From adam.powers at vicorp.com Sat Jan 1 02:04:02 2000 From: adam.powers at vicorp.com (Adam Powers) Date: Sat Jan 1 02:04:02 2000 Subject: [pptp-server] Timeout waiting for host reply to ConfReq... Message-ID: <001e01bf542e$a64f31e0$dc70a8c0@VICORP.COM> I'm running a Redhat 6.0 box with pppd 2.3.8 and PoPToP 1.0.0. I'm getting the following log output when any host trys to establish a connection... Jan 1 02:45:18 oplinux pptpd[929]: MGR: Launching /usr/local/sbin/pptpctrl to handle client Jan 1 02:45:18 oplinux pptpd[929]: CTRL: local address = 192.168.0 Jan 1 02:45:18 oplinux pptpd[929]: CTRL: remote address = 192.168.110.200 Jan 1 02:45:18 oplinux pptpd[929]: CTRL: pppd speed = 115200 Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Client 192.168.110.46 control connection started Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Received PPTP Control Message (type: 1) Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Made a START CTRL CONN RPLY packet Jan 1 02:45:18 oplinux pptpd[929]: CTRL: I wrote 156 bytes to the client. Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Sent packet to client Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Received PPTP Control Message (type: 7) Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Set parameters to 0 maxbps, 16 window size Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Made a OUT CALL RPLY packet Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Starting call (launching pppd, opening GRE) Jan 1 02:45:18 oplinux pptpd[929]: CTRL: pty_fd = 5 Jan 1 02:45:18 oplinux pptpd[929]: CTRL: tty_fd = 6 Jan 1 02:45:18 oplinux pptpd[929]: CTRL: I wrote 32 bytes to the client. Jan 1 02:45:18 oplinux pptpd[929]: CTRL: Sent packet to client Jan 1 02:45:18 oplinux pptpd[930]: CTRL (PPPD Launcher): Connection speed = 115200 Jan 1 02:45:18 oplinux pptpd[930]: CTRL (PPPD Launcher): local address = 192.168.0 Jan 1 02:45:18 oplinux pptpd[930]: CTRL (PPPD Launcher): remote address = 192.168.110.200 Jan 1 02:45:18 oplinux pppd[930]: pppd 2.3.8 started by root, uid 0 Jan 1 02:45:18 oplinux pppd[930]: Using interface ppp0 Jan 1 02:45:18 oplinux pppd[930]: Connect: ppp0 <--> /dev/pts/2 Jan 1 02:45:18 oplinux pppd[930]: sent [LCP ConfReq id=0x1 ] Jan 1 02:45:19 oplinux pptpd[929]: CTRL: Received PPTP Control Message (type: 12) Jan 1 02:45:19 oplinux pptpd[672]: MGR: Reaped child 929 Jan 1 02:45:19 oplinux pptpd[929]: CTRL: Made a CALL DISCONNECT RPLY packet Jan 1 02:45:19 oplinux pptpd[929]: CTRL: Received CALL CLR request (closing call) Jan 1 02:45:19 oplinux pptpd[929]: CTRL: I wrote 148 bytes to the client. Jan 1 02:45:19 oplinux pptpd[929]: CTRL: Sent packet to client Jan 1 02:45:19 oplinux pptpd[929]: CTRL: Error with select(), quitting Jan 1 02:45:19 oplinux pptpd[929]: CTRL: Client 192.168.110.46 control connection finished Jan 1 02:45:19 oplinux pptpd[929]: CTRL: Exiting now Jan 1 02:45:19 oplinux pppd[930]: Modem hangup Jan 1 02:45:19 oplinux pppd[930]: Connection terminated. Jan 1 02:45:19 oplinux pppd[930]: Exit. Does anyone know what a type:12 PPTP control message is or if I should be concerned with the "Error with select(), quitting" line. The host, a WIN98 machine, gets "ERROR:645 Microshaft dialup adapter in use..." Any ideas? I think the problem is in the pppd config. I have tried both compiling the source and RPM's. Same output... Great big ol TIA! Adam Powers Telecom / Network Operations Vicorp.com Virtual Office: 888.232.0604 Office: 770.200.2442 -------------- next part -------------- An HTML attachment was scrubbed... URL: From adam.powers at vicorp.com Sat Jan 1 14:13:33 2000 From: adam.powers at vicorp.com (Adam Powers) Date: Sat Jan 1 14:13:33 2000 Subject: [pptp-server] Thanks Gents... Message-ID: <001d01bf5494$99421100$786ea8c0@VICORP.COM> Thanks a lot for all the responses guys. Problem was a combination of typo (192.168.0 vs.192.168.110.1) and missing proxyarp command in options file. Great software, everything should be this easy. Adam Powers Telecom / Network Operations Vicorp.com Virtual Office: 888.232.0604 Office: 770.200.2442 -------------- next part -------------- An HTML attachment was scrubbed... URL: From tno at westend.com Mon Jan 3 10:49:02 2000 From: tno at westend.com (Offermanns, Toni) Date: Mon Jan 3 10:49:02 2000 Subject: [pptp-server] PPTP not starting pppd Message-ID: <000001bf560a$6b45ee30$e24175d4@solveip.com> Hi all, when trying to start a pptp connection from my linux bos to a remote NTserver i always get the below: (unknown)[544]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connectio n established. (unknown)[544]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:626]: Error opening ca ll. [callid 0] Terminated jsw:/home/tno/pptp/pptp-linux-1.0.2 # (unknown)[544]: log[pptp_conn_close:pptp_c trl.c:275]: Closing PPTP connection I assume this cause the pppd cannot be started for any reason. Maybe someone can give me some hints, i did not find any on the webpages Thanks in advance Toni -------------- next part -------------- An HTML attachment was scrubbed... URL: From tno at westend.com Mon Jan 3 11:20:24 2000 From: tno at westend.com (Offermanns, Toni) Date: Mon Jan 3 11:20:24 2000 Subject: [pptp-server] PPTP not starting pppd In-Reply-To: <004201bf560e$63284e60$0101a8c0@highwayi.com> Message-ID: <000901bf560e$c9112c60$e24175d4@solveip.com> Hi all nope PPPD starts fine from command line here my /etc/ppp/options: sw:/home/tno/pptp/pptp-linux-1.0.2 # more /etc/ppp/options lock debug +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless here my /etc/ppp/chap-secrets: Secrets for authentication using CHAP # client server secret IP addresses jsw dallas pL24-0236 * v0nmdto1 jsw pL24-0237 * dallas v0nmdto1 pL24-0237 * LENNOX\\root * * * Any other help appreciated Thanks Toni -----Original Message----- From: Geoff Nordli [mailto:geoff at gnaa.net] Sent: Montag, 3. Januar 2000 18:17 To: tno at westend.com Subject: RE: [pptp-server] PPTP not starting pppd I struggled with this one for quite some time. See if you can run pppd from the command line. It might give you some information about why it isn't running. The last time I had a typo in the options file. geoff -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Offermanns, Toni Sent: Monday, January 03, 2000 8:49 AM To: Pptp (E-mail) Subject: [pptp-server] PPTP not starting pppd Hi all, when trying to start a pptp connection from my linux bos to a remote NTserver i always get the below: (unknown)[544]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connectio n established. (unknown)[544]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:626]: Error opening ca ll. [callid 0] Terminated jsw:/home/tno/pptp/pptp-linux-1.0.2 # (unknown)[544]: log[pptp_conn_close:pptp_c trl.c:275]: Closing PPTP connection I assume this cause the pppd cannot be started for any reason. Maybe someone can give me some hints, i did not find any on the webpages Thanks in advance Toni -------------- next part -------------- An HTML attachment was scrubbed... URL: From geoff at gnaa.net Mon Jan 3 11:38:34 2000 From: geoff at gnaa.net (Geoff Nordli) Date: Mon Jan 3 11:38:34 2000 Subject: [pptp-server] PPTP not starting pppd In-Reply-To: <000901bf560e$c9112c60$e24175d4@solveip.com> Message-ID: <004f01bf5611$77e3bdf0$0101a8c0@highwayi.com> These are just guesses. I really don't know what the error is. Did you compiled PPP as a module in the kernel? Did you add the MPPE patch? Did everything compile alright? Did you try to manually load the modules: insmod slhc insmod ppp insmod ppp_deflate insmod bsd_comp insmod ppp_mppe geoff -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Offermanns, Toni Sent: Monday, January 03, 2000 9:20 AM To: geoff at gnaa.net Cc: Pptp (E-mail) Subject: RE: [pptp-server] PPTP not starting pppd Hi all nope PPPD starts fine from command line here my /etc/ppp/options: sw:/home/tno/pptp/pptp-linux-1.0.2 # more /etc/ppp/options lock debug +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless here my /etc/ppp/chap-secrets: Secrets for authentication using CHAP # client server secret IP addresses jsw dallas pL24-0236 * v0nmdto1 jsw pL24-0237 * dallas v0nmdto1 pL24-0237 * LENNOX\\root * * * Any other help appreciated Thanks Toni -----Original Message----- From: Geoff Nordli [mailto:geoff at gnaa.net] Sent: Montag, 3. Januar 2000 18:17 To: tno at westend.com Subject: RE: [pptp-server] PPTP not starting pppd I struggled with this one for quite some time. See if you can run pppd from the command line. It might give you some information about why it isn't running. The last time I had a typo in the options file. geoff -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Offermanns, Toni Sent: Monday, January 03, 2000 8:49 AM To: Pptp (E-mail) Subject: [pptp-server] PPTP not starting pppd Hi all, when trying to start a pptp connection from my linux bos to a remote NTserver i always get the below: (unknown)[544]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connectio n established. (unknown)[544]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:626]: Error opening ca ll. [callid 0] Terminated jsw:/home/tno/pptp/pptp-linux-1.0.2 # (unknown)[544]: log[pptp_conn_close:pptp_c trl.c:275]: Closing PPTP connection I assume this cause the pppd cannot be started for any reason. Maybe someone can give me some hints, i did not find any on the webpages Thanks in advance Toni -------------- next part -------------- An HTML attachment was scrubbed... URL: From tno at westend.com Mon Jan 3 12:01:38 2000 From: tno at westend.com (Offermanns, Toni) Date: Mon Jan 3 12:01:38 2000 Subject: [pptp-server] PPTP not starting pppd In-Reply-To: <004f01bf5611$77e3bdf0$0101a8c0@highwayi.com> Message-ID: <001401bf5614$89dd2750$e24175d4@solveip.com> Hi geoff yes as modules: see lsmod: sw:/var/spool/news/interesting.groups # lsmod Module Size Used by ppp_mppe 13328 0 (unused) ppp_deflate 40548 0 (unused) bsd_comp 3632 0 (unused) ppp 20780 0 [ppp_mppe ppp_deflate bsd_comp] slhc 4352 0 [ppp] serial 41940 0 (autoclean) MPPE is in yes all compiles fine I am also somehow surprised i am struggling with that, form reading the mail archives it does not look to complicated. Thanks so far Toni -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Geoff Nordli Sent: Montag, 3. Januar 2000 18:39 To: tno at westend.com Cc: 'Pptp (E-mail)' Subject: RE: [pptp-server] PPTP not starting pppd These are just guesses. I really don't know what the error is. Did you compiled PPP as a module in the kernel? Did you add the MPPE patch? Did everything compile alright? Did you try to manually load the modules: insmod slhc insmod ppp insmod ppp_deflate insmod bsd_comp insmod ppp_mppe geoff -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Offermanns, Toni Sent: Monday, January 03, 2000 9:20 AM To: geoff at gnaa.net Cc: Pptp (E-mail) Subject: RE: [pptp-server] PPTP not starting pppd Hi all nope PPPD starts fine from command line here my /etc/ppp/options: sw:/home/tno/pptp/pptp-linux-1.0.2 # more /etc/ppp/options lock debug +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless here my /etc/ppp/chap-secrets: Secrets for authentication using CHAP # client server secret IP addresses jsw dallas pL24-0236 * v0nmdto1 jsw pL24-0237 * dallas v0nmdto1 pL24-0237 * LENNOX\\root * * * Any other help appreciated Thanks Toni -----Original Message----- From: Geoff Nordli [mailto:geoff at gnaa.net] Sent: Montag, 3. Januar 2000 18:17 To: tno at westend.com Subject: RE: [pptp-server] PPTP not starting pppd I struggled with this one for quite some time. See if you can run pppd from the command line. It might give you some information about why it isn't running. The last time I had a typo in the options file. geoff -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Offermanns, Toni Sent: Monday, January 03, 2000 8:49 AM To: Pptp (E-mail) Subject: [pptp-server] PPTP not starting pppd Hi all, when trying to start a pptp connection from my linux bos to a remote NTserver i always get the below: (unknown)[544]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connectio n established. (unknown)[544]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:626]: Error opening ca ll. [callid 0] Terminated jsw:/home/tno/pptp/pptp-linux-1.0.2 # (unknown)[544]: log[pptp_conn_close:pptp_c trl.c:275]: Closing PPTP connection I assume this cause the pppd cannot be started for any reason. Maybe someone can give me some hints, i did not find any on the webpages Thanks in advance Toni -------------- next part -------------- An HTML attachment was scrubbed... URL: From tno at westend.com Mon Jan 3 12:40:09 2000 From: tno at westend.com (Offermanns, Toni) Date: Mon Jan 3 12:40:09 2000 Subject: [pptp-server] PPTP not starting pppd In-Reply-To: Message-ID: <002001bf5619$eb6ca400$e24175d4@solveip.com> Hi Kevin thanks, but i am using pptp-linux-1.0.2 Toni > -----Original Message----- > From: tmk [mailto:tmk at netmagic.net] > Sent: Montag, 3. Januar 2000 19:48 > To: Offermanns, Toni > Cc: geoff at gnaa.net; Pptp (E-mail) > Subject: RE: [pptp-server] PPTP not starting pppd > > > if you are trying to connect TO an NT server FROM the linux > server, then > pptpd is not the right program to use. you want the pptp client. > > Kevin > > On Mon, 3 Jan 2000, Offermanns, Toni wrote: > > > Hi geoff > > > > yes as modules: > > > > see lsmod: > > sw:/var/spool/news/interesting.groups # lsmod > > Module Size Used by > > ppp_mppe 13328 0 (unused) > > ppp_deflate 40548 0 (unused) > > bsd_comp 3632 0 (unused) > > ppp 20780 0 [ppp_mppe ppp_deflate bsd_comp] > > slhc 4352 0 [ppp] > > serial 41940 0 (autoclean) > > > > MPPE is in > > > > yes all compiles fine > > > > I am also somehow surprised i am struggling with that, form > reading the mail > > archives it does not look to complicated. > > > > Thanks so far Toni > > -----Original Message----- > > From: pptp-server-admin at lists.schulte.org > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of > Geoff Nordli > > Sent: Montag, 3. Januar 2000 18:39 > > To: tno at westend.com > > Cc: 'Pptp (E-mail)' > > Subject: RE: [pptp-server] PPTP not starting pppd > > > > > > These are just guesses. I really don't know what the error is. > > > > Did you compiled PPP as a module in the kernel? > > > > Did you add the MPPE patch? > > > > Did everything compile alright? > > > > Did you try to manually load the modules: > > > > insmod slhc > > insmod ppp > > insmod ppp_deflate > > insmod bsd_comp > > insmod ppp_mppe > > > > geoff > > > > -----Original Message----- > > From: pptp-server-admin at lists.schulte.org > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of > Offermanns, Toni > > Sent: Monday, January 03, 2000 9:20 AM > > To: geoff at gnaa.net > > Cc: Pptp (E-mail) > > Subject: RE: [pptp-server] PPTP not starting pppd > > > > > > Hi all > > > > nope PPPD starts fine from command line > > > > here my /etc/ppp/options: > > sw:/home/tno/pptp/pptp-linux-1.0.2 # more /etc/ppp/options > > lock > > debug > > +chap > > +chapms > > +chapms-v2 > > mppe-40 > > mppe-128 > > mppe-stateless > > > > here my /etc/ppp/chap-secrets: > > > > Secrets for authentication using CHAP > > # client server secret IP addresses > > jsw dallas pL24-0236 * > > v0nmdto1 jsw pL24-0237 * > > dallas v0nmdto1 pL24-0237 * > > LENNOX\\root * * * > > > > Any other help appreciated > > > > Thanks Toni > > -----Original Message----- > > From: Geoff Nordli [mailto:geoff at gnaa.net] > > Sent: Montag, 3. Januar 2000 18:17 > > To: tno at westend.com > > Subject: RE: [pptp-server] PPTP not starting pppd > > > > > > I struggled with this one for quite some time. > > > > See if you can run pppd from the command line. It > might give you some > > information about why it isn't running. The last > time I had a typo in > > the options file. > > > > geoff > > -----Original Message----- > > From: pptp-server-admin at lists.schulte.org > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of > Offermanns, Toni > > Sent: Monday, January 03, 2000 8:49 AM > > To: Pptp (E-mail) > > Subject: [pptp-server] PPTP not starting pppd > > > > > > Hi all, > > > > when trying to start a pptp connection from my > linux bos to a remote > > NTserver i always get the below: > > > > (unknown)[544]: > log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: > > Client connectio > > n established. > > (unknown)[544]: > log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:626]: > > Error opening ca > > ll. [callid 0] > > Terminated > > jsw:/home/tno/pptp/pptp-linux-1.0.2 # (unknown)[544]: > > log[pptp_conn_close:pptp_c > > trl.c:275]: Closing PPTP connection > > > > > > I assume this cause the pppd cannot be started for > any reason. > > Maybe someone can give me some hints, i did not > find any on the > > webpages > > > > Thanks in advance > > > > Toni > > > From AZmolek at neonsoft.com Mon Jan 3 16:24:15 2000 From: AZmolek at neonsoft.com (Zmolek, Andy) Date: Mon Jan 3 16:24:15 2000 Subject: [pptp-server] PPTP not starting pppd Message-ID: Have you verified with an NT client that the remote PPTP server is fully functional through your connection path? The symptoms you report remind me of problems we see when either the client or server is not fully or directly connected to the internet. In our case, the PPTP server appears to be OK but the session cannot run because of firewall obstructions (client or server side) or NAT (PAT, to be more precise) is in use. --Andy Zmolek Manager, Network Architecture azmolek at neonsoft.com http://www.neonsoft.com +1 303 267 0951 +1 303 267 0949 FAX +1 303 409 7491 +1 303 486 3885 FAX +1 303 601 5708 -----Original Message----- From: Offermanns, Toni [mailto:tno at westend.com] Sent: Monday, January 03, 2000 11:40 AM To: 'tmk' Cc: Pptp (E-mail) Subject: RE: [pptp-server] PPTP not starting pppd Hi Kevin thanks, but i am using pptp-linux-1.0.2 Toni > -----Original Message----- > From: tmk [mailto:tmk at netmagic.net] > Sent: Montag, 3. Januar 2000 19:48 > To: Offermanns, Toni > Cc: geoff at gnaa.net; Pptp (E-mail) > Subject: RE: [pptp-server] PPTP not starting pppd > > > if you are trying to connect TO an NT server FROM the linux > server, then > pptpd is not the right program to use. you want the pptp client. > > Kevin > > On Mon, 3 Jan 2000, Offermanns, Toni wrote: > > > Hi geoff > > > > yes as modules: > > > > see lsmod: > > sw:/var/spool/news/interesting.groups # lsmod > > Module Size Used by > > ppp_mppe 13328 0 (unused) > > ppp_deflate 40548 0 (unused) > > bsd_comp 3632 0 (unused) > > ppp 20780 0 [ppp_mppe ppp_deflate bsd_comp] > > slhc 4352 0 [ppp] > > serial 41940 0 (autoclean) > > > > MPPE is in > > > > yes all compiles fine > > > > I am also somehow surprised i am struggling with that, form > reading the mail > > archives it does not look to complicated. > > > > Thanks so far Toni > > -----Original Message----- > > From: pptp-server-admin at lists.schulte.org > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of > Geoff Nordli > > Sent: Montag, 3. Januar 2000 18:39 > > To: tno at westend.com > > Cc: 'Pptp (E-mail)' > > Subject: RE: [pptp-server] PPTP not starting pppd > > > > > > These are just guesses. I really don't know what the error is. > > > > Did you compiled PPP as a module in the kernel? > > > > Did you add the MPPE patch? > > > > Did everything compile alright? > > > > Did you try to manually load the modules: > > > > insmod slhc > > insmod ppp > > insmod ppp_deflate > > insmod bsd_comp > > insmod ppp_mppe > > > > geoff > > > > -----Original Message----- > > From: pptp-server-admin at lists.schulte.org > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of > Offermanns, Toni > > Sent: Monday, January 03, 2000 9:20 AM > > To: geoff at gnaa.net > > Cc: Pptp (E-mail) > > Subject: RE: [pptp-server] PPTP not starting pppd > > > > > > Hi all > > > > nope PPPD starts fine from command line > > > > here my /etc/ppp/options: > > sw:/home/tno/pptp/pptp-linux-1.0.2 # more /etc/ppp/options > > lock > > debug > > +chap > > +chapms > > +chapms-v2 > > mppe-40 > > mppe-128 > > mppe-stateless > > > > here my /etc/ppp/chap-secrets: > > > > Secrets for authentication using CHAP > > # client server secret IP addresses > > jsw dallas pL24-0236 * > > v0nmdto1 jsw pL24-0237 * > > dallas v0nmdto1 pL24-0237 * > > LENNOX\\root * * * > > > > Any other help appreciated > > > > Thanks Toni > > -----Original Message----- > > From: Geoff Nordli [mailto:geoff at gnaa.net] > > Sent: Montag, 3. Januar 2000 18:17 > > To: tno at westend.com > > Subject: RE: [pptp-server] PPTP not starting pppd > > > > > > I struggled with this one for quite some time. > > > > See if you can run pppd from the command line. It > might give you some > > information about why it isn't running. The last > time I had a typo in > > the options file. > > > > geoff > > -----Original Message----- > > From: pptp-server-admin at lists.schulte.org > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of > Offermanns, Toni > > Sent: Monday, January 03, 2000 8:49 AM > > To: Pptp (E-mail) > > Subject: [pptp-server] PPTP not starting pppd > > > > > > Hi all, > > > > when trying to start a pptp connection from my > linux bos to a remote > > NTserver i always get the below: > > > > (unknown)[544]: > log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: > > Client connectio > > n established. > > (unknown)[544]: > log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:626]: > > Error opening ca > > ll. [callid 0] > > Terminated > > jsw:/home/tno/pptp/pptp-linux-1.0.2 # (unknown)[544]: > > log[pptp_conn_close:pptp_c > > trl.c:275]: Closing PPTP connection > > > > > > I assume this cause the pppd cannot be started for > any reason. > > Maybe someone can give me some hints, i did not > find any on the > > webpages > > > > Thanks in advance > > > > Toni > > > _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From hshaw at epills.com Mon Jan 3 18:09:05 2000 From: hshaw at epills.com (Terrelle Shaw) Date: Mon Jan 3 18:09:05 2000 Subject: [pptp-server] hmm have I missed a step? Message-ID: Hello all.. I think I missed something with the client-> firewall-> pptp-server setup. First of all, I had initially setup the pptp-server with a real IP routable to the internet) to test if my setup was correct. I was able to connect to the pptp-server from my Win NT machine via vpn.. GREAT!. Now I moved the pptp-server behind my firewall and gave it an internal address ( 10.0.x.x) I compiled into the firewall kernel the vpn-masq patch (2.2.13) and installed that. Everything a go.. pptpd is running on the vpn server, so is ppp and other related modules. Among the other ipchain rules I have on my firewall, I added these at the beginning of my firewall startup script: ipchains -I forward -p tcp -d 10.0.0.127 1723 -j ACCEPT ipchains -A forward -p tcp -s 10.0.0.127 1723 -j ACCEPT ipchains -A forward -p 47 -d 10.0.0.127 -j ACCEPT ipchains -A forward -p 47 -s 10.0.0.127 -J ACCEPT Now, looking on the firewall /var/log/messags I see the connection from the NT machine, but its not forwarding it to the pptpd machine. Did I miss something in the setup? Forget a rule or some software? Thanks.. Terrelle Shaw HealthCentralRx.com System Administrator hshaw at healthcentralrx.com From geoff at gnaa.net Mon Jan 3 19:21:26 2000 From: geoff at gnaa.net (Geoff Nordli) Date: Mon Jan 3 19:21:26 2000 Subject: [pptp-server] hmm have I missed a step? In-Reply-To: Message-ID: <00ac01bf5652$19f24cc0$0101a8c0@highwayi.com> This might be what you are missing INTNET=whatever is your internal network. Extneral_IF is the external interface External_IP is the external ip address ## VPN Client MASQ ipchains -A forward -j MASQ -p tcp -s $INTNET -d 0.0.0.0/0 1723 ipchains -A forward -j MASQ -p 47 You need to masq the packets on the way out. Here is some more rules that might help: ### Need to add some additional stuff to allow outbound ### 1723 packets to external networks this is for internal clients ### needing access to the external world ipchains -A input -j ACCEPT -p tcp -d 0.0.0.0/0 1723 -i $INTERNAL_IF ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 1723 -d $EXTERNAL_IP -i $EXTERNAL_IF ! -y ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 1723 -d $INTNET -i $INTERNAL_IF ! -y ipchains -A output -j ACCEPT -p tcp -s $INTNET -d 0.0.0.0/0 -i $EXTERNAL_IF geoff nordli -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Terrelle Shaw Sent: Monday, January 03, 2000 4:09 PM To: pptpd Subject: [pptp-server] hmm have I missed a step? Hello all.. I think I missed something with the client-> firewall-> pptp-server setup. First of all, I had initially setup the pptp-server with a real IP routable to the internet) to test if my setup was correct. I was able to connect to the pptp-server from my Win NT machine via vpn.. GREAT!. Now I moved the pptp-server behind my firewall and gave it an internal address ( 10.0.x.x) I compiled into the firewall kernel the vpn-masq patch (2.2.13) and installed that. Everything a go.. pptpd is running on the vpn server, so is ppp and other related modules. Among the other ipchain rules I have on my firewall, I added these at the beginning of my firewall startup script: ipchains -I forward -p tcp -d 10.0.0.127 1723 -j ACCEPT ipchains -A forward -p tcp -s 10.0.0.127 1723 -j ACCEPT ipchains -A forward -p 47 -d 10.0.0.127 -j ACCEPT ipchains -A forward -p 47 -s 10.0.0.127 -J ACCEPT Now, looking on the firewall /var/log/messags I see the connection from the NT machine, but its not forwarding it to the pptpd machine. Did I miss something in the setup? Forget a rule or some software? Thanks.. Terrelle Shaw HealthCentralRx.com System Administrator hshaw at healthcentralrx.com _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From hshaw at epills.com Mon Jan 3 21:30:22 2000 From: hshaw at epills.com (Terrelle Shaw) Date: Mon Jan 3 21:30:22 2000 Subject: [pptp-server] ipchains not forwarding to pptpd server Message-ID: Hello all.. I think I might have an ipchains issue. Wondering of anything jumps out any anyone while looking at my ipchains rules. It's supposed to be forwarding 1723 and 47 stuff to the vpn-pptpd server.. but looking at the logs on the firewall and pptpd-server.. its just getting to the firewall and stopping.. Any help is appreciated. Chain input (policy ACCEPT): target prot opt source destination ports REJECT icmp ------ anywhere external_ip echo-request ACCEPT tcp ------ anywhere anywhere any -> 1723 ACCEPT tcp !y---- anywhere external_ip 1723 -> any Chain forward (policy ACCEPT): target prot opt source destination ports ACCEPT tcp ------ anywhere vpn_server_ip any -> 1723 ACCEPT tcp ------ vpn_server_ip anywhere 1723 -> any ACCEPT 47 ------ anywhere vpn_server_ip n/a ACCEPT 47 ------ vpn_server_ip anywhere n/a ACCEPT all ------ 10.0.0.0/24 external_real_ip/28 n/a MASQ all ------ 10.0.0.0/24 anywhere n/a MASQ 47 ------ anywhere anywhere n/a MASQ tcp ------ 10.0.0.0 anywhere any -> 1723 Chain output (policy ACCEPT): target prot opt source destination ports ACCEPT tcp !y---- anywhere 10.0.0.0 1723 -> any ACCEPT tcp ------ 10.0.0.0 anywhere any -> any Terrelle Shaw HealthCentralRx.com System Administrator hshaw at healthcentralrx.com From root at desade.phlo.net Tue Jan 4 01:38:37 2000 From: root at desade.phlo.net (desade-root) Date: Tue Jan 4 01:38:37 2000 Subject: [pptp-server] PPP error messages Message-ID: <3871A2F1.10C4248D@desade.phlo.net> Hey all.... Love this proggy....BUT... I'm still having some probs... Wondering if anyone out there could point me in the right directions I've got an NT server giving DHCP over a 128 bit encrypted pipe.. No stateless When I run pptp I get the following error, and I cannot track it down... Jan 3 23:17:41 localhost (unknown)[3472]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]: Outgoing call established. Jan 3 23:17:42 localhost pppd[3476]: The remote system (206.132.96.23) is required to authenticate itself but I Jan 3 23:17:42 localhost pppd[3476]: couldn't find any suitable secret (password) for it to use to do so. I would really love some assistance... Thanks, Joe From tmk at netmagic.net Tue Jan 4 03:18:55 2000 From: tmk at netmagic.net (tmk) Date: Tue Jan 4 03:18:55 2000 Subject: [pptp-server] PPP error messages References: <3871A2F1.10C4248D@desade.phlo.net> Message-ID: <002901bf5694$d24be140$071c0fc0@lala.net> you need to have a file called /etc/ppp/chap-secrets that has a name, pass, domain and ip (i think) for each user that will be using the system. this is how pppd authenticates. There is more info in your manpages. If you know about all that, then perhaps the other side is sending a domain name with pptp.. it doesnt look like it from your logs though.. also, use a * for IP address in teh chap-secrets file, and it will allow connections from any IP. Kevin ----- Original Message ----- From: desade-root To: Sent: Monday, January 03, 2000 11:36 PM Subject: [pptp-server] PPP error messages > Hey all.... > Love this proggy....BUT... > I'm still having some probs... Wondering if anyone out there could point > me in the right directions > I've got an NT server giving DHCP over a 128 bit encrypted pipe.. No > stateless > When I run pptp I get the following error, and I cannot track it down... > > Jan 3 23:17:41 localhost (unknown)[3472]: > log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]: Outgoing call > established. > Jan 3 23:17:42 localhost pppd[3476]: The remote system (206.132.96.23) > is required to authenticate itself but I > Jan 3 23:17:42 localhost pppd[3476]: couldn't find any suitable secret > (password) for it to use to do so. > > I would really love some assistance... > Thanks, > Joe > > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From blalor at netDrives.com Tue Jan 4 12:03:09 2000 From: blalor at netDrives.com (Brian Lalor) Date: Tue Jan 4 12:03:09 2000 Subject: [pptp-server] VPN w/ Win98 and pptpd 1.0.0 Message-ID: Hey all. I'm making progress little by little... I've got a Win98 notebook I'm trying to configure to use our VPN from the road. I've successfully gotten it to connect to the pptpd from within the local network (a simple test to make sure the software's working properly). The problem I've got is when using the modem to call a local ISP and then connect to the VPN from there. First I call the ISP. Networking's working properly. Next I bring up the Dialup Networking profile for the VPN. It seems to connect to the pptpd, but Windows then gives an error dialog with Error 645: The Microsoft Dial-Up Adapter is in use or not responding properly. Disconnect other connections and then try again. If this problem persists, shut down and restart your computer. The boilerplate MS response to *every* friggin' problem is reboot. So, what's the proper way to initiate a VPN connection via a dialup connection (modem)? Thanks in advance, B -- Brian Lalor, Web Honkey netDrives blalor at netDrives.com 607-272-5650 x7167 From nmeyers at javalinux.net Tue Jan 4 12:17:10 2000 From: nmeyers at javalinux.net (Nathan Meyers) Date: Tue Jan 4 12:17:10 2000 Subject: [pptp-server] VPN w/ Win98 and pptpd 1.0.0 References: Message-ID: <38723900.C4FE4A8D@javalinux.net> Brian Lalor wrote: > > Hey all. I'm making progress little by little... You're close. You just need to install a second dial-up adapter. And, of course, reboot afterwards :-). Nathan > > I've got a Win98 notebook I'm trying to configure to use our VPN from the > road. I've successfully gotten it to connect to the pptpd from within the > local network (a simple test to make sure the software's working > properly). The problem I've got is when using the modem to call a local > ISP and then connect to the VPN from there. > > First I call the ISP. Networking's working properly. > Next I bring up the Dialup Networking profile for the VPN. It seems to > connect to the pptpd, but Windows then gives an error dialog with > Error 645: The Microsoft Dial-Up Adapter is in use or not > responding properly. > Disconnect other connections and then try again. > If this problem persists, shut down and restart your computer. > > The boilerplate MS response to *every* friggin' problem is reboot. > > So, what's the proper way to initiate a VPN connection via a dialup > connection (modem)? > > Thanks in advance, > B > > -- > Brian Lalor, Web Honkey > netDrives > blalor at netDrives.com > 607-272-5650 x7167 > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! From blalor at netDrives.com Tue Jan 4 12:48:19 2000 From: blalor at netDrives.com (Brian Lalor) Date: Tue Jan 4 12:48:19 2000 Subject: [pptp-server] VPN w/ Win98 and pptpd 1.0.0 In-Reply-To: <38723900.C4FE4A8D@javalinux.net> Message-ID: On Tue, 4 Jan 2000, Nathan Meyers wrote: > Brian Lalor wrote: > > > > Hey all. I'm making progress little by little... > > You're close. You just need to install a second dial-up adapter. And, of > course, reboot afterwards :-). Woo hoo! That did it! For this round, anyway. Still having routing problems. I'll work some more on that before I get back to y'all. :-) Thanks, Nathan. B -- Brian Lalor, Web Honkey netDrives blalor at netDrives.com 607-272-5650 x7167 From geoff at gnaa.net Wed Jan 5 14:03:37 2000 From: geoff at gnaa.net (Geoff Nordli) Date: Wed Jan 5 14:03:37 2000 Subject: [pptp-server] Hack to force MPPE encryption from the server side In-Reply-To: <386918F6.388AF7D1@javalinux.net> Message-ID: <000401bf57b8$03e98da0$0101a8c0@highwayi.com> I am trying your patch. It works really well, but unfortunately kills the pptp daemon also. I renamed pppd as pppd.real. I named the script /usr/sbin/pppd. It really does work, but why do you think it kills the pptp daemon? It doesn't kill the daemon if the client has mppe enabled. thanks, geoff nordli -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Nathan Meyers Sent: Tuesday, December 28, 1999 12:09 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] Hack to force MPPE encryption from the server side When I was looking recently for a way for PoPToP to force PPTP clients to use MPPE encryption, it appeared to be impossible - outside the bounds of PPP to force a compression choice on the client. I've developed a hack that gets the job done without too much ugliness. It's a small sentry, written in perl, that detects whan an unencrypted PPTP connection has been established, and kills it. If anyone's interested, here's what I did: 1) Hacked pptpd to run /usr/sbin/pppd.mppe_sentry instead of /usr/sbin/pppd as the PPP daemon. 2) Implemented /usr/sbin/pppd.mppe_sentry in perl (see below). It works by sitting between pptpd and pppd, and monitoring the log output from pppd. It looks for two things in the log output: - The message announcing the "remote IP" connection - The message announcing the use of MPPE encryption, which may occur before or shortly after the "remote IP" message. If it doesn't see the MPPE message within 10 seconds of seeing the "remote IP" message, it kills pppd. Crude, but effective. A possible alternate implementation would be to: 1) Don't hack pptpd 2) Rename /usr/sbin/pppd to /usr/sbin/pppd.real 3) Install the script as /usr/sbin/pppd, changing line 14 to run /usr/sbin/pppd.real Unfortunately, this approach involves the sentry whenever pppd is used for anything, not just PPTP connections - which won't work in my environment. Perl source for the sentry is attached below. Nathan Meyers nmeyers at javalinux.net #!/bin/sh # This is a shell archive (produced by GNU sharutils 4.2). # To extract the files from this archive, save it to some FILE, remove # everything before the `!/bin/sh' line above, then type `sh FILE'. # # Made on 1999-12-28 12:06 PST by . # Source directory was `/home/nathanm/VPN'. # # Existing files will *not* be overwritten unless `-c' is specified. # # This shar contains: # length mode name # ------ ---------- ------------------------------------------ # 716 -rwxr-xr-x pppd.mppe_sentry # save_IFS="${IFS}" IFS="${IFS}:" gettext_dir=FAILED locale_dir=FAILED first_param="$1" for dir in $PATH do if test "$gettext_dir" = FAILED && test -f $dir/gettext \ && ($dir/gettext --version >/dev/null 2>&1) then set `$dir/gettext --version 2>&1` if test "$3" = GNU then gettext_dir=$dir fi fi if test "$locale_dir" = FAILED && test -f $dir/shar \ && ($dir/shar --print-text-domain-dir >/dev/null 2>&1) then locale_dir=`$dir/shar --print-text-domain-dir` fi done IFS="$save_IFS" if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED then echo=echo else TEXTDOMAINDIR=$locale_dir export TEXTDOMAINDIR TEXTDOMAIN=sharutils export TEXTDOMAIN echo="$gettext_dir/gettext -s" fi touch -am 1231235999 $$.touch >/dev/null 2>&1 if test ! -f 1231235999 && test -f $$.touch; then shar_touch=touch else shar_touch=: echo $echo 'WARNING: not restoring timestamps. Consider getting and' $echo "installing GNU \`touch', distributed in GNU File Utilities..." echo fi rm -f 1231235999 $$.touch # if mkdir _sh14010; then $echo 'x -' 'creating lock directory' else $echo 'failed to create lock directory' exit 1 fi # ============= pppd.mppe_sentry ============== if test -f 'pppd.mppe_sentry' && test "$first_param" != -c; then $echo 'x -' SKIPPING 'pppd.mppe_sentry' '(file already exists)' else $echo 'x -' extracting 'pppd.mppe_sentry' '(text)' sed 's/^X//' << 'SHAR_EOF' > 'pppd.mppe_sentry' && #!/usr/bin/perl X $^F = 20; pipe(FROMPPPD, TOSENTRY) || die "Failed to open pipe"; X $pid = fork; if ($pid == -1) { die "fork() failed"; } X if ($pid == 0) { X # Child... run pppd X close(FROMPPPD); X open(STDOUT, '>&TOSENTRY'); X unshift @ARGV, "/usr/sbin/pppd"; X exec(@ARGV) || die "Failed to execute pppd"; } X close(TOSENTRY); X $encryption = 0; while () { X chomp; X if (/MPPE/) { $encryption = 1; } X if (/remote IP/ && !$encryption) X { X # We've seen the "remote IP" message but no sign of encryption. X # Give pppd 10 seconds to report encryption or the dog dies X $SIG{ALRM} = 'check_encrypt'; X alarm 10; X } } X sub check_encrypt { X if (!