From emmet___ at yahoo.com Fri Sep 1 02:16:43 2000
From: emmet___ at yahoo.com (S.Ecker)
Date: Fri, 1 Sep 2000 00:16:43 -0700 (PDT)
Subject: [pptp-server] Poptop and port 47
Message-ID: <20000901071643.17082.qmail@web219.mail.yahoo.com>

If you look a little closer it says 'proto 47', not port 47. If you
want to know what port 47 is, check out
http://www.normos.org/en/lists/iana/port-numbers-0.html, but to save
you the trip it's NI-FTP. If you have a flowpoint router for instance
you need to issue the following command:

remote addserver 12.34.56.78 47 all internet

47 is the protocol # for GRE

--- "Cowles, Steve" wrote:
> I don't consider myself an expert on this subject, but both protocol
> (not port) 47 and port 1723 are needed to establish a PPTP/PPP VPN.
> The reasons are explained below. See the cut/paste from Microsoft's
> WEB site.
>
> Hopefully, the following scenarios might help some of you to
> understand what exactly needs to be done (configuration wise) based
> on your particular network architecture.
>
> Steve Cowles
>
> --------------------------
> Common Scenarios
> --------------------------
> 1) If your PPTP/PPP server (not the client initiating the tunnel) is
> located behind a firewall, i.e. masq'd PPTP server, then you will
> also need to "forward" both proto 47 and port 1723 in addition to
> ACCEPTing these at the firewall. In the linux world, this is
> typically accomplished by using "ipfwd" for protocols and
> "ipmasqadm" for ports. You would also need to apply JHardin's
> patches to handle the masq'd inbound PPTP connections.
>
> 2) If your PPTP/PPP server is running on the firewall itself, i.e.
> it's not masq'd, then you only need to ACCEPT proto 47 and port
> 1723. In this case, you do NOT need to apply JHardin's patches to
> the kernel. You're not masqing the PPTP VPN.
>
> 3) If you have a linux based firewall and you are trying to connect
> to a PPTP/PPP server located out on the internet (like at work) from
> a windows based client behind that firewall, then you will need to
> ACCEPT proto 47 and port 1723 on the firewall. You will also need to
> apply JHardin's patches to the kernel to handle the masq'd client
> PPTP connection. In this case, you would NOT need to use ipfwd or
> ipmasqadm. Your ipchain MASQ forward rule handles that.
>
> -----------------------------------
> ---- From www.microsoft.com -------
> -----------------------------------
> Packet Filters for PPTP
> Configure the following "input" filters with the filter action set
> to Drop all packets except those that meet the criteria below:
>
> Destination IP address of the VPN server's Internet interface,
> subnet mask of 255.255.255.255, and TCP destination port of 1723
> (0x06BB).
> This filter allows PPTP tunnel maintenance traffic from the PPTP
> client to the PPTP server.
>
> Destination IP address of the VPN server's Internet interface,
> subnet mask of 255.255.255.255, and IP Protocol ID of 47 (0x2F).
> This filter allows PPTP tunneled data from the PPTP client to the
> PPTP server.
>
> Destination IP address of the VPN server's Internet interface,
> subnet mask of 255.255.255.255, and TCP [established] source port of
> 1723 (0x06BB).
> This filter is required only if the VPN server is acting as a VPN
> client (a calling router) in a router-to-router VPN connection. When
> you select TCP [established], traffic is accepted only if the VPN
> server initiated the TCP connection.
>
> Configure the following "output" filters with the filter action set
> to Drop all packets except those that meet the criteria below:
>
> Source IP address of the VPN server's Internet interface, subnet
> mask of 255.255.255.255, and TCP source port of 1723 (0x06BB).
> This filter allows PPTP tunnel maintenance traffic from the VPN
> server to the VPN client.
>
> Source IP address of the VPN server's Internet interface, subnet
> mask of 255.255.255.255, and IP Protocol ID of 47 (0x2F).
> This filter allows PPTP tunneled data from the VPN server to the VPN
> client.
>
> Source IP address of the VPN server's Internet interface, subnet
> mask of 255.255.255.255, and TCP [established] destination port of
> 1723 (0x06BB).
> This filter is required only if the VPN server is acting as a VPN
> client (a calling router) in a router-to-router VPN connection. When
> you select TCP [established], traffic is sent only if the VPN server
> initiated the TCP connection.
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From andrew.wood at datalexuk.com Fri Sep 1 03:31:13 2000
From: andrew.wood at datalexuk.com (Andrew Wood)
Date: Fri, 1 Sep 2000 09:31:13 +0100
Subject: [pptp-server] Still Unable to ping AIX Servers
Message-ID: <6F6EA5048A46D41184AF0006295717340DC9@DLUKEX01>

I have messed around with routing tables, reconfigured clients, and
servers. Rebuilt my firewall but I still cannot ping any of my AIX
servers from a PPTP client. Does anybody have AIX servers that they can
ping from a pptpd client? I am thinking this is an AIX specific problem
but I don't want to waste any more time investigating if anybody has
this working already.

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286 FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

From amacc at iron-bridge.net Fri Sep 1 06:50:03 2000
From: amacc at iron-bridge.net (Andrew McRory)
Date: Fri, 1 Sep 2000 07:50:03 -0400 (EDT)
Subject: [pptp-server] Still Unable to ping AIX Servers
In-Reply-To: <6F6EA5048A46D41184AF0006295717340DC9@DLUKEX01>
Message-ID:

On Fri, 1 Sep 2000, Andrew Wood wrote:

> I have messed around with routing tables, reconfigured clients, and
> servers. Rebuilt my firewall but I still cannot ping any of my AIX
> servers from a PPTP client. Does anybody have AIX servers that they
> can ping from a pptpd client? I am thinking this is an AIX specific
> problem but I don't want to

No problem pinging AIX 4.3.3 here...

Andrew McRory - President/CTO amacc at iron-bridge.net
The PC Doctor, Inc. www.pcdr.com 850-575-7213
Iron Bridge Communications, Inc. www.iron-bridge.net 850-575-0779
Contributed Red Hat and Caldera RPMS ftp.iron-bridge.net/pub/Caldera

From chavant at geosys.fr Fri Sep 1 08:30:58 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Fri, 1 Sep 2000 15:30:58 +0200
Subject: [pptp-server] ppp_mppe.o: kernel-module version mismatch
Message-ID: <003501c01418$dcea7f20$7c03a8c0@pcjpc>

Hello,

my VPN box is a Bi-processor mother board under linux 2.2.14-15mdksmp.

my first problem was "can't locate module ppp-mppe".
So in the FAQ to resolve the problem, I have to do :

>yeah, in your /lib/modules//net/ directory, there should
>be files called bsd_comp.o and ppp_deflate.o.. insmod those files and
>you'll be good to go.

I'll do that but now I got another error :

[root at endeavour net]# insmod ppp_mppe
./ppp_mppe.o: kernel-module version mismatch
        ./ppp_mppe.o was compiled for kernel version 2.2.14-15mdk
        while this kernel is version 2.2.14-15mdksmp.

How can I resolve this problem ?

thanks.

JPaul

From cliles at gw.total-web.net Fri Sep 1 11:49:49 2000
From: cliles at gw.total-web.net (Chris)
Date: Fri, 1 Sep 2000 09:49:49 -0700
Subject: [pptp-server] ppp_mppe.o: kernel-module version mismatch
References: <003501c01418$dcea7f20$7c03a8c0@pcjpc>
Message-ID: <000c01c01434$a5af5500$2c64ed0a@jojostomp.net>

recompile.

----- Original Message -----
From: "Jean-Paul Chavant"
To: "Pptp"
Sent: Friday, September 01, 2000 6:30 AM
Subject: [pptp-server] ppp_mppe.o: kernel-module version mismatch

> Hello,
>
> my VPN box is a Bi-processor mother board under linux 2.2.14-15mdksmp.
>
> my first problem was "can't locate module ppp-mppe". So in the FAQ to
> resolve the problem, I have to do :
>
> >yeah, in your /lib/modules//net/ directory, there should
> >be files called bsd_comp.o and ppp_deflate.o.. insmod those files and
> >you'll be good to go.
>
> I'll do that but now I got another error :
>
> [root at endeavour net]# insmod ppp_mppe
> ./ppp_mppe.o: kernel-module version mismatch
>         ./ppp_mppe.o was compiled for kernel version 2.2.14-15mdk
>         while this kernel is version 2.2.14-15mdksmp.
>
> How can I resolve this problem ?
>
> thanks.
>
> JPaul
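
For the packet filters quoted in the "Poptop and port 47" thread above, an added example (not written by any poster on this list and not PoPToP code): it reads the IPv4 protocol field and applies the three "input" filters as described, next to a filter that opens port 47 instead of protocol 47. The addresses, sample packets and function names are constructed for illustration, and "TCP [established]" is approximated by the ACK bit.

```python
import socket
import struct

# Constructed addresses from the documentation ranges; not taken from the thread.
VPN_SERVER = "192.0.2.10"
CLIENT = "198.51.100.7"

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47   # values of the IPv4 "protocol" field
PPTP_PORT = 1723                              # TCP port of the PPTP control channel
TCP_SYN, TCP_ACK = 0x02, 0x10


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def tcp(sport, dport, flags):
    """Minimal 20-byte TCP header carrying only ports and flags."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def parse(packet):
    """Pull out the fields the filters test: protocol, addresses, ports, ACK bit."""
    ihl = (packet[0] & 0x0F) * 4
    f = {"proto": packet[9],
         "src": socket.inet_ntoa(packet[12:16]),
         "dst": socket.inet_ntoa(packet[16:20]),
         "sport": None, "dport": None, "ack": False}
    # Ports exist only inside TCP and UDP; a GRE packet has none to match on.
    if f["proto"] in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        f["sport"], f["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    if f["proto"] == PROTO_TCP and len(packet) >= ihl + 14:
        f["ack"] = bool(packet[ihl + 13] & TCP_ACK)
    return f


def input_filter(packet, calling_router=False):
    """The three "input" filters from the quoted text; everything else is dropped."""
    f = parse(packet)
    if f["dst"] != VPN_SERVER:
        return "DROP"
    if f["proto"] == PROTO_TCP and f["dport"] == PPTP_PORT:
        return "ACCEPT control"
    if f["proto"] == PROTO_GRE:
        return "ACCEPT tunnel"
    # Assumption: "TCP [established]" is modelled as "ACK bit set".
    if calling_router and f["proto"] == PROTO_TCP and f["sport"] == PPTP_PORT and f["ack"]:
        return "ACCEPT established"
    return "DROP"


def port47_filter(packet):
    """The misreading from the thread: port 47 opened instead of protocol 47."""
    f = parse(packet)
    if f["dst"] != VPN_SERVER:
        return "DROP"
    if f["proto"] == PROTO_TCP and f["dport"] == PPTP_PORT:
        return "ACCEPT control"
    if f["proto"] in (PROTO_TCP, PROTO_UDP) and f["dport"] == 47:
        return "ACCEPT port 47"
    return "DROP"


# Constructed sample packets. The GRE header uses the PPTP layout: K bit set,
# version 1, protocol type 0x880B, then payload length 0 and call ID 1.
GRE_HEADER = struct.pack("!HHHH", 0x2001, 0x880B, 0, 1)
SAMPLES = {
    "control": ipv4(CLIENT, VPN_SERVER, PROTO_TCP, tcp(40000, PPTP_PORT, TCP_SYN)),
    "gre": ipv4(CLIENT, VPN_SERVER, PROTO_GRE, GRE_HEADER),
    "tcp47": ipv4(CLIENT, VPN_SERVER, PROTO_TCP, tcp(40001, 47, TCP_SYN)),
    "udp47": ipv4(CLIENT, VPN_SERVER, PROTO_UDP, struct.pack("!HHHH", 40002, 47, 8, 0)),
    "reply": ipv4(CLIENT, VPN_SERVER, PROTO_TCP, tcp(PPTP_PORT, 40003, TCP_ACK)),
}


def verdicts(filter_fn, **kwargs):
    """Run every sample packet through one filter and collect the verdicts."""
    return {name: filter_fn(pkt, **kwargs) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, fn in (("proto 47 filter", input_filter), ("port 47 filter", port47_filter)):
        for name, verdict in verdicts(fn).items():
            print(f"{label:16} {name:8} {verdict}")
```

With the port-47 rule the control connection on TCP 1723 is accepted but the GRE packets are dropped, so the tunnel never carries data.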

From klumpba at hotmail.com Fri Sep 1 08:54:48 2000
From: klumpba at hotmail.com (Brian Klump)
Date: Fri, 01 Sep 2000 13:54:48 GMT
Subject: [pptp-server] ppp_mppe.o: kernel-module version mismatch
Message-ID:

It appears your current kernel is not the same as the one you compiled
your modules for? Not 100% sure, but I think setting
CONFIG_MODVERSIONS=y in your /usr/src/linux/.config file should do the
trick...it's also the same as "Loadable module support"->"Set version
information on all symbols for modules" when using make xconfig. You'll
have to recompile the kernel after you make this change...

-Brian

>From: "Jean-Paul Chavant"
>To: "Pptp"
>Subject: [pptp-server] ppp_mppe.o: kernel-module version mismatch
>Date: Fri, 1 Sep 2000 15:30:58 +0200
>
>Hello,
>
>my VPN box is a Bi-processor mother board under linux 2.2.14-15mdksmp.
>
>my first problem was "can't locate module ppp-mppe". So in the FAQ to
>resolve the problem, I have to do :
>
> >yeah, in your /lib/modules//net/ directory, there should
> >be files called bsd_comp.o and ppp_deflate.o.. insmod those files and
> >you'll be good to go.
>
>I'll do that but now I got another error :
>
>[root at endeavour net]# insmod ppp_mppe
>./ppp_mppe.o: kernel-module version mismatch
>        ./ppp_mppe.o was compiled for kernel version 2.2.14-15mdk
>        while this kernel is version 2.2.14-15mdksmp.
>
>How can I resolve this problem ?
>
>thanks.
>
>JPaul

From Steve.Cowles at gte.net Fri Sep 1 09:10:35 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Fri, 1 Sep 2000 09:10:35 -0500
Subject: [pptp-server] Poptop and port 47
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4F4@defiant.infohiiway.com>

> -----Original Message-----
> From: S.Ecker [mailto:emmet___ at yahoo.com]
> Sent: Friday, September 01, 2000 2:17 AM
> To: pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] Poptop and port 47
>
>
> If you look a little closer it says 'proto 47', not
> port 47. If you want to know what port 47 is, check
> out http://www.normos.org/en/lists/iana/port-numbers-0.html,
> but to save you the trip it's NI-FTP.
> If you have a flowpoint router for instance you need to issue the
> following command:

Hmmm... Since you replied to my post, I'm curious - Why you are asking
me to take a closer look? I may not be an expert on PPTP, but I do
understand the difference between ports/protos and (i believe) also
correctly stated that in my reply to this list. Please correct me if
I'm wrong.

FWIW: From www.cisco.com (Terms and Acronyms)

GRE: generic routing encapsulation. Tunneling protocol developed by
Cisco that can encapsulate a wide variety of protocol packet types
inside IP tunnels, creating a virtual point-to-point link to Cisco
routers at remote points over an IP internetwork. By connecting
multiprotocol subnetworks in a single-protocol backbone environment, IP
tunneling using GRE allows network expansion across a single-protocol
backbone environment.

Whether or not you choose to believe Cisco's term (definition) for GRE,
all of us on this list are obviously not creating a tunnel into a cisco
router. Given my limited understanding of PPTP, I believe PPTP (the
tunnel part) along with PPP are being encapsulated and de-encapsulated
using GRE. I base my belief on viewing some of the source code from
PPTP client.

/* pptp_gre.c -- encapsulate PPP in PPTP-GRE.
 * Handle the IP Protocol 47 portion of PPTP.
....
..

And some of the functions defined within...

int decaps_hdlc(...)
int encaps_hdlc(...)
int decaps_gre (...)
int encaps_gre (...)

Getting back to the original intent of my post, both PROTO 47 and TCP
PORT 1723 must be ACCEPTed on the external interface of your firewall
in order to establish a PPTP/PPP tunnel. Based on your particular
network architecture, some additional configuration might need to be
done. i.e. ipmasqadm and ipfwd along with the possibility of adding
routes to your route tables.

Steve Cowles

From Steve.Cowles at gte.net Fri Sep 1 11:52:15 2000
From: Steve.Cowles at gte.net (Cowles, Steve)
Date: Fri, 1 Sep 2000 11:52:15 -0500
Subject: [pptp-server] ppp_mppe.o: kernel-module version mismatch
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE4F5@defiant.infohiiway.com>

Are you sure you "installed" the modules (or even the kernel) after you
compiled your kernel/modules? On my Poptop server (RH6.1), I basically
had to perform the following steps to get everything to play together.

1) make config or make xconfig
   Make sure the following options were set by viewing the
   /usr/src/linux/.config file after running the above.

   CONFIG_MODULES=y
   CONFIG_MODVERSIONS=y
   CONFIG_KMOD=y

2) make bzImage
   This will compile the kernel only, not the modules.

3) make modules
   This will compile the modules designated during step one above.

4) make modules_install
   This will copy the modules created in step three above to
   (typically) /lib/modules//
   With regards to ppp_mppe.o, sub-dir=net

5) Copy the compiled kernel image to (typically) /boot. On my system,
   I use

   cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz

   FYI: An excellent resource that I use for my Redhat system on
   compiling/installing/upgrading the kernel is
   http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html

6) lilo -v
   Update the master boot record

7) If you want the kernel to suppress those annoying syslog messages
   about "unable to locate..." crap, then you will also need to edit
   /etc/conf.modules and make sure it contains the following:

   alias ppp-compress-18 ppp_mppe
   alias ppp-compress-21 bsd_comp
   alias ppp-compress-24 ppp_deflate
   alias ppp-compress-26 ppp_deflate
   alias tty-ldisc-3 ppp_async
   alias tty-ldisc-14 ppp_synctty
   alias char-major-108 ppp_generic

8) reboot

If all is well and the module dependencies are correct (depmod), when
you try to connect from a PPTP client, you should NOT have to load any
modules manually. i.e. no insmod.

To illustrate:

Loaded modules before initiating a PPTP connection from my W2K system

[scowles at voyager boot]$ lsmod
Module                  Size  Used by
3c59x                  19496   1  (autoclean)

Loaded modules after initiating a PPTP connection from my W2K system.

[scowles at voyager boot]$ lsmod
Module                  Size  Used by
ppp_deflate            40536   0  (autoclean)
ppp_mppe               13572   2  (autoclean)
bsd_comp                3620   0  (autoclean)
3c59x                  19496   1  (autoclean)

and the corresponding syslog output

Sep 1 11:14:42 voyager kernel: registered device ppp0
Sep 1 11:14:42 voyager pppd[14635]: pppd 2.3.11 started by root, uid 0
Sep 1 11:14:42 voyager pppd[14635]: Using interface ppp0
Sep 1 11:14:42 voyager pppd[14635]: Connect: ppp0 <--> /dev/pts/3
Sep 1 11:14:44 voyager pptpd[14634]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 1 11:14:45 voyager kernel: PPP BSD Compression module registered
Sep 1 11:14:45 voyager kernel: PPP MPPE compression module registered
Sep 1 11:14:45 voyager kernel: PPP Deflate Compression module registered
Sep 1 11:14:45 voyager pppd[14635]: MSCHAP-v2 peer authentication succeeded for COWLES\\scowles
Sep 1 11:14:45 voyager pppd[14635]: found interface eth0 for proxy arp
Sep 1 11:14:45 voyager pppd[14635]: local IP address 192.168.9.4
Sep 1 11:14:45 voyager pppd[14635]: remote IP address 192.168.9.100
Sep 1 11:14:52 voyager pppd[14635]: MPPE 128 bit, stateless compression enabled

Notice that the kernel has taken care of auto loading these modules
based on their dependencies. It will also "remove" these modules
(automatically) when they are not in use after some inactivity timeout
period. For example, about 10 minutes after I disconnected my W2K
system from my PopTop server, my syslog output generated the following:

Sep 1 11:30:00 voyager kernel: PPP MPPE compression module unregistered

[scowles at voyager net]$ lsmod
Module                  Size  Used by
3c59x                  19496   1  (autoclean)

Hope this helps.

Steve Cowles

> -----Original Message-----
> From: Jean-Paul Chavant [mailto:chavant at geosys.fr]
> Sent: Friday, September 01, 2000 8:31 AM
> To: Pptp
> Subject: [pptp-server] ppp_mppe.o: kernel-module version mismatch
>
>
> Hello,
>
> my VPN box is a Bi-processor mother board under linux 2.2.14-15mdksmp.
>
> my first problem was "can't locate module ppp-mppe". So in the FAQ to
> resolve the problem, I have to do :
>
> >yeah, in your /lib/modules//net/ directory, there should
> >be files called bsd_comp.o and ppp_deflate.o.. insmod those files and
> >you'll be good to go.
>
> I'll do that but now I got another error :
>
> [root at endeavour net]# insmod ppp_mppe
> ./ppp_mppe.o: kernel-module version mismatch
>         ./ppp_mppe.o was compiled for kernel version 2.2.14-15mdk
>         while this kernel is version 2.2.14-15mdksmp.
>
> How can I resolve this problem ?
>
> thanks.
>
> JPaul

From superhero21 at hotmail.com Sat Sep 2 03:03:19 2000
From: superhero21 at hotmail.com (Piti Cherntanomwong)
Date: Sat, 02 Sep 2000 08:03:19 GMT
Subject: [pptp-server] PPtP
Message-ID:

Dear all,

I have a question about PoPToP. What does PoPToP stand for?

And I wonder about the picture http://www.moretonbay.com/vpn/pptpd.gif.
I have some questions.

1. The green line from pptp client to the intranet, the pptp client
   uses remoteip which is assigned by the pptpd server for ppp, right?
2. If there are multiple connections, pptpd server creates multiple
   green lines for each connection, right?

It's very helpful if you can describe about that picture.

Thank you very much
Piti

From j.krigovszky at wirtschaftsblatt.at Sat Sep 2 16:40:36 2000
From: j.krigovszky at wirtschaftsblatt.at (Josef Krigovszky)
Date: Sat, 2 Sep 2000 23:40:36 +0200
Subject: [pptp-server] Please help with pptp-server problems
Message-ID:

I set up a pptp-server under linux (suse 6.4) and a windows 2000
client, as described in the pptp howto. I am using an ethernet-lan
connection for the tunnel. Whenever I try to connect with the windows
2000 client, I get the following log-entries in the pptp.log. I hope
someone can help me with this problem cause I have no clue what's
wrong.

Aug 31 11:31:37 test pptpd[2502]: MGR: Reaped child 2503
Aug 31 11:51:34 test pptpd[2543]: MGR: Manager process started
Aug 31 11:51:37 test pptpd[2544]: MGR: Launching /usr/sbin/pptpctrl to handle client
Aug 31 11:51:37 test pptpd[2544]: CTRL: local address = 10.1.72.15
Aug 31 11:51:37 test pptpd[2544]: CTRL: remote address = 10.1.72.41
Aug 31 11:51:37 test pptpd[2544]: CTRL: pppd speed = 115200
Aug 31 11:51:37 test pptpd[2544]: CTRL: Client 192.168.0.2 control connection started
Aug 31 11:51:37 test pptpd[2544]: CTRL: Received PPTP Control Message (type: 1)
Aug 31 11:51:37 test pptpd[2544]: CTRL: Made a START CTRL CONN RPLY packet
Aug 31 11:51:37 test pptpd[2544]: CTRL: I wrote 156 bytes to the client.
Aug 31 11:51:37 test pptpd[2544]: CTRL: Sent packet to client
Aug 31 11:51:40 test pptpd[2544]: CTRL: Received PPTP Control Message (type: 7)
Aug 31 11:51:40 test pptpd[2544]: CTRL: Set parameters to 1525 maxbps, 64 window size
Aug 31 11:51:40 test pptpd[2544]: CTRL: Made a OUT CALL RPLY packet
Aug 31 11:51:40 test pptpd[2544]: CTRL: Starting call (launching pppd, opening GRE)
Aug 31 11:51:40 test pptpd[2544]: CTRL: pty_fd = 4
Aug 31 11:51:40 test pptpd[2544]: CTRL: tty_fd = 5
Aug 31 11:51:40 test pptpd[2545]: CTRL (PPPD Launcher): Connection speed = 115200
Aug 31 11:51:40 test pptpd[2544]: CTRL: I wrote 32 bytes to the client.
Aug 31 11:51:40 test pptpd[2544]: CTRL: Sent packet to client
Aug 31 11:51:40 test pptpd[2544]: CTRL: Received PPTP Control Message (type: 15)
Aug 31 11:51:40 test pptpd[2544]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Aug 31 11:51:40 test pptpd[2545]: CTRL (PPPD Launcher): local address = 10.1.72.15
Aug 31 11:51:40 test pptpd[2545]: CTRL (PPPD Launcher): remote address = 10.1.72.41
Aug 31 11:51:40 test pptpd[2544]: GRE: Discarding duplicate packet
Aug 31 11:51:42 test pptpd[2544]: GRE: read(fd=4,buffer=804dac0,len=8196) from PTY failed: status = -1 error = Input/output error
Aug 31 11:51:42 test pptpd[2544]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Aug 31 11:51:42 test pptpd[2544]: CTRL: Client 192.168.0.2 control connection finished
Aug 31 11:51:42 test pptpd[2544]: CTRL: Exiting now

thanks in advance,
Josef Krigovszky

From john.hovell at home.com Mon Sep 4 00:58:21 2000
From: john.hovell at home.com (John Hovell)
Date: Sun, 03 Sep 2000 22:58:21 -0700
Subject: [pptp-server] IPSec *over* PPtP
Message-ID: <39B339FC.131A1FFE@home.com>

Hello all --

I have some Win98 boxes that want to do IPSec over their PPTP
connection... just transport mode from one computer to another. The
IPSec SA is currently successful (both phase 1 and 2).. everything
seems to be set up fine, until I actually try to send data.
If I try to ping the remote VPN client from the IPSec machine on the
local lan I get (from tcpdump):

01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76
01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol 50 unreachable

If I do the same thing from the remote host I get:

01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request

(note the lack of encryption despite the *established* SA...)

Do I need to somehow enable protocol 50 (and 51)?? IPchains forward is
set up to accept all traffic between these hosts. There is no
masquerading between the two machines.

Does anyone know what I am missing? FYI, I am using PGPnet 6.5.8
Personal Privacy (freeware) on both Windows IPSec machines.

TiA for any advice or help...

Cheers,
John

From john.hovell at home.com Mon Sep 4 10:24:40 2000
From: john.hovell at home.com (John Hovell)
Date: Mon, 04 Sep 2000 08:24:40 -0700
Subject: [pptp-server] IPSec *over* PPtP
References: <6B8A85826C35D31193BD0090278589C80FE5F0@CIC-EXCHANGE>
Message-ID: <39B3BEB8.44751E75@home.com>

Justin --

This is because PGPnet sucks so much, that for no discernable reason
when I try to bind PGPnet to my Ethernet card on one of the machines, I
can't get any network connectivity. I have reinstalled the ether card 3
times... and even installed the driver files manually by hand. The card
is a 3com PCMCIA 3c574 Cardbus card. It works beautifully without
PGPnet...

The reason I am doing the bass-ackwards configuration is because PGPnet
will at least bind to the VPN dial-up adapter... but that may be just
my problem.

Any other ideas? Thanks for your help...

Cheers,
John

Justin Kreger wrote:

> Why not setup two linux boxes to do the IPSec? and just have the
> windows boxes use pptp so they can browse the remote network if you
> dint setup your ipsec wan so it passes the Browser List.
> -LW
>
> -----Original Message-----
> From: John Hovell [mailto:john.hovell at home.com]
> Sent: Monday, September 04, 2000 1:58 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] IPSec *over* PPtP
>
> Hello all --
>
> I have some Win98 boxes that want to do IPSec over their PPTP
> connection... just transport mode from one computer to another. The
> IPSec SA is currently successful (both phase 1 and 2).. everything
> seems to be set up fine, until I actually try to send data. If I try
> to ping the remote VPN client from the IPSec machine on the local lan
> I get (from tcpdump):
>
> 01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76
> 01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol 50 unreachable
>
> If I do the same thing from the remote host I get:
>
> 01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request
>
> (note the lack of encryption despite the *established* SA...)
>
> Do I need to somehow enable protocol 50 (and 51)?? IPchains forward
> is set up to accept all traffic between these hosts. There is no
> masquerading between the two machines.
>
> Does anyone know what I am missing? FYI, I am using PGPnet 6.5.8
> Personal Privacy (freeware) on both Windows IPSec machines.
>
> TiA for any advice or help...
>
> Cheers,
> John

From peter.rendle at exemus.com Mon Sep 4 11:55:55 2000
From: peter.rendle at exemus.com (Peter Rendle)
Date: Mon, 04 Sep 2000 17:55:55 +0100
Subject: [pptp-server] Win95 Client not connecting to NT4 VPN Server behind RH6.2 Firewall
Message-ID: <39B3D41B.5D3E749@exemus.com>

I have a very perplexing problem getting a Windows 95 client connected
to the Internet to connect via PPTP to a NT4 server behind a MASQ
firewall.
The firewall is running RH6.2 with kernel 2.2.16-12 which has the
ip_masq_pptp patch applied. (and module is loaded) I am using ipmasqadm
to forward port 1723 to the NT server. I also have ipfwd running for
protocol 47.

The client machine appears to connect and I get a :
ip_masq_gre(): creating GRE masq for 10.0.0.2 -> xxx.xxx.xxx.xxx CID=0 MCID=5890
from syslog.
It then sticks on "Verifying username and password..." and eventually
comes back with a "Error 650: The computer you're dialing in to does
not respond to a network request."

The big mystery is that a Windows 2000 client can connect with no
problems at all using the same ISP and username/password.

Please Help!

From jvonau at home.com Mon Sep 4 12:13:19 2000
From: jvonau at home.com (Jerry Vonau)
Date: Mon, 04 Sep 2000 12:13:19 -0500
Subject: [pptp-server] Win95 Client not connecting to NT4 VPN Server behind RH6.2 Firewall
References: <39B3D41B.5D3E749@exemus.com>
Message-ID: <39B3D82F.B47C3F84@home.com>

I think your win95 client needs the 128bit encryption patch from ms.
Email me if you can't find it.

Jerry

Peter Rendle wrote:

> I have a very perplexing problem getting a Windows 95 client connected
> to the Internet to connect via PPTP to a NT4 server behind a MASQ
> firewall. The firewall is running RH6.2 with kernel 2.2.16-12 which has
> the ip_masq_pptp patch applied. (and module is loaded) I am using
> ipmasqadm to forward port 1723 to the NT server. I also have ipfwd
> running for protocol 47.
>
> The client machine appears to connect and I get a :
> ip_masq_gre(): creating GRE masq for 10.0.0.2 -> xxx.xxx.xxx.xxx CID=0 MCID=5890
> from syslog.
> It then sticks on "Verifying username and password..." and eventually
> comes back with a "Error 650: The computer you're dialing in to does not
> respond to a network request."
>
> The big mystery is that a Windows 2000 client can connect with no
> problems at all using the same ISP and username/password.
>
> Please Help!

From peter.rendle at exemus.com Mon Sep 4 12:40:28 2000
From: peter.rendle at exemus.com (Peter Rendle)
Date: Mon, 04 Sep 2000 18:40:28 +0100
Subject: [pptp-server] Win95 Client not connecting to NT4 VPN Server behind RH6.2 Firewall
References: <39B3D41B.5D3E749@exemus.com> <39B3D82F.B47C3F84@home.com>
Message-ID: <39B3DE8C.EB13A11F@exemus.com>

I am in the UK and only have 40bit encryption as standard. ( As far as
I know anyway )

I have just applied this patch and it makes no difference. ( It was
worth a try - thanks )

Jerry Vonau wrote:
>
> I think your win95 client needs the 128bit encryption patch from ms.
> Email me if you can't find it.
>
> Jerry
>
> Peter Rendle wrote:
>
> > I have a very perplexing problem getting a Windows 95 client connected
> > to the Internet to connect via PPTP to a NT4 server behind a MASQ
> > firewall. The firewall is running RH6.2 with kernel 2.2.16-12 which has
> > the ip_masq_pptp patch applied. (and module is loaded) I am using
> > ipmasqadm to forward port 1723 to the NT server. I also have ipfwd
> > running for protocol 47.
> >
> > The client machine appears to connect and I get a :
> > ip_masq_gre(): creating GRE masq for 10.0.0.2 -> xxx.xxx.xxx.xxx CID=0 MCID=5890
> > from syslog.
> > It then sticks on "Verifying username and password..." and eventually
> > comes back with a "Error 650: The computer you're dialing in to does not
> > respond to a network request."
> >
> > The big mystery is that a Windows 2000 client can connect with no
> > problems at all using the same ISP and username/password.
> >
> > Please Help!

From jvonau at home.com Mon Sep 4 15:00:08 2000
From: jvonau at home.com (Jerry Vonau)
Date: Mon, 04 Sep 2000 15:00:08 -0500
Subject: [pptp-server] Win95 Client not connecting to NT4 VPN Server behind RH6.2 Firewall
References: <39B3D41B.5D3E749@exemus.com> <39B3D82F.B47C3F84@home.com> <39B3DE8C.EB13A11F@exemus.com>
Message-ID: <39B3FF47.250B178F@home.com>

What options are you using with the client? There are a few vpn updates
around also. The 128bit upgrade may not allow 40bit to connect, locks
out 40bit mode to force 128bit. Perhaps the DUN1.3 upgrade needs to be
uninstalled, reinstalled. What level of encryption does the win2k
report?

Jerry

Jerry

Peter Rendle wrote:

> I am in the UK and only have 40bit encryption as standard. ( As far as I
> know anyway )
>
> I have just applied this patch and it makes no difference. ( It was
> worth a try - thanks )
>
> Jerry Vonau wrote:
> >
> > I think your win95 client needs the 128bit encryption patch from ms.
> > Email me if you can't find it.
> >
> > Jerry
> >
> > Peter Rendle wrote:
> >
> > > I have a very perplexing problem getting a Windows 95 client connected
> > > to the Internet to connect via PPTP to a NT4 server behind a MASQ
> > > firewall. The firewall is running RH6.2 with kernel 2.2.16-12 which has
> > > the ip_masq_pptp patch applied. (and module is loaded) I am using
> > > ipmasqadm to forward port 1723 to the NT server. I also have ipfwd
> > > running for protocol 47.
> > >
> > > The client machine appears to connect and I get a :
> > > ip_masq_gre(): creating GRE masq for 10.0.0.2 -> xxx.xxx.xxx.xxx CID=0 MCID=5890
> > > from syslog.
> > > It then sticks on "Verifying username and password..."
and eventually > > > comes back with a "Error 650: The computer you're dialing in to does not > > > respond to a network request." > > > > > > The big mystery is that a Windows 2000 client can connect with no > > > problems at all using the same ISP and username/password. > > > > > > Please Help! > > > _______________________________________________ > > > pptp-server maillist - pptp-server at lists.schulte.org > > > http://lists.schulte.org/mailman/listinfo/pptp-server > > > List services provided by www.schulteconsulting.com! > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From vlast at eetc.com Tue Sep 5 10:04:49 2000 From: vlast at eetc.com (Vlad Strezhnev) Date: Tue, 05 Sep 2000 10:04:49 -0500 Subject: [pptp-server] PoPToP & Tunnel Builder for Mac Message-ID: <39B50B91.7494CC4C@eetc.com> Does PoPToP work with TunnelBuilder VPN client software for Macintosh ? From vlast at eetc.com Tue Sep 5 11:47:47 2000 From: vlast at eetc.com (Vlad Strezhnev) Date: Tue, 05 Sep 2000 11:47:47 -0500 Subject: [pptp-server] PoPToP & Tunnel Builder for Mac References: <39B50B91.7494CC4C@eetc.com> <39B514DF.27F2F320@netman.dk> Message-ID: <39B523B3.74CC02A1@eetc.com> Sorry for asking. I thought that this mailing list was for grown-ups I'm unsubscribing now. Alaa Al-Amood wrote: > Is a Macintosh children toy > > Vlad Strezhnev wrote: > > > Does PoPToP work with TunnelBuilder VPN client software for Macintosh ? > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! 
From david_luyer at pacific.net.au Tue Sep 5 12:40:46 2000 From: david_luyer at pacific.net.au (David Luyer) Date: Wed, 06 Sep 2000 04:40:46 +1100 Subject: [pptp-server] PoPToP & Tunnel Builder for Mac In-Reply-To: Message from Vlad Strezhnev of "Tue, 05 Sep 2000 10:04:49 CDT." <39B50B91.7494CC4C@eetc.com> References: <39B50B91.7494CC4C@eetc.com> Message-ID: <200009051740.e85Hek600471@typhaon.pacific.net.au> > Does PoPToP work with TunnelBuilder VPN client software for Macintosh ? In theory it should, but I have had someone recently report that it didn't, the problem appeared to be at the PPP layer, the Mac wanted to talk some protocols that the Linux system didn't know about. I seem to remember (quite some time ago though) that TunnelBuilder or some other product from the same vendor exposed some faults in the NT PPP stack which didn't do Apple protocols properly. However I expect you only want IP, since I don't have a copy of TunnelBuilder I can't really diagnose here unfortunately (and the PowerMac 5500/250 on my desk doesn't want to know about its ethernet card, have to get a Mac serial cable and boot into the OpenFirmware ROMs and remember how to talk to them.... been some time... so even if I had a copy of TunnelBuilder I'd have some hurdles before being able to diagnose properly). David. -- ---------------------------------------------- David Luyer Senior Network Engineer Pacific Internet (Aust) Pty Ltd Phone: +61 3 9674 7525 Fax: +61 3 9699 8693 Mobile: +61 4 1064 2258, +61 4 1114 2258 http://www.pacific.net.au NASDAQ: PCNTF << fast 'n easy >> ---------------------------------------------- From superhero21 at hotmail.com Tue Sep 5 13:21:59 2000 From: superhero21 at hotmail.com (Piti Cherntanomwong) Date: Tue, 05 Sep 2000 18:21:59 GMT Subject: [pptp-server] What does PoPToP stand for ? Message-ID: Dear all, I have some questions about PoPToP? 1. What does PoPToP stand for? 2. How many time does the server authenticate the client? 
Anyone knows, please answer my question.

Thank you very much

From jdewitt at broadcastzone.com Tue Sep 5 15:19:02 2000
From: jdewitt at broadcastzone.com (Josiah DeWitt)
Date: Tue, 5 Sep 2000 13:19:02 -0700
Subject: [pptp-server] MS-CHAP/MSPPE support
Message-ID:

Does anyone know if pppd v2.3.11 (RH 6.2) has MS-CHAP/MSPPE support or if it still requires a recompile. It looks like I may have to recompile the kernel (2.2.14) as well - is this true?

Thanks for any help.

-j

From thomask at aesbus.com Tue Sep 5 16:47:39 2000
From: thomask at aesbus.com (Thomas Klettke)
Date: Tue, 5 Sep 2000 16:47:39 -0500
Subject: [pptp-server] MPPE encryption - compiled just fine - but still problems
Message-ID: <000001c01782$ea4dd2d0$5602a8c0@thomaska.shadow.aesbus.com>

My setup:
PPTP server on Linux, kernel 2.2.16, ppp-2.3.11, mppe_patch-open-ssl-095-mppe, poptop
Client: Win NT 4.0 for this example (also Win98se with similar results)

Apparently the modules compiled fine, mschap encryption works, so far so good. The problem seems to be with data encryption and data compression.

Problem #1: When I check the "Require data encryption" field on the NT client, the connection is refused, without it works fine.

Problem #2: The NT client shows always a compression ratio of 0% (and that matches the reported in/out data.)

Any ideas?
Sample log with "Require data encryption" turned OFF on NT4 client

Sep 5 15:12:12 vpn pptpd[899]: CTRL: Client *** control connection started
Sep 5 15:12:12 vpn pptpd[899]: CTRL: Starting call (launching pppd, opening GRE)
Sep 5 15:12:12 vpn modprobe: modprobe: Can't locate module ppp0
Sep 5 15:12:12 vpn kernel: registered device ppp0
Sep 5 15:12:12 vpn pppd[900]: pppd 2.3.11 started by root, uid 0
Sep 5 15:12:12 vpn pppd[900]: Using interface ppp0
Sep 5 15:12:12 vpn pppd[900]: Connect: ppp0 <--> /dev/pts/1
Sep 5 15:12:12 vpn pptpd[899]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 5 15:12:12 vpn kernel: PPP BSD Compression module registered
Sep 5 15:12:12 vpn kernel: PPP MPPE compression module registered
Sep 5 15:12:12 vpn kernel: PPP Deflate Compression module registered
Sep 5 15:12:12 vpn pppd[900]: MSCHAP-v2 peer authentication succeeded for billy
Sep 5 15:12:12 vpn pppd[900]: found interface eth0 for proxy arp
Sep 5 15:12:12 vpn pppd[900]: local IP address 192.168.2.230
Sep 5 15:12:12 vpn pppd[900]: remote IP address 192.168.2.240
Sep 5 15:12:43 vpn pppd[900]: CCP: timeout sending Config-Requests
Sep 5 15:15:59 vpn pptpd[899]: CTRL: Error with select(), quitting
Sep 5 15:15:59 vpn pptpd[899]: CTRL: Client *** control connection finished
Sep 5 15:15:59 vpn pppd[900]: Modem hangup
Sep 5 15:15:59 vpn pppd[900]: Connection terminated.
Sep 5 15:15:59 vpn pppd[900]: Connect time 3.8 minutes.
Sep 5 15:15:59 vpn pppd[900]: Sent 7049 bytes, received 20078 bytes.
Sep 5 15:15:59 vpn pppd[900]: Exit.
Sep 5 15:30:00 vpn kernel: PPP MPPE compression module unregistered

===> So the module was really loaded!
And now the same, but with "Require data encryption" turned ON on NT4 client

Sep 5 16:03:42 vpn pptpd[1103]: CTRL: Client *** control connection started
Sep 5 16:03:42 vpn pptpd[1103]: CTRL: Starting call (launching pppd, opening GRE)
Sep 5 16:03:42 vpn pppd[1104]: pppd 2.3.11 started by root, uid 0
Sep 5 16:03:42 vpn pppd[1104]: Using interface ppp0
Sep 5 16:03:42 vpn pppd[1104]: Connect: ppp0 <--> /dev/pts/1
Sep 5 16:03:42 vpn pptpd[1103]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 5 16:03:42 vpn kernel: PPP BSD Compression module registered
Sep 5 16:03:42 vpn kernel: PPP MPPE compression module registered
Sep 5 16:03:42 vpn kernel: PPP Deflate Compression module registered
Sep 5 16:03:42 vpn pppd[1104]: MSCHAP-v2 peer authentication succeeded for billy
Sep 5 16:03:42 vpn pppd[1104]: found interface eth0 for proxy arp
Sep 5 16:03:42 vpn pppd[1104]: local IP address 192.168.2.230
Sep 5 16:03:42 vpn pppd[1104]: remote IP address 192.168.2.241
Sep 5 16:03:42 vpn pptpd[1103]: CTRL: Error with select(), quitting
Sep 5 16:03:42 vpn pptpd[1103]: CTRL: Client *** control connection finished
Sep 5 16:03:42 vpn pppd[1104]: Modem hangup
Sep 5 16:03:42 vpn pppd[1104]: Connection terminated.
Sep 5 16:03:42 vpn pppd[1104]: Connect time 0.0 minutes.
Sep 5 16:03:42 vpn pppd[1104]: Sent 669 bytes, received 611 bytes.
Sep 5 16:03:42 vpn pppd[1104]: Exit.

Thomas Klettke
Network Administrator
Aesbus Knowledge Solutions

From dan at fullmotions.com Tue Sep 5 17:01:04 2000
From: dan at fullmotions.com (Danny L. Brow, Jr.)
Date: Tue, 5 Sep 2000 18:01:04 -0400
Subject: [pptp-server] Setup linux client...
Message-ID: <000201c01784$d537f4f0$0200a8c0@sys1>

Hello All,

I need a little help.
I am trying to connect to a linux PPTP server from a Linux client but when I try connecting to the Linux server I get this message:

warn[open_unixsock:pptp_callmgr.c:308]: Call Manager for X.X.X.X is already running.
fatal[callmgr_main:pptp_callmgr.c:124]: Could not open unix socket for X.X.X.X
fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256

I had a few errors running make too, but there is not much documentation for the Linux client. Can anyone help me... Or is there another client.. I am using the Linux PPTP Client by C.S. Ananian.

Dan.

From amacc at iron-bridge.net Tue Sep 5 17:05:19 2000
From: amacc at iron-bridge.net (Andrew McRory)
Date: Tue, 5 Sep 2000 18:05:19 -0400 (EDT)
Subject: [pptp-server] PoPToP & Tunnel Builder for Mac
In-Reply-To: <39B523B3.74CC02A1@eetc.com>
Message-ID:

On Tue, 5 Sep 2000, Vlad Strezhnev wrote:

>
> Sorry for asking.
> I thought that this mailing list was for grown-ups
> I'm unsubscribing now.

Sorry I can't provide the answer to your question but you should never let one jerk^H^H^H^H child mess up your whole day.

>
> Alaa Al-Amood wrote:
>
> > Is a Macintosh children toy
> >
> > Vlad Strezhnev wrote:
> >
> > > Does PoPToP work with TunnelBuilder VPN client software for Macintosh ?

Andrew McRory - President/CTO  amacc at iron-bridge.net *****************
The PC Doctor, Inc.  www.pcdr.com  850-575-7213 **
Iron Bridge Communications, Inc.  www.iron-bridge.net  850-575-0779 **
Contributed Red Hat and Caldera RPMS  ftp.iron-bridge.net/pub/Caldera **
****************************************************************************

From jshackelford at orsys.com Tue Sep 5 19:37:48 2000
From: jshackelford at orsys.com (Jason Shackelford)
Date: Tue, 5 Sep 2000 17:37:48 -0700
Subject: [pptp-server] Fix for : Call manager is already running
Message-ID:

Hello All,

I need a little help.
I am trying to connect to a linux PPTP server from a Linux client but when I try connecting to the Linux server I get this message:

warn[open_unixsock:pptp_callmgr.c:308]: Call Manager for X.X.X.X is already running.
fatal[callmgr_main:pptp_callmgr.c:124]: Could not open unix socket for X.X.X.X
fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256

I had a few errors running make too, but there is not much documentation for the Linux client. Can anyone help me... Or is there another client.. I am using the Linux PPTP Client by C.S. Ananian.

Dan.

_______________________________________________

cd /var/run/pptp
Remove address entries

ps -ef | grep pptp
Make sure there are no processes hanging around!!!

jshackelford at orsys.com

From iharris at quadtel.com Tue Sep 5 23:10:35 2000
From: iharris at quadtel.com (Ian Harris)
Date: Wed, 6 Sep 2000 14:10:35 +1000
Subject: [pptp-server] Fix for : Call manager is already running
In-Reply-To:
Message-ID:

I get the same thing. I don't think it should occur. My temporary fix is to

rm /var/pptp/X.X.X.X

(x.X.X.X being your ip address)

Ian.

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jason
> Shackelford
> Sent: Wednesday, 6 September 2000 10:38 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Fix for : Call manager is already running
>
>
> Hello All,
>
> I need a little help. I am trying to connect to a linux PPTP
> server from a
> Linux client but when I try connecting to the Linux server I get this
> message:
>
> warn[open_unixsock:pptp_callmgr.c:308]: Call Manager for X.X.X.X
> is already
> running.
> fatal[callmgr_main:pptp_callmgr.c:124]: Could not open unix socket for
> X.X.X.X
> fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256
>
> I had a few errors running make too, but there is not much
> documentation for
> the Linux client. Can anyone help me... Or is there another client..
I am > using the Linux PPTP Client by C.S. Ananian. > > > > Dan. > > _______________________________________________ > > cd /var/run/pptp > Remove address entries > > > ps -ef | grep pptp > Make sure there are no processes hanging around!!! > > > jshackelford at orsys.com > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > From john.hovell at home.com Tue Sep 5 22:54:51 2000 From: john.hovell at home.com (John Hovell) Date: Tue, 05 Sep 2000 20:54:51 -0700 Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP References: <6B8A85826C35D31193BD0090278589C80FE5F0@CIC-EXCHANGE> <39B3BEB8.44751E75@home.com> Message-ID: <39B5C00B.277D21CB@home.com> Hello all -- I solved the problem... IPSec over PPP is possible. This is just wacky, but this is what to do: PGPnet only wants to bind to your "Dial Up Adapter" -- not #2 for VPN support as one might logically think. Bind it to "Dial Up" and it works like a charm. This might actually be useful to people who aren't allowed to transmit protocols 50 or 51... since they can tunnel it all over tcp/1723 and still get IPSec data encryption. Cheers, John John Hovell wrote: > Justin -- > > This is because PGPnet sucks so much, that for no discernable reason when I try > to bind PGPnet to my Ethernet card on one of the machines, I can't get any > network connectivity. I have reinstalled the ether card 3 times... and even > installed the driver files manually by hand. The card is a 3com PCMCIA 3c574 > Cardbus card. It works beatifully without PGPnet... The reason I am doing the > bass-ackwards configuration is because PGPnet will at least bind to the VPN > dial-up adapter... but that may be just my problem. > > Any other ideas? Thanks for your help... > > Cheers, > John > > Justin Kreger wrote: > > > Why not setup two linux boxes to do the IPSec? 
and just have the windows > > boxes use pptp so they can browse the remote network if you dint setup your > > ipsec wan so it passes the Browser List. > > -LW > > > > -----Original Message----- > > From: John Hovell [mailto:john.hovell at home.com] > > Sent: Monday, September 04, 2000 1:58 AM > > To: pptp-server at lists.schulte.org > > Subject: [pptp-server] IPSec *over* PPtP > > > > Hello all -- > > > > I have some Win98 boxes that want to do IPSec over their PPTP > > connection... just transport mode from one computer to another. The > > IPSec SA is currently successful (both phase 1 and 2).. everything seems > > to be set up fine, until I atually try to send data. If I try to ping > > the remote VPN client from the IPSec machine on the local lan I get > > (from tcpdump): > > > > 01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76 > > 01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol > > 50 unreachable > > > > If I do the same thing from the remote host I get: > > > > 01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request > > > > (note the lack of encryption despite the *established* SA...) > > > > Do I need to somehow enable protocol 50 (and 51)?? IPchains forward is > > set up to accept all traffic between these hosts. There is no > > masquerading between the two machines. > > > > Does anyone know what I am missing? FYI, I am using PGPnet 6.5.8 > > Personal Privacy (freeware) on both Windows IPSec machines. > > > > TiA for any advice or help... > > > > Cheers, > > John > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! 
From brian at freenetwork.ws Tue Sep 5 23:31:40 2000
From: brian at freenetwork.ws (Brian Free)
Date: Tue, 5 Sep 2000 22:31:40 -0600
Subject: [pptp-server] Dual-NIC Server Problem
Message-ID: <000101c017bb$5b034cc0$23455ad1@bfreehome>

Here is my configuration:

192.168.8.142   192.168.56.10   192.168.56.11 External NIC
                                192.168.4.1 Internal NIC      192.168.4.2
 ________          _______           ______                      ______
|        |        |       |         |      |                    |      |
| client |------->| fire  |-------->| pptp |------------------->| host |
|        |        | wall  |         | srvr |                    |      |
|________|        |_______|         |______|                    |______|
    H                                   H
    H                                   H
    H                                   H
    H===================================H
192.168.4.240    pptp connection   192.168.4.250

I am able to connect to the pptp server and can ping both ethernet interfaces on that server, but I can't ping the inside host. I have checked the arp table and it shows 192.168.4.240 as being eth1 which is the Internal NIC. I have proxyarp set in the options file and have tried every other option that looked pertinent. I have also verified that the firewall is not causing any problems. The pptp server is able to ping the host and the VPN client at 192.168.4.240. The pptp server is not setup to route between the 192.168.56 and the 192.168.4 networks, and it isn't obvious to me that it should have to be. I'm stumped. Any help would be greatly appreciated.

Thanks in advance,

Brian Free
brian at freenetwork.ws

From larrydog at coqui.net Wed Sep 6 06:59:22 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Wed, 06 Sep 2000 07:59:22 -0400
Subject: [pptp-server] Setup linux client...
References: <000201c01784$d537f4f0$0200a8c0@sys1>
Message-ID: <39B63199.41384F9F@coqui.net>

This problem is well covered in the archives. Look there...

"Danny L. Brow, Jr." wrote:

> Hello All,
>
> I need a little help. I am trying to connect to a linux PPTP server from a
> Linux client but when I try connecting to the Linux server I get this
> message:
>
> warn[open_unixsock:pptp_callmgr.c:308]: Call Manager for X.X.X.X is already
> running.
> fatal[callmgr_main:pptp_callmgr.c:124]: Could not open unix socket for > X.X.X.X > fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256 > > I had a few errors running make too, but there is not much documentation for > the Linux client. Can anyone help me... Or is there another client.. I am > using the Linux PPTP Client by C.S. Ananian. > > Dan. > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From shugarts at acsu.buffalo.edu Wed Sep 6 09:05:27 2000 From: shugarts at acsu.buffalo.edu (Travis Shugarts) Date: Wed, 06 Sep 2000 10:05:27 -0400 Subject: [pptp-server] pptp-server -- confirmation of subscription -- request 735451 Message-ID: <39B64F27.4F15E83A@acsu.buffalo.edu> From mpeel at istar.ca Wed Sep 6 10:20:33 2000 From: mpeel at istar.ca (Mike Peel) Date: Wed, 06 Sep 2000 08:20:33 -0700 Subject: [pptp-server] Dual-NIC Server Problem References: <000101c017bb$5b034cc0$23455ad1@bfreehome> Message-ID: <39B660C1.9D87772D@istar.ca> I think you need to establish a ROUTE on the host through the tunnel ?? I'm guessing a bit here. Mike Peel Brian Free wrote: > Here is my configuration: > > 192.168.8.142 192.168.56.10 192.168.56.11 External NIC > 192.168.4.1 Internal NIC 192.168.4.2 > ________ _______ ______ _____ > | | | | | | | | > | client |------->| fire |-------->| pptp |------------------->| host | > | | | wall | | srvr | | | > |________| |_______| |______| |______| > H H > H H > H H > H===================================H > 192.168.4.240 pptp connection 192.168.4.250 > > I am able to connect to the pptp server and can ping both ethernet > interfaces on that server, but I can't ping the inside host. I have checked > the arp table and it shows 192.168.4.240 as being eth1 which is the Internal > NIC. 
I have proxyarp set in the options file and have tried every other > option that looked pertinent. I have also verified that the firewall is not > causing any problems. The pptp server is able to ping the host and the VPN > client at 192.168.4.240. The pptp server is not setup to route between the > 192.168.56 and the 192.168.4 networks, and it isn't obvious to me that it > should have to be. I'm stumped. Any help would be greatly appreciated. > > Thanks in advance, > > Brian Free > brian at freenetwork.ws > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From ed at schernau.com Wed Sep 6 10:50:07 2000 From: ed at schernau.com (Edward Schernau) Date: Wed, 06 Sep 2000 11:50:07 -0400 Subject: [pptp-server] FAQ? Accessing NT4 server from Linux client behind Linux ipmasq Message-ID: <39B667AF.729FE435@schernau.com> What do I need to enable, if anything, on the ipmasq box, to connect out over the Internet from my internal network to a remote NT4 machine? From P.J.Reid at earthling.net Wed Sep 6 10:57:59 2000 From: P.J.Reid at earthling.net (Patrick Reid) Date: Wed, 6 Sep 2000 12:57:59 -0300 Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP In-Reply-To: <39B5C00B.277D21CB@home.com> Message-ID: This could also be very useful for people who have machines which are behind an NAT wall which they don't control (like my own high-speed link). My linux box doesn't know what it's IP address is for people out on the internet, and so it can't authenticate over IPSec, since the protocol requires that both ends of the link agree on what the IP addresses are. This is not the case for PPTP. However, if I already have a PPTP link up and can then run IPSec over it, this means I could have IPSec encryption, which is generally felt to be superior to MSChap v2 (even with the patched is place). Thanks for this info!. 
Patrick Reid - mailto:PReid at candesco.com Candesco Research Corp. Communication Centre: -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Hovell Sent: September 6, 2000 12:55 AM To: Justin Kreger; pptp-server at lists.schulte.org Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP Hello all -- I solved the problem... IPSec over PPP is possible. This is just wacky, but this is what to do: PGPnet only wants to bind to your "Dial Up Adapter" -- not #2 for VPN support as one might logically think. Bind it to "Dial Up" and it works like a charm. This might actually be useful to people who aren't allowed to transmit protocols 50 or 51... since they can tunnel it all over tcp/1723 and still get IPSec data encryption. Cheers, John John Hovell wrote: > Justin -- > > This is because PGPnet sucks so much, that for no discernable reason when I try > to bind PGPnet to my Ethernet card on one of the machines, I can't get any > network connectivity. I have reinstalled the ether card 3 times... and even > installed the driver files manually by hand. The card is a 3com PCMCIA 3c574 > Cardbus card. It works beatifully without PGPnet... The reason I am doing the > bass-ackwards configuration is because PGPnet will at least bind to the VPN > dial-up adapter... but that may be just my problem. > > Any other ideas? Thanks for your help... > > Cheers, > John > > Justin Kreger wrote: > > > Why not setup two linux boxes to do the IPSec? and just have the windows > > boxes use pptp so they can browse the remote network if you dint setup your > > ipsec wan so it passes the Browser List. 
> > -LW > > > > -----Original Message----- > > From: John Hovell [mailto:john.hovell at home.com] > > Sent: Monday, September 04, 2000 1:58 AM > > To: pptp-server at lists.schulte.org > > Subject: [pptp-server] IPSec *over* PPtP > > > > Hello all -- > > > > I have some Win98 boxes that want to do IPSec over their PPTP > > connection... just transport mode from one computer to another. The > > IPSec SA is currently successful (both phase 1 and 2).. everything seems > > to be set up fine, until I atually try to send data. If I try to ping > > the remote VPN client from the IPSec machine on the local lan I get > > (from tcpdump): > > > > 01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76 > > 01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol > > 50 unreachable > > > > If I do the same thing from the remote host I get: > > > > 01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request > > > > (note the lack of encryption despite the *established* SA...) > > > > Do I need to somehow enable protocol 50 (and 51)?? IPchains forward is > > set up to accept all traffic between these hosts. There is no > > masquerading between the two machines. > > > > Does anyone know what I am missing? FYI, I am using PGPnet 6.5.8 > > Personal Privacy (freeware) on both Windows IPSec machines. > > > > TiA for any advice or help... > > > > Cheers, > > John > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! 
From shave at wavenet.cc Wed Sep 6 11:26:35 2000
From: shave at wavenet.cc (Paul Shave)
Date: Wed, 6 Sep 2000 11:26:35 -0500
Subject: [pptp-server] PPP Magic??
Message-ID: <003801c0181f$3a46dfb0$036fa8c0@ewok>

Ok.. going nuts now. I found a posting from about month ago about this problem while trying to setup the MS encryption stuff and the suggestion was to go with a clean kernel package.. I have done both the RH setup faq, and dumped all the RedHat stuff and went with a clean kernel source package, and get the same error either way I do it....

No matter what I do when I try and compile my modules I get a pile of errors about PPP_MAGIC being undeclared..

Anybody got the magic solution for this

Thanks..

From bfree at sonici.com Wed Sep 6 11:23:14 2000
From: bfree at sonici.com (Brian Free)
Date: Wed, 6 Sep 2000 10:23:14 -0600
Subject: [pptp-server] Dual-NIC Server Problem
Message-ID: <8FEAC4F0CAC9D111A88B006008A993C101258280@slc1mail1.sonici.com>

I think you are correct, but the solution I found was to simply add ktune to the ppp options. Below is an excerpt from the man pages on pppd that I found. Once I added this option, it all started working. Thanks for your input.

ktune
       Enables pppd to alter kernel settings as appropriate. Under
       Linux, pppd will enable IP forwarding (i.e. set
       /proc/sys/net/ipv4/ip_forward to 1) if the proxyarp option is
       used, and will enable the dynamic IP address option (i.e. set
       /proc/sys/net/ipv4/ip_dynaddr to 1) in demand mode if the local
       address changes.
-----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Mike Peel Sent: Wednesday, September 06, 2000 9:21 AM To: brian at freenetwork.ws Cc: pptp-server at lists.schulte.org Subject: Re: [pptp-server] Dual-NIC Server Problem I think you need to establish a ROUTE on the host through the tunnel ?? I'm guessing a bit here. Mike Peel Brian Free wrote: > Here is my configuration: > > 192.168.8.142 192.168.56.10 192.168.56.11 External NIC > 192.168.4.1 Internal NIC 192.168.4.2 > ________ _______ ______ _____ > | | | | | | | | > | client |------->| fire |-------->| pptp |------------------->| host | > | | | wall | | srvr | | | > |________| |_______| |______| |______| > H H > H H > H H > H===================================H > 192.168.4.240 pptp connection 192.168.4.250 > > I am able to connect to the pptp server and can ping both ethernet > interfaces on that server, but I can't ping the inside host. I have checked > the arp table and it shows 192.168.4.240 as being eth1 which is the Internal > NIC. I have proxyarp set in the options file and have tried every other > option that looked pertinent. I have also verified that the firewall is not > causing any problems. The pptp server is able to ping the host and the VPN > client at 192.168.4.240. The pptp server is not setup to route between the > 192.168.56 and the 192.168.4 networks, and it isn't obvious to me that it > should have to be. I'm stumped. Any help would be greatly appreciated. > > Thanks in advance, > > Brian Free > brian at freenetwork.ws > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! 
From ctc911ctc at yahoo.com Wed Sep 6 16:32:15 2000
From: ctc911ctc at yahoo.com (Net- Head)
Date: Wed, 6 Sep 2000 14:32:15 -0700 (PDT)
Subject: [pptp-server] pptpd pptpcrtl cannot spawn pppd
Message-ID: <20000906213215.27620.qmail@web3703.mail.yahoo.com>

I have spent 3-4 hrs working on this and cannot figure out why pppd does not start when a gre request is taken by our machine. I have reviewed the setup and have gotten this operational on other machines.

Any ideas out there in pptp land?

CTC

********** SYSLOG OUTPUT FOLLOWS *****************

Sep 5 15:15:31 hostname pptpd[2400]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Sep 5 15:17:08 hostname pptpd[2432]: CTRL (PPPD Launcher): Failed to launch PPP daemon.
Sep 5 15:17:08 hostname pptpd[2432]: CTRL (PPPD Launcher): Failed to launch PPP daemon.
Sep 5 15:17:08 hostname pptpd[2432]: CTRL: PPPD launch failed!
Sep 5 15:17:08 hostname pptpd[2432]: CTRL: PPPD launch failed!
Sep 5 15:17:08 hostname pptpd[2430]: GRE: read(fd=5,buffer=804dee4,len=8196) from PTY failed: status = -1 error = I/O error
Sep 5 15:17:08 hostname pptpd[2430]: GRE: read(fd=5,buffer=804dee4,len=8196) from PTY failed: status = -1 error = I/O error
Sep 5 15:17:08 hostname pptpd[2430]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Sep 5 15:17:08 hostname pptpd[2430]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Sep 6 09:45:55 hostname su: 'su root' succeeded for conrad on /dev/pts/0
From NorthwestFrog at home.com Wed Sep 6 22:27:51 2000
From: NorthwestFrog at home.com (Jean-Francois Gagnon)
Date: Wed, 6 Sep 2000 20:27:51 -0700
Subject: FW: [pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch
Message-ID: <005201c0187b$9aa7b4e0$0201a8c0@olmpi1.wa.home.com>

Look at the bottom of the message. I got the error myself, and this fixed it.

Now, why is this not part of an official patch from PoPToP ?...

Regards

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Richard E Blauvelt
Sent: Thursday, August 10, 2000 11:15 PM
To: Daniell Freed; tfasko at cyberacc.com; Lillian Kulhanek
Cc: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch

I had to do a couple of additional things. My install used these components:

Red Hat 6.2, 2.2.16-3 kernel
ppp-2.3.11
pptpd-1.0.0
SSLeay-0.9.0b
ppp-2.3.10-openssl-norc4-mppe.patch

Here are the extra things I did to get the server to work when using a Windows 98se client with microsoft strong encryption:

When doing the [patch -p1 < ../ppp-2.3.10-openssl-norc4-mppe.patch] onto the ppp-2.3.11, everything patched OK except for the pppd/lcp.c file, which I had to do by hand. Basically, I replaced "Old Stuff" with "New Stuff", as shown below (I don't yet know how to create patch files, so go easy on me):

====== Begin "Old Stuff" ======================================================
        /*
         * We were asking for CHAP/MD5; they must want a different
         * algorithm. If they can't do MD5, we can ask for M$-CHAP
         * if we support it, otherwise we'll have to stop
         * asking for CHAP.
         */
        if (cichar != go->chap_mdtype) {
#ifdef CHAPMS
            if (cichar == CHAP_MICROSOFT)
                go->chap_mdtype = CHAP_MICROSOFT;
            else
#endif /* CHAPMS */
                try.neg_chap = 0;
        }
    } else {
====== End "Old Stuff" ======================================================

====== Begin "New Stuff" ======================================================
        /*
         * We were asking for CHAP/MD5; they must want a different
         * algorithm. If they can't do MD5, we can ask for M$-CHAP
         * if we support it, otherwise we'll have to stop
         * asking for CHAP.
         *
         * (failed ppp-2.3.10-openssl-norc4-mppe.patch manually
         * applied here by R Blauvelt 2000 08 10
         */
        if (go->chap_mdtype == CHAP_MICROSOFT_V2) {
            try.use_chapms_v2 = 0;
            if(try.use_chapms)
                try.chap_mdtype = CHAP_MICROSOFT;
            else if(try.use_digest)
                try.chap_mdtype = CHAP_DIGEST_MD5;
            else
                try.neg_chap = 0;
        } else if(go->chap_mdtype == CHAP_MICROSOFT) {
            try.use_chapms = 0;
            if(try.use_digest)
                try.chap_mdtype = CHAP_DIGEST_MD5;
            else
                try.neg_chap = 0;
        } else if(go->chap_mdtype == CHAP_DIGEST_MD5) {
            try.use_digest = 0;
            try.neg_chap = 0;
        } else
            try.neg_chap = 0;
        if ((cichar != CHAP_MICROSOFT_V2) &&
            (cichar != CHAP_MICROSOFT) &&
            (cichar != CHAP_DIGEST_MD5))
            try.neg_chap = 0;
    } else {
====== End "New Stuff" ======================================================

Immediately after this, there is an instruction to "Comment out or delete the reference to rc4_skey.c in [...]/ppp_mppe.c" This DID NOT work for me, and produced an "unresolved symbol RC4_set_key", error message when I later tried to [insmod ppp_mppe], which prevented the ppp_mppe module from loading, which then did not allow the microsoft encryption to work from windows 98se (failed with an error 742 when trying to connect through VPN). When I put the rc4_skey.c reference back into ppp_mppe.c and re-did the steps from there, then everything worked well.

As per Tom Eastep's suggestion from 01 August 2000, I also had to do
the following for the [make modules SUBDIRS=drivers/net] to not
complain that PPP_MAGIC and PPP_VERSION were undeclared:

>Edit /usr/src/linux/include/linux/if_ppp.h and add the following:
>
>#define PPP_MAGIC 0x5002
>#define PPP_VERSION "2.3.11"
>
>The second of course depends on your ppp version...

One final note: The "5.0 Windows Client Setup" indicates in step 12 to
check "require encrypted password". To ensure that encryption is used,
however, I believe that the client should also check "require data
encryption".

Thanks to all the previous posters, I was able to piece this together.
As a [former] lurker, I hope that this can help some of the other
lurkers who are subscribed to the list.

Thanks,
Richard Blauvelt
richard at blauvelt.com

At 01:29 PM 8/4/00, Daniell Freed wrote:
>I followed your HOW-TO, and I found an error that you may want to correct
>
>In the section of the document where you say to download SSLeay-0.6.6b you should say to download SSLea-0.9.0b since that is what your later instructions tell you to use (and 0.6.6b doesn't contain a couple of files you say we need to copy to the kernel directory).
>
>Also, you do not need to add the NULL parameter in ppp.c for kill_fasync. If you do, it won't compile (too many parameters), it works fine without this added.
>
>That was it. Thanks for the updated HOW-TO. I never had been able to get ppp-2-3.10 working with pptp and MSCHAP before this.
>
>If you get time, you should add a section on setting up and running the pptp linux client. I'm sure there are those that would greatly appreciate it.
>
>
>
>tfasko at cyberacc.com wrote:
>--
>Daniell Freed
>Computer Services
>Dewitt, Ross, & Stevens S.C.
>
>He who fights with monsters might take care
>lest he thereby become a monster.
>And if you gaze for long into an abyss,
>the abyss gazes also into you.
>
>Beyond Good and Evil
>Friedrich Wilhelm Nietzche
>

From larrydog at coqui.net Thu Sep 7 05:42:59 2000
From: larrydog at coqui.net (Larry Rivera)
Date: Thu, 07 Sep 2000 06:42:59 -0400
Subject: [pptp-server] ISDN and pptp
Message-ID: <39B77133.88CB9C27@coqui.net>

Hello all:

I just finished upgrading from an analog 56Kflex dedicated connection
for my pptp server to ISDN 64K. For those interested this is my setup:

For USA ISDN Use

1. Kernel 2.2.13
2. Using NETSpider ISDN passive modem which uses the hisax drivers that
   you can compile into the kernel. (http://www.ttcomms.com)
3. Using latest pptpd with patch to avoid dreaded
   CTRL: couldn't read packet header (exit)
   [1420]: CTRL: CTRL read failed,
   error messages that blitz log files until disk fills up.
4. Using latest isdn4linux utilities.
5. Make sure you know your SPID which goes with your ISDN line.

Result: Full 35-40% increase in speed of packets passing through my
pptp tunnels (two at the same time) and dramatic decrease in screen
"freeze-ups"

So far I have not had the need to use the second channel to shoot to
128K (this requires upgrade in ISP service so that second connection
can be added to bundle with MPPP)

LR

From jaymejohnston at realitycorp.com Thu Sep 7 13:22:16 2000
From: jaymejohnston at realitycorp.com (Jayme Johnston)
Date: Thu, 7 Sep 2000 13:22:16 -0500
Subject: [pptp-server] ppp device ip's and routes not established
Message-ID:

I seem to be having difficulty with pptpd or pppd not giving an ip
address to ppp0 or setting up the routing table on both the RH 6.2
Server and the Win98 Client. This is my setup.

RH6.2             Linux Router (LRP)                 Win98
192.168.0.10 <--  192.168.0.1 & 216.50.240.143  <--  216.50.240.183

The kernel patch for pptpd has been installed and debug information
from the Linux Router shows no error messages when a connection is
made. Windows 98 displays the 2 flashing lights in the system tray
after successfully connecting to the RH 6.2 server. Attached is a
debug.txt file I created with some relevant information from the
server.

One thing that isn't completely clear to me is what to set the local
and remote ip addresses to. I just used ip addresses in my internal
subnet (/24). What I don't quite understand is how both the server and
client know to route all ppp information through the eth interface. I
have never setup a ppp server before so I'm not clear on exactly how it
works (the ppp howto is VERY old and wasn't much help).

Another thing I noticed is the ip-up and ip-down files in the /etc/ppp
directory never get run when pppd starts or stops.

If anyone could spare a minute I would really appreciate it.

--Jayme

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: debug.txt
URL:

From jkuhn at siumed.edu Thu Sep 7 13:34:26 2000
From: jkuhn at siumed.edu (Jan Kuhn)
Date: Thu, 07 Sep 2000 13:34:26 -0500
Subject: [pptp-server] Unresolved symbols ppp_mppe.o
Message-ID: <39B7DFB2.41FD427A@siumed.edu>

I am a newbie to Linux. I have been following the
PoPTop-RedHat-Howto from moretonbay. I am having
a problem with the unresolved symbol below. It
seems that I would need to re-compile or have
additional libraries. Any help would be
appreciated. thanks, jan

Red Hat 6.2
ppp-2.3.11
kernel 2.2.12

root at dhcp140 linux]# /sbin/depmod -ae
depmod: *** Unresolved symbols in /lib/modules/2.2.12/net/ppp_mppe.o
depmod: RC4_set_key

From vlast at eetc.com Thu Sep 7 15:53:47 2000
From: vlast at eetc.com (Vlad Strezhnev)
Date: Thu, 07 Sep 2000 15:53:47 -0500
Subject: [pptp-server] PoPToP & Tunnel Builder for Mac
Message-ID: <39B8005B.A6DD0F9A@eetc.com>

It looks like PoPToP does work with Mac's Tunnel Builder.

We've just installed PoPToP on "Ruffian" Alpha Deskstation with
Red Hat 6.2:

kernel 2.2.16-3
ppp-2.3.11.tar.gz (extracted from .src.rpm)
ppptd-1.0.0-1.alpha.rpm (rebuild from .src.rpm)

Since some important corrections to HOWTO/FAQs were recently
re-published on the mailing list we had [almost] no problems applying
patches and making kernel modules. The server works with both W2K VPN
client and Tunnel Builder for Windows and Macs. Encryption supported OK.

(So, the cost of Mac VPN client went down from $400 (as indicated on
the PoPToP home page) to $99 :-).

Thanks a lot to everyone for valuable advice and prompt attention to
this matter.

Vlad Strezhnev
IndiVisual Learning, Inc.
St.Paul, MN

From ajlill at ajlc.waterloo.on.ca Thu Sep 7 23:04:55 2000
From: ajlill at ajlc.waterloo.on.ca (Tony Lill)
Date: Fri, 08 Sep 2000 00:04:55 EDT
Subject: [pptp-server] ppp-2.3.10-openssl-norc-mppe.patch
In-Reply-To: Your message of "Wed, 06 Sep 2000 20:27:51 PDT." <005201c0187b$9aa7b4e0$0201a8c0@olmpi1.wa.home.com>
Message-ID: <200009080404.AAA21455@spider.ajlc.waterloo.on.ca>

When you use the 2.3.10 patch and turn on CBCP_SUPPORT in the makefile,
pppd drops every other packet coming in on the link. If you do a
tcpdump on both ends of the link, and ping from the end using 2.3.10
with CBCP_SUPPORT compiled in, the remote end shows all ping requests
and replies being transmitted, but on the local end, every other reply
is dropped. This does not require that callbacks be used, or even
configured to be available, merely that the option is compiled in.

This works fine with the 2.3.8 patch.
--
Tony Lill,                         Tony.Lill at AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"

From ajlill at ajlc.waterloo.on.ca Thu Sep 7 23:08:35 2000
From: ajlill at ajlc.waterloo.on.ca (Tony Lill)
Date: Fri, 08 Sep 2000 00:08:35 EDT
Subject: [pptp-server] Re: ppp-2.3.10-openssl-norc-mppe.patch
In-Reply-To: Your message of "Wed, 06 Sep 2000 20:27:51 PDT." <005201c0187b$9aa7b4e0$0201a8c0@olmpi1.wa.home.com>
Message-ID: <200009080408.AAA22646@spider.ajlc.waterloo.on.ca>

I should also mention that the LCPDEBUG statement on line 1538 is wrong
and causes a SEGV. And that the pppd on the remote end is the ppp-2.3.8
patched version with CBCP_SUPPORT compiled in.

--
Tony Lill,                         Tony.Lill at AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"

From richard at blauvelt.com Thu Sep 7 23:34:16 2000
From: richard at blauvelt.com (Richard E Blauvelt)
Date: Thu, 07 Sep 2000 21:34:16 -0700
Subject: [pptp-server] Unresolved symbols ppp_mppe.o
In-Reply-To: <39B7DFB2.41FD427A@siumed.edu>
Message-ID: <4.3.2.7.2.20000907211038.067339e0@blauvelt.com>

I had a similar problem, and finally got things to work by following
some advice in this list about a month ago.

Take a look at the August 2000 archives at:

http://lists.schulte.org/pipermail/pptp-server/2000-August/thread.html

and look for several messages with this subject:

[pptp-server] compiling ppp-2.3.10-openssl-norc-mppe.patch

A few of those messages have some suggested changes to the HOWTO
instructions.

As per those messages, if your problem is similar, then you will have
to ignore the instruction in the HOWTO which tells you to "... delete
the reference to rc4_skey.c in
/usr/src/redhat/SOURCES/ppp-2.3.10/linux/ppp_mppe.c "

For me, this reference was needed, contrary to the HOWTO.

Good luck,
Richard

At 11:34 AM 9/7/00, you wrote:
>I am a newbie to Linux. I have been following the
>PoPTop-RedHat-Howto from moretonbay. I am having
>a problem with the unresolved symbol below. It
>seems that I would need to re-compile or have
>additional libraries. Any help would be
>appreciated. thanks, jan
>
>Red Hat 6.2
>ppp-2.3.11
>kernel 2.2.12
>
>root at dhcp140 linux]# /sbin/depmod -ae
>depmod: *** Unresolved symbols in
>/lib/modules/2.2.12/net/ppp_mppe.o
>depmod: RC4_set_key

From pascal.fremaux at sxb.bsf.alcatel.fr Fri Sep 8 06:23:12 2000
From: pascal.fremaux at sxb.bsf.alcatel.fr (Pascal Fremaux)
Date: Fri, 08 Sep 2000 13:23:12 +0200
Subject: [pptp-server] more than one computer behind a client ?
Message-ID: <39B8CC1F.16411606@sxb.bsf.alcatel.fr>

Does it work if I have two computers (or more) behind a router that
have a PPTP client ?

I think it doesn't work, but can you give me some elements to say it
clearly. What does it make not work ?

--
Pascal Fremaux

From jshackelford at orsys.com Fri Sep 8 14:30:16 2000
From: jshackelford at orsys.com (Jason Shackelford)
Date: Fri, 8 Sep 2000 12:30:16 -0700
Subject: [pptp-server] multiple hosts behind a pptp client
Message-ID:

Does it work if I have two computers (or more) behind a router that
have a PPTP client ?

I think it doesn't work, but can you give me some elements to say it
clearly. What does it make not work ?

--
Pascal Fremaux
--------------------------

Yes, this does work as long as the pptp client is configured to pass
traffic in that fashion.

I am using a PC running a masquerading firewall. This PC is already
used to connect a bunch of PCs to the internet. I installed the pptp
client on it.

At a remote site I have a Moretonbay Netel. It is a small linux pc that
only has flash memory. It is compiled with VPN server (PPTPD). So for
our purposes we will just pretend it is a normal linux firewall.

Basically I start a pptp connection from the PC firewall across the
Internet to the Moretonbay Netel.

I will now direct you to a previous e-mail I sent to another fellow.

OK, here is how to do this. Each linux PC will have a ppp interface
when the link is active. The output of ifconfig will show an "inet
address" and a "PtP address". The method that I used was network routes
rather than host routes. So, once the link is up, you should get on
either PC and type: route add -net netmask gw . This will add a network
route to the remote LAN. Then you need to get on the other pc and do
the same procedure. As long as masquerading is working properly, this
should work. Anything on the LAN behind the netel can ping anything on
the LAN behind the PC firewall. (As long as they are using the
firewalls as their default gateways.)

jshackelford at orsys.com

From jshackelford at orsys.com Fri Sep 8 16:19:59 2000
From: jshackelford at orsys.com (Jason Shackelford)
Date: Fri, 8 Sep 2000 14:19:59 -0700
Subject: [pptp-server] Keeping PPTP link alive
Message-ID:

I have a PC firewall running RedHat 6.2 that connects to a Moretonbay
Netel running a linux kernel compiled with PPTPD support. I can get the
connection up, but each morning it has to be reset. Any nifty solutions
for keeping a pptp link alive?

jshackelford at orsys.com

From matthewr at moreton.com.au Thu Sep 7 17:21:35 2000
From: matthewr at moreton.com.au (Matt Ramsay)
Date: Thu, 07 Sep 2000 16:21:35 -0600
Subject: [pptp-server] new code and website
References: <90769AF04F76D41186C700A0C90AFC3EE4F3@defiant.infohiiway.com>
Message-ID: <39B814EF.CB88F9B6@moreton.com.au>

G'day,

I am in the process of moving and updating poptop. New code has been
submitted and there will be a new release (1.0.1).
(1.1.1 will remain the unstable release for now). I also have
SAMBA/PoPToP integration that will be available. I am also collecting
patches and other material over the last few months and basically
overhauling the website and making the latest files and patches
available all in one place. I am hoping to get the latest HOWTO from
Mike again. (Mike?)

The site will be poptop.lineo.com.. it is live now, but only reflects
the old page at this time. I should be finished with all the new pages
between 18-22 September. I am also merging in the PPTP client files and
patches and HOWTOs.

I apologise for slipping behind in the site maintenance but will make
up for it soon.

Cheers,
Matt

From tfindlay at prodevelop.com.au Fri Sep 8 18:40:26 2000
From: tfindlay at prodevelop.com.au (Timothy Findlay)
Date: Sat, 09 Sep 2000 09:40:26 +1000
Subject: [pptp-server] Linx PPTP -> Cisco VPN Adaptor
Message-ID: <39B978EA.F843DAA5@prodevelop.com.au>

Hi,

I setup PPTP on a Linux Internet gateway at work a few weeks ago, and
all has been great, people are been authenticating against the PDC and
all which is great, but now were opening a new little office overseas,
and I just found out they've brought a 17xx Cisco router, which they
want to use to connect to the VPN, as it's overseas there some other
cluey dude on the other end to setup the cisco, but what do I need to do
to my Linux box, can it do it ?!?!?

Where it gets even more tricky is they've brought a 24 port hub and my
bosses response was "Oh, we'll route them down a new 'scope' (as he
calls it)" been 128.1.4.x, our main office has a private network based
on 128.1.6.x, routing 1 IP isn't hard, but how do I route a whole
network ?!?!?

Thanks in advance.

Tim.

From sstone at taos.com Fri Sep 8 17:56:53 2000
From: sstone at taos.com (Scott M. Stone)
Date: Fri, 8 Sep 2000 15:56:53 -0700 (PDT)
Subject: [pptp-server] Linx PPTP -> Cisco VPN Adaptor
In-Reply-To: <39B978EA.F843DAA5@prodevelop.com.au>
Message-ID:

On Sat, 9 Sep 2000, Timothy Findlay wrote:

> Hi,
>
> I setup PPTP on a Linux Internet gateway at work a few weeks ago, and
> all has been great, people are been authenticating against the PDC and
> all which is great, but now were opening a new little office overseas,
> and I just found out they've brought a 17xx Cisco router, which they
> want to use to connect to the VPN, as it's overseas there some other
> cluey dude on the other end to setup the cisco, but what do I need to do
> to my Linux box, can it do it ?!?!?
>
> Where it gets even more tricky is they've brought a 24 port hub and my
> bosses response was "Oh, we'll route them down a new 'scope' (as he
> calls it)" been 128.1.4.x, our main office has a private network based
> on 128.1.6.x, routing 1 IP isn't hard, but how do I route a whole
> network ?!?!?

do Ciscos even speak PPTP? I don't think they do. get Freeswan for
your linux box, and you'll need the Enterprise Plus/3DES feature pack
for the Cisco to do the ipsec on the other end. http://www.cisco.com is
your friend

--------------------------
Scott M. Stone, CCNA
UNIX Systems and Network Engineer
Taos - The SysAdmin Company

From david at solutionsfirst.net Fri Sep 8 19:35:32 2000
From: david at solutionsfirst.net (Dave Kempe)
Date: Sat, 9 Sep 2000 10:35:32 +1000
Subject: [pptp-server] new code and website
In-Reply-To: <39B814EF.CB88F9B6@moreton.com.au>
Message-ID:

Keep up the great work Matt.
Thanks very much.

Dave

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Matt Ramsay
> Sent: Friday, 8 September 2000 8:22 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] new code and website
>
>
> G'day,
>
> I am in the process of moving and updating poptop. New code has been
> submitted and there will be a new release (1.0.1). (1.1.1 will remain
> the unstable release for now). I also have SAMBA/PoPToP integration that
> will be available. I am also collecting patches and other material over
> the last few months and basically overhauling the website and making the
> latest files and patches available all in one place. I am hoping to get
> the latest HOWTO from Mike again. (Mike?)
>
> The site will be poptop.lineo.com.. it is live now, but only reflects
> the old page at this time. I should be finished with all the new pages
> between 18-22 September. I am also merging in the PPTP client files and
> patches and HOWTOs.
>
> I apologise for slipping behind in the site maintenance but will make up
> for it soon.
>
> Cheers,
> Matt
>

From john.hovell at home.com Sat Sep 9 21:20:00 2000
From: john.hovell at home.com (John Hovell)
Date: Sat, 09 Sep 2000 19:20:00 -0700
Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP
References:
Message-ID: <39BAEFD0.A52E0390@home.com>

Patrick --

Patrick Reid wrote:

> This could also be very useful for people who have machines which are behind
> an NAT wall which they don't control (like my own high-speed link).

Yeah, I thought so! Or countries that don't allow proto 50 etc...

> However, if I already have a PPTP link up and can then run IPSec over it,
> this means I could have IPSec encryption, which is generally felt to be
> superior to MSChap v2 (even with the patched is place).

What do you mean, patch? You don't mean patching pppd for Linux, do
you? I mean without that in place, there is *zero* encryption. And
AFAIK, the "128 bit enc." is really insecure b/c of protocol design.
Please let me know if you are talking about something else...

Cheers,
John

>
> Thanks for this info!.
>
> Patrick Reid - mailto:PReid at candesco.com
> Candesco Research Corp.
> Communication Centre:
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Hovell
> Sent: September 6, 2000 12:55 AM
> To: Justin Kreger; pptp-server at lists.schulte.org
> Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP
>
> Hello all --
>
> I solved the problem... IPSec over PPP is possible. This is just wacky, but this
> is what to do:
>
> PGPnet only wants to bind to your "Dial Up Adapter" -- not #2 for VPN support as
> one might logically think. Bind it to "Dial Up" and it works like a charm.
>
> This might actually be useful to people who aren't allowed to transmit protocols 50
> or 51... since they can tunnel it all over tcp/1723 and still get IPSec data
> encryption.
>
> Cheers,
> John
>
> John Hovell wrote:
>
> > Justin --
> >
> > This is because PGPnet sucks so much, that for no discernable reason when I try
> > to bind PGPnet to my Ethernet card on one of the machines, I can't get any
> > network connectivity. I have reinstalled the ether card 3 times... and even
> > installed the driver files manually by hand. The card is a 3com PCMCIA 3c574
> > Cardbus card. It works beautifully without PGPnet... The reason I am doing the
> > bass-ackwards configuration is because PGPnet will at least bind to the VPN
> > dial-up adapter... but that may be just my problem.
> >
> > Any other ideas? Thanks for your help...
> >
> > Cheers,
> > John
> >
> > Justin Kreger wrote:
> >
> > > Why not setup two linux boxes to do the IPSec? and just have the windows
> > > boxes use pptp so they can browse the remote network if you dint setup your
> > > ipsec wan so it passes the Browser List.
> > > -LW
> > >
> > > -----Original Message-----
> > > From: John Hovell [mailto:john.hovell at home.com]
> > > Sent: Monday, September 04, 2000 1:58 AM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] IPSec *over* PPtP
> > >
> > > Hello all --
> > >
> > > I have some Win98 boxes that want to do IPSec over their PPTP
> > > connection... just transport mode from one computer to another. The
> > > IPSec SA is currently successful (both phase 1 and 2).. everything seems
> > > to be set up fine, until I actually try to send data. If I try to ping
> > > the remote VPN client from the IPSec machine on the local lan I get
> > > (from tcpdump):
> > >
> > > 01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76
> > > 01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol 50 unreachable
> > >
> > > If I do the same thing from the remote host I get:
> > >
> > > 01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request
> > >
> > > (note the lack of encryption despite the *established* SA...)
> > >
> > > Do I need to somehow enable protocol 50 (and 51)?? IPchains forward is
> > > set up to accept all traffic between these hosts. There is no
> > > masquerading between the two machines.
> > >
> > > Does anyone know what I am missing? FYI, I am using PGPnet 6.5.8
> > > Personal Privacy (freeware) on both Windows IPSec machines.
> > >
> > > TiA for any advice or help...
> > >
> > > Cheers,
> > > John
> > >

From john at arnie.jfive.com Sat Sep 9 22:36:25 2000
From: john at arnie.jfive.com (John Heyer)
Date: Sat, 9 Sep 2000 22:36:25 -0500 (CDT)
Subject: [pptp-server] "Ignored a SET LINK INFO packet" in FreeBSD 4.1
In-Reply-To: <39BAEFD0.A52E0390@home.com>
Message-ID:

I had pptpd running in FreeBSD 3.2, but ever since upgrading to 4.1
it's no longer working. The clients authenticate and I can see the
tunnel come up, but proxyarp never seems to kick in. The main error I'm
getting is

CTRL: Ignored a SET LINK INFO packet with real ACCMs!

I get a duplicate about 35 seconds later, then a GRE read error. Does
anybody know what this means? my /etc/ppp/ppp.conf appears below

--
Johh Heyer - john at arnie.jfive.com - http://www.jfive.com
"Me fail English? That's unpossible!"
        -- Ralph Wiggam

default:
 set log Phase Chat LCP IPCP CCP tun command
 set speed 115200

loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 set ifaddr 192.168.1.130 192.168.1.131-192.168.1.139 255.255.255.255
 set server /tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

pptp:
 load loop
 enable pap
 enable passwdauth
 enable proxy
 accept dns
 set dns 192.168.1.1
 set device !/etc/ppp/secure

From tfindlay at prodevelop.com.au Sun Sep 10 06:22:32 2000
From: tfindlay at prodevelop.com.au (Timothy Findlay)
Date: Sun, 10 Sep 2000 21:22:32 +1000
Subject: [pptp-server] Linx PPTP -> Cisco VPN Adaptor
References: <39B978EA.F843DAA5@prodevelop.com.au> <20000908165106.A11824@ecst.csuchico.edu>
Message-ID: <39BB6EF8.227B5958@prodevelop.com.au>

I believe it's a 1750 of sorts, I'm assuming we could setup a
VPN-decoding type thing on our router here in melbourne which is a
Cisco 2611, but I'm really pushing to keep a linux server or two in the
office!

I've heard IPSec is actually better than PPTOP, but it's a _REAL_ pain
in the arse to setup, is this sorta true ?!? should I attempt it ??

Tim.

"Charles C. Duffy" wrote:

> On Sat, Sep 09, 2000 at 09:40:26AM +1000, Timothy Findlay wrote:
> > I setup PPTP on a Linux Internet gateway at work a few weeks ago, and
> > all has been great, people are been authenticating against the PDC and
> > all which is great, but now were opening a new little office overseas,
> > and I just found out they've brought a 17xx Cisco router, which they
> > want to use to connect to the VPN, as it's overseas there some other
> > cluey dude on the other end to setup the cisco, but what do I need to do
> > to my Linux box, can it do it ?!?!?
>
> Depends on the Cisco.
>
> One option would be to use CIPE (available as part of the International
> Kernel Patch, kerneli.org), or better (if the Cisco supports it) IPsec.

From john.hovell at home.com Sun Sep 10 17:12:59 2000
From: john.hovell at home.com (John Hovell)
Date: Sun, 10 Sep 2000 15:12:59 -0700
Subject: [pptp-server] Linx PPTP -> Cisco VPN Adaptor
References: <39B978EA.F843DAA5@prodevelop.com.au> <20000908165106.A11824@ecst.csuchico.edu> <39BB6EF8.227B5958@prodevelop.com.au>
Message-ID: <39BC076B.37120361@home.com>

Timothy --

Timothy Findlay wrote:

> I've heard IPSec is actually better than PPTOP,

Um, well lets see. Yes. To be blunt. Just a bit. In fact, PPTP is
basically known as *insecure* even with 128-bit encryption enabled
(which if you want to talk about something that is a pain in the arse
to set up). Check out:

http://www.counterpane.com/pptp.html

> but it's a _REAL_ pain in the
> arse to setup, is this sorta true ?!? should I attempt it ??

Yes, you should definitely attempt it. PPTP is *not* secure, and is
provided on Linux, simply to provide compatibility with MS products.
(yes, or when data integrity/secrecy is not important... PPTP in
general is a great tunneling protocol.)

Check out FreeS/WAN:
http://www.freeswan.org.

Download it... untar it. Configure, do "make newgo" or whatever it is
called, and install the kernel and reboot. There are 2 conf files
(/etc/ipsec.conf and /etc/ipsec.secrets) which are very easy to set up.
There is even a patch for it to use X.509 certificates, to ensure
compatibility with PGPnet (Network Associates PGP package for
Win9x/NT). (Do not use this paragraph as your instruction manual; I'm
just typing this to show you its not hard to set up) (does require a
kernel-recompile, but so does PPTP w/ encryption).

Microsoft's PPTP is a "last resort" solution when nothing else is
possible. IPSec is the IPv6 standard, and using 3DES encryption and SHA
or MD5 provides currently "unbreakable" encryption and data
integrity...
not to mention is more robust and configurable; it is also truly
peer-to-peer, and is *not* a Point-to-Point protocol (although it can
be configured that way if you want or need PPP).

And yes, IPSec is what Cisco and just about any router I can think of
uses for VPN's.

Cheers,
John

> "Charles C. Duffy" wrote:
>
> > On Sat, Sep 09, 2000 at 09:40:26AM +1000, Timothy Findlay wrote:
> > > I setup PPTP on a Linux Internet gateway at work a few weeks ago, and
> > > all has been great, people are been authenticating against the PDC and
> > > all which is great, but now were opening a new little office overseas,
> > > and I just found out they've brought a 17xx Cisco router, which they
> > > want to use to connect to the VPN, as it's overseas there some other
> > > cluey dude on the other end to setup the cisco, but what do I need to do
> > > to my Linux box, can it do it ?!?!?
> >
> > Depends on the Cisco.
> >
> > One option would be to use CIPE (available as part of the International
> > Kernel Patch, kerneli.org), or better (if the Cisco supports it) IPsec.
>

From yan at cardinalengineering.com Sun Sep 10 18:10:52 2000
From: yan at cardinalengineering.com (Yan Seiner)
Date: Sun, 10 Sep 2000 19:10:52 -0400
Subject: OT Re: [pptp-server] Linx PPTP -> Cisco VPN Adaptor
References: <39B978EA.F843DAA5@prodevelop.com.au> <20000908165106.A11824@ecst.csuchico.edu> <39BB6EF8.227B5958@prodevelop.com.au> <39BC076B.37120361@home.com>
Message-ID: <39BC14FC.CEAD3265@cardinalengineering.com>

I struggled mightily about a year ago to get freeswan running. In the
end I gave up and went with vtund.

Are you saying that most of the config stuff has been sorted out?
When I was playing with it, it was really alpha code as far as
interoperability with other vendors and ability to work with non-fixed
IPs.

I agree with the comments on PPTP - except that it is actually a pretty
good protocol, just MS broke it REALLY REALLY badly and called it a new
standard. pptp WITHOUT the MS patches is pretty good AFAIK.

--Yan

John Hovell wrote:
>
> Timothy --
>
> Timothy Findlay wrote:
>
> > I've heard IPSec is actually better than PPTOP,
>
> Um, well lets see. Yes. To be blunt. Just a bit. In fact, PPTP is basically
> known as *insecure* even with 128-bit encryption enabled (which if you want to
> talk about something that is a pain in the arse to set up). Check out:
>
> http://www.counterpane.com/pptp.html
>
> > but it's a _REAL_ pain in the
> > arse to setup, is this sorta true ?!? should I attempt it ??
>
> Yes, you should definitely attempt it. PPTP is *not* secure, and is provided on
> Linux, simply to provide compatibility with MS products. (yes, or when data
> integrity/secrecy is not important... PPTP in general is a great tunneling
> protocol.)
>
> Check out FreeS/WAN:
> http://www.freeswan.org.
>
> Download it... untar it. Configure, do "make newgo" or whatever it is called,
> and install the kernel and reboot. There are 2 conf files (/etc/ipsec.conf and
> /etc/ipsec.secrets) which are very easy to set up. There is even a patch for it
> to use X.509 certificates, to ensure compatibility with PGPnet (Network
> Associates PGP package for Win9x/NT). (Do not use this paragraph as your
> instruction manual; I'm just typing this to show you its not hard to set up)
> (does require a kernel-recompile, but so does PPTP w/ encryption).
>
> Microsoft's PPTP is a "last resort" solution when nothing else is possible.
> IPSec is the IPv6 standard, and using 3DES encryption and SHA or MD5 provides
> currently "unbreakable" encryption and data integrity... not to mention is more
> robust and configurable; it is also truly peer-to-peer, and is *not* a
> Point-to-Point protocol (although it can be configured that way if you want or
> need PPP).
>
> And yes, IPSec is what Cisco and just about any router I can think of uses for
> VPN's.
>
> Cheers,
> John
>
> > "Charles C. Duffy" wrote:
> >
> > > On Sat, Sep 09, 2000 at 09:40:26AM +1000, Timothy Findlay wrote:
> > > > I setup PPTP on a Linux Internet gateway at work a few weeks ago, and
> > > > all has been great, people are been authenticating against the PDC and
> > > > all which is great, but now were opening a new little office overseas,
> > > > and I just found out they've brought a 17xx Cisco router, which they
> > > > want to use to connect to the VPN, as it's overseas there some other
> > > > cluey dude on the other end to setup the cisco, but what do I need to do
> > > > to my Linux box, can it do it ?!?!?
> > >
> > > Depends on the Cisco.
> > >
> > > One option would be to use CIPE (available as part of the International
> > > Kernel Patch, kerneli.org), or better (if the Cisco supports it) IPsec.
> >
>

From chavant at geosys.fr Mon Sep 11 03:52:55 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Mon, 11 Sep 2000 10:52:55 +0200
Subject: [pptp-server] connexion problem
Message-ID: <000001c01bcd$ad21e820$7c03a8c0@pcjpc>

hello,

I've reinstalled PPTP on my Linux box (2.2.15 kernel).
I have these errors:

Sep 11 10:38:43 localhost pptpd[984]: MGR: Manager process started
Sep 11 10:38:43 localhost pptpd[984]: MGR: Couldn't create host socket
Sep 11 10:40:06 localhost pptpd[987]: CTRL: Client 192.168.3.124 control connection started
Sep 11 10:40:06 localhost pptpd[987]: CTRL: Starting call (launching pppd, opening GRE)
Sep 11 10:40:06 localhost pptpd[987]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
Sep 11 10:40:06 localhost pptpd[987]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 11 10:40:06 localhost pptpd[987]: CTRL: Client 192.168.3.124 control connection finished

How can I resolve the MGR error ("Couldn't create host socket"). And the CTRL error (GRE). GRE is compiled as module in the kernel.

thanks. JPaul.

From veste at gmx.at Mon Sep 11 09:27:18 2000
From: veste at gmx.at (stefan vetter)
Date: Mon, 11 Sep 2000 16:27:18 +0200
Subject: [pptp-server] log analysing
Message-ID: <4.3.2.7.0.20000911162442.00aca6a0@proxy>

hello !!

i'm searching for a small script that does some log-analyzing. maybe anybody has done such a thing, so i don't have to start to write that ;-)

cheers, stefan

From P.J.Reid at earthling.net Mon Sep 11 10:49:05 2000
From: P.J.Reid at earthling.net (Patrick Reid)
Date: Mon, 11 Sep 2000 12:49:05 -0300
Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP
In-Reply-To: <39BAEFD0.A52E0390@home.com>
Message-ID:

The patches I was referring to are the patches which M$ issued to address some of the weaknesses identified in the counterpane analysis of MS-Chap. If you combine application of the most up-to-date DUN version in Windows with some pppd options in Linux (like allowing only 128-bit ms-chap2 connections, which requires another couple of patches to add the options), you eliminate the most grievous of the holes in M$' MS-Chap.

Patrick Reid - mailto:PReid at candesco.com
Candesco Research Corp.
Communication Centre: -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Hovell Sent: September 9, 2000 11:20 PM To: Patrick Reid Cc: pptp-server at lists.schulte.org Subject: Re: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP Patrick -- Patrick Reid wrote: > This could also be very useful for people who have machines which are behind > an NAT wall which they don't control (like my own high-speed link). Yeah, I thought so! Or countries that don't allow proto 50 etc... > However, if I already have a PPTP link up and can then run IPSec over it, > this means I could have IPSec encryption, which is generally felt to be > superior to MSChap v2 (even with the patched is place). What do you mean, patch? You don't mean patching pppd for Linux, do you? I mean without that in place, there is *zero* encryption. And AFAIK, the "128 bit enc." is really insecure b/c of protocol design. Please let me know if you are talking about something else... Cheers, John > > Thanks for this info!. > > Patrick Reid - mailto:PReid at candesco.com > Candesco Research Corp. > Communication Centre: > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of John Hovell > Sent: September 6, 2000 12:55 AM > To: Justin Kreger; pptp-server at lists.schulte.org > Subject: FOLLOW UP: Re: [pptp-server] IPSec *over* PPtP > > Hello all -- > > I solved the problem... IPSec over PPP is possible. This is just wacky, but > this > is what to do: > > PGPnet only wants to bind to your "Dial Up Adapter" -- not #2 for VPN > support as > one might logically think. Bind it to "Dial Up" and it works like a charm. > > This might actually be useful to people who aren't allowed to transmit > protocols 50 > or 51... since they can tunnel it all over tcp/1723 and still get IPSec data > encryption. 
> > Cheers, > John > > John Hovell wrote: > > > Justin -- > > > > This is because PGPnet sucks so much, that for no discernable reason when > I try > > to bind PGPnet to my Ethernet card on one of the machines, I can't get any > > network connectivity. I have reinstalled the ether card 3 times... and > even > > installed the driver files manually by hand. The card is a 3com PCMCIA > 3c574 > > Cardbus card. It works beatifully without PGPnet... The reason I am doing > the > > bass-ackwards configuration is because PGPnet will at least bind to the > VPN > > dial-up adapter... but that may be just my problem. > > > > Any other ideas? Thanks for your help... > > > > Cheers, > > John > > > > Justin Kreger wrote: > > > > > Why not setup two linux boxes to do the IPSec? and just have the > windows > > > boxes use pptp so they can browse the remote network if you dint setup > your > > > ipsec wan so it passes the Browser List. > > > -LW > > > > > > -----Original Message----- > > > From: John Hovell [mailto:john.hovell at home.com] > > > Sent: Monday, September 04, 2000 1:58 AM > > > To: pptp-server at lists.schulte.org > > > Subject: [pptp-server] IPSec *over* PPtP > > > > > > Hello all -- > > > > > > I have some Win98 boxes that want to do IPSec over their PPTP > > > connection... just transport mode from one computer to another. The > > > IPSec SA is currently successful (both phase 1 and 2).. everything seems > > > to be set up fine, until I atually try to send data. If I try to ping > > > the remote VPN client from the IPSec machine on the local lan I get > > > (from tcpdump): > > > > > > 01:47:56.877612 < 172.16.0.4 > 172.16.0.175: ip-proto-50 76 > > > 01:47:56.972086 > 172.16.0.175 > 172.16.0.4: icmp: 172.16.0.175 protocol > > > 50 unreachable > > > > > > If I do the same thing from the remote host I get: > > > > > > 01:53:07.586184 < 172.16.0.175 > 172.16.0.4: icmp: echo request > > > > > > (note the lack of encryption despite the *established* SA...) 
> > > > > > Do I need to somehow enable protocol 50 (and 51)?? IPchains forward is > > > set up to accept all traffic between these hosts. There is no > > > masquerading between the two machines. > > > > > > Does anyone know what I am missing? FYI, I am using PGPnet 6.5.8 > > > Personal Privacy (freeware) on both Windows IPSec machines. > > > > > > TiA for any advice or help... > > > > > > Cheers, > > > John > > > > > > _______________________________________________ > > > pptp-server maillist - pptp-server at lists.schulte.org > > > http://lists.schulte.org/mailman/listinfo/pptp-server > > > List services provided by www.schulteconsulting.com! > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From NorthwestFrog at home.com Mon Sep 11 11:02:26 2000 From: NorthwestFrog at home.com (Jean-Francois Gagnon) Date: Mon, 11 Sep 2000 09:02:26 -0700 Subject: [pptp-server] connexion problem In-Reply-To: <000001c01bcd$ad21e820$7c03a8c0@pcjpc> Message-ID: <000701c01c09$ae10e4c0$0201a8c0@olmpi1.wa.home.com> Please supply more information: the content of the pptp_options on your linux box... Have you installed the PPP patches... 
Which client did you try to have connected to your pptp server... I still have a similar problem when I require encryption from the client side (win98SE)

Regards (Salutations)
Jean-Francois Gagnon

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jean-Paul
> Chavant
> Sent: Monday, September 11, 2000 1:53 AM
> To: Pptp
> Subject: [pptp-server] connexion problem
>
>
> hello,
>
> i ve reinstalled PPTP on my Linux box (2.2.15 kernel).
> I ve this errors :
>
> Sep 11 10:38:43 localhost pptpd[984]: MGR: Manager process started
> Sep 11 10:38:43 localhost pptpd[984]: MGR: Couldn't create host socket
> Sep 11 10:40:06 localhost pptpd[987]: CTRL: Client 192.168.3.124 control
> connection started
> Sep 11 10:40:06 localhost pptpd[987]: CTRL: Starting call (launching pppd,
> opening GRE)
> Sep 11 10:40:06 localhost pptpd[987]: GRE:
> read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error =
> Input/output error
> Sep 11 10:40:06 localhost pptpd[987]: CTRL: PTY read or GRE write failed
> (pty,gre)=(4,5)
> Sep 11 10:40:06 localhost pptpd[987]: CTRL: Client 192.168.3.124 control
> connection finished
>
>
> How can i resolve the MRG error ("Couldn't create host socket").
> And the CTRL error (GRE). GRE is compiled as module in the kernel.
>
> thanks. JPaul.
>

From philv at ridgerun.com Mon Sep 11 16:12:20 2000
From: philv at ridgerun.com (Phil Verghese)
Date: Mon, 11 Sep 2000 15:12:20 -0600
Subject: [pptp-server] log analysing
In-Reply-To: <4.3.2.7.0.20000911162442.00aca6a0@proxy>
Message-ID:

Here's a script I wrote to look through the logs and generate a report. This is my first significant Perl script, so forgive me if it's not optimal.

Phil

------------------------------------------------------
#!/usr/bin/perl
#
# pptplog.pl
# This program parses /var/log/messages looking for login attempts
# through pptpd & pppd to generate a report of failed, insecure and
# valid login attempts
#
# USAGE: pptplog [-f filename] [-knh]
#   -f  Specifies log file to read (default is /var/log/messages)
#   -k  Keep temporary files in /tmp (default is to delete these files)
#   -n  Do not send any mail (default is to send to root)
#   -h  Show usage
#
# Copyright (C) 2000 Phil Verghese
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA,
# or visit http://www.gnu.org/copyleft/gpl.html

use IO::File;
use Getopt::Std;

sub PPTP_Header;
sub WriteReport;

# Parse command line
$arg_err = getopts('f:knh');
if ($arg_err == 0 || $opt_h == 1) {
    print "Usage: pptplog [-f filename] [-knh]\n";
    print "-f Specifies log file to read (default is /var/log/messages)\n";
    print "-k Keep temporary files in /tmp (default is to delete these files)\n";
    print "-n Do not send any mail (default is to send to root)\n";
    print "-h Show this message\n";
    exit;
}

if ($opt_f ne "") {
    $messages_file = $opt_f;
} else {
    $messages_file = "/var/log/messages";
}

# Input file
open(MESSAGES, $messages_file) or die "Can't open messages file:$!\n";

# Output files for failed logins, insecure logins, and valid logins
# NOTE: these fixed names under /tmp are predictable; when the script runs
# as root (e.g. from cron), point them at a directory only root can write to.
$failed_file = "/tmp/vpn_failed";
$insecure_file = "/tmp/vpn_insecure";
$valid_file = "/tmp/vpn_valid";
$report_file = "/tmp/vpn_report";

open(FAILED, "> " . $failed_file) or die "Can't open $failed_file for output: $!\n";
open(INSECURE, "> " . $insecure_file) or die "Can't open $insecure_file for output: $!\n";
open(VALID, "> " . $valid_file) or die "Can't open $valid_file for output: $!\n";

print FAILED "-" x 10 . " Failed login attempts " . "-" x 10 . "\n";
print INSECURE "-" x 10 . " Insecure logins " . "-" x 10 . "\n";
print VALID "-" x 10 . " Valid logins " . "-" x 10 . "\n";

while ($line = <MESSAGES>) {
    if ($line =~ /pptpd\[\d+\]:\sCTRL:.*control connection started/) {
        PPTP_Header;    # Process the start of the PPTP connection
    }
    elsif ($line =~ /pppd\[(\d+)\]:\s.*peer authentication/) {
        # User authentication
        $ppp_id = $1;
        $_ = $line;
        if (/\d+\]: ([\w\-]+)/) {
            $chaptype{$ppp_id} = $1;
        }
        if (/authentication (\w+) for.* (\w+)$/) {
            $username{$ppp_id} = $2;
            if ($1 eq "failed") {
                $loginok{$ppp_id} = 0;
            } else {
                $loginok{$ppp_id} = 1;
            }
        }
    }
    elsif ($line =~ /pppd\[(\d+)\]:\s.*compression/i) {
        $ppp_id = $1;
        $_ = $line;
        if (/Compression disabled/) {
            $crypt{$ppp_id} = "NONE";
        } elsif (/(MPPE \d+ bit)/) {
            $crypt{$ppp_id} = $1;
        } elsif (/Deflate.*compression enabled/) {
            $crypt{$ppp_id} = "Deflate";
        }
    }
    elsif ($line =~ /pptpd\[(\d+)\]:\sCTRL: PTY read or GRE write failed/) {
        $errors{$1} .= "r/w ";
    }
    elsif ($line =~ /pptpd\[(\d+)\]:\sCTRL: Session timed out, ending call/) {
        $errors{$1} .= "session-timeout ";
    }
    elsif ($line =~ /pptpd\[(\d+)\]:\sLCP: timeout sending Config/) {
        $errors{$1} .= "cfg-req-timeout ";
    }
    elsif ($line =~ /pptpd\[(\d+)\]:\sCTRL: EOF or bad error reading ctrl/) {
        $pptp_id = $1;
        if (!($errors{$pptp_id} =~ /ctrl-packet-bad/)) {
            # Only log one bad ctrl packet
            $errors{$pptp_id} .= "ctrl-packet-bad ";
        }
    }
    elsif ($line =~ /pptpd\[(\d+)\]:\sGRE: Discarding/) {
        $pptp_id = $1;
        if (!($errors{$pptp_id} =~ /GRE-discard/)) {
            # Only log one GRE error
            $errors{$pptp_id} .= "GRE-discard ";
        }
    }
    elsif ($line =~ /pppd\[(\d+)\]: Connect time (\d+\.\d+) min/) {
        $time{$1} = $2;
    }
    elsif ($line =~ /pppd\[(\d+)\]: Sent (\d+) by.* (\d+) by/) {
        $sent{$1} = $2;
        $rcvd{$1} = $3;
    }
    elsif ($line =~ /pppd\[(\d+)\]: Exit/) {
        $ppp_id = $1;
        WriteReport;
    }
}

# Write out blank lines for readability
print FAILED "\n";
print INSECURE "\n";

close (FAILED);
close (INSECURE);
close (VALID);

`cat $failed_file $insecure_file $valid_file > $report_file`;

if ($opt_n != 1) {
    `mail -s "VPN Report" root < $report_file`;
}

if ($opt_k != 1) {
    `rm $failed_file $insecure_file $valid_file $report_file`;
}

#########################################################################
# Process the start of the PPTP connection. Hash tables are used to track
# information because it's possible to having overlapping sessions with
# starts & ends interleaved.
sub PPTP_Header {
    $_ = $line;
    if (/^(\w{3}\s+\d+\s+..:..:..).*pptpd\[(\d+)\]:\sCTRL: Client (\d+\.\d+\.\d+\.\d+)/) {
        $date = $1;
        $pptp_id = $2;
        $ip = $3;
    }

    # Find the line that launches pppd so we can track that PID
    while ($line = <MESSAGES>) {
        if ($line =~ /pppd\[(\d+)\]:\s.*started by/) {
            $ppp_id = $1;
            last;
        }
    }

    # Track values that are keyed to the PID of pptpd. This is needed because
    # it's possible to have interleaving start/end pptpd connection messages
    $ppp_id_hash{$pptp_id} = $ppp_id;   # The PID of the pppd that was launched by pptpd
    $pptp_id_hash{$ppp_id} = $pptp_id;  # The PID of the pptp that launched this pppd
    $date_hash{$pptp_id} = $date;
    $ip_hash{$pptp_id} = $ip;
}

#########################################################################
# Finished with one session, so write to the appropriate report file
sub WriteReport {
    $pptp_id = $pptp_id_hash{$ppp_id};

    # Fixup null strings
    if ($crypt{$ppp_id} eq "") {
        $crypt{$ppp_id} = "Empty";
    }
    if ($errors{$pptp_id} eq "") {
        $errors{$pptp_id} = "none";
    }

    # Failed login?
    if ($loginok{$ppp_id} == 0) {
        print FAILED "$date_hash{$pptp_id} USER:$username{$ppp_id} IP:$ip_hash{$pptp_id}\n";
    }
    # Insecure login?
    elsif (($chaptype{$ppp_id} ne "MSCHAP-v2") ||
           (($crypt{$ppp_id} ne "MPPE 128 bit") && ($crypt{$ppp_id} ne "MPPE 40 bit"))) {
        print INSECURE "$date_hash{$pptp_id} USER:$username{$ppp_id} IP:$ip_hash{$pptp_id} ";
        print INSECURE "AUTH:$chaptype{$ppp_id} CRYPT:$crypt{$ppp_id} ";
        print INSECURE "TIME:$time{$ppp_id} SENT:$sent{$ppp_id} RCVD:$rcvd{$ppp_id} ERRS:$errors{$pptp_id} \n";
    }
    # Valid login
    else {
        print VALID "$date_hash{$pptp_id} USER:$username{$ppp_id} IP:$ip_hash{$pptp_id} ";
        print VALID "AUTH:$chaptype{$ppp_id} CRYPT:$crypt{$ppp_id} ";
        print VALID "TIME:$time{$ppp_id} SENT:$sent{$ppp_id} RCVD:$rcvd{$ppp_id} ERRS:$errors{$pptp_id} \n";
    }
}

From jkuhn at siumed.edu Tue Sep 12 08:22:38 2000
From: jkuhn at siumed.edu (Jan Kuhn)
Date: Tue, 12 Sep 2000 08:22:38 -0500
Subject: [pptp-server] 128 bit Win 98 dial-up networking security upgrade
Message-ID: <39BE2E1E.229A8677@siumed.edu>

http://support/microsoft.com/support/ntserver/128downloads.asp gives me an error that the document contains no data. I've sent a note to Microsoft. Is there an alternate site I can find this?

TIA, jan

From jurkd at mrrm.ca Tue Sep 12 11:12:13 2000
From: jurkd at mrrm.ca (Dragan Jurkovic)
Date: Tue, 12 Sep 2000 12:12:13 -0400 (EDT)
Subject: [pptp-server] PPTP Problem
Message-ID: <200009121612.MAA19123@daintyml.mrrm.ca>

Hi everyone,

I am using pptp.1.0.0 as a server on 2.2.14 kernel and Win 9x as a client(s). My users randomly experience delays in traffic - everything stops for 10-60 seconds and then suddenly everything is flushed out on the screen and connection behaves normally until next time. Does anybody have any idea how to fix this?
Thanks in advance,

                \\|//
Dragan Jurkovic (o o)
------------------------oOOo-(_)-oOOo--------------------

From barjunk at attglobal.net Tue Sep 12 13:39:24 2000
From: barjunk at attglobal.net (Michael Barsalou)
Date: Tue, 12 Sep 2000 10:39:24 -0800
Subject: [pptp-server] 128 bit encryption
Message-ID: <39BE07DC.24229.7EB19B@localhost>

Try this instead:

http://www.microsoft.com/windows/ie/download/128bit/intro.htm

Michael Barsalou
barjunk at attglobal.net

From tfindlay at prodevelop.com.au Tue Sep 12 16:47:22 2000
From: tfindlay at prodevelop.com.au (Timothy Findlay)
Date: Wed, 13 Sep 2000 07:47:22 +1000
Subject: [pptp-server] Linx PPTP -> Cisco VPN Adaptor
References: <39B978EA.F843DAA5@prodevelop.com.au> <20000908165106.A11824@ecst.csuchico.edu> <39BB6EF8.227B5958@prodevelop.com.au> <39BC076B.37120361@home.com>
Message-ID: <39BEA469.E5F2DB06@prodevelop.com.au>

Yup, I've d/l'd it all (the freeswan one), it wouldn't compile with my 2.4 kernel, so I've gone back to the regular 2.2 one, and it's all compiled up and installed fine (that wasn't hard!), the catch now is working out how to configure it! I'm following some examples by Jean-Francois Nadeau which look pretty cool, the catch is I sorta need to have it working 'yesterday' as such, as there's a guy on the other side of the globe waiting for me to give him all the details, and he doesn't speak much English! :( I've got a Wincrudy 2000 box here which I'm working with as a client to see if I can get it to work, else I'll build another linux box.

Worst case scenario, if I can get it to work by the end of the weekish, we'll pay someone else to come and setup, as we do sorta have another cisco 2611 on our 'main office' as such, I was just trying to avoid this, not so much for the cost, but 98% of our IT gear is all setup & managed by 3rd party consultants, we're supposed to be the IT team, and we don't know crap about anything!

Anyways, Thanks for your help guys!

Tim.
John Hovell wrote: > Timothy -- > > Timothy Findlay wrote: > > > I've heard IPSec is actually better than PPTOP, > > Um, well lets see. Yes. To be blunt. Just a bit. In fact, PPTP is basically > known as *insecure* even with 128-bit encryption enabled (which if you want to > talk about something that is a pain in the arse to set up). Check out: > > http://www.counterpane.com/pptp.html > > > but it's a _REAL_ pain in the > > arse to setup, is this sorta true ?!? should I attempt it ?? > > Yes, you should definitely attempt it. PPTP is *not* secure, and is provided on > Linux, simply to provide compatibility with MS products. (yes, or when data > integrity/secrecy is not important... PPTP in general is a great tunneling > protocol.) > > Check out FreeS/WAN: > http://www.freeswan.org. > > Download it... untar it. Configure, do "make newgo" or whatever it is called, > and install the kernel and reboot. There are 2 conf files (/etc/ipsec.conf and > /etc/ipsec.secrets) which are very easy to set up. There is even a patch for it > to use X.509 certificates, to ensure compatibility with PGPnet (Network > Associates PGP package for Win9x/NT). (Do not use this paragraph as your > instruction manual; I'm just typing this to show you its not hard to set up) > (does require a kernel-recompile, but so does PPTP w/ encryption). > > Microsoft's PPTP is a "last resort" solution when nothing else is possible. > IPSec is the IPv6 standard, and using 3DES encryption and SHA or MD5 provides > currently "unbreakable" encryption and data integrity... not to mention is more > robust and configurable; it is also truly peer-to-peer, and is *not* a > Point-to-Point protocol (although it can be configured that way if you want or > need PPP). > > And yes, IPSec is what Cisco and just about any router I can think of uses for > VPN's. > > Cheers, > John > > > "Charles C. 
Duffy" wrote: > > > > > On Sat, Sep 09, 2000 at 09:40:26AM +1000, Timothy Findlay wrote: > > > > I setup PPTP on a Linux Internet gateway at work a few weeks ago, and > > > > all has been great, people are been authenticating against the PDC and > > > > all which is great, but now were opening a new little office overseas, > > > > and I just found out they've brought a 17xx Cisco router, which they > > > > want to use to connect to the VPN, as it's overseas there some other > > > > cluey dude on the other end to setup the cisco, but what do I need to do > > > > to my Linux box, can it do it ?!?!? > > > > > > Depends on the Cisco. > > > > > > One option would be to use CIPE (available as part of the International > > > Kernel Patch, kerneli.org), or better (if the Cisco supports it) IPsec. > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From barjunk at attglobal.net Tue Sep 12 18:14:18 2000 From: barjunk at attglobal.net (Michael Barsalou) Date: Tue, 12 Sep 2000 15:14:18 -0800 Subject: [pptp-server] HOWTO update Message-ID: <39BE484A.15719.179AB7E@localhost> I was just checking my HOWTO and trying to work out the bugs with the newest releases of differing pieces of software: I am writing it to work with: 2.2.16-3 kernel openssl 0.9-5a-1 ppp-2.3.11-4 MPPE patch VPN patch (so you can have outbound VPN in a NAT'd network) This seems to be the most common setup. Please give me feedback if you think this should be different. I am currently running into patching problems when using the references I currently have. 
It would be great if someone had a set of patches that worked well together. Adi: Do your RPM's include the stuff above? If so, I will put a link in there. Mike Michael Barsalou barjunk at attglobal.net From hb at gnw.de Wed Sep 13 07:04:55 2000 From: hb at gnw.de (hb at gnw.de) Date: Wed, 13 Sep 2000 14:04:55 +0200 Subject: [pptp-server] Problems with PPP-patches Message-ID: <3BBD17E5E23ED411AAEA0050DA7121811188@GNWPDC> Hi ! I have problems patching the original ppp-2.3.10 source with the patch file "ppp-2.3.10-openssl-norc4-mppe.patch". Every hunk failed. Does someone have working encryption-patches for PPP and openssl versions included in Debian Potato (2.2) ? Debian used ppp-2.3.11 and OpenSSL 0.9.4. Regards, Holger Baust -- Gamers Network GmbH Holger Baust, Technik Dolmanstr. 18, 51427 Bergisch Gladbach fon. 02204 / 9680 - 32 http://www.gnw.de From kennya at carlislefsp.com Wed Sep 13 08:48:35 2000 From: kennya at carlislefsp.com (Kenny Austin) Date: Wed, 13 Sep 2000 08:48:35 -0500 Subject: [pptp-server] pptpd to different private subnets Message-ID: <000f01c01d89$50ef77d0$5f020a0a@kennya> I have a question, I found a thread dealing with the exact thing in the mailing list archive, but never found a good solution. Sorry I forgot the url, anyways the date/subject was: Date: Wed, 3 May 2000 18:28:47 -0700 (PDT) From: Mike Ireton mike at bayoffice.net Subject: [pptp-server] Managing multiple authentication domains I need to run a VPN for 2 different internal ip-subnets, ie: 192.168.1.0/29 and 192.168.2.0/29 so that after a user logs on, he is assigned an ip address from a certain pool. 
I could use chap-secrets for this to assign a certain ip address:

sales1   * password * 192.168.1.2
service1 * secret   * 192.168.2.2

but the same account could possibly be logged in more than once at a given time, so it seems I could list multiple ips, ie:

sales1 * password * 192.168.1.2 192.168.1.3 192.168.1.4
sales2 * secret   * 192.168.1.5 192.168.1.6 192.168.1.7

at any rate this would get unmanageable quickly, and there doesn't seem to be a way (that I've found) to list a range of ips in the chap-secrets, ie:

billybob * password * 192.168.1.2-192.168.1.200

(I know if there is a way the syntax is nothing like that)

I found the suggestions of having the users set it on their side.. thus making each client a custom setup, we share notebooks sometimes so this won't work. Or to run multiple sessions of pptpd with a different ip address for each department, but this eats up a lot of ips and once again makes the client setup a custom one (not near as much as the above). Or assign a different ip address to each person, see above.

----------------------- short version ---------------------------
Is there a way to list a range of ip address in the chap-secrets? Or any other solution that will do what I need?

Thanks,
Kenny Austin
kennya at carlislefsp.com

From andrew.wood at datalexuk.com Wed Sep 13 09:08:15 2000
From: andrew.wood at datalexuk.com (Andrew Wood)
Date: Wed, 13 Sep 2000 15:08:15 +0100
Subject: [pptp-server] Joke
Message-ID: <6F6EA5048A46D41184AF0006295717340E06@DLUKEX01>

This bloke with Tourette Syndrome walks into the poshest restaurant in town. "Where's the pissing, motherfucking manager, you cock sucking arse wipe?" he inquires of one of the waiters. The waiter is taken-aback and replies, "Excuse me sir but could you please refrain from using that sort of language in here. I will get the manager as soon as I can". The manager comes over and the bloke asks, "Are you the chicken-fucking manager of this bastard place?"
"Yes sir, I am," replies the manager, "but I would prefer it if you could refrain from speaking such profanities in this, a private restaurant". "Fuck off" replies the bloke "and where's the fucking piano?" "Pardon?" says the manager. "Fucking deaf as well, are we? You snivelling little piece of shit, show me your cunting piano." "Ah." replies the manager, "you've come about the pianist job" and shows the bloke to the piano. "Can you play any blues?" "Of course I fucking can," and the bloke proceeds to play the most inspiring and beautiful sounding honky-tonk blues that the manager has ever heard. "That's superb. What's it called?" "I tried to shag yer missus on the sofa but the springs kept hurting my dick," replies the bloke. The manager is a bit disturbed and asks if the bloke knows any jazz. The blokeproceeds, playing the most melancholy jazz solo the manager has ever heard. "Magnificent." cries the manager "What's it called?" "Wanted a wank over the washing machine but I got my balls caught in the soap drawer". The manager is a tad embarrassed and asks if he knows any romantic ballads. The bloke then plays the most heartbreaking melody the manager has ever heard, "And what's this called?" asks the manager. "As I fuck you under the stars with the moonlight shining off your hairy ring-piece," replies the bloke. The manager is highly upset by the bloke's language but offers him the job on condition that he doesn't introduce any of his songs or talk to any of the customers. This arrangement works well for a couple of months until one night, sitting opposite him, is the most gorgeous blonde he has ever laid his eyes on. She's wearing an almost see through dress, her tits are almost falling out the top of her black lace bra, and the skimpy little 'G' string she's wearing is riding up the crack of her arse. She sitting there with her legs slightly open, sucking suggestively on asparagus shoots and the butter is dripping down her chin. 
It's too much for the bloke and he runs off to the bogs to bash the bishop. He's tugging away furiously when he hears the manager's voice. "Where's that bastard pianist?" He just has time to chuck his muck, and in a fluster he runs back to the piano having not bothered to adjust himself properly, sits down and starts playing some more tunes. The blonde steps up and walks over to the piano, leans over and whispers in his ear, "Do you know your knob and bollocks are hanging out your trousers and dripping spunk on your shoes?" The bloke replies "Know it? I fucking wrote it."

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286
FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender.

From andrew.wood at datalexuk.com Wed Sep 13 09:11:12 2000
From: andrew.wood at datalexuk.com (Andrew Wood)
Date: Wed, 13 Sep 2000 15:11:12 +0100
Subject: [pptp-server] OOPS: Sorry
Message-ID: <6F6EA5048A46D41184AF0006295717340E07@DLUKEX01>

Sorry about the joke. I didn't mean to send it to the mailing list. I have given myself a verbal warning for negligence.

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286
FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

From tlskinner at hendersontrucking.com Wed Sep 13 09:19:48 2000
From: tlskinner at hendersontrucking.com (Tony Skinner)
Date: Wed, 13 Sep 2000 09:19:48 -0500 (CDT)
Subject: [pptp-server] OOPS: Sorry
In-Reply-To: <6F6EA5048A46D41184AF0006295717340E07@DLUKEX01>
Message-ID:

Send more! Hahaha.. I got a good chuckle from it!

Tony L Skinner
Director, Information Systems
Earl L Henderson Trucking Company
618-548-4667 extension 3146
Office Hours: 8:00am - 5:00pm M-F

On Wed, 13 Sep 2000, Andrew Wood wrote:

> Sorry about the joke. I didn't mean to send it to the mailing list. I have
> given myself a verbal warning for negligence.
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From ed at schernau.com Wed Sep 13 09:36:32 2000
From: ed at schernau.com (Edward Schernau)
Date: Wed, 13 Sep 2000 10:36:32 -0400
Subject: [pptp-server] OOPS: Sorry
References:
Message-ID: <39BF90F0.F7766762@schernau.com>

Tony Skinner wrote:
>
> Send more! Hahaha.. I got a good chuckle from it!

No. Don't.
--
Edward Schernau, mailto:ed at schernau.com
Network Architect http://www.schernau.com
RC5-64#: 243249 e-gold acct #:131897

From eilander at cobweb.nl Wed Sep 13 15:09:26 2000
From: eilander at cobweb.nl (Thijs Eilander)
Date: Wed, 13 Sep 2000 22:09:26 +0200
Subject: [pptp-server] patches for encryption
Message-ID:

After fiddling around to get encryption working, I made some patches. I just followed the howto on the webpage (with newer software), fixed the failed hunks manually, applied some fixes found on the mailing list and made the patch with diff. The patch includes all files you need from OpenSSL.

linux2.2.17-ppp-msencryption.patch
pppd-2.3.11-msencryption.patch

They can be found on ftp://ftp.paranoid.nl/linux/pptpd

Works as a charm here, but I am not responsible if things might not work at your place. The kernel patch probably works for 2.2.16 or some future 2.2.18 too, but I cannot guarantee that :-)

Regards,
Thijs Eilander
Cobweb Internet
+31-46-4758281

----------------------------------
Quick, Dirty and Unsupported Howto:

1. get linux.2.2.17
2. get ppp-2.3.11.tar.gz
3. untar/gzip those tar.gz's
4. patch -p0 < linux2.2.17-ppp-msencryption.patch
   (It looks for the directory "linux", so be careful. Otherwise copy the file into the kerneldir (eg: linux-2.2.17) and apply it with -p1)
5. patch -p0 < pppd-2.3.11-msencryption.patch
6. cd ppp-2.3.11 ; ./configure ; make && make install
7. move the kernel to /usr/src/linux-2.2.17 and create the symlink to /usr/src/linux
8. cd /usr/src/linux ; make menuconfig and configure your kernel, build and boot it. (if you are already running 2.2.17 with ppp as module, it's probably enough to rebuild and install the modules again. then rmmod ppp and do depmod -a)
9. replace (or append) /etc/ppp/options with the following:

   debug
   ms-wins your-wins-server
   auth
   +chap
   +chapms
   +chapms-v2
   mppe-40
   mppe-128
   mppe-stateless
   proxyarp
   require-chap
   name vpn
   netmask 255.255.255.0
   mru 1400
   mtu 1400
   ktune

10. Edit the /etc/conf.modules (or modules.conf) with the following info:

   alias char-major-108 off # This will be different for 2.3.x kernels
   alias ppp-compress-18 ppp_mppe
   alias ppp-compress-21 bsd_comp
   alias ppp-compress-24 ppp_deflate
   alias ppp-compress-26 ppp_deflate

11. depmod -a, insmod ppp, startup pptpd again (if it was down anyway :-) and make sure you have "require encryption" turned on in your windows VPN-dialup.

From sam at linuxtec.com Wed Sep 13 17:08:28 2000
From: sam at linuxtec.com (Samuel Gonzalez, Jr.)
Date: Wed, 13 Sep 2000 17:08:28 -0500
Subject: [pptp-server] OOPS: Sorry
References: <6F6EA5048A46D41184AF0006295717340E07@DLUKEX01>
Message-ID: <39BFFADC.FF457A38@linuxtec.com>

But a funny joke anyway!!!!

Andrew Wood wrote:

> Sorry about the joke. I didn't mean to send it to the mailing list. I have
> given myself a verbal warning for negligence.
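A check for the outcome of steps 9 and 10 of the howto in the "patches for encryption" message above, added here as an example and not part of the thread: it reports which of the howto's authentication and MPPE directives are absent from a pppd options file, and which module aliases are missing or point at a different module. The function names and the sample files are constructed for illustration; the directive lists are copied from the howto.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Compares a pppd options
# file and a modules.conf with the directives listed in steps 9 and 10 of the
# howto. Function names and sample files are constructed for illustration.

# Authentication and MPPE directives from step 9 of the howto.
HOWTO_OPTIONS="auth require-chap +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless"

# alias=module pairs from step 10 of the howto (CCP option 18 is MPPE).
HOWTO_ALIASES="char-major-108=off ppp-compress-18=ppp_mppe ppp-compress-21=bsd_comp ppp-compress-24=ppp_deflate ppp-compress-26=ppp_deflate"

# Print the active lines of a config file: CRs and '#' comments removed,
# runs of blanks collapsed, empty lines dropped.
normalize() {
    tr -d '\r' < "$1" | awk '{ sub(/#.*/, ""); if (NF) { $1 = $1; print } }'
}

# Print every howto option that is not an active directive in options file $1.
missing_options() {
    active=$(normalize "$1" | awk '{ print $1 }')
    for opt in $HOWTO_OPTIONS; do
        printf '%s\n' "$active" | grep -qxF -e "$opt" || printf '%s\n' "$opt"
    done
    return 0
}

# Print "missing ALIAS" or "mismatch ALIAS FOUND (expected MODULE)" for file $1.
# If an alias occurs more than once, the last occurrence is the one compared.
alias_problems() {
    conf=$(normalize "$1")
    for pair in $HOWTO_ALIASES; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$conf" |
            awk -v n="$name" '$1 == "alias" && $2 == n { m = $3 } END { print m }')
        if [ -z "$got" ]; then
            printf 'missing %s\n' "$name"
        elif [ "$got" != "$want" ]; then
            printf 'mismatch %s %s (expected %s)\n' "$name" "$got" "$want"
        fi
    done
    return 0
}

# Write constructed sample files into directory $1.
write_samples() {
    cat > "$1/options" <<'EOF'
# constructed sample: +chapms-v2 commented out, mppe-128 absent
lock
debug
name vpn
auth
require-chap
+chap
+chapms
#+chapms-v2
mppe-40
mppe-stateless
proxyarp
EOF
    cat > "$1/modules.conf" <<'EOF'
# constructed sample: MPPE alias disabled, ppp-compress-26 absent
alias char-major-108 off   # This will be different for 2.3.x kernels
alias ppp-compress-18 off
alias ppp-compress-21   bsd_comp
alias ppp-compress-24 ppp_deflate
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "options file is missing:"
missing_options "$demo_dir/options"
echo "modules.conf problems:"
alias_problems "$demo_dir/modules.conf"
rm -rf "$demo_dir"
```

Point the two functions at the real /etc/ppp/options and /etc/conf.modules (or modules.conf) after step 11; empty output from both means every directive the howto lists is active.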
From stevelim at jhs.com.sg Wed Sep 13 20:32:34 2000
From: stevelim at jhs.com.sg (Steve Lim)
Date: Thu, 14 Sep 2000 09:32:34 +0800
Subject: [pptp-server] unsuscribe
Message-ID: <003e01c01deb$a8a24220$bfc78489@jhs.com.sg>

From john at arnie.jfive.com Wed Sep 13 20:37:51 2000
From: john at arnie.jfive.com (John Heyer)
Date: Wed, 13 Sep 2000 20:37:51 -0500 (CDT)
Subject: [pptp-server] "Ignored a SET LINK INFO packet" in FreeBSD 4.1
In-Reply-To:
Message-ID:

On Sat, 9 Sep 2000, John Heyer wrote:

> CTRL: Ignored a SET LINK INFO packet with real ACCMs!
>
> I get a duplicate about 35 seconds later, then a GRE read error. Does
> anybody know what this means? my /etc/ppp/ppp.conf appears below
>

Whoops never mind - it was a foobared RAS/PPTP installation on the NT Workstation I was testing from. Apparently the error message I was seeing on the server can be ignored.

--
John Heyer - john at arnie.jfive.com - http://www.jfive.com
"Me fail English? That's unpossible!" -- Ralph Wiggam

From alan at silveregg.co.jp Thu Sep 14 01:28:19 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Thu, 14 Sep 2000 15:28:19 +0900
Subject: [pptp-server] authentication error
Message-ID: <4.2.0.58.J.20000914150132.00ad6950@pear.silveregg.co.jp>

I have installed pptp server and compiled kernel modules as installation guides. It seems working but I got some kind of authentication error about chap when I tried to connect to server from 98 client.

My /etc/options file looks like

lock
debug
name lemon
auth
require-chap
+chap
proxyarp
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

and my /etc/chap-secrets looks like

# Secrets for authentication using CHAP
# client server secret IP addresses
temp lemon admin *

ps. temp is the client's hostname and admin is the username I use to connect to server. lemon is the pptpd server's hostname.

The following is the log message I got and does anyone have a clue?
Launching /usr/sbin/pptpctrl to handle client
Sep 14 15:02:03 lemon pptpd[900]: CTRL: local address = 192.168.0.51
Sep 14 15:02:03 lemon pptpd[900]: CTRL: remote address = 192.168.0.51
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Client 192.168.0.40 control connection started
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Received PPTP Control Message (type: 1)
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Made a START CTRL CONN RPLY packet
Sep 14 15:02:03 lemon pptpd[900]: CTRL: I wrote 156 bytes to the client.
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Sent packet to client
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Received PPTP Control Message (type: 7)
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Set parameters to 0 maxbps, 16 window size
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Made a OUT CALL RPLY packet
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Starting call (launching pppd, opening GRE)
Sep 14 15:02:03 lemon pptpd[900]: CTRL: pty_fd = 4
Sep 14 15:02:03 lemon pptpd[900]: CTRL: tty_fd = 5
Sep 14 15:02:03 lemon pptpd[901]: CTRL (PPPD Launcher): Connection speed = 115200
Sep 14 15:02:03 lemon pptpd[901]: CTRL (PPPD Launcher): local address = 192.168.0.51
Sep 14 15:02:03 lemon pptpd[901]: CTRL (PPPD Launcher): remote address = 192.168.0.51
Sep 14 15:02:03 lemon pptpd[900]: CTRL: I wrote 32 bytes to the client.
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Sent packet to client
Sep 14 15:02:03 lemon pptpd[900]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
Sep 14 15:02:03 lemon pptpd[900]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Client 192.168.0.40 control connection finished
Sep 14 15:02:03 lemon pptpd[900]: CTRL: Exiting now
Sep 14 15:02:03 lemon pptpd[897]: MGR: Reaped child 900

Any help is appreciated.
Alan

From gerhard.possler at westernacher.de Thu Sep 14 02:39:53 2000
From: gerhard.possler at westernacher.de (gerhard.possler at westernacher.de)
Date: Thu, 14 Sep 2000 08:39:53 +0100
Subject: [pptp-server] (no subject)
Message-ID:

[pptp-server] unsuscribe

From alan at silveregg.co.jp Thu Sep 14 03:45:16 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Thu, 14 Sep 2000 17:45:16 +0900
Subject: [pptp-server] windows 2000
Message-ID: <4.2.0.58.J.20000914174100.00ac7290@pear.silveregg.co.jp>

I have installed pptp server and compiled kernel modules as installation guides. It seems working with NT and 98 clients but I got 743 error which indicated my pptpd server doesn't support mppe-128 (but I have ppp-2.3.10-openssl-norc4-mppe.patch installed already) when I tried to connect to server from windows 2000 client.

My /etc/options file looks like

lock
debug
name lemon
auth
require-chap
+chap
proxyarp
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

and my /etc/chap-secrets looks like

# Secrets for authentication using CHAP
# client server secret IP addresses
mydomain\\user passowrd *

Does anyone have a clue? Thanks in advance.

Alan

From exiof-list at wallin.dk Thu Sep 14 06:47:00 2000
From: exiof-list at wallin.dk (Christian Pedersen - Mailinglist)
Date: 14 Sep 2000 12:47:00 +0100
Subject: [pptp-server] Compiling...
Message-ID:

Well I have tried compiling ppp-2.3.10 and mppe patch on a Redhat 6.2 Linux 2.2.17 kernel system!!! But it isn't working, I have included the rc4* files in ppp-source/linux and made a make kernel and it installed it.. When I compile modules it fails... Do I have to use OpenSSL or SSLeay!?!?!

Christian Pedersen / Wallin Computer
Ahlgade 5 \ 4300 Holbæk
/ 59441490 Direct 59451497
/ christian at wallin.dk
LinuX / Teamware \ Networking / Firewalls

From mtr at iwk.dk Thu Sep 14 06:19:06 2000
From: mtr at iwk.dk (Morten Troen)
Date: Thu, 14 Sep 2000 13:19:06 +0200
Subject: [pptp-server] setting up the linux server without a known ip-address.
Message-ID: <000e01c01e3d$98a2ac50$019b11ac@IDANTDOM>

I've set up a pptp-server and it's running. When I implement the a server it's the ip-addresses of the clients are not known, so my question is : Can I set up the server without knowing the client ip-addresses and how ???

Morten Troen.

From chavant at geosys.fr Thu Sep 14 06:32:05 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Thu, 14 Sep 2000 13:32:05 +0200
Subject: [pptp-server] connexion problem
Message-ID: <002401c01e3f$68b773c0$7c03a8c0@pcjpc>

Hello,

I'm using the FAQ to install pptpd-1.0.0 on my linux box (2.2.14) with ppp-2.3.10 without MSCHAPv2/MPPE. When I try to connect to the pptp server I've got the error 629. My pptpd server is launched (-d option).

my /etc/ppp/options file :

lock
debug
auth
+chap
proxyarp

my /etc/ppp/chap-secrets file :

# Secrets for authentication using CHAP
# client server secret IP addresses
test test

my /etc/pptpd.conf file :

debug
localip 192.168.0.1
remoteip 192.168.0.234-238

my logs in /var/log/messages :

Sep 14 13:30:33 endeavour pptpd[485]: CTRL: Client 192.168.3.124 control connection started
Sep 14 13:30:33 endeavour pptpd[485]: CTRL: Starting call (launching pppd, opening GRE)
Sep 14 13:30:33 endeavour modprobe: can't locate module char-major-108
Sep 14 13:30:34 endeavour kernel: CSLIP: code copyright 1989 Regents of the University of California
Sep 14 13:30:34 endeavour kernel: PPP: version 2.3.7 (demand dialling)
Sep 14 13:30:34 endeavour kernel: PPP line discipline registered.
Sep 14 13:30:34 endeavour kernel: registered device ppp0
Sep 14 13:30:34 endeavour pptpd[485]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
Sep 14 13:30:34 endeavour pptpd[485]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 14 13:30:34 endeavour pptpd[485]: CTRL: Client 192.168.3.124 control connection finished

Where can I find the char-major-108 module ???

Thx
JPaul

From andrew.wood at datalexuk.com Thu Sep 14 08:13:33 2000
From: andrew.wood at datalexuk.com (Andrew Wood)
Date: Thu, 14 Sep 2000 14:13:33 +0100
Subject: [pptp-server] setting up the linux server without a known ip-address.
Message-ID: <6F6EA5048A46D41184AF0006295717340E17@DLUKEX01>

Morten

The clients get assigned an IP address when they connect to the server. They get assigned an IP address from the remoteip range set up in your /etc/pptpd.conf file, along with any wins servers, dns server, etc you have set up in your /etc/ppp/options file.

Andrew Wood
System Administrator
Datalex UK, Sunley Tower
Piccadilly Plaza, Manchester, M1 4BT
TEL: 0161 2282286
FAX: 0161 2282900
http://www.datalexuk.com
mailto:andrew.wood at datalexuk.com

-----Original Message-----
From: Morten Troen [mailto:mtr at iwk.dk]
Sent: 14 September 2000 12:19
To: pptp-server at lists.schulte.org
Subject: [pptp-server] setting up the linux server without a known ip-address.

I've set up a pptp-server and it's running. When I implement the a server it's the ip-addresses of the clients are not known, so my question is : Can I set up the server without knowing the client ip-addresses and how ???
Morten Troen.

From natecars at real-time.com Thu Sep 14 09:42:33 2000
From: natecars at real-time.com (Nate Carlson)
Date: Thu, 14 Sep 2000 09:42:33 -0500 (CDT)
Subject: [pptp-server] authentication error
In-Reply-To: <4.2.0.58.J.20000914150132.00ad6950@pear.silveregg.co.jp>
Message-ID:

On Thu, 14 Sep 2000, Alan Chung wrote:

> My /etc/options file looks like
> lock
> debug
> name lemon
> auth
> require-chap
> +chap
> proxyarp
> +chapms
> +chapms-v2
> mppe-40
> mppe-128
> mppe-stateless

Looks fine.

> and my /etc/chap-secrets looks like
>
> # Secrets for authentication using CHAP
> # client server secret IP addresses
> temp lemon admin *
>
> ps. temp is the client's hostname and admin is the username I use to
> connect to server.
> lemon is the pptpd server's hostname.

Try the following line:

admin * *

>
>
> The following is the log message I got and does anyone have a clue?
>
>
> Launching /usr/sbin/pptpctrl to handle client
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: local address = 192.168.0.51
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: remote address = 192.168.0.51
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Client 192.168.0.40 control
> connection started
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Received PPTP Control Message (type: 1)
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Made a START CTRL CONN RPLY packet
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: I wrote 156 bytes to the client.
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Sent packet to client
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Received PPTP Control Message (type: 7)
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Set parameters to 0 maxbps, 16
> window size
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Made a OUT CALL RPLY packet
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Starting call (launching pppd,
> opening GRE)
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: pty_fd = 4
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: tty_fd = 5
> Sep 14 15:02:03 lemon pptpd[901]: CTRL (PPPD Launcher): Connection speed =
> 115200
> Sep 14 15:02:03 lemon pptpd[901]: CTRL (PPPD Launcher): local address =
> 192.168.0.51
> Sep 14 15:02:03 lemon pptpd[901]: CTRL (PPPD Launcher): remote address =
> 192.168.0.51
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: I wrote 32 bytes to the client.
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Sent packet to client
> Sep 14 15:02:03 lemon pptpd[900]: GRE: read(fd=4,buffer=804d7e0,len=8196)
> from PTY failed: status = -1 error = Input/output error
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: PTY read or GRE write failed
> (pty,gre)=(4,5)
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Client 192.168.0.40 control
> connection finished
> Sep 14 15:02:03 lemon pptpd[900]: CTRL: Exiting now
> Sep 14 15:02:03 lemon pptpd[897]: MGR: Reaped child 900
>
>
> Any help is appreciated.
>
> Alan
>

--
Nate Carlson | Phone : (952)943-8700
http://www.real-time.com | Fax : (952)943-8500

From natecars at real-time.com Thu Sep 14 09:43:59 2000
From: natecars at real-time.com (Nate Carlson)
Date: Thu, 14 Sep 2000 09:43:59 -0500 (CDT)
Subject: [pptp-server] windows 2000
In-Reply-To: <4.2.0.58.J.20000914174100.00ac7290@pear.silveregg.co.jp>
Message-ID:

On Thu, 14 Sep 2000, Alan Chung wrote:

> I have installed pptp server and compiled kernel modules as installation
> guides. It seems working with NT and 98 clients but I got 743 error which
> indicated my pptpd server doesn't support mppe-128 (but I have
> ppp-2.3.10-openssl-norc4-mppe.patch installed already) when I tried to
> connect to server from windows 2000 client.

> # Secrets for authentication using CHAP
> # client server secret IP addresses
> mydomain\\user passowrd *

I assume you mean

mydomain\\user * password *

..the line you gave shouldn't work.

Have you patched Win2000 to support 128-bit? Can you send your syslog dump from the Linux box?

--
Nate Carlson | Phone : (952)943-8700
http://www.real-time.com | Fax : (952)943-8500

From natecars at real-time.com Thu Sep 14 09:45:04 2000
From: natecars at real-time.com (Nate Carlson)
Date: Thu, 14 Sep 2000 09:45:04 -0500 (CDT)
Subject: [pptp-server] setting up the linux server without a known ip-address.
In-Reply-To: <000e01c01e3d$98a2ac50$019b11ac@IDANTDOM>
Message-ID:

On Thu, 14 Sep 2000, Morten Troen wrote:

> I've set up a pptp-server and it's running. When I implement the a server it's the ip-addresses of the
> clients are not known, so my question is : Can I set up the server without knowing the client ip-addresses
> and how ???

Yes. There is no place in the PPTP configuration that you will have to enter the IP addresses the clients come from. In the PPTP configuration, you enter the addresses they will be using to communicate with your network once the link is up.
--
Nate Carlson | Phone : (952)943-8700
http://www.real-time.com | Fax : (952)943-8500

From philz at tisd.net Thu Sep 14 11:44:15 2000
From: philz at tisd.net (Phil Z.)
Date: Thu, 14 Sep 2000 11:44:15 -0500
Subject: [pptp-server] Control Message 9
Message-ID: <39C1005F.4A88C656@tisd.net>

Several months ago I looked into replacing the lone NT server on my network with a linux poptop server. The NT server (using pptp) currently is the only way that I can get digital calls from my CM4000 racks to terminate onto my network. From reading the list I saw that poptop did not support a piece of the messaging protocol that the CM4000 needed ( Control Message 9 ). Has this changed? TIA

Best Regards
Phil Z.

From todd at reardensteel.com Thu Sep 14 11:30:13 2000
From: todd at reardensteel.com (Todd Krein)
Date: Thu, 14 Sep 2000 09:30:13 -0700
Subject: [pptp-server] Can't see networks through PPTPD
Message-ID:

I've got PoPToP running on my linux box on my home network, behind a firewall. I've got VPN running on my Win2K machine. I can connect fine, and the log shows me connected, but I can't see the network behind the VPN. That is to say, from the Win2K box, I can't ping anything on the home network.

I can ping the local address on the Win2K box.
I can ping the remote IP address for the win2K box on the Linux PPTPD machine.
I can unreliably ping the IP address of the Linux PPTPD machine (about 50%).
I cannot ping anything else on the home network.

I've got proxyarp in the options file, and the ARP command does show an entry for the VPN'd client, but it can't see the network.

Any ideas?

Thanks,
Todd

==============================================
Todd Krein Rearden Steel Technologies
Sr. Architect 151 University Ave
todd at reardensteel.com Palo Alto, CA 94301
650 838 5572
650 838 5598 (fax)
From amacc at iron-bridge.net Thu Sep 14 13:03:25 2000
From: amacc at iron-bridge.net (Andrew McRory)
Date: Thu, 14 Sep 2000 14:03:25 -0400 (EDT)
Subject: [pptp-server] Control Message 9
In-Reply-To: <39C1005F.4A88C656@tisd.net>
Message-ID:

On Thu, 14 Sep 2000, Phil Z. wrote:

> Several months ago I looked into replacing the lone NT server on my
> network with a linux poptop server. The NT server (using pptp) currently
> is the only way that I can get digital calls from my CM4000 racks to
> terminate onto my network. From reading the list I saw that poptop did
> not support a piece of the messaging protocol that the CM4000 needed (
> Control Message 9 ). Has this changed? TIA

Not that I'm aware of. We stopped waiting and bought an Ascend MAX ... :-)

Andrew McRory - President/CTO amacc at iron-bridge.net
The PC Doctor, Inc. www.pcdr.com 850-575-7213
Iron Bridge Communications, Inc. www.iron-bridge.net 850-575-0779
Contributed Red Hat and Caldera RPMS ftp.iron-bridge.net/pub/Caldera

From aludwig at imagestor.com Thu Sep 14 13:57:12 2000
From: aludwig at imagestor.com (Al Ludwig)
Date: Thu, 14 Sep 2000 14:57:12 -0400
Subject: [pptp-server] setting up the linux server without a known ip-address.
In-Reply-To: <6F6EA5048A46D41184AF0006295717340E17@DLUKEX01>
Message-ID:

Andrew,

Could you show me an example of how to add DNS, WINS, etc. into my options file? I didn't find any examples that used that on the web

Thanks,
AL

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Andrew Wood
Sent: Thursday, September 14, 2000 9:14 AM
To: 'Morten Troen'
Cc: PPTP Mailing List (E-mail)
Subject: RE: [pptp-server] setting up the linux server without a known ip-address.
Morten

The clients get assigned an IP address when they connect to the server. They get assigned an IP address from the remoteip range set up in your /etc/pptpd.conf file, along with any wins servers, dns server, etc you have set up in your /etc/ppp/options file.

Andrew Wood

From vlast at eetc.com Fri Sep 15 09:03:36 2000
From: vlast at eetc.com (Vlad Strezhnev)
Date: Fri, 15 Sep 2000 09:03:36 -0500
Subject: [pptp-server] LCP: timeout sending Config-Request
Message-ID: <39C1E5E8.9248.49513DF@localhost>

We have a problem connecting to PopToP server through a firewall. (Direct connection works OK) It appears that our firewall lets packets through but then the connection fails with timeout. Following is a log of a sample session. Highlighted is the relevant line. Could anybody give a hint on where we should look first for misconfiguration?
#Start of the log ###############
Sep 14 19:00:42 [hosthame] pptpd[2586]: CTRL: Client [ip address] control connection started
Sep 14 19:00:42 [hosthame] pptpd[2586]: CTRL: Starting call (launching pppd, opening GRE)
Sep 14 19:00:42 [hosthame] kernel: CSLIP: code copyright 1989 Regents of the University of California
Sep 14 19:00:42 [hosthame] kernel: PPP: version 2.3.11 (demand dialling)
Sep 14 19:00:42 [hosthame] kernel: PPP line discipline registered.
Sep 14 19:00:42 [hosthame] kernel: registered device ppp0
Sep 14 19:00:42 [hosthame] pppd[2587]: pppd 2.3.11 started by root, uid 0
Sep 14 19:00:42 [hosthame] pppd[2587]: Using interface ppp0
Sep 14 19:00:42 [hosthame] pppd[2587]: Connect: ppp0 <--> /dev/pts/1
Sep 14 19:00:42 [hosthame] pptpd[2586]: GRE: Discarding duplicate packet
Sep 14 19:01:12 [hosthame] last message repeated 27 times
##################################################################
Sep 14 19:01:12 [hosthame] pppd[2587]: LCP: timeout sending Config-Requests
##################################################################
Sep 14 19:01:12 [hosthame] pppd[2587]: Connection terminated.
Sep 14 19:01:12 [hosthame] pppd[2587]: Exit.
Sep 14 19:01:12 [hosthame] pptpd[2586]: GRE: read(fd=4,buffer=12010667c,len=8196) \
    from PTY failed: status = -1 error = Input/output error
Sep 14 19:01:12 [hosthame] pptpd[2586]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 14 19:01:12 [hosthame] pptpd[2586]: CTRL: Client [ip address] control connection finished

From bdenheyer at next-comm.com Fri Sep 15 18:22:54 2000
From: bdenheyer at next-comm.com (Brian Denheyer)
Date: Fri, 15 Sep 2000 16:22:54 -0700 (PDT)
Subject: [pptp-server] LCP terminated by peer
Message-ID: <14786.44878.260989.513336@xavier.nextcomminc.com>

We're having some trouble with PPP giving up the ghost in a middle of a connection. I've looked through the ppp code and it seems like, if it says LCP terminated by peer, it really is terminated by peer.
Anybody know of any other causes which might fool PPP into dying like this ?

It also seems that since PPP is quitting "gracefully" that maybe pptp's reaction should be a little nicer. Right now it looks like it is an unexpected condition.

Here's the relevant details from syslog :

Sep 15 15:48:51 pppd[18273]: LCP terminated by peer
Sep 15 15:48:51 pptpd[18272]: CTRL: Error with select(), quitting
Sep 15 15:48:51 pptpd[18272]: CTRL: Client 163.31.43.82 control connection finished

Thanks

Brian

From JKreger at cicteam.com Sat Sep 16 08:19:26 2000
From: JKreger at cicteam.com (Justin Kreger)
Date: Sat, 16 Sep 2000 09:19:26 -0400
Subject: [pptp-server] authenication off of a domain
Message-ID: <6B8A85826C35D31193BD0090278589C80FE607@CIC-EXCHANGE>

Has anybody put together a patch that will allow pppd to authenticate off a WinNT domain while using the MSCHAP/MSCHAPv2 Protocols?

From richter at ecos.de Sun Sep 17 07:01:41 2000
From: richter at ecos.de (Gerald Richter)
Date: Sun, 17 Sep 2000 14:01:41 +0200
Subject: [pptp-server] Re: 128 bit encryption
Message-ID: <001901c0209f$0b349c20$0a0c0b0a@gr.ecos.de>

>Try this instead:
>
>http://www.microsoft.com/windows/ie/download/128bit/intro.htm
>

This is an 128 Bit upgrade for Internet Explorer. Does it also upgrade the PPTP Protocol?

Gerald

-------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting
Post: Tulpenstrasse 5 D-55276 Dienheim b.
Mainz
E-Mail: richter at ecos.de Voice: +49 6133 925151
WWW: http://www.ecos.de Fax: +49 6133 925152
-------------------------------------------------------------

From alan at silveregg.co.jp Sun Sep 17 20:13:22 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Mon, 18 Sep 2000 10:13:22 +0900
Subject: [pptp-server] windows 2000
In-Reply-To:
References: <4.2.0.58.J.20000914174100.00ac7290@pear.silveregg.co.jp>
Message-ID: <4.2.0.58.J.20000918095849.00abbd30@pear.silveregg.co.jp>

Thank you for your message.

I have patched ppp-2.3.10-openssl-norc4-mppe.patch for my ppp-2.3.10.tar.gz. But as you said, you meant I have to patch for the win2000 client too? I have found a file named "encpack_win2000admin_en" in Microsoft web site but I wonder why I have to patch to win2000 client since it is supposed to support 128 bit by default, as I know.

Alan

At ?? 09:43 00/09/14 -0500, you wrote:
>On Thu, 14 Sep 2000, Alan Chung wrote:
> > I have installed pptp server and compiled kernel modules as installation
> > guides. It seems working with NT and 98 clients but I got 743 error which
> > identicated my pptpd server doesn't suppot mppe-128 (but I have
> > ppp-2.3.10-openssl-norc4-mppe.patch installed already) when I tried to
> > connect to server from windows 2000 client.
> >
>
> > # Secrets for authentication using CHAP
> > # client server secret IP addresses
> > mydomain\\user passowrd *
>
>I assume you mean
>
>mydomain\\user * password *
>
>..the line you gave shouldn't work.
>
>Have you patched Win2000 to support 128-bit? Can you send your syslog dump
>from the Linux box?

From kurt at jigsaw.com.au Mon Sep 18 00:27:56 2000
From: kurt at jigsaw.com.au (Kurt Bales.)
Date: Mon, 18 Sep 2000 15:27:56 +1000
Subject: [pptp-server] Problems with PoPToP and the LAN
Message-ID: <503EFA452F16D41192B300508B8B02DA06C2E4@ELVIS>

I have setup the PPTP server for a client of mine, and followed the details in the HOWTO/FAQ. After the install the VPN will authenticate 100% of the time, but does not always allow pinging or connections to hosts. I have setup MASQ between the remote and internal IP's as well.

Sometimes when I connect I have full and complete access to the intranet, but the next time I connect it will authenticate but I will be unable to ping any hosts on the internal network.

Reading through the logs there is no difference between logins for normal or broken attempts, and there appears to be no consistency between allowing me to ping and not. When it works - it works perfectly. When it doesn't - well....hey!

If you have any ideas please reply

Thank you,
Kurt Bales
Jigsaw Technology

BTW:- I am using SuSE 6.4, PoPToP 1.0.0, and PPP 2.3.8. Also, is there a Kernel module required to MASQ pptp?

From harald at iki.fi Mon Sep 18 06:58:44 2000
From: harald at iki.fi (Harald Hannelius)
Date: Mon, 18 Sep 2000 14:58:44 +0300 (EEST)
Subject: [pptp-server] 2.4.0 kernels and /dev/pts problem?
Message-ID:

Hi there, what could cause this then:

Sep 18 13:41:22 gw pppd[13661]: Using interface ppp0
Sep 18 13:41:22 gw pppd[13661]: Connect: ppp0 <--> /dev/pts/6
Sep 18 13:41:22 gw pppd[13661]: sent [LCP ConfReq id=0x1 ]
Sep 18 13:41:49 gw last message repeated 9 times
Sep 18 13:41:52 gw pptpd[13660]: GRE: read(fd=4,buffer=804d780,len=8196) from PTY failed: status = -1 error = Input/output error
Sep 18 13:41:52 gw pptpd[13660]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 18 13:41:52 gw pptpd[13660]: CTRL: Client 195.94.103.103 control connection finished
Sep 18 13:41:52 gw pppd[13661]: LCP: timeout sending Config-Requests
Sep 18 13:41:52 gw pppd[13661]: Connection terminated.
Sep 18 13:41:52 gw pppd[13661]: Exit.

Harald H Hannelius | Harald at iki.fi | GSM +358405470870

From harald at iki.fi Mon Sep 18 07:08:22 2000
From: harald at iki.fi (Harald Hannelius)
Date: Mon, 18 Sep 2000 15:08:22 +0300 (EEST)
Subject: [pptp-server] pptpctrl segfaulting
Message-ID:

Hi there again :)

I'm running slackware-7.1 with kernel 2.4.0-test5, the pptpctrl program compiled fine, but when running it segfaults on me:

(strace output)
000) = 0x40100000
old_mmap(0x40104000, 13724, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40104000
close(3) = 0
mprotect(0x4001e000, 925696, PROT_READ|PROT_WRITE) = 0
mprotect(0x4001e000, 925696, PROT_READ|PROT_EXEC) = 0
munmap(0x40014000, 22491) = 0
personality(PER_LINUX) = 0
getpid() = 27994
rt_sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 8) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

Harald H Hannelius | Harald at iki.fi | GSM +358405470870

From ppauleau at cartesis.com Mon Sep 18 06:52:13 2000
From: ppauleau at cartesis.com (Philippe PAULEAU)
Date: Mon, 18 Sep 2000 13:52:13 +0200
Subject: [pptp-server] LAN to LAN routing using wonderfull PopTop
Message-ID:

i would like to do this, like we do it with Micro$oft Routing & RAS.

More than a classical connection from client to server, this means that we have to establish a route for the reverse way. ( for destination LAN to connect source LAN ) Note that client and server are two routers in this case.

The routing from source LAN to destination LAN is ok. ( because the client is connected ) The problem is for the reverse access. As the ip given by the server is not static ( pool ), the server can give different addresses to the client. So we cannot define a static route from server to client.

The basic idea would be to assign a specific ip ( always the same & different from pool ) for each chap entry ( perhaps add a parameter in chap-secrets and tweak pppd for this ) because we cannot use the ip pool defined in pptpd.conf

Or perhaps to use ip-up script to change the route with the new assigned ip. ( as it changes ) In this case, how to know if the connection is made by the right login ?

if someone has experienced this kind of situation...please let me know your feelings. thanks

one other question: is it better to use an ip pool on local subnet or define a separate subnet for ip pool ? and why ?

config is PopTOP 1.1.1 - pppd 2.3.11 mppe patched on kernel 2.2.17

> Regards,
> Philippe PAULEAU
> Systems and network engineer
> CARTESIS
> Tel: 01.53.93.47.50
>
________________________________________________________________________
CARTESIS disclaimer - http://www.cartesis.com
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From Lillian.Kulhanek at energy.on.ca Mon Sep 18 18:15:06 2000
From: Lillian.Kulhanek at energy.on.ca (Lillian Kulhanek)
Date: Mon, 18 Sep 2000 19:15:06 -0400
Subject: [pptp-server] pptp without ppp
Message-ID: <000f01c021c6$4a2edbc0$2c02a8c0@Lillian.energy.on.ca>

Hi all,

Does pptp require ppp to function?

Most implementations I've been reading of pptp assume a modem or ISDN line for ppp. Can I use another ethernet card instead? See, we'll be going fibre soon, so our connection will be another lan card on the gateway to the isp's box in the basement with the fibre connection.

Most of the documentation I've read about assumes the pptp server to be on the same machine as the machine that connects to the internet. If it's behind this machine, is ppp still necessary, ie. does pptp require it?

(Another reason I want to do this is because, until we upgrade to fibre, I have to test using the modem connection, but diald-0.99-1-2 doesn't work for kernels 2.2.16 and 2.2.16-3 (for me anyway). For both machines I have errors such as tcp.ssl errors and cannot find module tap 0, tap 1, etc. off topic, but anyone got a clue?)

Is there any documentation anywhere for this type of scenario? If there is, please point me towards it.

Thanks in advance.

Lillian

PS, if there isn't documentation, I'll take whatever I can get, put together what I can, and contribute for a change. :)

From awilliam at whitemice.org Mon Sep 18 18:49:17 2000
From: awilliam at whitemice.org (Adam Williams)
Date: Mon, 18 Sep 2000 23:49:17 GMT
Subject: [pptp-server] pptp without ppp
Message-ID: <20000918.23491700@estate1.whitemice.org>

> Does pptp require ppp to function?

Absolutely, yes.

> Most implementations I've been reading of pptp assume a modem or ISDN line
> for ppp. Can I use another ethernet card instead? See, we'll be going

Yes, in fact I think "most" times PPTP is used it isn't on the inet connected host.

> fibre soon, so our connection will be another lan card on the gateway to the
> isp's box in the basement with the fibre connection.

MMMmmm, sounds like fun.

> Most of the documentation I've read about assumes the pptp server to be on
> the same machine as the machine that connects to the internet. If it's
> behind this machine, is ppp still necessary, ie. does pptp require it?

Yes, you're missing the "true" functionality of PPP, it is Point-To-Point. A VPN is Point-To-Point, pppd really has nothing to do with modems or dialing (it lets "chat" handle that). PPP is used for DSL lines, Cisco routers, other type of VPNs, etc....

> (Another reason I want to do this is because, until we upgrade to fibre, I
> have to test using the modem connection, but diald-0.99-1-2 doesn't work for
> kernels 2.2.16 and 2.2.16-3 (for me anyway). For both machines I have
> errors such as tcp.ssl errors and cannot find module tap 0, tap 1, etc. off
> topic, but anyone got a clue?)

Do you need diald for your VPN connection? Last I checked diald was aging and no longer maintained. PPPd itself now has demand dial capability.

> Is there any documentation anywhere for this type of scenario? If there is,
> please point me towards it.

PPTP assumes you already have an IP connection to the remote VPN "server". All the documentation is about the setup you describe.

From richard at blauvelt.com Mon Sep 18 18:59:21 2000
From: richard at blauvelt.com (Richard E Blauvelt)
Date: Mon, 18 Sep 2000 16:59:21 -0700
Subject: [pptp-server] pptp without ppp
In-Reply-To: <000f01c021c6$4a2edbc0$2c02a8c0@Lillian.energy.on.ca>
Message-ID: <4.3.2.7.2.20000918165202.0677bc80@blauvelt.com>

I am no expert, but I think I can answer some of your questions from experience.

Yes, pptp requires ppp. Although this seems to imply a dial-up type of connection, pptp works well over IP (although I've never been able to get encryption to work reliably because of a pptp encryption bug with handling out-of-order packets, but that's a different story).

For example, I set up a pptp server on a Linux server which is connected to the Internet through a cheap cable/DSL router which is connected to a DSL modem. On the DSL router, I forwarded port 1723 to the Linux server. The Linux server uses a private network address, while the router uses the public IP address assigned by the DSL provider.

To connect via pptp from a remote MS Windows machine, I first connect to the Internet (dial-in, cable, DSL, or whatever), and then I use the MS VPN adapter (part of MS Dial-Up Networking) to connect to the IP address of the DSL router (which forwards it to the pptp server on the Linux server). Works great, except for the aforementioned problems with encryption.

The DSL router is not really necessary, since you can have Linux handle all the firewall functions.

Good luck!

Richard

At 04:15 PM 9/18/00, Lillian Kulhanek wrote:
>Hi all,
>
>Does pptp require ppp to function?
>
>Most implementations I've been reading of pptp assume a modem or ISDN line
>for ppp. Can I use another ethernet card instead? See, we'll be going
>fibre soon, so our connection will be another lan card on the gateway to the
>isp's box in the basement with the fibre connection.
>
>Most of the documentation I've read about assumes the pptp server to be on
>the same machine as the machine that connects to the internet. If it's
>behind this machine, is ppp still necessary, ie. does pptp require it?
>
>(Another reason I want to do this is because, until we upgrade to fibre, I
>have to test using the modem connection, but diald-0.99-1-2 doesn't work for
>kernels 2.2.16 and 2.2.16-3 (for me anyway). For both machines I have
>errors such as tcp.ssl errors and cannot find module tap 0, tap 1, etc. off
>topic, but anyone got a clue?)
>
>Is there any documentation anywhere for this type of scenario? If there is,
>please point me towards it.
>
>Thanks in advance.
>
>Lillian
>
>PS, if there isn't documentation, I'll take whatever I can get, put together
>what I can, and contribute for a change. :)
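
The point made in the replies above (PPTP always carries PPP, over whatever IP link is available), as an added example that is not code from PoPToP or from any poster: a parser that classifies raw IPv4 packets as PPTP control (TCP port 1723) or PPTP data (IP protocol 47, the enhanced GRE of RFC 2637) and reads the PPP protocol number out of the GRE payload. All function names are hypothetical, and the sample packets and addresses are constructed.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47   # IP protocol numbers (47 here is not a port)
PPTP_TCP_PORT = 1723               # PPTP control connection
GRE_PROTO_PPP = 0x880B             # protocol type in PPTP's enhanced GRE header
PPTP_MAGIC = 0x1A2B3C4D            # magic cookie carried by every control message
CTRL_TYPES = {1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
              7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply"}
PPP_PROTOCOLS = {0xC021: "LCP", 0xC223: "CHAP", 0x8021: "IPCP", 0x80FD: "CCP", 0x0021: "IPv4"}


def ppp_protocol(frame):
    """Return the PPP protocol number of a frame carried inside PPTP GRE."""
    if frame[:2] == b"\xff\x03":       # address/control bytes, unless compressed away
        frame = frame[2:]
    if not frame:
        return None
    if frame[0] & 1:                   # protocol-field compression: a single odd byte
        return frame[0]
    if len(frame) < 2:
        raise ValueError("truncated PPP protocol field")
    return struct.unpack("!H", frame[:2])[0]


def parse_pptp_gre(seg):
    """Parse the enhanced GRE header used for PPTP data (everything after the IP header)."""
    if len(seg) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, ptype, plen, call_id = struct.unpack("!BBHHH", seg[:8])
    if (ver & 0x07) != 1 or ptype != GRE_PROTO_PPP or not (flags & 0x20):
        raise ValueError("GRE, but not PPTP (needs version 1, key bit, type 0x880B)")
    has_seq, has_ack = bool(flags & 0x10), bool(ver & 0x80)
    if len(seg) < 8 + 4 * has_seq + 4 * has_ack + plen:
        raise ValueError("GRE packet shorter than its header claims")
    off, seq, ack = 8, None, None
    if has_seq:                        # S bit: sequence number, set when a payload is present
        seq, off = struct.unpack("!I", seg[off:off + 4])[0], off + 4
    if has_ack:                        # A bit: acknowledgment number
        ack, off = struct.unpack("!I", seg[off:off + 4])[0], off + 4
    proto = ppp_protocol(seg[off:off + plen]) if plen else None
    return {"flow": "pptp-data", "call_id": call_id, "seq": seq, "ack": ack,
            "ppp": PPP_PROTOCOLS.get(proto, proto)}


def parse_pptp_control(seg):
    """Parse a TCP segment on port 1723 and name the control message, if one is present."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    data = seg[(seg[12] >> 4) * 4:]    # skip the TCP header using its data offset
    message = None
    if len(data) >= 12:
        _length, mtype, magic, ctype = struct.unpack("!HHIH", data[:10])
        if mtype == 1 and magic == PPTP_MAGIC:
            message = CTRL_TYPES.get(ctype, ctype)
    return {"flow": "pptp-control", "message": message}


def classify(pkt):
    """Classify one raw IPv4 packet as PPTP control, PPTP data, or other traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == IPPROTO_GRE:
        return parse_pptp_gre(body)
    if proto == IPPROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_TCP_PORT in (sport, dport):
            return parse_pptp_control(body)
        return {"flow": "other", "detail": "tcp port %d" % dport}
    return {"flow": "other", "detail": "ip protocol %d" % proto}


def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    """Build a minimal IPv4 packet (checksum left at 0; classify() does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def tcp(sport, dport, data=b""):
    """Build a minimal 20-byte TCP header followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + data


# Constructed samples (documentation addresses, no captured traffic).
SCCRQ = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC, 1, 0) + bytes(144)
CONTROL_PKT = ipv4(IPPROTO_TCP, tcp(1042, PPTP_TCP_PORT, SCCRQ))
LCP_CONFREQ = b"\xff\x03\xc0\x21\x01\x01\x00\x04"
DATA_PKT = ipv4(IPPROTO_GRE, struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP,
                                         len(LCP_CONFREQ), 7, 0) + LCP_CONFREQ)
PORT47_PKT = ipv4(IPPROTO_TCP, tcp(1043, 47))   # TCP port 47 is not GRE

if __name__ == "__main__":
    for name in ("CONTROL_PKT", "DATA_PKT", "PORT47_PKT"):
        print(name, classify(globals()[name]))
```

A firewall or forwarding rule that passes only the first kind of packet lets the control connection come up while no PPP frame, LCP included, ever reaches pppd.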

From alan at silveregg.co.jp Tue Sep 19 00:59:57 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Tue, 19 Sep 2000 14:59:57 +0900
Subject: [pptp-server] 2000 client
Message-ID: <4.2.0.58.J.20000919145153.00ac6760@pear.silveregg.co.jp>

I have patched ppp-2.3.10-openssl-norc4-mppe.patch for my ppp-2.3.10.tar.gz. Do I still need to patch for windows 2000 client too? I have found a file named "encpack_win2000admin_en" in Microsoft web site but I thought 128 bit support is default for win2000? But even after I patched it, I still got the 742 error saying that authentication is not supported.

Does anyone have the same experience?

Alan

*************************************
TEL : 03-3560-1831
FAX : 03-3560-1832
Email: alan at silveregg.co.jp
Homepage: http://www.silveregg.co.jp
*************************************

From p.veenema at minocw.nl Tue Sep 19 01:47:13 2000
From: p.veenema at minocw.nl (P. Veenema)
Date: Tue, 19 Sep 2000 08:47:13 +0200
Subject: [pptp-server] a UNIX PPTP client ?
Message-ID:

Hello All,

I live in the netherlands and i have recently subscribed myself to ADSL (Mxstream from KPN) i have an account with four dialin accounts and thus four internet IP addresses, The ADSL connection uses PPTP for security. I am running a NT server for internet connection sharing on one account.

What i want to do is the following; Run a Web, WAP and mailserver for my two domainnames on the other account with my HP9000 E25 which is currently running HP-UX.

My question is, of course, ; "How and with what software and/or patch can i upgrade HP-UX so that i can connect to my internet provider via PPTP?!?

(I am starting to believe that it is not done! no one knows about PPTP on HPUX, i was considering using a Linux gateway for the hp9000, but it's too hard to believe that no one 's ever had the idea to use PPTP on HP-UX!)

Thanks folks!

Paul

From harald at iki.fi Tue Sep 19 03:37:00 2000
From: harald at iki.fi (Harald Hannelius)
Date: Tue, 19 Sep 2000 11:37:00 +0300 (EEST)
Subject: [pptp-server] pptpctrl segfaults
Message-ID:

Hi there,

I have a problem with pptpctrl, it compiles ok, but always segfaults on me:

# gdb pptpctrl
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) run
Starting program: /usr/local/src/pptpd-1.1.1/pptpctrl

Program received signal SIGSEGV, Segmentation fault.
__strtol_internal (nptr=0x0, endptr=0x0, base=10, group=0) at strtol.c:287
287 strtol.c: No such file or directory.
(gdb) bt
#0 __strtol_internal (nptr=0x0, endptr=0x0, base=10, group=0) at strtol.c:287
#1 0x8048c6c in main ()
#2 0x40036aa7 in __libc_start_main (main=0x8048bf8 <main>, argc=1, argv=0xbffff9a4, init=0x8048888 <_init>, fini=0x804b244 <_fini>, rtld_fini=0x4000acb0 <_dl_fini>, stack_end=0xbffff99c) at ../sysdeps/generic/libc-start.c:92
(gdb) The program is running. Exit anyway? (y or n) y

Any clues? I'm not a programmer (IANAP)... Looks like libc to me though...

Harald H Hannelius | Harald at iki.fi | GSM +358405470870

From david_luyer at pacific.net.au Tue Sep 19 03:48:10 2000
From: david_luyer at pacific.net.au (David Luyer)
Date: Tue, 19 Sep 2000 19:48:10 +1100
Subject: [pptp-server] pptpctrl segfaults
In-Reply-To: Message from Harald Hannelius of "Tue, 19 Sep 2000 11:37:00 EDT."
References:
Message-ID: <200009190848.e8J8mAF30781@typhaon.pacific.net.au>

> I have a problem with pptpctrl, it compiles ok, but always segfaults on
> me:
> Starting program: /usr/local/src/pptpd-1.1.1/pptpctrl
> Any clues? I'm not a programmer (IANAP)...

If you're not a programmer you should be running the stable version (1.0.0). There is a single bug-fix patch available for that version but that's all.

David.
--
----------------------------------------------
David Luyer
Senior Network Engineer
Pacific Internet (Aust) Pty Ltd
Phone: +61 3 9674 7525
Fax: +61 3 9699 8693
Mobile: +61 4 1064 2258, +61 4 1114 2258
http://www.pacific.net.au NASDAQ: PCNTF
<< fast 'n easy >>
----------------------------------------------

From harald at iki.fi Tue Sep 19 03:57:39 2000
From: harald at iki.fi (Harald Hannelius)
Date: Tue, 19 Sep 2000 11:57:39 +0300 (EEST)
Subject: [pptp-server] pptpctrl segfaults
In-Reply-To: <200009190848.e8J8mAF30781@typhaon.pacific.net.au>
Message-ID:

On Tue, 19 Sep 2000, David Luyer wrote:

> If you're not a programmer you should be running the stable version (1.0.0).
> There is a single bug-fix patch available for that version but that's all.

Tried that also, no avail:

# gdb pptpctrl
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) run
Starting program: /usr/local/sbin/pptpctrl

Program received signal SIGSEGV, Segmentation fault.
__strtol_internal (nptr=0x0, endptr=0x0, base=10, group=0) at strtol.c:287
287 strtol.c: No such file or directory.
(gdb) bt
#0 __strtol_internal (nptr=0x0, endptr=0x0, base=10, group=0) at strtol.c:287
#1 0x8048bc1 in main ()
#2 0x40036aa7 in __libc_start_main (main=0x8048b50 <main>, argc=1, argv=0xbffff9d4, init=0x8048810 <_init>, fini=0x804ad34 <_fini>, rtld_fini=0x4000acb0 <_dl_fini>, stack_end=0xbffff9cc) at ../sysdeps/generic/libc-start.c:92
(gdb)

Harald H Hannelius | Harald at iki.fi | GSM +358405470870

From harald at iki.fi Tue Sep 19 05:44:28 2000
From: harald at iki.fi (Harald Hannelius)
Date: Tue, 19 Sep 2000 13:44:28 +0300 (EEST)
Subject: [pptp-server] pptpctrl segfaults (fwd)
Message-ID:

Forwarding this discussion to the list as well...

Harald H Hannelius | Harald at iki.fi | GSM +358405470870

---------- Forwarded message ----------
Date: Tue, 19 Sep 2000 13:36:07 +0300 (EEST)
From: Harald Hannelius
To: David Luyer
Subject: Re: [pptp-server] pptpctrl segfaults

The file is not stripped. Don't know how to get to the debugging symbols though. Does the configure script enable debugging symbols by default? I tried to look for that, but don't know where to set it.

# file /usr/local/sbin/pptpctrl
/usr/local/sbin/pptpctrl: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped

I put "CC=gcc -g" in the top Makefile and recompiled, with this result in gdb:

# gdb pptpctrl
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) run
Starting program: /usr/local/sbin/pptpctrl

Program received signal SIGSEGV, Segmentation fault.
__strtol_internal (nptr=0x0, endptr=0x0, base=10, group=0) at strtol.c:287
287 strtol.c: No such file or directory.
(gdb) bt
#0 __strtol_internal (nptr=0x0, endptr=0x0, base=10, group=0) at strtol.c:287
#1 0x8048bc1 in main (argc=1, argv=0xbffff9d4) at /usr/include/stdlib.h:251
#2 0x40036aa7 in __libc_start_main (main=0x8048b50 <main>, argc=1, argv=0xbffff9d4, init=0x8048810 <_init>, fini=0x804ad34 <_fini>, rtld_fini=0x4000acb0 <_dl_fini>, stack_end=0xbffff9cc) at ../sysdeps/generic/libc-start.c:92

Looks the same to me...

I'm running slackware-7.1, upgraded with the libc-2.1.3 patch.

I have tried compiling pptpctrl on 2.0.36, libc-2.0.7 with the same result, segfaults.

The software compiled on slackware-7.1 (current) with libc-2.1.2 and compiled with -g: Still segfaults

The binary version downloaded as rpm from the also segfaults...

On Tue, 19 Sep 2000, David Luyer wrote:

> >
> > On Tue, 19 Sep 2000, David Luyer wrote:
> >
> > > If you're not a programmer you should be running the stable version (1.0.0).
> > > There is a single bug-fix patch available for that version but that's all.
>
> > (gdb) bt
> > #0 __strtol_internal (nptr=0x0, endptr=0x0, base=10, group=0) at
> > strtol.c:287
> > #1 0x8048bc1 in main ()
> > #2 0x40036aa7 in __libc_start_main (main=0x8048b50 <main>, argc=1,
> > argv=0xbffff9d4, init=0x8048810 <_init>,
> > fini=0x804ad34 <_fini>, rtld_fini=0x4000acb0 <_dl_fini>,
> > stack_end=0xbffff9cc)
> > at ../sysdeps/generic/libc-start.c:92
>
> If you make sure you're using -g (debug) and no -s (strip) during compiling and
> linking, do you get any more detail in the backtrace?
>
> That backtrace there is pretty hard to get anything out of at present.
>
> David.
> --
> ----------------------------------------------
> David Luyer
> Senior Network Engineer
> Pacific Internet (Aust) Pty Ltd
> Phone: +61 3 9674 7525
> Fax: +61 3 9699 8693
> Mobile: +61 4 1064 2258, +61 4 1114 2258
> http://www.pacific.net.au NASDAQ: PCNTF
> << fast 'n easy >>
> ----------------------------------------------
>
>

Harald H Hannelius | Harald at iki.fi | GSM +358405470870

From patrickl at cst.ca Tue Sep 19 09:03:49 2000
From: patrickl at cst.ca (Patrick LIN)
Date: Tue, 19 Sep 2000 10:03:49 -0400
Subject: [pptp-server] Routing problem on all Windows.........
Message-ID: <39C77245.20B5E27A@cst.ca>

hi ,

i am using PPTP as VPN server for a long time and always need to work with a problem :

when a Client (windows ) connect to the VPN server (linux)

in the client route table i have 2 default route (yes strange , but windows can do that :)) )

like :

0.0.0.0 0.0.0.0 Internet_gateway
0.0.0.0 0.0.0.0 VPN_gateway

is it mine or every one have this ?

so the problem is :

when the client is connected to the vpn and want to access the Internet (WEb or other)

generally (depend on which line is first) the packet go to the VPN gateway and of course in my case all is block by the firewall

same things for DNS request

any comments or tips.?
any help will be appreciated

patrick

From ppauleau at cartesis.com Tue Sep 19 09:47:02 2000
From: ppauleau at cartesis.com (Philippe PAULEAU)
Date: Tue, 19 Sep 2000 16:47:02 +0200
Subject: [pptp-server] Routing problem on all Windows.........
Message-ID:

in your windows dialup entry, go to tcpip settings and uncheck Use default gw on remote network

this will not add the default route ( 0.0.0.0 ) so you will continue access the internet + VPN

other question ?

> -----Original Message-----
> From: Patrick LIN [mailto:patrickl at cst.ca]
> Sent: Tuesday, 19 September 2000 16:04
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Routing problem on all Windows.........
>
>
> hi ,
>
> i am using PPTP as VPN server for a long time
> and always need to work with a problem :
>
> when a Client (windows ) connect to the VPN server (linux)
>
> in the client route table i have 2 default route (yes strange , but
> windows can do that :)) )
>
> like :
>
> 0.0.0.0 0.0.0.0 Internet_gateway
> 0.0.0.0 0.0.0.0 VPN_gateway
>
>
> is it mine or every one have this ?
>
> so the problem is :
>
> when the client is connected to the vpn and want to access
> the Internet
> (WEb or other)
>
> generally (depend on which line is first) the packet go to the VPN
> gateway and of course
> in my case all is block by the firewall
>
> same things for DNS request
>
> any comments or tips.?
> any help will be appreciated
>
>
> patrick

From glenn.robinson at btinternet.com Tue Sep 19 12:31:10 2000
From: glenn.robinson at btinternet.com (Glenn Robinson)
Date: Tue, 19 Sep 2000 18:31:10 +0100
Subject: [pptp-server] LCP timeout: pptpd server and ipchains firewall
Message-ID: <002301c0225f$66df4680$0300a8c0@flyingfields.co.uk>

Hello,

I'm using RH6.1 with ipchains as my firewall and pptpd on the same machine. I can call the VPN server across the internet but I get the following in my syslog:

LCP: timeout sending Config-Requests

I don't get this if I connect to the pptp server across my internal network. I assume this is something to do with the firewall. I've set my firewall to allow incoming/outgoing on port 1723 and to allow protocol 47. What else do I need to do?

I am testing this from a WinNT client but I will also need access from Win98 clients?

Thanks

Glenn Robinson

From glenn.robinson at btinternet.com Tue Sep 19 12:39:27 2000
From: glenn.robinson at btinternet.com (Glenn Robinson/Quattro Consulting Limited)
Date: Tue, 19 Sep 2000 18:39:27 +0100
Subject: [pptp-server] LCP timeout: pptpd server and ipchains firewall
Message-ID:

Hello,

I'm using RH6.1 with ipchains as my firewall and pptpd on the same machine. I can call the VPN server across the internet but I get the following in my syslog:

LCP: timeout sending Config-Requests

I don't get this if I connect to the pptp server across my internal network. I assume this is something to do with the firewall. I've set my firewall to allow incoming/outgoing on port 1723 and to allow protocol 47. What else do I need to do?

I am testing this from a WinNT client but I will also need access from Win98 clients?

Thanks

Glenn Robinson

From ed at schernau.com Tue Sep 19 12:44:53 2000
From: ed at schernau.com (Edward Schernau)
Date: Tue, 19 Sep 2000 13:44:53 -0400
Subject: [pptp-server] Win2K PPTP _out through_ Linux ipmasq box to NT4 server
Message-ID: <39C7A615.8401DB29@schernau.com>

Can anyone tell me if this is possible, and if so, what kernel mods or firewall rules are needed on the ipmasq box?

Ed

From yvo at boudenoodt.com Tue Sep 19 13:53:55 2000
From: yvo at boudenoodt.com (Yvo Boudenoodt)
Date: Tue, 19 Sep 2000 20:53:55 +0200
Subject: [pptp-server] Routing problem on all Windows.........
Message-ID: <11B0293266FBD31186E300400541CE2F4C51@NTSERVER>

to prevent you from a possible opening through the pptp client you better leave the default gateway checked.
Otherwise it is possible that somebody uses your PC as a gateway to get from the internet through your PC and the tunnel to the protected network

-----Original Message-----
From: Philippe PAULEAU
To: patrickl at cst.ca
Cc: pptp-server at lists.schulte.org
Sent: 9/19/00 4:47 PM
Subject: RE: [pptp-server] Routing problem on all Windows.........

in your windows dialup entry, go to tcpip settings and uncheck Use default gw on remote network

this will not add the default route ( 0.0.0.0 ) so you will continue access the internet + VPN

other question ?

> -----Original Message-----
> From: Patrick LIN [mailto:patrickl at cst.ca]
> Sent: Tuesday, 19 September 2000 16:04
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Routing problem on all Windows.........
>
>
> hi ,
>
> i am using PPTP as VPN server for a long time
> and always need to work with a problem :
>
> when a Client (windows ) connect to the VPN server (linux)
>
> in the client route table i have 2 default route (yes strange , but
> windows can do that :)) )
>
> like :
>
> 0.0.0.0 0.0.0.0 Internet_gateway
> 0.0.0.0 0.0.0.0 VPN_gateway
>
>
> is it mine or every one have this ?
>
> so the problem is :
>
> when the client is connected to the vpn and want to access
> the Internet
> (WEb or other)
>
> generally (depend on which line is first) the packet go to the VPN
> gateway and of course
> in my case all is block by the firewall
>
> same things for DNS request
>
> any comments or tips.?
> any help will be appreciated
>
>
> patrick

From patrickl at cst.ca Tue Sep 19 14:45:22 2000
From: patrickl at cst.ca (Patrick LIN)
Date: Tue, 19 Sep 2000 15:45:22 -0400
Subject: [pptp-server] Routing problem on all Windows.........
References: <11B0293266FBD31186E300400541CE2F4C51@NTSERVER>
Message-ID: <39C7C252.DC2A68CF@cst.ca>

hi,

yes but what can i do to have a good routing table ?

and if i remove default gateway , i have an other prob i cannot access my internal network because VPN client is not on the same IP class

any comments or tips

patrick

Yvo Boudenoodt wrote:
>
>
> to prevent you from a possible opening through the pptp client you better
> leave the default gateway checked.
> Otherwise it is possible that somebody uses your PC as a gateway to get from
> the internet through your PC and the tunnel to the protected network
>
> -----Original Message-----
> From: Philippe PAULEAU
> To: patrickl at cst.ca
> Cc: pptp-server at lists.schulte.org
> Sent: 9/19/00 4:47 PM
> Subject: RE: [pptp-server] Routing problem on all Windows.........
>
> in your windows dialup entry, go to tcpip settings and
> uncheck Use default gw on remote network
>
> this will not add the default route ( 0.0.0.0 )
> so you will continue access the internet + VPN
>
> other question ?
>
> > -----Original Message-----
> > From: Patrick LIN [mailto:patrickl at cst.ca]
> > Sent: Tuesday, 19 September 2000 16:04
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] Routing problem on all Windows.........
> >
> >
> > hi ,
> >
> > i am using PPTP as VPN server for a long time
> > and always need to work with a problem :
> >
> > when a Client (windows ) connect to the VPN server (linux)
> >
> > in the client route table i have 2 default route (yes strange , but
> > windows can do that :)) )
> >
> > like :
> >
> > 0.0.0.0 0.0.0.0 Internet_gateway
> > 0.0.0.0 0.0.0.0 VPN_gateway
> >
> >
> > is it mine or every one have this ?
> >
> > so the problem is :
> >
> > when the client is connected to the vpn and want to access
> > the Internet
> > (WEb or other)
> >
> > generally (depend on which line is first) the packet go to the VPN
> > gateway and of course
> > in my case all is block by the firewall
> >
> > same things for DNS request
> >
> > any comments or tips.?
> > any help will be appreciated
> >
> >
> > patrick

From bhandari_mohinder at yahoo.com Tue Sep 19 16:11:58 2000
From: bhandari_mohinder at yahoo.com (Mohinder Bhandari)
Date: Tue, 19 Sep 2000 14:11:58 -0700 (PDT)
Subject: [pptp-server] help for PPTP NAS functionality
Message-ID: <20000919211158.59916.qmail@web9010.mail.yahoo.com>

I want a PPTP NAS server on linux. Where to look for.

From alan at silveregg.co.jp Tue Sep 19 20:06:36 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Wed, 20 Sep 2000 10:06:36 +0900
Subject: [pptp-server] windows client problem
Message-ID: <4.2.0.58.J.20000920100009.00a5a8e0@pear.silveregg.co.jp>

Hi, everyone,

I have installed pptp server and compiled kernel modules as installation guides. Also I have patched ppp-2.3.10-openssl-norc4-mppe.patch for my ppp-2.3.10.tar.gz. NT and 98 work fine but not for 2000. For supporting 128 bit, I also patched a file named "encpack_win2000admin_en" for my windows 2000 machines. But even after I patched it, I still got the 742 error saying that authentication mppe-128 on client side (win 2000 client) is not supported.

Does anyone have any idea?

Alan

From mikey at blandford.net Tue Sep 19 23:06:52 2000
From: mikey at blandford.net (MIchael Blandford)
Date: Tue, 19 Sep 2000 21:06:52 -0700
Subject: [pptp-server] 2.4.0test8 / Redhat 6.2
Message-ID: <39C837DC.DE3A59A1@blandford.net>

Does anyone have a set of patches for the 2.4.0testX series of kernels and ppp2.3.11 that comes with redhat 6.2?

--
Mikey

From veste at gmx.at Wed Sep 20 01:46:16 2000
From: veste at gmx.at (stefan vetter)
Date: Wed, 20 Sep 2000 08:46:16 +0200
Subject: [pptp-server] autoconnect w2k
Message-ID: <4.3.2.7.0.20000920084149.00ae5ac0@proxy>

hello !!

i've set up a poptop-server, and it works quite fine. now i have the following problem (it's a win-only, but i hope anybody can help me).

i've a win2k-pc with wingate-software installed for (shared) internet-connection. now i want the vpn-connection to be started automatically each time the wingate opens an internet connection.

any ideas how to do this ???

thanks.
stefan.

From ppauleau at cartesis.com Wed Sep 20 02:18:19 2000
From: ppauleau at cartesis.com (Philippe PAULEAU)
Date: Wed, 20 Sep 2000 09:18:19 +0200
Subject: [pptp-server] Win2K PPTP _out through_ Linux ipmasq box to NT 4 server
Message-ID:

look at VPN-MASQ HOWTO

> -----Original Message-----
> From: Edward Schernau [mailto:ed at schernau.com]
> Sent: Tuesday, 19 September 2000 19:45
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Win2K PPTP _out through_ Linux ipmasq box to NT4
> server
>
>
> Can anyone tell me if this is possible, and if so, what kernel mods
> or firewall rules are needed on the ipmasq box?
>
> Ed

From ppauleau at cartesis.com Wed Sep 20 02:25:05 2000
From: ppauleau at cartesis.com (Philippe PAULEAU)
Date: Wed, 20 Sep 2000 09:25:05 +0200
Subject: [pptp-server] autoconnect w2k
Message-ID:

use the routing & ras module to automatically connect to internet and VPN. do not setup wingate to use a dial entry and dial itself. use RRAS instead to dial internet connection.

> -----Original Message-----
> From: stefan vetter [mailto:veste at gmx.at]
> Sent: Wednesday, 20 September 2000 08:46
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] autoconnect w2k
>
>
> hello !!
>
> i've set up a poptop-server, and it works quite fine.
> now i have the following problem (it's a win-only, but i hope
> anybody can help me).
>
> i've a win2k-pc with wingate-software installed for (shared)
> internet-connection.
> now i want the vpn-connection to be started automatically each time
> the wingate opens an internet connection.
>
> any ideas how to do this ???
>
> thanks.
> stefan.

From alan at silveregg.co.jp Wed Sep 20 03:03:12 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Wed, 20 Sep 2000 17:03:12 +0900
Subject: [pptp-server] windows client problem
In-Reply-To:
References: <4.2.0.58.J.20000920100009.00a5a8e0@pear.silveregg.co.jp> <4.2.0.58.J.20000920100009.00a5a8e0@pear.silveregg.co.jp>
Message-ID: <4.2.0.58.J.20000920165202.00af6100@pear.silveregg.co.jp>

Thanks for the message. Do you have any idea how to fix this?

There was actually a little thing that occurred while I recompiled my kernel.

I copied rc4.h and rc4_enc.c into ppp-2.3.10/linux source directory and then make kernel, as the installation guide says. But when I recompile my kernel and make modules, it appeared an error saying that other rc4* files are not found (such as rc4_locl.h and rc4_skey.c). Even I knew rc4_key is not needed (again, as the installation says), I made copies of those two files from SSLeay source directory to linux/driver/net and it didn't complain any more.

Any idea?

Alan

>Well guess that you are missing the RC4 files.. The encryption...
>
> Christian Pedersen / Wallin Computer
> Ahlgade 5 \ 4300 Holbæk / 59441490
> Direct 59451497 / christian at wallin.dk
>
> LinuX / Teamware \ Networking / Firewalls

From ppauleau at cartesis.com Wed Sep 20 03:24:27 2000
From: ppauleau at cartesis.com (Philippe PAULEAU)
Date: Wed, 20 Sep 2000 10:24:27 +0200
Subject: [pptp-server] windows client problem
Message-ID:

i had the same problems when compiling. in fact i removed the #include of the missing files in the rc4 sources.

after, to avoid problems, i used latest patches on ftp://ftp.binarix.com/pub/ppp-mppe/

their ppp-2.3.11 patch already contains all the rc4 needed files. great.

"
ppp-2.3.11-openssl-0.9.5-mppe.patch.gz (30/03/2000)
---------------------------------------------------

This is the ppp-2.3.10 patch adjusted for ppp-2.3.11. The cryto files are from the new OpenSSL-0.9.5. Apply to ppp-2.3.11 source.
"

the only problem i've got was when i made
make kernel

the if-pppvar.h file was not copied in the kernel so i had to do it myself.

> -----Original Message-----
> From: Alan Chung [mailto:alan at silveregg.co.jp]
> Sent: Wednesday, 20 September 2000 10:03
> To: Christian Pedersen - Mailinglist
> Cc: pptp-server at lists.schulte.org
> Subject: Re:[pptp-server] windows client problem
>
>
> Thanks for the message. Do you have any idea how to fix this?
>
> There was actually a little thing that occurred while I
> recompiled my kernel.
>
> I copied rc4.h and rc4_enc.c into ppp-2.3.10/linux source
> directory and
> then make kernel, as the installation guide says. But when I
> recompile my
> kernel and make modules, it appeared an error saying that
> other rc4* files
> are not found (such as rc4_locl.h and rc4_skey.c). Even I
> knew rc4_key is
> not needed (again, as the installation says), I made copies
> of those two
> files from SSLeay source directory to linux/driver/net and it didn't
> complain any more.
>
> Any idea?
>
> Alan

From josh at comdais.com Wed Sep 20 11:08:09 2000
From: josh at comdais.com (Josh Dobbin)
Date: Wed, 20 Sep 2000 09:08:09 -0700
Subject: [pptp-server] Network Neighborhood Recognition and Domain login behind firewall.
Message-ID:

I finally got the PPTP software working on my Linux firewall, I want to be able to connect to the firewall and then be able to login to the NT domain on my w2k server behind the firewall. I've been running around in circles with this. I don't know if I need to interface PPTPD with Samba or something else. I believe if we get this problem solved we would be able to have a very functional piece of software.

thanks in advance.

From kennya at carlislefsp.com Wed Sep 20 11:44:42 2000
From: kennya at carlislefsp.com (Kenny Austin)
Date: Wed, 20 Sep 2000 11:44:42 -0500
Subject: [pptp-server] Network Neighborhood Recognition and Domain login behind firewall.
In-Reply-To:
Message-ID: <000a01c02322$13e9bf00$5f020a0a@carlislefsp.com>

Is your PDC w2k box (or anything else for that matter) running WINS? If not it needs to be, both for this to work smoothly and just because it is a very helpful service. Anyways, get WINS running on the internal network and make sure that the VPN clients know the WINS IP address, either through /etc/ppp/options or set it up client side. Once this is done your VPN clients "should" be able to browse the internal network/find the w2k domain controller pretty easy. Oh, and make sure that everything internal is setup to see the WINS server too, that way they can easily find/be found by the VPN client.

Hope this was at least somewhat helpful, if not I'll at least enjoy seeing my own name in my pptpd email folder.

Kenny Austin
kennya at carlislefsp.com

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Josh Dobbin
Sent: Wednesday, September 20, 2000 11:08 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Network Neighborhood Recognition and Domain login behind firewall.

I finally got the PPTP software working on my Linux firewall, I want to be able to connect to the firewall and then be able to login to the NT domain on my w2k server behind the firewall. I've been running around in circles with this. I don't know if I need to interface PPTPD with Samba or something else. I believe if we get this problem solved we would be able to have a very functional piece of software.

thanks in advance.

From wiredsec at hotmail.com Wed Sep 20 12:16:48 2000
From: wiredsec at hotmail.com (Joshua Anderson)
Date: Wed, 20 Sep 2000 17:16:48 GMT
Subject: [pptp-server] stopping
Message-ID:

How do you stop pptpd from running on a linux server? To stop it from restarting.

From Lillian.Kulhanek at energy.on.ca Wed Sep 20 13:23:54 2000
From: Lillian.Kulhanek at energy.on.ca (Lillian Kulhanek)
Date: Wed, 20 Sep 2000 14:23:54 -0400
Subject: [pptp-server] pptp without ppp
Message-ID: <000901c0232f$efb92fe0$2c02a8c0@Lillian.energy.on.ca>

> Most of the documentation I've read about assumes the pptp server to be on
> the same machine as the machine that connects to the internet. If it's
> behind this machine, is ppp still necessary, ie. does pptp require it?

Yes, you're missing the "true" functionality of PPP, it is Point-To-Point. A VPN is Point-To-Point, pppd really has nothing to do with modems or dialing (it lets "chat" handle that). PPP is used for DSL lines, Cisco routers, other type of VPNs, etc....

Yes, when I say out loud the words that make up the pptp and ppp abbreviations, it does seem like a silly question. ;) I was thinking more from a hardware perspective - ppp is required for a serial connection, e.g. between two modems, to transmit IP. I was wondering if you remove the serial device, is it still necessary to have the protocol for the serial devices? But since pptp needs ppp to run, and ppp is indeed used on media with non-serial interfaces, the point seems moot.

From Josh at pollstar.com Wed Sep 20 14:11:37 2000
From: Josh at pollstar.com (Josh Massie)
Date: Wed, 20 Sep 2000 12:11:37 -0700
Subject: [pptp-server] pptp without ppp
Message-ID:

Here's from RFC 1548:

Abstract

The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components:

1. A method for encapsulating multi-protocol datagrams.

2. A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.

3. A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.

This document defines the PPP organization and methodology, and the PPP encapsulation, together with an extensible option negotiation mechanism which is able to negotiate a rich assortment of configuration parameters and provides additional management functions. The PPP Link Control Protocol (LCP) is described in terms of this mechanism.

This document is the product of the Point-to-Point Protocol Working Group of the Internet Engineering Task Force (IETF). Comments should be submitted to the ietf-ppp at ucdavis.edu mailing list.

PPP is a huge multiheaded monster (just peruse the RFC :-), and is sort of the "garbage can" that a bunch of other stuff has been kicked into. In the horrid world of encapsulation, an IP packet can be encapsulated in a PPP packet, which can be encapsulated in an IP packet (and on to infinity, depending on how many tunnels you have). So it doesn't matter what you're riding on (serial cable, X.25, ethernet, T-X, DS-X, yelling out the door)

Here's an example: Office A has an ethernet based LAN using IP internal space, and is linked to Office B via primnet. Office B is also in internal address land, and has a fiber link to the main office C, where the internet connection (and NAT box) is. Office D, in Switzerland (NATed as well), is linked in via a GRE VPN over the Internet. And in addition to data, they have a VOIP PBX at each location. You can pick up a handset at office A and get local Swiss dialtone via the PBX at office D, no long distance charges.

I may be wrong, but I think that PPTP is a host based implementation of the GRE tunneling protocol. Lots of folk use GRE, including Cisco and Lucent (the old Ascend VPN stuff is all GRE). That's why you allow protocol 47 (GRE) through or to the firewall. The PPTP service is responsible for encrypting and encapsulating the information, but uses PPP to deliver it. Again, this last bit is pretty much my conjecture...

josh massie
extranet administrator
pollstar.com
email: josh at pollstar.com
phone: (559) 271-7977 x 4477
fax: (559) 271-7979
http://www.pollstar.com

>>> "Lillian Kulhanek" 09/20/00 11:23AM >>>
> Most of the documentation I've read about assumes the pptp server to be on
> the same machine as the machine that connects to the internet. If it's
> behind this machine, is ppp still necessary, ie. does pptp require it?

Yes, you're missing the "true" functionality of PPP, it is Point-To-Point. A VPN is Point-To-Point, pppd really has nothing to do with modems or dialing (it lets "chat" handle that). PPP is used for DSL lines, Cisco routers, other type of VPNs, etc....

Yes, when I say out loud the words that make up the pptp and ppp abbreviations, it does seem like a silly question. ;) I was thinking more from a hardware perspective - ppp is required for a serial connection, e.g. between two modems, to transmit IP. I was wondering if you remove the serial device, is it still necessary to have the protocol for the serial devices? But since pptp needs ppp to run, and ppp is indeed used on media with non-serial interfaces, the point seems moot.

From bdenheyer at next-comm.com Wed Sep 20 19:50:22 2000
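The layering discussed in the "pptp without ppp" thread above, as an added example that is not part of any list message: per RFC 2637, PPTP data travels as IP protocol 47 carrying an enhanced GRE (version 1) header, which carries a PPP frame. The parser below decodes that stack from a constructed packet; the function names, the call ID and the sample bytes are assumptions made for illustration.

```python
import socket
import struct

GRE_IP_PROTO = 47        # IP protocol number for GRE; unrelated to TCP/UDP port 47
PPTP_GRE_TYPE = 0x880B   # GRE protocol type PPTP uses for PPP payloads (RFC 2637)
PPP_NAMES = {0x0021: "IPv4", 0x00FD: "compressed datagram (MPPE/MPPC)",
             0x8021: "IPCP", 0x80FD: "CCP", 0xC021: "LCP", 0xC223: "CHAP"}


def ppp_protocol_name(frame: bytes):
    """Name the PPP protocol of a frame carried in GRE (no HDLC flags or FCS)."""
    if not frame:
        return None                      # ack-only GRE packet carries no PPP frame
    if frame[:2] == b"\xff\x03":         # address/control; omitted once ACFC is negotiated
        frame = frame[2:]
    if not frame:
        raise ValueError("PPP frame has no protocol field")
    if frame[0] & 1:                     # odd first octet: 1-byte protocol field (PFC)
        number = frame[0]
    elif len(frame) >= 2:
        number = struct.unpack("!H", frame[:2])[0]
    else:
        raise ValueError("truncated PPP protocol field")
    return PPP_NAMES.get(number, f"unknown 0x{number:04x}")


def parse_pptp_data_packet(packet: bytes) -> dict:
    """Decode outer IPv4 -> enhanced GRE (version 1) -> PPP protocol."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTO:
        # TCP (6) to port 1723 is the PPTP control channel, not tunnelled data.
        raise ValueError(f"IP protocol {packet[9]} is not GRE (47)")
    gre = packet[ihl:]
    if len(gre) < 8:
        raise ValueError("truncated GRE header")
    flags, gre_type, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    # PPTP requires version 1 with the K (key) bit set; the key field is split
    # into payload length and call ID.
    if flags & 0x0007 != 1 or not flags & 0x2000 or gre_type != PPTP_GRE_TYPE:
        raise ValueError("GRE present but not the PPTP variant")
    has_seq, has_ack = bool(flags & 0x1000), bool(flags & 0x0080)
    header_len = 8 + 4 * has_seq + 4 * has_ack
    if len(gre) < header_len + payload_len:
        raise ValueError("GRE packet shorter than its header and length field")
    offset, seq, ack = 8, None, None
    if has_seq:                          # S bit: sequence number of this payload
        seq = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if has_ack:                          # A bit: highest sequence number received
        ack = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    ppp = gre[offset:offset + payload_len]
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "call_id": call_id, "seq": seq, "ack": ack,
            "ppp_protocol": ppp_protocol_name(ppp)}


def build_sample(ppp_frame: bytes, ip_proto: int = GRE_IP_PROTO) -> bytes:
    """Constructed packet for the demo; addresses and call ID are made up."""
    gre = struct.pack("!HHHHII", 0x3081, PPTP_GRE_TYPE, len(ppp_frame),
                      0x0042, 1, 0) + ppp_frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64,
                     ip_proto, 0,        # checksum left 0; the parser does not verify it
                     socket.inet_aton("192.168.0.29"),
                     socket.inet_aton("192.168.0.53"))
    return ip + gre


if __name__ == "__main__":
    # PPP LCP Configure-Request (code 1, id 1, length 4) inside GRE inside IP.
    print(parse_pptp_data_packet(build_sample(b"\xff\x03\xc0\x21\x01\x01\x00\x04")))
```

A packet filter that matches only TCP port 1723 never sees these packets, which is why the rules in this thread name protocol 47 separately.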
From: bdenheyer at next-comm.com (Brian Denheyer)
Date: Wed, 20 Sep 2000 17:50:22 -0700 (PDT)
Subject: [pptp-server] what does this mean
Message-ID: <14793.23374.857196.700462@xavier.nextcomminc.com>

We definitely seem to be having reasonably reproducible problems with pptp. Can anybody tell me what these error messages mean, or where they might come from ?

Sep 20 08:29:24 pptpd[24120]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error
Sep 20 08:29:24 pptpd[24120]: CTRL: PTY read or GRE write failed (pty,gre) =(5,6)
Sep 20 08:29:24 pptpd[24120]: CTRL: Client 12.72.37.31 control connection finished

Brian

From alan at silveregg.co.jp Wed Sep 20 23:37:21 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Thu, 21 Sep 2000 13:37:21 +0900
Subject: [pptp-server] HELP for windows client problem!!!
In-Reply-To:
Message-ID: <4.2.0.58.J.20000921133002.00adf850@pear.silveregg.co.jp>

Thanks for your help. I have downloaded source and patch for ppp-2.3.11. I recompiled kernel again and installed modules. Like you mentioned, everything works fine.

But I am still having the same problem while trying to access from windows 2000 client. Same kind of problem, 128-bit not supported. The following are the ppp log dump. Please give me some advice if you have any idea about this problem? I can now successfully login pptp server from either windows98 or NT though.

Thanks.

Sep 21 12:44:06 lemon pptpd[661]: MGR: Launching /usr/local/sbin/pptpctrl to handle client
Sep 21 12:44:06 lemon pptpd[661]: CTRL: local address = 192.168.0.53
Sep 21 12:44:06 lemon pptpd[661]: CTRL: remote address = 192.168.0.53
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Client 192.168.0.29 control connection started
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 1)
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Made a START CTRL CONN RPLY packet
Sep 21 12:44:06 lemon pptpd[661]: CTRL: I wrote 156 bytes to the client.
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Sent packet to client
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 7)
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Set parameters to 1525 maxbps, 64 window size
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Made a OUT CALL RPLY packet
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Starting call (launching pppd, opening GRE)
Sep 21 12:44:06 lemon pptpd[661]: CTRL: pty_fd = 4
Sep 21 12:44:06 lemon pptpd[661]: CTRL: tty_fd = 5
Sep 21 12:44:06 lemon pptpd[662]: CTRL (PPPD Launcher): Connection speed = 115200
Sep 21 12:44:06 lemon pptpd[662]: CTRL (PPPD Launcher): local address = 192.168.0.53
Sep 21 12:44:06 lemon pptpd[662]: CTRL (PPPD Launcher): remote address = 192.168.0.53
Sep 21 12:44:07 lemon pptpd[661]: CTRL: I wrote 32 bytes to the client.
Sep 21 12:44:07 lemon pptpd[661]: CTRL: Sent packet to client
Sep 21 12:44:07 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 15)
Sep 21 12:44:07 lemon pptpd[661]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Sep 21 12:44:07 lemon pptpd[661]: GRE: Discarding duplicate packet
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 15)
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 15)
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 12)
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Made a CALL DISCONNECT RPLY packet
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Received CALL CLR request (closing call)
Sep 21 12:44:09 lemon pptpd[661]: CTRL: I wrote 148 bytes to the client.
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Sent packet to client
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Error with select(), quitting
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Client 192.168.0.29 control connection finished
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Exiting now
Sep 21 12:44:09 lemon pptpd[469]: MGR: Reaped child 661
Sep 21 12:44:21 lemon pptpd[622]: CTRL: Received PPTP Control Message (type: 5)
Sep 21 12:44:21 lemon pptpd[622]: CTRL: Made a ECHO RPLY packet
Sep 21 12:44:21 lemon pptpd[622]: CTRL: I wrote 20 bytes to the client.
Sep 21 12:44:21 lemon pptpd[622]: CTRL: Sent packet to client

At 10:24 00/09/20 +0200, you wrote:
>i had the same problems when compiling.
>in fact i removed the #include of the missing files in the rc4 sources.
>
>after, to avoid problems, i used latest patches on
>ftp://ftp.binarix.com/pub/ppp-mppe/
>
>their ppp-2.3.11 patch already contains all the rc4 needed files. great.
>
>"
>ppp-2.3.11-openssl-0.9.5-mppe.patch.gz (30/03/2000)
>---------------------------------------------------
>
>This is the ppp-2.3.10 patch adjusted for ppp-2.3.11. The cryto files are
>from
>the new OpenSSL-0.9.5. Apply to ppp-2.3.11 source.
>"
>
>
>the only problem i've got was when i made
>make kernel
>
>the if-pppvar.h file was not copied in the kernel so i had to do it myself.

*************************************
TEL : 03-3560-1831
FAX : 03-3560-1832
Email: alan at silveregg.co.jp
Homepage: http://www.silveregg.co.jp
*************************************

From alan at silveregg.co.jp Thu Sep 21 00:22:01 2000
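The numeric control-message types in the pptpd log of the preceding "HELP for windows client problem!!!" message, decoded with the names RFC 2637 assigns them; this is an added example, not part of the post or of PoPToP. It groups the messages by pptpd process and reports whether the peer cleared the call and how long after requesting it. The embedded lines are an excerpt of the posted log, and the function names and the year constant are assumptions.

```python
import re
from datetime import datetime

# PPTP control message types as numbered in RFC 2637.
CTRL_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected", 12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify", 14: "WAN-Error-Notify", 15: "Set-Link-Info",
}
LOG_YEAR = 2000  # assumption: syslog lines carry no year; taken from the mail's date
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pptpd\[(\d+)\]: (.*)$")
TYPE_RE = re.compile(r"Received PPTP Control Message \(type: (\d+)\)")

# Excerpt of the log posted in the message above.
SAMPLE_LOG = """\
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Client 192.168.0.29 control connection started
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 1)
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Made a START CTRL CONN RPLY packet
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 7)
Sep 21 12:44:06 lemon pptpd[661]: CTRL: Starting call (launching pppd, opening GRE)
Sep 21 12:44:07 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 15)
Sep 21 12:44:07 lemon pptpd[661]: GRE: Discarding duplicate packet
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 15)
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 15)
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Received PPTP Control Message (type: 12)
Sep 21 12:44:09 lemon pptpd[661]: CTRL: Received CALL CLR request (closing call)
Sep 21 12:44:09 lemon pptpd[469]: MGR: Reaped child 661
Sep 21 12:44:21 lemon pptpd[622]: CTRL: Received PPTP Control Message (type: 5)
Sep 21 12:44:21 lemon pptpd[622]: CTRL: Made a ECHO RPLY packet
"""


def decode_pptpd_log(text: str) -> dict:
    """Map each pptpd PID to its received control messages: (time, type, name)."""
    sessions = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue                       # not a pptpd syslog line
        stamp, pid, message = match.groups()
        found = TYPE_RE.search(message)
        if not found:
            continue                       # informational line, no message type
        when = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        number = int(found.group(1))
        name = CTRL_TYPES.get(number, f"unknown type {number}")
        sessions.setdefault(int(pid), []).append((when, number, name))
    return sessions


def call_outcome(events) -> tuple:
    """Return (verdict, seconds) describing how one process's call ended."""
    requested = next((ts for ts, n, _ in events if n == 7), None)
    if requested is None:
        return ("no-call", None)           # e.g. a session that only sent echoes
    cleared = next((ts for ts, n, _ in events if n == 12 and ts >= requested), None)
    if cleared is None:
        return ("not-cleared-by-peer", None)
    return ("cleared-by-peer", (cleared - requested).total_seconds())


if __name__ == "__main__":
    for pid, events in sorted(decode_pptpd_log(SAMPLE_LOG).items()):
        print(pid, [name for _, _, name in events], call_outcome(events))
```

For process 661 this reports a Call-Clear-Request from the client three seconds after its Outgoing-Call-Request. The control-channel log does not say why the client gave up; the PPP negotiation itself is logged by pppd when it runs with its `debug` option.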
From: alan at silveregg.co.jp (Alan Chung)
Date: Thu, 21 Sep 2000 14:22:01 +0900
Subject: [pptp-server] Linux firewall
Message-ID: <4.2.0.58.J.20000921141522.00ae2ee0@pear.silveregg.co.jp>

I have successfully setup a pptp server and tested it locally. After I put it behind my current Redhat 6.2 firewall, it failed to connect to server.

I have the current ipchains rules setup for PPTP,

# port forwarding for 1723
ipmasqadm portfw -a -P tcp -L 211.2.228.100 1723 -R 192.168.0.6 1723

# redirect protocol 47
/usr/local/sbin/ipfwd --masq 192.168.0.6 47 &

# ipchains section
$IPCHAINS -A input -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A input -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A input -p 47 -d 192.168.0.2/24 -j ACCEPT
$IPCHAINS -A input -p 47 -s 192.168.0.2/24 -j ACCEPT

$IPCHAINS -A output -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A output -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A output -p 47 -d 192.168.0.2/24 -j ACCEPT
$IPCHAINS -A output -p 47 -s 192.168.0.2/24 -j ACCEPT

$IPCHAINS -A forward -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A forward -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A forward -p 47 -d 192.168.0.2/24 -j ACCEPT
$IPCHAINS -A forward -p 47 -s 192.168.0.2/24 -j ACCEPT

But I got the following error when I tried to access from my pptp-linux client to server through firewall,

warn[open_inetsock:pptp_callmgr.c:287]: connect: No route to host
fatal[callmgr_main:pptp_callmgr.c:122]: Could not open control connection to 211.2.228.100
fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256

Any clue?

Thanks in advance.

Alan

From alan at silveregg.co.jp Thu Sep 21 00:24:28 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Thu, 21 Sep 2000 14:24:28 +0900
Subject: [pptp-server] Linux firewall
Message-ID: <4.2.0.58.J.20000921142356.00adb100@pear.silveregg.co.jp>

I have successfully setup a pptp server and tested it locally. After I put it behind my current Redhat 6.2 firewall, it failed to connect to server.

I have the current ipchains rules setup for PPTP,

# port forwarding for 1723
ipmasqadm portfw -a -P tcp -L 211.2.228.100 1723 -R 192.168.0.6 1723

# redirect protocol 47
/usr/local/sbin/ipfwd --masq 192.168.0.6 47 &

# ipchains section
$IPCHAINS -A input -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A input -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A input -p 47 -d 192.168.0.2/24 -j ACCEPT
$IPCHAINS -A input -p 47 -s 192.168.0.2/24 -j ACCEPT

$IPCHAINS -A output -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A output -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A output -p 47 -d 192.168.0.2/24 -j ACCEPT
$IPCHAINS -A output -p 47 -s 192.168.0.2/24 -j ACCEPT

$IPCHAINS -A forward -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A forward -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
$IPCHAINS -A forward -p 47 -d 192.168.0.2/24 -j ACCEPT
$IPCHAINS -A forward -p 47 -s 192.168.0.2/24 -j ACCEPT

But I got the following error when I tried to access from my pptp-linux client to server through firewall,

warn[open_inetsock:pptp_callmgr.c:287]: connect: No route to host
fatal[callmgr_main:pptp_callmgr.c:122]: Could not open control connection to 211.2.228.100
fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256

And got 629 error if access from windows 98 client?

Any clue?

Thanks in advance.

Alan

From ppauleau at cartesis.com Thu Sep 21 02:22:04 2000
From: ppauleau at cartesis.com (Philippe PAULEAU)
Date: Thu, 21 Sep 2000 09:22:04 +0200
Subject: [pptp-server] stopping
Message-ID:

To stop respawn, edit the inittab file (remove the line).

> -----Original Message-----
> From: Joshua Anderson [mailto:wiredsec at hotmail.com]
> Sent: Wednesday, 20 September 2000 19:17
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] stopping
>
>
> How do you stop pptpd from running on a linux server? To stop it from
> restarting.

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From jvonau at home.com Thu Sep 21 02:38:03 2000
From: jvonau at home.com (Jerry Vonau)
Date: Thu, 21 Sep 2000 02:38:03 -0500
Subject: [pptp-server] Linux firewall
References: <4.2.0.58.J.20000921145611.00b0a420@pear.silveregg.co.jp>
Message-ID: <39C9BADB.1C5115F0@home.com>

Hello Allen:

>> What is the Ip of the server that you are forwarding to?? 6 or 2

Jerry

Alan Chung wrote:

> I have successfully setup a pptp server and tested it locally. After I put
> it behind my current Redhat 6.2 firewall, it failed to connect to server.
>
> I have the current ipchains rules setup for PPTP,
>
> # port forwarding for 1723
> >>ipmasqadm portfw -a -P tcp -L 211.2.228.100 1723 -R 192.168.0.6 1723
>
> # redirect protocol 47
> /usr/local/sbin/ipfwd --masq 192.168.0.6 47 &
>
> # ipchains section
> >>$IPCHAINS -A input -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
> >>$IPCHAINS -A input -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
> $IPCHAINS -A input -p 47 -d 192.168.0.2/24 -j ACCEPT
> $IPCHAINS -A input -p 47 -s 192.168.0.2/24 -j ACCEPT
>
> $IPCHAINS -A output -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
> $IPCHAINS -A output -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
> $IPCHAINS -A output -p 47 -d 192.168.0.2/24 -j ACCEPT
> $IPCHAINS -A output -p 47 -s 192.168.0.2/24 -j ACCEPT
>
> $IPCHAINS -A forward -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
> $IPCHAINS -A forward -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
> $IPCHAINS -A forward -p 47 -d 192.168.0.2/24 -j ACCEPT
> $IPCHAINS -A forward -p 47 -s 192.168.0.2/24 -j ACCEPT
>
> But I got the following error when I tried to access from my pptp-linux
> client to server through firewall,
>
> warn[open_inetsock:pptp_callmgr.c:287]: connect: No route to host
> fatal[callmgr_main:pptp_callmgr.c:122]: Could not open control connection
> to 211.2.228.100
> fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256
>
> And got 629 error if access from windows 98 client?
>
> Any clue?
>
> Thanks in advance.
>
> Alan

From alan at silveregg.co.jp Thu Sep 21 03:21:17 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Thu, 21 Sep 2000 17:21:17 +0900
Subject: [pptp-server] Linux firewall
In-Reply-To: <39C9BADB.1C5115F0@home.com>
References: <4.2.0.58.J.20000921145611.00b0a420@pear.silveregg.co.jp>
Message-ID: <4.2.0.58.J.20000921171944.00ae0de0@pear.silveregg.co.jp>

I am sorry I forgot to correct 192.168.0.6 to 2. They refer to the same machine.

Any clue?

At 02:38 00/09/21 -0500, you wrote:
>Hello Allen:
>
> >> What is the Ip of the server that you are forwarding to?? 6 or 2
>
>Jerry
>
>Alan Chung wrote:
>
> > I have successfully setup a pptp server and tested it locally. After I put
> > it behind my current Redhat 6.2 firewall, it failed to connect to server.
> >
> > I have the current ipchains rules setup for PPTP,
> >
> > # port forwarding for 1723
> > >>ipmasqadm portfw -a -P tcp -L 211.2.228.100 1723 -R 192.168.0.6 1723
> >
> > # redirect protocol 47
> > /usr/local/sbin/ipfwd --masq 192.168.0.6 47 &
> >
> > # ipchains section
> > >>$IPCHAINS -A input -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
> > >>$IPCHAINS -A input -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
> > $IPCHAINS -A input -p 47 -d 192.168.0.2/24 -j ACCEPT
> > $IPCHAINS -A input -p 47 -s 192.168.0.2/24 -j ACCEPT
> >
> > $IPCHAINS -A output -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
> > $IPCHAINS -A output -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
> > $IPCHAINS -A output -p 47 -d 192.168.0.2/24 -j ACCEPT
> > $IPCHAINS -A output -p 47 -s 192.168.0.2/24 -j ACCEPT
> >
> > $IPCHAINS -A forward -p tcp -d 192.168.0.2/24 1723 -j ACCEPT
> > $IPCHAINS -A forward -p tcp -s 192.168.0.2/24 1723 -j ACCEPT
> > $IPCHAINS -A forward -p 47 -d 192.168.0.2/24 -j ACCEPT
> > $IPCHAINS -A forward -p 47 -s 192.168.0.2/24 -j ACCEPT
> >
> > But I got the following error when I tried to access from my pptp-linux
> > client to server through firewall,
> >
> > warn[open_inetsock:pptp_callmgr.c:287]: connect: No route to host
> > fatal[callmgr_main:pptp_callmgr.c:122]: Could not open control connection
> > to 211.2.228.100
> > fatal[launch_callmgr:pptp.c:213]: Call manager exited with error 256
> >
> > And got 629 error if access from windows 98 client?
> >
> > Any clue?
> >
> > Thanks in advance.
> >
> > Alan

*************************************
TEL : 03-3560-1831 FAX : 03-3560-1832
Email: alan at silveregg.co.jp
Homepage: http://www.silveregg.co.jp
*************************************

From mikem at softscreen.co.uk Thu Sep 21 03:32:02 2000
From: mikem at softscreen.co.uk (Mike Marks)
Date: Thu, 21 Sep 2000 09:32:02 +0100
Subject: [pptp-server] PPTP newbie
Message-ID: <001a01c023a6$6d65b820$65010a64@mlmpcd1>

I hope someone can help with my problem.

I am new to PPTP and am trying to set up a small network so my remote salesmen (Windows 98SE) can dial a local ISP and then use PPTP to gain access to my network and in particular use the AS/400 (running TCP/IP on the network).

So far I have got PPTP running on Mandrake 7.0 and can make an ISP connection followed by a VPN connection, but then I cannot ping any devices on the local network. Also, anything I try to do goes through the ISP connection not the VPN one (or at least the flashing lights are on the ISP DUN not the VPN DUN).

All my devices (local and remote) have the IP address set up in the range 100.10.1.xxx but obviously when both the PPTP server and the PC connect to the internet they are given different IP addresses that can change every time.

Any suggestions as to what I am doing wrong ?

Mike Marks

From MSmith at webtonetech.com Thu Sep 21 08:20:32 2000
From: MSmith at webtonetech.com (Michael Smith)
Date: Thu, 21 Sep 2000 09:20:32 -0400
Subject: [pptp-server] undefined reference to `ip_masq_hash_key' when compiling jhardin' s pptp masquerading patches to kernel
Message-ID: <0124736A07E0D311A7FA00A0C9DCE5567655E2@pantera.webtonetech.com>

I am currently using RH 6.2 with kernel 2.2.16-3. After patching ip_masq_vpn-2.2.15.patch to the kernel and patching ip_masq_vpn-RH2.14.patch and ip_masq_vpn-RH2.16-2.patch to the ipv4 source directory, I get the following. I, of course, did a "make dep" and "make clean" after selecting all the VPN masquerading stuff from "make menuconfig".

net/network.a(ipv4.o): In function `ip_masq_hash':
ipv4.o(.text+0x23e): undefined reference to `ip_masq_hash_key'
ipv4.o(.text+0x285): undefined reference to `ip_masq_hash_key'
ipv4.o(.text+0x2b1): undefined reference to `ip_masq_hash_key'
net/network.a(ipv4.o): In function `__ip_masq_in_get':
ipv4.o(.text+0x362): undefined reference to `ip_masq_hash_key'
ipv4.o(.text+0x3c1): undefined reference to `ip_masq_hash_key'
net/network.a(ipv4.o)(.text+0x45d): more undefined references to `ip_masq_hash_key' follow

Before I started digging into the source I thought that maybe someone had been through this.

Thanks in advance for any help....

Michael A. Smith

From vlast at eetc.com Thu Sep 21 10:08:28 2000
From: vlast at eetc.com (Vlad Strezhnev)
Date: Thu, 21 Sep 2000 10:08:28 -0500
Subject: [pptp-server] what does this mean
In-Reply-To: <14793.23374.857196.700462@xavier.nextcomminc.com>
Message-ID: <39C9DE1C.22372.E2EC510@localhost>

We had similar problem with pptpd server behind masquerading firewall. The kernel on the firewall (2.2.17) was not patched with ip_masq_vpn.patch. After we applied the patch the problem was gone.

Might look in Linux VPN Masquerade HOWTO: Patching and configuring kernel for VPN Masquerade support for details.

On 20 Sep 2000, at 17:50, Brian Denheyer wrote:

>
> We definitely seem to be having reasonably reproducible problems with pptp.
>
> Can anybody tell me what these error messages mean, or where they
> might come from ?
>
> Sep 20 08:29:24 pptpd[24120]: GRE: read(fd=5,buffer=804d9c0,len=8196) from
> PTY failed: status = -1 error = Input/output error
> Sep 20 08:29:24 pptpd[24120]: CTRL: PTY read or GRE write failed (pty,gre)
> =(5,6)
> Sep 20 08:29:24 pptpd[24120]: CTRL: Client 12.72.37.31 control connection
> finished
>
> Brian

From len at ghy.com Thu Sep 21 10:52:19 2000
From: len at ghy.com (Leonard L. Goldenstein)
Date: Thu, 21 Sep 2000 10:52:19 -0500
Subject: [pptp-server] Protocol-Reject Issue
Message-ID:

Hello to everyone on the list.

I have seen this problem posted where pppd gives "Protocol-Reject for unsupported protocol" messages to the system log. Unfortunately I have not seen much in the way of any solutions for the problem. I ask that if anyone has experience with this situation and/or a solution to please post to the list to help out all others with this problem.

I have setup PoPToP 1.0.0 following a combination of the HOWTO on the website and this document:
http://www.vanja.com/PPTP.txt

Software:
Linux 2.2.17
PoPToP 1.0.0 RPM
pppd-2.3.11.tar.gz
ppp-2.3.11-openssl-0.9.5-mppe.patch.gz

Everything compiled fine.

My options.pptp file is (yes, pptpd is set to use this file):
lock
+chap
auth
proxyarp
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
ms-dns 1.1.1.4
ms-wins 1.1.1.4

I can connect to the server from Win98 with no problem:

Sep 21 10:38:36 access pppd[16427]: pppd 2.3.11 started by root, uid 0
Sep 21 10:38:36 access pppd[16427]: Using interface ppp1
Sep 21 10:38:36 access pppd[16427]: Connect: ppp1 <--> /dev/pts/6
Sep 21 10:38:36 access pppd[16427]: MSCHAP peer authentication succeeded for GHY \\len
Sep 21 10:38:36 access pppd[16427]: found interface eth0 for proxy arp
Sep 21 10:38:36 access pppd[16427]: local IP address 1.1.1.4
Sep 21 10:38:36 access pppd[16427]: remote IP address 1.1.1.225
Sep 21 10:38:36 access pppd[16427]: MPPE 40 bit, stateless compression enabled
Sep 21 10:39:58 access pppd[16427]: Protocol-Reject for unsupported protocol 0x3f
Sep 21 10:39:59 access pppd[16427]: Protocol-Reject for unsupported protocol 0xf 9
Sep 21 10:40:01 access pppd[16427]: Protocol-Reject for unsupported protocol 0xb 1
Sep 21 10:40:02 access pppd[16427]: Protocol-Reject for unsupported protocol 0xc a85
Sep 21 10:40:04 access pppd[16427]: Protocol-Reject for unsupported protocol 0x6 8df
Sep 21 10:40:05 access pppd[16427]: Protocol-Reject for unsupported protocol 0xf 3
etc...

However as you can see, after establishing the connection, I am unable to send any traffic over the network. All I get is the Protocol Reject messages until I disconnect the connection.

*ANY* Help on this issue is *VERY* greatly appreciated.
Thank You.
-----------------------------------------------------
Leonard L. Goldenstein
Information Services Consultant

Geo. H. Young & Co. Ltd.
809 - 167 Lombard Ave.
Winnipeg, MB R3B 3H8
Phone: (204) 947-6851
Fax: (204) 947-3306

len at ghy.com
http://www.ghy.com

From len at ghy.com Thu Sep 21 11:19:57 2000
From: len at ghy.com (Leonard L. Goldenstein)
Date: Thu, 21 Sep 2000 11:19:57 -0500
Subject: [pptp-server] RE: Protocol-Reject Issue
In-Reply-To:
Message-ID:

One thing I did forget to mention is that the VPN connection works great without encryption when I don't have the mppe-40, mppe-128, mppe-stateless options in the pppd config.

As soon as I get encryption running, nothing works except the login.

Help? :)

-----------------------------------------------------
Leonard L. Goldenstein
Information Services Consultant

Geo. H. Young & Co. Ltd.
809 - 167 Lombard Ave.
Winnipeg, MB R3B 3H8
Phone: (204) 947-6851
Fax: (204) 947-3306

len at ghy.com
http://www.ghy.com

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Leonard L. > Goldenstein > Sent: Thursday, September 21, 2000 10:52 AM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] Protocol-Reject Issue > > > Hello to everyone on the list. > I have seen this problem posted where pppd gives "Protocol-Reject for > unsupported protocol" messages to the system log. Unfortunately > I have not > seen much in the way of any solutions for the problem. I ask > that if anyone > has experience with this situation and/or a solution to please post to the > list to help out all others with this problem. > > I have setup PoPToP 1.0.0 following a combination of the HOWTO on the > website and this document: > http://www.vanja.com/PPTP.txt > > Software: > Linux 2.2.17 > PoPToP 1.0.0 RPM > pppd-2.3.11.tar.gz > ppp-2.3.11-openssl-0.9.5-mppe.patch.gz > > Everything compiled fine. > > My options.pptp file is (yes, pptpd is set to use this file): > lock > +chap > auth > proxyarp > +chapms > +chapms-v2 > mppe-40 > mppe-128 > mppe-stateless > ms-dns 1.1.1.4 > ms-wins 1.1.1.4 > > I can connect to the server from Win98 with no problem: > > Sep 21 10:38:36 access pppd[16427]: pppd 2.3.11 started by root, uid 0 > Sep 21 10:38:36 access pppd[16427]: Using interface ppp1 > Sep 21 10:38:36 access pppd[16427]: Connect: ppp1 <--> /dev/pts/6 > Sep 21 10:38:36 access pppd[16427]: MSCHAP peer authentication > succeeded for > GHY > \\len > Sep 21 10:38:36 access pppd[16427]: found interface eth0 for proxy arp > Sep 21 10:38:36 access pppd[16427]: local IP address 1.1.1.4 > Sep 21 10:38:36 access pppd[16427]: remote IP address 1.1.1.225 > Sep 21 10:38:36 access pppd[16427]: MPPE 40 bit, stateless compression > enabled > Sep 21 10:39:58 access pppd[16427]: Protocol-Reject for > unsupported protocol > 0x3f > Sep 21 10:39:59 access pppd[16427]: Protocol-Reject for > unsupported protocol > 0xf > 9 > Sep 21 10:40:01 access pppd[16427]: 
Protocol-Reject for > unsupported protocol > 0xb > 1 > Sep 21 10:40:02 access pppd[16427]: Protocol-Reject for > unsupported protocol > 0xc > a85 > Sep 21 10:40:04 access pppd[16427]: Protocol-Reject for > unsupported protocol > 0x6 > 8df > Sep 21 10:40:05 access pppd[16427]: Protocol-Reject for > unsupported protocol > 0xf > 3 > etc... > > However as you can see, after establishing the connection, i am unable to > send any traffic over the network. All I get is the Protocol Reject > messages until I disconnect the connection. > > *ANY* Help on this issue is *VERY* greatly appreciated. > Thank You. > ----------------------------------------------------- > Leonard L. Goldenstein > Information Services Consultant > > Geo. H. Young & Co. Ltd. > 809 - 167 Lombard Ave. > Winnipeg, MB R3B 3H8 > Phone: (204) 947-6851 > Fax: (204) 947-3306 > > len at ghy.com > http://www.ghy.com > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From drjchris at yahoo.com Thu Sep 21 11:18:45 2000 
From: drjchris at yahoo.com (Chris Carella)
Date: Thu, 21 Sep 2000 09:18:45 -0700 (PDT)
Subject: [pptp-server] MPPE Encryption???
Message-ID: <20000921161845.98916.qmail@web9705.mail.yahoo.com>

How do I know if MPPE is working? Do I have to choose 'require data encryption' on the MS client?

Also I get this error 'modprobe: Can't locate module ppp-compress-18 ' in my log, and I do have 'alias ppp-compress-18 ppp_mppe ' in my modules.conf file... can mppe be working if I keep getting this error? Does anyone know how to solve this error?

Thanks
Chris

--- Landy Manderson wrote:
> Try
> /windows98/downloads/contents/WURecommended/S_WUNetworking/VPN/Default.asp
> at www.microsoft.com.
>
> On Thu, 15 Jun 2000 23:49:21 +0300 you said:
> >I had the same problem with pptp. When encryption was disabled (on the W98
> >client machine), everything was working OK. If I tried to enable it, no IP
> >traffic would
> >pass through the link, although it seemed to be connected.
> >I fixed the problem by downloading a patch from Microsoft, called 'vpnupd'. I
> >don't remember exactly where it is located on the site; try searching for it.

From drjchris at yahoo.com Thu Sep 21 11:24:19 2000
From: drjchris at yahoo.com (Chris Carella)
Date: Thu, 21 Sep 2000 09:24:19 -0700 (PDT)
Subject: [pptp-server] Mppe Question
Message-ID: <20000921162419.29458.qmail@web9708.mail.yahoo.com>

I know my server is doing MSCHAP authentication but how can I tell if it is doing mppe? Do I have to select "require encrypted data" on the Win client... and also I get this error "can't locate module ppp-compress-18" and I have the line

alias ppp-compress-18 ppp_mppe

in modules.conf... anyone know why that module isn't working? And can MPPE work without it?

Thanks
Chris

From jared at wanware.com Thu Sep 21 11:55:08 2000
From: jared at wanware.com (Jared Riley)
Date: Thu, 21 Sep 2000 12:55:08 -0400
Subject: [pptp-server] RE: Protocol-Reject Issue
References:
Message-ID: <39CA3D6C.BDEC6228@wanware.com>

Hi,

Also being new to pptp, I had the same problem a few days ago. The problem is on the client end. You must apply the vpn update, available from microsoft at
http://www.microsoft.com/windows95/downloads/default.asp, or
http://www.microsoft.com/windows98/downloads/corporate.asp

Jared

"Leonard L. Goldenstein" wrote:
>
> One thing I did forget to mention is that the VPN connection works great
> without encryption when I don't have the mppe-40, mppe-128, mppe-stateless
> options in the pppd config.
>
> As soon as I get encryption running, nothing works except the login.
>
> Help? :)
>
> -----------------------------------------------------
> Leonard L. Goldenstein
> Information Services Consultant
>
> Geo. H. Young & Co. Ltd.
> 809 - 167 Lombard Ave.
> Winnipeg, MB R3B 3H8
> Phone: (204) 947-6851
> Fax: (204) 947-3306
>
> len at ghy.com
> http://www.ghy.com
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Leonard L. > > Goldenstein > > Sent: Thursday, September 21, 2000 10:52 AM > > To: pptp-server at lists.schulte.org > > Subject: [pptp-server] Protocol-Reject Issue > > > > > > Hello to everyone on the list. > > I have seen this problem posted where pppd gives "Protocol-Reject for > > unsupported protocol" messages to the system log. Unfortunately > > I have not > > seen much in the way of any solutions for the problem. I ask > > that if anyone > > has experience with this situation and/or a solution to please post to the > > list to help out all others with this problem. > > > > I have setup PoPToP 1.0.0 following a combination of the HOWTO on the > > website and this document: > > http://www.vanja.com/PPTP.txt > > > > Software: > > Linux 2.2.17 > > PoPToP 1.0.0 RPM > > pppd-2.3.11.tar.gz > > ppp-2.3.11-openssl-0.9.5-mppe.patch.gz > > > > Everything compiled fine. > > > > My options.pptp file is (yes, pptpd is set to use this file): > > lock > > +chap > > auth > > proxyarp > > +chapms > > +chapms-v2 > > mppe-40 > > mppe-128 > > mppe-stateless > > ms-dns 1.1.1.4 > > ms-wins 1.1.1.4 > > > > I can connect to the server from Win98 with no problem: > > > > Sep 21 10:38:36 access pppd[16427]: pppd 2.3.11 started by root, uid 0 > > Sep 21 10:38:36 access pppd[16427]: Using interface ppp1 > > Sep 21 10:38:36 access pppd[16427]: Connect: ppp1 <--> /dev/pts/6 > > Sep 21 10:38:36 access pppd[16427]: MSCHAP peer authentication > > succeeded for > > GHY > > \\len > > Sep 21 10:38:36 access pppd[16427]: found interface eth0 for proxy arp > > Sep 21 10:38:36 access pppd[16427]: local IP address 1.1.1.4 > > Sep 21 10:38:36 access pppd[16427]: remote IP address 1.1.1.225 > > Sep 21 10:38:36 access pppd[16427]: MPPE 40 bit, stateless compression > > enabled > > Sep 21 10:39:58 access pppd[16427]: Protocol-Reject for > > unsupported protocol > > 0x3f > > Sep 21 10:39:59 
access pppd[16427]: Protocol-Reject for > > unsupported protocol > > 0xf > > 9 > > Sep 21 10:40:01 access pppd[16427]: Protocol-Reject for > > unsupported protocol > > 0xb > > 1 > > Sep 21 10:40:02 access pppd[16427]: Protocol-Reject for > > unsupported protocol > > 0xc > > a85 > > Sep 21 10:40:04 access pppd[16427]: Protocol-Reject for > > unsupported protocol > > 0x6 > > 8df > > Sep 21 10:40:05 access pppd[16427]: Protocol-Reject for > > unsupported protocol > > 0xf > > 3 > > etc... > > > > However as you can see, after establishing the connection, i am unable to > > send any traffic over the network. All I get is the Protocol Reject > > messages until I disconnect the connection. > > > > *ANY* Help on this issue is *VERY* greatly appreciated. > > Thank You. > > ----------------------------------------------------- > > Leonard L. Goldenstein > > Information Services Consultant > > > > Geo. H. Young & Co. Ltd. > > 809 - 167 Lombard Ave. > > Winnipeg, MB R3B 3H8 > > Phone: (204) 947-6851 > > Fax: (204) 947-3306 > > > > len at ghy.com > > http://www.ghy.com > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! -- Jared Riley Software Engineer jared at wanware.com From bdenheyer at next-comm.com Thu Sep 21 12:23:12 2000 
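A triage pass over pppd syslog output for the symptom reported in this thread (MPPE comes up, then a run of Protocol-Reject entries with protocol numbers that are not normal PPP protocols), written as an added example that is not part of any post or of pppd itself. The log lines are constructed in the format of the posted excerpt; the known-protocol set, the verdict names and the threshold of three distinct values are assumptions of the example.

```python
import re
from collections import defaultdict

# PPP protocol numbers that routinely appear during negotiation.
# Assumption of this example: anything outside this set is "unexpected".
KNOWN_PPP_PROTOCOLS = {
    0x0021,  # IP
    0x002D,  # Van Jacobson compressed TCP/IP
    0x002F,  # Van Jacobson uncompressed TCP/IP
    0x00FD,  # compressed datagram (carries MPPE payload)
    0x8021,  # IPCP
    0x80FD,  # CCP
    0xC021,  # LCP
    0xC023,  # PAP
    0xC223,  # CHAP
}

PPPD_LINE = re.compile(r"pppd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
MPPE_ENABLED = re.compile(r"^MPPE \d+ bit, \w+ compression enabled")
PROTO_REJECT = re.compile(
    r"^Protocol-Reject for unsupported protocol 0x([0-9a-fA-F]+)")

# Constructed sample: three sessions, one showing the thread's symptom.
SAMPLE_LOG = """\
Sep 21 10:38:36 gw pppd[2001]: MSCHAP peer authentication succeeded for alice
Sep 21 10:38:36 gw pppd[2001]: MPPE 40 bit, stateless compression enabled
Sep 21 10:39:58 gw pppd[2001]: Protocol-Reject for unsupported protocol 0x3f
Sep 21 10:39:59 gw pppd[2001]: Protocol-Reject for unsupported protocol 0xa95
Sep 21 10:40:01 gw pppd[2001]: Protocol-Reject for unsupported protocol 0x5d
Sep 21 10:40:02 gw pppd[2001]: Protocol-Reject for unsupported protocol 0x7b3
Sep 21 11:02:10 gw pppd[2002]: MPPE 128 bit, stateless compression enabled
Sep 21 11:02:11 gw pppd[2002]: local IP address 192.0.2.1
Sep 21 11:15:40 gw pppd[2003]: Protocol-Reject for unsupported protocol 0x80fd
Sep 21 11:15:41 gw pppd[2003]: local IP address 192.0.2.1
"""


def triage(lines, min_unexpected=3):
    """Classify each pppd session (keyed by PID) found in syslog lines."""
    sessions = defaultdict(lambda: {"mppe": False, "rejects": []})
    for line in lines:
        m = PPPD_LINE.search(line)
        if not m:
            continue
        state, msg = sessions[m["pid"]], m["msg"]
        if MPPE_ENABLED.match(msg):
            state["mppe"] = True
            continue
        rej = PROTO_REJECT.match(msg)
        if rej:
            # Remember whether MPPE was already up when the reject arrived.
            state["rejects"].append((int(rej.group(1), 16), state["mppe"]))

    report = {}
    for pid, s in sessions.items():
        # Distinct non-PPP-looking values seen only after encryption started.
        unexpected = sorted({proto for proto, after_mppe in s["rejects"]
                             if after_mppe and proto not in KNOWN_PPP_PROTOCOLS})
        if len(unexpected) >= min_unexpected:
            verdict = "suspect-mppe-mismatch"   # ends disagree on the cipher stream
        elif s["rejects"]:
            verdict = "negotiation-reject"      # ordinary option negotiation
        else:
            verdict = "ok"
        report[pid] = {"verdict": verdict, "unexpected": unexpected}
    return report


if __name__ == "__main__":
    for pid, result in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(pid, result["verdict"], [hex(p) for p in result["unexpected"]])
```

A session flagged `suspect-mppe-mismatch` is the case to compare against the client-side MPPE support discussed in the replies, before touching firewall rules.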
From: bdenheyer at next-comm.com (Brian Denheyer)
Date: Thu, 21 Sep 2000 10:23:12 -0700 (PDT)
Subject: [pptp-server] what does this mean
In-Reply-To: <39C9DE1C.22372.E2EC510@localhost>
References: <14793.23374.857196.700462@xavier.nextcomminc.com> <39C9DE1C.22372.E2EC510@localhost>
Message-ID: <14794.17408.871373.970148@xavier.nextcomminc.com>

Yes, but the question remains. If the firewall is filtering or otherwise mishandling the packets, how would pptp ever work in the first place? This is an error we are getting on an established and already working connection.

Just trying to understand instead of blindly patching for the fun of it.

Brian

From dwaller at precisiondrive.com Thu Sep 21 14:12:23 2000
From: dwaller at precisiondrive.com (Dave Waller)
Date: Thu, 21 Sep 2000 14:12:23 -0500
Subject: [pptp-server] pptpctrl no worky
Message-ID: <39CA5D97.CB175C73@precisiondrive.com>

I have balled something up and it is making me nuts.

I used to have a working pptpd but now pptpctrl results in a seg fault.

Am I missing a lib or something?

Dave Waller

From mickh at Kincrome.com.au Thu Sep 21 17:38:48 2000
From: mickh at Kincrome.com.au (Michael Hayes)
Date: Fri, 22 Sep 2000 08:38:48 +1000
Subject: [pptp-server] D/L's
In-Reply-To: <39CA5D97.CB175C73@precisiondrive.com>
Message-ID:

Hi,

I was just wondering where the best place to d/l the ppp-2.3.11-openssl-0.9.5-mppe.patch.gz file is, I can't seem to find it.

Thanks

Mick

From mickh at Kincrome.com.au Thu Sep 21 17:51:02 2000
From: mickh at Kincrome.com.au (Michael Hayes)
Date: Fri, 22 Sep 2000 08:51:02 +1000
Subject: [pptp-server] D/L's
In-Reply-To:
Message-ID:

Sorry, I read some archives and found it...

Thanks

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Michael Hayes
Sent: Friday, 22 September 2000 08:39
To: pptp-server at lists.schulte.org
Subject: [pptp-server] D/L's

Hi,

I was just wondering where the best place to d/l the ppp-2.3.11-openssl-0.9.5-mppe.patch.gz file is, I can't seem to find it.

Thanks

Mick

From dlaursen at waverider.com Thu Sep 21 17:18:35 2000
From: dlaursen at waverider.com (Don Laursen)
Date: Thu, 21 Sep 2000 16:18:35 -0600
Subject: [pptp-server] D/L's
References:
Message-ID: <004501c0241a$016e2840$7401000a@nis001>

ftp://ftp.linuxcare.com.au/pub/ppp/ppp-2.3.11.tar.gz
ftp://ftp.binarix.com/pub/ppp-mppe/ppp-2.3.11-openssl-0.9.5-mppe.patch.gz

----- Original Message -----
From: "Michael Hayes"
To:
Sent: Thursday, September 21, 2000 4:38 PM
Subject: [pptp-server] D/L's

> Hi,
>
> I was just wondering where the best place to d/l the
> ppp-2.3.11-openssl-0.9.5-mppe.patch.gz file is, I can't seem to find
> it.
>
> Thanks
>
> Mick

From pgw99 at doc.ic.ac.uk Thu Sep 21 18:04:30 2000
From: pgw99 at doc.ic.ac.uk (Philip Willoughby)
Date: Fri, 22 Sep 2000 00:04:30 +0100 (BST)
Subject: [pptp-server] Windows 2000 <-> Linux VPN
Message-ID:

I have a problem:

From harald at iki.fi Fri Sep 22 01:11:03 2000
From: harald at iki.fi (Harald Hannelius)
Date: Fri, 22 Sep 2000 09:11:03 +0300 (EEST)
Subject: [pptp-server] pptpctrl no worky
In-Reply-To: <39CA5D97.CB175C73@precisiondrive.com>
Message-ID:

The same goes for me. I'm running on different slackwares. I posted a report on this a week ago, but to no response...

On Thu, 21 Sep 2000, Dave Waller wrote:

> I have balled something up and it is making me nuts.
>
> I used to have a working pptpd but now pptpctrl results in a seg fault.
>
> Am I missing a lib or something?
>
> Dave Waller

Harald H Hannelius | Harald at iki.fi | GSM +358405470870

From eilander at cobweb.nl Fri Sep 22 05:23:33 2000
From: eilander at cobweb.nl (Thijs Eilander)
Date: Fri, 22 Sep 2000 12:23:33 +0200
Subject: [pptp-server] protocol 47 forwarding on 2.4.x
Message-ID:

Does someone know how/if I can forward protocol 47 on a 2.4.0 kernel ?

I can't use stable kernel because the lack of aironet drivers in it :(

Regards,

Thijs Eilander

From jor at c2i.net Fri Sep 22 05:47:43 2000
From: jor at c2i.net (Jan Olav Rolfsnes)
Date: Fri, 22 Sep 2000 12:47:43 +0200
Subject: [pptp-server] protocol 47 forwarding on 2.4.x
References:
Message-ID: <39CB38CF.D23B0750@c2i.net>

Regarding to the HOWTO-PoPToP document you can specify the IP protocol by their numbers in ipchain for kernels newer than 2.2. It is possible to run ipchain with following parameters:

ipchain -I forward -p 47 -d 10.0.0.10 -j ACCEPT

Regards,
Jan Olav Rolfsnes

Thijs Eilander wrote:

> Does someone know how/if I can forward protocol 47 on a 2.4.0 kernel ?
>
> I can't use stable kernel because the lack of aironet drivers in it :(
>
> Regards,
>
> Thijs Eilander

From ed at schernau.com Fri Sep 22 05:53:15 2000
From: ed at schernau.com (Edward Schernau)
Date: Fri, 22 Sep 2000 06:53:15 -0400
Subject: [pptp-server] protocol 47 forwarding on 2.4.x
References: <39CB38CF.D23B0750@c2i.net>
Message-ID: <39CB3A1B.D4E1891A@schernau.com>

Jan Olav Rolfsnes wrote:
>
> Regarding to the HOWTO-PoPToP document you can specify the IP protocol by
> their numbers in ipchain for kernels newer than 2.2. It is possible to run
> ipchain with following parameters:
>
> ipchain -I forward -p 47 -d 10.0.0.10 -j ACCEPT

So does this eliminate the need for the special kernel patch for PPTP forwarding, if you have a Windows client behind the Linux IPMasq firewall?

--
Edward Schernau, mailto:ed at schernau.com
Network Architect http://www.schernau.com
RC5-64#: 243249 e-gold acct #:131897

From jor at c2i.net Fri Sep 22 09:10:48 2000
From: jor at c2i.net (Jan Olav Rolfsnes)
Date: Fri, 22 Sep 2000 16:10:48 +0200
Subject: [pptp-server] Automatic address translation of GRE
Message-ID: <39CB6868.E5E5AD72@c2i.net>

Hi all,

have any of you had problems with dynamic address translation of GRE packages? Say that we have the following network:

                    Internet
                       |
                       | 193.160.201.2
               +----------------+
               |       fw       |
               +----------------+
                       | .1
                       |                          10.0.0.0
   --------------------------------------------------------
            | .2                  | .3
            |                     |
      +-----------+         +-----------+
      |    m1     |         |    m2     |
      +-----------+         +-----------+

In my network the firewall NATs in dynamic mode and NATs the internal addresses into one public internet address. And that works all right as long as m1 and m2 use UDP or TCP for internet services. If m1 does a TCP request to an internet address the internal address 10.0.0.2 is translated to the public address 193.160.201.2. At the same time the firewall change the source port number of the TCP packet to a unique port number associated with m1's IP address. When the fw receives the reply the fw recognize the TCP port number, change the IP address associated with this port number and replace the port number with the original.

So this works fine as long as we use TCP and UDP packages and the firewall knows what port number is. But what happens if we want to route GRE packages over the firewall? Its impossible for the fw to route correctly. How can we solve this problem? Is this a disadvantage by using tunneling protocols like PPTP? Other VPN protocols use UDP as a tunneling protocol. Maybe that is smarter to use in this case?

Regards,
Jan Olav Rolfsnes

From ed at schernau.com Fri Sep 22 10:35:31 2000
From: ed at schernau.com (Edward Schernau)
Date: Fri, 22 Sep 2000 11:35:31 -0400
Subject: [pptp-server] Automatic address translation of GRE
References: <39CB6868.E5E5AD72@c2i.net>
Message-ID: <39CB7C43.B87FD4E2@schernau.com>

Jan Olav Rolfsnes wrote:

> So this works fine as long as we use TCP and UDP packages and the
> firewall knows what port number is. But what happens if we want to route
> GRE packages over the firewall? Its impossible for the fw to route
> correctly. How can we solve this problem? Is this a disadvantage by
> using tunneling protocols like PPTP? Other VPN protocols use UDP as a
> tunneling protocol. Maybe that is smarter to use in this case?

There is a kernel patch for 2.2.15 which applies to 2.2.16 with no problems, and works perfectly. However, someone recently suggested that you use "-p 47" in your ipchains rules, and it works. Or does this mean you've already patched???

--
Edward Schernau, mailto:ed at schernau.com
Network Architect http://www.schernau.com
RC5-64#: 243249 e-gold acct #:131897

From natecars at real-time.com Fri Sep 22 11:32:32 2000
From: natecars at real-time.com (Nate Carlson)
Date: Fri, 22 Sep 2000 11:32:32 -0500 (CDT)
Subject: [pptp-server] protocol 47 forwarding on 2.4.x
In-Reply-To: <39CB3A1B.D4E1891A@schernau.com>
Message-ID:

On Fri, 22 Sep 2000, Edward Schernau wrote:
> > Regarding to the HOWTO-PoPToP document you can specify the IP protocol by
> > their numbers in ipchain for kernels newer than 2.2. It is possible to run
> > ipchain with following parameters:
> >
> > ipchain -I forward -p 47 -d 10.0.0.10 -j ACCEPT
>
> So does this eliminate the need for the special kernel patch
> for PPTP forwarding, if you have a Windows client behind the
> Linux IPMasq firewall?

No. That patch allows PPTP to be masq'd.

--
Nate Carlson | Phone : (952)943-8700
http://www.real-time.com | Fax : (952)943-8500

From orion at bld.cqg.com Sat Sep 23 14:06:45 2000
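The demultiplexing problem discussed in the posts above, as an added example that is not from any post or from the masquerading patch: a port-translating NAT tells TCP replies apart by port, while GRE replies from one server can only be told apart by the Call ID that PPTP's enhanced GRE header carries (RFC 2637). The inside addresses come from the diagram in the thread; the server address, ports, Call ID values and class names are constructed for illustration.

```python
import struct

PPTP_GRE_PROTO = 0x880B          # protocol type of PPTP's enhanced GRE (RFC 2637)
K_BIT, S_BIT, A_BIT, VER_MASK = 0x2000, 0x1000, 0x0080, 0x0007


def build_pptp_gre(call_id, payload=b"", seq=None):
    """Build an enhanced GRE (version 1) packet: flags, type, length, Call ID."""
    flags = K_BIT | 1                      # key field present, version 1
    if seq is not None:
        flags |= S_BIT                     # sequence number present
    header = struct.pack("!HHHH", flags, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    return header + payload


def parse_pptp_gre(packet):
    """Return the header fields of an enhanced GRE packet, or raise ValueError."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", packet[:8])
    if flags & VER_MASK != 1 or not flags & K_BIT or proto != PPTP_GRE_PROTO:
        raise ValueError("not PPTP enhanced GRE")
    offset, seq, ack = 8, None, None
    if flags & S_BIT:
        (seq,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & A_BIT:
        (ack,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    payload = packet[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated GRE payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


class TcpNat:
    """Port translation as the post describes it: one public port per flow."""

    def __init__(self, first_port=61000):
        self.next_port = first_port
        self.by_port = {}

    def outbound(self, inside_ip, inside_port):
        port, self.next_port = self.next_port, self.next_port + 1
        self.by_port[port] = (inside_ip, inside_port)
        return port

    def inbound(self, public_port):
        return self.by_port.get(public_port)


class GreNat:
    """Inbound GRE demultiplexer, keyed by server only or by server + Call ID."""

    def __init__(self, use_call_id):
        self.use_call_id = use_call_id
        self.table = {}

    def _key(self, server_ip, call_id):
        return (server_ip, call_id) if self.use_call_id else (server_ip,)

    def learn(self, inside_ip, server_ip, client_call_id):
        """Record a tunnel. client_call_id is the ID the inside client chose
        (announced on the TCP 1723 control connection); packets from the
        server carry it. Returns False if the key belongs to another host."""
        owner = self.table.setdefault(self._key(server_ip, client_call_id),
                                      inside_ip)
        return owner == inside_ip

    def route_inbound(self, server_ip, gre_packet):
        call_id = parse_pptp_gre(gre_packet)["call_id"]
        return self.table.get(self._key(server_ip, call_id))


def demo():
    server = "198.51.100.7"              # constructed PPTP server address
    m1, m2 = "10.0.0.2", "10.0.0.3"      # inside hosts from the post's diagram
    tcp = TcpNat()
    p1, p2 = tcp.outbound(m1, 1025), tcp.outbound(m2, 1025)
    reply_for_m2 = build_pptp_gre(0x2222, b"\xc0\x21\x01\x01\x00\x04", seq=7)
    results = {"tcp": (tcp.inbound(p1), tcp.inbound(p2))}
    for name, mode in (("naive", False), ("call_id", True)):
        nat = GreNat(mode)
        learned = (nat.learn(m1, server, 0x1111), nat.learn(m2, server, 0x2222))
        results[name] = (learned, nat.route_inbound(server, reply_for_m2))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

An ACCEPT rule for protocol 47 only lets such packets through; deciding which inside host a reply belongs to is the separate masquerading step modelled by `GreNat`.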
From: orion at bld.cqg.com (Orion Poplawski)
Date: Sat, 23 Sep 2000 13:06:45 -0600
Subject: [pptp-server] Cannot dial in
Message-ID: <004501c02591$6bdb6580$0500000a@cynosure>

Have PPTP 1.1.1 with PPP 2.3.11 installed and configured as follows:

/etc/pptp.conf:

debug
localip 192.168.20.240
remoteip 192.168.20.241-245
listen

/etc/ppp/options:

#ms-dns 192.168.20.90
#ms-dns 192.168.20.83
#ms-wins 192.168.20.90
#ms-wins 192.168.20.83
debug
auth
proxyarp
require-chap
#+chapms
#+chapms-v2
#+mppe-40
#+mppe-128
#+mppe-stateless

I've also tried with various permutations of the above. However I always
get the following error after timing out during "Verifying username and
password.." when trying to connect from my NT4 box:

Disconnected. Error 629: The data link was terminated by the remote
machine.

Looking at the debug log I see:

Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: Made a START CTRL CONN RPLY packet
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: I wrote 156 bytes to the client.
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: Sent packet to client
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: Received PPTP Control Message (type: 7)
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: 0 min_bps, 152 max_bps, 32 window size
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: Made a OUT CALL RPLY packet
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: pty_fd = 4
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: tty_fd = 5
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: I wrote 32 bytes to the client.
Sep 23 13:08:52 bldigw pptpd[24936]: CTRL (PPPD Launcher): Connection speed = 115200
Sep 23 13:08:52 bldigw pptpd[24936]: CTRL (PPPD Launcher): local address = 192.168.20.240
Sep 23 13:08:52 bldigw pptpd[24936]: CTRL (PPPD Launcher): remote address = 192.168.20.241
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: Sent packet to client
Sep 23 13:08:52 bldigw pppd[24936]: sent [LCP ConfReq id=0x1 ]
Sep 23 13:08:52 bldigw pppd[24936]: Timeout 0x8050160:0x80772b8 in 3 seconds.
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: Received PPTP Control Message (type: 15)
Sep 23 13:08:52 bldigw pptpd[24935]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Sep 23 13:08:52 bldigw pppd[24936]: rcvd [LCP ConfReq id=0x0 ]
Sep 23 13:08:52 bldigw pppd[24936]: lcp_reqci: returning CONFACK.
Sep 23 13:08:52 bldigw pppd[24936]: sent [LCP ConfAck id=0x0 ]
Sep 23 13:08:54 bldigw pppd[24936]: rcvd [LCP ConfReq id=0x0 ]
Sep 23 13:08:54 bldigw pppd[24936]: lcp_reqci: returning CONFACK.
Sep 23 13:08:54 bldigw pppd[24936]: sent [LCP ConfAck id=0x0 ]
Sep 23 13:08:55 bldigw pppd[24936]: sent [LCP ConfReq id=0x1 ]
Sep 23 13:08:55 bldigw pppd[24936]: Timeout 0x8050160:0x80772b8 in 3 seconds.

These last 8 messages repeat a few times, until:

Sep 23 13:09:21 bldigw pppd[24936]: rcvd [LCP ConfReq id=0x0 ]
Sep 23 13:09:21 bldigw pppd[24936]: lcp_reqci: returning CONFACK.
Sep 23 13:09:21 bldigw pppd[24936]: sent [LCP ConfAck id=0x0 ]
Sep 23 13:09:22 bldigw pptpd[24935]: CTRL: Exiting now
Sep 23 13:09:22 bldigw pptpd[819]: MGR: Reaped child 24935

So it looks like the two machines are communicating fine (no blocked
packets) but they can't agree on the PPP configuration. Any ideas?

TIA,

- Orion Poplawski

From godfrey at hattaway-associates.com Sat Sep 23 22:57:59 2000
From: godfrey at hattaway-associates.com (Godfrey)
Date: Sun, 24 Sep 2000 15:57:59 +1200
Subject: [pptp-server] tcp wrappers, 128 bit encription
References: <004501c02591$6bdb6580$0500000a@cynosure>
Message-ID: <39CD7BC6.9857570D@hattaway-associates.com>

1. Does anyone have a patch so that pptpd works with tcp_wrappers that
they can share? I have patched it myself and it appears to be working
but I want to check that my patch is correct (my C is very rusty).

2. Where can I get the 128 bit encryption upgrade for win98? I have tried
everywhere on Micro$oft's site but have had no luck; the Explorer upgrade
upgrades Explorer's encryption to 128 but not pptp.

Thanks

Godfrey Livingstone

From Marc_Eisenbarth at baylor.edu Sat Sep 23 23:35:47 2000
From: Marc_Eisenbarth at baylor.edu (Marc Eisenbarth) Date: Sat, 23 Sep 2000 23:35:47 -0500 Subject: [pptp-server] help with FreeBSD. Message-ID: <39CD84A3.53069034@baylor.edu> I'm getting the following debug output: Sep 23 23:11:19 olympus pptpd[73968]: MGR: Manager process started Sep 23 23:11:27 olympus pptpd[73969]: MGR: Launching /usr/local/sbin/pptpctrl to handle client Sep 23 23:11:27 olympus pptpd[73969]: CTRL: pppd speed = 115200 Sep 23 23:11:27 olympus pptpd[73969]: CTRL: pppd options file = /etc/ppp/options Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Client 148.104.2.222 control connection started Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Received PPTP Control Message (type: 1) Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Made a START CTRL CONN RPLY packet Sep 23 23:11:27 olympus pptpd[73969]: CTRL: I wrote 156 bytes to the client. Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Sent packet to client Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Received PPTP Control Message (type: 7) Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Set parameters to 1525 maxbps, 64 window size Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Made a OUT CALL RPLY packet Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Starting call (launching pppd, opening GRE) Sep 23 23:11:29 olympus pptpd[73969]: CTRL: pty_fd = 6 Sep 23 23:11:29 olympus pptpd[73969]: CTRL: tty_fd = 5 Sep 23 23:11:29 olympus pptpd[73969]: CTRL: I wrote 32 bytes to the client. 
Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Sent packet to client Sep 23 23:11:29 olympus pptpd[73969]: GRE: Discarding duplicate packet Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Received PPTP Control Message (type: 15) Sep 23 23:11:29 olympus ppp[73970]: Warning: Label pptp rejected -direct connection: Configuration label not found Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Got a SET LINK INFO packet with standard ACCMs Sep 23 23:11:29 olympus pptpd[73969]: GRE: read(fd=6,buffer=804d840,len=8196) from PTY failed: status = 0 error = No error Sep 23 23:11:29 olympus pptpd[73969]: CTRL: PTY read or GRE write failed (pty,gre)=(6,5) Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Client 148.104.2.222 control connection finished Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Exiting now Sep 23 23:11:29 olympus pptpd[73968]: MGR: Reaped child 73969 Also, I'm running FreeBSD... what's wrong?? Thanks in advance, -Marc From john.hovell at home.com Sun Sep 24 00:06:39 2000 From: john.hovell at home.com (John Hovell) Date: Sun, 24 Sep 2000 01:06:39 -0400 Subject: [pptp-server] pptp with tcpwrappers? Message-ID: <39CD8BDF.1EE8C2B2@home.com> Hello all -- I am wondering if anyone has an intelligent way to run pptp to restrict access to the hosts you want.... I am trying to start it in /etc/inetd.conf... but it isn't working too well... either with wait or nowait. I have the respawning disabled in /etc/inittab. Does PoPToP support tcp_wrappers in any way, or is there a way to restrict hosts in PoPToP's own config? Thanks, John From godfrey at hattaway-associates.com Sun Sep 24 00:30:11 2000 
From: godfrey at hattaway-associates.com (Godfrey) Date: Sun, 24 Sep 2000 17:30:11 +1200 Subject: [pptp-server] help with FreeBSD. References: <39CD84A3.53069034@baylor.edu> Message-ID: <39CD9163.E4179875@hattaway-associates.com> Have you upgraded your 95/98 Clients with vpnupd.exe available from microsoft. see http://www.microsoft.com/windows98/downloads/corporate.asp Godfrey Marc Eisenbarth wrote: > I'm getting the following debug output: > > Sep 23 23:11:19 olympus pptpd[73968]: MGR: Manager process > started > Sep 23 23:11:27 olympus pptpd[73969]: MGR: Launching > /usr/local/sbin/pptpctrl to handle client > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: pppd speed = > 115200 > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: pppd options > file = /etc/ppp/options > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Client > 148.104.2.222 control connection started > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Received PPTP > Control Message (type: 1) > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Made a START > CTRL CONN RPLY packet > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: I wrote 156 > bytes to the client. > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Sent packet > to client > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Received PPTP > Control Message (type: 7) > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Set > parameters to 1525 maxbps, 64 window size > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Made a OUT > CALL RPLY packet > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Starting call > (launching pppd, opening GRE) > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: pty_fd = 6 > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: tty_fd = 5 > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: I wrote 32 > bytes to the client. 
> Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Sent packet > to client > Sep 23 23:11:29 olympus pptpd[73969]: GRE: Discarding > duplicate packet > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Received PPTP > Control Message (type: 15) > Sep 23 23:11:29 olympus ppp[73970]: Warning: Label pptp > rejected -direct connection: Configuration label not found > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Got a SET > LINK INFO packet with standard ACCMs > Sep 23 23:11:29 olympus pptpd[73969]: GRE: > read(fd=6,buffer=804d840,len=8196) from PTY failed: status = 0 error = > No error > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: PTY read or GRE > write failed (pty,gre)=(6,5) > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Client > 148.104.2.222 control connection finished > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Exiting now > Sep 23 23:11:29 olympus pptpd[73968]: MGR: Reaped child > 73969 > > Also, I'm running FreeBSD... what's wrong?? > > Thanks in advance, > -Marc > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From Steve.Cowles at infohiiway.com Sun Sep 24 08:36:09 2000 From: Steve.Cowles at infohiiway.com (Cowles, Steve) Date: Sun, 24 Sep 2000 08:36:09 -0500 Subject: [pptp-server] pptp with tcpwrappers? Message-ID: <90769AF04F76D41186C700A0C90AFC3EE541@DEFIANT> You could restrict access to your PopTop server at your firewall. i.e. ipchains. Then start PopTop as a daemon instead of from tcp_wrappers. This is how my system is configured. An example using ipchains with default input policy already set to DENY: 1.2.3.4 is remote pptp client IP address 5.6.7.8 is external IP address of the firewall. Also could be the same IP as PopTop server. ipchains -A input -p TCP -s 1.2.3.4 --dport 1723 -j ACCEPT ipchains -A input -p 47 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT Steve Cowles > -----Original Message----- 
> From: John Hovell [mailto:john.hovell at home.com] > Sent: Sunday, September 24, 2000 12:07 AM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] pptp with tcpwrappers? > > > Hello all -- > > I am wondering if anyone has an intelligent way to run pptp > to restrict access to the hosts you want.... > > I am trying to start it in /etc/inetd.conf... but it isn't working too > well... either with wait or nowait. I have the respawning disabled in > /etc/inittab. > > Does PoPToP support tcp_wrappers in any way, or is there a way to > restrict hosts in PoPToP's own config? > > Thanks, > John > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > From Marc_Eisenbarth at baylor.edu Sun Sep 24 12:25:32 2000 
From: Marc_Eisenbarth at baylor.edu (Marc Eisenbarth) Date: Sun, 24 Sep 2000 12:25:32 -0500 Subject: [pptp-server] help with FreeBSD [2]. References: <39CD84A3.53069034@baylor.edu> <39CD9163.E4179875@hattaway-associates.com> Message-ID: <39CE390C.D21AFC2@baylor.edu> All my clients are Windows 2000 machines. It looks like its a problem with permissions/insufficient PTYs.. but I don't know much about this... -Marc Godfrey wrote: > Have you upgraded your 95/98 Clients with vpnupd.exe available from > microsoft. > see http://www.microsoft.com/windows98/downloads/corporate.asp > > Godfrey > > Marc Eisenbarth wrote: > > > I'm getting the following debug output: > > > > Sep 23 23:11:19 olympus pptpd[73968]: MGR: Manager process > > started > > Sep 23 23:11:27 olympus pptpd[73969]: MGR: Launching > > /usr/local/sbin/pptpctrl to handle client > > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: pppd speed = > > 115200 > > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: pppd options > > file = /etc/ppp/options > > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Client > > 148.104.2.222 control connection started > > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Received PPTP > > Control Message (type: 1) > > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Made a START > > CTRL CONN RPLY packet > > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: I wrote 156 > > bytes to the client. 
> > Sep 23 23:11:27 olympus pptpd[73969]: CTRL: Sent packet > > to client > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Received PPTP > > Control Message (type: 7) > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Set > > parameters to 1525 maxbps, 64 window size > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Made a OUT > > CALL RPLY packet > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Starting call > > (launching pppd, opening GRE) > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: pty_fd = 6 > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: tty_fd = 5 > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: I wrote 32 > > bytes to the client. > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Sent packet > > to client > > Sep 23 23:11:29 olympus pptpd[73969]: GRE: Discarding > > duplicate packet > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Received PPTP > > Control Message (type: 15) > > Sep 23 23:11:29 olympus ppp[73970]: Warning: Label pptp > > rejected -direct connection: Configuration label not found > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Got a SET > > LINK INFO packet with standard ACCMs > > Sep 23 23:11:29 olympus pptpd[73969]: GRE: > > read(fd=6,buffer=804d840,len=8196) from PTY failed: status = 0 error = > > No error > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: PTY read or GRE > > write failed (pty,gre)=(6,5) > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Client > > 148.104.2.222 control connection finished > > Sep 23 23:11:29 olympus pptpd[73969]: CTRL: Exiting now > > Sep 23 23:11:29 olympus pptpd[73968]: MGR: Reaped child > > 73969 > > > > Also, I'm running FreeBSD... what's wrong?? > > > > Thanks in advance, > > -Marc > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! 
> > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From godfrey at hattaway-associates.com Sun Sep 24 15:25:22 2000 From: godfrey at hattaway-associates.com (Godfrey) Date: Mon, 25 Sep 2000 08:25:22 +1200 Subject: [pptp-server] pptp with tcpwrappers? References: <90769AF04F76D41186C700A0C90AFC3EE541@DEFIANT> Message-ID: <39CE6332.87C0A055@hattaway-associates.com> This only works if you know the IP addresses of the clients that will connect. What if you only know the domain name as is the case when road warriors connect to an ISP then to pptpd? Then using tcp_wrappers to restrict who can access PopTop is useful. You do not need to start PopTop from tcp_wrappers you can access the tcp_wrappers library from PopTop if you change pptdctrl.c to get it to check with tcp_wrappers if the connection is allowed. This way you can still run it as a daemon. "Cowles, Steve" wrote: > You could restrict access to your PopTop server at your firewall. i.e. > ipchains. Then start PopTop as a daemon instead of from tcp_wrappers. This > is how my system is configured. > > An example using ipchains with default input policy already set to DENY: > > 1.2.3.4 is remote pptp client IP address > 5.6.7.8 is external IP address of the firewall. Also could be the same IP as > PopTop server. > > ipchains -A input -p TCP -s 1.2.3.4 --dport 1723 -j ACCEPT > ipchains -A input -p 47 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT > > Steve Cowles > > > -----Original Message----- 
> > From: John Hovell [mailto:john.hovell at home.com] > > Sent: Sunday, September 24, 2000 12:07 AM > > To: pptp-server at lists.schulte.org > > Subject: [pptp-server] pptp with tcpwrappers? > > > > > > Hello all -- > > > > I am wondering if anyone has an intelligent way to run pptp > > to restrict access to the hosts you want.... > > > > I am trying to start it in /etc/inetd.conf... but it isn't working too > > well... either with wait or nowait. I have the respawning disabled in > > /etc/inittab. > > > > Does PoPToP support tcp_wrappers in any way, or is there a way to > > restrict hosts in PoPToP's own config? > > > > Thanks, > > John > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From ctooley at amoa.org Sun Sep 24 16:43:00 2000 From: ctooley at amoa.org (ctooley at amoa.org) Date: Sun, 24 Sep 2000 16:43:00 -0500 Subject: [pptp-server] Trying to compile the modules to use the MS PPP stuff. Message-ID: <86256964.00773898.00@amoa.org> Is the correct place to ask questions about the MSCHAP/MPPE patches to ppp (figured here was as good as any as I got the patches from the PoPToP website)? I'm trying to compile the modules and I'm getting all kinds of errors with PPP_MAGIC not being defined.??? Chris Tooley From SCody at Gulbrandsen.com Mon Sep 25 07:32:20 2000 
From: SCody at Gulbrandsen.com (Steve Cody)
Date: Mon, 25 Sep 2000 08:32:20 -0400
Subject: [pptp-server] More than just password authentication?
Message-ID:

I use PoPToP on a Redhat linux system. It is working great. My only
issue is that I don't like to have the only barrier between a hacker and
my network be a username and password. I rely on my firewall for
security. Currently, I have a generic username and password and when my
users need to connect, they give me their IP address and I allow that
through my firewall for the length of their VPN connection. This is
obviously not the best way to provide VPN access for my users. It has
several limitations.

The problem with using only username/password authentication is that any
hacker with a brute force hacking program, and enough time on their
hands can start at 6pm on a Friday night and maybe get somewhere by
Sunday.... You know what I mean?

I would like to have a way to allow my Windows clients to connect
without merely having a username and password. Are there better ways of
authenticating users? When I connect to my linux systems for
administrative purposes, I use RSA authentication. I don't have to worry
about the username and password. Is anything similar to this available
for PoPToP/PPP? I need to have it open to all IP addresses.

Thanks in advance!

Steve Cody, MCSE
Information Systems Administrator
Gulbrandsen Manufacturing, Inc.
Office - 803.531.2413 x102
Email - scody at gulbrandsen.com

From chavant at geosys.fr Mon Sep 25 10:01:02 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Mon, 25 Sep 2000 17:01:02 +0200
Subject: [pptp-server] problem connecting to PoPTop server
Message-ID: <004901c02701$6c1a7e20$7c03a8c0@pcjpc>

hello,

I have installed PoPToP with
http://www.moretonbay.com/vpn/releases/PoPToP-RedHat-HOWTO.txt (step 3.0)

When I connect from my Win95 box to my VPN PoPToP box I get the error 629
(pptpd daemon is running ...).

In /var/log/messages I have:

Sep 25 05:10:47 endeavour kernel: CSLIP: code copyright 1989 Regents of the University of California
Sep 25 05:10:47 endeavour kernel: PPP: version 2.3.7 (demand dialling)
Sep 25 05:10:47 endeavour kernel: PPP line discipline registered.
Sep 25 05:10:47 endeavour kernel: registered device ppp0
Sep 25 05:10:47 endeavour pppd[768]: The remote system is required to authenticate itself
Sep 25 05:10:47 endeavour pppd[768]: but I couldn't find any suitable secret (password) for it to use to do so.
Sep 25 05:10:47 endeavour pptpd[767]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Erreur d'entrée/sortie
Sep 25 05:10:47 endeavour pptpd[767]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 25 05:10:47 endeavour pptpd[767]: CTRL: Client 192.168.3.124 control connection finished

My VPN box is linux 2.2.14 with ppp-2.3.11 and pptpd-1.0.0 (rpm package)
and I don't use ms-chap and mppe.

/etc/ppp/option

debug
auth
+chap
proxyarp
lock

/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client server secret IP addresses
test test

/etc/ppp/pa-secrets

# Secrets for authentication using PAP
# client server secret IP addresses
test test

/etc/pptpd.conf

localip 192.168.0.245
remoteip 192.168.0.234-238

My first problem is why in /var/log/messages the kernel says PPP:
version 2.3.7 (I have installed the 2.3.11 ... )?

Can someone help me?

JPaul

From kennya at carlislefsp.com Mon Sep 25 11:00:47 2000
From: kennya at carlislefsp.com (Kenny Austin)
Date: Mon, 25 Sep 2000 11:00:47 -0500
Subject: [pptp-server] problem connecting to PoPTop server
In-Reply-To: <004901c02701$6c1a7e20$7c03a8c0@pcjpc>
Message-ID: <000e01c02709$c59bb9c0$5f020a0a@carlislefsp.com>

>/etc/ppp/chap-secrets
>
># Secrets for authentication using CHAP
># client server secret IP addresses
>test test
>
>/etc/ppp/pa-secrets
># Secrets for authentication using PAP
># client server secret IP addresses
>test test

You don't need to have anything in /etc/ppp/pap-secrets (pptpd will be
using chaps). The chap-secrets is (I hate to use the word, but can't
think of a better way) space delimited.. (ouch) in that ppp will read
what you have as client=test, server=test, secret= , IP addresses= .

Put asterisks * instead, so that it reads:

test * test *

which would be client=test, server=* (anything), secret=test,
IP Addresses=* (it will then be assigned from pptpd.conf)

Kenny Austin
kennya at carlislefsp.com

From ldong99 at yahoo.com Mon Sep 25 13:20:47 2000
From: ldong99 at yahoo.com (Lishuang Dong)
Date: Mon, 25 Sep 2000 11:20:47 -0700 (PDT)
Subject: [pptp-server] PPTP client for SunOS5.7
Message-ID: <20000925182047.24623.qmail@web3301.mail.yahoo.com>

does anybody test the PPTP client on SunOS5.7 with network card? I
installed PPTP package without PPPD, and when I run "pptp
host_IPaddress", I got the error "Error: No such file or directory".

thank you for your help!

lisa

__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/

From ldong99 at yahoo.com Mon Sep 25 13:59:48 2000
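[Added example, not part of any message in this thread and not pppd's own code.] Kenny Austin's reply above explains that chap-secrets is split on whitespace, so "test test" fills client and server and leaves the secret empty. This Python sketch lints a secrets file for that mistake; it approximates pppd's word splitting with shlex (an assumption: pppd's own parser may treat "#" inside a word differently), and the function names and sample file contents are constructed.

```python
import shlex

FIELDS = ("client", "server", "secret")


def parse_secrets(text):
    """Yield (line_no, words, error) for every non-comment, non-empty line."""
    for no, line in enumerate(text.splitlines(), 1):
        try:
            # Whitespace-delimited words, double quotes group, '#' comments.
            words = shlex.split(line, comments=True)
        except ValueError as exc:          # e.g. an unbalanced quote
            yield no, None, str(exc)
            continue
        if words:
            yield no, words, None


def lint_secrets(text):
    """Return a list of (line_no, severity, message) findings."""
    findings = []
    for no, words, err in parse_secrets(text):
        if err:
            findings.append((no, "error", f"unparseable line: {err}"))
            continue
        entry = dict(zip(FIELDS, words))
        if "secret" not in entry:
            # The case from the thread: two words fill client and server only.
            missing = ", ".join(FIELDS[len(words):])
            findings.append(
                (no, "error", f"missing field(s): {missing}; parsed as {entry}"))
            continue
        if not words[3:]:
            findings.append((no, "warning", "no IP addresses field"))
        if entry["secret"] == entry["client"]:
            findings.append((no, "warning", "secret equals client name"))
    return findings


# Constructed from the file contents quoted in the thread.
BROKEN = """\
# Secrets for authentication using CHAP
# client server secret IP addresses
test test
"""

# The form suggested in the reply.
FIXED = """\
# client server secret IP addresses
test * test *
"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        for finding in lint_secrets(sample):
            print(label, finding)
```
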
From: ldong99 at yahoo.com (Lishuang Dong) Date: Mon, 25 Sep 2000 11:59:48 -0700 (PDT) Subject: [pptp-server] PPTP client for SunOS5.7 Message-ID: <20000925185948.718.qmail@web3301.mail.yahoo.com> does anybody test the PPTP client on SunOS5.7 with network card? I installed PPTP package without PPPD, and when I run "pptp host_IPaddress", I got the error "Error: No such file or directory". thank you for your help! lisa __________________________________________________ Do You Yahoo!? Send instant messages & get email alerts with Yahoo! Messenger. http://im.yahoo.com/ From ldong99 at yahoo.com Mon Sep 25 14:00:28 2000 From: ldong99 at yahoo.com (Lishuang Dong) Date: Mon, 25 Sep 2000 12:00:28 -0700 (PDT) Subject: [pptp-server] PPPD and PPTP package for SunOS5.7 Sparc Message-ID: <20000925190028.927.qmail@web3301.mail.yahoo.com> Does anyone know where I can download PPPD and PPTP package for SunOS5.7 on Sparc. thanks a lot! lisa __________________________________________________ Do You Yahoo!? Send instant messages & get email alerts with Yahoo! Messenger. http://im.yahoo.com/ From alagana at discmail.com Mon Sep 25 15:33:10 2000 From: alagana at discmail.com (Aldo S. Lagana) Date: Mon, 25 Sep 2000 16:33:10 -0400 Subject: [pptp-server] PoPToP v 1.0.0 installation on Linux kernel 2.2.14 Message-ID: I cannot get the ppp_mppe.c file to get compiled into the modules directory - I have had no problems with it on kernel version 2.2.10 (these are both on Caldera distro). I get the patch and apply it...it seems to create the file (or make does - I am not sure), but when it is said and done I do not have the ppp_mppe.o file available to load as a module. This is a clean kernel install, so that should not be a problem... any ideas will help Aldo S Lagana alagana at DISCmail.com 860 674 0550 www.DISClink.com From umar at pointer.web.id Mon Sep 25 18:07:12 2000 
From: umar at pointer.web.id (umar at pointer.web.id)
Date: Mon, 25 Sep 2000 23:07:12 GMT
Subject: [pptp-server] PPPD and PPTP package for SunOS5.7 Sparc
In-Reply-To: <20000925190028.927.qmail@web3301.mail.yahoo.com>
References: <20000925190028.927.qmail@web3301.mail.yahoo.com>
Message-ID: <20000925230712.29966.qmail@pointer.web.id>

At that time, Lishuang Dong wrote:

I'm trying to have downstream connection from speedcast (
http://www.speedcast.com) I just tried to use pptp for vpn connection to
them but still can't activate the satellite connection. They don't
support vpn connection from Linux-box

Need someone to help me.

Best Regards,
MUST
----
http://www.pointer.web.id

From dosachoff at hotmail.com Mon Sep 25 19:12:19 2000
From: dosachoff at hotmail.com (Derek Osachoff)
Date: Mon, 25 Sep 2000 17:12:19 PDT
Subject: [pptp-server] EOF errors ?
Message-ID:

Greetings,

I have been using PoPToP for about 6 months now. With great results -
looking forward to 1.1.1.

But I seem to have this re-occurring problem. This will happen every
couple of weeks (usually on a weekend too) where no one is able to log
in. And the syslog is filling up with errors like:

Sep 25 11:29:07 yvr pptpd[27376]: CTRL: EOF or bad error reading ctrl packet length.
Sep 25 11:29:07 yvr pptpd[27376]: CTRL: couldn't read packet header (exit)
Sep 25 11:29:07 yvr pptpd[27376]: CTRL: Unexpected control message 0 in disconnect sequence

To stop this I kill the pid and stop/start the service.

What is happening? Is it one of my users that is causing this (staying
on too long etc.)? This is beginning to really irk me and I would
appreciate any suggestions / comments.

Thanks in advance,
Derek

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
Share information about yourself, create your own public profile at
http://profiles.msn.com.

From cresswell at comcen.com.au Tue Sep 26 03:12:46 2000
From: cresswell at comcen.com.au (ron)
Date: Tue, 26 Sep 2000 19:12:46 +1100
Subject: [pptp-server] Newbie question - hopefully trivial!
Message-ID: <39D05A7E.8C9E47A2@comcen.com.au>

Hi folks,

I want to connect our two offices together using PopTop, and I think I'm
ok to go ahead and implement it. However, I have a "what then" question!

Our two offices both have Linux firewalls and I have two other Linux
machines ready to form the VPN connection through those firewalls. I
want not only to be able to do things like telnet and ftp back and
forth, but also to be able to have the Windows machines in one office
browse the windoze machines in the other office. If the termination
point of the VPN connection is a Linux box, how do I achieve that?

Here are my thoughts so far - any comments would be very welcome, as I'm
feeling my way in the dark!

1. Set up the VPN connection (doh)
2. Get the routing tables right on the two VPN boxes, so that traffic
aimed at the other office goes down the PPTP interface, and other
traffic goes directly to the firewall (for routing to the internet).
3. Set all the machines inside the office, which currently have the
firewall as their default gateway, to point to the VPN machine as their
default gateway.

I *think* that'll be ok. But the complicating factor is that we have a
single class C network which is subnetted between the offices, so that
our netmask is 255.255.255.128 (in fact it's split into 4 groups, but
that's unnecessarily complicated). So how would broadcast packets be
treated? They are no longer being sent out to the same IP address in the
two offices (one might be 192.168.2.255 and the other might be
192.168.2.127) so would the two networks be able to see each other? Or
have I simply misunderstood the nature of broadcast packets?

As I said, any comments would be very welcome!

Warm regards

Ron

From SCody at Gulbrandsen.com Tue Sep 26 08:05:08 2000
From: SCody at Gulbrandsen.com (Steve Cody)
Date: Tue, 26 Sep 2000 09:05:08 -0400
Subject: [pptp-server] Newbie question - hopefully trivial!
Message-ID:

Your broadcast packets will not go across the routers through the VPN.
The broadcasts will stay on their local subnet. In order for you to
browse the opposite side of your VPN connection, you'll either have to
have a WINS server(s), or set up lmhosts files on the clients. With
Samba in linux, you can set them up as WINS servers and as the Master
browsers on your network.

Your configuration as you suggested will work. Depending on how big your
office The only problem you may have is keeping the connection up and
automating the connection/reconnection.

I have a similar configuration as you and have tried the PoPToP solution
for the VPN and it didn't work for me. I ended up using the VPN using
SSH How-to. That works great for me.

Good luck.

Steve Cody

-----Original Message-----
From: ron [mailto:cresswell at comcen.com.au] Sent: Tuesday, September 26, 2000 4:13 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] Newbie question - hopefully trivial! Hi folks, I want to connect our two offices together using PopTop, and I think I'm ok to go ahead and implement it. However, I have a "what then" question! Our two offices both have Linux firewalls and I have two other Linux machines ready to form the VPN connection through those firewalls. I want not only to be able to do things like telnet and ftp back and forth, but also to be able to have the Windows machines in one office browse the windoze machines in the other office. If the termination point of the VPN connection is a Linux box, how do I achieve that? Here are my thoughts so far - any comments would be very welcome, as I feeling my way in the dark! 1. Set up the VPN connection (doh) 2. Get the routing tables right on the two VPN boxes, so that traffic aimed at the other office goes down the PPTP interface, and other traffic goes directly to the firewall (for routing to the internet). 3. Set all the machines inside the office, which currently have the firewall as their default gateway, to point to the VPN machine as their default gateway. I *think* that'll be ok. But the complicating factor is that we have a single class C network which is subnetted between the offices, so that our netmask is 255.255.255.128 (in fact it's split into 4 groups, but that's unnecessarily complicated). So how would broadcast packets be treated? They are no longer being sent out to the same IP address in the two offices (one might be 192.168.2.255 and the other might be 192.168.2.127) so would the two networks be able to see each other? Or have I simply misunderstood the nature of broadcast packets? As I said, any comments would be very welcome! 
Warm regards

Ron

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From aalang at rutgersinsurance.com Tue Sep 26 10:39:14 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Tue, 26 Sep 2000 11:39:14 -0400
Subject: [pptp-server] accessing internal computers
Message-ID: <004d01c027cf$ecc634a0$330a0a0a@Adam>

The setup I have is a VPN with an internal IP of 10.10.10.x and external
ip of 38.138.71.x

There is another server with the ip address of 10.10.10.x2

I successfully set up pptpd and was able to have a win98 client connect
to the VPN server and ping its internal address, but I could not ping a
server inside the network.

I was looking over the faq and got a bit confused on the solution. Any
help would be appreciated on configurations I need to change or do.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company

From superhero21 at hotmail.com Tue Sep 26 11:35:29 2000
From: superhero21 at hotmail.com (Piti Cherntanomwong)
Date: Tue, 26 Sep 2000 16:35:29 GMT
Subject: [pptp-server] PPtP problem
Message-ID:

Hi,

I run pptpd for vpn server and run pptp on linux client. How can I know
if it works or not? There's no error. My server is 192.41.170.18 and
client is 192.41.170.17. They are on the same network.

Thank you very much

Can

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
Share information about yourself, create your own public profile at
http://profiles.msn.com.

From tony at secureea.com Tue Sep 26 13:15:14 2000
From: tony at secureea.com (Tony Simone)
Date: Tue, 26 Sep 2000 14:15:14 -0400
Subject: [pptp-server] Newbie question - hopefully trivial!
References: <39D05A7E.8C9E47A2@comcen.com.au>
Message-ID: <39D0E7B2.7825D397@secureea.com>

Ron,

Not to stomp on PoPToP, because it is great stuff and I'm very happy using it, but for your scenario you may want to consider IPSec. FreeS/WAN (at www.freeswan.org) is a wonderful little IPSec implementation that does exactly what you want. Like PPTP, there is a kernel rebuild, software installation, and general brain-expansion needed to make it work. I'm currently using it between my company and a client's office and it works great. We are using PPTP for the home users connecting in to each individual network so they can browse their network and such.

As another user mentioned, you will still need WINS to get windoze browsing going between both sites.

You can certainly do the same thing with PPTP, and it may be easier for you to configure at this point. The advantage of IPSec is that you get heavy duty encryption (3des, although with many implementations you can use others), fairly granular control over connections, and keying via RSA public key exchange. Understand that there is a substantial (at least for my brain :) learning curve.

Happy VPN'ing.

-Tony

ron wrote:

> Hi folks,
>
> I want to connect our two offices together using PopTop, and I think I'm
> ok to go ahead and implement it. However, I have a "what then" question!
>
> Our two offices both have Linux firewalls and I have two other Linux
> machines ready to form the VPN connection through those firewalls. I
> want not only to be able to do things like telnet and ftp back and
> forth, but also to be able to have the Windows machines in one office
> browse the windoze machines in the other office. If the termination
> point of the VPN connection is a Linux box, how do I achieve that?
>
> Here are my thoughts so far - any comments would be very welcome, as I
> am feeling my way in the dark!
>
> 1. Set up the VPN connection (doh)
> 2. Get the routing tables right on the two VPN boxes, so that traffic
> aimed at the other office goes down the PPTP interface, and other
> traffic goes directly to the firewall (for routing to the internet).
> 3. Set all the machines inside the office, which currently have the
> firewall as their default gateway, to point to the VPN machine as their
> default gateway.
>
> I *think* that'll be ok. But the complicating factor is that we have a
> single class C network which is subnetted between the offices, so that
> our netmask is 255.255.255.128 (in fact it's split into 4 groups, but
> that's unnecessarily complicated). So how would broadcast packets be
> treated? They are no longer being sent out to the same IP address in the
> two offices (one might be 192.168.2.255 and the other might be
> 192.168.2.127) so would the two networks be able to see each other? Or
> have I simply misunderstood the nature of broadcast packets?
>
> As I said, any comments would be very welcome!
>
> Warm regards
>
> Ron

From pchilders at pharsalia.com Wed Sep 27 01:04:35 2000
From: pchilders at pharsalia.com (Patrick Childers)
Date: Tue, 26 Sep 2000 23:04:35 -0700
Subject: [pptp-server] Past the VPN Server
Message-ID: <001b01c02848$d0420d80$0200a8c0@patrick>

I am having trouble routing past the VPN server, and I read all the how-tos, but I'm still stumped.

Here is the setup:
CLIENT connects to PPTP IP: 208.62.67.104
CLIENT gets IP : 192.168.34.10
CLIENT sees SERVER AS 192.168.34.1

SERVER's INTERNAL IP is 192.168.100.4

I need to be able to ping all inside servers 192.168.100.1-254.
NOTE: I can ping 192.168.100.4

Also, the server sends all the wins/dns info through ppp/options correctly. But the gateway shows as the client's IP. Shouldn't the gateway be the pptpd server? If I'm correct how would I specify this?

Thanks
Patrick Childers

From Steve.Cowles at infohiiway.com Wed Sep 27 01:10:47 2000
From: Steve.Cowles at infohiiway.com (Cowles, Steve)
Date: Wed, 27 Sep 2000 01:10:47 -0500
Subject: [pptp-server] Past the VPN Server
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE543@defiant.infohiiway.com>

> -----Original Message-----
> From: Patrick Childers [mailto:pchilders at pharsalia.com]
> Sent: Wednesday, September 27, 2000 1:05 AM
> To: PPTP List
> Subject: [pptp-server] Past the VPN Server
>
>
> I am having trouble routing past the VPN server,
> and I read all the how-tos, but I'm still stumped.
>
> Here is the setup:
> CLIENT connects to PPTP IP: 208.62.67.104
> CLIENT gets IP : 192.168.34.10
> CLIENT sees SERVER AS 192.168.34.1
>
> SERVER's INTERNAL IP is 192.168.100.4
>
> I need to be able to ping all inside servers
> 192.168.100.1-254.
> NOTE: I can ping 192.168.100.4
>

A couple of things that you might want to check:

1) Do you have "proxyarp" specified in your /etc/ppp/options file? Without proxyarp, the other systems on your network will not be able to route to your remote system. You should see an entry in your /var/log/messages file when you establish your VPN like...

pppd[30864]: found interface eth0 for proxy arp

2) IP_FORWARDING must be enabled on the pptp server so that packets can be routed (forwarded) from eth* to ppp* devices (and vice-versa).

> Also, the server sends all the wins/dns info through
> ppp/options correctly. But the gateway shows as the
> client's IP. Shouldn't the gateway be the pptpd server.

Not necessarily. In fact, I usually discourage specifying the gateway being the pptpd server with PPTP VPNs. When you do so, ALL internet traffic including your local LAN traffic is routed through your PPTP server. Is this really what you are wanting?

All you really need to communicate with your 192.168.34.0/24 network (in addition to what is mentioned above) is a static route (on the remote pptp client) that defines that 192.168.34.0/24 is routed through the PPTP client's local address. This route addition should be created automatically on windows based PPTP clients when you establish the VPN. netstat -rn should confirm this. Your default route should still be pointing to your ISP's router or your ppp address (not pptp address) if using dialup.

> If I'm correct how would I specify this?

If your PPTP client is Windows based and you "still" want to use the pptpd server as the default gateway, then enable "Use default gateway on remote network" in your PPTP profile connection. This will add a second default route in addition to the current one that should already be pointing to your ISP's gateway (or ppp address if using dialup). Note that the "metric" value should be changed from 1 to 2 on the original default route while the PPTP VPN is active.

Steve Cowles

>
> Thanks
> Patrick Childers

From chavant at geosys.fr Wed Sep 27 03:08:28 2000
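The checks named in Steve Cowles's reply above (proxyarp in /etc/ppp/options, kernel IP forwarding, and the pppd log line he quotes), as an added example that is not part of the original thread. The function names and the sample files are constructed assumptions; paths are taken as parameters so the script runs against temporary files.

```shell
#!/bin/sh
# Added example, not from the thread: checks the prerequisites named in the
# reply above for reaching hosts behind a PoPToP server.

# proxyarp_iface LOG_FILE
# Prints the interface from the last "found interface X for proxy arp" line
# that pppd wrote, or nothing if no such line exists.
proxyarp_iface() {
    sed -n 's/.*pppd\[[0-9]*]: found interface \([^ ]*\) for proxy arp.*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# check_pptp_routing OPTIONS_FILE IP_FORWARD_FILE LOG_FILE
# Prints one finding per line; the return status is the number of failed checks.
check_pptp_routing() {
    options_file=$1
    ip_forward_file=$2
    log_file=$3
    failures=0

    # Check 1: "proxyarp" must be an active option; "#proxyarp" does not count.
    if grep -Eq '^[[:space:]]*proxyarp([[:space:]]|$)' "$options_file" 2>/dev/null; then
        echo "OK   proxyarp is set in $options_file"
    else
        echo "FAIL proxyarp is not set in $options_file"
        failures=$((failures + 1))
    fi

    # Check 2: the kernel must forward between eth* and ppp* (file holds "1").
    forward=$(cat "$ip_forward_file" 2>/dev/null || echo unreadable)
    if [ "$forward" = "1" ]; then
        echo "OK   IP forwarding is enabled"
    else
        echo "FAIL IP forwarding is not enabled ($ip_forward_file: $forward)"
        failures=$((failures + 1))
    fi

    # Check 3: pppd logs the interface it answers ARP on once a session is up.
    iface=$(proxyarp_iface "$log_file")
    if [ -n "$iface" ]; then
        echo "OK   pppd set up proxy ARP on $iface"
    else
        echo "FAIL no 'found interface ... for proxy arp' entry in $log_file"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# make_sample DIR good|bad
# Writes constructed stand-ins for /etc/ppp/options,
# /proc/sys/net/ipv4/ip_forward and /var/log/messages into DIR.
make_sample() {
    mkdir -p "$1"
    if [ "$2" = "good" ]; then
        printf 'lock\nproxyarp\n' > "$1/options"
        echo 1 > "$1/ip_forward"
        echo 'Sep 27 01:00:00 vpn pppd[30864]: found interface eth0 for proxy arp' \
            > "$1/messages"
    else
        printf 'lock\n#proxyarp\n' > "$1/options"
        echo 0 > "$1/ip_forward"
        echo 'Sep 27 01:00:00 vpn pppd[30864]: local  IP address 192.168.34.1' \
            > "$1/messages"
    fi
}

# Demonstration on the constructed "bad" sample. On a real server, pass
# /etc/ppp/options, /proc/sys/net/ipv4/ip_forward and /var/log/messages.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" bad
check_pptp_routing "$demo_dir/options" "$demo_dir/ip_forward" "$demo_dir/messages" \
    || echo "$? check(s) failed"
rm -rf "$demo_dir"
```

The log check only means something after a client has connected at least once, since pppd writes that line when the session comes up.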
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Wed, 27 Sep 2000 10:08:28 +0200
Subject: [pptp-server] pptp routing
Message-ID: <000b01c0285a$1e23bc40$7c03a8c0@pcjpc.geosys.fr>

hello,

I've successfully established my connection to my VPN server (Linux + PoPToP). Now I try to ping computers on the private LAN.

my network :

[192.168.1.x]-----(router)-----[192.168.3.x]-----(vpnserver)-----[172.16.0.x]-----(client)

vpnserver is 192.168.3.252 and 172.16.0.1
client is 172.16.0.10
vpn network is 192.168.0.x (server ip is 192.168.0.1 and client ip is 192.168.0.100)

When I do a ping on the server IPs (192.168.3.252/172.16.0.1) it works fine.

When I do a ping on a computer on network 1 or 3 I can see that the packets are forwarded (with tcpdump) but they never come back apparently (computers on network 1 and 3 don't have the routes to go to 192.168.0.x).

I think my problem comes from proxy arp ... but I don't know how to start it up ... :(

I've tried to use this script in the ip-up.local but it seems it doesn't work ...

#! /bin/bash
# pppd passes the remote (client) IP address as the fifth argument
REMOTE_IP_ADDRESS="$5"
date > /var/run/ppp.up
echo "REMOTE_IP_ADDRESS = $REMOTE_IP_ADDRESS" >> /var/log/ppp.log
# publish an ARP entry for the client; 'MAC_ADDRESS' is a placeholder
arp --set "$REMOTE_IP_ADDRESS" 'MAC_ADDRESS' pub >> /var/log/ppp.log
exit 0

I use the MAC ADDRESS of the vpnServer NIC which is on the LAN 3. Is this correct?

Could someone help me?

Thanx,

JPaul.

From chavant at geosys.fr Wed Sep 27 05:02:39 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Wed, 27 Sep 2000 12:02:39 +0200
Subject: [pptp-server] PPTP & Samba
Message-ID: <002401c0286a$11e5ef60$7c03a8c0@pcjpc.geosys.fr>

Hello,

my pptp connection works.

here is my network :

                 [192.168.2.x]
                       |
                       2
[192.168.1.x]----[Unix router]----[192.168.3.x]-----[VPN Server]-----[172.16.0.x]-----[client]
               3               2                252               1                10

to be able to ping any computers I have to add a route on my router ... (route add 192.168.0.0 gw 192.168.3.252) (this solves apparently the problem of the arp resolution ...)

vpn network IP is 192.168.0.x

My Unix Router is also my WINS server (Samba)
My Logon controller is a M$ PDC (Win NT 4.0) which is on 192.168.1.x 192.168.3.x network.

In this situation, my computer on my private LAN doesn't see my VPN client in the neighbourhood network and vice versa.

I can reach from any network a computer by executing the command \\IP_Address.
What can I do to see all the computers in the neighbourhood network (from 192.168.1.x , 192.168.3.x and 192.168.0.x) ?

My Wins server has to stay on my Unix Router.

I have installed Samba on my VPN Server and it acts as a proxy Wins ... but it doesn't work ...

Does anybody know how to see all computers in the neighbourhood network ?

JPaul

From aaa at netman.dk Wed Sep 27 06:15:24 2000
From: aaa at netman.dk (Alaa Al-Amood)
Date: Wed, 27 Sep 2000 13:15:24 +0200
Subject: [pptp-server] PPTP & Samba
References: <002401c0286a$11e5ef60$7c03a8c0@pcjpc.geosys.fr>
Message-ID: <39D1D6CC.FEB00EF4@netman.dk>

Hi

You have to configure samba as a WINS server. Here is the samba (/etc/smb.conf) configuration which works very well for me:

[global]
   domain logons = yes
   domain master= yes
   local master =no
   browse list = yes
   mangled stack = 100
   max xmit = 8192
   password level = 0
   printing = bsd
   read size = 8192
   security = user
   os level = 65
   wins support = yes
;  wins server =
   password level = 8
   username level = 8
; workgroup name
   workgroup = netman
   netbios name = snow
; for WinNT 4.0 sp3 clients
   encrypt passwords = yes
; all services are browsable
   browsable = yes
; restrict access to local hosts
   hosts allow = 192.68.72. 172.16.0. 127.0.0.1
   deny hosts = ALL
; server announcement
   server string = WINS & VPN Server (Samba %v)
; configure Samba to use multiple interfaces
   interfaces = 192.168.0.1/255.255.255.0 172.16.0.2/255.255.0.0
;  remote browse sync = 192.168.0.255 172.16.255.255
   remote announce = 192.168.0.255 172.16.255.255
; separate log file for each client machine
   log file = /var/log/samba/log.%m
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
   share modes = yes
; setting up master domain
;  annouce version = 4.0
   preferred master = yes

[homes]
   comment = home directories
   writable = yes
; read and write for user, read access to group and no access for others
   create mask = 640
   force create mode = 0
   directory mask = 750
   force directory mode = 0

After that you have to add the following line to the /etc/ppp/options:

ms-wins 193.88.72.38 #Samba wins server

regards
Alaa

Jean-Paul Chavant wrote:

> Hello,
>
> my pptp connection works.
>
> here is my network :
>
>                  [192.168.2.x]
>                        |
>                        2
> [192.168.1.x]----[Unix router]----[192.168.3.x]-----[VPN Server]-----[172.16.0.x]-----[client]
>                3               2                252               1                10
>
> to be able to ping any computers I have to add a route on my router ...
> (route add 192.168.0.0 gw 192.168.3.252) (this solves apparently the problem
> of the arp resolution ...)
>
> vpn network IP is 192.168.0.x
>
> My Unix Router is also my WINS server (Samba)
> My Logon controller is a M$ PDC (Win NT 4.0) which is on 192.168.1.x
> 192.168.3.x network.
>
> In this situation, my computer on my private LAN doesn't see my VPN client
> in the neighbourhood network and vice versa.
>
> I can reach from any network a computer by executing the command
> \\IP_Address.
> What can I do to see all the computers in the neighbourhood network (from
> 192.168.1.x , 192.168.3.x and 192.168.0.x) ?
>
> My Wins server has to stay on my Unix Router.
>
> I have installed Samba on my VPN Server and it acts as a proxy Wins ... but
> it doesn't work ...
>
> Does anybody know how to see all computers in the neighbourhood network ?
>
> JPaul

From phil at vibrationresearch.com Wed Sep 27 09:47:57 2000
From: phil at vibrationresearch.com (Philip Van Baren) Date: Wed, 27 Sep 2000 10:47:57 -0400 Subject: [pptp-server] Packet reordering patch Message-ID: <000401c02891$ecf349f0$4500a8c0@vibrationresearch.com> I made a patch to pptpd-1.1.1 which implements a simple packet reordering scheme. This made a huge difference on my network which has many out-of-order packets. Note that if in addition to your packet order problems you are getting dropped packets and you have encryption enabled, you will still probably see the message: Sep 27 00:03:15 gateway pppd[10544]: rcvd [Compressed data] 10 32 ae 68 c0 8e e1 92 ... in your log file after a packet gets dropped, after which the link seems to lock up. The only way I have been able to solve this problem so far is to disable encryption because pppd doesn't seem to recover from lost packets when encryption is enabled. Has anyone found a way to get pppd to recover nicely from lost packets when using encryption? (I am using this with pptpd-1.1.1 and pppd-2.3.11 and kernel 2.2.17) Phil Van Baren phil at vibrationresearch.com Here is the patch to add packet reordering: diff -u pptpd-1.1.1/pptpgre.c pptpd-1.1.1-reorder/pptpgre.c --- pptpd-1.1.1/pptpgre.c Thu Dec 23 20:03:44 1999 +++ pptpd-1.1.1-reorder/pptpgre.c Wed Sep 27 09:36:20 2000 @@ -73,6 +73,7 @@ memset (gre, 0, sizeof (*gre)); reset_pty_to_gre (gre); + gre->seq_recv = -1; /* Open IP protocol socket */ gre->gre_fd = socket(AF_INET, SOCK_RAW, PPTP_PROTO); @@ -437,7 +438,8 @@ static int read_gre (struct gre_state *gre) { - int status, offset=0; + int status, offset=0,i,j; + int recv_time; unsigned char buffer[GRE_PACKET_SIZE + 64 /* ip header */]; struct gre_rcv_packet *recv_packet; unsigned char *data; 
@@ -449,10 +451,6 @@ memset (buffer, 0x66, sizeof(buffer)); status = read (gre->gre_fd, buffer, sizeof(buffer)); - recv_packet = &gre->window[(gre->gre_current_packet - + gre->gre_num_packets) % - (PCKT_RECV_WINDOW_SIZE + 1)]; - if (status < 0) { if (errno == EAGAIN || errno == EINTR) { /*syslog (LOG_INFO, "GRE read() wants retry");*/ @@ -480,11 +478,9 @@ return 0; } - memset (recv_packet, 0x11, sizeof(*recv_packet)); - /* FIXME: Too much copying. Should just buffer the IP header. */ - memcpy (recv_packet, &buffer[offset], status); - + recv_packet = (struct gre_rcv_packet *) (buffer+offset); header = recv_packet->header; + recv_time = time(NULL); /* Validate the packet. */ if ((ntoh8 (header.ver) & ~PPTP_GRE_FLAG_A) != PPTP_GRE_VER @@ -532,7 +528,8 @@ if (has_payload) { u_int32_t seq; - if (gre->gre_num_packets >= PCKT_RECV_WINDOW_SIZE) { + /* Keep 8 packets of buffer room for packet reordering */ + if (gre->gre_num_packets >= (PCKT_RECV_WINDOW_SIZE-PCKT_REORDER_SIZE)) { syslog (LOG_ERR, "GRE: window overflowed. Dropping packet..."); return 1; } @@ -546,15 +543,10 @@ data = recv_packet->body.one.data; } - if (pptpctrl_debug && seq != gre->seq_recv + 1) { - syslog (LOG_INFO, "Unexpected sequence number; got %u after %u", - seq, gre->seq_recv); - } - /* Check sequence number; discard if out of order */ if (!seq_less_than (gre->seq_recv, seq)) { syslog (LOG_WARNING, - "Discarding out-of-order packet %x, already have %x", + "Discarding out-of-order packet %u, already have %u", seq, gre->seq_recv); return 0; } 
@@ -568,8 +560,108 @@ return 0; } - gre->seq_recv = seq; - gre->gre_num_packets++; + i=seq - gre->seq_recv - 1; + + /* If this packet is beyond the reorder buffer, + * or if it has been 3 seconds size we last accepted a packet, + * stop waiting for the missing packet */ + if ((i >= PCKT_REORDER_SIZE) || (recv_time > (gre->gre_last_recv_time+PCKT_REORDER_WAIT_TIME)) ) { + if(gre->gre_num_packets > 0) { + /* There are still packets in the queue, so we can't skip packets yet */ + if(pptpctrl_debug) { + syslog (LOG_INFO, "Dropping out-of-order packet; got %u after %u", + PCKT_REORDER_SIZE,seq, gre->seq_recv); + } + return 0; + } + /* Stop waiting for the oldest packet */ + for(j=0 ; (jwindow[(gre->gre_current_packet+j)%(PCKT_RECV_WINDOW_SIZE+1)].header.p ayload_len == 0) ; j++); + + /* Missing more than PCKT_REORDER_SIZE consecutive packets - just ignore them and process this new packet */ + if(pptpctrl_debug) { + if(recv_time > (gre->gre_last_recv_time+PCKT_REORDER_WAIT_TIME)) { + /* Hide this message on the first packet because it is meaningless */ + if(gre->gre_last_recv_time != 0) + syslog (LOG_INFO, "Packet reorder timeout."); + } else if(j==PCKT_REORDER_SIZE) { + syslog (LOG_INFO, "Missing %d consecutive packets; got %u after %u", + PCKT_REORDER_SIZE,seq, gre->seq_recv); + } else { + syslog (LOG_INFO, "Exceeded packet reorder buffer size; got %u after %u; skipping %d packets", + seq, gre->seq_recv,j); + } + } + if(j==PCKT_REORDER_SIZE) { + memcpy(&gre->window[gre->gre_current_packet],buffer+offset,status); + /* + if(pptpctrl_debug) { + syslog(LOG_INFO,"Filling packet buffer slot %d with packet %u",gre->gre_current_packet,seq); + } + */ + gre->seq_recv = seq; + gre->gre_num_packets++; + gre->gre_last_recv_time=recv_time; + return 1; + } + + /* Else skip forward to the oldest previously received packet */ + gre->gre_current_packet=(gre->gre_current_packet+j) % (PCKT_RECV_WINDOW_SIZE+1); + gre->seq_recv += j; + + i-=j; + } + /* Buffer the latest packet if it isn't 
too far ahead, else just drop it */ + if(i < PCKT_REORDER_SIZE) { + if(pptpctrl_debug && (i>0)) { + syslog (LOG_INFO, "Buffering out-of-order packet; got %u after %u", + seq, gre->seq_recv); + } + memcpy(&gre->window[(gre->gre_current_packet+gre->gre_num_packets+i) % (PCKT_RECV_WINDOW_SIZE+1)],buffer+offset,status); + /* + if(pptpctrl_debug) { + syslog(LOG_INFO,"Filling packet buffer slot %d with packet %u (curr=%d,n=%d,i=%d)",(gre->gre_current_packet+gre->gre_num_packets+i) % (PCKT_RECV_WINDOW_SIZE+1),seq,gre->gre_current_packet,gre->gre_num_packets,i ); + } + */ + } else if(pptpctrl_debug) { + syslog (LOG_INFO, "Dropping out-of-order packet %u",seq); + } + + /* Skip lost packets if we get PCKT_REORDER_SIZE consecutive following packets */ + + if((gre->gre_num_packets==0) && (gre->window[gre->gre_current_packet].header.payload_len == 0)) { + for(i=0,j=1;(i < (PCKT_REORDER_RESUME_SIZE)) && (jwindow[(gre->gre_current_packet+j) % (PCKT_RECV_WINDOW_SIZE+1)].header.payload_len != 0) { + i++; + } else { + i=0; + } + } + if(i >= (PCKT_REORDER_RESUME_SIZE)) { + /* Advance counters over the lost packet(s) */ + for(j=1 ; (jwindow[(gre->gre_current_packet+j)%(PCKT_RECV_WINDOW_SIZE+1)].header.p ayload_len == 0) ; j++); + if(pptpctrl_debug) { + syslog (LOG_INFO, "Gave up waiting for %d lost packets",j); + } + + gre->gre_current_packet=(gre->gre_current_packet+j) % (PCKT_RECV_WINDOW_SIZE+1); + gre->seq_recv += j; + } + } + + /* Add all consecutive available packets to the queue */ + for(j=0 ; (jwindow[(gre->gre_current_packet+gre->gre_num_packets+j)%(PCKT_RECV_WIN DOW_SIZE+1)].header.payload_len != 0) ; j++); + /* + if(pptpctrl_debug && (j>1)) { + syslog(LOG_INFO,"Adding %d packets to the queue",j); + } + */ + gre->seq_recv += j; + gre->gre_num_packets += j; + if(j>0) { + gre->gre_last_recv_time = recv_time; + return 1; + } + return 0; #if 0 /* Dump start of packet. */ 
@@ -578,7 +670,6 @@ status, data[0], data[1], data[2], data[3], data[4], data[5], data[6]); #endif - return 1; } if (!has_payload && !has_ack) @@ -627,8 +718,8 @@ packet = &gre->window[gre->gre_current_packet]; header = packet->header; if (header.protocol != ntoh16(PPTP_GRE_PROTO)) { - syslog (LOG_ERR, "INTERNAL ERROR: Bad protocol %x in gre_to_hdlc", - ntoh16(header.protocol)); + syslog (LOG_ERR, "INTERNAL ERROR: Bad protocol %x in gre_to_hdlc, buffer slot %d", + ntoh16(header.protocol),gre->gre_current_packet); } data = (PPTP_GRE_IS_A (ntoh8 (header.ver)) @@ -656,8 +747,8 @@ gre->gre_current_packet = ((gre->gre_current_packet + 1) % (PCKT_RECV_WINDOW_SIZE + 1)); - /* Fill packet with garbage */ - memset (packet, 0x33, sizeof (*packet)); + /* Zero out the packet so the payload_len parameter is zero which indicates this slot is empty */ + memset (packet, 0x00, sizeof (*packet)); } /* Send some stuff to the PTY. Return 1 if we wrote something, 0 if diff -u pptpd-1.1.1/pptpgre.h pptpd-1.1.1-reorder/pptpgre.h --- pptpd-1.1.1/pptpgre.h Thu Dec 23 16:43:33 1999 +++ pptpd-1.1.1-reorder/pptpgre.h Wed Sep 27 09:36:16 2000 
@@ -14,6 +14,26 @@ #define GRE_PACKET_SIZE 2048 #define HDLC_PACKET_SIZE (2*GRE_PACKET_SIZE + 6) +/* Variables to control the packet reordering scheme: + * PCKT_REORDER_SIZE + * this is the number of packets ahead of the current packet that + * will get buffered while waiting for a packet. If a new packet + * comes in more than this far ahead, we stop waiting for the missing packet + * + * PCKT_REORDER_RESUME_SIZE + * if this many consecutive packets are available in the buffer + * while we are waiting for a lost packet, then we will stop waiting + * for the missing packet + * + * PCKT_REORDER_WAIT_TIME + * if a new packet comes in and this many seconds have expired since + * we last passed on a packet to pppd, then we will stop waiting + * for the missing packet + */ +#define PCKT_REORDER_SIZE 8 +#define PCKT_REORDER_RESUME_SIZE 4 +#define PCKT_REORDER_WAIT_TIME 3 + enum gre_header_type { GRE_HEAD_ONE, GRE_HEAD_BOTH }; struct gre_xmit_packet { @@ -72,6 +92,7 @@ struct gre_rcv_packet window[PCKT_RECV_WINDOW_SIZE+1]; int gre_current_packet; int gre_num_packets; + int gre_last_recv_time; /* PTY output state */ int pty_fd; From marcus.rapp at twest.com Wed Sep 27 10:02:00 2000 
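Review bot: In pptpgre.c, hunk @@ -437,7 +438,8 @@, recv_time is declared int but is assigned time(NULL) later in read_gre, and the new gre_last_recv_time field in pptpgre.h is int as well. Both should be time_t so the comparison against gre_last_recv_time + PCKT_REORDER_WAIT_TIME is done in the type time() returns; the added i and j would also read better declared on their own line with a space after the comma.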
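Review bot: In pptpgre.c, hunk @@ -532,7 +528,8 @@, the overflow test now compares gre_num_packets against PCKT_RECV_WINDOW_SIZE-PCKT_REORDER_SIZE, but nothing shown enforces that the receive window is larger than the reorder reserve. If PCKT_RECV_WINDOW_SIZE is 8 or less the condition is always true and every payload packet is dropped with "window overflowed". Suggest a compile-time check next to the new defines in pptpgre.h, and having the comment name PCKT_REORDER_SIZE instead of the literal "8 packets" so it stays correct when the define changes.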
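Review bot: In pptpgre.c, hunk @@ -568,8 +560,108 @@, both new memcpy calls into gre->window[...] copy status bytes from buffer+offset, and no line in the hunk checks that length against the size of one window slot. status comes straight from read() on a buffer of GRE_PACKET_SIZE + 64 bytes, so the length is controlled by whatever arrived on the raw GRE socket. Suggest dropping the packet when the GRE portion is larger than sizeof(gre->window[0]) and making sure the copy length excludes the offset bytes that were skipped at the front of buffer. In the same hunk, the first debug syslog passes three arguments (PCKT_REORDER_SIZE, seq, gre->seq_recv) to a format with two %u, so it logs the constant and seq rather than seq and seq_recv; the comment above it also says "3 seconds size" where it means "since" and should refer to PCKT_REORDER_WAIT_TIME.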
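Review bot: In pptpgre.c, hunk @@ -656,8 +747,8 @@, header.payload_len == 0 becomes the marker for an empty window slot, which the scan loops added to read_gre rely on. A received packet whose header carries a payload_len of zero would then be stored and still look like a free slot, so the reorder logic would keep waiting for it. Suggest rejecting zero-length payloads before buffering, or tracking slot occupancy in a separate flag instead of overloading a field taken from the wire.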
From: marcus.rapp at twest.com (Marcus Rapp)
Date: Wed, 27 Sep 2000 17:02:00 +0200
Subject: [pptp-server] Problems after IP-Change
Message-ID: <39D20BE8.31A0DE4A@twest.com>

Hi

We have been using PopTop successfully for about half a year now in our company, but since we moved and have another internal ip for the vpn-gateway (in another subnet) we have problems. I configured the new ip on the machine and the machine can connect everywhere perfectly.

The problem is: we can still log into the VPN successfully with all the clients that were working before, but they can't connect to our LAN. If I try to ping or telnet somewhere into our LAN I get the following in syslog :

-----
...
Sep 28 16:27:49 vpngate pppd[6612]: sent [LCP ProtRej id=0x9b 79 bd 09 5d ea 04 20 c7 da 7e b3 82 90 c5 db ad 1f 92 57 16 b3 f3 0b fe a8 23 a7 88 a8 c0 ae 21 a0 ab 56 70 79 5c 9e b5 36 7e 39 65 6a ac]
Sep 28 16:27:50 vpngate pppd[6612]: rcvd [proto=0xced2] fd 20 e4 75 ac 35 f3 66 88 4f 3b 14 0b e7 33 7f 94 a2 22 ba c1 69 ce b3 d7 e3 4c 8b d9 7f 73 f6 ...
Sep 28 16:27:50 vpngate pppd[6612]: Unsupported protocol (0xced2) received
Sep 28 16:27:50 vpngate pppd[6612]: sent [LCP ProtRej id=0x9c ce d2 fd 20 e4 75 ac 35 f3 66 88 4f 3b 14 0b e7 33 7f 94 a2 22 ba c1 69 ce b3 d7 e3 4c 8b d9 7f 73 f6 cd 83 88 89 df 36 fa 83 ad 60 49 c4]
Sep 28 16:27:50 vpngate pppd[6612]: rcvd [proto=0xd8d5] b9 63 47 1d 25 18 a8 b0 0a a6 cb a7 e2 67 03 6d 30 02 c4 e8 4c 74 b6 bb 5d 30 a7 48 d9 3b e3 a8 ...
Sep 28 16:27:50 vpngate pppd[6612]: Unsupported protocol (0xd8d5) received
Sep 28 16:27:50 vpngate pppd[6612]: sent [LCP ProtRej id=0x9d d8 d5 b9 63 47 1d 25 18 a8 b0 0a a6 cb a7 e2 67 03 6d 30 02 c4 e8 4c 74 b6 bb 5d 30 a7 48 d9 3b e3 a8 9b 21 a4 7c 65 58 91 a1 54 ff 9f 9d]
Sep 28 16:27:50 vpngate pppd[6612]: rcvd [proto=0x3233] db 61 a2 f4 e9 a8 2c b4 10 30 f0 c3 a9 0e 61 fe 3d b3 81 ee 62 97 c5 c7 cf fb 66 92 54 13 17 71 ...
Sep 28 16:27:50 vpngate pppd[6612]: Unsupported protocol (0x3233) received
Sep 28 16:27:50 vpngate pppd[6612]: sent [LCP ProtRej id=0x9e 32 33 db 61 a2 f4 e9 a8 2c b4 10 30 f0 c3 a9 0e 61 fe 3d b3 81 ee 62 97 c5 c7 cf fb 66 92 54 13 17 71 36 25 f8 fe 4a cf 95 03 9a 7f 5b e7 33 7f 00 23 48 f2 44 a4 e6 17 6e 38 fe 94 90 9f]
...
-----

I checked that all the modules are loaded correctly (if not, logging in should not work) and I really can't tell what the problem could be.

Can anyone help ?

Marcus

From chavant at geosys.fr Wed Sep 27 10:03:55 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Wed, 27 Sep 2000 17:03:55 +0200
Subject: [pptp-server] strange problem on connection
Message-ID: <000001c02894$27b1abc0$7c03a8c0@pcjpc.geosys.fr>

hello,

I have installed a VPN Server on a Linux box. My client is a Win95 box.

I've made tests in a local area with private IP addresses (192.168 & 172.16). All worked very well (firewall/PPTP Server/Ping/... except neighbourhood network ...)

Then I installed my VPN server. New IP address (one private on my LAN : 192.168.1.252, the other one on my public area). I've made modifications on my firewall rules (modification of the variable).

Now when I try to connect with my client (from my public zone) I get the error 629.

In the log of pptp I have (filtered packets are logged) :

Sep 26 16:56:42 endeavour pptpd[770]: MGR: Launching /usr/sbin/pptpctrl to handle client
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: local address = 192.168.0.1
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: remote address = 192.168.0.100
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control connection started
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Received PPTP Control Message (type: 1)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Made a START CTRL CONN RPLY packet
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: I wrote 156 bytes to the client.
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Sent packet to client
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Received PPTP Control Message (type: 7)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Set parameters to 0 maxbps, 16 window size
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Made a OUT CALL RPLY packet
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Starting call (launching pppd, opening GRE)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: pty_fd = 4
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: tty_fd = 5
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: I wrote 32 bytes to the client.
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Sent packet to client
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): Connection speed = 115200
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): local address = 192.168.0.1
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): remote address = 192.168.0.100
Sep 26 16:56:43 endeavour pptpd[770]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Erreur d'entr?e/sortie
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control connection finished
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Exiting now
Sep 26 16:56:43 endeavour pptpd[723]: MGR: Reaped child 770

Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=64 S=0x0A I=31744 F=0x4000 T=128 SYN (#4)
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=32000 F=0x4000 T=128 (#4)
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=208 S=0x0A I=32256 F=0x4000 T=128 (#4)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control connection started
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=220 S=0x0A I=32512 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Starting call (launching pppd, opening GRE)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=47 195.115.78.5:65535 195.115.78.4:65535 L=50 S=0x00 I=32768 F=0x0000 T=128 (#5)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=33024 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pppd[771]: The remote system is required to authenticate itself
Sep 26 16:56:43 endeavour pppd[771]: but I couldn't find any suitable secret (password) for it to use to do so.
Sep 26 16:56:43 endeavour pppd[771]: (None of the available passwords would let it use an IP address.)
Sep 26 16:56:43 endeavour pptpd[770]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Erreur d'entr?e/sortie
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=33280 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control connection finished

There are 2 errors I notice :

Sep 26 16:56:43 endeavour pppd[771]: The remote system is required to authenticate itself
Sep 26 16:56:43 endeavour pppd[771]: but I couldn't find any suitable secret (password) for it to use to do so.
Sep 26 16:56:43 endeavour pppd[771]: (None of the available passwords would let it use an IP address.)

Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)

my chap-secret file is :

# Secrets for authentication using CHAP
# client            server      secret      IP addresses
Mj09tt12            endeavour   ********    *
GEOSYS\\Mj09tt12    endeavour   ********    *

My question is why my systems had worked very well with internal IP and why now with public IP it doesn't work ... ???

Does someone have an idea ?

JPAUL

PS : my firewall file rules

#!/bin/sh
#
# Source function library.
. /etc/rc.d/init.d/functions

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# See how we were called.
case "$1" in
  start)
    echo -e "\\nStarting firewall...\\n\\n "

    ### Enable IP forwarding and dynamic addressing
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    ### Disable ICMP redirects.
    for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > "$file"
    done

    ### Disable source-routed packets.
    for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > "$file"
    done

    ### Enable anti-spoofing.
    for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$file"
    done

    ### External IP address and external interface name
    extip="*.*.*.*/32"
    extint="eth1"

    ### Internal IP address and internal interface name
    intint="eth0"
    intnet="192.168.0.0/16"
    intip="192.168.1.252/32"

    ### VPN IP address
    vpnnet="192.168.0.0/24"

    ### Other definitions
    ALL="0.0.0.0/0"

    ############################################################################
    #                                                                          #
    # INBOUND TRAFFIC: flush the rules, default policy = REJECT                #
    ############################################################################
    #
    ipchains -P input REJECT
    ipchains -F input

    # Anyone on the inside, coming in on the internal interface, may go
    # anywhere
    ipchains -A input -i $intint -s $intnet -d $ALL -j ACCEPT

    # Anti-spoofing: a packet claiming to come from the internal network but
    # arriving on the external interface = REJECT + LOG
    #
    ipchains -A input -i $extint -s $intnet -d $ALL -l -j REJECT

    # The loopback interface is allowed
    #
    ipchains -A input -i lo -s $ALL -d $ALL -j ACCEPT

    # Rules for PPTP connections
    # Anyone from the outside may come in on the external interface when
    # addressed to the VPN server
    #
    ipchains -A input -i $extint -p tcp -d $extip 1723 -j ACCEPT -l
    ipchains -A input -i $extint -p 47 -d $extip -j ACCEPT -l

    # Everything else is forbidden (from anywhere to anywhere, entering on
    # any interface): REJECT + LOG
    #
    ipchains -A input -s $ALL -d $ALL -l -j REJECT

    ############################################################################
    #                                                                          #
    # OUTBOUND TRAFFIC: flush the rules, default policy = REJECT               #
    ############################################################################
    #
    ipchains -P output REJECT
    ipchains -F output
    #ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

    # Anyone may go out to the internal network through the internal interface
    #
    ipchains -A output -i $intint -s $ALL -d $intnet -j ACCEPT

    # Nothing may go out the external interface towards the internal network
    # REJECT + LOG
    #
    ipchains -A output -i $extint -s $ALL -d $intnet -l -j REJECT

    # Nothing from the internal network may go out through the external interface
    # REJECT + LOG
    #
    ipchains -A output -i $extint -s $intnet -d $ALL -l -j REJECT

    # Everything leaving through the external interface is allowed
    #
    #ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
    ipchains -A output -p tcp -i $extint -s $extip 1723 -d $ALL -j ACCEPT
    ipchains -A output -p 47 -i $extint -s $extip -d $ALL -j ACCEPT

    # The loopback interface is allowed
    #
    ipchains -A output -i lo -s $ALL -d $ALL -j ACCEPT

    # Everything else is forbidden (from anywhere to anywhere, on any
    # interface): REJECT + LOG
    #
    ipchains -A output -s $ALL -d $ALL -l -j REJECT

    ############################################################################
    #                                                                          #
    # FORWARDED TRAFFIC: flush the rules, default policy = REJECT              #
    ############################################################################
    #
    ipchains -P forward REJECT
    ipchains -F forward
    #ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

    # Forwarding rules for PPTP from the VPN network to the local network
    #
    #ipchains -A forward -s $vpnnet -d $intnet -j ACCEPT -l
    #ipchains -A forward -s $intnet -d $vpnnet -j ACCEPT -l

    # Everything else is forbidden (from anywhere to anywhere, on any
    # interface): REJECT + LOG
    ipchains -A forward -s $ALL -d $ALL -l -j REJECT

    ipchains -L
    ### End of rules
    ;;
  stop)
    echo -e "\\nShutting down firewall...\\n\\n "
    ipchains -P input ACCEPT
    ipchains -F input
    ipchains -P output ACCEPT
    ipchains -F output
    ipchains -P forward ACCEPT
    ipchains -F forward
    ipchains -L
    ;;
  status)
echo -e "\\n\\nFirewall status at $HOSTNAME - `date`\\n" ipchains -L -n -v ;; restart) $0 stop $0 start ;; reset) echo -e "\\n\\nFirewall counters reseted at $HOSTNAME - `date`\\n" ipchains -L -n -Z -v ;; *) echo "Usage: $0 {start|stop|restart|status|reset}" exit 1 esac From htcengrs at pacbell.net Wed Sep 27 11:16:15 2000 From: htcengrs at pacbell.net (Waleed Alrawi) Date: Wed, 27 Sep 2000 09:16:15 -0700 Subject: [pptp-server] Removal form the mail list Message-ID: Hi Please advise me on how to remove my email form the email list. Thanks in advance Waleed From chavant at geosys.fr Wed Sep 27 12:28:38 2000 From: chavant at geosys.fr (Jean-Paul Chavant) Date: Wed, 27 Sep 2000 19:28:38 +0200 Subject: [pptp-server] some observations Message-ID: <000001c028a8$5f983040$7c03a8c0@pcjpc.geosys.fr> Hello, i ve noticed that PPP doesn't want login/passwd whith more than 7 characters. Is it possible to solve this ? The result if i use login/passwd with more than 7 characters is a 629 error on my Win9x client ... I ve noticed another problem. On my VPN box (Linux Mandrake), on a connection, the ip-up script is called ... but when the connection go down the ip-down script isn't called. So i have firewall rules who are useless/needless ... why the ip-down script isn't called ? Is it a problem of ppp ? Another problem is the doc to install a VPN connexion on an NTServer on the moretonbay.com site. apparently it's not NT shootscreens ... Or my NT version is strange ... ? Thx JPaul From jdewitt at broadcastzone.com Wed Sep 27 15:56:47 2000 From: jdewitt at broadcastzone.com (Josiah DeWitt) Date: Wed, 27 Sep 2000 13:56:47 -0700 Subject: [pptp-server] Plain Text Passwords Message-ID: Is there any way to avoid plaintext password (secret) in the chap/pap secrets file and or use (NT) domain user/pw lists. -j -------------- next part -------------- An HTML attachment was scrubbed... URL: From dosachoff at hotmail.com Wed Sep 27 17:02:13 2000 
From: dosachoff at hotmail.com (Derek Osachoff)
Date: Wed, 27 Sep 2000 15:02:13 PDT
Subject: [pptp-server] 1.0 > 1.0.1
Message-ID:

What is the simplest way to upgrade 1.0 to 1.0.1? OR just go through the install/make procedure again. I ask because I installed it on a box with ppp.10 and patches... I do get that EOF loop and believe that upgrading will eliminate that (?).

Thanks in advance,
Derek

From chavant at geosys.fr Thu Sep 28 03:13:36 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Thu, 28 Sep 2000 10:13:36 +0200
Subject: [pptp-server] error 678
Message-ID: <000001c02924$007987e0$7c03a8c0@pcjpc.geosys.fr>

hello,

I have a Linux PPTP Server installed.

When I connect to my server with my client2 from my Public LAN there is no problem.

When I connect to my server with my client1 from my ISP access I get the error 678. All connection (modem) and configuration (IP address, ...) of the client1 are good.

When I connect to my server with my client3 with direct access to internet (LS / ADSL) I get the error 629. In my log I can see a request from client3 to my VPN server on port 1723.

                                       (Public LAN)
[client1]---(ISP)----(internet)----[router]------[PPTP Server]----(Private LAN)
                         |                   |
                         |               [client2]
                         |
                     (client3)

chap-secrets is the same for the 3 tests ...

What is happening?

JPaul

From tdn at stack.ru Thu Sep 28 05:33:05 2000
From: tdn at stack.ru (Dmitry Tolpanov)
Date: Thu, 28 Sep 2000 17:33:05 +0700
Subject: [pptp-server] FreeBSD.
Message-ID: <403931122.20000928173305@cons.tsk.ru>

Hi.

Can anybody point me to any information about installing and tuning of PoPToP PPTP daemon on FreeBSD.

Thanks.
Dmitry.

From yvo at boudenoodt.com Thu Sep 28 08:52:13 2000
From: yvo at boudenoodt.com (Yvo Boudenoodt)
Date: Thu, 28 Sep 2000 15:52:13 +0200
Subject: [pptp-server] error 678
Message-ID: <11B0293266FBD31186E300400541CE2F4C58@NTSERVER>

probably your provider is filtering one or more ports needed for ppp

-----Original Message-----
From: Jean-Paul Chavant [mailto:chavant at geosys.fr]
Sent: Thursday, September 28, 2000 10:14 AM
To: Pptp
Subject: [pptp-server] error 678

hello,

I have a Linux PPTP Server installed.

When I connect to my server with my client2 from my Public LAN there is no problem.

When I connect to my server with my client1 from my ISP access I get the error 678. All connection (modem) and configuration (IP address, ...) of the client1 are good.

When I connect to my server with my client3 with direct access to internet (LS / ADSL) I get the error 629. In my log I can see a request from client3 to my VPN server on port 1723.

                                       (Public LAN)
[client1]---(ISP)----(internet)----[router]------[PPTP Server]----(Private LAN)
                         |                   |
                         |               [client2]
                         |
                     (client3)

chap-secrets is the same for the 3 tests ...

What is happening?

JPaul

From chavant at geosys.fr Thu Sep 28 08:57:30 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Thu, 28 Sep 2000 15:57:30 +0200
Subject: [pptp-server] error 678
In-Reply-To: <11B0293266FBD31186E300400541CE2F4C58@NTSERVER>
Message-ID: <000201c02954$0ae2c7c0$7c03a8c0@pcjpc.geosys.fr>

I have found one possible error ... I forgot to specify a default route ...

| -----Original Message-----
|
From: Yvo Boudenoodt [mailto:yvo at boudenoodt.com] | Sent: jeudi 28 septembre 2000 15:52 | To: 'chavant at geosys.fr'; Pptp | Subject: RE: [pptp-server] error 678 | | | probably your provider is filtering one or more ports needed for ppp | | -----Original Message----- | From: Jean-Paul Chavant [mailto:chavant at geosys.fr] | Sent: Thursday, September 28, 2000 10:14 AM | To: Pptp | Subject: [pptp-server] error 678 | | | hello, | | i have a Linux PPTP Server installed. | | When I connect to my server with my client2 from my Public | LAN there is no | problem. | | When I connect to my server with my client1 from my ISP | access i got the | error 678. | All connection (modem) and configuration (IP address, ...) of | the client1 | are good. | | When I connect to my server with my client3 with direct | access to internet | (LS / ADSL) i got the error 629. On my log a can see a | request from client3 | to my VPN server on port 1723. | | | (Public LAN) | [client1]---(ISP)----(internet)----[router]------[PPTP | Server]----(Private | LAN) | | | | | [client2] | | | (client3) | | chap-secrets is the same for the 3 tests ... | | What is happening ? | | JPaul | From aalang at rutgersinsurance.com Thu Sep 28 09:36:37 2000 
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Thu, 28 Sep 2000 10:36:37 -0400
Subject: [pptp-server] routing
References: <11B0293266FBD31186E300400541CE2F4C58@NTSERVER>
Message-ID: <006701c02959$8203f720$330a0a0a@Adam>

I'm still stuck on a problem from earlier. I really have no idea left on how to fix it and I have read the FAQs.

I have an internal network of 10.10.10.0. I have a PPTP server at address 10.10.10.26.

It is connected to the Internet at address 38.138.71.195.

The local ip for the PPTP server for the tunnel is 192.168.0.100. It hands out the address of 192.168.0.150 for the remote client.

The remote client connects to the PPTP server fine and can ping up to 10.10.10.26.

How do I get the remote client to ping another server on the 10.10.10.0 network?

Also, I do have "proxyarp" in the options file.

If I can't get this in the next day or so, I'm just going to drop it and look to use something else.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company

From chavant at geosys.fr Thu Sep 28 09:44:48 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Thu, 28 Sep 2000 16:44:48 +0200
Subject: [pptp-server] numer of connection problem
Message-ID: <000501c0295a$a64e03e0$7c03a8c0@pcjpc.geosys.fr>

hello,

my VPN Server works.

When I connect one client it's OK (ping).
When the second connects to my server it is OK but I can't ping it (and vice versa).

Has someone had this problem before?

JPaul

From Faisal.Puthuparackat at CQSL.com Thu Sep 28 10:02:46 2000
From: Faisal.Puthuparackat at CQSL.com (Faisal P)
Date: Thu, 28 Sep 2000 11:02:46 -0400
Subject: [pptp-server] Auth mechanism...
Message-ID: <00092811233100.00896@raindrop>

Hi ppl,

I have a somewhat unique problem here.... We have a network that consists of a bunch of clients that need to access the Internet. They are on ethernet. We need them to authenticate before they can reach the Internet. The problem is we actually needed to implement authenticated dhcp, but there are no implementations that I know of that exist at this point. So finally we decided to go in for a VPN between the client and the server running pptp. This allows us to authenticate using regular CHAP and windoze ppl can use it pretty easily. It also allows us to control who goes thru us etc.

Now we also needed ldap support with pptp, so I patched pppd to support a generalized authentication mechanism (like the @file in the chap-secrets file, if you put |program, pppd will now ask program to actually fetch the password. So even chap works, provided the LDAP server can provide clear-text passwords.) No, it isn't as insecure as it looks. I have taken care of that.

But the problem is that, before I had left for a holiday, I had this mechanism working perfectly. We then had to reinstall the server. Now I can't even get the pptp to work if I just patch pppd to use mppe. With noauth in the /etc/ppp/options file, everything is fine (yeah right) but without it, I get the 'GRE: could not read from PTY' error. I could not find a solution for it on the mailing list that was really helpful. Now I suspect that pppd is dying when it's asked to authenticate, but I can't figure how. It used to work perfectly earlier. (reminds me of my Windoze days)

Anyways, if anyone has any ideas, please let me know. I'll post the full error logs later tomorrow..

BTW, if anyone wants the pppd patch that adds support for generalized password retrieval, please let me know. I'll post it.

Another more important question is: Am I doing this right? I mean, all I really need is authentication on an ethernet network. I'm sure this pptp thing is overkill in some aspects. If anyone has any better ideas on how I could achieve this, it would be greatly appreciated.

thanx again.
Faisal.

From aalang at rutgersinsurance.com Thu Sep 28 10:34:37 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Thu, 28 Sep 2000 11:34:37 -0400
Subject: [pptp-server] numer of connection problem
References: <000501c0295a$a64e03e0$7c03a8c0@pcjpc.geosys.fr>
Message-ID: <00b501c02961$9cab1c40$330a0a0a@Adam>

You seem to be pretty much on the ball with your setup. Are you able to ping additional computers on your internal network? (computers on the same internal network as your PPTP server).

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company

----- Original Message -----
From: "Jean-Paul Chavant"
To: "Pptp"
Sent: Thursday, September 28, 2000 10:44 AM
Subject: [pptp-server] numer of connection problem

> hello,
>
> my VPN Server works.
>
> When I connect one client it's OK (ping).
> When the second connects to my server it is OK but I can't ping it (and vice
> versa).
>
> Has someone had this problem before?
>
> JPaul
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From drjchris at yahoo.com Thu Sep 28 10:35:27 2000
From: drjchris at yahoo.com (Chris Carella)
Date: Thu, 28 Sep 2000 08:35:27 -0700 (PDT)
Subject: [pptp-server] routing
Message-ID: <20000928153527.5215.qmail@web9703.mail.yahoo.com>

When I first installed PoPToP, I ran into similar problems; my problem was that ip forwarding was not turned on. Type this command if you're unsure:

cat /proc/sys/net/ipv4/ip_forward

If you get 1, then it is turned on. If you get 0, to turn it on type

echo 1 > /proc/sys/net/ipv4/ip_forward

If that doesn't work then you don't have ip forwarding compiled into your kernel and you need to recompile.

Hope that helps
Chris

--- Adam Lang wrote:
> I'm still stuck on a problem from earlier. I really have no idea left on
> how to fix it and I have read the FAQs.
>
> I have an internal network of 10.10.10.0. I have a PPTP server at address
> 10.10.10.26.
>
> It is connected to the Internet at address 38.138.71.195.
>
> The local ip for the PPTP server for the tunnel is 192.168.0.100. It hands
> out the address of 192.168.0.150 for the remote client.
>
> The remote client connects to the PPTP server fine and can ping up to
> 10.10.10.26.
>
> How do I get the remote client to ping another server on the 10.10.10.0
> network?
>
> Also, I do have "proxyarp" in the options file.
>
> If I can't get this in the next day or so, I'm just going to drop it and
> look to use something else.
>
> Adam Lang
> Systems Engineer
> Rutgers Casualty Insurance Company

From aalang at rutgersinsurance.com Thu Sep 28 10:50:12 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Thu, 28 Sep 2000 11:50:12 -0400
Subject: [pptp-server] routing
References: <20000928153527.5215.qmail@web9703.mail.yahoo.com>
Message-ID: <00cd01c02963$c9695b00$330a0a0a@Adam>

Is there a way to look to see if ip forwarding is compiled in the kernel?

I set it to 1 and when I connect and try to ping past the PPTP server, I get request timed out.

Also, do I need that script for ip-up.local? (I do have it in place, just curious if it is needed).

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company

----- Original Message -----
From: "Chris Carella" To: "Adam Lang" ; "Pptp" Sent: Thursday, September 28, 2000 11:35 AM Subject: Re: [pptp-server] routing > When I first installed PoPToP, I ran into similar > problems, my problem was that ip forwarding was not > turned on. Type this command if your unsure > > cat /proc/sys/net/ipv4/ip_forward > > if you get 1.. then it is turned on, if you get 0 > to turn it on type > echo 1 > /proc/sys/net/ipv4/ip_forward > > If that doesn't work then you don't have ip forwarding > compiled into your kernel and you need to recompile > > Hope that helps > Chris > > > --- Adam Lang wrote: > > I'm still stuck on a problem from earlier. I really > > have no idea left on > > how to fix it and I have read the FAQs. > > > > I have an internal network of 10.10.10.0. I have a > > PPTP server at address > > 10.10.10.26. > > > > It is connected to the Internet at address > > 38.138.71.195. > > > > The local ip for the PPTP server for the tunnel is > > 192.168.0.100. It hands > > out the address of 192.168.0.150 for the remote > > client. > > > > The remote client connects to the PPTP server fine > > and can ping upto > > 10.10.10.26. > > > > How do I get the remote client to ping another > > server on the 10.10.10.0 > > network? > > > > Also, I do have "proxyarp" in the options file. > > > > If I can't get this in the next day or so, I'm just > > going to drop it and > > look to use something else. > > > > Adam Lang > > Systems Engineer > > Rutgers Casualty Insurance Company > > > > _______________________________________________ > > pptp-server maillist - > > pptp-server at lists.schulte.org > > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > > > > > > > > > __________________________________________________ > Do You Yahoo!? > Yahoo! Photos - 35mm Quality Prints, Now Get 15 Free! > http://photos.yahoo.com/ From kennya at carlislefsp.com Thu Sep 28 11:17:22 2000 
From: kennya at carlislefsp.com (Kenny Austin)
Date: Thu, 28 Sep 2000 11:17:22 -0500
Subject: [pptp-server] routing
In-Reply-To: <006701c02959$8203f720$330a0a0a@Adam>
Message-ID: <000c01c02967$968d8040$5f020a0a@carlislefsp.com>

As Chris Carella said, make sure that /proc/sys/net/ipv4/ip_forward is set to 1. Redhat also has a value for forwarding in another file, something like /etc/sysconf/network that needs to be set to 1.

Anyways, what is probably the real problem is that your 10.10.10.0 network doesn't know the route to your 192.168.0.0 (vpn) network. The ping is probably getting to the intranet, it is just that they try sending the reply back through their default gateway, which is more than likely off to the internet or some other place that has no clue where 192.168.0.0 is. The best way to fix this would be to add a route statement to your default router that says the network 192.168.0.0 is accessible via 10.10.10.26.

Or, if I understand proxyarp correctly, you could assign your vpn clients addresses on the same subnet as your intranet, and with proxyarp on, the vpn server would proxy the vpn clients' arp address/ip address to itself, thus receiving the packets itself and passing them on to the correct vpn client... If you go with the first suggestion (what you are doing now/what I prefer myself), which is having all of the vpn clients on their own subnet, you can disable the proxyarp option.

I hope I have actually been helpful, let me know if there is anything else I can do.

Kenny Austin
kennya at carlislefsp.com

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Adam Lang Sent: Thursday, September 28, 2000 9:37 AM To: Pptp Subject: [pptp-server] routing I'm still stuck on a problem from earlier. I really have no idea left on how to fix it and I have read the FAQs. I have an internal network of 10.10.10.0. I have a PPTP server at address 10.10.10.26. It is connected to the Internet at address 38.138.71.195. The local ip for the PPTP server for the tunnel is 192.168.0.100. It hands out the address of 192.168.0.150 for the remote client. The remote client connects to the PPTP server fine and can ping upto 10.10.10.26. How do I get the remote client to ping another server on the 10.10.10.0 network? Also, I do have "proxyarp" in the options file. If I can't get this in the next day or so, I'm just going to drop it and look to use something else. Adam Lang Systems Engineer Rutgers Casualty Insurance Company _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From aalang at rutgersinsurance.com Thu Sep 28 11:23:45 2000 From: aalang at rutgersinsurance.com (Adam Lang) Date: Thu, 28 Sep 2000 12:23:45 -0400 Subject: [pptp-server] routing References: <000c01c02967$968d8040$5f020a0a@carlislefsp.com> Message-ID: <00f301c02968$79b952e0$330a0a0a@Adam> So I should add the routing information to my Internet router (since that is the default gateway)? I was assuming it was a routing problem, but am not sure how to have fixed it. Adam Lang Systems Engineer Rutgers Casualty Insurance Company ----- Original Message ----- 
From: "Kenny Austin" To: "'Adam Lang'" ; Sent: Thursday, September 28, 2000 12:17 PM Subject: RE: [pptp-server] routing > As Christ Carella said, make sure that /proc/sys/net/ipv4/ip_forward is > set to 1. Redhat also has a value for forwarding in another file, > something like /etc/sysconf/network that needs to be set to 1. > Anyways, what is probably the really problem is that your 10.10.10.0 > networks doesn't know the route to your 192.168.0.0 (vpn) network. > The ping is probably getting to the intranet, it is just that they > try sending the reply back through their default gateway, which is > more then likely off ot the internet or some other places that has no > clue where 192.168.0.0 is. The best way to fix this would be to add > a route statement to your default router that says the network > 192.168.0.0 is accessible via 10.10.10.26. > Or, if i understand proxyarp correctly, you could assign your vpn > clients addresses on the same subnet as your intranet, and with proxyarp > on, the vpn server would proxy the vpn clients arp address/ip address to > itself, thus receiving the packets itself and passing them on to the correct > vpn client... if you go with the first suggest (what you are doing now/what > i prefer myself), which is having all of the vpn clients on their own > subnet, > you can disable the proxyarp option. > I hope i have actually be helpful, let me know if there is anything else i > can do. > Kenny Austin > kennya at carlislefsp.com > > -----Original Message----- 
> From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Adam Lang > Sent: Thursday, September 28, 2000 9:37 AM > To: Pptp > Subject: [pptp-server] routing > > > I'm still stuck on a problem from earlier. I really have no idea left on > how to fix it and I have read the FAQs. > > I have an internal network of 10.10.10.0. I have a PPTP server at address > 10.10.10.26. > > It is connected to the Internet at address 38.138.71.195. > > The local ip for the PPTP server for the tunnel is 192.168.0.100. It hands > out the address of 192.168.0.150 for the remote client. > > The remote client connects to the PPTP server fine and can ping upto > 10.10.10.26. > > How do I get the remote client to ping another server on the 10.10.10.0 > network? > > Also, I do have "proxyarp" in the options file. > > If I can't get this in the next day or so, I'm just going to drop it and > look to use something else. > > Adam Lang > Systems Engineer > Rutgers Casualty Insurance Company > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > > From kennya at carlislefsp.com Thu Sep 28 11:27:55 2000 
From: kennya at carlislefsp.com (Kenny Austin)
Date: Thu, 28 Sep 2000 11:27:55 -0500
Subject: [pptp-server] Auth mechanism...
In-Reply-To: <00092811233100.00896@raindrop>
Message-ID: <000d01c02969$0f3636d0$5f020a0a@carlislefsp.com>

Post the patch, that way in a few months when I decide I want it, I can spend a few hours on google searching the mailing list archives, and maybe find it again. I hope this stuff gets added to the d/l section of the new website.

..about authenticating, you could use a proxy server that requires you to log on to it, or have your dhcp server not give out a default router/a fake one and have your users log on to a samba/NT domain that has a route statement in their startup scripts that adds the correct router to the machine? The only problems I can think of with that are that the PDC would have to be on the same subnet, but it probably already is, and that if a user logged off the machine without restarting it, someone else could come along and bypass the logon screen and still have access to the internet unless you set windows to require users to log on....

just some ideas..

Kenny Austin
kennya at carlislefsp.com

----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Faisal P Sent: Thursday, September 28, 2000 10:03 AM To: Pptp Subject: [pptp-server] Auth mechanism... Hi ppl, I have a somewhat unique problem here.... We have a network that consists of a bunch of clients that need to access the Internet. They are on ethernet. We need them to authenticate before they can reach the Internet. The problem is we actually needed to implement authenticated dhcp, but there no implementations that I know that exist at this point. So finally we decided to go in for a VPN between the client and the server running pptp. This allows to authenticate using regular CHAP and windoze ppl can use it pretty easily. It also allows us to control who goes thru us etc. Now we also needed ldap support with pptp, so I patched pppd to support a generalized authentication mechanism (like the @file in the chap-secrets file, if you put |program, pppd will now ask program to actually fetch the password. So even chap works, provided the LDAP server can provide clear-text passwords.) No, it isn't as insecure as it looks. I have taken care of that. But the problem is that, before I had left for a holiday, I had this mechanism working perfectly. We then had to reinstall the server. Now I can't even get the pptp to work if I just patch pppd to use mppe. With noauth in the /etc/ppp/options file, everything is fine (yeah right) but without it, I get the 'GRE: could not read from PTY' error. I could not find a solution for it on the mailing list that was really helpful. Now I suspect that pppd is dying when it's asked to authenticate, but I can't figure how. It used to work perfectly earlier. (reminds me of my Windoze days) Anyways, if anyone has any ideas, please let me know. I'll post the full error logs later tomorrow.. BTW, if anyone wants the pppd patch that adds support for generalized password retrieval, plese let me know. I'll post it. 
Another more important question is: Am I doing this right ? I mean, all I really need is authentication on an ethernet network. I'm sure this pptp thing is overkill in some aspects. If anyone has any better ideas on how I could achieve this, it would be greatly appreciated. thanx again. Faisal. _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From aalang at rutgersinsurance.com Thu Sep 28 11:54:13 2000 From: aalang at rutgersinsurance.com (Adam Lang) Date: Thu, 28 Sep 2000 12:54:13 -0400 Subject: Fw: [pptp-server] routing Message-ID: <011c01c0296c$bb3fc7e0$330a0a0a@Adam> Adam Lang Systems Engineer Rutgers Casualty Insurance Company ----- Original Message ----- From: "Adam Lang" To: Sent: Thursday, September 28, 2000 12:53 PM Subject: Re: [pptp-server] routing > Also, is it possible to just add a static route to the target computer? The > VPN is going to only access one internal computer. I was trying that, but I > couldn't get a route add line to stick. > > Adam Lang > Systems Engineer > Rutgers Casualty Insurance Company > ----- Original Message ----- > From: "Kenny Austin" > To: "'Adam Lang'" > Sent: Thursday, September 28, 2000 12:35 PM > Subject: RE: [pptp-server] routing > > > > If your internet router is the intranet's default router, yes. > > Tell your internet router that 10.10.10.29 is the gateway for the > > 192.168.0.0 network, > > and make sure that it doesn't allow internet traffic to get there. > > If it still doesn't work then you need to checkout the setup of your vpn > > server, ie: routing enabled, ipchains not denying it, etc. > > Kenny Austin > > kennya at carlislefsp.com > > > > -----Original Message----- 
> > From: Adam Lang [mailto:aalang at rutgersinsurance.com] > > Sent: Thursday, September 28, 2000 11:24 AM > > To: kennya at carlislefsp.com; pptp-server at lists.schulte.org > > Subject: Re: [pptp-server] routing > > > > > > So I should add the routing information to my Internet router (since that > is > > the default gateway)? > > > > I was assuming it was a routing problem, but am not sure how to have fixed > > it. > > > > Adam Lang > > Systems Engineer > > Rutgers Casualty Insurance Company > > ----- Original Message ----- 
> > From: "Kenny Austin" > > To: "'Adam Lang'" ; > > > > Sent: Thursday, September 28, 2000 12:17 PM > > Subject: RE: [pptp-server] routing > > > > > > > As Christ Carella said, make sure that /proc/sys/net/ipv4/ip_forward is > > > set to 1. Redhat also has a value for forwarding in another file, > > > something like /etc/sysconf/network that needs to be set to 1. > > > Anyways, what is probably the really problem is that your 10.10.10.0 > > > networks doesn't know the route to your 192.168.0.0 (vpn) network. > > > The ping is probably getting to the intranet, it is just that they > > > try sending the reply back through their default gateway, which is > > > more then likely off ot the internet or some other places that has no > > > clue where 192.168.0.0 is. The best way to fix this would be to add > > > a route statement to your default router that says the network > > > 192.168.0.0 is accessible via 10.10.10.26. > > > Or, if i understand proxyarp correctly, you could assign your vpn > > > clients addresses on the same subnet as your intranet, and with proxyarp > > > on, the vpn server would proxy the vpn clients arp address/ip address to > > > itself, thus receiving the packets itself and passing them on to the > > correct > > > vpn client... if you go with the first suggest (what you are doing > > now/what > > > i prefer myself), which is having all of the vpn clients on their own > > > subnet, > > > you can disable the proxyarp option. > > > I hope i have actually be helpful, let me know if there is anything else > i > > > can do. > > > Kenny Austin > > > kennya at carlislefsp.com > > > > > > -----Original Message----- 
> > > From: pptp-server-admin at lists.schulte.org > > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Adam Lang > > > Sent: Thursday, September 28, 2000 9:37 AM > > > To: Pptp > > > Subject: [pptp-server] routing > > > > > > > > > I'm still stuck on a problem from earlier. I really have no idea left > on > > > how to fix it and I have read the FAQs. > > > > > > I have an internal network of 10.10.10.0. I have a PPTP server at > address > > > 10.10.10.26. > > > > > > It is connected to the Internet at address 38.138.71.195. > > > > > > The local ip for the PPTP server for the tunnel is 192.168.0.100. It > > hands > > > out the address of 192.168.0.150 for the remote client. > > > > > > The remote client connects to the PPTP server fine and can ping upto > > > 10.10.10.26. > > > > > > How do I get the remote client to ping another server on the 10.10.10.0 > > > network? > > > > > > Also, I do have "proxyarp" in the options file. > > > > > > If I can't get this in the next day or so, I'm just going to drop it and > > > look to use something else. > > > > > > Adam Lang > > > Systems Engineer > > > Rutgers Casualty Insurance Company > > > > > > _______________________________________________ > > > pptp-server maillist - pptp-server at lists.schulte.org > > > http://lists.schulte.org/mailman/listinfo/pptp-server > > > List services provided by www.schulteconsulting.com! > > > > > > > > > > > From aalang at rutgersinsurance.com Thu Sep 28 13:05:21 2000 
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Thu, 28 Sep 2000 14:05:21 -0400
Subject: [pptp-server] routing
References: <000301c02973$a2d01e60$0d01a8c0@mtmc1.on.wave.home.com>
Message-ID: <014c01c02976$aabd8240$330a0a0a@Adam>

Ok, I got it up and running. This is what the deal was:

IP_forwarding was setup all along (RedHat 6.2). I had the network and VPN
set up correctly. The ONE thing I was missing was the static route so that
the computers inside the network could find the VPN gateway. As an AS/400
is the only system to be connected to, I added the static route to it
(network=192.168.0.0 subnet=255.255.255.0 gateway=10.10.10.26) and it
worked.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Joseph Wong (PSII)"
To: "'Adam Lang'"
Sent: Thursday, September 28, 2000 1:43 PM
Subject: RE: [pptp-server] routing


> Adam:
>
> Did you add route to the 10.10.10.0 segment ?
>
> For a win98 client, I would expect to add something like this :
> route add 10.10.10.0 MASK 255.255.255.0 192.168.0.150
>
> regards
> joe
>
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Adam Lang
> > Sent: Thursday, September 28, 2000 10:37 AM
> > To: Pptp
> > Subject: [pptp-server] routing
> >
> >
> > I'm still stuck on a problem from earlier. I really have no idea left on
> > how to fix it and I have read the FAQs.
> >
> > I have an internal network of 10.10.10.0. I have a PPTP server at address
> > 10.10.10.26.
> >
> > It is connected to the Internet at address 38.138.71.195.
> >
> > The local ip for the PPTP server for the tunnel is 192.168.0.100. It hands
> > out the address of 192.168.0.150 for the remote client.
> >
> > The remote client connects to the PPTP server fine and can ping up to
> > 10.10.10.26.
> >
> > How do I get the remote client to ping another server on the 10.10.10.0
> > network?
> >
> > Also, I do have "proxyarp" in the options file.
> >
> > If I can't get this in the next day or so, I'm just going to drop it and
> > look to use something else.
> >
> > Adam Lang
> > Systems Engineer
> > Rutgers Casualty Insurance Company
> >
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
> >

From natecars at real-time.com Thu Sep 28 14:14:59 2000
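
The return-path problem from the routing thread above (Kenny Austin's diagnosis, Adam Lang's static-route fix), as an added example that is not part of any list message: a longest-prefix route lookup from an intranet host's point of view, which also covers Kenny's proxyarp alternative. The default gateway 10.10.10.1 and the in-subnet client address 10.10.10.150 are assumptions; the other addresses are the thread's.

```python
import ipaddress

PPTP_SERVER_LAN = "10.10.10.26"   # PPTP server's intranet address (from the thread)
DEFAULT_GW = "10.10.10.1"         # assumed: the thread never names the default gateway
ON_LINK = None                    # marker for "deliver directly on the local segment"

# Routing table of an intranet host (for example the AS/400) before the fix.
HOST_ROUTES = [("10.10.10.0/24", ON_LINK), ("0.0.0.0/0", DEFAULT_GW)]
# The same table after adding the static route Adam describes.
HOST_ROUTES_FIXED = HOST_ROUTES + [("192.168.0.0/24", PPTP_SERVER_LAN)]


def next_hop(routes, dst):
    """Longest-prefix match; returns the gateway, or dst itself when on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, gateway in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise LookupError("no route to " + dst)
    return dst if best[1] is ON_LINK else best[1]


def reply_path(routes, client_ip, proxy_arp_for=()):
    """Where an intranet host sends its ping reply for a VPN client address."""
    hop = next_hop(routes, client_ip)
    if hop == PPTP_SERVER_LAN:
        return "pptp-server"                  # routed back into the tunnel
    if hop == client_ip:
        # Client address is inside the intranet subnet: the host ARPs for it,
        # and only a proxyarp entry on the PPTP server answers.
        return "pptp-server (proxy ARP)" if client_ip in proxy_arp_for else "ARP unanswered"
    return "via " + hop                       # leaves through another gateway


if __name__ == "__main__":
    print(reply_path(HOST_ROUTES, "192.168.0.150"))
    print(reply_path(HOST_ROUTES_FIXED, "192.168.0.150"))
    print(reply_path(HOST_ROUTES, "10.10.10.150", proxy_arp_for=("10.10.10.150",)))
```
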
From: natecars at real-time.com (Nate Carlson)
Date: Thu, 28 Sep 2000 14:14:59 -0500 (CDT)
Subject: [pptp-server] PPTP client for SunOS5.7
In-Reply-To: <20000925185948.718.qmail@web3301.mail.yahoo.com>
Message-ID:

On Mon, 25 Sep 2000, Lishuang Dong wrote:

> does anybody test the PPTP client on SunOS5.7 with
> network card?
>
> I installed PPTP package without PPPD, and when I run
> "pptp host_IPaddress", I
> got the error "Error: No such file or directory".
>
> thank you for your help!
>
> lisa

Lisa,

AFAIK, anything PPTP requires PPP. Try installing pppd, even though you
are using a network card instead of a modem.

--
Nate Carlson | Phone : (952)943-8700
http://www.real-time.com | Fax : (952)943-8500

From htcengrs at pacbell.net Thu Sep 28 20:21:57 2000
From: htcengrs at pacbell.net (Waleed Alrawi)
Date: Thu, 28 Sep 2000 18:21:57 -0700
Subject: [pptp-server] REMOVE ME
Message-ID:

HOW DO I REMOVE MY EMAIL ADDRESS OFF THE LIST

THANKS IN ADVANCE

From alan at silveregg.co.jp Thu Sep 28 21:59:33 2000
From: alan at silveregg.co.jp (Alan Chung)
Date: Fri, 29 Sep 2000 11:59:33 +0900
Subject: [pptp-server] looking for help with pptp through ipchains
Message-ID: <4.2.0.58.J.20000929115927.00a6a4b0@pear.silveregg.co.jp>

Hi, everyone,

I am really hoping if anyone can help me with this problem about ipchains.
Hi,

I hope someone out there can help me with this.

I have a pptp server behind an ipchains linux firewall. The following is my
setup:

210.12.130.172 --> internal pptp server's external IP (an IP alias on firewall)
210.12.130.0/24 --> network/mask of firewall
192.168.0.5 --> internal pptp server's internal IP

# port forwarding for 1723
ipmasqadm portfw -a -P tcp -L 210.12.130.172 1723 -R 192.168.0.5 1723

# redirect protocol 47
/usr/local/sbin/ipfwd --masq --syslog 192.168.0.5 47 &

# ipchains part for VPN
$IPCHAINS -A input -p tcp -s 0/0 -d 210.12.130.0/24 1723 -j ACCEPT
$IPCHAINS -A input -p 47 -s 0/0 -d 210.12.130.0/24 -j ACCEPT

$IPCHAINS -A output -p tcp -s 210.12.130.0/24 -d 0/0 1723 -j ACCEPT
$IPCHAINS -A output -p 47 -s 210.12.130.0/24 -d 0/0 -j ACCEPT

$IPCHAINS -A forward -p tcp -s 192.168.0.5/24 -d 210.12.130.172/24 1723 -j MASQ
$IPCHAINS -A forward -p 47 -s 192.168.0.5/24 -d 210.12.130.172/24 -j MASQ

I have patched ip_vpn_masq and compiled my kernel 2.2.14 already and
everything looks just fine for me. When I tried to connect to the internal
pptp server from outside through the ipchains box, it seems that connection
was built (tail -f /var/log/messages on pptp server) but got a 650 error
which means 47 and 1723 is not going through properly. Does anyone have a
similar experience?

Looking for help and any feedback is appreciated.

Alan

From Cobb42 at aol.com Thu Sep 28 22:35:15 2000
From: Cobb42 at aol.com (Cobb42 at aol.com)
Date: Thu, 28 Sep 2000 23:35:15 EDT
Subject: [pptp-server] remove PLEASE!
Message-ID: <60.74de2f0.270567f3@aol.com>

PLEASE REMOVE MY NAME FROM YOUR LIST!
THANK YOU

From tdn at stack.ru Thu Sep 28 23:35:39 2000
From: tdn at stack.ru (Dmitry Tolpanov)
Date: Fri, 29 Sep 2000 11:35:39 +0700
Subject: [pptp-server] Problem.
Message-ID: <12568886653.20000929113539@cons.tsk.ru>

I've just installed pptp server on FreeBSD.
When I try to connect with it the following error occurred:

pptp: Configuration label not found

What does it mean? Maybe there is a kind of misconfiguration.

Thanks.

Dmitry.

From ed at schernau.com Fri Sep 29 00:05:34 2000
From: ed at schernau.com (Edward Schernau)
Date: Fri, 29 Sep 2000 01:05:34 -0400
Subject: [pptp-server] remove PLEASE!
References: <60.74de2f0.270567f3@aol.com>
Message-ID: <39D4231E.8E081C61@schernau.com>

NO! Hahahaha! You're trapped. Or maybe try
unsubscribing...

Cobb42 at aol.com wrote:
>
> PLEASE REMOVE MY NAME FROM YOUR LIST!
> THANK YOU
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From Steve.Cowles at infohiiway.com Fri Sep 29 01:01:36 2000
From: Steve.Cowles at infohiiway.com (Cowles, Steve)
Date: Fri, 29 Sep 2000 01:01:36 -0500
Subject: [pptp-server] looking for help with pptp through ipchains
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE545@defiant.infohiiway.com>

I run a masq'd PPTP server such as what you are describing. See my comments
below.

Steve Cowles

> -----Original Message-----
> From: Alan Chung [mailto:alan at silveregg.co.jp]
> Sent: Thursday, September 28, 2000 10:00 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] looking for help with pptp through ipchains
>
>
> Hi, everyone,
>
> I am really hoping if anyone can help me with this problem
> about ipchains.
> Hi,
>
> I hope someone out there can help me with this.
>
> I have a pptp server behind an ipchains linux firewall. The
> following is my setup:
>
> 210.12.130.172 --> internal pptp server's external IP (an
> IP alias on firewall)

Huh!! IP aliasing (in the linux world) allows you to bind multiple IP
addresses to one interface. Does your firewall have 2 interfaces? One that
is public (external) and one that is private (internal). If I'm
interpreting your post correctly, the above IP address is bound to either
eth0 or eth1 which is physically connected to internet (public side).

> 210.12.130.0/24 --> network/mask of firewall
> 192.168.0.5 --> internal pptp server's internal IP

So that the rest of my post makes sense and to verify that I am
interpreting your post correctly, I am assuming the following...

210.12.130.172/24 = public (external) IP address of firewall
192.168.0.1/24 = private (internal) IP address of firewall
192.168.0.5 = IP address of masq'd PPTP server

>
> # port forwarding for 1723
> ipmasqadm portfw -a -P tcp -L 210.12.130.172 1723 -R 192.168.0.5 1723
>
> # redirect protocol 47
> /usr/local/sbin/ipfwd --masq --syslog 192.168.0.5 47 &
>

If the IP address of your MASQ'd PPTP server is 192.168.0.5, then the above
ipmasqadm/ipfwd commands look to be correct.

> # ipchains part for VPN
> $IPCHAINS -A input -p tcp -s 0/0 -d 210.12.130.0/24 1723 -j ACCEPT
> $IPCHAINS -A input -p 47 -s 0/0 -d 210.12.130.0/24 -j ACCEPT

I have never tried the above ipchain syntax, but it looks sound. Although,
I think I would specify the external IP address (210.12.130.172/32) instead
of the network address for the destination.
On my firewall, I specify the external interface to achieve the same
results of ACCEPTING proto 47/port 1723 on the input chain:

ipchains -A input -p TCP -i eth1 --dport 1723 -j ACCEPT
ipchains -A input -p 47 -i eth1 -j ACCEPT

>
> $IPCHAINS -A output -p tcp -s 210.12.130.0/24 -d 0/0 1723 -j ACCEPT
> $IPCHAINS -A output -p 47 -s 210.12.130.0/24 -d 0/0 -j ACCEPT
>

I can't really offer much as far as examples on the output chain. Until you
get this working (on your input chain), you might consider setting your
default "output" policy to ACCEPT. Then tighten up your output rules as
needed.

> $IPCHAINS -A forward -p tcp -s 192.168.0.5/24 -d 210.12.130.172/24 1723 -j MASQ
> $IPCHAINS -A forward -p 47 -s 192.168.0.5/24 -d 210.12.130.172/24 -j MASQ

Since you are running a "masq'd" PPTP server, the above "forwarding" rules
are NOT needed and are probably causing you all of your problems. ipmasqadm
and ipfwd are already "port forwarding/masqing" your inbound connection to
your masq'd pptp server. I really have no way to verify this, but my
assumption would be "including the above forwarding rules would probably
re-masq - already masq'd packets". Which would never work in this case.

>
> I have patched ip_vpn_masq and compiled my kernel 2.2.14 already and
> everything looks just fine for me. When I tried to connect
> to the internal pptp server from outside through the ipchains box,
> it seems that connection was built (tail -f /var/log/messages on pptp
> server) but got a 650 error which means 47 and 1723 is not going
> through properly. Does anyone have a similar experience?

If you have patched your kernel with John Hardin's VPN patches, make sure
that the module "ip_masq_pptp.o" is loaded. i.e. insmod ip_masq_pptp

Just my two cents.

>
> Looking for help and any feedback is appreciated.
>
> Alan
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>

From beutner at algonet.se Fri Sep 29 02:44:33 2000
From: beutner at algonet.se (Magnus Beutner)
Date: Fri, 29 Sep 2000 09:44:33 +0200
Subject: [pptp-server] Problem.
References: <12568886653.20000929113539@cons.tsk.ru>
Message-ID: <002401c029e9$1d0bdf50$1e7511ac@datorteket.lan>

Hi

I'm glad I can help on this one...
It means what it says, in Your configuration file (ppp.conf) You probably
have a line saying:

default:
 [any directives that should be valid all times]

What You are missing is a line (label) saying:

pptp:
 [directives special for this type of connection]

If You intend to have the ppp-daemon for this single purpose (pptp), You
can fill all of Your directives in either one and delete all the remaining
'labels'.

DON'T FORGET TO BACKUP ppp.conf FIRST !!!

----- Original Message -----
From: "Dmitry Tolpanov"
To:
Sent: Friday, September 29, 2000 6:35 AM
Subject: [pptp-server] Problem.


> I've just installed pptp server on FreeBSD.
> When I try to connect with it the following error occurred:
>
> pptp: Configuration label not found
>
> What does it mean? Maybe there is a kind of misconfiguration.
>
> Thanks.
>
> Dmitry.
>
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>

From stefano.pisani at eunosia.it Fri Sep 29 05:07:14 2000
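
The review points Steve Cowles raises in the ipchains thread above, as an added example that is not part of any list message: a small audit over the posted commands that flags ACCEPT rules scoped to a whole network instead of the firewall's own address, forward-chain MASQ rules that duplicate ipmasqadm/ipfwd, and (a check added here, not raised in the thread) addresses written with host bits set under the mask. The parser covers only the ipchains options that appear in the thread, and the finding names are made up for this sketch.

```python
import ipaddress
import shlex

# Commands as posted in the thread, with $IPCHAINS expanded to "ipchains".
POSTED = """\
ipmasqadm portfw -a -P tcp -L 210.12.130.172 1723 -R 192.168.0.5 1723
/usr/local/sbin/ipfwd --masq --syslog 192.168.0.5 47 &
ipchains -A input -p tcp -s 0/0 -d 210.12.130.0/24 1723 -j ACCEPT
ipchains -A input -p 47 -s 0/0 -d 210.12.130.0/24 -j ACCEPT
ipchains -A output -p tcp -s 210.12.130.0/24 -d 0/0 1723 -j ACCEPT
ipchains -A output -p 47 -s 210.12.130.0/24 -d 0/0 -j ACCEPT
ipchains -A forward -p tcp -s 192.168.0.5/24 -d 210.12.130.172/24 1723 -j MASQ
ipchains -A forward -p 47 -s 192.168.0.5/24 -d 210.12.130.172/24 -j MASQ
"""

# The same two helpers with the interface-bound input rules from the reply.
SUGGESTED = """\
ipmasqadm portfw -a -P tcp -L 210.12.130.172 1723 -R 192.168.0.5 1723
/usr/local/sbin/ipfwd --masq --syslog 192.168.0.5 47 &
ipchains -A input -p TCP -i eth1 --dport 1723 -j ACCEPT
ipchains -A input -p 47 -i eth1 -j ACCEPT
"""

FLAGS = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target",
         "--sport": "sport", "--dport": "dport"}

def _iface(spec):
    """Parse addr[/mask]; ipchains also accepts the shorthand 0/0."""
    if spec.split("/")[0] == "0":
        spec = "0.0.0.0" + spec[1:]
    return ipaddress.ip_interface(spec)

def parse_rule(tokens):
    """Turn one tokenised ipchains command into a dict of its fields."""
    rule = dict.fromkeys(["chain", "proto", "src", "dst", "sport", "dport", "iface", "target"])
    i = 1  # tokens[0] is the command name
    while i < len(tokens) - 1:
        tok, val = tokens[i], tokens[i + 1]
        i += 2
        if tok in FLAGS:
            rule[FLAGS[tok]] = val
        elif tok in ("-s", "-d"):
            side = "src" if tok == "-s" else "dst"
            rule[side] = val
            # ipchains takes an optional port right after the address
            if i < len(tokens) and not tokens[i].startswith("-"):
                rule["sport" if side == "src" else "dport"] = tokens[i]
                i += 1
        else:
            i -= 1  # unknown token: skip only that one
    rule["proto"] = (rule["proto"] or "").lower()
    return rule

def audit(text):
    """Return (finding, traffic, detail) tuples for the PPTP-related rules."""
    rules, helpers = [], set()
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        cmd = tokens[0].rsplit("/", 1)[-1]
        if cmd == "ipmasqadm" and "portfw" in tokens and "1723" in tokens:
            helpers.add("tcp/1723")   # control connection is port-forwarded
        elif cmd == "ipfwd" and "47" in tokens:
            helpers.add("proto 47")   # GRE is relayed by ipfwd
        elif cmd == "ipchains":
            rules.append(parse_rule(tokens))
    findings, accepted = [], set()
    for r in rules:
        if r["proto"] == "47":
            traffic = "proto 47"
        elif r["proto"] == "tcp" and "1723" in (r["sport"], r["dport"]):
            traffic = "tcp/1723"
        else:
            continue
        if r["chain"] == "input" and r["target"] == "ACCEPT":
            accepted.add(traffic)
            # Reply's suggestion: name the external address (/32) or the interface.
            if r["dst"] and r["iface"] is None and _iface(r["dst"]).network.prefixlen < 32:
                findings.append(("wide-destination", traffic, r["dst"]))
        if r["chain"] == "forward" and r["target"] == "MASQ" and traffic in helpers:
            # Reply's view: ipmasqadm/ipfwd already forward this traffic.
            findings.append(("redundant-forward-masq", traffic, None))
        for side in ("src", "dst"):
            spec = r[side]
            # Added check: 192.168.0.5/24 really matches all of 192.168.0.0/24.
            if spec and _iface(spec).ip != _iface(spec).network.network_address:
                findings.append(("host-bits-under-mask", traffic, spec))
    for traffic in ("tcp/1723", "proto 47"):
        if traffic not in accepted:
            findings.append(("missing-input-accept", traffic, None))
    return findings

if __name__ == "__main__":
    for finding in audit(POSTED):
        print(finding)
```
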
From: stefano.pisani at eunosia.it (Stefano Pisani)
Date: Fri, 29 Sep 2000 12:07:14 +0200
Subject: [pptp-server] Could not determine local IP address
Message-ID: <003701c029fd$0aa19440$5601a8c0@in.eunosia.it>

I have problems connecting from WinNT to Linux Box with pptpd-1.1.1 and
pptpd-1.0 (same error)
Can you help me to discover the problem?
Thank you.
Stefano - Italy

/etc/pptpd.conf
speed 115200
debug
localip 192.168.1.3
remoteip 192.168.3.1-255
#ipxnets 00001000-00001FFF
listen 213.255.51.3
pidfile /var/run/pptpd.pid

/etc/ppp/options
debug
kdebug 1
ms-dns 192.168.1.203
ms-dns 192.168.1.201
ms-wins 192.168.1.203
ms-wins 192.168.1.201
auth
+pap
proxyarp

Sep 29 11:59:00 mx pptpd[11488]: MGR: Launching /usr/local/sbin/pptpctrl to handle client
Sep 29 11:59:00 mx pptpd[11488]: CTRL: local address = 192.168.1.3
Sep 29 11:59:00 mx pptpd[11488]: CTRL: remote address = 192.168.3.1
Sep 29 11:59:00 mx pptpd[11488]: CTRL: pppd speed = 115200
Sep 29 11:59:00 mx pptpd[11488]: CTRL: pppd options file = /etc/ppp/toptions
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Client 151.21.2.8 control connection started
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Received PPTP Control Message (type: 1)
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Made a START CTRL CONN RPLY packet
Sep 29 11:59:00 mx pptpd[11488]: CTRL: I wrote 156 bytes to the client.
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Sent packet to client
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Received PPTP Control Message (type: 7)
Sep 29 11:59:00 mx pptpd[11488]: CTRL: 0 min_bps, 152 max_bps, 32 window size
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Made a OUT CALL RPLY packet
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Starting call (launching pppd, opening GRE)
Sep 29 11:59:00 mx pptpd[11488]: CTRL: pty_fd = 5
Sep 29 11:59:00 mx pptpd[11488]: CTRL: tty_fd = 6
Sep 29 11:59:00 mx pptpd[11489]: CTRL (PPPD Launcher): Connection speed = 115200
Sep 29 11:59:00 mx pptpd[11489]: CTRL (PPPD Launcher): local address = 192.168.1.3
Sep 29 11:59:00 mx pptpd[11489]: CTRL (PPPD Launcher): remote address = 192.168.3.1
Sep 29 11:59:00 mx pptpd[11488]: CTRL: I wrote 32 bytes to the client.
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Sent packet to client
Sep 29 11:59:00 mx kernel: ppp_ioctl: set dbg flags to 10000
Sep 29 11:59:00 mx kernel: ppp_ioctl: set flags to 10000
Sep 29 11:59:00 mx kernel: ppp_tty_ioctl: set xasyncmap
Sep 29 11:59:00 mx kernel: ppp_tty_ioctl: set xmit asyncmap ffffffff
Sep 29 11:59:00 mx kernel: ppp_ioctl: set flags to 10000
Sep 29 11:59:00 mx kernel: ppp_ioctl: set mru to 5dc
Sep 29 11:59:00 mx kernel: ppp_tty_ioctl: set rcv asyncmap ffffffff
Sep 29 11:59:00 mx pppd[11489]: pppd 2.3.10 started by root, uid 0
Sep 29 11:59:00 mx pppd[11489]: Using interface ppp0
Sep 29 11:59:00 mx pppd[11489]: Connect: ppp0 <--> /dev/pts/1
Sep 29 11:59:00 mx pppd[11489]: Warning - secret file /etc/ppp/pap-secrets has world and/or group access
Sep 29 11:59:00 mx pppd[11489]: sent [LCP ConfReq id=0x1 ]
Sep 29 11:59:00 mx pppd[11489]: rcvd [LCP ConfReq id=0x0 < accomp> ]
Sep 29 11:59:00 mx pppd[11489]: sent [LCP ConfRej id=0x0 ]
Sep 29 11:59:00 mx kernel: ppp: tossing frame (e0)
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Received PPTP Control Message (type: 15)
Sep 29 11:59:00 mx pptpd[11488]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Sep 29 11:59:01 mx pppd[11489]: rcvd [LCP ConfAck id=0x1 ]
Sep 29 11:59:01 mx pppd[11489]: rcvd [LCP ConfReq id=0x1 < accomp>]
Sep 29 11:59:01 mx pppd[11489]: sent [LCP EchoReq id=0x0 magic=0x2e053c33]
Sep 29 11:59:01 mx kernel: ppp_tty_ioctl: set xmit asyncmap ffffffff
Sep 29 11:59:01 mx kernel: ppp_ioctl: set flags to f010003
Sep 29 11:59:01 mx kernel: ppp_ioctl: set mru to 5dc
Sep 29 11:59:01 mx kernel: ppp_tty_ioctl: set rcv asyncmap 0
Sep 29 11:59:01 mx pptpd[11488]: CTRL: Received PPTP Control Message (type: 15)
Sep 29 11:59:01 mx pptpd[11488]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 29 11:59:01 mx kernel: ppp_ioctl: set flags to f010043
Sep 29 11:59:01 mx kernel: ppp_proto_ccp rcvd=0 code=1 flags=f010043
Sep 29 11:59:01 mx pppd[11489]: rcvd [LCP code=0xc id=0x2 00 00 0f 21 4d 53 52 41 53 56 34 2e 30 30]
Sep 29 11:59:01 mx pppd[11489]: sent [LCP CodeRej id=0x2 0c 02 00 12 00 00 0f 21 4d 53 52 41 53 56 34 2e 30 30]
Sep 29 11:59:01 mx pppd[11489]: rcvd [LCP code=0xc id=0x3 00 00 0f 21 4d 53 52 41 53 2d 31 2d 45 4e 31 30 30 35]
Sep 29 11:59:01 mx pppd[11489]: sent [LCP CodeRej id=0x3 0c 03 00 16 00 00 0f 21 4d 53 52 41 53 2d 31 2d 45 4e 31 30 30 35]
Sep 29 11:59:01 mx pppd[11489]: rcvd [PAP AuthReq id=0xa user="user" password="secret"]
Sep 29 11:59:01 mx pppd[11489]: Warning - secret file /etc/ppp/pap-secrets has world and/or group access
Sep 29 11:59:01 mx pppd[11489]: sent [PAP AuthAck id=0xa "Login ok"]
Sep 29 11:59:01 mx pppd[11489]: sent [IPCP ConfReq id=0x1 ]
Sep 29 11:59:01 mx pppd[11489]: sent [CCP ConfReq id=0x1 ]
Sep 29 11:59:01 mx pppd[11489]: rcvd [LCP EchoRep id=0x0 magic=0xf21]
Sep 29 11:59:01 mx kernel: ppp_proto_ccp rcvd=1 code=1 flags=f010043
Sep 29 11:59:01 mx kernel: ppp_proto_ccp rcvd=0 code=4 flags=f010043
Sep 29 11:59:02 mx kernel: ppp_proto_ccp rcvd=1 code=4 flags=f010043
Sep 29 11:59:02 mx kernel: ppp_proto_ccp rcvd=0 code=1 flags=f010043
Sep 29 11:59:01 mx pppd[11489]: rcvd [CCP ConfReq id=0x4 < 12 06 01 00 00 01>]
Sep 29 11:59:01 mx pppd[11489]: sent [CCP ConfRej id=0x4 < 12 06 01 00 00 01>]
Sep 29 11:59:01 mx pppd[11489]: rcvd [IPCP ConfReq id=0x5 ]
Sep 29 11:59:01 mx pppd[11489]: sent [IPCP ConfNak id=0x5 ]
Sep 29 11:59:01 mx pppd[11489]: rcvd [IPCP ConfRej id=0x1 ]
Sep 29 11:59:01 mx pppd[11489]: sent [IPCP ConfReq id=0x2 ]
Sep 29 11:59:02 mx pppd[11489]: rcvd [CCP ConfRej id=0x1 ]
Sep 29 11:59:02 mx pppd[11489]: sent [CCP ConfReq id=0x2]
Sep 29 11:59:02 mx kernel: ppp_proto_ccp rcvd=1 code=5 flags=f010043
Sep 29 11:59:02 mx kernel: ppp_proto_ccp rcvd=0 code=6 flags=f010043
Sep 29 11:59:02 mx pppd[11489]: rcvd [CCP TermReq id=0x6 00 00 02 dc]
Sep 29 11:59:02 mx pppd[11489]: sent [CCP TermAck id=0x6]
Sep 29 11:59:02 mx pppd[11489]: rcvd [IPCP ConfReq id=0x7 ]
Sep 29 11:59:02 mx pppd[11489]: sent [IPCP ConfAck id=0x7 ]
Sep 29 11:59:02 mx pppd[11489]: rcvd [IPCP ConfRej id=0x2 ]
Sep 29 11:59:02 mx pppd[11489]: sent [IPCP ConfReq id=0x3]
Sep 29 11:59:02 mx kernel: ppp_ioctl: set flags to f01004b
Sep 29 11:59:02 mx kernel: ppp: set np 0 to 1
Sep 29 11:59:02 mx pppd[11489]: rcvd [IPCP ConfAck id=0x3]
Sep 29 11:59:02 mx pppd[11489]: Could not determine local IP address
Sep 29 11:59:02 mx pppd[11489]: sent [IPCP TermReq id=0x4 "Could not determine local IP address"]
Sep 29 11:59:03 mx kernel: ppp0: ccp closed
Sep 29 11:59:03 mx kernel: ppp_ioctl: set flags to f01000b
Sep 29 11:59:03 mx kernel: ppp_tty_ioctl: set xmit asyncmap ffffffff
Sep 29 11:59:03 mx kernel: ppp_ioctl: set flags to f010008
Sep 29 11:59:03 mx kernel: ppp_ioctl: set mru to 5dc
Sep 29 11:59:03 mx kernel: ppp_tty_ioctl: set rcv asyncmap 0
Sep 29 11:59:03 mx pppd[11489]: rcvd [IPCP TermAck id=0x4]
Sep 29 11:59:03 mx pppd[11489]: sent [LCP TermReq id=0x4 "No network protocols running"]
Sep 29 11:59:03 mx pptpd[11488]: CTRL: Received PPTP Control Message (type: 15)
Sep 29 11:59:03 mx pptpd[11488]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 29 11:59:03 mx kernel: ppp: channel ppp0 closing.
Sep 29 11:59:03 mx kernel: ppp0 released
Sep 29 11:59:03 mx kernel: ppp0: ccp closed
Sep 29 11:59:03 mx pptpd[11487]: MGR: Reaped child 11488
Sep 29 11:59:03 mx pptpd[11488]: Error reading from pppd: Input/output error
Sep 29 11:59:03 mx pptpd[11488]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Sep 29 11:59:03 mx pptpd[11488]: CTRL: Client 151.21.2.8 control connection finished
Sep 29 11:59:03 mx pptpd[11488]: CTRL: Exiting now
Sep 29 11:59:03 mx pppd[11489]: rcvd [LCP TermAck id=0x4]
Sep 29 11:59:03 mx pppd[11489]: Connection terminated.
Sep 29 11:59:03 mx pppd[11489]: Connect time 0.1 minutes.
Sep 29 11:59:03 mx pppd[11489]: Sent 569 bytes, received 549 bytes.
Sep 29 11:59:03 mx pppd[11489]: Exit.

From chavant at geosys.fr Fri Sep 29 05:08:00 2000
From: chavant at geosys.fr (Jean-Paul Chavant)
Date: Fri, 29 Sep 2000 12:08:00 +0200
Subject: [pptp-server] ping problem
Message-ID: <000701c029fd$25af8b20$7c03a8c0@pcjpc.geosys.fr>

Hello,

here is my architecture :

LAN0}---PPTP Server----(public zone)----INTERNET-----USWEST----(cisco675)----{LAN1
| |
client0 WANADOO (ISP)
|
client1

A. My client0 can connect ping and browse the network (Samba with IP
address)

B. My client1 and my computer on LAN1 can only connect. They can't ping. If
I ping them, icmp packets go to the distant computer but they never come
back ...

Which is the difference between A and B ? Why A can do everything he wants
and not B ? the configuration is the same (they all can connect and only A
can ping ...) ?

I don't see where is the problem ...

JPaul

From mtr at iwk.dk Fri Sep 29 06:02:34 2000
From: mtr at iwk.dk (Morten Troen)
Date: Fri, 29 Sep 2000 13:02:34 +0200
Subject: [pptp-server] IPSec over PPTP.
Message-ID: <001a01c02a04$c52a1880$019b11ac@IDANTDOM>

Hi pptp-list,

I hope I'm not ripping up in an old discussion, but I would like a
description on how to set up IPSec over PPTP.
I'm a fairly new member of the list so I've only received the latest mail
about IPSec over PPTP, and I'm currently looking through the archives for a
description.
If anyone could give me a hint or a description it would be great.

Morten Troen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aalang at rutgersinsurance.com Fri Sep 29 07:42:05 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Fri, 29 Sep 2000 08:42:05 -0400
Subject: [pptp-server] REMOVE ME
References:
Message-ID: <000701c02a12$ac54f240$330a0a0a@Adam>

Click on the link at the bottom of the message, and follow the directions.
(the http: link)

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Waleed Alrawi"
To:
Sent: Thursday, September 28, 2000 9:21 PM
Subject: [pptp-server] REMOVE ME


> HOW DO I REMOVE MY EMAIL ADDRESS OFF THE LIST
>
> THANKS IN ADVANCE
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From aalang at rutgersinsurance.com Fri Sep 29 07:46:33 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Fri, 29 Sep 2000 08:46:33 -0400
Subject: [pptp-server] remove PLEASE!
References: <60.74de2f0.270567f3@aol.com> <39D4231E.8E081C61@schernau.com>
Message-ID: <001b01c02a13$4c0f7300$330a0a0a@Adam>

Haven't you noticed with many list groups, the people that sign themselves
up expect others to get them off the list. They're lucky that there is an
easy way to do it.

Call your ISP, and change your email address. That way you will no longer
get messages from the list. :)

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Edward Schernau"
To:
Sent: Friday, September 29, 2000 1:05 AM
Subject: Re: [pptp-server] remove PLEASE!


> NO! Hahahaha! You're trapped. Or maybe try
> unsubscribing...
>
> Cobb42 at aol.com wrote:
> >
> > PLEASE REMOVE MY NAME FROM YOUR LIST!
> > THANK YOU
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From aalang at rutgersinsurance.com Fri Sep 29 07:50:49 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Fri, 29 Sep 2000 08:50:49 -0400
Subject: [pptp-server] IPSec over PPTP.
References: <001a01c02a04$c52a1880$019b11ac@IDANTDOM>
Message-ID: <003401c02a13$e5048dc0$330a0a0a@Adam>

I'd assume if you want to use IPSEC, you should use Freeswan. IPSec is its
inherent protocol. As far as I know with that though, is that you need to
use a client besides microsoft VPN. (Apparently there are ones to download
for free).

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Morten Troen"
To:
Sent: Friday, September 29, 2000 7:02 AM
Subject: [pptp-server] IPSec over PPTP.


Hi pptp-list,

I hope I'm not ripping up in an old discussion, but I would like a
description on how to set up IPSec over PPTP.
I'm a fairly new member of the list so I've only received the latest mail
about IPSec over PPTP, and I'm currently looking through the archives for a
description.
If anyone could give me a hint or a description it would be great.

Morten Troen.

From aalang at rutgersinsurance.com Fri Sep 29 07:51:57 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Fri, 29 Sep 2000 08:51:57 -0400
Subject: [pptp-server] ping problem
References: <000701c029fd$25af8b20$7c03a8c0@pcjpc.geosys.fr>
Message-ID: <003d01c02a14$0d47dda0$330a0a0a@Adam>

It would be assumed that that is a routing issue. Do the computers you are
pinging know how to find client1? I'd check all your routing tables.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Jean-Paul Chavant"
To: "Pptp"
Sent: Friday, September 29, 2000 6:08 AM
Subject: [pptp-server] ping problem


> Hello,
>
> here is my architecture :
>
>
>
> LAN0}---PPTP Server----(public zone)----INTERNET-----USWEST----(cisco675)----{LAN1
> | |
> client0 WANADOO (ISP)
> |
> client1
>
> A. My client0 can connect ping and browse the network (Samba with IP
> address)
>
> B. My client1 and my computer on LAN1 can only connect. They can't ping. If
> I ping them, icmp packets go to the distant computer but they never come
> back ...
>
> Which is the difference between A and B ? Why A can do everything he wants
> and not B ? the configuration is the same (they all can connect and only A
> can ping ...) ?
>
> I don't see where is the problem ...
>
> JPaul
>
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From ed at schernau.com Fri Sep 29 08:06:49 2000
From: ed at schernau.com (Edward Schernau)
Date: Fri, 29 Sep 2000 09:06:49 -0400
Subject: [pptp-server] PPTP encryption or IPSEC
Message-ID: <39D493E9.85262CAB@schernau.com>

Previous post brought up an interesting point.

To get from point A to point B, possibly from inside
firewalls, but across the Internet, what's the best
way?

Use PPTP with encryption, or PPTP (to get a remote
address - just pure tunnelling) and then run IPSEC to
scramble up the bits?
--
Edward Schernau, mailto:ed at schernau.com
Network Architect http://www.schernau.com
RC5-64#: 243249 e-gold acct #:131897

From aalang at rutgersinsurance.com Fri Sep 29 08:42:49 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Fri, 29 Sep 2000 09:42:49 -0400
Subject: [pptp-server] ping problem
References: <001301c02a17$9a6b1fa0$7c03a8c0@pcjpc.geosys.fr>
Message-ID: <00c301c02a1b$288285a0$330a0a0a@Adam>

Have you tried connecting to the network over VPN the same way as client0
does? (Same internet connection, etc.)

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Jean-Paul Chavant"
To: "Adam Lang"
Sent: Friday, September 29, 2000 9:17 AM
Subject: RE: [pptp-server] ping problem


> client0 and client1 are virtually on the same network. So if I can ping
> client0 from anywhere, I will be able to do the same thing to client1. OR
> it's not real ... :(
>
> JPaul
>
> | -----Original Message-----
> | From: Adam Lang [mailto:aalang at rutgersinsurance.com]
> | Sent: vendredi 29 septembre 2000 14:52
> | To: chavant at geosys.fr; Pptp
> | Subject: Re: [pptp-server] ping problem
> |
> |
> | It would be assumed that that is a routing issue. Do the computers you
> | are pinging know how to find client1? I'd check all your routing tables.
> |
> | Adam Lang
> | Systems Engineer
> | Rutgers Casualty Insurance Company
> | ----- Original Message -----
> | From: "Jean-Paul Chavant"
> | To: "Pptp"
> | Sent: Friday, September 29, 2000 6:08 AM
> | Subject: [pptp-server] ping problem
> |
> |
> | > Hello,
> | >
> | > here is my architecture :
> | >
> | >
> | >
> | > LAN0}---PPTP Server----(public zone)----INTERNET-----USWEST----(cisco675)----{LAN1
> | > | |
> | > client0 WANADOO (ISP)
> | > |
> | > client1
> | >
> | > A. My client0 can connect ping and browse the network (Samba with IP
> | > address)
> | >
> | > B. My client1 and my computer on LAN1 can only connect. They can't
> | > ping. If I ping them, icmp packets go to the distant computer but
> | > they never come back ...
> | >
> | > Which is the difference between A and B ? Why A can do everything he
> | > wants and not B ? the configuration is the same (they all can connect
> | > and only A can ping ...) ?
> | >
> | > I don't see where is the problem ...
> | >
> | > JPaul
> | >
> | >
> | > _______________________________________________
> | > pptp-server maillist - pptp-server at lists.schulte.org
> | > http://lists.schulte.org/mailman/listinfo/pptp-server
> | > List services provided by www.schulteconsulting.com!
> |

From aalang at rutgersinsurance.com Fri Sep 29 08:54:12 2000
From: aalang at rutgersinsurance.com (Adam Lang)
Date: Fri, 29 Sep 2000 09:54:12 -0400
Subject: [pptp-server] PPTP encryption or IPSEC
References: <39D493E9.85262CAB@schernau.com>
Message-ID: <00cb01c02a1c$bf58e9a0$330a0a0a@Adam>

I think it comes down to more of an issue of platforms. IPSEC will/is part
of ipv6. That means any OS that adopts it will be able to run IPSEC
connections (Win2K does now I believe).

The way I believe I am going to go is: if I want VPN with win9x or NT 4
(Pro) clients, I will run PPTP due to the simplicity of installation and
use for the end user.

If I am going to have a static VPN between networks, I will have a VPN box
at each end running something like Freeswan and IPSec.

Poptop was a lot easier to manage for dynamic remote connections, but when
the connections are going to be static, I would use the more secure IPsec
implementation.

Also, turnkey routers and VPNs supporting ipv6 will be using ipsec also, so
it will be easier to integrate other networks that use such products.

So, in a nutshell, I believe that the only reason PPTP is running on linux,
is because of Microsoft's use of PPTP. Once they start moving away from it,
especially in their server base, more emphasis will be on IPSec, but since
win9x is not going away any time soon, use of PPTP will still be needed.

If I am wrong in any of my assumptions, please let me know.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Edward Schernau"
To:
Sent: Friday, September 29, 2000 9:06 AM
Subject: [pptp-server] PPTP encryption or IPSEC


> Previous post brought up an interesting point.
>
> To get from point A to point B, possibly from inside
> firewalls, but across the Internet, what's the best
> way?
>
> Use PPTP with encryption, or PPTP (to get a remote
> address - just pure tunnelling) and then run IPSEC to
> scramble up the bits?
> --
> Edward Schernau, mailto:ed at schernau.com
> Network Architect http://www.schernau.com
> RC5-64#: 243249 e-gold acct #:131897
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From kennya at carlislefsp.com Fri Sep 29 09:04:53 2000
From: kennya at carlislefsp.com (Kenny Austin)
Date: Fri, 29 Sep 2000 09:04:53 -0500
Subject: [pptp-server] PPTP encryption or IPSEC
In-Reply-To: <39D493E9.85262CAB@schernau.com>
Message-ID: <000601c02a1e$3e391e10$5f020a0a@carlislefsp.com>

If the connection is made between the two firewall/routers, then I would
personally use something besides PPTP, the biggest advantage to PPTP is
that vpn client comes with Windows, but if it is two firewalls that you are
setting the connection up in between, that doesn't matter. Look into VPND,
or using SSH to encrypt the tunnel between the two networks. That is what I
would do.. but then again, if everyone did things the way I did, I wouldn't
have a job or girlfriend, so do whatever floats your boat.

Kenny Austin
kennya at carlislefsp.com

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Edward Schernau
Sent: Friday, September 29, 2000 8:07 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] PPTP encryption or IPSEC

Previous post brought up an interesting point.

To get from point A to point B, possibly from inside firewalls, but across the Internet, what's the best way?

Use PPTP with encryption, or PPTP (to get a remote address - just pure tunnelling) and then run IPSEC to scramble up the bits?
--
Edward Schernau, mailto:ed at schernau.com
Network Architect http://www.schernau.com
RC5-64#: 243249 e-gold acct #:131897
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From cduffy at ecst.csuchico.edu Fri Sep 29 09:48:45 2000
From: cduffy at ecst.csuchico.edu (Charles C. Duffy)
Date: Fri, 29 Sep 2000 07:48:45 -0700
Subject: [pptp-server] PPTP encryption or IPSEC
In-Reply-To: <39D493E9.85262CAB@schernau.com>; from ed@schernau.com on Fri, Sep 29, 2000 at 09:06:49AM -0400
References: <39D493E9.85262CAB@schernau.com>
Message-ID: <20000929074845.A26044@ecst.csuchico.edu>

On Fri, Sep 29, 2000 at 09:06:49AM -0400, Edward Schernau wrote:
> Previous post brought up an interesting point.
>
> To get from point A to point B, possibly from inside
> firewalls, but across the Internet, what's the best
> way?
>
> Use PPTP with encryption, or PPTP (to get a remote
> address - just pure tunnelling) and then run IPSEC to
> scramble up the bits?

Why not do the tunnel with only IPSec if you're going to use it at all?

From matthewr at moreton.com.au Fri Sep 29 10:28:26 2000
From: matthewr at moreton.com.au (Matthew Ramsay) Date: Fri, 29 Sep 2000 08:28:26 -0700 Subject: [pptp-server] remove PLEASE! References: <60.74de2f0.270567f3@aol.com> Message-ID: <002301c02a2a$02320740$6500a8c0@hazel> most intelligent people go to the web site and unsubscribe themselves.. some people need special attention. ----- Original Message ----- From: To: Sent: Thursday, September 28, 2000 8:35 PM Subject: [pptp-server] remove PLEASE! > PLEASE REMOVE MY NAME FROM YOUR LIST! > THANK YOU > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > From SCody at Gulbrandsen.com Fri Sep 29 10:42:27 2000 From: SCody at Gulbrandsen.com (Steve Cody) Date: Fri, 29 Sep 2000 11:42:27 -0400 Subject: [pptp-server] remove PLEASE! Message-ID: The clue should be his email address. insert_newbie_here at aol.com -----Original Message----- From: matthewr at moreton.com.au [mailto:matthewr at moreton.com.au] Sent: Friday, September 29, 2000 11:28 AM To: Cobb42 at aol.com Cc: pptp-server at lists.schulte.org Subject: Re: [pptp-server] remove PLEASE! most intelligent people go to the web site and unsubscribe themselves.. some people need special attention. ----- Original Message ----- From: To: Sent: Thursday, September 28, 2000 8:35 PM Subject: [pptp-server] remove PLEASE! > PLEASE REMOVE MY NAME FROM YOUR LIST! > THANK YOU > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From aalang at rutgersinsurance.com Fri Sep 29 11:37:34 2000 
From: aalang at rutgersinsurance.com (Adam Lang) Date: Fri, 29 Sep 2000 12:37:34 -0400 Subject: [pptp-server] REMOVE ME References: Message-ID: <002b01c02a33$91cb6aa0$330a0a0a@6014cwpza006> At the bottom of that page it has a text field with a button that says "edit options": Above it says: To change your subscription (set options like digest and delivery modes, get a reminder of your password, or unsubscribe from pptp-server), enter your subscription email address: Adam Lang Systems Engineer Rutgers Casualty Insurance Company ----- Original Message ----- From: "Waleed Alrawi" To: "Adam Lang" Sent: Friday, September 29, 2000 12:01 PM Subject: RE: [pptp-server] REMOVE ME > I have followed the following and it seems to not work any additional info > would be appreciated. > > Thanks > > "You can unsubscribe from this list at any time. Just open a web browser > and point it at http://lists.schulte.org/mailman/listinfo/pptp-server. " > > -----Original Message----- > From: Adam Lang [mailto:aalang at rutgersinsurance.com] > Sent: Friday, September 29, 2000 5:42 AM > To: htcengrs at pacbell.net; pptp-server at lists.schulte.org > Subject: Re: [pptp-server] REMOVE ME > > > Click on the link at the bottom of the message, and follow the directions. > (the http: link) > > Adam Lang > Systems Engineer > Rutgers Casualty Insurance Company > ----- Original Message ----- > From: "Waleed Alrawi" > To: > Sent: Thursday, September 28, 2000 9:21 PM > Subject: [pptp-server] REMOVE ME > > > > HOW DO I REMOVE MY EMAIL ADDRESS OFF THE LIST > > > > THANKS IN ADVANCE > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! From aalang at rutgersinsurance.com Fri Sep 29 12:08:24 2000 
From: aalang at rutgersinsurance.com (Adam Lang) Date: Fri, 29 Sep 2000 13:08:24 -0400 Subject: [pptp-server] Multiple subnets Message-ID: <009601c02a37$e0c74ee0$330a0a0a@6014cwpza006> Here is a question: How do I setup poptop for multiple subnets? Say for remote employees I want them to get ranges from 10.10.9.0 And for non employees (clients) I want to give a range of 10.10.8.0 I guess I really can't do that, can I? Adam Lang Systems Engineer Rutgers Casualty Insurance Company From kennya at carlislefsp.com Fri Sep 29 13:10:13 2000 From: kennya at carlislefsp.com (Kenny Austin) Date: Fri, 29 Sep 2000 13:10:13 -0500 Subject: [pptp-server] Too Many Removes Message-ID: <001601c02a40$83f26bb0$5f020a0a@carlislefsp.com> Wow I thought, I haven't seen this many post on the pptp mailing list for quite awhile. I clicked on my pptp folder (yes, i am using outlook with message rules to sort my email) and saw eight emails with the word "REMOVE" in the subject. "Did someone let the retard class out to play in the pptp mailing list?", I asked myself. So I invested a few minutes of my time to further study what as before me. "Ahh....", I said out loud, "It must be that one has become lost and stumbled across this group of pptp mailing list bullies, whom have decided that it was much more profitable to themselves to throw rocks at the poor retard." So I reasoned to myself, and came to the conclusion that I would add yet one more totally unrelated email to the list. Yes, I realize that now the next person downloading these emails will ask himself "Did someone let the 9 retards out to play?" and that I now make up 11.1% of the stupidity that has taken place today. But it is worth it say: Grow up. kenny, (yeah, maybe reading all that slashdot today wore of on me.. heheh) From kennya at carlislefsp.com Fri Sep 29 13:14:25 2000 
From: kennya at carlislefsp.com (Kenny Austin)
Date: Fri, 29 Sep 2000 13:14:25 -0500
Subject: [pptp-server] Multiple subnets
In-Reply-To: <009601c02a37$e0c74ee0$330a0a0a@6014cwpza006>
Message-ID: <001701c02a41$19fc2650$5f020a0a@carlislefsp.com>

I had pretty much the same question a while ago, but I don't believe that it is possible to list ranges in chap-secrets. Someone told me to use 192.168.1.1-20 but ppp (mine at least) wouldn't accept that. So I believe that you will have to either run multi copies of pptpd (that idea sucks) or assign each user a few ips from chap-secrets.

If you do find a way to do this... let me know.

Kenny Austin
kennya at carlislefsp.com

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Adam Lang
Sent: Friday, September 29, 2000 12:08 PM
To: Pptp
Subject: [pptp-server] Multiple subnets

Here is a question: How do I setup poptop for multiple subnets?

Say for remote employees I want them to get ranges from 10.10.9.0

And for non employees (clients) I want to give a range of 10.10.8.0

I guess I really can't do that, can I?

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From dan at fullmotions.com Fri Sep 29 18:17:06 2000
From: dan at fullmotions.com (Danny L. Brow, Jr.)
Date: Fri, 29 Sep 2000 19:17:06 -0400
Subject: [pptp-server] Ipchains - Linux Firewall.
Message-ID: <000701c02a6b$62996060$0200a8c0@sys1>

Hello,

I am trying to get through my firewall to connect to a pptp vpn server at my friend's place. I can connect to the system with an internet IP, but when I try going through my firewall I get a 615 error. Linux ports 47 and 1723 will not come back to this system, this is what I am not sure the problem is. I don't want to have to set up all the systems on my network, one by one, to have vpn go through the firewall. I would like a one or two line solution to it, so I can enter the line and all the systems can go through the firewall. Or do I have to install the pptp_masq patch to get this to work?

Help me.....

Thankz
Dan.

From beutner at algonet.se Fri Sep 29 21:49:34 2000
From: beutner at algonet.se (Magnus Beutner)
Date: Sat, 30 Sep 2000 04:49:34 +0200
Subject: [pptp-server] Problem
Message-ID: <005901c02a89$1260bdf0$1e7511ac@datorteket.lan>

Hi

I have a network behind a Linux (Slackware, I might add :) ), a masquerading firewall, protecting the inside net = 172.17.116.0/23

I tried to connect from the outside 193.x.x.x with a Win95 (msdun1.3) to my VPN-server (FreeBSD 4.1). I could ping any direction...

my config files below....

= = = = = = = =

** /usr/local/etc/rc.d/pptpd.sh
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
( there is more, but some of you probably already hate me for this long mail.....(sorry))

#!/bin/sh
/usr/local/sbin/pptpd -c /etc/ppp/pptpd.conf

*** /etc/ppp/pptpd.conf/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
option /etc/ppp/options
pidfile /var/run/pptpd.pid

*** /etc/ppp/ppp.conf /
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
default:
# Log EVERYTHING!
# set log async cbcp ccp chat command connect debug dns hdlc id0 ipcp lcp lqm phase physical sync tcp/ip timer tun
# Normal debug-log.
# set log Phase Chat LCP IPCP CCP tun command
# Pretty informative (pptp).
 set log cbcp ccp chat command connect debug dns id0 ipcp lcp lqm phase sync tcp/ip tun
 set speed 115200
 set timeout 3600
 allow users *
 allow modes
 enable chap
 enable proxy
 accept dns
 set dns 172.17.117.30 193.14.211.2
 set nbns 172.17.117.30 172.17.117.10
 set ifaddr 172.17.116.1 172.17.116.50-172.17.116.59 255.255.254.0
 add HISADDR
#--------------------------------------------------------------#
# This are kept just so the pppd doesn't complain.
pptp:

*** /etc/ppp/ppp.secret
#--------------------------------------------------------------#
#UserName Password
test xxx

*** /etc/ppp/options
*** /etc/ppp/ppp.linkup
*** /etc/ppp/ppp.linkdown
The 3 files above are totally empty (works anyway)!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I'm fully aware that this IS NOT a final solution, but it's a start. I do NOT recommend using this without further testing ( haven't done any packet-sniffing on a connection yet).

I've placed these files in a tar.gz @ location:
http://www.algonet.se/~beutner/linux/ppp_example.tar.gz

// EOF.

----- Original Message -----
From: "Dmitry Tolpanov"

> I'm just faced another problem.
> First of all i need to say that i've found the solution for Linux
> http://www.moretonbay.com/vpn/releases/HOWTO-PoPToP.txt
> but i can't use it in FreeBSD.
> I'll try to describe step by step. (Sorry for my poor English :)
>
> The net topology is similar to HOWTO:
>
> 192.168.8.142   192.168.56.10    192.168.56.11 192.168.56.12
>  ________          _______           ______        _____
> |        |        |       |         |      |      |      |
> | client |------->| fire  |-------->| pptp |----->| host |
> |        |        | wall  |         | srvr |      |      |
> |________|        |_______|         |______|      |______|
>     H                                   H
>     H            192.168.8.10           H
>     H                                   H
>     H===================================H
> 192.168.5.12   pptp connection    192.168.5.11
>
> The problem is the following. When i connect through PPTP, i can ping
> both "client" and "pptp-server". But i can ping any host in
> "pptp-server's" network. I get the following error:
>
> Cannot determine ethernet address for proxy ARP
>
> The solution in HOWTO offers to add new entry in ARP table
>
> arp --set 192.168.5.12 00:60:08:98:14:13 pub
>
> And it should solve the problem. But :). when i try to do so in
> FreeBSD in answers:
>
> cannot intuit interface index and type for 192.168.5.12
>
> As i understand the system tries to find interface which serves in
> this network and can't process this. I wonder how it works in Linux!
> That is.
>
> In this situation i have two questions.
> 1. How can i add new ARP entry properly. This question is concern of
> FreeBSD gurus;
> 2. Is there any other solution for this problem.
>
> Any help appreciated !
> Thanks a lot.
>
> Dmitry.
>

From beutner at algonet.se Fri Sep 29 22:02:09 2000
From: beutner at algonet.se (Magnus Beutner)
Date: Sat, 30 Sep 2000 05:02:09 +0200
Subject: [pptp-server] Could not determine local IP address
References: <003701c029fd$0aa19440$5601a8c0@in.eunosia.it>
Message-ID: <007701c02a8a$d4139340$1e7511ac@datorteket.lan>

Hi

This probably hasn't got anything to do with it, but I noticed that You have flag:644 on Your 'pap-secrets' -file. should be 600

By the way, are You routing GRE (protocol #47) thru Your system?

// EOF.

----- Original Message -----
From: "Stefano Pisani"
To:
Cc:
Sent: Friday, September 29, 2000 12:07 PM
Subject: [pptp-server] Could not determine local IP address

> I have problems connecting from WinNT to Linux Box with pptpd-1.1.1 and
> pptpd-1.0 (same error)
> Can you help me to discover the problem?
> Thank you.
>
> 4d 53 52 41 53 2d 31 2d 45 4e 31 30 30 35]
> Sep 29 11:59:01 mx pppd[11489]: rcvd [PAP AuthReq id=0xa user="user" password="secret"] * * * * * *
> Sep 29 11:59:01 mx pppd[11489]: Warning - secret file /etc/ppp/pap-secrets has world and/or group access * * * * * *
> Sep 29 11:59:01 mx pppd[11489]: sent [PAP AuthAck id=0xa "Login ok"]
> Sep 29 11:59:01 mx pppd[11489]: sent [IPCP ConfReq id=0x1

From adi at certsite.com Sat Sep 30 09:43:27 2000
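
Added example (not part of the original thread and not pppd's own code): a Python check for the condition the quoted pppd warning names, group or world access on a secrets file, together with the 600 mode suggested in the reply above. The temporary file, its one-line content and the helper names are constructed for the illustration.

```python
import os
import re
import stat
import tempfile

# Matches the warning text exactly as it appears in the quoted syslog excerpt.
WARNING = re.compile(
    r"pppd\[\d+\]: Warning - secret file (\S+) has world and/or group access"
)

# The two log lines from the quoted message, with the mail wrap rejoined.
SAMPLE_LOG = [
    "Sep 29 11:59:01 mx pppd[11489]: Warning - secret file "
    "/etc/ppp/pap-secrets has world and/or group access",
    'Sep 29 11:59:01 mx pppd[11489]: sent [PAP AuthAck id=0xa "Login ok"]',
]


def warned_files(log_lines):
    """Secrets files that pppd itself flagged in the given log lines."""
    hits = {m.group(1) for line in log_lines
            for m in [WARNING.search(line)] if m}
    return sorted(hits)


def loose_bits(path):
    """Permission bits granted to group or others (0 means owner-only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def audit(paths):
    """Map every existing path with group/world access to its octal mode."""
    report = {}
    for path in paths:
        if os.path.exists(path) and loose_bits(path):
            report[path] = "%04o" % stat.S_IMODE(os.stat(path).st_mode)
    return report


def tighten(path):
    """Apply the mode suggested in the reply: owner read/write only."""
    os.chmod(path, 0o600)


def demo():
    """Reproduce the 644 case on a constructed temporary file, then fix it."""
    with tempfile.TemporaryDirectory() as workdir:
        secrets = os.path.join(workdir, "pap-secrets")
        with open(secrets, "w") as handle:
            handle.write("# client server secret IP-addresses (constructed)\n")
        os.chmod(secrets, 0o644)
        before = audit([secrets])
        tighten(secrets)
        after = audit([secrets])
        return list(before.values()), after


if __name__ == "__main__":
    print("flagged in log:", warned_files(SAMPLE_LOG))
    print("modes before fix, findings after fix:", demo())
```

On a real server the same audit would be pointed at /etc/ppp/pap-secrets and /etc/ppp/chap-secrets, the two secrets files named in this thread.
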
From: adi at certsite.com (Adi)
Date: Sat, 30 Sep 2000 10:43:27 -0400
Subject: [pptp-server] RPMs for PPTP with MSCHAP/MPPE patch
Message-ID: <39D5FC0F.BBB90B82@certsite.com>

Hi,

I built PPTP with the MSCHAP/MPPE patches a while back, and thought they might be useful to others. I posted links on the mailing list, but since then the links have changed. Maybe you could post them on the main PPTP website? (http://www.moretonbay.com/vpn/download_pptp.html)

I don't know about legalities (encryption restrictions), so if you want you could just link to their location on my server:

redhat 6.1:
http://adiraj.org/sw/RPMS/ppp/ppp-modules-2.3.10-2mschap_mppe_rh61.i386.rpm
http://adiraj.org/sw/RPMS/ppp/ppp-2.3.10-2mschap_mppe_rh61.i386.rpm
http://adiraj.org/sw/RPMS/ppp/ppp-2.3.10-2mschap_mppe_rh61.src.rpm

redhat 6.2:
http://adiraj.org/sw/RPMS/ppp/ppp-modules-2.3.10-2mschap_mppe_rh62.i386.rpm
http://adiraj.org/sw/RPMS/ppp/ppp-2.3.10-2mschap_mppe_rh62.i386.rpm
http://adiraj.org/sw/RPMS/ppp/ppp-2.3.10-2mschap_mppe_rh62.src.rpm

Thanks,
-Adi

From teastep at evergo.net Sat Sep 30 10:59:31 2000
From: teastep at evergo.net (Tom Eastep)
Date: Sat, 30 Sep 2000 08:59:31 -0700 (PDT)
Subject: [pptp-server] looking for help with pptp through ipchains
In-Reply-To: <4.2.0.58.J.20000929115927.00a6a4b0@pear.silveregg.co.jp>
Message-ID:

Alan,

Thus spoke Alan Chung:

> Hi, everyone,
>
> I am really hoping if anyone can help me with this problem about ipchains.
> Hi,
>
> I hope someone out there can help me with this.
>
> I have a pptp server behind an ipchains linux firewall. The following is my
> setup:
>
> 210.12.130.172 --> internal pptp server's external IP (an IP alias on
> firewall)
> 210.12.130.0/24 --> network/mask of firewall
> 192.168.0.5 --> internal pptp server's internal IP
>
> # port forwarding for 1723
> ipmasqadm portfw -a -P tcp -L 210.12.130.172 1723 -R 192.168.0.5 1723
>
> # redirect protocol 47
> /usr/local/sbin/ipfwd --masq --syslog 192.168.0.5 47 &
>
> # ipchains part for VPN
> $IPCHAINS -A input -p tcp -s 0/0 -d 210.12.130.0/24 1723 -j ACCEPT
> $IPCHAINS -A input -p 47 -s 0/0 -d 210.12.130.0/24 -j ACCEPT
>
> $IPCHAINS -A output -p tcp -s 210.12.130.0/24 -d 0/0 1723 -j ACCEPT
> $IPCHAINS -A output -p 47 -s 210.12.130.0/24 -d 0/0 -j ACCEPT
>
> $IPCHAINS -A forward -p tcp -s 192.168.0.5/24 -d 210.12.130.172/24 1723 -j MASQ

Unless all of your clients are in the 210.12.130.0/24 subnet, you will want to relax the above rule...

> $IPCHAINS -A forward -p 47 -s 192.168.0.5/24 -d
> 210.12.130.172/24 -j MASQ
>
> I have patched ip_vpn_masq and compiled my kernel 2.2.14 already and
> everything looks just fine for me. When I tried to connect to the internal
> pptp server from outside through the ipchains box, it seems that connection
> was built (tail -f /var/log/messages on pptp server) but got a 650 error
> which means 47 and 1723 is not going through properly. Does anyone have a
> similar experience?
>

I have gotten this to work in the past -- the only thing that I see about your setup is mentioned above...

-Tom
--
Tom Eastep                \ Eastep's First Principle of Computing:
ICQ #60745924             \ "Any sane computer will tell you how it
teastep at evergo.net     \ works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________

From dimambro at pacbell.net Sat Sep 30 15:09:42 2000
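
Added example (not part of the original thread, and not code from ipchains or PoPToP): a simplified Python model of first-match rule evaluation over the ipchains rules quoted in the message above. It applies the reply's point about the destination restriction to the GRE forward rule, which carries the same `-d 210.12.130.172/24`, and shows that `-p 47` selects an IP protocol number rather than a TCP port. The client addresses, the DENY chain policy and the relaxed `-d 0/0` rule are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Rules as quoted in the message above (the wrapped GRE forward rule is rejoined).
PAGE_RULES = """\
$IPCHAINS -A input -p tcp -s 0/0 -d 210.12.130.0/24 1723 -j ACCEPT
$IPCHAINS -A input -p 47 -s 0/0 -d 210.12.130.0/24 -j ACCEPT
$IPCHAINS -A output -p tcp -s 210.12.130.0/24 -d 0/0 1723 -j ACCEPT
$IPCHAINS -A output -p 47 -s 210.12.130.0/24 -d 0/0 -j ACCEPT
$IPCHAINS -A forward -p tcp -s 192.168.0.5/24 -d 210.12.130.172/24 1723 -j MASQ
$IPCHAINS -A forward -p 47 -s 192.168.0.5/24 -d 210.12.130.172/24 -j MASQ
"""
# Hypothetical relaxed rule (an assumption, not from the thread): any destination.
RELAXED_GRE_FORWARD = "$IPCHAINS -A forward -p 47 -s 192.168.0.5/24 -d 0/0 -j MASQ"


@dataclass
class Rule:
    chain: str
    proto: str                  # "tcp", or an IP protocol number such as "47" (GRE)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None: no port test (GRE has no ports)
    target: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(spec: str) -> ipaddress.IPv4Network:
    if spec == "0/0":           # ipchains shorthand for "any address"
        spec = "0.0.0.0/0"
    # strict=False masks off host bits: 192.168.0.5/24 -> 192.168.0.0/24
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    tok = line.split()[1:]      # drop the leading "$IPCHAINS"
    f = {"src": _net("0/0"), "dst": _net("0/0"), "dport": None}
    i = 0
    while i < len(tok):
        flag, val = tok[i], tok[i + 1]
        i += 2
        if flag == "-A":
            f["chain"] = val
        elif flag == "-p":
            f["proto"] = val
        elif flag == "-j":
            f["target"] = val
        elif flag in ("-s", "-d"):
            f["src" if flag == "-s" else "dst"] = _net(val)
            # An optional port follows the address; only -d ports are modelled.
            if i < len(tok) and not tok[i].startswith("-"):
                port = int(tok[i])
                i += 1
                if flag == "-d":
                    f["dport"] = port
        else:
            raise ValueError("unsupported option: " + flag)
    return Rule(f["chain"], f["proto"], f["src"], f["dst"], f["dport"], f["target"])


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def verdict(rules: List[Rule], chain: str, pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; the chain policy (assumed DENY) applies otherwise."""
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return rule.target
    return policy


def gre_reply(client: str) -> Packet:
    """Tunnel data from the internal PPTP server (192.168.0.5) back to a client."""
    return Packet(proto="47", src="192.168.0.5", dst=client)


if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    for client in ("210.12.130.50", "198.51.100.7"):   # constructed client addresses
        print(client, "forward/GRE ->", verdict(rules, "forward", gre_reply(client)))
    relaxed = rules + [parse_rule(RELAXED_GRE_FORWARD)]
    print("relaxed ->", verdict(relaxed, "forward", gre_reply("198.51.100.7")))
    port47 = Packet("tcp", "198.51.100.7", "210.12.130.172", 47)
    print("tcp port 47 on input ->", verdict(rules, "input", port47))
```
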
From: dimambro at pacbell.net (Brian L. DiMambro)
Date: Sat, 30 Sep 2000 13:09:42 -0700
Subject: [pptp-server] GRE/Protocol errors ......
Message-ID: <5.0.0.25.0.20000930123631.022ecec0@postoffice.pacbell.net>

Hi all.

I am seeing these errors after enabling encryption.

Info.
RH 2.2.14-5.0 kernel
ppp-2.3.11
ppp-2.3.11-openssl-0.9.5-mppe.patch
ppp_RH.patch
pptpd-1.0.0 from rpm then installed 1.0.1 compiled from source

my options file .....
lock
debug
auth
+chap
proxyarp
ms-dns 192.168.20.245
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

These errors came from a W2K client with encryption and compression enabled.

I'm getting the following errors:

pptpd-1.0.0 installed

GRE: Discarding duplicate packet
Sep 30 12:36:32 wclvs2-0 pppd[991]: Unsupported protocol 0xbd0f received
Sep 30 12:36:33 wclvs2-0 pppd[991]: Unsupported protocol 0x8798 received
Sep 30 12:36:33 wclvs2-0 pptpd[990]: GRE: Discarding out of order packet
Sep 30 12:36:33 wclvs2-0 pptpd[1029]: GRE: Discarding out of order packet
Sep 30 12:36:33 wclvs2-0 pptpd[990]: GRE: Discarding duplicate packet
Sep 30 12:36:33 wclvs2-0 pptpd[1029]: GRE: Discarding duplicate packet
Sep 30 12:36:34 wclvs2-0 pppd[1030]: Unsupported protocol 0x2fc0 received
Sep 30 12:36:35 wclvs2-0 pptpd[990]: GRE: Discarding duplicate packet
Sep 30 12:36:35 wclvs2-0 pptpd[1029]: GRE: Discarding duplicate packet
Sep 30 12:36:35 wclvs2-0 pppd[1030]: Unsupported protocol 0xbbb3 received
Sep 30 12:36:38 wclvs2-0 pppd[1030]: Unsupported protocol 0x7b9a received
Sep 30 12:36:38 wclvs2-0 pppd[1030]: Unsupported protocol 0x590f received
Sep 30 12:36:38 wclvs2-0 pppd[1030]: Unsupported protocol 0x836b received
Sep 30 12:36:39 wclvs2-0 pppd[1030]: Unsupported protocol 0xc8cd received
Sep 30 12:36:42 wclvs2-0 pppd[1030]: Unsupported protocol 0x11c9 received
Sep 30 12:36:42 wclvs2-0 pppd[1030]: Unsupported protocol 0xe1c4 received

After 1.0.1

Sep 30 12:53:50 wclvs2-0 pptpd[2620]: GRE: Discarding out of order packet
Sep 30 12:53:50 wclvs2-0 pptpd[2620]: GRE: Discarding out of order packet
Sep 30 12:53:51 wclvs2-0 pptpd[2620]: GRE: Discarding duplicate packet
Sep 30 12:53:51 wclvs2-0 pppd[2621]: Unsupported protocol 0xdeb2 received

More

Sep 30 12:54:12 wclvs2-0 pptpd[2715]: GRE: Discarding duplicate packet
Sep 30 12:54:42 wclvs2-0 pppd[2621]: Unsupported protocol 0x2b8d received
Sep 30 12:54:43 wclvs2-0 pppd[2621]: Unsupported protocol 0x4fa4 received
Sep 30 12:54:43 wclvs2-0 pppd[2621]: Unsupported protocol 0xd7cd received
Sep 30 12:54:43 wclvs2-0 pppd[2621]: Unsupported protocol 0x8c7a received
Sep 30 12:54:43 wclvs2-0 pppd[2621]: Unsupported protocol 0xaa9 received
Sep 30 12:54:43 wclvs2-0 pppd[2621]: Unsupported protocol 0x1be9 received
Sep 30 12:54:44 wclvs2-0 pppd[2621]: Unsupported protocol 0xd009 received
Sep 30 12:54:44 wclvs2-0 pppd[2621]: Unsupported protocol 0x84f7 received
Sep 30 12:54:44 wclvs2-0 pppd[2621]: Unsupported protocol 0x3ed5 received

Any help will be greatly appreciated.

Thanks in advance
Brian

From pchilders at pharsalia.com Sat Sep 30 19:08:14 2000
From: pchilders at pharsalia.com (Patrick Childers)
Date: Sat, 30 Sep 2000 17:08:14 -0700
Subject: [pptp-server] Linux Client?
Message-ID: <002401c02b3b$b65baca0$0200a8c0@patrick>

Thanks to everyone so far for helping me setup our VPN server, I could not have gotten this far with the list. But anyway I can't get the linux pptp client to work on my any system. We are using standard redhat-6.2 installs. I installed the mppe modules, but the pptp-client returns that "The remote system is required to authenticate itself but I couldn't find any suitable secret (password) for it to use to do so." I assume it is asking for the login/password, but how do I hand that to the client.

Thanks
Patrick

Here is the server's syslog
--------------------------------------------------------------
Sep 30 17:09:32 phathat pptpd[2413]: CTRL: Client 209.187.165.235 control connection started
Sep 30 17:09:33 phathat pptpd[2413]: CTRL: Starting call (launching pppd, opening GRE)
Sep 30 17:09:33 phathat pppd[2414]: pppd 2.3.10 started by root, uid 0
Sep 30 17:09:33 phathat pppd[2414]: Using interface ppp0
Sep 30 17:09:33 phathat pppd[2414]: Connect: ppp0 <--> /dev/pts/0
Sep 30 17:09:36 phathat pptpd[2266]: GRE: Discarding out of order packet
Sep 30 17:09:36 phathat pptpd[2413]: GRE: Discarding out of order packet
Sep 30 17:09:39 phathat pptpd[2266]: GRE: Discarding out of order packet
Sep 30 17:09:39 phathat pptpd[2413]: GRE: Discarding out of order packet
Sep 30 17:09:42 phathat pptpd[2266]: GRE: Discarding out of order packet
Sep 30 17:09:42 phathat pptpd[2413]: GRE: Discarding out of order packet
Sep 30 17:09:45 phathat pptpd[2266]: GRE: Discarding out of order packet
Sep 30 17:09:45 phathat pptpd[2413]: GRE: Discarding out of order packet
Sep 30 17:09:48 phathat pptpd[2266]: GRE: Discarding out of order packet
Sep 30 17:09:48 phathat pptpd[2413]: GRE: Discarding out of order packet
Sep 30 17:10:00 phathat pptpd[2266]: GRE: Discarding out of order packet
Sep 30 17:10:00 phathat pptpd[2413]: GRE: Discarding out of order packet
Sep 30 17:10:03 phathat pppd[2414]: LCP: timeout sending Config-Requests
Sep 30 17:10:03 phathat pppd[2414]: Connection terminated.
Sep 30 17:10:03 phathat pppd[2414]: Exit.
Sep 30 17:10:03 phathat pptpd[2413]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
Sep 30 17:10:03 phathat pptpd[2413]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Sep 30 17:10:03 phathat pptpd[2413]: CTRL: Client 209.187.165.235 control connection finished

From jvonau at home.com Sat Sep 30 17:08:32 2000
From: jvonau at home.com (Jerry Vonau)
Date: Sat, 30 Sep 2000 17:08:32 -0500
Subject: [pptp-server] Linux Client?
References: <002401c02b3b$b65baca0$0200a8c0@patrick>
Message-ID: <39D66460.1A5FD3ED@home.com>

Can you post your options file? How are you invoking the client? You have to use all your options on the command line when you start it. Something like:

/usr/sbin/pptp SERVERIP lock noauth debug user USERNAME +chapms-v2 mppe-128 mppe-stateless noauth

Replace UPPERCASE with your stuff.
Your mileage may vary.

Jerry

Patrick Childers wrote:

> Thanks to everyone so far for helping me setup our VPN server, I could
> not have gotten this far with the list. But anyway I can't get the
> linux pptp client to work on my any system. We are using standard
> redhat-6.2 installs. I installed the mppe modules, but the pptp-client
> returns that "The remote system is required to authenticate itself but
> I couldn't find any suitable secret (password) for it to use to do
> so." I assume it is asking for the login/password, but how do I hand
> that to the client. Thanks Patrick Here is the server's
> syslog --------------------------------------------------------------
> Sep 30 17:09:32 phathat pptpd[2413]: CTRL: Client 209.187.165.235 control connection started
> Sep 30 17:09:33 phathat pptpd[2413]: CTRL: Starting call (launching pppd, opening GRE)
> Sep 30 17:09:33 phathat pppd[2414]: pppd 2.3.10 started by root, uid 0
>
> Sep 30 17:09:33 phathat pppd[2414]: Using interface ppp0
> Sep 30 17:09:33 phathat pppd[2414]: Connect: ppp0 <--> /dev/pts/0
> Sep 30 17:09:36 phathat pptpd[2266]: GRE: Discarding out of order packet
> Sep 30 17:09:36 phathat pptpd[2413]: GRE: Discarding out of order packet
> Sep 30 17:09:39 phathat pptpd[2266]: GRE: Discarding out of order packet
> Sep 30 17:09:39 phathat pptpd[2413]: GRE: Discarding out of order packet
> Sep 30 17:09:42 phathat pptpd[2266]: GRE: Discarding out of order packet
> Sep 30 17:09:42 phathat pptpd[2413]: GRE: Discarding out of order packet
> Sep 30 17:09:45 phathat pptpd[2266]: GRE: Discarding out of order packet
> Sep 30 17:09:45 phathat pptpd[2413]: GRE: Discarding out of order packet
> Sep 30 17:09:48 phathat pptpd[2266]: GRE: Discarding out of order packet
> Sep 30 17:09:48 phathat pptpd[2413]: GRE: Discarding out of order packet
> Sep 30 17:10:00 phathat pptpd[2266]: GRE: Discarding out of order packet
> Sep 30 17:10:00 phathat pptpd[2413]: GRE: Discarding out of order packet
> Sep 30 17:10:03 phathat pppd[2414]: LCP: timeout sending Config-Requests
> Sep 30 17:10:03 phathat pppd[2414]: Connection terminated.
> Sep 30 17:10:03 phathat pppd[2414]: Exit.
> Sep 30 17:10:03 phathat pptpd[2413]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
> Sep 30 17:10:03 phathat pptpd[2413]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
> Sep 30 17:10:03 phathat pptpd[2413]: CTRL: Client 209.187.165.235 control connection finished

From jvonau at home.com Sat Sep 30 22:26:32 2000
From: jvonau at home.com (Jerry Vonau)
Date: Sat, 30 Sep 2000 22:26:32 -0500
Subject: [pptp-server] Linux Client?
References: <002401c02b3b$b65baca0$0200a8c0@patrick> <39D66460.1A5FD3ED@home.com> <001b01c02b65$04adbc80$0200a8c0@patrick>
Message-ID: <39D6AEE7.3CC3D36C@home.com>

Check /var/run/pptp, if you see an ip number, delete it and try again

Jerry

Patrick Childers wrote:

> Thanks that works, but the server kills my connection because
> I don't authenticate. How do I send my password?
>
> Patrick
>
> SYSLOG:
> Sep 30 22:05:50 phathat pptpd[2700]: CTRL: Starting call (launching pppd, opening GRE)
> Sep 30 22:05:50 phathat pppd[2701]: pppd 2.3.10 started by root, uid 0
> Sep 30 22:05:50 phathat pppd[2701]: Using interface ppp1
> Sep 30 22:05:50 phathat pppd[2701]: Connect: ppp1 <--> /dev/pts/3
> Sep 30 22:05:52 phathat pptpd[2700]: GRE: Discarding duplicate packet
> Sep 30 22:05:54 phathat pppd[2701]: peer refused to authenticate: terminating link
> Sep 30 22:05:54 phathat pppd[2701]: Connection terminated.
> Sep 30 22:05:54 phathat pppd[2701]: Exit.
>
> ----- Original Message -----
> From: "Jerry Vonau" > To: "Patrick Childers" > Cc: "PPTP List" > Sent: Saturday, September 30, 2000 3:08 PM > Subject: Re: [pptp-server] Linux Client? > > > Can you post your options file? How are you invoking the client? You > > have to use all your options on the command line when you start it > > Something like: /usr/sbin/pptp SERVERIP lock noauth debug user USERNAME > > +chapms-v2 mppe-128 mppe-stateless noauth Replace UPPERCASE with your > > stuff. > > Your mileage may vary. > > > > Jerry > > > > > > > > Patrick Childers wrote: > > > > > Thanks to everyone so far for helping me setup our VPN sever, I could > > > not have gotten this far with the list. But anyway I can't get the > > > linux pptp client to work on my any system. We are using standard > > > redhat-6.2 installs. I installed the mppe modules, but the pptp-client > > > returns that "The remote system is required to authenticate itself but > > > I counldn't find any suitable secret (password) for it to use to do > > > so." I assume to is asking for the login/password, but how do I hand > > > that to the cleint. 
ThanksPatrick Here is the server's > > > syslog--------------------------------------------------------------Sep > > > 30 17:09:32 phathat pptpd[2413]: CTRL: Client 209.187.165.235 control > > > connection started > > > Sep 30 17:09:33 phathat pptpd[2413]: CTRL: Starting call (launching > > > pppd, opening GRE) > > > Sep 30 17:09:33 phathat pppd[2414]: pppd 2.3.10 started by root, uid 0 > > > > > > Sep 30 17:09:33 phathat pppd[2414]: Using interface ppp0 > > > Sep 30 17:09:33 phathat pppd[2414]: Connect: ppp0 <--> /dev/pts/0 > > > Sep 30 17:09:36 phathat pptpd[2266]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:36 phathat pptpd[2413]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:39 phathat pptpd[2266]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:39 phathat pptpd[2413]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:42 phathat pptpd[2266]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:42 phathat pptpd[2413]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:45 phathat pptpd[2266]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:45 phathat pptpd[2413]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:48 phathat pptpd[2266]: GRE: Discarding out of order > > > packet > > > Sep 30 17:09:48 phathat pptpd[2413]: GRE: Discarding out of order > > > packet > > > Sep 30 17:10:00 phathat pptpd[2266]: GRE: Discarding out of order > > > packet > > > Sep 30 17:10:00 phathat pptpd[2413]: GRE: Discarding out of order > > > packet > > > Sep 30 17:10:03 phathat pppd[2414]: LCP: timeout sending > > > Config-Requests > > > Sep 30 17:10:03 phathat pppd[2414]: Connection terminated. > > > Sep 30 17:10:03 phathat pppd[2414]: Exit. 
> > > Sep 30 17:10:03 phathat pptpd[2413]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
> > > Sep 30 17:10:03 phathat pptpd[2413]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
> > > Sep 30 17:10:03 phathat pptpd[2413]: CTRL: Client 209.187.165.235 control connection finished
> >

From jvonau at home.com Sat Sep 30 22:35:09 2000
From: jvonau at home.com (Jerry Vonau)
Date: Sat, 30 Sep 2000 22:35:09 -0500
Subject: [pptp-server] Linux Client?
References: <002401c02b3b$b65baca0$0200a8c0@patrick> <39D66460.1A5FD3ED@home.com> <001c01c02b65$080f3700$0200a8c0@patrick>
Message-ID: <39D6B0ED.640E4E6E@home.com>

In the /etc/ppp/options file

lock
noauth
debug
user USER
password PASSWORD
noauth
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

My client connects to an nt server
Your mileage may vary

Jerry

Patrick Childers wrote:

> Thanks that works, but the server kills my connection because
> I don't authenticate. How do I send my password?
>
> Patrick
>
> SYSLOG:
> Sep 30 22:05:50 phathat pptpd[2700]: CTRL: Starting call (launching pppd, opening GRE)
> Sep 30 22:05:50 phathat pppd[2701]: pppd 2.3.10 started by root, uid 0
> Sep 30 22:05:50 phathat pppd[2701]: Using interface ppp1
> Sep 30 22:05:50 phathat pppd[2701]: Connect: ppp1 <--> /dev/pts/3
> Sep 30 22:05:52 phathat pptpd[2700]: GRE: Discarding duplicate packet
> Sep 30 22:05:54 phathat pppd[2701]: peer refused to authenticate: terminating link
> Sep 30 22:05:54 phathat pppd[2701]: Connection terminated.
> Sep 30 22:05:54 phathat pppd[2701]: Exit.
>
> ----- Original Message -----
> From: "Jerry Vonau"
> To: "Patrick Childers"
> Cc: "PPTP List"
> Sent: Saturday, September 30, 2000 3:08 PM
> Subject: Re: [pptp-server] Linux Client?
>
> > Can you post your options file? How are you invoking the client? You
> > have to use all your options on the command line when you start it
> > Something like:
> > /usr/sbin/pptp SERVERIP lock noauth debug user USERNAME +chapms-v2 mppe-128 mppe-stateless noauth
> > Replace UPPERCASE with your stuff.
> > Your mileage may vary.
> >
> > Jerry
> >
> > Patrick Childers wrote:
> >
> > > Thanks to everyone so far for helping me setup our VPN server, I could
> > > not have gotten this far with the list. But anyway I can't get the
> > > linux pptp client to work on my any system. We are using standard
> > > redhat-6.2 installs. I installed the mppe modules, but the pptp-client
> > > returns that "The remote system is required to authenticate itself but
> > > I couldn't find any suitable secret (password) for it to use to do
> > > so." I assume it is asking for the login/password, but how do I hand
> > > that to the client.
> > > Thanks
> > > Patrick
> > >
> > > Here is the server's syslog
> > > --------------------------------------------------------------
> > > Sep 30 17:09:32 phathat pptpd[2413]: CTRL: Client 209.187.165.235 control connection started
> > > Sep 30 17:09:33 phathat pptpd[2413]: CTRL: Starting call (launching pppd, opening GRE)
> > > Sep 30 17:09:33 phathat pppd[2414]: pppd 2.3.10 started by root, uid 0
> > >
> > > Sep 30 17:09:33 phathat pppd[2414]: Using interface ppp0
> > > Sep 30 17:09:33 phathat pppd[2414]: Connect: ppp0 <--> /dev/pts/0
> > > Sep 30 17:09:36 phathat pptpd[2266]: GRE: Discarding out of order packet
> > > Sep 30 17:09:36 phathat pptpd[2413]: GRE: Discarding out of order packet
> > > Sep 30 17:09:39 phathat pptpd[2266]: GRE: Discarding out of order packet
> > > Sep 30 17:09:39 phathat pptpd[2413]: GRE: Discarding out of order packet
> > > Sep 30 17:09:42 phathat pptpd[2266]: GRE: Discarding out of order packet
> > > Sep 30 17:09:42 phathat pptpd[2413]: GRE: Discarding out of order packet
> > > Sep 30 17:09:45 phathat pptpd[2266]: GRE: Discarding out of order packet
> > > Sep 30 17:09:45 phathat pptpd[2413]: GRE: Discarding out of order packet
> > > Sep 30 17:09:48 phathat pptpd[2266]: GRE: Discarding out of order packet
> > > Sep 30 17:09:48 phathat pptpd[2413]: GRE: Discarding out of order packet
> > > Sep 30 17:10:00 phathat pptpd[2266]: GRE: Discarding out of order packet
> > > Sep 30 17:10:00 phathat pptpd[2413]: GRE: Discarding out of order packet
> > > Sep 30 17:10:03 phathat pppd[2414]: LCP: timeout sending Config-Requests
> > > Sep 30 17:10:03 phathat pppd[2414]: Connection terminated.
> > > Sep 30 17:10:03 phathat pppd[2414]: Exit.
> > > Sep 30 17:10:03 phathat pptpd[2413]: GRE: read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
> > > Sep 30 17:10:03 phathat pptpd[2413]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
> > > Sep 30 17:10:03 phathat pptpd[2413]: CTRL: Client 209.187.165.235 control connection finished
> >
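
[Added example, not part of any list member's post and not Poptop code.] The two server-side syslog excerpts quoted in this thread fail in different ways: one ends in an LCP timeout after repeated GRE discards, the other in "peer refused to authenticate". The sketch below separates the two per pppd session; the sample lines are constructed from those excerpts, and the hint texts and the assumption that sessions do not overlap are this example's own.

```python
import re

# Constructed sample, trimmed from the two syslog excerpts quoted in this thread.
SAMPLE = """\
Sep 30 17:09:33 phathat pppd[2414]: Connect: ppp0 <--> /dev/pts/0
Sep 30 17:09:36 phathat pptpd[2413]: GRE: Discarding out of order packet
Sep 30 17:09:39 phathat pptpd[2413]: GRE: Discarding out of order packet
Sep 30 17:10:03 phathat pppd[2414]: LCP: timeout sending Config-Requests
Sep 30 17:10:03 phathat pppd[2414]: Connection terminated.
Sep 30 22:05:50 phathat pppd[2701]: Connect: ppp1 <--> /dev/pts/3
Sep 30 22:05:52 phathat pptpd[2700]: GRE: Discarding duplicate packet
Sep 30 22:05:54 phathat pppd[2701]: peer refused to authenticate: terminating link
Sep 30 22:05:54 phathat pppd[2701]: Connection terminated.
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (pppd|pptpd)\[(\d+)\]: (.*)$")

# Hypothetical triage hints (assumptions of this example, not pppd output).
HINTS = {
    "lcp-timeout": "no LCP replies arrived: check IP protocol 47 (GRE) in both directions",
    "auth-refused": "client would not authenticate: check the client's user name and secret",
    "unknown": "no known failure marker in this session",
}

def triage(log_text):
    """Return one dict per pppd session: interface, GRE discards, verdict, hint."""
    sessions, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        prog, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        if prog == "pppd" and msg.startswith("Connect:"):
            current = {"pid": pid, "iface": msg.split()[1],
                       "gre_discards": 0, "verdict": "unknown"}
            sessions.append(current)
        elif current is None:
            continue  # line outside any open session
        elif prog == "pptpd" and msg.startswith("GRE: Discarding"):
            current["gre_discards"] += 1
        elif prog == "pppd" and pid == current["pid"]:
            if msg.startswith("LCP: timeout sending Config-Requests"):
                current["verdict"] = "lcp-timeout"
            elif msg.startswith("peer refused to authenticate"):
                current["verdict"] = "auth-refused"
            elif msg.startswith("Connection terminated"):
                current = None  # session closed
    return [dict(s, hint=HINTS[s["verdict"]]) for s in sessions]
```
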