[pptp-server] strange problem on connection

Jean-Paul Chavant chavant at geosys.fr
Wed Sep 27 10:03:55 CDT 2000


Hello,

I have installed a VPN server on a Linux box. My client is a Win95 box.
I've made tests on a local network with private IP addresses (192.168 & 172.16).

All worked very well (firewall/PPTP server/ping/... except network
neighbourhood ...)

Then I installed my VPN server. New IP addresses (one private on my LAN:
192.168.1.252, the other one in my public zone).
I've made modifications to my firewall rules (modification of the variable).

Now when I try to connect with my client (from my public zone) I get
error 629.

In the pptp log I have (filtered packets are logged):

Sep 26 16:56:42 endeavour pptpd[770]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: local address = 192.168.0.1
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: remote address = 192.168.0.100
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control
connection started
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Received PPTP Control Message
(type: 1)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Made a START CTRL CONN RPLY
packet
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: I wrote 156 bytes to the client.
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Sent packet to client
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Received PPTP Control Message
(type: 7)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Set parameters to 0 maxbps, 16
window size
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Made a OUT CALL RPLY packet
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Starting call (launching pppd,
opening GRE)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: pty_fd = 4
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: tty_fd = 5
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: I wrote 32 bytes to the client.
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Sent packet to client
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): Connection speed
= 115200
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): local address =
192.168.0.1
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): remote address =
192.168.0.100
Sep 26 16:56:43 endeavour pptpd[770]: GRE:
read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error =
Input/output error
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed
(pty,gre)=(4,5)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control
connection finished
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Exiting now
Sep 26 16:56:43 endeavour pptpd[723]: MGR: Reaped child 770
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=64 S=0x0A I=31744 F=0x4000 T=128 SYN
(#4)
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=32000 F=0x4000 T=128 (#4)
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=208 S=0x0A I=32256 F=0x4000 T=128 (#4)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control
connection started
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=220 S=0x0A I=32512 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Starting call (launching pppd,
opening GRE)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=47
195.115.78.5:65535 195.115.78.4:65535 L=50 S=0x00 I=32768 F=0x0000 T=128
(#5)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=33024 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pppd[771]: The remote system is required to
authenticate itself
Sep 26 16:56:43 endeavour pppd[771]: but I couldn't find any suitable secret
(password) for it to use to do so.
Sep 26 16:56:43 endeavour pppd[771]: (None of the available passwords would
let it use an IP address.)
Sep 26 16:56:43 endeavour pptpd[770]: GRE:
read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error =
Input/output error
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed
(pty,gre)=(4,5)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=33280 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control
connection finished

There are 2 errors I notice:

Sep 26 16:56:43 endeavour pppd[771]: The remote system is required to
authenticate itself
Sep 26 16:56:43 endeavour pppd[771]: but I couldn't find any suitable secret
(password) for it to use to do so.
Sep 26 16:56:43 endeavour pppd[771]: (None of the available passwords would
let it use an IP address.)


Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed
(pty,gre)=(4,5)


My chap-secrets file is:

# Secrets for authentication using CHAP
# client				server			secret			IP addresses
Mj09tt12				endeavour			********			*
GEOSYS\\Mj09tt12			endeavour			********			*


My question is why my system worked very well with internal IPs
and why now with a public IP it doesn't work ... ???
Does someone have an idea?

JPAUL


PS: my firewall rules file

#!/bin/sh
#

# Source function library.
. /etc/rc.d/init.d/functions


PATH=/sbin:/bin:/usr/sbin:/usr/bin


# See how we were called.

case "$1" in
  start)
        echo -e "\nStarting firewall...\n\n "

### Enable IP forwarding, defragmentation and dynamic addressing

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

### Disable ICMP redirects.

for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > $file
done

### Disable source routed packets.

for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > $file
done


### Enable anti-spoofing (reverse path filtering).

for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > $file
done

### External IP address and external interface name
### (the public address is masked in the post)

extip="*.*.*.*/32"
extint="eth1"

### Internal IP address and internal interface name

intint="eth0"
intnet="192.168.0.0/16"
intip="192.168.1.252/32"

### VPN address range (the ppp addresses pptpd hands out)

vpnnet="192.168.0.0/24"

### Other definitions

ALL="0.0.0.0/0"

############################################################################
#
#
# INCOMING TRAFFIC: flush the rules, default policy = REJECT
#
############################################################################
#

ipchains -P input REJECT
ipchains -F input

# Anyone on the inside, arriving on the internal interface, may go
# anywhere
ipchains -A input -i $intint -s $intnet -d $ALL -j ACCEPT

# Anti-spoofing: a packet claiming to belong to the internal network but
# arriving on the external interface = REJECT + LOG
#
ipchains -A input -i $extint -s $intnet -d $ALL -l -j REJECT

# The loopback interface is valid
#
ipchains -A input -i lo -s $ALL -d $ALL -j ACCEPT

# Rules for PPTP connections
# Anyone outside may come in on the external interface to the VPN server:
# TCP/1723 (PPTP control connection) and protocol 47 (GRE, the tunnel that
# carries PPP). Both rules log (-l); they are rules #4 and #5 of this chain,
# which is where the "Packet log: input ACCEPT ... (#4)" and "(#5)" lines
# in the syslog above come from.
#
ipchains -A input -i $extint -p tcp -d $extip 1723 -j ACCEPT -l
ipchains -A input -i $extint -p 47 -d $extip -j ACCEPT -l

# Note: as written, nothing in this chain accepts packets arriving on the
# ppp interfaces that pptpd creates, so decapsulated VPN traffic from
# $vpnnet falls through to the final REJECT below.

# Everything else is forbidden (from anywhere to anywhere, arriving on
# any interface): REJECT + LOG
#
ipchains -A input -s $ALL -d $ALL -l -j REJECT



############################################################################
#
#
# OUTGOING TRAFFIC: flush the rules, default policy = REJECT
#
############################################################################
#

ipchains -P output REJECT
ipchains -F output

#ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# Anyone may go out to the internal network via the internal interface
#
ipchains -A output -i $intint -s $ALL -d $intnet -j ACCEPT

# Nothing leaving by the external interface may be addressed to the
# internal network: REJECT + LOG
#
ipchains -A output -i $extint -s $ALL -d $intnet -l -j REJECT

# Nothing from the internal network may leave by the external interface:
# REJECT + LOG
#
ipchains -A output -i $extint -s $intnet -d $ALL -l -j REJECT

# The "everything may leave by the external interface" rule is commented
# out; only the PPTP control connection and GRE, sourced from the public
# address, are allowed out
#
#ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -p tcp -i $extint -s $extip 1723 -d $ALL -j ACCEPT
ipchains -A output -p 47 -i $extint -s $extip -d $ALL -j ACCEPT

# The loopback interface is valid
#
ipchains -A output -i lo -s $ALL -d $ALL -j ACCEPT

# Everything else is forbidden (from anywhere to anywhere, leaving on
# any interface): REJECT + LOG
#
ipchains -A output -s $ALL -d $ALL -l -j REJECT



############################################################################
#
#
# FORWARDED TRAFFIC: flush the rules, default policy = REJECT
#
############################################################################
#

ipchains -P forward REJECT
ipchains -F forward

#ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# Forwarding rules for PPTP, between the VPN network and the local network
# (currently commented out, so nothing is forwarded between them)
#
#ipchains -A forward -s $vpnnet -d $intnet -j ACCEPT -l
#ipchains -A forward -s $intnet -d $vpnnet -j ACCEPT -l

# Everything else is forbidden (from anywhere to anywhere, on any
# interface): REJECT + LOG

ipchains -A forward -s $ALL -d $ALL -l -j REJECT

ipchains -L
### End of rules
        ;;

  stop)
        echo -e "\nShutting down firewall...\n\n "
# Note: 'stop' sets all three policies to ACCEPT, so the box is left wide
# open rather than failing closed.
ipchains -P input ACCEPT
ipchains -F input
ipchains -P output ACCEPT
ipchains -F output
ipchains -P forward ACCEPT
ipchains -F forward
ipchains -L
        ;;

  status)
    echo -e "\n\nFirewall status at $HOSTNAME - `date`\n"
    ipchains -L -n -v
        ;;

  restart)
        $0 stop
        $0 start
        ;;

  reset)
    echo -e "\n\nFirewall counters reset at $HOSTNAME - `date`\n"
    ipchains -L -n -Z -v
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status|reset}"
    exit 1

esac
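
The two pppd messages quoted in the post ("couldn't find any suitable secret" and "None of the available passwords would let it use an IP address") come from pppd's check that some line in chap-secrets matches the server name pppd is using and permits the peer an IP address. The following is an added example, not code from the post, from pppd or from pptpd: a Python model of that lookup following the chap-secrets rules documented in pppd(8). It shows client/server matching with `*` wildcards, the backslash escaping that makes the file text `GEOSYS\\Mj09tt12` the client name `GEOSYS\Mj09tt12`, and the address column, where a missing column or `-` permits no address, `*` permits any, `!` excludes and `/n` denotes a subnet. The sample file is constructed: the post's two lines with placeholder secrets, plus two assumed lines (`roadwarrior`, `noaddr`) and an assumed server name `otherhost` used only to exercise the failure paths.

```python
# Added example (not from the post, pppd or pptpd): a model of how pppd
# looks up a CHAP secret and decides whether the peer may use an IP address,
# following the chap-secrets rules in pppd(8). SAMPLE_CHAP_SECRETS is
# constructed: the post's two lines with placeholder secrets plus two
# assumed lines (roadwarrior, noaddr) that exercise the address column.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_CHAP_SECRETS = r"""
# Secrets for authentication using CHAP
# client            server      secret   IP addresses
Mj09tt12            endeavour   s3cret   *
GEOSYS\\Mj09tt12    endeavour   s3cret   *
# assumed: any address in 192.168.0.0/24 except the server's own ppp
# address; the first matching word wins, so the '!' entry comes first
roadwarrior         endeavour   other    !192.168.0.1 192.168.0.0/24
# assumed: only three words, so no IP address is permitted at all
noaddr              endeavour   nope
"""


@dataclass
class Entry:
    client: str
    server: str
    secret: str
    addrs: List[str]


def split_words(line: str) -> List[str]:
    r"""Tokenize like pppd's getword(): '#' starts a comment, '"' quotes,
    and a backslash makes the next character literal, so the file text
    GEOSYS\\Mj09tt12 is the client name GEOSYS\Mj09tt12."""
    words, cur, have, quoted, i = [], [], False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); have = True; i += 2
        elif c == '"':
            quoted = not quoted; have = True; i += 1
        elif not quoted and c == "#":
            break
        elif not quoted and c.isspace():
            if have:
                words.append("".join(cur)); cur, have = [], False
            i += 1
        else:
            cur.append(c); have = True; i += 1
    if have:
        words.append("".join(cur))
    return words


def parse_chap_secrets(text: str) -> List[Entry]:
    """Lines with at least client, server and secret; the remaining words
    are the acceptable-address list (possibly empty)."""
    rows = (split_words(l) for l in text.splitlines())
    return [Entry(w[0], w[1], w[2], w[3:]) for w in rows if len(w) >= 3]


def find_entry(entries: List[Entry], client: Optional[str],
               server: Optional[str]) -> Optional[Entry]:
    """Best match for client/server (None = don't care, '*' in the file
    matches anything): fewest wildcards wins, the earlier line breaks ties."""
    best, best_score = None, -1
    for e in entries:
        if client is not None and e.client not in ("*", client):
            continue
        if server is not None and e.server not in ("*", server):
            continue
        score = (client is not None and e.client != "*") + \
                (server is not None and e.server != "*")
        if score > best_score:
            best, best_score = e, score
    return best


def some_ip_ok(addrs: List[str]) -> bool:
    """No address column, or one starting with '-', permits no IP at all;
    the first word that is not a '!' exclusion permits something."""
    for w in addrs:
        if w.startswith("-"):
            return False
        if not w.startswith("!"):
            return True
    return False


def ip_allowed(addrs: List[str], ip: str) -> bool:
    """Walk the list in order: '*' allows all, '-' forbids all, '!' makes
    the word an exclusion, 'a.b.c.d/n' is a subnet; the first word covering
    the address decides, and an address not in the list is forbidden."""
    addr = ipaddress.IPv4Address(ip)
    for w in addrs:
        if w == "*":
            return True
        accept = True
        if w.startswith("!"):
            accept, w = False, w[1:]
        if w.startswith("-"):
            return False
        # a trailing '+' (one address per ppp unit number) is not modelled
        if addr in ipaddress.IPv4Network(w.rstrip("+"), strict=False):
            return accept
    return False


def check_peer_auth(entries: List[Entry], server: str, remote_ip: str,
                    client: Optional[str] = None) -> Tuple[bool, str]:
    """The decision behind the two pppd messages in the post. client=None is
    the check pppd makes when the link starts, knowing only its own name;
    with a client name it is the lookup done when the CHAP response arrives."""
    e = find_entry(entries, client, server)
    if e is None:
        return False, "no-secret"          # "couldn't find any suitable secret"
    if not some_ip_ok(e.addrs):
        return False, "no-ip-allowed"      # "(None of the available passwords ...)"
    if not ip_allowed(e.addrs, remote_ip):
        return False, "ip-not-authorized"  # secret exists, but not for this address
    return True, "ok"
```

Running `check_peer_auth(parse_chap_secrets(SAMPLE_CHAP_SECRETS), "endeavour", "192.168.0.100")` succeeds on the post's file, while the same call with the server name `otherhost` fails with `no-secret`: the server column must equal the name pppd authenticates as (its hostname unless the `name` option is set), and a line whose address column is empty fails with `no-ip-allowed` even though the secret itself is fine.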


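The kernel "Packet log:" lines in the post are written by the `-l` flag on the two PPTP rules of the input chain (rule #4 for TCP/1723, rule #5 for GRE). This added example, not from the post or from any of the tools it mentions, parses those ipchains log lines and tallies the verdict per PPTP traffic class, so one can see at a glance whether the packet filter or pppd ended the call. The sample is the post's seven kernel lines unwrapped, two pptpd/pppd lines to show that non-firewall lines are skipped, and one constructed REJECT line (I=32769, rule #7) that does not occur in the post and only illustrates what a blocked GRE packet would look like.

```python
# Added example (not from the post): parse the ipchains "Packet log:" lines
# that the firewall's -l rules write and tally the verdict per PPTP traffic
# class. SAMPLE_LOG is the post's seven kernel lines (unwrapped), two
# pptpd/pppd lines to show non-firewall lines are skipped, and ONE
# CONSTRUCTED line (I=32769, rule #7) showing what a rejected GRE packet
# would look like.
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=64 S=0x0A I=31744 F=0x4000 T=128 SYN (#4)
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=32000 F=0x4000 T=128 (#4)
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=208 S=0x0A I=32256 F=0x4000 T=128 (#4)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control connection started
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=220 S=0x0A I=32512 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=47 195.115.78.5:65535 195.115.78.4:65535 L=50 S=0x00 I=32768 F=0x0000 T=128 (#5)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=33024 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pppd[771]: The remote system is required to authenticate itself
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6 195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=33280 F=0x4000 T=128 (#4)
Sep 26 16:56:44 endeavour kernel: Packet log: input REJECT eth1 PROTO=47 195.115.78.5:65535 195.115.78.4:65535 L=50 S=0x00 I=32769 F=0x0000 T=128 (#7)
"""

# ipchains log layout: chain verdict iface PROTO=n src:sport dst:dport L=len
# S=tos I=id F=frag T=ttl [tcp flags] (#rule). Non-TCP/UDP packets log
# port 65535 on both sides, as the GRE lines show.
PACKET_LOG = re.compile(
    r"kernel: Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)


def parse_packet_log(line: str) -> Optional[dict]:
    """Fields of one kernel packet-log line, or None for any other syslog
    line (pptpd, pppd, ...)."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[k] = int(rec[k])
    rec["flags"] = rec["flags"].split()
    rec["timestamp"] = line[:15]  # syslog "Mon dd hh:mm:ss"
    return rec


def traffic_class(rec: dict) -> Optional[str]:
    """'tcp/1723' for the PPTP control connection, 'gre' for protocol 47,
    None for anything else."""
    if rec["proto"] == 47:
        return "gre"
    if rec["proto"] == 6 and 1723 in (rec["sport"], rec["dport"]):
        return "tcp/1723"
    return None


def pptp_verdicts(lines: List[str]) -> Dict[str, Counter]:
    """Count ACCEPT/REJECT/DENY per PPTP traffic class."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for rec in filter(None, map(parse_packet_log, lines)):
        cls = traffic_class(rec)
        if cls:
            counts[cls][rec["verdict"]] += 1
    return counts


def blocked_pptp_packets(lines: List[str]) -> List[dict]:
    """PPTP-related packets the filter did not accept, keeping the (#n) rule
    number so the responsible ipchains rule can be found in the script."""
    return [rec for rec in filter(None, map(parse_packet_log, lines))
            if traffic_class(rec) and rec["verdict"] != "ACCEPT"]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for cls, c in pptp_verdicts(lines).items():
        print(cls, dict(c))
    for rec in blocked_pptp_packets(lines):
        print("blocked:", rec["timestamp"], traffic_class(rec), "by rule #%d" % rec["rule"])
```

On the post's own lines every TCP/1723 and GRE packet is an ACCEPT by rules #4 and #5, so `blocked_pptp_packets` returns only the constructed REJECT; the first non-firewall event after the accepted GRE packet is pppd's authentication message, which is where to look next.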