$encryption) { kill SIGTERM, pid; } } SHAR_EOF $shar_touch -am 1225114399 'pppd.mppe_sentry' && chmod 0755 'pppd.mppe_sentry' || $echo 'restore of' 'pppd.mppe_sentry' 'failed' if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \ && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then md5sum -c << SHAR_EOF >/dev/null 2>&1 \ || $echo 'pppd.mppe_sentry:' 'MD5 check failed' 21d20f3cc32b233450f52c0402f59386 pppd.mppe_sentry SHAR_EOF else shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'pppd.mppe_sentry'`" test 716 -eq "$shar_count" || $echo 'pppd.mppe_sentry:' 'original size' '716,' 'current size' "$shar_count!" fi fi rm -fr _sh14010 exit 0 _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From jbeauchamp at 4anything.com Wed Jan 5 16:13:36 2000 From: jbeauchamp at 4anything.com (Joe Beauchamp) Date: Wed Jan 5 16:13:36 2000 Subject: [pptp-server] Where is a tcpdump or equivalent? Message-ID: <3.0.6.32.20000105171215.0092cca0@1mailbox.com> Progress has been very slow for me. I have slackware 2.2.14p16 currently and am trying to masquarade and VPN a Win98 PC out of the environment into a WinNT server. Things seem to be getting eaten, don't know. Since I've now spent weeks on this (and I expected it to be pretty straight forward), I've finally reached the point of wanting to look at the packets as they go by or don't go by. So, is there a linux version of tcpdump or some such so that I can see what is messed up? Thanks! -- Joe B. ________________________________________________________________________ Joe Beauchamp -- VP, New Technology -- 4anything.com -- (610) 768-1444 From johnoel at hawaii.com Wed Jan 5 16:53:37 2000 From: johnoel at hawaii.com (john oel@H@) Date: Wed Jan 5 16:53:37 2000 Subject: [pptp-server] CTRL: Error with select(), quitting Message-ID: <200001052347.PAA22010@mail.hawaii.com> hi all, i started with a simple setup in a private network i was able to login to the pptp server using poptop and win98 client, okay. then i tried to dial in using a isp. the packets does get forwared to the internal pptp server, but it generates an error. from /var/log/messages Jan 5 10:44:37 server pptpd[535]: CTRL: Client control connection started Jan 5 10:44:37 server pptpd[535]: CTRL: Starting call (launching pppd, opening GRE) Jan 5 10:44:38 server pptpd[535]: CTRL: Error with select(), quitting Jan 5 10:44:38 server pptpd[535]: CTRL: Client control connection finished any clues -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From johnoel at hawaii.com Wed Jan 5 16:53:38 2000 From: johnoel at hawaii.com (john oel@H@) Date: Wed Jan 5 16:53:38 2000 Subject: [pptp-server] CTRL: Error with select(), quitting Message-ID: <200001052346.PAA22000@mail.hawaii.com> hi all, i started with a simple setup in a private network i was able to login to the pptp server using poptop and win98 client, okay. then i tried to dial in using a isp. the packets does get forwared to the internal pptp server, but it generates an error. from /var/log/messages Jan 5 10:44:37 server pptpd[535]: CTRL: Client control connection started Jan 5 10:44:37 server pptpd[535]: CTRL: Starting call (launching pppd, opening GRE) Jan 5 10:44:38 server pptpd[535]: CTRL: Error with select(), quitting Jan 5 10:44:38 server pptpd[535]: CTRL: Client control connection finished any clues -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From johnoel at hawaii.com Wed Jan 5 16:55:13 2000 From: johnoel at hawaii.com (john oel@H@) Date: Wed Jan 5 16:55:13 2000 Subject: [pptp-server] CTRL: Error with select(), quitting Message-ID: <200001052348.PAA22098@mail.hawaii.com> hi all, i started with a simple setup in a private network i was able to login to the pptp server using poptop and win98 client, okay. then i tried to dial in using a isp. the packets does get forwared to the internal pptp server, but it generates an error. from /var/log/messages Jan 5 10:44:37 server pptpd[535]: CTRL: Client control connection started Jan 5 10:44:37 server pptpd[535]: CTRL: Starting call (launching pppd, opening GRE) Jan 5 10:44:38 server pptpd[535]: CTRL: Error with select(), quitting Jan 5 10:44:38 server pptpd[535]: CTRL: Client control connection finished any clues -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From johnoel at hawaii.com Wed Jan 5 16:55:15 2000 From: johnoel at hawaii.com (john oel@H@) Date: Wed Jan 5 16:55:15 2000 Subject: [pptp-server] CTRL: Error with select(), quitting Message-ID: <200001052348.PAA22090@mail.hawaii.com> hi all, i started with a simple setup in a private network i was able to login to the pptp server using poptop and win98 client, okay. then i tried to dial in using a isp. the packets does get forwared to the internal pptp server, but it generates an error. from /var/log/messages Jan 5 10:44:37 server pptpd[535]: CTRL: Client control connection started Jan 5 10:44:37 server pptpd[535]: CTRL: Starting call (launching pppd, opening GRE) Jan 5 10:44:38 server pptpd[535]: CTRL: Error with select(), quitting Jan 5 10:44:38 server pptpd[535]: CTRL: Client control connection finished any clues -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From johnoel at hawaii.com Wed Jan 5 16:56:04 2000 From: johnoel at hawaii.com (john oel@H@) Date: Wed Jan 5 16:56:04 2000 Subject: [pptp-server] CTRL: Error with select(), quitting Message-ID: <200001052349.PAA22111@mail.hawaii.com> hi all, i started with a simple setup in a private network i was able to login to the pptp server using poptop and win98 client, okay. then i tried to dial in using a isp. the packets does get forwared to the internal pptp server, but it generates an error. from /var/log/messages Jan 5 10:44:37 server pptpd[535]: CTRL: Client control connection started Jan 5 10:44:37 server pptpd[535]: CTRL: Starting call (launching pppd, opening GRE) Jan 5 10:44:38 server pptpd[535]: CTRL: Error with select(), quitting Jan 5 10:44:38 server pptpd[535]: CTRL: Client control connection finished any clues -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From rowl at earthcorp.com Wed Jan 5 18:12:50 2000 From: rowl at earthcorp.com (Michael St. Laurent) Date: Wed Jan 5 18:12:50 2000 Subject: [pptp-server] "Peer refused to authenticate" error Message-ID: <3.0.6.32.20000105161234.009b6330@guardian.hartwellcorp.com> I have a Linux box running PoPToP and sucessfully serving windoze clients with MS-Chap-v2 and MPPE. I have a second Linux box on which I am trying to get the PPTP client software working. I keep getting a "peer refused to authenticate: terminating link" error message. Attached is the debug output. Any idea what I'm doing wrong? -------------- next part -------------- Jan 5 14:20:52 ftp (unknown)[185]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connection established. Jan 5 14:20:53 ftp (unknown)[185]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]: Outgoing call established. Jan 5 14:20:53 ftp kernel: registered device ppp0 Jan 5 14:20:53 ftp pppd[183]: pppd 2.3.8 started by root, uid 0 Jan 5 14:20:53 ftp pppd[183]: Using interface ppp0 Jan 5 14:20:53 ftp pppd[183]: Connect: ppp0 <--> /dev/ttya0 Jan 5 14:20:53 ftp pppd[183]: sent [LCP ConfReq id=0x1 ] Jan 5 14:20:56 ftp pppd[183]: rcvd [LCP ConfReq id=0x1 ] Jan 5 14:20:56 ftp pppd[183]: sent [LCP ConfAck id=0x1 ] Jan 5 14:20:56 ftp pppd[183]: sent [LCP ConfReq id=0x1 ] Jan 5 14:20:56 ftp pppd[183]: rcvd [LCP ConfRej id=0x1 ] Jan 5 14:20:56 ftp pppd[183]: sent [LCP ConfReq id=0x2 ] Jan 5 14:20:56 ftp pppd[183]: rcvd [LCP ConfRej id=0x2 ] Jan 5 14:20:56 ftp pppd[183]: sent [LCP ConfReq id=0x3 ] Jan 5 14:20:56 ftp pppd[183]: rcvd [LCP ConfRej id=0x3 ] Jan 5 14:20:56 ftp pppd[183]: sent [LCP ConfReq id=0x4 ] Jan 5 14:20:56 ftp pppd[183]: rcvd [LCP ConfAck id=0x4 ] Jan 5 14:20:56 ftp pppd[183]: sent [LCP EchoReq id=0x0 magic=0x64855de1] Jan 5 14:20:56 ftp pppd[183]: peer refused to authenticate: terminating link Jan 5 14:20:56 ftp pppd[183]: sent [LCP TermReq id=0x5 "peer refused to authenticate"] Jan 5 14:20:56 ftp pppd[183]: rcvd [LCP EchoReq id=0x0 magic=0x63c424d7] Jan 5 14:20:56 ftp pppd[183]: rcvd [CHAP Challenge id=0x1 , name = "guardian"] Jan 5 14:20:56 ftp pppd[183]: rcvd [LCP EchoRep id=0x0 magic=0x63c424d7] Jan 5 14:20:56 ftp pppd[183]: rcvd [LCP TermAck id=0x5] Jan 5 14:20:56 ftp pppd[183]: Connection terminated. Jan 5 14:20:57 ftp pppd[183]: Exit. Jan 5 14:20:57 ftp pppd[183]: Terminating on signal 15. Jan 5 14:21:53 ftp (unknown)[185]: log[pptp_read_some:pptp_ctrl.c:368]: read error: Broken pipe -------------- next part -------------- -------------------- Michael St. Laurent Hartwell Corporation From rowl at earthcorp.com Wed Jan 5 19:00:21 2000 From: rowl at earthcorp.com (Michael St. Laurent) Date: Wed Jan 5 19:00:21 2000 Subject: [pptp-server] OK, fixed first prob. now another Message-ID: <3.0.6.32.20000105170009.009bb100@guardian.hartwellcorp.com> I think I fixed the peer refused authentication problem. I needed entries *for* both machines *on* both machines in the chap-secrets files. Now that I've got that the systems seem to keep sending challenges and responses back and forth but never go any further. Log file attached. -------------- next part -------------- Jan 5 16:49:50 ftp (unknown)[185]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connection established. Jan 5 16:49:51 ftp (unknown)[185]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]: Outgoing call established. Jan 5 16:49:52 ftp pppd[183]: pppd 2.3.8 started by root, uid 0 Jan 5 16:49:52 ftp pppd[183]: Using interface ppp0 Jan 5 16:49:52 ftp pppd[183]: Connect: ppp0 <--> /dev/ttya0 Jan 5 16:49:52 ftp pppd[183]: sent [LCP ConfReq id=0x1 ] Jan 5 16:49:54 ftp pppd[183]: rcvd [LCP ConfReq id=0x1 ] Jan 5 16:49:54 ftp pppd[183]: sent [LCP ConfAck id=0x1 ] Jan 5 16:49:55 ftp pppd[183]: sent [LCP ConfReq id=0x1 ] Jan 5 16:49:55 ftp pppd[183]: rcvd [LCP ConfAck id=0x1 ] Jan 5 16:49:55 ftp pppd[183]: sent [LCP EchoReq id=0x0 magic=0x1269bfbc] Jan 5 16:49:55 ftp pppd[183]: sent [CHAP Challenge id=0x1 <7dd877af5b6a7e73578caede2b84eddb>, name = "ftp"] Jan 5 16:49:55 ftp pppd[183]: rcvd [LCP EchoReq id=0x0 magic=0xdd7a3d54] Jan 5 16:49:55 ftp pppd[183]: sent [LCP EchoRep id=0x0 magic=0x1269bfbc] Jan 5 16:49:55 ftp pppd[183]: rcvd [CHAP Challenge id=0x1 , name = "guardian"] Jan 5 16:49:55 ftp pppd[183]: sent [CHAP Response id=0x1 <61db70b7bb4fb29fe5af44286d298e620000000000000000657dbef8e181b749984b60fbece36ad64e9e2622daa1c6c700>, name = "ftp"] Jan 5 16:49:55 ftp pppd[183]: rcvd [LCP EchoRep id=0x0 magic=0xdd7a3d54] Jan 5 16:49:55 ftp pppd[183]: rcvd [CHAP Response id=0x1 , name = "guardian"] Jan 5 16:49:58 ftp pppd[183]: sent [CHAP Challenge id=0x2 <61db70b7bb4fb29fe5af44286d298e62>, name = "ftp"] Jan 5 16:49:58 ftp pppd[183]: rcvd [CHAP Challenge id=0x2 , name = "guardian"] Jan 5 16:49:58 ftp pppd[183]: sent [CHAP Response id=0x2 , name = "ftp"] Jan 5 16:49:58 ftp pppd[183]: rcvd [CHAP Response id=0x2 , name = "guardian"] Jan 5 16:50:01 ftp pppd[183]: sent [CHAP Challenge id=0x3 , name = "ftp"] Jan 5 16:50:01 ftp pppd[183]: sent [CHAP Response id=0x2 , name = "ftp"] Jan 5 16:50:01 ftp pppd[183]: rcvd [CHAP Challenge id=0x3 , name = "guardian"] Jan 5 16:50:01 ftp pppd[183]: sent [CHAP Response id=0x3 , name = "ftp"] Jan 5 16:50:01 ftp pppd[183]: rcvd [CHAP Response id=0x2 , name = "guardian"] Jan 5 16:50:01 ftp pppd[183]: rcvd [CHAP Response id=0x3 <19b6b68746094694b281e9f802df2d84000000000000000073053544b0358fb8777e7714a471abf17639cc2ca163f38b00>, name = "guardian"] Jan 5 16:50:04 ftp pppd[183]: sent [CHAP Challenge id=0x4 , name = "ftp"] Jan 5 16:50:04 ftp pppd[183]: sent [CHAP Response id=0x3 , name = "ftp"] Jan 5 16:50:04 ftp pppd[183]: rcvd [CHAP Challenge id=0x4 <19b6b68746094694b281e9f802df2d84>, name = "guardian"] Jan 5 16:50:04 ftp pppd[183]: sent [CHAP Response id=0x4 , name = "ftp"] Jan 5 16:50:04 ftp pppd[183]: rcvd [CHAP Response id=0x3 <19b6b68746094694b281e9f802df2d84000000000000000073053544b0358fb8777e7714a471abf17639cc2ca163f38b00>, name = "guardian"] Jan 5 16:50:04 ftp pppd[183]: rcvd [CHAP Response id=0x4 <99b374b5272cc9baa6f007c30a5eaa0d0000000000000000d27c2a968135379281df557c52bcc325f5428682f7999c2800>, name = "guardian"] Jan 5 16:50:07 ftp pppd[183]: sent [CHAP Challenge id=0x5 , name = "ftp"] Jan 5 16:50:07 ftp pppd[183]: sent [CHAP Response id=0x4 , name = "ftp"] Jan 5 16:50:07 ftp pppd[183]: rcvd [CHAP Challenge id=0x5 <99b374b5272cc9baa6f007c30a5eaa0d>, name = "guardian"] Jan 5 16:50:07 ftp pppd[183]: sent [CHAP Response id=0x5 , name = "ftp"] Jan 5 16:50:07 ftp pppd[183]: rcvd [CHAP Response id=0x4 <99b374b5272cc9baa6f007c30a5eaa0d0000000000000000d27c2a968135379281df557c52bcc325f5428682f7999c2800>, name = "guardian"] Jan 5 16:50:07 ftp pppd[183]: rcvd [CHAP Response id=0x5 <79fee5288d7ea2d2bcf0ab0fcc22778300000000000000006654c0c83aee275540c8c5cca2674436e0dd050eed5a647f00>, name = "guardian"] Jan 5 16:50:10 ftp pppd[183]: sent [CHAP Challenge id=0x6 , name = "ftp"] Jan 5 16:50:10 ftp pppd[183]: sent [CHAP Response id=0x5 , name = "ftp"] Jan 5 16:50:10 ftp pppd[183]: rcvd [CHAP Challenge id=0x6 <79fee5288d7ea2d2bcf0ab0fcc227783>, name = "guardian"] Jan 5 16:50:10 ftp pppd[183]: sent [CHAP Response id=0x6 , name = "ftp"] Jan 5 16:50:10 ftp pppd[183]: rcvd [CHAP Response id=0x5 <79fee5288d7ea2d2bcf0ab0fcc22778300000000000000006654c0c83aee275540c8c5cca2674436e0dd050eed5a647f00>, name = "guardian"] Jan 5 16:50:10 ftp pppd[183]: rcvd [CHAP Response id=0x6 <6f1fac88e0c18425d8803366b053e45c0000000000000000a27d807d628e913c13da36c7c90924021b9035a74f6200d000>, name = "guardian"] Jan 5 16:50:13 ftp pppd[183]: sent [CHAP Challenge id=0x7 , name = "ftp"] Jan 5 16:50:13 ftp pppd[183]: sent [CHAP Response id=0x6 , name = "ftp"] Jan 5 16:50:13 ftp pppd[183]: rcvd [CHAP Challenge id=0x7 <6f1fac88e0c18425d8803366b053e45c>, name = "guardian"] Jan 5 16:50:13 ftp pppd[183]: sent [CHAP Response id=0x7 <547f435d95bbd85585e9563e6057ce81000000000000000082ae9a7ec16eea25dc1e732de13caffdfcc314188c48497400>, name = "ftp"] Jan 5 16:50:13 ftp pppd[183]: rcvd [CHAP Response id=0x6 <6f1fac88e0c18425d8803366b053e45c0000000000000000a27d807d628e913c13da36c7c90924021b9035a74f6200d000>, name = "guardian"] Jan 5 16:50:13 ftp pppd[183]: rcvd [CHAP Response id=0x7 <2c729d22baf7ddbb9371ea2c715d373200000000000000005690363196c55a2d554f375567dbab9c295d73d04fd9532f00>, name = "guardian"] Jan 5 16:50:16 ftp pppd[183]: sent [CHAP Challenge id=0x8 <547f435d95bbd85585e9563e6057ce81>, name = "ftp"] Jan 5 16:50:16 ftp pppd[183]: sent [CHAP Response id=0x7 <547f435d95bbd85585e9563e6057ce81000000000000000082ae9a7ec16eea25dc1e732de13caffdfcc314188c48497400>, name = "ftp"] Jan 5 16:50:16 ftp pppd[183]: rcvd [CHAP Challenge id=0x8 <2c729d22baf7ddbb9371ea2c715d3732>, name = "guardian"] Jan 5 16:50:16 ftp pppd[183]: sent [CHAP Response id=0x8 <3e84b101877b02301fab960563c2e60000000000000000005413a103cc7e6a9494ef73c23a6940d4fc2170b835acb74700>, name = "ftp"] Jan 5 16:50:16 ftp pppd[183]: rcvd [CHAP Response id=0x7 <2c729d22baf7ddbb9371ea2c715d373200000000000000005690363196c55a2d554f375567dbab9c295d73d04fd9532f00>, name = "guardian"] Jan 5 16:50:16 ftp pppd[183]: rcvd [CHAP Response id=0x8 <54e82d6e48a16f2d1111d6f3dfd1aa1c00000000000000004227be52327c204a86106d381c5bd2db956b0c37168026d400>, name = "guardian"] Jan 5 16:50:19 ftp pppd[183]: sent [CHAP Challenge id=0x9 <3e84b101877b02301fab960563c2e600>, name = "ftp"] Jan 5 16:50:19 ftp pppd[183]: sent [CHAP Response id=0x8 <3e84b101877b02301fab960563c2e60000000000000000005413a103cc7e6a9494ef73c23a6940d4fc2170b835acb74700>, name = "ftp"] Jan 5 16:50:19 ftp pppd[183]: rcvd [CHAP Challenge id=0x9 <54e82d6e48a16f2d1111d6f3dfd1aa1c>, name = "guardian"] Jan 5 16:50:19 ftp pppd[183]: sent [CHAP Response id=0x9 <9b463bd1a2aa36a16bc0fccd7f51ba850000000000000000eee1c786f6dd2be6f17e3d35e93130db98fe0188e4f5ae7d00>, name = "ftp"] Jan 5 16:50:19 ftp pppd[183]: rcvd [CHAP Response id=0x8 <54e82d6e48a16f2d1111d6f3dfd1aa1c00000000000000004227be52327c204a86106d381c5bd2db956b0c37168026d400>, name = "guardian"] Jan 5 16:50:19 ftp pppd[183]: rcvd [CHAP Response id=0x9 , name = "guardian"] Jan 5 16:50:22 ftp pppd[183]: sent [CHAP Challenge id=0xa <9b463bd1a2aa36a16bc0fccd7f51ba85>, name = "ftp"] Jan 5 16:50:22 ftp pppd[183]: sent [CHAP Response id=0x9 <9b463bd1a2aa36a16bc0fccd7f51ba850000000000000000eee1c786f6dd2be6f17e3d35e93130db98fe0188e4f5ae7d00>, name = "ftp"] Jan 5 16:50:22 ftp pppd[183]: rcvd [CHAP Challenge id=0xa , name = "guardian"] Jan 5 16:50:22 ftp pppd[183]: sent [CHAP Response id=0xa <708aa3b5d11fee70d99deef340fa4ff400000000000000004934f067b38db37a23d43bcca20335742904ee27b715ddc200>, name = "ftp"] Jan 5 16:50:22 ftp pppd[183]: rcvd [CHAP Response id=0x9 , name = "guardian"] Jan 5 16:50:22 ftp pppd[183]: rcvd [CHAP Response id=0xa <0cc2ae366e14534c0f07e4d6ad47d335000000000000000098eff8d4107039df0664b5a63a83a8f0c56c4fc8321462d900>, name = "guardian"] Jan 5 16:50:25 ftp pppd[183]: sent [LCP EchoReq id=0x1 magic=0x1269bfbc] Jan 5 16:50:25 ftp pppd[183]: rcvd [LCP EchoReq id=0x1 magic=0xdd7a3d54] Jan 5 16:50:25 ftp pppd[183]: sent [LCP EchoRep id=0x1 magic=0x1269bfbc] Jan 5 16:50:25 ftp pppd[183]: rcvd [LCP EchoRep id=0x1 magic=0xdd7a3d54] Jan 5 16:50:25 ftp pppd[183]: sent [CHAP Challenge id=0xb <708aa3b5d11fee70d99deef340fa4ff4>, name = "ftp"] Jan 5 16:50:25 ftp pppd[183]: sent [CHAP Response id=0xa <708aa3b5d11fee70d99deef340fa4ff400000000000000004934f067b38db37a23d43bcca20335742904ee27b715ddc200>, name = "ftp"] Jan 5 16:50:25 ftp pppd[183]: rcvd [CHAP Challenge id=0xb <0cc2ae366e14534c0f07e4d6ad47d335>, name = "guardian"] Jan 5 16:50:25 ftp pppd[183]: sent [CHAP Response id=0xb <26a4dcab28c4671265acb30fb4031c970000000000000000336e2c0d6c6066ec839ccc5ff304bc1220493f16375d145300>, name = "ftp"] Jan 5 16:50:25 ftp pppd[183]: rcvd [CHAP Response id=0xa <0cc2ae366e14534c0f07e4d6ad47d335000000000000000098eff8d4107039df0664b5a63a83a8f0c56c4fc8321462d900>, name = "guardian"] Jan 5 16:50:25 ftp pppd[183]: rcvd [CHAP Response id=0xb <1f6729c8f2bdc2223fd43607c4141d6c000000000000000095e94155da8cca786e82578572d02776fc1f34bdf940e7a400>, name = "guardian"] Jan 5 16:50:28 ftp pppd[183]: sent [CHAP Challenge id=0xc <26a4dcab28c4671265acb30fb4031c97>, name = "ftp"] Jan 5 16:50:28 ftp pppd[183]: sent [CHAP Response id=0xb <26a4dcab28c4671265acb30fb4031c970000000000000000336e2c0d6c6066ec839ccc5ff304bc1220493f16375d145300>, name = "ftp"] Jan 5 16:50:28 ftp pppd[183]: rcvd [CHAP Challenge id=0xc <1f6729c8f2bdc2223fd43607c4141d6c>, name = "guardian"] Jan 5 16:50:28 ftp pppd[183]: sent [CHAP Response id=0xc <82862d246a00feead1d5b5aae929c02700000000000000002dee7336a0fef3c9a661dfc430b180a21b7ae083fce4574d00>, name = "ftp"] Jan 5 16:50:28 ftp pppd[183]: rcvd [CHAP Response id=0xb <1f6729c8f2bdc2223fd43607c4141d6c000000000000000095e94155da8cca786e82578572d02776fc1f34bdf940e7a400>, name = "guardian"] Jan 5 16:50:28 ftp pppd[183]: rcvd [CHAP Response id=0xc , name = "guardian"] Jan 5 16:50:31 ftp pppd[183]: sent [CHAP Challenge id=0xd <82862d246a00feead1d5b5aae929c027>, name = "ftp"] Jan 5 16:50:31 ftp pppd[183]: sent [CHAP Response id=0xc <82862d246a00feead1d5b5aae929c02700000000000000002dee7336a0fef3c9a661dfc430b180a21b7ae083fce4574d00>, name = "ftp"] Jan 5 16:50:31 ftp pppd[183]: rcvd [CHAP Challenge id=0xd , name = "guardian"] Jan 5 16:50:31 ftp pppd[183]: sent [CHAP Response id=0xd , name = "ftp"] Jan 5 16:50:31 ftp pppd[183]: rcvd [CHAP Response id=0xc , name = "guardian"] Jan 5 16:50:31 ftp pppd[183]: rcvd [CHAP Response id=0xd <61e1202c72f06a9a5ae404be6d5bb74c00000000000000000656755aeda4e151371fa65fcf16fee98c712a7bf0c5454400>, name = "guardian"] Jan 5 16:50:34 ftp pppd[183]: sent [CHAP Challenge id=0xe , name = "ftp"] Jan 5 16:50:34 ftp pppd[183]: sent [CHAP Response id=0xd , name = "ftp"] Jan 5 16:50:34 ftp pppd[183]: rcvd [CHAP Challenge id=0xe <61e1202c72f06a9a5ae404be6d5bb74c>, name = "guardian"] Jan 5 16:50:34 ftp pppd[183]: sent [CHAP Response id=0xe <815024f3347d7ca893287ba7640bdfb60000000000000000fc7722157f2ab57b7cb7c733283232890f47fd2e69d6b0e900>, name = "ftp"] Jan 5 16:50:34 ftp pppd[183]: rcvd [CHAP Response id=0xd <61e1202c72f06a9a5ae404be6d5bb74c00000000000000000656755aeda4e151371fa65fcf16fee98c712a7bf0c5454400>, name = "guardian"] Jan 5 16:50:34 ftp pppd[183]: rcvd [CHAP Response id=0xe <6a4e721b0edf9c99f936dcd3a88cd52100000000000000002b08cc5f37cc7a8a07c94bd12479f2a1fb2633d82e81201500>, name = "guardian"] Jan 5 16:50:37 ftp pppd[183]: sent [CHAP Challenge id=0xf <815024f3347d7ca893287ba7640bdfb6>, name = "ftp"] Jan 5 16:50:37 ftp pppd[183]: sent [CHAP Response id=0xe <815024f3347d7ca893287ba7640bdfb60000000000000000fc7722157f2ab57b7cb7c733283232890f47fd2e69d6b0e900>, name = "ftp"] Jan 5 16:50:37 ftp pppd[183]: rcvd [CHAP Challenge id=0xf <6a4e721b0edf9c99f936dcd3a88cd521>, name = "guardian"] Jan 5 16:50:37 ftp pppd[183]: sent [CHAP Response id=0xf <6dd3c24f31d9a02694f6680a3aa14fa300000000000000003381a15c5c57317870f048ab805e48c126301336fa98896300>, name = "ftp"] Jan 5 16:50:37 ftp pppd[183]: rcvd [CHAP Response id=0xe <6a4e721b0edf9c99f936dcd3a88cd52100000000000000002b08cc5f37cc7a8a07c94bd12479f2a1fb2633d82e81201500>, name = "guardian"] Jan 5 16:50:37 ftp pppd[183]: rcvd [CHAP Response id=0xf , name = "guardian"] Jan 5 16:50:40 ftp pppd[183]: sent [CHAP Challenge id=0x10 <6dd3c24f31d9a02694f6680a3aa14fa3>, name = "ftp"] Jan 5 16:50:40 ftp pppd[183]: sent [CHAP Response id=0xf <6dd3c24f31d9a02694f6680a3aa14fa300000000000000003381a15c5c57317870f048ab805e48c126301336fa98896300>, name = "ftp"] Jan 5 16:50:40 ftp pppd[183]: rcvd [CHAP Challenge id=0x10 , name = "guardian"] Jan 5 16:50:40 ftp pppd[183]: sent [CHAP Response id=0x10 , name = "ftp"] Jan 5 16:50:40 ftp pppd[183]: rcvd [CHAP Response id=0xf , name = "guardian"] Jan 5 16:50:40 ftp pppd[183]: rcvd [CHAP Response id=0x10 <211885b38049c6702b1e781ad17e2cfa0000000000000000fd2c9f12c6e7ffe25bffcfa8225c144bd23cc5118c9c8c4c00>, name = "guardian"] Jan 5 16:50:43 ftp pppd[183]: sent [CHAP Challenge id=0x11 , name = "ftp"] Jan 5 16:50:43 ftp pppd[183]: sent [CHAP Response id=0x10 , name = "ftp"] Jan 5 16:50:43 ftp pppd[183]: rcvd [CHAP Challenge id=0x11 <211885b38049c6702b1e781ad17e2cfa>, name = "guardian"] Jan 5 16:50:43 ftp pppd[183]: sent [CHAP Response id=0x11 , name = "ftp"] Jan 5 16:50:43 ftp pppd[183]: rcvd [CHAP Response id=0x10 <211885b38049c6702b1e781ad17e2cfa0000000000000000fd2c9f12c6e7ffe25bffcfa8225c144bd23cc5118c9c8c4c00>, name = "guardian"] Jan 5 16:50:43 ftp pppd[183]: rcvd [CHAP Response id=0x11 <733e13c4c3140fdd189824921b3a3fc400000000000000009cfd9a57b1d8d32c2e6c4a0219d34418db1f9ffda4a7851100>, name = "guardian"] Jan 5 16:50:46 ftp pppd[183]: sent [CHAP Challenge id=0x12 , name = "ftp"] Jan 5 16:50:46 ftp pppd[183]: sent [CHAP Response id=0x11 , name = "ftp"] Jan 5 16:50:46 ftp pppd[183]: rcvd [CHAP Challenge id=0x12 <733e13c4c3140fdd189824921b3a3fc4>, name = "guardian"] Jan 5 16:50:46 ftp pppd[183]: sent [CHAP Response id=0x12 <9763db9bdf647f4ad9e80b5e30280e9200000000000000002279442a44349025b4ba608cc55a569a154de0ee07d391dd00>, name = "ftp"] Jan 5 16:50:46 ftp pppd[183]: rcvd [CHAP Response id=0x11 <733e13c4c3140fdd189824921b3a3fc400000000000000009cfd9a57b1d8d32c2e6c4a0219d34418db1f9ffda4a7851100>, name = "guardian"] Jan 5 16:50:46 ftp pppd[183]: rcvd [CHAP Response id=0x12 , name = "guardian"] Jan 5 16:50:49 ftp pppd[183]: sent [CHAP Challenge id=0x13 <9763db9bdf647f4ad9e80b5e30280e92>, name = "ftp"] Jan 5 16:50:49 ftp pppd[183]: sent [CHAP Response id=0x12 <9763db9bdf647f4ad9e80b5e30280e9200000000000000002279442a44349025b4ba608cc55a569a154de0ee07d391dd00>, name = "ftp"] Jan 5 16:50:49 ftp pppd[183]: rcvd [CHAP Challenge id=0x13 , name = "guardian"] Jan 5 16:50:49 ftp pppd[183]: sent [CHAP Response id=0x13 , name = "ftp"] Jan 5 16:50:49 ftp pppd[183]: rcvd [CHAP Response id=0x12 , name = "guardian"] Jan 5 16:50:49 ftp pppd[183]: rcvd [CHAP Response id=0x13 , name = "guardian"] Jan 5 16:50:52 ftp pppd[183]: sent [CHAP Challenge id=0x14 , name = "ftp"] Jan 5 16:50:52 ftp pppd[183]: sent [CHAP Response id=0x13 , name = "ftp"] Jan 5 16:50:52 ftp pppd[183]: rcvd [CHAP Challenge id=0x14 , name = "guardian"] Jan 5 16:50:52 ftp pppd[183]: sent [CHAP Response id=0x14 , name = "ftp"] Jan 5 16:50:52 ftp pppd[183]: rcvd [CHAP Response id=0x13 , name = "guardian"] Jan 5 16:50:52 ftp pppd[183]: rcvd [CHAP Response id=0x14 <596fd9e3d72e804278ef89613e5cafd40000000000000000d0827b8efc47d89436f636b3bbf23af6fbc20b76e6328c2000>, name = "guardian"] Jan 5 16:50:53 ftp pppd[183]: Terminating on signal 2. Jan 5 16:50:53 ftp pppd[183]: Terminating on signal 15. Jan 5 16:50:53 ftp pppd[183]: sent [LCP TermReq id=0x2 "User request"] Jan 5 16:50:55 ftp (unknown)[185]: log[pptp_conn_close:pptp_ctrl.c:275]: Closing PPTP connection Jan 5 16:50:56 ftp pppd[183]: sent [LCP TermReq id=0x3 "User request"] Jan 5 16:50:57 ftp pppd[183]: Terminating on signal 15. Jan 5 16:50:59 ftp pppd[183]: Connection terminated. Jan 5 16:51:01 ftp pppd[183]: Exit. -------------- next part -------------- -------------------- Michael St. Laurent Hartwell Corporation From matthewr at moreton.com.au Wed Jan 5 19:10:49 2000 From: matthewr at moreton.com.au (Matthew Ramsay) Date: Wed Jan 5 19:10:49 2000 Subject: [pptp-server] Official PoPToP 1.1.1 dev release Message-ID: <00010611112803.10819@gibberling> Heya all, PoPToP v1.1.1 (development) has been (officially) released! See Pat's comments on the changes: http://www.moretonbay.com/vpn/releases/pat-1.1.1.txt This is a development release only!! Feedback is expected... development continues. Download your copy here: http://www.moretonbay.com/vpn/releases/pptpd-1.1.1.tgz Cheers, PoPToP Development Team. From tmk at netmagic.net Wed Jan 5 19:34:40 2000 From: tmk at netmagic.net (tmk) Date: Wed Jan 5 19:34:40 2000 Subject: [pptp-server] Where is a tcpdump or equivalent? References: <3.0.6.32.20000105171215.0092cca0@1mailbox.com> Message-ID: <002e01bf57e6$49959e60$071c0fc0@lala.net> there is a linux tcpdump but to masq a pptp connection there is a kernel module you need to load. Check that out before you go too much farther Kevin ----- Original Message ----- From: Joe Beauchamp To: Sent: Wednesday, January 05, 2000 2:12 PM Subject: [pptp-server] Where is a tcpdump or equivalent? > Progress has been very slow for me. I have slackware 2.2.14p16 currently and am trying to masquarade and VPN a Win98 PC out of the environment into a WinNT server. Things seem to be getting eaten, don't know. Since I've now spent weeks on this (and I expected it to be pretty straight forward), I've finally reached the point of wanting to look at the packets as they go by or don't go by. So, is there a linux version of tcpdump or some such so that I can see what is messed up? > > Thanks! -- Joe B. > ________________________________________________________________________ > Joe Beauchamp -- VP, New Technology -- 4anything.com -- (610) 768-1444 > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From nmeyers at javalinux.net Wed Jan 5 20:35:49 2000 From: nmeyers at javalinux.net (Nathan Meyers) Date: Wed Jan 5 20:35:49 2000 Subject: [pptp-server] Hack to force MPPE encryption from the server side References: <000401bf57b8$03e98da0$0101a8c0@highwayi.com> Message-ID: <3873FF57.6D3628D9@javalinux.net> Geoff Nordli wrote: > > I am trying your patch. It works really well, but unfortunately > kills the pptp daemon also. > > I renamed pppd as pppd.real. > > I named the script /usr/sbin/pppd. > > It really does work, but why do you think it kills the pptp daemon? > > It doesn't kill the daemon if the client has mppe enabled. Hmmm... don't know. It issues a kill only against pppd, and doesn't affect pptpd in my environment. No obvious reason comes to mind. I probably won't get much time to look at the problem, but I'll let you know if I identify it. Nathan > > thanks, > > geoff nordli > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Nathan Meyers > Sent: Tuesday, December 28, 1999 12:09 PM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] Hack to force MPPE encryption from the server > side > > When I was looking recently for a way for PoPToP to force PPTP clients > to use MPPE encryption, it appeared to be impossible - outside the > bounds of PPP to force a compression choice on the client. > > I've developed a hack that gets the job done without too much ugliness. > It's a small sentry, written in perl, that detects whan an unencrypted > PPTP connection has been established, and kills it. If anyone's > interested, here's what I did: > > 1) Hacked pptpd to run /usr/sbin/pppd.mppe_sentry instead of > /usr/sbin/pppd as the PPP daemon. > > 2) Implemented /usr/sbin/pppd.mppe_sentry in perl (see below). > > It works by sitting between pptpd and pppd, and monitoring the log > output from pppd. It looks for two things in the log output: > > - The message announcing the "remote IP" connection > > - The message announcing the use of MPPE encryption, which may occur > before or shortly after the "remote IP" message. > > If it doesn't see the MPPE message within 10 seconds of seeing the > "remote IP" message, it kills pppd. Crude, but effective. > > A possible alternate implementation would be to: > > 1) Don't hack pptpd > > 2) Rename /usr/sbin/pppd to /usr/sbin/pppd.real > > 3) Install the script as /usr/sbin/pppd, changing line 14 to run > /usr/sbin/pppd.real > > Unfortunately, this approach involves the sentry whenever pppd is used > for anything, not just PPTP connections - which won't work in my > environment. > > Perl source for the sentry is attached below. > > Nathan Meyers > nmeyers at javalinux.net > > #!/bin/sh > # This is a shell archive (produced by GNU sharutils 4.2). > # To extract the files from this archive, save it to some FILE, remove > # everything before the `!/bin/sh' line above, then type `sh FILE'. > # > # Made on 1999-12-28 12:06 PST by . > # Source directory was `/home/nathanm/VPN'. > # > # Existing files will *not* be overwritten unless `-c' is specified. > # > # This shar contains: > # length mode name > # ------ ---------- ------------------------------------------ > # 716 -rwxr-xr-x pppd.mppe_sentry > # > save_IFS="${IFS}" > IFS="${IFS}:" > gettext_dir=FAILED > locale_dir=FAILED > first_param="$1" > for dir in $PATH > do > if test "$gettext_dir" = FAILED && test -f $dir/gettext \ > && ($dir/gettext --version >/dev/null 2>&1) > then > set `$dir/gettext --version 2>&1` > if test "$3" = GNU > then > gettext_dir=$dir > fi > fi > if test "$locale_dir" = FAILED && test -f $dir/shar \ > && ($dir/shar --print-text-domain-dir >/dev/null 2>&1) > then > locale_dir=`$dir/shar --print-text-domain-dir` > fi > done > IFS="$save_IFS" > if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED > then > echo=echo > else > TEXTDOMAINDIR=$locale_dir > export TEXTDOMAINDIR > TEXTDOMAIN=sharutils > export TEXTDOMAIN > echo="$gettext_dir/gettext -s" > fi > touch -am 1231235999 $$.touch >/dev/null 2>&1 > if test ! -f 1231235999 && test -f $$.touch; then > shar_touch=touch > else > shar_touch=: > echo > $echo 'WARNING: not restoring timestamps. Consider getting and' > $echo "installing GNU \`touch', distributed in GNU File Utilities..." > echo > fi > rm -f 1231235999 $$.touch > # > if mkdir _sh14010; then > $echo 'x -' 'creating lock directory' > else > $echo 'failed to create lock directory' > exit 1 > fi > # ============= pppd.mppe_sentry ============== > if test -f 'pppd.mppe_sentry' && test "$first_param" != -c; then > $echo 'x -' SKIPPING 'pppd.mppe_sentry' '(file already exists)' > else > $echo 'x -' extracting 'pppd.mppe_sentry' '(text)' > sed 's/^X//' << 'SHAR_EOF' > 'pppd.mppe_sentry' && > #!/usr/bin/perl > X > $^F = 20; > pipe(FROMPPPD, TOSENTRY) || die "Failed to open pipe"; > X > $pid = fork; > if ($pid == -1) { die "fork() failed"; } > X > if ($pid == 0) > { > X # Child... run pppd > X close(FROMPPPD); > X open(STDOUT, '>&TOSENTRY'); > X unshift @ARGV, "/usr/sbin/pppd"; > X exec(@ARGV) || die "Failed to execute pppd"; > } > X > close(TOSENTRY); > X > $encryption = 0; > while () > { > X chomp; > X if (/MPPE/) { $encryption = 1; } > X if (/remote IP/ && !$encryption) > X { > X # We've seen the "remote IP" message but no sign of encryption. > X # Give pppd 10 seconds to report encryption or the dog dies > X $SIG{ALRM} = 'check_encrypt'; > X alarm 10; > X } > } > X > sub check_encrypt > { > X if (!$encryption) { kill SIGTERM, pid; } > } > SHAR_EOF > $shar_touch -am 1225114399 'pppd.mppe_sentry' && > chmod 0755 'pppd.mppe_sentry' || > $echo 'restore of' 'pppd.mppe_sentry' 'failed' > if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \ > && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; > then > md5sum -c << SHAR_EOF >/dev/null 2>&1 \ > || $echo 'pppd.mppe_sentry:' 'MD5 check failed' > 21d20f3cc32b233450f52c0402f59386 pppd.mppe_sentry > SHAR_EOF > else > shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'pppd.mppe_sentry'`" > test 716 -eq "$shar_count" || > $echo 'pppd.mppe_sentry:' 'original size' '716,' 'current size' > "$shar_count!" > fi > fi > rm -fr _sh14010 > exit 0 > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! From bens at SERVER.computerscheap.com Wed Jan 5 20:50:00 2000 From: bens at SERVER.computerscheap.com (Benjamin Smith) Date: Wed Jan 5 20:50:00 2000 Subject: [pptp-server] routing blues - VPN w/ssh and PPPD Message-ID: <00010518511100.04772@bug1> I've set up a VPN using ssh and PPPD, as described in the VPN howto at the LDP, and am almost successful. Here's a map of the situation: we have two IP masq networks, one server running RH 6.0, the other running 6.1. Home Office 192.168.120.* (local network) 192.168.120.1 (eth1 adapter) 63.195.17.22 (IP Address of local Linux box) 192.168.0.2 (VPN IP Address) { Internet } Office 192.168.0.1 (VPN IP address) 63.195.16.96 (IP Address of remote Linux box) 192.168.121.1 (eth1 adapter) 192.168.121.* (remote network) Local (home) routing table: Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.120.1 * 255.255.255.255 UH 0 0 0 eth1 192.168.0.2 * 255.255.255.255 UH 0 0 0 ppp0 63.195.17.22 * 255.255.255.255 UH 0 0 0 eth0 192.168.197.0 * 255.255.255.0 U 0 0 0 vmnet1 192.168.120.0 * 255.255.255.0 U 0 0 0 eth1 192.168.121.0 192.168.0.1 255.255.255.0 UG 0 0 0 ppp0 127.0.0.0 * 255.0.0.0 U 0 0 0 lo 63.0.0.0 * 255.0.0.0 U 0 0 0 eth0 default adsl-63-195-17- 0.0.0.0 UG 0 0 0 eth0 Remote (office) routing table: Destination Gateway Genmask Flags Metric Ref Use Iface 63.195.16.96 * 255.255.255.255 UH 0 0 0 eth0 192.168.0.1 * 255.255.255.255 UH 0 0 0 ppp0 192.168.121.1 * 255.255.255.255 UH 0 0 0 eth1 63.195.16.0 * 255.255.255.0 U 0 0 0 eth0 192.168.120.0 192.168.0.2 255.255.255.0 UG 0 0 0 ppp0 192.168.121.0 * 255.255.255.0 U 0 0 0 eth1 127.0.0.0 * 255.0.0.0 U 0 0 0 lo default 63.195.16.254 0.0.0.0 UG 0 0 0 eth0 I can ping from any workstation on either LAN to the remote Linux server, but I can't ping from workstation to remote workstation. All workstations are using the local Linux box as the default gateway. The office computer has DNS, and it's the DNS server for home and office. from 192.168.120.11 (local workstation) ping 192.168.120.1 - works (the local linux box) ping 192.168.121.1 - works. (the remote linux box) ping 192.168.121.3 - doesn't work. ( a remote Windows workstation) --- from 192.168.121.1 (the remote linux box) ping 192.168.121.3 - works ( remote Windows workstation) ping 192.168.120.1 - works (the local linux box) ping 192.168.120.11 - doesn't work. (a local workstation) All workstations on either side use the local Linux box as default route. (192.168.121.2, running Windoze, uses 192.168.121.1 as the default route, and 192.168.120.11 uses 192.168.120.1 as the default route) I can't for the life of me figure this out! Why isn't this WORKING? And, I admit it, this is not a PPTP issue, but I asked about PPTP vs ssh + PPPD on this list a while back, and was informed that when you have a Linux box as a server on both sides, that this way was more efficient. Since some of you had used this method, I thought I'd try here. Thanks, Ben From bens at saber.net Wed Jan 5 21:16:30 2000 From: bens at saber.net (Benjamin Smith) Date: Wed Jan 5 21:16:30 2000 Subject: [pptp-server] routing blues - VPN w/ssh and PPPD Message-ID: <00010519164502.04772@bug1> I've set up a VPN using ssh and PPPD, as described in the VPN howto at the LDP, and am almost successful. Here's a map of the situation: we have two IP masq networks, one server running RH 6.0, the other running 6.1. Home Office 192.168.120.* (local network) 192.168.120.1 (eth1 adapter) 63.195.17.22 (IP Address of local Linux box) 192.168.0.2 (VPN IP Address) { Internet } Office 192.168.0.1 (VPN IP address) 63.195.16.96 (IP Address of remote Linux box) 192.168.121.1 (eth1 adapter) 192.168.121.* (remote network) Local (home) routing table: Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.120.1 * 255.255.255.255 UH 0 0 0 eth1 192.168.0.2 * 255.255.255.255 UH 0 0 0 ppp0 63.195.17.22 * 255.255.255.255 UH 0 0 0 eth0 192.168.197.0 * 255.255.255.0 U 0 0 0 vmnet1 192.168.120.0 * 255.255.255.0 U 0 0 0 eth1 192.168.121.0 192.168.0.1 255.255.255.0 UG 0 0 0 ppp0 127.0.0.0 * 255.0.0.0 U 0 0 0 lo 63.0.0.0 * 255.0.0.0 U 0 0 0 eth0 default adsl-63-195-17- 0.0.0.0 UG 0 0 0 eth0 Remote (office) routing table: Destination Gateway Genmask Flags Metric Ref Use Iface 63.195.16.96 * 255.255.255.255 UH 0 0 0 eth0 192.168.0.1 * 255.255.255.255 UH 0 0 0 ppp0 192.168.121.1 * 255.255.255.255 UH 0 0 0 eth1 63.195.16.0 * 255.255.255.0 U 0 0 0 eth0 192.168.120.0 192.168.0.2 255.255.255.0 UG 0 0 0 ppp0 192.168.121.0 * 255.255.255.0 U 0 0 0 eth1 127.0.0.0 * 255.0.0.0 U 0 0 0 lo default 63.195.16.254 0.0.0.0 UG 0 0 0 eth0 I can ping from any workstation on either LAN to the remote Linux server, but I can't ping from workstation to remote workstation. All workstations are using the local Linux box as the default gateway. The office computer has DNS, and it's the DNS server for home and office. from 192.168.120.11 (local workstation) ping 192.168.120.1 - works (the local linux box) ping 192.168.121.1 - works. (the remote linux box) ping 192.168.121.3 - doesn't work. ( a remote Windows workstation) --- from 192.168.121.1 (the remote linux box) ping 192.168.121.3 - works ( remote Windows workstation) ping 192.168.120.1 - works (the local linux box) ping 192.168.120.11 - doesn't work. (a local workstation) All workstations on either side use the local Linux box as default route. (192.168.121.2, running Windoze, uses 192.168.121.1 as the default route, and 192.168.120.11 uses 192.168.120.1 as the default route) I can't for the life of me figure this out! Why isn't this WORKING? And, I admit it, this is not a PPTP issue, but I asked about PPTP vs ssh + PPPD on this list a while back, and was informed that when you have a Linux box as a server on both sides, that this way was more efficient. Since some of you had used this method, I thought I'd try here. Thanks, Ben From nicolas.lienard at internet-telecom.net Thu Jan 6 02:14:55 2000 From: nicolas.lienard at internet-telecom.net (LIENARD Nicolas) Date: Thu Jan 6 02:14:55 2000 Subject: [pptp-server] Hack to force MPPE encryption from the server side References: <000401bf57b8$03e98da0$0101a8c0@highwayi.com> Message-ID: <007201bf581e$4e9df0a0$100a0007@jayce> Hello i've a problem, i'am with Linux (Mips processor), i configure PPTP... and ip masquerading (network of 40 w98/NT computers) what does that mean : Jan 6 10:04:58 cache pppd[13375]: pppd 2.3.5 started by root, uid 0 Jan 6 10:04:58 cache pppd[13375]: Using interface ppp0 Jan 6 10:04:58 cache pppd[13375]: Connect: ppp0 <--> /dev/ttya0 Jan 6 10:05:28 cache pppd[13375]: LCP: timeout sending Config-Requests Jan 6 10:05:28 cache pppd[13375]: Connection terminated. Jan 6 10:05:29 cache pppd[13375]: Exit. Jan 6 10:05:41 cache (unknown)[12941]: log[pptp_conn_close:pptp_ctrl.c:275]: Closing PPTP connection If i do another "killall pptp" , i 've this message : Jan 6 10:05:49 cache (unknown)[13408]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:533]: Client connection established. Jan 6 10:05:50 cache (unknown)[13408]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:639]: Outgoing call established. But no PPP0 interface in ifconfig. It said "Time Out"... i don't know why... Yesterday, everything work good... Please HELP Thanx Nicolas Nicolas LIENARD Internet Telecom T/01.55.80.17.26 - F/01.55.80.17.18 19/21, rue Poissonni?re - 75002 PARIS nicolas.lienard at internet-telecom.net ----- Original Message ----- From: Geoff Nordli To: 'Nathan Meyers' ; Sent: Wednesday, January 05, 2000 9:04 PM Subject: RE: [pptp-server] Hack to force MPPE encryption from the server side > I am trying your patch. It works really well, but unfortunately > kills the pptp daemon also. > > I renamed pppd as pppd.real. > > I named the script /usr/sbin/pppd. > > It really does work, but why do you think it kills the pptp daemon? > > It doesn't kill the daemon if the client has mppe enabled. > > thanks, > > geoff nordli > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Nathan Meyers > Sent: Tuesday, December 28, 1999 12:09 PM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] Hack to force MPPE encryption from the server > side > > > When I was looking recently for a way for PoPToP to force PPTP clients > to use MPPE encryption, it appeared to be impossible - outside the > bounds of PPP to force a compression choice on the client. > > I've developed a hack that gets the job done without too much ugliness. > It's a small sentry, written in perl, that detects whan an unencrypted > PPTP connection has been established, and kills it. If anyone's > interested, here's what I did: > > 1) Hacked pptpd to run /usr/sbin/pppd.mppe_sentry instead of > /usr/sbin/pppd as the PPP daemon. > > 2) Implemented /usr/sbin/pppd.mppe_sentry in perl (see below). > > It works by sitting between pptpd and pppd, and monitoring the log > output from pppd. It looks for two things in the log output: > > - The message announcing the "remote IP" connection > > - The message announcing the use of MPPE encryption, which may occur > before or shortly after the "remote IP" message. > > If it doesn't see the MPPE message within 10 seconds of seeing the > "remote IP" message, it kills pppd. Crude, but effective. > > > > A possible alternate implementation would be to: > > 1) Don't hack pptpd > > 2) Rename /usr/sbin/pppd to /usr/sbin/pppd.real > > 3) Install the script as /usr/sbin/pppd, changing line 14 to run > /usr/sbin/pppd.real > > Unfortunately, this approach involves the sentry whenever pppd is used > for anything, not just PPTP connections - which won't work in my > environment. > > > Perl source for the sentry is attached below. > > > Nathan Meyers > nmeyers at javalinux.net > > > > #!/bin/sh > # This is a shell archive (produced by GNU sharutils 4.2). > # To extract the files from this archive, save it to some FILE, remove > # everything before the `!