[pptp-server] ADSL line pptp client not connecting.

Cowles, Steve Steve.Cowles at gte.net
Sat Jul 1 12:37:55 CDT 2000 

> -----Original Message-----
> From: Eastep, Tom 
> Sent: Saturday, July 01, 2000 10:20 AM
> To: Derek Simkowiak
> Cc: awilliam at whitemice.org; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] ADSL line pptp client not connecting.
> 
> 
> Thus spoke Derek Simkowiak:
> 
> > -> > yesterday a dedicated ADSL line and when I try to 
> > -> > establish the pptp connection over this ADSL line
> > -> > there is just no response from the 
> > [...]
> > -> Yep.  They installed my ADSL line today, and PPTP 
> > -> stopped working.  It does connect and start but then
> > -> the whole thing dies (ppp has a read error)
> > 
> > 	Could it be that your ISPs are doing some packet-filtering?
> > 
> > Is there *anyone* who was used PoPToP over an ADSL connection
> > successfully?  It would be good to know that it _can_ work...
> > 
> 
> Steve Cowles and I have tested PoPToP over ADSL successfully.
> 
> -Tom
> -- 


I thought I would add my two bits to this thread. 

Although Tom and I have been successful with PopTop and ADSL, I did run
across this problem a few weeks ago that might save some of you time in
debugging future problems with configuring PopTop. In fact, you might want
to make this the number one question to ask your ISP before ordering their
ADSL service.

BACKGROUND:

One of my customers (a lawyers office in downtown Dallas) wanted me to
implement a PPTP solution using their existing Linux based firewall so that
they could connect into the office from their homes. Piece of cake, so I
thought... considering the work Tom and I have done in setting up our own
PopTop servers on linux.

IMPLEMENTAION:

To make this long and frustrating implementation story short, I was NOT able
to implement PPTP at their office due to the fact that the ISP was blocking
"syn" type packets at their routers. When I contacted the ISP, they told me
that my customer would have to sign-up for their "business" type of service.
The business service did not block (filter) "syn" packets <groan>. Needless
to say, my customer was not willing to pay the 3x price differential to
switch service types. They decided to wait until their current contract
expired with the ISP and then switch.

MORAL OF THIS STORY:

ASK YOUR (POTENTIAL) ISP IF THEY BLOCK (FILTER) INBOUND DATA PACKETS BEFORE
YOU SIGN ON THE DOTTED LINE. It might save you future frustration in trying
to implement an application such as PopTop. In fact, this was the first time
I had run into this type of problem with an ISP. I know I'm going to check
with my customers ISP "first" before trying to implement any future
applications. I wasted way to much time on debugging this PopTop
implementation before I determined it was the ISP causing my problems.
<groan>

FWIW: Translating what (I think) this particular ISP did to block (filter)
packets at their Cisco routers into the linux/ipchains world, I cut/pasted
the following from "man ipchains"

  [!] -y, --syn
         Only match TCP packets with the SYN bit set and the
         ACK and FIN bits cleared.  Such packets are used to
         request TCP  connection  initiation;  for  example,
         blocking  such  packets coming in an interface will
         prevent incoming TCP connections, but outgoing  TCP
         connections  will  be  unaffected.   This option is
         only meaningful when the protocol type  is  set  to
         TCP.   If the "!" flag precedes the "-y", the sense
         of the option is inverted.

Steve Cowles

More information about the pptp-server mailing list