[pptp-server] strange problem on connection
Jean-Paul Chavant
chavant at geosys.fr
Wed Sep 27 10:03:55 CDT 2000
hello,
I have installed a VPN server on a Linux box. My client is a Win95 box.
I've made tests on a local network with private IP addresses (192.168 & 172.16).
All worked very well (firewall/PPTP server/ping/... except Network
Neighborhood ...)
Then I installed my VPN server. New IP addresses (one private on my LAN:
192.168.1.252, the other one in my public zone).
I've made modifications to my firewall rules (modification of the variables).
Now when I try to connect with my client (from my public zone) I get
error 629.
In the pptp log I have (filtered packets are logged):
Sep 26 16:56:42 endeavour pptpd[770]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: local address = 192.168.0.1
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: remote address = 192.168.0.100
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control
connection started
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Received PPTP Control Message
(type: 1)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Made a START CTRL CONN RPLY
packet
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: I wrote 156 bytes to the client.
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Sent packet to client
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Received PPTP Control Message
(type: 7)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Set parameters to 0 maxbps, 16
window size
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Made a OUT CALL RPLY packet
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Starting call (launching pppd,
opening GRE)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: pty_fd = 4
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: tty_fd = 5
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: I wrote 32 bytes to the client.
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Sent packet to client
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): Connection speed
= 115200
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): local address =
192.168.0.1
Sep 26 16:56:43 endeavour pptpd[771]: CTRL (PPPD Launcher): remote address =
192.168.0.100
Sep 26 16:56:43 endeavour pptpd[770]: GRE:
read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error =
Erreur d'entrée/sortie
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed
(pty,gre)=(4,5)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control
connection finished
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Exiting now
Sep 26 16:56:43 endeavour pptpd[723]: MGR: Reaped child 770
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=64 S=0x0A I=31744 F=0x4000 T=128 SYN
(#4)
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=32000 F=0x4000 T=128 (#4)
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=208 S=0x0A I=32256 F=0x4000 T=128 (#4)
Sep 26 16:56:42 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control
connection started
Sep 26 16:56:42 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=220 S=0x0A I=32512 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Starting call (launching pppd,
opening GRE)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=47
195.115.78.5:65535 195.115.78.4:65535 L=50 S=0x00 I=32768 F=0x0000 T=128
(#5)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=33024 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pppd[771]: The remote system is required to
authenticate itself
Sep 26 16:56:43 endeavour pppd[771]: but I couldn't find any suitable secret
(password) for it to use to do so.
Sep 26 16:56:43 endeavour pppd[771]: (None of the available passwords would
let it use an IP address.)
Sep 26 16:56:43 endeavour pptpd[770]: GRE:
read(fd=4,buffer=804d7e0,len=8196) from PTY failed: status = -1 error =
Erreur d'entrée/sortie
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed
(pty,gre)=(4,5)
Sep 26 16:56:43 endeavour kernel: Packet log: input ACCEPT eth1 PROTO=6
195.115.78.5:1030 195.115.78.4:1723 L=52 S=0x0A I=33280 F=0x4000 T=128 (#4)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: Client 195.115.78.5 control
connection finished
There are 2 errors I notice:
Sep 26 16:56:43 endeavour pppd[771]: The remote system is required to
authenticate itself
Sep 26 16:56:43 endeavour pppd[771]: but I couldn't find any suitable secret
(password) for it to use to do so.
Sep 26 16:56:43 endeavour pppd[771]: (None of the available passwords would
let it use an IP address.)
Sep 26 16:56:43 endeavour pptpd[770]: CTRL: PTY read or GRE write failed
(pty,gre)=(4,5)
My chap-secrets file is:
# Secrets for authentication using CHAP
# client server secret IP addresses
Mj09tt12 endeavour ******** *
GEOSYS\\Mj09tt12 endeavour ******** *
My question is why my system worked very well with internal IPs
and why now with public IPs it doesn't work ... ???
Does someone have an idea?
JPAUL
PS: my firewall rules file
#!/bin/sh
#
# Source function library.
. /etc/rc.d/init.d/functions
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# See how we were called.
case "$1" in
start)
echo -e "\\nStarting firewall...\\n\\n "
### Enable IP forwarding and dynamic addressing
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
### Disable ICMP redirects.
for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $file
done
### Disable source-routed packets.
for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $file
done
### Enable anti-spoofing (reverse path filtering).
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $file
done
### External IP address and external interface name
extip="*.*.*.*/32"
extint="eth1"
### Internal IP address and internal interface name
intint="eth0"
intnet="192.168.0.0/16"
intip="192.168.1.252/32"
### VPN address range
vpnnet="192.168.0.0/24"
### Other definitions
ALL="0.0.0.0/0"
############################################################################
#
#
# INCOMING TRAFFIC: flush the rules, default policy = REJECT
#
############################################################################
#
ipchains -P input REJECT
ipchains -F input
# Anyone from the inside, via the internal interface, may go anywhere
# (the original comment was wrapped onto lines without '#', which the
# shell would have tried to run as commands)
ipchains -A input -i $intint -s $intnet -d $ALL -j ACCEPT
# Anti-spoofing: packets claiming to belong to the internal network but
# arriving via the external interface = REJECT + LOG
#
ipchains -A input -i $extint -s $intnet -d $ALL -l -j REJECT
# the loopback interface is valid
#
ipchains -A input -i lo -s $ALL -d $ALL -j ACCEPT
# Rules for PPTP connections
# Anyone from the outside may come in on the external interface
# to the VPN server (TCP 1723 control channel and GRE, protocol 47)
#
ipchains -A input -i $extint -p tcp -d $extip 1723 -j ACCEPT -l
ipchains -A input -i $extint -p 47 -d $extip -j ACCEPT -l
# Everything else is forbidden (from anywhere to anywhere, entering
# on any interface): REJECT + LOG
#
ipchains -A input -s $ALL -d $ALL -l -j REJECT
############################################################################
#
#
# OUTGOING TRAFFIC: flush the rules, default policy = REJECT
#
############################################################################
#
ipchains -P output REJECT
ipchains -F output
#ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# Anyone may go out to the internal network via the internal interface
#
ipchains -A output -i $intint -s $ALL -d $intnet -j ACCEPT
# Nothing from the external interface may go out to the internal network
# REJECT + LOG
#
ipchains -A output -i $extint -s $ALL -d $intnet -l -j REJECT
# Nothing from the internal network may go out via the external interface
# REJECT + LOG
#
ipchains -A output -i $extint -s $intnet -d $ALL -l -j REJECT
# Everything going out via the external interface is allowed
# (in practice only the PPTP control port and GRE are enabled below)
#
#ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -p tcp -i $extint -s $extip 1723 -d $ALL -j ACCEPT
ipchains -A output -p 47 -i $extint -s $extip -d $ALL -j ACCEPT
# the loopback interface is valid
#
ipchains -A output -i lo -s $ALL -d $ALL -j ACCEPT
# Everything else is forbidden (from anywhere to anywhere, leaving
# on any interface): REJECT + LOG
#
ipchains -A output -s $ALL -d $ALL -l -j REJECT
############################################################################
#
#
# FORWARDED TRAFFIC: flush the rules, default policy = REJECT
#
############################################################################
#
ipchains -P forward REJECT
ipchains -F forward
#ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# Forwarding rules for PPTP, from the VPN network to the local network
#
#ipchains -A forward -s $vpnnet -d $intnet -j ACCEPT -l
#ipchains -A forward -s $intnet -d $vpnnet -j ACCEPT -l
# Everything else is forbidden (from anywhere to anywhere, forwarded
# on any interface): REJECT + LOG
ipchains -A forward -s $ALL -d $ALL -l -j REJECT
ipchains -L
### End of rules
;;
stop)
echo -e "\\nShutting down firewall...\\n\\n "
ipchains -P input ACCEPT
ipchains -F input
ipchains -P output ACCEPT
ipchains -F output
ipchains -P forward ACCEPT
ipchains -F forward
ipchains -L
;;
status)
echo -e "\\n\\nFirewall status at $HOSTNAME - `date`\\n"
ipchains -L -n -v
;;
restart)
$0 stop
$0 start
;;
reset)
echo -e "\\n\\nFirewall counters reset at $HOSTNAME - `date`\\n"
ipchains -L -n -Z -v
;;
*)
echo "Usage: $0 {start|stop|restart|status|reset}"
exit 1
esac
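As an added illustration (not part of the original post, and not pppd's own code), the following Python models how pppd searches chap-secrets for a usable secret before it brings the link up, following the matching rules documented in pppd(8). When that search fails, pppd exits during option checking, so no PPP frames ever reach the pty and pptpd's PTY read fails with the I/O error seen in the log above. The file contents, the placeholder secrets, and the hostname endeavour.geosys.fr used for the mismatch case are constructed for the example; the server name and remote address are the ones pptpd's launcher logged.

```python
"""Model of pppd's chap-secrets lookup (added example, not pppd's code).

It follows the rules documented in pppd(8): each line is
    client  server  secret  [address ...]
'*' matches any client or server; in the address list '*' allows any
address, '-' allows none, '!addr' forbids an address, 'a.b.c.d/n' is a
subnet, and a line with no address column allows no address at all.
Simplification: every matching line is considered (pppd applies a
best-match score), and non-address words in the address column are ignored.
"""
import ipaddress

# Constructed copy of the poster's file; the secrets are placeholders.
SAMPLE_SECRETS = r"""
# Secrets for authentication using CHAP
# client server secret IP addresses
Mj09tt12 endeavour secret1 *
GEOSYS\\Mj09tt12 endeavour secret2 *
"""

# Constructed variant with the address column left off (3-word lines).
NO_ADDRESS_SECRETS = r"""
Mj09tt12 endeavour secret1
GEOSYS\\Mj09tt12 endeavour secret2
"""


def parse_secrets(text):
    """Return (client, server, secret, addrs) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        words = raw.split()
        # a word beginning with '#' starts a comment, as in pppd's reader
        cut = next((i for i, w in enumerate(words) if w.startswith("#")), len(words))
        words = [w.replace("\\\\", "\\") for w in words[:cut]]  # '\\' -> '\'
        if len(words) < 3:
            continue  # client, server and secret are all required
        client, server, secret, *addrs = words
        entries.append((client, server, secret, addrs))
    return entries


def address_permitted(addrs, remote_ip):
    """Decide whether the address list lets the peer use remote_ip."""
    if not addrs:
        return False  # only 3 words on the line: no address is allowed
    ip = ipaddress.ip_address(remote_ip)
    for word in addrs:
        if word == "-":
            return False
        if word == "*":
            return True
        forbidden = word.startswith("!")
        try:
            net = ipaddress.ip_network(word.lstrip("!"), strict=False)
        except ValueError:
            continue  # not an address (simplification: ignore the word)
        if ip in net:
            return not forbidden
    return False  # address not listed: pppd refuses it


def check_secrets(text, server, remote_ip, client=None):
    """Reproduce the three outcomes of pppd's 'suitable secret' check.

    'ok'        a matching line allows remote_ip
    'no-secret' no line matches the server (and client, if one is given)
    'lacks-ip'  lines match, but none of their address lists allows
                remote_ip; this is the case that adds the
                '(None of the available passwords would let it use an
                IP address.)' line to pppd's log
    """
    matched = [
        e for e in parse_secrets(text)
        if e[1] in ("*", server) and (client is None or e[0] in ("*", client))
    ]
    if not matched:
        return "no-secret"
    if any(address_permitted(e[3], remote_ip) for e in matched):
        return "ok"
    return "lacks-ip"


if __name__ == "__main__":
    # endeavour / 192.168.0.100 are the values pptpd's launcher logged;
    # endeavour.geosys.fr is a hypothetical mismatching server name.
    print(check_secrets(SAMPLE_SECRETS, "endeavour", "192.168.0.100"))
    print(check_secrets(SAMPLE_SECRETS, "endeavour.geosys.fr", "192.168.0.100"))
    print(check_secrets(NO_ADDRESS_SECRETS, "endeavour", "192.168.0.100"))
```

Run over the entries as posted, the model finds a usable secret for server name endeavour and remote address 192.168.0.100. A server-name mismatch produces only the generic "couldn't find any suitable secret" outcome, while three-word lines (no address column) produce the outcome that adds the "(None of the available passwords would let it use an IP address.)" line. The server name pppd compares against is the machine's hostname unless the name or domain option changes it, so that value and the exact file pppd reads are the inputs worth comparing between the two setups.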