/bin/sh' line above, then type `sh FILE'. > # > # Made on 1999-12-28 12:06 PST by . > # Source directory was `/home/nathanm/VPN'. > # > # Existing files will *not* be overwritten unless `-c' is specified. > # > # This shar contains: > # length mode name > # ------ ---------- ------------------------------------------ > # 716 -rwxr-xr-x pppd.mppe_sentry > # > save_IFS="${IFS}" > IFS="${IFS}:" > gettext_dir=FAILED > locale_dir=FAILED > first_param="$1" > for dir in $PATH > do > if test "$gettext_dir" = FAILED && test -f $dir/gettext \ > && ($dir/gettext --version >/dev/null 2>&1) > then > set `$dir/gettext --version 2>&1` > if test "$3" = GNU > then > gettext_dir=$dir > fi > fi > if test "$locale_dir" = FAILED && test -f $dir/shar \ > && ($dir/shar --print-text-domain-dir >/dev/null 2>&1) > then > locale_dir=`$dir/shar --print-text-domain-dir` > fi > done > IFS="$save_IFS" > if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED > then > echo=echo > else > TEXTDOMAINDIR=$locale_dir > export TEXTDOMAINDIR > TEXTDOMAIN=sharutils > export TEXTDOMAIN > echo="$gettext_dir/gettext -s" > fi > touch -am 1231235999 $$.touch >/dev/null 2>&1 > if test ! -f 1231235999 && test -f $$.touch; then > shar_touch=touch > else > shar_touch=: > echo > $echo 'WARNING: not restoring timestamps. Consider getting and' > $echo "installing GNU \`touch', distributed in GNU File Utilities..." > echo > fi > rm -f 1231235999 $$.touch > # > if mkdir _sh14010; then > $echo 'x -' 'creating lock directory' > else > $echo 'failed to create lock directory' > exit 1 > fi > # ============= pppd.mppe_sentry ============== > if test -f 'pppd.mppe_sentry' && test "$first_param" != -c; then > $echo 'x -' SKIPPING 'pppd.mppe_sentry' '(file already exists)' > else > $echo 'x -' extracting 'pppd.mppe_sentry' '(text)' > sed 's/^X//' << 'SHAR_EOF' > 'pppd.mppe_sentry' && > #!/usr/bin/perl > X > $^F = 20; > pipe(FROMPPPD, TOSENTRY) || die "Failed to open pipe"; > X > $pid = fork; > if ($pid == -1) { die "fork() failed"; } > X > if ($pid == 0) > { > X # Child... run pppd > X close(FROMPPPD); > X open(STDOUT, '>&TOSENTRY'); > X unshift @ARGV, "/usr/sbin/pppd"; > X exec(@ARGV) || die "Failed to execute pppd"; > } > X > close(TOSENTRY); > X > $encryption = 0; > while () > { > X chomp; > X if (/MPPE/) { $encryption = 1; } > X if (/remote IP/ && !$encryption) > X { > X # We've seen the "remote IP" message but no sign of encryption. > X # Give pppd 10 seconds to report encryption or the dog dies > X $SIG{ALRM} = 'check_encrypt'; > X alarm 10; > X } > } > X > sub check_encrypt > { > X if (!$encryption) { kill SIGTERM, pid; } > } > SHAR_EOF > $shar_touch -am 1225114399 'pppd.mppe_sentry' && > chmod 0755 'pppd.mppe_sentry' || > $echo 'restore of' 'pppd.mppe_sentry' 'failed' > if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \ > && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; > then > md5sum -c << SHAR_EOF >/dev/null 2>&1 \ > || $echo 'pppd.mppe_sentry:' 'MD5 check failed' > 21d20f3cc32b233450f52c0402f59386 pppd.mppe_sentry > SHAR_EOF > else > shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'pppd.mppe_sentry'`" > test 716 -eq "$shar_count" || > $echo 'pppd.mppe_sentry:' 'original size' '716,' 'current size' > "$shar_count!" > fi > fi > rm -fr _sh14010 > exit 0 > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! From nicolas.lienard at internet-telecom.net Thu Jan 6 05:18:56 2000 From: nicolas.lienard at internet-telecom.net (LIENARD Nicolas) Date: Thu Jan 6 05:18:56 2000 Subject: [pptp-server] ipchains not forwarding to pptpd server References: Message-ID: <019301bf5838$00e9d300$100a0007@jayce> Hello Why do u use this rules with ipchains ? I only put this (with ipfwadm): /sbin/ipfwadm -F -a m -S 7.0.10.0/255.255.255.0 -D 0.0.0.0/0 and it works good. [root scripts]# ./etat-firewall IP firewall forward rules, default policy: deny pkts bytes type prot opt tosa tosx ifname ifaddress source destination ports 0 0 acc/m all ---- 0xFF 0x00 any any 7.0.10.0/24 anywhere n/a 0 0 acc tcp b--- 0xFF 0x00 any any anywhere cache.internet-telecom.net 1024:65535 -> smtp 0 0 acc tcp b--- 0xFF 0x00 any any cache.internet-telecom.net anywhere smtp -> 1024:65535 0 0 acc tcp b--- 0xFF 0x00 any any anywhere cache.internet-telecom.net 1024:65535 -> http 0 0 acc tcp b--- 0xFF 0x00 any any 7.0.10.0 anywhere http -> 1024:65535 0 0 acc udp b--- 0xFF 0x00 any any anywhere 7.0.10.0/24 domain -> any why do u need a VPN ? i don't understand... is it better than ip masquerading ? Thanx . Nicolas. Nicolas LIENARD Internet Telecom T/01.55.80.17.26 - F/01.55.80.17.18 19/21, rue Poissonni?re - 75002 PARIS nicolas.lienard at internet-telecom.net ----- Original Message ----- From: Terrelle Shaw To: pptpd Sent: Tuesday, January 04, 2000 4:30 AM Subject: [pptp-server] ipchains not forwarding to pptpd server > Hello all.. > > I think I might have an ipchains issue. Wondering of anything jumps out any > anyone while looking at my ipchains rules. It's supposed to be forwarding > 1723 and 47 stuff to the vpn-pptpd server.. but looking at the logs on the > firewall and pptpd-server.. its just getting to the firewall and stopping.. > > Any help is appreciated. > > Chain input (policy ACCEPT): > target prot opt source destination ports > REJECT icmp ------ anywhere external_ip > echo-request > ACCEPT tcp ------ anywhere anywhere any -> > 1723 > ACCEPT tcp !y---- anywhere external_ip 1723 -> > any > Chain forward (policy ACCEPT): > target prot opt source destination ports > ACCEPT tcp ------ anywhere vpn_server_ip any -> > 1723 > ACCEPT tcp ------ vpn_server_ip anywhere 1723 -> > any > ACCEPT 47 ------ anywhere vpn_server_ip n/a > ACCEPT 47 ------ vpn_server_ip anywhere n/a > ACCEPT all ------ 10.0.0.0/24 external_real_ip/28 n/a > MASQ all ------ 10.0.0.0/24 anywhere n/a > MASQ 47 ------ anywhere anywhere n/a > MASQ tcp ------ 10.0.0.0 anywhere any -> > 1723 > Chain output (policy ACCEPT): > target prot opt source destination ports > ACCEPT tcp !y---- anywhere 10.0.0.0 1723 -> > any > ACCEPT tcp ------ 10.0.0.0 anywhere any -> > any > > > Terrelle Shaw > HealthCentralRx.com > System Administrator > hshaw at healthcentralrx.com > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! From neale at lowendale.com.au Thu Jan 6 05:27:09 2000 From: neale at lowendale.com.au (Neale Banks) Date: Thu Jan 6 05:27:09 2000 Subject: [pptp-server] "Peer refused to authenticate" error In-Reply-To: <3.0.6.32.20000105161234.009b6330@guardian.hartwellcorp.com> Message-ID: On Wed, 5 Jan 2000, Michael St. Laurent wrote: > I have a Linux box running PoPToP and sucessfully serving windoze clients > with MS-Chap-v2 and MPPE. I have a second Linux box on which I am trying > to get the PPTP client software working. I keep getting a "peer refused to > authenticate: terminating link" error message. Attached is the debug > output. Any idea what I'm doing wrong? Sounds like you might not have "noauth" in the PPP options for your _outgoing_ PPP. Without the "noauth" the PPP will try to authenticate the other side (regardless of who called who). If the called side is not set up to authenticate itself back to the calling side then this eror will result. REALLY IMPORTANT: do NOT put "noauth" in PPP options for incoming calls (e.g. the PPP options associated with PoPToP - you really don't want to accept incoming PPTP sessions without authenticating them, do you?). HTH, Neale. From neale at lowendale.com.au Thu Jan 6 05:57:06 2000 From: neale at lowendale.com.au (Neale Banks) Date: Thu Jan 6 05:57:06 2000 Subject: [pptp-server] OK, fixed first prob. now another In-Reply-To: <3.0.6.32.20000105170009.009bb100@guardian.hartwellcorp.com> Message-ID: On Wed, 5 Jan 2000, Michael St. Laurent wrote: > I think I fixed the peer refused authentication problem. I needed entries > *for* both machines *on* both machines in the chap-secrets files. Now that > I've got that the systems seem to keep sending challenges and responses > back and forth but never go any further. Log file attached. Your ppp options wouldn't include "chap-interval 3" by any chance? Snippet from my default ppp options: ---------------------------------8<--------------------------------- # If this option is given, pppd will rechallenge the peer every # seconds. #chap-interval ---------------------------------8<--------------------------------- Also, in addition to my previous comments re "noauth" here's what the default options file has to say: ---------------------------------8<--------------------------------- # Require the peer to authenticate itself before allowing network # packets to be sent or received. # Please do not disable this setting. It is expected to be standard in # future releases of pppd. Use the call option (see manpage) to disable # authentication for specific peers. auth ---------------------------------8<--------------------------------- The above snippets are from ppp-2.3.8, obviously YMMV with other versions. HTH, Neale. From Gareth_Marlow at scientia.com Thu Jan 6 11:43:20 2000 From: Gareth_Marlow at scientia.com (Gareth Marlow) Date: Thu Jan 6 11:43:20 2000 Subject: [pptp-server] Choice of passwords In-Reply-To: <199911291225.GAA28489@snaildust.schulte.org>; from pptp-server-admin@lists.schulte.org on Mon, Nov 29, 1999 at 06:25:02AM -0600 References: <199911291225.GAA28489@snaildust.schulte.org> Message-ID: <20000106174202.N6087@harris.scientia.com> Season's Greetings. I have a question about choosing passwords. I have successfully set up PoPToP and am able to happily get connections going from a dial-up account to the server, so I'm at the next stage of bringing this in as a production system. My /etc/ppp/chap-secrets file currently contains lines like: workgroup\\jim * Jones ipa.ddr.ess1 workgroup\\john * Smith ipa.ddr.ess2 to give different users different IP addresses (we want to give different people different levels of access. The passwords in this case are therefore Jones and Smith respectively. I understand that the MPPE keys are derived from the password and that therefore the passwords should be very high entropy, especially if 128 bit encryption is being used. So my question is, how are you generating strong passwords to use here? How long do they have to be? We currently take an MD5 hash of a large log file and take 16 character chunks to use as our APOP shared secrets with Eudora/Qpopper - is there something equivalent that can be done here? Also, one of the PPP options mentions that the passwords in /etc/ppp/chap-secrets can themselves be encrypted to prevent someone who gains root from getting them. How does this work? Sorry for the long question... Cheers, Gareth -- Gareth Marlow, Systems Administrator Scientia Ltd. ______________________________________________________________________ They've got lumps of it round the back From tom.jones at oceanfree.net Thu Jan 6 13:35:04 2000 From: tom.jones at oceanfree.net (T Jones) Date: Thu Jan 6 13:35:04 2000 Subject: [pptp-server] MSCHAP-V2 to a linux-client Message-ID: <20000106193458.11034.cpmta@c006.sfo.cp.net> An embedded and charset-unspecified text was scrubbed... Name: not available URL: From shaeff at mediaone.net Thu Jan 6 21:39:54 2000 From: shaeff at mediaone.net (Noel Schaefer) Date: Thu Jan 6 21:39:54 2000 Subject: [pptp-server] Remote not connecting ! Message-ID: <38752600.2E8F13E6@mediaone.net> I have had the hardiest time getting my remote clients to connect ! My local clients have no trouble connection it is kinda strange that i am having this difficulty. Do i need "NAT" software to get remote clients to connect. Or just some thing simple like adding new rules to "ipchains" ?! Thank you for your time ! shaeff at mediaone.net -------------- next part -------------- this is what i see in my message log when a remote client connects to my server ! Dec 31 21:12:18 killer pptpd[308]: CTRL: Client 24.129.92.64 control connection started Dec 31 21:12:18 killer pptpd[308]: CTRL: Starting call (launching pppd, opening GRE) Dec 31 21:12:18 killer pppd[309]: pppd 2.3.10 started by root, uid 0 Dec 31 21:12:18 killer pppd[309]: Using interface ppp0 Dec 31 21:12:18 killer pppd[309]: Connect: ppp0 <--> /dev/pts/1 Dec 31 21:12:48 killer pppd[309]: Connection terminated. Dec 31 21:12:48 killer pppd[309]: Exit. Dec 31 21:12:48 killer pptpd[308]: CTRL: Client 24.129.92.64 control connection finished but this line comes up when i connect Via the local network " Dec 31 21:22:06 killer kernel: registered device ppp0 " and it all ways comes up be for " Dec 31 21:12:18 killer pppd[309]: pppd 2.3.10 started by root, uid 0 " But here is what happens when i connect to the server ( local ) ! Dec 31 21:36:47 killer pptpd[174]: CTRL: Client 192.168.0.2 control connection s tarted Dec 31 21:36:47 killer pptpd[174]: CTRL: Starting call (launching pppd, opening GRE) Dec 31 21:36:47 killer kernel: registered device ppp0 " does not apper for my remote clients ! " Dec 31 21:36:47 killer pppd[175]: pppd 2.3.10 started by root, uid 0 Dec 31 21:36:47 killer pppd[175]: Using interface ppp0 Dec 31 21:36:47 killer pppd[175]: Connect: ppp0 <--> /dev/pts/1 Dec 31 21:36:47 killer pppd[175]: CHAP peer authentication succeeded for killjoy Dec 31 21:36:47 killer pppd[175]: found interface eth1 for proxy arp Dec 31 21:36:47 killer pppd[175]: local IP address 192.168.0.5 Dec 31 21:36:47 killer pppd[175]: remote IP address 192.168.0.6 From john at artxinc.com Thu Jan 6 21:59:04 2000 From: john at artxinc.com (John Nitis) Date: Thu Jan 6 21:59:04 2000 Subject: [pptp-server] delay in accessing an nt domain Message-ID: <02490A11759BD111B4DA00600811BD277FE330@ns1.artxinc.com> Hello, I'm having problems doing anything that uses netbios over tcp/ip via my pptp connection. The client is a Windows NT WS 4.0 box with SP6a, and the server is Mandrake Linux 5.0 with poptop, pptpd, and pppd. I can login to PPTP just fine, but the problems begin when I try to browse the network. I can eventually browse the network (I have WINS servers setup) but it's *very* slow to come up. When I click on network neighborhood it just pauses for about a minute, and then it pops up with all of the computers on the network. All standard TCP/IP communications are fine (such as telnet) - it's just netbios that's goofed up. As far as I can tell, this is a name resolution problem. I have both DNS and WINS configured correctly - what could be causing the long delay in accessing netbios/smb/netbeui resources via my PPTP connection? Thank you, John Nitis john at artxinc.com From hshaw at epills.com Thu Jan 6 22:10:41 2000 From: hshaw at epills.com (Terrelle Shaw) Date: Thu Jan 6 22:10:41 2000 Subject: [pptp-server] delay in accessing an nt domain In-Reply-To: <02490A11759BD111B4DA00600811BD277FE330@ns1.artxinc.com> Message-ID: I have the same problem.. but I'm not concerned so much due to the fact that most people who would be access my vpn are on dialup.. and who wants to wait to see machines via dialup? -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Nitis Sent: Thursday, January 06, 2000 7:58 PM To: 'pptp-server at lists.schulte.org' Subject: [pptp-server] delay in accessing an nt domain Hello, I'm having problems doing anything that uses netbios over tcp/ip via my pptp connection. The client is a Windows NT WS 4.0 box with SP6a, and the server is Mandrake Linux 5.0 with poptop, pptpd, and pppd. I can login to PPTP just fine, but the problems begin when I try to browse the network. I can eventually browse the network (I have WINS servers setup) but it's *very* slow to come up. When I click on network neighborhood it just pauses for about a minute, and then it pops up with all of the computers on the network. All standard TCP/IP communications are fine (such as telnet) - it's just netbios that's goofed up. As far as I can tell, this is a name resolution problem. I have both DNS and WINS configured correctly - what could be causing the long delay in accessing netbios/smb/netbeui resources via my PPTP connection? Thank you, John Nitis john at artxinc.com _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From geoff at gnaa.net Thu Jan 6 22:16:07 2000 From: geoff at gnaa.net (Geoff Nordli) Date: Thu Jan 6 22:16:07 2000 Subject: [pptp-server] delay in accessing an nt domain In-Reply-To: <02490A11759BD111B4DA00600811BD277FE330@ns1.artxinc.com> Message-ID: <009f01bf58c6$177fe5d0$0101a8c0@highwayi.com> You have wins servers setup, but are you using them in your ppp options file? -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Nitis Sent: Thursday, January 06, 2000 7:58 PM To: 'pptp-server at lists.schulte.org' Subject: [pptp-server] delay in accessing an nt domain Hello, I'm having problems doing anything that uses netbios over tcp/ip via my pptp connection. The client is a Windows NT WS 4.0 box with SP6a, and the server is Mandrake Linux 5.0 with poptop, pptpd, and pppd. I can login to PPTP just fine, but the problems begin when I try to browse the network. I can eventually browse the network (I have WINS servers setup) but it's *very* slow to come up. When I click on network neighborhood it just pauses for about a minute, and then it pops up with all of the computers on the network. All standard TCP/IP communications are fine (such as telnet) - it's just netbios that's goofed up. As far as I can tell, this is a name resolution problem. I have both DNS and WINS configured correctly - what could be causing the long delay in accessing netbios/smb/netbeui resources via my PPTP connection? Thank you, John Nitis john at artxinc.com _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From tmk at netmagic.net Thu Jan 6 22:30:30 2000 From: tmk at netmagic.net (tmk) Date: Thu Jan 6 22:30:30 2000 Subject: [pptp-server] delay in accessing an nt domain References: <02490A11759BD111B4DA00600811BD277FE330@ns1.artxinc.com> Message-ID: <001801bf58c7$db6aa9c0$071c0fc0@lala.net> how large is your network? if the modem is a little on the slow side, or teh link is unreliable then the actual transfer of the names of the computers on your network could take quite a while.. i dont know that wins is 'slow-link' friendly Kevin ----- Original Message ----- From: John Nitis To: Sent: Thursday, January 06, 2000 7:58 PM Subject: [pptp-server] delay in accessing an nt domain > Hello, > > I'm having problems doing anything that uses netbios over tcp/ip via my pptp > connection. The client is a Windows NT WS 4.0 box with SP6a, and the server > is Mandrake Linux 5.0 with poptop, pptpd, and pppd. I can login to PPTP > just fine, but the problems begin when I try to browse the network. I can > eventually browse the network (I have WINS servers setup) but it's *very* > slow to come up. When I click on network neighborhood it just pauses for > about a minute, and then it pops up with all of the computers on the > network. All standard TCP/IP communications are fine (such as telnet) - > it's just netbios that's goofed up. > > As far as I can tell, this is a name resolution problem. I have both DNS > and WINS configured correctly - what could be causing the long delay in > accessing netbios/smb/netbeui resources via my PPTP connection? > > Thank you, > > John Nitis > john at artxinc.com > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From nico at sonycom.com Fri Jan 7 02:22:52 2000 From: nico at sonycom.com (Nico De Ranter) Date: Fri Jan 7 02:22:52 2000 Subject: [pptp-server] delay in accessing an nt domain In-Reply-To: <009f01bf58c6$177fe5d0$0101a8c0@highwayi.com> Message-ID: On Thu, 6 Jan 2000, Geoff Nordli wrote: > You have wins servers setup, but are you using them in your ppp options > file? What that be on the server side (Linux) or on the client side (NT)? I have exactly the same problem, even worse: when I'm browsing my homedir from the samba-server it takes ages to show something. I'm using a 64kbit ISDN line which is very reliable and fast for everything else I do... except the "Microsoft Network". Nico > > > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Nitis > Sent: Thursday, January 06, 2000 7:58 PM > To: 'pptp-server at lists.schulte.org' > Subject: [pptp-server] delay in accessing an nt domain > > > Hello, > > I'm having problems doing anything that uses netbios over tcp/ip via my pptp > connection. The client is a Windows NT WS 4.0 box with SP6a, and the server > is Mandrake Linux 5.0 with poptop, pptpd, and pppd. I can login to PPTP > just fine, but the problems begin when I try to browse the network. I can > eventually browse the network (I have WINS servers setup) but it's *very* > slow to come up. When I click on network neighborhood it just pauses for > about a minute, and then it pops up with all of the computers on the > network. All standard TCP/IP communications are fine (such as telnet) - > it's just netbios that's goofed up. > > As far as I can tell, this is a name resolution problem. I have both DNS > and WINS configured correctly - what could be causing the long delay in > accessing netbios/smb/netbeui resources via my PPTP connection? > > Thank you, > > John Nitis > john at artxinc.com > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > -------------------------------------------------------- "It has been said that there are only two businesses refer to customers as users: illegal drug trade and the computer industry." -------------------------------------------------------- Nico De Ranter Sony Service Center (SUPC-E/DME-B) Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne) 1130 Brussel (Bruxelles), Belgium, Europe, Earth Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86 e-mail: nico.deranter at sonycom.com From john at artxinc.com Fri Jan 7 03:33:07 2000 From: john at artxinc.com (John Nitis) Date: Fri Jan 7 03:33:07 2000 Subject: [pptp-server] delay in accessing an nt domain Message-ID: <02490A11759BD111B4DA00600811BD277FE331@ns1.artxinc.com> I have WINS servers setup, and they are configured in the ppp options file. How would I debug this? Should I setup pptp to dump all of the packets? It seems like there's some sort of name resolution error. Perhaps broadcasts that need to get through the PPTP connection aren't getting through? -----Original Message----- From: Nico De Ranter [mailto:nico at sonycom.com] Sent: Friday, January 07, 2000 12:22 AM To: Geoff Nordli Cc: 'John Nitis'; pptp-server at lists.schulte.org Subject: RE: [pptp-server] delay in accessing an nt domain On Thu, 6 Jan 2000, Geoff Nordli wrote: > You have wins servers setup, but are you using them in your ppp options > file? What that be on the server side (Linux) or on the client side (NT)? I have exactly the same problem, even worse: when I'm browsing my homedir from the samba-server it takes ages to show something. I'm using a 64kbit ISDN line which is very reliable and fast for everything else I do... except the "Microsoft Network". Nico > > > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Nitis > Sent: Thursday, January 06, 2000 7:58 PM > To: 'pptp-server at lists.schulte.org' > Subject: [pptp-server] delay in accessing an nt domain > > > Hello, > > I'm having problems doing anything that uses netbios over tcp/ip via my pptp > connection. The client is a Windows NT WS 4.0 box with SP6a, and the server > is Mandrake Linux 5.0 with poptop, pptpd, and pppd. I can login to PPTP > just fine, but the problems begin when I try to browse the network. I can > eventually browse the network (I have WINS servers setup) but it's *very* > slow to come up. When I click on network neighborhood it just pauses for > about a minute, and then it pops up with all of the computers on the > network. All standard TCP/IP communications are fine (such as telnet) - > it's just netbios that's goofed up. > > As far as I can tell, this is a name resolution problem. I have both DNS > and WINS configured correctly - what could be causing the long delay in > accessing netbios/smb/netbeui resources via my PPTP connection? > > Thank you, > > John Nitis > john at artxinc.com > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > -------------------------------------------------------- "It has been said that there are only two businesses refer to customers as users: illegal drug trade and the computer industry." -------------------------------------------------------- Nico De Ranter Sony Service Center (SUPC-E/DME-B) Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne) 1130 Brussel (Bruxelles), Belgium, Europe, Earth Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86 e-mail: nico.deranter at sonycom.com From shanselman at brendata.co.uk Fri Jan 7 06:24:17 2000 From: shanselman at brendata.co.uk (Steve Hanselman) Date: Fri Jan 7 06:24:17 2000 Subject: [pptp-server] Attempting to find rc4_skey.c Message-ID: Hi, I'm running Linux 2.2.14 I've followed the instructions and patched 2.3.11 of PPP for MPPE. But I am missing the file rc4_skey.c I've searched my entire source tree and it's not there, searching altavista and dejanews finds entries for libssl for openbsd. Any ideas? Thanks Steve The information contained in this email is intended for the personal and confidential use of the addressee only. It may also be privileged information. If you are not the intended recipient then you are hereby notified that you have received this document in error and that any review, distribution or copying of this document is strictly prohibited. If you have received this communication in error, please notify Brendata immediately on: +44 (0)1268 466100, or email 'technical at brendata.co.uk' Brendata (UK) Ltd Astra House, Christy Way, Southfields Business Park, Laindon, Essex SS15 6TQ. UK Registered Office as above. Registered in England No. 2764339 This mail was processed by Mail essentials for Exchange/SMTP, the email security & management gateway. Mail essentials adds content checking, email encryption, anti spam, anti virus, attachment compression, personalised auto responders, archiving and more to your Microsoft Exchange Server or SMTP mail server. For more information visit http://www.mailessentials.com From yan at cardinalengineering.com Fri Jan 7 07:01:07 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Fri Jan 7 07:01:07 2000 Subject: [pptp-server] recompiling pppd for pptp support breaks logging? Message-ID: <3875E4B6.74F84F9C@cardinalengineering.com> I am playing with my firewall, and just recently recompiled pppd to include pptp support and since then, my firewall has apparently stopped logging packets coming in on that interface.... Has anyone else experienced this? The packets are still being blocked, but there is no record in the log files. Just ppp0 (the outgoing connection) does not log anything. Packets are being counted - but the DENY count is always 0, even when I try to RH 6.0, latest (fixed) syslogd, ipchains 1.3.9, pppd 2.3.10 recompiled with the pptp patches. --Yan -- Think different ride a recumbent use Linux. From GregoryC at stcinc.com Fri Jan 7 09:39:00 2000 From: GregoryC at stcinc.com (Gregory Carvalho) Date: Fri Jan 7 09:39:00 2000 Subject: [pptp-server] Configuration Validation Request Message-ID: <38760ACA.AD7C041@stcinc.com> I have a scenario which requires IPSec, but the packets must transgress a Microsoft Windows NT 4.0 Server running PPTP. I would like to use the Kame IPSec package on FreeBSD 3.3R as in the diagram below. I envision the sequence being Farside's PoPToP establishing a connection with OutOfMyHands's PPTP, then IPSec riding that tunnel and cruising right past OutOfMyHands to ServerSide's IPSec. Please comment on the validity of this configuration. ------------------- /\ ------------------- | FreeBSD 3.3R | / \ | WinNT4S | | Name: FarSide | / \ | Name: OutOfMyHands| | IPSec (Kame) | \Inet/ | MS Proxy | | PoPToP |____\__/____| PPTP |__ ------------------- \/ ------------------- | | | ------------------- | | FreeBSD 3.3R | | | Name: ServerSide | | | | | | IPSec |__| ------------------- -- Cordially, Gregory Carvalho GregoryC at stcinc.com Simplified Technology Company http://www.stcinc.com In God I Trust! From pf at sxb.bsf.alcatel.fr Fri Jan 7 09:42:56 2000 From: pf at sxb.bsf.alcatel.fr (Pascal Fremaux) Date: Fri Jan 7 09:42:56 2000 Subject: [pptp-server] Attempting to find rc4_skey.c References: Message-ID: <3876097F.5E72952A@sxb.bsf.alcatel.fr> It depends on which version of openssl you used. If you take the rc4 implementation from the 6.6.?b, there is no rc4_skey.c (the code is includeed in the others files) Just comment the include line If you take the rc4 from 9.x.x, there is a rc4_skey.c file. Steve Hanselman wrote: > Hi, > I'm running Linux 2.2.14 > > I've followed the instructions and patched 2.3.11 of PPP for MPPE. > > But I am missing the file rc4_skey.c > > I've searched my entire source tree and it's not there, searching altavista > and dejanews finds entries for libssl for openbsd. > > Any ideas? > > Thanks > > Steve > -- Pascal Fremaux, SSII Alten Study Engineer at Alcatel Telecom R&D, Illkirch, France From ewampner at cayenta.com Fri Jan 7 10:03:13 2000 From: ewampner at cayenta.com (Eric Wampner) Date: Fri Jan 7 10:03:13 2000 Subject: [pptp-server] pptp connect up, but no packets? Message-ID: <01BF58FF.60752D20.ewampner@cayenta.com> Hi, this is a bit off topic as it deals with a linux client and a NT server. I looked for debs.fuller.edu, supposed home of some pptp client info, and it seems be gone. Pointers are welcome. Server Windows NT 4.0 SP6a. Requires 128bit encrypt and chap v2 Client Linux RH6.1 Vanilla 2.2.13 kernel. RedHat Sourced ppp-2.3.10 ppp-2_3_10-openssl-norc4-mppe_patch and mppe_stateless.diff applied to ppp source. Files rc4.h rc4_enc.c rc4_locl.h and rc4_skey.c copied from SSLeay-0.9.0b. ppp kernel install done, kernel recompiled, pppd compiled. pptp-linux-1.0.2 installed. whew. I get my dialup pppd connected. I run my pptp startup which looks like pptp ntserver debug name "DOMAIN\\USER" remotename ntserver +chapms-v2 +mppe-128 noauth I get Jan 7 09:52:50 localhost (unknown)[629]: log[pptp_dispatch_ctrl_packet:pptp_ctr l.c:531]: Client connection established. Jan 7 09:52:51 localhost (unknown)[629]: log[pptp_dispatch_ctrl_packet:pptp_ctr l.c:637]: Outgoing call established. Jan 7 09:52:52 localhost modprobe: can't locate module char-major-108 Jan 7 09:52:52 localhost pppd[632]: pppd 2.3.10 started by root, uid 0 Jan 7 09:52:52 localhost kernel: registered device ppp1 Jan 7 09:52:52 localhost pppd[632]: Using interface ppp1 Jan 7 09:52:52 localhost pppd[632]: Connect: ppp1 <--> /dev/ttya0 Jan 7 09:52:54 localhost pppd[632]: Remote message: XXXKEYXXX Jan 7 09:52:55 localhost kernel: PPP MPPE compression module registered Jan 7 09:52:55 localhost pppd[632]: Unsupported protocol (0x802b) received Jan 7 09:52:55 localhost pppd[632]: Unsupported protocol (0x803f) received Jan 7 09:52:55 localhost pppd[632]: MPPE 128 bit, non-stateless compression enabled Jan 7 09:52:55 localhost pppd[632]: local IP address XXXvalid client ipXXX Jan 7 09:52:55 localhost pppd[632]: remote IP address XXXvalid server ipXXX Jan 7 09:53:10 localhost pppd[632]: Protocol-Reject for unsupported protocol 0xce2f Jan 7 09:53:11 localhost pppd[632]: Protocol-Reject for unsupported protocol 0xd6b4 Jan 7 09:53:14 localhost pppd[632]: Protocol-Reject for unsupported protocol 0xb46e I can't get any packets accross, I tried ping and telnet with no luck, and each attempt generates more of the same messages. Now this error has been noted on the list http://lists.schulte.org/pipermail/pptp-server/1999-December/001249.html but not with an NT server, and no apparent resolution. I'll triple check for SP6.1a, but does anybody have any other suggestions? If I can't get this working I'll probably owe my boss lunch, and I just can't handle that. :-) eric From GregoryC at stcinc.com Fri Jan 7 14:12:13 2000 From: GregoryC at stcinc.com (Gregory Carvalho) Date: Fri Jan 7 14:12:13 2000 Subject: [pptp-server] Configuration Validation Request References: <38760ACA.AD7C041@stcinc.com> Message-ID: <38764A5D.9E41AECD@stcinc.com> Gregory Carvalho wrote: > > I have a scenario which requires IPSec, but the packets must transgress > a Microsoft Windows NT 4.0 Server running PPTP. I would like to use the > Kame IPSec package on FreeBSD 3.3R as in the diagram below. I envision > the sequence being Farside's PoPToP establishing a connection with > OutOfMyHands's PPTP, then IPSec riding that tunnel and cruising right > past OutOfMyHands to ServerSide's IPSec. Please comment on the validity > of this configuration. Clarification: Hosts connected to Farside (which is acting as firewall/gateway) attempt to talk to hosts connected to ServerSide (which is acting as firewall/gateway), so I desire for all traffic between FarSide and ServerSide to be ESP with authentication. OutOfMyHands does not contain IPSec. > > ------------------- /\ ------------------- > | FreeBSD 3.3R | / \ | WinNT4S | > | Name: FarSide | / \ | Name: OutOfMyHands| > | IPSec (Kame) | \Inet/ | MS Proxy | > | PoPToP |____\__/____| PPTP |__ > ------------------- \/ ------------------- | > | > | > ------------------- | > | FreeBSD 3.3R | | > | Name: ServerSide | | > | | | > | IPSec |__| > ------------------- > Cordially, Gregory Carvalho GregoryC at stcinc.com Simplified Technology Company http://www.stcinc.com In God I Trust! From geoff at gnaa.net Fri Jan 7 14:31:29 2000 From: geoff at gnaa.net (Geoff Nordli) Date: Fri Jan 7 14:31:29 2000 Subject: [pptp-server] delay in accessing an nt domain In-Reply-To: <02490A11759BD111B4DA00600811BD277FE331@ns1.artxinc.com> Message-ID: <001501bf594e$5e632420$0101a8c0@highwayi.com> I am using NT, and the wins server settings will show up in the ipconfig /all command. I have never really thought about this, but I am not getting the remote network displayed. A browse list is assembed by something called a Master browser. Each subnet has one. Normally what will happen is that the master browser will use the wins server to contact other master browsers, and assemble the browse list. I really don't know how this will work on a client basis. Does anyone else have any input on this? geoff -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Nitis Sent: Friday, January 07, 2000 1:32 AM To: 'Nico De Ranter'; Geoff Nordli Cc: John Nitis; pptp-server at lists.schulte.org Subject: RE: [pptp-server] delay in accessing an nt domain I have WINS servers setup, and they are configured in the ppp options file. How would I debug this? Should I setup pptp to dump all of the packets? It seems like there's some sort of name resolution error. Perhaps broadcasts that need to get through the PPTP connection aren't getting through? -----Original Message----- From: Nico De Ranter [mailto:nico at sonycom.com] Sent: Friday, January 07, 2000 12:22 AM To: Geoff Nordli Cc: 'John Nitis'; pptp-server at lists.schulte.org Subject: RE: [pptp-server] delay in accessing an nt domain On Thu, 6 Jan 2000, Geoff Nordli wrote: > You have wins servers setup, but are you using them in your ppp options > file? What that be on the server side (Linux) or on the client side (NT)? I have exactly the same problem, even worse: when I'm browsing my homedir from the samba-server it takes ages to show something. I'm using a 64kbit ISDN line which is very reliable and fast for everything else I do... except the "Microsoft Network". Nico > > > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Nitis > Sent: Thursday, January 06, 2000 7:58 PM > To: 'pptp-server at lists.schulte.org' > Subject: [pptp-server] delay in accessing an nt domain > > > Hello, > > I'm having problems doing anything that uses netbios over tcp/ip via my pptp > connection. The client is a Windows NT WS 4.0 box with SP6a, and the server > is Mandrake Linux 5.0 with poptop, pptpd, and pppd. I can login to PPTP > just fine, but the problems begin when I try to browse the network. I can > eventually browse the network (I have WINS servers setup) but it's *very* > slow to come up. When I click on network neighborhood it just pauses for > about a minute, and then it pops up with all of the computers on the > network. All standard TCP/IP communications are fine (such as telnet) - > it's just netbios that's goofed up. > > As far as I can tell, this is a name resolution problem. I have both DNS > and WINS configured correctly - what could be causing the long delay in > accessing netbios/smb/netbeui resources via my PPTP connection? > > Thank you, > > John Nitis > john at artxinc.com > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > -------------------------------------------------------- "It has been said that there are only two businesses refer to customers as users: illegal drug trade and the computer industry." -------------------------------------------------------- Nico De Ranter Sony Service Center (SUPC-E/DME-B) Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne) 1130 Brussel (Bruxelles), Belgium, Europe, Earth Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86 e-mail: nico.deranter at sonycom.com _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From geoff at gnaa.net Fri Jan 7 15:41:37 2000 From: geoff at gnaa.net (Geoff Nordli) Date: Fri Jan 7 15:41:37 2000 Subject: [pptp-server] delay in accessing an nt domain In-Reply-To: Message-ID: <001b01bf5958$27526a90$0101a8c0@highwayi.com> There is a program in the resource kit called browmon, which will tell you who is the master browser. The lmhosts file will definitely work on clients. I guess the part that confuses me is what happens on a multi-homed computer, which the client essentially becomes. Is it the primary interace that controls all browsing. When you logon to the pptp system. You computer doesn't get registered with the wins server. In order for the client to compile a list of servers it would need to become a master browser, since it is the only client on that subnet. The pptp server doesn't do any broadcasting, and browser elections are based on broadcast traffic. What do you think? geoff -----Original Message----- From: tmk [mailto:tmk at netmagic.net] Sent: Friday, January 07, 2000 1:43 PM To: Geoff Nordli Cc: 'John Nitis'; 'Nico De Ranter'; pptp-server at lists.schulte.org Subject: RE: [pptp-server] delay in accessing an nt domain if you want instant network neighborhood access, the cheezy way to do it is to add a bunch of entries into your lmhosts file (see lmhosts.sam for examples) and those comuer will always be in your network neighborhood list..this is good if there are a small number of computers. The nature of a modem connection means that it will take a long time for any updates to happen on the client side, and it is perhaps unrealistic to expect lan browse performance out of a modem client. there are several ways which a client can request a browse list, if a wins server has been assigned, clients will use a "type h" (for hybrid) method, which will first check the wins server, then ask for a master browser, then broadcast. (to see what your client is set to, run winipcfg and if it says hybrid for node type, this is the method you are using) if the clients are not set for this method, they will be slower for sure beyond that, it is a good idea to set the browse master to disabled and lm_announce to no (in the file and print services for MS networking section of the network control panel.. only applies to computers with shares on them) This will prevent browse master wars (lots of computers claiming to be the browse master) and lower the overall chatter ofyour network.. Of course you still need to have at least one (preferably two) computers on your network with this enabled (not sure how to check it in NT, i think it's a registry hack though).. -Kevin On Fri, 7 Jan 2000, Geoff Nordli wrote: > I am using NT, and the wins server settings will show up in the > ipconfig /all command. > > I have never really thought about this, but I am not getting > the remote network displayed. > > A browse list is assembed by something called a Master browser. Each > subnet has one. Normally what will happen is that the master browser > will use the wins server to contact other master browsers, and assemble > the browse list. I really don't know how this will work on a client > basis. > > Does anyone else have any input on this? > > geoff > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Nitis > Sent: Friday, January 07, 2000 1:32 AM > To: 'Nico De Ranter'; Geoff Nordli > Cc: John Nitis; pptp-server at lists.schulte.org > Subject: RE: [pptp-server] delay in accessing an nt domain > > > I have WINS servers setup, and they are configured in the ppp options file. > How would I debug this? Should I setup pptp to dump all of the packets? It > seems like there's some sort of name resolution error. Perhaps broadcasts > that need to get through the PPTP connection aren't getting through? > > -----Original Message----- > From: Nico De Ranter [mailto:nico at sonycom.com] > Sent: Friday, January 07, 2000 12:22 AM > To: Geoff Nordli > Cc: 'John Nitis'; pptp-server at lists.schulte.org > Subject: RE: [pptp-server] delay in accessing an nt domain > > > On Thu, 6 Jan 2000, Geoff Nordli wrote: > > > You have wins servers setup, but are you using them in your ppp options > > file? > > What that be on the server side (Linux) or on the client side (NT)? > I have exactly the same problem, even worse: when I'm browsing my homedir > from the samba-server it takes ages to show something. I'm using a 64kbit > ISDN line which is very reliable and fast for everything else I do... except > the "Microsoft Network". > > Nico > > > > > > > > > -----Original Message----- > > From: pptp-server-admin at lists.schulte.org > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Nitis > > Sent: Thursday, January 06, 2000 7:58 PM > > To: 'pptp-server at lists.schulte.org' > > Subject: [pptp-server] delay in accessing an nt domain > > > > > > Hello, > > > > I'm having problems doing anything that uses netbios over tcp/ip via my > pptp > > connection. The client is a Windows NT WS 4.0 box with SP6a, and the > server > > is Mandrake Linux 5.0 with poptop, pptpd, and pppd. I can login to PPTP > > just fine, but the problems begin when I try to browse the network. I can > > eventually browse the network (I have WINS servers setup) but it's *very* > > slow to come up. When I click on network neighborhood it just pauses for > > about a minute, and then it pops up with all of the computers on the > > network. All standard TCP/IP communications are fine (such as telnet) - > > it's just netbios that's goofed up. > > > > As far as I can tell, this is a name resolution problem. I have both DNS > > and WINS configured correctly - what could be causing the long delay in > > accessing netbios/smb/netbeui resources via my PPTP connection? > > > > Thank you, > > > > John Nitis > > john at artxinc.com > > > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulte.org! > > > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulte.org! > > > > -------------------------------------------------------- > "It has been said that there are only two businesses > refer to customers as users: illegal drug trade and > the computer industry." > -------------------------------------------------------- > Nico De Ranter > Sony Service Center (SUPC-E/DME-B) > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne) > 1130 Brussel (Bruxelles), Belgium, Europe, Earth > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86 > e-mail: nico.deranter at sonycom.com > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From johnoel at hawaii.com Fri Jan 7 17:40:19 2000 From: johnoel at hawaii.com (john oel@H@) Date: Fri Jan 7 17:40:19 2000 Subject: [pptp-server] pppd[521]: no device specified and stdin is not a tty Message-ID: <200001080033.QAA04526@mail.hawaii.com> hi all, i am stuMpEd. anyhow, i am running pptp sever behing a linux ipchain/masq firewall. it seems to be forwarding the packets okay to the pptp server when dialing in from an isp on a win98 machine. the output from the /var/log/pptp.log is Jan 7 13:20:40 mahimahi pptpd[518]: MGR: Manager process started Jan 7 13:21:08 mahimahi pptpd[520]: MGR: Launching /usr/local/sbin/pptpctrl to handle client Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: local address = 192.168.0.90 Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: remote address = 192.168.0.20 Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Client 2XXXXXXXXXX0 control connection started Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Received PPTP Control Message (type: 1) Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Made a START CTRL CONN RPLY packet Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: I wrote 156 bytes to the client. Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Sent packet to client Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Received PPTP Control Message (type: 7) Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Set parameters to 0 maxbps, 16 window size Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Made a OUT CALL RPLY packet Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Starting call (launching pppd, opening GRE) Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: pty_fd = 4 Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: tty_fd = 5 Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: I wrote 32 bytes to the client. Jan 7 13:21:08 mahimahi pptpd[518]: MGR: Reaped child 520 Jan 7 13:21:08 mahimahi pptpd[521]: CTRL (PPPD Launcher): Connection speed = 115200 Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Sent packet to client Jan 7 13:21:08 mahimahi pppd[521]: no device specified and stdin is not a tty Jan 7 13:21:08 mahimahi pptpd[521]: CTRL (PPPD Launcher): local address = 192.168.0.90 Jan 7 13:21:08 mahimahi pptpd[521]: CTRL (PPPD Launcher): remote address = 192.168.0.20 Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Received PPTP Control Message (type: 12) Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Made a CALL DISCONNECT RPLY packet Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Received CALL CLR request (closing call) Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: I wrote 148 bytes to the client. Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Sent packet to client Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Error with select(), quitting Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Client 2XXXXXXXXXX0 control connection finished Jan 7 13:21:08 mahimahi pptpd[520]: CTRL: Exiting now i think that i am getting closer, but may be over looking the obvious. johnoel -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From johnoel at hawaii.com Fri Jan 7 18:58:33 2000 From: johnoel at hawaii.com (john oel@H@) Date: Fri Jan 7 18:58:33 2000 Subject: [pptp-server] ipchains Message-ID: <200001080151.RAA06931@mail.hawaii.com> hi again, in the internel private network i set up the poptop server. if i set up a win98 machine to dail into the poptop server inside of the private network, it connects fine. so now i set up the firewall to ipchains forward port 1723 and portocal 47 . then i dial in with a isp. the connections fail. i think i configured the firewall correctly,but... so i tried to do a traceroute to the firewall from the isp using a patch that allows GRE packets. i seems to die at the firewall. so, tried the same from within the private network and it also dies at the public side of the firewall. so, is it a clue that i didn't configure ipchains correctly. what is the proper commands to allow port 1723 and protocal 47 to go in to and out of the firewall. johnoel -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From knup at home.com Fri Jan 7 21:26:51 2000 From: knup at home.com (knup) Date: Fri Jan 7 21:26:51 2000 Subject: [pptp-server] ipchains References: <200001080151.RAA06931@mail.hawaii.com> Message-ID: <001101bf5988$212720e0$071c0fc0@lala.net> ipchains -A input -p 47 -j ACCEPT is the command to allow proto 47 i believe Kevin ----- Original Message ----- From: john oel at H@ To: Sent: Friday, January 07, 2000 5:51 PM Subject: [pptp-server] ipchains > hi again, > > in the internel private network i set up the poptop > server. if i set up a win98 machine to dail into > the poptop server inside of the private network, > it connects fine. so now i set up the firewall > to ipchains forward port 1723 and portocal 47 . > then i dial in with a isp. the connections fail. > i think i configured the firewall correctly,but... > > so i tried to do a traceroute to the firewall from > the isp using a patch that allows GRE packets. i > seems to die at the firewall. so, tried the same > from within the private network and it also dies > at the public side of the firewall. so, is it a > clue that i didn't configure ipchains correctly. > what is the proper commands to allow port 1723 > and protocal 47 to go in to and out of the firewall. > > > johnoel > > > -------------------------------- > Get your free email @hawaii.com > http://www.hawaii.com/ > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From yan at cardinalengineering.com Sat Jan 8 05:40:26 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Sat Jan 8 05:40:26 2000 Subject: [pptp-server] ipchains References: <200001080151.RAA06931@mail.hawaii.com> Message-ID: <38772226.BC7276DD@cardinalengineering.com> A snippet from my ipchains rules. My pptp server is on my firewall; no port forwarding. # PPTP is kind of a bastardized service in that it requires # both a tcp connection and a protocol 47 connection. # for that reason, let's put it off by itself. echo -n "pptp..." ipchains -A pub-in -p tcp \ --sport $UNPRIV_PORTS \ -d $PUBLIC_IP pptp \ -j ACCEPT ipchains -A pub-in -p 47 \ -d $PUBLIC_IP \ -j ACCEPT ipchains -A pub-out -p tcp \ --source $PUBLIC_IP pptp \ --dport $UNPRIV_PORTS \ -j ACCEPT ipchains -A pub-out -p 47 \ --source $PUBLIC_IP \ -j ACCEPT --Yan "john oel at H@" wrote: > > hi again, > > in the internel private network i set up the poptop > server. if i set up a win98 machine to dail into > the poptop server inside of the private network, > it connects fine. so now i set up the firewall > to ipchains forward port 1723 and portocal 47 . > then i dial in with a isp. the connections fail. > i think i configured the firewall correctly,but... > > so i tried to do a traceroute to the firewall from > the isp using a patch that allows GRE packets. i > seems to die at the firewall. so, tried the same > from within the private network and it also dies > at the public side of the firewall. so, is it a > clue that i didn't configure ipchains correctly. > what is the proper commands to allow port 1723 > and protocal 47 to go in to and out of the firewall. > > johnoel > > -------------------------------- > Get your free email @hawaii.com > http://www.hawaii.com/ > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! From Piya.Saropala at Nextel.com Sat Jan 8 16:19:48 2000 From: Piya.Saropala at Nextel.com (Saropala, Piya) Date: Sat Jan 8 16:19:48 2000 Subject: [pptp-server] can't see computers in Network Neighborhood Message-ID: <41D1471ED4FED111A81C00104B6AEF7C0255D993@atlntex01.nextel.com> Ok.. I have try to lookup this situation in the archive but I didn't find .. or I just don't know what I'm talking about(most lightly) any how, here goes... I'm running RedHat6.1 Kernel 2.2.12-12 And using win98se clients I have installed pppd and pptpd as instructed on the pptpd page... all my 98 machines can log-in fine, and I can ping the address that pptp give out to the 98 clients... I can also map the drive by using \\xxx.xxx.xxx.xxx\[share name] but I can't see anyone in the Network Neighborhood. Please help... I know it's a very simple thing that I miss... Thank you Piya Saropala From kvandel at cs.duke.edu Sat Jan 8 22:40:14 2000 From: kvandel at cs.duke.edu (Kurt E. Van Delden) Date: Sat Jan 8 22:40:14 2000 Subject: [pptp-server] ppp0 active, ping times out on client. Message-ID: Hello, I have a cable modem setup proxing for an internal network. Server Linux, Mandrake 6.1, 2.2.14, ipchains for NAT. (Authentication works....see log below) The client(win98 SE w/128 update) appears to be generating traffic: [root at sundance ~]# tcpdump -i ppp0 tcpdump: listening on ppp0 09:38:46.177123 10.0.0.111.netbios-ns > 10.0.0.2.netbios-ns: udp 68 09:38:47.677378 10.0.0.111.netbios-ns > 10.0.0.2.netbios-ns: udp 68 09:38:51.248371 10.0.0.111.netbios-dgm > 10.255.255.255.netbios-dgm: udp 197 09:38:53.517693 10.0.0.111.netbios-dgm > 10.255.255.255.netbios-dgm: udp 197 09:38:53.677288 10.0.0.111.netbios-ns > 10.0.0.2.netbios-ns: udp 68 09:38:54.497345 10.0.0.111.netbios-dgm > 10.255.255.255.netbios-dgm: udp 197 09:38:55.177520 10.0.0.111.netbios-ns > 10.0.0.2.netbios-ns: udp 68 09:38:55.507633 10.0.0.111.netbios-dgm > 10.255.255.255.netbios-dgm: udp 197 09:38:56.518206 10.0.0.111.netbios-dgm >10.255.255.255.netbios-dgm: udp 197 09:38:56.676698 10.0.0.111.netbios-ns > 10.0.0.2.netbios-ns: udp 68 09:38:57.508123 10.0.0.111.netbios-ns > 10.0.0.2.netbios-ns: udp 68 09:38:58.976741 10.0.0.111.netbios-ns > 10.0.0.2.netbios-ns: udp 68 09:38:59.728000 216.54.130.135.netbios-ns > 10.0.0.3.domain: 416+ A? COWBOY.vand--cut However, no traffic returns.. The client side times out on ping. (PS I know there are no ping requests in the above trace, but they do appear when I initiate the ping on the client) /var/log/messages Jan 8 09:36:50 sundance pptpd[2699]: CTRL: Client 216.54.130.135 control connec tion started Jan 8 09:36:51 sundance pptpd[2699]: CTRL: Starting call (launching pppd, openi ng GRE) Jan 8 09:36:51 sundance pppd[2700]: pppd 2.3.10 started by root, uid 0 Jan 8 09:36:51 sundance pppd[2700]: Using interface ppp0 Jan 8 09:36:51 sundance pppd[2700]: Connect: ppp0 <--> /dev/pts/4 Jan 8 09:36:51 sundance pppd[2700]: MSCHAP-v2 peer authentication succeeded for xxxx\xx Jan 8 09:36:52 sundance pppd[2700]: found interface eth0 for proxy arp Jan 8 09:36:52 sundance pppd[2700]: local IP address 10.0.0.100 Jan 8 09:36:52 sundance pppd[2700]: remote IP address 10.0.0.111 Jan 8 09:36:52 sundance pppd[2700]: MPPE 128 bit, stateless compression enabled Notes on installation: ppp-2.3.10 w/ Daniel'spatch for MPPE **** additional patch by Paul Janzen failed to apply.(This is likely it...) (after looking at the patch) More information and thoughts Ifconfig: eth0(internal 10.) eth1(Internet Routable) eth0 Link encap:Ethernet HWaddr 00:60:08:41:57:FF inet addr:10.0.0.3 Bcast:10.255.255.255 Mask:255.0.0.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:617742 errors:0 dropped:0 overruns:0 frame:0 TX packets:713374 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 Interrupt:11 Base address:0xec00 eth1 Link encap:Ethernet HWaddr 00:40:33:99:EA:DE inet addr:24.28.135.253 Bcast:255.255.255.255 Mask:255.255.255.0 UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:13585 errors:0 dropped:0 overruns:0 frame:4 TX packets:13621 errors:0 dropped:0 overruns:0 carrier:0 collisions:28 txqueuelen:100 Interrupt:12 Base address:0xe800 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:3924 Metric:1 RX packets:726 errors:0 dropped:0 overruns:0 frame:0 TX packets:726 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 ppp0 Link encap:Point-to-Point Protocol inet addr:10.0.0.101 P-t-P:10.0.0.112 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:62 errors:0 dropped:0 overruns:0 frame:0 TX packets:14 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10.0.0.3 0.0.0.0 255.255.255.255 UH 0 0 0 eth0 10.0.0.112 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 24.28.135.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 24.28.135.1 0.0.0.0 UG 0 0 0 eth1 pppd options name sundance auth +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless proxyarp ms-wins 10.0.0.2 ms-dns 10.0.0.3 netmask 255.255.255.255 Ping output from server to client [root at sundance ~]# ping 10.0.0.111 PING 10.0.0.111 (10.0.0.111): 56 data bytes ping: sendto: Operation not permitted ping: wrote 10.0.0.111 64 chars, ret=-1 ping: sendto: Operation not permitted ping: wrote 10.0.0.111 64 chars, ret=-1 ping: sendto: Operation not permitted ping: wrote 10.0.0.111 64 chars, ret=-1 ping: sendto: Operation not permitted ping: wrote 10.0.0.111 64 chars, ret=-1 ping: sendto: Operation not permitted ping: wrote 10.0.0.111 64 chars, ret=-1 ping: sendto: Operation not permitted ping: wrote 10.0.0.111 64 chars, ret=-1 --- 10.0.0.111 ping statistics --- 6 packets transmitted, 0 packets received, 100% packet loss Final thought.. I beleive everybodies first intuition is going to be the ipchain rules. I've checked them. I can provide them if required.(They are long) I have even cleared the system chains, and set accept policies on the empty chains to eliminate the possibility of problems from ipchains. thanks a bunch, kurt From kvandel at cs.duke.edu Sat Jan 8 23:32:47 2000 From: kvandel at cs.duke.edu (Kurt E. Van Delden) Date: Sat Jan 8 23:32:47 2000 Subject: [pptp-server] ppp0 active, ping times out on client. In-Reply-To: Message-ID: Solution Found > Final thought.. I beleive everybodies first intuition > is going to be the ipchain rules. I've checked them. They were wrong! Works great now. > I have even cleared the system chains, and set accept policies.. They were set to deny. clearing the chains and correctly setting the policies to ACCEPT made it work..! thanks, kurt > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From cambo11 at hotmail.com Sun Jan 9 01:54:22 2000 From: cambo11 at hotmail.com (Cam Bowman) Date: Sun Jan 9 01:54:22 2000 Subject: [pptp-server] can't see computers in Network Neighborhood Message-ID: <20000109075414.42864.qmail@hotmail.com> This sounds like a name-resolution problem. To solve it, you must implement some form of dynamic or static name resolution (that is Netbios Name to IP address translations). By default your WIN9x clients are trying to broadcast to find the names of other computers, BROADCAST traffic will never cross a PPP link. Option #1 Configure a WINS server for WIN9x client. To make this dynamic when the PPTP client connects, edit your PPPD "options" file on the linux server; usually "/etc/ppp/options". OPTIONS file should look something like this: debug name servername auth require-chap proxyarp ms-dns 192.168.1.10 ms-dns 192.168.1.11 ms-wins 10.1.141.12 ms-wins 10.1.142.10 lock Please note the order of ms-dns and ms-wins addresses, the first one entered becomes the primary and the next secondary.... and so on. Options #2 LMHOSTS file on WIN9x client. "c:\windows\lmhosts" on NT "c:\winnt\system32\drivers\etc\lmhosts" There is a sample file (lmhosts.sam) to help you configure this file, remember to reboot or run "nbtstat -R" (reloads the file) after saving this file. If you don't have a WINS server and you want to save time setting up the lmhosts file, input a PDC, BDC or server; these computers are the most likely to be the "master browser" (microsoft name for computer who holds all computer names and share information). This should get you a list of the whole network neighbourhood. This should take care of you problem.. Cam Bowman Amtelecom Communications >From: "Saropala, Piya" >To: "'pptp-server at lists.schulte.org'" >Subject: [pptp-server] can't see computers in Network Neighborhood >Date: Sat, 8 Jan 2000 17:02:29 -0500 > >Ok.. I have try to lookup this situation in the archive but I didn't find >.. >or I just don't know what I'm talking about(most lightly) any how, here >goes... > >I'm running RedHat6.1 >Kernel 2.2.12-12 >And using win98se clients > >I have installed pppd and pptpd as instructed on the pptpd page... all my >98 >machines can log-in fine, and I can ping the address that pptp give out to >the 98 clients... I can also map the drive by using > >\\xxx.xxx.xxx.xxx\[share name] > >but I can't see anyone in the Network Neighborhood. >Please help... I know it's a very simple thing that I miss... > >Thank you >Piya Saropala > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulte.org! ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From yan at cardinalengineering.com Sun Jan 9 06:47:00 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Sun Jan 9 06:47:00 2000 Subject: [pptp-server] pptpctrl problems? Message-ID: <38788341.BD262F41@cardinalengineering.com> At some point during a long session yesterday I started getting these messages in my syslog: Jan 8 18:26:39 aphrodite pptpd[30662]: CTRL: Unexpected control message 0 in disconnect sequence Jan 8 18:26:39 aphrodite pptpd[30662]: CTRL: EOF or bad error reading ctrl packet length. Jan 8 18:26:39 aphrodite pptpd[30662]: CTRL: couldn't read packet header (exit) at the rate of 2-3 per second. Enough to tie up one of my CPUs at 100% util. This persisted even though I disconnected the VPN session. I then killed pptpd; still no joy. The problem stopped after I killed pptpctrl. I restarted pptpd, and now am running with no problems. During all this time, there was no impact on the VPN session itself; transfers went on as normal.... Questions: 1. Should I be starting pptpctrl from inetd? Right now, I am letting pptpd start it. 2. Is anyone else experiencing this? I think the problem may have started when the VPN session abruptly termintated and I reconnected. --Yan From geoff at gnaa.net Sun Jan 9 11:13:02 2000 From: geoff at gnaa.net (Geoff Nordli) Date: Sun Jan 9 11:13:02 2000 Subject: [pptp-server] can't see computers in Network Neighborhood In-Reply-To: <20000109075414.42864.qmail@hotmail.com> Message-ID: <000001bf5ac4$ff2a10e0$0101a8c0@highwayi.com> I don't think it is a name resolution problem. I think the problem is building, and retrieving the master browser list of the domains. Each subnet will have a masterbrowser, each client will be own their own subnet. Each subnetwork announces itself as the master browser to the domain master broswer, using a directed MasterBrowserAnnouncement Datagram. The domain master browser then send a remote NetServerEnum API call to each master browser, to collect each subnetworks's list of servers. The domain master browser mergest the server list from each subnetwork master browser with its own server list, forming the browse list for the domain. I guess the question is. Does a browse list actually get created for that pptp connection. If it doesn't it will never be, since most browser traffic is broadcast based. geoff nordli -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Cam Bowman Sent: Saturday, January 08, 2000 11:54 PM To: Piya.Saropala at Nextel.com Cc: pptp-server at lists.schulte.org Subject: Re: [pptp-server] can't see computers in Network Neighborhood This sounds like a name-resolution problem. To solve it, you must implement some form of dynamic or static name resolution (that is Netbios Name to IP address translations). By default your WIN9x clients are trying to broadcast to find the names of other computers, BROADCAST traffic will never cross a PPP link. Option #1 Configure a WINS server for WIN9x client. To make this dynamic when the PPTP client connects, edit your PPPD "options" file on the linux server; usually "/etc/ppp/options". OPTIONS file should look something like this: debug name servername auth require-chap proxyarp ms-dns 192.168.1.10 ms-dns 192.168.1.11 ms-wins 10.1.141.12 ms-wins 10.1.142.10 lock Please note the order of ms-dns and ms-wins addresses, the first one entered becomes the primary and the next secondary.... and so on. Options #2 LMHOSTS file on WIN9x client. "c:\windows\lmhosts" on NT "c:\winnt\system32\drivers\etc\lmhosts" There is a sample file (lmhosts.sam) to help you configure this file, remember to reboot or run "nbtstat -R" (reloads the file) after saving this file. If you don't have a WINS server and you want to save time setting up the lmhosts file, input a PDC, BDC or server; these computers are the most likely to be the "master browser" (microsoft name for computer who holds all computer names and share information). This should get you a list of the whole network neighbourhood. This should take care of you problem.. Cam Bowman Amtelecom Communications >From: "Saropala, Piya" >To: "'pptp-server at lists.schulte.org'" >Subject: [pptp-server] can't see computers in Network Neighborhood >Date: Sat, 8 Jan 2000 17:02:29 -0500 > >Ok.. I have try to lookup this situation in the archive but I didn't find >.. >or I just don't know what I'm talking about(most lightly) any how, here >goes... > >I'm running RedHat6.1 >Kernel 2.2.12-12 >And using win98se clients > >I have installed pppd and pptpd as instructed on the pptpd page... all my >98 >machines can log-in fine, and I can ping the address that pptp give out to >the 98 clients... I can also map the drive by using > >\\xxx.xxx.xxx.xxx\[share name] > >but I can't see anyone in the Network Neighborhood. >Please help... I know it's a very simple thing that I miss... > >Thank you >Piya Saropala > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulte.org! ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From timeman at mellorien.net Sun Jan 9 13:56:45 2000 From: timeman at mellorien.net (=?iso-8859-1?Q?Magnus_L=F6fqvist?=) Date: Sun Jan 9 13:56:45 2000 Subject: [pptp-server] Very Newbee Q. Message-ID: <20000109205927.A21600@mellorien.net> I have installed PoPToP 1.0 and pppd 2.3.9 with mschap patches (as desc. in howto) on a Linux 2.2 box, but when I try to connect I got: Connect with Win2k...anyone know whats wrong? //TimeMan Jan 9 20:56:05 w pptpd[6383]: CTRL: Client 195.100.243.37 control connection started Jan 9 20:56:06 w pptpd[6383]: CTRL: Starting call (launching pppd, opening GRE) Jan 9 20:56:06 w kernel: CSLIP: code copyright 1989 Regents of the University of California Jan 9 20:56:06 w kernel: PPP: version 2.2.0 (dynamic channel allocation) Jan 9 20:56:06 w kernel: PPP Dynamic channel allocation code copyright 1995 Caldera, Inc. Jan 9 20:56:06 w kernel: PPP line discipline registered. Jan 9 20:56:06 w kernel: registered device ppp0 Jan 9 20:56:06 w pppd[6384]: pppd 2.3.8 started by root, uid 0 Jan 9 20:56:06 w pppd[6384]: Using interface ppp0 Jan 9 20:56:06 w pppd[6384]: Connect: ppp0 <--> /dev/ttyp3 Jan 9 20:56:06 w pppd[6384]: sent [LCP ConfReq id=0x1 ] Jan 9 20:56:33 w last message repeated 9 times Jan 9 20:56:36 w pppd[6384]: LCP: timeout sending Config-Requests Jan 9 20:56:36 w pppd[6384]: Connection terminated. Jan 9 20:56:36 w pppd[6384]: tcflush failed: Invalid argument Jan 9 20:56:36 w pppd[6384]: Exit. Jan 9 20:56:36 w pptpd[6383]: GRE: read(fd=4,buffer=804d7ec,len=8196) from PTY failed: status = -1 error = Input/output error Jan 9 20:56:36 w pptpd[6383]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) Jan 9 20:56:36 w pptpd[6383]: CTRL: Client 195.100.243.37 control connection finished Jan 9 20:58:06 w kernel: PPP: ppp line discipline successfully unregistered -- Magnus L?fqvist (http://www.mellorien.net/timeman) +46(0)70-6442916 From pf at sxb.bsf.alcatel.fr Mon Jan 10 03:07:16 2000 From: pf at sxb.bsf.alcatel.fr (Pascal Fremaux) Date: Mon Jan 10 03:07:16 2000 Subject: [pptp-server] Very Newbee Q. References: <20000109205927.A21600@mellorien.net> Message-ID: <3879A146.227426CA@sxb.bsf.alcatel.fr> There is a problem with your PPP: You should have a line like: Jan 9 20:56:06 w kernel: PPP: version 2.3.9 (demand dialling) instead of Jan 9 20:56:06 w kernel: PPP: version 2.2.0 (dynamic channel allocation) and you have the line Jan 9 20:56:06 w pppd[6384]: pppd 2.3.8 started by root, uid 0 which is obviously not the ppp-2.3.9 . So you may have not installed your new ppp-2.3.9 correctly. Magnus L?fqvist wrote: > I have installed PoPToP 1.0 and pppd 2.3.9 with mschap patches (as desc. in howto) on a Linux 2.2 box, > but when I try to connect I got: > Connect with Win2k...anyone know whats wrong? > > //TimeMan > > Jan 9 20:56:05 w pptpd[6383]: CTRL: Client 195.100.243.37 control connection started > Jan 9 20:56:06 w pptpd[6383]: CTRL: Starting call (launching pppd, opening GRE) > Jan 9 20:56:06 w kernel: CSLIP: code copyright 1989 Regents of the University of California > Jan 9 20:56:06 w kernel: PPP: version 2.2.0 (dynamic channel allocation) > Jan 9 20:56:06 w kernel: PPP Dynamic channel allocation code copyright 1995 Caldera, Inc. > Jan 9 20:56:06 w kernel: PPP line discipline registered. > Jan 9 20:56:06 w kernel: registered device ppp0 > Jan 9 20:56:06 w pppd[6384]: pppd 2.3.8 started by root, uid 0 > Jan 9 20:56:06 w pppd[6384]: Using interface ppp0 > Jan 9 20:56:06 w pppd[6384]: Connect: ppp0 <--> /dev/ttyp3 > Jan 9 20:56:06 w pppd[6384]: sent [LCP ConfReq id=0x1 ] > Jan 9 20:56:33 w last message repeated 9 times > Jan 9 20:56:36 w pppd[6384]: LCP: timeout sending Config-Requests > Jan 9 20:56:36 w pppd[6384]: Connection terminated. > Jan 9 20:56:36 w pppd[6384]: tcflush failed: Invalid argument > Jan 9 20:56:36 w pppd[6384]: Exit. > Jan 9 20:56:36 w pptpd[6383]: GRE: read(fd=4,buffer=804d7ec,len=8196) from PTY failed: status = -1 error = Input/output error > Jan 9 20:56:36 w pptpd[6383]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) > Jan 9 20:56:36 w pptpd[6383]: CTRL: Client 195.100.243.37 control connection finished > Jan 9 20:58:06 w kernel: PPP: ppp line discipline successfully unregistered > > -- > Magnus L?fqvist (http://www.mellorien.net/timeman) > +46(0)70-6442916 > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! -- Pascal Fremaux, SSII Alten Study Engineer at Alcatel Telecom R&D, Illkirch, France From pf at sxb.bsf.alcatel.fr Mon Jan 10 03:09:07 2000 From: pf at sxb.bsf.alcatel.fr (Pascal Fremaux) Date: Mon Jan 10 03:09:07 2000 Subject: [pptp-server] Very Newbee Q. References: <20000109205927.A21600@mellorien.net> Message-ID: <3879A1BB.A887E09@sxb.bsf.alcatel.fr> I forgot: Be modern, use the PPP-2.3.10. There is also now a ppp-2.3.11, but it seems not to change something under linux. -- Pascal Fremaux, SSII Alten Study Engineer at Alcatel Telecom R&D, Illkirch, France From yan at cardinalengineering.com Mon Jan 10 06:55:11 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Mon Jan 10 06:55:11 2000 Subject: [pptp-server] Can't access computers past pptp server Message-ID: <3879D7C1.1FFE8F53@cardinalengineering.com> OK, here's a new one: I have pptpd set up and running (with a small hitch with pptpctrl). I can see all the computers in network neighborhood. When I try to click on any of them, I get a message that the machine is not available. I can see all the shares on the pptpd box. My firewall is not showing that any packets are blocked. I'm stumped.... --Yan -- Think different ride a recumbent use Linux. From P.J.Reid at earthling.net Mon Jan 10 07:44:37 2000 From: P.J.Reid at earthling.net (Patrick Reid) Date: Mon Jan 10 07:44:37 2000 Subject: [pptp-server] can't see computers in Network Neighborhood In-Reply-To: <41D1471ED4FED111A81C00104B6AEF7C0255D993@atlntex01.nextel.com> Message-ID: <000001bf5b70$c07dd500$0200a8c0@Reidworld.dynip.com> I have found that if I am connecting from a machine which is already on an "Windows Networking" network sith its own workgroup, getting the machine to "see" the Microsoft Network it is dialling into takes quite a while. I think this is because MS didn't contemplate a Win98 machine being on two different MS Networks. Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Saropala, Piya Sent: January 8, 2000 6:02 PM To: 'pptp-server at lists.schulte.org' Subject: [pptp-server] can't see computers in Network Neighborhood Ok.. I have try to lookup this situation in the archive but I didn't find .. or I just don't know what I'm talking about(most lightly) any how, here goes... I'm running RedHat6.1 Kernel 2.2.12-12 And using win98se clients I have installed pppd and pptpd as instructed on the pptpd page... all my 98 machines can log-in fine, and I can ping the address that pptp give out to the 98 clients... I can also map the drive by using \\xxx.xxx.xxx.xxx\[share name] but I can't see anyone in the Network Neighborhood. Please help... I know it's a very simple thing that I miss... Thank you Piya Saropala _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From P.J.Reid at earthling.net Mon Jan 10 08:32:08 2000 From: P.J.Reid at earthling.net (Patrick Reid) Date: Mon Jan 10 08:32:08 2000 Subject: [pptp-server] Logging In-Reply-To: <000001bf5b70$c07dd500$0200a8c0@Reidworld.dynip.com> Message-ID: <000501bf5b77$7315af20$0200a8c0@Reidworld.dynip.com> This is a newbie-type question: I have debug in both my pptpd.conf file and in my options file, but I get very little information and none of it is in my pptpd.log file, all in /var/log/messages I am sure that (in a previous installation), I got more stuff and mostly in /var/log/pptpd.log, but I don't know how to make it happen again. Can anyone help me? Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Patrick Reid Sent: January 10, 2000 9:44 AM To: 'Saropala, Piya'; pptp-server at lists.schulte.org Subject: RE: [pptp-server] can't see computers in Network Neighborhood I have found that if I am connecting from a machine which is already on an "Windows Networking" network sith its own workgroup, getting the machine to "see" the Microsoft Network it is dialling into takes quite a while. I think this is because MS didn't contemplate a Win98 machine being on two different MS Networks. Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Saropala, Piya Sent: January 8, 2000 6:02 PM To: 'pptp-server at lists.schulte.org' Subject: [pptp-server] can't see computers in Network Neighborhood Ok.. I have try to lookup this situation in the archive but I didn't find .. or I just don't know what I'm talking about(most lightly) any how, here goes... I'm running RedHat6.1 Kernel 2.2.12-12 And using win98se clients I have installed pppd and pptpd as instructed on the pptpd page... all my 98 machines can log-in fine, and I can ping the address that pptp give out to the 98 clients... I can also map the drive by using \\xxx.xxx.xxx.xxx\[share name] but I can't see anyone in the Network Neighborhood. Please help... I know it's a very simple thing that I miss... Thank you Piya Saropala _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From tmk at netmagic.net Mon Jan 10 09:44:51 2000 From: tmk at netmagic.net (tmk) Date: Mon Jan 10 09:44:51 2000 Subject: [pptp-server] Logging References: <000501bf5b77$7315af20$0200a8c0@Reidworld.dynip.com> Message-ID: <001301bf5b81$89d7e700$071c0fc0@lala.net> you need a line like *.debug /var/log/debug in your /etc/syslog.conf file to get debug output.. all debug info will go to that file. Kevin ----- Original Message ----- From: Patrick Reid To: Sent: Monday, January 10, 2000 6:31 AM Subject: [pptp-server] Logging > This is a newbie-type question: > > I have debug in both my pptpd.conf file and in my options file, but I get > very little information and none of it is in my pptpd.log file, all in > /var/log/messages > > I am sure that (in a previous installation), I got more stuff and mostly in > /var/log/pptpd.log, but I don't know how to make it happen again. Can anyone > help me? > > Patrick Reid - mailto:PReid at candesco.com > Candesco Research Corp. > Communication Centre: > > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Patrick Reid > Sent: January 10, 2000 9:44 AM > To: 'Saropala, Piya'; pptp-server at lists.schulte.org > Subject: RE: [pptp-server] can't see computers in Network Neighborhood > > > I have found that if I am connecting from a machine which is already on an > "Windows Networking" network sith its own workgroup, getting the machine to > "see" the Microsoft Network it is dialling into takes quite a while. > > I think this is because MS didn't contemplate a Win98 machine being on two > different MS Networks. > > Patrick Reid - mailto:PReid at candesco.com > Candesco Research Corp. > Communication Centre: > > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Saropala, Piya > Sent: January 8, 2000 6:02 PM > To: 'pptp-server at lists.schulte.org' > Subject: [pptp-server] can't see computers in Network Neighborhood > > > Ok.. I have try to lookup this situation in the archive but I didn't find .. > or I just don't know what I'm talking about(most lightly) any how, here > goes... > > I'm running RedHat6.1 > Kernel 2.2.12-12 > And using win98se clients > > I have installed pppd and pptpd as instructed on the pptpd page... all my 98 > machines can log-in fine, and I can ping the address that pptp give out to > the 98 clients... I can also map the drive by using > > \\xxx.xxx.xxx.xxx\[share name] > > but I can't see anyone in the Network Neighborhood. > Please help... I know it's a very simple thing that I miss... > > Thank you > Piya Saropala > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From shagster at devel.alal.com Mon Jan 10 22:25:48 2000 From: shagster at devel.alal.com (Mat Kovach) Date: Mon Jan 10 22:25:48 2000 Subject: [pptp-server] Problem using poptop Message-ID: <20000110230850.A20726@devel.shagster.com> Okay, we have a slight problem here. Basically this is what we have: A Linux server running poptop back behind an ISDN router. On the remote end, we have client workstations behind a WebRamp 315i. AT the present time, only one workstation at a time my connect to the poptop server. If somebody connect via a regular Internet connection, everything works fine. So the problem must be with the WebRamp, I think. The WebRamps have VPN-Pass Through, which is suppose to allow PPTP connection out. In addition, you are suppose to be able to configure it to connect to a PPTP server, expect it never seems to send a username/password to authenticate with, and poptop terminates the connection waiting for the information. Hopefully somebody on here as some idea. If you need any further details, please feel free to ask. Thanks, Mat Kovach From damin at nacs.net Mon Jan 10 22:26:34 2000 From: damin at nacs.net (Greg Boehnlein) Date: Mon Jan 10 22:26:34 2000 Subject: [pptp-server] WebRamp + PopTop? Message-ID: Has anyone succesfully gotten a Webramp 315e VPN client to attach to a POPtop server? Webramp makes a router that has a built in VPN client that is designed to attach to an NT server and allow multiple users to share a single VPN connection. We get to the authentication stage, however, but the Webramp never sends it's authentication information. -- President of New Age Consulting Service, Inc. Cleveland Ohio http://www.nacs.net info at nacs.net (216)-619-2000 An athletic supporter of the Cleveland Linux User Group http://cleveland.lug.net From damin at nacs.net Mon Jan 10 23:50:22 2000 From: damin at nacs.net (Greg Boehnlein) Date: Mon Jan 10 23:50:22 2000 Subject: [pptp-server] WebRamp + PopTop? In-Reply-To: Message-ID: On Mon, 10 Jan 2000, Greg Boehnlein wrote: > Has anyone succesfully gotten a Webramp 315e VPN client to attach to a > POPtop server? > > Webramp makes a router that has a built in VPN client that is designed to > attach to an NT server and allow multiple users to share a single VPN > connection. We get to the authentication stage, however, but the Webramp > never sends it's authentication information. Upon further einvestigation, "+pap" to the PPP Options file will allow the Webramp VPN client to connect and work. Apparently, the Webramp does not use or understand Chap. -- President of New Age Consulting Service, Inc. Cleveland Ohio http://www.nacs.net info at nacs.net (216)-619-2000 An athletic supporter of the Cleveland Linux User Group http://cleveland.lug.net From cambo11 at hotmail.com Tue Jan 11 08:14:14 2000 From: cambo11 at hotmail.com (Cam Bowman) Date: Tue Jan 11 08:14:14 2000 Subject: [pptp-server] Misc. Questions Message-ID: <20000111141407.50068.qmail@hotmail.com> I have a few questions about the PoPToP v1.0.0 for linux running on Redhat 6.1. 1. How many incoming connections is PoPToP limited to? (the clients will be DSL broadband 1.3MB) Linux box running 100Mbit/full-duplex. 2. What type of security is availble for clients. Encryption etc. 3. If I want to connect the PoPToP server to multiple networks, what software should I use to prevent unauthorized access from LAN to LAN. 4. Has anyone heard of a 802.1q tagging ethernet package for linux? Any information would be appreciated. Thanks Cam Bowman Amtelecom Communications ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From soriordain at asitatech.com Tue Jan 11 08:28:14 2000 From: soriordain at asitatech.com (=?iso-8859-1?Q?Seosamh_D._=D3_Riord=E1in?