[pptp-server] PPTP working on local net, not working over Internet (long one)
Vanja Hrustic
vanja at relaygroup.com
Wed Jun 7 09:59:35 CDT 2000
After 2 days, I still can't make Windows clients work with PoPToP over
Internet. It works just fine on local network.
I will try to supply as much details as possible, and I'd be happy if
someone has any suggestions. Sorry for the lengthy mail, but I've been
through FAQs and mailing list archives, and just couldn't find any
answers to this.
If you wish, you can just answer directly to me, and I will make a
summary to the list (to avoid 'flooding' the list :). But please, read
the whole mail before suggesting things (maybe I've tried them already
:).
The PoPToP setup...
Server:
- RedHat 6.1, 2.2.14 kernel, ppp-2.3.11, mppe patch (
ftp://ftp.binarix.com/pub/ppp-mppe/ppp-2.3.11-openssl-0.9.5-mppe.patch.gz
). kernel was recompiled 'from scratch', ppp* modules have been
compiled properly too (at least, they don't 'complain' :)
- PoPToP V1.0.0 (running as a standalone daemon, not from inetd);
installed in /usr/local/sbin (pptpctrl is also in /usr/local/sbin)
- Linux box has 2 interfaces - eth0 (internal) and eth1 (external).
pptpd is listening on eth1
Clients:
- Windows 2000, 128-bit 'patch' has not been applied. No 'fixes' (from
windowsupdate.microsoft.com) have been applied either.
- Windows NT 4.0 Workstation, SP6a is applied.
---------------------
/etc/ppp/options:
debug
kdebug 1
auth
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
proxyarp
require-chap
name crash
---------------------
/etc/pptpd.conf:
speed 115200
option /etc/ppp/options
debug
localip 192.168.1.250
remoteip 192.168.1.230-249
listen 202.1.1.1
---------------------
As I've said before, Windows clients work just fine on the local network.
I can see this in /var/log/messages:
Jun 7 19:55:35 x pppd[2171]: MSCHAP-v2 peer authentication succeeded
for test
Jun 7 19:55:35 x pppd[2171]: local IP address 192.168.1.250
Jun 7 19:55:35 x pppd[2171]: remote IP address 192.168.1.230
Jun 7 19:55:35 x pppd[2171]: MPPE 40 bit, stateless compression enabled
I presume it means that MSCHAP-v2 authentication was ok, and that 40-bit
encryption is being used.
Both Windows2000 and Windows NT4 are able to connect like this over
local network.
The fun begins when I disconnect any of those workstations from the
local network. I reboot (just in case), login locally to the machine (no
domain logins - it's obvious, since I'm disconnected from the network
:), and establish a connection to the ISP. Connection to ISP works fine,
and I've tried using both Supra and US Robotics modems (just in case,
again).
Now...
Windows 2000:
After I've rebooted and dialed ISP (let's say that IP of Win2000 box was
203.1.1.1), I've done:
# ipchains -I input -s 203.1.1.1 -j ACCEPT
# ipchains -I input -s 203.1.1.1 -j ACCEPT -p 47
# ipchains -I output -d 203.1.1.1 -j ACCEPT
# ipchains -I output -d 203.1.1.1 -j ACCEPT -p 47
I've added "-p 47" as per suggestion, but I think that '-j ACCEPT'
should allow *everything* in anyway.
Anyway, to make it short - I've done the same for both clients, and with
Windows 2000 I get "ERROR 651: The modem (or other connecting device)
has reported an error", while with NT 4 I get something like "No
response" (don't remember the msg, and can't go to that NT box right
now). I've tried to modify /etc/ppp/options (comment/uncomment various
entries) - but nothing has changed.
I have really tried to modify every single parameter in VPN properties
on Win2000. I've tried not to use encryption at all (commented it out in
pptpd.conf and allowed it in Win2000 properties), I've tried to change
TCP/IP settings, I've tried quite many things, but... always the same
problem.
Now, the point is that the Win2000 box does send some data to the pptp server.
I've grabbed the 'communication' between those 2 hosts using tcpdump. It
goes like...
1. 203.1.1.1 -> 202.1.1.1: SYN
2. 202.1.1.1 -> 203.1.1.1: SYN/ACK
3. 203.1.1.1 -> 202.1.1.1: ACK
4. 202.1.1.1 -> 203.1.1.1: FIN/ACK
5. 203.1.1.1 -> 202.1.1.1: PPTP START-CONTROL-REQUEST
6. 202.1.1.1 -> 203.1.1.1: RST
7. 203.1.1.1 -> 202.1.1.1: FIN/ACK
8. 202.1.1.1 -> 203.1.1.1: RST
What bothers me is:
- why is FIN/ACK returned by firewall (PoPToP) server (packet 4)?
- why is RST returned by firewall (PoPToP server), after the PPTP
request?
I am pretty sure that FIN/ACK (packet 4) and RST (packet 6) should not
be there. For some reason, they are... :(
However, in local network, the 'handshaking' goes like (192.1.1.1 is
Win2000 client):
1. 192.1.1.1 -> 202.1.1.1: SYN
2. 202.1.1.1 -> 192.1.1.1: SYN/ACK
3. 192.1.1.1 -> 202.1.1.1: ACK
5. 192.1.1.1 -> 202.1.1.1: PPTP START-CONTROL-REQUEST
6. 202.1.1.1 -> 192.1.1.1: ACK
7. 192.1.1.1 -> 202.1.1.1: PPTP START-CONTROL-REPLY
8. ...etc...
And this is the way it should be (SYN -> SYN/ACK -> ACK -> etc -> ACK ->
etc...)
Does anybody have any idea of what is going on in this scenario? :)
Also, this is the content of the PPTP START-CONTROL-REQUEST packet (as
seen in Ethereal). Maybe someone can tell me if it looks ok (it has the
same content, no matter if I am going through local net or through
Internet):
---------------------------------------
PPTP CONTROL CHANNEL:
Length: 156
Message Type: CONTROL MESSAGE (1)
Cookie: 0x1a2b3c4d
Control Type: START-CONTROL-REQUEST (1)
Reserved: 0
Protocol Version: 1.0
Reserved: 0
Framing Capabilities: ASYNCHRONOUS (1)
Bearer Capabilities: ANALOG (1)
Maximum Channels: 0
Firmware Revision: 2160
Hostname: (empty)
Vendor: Microsoft Windows NT
---------------------------------------
And the worst of all is - absolutely nothing gets logged (by pptpd) in
/var/log/messages or /var/log/pptpd.log. Is there any way to turn on
some 'super-debugging' in pptpd, that would be more verbose? [or should
I just try to modify the source and add more 'verbosity'?]
Any suggestion/idea/whatever is more than appreciated.
Thanks.
Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
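Added example (not part of the original post, and not PoPToP code): a small parser and sanity checker for the PPTP START-CONTROL-REQUEST message whose Ethereal decode appears above. The field layout is the SCCRQ layout from RFC 2637 (12 fixed fields followed by two 64-byte NUL-padded strings, 156 bytes in total, matching the "Length: 156" in the dump). The sample packet is constructed here to reproduce the values in the post (cookie 0x1a2b3c4d, protocol version 1.0, asynchronous framing, analog bearer, firmware revision 2160, empty hostname, vendor "Microsoft Windows NT"); it is not a captured packet. This lets you confirm on the wire whether the client's request is well-formed before suspecting the server side.

```python
"""Parse and sanity-check a PPTP Start-Control-Connection-Request (SCCRQ).

Added example: field layout per RFC 2637 section 2.2. The sample packet
built by build_sccrq() is constructed to match the Ethereal dump in the
post; it is not a real capture.
"""
import struct

# SCCRQ layout in network byte order: length, message type, magic cookie,
# control type, reserved0, protocol version, reserved1, framing caps,
# bearer caps, max channels, firmware revision, hostname[64], vendor[64]
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"
SCCRQ_LEN = struct.calcsize(SCCRQ_FMT)   # 156 bytes, as in the dump
MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1
CTRL_TYPE_SCCRQ = 1
PROTOCOL_VERSION = 0x0100                # shown as "1.0"
FRAMING_CAPS = {1: "ASYNCHRONOUS", 2: "SYNCHRONOUS", 3: "EITHER"}
BEARER_CAPS = {1: "ANALOG", 2: "DIGITAL", 3: "EITHER"}


def build_sccrq(framing=1, bearer=1, max_channels=0, firmware=2160,
                hostname=b"", vendor=b"Microsoft Windows NT",
                cookie=MAGIC_COOKIE):
    """Build a well-formed SCCRQ; the defaults reproduce the post's values."""
    return struct.pack(SCCRQ_FMT, SCCRQ_LEN, MSG_TYPE_CONTROL, cookie,
                       CTRL_TYPE_SCCRQ, 0, PROTOCOL_VERSION, 0,
                       framing, bearer, max_channels, firmware,
                       hostname.ljust(64, b"\x00"), vendor.ljust(64, b"\x00"))


def _cstr(raw):
    """Decode a NUL-padded 64-byte string field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_sccrq(data):
    """Unpack the first SCCRQ_LEN bytes of a control-channel message."""
    if len(data) < SCCRQ_LEN:
        raise ValueError(f"need {SCCRQ_LEN} bytes, got {len(data)}")
    f = struct.unpack(SCCRQ_FMT, data[:SCCRQ_LEN])
    return {
        "length": f[0],
        "message_type": f[1],
        "cookie": f[2],
        "control_type": f[3],
        "protocol_version": f"{f[5] >> 8}.{f[5] & 0xFF}",
        "framing": FRAMING_CAPS.get(f[7], f"UNKNOWN({f[7]})"),
        "bearer": BEARER_CAPS.get(f[8], f"UNKNOWN({f[8]})"),
        "max_channels": f[9],
        "firmware_revision": f[10],
        "hostname": _cstr(f[11]),
        "vendor": _cstr(f[12]),
    }


def check_sccrq(data):
    """Return the list of reasons a server would reject this SCCRQ (empty = looks OK)."""
    try:
        msg = parse_sccrq(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if msg["length"] != SCCRQ_LEN:
        problems.append(f"length field {msg['length']} != {SCCRQ_LEN}")
    if msg["message_type"] != MSG_TYPE_CONTROL:
        problems.append(f"message type {msg['message_type']} is not CONTROL")
    if msg["cookie"] != MAGIC_COOKIE:
        problems.append(f"bad magic cookie 0x{msg['cookie']:08x}")
    if msg["control_type"] != CTRL_TYPE_SCCRQ:
        problems.append(f"control type {msg['control_type']} is not SCCRQ")
    if msg["protocol_version"] != "1.0":
        problems.append(f"unsupported protocol version {msg['protocol_version']}")
    if msg["framing"].startswith("UNKNOWN") or msg["bearer"].startswith("UNKNOWN"):
        problems.append("unknown framing/bearer capability value")
    return problems


if __name__ == "__main__":
    sample = build_sccrq()
    for key, value in parse_sccrq(sample).items():
        print(f"{key}: {value}")
    print("problems:", check_sccrq(sample) or "none")
```

To use it on a real capture, feed check_sccrq() the TCP payload of the first packet the client sends after the handshake (port 1723); a non-empty list tells you the client's request itself is malformed, while an empty list with the server still answering RST points at the server side rather than the message.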