[pptp-server] The First Step...

Spencer Jr., Michael mspencer at accbiowa.com
Mon Mar 6 00:18:51 CST 2000


You have to understand IP routing a little better to get tunnel connections
to work properly.  To be honest, I didn't know anything about IP routing and
subnetworking either, until I had to learn quickly to solve a company
problem.  Or in other words, you're not a stupid person; it's just natural
to put off really learning and tinkering with IP routing until you need to.

I'm not saying this because I think you don't know it, I'm saying it for
completion.

An IP network is made up of subnetworks connected by routers and routes.

When you send an IP packet, your stack first figures out whether to just
place it on the wire (because the destination is on the same wire as you
are) or to send it through a router.  It makes this decision by using your
network number (your IP number ANDed with your netmask) and the
destination's IP number (ANDed with your netmask).

If it has to send it through a router, it then has to figure out which
router to use.  For most simple networks and most home dial-up users, there
is one and only one router:  the DEFAULT route's router.  If you don't have
a default route, you can't ever get outside your local network.  If you have
multiple default routes, your traffic will probably alternate which router
it goes through.

In more complicated networks, you have a (non-trivial) routing table.  That
routing table is only used when a packet must be delivered and is not on the
local wire.  The outgoing packet is checked against the destination network
and netmask on each entry in the routing table.  If a match is found, that
route's router is used to send the packet.  If no match is found period, the
default route is used.

For example:  I'm running an internal NT network with addresses on the
192.100.90.0/24 network.  I'll have an external PoPToP user connect to us --
I'll give the user an obscure 10.139.200.0/24 network address.  On the
user's end (with a batch file, for example) he must run ROUTE ADD
192.100.90.0 MASK 255.255.255.0 10.130.200.1 -- this adds another route to
the client's routing table, so his 98 box knows to use the VPN link whenever
it needs to connect into our network.  Other than that, though, his default
route hasn't been changed...he's not going to try to use our VPN router
(PoPToP) to route internet traffic.

So in short, the most elegant solution isn't just adding another default
route, it's adding a route command on the client-side.  If you make your
'localip' in pptpd.conf be a single IP number, you can put that route
command in a batch file.  (Our Director of Food and Beverage is trained to
make his laptop connect to the internet, then double-click the PPTP dial-up
icon, then double-click the VPN ROUTE batch file icon.  It's not hard for
end-users, and they'll jump through considerable hoops to get their email
from off-property.)

The only other problem will be getting traffic from your internal network to
go back through the VPN router box to your remote location.  We give
everyone our linux box as a default route, even boxes that aren't supposed
to connect to the internet or corporate.  You may have to do some
reconfiguring.


I've given help, and now I'd like to request a little.  I don't have any
problems getting a client to connect to our network.  But:  our connections
aren't encrypted, because I can't figure out how to get MS-CHAP encryption
support to work...and I can't figure out how to connect a network to another
network, instead of just a single host to a network.  I'm looking for simple
procedures, not lengthy HOWTO-worthy discussion.  (Remember the doom-ps
documentation?  Get linux, make linux go, get doom, make doom go...that kind
of detail is fine.)  I know I didn't provide any necessary information, but
if someone is interested in helping, let me know and I'll fess up details.

Thanks!

--Michael Spencer Jr.
mjs00 at uswest.net

> -----Original Message-----
> From:	Thomas Koschate [SMTP:koschate at bigfoot.com]
> Sent:	Thursday, March 02, 2000 7:51 PM
> To:	pptp-server at lists.schulte.org
> Subject:	[pptp-server] The First Step...
> 
> is driving me crazy!  I've got PoPToP 1.0 set up on a RedHat 6.1 box
> directly connected to the internet.  At this point, I haven't compiled in
> any of the MS-CHAP stuff - it's strictly the PoPToP distribution.  When I
> dial into it from an NT4 laptop using PPTP via an ISP, the laptop connects
> and is assigned a correct IP address according to the pptpd.conf file (i.e.
> on the same subnet as the rest of the private network), but it can't
> communicate with the private network (or even the PoPToP server), and none
> of the other machines can see it.  On the server side, an interface has
> been created and assigned an expected IP address, and a point-to-point
> route is set up.
> 
> There are no obvious error messages in the pptpd.log or messages files, and
> the connection appears willing to remain up as long as I am willing to keep
> it up.  A status message is added to the pptpd.log on a periodic basis that
> seems totally benign, but I can't do a damned thing with the connection.
> I've tried variations in the client settings, including both allowing the
> server to change the client gateway and not allowing the change, but the
> effect is the same.
> 
> Can anyone help me past this hurdle?
> 
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulte.org!
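The routing decision Michael walks through above (on-the-wire check by ANDing with the netmask, then longest-prefix match, then the default route), as an added example written for this archive page rather than code from the post or from PoPToP. It models the Windows client's table two ways: with the ISP default route kept and only the 192.100.90.0/24 entry added via the tunnel, as the post recommends, and with the VPN connection allowed to replace the default gateway instead. Assumptions not in the post: the ISP gateway address 198.51.100.1 is a placeholder, the interface names are invented, and the VPN gateway is taken to be 10.139.200.1, the PoPToP end of the 10.139.200.0/24 tunnel network the post assigns (the post's ROUTE ADD line prints 10.130.200.1).

```python
"""Route selection as described in the post above: first decide whether the
destination is on the local wire (both addresses ANDed with our netmask),
otherwise pick the most specific matching routing-table entry, with the
default route (0.0.0.0/0) winning only when nothing else matches."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network            # destination network + netmask
    gateway: Optional[ipaddress.IPv4Address]  # None: deliver directly on iface
    iface: str


def same_wire(my_ip: str, netmask: str, dst: str) -> bool:
    """AND both addresses with our netmask and compare the network numbers."""
    mask = int(ipaddress.IPv4Address(netmask))
    mine = int(ipaddress.IPv4Address(my_ip)) & mask
    theirs = int(ipaddress.IPv4Address(dst)) & mask
    return mine == theirs


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match over the table. Without a default route, a
    destination off every local network is simply unreachable."""
    d = ipaddress.IPv4Address(dst)
    matches = [r for r in table if d in r.network]
    if not matches:
        raise LookupError(f"no route to {dst}: no matching entry and no default route")
    return max(matches, key=lambda r: r.network.prefixlen)


def next_hop(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (address the packet is handed to, interface). For an on-link
    route the packet goes straight to the destination itself."""
    r = lookup(table, dst)
    return (str(r.gateway) if r.gateway is not None else dst), r.iface


def route(net: str, gw: Optional[str], iface: str) -> Route:
    return Route(ipaddress.IPv4Network(net),
                 ipaddress.IPv4Address(gw) if gw else None, iface)


# Constructed tables for the Windows client in the post. ISP_GATEWAY is an
# assumed placeholder (documentation range); VPN_GATEWAY is assumed to be the
# PoPToP end of the 10.139.200.0/24 tunnel network the post hands out.
ISP_GATEWAY = "198.51.100.1"
VPN_GATEWAY = "10.139.200.1"

# The post's recommendation: keep the ISP default route and add only the
# corporate network via the tunnel, i.e. the batch file's
# ROUTE ADD 192.100.90.0 MASK 255.255.255.0 <vpn gateway>.
CLIENT_WITH_ROUTE_ADD = [
    route("0.0.0.0/0", ISP_GATEWAY, "ppp-isp"),
    route("10.139.200.0/24", None, "ppp-vpn"),
    route("192.100.90.0/24", VPN_GATEWAY, "ppp-vpn"),
]

# What the table looks like if the client instead lets the VPN connection
# replace its default gateway: every non-local packet now enters the tunnel.
CLIENT_DEFAULT_VIA_VPN = [
    route("0.0.0.0/0", VPN_GATEWAY, "ppp-vpn"),
    route("10.139.200.0/24", None, "ppp-vpn"),
]

# No default route at all: only the tunnel's own subnet is reachable.
CLIENT_NO_DEFAULT = [route("10.139.200.0/24", None, "ppp-vpn")]


if __name__ == "__main__":
    for name, table in (("route add", CLIENT_WITH_ROUTE_ADD),
                        ("default via vpn", CLIENT_DEFAULT_VIA_VPN)):
        for dst in ("192.100.90.5", "203.0.113.9"):
            print(f"{name:16} {dst:14} -> {next_hop(table, dst)}")
```

With the ROUTE ADD table, 192.100.90.5 is handed to the VPN gateway and an internet address still leaves via the ISP gateway; with the default replaced, the same internet address goes into the tunnel, which is the behaviour the post is steering the Food and Beverage laptop away from. The CLIENT_NO_DEFAULT table shows the "no default route, nothing outside the local network" case as a LookupError.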