=) Date: Tue Jan 11 08:28:14 2000 Subject: [pptp-server] MPPE from NT vs pptp-linux-1.0.2 Message-ID: <021701bf5c3f$ec1b7260$8c7fa8c0@typhoon.asitatech.ie> Hi folks, Has anyone here got the pptp-linux-1.0.2 client software to successfully negotiate 40-bit MPPE with a PoPToP server? My setup seems to default to Deflate (15) compression. I've the following setup: PoPToP server machine: pptpd-1.0.0, RH 5.1, 2.0.36, pppd2.3.8 with patches applied as per instructions; all modules loaded; /etc/ppp/options file: lock name pptp-vpn debug kdebug 7 auth +chapms +chapms-v2 mppe-stateless mppe-40 mppe-128 Linux PPTP client machine: pptp-linux-1.0.2, RH 5.1, 2.0.36, pppd2.3.8 with patches applied as per instructions;all modules loaded; /etc/ppp/options file: lock name pptp-vpn debug kdebug 7 noauth Connected to server with: pptp mustang debug name tom noauth +chapms mppe-40 mppe-stateless BTW, it works fine for NT 4.0 SP 6a. Log files from the PoPToP server are attached. Any pointers would be much appreciated, Regards, Seosamh. --------------- Seosamh D. ? Riord?in, [soriordain at asitatech.com] Asita Technologies Int'l Ltd., [http://www.asitatech.com] -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: pptpd.log.NT.txt URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: pptpd.log.linux.txt URL: From tmk at netmagic.net Tue Jan 11 10:38:24 2000 From: tmk at netmagic.net (tmk) Date: Tue Jan 11 10:38:24 2000 Subject: [pptp-server] Misc. Questions References: <20000111141407.50068.qmail@hotmail.com> Message-ID: <001201bf5c52$33882fa0$071c0fc0@lala.net> incoming connections are limited by the number of ppp devices and number of fd's linux allows you to have, when we were first developing it, talks of 1024 or 2048 seemed plausible, though the usable maximum is probably less, i'd say no more than 128 at once on a sufficiently powerful machine.. security is ms-chapV2 40 or 128bit encryption depending on the client if you connect it to multiple networks, you can use ipchains to set up firewalling rules to prevent cross network routing. i know of no vlan tagging package for linux, but i fail to see the usefullness unless you intend to use linux as a switch (which is somewhat impractical IMHO) -Kevin ----- Original Message ----- From: Cam Bowman To: Sent: Tuesday, January 11, 2000 6:14 AM Subject: [pptp-server] Misc. Questions > I have a few questions about the PoPToP v1.0.0 for linux running on Redhat > 6.1. > > 1. How many incoming connections is PoPToP limited to? (the clients will > be DSL broadband 1.3MB) Linux box running 100Mbit/full-duplex. > 2. What type of security is availble for clients. Encryption etc. > 3. If I want to connect the PoPToP server to multiple networks, what > software should I use to prevent unauthorized access from LAN to LAN. > 4. Has anyone heard of a 802.1q tagging ethernet package for linux? > > > > Any information would be appreciated. > > > Thanks > > > Cam Bowman > Amtelecom Communications > > > ______________________________________________________ > Get Your Private, Free Email at http://www.hotmail.com > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From cambo11 at hotmail.com Tue Jan 11 10:56:39 2000 From: cambo11 at hotmail.com (Cam Bowman) Date: Tue Jan 11 10:56:39 2000 Subject: [pptp-server] Misc. Questions Message-ID: <20000111165625.24806.qmail@hotmail.com> I missed one question: I was wondering if I could have the PPTP authentication come from a radius server instead of the pap-secrets or chap-secrets files. Please advise, Cam Bowman >From: "Cam Bowman" >To: pptp-server at lists.schulte.org >Subject: [pptp-server] Misc. Questions >Date: Tue, 11 Jan 2000 06:14:07 PST > >I have a few questions about the PoPToP v1.0.0 for linux running on Redhat >6.1. > >1. How many incoming connections is PoPToP limited to? (the clients will >be DSL broadband 1.3MB) Linux box running 100Mbit/full-duplex. >2. What type of security is availble for clients. Encryption etc. >3. If I want to connect the PoPToP server to multiple networks, what >software should I use to prevent unauthorized access from LAN to LAN. >4. Has anyone heard of a 802.1q tagging ethernet package for linux? > > > >Any information would be appreciated. > > >Thanks > > >Cam Bowman >Amtelecom Communications > > >______________________________________________________ >Get Your Private, Free Email at http://www.hotmail.com > > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulte.org! ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From damin at nacs.net Tue Jan 11 11:12:15 2000 From: damin at nacs.net (Greg Boehnlein) Date: Tue Jan 11 11:12:15 2000 Subject: [pptp-server] WebRamp + PopTop? In-Reply-To: Message-ID: On Tue, 11 Jan 2000, Greg Boehnlein wrote: > On Mon, 10 Jan 2000, Greg Boehnlein wrote: > > > Has anyone succesfully gotten a Webramp 315e VPN client to attach to a > > POPtop server? > > > > Webramp makes a router that has a built in VPN client that is designed to > > attach to an NT server and allow multiple users to share a single VPN > > connection. We get to the authentication stage, however, but the Webramp > > never sends it's authentication information. > > Upon further einvestigation, "+pap" to the PPP Options file will allow the > Webramp VPN client to connect and work. Apparently, the Webramp does not > use or understand Chap. Now the biggest problem that I am having is that the Webramp uses NAT of some sort to allow multiple IP addresses behind it to access the Internet. This causes problems with the VPN connection. I.E. from the Webramp, I am able to ping through the VPN and into the remote network. However, when I attempt to ping with a host sitting behind the Webramp, I can't even ping the PPP interface that the Webramp is assigned. The same problem crops up when you attempt to use the VPN Pass Through feature on the Webramp, except it is a little more succesfull. One client behind the Webramp can establish a VPN connection to the remote PPTP server. The second one that is brought up authenticates fine, but then only one of them can send data. The first client is left dead in the water. This isn't a routing issue. The Linux PPTP server is assigning unique addresses to the VPN connection, and multiple clients from other NON-Webramp sites can connect without a problem. This is most definitely something in the way the Webramp handles the NAT and VPN combination. -- President of New Age Consulting Service, Inc. Cleveland Ohio http://www.nacs.net info at nacs.net (216)-619-2000 An athletic supporter of the Cleveland Linux User Group http://cleveland.lug.net From eswood at tor.dhs.org Tue Jan 11 15:03:41 2000 From: eswood at tor.dhs.org (Edward Scott 'Woody' Wood) Date: Tue Jan 11 15:03:41 2000 Subject: [pptp-server] ipchains on client firewall Message-ID: Good day folks. Newbie here, doin' his best and hitting the wall. I have read the howtos and faqs and am still having troubles at the client end. The Server end is quite happy though. I have an NT client behind a Redhat 6.1 firewall trying to connect to a PoPToP server. I'm sure I have the wrong IPchains rules on that firewall. Here they are. ipchains -P forward DENY ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0 ipchains -A input -p tcp -d 1723 -j ACCEPT ipchains -A input -p tcp -d -j ACCEPT ipchains -A forward -p tcp -d 1723 -j ACCEPT ipchains -A forward -p tcp -s 1723 -j ACCEPT ipchains -A forward -p 47 -d -j ACCEPT ipchains -A forward -P 47 -s -j ACCEPT It's just a home system so all I want from the wall is to allow all outgoing traffic and for the PPTP traffic to work! Any tips, flames, kind words from the masses? From geoff at gnaa.net Tue Jan 11 15:14:45 2000 From: geoff at gnaa.net (Geoff Nordli) Date: Tue Jan 11 15:14:45 2000 Subject: [pptp-server] ipchains on client firewall In-Reply-To: Message-ID: <00d501bf5c79$0d4e59a0$0101a8c0@highwayi.com> It doesn't look like you have any output rules. So unless you default policy for output is allow that part won't work. You also need the vpn masq patch if the firewall is in between the client, and the pptp server. Look at the pptp home page, and you will find reference to it. geoff -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Edward Scott 'Woody' Wood Sent: Tuesday, January 11, 2000 1:07 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] ipchains on client firewall Good day folks. Newbie here, doin' his best and hitting the wall. I have read the howtos and faqs and am still having troubles at the client end. The Server end is quite happy though. I have an NT client behind a Redhat 6.1 firewall trying to connect to a PoPToP server. I'm sure I have the wrong IPchains rules on that firewall. Here they are. ipchains -P forward DENY ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0 ipchains -A input -p tcp -d 1723 -j ACCEPT ipchains -A input -p tcp -d -j ACCEPT ipchains -A forward -p tcp -d 1723 -j ACCEPT ipchains -A forward -p tcp -s 1723 -j ACCEPT ipchains -A forward -p 47 -d -j ACCEPT ipchains -A forward -P 47 -s -j ACCEPT It's just a home system so all I want from the wall is to allow all outgoing traffic and for the PPTP traffic to work! Any tips, flames, kind words from the masses? _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From neale at lowendale.com.au Tue Jan 11 16:25:39 2000 From: neale at lowendale.com.au (Neale Banks) Date: Tue Jan 11 16:25:39 2000 Subject: [pptp-server] Misc. Questions In-Reply-To: <20000111165625.24806.qmail@hotmail.com> Message-ID: On Tue, 11 Jan 2000, Cam Bowman wrote: > I missed one question: I was wondering if I could have the PPTP > authentication come from a radius server instead of the pap-secrets or > chap-secrets files. Authentication id done by PPP, not PPTP. Look at using a PAM-aware PPPD and a RADIUS module for PAM. HTH, Neale. From rowl at earthcorp.com Tue Jan 11 16:38:50 2000 From: rowl at earthcorp.com (Michael St. Laurent) Date: Tue Jan 11 16:38:50 2000 Subject: [pptp-server] Can't get pppd to stop requiring server to authenticate Message-ID: <3.0.6.32.20000111143809.009c7900@guardian.hartwellcorp.com> I'm having a little trouble getting pppd configured properly. I'll be connecting from my Linux box to an NT PPTP server and so I need pppd to not require the NT server to authenticate itself. I've tried adding the 'noauth' option to my options file but it does not seem to change the behaviour. Below is the options file I'm working with: # /etc/ppp/options usehostname noipdefault nodefaultroute debug noauth -pap +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless crtscts lock modem asyncmap 0 nodetach proxyarp lcp-echo-interval 30 lcp-echo-failure 4 idle 600 noipx -------------------- Michael St. Laurent Hartwell Corporation From ewampner at cayenta.com Wed Jan 12 09:20:14 2000 From: ewampner at cayenta.com (Eric Wampner) Date: Wed Jan 12 09:20:14 2000 Subject: [pptp-server] Can't get pppd to stop requiring server to authenticate References: <3.0.6.32.20000111143809.009c7900@guardian.hartwellcorp.com> Message-ID: <387C9CA5.17B78B75@cayenta.com> "Michael St. Laurent" wrote: > require the NT server to authenticate itself. I've tried adding the > 'noauth' option to my options file but it does not seem to change the > behaviour. Below is the options file I'm working with: I ran into the same problem. I found that placing the "noauth" at the end of my arguments line fixed the problem for me, but I was running pppd from the command line, so it may be different for you. Seems like a bug to me. "noauth" should always take precedence over options with specify an authentication scheme, which may be client or server directed. IMHO. eric From dwaller at precisiondrive.com Wed Jan 12 15:16:48 2000 From: dwaller at precisiondrive.com (Dave Waller) Date: Wed Jan 12 15:16:48 2000 Subject: [pptp-server] pptp and ipfwadm Message-ID: <387CEFE6.30673BFA@precisiondrive.com> I am triing to figure out ipfw rules for my LRP box that will allow pptp to work. I have studdied the ipchains in the FAQ but I still don't fully understand it. Could any one shed some light on this? Dave Waller From dwaller at precisiondrive.com Wed Jan 12 16:00:21 2000 From: dwaller at precisiondrive.com (Dave Waller) Date: Wed Jan 12 16:00:21 2000 Subject: [pptp-server] pptp and ipfwadm Message-ID: <387CFA1E.9B9874F3@precisiondrive.com> This is clearify my earlier post. What I am confused about is how you specify a hole in the firewall for a pptp connection that is not a security risk. My network is on 172.16.0.0 and if I allow packets from the internet to come in to that network why wasn't my security been breached? Dave Waller From dwaller at precisiondrive.com Wed Jan 12 16:39:31 2000 From: dwaller at precisiondrive.com (Dave Waller) Date: Wed Jan 12 16:39:31 2000 Subject: [pptp-server] pptp and ipfwadm References: Message-ID: <387D034C.36A5D8B4@precisiondrive.com> ipchains is the problem. I need to use ipfwadm because the LRP box I am using is an older kernel. Dave Waller tmk wrote: > it's in the pptp-server list archives, but here's the short version > > these two commands allow pptp data from all hosts through (server only.. > if you want masq'd clients to get to external pptp servers, you need a > kernel module) > > #for new connections > ipchains -A input -p tcp -d 1723 -j ACCEPT > #for GRE > ipchains -A input -p 47 -j ACCEPT > > Kevin > > On Wed, 12 Jan 2000, Dave Waller wrote: > > > I am triing to figure out ipfw rules for my LRP box that will allow pptp > > to work. > > > > I have studdied the ipchains in the FAQ but I still don't fully > > understand it. > > > > Could any one shed some light on this? > > > > Dave Waller > > > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulte.org! > > From mjbarsalou at attglobal.net Wed Jan 12 18:09:22 2000 From: mjbarsalou at attglobal.net (Michael Barsalou) Date: Wed Jan 12 18:09:22 2000 Subject: [pptp-server] getting pptp to work using inetd Message-ID: <200001130009.SAA16992@snaildust.schulte.org> I didn't really understand the README.inetd file. I tried putting the pptpctrl in the inetd.conf file but couldn't get it to work properly. pptpd will work fine if I launch it from the command line. Anyone have any ideas? Mike Michael Barsalou mjbarsalou at ibm.net From tmk at netmagic.net Wed Jan 12 18:46:03 2000 From: tmk at netmagic.net (tmk) Date: Wed Jan 12 18:46:03 2000 Subject: [pptp-server] getting pptp to work using inetd References: <200001130009.SAA16992@snaildust.schulte.org> Message-ID: <000f01bf5d5f$7ee55be0$071c0fc0@lala.net> there used to be a switch to tell it that it is using inetd.. it wasnt in the manpage, and we may have scrapped it.. let me look into this. Kevin ----- Original Message ----- From: Michael Barsalou To: Sent: Wednesday, January 12, 2000 4:09 PM Subject: [pptp-server] getting pptp to work using inetd > I didn't really understand the README.inetd file. > > I tried putting the pptpctrl in the inetd.conf file but couldn't get it to > work properly. > > pptpd will work fine if I launch it from the command line. > > Anyone have any ideas? > > Mike > > > Michael Barsalou > mjbarsalou at ibm.net > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From tmk at netmagic.net Wed Jan 12 18:49:17 2000 From: tmk at netmagic.net (tmk) Date: Wed Jan 12 18:49:17 2000 Subject: [pptp-server] getting pptp to work using inetd References: <200001130009.SAA16992@snaildust.schulte.org> Message-ID: <001301bf5d5f$f0b17060$071c0fc0@lala.net> read the manpage for pptpctrl, there are examples for how to do it (you use pptpctrl, not pptpd) Kevin ----- Original Message ----- From: Michael Barsalou To: Sent: Wednesday, January 12, 2000 4:09 PM Subject: [pptp-server] getting pptp to work using inetd > I didn't really understand the README.inetd file. > > I tried putting the pptpctrl in the inetd.conf file but couldn't get it to > work properly. > > pptpd will work fine if I launch it from the command line. > > Anyone have any ideas? > > Mike > > > Michael Barsalou > mjbarsalou at ibm.net > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From mjbarsalou at attglobal.net Wed Jan 12 19:17:02 2000 From: mjbarsalou at attglobal.net (Michael Barsalou) Date: Wed Jan 12 19:17:02 2000 Subject: [pptp-server] Multiple interfaces Message-ID: <200001130117.TAA17886@snaildust.schulte.org> I have multiple interfaces that I want to have pptp connection on. What would be my best way to implement this? Michael Barsalou mjbarsalou at ibm.net From tmk at netmagic.net Wed Jan 12 19:30:09 2000 From: tmk at netmagic.net (tmk) Date: Wed Jan 12 19:30:09 2000 Subject: [pptp-server] Multiple interfaces References: <200001130117.TAA17886@snaildust.schulte.org> Message-ID: <003401bf5d65$a45b7340$071c0fc0@lala.net> it defaults to allow connections from all interfaces if you want to selectively block them, use ipchains or some other firewall to block incoming connections on port 1723 for that interface Kevin ----- Original Message ----- From: Michael Barsalou To: Sent: Wednesday, January 12, 2000 5:17 PM Subject: [pptp-server] Multiple interfaces > I have multiple interfaces that I want to have pptp connection on. > > What would be my best way to implement this? > > > Michael Barsalou > mjbarsalou at ibm.net > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From jbeauchamp at 4anything.com Wed Jan 12 21:08:08 2000 From: jbeauchamp at 4anything.com (Joe Beauchamp) Date: Wed Jan 12 21:08:08 2000 Subject: [pptp-server] What the heck... Announcing pptpd-1.1.1pre1 In-Reply-To: References: Message-ID: <3.0.6.32.20000112220646.009377d0@1mailbox.com> This is what I got trying to build it on 2.2.14p16: gcc -DHAVE_CONFIG_H -I. -I. -I. -I. -g -fno-builtin -Wall -Werror -ansi -DSBI NDIR='"/usr/local/sbin"' -c pptpd.c cc1: warnings being treated as errors pptpd.c: In function `main': pptpd.c:163: warning: implicit declaration of function `strdup' pptpd.c:163: warning: assignment makes pointer from integer without a cast pptpd.c:193: warning: assignment makes pointer from integer without a cast pptpd.c:200: warning: assignment makes pointer from integer without a cast pptpd.c:206: warning: assignment makes pointer from integer without a cast pptpd.c:220: warning: assignment makes pointer from integer without a cast pptpd.c:236: warning: assignment makes pointer from integer without a cast pptpd.c:248: warning: assignment makes pointer from integer without a cast pptpd.c:252: warning: assignment makes pointer from integer without a cast pptpd.c:260: warning: assignment makes pointer from integer without a cast pptpd.c:264: warning: assignment makes pointer from integer without a cast pptpd.c: In function `lookup': pptpd.c:398: warning: implicit declaration of function `memcpy' make: *** [pptpd.o] Error 1 At 08:07 PM 12/23/99 -0500, Patrick J. LoPresti wrote: >patl at cag.lcs.mit.edu (Patrick J. LoPresti) writes: > >> Well, that was quick. > >And again. > >It looks like Linux 2.2.x did some violence to the way send() and >recv() work. So I have punted them entirely and gone back to good old >read() and write(). (A quick browse through the kernel sources >suggest they are the same thing for this purpose.) This should be a >lot more portable. > > > >Sorry for the flurry of announcements. > > - Pat > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulte.org! > > From tmk at netmagic.net Wed Jan 12 21:23:56 2000 From: tmk at netmagic.net (tmk) Date: Wed Jan 12 21:23:56 2000 Subject: [pptp-server] What the heck... Announcing pptpd-1.1.1pre1 References: <3.0.6.32.20000112220646.009377d0@1mailbox.com> Message-ID: <000901bf5d75$8ac9c8e0$071c0fc0@lala.net> you need to turn off the 'treat warnings as errors' stuff it was explained in a subsequent post Kevin ----- Original Message ----- From: Joe Beauchamp To: Patrick J. LoPresti ; Sent: Wednesday, January 12, 2000 7:06 PM Subject: Re: [pptp-server] What the heck... Announcing pptpd-1.1.1pre1 > This is what I got trying to build it on 2.2.14p16: > > gcc -DHAVE_CONFIG_H -I. -I. -I. -I. -g -fno-builtin -Wall -Werror -ansi - DSBI > NDIR='"/usr/local/sbin"' -c pptpd.c > cc1: warnings being treated as errors > pptpd.c: In function `main': > pptpd.c:163: warning: implicit declaration of function `strdup' > pptpd.c:163: warning: assignment makes pointer from integer without a cast > pptpd.c:193: warning: assignment makes pointer from integer without a cast > pptpd.c:200: warning: assignment makes pointer from integer without a cast > pptpd.c:206: warning: assignment makes pointer from integer without a cast > pptpd.c:220: warning: assignment makes pointer from integer without a cast > pptpd.c:236: warning: assignment makes pointer from integer without a cast > pptpd.c:248: warning: assignment makes pointer from integer without a cast > pptpd.c:252: warning: assignment makes pointer from integer without a cast > pptpd.c:260: warning: assignment makes pointer from integer without a cast > pptpd.c:264: warning: assignment makes pointer from integer without a cast > pptpd.c: In function `lookup': > pptpd.c:398: warning: implicit declaration of function `memcpy' > make: *** [pptpd.o] Error 1 > > > At 08:07 PM 12/23/99 -0500, Patrick J. LoPresti wrote: > >patl at cag.lcs.mit.edu (Patrick J. LoPresti) writes: > > > >> Well, that was quick. > > > >And again. > > > >It looks like Linux 2.2.x did some violence to the way send() and > >recv() work. So I have punted them entirely and gone back to good old > >read() and write(). (A quick browse through the kernel sources > >suggest they are the same thing for this purpose.) This should be a > >lot more portable. > > > > > > > >Sorry for the flurry of announcements. > > > > - Pat > > > >_______________________________________________ > >pptp-server maillist - pptp-server at lists.schulte.org > >http://lists.schulte.org/mailman/listinfo/pptp-server > >List services provided by www.schulte.org! > > > > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From johnoel at hawaii.com Thu Jan 13 00:11:28 2000 From: johnoel at hawaii.com (john oel@H@) Date: Thu Jan 13 00:11:28 2000 Subject: [pptp-server] pppd:no device stdin not tty Message-ID: <200001130703.XAA08992@mail.hawaii.com> hi all, i keep getting this weird error when it tries to make the pptp connection. pppd:no device specified and stdin is not tty i am using ppp-2.3.8 with patch and followed the poptop instructions exactly. anyclues, johnoel -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From A.T.v.d.Hil at tue.nl Thu Jan 13 01:32:30 2000 From: A.T.v.d.Hil at tue.nl (Hil, A.T.v.d.) Date: Thu Jan 13 01:32:30 2000 Subject: [pptp-server] Stalling Connection Message-ID: <81E5F727841DD211A5FD0008C728DB7B0218AE97@campusx1.tue.nl> Hi, Im using pptp to create a tunnel to a NT pptp-server. The connection is working fine but.... When I e.g. start an x-session the connection stalls after serveral kbit's. This means that I get a x-window on my screen but it refuses to work correcty because there are no further packets transfered over the tunnel. Can someone help me with this. Alexander From tmk at netmagic.net Thu Jan 13 02:23:26 2000 From: tmk at netmagic.net (tmk) Date: Thu Jan 13 02:23:26 2000 Subject: [pptp-server] Stalling Connection References: <81E5F727841DD211A5FD0008C728DB7B0218AE97@campusx1.tue.nl> Message-ID: <001601bf5d9f$6387f160$071c0fc0@lala.net> you might want to try the developers version that is going around.. we think we fixed some of the problems relating to link degredation, but we're still testing.. we'd love your input if you are going over a modem, try setting the speed to 38400 instead of the default 115200.. that is done in the pptpd.conf file or on the command line.. it is easy to flood a modem line, and the pptp daemon has no way of determining line speed. Kevin ----- Original Message ----- From: Hil, A.T.v.d. To: Sent: Wednesday, January 12, 2000 11:32 PM Subject: [pptp-server] Stalling Connection > > Hi, > > > Im using pptp to create a tunnel to a > NT pptp-server. The connection is > working fine but.... When I e.g. start > an x-session the connection stalls after > serveral kbit's. This means that I get > a x-window on my screen but it refuses to > work correcty because there are no further > packets transfered over the tunnel. > > Can someone help me with this. > > > Alexander > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From yan at cardinalengineering.com Thu Jan 13 06:10:09 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Thu Jan 13 06:10:09 2000 Subject: [pptp-server] Stalling Connection References: <81E5F727841DD211A5FD0008C728DB7B0218AE97@campusx1.tue.nl> <001601bf5d9f$6387f160$071c0fc0@lala.net> Message-ID: <387DC1C1.726345BA@cardinalengineering.com> I ran into this last night. It was weird; I was in the midst of a medium download (~200K) and the line stopped dead... I still had the ssh connection, so I killed pptp and restarted; no dice. Shortly thereafter, the ssh connection went dead. Came in this morning; the pppd daemon had died. Anyway, poptop is not quite ready for prime time :-( . (Or maybe it's MS that's not ready...) I was connecting from a Win95 box with DUN 1.3. Apparently, there is also some issue with the Windows TCP/IP stack getting corrupted; I don't know which causes which. After the ssh connection went dead, I could no longer even ping the internet, although my dial-up was still up. A reboot solved the problem. Let me know what if anything I can do to help. I need to get this running rock solid in the next 3 months. --Yan tmk wrote: > > you might want to try the developers version that is going around.. we think > we fixed some of the problems relating to link degredation, but we're still > testing.. we'd love your input > > if you are going over a modem, try setting the speed to 38400 instead of the > default 115200.. that is done in the pptpd.conf file or on the command > line.. it is easy to flood a modem line, and the pptp daemon has no way of > determining line speed. > > Kevin > -- Think different ride a recumbent use Linux. From joakim at island.liu.se Thu Jan 13 06:23:05 2000 From: joakim at island.liu.se (Joakim Franzen) Date: Thu Jan 13 06:23:05 2000 Subject: [pptp-server] Stalling Connection References: <81E5F727841DD211A5FD0008C728DB7B0218AE97@campusx1.tue.nl> <001601bf5d9f$6387f160$071c0fc0@lala.net> <387DC1C1.726345BA@cardinalengineering.com> Message-ID: <387DC3AE.245EA020@island.liu.se> We have been experiencing something similar. If the pptp server has to work hard (90-100% of CPU) for a longer period of time it dies and shortly after ssh connections go dead as well. I still run ver 1.0 so I will try version 1.1.1 that came out a while back hopefully that will solve this problem. //Joakim Yan Seiner wrote: > > I ran into this last night. It was weird; I was in the midst of a > medium download (~200K) and the line stopped dead... > > I still had the ssh connection, so I killed pptp and restarted; no > dice. Shortly thereafter, the ssh connection went dead. Came in this > morning; the pppd daemon had died. > > Anyway, poptop is not quite ready for prime time :-( . (Or maybe it's > MS that's not ready...) > > I was connecting from a Win95 box with DUN 1.3. Apparently, there is > also some issue with the Windows TCP/IP stack getting corrupted; I don't > know which causes which. After the ssh connection went dead, I could no > longer even ping the internet, although my dial-up was still up. A > reboot solved the problem. > > Let me know what if anything I can do to help. I need to get this > running rock solid in the next 3 months. > > --Yan > > tmk wrote: > > > > you might want to try the developers version that is going around.. we think > > we fixed some of the problems relating to link degredation, but we're still > > testing.. we'd love your input > > > > if you are going over a modem, try setting the speed to 38400 instead of the > > default 115200.. that is done in the pptpd.conf file or on the command > > line.. it is easy to flood a modem line, and the pptp daemon has no way of > > determining line speed. > > > > Kevin > > > -- > > Think different > ride a recumbent > use Linux. > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! From dwaller at precisiondrive.com Thu Jan 13 10:10:00 2000 From: dwaller at precisiondrive.com (Dave Waller) Date: Thu Jan 13 10:10:00 2000 Subject: [pptp-server] pptp and ipfwadm References: <387D034C.36A5D8B4@precisiondrive.com> <387DBAB2.857F5944@cardinalengineering.com> Message-ID: <387DF97C.70532FC5@precisiondrive.com> So I need to switch to ipchains? Yan Seiner wrote: > You can't use ipfwadm with opptp; it lacks support for GRE (protocol 47 > that PPTP uses). > > There are patches out, but all focus has shifted to ipchains. > > --Yan > > Dave Waller wrote: > > > > ipchains is the problem. I need to use ipfwadm because the LRP box I am > > using is an older kernel. > > > > Dave Waller > > > > tmk wrote: > > > > > it's in the pptp-server list archives, but here's the short version > > > > > > these two commands allow pptp data from all hosts through (server only.. > > > if you want masq'd clients to get to external pptp servers, you need a > > > kernel module) > > > > > > #for new connections > > > ipchains -A input -p tcp -d 1723 -j ACCEPT > > > #for GRE > > > ipchains -A input -p 47 -j ACCEPT > > > > > > Kevin > > > > > > On Wed, 12 Jan 2000, Dave Waller wrote: > > > > > > > I am triing to figure out ipfw rules for my LRP box that will allow pptp > > > > to work. > > > > > > > > I have studdied the ipchains in the FAQ but I still don't fully > > > > understand it. > > > > > > > > Could any one shed some light on this? > > > > > > > > Dave Waller > > > > > > > > > > > > _______________________________________________ > > > > pptp-server maillist - pptp-server at lists.schulte.org > > > > http://lists.schulte.org/mailman/listinfo/pptp-server > > > > List services provided by www.schulte.org! > > > > > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulte.org! > > -- > > Think different > ride a recumbent > use Linux. From hshaw at healthcentralrx.com Thu Jan 13 10:41:20 2000 From: hshaw at healthcentralrx.com (T.Shaw) Date: Thu Jan 13 10:41:20 2000 Subject: [pptp-server] Stalling Connection In-Reply-To: <387DC1C1.726345BA@cardinalengineering.com> Message-ID: Seems ready for Prime time to me. I have had no problems connecting win98/winNT Machine to my poptop VPN server running on my firewall at all. got Multiple people connecting just fine. Only issue I still have is the Browsing and name resolution of netbios names ( yes I have ms-wins in /etc/ppp/options and yes I have a wins server setup that its pointing to). but I suspect that that's a PPP thing and not a poptop thing. (shrug) Working like a champ for me.. Good work guys, you made me 'The MAN' at work.. :-) Terrelle Shaw System Administrator hshaw at healthcentralrx.com -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Yan Seiner Sent: Thursday, January 13, 2000 4:15 AM To: tmk; pptp-server at lists.schulte.org Subject: Re: [pptp-server] Stalling Connection I ran into this last night. It was weird; I was in the midst of a medium download (~200K) and the line stopped dead... I still had the ssh connection, so I killed pptp and restarted; no dice. Shortly thereafter, the ssh connection went dead. Came in this morning; the pppd daemon had died. Anyway, poptop is not quite ready for prime time :-( . (Or maybe it's MS that's not ready...) I was connecting from a Win95 box with DUN 1.3. Apparently, there is also some issue with the Windows TCP/IP stack getting corrupted; I don't know which causes which. After the ssh connection went dead, I could no longer even ping the internet, although my dial-up was still up. A reboot solved the problem. Let me know what if anything I can do to help. I need to get this running rock solid in the next 3 months. --Yan tmk wrote: > > you might want to try the developers version that is going around.. we think > we fixed some of the problems relating to link degredation, but we're still > testing.. we'd love your input > > if you are going over a modem, try setting the speed to 38400 instead of the > default 115200.. that is done in the pptpd.conf file or on the command > line.. it is easy to flood a modem line, and the pptp daemon has no way of > determining line speed. > > Kevin > -- Think different ride a recumbent use Linux. _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From yan at cardinalengineering.com Thu Jan 13 11:42:43 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Thu Jan 13 11:42:43 2000 Subject: [pptp-server] Stalling Connection References: Message-ID: <387E0FB2.3CA3D574@cardinalengineering.com> Maybe the issue is that I am using Win95 OSR 2 to test the setup? I'll try from my NT test box; see if we can kill pptpd. As I said, the problem may be in some instability with the Win95 TCP/IP stack, not with poptop at all. I did not mean to disparage the product or the authors at all. I appreciate what they're doing and am willing to help in my small way. Just that I have to have a rock-solid VPN up in 3 months, and neither poptop now freeswan is cutting it right now.... Maybe in the next version ;-) --Yan "T.Shaw" wrote: > > Seems ready for Prime time to me. I have had no problems connecting win98/winNT > Machine to my poptop VPN server running on my firewall at all. > got Multiple people connecting just fine. Only issue I still have is the > Browsing and name resolution of netbios names ( yes I have ms-wins in > /etc/ppp/options and yes I have a wins server setup that its pointing to). > but I suspect that that's a PPP thing and not a poptop thing. > (shrug) > Working like a champ for me.. Good work guys, you made me 'The MAN' at work.. > :-) > > Terrelle Shaw > System Administrator > hshaw at healthcentralrx.com > -- Think different ride a recumbent use Linux. From erobinson at dot.state.nv.us Thu Jan 13 14:58:22 2000 From: erobinson at dot.state.nv.us (Robinson, Eric R.) Date: Thu Jan 13 14:58:22 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? Message-ID: Greetings, I've been "lurking" on this list for a while and now I have a question for the assembly. I'm looking for a nice, clean, single-box Linux solution for state-based firewalling, true NAT and VPN services for Windows clients. What is your opinion? Can that be done? Is PoPtoP part of the answer? When I say "true NAT," I mean that external addresses must be statically mappable to internal hosts, and it must not matter whether the external addresses are public or private. I'd really like to hear some detailed opinions on this one. -- Eric Robinson Network Analyst Nevada DOT From cwf at infosecana.com Thu Jan 13 16:26:58 2000 From: cwf at infosecana.com (Chuck Flink) Date: Thu Jan 13 16:26:58 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? References: Message-ID: <001e01bf5e16$4e47e810$0100a8c0@infosecana.com> Check out www.rampnet.com products. I used an early one for demand- dialed ISDN (128k) access to MSN for a couple of years and found it a quite satisfactory NAT for a half-dozen developers in my lab. It was then about $600. Today, if they arn't a good bit cheaper, it's because sales are holding the price up. It should be as cheap or cheaper than what you can make on your own... no disk, no floppy, remote admin from any PC on your LAN, built-in 10BaseT hub, etc. Mine was about the size of a cable modem. (I see they now have a more expensive models designated as firewalls.) Don't get me wrong: I love Linux and look forward to there being a well packaged single-floppy Linux with NAT, PPTP, etc. ....and it's coming. But if you want to buy something off-the-shelf that supports PPTP, NAT, additional firewall features, etc. from a concern that's been around for a while, I recommend this one. P.S. I'm looking forward to seeing the other postings on this. I'm currently using a RC-2 Windows 2000 Pro as a NAT/PPTP basic firewall box connected to RoadRunner. It works great and was easy to setup. Once the Feb release date comes, I hope to switch to using one of my old 486 PCs as a Linux/NAT/pptp box and want to hear it's easy to do. - Chuck Flink www.infosecana.com/flinkink ----- Original Message ----- From: "Robinson, Eric R." To: Sent: Thursday, January 13, 2000 3:56 PM Subject: [pptp-server] State-based Firewall and VPN Server on One Box? > Greetings, > > I've been "lurking" on this list for a while and now I have a question for > the assembly. > > I'm looking for a nice, clean, single-box Linux solution for state-based > firewalling, true NAT and VPN services for Windows clients. What is your > opinion? Can that be done? Is PoPtoP part of the answer? > > When I say "true NAT," I mean that external addresses must be statically > mappable to internal hosts, and it must not matter whether the external > addresses are public or private. > > I'd really like to hear some detailed opinions on this one. > > -- > Eric Robinson > Network Analyst > Nevada DOT > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > From matthewr at moreton.com.au Thu Jan 13 16:50:10 2000 From: matthewr at moreton.com.au (Matthew Ramsay) Date: Thu Jan 13 16:50:10 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? References: Message-ID: <00011408503003.13262@gibberling> Gday Eric, PoPToP was originally designed to run on a NETtel (uClinux-coldfire board). See: http://www.moretonbay.com/MBWEB/product/nettel/nettel.htm Perhaps it is a solution? Cheers, Matt. >I've been "lurking" on this list for a while and now I have a question for >the assembly. > >I'm looking for a nice, clean, single-box Linux solution for state-based >firewalling, true NAT and VPN services for Windows clients. What is your >opinion? Can that be done? Is PoPtoP part of the answer? > >When I say "true NAT," I mean that external addresses must be statically >mappable to internal hosts, and it must not matter whether the external >addresses are public or private. From johnoel at hawaii.com Thu Jan 13 17:39:39 2000 From: johnoel at hawaii.com (john oel@H@) Date: Thu Jan 13 17:39:39 2000 Subject: [pptp-server] routing Message-ID: <200001140031.QAA08799@mail.hawaii.com> hi all, after a long struggle, i was able to log into the poptop vpn server. current setup. win98 client | | =INTERNET= | | linux 2.2.x /ipchains firewall with vpn-patch and ipmasqadm and ipfwd to forward port 1723 and prot 47 192.168.0.0 network | | linux 2.2.x /poptop | | winnt i can ping internal linux machine but i cannot ping the winnt system. pptpd.conf assigns the ips from 192.168.219.x. i have tried to install poptop on the firewall and was able to ping and use both machines. but when i moved the poptop server internally i could only access the poptop server. any clues. johnoel -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From erobinson at dot.state.nv.us Thu Jan 13 18:36:24 2000 From: erobinson at dot.state.nv.us (Robinson, Eric R.) Date: Thu Jan 13 18:36:24 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? Message-ID: When you say you're using W2K for a "NAT/PPTP basic firewall," does that mean it's providing VPN services as well? Ans what do you mean by "basic?" Looking forward to some expansion on that part. --Eric -----Original Message----- From: Chuck Flink [mailto:cwf at infosecana.com] Sent: Thursday, January 13, 2000 2:34 PM To: Robinson, Eric R.; pptp-server at lists.schulte.org Subject: Re: [pptp-server] State-based Firewall and VPN Server on One Box? Check out www.rampnet.com products. I used an early one for demand- dialed ISDN (128k) access to MSN for a couple of years and found it a quite satisfactory NAT for a half-dozen developers in my lab. It was then about $600. Today, if they arn't a good bit cheaper, it's because sales are holding the price up. It should be as cheap or cheaper than what you can make on your own... no disk, no floppy, remote admin from any PC on your LAN, built-in 10BaseT hub, etc. Mine was about the size of a cable modem. (I see they now have a more expensive models designated as firewalls.) Don't get me wrong: I love Linux and look forward to there being a well packaged single-floppy Linux with NAT, PPTP, etc. ....and it's coming. But if you want to buy something off-the-shelf that supports PPTP, NAT, additional firewall features, etc. from a concern that's been around for a while, I recommend this one. P.S. I'm looking forward to seeing the other postings on this. I'm currently using a RC-2 Windows 2000 Pro as a NAT/PPTP basic firewall box connected to RoadRunner. It works great and was easy to setup. Once the Feb release date comes, I hope to switch to using one of my old 486 PCs as a Linux/NAT/pptp box and want to hear it's easy to do. - Chuck Flink www.infosecana.com/flinkink ----- Original Message ----- From: "Robinson, Eric R." To: Sent: Thursday, January 13, 2000 3:56 PM Subject: [pptp-server] State-based Firewall and VPN Server on One Box? > Greetings, > > I've been "lurking" on this list for a while and now I have a question for > the assembly. > > I'm looking for a nice, clean, single-box Linux solution for state-based > firewalling, true NAT and VPN services for Windows clients. What is your > opinion? Can that be done? Is PoPtoP part of the answer? > > When I say "true NAT," I mean that external addresses must be statically > mappable to internal hosts, and it must not matter whether the external > addresses are public or private. > > I'd really like to hear some detailed opinions on this one. > > -- > Eric Robinson > Network Analyst > Nevada DOT > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > > From markk at cgipc.com Thu Jan 13 22:22:27 2000 From: markk at cgipc.com (Mark Komarinski) Date: Thu Jan 13 22:22:27 2000 Subject: [pptp-server] Linux PPTP server and client Message-ID: <387EA4AF.5EF1D346@cgipc.com> Hooboy. This has been a fun way to spend an evening. Anyway, here's my setup: Linux (Redhat 5.2) running as a masq server for my home network. Linux (RH 6.0) running as firewall at the office - I think that's okay. Linux (RH 6.0) running as pptp server (actually my desktop machine too). I've been having no end of trouble getting CHAP configured for both sides, so I pretty much gave up and turned all authentication off. "But Mark," you say, "you're nuts! Anyone can then get access to your PPTP server and fiddle around your network!" Ahh, but there you're wrong. Because it doesn't work! Both sides seem to get this error: Jan 13 23:14:30 wayga pppd[2721]: rcvd [CCP ConfReq id=0x1 ] Jan 13 23:14:30 wayga pppd[2721]: sent [CCP ConfAck id=0x1 ] Jan 13 23:14:30 wayga pppd[2721]: sent [CCP ConfReq id=0x3 ] Jan 13 23:14:30 wayga pppd[2721]: rcvd [CCP ConfAck id=0x3 ] Jan 13 23:14:30 wayga pppd[2721]: Received bad configure-ack: 15 03 2f Jan 13 23:14:33 wayga pppd[2721]: CCP: timeout sending Config-Requests That looks bad, don't it? Any ideas on what it is? What I would *like* to do is get the masq server running pptp client, so all my home-network machines can access the work network. Alternately, I guess I need to run ipfwd on the masq server and forward packets directly to one machine? -Mark From cambo11 at hotmail.com Thu Jan 13 22:27:20 2000 From: cambo11 at hotmail.com (Cam Bowman) Date: Thu Jan 13 22:27:20 2000 Subject: [pptp-server] routing Message-ID: <20000114042706.99683.qmail@hotmail.com> This may be a stupid question, but do you have routing (IP Forwarding) enabled on the linux box. I know I had this problem before, and as soon as I enabled routing it worked great. I believe the reason was that the PPTP connection is point-to-point, this means it's connectivity terminates on the linux server. To hop over to the internal lan the linux station must forward the packet for you (acts as a router). Let me know if it works. Cam Bowman Amtelecom Communications >From: "john oel at H@" >Reply-To: johnoel at hawaii.com >To: pptp-server at lists.schulte.org >Subject: [pptp-server] routing >Date: Thu, 13 Jan 2000 16:31:37 -0800 > >hi all, > > after a long struggle, i was able to log into the > poptop vpn server. current setup. > > win98 client > | > | > =INTERNET= > | > | > linux 2.2.x /ipchains firewall > with vpn-patch > and ipmasqadm and ipfwd to forward > > port 1723 and prot 47 > 192.168.0.0 network > | > | > linux 2.2.x /poptop > | > | > winnt > > i can ping internal linux machine > but i cannot ping the winnt system. > pptpd.conf assigns the ips from 192.168.219.x. > i have tried to install poptop on the > firewall and was able to ping and use > both machines. but when i moved the > poptop server internally i could only > access the poptop server. > > any clues. > johnoel > > > >-------------------------------- >Get your free email @hawaii.com >http://www.hawaii.com/ > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulte.org! ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From tmk at netmagic.net Thu Jan 13 22:53:47 2000 From: tmk at netmagic.net (tmk) Date: Thu Jan 13 22:53:47 2000 Subject: [pptp-server] Linux PPTP server and client References: <387EA4AF.5EF1D346@cgipc.com> Message-ID: <007f01bf5e4b$44df3460$071c0fc0@lala.net> if a pptp client is behind a firewall, you need the masq_pptp module loaded to let em through otherwise everything should be ok Kevin ----- Original Message ----- From: Mark Komarinski To: Sent: Thursday, January 13, 2000 8:23 PM Subject: [pptp-server] Linux PPTP server and client > Hooboy. This has been a fun way to spend an evening. Anyway, here's my setup: > > Linux (Redhat 5.2) running as a masq server for my home network. > Linux (RH 6.0) running as firewall at the office - I think that's okay. > Linux (RH 6.0) running as pptp server (actually my desktop machine too). > > I've been having no end of trouble getting CHAP configured for both sides, > so I pretty much gave up and turned all authentication off. > > "But Mark," you say, "you're nuts! Anyone can then get access to your > PPTP server and fiddle around your network!" > > Ahh, but there you're wrong. Because it doesn't work! > > Both sides seem to get this error: > > Jan 13 23:14:30 wayga pppd[2721]: rcvd [CCP ConfReq id=0x1 ] > Jan 13 23:14:30 wayga pppd[2721]: sent [CCP ConfAck id=0x1 ] > Jan 13 23:14:30 wayga pppd[2721]: sent [CCP ConfReq id=0x3 ] > Jan 13 23:14:30 wayga pppd[2721]: rcvd [CCP ConfAck id=0x3 ] > Jan 13 23:14:30 wayga pppd[2721]: Received bad configure-ack: 15 03 2f > Jan 13 23:14:33 wayga pppd[2721]: CCP: timeout sending Config-Requests > > That looks bad, don't it? > > Any ideas on what it is? > > What I would *like* to do is get the masq server running pptp client, so all my > home-network machines can access the work network. Alternately, I guess I need > to run ipfwd on the masq server and forward packets directly to one machine? > > -Mark > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From yan at cardinalengineering.com Fri Jan 14 06:03:11 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Fri Jan 14 06:03:11 2000 Subject: [pptp-server] Stalling Connection References: <387E0FB2.3CA3D574@cardinalengineering.com> Message-ID: <387F11A9.63515B42@cardinalengineering.com> OK, more testing last night. I think I have the instability solved - I shoved about 130MB across the connection last night and no problems - this on the Win95 box. The issue seems to be pptpctrl. I ran it from inetd and it seems to be much more stable that way. Also, all my options are in the .conf file and not on the pptpctrl command line. I don't know if that makes any difference. I had no luck with NT testing. Software prob on my end - nothing to do with pptp. I am running additional tests; I'll see what I come up with today. --Yan Yan Seiner wrote: > > Maybe the issue is that I am using Win95 OSR 2 to test the setup? I'll > try from my NT test box; see if we can kill pptpd. > > As I said, the problem may be in some instability with the Win95 TCP/IP > stack, not with poptop at all. > > I did not mean to disparage the product or the authors at all. I > appreciate what they're doing and am willing to help in my small way. > Just that I have to have a rock-solid VPN up in 3 months, and neither > poptop now freeswan is cutting it right now.... > > Maybe in the next version ;-) > > --Yan > -- Think different ride a recumbent use Linux. From jimbud at arborlink.com Fri Jan 14 08:05:25 2000 From: jimbud at arborlink.com (Adrian) Date: Fri Jan 14 08:05:25 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? In-Reply-To: Message-ID: Hello, Linux and this pptp package, along with the netfilter package, are what you're looking for. Netfilter is capable of stateful rules, NAT in many forms, and PoPtoP is the best, most stable VPN provider for people looking for Windows solutions. However, Netfilter, like kernel 2.3, is in development and even though it works it won't be what you should use until it's stablised. You might want to subscribe to the Netfilter mailing list as well. (email listproc at samba.org with body "subscribe netfilter your_full_name") Regards, Adrian On Thu, 13 Jan 2000, Robinson, Eric R. wrote: > Greetings, > > I've been "lurking" on this list for a while and now I have a question for > the assembly. > > I'm looking for a nice, clean, single-box Linux solution for state-based > firewalling, true NAT and VPN services for Windows clients. What is your > opinion? Can that be done? Is PoPtoP part of the answer? > > When I say "true NAT," I mean that external addresses must be statically > mappable to internal hosts, and it must not matter whether the external > addresses are public or private. > > I'd really like to hear some detailed opinions on this one. > > -- > Eric Robinson > Network Analyst > Nevada DOT > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From soriordain at asitatech.com Fri Jan 14 09:25:20 2000 From: soriordain at asitatech.com (=?iso-8859-1?Q?Seosamh_D._=D3_Riord=E1in?=) Date: Fri Jan 14 09:25:20 2000 Subject: [pptp-server] Re: Hi, I'm in trouble with the same config as you Message-ID: <04ae01bf5ea3$52651660$8c7fa8c0@typhoon.asitatech.ie> Hi Yann, I didn't manage to get the pptp-linux-1.0.2 client talking to PoPToP 1.0.0, (as yet), - it needs to be looked at further, and I may get time to do this in the next couple of weeks. It doesn't appear that anyone on the list has got this negotiating 40(or 128) bit MPPE to the PoPToP server. I've seen other messages asking about this also but they went unanswered. Microsoft clients(NT/W9[5|8]) do connect with 40(or 128) bit MPPE alright. This appears to be a negotiation problem between the linux client side and PoPToP, ie in PPPD. Logs show different messages being exchanged than when negotiating with the Microsoft clients. The pptp-linux client does connect to PPTP successfully, if you ensure the /etc/ppp/chap-secrets on both machines are similar, the options file and the pptp command are like the ones I had in my last mail to the list. However, with this setup, it will connect with MSCHAP-V2(seen in the log on the pptp server) but there will be no encryption. I'll let you know if I make any progress (when I get time) on the linux client side. Regards, Seosamh -----Original Message----- From: yann.foissac To: soriordain at asitatech.com Date: Friday, January 14, 2000 11:45 AM Subject: Hi, I'm in trouble with the same config as you I have a pptp linux client 1.0.2 and I want to connect on a PoPToP server Could you help me ? I just want to understant the chap-secret file and option file thanks From gord at amador.ca Fri Jan 14 10:02:15 2000 From: gord at amador.ca (Gord Belsey) Date: Fri Jan 14 10:02:15 2000 Subject: [pptp-server] Re: Hi, I'm in trouble with the same config as you References: <04ae01bf5ea3$52651660$8c7fa8c0@typhoon.asitatech.ie> Message-ID: <058901bf5ea8$ae520230$280111ac@amadorinc.com> Hi: Here's my two cents regarding CHAP. First, in the PPP options file, if you add "auth", you're telling THIS device to authenticate any remote machines. When you add "+chap" or "+ms-chap-v2" or sowething similar, you're telling THIS device to send it's username/password to the other end for authentication. If you add the same option to the remote device, you're telling IT to authenticate anything connecting to it. The point is that CHAP is a two-way authentication when both ends have it turned on (ie: each end authenticates the other end). For this two way authentication to work, you need both devices and their passwords in each chap-secrets file. ie: On device A, chap-secrets would be: deviceA * passwordA * deviceB * passwordB * On device B, the chapsecrets file would be exactly the same. Why? Device A uses the device A entry to send a it's username and password to device B. Then it uses the Devide B entry to authenticate what device B sends it. Device B does exactly the same thing. A note about username/password: it has to be exactly the same in each chap-secrets file (ie: if you use fully qualified domain name in one you have to use it in the other). The point here is that the username sent for chap authentication comes from the chap-secrets file as apposed to using the devices hostname. As I mentioned, this assumes that you have "auth" in the options file at both ends. If you only have it for one end, the authentication occurs only on that device. You still need +chap or similar in the remote end's option file, so it knows to send username/password for authentication. As for the * in the above chap-secrets example: The first is for "servername". * means any server. You can also put in a specific server name, to tighten up security. The second * is for IP address. Again, * means anything, but you can put in a specific IP address to tighten things up. This (I think) really only applies to the entry for the remote end. I hope this makes sense, and helps you understand how CHAP works a little better. Let me know if I wasn't clear in my description, and of course, anyone is welcome to correct me if I'm mistaken :o) Gord Belsey Amador Business Computers, Inc. Edmonton, AB, Canada ----- Original Message ----- From: Seosamh D. ? Riord?in To: yann.foissac Cc: Sent: Friday, January 14, 2000 8:23 AM Subject: [pptp-server] Re: Hi, I'm in trouble with the same config as you > Hi Yann, > > I didn't manage to get the pptp-linux-1.0.2 client talking to > PoPToP 1.0.0, (as yet), - it needs to be looked at further, > and I may get time to do this in the next couple of weeks. > It doesn't appear that anyone on the list has got this negotiating > 40(or 128) bit MPPE to the PoPToP server. I've seen other > messages asking about this also but they went unanswered. > Microsoft clients(NT/W9[5|8]) do connect with 40(or 128) bit > MPPE alright. This appears to be a negotiation problem between > the linux client side and PoPToP, ie in PPPD. Logs show different > messages being exchanged than when negotiating with the > Microsoft clients. > > The pptp-linux client does connect to PPTP successfully, if > you ensure the /etc/ppp/chap-secrets on both machines are > similar, the options file and the pptp command are like the ones > I had in my last mail to the list. However, with this setup, it will > connect with MSCHAP-V2(seen in the log on the pptp server) > but there will be no encryption. > I'll let you know if I make any progress (when I get time) on the > linux client side. > > Regards, > Seosamh > > -----Original Message----- > From: yann.foissac > To: soriordain at asitatech.com > Date: Friday, January 14, 2000 11:45 AM > Subject: Hi, I'm in trouble with the same config as you > > > I have a pptp linux client 1.0.2 and I want to connect on a PoPToP > server > Could you help me ? > I just want to understant the chap-secret file and option file > > thanks > > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From cwf at infosecana.com Fri Jan 14 11:13:59 2000 From: cwf at infosecana.com (Chuck Flink) Date: Fri Jan 14 11:13:59 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? References: Message-ID: <003601bf5eb3$ca1cb860$0100a8c0@infosecana.com> Eric, I noted Matt Ramsay's reference to the NETtel box from www.moretonbay.com which seems to be a direct competitor for the RampNet WebRamp products I referenced. Issue: value of having Linux vrs whatever (probably another UNIX clone) as the internal software/firmware. Check for an article I'll be posting by the end of the day at: www.infosecana.com/flinkink As far as "basic" is concerned, I was refering to the fact that a NAT box is NOT a stateful proxy firewall. There are attacks on simple packet filtering firewalls like a NAT box with ipchains, but then there are attacks on anything if you invest enough time/energy into it. Moreton Bay describes their NAT box as a "firewall" while RampNet distinguishes a more expensive model, beyond NAT, as it's "firewall" product. Both are correct in concept, but differ in degree. I view NAT boxes with incoming packet filtering as a reasonably "basic" firewall. Deciding if you need more protection than this requires a risk analysis and takes time. But certainly, if you want Internet access from your LAN and don't want to go to the expense of a proxy server, NAT is a nice compromise. Now as far as Windows 2000 (W2K) NAT and VPN is concerned, I have to admit that I jumped the gun on one issue: Professional vrs Server. NAT and PPTP VPNs can coexist on W2K Server by virtue of being able to configure a PPTP filter for NAT equivalent to the masq_pptp module for Linux mentioned elsewhere on this list. (NO SUCH FILTER can exist for IPsec secured VPNs.) I jumped the gun when I implied that W2K Pro automatically configured a PPTP mask/filter for PPTP. The Pro product hides more of the configuration, trying to automate the setup by hiding NAT behind the concept of "Internet Connection Sharing". It's not yet clear to me if simply configuring ICS and PPTP together on the Pro release "does the right thing". I'll get back to this next week. Note that all W2K versions include IPsec, L2TP and PPTP VPN support, optional routing and some form of packet filtering. The Pro version supports blanket incoming packet filtering (i.e. blocks access to designated service ports from any remote address) while the Server model is much more flexible (I think functionally equivalent to ipchains, but I may be overstating it.) More later. -Chuck Flink www.infosecana.com ----- Original Message ----- From: "Robinson, Eric R." To: "'Chuck Flink'" ; "Robinson, Eric R." ; Sent: Thursday, January 13, 2000 7:34 PM Subject: RE: [pptp-server] State-based Firewall and VPN Server on One Box? > When you say you're using W2K for a "NAT/PPTP basic firewall," does that > mean it's providing VPN services as well? Ans what do you mean by "basic?" > > Looking forward to some expansion on that part. > > --Eric > > -----Original Message----- > From: Chuck Flink [mailto:cwf at infosecana.com] > Sent: Thursday, January 13, 2000 2:34 PM > To: Robinson, Eric R.; pptp-server at lists.schulte.org > Subject: Re: [pptp-server] State-based Firewall and VPN Server on One > Box? > > > Check out www.rampnet.com products. I used an early one for demand- > dialed ISDN (128k) access to MSN for a couple of years and found it a quite > satisfactory NAT for a half-dozen developers in my lab. It was then about > $600. Today, if they arn't a good bit cheaper, it's because sales are > holding > the price up. It should be as cheap or cheaper than what you can make > on your own... no disk, no floppy, remote admin from any PC on your LAN, > built-in 10BaseT hub, etc. Mine was about the size of a cable modem. > (I see they now have a more expensive models designated as firewalls.) > > Don't get me wrong: I love Linux and look forward to there being a well > packaged single-floppy Linux with NAT, PPTP, etc. ....and it's coming. > But if you want to buy something off-the-shelf that supports PPTP, NAT, > additional firewall features, etc. from a concern that's been around > for a while, I recommend this one. > > P.S. I'm looking forward to seeing the other postings on this. I'm > currently > using a RC-2 Windows 2000 Pro as a NAT/PPTP basic firewall box > connected to RoadRunner. It works great and was easy to setup. Once > the Feb release date comes, I hope to switch to using one of my old 486 > PCs as a Linux/NAT/pptp box and want to hear it's easy to do. > > - Chuck Flink www.infosecana.com/flinkink > > ----- Original Message ----- > From: "Robinson, Eric R." > To: > Sent: Thursday, January 13, 2000 3:56 PM > Subject: [pptp-server] State-based Firewall and VPN Server on One Box? > > > > Greetings, > > > > I've been "lurking" on this list for a while and now I have a question for > > the assembly. > > > > I'm looking for a nice, clean, single-box Linux solution for state-based > > firewalling, true NAT and VPN services for Windows clients. What is your > > opinion? Can that be done? Is PoPtoP part of the answer? > > > > When I say "true NAT," I mean that external addresses must be statically > > mappable to internal hosts, and it must not matter whether the external > > addresses are public or private. > > > > I'd really like to hear some detailed opinions on this one. > > > > -- > > Eric Robinson > > Network Analyst > > Nevada DOT > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulte.org! > > > > > > From rowl at earthcorp.com Fri Jan 14 11:26:52 2000 From: rowl at earthcorp.com (Michael St. Laurent) Date: Fri Jan 14 11:26:52 2000 Subject: [pptp-server] Best way to bring PPTP connections up automatically Message-ID: <3.0.6.32.20000114092616.009b46c0@guardian.hartwellcorp.com> Can anyone make a suggestion for what the simplest/best way would be to bring several different PPTP connections up as needed or just bring them up, leave them up and make sure that they restart if they should go down for some reason? -------------------- Michael St. Laurent Hartwell Corporation From ely at txc.com Fri Jan 14 12:46:35 2000 From: ely at txc.com (Ely Zavin) Date: Fri Jan 14 12:46:35 2000 Subject: [pptp-server] Authentication Problem Message-ID: <387F6E85.EF2F9E20@txc.com> Hi, I just installed pptpd-1.0.0 rpm on my Red Hat Linux 6.1. I am also running pppd 2.3.11. My pppd option file: -detach asyncmap modem crtscts lock login require-pap proxyarp debug ktune When I connected to pptp server from my WinNT using the Accept any authentication including clear text everything works fine: I was asked for user ID and passwd and was authenticated when I supplied the right one. When I tried to use Accept only encrypted authentication I was authenticated even I supplied the wrong passwd. Follow is the part of my pptpd.log file: CTRL: Sent packet to client Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Received PPTP Control Message (type: 7) Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Set parameters to 152 maxbps, 3 window size Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Made a OUT CALL RPLY packet Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Starting call (launching pppd, opening GRE) Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: pty_fd = 5 Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: tty_fd = 6 Jan 14 12:40:15 dial1 pptpd[16400]: CTRL (PPPD Launcher): Connection speed = 115200 Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: I wrote 32 bytes to the client. Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Sent packet to client Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Received PPTP Control Message (type: 15) Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Got a SET LINK INFO packet with standard ACCMs Jan 14 12:40:15 dial1 pptpd[16400]: CTRL (PPPD Launcher): local address = 192.168.128.2 Jan 14 12:40:15 dial1 pptpd[16400]: CTRL (PPPD Launcher): remote address = 192.168.129.2 Jan 14 12:40:15 dial1 pppd[16400]: pppd 2.3.11 started by , uid 0 Jan 14 12:40:15 dial1 pppd[16400]: Using interface ppp0 Jan 14 12:40:15 dial1 pppd[16400]: Connect: ppp0 <--> /dev/pts/1 Jan 14 12:40:15 dial1 pppd[16400]: sent [LCP ConfReq id=0x1 ] Jan 14 12:40:15 dial1 pppd[16400]: rcvd [LCP ConfReq id=0x0 < 11 04 06 4e> < 13 09 03 00 a0 c9 71 16 be>] Jan 14 12:40:15 dial1 pppd[16400]: sent [LCP ConfRej id=0x0 < 11 04 06 4e> < 13 09 03 00 a0 c9 71 16 be>] Jan 14 12:40:15 dial1 pppd[16400]: rcvd [LCP ConfNak id=0x1 ] Jan 14 12:40:15 dial1 pppd[16400]: sent [LCP ConfReq id=0x2 ] Jan 14 12:40:15 dial1 pppd[16400]: rcvd [LCP ConfReq id=0x1 ] Jan 14 12:40:15 dial1 pppd[16400]: sent [LCP ConfAck id=0x1 ] Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Received PPTP Control Message (type: 15) Jan 14 12:40:15 dial1 pptpd[16399]: CTRL: Ignored a SET LINK INFO packet with real ACCMs! Jan 14 12:40:15 dial1 pppd[16400]: rcvd [LCP ConfAck id=0x2 ] Jan 14 12:40:15 dial1 pppd[16400]: sent [IPCP ConfReq id=0x1 ] Jan 14 12:40:15 dial1 pppd[16400]: sent [CCP ConfReq id=0x1 ] Jan 14 12:40:15 dial1 pppd[16400]: rcvd [LCP code=0xc id=0x2 00 00 3b 9d 4d 53 52 41 53 56 34 2e 30 30] What I did wrong or it might be some bug. Ely Zavin -------------- next part -------------- A non-text attachment was scrubbed... Name: ely.vcf Type: text/x-vcard Size: 222 bytes Desc: Card for Ely Zavin URL: From mjbarsalou at attglobal.net Fri Jan 14 13:36:12 2000 From: mjbarsalou at attglobal.net (Michael Barsalou) Date: Fri Jan 14 13:36:12 2000 Subject: [pptp-server] Which tty Message-ID: <200001141936.NAA04332@snaildust.schulte.org> How can you control when someone connects which option file they will be using. For example if I gave access to someone outside our organization, I would want their IP address to be something specific so that I have some degree of control over what services they can use. What would I have to do to accomplish that? I know that I can set options in a option.ttyXX file but how do I know or control which tty they connect from? Maybe I just don't understand the process well enough. Mike Michael Barsalou mjbarsalou at ibm.net From blalor at netDrives.com Fri Jan 14 14:35:23 2000 From: blalor at netDrives.com (Brian Lalor) Date: Fri Jan 14 14:35:23 2000 Subject: [pptp-server] GRE being blocked? Message-ID: I'm seeing these errors in my logs for one particular client: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error CTRL: PTY read or GRE write failed (pty,gre)=(4,5) Does this mean GRE (proto 47?) is being blocked somewhere along the line? -- Brian Lalor, Web Honkey netDrives blalor at netDrives.com 607-272-5650 x7167 From johnoel at hawaii.com Fri Jan 14 17:17:36 2000 From: johnoel at hawaii.com (john oel@H@) Date: Fri Jan 14 17:17:36 2000 Subject: [pptp-server] routing In-Reply-To: <20000114042706.99683.qmail@hotmail.com> References: <20000114042706.99683.qmail@hotmail.com> Message-ID: <200001150009.QAA18479@mail.hawaii.com> hi all, that did it, i assumed it was set but ... anyhow, thanks for responding. also thanks to mr nathan meyers for suggesting someone else to install a second dial up which i also overlooked. simple things that cause so much grief. once again thankyouall, johnoel Quoting Cam Bowman : > This may be a stupid question, but do you have routing (IP Forwarding) > enabled on the linux box. I know I had this problem before, and as soon as > > I enabled routing it worked great. > > I believe the reason was that the PPTP connection is point-to-point, this > means it's connectivity terminates on the linux server. To hop over to the > > internal lan the linux station must forward the packet for you (acts as a > router). > > Let me know if it works. > > > Cam Bowman > Amtelecom Communications > > > >From: "john oel at H@" > >Reply-To: johnoel at hawaii.com > >To: pptp-server at lists.schulte.org > >Subject: [pptp-server] routing > >Date: Thu, 13 Jan 2000 16:31:37 -0800 > > > >hi all, > > > > after a long struggle, i was able to log into the > > poptop vpn server. current setup. > > > > win98 client > > | > > | > > =INTERNET= > > | > > | > > linux 2.2.x /ipchains firewall > > with vpn-patch > > and ipmasqadm and ipfwd to forward > > > > port 1723 and prot 47 > > 192.168.0.0 network > > | > > | > > linux 2.2.x /poptop > > | > > | > > winnt > > > > i can ping internal linux machine > > but i cannot ping the winnt system. > > pptpd.conf assigns the ips from 192.168.219.x. > > i have tried to install poptop on the > > firewall and was able to ping and use > > both machines. but when i moved the > > poptop server internally i could only > > access the poptop server. > > > > any clues. > > johnoel > > > > > > > >-------------------------------- > >Get your free email @hawaii.com > >http://www.hawaii.com/ > > > >_______________________________________________ > >pptp-server maillist - pptp-server at lists.schulte.org > >http://lists.schulte.org/mailman/listinfo/pptp-server > >List services provided by www.schulte.org! > > ______________________________________________________ > Get Your Private, Free Email at http://www.hotmail.com > -------------------------------- Get your free email @hawaii.com http://www.hawaii.com/ From tmk at netmagic.net Fri Jan 14 20:45:33 2000 From: tmk at netmagic.net (tmk) Date: Fri Jan 14 20:45:33 2000 Subject: [pptp-server] Which tty References: <200001141936.NAA04332@snaildust.schulte.org> Message-ID: <002701bf5f02$80d6d740$071c0fc0@lala.net> this came up a few times, but pptp uses psuedo ttys when possible (almost all linux systems have them), so the old options.ttyXX doesnt work anymore since the ttys show up as ptys/ttyXX or something what you can do is assign the clients static ip's and do what you gotta do in the ip-up script Kevin ----- Original Message ----- From: Michael Barsalou To: Sent: Friday, January 14, 2000 11:37 AM Subject: [pptp-server] Which tty > How can you control when someone connects which option file > they will be using. > > For example if I gave access to someone outside our organization, > I would want their IP address to be something specific so that I > have some degree of control over what services they can use. > > What would I have to do to accomplish that? > > I know that I can set options in a option.ttyXX file but how do I know > or control which tty they connect from? Maybe I just don't > understand the process well enough. > > Mike > > > Michael Barsalou > mjbarsalou at ibm.net > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From jimbud at arborlink.com Fri Jan 14 21:52:59 2000 From: jimbud at arborlink.com (Adrian) Date: Fri Jan 14 21:52:59 2000 Subject: [pptp-server] Re: Hi, I'm in trouble with the same config as you In-Reply-To: <04ae01bf5ea3$52651660$8c7fa8c0@typhoon.asitatech.ie> Message-ID: Hello, I have gotten 128bit encryption between two linux boxen using pptp 1.0.2 and pptpd 1.0.0. one problem people might have is that pppd likes deflate compression more than bsdcomp, so unless you say nodeflate in your options file, deflate will be used and mppe needs bsdcomp. here's my options file for server and client. server: debug name server_name auth proxyarp nodeflate bsdcomp 15,15 -pap +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless client: name server_name user client_name defaultroute noauth regards, adrian On Fri, 14 Jan 2000, [iso-8859-1] Seosamh D. ? Riord?in wrote: > Hi Yann, > > I didn't manage to get the pptp-linux-1.0.2 client talking to > PoPToP 1.0.0, (as yet), - it needs to be looked at further, > and I may get time to do this in the next couple of weeks. > It doesn't appear that anyone on the list has got this negotiating > 40(or 128) bit MPPE to the PoPToP server. I've seen other > messages asking about this also but they went unanswered. > Microsoft clients(NT/W9[5|8]) do connect with 40(or 128) bit > MPPE alright. This appears to be a negotiation problem between From erobinson at dot.state.nv.us Fri Jan 14 23:15:49 2000 From: erobinson at dot.state.nv.us (Robinson, Eric R.) Date: Fri Jan 14 23:15:49 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? Message-ID: Hi Chuck, I always start by dreaming up exactly what I want, then backing off as the realities pile on. I want maximum security and clean VPN services for Windows clients on a single box, and I want it, um, FREE, and I want it NOW. Plus, I want to add some Linux to my resume. Hence the search for a Linux. It's mostly free. It's downloadable now. (I'm seriously considering the Webramp 700s product, but one of the main things holding me back is that it just wouldn't be as FUN.) Adrian suggested in an earlier message that the answer is PoPToP and Netfilter. What do you think about that? Also, you seem to imply that IPSec-based VPNs and NAT can't exist on the same box, whereas PPTP-based VPNs and NAT can. I think I must have misunderstood you. I can't think of a reason why IPSec and NAT shouldn't be compatible. Theoretically, the box should examine the IP packet to see whether it contains an IPSec payload. If it does, it hands it off to the VPN software, which strips the IP header, decrypts the ESP, and forwards the recovered packet to the internal network. If the IP packet does NOT contain an ESP, the box hands it off to the firewall software, which checks the destination address against its NAT table. If it matches a NAT mapping, it then applies the filter list and state information against it. Finally, it replaces the destination with the internal address from the NAT table and forwards it to the internal network. Is that not how it works? --Eric -----Original Message----- From: Chuck Flink [mailto:cwf at infosecana.com] Sent: Friday, January 14, 2000 9:21 AM To: Robinson, Eric R.; pptp-server at lists.schulte.org Subject: Re: [pptp-server] State-based Firewall and VPN Server on One Box? Eric, I noted Matt Ramsay's reference to the NETtel box from www.moretonbay.com which seems to be a direct competitor for the RampNet WebRamp products I referenced. Issue: value of having Linux vrs whatever (probably another UNIX clone) as the internal software/firmware. Check for an article I'll be posting by the end of the day at: www.infosecana.com/flinkink As far as "basic" is concerned, I was refering to the fact that a NAT box is NOT a stateful proxy firewall. There are attacks on simple packet filtering firewalls like a NAT box with ipchains, but then there are attacks on anything if you invest enough time/energy into it. Moreton Bay describes their NAT box as a "firewall" while RampNet distinguishes a more expensive model, beyond NAT, as it's "firewall" product. Both are correct in concept, but differ in degree. I view NAT boxes with incoming packet filtering as a reasonably "basic" firewall. Deciding if you need more protection than this requires a risk analysis and takes time. But certainly, if you want Internet access from your LAN and don't want to go to the expense of a proxy server, NAT is a nice compromise. Now as far as Windows 2000 (W2K) NAT and VPN is concerned, I have to admit that I jumped the gun on one issue: Professional vrs Server. NAT and PPTP VPNs can coexist on W2K Server by virtue of being able to configure a PPTP filter for NAT equivalent to the masq_pptp module for Linux mentioned elsewhere on this list. (NO SUCH FILTER can exist for IPsec secured VPNs.) I jumped the gun when I implied that W2K Pro automatically configured a PPTP mask/filter for PPTP. The Pro product hides more of the configuration, trying to automate the setup by hiding NAT behind the concept of "Internet Connection Sharing". It's not yet clear to me if simply configuring ICS and PPTP together on the Pro release "does the right thing". I'll get back to this next week. Note that all W2K versions include IPsec, L2TP and PPTP VPN support, optional routing and some form of packet filtering. The Pro version supports blanket incoming packet filtering (i.e. blocks access to designated service ports from any remote address) while the Server model is much more flexible (I think functionally equivalent to ipchains, but I may be overstating it.) More later. -Chuck Flink www.infosecana.com ----- Original Message ----- From: "Robinson, Eric R." To: "'Chuck Flink'" ; "Robinson, Eric R." ; Sent: Thursday, January 13, 2000 7:34 PM Subject: RE: [pptp-server] State-based Firewall and VPN Server on One Box? > When you say you're using W2K for a "NAT/PPTP basic firewall," does that > mean it's providing VPN services as well? Ans what do you mean by "basic?" > > Looking forward to some expansion on that part. > > --Eric > > -----Original Message----- > From: Chuck Flink [mailto:cwf at infosecana.com] > Sent: Thursday, January 13, 2000 2:34 PM > To: Robinson, Eric R.; pptp-server at lists.schulte.org > Subject: Re: [pptp-server] State-based Firewall and VPN Server on One > Box? > > > Check out www.rampnet.com products. I used an early one for demand- > dialed ISDN (128k) access to MSN for a couple of years and found it a quite > satisfactory NAT for a half-dozen developers in my lab. It was then about > $600. Today, if they arn't a good bit cheaper, it's because sales are > holding > the price up. It should be as cheap or cheaper than what you can make > on your own... no disk, no floppy, remote admin from any PC on your LAN, > built-in 10BaseT hub, etc. Mine was about the size of a cable modem. > (I see they now have a more expensive models designated as firewalls.) > > Don't get me wrong: I love Linux and look forward to there being a well > packaged single-floppy Linux with NAT, PPTP, etc. ....and it's coming. > But if you want to buy something off-the-shelf that supports PPTP, NAT, > additional firewall features, etc. from a concern that's been around > for a while, I recommend this one. > > P.S. I'm looking forward to seeing the other postings on this. I'm > currently > using a RC-2 Windows 2000 Pro as a NAT/PPTP basic firewall box > connected to RoadRunner. It works great and was easy to setup. Once > the Feb release date comes, I hope to switch to using one of my old 486 > PCs as a Linux/NAT/pptp box and want to hear it's easy to do. > > - Chuck Flink www.infosecana.com/flinkink > > ----- Original Message ----- > From: "Robinson, Eric R." > To: > Sent: Thursday, January 13, 2000 3:56 PM > Subject: [pptp-server] State-based Firewall and VPN Server on One Box? > > > > Greetings, > > > > I've been "lurking" on this list for a while and now I have a question for > > the assembly. > > > > I'm looking for a nice, clean, single-box Linux solution for state-based > > firewalling, true NAT and VPN services for Windows clients. What is your > > opinion? Can that be done? Is PoPtoP part of the answer? > > > > When I say "true NAT," I mean that external addresses must be statically > > mappable to internal hosts, and it must not matter whether the external > > addresses are public or private. > > > > I'd really like to hear some detailed opinions on this one. > > > > -- > > Eric Robinson > > Network Analyst > > Nevada DOT > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulte.org! > > > > > > _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From erobinson at dot.state.nv.us Fri Jan 14 23:20:07 2000 From: erobinson at dot.state.nv.us (Robinson, Eric R.) Date: Fri Jan 14 23:20:07 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? Message-ID: Thanks, Adrian. How unstable is Netfilter? If I install the product on a new, clean Linux box, can I expect it to crash frequently or fail to provide firewalling services or just have a lot of goofy little problems? --Eric -----Original Message----- From: Adrian [mailto:jimbud at arborlink.com] Sent: Friday, January 14, 2000 6:06 AM To: Robinson, Eric R. Cc: pptp-server at lists.schulte.org Subject: Re: [pptp-server] State-based Firewall and VPN Server on One Box? Hello, Linux and this pptp package, along with the netfilter package, are what you're looking for. Netfilter is capable of stateful rules, NAT in many forms, and PoPtoP is the best, most stable VPN provider for people looking for Windows solutions. However, Netfilter, like kernel 2.3, is in development and even though it works it won't be what you should use until it's stablised. You might want to subscribe to the Netfilter mailing list as well. (email listproc at samba.org with body "subscribe netfilter your_full_name") Regards, Adrian On Thu, 13 Jan 2000, Robinson, Eric R. wrote: > Greetings, > > I've been "lurking" on this list for a while and now I have a question for > the assembly. > > I'm looking for a nice, clean, single-box Linux solution for state-based > firewalling, true NAT and VPN services for Windows clients. What is your > opinion? Can that be done? Is PoPtoP part of the answer? > > When I say "true NAT," I mean that external addresses must be statically > mappable to internal hosts, and it must not matter whether the external > addresses are public or private. > > I'd really like to hear some detailed opinions on this one. > > -- > Eric Robinson > Network Analyst > Nevada DOT > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From matthewr at moreton.com.au Sat Jan 15 00:05:49 2000 From: matthewr at moreton.com.au (Matthew Ramsay) Date: Sat Jan 15 00:05:49 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? References: Message-ID: <000b01bf5eb9$7cfed760$fafbff0a@qld.bigpond.net.au> > Hence the search for a Linux. It's mostly free. It's downloadable now. (I'm > seriously considering the Webramp 700s product, but one of the main things > holding me back is that it just wouldn't be as FUN.) Heh! Heh!.. That's what I like about Moreton Bay's NETtel platform. It is purely linux based so you can grab Linux applications out there already (such as PoPToP) and basically compile them into a NETtel. I'm no expert on what Web ramp uses for their OS but I bet it's not linux.. and I bet you it's entire source is not open (the entire NETtel source is available). Additionally a Moreton Bay NETtel *retails* at around US $345. (inlcuding VPN!!).. But what makes the NETtel really attractive to *hackers* and other solution providers is its customisation! At the Linux expo at comdex fall (Vegas, 99) the NETtel was hooked up to some speakers and was streaming in MP3's off the net. I guess this isn't the right forum fall this anyway.. Anyways, when price is an issue, you could grab your existing linux PC and set all this up anyway. That's what is soo cool about Linux. Cheers, Matt. From yan at cardinalengineering.com Sat Jan 15 06:31:12 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Sat Jan 15 06:31:12 2000 Subject: [pptp-server] More problems with sudden death of connections Message-ID: <38806899.9C974130@cardinalengineering.com> OK, I ran another torture test last night; this time with two shares mounted. The test consisted of copying two 100K files back and forth. The connection gave up the ghost after only 1MB of data transfer. pptp and ppp were both up this morning; the connection was good; but the pptp connection was non-responsive. Disconnecting and reconnecting brought it back to life. This is progress. Anything else I can provide to track this down? --Yan Here's the log file: Jan 14 19:11:43 aphrodite pptpd[21495]: CTRL: Starting call (launching pppd, opening GRE) Jan 14 19:12:57 aphrodite pptpd[21535]: MGR: Manager process started Jan 14 19:13:01 aphrodite pptpd[21495]: CTRL: Error with select(), quitting Jan 14 19:13:01 aphrodite pptpd[21495]: CTRL: Client 208.249.10.142 control connection finished Jan 14 19:13:04 aphrodite pptpd[21545]: CTRL: Client 208.249.10.142 control connection started Jan 14 19:13:05 aphrodite pptpd[21545]: CTRL: Starting call (launching pppd, opening