[pptp-server] Error 619
Michael Walter
walterm at Gliatech.com
Thu Aug 10 07:53:04 CDT 2000
Well, I did finally manage to get pptp masqing to work. Here is what I had
to do to accomplish it; hope it helps. This conf is based on a client
connecting through a Linux masq firewall to a VPN server with a registered
address. No additional configuration is needed on the firewall or client if
they are able to connect when the masq server is not involved. On the masq
server, this is a VERY open ruleset, but it will work and should be good for
your testing purposes.
For the purposes of this example:
  EXTERNAL_NIC is the nic that resides on the internet (eth0)
  INTERNAL_NIC is the nic that resides on the local network (eth1)
  EXTERNAL_IP  is the ip address of the nic on the internet (206.68.10.12)
  INTERNAL_IP  is the ip address of the nic on the local network (192.168.0.1)
  EXTERNAL_NET is the entire internet (any/0)
  INTERNAL_NET is the local network (192.168.0.0/24)
#!/bin/sh
# Variables as described above; the assignments are added here so the
# script runs as-is (the original message only listed them in prose).
EXTERNAL_NIC=eth0
INTERNAL_NIC=eth1
EXTERNAL_IP=206.68.10.12
INTERNAL_IP=192.168.0.1
EXTERNAL_NET=0.0.0.0/0          # "any/0" above
INTERNAL_NET=192.168.0.0/24

echo -n "- Set the default firewall policies..................................."
ipchains -F
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
echo -e "DONE"

echo 1 > /proc/sys/net/ipv4/ip_forward

# At this point, if you built vpn masq as a module, you will want to
# "insmod ip_masq_pptp". I built it into the kernel rather than using it
# as a module.

echo -n "- Allow gre traffic to support vpn client masquerading................"
# GRE (IP protocol 47) carries the PPP data of the PPTP tunnel.
ipchains -A input -p 47 -j ACCEPT
ipchains -A output -p 47 -j ACCEPT
echo -e "DONE"

echo -n "- Allow traffic to and from the dynamic ports........................."
# Wide open on the ephemeral range (49152-65535) in all three chains; this is
# the "VERY open" part and is meant for testing only.
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $EXTERNAL_NET -j ACCEPT
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $INTERNAL_NET -j ACCEPT
ipchains -A output -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A output -p tcp -i $EXTERNAL_NIC -d $INTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A forward -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A forward -p tcp -i $EXTERNAL_NIC -d $INTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A input -p udp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $EXTERNAL_NET -j ACCEPT
ipchains -A input -p udp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $INTERNAL_NET -j ACCEPT
ipchains -A output -p udp -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A output -p udp -i $EXTERNAL_NIC -d $INTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A forward -p udp -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
ipchains -A forward -p udp -i $EXTERNAL_NIC -d $INTERNAL_NET -s $EXTERNAL_IP 49152:65535 -j ACCEPT
echo -e "DONE"

echo -n "- Setup syn cookie rules on the external interface...................."
# -y matches only packets with the SYN flag set (new connection attempts);
# unexpected inbound SYNs on the external interface are denied and logged (-l).
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP -s $INTERNAL_NET -y -j ACCEPT
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP 49152:65535 -s $EXTERNAL_NET -y -j ACCEPT
ipchains -A input -p tcp -i $EXTERNAL_NIC -d $EXTERNAL_IP -s $EXTERNAL_NET -y -j DENY -l
echo -e "DONE"

echo -n "- Setup masquerading.................................................."
ipchains -A forward -i $INTERNAL_NIC -d $INTERNAL_NET -s $INTERNAL_NET -j ACCEPT
ipchains -A forward -i $EXTERNAL_NIC -d $INTERNAL_NET -s $INTERNAL_NET -j ACCEPT
ipchains -A forward -i $EXTERNAL_NIC -d $EXTERNAL_NET -s $INTERNAL_NET -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -e "DONE"
I downloaded kernel 2.2.16 from www.kernel.org and downloaded the
ip_masq_vpn-2.2.15.patch patch from
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn-2.2.15.patch.gz
I also used net-tools-1.51.tar.bz2, net-tools-1.51-masq_vpn_protos.patch,
traceroute-1.4a5.tar, and pptp-traceroute.patch to help with
troubleshooting. The kernel I got from Redhat (2.2.16-12) with pptp masq
built in did not work; I had to build my own. I chose all the kernel
settings from
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade-3.html#ss3.4
except CONFIG_IP_ALWAYS_DEFRAG, which I never saw. After all that, things
started to work.
Hope this helps you out,
Michael J. Walter
mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com
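The reason a plain "-p 47 -j MASQ" rule is not enough, and why the thread keeps coming back to ip_masq_pptp, is that GRE has no port numbers: the only thing that distinguishes one client's returning tunnel data from another's is the 16-bit Call ID the client chose during the PPTP control exchange on TCP 1723, which is then carried in the Key field of every GRE packet. A PPTP-aware masquerader therefore has to read the Outgoing-Call-Request, rewrite the Call ID to something unique on the outside, and use that Key to route the server's GRE packets back to the right internal host. The following is an added example (not code from this thread, and not the kernel's ip_masq_pptp patch) that models that state table in Python over constructed RFC 2637 packets; the internal addresses, the 0x8000 external Call ID range and the PptpMasq class are illustrative assumptions.

```python
import struct

# Constants from RFC 2637 (PPTP). Packets built below are constructed samples;
# PptpMasq is a simplified model, not the kernel's ip_masq_pptp implementation.
PPTP_MAGIC = 0x1A2B3C4D
PPTP_CTRL_MSG = 1
OUT_CALL_REQUEST = 7
OUT_CALL_REPLY = 8
GRE_PROTO_PPP = 0x880B        # GRE v1 protocol type carrying PPP
CTRL_HDR = "!HHIHH"           # length, msg type, magic cookie, ctrl type, reserved


def build_out_call_request(call_id, serial=0):
    """Constructed Outgoing-Call-Request (client -> server), 168 bytes."""
    body = struct.pack("!HHIIIIHHHH64s64s", call_id, serial, 300, 100_000_000,
                       3, 3, 64, 0, 0, 0, b"", b"")
    return struct.pack(CTRL_HDR, 12 + len(body), PPTP_CTRL_MSG, PPTP_MAGIC,
                       OUT_CALL_REQUEST, 0) + body


def build_out_call_reply(server_call_id, peer_call_id):
    """Constructed Outgoing-Call-Reply (server -> client), 32 bytes."""
    body = struct.pack("!HHBBHIHHI", server_call_id, peer_call_id, 1, 0, 0,
                       100_000_000, 64, 0, 0)
    return struct.pack(CTRL_HDR, 12 + len(body), PPTP_CTRL_MSG, PPTP_MAGIC,
                       OUT_CALL_REPLY, 0) + body


def control_type(msg):
    length, mtype, magic, ctype, _ = struct.unpack_from(CTRL_HDR, msg, 0)
    if mtype != PPTP_CTRL_MSG or magic != PPTP_MAGIC or length != len(msg):
        raise ValueError("not a PPTP control message")
    return ctype


def control_call_id(msg):
    """Call ID field: first field after the 12-byte control header."""
    return struct.unpack_from("!H", msg, 12)[0]


def build_gre(call_id, payload, seq=None, ack=None):
    """Enhanced GRE (RFC 2637 sec 4): K bit set, Call ID in the Key field."""
    b0 = 0x20 | (0x10 if seq is not None else 0)      # K, S flags
    b1 = 0x01 | (0x80 if ack is not None else 0)      # version 1, A flag
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def gre_call_id(pkt):
    b0, b1, proto, _plen, call_id = struct.unpack_from("!BBHHH", pkt, 0)
    if (b1 & 0x07) != 1 or proto != GRE_PROTO_PPP or not (b0 & 0x20):
        raise ValueError("not PPTP enhanced GRE")
    return call_id


class PptpMasq:
    """State a PPTP-aware masquerader must keep: GRE has no ports, so the
    only demultiplexer for returning data is the Call ID the client chose."""

    def __init__(self, first_ext_id=0x8000):
        self.next_ext = first_ext_id
        self.by_ext = {}    # external call id -> (internal ip, client's call id)

    def outbound_control(self, src_ip, msg):
        """Rewrite the client's Call ID in an Outgoing-Call-Request so that two
        internal clients picking the same ID stay distinguishable outside."""
        if control_type(msg) != OUT_CALL_REQUEST:
            return msg
        orig = control_call_id(msg)
        for ext, entry in self.by_ext.items():
            if entry == (src_ip, orig):
                break
        else:
            ext, self.next_ext = self.next_ext, self.next_ext + 1
            self.by_ext[ext] = (src_ip, orig)
        return msg[:12] + struct.pack("!H", ext) + msg[14:]

    def inbound_control(self, msg):
        """Outgoing-Call-Reply echoes our rewritten ID as 'Peer's Call ID';
        restore the original and return the internal host it belongs to."""
        if control_type(msg) != OUT_CALL_REPLY:
            return None, msg
        src_ip, orig = self.by_ext[struct.unpack_from("!H", msg, 14)[0]]
        return src_ip, msg[:14] + struct.pack("!H", orig) + msg[16:]

    def inbound_gre(self, pkt):
        """Data from the server carries the client's (rewritten) Call ID.
        Without this table the masq box cannot tell which host it is for."""
        ext = gre_call_id(pkt)
        if ext not in self.by_ext:
            raise KeyError("no masq entry for call id %#x; packet dropped" % ext)
        src_ip, orig = self.by_ext[ext]
        return src_ip, pkt[:6] + struct.pack("!H", orig) + pkt[8:]


if __name__ == "__main__":
    m = PptpMasq()
    # Two internal hosts (constructed addresses) both start at Call ID 0.
    a = m.outbound_control("192.168.0.10", build_out_call_request(0))
    b = m.outbound_control("192.168.0.11", build_out_call_request(0))
    print("rewritten ids:", hex(control_call_id(a)), hex(control_call_id(b)))
    host, _ = m.inbound_gre(build_gre(control_call_id(b), b"\xff\x03\xc0\x21", seq=1))
    print("GRE for call", hex(control_call_id(b)), "goes to", host)
```

The KeyError path is the failure the thread is chasing: a GRE packet arriving from the VPN server with a Call ID the masquerader has no entry for (because no helper watched the TCP 1723 exchange) has nowhere to go, so the client sees the control channel authenticate and then the tunnel die, which is the "LCP terminated by peer" symptom quoted below.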
-----Original Message-----
From: Chris [mailto:cliles at gw.total-web.net]
Sent: Thursday, August 10, 2000 1:10 AM
To: pptp-server at lists.schulte.org
Subject: Fw: [pptp-server] Error 619
----- Original Message -----
From: Chris <mailto:cliles at gw.total-web.net>
To: George Csahanin-LININET <mailto:george.csahanin at lintv.com>
Sent: Wednesday, August 09, 2000 10:08 PM
Subject: Re: [pptp-server] Error 619
Well, I put all your chains in their own script and only run those chains. I
still get the same error, and in my /var/log/messages I see this:
pppd 2.3.11 started by root
connect: ppp0 <--> /dev/pts/0
MSCHAP-v2 peer authentication succeeded for user
found interface eth1 for proxy arp
local ip address 192.168.0.1 (ip of server's internal nic)
remote ip address 192.168.0.232
LCP terminated by peer (.M-rFo^@<M_Mt^@^@BM-f)
Connection terminated
What am I doing wrong here? It connects, so the only thing I can think of is
that it is not masqing the traffic back to the client and the connection
drops.
----- Original Message -----
From: George Csahanin-LININET <mailto:george.csahanin at lintv.com>
To: Chris <mailto:cliles at gw.total-web.net>
Sent: Wednesday, August 09, 2000 11:23 AM
Subject: Re: [pptp-server] Error 619
Here's my setup for the outbound masq for vpn:
ipchains -A forward -p all -s 192.168.0.0/24 -d 0.0.0.0/0 -i eth0 -j MASQ
ipchains -A forward -p tcp -d 192.168.0.0/24 1723 -i ppp0 -j ACCEPT
ipchains -A forward -p tcp -s 192.168.0.0/24 1723 -i ppp0 -j ACCEPT
ipchains -A forward -p 47 -d 192.168.0.0/24 -i ppp0 -j ACCEPT
ipchains -A forward -p 47 -s 192.168.0.0/24 -i ppp0 -j ACCEPT
And for running poptop:
(currently turned off, note)
#####################################################
#START POPTOP
#####################################################
#insmod ppp_deflate
#insmod bsd_comp
#/usr/local/sbin/pptpd -d
######################
insmod ip_masq_portfw
insmod ip_masq_autofw
insmod ip_masq_ipsec
insmod ip_masq_pptp
###########################
As I recall, missing any of the above will give a 619 or 645 error...
-G
-----Original Message-----
From: Chris <cliles at gw.total-web.net>
To: pptp-server at lists.schulte.org
Date: Wednesday, August 09, 2000 12:54 PM
Subject: [pptp-server] Error 619
I'm trying to connect to my pptp server only to get a 619 error. My setup
includes a firewall with 1 registered ip and 1 private ip. I'm trying to
connect to the pptp server through a masq. The firewall (the one running the
pptp server), is also the masqer. I have installed all the masq patches, and
in /var/messages I am told that the pptp server and client authenticate but
the client then drops the connection. I am convinced that it is a firewall
problem. The firewall rules I have to allow connections to the pptp server
are as follows:
ipchains -A input -p tcp -d 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A input -p 47 -d 209.XXX.XXX.XXX -j ACCEPT
ipchains -A output -p tcp -s 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A output -p 47 -j ACCEPT
The following rules are for masqing:
ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p 47 -s 192.168.0.0/24 -j MASQ
and the following rules I have no clue what they do, but I got them off a
couple of howtos:
ipchains -A forward -p tcp -d 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A forward -p tcp -s 209.XXX.XXX.XXX 1723 -j ACCEPT
ipchains -A forward -p 47 -d 209.XXX.XXX.XXX -j ACCEPT
ipchains -A forward -p 47 -s 209.XXX.XXX.XXX -j ACCEPT
I read all the masq woes posts in the archive, but I just can't figure out
what the hell I'm doing wrong.
Thanks,
Chris Liles