NASDAQ: PCNTF
> << fast 'n easy >>
> ----------------------------------------------
>

From Gareth_Marlow at scientia.com Tue Aug 29 04:04:06 2000
From: Gareth_Marlow at scientia.com (Gareth Marlow)
Date: Tue, 29 Aug 2000 10:04:06 +0100
Subject: [pptp-server] pptp clients
In-Reply-To: ; from iharris@quadtel.com on Tue, Aug 29, 2000 at 01:26:19PM +1000
References:
Message-ID: <20000829100406.B24286@canna.scientia.com>

On Tue, Aug 29, 2000 at 01:26:19PM +1000, Ian Harris wrote:
>
> Hi people, I just wanted to see if anyone's got the pptp client for linux
> working. I can get it to connect and get through the initial ppp
> authentication, but after that it fails to transfer any data.

That's exactly where I got to - I set up the routes but could never get data through, although Windows clients worked fine.

Gareth

From david_luyer at pacific.net.au Tue Aug 29 06:41:38 2000
From: david_luyer at pacific.net.au (David Luyer)
Date: Tue, 29 Aug 2000 22:41:38 +1100
Subject: [pptp-server] Patch for pptpd-1.0.0
In-Reply-To: Message from David Luyer of "Tue, 29 Aug 2000 13:57:49 +1100." <200008290257.e7T2vnp25542@typhaon.pacific.net.au>
References: <200008290257.e7T2vnp25542@typhaon.pacific.net.au>
Message-ID: <200008291141.e7TBfcp02000@typhaon.pacific.net.au>

Also looked into the out of order packet problem. I think you can see what's happening here... look at the client IPs and times!

Aug 29 21:20:44 kryten pptpd[1848]: CTRL: Client 203.143.254.228 control connection started
Aug 29 21:20:44 kryten pptpd[1848]: CTRL: Starting call (launching pppd, opening GRE)
Aug 29 21:20:44 kryten pptpd[1848]: GRE: Discarding duplicate packet
Aug 29 21:35:07 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 0)
Aug 29 21:35:07 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 1)
Aug 29 21:35:10 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 2)
Aug 29 21:35:10 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 3)
[...]
Aug 29 21:44:26 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 2891)
Aug 29 21:44:26 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 2892)
Aug 29 21:44:26 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 2893)
Aug 29 21:44:26 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 2894)
Aug 29 21:44:26 kryten pptpd[1848]: GRE: Discarding out of order packet (expected: 2896 received: 2895)
Aug 29 21:44:26 kryten pptpd[1848]: GRE: Discarding duplicate packet
Aug 29 21:35:07 kryten pptpd[1908]: CTRL: Client 203.143.254.228 control connection started
Aug 29 21:35:07 kryten pptpd[1908]: CTRL: Starting call (launching pppd, opening GRE)
Aug 29 21:35:07 kryten pptpd[1908]: GRE: Discarding duplicate packet
Aug 29 22:06:42 kryten pptpd[1908]: GRE: Discarding out of order packet (expected: 4740 received: 0)
Aug 29 22:06:43 kryten pptpd[1908]: GRE: Discarding out of order packet (expected: 4740 received: 1)
Aug 29 22:06:42 kryten pptpd[2064]: CTRL: Client 203.143.254.228 control connection started
Aug 29 22:06:42 kryten pptpd[2064]: CTRL: Starting call (launching pppd, opening GRE)
Aug 29 22:06:42 kryten pptpd[2064]: GRE: Discarding duplicate packet

Client brings up new connection, old connection sees packets from new connection, old connection sits around listening to packets for some time.

The thing is, we've just switched one network portion over to pptpd and we've had 5 clients do this within the first day (as well as a couple of dozen processes doing the infinite loop I've sent a patch off to Matt for). So I'll see what I can do about this one too.
Never saw either problem to any significant degree at UWA - and we had around 64 simultaneous Ethernet-connected PPTP clients there; we're running around the same number here (on the first day though - it may increase; the connection is via 2Mbps AiroNet bridges to an Ethernet-wired building, but essentially similar), but seeing a whole new set of problems straight off.

David.

--
----------------------------------------------
David Luyer
Senior Network Engineer
Pacific Internet (Aust) Pty Ltd
Phone: +61 3 9674 7525
Fax: +61 3 9699 8693
Mobile: +61 4 1064 2258, +61 4 1114 2258
http://www.pacific.net.au NASDAQ: PCNTF
<< fast 'n easy >>
----------------------------------------------

From aludwig at imagestor.com Tue Aug 29 12:25:06 2000
From: aludwig at imagestor.com (Al Ludwig)
Date: Tue, 29 Aug 2000 13:25:06 -0400
Subject: [pptp-server] How do I Uninstall PoPToP?
In-Reply-To: <005701c00e79$a1070f40$4d00a8c0@qld.bigpond.net.au>
Message-ID:

Hello,

Is there a quick and easy way to stop PoPToP from running on my machine? I installed the RPM to perform a quick test on connectivity, and I want to install the tarball now in order to use MPPE-128 etc. What would my best course of action be?

Thank you,

Al Ludwig

From aludwig at imagestor.com Tue Aug 29 14:19:50 2000
From: aludwig at imagestor.com (Al Ludwig)
Date: Tue, 29 Aug 2000 15:19:50 -0400
Subject: [pptp-server] How do I Uninstall PoPToP?
In-Reply-To: <39ABF45F.B6027FE2@cardinalengineering.com>
Message-ID:

I'm sorry, I should have mentioned in my first email that the RPM manager is telling me that the package is not installed... How can I manually disable it?

-AL

-----Original Message-----
From: yan at cardinalengineering.com [mailto:yan at cardinalengineering.com]
Sent: Tuesday, August 29, 2000 1:35 PM
To: Al Ludwig
Subject: Re: [pptp-server] How do I Uninstall PoPToP?

rpm -e
man rpm

--Yan

Al Ludwig wrote:
>
> Hello,
>
> Is there a quick and easy way to stop PoPToP from running on my machine? I
> installed the RPM to perform a quick test on connectivity; and I want to
> install the tarball now in order to use MPPE-128 etc. What would my best
> course of action be?
>
> Thank you,
>
> Al Ludwig
>

From aludwig at imagestor.com Tue Aug 29 15:21:17 2000
From: aludwig at imagestor.com (Al Ludwig)
Date: Tue, 29 Aug 2000 16:21:17 -0400
Subject: [pptp-server] Installing PoPToP; missing files?
In-Reply-To:
Message-ID:

In file included from ppp_mppe.c:67:
rc4_enc.c:60: rc4_locl.h: No such file or directory
make[1]: *** [ppp_mppe.o] Error 1
make[1]: Leaving directory `/usr/src/linux-2.2.14/drivers/net'
make: *** [_mod_drivers/net] Error 2

This is an excerpt from "make modules", and below is the error from trying to insert the MPPE module:

[root at LNX linux]# insmod ppp_mppe
insmod: ppp_mppe: no module by that name found

Can anyone tell me where to get ppp_mppe.o? And if anyone can tell me where to find it, where do I put it?

Thanks,
AL

PS: I'm using ppp-2.3.8 w/ SSLeay-0.9.0b; I was trying to duplicate the HOWTO versions of software exactly since I've been unsuccessful at making this work.

From kennya at carlislefsp.com Tue Aug 29 15:36:38 2000
From: kennya at carlislefsp.com (Kenny Austin)
Date: Tue, 29 Aug 2000 15:36:38 -0500
Subject: [pptp-server] How do I Uninstall PoPToP?
In-Reply-To:
Message-ID: <001a01c011f8$d5a2ed00$5f020a0a@kennya>

Are you trying to do "rpm -e pptpd-1.0.0-1.i386.rpm"? If so you need to run "rpm -e pptpd", should work..

If that still didn't work, or you just want to make sure it can't run, then edit /etc/inittab and put a # in front of (or delete) the line that looks something like:

pptp:35:respawn:/usr/sbin/pptpd -f

If it was in there you will probably need to turn it off now; the easiest way would be to reboot the machine. If this is not possible, type "ps -ef" and you should find a line in there something like this:

root XXXX 1 0 16:54 ? 00:00:00 /usr/sbin/pptpd -f

pptpd being what you want to look for... where XXXX will be a number; then type "kill -9 ####" to shut up the pptpd daemon and all is good...

I might have made this too simple, but I wanted to try covering all the bases... most was from my head, so if I screwed something up just let me know,

Kenny Austin
kennya at carlislefsp.com

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Al Ludwig
Sent: Tuesday, August 29, 2000 2:20 PM
To: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] How do I Uninstall PoPToP?

I'm sorry, I should have mentioned in my first email that the RPM manager is telling me that the package is not installed... How can I manually disable it?

-AL

-----Original Message-----
From: yan at cardinalengineering.com [mailto:yan at cardinalengineering.com]
Sent: Tuesday, August 29, 2000 1:35 PM
To: Al Ludwig
Subject: Re: [pptp-server] How do I Uninstall PoPToP?

rpm -e
man rpm

--Yan

Al Ludwig wrote:
>
> Hello,
>
> Is there a quick and easy way to stop PoPToP from running on my machine? I
> installed the RPM to perform a quick test on connectivity; and I want to
> install the tarball now in order to use MPPE-128 etc. What would my best
> course of action be?
>
> Thank you,
>
> Al Ludwig
>

From aludwig at imagestor.com Tue Aug 29 16:17:31 2000
From: aludwig at imagestor.com (Al Ludwig)
Date: Tue, 29 Aug 2000 17:17:31 -0400
Subject: [pptp-server] How do I Uninstall PoPToP?
In-Reply-To: <001a01c011f8$d5a2ed00$5f020a0a@kennya>
Message-ID:

Kenny,

Thank you very much for the answers; I've killed it, now on to installing again. I'm still attempting to make my data encryption work. I've got it connecting OK w/o data encryption using MS-CHAP V2, and routing is all working (so far). I think that rc4_locl.h was the file keeping it from compiling normally. I'm re-running the makefiles and I'll let you guys know...

Brian, I'm almost positive that the rc4_locl.h being copied over as well is going to fix it, thanks for the tip.

On another subject, I'm using 192.168.0.x and 192.168.1.x IPs on a /24 subnet internally; the Linux system is acting as a router between the two networks. I'd like to make all of my VPN clients come in on the 192.168.2.x/24 network. When PoPToP is configured to use the 192.168.2.x network, I can't reach the other two nets. Is this something that needs to be configured within ipchains or does PoPToP handle this as well?

Talk to you all soon,
AL

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Kenny Austin
Sent: Tuesday, August 29, 2000 4:37 PM
To: 'Al Ludwig'; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] How do I Uninstall PoPToP?

Are you trying to do "rpm -e pptpd-1.0.0-1.i386.rpm"? If so you need to run "rpm -e pptpd", should work..

If that still didn't work, or you just want to make sure it can't run, then edit /etc/inittab and put a # in front of (or delete) the line that looks something like:

pptp:35:respawn:/usr/sbin/pptpd -f

If it was in there you will probably need to turn it off now; the easiest way would be to reboot the machine. If this is not possible, type "ps -ef" and you should find a line in there something like this:

root XXXX 1 0 16:54 ? 00:00:00 /usr/sbin/pptpd -f

pptpd being what you want to look for... where XXXX will be a number; then type "kill -9 ####" to shut up the pptpd daemon and all is good...

I might have made this too simple, but I wanted to try covering all the bases... most was from my head, so if I screwed something up just let me know,

Kenny Austin
kennya at carlislefsp.com

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Al Ludwig
Sent: Tuesday, August 29, 2000 2:20 PM
To: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] How do I Uninstall PoPToP?

I'm sorry, I should have mentioned in my first email that the RPM manager is telling me that the package is not installed... How can I manually disable it?

-AL

-----Original Message-----
From: yan at cardinalengineering.com [mailto:yan at cardinalengineering.com]
Sent: Tuesday, August 29, 2000 1:35 PM
To: Al Ludwig
Subject: Re: [pptp-server] How do I Uninstall PoPToP?

rpm -e
man rpm

--Yan

Al Ludwig wrote:
>
> Hello,
>
> Is there a quick and easy way to stop PoPToP from running on my machine? I
> installed the RPM to perform a quick test on connectivity; and I want to
> install the tarball now in order to use MPPE-128 etc. What would my best
> course of action be?
>
> Thank you,
>
> Al Ludwig
>

From kennya at carlislefsp.com Tue Aug 29 16:59:29 2000
From: kennya at carlislefsp.com (Kenny Austin)
Date: Tue, 29 Aug 2000 16:59:29 -0500
Subject: [pptp-server] How do I Uninstall PoPToP?
In-Reply-To:
Message-ID: <001e01c01204$68aa6320$5f020a0a@kennya>

ipchains will need to be set up to allow forwarding between the 192.168.0.x and 192.168.1.x (intranet) and the (VPN) 192.168.2.x, unless the default policy for it is already to forward (if this is the case, why use a VPN???)

/sbin/ipchains -b -A forward -s 192.168.0.0/24 -d 192.168.2.0/24 -j ACCEPT
/sbin/ipchains -b -A forward -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT

This isn't the strongest firewall policy, but it is the quickest; check out the ipchains HOWTO for something a LOT better. This is also assuming that you don't have any input or output rule, or any other rule already in the forward policy, that would block us from forwarding these networks to each other... or anything set up wrong in the /etc/ppp/options or /etc/pptpd.conf. Of course your Linux box is set as the router for all of these networks, or at least as the router for the connected networks...

Let me know how this goes.

Oh, and I noticed from another post that you are using the 2.2.14 kernel; as a general rule use the latest stable (2.2.16). I think Red Hat has the updates for this, and the link below helped me a lot in getting the encryption going nicely.

http://lists.schulte.org/pipermail/pptp-server/2000-August/002981.html

kenny austin, kennya at carlislefsp.com

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Al Ludwig
Sent: Tuesday, August 29, 2000 4:18 PM
To: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] How do I Uninstall PoPToP?

Kenny,

Thank you very much for the answers; I've killed it, now on to installing again. I'm still attempting to make my data encryption work. I've got it connecting OK w/o data encryption using MS-CHAP V2, and routing is all working (so far). I think that rc4_locl.h was the file keeping it from compiling normally. I'm re-running the makefiles and I'll let you guys know...

Brian, I'm almost positive that the rc4_locl.h being copied over as well is going to fix it, thanks for the tip.

On another subject, I'm using 192.168.0.x and 192.168.1.x IPs on a /24 subnet internally; the Linux system is acting as a router between the two networks. I'd like to make all of my VPN clients come in on the 192.168.2.x/24 network. When PoPToP is configured to use the 192.168.2.x network, I can't reach the other two nets. Is this something that needs to be configured within ipchains or does PoPToP handle this as well?

Talk to you all soon,
AL
From larrydog at coqui.net Wed Aug 30 07:30:57 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Wed, 30 Aug 2000 08:30:57 -0400
Subject: [pptp-server] pptpd processes not killed after disconnect
Message-ID: <39ACFE81.3801473@coqui.net>

Hello:

I'm getting pptpd processes that are remaining active after closing the connection from my pptp linux clients. Has anyone encountered this? See process 557 below, which has been going since yesterday. (The only way to kill it was with: kill -HUP 557.) 1939 and 2055 are today's connections (one is from the same machine as process 557). Has anyone encountered this?

LR

  PID TTY   STAT TIME    COMMAND
    1 ?     S    0:04    init [3]
    2 ?     SW   0:00    [kflushd]
    3 ?     SW   0:00    [kupdate]
    4 ?     SW   0:00    [kpiod]
    5 ?     SW   0:00    [kswapd]
  102 ?     S    0:00    /sbin/rpc.portmap
  106 ?     R    634:24  /usr/sbin/syslogd
  109 ?     S    0:00    /usr/sbin/klogd -c 3
  111 ?     S    0:00    /usr/sbin/inetd
  113 ?     S    0:00    /usr/sbin/lpd
  115 ?     S    0:00    /usr/sbin/rpc.mountd
  118 ?     S    0:00    /usr/sbin/rpc.nfsd
  120 ?     S    0:00    /usr/sbin/crond -l10
  122 ?     S    0:00    /usr/sbin/atd -b 15 -l 1
  129 ?     S    0:00    sendmail: accepting connections on port 25
  133 ?     S    0:00    /usr/sbin/apmd
  136 ?     S    0:00    /var/lib/apache/sbin/httpd
  138 ?     S    0:00    /var/lib/apache/sbin/httpd
  139 ?     S    0:00    /var/lib/apache/sbin/httpd
  140 ?     S    0:00    /var/lib/apache/sbin/httpd
  141 ?     S    0:00    /var/lib/apache/sbin/httpd
  142 ?     S    0:00    /var/lib/apache/sbin/httpd
  143 ?     S    0:00    /usr/sbin/smbd -D
  145 ?     S    0:00    /usr/sbin/nmbd -D
  147 ?     S    0:00    /usr/sbin/nmbd -D
  164 ?     S    0:00    /usr/local/sbin/pptpd -d
  166 ?     S    0:00    /usr/local/sbin/radiusd
  168 ?     S    0:00    /usr/local/sbin/radiusd
  176 ?     S    0:00    /usr/sbin/pppd -detach file /etc/ppp/options.coqui co
  178 ?     S    0:00    /usr/local/psionic/portsentry/portsentry -tcp
  180 ?     S    0:00    /usr/local/psionic/portsentry/portsentry -udp
  181 tty1  S    0:00    /sbin/agetty 38400 tty1 linux
  182 tty2  S    0:00    /sbin/agetty 38400 tty2 linux
  183 tty3  S    0:00    /sbin/agetty 38400 tty3 linux
  184 tty4  S    0:00    /sbin/agetty 38400 tty4 linux
  185 tty5  S    0:00    /sbin/agetty 38400 tty5 linux
  186 tty6  S    0:00    /sbin/agetty 38400 tty6 linux
  557 ?     R    805:03  pptpd [196.42.53.240]
 1939 ?     S    0:00    pptpd [196.42.31.169]
 1940 ?     S    0:00    /usr/sbin/pppd local file /etc/ppp/options.pptpd 1152
 2025 ?     S    0:00    /usr/sbin/smbd -D
 2055 ?     S    0:00    pptpd [196.42.31.147]
 2057 ?     S    0:00    /usr/sbin/pppd local file /etc/ppp/options.pptpd 1152
 2080 ?     S    0:09    /usr/sbin/smbd -D
 2083 ?     S    0:00    in.telnetd: ppp-196-42-31-119.coqui.net
 2084 pts/2 S    0:00    -bash
 2095 pts/2 S    0:00    bash
 2106 pts/2 R    0:00    ps ax

From: ajlill at ajlc.waterloo.on.ca (Tony Lill)
Date: Wed, 30 Aug 2000 12:55:29 EDT
Subject: [pptp-server] pptpd processes not killed after disconnect
In-Reply-To: Your message of "Wed, 30 Aug 2000 08:30:57 EDT." <39ACFE81.3801473@coqui.net>
Message-ID: <200008301655.MAA18061@spider.ajlc.waterloo.on.ca>

If it's also blithering in the log files and filling up your disk, it's an old bug. Here's the patch:

Index: network/vpn/pptpd/pptpctrl.c
diff -c network/vpn/pptpd/pptpctrl.c:1.1.1.1 network/vpn/pptpd/pptpctrl.c:1.2
*** network/vpn/pptpd/pptpctrl.c:1.1.1.1	Sat Sep 4 20:41:42 1999
--- network/vpn/pptpd/pptpctrl.c	Mon Nov 8 11:21:28 1999
***************
*** 460,465 ****
--- 460,468 ----
  break;
  case STOP_CTRL_CONN_RPLY:
  goto skip;
+ case 0:
+ /* Read error, bail */
+ goto skip;
  default:
  syslog(LOG_WARNING, "CTRL: Unexpected control message %d in disconnect sequence", pkt);
  }

--
Tony Lill, Tony.Lill at AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants                fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2    (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
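Review bot: the new `case 0:` treats a zero `pkt` as a read error and jumps to `skip`, but the hunk does not show how `pkt` is obtained; if the read helper returns a negative value on error and 0 only on end-of-file, a genuine error still falls into `default:`, which only logs "CTRL: Unexpected control message %d in disconnect sequence" and keeps looping, which is the never-exiting, log-flooding behaviour this thread describes. Suggest confirming that return convention and, if it is the usual 0/-1 split, guarding before the switch with `if (pkt <= 0) goto skip;` so both EOF and error end the disconnect sequence, and changing the comment to say which of the two the `0` actually denotes.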
From: jmr504 at hotmail.com (J R)
Date: Wed, 30 Aug 2000 18:31:54 CDT
Subject: [pptp-server] VPN under Windows NT network (Sygate)

Hello!

At my office, we have an NT domain. Internet comes through ADSL through one machine (gateway, 192.168.0.7). I am using Sygate for this.

I setup a Linux box (RH 6.2) w/ PoPToP to cheaply and quickly accomplish a VPN. The VPN works great internally (using 192.168.0.x addressing only). However, the same machine that will connect to the linux box locally cannot if the connection is going to the Internet address (DSL).

In Sygate's apprule.cfg, I have opened port 1723. Must I open any others? I.e. 47? (If so, any ideas on HOW. From what I can make of the apprule.cfg it only applies to TCP ports.)

Any other suggestions?

Thanks.
Jonathan

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
Share information about yourself, create your own public profile at http://profiles.msn.com.

From: jmr504 at hotmail.com (J R)
Date: Wed, 30 Aug 2000 19:36:16 CDT
Subject: [pptp-server] Further investigation into Sygate

I have determined that Sygate can open both TCP and UDP. Is GRE (47) UDP?

Also, what is a good reference to learn the various protocols?

Thanks.
Jonathan
From: jvonau at home.com (Jerry Vonau)
Date: Wed, 30 Aug 2000 20:15:38 -0500
Subject: [pptp-server] VPN under Windows NT network (Sygate)
Message-ID: <39ADB1BA.441588F1@home.com>

Replace Sygate with the linux box and let it masq the private lan. Not too sure on how to do the DSL part, but I'm sure if you ask someone will help.

Jerry Vonau

J R wrote:
From: westers at versifit.com (Steve Westerhouse)
Date: Wed, 30 Aug 2000 20:25:35 -0500
Subject: [pptp-server] Problems accessing private PPTP server behind linux firwall.
Message-ID: <009501c012ea$5e22cc80$034ba8c0@bugs>

I have a Windows PPTP server running on our local (private) network that I want to be able to access through our Linux (RedHat6.2 2.2.14) gateway. I recompiled and patched the kernel to allow PPTP to be masq. Port forwarding is also enabled. All our internal VPN clients can connect with external VPN servers. I setup ipmasqadm to forward port 1723 (tcp) and 500 (udp) packets to our internal machine. I'm getting close because now it gets stuck on the "Verifying username and password" instead of no connection at all. What am I missing?

NOTE: The Linux box has two internal NICs. One's private, the other is public.

thanks for your help.

Steve Westerhouse
Senior Developer/Architect
westers at versifit.com
From: jvonau at home.com (Jerry Vonau)
Date: Wed, 30 Aug 2000 21:06:08 -0500
Subject: [pptp-server] Problems accessing private PPTP server behind linux firwall.
References: <009501c012ea$5e22cc80$034ba8c0@bugs>
Message-ID: <39ADBD90.1875A385@home.com>

Should that not be P47 that gets forwarded? You need ipfwd for that. 500 udp is for ipsec, not PPTP.

Jerry Vonau

Steve Westerhouse wrote:
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Wed, 30 Aug 2000 22:58:08 -0500
Subject: [pptp-server] Problems accessing private PPTP server behind linux firwall.
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4F2@defiant.infohiiway.com>

I've been running a masq'd PPTP server for months now. On my linux firewall (not the masq'd PopTop server) I "port forward" TCP/1723, not UDP/1723, and protocol 47 (GRE). I use ipmasqadm to port forward TCP/1723 and ipfwd to forward protocol 47. FWIW: Port 500 and proto 50/51 are used for IPSEC VPNs.

Also, don't forget to load the ip_masq_pptp.o module along with ACCEPTing the corresponding ports/protos in your ipchains rules on your firewall system.

For reference: the corresponding port/proto rules needed to allow inbound pptp connections to a masq'd PopTop and/or NT PPTP server. NOTE: The x.x.x.x is the external IP address of my firewall.

[root at firewall] # ipmasqadm portfw -l -n
prot localaddr            rediraddr               lport    rport  pcnt  pref
TCP  x.x.x.x              192.168.9.3              1723     1723    10    10

[root at firewall] # ipchains -L input -n | grep 1723
ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1723

[root at firewall] # ipchains -L input -n | grep 47
ACCEPT     47   ------  0.0.0.0/0            x.x.x.x               n/a

[root at firewall] # ps auwx | grep ipfwd
root       950  0.0  0.7   788  240 ?        S    Aug 28   0:00 ipfwd --masq 192.168.9.3 47

Steve Cowles

-----Original Message-----
From: Steve Westerhouse [mailto:westers at versifit.com]
Sent: Wednesday, August 30, 2000 8:26 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Problems accessing private PPTP server behind linux firwall.

From: paul at kcbbs.gen.nz (Paul Kendall)
Date: Thu, 31 Aug 2000 21:49:01 +1200
Subject: [pptp-server] Problems accessing private PPTP server behind linux firwall.
In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE4F2@defiant.infohiiway.com>

How come everybody mentions using ipfwd for forwarding GRE? I have PoPToP running behind my linux masq'd firewall and don't need that. I do have the ip_masq_pptp module loaded and I also portfwd my 1723 port with ipmasqadm to the poptop machine as well.

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Cowles, Steve
Sent: Thursday, 31 August 2000 3:58 p.m.
To: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] Problems accessing private PPTP server behind linux firwall.

From: kris at netsoft.ee (Kristian Liivak)
Date: Thu, 31 Aug 2000 12:33:18 +0300
Subject: [pptp-server] Problems accessing private PPTP server behind linux firwall.
In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE4F2@defiant.infohiiway.com>
Message-ID: <000901c0132e$7fa24c20$e6acfac3@netsoft.ee>

Hi

Does anyone know how to do the same thing with FreeBSD 4.0 ipfw? Or some kernel module?

regards,
----------------------------
Kristian Liivak
NetSoft Systems Ltd.
Tõnismägi 3a, 10119 Tallinn
ESTONIA
Tel: +3726461191
Fax: +372 6461074
E-Mail: kris at netsoft.ee

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Cowles, Steve
Sent: 31. august 2000. a. 6:58
To: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] Problems accessing private PPTP server behind linux firwall.
From: kimoppalfens at freegates.be (kim oppalfens)
Date: Thu, 31 Aug 2000 14:22:27 +0200
Subject: [pptp-server] Poptop and port 47
Message-ID: <007701c01346$90702140$c00f23d4@kopl>

Hi,

I am running poptop version 0.9.1 on a Linux Router Project based pc. The problem I have is when I try to connect from the outside, a pc connected to the internet somewhere, I cannot connect. (It stops during the verify username and password.) If I do the same from my internal net I can connect without any problem.

In my firewall rules I let 1723 and 47 through the firewall. Which brings me to the probable cause of my problem. My isp is blocking a lot of ports under the 1024 boundary. These ports are denied for anyone not coming from my isp's network. So the 47 port is probably locked. Can anyone tell me what this port 47 is for? And if there is any way to change the port to something above the 1024 boundary. If so what should I do to tell the windows vpn clients to use the other port?

Tnx in advance
Kim Oppalfens
From: kimoppalfens at freegates.be (kim oppalfens)
Date: Thu, 31 Aug 2000 16:57:33 +0200
Subject: [pptp-server] Poptop and port 47
References: <20000831141852.1818.rocketmail@web221.mail.yahoo.com>
Message-ID: <004101c0135c$2c9dec40$d90f23d4@kopl>

Huh? I am pretty much confused right now. How do I specify a firewall rule to allow a specific protocol through? And should I open up a specific port in my firewall for this 47 protocol? Is there something happening on port 47 that is pptp related??

> It's protocol 47 (GRE) which you have to forward (not
> port 47).
>
> -Scott
> --- kim oppalfens wrote:
From: j.krigovszky at wirtschaftsblatt.at (Josef Krigovszky)
Date: Thu, 31 Aug 2000 14:41:28 +0200
Subject: [pptp-server] Please help with pptp-server problems

I set up a pptp-server under linux (suse 6.4) and a windows 2000 client, as described in the pptp howto. I am using an ethernet-lan connection for the tunnel. Whenever I try to connect with the windows 2000 client, I get the following log entries in the pptp.log. I hope someone can help me with this problem because I have no clue what's wrong.

Aug 31 11:31:37 test pptpd[2502]: MGR: Reaped child 2503
Aug 31 11:51:34 test pptpd[2543]: MGR: Manager process started
Aug 31 11:51:37 test pptpd[2544]: MGR: Launching /usr/sbin/pptpctrl to handle client
Aug 31 11:51:37 test pptpd[2544]: CTRL: local address = 10.1.72.15
Aug 31 11:51:37 test pptpd[2544]: CTRL: remote address = 10.1.72.41
Aug 31 11:51:37 test pptpd[2544]: CTRL: pppd speed = 115200
Aug 31 11:51:37 test pptpd[2544]: CTRL: Client 192.168.0.2 control connection started
Aug 31 11:51:37 test pptpd[2544]: CTRL: Received PPTP Control Message (type: 1)
Aug 31 11:51:37 test pptpd[2544]: CTRL: Made a START CTRL CONN RPLY packet
Aug 31 11:51:37 test pptpd[2544]: CTRL: I wrote 156 bytes to the client.
Aug 31 11:51:37 test pptpd[2544]: CTRL: Sent packet to client
Aug 31 11:51:40 test pptpd[2544]: CTRL: Received PPTP Control Message (type: 7)
Aug 31 11:51:40 test pptpd[2544]: CTRL: Set parameters to 1525 maxbps, 64 window size
Aug 31 11:51:40 test pptpd[2544]: CTRL: Made a OUT CALL RPLY packet
Aug 31 11:51:40 test pptpd[2544]: CTRL: Starting call (launching pppd, opening GRE)
Aug 31 11:51:40 test pptpd[2544]: CTRL: pty_fd = 4
Aug 31 11:51:40 test pptpd[2544]: CTRL: tty_fd = 5
Aug 31 11:51:40 test pptpd[2545]: CTRL (PPPD Launcher): Connection speed = 115200
Aug 31 11:51:40 test pptpd[2544]: CTRL: I wrote 32 bytes to the client.
Aug 31 11:51:40 test pptpd[2544]: CTRL: Sent packet to client
Aug 31 11:51:40 test pptpd[2544]: CTRL: Received PPTP Control Message (type: 15)
Aug 31 11:51:40 test pptpd[2544]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Aug 31 11:51:40 test pptpd[2545]: CTRL (PPPD Launcher): local address = 10.1.72.15
Aug 31 11:51:40 test pptpd[2545]: CTRL (PPPD Launcher): remote address = 10.1.72.41
Aug 31 11:51:40 test pptpd[2544]: GRE: Discarding duplicate packet
Aug 31 11:51:42 test pptpd[2544]: GRE: read(fd=4,buffer=804dac0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 31 11:51:42 test pptpd[2544]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Aug 31 11:51:42 test pptpd[2544]: CTRL: Client 192.168.0.2 control connection finished
Aug 31 11:51:42 test pptpd[2544]: CTRL: Exiting now

thanks in advance,
Josef Krigovszky
From: emmet___ at yahoo.com (S.Ecker)
Date: Thu, 31 Aug 2000 07:18:52 -0700 (PDT)
Subject: [pptp-server] Poptop and port 47
Message-ID: <20000831141852.1818.rocketmail@web221.mail.yahoo.com>

It's protocol 47 (GRE) which you have to forward (not port 47).

-Scott

--- kim oppalfens wrote:
From: gord at amador.ca (Gord Belsey)
Date: Thu, 31 Aug 2000 10:18:29 -0600
Subject: [pptp-server] Further investigation into Sygate
Message-ID: <09f401c01367$1aaa9500$280111ac@amadorinc.com>

TCP is IP PROTOCOL 6 and UDP is IP PROTOCOL 17. GRE is IP PROTOCOL 47.

O'Reilly's TCP/IP Illustrated is a good IP book, although I'm sure there are lots of others, as well as some good web pages. Try searching on TCP/IP reference or something like that. You'll probably get a ton'o'stuff to read :o)

Hope this is helpful

Gord Belsey

----- Original Message -----
From: J R
Sent: Wednesday, August 30, 2000 6:36 PM
Subject: [pptp-server] Further investigation into Sygate

From: gord at amador.ca (Gord Belsey)
Date: Thu, 31 Aug 2000 10:15:32 -0600
Subject: [pptp-server] Poptop and port 47
References: <007701c01346$90702140$c00f23d4@kopl>
Message-ID: <09ee01c01366$b0ce35b0$280111ac@amadorinc.com>

PPTP uses TCP port 1723 and PROTOCOL 47..... use -p 47 in your firewall ruleset to open it up (for ipchains, anyway).

Hope this helps

Gord Belsey

----- Original Message -----
From: kim oppalfens
Sent: Thursday, August 31, 2000 6:22 AM
Subject: [pptp-server] Poptop and port 47
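Scott's and Gord's point above (GRE is IP protocol 47, a sibling of TCP = 6 and UDP = 17, not a port number) is easiest to see in the packet headers themselves. The following Python is an added example, not code from this thread or from PoPToP: it builds two constructed packets, a TCP/1723 control-connection SYN and a PPTP enhanced-GRE data packet laid out as in RFC 2637, classifies each by reading the IP protocol field, and models a stateless firewall rule to show that a "tcp port 47" or "udp port 47" rule can never match the GRE packet while a protocol-47 rule does. The addresses, ports and call ID are made up.

```python
"""Tell PPTP's two channels apart on the wire: TCP/1723 control vs GRE (IP protocol 47) data."""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47
PPTP_CONTROL_PORT = 1723
GRE_PPP_TYPE = 0x880B   # protocol type carried in PPTP's enhanced GRE header (RFC 2637)


def ip4(dotted):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip4(src), ip4(dst))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header with only the ports populated (SYN flag set)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def gre_pptp_header(call_id, payload_len=0):
    """PPTP enhanced GRE header: K bit set (0x2000), version 1, protocol type 0x880B,
    payload length, call ID. There is no port field anywhere in this header."""
    return struct.pack("!HHHH", 0x2000 | 1, GRE_PPP_TYPE, payload_len, call_id)


def classify(pkt):
    """Return (label, detail) for a raw IPv4 packet, keyed on the IP protocol byte."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("malformed", None)
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_GRE:
        if len(payload) < 8:
            return ("malformed", None)
        flags_ver, ptype, _length, call_id = struct.unpack("!HHHH", payload[:8])
        if (flags_ver & 0x0007) == 1 and ptype == GRE_PPP_TYPE:
            return ("pptp-data", call_id)        # identified by call ID, not by a port
        return ("gre-other", ptype)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(payload) < 4:
            return ("malformed", None)
        sport, dport = struct.unpack("!HH", payload[:4])
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            return ("pptp-control", (sport, dport))
        return ("tcp-other" if proto == IPPROTO_TCP else "udp-other", (sport, dport))
    return ("ip-proto-%d" % proto, None)


def rule_matches(pkt, proto, port=None):
    """Model a stateless firewall rule: 'proto' is an IP protocol number and 'port'
    an optional destination port. Ports exist only in TCP and UDP, so a rule such as
    'tcp dport 47' can never match a GRE packet, whatever port number it names."""
    if len(pkt) < 20 or pkt[9] != proto:
        return False
    if port is None:
        return True
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return False                             # GRE carries no port field
    ihl = (pkt[0] & 0x0F) * 4
    _sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return dport == port


# Constructed packets: a client opening the control connection, and one GRE data packet
CONTROL_PKT = ipv4_header(IPPROTO_TCP, "10.0.0.2", "192.168.9.3", 20) + tcp_header(1042, 1723)
DATA_PKT = ipv4_header(IPPROTO_GRE, "10.0.0.2", "192.168.9.3", 8) + gre_pptp_header(call_id=7)

if __name__ == "__main__":
    for name, pkt in (("control", CONTROL_PKT), ("data", DATA_PKT)):
        print(name, classify(pkt),
              "tcp/1723:", rule_matches(pkt, IPPROTO_TCP, 1723),
              "tcp/47:", rule_matches(pkt, IPPROTO_TCP, 47),
              "proto 47:", rule_matches(pkt, IPPROTO_GRE))
```

Run directly it prints both classifications and the three rule checks. The same classify function works on any raw IPv4 packet, for instance one read from a raw socket on the firewall, which makes it a quick way to confirm that a gateway in front of a PPTP server is really passing protocol 47 and not only TCP/1723.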
From: gord at amador.ca (Gord Belsey)
Date: Thu, 31 Aug 2000 10:29:22 -0600
Subject: [pptp-server] VPN under Windows NT network (Sygate)
References: <39ADB1BA.441588F1@home.com>
Message-ID: <0a0001c01368$9f267c80$280111ac@amadorinc.com>

If you were to follow Jerry's (good) advice, you'd use ipchains under linux with the vpn-masq patch. You also could use the PoPToP linux box for both the vpn and the firewall....set up ipchains, and drop it in place of the sygate. If you did this, you don't have to worry about the vpn-masq patch.

A note about DSL: I run ipchains firewall and PoPToP (on the same box) over DSL. It works fine (I also do it over cablemodems - no problems). However, I had one DSL connection (sympatico in Canada) that used PPPoE (PPP over Ethernet). This was a nightmare.....PPPoE for linux (about a year ago) wasn't ready for primetime. Seems to be better now (roaring penguin seems to keep people happy...) but I swapped it for cablemodem access. The point is watch out for PPPoE with DSL, as it adds some "hoops" to setting up linux firewalls/vpns.

Hope this is helpful

Gord Belsey

----- Original Message -----
From: Jerry Vonau
To: J R
Sent: Wednesday, August 30, 2000 7:15 PM
Subject: Re: [pptp-server] VPN under Windows NT network (Sygate)
From: don at darkphoton.com (Don Laursen)
Date: Thu, 31 Aug 2000 10:26:47 -0600
Subject: [pptp-server] Poptop and port 47
References: <007701c01346$90702140$c00f23d4@kopl>
Message-ID: <017e01c01368$459e9080$1287f99f@nis001>

I've tried the same thing, with the same result, but have reached a couple of different conclusions:

1. The LRP image uses the ip utility and doesn't have ifconfig and route - for the PPP ip-up, ip-down scripts - I think. But even after adding ifconfig and route, it still didn't work.
2. I think the kernel needs to be patched to support GRE packets. The log shows failure when negotiating LCP config parameters.

Don Laursen

----- Original Message -----
From: "kim oppalfens"
Sent: Thursday, August 31, 2000 6:22 AM
Subject: [pptp-server] Poptop and port 47
From: spinneyj at flashcom.net (Jeff Spinney)
Date: 31 Aug 2000 09:46:12 -0700
Subject: [pptp-server] PPTP setup/connect problem
Message-ID: <20000831164612.21785.cpmta@c014.sfo.cp.net>

An embedded and charset-unspecified text was scrubbed...

From: spinneyj at flashcom.net (Jeff Spinney)
Date: 31 Aug 2000 09:46:42 -0700
Subject: [pptp-server] PPTP setup/connect problem
Message-ID: <20000831164642.21808.cpmta@c014.sfo.cp.net>

An embedded and charset-unspecified text was scrubbed...
From: jspinney at securify.com (Jeff Spinney)
Date: Thu, 31 Aug 2000 12:41:52 -0400
Subject: [pptp-server] PPTP problem with win2000 client
Message-ID: <000601c0136a$b5e3a4f0$e7010a0a@jspinney>

Hi... I was wondering if anybody on this list might know what I did incorrectly to get this error log in the /var/log/pptpd.log file. I am running Mandrake 7.1 on my server, trying to connect with a win 2000 vpn client. The error message I get on the client system is "error 619: the specified port is not connected".

Thanks in advance,
-j

[root at gweep log]# more pptpd.log
Aug 31 12:20:34 gweep pptpd[12070]: CTRL: Client 12.38.211.39 control connection started
Aug 31 12:20:34 gweep pptpd[12070]: CTRL: Starting call (launching pppd, opening GRE)
Aug 31 12:20:34 gweep pppd[12071]: pppd 2.3.11 started by root, uid 0
Aug 31 12:20:34 gweep pppd[12071]: Using interface ppp0
Aug 31 12:20:34 gweep pppd[12071]: Connect: ppp0 <--> /dev/pts/0
Aug 31 12:20:34 gweep pppd[12071]: sent [LCP ConfReq id=0x1 ]
Aug 31 12:21:01 gweep last message repeated 9 times
Aug 31 12:21:04 gweep pppd[12071]: LCP: timeout sending Config-Requests
Aug 31 12:21:04 gweep pppd[12071]: Connection terminated.
Aug 31 12:21:04 gweep pppd[12071]: Exit.
Aug 31 12:21:04 gweep pptpd[12070]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 31 12:21:04 gweep pptpd[12070]: CTRL: PTY read or GRE write failed (pty,gre) =(4,5)
Aug 31 12:21:04 gweep pptpd[12070]: CTRL: Client 12.38.211.39 control connection finished
Aug 31 12:21:39 gweep pptpd[13101]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13101]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13102]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13102]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13103]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13103]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13104]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13104]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13105]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13105]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13106]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13106]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13107]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13107]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13108]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13108]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13109]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13109]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep pptpd[13110]: MGR: Manager process started
Aug 31 12:21:39 gweep pptpd[13110]: MGR: Couldn't create host socket
Aug 31 12:21:39 gweep init: Id "pptp" respawning too fast: disabled for 5 minutes
Aug 31 12:22:00 gweep pptpd[13329]: CTRL: Client 12.38.211.39 control connection started
Aug 31 12:22:00 gweep pptpd[13329]: CTRL: Starting call (launching pppd, opening GRE)
Aug 31 12:22:00 gweep pppd[13334]: pppd 2.3.11 started by root, uid 0
Aug 31 12:22:00 gweep pppd[13334]: Using interface ppp0
Aug 31 12:22:00 gweep pppd[13334]: Connect: ppp0 <--> /dev/pts/0
Aug 31 12:22:00 gweep pppd[13334]: sent [LCP ConfReq id=0x1 ]
Aug 31 12:22:15 gweep last message repeated 5 times
Aug 31 12:22:16 gweep dhcpd: DHCPACK on 10.1.1.101 to 00:60:08:1c:45:bf via eth0
Aug 31 12:22:18 gweep pppd[13334]: sent [LCP ConfReq id=0x1 ]
Aug 31 12:22:27 gweep last message repeated 3 times
Aug 31 12:22:30 gweep pppd[13334]: LCP: timeout sending Config-Requests
Aug 31 12:22:30 gweep pppd[13334]: Connection terminated.
Aug 31 12:22:30 gweep pppd[13334]: Exit.
Aug 31 12:22:30 gweep pptpd[13329]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 31 12:22:30 gweep pptpd[13329]: CTRL: PTY read or GRE write failed (pty,gre) =(4,5)
Aug 31 12:22:30 gweep pptpd[13329]: CTRL: Client 12.38.211.39 control connection finished
Aug 31 12:23:31 gweep pptpd[14485]: CTRL: Client 12.38.211.39 control connection started
Aug 31 12:23:31 gweep pptpd[14485]: CTRL: Starting call (launching pppd, opening GRE)
Aug 31 12:23:31 gweep pppd[14486]: pppd 2.3.11 started by root, uid 0
Aug 31 12:23:31 gweep pppd[14486]: Using interface ppp0
Aug 31 12:23:31 gweep pppd[14486]: Connect: ppp0 <--> /dev/pts/0
Aug 31 12:23:31 gweep pppd[14486]: sent [LCP ConfReq id=0x1 ]
Aug 31 12:23:58 gweep last message repeated 9 times
Aug 31 12:24:01 gweep pppd[14486]: LCP: timeout sending Config-Requests
Aug 31 12:24:01 gweep pppd[14486]: Connection terminated.
Aug 31 12:24:01 gweep pppd[14486]: Exit.
Aug 31 12:24:01 gweep pptpd[14485]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 31 12:24:01 gweep pptpd[14485]: CTRL: PTY read or GRE write failed (pty,gre) =(4,5)
Aug 31 12:24:01 gweep pptpd[14485]: CTRL: Client 12.38.211.39 control connection finished
Aug 31 12:26:40 gweep pptpd[16938]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16938]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16939]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16939]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16940]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16940]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16941]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16941]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16948]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16948]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16949]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16949]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16950]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16950]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16960]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16960]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16961]: MGR: Manager process started
Aug 31 12:26:40 gweep pptpd[16961]: MGR: Couldn't create host socket
Aug 31 12:26:40 gweep pptpd[16962]: MGR: Manager process started
Aug 31 12:26:41 gweep pptpd[16962]: MGR: Couldn't create host socket
Aug 31 12:26:41 gweep init: Id "pptp" respawning too fast: disabled for 5 minutes
Aug 31 12:27:16 gweep dhcpd: DHCPREQUEST for 10.1.1.101 from 00:60:08:1c:45:bf via eth0
Aug 31 12:27:16 gweep dhcpd: DHCPACK on 10.1.1.101 to 00:60:08:1c:45:bf via eth0
Aug 31 12:31:42 gweep pptpd[20870]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20870]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20871]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20871]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20872]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20872]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20873]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20873]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20874]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20874]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20875]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20875]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20876]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20876]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20877]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20877]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20889]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20889]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep pptpd[20890]: MGR: Manager process started
Aug 31 12:31:42 gweep pptpd[20890]: MGR: Couldn't create host socket
Aug 31 12:31:42 gweep init: Id "pptp" respawning too fast: disabled for 5 minutes
Aug 31 12:32:16 gweep dhcpd: DHCPREQUEST for 10.1.1.101 from 00:60:08:1c:45:bf via eth0
Aug 31 12:32:16 gweep dhcpd: DHCPACK on 10.1.1.101 to 00:60:08:1c:45:bf via eth0
[root at gweep log]#

-------------- next part --------------
An HTML attachment was scrubbed...

From aludwig at imagestor.com Thu Aug 31 12:52:38 2000
From: aludwig at imagestor.com (Al Ludwig)
Date: Thu, 31 Aug 2000 13:52:38 -0400
Subject: [pptp-server] PPTP problem with win2000 client
In-Reply-To: <000601c0136a$b5e3a4f0$e7010a0a@jspinney>
Message-ID:

Jeff,

Most likely it is your encryption settings; under Win2000 edit the properties of the VPN Connection, and under the security tab, uncheck "Require Data Encryption (Disconnect if none)". In order to use encrypted data (which I still can't get to work right) you need to do some configuring on the Linux Box.

-AL

BTW, my logging doesn't work on the Linux side; can you tell me what you have set to make yours work?

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Jeff Spinney
Sent: Thursday, August 31, 2000 12:42 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] PPTP problem with win2000 client

From walterm at Gliatech.com Thu Aug 31 13:03:44 2000
From: walterm at Gliatech.com (Michael Walter)
Date: Thu, 31 Aug 2000 14:03:44 -0400
Subject: [pptp-server] PPTP problem with win2000 client
Message-ID:

Jeff,

Make sure that your remote and local addresses in /etc/pptpd.conf are not the same. I have seen this cause the same error.

Al,

In order to see general pptpd logging info, edit /etc/syslog.conf and add the line:

    *.info /var/log/messages

That will drop general info from all daemons into the syslog. Or, to be more specific to poptop and get more debugging info from poptop, edit /etc/pptpd.conf and add the line:

    debug

then edit /etc/syslog.conf and add the line:

    daemon.debug /var/log/messages

or, to separate it into a different file:

    daemon.debug /var/log/pptpd

Thanks,

Michael J. Walter
rhce mcse mcp+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Al Ludwig [mailto:aludwig at imagestor.com]
Sent: Thursday, August 31, 2000 1:53 PM
To: Jeff Spinney; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] PPTP problem with win2000 client

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Jeff Spinney
Sent: Thursday, August 31, 2000 12:42 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] PPTP problem with win2000 client

From kennya at carlislefsp.com Thu Aug 31 13:46:57 2000
From: kennya at carlislefsp.com (Kenny Austin)
Date: Thu, 31 Aug 2000 13:46:57 -0500
Subject: [pptp-server] Poptop and port 47
In-Reply-To: <017e01c01368$459e9080$1287f99f@nis001>
Message-ID: <002901c0137b$d814a270$5f020a0a@kennya>

pptp doesn't use port 47, it uses protocol 47, i.e. GRE. It is my understanding that a fair amount of companies and what have you with firewalls in place are blocking GRE (many without knowing it). You already said that your isp blocks a lot of the ports, therefore we know they have a fairly tight firewall and are rather anal, so it is probably safe to say that they are blocking the GRE protocol too. I don't think (could be wrong) that there would be a way to set up windows to use pptp without using GRE.

Kenny Austin
kennya at carlislefsp.com

----- Original Message -----
From: "kim oppalfens"
To:
Sent: Thursday, August 31, 2000 6:22 AM
Subject: [pptp-server] Poptop and port 47

From Steve.Cowles at gte.net Thu Aug 31 21:43:41 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Thu, 31 Aug 2000 21:43:41 -0500
Subject: [pptp-server] Poptop and port 47
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4F3@defiant.infohiiway.com>

I don't consider myself an expert on this subject, but both protocol (not port) 47 and port 1723 are needed to establish a PPTP/PPP VPN. The reasons are explained below. See the cut/paste from Microsoft's WEB site. Hopefully, the following scenarios might help some of you to understand what exactly needs to be done (configuration wise) based on your particular network architecture.

Steve Cowles

--------------------------
Common Scenarios
--------------------------

1) If your PPTP/PPP server (not the client initiating the tunnel) is located behind a firewall, i.e. a masq'd PPTP server, then you will also need to "forward" both proto 47 and port 1723 in addition to ACCEPTing these at the firewall. In the linux world, this is typically accomplished by using "ipfwd" for protocols and "ipmasqadm" for ports. You would also need to apply JHardin's patches to handle the masq'd inbound PPTP connections.

2) If your PPTP/PPP server is running on the firewall itself, i.e. it's not masq'd, then you only need to ACCEPT proto 47 and port 1723. In this case, you do NOT need to apply JHardin's patches to the kernel. You're not masqing the PPTP VPN.

3) If you have a linux based firewall and you are trying to connect to a PPTP/PPP server located out on the internet (like at work) from a windows based client behind that firewall, then you will need to ACCEPT proto 47 and port 1723 on the firewall. You will also need to apply JHardin's patches to the kernel to handle the masq'd client PPTP connection. In this case, you would NOT need to use ipfwd or ipmasqadm. Your ipchains MASQ forward rule handles that.
-----------------------------------
---- From www.microsoft.com -------
-----------------------------------

Packet Filters for PPTP

Configure the following "input" filters with the filter action set to Drop all packets except those that meet the criteria below:

Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723 (0x06BB). This filter allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47 (0x2F). This filter allows PPTP tunneled data from the PPTP client to the PPTP server.

Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP [established] source port of 1723 (0x06BB). This filter is required only if the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. When you select TCP [established], traffic is accepted only if the VPN server initiated the TCP connection.

Configure the following "output" filters with the filter action set to Drop all packets except those that meet the criteria below:

Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP source port of 1723 (0x06BB). This filter allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.

Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47 (0x2F). This filter allows PPTP tunneled data from the VPN server to the VPN client.

Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP [established] destination port of 1723 (0x06BB). This filter is required only if the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. When you select TCP [established], traffic is sent only if the VPN server initiated the TCP connection.

From jnekl at austin.rr.com Thu Aug 31 22:39:22 2000
From: jnekl at austin.rr.com (Joshua Nekl)
Date: Thu, 31 Aug 2000 22:39:22 -0500
Subject: [pptp-server] Poptop and port 47
References: <90769AF04F76D41186C700A0C90AFC3EE4F3@defiant.infohiiway.com>
Message-ID: <009301c013c6$3a139c70$0a00fa0a@austin.rr.com>

Thought I'd add my $0.02.

We use PPTP a lot. I wrote my own ipchains firewall script and found that the following needs to be allowed through the firewall for the linux PoPToP pptp server to work with MS pptp clients:

protocol 6 (TCP) port 1723
protocol 17 (UDP) port 137 (netbios-ns)
protocol GRE (47) -- gre doesn't use ports --

Hope this helps
- Joshua Nekl

From nicolas.horchower at europe.tgs.com Wed Aug 2 05:28:02 2000
From: nicolas.horchower at europe.tgs.com (Nicolas HORCHOWER)
Date: Wed, 2 Aug 2000 12:28:02 +0200
Subject: [pptp-server] A little reminder !
Message-ID: <005701bffc6c$581c2410$50a05c0a@scruch>

Hi all !

First of all, I wish you a happy new year, and thanks P.MOYLAN for their answer.

I just want to show you what I found in my log after submitting a question to the list:

Dec 31 08:09:37 babylone kernel: Packet log: input DENY xxx PROTO=6 163.1.36.1:25 xxxxxx:1723 L=40 S=0x00 I=0 F=0x4000 T=38 (#8)

so a guy from trans.plants.ox.ac.uk (Address: 163.1.36.1) tried to try my VPN. Sorry for him, it wasn't the good IP ;)

bye...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nicolas HORCHOWER
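As an added example (not code from any post in this thread), the following Python turns two points made above into checks an admin can run over their own logs: Kenny's and Steve's point that PPTP needs IP protocol 47 (GRE) as well as TCP/1723, applied to ipchains "Packet log" lines of the kind Nicolas quoted, and the "LCP ConfReq sent, nothing received, timeout" pattern visible in the pptpd/pppd log Jeff posted. All sample log lines are constructed with documentation addresses, and the code assumes ipchains prints 65535 in both port fields for port-less protocols such as GRE.

```python
import re
from collections import Counter

PPTP_CONTROL_PORT = 1723   # TCP control channel (tunnel maintenance)
GRE_PROTO = 47             # IP protocol 47, GRE: carries the tunnelled PPP data

# ipchains kernel log layout, as in the "Packet log:" line quoted on the list.
# Assumption: for protocols without ports (GRE) ipchains prints 65535 in both
# port fields; interface and local address may be redacted tokens like "xxx".
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+)"
)

# Constructed sample (documentation addresses, not from the archive): a denied
# probe of TCP/1723, a client whose control connection was accepted, that same
# client's GRE packets being dropped, and one unrelated UDP packet.
SAMPLE_PACKET_LOG = """\
Dec 31 08:09:37 gw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:25 xxxxxx:1723 L=40 S=0x00 I=0 F=0x4000 T=38 (#8)
Dec 31 08:10:02 gw kernel: Packet log: input ACCEPT eth1 PROTO=6 192.0.2.10:1045 xxxxxx:1723 L=60 S=0x00 I=0 F=0x4000 T=52 (#3)
Dec 31 08:10:03 gw kernel: Packet log: input DENY eth1 PROTO=47 192.0.2.10:65535 xxxxxx:65535 L=76 S=0x00 I=0 F=0x4000 T=52 (#8)
Dec 31 08:10:05 gw kernel: Packet log: input DENY eth1 PROTO=47 192.0.2.10:65535 xxxxxx:65535 L=76 S=0x00 I=0 F=0x4000 T=52 (#8)
Dec 31 08:11:00 gw kernel: Packet log: input DENY eth1 PROTO=17 203.0.113.9:53 xxxxxx:1030 L=80 S=0x00 I=0 F=0x0000 T=60 (#8)
"""


def parse_packet_log(line):
    """Return the fields of an ipchains Packet log line, or None for other lines."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def pptp_role(entry):
    """'control' for TCP/1723, 'gre' for protocol 47, 'other' for anything else."""
    if entry["proto"] == 6 and PPTP_CONTROL_PORT in (entry["sport"], entry["dport"]):
        return "control"
    if entry["proto"] == GRE_PROTO:
        return "gre"
    return "other"


def count_pptp(log_text):
    """Count PPTP packets per (role, action), e.g. ('gre', 'DENY') -> 2."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_packet_log(line)
        if entry is not None:
            role = pptp_role(entry)
            if role != "other":
                counts[(role, entry["action"])] += 1
    return counts


def firewall_verdict(counts):
    """Name the failure mode the counts show. 'gre-blocked' is the one the
    thread describes: TCP/1723 gets through, protocol 47 does not, so the
    client gets as far as username/password verification and then stalls."""
    if not counts:
        return "no-pptp-traffic"
    if counts[("gre", "DENY")] and counts[("control", "ACCEPT")]:
        return "gre-blocked"
    if counts[("control", "DENY")] and not counts[("control", "ACCEPT")]:
        return "control-blocked"
    return "ok"


# Constructed excerpt in the layout of the pptpd/pppd log posted to the list;
# assumes pppd runs with "debug" so that sent/rcvd LCP packets are logged.
SAMPLE_PPTPD_LOG = """\
Aug 31 12:20:34 gweep pptpd[12070]: CTRL: Client 192.0.2.10 control connection started
Aug 31 12:20:34 gweep pptpd[12070]: CTRL: Starting call (launching pppd, opening GRE)
Aug 31 12:20:34 gweep pppd[12071]: sent [LCP ConfReq id=0x1 ]
Aug 31 12:21:01 gweep last message repeated 9 times
Aug 31 12:21:04 gweep pppd[12071]: LCP: timeout sending Config-Requests
Aug 31 12:21:04 gweep pptpd[12070]: CTRL: PTY read or GRE write failed (pty,gre) =(4,5)
"""


def lcp_never_answered(pptpd_log):
    """True when pptpd opened GRE and pppd sent LCP ConfReqs but logged no
    received LCP packet before timing out: nothing from the peer reached pppd.
    A path that drops GRE looks like this from the server side; an auth or
    MPPE problem would get past LCP and show CHAP/CCP lines instead."""
    lines = pptpd_log.splitlines()
    opened_gre = any("CTRL: Starting call" in l for l in lines)
    sent_lcp = any("sent [LCP ConfReq" in l for l in lines)
    rcvd_lcp = any("rcvd [LCP" in l for l in lines)
    timed_out = any("LCP: timeout sending Config-Requests" in l for l in lines)
    return opened_gre and sent_lcp and timed_out and not rcvd_lcp
```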