GRE) Jan 14 20:32:25 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:35:08 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:35:47 aphrodite pptpd[21545]: GRE: Received bad packet from pppd. Jan 14 20:36:08 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:36:10 aphrodite pptpd[21545]: GRE: Received bad packet from pppd. Jan 14 20:37:45 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:39:38 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:43:16 aphrodite pptpd[21545]: GRE: Received bad packet from pppd. Jan 14 20:43:20 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:45:54 aphrodite pptpd[21545]: GRE: Received bad packet from pppd. Jan 14 20:46:00 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:46:34 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:46:51 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. Jan 14 20:46:55 aphrodite pptpd[21545]: GRE: Received bad packet from pppd. Jan 14 20:47:06 aphrodite pptpd[21545]: GRE: Bad checksum from pppd. From yan at cardinalengineering.com Sat Jan 15 06:33:24 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Sat Jan 15 06:33:24 2000 Subject: [pptp-server] linux-linux pptp Message-ID: <3880691E.A78B4F16@cardinalengineering.com> Is the linux-linux pptp connection stable? As I seem to be experiencing sudden death of pptp connections (which I suspect may be in part to the crappy Win95 TCP/IP stack) does anyone have a track record with Scott's pptp client? TIA, --Yan From patl at cag.lcs.mit.edu Sat Jan 15 08:33:34 2000 From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Sat Jan 15 08:33:34 2000 Subject: [pptp-server] GRE being blocked? In-Reply-To: Brian Lalor's message of "Fri, 14 Jan 2000 15:35:13 -0500 (EST)" References: Message-ID: Brian Lalor writes: > I'm seeing these errors in my logs for one particular client: > GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error > CTRL: PTY read or GRE write failed (pty,gre)=(4,5) > > Does this mean GRE (proto 47?) is being blocked somewhere along the line? No, it means that pptpd got an error while trying to read() from pppd. (The "GRE:" prefix just means this error occurred in the HDLC-to-GRE module; it does not necessarily mean there is any problem with the GRE protocol itself.) I do not know what to suggest, aside from turning up logging from pppd to see what it is doing when these messages occur. Anyone happen to know what "Input/output error" even means for a PTY? - Pat From cwf at infosecana.com Sat Jan 15 17:32:20 2000 From: cwf at infosecana.com (Chuck Flink) Date: Sat Jan 15 17:32:20 2000 Subject: [pptp-server] State-based Firewall and VPN Server on One Box? References: <000b01bf5eb9$7cfed760$fafbff0a@qld.bigpond.net.au> Message-ID: <001e01bf5fb1$b6228930$0100a8c0@infosecana.com> Eric & Matt, I'll answer Eric's other questions on Monday, but I thought I'd comment on Matt's response right away. Please be sure that I'm not anti-Linux nor am I against having FUN. Somewhere back in this list the word "NEED" in capital letters were used by someone with regard to firewall and VPN all on one box. If you have is a serious NEED, then the professional thing to do is to evaluate the risk and peg your investment on the mitigation of that risk. If the maximum cost is ZERO, the risk being mitigated must be ZERO and the whole thing is a hobby. Certainly, PoPToP and Linux is the way to go.... have fun! If there is a very, very serious risk, I'd also recommend Linux and IPsec and a serious validation of your implementation by a seasoned team of security analysists and break-in artists. I'd recommend Linux because of the ability for these analysts to assure themselves of complete freedom from trap doors, flaws and Trojan Horses.... something that can only be done by heavy duty inspection of the sources generating every line of binary that runs with privilege. This is EXPENSIVE, but I've been involved with such work for the DoD in the distant past. But 98% of the real-world customers out there want something much less expensive but not as ad-hoc as "free from the web". The RampNet, the NETtel, Lucent's (Ascend's) Pipeline products, and probably a half dozen other products are in the $400 to $1000 range and offer a decent level of assurance against risk (and someone to blame if the shit hits the fan and your boss comes down on YOU!) Microsoft attempts to hit the same range assurance and (incremental) cost on a PC that can do other things as well. ....and everyone likes to be able to blame MS. I can't judge where your need falls on the spectrum from hobby to high risk. So I'm only going to comment (Monday) on what I've done and what I know of the technology. There is nothing in Matt's reply that I disagree with.... including the comment that this all is probably too far "off topic" for this mailing list! I just wanted to make it clear that security is something that usually requires something more than the typical mailing list level of treatment. - Chuck Flink www.infosecana.com/flinkink P.S. I'm very interested in developing business models for open source software that addresses the issue of assurance and accountability.... I want to see Open Source satisfy that "middle region" between hobby and high-risk. Read the articles at my site (above) and comment directly by feedback to me or the discussion forum listed there. Thanks! ----- From shaeff at mediaone.net Sun Jan 16 02:55:30 2000 From: shaeff at mediaone.net (Noel Schaefer) Date: Sun Jan 16 02:55:30 2000 Subject: [pptp-server] routing Message-ID: <38814D8C.8D87E8C2@mediaone.net> I think i have some kind of routing trouble, the remote client ( Dial up ) is connecting just fine and i can see the netbios names just fine for all the clients on the local, but i can not connect to any computers on the local other than the server . I can ping the remote ip`s that was assigned to the client and the client can ping all the hosts on the server side but i having trouble getting them to talk to each other . the only thing i have got to work with the other clients on the local is a game "TA Kingdoms" even then i had to manually in put the IP to make the remote client to see the game ! I see that the subnet for the remote client is a "D" class and the rest of my local connections are on a "C" class subnet C = 255.255.255.0 D = 255.255.255.255 and i have tryed to route the connection to a local subnet ( that just blocks any traffic from coming in from the remote client ). i have come to an impasse i not sure where to go from here, if any one has ideas on how to over come this i would be very great full ! thank your time ! From butler at dii.net Sun Jan 16 12:28:04 2000 From: butler at dii.net (Philip L. Butler) Date: Sun Jan 16 12:28:04 2000 Subject: [pptp-server] Can't login to NT domain.... Message-ID: Hi, I have a question for you. I have Poptop installed and it seems to work fine in that I can ping, ftp, etc. using it. I am having trouble getting a few machines to see the network neighborhood, login to an NT domain, etc. I have gotten it to see the domain once after I loaded Win98 SE on a test machine from scratch. I may be off base, but it seems that the first time, it will come up and ask for the NT domain username and password and I can see the network neighborhood, but if I ever login with a different username, I can never see the network neighborhood again. I am going to reload my test system to see if this is true or not, but I thought I would ask the people on this list also. Many thanks, Phil Butler butler at dii.net From P.J.Reid at earthling.net Sun Jan 16 13:37:14 2000 From: P.J.Reid at earthling.net (Patrick Reid) Date: Sun Jan 16 13:37:14 2000 Subject: [pptp-server] DUN40.EXE and firewall rejects In-Reply-To: <000901bf5d75$8ac9c8e0$071c0fc0@lala.net> Message-ID: <000601bf6058$feb18aa0$0200a8c0@Reidworld.dynip.com> I recently had to re-install poptop & pppd on my Linux machine, AND re-install windows 98. Now I can get my connection going only if I don't require encryption in the Win98 VPN connection. I am thinking that it is because of the need to install DUN40.EXE. I recall that the patch had to be applied a little oddly, but can't remember how. I have tried just running it, and uninstalling dialup networking from Add/Remove Programs, running DUN40.EXE and re-installing dialup networking. No joy. Can anyone tell me the way this patch is to be applied? Also, when I am connected (with no encryption), my ipchains rules (which are based on the semi-strong ipchains ruleset in the Linux IP Masquerade HOWTO) give the following packet rejections: Jan 11 15:03:38 reidworld kernel: Packet log: output REJECT eth1 PROTO=1 192.168.0.1:3 207.179.180.163:3 L=120 S=0xC0 I=37948 F=0x0000 T=255 Jan 11 15:03:38 reidworld kernel: Packet log: input REJECT ppp0 PROTO=17 207.179.180.163:137 192.168.0.1:53 L=72 S=0x00 I=62281 F=0x0000 T=128 Jan 11 15:03:42 reidworld kernel: Packet log: input REJECT ppp0 PROTO=6 207.179.180.163:1676 192.168.0.4:139 L=48 S=0x00 I=10314 F=0x4000 T=128 Note that my firewall/pptp server is 192.168.0.1, eth1 is my external card and 207.179.180.163 is the IP address of the dial-up connection I was using. I don't understand how packets from the machine dialling up can end up on ppp0, which is the pptp connection - should packets on that interface only come from the IP assigned to the machine connecting in on the VPN connection (which is 192.168.0.200)? And what are thos ICMP packets going out on eth1? Just trying to understand better. Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of tmk Sent: January 12, 2000 11:23 PM To: Patrick J. LoPresti; pptp-server at lists.schulte.org; Joe Beauchamp Subject: Re: [pptp-server] What the heck... Announcing pptpd-1.1.1pre1 you need to turn off the 'treat warnings as errors' stuff it was explained in a subsequent post Kevin ----- Original Message ----- From: Joe Beauchamp To: Patrick J. LoPresti ; Sent: Wednesday, January 12, 2000 7:06 PM Subject: Re: [pptp-server] What the heck... Announcing pptpd-1.1.1pre1 > This is what I got trying to build it on 2.2.14p16: > > gcc -DHAVE_CONFIG_H -I. -I. -I. -I. -g -fno-builtin -Wall -Werror -ansi - DSBI > NDIR='"/usr/local/sbin"' -c pptpd.c > cc1: warnings being treated as errors > pptpd.c: In function `main': > pptpd.c:163: warning: implicit declaration of function `strdup' > pptpd.c:163: warning: assignment makes pointer from integer without a cast > pptpd.c:193: warning: assignment makes pointer from integer without a cast > pptpd.c:200: warning: assignment makes pointer from integer without a cast > pptpd.c:206: warning: assignment makes pointer from integer without a cast > pptpd.c:220: warning: assignment makes pointer from integer without a cast > pptpd.c:236: warning: assignment makes pointer from integer without a cast > pptpd.c:248: warning: assignment makes pointer from integer without a cast > pptpd.c:252: warning: assignment makes pointer from integer without a cast > pptpd.c:260: warning: assignment makes pointer from integer without a cast > pptpd.c:264: warning: assignment makes pointer from integer without a cast > pptpd.c: In function `lookup': > pptpd.c:398: warning: implicit declaration of function `memcpy' > make: *** [pptpd.o] Error 1 > > > At 08:07 PM 12/23/99 -0500, Patrick J. LoPresti wrote: > >patl at cag.lcs.mit.edu (Patrick J. LoPresti) writes: > > > >> Well, that was quick. > > > >And again. > > > >It looks like Linux 2.2.x did some violence to the way send() and > >recv() work. So I have punted them entirely and gone back to good old > >read() and write(). (A quick browse through the kernel sources > >suggest they are the same thing for this purpose.) This should be a > >lot more portable. > > > > > > > >Sorry for the flurry of announcements. > > > > - Pat > > > >_______________________________________________ > >pptp-server maillist - pptp-server at lists.schulte.org > >http://lists.schulte.org/mailman/listinfo/pptp-server > >List services provided by www.schulte.org! > > > > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From Martin at McFlySr.Kurgan.Ru Mon Jan 17 01:28:29 2000 From: Martin at McFlySr.Kurgan.Ru (Martin McFlySr) Date: Mon Jan 17 01:28:29 2000 Subject: [pptp-server] pptpd and freebsd 3.4s questuions Message-ID: <1519.000117@McFlySr.Kurgan.Ru> Hello pptp-server at lists.schulte.org, anybody can run pptpd on freebsd? i make all as in FAQ, but win98 client can't connect :( by words Matthew Ramsay, i have "that the free bsd pppd u r using is at fault". how can i check it? thank you. -- Monday, January 17, 2000, 12:07 Best regards from future, Martin McFlySr, HillDale. From SCody at Gulbrandsen.com Mon Jan 17 07:47:49 2000 From: SCody at Gulbrandsen.com (Steve Cody) Date: Mon Jan 17 07:47:49 2000 Subject: [pptp-server] No "/proc/sys/net/ipv4/ip_forward" in kernel 2.0.0 Message-ID: I know the solution to my problem, but I can't find the file to fix it.... I am unable to see other computers on the network, after connecting to the server. The file I am supposed to put a "1" in doesn't exist on this particular system. It is kernel 2.0.0. I am looking for /proc/sys/net/ipv4/ip_forward Is there a different file to change, or what? Thanks in advance! Steve Cody From SCody at Gulbrandsen.com Mon Jan 17 08:10:44 2000 From: SCody at Gulbrandsen.com (Steve Cody) Date: Mon Jan 17 08:10:44 2000 Subject: [pptp-server] No "/proc/sys/net/ipv4/ip_forward" in kernel 2. 0.0 Message-ID: I do have the /proc directory, and I even have a /proc/sys/net/ipv4 directory. However, there is no ip_forward file in it. I tried to create it as root, but I get a permission denied error. -----Original Message----- From: Yan Seiner [mailto:yan at cardinalengineering.com] Sent: Monday, January 17, 2000 9:13 AM To: Steve Cody Subject: Re: [pptp-server] No "/proc/sys/net/ipv4/ip_forward" in kernel 2.0.0 You did not compile your kernel with the /proc file support. You need to look at your config options and recompile. --Yan Steve Cody wrote: > > I know the solution to my problem, but I can't find the file to fix it.... > > I am unable to see other computers on the network, after connecting to the > server. The file I am supposed to put a "1" in doesn't exist on this > particular system. It is kernel 2.0.0. I am looking for > /proc/sys/net/ipv4/ip_forward > > Is there a different file to change, or what? > > Thanks in advance! > > Steve Cody > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! -- Think different ride a recumbent use Linux. From Martin at McFlySr.Kurgan.Ru Mon Jan 17 09:24:28 2000 From: Martin at McFlySr.Kurgan.Ru (Martin McFlySr) Date: Mon Jan 17 09:24:28 2000 Subject: [pptp-server] ppp-2.3.10 with MPEE/MS_CAHP Message-ID: <6849.000117@McFlySr.Kurgan.Ru> Hello pptp-server at lists.schulte.org, may be, anybody make ppp-2.3.10(for example) with MPEE/MS_CHAP? i can't :( thank you, -- Monday, January 17, 2000, 20:22 Best regards from future, Martin McFlySr, HillDale. From soriordain at asitatech.com Mon Jan 17 10:26:36 2000 From: soriordain at asitatech.com (=?iso-8859-1?Q?Seosamh_D._=D3_Riord=E1in?=) Date: Mon Jan 17 10:26:36 2000 Subject: [pptp-server] Re: Hi, I'm in trouble with the same config asyou Message-ID: <06df01bf6107$52be45d0$8c7fa8c0@typhoon.asitatech.ie> Hi Adrian, Cheers for that pointer on the effect of the nodeflate parameter - certainly saved me some time! The pptp-linux-1.0.2 client now works fine for me with MPPE40. However, if I use +mppe-128 on the command line instead, a ping over the interface just established results in the following type of message in the log file: server: "Unsupported protocol (0x...) received" client: "Protocol-Reject for unsupported protocol 0x..." How did you manage to get around this problem? Thanks for your help. Regards, Seosamh. --------------- Seosamh D. ? Riord?in, [soriordain at asitatech.ie] -----Original Message----- From: Adrian To: Seosamh D. ? Riord?in Cc: yann.foissac ; pptp-server at lists.schulte.org Date: Saturday, January 15, 2000 3:52 AM Subject: Re: [pptp-server] Re: Hi, I'm in trouble with the same config asyou Hello, I have gotten 128bit encryption between two linux boxen using pptp 1.0.2 and pptpd 1.0.0. one problem people might have is that pppd likes deflate compression more than bsdcomp, so unless you say nodeflate in your options file, deflate will be used and mppe needs bsdcomp. here's my options file for server and client. server: debug name server_name auth proxyarp nodeflate bsdcomp 15,15 -pap +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless client: name server_name user client_name defaultroute noauth regards, adrian On Fri, 14 Jan 2000, [iso-8859-1] Seosamh D. ? Riord?in wrote: > Hi Yann, > > I didn't manage to get the pptp-linux-1.0.2 client talking to > PoPToP 1.0.0, (as yet), - it needs to be looked at further, > and I may get time to do this in the next couple of weeks. > It doesn't appear that anyone on the list has got this negotiating > 40(or 128) bit MPPE to the PoPToP server. I've seen other > messages asking about this also but they went unanswered. > Microsoft clients(NT/W9[5|8]) do connect with 40(or 128) bit > MPPE alright. This appears to be a negotiation problem between From pf at sxb.bsf.alcatel.fr Mon Jan 17 11:53:14 2000 From: pf at sxb.bsf.alcatel.fr (Pascal Fremaux) Date: Mon Jan 17 11:53:14 2000 Subject: [pptp-server] ppp-2.3.10 with MPEE/MS_CAHP References: <6849.000117@McFlySr.Kurgan.Ru> Message-ID: <3883560E.529F112@sxb.bsf.alcatel.fr> I do, but it's not sufficient. You must patch the kernel and rebuild before apply that patch. I don't have a site in order to publish it, but I try to do that later if needed. Martin McFlySr wrote: > Hello pptp-server at lists.schulte.org, > > may be, anybody make ppp-2.3.10(for example) with MPEE/MS_CHAP? > > i can't :( > > thank you, > > -- > Monday, January 17, 2000, > 20:22 > > Best regards from future, > Martin McFlySr, HillDale. > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! -- Pascal Fremaux, SSII Alten Study Engineer at Alcatel Telecom R&D, Illkirch, France From jimbud at arborlink.com Mon Jan 17 12:53:28 2000 From: jimbud at arborlink.com (Adrian) Date: Mon Jan 17 12:53:28 2000 Subject: [pptp-server] Re: Hi, I'm in trouble with the same config asyou In-Reply-To: <06df01bf6107$52be45d0$8c7fa8c0@typhoon.asitatech.ie> Message-ID: Hello, This might be off course, but are you using ppp as a module or built into the kernel? if you have it built in, have you remade the kernel and rebooted since patching it for mppe? 40bit encryption will work without rebooting, but 128bit wont. on windows machines, you can even connect with 128bit until you rebuild everything, but i'm not sure about linux to linux. that could be your problem. good luck :) Regards, Adrian On Mon, 17 Jan 2000, [iso-8859-1] Seosamh D. ? Riord?in wrote: > Hi Adrian, > > Cheers for that pointer on the effect of the nodeflate parameter - > certainly > saved me some time! The pptp-linux-1.0.2 client now works fine for me > with MPPE40. However, if I use +mppe-128 on the command line instead, > a ping over the interface just established results in the following type > of > message in the log file: > server: "Unsupported protocol (0x...) received" > client: "Protocol-Reject for unsupported protocol 0x..." > > How did you manage to get around this problem? > > Thanks for your help. > Regards, > Seosamh. > --------------- > Seosamh D. ? Riord?in, [soriordain at asitatech.ie] From soriordain at asitatech.com Tue Jan 18 06:14:01 2000 From: soriordain at asitatech.com (=?iso-8859-1?Q?Seosamh_D._=D3_Riord=E1in?=) Date: Tue Jan 18 06:14:01 2000 Subject: [pptp-server] Re: Hi, I'm in trouble with the same config asyou Message-ID: <08d801bf61ad$3a936d40$8c7fa8c0@typhoon.asitatech.ie> Hi, Yeah, I'm using ppp as a module - all modules are loaded properly as per instructions. My setup is RH5.1, 2.0.36, ppp-2.3.8 with relevant patches etc, and pptp 1.0.0. I've totally removed and reloaded the modules on server and client to no effect. BTW, do you use any other command line parameters to the linux pptp client than the ones below: (assuming your config files) #pptp firewall name jack noauth debug +chapms +mppe-128 mppe-stateless On another issue, if I use +chapms-v2 instead of +chapms the PPP Daemons on both machines seem to get into an endless loop sending CHAP challenge/response messages to each other ?? !!! Any pointers much appreciated.. Regards, Seosamh -----Original Message----- From: Adrian To: Seosamh D. ? Riord?in Cc: pptp-server at lists.schulte.org Date: Monday, January 17, 2000 7:07 PM Subject: Re: [pptp-server] Re: Hi, I'm in trouble with the same config asyou Hello, This might be off course, but are you using ppp as a module or built into the kernel? if you have it built in, have you remade the kernel and rebooted since patching it for mppe? 40bit encryption will work without rebooting, but 128bit wont. on windows machines, you can even connect with 128bit until you rebuild everything, but i'm not sure about linux to linux. that could be your problem. good luck :) Regards, Adrian On Mon, 17 Jan 2000, [iso-8859-1] Seosamh D. ? Riord?in wrote: > Hi Adrian, > > Cheers for that pointer on the effect of the nodeflate parameter - > certainly > saved me some time! The pptp-linux-1.0.2 client now works fine for me > with MPPE40. However, if I use +mppe-128 on the command line instead, > a ping over the interface just established results in the following type > of > message in the log file: > server: "Unsupported protocol (0x...) received" > client: "Protocol-Reject for unsupported protocol 0x..." > > How did you manage to get around this problem? > > Thanks for your help. > Regards, > Seosamh. > --------------- > Seosamh D. ? Riord?in, [soriordain at asitatech.ie] _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From Gareth_Marlow at scientia.com Tue Jan 18 06:30:04 2000 From: Gareth_Marlow at scientia.com (Gareth Marlow) Date: Tue Jan 18 06:30:04 2000 Subject: [pptp-server] 128-bit DUN upgrade Message-ID: <20000118122805.C22649@harris.scientia.com> Sorry - this is not directly about PPTP. Does anyone know if/when Microsoft will make the 128 bit VPN/DUN client upgrade available for international download under the relaxed export regulations? So far, according to their website, only Windows 2000, Outlook and some other stuff has been authorised. -- Gareth Marlow, Systems Administrator Scientia Ltd. ______________________________________________________________________ 'Ee's not the Messiah! 'Ee's a very naughty boy! From shadur at catv6150.extern.kun.nl Tue Jan 18 08:52:38 2000 From: shadur at catv6150.extern.kun.nl (Shadur t'Kharn) Date: Tue Jan 18 08:52:38 2000 Subject: [pptp-server] Error message while trying to connect over pptp Message-ID: <20000118155720.A1461@azimuth.houben.home.net> Hello all, I'm trying to connect a VPN client to a pptp server running Linux (debian Potato, last updated last night) and it's connecting at first, but then the server side fails with the following error in the log messages: Jan 18 15:22:45 catv6150 pptpd[30818]: CTRL (PPPD Launcher): local address = 192.168.150.1 Jan 18 15:22:45 catv6150 pptpd[30818]: CTRL (PPPD Launcher): remote address = 192.168.150.10 Jan 18 15:22:45 catv6150 pptpd[30817]: GRE: read(fd=5,buffer=804d8c0,len=8196) from PTY failed: status = -1 error = Input/output error Jan 18 15:22:45 catv6150 pptpd[30817]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6) Jan 18 15:22:45 catv6150 pptpd[30817]: CTRL: Client 194.109.154.81 control connection finished Jan 18 15:22:45 catv6150 pptpd[30817]: CTRL: Exiting now Jan 18 15:22:45 catv6150 pptpd[4408]: MGR: Reaped child 30817 The winduhs2K VPN client is less than helpful with its error messages, but the pptp-linux client (1.0.2) gives the following: Jan 18 15:17:06 nb-rens pppd[450]: pppd 2.3.10 started by shadur, uid 0 Jan 18 15:17:06 nb-rens pppd[450]: Using interface ppp0 Jan 18 15:17:06 nb-rens pppd[450]: Connect: ppp0 <--> /dev/ttya0 Jan 18 15:17:06 nb-rens pppd[450]: sent [LCP ConfReq id=0x1 ] Jan 18 15:17:33 nb-rens last message repeated 9 times Jan 18 15:17:36 nb-rens pppd[450]: LCP: timeout sending Config-Requests Jan 18 15:17:36 nb-rens pppd[450]: Connection terminated. I have the ip_masq_pptp patch running on the firewall between nb-rens and catv6150, and it reports normal operations in its syslogs. Has anyone had to deal with this problem before, or does anyone know what could be the cause? Thanks in advance, Rens Houben. -- Rens Houben / Shadur t'Kharn: Linux geek, programmer, student. PGP public key at: http://dwagon.sandwich.net/~shadur/pgpkey -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 248 bytes Desc: not available URL: From nmeyers at javalinux.net Tue Jan 18 09:05:49 2000 From: nmeyers at javalinux.net (Nathan Meyers) Date: Tue Jan 18 09:05:49 2000 Subject: [pptp-server] Error message while trying to connect over pptp References: <20000118155720.A1461@azimuth.houben.home.net> Message-ID: <388480F9.8BA4595E@javalinux.net> Shadur t'Kharn wrote: > > Hello all, > > I'm trying to connect a VPN client to a pptp server > running Linux (debian Potato, last updated last night) and it's > connecting at first, but then the server side fails with the > following error in the log messages: > Do you have any of those capabilities enabled from the client side that you're not supposed to have enabled (LCP extensions, and such)? Nathan > Jan 18 15:22:45 catv6150 pptpd[30818]: CTRL (PPPD Launcher): local address = 192.168.150.1 > Jan 18 15:22:45 catv6150 pptpd[30818]: CTRL (PPPD Launcher): remote address = 192.168.150.10 > Jan 18 15:22:45 catv6150 pptpd[30817]: GRE: read(fd=5,buffer=804d8c0,len=8196) from PTY failed: status = -1 error = Input/output error > Jan 18 15:22:45 catv6150 pptpd[30817]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6) > Jan 18 15:22:45 catv6150 pptpd[30817]: CTRL: Client 194.109.154.81 control connection finished > Jan 18 15:22:45 catv6150 pptpd[30817]: CTRL: Exiting now > Jan 18 15:22:45 catv6150 pptpd[4408]: MGR: Reaped child 30817 > > The winduhs2K VPN client is less than helpful with its error messages, but the > pptp-linux client (1.0.2) gives the following: > > Jan 18 15:17:06 nb-rens pppd[450]: pppd 2.3.10 started by shadur, uid 0 > Jan 18 15:17:06 nb-rens pppd[450]: Using interface ppp0 > Jan 18 15:17:06 nb-rens pppd[450]: Connect: ppp0 <--> /dev/ttya0 > Jan 18 15:17:06 nb-rens pppd[450]: sent [LCP ConfReq id=0x1 ] > Jan 18 15:17:33 nb-rens last message repeated 9 times > Jan 18 15:17:36 nb-rens pppd[450]: LCP: timeout sending Config-Requests > Jan 18 15:17:36 nb-rens pppd[450]: Connection terminated. > > I have the ip_masq_pptp patch running on the firewall between nb-rens and > catv6150, and it reports normal operations in its syslogs. > > Has anyone had to deal with this problem before, or does anyone > know what could be the cause? > > Thanks in advance, > Rens Houben. > > -- > Rens Houben / Shadur t'Kharn: Linux geek, programmer, student. > PGP public key at: http://dwagon.sandwich.net/~shadur/pgpkey > > ------------------------------------------------------------------------ > Part 1.2Type: application/pgp-signature From jimbud at arborlink.com Tue Jan 18 11:39:56 2000 From: jimbud at arborlink.com (Adrian) Date: Tue Jan 18 11:39:56 2000 Subject: [pptp-server] Re: Hi, I'm in trouble with the same config asyou In-Reply-To: <08d801bf61ad$3a936d40$8c7fa8c0@typhoon.asitatech.ie> Message-ID: Hello, Well, I use kernel 2.3.39, ppp-2.3.10, and pptp-1.0.2, and pptpd-1.0.0. I use only the "file" option with ppp to point to my options file, which is the one I included in my post to the list. Perhaps updating your distributions (except for kernel) might help. Regards, Adrian On Tue, 18 Jan 2000, [iso-8859-1] Seosamh D. ? Riord?in wrote: > Hi, > > Yeah, I'm using ppp as a module - all modules are loaded > properly as per instructions. My setup is RH5.1, 2.0.36, ppp-2.3.8 > with relevant patches etc, and pptp 1.0.0. > I've totally removed and reloaded the modules on server and > client to no effect. > > BTW, do you use any other command line parameters to the > linux pptp client than the ones below: (assuming your config files) > > #pptp firewall name jack noauth debug +chapms +mppe-128 > mppe-stateless > > On another issue, if I use +chapms-v2 instead of +chapms the PPP > Daemons on both machines seem to get into an endless loop > sending CHAP challenge/response messages to each other ?? !!! > > Any pointers much appreciated.. > Regards, > Seosamh From Jim at Morris.net Tue Jan 18 12:02:03 2000 From: Jim at Morris.net (Jim Morris) Date: Tue Jan 18 12:02:03 2000 Subject: [pptp-server] System Crash with PoPToP! Message-ID: <3884AA15.6106138F@Morris.net> Hi all. This is a new one on me. I just installed PoPToP 1.0.0, from the binary RPM file available on moretonbay.com, on a new server, after having successfully run PoPToP (various versions) for months on another system. This morning, when testing PoPToP using a Windows 98 client, the server system crashed hard. It eventually rebooted, apparently because of the Linux software watchdog timer. The last log messages prior to the reboot seem to indicate the use of a NULL pointer in the pptpctrl process. Here are the pertinent log messages, reformatted to fit: ----------- begin syslog messages ------------- 11:20:01 pptpd[21002]: CTRL: Client 216.78.168.62 control connection started 11:20:01 pptpd[21002]: CTRL: Starting call (launching pppd, opening GRE) 11:20:01 pppd[21003]: pppd 2.3.7 started by root, uid 0 11:20:01 pppd[21003]: Using interface ppp0 11:20:01 pppd[21003]: Connect: ppp0 <--> /dev/pts/1 11:20:01 pppd[21003]: CHAP peer authentication succeeded for jim 11:20:02 pppd[21003]: found interface eth1 for proxy arp 11:20:02 pppd[21003]: local IP address 192.168.100.230 11:20:02 pppd[21003]: remote IP address 192.168.100.240 11:20:02 pppd[21003]: CCP terminated by peer 11:20:02 pppd[21003]: Compression disabled by peer. 11:22:19 kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000070 11:22:19 kernel: current->tss.cr3 = 02745000, %cr3 = 02745000 11:22:19 kernel: *pde = 00000000 11:22:19 kernel: Oops: 0002 11:22:19 kernel: CPU: 0 11:22:19 kernel: EIP: 0010:[] 11:22:19 kernel: EFLAGS: 00010282 11:22:19 kernel: eax: 00002000 ebx: 0000004d ecx: c7bad400 edx: 00000000 11:22:19 kernel: esi: c7bad701 edi: c7bad448 ebp: c7bad448 esp: ce67feb8 11:22:19 kernel: ds: 0018 es: 0018 ss: 0018 11:22:19 kernel: Process pptpctrl (pid: 21002, process nr: 82, stackpage=ce67f000) 11:22:19 kernel: Stack: c71e4000 00000000 ffff4d94 00000006 c7bad448 00000000 cac71800 c7bad72e 11:22:19 kernel: 0000059f d088eef4 c7bad400 c7bad400 c71e4000 ccd4a000 ce67ff8c d088eb0b 11:22:19 kernel: c7bad400 c71e4000 ccd4a000 c01aaa52 c71e4000 00000000 00000000 c01a11aa 11:22:19 kernel: Call Trace: [] [] [pty_unthrottle+38/72] [check_unthrottle+42/48] [read_chan+1510/1792] [tty_read+176/208] [sys_read+194/232] 11:22:19 kernel: [system_call+52/56] [startup_32+43/164] 11:22:19 kernel: Code: f0 ff 4a 70 0f 94 c0 84 c0 74 09 52 e8 01 2d 8c ef 83 c4 04 11:37:38 syslogd 1.3-3: restart. ----------- end syslog stuff ------------- Pertinent system information: - SMP (2 Celeron 433's) - Redhat 6.0, with latest updates. - Linux kernel 2.2.14 - PPTP Masquerading kernel module patch installed (ip_masq_pptp) - pppd 2.3.7 (from Redhat 6.0 CD) - pptpd 1.0.0, from RPM file on moretonbay.com Client: Windows 98 Any advice would be appreciated. This system is the Samba server for about 20 people - so I cannot afford for it to reboot unexpectedly! ;-) Jim Morris (Jim at Morris.net) From eswood at tor.dhs.org Tue Jan 18 15:25:08 2000 From: eswood at tor.dhs.org (Ed Wood) Date: Tue Jan 18 15:25:08 2000 Subject: [pptp-server] windows domain host recognition Message-ID: Hey Folks. I'm working on getting pptp clients access to an NT file server which is in the same subnet as the pptp server. I have added the line " ms-dns X.X.X.X " to the /etc/ppp/options file so the client has a DNS server in that subnet. This subnet contains linux boxes and NT boxes, all of which are recognized by X.X.X.X which is a DHCP and DNS server. All of the boxeswhich are on the internal network can now be pinged from a command line on the NT PPTP client. They can also map network shares to Y.Y.Y.Y (the file server) but they can't map shares to \\fileserver\share. Why would the name resolution work from a command line but not from a windows explorer? Why would it allow shares to Y.Y.Y.Y and not \\fileserver\share? Any ideas (other than setting up a WINS server too which I'm trying to avoid at this point)? Thanx in advance. Woody From js1 at microwave.ph.msstate.edu Tue Jan 18 17:05:46 2000 From: js1 at microwave.ph.msstate.edu (js1 at microwave.ph.msstate.edu) Date: Tue Jan 18 17:05:46 2000 Subject: [pptp-server] wrong interface? Message-ID: I'm able to make a pptp connection to the pptp server. However, when the client tries to log onto the network, it sends the samba server the IP address of the NIC instead of the IP address of the pptp connection. My samba server is setup to serve only the IP address on the pptp connection. How do I make Win98 use the pptp interface instead of the NIC interface? Thanks for any help. Jiann-Ming Su, js1 at microwave.ph.msstate.edu Criminals, by definition, break the law... From MillsD at datametrics.co.uk Tue Jan 18 17:53:57 2000 From: MillsD at datametrics.co.uk (Dave Mills) Date: Tue Jan 18 17:53:57 2000 Subject: [pptp-server] Problem with more than one VPN client Message-ID: Hi, I used the FAQ's to install pptpd on a FreeBSD box, with a straight install. No MSCHAP patches for now! Everything is fine until I try to connect more than one user at a time, NT is showing "A device attached to the system is not functioning.", and the syslog is showing pppd[926]: ioctl(TIOCSETD): Device not configured pptpd[925]: GRE: read(fd=4,buffer=804d218,len=8196) from PTY failed: status = 0 error = No error pptpd[925]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) I have 50 remote and 50 local ip's configured. Anyone out there got any idea's?? Dave Mills From hshaw at epills.com Tue Jan 18 18:00:53 2000 From: hshaw at epills.com (Terrelle Shaw) Date: Tue Jan 18 18:00:53 2000 Subject: [pptp-server] Problem with more than one VPN client In-Reply-To: Message-ID: Hmm Just a question.. but why 50 local ip's? -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Dave Mills Sent: Tuesday, January 18, 2000 3:55 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] Problem with more than one VPN client Hi, I used the FAQ's to install pptpd on a FreeBSD box, with a straight install. No MSCHAP patches for now! Everything is fine until I try to connect more than one user at a time, NT is showing "A device attached to the system is not functioning.", and the syslog is showing pppd[926]: ioctl(TIOCSETD): Device not configured pptpd[925]: GRE: read(fd=4,buffer=804d218,len=8196) from PTY failed: status = 0 error = No error pptpd[925]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) I have 50 remote and 50 local ip's configured. Anyone out there got any idea's?? Dave Mills _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From MillsD at datametrics.co.uk Tue Jan 18 18:08:14 2000 From: MillsD at datametrics.co.uk (Dave Mills) Date: Tue Jan 18 18:08:14 2000 Subject: [pptp-server] Problem with more than one VPN client Message-ID: Just thought I'd match localip's with remoteip's, I've got a whole class C to play with. Should it only be one???? The FAQ example showed an equal number of IP's. Do you think this could be the cause of my problem??? Thanks for the quick response. Dave Mills -----Original Message----- From: Terrelle Shaw [mailto:hshaw at epills.com] Sent: Wednesday, January 19, 2000 12:01 AM To: Dave Mills; pptp-server at lists.schulte.org Subject: RE: [pptp-server] Problem with more than one VPN client Hmm Just a question.. but why 50 local ip's? -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Dave Mills Sent: Tuesday, January 18, 2000 3:55 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] Problem with more than one VPN client Hi, I used the FAQ's to install pptpd on a FreeBSD box, with a straight install. No MSCHAP patches for now! Everything is fine until I try to connect more than one user at a time, NT is showing "A device attached to the system is not functioning.", and the syslog is showing pppd[926]: ioctl(TIOCSETD): Device not configured pptpd[925]: GRE: read(fd=4,buffer=804d218,len=8196) from PTY failed: status = 0 error = No error pptpd[925]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) I have 50 remote and 50 local ip's configured. Anyone out there got any idea's?? Dave Mills _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From matthewr at moreton.com.au Tue Jan 18 18:14:51 2000 From: matthewr at moreton.com.au (Matthew Ramsay) Date: Tue Jan 18 18:14:51 2000 Subject: [pptp-server] Problem with more than one VPN client References: Message-ID: <00011910145306.06683@gibberling> one local ip is fine. a different remote IP required for all simultaneous clients is required though. i doubt this was the cause of the error though. cheers, matt On Wed, 19 Jan 2000, Dave Mills wrote: >Just thought I'd match localip's with remoteip's, I've got a whole class C >to play with. Should it only be one???? The FAQ example showed an equal >number of IP's. Do you think this could be the cause of my problem??? > >Thanks for the quick response. > >Dave Mills > > >-----Original Message----- >From: Terrelle Shaw [mailto:hshaw at epills.com] >Sent: Wednesday, January 19, 2000 12:01 AM >To: Dave Mills; pptp-server at lists.schulte.org >Subject: RE: [pptp-server] Problem with more than one VPN client > > >Hmm Just a question.. but why 50 local ip's? > > >-----Original Message----- >From: pptp-server-admin at lists.schulte.org >[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Dave Mills >Sent: Tuesday, January 18, 2000 3:55 PM >To: pptp-server at lists.schulte.org >Subject: [pptp-server] Problem with more than one VPN client > > >Hi, > >I used the FAQ's to install pptpd on a FreeBSD box, with a straight install. >No MSCHAP patches for now! > >Everything is fine until I try to connect more than one user at a time, NT >is showing "A device attached to the system is not functioning.", and the >syslog is showing > >pppd[926]: ioctl(TIOCSETD): Device not configured >pptpd[925]: GRE: read(fd=4,buffer=804d218,len=8196) from PTY failed: status >= 0 error = No error >pptpd[925]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) > >I have 50 remote and 50 local ip's configured. > >Anyone out there got any idea's?? > >Dave Mills > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulte.org! > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulte.org! -- Matthew Ramsay Moreton Bay From MillsD at datametrics.co.uk Tue Jan 18 18:15:28 2000 From: MillsD at datametrics.co.uk (Dave Mills) Date: Tue Jan 18 18:15:28 2000 Subject: [pptp-server] Problem with more than one VPN client Message-ID: The number of VPN's is set to one. I've tried to do the same thing on a 98 box, it's fine when it's the only user on the pptp-server, but if I already have one connected, it fails. Thanks Dave -----Original Message----- From: John Vaughan [mailto:jvaughan at maad.com] Sent: Wednesday, January 19, 2000 12:06 AM To: Dave Mills Subject: RE: [pptp-server] Problem with more than one VPN client This may be a shot in the dark but is the NT server PPTP protocol configured with more than one user. Default is set to one I believe. In Start\Settings\ControlPanel\Network click on the Protocols tab and highlight the PPTP protocol and then click the properties button. Let me know if this helps?? -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Dave Mills Sent: Tuesday, January 18, 2000 4:55 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] Problem with more than one VPN client Hi, I used the FAQ's to install pptpd on a FreeBSD box, with a straight install. No MSCHAP patches for now! Everything is fine until I try to connect more than one user at a time, NT is showing "A device attached to the system is not functioning.", and the syslog is showing pppd[926]: ioctl(TIOCSETD): Device not configured pptpd[925]: GRE: read(fd=4,buffer=804d218,len=8196) from PTY failed: status = 0 error = No error pptpd[925]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) I have 50 remote and 50 local ip's configured. Anyone out there got any idea's?? Dave Mills _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From MillsD at datametrics.co.uk Tue Jan 18 20:18:49 2000 From: MillsD at datametrics.co.uk (Dave Mills) Date: Tue Jan 18 20:18:49 2000 Subject: [pptp-server] Problem with more than one VPN client Message-ID: No the NT client is set to only one VPN, but that is all it is connecting to. The problem exists when I try to connect more than one client to the pptp server. I can connect with either an NT or Win98 box as long as it is the only client connected. If I have the Win98 client connected, and try to connect with the NT box, it fails until I disconnect Win98 (and vice-versa). I am pretty sure this is a server problem, as both type of clients work if they are the only one's connected. Sorry if I didn't explain this properly in my original mail. Thanks Dave Mills -----Original Message----- From: John Vaughan [mailto:jvaughan at maad.com] Sent: Wednesday, January 19, 2000 12:25 AM To: Dave Mills Subject: RE: [pptp-server] Problem with more than one VPN client So you are saying that the PPTP protocol on the NT server was set to more than 1 VPN's and it still doesn't like it?? -----Original Message----- From: Dave Mills [mailto:MillsD at datametrics.co.uk] Sent: Tuesday, January 18, 2000 5:16 PM To: John Vaughan Cc: pptp-server at lists.schulte.org Subject: RE: [pptp-server] Problem with more than one VPN client The number of VPN's is set to one. I've tried to do the same thing on a 98 box, it's fine when it's the only user on the pptp-server, but if I already have one connected, it fails. Thanks Dave -----Original Message----- From: John Vaughan [mailto:jvaughan at maad.com] Sent: Wednesday, January 19, 2000 12:06 AM To: Dave Mills Subject: RE: [pptp-server] Problem with more than one VPN client This may be a shot in the dark but is the NT server PPTP protocol configured with more than one user. Default is set to one I believe. In Start\Settings\ControlPanel\Network click on the Protocols tab and highlight the PPTP protocol and then click the properties button. Let me know if this helps?? -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Dave Mills Sent: Tuesday, January 18, 2000 4:55 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] Problem with more than one VPN client Hi, I used the FAQ's to install pptpd on a FreeBSD box, with a straight install. No MSCHAP patches for now! Everything is fine until I try to connect more than one user at a time, NT is showing "A device attached to the system is not functioning.", and the syslog is showing pppd[926]: ioctl(TIOCSETD): Device not configured pptpd[925]: GRE: read(fd=4,buffer=804d218,len=8196) from PTY failed: status = 0 error = No error pptpd[925]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) I have 50 remote and 50 local ip's configured. Anyone out there got any idea's?? Dave Mills _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From Patrick at reidworld.dynip.com Wed Jan 19 04:14:42 2000 From: Patrick at reidworld.dynip.com (Patrick Reid) Date: Wed Jan 19 04:14:42 2000 Subject: [pptp-server] ppp-2.3.10 make kernel problem plus how to get 128 bit VPN connection Message-ID: <000001bf6265$ecfd37a0$0200a8c0@Reidworld.dynip.com> I found out what the source of the problem with getting my encrypted connections going was - running make kernel for ppp-2.3.10 skipped copying a bunch of files which needed to be updated to support an encrypted connection. I had to manually compare the files and copy those which weren't the same as in the ppp-2.3.10 over into the Linux directory tree. (This was in RH 6.0, kernel 2.2.5-15). Also, I managed to get a 128 bit VPN connection going. You can download the 128 bit version of the Windows 98 Dial-Up Networking Security Update from the following URL: http://support.microsoft.com/Support/NTServer/128Eula.asp (that is, if you are in the US or Canada). Accept the EULA, then choose the appropriate 128-bit DUN Update. (There also a 128-bit update for Win 95 DUN 1.3 as well as for Win 98 - I used the Win 98 one and can only assume that the Win 95 one will work just the same). You should also download DUN40.EXE (or maybe vpnupd.exe: I used DUN40.EXE) and install it before continuing, I think. The downloaded file is called Msnt128.exe. When I tried to execute it, I got a message saying that the installed version of dial-up networking was the wrong one. However, if you have WinZip installed on your machine, you can extract all of the compressed files from the executable. If you do so, you will find that one of them is called dun128.inf. Right-click on this file and choose "Install." I rebooted once the install completed, but that may not be necessary. The package puts the following files in the windows\system directory: dun128.doc pppmac.vxd pppmac.40 rasapi32.dll rnaapp.exe pppmac.40 is a backup of the existing pppmac.vxd (which is why I suggested installing DUN40.EXE first). The dun128.inf install also copies dun128.inf to the windows\inf directory. Once my machine came back from the reboot, I was able to set up a 128-bit encrypted VPN link to PoPToP. Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: From tclick at thegallerygroup.com Wed Jan 19 08:13:45 2000 From: tclick at thegallerygroup.com (Tony Click, Senior Principal) Date: Wed Jan 19 08:13:45 2000 Subject: [pptp-server] Windows Client Connection Problems Message-ID: <000401bf6286$6e402320$4bf82ad1@thegallerygroup.com> I've been working at this problem hot and heavy for a while now and haven't found the appropriate incantation of animal to sacrifice to the gods of software compatibility. Anyone know how to fix this? I've got laptops that can dial into the ISP and then connect to the VPN flawlessly. Everything has went as expected. However, there are occasions that we will have our laptops on an Ethernet network and I'd like to to be able to use PPTP from that network to our VPN. The current situation is we have LANs at remote locations that have a dedicated router (ISDN) connecting them to the internet. On occasion, someone may need to connect to the VPN to get files. At one point I had one machine working under this configuration, but something happened and now it will connect only if I use DUN for internet connectivity. When using the Ethernet, on one machine I get error 650 and on another 629. Ironically both configurations appear to be identical. I can post the logs if they're needed. The gist of what they are indicating is that when using an ISP, everything is kosher, but when using Ethernet, the connection appears to try to negotiate IPXCP and NBFCP and after a bit it just craps out. TIA -Tony ---------------------------------------------------------------------------- ---- 312 West Millbrook Road, Suite 237 Raleigh, NC 27609 919 844-3735 844-2926 fax SOFTWARE SOLUTIONS GROUP ---------------------------------------------------------------------------- ---- Tony Click Senior Principal tclick at thegallerygroup.com -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: logo.gif Type: image/gif Size: 1936 bytes Desc: not available URL: From natecars at real-time.com Wed Jan 19 09:38:42 2000 From: natecars at real-time.com (Nate Carlson) Date: Wed Jan 19 09:38:42 2000 Subject: [pptp-server] Problem with more than one VPN client In-Reply-To: <00011910145306.06683@gibberling> Message-ID: On Wed, 19 Jan 2000, Matthew Ramsay wrote: > one local ip is fine. > a different remote IP required for all simultaneous clients is required though. > i doubt this was the cause of the error though. > > cheers, > matt > Well, but you would have to add an alias for each of the local ip's on the machine, right? (Eg, the local IP has to point to a valid IP address for the machine running the PPTP server..) Or am I totally misunderstanding what the local IP is (it IS the local end of the PPP tunnel, correct)? =) -- Nate Carlson | Phone : (612)943-8700 http://www.real-time.com | Fax : (612)943-8500 From hshaw at xytek.org Wed Jan 19 10:07:03 2000 From: hshaw at xytek.org (T. Shaw) Date: Wed Jan 19 10:07:03 2000 Subject: [pptp-server] (no subject) Message-ID: Hello all, although I have multiple clients connecting and I have no problems with poptop. The subnet mask for each client is set to 255.0.0.0, even though I have a netmask configured in the pptpd.conf file as 255.255.255.0. Here is an example from the NT machine that im currently on.. any reason why it set's the mask to this? PPP adapter NdisWan6: IP Address. . . . . . . . . : 10.0.0.200 Subnet Mask . . . . . . . . : 255.0.0.0 Default Gateway . . . . . . : 10.0.0.200 Terrelle Shaw hshaw at xytek.org http://www.xytek.org From MillsD at datametrics.co.uk Wed Jan 19 11:13:43 2000 From: MillsD at datametrics.co.uk (Dave Mills) Date: Wed Jan 19 11:13:43 2000 Subject: [pptp-server] Problem with more than one VPN client Message-ID: I seem to have opened a whole can of worms here!! But I have managed to get to the bottom of the original problem. It seems that FreeBSD will only allow one PPP session with it's default config, I added a line to the kernel config to let it allow a equal number of psuedo connections to what is specified in RemoteIP and after a kernel recompile and reboot it works just fine. Again, thanks for all the help on this one. If anyone see's the problem again, or if you want a full description for an FAQ or something, just let me know. Cheers, Dave -----Original Message----- From: Nate Carlson [mailto:natecars at real-time.com] Sent: Wednesday, January 19, 2000 3:38 PM To: Matthew Ramsay Cc: Dave Mills; Terrelle Shaw; pptp-server at lists.schulte.org Subject: RE: [pptp-server] Problem with more than one VPN client On Wed, 19 Jan 2000, Matthew Ramsay wrote: > one local ip is fine. > a different remote IP required for all simultaneous clients is required though. > i doubt this was the cause of the error though. > > cheers, > matt > Well, but you would have to add an alias for each of the local ip's on the machine, right? (Eg, the local IP has to point to a valid IP address for the machine running the PPTP server..) Or am I totally misunderstanding what the local IP is (it IS the local end of the PPP tunnel, correct)? =) -- Nate Carlson | Phone : (612)943-8700 http://www.real-time.com | Fax : (612)943-8500 From Patrick at reidworld.dynip.com Wed Jan 19 11:31:47 2000 From: Patrick at reidworld.dynip.com (Patrick Reid) Date: Wed Jan 19 11:31:47 2000 Subject: [pptp-server] ppp-2.3.10 make kernel problem plus how to get 128 bit VPN connection In-Reply-To: <000001bf6265$ecfd37a0$0200a8c0@Reidworld.dynip.com> Message-ID: <000801bf62a3$0980f1e0$0200a8c0@Reidworld.dynip.com> Oops -- there is a problem in my instructions below. Right-clicking on dun128.inf and selecting "install" doesn't work -- in addition to doing that (which adds some registry entries and copies over files that are not currently in your windows subfolders) you have to manually copy the following files over the existing ones: pppmac.vxd rasapi32.dll rnaapp.exe You might have to shutdown to MS-DOS mode to do this. Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Patrick Reid Sent: January 19, 2000 6:14 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] ppp-2.3.10 make kernel problem plus how to get 128 bit VPN connection I found out what the source of the problem with getting my encrypted connections going was - running make kernel for ppp-2.3.10 skipped copying a bunch of files which needed to be updated to support an encrypted connection. I had to manually compare the files and copy those which weren't the same as in the ppp-2.3.10 over into the Linux directory tree. (This was in RH 6.0, kernel 2.2.5-15). Also, I managed to get a 128 bit VPN connection going. You can download the 128 bit version of the Windows 98 Dial-Up Networking Security Update from the following URL: http://support.microsoft.com/Support/NTServer/128Eula.asp (that is, if you are in the US or Canada). Accept the EULA, then choose the appropriate 128-bit DUN Update. (There also a 128-bit update for Win 95 DUN 1.3 as well as for Win 98 - I used the Win 98 one and can only assume that the Win 95 one will work just the same). You should also download DUN40.EXE (or maybe vpnupd.exe: I used DUN40.EXE) and install it before continuing, I think. The downloaded file is called Msnt128.exe. When I tried to execute it, I got a message saying that the installed version of dial-up networking was the wrong one. However, if you have WinZip installed on your machine, you can extract all of the compressed files from the executable. If you do so, you will find that one of them is called dun128.inf. Right-click on this file and choose "Install." I rebooted once the install completed, but that may not be necessary. The package puts the following files in the windows\system directory: dun128.doc pppmac.vxd pppmac.40 rasapi32.dll rnaapp.exe pppmac.40 is a backup of the existing pppmac.vxd (which is why I suggested installing DUN40.EXE first). The dun128.inf install also copies dun128.inf to the windows\inf directory. Once my machine came back from the reboot, I was able to set up a 128-bit encrypted VPN link to PoPToP. Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From grebdnil at cheetah.spots.ab.ca Wed Jan 19 15:49:05 2000 From: grebdnil at cheetah.spots.ab.ca (Stacy Lindberg) Date: Wed Jan 19 15:49:05 2000 Subject: [pptp-server] (no subject) Message-ID: confirm 674642 From brian at cybernaut.com Wed Jan 19 16:45:16 2000 From: brian at cybernaut.com (Brian Haney) Date: Wed Jan 19 16:45:16 2000 Subject: [pptp-server] (no subject) Message-ID: <000501bf62ce$d21cefc0$819a21cf@specter.ibsystems.com> My kernel is 2.2.15 (RedHat 6.0 without modification). I'm running pptpd 1.0.0 and pppd 2.3.10. This kernel appears to include PTY. PPP loads as a module. I created /dev/ppp and added "alias char-major-108 ppp" to /etc/conf.modules. It has stopped complaining about module char-major-108. I do have ipchains filtering input on several ports, but 1723 is open. My /etc/ppp/chap-secrets file includes: server1 gatekeeper.fresno.cybernaut.com foobar * My /etc/ppp/options file contains: lock debug kdebug 7 name servername auth require-chap proxyarp My /etc/pptpd.conf file contains: speed 115200 localip 192.168.2.234-238 remoteip 192.168.3.234-238 When I attempt to connect from an NT 4.0 server (require encrypted password/no software compression/no header compression/username server1/password foobar) I get the following snippet in the syslog debug results: Jan 18 14:06:19 gatekeeper pptpd[926]: MGR: Launching /usr/local/sbin/pptpctrl to handle client Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: local address = 192.168.2.234 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: remote address = 192.168.3.234 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: pppd speed = 115200 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Client 207.33.154.129 control connection started Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Received PPTP Control Message (type: 1) Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Made a START CTRL CONN RPLY packet Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: I wrote 156 bytes to the client. Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Sent packet to client Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Received PPTP Control Message (type: 7) Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Set parameters to 152 maxbps, 16 window size Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Made a OUT CALL RPLY packet Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Starting call (launching pppd, opening GRE) Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: pty_fd = 4 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: tty_fd = 5 Jan 18 14:06:19 gatekeeper pptpd[927]: CTRL (PPPD Launcher): Connection speed = 115200 Jan 18 14:06:19 gatekeeper pptpd[927]: CTRL (PPPD Launcher): local address = 192.168.2.234 Jan 18 14:06:19 gatekeeper pptpd[927]: CTRL (PPPD Launcher): remote address = 192.168.3.234 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: I wrote 32 bytes to the client. Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Sent packet to client Jan 18 14:06:19 gatekeeper pppd[927]: The remote system is required to authenticate itself but I Jan 18 14:06:19 gatekeeper pptpd[926]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Client 207.33.154.129 control connection finished Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Exiting now Jan 18 14:06:19 gatekeeper pppd[927]: couldn't find any suitable secret (password) for it to use to do so. Jan 18 14:06:19 gatekeeper pptpd[818]: MGR: Reaped child 926 What am I missing? --Brian Haney brian at ibsystems.com www.ibsystems.com VP Engineering/CTO 408-260-8010 Internet Business Systems, Inc. Be There Now! (tm) From matthewr at moreton.com.au Wed Jan 19 16:54:35 2000 From: matthewr at moreton.com.au (Matthew Ramsay) Date: Wed Jan 19 16:54:35 2000 Subject: [pptp-server] Problem with more than one VPN client References: Message-ID: <00012008544404.26546@gibberling> >> one local ip is fine. >> a different remote IP required for all simultaneous clients is required though. >> i doubt this was the cause of the error though. > >Well, but you would have to add an alias for each of the local ip's on the >machine, right? (Eg, the local IP has to point to a valid IP address for >the machine running the PPTP server..) Or am I totally misunderstanding >what the local IP is (it IS the local end of the PPP tunnel, correct)? =) the local/remote addresses don't have to be a part of your LAN.. you can make any weird private address up and use them.. linux does the routing and will work things out for you.. for example. Private LAN: 192.168.0.* local ip: 10.255.255.254 remoteip: 10.255.254.250-254 a machine somewhere on the internet VPNs into the poptop server.. and is handed 10.255.254.250 (for example).. but it can now ping 192.168.0.* cheers, matt From christ at moreton.com.au Wed Jan 19 17:24:37 2000 From: christ at moreton.com.au (Chris Trew) Date: Wed Jan 19 17:24:37 2000 Subject: [pptp-server] (no subject) Message-ID: <388647F3.C6B40210@moreton.com.au> From christ at moreton.com.au Wed Jan 19 17:39:34 2000 From: christ at moreton.com.au (Chris Trew) Date: Wed Jan 19 17:39:34 2000 Subject: [pptp-server] Network Neighberhood Browsing using SAMBA Message-ID: <38864B68.4E66198F@moreton.com.au> This is my config to help any people that are still having any troubles browsing using poptop and SAMBA. This is a very rough guide. Sample Structure +-------------+ |MAIN NETWORK | +-------------+ | +-------------+ | 10.0.0.246 | | LINUX | | SAMBA WINS | |192.168.1.246| +-------------+ | +--------------+ | SMALL NETWORK| +--------------+ | +...................... | . +------------------------------------+ | 192.168.1.42 10.10.10.250 | | NETTEL || POPTOP | | 192.168.111.42 10.10.10.251-254 | +------------------------------------+ | . | . +--------------------------+ | LOCAL LAN | +--------------------------+ | . | . +-------------------------------------+ | 192.168.111.10 || 10.10.10.251 | | WIN98 WIN98 (PPTP) | +-------------------------------------+ NOTES: The SAMBA server running on linux can see both sides so that when the WIN98 machine connects it receives the WINS address (192.168.1.246) from the NETTEL. This points to the LINUX box. As there is no gateway to the main network the W98 machine can see all the computers on the main network but cannot connect to it. The LINUX box has a SAMBA share so the WIN98 machine may access it. FOR CLARIFICATION: The WIN98 Box is the VPN client and it accesses the NETTEL's poptop server via 192.168.111.42. It then receives a virtual address of 10.10.10.251 and can now ping LINUX on 192.168.1.246. The NETTEL box is running the poptop (pptpd) server and will accept up to 4 connections (10.10.10.251-254). The LINUX box is running samba with the win server turned on it is also the domain master and local master for both LANS 192.168.1.* and 10.0.0.*. SETUP: ========================= LINUX ------------------------- SAMBA/WINS workgroup = YOURWORKGROUP security = share local master = yes os level = 33 domain master = yes preferred master = yes wins support = yes (Make sure wins server is commented out!) wins proxy = yes - It seems to need this turned on for my config even though wins machines are pointing to it! You don't have to worry about HOSTS ALLOW unless you already use it otherwise comment it out. ========================= NETTEL - POPTOP ------------------------- /etc/options.pptp name PoPToP auth require-pap proxyarp ------------------------- /etc/pptpd.conf option /etc/options.pptp localip 10.10.10.250 remoteip 10.10.10.251-255 ------------------------- /etc/ppp/options netmask 255.255.255.0 ms-wins 192.168.1.246 ------------------------- /etc/ppp/pap-secrets phil PoPToP philspasswd * ========================= The first problem I encountered is that when I log on I see the entire network but after 2 minutes (or however long it take to register with the wins server) I loose all the other computers and it is replaced with my computer only. I fixed this at the client (W98) by doing the following: NETWORKING > PROPERTIES > TCP_IP - DIAL UP > PROPERTIES > BINDINGS Client for Microsoft Networks [Checked] File and Printer Sharing [Un-checked] If this is not done then after it logs onto the samba server (2 mins) the other computers will cease to show up during a refresh. You should first test to see if the 2min thing happens before doing this. PLEASE NOTE: Firstly make sure samba is working before using poptop. You may have to let samba run a while before it will stabilize and you can check this by adding: [Global] debuglevel = 10 in /etc/samba.conf and then tail or edit /var/log/samba/log.nmb to see the occasional printouts of the wins tables. Also this was my config and may differ from yours depending on versions and machines etc. It may require tweaking for your particular circumstances. Hope this helps you. From grebdnil at cheetah.spots.ab.ca Wed Jan 19 18:11:27 2000 From: grebdnil at cheetah.spots.ab.ca (Stacy Lindberg) Date: Wed Jan 19 18:11:27 2000 Subject: [pptp-server] a couple questions(mppe patches,etc) Message-ID: Hi and SORRY about the confirm message earlier!! :/ Anyways, I was having a problem with the mppe patches to ppp-2.3.10 but that turned out to be an issue with downloading them with netscape(munging data). Now I've just got a couple questions/issues. First of all here's what I have: Slackware 7.0.0 kernel 2.2.14 pppd-2.3.10 pptpd-1.0.0 SSLeay-0.6.6b ppp-2.3.10-openssl-norc4-mppe.patch mppe_stateless.diff Can anyone send me a mppe_stateless patch that works? Or at least tell me what exactly I need to modify? In the process of doing a "make kernel" from the patched ppp-2.3.10 source, the kinstall.sh script complains that it "Could not find source file rc4_skey.c !" Then after you build the kernel, and try to "make modules", it fails complaining it can't find the above file. I traced it down to removing line 68 from ppp_mppe.c b/c rc4_skey.c would appear to be included in the rc4.h and is no longer needed. Am I correct in coming to this conclusion? Any and all help would be appreciated! Cheers, Stacy P.S. setting pptp has been a breeze otherwise... From cambo11 at hotmail.com Wed Jan 19 20:24:37 2000 From: cambo11 at hotmail.com (Cam Bowman) Date: Wed Jan 19 20:24:37 2000 Subject: [pptp-server] using PPTP as a service selection gateway Message-ID: <20000120022428.87650.qmail@hotmail.com> I'm trying to avoid using a PPPoE server for a few reasons; 1. They are expensive 2. I haven't been able to find a linux PPPoE server 3. It requires "proprietary" software on the client I have the following setup - up and running Linux PPTP server (Redhat 6.1, kernel 2.2.12-20) ************ *************** * CORP LAN * * ISP LAN * * 10.1.1.x * * 216.47.18.x * ************ *************** \ / *************** * PPTP Server * *************** | *************** * DSL CLIENTS * * 192.168.4.x * *************** I'm running two PPTP server processes each bound to it's own IP address; they also use separate pptp config and ppp options files for network specific info. The PPTP server is also running DHCP and giving leases from the 192.168.4.x/24 network to the DSL users. Application: If the DSL client chooses to connect to ISP network, he would select his VPN profile configured for 192.168.4.10 and receive an IP address from the ISP LAN ie. 216.47.18.50. Likewise if the CORP VPN connection was chosen, the user would get a 10.1.1.x address. With the appropriate routes setup on the linux box, this works great. My concerns are with security & scalability, this box acts as a router.. therefore a hop point into my private networks; I would like to implement a routing policy where the following is true: 1. 192.168.4.x hosts can NOT talk to 10.1.1.x or 216.47.18.x hosts 2. 10.1.1.x hosts can NOT talk to 216.47.18.x or 192.168.4.x 3. 216.47.18.x hosts can NOT talk to 192.168.4.x or 10.1.1.x hosts Basically I do NOT want routing to occur between these 3 networks. The only reason it is there, is to facilitate routing PPTP connection traffic to the appropriate network. BIG QUESTION: HOW CAN I MAKE THIS SECURE??? I have disabled all services on the Linux box, except for DHCP and PPTP. You can't even telnet to the box. I'm mostly looking for feedback from anyone who can comment on scalability and security. I have the potential to have hundreds of DSL clients, so i'm not sure what type of resources it will need. If the solution is even practical??? Any and all suggestions welcome... thanks in advance Cam Bowman ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From toktar at per.com.br Wed Jan 19 22:17:44 2000 From: toktar at per.com.br (Emir Toktar) Date: Wed Jan 19 22:17:44 2000 Subject: [pptp-server] a couple questions(mppe patches,etc) References: Message-ID: <005d01bf62fd$f6727f50$010010ac@crypto.net> If you are usisng the softwares like said below, you will use the openssl-0.9.4.tar.gz file. In the openssl-0.9.4 version there are rc4_skey.c and others files.... > pptpd-1.0.0 > SSLeay-0.6.6b > ppp-2.3.10-openssl-norc4-mppe.patch > mppe_stateless.diff --- I cut this text from HOW TO FAQ - dec 99 ---------- Does this patch actually work without modification--besides editing the ppp_mppe.c file with: vi /usr/src/ppp-2.3.10/linux/ppp_mppe.c add the #include "rc4_skey.c" to the end of the include section I normally use the 2.3.8, because it works, but would like to try the 2.3.10. ... ----------------------------------------------------------- There are others references about this problem. Other thing: README.linux 2.3.11 " ... To talk to the new driver, pppd needs to be able to open /dev/ppp, character device (108,0). If the special file node /dev/ppp is not present, pppd will create it. However, if you are running with /dev on a read-only filesystem, pppd will not be able to create /dev/ppp. In that instance you should manually create /dev/ppp using the command `mknod /dev/ppp c 108 0'. If you use module autoloading and have PPP as a module, you will need to add the following to your /etc/modules.conf or /etc/conf.modules: alias tty-ldisc-3 ppp_async alias tty-ldisc-14 ppp_synctty alias char-major-108 ppp_generic " Frequently I see reference in howto/faq e-mails about error -> char-major-108 ppp_generic Dont' forget it add in your modules. Good luck! Best Regards Emir Toktar +55 2141 340-7157 toktar at per.com.br emir.toktar at bra.xerox.com toktar at ppgia.pucpr.br ----- Original Message ----- From: Stacy Lindberg To: Sent: Wednesday, January 19, 2000 10:11 PM Subject: [pptp-server] a couple questions(mppe patches,etc) > Hi and SORRY about the confirm message earlier!! :/ > > Anyways, I was having a problem with the mppe patches to ppp-2.3.10 but > that turned out to be an issue with downloading them with netscape(munging > data). Now I've just got a couple questions/issues. > > First of all here's what I have: > > Slackware 7.0.0 > kernel 2.2.14 > pppd-2.3.10 > pptpd-1.0.0 > SSLeay-0.6.6b > ppp-2.3.10-openssl-norc4-mppe.patch > mppe_stateless.diff > > Can anyone send me a mppe_stateless patch that works? Or at least tell me > what exactly I need to modify? > > In the process of doing a "make kernel" from the patched ppp-2.3.10 > source, the kinstall.sh script complains that it > "Could not find source file rc4_skey.c !" > Then after you build the kernel, and try to "make modules", it fails > complaining it can't find the above file. > > I traced it down to removing line 68 from ppp_mppe.c b/c rc4_skey.c would > appear to be included in the rc4.h and is no longer needed. Am I correct > in coming to this conclusion? > > Any and all help would be appreciated! > > Cheers, > Stacy > > P.S. setting pptp has been a breeze otherwise... > > > > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! > From Patrick at reidworld.dynip.com Wed Jan 19 22:31:26 2000 From: Patrick at reidworld.dynip.com (Patrick Reid) Date: Wed Jan 19 22:31:26 2000 Subject: [pptp-server] (no subject) In-Reply-To: <000501bf62ce$d21cefc0$819a21cf@specter.ibsystems.com> Message-ID: <000a01bf62ff$30519a20$0200a8c0@Reidworld.dynip.com> I don't know if this is it, but I think the conf.modules entry is supposed to be "alias char-major-108 off" Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Brian Haney Sent: January 19, 2000 6:45 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] (no subject) My kernel is 2.2.15 (RedHat 6.0 without modification). I'm running pptpd 1.0.0 and pppd 2.3.10. This kernel appears to include PTY. PPP loads as a module. I created /dev/ppp and added "alias char-major-108 ppp" to /etc/conf.modules. It has stopped complaining about module char-major-108. I do have ipchains filtering input on several ports, but 1723 is open. My /etc/ppp/chap-secrets file includes: server1 gatekeeper.fresno.cybernaut.com foobar * My /etc/ppp/options file contains: lock debug kdebug 7 name servername auth require-chap proxyarp My /etc/pptpd.conf file contains: speed 115200 localip 192.168.2.234-238 remoteip 192.168.3.234-238 When I attempt to connect from an NT 4.0 server (require encrypted password/no software compression/no header compression/username server1/password foobar) I get the following snippet in the syslog debug results: Jan 18 14:06:19 gatekeeper pptpd[926]: MGR: Launching /usr/local/sbin/pptpctrl to handle client Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: local address = 192.168.2.234 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: remote address = 192.168.3.234 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: pppd speed = 115200 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Client 207.33.154.129 control connection started Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Received PPTP Control Message (type: 1) Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Made a START CTRL CONN RPLY packet Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: I wrote 156 bytes to the client. Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Sent packet to client Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Received PPTP Control Message (type: 7) Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Set parameters to 152 maxbps, 16 window size Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Made a OUT CALL RPLY packet Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Starting call (launching pppd, opening GRE) Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: pty_fd = 4 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: tty_fd = 5 Jan 18 14:06:19 gatekeeper pptpd[927]: CTRL (PPPD Launcher): Connection speed = 115200 Jan 18 14:06:19 gatekeeper pptpd[927]: CTRL (PPPD Launcher): local address = 192.168.2.234 Jan 18 14:06:19 gatekeeper pptpd[927]: CTRL (PPPD Launcher): remote address = 192.168.3.234 Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: I wrote 32 bytes to the client. Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Sent packet to client Jan 18 14:06:19 gatekeeper pppd[927]: The remote system is required to authenticate itself but I Jan 18 14:06:19 gatekeeper pptpd[926]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5) Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Client 207.33.154.129 control connection finished Jan 18 14:06:19 gatekeeper pptpd[926]: CTRL: Exiting now Jan 18 14:06:19 gatekeeper pppd[927]: couldn't find any suitable secret (password) for it to use to do so. Jan 18 14:06:19 gatekeeper pptpd[818]: MGR: Reaped child 926 What am I missing? --Brian Haney brian at ibsystems.com www.ibsystems.com VP Engineering/CTO 408-260-8010 Internet Business Systems, Inc. Be There Now! (tm) _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulte.org! From pf at sxb.bsf.alcatel.fr Thu Jan 20 03:22:09 2000 From: pf at sxb.bsf.alcatel.fr (Pascal Fremaux) Date: Thu Jan 20 03:22:09 2000 Subject: [pptp-server] a couple questions(mppe patches,etc) References: Message-ID: <3886D25F.8870E2C4@sxb.bsf.alcatel.fr> You're rigth or you can use the solution proposed by Emir. I send you a mppe_stateless that works. Stacy Lindberg wrote: > Hi and SORRY about the confirm message earlier!! :/ > > Anyways, I was having a problem with the mppe patches to ppp-2.3.10 but > that turned out to be an issue with downloading them with netscape(munging > data). Now I've just got a couple questions/issues. > > First of all here's what I have: > > Slackware 7.0.0 > kernel 2.2.14 > pppd-2.3.10 > pptpd-1.0.0 > SSLeay-0.6.6b > ppp-2.3.10-openssl-norc4-mppe.patch > mppe_stateless.diff > > Can anyone send me a mppe_stateless patch that works? Or at least tell me > what exactly I need to modify? > > In the process of doing a "make kernel" from the patched ppp-2.3.10 > source, the kinstall.sh script complains that it > "Could not find source file rc4_skey.c !" > Then after you build the kernel, and try to "make modules", it fails > complaining it can't find the above file. > > I traced it down to removing line 68 from ppp_mppe.c b/c rc4_skey.c would > appear to be included in the rc4.h and is no longer needed. Am I correct > in coming to this conclusion? > > Any and all help would be appreciated! > > Cheers, > Stacy > > P.S. setting pptp has been a breeze otherwise... > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulte.org! -- Pascal Fremaux, SSII Alten Study Engineer at Alcatel Telecom R&D, Illkirch, France -------------- next part -------------- --- ppp-2.3.10/linux/ppp_mppe.c~ Thu Dec 2 14:46:31 1999 +++ ppp-2.3.10/linux/ppp_mppe.c Thu Dec 2 14:46:50 1999 @@ -163,7 +163,7 @@ RC4_set_key(&(state->RC4_send_key), state->keylen, state->session_send_key); RC4_set_key(&(state->RC4_recv_key), state->keylen, state->session_recv_key); - state->bits=MPPE_BIT_ENCRYPTED; + state->bits |= MPPE_BIT_FLUSHED; } --- ppp-2.3.10/pppd/ccp.c~ Thu Dec 2 14:44:30 1999 +++ ppp-2.3.10/pppd/ccp.c Thu Dec 2 14:48:00 1999 @@ -1051,7 +1051,10 @@ unsigned char opt_buf[64]; opt_buf[0] = CI_MPPE; opt_buf[1] = CILEN_MPPE; - opt_buf[2] = ((p[2] & MPPE_STATELESS) ? 1 : 0); + if(p[2] & MPPE_STATELESS) { + ho->mppe_stateless=1; + opt_buf[2] = MPPE_STATELESS; + } /* push in our send/receive keys */ if(p[5] & MPPE_40BIT) { ho->mppe_40 = 1; From j.koopmann at akctech.de Thu Jan 20 11:28:59 2000 From: j.koopmann at akctech.de (Koopmann, Jan-Peter) Date: Thu Jan 20 11:28:59 2000 Subject: [pptp-server] Newbie / PPTP on a firewall Message-ID: <697F9443DB53D311B361080009EEAA00057E8D@modemsrv.akctech.de> Hi, I am a complete PPTPD newbie and need some advice. Right now we have the following setup: Internet Linux Firewall internal network *.*.*.* ===== static public IP address --> ipchains and NAT --> private IP 172.16.40.254 ===== 172.16.40.* network I want to be able to establish VPN tunnels with PPTP from Windows 2000 clients. I thought about installing PPTPD on the Linux firewall. Will this work? Can Win2000 (and Win98) clients connect to the PPTPD on the Linux Firewall and "see" everything in the private 172.16.40.* network from that point on? If so, what will the configuration have to look like? Any help would be greatly appreciated! Thanks in advance, regards Jan-Peter ----------- Adam & Koopmann Computertechnik - Gesch?ftsf?hrer - Bismarckstr. 59 64293 Darmstadt Deutschland Tel.: +49 (6151) 66843-42 Fax: +49 (6151) 66843-52 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jpk.vcf Type: text/x-vcard Size: 1973 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2590 bytes Desc: not available URL: From yan at cardinalengineering.com Thu Jan 20 11:42:11 2000 From: yan at cardinalengineering.com (Yan Seiner) Date: Thu Jan 20 11:42:11 2000 Subject: [pptp-server] Newbie / PPTP on a firewall References: <697F9443DB53D311B361080009EEAA00057E8D@modemsrv.akctech.de> Message-ID: <38874A1F.4C3F686F@cardinalengineering.com> Yes - but it's not a simple setup. If you only firewall the public interface, you need ipchains code similar to: echo -n "pptp..." ipchains -A pub-in -p tcp \ --sport $UNPRIV_PORTS \ -d $PUBLIC_IP pptpctrl \ -j ACCEPT ipchains -A pub-in -p pptp \ -d $PUBLIC_IP \ -j ACCEPT ipchains -A pub-out -p tcp \ --source $PUBLIC_IP pptpctrl \ --dport $UNPRIV_PORTS \ -j ACCEPT ipchains -A pub-out -p pptp \ --source $PUBLIC_IP \ -j ACCEPT echo "" If you also firewall the internal interface, that gets a lot more complicated, as you have to handle all the smb protocol, broadcasts, etc. Remember that ppp0 is your "public" interface, and ppp1 and on are the VPN interfaces. You need to have different firewall rules for those. I have pptpd running on my firewall for win95/winNT, and it has proven stable under the vast majority of uses. I still can't see/mount shares on some of my internal servers, but that's due to the internal firewall code, not pptpd. --Yan > "Koopmann, Jan-Peter" wrote: > > Hi, > > I am a complete PPTPD newbie and need some advice. Right now we have > the following setup: > > Internet Linux > Firewall internal network > > *.*.*.* ===== static public IP address --> ipchains and NAT --> > private IP 172.16.40.254 ===== 172.16.40.* network > > I want to be able to establish VPN tunnels with PPTP from Windows 2000 > clients. I thought about installing PPTPD on the Linux firewall. Will > this work? Can Win2000 (and Win98) clients connect to the PPTPD on the > Linux Firewall and "see" everything in the private 172.16.40.* network > from that point on? If so, what will the configuration have to look > like? > > Any help would be greatly appreciated! Thanks in advance, > > regards Jan-Peter > > ----------- > Adam & Koopmann Computertechnik > - Gesch?ftsf?hrer - > Bismarckstr. 59 > 64293 Darmstadt > Deutschland > > Tel.: +49 (6151) 66843-42 > Fax: +49 (6151) 66843-52 -- Think different ride a recumbent use Linux. From tclick at thegallerygroup.com Thu Jan 20 16:46:56 2000 From: tclick at thegallerygroup.com (Tony Click, Senior Principal) Date: Thu Jan 20 16:46:56 2000 Subject: [pptp-server] Windows Client Connection Problems In-Reply-To: <388555B6.4E14A020@rampnet.com> Message-ID: <001601bf6397$44b223c0$4bf82ad1@thegallerygroup.com> Ok, well I've tried it both with CHAP and PAP and it still doesn't solve the problem. I'm convinced is on the client end. In several places I've read that you must first use DUN to make a connection to your ISP and then use DUN to connect to the VPN. In several cases I cannot use DUN to make a connection to an ISP. When I do a dial up connection, everything works fine. However, when I've not connected to an ISP via DUN but rather a LAN I get all those problems when I try to make the VPN connection. It was working at one point and I cannot tell what has changed. Is there anyone out there that has the following configuration working? [Win 98 Client]----ethernet----[Router]----ISDN----[ISP]====internet====[Router]---- ethernet----[pptp server] Everything works great when I have the machine connected like: [Win 98 Client]----Modem----[ISP]====internet====[Router]----ethernet----[pptp server] -----Original Message----- From: karunendra [mailto:babu at rampnet.com] Sent: Wednesday, January 19, 2000 1:12 AM To: tclick at thegallerygroup.com Subject: Re: [pptp-server] Windows Client Connection Problems Hi Tony, The authentication you are trying is from modem which is sending for CHAP so use PAP. with your server and let me know. thanks karunnedra Well here are the traces - this trace is from the machine that gives the Error: 650Jan 18 21:19:44 server pptpd[26646]: MGR: Manager process startedJan 18 21:19:59 server pptpd[26651]: CTRL: Client 209.42.199.180 control connection startedJan 18 21:19:59 server pptpd[26651]: CTRL: Starting call (launching pppd, opening GRE)Jan 18 21:20:00 server pppd[26652]: pppd 2.3.8 started by root, uid 0Jan 18 21:20:00 server pppd[26652]: Using interface ppp0Jan 18 21:20:00 server pppd[26652]: Connect: ppp0 <--> /dev/ttyp2Jan 18 21:20:00 server pppd[26652]: sent [LCP ConfReq id=0x1