From ckhui at school.net.hk Sun Apr 1 10:02:14 2001
From: ckhui at school.net.hk (Hui Chun Kit)
Date: Sun, 01 Apr 2001 23:02:14 +0800
Subject: [pptp-server] Questions on Win98SE/ME and poptop
Message-ID: <3AC742F5.2D5FF71F@school.net.hk>

Dear all,

I've been reading messages on this list and trying out poptop on RH7 for some time without much luck. Can anyone tell me whether this is possible and whether anyone has ever succeeded? If so, what are the steps required, or where can I find some docs?

Clients: Win98SE / WinME
Server: RH7, using encrypted connections and MSCHAP, authenticating to an NT server (SP6)?

Thanks.

Jacky Hui
--
Best Rgds,
Jacky Hui
Hong Kong

From berzerke at swbell.net Sun Apr 1 10:39:29 2001
From: berzerke at swbell.net (robert)
Date: Sun, 01 Apr 2001 09:39:29 -0600
Subject: [pptp-server] Looking for the 128-bit Win98 patch
In-Reply-To: <3AC6BE07.68F1B573@McQuil.com>
References: <3AC6BE07.68F1B573@McQuil.com>
Message-ID: <01040110392903.12576@linux>

Try doing a search at: http://ftpsearch.lycos.com/ and search for msdun128

On Saturday 31 March 2001 23:35, Jim McQuillan wrote:
> I'm looking for the 128-bit encryption patch for Win98. I followed the link in the instructions to go to
>
> http://support.microsoft.com/Support/NTServer/128Eula.asp
>
> There is a message saying that it has been pulled, and will return 'Shortly'.
>
> Anybody have another link?
>
> Thanks,
> Jim McQuillan
> jam at ltsp.org
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
From jam at McQuil.com Sun Apr 1 11:01:12 2001
From: jam at McQuil.com (Jim McQuillan)
Date: Sun, 01 Apr 2001 12:01:12 -0400
Subject: [pptp-server] Looking for the 128-bit Win98 patch
References: <3AC6BE07.68F1B573@McQuil.com> <01040110392903.12576@linux>
Message-ID: <3AC750C8.A55ABAE4@McQuil.com>

Robert,

Thanks for the response, but ftpsearch.lycos.com doesn't have any matches for msdun128.

Anybody else have any ideas where I can get the 128-bit patch for Win98 (and Win95)?

Thanks,
Jim McQuillan
jam at ltsp.org

robert wrote:
> Try doing a search at: http://ftpsearch.lycos.com/ and search for msdun128
>
> On Saturday 31 March 2001 23:35, Jim McQuillan wrote:
> > I'm looking for the 128-bit encryption patch for Win98. I followed the link in the instructions to go to
> >
> > http://support.microsoft.com/Support/NTServer/128Eula.asp
> >
> > There is a message saying that it has been pulled, and will return 'Shortly'.
> >
> > Anybody have another link?
> >
> > Thanks,
> > Jim McQuillan
> > jam at ltsp.org

From djolivier at bigfoot.com Sun Apr 1 11:18:22 2001
From: djolivier at bigfoot.com (Douglas J. Olivier)
Date: Sun, 1 Apr 2001 09:18:22 -0700
Subject: [pptp-server] Looking for the 128-bit Win98 patch
In-Reply-To: <3AC750C8.A55ABAE4@McQuil.com>
Message-ID: <000401c0bac7$6545def0$0201a8c0@kahunabro.dakotacom.net>

I found it. Go down to the other search box; the one at the top only searches Lycos.

If you find the Win95 one, let me know.
From vgill at technologist.com Sun Apr 1 12:26:55 2001
From: vgill at technologist.com (Gill, Vern)
Date: Sun, 1 Apr 2001 10:26:55 -0700
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D68@ftp.gillnet.org>

For what it's worth to all of you, I have successfully connected to pptpd-1.1.2/pppd-2.4.0 from w2ksp1. This is right across my lan, but that shouldn't matter. If anyone wants to try connecting to my system from a w2k client, let me know and I will set an acct. for you...

Just in case, here are my configs;

/etc/ppp/options.pptpd

#debug
#kdebug 9
lock
proxyarp
name xxxxxx
auth
+chap
+chapms
+chapms-v2
# This will remove the domain in front of the username
# E.G. DOMAIN\\username becomes username
chapms-strip-domain
#mppe-40
mppe-128
mppe-stateless
require-chap
require-mppe
require-mppe-stateless
ms-dns 192.168.xxx.xxx
ms-dns xxx.xxx.xxx.xxx
ms-wins 192.168.xxx.xxx
ms-wins 192.168.xxx.xxx
idle 1800
mtu 1490
mru 1490
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
ipx
ipx-network 4

/etc/pptpd.conf

speed 115200
option /etc/ppp/options.pptp
debug
localip 192.168.xxx.1
remoteip 192.168.xxx.40-49
#ipxnets 00001000-00001FFF
#listen 192.168.xxx.1
pidfile /var/run/pptpd.pid

# pptpd -v
PoPToP v1.1.2

# pppd -v
pppd version 2.4.0

# grep ppp /etc/modules.conf
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate # From original RFC draft
alias ppp-compress-26 ppp_deflate # Final standard per ppp-2.3.4 README

/var/log/messages

Apr 1 10:13:16 xxxxx pptpd[1990]: CTRL: Starting call (launching pppd, opening GRE)
Apr 1 10:13:16 xxxxx pppd[1991]: pppd 2.4.0 started by root, uid 0
Apr 1 10:13:16 xxxxx pppd[1991]: Using interface ppp1
Apr 1 10:13:16 xxxxx pppd[1991]: Connect: ppp1 <--> /dev/pts/0
Apr 1 10:13:19 xxxxx pptpd[1990]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr 1 10:13:19 xxxxx pppd[1991]: MSCHAP-v2 peer authentication succeeded for user
Apr 1 10:13:19 xxxxx pppd[1991]: found interface eth0 for proxy arp
Apr 1 10:13:19 xxxxx pppd[1991]: local IP address 192.168.xxx.1
Apr 1 10:13:19 xxxxx pppd[1991]: remote IP address 192.168.xxx.31
Apr 1 10:13:19 xxxxx pppd[1991]: MPPE 128 bit, stateless compression enabled
Apr 1 10:13:19 xxxxx pppd[1991]: stateless MPPE enforced
Apr 1 10:13:19 xxxxx pppdparam: Connection speed is 115200
Apr 1 10:13:19 xxxxx pppdparam: New IP Address is 192.168.xxx.1
Apr 1 10:13:19 xxxxx pppdparam: New Gateway Address is 192.168.xxx.31
Apr 1 10:13:19 xxxxx pppdparam: ppp1 is connected at 115200 to /dev/pts/0
Apr 1 10:13:19 xxxxx pppdparam: with an IP of 192.168.xxx.1, and a gateway of 192.168.xxx.31

Good luck...

From vgill at technologist.com Sun Apr 1 12:31:21 2001
From: vgill at technologist.com (Gill, Vern)
Date: Sun, 1 Apr 2001 10:31:21 -0700
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D69@ftp.gillnet.org>

By the way, forgot to mention, this is kernel 2.4.2 and using iptables-1.2.1. My pppd is modular, as well as my mppe and iptables stuff. Not sure if it makes a difference, just thought I'd mention it...
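Vern's syslog excerpt shows what a healthy session looks like: MSCHAP-v2 succeeded, then "MPPE 128 bit, stateless compression enabled" before IPCP hands out addresses. Because MPPE is negotiated as a CCP option, a session can also come up with no such line at all and carry cleartext, which is the only way to tell an "unencrypted works, encrypted doesn't" report from a genuinely protected link. The checker below is an added example, not code from the thread or from poptop/pppd: it groups pppd lines by PID and flags sessions that reached IPCP without MPPE, negotiated less than 128 bits, authenticated with something other than MSCHAP-v2, or died on an unrecognized option (the message Keith reports later in this thread). The sample lines are constructed in the shape of the quoted ones; host name, PIDs, user names and addresses are made up.

```python
"""Audit pptpd/pppd syslog lines: did each session actually come up with MPPE?

Added example, not from the thread or from poptop/pppd. SAMPLE_LOG is
constructed in the shape of the lines quoted in the thread; the host,
PIDs, user names and addresses are invented."""
import re

SAMPLE_LOG = """\
Apr  1 10:13:16 gw pptpd[1990]: CTRL: Starting call (launching pppd, opening GRE)
Apr  1 10:13:16 gw pppd[1991]: pppd 2.4.0 started by root, uid 0
Apr  1 10:13:16 gw pppd[1991]: Using interface ppp1
Apr  1 10:13:19 gw pppd[1991]: MSCHAP-v2 peer authentication succeeded for vern
Apr  1 10:13:19 gw pppd[1991]: local IP address 192.168.0.1
Apr  1 10:13:19 gw pppd[1991]: remote IP address 192.168.0.31
Apr  1 10:13:19 gw pppd[1991]: MPPE 128 bit, stateless compression enabled
Apr  1 10:13:19 gw pppd[1991]: stateless MPPE enforced
Apr  1 10:20:02 gw pppd[2042]: pppd 2.4.0 started by root, uid 0
Apr  1 10:20:02 gw pppd[2042]: Using interface ppp2
Apr  1 10:20:05 gw pppd[2042]: CHAP authentication succeeded
Apr  1 10:20:05 gw pppd[2042]: local IP address 192.168.0.1
Apr  1 10:20:05 gw pppd[2042]: remote IP address 192.168.0.32
Apr  1 15:37:59 gw pppd[10875]: In file /etc/ppp/options: unrecognized option 'require-mppe'
"""

# Classic syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>pppd|pptpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IFACE_RE = re.compile(r"Using interface (\S+)")
AUTH_RE = re.compile(
    r"(MSCHAP-v2|CHAP|PAP) (?:peer )?authentication succeeded(?: for (\S+))?")
REMOTE_RE = re.compile(r"remote IP address (\S+)")
MPPE_RE = re.compile(r"MPPE (\d+) bit, (stateless|stateful) compression enabled")
BADOPT_RE = re.compile(r"unrecognized option '([^']+)'")


def parse_sessions(log_text):
    """Group pppd lines by PID into one record per session (file order kept)."""
    sessions = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "pppd":
            continue  # pptpd CTRL lines carry no per-session security state
        s = sessions.setdefault(m.group("pid"), {
            "iface": None, "auth": None, "user": None, "remote_ip": None,
            "mppe_bits": None, "mppe_mode": None, "bad_options": []})
        msg = m.group("msg")
        if (x := IFACE_RE.search(msg)):
            s["iface"] = x.group(1)
        elif (x := AUTH_RE.search(msg)):
            s["auth"], s["user"] = x.group(1), x.group(2)
        elif (x := REMOTE_RE.search(msg)):
            s["remote_ip"] = x.group(1)
        elif (x := MPPE_RE.search(msg)):
            s["mppe_bits"], s["mppe_mode"] = int(x.group(1)), x.group(2)
        elif (x := BADOPT_RE.search(msg)):
            s["bad_options"].append(x.group(1))
    return sessions


def audit(sessions, min_bits=128):
    """Return (pid, finding) pairs for sessions that fall short of the policy."""
    findings = []
    for pid, s in sessions.items():
        if s["bad_options"]:
            findings.append((pid, "pppd rejected options: " + ", ".join(s["bad_options"])))
        if s["remote_ip"] is None:
            continue  # never reached IPCP, so nothing was carried over the link
        if s["mppe_bits"] is None:
            findings.append((pid, "link up without MPPE: traffic is cleartext"))
        elif s["mppe_bits"] < min_bits:
            findings.append((pid, f"MPPE {s['mppe_bits']}-bit is below {min_bits}-bit"))
        if s["auth"] != "MSCHAP-v2":
            findings.append((pid, f"authenticated with {s['auth']} rather than MSCHAP-v2"))
    return findings


if __name__ == "__main__":
    for pid, text in audit(parse_sessions(SAMPLE_LOG)):
        print(f"pppd[{pid}]: {text}")
```

Run against a real /var/log/messages, a session with a remote address but no MPPE line is the one to chase: in the configurations quoted in this thread, only the patch-supplied require-mppe options stop pppd from accepting such a link.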
From berzerke at swbell.net Sun Apr 1 12:53:44 2001
From: berzerke at swbell.net (robert)
Date: Sun, 01 Apr 2001 11:53:44 -0600
Subject: [pptp-server] Looking for the 128-bit Win98 patch
In-Reply-To: <3AC750C8.A55ABAE4@McQuil.com>
References: <3AC6BE07.68F1B573@McQuil.com> <01040110392903.12576@linux> <3AC750C8.A55ABAE4@McQuil.com>
Message-ID: <01040112534404.12576@linux>

http://www.bhamcland.com/ts/patches.html has a copy. Can't vouch for it though.

On Sunday 01 April 2001 11:01, Jim McQuillan wrote:
> Robert,
>
> Thanks for the response, but ftpsearch.lycos.com
> doesn't have any matches for msdun128.
>
> Anybody else have any ideas where I can get the 128-bit
> patch for Win98 (And win95) ?
>
> Thanks,
> Jim McQuillan
> jam at ltsp.org
>
> robert wrote:
> > Try doing a search at: http://ftpsearch.lycos.com/ and search for
> > msdun128
> >
> > On Saturday 31 March 2001 23:35, Jim McQuillan wrote:
> > > I'm looking for the 128-bit encryption patch for Win98. I followed the
> > > link
> > > in the instructions to go to
> > >
> > > http://support.microsoft.com/Support/NTServer/128Eula.asp
> > >
> > > There is a message saying that it has been pulled, and will
> > > return 'Shortly'.
> > >
> > > Anybody have another link?
> > >
> > > Thanks,
> > > Jim McQuillan
> > > jam at ltsp.org
From teastep at seattlefirewall.dyndns.org Sun Apr 1 14:22:35 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Sun, 1 Apr 2001 12:22:35 -0700 (PDT)
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: <8D043DEA73DFD411958A00A0C90AB7607D68@ftp.gillnet.org>
Message-ID:

Vern,

Thus spoke Gill, Vern:
> For what it's worth to all of you, I have successfully connected to
> pptpd-1.1.2/pppd-2.4.0 from w2ksp1. This is right across my lan, but
> that shouldn't matter. If anyone wants to try connecting to my system
> from a w2k client, let me know and I will set an acct. for you...
>

The reported problems with the combination cited in the subject aren't that a connection can't be established but rather with the inability to pass traffic once the connection has been made. Are you reporting that you were able to actually use this connection to pass traffic?

-Tom
--
Tom Eastep                  \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924               \ Websites: http://seawall.sourceforge.net
teastep at evergo.net          \           http://seattlefirewall.dyndns.org
Shoreline, Washington USA   \           http://shorewall.sourceforge.net
                             \_________________________________________
From berzerke at swbell.net Sun Apr 1 14:48:36 2001
From: berzerke at swbell.net (robert)
Date: Sun, 01 Apr 2001 14:48:36 -0500
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To:
References:
Message-ID: <0GB4001KPPKPWS@mta5.rcsntx.swbell.net>
MIME-Version: 1.0
Message-Id: <01040114483600.25410 at linux>
Content-Transfer-Encoding: 8bit

Actually, the problem seems to occur only when the connection is encrypted. Traffic doesn't flow across the encrypted channel. Unencrypted is reported as ok.

I've come across something that leads me to believe encrypted *MIGHT* work with pptpd 1.0.1 (and W2K). Since I don't have a W2K to test against, could someone using the 2.4 kernel, 2.4 pppd try an encrypted connection with pptpd 1.0.1 and not pptpd 1.1.2 and report back success or failure?

On Sunday 01 April 2001 14:22, Tom Eastep wrote:
> Vern,
>
> Thus spoke Gill, Vern:
> > For what it's worth to all of you, I have successfully connected to
> > pptpd-1.1.2/pppd-2.4.0 from w2ksp1. This is right across my lan, but
> > that shouldn't matter. If anyone wants to try connecting to my system
> > from a w2k client, let me know and I will set an acct. for you...
>
> The reported problems with the combination cited in the subject isn't that
> a connection can't be established but rather with the inability to pass
> traffic once the connection has been made. Are you reporting that you were
> able to actually use this connection to pass traffic?
>
> -Tom
From teastep at seattlefirewall.dyndns.org Sun Apr 1 14:56:58 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Sun, 1 Apr 2001 12:56:58 -0700 (PDT)
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: <0GB4001KPPKPWS@mta5.rcsntx.swbell.net>
Message-ID:

Thus spoke robert:
> Actually, the problem seems to only when the connection is encrypted. Traffic
> doesn't flow across the encrypted channel. Unencrypted is reported as ok.
> I'm come across something that leads me to believe encrypted *MIGHT* work
> with pptpd 1.0.1 (and W2K). Since I don't have a W2K to test against, could
> someone using the 2.4 kernel, 2.4 pppd try an encrypted connection with pptpd
> 1.0.1 and not pptpd 1.1.2 and report back success or failure?
>

I'll do so and report...

-Tom
From teastep at seattlefirewall.dyndns.org Sun Apr 1 15:22:55 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Sun, 1 Apr 2001 13:22:55 -0700 (PDT)
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To:
Message-ID:

Thus spoke Tom Eastep:
> > I'm come across something that leads me to believe encrypted *MIGHT* work
> > with pptpd 1.0.1 (and W2K). Since I don't have a W2K to test against, could
> > someone using the 2.4 kernel, 2.4 pppd try an encrypted connection with pptpd
> > 1.0.1 and not pptpd 1.1.2 and report back success or failure?
> >
>
> I'll do so and report...
>
> -Tom
>

I actually have it working with pptpd 1.1.2. In looking at Vern's /etc/ppp/options file I noticed some differences with mine. I changed mine as follows.

Changed:

mtu 1400 -> mtu 1490
mru 1400 -> mru 1490

Added:

ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0

My file is:

lock
mtu 1490
mru 1490
ms-wins 192.168.1.3
ms-dns 192.168.2.2
proxyarp
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-128
mppe-stateless

Since the last time I tried this, I've also upgraded to kernel version 2.4.3.

Log:

Apr 1 13:05:10 firewall pptpd[1922]: CTRL: Starting call (launching pppd, opening GRE)
Apr 1 13:05:10 firewall pppd[1923]: pppd 2.4.0 started by root, uid 0
Apr 1 13:05:10 firewall pppd[1923]: Using interface ppp0
Apr 1 13:05:10 firewall pppd[1923]: Connect: ppp0 <--> /dev/pts/0
Apr 1 13:05:12 firewall pppd[1923]: MSCHAP-v2 peer authentication succeeded for CPQTDM\\TEastep
Apr 1 13:05:12 firewall pppd[1923]: found interface eth1 for proxy arp
Apr 1 13:05:12 firewall pppd[1923]: local IP address 192.168.1.1
Apr 1 13:05:12 firewall pppd[1923]: remote IP address 192.168.1.20
Apr 1 13:05:12 firewall pppd[1923]: MPPE 128 bit, stateless compression enabled

-Tom

From ctresco at mit.edu Sun Apr 1 15:41:14 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Sun, 1 Apr 2001 16:41:14 -0400
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To:
Message-ID:

I just tried adding those settings w/ 2.4.2 kernel and pptpd 1.1.2. Still the same problem. Seems the 2.4.3 kernel fixes something???

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

From ctresco at mit.edu Sun Apr 1 15:48:50 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Sun, 1 Apr 2001 16:48:50 -0400
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To:
Message-ID:

I also just concluded that reverting back to pptpd 1.0.1 doesn't solve the problem. I am going to upgrade to kernel 2.4.3 now and verify it fixed the problem.

Christopher Tresco
MIT Dept of Economics
From kgarner at kgarner.com Sun Apr 1 15:59:33 2001
From: kgarner at kgarner.com (Keith T. Garner)
Date: Sun, 1 Apr 2001 15:59:33 -0500
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: <8D043DEA73DFD411958A00A0C90AB7607D68@ftp.gillnet.org>; from vgill@technologist.com on Sun, Apr 01, 2001 at 10:26:55AM -0700
References: <8D043DEA73DFD411958A00A0C90AB7607D68@ftp.gillnet.org>
Message-ID: <20010401155933.A8195@nickel.kgarner.com>

On Sun, Apr 01, 2001 at 10:26:55, Gill, Vern said:
> For what it's worth to all of you, I have successfully connected to
> pptpd-1.1.2/pppd-2.4.0 from w2ksp1. This is right across my lan, but
> that shouldn't matter. If anyone wants to try connecting to my system
> from a w2k client, let me know and I will set an acct. for you...

Vern, you are my hero! I got it working by modifying my options.pptp to look like yours. I can't tell anyone what the silver bullet is, as my fiancee will kill me if I spend any more time in front of a computer on a Sunday. I just had to try if you had it working and, thanks to you, I did. :)

Of course, life is not entirely perfect...what patch for pppd would fix the following messages:

Apr 1 15:37:59 firewall pppd[10875]: In file /etc/ppp/options: unrecognized option 'require-mppe'
Apr 1 15:38:46 firewall pppd[10879]: In file /etc/ppp/options: unrecognized option 'require-mppe-stateless'

It looks like I must be missing a patch.

Keith
--
Keith T. Garner                               kgarner at kgarner.com
The Net Squad, Internet Solutions Architect   garner at thenetsquad.com
"Yea though I walk through the valley of point-and-click, I will fear no
command line: for UNIX art with me; thy kernel and thy shell they comfort me."
From ctresco at mit.edu Sun Apr 1 16:24:27 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Sun, 1 Apr 2001 17:24:27 -0400
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To:
Message-ID:

HAH. I take that back, those settings did make a difference. It works. At first I only added Gill's settings that I was missing - didn't work, then I pasted the options file directly from his email. Voila!!

The lines that I had but he didn't have were:

noauth, defaultroute, debug

With these lines, my Win9x/NT boxes worked fine, just not Win2K boxes.

Christopher Tresco
MIT Dept of Economics
From vgill at technologist.com Sun Apr 1 17:29:51 2001
From: vgill at technologist.com (Gill, Vern)
Date: Sun, 1 Apr 2001 15:29:51 -0700
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D6C@ftp.gillnet.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Absolutely

>>Are you reporting that you were able to actually use this
>>connection to pass traffic?

Works like a champ...

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOsgRJheamMdwy9TXEQKVhgCg19T5onrHRhbkBmUxOxLci1tkE/oAoJ5u
NsYZ7T2o2W3nw+pgWZjF8hWM
=joYA
-----END PGP SIGNATURE-----

From vgill at technologist.com Sun Apr 1 17:40:44 2001
From: vgill at technologist.com (Gill, Vern)
Date: Sun, 1 Apr 2001 15:40:44 -0700
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D6D@ftp.gillnet.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you guys are still having a problem, please check out my page about this program. Go to http://linus.yi.org and click the PPP tab at the top. I have posted my conf file, my options file, all the patches used for my site, the original patches as well as my combined patch (which I HIGHLY recommend) and the pre-patched ppp-2.4.0 source tree.

Please check it out...

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOsgTtBeamMdwy9TXEQK8HACfQTOcQQNXfVeyKizkeEgfzCRdS4kAnRPZ
cTYu2JUrMNeoCA4Ks5fJQtyR
=enJz
-----END PGP SIGNATURE-----
From: ctresco at mit.edu (Christopher Tresco)
Date: Sun, 1 Apr 2001 18:42:58 -0400
Subject: [pptp-server] Browsing and Netbios forwarding
In-Reply-To: <8D043DEA73DFD411958A00A0C90AB7607D6C@ftp.gillnet.org>

If someone is using samba on their pptp box that ISN'T acting as a PDC but allows browsing, could you paste your smb.conf??? I am having a terrible time getting it to work.

Also, anyone know what became of that netbios forwarder that I have seen on samba.org? It's a broken link atm. Does it work?

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Gill, Vern
Sent: Sunday, April 01, 2001 6:30 PM
To: 'Tom Eastep'; Gill, Vern
Cc: 'robert'; Christopher Tresco; Charlie Brady; Keith T. Garner; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2

Absolutely

>>Are you reporting that you were able to actually use this
>>connection to pass traffic?

Works like a champ...

From kimquang.vo at ost.eltele.no Mon Apr 2 00:58:44 2001
From: kimquang.vo at ost.eltele.no (Kim Quang Vo)
Date: Mon, 02 Apr 2001 07:58:44 +0200
Subject: [pptp-server] unsubcribe

unsubcribe

From sash at exoft.tomsk.ru Mon Apr 2 02:16:26 2001
From: sash at exoft.tomsk.ru (sash)
Date: Mon, 2 Apr 2001 15:16:26 +0800
Subject: [pptp-server] How I can know who is connected over my VPN-server (IP-Adress)

I want to log who connects to my VPN-server and from where. In the ip-down script I found the login name of who was connected, but I didn't find from where.
Help PLS
Thanks
Ganush A

From godfrey at hattaways.com Mon Apr 2 05:02:11 2001
From: godfrey at hattaways.com (Godfrey Livingstone)
Date: Mon, 02 Apr 2001 22:02:11 +1200
Subject: [pptp-server] How I can know who is connected over my VPN-server (IP-Adress)
References:
Message-ID: <3AC84E23.50AE5FDF@hattaways.com>

The following logs even failed connections that tcp_wrappers rejects. This only works if tcp_wrappers is used.

The patch also works with later versions of pptpd.

"User" is only logged if an ident server is running, so in the case of win9x the user is not logged; however the ip and hostname are always logged.

Godfrey

--- pptpd-1.0.0/pptpmanager.c Thu Sep 23 12:01:28 1999 +++ pptpd-1.0.0.patched/pptpmanager.c Mon Sep 25 14:46:51 2000
@@ -188,11 +188,20 @@ * type deny so probably best to just drop it immediately like * this, as tcp wrappers usually do. */ + syslog(LOG_INFO, "CTRL: DENYED by tcp_wrappers connection from %s [%s] user \"%s\"", + eval_hostname(&(r.client)), + eval_hostaddr(&(r.client)), + eval_user(&r)); close(clientSocket); /* this would never be file descriptor 0, so use it as a error * value */ clientSocket = 0; + } else { + syslog(LOG_INFO, "CTRL: ALLOWED by tcp_wrappers connection from %s [%s] user \"%s\"", + eval_hostname(&(r.client)), + eval_hostaddr(&(r.client)), + eval_user(&r)); } } #endif sash wrote: > I want to log who and from here connect to my VPN-server > In ip-down script I found login name who was connected but I did'n found > from here > Help PLS > Thanks > Ganush A > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From heg at linpro.no Mon Apr 2 05:12:10 2001 
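Review bot: both new syslog() calls pass eval_user(&r), which in tcp_wrappers triggers an RFC 1413 ident lookup against the connecting host when the user is not yet known; that blocks the accept loop for the ident timeout on every control connection, and the value it returns is whatever the remote host chooses to answer, so the user field should be treated as remote-supplied and informational only (the same goes for the reverse-DNS name from eval_hostname()). Consider logging the ident result only when the ident lookup is actually wanted, and keep the address from eval_hostaddr() as the field operators correlate on. Minor: "DENYED" in the first format string should read "DENIED", since operators will grep for it.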
From: heg at linpro.no (Hans Einar Gautun)
Date: Mon, 2 Apr 2001 12:12:10 +0200
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: <01033020005400.10542@linux>; from berzerke@swbell.net on Sat, Mar 31, 2001 at 04:00:54 +0200
References: <20010330185520.B31233@nickel.kgarner.com> <01033020005400.10542@linux>
Message-ID: <20010402121210.A10924@beth>

I have a working setting with w2k client, rh7 with kernel 2.2.18 patched with ppp 2.3.11, ppp 2.3.11 with patch, 40 bit encryption and pptpd 1.0.1. It didn't work with kernel 2.4.2, ppp 2.4.0, but winME did.

On Sat, 31 Mar 2001 04:00:54 robert wrote:
> Has anyone gotten W2K with encryption working on a pptpd setup running 2.2
> kernel series and/or pppd 2.3 series?
>
> To answer your question, the setup works fine with both windows 98 and 95
> clients. I don't have access to w2k or me clients to test.
>
> Out of curiosity, is the w2k using NAT? According to M$: If the Virtual
> Private Network (VPN) client is behind any network device performing Network
> Address Translation (NAT), the L2TP session fails because encrypted IPSec
> Encapsulating Security Payload (ESP) packets become corrupted.
>
> The problem *seems* to be w2k, not pptpd. I know M$ purposely created
> incompatibilities with bind and kerbos (sp?). I wonder if we have hit upon
> another incompatibility...or a bug????
>
> On Friday 30 March 2001 18:55, Keith T. Garner wrote:
> > I just setup and got running pptpd 1.2.2 on a
> > machine with the 2.4.2 kernel. I followed the HOWTO at
> > http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt. It was a
> > great amount of help, thanks to whomever threw it together.
> >
> > After digging through the past two months worth of archives on this
> > mailing list, it looks like I've hit what has become a common problem.
> >
> > Using win2k with encryption off, it works flawlessly. Packets go back
> > and forth with ease, giving me access to our private networks.
> >
> > However, using win2k as a client against the server with encryption on
> > (128 bit stateless) all packets between ppp0 on the server and the
> > win2k client seem to just disappear into the void. As others have said,
> > packets appear to be going over the line thanks to the blinky lights
> > on win2k, and I do see "ACCEPTS" being matched in the iptables.
> >
> > I just wanted to toss out that "yes, this is a real problem, and it
> > appears to be an issue with mppe and win2k." I haven't had a chance
> > to test it with other clients yet, and I plan on doing it either this
> > weekend or on Monday.
> >
> > Actually, my coworker had a win98 box up that I could test with quickly.
> > Doing both encrypted and non-encrypted connections, the win98 box can
> > connect and work flawlessly as a pptp client.
> >
> > So, to sum up, win98 works well both encrypted and nonencrypted.
> > win2k only works well unencrypted. Adding more logs to the fire of
> > "win2k isn't working encrypted with the stone soup in the subject."
> >
> > Anything I can do to help, send logs to the list or whatever, let me know.
> > (I'm too mentally fried this week to dig into it further at this point.)
> >
> > Keith
>

Hans Einar Gautun

From mickh at kincrome.com.au Mon Apr 2 06:02:27 2001
From: mickh at kincrome.com.au (Michael Hayes)
Date: Mon, 2 Apr 2001 21:02:27 +1000
Subject: [pptp-server] ipmasqadm, ipfwd etc
Message-ID: <01cb01c0bb64$68e49b30$640aa8c0@Mick>

Hi,

I have a poptop server tested and working on the firewall at work; I can connect from windows clients at other people's houses (not behind firewalls). Unfortunately I can't connect from my home, behind a masq ipchains firewall. I have been doing some reading and can't for the life of me get it to work.

While testing I have only been using a very small set of rules.

ipchains -A forward -s 192.168.10.0/24 -d 0.0.0.0/0.0.0.0 -j MASQ
ipchains -A input -p tcp -s 0.0.0.0/0 -d 192.168.10.0/24 1723 -j ACCEPT
ipmasqadm portfw -a -P tcp -L 203.164.64.43 1723 -R 192.168.10.100 1723
ipfwd --masq 192.168.10.100 47 &

My internal windows machine that I am trying to connect from is 192.168.10.100 and my external ip is 203.164.64.43.
Could anyone point me in the direction of something I might be doing wrong.

Thanks

Mick

From mickh at kincrome.com.au Mon Apr 2 06:35:14 2001
From: mickh at kincrome.com.au (Michael Hayes)
Date: Mon, 2 Apr 2001 21:35:14 +1000
Subject: [pptp-server] Fw: ipmasqadm, ipfwd etc
Message-ID: <001001c0bb69$01892820$640aa8c0@Mick>

Thanks, I found the ip_masq_pptp.o module and all is well.

mick

----- Original Message -----
From: "Michael Hayes"
To:
Sent: Monday, April 02, 2001 9:02 PM
Subject: ipmasqadm, ipfwd etc

> Hi,
>
> I have a poptop server tested and working on the firewall at work, I can
> connect from windows clients at other people's houses (not behind firewalls).
> Unfortunately I can't connect from my home, behind a masq ipchains
> firewall. I have been doing some reading and can't for the life of me get
> it to work.
>
> While testing I have only been using a very small set of rules.
>
> ipchains -A forward -s 192.168.10.0/24 -d 0.0.0.0/0.0.0.0 -j MASQ
> ipchains -A input -p tcp -s 0.0.0.0/0 -d 192.168.10.0/24 1723 -j ACCEPT
> ipmasqadm portfw -a -P tcp -L 203.164.64.43 1723 -R 192.168.10.100 1723
> ipfwd --masq 192.168.10.100 47 &
>
> My internal windows machine that I am trying to connect from is
> 192.168.10.100 and my external ip is 203.164.64.43.
> Could anyone point me in the direction of something I might be doing wrong.
>
> Thanks
>
> Mick
>

From sash at exoft.tomsk.ru Mon Apr 2 23:21:53 2001
From: sash at exoft.tomsk.ru (sash)
Date: Tue, 3 Apr 2001 12:21:53 +0800
Subject: [pptp-server] How I can know who is connected over my VPN-server (IP-Adress)

> The following logs even failed connections that tcp_wrappers
> rejects. This only works if tcp_wrappers is used.
>
> The patch also works with later versions of pptpd.
>
> "User" is only logged if an ident server is running, so in
> the case of win9x the user is not logged; however the ip and
> hostname are always logged.
>
> Godfrey

My situation:
I'm using pptpd (from inittab). When a user connects to my VPN-server, it runs pppd, and pppd runs the ip-up script. This script inserts a record (ip-address for the client, user name from the pppd environment) into my SQL-server. When the client is down (disconnected), pppd runs the ip-down script. This script inserts additional information such as received and sent bytes and connection time from the pppd environment.

I need to log to my SQL-server the address the client connected from! I need the IP address of the client. I can see this information in my syslog but I can't use it. How can I use this information? If pptpd set an environment variable with the client IP address, this would be good!

Thanks
Sash

From werner.hofer at igs.at Tue Apr 3 03:28:00 2001
From: werner.hofer at igs.at (werner.hofer at igs.at)
Date: Tue, 3 Apr 2001 10:28:00 +0200
Subject: [pptp-server] pptpd W2K it works!

Thanks to all who worked on the W2K problem!

My working configuration:
pptpd (PoPToP) version 1.1.2
pppd version 2.4.0
linux kernel 2.4.0

Gill Vern's patch (http://linus.yi.org - PPP Section) and options-file did the rest - so mppe encryption works on my Configuration.
Cowles Steve (http://www.infohiiway.com/pptp/proxyarp.html) helped me a lot with the proxyarp stuff.
And whoever wrote this http://home.swbell.net/berzerke/2.4_kernel_PPTPD-HOWTO.txt did a great job - to give me a clue at the beginning.

Ing. Werner Hofer
____________________________________________________
IGS Systemmanagement GmbH & Co KG
Dorfplatz 5
A-4531 Piberbach
phone: +43 7228 6451 0    home: http://www.igs.at
fax: +43 7228 6451 30     eMail: igs at igs.at
hotline: fax: +43 7228 6451 20    eMail: hotline at igs.at
____________________________________________________
NEWSFLASH___________________________________________
- Succeed with the IGS e-commerce solution!
- Change to §§ 131 and 132 para. 3 of the BAO regarding the "provision of data media to tax auditors"!
NEWSFLASH___________________________________________

From michael at alife.de Tue Apr 3 03:00:23 2001
From: michael at alife.de (Michael Lantzen)
Date: Tue, 3 Apr 2001 10:00:23 +0200
Subject: [pptp-server] chapms-v2 and pam
Message-ID: <000801c0bc14$31fb1440$7877f3c3@lifestyle.lokal>

Hi,

does anyone know if it is possible to configure chapms-v2 in pppd not to use the /etc/ppp/chap-secrets? I want to use pam to access the usernames and passwords from an nt-domain controller.

bye
Michael

From winter at sar-gmbh.com Tue Apr 3 04:17:47 2001
From: winter at sar-gmbh.com (Winter, Thomas)
Date: Tue, 3 Apr 2001 11:17:47 +0200
Subject: [pptp-server] VPN connection to Bintec X1200 (with VPN Licence)

Hi,

has anyone managed to get a connection between a Bintec X1200 and pptpd 1.1.2 on a linux server?

bye,
Tom

From ctresco at mit.edu Tue Apr 3 08:15:35 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Tue, 3 Apr 2001 09:15:35 -0400
Subject: [pptp-server] How I can know who is connected over my VPN-server (IP-Adress)

Until functionality like that is written in, you can write a script that parses your syslog and pulls out the ip.

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of sash
Sent: Tuesday, April 03, 2001 12:22 AM
To: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] How I can know who is connected over my VPN-server (IP-Adress)

> The following logs even failed connections that tcp_wrappers
> rejects. This only works if tcp_wrappers is used.
>
> The patch also works with later versions of pptpd.
>
> "User" is only logged if an ident server is running, so in
> the case of win9x the user is not logged; however the ip and
> hostname are always logged.
>
> Godfrey

My situation:
I'm using pptpd (from inittab). When a user connects to my VPN-server, it runs pppd, and pppd runs the ip-up script. This script inserts a record (ip-address for the client, user name from the pppd environment) into my SQL-server. When the client is down (disconnected), pppd runs the ip-down script. This script inserts additional information such as received and sent bytes and connection time from the pppd environment.

I need to log to my SQL-server the address the client connected from! I need the IP address of the client. I can see this information in my syslog but I can't use it. How can I use this information? If pptpd set an environment variable with the client IP address, this would be good!

Thanks
Sash

From ctresco at mit.edu Tue Apr 3 08:17:33 2001
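Christopher Tresco's suggestion (parse the syslog and pull out the ip), as an added example that is not from the list or from pptpd: it joins the tcp_wrappers ALLOWED/DENYED line from Godfrey's patch with the pppd session that follows, so the client's real source address is recorded next to the user name and the tunnel IP, which is the only address pppd's ip-up environment knows. Assumptions: the sample log lines are constructed after the formats shown on this page, and pairing a control connection with the next pppd start is an ordering heuristic for a lightly loaded server, not something pptpd guarantees.

```python
"""Correlate pptpd control connections with the pppd sessions they launch.

Added example, not pptpd or pppd code.  Input is syslog text in the format
shown on this page; the ALLOWED/DENYED lines are those emitted by the
tcp_wrappers patch posted in this thread.
"""
import re
from collections import deque

# e.g. "Apr 1 13:05:12 firewall pppd[1923]: remote IP address 192.168.1.20"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>pptpd|pppd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Format string of the patched pptpmanager.c: ... connection from %s [%s] user "%s"
WRAP_RE = re.compile(
    r'^CTRL: (?P<verdict>ALLOWED|DENYED) by tcp_wrappers connection from '
    r'(?P<host>\S+) \[(?P<addr>[^\]]+)\] user "(?P<ident>[^"]*)"$')
AUTH_RE = re.compile(r"^MSCHAP-v2 peer authentication succeeded for (?P<peer>.+)$")
REMOTE_RE = re.compile(r"^remote IP address (?P<ip>\S+)$")

# Constructed sample, modelled on the log excerpt and the patch on this page.
SAMPLE_LOG = r"""
Apr 1 13:05:09 firewall pptpd[1900]: CTRL: ALLOWED by tcp_wrappers connection from dialup7.example.net [203.0.113.7] user "unknown"
Apr 1 13:05:10 firewall pptpd[1922]: CTRL: Starting call (launching pppd, opening GRE)
Apr 1 13:05:10 firewall pppd[1923]: pppd 2.4.0 started by root, uid 0
Apr 1 13:05:10 firewall pppd[1923]: Using interface ppp0
Apr 1 13:05:12 firewall pppd[1923]: MSCHAP-v2 peer authentication succeeded for CPQTDM\\TEastep
Apr 1 13:05:12 firewall pppd[1923]: remote IP address 192.168.1.20
Apr 1 13:05:12 firewall pppd[1923]: MPPE 128 bit, stateless compression enabled
Apr 1 13:07:01 firewall pptpd[1900]: CTRL: DENYED by tcp_wrappers connection from unknown [198.51.100.9] user "unknown"
"""


def correlate(lines):
    """Return (sessions, denied).

    sessions: one dict per pppd session that reached 'remote IP address',
    carrying the client's source address from its control connection.
    denied: control connections rejected by tcp_wrappers.

    Pairing heuristic (assumption, not a pptpd guarantee): the ALLOWED line
    is logged by the manager process, 'Starting call' by the per-connection
    child, and the pppd it execs logs under its own pid, so the three are
    matched in arrival order.  Connections arriving within the same second
    can be mis-paired; both pids are kept so such cases can be checked.
    """
    accepted = deque()   # clients passed by tcp_wrappers, not yet in a call
    launching = deque()  # (pptpd child pid, client) waiting for its pppd
    sessions = {}        # pppd pid -> record under construction
    done, denied = [], []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        prog, pid, msg = m["prog"], int(m["pid"]), m["msg"]
        if prog == "pptpd":
            w = WRAP_RE.match(msg)
            if w and w["verdict"] == "DENYED":
                denied.append({"ts": m["ts"], "client_host": w["host"],
                               "client_addr": w["addr"]})
            elif w:
                accepted.append({"client_host": w["host"], "client_addr": w["addr"],
                                 "ident": w["ident"]})
            elif msg.startswith("CTRL: Starting call") and accepted:
                launching.append((pid, accepted.popleft()))
            continue
        # pppd lines from here on
        if msg.startswith("pppd ") and " started by " in msg:
            if launching:
                ctrl_pid, client = launching.popleft()
                sessions[pid] = dict(client, pptpd_pid=ctrl_pid, pppd_pid=pid,
                                     started=m["ts"])
            continue
        rec = sessions.get(pid)
        if rec is None:
            continue
        a, r = AUTH_RE.match(msg), REMOTE_RE.match(msg)
        if a:
            rec["user"] = a["peer"]
        elif r and "user" in rec:
            rec["tunnel_ip"] = r["ip"]
            done.append(sessions.pop(pid))
    return done, denied


def sessions_from_text(text):
    """Convenience wrapper for a whole syslog excerpt."""
    return correlate(text.splitlines())


if __name__ == "__main__":
    done, denied = sessions_from_text(SAMPLE_LOG)
    for s in done:
        print("%(started)s %(user)s from %(client_addr)s (%(client_host)s) "
              "-> tunnel %(tunnel_ip)s pppd[%(pppd_pid)d]" % s)
    for d in denied:
        print("%(ts)s DENIED %(client_addr)s (%(client_host)s)" % d)
```

The records can be handed to the ip-up SQL insert sash describes; the denied list is the part the pppd environment never sees.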
From: ctresco at mit.edu (Christopher Tresco)
Date: Tue, 3 Apr 2001 09:17:33 -0400
Subject: [pptp-server] chapms-v2 and pam
In-Reply-To: <000801c0bc14$31fb1440$7877f3c3@lifestyle.lokal>

That is possible only if you use PAP and pam_smb. I believe there are a few emails in the archive of this list about it.

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Michael Lantzen
Sent: Tuesday, April 03, 2001 4:00 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] chapms-v2 and pam

Hi,

does anyone know if it is possible to configure chapms-v2 in pppd not to use the /etc/ppp/chap-secrets? I want to use pam to access the usernames and passwords from an nt-domain controller.

bye
Michael

From walterm at Gliatech.com Tue Apr 3 08:50:24 2001
From: walterm at Gliatech.com (Michael Walter)
Date: Tue, 3 Apr 2001 09:50:24 -0400
Subject: [pptp-server] Website and download locations

Hello All,

I have recently run into a need to rebuild my firewall/vpn (up for two years now, thanks for a great and stable vpn solution). I will be using the 2.4.2 kernel (custom build). First, I recall from lurking on this list for the past two years that the website for the most recent poptop implementations had changed. Can someone please supply me the current address? Second, are there any gotchas or issues that I need to be aware of in working with poptop on this kernel? Finally, whenever I do a build like this it is necessary for me to document the build such that someone with no linux experience can repeat the build (in case I leave the company ;) ). Last time I did this, I submitted to this group and some information was added to the Redhat howto. I'll gladly submit my instructions to the group, and redhat howto maintainer again if there is a need.

Thanks,

Michael J. Walter
rhce mcdba mcse+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

From berzerke at swbell.net Tue Apr 3 09:10:45 2001
From: berzerke at swbell.net (robert)
Date: Tue, 03 Apr 2001 09:10:45 -0500
Subject: [pptp-server] Website and download locations
Message-ID: <01040309104500.00822@linux>

Instructions for the 2.4 kernel can be found at http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt among other places. This howto has been updated to include W2K encryption support. Iptables info is still preliminary, but some info is there. I'm working on better iptables info as time (and wife) allow.

On Tuesday 03 April 2001 08:50, Michael Walter wrote:
> Hello All,
>
> I have recently run into a need to rebuild my firewall/vpn (up for two
> years now, thanks for a great and stable vpn solution). I will be using
> the 2.4.2 kernel(custom build). First I recall from lurking on this list
> for the past two years that the website for the most recent poptop
> implementations had changed. Can someone please supply me the current
> address? Second, are there any gotcha's or issues that I need to be aware
> of in working with poptop on this kernel. Finally, whenever I do a build
> like this it is necessary for me to document the build such that someone
> with no linux experience can repeat the build (in case I leave the company
> ;) ). Last time I did this, I submitted to this group and some information
> was added to the Redhat howto. I'll gladly submit my instructions to the
> group, and redhat howto maintainer again if there is a need.
>
>
> Thanks,
>
> Michael J. Walter
> rhce mcdba mcse+i a+
> Network Administrator
> Gliatech, Inc.
> 23420 Commerce Park Rd.
> Beachwood, Ohio 44122
> Tel: (216) 831-3200
> Email: walterm at gliatech.com

From JaminC at adapt-tele.com Tue Apr 3 09:22:27 2001
From: JaminC at adapt-tele.com (Jamin Collins)
Date: Tue, 3 Apr 2001 09:22:27 -0500
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic

I may be reading too much into this, but I'm getting the impression that both of the tests are being performed through the PPTP connection. Thus, the encryption/decryption is happening for both the FTP and the SMB transfers. Thus his concern over why FTP is 10 times faster than SMB.

Jamin W. Collins

> -----Original Message-----
> From: robert [mailto:berzerke at swbell.net]
> Sent: Friday, March 30, 2001 9:07 AM
> To: Tife Chan; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Performance difference between TCPIP and SMB traffic
>
>
> Understand that *some* slowness is normal. Think what has to happen to those
> little packets. (This order may be wrong..) First they are encrypted, then
> encapsulated, then the routing is changed, then they are sent over the wire,
> where the process is reversed. These changes take time, although not much for
> each packet. None of these steps occur with ftp, so there is less overhead.
> Now how much slowness is normal I don't know. I'll have to do some tests
> myself and post the results here later.
>
>
> On Thursday 29 March 2001 21:43, Tife Chan wrote:
> > Hi all,
> >
> > I found that passing SMB traffic through the pptp link is much slower than
> > TCPIP. I have network A and network B and they are connected together with
> > two linux servers using pptp. When ftp a file from network A to network B,
> > the speed is fine.
> > But when I try to copy the same file from network A to network B through
> > Windows Explorer, the speed is much much slower.
> >
> > Any idea?
> >
> > Thanks.
> >
> > Regards,
> > Tife Chan
>

From teastep at seattlefirewall.dyndns.org Tue Apr 3 09:21:11 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Tue, 3 Apr 2001 07:21:11 -0700 (PDT)
Subject: [pptp-server] Website and download locations
In-Reply-To: <01040309104500.00822@linux>

Thus spoke robert:

> Instructions for the 2.4 kernel can be found at
> http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt among other
> places. This howto has been updated to include W2K encryption support.
> Iptables info is still preliminary, but some info is there. I'm working on
> better iptables info as time (and wife) allow.
>

You can also find an iptables-based firewall at http://shorewall.sourceforge.net

I haven't yet updated the site with instructions for PoPToP but I'm running PoPToP on my firewall system here. I'll try to get the site updated in the next day or so...

-Tom
--
Tom Eastep \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924 \ Websites: http://seawall.sourceforge.net
teastep at evergo.net \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net
\_________________________________________

From tife.chan at adsociety.com Tue Apr 3 10:46:38 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Tue, 3 Apr 2001 23:46:38 +0800
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic

Yes, exactly what I'm thinking. I performed another test: under a local network environment, SMB is about 3 times slower than FTP. Back to the VPN, as both FTP and SMB traffic is encrypted, theoretically.. the max speed for SMB should be 3 times slower than usual TCP traffic. Anything I'm missing?

Regards,
Tife Chan

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Jamin Collins
> Sent: Tuesday, April 03, 2001 10:22 PM
> To: 'robert'; Tife Chan; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] Performance difference between TCPIP and SMB
> traffic
>
>
> I may be reading too much into this, but I'm getting the impression that
> both of the tests are being performed through the PPTP connection. Thus,
> the encryption/decryption is happening for both the FTP and the SMB
> transfers. Thus his concern over why FTP is 10 times faster than SMB.
>
> Jamin W. Collins
>
> > -----Original Message-----
> > From: robert [mailto:berzerke at swbell.net]
> > Sent: Friday, March 30, 2001 9:07 AM
> > To: Tife Chan; pptp-server at lists.schulte.org
> > Subject: Re: [pptp-server] Performance difference between
> > TCPIP and SMB traffic
> >
> >
> > Understand that *some* slowness is normal. Think what has to happen to
> > those little packets. (This order may be wrong..) First they are
> > encrypted, then encapsulated, then the routing is changed, then they are
> > sent over the wire, where the process is reversed. These changes take
> > time, although not much for each packet. None of these steps occur with
> > ftp, so there is less overhead. Now how much slowness is normal I don't
> > know. I'll have to do some tests myself and post the results here later.
> >
> >
> > On Thursday 29 March 2001 21:43, Tife Chan wrote:
> > > Hi all,
> > >
> > > I found that passing SMB traffic through the pptp link is much slower
> > > than TCPIP. I have network A and network B and they are connected
> > > together with two linux servers using pptp. When ftp a file from
> > > network A to network B, the speed is fine.
> > > But when I try to copy the same file from network A to network B
> > > through Windows Explorer, the speed is much much slower.
> > >
> > > Any idea?
> > >
> > > Thanks.
> > >
> > > Regards,
> > > Tife Chan
> >
>
>

From Steve at SteveCowles.com Tue Apr 3 11:11:08 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Tue, 3 Apr 2001 11:11:08 -0500
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE71D@defiant.infohiiway.com>

> -----Original Message-----
> From: Jamin Collins [mailto:JaminC at adapt-tele.com]
> Sent: Tuesday, April 03, 2001 9:22 AM
> To: 'robert'; Tife Chan; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] Performance difference between
> TCPIP and SMB traffic
>
>
> I may be reading too much into this, but I'm getting the
> impression that both of the tests are being performed through
> the PPTP connection. Thus, the encryption/decryption is happening
> for both the FTP and the SMB transfers. Thus his concern over why
> FTP is 10 times faster than SMB.
>
> Jamin W. Collins

I agree, there is something else wrong if he is getting a 10x difference between FTP and SMB packets. Personally, I have also noticed a difference in speed when using FTP versus SMB, but not on the order of 10x. I have never measured the difference, but I would say I see a 15-20% decrease when using SMB.

FWIW: SMB packets are also encapsulated (netbios), which is then encapsulated again (and possibly encrypted) into a GRE packet before being sent across the tunnel. In contrast, FTP uses raw TCP/IP as its transport, but its packets are still encapsulated/encrypted into a GRE packet before being sent across the tunnel.

If I was to guess at where the problem lies, it would be in one of the following areas:

1) How Netbios is configured on Windows or Samba (like the "socket options" in smb.conf)
2) The TCP Window size (TCPWIN)
3) The MTU/MRU parameters of the PPTP tunnel.

Without using a packet sniffer it's hard to tell, but it's possible that the SMB packets (after being encapsulated twice) are being fragmented at the PPTP server/router, thus causing additional overhead because the GRE packets are now larger than the allowed MRU/MTU (bytes) and have to be broken up into two packets to be properly transmitted across the tunnel.

That's my two bits. If I get some time, I will try to create a packet capture on the difference between FTP/SMB transfers across a PPTP tunnel. If I remember right, packets that have been fragmented are flagged as such and easily spotted.

Steve Cowles

>
> > -----Original Message-----
> > From: robert [mailto:berzerke at swbell.net]
> > Sent: Friday, March 30, 2001 9:07 AM
> > To: Tife Chan; pptp-server at lists.schulte.org
> > Subject: Re: [pptp-server] Performance difference between
> > TCPIP and SMB traffic
> >
> >
> > Understand that *some* slowness is normal. Think what has to
> > happen to those little packets. (This order may be wrong..)
> > First they are encrypted, then encapsulated, then the routing
> > is changed, then they are sent over the wire, where the process
> > is reversed. These changes take time, although not much for
> > each packet. None of these steps occur with ftp, so there is
> > less overhead. Now how much slowness is normal I don't know.
> > I'll have to do some tests myself and post the results here
> > later.
> >
> >
> > On Thursday 29 March 2001 21:43, Tife Chan wrote:
> > > Hi all,
> > >
> > > I found that passing SMB traffic through the pptp link is
> > > much slower than TCPIP. I have network A and network B and
> > > they are connected together with two linux servers using pptp.
> > > When ftp a file from network A to network B, the speed is fine.
> > > But when I try to copy the same file from network A to network
> > > B through Windows Explorer, the speed is much much slower.
> > >
> > > Any idea?
> > >
> > > Thanks.
> > >
> > > Regards,
> > > Tife Chan

From ajennamo at uncc.edu Tue Apr 3 12:38:08 2001
From: ajennamo at uncc.edu (Andy Ennamorato)
Date: Tue, 3 Apr 2001 13:38:08 -0400 (EDT)
Subject: [pptp-server] chapms-v2 and pam
In-Reply-To: <000801c0bc14$31fb1440$7877f3c3@lifestyle.lokal>

I'm looking to do the same thing with PPTP/PPPD, but have it use PAM to authenticate with Kerberos on Unix. Is this also possible?

Andy
ajennamo at uncc.edu

On Tue, 3 Apr 2001, Michael Lantzen wrote:

> Hi,
>
> does anyone know if it is possible to configure chapms-v2 in pppd not to use the /etc/ppp/chap-secrets? I want to use pam to access the usernames and passwords from an nt-domain controller.
>
> bye
> Michael
>

From scott at scojoh.com Tue Apr 3 14:52:16 2001
From: scott at scojoh.com (Scott Johnston)
Date: Tue, 03 Apr 2001 15:52:16 -0400
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
Message-ID: <3ACA29F0.7EC68E4E@scojoh.com>

I see a similar and significant difference between ftp and smb on internal networks as well as over the pptp link. I always thought it was caused by windows being less than efficient in the way it copied files.

Scott

Tife Chan wrote:
>
> Hi all,
>
> I found that passing SMB traffic through the pptp link is much slower than TCPIP.
> I have network A and network B and they are connected together with two linux servers using pptp.
> When ftp a file from network A to network B, the speed is fine.
> But when I try to copy the same file from network A to network B through Windows Explorer,
> the speed is much much slower.
>
> Any idea?
>
> Thanks.
>
> Regards,
> Tife Chan
>

From jward at cem.msu.edu Tue Apr 3 16:19:22 2001
From: jward at cem.msu.edu (Joe Ward)
Date: Tue, 03 Apr 2001 17:19:22 -0400
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
In-Reply-To: <3ACA29F0.7EC68E4E@scojoh.com>
Message-ID: <5.0.2.1.2.20010403171707.00b0f0d0@pop3.norton.antivirus>

Okay, so I asked my NT engineer friend to enlighten me on this subject. We talked about this long ago, well before I even started using vpn tunnels and the like. Below is the blurb from that conversation.

--------------
The issue is with latency. SMB is a poor WAN protocol. It takes about 53 packets to just rename a file. This is 1 packet, ack, 1 packet, ack, etc. The reason is directory traversal. Each step into a directory requires a full security check. So, instead of a single "Hey, rename this file" packet, you have a packet for each step into the filesystem. So, fine in a LAN, sucks in a WAN.
-------------------------------

This explains a lot with my case in particular. I get a huge number of out of order packets; things are better now that I upgraded to the latest pptpd, but it still drops packets cause the buffer isn't that big (unless someone can explain how to up that figure). I've also wanted to go back and look at the mtu settings and such from the options file thread, but I have not had the opportunity to do so, in hopes of tweaking everything the best I can.

It also explains a lot based on the past arguments of wrapping, encoding, unwrapping etc. True, you have to do this for ftp, but you don't transfer as many packets with ftp as you do with SMB.

-Joe Ward

At 4/3/2001 03:52 PM, Scott Johnston wrote:
>I see a similar and significant difference between ftp and smb on
>internal networks as well as over the pptp link. I always thought it
>was caused by windows being less than efficient in the way it copied
>files.
>
>Scott
>
>Tife Chan wrote:
> >
> > Hi all,
> >
> > I found that passing SMB traffic through the pptp link is much slower
> > than TCPIP.
> > I have network A and network B and they are connected together with two
> > linux servers using pptp.
> > When ftp a file from network A to network B, the speed is fine.
> > But when I try to copy the same file from network A to network B
> > through Windows Explorer,
> > the speed is much much slower.
> >
> > Any idea?
> >
> > Thanks.
> >
> > Regards,
> > Tife Chan
> >

From charlieb at e-smith.com Tue Apr 3 16:44:21 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Tue, 3 Apr 2001 17:44:21 -0400 (EDT)
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
In-Reply-To: <5.0.2.1.2.20010403171707.00b0f0d0@pop3.norton.antivirus>

On Tue, 3 Apr 2001, Joe Ward wrote:

> this explains a lot with my case in particular. I get a huge number of out
> of order packets, things are better now that I upgraded to the latest
> pptpd, but it still drops packets cause the buffer isn't that big (unless
> someone can explain how to up that figure)

PPTP degrades very quickly with dropped packets, and out of order packets are the equivalent of multiple dropped packets (ameliorated somewhat by the limited packet reordering in the latest pptpd).

--
Charlie Brady charlieb at e-smith.com
http://www.e-smith.org (development)
http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000
Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From vgill at technologist.com Tue Apr 3 20:55:36 2001
From: vgill at technologist.com (Gill, Vern)
Date: Tue, 3 Apr 2001 18:55:36 -0700
Subject: [pptp-server] Website and download locations
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D72@ftp.gillnet.org>

You can also check out http://linus.yi.org. I have most of the various patches for pppd if you click on the ppp tab. Under the Masq tab you will find a "usable" iptables script...

Enjoy...

-----Original Message-----
From: Tom Eastep [mailto:teastep at seattlefirewall.dyndns.org]
Sent: Tuesday, April 03, 2001 7:21 AM
To: robert
Cc: Michael Walter; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] Website and download locations

Thus spoke robert:

> Instructions for the 2.4 kernel can be found at
> http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt among
> other places. This howto has been updated to include W2K
> encryption support. Iptables info is still preliminary, but some
> info is there. I'm working on better iptables info as time (and
> wife) allow.
>

You can also find an iptables-based firewall at http://shorewall.sourceforge.net

I haven't yet updated the site with instructions for PoPToP but I'm running PoPToP on my firewall system here. I'll try to get the site updated in the next day or so...

-Tom
--
Tom Eastep    \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924 \ Websites: http://seawall.sourceforge.net
teastep at evergo.net \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net

From vgill at technologist.com Tue Apr 3 20:57:33 2001
From: vgill at technologist.com (Gill, Vern)
Date: Tue, 3 Apr 2001 18:57:33 -0700
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D73@ftp.gillnet.org>

Hans,

I have a (several actually) working w2k client hitting pptpd-1.1.2, kernel-2.4.2, ppp-2.4.0... If you want more info, check out my site at http://linus.yi.org. Click on the PPP tab...

-----Original Message-----
From: Hans Einar Gautun [mailto:heg at linpro.no]
Sent: Monday, April 02, 2001 3:12 AM
To: robert; kgarner at kgarner.com; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2

I have a working setting with w2k client, rh7 with kernel 2.2.18 patched with ppp 2.3.11, ppp 2.3.11 with patch, 40 bit encryption and pptpd 1.0.1. It didn't work with kernel 2.4.2, ppp 2.4.0, but winME did.

On Sat, 31 Mar 2001 04:00:54 robert wrote:
> Has anyone gotten W2K with encryption working on a pptpd setup
> running 2.2 kernel series and/or pppd 2.3 series?
>
> To answer your question, the setup works fine with both windows 98
> and 95 clients. I don't have access to w2k or me clients to test.
>
> Out of curiosity, is the w2k using NAT? According to M$: If the
> Virtual Private Network (VPN) client is behind any network device
> performing Network Address Translation (NAT), the L2TP session
> fails because encrypted IPSec Encapsulating Security Payload (ESP)
> packets become corrupted.
>
> The problem *seems* to be w2k, not pptpd. I know M$ purposely
> created incompatibilities with bind and kerbos (sp?). I wonder if
> we have hit upon another incompatibility...or a bug????
>
> On Friday 30 March 2001 18:55, Keith T. Garner wrote:
> > I just setup and got running pptpd 1.2.2 on a
> > machine with the 2.4.2 kernel. I followed the HOWTO at
> > http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt. It
> > was a great amount of help, thanks to whomever threw it together.
> >
> > After digging through the past two months worth of archives on
> > this mailing list, it looks like I've hit what has become a
> > common problem.
> >
> > Using win2k with encryption off, it works flawlessly. Packets go
> > back and forth with ease, giving me access to our private
> > networks.
> >
> > However, using win2k as a client against the server with
> > encryption on (128 bit stateless) all packages between ppp0 on
> > the server and the win2k client seem to just disappear into the
> > void. As others have said, packets appear to be going over the
> > line thanks to the blinky lights on win2k, and I do see "ACCEPTS"
> > being matched in the iptables.
> >
> > I just wanted to toss out that "yes, this is a real problem, and
> > it appears to be an issue with mppe and win2k." I haven't had a
> > chance to test it with other clients yet, and I plan on doing it
> > either this weekend or on Monday.
> >
> > Actually, my coworker had a win98 box up that I could test with
> > quickly. Doing both encrypted and non-encrypted connections, the
> > win98 box can connect and work flawlessly as a pptp client.
> >
> > So, to sum up, win98 works well both encrypted and nonencrypted.
> > win2k only works well unencrypted. Adding more logs to the fire
> > of "win2k isn't working encrypted with the stone soup in the
> > subject."
> >
> > Anything I can do to help, send logs to the list or whatever, let
> > me know. (I'm too mentally fried this week to dig into it further
> > at this point.)
> >
> > Keith
>

Hans Einar Gautun

From doc at docwardo.net Tue Apr 3 22:55:54 2001
From: doc at docwardo.net (Joe Ward)
Date: Tue, 03 Apr 2001 23:55:54 -0400
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
In-Reply-To:
References: <5.0.2.1.2.20010403171707.00b0f0d0@pop3.norton.antivirus>
Message-ID: <5.1.0.12.2.20010403235049.00ad60c0@argus.cem.msu.edu>

well, with the reordering it's a heck of a lot better than without. now I'm only losing maybe 40 out of 40,000 packets (as opposed to thousands that are out of order).

I do have a problem though. I really really need to turn off that darn message:

Apr 3 23:52:52 liquid pptpd[9067]: Buffering out-of-order packet; got 61018 after 61016

cause I really don't care about it if it has to reorder the packet, just whether or not it drops them. Sooooo I am not at liberty to scour the source code right now (due to time issues) and was hoping someone might be able to point it out to me ;) I'm using version: 1.1.2.

-Joe

At 4/3/2001 05:44 PM, Charlie Brady wrote:
>On Tue, 3 Apr 2001, Joe Ward wrote:
>
> > this explains a lot with my case in particular. I get a huge number of out
> > of order packets, things are better now that I upgraded to the latest
> > pptpd, but it still drops packets cause the buffer isn't that big (unless
> > someone can explain how to up that figure)
>
>PPTP degrades very quickly with dropped packets, and out of order packets
>are the equivalent of multiple dropped packets (ameliorated somewhat by
>the limited packet reordering in the latest pptpd).
>
>--
>
> Charlie Brady                         charlieb at e-smith.com
> http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
> Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
> e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From berzerke at swbell.net Tue Apr 3 23:53:26 2001
From: berzerke at swbell.net (robert)
Date: Tue, 03 Apr 2001 23:53:26 -0500
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
In-Reply-To:
References:
Message-ID: <01040323532600.01147@linux>

I didn't read it that way. I read it as normal (non VPN) FTP and VPN SMB. Your reading could change the answer significantly.

On Tuesday 03 April 2001 09:22, Jamin Collins wrote:
> I may be reading too much into this, but I'm getting the impression that
> both of the tests are being performed through the PPTP connection. Thus,
> the encryption/decryption is happening for both the FTP and the SMB
> transfers. Thus his concern over why FTP is 10 times faster than SMB.
>
> Jamin W. Collins
>
> > -----Original Message-----
> > From: robert [mailto:berzerke at swbell.net]
> > Sent: Friday, March 30, 2001 9:07 AM
> > To: Tife Chan; pptp-server at lists.schulte.org
> > Subject: Re: [pptp-server] Performance difference between
> > TCPIP and SMB traffic
> >
> > Understand that *some* slowness is normal. Think what has to
> > happen to those little packets. (This order may be wrong..) First
> > they are encrypted, then encapsulated, then the routing is changed,
> > then they are sent over the wire, where the process is reversed.
> > These changes take time, although not much for each packet. None
> > of these steps occur with ftp, so there is less overhead. Now how
> > much slowness is normal I don't know. I'll have to do some tests
> > myself and post the results here later.
> >
> > On Thursday 29 March 2001 21:43, Tife Chan wrote:
> > > Hi all,
> > >
> > > I found that passing SMB traffic through the pptp link is much
> > > slower than TCPIP. I have network A and network B and they are
> > > connected together with two linux servers using pptp. When ftp a
> > > file from network A to network B, the speed is fine.
> > > But when I try to copy the same file from network A to network B
> > > through Windows Explorer, the speed is much much slower.
> > >
> > > Any idea?
> > >
> > > Thanks.
> > >
> > > Regards,
> > > Tife Chan

From christopher at schulte.org Wed Apr 4 01:34:14 2001
From: christopher at schulte.org (Christopher Schulte)
Date: Wed, 04 Apr 2001 01:34:14 -0500
Subject: [pptp-server] ADMINISTRIVIA: test search engine for list archives
Message-ID: <5.1.0.12.0.20010404012410.035ae0e8@pop.schulte.org>

I've got a test search engine in place for the list archives. It might be rough, broken or whatever. If some of you could try it out, that'd be great. If it's something useful, I'll make sure it's added to the list info, and webpage. I'll probably also rm the entire message base, regenerate archive messages, and create a custom 404 ErrorDocument for search engine hits which tells them to look at the search page.

http://lists.schulte.org/htdig/lists/pptp-server/search.html

I have it updating the search database @ 12am daily, as such:

# daily htdig and clean log accesses from it
0 0 * * * /opt/www/htdig/bin/rundig 1> /dev/null 2> /dev/null
0 1 * * * /usr/local/apache/logs/remove-htdig.sh 1> /dev/null 2> /dev/null

General feedback is welcome, but I can't promise a response or implementation of new features. ;p

Thanks,

--
Christopher Schulte
Finger for PGP key, or for UNIX impaired:
http://noc.schulte.org/cgi-bin/noc/finger.cgi

From henrik.schuller at etx.ericsson.se Wed Apr 4 02:06:55 2001
From: henrik.schuller at etx.ericsson.se (Henrik Schüller (ETX))
Date: Wed, 4 Apr 2001 09:06:55 +0200
Subject: [pptp-server] pptpd and DHCP
Message-ID: <8DE93563AC71D311B30400508B5D5D8B013480A5@ESELINT201>

Hi guys,

How are you all ? :)

I am pretty new to this with pptp and VPNs in general and I have what I would guess is a pretty easy question. How do I let the pptp-server get IPs from the DHCP-server in the same machine and hand them out to the client?

Thanks in advance!

Henrik Schüller

From michael at alife.de Wed Apr 4 03:04:39 2001
From: michael at alife.de (Michael Lantzen)
Date: Wed, 4 Apr 2001 10:04:39 +0200
Subject: AW: [pptp-server] chapms-v2 and pam
In-Reply-To:
Message-ID: <000501c0bcdd$e60f4a90$7867a8c0@lifestyle.lokal>

Sure, you could authenticate against a nt domain with pam_smb_auth.so

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Andy
> Ennamorato
> Sent: Tuesday, 3 April 2001 19:38
> To: ajennamo at uncc.edu
> Cc: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] chapms-v2 and pam
>
> I'm looking to do the same thing with PPTP/PPPD, but have it use
> PAM to authenticate with Kerberos on Unix. Is this also possible?
>
> Andy
> ajennamo at uncc.edu
>
> On Tue, 3 Apr 2001, Michael Lantzen wrote:
>
> > Hi,
> >
> > does anyone know if it is possible to configure chapms-v2 in
> > pppd not to use the /etc/ppp/chap-secrets? I want to use pam to
> > access the usernames and passwords from a nt-domain controller.
> >
> > bye
> > Michael

From sash at exoft.tomsk.ru Wed Apr 4 06:54:43 2001
From: sash at exoft.tomsk.ru (sash)
Date: Wed, 4 Apr 2001 19:54:43 +0800
Subject: [pptp-server] How I can know who is connected over my VPN-server (IP-Address)
Message-ID:

> The following logs even failed connections that tcp_wrappers
> rejects. This only works if tcp_wrappers is used.
>
> The patch also works with latter versions of pptpd.
>
> "User" is only logged if an ident server is running, so in
> the case of win9x the user is not logged however the ip and
> hostname is always logged.
>
> Godfrey

My situation:

I'm using pptpd (from inittab). When a user connects with my VPN-server, it runs pppd, pppd runs the ip-up script. This script inserts a record (ip-address for client, user name from the pppd environment) into my SQL-server. When the client is down (disconnected) pppd runs the ip-down script. This script inserts additional information such as received and sent bytes, connection time from the pppd environment.

I need a log for my SQL-server of the address the client was connected from! I need an IP address of a client. I can see this information in my syslog but I can't use it. How can I use this information? If pptpd set environment about client IP address this will be good!

Thanks
Sash

From teastep at seattlefirewall.dyndns.org Wed Apr 4 09:37:17 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Wed, 4 Apr 2001 07:37:17 -0700 (PDT)
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
In-Reply-To: <5.1.0.12.2.20010403235049.00ad60c0@argus.cem.msu.edu>
Message-ID:

Thus spoke Joe Ward:

> cause I really don't care about it if it has to reorder the packet, just
> whether or not it drops them. Sooooo I am not at liberty to scour the
> source code right now (due to time issues) and was hoping someone might be
> able to point it out to me ;) I'm using version: 1.1.2.
>

cd pptpd-1.1.2
grep out-of-order *.c

-Tom
--
Tom Eastep    \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924 \ Websites: http://seawall.sourceforge.net
teastep at evergo.net \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net

From pobox-1 at bigfoot.com Wed Apr 4 09:42:15 2001
From: pobox-1 at bigfoot.com (mrauscher)
Date: Wed, 4 Apr 2001 07:42:15 -0700
Subject: [pptp-server] frees/wan and PoPToP on the same server?
Message-ID:

Hope this isn't redundant, but couldn't find a reference in previous posts... but, are there problems/issues with running pptp (PoPToP) and ipsec (frees/wan) tunnels to the same server? It seems like if the subnets are all distinct, they should stay out of each other's way, right? Am I missing something?

From gpearce at tibus.net Wed Apr 4 09:46:10 2001
From: gpearce at tibus.net (Gavin Pearce)
Date: Wed, 4 Apr 2001 15:46:10 +0100
Subject: [pptp-server] Getting PoPTop to use encrypted Passwords
Message-ID:

Other than using the samba patch does any one know how to get pptpd to use the /etc/passwd file ?? if possible

GAVIN PEARCE

From teastep at seattlefirewall.dyndns.org Wed Apr 4 10:24:42 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Wed, 4 Apr 2001 08:24:42 -0700 (PDT)
Subject: [pptp-server] frees/wan and PoPToP on the same server?
In-Reply-To:
Message-ID:

Thus spoke mrauscher:

> Hope this isn't redundant, but couldn't find a reference in
> previous posts... but, are there problems/issues with running
> pptp (PoPToP) and ipsec (frees/wan) tunnels to the same server?
> It seems like if the subnets are all distinct, they should stay
> out of each other's way, right? Am I missing something?
>

I run both on the same system here without difficulty.

-Tom
--
Tom Eastep    \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924 \ Websites: http://seawall.sourceforge.net
teastep at evergo.net \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA \ http://shorewall.sourceforge.net

From pstarzew at gbp.com Wed Apr 4 10:30:25 2001
From: pstarzew at gbp.com (Pete Starzewski)
Date: Wed, 04 Apr 2001 10:30:25 -0500
Subject: [pptp-server] Windows NT client 720 error
Message-ID: <4.3.2.7.1.20010404102416.00b1ae50@mail06.gbp.com>

Hi,

I'm new to the list and PoPToP. I installed it and it is working GREAT!!!....with one exception. I have an NT4 client that keeps getting a 720 error when it tries to connect. I searched the archives and I have seen several questions asked about it but never a reply. I have other NT4 systems that connect fine. Here are the log entries from the failed connect.

Apr 4 10:12:45 viper pptpd[9028]: CTRL: Received PPTP Control Message (type: 15)
Apr 4 10:12:45 viper pptpd[9028]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Apr 4 10:12:45 viper pptpd[9029]: CTRL (PPPD Launcher): local address = 10.8.99.2
Apr 4 10:12:45 viper pptpd[9029]: CTRL (PPPD Launcher): remote address = 10.8.99.102
Apr 4 10:12:45 viper pptpd[9028]: CTRL: Received PPTP Control Message (type: 15)
Apr 4 10:12:45 viper pptpd[9028]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr 4 10:12:46 viper pptpd[9028]: CTRL: Received PPTP Control Message (type: 12)
Apr 4 10:12:46 viper pptpd[9028]: CTRL: Made a CALL DISCONNECT RPLY packet
Apr 4 10:12:46 viper pptpd[9028]: CTRL: Received CALL CLR request (closing call)
Apr 4 10:12:46 viper pptpd[9028]: CTRL: I wrote 148 bytes to the client.
Apr 4 10:12:46 viper pptpd[9028]: CTRL: Sent packet to client
Apr 4 10:12:46 viper pptpd[9028]: CTRL: Error with select(), quitting
Apr 4 10:12:46 viper pptpd[9028]: CTRL: Client 24.164.241.232 control connection finished
Apr 4 10:12:46 viper pptpd[9028]: CTRL: Exiting now
Apr 4 10:12:46 viper pptpd[8993]: MGR: Reaped child 9028

Based on what I see, my guess is that it is choking when the IP address is assigned. I only see the following message in the logs that looks fishy and does not appear on a successful connect.

Received PPTP Control Message (type: 12)

Can anyone tell me what this means?

Thanks,
Pete

Pete Starzewski
Network Systems Engineer
Green Bay Packaging Inc.

From herve.guehl at dedigate.com Wed Apr 4 10:48:39 2001
From: herve.guehl at dedigate.com (Hervé Guehl)
Date: Wed, 4 Apr 2001 17:48:39 +0200
Subject: [pptp-server] ppp_mppe kernel 2.4..
Message-ID: <12EDCF4FE1D70A448BD3244329D8D059107AB4@exch01.dedigate.com>

Hi, I don't know if it is the right place for that mail.. If not please redirect me to the right mailing list...

I have problems with ppp_mppe & kernel 2.4

Downloaded the patches for kernel and pppd.. applied them..

But when I connect with a W2K client, there is the whole auth process... W2K is proud to say that the connection is up... and then... nothing... seems that the ppp interface is up but nothing goes through...

can anyone help..

Thx.

Hervé

From berzerke at swbell.net Wed Apr 4 12:40:04 2001
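The type numbers in Pete's "Received PPTP Control Message" lines above are the RFC 2637 control message types: 15 is Set-Link-Info and 12 is Call-Clear-Request, which the next line ("Received CALL CLR request") confirms. The shell function below is an added example, not list or pptpd code: it decodes those lines for one control-connection pid and says which side ended the call. The sample log is constructed from Pete's lines; the "control connection started" line and the function name are my assumptions.

```shell
#!/bin/sh
# Constructed syslog excerpt built from the pptpd lines quoted in this thread
# (80-column wraps removed); the "started" line is assumed for completeness.
PPTPD_LOG='Apr  4 10:12:30 viper pptpd[9028]: CTRL: Client 24.164.241.232 control connection started
Apr  4 10:12:45 viper pptpd[9028]: CTRL: Received PPTP Control Message (type: 15)
Apr  4 10:12:45 viper pptpd[9028]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Apr  4 10:12:45 viper pptpd[9028]: CTRL: Received PPTP Control Message (type: 15)
Apr  4 10:12:45 viper pptpd[9028]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr  4 10:12:46 viper pptpd[9028]: CTRL: Received PPTP Control Message (type: 12)
Apr  4 10:12:46 viper pptpd[9028]: CTRL: Made a CALL DISCONNECT RPLY packet
Apr  4 10:12:46 viper pptpd[9028]: CTRL: Received CALL CLR request (closing call)
Apr  4 10:12:46 viper pptpd[9028]: CTRL: Client 24.164.241.232 control connection finished'

# pptpd_ctrl_summary LOGTEXT PID  (hypothetical helper)
# Lists every control message the pptpd process PID logged as received, with
# its RFC 2637 name, then prints a verdict line: a Call-Clear-Request (type 12)
# is sent by the PNS, i.e. the Windows client, so its presence means the
# client hung the call up itself rather than pptpd dropping it.
pptpd_ctrl_summary() {
    printf '%s\n' "$1" | awk -v pid="$2" '
        BEGIN {
            tag = "pptpd[" pid "]:"          # syslog tag of the process we want
            name[1]  = "Start-Control-Connection-Request"
            name[2]  = "Start-Control-Connection-Reply"
            name[3]  = "Stop-Control-Connection-Request"
            name[4]  = "Stop-Control-Connection-Reply"
            name[5]  = "Echo-Request"
            name[6]  = "Echo-Reply"
            name[7]  = "Outgoing-Call-Request"
            name[8]  = "Outgoing-Call-Reply"
            name[9]  = "Incoming-Call-Request"
            name[10] = "Incoming-Call-Reply"
            name[11] = "Incoming-Call-Connected"
            name[12] = "Call-Clear-Request"
            name[13] = "Call-Disconnect-Notify"
            name[14] = "WAN-Error-Notify"
            name[15] = "Set-Link-Info"
        }
        $5 == tag && /Received PPTP Control Message/ {
            t = $0
            sub(/.*type: */, "", t)          # keep what follows "type: "
            sub(/[^0-9].*/, "", t)           # keep only the leading digits
            label = (t in name) ? name[t] : "unknown"
            printf "%s %s %s  type %2d  %s\n", $1, $2, $3, t, label
            if (t == 12) cleared = 1
        }
        END {
            if (cleared) print "verdict: client sent Call-Clear-Request (client ended the call)"
            else         print "verdict: no Call-Clear-Request from client"
        }'
}

# Run it over the constructed excerpt for the control process in Pete's log.
pptpd_ctrl_summary "$PPTPD_LOG" 9028
```

Seeing the client clear the call right after the SET LINK INFO exchange points at the client's PPP negotiation rather than the pptpd control channel, so pppd's own log (with debug turned on) is where to look next.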
From: berzerke at swbell.net (robert)
Date: Wed, 04 Apr 2001 12:40:04 -0500
Subject: [pptp-server] ppp_mppe kernel 2.4..
In-Reply-To: <12EDCF4FE1D70A448BD3244329D8D059107AB4@exch01.dedigate.com>
References: <12EDCF4FE1D70A448BD3244329D8D059107AB4@exch01.dedigate.com>
Message-ID: <01040412400400.02909@linux>

Check the lists. This problem was recently solved. See also http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt or http://linus.yi.org The first has more details, the second more patches.

On Wednesday 04 April 2001 10:48, Hervé Guehl wrote:
> Hi, I don't know if it is the right place for that mail.. If not please
> redirect me to the right mailing list...
>
> I have problems with ppp_mppe & kernel 2.4
>
> Downloaded the patches for kernel and pppd.. applied them..
>
> But when I connect with a W2K client, there is the whole auth process...
> W2K is proud to say that the connection is up... and then... nothing...
> seems that the ppp interface is up but nothing goes through...
>
> can anyone help..
>
> Thx.
>
> Hervé

From GeorgeV at citadelcomputer.com.au Wed Apr 4 17:58:40 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Thu, 5 Apr 2001 08:58:40 +1000
Subject: [pptp-server] How I can know who is connected over my VPN-server (IP-Address)
Message-ID: <200FAA488DE0D41194F10010B597610D0A6F1D@JUPITER>

I think there was a message mentioning a quick customised patch to do this but that was like a month or so ago.... someone else was asking the same thing.

I think it would be a good idea if pptpd could store an environment setting with the external IP address rather than using a script to detect it.

eg. ip-up.local
----
grep pptp /var/log/secure | grep "$4" | tail -1
# $4 containing the pptp client IP (or was that $5)... or whatever..

(I don't know what the tcp_wrappers logs look like to filter it out)...

thanks,
George Vieira

-----Original Message-----
From: sash [mailto:sash at exoft.tomsk.ru]
Sent: Wednesday, April 04, 2001 9:55 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] How I can know who is connected over my VPN-server (IP-Address)

> The following logs even failed connections that tcp_wrappers
> rejects. This only works if tcp_wrappers is used.
>
> The patch also works with latter versions of pptpd.
>
> "User" is only logged if an ident server is running, so in
> the case of win9x the user is not logged however the ip and
> hostname is always logged.
>
> Godfrey

My situation:

I'm using pptpd (from inittab). When a user connects with my VPN-server, it runs pppd, pppd runs the ip-up script. This script inserts a record (ip-address for client, user name from the pppd environment) into my SQL-server. When the client is down (disconnected) pppd runs the ip-down script. This script inserts additional information such as received and sent bytes, connection time from the pppd environment.

I need a log for my SQL-server of the address the client was connected from! I need an IP address of a client. I can see this information in my syslog but I can't use it. How can I use this information? If pptpd set environment about client IP address this will be good!

Thanks
Sash

From GeorgeV at citadelcomputer.com.au Wed Apr 4 18:17:47 2001
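One way to do what sash asks for and George sketches above, as an added example rather than anything shipped with pptpd or pppd: a shell function that an ip-up.local could call to map the tunnel address pppd hands the script as $5 back to the client's real IP, using pptpd's own syslog lines instead of the tcp_wrappers log. It assumes pptpd logs "Client X control connection started" just before the launcher's "remote address = Y" line for the same call (a "started" line is not quoted in this thread; the "finished" and "remote address" lines are); the sample log is constructed and the function name is mine.

```shell
#!/bin/sh
# Constructed syslog excerpt in the format pptpd uses (addresses made up).
# Note the control process and the pppd launcher log under different pids,
# so the pairing has to come from line order, not from the pid.
SAMPLE_LOG='Apr  4 10:12:40 viper pptpd[9028]: CTRL: Client 24.164.241.232 control connection started
Apr  4 10:12:45 viper pptpd[9029]: CTRL (PPPD Launcher): local address = 10.8.99.2
Apr  4 10:12:45 viper pptpd[9029]: CTRL (PPPD Launcher): remote address = 10.8.99.102
Apr  4 10:13:01 viper pptpd[9040]: CTRL: Client 192.0.2.77 control connection started
Apr  4 10:13:02 viper pptpd[9041]: CTRL (PPPD Launcher): local address = 10.8.99.2
Apr  4 10:13:02 viper pptpd[9041]: CTRL (PPPD Launcher): remote address = 10.8.99.103
Apr  4 10:20:00 viper pptpd[9028]: CTRL: Client 24.164.241.232 control connection finished'

# pptp_client_ip LOGTEXT TUNNEL_ADDR  (hypothetical helper)
# Walks the log in order, remembering the client address of the most recent
# "control connection started" line; when the launcher line that assigned
# TUNNEL_ADDR is reached, that remembered client is the one who got it.
# The last assignment wins, so a reused tunnel address resolves to its
# newest client. Returns 1 (prints nothing) when the address is not found.
pptp_client_ip() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /CTRL: Client .* control connection started/ { client = $(NF-3) }
        /PPPD Launcher.*remote address = / && $NF == want { found = client }
        END { if (found == "") exit 1; print found }'
}

# Hypothetical use from /etc/ppp/ip-up.local, where pppd passes interface,
# tty, speed, local IP, remote IP and ipparam as $1..$6:
#   CLIENT_IP=$(pptp_client_ip "$(cat /var/log/messages)" "$5") || CLIENT_IP=unknown
#   then insert "$5" and "$CLIENT_IP" into the accounting table.

# Demonstration on the constructed log: prints 192.0.2.77
pptp_client_ip "$SAMPLE_LOG" 10.8.99.103
```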
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Thu, 5 Apr 2001 09:17:47 +1000
Subject: [pptp-server] pptpd and DHCP
Message-ID: <200FAA488DE0D41194F10010B597610D0A6F23@JUPITER>

I don't think you can without some special handling of proxyarps etc.. You'll have to select a range outside of your DHCP server and copy its settings from the main server. I have that and it works, it's not like you're gonna change your DHCP settings every week anyway.

thanks,
George Vieira

-----Original Message-----
From: Henrik Schüller (ETX) [mailto:henrik.schuller at etx.ericsson.se]
Sent: Wednesday, April 04, 2001 5:07 PM
To: 'pptp-server at lists.schulte.org'
Subject: [pptp-server] pptpd and DHCP

Hi guys,

How are you all ? :)

I am pretty new to this with pptp and VPNs in general and I have what I would guess is a pretty easy question. How do I let the pptp-server get IPs from the DHCP-server in the same machine and hand them out to the client?

Thanks in advance!

Henrik Schüller

From sinergy at xiles.org Wed Apr 4 21:52:30 2001
From: sinergy at xiles.org (Dustin W)
Date: Wed, 4 Apr 2001 22:52:30 -0400
Subject: [pptp-server] For the love of God, why won't this list unsubscribe!?!?! I have followed the directions sent by help!
In-Reply-To: <5.0.2.1.2.20010314134452.00b16008@pop3.norton.antivirus>
Message-ID:

From sinergy at xiles.org Wed Apr 4 22:31:04 2001
From: sinergy at xiles.org (Dustin W)
Date: Wed, 4 Apr 2001 23:31:04 -0400
Subject: [pptp-server] THANKS ZACH!
Message-ID:

THANKS ZACH! Nice to see helpful people in the community! By the way... you spelled your name incorrectly - shouldn't it be Zac[K]?

-----Original Message-----
From: Zach Lowry [mailto:zlowry at home.com]
Sent: Wednesday, April 04, 2001 11:18 PM
To: 'Dustin W'
Subject: RE: [pptp-server] For the love of God, why won't this list unsubscribe!?!?! I have followed the directions sent by help!

Perhaps, because you're an idiot. :)

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Dustin W
Sent: Wednesday, April 04, 2001 9:53 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] For the love of God, why won't this list unsubscribe!?!?! I have followed the directions sent by help!

From jake at tenon.com Thu Apr 5 00:30:10 2001
From: jake at tenon.com (jake)
Date: Wed, 4 Apr 2001 22:30:10 -0700
Subject: [pptp-server] Win2k will not make pptp connection outside router Help needed
Message-ID: <000b01c0bd91$7b838ba0$0400a8c0@santab1.ca.home.com>

Peeps,

I am fishing for ideas. If I am fucking this up, I would even appreciate a quick e-mail saying I'm an idiot and why.

I have been getting this (SEE BELOW) in my pptp.log file whenever I try to connect via a win2k Pro client. This is bugging the shit out of me. Maybe my pppd server is too old? Version 2.3.5? I have linux kernel 2.0.35. I am working with poptop 1.1.2. 1.0.1 wouldn't compile. I am operating the server behind a NAT router. Win 98 AND ME will connect from the same side of the router as poptop, but a remote win 2k client hangs on verifying user name and password. Are my packets out of order?

-Thanks
Jake

Mar 26 11:50:10 jake pppd[6995]: pppd 2.3.5 started by root, uid 0
Mar 26 11:50:10 jake pppd[6995]: Using interface ppp0
Mar 26 11:50:10 jake pppd[6995]: Connect: ppp0 <--> /dev/ttyp2
Mar 26 11:50:10 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:10 jake pppd[6995]: rcvd [LCP ConfReq id=0x0 ]
Mar 26 11:50:10 jake pppd[6995]: sent [LCP ConfAck id=0x0 ]
Mar 26 11:50:12 jake pppd[6995]: rcvd [LCP ConfReq id=0x1 ]
Mar 26 11:50:12 jake pppd[6995]: sent [LCP ConfAck id=0x1 ]
Mar 26 11:50:13 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:15 jake pppd[6995]: rcvd [LCP ConfReq id=0x2 ]
Mar 26 11:50:15 jake pppd[6995]: sent [LCP ConfAck id=0x2 ]
Mar 26 11:50:16 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:19 jake pppd[6995]: rcvd [LCP ConfReq id=0x3 ]
Mar 26 11:50:19 jake pppd[6995]: sent [LCP ConfAck id=0x3 ]
Mar 26 11:50:19 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:22 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:23 jake pppd[6995]: rcvd [LCP ConfReq id=0x4 ]
Mar 26 11:50:23 jake pppd[6995]: sent [LCP ConfAck id=0x4 ]
Mar 26 11:50:25 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:27 jake pppd[6995]: rcvd [LCP ConfReq id=0x5 ]
Mar 26 11:50:27 jake pppd[6995]: sent [LCP ConfAck id=0x5 ]
Mar 26 11:50:28 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:31 jake pppd[6995]: rcvd [LCP ConfReq id=0x6 ]
Mar 26 11:50:31 jake pppd[6995]: sent [LCP ConfAck id=0x6 ]
Mar 26 11:50:31 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:34 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:35 jake pppd[6995]: rcvd [LCP ConfReq id=0x7 ]
Mar 26 11:50:35 jake pppd[6995]: sent [LCP ConfAck id=0x7 ]
Mar 26 11:50:37 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:39 jake pppd[6995]: rcvd [LCP ConfReq id=0x8 ]
Mar 26 11:50:39 jake pppd[6995]: sent [LCP ConfAck id=0x8 ]
Mar 26 11:50:40 jake pppd[6995]: LCP: timeout sending Config-Requests
Mar 26 11:50:40 jake pppd[6995]: Connection terminated.
Mar 26 11:50:40 jake pppd[6995]: Exit.

From ostergaard at cubbyhole.net Thu Apr 5 06:07:58 2001
From: ostergaard at cubbyhole.net (AJ Ostergaard)
Date: Thu, 5 Apr 2001 12:07:58 +0100
Subject: [pptp-server] Authenticating using CHAP and PAM
Message-ID: <004c01c0bdc0$ac62a3d0$9d0310ac@cogentcom.co.uk>

Hello all,

I am trying to set-up a secure VPN for remote users to access our internal networks and have everything working in terms of MPPE, PAP, CHAP, PPP to PAM, PAM to NT etc. but:

Correct me if I'm wrong but PPP invokes PAM (and thus NT) only when using PAP. PAP is far from secure as it sends the password over the net in plaintext so my users' NT passwords would be floating around. Also if I use PAP I can't have MPPE.

Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are all W2k) but then I can't authenticate against NT.

There are two reasons I want to authenticate against NT. Firstly I don't want another place to have to administer usernames and passwords. Secondly I don't want a file with my users' plaintext passwords lying around.

As far as I can tell MSCHAP needs the secret to be in the chap-secrets file. I guess this is because the CHAP algorithm needs access to the secret string? If so I am in a lose/lose situation.

Does any of this make sense?

Comments?

Thanks,
AJ

99 little bugs in the code, 99 bugs in the code,
  fix one bug, compile it again...
  101 little bugs in the code....

From lantzen at alife.de Thu Apr 5 08:07:28 2001
From: lantzen at alife.de (Michael Lantzen)
Date: Thu, 05 Apr 2001 15:07:28 +0200
Subject: [pptp-server] Authenticating using CHAP and PAM
In-Reply-To: <004c01c0bdc0$ac62a3d0$9d0310ac@cogentcom.co.uk>
Message-ID: <4.3.2.7.2.20010405150535.00b03688@mail.alife.de>

I just asked the same yesterday. The only way to go is to use samba to mirror the passwords onto the linux box and put an entry into the chap-secrets that links to the smbpasswd. As far as I know that's the only way to currently get the functionality you want and not have the passwords unencrypted in any place.

bye
Michael

At 12:07 05.04.2001 +0100, AJ Ostergaard wrote:
>Hello all,
>
>I am trying to set up a secure VPN for remote users to access our internal networks and have everything working in terms of MPPE, PAP, CHAP, PPP to PAM, PAM to NT etc. but:
>
>Correct me if I'm wrong but PPP invokes PAM (and thus NT) only when using PAP. PAP is far from secure as it sends the password over the net in plaintext so my users' NT passwords would be floating around. Also if I use PAP I can't have MPPE.
>
>Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are all W2k) but then I can't authenticate against NT.
>
>There are two reasons I want to authenticate against NT. Firstly I don't want another place to have to administer usernames and passwords. Secondly I don't want a file with my users' plaintext passwords lying around.
>
>As far as I can tell MSCHAP needs the secret to be in the chap-secrets file. I guess this is because the CHAP algorithm needs access to the secret string? If so I am in a lose/lose situation.
>
>Does any of this make sense?
>
>Comments?
>
>Thanks,
>AJ
>
>99 little bugs in the code, 99 bugs in the code,
> fix one bug, compile it again...
> 101 little bugs in the code....
> >_______________________________________________
> >pptp-server maillist - pptp-server at lists.schulte.org
> >http://lists.schulte.org/mailman/listinfo/pptp-server
> >List services provided by www.schulteconsulting.com!

From ostergaard at cubbyhole.net Thu Apr 5 08:20:39 2001
From: ostergaard at cubbyhole.net (AJ Ostergaard)
Date: Thu, 5 Apr 2001 14:20:39 +0100
Subject: [pptp-server] Authenticating using CHAP and PAM
References: <4.3.2.7.2.20010405150535.00b03688@mail.alife.de>
Message-ID: <005801c0bdd3$3768ad50$9d0310ac@cogentcom.co.uk>

Thanks for that. I'll start getting samba installed right away, but I can't fathom what the entry that links chap-secrets to smbpasswd would look like. Aren't the entries in smbpasswd encrypted? If so, can CHAP use them?

AJ

----- Original Message -----
From: "Michael Lantzen"
To: "AJ Ostergaard" ;
Sent: Thursday, April 05, 2001 2:07 PM
Subject: Re: [pptp-server] Authenticating using CHAP and PAM

> I just asked the same yesterday. The only way to go is to use samba to mirror the passwords onto the linux box and put an entry into the chap-secrets that links to the smbpasswd. As far as I know that's the only way to currently get the functionality you want and not have the passwords unencrypted in any place.
>
> bye
> Michael
> At 12:07 05.04.2001 +0100, AJ Ostergaard wrote:
> >Hello all,
> >
> >I am trying to set up a secure VPN for remote users to access our internal networks and have everything working in terms of MPPE, PAP, CHAP, PPP to PAM, PAM to NT etc. but:
> >
> >Correct me if I'm wrong but PPP invokes PAM (and thus NT) only when using PAP. PAP is far from secure as it sends the password over the net in plaintext so my users' NT passwords would be floating around. Also if I use PAP I can't have MPPE.
> >
> >Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are all W2k) but then I can't authenticate against NT.
> >
> >There are two reasons I want to authenticate against NT. Firstly I don't want another place to have to administer usernames and passwords. Secondly I don't want a file with my users' plaintext passwords lying around.
> >
> >As far as I can tell MSCHAP needs the secret to be in the chap-secrets file. I guess this is because the CHAP algorithm needs access to the secret string? If so I am in a lose/lose situation.
> >
> >Does any of this make sense?
> >
> >Comments?
> >
> >Thanks,
> >AJ
> >
> >99 little bugs in the code, 99 bugs in the code,
> > fix one bug, compile it again...
> > 101 little bugs in the code....
From ctresco at mit.edu Thu Apr 5 09:10:40 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Thu, 5 Apr 2001 10:10:40 -0400
Subject: [pptp-server] Authenticating using CHAP and PAM
In-Reply-To: <005801c0bdd3$3768ad50$9d0310ac@cogentcom.co.uk>
Message-ID:

You need to go to http://linux.yi.org and read up...

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of AJ Ostergaard
> Sent: Thursday, April 05, 2001 9:21 AM
> To: Michael Lantzen; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Authenticating using CHAP and PAM
>
> Thanks for that. I'll start getting samba installed right away but I can't fathom what the entry that links chap-secrets to smbpasswd would look like. Aren't the entries in smbpasswd encrypted? If so can CHAP use them?
>
> AJ
>
> ----- Original Message -----
> From: "Michael Lantzen"
> To: "AJ Ostergaard" ;
> Sent: Thursday, April 05, 2001 2:07 PM
> Subject: Re: [pptp-server] Authenticating using CHAP and PAM
>
> > I just asked the same yesterday. The only way to go is to use samba to mirror the passwords onto the linux box and put an entry into the chap-secrets that links to the smbpasswd. As far as I know that's the only way to currently get the functionality you want and not have the passwords unencrypted in any place.
> >
> > bye
> > Michael
> > At 12:07 05.04.2001 +0100, AJ Ostergaard wrote:
> > >Hello all,
> > >
> > >I am trying to set up a secure VPN for remote users to access our internal networks and have everything working in terms of MPPE, PAP, CHAP, PPP to PAM, PAM to NT etc. but:
> > >
> > >Correct me if I'm wrong but PPP invokes PAM (and thus NT) only when using PAP. PAP is far from secure as it sends the password over the net in plaintext so my users' NT passwords would be floating around. Also if I use PAP I can't have MPPE.
> > >
> > >Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are all W2k) but then I can't authenticate against NT.
> > >
> > >There are two reasons I want to authenticate against NT. Firstly I don't want another place to have to administer usernames and passwords. Secondly I don't want a file with my users' plaintext passwords lying around.
> > >
> > >As far as I can tell MSCHAP needs the secret to be in the chap-secrets file. I guess this is because the CHAP algorithm needs access to the secret string? If so I am in a lose/lose situation.
> > >
> > >Does any of this make sense?
> > >
> > >Comments?
> > >
> > >Thanks,
> > >AJ
> > >
> > >99 little bugs in the code, 99 bugs in the code,
> > > fix one bug, compile it again...
> > > 101 little bugs in the code....
From ctresco at mit.edu Thu Apr 5 09:13:39 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Thu, 5 Apr 2001 10:13:39 -0400
Subject: [pptp-server] Authenticating using CHAP and PAM
In-Reply-To:
Message-ID:

duh.. http://linus.yi.org

Sorry.

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Christopher Tresco
> Sent: Thursday, April 05, 2001 10:11 AM
> To: AJ Ostergaard; Michael Lantzen; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] Authenticating using CHAP and PAM
>
> You need to go to http://linux.yi.org and read up...
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of AJ Ostergaard
> > Sent: Thursday, April 05, 2001 9:21 AM
> > To: Michael Lantzen; pptp-server at lists.schulte.org
> > Subject: Re: [pptp-server] Authenticating using CHAP and PAM
> >
> > Thanks for that. I'll start getting samba installed right away but I can't fathom what the entry that links chap-secrets to smbpasswd would look like. Aren't the entries in smbpasswd encrypted? If so can CHAP use them?
> >
> > AJ
> >
> > ----- Original Message -----
> > From: "Michael Lantzen"
> > To: "AJ Ostergaard" ;
> > Sent: Thursday, April 05, 2001 2:07 PM
> > Subject: Re: [pptp-server] Authenticating using CHAP and PAM
> >
> > > I just asked the same yesterday. The only way to go is to use samba to mirror the passwords onto the linux box and put an entry into the chap-secrets that links to the smbpasswd. As far as I know that's the only way to currently get the functionality you want and not have the passwords unencrypted in any place.
> > >
> > > bye
> > > Michael
> > > At 12:07 05.04.2001 +0100, AJ Ostergaard wrote:
> > > >Hello all,
> > > >
> > > >I am trying to set up a secure VPN for remote users to access our internal networks and have everything working in terms of MPPE, PAP, CHAP, PPP to PAM, PAM to NT etc. but:
> > > >
> > > >Correct me if I'm wrong but PPP invokes PAM (and thus NT) only when using PAP. PAP is far from secure as it sends the password over the net in plaintext so my users' NT passwords would be floating around. Also if I use PAP I can't have MPPE.
> > > >
> > > >Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are all W2k) but then I can't authenticate against NT.
> > > >
> > > >There are two reasons I want to authenticate against NT. Firstly I don't want another place to have to administer usernames and passwords. Secondly I don't want a file with my users' plaintext passwords lying around.
> > > >
> > > >As far as I can tell MSCHAP needs the secret to be in the chap-secrets file. I guess this is because the CHAP algorithm needs access to the secret string? If so I am in a lose/lose situation.
> > > >
> > > >Does any of this make sense?
> > > >
> > > >Comments?
> > > >
> > > >Thanks,
> > > >AJ
> > > >
> > > >99 little bugs in the code, 99 bugs in the code,
> > > > fix one bug, compile it again...
> > > > 101 little bugs in the code....

From charlieb at e-smith.com Thu Apr 5 10:06:44 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Thu, 5 Apr 2001 11:06:44 -0400 (EDT)
Subject: [pptp-server] Authenticating using CHAP and PAM
In-Reply-To: <004c01c0bdc0$ac62a3d0$9d0310ac@cogentcom.co.uk>
Message-ID:

On Thu, 5 Apr 2001, AJ Ostergaard wrote:

> Correct me if I'm wrong but PPP invokes PAM (and thus NT) only when using PAP. PAP is far from secure as it sends the password over the net in plaintext so my users' NT passwords would be floating around. Also if I use PAP I can't have MPPE.
>
> Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are all W2k) but then I can't authenticate against NT.
>
> There are two reasons I want to authenticate against NT. Firstly I don't want another place to have to administer usernames and passwords. Secondly I don't want a file with my users' plaintext passwords lying around.
>
> As far as I can tell MSCHAP needs the secret to be in the chap-secrets file. I guess this is because the CHAP algorithm needs access to the secret string? If so I am in a lose/lose situation.
>
> Does any of this make sense?

What you say all matches my understanding. The PPP daemon needs the NT hash (which it can derive from a plaintext password) in order to do MSCHAPv2 authentication, and needs to do MSCHAPv2 authentication to set up MPPE.

If we have understood this correctly, the best you can do is to find/make a tool to periodically dump the NT hashes from the NT box and store them in chap-secrets or smbpasswd.

Charlie Brady                         charlieb at e-smith.com
http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From ctresco at mit.edu Thu Apr 5 11:54:21 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Thu, 5 Apr 2001 12:54:21 -0400
Subject: [pptp-server] WinME troubles
In-Reply-To:
Message-ID:

After I fixed all those Win2K troubles, WinME is exhibiting the same troubles as 2K was. Anyone experience this?

From jake at tenon.com Thu Apr 5 17:39:25 2001
From: jake at tenon.com (jake at tenon.com)
Date: Thu, 05 Apr 2001 22:39:25 GMT
Subject: [pptp-server] Win2k will not make pptp connection outside router Help needed
Message-ID: <200104052239.PAA16335@hector.tenon.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From Steve at SteveCowles.com Thu Apr 5 21:37:57 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Thu, 5 Apr 2001 21:37:57 -0500
Subject: [pptp-server] Win2k will not make pptp connection outside router Help needed
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE72B@defiant.infohiiway.com>

> -----Original Message-----
> From: jake at tenon.com [mailto:jake at tenon.com]
> Sent: Thursday, April 05, 2001 5:39 PM
> To: jvonau at home.com
> Cc: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Win2k will not make pptp connection outside router Help needed
>
> Thanks for the response Jerry.
>
> I should have mentioned that the router is a Netgear RT314 (a fine piece if I may say so). It SAYS it will do PPTP, but I have tried behind the router and Win ME connects fine. This makes me suspicious that the router is doing bad things, but my log (BELOW) says that there are ppp transactions taking place and that the timeout is stopping the stuff. Maybe it's just talking too slowly.
>
> If all this isn't enough, I can't install a newer pppd because its kernel code won't compile. sheeesh
>
> -Jake

I just installed an RT-314 for one of my customers today. Nice little router/firewall for the price. I also configured this company's NT server with PPTP and RAS so their road warriors/home office employees could establish VPNs into the office LAN. During my validation procedures, I had concurrent Win98se, Win98me and W2K clients connecting into this NT PPTP server through the RT314. All OSs worked fine after I found the proper port/protocol forwarding equivalent commands of the RT-314.

If you haven't done so already, go to Netgear's website -> customer support -> knowledge base and search for "application notes". Then select the application notes for the RT311/RT314. The PPTP configuration section will be available. I followed these instructions and had no problems at all. BTW: I downloaded and installed the latest firmware (3.22) for the RT314 before I put this unit into production and enabled masqueraded PPTP support.

If you have already followed the above instructions, then maybe your problem *is* related to the version of pppd and/or the kernel you're running.

Steve Cowles

From jake at tenon.com Thu Apr 5 21:50:52 2001
From: jake at tenon.com (jake)
Date: Thu, 5 Apr 2001 19:50:52 -0700
Subject: [pptp-server] Win2k will not make pptp connection outside router Help needed
References: <90769AF04F76D41186C700A0C90AFC3EE72B@defiant.infohiiway.com>
Message-ID: <000401c0be44$64f671a0$0400a8c0@santab1.ca.home.com>

Steve,

Thanks for the response.

I saw those instructions and did what they said. All I really did to the router was to map the 1723 port to the correct internal IP address. I also installed the latest 3.22 firmware. No dice yet.

What do you mean by "enabled masqueraded PPTP support"? This might be the key.

-Thanks again

Jake

----- Original Message -----
From: "Cowles, Steve"
To:
Cc:
Sent: Thursday, April 05, 2001 7:37 PM
Subject: RE: [pptp-server] Win2k will not make pptp connection outside router Help needed

> > -----Original Message-----
> > From: jake at tenon.com [mailto:jake at tenon.com]
> > Sent: Thursday, April 05, 2001 5:39 PM
> > To: jvonau at home.com
> > Cc: pptp-server at lists.schulte.org
> > Subject: Re: [pptp-server] Win2k will not make pptp connection outside router Help needed
> >
> > Thanks for the response Jerry.
> >
> > I should have mentioned that the router is a Netgear RT314 (a fine piece if I may say so). It SAYS it will do PPTP, but I have tried behind the router and Win ME connects fine. This makes me suspicious that the router is doing bad things, but my log (BELOW) says that there are ppp transactions taking place and that the timeout is stopping the stuff. Maybe it's just talking too slowly.
> >
> > If all this isn't enough, I can't install a newer pppd because its kernel code won't compile. sheeesh
> >
> > -Jake
>
> I just installed an RT-314 for one of my customers today. Nice little router/firewall for the price. I also configured this company's NT server with PPTP and RAS so their road warriors/home office employees could establish VPNs into the office LAN. During my validation procedures, I had concurrent Win98se, Win98me and W2K clients connecting into this NT PPTP server through the RT314. All OSs worked fine after I found the proper port/protocol forwarding equivalent commands of the RT-314.
>
> If you haven't done so already, go to Netgear's website -> customer support -> knowledge base and search for "application notes". Then select the application notes for the RT311/RT314. The PPTP configuration section will be available. I followed these instructions and had no problems at all. BTW: I downloaded and installed the latest firmware (3.22) for the RT314 before I put this unit into production and enabled masqueraded PPTP support.
>
> If you have already followed the above instructions, then maybe your problem *is* related to the version of pppd and/or the kernel you're running.
> > Steve Cowles
>

From Steve at SteveCowles.com Thu Apr 5 22:12:57 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Thu, 5 Apr 2001 22:12:57 -0500
Subject: [pptp-server] Win2k will not make pptp connection outside router Help needed
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE72C@defiant.infohiiway.com>

> -----Original Message-----
> From: jake [mailto:jake at tenon.com]
> Sent: Thursday, April 05, 2001 9:51 PM
> To: Cowles, Steve; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Win2k will not make pptp connection outside router Help needed
>
> Steve,
>
> Thanks for the response.
>
> I saw those instructions and did what they said. All I really did to the router was to map the 1723 port to the correct internal IP address. I also installed the latest 3.22 firmware. No dice yet.
>
> What do you mean by "enabled masqueraded PPTP support"? This might be the key.
>
> -Thanks again
>
> Jake

Sorry for the confusion. I should have stuck with Netgear's terminology. Masqueraded PPTP support is more of a linux term. If you followed the instructions on Netgear's website, i.e. map port 1723 to the internal IP of your PPTP server, then the RT-314 is set up correctly. That's all I did.

Steve Cowles

From giulioo at pobox.com Fri Apr 6 02:04:10 2001
From: giulioo at pobox.com (Giulio Orsero)
Date: Fri, 06 Apr 2001 09:04:10 +0200
Subject: [pptp-server] Win2k will not make pptp connection outside router Help needed
In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE72C@defiant.infohiiway.com>
References: <90769AF04F76D41186C700A0C90AFC3EE72C@defiant.infohiiway.com>
Message-ID: <20010406070710.E807016621@i3.golden.dom>

On Thu, 5 Apr 2001 22:12:57 -0500, you wrote:

>Sorry for the confusion. I should have stuck with Netgear's terminology. Masqueraded PPTP support is more of a linux term. If you followed the instructions on Netgear's website, i.e. map port 1723 to the internal IP of your PPTP server, then the RT-314 is set up correctly. That's all I did.

I'm interested in this because we are searching for a router which can do hdsl/v35 and masq pptp. I had a lot of emails with cyclades tech supp for pr1000 but could not get a definitive answer. So now we are looking at the cyclades pc300 card (to use in an lrp box) or setting up an lrp box to do masq pptp behind a generic hdsl router. We don't want to spend big money on this router.

Out of curiosity I searched the netgear site, not good, so I went to http://www.zyxel.com/doc/p314/app/pptp.htm (I understand zyxel and netgear are relatives??)

They talk about 1723, but not protocol 47. How do they handle masq/forwarding of p47?

Thanks
--
giulioo at pobox.com

From christopher at schulte.org Fri Apr 6 02:23:25 2001
From: christopher at schulte.org (Christopher Schulte)
Date: Fri, 06 Apr 2001 02:23:25 -0500
Subject: [pptp-server] ADMINISTRIVIA: archive search engine (part II)
Message-ID: <5.1.0.12.0.20010406015344.03f689c8@pop.schulte.org>

Heya again folks... sorry to blast another email off to ya'll, but I figured some might find this of interest.

The feedback I got was good, so I've linked the search page http://lists.schulte.org/htdig/lists/pptp-server/search.html to the main list page. I fired off a mail to Matthew Ramsay asking him to update his official page.

I threw together a small mod to my webserver so a link to the search page is dynamically inserted into the top of every archive message. I did that because a fair number of hits come from search engines like google, altavista, excite and so on. Those folks should also be aware that a local search engine exists.

Back on the server side, I updated apache to 1.3.19, and sendmail to 8.12.0.Beta5. RSS, DUL and MAPS are still in place.

I've also implemented weekly full backups of the entire mailing list software and archives. The information it contains is too valuable not to have backed up. ;p

Any other questions I didn't address? Drop me an email.

--chris

--
Christopher Schulte
Finger for PGP key, or for UNIX impaired:
http://noc.schulte.org/cgi-bin/noc/finger.cgi

From johnf at inodes.org Fri Apr 6 05:12:29 2001
From: johnf at inodes.org (John Ferlito)
Date: Fri, 6 Apr 2001 20:12:29 +1000
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.2.19
In-Reply-To: <8D043DEA73DFD411958A00A0C90AB7607D68@ftp.gillnet.org>; from vgill@technologist.com on Sun, Apr 01, 2001 at 10:26:55AM -0700
References: <8D043DEA73DFD411958A00A0C90AB7607D68@ftp.gillnet.org>
Message-ID: <20010406201229.A1052@inodes.org>

On Sun, Apr 01, 2001 at 10:26:55AM -0700, Gill, Vern wrote:
> For what it's worth to all of you, I have successfully connected to pptpd-1.1.2/pppd-2.4.0 from w2ksp1. This is right across my lan, but that shouldn't matter. If anyone wants to try connecting to my system from a w2k client, let me know and I will set an acct. for you...
>

I'd like to confirm I've also got this working, but under a 2.2 kernel. The secret is the nodefaultroute option. If you specify it then it just doesn't work with encryption. When I get a chance I'll have a quick look at the source to see if there's any good reason for this. For now I have to go round doing a whole heap of config changes :)

--
John Ferlito
Senior Engineer - Bulletproof Networks
ph: +61 (0) 410 519 382
http://www.bulletproof.net.au/

From gustavo at liubob.com.ar Fri Apr 6 07:35:28 2001
From: gustavo at liubob.com.ar (Gustavo Martin Ortega)
Date: Fri, 6 Apr 2001 09:35:28 -0300
Subject: [pptp-server] Only one ip public
Message-ID: <028a01c0be96$1078fbf0$04c129c8@liubob.com.ar>

I have a private LAN and a Windows Millennium machine with one public IP. What can I do, using only this one public IP, to connect all the private LAN to my VPN server?

Thanks a lot.

Gustavo Martín Ortega.
Network Administrator.
Liubob Informatica S.R.L.
Av. Belgrano 845 7ºA - Capital Federal.
Tel: +54-11-4-331-6722/5782
email: gustavo at liubob.com.ar
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Steve at SteveCowles.com Fri Apr 6 09:39:48 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Fri, 6 Apr 2001 09:39:48 -0500
Subject: [pptp-server] Win2k will not make pptp connection outside router Help needed
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE731@defiant.infohiiway.com>

> -----Original Message-----
> From: Giulio Orsero [mailto:giulioo at pobox.com]
> Sent: Friday, April 06, 2001 2:04 AM
> To: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Win2k will not make pptp connection outside router Help needed
>
> On Thu, 5 Apr 2001 22:12:57 -0500, you wrote:
>
> >Sorry for the confusion. I should have stuck with Netgear's terminology. Masqueraded PPTP support is more of a linux term. If you followed the instructions on Netgear's website, i.e. map port 1723 to the internal IP of your PPTP server, then the RT-314 is set up correctly. That's all I did.
>
> I'm interested in this because we are searching for a router which can do hdsl/v35 and masq pptp. I had a lot of emails with cyclades tech supp for pr1000 but could not get a definitive answer. So now we are looking at the cyclades pc300 card (to use in an lrp box) or setting up an lrp box to do masq pptp behind a generic hdsl router. We don't want to spend big money on this router.

I have not used the pc300 card, but I have used LRP in the past and had excellent results. Since LRP uses a standard linux 2.2.x kernel you will need to apply the VPN masq patches to add MASQ VPN support, i.e. ip_masq_pptp.o.

> Out of curiosity I searched the netgear site, not good, so I went to http://www.zyxel.com/doc/p314/app/pptp.htm (I understand zyxel and netgear are relatives??)
>
> They talk about 1723, but not protocol 47. How do they handle masq/forwarding of p47?

That's a good question. In fact, I asked the same question when I set up the RT-314. Somehow, this box "magically" handles masquerading protocol 47 (GRE) packets when you configure port 1723 to be forwarded to an internal IP address.

FWIW: I installed a SonicWall firewall ( www.sonicwall.com ) a few weeks ago and its MASQ PPTP configuration was the same. I only forwarded port 1723 to an internal PPTP server. It handled protocol 47 behind the scenes.

Steve Cowles

From vgill at technologist.com Fri Apr 6 18:01:37 2001
From: vgill at technologist.com (Gill, Vern)
Date: Fri, 6 Apr 2001 16:01:37 -0700
Subject: [pptp-server] Authenticating using CHAP and PAM
Message-ID: <8D043DEA73DFD411958A00A0C90AB760045AD3@ftp.gillnet.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the pointer Chris, but it is http://linus.yi.org
                                                   ^
it's linus with an S, not linux with an X

- -----Original Message-----
From: Christopher Tresco [mailto:ctresco at mit.edu]
Sent: Thursday, April 05, 2001 7:11 AM
To: AJ Ostergaard; Michael Lantzen; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] Authenticating using CHAP and PAM

You need to go to http://linux.yi.org and read up...

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOs5KixeamMdwy9TXEQJ0ngCg/x4mlv0oD6zAU/pkPWTzCgUQL5MAoPs7
zfmOHsUfIxrJKD2A91NkTtrV
=4R6Y
-----END PGP SIGNATURE-----

From charlieb at e-smith.com Fri Apr 6 18:34:41 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Fri, 6 Apr 2001 19:34:41 -0400 (EDT)
Subject: [pptp-server] Authenticating using CHAP and PAM
In-Reply-To: <8D043DEA73DFD411958A00A0C90AB760045AD3@ftp.gillnet.org>
Message-ID:

On Fri, 6 Apr 2001, Gill, Vern wrote:

> Thanks for the pointer Chris, but it is http://linus.yi.org

Or http://linus.yi.org/plain/ for the frames challenged.

Or if you want to see some real content :-)

--
Charlie Brady                         charlieb at e-smith.com
http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From lillian_kulhanek at yahoo.ca Fri Apr 6 23:25:28 2001
From: lillian_kulhanek at yahoo.ca (Lillian Kulhanek)
Date: Sat, 7 Apr 2001 00:25:28 -0400 (EDT)
Subject: [pptp-server] can I have a pptp vpn between two nat's?
Message-ID: <20010407042528.30836.qmail@web11001.mail.yahoo.com>

Here's the setup:

Lan1 (Win98SE clients) is masqueraded behind a linux gateway. The linux pptp server is behind the gateway, with port forwarding occurring from the gateway to the pptp server. (vpn masquerading)

Lan2 (Win98SE & NT4Server) is nat'ed behind a cisco 1600. The NT server has a public address as well (2 nics). The NT server was set up as a pptp server as well, for the sake of testing.

The goal is for lan2 clients to log on to and access lan1.

Here's what we can do:

1) Home users can connect to Lan1 with pptp.
   Proves that the pptp server is working.

2) From a pc with a private address in lan1, I can connect to the pptp server in lan2, using its public address.
   Proves that there is no port/protocol blockage, at least in that direction.

A pc in lan2 CANNOT make a pptp connection to the pc in lan1. I was wondering if this was because of nat'ing on both sides? But isn't port forwarding supposed to take care of this?

I don't remember reading anything that says I can't do this. Can anyone enlighten me on why or why not? Would this also explain why I can't run NetMeeting between the two LANs? Although, I can't see a reason why this should not work. Could this be a routing issue on the cisco box (to which the isp limits access)?

Answers, pointers to URLs, greatly appreciated. A timely response would also be appreciated, since I'm at lan2 flying back to lan1 in a few days.

Thanks,
Lillian

PS Finally, am I missing something obvious, even an obvious alternate solution?

_______________________________________________________
Do You Yahoo!?
Get your free @yahoo.ca address at http://mail.yahoo.ca

From vgill at technologist.com Fri Apr 6 23:58:03 2001
From: vgill at technologist.com (Gill, Vern)
Date: Fri, 6 Apr 2001 21:58:03 -0700
Subject: [pptp-server] Authenticating using CHAP and PAM
Message-ID: <8D043DEA73DFD411958A00A0C90AB760045AD4@ftp.gillnet.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Actually I just added a "links" page for the java-lly challenged. But I guess it could apply to the frames challenged as well.

http://linus.yi.org/links.html

Enjoy

- -----Original Message-----
From: Charlie Brady [mailto:charlieb at e-smith.com]
Sent: Friday, April 06, 2001 4:35 PM
To: Gill, Vern
Cc: 'Christopher Tresco'; AJ Ostergaard; Michael Lantzen; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] Authenticating using CHAP and PAM

On Fri, 6 Apr 2001, Gill, Vern wrote:

> Thanks for the pointer Chris, but it is http://linus.yi.org

Or http://linus.yi.org/plain/ for the frames challenged.

Or if you want to see some real content :-)

- --
Charlie Brady                         charlieb at e-smith.com
http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOs6eDReamMdwy9TXEQJflACfY48Wc08UE7CTkGGqJCg6iLXY6qwAoJ8g
JU32hk8uzGMn1+OVHPUmLFLv
=yriy
-----END PGP SIGNATURE-----

From Steve at SteveCowles.com Sat Apr 7 00:22:55 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Sat, 7 Apr 2001 00:22:55 -0500
Subject: [pptp-server] can I have a pptp vpn between two nat's?
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE73A@defiant.infohiiway.com>

> -----Original Message-----
> From: Lillian Kulhanek [mailto:lillian_kulhanek at yahoo.ca]
> Sent: Friday, April 06, 2001 11:25 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] can I have a pptp vpn between two nat's?
>
> Here's the setup:
>
> Lan1 (Win98SE clients) is masqueraded behind a linux gateway. The linux pptp server is behind the gateway, with port forwarding occurring from the gateway to pptp server. (vpn masquerading)
>
> Lan2 (Win98SE & NT4Server) is nat'ed behind a cisco 1600. The NT server has a public address as well (2 nics). The NT server was set up as a pptp server as well, for the sake of testing.
>
> The goal is for lan2 clients to log on to and access lan1.
>
> Here's what we can do:
>
> 1) Home users can connect to Lan1 with pptp. Proves that the pptp server is working.
>
> 2) From a pc with a private address in lan1, I can connect to the pptp server in lan2, using its public address. Proves that there is no port/protocol blockage, at least in that direction.
>
> A pc in lan2 CANNOT make a pptp connection to the pc in lan1. I was wondering if this was because of nat'ing on both sides? But isn't portforwarding supposed to take care of this?
>
> I don't remember reading anything that says I can't do this. Can anyone enlighten me on why or why not? Would this also explain why I can't run NetMeeting between the two lan's? Although, I can't see a reason why this should not work. Could this be a routing issue on the cisco box (to which the isp limits access)?
>
> Answers, pointers to url's, greatly appreciated. A timely response would also be appreciated, since I'm at lan2 flying back to lan1 in a few days.
>
> Thanks,
> Lillian
>
> PS Finally, am I missing something obvious, even an obvious alternate solution?

Have you considered establishing a LAN-to-LAN tunnel between lan1 and lan2 using your linux box and the NT server instead of multiple host-to-lan tunnels?
This way the clients on each lan do not have to establish tunnels to communicate with the other lans. i.e. You establish one tunnel. Here's an example of what I'm talking about.

NOTE: Although I'm using IPSEC in the following (real world) example, the same thing can be accomplished using PPTP.

My LAN (lan1) network address is: 192.168.9.0/24 (eth0)
Remote LAN (lan2) network address is: 192.168.1.0/24 (ipsec0)

NOTE: I have edited the following for clarity.

On my linux firewall, my routing tables are:

[root at firewall mail]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   irtt Iface
x.x.113.176     0.0.0.0         255.255.255.252 U          0 eth1
192.168.9.0     0.0.0.0         255.255.255.0   U          0 eth0
192.168.1.0     x.x.113.177     255.255.255.0   UG         0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U          0 lo
0.0.0.0         x.x.113.177     0.0.0.0         UG         0 eth1
[root at firewall mail]#

At the other end of the tunnel, its gateway route tables are basically reversed. i.e. Its ipsec0 points to 192.168.9.0/24.

Now all the client/servers on LAN1 (192.168.9.0/24) can access all client/servers on LAN2 (192.168.1.0/24) and vice-versa. The key here is that none of the client/servers on both lans are establishing tunnels, just the linux gateways. i.e. LAN-to-LAN tunnel.

FWIW: I also run PPTP on my linux box so that road warrior types can establish tunnels from remote sites.

Steve Cowles

From jvonau at home.com Sat Apr 7 04:01:17 2001
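The routing argument in Steve's post, as an added example that is not from the post: a small Python resolver that parses the `netstat -rn` table quoted above, does the kernel's longest-prefix match to show that a lan1 host's traffic for lan2 leaves the gateway through ipsec0 (so the host itself needs no tunnel), and checks that both gateways carry the mirrored tunnel route, the half that is missing when reachability is one-way. The x.x public prefix is replaced by the documentation range 203.0.113.x, and the lan2 gateway's table is constructed as the "reversed" counterpart.

```python
"""Added example (not from the post): parse the gateway routing table
quoted above, resolve next hops with longest-prefix match, and verify the
two gateways carry mirrored routes so a LAN-to-LAN tunnel works both ways.
The x.x public prefix is replaced by the documentation range 203.0.113.x
(placeholder); the lan2 gateway's table is constructed."""
import ipaddress

LAN1_GATEWAY_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   irtt Iface
203.0.113.176   0.0.0.0         255.255.255.252 U          0 eth1
192.168.9.0     0.0.0.0         255.255.255.0   U          0 eth0
192.168.1.0     203.0.113.177   255.255.255.0   UG         0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U          0 lo
0.0.0.0         203.0.113.177   0.0.0.0         UG         0 eth1
"""

# Constructed: the remote gateway's table, "basically reversed".
LAN2_GATEWAY_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   irtt Iface
203.0.113.176   0.0.0.0         255.255.255.252 U          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U          0 eth0
192.168.9.0     203.0.113.178   255.255.255.0   UG         0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U          0 lo
0.0.0.0         203.0.113.178   0.0.0.0         UG         0 eth1
"""


def parse_routes(netstat_output):
    """Return [(network, gateway-or-None, iface)] from `netstat -rn` text."""
    routes = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0][0].isdigit():
            continue  # skip the two header lines
        dest, gw, mask, _flags, _irtt, iface = cols[:6]
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((network, None if gw == "0.0.0.0" else gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _network, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gw


def check_lan_to_lan(routes_a, lan_a, routes_b, lan_b, tunnel_iface):
    """Each gateway must send the *other* LAN into the tunnel; if one half
    is missing you get one-way reachability. Returns a list of problems."""
    problems = []
    for name, routes, remote_lan in (("lan1 gateway", routes_a, lan_b),
                                     ("lan2 gateway", routes_b, lan_a)):
        probe = str(ipaddress.ip_network(remote_lan)[10])  # a host in the remote LAN
        iface, _gw = lookup(routes, probe)
        if iface != tunnel_iface:
            problems.append(f"{name}: {remote_lan} goes out {iface}, not {tunnel_iface}")
    return problems


if __name__ == "__main__":
    lan1 = parse_routes(LAN1_GATEWAY_ROUTES)
    lan2 = parse_routes(LAN2_GATEWAY_ROUTES)
    for host in ("192.168.1.10", "192.168.9.5", "198.51.100.7"):
        print(f"{host:>14} -> iface/gateway {lookup(lan1, host)}")
    print("mirrored routes:", check_lan_to_lan(lan1, "192.168.9.0/24",
                                               lan2, "192.168.1.0/24", "ipsec0") or "ok")
```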
From: jvonau at home.com (Jerry Vonau)
Date: Sat, 07 Apr 2001 04:01:17 -0500
Subject: [pptp-server] can I have a pptp vpn between two nat's?
References: <20010407042528.30836.qmail@web11001.mail.yahoo.com>
Message-ID: <3ACED75D.55C4DA5@home.com>

Lillian:

You can get a pptp vpn client from:

http://merced.needsabeating.com/pptp/howto.html (latest version)
also has pppd pre-patched for 128 bit mppe in rpm or tar (works great, no fussing with patching pppd)

http://cag.lcs.mit.edu/~cananian/Projects/PPTP/ (original version)

and do what Steve was suggesting. I'm doing that now with 2 remote lans and the main lan all linked up.

Jerry Vonau

Lillian Kulhanek wrote:
> Here's the setup:
>
> Lan1 (Win98SE clients) is masqueraded behind a linux gateway. The linux pptp server is behind the gateway, with port forwarding occurring from the gateway to pptp server. (vpn masquerading)
>
> Lan2 (Win98SE & NT4Server) is nat'ed behind a cisco 1600. The NT server has a public address as well (2 nics). The NT server was set up as a pptp server as well, for the sake of testing.
>
> The goal is for lan2 clients to log on to and access lan1.
>
> Here's what we can do:
>
> 1) Home users can connect to Lan1 with pptp. Proves that the pptp server is working.
>
> 2) From a pc with a private address in lan1, I can connect to the pptp server in lan2, using its public address. Proves that there is no port/protocol blockage, at least in that direction.
>
> A pc in lan2 CANNOT make a pptp connection to the pc in lan1. I was wondering if this was because of nat'ing on both sides? But isn't portforwarding supposed to take care of this?
>
> I don't remember reading anything that says I can't do this. Can anyone enlighten me on why or why not? Would this also explain why I can't run NetMeeting between the two lan's? Although, I can't see a reason why this should not work. Could this be a routing issue on the cisco box (to which the isp limits access)?
>
> Answers, pointers to url's, greatly appreciated. A timely response would also be appreciated, since I'm at lan2 flying back to lan1 in a few days.
>
> Thanks,
> Lillian
>
> PS Finally, am I missing something obvious, even an obvious alternate solution?

From mdrobnak at optonline.net Sat Apr 7 23:40:05 2001
From: mdrobnak at optonline.net (Matthew Drobnak)
Date: Sun, 08 Apr 2001 00:40:05 -0400 (EDT)
Subject: [pptp-server] Win2k - pptp encyption problems -- a solution
Message-ID: <0GBG00J04IAT13@mta4.srv.hcvlny.cv.net>

Upon searching of the archive, I came upon a solution.. however, I will keep you in suspense for the moment.

I think the problem is with Win2k SP1 AND / OR the "High Encryption Pack." I think everyone who applied that is going to run into this problem.

Therefore, the solution, which also worked for me, is that the 40 bit MPPE encryption protocol CANNOT be enabled. Once it is commented out, the connection works flawlessly. A problem here, however. I think the exact opposite is true for out-of-the-box win2k... if there's no 40bit available, it will fail negotiations, and not be able to connect at all.. Anyone care to test this theory?

For completeness, here's what I'm running:
* kernel 2.4.3
* pppd 2.4.0
* pptp 1.1.2 (to fix the manager exiting after the last connection problem)

my options.pptp file:

lock
mtu 1490
mru 1490
debug
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
#mppe-40
mppe-128
mppe-stateless
ms-dns 172.16.1.1
proxyarp

Hope this helps bring an end to this saga...

-Matthew Drobnak

From zhourainman at sina.com Sat Apr 7 23:39:44 2001
From: zhourainman at sina.com (zhourainman)
Date: Sun, 08 Apr 2001 12:39:44 +0800
Subject: [pptp-server] Re:
Message-ID: <20010408043944.11905.qmail@sina.com>

confirm 329629

From siddharth at egujarat.net Sun Apr 8 05:27:54 2001
From: siddharth at egujarat.net (root)
Date: Sun, 08 Apr 2001 15:57:54 +0530
Subject: [pptp-server] how do i authenthicate a linux client to a linux server
Message-ID: <3AD03D2A.6DEF1B6B@egujarat.net>

whenever i connect using pptp i get the following errors

Apr 8 15:55:40 ns09 pppd[30607]: Using interface ppp0
Apr 8 15:55:40 ns09 pppd[30607]: Connect: ppp0 <--> /dev/pts/1
Apr 8 15:55:43 ns09 pppd[30607]: LCP terminated by peer (peer refused to authenticate)
Apr 8 15:55:46 ns09 pppd[30607]: Connection terminated.
Apr 8 15:55:46 ns09 pppd[30607]: Exit.
Apr 8 15:55:46 ns09 pptpd[30606]: Error reading from pppd: Input/output error
Apr 8 15:55:46 ns09 pptpd[30606]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)

From jvonau at home.com Sun Apr 8 09:56:55 2001
From: jvonau at home.com (Jerry Vonau)
Date: Sun, 08 Apr 2001 09:56:55 -0500
Subject: [pptp-server] how do i authenthicate a linux client to a linux server
References: <3AD03D2A.6DEF1B6B@egujarat.net>
Message-ID: <3AD07C37.2EE04AB3@home.com>

Posting some config files helps to see what the problem is......

What is in your options file on the client? Off the top of my head, add "noauth" if it is missing.

Jerry Vonau

root wrote:
> whenever i connect using pptp i get the following errors
>
> Apr 8 15:55:40 ns09 pppd[30607]: Using interface ppp0
> Apr 8 15:55:40 ns09 pppd[30607]: Connect: ppp0 <--> /dev/pts/1
> Apr 8 15:55:43 ns09 pppd[30607]: LCP terminated by peer (peer refused to authenticate)
> Apr 8 15:55:46 ns09 pppd[30607]: Connection terminated.
> Apr 8 15:55:46 ns09 pppd[30607]: Exit.
> Apr 8 15:55:46 ns09 pptpd[30606]: Error reading from pppd: Input/output error
> Apr 8 15:55:46 ns09 pptpd[30606]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)

From varrianh at computone.com Mon Apr 9 08:53:02 2001
From: varrianh at computone.com (Varrian Hall)
Date: Mon, 9 Apr 2001 09:53:02 -0400
Subject: [pptp-server] FW: MsChapv2, RFC2759
Message-ID: <95B97DD42B78D31193A8005004D1E05C54305A@mustang.computone.com>

> Hello Everyone,
>
> My name is Varrian Hall. I am in great need of MSChapv2 assistance. Presently, my authenticator calculation (20 octets made into 40 hex digits: "S=40 hex digits") does not equal the 40 Hex digit (excluding "S=") response. I have written my code based on RFC2759. My GenerateAuthenticatorResponse( ) function is where the problem lies. Again, it's based on the GenerateAuthenticatorResponse( ) function in RFC2759. I'm thinking it must be a new update, because some of the code in GenerateAuthenticatorResponse( ) is used elsewhere and it is working fine. The SHA.. functions are in ChallengeHash and it works fine. The MD4.. functions are in NTPasswordHash, and it works fine. My problem is in the last SHA_Final function call in GenerateAuthenticatorResponse( ) that produces the 20 octet result. This result (expanded to 40 octets) never matches the result sent to me from a Win2K pc.
>
> These results have to match in order for the server/client to be authenticated.
>
> Could you please help,
>
> varrianh at computone.com
> Varrian Hall
> Computone Corp
> 770 625 0000 x1201

From steve at silug.org Mon Apr 9 11:55:43 2001
From: steve at silug.org (Steven Pritchard)
Date: Mon, 9 Apr 2001 11:55:43 -0500 (CDT)
Subject: [pptp-server] Win2k - pptp encyption problems -- a solution
In-Reply-To: <0GBG00J04IAT13@mta4.srv.hcvlny.cv.net> "from Matthew Drobnak at Apr 8, 2001 00:40:05 am"
Message-ID: <200104091655.f39GthX16984@osiris.silug.org>

Matthew Drobnak said:
> Therefore, the solution, which also worked for me, is that the 40 bit MPPE encryption protocol CANNOT be enabled. Once it is either commented out, the connection works flawlessly. A problem here, however. I think the exact opposite is true for out-of-the-box win2k... if there's no 40bit available, it will fail negotiations, and not be able to connect at all.. Anyone care to test this theory?

My testing seems to indicate that the exact opposite is also true for Windows 98SE and possibly also ME. Without "mppe-40" in /etc/ppp/options, they will connect and negotiate MPPE 128 bit, but pppd spews messages like these for all traffic:

Apr 9 11:34:00 ra0 pppd[9521]: rcvd [Compressed data] 90 00 bb 5c a3 2d a7 0d ...
Apr 9 11:34:04 ra0 pppd[9521]: rcvd [Compressed data] 90 01 c3 1a 0e cb c2 29 ...

No traffic actually goes across the link. Simply adding "mppe-40" to /etc/ppp/options makes everything work perfectly. (The clients still negotiate MPPE 128 bit.)

This is on 2.4.2 with pptpd 1.1.2, with what I think are all of the current pppd and kernel patches. (I'd check to see what all I've applied, but the box with source is unavailable at the moment thanks to an office move...)

Steve
--
steve at silug.org | Southern Illinois Linux Users Group
(618)398-7320   | See web site for meeting details.
Steven Pritchard | http://www.silug.org/

From hughy at computone.com Mon Apr 9 17:31:21 2001
From: hughy at computone.com (Hugh Young)
Date: Mon, 9 Apr 2001 18:31:21 -0400
Subject: [pptp-server] Latest MsChapv2 code
Message-ID: <95B97DD42B78D31193A8005004D1E05C37BAF5@mustang.computone.com>

Hello,

Currently I'm writing code that enables my product to handle both in and outbound MsChapv2 calls. My code, which is written from RFC2759, works fine up to a certain point. Inside a MsChapv2 success packet, there is a 40 hex digit response that I have to calculate and match on my end in order to open up a connection. My code (based on RFC2759) correctly calculates the PeerChallenge and Authenticator response using MD4, SHA, and the expanded Unicode password. However, when using this code in the GenerateAuthenticatorResponse which is also called in CheckAuthenticatorResponse, the 40 digits (42 digits with "S","=") do not match.

Could you please provide some assistance in locating some updated code, advising me what the problem might be, or if necessary please forward this email along.

Thanks,
Hugh Young
770 625 0000 x1201

From steve at silug.org Mon Apr 9 20:59:11 2001
From: steve at silug.org (Steven Pritchard)
Date: Mon, 9 Apr 2001 20:59:11 -0500 (CDT)
Subject: [pptp-server] Win2k - pptp encyption problems -- a solution
In-Reply-To: <200104091655.f39GthX16984@osiris.silug.org> "from Steven Pritchard at Apr 9, 2001 11:55:43 am"
Message-ID: <200104100159.f3A1xCm18791@osiris.silug.org>

OK, it gets even better...

I decided to test Windows 2000. With "mppe-40" commented out, everything works perfectly. With it uncommented, the link doesn't work.

Then I noticed something odd... I started pinging the other side of the link. The connection came up, and this log message appeared:

Apr 9 20:47:27 ra0 pppd[10021]: Script /etc/ppp/ip-up finished (pid 10023), status = 0x0

The other side of the link responded to pings at this point! Then the following showed up in the logs:

Apr 9 20:47:30 ra0 pppd[10021]: sent [CCP ConfReq id=0x3 ]
Apr 9 20:47:33 ra0 pppd[10021]: sent [CCP ConfReq id=0x3 ]
Apr 9 20:47:34 ra0 pppd[10021]: rcvd [CCP ConfAck id=0x3 ]
Apr 9 20:47:34 ra0 pppd[10021]: MPPE 128 bit, stateless compression enabled
Apr 9 20:47:34 ra0 pppd[10021]: stateless MPPE enforced
Apr 9 20:47:34 ra0 pppd[10021]: rcvd [CCP ConfReq id=0x8 ]
Apr 9 20:47:34 ra0 pppd[10021]: sent [CCP ConfReq id=0x4 ]
Apr 9 20:47:34 ra0 pppd[10021]: sent [CCP ConfAck id=0x8 ]
Apr 9 20:47:34 ra0 pppd[10021]: rcvd [CCP ConfAck id=0x3 ]
Apr 9 20:47:34 ra0 pppd[10021]: rcvd [CCP ConfAck id=0x3 ]
Apr 9 20:47:34 ra0 pppd[10021]: rcvd [CCP ConfRej id=0x4 ]
Apr 9 20:47:34 ra0 pppd[10021]: sent [CCP ConfReq id=0x5 ]
Apr 9 20:47:34 ra0 pppd[10021]: rcvd [CCP ConfNak id=0x5 ]
Apr 9 20:47:34 ra0 pppd[10021]: sent [CCP ConfReq id=0x6 ]
Apr 9 20:47:34 ra0 pppd[10021]: rcvd [CCP ConfAck id=0x6 ]
Apr 9 20:47:34 ra0 pppd[10021]: MPPE 128 bit, stateless compression enabled
Apr 9 20:47:34 ra0 pppd[10021]: stateless MPPE enforced

At this point, the other side of the link stopped responding to pings.

Anyone want to take a guess at what is happening?
Steve
--
steve at silug.org | Southern Illinois Linux Users Group
(618)398-7320   | See web site for meeting details.
Steven Pritchard | http://www.silug.org/

From mdrobnak at optonline.net Mon Apr 9 23:24:24 2001
From: mdrobnak at optonline.net (Matthew Drobnak)
Date: Tue, 10 Apr 2001 00:24:24 -0400 (EDT)
Subject: [pptp-server] Win2k - pptp encyption problems -- a solution
Message-ID: <0GBK0051I6W4FQ@mta8.srv.hcvlny.cv.net>

What did you do to make this message appear? What patches are you using? I do not get anything that says "enforced," only "enabled"...but it works here too. Win2k 128, Win98 128 (using PPPMAC.VXD from WinME)

Good enough for me.

-Matthew Drobnak

> Apr 9 20:47:34 ra0 pppd[10021]: stateless MPPE enforced

From ERobertstad at txc.com Mon Apr 9 23:21:09 2001
From: ERobertstad at txc.com (Eirik Robertstad)
Date: Tue, 10 Apr 2001 00:21:09 -0400
Subject: [pptp-server] PPTPD & GRE problems?!
Message-ID: <3AD28A35.2060806@txc.com>

I just can't seem to get this working.... can anyone out there help me out with this please? Here is what I'm getting in my log file:

pptpd[25025]: MGR: Launching /sbin/pptpctrl to handle client
pptpd[2310]: MGR: Reaped child 25025
modprobe: modprobe: Can't locate module tty-ldisc-3
pptpd[25025]: CTRL: local address = 192.168.0.234
pptpd[25025]: CTRL: remote address = 192.168.1.234
pptpd[25025]: CTRL: Client 172.18.0.253 control connection started
pptpd[25025]: CTRL: Received PPTP Control Message (type: 1)
pptpd[25025]: CTRL: Made a START CTRL CONN RPLY packet
pptpd[25025]: CTRL: I wrote 156 bytes to the client.
pptpd[25025]: CTRL: Sent packet to client
pptpd[25025]: CTRL: Received PPTP Control Message (type: 7)
pptpd[25025]: CTRL: Set parameters to 0 maxbps, 16 window size
pptpd[25025]: CTRL: Made a OUT CALL RPLY packet
pptpd[25025]: CTRL: Starting call (launching pppd, opening GRE)
pptpd[25025]: CTRL: pty_fd = 4
pptpd[25025]: CTRL: tty_fd = 5
pptpd[25026]: CTRL (PPPD Launcher): Connection speed = 115200
pptpd[25026]: CTRL (PPPD Launcher): local address = 192.168.0.234
pptpd[25026]: CTRL (PPPD Launcher): remote address = 192.168.1.234
pptpd[25025]: CTRL: I wrote 32 bytes to the client.
pptpd[25025]: CTRL: Sent packet to client
pptpd[25025]: GRE: read(fd=4,buffer=809c180,len=8196) from PTY failed: status = -1 error = Input/output error
pptpd[25025]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
pptpd[25025]: CTRL: Client 172.18.0.253 control connection finished
pptpd[25025]: CTRL: Exiting now

From pstarzew at gbp.com Tue Apr 10 08:03:51 2001
From: pstarzew at gbp.com (Pete Starzewski)
Date: Tue, 10 Apr 2001 08:03:51 -0500
Subject: [pptp-server] PPTPD & GRE problems?!
In-Reply-To: <3AD28A35.2060806@txc.com>
Message-ID: <4.3.2.7.1.20010410080140.00b1c430@mail06.gbp.com>

Looks like something is blocking GRE packets. Do you possibly have a firewall in the way? I have even seen some posts in the archive where ISPs were blocking GRE. You may also want to check your ipchains config on the poptop server.

Pete

At 12:21 AM 4/10/01 -0400, you wrote:
>I just can't seem to get this working.... can anyone out there help me out with this please? Here is what I'm getting in my log file:
>
>pptpd[25025]: MGR: Launching /sbin/pptpctrl to handle client
>pptpd[2310]: MGR: Reaped child 25025
>modprobe: modprobe: Can't locate module tty-ldisc-3
>pptpd[25025]: CTRL: local address = 192.168.0.234
>pptpd[25025]: CTRL: remote address = 192.168.1.234
>pptpd[25025]: CTRL: Client 172.18.0.253 control connection started
>pptpd[25025]: CTRL: Received PPTP Control Message (type: 1)
>pptpd[25025]: CTRL: Made a START CTRL CONN RPLY packet
>pptpd[25025]: CTRL: I wrote 156 bytes to the client.
>pptpd[25025]: CTRL: Sent packet to client
>pptpd[25025]: CTRL: Received PPTP Control Message (type: 7)
>pptpd[25025]: CTRL: Set parameters to 0 maxbps, 16 window size
>pptpd[25025]: CTRL: Made a OUT CALL RPLY packet
>pptpd[25025]: CTRL: Starting call (launching pppd, opening GRE)
>pptpd[25025]: CTRL: pty_fd = 4
>pptpd[25025]: CTRL: tty_fd = 5
>pptpd[25026]: CTRL (PPPD Launcher): Connection speed = 115200
>pptpd[25026]: CTRL (PPPD Launcher): local address = 192.168.0.234
>pptpd[25026]: CTRL (PPPD Launcher): remote address = 192.168.1.234
>pptpd[25025]: CTRL: I wrote 32 bytes to the client.
>pptpd[25025]: CTRL: Sent packet to client
>pptpd[25025]: GRE: read(fd=4,buffer=809c180,len=8196) from PTY failed: status = -1 error = Input/output error
>pptpd[25025]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
>pptpd[25025]: CTRL: Client 172.18.0.253 control connection finished
>pptpd[25025]: CTRL: Exiting now

From ERobertstad at txc.com Tue Apr 10 08:19:16 2001
From: ERobertstad at txc.com (Eirik Robertstad)
Date: Tue, 10 Apr 2001 09:19:16 -0400
Subject: [Fwd: Re: [pptp-server] PPTPD & GRE problems?!]
Message-ID: <3AD30854.8070407@txc.com>

The system PoPToP is running on is a firewall, but I've tried putting in a rule to allow ALL packets of ANY protocol just for testing. It's running a firewall by the name of Astaro (www.astaro.com).

I guess then... what command should I send to IPtables to open up GRE totally, instead of trying to do it by ANY protocol?

Thanks,
Eirik Robertstad

Pete Starzewski wrote:
> Looks like something is blocking GRE packets. Do you possibly have a firewall in the way? I have even seen some posts in the archive where ISPs were blocking GRE. You may also want to check your ipchains config on the poptop server.
>
> Pete
>
> At 12:21 AM 4/10/01 -0400, you wrote:
>
>> I just can't seem to get this working.... can anyone out there help me out with this please? Here is what I'm getting in my log file:
>>
>> pptpd[25025]: MGR: Launching /sbin/pptpctrl to handle client
>> pptpd[2310]: MGR: Reaped child 25025
>> modprobe: modprobe: Can't locate module tty-ldisc-3
>> pptpd[25025]: CTRL: local address = 192.168.0.234
>> pptpd[25025]: CTRL: remote address = 192.168.1.234
>> pptpd[25025]: CTRL: Client 172.18.0.253 control connection started
>> pptpd[25025]: CTRL: Received PPTP Control Message (type: 1)
>> pptpd[25025]: CTRL: Made a START CTRL CONN RPLY packet
>> pptpd[25025]: CTRL: I wrote 156 bytes to the client.
>> pptpd[25025]: CTRL: Sent packet to client
>> pptpd[25025]: CTRL: Received PPTP Control Message (type: 7)
>> pptpd[25025]: CTRL: Set parameters to 0 maxbps, 16 window size
>> pptpd[25025]: CTRL: Made a OUT CALL RPLY packet
>> pptpd[25025]: CTRL: Starting call (launching pppd, opening GRE)
>> pptpd[25025]: CTRL: pty_fd = 4
>> pptpd[25025]: CTRL: tty_fd = 5
>> pptpd[25026]: CTRL (PPPD Launcher): Connection speed = 115200
>> pptpd[25026]: CTRL (PPPD Launcher): local address = 192.168.0.234
>> pptpd[25026]: CTRL (PPPD Launcher): remote address = 192.168.1.234
>> pptpd[25025]: CTRL: I wrote 32 bytes to the client.
>> pptpd[25025]: CTRL: Sent packet to client
>> pptpd[25025]: GRE: read(fd=4,buffer=809c180,len=8196) from PTY failed: status = -1 error = Input/output error
>> pptpd[25025]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
>> pptpd[25025]: CTRL: Client 172.18.0.253 control connection finished
>> pptpd[25025]: CTRL: Exiting now

From ERobertstad at txc.com Tue Apr 10 09:33:41 2001
From: ERobertstad at txc.com (Eirik Robertstad)
Date: Tue, 10 Apr 2001 10:33:41 -0400
Subject: [pptp-server] PPTPD & GRE problems?!
References: <4.3.2.7.1.20010410080140.00b1c430@mail06.gbp.com> <4.3.2.7.1.20010410091142.00b0fba0@mail06.gbp.com>
Message-ID: <3AD319C5.90600@txc.com>

Well that's part of the problem, they aren't too quick to respond to problems, and when it comes to PPTP, they don't fully support it from what I see. Most of the VPN is focused on the IPSec option instead, so I turned here for some general help. There doesn't seem to be many docs on using PoPToP with the 2.4 kernel that I've found, or using PoPToP on a firewall system. Between that and if it's behind a firewall it looks like it can only be used for one client (totally useless).

Thanks again,
Eirik Robertstad

Pete Starzewski wrote:
> At 09:18 AM 4/10/01 -0400, you wrote:
>
>> The system PoPToP is running on is a firewall, but I've tried putting in a rule to allow ALL packets of ANY protocol just for testing. It's running a firewall by the name of Astaro (www.astaro.com).
>>
>> I guess then... what command should I send to IPtables to open up GRE totally, instead of trying to do it by ANY protocol?
>>
>> Thanks,
>> Eirik Robertstad
>
> Eirik,
>
> Here is something I found on the astaro web site..
>
> Topic: PPTP
> elfering
> Junior Member
> Member # 308
>
> posted 01 March 2001 22:08
>
> Is there a way to setup PPTP support for machines inside the firewall? I don't see anything regarding the GRE protocol.
>
> From: Omaha, Nebraska, USA | Registered: Mar 2001
>
> Gert Hansen
> Astaro Admin
> Member # 3
>
> posted 03 March 2001 06:54
>
> you can enable that protocol using the Protocol Any with some drop rules in front of that.
>
> fyi: you can nat or masquerade only one pptp connection to the same pptp server.
>
> CHeers GErt
>
> They talk about "drop rules". I would suggest contacting the vendor to get a truly definitive answer. It sounds like you are on the right track with the Protocol set to "Any". Sorry I can't help you more. I may even be all wet about it being a problem with the firewall, but that error in the log certainly points to something blocking the GRE packets.
>
> Pete
>
>> Pete Starzewski wrote:
>>
>>> Looks like something is blocking GRE packets. Do you possibly have a firewall in the way? I have even seen some posts in the archive where ISPs were blocking GRE. You may also want to check your ipchains config on the poptop server.
>>> Pete
>>>
>>> At 12:21 AM 4/10/01 -0400, you wrote:
>>>
>>>> I just can't seem to get this working.... can anyone out there help me out with this please? Here is what I'm getting in my log file:
>>>> pptpd[25025]: MGR: Launching /sbin/pptpctrl to handle client
>>>> pptpd[2310]: MGR: Reaped child 25025
>>>> modprobe: modprobe: Can't locate module tty-ldisc-3
>>>> pptpd[25025]: CTRL: local address = 192.168.0.234
>>>> pptpd[25025]: CTRL: remote address = 192.168.1.234
>>>> pptpd[25025]: CTRL: Client 172.18.0.253 control connection started
>>>> pptpd[25025]: CTRL: Received PPTP Control Message (type: 1)
>>>> pptpd[25025]: CTRL: Made a START CTRL CONN RPLY packet
>>>> pptpd[25025]: CTRL: I wrote 156 bytes to the client.
>>>> pptpd[25025]: CTRL: Sent packet to client
>>>> pptpd[25025]: CTRL: Received PPTP Control Message (type: 7)
>>>> pptpd[25025]: CTRL: Set parameters to 0 maxbps, 16 window size
>>>> pptpd[25025]: CTRL: Made a OUT CALL RPLY packet
>>>> pptpd[25025]: CTRL: Starting call (launching pppd, opening GRE)
>>>> pptpd[25025]: CTRL: pty_fd = 4
>>>> pptpd[25025]: CTRL: tty_fd = 5
>>>> pptpd[25026]: CTRL (PPPD Launcher): Connection speed = 115200
>>>> pptpd[25026]: CTRL (PPPD Launcher): local address = 192.168.0.234
>>>> pptpd[25026]: CTRL (PPPD Launcher): remote address = 192.168.1.234
>>>> pptpd[25025]: CTRL: I wrote 32 bytes to the client.
>>>> pptpd[25025]: CTRL: Sent packet to client
>>>> pptpd[25025]: GRE: read(fd=4,buffer=809c180,len=8196) from PTY failed: status = -1 error = Input/output error
>>>> pptpd[25025]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
>>>> pptpd[25025]: CTRL: Client 172.18.0.253 control connection finished
>>>> pptpd[25025]: CTRL: Exiting now

From tomryan at camlaw.rutgers.edu Tue Apr 10 09:35:17 2001
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Tue, 10 Apr 2001 10:35:17 -0400 (EDT)
Subject: [pptp-server] problems with linksys etherfast cable/dsl router
Message-ID:

I'm trying to get a pc connected to a linksys to talk to my pptp server. If I connect directly to the cable modem all works well, add in the linksys and no go. linksys is running firmware 1.35.

I would appreciate any help you can give.

Thank you.

Tom
--
_______________________________________________________________________
Tom Ryan                          Voice: 856-225-6361
Consulting System Administrator   Fax:   856-969-7900
Rutgers School of Law - Camden

From charlieb at e-smith.com Tue Apr 10 09:57:36 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Tue, 10 Apr 2001 10:57:36 -0400 (EDT)
Subject: [pptp-server] PPTPD & GRE problems?!
In-Reply-To: <3AD319C5.90600@txc.com>
Message-ID:

On Tue, 10 Apr 2001, Eirik Robertstad wrote:

> turned here for some general help. There doesn't seem to be many docs on using PoPToP with the 2.4 kernel that I've found, or using PoPToP on a firewall system. Between that and if it's behind a firewall it looks like it can only be used for one client (totally useless).

No, totally useless would be if it could be used for no clients.

Charlie Brady                          charlieb at e-smith.com
http://www.e-smith.org (development)   http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000   Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From mikes at hartwellcorp.com Tue Apr 10 16:08:21 2001
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Tue, 10 Apr 2001 14:08:21 -0700
Subject: [pptp-server] PoPToP crashing on SMP RedHat-7
Message-ID: <91A5926EFF44D3118B1200104B7276EB654FD2@hart-exchange.hartwellcorp.com>

Poptop version 1.1.2 keeps crashing on me. I have it running on an i386 RedHat-7 system using kernel-smp-2.2.17-14. My pppd version is 2.3.11 and has all the patches I could find (chapms-v2, mppe, require-mppe, strip-msdomain and the RedHat patches). The kernel log contains the following:

Apr 8 00:03:20 guardian kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000070
Apr 8 00:03:20 guardian kernel: current->tss.cr3 = 0ed0a000, %cr3 = 0ed0a000
Apr 8 00:03:20 guardian kernel: *pde = 00000000
Apr 8 00:03:20 guardian kernel: Oops: 0002
Apr 8 00:03:20 guardian kernel: CPU: 1
Apr 8 00:03:20 guardian kernel: EIP: 0010:[aic7xxx:__insmod_aic7xxx_S.bss_L256+328003/281562878]
Apr 8 00:03:20 guardian kernel: EFLAGS: 00010282
Apr 8 00:03:20 guardian kernel: eax: 00004000 ebx: 0000006e ecx: c2771c00 edx: 00000000
Apr 8 00:03:20 guardian kernel: esi: c2771ed9 edi: c2771c48 ebp: c2771c48 esp: ceb97ebc
Apr 8 00:03:20 guardian kernel: ds: 0018 es: 0018 ss: 0018
Apr 8 00:03:20 guardian kernel: Process pptpctrl (pid: 25208, process nr: 107, stackpage=ceb97000)
Apr 8 00:03:20 guardian kernel: Stack: cdfc8000 00000000 ffff6e1f 00000002 c2771c48 00000000 c234d000 c2771f2e
Apr 8 00:03:21 guardian kernel:        0000008f d0879f6c c2771c00 c2771c00 cdfc8000 ceb97f8c 00000000 d0879b8b
Apr 8 00:03:21 guardian kernel:        c2771c00 cdfc8000 c6f88000 c01bb77a cdfc8000 00000000 c6f88000 c01b0a3a
Apr 8 00:03:21 guardian kernel: Call Trace: [aic7xxx:__insmod_aic7xxx_S.bss_L256+327212/281563669] [aic7xxx:__insmod_aic7xxx_S.bss_L256+326219/281564662] [pty_unthrottle+38/88] [check_unthrottle+42/48] [read_chan+1678/1984] [tty_read+174/208] [sys_read+192/228]
Apr 8 00:03:21 guardian kernel:        [system_call+52/56] [startup_32+43/170]
Apr 8 00:03:21 guardian kernel: Code: f0 ff 4a 70 0f 94 c0 84 c0 74 09 52 e8 0c bc 8d ef 83 c4 04

I've seen one other reference to this problem in the archives but the author was using version 1.0. No solution was posted other than "I think the new version doesn't do this."

Any thoughts?

--------------------
Michael St. Laurent
Hartwell Corporation

From mrp at hafatel.com Tue Apr 10 19:50:14 2001
From: mrp at hafatel.com (Mike McPherson) Date: Wed, 11 Apr 2001 10:50:14 +1000 Subject: [pptp-server] (no subject) Message-ID: <022901c0c221$62c59880$cd79a8c0@netpci.com> Can anyone tell me what I may have done wrong. I set up PopTop 1.0.1 on redhat 6.2 using the instructions from http://poptop.lineo.com/releases/PoPToP-RedHat-HOWTO.txt for no encryption. WINDOWS 98 Error Message: The computer you're dialing in to does not respond to a network request. Check your server type setting in the properties of the connection. If this problem persists, check with your network administrator. pptpd error log:

Apr 11 10:45:54 dev2 pptpd[2033]: MGR: Launching /usr/local/sbin/pptpctrl to handle client
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: local address = 192.168.0.235
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: remote address = 192.168.1.235
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: pppd speed = 115200
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Client 192.168.121.1 control connection started
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Received PPTP Control Message (type: 1)
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Made a START CTRL CONN RPLY packet
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: I wrote 156 bytes to the client.
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Sent packet to client
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Received PPTP Control Message (type: 7)
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Set parameters to 0 maxbps, 16 window size
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Made a OUT CALL RPLY packet
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Starting call (launching pppd, opening GRE)
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: pty_fd = 4
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: tty_fd = 5
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: I wrote 32 bytes to the client.
Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Sent packet to client
Apr 11 10:45:54 dev2 pptpd[2034]: CTRL (PPPD Launcher): Connection speed = 115200
Apr 11 10:45:54 dev2 pptpd[2034]: CTRL (PPPD Launcher): local address = 192.168.0.235
Apr 11 10:45:54 dev2 pptpd[2034]: CTRL (PPPD Launcher): remote address = 192.168.1.235
Apr 11 10:45:54 dev2 pppd[2034]: pppd 2.4.1 started by root, uid 0
Apr 11 10:45:54 dev2 pppd[2034]: Using interface ppp0
Apr 11 10:45:54 dev2 pppd[2034]: Connect: ppp0 <--> /dev/pts/0
Apr 11 10:45:54 dev2 pppd[2034]: sent [LCP ConfReq id=0x1 ]
Apr 11 10:46:21 dev2 last message repeated 9 times
Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Received PPTP Control Message (type: 12)
Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Made a CALL DISCONNECT RPLY packet
Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Received CALL CLR request (closing call)
Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: I wrote 148 bytes to the client.
Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Sent packet to client
Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Error with select(), quitting
Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Client 192.168.121.1 control connection finished
Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Exiting now
Apr 11 10:46:24 dev2 pptpd[2026]: MGR: Reaped child 2033
Apr 11 10:46:24 dev2 pppd[2034]: Modem hangup
Apr 11 10:46:24 dev2 pppd[2034]: Connection terminated.
Apr 11 10:46:24 dev2 pppd[2034]: Exit.

##############? print "\n Welcome to NEPP";$?=1;while ($?){ print "\n$?";$?++;if ($? == 1000) { print "\n$?"."\nWell almost never ending :?";exit;}} ##############?

From jimmc at irobot.com Tue Apr 10 19:56:53 2001
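The log above shows a pattern worth learning to recognise: the control connection on TCP 1723 completes (the Start-Control-Connection-Request and the Outgoing-Call-Request are both answered), pppd then sends LCP ConfReq over the GRE tunnel ten times and never receives a single frame back, and the client finally clears the call. That is the signature of a path that passes TCP 1723 but drops IP protocol 47. The following triage script is an added example, not code from the original post or from the PoPToP project: it reads pptpd/pppd syslog lines and separates that data-path symptom from the missing-secret and address-authorization errors that appear elsewhere in this thread. The control-message type table is from RFC 2637; the sample log lines are constructed by trimming the log quoted above; the verdict strings are my own names.

```python
import re

# RFC 2637 control-message type codes, so the "(type: N)" numbers in pptpd's
# CTRL lines can be read without the RFC open.
PPTP_CTRL_TYPES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    5: "Echo-Request",
    6: "Echo-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
    12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify",
}

CTRL_RE = re.compile(r"Received PPTP Control Message \(type: (\d+)\)")
LCP_SENT_RE = re.compile(r"pppd\[\d+\]: sent \[LCP ConfReq")
LCP_RCVD_RE = re.compile(r"pppd\[\d+\]: rcvd \[LCP")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
SECRET_MISSING = ("no secret in samba secret file",
                  "couldn't find any suitable secret")
ADDR_DENIED = "peer is not authorized to use remote address"


def control_messages(lines):
    """Control-message types pptpd logged receiving, as (code, name) pairs."""
    found = []
    for line in lines:
        m = CTRL_RE.search(line)
        if m:
            code = int(m.group(1))
            found.append((code, PPTP_CTRL_TYPES.get(code, "unknown")))
    return found


def lcp_confreq_count(lines):
    """LCP Configure-Requests pppd sent. syslog folds repeats into a
    'last message repeated N times' line that refers to the line before it."""
    count = 0
    prev_was_confreq = False
    for line in lines:
        if LCP_SENT_RE.search(line):
            count += 1
            prev_was_confreq = True
            continue
        m = REPEAT_RE.search(line)
        if m and prev_was_confreq:
            count += int(m.group(1))
        prev_was_confreq = False
    return count


def classify(lines):
    """Verdict for the syslog lines of one connection attempt: (verdict, ConfReqs sent)."""
    text = "\n".join(lines)
    sent = lcp_confreq_count(lines)
    if any(s in text for s in SECRET_MISSING):
        return ("missing-secret", sent)
    if ADDR_DENIED in text:
        return ("address-not-authorized", sent)
    codes = [code for code, _ in control_messages(lines)]
    rcvd = any(LCP_RCVD_RE.search(line) for line in lines)
    # pptpd answered the Outgoing-Call-Request (so TCP 1723 works end to end),
    # pppd kept sending ConfReq over the GRE tunnel and nothing ever came back:
    # IP protocol 47 is being dropped somewhere between client and server.
    if 7 in codes and sent > 0 and not rcvd:
        return ("gre-datapath-blocked", sent)
    if rcvd:
        return ("ppp-negotiating", sent)
    return ("undetermined", sent)


# Constructed samples, trimmed from the logs quoted in this thread.
SAMPLE_GRE_BLOCKED = [
    "Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Client 192.168.121.1 control connection started",
    "Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Received PPTP Control Message (type: 1)",
    "Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Made a START CTRL CONN RPLY packet",
    "Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Received PPTP Control Message (type: 7)",
    "Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Made a OUT CALL RPLY packet",
    "Apr 11 10:45:54 dev2 pptpd[2033]: CTRL: Starting call (launching pppd, opening GRE)",
    "Apr 11 10:45:54 dev2 pppd[2034]: sent [LCP ConfReq id=0x1 ]",
    "Apr 11 10:46:21 dev2 last message repeated 9 times",
    "Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Received PPTP Control Message (type: 12)",
    "Apr 11 10:46:24 dev2 pptpd[2033]: CTRL: Received CALL CLR request (closing call)",
    "Apr 11 10:46:24 dev2 pppd[2034]: Modem hangup",
]
SAMPLE_NO_SECRET = [
    "Apr 10 20:44:09 pptp pppd[2282]: no secret in samba secret file /etc/samba/smbpasswd",
    "Apr 10 20:44:09 pptp pppd[2282]: The remote system is required to authenticate itself",
]
```

Run `classify()` over the lines of one connection attempt (split on the pptpd PID if several are interleaved). A "gre-datapath-blocked" verdict means the next thing to check is whatever sits between client and server for protocol 47, not pptpd or chap-secrets.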
From: jimmc at irobot.com (Jim McCormack) Date: Tue, 10 Apr 2001 20:56:53 -0400 (EDT) Subject: [pptp-server] Help with no blank smb passwd patches Message-ID: <3410.192.168.57.201.986950613.squirrel@webmail.irobot.com> Hello All: I am trying to use smbpasswd for authentication for ppp. What is unclear to me is what is the correct patch available to prevent the blank smb password problem, and does anyone know why I am having the problem I am. I tried to follow the threads on the mailing list. Based on those threads I have applied a patch(es) from http://www.hattaway.co.nz/patches/ First I applied the ordinary pppsmb.pat and then the blank_passwd_fix2.diff patch. The patches applied fine, but I can't get it to work. I get the following errors. I think I saw that someone else had this same problem:

-----------
Apr 10 20:44:09 pptp pppd[2282]: no secret in samba secret file /etc/samba/smbpasswd
Apr 10 20:44:09 pptp pppd[2282]: The remote system is required to authenticate itself
Apr 10 20:44:09 pptp pppd[2282]: but I couldn't find any suitable secret (password) for it to use to do so.
------

I have also extracted the ppp-2.3.11 sources cleanly and applied all of the following patches. All of the patches apply with no error: ppp-2.3.11-openssl-norc4-mppe.patch ppp_mppe_compressed_data_fix.diff pppsmbnoblank.patch strip-MSdomain-patch.diff I then recompile, make and make install and restart everything. Once again I still get the error above. It is interesting to note that I don't have any problem using usernames and passwords spelled out in chap-secrets instead of smbpasswd. Finally, thanks to everyone who contributes to this project, be it how-tos, patches or etc. Thanks ahead of time for any help. Cheers! Jim McCormack

From mrp at hafatel.com Tue Apr 10 20:37:18 2001
From: mrp at hafatel.com (Mike McPherson) Date: Wed, 11 Apr 2001 11:37:18 +1000 Subject: [pptp-server] Error message Message-ID: <023a01c0c227$f298ff00$cd79a8c0@netpci.com> /usr/sbin/pppd: The remote system is required to authenticate itself /usr/sbin/pppd: but I couldn't find any suitable secret (password) for it to use to do so. What is this error ? ##############? print "\n Welcome to NEPP";$?=1;while ($?){ print "\n$?";$?++;if ($? == 1000) { print "\n$?"."\nWell almost never ending :?";exit;}} ##############?

From john at snake.supranet.net Tue Apr 10 20:46:47 2001 From: john at snake.supranet.net (John Heyer) Date: Tue, 10 Apr 2001 20:46:47 -0500 (CDT) Subject: [pptp-server] FreeBSD 3.2 Problems In-Reply-To: <88786160BFD1D211B10800A0C9EC744EAB7AA4@corp.atsworld.com> Message-ID: On Wed, 14 Mar 2001, Smith, Rick wrote: > > Hi all, trying to run PopTop 1.0.1 on FreeBSD 3.2 RELEASE. > > I can get ONE connection up and running, but every additional connection > attempt closes immediately upon trying with a "620" error from Microsoft. > > Using PPTPD with Windows 2000 client in PAP only mode. > > Never did seem to get standard Microsoft CHAP working properly. If anyone > has suggestions there, I'd love to hear them. > > Thanks > Rick Might want to check your Kernel, because the "GENERIC" kernel only includes one tun device. Check my page at http://heyer.supranet.net/pptp for more details. I'm able to do multiple connections with my FreeBSD 4.1 / PoPToP 1.0.1 box no problem including CHAP support, but have never tried Win2K clients so I don't know if that's an issue. -- John Heyer - john at personal.supranet.net - http://heyer.supranet.net "Me fail English? That's unpossible!" -- Ralph Wiggam

From ctresco at economics.mit.edu Tue Apr 10 21:49:17 2001
From: ctresco at economics.mit.edu (Chris Tresco) Date: Tue, 10 Apr 2001 19:49:17 -0700 (PDT) Subject: [pptp-server] Error message In-Reply-To: <023a01c0c227$f298ff00$cd79a8c0@netpci.com> References: <023a01c0c227$f298ff00$cd79a8c0@netpci.com> Message-ID: <62362.18.162.2.39.986957357.squirrel@econ-wp.mit.edu> You need to populate /etc/ppp/chap-secrets > /usr/sbin/pppd: The remote system is required to authenticate > itself > /usr/sbin/pppd: but I couldn't find any suitable secret (password) for > it to use > to do so. > > What is this error ? > > ##############? > print "\n Welcome to NEPP";$?=1;while ($?){ > print "\n$?";$?++;if ($? == 1000) { > print "\n$?"."\nWell almost never ending :?";exit;}} > ##############?

From khaight at firespout.com Wed Apr 11 06:38:23 2001 From: khaight at firespout.com (Kris Haight) Date: Wed, 11 Apr 2001 07:38:23 -0400 Subject: [pptp-server] problems with linksys etherfast cable/dsl router Message-ID: <37E1E2BB9C28D311AB390008C707D2A60BAD1095@nycexis01.mi8.com> I've also noticed this problem with a Netopia router. It doesn't authenticate at all. The syslog says it gave some Input/Output Error. I however haven't had a problem with my software firewall (WinRoute Pro) at all. The documentation for WinRoute says I don't need to do anything at all. -- Kris -----Original Message-----
From: Tom Ryan [mailto:tomryan at camlaw.rutgers.edu] Sent: Tuesday, April 10, 2001 10:35 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] problems with linksys etherfast cable/dsl router I'm trying to get a pc connected to a linksys to talk to my pptp server. If I connect directly to the cable modem all works well, add in the linksys and no go. linksys is running firmware 1.35. I would appreciate any help you can give. Thank you. Tom -- _______________________________________________________________________ Tom Ryan Voice: 856-225-6361 Consulting System Administrator Fax: 856-969-7900 Rutgers School of Law - Camden _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From Steve at SteveCowles.com Wed Apr 11 08:23:49 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Wed, 11 Apr 2001 08:23:49 -0500 Subject: [pptp-server] problems with linksys etherfast cable/dsl route r Message-ID: <90769AF04F76D41186C700A0C90AFC3EE74D@defiant.infohiiway.com> Personally, I have not installed the Linksys firewall, but based on the content of these posts... it sounds like you need to find the port forwarding equivalent command set so that inbound TCP port 1723 and/or protocol 47 (GRE) packets are properly forwarded to your PPTP server behind the firewall/router. Consider checking LinkSys/Netopia's website. Specifically - the FAQ and Knowledge base sections. Steve Cowles > -----Original Message----- 
> From: Kris Haight [mailto:khaight at firespout.com] > Sent: Wednesday, April 11, 2001 6:38 AM > To: 'Tom Ryan'; pptp-server at lists.schulte.org > Subject: RE: [pptp-server] problems with linksys etherfast cable/dsl > route r > > > I've also noticed this problem with a netopia router. It > doesnt authenticate at all. The syslog says it gave some > Input/Output Error. > > I've however havent had a problem with my software firewall > (WinRoute Pro) at all. The Documentation for WinRoute says > I dont need to do anything at all. > > -- Kris > > -----Original Message----- > From: Tom Ryan [mailto:tomryan at camlaw.rutgers.edu] > Sent: Tuesday, April 10, 2001 10:35 AM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] problems with linksys etherfast > cable/dsl router > > > I'm trying to get a pc connected to a linksys to talk to my > pptp server. If I connect directly to the cable modem all > works well, add in the linksys and no go. > > linksys is running firmware 1.35. > > I would appreciate any help you can give. > > Thank you. > > Tom From tomryan at camlaw.rutgers.edu Wed Apr 11 11:53:32 2001 
From: tomryan at camlaw.rutgers.edu (Tom Ryan) Date: Wed, 11 Apr 2001 12:53:32 -0400 (EDT) Subject: [pptp-server] problems with linksys etherfast cable/dsl route r In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE74D@defiant.infohiiway.com> Message-ID: I upgraded the firmware on the linksys and now everything works fine. (well almost anyway :) I'm running pptpd standalone, ie /usr/local/sbin/pptpd -c /etc/pptpd.conf -o /etc/ppp/pptpoptions The first connection works perfectly, connections attempted after that fail, UNLESS I kill/restart pptpd. Any ideas? Tom p.s. this is the same for both 1.0.1 and 1.1.2 of the software. On Wed, 11 Apr 2001, Cowles, Steve wrote: > Personally, I have not installed the Linksys firewall, but based on the > content of these posts... it sounds like you need to find the port > forwarding equivalent command set so that inbound TCP port 1723 and/or > protocol 47 (GRE) packets are properly forwarded to your PPTP server behind > the firewall/router. > > Consider checking LinkSys/Netopia's website. Specifically - the FAQ and > Knowledge base sections. > > Steve Cowles > > > -----Original Message----- > > From: Kris Haight [mailto:khaight at firespout.com] > > Sent: Wednesday, April 11, 2001 6:38 AM > > To: 'Tom Ryan'; pptp-server at lists.schulte.org > > Subject: RE: [pptp-server] problems with linksys etherfast cable/dsl > > route r > > > > > > I've also noticed this problem with a netopia router. It > > doesnt authenticate at all. The syslog says it gave some > > Input/Output Error. > > > > I've however havent had a problem with my software firewall > > (WinRoute Pro) at all. The Documentation for WinRoute says > > I dont need to do anything at all. > > > > -- Kris > > > > -----Original Message----- 
> > From: Tom Ryan [mailto:tomryan at camlaw.rutgers.edu] > > Sent: Tuesday, April 10, 2001 10:35 AM > > To: pptp-server at lists.schulte.org > > Subject: [pptp-server] problems with linksys etherfast > > cable/dsl router > > > > > > I'm trying to get a pc connected to a linksys to talk to my > > pptp server. If I connect directly to the cable modem all > > works well, add in the linksys and no go. > > > > linksys is running firmware 1.35. > > > > I would appreciate any help you can give. > > > > Thank you. > > > > Tom > -- _______________________________________________________________________ Tom Ryan Voice: 856-225-6361 Consulting System Administrator Fax: 856-969-7900 Rutgers School of Law - Camden From vgill at technologist.com Fri Apr 13 18:12:04 2001 From: vgill at technologist.com (Gill, Vern) Date: Fri, 13 Apr 2001 16:12:04 -0700 Subject: [pptp-server] problems with linksys etherfast cable/dsl route r Message-ID: <8D043DEA73DFD411958A00A0C90AB760045ADD@ftp.gillnet.org> If the Netopia router you are referring to is a DSL router, you will need to add the "export" of "filter" for the pptp port... -----Original Message----- From: Kris Haight [mailto:khaight at firespout.com] Sent: Wednesday, April 11, 2001 4:38 AM To: 'Tom Ryan'; pptp-server at lists.schulte.org Subject: RE: [pptp-server] problems with linksys etherfast cable/dsl route r I've also noticed this problem with a netopia router. It doesnt authenticate at all. The syslog says it gave some Input/Output Error. I've however havent had a problem with my software firewall (WinRoute Pro) at all. The Documentation for WinRoute says I dont need to do anything at all. -- Kris -----Original Message----- 
From: Tom Ryan [mailto:tomryan at camlaw.rutgers.edu] Sent: Tuesday, April 10, 2001 10:35 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] problems with linksys etherfast cable/dsl router I'm trying to get a pc connected to a linksys to talk to my pptp server. If I connect directly to the cable modem all works well, add in the linksys and no go. linksys is running firmware 1.35. I would appreciate any help you can give. Thank you. Tom -- _______________________________________________________________________ Tom Ryan Voice: 856-225-6361 Consulting System Administrator Fax: 856-969-7900 Rutgers School of Law - Camden _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From nico at rai-usa.com Sat Apr 14 15:26:15 2001 
From: nico at rai-usa.com (Nico D) Date: Sat, 14 Apr 2001 16:26:15 -0400 (EDT) Subject: [pptp-server] Peer is not authorized to use remote address Message-ID: I am currently running a server with RedHat 6.2 on it with pppd 2.3.11 and pptpd 1.0.1. I can connect to another pptpd server without a problem from my Windows ME box, but when I connect to this server I get a "peer is not authorized to use remote address 192.168.0.x". My pptpd.conf file is

debug
options /etc/ppp/options.pptpd
localip 192.168.0.40-50
remoteip 192.168.0.51-61

My options.pptpd file is

auth
require-chap
proxyarp
+chap
name pptpd

The settings are identical on both servers, but I set the one up a long time ago and I can't remember what I did. The new server is giving me this error, and I need to get it fixed. Any help would be very helpful. ta -nico -- ***************************** Nico Darrow RHCE System/Network Administrator Reinicke Athens, INC ph. 706-613-0088 em. nico at rai-usa.com ***************************** "Never trust a tech who tattoos his IP address on his arm, especially if it's DHCP." - /.

From xfzhu at seu.edu.cn Sat Apr 14 19:36:49 2001 From: xfzhu at seu.edu.cn (Zhu Xiaofeng) Date: Sun, 15 Apr 2001 08:36:49 +0800 Subject: [pptp-server] Peer is not authorized to use remote address References: Message-ID: <000d01c0c544$28b432c0$521877ca@SUNSHINE> check your /etc/ppp/chap-secrets ----- Original Message -----
From: "Nico D" To: Sent: Sunday, April 15, 2001 4:26 AM Subject: [pptp-server] Peer is not authorized to use remote address > I currently running a server with RedHat6.2 on it with pppd 2.3.11 > and pptpd1.0.1 > > I can connect to another pptpd server without a problem from my > windows ME box, but when I connect to this server. i get a > "peer is not authorized to use remote address 192.168.0.x" > > my pptpd.conf file is > debug > options /etc/ppp/options.pptpd > localip 192.168.0.40-50 > remoteip 192.168.0.51-61 > > my options.pptpd file is > auth > require-chap > proxyarp > +chap > name pptpd > > The settings are identical on both servers, but I set the one up along > time ago and I can't remember what I did. The new server is giving me this > error, and I need to get it fixed. Any help would be very helpful. > > ta > -nico > > -- > ***************************** > Nico Darrow RHCE > System/Network Administrator > Reinicke Athens, INC > ph. 706-613-0088 > em. nico at rai-usa.com > ***************************** > "Never trust a tech who tattoes his IP address on his arm, especially if > its DHCP." - /. > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > From mrp at hafatel.com Sun Apr 15 18:10:02 2001 
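Zhu's one-line answer is the right one, and the reason is in the fourth column of chap-secrets. pppd looks up the entry by client name and by the server name it was given (here "pptpd", from the `name pptpd` option), then checks the address it is about to hand the peer (one from the `remoteip` pool) against the words that follow the secret; an entry with a correct secret but no fourth word allows no address at all, which is exactly "peer is not authorized to use remote address". The same lookup, failing to find any entry, is what produces the "couldn't find any suitable secret (password)" error in the "Error message" thread above. What follows is an added example of mine, not pppd's code or anything posted to the list: it parses a chap-secrets file and applies the address rules as the pppd man page documents them (no words or "-" allow nothing, "*" allows anything, "a.b.c.d" or "a.b.c.d/n" matches a host or subnet, a leading "!" turns a match into a denial, first match decides). The sample file is constructed, and shell-style quoting and "#" comments are an approximation of pppd's own reader.

```python
import ipaddress
import shlex


def parse_chap_secrets(text):
    """Split a chap-secrets file into entries: client, server, secret, addresses.
    Shell-style quoting and '#' comments approximate pppd's reader (assumption)."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) < 3:
            continue        # blank line, comment, or malformed
        entries.append({
            "client": fields[0],
            "server": fields[1],
            "secret": fields[2],
            "addrs": fields[3:],   # fourth word onward: acceptable peer addresses
        })
    return entries


def find_secret(entries, client, server):
    """First entry whose client and server names match; '*' in the file matches anything."""
    for entry in entries:
        if entry["client"] in ("*", client) and entry["server"] in ("*", server):
            return entry
    return None


def address_allowed(addr_words, addr):
    """pppd's documented rules for the address list, applied in order:
    '-' (or an empty list) allows nothing, '*' allows anything, 'a.b.c.d' or
    'a.b.c.d/n' matches that host or subnet, a leading '!' turns a match into
    a denial, and the first match decides."""
    ip = ipaddress.ip_address(addr)
    for word in addr_words:
        if word == "-":
            return False
        if word == "*":
            return True
        accept = not word.startswith("!")
        net = ipaddress.ip_network(word.lstrip("!"), strict=False)  # bare host => /32
        if ip in net:
            return accept
    return False


def authorize(entries, client, server, addr):
    """What pppd would log for a CHAP peer named client that was assigned addr."""
    entry = find_secret(entries, client, server)
    if entry is None:
        return "no-suitable-secret"        # "couldn't find any suitable secret (password)"
    if not address_allowed(entry["addrs"], addr):
        return "address-not-authorized"    # "peer is not authorized to use remote address"
    return "ok"


# Constructed sample. 'carol' has a valid secret but no fourth field, which is
# the configuration that produces the error in the message above.
SAMPLE_SECRETS = """\
# client   server   secret     acceptable addresses
alice      pptpd    "s3cret"   192.168.0.51
bob        pptpd    "p@ss"     !192.168.0.40 192.168.0.0/24
carol      pptpd    "c4rol"
dave       *        "d4ve"     *
"""
```

With a `remoteip` pool the peer can be handed any address in the range, so the practical fix for a pool like 192.168.0.51-61 is either the subnet form (`192.168.0.0/24`) or `*`, not a single host address.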
From: mrp at hafatel.com (Mike McPherson) Date: Mon, 16 Apr 2001 09:10:02 +1000 Subject: [pptp-server] PPTP Installation Problems Message-ID: <001201c0c601$343db4a0$cd79a8c0@netpci.com> I am having a problem I hope someone can help me with. http://poptop.lineo.com/releases/PoPToP-RedHat-HOWTO.txt These are the instructions I am using for installing this. I am running kernel 2.2.14-5.0smp on a dual CPU. I grabbed the latest ppp version 2.4.0 and the mppe patch for 2.4.0:

ppp-2.4.0.tar.gz
ppp-2.4.0-openssl-0.9.6-mppe.patch.gz
ppp_mppe_compressed_data_fix.diff

I unzip and tar the files as directed. I am logged in as root. I run the patches.

I make menuconfig
I make dep
I make clean
I cd to my ppp installation dir
run ./configure
make
make kernel < --- this is where I get an error message of no rules for make kernel

What am I doing wrong ?? ##############? print "\n Welcome to NEPP";$?=1;while ($?){ print "\n$?";$?++;if ($? == 1000) { print "\n$?"."\nWell almost never ending :?";exit;}} ##############?

From mrp at hafatel.com Sun Apr 15 23:12:11 2001
From: mrp at hafatel.com (Mike McPherson) Date: Mon, 16 Apr 2001 14:12:11 +1000 Subject: [pptp-server] Another try Message-ID: <000e01c0c62b$6a732bc0$cd79a8c0@netpci.com>

[cd /usr/src] "WORKS"
[tar -zxvf ppp-2.3.11.tar.gz] "WORKS"
[gunzip ppp-2.3.11-openssl-0.9.5-mppe.patch.gz] "WORKS"
[cd ppp-2.3.11] # should now be in /usr/src/ppp-2.3.11 "WORKS"
[patch -p1 < ../ppp-2.3.11-openssl-0.9.5-mppe.patch] "WORKS"
[cd linux] # should now be in /usr/src/ppp-2.3.11/linux "WORKS"
[patch < ../../ppp_mppe_compressed_data_fix.diff] "ERROR IS HERE"

OK, making the assumption that something in my kernel was screwed, I blew away the system and started everything from scratch... My server is installed with Redhat 6.2 kernel 2.2.14-5.0smp on a dual i686 processor. I did the install with the everything option. Running the above I get the following error:

patching file 'ppp_mppe.c'
Hunk #1 FAILED at 509.
1 out of 1 Hunk FAILED -- saving rejects to ppp_mppe.c.rej

Any help is greatly appreciated.

From berzerke at swbell.net Sun Apr 15 23:33:52 2001
From: berzerke at swbell.net (robert) Date: Sun, 15 Apr 2001 23:33:52 -0500 Subject: [pptp-server] PPTP Installation Problems In-Reply-To: <001201c0c601$343db4a0$cd79a8c0@netpci.com> References: <001201c0c601$343db4a0$cd79a8c0@netpci.com> Message-ID: <01041523335203.25529@linux> ppp changed between 2.2 and 2.4 kernels. I suspect if you use an older version of ppp (and the appropriate patches), your problem will disappear. Or you could use the 2.4 kernel...There is a Howto. On Sunday 15 April 2001 18:10, Mike McPherson wrote: > I am having a problem I hope someone can help me with. > > http://poptop.lineo.com/releases/PoPToP-RedHat-HOWTO.txt > > This is the instructions I am using for installing this. > I am running kernel 2.2.14-5.0smp on a dual cpu. > > I grabbed the latest ppp version 2.4.0 and the mppe patch for 2.4.0 > ppp-2.4.0.tar.gz > ppp-2.4.0-openssl-0.9.6-mppe.patch.gz > ppp_mppe_compressed_data_fix.diff > > I unzip and tar the files as directed. > I am logged in as root > > I run the patches > > I make menuconfig > I make dep > I make clean > I cd to my ppp installation dir > run ./configure > make > make kernel < --- this is where I get an error message of no rules for > make kernel > > What am I doing wrong ?? > > > > > > ##############? > print "\n Welcome to NEPP";$?=1;while ($?){ > print "\n$?";$?++;if ($? == 1000) { > print "\n$?"."\nWell almost never ending :?";exit;}} > ##############?

From wadeb at burgettsys.com Mon Apr 16 02:52:03 2001
From: wadeb at burgettsys.com (Wade Burgett) Date: Mon, 16 Apr 2001 00:52:03 -0700 Subject: [pptp-server] PPTP Installation Problems References: <001201c0c601$343db4a0$cd79a8c0@netpci.com> Message-ID: <00a901c0c64a$4473e760$6f1f170a@burgettsys.com> My setup is totally different with Linux (Debian, 2.4.2 kernel) but I used ppp 2.4.0. I built the kernel and ppp completely separately. There were patches for each. For the kernel, the standard (after patches): make menuconfig (note there was nothing I turned on after applying the patch to 2.4.2 at least - it made the ppp_mppe module automatically). make dep clean bzImage modules modules_install. And then with ppp, applied patches, then just ./configure make make install. I didn't have to have ppp build the kernel. That's not unheard of (freeswan does that) but wasn't necessary for my build. wade Wade Burgett Burgett Systems http://www.burgettsys.com/ ----- Original Message -----
From: Mike McPherson To: pptp-server at lists.schulte.org Sent: Sunday, April 15, 2001 4:10 PM Subject: [pptp-server] PPTP Installation Problems I am having a problem I hope someone can help me with. http://poptop.lineo.com/releases/PoPToP-RedHat-HOWTO.txt This is the instructions I am using for installing this. I am running kernel 2.2.14-5.0smp on a dual cpu. I grabbed the latest ppp version 2.4.0 and the mppe patch for 2.4.0 ppp-2.4.0.tar.gz ppp-2.4.0-openssl-0.9.6-mppe.patch.gz ppp_mppe_compressed_data_fix.diff I unzip and tar the files as directed. I am logged in as root I run the patches I make menuconfig I make dep I make clean I cd to my ppp installation dir run ./configure make make kernel < --- this is where I get an error message of no rules for make kernel What am I doing wrong ?? ##############? print "\n Welcome to NEPP";$?=1;while ($?){ print "\n$?";$?++;if ($? == 1000) { print "\n$?"."\nWell almost never ending :?";exit;}} ##############?

From mrp at hafatel.com Mon Apr 16 03:08:03 2001 From: mrp at hafatel.com (Mike McPherson) Date: Mon, 16 Apr 2001 18:08:03 +1000 Subject: [pptp-server] Installed Message-ID: <000e01c0c64c$5d12c820$cd79a8c0@netpci.com> I got it installed and working now... I will write who / what / where / when / how and why on it and post it for everyone.... A little tricky but it works beautifully now... Now on to ipchains ##############? print "\n Welcome to NEPP";$?=1;while ($?){ print "\n$?";$?++;if ($? == 1000) { print "\n$?"."\nWell almost never ending :?";exit;}} ##############?

From rcd at amherst.com Mon Apr 16 13:36:16 2001
From: rcd at amherst.com (Robert Dege) Date: Mon, 16 Apr 2001 14:36:16 -0400 Subject: [pptp-server] PPTP behind a Firewall Message-ID: <3ADB3BA0.6040304@amherst.com> Perhaps someone can help me here. I am trying (exhaustively) to get my PPTP server behind a firewall. I believe that I almost have it working, but one minor thing stands in my way. I receive this message on the firewall when attempting a PPTP connection:

Apr 16 13:22:47 odo kernel: ip_masq_gre(): creating GRE masq for 172.28.254.46 -> 12.19.228.58 CID=0 MCID=643A
Apr 16 13:22:47 odo kernel: ip_demasq_gre(): 12.19.228.58 -> 12.19.228.52 CID=0 no masq table, discarding

For some reason, the MASQID is getting lost between the masqing & demasq'ing of the GRE packets. I am running IPFwd --masq $IP 47 I have John Hardin's PPTP kernel patch running (both on the firewall). And I know that the PPTP server works because I can successfully connect when I remove it from behind the firewall. Can anybody help me here??? Thanks -Rob

From berzerke at swbell.net Mon Apr 16 13:53:29 2001
From: berzerke at swbell.net (robert) Date: Mon, 16 Apr 2001 13:53:29 -0500 Subject: [pptp-server] PPTP behind a Firewall In-Reply-To: <3ADB3BA0.6040304@amherst.com> References: <3ADB3BA0.6040304@amherst.com> Message-ID: <01041613532900.28105@linux> I'm guessing you're using ipchains. If so, there is a kernel patch needed to masquerade the pptp connections. I'm (s-l-o-w-l-y) working on something for iptables. On Monday 16 April 2001 13:36, Robert Dege wrote: > Perhaps someone can help me here. I am trying (exhaustively) to get my > PPTP server behind a firewall. I believe that I almost have it working, > but one minor thing stands in my way. > > I receive this message on the firewall when attempting a PPTP connection: > > Apr 16 13:22:47 odo kernel: ip_masq_gre(): creating GRE masq for > 172.28.254.46 -> 12.19.228.58 CID=0 MCID=643A > Apr 16 13:22:47 odo kernel: ip_demasq_gre(): 12.19.228.58 -> > 12.19.228.52 CID=0 no masq table, discarding > > For some reason, the MASQID is getting lost between the masqing & > demasq'ing of the GRE packets. > > I am running IPFwd --masq $IP 47 > I have John Hardin's PPTP kernel patch running > (both on the firewall). > > And I know that the PPTP server works because I can successfully connect > when I remove it from behind the firewall. > > Can anybody help me here??? > > > Thanks > -Rob > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com!

From mckendry at mediaone.net Mon Apr 16 17:53:07 2001
From: mckendry at mediaone.net (John McKendry) Date: Mon, 16 Apr 2001 18:53:07 -0400 Subject: [pptp-server] PPTP behind a Firewall References: <3ADB3BA0.6040304@amherst.com> Message-ID: <3ADB77D3.72FEB74D@mediaone.net> Robert Dege wrote: > > Perhaps someone can help me here. I am trying (exhaustively) to get my > PPTP server behind a firewall. I believe that I almost have it working, > but one minor thing stands in my way. > > I receive this message on the firewall when attempting a PPTP connection: > > Apr 16 13:22:47 odo kernel: ip_masq_gre(): creating GRE masq for > 172.28.254.46 -> 12.19.228.58 CID=0 MCID=643A > Apr 16 13:22:47 odo kernel: ip_demasq_gre(): 12.19.228.58 -> > 12.19.228.52 CID=0 no masq table, discarding > > For some reason, the MASQID is getting lost between the masqing & > demasq'ing of the GRE packets. > You should be seeing ip__pptp() messages. Are you using the Linux PPTP client? I found that the commonly available Linux client uses the wrong CallID once a PPTP session is established, and it causes the sort of symptom you're seeing - masquerading doesn't recognize the traffic as PPTP and tries to handle it as plain GRE. If this doesn't involve the Linux client, I can't help. If it does, I'll either track down the patch or put a new one together. John From teastep at seattlefirewall.dyndns.org Mon Apr 16 18:04:53 2001 
From: teastep at seattlefirewall.dyndns.org (Tom Eastep) Date: Mon, 16 Apr 2001 16:04:53 -0700 (PDT) Subject: [pptp-server] PPTP behind a Firewall In-Reply-To: <3ADB77D3.72FEB74D@mediaone.net> Message-ID: Thus spoke John McKendry: > Robert Dege wrote: > > > > Perhaps someone can help me here. I am trying (exhaustively) to get my > > PPTP server behind a firewall. I believe that I almost have it working, > > but one minor thing stands in my way. > > > > I receive this message on the firewall when attempting a PPTP connection: > > > > Apr 16 13:22:47 odo kernel: ip_masq_gre(): creating GRE masq for > > 172.28.254.46 -> 12.19.228.58 CID=0 MCID=643A > > Apr 16 13:22:47 odo kernel: ip_demasq_gre(): 12.19.228.58 -> > > 12.19.228.52 CID=0 no masq table, discarding > > > > For some reason, the MASQID is getting lost between the masqing & > > demasq'ing of the GRE packets. > > > You should be seeing ip__pptp() messages. Are you using the Linux > PPTP client? I found that the commonly available Linux client uses the > wrong CallID once a PPTP session is established, and it causes the > sort of symptom you're seeing - masquerading doesn't recognize the > traffic as PPTP and tries to handle it as plain GRE. I have a patch to pptp-linux that corrects that problem: ftp://seattlefirewall.dyndns.org/pub/patches/callid.patch -Tom -- Tom Eastep \ Alt Email: tom at seattlefirewall.dyndns.org ICQ #60745924 \ Websites: http://seawall.sourceforge.net teastep at evergo.net \ http://seattlefirewall.dyndns.org Shoreline, Washington USA \ http://shorewall.sourceforge.net \_________________________________________ From richter at ecos.de Mon Apr 16 23:41:25 2001 
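Both the "no masq table, discarding" message in Rob's log and the wrong-CallID bug John and Tom describe come down to one field: the call ID carried in the GRE key of every PPTP data packet (RFC 2637 calls it the peer's call ID), which a masquerading gateway has to track per call because two inside hosts may pick the same one. The following is an added example of mine, not the kernel's ip_masq_pptp code, Tom's patch, or anything from the list: it builds and parses RFC 2637 enhanced-GRE packets and models the gateway's table on the server-to-client path, where the lookup key is the call ID the server believes belongs to the client. A packet whose call ID is not in the table is dropped, which is what the kernel logged. The starting masqueraded call ID is an arbitrary choice, and the addresses are the ones from Rob's log reused for illustration.

```python
import struct

GRE_PROTO_PPP = 0x880B          # protocol type for PPP over enhanced GRE (RFC 2637)
FLAG_K, FLAG_S, FLAG_A = 0x20, 0x10, 0x80   # key present, sequence present, ack present


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Encode one data packet: flags/version, protocol type, key = (payload length,
    peer call ID), optional sequence and acknowledgement numbers, then the PPP payload."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)
    b1 = (FLAG_A if ack is not None else 0) | 0x01     # version 1 = enhanced GRE
    pkt = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        pkt += struct.pack("!I", seq)
    if ack is not None:
        pkt += struct.pack("!I", ack)
    return pkt + payload


def parse_pptp_gre(pkt):
    """Decode a packet laid out as above; ValueError for anything that is not PPTP GRE."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (b1 & 0x07) != 1 or not (b0 & FLAG_K):
        raise ValueError("not an RFC 2637 enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if b0 & FLAG_S:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if b1 & FLAG_A:
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    payload = pkt[off:off + length]
    if len(payload) != length:
        raise ValueError("payload shorter than the key's length field")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


class GreMasqTable:
    """Toy of the per-call state a masquerading gateway keeps for PPTP (the 'masq
    table' in the kernel messages). On the server->client path the only handle the
    gateway has is the call ID in the GRE key, so that is the lookup key."""

    def __init__(self):
        self._by_masq_cid = {}    # masq call ID -> (inside IP, inside call ID, server IP)
        self._next_cid = 0x4000   # arbitrary starting point for rewritten IDs (assumption)

    def register(self, inside_ip, inside_cid, server_ip):
        """Called when the control channel (TCP 1723) shows an inside host opening a call.
        The gateway allocates its own call ID and rewrites it into the Outgoing-Call-Request,
        so the server addresses its GRE packets to the masqueraded ID."""
        mcid = self._next_cid
        self._next_cid += 1
        self._by_masq_cid[mcid] = (inside_ip, inside_cid, server_ip)
        return mcid

    def demasq(self, server_ip, pkt):
        """Server -> client: map the masqueraded call ID back to the inside host and
        restore the host's own call ID. Unknown ID => None, the 'discarding' case."""
        info = parse_pptp_gre(pkt)
        entry = self._by_masq_cid.get(info["call_id"])
        if entry is None or entry[2] != server_ip:
            return None
        inside_ip, inside_cid, _ = entry
        return inside_ip, build_pptp_gre(inside_cid, info["payload"], info["seq"], info["ack"])
```

The client-to-server direction needs no key rewrite, since those packets carry the server's call ID; what the gateway must get right is registering the call from the control channel before the first GRE packet arrives, and translating the ID consistently afterwards. A client that switches to a different call ID mid-session, which is the pptp-linux bug John describes, falls out of the table the same way a never-registered call does.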
From: richter at ecos.de (Gerald Richter) Date: Tue, 17 Apr 2001 06:41:25 +0200 Subject: [pptp-server] Windows NT 4 and 128 Bit encryption Message-ID: <004201c0c6f8$a9bdef40$0a0c0b0a@gr.ecos.de> Hi, I have pptpd with 128-bit encryption running fine with Win2K and Win98SE, but Windows NT doesn't like 128-bit encryption (40-bit also works on NT). As far as I can see, 128-bit encryption on WinNT is missing. I have SP6a and IE 5.5 with 128-bit encryption, but something seems to be missing. I didn't find any pointers in the mailing list archives nor on the Microsoft website. Does anybody know how to upgrade NT to 128-bit? Thanks Gerald ------------------------------------------------------------- Gerald Richter ecos electronic communication services gmbh Internetconnect * Webserver/-design/-datenbanken * Consulting Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz E-Mail: richter at ecos.de Voice: +49 6133 925131 WWW: http://www.ecos.de Fax: +49 6133 925152 -------------------------------------------------------------

From walterm at Gliatech.com Tue Apr 17 07:37:00 2001 From: walterm at Gliatech.com (Michael Walter) Date: Tue, 17 Apr 2001 08:37:00 -0400 Subject: [pptp-server] Windows NT 4 and 128 Bit encryption Message-ID: You simply need to download and install the 128-bit version of SP6a. It is available at: http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/128bitX86/default.asp Thanks, Michael J. Walter rhce mcdba mcse+i a+ Network Administrator Gliatech, Inc. 23420 Commerce Park Rd. Beachwood, Ohio 44122 Tel: (216) 831-3200 Email: walterm at gliatech.com -----Original Message-----
From rcd at amherst.com Tue Apr 17 07:50:55 2001
From: rcd at amherst.com (Robert Dege)
Date: Tue, 17 Apr 2001 08:50:55 -0400
Subject: [pptp-server] PPTP behind a Firewall
References:
Message-ID: <3ADC3C2F.9070301@amherst.com>

Thanks for the reply. Unfortunately, I am not using the PPTP client at the moment. I am using a Win98 box. Here's what happens:

1. Win98 box tries to make a PPTP connection.

2. For some odd reason, ip_masq_pptp module does not load by default. I have to manually insmod it. Once I do that, I start to receive the ip_masq_gre errors. Yet, lsmod claims that ip_masq_pptp is unused:

Module          Size  Used by
ip_masq_pptp    6848   0 (unused)
ip_masq_ftp     2656   1

(Do I possibly have to add something to the modules.conf file???)

3. Debugging info shows:

Apr 16 13:22:47 odo kernel: ip_masq_gre(): creating GRE masq for 172.28.254.46 -> 12.19.228.58 CID=0 MCID=643A
Apr 16 13:22:47 odo kernel: ip_demasq_gre(): 12.19.228.58 -> 12.19.228.52 CID=0 no masq table, discarding

This occurs during the initial handshake. Doing a tcpdump on IP 47 shows that the packets are still being passed to the pptp server & received back despite the debugging messages.

4. PPTP on the Win98 box finally fails due to timeout.

I can post the PPTP server debugging info if anybody thinks it will help. Any response is appreciated.

-Rob

>> You should be seeing ip__pptp() messages. Are you using the Linux
>> PPTP client? I found that the commonly available Linux client uses the
>> wrong CallID once a PPTP session is established, and it causes the
>> sort of symptom you're seeing - masquerading doesn't recognize the
>> traffic as PPTP and tries to handle it as plain GRE.
>
> I have a patch to pptp-linux that corrects that problem:
>
> ftp://seattlefirewall.dyndns.org/pub/patches/callid.patch
>
> -Tom

From richter at ecos.de Tue Apr 17 08:41:07 2001
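Rob's two kernel lines show the masquerade entry rewriting the client's Call ID 0 to MCID 643A on the way out, and the reply from 12.19.228.58 arriving with Call ID 0 rather than 643A, so it matches no entry and is dropped. As an added example (not code from this thread), a small Python parser that correlates ip_masq_gre / ip_demasq_gre messages and reports that mismatch explicitly; the sample log lines are the two from the post, and the function and field names are my own.

```python
"""Correlate Linux 2.2 ip_masq_gre()/ip_demasq_gre() kernel messages and flag
inbound GRE packets whose Call ID matches no masquerade entry.

Added example, not code from the pptp-server thread; the two sample log lines
are the ones Rob posted."""
import re

# Outbound: a masq entry is created and the client's Call ID (CID) is rewritten
# to a masqueraded Call ID (MCID); the remote peer is expected to send the MCID back.
MASQ_RE = re.compile(
    r"ip_masq_gre\(\): creating GRE masq for (?P<src>\S+) -> (?P<dst>\S+) "
    r"CID=(?P<cid>[0-9A-Fa-f]+) MCID=(?P<mcid>[0-9A-Fa-f]+)")

# Inbound: a GRE packet whose Call ID matched no entry was discarded.
DEMASQ_RE = re.compile(
    r"ip_demasq_gre\(\): (?P<src>\S+) -> (?P<dst>\S+) "
    r"CID=(?P<cid>[0-9A-Fa-f]+) no masq table, discarding")

SAMPLE_LOG = [  # constructed from the two lines in the post
    "Apr 16 13:22:47 odo kernel: ip_masq_gre(): creating GRE masq for "
    "172.28.254.46 -> 12.19.228.58 CID=0 MCID=643A",
    "Apr 16 13:22:47 odo kernel: ip_demasq_gre(): 12.19.228.58 -> "
    "12.19.228.52 CID=0 no masq table, discarding",
]


def correlate_gre_masq(lines):
    """Walk the log in order and return one finding per discarded inbound GRE
    packet: the masq entry (if any) for that remote peer, the Call ID the
    firewall expected (the MCID it allocated) and the Call ID that arrived."""
    table = {}      # remote peer address -> {"internal", "cid", "mcid"} (ints)
    findings = []
    for line in lines:
        m = MASQ_RE.search(line)
        if m:
            table[m["dst"]] = {"internal": m["src"],
                               "cid": int(m["cid"], 16),
                               "mcid": int(m["mcid"], 16)}
            continue
        d = DEMASQ_RE.search(line)
        if not d:
            continue
        got = int(d["cid"], 16)
        entry = table.get(d["src"])
        finding = {"peer": d["src"], "got_cid": f"{got:X}",
                   "expected_cid": None, "internal": None}
        if entry is None:
            finding["verdict"] = "no masq entry exists for this peer"
        else:
            finding["expected_cid"] = f"{entry['mcid']:X}"
            finding["internal"] = entry["internal"]
            if got == entry["cid"]:
                # Tom's explanation in the thread: the client keeps using the
                # wrong Call ID once the session is established, so masquerading
                # no longer recognises the traffic as PPTP.
                finding["verdict"] = ("reply carries the client's original CID "
                                      "instead of the allocated MCID")
            elif got == entry["mcid"]:
                finding["verdict"] = "CID matches the entry; look elsewhere"
            else:
                finding["verdict"] = "reply carries a Call ID never allocated"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate_gre_masq(SAMPLE_LOG):
        print(f"{f['peer']}: expected CID {f['expected_cid']}, "
              f"got {f['got_cid']} -> {f['verdict']}")
```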
From: richter at ecos.de (Gerald Richter)
Date: Tue, 17 Apr 2001 15:41:07 +0200
Subject: [pptp-server] Windows NT 4 and 128 Bit encryption
References:
Message-ID: <000f01c0c744$0e9233e0$0a0c0b0a@gr.ecos.de>

> You simply need to download and install the 128bit version of sp6a. It is
> available at:
> http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/128bitX86/default.asp
>

I knew this page already, but this is for an English NT; unfortunately there is no German version of this service pack and the English one won't install over a German Windows NT :-(

Anyway thanks for your reply

Gerald

From kimquang.vo at ost.eltele.no Tue Apr 17 09:01:50 2001
From: kimquang.vo at ost.eltele.no (Kim Quang Vo)
Date: Tue, 17 Apr 2001 16:01:50 +0200
Subject: [pptp-server] unsubscribe
Message-ID:

unsubscribe

From adreyer at math.uni-paderborn.de Tue Apr 17 10:11:01 2001
From: adreyer at math.uni-paderborn.de (Achim Dreyer)
Date: Tue, 17 Apr 2001 17:11:01 +0200 (MET DST)
Subject: [pptp-server] Windows NT 4 and 128 Bit encryption
In-Reply-To: <000f01c0c744$0e9233e0$0a0c0b0a@gr.ecos.de>
Message-ID:

On Tue, 17 Apr 2001, Gerald Richter wrote:

> > You simply need to download and install the 128bit version of sp6a. It is
> > available at:
> > http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/128bitX86/default.asp
> >
>
> I knew this page already, but this is for an English NT; unfortunately there
> is no German version of this service pack and the English one won't install
> over a German Windows NT :-(

Hi,

This is a FAQ from the German magazine c't:
( German version: http://www.heise.de/ct/faq/qna/nt_sp_6.shtml )

translated:

- Can't install SP6 under NT4 with 128-Bit encryption.

- There is no German version of the SP with 128Bit encryption. To install the SP the installation routine has to be modified. One file from the SP has to be changed before the actual update is performed. Start the .EXE file with option '/x', then edit the file 'update.inf': in section [CheckSecurity.System32.files] delete the hint to file 'Schannel.dll'. This actually prohibits a DLL version check on this file during the update.

Ciao,
Achim

From eldrec at rpi.edu Tue Apr 17 10:28:22 2001
From: eldrec at rpi.edu (Chris Eldredge)
Date: Tue, 17 Apr 2001 11:28:22 -0400 (EDT)
Subject: [pptp-server] Win2k - pptp encryption problems -- a solution
Message-ID:

I just read that message about commenting out mppe-40 and it definitely fixed everything for win2k and linux 2.4.2 w/ poptop 1.1.2 and ppp 2.4.0. I had it working but enabled mppe-40 for a friend who didn't have strong encryption on his windoze computer. A couple days later I couldn't figure out why the heck it stopped working. Thanks guys.

Chris Eldredge
eldrec at rpi.edu

signature files are only clever the first time you read them. then they are boring. this one is boring the first time you read it. but that's good, because now you won't be let down next time you read it.

From charlieb at e-smith.com Tue Apr 17 11:06:30 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Tue, 17 Apr 2001 12:06:30 -0400 (EDT)
Subject: [pptp-server] PPTP behind a Firewall
In-Reply-To: <3ADC3C2F.9070301@amherst.com>
Message-ID:

On Tue, 17 Apr 2001, Robert Dege wrote:

> Here's what happens:
>
> 1. Win98 box tries to make a PPTP connection.
> 2. For some odd reason, ip_masq_pptp module does not load by default.

IP masq modules never load by default.

> I have to manually insmod it. Once I do that, I start to receive the
> ip_masq_gre errors. Yet, lsmod claims that ip_masq_pptp is unused:
>
> Module          Size  Used by
> ip_masq_pptp    6848   0 (unused)
> ip_masq_ftp     2656   1

Yes, it is "unused" - no other module makes use of that module.

Charlie Brady charlieb at e-smith.com
http://www.e-smith.org (development)
http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From richter at ecos.de Tue Apr 17 12:48:40 2001
From: richter at ecos.de (Gerald Richter)
Date: Tue, 17 Apr 2001 19:48:40 +0200
Subject: [pptp-server] Windows NT 4 and 128 Bit encryption
References: <200104171702.f3HH29eq037659@poontang.schulte.org>
Message-ID: <004401c0c766$c883db10$0a0c0b0a@gr.ecos.de>

>
> This is a FAQ from the German magazine c't:
> ( German version: http://www.heise.de/ct/faq/qna/nt_sp_6.shtml )
>

Thanks for the translation, but that's also not new for me. That's the exact setup that I have here: IE 5.5 with 128 Bit encryption and Win NT 4 SP 6A with the modified service pack (as described in the c't FAQ), so the service pack will install. But, unfortunately PPTP doesn't use 128 encryption. 40 Bit works fine. If I don't have the "mppe-40" option for pppd (only the "mppe-128" and "mppe-stateless"), the log says

MPPE 40 bit, stateless transmit compression enabled

and I get a lot of

rcvd [Compressed data] xx xx xx
sent [CCP ResetReq id=0xd]

No traffic goes over the line. As soon as I add the "mppe-40" option everything works fine. Windows 98 and Win2K work correctly with 128Bit.

More ideas ?

Thanks

Gerald

From ERobertstad at txc.com Tue Apr 17 20:29:06 2001
From: ERobertstad at txc.com (Eirik Robertstad)
Date: Tue, 17 Apr 2001 21:29:06 -0400
Subject: [pptp-server] IPTables and GRE...
Message-ID: <3ADCEDE2.8040008@txc.com>

I have PoPToP on the same server that is running the firewall, 2.4 kernel using IPTables.

I'm having a hell of a time getting this to work. Does anyone know the rules to put into IPTables to get this to work?!

Thanks

From ctresco at economics.mit.edu Tue Apr 17 20:37:36 2001
From: ctresco at economics.mit.edu (Christopher Trescp)
Date: Tue, 17 Apr 2001 21:37:36 -0400
Subject: [pptp-server] IPTables and GRE...
In-Reply-To: <3ADCEDE2.8040008@txc.com>
Message-ID:

hehe...

modprobe ipchains

From mdrobnak at optonline.net Tue Apr 17 22:18:56 2001
From: mdrobnak at optonline.net (Matthew Drobnak)
Date: Tue, 17 Apr 2001 23:18:56 -0400 (EDT)
Subject: [pptp-server] IPTables and GRE
Message-ID: <0GBY009DOX6B63@mta6.srv.hcvlny.cv.net>

Afaik, the only two rules you'll need are to allow incoming traffic using protocol number 47, as well as TCP port 1723. If you're restricting outbound traffic, add outgoing rules as well.

iptables -A INPUT -j ACCEPT -i ethX --proto 47
iptables -A INPUT -j ACCEPT -i ethX -p tcp --dport 1723

Hope that helps. The -i ethX is optional -- it allows traffic only on that interface.

-Matthew Drobnak

From berzerke at swbell.net Tue Apr 17 22:13:34 2001
From: berzerke at swbell.net (robert)
Date: Tue, 17 Apr 2001 22:13:34 -0500
Subject: [pptp-server] IPTables and GRE...
In-Reply-To: <3ADCEDE2.8040008@txc.com>
References: <3ADCEDE2.8040008@txc.com>
Message-ID: <01041722133400.05159@linux>

My web page has a sample firewall with rules that allow running a PoPToP *server*. The script is a little old (there are some minor issues I'm working on), but the pptpd section works fine. See http://home.swbell.net/berzerke

On Tuesday 17 April 2001 20:29, Eirik Robertstad wrote:
> I have PoPToP on the same server that is running the firewall, 2.4
> kernel using IPTables.
>
> I'm having a hell of a time getting this to work. Does anyone know the
> rules to put into IPTables to get this to work?!
>
> Thanks

From eldrec at rpi.edu Tue Apr 17 22:39:22 2001
From: eldrec at rpi.edu (Chris Eldredge)
Date: Tue, 17 Apr 2001 23:39:22 -0400 (EDT)
Subject: [pptp-server] IPTables and GRE...
In-Reply-To:
Message-ID:

That would work, but if you've taken the time to upgrade to kernel 2.4.x, I would suggest migrating away from ipchains and moving over to iptables. It isn't necessarily a big issue, but iptables has some fixes for some of the perhaps subtle design flaws in ipchains. It's worth the time...

Chris Eldredge
eldrec at rpi.edu

On Tue, 17 Apr 2001, Christopher Trescp wrote:

> hehe...
>
> modprobe ipchains

From ERobertstad at txc.com Tue Apr 17 23:12:05 2001
From: ERobertstad at txc.com (Eirik Robertstad)
Date: Wed, 18 Apr 2001 00:12:05 -0400
Subject: [pptp-server] IPTables and GRE
References: <0GBY009DOX6B63@mta6.srv.hcvlny.cv.net>
Message-ID: <3ADD1415.6050600@txc.com>

Looks like I did have it correct then. I've added this for the input rules and the output rules... yet I'm still getting the same errors. I thought it was the firewall blocking it, but I've even tried to open the firewall totally open. I've also looked in tcpdump for any data on the GRE protocol, but nothing shows up. Only activity on the port 1723.

Windows just reports:

Error 629: You have been disconnected from the computer you dialed. Double-click the connection to try again.

And pptpd just shows:

Apr 17 23:02:25 transfire pptpd[23878]: MGR: Reaped child 24169
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: local address = 172.18.0.2
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: remote address = 172.18.0.52
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Client 198.138.97.250 control connection started
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Received PPTP Control Message (type: 1)
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Made a START CTRL CONN RPLY packet
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: I wrote 156 bytes to the client.
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Sent packet to client
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Received PPTP Control Message (type: 7)
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Set parameters to 0 maxbps, 16 window size
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Made a OUT CALL RPLY packet
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Starting call (launching pppd, opening GRE)
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: pty_fd = 4
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: tty_fd = 5
Apr 17 23:02:25 transfire pptpd[24170]: CTRL (PPPD Launcher): Connection speed = 115200
Apr 17 23:02:25 transfire pptpd[24170]: CTRL (PPPD Launcher): local address = 172.18.0.2
Apr 17 23:02:25 transfire pptpd[24170]: CTRL (PPPD Launcher): remote address = 172.18.0.52
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: I wrote 32 bytes to the client.
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Sent packet to client
Apr 17 23:02:25 transfire pptpd[24169]: GRE: read(fd=4,buffer=809c180,len=8196) from PTY failed: status = -1 error = Input/output error
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Client 198.138.97.250 control connection finished
Apr 17 23:02:25 transfire pptpd[24169]: CTRL: Exiting now

I'm at a total loss, I can't get any more information out of pptpd of what would be going on.

Thanks,
Eirik Robertstad

From penso at linuxfr.org Wed Apr 18 07:25:05 2001
From: penso at linuxfr.org (Fabien Penso)
Date: 18 Apr 2001 14:25:05 +0200
Subject: [pptp-server] IPTables and GRE...
In-Reply-To:
References:
Message-ID:

CE> That would work, but if you've taken the time to upgrade to kernel 2.4.x,
CE> I would suggest migrating away from ipchains and moving over to iptables.
CE> It isn't necessarily a big issue, but iptables has some fixes for some of
CE> the perhaps subtle design flaws in ipchains. It's worth the time...

It also has a few more, doesn't it ;) *Grin*.

From teastep at seattlefirewall.dyndns.org Wed Apr 18 09:54:31 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Wed, 18 Apr 2001 07:54:31 -0700 (PDT)
Subject: [pptp-server] IPTables and GRE...
In-Reply-To: <01041722133400.05159@linux>
Message-ID:

Thus spoke robert:

> My web page has a sample firewall with rules that allow running a PoPToP
> *server*. The script is a little old (there are some minor issues I'm
> working on), but the pptpd section works fine. See
> http://home.swbell.net/berzerke
>

I'm also running PoPToP on the same box as Shorewall (http://shorewall.sourceforge.net). See http://shorewall.sourceforge.net/myfiles.html for my ruleset and look for comments containing PPTP.

-Tom

From mikes at hartwellcorp.com Wed Apr 18 11:44:25 2001
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Wed, 18 Apr 2001 09:44:25 -0700
Subject: [pptp-server] Desperate... please help!
Message-ID: <91A5926EFF44D3118B1200104B7276EB654FF4@hart-exchange.hartwellcorp.com>

I keep experiencing system crashes that look like (I think) they are caused by the pptpctrl process. I really need help on this one as it is causing big problems.

The system: i386 RedHat-7.0 with all current updates applied. PoPToP-1.1.2 and pppd-2.3.11 with patches for mschap-v2, mppe, require-mppe and strip msdomain added.

The log:

Apr 17 23:29:17 guardian pptpd[1223]: CTRL: Received PPTP Control Message (type: 5)
Apr 17 23:29:17 guardian pptpd[1223]: CTRL: Made a ECHO RPLY packet
Apr 17 23:29:17 guardian pptpd[1223]: CTRL: I wrote 20 bytes to the client.
Apr 17 23:29:17 guardian pptpd[1223]: CTRL: Sent packet to client
Apr 17 23:29:17 guardian pppd[1224]: sent [LCP EchoReq id=0x8 magic=0xf1ec7cc9]
Apr 17 23:29:17 guardian pppd[1224]: Timeout 0x805319c:0x8078f40 in 30 seconds.
Apr 17 23:29:19 guardian pppd[1224]: rcvd [LCP EchoRep id=0x8 magic=0x3759]
Apr 17 23:29:38 guardian kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000070
Apr 17 23:29:38 guardian kernel: current->tss.cr3 = 091d6000, %cr3 = 091d6000
Apr 17 23:29:38 guardian kernel: *pde = 00000000
Apr 17 23:29:38 guardian kernel: Oops: 0002
Apr 17 23:29:38 guardian pptpd[773]: MGR: Reaped child 1223
Apr 17 23:29:38 guardian kernel: CPU: 0
Apr 17 23:29:38 guardian kernel: EIP: 0010:[aic7xxx:__insmod_aic7xxx_S.bss_L256+299331/281585857]
Apr 17 23:29:38 guardian kernel: EFLAGS: 00010286
Apr 17 23:29:38 guardian kernel: eax: 80000000 ebx: 0000007f ecx: cfff0c00 edx: 00000000
Apr 17 23:29:38 guardian kernel: esi: cfff0ecc edi: cfff0c48 ebp: cfff0c48 esp: c3ff7ebc
Apr 17 23:29:38 guardian kernel: ds: 0018 es: 0018 ss: 0018
Apr 17 23:29:38 guardian kernel: Process pptpctrl (pid: 1223, process nr: 45, stackpage=c3ff7000)
Apr 17 23:29:38 guardian kernel: Stack: c3d1b000 00000000 ffff7f98 00000011 cfff0c48 00000000 cc310800 cfff0f2e
Apr 17 23:29:38 guardian kernel: 0000008f d0872f6c cfff0c00 cfff0c00 c3d1b000 c3ff7f8c 00000000 d0872b8b
Apr 17 23:29:38 guardian kernel: cfff0c00 c3d1b000 c4093000 c01bb77a c3d1b000 00000000 c4093000 c01b0a3a
Apr 17 23:29:38 guardian kernel: Call Trace: [aic7xxx:__insmod_aic7xxx_S.bss_L256+298540/281586648] [aic7xxx:__insmod_aic7xxx_S.bss_L256+297547/281587641] [pty_unthrottle+38/88] [check_unthrottle+42/48] [read_chan+1678/1984] [tty_read+174/208] [sys_read+192/228]
Apr 17 23:29:38 guardian kernel: [system_call+52/56] [startup_32+43/170]
Apr 17 23:29:38 guardian kernel: Code: f0 ff 4a 70 0f 94 c0 84 c0 74 09 52 e8 0c 2c 8e ef 83 c4 04
Apr 17 23:29:47 guardian pppd[1224]: sent [LCP EchoReq id=0x9 magic=0xf1ec7cc9]
Apr 17 23:29:47 guardian pppd[1224]: Timeout 0x805319c:0x8078f40 in 30 seconds.

--------------------
Michael St. Laurent
Hartwell Corporation

From Tbenson at associatedbp.com Wed Apr 18 12:24:59 2001
From: Tbenson at associatedbp.com (Trevor Benson)
Date: Wed, 18 Apr 2001 10:24:59 -0700
Subject: [pptp-server] IP/MAC Theft
Message-ID: <378253B6F337D411BB0B009027C3F0432CE5F2@EMAILSERVER>

Problem,

Each time I configure a RedHat 6.1 Server and enable the pptpd I start having IP address thefts. Actually what is occurring is the firewall's internal interface starts to report that its MAC address belongs to different IP addresses on my local network. I originally swapped network cards, cables, and even into a new HP switch, to ensure the switch wasn't failing. Now I have gone so far as to purchase a whole new system, and rebuild the VPN server. I am experiencing the same issue with ALL new hardware, and IP addresses. But this system still seems to send a message that reports to the switch that its MAC is attached to another IP. Has anyone else here experienced this, and if so please let me know how you resolved it.

Mail any replies to Tbenson at associatedbp.com please, as I have not received anything from the mail list directly yet.

Thanks,

Trevor Benson
Director of Information Technology
Associated Business Products

From charlieb at e-smith.com Wed Apr 18 12:34:08 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Wed, 18 Apr 2001 13:34:08 -0400 (EDT)
Subject: [pptp-server] IP/MAC Theft
In-Reply-To: <378253B6F337D411BB0B009027C3F0432CE5F2@EMAILSERVER>
Message-ID:

On Wed, 18 Apr 2001, Trevor Benson wrote:

> Problem,
>
> Each time I configure a RedHat 6.1 Server and enable the pptpd I start
> having IP address thefts. Actually what is occurring is the firewall's
> internal interface starts to report that its MAC address belongs to
> different IP addresses on my local network. I originally swapped network
> cards, cables, and even into a new HP switch, to ensure the switch wasn't
> failing. Now I have gone so far as to purchase a whole new system, and
> rebuild the VPN server. I am experiencing the same issue with ALL new
> hardware, and IP addresses. But this system still seems to send a message
> that reports to the switch that its MAC is attached to another IP. Has
> anyone else here experienced this, and if so please let me know how you
> resolved it.

Have a read up on "proxyarp" - it does just what you have observed, and is intended. It's how remote machines can talk to other machines on your network. If you don't want that, just remove the proxyarp option.

> Mail any replies to Tbenson at associatedbp.com
> please, as I have not received anything
> from the mail list directly yet.

It's considered good form to join up to a mailing list if you are interested in reading follow ups to your question. Otherwise you seem to be saying "I want your help, but can't be bothered making an effort." :-)

From charlieb at e-smith.com Wed Apr 18 13:56:25 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Wed, 18 Apr 2001 14:56:25 -0400 (EDT)
Subject: [pptp-server] IP/MAC Theft
In-Reply-To: <378253B6F337D411BB0B009027C3F0432CE5F6@EMAILSERVER>
Message-ID:

On Wed, 18 Apr 2001, Trevor Benson wrote:

> Proxyarp is required for the pptp to work from what I understand.

No, it's not. It is required, however, to allow the remote machine to contact any other machines on your LAN, and vice versa.

> But why would this cause my internal interface to 'steal' IP addresses
> from other systems on my network?

Because that is exactly what proxyarp is.

> If I turn this off then it would disable my
> routing to my internal machines.

Correct.

> Sounds like this is a quirk more than an intended result.

It is in fact the intended result. ARP is Address Resolution Protocol. A machine on the LAN has a packet for, say, 192.168.1.5. It uses ARP to find a MAC address corresponding to that IP address, so that it can unicast the packet direct to that MAC address. It does an ethernet broadcast of an ARP query - "hey, someone tell me the ethernet address of 192.168.1.5". Now suppose that 192.168.1.5 is the IP address of your PPTP connected remote host. That remote host is not sitting on the ethernet, and can't respond with "Hey, I'm 192.168.1.5 and this is my ethernet address". Instead, the PPTP server acts as a proxy (proxyarp, see), and says "I'm 192.168.1.5". Hence your confusion about IP addresses and the MAC address of your server.

To think of it another way, your server temporarily acquires more than one IP address.

From charlieb at e-smith.com Wed Apr 18 14:39:16 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Wed, 18 Apr 2001 15:39:16 -0400 (EDT)
Subject: [pptp-server] IP/MAC Theft
In-Reply-To: <378253B6F337D411BB0B009027C3F0432CE5F9@EMAILSERVER>
Message-ID:

On Wed, 18 Apr 2001, Trevor Benson wrote:

> From your writing though, my Poptop server should be claiming addresses of
> machines that are remote to this location, so that it will direct packets
> back out to them. My problem is that the firewall's internal interface is
> responding to let's say 192.168.1-20 (all LOCAL servers that remote VPN
> clients connect to). Thus there is an ARP for who is Server1 and VPN responds
> as being that MAC/IP combo. Not the external host trying to access this
> server. Thus not taking over addresses of my VPN clients with proxy arps.
> But taking over my internal machines that are the servers the clients wish
> to reach, thus knocking them out for intervals of up to 5 minutes or more
> since the caching of the ARP entry says on the switch to send all packets
> for Server1 TO Poptop1, not send all packets for VPNClient1 to Poptop1.
> Causing my network to fail in essence when everyone is dropped from their
> server connections. I would assume from your description this is not the
> intended results....

Check your pptp configuration and be doubly sure that you are not allocating internal addresses to your PPTP clients. Other than that, I can't offer you any more advice.

Cheers.

From anesthes at cisdi.com Wed Apr 18 14:30:12 2001
From: anesthes at cisdi.com (Joey Coco)
Date: Wed, 18 Apr 2001 14:30:12 -0500 (EST)
Subject: [pptp-server] IP/MAC Theft
In-Reply-To:
Message-ID:

Hi,

> No, it's not. It is required, however, to allow the remote machine to
> contact any other machines on your LAN, and vice versa.

Well that's not really true. It's required to simulate that remote machine being on the LAN; however you can still contact everything on the LAN assuming routing has been set up properly.

> > But why would this cause my internal interface to 'steal' IP addresses
> > from other systems on my network?
>
> Because that is exactly what proxyarp is.

It shouldn't "steal" everything's IP address. It should only proxy ARPs when it assigns IPs to remote users from the pool.

--
Joe

From Tbenson at associatedbp.com Wed Apr 18 17:45:40 2001
From: Tbenson at associatedbp.com (Trevor Benson)
Date: Wed, 18 Apr 2001 15:45:40 -0700
Subject: [pptp-server] proxy arp controlling internal LAN Addresses
Message-ID: <378253B6F337D411BB0B009027C3F0432CE5FD@EMAILSERVER>

Here are the configuration files for Poptop. I have reviewed them and all the settings seem to be viable; can anyone point out why this would be responding for addresses that are listed as local? The addresses it tries to steal are 192.168.1.2 and 192.168.1.6; both are internal systems that are being accessed by VPN clients on the back end. Every few hours I have a burst of ARP traffic where this machine is proxying for the internal systems, not the external clients. Am I missing something in the config file that would point this out to me? Any assistance is appreciated, or pointers to documentation on how to configure proxy arp individually to lock it down. Thanks for any assistance ahead of time.

----/etc/ppp/options.pptp----
lock
debug
auth
+chap
proxyarp
ms-wins 192.168.1.6

----/etc/pptpd.conf----
debug
option /etc/ppp/options.pptp
localip 192.168.1.1-64,192.168.1.116-254
remoteip 192.168.1.65-115

All the clients in the chap-secrets file are configured for IP 65-115, none of them are in the local IP range.

Thanks,

Trevor Benson
Director of Information Technology
Associated Business Products

From mrp at hafatel.com Wed Apr 18 17:49:48 2001
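Charlie's explanation above is that with proxyarp the PPTP server answers ARP on the LAN for whatever address it hands a remote client, and his advice is to be doubly sure no internal address is allocated to PPTP clients; Trevor's config allocates pools in the same 192.168.1.0 range as the servers he names. As an added example (not code from this thread), a Python check that expands the pptpd.conf localip/remoteip range syntax shown above and reports any pool address that collides with a LAN host or with the other pool; the config text is Trevor's, the LAN host list is constructed from the two addresses he names, and the function names are my own.

```python
"""Check a pptpd.conf localip/remoteip allocation against the addresses of
real LAN hosts.

With pppd's 'proxyarp' option the PPTP server answers ARP on the LAN for the
address it hands each remote client, so any pool address that is also a real
LAN host's address makes the server claim that host's IP.  Added example, not
code from the thread; the config text is Trevor's, the LAN host list is
constructed from the two addresses he names."""
import ipaddress

# Trevor's /etc/pptpd.conf as posted, embedded here as the sample input.
SAMPLE_PPTPD_CONF = """\
debug
option /etc/ppp/options.pptp
localip 192.168.1.1-64,192.168.1.116-254
remoteip 192.168.1.65-115
"""

# The internal servers he says the PPTP box was answering ARP for (constructed list).
SAMPLE_LAN_HOSTS = ["192.168.1.2", "192.168.1.6"]


def expand_pptpd_range(spec):
    """Expand the pptpd.conf range syntax used on the page: comma separated
    items, each a single address or 'a.b.c.d-e' where e is the last octet of
    the end of the range.  Returns a list of IPv4Address."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" not in item:
            addrs.append(ipaddress.IPv4Address(item))
            continue
        start, end = item.split("-", 1)
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(start.rsplit(".", 1)[0] + "." + end)
        if last < first:
            raise ValueError(f"descending range: {item}")
        addrs.extend(ipaddress.IPv4Address(int(first) + i)
                     for i in range(int(last) - int(first) + 1))
    return addrs


def parse_pptpd_conf(text):
    """Pull localip/remoteip out of a pptpd.conf; other keys are ignored."""
    pools = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key in ("localip", "remoteip"):
            pools[key] = expand_pptpd_range(value)
    return pools


def find_pool_conflicts(conf_text, lan_hosts):
    """Report every pool address that collides with a LAN host, and any
    address that appears in both pools.  Lists are returned as dotted strings,
    in address order."""
    pools = parse_pptpd_conf(conf_text)
    lan = {ipaddress.IPv4Address(h) for h in lan_hosts}
    local = set(pools.get("localip", []))
    remote = set(pools.get("remoteip", []))

    def as_str(addr_set):
        return [str(a) for a in sorted(addr_set)]

    return {
        "localip_vs_lan": as_str(local & lan),
        "remoteip_vs_lan": as_str(remote & lan),
        "localip_vs_remoteip": as_str(local & remote),
    }


if __name__ == "__main__":
    report = find_pool_conflicts(SAMPLE_PPTPD_CONF, SAMPLE_LAN_HOSTS)
    for kind, hits in report.items():
        print(f"{kind}: {', '.join(hits) or 'none'}")
```

On Trevor's config the only collisions are in the localip pool, which is the point George makes in his reply.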
From: mrp at hafatel.com (Mike McPherson)
Date: Thu, 19 Apr 2001 08:49:48 +1000
Subject: [pptp-server] SMP 2.2.14-5.0 Problem
Message-ID: <003401c0c859$e44a6820$cd79a8c0@netpci.com>

Well after much grief and sorrow trying to install PoPToP 1.0.1... I can't get it to work stable on a Dual CPU machine. I loaded it on an older single cpu without a hitch. :(

From GeorgeV at citadelcomputer.com.au Wed Apr 18 17:56:30 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Thu, 19 Apr 2001 08:56:30 +1000
Subject: [pptp-server] proxy arp controlling internal LAN Addresses
Message-ID: <200FAA488DE0D41194F10010B597610D0D1CC2@JUPITER>

Your 'localip' is in range of those IP addresses. You only require 1 IP for the localip config.. not a range.. why waste it?

thanks,
George Vieira
From: Trevor Benson [mailto:Tbenson at associatedbp.com] Sent: Thursday, April 19, 2001 8:46 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] proxy arp controlling internal LAN Address's Here are the configuration files for Poptop. I have reviewed them and all the settings seem to be viable; can anyone point out why this would be responding for addresses that are listed as local? The addresses it tries to steal are 192.168.1.2 and 192.168.1.6; both are internal systems that are being accessed by VPN clients on the back end. Every few hours I have a burst of ARP traffic where this machine is proxying for the internal systems, not the external clients. Am I missing something in the config file that would point this out to me? Any assistance is appreciated, or pointers to documentation on how to configure proxy ARP individually to lock it down. Thanks for any assistance ahead of time.

----/etc/ppp/options.pptp----
lock
debug
auth
+chap
proxyarp
ms-wins 192.168.1.6

----/etc/pptpd.conf----
debug
option /etc/ppp/options.pptp
localip 192.168.1.1-64,192.168.1.116-254
remoteip 192.168.1.65-115

All the clients in the chap-secrets file are configured for IPs 65-115; none of them are in the local IP range. Thanks, Trevor Benson Director of Information Technology Associated Business Products From mikes at hartwellcorp.com Wed Apr 18 17:57:18 2001
From: mikes at hartwellcorp.com (Michael St. Laurent) Date: Wed, 18 Apr 2001 15:57:18 -0700 Subject: [pptp-server] SMP 2.2.14-5.0 Problem Message-ID: <91A5926EFF44D3118B1200104B7276EB654FF7@hart-exchange.hartwellcorp.com> I'm having the same problem with 1.1.2 on a dual-CPU system using kernel 2.2.17-14. Even running it with a single-processor kernel didn't solve the issue. -------------------- Michael St. Laurent Hartwell Corporation -----Original Message----- From: Mike McPherson [mailto:mrp at hafatel.com] Sent: Wednesday, April 18, 2001 3:50 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] SMP 2.2.14-5.0 Problem Well, after much grief and sorrow trying to install PoPToP 1.0.1, I can't get it to work stably on a dual-CPU machine. I loaded it on an older single-CPU machine without a hitch. :( From charlieb at e-smith.com Wed Apr 18 18:01:26 2001
From: charlieb at e-smith.com (Charlie Brady) Date: Wed, 18 Apr 2001 19:01:26 -0400 (EDT) Subject: [pptp-server] proxy arp controlling internal LAN Address's In-Reply-To: <378253B6F337D411BB0B009027C3F0432CE5FD@EMAILSERVER> Message-ID: On Wed, 18 Apr 2001, Trevor Benson wrote:
> Here are the configuration files for Poptop. I have reviewed them and all the settings seem to be viable; can anyone point out why this would be responding for addresses that are listed as local? The addresses it tries to steal are 192.168.1.2 and 192.168.1.6; both are internal systems that are being accessed by VPN clients on the back end. Every few hours I have a burst of ARP traffic where this machine is proxying for the internal systems, not the external clients. Am I missing something in the config file that would point this out to me? Any assistance is appreciated, or pointers to documentation on how to configure proxy ARP individually to lock it down. Thanks for any assistance ahead of time.
>
> ----/etc/ppp/options.pptp----
> lock
> debug
> auth
> +chap
> proxyarp
> ms-wins 192.168.1.6
>
> ----/etc/pptpd.conf----
> debug
> option /etc/ppp/options.pptp
> localip 192.168.1.1-64,192.168.1.116-254

Here is your problem. Replace this with just:

localip 192.168.1.x

where 192.168.1.x is the IP address of your server (192.168.1.1?). You are confusing your PPTP server by allowing it to choose already-taken IP addresses for the local end of connections it creates. -- Charlie Brady charlieb at e-smith.com http://www.e-smith.org (development) http://www.e-smith.com (corporate) Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada From kaca at hongkong.com Thu Apr 19 00:16:48 2001
From: kaca at hongkong.com (kaca at hongkong.com) Date: Thu, 19 Apr 2001 13:16:48 +0800 (CST) Subject: [pptp-server] Configuration problem Message-ID: <0U989580868351.09051@mail2.hongkong.com> I'm quite sure that the VPN connection is successful. But I don't know why I can't access anything on the PPTP server after the connection. Have I gone wrong somewhere? Is it a must to include proxyarp in the options.pptp file? I found there are "Cannot determine ethernet address for proxy ARP" errors in the log file. Can I just remove the proxyarp option? Is there something wrong in my pptpd.conf file? I set the localip and remoteip as 192.168.0.1 and 192.168.1.1 respectively. (Actually, I'm pretty confused about the use of the localip and remoteip.) Thanks for your kind attention. --------------------------------------------- Thank you for using hongkong.com Email system From karan_ingale at yahoo.com Thu Apr 19 01:09:07 2001
From: karan_ingale at yahoo.com (Karan Ingale) Date: Wed, 18 Apr 2001 23:09:07 -0700 (PDT) Subject: [pptp-server] PPTP Message-ID: <20010419060907.36951.qmail@web10803.mail.yahoo.com> Hello, I am running Redhat Linux 6.2 on a Pentium machine. I have applied the kernel patch for PPTP. I am using IPChains to filter out specific outgoing and incoming traffic. I use a Windows 2000 machine from the internal network to make a VPN session with a server on the internet. If I don't apply any rules for ipchains (all ACCEPT), I am able to make the connection. But as soon as I apply the following rules, I am not able to make a VPN connection with the VPN server on the internet.

This is the policy I used to deny all ports:

ipchains --policy input DENY
ipchains --policy output DENY
ipchains --policy forward DENY

This is the policy for PPTP:

ipchains --append input \
    --jump ACCEPT \
    --interface $EXTERNAL_INTERFACE \
    --source $EXTERNAL_NETWORK $PPTP \
    --destination $LOCALHOST $UNPRIVPORTS \
    --protocol tcp
#   --protocol tcp ! -y     # SYN bit check

ipchains --append output \
    --jump ACCEPT \
    --interface $EXTERNAL_INTERFACE \
    --source $LOCALHOST $UNPRIVPORTS \
    --destination $EXTERNAL_NETWORK $PPTP \
    --protocol tcp

ipchains --append input \
    --jump ACCEPT \
    --interface $EXTERNAL_INTERFACE \
    --source $EXTERNAL_NETWORK $PPTP \
    --destination $LOCALHOST $UNPRIVPORTS \
    --protocol udp

ipchains --append output \
    --jump ACCEPT \
    --interface $EXTERNAL_INTERFACE \
    --source $LOCALHOST $UNPRIVPORTS \
    --destination $EXTERNAL_NETWORK $PPTP \
    --protocol udp

I have similar policies for other ports. They work just fine. Can anybody solve my problem? Thanks. Karan. Systems Engineer. Disha Technologies. __________________________________________________ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ From GeorgeV at citadelcomputer.com.au Thu Apr 19 01:19:19 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira) Date: Thu, 19 Apr 2001 16:19:19 +1000 Subject: [pptp-server] Configuration problem Message-ID: <200FAA488DE0D41194F10010B597610D0D1D43@JUPITER> To get proxyarp working, the IP addresses on the VPN must be on the same subnet as the local ethX address of the local LAN; otherwise you will receive those errors. You don't need proxyarp, but it helps local LAN machines know how to reach the VPN machines and possibly vice versa. thanks, George Vieira -----Original Message----- From: kaca at hongkong.com [mailto:kaca at hongkong.com] Sent: Thursday, April 19, 2001 3:17 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] Configuration problem I'm quite sure that the VPN connection is successful. But I don't know why I can't access anything on the PPTP server after the connection. Have I gone wrong somewhere? Is it a must to include proxyarp in the options.pptp file? I found there are "Cannot determine ethernet address for proxy ARP" errors in the log file. Can I just remove the proxyarp option? Is there something wrong in my pptpd.conf file? I set the localip and remoteip as 192.168.0.1 and 192.168.1.1 respectively. (Actually, I'm pretty confused about the use of the localip and remoteip.) Thanks for your kind attention. --------------------------------------------- Thank you for using hongkong.com Email system From GeorgeV at citadelcomputer.com.au Thu Apr 19 01:26:06 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira) Date: Thu, 19 Apr 2001 16:26:06 +1000 Subject: [pptp-server] PPTP Message-ID: <200FAA488DE0D41194F10010B597610D0D1D44@JUPITER> Does your $LOCALHOST contain 127.0.0.1? This won't work; it should contain your external IP address. Can you give me/us a listing of your:

ipchains -L -n -v --line-numbers

thanks, George Vieira -----Original Message-----
From: Karan Ingale [mailto:karan_ingale at yahoo.com] Sent: Thursday, April 19, 2001 4:09 PM To: pptp-server at lists.schulte.org Cc: shirish at dishatech.com Subject: [pptp-server] PPTP Hello, I am running Redhat Linux 6.2 on a Pentium machine. I have applied the kernel patch for PPTP. I am using IPChains to filter out specific outgoing and incoming traffic. I use a Windows 2000 machine from the internal network to make a VPN session with a server on the internet. If I don't apply any rules for ipchains (all ACCEPT), I am able to make the connection. But as soon as I apply the following rules, I am not able to make a VPN connection with the VPN server on the internet.

This is the policy I used to deny all ports:

ipchains --policy input DENY
ipchains --policy output DENY
ipchains --policy forward DENY

This is the policy for PPTP:

ipchains --append input \
    --jump ACCEPT \
    --interface $EXTERNAL_INTERFACE \
    --source $EXTERNAL_NETWORK $PPTP \
    --destination $LOCALHOST $UNPRIVPORTS \
    --protocol tcp
#   --protocol tcp ! -y     # SYN bit check

ipchains --append output \
    --jump ACCEPT \
    --interface $EXTERNAL_INTERFACE \
    --source $LOCALHOST $UNPRIVPORTS \
    --destination $EXTERNAL_NETWORK $PPTP \
    --protocol tcp

ipchains --append input \
    --jump ACCEPT \
    --interface $EXTERNAL_INTERFACE \
    --source $EXTERNAL_NETWORK $PPTP \
    --destination $LOCALHOST $UNPRIVPORTS \
    --protocol udp

ipchains --append output \
    --jump ACCEPT \
    --interface $EXTERNAL_INTERFACE \
    --source $LOCALHOST $UNPRIVPORTS \
    --destination $EXTERNAL_NETWORK $PPTP \
    --protocol udp

I have similar policies for other ports. They work just fine. Can anybody solve my problem? Thanks. Karan. Systems Engineer. Disha Technologies. From shirish at dishatech.com Thu Apr 19 02:26:18 2001 From: shirish at dishatech.com (Shirish Bhagwat) Date: Thu, 19 Apr 2001 12:56:18 +0530 Subject: [pptp-server] PPTP References: <200FAA488DE0D41194F10010B597610D0D1D44@JUPITER> Message-ID: <3ADE9319.4FDB2D6E@dishatech.com> $LOCALHOST contains the IP address of the external interface. The lines obtained for port 1723, which is the PPTP port, are given below. Thanks Shirish root at dishatech.com wrote:
> 0 0 ACCEPT tcp !y---- 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.10 1723 -> 1024:65535
> 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.10 1723 -> 1024:65535
> 0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.10 1024:65535 -> 1723
> 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.10 1024:65535 -> 1723
> 0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 10.1.1.10 0.0.0.0/0 1024:65535 -> 1723
> 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 10.1.1.10 0.0.0.0/0 1024:65535 -> 1723
> 0 0 ACCEPT tcp !y---- 0xFF 0x00 eth0 10.1.1.10 0.0.0.0/0 1723 -> 1024:65535
> 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 10.1.1.10 0.0.0.0/0 1723 -> 1024:65535

George Vieira wrote:
> Does your $LOCALHOST contain 127.0.0.1? This won't work; it should contain your external IP address.
>
> Can you give me/us a listing of your
>
> ipchains -L -n -v --line-numbers
>
> thanks,
> George Vieira
>
> -----Original Message-----
> From: Karan Ingale [mailto:karan_ingale at yahoo.com]
> Sent: Thursday, April 19, 2001 4:09 PM
> To: pptp-server at lists.schulte.org
> Cc: shirish at dishatech.com
> Subject: [pptp-server] PPTP
>
> Hello,
> I am running Redhat Linux 6.2 on a Pentium machine. I have applied the kernel patch for PPTP. I am using IPChains to filter out specific outgoing and incoming traffic. I use a Windows 2000 machine from the internal network to make a VPN session with a server on the internet. If I don't apply any rules for ipchains (all ACCEPT), I am able to make the connection. But as soon as I apply the following rules, I am not able to make a VPN connection with the VPN server on the internet.
>
> This is the policy I used to deny all ports:
>
> ipchains --policy input DENY
> ipchains --policy output DENY
> ipchains --policy forward DENY
>
> This is the policy for PPTP:
>
> ipchains --append input \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $EXTERNAL_NETWORK $PPTP \
> --destination $LOCALHOST $UNPRIVPORTS \
> --protocol tcp
> # --protocol tcp ! -y # SYN bit check
>
> ipchains --append output \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $LOCALHOST $UNPRIVPORTS \
> --destination $EXTERNAL_NETWORK $PPTP \
> --protocol tcp
>
> ipchains --append input \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $EXTERNAL_NETWORK $PPTP \
> --destination $LOCALHOST $UNPRIVPORTS \
> --protocol udp
>
> ipchains --append output \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $LOCALHOST $UNPRIVPORTS \
> --destination $EXTERNAL_NETWORK $PPTP \
> --protocol udp
>
> I have similar policies for other ports. They work just fine. Can anybody solve my problem?
>
> Thanks.
>
> Karan.
>
> Systems Engineer.
> Disha Technologies.

From kaca at hongkong.com Thu Apr 19 05:11:53 2001 From: kaca at hongkong.com (kaca at hongkong.com) Date: Thu, 19 Apr 2001 18:11:53 +0800 (CST) Subject: [pptp-server] PPTP connnection Message-ID: <7s989580818846.02427@mail1.hongkong.com> According to the log file, I think my VPN connection is successful, but I can't access anything on the PPTP server. There are two "modem lights" in the start bar tray to indicate the connections to the ISP and to my PPTP server. I found that the one representing the connection to the ISP blinks on and off, but not the PPTP one. Where have I gone wrong? ---------------------------------------------- Thank you for using hongkong.com Email system From charlieb at e-smith.com Thu Apr 19 05:16:39 2001
From: charlieb at e-smith.com (Charlie Brady) Date: Thu, 19 Apr 2001 06:16:39 -0400 (EDT) Subject: [pptp-server] PPTP In-Reply-To: <20010419060907.36951.qmail@web10803.mail.yahoo.com> Message-ID: On Wed, 18 Apr 2001, Karan Ingale wrote:
> I use a Windows 2000 machine from the internal network to make a VPN session with a server on the internet. If I don't apply any rules for ipchains (all ACCEPT), I am able to make the connection. But as soon as I apply the following rules, I am not able to make a VPN connection with the VPN server on the internet.
>
> This is the policy I used to deny all ports:
>
> ipchains --policy input DENY
> ipchains --policy output DENY
> ipchains --policy forward DENY
>
> This is the policy for PPTP:
>
> ipchains --append input \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $EXTERNAL_NETWORK $PPTP \
> --destination $LOCALHOST $UNPRIVPORTS \
> --protocol tcp
> # --protocol tcp ! -y # SYN bit check
....

You don't mention masquerading, so I assume that you are routing your internal network to the Internet. You need to have forwarding rules which allow traffic; your policy is DENY. You do mention that other protocols are working, which surprises me a little. You also need to have rules which allow GRE traffic - protocol 47, IIRC. Charlie Brady charlieb at e-smith.com http://www.e-smith.org (development) http://www.e-smith.com (corporate) Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada From pstarzew at gbp.com Thu Apr 19 08:26:13 2001
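Added example for the thread above (not code from any of the posters or from the ipchains tool): a small parser for `ipchains -L -n -v` output that mechanically checks the two things Charlie Brady's reply asks for when a PPTP client sits behind a Linux 2.2 packet filter with DENY policies: an ACCEPT for the TCP 1723 control connection, an ACCEPT for GRE (IP protocol 47, which carries the tunnel data), and both of them in the forward chain as well as input and output, since routed packets traverse all three. The listings are constructed for the example and modelled on the rules Shirish posted, with the UDP lines left out; the column layout assumed is that of `ipchains -L -n -v`, with the ports column reading "sport -> dport" for tcp/udp and "n/a" for other protocols.

```python
"""Added example, not code from the thread or from ipchains: a parser for
`ipchains -L -n -v` output that checks what Charlie Brady's reply asks for when
a PPTP *client* sits behind a Linux 2.2 packet filter with DENY policies: TCP
1723 (control connection) and GRE (IP protocol 47, tunnel data) must both be
accepted, and for routed traffic that has to hold in the forward chain too.
The listings below are constructed, modelled on the rules Shirish posted."""
import re

TARGETS = {"ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT", "RETURN"}

def _port_match(spec, port):
    """True if an ipchains port column ('1723', '1024:65535', 'any', 'n/a') covers port."""
    if spec in ("any", "*", "n/a", ""):
        return spec != "n/a"
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def parse_ipchains_listing(text):
    """Parse `ipchains -L -n -v [--line-numbers]` output into chain -> policy/rules."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2).rstrip(":"), "rules": []}
            continue
        tok = line.split()
        if current is None or not tok or tok[0] in ("pkts", "num"):
            continue
        ti = next((i for i, t in enumerate(tok) if t in TARGETS), None)
        if ti is None:
            continue
        # Columns: target prot opt tosa tosx ifname [mark outsize] source destination ports
        rule = {"target": tok[ti], "prot": tok[ti + 1].lower(), "iface": tok[ti + 5]}
        if "->" in tok:  # tcp/udp rules print "sport -> dport"
            j = tok.index("->")
            rule.update(src=tok[j - 3], dst=tok[j - 2], sport=tok[j - 1], dport=tok[j + 1])
        else:            # other protocols print "n/a" in the ports column
            rule.update(src=tok[-3], dst=tok[-2], sport="n/a", dport="n/a")
        chains[current]["rules"].append(rule)
    return chains

def assess_pptp(chains):
    """Per chain: policy, and whether an ACCEPT rule covers TCP 1723 and GRE."""
    report = {}
    for name in ("input", "forward", "output"):
        ch = chains.get(name, {"policy": "?", "rules": []})
        acc = [r for r in ch["rules"] if r["target"] == "ACCEPT"]
        report[name] = {
            "policy": ch["policy"],
            "tcp1723": any(r["prot"] == "tcp" and (_port_match(r["sport"], 1723)
                           or _port_match(r["dport"], 1723)) for r in acc),
            "gre": any(r["prot"] in ("47", "gre") for r in acc),
        }
    return report

def missing_for_pptp_client(report):
    """Findings for a routed (not masqueraded) PPTP client behind the filter."""
    out = []
    for name in ("forward", "input", "output"):
        r = report[name]
        if r["policy"] == "ACCEPT":
            continue
        if not r["gre"]:
            out.append(f"{name}: nothing accepts GRE (protocol 47); tunnel data is dropped")
        if not r["tcp1723"]:
            out.append(f"{name}: nothing accepts TCP 1723 (PPTP control connection)")
    return out

# Constructed listing: control-channel rules only, empty forward chain, no GRE.
SAMPLE_LISTING = """\
Chain input (policy DENY: 12 packets, 960 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source    destination ports
    0     0 ACCEPT tcp  !y---- 0xFF 0x00 eth0                0.0.0.0/0 10.1.1.10   1723 -> 1024:65535
    0     0 ACCEPT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 10.1.1.10   1024:65535 -> 1723
Chain forward (policy DENY: 0 packets, 0 bytes):
Chain output (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source    destination ports
    0     0 ACCEPT tcp  ------ 0xFF 0x00 eth0                10.1.1.10 0.0.0.0/0   1024:65535 -> 1723
    0     0 ACCEPT tcp  !y---- 0xFF 0x00 eth0                10.1.1.10 0.0.0.0/0   1723 -> 1024:65535
"""
# The same listing with GRE accepted in every chain and 1723 + GRE in forward.
GRE_IN = "    0 0 ACCEPT 47 ------ 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.0/24 n/a\n"
GRE_OUT = "    0 0 ACCEPT 47 ------ 0xFF 0x00 eth0 10.1.1.0/24 0.0.0.0/0 n/a\n"
FWD = ("    0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 10.1.1.0/24 0.0.0.0/0 any -> 1723\n"
       "    0 0 ACCEPT tcp !y---- 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.0/24 1723 -> any\n")
FIXED_LISTING = (SAMPLE_LISTING
    .replace("960 bytes):\n", "960 bytes):\n" + GRE_IN)
    .replace("Chain forward (policy DENY: 0 packets, 0 bytes):\n",
             "Chain forward (policy DENY: 0 packets, 0 bytes):\n" + GRE_IN + GRE_OUT + FWD)
    .replace("Chain output (policy DENY: 0 packets, 0 bytes):\n",
             "Chain output (policy DENY: 0 packets, 0 bytes):\n" + GRE_OUT))

if __name__ == "__main__":
    for label, listing in (("as posted", SAMPLE_LISTING), ("with GRE + forward", FIXED_LISTING)):
        print(label, missing_for_pptp_client(assess_pptp(parse_ipchains_listing(listing))) or ["ok"])
```

Run against the posted-style listing it reports four gaps (no GRE in any chain, and nothing at all in the forward chain); against the corrected listing it reports none. Note that a masquerading box is a different case: with 2.2-era masquerading, PPTP also needs the ip_masq_pptp helper, which this check does not look for.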
From: pstarzew at gbp.com (Pete Starzewski) Date: Thu, 19 Apr 2001 08:26:13 -0500 Subject: [pptp-server] SMP 2.2.14-5.0 Problem Message-ID: <4.3.2.7.1.20010419082210.00bb4520@mail06.gbp.com> I have run into other SMP related problems with 2.2 kernels. One particularly nasty one has to do with linuxconf in a system with a dual proc motherboard, but with only one cpu installed. I sure hope the 2.4 kernel fixed some of these nasties. Pete Pete Starzewski Network Systems Engineer Green Bay Packaging Inc. From Steve at SteveCowles.com Thu Apr 19 10:25:36 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Thu, 19 Apr 2001 10:25:36 -0500 Subject: [pptp-server] Configuration problem Message-ID: <90769AF04F76D41186C700A0C90AFC3EE756@defiant.infohiiway.com> > -----Original Message----- 
> From: kaca at hongkong.com [mailto:kaca at hongkong.com]
> Sent: Thursday, April 19, 2001 12:17 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Configuration problem
>
> I'm quite sure that the VPN connection is successful. But I don't know why I can't access anything on the PPTP server after the connection. Have I gone wrong somewhere?
>
> Is it a must to include proxyarp in the options.pptp file? I found there are "Cannot determine ethernet address for proxy ARP" errors in the log file. Can I just remove the proxyarp option?
>
> Is there something wrong in my pptpd.conf file? I set the localip and remoteip as 192.168.0.1 and 192.168.1.1 respectively. (Actually, I'm pretty confused about the use of the localip and remoteip.)
>
> Thanks for your kind attention.

The proxy ARP errors can usually be fixed by assigning IP addresses in pptpd.conf (local/remote) that are within the network address range of the PPTP server's LAN interface (like eth0 or eth1). If that's not an option (due to your network design), then consider using IP aliasing to bind the network addresses specified in your pptpd.conf to your PPTP server's LAN interface. Check out the kernel source documentation directory /usr/src/linux/Documentation/networking/alias.txt for info on IP aliasing. Steve Cowles From josh.howlett at bristol.ac.uk Thu Apr 19 10:25:22 2001
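Added example (not code from the list or from the Poptop project) that checks a pptpd.conf address plan for the two mistakes diagnosed in this thread: Charlie Brady's point that a localip range lets pptpd hand an address a LAN host already owns to the server end of a tunnel, after which `proxyarp` makes pppd answer ARP for that address and steal the host's traffic (Trevor's 192.168.1.2 and 192.168.1.6), and Steve Cowles's and George Vieira's point that proxy ARP only works when the tunnel addresses lie inside the subnet of the LAN interface (kaca's 192.168.0.1 / 192.168.1.1 split). The range syntax assumed is pptpd's documented one (comma-separated, "a.b.c.d" or "a.b.c.d-e" with e the last octet of the range end); the configuration texts, the LAN prefix and the host list are constructed for the example.

```python
"""Added example, not code from the thread or from Poptop: a checker for the
localip/remoteip plan in pptpd.conf.  It covers two points from this thread:
Charlie Brady's (a localip *range* lets pptpd pick an address a LAN host already
owns for the server side of a tunnel, and with `proxyarp` pppd then answers ARP
for it and steals the host's traffic) and Steve Cowles's / George Vieira's (proxy
ARP only works when the tunnel addresses lie inside the LAN interface's subnet;
otherwise pppd logs "Cannot determine ethernet address for proxy ARP").  Range
syntax follows pptpd.conf: comma-separated entries, each "a.b.c.d" or "a.b.c.d-e"
with e the last octet of the range end.  Configs and hosts below are constructed."""
import ipaddress

def expand_range(spec):
    """Expand one pptpd localip/remoteip value into a list of IPv4Address."""
    addrs = []
    for entry in spec.replace(" ", "").split(","):
        if not entry:
            continue
        if "-" in entry:
            start, last = entry.split("-", 1)
            first = ipaddress.IPv4Address(start)
            end = ipaddress.IPv4Address(".".join(start.split(".")[:3] + [last]))
            if end < first:
                raise ValueError(f"range end before start: {entry}")
            addrs.extend(first + i for i in range(int(end) - int(first) + 1))
        else:
            addrs.append(ipaddress.IPv4Address(entry))
    return addrs

def parse_pptpd_conf(text):
    """Return the localip/remoteip values from a pptpd.conf body (comments stripped)."""
    opts = {}
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].strip().partition(" ")
        if key in ("localip", "remoteip"):
            opts[key] = value.strip()
    return opts

def check_address_plan(conf_text, lan_cidr, lan_hosts=()):
    """Return a list of findings; an empty list means the address plan is sane."""
    opts = parse_pptpd_conf(conf_text)
    lan = ipaddress.IPv4Network(lan_cidr, strict=False)
    local = expand_range(opts.get("localip", ""))
    remote = expand_range(opts.get("remoteip", ""))
    taken = {ipaddress.IPv4Address(h) for h in lan_hosts}
    findings = []
    if len(local) > 1:
        findings.append(f"localip is a range of {len(local)} addresses; "
                        "one address (the server's own) is enough")
    for a in sorted(set(local) & taken):
        findings.append(f"localip {a} belongs to a LAN host; with proxyarp "
                        "pppd will answer ARP for it and steal its traffic")
    for a in sorted(set(remote) & taken):
        findings.append(f"remoteip {a} collides with a LAN host")
    for a in sorted(set(local) & set(remote)):
        findings.append(f"{a} is in both localip and remoteip")
    for name, pool in (("localip", local), ("remoteip", remote)):
        outside = [a for a in pool if a not in lan]
        if outside:
            findings.append(f"{name}: {len(outside)} address(es) outside {lan}; proxyarp "
                            "fails for them ('Cannot determine ethernet address for proxy ARP')")
    return findings

# Constructed inputs modelled on the two configurations discussed in this thread.
TREVOR_CONF = """
debug
option /etc/ppp/options.pptp
localip 192.168.1.1-64,192.168.1.116-254
remoteip 192.168.1.65-115
"""
KACA_CONF = "localip 192.168.0.1\nremoteip 192.168.1.1\n"
FIXED_CONF = "localip 192.168.1.1\nremoteip 192.168.1.65-115\n"
LAN_HOSTS = ["192.168.1.2", "192.168.1.6"]   # the two hosts whose ARP was hijacked

if __name__ == "__main__":
    for label, conf, lan in (("trevor", TREVOR_CONF, "192.168.1.1/24"),
                             ("kaca", KACA_CONF, "192.168.0.1/24"),
                             ("fixed", FIXED_CONF, "192.168.1.1/24")):
        print(label + ":")
        for f in check_address_plan(conf, lan, LAN_HOSTS) or ["no problems found"]:
            print("  -", f)
```

Trevor's plan produces three findings (the 203-address localip range plus the two hosts it overlaps), kaca's produces one (remoteip outside the 192.168.0.0/24 LAN, which is exactly where the "Cannot determine ethernet address" message comes from), and the single-localip plan Charlie recommends produces none. The host list would in practice come from `arp -n` or a DHCP lease file rather than being typed in.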
From: josh.howlett at bristol.ac.uk (Josh Howlett) Date: Thu, 19 Apr 2001 16:25:22 +0100 Subject: [pptp-server] stateless encryption Message-ID: Hi all, I have a problem with MPPE 40-bit encryption. It works for a couple of minutes, then seizes up. The client is Windows 2000. My set-up is Linux 2.4 with ppp-2.4.0 + all the latest patches from ftp://ftp.binarix.com/pub/ppp-mppe/ I have:

mppe-40
mppe-stateless

in my ppp options file, but pppd starts up in non-stateless mode:

pppd 2.4.0 started by root, uid 0
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
MSCHAP-v2 peer authentication suceeded for *****
MPPE 40 bit, non-stateless compression enabled
found interface eth0 for proxy arp
local IP address ***********
remote IP address ***********
Protocol-Reject for unsupported protocol 0xa614
.............. etc etc.

I ran "tcpdump -a -i ppp0 -w /tmp/out", and parts of the traffic are readable. Could it be that the encryption isn't working somehow? I have "require encryption" enabled on the Windows client, and the Windows machine seems to think that the connection is encrypted... thanks, josh. ------------------- Josh Howlett, Network Supervisor, Networking and Digital Communications, Information Services. j.f.howlett at bris.ac.uk | 0117 9546895 From themmaster at digitalme.com Thu Apr 19 14:38:54 2001 From: themmaster at digitalme.com (Hein-Pieter van Braam) Date: Thu, 19 Apr 2001 18:38:54 -0100 Subject: [pptp-server] pptp, proxyarp and routing Message-ID: <01041918385404.00868@tmm-wks-01> Hi all, could someone please explain to me how I can set up a network with 2 servers:

- a pptp/masq server
- a samba server

so that clients connected to the internet can access the samba machine, log into it with their cute little Microsoft network clients, etc.? thanx From nelson at zz.st Thu Apr 19 11:47:09 2001
From: nelson at zz.st (nelson ) Date: Fri, 20 Apr 2001 00:47:09 +0800 Subject: [pptp-server] very slow connection through pptp Message-ID: <200104200047.AA5111986@zz.st> Hi all, I have just successfully set up the poptop server on my Linux box. But after everything was going well, I discovered that the connection between my server and workstation is just like modem speed; both my server and workstation use a 1.5Mb ADSL connection. I want to know what is going wrong. If anybody knows how to fix it, please post to the mailing list or email me at nelson at zz.st. Thank you in advance. From nesquik at lyngstol.kvalito.no Thu Apr 19 13:24:12 2001
From: nesquik at lyngstol.kvalito.no (Kristian Lyngstøl) Date: Thu, 19 Apr 2001 20:24:12 +0200 Subject: [pptp-server] pptp, proxyarp and routing In-Reply-To: <01041918385404.00868@tmm-wks-01>; from themmaster@digitalme.com on Thu, Apr 19, 2001 at 06:38:54PM -0100 References: <01041918385404.00868@tmm-wks-01> Message-ID: <20010419202412.A27103@lyngstol.net> On Thu, Apr 19, 2001 at 06:38:54PM -0100, Hein-Pieter van Braam wrote:
> Hi all,
>
> could someone please explain to me how I can set up a network with 2 servers:
>
> - a pptp/masq server
> - a samba server
>
> so that clients connected to the internet can access the samba machine, log into it with their cute little Microsoft network clients, etc.?
>
> thanx

I believe the simplest solution would be to make the samba server use a private IP/NAT, and maybe not even connect it to the internet (that is, not define a default route). Then set up pptpd to either give out the same type of IPs (NAT/private IPs) or "normal" IPs but define a route to the samba server. (The samba server should then also have a route to the pptp server.) I would do something like this (ASCII is beautiful):

pptp-client \
pptp-client -(Internet) -[a] pptp-server [b] - [c] samba server
pptp-client /

Where A is a valid IP accessible from the internet, B is a local address not accessible from the internet (192.168.0.1, 10.1.1.1, etc.) and C is a local address not accessible from the internet (192.168.0.2, etc.). The samba server won't need any special configuration. The pptp-server would need to use IP masquerading for connections from pptp-client(s) to the internet (if the routes at the pptp-client are configured so that the default gw is pptp-server; it really shouldn't be, though).
It should give pptp-client(s) an IP in the same range as [B] and [C]; if not, the samba server will need to know how to reach that type of IPs ('route add -net 194.29.201.0 netmask 255.255.255.192 gw 10.1.1.1' for example). -- Med vennlig hilsen / Best Regards ---------------------------------+------------------------- Kristian Lyngstøl | Kvalito IT AS avd. Oslo tlf: 90 84 24 35 | 21 00 99 00 mail: kristianl at oslo.kvalito.no | oslo at kvalito.no ---------------------------------+------------------------- From GeorgeV at citadelcomputer.com.au Thu Apr 19 17:14:27 2001 From: GeorgeV at citadelcomputer.com.au (George Vieira) Date: Fri, 20 Apr 2001 08:14:27 +1000 Subject: [pptp-server] PPTP Message-ID: <200FAA488DE0D41194F10010B597610D0D1D58@JUPITER> 10.1.1.10 looks like the internal IP address of your PPTP server. This will not work and requires the external IP of the machine. Does this machine HAVE an external IP or is it using NAT provided by the router? thanks, George Vieira -----Original Message-----
From: Shirish Bhagwat [mailto:shirish at dishatech.com] Sent: Thursday, April 19, 2001 5:26 PM To: George Vieira Cc: karan_ingale at hotmail.com; pptp-server at lists.schulte.org Subject: Re: [pptp-server] PPTP $LOCALHOST contains the IP address of the external interface. The lines obtained for port 1723, which is the PPTP port, are given below. Thanks Shirish root at dishatech.com wrote:
> 0 0 ACCEPT tcp !y---- 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.10 1723 -> 1024:65535
> 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.10 1723 -> 1024:65535
> 0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.10 1024:65535 -> 1723
> 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 10.1.1.10 1024:65535 -> 1723
> 0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 10.1.1.10 0.0.0.0/0 1024:65535 -> 1723
> 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 10.1.1.10 0.0.0.0/0 1024:65535 -> 1723
> 0 0 ACCEPT tcp !y---- 0xFF 0x00 eth0 10.1.1.10 0.0.0.0/0 1723 -> 1024:65535
> 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 10.1.1.10 0.0.0.0/0 1723 -> 1024:65535

George Vieira wrote:
> Does your $LOCALHOST contain 127.0.0.1? This won't work; it should contain your external IP address.
>
> Can you give me/us a listing of your
>
> ipchains -L -n -v --line-numbers
>
> thanks,
> George Vieira
>
> -----Original Message-----
> From: Karan Ingale [mailto:karan_ingale at yahoo.com]
> Sent: Thursday, April 19, 2001 4:09 PM
> To: pptp-server at lists.schulte.org
> Cc: shirish at dishatech.com
> Subject: [pptp-server] PPTP
>
> Hello,
> I am running Redhat Linux 6.2 on a Pentium machine. I have applied the kernel patch for PPTP. I am using IPChains to filter out specific outgoing and incoming traffic. I use a Windows 2000 machine from the internal network to make a VPN session with a server on the internet. If I don't apply any rules for ipchains (all ACCEPT), I am able to make the connection. But as soon as I apply the following rules, I am not able to make a VPN connection with the VPN server on the internet.
>
> This is the policy I used to deny all ports:
>
> ipchains --policy input DENY
> ipchains --policy output DENY
> ipchains --policy forward DENY
>
> This is the policy for PPTP:
>
> ipchains --append input \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $EXTERNAL_NETWORK $PPTP \
> --destination $LOCALHOST $UNPRIVPORTS \
> --protocol tcp
> # --protocol tcp ! -y # SYN bit check
>
> ipchains --append output \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $LOCALHOST $UNPRIVPORTS \
> --destination $EXTERNAL_NETWORK $PPTP \
> --protocol tcp
>
> ipchains --append input \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $EXTERNAL_NETWORK $PPTP \
> --destination $LOCALHOST $UNPRIVPORTS \
> --protocol udp
>
> ipchains --append output \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $LOCALHOST $UNPRIVPORTS \
> --destination $EXTERNAL_NETWORK $PPTP \
> --protocol udp
>
> I have similar policies for other ports. They work just fine. Can anybody solve my problem?
>
> Thanks.
>
> Karan.
>
> Systems Engineer.
> Disha Technologies.

From dreadboy at hotmail.com Thu Apr 19 17:17:15 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Thu, 19 Apr 2001 16:17:15 -0600 Subject: [pptp-server] MPPE Compression Message-ID: One question about compression. When I connect to my NT PPTP server, of course I get MPPE compression. When I connect to my Linux PPTP server, I like the fact that I'm connecting with 128-bit encryption, but there is no compression. It keeps reading 0% compressed packets. I've put all of the ppp-deflate settings into /etc/modules.conf but to no avail. What gives? =| _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From naresh at optimnetworks.com Thu Apr 19 17:21:07 2001
From: naresh at optimnetworks.com (Naresh) Date: Thu, 19 Apr 2001 15:21:07 -0700 Subject: [pptp-server] Cannot ping after connecting. References: <01041918385404.00868@tmm-wks-01> Message-ID: <3ADF64D3.C68FBE9@optimnetworks.com> Hi, I am testing a pptp server locally and trying to simulate the remote connection. I have a Win 2K PC with an internet address and the pptp server on the same network with a local address. I am able to establish a VPN connection from the Win2k machine but am unable to ping local IP addresses. Here are some config settings:

[root at buzz /root]# iptables -L -n -v
Chain INPUT (policy ACCEPT 10502 packets, 1127656 bytes)
 pkts bytes target prot opt in   out  source       destination
    4   296 ACCEPT all  --  lo   *    127.0.0.0/8  0.0.0.0/0
    0     0 ACCEPT all  --  lo   *    10.1.2.0/24  0.0.0.0/0
   80  4405 ACCEPT all  --  eth0 *    10.1.2.0/24  0.0.0.0/0
 1349  114K ACCEPT 47   --  eth0 *    0.0.0.0/0    0.0.0.0/0
  186 13323 ACCEPT all  --  ppp+ *    10.1.2.0/24  10.1.2.0/24
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source       destination
    4   240 ACCEPT all  --  eth0 *    10.1.2.0/24  0.0.0.0/0
    8   480 ACCEPT all  --  *    eth0 0.0.0.0/0    10.1.2.0/24
Chain OUTPUT (policy ACCEPT 10657 packets, 4613238 bytes)
 pkts bytes target prot opt in   out  source       destination
    4   296 ACCEPT all  --  *    lo   0.0.0.0/0    127.0.0.0/8
    0     0 ACCEPT all  --  *    lo   10.1.2.0/24  0.0.0.0/0
  116  8180 ACCEPT all  --  *    eth0 10.1.2.0/24  0.0.0.0/0
 1606 73530 ACCEPT 47   --  *    eth0 0.0.0.0/0    0.0.0.0/0
  200 14835 ACCEPT all  --  *    ppp+ 10.1.2.0/24  10.1.2.0/24
[root at buzz /root]#

-----------------------------------------------
/etc/ppp/options:
name *
lock
mtu 1490
mru 1490
proxyarp
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-128
mppe-40
mppe-stateless
defaultroute
debug
------------------------

[root at buzz /root]# netstat -nr
Kernel IP routing table
Destination    Gateway   Genmask          Flags MSS Window irtt Iface
10.1.2.247     0.0.0.0   255.255.255.255  UH     40 0      0    ppp0
63.107.13.192  0.0.0.0   255.255.255.192  U      40 0      0    eth0
10.1.2.0       0.0.0.0   255.255.255.0    U      40 0      0    eth0
127.0.0.0      0.0.0.0   255.0.0.0        U      40 0      0    lo
0.0.0.0        10.1.2.2  0.0.0.0          UG     40 0      0    eth0
[root at buzz /root]#

---------------------
[root at buzz /root]# lsmod
Module          Size  Used by
ip_gre          7040  0 (unused)
ppp_mppe       23712  2 (autoclean)
ppp_async       6672  1 (autoclean)
ppp_generic    18816  3 (autoclean) [ppp_mppe ppp_async]
slhc            4864  0 (autoclean) [ppp_generic]
iptable_filter  1856  0 (autoclean) (unused)
iptable_nat    19744  0 (unused)
ip_conntrack   23520  1 [iptable_nat]
ip_tables      13696  4 [iptable_filter iptable_nat]
unix           16656 47 (autoclean)
[root at buzz /root]#

Can someone please tell me where I went wrong. I did not put any masq. rules since I'll be using FW1 for NAT. Thanks, Naresh From dreadboy at hotmail.com Thu Apr 19 17:26:00 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Thu, 19 Apr 2001 16:26:00 -0600 Subject: [pptp-server] PPP Multilink Framing Message-ID: Should I have PPP Multilink Framing enabled on my pptpd server? If so, what benefits does it offer? From Steve at SteveCowles.com Thu Apr 19 17:59:30 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Thu, 19 Apr 2001 17:59:30 -0500 Subject: [pptp-server] MPPE Compression Message-ID: <90769AF04F76D41186C700A0C90AFC3EE757@defiant.infohiiway.com> > -----Original Message-----
> From: Dread Boy [mailto:dreadboy at hotmail.com]
> Sent: Thursday, April 19, 2001 5:17 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] MPPE Compression
>
> One question about compression. When I connect to my NT PPTP
> server, of course I get MPPE compression. When I connect to
> my Linux PPTP server, I like the fact that I'm connecting with
> 128-bit encryption, but there is no compression. Keeps reading
> 0% compressed packets.
>
> I've put all of the ppp-deflate settings into
> /etc/modules.conf but to no avail. What gives? =|

I don't know, but I have observed the same thing. If I establish a VPN into my NT based PPTP server, the W2K client shows some decent compression ratios, but when establishing a VPN into my PoPToP based PPTP server (using the same W2K client), I see no compression at all.

Steve Cowles

From GeorgeV at citadelcomputer.com.au Thu Apr 19 18:01:57 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Fri, 20 Apr 2001 09:01:57 +1000
Subject: [pptp-server] PPP Multilink Framing
Message-ID: <200FAA488DE0D41194F10010B597610D0D1D69@JUPITER>

Multilink PPP is only used for multiple PPP connections that act as one big connection. This usually has to be supported by your ISP too so both ends split the traffic over the multiple lines. 30 x 56Kb modems act as a T1 connection... almost...

Correct me if I'm wrong but I'm pretty sure that's what it's used for.

thanks,
George Vieira

-----Original Message-----
From: Dread Boy [mailto:dreadboy at hotmail.com]
Sent: Friday, April 20, 2001 8:26 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] PPP Multilink Framing

Should I have PPP Multilink Framing enabled on my pptpd server? If so, what benefits does it offer?

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From jvonau at home.com Thu Apr 19 22:40:17 2001
From: jvonau at home.com (Jerry Vonau)
Date: Thu, 19 Apr 2001 22:40:17 -0500
Subject: [pptp-server] Cannot ping after connecting.
References: <01041918385404.00868@tmm-wks-01> <3ADF64D3.C68FBE9@optimnetworks.com>
Message-ID: <3ADFAFA1.1640DAF7@home.com>

Naresh:

I think you're missing a forwarding rule for the ppp interface, ie:

	forward -i ppp0 -s 10.1.2.0/24 -d 10.1.2.0/24 -j ACCEPT

Jerry Vonau

Naresh wrote:
> Hi,
>
> I am testing a pptp server locally and trying to simulate the remote
> connection. I have a Win 2K pc with internet address and the pptp server on same
> network with local address. I am able to establish Vpn connection from Win2k
> machine but unable to ping local ip addresses. Here are some config. settings:
>
> [root at buzz /root]# iptables -L -n -v
> Chain INPUT (policy ACCEPT 10502 packets, 1127656 bytes)
>  pkts bytes target  prot opt in   out  source        destination
>     4   296 ACCEPT  all  --  lo   *    127.0.0.0/8   0.0.0.0/0
>     0     0 ACCEPT  all  --  lo   *    10.1.2.0/24   0.0.0.0/0
>    80  4405 ACCEPT  all  --  eth0 *    10.1.2.0/24   0.0.0.0/0
>  1349  114K ACCEPT  47   --  eth0 *    0.0.0.0/0     0.0.0.0/0
>   186 13323 ACCEPT  all  --  ppp+ *    10.1.2.0/24   10.1.2.0/24
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target  prot opt in   out  source        destination
>     4   240 ACCEPT  all  --  eth0 *    10.1.2.0/24   0.0.0.0/0
>     8   480 ACCEPT  all  --  *    eth0 0.0.0.0/0     10.1.2.0/24
>
> Chain OUTPUT (policy ACCEPT 10657 packets, 4613238 bytes)
>  pkts bytes target  prot opt in   out  source        destination
>     4   296 ACCEPT  all  --  *    lo   0.0.0.0/0     127.0.0.0/8
>     0     0 ACCEPT  all  --  *    lo   10.1.2.0/24   0.0.0.0/0
>   116  8180 ACCEPT  all  --  *    eth0 10.1.2.0/24   0.0.0.0/0
>  1606 73530 ACCEPT  47   --  *    eth0 0.0.0.0/0     0.0.0.0/0
>   200 14835 ACCEPT  all  --  *    ppp+ 10.1.2.0/24   10.1.2.0/24
> [root at buzz /root]#
>
> -----------------------------------------------
> /etc/ppp/options:
>
> name *
> lock
> mtu 1490
> mru 1490
> proxyarp
> auth
> +chap
> +chapms
> +chapms-v2
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-failure 3
> lcp-echo-interval 5
> deflate 0
> mppe-128
> mppe-40
> mppe-stateless
> defaultroute
> debug
>
> ------------------------
>
> [root at buzz /root]# netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 10.1.2.247      0.0.0.0         255.255.255.255 UH     40 0        0 ppp0
> 63.107.13.192   0.0.0.0         255.255.255.192 U      40 0        0 eth0
> 10.1.2.0        0.0.0.0         255.255.255.0   U      40 0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U      40 0        0 lo
> 0.0.0.0         10.1.2.2        0.0.0.0         UG     40 0        0 eth0
> [root at buzz /root]#
>
> ---------------------
> [root at buzz /root]# lsmod
> Module          Size   Used by
> ip_gre          7040   0 (unused)
> ppp_mppe        23712  2 (autoclean)
> ppp_async       6672   1 (autoclean)
> ppp_generic     18816  3 (autoclean) [ppp_mppe ppp_async]
> slhc            4864   0 (autoclean) [ppp_generic]
> iptable_filter  1856   0 (autoclean) (unused)
> iptable_nat     19744  0 (unused)
> ip_conntrack    23520  1 [iptable_nat]
> ip_tables       13696  4 [iptable_filter iptable_nat]
> unix            16656  47 (autoclean)
> [root at buzz /root]#
>
> Can someone please tell me where I went wrong. i did not put any masq. rules
> since I'll be using FW1 for NAT.
>
> Thanks,
> Naresh
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From shirish at dishatech.com Thu Apr 19 23:56:37 2001
From: shirish at dishatech.com (Shirish Bhagwat) Date: Fri, 20 Apr 2001 10:26:37 +0530 Subject: [pptp-server] PPTP References: <200FAA488DE0D41194F10010B597610D0D1D58@JUPITER> Message-ID: <3ADFC185.5FCE45E@dishatech.com> internal interface IP address is 192.168.1.x External interface is 10.1.1.10 The external interface talks to TE4 modem (DSL router). All other ports like Telnet, smtp, irc, etc are going through this same firewall much the same way and they all seem to be working alright. If you want I can send you my firewall script. Thanks Shirish Bhagwat George Vieira wrote: > 10.1.1.10 looks like your internal IP addresses of your PPTP server. This > will not work and requires the External IP of the machine. > > Does this machine HAVE an external IP or is it using NAT provided by the > router? > > thanks, > George Vieira > > -----Original Message----- 
> From: Shirish Bhagwat [mailto:shirish at dishatech.com] > Sent: Thursday, April 19, 2001 5:26 PM > To: George Vieira > Cc: karan_ingale at hotmail.com; pptp-server at lists.schulte.org > Subject: Re: [pptp-server] PPTP > > $LOCALHOST contains ip address of the external interface. > > Line numbers obtained for 1723 port which is PPTP port are given below. > > Thanks > Shirish > root at dishatech.com wrote: > > > 0 0 ACCEPT tcp !y---- 0xFF 0x00 eth0 > 0.0.0.0/0 10.1.1.10 1723 -> 1024:65535 > > 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 > 0.0.0.0/0 10.1.1.10 1723 -> 1024:65535 > > 0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 > 0.0.0.0/0 10.1.1.10 1024:65535 -> 1723 > > 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 > 0.0.0.0/0 10.1.1.10 1024:65535 -> 1723 > > 0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 > 10.1.1.10 0.0.0.0/0 1024:65535 -> 1723 > > 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 > 10.1.1.10 0.0.0.0/0 1024:65535 -> 1723 > > 0 0 ACCEPT tcp !y---- 0xFF 0x00 eth0 > 10.1.1.10 0.0.0.0/0 1723 -> 1024:65535 > > 0 0 ACCEPT udp ------ 0xFF 0x00 eth0 > 10.1.1.10 0.0.0.0/0 1723 -> 1024:65535 > > George Vieira wrote: > > > Is your $LOCALHOST containing 127.0.0.1? This won't work and should > contains > > your external IP address.. > > > > Can you give me/us a listing of your > > > > ipchains -L -n -v --linenumbers > > > > thanks, > > George Vieira > > > > -----Original Message----- 
> > From: Karan Ingale [mailto:karan_ingale at yahoo.com] > > Sent: Thursday, April 19, 2001 4:09 PM > > To: pptp-server at lists.schulte.org > > Cc: shirish at dishatech.com > > Subject: [pptp-server] PPTP > > > > Hello, > > I am running Redhat Linux 6.2 on a Pentium machine. I > > have applied the Kernel patch for PPTP. I am using > > IPChains to filter out specific outgoing and incoming > > traffic. > > I use a Windows 2000 machine from the internal > > network, to make a VPN session with a server on the > > internet. If I don't apply any rules for ipchains (All > > Accept), I am able to make the connection. But as soon > > as I apply the following rules, I am not able to make > > a VPN connection with the VPN server on the internet. > > > > This is the policy I used to deny all ports > > > > ipchains --policy input DENY > > ipchains --policy output DENY > > ipchains --policy forward DENY > > > > This is the policy for PPTP > > > > ipchains --append input \ > > --jump ACCEPT \ > > --interface $EXTERNAL_INTERFACE \ > > --source $EXTERNAL_NETWORK $PPTP \ > > --destination $LOCALHOST $UNPRIVPORTS \ > > --protocol tcp > > # --protocol tcp ! -y #SYN BIT > > Check > > > > ipchains --append output \ > > --jump ACCEPT \ > > --interface $EXTERNAL_INTERFACE \ > > --source $LOCALHOST $UNPRIVPORTS \ > > --destination $EXTERNAL_NETWORK $PPTP \ > > --protocol tcp > > > > ipchains --append input \ > > --jump ACCEPT \ > > --interface $EXTERNAL_INTERFACE \ > > --source $EXTERNAL_NETWORK $PPTP \ > > --destination $LOCALHOST $UNPRIVPORTS \ > > --protocol udp > > > > ipchains --append output \ > > --jump ACCEPT \ > > --interface $EXTERNAL_INTERFACE \ > > --source $LOCALHOST $UNPRIVPORTS \ > > --destination $EXTERNAL_NETWORK $PPTP \ > > --protocol udp > > > > I have similar policies for other ports. They work > > just fine. > > Can anybody solve my problem? > > > > Thanks. > > > > Karan. > > > > Systems Engineer. > > Disha Technologies. 
> > > > __________________________________________________ > > Do You Yahoo!? > > Yahoo! Auctions - buy the things you want at great prices > > http://auctions.yahoo.com/ > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! From karan_ingale at yahoo.com Fri Apr 20 01:22:59 2001 
From: karan_ingale at yahoo.com (Karan Ingale) Date: Thu, 19 Apr 2001 23:22:59 -0700 (PDT) Subject: [pptp-server] PPTP In-Reply-To: Message-ID: <20010420062259.5056.qmail@web10801.mail.yahoo.com> Hi Charlie, I have enabled masquerading through ipchains. I am sending the policy file I am using. I don't know what GRE is. Can you elaborate please. Thanks. Karan. --- Charlie Brady wrote: > > On Wed, 18 Apr 2001, Karan Ingale wrote: > > > I use a Windows 2000 machine from the internal > > network, to make a VPN session with a server on > the > > internet. If I don't apply any rules for ipchains > (All > > Accept), I am able to make the connection. But as > soon > > as I apply the following rules, I am not able to > make > > a VPN connection with the VPN server on the > internet. > > > > This is the policy I used to deny all ports > > > > ipchains --policy input DENY > > ipchains --policy output DENY > > ipchains --policy forward DENY > > > > This is the policy for PPTP > > > > ipchains --append input \ > > --jump ACCEPT \ > > --interface $EXTERNAL_INTERFACE \ > > --source $EXTERNAL_NETWORK $PPTP > \ > > --destination $LOCALHOST $UNPRIVPORTS > \ > > --protocol tcp > > # --protocol tcp ! -y #SYN BIT > > Check > > .... > > You don't mention masquerading, so I assume that you > are routing your > internal network to the Internet. > > You need to have forwarding rules which allow > traffic - your policy is > DENY. You do mention that other protocols are > working, which surprises me > a little. > > You also need to have rules which allow GRE traffic > - protocol 47, IIRC. > > Charlie Brady > charlieb at e-smith.com > http://www.e-smith.org (development) > http://www.e-smith.com (corporate) > Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 > (613) 564 7739 > e-smith, inc. 
1500-150 Metcalfe St, Ottawa, ON K2P > 1P1 Canada > > > _______________________________________________ > pptp-server maillist - > pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! __________________________________________________ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: rc.fw URL: From timwilson at mediaone.net Fri Apr 20 07:06:24 2001 
From: timwilson at mediaone.net (Tim Wilson)
Date: Fri, 20 Apr 2001 07:06:24 -0500
Subject: [pptp-server] HELP! Linux GW not MPPE encrypting
Message-ID:

I have a Linux gateway that I want to use as a PPTP VPN server for win98 clients. I am running kernel 2.4.2 so I followed the directions for patching linux 2.4 and ppp 2.4 to get mppe going (I found these directions on this mailing list; they are reproduced below).

It sure seemed to be working great...the debug log shows MPPE successfully negotiated, and the win98 client status display indicates that encryption is being used. Then I looked at the packets with tcpdump. Problem is: the Linux box doesn't encrypt anything it sends! The downlink data (server to client) is PPP type 0021 (IPv4) and the encapsulated PPP contents are plaintext. The win98 client does encrypt its stuff (sends PPP frame type 00fd) and the Linux box decrypts it OK.

Thanks for any advice (please reply direct as I am currently not on the mailing list).

Here are the directions I used to install:
(snip)

Get the following patches from ftp://ftp.binarix.com/pub/ppp-mppe/

	linux-2.4.0-openssl-0.9.6-mppe.patch
	ppp-2.4.0-openssl-0.9.6-mppe.patch

Get ppp-2.4.0.tar.gz from ftp://linuxcare.com.au/pub/ppp
Get linux kernel from the usual places.

Apply linux-xxx.patch to kernel and compile. In configuration, select all the PPP stuff as modules. Apply ppp-xxx.patch to ppp-2.4.0, compile, install. Boot new kernel.

Add following lines to /etc/ppp/options

	mppe-40
	mppe-128
	mppe-stateless

Put "alias ppp-compress-18 ppp_mppe" to modutils configuration if you want to have mppe module loaded automatically.
(snip)

-----------------------------------------------------------
Tim Wilson * Systems Engineer
Cambia Networks * 5600 N. River Road, Rosemont IL 60018
Phone 847.885.3090 * Fax 847.993.3097 * Mobile 847.207.4177

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Tim Wilson.vcf
Type: text/x-vcard
Size: 420 bytes
Desc: not available
URL:

From josh.howlett at bristol.ac.uk Fri Apr 20 07:22:21 2001
From: josh.howlett at bristol.ac.uk (Josh Howlett) Date: Fri, 20 Apr 2001 13:22:21 +0100 Subject: [pptp-server] HELP! Linux GW not MPPE encrypting In-Reply-To: References: Message-ID: I've had the same problem, and I've seen one other comment last year stating it as well. He provided a fix for ppp 2.8.10 which isn't much use for a 2.4.x kernel. I haven't heard of any other solutions. Presumably it must be working for some of you out there, or are we happy with one way encryption!? josh. On Fri, 20 Apr 2001 07:06:24 -0500 Tim Wilson wrote: > I have a Linux gateway that I want to use as a PPTP VPN server for win98 > clients. I am running kernel 2.4.2 so I followed the directions for patching > linux 2.4 and ppp 2.4 to get mppe going (I found these directions on this > mailing list; they are reproduced below). > > It sure seemed to be working great...the debug log shows MPPE successfully > negotiated, and the win98 client status display indicates that encryption is > being used. Then I looked at the packets with tcpdump. Problem is: the Linux > box doesn't encrypt anything it sends! The downlink data (server to client) > is PPP type 0021 (IPv4) and the encapsulated PPP contents are plaintext. The > win98 client does encrypt its stuff (sends PPP frame type 00fd) and the > Linux box decrypts it OK. > > > Thanks for any advice (please reply direct as I am currently not on the > mailing list). > > > Here's the directions I used to install: > (snip) > > Get the following patches from ftp://ftp.binarix.com/pub/ppp-mppe/ > > linux-2.4.0-openssl-0.9.6-mppe.patch > ppp-2.4.0-openssl-0.9.6-mppe.patch > > Get ppp-2.4.0.tar.gz from ftp://linuxcare.com.au/pub/ppp > Get linux kernel from the usual places. > > Apply linux-xxx.patch to kernel and compile. In configuration, select > all the PPP stuff as modules. Apply ppp-xxx.patch to ppp-2.4.0, > compile, install. Boot new kernel. 
> > Add following lines to /etc/ppp/options > > mppe-40 > mppe-128 > mppe-stateless > > Put "alias ppp-compress-18 ppp_mppe" to modutils configuration if you > want to have mppe module loaded automatically. > > (snip) > > > ----------------------------------------------------------- > Tim Wilson * Systems Engineer > Cambia Networks * 5600 N. River Road, Rosemont IL 60018 > Phone 847.885.3090 * Fax 847.993.3097 * Mobile 847.207.4177 > ------------------- Josh Howlett, Network Supervisor, Networking and Digital Communications, Information Services. j.f.howlett at bris.ac.uk | 0117 9546895 From gottwald at inf.fu-berlin.de Fri Apr 20 07:34:59 2001 From: gottwald at inf.fu-berlin.de (Marcus C. Gottwald) Date: Fri, 20 Apr 2001 14:34:59 +0200 Subject: [pptp-server] DHCP-like IP address handling Message-ID: <20010420143459.A7504@inf.fu-berlin.de> Hi! We are using PPTP to be able to control access to our university network. Wireless clients first have to establish the PPTP connection to get an official address and access to the net. Since notebook users tend to run around they lose the wireless connection quite frequently. When they return, the DHCP server will reassign them the same IP address as before, if possible. However, if the PPTP connection has been lost, re-establishing it won't help since usually a different IP is assigned. We do not want to have a fixed address assigned to every user but prefer a DHCP-like behaviour. Has anyone thought about implementing this into pptpd? I agree that it might be nicer to include this feature into pppd. However, no work seems to be done about that at the moment, so I thought I'd ask you before doing work someone else has already done. :-) Cheers, Marcus P.S.: I'm not yet subscribed to the list. -- Marcus C. Gottwald ? http://www.inf.fu-berlin.de/~gottwald/kontakt.html From herve.guehl at dedigate.com Fri Apr 20 08:01:21 2001 
From: herve.guehl at dedigate.com (Hervé Guehl)
Date: Fri, 20 Apr 2001 15:01:21 +0200
Subject: [pptp-server] ppp help pls...
Message-ID: <12EDCF4FE1D70A448BD3244329D8D059107AD7@exch01.dedigate.com>

I just need something for pppd, and I'd like to know where to start...

Just want to assign statically both ip addresses of the ppp link (both different for each conn..).

If you ask why I explain shortly... Want to play with pptp-server and vlans...

Can anyone help me ?
Or just give me the direction...

Thx...
Regards..

Hervé.

From rcd at amherst.com Fri Apr 20 08:14:56 2001
From: rcd at amherst.com (Robert Dege)
Date: Fri, 20 Apr 2001 09:14:56 -0400
Subject: [pptp-server] ppp help pls...
References: <12EDCF4FE1D70A448BD3244329D8D059107AD7@exch01.dedigate.com>
Message-ID: <3AE03650.7030507@amherst.com>

What do you mean by both ip addresses of the ppp link?

From what I know, you can configure pptp with the --with-pppd-ip-alloc option. This will allow you to statically assign IP addresses to a connection based upon user login. This is done in the chap-secrets file.

The PPTP HOW-TO has a step-by-step procedure on how to configure it.

-Rob

Hervé Guehl wrote:
>
> I just need something for pppd, and I'd like to know where to start...
>
> Just want to assign statically both ip addresses of the ppp link (both
> different for each conn..).
>
> If you ask why I explain shortly... Want to play with pptp-server and
> vlans...
>
> Can anyone help me ?
> Or just give me the direction...
>
> Thx...
> Regards..
>
> Hervé.
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From herve.guehl at dedigate.com Fri Apr 20 08:40:44 2001
From: herve.guehl at dedigate.com (Hervé Guehl)
Date: Fri, 20 Apr 2001 15:40:44 +0200
Subject: [pptp-server] ppp help pls...
Message-ID: <12EDCF4FE1D70A448BD3244329D8D059107AD8@exch01.dedigate.com>

> -----Original Message-----
> From: Robert Dege [mailto:rcd at amherst.com]
> Sent: Friday, April 20, 2001 3:15 PM
> To: Hervé Guehl
> Cc: Pptp-Server (E-mail)
> Subject: Re: [pptp-server] ppp help pls...
>
> What do you mean by both ip addresses of the ppp link?
>
> From what I know, you can configure pptp with the
> --with-pppd-ip-alloc

I know that.. thx.. And I apologize for my bad english...

What I mean is for each ppp link assign two different ip addresses based on the user id...

ex:
	user1 10.0.0.1:10.0.0.2
	user2 192.168.0.1:192.168.0.2
	and so on....

I hope I can make myself clear...

Regards...
Hervé

> option. This will allow you to statically assign IP addresses to a
> connection based upon user login. This is done in the
> chap-secrets file.
>
> The PPTP HOW-TO has a step-by-step procedure on how to configure it.
>
> -Rob
>
> Hervé Guehl wrote:
> >
> > I just need something for pppd, and I'd like to know where
> to start...
> >
> > Just want to assign statically both ip addresses of the ppp
> link (both
> > different for each conn..).
> >
> > If you ask why I explain shortly... Want to play with
> pptp-server and
> > vlans...
> >
> > Can anyone help me ?
> > Or just give me the direction...
> >
> > Thx...
> > Regards..
> >
> > Hervé.
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
>

From pstarzew at gbp.com Fri Apr 20 09:25:16 2001
From: pstarzew at gbp.com (Pete Starzewski)
Date: Fri, 20 Apr 2001 09:25:16 -0500
Subject: [pptp-server] Re: MPPE compression
Message-ID: <4.3.2.7.1.20010420092121.00b215f0@mail06.gbp.com>

This may sound like a stupid question, but just how do you confirm compression/encryption? I've read that people are using tcpdump. I tried it and maybe I am missing something (probably the case), but I can't see anything in the packet info about packets being compressed or encrypted. Please enlighten me.

thanks,

Pete

Pete Starzewski
Network Systems Engineer
Green Bay Packaging Inc.

From charlieb at e-smith.com Fri Apr 20 09:30:33 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Fri, 20 Apr 2001 10:30:33 -0400 (EDT)
Subject: [pptp-server] PPTP
In-Reply-To: <20010420062259.5056.qmail@web10801.mail.yahoo.com>
Message-ID:

On Thu, 19 Apr 2001, Karan Ingale wrote:

> Hi Charlie,
> I have enabled masquerading through ipchains. I am
> sending the policy file I am using.
> I don't know what GRE is. Can you elaborate please.

I already did, it's protocol 47, otherwise known as Generic Routing Encapsulation. See http://www.es.net/pub/rfcs/rfc1702.txt.

...
> > You also need to have rules which allow GRE traffic
> > - protocol 47, IIRC.

Charlie Brady                         charlieb at e-smith.com
http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From josh.howlett at bristol.ac.uk Fri Apr 20 09:36:24 2001
From: josh.howlett at bristol.ac.uk (Josh Howlett)
Date: Fri, 20 Apr 2001 15:36:24 +0100
Subject: [pptp-server] Re: MPPE compression
In-Reply-To: <4.3.2.7.1.20010420092121.00b215f0@mail06.gbp.com>
References: <4.3.2.7.1.20010420092121.00b215f0@mail06.gbp.com>
Message-ID:

	tcpdump -a -i eth0 -w /tmp/eth0

Ping across eth0.

	more /tmp/eth0

ICMP request/replies have sequences such as abcdefghij.... in them. Obviously, if the link is encrypted, you won't read this.

josh.

On Fri, 20 Apr 2001 09:25:16 -0500 Pete Starzewski wrote:

> This may sound like a stupid question, but just how do you confirm
> compression/encryption? I've read that people are using tcpdump. I tried
> it and maybe I am missing something (probably the case), but I can't see
> anything in the packet info about packets being compressed or
> encrypted. Please enlighten me.
>
> thanks,
>
> Pete
>
>
> Pete Starzewski
> Network Systems Engineer
> Green Bay Packaging Inc.
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>

-------------------
Josh Howlett, Network Supervisor,
Networking and Digital Communications, Information Services.
j.f.howlett at bris.ac.uk | 0117 9546895

From timwilson at mediaone.net Fri Apr 20 09:42:47 2001
From: timwilson at mediaone.net (Tim Wilson)
Date: Fri, 20 Apr 2001 09:42:47 -0500
Subject: [pptp-server] Re: MPPE compression
In-Reply-To: <4.3.2.7.1.20010420092121.00b215f0@mail06.gbp.com>
Message-ID:

You run tcpdump on the interface where tunneled packets are supposed to be. Use the -x option to show hex packet contents, and DON'T FORGET to also use -s2048 so that tcpdump captures the whole packet (not just the first few bytes). Like this:

	tcpdump -i ethx -n -x -s2048

Look in the tcpdump output for gre-encapsulated packets--that's the tunneled pptp data. The first 20 bytes of that packet is the IP header. The next 12 bytes are the gre encapsulating header (usually 20 bytes; sometimes 22 bytes). Right after the gre header is the encapsulated PPP frame. If it's plain ipv4, the first byte is hex 21 (a compressed version of 0x0021, the PPP frame type for ipv4). If it's compressed/encrypted, the first byte is fd (short for 0x00fd).

BTW, I just upgraded my kernel to 2.4.3 and it still doesn't encrypt sent packets. Anybody else see this??

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Pete Starzewski
> Sent: Friday, April 20, 2001 9:25 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Re: MPPE compression
>
> This may sound like a stupid question, but just how do you confirm
> compression/encryption? I've read that people are using tcpdump.
> I tried
> it and maybe I am missing something (probably the case), but I can't see
> anything in the packet info about packets being compressed or
> encrypted. Please enlighten me.
>
> thanks,
>
> Pete
>
>
> Pete Starzewski
> Network Systems Engineer
> Green Bay Packaging Inc.
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From pkrebs at lvu.at Fri Apr 20 10:28:55 2001
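The following is an added example and is not code from any message in this thread or from the pptpd/pppd projects: a small C classifier that applies the check Tim Wilson describes above (IPv4 header, then the GRE header with its optional sequence and acknowledgement fields, then the first byte of the PPP frame: 0x21 for plaintext IPv4, 0xfd for a CCP/MPPE-wrapped datagram) to a raw packet instead of reading the hex by eye. It assumes RFC 2637 enhanced GRE (version 1, protocol 0x880B, key field present); the three sample packets are constructed here, with the 10.1.2.x numbering borrowed from Naresh's setup earlier in the thread and arbitrary ciphertext bytes. Running captured packets through pptp_data_protected() and counting the zeros is a mechanical way to confirm that a server which claims MPPE is not sending plaintext, the one-way condition Tim reports.

```c
/* Added example, not from any message on this list: classify the PPP frame
 * carried in a PPTP data packet, the check Tim Wilson describes doing by eye
 * on "tcpdump -x" output.  Assumes RFC 2637 enhanced GRE (version 1, protocol
 * 0x880B, key present).  The sample packets below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_PROTO_GRE  47
#define GRE_PROTO_PPP 0x880B

/* PPP protocol numbers seen inside a PPTP tunnel. */
#define PPP_IPV4 0x0021   /* plaintext IP datagram */
#define PPP_COMP 0x00fd   /* CCP-wrapped datagram: compressed and/or MPPE-encrypted */
#define PPP_LCP  0xc021
#define PPP_IPCP 0x8021
#define PPP_CCP  0x80fd

/* Return the PPP protocol number of the frame inside an IPv4/GRE packet, or
 * -1 if the bytes are not a parseable PPTP data packet.  *ppp_off (if given)
 * receives the offset of the PPP protocol field, i.e. the byte Tim reads. */
int pptp_ppp_protocol(const uint8_t *pkt, size_t len, size_t *ppp_off)
{
    size_t ihl, off;
    uint8_t flags;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;                  /* IP header length */
    if (ihl < 20 || len < ihl + 8 || pkt[9] != IP_PROTO_GRE)
        return -1;

    flags = pkt[ihl];                                   /* C R K S s Recur */
    if ((pkt[ihl + 1] & 0x07) != 1 || !(flags & 0x20))  /* version 1, K set */
        return -1;
    if (((pkt[ihl + 2] << 8) | pkt[ihl + 3]) != GRE_PROTO_PPP)
        return -1;

    off = ihl + 8;                     /* base header + key (payload length, call ID) */
    if (flags & 0x10)        off += 4; /* S: sequence number present */
    if (pkt[ihl + 1] & 0x80) off += 4; /* A: acknowledgement number present */
    /* HDLC address/control (ff 03) is only there if ACFC was not negotiated */
    if (off + 2 <= len && pkt[off] == 0xff && pkt[off + 1] == 0x03)
        off += 2;
    if (off >= len)
        return -1;

    if (ppp_off)
        *ppp_off = off;
    if (pkt[off] & 0x01)               /* PFC: odd first byte = one-byte protocol */
        return pkt[off];
    if (off + 2 > len)
        return -1;
    return (pkt[off] << 8) | pkt[off + 1];
}

/* 1 = data frame is CCP/MPPE wrapped, 0 = plaintext IPv4 leaving the tunnel
 * unprotected, -1 = control frame (LCP, CCP, ...) or not parseable. */
int pptp_data_protected(const uint8_t *pkt, size_t len)
{
    int proto = pptp_ppp_protocol(pkt, len, NULL);
    if (proto == PPP_COMP) return 1;
    if (proto == PPP_IPV4) return 0;
    return -1;
}

/* Constructed samples: 20-byte IP header, 16-byte GRE header (K, S, A set),
 * then the PPP frame.  Addresses borrow the 10.1.2.x numbering used earlier
 * in this thread; the ciphertext bytes are arbitrary. */
static const uint8_t SAMPLE_PLAINTEXT[] = {
    0x45,0x00,0x00,0x39, 0x00,0x01,0x00,0x00, 0x40,0x2f,0x00,0x00,
    0x0a,0x01,0x02,0x01, 0x0a,0x01,0x02,0xf7,
    0x30,0x81,0x88,0x0b, 0x00,0x15,0x00,0x01, 0x00,0x00,0x00,0x05, 0x00,0x00,0x00,0x04,
    0x21,                                            /* PPP: IPv4, PFC */
    0x45,0x00,0x00,0x14, 0x00,0x2a,0x00,0x00, 0x40,0x01,0x00,0x00,
    0x0a,0x01,0x02,0xf7, 0x0a,0x01,0x02,0x02
};
static const uint8_t SAMPLE_MPPE[] = {
    0x45,0x00,0x00,0x2f, 0x00,0x02,0x00,0x00, 0x40,0x2f,0x00,0x00,
    0x0a,0x01,0x02,0x01, 0x0a,0x01,0x02,0xf7,
    0x30,0x81,0x88,0x0b, 0x00,0x0b,0x00,0x01, 0x00,0x00,0x00,0x06, 0x00,0x00,0x00,0x05,
    0xfd, 0x90,0x01,                                 /* PPP: CCP data + MPPE header */
    0x3b,0xa4,0x71,0x0e,0xc9,0x55,0x2d,0x80          /* ciphertext */
};
static const uint8_t SAMPLE_TCP[] = {               /* not GRE at all */
    0x45,0x00,0x00,0x14, 0x00,0x03,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x01,0x02,0x01, 0x0a,0x01,0x02,0xf7
};

int main(void)
{
    printf("plaintext sample: PPP 0x%04x, protected=%d\n",
           pptp_ppp_protocol(SAMPLE_PLAINTEXT, sizeof SAMPLE_PLAINTEXT, NULL),
           pptp_data_protected(SAMPLE_PLAINTEXT, sizeof SAMPLE_PLAINTEXT));
    printf("MPPE sample:      PPP 0x%04x, protected=%d\n",
           pptp_ppp_protocol(SAMPLE_MPPE, sizeof SAMPLE_MPPE, NULL),
           pptp_data_protected(SAMPLE_MPPE, sizeof SAMPLE_MPPE));
    return 0;
}
```

The client's status display, as Tim found, only reflects what CCP negotiated; this classifier looks at what actually leaves the interface, which is the thing worth trusting. A control frame (LCP, CCP, IPCP) is reported as -1 rather than 0 so that a negotiation exchange does not get counted as leaked plaintext.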
From: pkrebs at lvu.at (Krebs Peter)
Date: Fri, 20 Apr 2001 17:28:55 +0200
Subject: [pptp-server] routing with windows 2k
Message-ID: <80F72BA317B7D411AF660000832D7042339C52@exchange01.intern.lvu.at>

Hi,

We have the following configuration:

pptpd on our firewall with the local network 10.8.0.x
ppp clients get addresses from 192.168.1.32-254
this works fine

now i have the problem to allow access to a server in the network 10.8.24.0
this works fine if the pptp clients use the tunnel for the default gateway.
If they do not use the tunnel the win98 clients can only access the 192.168.1.0 network -> no problem, i used nat to place the 10.8.24.0 server into the 192.168.1.0 network

the problem now is that win2k clients (192.168.1.99 for example) with disabled default gateway on the remote-network option do not automatically add a route to the 192.168.1.0 network and therefore are unable to connect to 192.168.1.2.
If i add the route after the connection is established it works.

any idea how to fix this windows feature?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Steve at SteveCowles.com Fri Apr 20 12:30:18 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Fri, 20 Apr 2001 12:30:18 -0500
Subject: [pptp-server] routing with windows 2k
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE759@defiant.infohiiway.com>

-----Original Message-----
From: Krebs Peter [mailto:pkrebs at lvu.at]
Sent: Friday, April 20, 2001 10:29 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] routing with windows 2k

> Hi,
>
> We have the following configuration:
>
> pptpd on our firewall with the local network 10.8.0.x
> ppp clients get addresses from 192.168.1.32-254
> this works fine
>
> now i have the problem to allow access to a server in the network 10.8.24.0
> this works fine if the pptp clients use the tunnel for the default gateway.
> If they do not use the tunnel the win98 clients can only access the
> 192.168.1.0 network -> no problem, i used nat to place the 10.8.24.0 server
> into the 192.168.1.0 network

Sounds correct since you are assigning your PPTP clients to a different subnet than the PPTP server's LAN interface. If you select "Use Default Gateway", then W2K will NOT add the 192.168.1.0 network route. It will create a new Default Gateway entry with a metric of 1 and the existing Default Gateway will then get a metric of 2. If you un-select "Use Default Gateway", then W2K should add "just" the 192.168.1.0 network route.

> the problem now is that win2k clients (192.168.1.99 for example) with
> disabled default gateway on the remote-network option do not automatically
> add a route to the 192.168.1.0 network and therefore are unable to connect
> to 192.168.1.2. If i add the route after the connection is established it
> works.

Personally, I have never observed what you described above. Without the default gateway enabled, I have always seen W2K add the (in your case) 192.168.1.0/24 network route. You would have to add your 10.0.0.0 network manually, if needed.

> any idea how to fix this windows feature?

The problem you're describing is odd. If your pptpd.conf and ppp options file are correct, then I really don't know what could be causing your problem.

FWIW: The only *feature* that really irritates me is W2K (really any M$ PPTP client) will, by default, add a CLASS based route. i.e. 192.168.x.0 will add a 24 bit network route, a 10.x.x.0 will add an 8 bit network route. There are times (based on network design) that I would like for the PPTP clients to honor the netmask statement in the ppp options file. like... 192.168.0.0/255.255.252.0 - so that 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 could be accessed (through the tunnel) with one summarized route. So far, I have been unable to get this type of netmask to work. :-(

Steve Cowles

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From timwilson at mediaone.net Fri Apr 20 12:47:13 2001
From: timwilson at mediaone.net (Tim Wilson)
Date: Fri, 20 Apr 2001 12:47:13 -0500
Subject: [pptp-server] FIXED one-way encryption
Message-ID:

I FIXED IT!! via many printks. See if you agree:

There's a logic bug in ppp_generic.c. Right around line 1985, it reads:

	case CCP_CONFREQ:
	case CCP_TERMREQ:
	case CCP_TERMACK:
		/*
		 * CCP is going down - disable compression
		 */
		if (inbound)
			ppp->rstate &= ~SC_DECOMP_RUN;
		else
			ppp->xstate &= ~SC_COMP_RUN;
		break;

This is wrong. If I *receive* a confreq then that means the other end wants me to send a confack stating what compression I am willing to send. In other words, a received confreq contains proposals on what the peer is willing to receive, and therefore what compressions I can use on transmit. Therefore, an inbound confreq should kill off my transmit compressor, not my receive compressor. And the converse is true.

I changed the if() as follows

		if (!inbound)
			ppp->rstate &= ~SC_DECOMP_RUN;
		else
			ppp->xstate &= ~SC_COMP_RUN;
		break;

And it works.

But upon thinking about it, I'm not sure that's right...does it handle the Term-req and Term-ack correctly? Maybe it should really be:

	case CCP_TERMACK:
		/* Sending or receiving term-ack kills CCP both ways */
		ppp->rstate &= ~SC_DECOMP_RUN;
		ppp->xstate &= ~SC_COMP_RUN;
		break;
	case CCP_CONFREQ:
		if (!inbound)
			ppp->rstate &= ~SC_DECOMP_RUN;
		else
			ppp->xstate &= ~SC_COMP_RUN;
		break;

Comments anybody??

-----------------------------------------------------------
Tim Wilson * Systems Engineer
Cambia Networks * 5600 N. River Road, Rosemont IL 60018
Phone 847.885.3090 * Fax 847.993.3097 * Mobile 847.207.4177

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Tim Wilson.vcf
Type: text/x-vcard
Size: 420 bytes
Desc: not available
URL:

From naresh at optimnetworks.com Fri Apr 20 12:51:56 2001
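An added example, not the kernel's code and not anything posted to the list: a model in C of the CCP bookkeeping Tim discusses, replaying a four-packet negotiation under the original handling he quotes, under his swapped version, and under a variant that clears both directions on every ConfReq/Term packet (that third variant is this model's extension of his Term-Ack idea to all three codes). The flag names SC_COMP_RUN/SC_DECOMP_RUN and the CCP code numbers follow the kernel and RFC 1661; the flag values, the ConfAck handling (an inbound ConfAck arms our receive side, an outbound one arms our transmit side, following Tim's reading that a ConfReq describes what its sender will receive) and the two message orderings replayed are assumptions of this model, not something the list confirms.

```c
/* Added example, not the kernel's code: a model of the CCP bookkeeping in
 * ppp_generic.c that Tim Wilson describes, showing how the original handling
 * can leave the transmit side unprotected.  Flag and code names mirror the
 * kernel and RFC 1661; flag values, ConfAck handling and the two message
 * orderings replayed here are this model's own assumptions. */
#include <stdio.h>

#define SC_COMP_RUN   0x1   /* xstate: transmit compressor/encryptor running */
#define SC_DECOMP_RUN 0x1   /* rstate: receive decompressor/decryptor running */

#define CCP_CONFREQ 1
#define CCP_CONFACK 2
#define CCP_TERMREQ 5
#define CCP_TERMACK 6

enum ccp_policy {
    CCP_ORIGINAL,   /* inbound ConfReq/Term* clears the receive side (code Tim quotes) */
    CCP_SWAPPED,    /* inbound clears the transmit side (Tim's first change) */
    CCP_BOTH        /* any ConfReq/Term* clears both sides (this model's variant) */
};

struct ppp_model { unsigned xstate, rstate; };

/* One CCP packet passing through the driver; inbound = received from the peer. */
static void ccp_peek(struct ppp_model *ppp, int code, int inbound, enum ccp_policy policy)
{
    switch (code) {
    case CCP_CONFREQ:
    case CCP_TERMREQ:
    case CCP_TERMACK:
        if (policy == CCP_BOTH) {
            ppp->xstate &= ~SC_COMP_RUN;
            ppp->rstate &= ~SC_DECOMP_RUN;
        } else if ((policy == CCP_ORIGINAL) ? inbound : !inbound) {
            ppp->rstate &= ~SC_DECOMP_RUN;
        } else {
            ppp->xstate &= ~SC_COMP_RUN;
        }
        break;
    case CCP_CONFACK:
        /* Assumption (Tim's reading): a ConfReq lists what its sender will
         * receive.  An inbound ConfAck therefore accepts our request, so we
         * may start decompressing; an outbound ConfAck accepts the peer's,
         * so we may start compressing. */
        if (inbound)
            ppp->rstate |= SC_DECOMP_RUN;
        else
            ppp->xstate |= SC_COMP_RUN;
        break;
    default:
        break;
    }
}

/* Replay a four-packet CCP negotiation and report which directions end up
 * running: bit 0 = transmit (SC_COMP_RUN), bit 1 = receive (SC_DECOMP_RUN).
 * peer_req_first = 0: both sides send ConfReq before either acks.
 * peer_req_first = 1: the peer's ConfReq is received and acked before our
 * own ConfReq goes out (the ordering that exposes the bug). */
int ccp_directions_running(enum ccp_policy policy, int peer_req_first)
{
    struct ppp_model ppp = { 0, 0 };
    if (peer_req_first) {
        ccp_peek(&ppp, CCP_CONFREQ, 1, policy);   /* peer -> us */
        ccp_peek(&ppp, CCP_CONFACK, 0, policy);   /* us -> peer: transmit armed */
        ccp_peek(&ppp, CCP_CONFREQ, 0, policy);   /* us -> peer */
        ccp_peek(&ppp, CCP_CONFACK, 1, policy);   /* peer -> us: receive armed */
    } else {
        ccp_peek(&ppp, CCP_CONFREQ, 0, policy);
        ccp_peek(&ppp, CCP_CONFREQ, 1, policy);
        ccp_peek(&ppp, CCP_CONFACK, 0, policy);
        ccp_peek(&ppp, CCP_CONFACK, 1, policy);
    }
    return ((ppp.xstate & SC_COMP_RUN) ? 1 : 0) | ((ppp.rstate & SC_DECOMP_RUN) ? 2 : 0);
}

int main(void)
{
    static const char *names[] = { "original", "swapped", "both" };
    int p, o;
    for (p = CCP_ORIGINAL; p <= CCP_BOTH; p++)
        for (o = 0; o <= 1; o++) {
            int r = ccp_directions_running((enum ccp_policy)p, o);
            printf("%-8s peer_req_first=%d  tx=%s rx=%s\n", names[p], o,
                   (r & 1) ? "on " : "OFF", (r & 2) ? "on" : "OFF");
        }
    return 0;
}
```

The replay reproduces the symptom from Tim's first message: with the original handling, and the peer's ConfReq acked before ours is sent, the model ends with the receive side armed and the transmit side off, so traffic from the Linux end leaves in the clear while inbound traffic decrypts fine. The swapped handling survives both orderings; the clear-both variant does not, which is the caveat for anyone weighing his second proposal: resetting both directions on every ConfReq is only safe if the acks that follow re-arm both sides. For an operator the practical lesson is the one the thread already reached: "encrypted" in a client's status display means CCP negotiated MPPE, and whether the kernel applies it on the way out has to be confirmed on the wire.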
From: naresh at optimnetworks.com (Naresh)
Date: Fri, 20 Apr 2001 10:51:56 -0700
Subject: Fw: [pptp-server] Cannot ping after connecting.
References: <001001c0c962$993d4000$d2ba1004@nkn>
Message-ID: <3AE0773C.9979A0EF@optimnetworks.com>

> Hi
>
> I added this forwarding also but still cannot ping. Following is an output of tcpdump eth0 on pptp server while pinging to the client (buzz to Woody). I am implementing it on a machine with one eth0 card. Masq will be done by FW1. I can connect to pptp server thru Win2K machine but cannot access local network.
>
> Any Ideas?
>
> Thanks,
> Naresh

-------------- next part --------------
buzz > woody: icmp: echo request (DF)
10:40:43.444352 eth0 > gre-proto-0x880B (gre encap)
10:40:43.549337 eth0 < [|gre] (gre encap)
10:40:44.444229 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:44.444357 eth0 > gre-proto-0x880B (gre encap)
10:40:44.549500 eth0 < [|gre] (gre encap)
10:40:44.934400 eth0 > gre-proto-0x880B (gre encap)
10:40:44.934818 eth0 < gre-proto-0x880B (gre encap)
10:40:44.934909 eth0 > [|gre] (gre encap)
10:40:45.444219 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:45.444349 eth0 > gre-proto-0x880B (gre encap)
10:40:45.549646 eth0 < [|gre] (gre encap)
10:40:46.444212 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:46.444329 eth0 > gre-proto-0x880B (gre encap)
10:40:46.549788 eth0 < [|gre] (gre encap)
10:40:47.444221 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:47.444337 eth0 > gre-proto-0x880B (gre encap)
10:40:47.549932 eth0 < [|gre] (gre encap)
10:40:48.444218 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:48.444332 eth0 > gre-proto-0x880B (gre encap)
10:40:48.550157 eth0 < [|gre] (gre encap)
---------------------------------------------------------------------------------

My IPtable rules are:

#!/bin/sh
#Iptable firewall v0.3

#Define some constants
echo "Setting up firewall....."
LOCALNETWORK="10.1.2.0/24"
INTINT="eth0"          #The internal interface

# User should not have to change anything below here
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
MULTICAST="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
ANYWHERE="any/0"
BROADCAST_SRC="0.0.0.0/32"
BROADCAST_DEST="255.255.255.255/32"
PRIVPORTS="0:1023"
PUBLICPORTS="1024:65535"
SOCKS_PORT="1080"
XWINDOW_PORTS="6000:6023"
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

#=============================================
# Non iptables stuff
#=============================================
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

#=============================================
# Flush the old rules and set default policies
#=============================================
echo "Setting defaults"
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

#=============================================
# Filter rules
#=============================================
# Filter out some troublesome things I would drop anyway
/sbin/iptables -t nat -A PREROUTING -i ppp+ \
    -s 192.168.0.56 -j DROP

#Loopback interface is valid
/sbin/iptables -A INPUT -i lo -s $LOOPBACK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -s $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $LOOPBACK -j ACCEPT

#Yes, I know lo looks strange, but otherwise there are problems.
#Some local network traffic does pass through lo rather than
#the internal interface.
/sbin/iptables -t nat -A POSTROUTING -o lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A INPUT -i lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s $LOCALNETWORK -j ACCEPT
echo "Loopback setup"

#Allow unlimited LAN traffic
/sbin/iptables -A INPUT -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTINT -s $LOCALNETWORK -j ACCEPT

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to

#This next allows local broadcasts from this machine.
/sbin/iptables -t nat -A OUTPUT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $INTINT -s $LOCALNETWORK \
    -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s $LOCALNETWORK -j ACCEPT
echo "LAN traffic allowed"

# Anything coming from our internal network should have only our
# address

#Allow forwarding from inside to out and vice versa
/sbin/iptables -A FORWARD -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A FORWARD -o $INTINT -d $LOCALNETWORK -j ACCEPT

#Allow pptpd connections (port 1723)
/sbin/iptables -t nat -A PREROUTING -i $INTINT -p TCP \
    --sport $PUBLICPORTS --dport 1723 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $INTINT -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i $INTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i ppp+ \
    -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp+ \
    -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -s 10.1.2.0/24 -d 10.1.2.0/24 -j ACCEPT
echo "PPTPD allowed"

/sbin/iptables -t nat -A OUTPUT -j LOG --log-prefix "Out NAT logging."

From charlieb at e-smith.com Fri Apr 20 13:07:51 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Fri, 20 Apr 2001 14:07:51 -0400 (EDT)
Subject: [pptp-server] FIXED one-way encryption
In-Reply-To:
Message-ID:

On Fri, 20 Apr 2001, Tim Wilson wrote:

> Comments anybody??

First comment is to be absolutely sure that you are correct about the lack of encryption. Do not trust tcpdump on the end point machine - make sure that you sniff en route.

Charlie Brady                         charlieb at e-smith.com
http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From richter at ecos.de Fri Apr 20 16:41:43 2001
From: richter at ecos.de (Gerald Richter)
Date: Fri, 20 Apr 2001 23:41:43 +0200
Subject: [pptp-server] PPTP behind a Firewall
Message-ID: <002701c0c9e4$652d06b0$0a0c0b0a@gr.ecos.de>

> I'm guessing you're using ipchains. If so, there is a kernel patch needed to
> masquerade the pptp connections. I'm (s-l-o-w-l-y) working on something for
> iptables.

Do I understand this right: There is currently no chance to get a PPTP server running behind a Linux firewall that uses iptables nat ?

Do you have any estimations how long "s-l-o-w-l-y" will take ?

Thanks

Gerald

-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter at ecos.de        Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------

From naresh at optimnetworks.com Fri Apr 20 17:17:59 2001
From: naresh at optimnetworks.com (Naresh)
Date: Fri, 20 Apr 2001 15:17:59 -0700
Subject: Fw: [pptp-server] Cannot ping after connecting.
References: <001001c0c962$993d4000$d2ba1004@nkn> <3AE0773C.9979A0EF@optimnetworks.com> <01042013352101.14913@linux>
Message-ID: <3AE0B597.9F5B6265@optimnetworks.com>

Hi Robert,

I did run the full iptables script on my linux box. It sure became a good firewall :) Now the problem is, I can connect to it using Win2K VPN but cannot access the local network. I think I did everything that is mentioned on your site. Here are some outputs. Please let me know if some more inputs are required.

Thanks,
Naresh

robert wrote:

> On Friday 20 April 2001 12:51, you wrote:
> > > Hi
> >
> > I added this forwarding also but still cannot ping. Following is an
> > output of tcpdump eth0 on pptp server while pinging to the client (buzz to
> > Woody). I am implementing it on a machine with one eth0 card. Masq will be
> > done by FW1. I can connect to pptp server thru Win2K machine but cannot
> > access local network.
> >
> > Any Ideas?
> >
> > Thanks,
> > Naresh
>
> Try using the more complete (but still has some minor issues) firewall script
> at http://home.swbell.net/berzerke rather than the stripped down one. The
> full is more thoroughly tested. It's possible I left something out on the
> stripped down one (probably not). Let me know if that solves your problem so
> I can update as appropriate.
>
> The author of the script (and howto).
-------------- next part --------------
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          anywhere
ACCEPT     all  --  10.1.2.0/24          anywhere
ACCEPT     all  --  10.1.2.0/24          anywhere
ACCEPT     icmp --  anywhere             anywhere           icmp source-quench state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp parameter-problem state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp flags:NONE/FIN,SYN,RST,PSH,ACK,URG
ACCEPT     udp  --  0.0.0.0              255.255.255.255    udp spt:bootps dpt:bootpc state ESTABLISHED
ACCEPT     udp  --  0.0.0.0              255.255.255.255    udp spt:bootpc dpt:bootps state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere           udp spt:domain dpts:1024:65535
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:www dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:https dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:smtp dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:pop3 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:nntp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:2064 dpts:1024:65535 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:whois dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ftp dpts:1024:65535
ACCEPT     udp  --  anywhere             anywhere           udp spt:4000 dpts:1024:65535
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpts:1024:65535
ACCEPT     47   --  anywhere             anywhere
ACCEPT     all  --  10.1.2.0/24          10.1.2.0/24
REJECT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:auth reject-with icmp-port-unreachable
LOG        all  --  anywhere             anywhere           LOG level warning prefix `Input packet dropped'

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  !10.1.2.0/24         anywhere
ACCEPT     all  --  10.1.2.0/24          anywhere
ACCEPT     all  --  anywhere             10.1.2.0/24
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp flags:NONE/FIN,SYN,RST,PSH,ACK,URG
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
LOG        tcp  --  anywhere             anywhere           tcp spts:netbios-ns:netbios-ssn LOG level warning prefix `SMB tried to cross.'
LOG        udp  --  anywhere             anywhere           udp spts:netbios-ns:netbios-ssn LOG level warning prefix `SMB tried to cross.'
DROP       tcp  --  anywhere             anywhere           tcp spts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere           udp spts:netbios-ns:netbios-ssn
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere           LOG level warning prefix `Forward packet dropped'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             127.0.0.0/8
ACCEPT     all  --  10.1.2.0/24          anywhere
ACCEPT     all  --  10.1.2.0/24          anywhere
ACCEPT     icmp --  anywhere             anywhere           icmp source-quench state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp parameter-problem state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request state NEW
ACCEPT     udp  --  anywhere             anywhere           udp spts:32769:65535 dpts:33434:33523 state NEW
DROP       tcp  --  anywhere             anywhere           tcp spts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere           udp spts:netbios-ns:netbios-ssn
ACCEPT     udp  --  0.0.0.0              255.255.255.255    udp spt:bootpc dpt:bootps state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0              255.255.255.255    udp spt:bootps dpt:bootpc state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere           udp spts:1024:65535 dpt:domain
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:www
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:https
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:nntp
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:2064
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:whois state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpt:ftp
ACCEPT     udp  --  anywhere             anywhere           udp spts:1024:65535 dpt:4000
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:1024:65535 dpts:1024:65535
ACCEPT     47   --  anywhere             anywhere
ACCEPT     all  --  10.1.2.0/24          10.1.2.0/24
LOG        all  --  anywhere             anywhere           LOG level warning prefix `Output packet dropped'

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.1.2.247      0.0.0.0         255.255.255.255 UH     40 0      0    ppp0
63.107.13.192   0.0.0.0         255.255.255.192 U      40 0      0    eth1
10.1.2.0        0.0.0.0         255.255.255.0   U      40 0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
0.0.0.0         10.1.2.247      0.0.0.0         UG     40 0      0    ppp0

Module                  Size  Used by
ppp_mppe               23708   2 (autoclean)
bsd_comp                4204   0 (autoclean)
ppp_async               6668   1 (autoclean)
ppp_generic            18816   3 (autoclean) [ppp_mppe bsd_comp ppp_async]
slhc                    4860   0 (autoclean) [ppp_generic]
ipt_limit               1132   1 (autoclean)
ipt_REJECT              2100   1 (autoclean)
ipt_LOG                 3460   9 (autoclean)
ipt_state                792  26 (autoclean)
ipt_MASQUERADE          1980   1 (autoclean)
ip_conntrack_ftp        2552   0 (unused)
iptable_nat            19744   0 [ipt_MASQUERADE]
ip_conntrack           23512   3 [ipt_state ipt_MASQUERADE ip_conntrack_ftp iptable_nat]
iptable_filter          1848   0 (autoclean) (unused)
ip_tables              13688   9 [ipt_limit ipt_REJECT ipt_LOG ipt_state ipt_MASQUERADE iptable_nat iptable_filter]
ip_gre                  7544   0 (unused)
loop                    7732   0 (unused)

From berzerke at swbell.net Fri Apr 20 17:33:10 2001
From: berzerke at swbell.net (robert)
Date: Fri, 20 Apr 2001 17:33:10 -0500
Subject: [pptp-server] PPTP behind a Firewall
In-Reply-To: <002701c0c9e4$652d06b0$0a0c0b0a@gr.ecos.de>
References: <002701c0c9e4$652d06b0$0a0c0b0a@gr.ecos.de>
Message-ID: <01042017331002.14913@linux>

On Friday 20 April 2001 16:41, Gerald Richter wrote:
> > I'm guessing you're using ipchains. If so, there is a kernel patch needed
> > to masquerade the pptp connections. I'm (s-l-o-w-l-y) working on
> > something for iptables.
>
> Do I understand this right: There is currently no chance to get a PPTP
> server running behind a Linux firewall that uses iptables nat ?

I don't know. I believe it should work, but theory and practice are often different.

> Do you have any estimations how long "s-l-o-w-l-y" will take ?

Work and wife demand much of my time. Unfortunately, no.

> Thanks
>
> Gerald

From naresh at optimnetworks.com Fri Apr 20 17:56:07 2001
From: naresh at optimnetworks.com (Naresh)
Date: Fri, 20 Apr 2001 15:56:07 -0700
Subject: Fw: [pptp-server] Cannot ping after connecting.
References: <001001c0c962$993d4000$d2ba1004@nkn> <01042013352101.14913@linux> <3AE0B597.9F5B6265@optimnetworks.com> <01042017380203.14913@linux>
Message-ID: <3AE0BE87.FF6A697A@optimnetworks.com>

Robert,

Thanks for responding so quickly. Here is my complete script and errors logged in /var/log/messages.

Local Subnet I am using: 10.1.2.0/24

Thanks,
Naresh

robert wrote:

> Could you resend the constants you used (or the whole script). I can't find
> it in my mailbox anymore. Also, what is your local network subnet.
>
> On Friday 20 April 2001 17:17, you wrote:
> > Hi Robert,
> >
> > I did run the full iptables script on my linux box. It sure became a
> > good firewall :) Now the problem is, I can connect to it using Win2K VPN
> > but cannot access the local network. I think everything whatever is
> > mentioned on your site I did. Here are some outputs. Please let me know if
> > some more inputs are required.
> >
> > Thanks,
> > Naresh
> >
> > robert wrote:
> > > On Friday 20 April 2001 12:51, you wrote:
> > > > > Hi
> > > >
> > > > I added this forwarding also but still cannot ping. Following is an
> > > > output of tcpdump eth0 on pptp server while pinging to the client (buzz
> > > > to Woody). I am implementing it on a machine with one eth0 card. Masq
> > > > will be done by FW1. I can connect to pptp server thru Win2K machine
> > > > but cannot access local network.
> > > >
> > > > Any Ideas?
> > > >
> > > > Thanks,
> > > > Naresh
> > >
> > > Try using the more complete (but still has some minor issues) firewall
> > > script at http://home.swbell.net/berzerke rather than the stripped down
> > > one. The full is more thoroughly tested. It's possible I left something
> > > out on the stripped down one (probably not). Let me know if that solves
> > > your problem so I can update as appropriate.
> > >
> > > The author of the script (and howto).
>
> ----------------------------------------
> Content-Type: text/plain; charset="us-ascii"; name="result.1"
> Content-Transfer-Encoding: 7bit
> Content-Description:
> ----------------------------------------

-------------- next part --------------
Apr 20 14:52:18 www kernel: CSLIP: code copyright 1989 Regents of the University of California
Apr 20 14:52:18 www kernel: PPP generic driver version 2.4.1
Apr 20 14:52:18 www pppd[2384]: pppd 2.4.0 started by root, uid 0
Apr 20 14:52:18 www pppd[2384]: Using interface ppp0
Apr 20 14:52:18 www pppd[2384]: Connect: ppp0 <--> /dev/pts/4
Apr 20 14:52:18 www pptpd[2383]: GRE: Discarding duplicate packet
Apr 20 14:52:20 www pptpd[2383]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr 20 14:52:20 www kernel: PPP BSD Compression module registered
Apr 20 14:52:20 www kernel: PPP MPPE compression module registered
Apr 20 14:52:20 www pppd[2384]: MSCHAP-v2 peer authentication succeeded for test
Apr 20 14:52:20 www pppd[2384]: found interface eth0 for proxy arp
Apr 20 14:52:20 www pppd[2384]: local IP address 10.1.2.236
Apr 20 14:52:20 www pppd[2384]: remote IP address 10.1.2.247
Apr 20 14:52:20 www pppd[2384]: MPPE 40 bit, stateless compression enabled
Apr 20 14:52:20 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53720 PROTO=UDP SPT=520 DPT=520 LEN=32
Apr 20 14:52:20 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53720 PROTO=UDP SPT=520 DPT=520 LEN=32
Apr 20 14:52:20 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53714 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:21 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53727 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:22 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53730 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:22 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53733 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:23 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53737 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:24 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53741 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:24 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=209.209.1.1 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=41289 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:52:25 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53745 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:25 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53748 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53754 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53755 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=53759 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 20 14:52:27 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53763 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:27 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53764 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53768 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53769 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53773 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53774 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:29 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=53779 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 20 14:52:29 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=53781 PROTO=UDP SPT=138 DPT=138 LEN=184
Apr 20 14:52:31 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=53788 PROTO=UDP SPT=138 DPT=138 LEN=184
Apr 20 14:52:32 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=53792 PROTO=UDP SPT=138 DPT=138 LEN=184
Apr 20 14:52:34 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=53798 PROTO=UDP SPT=138 DPT=138 LEN=184
Apr 20 14:52:37 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=63.107.13.234 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=31908 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:52:37 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=63.107.13.234 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=31908 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:52:54 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53844 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 20 14:52:54 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53844 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 20 14:52:54 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53846 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 20 14:52:55 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53864 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 20 14:52:55 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53868 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 20 14:52:59 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=53877 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 20 14:52:59 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=53879 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 20 14:52:59 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=53879 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 20 14:53:11 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=202.202.202.20 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=48548 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:53:17 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=63.107.13.242 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=48714 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:53:17 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=63.107.13.242 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=48714 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:53:24 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=209.209.1.1 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=58186 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:53:32 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:b5:95:e5:01:08:00 SRC=63.107.13.248 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=49925 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 20 14:53:32 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:b5:95:e5:01:08:00 SRC=63.107.13.248 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=49925 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 20 14:53:37 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=63.107.13.234 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=65444 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:53:37 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=63.107.13.234 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=65444 PROTO=UDP SPT=2301 DPT=2301 LEN=20
Apr 20 14:53:43 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=63.107.13.242 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=19275 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 20 14:53:43 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=63.107.13.242 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=19275 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 20 14:53:45 www kernel: Output packet droppedIN= OUT=eth1 SRC=63.107.13.210 DST=63.107.13.236 LEN=961 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=23 DPT=33172 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Apr 20 14:53:53 www kernel: Input packet droppedIN=eth1 OUT= MAC=00:02:b3:26:34:b0:00:02:b3:26:34:f3:08:00 SRC=63.107.13.236 DST=63.107.13.210 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33172 DPT=23 WINDOW=63712 RES=0x00 ACK PSH URGP=0
Apr 20 14:54:02 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:e5:ee:5c:08:00 SRC=63.107.13.195 DST=63.107.13.255 LEN=180 TOS=0x00 PREC=0x00 TTL=1 ID=36583 DF PROTO=UDP SPT=56513 DPT=111 LEN=160
Apr 20 14:54:02 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:e5:ee:5c:08:00 SRC=63.107.13.195 DST=63.107.13.255 LEN=180 TOS=0x00 PREC=0x00 TTL=1 ID=36583 DF PROTO=UDP SPT=56513 DPT=111 LEN=160
Apr 20 14:54:02 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:e5:ee:5c:08:00 SRC=63.107.13.195 DST=63.107.13.255 LEN=180 TOS=0x00 PREC=0x00 TTL=1 ID=36584 DF PROTO=UDP SPT=56513 DPT=111 LEN=160
Apr 20 15:15:25 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=57305 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 20 15:15:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=57309 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 20 15:15:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=57316 PROTO=UDP SPT=138 DPT=138 LEN=182
Apr 20 15:15:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=57318 PROTO=UDP SPT=137 DPT=137 LEN=58

-------------- next part --------------
#!/bin/sh
#Iptable firewall v0.3

#Define some constants
echo "Setting up firewall....."
LOCALNETWORK="10.1.2.0/24"
INTINT="eth0"          #The internal interface
EXTINT="eth1"          #The external interface
#INTIP="192.168.1.1"   #The internal interface address - Not used

# User should not have to change anything below here
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
MULTICAST="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
ANYWHERE="any/0"
BROADCAST_SRC="0.0.0.0/32"
BROADCAST_DEST="255.255.255.255/32"
PRIVPORTS="0:1023"
PUBLICPORTS="1024:65535"
NFS_PORT="2049"
SOCKS_PORT="1080"
XWINDOW_PORTS="6000:6023"
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

#=============================================
# Non iptables stuff
#=============================================
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

#=============================================
# Flush the old rules and set default policies
#=============================================
echo "Setting defaults"
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

#=============================================
# Filter rules
#=============================================
# Filter out some troublesome things I would drop anyway
/sbin/iptables -t nat -A PREROUTING -i ppp+ \
    -s 192.168.0.56 -j DROP

#Loopback interface is valid
/sbin/iptables -A INPUT -i lo -s $LOOPBACK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -s $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $LOOPBACK -j ACCEPT

#Yes, I know lo looks strange, but otherwise there are problems.
#Some local network traffic does pass through lo rather than
#the internal interface.
/sbin/iptables -t nat -A POSTROUTING -o lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A INPUT -i lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s $LOCALNETWORK -j ACCEPT
echo "Loopback setup"

#Allow unlimited LAN traffic
/sbin/iptables -A INPUT -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTINT -s $LOCALNETWORK -j ACCEPT

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -s $LOCALNETWORK \
    -j MASQUERADE
echo "Masquerading enabled"

#This next allows local broadcasts from this machine.
/sbin/iptables -t nat -A OUTPUT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $INTINT -s $LOCALNETWORK \
    -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s $LOCALNETWORK -j ACCEPT
echo "LAN traffic allowed"

# Anything coming from our internal network should have only our
# address
/sbin/iptables -A FORWARD -i $INTINT -s ! $LOCALNETWORK -j DROP

#Allow forwarding from inside to out and vice versa
/sbin/iptables -A FORWARD -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A FORWARD -o $INTINT -d $LOCALNETWORK -j ACCEPT

#Allow some ICMP messages
#Allow source quench (type 4)
/sbin/iptables -A INPUT -i $EXTINT -p ICMP --icmp-type source-quench \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type source-quench \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow parameter problem status (type 12)
/sbin/iptables -A INPUT -i $EXTINT -p ICMP --icmp-type parameter-problem \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type parameter-problem \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow Destination unreachable (type 3)
/sbin/iptables -A INPUT -i $EXTINT -p ICMP --icmp-type \
    destination-unreachable -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type \
    destination-unreachable -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

#Allow time exceeded (type 11) messages
/sbin/iptables -A INPUT -i $EXTINT -p ICMP --icmp-type \
    time-exceeded -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type \
    time-exceeded -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

#Allow outgoing pings (type 8 and type 0)
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p ICMP --icmp-type \
#    echo-reply -j DROP
/sbin/iptables -A INPUT -i $EXTINT -p ICMP --icmp-type \
    echo-reply -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p ICMP --icmp-type \
    echo-request -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p ICMP --icmp-type \
    echo-request -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type \
    echo-request -m state --state NEW \
    -j ACCEPT
echo "Some ICMP allowed"

#Allow traceroute
#By default, it uses UDP packets, and tends (for Linux at
least) #to use source ports 32769-65536 and destination ports # 33434:33523. It can be made to any port, however. # Note that the input is handles by the icmp type 3 above. /sbin/iptables -A OUTPUT -o $EXTINT -p UDP --sport $TRACEROUTE_SRC_PORTS \ --dport $TRACEROUTE_DEST_PORTS -m state --state NEW -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p UDP \ --sport $TRACEROUTE_SRC_PORTS \ --dport $TRACEROUTE_DEST_PORTS -j ACCEPT echo "traceroute allowed" # Kill malformed packets -- enhance this list yourself! # Block XMAS packets /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP # Block NULL packets /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP echo "Some malformed packets blocked" # Anything coming from the Internet should have a real Internet address /sbin/iptables -A FORWARD -i $EXTINT -s 192.168.0.0/16 -j DROP /sbin/iptables -A FORWARD -i $EXTINT -s 172.16.0.0/12 -j DROP /sbin/iptables -A FORWARD -i $EXTINT -s 10.0.0.0/8 -j DROP # Block outgoing network filesharing protocols that aren't designed # to leave the LAN -- log the SMB ones # SMB / Windows filesharing /sbin/iptables -A FORWARD -p tcp --sport 137:139 -j LOG \ --log-level warning --log-prefix "SMB tried to cross." /sbin/iptables -A FORWARD -p udp --sport 137:139 -j LOG \ --log-level warning --log-prefix "SMB tried to cross." 
/sbin/iptables -A FORWARD -p tcp --sport 137:139 -j DROP /sbin/iptables -A FORWARD -p udp --sport 137:139 -j DROP /sbin/iptables -A OUTPUT -o $EXTINT -p tcp --sport 137:139 -j DROP /sbin/iptables -A OUTPUT -o $EXTINT -p udp --sport 137:139 -j DROP #Allow DHCP traffic /sbin/iptables -t nat -A PREROUTING -i $EXTINT -p UDP -s $DHCPSERVER \ --sport 67 --dport 68 -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p UDP -s $BROADCAST_SRC --sport 68 \ -d $BROADCAST_DEST --dport 67 -m state --state NEW,ESTABLISHED \ -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p UDP -s $BROADCAST_SRC --sport 67 \ -d $BROADCAST_DEST --dport 68 -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p UDP -s $ANYWHERE --sport 68 \ -d $DHCPSERVER --dport 67 -m state --state NEW,ESTABLISHED \ -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p UDP -s $DHCPSERVER --sport 67 \ -d $ANYWHERE --dport 68 -m state --state ESTABLISHED -j ACCEPT #Internal DHCP server /sbin/iptables -t nat -A PREROUTING -i $INTINT -p UDP -s $DHCPSERVER2 \ --sport 68 --dport 67 -j ACCEPT /sbin/iptables -A OUTPUT -o $INTINT -p UDP -s $BROADCAST_SRC --sport 67 \ -d $BROADCAST_DEST --dport 68 -m state --state ESTABLISHED \ -j ACCEPT /sbin/iptables -A INPUT -i $INTINT -p UDP -s $BROADCAST_SRC --sport 68 \ -d $BROADCAST_DEST --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT /sbin/iptables -A OUTPUT -o $INTINT -p UDP -s $ANYWHERE --sport 67 \ -d $DHCPSERVER --dport 68 -m state --state ESTABLISHED \ -j ACCEPT /sbin/iptables -A INPUT -i $INTINT -p UDP -s $DHCPSERVER2 --sport 68 \ -d $ANYWHERE --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT echo "DCHP allowed" #Allow DNS (port 53 TCP and UDP) /sbin/iptables -A OUTPUT -o $EXTINT -p UDP --sport $PUBLICPORTS \ --dport 53 -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p UDP --sport $PUBLICPORTS \ --dport 53 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p UDP --sport 53 \ --dport $PUBLICPORTS -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport 
$PUBLICPORTS \ --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 53 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 53 \ --dport $PUBLICPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p UDP --sport $PUBLICPORTS \ --dport 53 -j ACCEPT echo "DNS queries allowed" #Allow Web access (ports 80 and 443) /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 80 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 80 \ --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 443 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 443 \ --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 80 -j ACCEPT /sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 80 -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 443 -j ACCEPT /sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 443 -j ACCEPT echo "Web and Secure Web allowed" #Allow Email (port 25 and 110) /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 25 -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 25 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 25 \ --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 110 -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 110 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 110 \ --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -t nat -A POSTROUTNG -o $EXTINT -p TCP --dport 110 \ --sport $PUBLICPORTS 
-j ACCEPT echo "Email allowed (except IMAP)" #Allow ssh (port 22 - client access) /sbin/iptables -A OUTPUT -o $EXTINT -p TCP \ --dport 22 -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP \ --dport 22 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 22 \ -j ACCEPT echo "SSH client allowed" #Allows usenet (port 119) /sbin/iptables -A OUTPUT -o $EXTINT -p TCP \ --dport 119 -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP \ --dport 119 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 119 \ -m state --state NEW,ESTABLISHED -j ACCEPT echo "News allowed" #Allow distributed.net /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 2064 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 2064 \ --dport $PUBLICPORTS -m state --state NEW,ESTABLISHED -j ACCEPT echo "Distributed.net allowed" #Allow outgoing whois(port 43) /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 43 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 43 \ --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT echo "whois allowed" #Allow FTP /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 21 -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport $PUBLICPORTS -j ACCEPT /sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \ --sport $PUBLICPORTS --dport 21 -j ACCEPT /sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP \ --sport $PUBLICPORTS --dport 21 -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 21 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport 21 \ --dport $PUBLICPORTS -j ACCEPT echo "FTP allowed" #Allow ICQ (UDP port 4000 and TCP public ports) /sbin/iptables -A OUTPUT -o $EXTINT -p UDP --sport $PUBLICPORTS \ --dport 4000 -j ACCEPT /sbin/iptables -A 
INPUT -i $EXTINT -p UDP --sport 4000 \ --dport $PUBLICPORTS -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport $PUBLICPORTS -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport $PUBLICPORTS \ --dport $PUBLICPORTS -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 4000 -j ACCEPT /sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \ --sport $PUBLICPORTS --dport 4000 -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p UDP \ --sport $PUBLICPORTS --dport 4000 -j ACCEPT /sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p UDP \ --sport $PUBLICPORTS --dport 4000 -j ACCEPT #Don't think this one does anything. /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT echo "ICQ allowed" #Allow pptpd connections (port 1723) /sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \ --sport $PUBLICPORTS --dport 1723 -j ACCEPT /sbin/iptables -t nat -A OUTPUT -o $EXTINT -p 47 -j ACCEPT /sbin/iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p 47 -j ACCEPT /sbin/iptables -A INPUT -i ppp+ \ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT /sbin/iptables -A OUTPUT -o ppp+ \ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT echo "PPTPD allowed" #Reject port 113 #I can't reject in nat, so let it through. The next rule will block. /sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \ --dport 113 -j ACCEPT /sbin/iptables -A INPUT -i $EXTINT -p TCP --sport $PUBLICPORTS \ --dport 113 -j REJECT #Limit logging of pings. /sbin/iptables -t nat -A PREROUTING -i $EXTINT -p ICMP --icmp-type \ echo-request -m limit -j LOG --log-prefix "Ping dropped.." 
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p ICMP --icmp-type \ echo-request -j DROP #Log everything else (which would be dropped anyway) /sbin/iptables -A INPUT -j LOG --log-prefix "Input packet dropped" /sbin/iptables -A OUTPUT -j LOG --log-prefix "Output packet dropped" /sbin/iptables -A FORWARD -j LOG --log-prefix "Forward packet dropped" /sbin/iptables -t nat -A PREROUTING -j LOG --log-prefix "PreNat logging." /sbin/iptables -t nat -A POSTROUTING -j LOG \ --log-prefix "PostNat logging." /sbin/iptables -t nat -A OUTPUT -j LOG --log-prefix "Out NAT logging." From Steve at SteveCowles.com Fri Apr 20 19:53:42 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Fri, 20 Apr 2001 19:53:42 -0500 Subject: [pptp-server] PPTP behind a Firewall Message-ID: <90769AF04F76D41186C700A0C90AFC3EE75A@defiant.infohiiway.com> > -----Original Message----- > From: Gerald Richter [mailto:richter at ecos.de] > Sent: Friday, April 20, 2001 4:42 PM > To: berzerke at swbell.net > Cc: pptp-server at lists.schulte.org > Subject: Re: [pptp-server] PPTP behind a Firewall > > > >I'm guessing your using ipchains. If so, there is a kernel > patch needed to > >masquerade the pptp connections. I'm (s-l-o-w-l-y) working > on something > for > >iptables. > > Do I understand this right: There is currently no chance to get a PPTP > server runing behind a Linux firewall that use iptables nat ? > > Do you have any estimations how long "s-l-o-w-l-y" will take ? > Have you checked out John Hardin's website?? Most of it is based on masquerading PPTP clients and servers with the 2.2.x kernels, but there is a section on the 2.4.x kernels with an iptables example. Although, I don't think it applies to a masq'd server, just a masq'd client behind the firewall. Might be worth a look though. Checkout: http://www.impsec.org/linux/masquerade/ip_masq_vpn.html Steve Cowles From chris at ceeriff.net Fri Apr 20 20:42:02 2001 
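A point worth checking in the firewall script posted earlier in this archive: several of its INPUT rules on the external interface accept traffic on a source-port match alone (the ssh, DNS-over-UDP, FTP and ICQ rules), with no `-m state --state ESTABLISHED,RELATED` clause, while the neighbouring web and mail rules do carry one. A source port is chosen by the sender, so such a rule admits any packet that happens to carry it. The following audit script is an added example, not code from the list post or its author; it parses iptables commands in the one-command-per-line form the script uses and flags stateless inbound ACCEPTs. The sample rules are copied from the script with its variables expanded (`EXTINT=eth1`, `PUBLICPORTS=1024:65535`), and `eth1` as the untrusted interface is an assumption taken from that same script.

```python
"""Audit for stateless inbound ACCEPT rules in an iptables script.

Added example, not part of the mailing-list post or the script it discusses.
Flags filter-table INPUT/FORWARD ACCEPT rules that match an untrusted
interface without restricting the match to ESTABLISHED/RELATED state.
"""
import shlex

# Constructed sample: rules taken from the script above with its variables
# expanded (EXTINT=eth1, PUBLICPORTS=1024:65535, LOOPBACK=127.0.0.0/8).
SAMPLE_RULES = """
/sbin/iptables -A INPUT -i eth1 -p TCP --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p TCP --sport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p TCP --sport 1024:65535 --dport 1024:65535 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p TCP --sport 119 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p UDP --sport 53 --dport 1024:65535 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth1 -p TCP --sport 1024:65535 --dport 1723 -j ACCEPT
"""

# Interfaces whose inbound traffic is untrusted (assumption: eth1 is EXTINT).
UNTRUSTED_IFACES = {"eth1"}

# Options that take one argument; anything else is treated as a bare flag.
TWO_TOKEN_OPTS = {"-t", "-A", "-I", "-j", "-i", "-o", "-p", "-s", "-d",
                  "-m", "--sport", "--dport", "--state", "--icmp-type"}


def parse_rule(line):
    """Parse one iptables command into the fields the audit needs."""
    toks = shlex.split(line)
    rule = {"table": "filter", "chain": None, "target": None,
            "iface_in": None, "proto": None, "sport": None, "dport": None,
            "states": set()}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in TWO_TOKEN_OPTS and i + 1 < len(toks):
            val = toks[i + 1]
            if tok == "-t":
                rule["table"] = val
            elif tok in ("-A", "-I"):
                rule["chain"] = val
            elif tok == "-j":
                rule["target"] = val
            elif tok == "-i":
                rule["iface_in"] = val
            elif tok == "-p":
                rule["proto"] = val.lower()
            elif tok == "--sport":
                rule["sport"] = val
            elif tok == "--dport":
                rule["dport"] = val
            elif tok == "--state":
                rule["states"] = set(val.upper().split(","))
            i += 2
        else:
            i += 1
    return rule


def is_stateless_accept(rule):
    """True when traffic from an untrusted interface is accepted without
    conntrack limiting it to replies (ESTABLISHED/RELATED only)."""
    if rule["table"] != "filter" or rule["target"] != "ACCEPT":
        return False
    if rule["chain"] not in ("INPUT", "FORWARD"):
        return False
    if rule["iface_in"] not in UNTRUSTED_IFACES:
        return False
    # A state match that excludes NEW only admits replies: acceptable.
    if rule["states"] and not (rule["states"] & {"NEW", "INVALID"}):
        return False
    return True


def audit(text):
    """Return (rule, reason) pairs for every stateless inbound ACCEPT."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if is_stateless_accept(rule):
            if rule["states"]:
                reason = "admits NEW connections"
            elif rule["sport"] and not rule["dport"]:
                reason = "no state match; source port is the only filter"
            else:
                reason = "no state match"
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{reason}:\n    {rule}")
```

On the sample the web rule (ESTABLISHED only), the loopback rule and the nat-table rule pass; the ssh, ICQ, usenet, UDP DNS and GRE rules are reported. The GRE finding is expected for a 2.4-era PPTP server, since there was no conntrack helper for protocol 47 to restrict it; the report still makes the exposure explicit rather than leaving it implicit in the rule set.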
From chris at ceeriff.net Fri Apr 20 20:42:02 2001
From: chris at ceeriff.net (Chris Riffle)
Date: Fri, 20 Apr 2001 20:42:02 -0500
Subject: [pptp-server] Remove from mailing list
Message-ID:

Please remove "chris at ceeriff.net" from pptp mail list. Thanks.

From danielb at tihlde.org Sat Apr 21 04:24:58 2001
From: danielb at tihlde.org (Daniel Buchmann)
Date: Sat, 21 Apr 2001 11:24:58 +0200 (CEST)
Subject: [pptp-server] pppd error message: unrecognized option '+chapms'
Message-ID:

Hi.

Sorry, I know this has been asked before, but I couldn't find any answers to it in the mailing list archive... I believe this is the same problem as in a post by Daniell Freed, Thu Mar 23 13:42:16 2000. See http://lists.schulte.org/pipermail/pptp-server/2000-March/007059.html

I am running pppd-2.4.1 on linux 2.4.3. (and pptpd version: 1.0.1)

My pppd complains about the +chapms and +chapms-v2 options, but it does not complain about the mppe-* options. How can I make it recognize these options?

I have patched the pppd-2.4.1 source with this patch: ppp-2.4.0-openssl-0.9.6-mppe.patch.gz

And when I compile, I can clearly see that the -DCHAPMS=1 option is specified.

If I comment out +chapms and +chapms-v2, pppd runs fine, but when connecting from my Win98-SE box, I get these messages from pppd:

Apr 20 23:41:04 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:04 capella pppd[1182]: rcvd [LCP ConfReq id=0x1 ]
Apr 20 23:41:04 capella pppd[1182]: sent [LCP ConfAck id=0x1 ]
Apr 20 23:41:07 capella pppd[1182]: rcvd [LCP ConfReq id=0x2 ]
Apr 20 23:41:07 capella pppd[1182]: sent [LCP ConfAck id=0x2 ]
Apr 20 23:41:07 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:10 capella pppd[1182]: rcvd [LCP ConfReq id=0x3 ]
Apr 20 23:41:10 capella pppd[1182]: sent [LCP ConfAck id=0x3 ]
Apr 20 23:41:10 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:13 capella pppd[1182]: rcvd [LCP ConfReq id=0x4 ]
Apr 20 23:41:13 capella pppd[1182]: sent [LCP ConfAck id=0x4 ]
Apr 20 23:41:13 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:16 capella pppd[1182]: rcvd [LCP ConfReq id=0x5 ]
Apr 20 23:41:16 capella pppd[1182]: sent [LCP ConfAck id=0x5 ]
Apr 20 23:41:16 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:19 capella pppd[1182]: rcvd [LCP ConfReq id=0x6 ]
Apr 20 23:41:19 capella pppd[1182]: sent [LCP ConfAck id=0x6 ]
Apr 20 23:41:19 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:20 capella pppd[1182]: rcvd [LCP TermReq id=0x7]
Apr 20 23:41:20 capella pppd[1182]: sent [LCP TermAck id=0x7]

Then the connection is terminated. Is this because I have enabled chapms and/or chapms-v2? (Because I couldn't) Anybody else encountered this problem?

-Daniel

From ALEXXX at teleline.es Sat Apr 21 10:28:29 2001
From: ALEXXX at teleline.es (javi)
Date: Sat, 21 Apr 2001 17:28:29 +0200
Subject: [pptp-server] (no subject)
Message-ID: <3AE1A71D.C978F487@teleline.es>

confirm 771363

From kaca at hongkong.com Sat Apr 21 12:13:01 2001
From: kaca at hongkong.com (kaca at hongkong.com)
Date: Sun, 22 Apr 2001 01:13:01 +0800 (CST)
Subject: [pptp-server] (no subject)
Message-ID: <9k989577988698.15370@mail2.hongkong.com>

I got the following messages from the log file after the VPN connection. What is it exactly? Did I do anything wrong?

CCP terminated by peer
LCP terminated by peer

---------------------------------------------
Thank you for using hongkong.com Email system

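The pppd trace in Daniel Buchmann's post above has a pattern that is easier to see once counted than read: the server's own `ConfReq id=0x1` goes out six times and is never answered with a ConfAck, ConfNak or ConfRej, while every ConfReq from the peer is acknowledged immediately, and it is the peer that finally sends the TermReq. The following is an added example, not code from the post or from pppd; it parses `sent`/`rcvd` lines of that form and reports unanswered requests per direction. The sample is a constructed subset of the lines above; the option list inside the brackets, which the archive stripped from the post, is not needed for this check.

```python
"""Check an LCP negotiation trace from pppd debug output.

Added example, not from the mailing-list post or from pppd. Reads pppd
'sent'/'rcvd' log lines and reports which ConfReq ids were never answered
with a ConfAck/ConfNak/ConfRej, how often each was retransmitted, and
which side sent the TermReq. Only direction, packet code and id are used.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the trace quoted in the post above.
SAMPLE_LOG = """\
Apr 20 23:41:04 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:04 capella pppd[1182]: rcvd [LCP ConfReq id=0x1 ]
Apr 20 23:41:04 capella pppd[1182]: sent [LCP ConfAck id=0x1 ]
Apr 20 23:41:07 capella pppd[1182]: rcvd [LCP ConfReq id=0x2 ]
Apr 20 23:41:07 capella pppd[1182]: sent [LCP ConfAck id=0x2 ]
Apr 20 23:41:07 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:10 capella pppd[1182]: rcvd [LCP ConfReq id=0x3 ]
Apr 20 23:41:10 capella pppd[1182]: sent [LCP ConfAck id=0x3 ]
Apr 20 23:41:10 capella pppd[1182]: sent [LCP ConfReq id=0x1 ]
Apr 20 23:41:20 capella pppd[1182]: rcvd [LCP TermReq id=0x7]
Apr 20 23:41:20 capella pppd[1182]: sent [LCP TermAck id=0x7]
"""

# direction, protocol, code, id; whatever follows the id is ignored.
LINE_RE = re.compile(r"\b(sent|rcvd) \[(\w+) (\w+) id=0x([0-9a-fA-F]+)")
RESPONSES = {"ConfAck", "ConfNak", "ConfRej"}


def analyse_lcp(text):
    """Summarise one LCP negotiation.

    Request ids are per direction: our sent ConfReq id=0x1 is answered by a
    rcvd ConfAck/Nak/Rej id=0x1, and the peer's rcvd ConfReq id=0x1 by a
    sent one, so the two id spaces are tracked separately.
    """
    local = defaultdict(lambda: {"sent": 0, "answer": None})
    peer = defaultdict(lambda: {"rcvd": 0, "answer": None})
    terminated_by = None
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        direction, proto, code, ident = m.groups()
        if proto != "LCP":
            continue
        ident = int(ident, 16)
        if code == "ConfReq":
            if direction == "sent":
                local[ident]["sent"] += 1
            else:
                peer[ident]["rcvd"] += 1
        elif code in RESPONSES:
            if direction == "rcvd":
                local[ident]["answer"] = code
            else:
                peer[ident]["answer"] = code
        elif code == "TermReq":
            terminated_by = "peer" if direction == "rcvd" else "local"
    return {
        # id -> number of times our request went out with no reply
        "local_unanswered": {i: v["sent"] for i, v in local.items()
                             if v["answer"] is None},
        # id -> number of times the peer's request arrived with no reply
        "peer_unanswered": {i: v["rcvd"] for i, v in peer.items()
                            if v["answer"] is None},
        "terminated_by": terminated_by,
    }


if __name__ == "__main__":
    print(analyse_lcp(SAMPLE_LOG))
```

On the sample the result is `local_unanswered == {1: 3}`, `peer_unanswered == {}` and `terminated_by == "peer"`: the peer never responded to the server's configuration request in either direction of acceptance or rejection. The check says nothing about which option caused that; it narrows the question to the contents of the server's ConfReq, which is what the full pppd debug line (with the bracketed options intact) would show.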
From lancel at terraserv.mine.nu Sat Apr 21 12:54:46 2001
From: lancel at terraserv.mine.nu (Lance Lorton)
Date: Sat, 21 Apr 2001 10:54:46 -0700
Subject: [pptp-server] Getting Win9x and Win2k both routing...
Message-ID: <000801c0ca8c$27a3eae0$0500a8c0@terra2k>

I am having trouble getting both win9x and Win2k to route once connected.

Win2k is easy: if I comment out mppe-40 and leave mppe-128 in the options file, routing works great. Win9x connects fine with 128bit encryption, but won't talk to anything on the local net.

Win95 clients have had the Dun 1.3 installed and Win9x have the 128bit Dial up networking patch. Win2k has the 128bit dial up networking patch.

Frustrating because I have a need for both types of clients to connect. Any ideas on getting both Win9x and Win2k to route with 128bit encryption?

My setup:
PPP 2.4.0 with the smbpw-mppe-stripdom-requiremppe.diff patch
Kernel 2.4.2 with the linux-2.4.0-openssl-0.9.6-mppe.patch
Poptop 1.1.2

My options file:

name terraserv
debug
noauth
proxyarp
+chap
+chapms
+chapms-v2
chapms-strip-domain
#mppe-40
mppe-128
mppe-stateless
require-chap
require-mppe
require-mppe-stateless
ms-dns 192.168.0.254
ms-wins 192.168.0.254

From chris at ceeriff.net Sat Apr 21 13:08:17 2001
From: chris at ceeriff.net (Chris Riffle)
Date: Sat, 21 Apr 2001 13:08:17 -0500
Subject: [pptp-server] REMOVE
Message-ID:

ANYBODY?
WHAT DO I NEED TO DO TO GET REMOVED FROM THIS LIST?
THANKS.

From charlieb at e-smith.com Sat Apr 21 13:20:25 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Sat, 21 Apr 2001 14:20:25 -0400 (EDT)
Subject: [pptp-server] REMOVE
In-Reply-To:
Message-ID:

On Sat, 21 Apr 2001, Chris Riffle wrote:

> ANYBODY?
> WHAT DO I NEED TO DO TO GET REMOVED FROM THIS LIST?

There is information about unsubscribing from the list attached to each message that comes from the list. You may need to view full mail headers to read it. When you find it, it'll look like this:

List-Unsubscribe: ,

And please - DON'T SHOUT. It's rude.

Charlie Brady charlieb at e-smith.com
http://www.e-smith.org (development) http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From berzerke at swbell.net Sat Apr 21 14:28:24 2001
From: berzerke at swbell.net (robert)
Date: Sat, 21 Apr 2001 14:28:24 -0500
Subject: [pptp-server] Getting Win9x and Win2k both routing...
In-Reply-To: <000801c0ca8c$27a3eae0$0500a8c0@terra2k>
References: <000801c0ca8c$27a3eae0$0500a8c0@terra2k>
Message-ID: <01042114282400.17197@linux>

I don't have W2K, so I can't test this myself, but try this option file (you can use a name rather than *):

name *
lock
mtu 1490
mru 1490
proxyarp
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-128
mppe-40
mppe-stateless

Let me know if it works. There are others who will have the same problem.

On Saturday 21 April 2001 12:54, Lance Lorton wrote:
> I am having trouble getting both win9x and Win2k to both route once
> connected.
>
> Win2k is easy if I comment out mppe-40 and leave mppe-128 in the options
> file, routing works great. Win9x connects fine with 128bit encryption, but
> won't talk to anything on the local net.
>
> Win95 clients have had the Dun 1.3 installed and Win9x have the 128bit Dial
> up networking patch. Win2k has the 128bit dial up networking patch.
>
> Frustrating because I have a need for both types of clients to connect.
> Any ideas on getting both Win9x and Win2k to route with 128bit encryption?
>
> My setup:
> PPP 2.4.0 with the smbpw-mppe-stripdom-requiremppe.diff patch
> Kernel 2.4.2 with the linux-2.4.0-openssl-0.9.6-mppe.patch
> Poptop 1.1.2
>
> My options file:
>
> name terraserv
> debug
> noauth
> proxyarp
> +chap
> +chapms
> +chapms-v2
> chapms-strip-domain
> #mppe-40
> mppe-128
> mppe-stateless
> require-chap
> require-mppe
> require-mppe-stateless
> ms-dns 192.168.0.254
> ms-wins 192.168.0.254

From JaminC at adapt-tele.com Sat Apr 21 16:59:00 2001
From: JaminC at adapt-tele.com (Jamin Collins)
Date: Sat, 21 Apr 2001 16:59:00 -0500
Subject: [pptp-server] REMOVE
Message-ID:

Follow the instructions you received when joining this list, just like any other.

Jamin

-----Original Message-----
From: Chris Riffle [mailto:chris at ceeriff.net]
Sent: Saturday, April 21, 2001 1:08 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] REMOVE

ANYBODY?
WHAT DO I NEED TO DO TO GET REMOVED FROM THIS LIST?
THANKS.

From JaminC at adapt-tele.com Sun Apr 22 10:04:32 2001
From: JaminC at adapt-tele.com (Jamin Collins)
Date: Sun, 22 Apr 2001 10:04:32 -0500
Subject: [pptp-server] SMP 2.2.14-5.0 Problem
Message-ID:

Silly question, but is anyone working on making PoPToP work on SMP machines? I don't have the foggiest where to begin with something like this.

Jamin W. Collins

-----Original Message-----
From: Michael St. Laurent [mailto:mikes at hartwellcorp.com]
Sent: Wednesday, April 18, 2001 5:57 PM
To: 'Mike McPherson'; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] SMP 2.2.14-5.0 Problem

I'm having the same problem with 1.1.2 on a Dual CPU system using kernel 2.2.17-14. Even running it with a single processor kernel didn't solve the issue.

--------------------
Michael St. Laurent
Hartwell Corporation

-----Original Message-----
From: Mike McPherson [mailto:mrp at hafatel.com]
Sent: Wednesday, April 18, 2001 3:50 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] SMP 2.2.14-5.0 Problem

Well after much grief and sorrow trying to install PoPToP 1.0.1... I can't get it to work stable on a Dual CPU machine. I loaded it on an older single cpu without a hitch. :(

##############?
print "\n Welcome to NEPP";$?=1;while ($?){
print "\n$?";$?++;if ($? == 1000) {
print "\n$?"."\nWell almost never ending :?";exit;}}
##############?

From angelbracket at yahoo.com Sun Apr 22 12:05:35 2001
From: angelbracket at yahoo.com (notgiven noteither)
Date: Sun, 22 Apr 2001 10:05:35 -0700 (PDT)
Subject: [pptp-server] updated redhad manual ?
Message-ID: <20010422170535.2347.qmail@web3001.mail.yahoo.com>

Hi,

I know there is a "how to/poptop" for redhat 6.0 on the poptop site, but is there someone who has noted down his installing procedure for a redhat 7/7.1 with the 2.4.2 kernel.
Especially important to detail:
- patching :
  - which patches
  - how to apply them on the kernel
- ipchains & iptables with poptop for these kernels
- forwarding incoming INnet-traffic to a lan-poptopserver.

If someone would have such a faq, pls let me know :)

mvg, SH.

From Postmaster at mail.edge.net Sun Apr 22 12:36:53 2001
From: Postmaster at mail.edge.net (Mail Administrator)
Date: Sun, 22 Apr 2001 12:36:53 -0500
Subject: [pptp-server] Mail System Error - Returned Mail
Message-ID: <20010422173653.AAA4987@mail.edge.net>

This Message was undeliverable due to the following reason:

Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 1 days.
Host [192.168.1.26] is not responding.

The following recipients did not receive your message:

Please reply to Postmaster at mail.edge.net if you feel this message to be in error.

From charlieb at e-smith.com Sun Apr 22 14:17:20 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Sun, 22 Apr 2001 15:17:20 -0400 (EDT)
Subject: [pptp-server] Patch: making stateful MPPE comply with draft-ietf-pppext-mppe-05.txt
Message-ID:

While investigating some problems I had with MPPE back around New Year, I found some places where the MPPE patches did not comply with the IETF drafts for the protocol.

From berzerke at swbell.net Sun Apr 22 18:33:48 2001
From: berzerke at swbell.net (robert)
Date: Sun, 22 Apr 2001 18:33:48 -0500
Subject: [pptp-server] updated redhad manual ?
In-Reply-To: <20010422170535.2347.qmail@web3001.mail.yahoo.com>
References: <20010422170535.2347.qmail@web3001.mail.yahoo.com>
Message-ID: <01042218334800.01083@linux>

There is the 2.4 kernel howto at http://home.swbell.net/berzerke

It's not Redhat specific, but it does cover the 2.4 kernels.

On Sunday 22 April 2001 12:05, notgiven noteither wrote:
> Hi,
>
> I know there is a "how to/poptop" for redhat 6.0
> on the poptop site, but is there someone who has noted
> down his installing procedure for a redhat 7/7.1 with
> the 2.4.2 kernel.
> Especially important to detail:
> - patching :
>   - which patches
>   - how to apply them on the kernel
> - ipchains & iptables with poptop for these kernels
> - forwarding incoming INnet-traffic to a lan-
> poptopserver.
>
> If someone would have such a faq, pls let me know
> :)
>
> mvg, SH.

From mikes at hartwellcorp.com Mon Apr 23 11:30:31 2001
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Mon, 23 Apr 2001 09:30:31 -0700
Subject: [pptp-server] SMP 2.2.14-5.0 Problem
Message-ID: <91A5926EFF44D3118B1200104B7276EB655004@hart-exchange.hartwellcorp.com>

Don't know, I've yet to see any response from any of the developers to any of the reports on the list.

--------------------
Michael St. Laurent
Hartwell Corporation

> -----Original Message-----
> From: Jamin Collins [mailto:JaminC at adapt-tele.com]
> Sent: Sunday, April 22, 2001 8:05 AM
> To: 'Michael St. Laurent'; 'Mike McPherson'; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] SMP 2.2.14-5.0 Problem
>
> Silly question, but is anyone working on making PoPToP work on SMP machines?
> I don't have the foggiest where to begin with something like this.
>
> Jamin W. Collins
>
> -----Original Message-----
> From: Michael St. Laurent [mailto:mikes at hartwellcorp.com]
> Sent: Wednesday, April 18, 2001 5:57 PM
> To: 'Mike McPherson'; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] SMP 2.2.14-5.0 Problem
>
> I'm having the same problem with 1.1.2 on a Dual CPU system using kernel
> 2.2.17-14. Even running it with a single processor kernel didn't solve the
> issue.
>
> --------------------
> Michael St. Laurent
> Hartwell Corporation
>
> -----Original Message-----
> From: Mike McPherson [mailto:mrp at hafatel.com]
> Sent: Wednesday, April 18, 2001 3:50 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] SMP 2.2.14-5.0 Problem
>
> Well after much grief and sorrow trying to install PoPToP 1.0.1...
> I can't get it to work stable on a Dual CPU machine.
> I loaded it on an older single cpu without a hitch.
> :(
>
> ##############?
> print "\n Welcome to NEPP";$?=1;while ($?){
> print "\n$?";$?++;if ($? == 1000) {
> print "\n$?"."\nWell almost never ending :?";exit;}}
> ##############?

From aviram-beyondsecurity-aviram-pptp at beyondsecurity.com Mon Apr 23 14:29:49 2001
From: aviram-beyondsecurity-aviram-pptp at beyondsecurity.com (Aviram Jenik)
Date: Mon, 23 Apr 2001 21:29:49 +0200
Subject: [pptp-server] netmask problem
Message-ID: <01e701c0cc2b$c3caed10$fe01a8c0@aviram>

Hi,

I installed pptpd from RPMs, and configured it with the common settings. However, when Windows clients connect, their netmask is set to 255.255.255.255. This, of course, makes it impossible for them to connect to hosts on the internal network.

I couldn't find any place to change this setting - only the IP address can be set. How can I fix this problem?

My configuration:
Redhat 7.0, pptpd-1.0.1-1, ppp-2.3.11-7.

/etc/pptpd.conf:
debug
localip 192.168.1.101-110
remoteip 192.168.1.111-120

TIA.
- Aviram

From giulioo at pobox.com Mon Apr 23 13:52:05 2001
From: giulioo at pobox.com (Giulio Orsero)
Date: Mon, 23 Apr 2001 20:52:05 +0200
Subject: [pptp-server] netmask problem
In-Reply-To: <01e701c0cc2b$c3caed10$fe01a8c0@aviram>
References: <01e701c0cc2b$c3caed10$fe01a8c0@aviram>
Message-ID: <20010423185401.74138165D4@i3.golden.dom>

On Mon, 23 Apr 2001 21:29:49 +0200, you wrote:

>I installed pptpd from RPMs, and configured it with the common settings.
>However, when Windows clients connect, their netmask is set to
>255.255.255.255. This, of course, makes it impossible for them to connect to
>hosts on the internal network.

Very likely 255.255.255.255 is the netmask you see for the pppX interface. The actual netmask used on the vpn by the win9x client is the one you see running winipcfg from windows (start, run, winipcfg).

--
giulioo at pobox.com

From Steve at SteveCowles.com Mon Apr 23 15:19:08 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Mon, 23 Apr 2001 15:19:08 -0500
Subject: [pptp-server] netmask problem
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE762@defiant.infohiiway.com>

> -----Original Message-----
> From: Aviram Jenik
> [mailto:aviram-beyondsecurity-aviram-pptp at beyondsecurity.com]
> Sent: Monday, April 23, 2001 2:30 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] netmask problem
>
> Hi,
>
> I installed pptpd from RPMs, and configured it with the
> common settings. However, when Windows clients connect,
> their netmask is set to 255.255.255.255. This, of course,
> makes it impossible for them to connect to hosts on the
> internal network.
>
> I couldn't find any place to change this setting - only the
> IP address can be set. How can I fix this problem?

Let's make sure we are comparing apples to apples here, i.e. a tunnel netmask vs. a LAN netmask. The netmask of the PPTP tunnel is *always* 255.255.255.255 (ppp0). Your windows client should also add an additional network route at its end. In your case, it should add a 192.168.1.0/255.255.255.0 route via the PPTP tunnel. Type "route print" on your windows client to verify after establishing your tunnel.

Also, make sure you have "proxyarp" listed in your /etc/ppp/options file so the other hosts on the LAN know how to route data back to the client via the PPTP server.

Steve Cowles

From mikes at hartwellcorp.com Mon Apr 23 15:43:33 2001
From: mikes at hartwellcorp.com (Michael St. Laurent) Date: Mon, 23 Apr 2001 13:43:33 -0700 Subject: [pptp-server] SMP 2.2.14-5.0 Problem Message-ID: <91A5926EFF44D3118B1200104B7276EB655006@hart-exchange.hartwellcorp.com> OK, it appears that poptop working for some but not for others on SMP machines. Perhaps we might find a pattern if we all reported to the list what versions and patches are being used and on what motherboard it is being run. I'll go first: Software: ----------------------------------------- PoPToP - 1.1.2 pppd - 2.3.11 Redhat - 7.0 Kernel - 2.2.17-14smp Patches: ----------------------------------------- MSChap-v2 & MPPE Encryption for 2.3.11 Require-MPPE Strip MS Domain Motherboard/Hardware: ----------------------------------------- Tyan Thunder 100 BIOS Rev - 1.18.02 Chipset - 440BX AGP Dual P-III 600MHz Katmai Let me know if I forgot anything important. -------------------- Michael St. Laurent Hartwell Corporation > -----Original Message----- > From: Zach Lowry [mailto:zlowry at home.com] > Sent: Monday, April 23, 2001 12:45 PM > To: 'Michael St. Laurent' > Subject: RE: [pptp-server] SMP 2.2.14-5.0 Problem > > > I've had it working with 2.2.16, 2.2.17-14RH, and the like. > Just followed > the directions, and it worked fine on my Dual PPro Machine. > > Zach > > -----Original Message----- > From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Michael St. > Laurent > Sent: Monday, April 23, 2001 11:31 AM > To: 'Jamin Collins'; Michael St. Laurent; 'Mike McPherson'; > pptp-server at lists.schulte.org > Subject: RE: [pptp-server] SMP 2.2.14-5.0 Problem > > > Don't know, I've yet to see any response from any of the > developers to any > of the reports on the list. > > > -------------------- > Michael St. Laurent > Hartwell Corporation > > > > -----Original Message----- 
> > From: Jamin Collins [mailto:JaminC at adapt-tele.com] > > Sent: Sunday, April 22, 2001 8:05 AM > > To: 'Michael St. Laurent'; 'Mike McPherson'; > > pptp-server at lists.schulte.org > > Subject: RE: [pptp-server] SMP 2.2.14-5.0 Problem > > > > > > Silly question, but is anyone working on making PoPToP work > > on SMP machines? > > I don't have the foggiest where to begin with something like this. > > > > Jamin W. Collins > > -----Original Message----- > > From: Michael St. Laurent [mailto:mikes at hartwellcorp.com] > > Sent: Wednesday, April 18, 2001 5:57 PM > > To: 'Mike McPherson'; pptp-server at lists.schulte.org > > Subject: RE: [pptp-server] SMP 2.2.14-5.0 Problem > > > > > > I'm having the same problem with 1.1.2 on a Dual CPU system > > using kernel > > 2.2.17-14. Even running it with a single processor kernel > > didn't solve the > > issue. > > > > > > > > -------------------- > > Michael St. Laurent > > Hartwell Corporation > > -----Original Message----- > > From: Mike McPherson [mailto:mrp at hafatel.com] > > Sent: Wednesday, April 18, 2001 3:50 PM > > To: pptp-server at lists.schulte.org > > Subject: [pptp-server] SMP 2.2.14-5.0 Problem > > > > > > Well after much grief and sorrow trying to install PoPToP 1.0.1... > > I can't get it to work stable on a Dual CPU machine. > > I loaded it on a older single cpu without a hitch. > > :( > > > > ##############? > > print "\n Welcome to NEPP";$?=1;while ($?){ > > print "\n$?";$?++;if ($? == 1000) { > > print "\n$?"."\nWell almost never ending :?";exit;}} > > ##############? > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > From charlieb at e-smith.com Mon Apr 23 16:28:03 2001 
From: charlieb at e-smith.com (Charlie Brady) Date: Mon, 23 Apr 2001 17:28:03 -0400 (EDT) Subject: [pptp-server] SMP 2.2.14-5.0 Problem In-Reply-To: <91A5926EFF44D3118B1200104B7276EB655006@hart-exchange.hartwellcorp.com> Message-ID: On Mon, 23 Apr 2001, Michael St. Laurent wrote: > OK, it appears that poptop is working for some but not for others on SMP > machines. Perhaps we might find a pattern if we all reported to the list > what versions and patches are being used and on what motherboard it is being > run. > > I'll go first: > > Software: > ----------------------------------------- > PoPToP - 1.1.2 > pppd - 2.3.11 > Redhat - 7.0 > Kernel - 2.2.17-14smp PoPToP - 1.1.2 pppd - 2.4.0 e-smith 4.1.2, which is based on Redhat - 7.0 Kernel - 2.2.16-22smp > Patches: > ----------------------------------------- > MSChap-v2 & MPPE Encryption for 2.3.11 > Require-MPPE > Strip MS Domain An smbpasswd patch My MPPE stateful patch You can all find ppp-2.4.0-11.{src,i386}.rpm on our ftp site, which builds/installs a suitably modified pppd and the supporting kernel modules. Rather than have a name clash with the existing ppp.o, this rpm includes a module named ppp-4mppe.o. In order for it to be loaded rather than the RedHat ppp.o, one needs an entry "alias ppp ppp-4mppe" in /etc/modules.conf. Based on my experience developing this RPM, the most likely problems you might have with SMP are getting the compile arguments just right when compiling kernel modules. Now, a development RFC. The only difference between ppp.o and ppp-4mppe.o is the maximum allowed size of the argument block sent to the kernel ppp module by ioctl calls. This is defined by CCP_MAX_OPTION_LENGTH, and is increased from 32 bytes to 64 bytes to allow MPPE keys to be communicated from the ppp daemon to the mppe kernel module.
If the communication protocol was changed so that a pointer to the key was sent, rather than the key itself, then people wouldn't need to replace their vendor's ppp.o module, they'd just add the ppp-mppe.o module, and replace pppd. The ppp-mppe.o module would need to take the pointer and copy the key from user to kernel space. Any objections? Anyone care to help me develop and test the changes? -- Charlie Brady charlieb at e-smith.com http://www.e-smith.org (development) http://www.e-smith.com (corporate) Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada From mikes at hartwellcorp.com Mon Apr 23 18:36:39 2001 From: mikes at hartwellcorp.com (Michael St. Laurent) Date: Mon, 23 Apr 2001 16:36:39 -0700 Subject: [pptp-server] SMP 2.2.14-5.0 Problem Message-ID: <91A5926EFF44D3118B1200104B7276EB65500E@hart-exchange.hartwellcorp.com> Charlie's probably right on the money with this one. I've downloaded the source RPMs from the e-smith site, modified the spec file to make it compile for the kernel version I have and then installed the results. I don't know if it has fixed the problem for certain as I usually only had a crash every few days or so but the fix "sounds right." If you wish to try the same thing you will also need to download and install the RPM for libsmbpw before the ppp-2.4.0-10 package will build. -------------------- Michael St. Laurent Hartwell Corporation > -----Original Message-----
> From: Charlie Brady [mailto:charlieb at e-smith.com] > Sent: Monday, April 23, 2001 2:28 PM > To: Michael St. Laurent > Cc: 'pptp-server at lists.schulte.org'; 'zlowry at home.com'; 'Mike > McPherson'; 'Jamin Collins'; 'Pete Starzewski' > Subject: RE: [pptp-server] SMP 2.2.14-5.0 Problem > > > > On Mon, 23 Apr 2001, Michael St. Laurent wrote: > > > OK, it appears that poptop is working for some but not for > others on SMP > > machines. Perhaps we might find a pattern if we all > reported to the list > > what versions and patches are being used and on what > motherboard it is being > > run. > > > > I'll go first: > > > > Software: > > ----------------------------------------- > > PoPToP - 1.1.2 > > pppd - 2.3.11 > > Redhat - 7.0 > > Kernel - 2.2.17-14smp > > PoPToP - 1.1.2 > pppd - 2.4.0 > e-smith 4.1.2, which is based on Redhat - 7.0 > Kernel - 2.2.16-22smp > > > Patches: > > ----------------------------------------- > > MSChap-v2 & MPPE Encryption for 2.3.11 > > Require-MPPE > > Strip MS Domain > > An smbpasswd patch > My MPPE stateful patch > > You can all find ppp-2.4.0-11.{src,i386}.rpm on our ftp site, which > builds/installs a suitably modified pppd and the supporting kernel > modules. Rather than have a name clash with the existing > ppp.o, this rpm > includes a module named ppp-4mppe.o. In order for it to be > loaded rather > than the RedHat ppp.o, one needs an entry "alias ppp ppp-4mppe" in > /etc/modules.conf. > > Based on my experience developing this RPM, the most likely > problems you > might have with SMP are getting the compile arguments just right when > compiling kernel modules. > > Now, a development RFC. The only difference between ppp.o and > ppp-4mppe.o > is the maximum allowed size of the argument block sent to the > kernel ppp > module by ioctl calls. This is defined by > CCP_MAX_OPTION_LENGTH, and is > increased from 32 bytes to 64 bytes to allow MPPE keys to be > communicated > from the ppp daemon to the mppe kernel module.
> > If the communication protocol was changed so that a pointer > to the key was > sent, rather than the key itself, then people wouldn't need to replace > their vendor's ppp.o module, they'd just add the ppp-mppe.o > module, and > replace pppd. The ppp-mppe.o module would need to take the pointer and > copy the key from user to kernel space. > > Any objections? Anyone care to help me develop and test the changes? > > -- > > Charlie Brady charlieb at e-smith.com > http://www.e-smith.org (development) http://www.e-smith.com (corporate) Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From charlieb at e-smith.com Mon Apr 23 19:23:44 2001 
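Charlie Brady's RFC, quoted in full in the message above, contrasts two ways of getting MPPE key material from pppd into the kernel module: a fixed-size ioctl argument block bounded by CCP_MAX_OPTION_LENGTH (which is why the stock ppp.o has to be swapped for one built with 64 bytes), or a pointer plus a length that the module copies from user space itself. The following added example (not code from pppd, ppp.o or the e-smith RPM) models both designs in plain user-space C so that it compiles and runs anywhere. The struct layouts, the 34-byte option payload, the 4096-byte user buffer and the copy_from_user() stand-in are assumptions made for the illustration; the real kernel interface is not reproduced.

```c
/* Added example; a user-space model of the two ioctl designs in the RFC,
 * not code from pppd, ppp.o or ppp-4mppe.o.  Layouts and sizes are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CCP_MAX_OPTION_LENGTH_STOCK 32   /* limit compiled into vendor ppp.o */
#define CCP_MAX_OPTION_LENGTH_MPPE  64   /* limit compiled into ppp-4mppe.o */
#define MPPE_PAYLOAD_LEN 34   /* assumed: 2-octet header + 16-byte send and receive keys */

/* Design A: the whole option block travels inside the ioctl argument, so its
 * size is fixed at module compile time. */
struct ccp_option_block {
    uint32_t length;
    uint8_t  data[CCP_MAX_OPTION_LENGTH_MPPE];
};

static uint8_t kernel_option_copy[CCP_MAX_OPTION_LENGTH_MPPE];

/* Kernel side of design A: 0 if the block fits the module's maximum, -1 if
 * not.  A module built with the stock value rejects anything over 32 bytes. */
int ccp_set_option_inline(const struct ccp_option_block *blk, size_t module_max)
{
    if (blk == NULL || blk->length > module_max ||
        blk->length > sizeof kernel_option_copy)
        return -1;
    memcpy(kernel_option_copy, blk->data, blk->length);
    return 0;
}

/* Build a block carrying payload_len constructed bytes and submit it. */
int inline_block_fits(size_t payload_len, size_t module_max)
{
    struct ccp_option_block blk;
    if (payload_len > sizeof blk.data)
        return -1;
    memset(&blk, 0, sizeof blk);
    blk.length = (uint32_t)payload_len;
    memset(blk.data, 0xAB, payload_len);   /* constructed dummy key bytes */
    return ccp_set_option_inline(&blk, module_max);
}

/* Design B: the argument is a fixed-size reference and the kernel copies the
 * key bytes itself.  The argument block no longer grows with the key, but
 * both fields are caller-controlled and must be validated before any copy. */
struct ccp_key_ref {
    const uint8_t *user_ptr;
    uint32_t       length;
};

/* Stand-in for copy_from_user(): fails on a NULL source, otherwise copies. */
static int fake_copy_from_user(void *dst, const void *src, size_t n)
{
    if (src == NULL)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Kernel side of design B.  The length check is the security-relevant line:
 * without it a large caller-supplied length overruns key_buf. */
int ccp_set_key_by_ref(const struct ccp_key_ref *req, uint8_t *key_buf, size_t key_buf_len)
{
    if (req == NULL || req->length == 0 || req->length > key_buf_len)
        return -1;
    return fake_copy_from_user(key_buf, req->user_ptr, req->length);
}

/* Submit a reference with a claimed length (optionally a NULL pointer) against
 * a 64-byte kernel key buffer and return the kernel side's verdict. */
int key_ref_verdict(uint32_t claimed_len, int null_pointer)
{
    static uint8_t user_key[4096];          /* constructed user-space buffer */
    uint8_t kernel_key[CCP_MAX_OPTION_LENGTH_MPPE];
    struct ccp_key_ref req;
    memset(user_key, 0xCD, sizeof user_key);
    req.user_ptr = null_pointer ? NULL : user_key;
    req.length = claimed_len;
    return ccp_set_key_by_ref(&req, kernel_key, sizeof kernel_key);
}

int main(void)
{
    printf("34-byte option, 32-byte module: %s\n",
           inline_block_fits(MPPE_PAYLOAD_LEN, CCP_MAX_OPTION_LENGTH_STOCK) == 0 ? "accepted" : "rejected");
    printf("34-byte option, 64-byte module: %s\n",
           inline_block_fits(MPPE_PAYLOAD_LEN, CCP_MAX_OPTION_LENGTH_MPPE) == 0 ? "accepted" : "rejected");
    printf("key by reference, length 32:    %s\n", key_ref_verdict(32, 0) == 0 ? "accepted" : "rejected");
    printf("key by reference, length 4096:  %s\n", key_ref_verdict(4096, 0) == 0 ? "accepted" : "rejected");
    printf("key by reference, NULL pointer: %s\n", key_ref_verdict(32, 1) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Design B removes the need to rebuild the vendor module, but it moves the size question into the module: the user-supplied length has to be checked against the kernel buffer before the copy, and the pointer has to go through the proper user-space copy routine rather than being dereferenced directly.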
From: charlieb at e-smith.com (Charlie Brady) Date: Mon, 23 Apr 2001 20:23:44 -0400 (EDT) Subject: [pptp-server] SMP 2.2.14-5.0 Problem In-Reply-To: <91A5926EFF44D3118B1200104B7276EB65500E@hart-exchange.hartwellcorp.com> Message-ID: On Mon, 23 Apr 2001, Michael St. Laurent wrote: > Charlie's probably right on the money with this one. [...] > I don't know if it has fixed the problem for certain as I usually only > had a crash every few days or so but the fix "sounds right." I can't make any claim to have fixed your problem. I thought you just couldn't run it on an SMP machine - which can happen for all sorts of reasons, but most obviously if the compiled symbols don't match the requirements of the kernel. A crash every few days is another thing entirely. The MPPE protocol responds pretty badly to lost and out of order packets. PPP will also drop connections if the right responses don't arrive in time. BTW, what do you call "a crash"? Charlie Brady charlieb at e-smith.com http://www.e-smith.org (development) http://www.e-smith.com (corporate) Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada From tim.wilfong at aubeta.net Mon Apr 23 21:13:26 2001 
From: tim.wilfong at aubeta.net (Tim Wilfong) Date: Mon, 23 Apr 2001 19:13:26 -0700 Subject: [pptp-server] Using PoPToP in conjunction with L2TP and a PPP concentrator Message-ID: <944CCDEB4CCAD411A0FA0090278D39EB05F508@localhost> Has anyone tried using PoPToP to terminate the PPP session somewhere other than the server that PoPToP is running on? i.e. It is feasible to take the PPP session and send it out an L2TP tunnel to a PPP concentrator, so that the user that is using PPTP to "dial-in" looks just like users dialing into that dial-up server. Has anyone tried experimenting with this? It seems that PoPToP already sends the PPP sessions to a separate PPP daemon to handle the termination of the PPP session, so it would be a matter of modifying an L2TP (or PPPoE, for that matter) client to take these sessions and tunnel them to a PPP concentrator. If this could be set up, then a Linux server running PoPToP could be used as a tunnel switcher to allow legacy PPTP clients to access an L2TP-based VPN server, thus allowing easier migration to an L2TP-based VPN solution. (Of course, there are many security implications from this, but let's ignore those for now.) -- Tim Wilfong From josh.howlett at bristol.ac.uk Tue Apr 24 03:57:03 2001 From: josh.howlett at bristol.ac.uk (Josh Howlett) Date: Tue, 24 Apr 2001 09:57:03 +0100 Subject: [pptp-server] mppe working In-Reply-To: References: Message-ID: For anyone who's having trouble with MPPE on 2.4.x and ppp-2.4.x, I recommend you try Thijs Eilander's patches to ppp-2.3.11 and linux 2.2.17 - it works perfectly! ftp://ftp.paranoid.nl/linux/pptpd/ Thanks Thijs! ------------------- Josh Howlett, Network Supervisor, Networking and Digital Communications, Information Services. j.f.howlett at bris.ac.uk | 0117 9546895 From tobias at extenda.se Tue Apr 24 06:33:29 2001
From: tobias at extenda.se (Tobias Bengtsson) Date: Tue, 24 Apr 2001 13:33:29 +0200 Subject: [pptp-server] PoPToP and stability Message-ID: <1F707ED4E8F5CA41BB3D0C4E8CA4182E15CA7C@extenda-nt4.extenda.local> Hi, I was wondering if anyone has gotten their pptpd server to work flawlessly, that is -- file copy operations and everything works. On my server (or client) I get lockups so I have to disconnect and reconnect when I try to copy a file... PPPD: 2.3.8 PPPTPD: 1.0.1 Kernel: Linux-2.2.18 With Best Regards Tobias From adam at morrison-ind.com Tue Apr 24 08:53:44 2001 From: adam at morrison-ind.com (Adam Tauno Williams) Date: Tue, 24 Apr 2001 09:53:44 -0400 (EDT) Subject: [pptp-server] PoPToP and stability In-Reply-To: <1F707ED4E8F5CA41BB3D0C4E8CA4182E15CA7C@extenda-nt4.extenda.local> References: <1F707ED4E8F5CA41BB3D0C4E8CA4182E15CA7C@extenda-nt4.extenda.local> Message-ID: <988120424.3ae5856809741@barracuda> >Hi, I was wondering if anyone has gotten their pptpd server to work >flawlessly, that is -- file copy operations and everything works. On my >server (or client) I get lockups so I have to disconnect and reconnect >when I try to copy a file... >PPPD: 2.3.8 >PPPTPD: 1.0.1 >Kernel: Linux-2.2.18 Is this a uni or SMP box? I use Linux 2.4.3, pppd 2.4.1b2, and pptp 1.0.2 on a dual P2-300 and have much the same problem, but it worked better under 2.2.18. I can hardly move any data since upgrading to 2.4.3. I know it isn't the network because I can run NT4sp6 in VMware on this box and establish a PPTP connection that works great. The PPTP server is on a Linux box and works great for windows users, haven't touched it in months, but the PPTP linux clients don't work well at all (for me anyway). Systems and Network Administrator Morrison Industries 1825 Monroe Ave NW. Grand Rapids, MI. 49505 From tobias at extenda.se Tue Apr 24 09:04:44 2001
From: tobias at extenda.se (Tobias Bengtsson) Date: Tue, 24 Apr 2001 16:04:44 +0200 Subject: SV: [pptp-server] PoPToP and stability Message-ID: <1F707ED4E8F5CA41BB3D0C4E8CA4182E15CA7F@extenda-nt4.extenda.local> It's a uni, I have some problems with the 2.4.x kernel on my other boxes as well, when I ssh to it it just hangs for a while sometimes, I have heard from friends that they have the same problem though.. must be a 2.4.x bug :/ I will upgrade my pppd/pptpd later on to see if the problem persists. So you use an SMP box, how many users are using VPN? When it comes to load on the server I have no clue what it takes to run a pptpd server... // Tobias -----Original Message----- From: Adam Tauno Williams [mailto:adam at morrison-ind.com] Sent: 24 April 2001 15:54 To: pptp-server at lists.schulte.org Subject: Re: [pptp-server] PoPToP and stability >Hi, I was wondering if anyone has gotten their pptpd server to work >flawlessly, that is -- file copy operations and everything works. On my >server (or client) I get lockups so I have to disconnect and reconnect >when I try to copy a file... >PPPD: 2.3.8 >PPPTPD: 1.0.1 >Kernel: Linux-2.2.18 Is this a uni or SMP box? I use Linux 2.4.3, pppd 2.4.1b2, and pptp 1.0.2 on a dual P2-300 and have much the same problem, but it worked better under 2.2.18. I can hardly move any data since upgrading to 2.4.3. I know it isn't the network because I can run NT4sp6 in VMware on this box and establish a PPTP connection that works great. The PPTP server is on a Linux box and works great for windows users, haven't touched it in months, but the PPTP linux clients don't work well at all (for me anyway). Systems and Network Administrator Morrison Industries 1825 Monroe Ave NW. Grand Rapids, MI. 49505 _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com!
From adam at morrison-ind.com Tue Apr 24 09:25:13 2001 From: adam at morrison-ind.com (Adam Tauno Williams) Date: Tue, 24 Apr 2001 10:25:13 -0400 (EDT) Subject: [pptp-server] Re: PoPToP and stability In-Reply-To: <1F707ED4E8F5CA41BB3D0C4E8CA4182E15CA7F@extenda-nt4.extenda.local> References: <1F707ED4E8F5CA41BB3D0C4E8CA4182E15CA7F@extenda-nt4.extenda.local> Message-ID: <988122313.3ae58cc9abe82@barracuda> >It's a uni, I have some problems with the 2.4.x kernel on my other >boxes as well, when I ssh to it it just hangs for a while sometimes, I have >heard from friends that they have the same problem though.. must be a 2.4.x >bug :/ Haven't had any other network issues with 2.4.x other than with PPTP. The 2.4.x supports seven LTSP X/Helix GNOME workstations so I know that networking is otherwise pretty solid (the NIC hardly drops below 3M/sec ever, and spikes a lot higher). >I will upgrade my pppd/pptpd later on to see if the problem persists. >So you use an SMP box, how many users are using VPN? The SMP box is the PPTP client. And is definitely where the problem is. The PopTop server is an IBM PS/2 Value point with a 33MHz 386 and 20Mb of RAM. Hums along happily with 4~7 VPN users, and at this point has 407 days of uptime. It sits on the end of a T1 and Cisco 1600R router. >when it comes to load on the server I have no clue what it takes to run >a pptpd server... Almost nothing. From vgill at technologist.com Tue Apr 24 10:33:27 2001
From: vgill at technologist.com (Gill, Vern) Date: Tue, 24 Apr 2001 08:33:27 -0700 Subject: [pptp-server] mppe working Message-ID: <8D043DEA73DFD411958A00A0C90AB760045AF7@ftp.gillnet.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 For anyone who's having trouble with MPPE on 2.4.x and ppp-2.4.x, I suggest you visit my site at http://linus.yi.org, and click on the PPP page. I have had pptpd running under kernel 2.4 and ppp 2.4 for months now. I even have a combined patch on my site which includes the following features; mppe strip ms domain use smbpasswd for auth require mppe Check it out... - -----Original Message----- From: Josh Howlett [mailto:josh.howlett at bristol.ac.uk] Sent: Tuesday, April 24, 2001 1:57 AM To: pptp-server Subject: [pptp-server] mppe working For anyone who's having trouble with MPPE on 2.4.x and ppp-2.4.x, I recommend you try Thijs Eilander's patches to ppp-2.3.11 and linux 2.2.17 - it works perfectly! ftp://ftp.paranoid.nl/linux/pptpd/ Thanks Thijs! - ------------------- Josh Howlett, Network Supervisor, Networking and Digital Communications, Information Services. j.f.howlett at bris.ac.uk | 0117 9546895 _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use iQA/AwUBOuWcjBeamMdwy9TXEQJx+QCg8mE/17iIzJTkjMW62JvYp7dK9C8AnjrI 7j+L40xBl9EPxICZ3Q+aR1yn =4F7N -----END PGP SIGNATURE----- From ctresco at economics.mit.edu Tue Apr 24 11:45:40 2001 
From: ctresco at economics.mit.edu (Christopher Tresco) Date: Tue, 24 Apr 2001 12:45:40 -0400 Subject: [pptp-server] Re: PoPToP and stability In-Reply-To: <988122313.3ae58cc9abe82@barracuda> Message-ID: I have had the exact same problem on an SMP box. If pptpd is running, then the box will randomly stop responding on the network. Normally, if I keep some other machine pinging the box, this won't happen. When it does, it usually fixes itself within a few minutes. > -----Original Message-----
> From: pptp-server-admin at lists.schulte.org > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Adam Tauno > Williams > Sent: Tuesday, April 24, 2001 10:25 AM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] Re: PoPToP and stability > > > >It's a uni, I have some problems with the 2.4.x kernel on my other > >boxes as well, when I ssh to it it just hangs for a while > sometimes, I have > >heard from friends that they have the same problem though.. must > be a 2.4.x > >bug :/ > > Haven't had any other network issues with 2.4.x other than with > PPTP. The 2.4.x > supports seven LTSP X/Helix GNOME workstations so I know that > networking is > otherwise pretty solid (the NIC hardly drops below 3M/sec ever, > and spikes a lot > higher). > > >I will upgrade my pppd/pptpd later on to see if the problem persists. > >So you use an SMP box, how many users are using VPN? > > The SMP box is the PPTP client. And is definitely where the problem is. > > The PopTop server is an IBM PS/2 Value point with a 33MHz 386 and > 20Mb of RAM. > Hums along happily with 4~7 VPN users, and at this point has 407 days of > uptime. It sits on the end of a T1 and Cisco 1600R router. > > >when it comes to load on the server I have no clue what it takes to run > >a pptpd server... > > Almost nothing. > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > > From Tbenson at associatedbp.com Tue Apr 24 14:02:01 2001 From: Tbenson at associatedbp.com (Trevor Benson) Date: Tue, 24 Apr 2001 12:02:01 -0700 Subject: FW: [pptp-server] Using PoPToP in conjunction with L2TP and a PPP concentrator Message-ID: <378253B6F337D411BB0B009027C3F0432CE61F@EMAILSERVER> Thanks, Trevor -----Original Message-----
From: Trevor Benson Sent: Tuesday, April 24, 2001 12:01 PM To: 'Tim Wilfong' Subject: RE: [pptp-server] Using PoPToP in conjunction with L2TP and a PPP concentrator Tim, I may be completely wrong on this. But it sounds like you're talking about taking a 'tunnel' and then moving the ppp connection elsewhere. The tunnel is being created by the ppp connection, and then pptp tunneled inside it. So in essence I think you would be adding another ppp, not rerouting it. Since ppp is required for the tunnel to initiate, I don't think you could just reroute to a concentrator, since the tunnel you are referring to has to be created prior to routing on internal LAN. Like I said, I might have misread your question, or not have the full grasp of PoPToP, but I think that's accurate for what you're asking. Thanks, Trevor -----Original Message-----
From: Tim Wilfong [mailto:tim.wilfong at aubeta.net] Sent: Monday, April 23, 2001 7:13 PM To: 'pptp-server at lists.schulte.org' Subject: [pptp-server] Using PoPToP in conjunction with L2TP and a PPP concentrator Has anyone tried using PoPToP to terminate the PPP session somewhere other than the server that PoPToP is running on? i.e. It is feasible to take the PPP session and send it out an L2TP tunnel to a PPP concentrator, so that the user that is using PPTP to "dial-in" looks just like users dialing into that dial-up server. Has anyone tried experimenting with this? It seems that PoPToP already sends the PPP sessions to a separate PPP daemon to handle the termination of the PPP session, so it would be a matter of modifying an L2TP (or PPPoE, for that matter) client to take these sessions and tunnel them to a PPP concentrator. If this could be set up, then a Linux server running PoPToP could be used as a tunnel switcher to allow legacy PPTP clients to access an L2TP-based VPN server, thus allowing easier migration to an L2TP-based VPN solution. (Of course, there are many security implications from this, but let's ignore those for now.) -- Tim Wilfong _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From Tbenson at associatedbp.com Tue Apr 24 14:02:10 2001 From: Tbenson at associatedbp.com (Trevor Benson) Date: Tue, 24 Apr 2001 12:02:10 -0700 Subject: FW: [pptp-server] PoPToP and stability Message-ID: <378253B6F337D411BB0B009027C3F0432CE620@EMAILSERVER> Thanks, Trevor -----Original Message-----
From: Trevor Benson Sent: Tuesday, April 24, 2001 11:52 AM To: 'Tobias Bengtsson' Subject: RE: [pptp-server] PoPToP and stability When it comes to load on the server, I wouldn't worry too much. VPN is basically advanced routing, and I have used a 486 to compare when configured right against commercial routers. I used a pptpd server running on an HP Vectra 500, with 32 MB of RAM, and this machine FLEW, was never busy, and didn't have many problems routing. All these do is pass packets back and forth, most never stop on the local system unless you configure other services on the VPN server. I am sort of confused why anyone would move their VPN server to SMP when cisco uses processor chips that don't even match up to Pentiums, and have less memory, but cutting the 'little' overhead linux adds as an OS move like lightning. Therefore a Pentium 100-200 with 16-32MB RAM should run without a hitch. Mine connected over 20 concurrent connections and I was working on it the whole time, never saw a problem when it came to performance that would ever make me spend the money on a dual processor system for the VPN firewall. What reasons is everyone moving to SMP for these anyway? I assume you must be using this box for more than just VPN to spend money for something with that kind of processing power? Trevor -----Original Message-----
From: Tobias Bengtsson [mailto:tobias at extenda.se] Sent: Tuesday, April 24, 2001 7:05 AM To: pptp-server at lists.schulte.org Subject: SV: [pptp-server] PoPToP and stability It's a uni, I have some problems with the 2.4.x kernel on my other boxes as well, when I ssh to it it just hangs for a while sometimes, I have heard from friends that they have the same problem though.. must be a 2.4.x bug :/ I will upgrade my pppd/pptpd later on to see if the problem persists. So you use an SMP box, how many users are using VPN? When it comes to load on the server I have no clue what it takes to run a pptpd server... // Tobias -----Original Message----- From: Adam Tauno Williams [mailto:adam at morrison-ind.com] Sent: 24 April 2001 15:54 To: pptp-server at lists.schulte.org Subject: Re: [pptp-server] PoPToP and stability >Hi, I was wondering if anyone has gotten their pptpd server to work >flawlessly, that is-file copy operations and everything works. On my >server (or client) I get lockups so I have to disconnect and reconnect >when I try to copy a file... >PPPD: 2.3.8 >PPPTPD: 1.0.1 >Kernel: Linux-2.2.18 Is this a uni or SMP box? I use Linux 2.4.3, pppd 2.4.1b2, and pptp 1.0.2 on a dual P2-300 and have much the same problem, but it worked better under 2.2.18. I can hardly move any data since upgrading to 2.4.3. I know it isn't the network because I can run NT4sp6 in VMware on this box and establish a PPTP connection that works great. The PPTP server is on a Linux box and works great for windows users, haven't touched it in months, but the PPTP linux clients don't work well at all (for me anyway). Systems and Network Administrator Morrison Industries 1825 Monroe Ave NW. Grand Rapids, MI. 49505 _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com!
_______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From walterm at Gliatech.com Tue Apr 24 14:27:58 2001 From: walterm at Gliatech.com (Michael Walter) Date: Tue, 24 Apr 2001 15:27:58 -0400 Subject: [pptp-server] PoPToP and stability Message-ID: Personally... Trend Interscan Viruswall, or for that matter any virus scanning software for the internet gateway will up the bar on gateway system configurations. Although you would still have to have a lot of users to require dual processors. (I am currently in the process of downgrading our corporate firewall, so I can re-dedicate the server, first time I have ever had a need to downgrade anything in my career ;) ) Thanks, Michael J. Walter rhce mcdba mcse+i a+ Network Administrator Gliatech, Inc. 23420 Commerce Park Rd. Beachwood, Ohio 44122 Tel: (216) 831-3200 Email: walterm at gliatech.com -----Original Message----- From: Trevor Benson [mailto:Tbenson at associatedbp.com] Sent: Tuesday, April 24, 2001 3:02 PM To: PoPToP Server Mail list (E-mail) Subject: FW: [pptp-server] PoPToP and stability Thanks, Trevor -----Original Message----- 
From: Trevor Benson Sent: Tuesday, April 24, 2001 11:52 AM To: 'Tobias Bengtsson' Subject: RE: [pptp-server] PoPToP and stability When it comes to load on the server, I wouldn't worry too much. VPN is basically advanced routing, and I have used a 486 to compare when configured right against commercial routers. I used a pptpd server running on an HP Vectra 500, with 32 MB of RAM, and this machine FLEW, was never busy, and didn't have many problems routing. All these do is pass packets back and forth, most never stop on the local system unless you configure other services on the VPN server. I am sort of confused why anyone would move their VPN server to SMP when cisco uses processor chips that don't even match up to Pentiums, and have less memory, but cutting the 'little' overhead linux adds as an OS move like lightning. Therefore a Pentium 100-200 with 16-32MB RAM should run without a hitch. Mine connected over 20 concurrent connections and I was working on it the whole time, never saw a problem when it came to performance that would ever make me spend the money on a dual processor system for the VPN firewall. What reasons is everyone moving to SMP for these anyway? I assume you must be using this box for more than just VPN to spend money for something with that kind of processing power? Trevor -----Original Message-----
From: Tobias Bengtsson [mailto:tobias at extenda.se] Sent: Tuesday, April 24, 2001 7:05 AM To: pptp-server at lists.schulte.org Subject: SV: [pptp-server] PoPToP and stability It's a uni, I have some problems with the 2.4.x kernel on my other boxes as well, when I ssh to it it just hangs for a while sometimes, I have heard from friends that they have the same problem though.. must be a 2.4.x bug :/ I will upgrade my pppd/pptpd later on to see if the problem persists. So you use an SMP box, how many users are using VPN? When it comes to load on the server I have no clue what it takes to run a pptpd server... // Tobias -----Original Message----- From: Adam Tauno Williams [mailto:adam at morrison-ind.com] Sent: 24 April 2001 15:54 To: pptp-server at lists.schulte.org Subject: Re: [pptp-server] PoPToP and stability >Hi, I was wondering if anyone has gotten their pptpd server to work >flawlessly, that is-file copy operations and everything works. On my >server (or client) I get lockups so I have to disconnect and reconnect >when I try to copy a file... >PPPD: 2.3.8 >PPPTPD: 1.0.1 >Kernel: Linux-2.2.18 Is this a uni or SMP box? I use Linux 2.4.3, pppd 2.4.1b2, and pptp 1.0.2 on a dual P2-300 and have much the same problem, but it worked better under 2.2.18. I can hardly move any data since upgrading to 2.4.3. I know it isn't the network because I can run NT4sp6 in VMware on this box and establish a PPTP connection that works great. The PPTP server is on a Linux box and works great for windows users, haven't touched it in months, but the PPTP linux clients don't work well at all (for me anyway). Systems and Network Administrator Morrison Industries 1825 Monroe Ave NW. Grand Rapids, MI. 49505 _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com!
From jahall at nea.org Tue Apr 24 15:03:15 2001
From: jahall at nea.org (jahall at nea.org) Date: Tue, 24 Apr 2001 15:03:15 CDT Subject: [pptp-server] Compiling 2.2.14 kernel with patches Message-ID: I am trying to compile my RedHat 6.2 2.2.14 kernel with VPN support to connect to our corporate VPN. After applying the patches from ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html, when I try to compile the kernel, I receive the following messages: ip_masq_pptp.c: In function `ip_masq_gre': ip_masq_pptp.c:464: warning: passing arg 1 of `ip_masq_select_addr' from incompatible pointer type ip_masq_pptp.c:464: warning: passing arg 2 of `ip_masq_select_addr' makes integer from pointer without a cast ip_masq_pptp.c:464: too few arguments to function `ip_masq_select_addr' ip_masq_pptp.c: In function `printk_pptp_hdr': ip_masq_pptp.c:671: warning: long unsigned int format, unsigned int arg (arg 4) make[3]: *** [ip_masq_pptp.o] Error 1 make[3]: Leaving directory `/usr/src/linux-2.2.14/net/ipv4' make[2]: *** [first_rule] Error 2 make[2]: Leaving directory `/usr/src/linux-2.2.14/net/ipv4' make[1]: *** [_subdir_ipv4] Error 2 make[1]: Leaving directory `/usr/src/linux-2.2.14/net' make: *** [_dir_net] Error 2 Any ideas what I have missed? Thanks in advance for your assistance. Jay ******************************************************************* Only the individual sender is responsible for the content of the message, and the message does not necessarily reflect the position or policy of the National Education Association or its affiliates. From tim.wilfong at aubeta.net Tue Apr 24 15:46:13 2001
From: tim.wilfong at aubeta.net (Tim Wilfong) Date: Tue, 24 Apr 2001 13:46:13 -0700 Subject: [pptp-server] Using PoPToP in conjunction with L2TP and a PPP concentrator Message-ID: <944CCDEB4CCAD411A0FA0090278D39EB05F511@localhost> I know fairly well how L2TP works, but haven't been able to get enough info on PPTP to know that protocol as well (can't seem to find the RFC anywhere.) I assume PPTP works similarly to L2TP, though. With L2TP, a PPP session is encapsulated inside an L2TP tunnel -- thus, at the termination point of the tunnel, once you strip away the L2TP encapsulation, you now have a PPP session, which you can either terminate, or send through another tunnel to be terminated elsewhere. My understanding of PPTP is that it works similarly, but, again, I might be mistaken. Do you know where I might find the RFC for PPTP? (All pointers to it on the PoPToP site are bad.) -Tim -----Original Message----- From: Trevor Benson [mailto:Tbenson at associatedbp.com] Sent: Tuesday, April 24, 2001 12:01 PM To: 'Tim Wilfong' Subject: RE: [pptp-server] Using PoPToP in conjunction with L2TP and a PPP concentrator Tim, I may be completely wrong on this. But it sounds like you're talking about taking a 'tunnel' and then moving the ppp connection elsewhere. The tunnel is being created by the ppp connection, and then pptp tunneled inside it. So in essence I think you would be adding another ppp, not rerouting it. Since ppp is required for the tunnel to initiate, I don't think you could just reroute to a concentrator, since the tunnel you are referring to has to be created prior to routing on internal LAN. Like I said, I might have misread your question, or not have the full grasp of PoPToP, but I think that's accurate for what you're asking. Thanks, Trevor -----Original Message-----
From: Tim Wilfong [mailto:tim.wilfong at aubeta.net] Sent: Monday, April 23, 2001 7:13 PM To: 'pptp-server at lists.schulte.org' Subject: [pptp-server] Using PoPToP in conjunction with L2TP and a PPP concentrator Has anyone tried using PoPToP to terminate the PPP session somewhere other than the server that PoPToP is running on. i.e. It is feasible to take the PPP session and send it out an L2TP tunnel to a PPP concentrator, so that the user that is using PPTP to "dial-in" looks just like users dialing into that dial-up server. Has anyone tried experimenting with this? It seems that PoPToP already sends the PPP sessions to a separate PPP daemon to handle the termination of the PPP session, so it would be a matter of modifying an L2TP (or PPPoE, for that matter) client to take these sessions and tunnel them to a PPP concentrator. If this could be set up, then a Linux server running PoPToP could be used as a tunnel switcher to allow legacy PPTP clients to access an L2TP-based VPN server, thus allowing easier migration to an L2TP-based VPN solution. (Of course, there are many security implications from this, but let's ignore those for now.) -- Tim Wilfong _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From lists at earthling.2y.net Tue Apr 24 18:34:53 2001
From: lists at earthling.2y.net (Justin Kreger) Date: Tue, 24 Apr 2001 19:34:53 -0400 (EDT) Subject: [pptp-server] I'm back!!! Message-ID: Well... I got a new job, and started it, and guess what my new boss wants... pppd to use a NT server for Authentication..... Since i have been out of the loop for a few months, has anybody gotten around to writing some code to achieve this? Or am I going to have to dig around through my old email to find suggestions from the samba-tng ppl on the subject of authentication over a network..... Justin Kreger, MCP MCSE CCNA jkreger at earthling.2y.net jwkreger at uncg.edu From kennyjohn at tesco.net Wed Apr 25 03:55:27 2001 From: kennyjohn at tesco.net (Ken John) Date: Wed, 25 Apr 2001 09:55:27 +0100 Subject: [pptp-server] VPN Software for a MSc project Message-ID: <003c01c0cd65$7a21cb80$02468cd4@doreen> Hello everyone - I wonder if you can help me ? I am in the process of completing my Master of Science (e-Commerce) degree at the University of Wales and currently planning my final research project. This will include design and implementation of a Virtual Private Network with only 3 or 4 remote clients and a central server, probably all running Linux. The business is a prototype for a web based fast-food delivery service and is based on an SQL Server database, with all client-server interactions managed using Active Server Pages. Is there a good (hopefully free !) VPN package which is relatively easy to install and configure, and what other security features should I consider ? Thanks in advance for your help Ken John BSc CCNA -------------- next part -------------- An HTML attachment was scrubbed... URL: From mikes at hartwellcorp.com Wed Apr 25 12:07:56 2001
From: mikes at hartwellcorp.com (Michael St. Laurent) Date: Wed, 25 Apr 2001 10:07:56 -0700 Subject: [pptp-server] SMP 2.2.14-5.0 Problem Message-ID: <91A5926EFF44D3118B1200104B7276EB65501A@hart-exchange.hartwellcorp.com> OK, from reading over the list archives it looks to me as if part of the original require-mppe patch was dropped from the version that Patrick Reid blessed. If you compare the diff he quotes in the message http://lists.schulte.org/pipermail/pptp-server/2000-March/007042.html to the version that Martin Mueller suggests in the message http://lists.schulte.org/pipermail/pptp-server/2000-March/007058.html you will find a missing piece of code that Patrick had suggested be added. Somehow a previous version of the patch was used in his final post. The missing hunk is: @@ -357,6 +362,8 @@ { ccp_flags_set(unit, 0, 0); fsm_close(&ccp_fsm[unit], reason); + if ( ccp_wantoptions[unit].require_mppe || ccp_wantoptions[unit].require_mppe_stateless ) + lcp_close(unit,"Encryption got out of sync"); } /* This also appears to be missing from the "official" require-mppe patch posted at http://smop.de From tobias at extenda.se Wed Apr 25 12:14:22 2001 
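Review bot: the added lcp_close() is the right fail-closed behaviour when require_mppe or require_mppe_stateless is set (without it CCP closes and the PPP link keeps passing data in the clear), but the reason string is hard-coded to "Encryption got out of sync" even though the function this hunk patches already receives a `reason` argument and hands it to fsm_close(&ccp_fsm[unit], reason); passing that same `reason` to lcp_close(unit, reason) would make the log line reflect the actual cause of the close rather than always claiming a sync failure. The hunk header (@@ -357,6 +362,8 @@) also gives no hint which file it belongs to, so the posting should say which pppd source file the hunk applies to, or people re-applying it by hand will guess.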
From: tobias at extenda.se (Tobias Bengtsson) Date: Wed, 25 Apr 2001 19:14:22 +0200 Subject: [pptp-server] Gave up waiting for 1 lost packets Message-ID: <1F707ED4E8F5CA41BB3D0C4E8CA4182EE703@extenda-nt4.extenda.local> Hiya guys, I just upgraded my pptpd to 1.1.2 and PPPD to 2.4.0 and applied the patch available from ftp.binarix.com. Everything seems to be like before, I can't connect using compression. When I started to copy a rather big file (13,6MB) I got these errors in my syslog. Anyone got any idea what I should do to get my connection more stable? I am still using the 2.2.18 kernel with pppd 2.4.0 (I guess it should work?)
My syslog:
Apr 25 19:00:25 oden pppd[21619]: Connect: ppp1 <--> /dev/pts/1
Apr 25 19:00:25 oden pppd[21619]: MSCHAP-v2 peer authentication succeeded for tobias
Apr 25 19:00:25 oden pppd[21619]: found interface eth0 for proxy arp
Apr 25 19:00:25 oden pppd[21619]: local IP address 10.200.1.152
Apr 25 19:00:25 oden pppd[21619]: remote IP address 10.200.1.161
Apr 25 19:00:32 oden pppd[21619]: MPPE 128 bit, stateless compression enabled
Apr 25 19:00:32 oden pppd[21619]: MPPE 128 bit, stateless compression enabled
Apr 25 19:08:09 oden pptpd[21618]: Buffering out-of-order packet; got 1265 after 1263
Apr 25 19:08:09 oden pptpd[21618]: Buffering out-of-order packet; got 1266 after 1263
Apr 25 19:08:09 oden pptpd[21618]: Buffering out-of-order packet; got 1267 after 1263
Apr 25 19:08:09 oden pptpd[21618]: Gave up waiting for 1 lost packets beginning with 1264
my /etc/ppp/options
name *
lock
mtu 1490
mru 1490
proxyarp
auth
#defaultroute
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-128
mppe-40
mppe-stateless
ms-wins 10.1.1.9
Cheers! Tobias From naresh at optimnetworks.com Wed Apr 25 19:51:33 2001
From: naresh at optimnetworks.com (Naresh) Date: Wed, 25 Apr 2001 17:51:33 -0700 Subject: [pptp-server] Running PPTP behind some firewall References: Message-ID: <3AE77115.2F57B4BB@optimnetworks.com> Hi Has anyone configured pptpd to run behind some firewall like FW1 or such. I tried with FW1 but since I am NATing and GRE is not supported by FW1 I couldn't do it. I tried a linksys box also by port forwarding the ports 47 and 1723 but it doesn't work. If anyone has something please let me know. Thanks, Naresh From charlieb at e-smith.com Wed Apr 25 20:31:19 2001 From: charlieb at e-smith.com (Charlie Brady) Date: Wed, 25 Apr 2001 21:31:19 -0400 (EDT) Subject: [pptp-server] Running PPTP behind some firewall In-Reply-To: <3AE77115.2F57B4BB@optimnetworks.com> Message-ID: On Wed, 25 Apr 2001, Naresh wrote: > Has anyone configured pptpd to run behind some firewall like FW1 or > such. I tried with FW1 but since I am NATing and GRE is not supported by > FW1 I couldn't do it. I tried a linksys box also by port forwarding > the ports 47 and 1723 but it doesn't work. It's protocol 47, and TCP port 1723. One of our clients is running pptpd behind a firewall, but I don't know what flavour of firewall it is. Charlie Brady charlieb at e-smith.com http://www.e-smith.org (development) http://www.e-smith.com (corporate) Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada From lists at earthling.2y.net Wed Apr 25 21:32:21 2001
From: lists at earthling.2y.net (Justin Kreger) Date: Wed, 25 Apr 2001 22:32:21 -0400 (EDT) Subject: [pptp-server] Gave up waiting for 1 lost packets In-Reply-To: <1F707ED4E8F5CA41BB3D0C4E8CA4182EE703@extenda-nt4.extenda.local> Message-ID: try lowering your mtu and mru... down around 750 works nice. Smaller packets might help.
> name *
> lock
> mtu 1490
> mru 1490
> proxyarp
> auth
> #defaultroute
> +chap
> +chapms
> +chapms-v2
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-failure 3
> lcp-echo-interval 5
> deflate 0
> mppe-128
> mppe-40
> mppe-stateless
> ms-wins 10.1.1.9
From berzerke at swbell.net Wed Apr 25 22:45:16 2001 From: berzerke at swbell.net (robert) Date: Wed, 25 Apr 2001 22:45:16 -0500 Subject: [pptp-server] Running PPTP behind some firewall In-Reply-To: <3AE77115.2F57B4BB@optimnetworks.com> References: <3AE77115.2F57B4BB@optimnetworks.com> Message-ID: <01042522451600.06220@linux> I have someone who ran a pptpd CLIENT behind a linksys dsl router/switch. Since I didn't do it myself, I can't tell you everything, but I can tell you all he said he did is set the port forwarding for port 1723. Of course, there was only one client running. If a client can run, then a server should run too. BTW, it's protocol 47, not port 47. On Wednesday 25 April 2001 19:51, Naresh wrote: > Hi > > Has anyone configured pptpd to run behind some firewall like FW1 or > such. I tried with FW1 but since I am NATing and GRE is not supported by FW1 > I couldn't do it. I tried a linksys box also by port forwarding the ports > 47 and 1723 but it doesn't work. If anyone has something please let me > know. > > Thanks, > Naresh > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From ERobertstad at txc.com Wed Apr 25 23:45:14 2001
From: ERobertstad at txc.com (Eirik Robertstad) Date: Thu, 26 Apr 2001 00:45:14 -0400 Subject: [pptp-server] PPTPD.Conf localip and remoteip question.... Message-ID: <3AE7A7DA.4040002@txc.com> Ok... I'm a little confused with this option. Do I really need to give more than one localip setting? And should the localip be the IP of the local interface that is on the internal network? Does having x amount of remoteip's have any effect on the amount of localip's you should have? Thanks, Eirik From Steve at SteveCowles.com Thu Apr 26 00:17:34 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Thu, 26 Apr 2001 00:17:34 -0500 Subject: [pptp-server] PPTPD.Conf localip and remoteip question.... Message-ID: <90769AF04F76D41186C700A0C90AFC3EE768@defiant.infohiiway.com> > -----Original Message----- > From: Eirik Robertstad [mailto:ERobertstad at txc.com] > Sent: Wednesday, April 25, 2001 11:45 PM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] PPTPD.Conf localip and remoteip question.... > > > Ok... I'm a little confused with this option. > Do I really need to give more than one localip setting? No. I use one IP for the localip setting. Although with PopTop, you do have the option of assigning a one-to-one mapping for the local/remote IP's. So far, I have not found a reason for doing so. > And should the localip be the IP of the local interface > that is on the internal network? It does not have to be. I assign localip to be the same as my internal interface IP. Some folks (based on network design and/or security policy) assign the local/remote IP's to a different subnet. i.e. ip aliasing > > Does having x amount of remoteip's have any effect on the amount of > localip's you should have? Not that I'm aware of. > > Thanks, > Eirik From GeorgeV at citadelcomputer.com.au Thu Apr 26 00:26:16 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira) Date: Thu, 26 Apr 2001 15:26:16 +1000 Subject: [pptp-server] PPTPD.Conf localip and remoteip question.... Message-ID: <200FAA488DE0D41194F10010B597610D0D1F7F@JUPITER> No.. localip can have only 1 IP. Only paranoid people use it (hee hee). You can use any IP you want as this is only between the PPTP server and the client. BUT, if you want to use proxyarp so the client can see the internal network then you're better off using the pptp server's internal IP.. or any other for that matter but it just wastes an IP on the network... thanks, George Vieira -----Original Message----- From: Eirik Robertstad [mailto:ERobertstad at txc.com] Sent: Thursday, April 26, 2001 2:45 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] PPTPD.Conf localip and remoteip question.... Ok... I'm a little confused with this option. Do I really need to give more than one localip setting? And should the localip be the IP of the local interface that is on the internal network? Does having x amount of remoteip's have any effect on the amount of localip's you should have? Thanks, Eirik _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From GeorgeV at citadelcomputer.com.au Thu Apr 26 01:04:50 2001 From: GeorgeV at citadelcomputer.com.au (George Vieira) Date: Thu, 26 Apr 2001 16:04:50 +1000 Subject: [pptp-server] PPTPD.Conf localip and remoteip question.... Message-ID: <200FAA488DE0D41194F10010B597610D0D1F8B@JUPITER> sorry that came out wrong.. localip only has to have 1 IP.. (not CAN only have) thanks, George Vieira -----Original Message-----
From: George Vieira Sent: Thursday, April 26, 2001 3:26 PM To: Eirik Robertstad Cc: PPTP List (E-mail) Subject: RE: [pptp-server] PPTPD.Conf localip and remoteip question.... No.. localip can have only 1 IP. Only paranoid people use it (hee hee). You can use any IP you want as this is only between the PPTP server and the client. BUT, if you want to use proxyarp so the client can see the internal network then you're better off using the pptp server's internal IP.. or any other for that matter but it just wastes an IP on the network... thanks, George Vieira -----Original Message----- From: Eirik Robertstad [mailto:ERobertstad at txc.com] Sent: Thursday, April 26, 2001 2:45 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] PPTPD.Conf localip and remoteip question.... Ok... I'm a little confused with this option. Do I really need to give more than one localip setting? And should the localip be the IP of the local interface that is on the internal network? Does having x amount of remoteip's have any effect on the amount of localip's you should have? Thanks, Eirik _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From themmaster at digitalme.com Thu Apr 26 15:21:55 2001 From: themmaster at digitalme.com (Hein-Pieter van Braam) Date: Thu, 26 Apr 2001 19:21:55 -0100 Subject: [pptp-server] mppe working Message-ID: <01042619215502.01536@tmm-wks-01> Your site is down, http://linus.yi.org. From rcd at amherst.com Thu Apr 26 08:21:35 2001
From: rcd at amherst.com (Robert Dege) Date: Thu, 26 Apr 2001 09:21:35 -0400 Subject: [pptp-server] PPTPD.Conf localip and remoteip question.... References: <90769AF04F76D41186C700A0C90AFC3EE768@defiant.infohiiway.com> Message-ID: <3AE820DF.7010300@amherst.com> >> >> Ok... I'm a little confused with this option. >> Do I really need to give more than one localip setting? > > > No. I use one IP for the localip setting. Although with PopTop, you do have > the option of assigning a one-to-one mapping for the local/remote IP's. So > far, I have not found a reason for doing so. Would having this option possibly be for IPX use, since Poptop supports both IPX & TCP? I haven't investigated the IPX issues that people were/are having, but something about 1 IP with a network node address or something like that? -Rob From ville at lpg.fi Thu Apr 26 08:43:18 2001 From: ville at lpg.fi (ville) Date: Thu, 26 Apr 2001 16:43:18 +0300 Subject: [pptp-server] linux client to office network? Message-ID: <3AE825F6.D7663F98@lpg.fi> Howdy, Here's the situation: o u t s i d e | o f f i c e n e t w o r k home ---> adsl ---> firewall ---> cvs server ( NT RAS ) All the above; home, firewall and cvs are linux computers. But the firewall does some sort of masquerading and directs VPN connections to an NT RAS box for authentication and what not. Does this document: http://poptop.lineo.com/setup_pptp_client.html apply to my situation now? Mainly I am thinking what domain the remote machine belongs to, and the remote machine's name. Should I supply the firewall's name/domain or the NT RAS'? If the answer is firewall's, what should I supply as a name cause it only has an IP address and as far as I know doesn't belong to any NT domain. // ville From rcd at amherst.com Thu Apr 26 08:25:45 2001
From: rcd at amherst.com (Robert Dege) Date: Thu, 26 Apr 2001 09:25:45 -0400 Subject: [pptp-server] Running PPTP behind some firewall References: <3AE77115.2F57B4BB@optimnetworks.com> Message-ID: <3AE821D9.4070505@amherst.com> It took me forever to get PPTP to work behind a firewall. In fact, I ended up finding a bug with it. It was related to IP aliasing on the firewall & GRE packets getting dropped. I'm using Linux 2.2.18 with IPChains as my firewall, and Linux 2.2.17 as my pptp server. -Rob Naresh wrote: > Hi > > Has anyone configured pptpd to run behind some firewall like FW1 or such. I > tried with FW1 but since I am NATing and GRE is not supported by FW1 I couldn't do > it. I tried a linksys box also by port forwarding the ports 47 and 1723 but it > doesn't work. If anyone has something please let me know. > > Thanks, > Naresh From mjo at pbj.dk Thu Apr 26 08:49:00 2001 From: mjo at pbj.dk (Mikael Johnsen) Date: Thu, 26 Apr 2001 15:49:00 +0200 Subject: [pptp-server] Network Neighbourhood and net use Message-ID: <1DA605F7E2EAD411B7A9009027DDD2C35B32@PBJ-EXCHG> Hi Can someone please give me direct information about using the above items Med venlig hilsen / Best regards Mikael Johnsen Systemadministrator / System Administrator PBJ Consult A/S Phone: +45 43 62 74 00 Roholmsvej 10 G Fax: +45 43 62 74 24 DK-2620 Albertslund Email: mailto:mjo at pbj.dk Homepage: www.pbj.dk -------------- next part -------------- An HTML attachment was scrubbed... URL: From vlast at eetc.com Thu Apr 26 10:27:49 2001
From: vlast at eetc.com (Vlad Strezhnev) Date: Thu, 26 Apr 2001 10:27:49 -0500 Subject: [pptp-server] Running PPTP behind some firewall In-Reply-To: <3AE821D9.4070505@amherst.com> References: <3AE77115.2F57B4BB@optimnetworks.com> <3AE821D9.4070505@amherst.com> Message-ID: <01042610274900.00801@vlast> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here is a "successful" multi-platform setup running in our office for months now. (In fact since last October). PoPToP behind ipchains (RedHat 6.2 on Sparc) with IP masquerading. PoPToP server (RedHat 6.2 on Ruffian Alpha). PoPToP remote Linux client (PowerPPC 2000 on Power Macintosh 7200/75) on DSL connection behind Cisco 675 router with NAT. This setup is used to remotely monitor the network using Netsaint. The connection uses a static virtual IP for the client and thus communication is two-way. We can use the web server on the PopTop client (by its virtual IP) to monitor and configure Netsaint from the office. Also several "road-warriors" connect to the PoPToP server using laptops with the inbuilt pptp client on Windows 98&2000 as well as TunnelBuilder on Macs. Here is the link in all its beauty :-)
[10.0.0.7 (PoPToP Linux client)] ->
[10.0.0.1 (Cisco internal interface)] ->
[DSL dynamic IP (Cisco external interface assigned by Quest)] ->
[x.x.x.x (Our firewall external IP)] ->
[192.168.1.1 (Firewall internal IP)] ->
[192.168.1.38 (PoPToP server IP)] ->
[192.168.1.230 (PoPToP client virtual static IP)] ->
[192.168.1.203 (PoPToP server virtual IP)]
PoPToP rules! -isn't it? On Thursday 26 April 2001 08:25, you wrote: > It took me forever to get PPTP to work behind a firewall. In fact, I > ended up finding a bug with it. It was related to IP aliasing on the > firewall & GRE packets getting dropped. > > I'm using Linux 2.2.18 with IPChains as my firewall, and Linux 2.2.17 as > my pptp server. > > -Rob > > Naresh wrote: > > Hi > > > > Has anyone configured pptpd to run behind some firewall like FW1 or > > such.
I tried with FW1 but since I am NATing and GRE is not supported by FW1 > > I couldn't do it. I tried a linksys box also by port forwarding the > > ports 47 and 1723 but it doesn't work. If anyone has something please let > > me know. > > > > Thanks, > > Naresh > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! - -- VLAD STREZHNEV System Engineer IndiVisual Learning, Inc. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBOug+e22oFIHLWbQwEQJdXwCfXPJbQzJCTJSbuivJ+dLkiuiPGc8AoIPi WwW8MRqbf7iGC9i7BqRrz1EE =pR0h -----END PGP SIGNATURE----- From Tbenson at associatedbp.com Thu Apr 26 10:46:57 2001 From: Tbenson at associatedbp.com (Trevor Benson) Date: Thu, 26 Apr 2001 08:46:57 -0700 Subject: [pptp-server] Network Neighbourhood and net use Message-ID: <378253B6F337D411BB0B009027C3F0432CE63D@EMAILSERVER> For Net Use itself I would run 'net help' and 'net help use'. These are Microsoft programs that have instructions for command line use. What are you asking about network neighborhood? Double click it and see what shows up, and then tell us what you are trying to do, or what you think is not working. Otherwise explaining how to use network neighborhood is like explaining how to open a box. Open it and you should see what you want, otherwise let us know what's wrong. Thanks, Trevor -----Original Message-----
From: Mikael Johnsen [mailto:mjo at pbj.dk] Sent: Thursday, April 26, 2001 6:49 AM To: 'pptp-server at lists.schulte.org' Subject: [pptp-server] Network Neighbourhood and net use Hi Can someone please give me direct information about using the above items Med venlig hilsen / Best regards Mikael Johnsen Systemadministrator / System Administrator PBJ Consult A/S Phone: +45 43 62 74 00 Roholmsvej 10 G Fax: +45 43 62 74 24 DK-2620 Albertslund Email: mailto:mjo at pbj.dk Homepage: www.pbj.dk -------------- next part -------------- An HTML attachment was scrubbed... URL: From vgill at technologist.com Thu Apr 26 10:59:52 2001 From: vgill at technologist.com (Gill, Vern) Date: Thu, 26 Apr 2001 08:59:52 -0700 Subject: [pptp-server] mppe working Message-ID: <8D043DEA73DFD411958A00A0C90AB760045B05@ftp.gillnet.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes I know. It was down for a short while yesterday. Should be ok now... PGP Signed! Why? "If all the personal computers in the world - ~260 million computers - were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message." - - William Crowell, Deputy Director of the National Security Agency, in testimony to the U.S. Congress, March 20, 1997 - -----Original Message----- 
From: Hein-Pieter van Braam [mailto:themmaster at digitalme.com] Sent: Thursday, April 26, 2001 1:22 PM To: pptp-server at lists.schulte.org Subject: RE: [pptp-server] mppe working Your site is down, http://linus.yi.org. _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use iQA/AwUBOuhFyBeamMdwy9TXEQLFOwCgnJWTNtXq74uSzezuVzo75o3VHpQAn17K eIGgCgPLtgqmoK9YBXj0OOSD =1I6+ -----END PGP SIGNATURE----- From steve at silug.org Thu Apr 26 12:05:15 2001 From: steve at silug.org (Steven Pritchard) Date: Thu, 26 Apr 2001 12:05:15 -0500 (CDT) Subject: [pptp-server] mppe working In-Reply-To: <8D043DEA73DFD411958A00A0C90AB760045AF7@ftp.gillnet.org> "from Gill, Vern at Apr 24, 2001 08:33:27 am" Message-ID: <200104261705.f3QH5F706992@osiris.silug.org> Gill, Vern said: > For anyone who's having trouble with MPPE on 2.4.x and ppp-2.4.x, I > suggest you visit my site at http://linus.yi.org, and click on the > PPP page. I have had pptpd running under kernel 2.4 and ppp 2.4 for > months now. Have you tested this with Windows 98/ME/2000 clients? In my testing, I have either been able to get 98/ME working *or* 2000, but not both. Steve -- steve at silug.org | Southern Illinois Linux Users Group (618)398-7320 | See web site for meeting details. Steven Pritchard | http://www.silug.org/ From pistole at kiekeboe.cc Thu Apr 26 15:18:10 2001 
From: pistole at kiekeboe.cc (Paul Schuur) Date: Thu, 26 Apr 2001 22:18:10 +0200 Subject: [pptp-server] linux client to office network? References: <3AE825F6.D7663F98@lpg.fi> Message-ID: <016801c0ce8e$03913620$1915200a@kiekeboe.cc> Hi ville, theoretically, if the VPN server is an NT box, there are two options -if your account is a local account, the domain name (=server name in this case) is optional. Just leave it blank for local accounts -if your account is a domain account, you need to specify the domain name, which, of course, you know. good luck! /Pistole ----- Original Message ----- From: "ville" To: Sent: Thursday, April 26, 2001 15:43 Subject: [pptp-server] linux client to office network? > Howdy, > > Here's the situation: > > o u t s i d e | o f f i c e n e t w o r k > home ---> adsl ---> firewall ---> cvs server > ( NT RAS ) > > > All the above; home, firewall and cvs are linux computers. But the > firewall does some sort of masquerading and directs VPN connections to > an NT RAS box for authentication and what not. > > Does this document: http://poptop.lineo.com/setup_pptp_client.html apply > to my situation now? Mainly I am thinking what domain the remote > machine belongs to, and the remote machine's name. Should I supply the > firewall's name/domain or the NT RAS'? If the answer is firewall's, what > should I supply as a name cause it only has an IP address and as far as > I know doesn't belong to any NT domain. > > > // ville > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > From berzerke at swbell.net Fri Apr 27 01:27:52 2001
From: berzerke at swbell.net (robert) Date: Fri, 27 Apr 2001 01:27:52 -0500 Subject: [pptp-server] mppe working In-Reply-To: <200104261705.f3QH5F706992@osiris.silug.org> References: <200104261705.f3QH5F706992@osiris.silug.org> Message-ID: <01042701275202.10649@linux> On Thursday 26 April 2001 12:05, Steven Pritchard wrote: > Gill, Vern said: > > For anyone who's having trouble with MPPE on 2.4.x and ppp-2.4.x, I > > suggest you visit my site at http://linus.yi.org, and click on the > > PPP page. I have had pptpd running under kernel 2.4 and ppp 2.4 for > > months now. > > Have you tested this with Windows 98/ME/2000 clients? In my testing, > I have either been able to get 98/ME working *or* 2000, but not both. > > Steve See the 2.4 kernel howto at http://home.swbell.net/berzerke From that howto: 5.23 Q: I'm having problems with Windows 98SE/ME or Windows 2K running at the proper encryption level. What's going on? A: For Windows 2K, problems have been reported if you have the line [mppe-40] in the options file. Commenting it out seems to fix the problem. You can also try the alternative options file listed above. For Windows 98SE (and probably ME), it is the exact opposite. If you don't have the line [mppe-40], then the client will connect and negotiate MPPE 128 bit, but pppd spews messages like these for all traffic:
Apr 9 11:34:00 ra0 pppd[9521]: rcvd [Compressed data] 90 00 bb 5c a3 2d a7 0d ...
Apr 9 11:34:04 ra0 pppd[9521]: rcvd [Compressed data] 90 01 c3 1a 0e cb c2 29 ...
No traffic actually goes across the link. Adding "mppe-40" to /etc/ppp/options makes everything work perfectly. The clients still negotiate MPPE 128 bit. The alternate options file is (delete the [ and ]'s):
[name *]
[lock]
[mtu 1490]
[mru 1490]
[proxyarp]
[auth]
[+chap]
[+chapms]
[+chapms-v2]
[ipcp-accept-local]
[ipcp-accept-remote]
[lcp-echo-failure 3]
[lcp-echo-interval 5]
[deflate 0]
[mppe-128]
[mppe-40]
[mppe-stateless]
From jvonau at home.com Fri Apr 27 02:18:54 2001
From: jvonau at home.com (Jerry Vonau) Date: Fri, 27 Apr 2001 02:18:54 -0500 Subject: [pptp-server] linux client to office network? References: <3AE825F6.D7663F98@lpg.fi> Message-ID: <3AE91D5D.6487B891@home.com> Have a look at: http://merced.needsabeating.com/pptp/howto.html Jerry Vonau ville wrote: > Howdy, > > Here's the situation: > > o u t s i d e | o f f i c e n e t w o r k > home ---> adsl ---> firewall ---> cvs server > ( NT RAS ) > > All the above; home, firewall and cvs are linux computers. But the > firewall does some sort of masquerading and directs VPN connections to > an NT RAS box for authentication and what not. > > Does this document: http://poptop.lineo.com/setup_pptp_client.html apply > to my situation now? Mainly I am thinking what domain the remote > machine belongs to, and the remote machine's name. Should I supply the > firewall's name/domain or the NT RAS'? If the answer is firewall's, what > should I supply as a name cause it only has an IP address and as far as > I know doesn't belong to any NT domain. > > // ville > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From john_g123 at yahoo.com Fri Apr 27 04:04:37 2001
From: john_g123 at yahoo.com (john) Date: Fri, 27 Apr 2001 02:04:37 -0700 (PDT) Subject: [pptp-server] Running PPTP behind some firewall In-Reply-To: <3AE77115.2F57B4BB@optimnetworks.com> Message-ID: <20010427090437.10270.qmail@web3503.mail.yahoo.com> To enable PPTP (MS PPTP) to pass through a firewall you would need two explicit rules. One, allow the GRE protocol itself (no 47). Two, allow port 1723. Please note the difference between port and protocol: it is protocol no 47 (you are doing port). And do this for both directions, incoming and also outgoing. I have done this and it works. If you have any problems let me know also. thanks --- Naresh wrote: > Hi > > Has anyone configured pptpd to run behind some > firewall like FW1 or such. I > tried with FW1 but since I am NATing and GRE is not > supported by FW1 I couldn't do > it. I tried a linksys box also by port forwarding > the ports 47 and 1723 but it > doesn't work. If anyone has something please let me > know. > > Thanks, > Naresh > > _______________________________________________ > pptp-server maillist - > pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! __________________________________________________ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ From karthik.subramanian at digital.com Fri Apr 27 04:36:57 2001
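Two points in this archive are easier to see in code than in prose: Tim Wilfong's question about what sits inside a PPTP tunnel (a PPP frame inside GRE, much as L2TP carries PPP), and the "port 47" versus "protocol 47" mix-up that Charlie Brady, robert and john each correct in the firewall thread. The block below is an added example written for this page; it is not pptpd/PoPToP code and not anything the posters shipped. It parses an IPv4 packet, recognises the TCP/1723 control connection and the GRE (IP protocol 47) data path, decodes the enhanced-GRE header of RFC 2637 to reach the PPP frame inside, and contrasts a correct "TCP 1723 plus IP protocol 47" rule with the mistaken "ports 47 and 1723" rule. The sample packets are constructed inline (addresses, call ID, sequence number and PPP bytes are made up; IP and TCP checksums are left at zero; the PPP frame is assumed to carry neither address/control nor protocol-field compression), and every function name is my own.

```python
import struct

# Protocol numbers and ports the thread is about.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47            # IP protocol 47 (GRE), not TCP/UDP port 47
PPTP_CONTROL_PORT = 1723    # TCP control connection
GRE_PROTO_PPP = 0x880B      # enhanced-GRE protocol type for PPP (RFC 2637)
PPP_COMPRESSED = 0x00FD     # PPP protocol of MPPE-encrypted ("compressed") data

# Enhanced GRE flag bits (first 16 bits of the header, RFC 2637 section 4.1).
GRE_K = 0x2000      # key present (payload length + call ID); always set for PPTP
GRE_S = 0x1000      # sequence number present
GRE_A = 0x0080      # acknowledgment number present
GRE_VER_MASK = 0x0007


def parse_ipv4(pkt):
    """Return (protocol, payload) of a raw IPv4 packet, honouring IHL and total length."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return proto, pkt[ihl:total_len]


def parse_pptp_gre(seg):
    """Parse a PPTP data packet (enhanced GRE) and return its fields plus the PPP frame.

    Returns None if the segment is plain GRE or otherwise not PPTP. The PPP frame is
    assumed to start with the 2-byte protocol field (no ACFC/PFC; constructed assumption).
    """
    if len(seg) < 8:
        return None
    flags_ver, proto_type, payload_len, call_id = struct.unpack("!HHHH", seg[:8])
    if (flags_ver & GRE_VER_MASK) != 1 or proto_type != GRE_PROTO_PPP or not flags_ver & GRE_K:
        return None
    off, seq, ack = 8, None, None
    if flags_ver & GRE_S:
        seq = struct.unpack("!I", seg[off:off + 4])[0]
        off += 4
    if flags_ver & GRE_A:
        ack = struct.unpack("!I", seg[off:off + 4])[0]
        off += 4
    ppp = seg[off:off + payload_len]
    if ppp[:2] == b"\xff\x03":          # tolerate an un-stripped HDLC address/control pair
        ppp = ppp[2:]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp_proto": ppp_proto, "ppp": ppp[2:]}


def classify(pkt):
    """Label a packet as 'pptp-control', 'pptp-data', 'other-gre' or 'other'."""
    proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "other"
    if proto == IPPROTO_GRE:
        return "pptp-data" if parse_pptp_gre(payload) else "other-gre"
    return "other"


def pptp_rule_allows(pkt):
    """Correct PPTP rule set: TCP/1723 for control plus IP protocol 47 for data."""
    return classify(pkt) in ("pptp-control", "pptp-data")


def port47_rule_allows(pkt):
    """The mistaken rule from the thread ('forward ports 47 and 1723'): it never sees GRE."""
    proto, payload = parse_ipv4(pkt)
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return False
    sport, dport = struct.unpack("!HH", payload[:4])
    return bool({47, PPTP_CONTROL_PORT} & {sport, dport})


# --- constructed sample packets (made up for this example, not captured traffic) ---
def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x07", dst=b"\xc0\xa8\x01\x26"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src, dst)
    return hdr + payload            # header checksum left zero; irrelevant to classification


def build_tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)   # bare SYN


def build_pptp_gre(call_id, seq, ppp_proto, data):
    ppp = struct.pack("!H", ppp_proto) + data
    hdr = struct.pack("!HHHH", GRE_K | GRE_S | 1, GRE_PROTO_PPP, len(ppp), call_id)
    return hdr + struct.pack("!I", seq) + ppp


PPTP_CONTROL_PKT = build_ipv4(IPPROTO_TCP, build_tcp(40000, PPTP_CONTROL_PORT))
PPTP_DATA_PKT = build_ipv4(IPPROTO_GRE, build_pptp_gre(0x1234, 1264, PPP_COMPRESSED, b"\x90\x00\xbb\x5c\xa3\x2d"))
TCP_PORT47_PKT = build_ipv4(IPPROTO_TCP, build_tcp(40001, 47))

if __name__ == "__main__":
    for name, pkt in (("control", PPTP_CONTROL_PKT), ("gre-data", PPTP_DATA_PKT), ("tcp/47", TCP_PORT47_PKT)):
        print(f"{name:9} {classify(pkt):13} correct-rule={pptp_rule_allows(pkt)!s:5} port47-rule={port47_rule_allows(pkt)}")
```

Run directly it prints one verdict per packet; the instructive row is the GRE one, which the correct rule accepts and the port-47 rule never sees, and that is exactly the symptom in the thread: the TCP/1723 control connection comes up (so authentication appears to succeed) and then no data flows. The PPP protocol 0x00FD in the sample is the one pppd logs as [Compressed data] once MPPE is negotiated; everything after it is ciphertext, which is also why a firewall cannot inspect past the GRE header.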
From: karthik.subramanian at digital.com (Subramanian, Karthik) Date: Fri, 27 Apr 2001 15:06:57 +0530 Subject: [pptp-server] ppp design documents Message-ID: <177E503C4DA3D311BC9D0008C791C3060455A36F@diexch01.xko.dec.com> hello everybody does anybody have a high level design document for ppp. Aim at perfection in everything, though in most things it is unattainable. However, they who aim at it, and persevere, will come much nearer to it than those whose laziness and despondency make them give it up as unattainable. --Lord Chesterfield From vgill at technologist.com Fri Apr 27 09:15:15 2001 From: vgill at technologist.com (Gill, Vern) Date: Fri, 27 Apr 2001 07:15:15 -0700 Subject: [pptp-server] mppe working Message-ID: <8D043DEA73DFD411958A00A0C90AB760045B08@ftp.gillnet.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The options file available on my site allows both 98/ME AND 2k in no problems... PGP Signed! Why? "If all the personal computers in the world - ~260 million computers - were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message." - - William Crowell, Deputy Director of the National Security Agency, in testimony to the U.S. Congress, March 20, 1997 - -----Original Message----- 
From: Steven Pritchard [mailto:steve at silug.org] Sent: Thursday, April 26, 2001 10:05 AM To: Gill, Vern Cc: pptp-server at lists.schulte.org Subject: Re: [pptp-server] mppe working Gill, Vern said: > For anyone who's having trouble with MPPE on 2.4.x and ppp-2.4.x, I > suggest you visit my site at http://linus.yi.org, and click on the > PPP page. I have had pptpd running under kernel 2.4 and ppp 2.4 for > months now. Have you tested this with Windows 98/ME/2000 clients? In my testing, I have either been able to get 98/ME working *or* 2000, but not both. Steve - -- steve at silug.org | Southern Illinois Linux Users Group (618)398-7320 | See web site for meeting details. Steven Pritchard | http://www.silug.org/ -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use iQA/AwUBOul+xxeamMdwy9TXEQLINgCeL4HuigvPBwzaHWfV/R6V30TmFXsAn3Kg pC5rzlGQ423J35MSuw2sOBNe =ih4o -----END PGP SIGNATURE----- From dreadboy at hotmail.com Fri Apr 27 11:06:58 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Fri, 27 Apr 2001 10:06:58 -0600 Subject: [pptp-server] mppe working Message-ID: The site does work, there was just a typo in the message. There should be a period near the end of the address NOT a comma. It's easy to miss. The site is working. _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From jvaughan at maad.com Fri Apr 27 14:57:55 2001 
From: jvaughan at maad.com (John Vaughan) Date: Fri, 27 Apr 2001 13:57:55 -0600 Subject: [pptp-server] Lan to Lan/Linux to Linux vpn connection Message-ID: Hello Was wondering if anyone knew how or where to get specific information on a lan to lan connection using two linux boxes. Our situation: We have a primary office running a Linux Redhat 6.2 distro with 2.2.16 kernel. This is setup to allow VPN connections from windows laptops and home users. Works fine. We have a secondary office in another state. This office has a Linux Redhat 6.2 distro with 2.2.16 kernel also. This is setup to allow VPN connections from the laptop and home users wanting to access that office. Works fine. What we want to do is configure the Linux boxes so the people in the smaller office will have an always on VPN connection to the main office. Right now we just want the smaller office to be able to get onto the larger office lan and not vice-versa. Anyone have any ideas on how to accomplish this??? thanks John Vaughan Micro Analysis & Design, Inc. 4900 Pearl East Circle, Suite 201 E Boulder, CO 80301 303 442-6947 voice 303 442-8274 fax mailto:jvaughan at maad.com From Steve at SteveCowles.com Fri Apr 27 16:12:08 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Fri, 27 Apr 2001 16:12:08 -0500 Subject: [pptp-server] Lan to Lan/Linux to Linux vpn connection Message-ID: <90769AF04F76D41186C700A0C90AFC3EE76C@defiant.infohiiway.com> > -----Original Message----- 
> From: John Vaughan [mailto:jvaughan at maad.com]
> Sent: Friday, April 27, 2001 2:58 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Lan to Lan/Linux to Linux vpn connection
>
> Hello
>
> Was wondering if anyone knew how or where to get specific
> information on a lan to lan connection using two linux boxes.
>
> Our situation:
>
> We have a primary office running a Linux Redhat 6.2 distro with
> 2.2.16 kernel. This is setup to allow VPN connections from
> windows laptops and home users. Works fine.
>
> We have a secondary office in another state. This office has
> a Linux Redhat 6.2 distro with 2.2.16 kernel also. This is setup
> to allow VPN connections from the laptop and home users wanting
> to access that office. Works fine.
>
> What we want to do is configure the Linux boxes so the people
> in the smaller office will have an always on VPN connection to
> the main office. Right now we just want the smaller office to
> be able to get onto the larger office lan and not vice-versa.
>
> Anyone have any ideas on how to accomplish this???
>
> thanks

If you're open to new ideas, try using IPSEC for your lan-to-lan tunnels and stay with using pptp for your host-to-lan tunnels (road warriors). You can run both concurrently. Checkout: http://www.freeswan.org for FreeS/WAN ipsec source code and http://jixen.tripod.com for some very good examples on how to setup a lan-to-lan VPN using IPSEC.

If you must continue using PPTP, then you will need to download the pptp client at http://cag.lcs.mit.edu/~cananian/Projects/PPTP and then establish a PPTP tunnel between your two linux boxes at each office. Then manually add the appropriate network routes for each LAN. The only thing I can think of to block two way traffic across the lan-to-lan tunnel would be to use ipchain rules to allow small office to large office traffic only.

Steve Cowles

From Tbenson at associatedbp.com Fri Apr 27 16:30:14 2001
From: Tbenson at associatedbp.com (Trevor Benson) Date: Fri, 27 Apr 2001 14:30:14 -0700 Subject: [pptp-server] Lan to Lan/Linux to Linux vpn connection Message-ID: <378253B6F337D411BB0B009027C3F0432CE648@EMAILSERVER> Another great vpn product for LAN to LAN vpn is vpnd, I have configured this and it works wonderfully. It is tunnerling but you get to configure ports on server and clients, so you can work it into almost any setup. I also found the configuration to be a bit more turnkey then the FreeS/WAN configuration. Just my opinion though, but I have it working in quite a few locations. Thanks, Trevor -----Original Message----- From: Cowles, Steve [mailto:Steve at stevecowles.com] Sent: Friday, April 27, 2001 2:12 PM To: 'John Vaughan'; pptp-server at lists.schulte.org Subject: RE: [pptp-server] Lan to Lan/Linux to Linux vpn connection > -----Original Message----- 
> From: John Vaughan [mailto:jvaughan at maad.com] > Sent: Friday, April 27, 2001 2:58 PM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] Lan to Lan/Linux to Linux vpn connection > > > Hello > > Was wondering if anyone knew how or where to get specific > information on a lan to lan connection using two linux boxes. > > Our situation: > > We have a primary office running a Linux Redhat 6.2 distro with > 2.2.16 kernel. This is setup to allow VPN connections from > windows laptops and home users. Works fine. > > We have a secondary office in another state. This office has > a Linux Redhat 6.2 distro with 2.2.16 kernel also. This is setup > to allow VPN connections from the laptop and home users wanting > to access that office. Works fine. > > What we want to do is configure the Linux boxes so the people > in the smaller office will have an always on VPN connection to > the main office. Right now we just want the smaller office to > be able to get onto the larger office lan and not vice-versa. > > Anyone have any ideas on how to accomplish this??? > > thanks If your open to new ideas, try using IPSEC for your lan-to-lan tunnels and stay with using pptp for your host-to-lan tunnels (road warriors). You can run both concurrently. Checkout: http://www.freeswan.org for FreeS/WAN ipsec source code and http://jixen.tripod.com for some very good examples on how to setup a lan-to-lan VPN using IPSEC. If you must continue using PPTP, then you will need to download the pptp client at http://cag.lcs.mit.edu/~cananian/Projects/PPTP and then establish a PPTP tunnel between your two linux boxes at each office. Then manually add the appropriate network routes for each LAN. The only thing I can think of to block two way traffic across the lan-to-lan tunnel would be to use ipchain rules to allow small office to large office traffic only. 
Steve Cowles _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From chetan_off at yahoo.com Fri Apr 27 17:24:58 2001 From: chetan_off at yahoo.com (Chetan Ganpati) Date: Fri, 27 Apr 2001 15:24:58 -0700 (PDT) Subject: [pptp-server] connection problems Message-ID: <20010427222458.9113.qmail@web615.mail.yahoo.com> Hello, Can anyone help me with this? Have set up pptp on a RedHat 6.2 machine.When I connect from Win9x machines it works fine , but when i connect from a win2x I am able to connect but not ping the machines on the network. These are the messages in var/log/messages Connect: ppp0 <--> /dev/pts/1 GRE: Discarding duplicate packet CTRL: Ignored a SET LINK INFO packet with real ACCMs! MSCHAP-v2 peer authentication succeeded for user found interface eth1 for proxy arp local IP address 192.168.0.80 remote IP address 192.168.0.70 CTRL: Ignored a SET LINK INFO packet with real ACCMs! LCP terminated by peer (BM-^JuM-&^@ Thx. No, not yet. Can't get compilation right for that, yet. Others have stuff on this post, though I haven't tried any yet. 
>From: Naresh >To: Dread Boy >Subject: Re: [pptp-server] mppe working >Date: Fri, 27 Apr 2001 11:33:15 -0700 > >Hi there, > > I saw your faq and thanks very much it worked the first time I installed >it. >Do you have such faq for 2.4.x kernels too? > >Naresh > > >Dread Boy wrote: > > > The site does work, there was just a typo in the message. There should >be a > > period near the end of the address NOT a comma. > > > > It's easy to miss. The site is working. > > >_________________________________________________________________________ > > Get Your Private, Free E-mail from MSN Hotmail at >http://www.hotmail.com. > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From kurt.glazemakers at dedigate.com Sat Apr 28 05:46:11 2001 
From: kurt.glazemakers at dedigate.com (Kurt Glazemakers)
Date: Sat, 28 Apr 2001 12:46:11 +0200
Subject: [pptp-server] Proxy arp on multiple interfaces
Message-ID:

Hi,

I want to use the pptp server as follows:

                 internet
                    |
                    |eth0
         [.....pptp-server......]
           |      |      |      |
           |eth1  |eth2  |eth3  |eth4
10.0.x.x/24  1.1/24 2.1/24 3.1/24 4.1/24

I have 4 pptp-accounts and I want client A to have a proxy arped IP-address 10.0.1.1/24 on eth1, client B a proxy arped on eth2 (10.0.2.1/24), etc ... just depending on the logon and password they use.

I'm already aware that this probably needs some reprogramming, unless someone needed this feature before. Can anyone of you give me some tips to start? I assume you need to change the ipcp.c file, and somewhere add some features to the parse code for the configuration file. Or is there something else that needs to be changed as well?

many thanks already in advance,

Kurt

From kristianl at oslo.kvalito.no Sat Apr 28 09:18:19 2001
From: kristianl at oslo.kvalito.no (Kristian Lyngstøl)
Date: Sat, 28 Apr 2001 16:18:19 +0200
Subject: [pptp-server] Howto with patches that works?
Message-ID: <20010428161818.A4558@lyngstol.kvalito.no>

Hi all,

I have been running pptpd for some time now, but am having problems of different types. I have gotten mschap of all kinds to work, but am having some problems with mppe encryption. I have poked around with different pppd versions with patches and the same with pptpd itself, but still, some weird problems appear.

Since I know this should work, I simply wonder if someone can direct me to a howto that is confirmed to work, preferably for 2.2.x kernels. That is, a howto that lists the specific patches I need to apply and what versions would work, etc.

Anybody know of such a howto? I have no problems with compiling stuff and installing, but what I need is some kind of "this patch with this version works, get it from ...." .

--
Med vennlig hilsen / Best regards
---------------------------------+-------------------------
Kristian Lyngstøl                | Kvalito IT AS avd. Oslo
tlf: 90 84 24 35                 | 21 00 99 00
mail: kristianl at oslo.kvalito.no | oslo at kvalito.no
---------------------------------+-------------------------

From anesthes at cisdi.com Sat Apr 28 10:27:58 2001
From: anesthes at cisdi.com (Joey Coco) Date: Sat, 28 Apr 2001 10:27:58 -0500 (EST) Subject: [pptp-server] Lan to Lan/Linux to Linux vpn connection In-Reply-To: Message-ID: Hi, 90% of my PPTP stuff is linux to linux.. You should download the PPTP client, and connect the box's together.. You can use Zebra or some other dynamic routing engine to route your IP traffic, you can enable IPX, and just about anything else you wanna try.. -- Joe On Fri, 27 Apr 2001, John Vaughan wrote: > Hello > > Was wondering if anyone knew how or where to get specific information on a > lan to lan connection using two linux boxes. > > Our situation: > > We have a primary office running a Linux Redhat 6.2 distro with 2.2.16 > kernel. This is setup to allow VPN connections from windows laptops and > home users. Works fine. > > We have a secondary office in another state. This office has a Linux Redhat > 6.2 distro with 2.2.16 kernel also. This is setup to allow VPN connections > from the laptop and home users wanting to access that office. Works fine. > > What we want to do is configure the Linux boxes so the people in the smaller > office will have an always on VPN connection to the main office. Right now > we just want the smaller office to be able to get onto the larger office lan > and not vice-versa. > > Anyone have any ideas on how to accomplish this??? > > thanks > > John Vaughan > Micro Analysis & Design, Inc. > 4900 Pearl East Circle, Suite 201 E > Boulder, CO 80301 > 303 442-6947 voice > 303 442-8274 fax > mailto:jvaughan at maad.com > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ / "I'd like to think that everything is beautiful, and I'd like to think / \ that everything is fair. 
I'd like to think that everything is plentiful,\ / and i'd like to think that every body cares. We'd like to thank you.." / \ \ / http://members.cisdi.com/~anesthes/ -=- IM: imd3fc0n / \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ C r e a t i v e I l l u s i o n s S o f t w a r e D e s i g n, I n c. From jvonau at home.com Sat Apr 28 10:14:57 2001 From: jvonau at home.com (Jerry Vonau) Date: Sat, 28 Apr 2001 10:14:57 -0500 Subject: [pptp-server] linux client to office network? References: <3AE825F6.D7663F98@lpg.fi> <3AE91D5D.6487B891@home.com> Message-ID: <3AEADE71.284D6C4C@home.com> Jerry Vonau wrote: > Have a look at: > > http://merced.needsabeating.com/pptp/howto.html > > Jerry Vonau > > ville wrote: > > > Howdy, > > > > Here's the sittuation: > > > > o u t s i d e | o f f i c e n e t w o r k > > home ---> adsl ---> firewall ---> cvs server > > ( NT RAS ) > > > > All the above; home, firewall and cvs are linux computers. But the > > firewall does some sort of masquerading and directs VPN connections to > > an NT RAS box for authentication and what not. > > > > Does this document: http://poptop.lineo.com/setup_pptp_client.html apply > > to my sittuation now? Mainly I am thinking what domain the remote > > machine belongs to, and remote machines name. Should I supply the > > firewall's name/domain or the NT RAS'? If the answer is firewall's, what > > should I supply as a name cause it only has an IP address and as far as > > I know doesn't belong to any NT domain. > > > > // ville > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! From jvonau at home.com Sat Apr 28 10:24:46 2001 
From: jvonau at home.com (Jerry Vonau)
Date: Sat, 28 Apr 2001 10:24:46 -0500
Subject: [pptp-server] Proxy arp on multiple interfaces
References:
Message-ID: <3AEAE0BE.414E1A2A@home.com>

Kurt:

If you compile pptp with ./configure --with-pppd-ip-alloc, then IPs will be assigned from the chap-secrets file, based on the user login name. The proxyarp option should pick up the required internal interface. Then comes the ipchains fun to make it all work right, but it should be do-able.

Jerry Vonau

Kurt Glazemakers wrote:
> Hi,
>
> I want to use the pptp server as follows:
>
>                  internet
>                     |
>                     |eth0
>          [.....pptp-server......]
>            |      |      |      |
>            |eth1  |eth2  |eth3  |eth4
> 10.0.x.x/24  1.1/24 2.1/24 3.1/24 4.1/24
>
> I have 4 pptp-accounts and I want client A to have a proxy arped
> IP-address 10.0.1.1/24 on eth1, client B a proxy arped on eth2
> (10.0.2.1/24), etc ... just depending on the logon and password they
> use.
>
> I'm already aware that this probably needs some reprogramming, unless
> someone needed this feature before. Can anyone of you give me some
> tips to start? I assume you need to change the ipcp.c file, and
> somewhere add some features to the parse code for the configuration file.
> Or is there something else that needs to be changed as well?
>
> many thanks already in advance,
>
> Kurt
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From jvonau at home.com Sat Apr 28 10:50:06 2001
From: jvonau at home.com (Jerry Vonau)
Date: Sat, 28 Apr 2001 10:50:06 -0500
Subject: [pptp-server] Howto with patches that works?
References: <20010428161818.A4558@lyngstol.kvalito.no>
Message-ID: <3AEAE6AD.F71A8154@home.com>

Kristian:

If you're looking for pppd pre-patched for just encryption try:

http://merced.needsabeating.com/pptp.html

Jerry Vonau

Kristian Lyngstøl wrote:
> Hi all,
>
> I have been running pptpd for some time now, but am having problems of different
> types. I have gotten mschap of all kinds to work, but am having some problems
> with mppe encryption. I have poked around with different pppd versions with
> patches and the same with pptpd itself, but still, some weird problems appear.
>
> Since I know this should work, I simply wonder if someone can direct me to a
> howto that is confirmed to work, preferably for 2.2.x kernels. That is, a howto
> that lists the specific patches I need to apply and what versions would work, etc.
>
> Anybody know of such a howto? I have no problems with compiling stuff and
> installing, but what I need is some kind of "this patch with this version works,
> get it from ...." .
>
> --
> Med vennlig hilsen / Best regards
> ---------------------------------+-------------------------
> Kristian Lyngstøl                | Kvalito IT AS avd. Oslo
> tlf: 90 84 24 35                 | 21 00 99 00
> mail: kristianl at oslo.kvalito.no | oslo at kvalito.no
> ---------------------------------+-------------------------
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From poet at linuxports.com Sat Apr 28 10:19:21 2001
From: poet at linuxports.com (Poet/Joshua Drake)
Date: Sat, 28 Apr 2001 08:19:21 -0700 (PDT)
Subject: [pptp-server] Unsubscribe poet@linuxports.com
In-Reply-To:
Message-ID:

Unsubscribe poet at linuxports.com

From nesquik at lyngstol.kvalito.no Sat Apr 28 12:01:53 2001
From: nesquik at lyngstol.kvalito.no (=?iso-8859-1?Q?Kristian_Lyngst=F8l?=) Date: Sat, 28 Apr 2001 19:01:53 +0200 Subject: [pptp-server] Howto with patches that works? In-Reply-To: <3AEAE6AD.F71A8154@home.com>; from jvonau@home.com on Sat, Apr 28, 2001 at 10:50:06AM -0500 References: <20010428161818.A4558@lyngstol.kvalito.no> <3AEAE6AD.F71A8154@home.com> Message-ID: <20010428190153.B13716@lyngstol.kvalito.no> On Sat, Apr 28, 2001 at 10:50:06AM -0500, Jerry Vonau wrote: > > Kristian: > > If your looking for pppd pre patched for just encryption try: > > http://merced.needsabeating.com/pptp.html > > Jerry Vonau > > Kristian Lyngst?l wrote: > > > Hi all, > > > > I have been running pptpd for some time now, but am haveing problems of diffrent > > types. I have gotten mschap of all kinds to work, but am haveing some problems > > with mppe encryption. I have poked around with diffrent pppd versions with > > patches and the same with pptpd it self, but still, some weird problems appear. > > > > Since I know this should work, I simply wonder if someone can direct me to a > > howto that is confirmed to work, preferably for 2.2.x kernels. That is, a howto > > that list up the specific patches I need to apply and what versions would work, etc. > > > > Anybody know of such a howto? I have no problems with compiling stuff and > > installing, but what I need is some kind of "this patch with this version works, > > get it from ...." . > > > > -- > > Med vennlig hilsen / Best regards > > ---------------------------------+------------------------- > > Kristian Lyngst?l | Kvalito IT AS avd. Oslo > > tlf: 90 84 24 35 | 21 00 99 00 > > mail: kristianl at oslo.kvalito.no | oslo at kvalito.no > > ---------------------------------+------------------------- > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! 
>

Hi Jerry,

I was more like looking for a set of patches and versions that is known to compile (with little effort) and actually work, not a precompiled package.
But I will try this solution, since if it works, it would be just as good as if I knew what was done with the package :-)

--
Med vennlig hilsen / Best regards
---------------------------------+-------------------------
Kristian Lyngstøl                | Kvalito IT AS avd. Oslo
tlf: 90 84 24 35                 | 21 00 99 00
mail: kristianl at oslo.kvalito.no | oslo at kvalito.no
---------------------------------+-------------------------

From awilliam at whitemice.hn.org Sat Apr 28 15:02:21 2001
From: awilliam at whitemice.hn.org (Adam Tauno Williams)
Date: Sat, 28 Apr 2001 16:02:21 -0400
Subject: [pptp-server] Howto with patches that works?
In-Reply-To: <20010428190153.B13716@lyngstol.kvalito.no>
References: <20010428161818.A4558@lyngstol.kvalito.no> <3AEAE6AD.F71A8154@home.com> <20010428190153.B13716@lyngstol.kvalito.no>
Message-ID: <20010428160221.200e60fd.awilliam@whitemice.org>

>I was more like looking for a set of patches and versions that is known to compile
>(with little effort) and actually work, not a precompiled package.
>But I will try this solution, since if it works, it would be just as good as
>if I knew what was done with the package :-)

My version of pppd at http://ldapconsole.sourceforge.net has all the patches and works with the 2.2.x kernels, but apparently not with 2.4.x kernels. If you try it, please let me know.

From dreadboy at hotmail.com Sat Apr 28 15:15:24 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Sat, 28 Apr 2001 14:15:24 -0600
Subject: [pptp-server] Howto with patches that work
Message-ID:

Check my site. No one's complained yet.

http://members.home.net/dont-bug-me/pptpd/

From kurt.glazemakers at dedigate.com Sat Apr 28 15:54:55 2001
From: kurt.glazemakers at dedigate.com (Kurt Glazemakers)
Date: Sat, 28 Apr 2001 22:54:55 +0200
Subject: [pptp-server] Troubles with W2000 pptp connection
Message-ID:

Hi again,

first my thanks (especially Jerry) for the quick reply I got on my previous mail this day. Hopefully after solving this problem my setup will work.

Everything compiled and installed without problems, but now I have some troubles making a PPTP connection from W2000 to my Linux box. I'm now trying to set up one single PPTP connection before I try to use the IP allocations on the multiple interfaces.

My linux box is running RedHat 7.0 with Kernel 2.2.17, pptpd-1.0.1 and ppp 2.3.11

The windows error I got is: "TCP/IP CP reported 738: The server did not assign an address"

My Linux log file gives the following output:

Apr 29 04:30:20 pptp pptpd[5819]: CTRL: Client 192.168.6.26 control connection started
Apr 29 04:30:20 pptp pptpd[5819]: CTRL: Starting call (launching pppd, opening GRE)
Apr 29 04:30:20 pptp pppd[5820]: pppd 2.3.11 started by root, uid 0
Apr 29 04:30:20 pptp pppd[5820]: Using interface ppp0
Apr 29 04:30:20 pptp pppd[5820]: Connect: ppp0 <--> /dev/pts/0
Apr 29 04:30:20 pptp pptpd[5819]: Unexpected sequence number; got 0 after 0
Apr 29 04:30:20 pptp pptpd[5819]: Discarding out-of-order packet 0, already have 0
Apr 29 04:30:22 pptp pptpd[5819]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr 29 04:30:22 pptp pppd[5820]: MSCHAP-v2 peer authentication succeeded for client1
Apr 29 04:30:22 pptp pptpd[5819]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr 29 04:30:22 pptp pppd[5820]: MPPE 40 bit, stateless compression enabled
Apr 29 04:30:22 pptp pppd[5820]: LCP terminated by peer ()M-BLM-^H^@

Just an idea for testing: set up in the pptpd.conf file the IP ranges like so.
localip 10.0.1.x-x,10.0.2.x-x,10.0.3.x-x
remoteip 10.0.1.x-x,10.0.2.x-x,10.0.3.x-x

Then in the /etc/ppp/chap-secrets or whichever file you use to configure the users, specify a static address for each client in the 10.0.1, 2 or 3 network, an IP address instead of dynamic assignment. See if proxy arp is smart enough to translate the clients into the proper subnet without recoding. Keep me up to date if this works or not, I have a few things like this that I will need to do as well.

Thanks,
Trevor

-----Original Message-----
From: Kurt Glazemakers [mailto:kurt.glazemakers at dedigate.com]
Sent: Saturday, April 28, 2001 3:46 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Proxy arp on multiple interfaces

Hi,

I want to use the pptp server as follows:

                 internet
                    |
                    |eth0
         [.....pptp-server......]
           |      |      |      |
           |eth1  |eth2  |eth3  |eth4
10.0.x.x/24  1.1/24 2.1/24 3.1/24 4.1/24

I have 4 pptp-accounts and I want client A to have a proxy arped IP-address 10.0.1.1/24 on eth1, client B a proxy arped on eth2 (10.0.2.1/24), etc ... just depending on the logon and password they use.

I'm already aware that this probably needs some reprogramming, unless someone needed this feature before. Can anyone of you give me some tips to start? I assume you need to change the ipcp.c file, and somewhere add some features to the parse code for the configuration file. Or is there something else that needs to be changed as well?

many thanks already in advance,

Kurt
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From chris.dos at clarent.com Sat Apr 28 16:59:53 2001
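The static-address approach Jerry and Trevor describe (one chap-secrets address per account, proxy ARP picking the matching interface), as an added example that is not code from the list or from poptop. It assumes the build that takes the client address from chap-secrets (the --with-pppd-ip-alloc configure option mentioned above) and checks, before anyone dials in, which interface subnet each client's address falls in; the interface table and the chap-secrets content are constructed.

```python
"""
Place each chap-secrets client on the server interface whose subnet holds
the client's static address, which is what proxy ARP needs for the
one-subnet-per-account layout in the thread. Added example for this thread,
not code from the list or from poptop. It assumes the client IP is taken
from chap-secrets (the --with-pppd-ip-alloc build); the interface table and
the secrets below are constructed samples.
"""
import ipaddress


def parse_chap_secrets(text):
    """Yield (client, server, [addresses]) from chap-secrets text.

    Fields are: client server secret [ip-addresses...]; '*' (or nothing)
    means any address. Quoted secrets containing whitespace and pppd's
    '-addr' exclusions are not modelled here."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed chap-secrets line: {raw!r}")
        client, server = fields[0], fields[1]
        addrs = fields[3:] or ["*"]
        yield client, server, addrs


def interface_networks(interfaces):
    """{'eth1': '10.0.1.1/24', ...} -> {'eth1': (own address, network)}."""
    out = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        out[name] = (iface.ip, iface.network)
    return out


def place_clients(chap_secrets, interfaces, server_name="pptp"):
    """Return {client: status}: an interface name, 'dynamic' (no static
    address, so the remoteip pool decides), or 'unplaced:<reason>'."""
    nets = interface_networks(interfaces)
    placement = {}
    for client, server, addrs in parse_chap_secrets(chap_secrets):
        if server not in ("*", server_name):
            continue  # entry for some other server name
        if addrs == ["*"]:
            placement[client] = "dynamic"
            continue
        # pppd accepts a list of addresses; the first one is what we place
        ip = ipaddress.ip_interface(addrs[0]).ip
        hit = [name for name, (_own, net) in nets.items() if ip in net]
        if not hit:
            placement[client] = "unplaced:no interface on that subnet"
        elif ip == nets[hit[0]][0]:
            placement[client] = "unplaced:collides with interface address"
        else:
            placement[client] = hit[0]
    return placement


# Constructed sample: the server side of each subnet in the thread's layout.
INTERFACES = {"eth1": "10.0.1.1/24", "eth2": "10.0.2.1/24",
              "eth3": "10.0.3.1/24", "eth4": "10.0.4.1/24"}

# Constructed chap-secrets: one static address per account, one dynamic
# account, one address on no interface and one that collides with eth3.
CHAP_SECRETS = """\
# client   server  secret    IP addresses
clientA    pptp    secretA   10.0.1.10
clientB    pptp    secretB   10.0.2.10
clientC    pptp    secretC   *
clientD    pptp    secretD   10.0.9.10
clientE    pptp    secretE   10.0.3.1
"""

if __name__ == "__main__":
    for client, where in place_clients(CHAP_SECRETS, INTERFACES).items():
        print(f"{client:8} -> {where}")
```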
From: chris.dos at clarent.com (Chris Dos)
Date: Sat, 28 Apr 2001 15:59:53 -0600
Subject: [pptp-server] Two Problems
Message-ID: <3AEB3D59.B414D531@clarent.com>

I got PoPTop working great. Thanks to all the great instructions around on making this happen. Especially http://www.vibrationresearch.com/pptpd. This information almost single-handedly saved me countless hours. I tried getting PoPTop working way back prior to version 1.0 and there were just too many problems getting encryption to work right. But with this new documentation, it only took about five hours to get everything working. And I rolled out another server in about 45 minutes. Great job on this.

Now, for the two little issues that I'd like to try and solve:

I'd like to push down routes through the connection when they connect. This way they don't have to set the PPTP connection as their default route, and won't be seeing their traffic when they download MP3's at home. I'm sure there must be a way to do this, I just haven't been able to uncover it. Any ideas?

The second seems to be an issue when there is more than one person connecting to my PoPToP server through a NAT'd connection on their end. They can connect fine to a true Windows NT PPTP server, but not to my PoPToP server. They are both sitting behind the same cable modem (most likely AT&T's cable modem) and being NAT'd through said cable modem.

Other than these two things, it's working great. Oh, we are seeing much better performance on the Linux PPTP server than the true Windows NT PPTP. A major two thumbs up for the hackers involved in this project!

Chris Dos
--
Chris Dos
Lead Unix Engineer
Clarent Corporation

From berzerke at swbell.net Sat Apr 28 21:48:34 2001
From: berzerke at swbell.net (robert) Date: Sat, 28 Apr 2001 21:48:34 -0500 Subject: [pptp-server] Troubles with W2000 pptp connection In-Reply-To: References: Message-ID: <01042821483400.01241@linux>

Try this options file.

name *
lock
mtu 1490
mru 1490
proxyarp
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-128
mppe-40
mppe-stateless

On Saturday 28 April 2001 15:54, Kurt Glazemakers wrote:
> Hi again,
>
> first my thanks (especially Jerry) for the quick reply I got on my
> previous mail this day. Hopefully after solving this problem my
> setup will work.
>
> Everything compiled and installed without problems, but now I have some
> troubles making a PPTP connection from W2000 to my Linux box. I'm now
> trying to set up one single PPTP connection before I can try to use the
> IP-allocations on the multiple interfaces.
>
> My linux box is running RedHat 7.0 with Kernel 2.2.17, pptpd-1.0.1 and
> ppp 2.3.11
>
> The windows error I got is: "TCP/IP CP reported 738: The server did
> not assign an address"
>
> My Linux log file gives the following output:
>
> Apr 29 04:30:20 pptp pptpd[5819]: CTRL: Client 192.168.6.26 control connection started
> Apr 29 04:30:20 pptp pptpd[5819]: CTRL: Starting call (launching pppd, opening GRE)
> Apr 29 04:30:20 pptp pppd[5820]: pppd 2.3.11 started by root, uid 0
> Apr 29 04:30:20 pptp pppd[5820]: Using interface ppp0
> Apr 29 04:30:20 pptp pppd[5820]: Connect: ppp0 <--> /dev/pts/0
> Apr 29 04:30:20 pptp pptpd[5819]: Unexpected sequence number; got 0 after 0
> Apr 29 04:30:20 pptp pptpd[5819]: Discarding out-of-order packet 0, already have 0
> Apr 29 04:30:22 pptp pptpd[5819]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Apr 29 04:30:22 pptp pppd[5820]: MSCHAP-v2 peer authentication succeeded for client1
> Apr 29 04:30:22 pptp pptpd[5819]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Apr 29 04:30:22 pptp pppd[5820]: MPPE 40 bit, stateless compression enabled
> Apr 29 04:30:22 pptp pppd[5820]: LCP terminated by peer ()M-BLM-^H^@
> Apr 29 04:30:22 pptp pppd[5820]: Modem hangup
> Apr 29 04:30:22 pptp pppd[5820]: Connection terminated.
> Apr 29 04:30:22 pptp pppd[5820]: Connect time 0.1 minutes.
> Apr 29 04:30:22 pptp pppd[5820]: Sent 701 bytes, received 694 bytes.
> Apr 29 04:30:22 pptp pppd[5820]: Exit.
> Apr 29 04:30:22 pptp pptpd[5819]: GRE: read error: Bad file descriptor
> Apr 29 04:30:22 pptp pptpd[5819]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
> Apr 29 04:30:22 pptp pptpd[5819]: CTRL: Client 192.168.6.26 control connection finished
>
> My pptp.conf file:
>
> debug
> localip 10.20.100.4
> remoteip 10.20.100.240
>
> My options.pptp:
> lock
> debug
> name pptp
> mtu 1490
> mru 1490
> proxyarp
> refuse-pap
> +chap
> +chapms
> +chapms-v2
> mppe-40
> mppe-128
> mppe-stateless
> ms-dns 10.10.202.26
>
> My chap-secrets:
> # Secrets for authentication using CHAP
> # client server secret IP addresses
> client1 pptp test1 *
> #client2 pptp test2 10.20.2.2
> #client3 pptp test3 10.20.3.2
>
> My modules.conf
> alias eth0 eepro100
> alias eth1 rtl8139
> alias char-major-108 off # This will be different for 2.3.x kernels
> alias ppp-compress-18 ppp_mppe
> alias ppp-compress-21 bsd_comp
> alias ppp-compress-24 ppp_deflate
> alias ppp-compress-26 ppp_deflate
>
> ifconfig:
> eth0 Link encap:Ethernet HWaddr 00:03:47:16:85:CC
>      inet addr:10.20.100.4 Bcast:10.20.100.255 Mask:255.255.255.0
>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>      RX packets:138 errors:0 dropped:0 overruns:0 frame:0
>      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>      collisions:0 txqueuelen:100
>      Interrupt:9 Base address:0xde80
>
> eth1 Link encap:Ethernet HWaddr 00:E0:7D:95:9F:9F
>      inet addr:192.168.7.4 Bcast:192.168.7.255 Mask:255.255.255.0
>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>      RX packets:2771 errors:0 dropped:0 overruns:0 frame:0
>      TX packets:2553 errors:0 dropped:0 overruns:0 carrier:0
>      collisions:0 txqueuelen:100
>      Interrupt:10 Base address:0xd800
>
> proxy_arp and ip_forward are both set to 1 in the /proc/sys/net...
>
> Anyone an idea?
>
> Thanks,
>
> Kurt
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From vgill at technologist.com Sun Apr 29 18:59:21 2001
From: vgill at technologist.com (Gill, Vern) Date: Sun, 29 Apr 2001 16:59:21 -0700 Subject: [pptp-server] connection problems Message-ID: <8D043DEA73DFD411958A00A0C90AB760045B0C@ftp.gillnet.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

See the options file on site, http://linus.yi.org
Go to the PPP page

PGP Signed! Why?
"If all the personal computers in the world - ~260 million computers - were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message."
- - William Crowell, Deputy Director of the National Security Agency, in testimony to the U.S. Congress, March 20, 1997

- -----Original Message-----
From: Chetan Ganpati [mailto:chetan_off at yahoo.com] Sent: Friday, April 27, 2001 3:25 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] connection problems

Hello,

Can anyone help me with this? I have set up pptp on a RedHat 6.2 machine. When I connect from Win9x machines it works fine, but when I connect from a win2x I am able to connect but not ping the machines on the network. These are the messages in /var/log/messages:

Connect: ppp0 <--> /dev/pts/1
GRE: Discarding duplicate packet
CTRL: Ignored a SET LINK INFO packet with real ACCMs!
MSCHAP-v2 peer authentication succeeded for user
found interface eth1 for proxy arp
local IP address 192.168.0.80
remote IP address 192.168.0.70
CTRL: Ignored a SET LINK INFO packet with real ACCMs!
LCP terminated by peer (BM-^JuM-&^@

iQA/AwUBOuyquReamMdwy9TXEQJpKACgoKavSGeZtyrdZQPL2DFrAFkQZSEAn3Tx
iLv7X0mFRwviJMIAtkgWUvIy
=4m1X
-----END PGP SIGNATURE-----

From bkelly at coastsystems.net Sun Apr 29 21:45:22 2001
From: bkelly at coastsystems.net (Boyd Kelly) Date: Sun, 29 Apr 2001 19:45:22 -0700 Subject: [pptp-server] Newbie info Message-ID:

I am setting up a small win2k network connected to the internet via DSL, and I am interested in having remote access to log on to the server. I will be using a Linux firewall, and have looked at the VPN masquerade How-to. Can PoPTop be of any use to me?

Boyd Kelly (MCSE)
Network Specialist
Coast Systems
T: 738-0959 C: 837-0765 E: bkelly at coastsystems.net

From lantzen at lifestyle.lokal Mon Apr 30 04:13:48 2001
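The two failing calls quoted above (Kurt's W2000 session and Chetan's win2k session) show the same shape in the log: MS-CHAPv2 succeeds, MPPE comes up, and the peer then terminates LCP. The script below is an added example for this archive, not code from PoPToP, pppd or any poster here: it parses pptpd/pppd syslog lines of that form, records what was negotiated, and flags the things a security-minded admin would want to know, in particular a call that settled for 40-bit MPPE. The sample lines are constructed to mirror the excerpts quoted in the thread; the heuristics (a "LCP terminated by peer" right after authentication pointing at the options file pppd was actually given, GRE sequence noise at call start being harmless) are assumptions drawn from how the threads on this page were resolved.

```python
"""Triage of pptpd/pppd syslog lines for one PPTP call.

Added example for this list thread; not code from PoPToP or pppd. The sample
lines below are constructed to mirror the excerpts quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# syslog prefix as in the quoted logs: "Apr 29 04:30:20 pptp pppd[5820]: msg"
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>pptpd|pppd)\[\d+\]: (?P<msg>.*)$"
)


@dataclass
class CallReport:
    client: Optional[str] = None          # peer address from the CTRL line
    user: Optional[str] = None            # MS-CHAPv2 login that succeeded
    mppe_bits: Optional[int] = None       # negotiated MPPE key length
    lcp_terminated_by_peer: bool = False  # client tore the link down itself
    gre_reorder: int = 0                  # GRE sequence warnings seen
    findings: List[str] = field(default_factory=list)


def parse(lines: Iterable[str]) -> Iterable[Tuple[str, str]]:
    """Yield (program, message) for lines written by pptpd or pppd."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("prog"), m.group("msg")


def triage(lines: Iterable[str]) -> CallReport:
    r = CallReport()
    for prog, msg in parse(lines):
        if prog == "pptpd":
            m = re.search(r"CTRL: Client (\S+) control connection started", msg)
            if m:
                r.client = m.group(1)
            if "Unexpected sequence number" in msg or "out-of-order packet" in msg:
                r.gre_reorder += 1
        else:  # pppd
            m = re.search(r"MSCHAP-v2 peer authentication succeeded for (\S+)", msg)
            if m:
                r.user = m.group(1)
            m = re.search(r"MPPE (\d+) bit", msg)
            if m:
                r.mppe_bits = int(m.group(1))
            if msg.startswith("LCP terminated by peer"):
                r.lcp_terminated_by_peer = True
    # Heuristics (assumptions, see lead-in), in the order they matter.
    if r.mppe_bits == 40:
        r.findings.append("40-bit MPPE negotiated; offer mppe-128 only")
    if r.user and r.lcp_terminated_by_peer:
        r.findings.append("authenticated, then the peer terminated LCP: the client "
                          "rejected the negotiated link; check which options file "
                          "pptpd.conf actually hands to pppd")
    if r.gre_reorder:
        r.findings.append(f"{r.gre_reorder} GRE sequence warning(s); a pair at call "
                          "start is usually harmless, a steady stream is not")
    if r.client and not r.user:
        r.findings.append("control connection opened but no MS-CHAPv2 success logged")
    return r


# Constructed sample input modelled on the failing call quoted in the thread.
SAMPLE_FAILED = [
    "Apr 29 04:30:20 pptp pptpd[5819]: CTRL: Client 192.168.6.26 control connection started",
    "Apr 29 04:30:20 pptp pptpd[5819]: CTRL: Starting call (launching pppd, opening GRE)",
    "Apr 29 04:30:20 pptp pppd[5820]: pppd 2.3.11 started by root, uid 0",
    "Apr 29 04:30:20 pptp pppd[5820]: Using interface ppp0",
    "Apr 29 04:30:20 pptp pptpd[5819]: Unexpected sequence number; got 0 after 0",
    "Apr 29 04:30:20 pptp pptpd[5819]: Discarding out-of-order packet 0, already have 0",
    "Apr 29 04:30:22 pptp pppd[5820]: MSCHAP-v2 peer authentication succeeded for client1",
    "Apr 29 04:30:22 pptp pppd[5820]: MPPE 40 bit, stateless compression enabled",
    "Apr 29 04:30:22 pptp pppd[5820]: LCP terminated by peer ()M-BLM-^H^@",
    "Apr 29 04:30:22 pptp pppd[5820]: Connection terminated.",
    "Apr 29 04:30:22 pptp pptpd[5819]: CTRL: Client 192.168.6.26 control connection finished",
]

# Constructed sample of a call that stays up with 128-bit MPPE.
SAMPLE_OK = [
    "Apr 30 09:00:01 pptp pptpd[6001]: CTRL: Client 192.168.6.27 control connection started",
    "Apr 30 09:00:01 pptp pppd[6002]: Using interface ppp0",
    "Apr 30 09:00:03 pptp pppd[6002]: MSCHAP-v2 peer authentication succeeded for client2",
    "Apr 30 09:00:03 pptp pppd[6002]: MPPE 128 bit, stateless compression enabled",
    "Apr 30 09:00:03 pptp pppd[6002]: local  IP address 10.20.100.4",
    "Apr 30 09:00:03 pptp pppd[6002]: remote IP address 10.20.100.240",
]

if __name__ == "__main__":
    for name, sample in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        report = triage(sample)
        print(name, report.client, report.user, report.mppe_bits)
        for finding in report.findings:
            print("  -", finding)
```

Run it against `grep -h 'pptpd\|pppd' /var/log/messages` output split per call; the point of the 40-bit check is that Kurt's options.pptp lists both mppe-40 and mppe-128, and the log shows the Windows client taking the weaker one.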
From: lantzen at lifestyle.lokal (Michael Lantzen) Date: Mon, 30 Apr 2001 11:13:48 +0200 Subject: [pptp-server] Suse 7.1 and Masquerading In-Reply-To: <9k989577988698.15370@mail2.hongkong.com> Message-ID:

Did someone here successfully configure the masquerading in Suse 7.1 Kernel 2.2.18 to support pptp for the clients behind it?

Thanks
Michael

From kurt.glazemakers at dedigate.com Mon Apr 30 06:04:25 2001
From: kurt.glazemakers at dedigate.com (Kurt Glazemakers) Date: Mon, 30 Apr 2001 13:04:25 +0200 Subject: FW: [pptp-server] Troubles with W2000 pptp connection Message-ID:

Sorry Guys, it was my mistake. I forgot the options.pptp file in pptpd.conf (How stupid can a man be?) It works fine now. I will never, never do it again :-)

Kurt

-----Original Message-----
From: Kurt Glazemakers Sent: zaterdag 28 april 2001 22:55 To: pptp-server at lists.schulte.org Subject: [pptp-server] Troubles with W2000 pptp connection

Hi again,

first my thanks (especially Jerry) for the quick reply I got on my previous mail this day. Hopefully after solving this problem my setup will work.

Everything compiled and installed without problems, but now I have some troubles making a PPTP connection from W2000 to my Linux box. I'm now trying to set up one single PPTP connection before I can try to use the IP-allocations on the multiple interfaces.

My linux box is running RedHat 7.0 with Kernel 2.2.17, pptpd-1.0.1 and ppp 2.3.11

The windows error I got is: "TCP/IP CP reported 738: The server did not assign an address"

My Linux log file gives the following output:

Apr 29 04:30:20 pptp pptpd[5819]: CTRL: Client 192.168.6.26 control connection started
Apr 29 04:30:20 pptp pptpd[5819]: CTRL: Starting call (launching pppd, opening GRE)
Apr 29 04:30:20 pptp pppd[5820]: pppd 2.3.11 started by root, uid 0
Apr 29 04:30:20 pptp pppd[5820]: Using interface ppp0
Apr 29 04:30:20 pptp pppd[5820]: Connect: ppp0 <--> /dev/pts/0
Apr 29 04:30:20 pptp pptpd[5819]: Unexpected sequence number; got 0 after 0
Apr 29 04:30:20 pptp pptpd[5819]: Discarding out-of-order packet 0, already have 0
Apr 29 04:30:22 pptp pptpd[5819]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr 29 04:30:22 pptp pppd[5820]: MSCHAP-v2 peer authentication succeeded for client1
Apr 29 04:30:22 pptp pptpd[5819]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr 29 04:30:22 pptp pppd[5820]: MPPE 40 bit, stateless compression enabled
Apr 29 04:30:22 pptp pppd[5820]: LCP terminated by peer ()M-BLM-^H^@

Yes Jerry, you were completely right. With this option it works really fine. I've tested it with three accounts, on three interfaces and no problem. He always seems to use the local IP in the same subnet as the remote IP. (The remote IPs I have configured in the chap-secrets file.) And I can connect to all the machines behind each interface.

Kurt

-----Original Message-----
From: Jerry Vonau [mailto:jvonau at home.com] Sent: zaterdag 28 april 2001 17:25 To: Kurt Glazemakers Cc: pptp-server at lists.schulte.org Subject: Re: [pptp-server] Proxy arp on multiple interfaces

Kurt:

If you compile pptp with ./configure --with-pppd-ip-alloc, then IPs will be assigned from the chap-secrets file, based on the user login name. The proxyarp option should pick up the required internal interface. Then comes the ipchains fun to make it all work right, but should be do-able.

Jerry Vonau

Kurt Glazemakers wrote:
> Hi,
>
> I want to use the pptp server as follows:
>
>                    internet
>                       |
>                       |eth0
>             [.....pptp-server......]
>              |       |       |       |
>              |eth1   |eth2   |eth3   |eth4
> 10.0.x.x/24  1.1/24  2.1/24  3.1/24  4.1/24
>
> I have 4 pptp-accounts and I want client A to have a proxy arped
> IP-address 10.0.1.1/24 on eth1, client B a proxy arped on eth2
> (10.0.2.1/24), etc ... just depending on the logon and password they
> use.
>
> I'm already aware that this probably needs some reprogramming, unless
> someone needed this feature before. Can anyone of you give me some
> tips to start? I assume you need to change the ipcp.c file, and
> somewhere add some features to the parse code for the configuration file.
> Or is there something else that needs to be changed as well?
>
> many thanks already in advance,
>
> Kurt
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From awdavis at waretec.com Mon Apr 30 12:46:45 2001
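Kurt's fix (a missing `option` line in pptpd.conf, so pppd never saw options.pptp) and Jerry's design (per-user addresses in chap-secrets, with proxyarp answering on whichever internal interface contains the address) are both things that can be checked before the first client dials in. The script below is an added example written for this archive, not code from PoPToP or pppd. It parses the three files as posted in this thread, maps each chap-secrets address to the attached interface whose subnet contains it, and reports the weak spots: no `option` line, PAP not refused, `mppe-40` still offered, and clients with no fixed address on any attached interface. The file contents and the four-interface layout are constructed from Kurt's postings; the interface list is passed in by hand rather than read from the kernel so it runs anywhere.

```python
"""Audit a PoPToP pptpd.conf / pppd options / chap-secrets set.

Added example for this list thread; not code from PoPToP or pppd. All file
contents and interface addresses below are constructed sample input modelled
on the postings in the thread (Kurt's options.pptp and his eth1..eth4 layout).
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Interface = Tuple[str, str, str]  # (name, address, netmask)


def _fields(text: str) -> List[List[str]]:
    """Whitespace-split fields of each non-empty, non-comment line.
    Assumption: '#' never appears inside a secret; real quoting is not handled."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def parse_pptpd_conf(text: str) -> Dict[str, Optional[str]]:
    conf: Dict[str, Optional[str]] = {"localip": None, "remoteip": None, "option": None}
    for f in _fields(text):
        if f[0] in conf and len(f) > 1:
            conf[f[0]] = f[1]
    return conf


def parse_options(text: str) -> Dict[str, Optional[str]]:
    """pppd options file: one option per line, optional single value."""
    return {f[0]: (f[1] if len(f) > 1 else None) for f in _fields(text)}


def parse_chap_secrets(text: str) -> List[Tuple[str, str, str, str]]:
    """client server secret [ip]; a missing IP column is treated as '*'."""
    return [(f[0], f[1], f[2], f[3] if len(f) > 3 else "*")
            for f in _fields(text) if len(f) >= 3]


def map_clients_to_interfaces(secrets, interfaces: Sequence[Interface]) -> Dict[str, Optional[str]]:
    """For each client with a fixed address, the attached interface whose subnet
    contains it (where proxyarp would answer). '*' (pool-assigned) maps to None."""
    nets = [(name, ipaddress.ip_interface(f"{addr}/{mask}").network)
            for name, addr, mask in interfaces]
    result: Dict[str, Optional[str]] = {}
    for client, _server, _secret, ip in secrets:
        if ip == "*":
            result[client] = None
            continue
        a = ipaddress.ip_address(ip)
        result[client] = next((name for name, net in nets if a in net), None)
    return result


def audit(pptpd_conf: str, options: str, chap_secrets: str,
          interfaces: Sequence[Interface]) -> List[str]:
    findings = []
    if parse_pptpd_conf(pptpd_conf)["option"] is None:
        findings.append("pptpd.conf: no 'option' line, so pppd reads /etc/ppp/options "
                        "and never sees options.pptp")
    opts = parse_options(options)
    if "refuse-pap" not in opts:
        findings.append("options: refuse-pap missing; a peer could negotiate cleartext PAP")
    if "+chapms-v2" not in opts:
        findings.append("options: +chapms-v2 missing; MS-CHAPv1 is the weaker exchange")
    if "mppe-40" in opts:
        findings.append("options: mppe-40 offered; a client may settle for 40-bit MPPE")
    if "mppe-128" not in opts:
        findings.append("options: mppe-128 missing")
    for client, iface in map_clients_to_interfaces(parse_chap_secrets(chap_secrets), interfaces).items():
        if iface is None:
            findings.append(f"chap-secrets: {client} has no fixed address on an attached "
                            "interface (pool-assigned, or proxyarp cannot answer for it)")
    return findings


# Constructed sample input (modelled on the thread, not copied from any host).
KURT_PPTPD_CONF = "debug\nlocalip 10.20.100.4\nremoteip 10.20.100.240\n"
FIXED_PPTPD_CONF = KURT_PPTPD_CONF + "option /etc/ppp/options.pptp\n"
KURT_OPTIONS = ("lock\ndebug\nname pptp\nmtu 1490\nmru 1490\nproxyarp\nrefuse-pap\n"
                "+chap\n+chapms\n+chapms-v2\nmppe-40\nmppe-128\nmppe-stateless\n"
                "ms-dns 10.10.202.26\n")
HARDENED_OPTIONS = KURT_OPTIONS.replace("mppe-40\n", "")
CHAP_SECRETS = ("# client server secret IP\n"
                "clientA pptp secretA 10.0.1.10\n"
                "clientB pptp secretB 10.0.2.10\n"
                "clientC pptp secretC 10.0.9.10\n"   # on no attached subnet
                "clientD pptp secretD *\n")          # pool-assigned
INTERFACES: List[Interface] = [("eth1", "10.0.1.1", "255.255.255.0"),
                               ("eth2", "10.0.2.1", "255.255.255.0"),
                               ("eth3", "10.0.3.1", "255.255.255.0"),
                               ("eth4", "10.0.4.1", "255.255.255.0")]

if __name__ == "__main__":
    for line in audit(KURT_PPTPD_CONF, KURT_OPTIONS, CHAP_SECRETS, INTERFACES):
        print("-", line)
```

On Kurt's posted files this reports the missing `option` line he found himself and the `mppe-40` that the log showed his client negotiating; with the corrected pptpd.conf and `mppe-40` removed, only the two clients without a usable fixed address remain. Whether the `option` keyword, `--with-pppd-ip-alloc`, or a stock build is what makes chap-secrets addresses take effect on a given pptpd version is left as the thread leaves it; the script only checks the files.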
From: awdavis at waretec.com (Andrew W. Davis) Date: Mon, 30 Apr 2001 12:46:45 -0500 Subject: [pptp-server] Samba 2.2 & nt auth solution? Message-ID: <20010430124645.A724@falcon.waretec.com>

finally samba 2.2 is here! it should now be possible to authenticate connecting vpn users against a nt domain controller. if anyone has tried this yet, please let me know your success/horror stories. I'll be getting into the thick of things this next week with this project. all input would be appreciated. It's my understanding that full functionality is only possible with a 2.4 kernel. I haven't had a huge amount of success with the new kernel, but has anyone compiled it to work with poptop and running a functional vpn server w/it?

all inquiries/replies/input welcome...

Andrew

From janne at vicetech.se Mon Apr 30 13:59:05 2001
From: janne at vicetech.se (Jan Karlsson) Date: Mon, 30 Apr 2001 20:59:05 +0200 Subject: [pptp-server] Scripts Message-ID: <004e01c0d1a7$a143e9a0$4bf411c3@vicetech.se>

Hello, I wonder if there's a possibility to make scripts run when you log in to the pptpd server. Like net use scripts and stuff like that..

Best regards
Janne

From siegmann.josephm at kendle.com Mon Apr 30 15:12:23 2001
From: siegmann.josephm at kendle.com (siegmann.josephm at kendle.com) Date: Mon, 30 Apr 2001 16:12:23 -0400 Subject: [pptp-server] Connection Manager 1.2 and Secure ID Cards Message-ID:

Does anyone know how to make the Secure ID part work with the MS Connection Manager PPTP Client? Is it possible?

thanks

From Tbenson at associatedbp.com Mon Apr 30 17:55:52 2001
From: Tbenson at associatedbp.com (Trevor Benson) Date: Mon, 30 Apr 2001 15:55:52 -0700 Subject: [pptp-server] Proxy arp on multiple interfaces Message-ID: <378253B6F337D411BB0B009027C3F0432CE656@EMAILSERVER>

Isn't pptp default to with-pppd-ip-alloc enabled? I am using the chap-secrets to assign IPs and just did a stock ./configure. The rest was just specifying static IPs and the local pools to represent the clients on the LAN, which is all I had to do to get the same result. Hmm.

Thanks,
Trevor

-----Original Message-----
From: Kurt Glazemakers [mailto:kurt.glazemakers at dedigate.com] Sent: Monday, April 30, 2001 4:10 AM To: pptp-server at lists.schulte.org Subject: RE: [pptp-server] Proxy arp on multiple interfaces

Yes Jerry, you were completely right. With this option it works really fine. I've tested it with three accounts, on three interfaces and no problem. He always seems to use the local IP in the same subnet as the remote IP. (The remote IPs I have configured in the chap-secrets file.) And I can connect to all the machines behind each interface.

Kurt

-----Original Message-----
From: Jerry Vonau [mailto:jvonau at home.com] Sent: zaterdag 28 april 2001 17:25 To: Kurt Glazemakers Cc: pptp-server at lists.schulte.org Subject: Re: [pptp-server] Proxy arp on multiple interfaces

Kurt:

If you compile pptp with ./configure --with-pppd-ip-alloc, then IPs will be assigned from the chap-secrets file, based on the user login name. The proxyarp option should pick up the required internal interface. Then comes the ipchains fun to make it all work right, but should be do-able.

Jerry Vonau

Kurt Glazemakers wrote:
> Hi,
>
> I want to use the pptp server as follows:
>
>                    internet
>                       |
>                       |eth0
>             [.....pptp-server......]
>              |       |       |       |
>              |eth1   |eth2   |eth3   |eth4
> 10.0.x.x/24  1.1/24  2.1/24  3.1/24  4.1/24
>
> I have 4 pptp-accounts and I want client A to have a proxy arped
> IP-address 10.0.1.1/24 on eth1, client B a proxy arped on eth2
> (10.0.2.1/24), etc ... just depending on the logon and password they
> use.
>
> I'm already aware that this probably needs some reprogramming, unless
> someone needed this feature before. Can anyone of you give me some
> tips to start? I assume you need to change the ipcp.c file, and
> somewhere add some features to the parse code for the configuration file.
> Or is there something else that needs to be changed as well?
>
> many thanks already in advance,
>
> Kurt
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From Tbenson at associatedbp.com Mon Apr 30 18:03:13 2001
From: Tbenson at associatedbp.com (Trevor Benson) Date: Mon, 30 Apr 2001 16:03:13 -0700 Subject: [pptp-server] Scripts Message-ID: <378253B6F337D411BB0B009027C3F0432CE657@EMAILSERVER>

Depends on the login I would say. For the NT or Samba network logins you can create a batch file in the NETLOGON directory and usually it runs, as long as your user logs in to the workstation with the user and password of the NT account they need. I am not quite sure why it doesn't always execute login scripts though. Strangely enough, from my main laptop I configured for VPN connection I almost always get a login script, but if I move to another station and attempt it, even with my own account, it only works part of the time. I have checked and both systems are configured identically. Another way to run scripts would definitely be useful, although does anyone know why this might be intermittent on the NT scripts?

Thanks,
Trevor

-----Original Message-----
From: Jan Karlsson [mailto:janne at vicetech.se] Sent: Monday, April 30, 2001 11:59 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] Scripts

Hello, I wonder if there's a possibility to make scripts run when you log in to the pptpd server. Like net use scripts and stuff like that..

Best regards
Janne

From berzerke at swbell.net Mon Apr 30 18:20:03 2001
From: berzerke at swbell.net (robert) Date: Mon, 30 Apr 2001 18:20:03 -0500 Subject: [pptp-server] Samba 2.2 & nt auth solution? In-Reply-To: <20010430124645.A724@falcon.waretec.com> References: <20010430124645.A724@falcon.waretec.com> Message-ID: <01043018200300.11603@linux>

2.4 howto is at http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt

On Monday 30 April 2001 12:46, Andrew W. Davis wrote:
> finally samba 2.2 is here! it should now be possible to authenticate
> connecting vpn users against a nt domain controller. if anyone has tried
> this yet, please let me know your success/horror stories. I'll be getting
> into the thick of things this next week with this project. all input would
> be appreciated. It's my understanding that full functionality is only
> possible with a 2.4 kernel. I haven't had a huge amount of success with
> the new kernel, but has anyone compiled it to work with poptop and running
> a functional vpn server w/it?
>
> all inquiries/replies/input welcome...
>
> Andrew
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From Tbenson at associatedbp.com Mon Apr 30 18:40:52 2001
From: Tbenson at associatedbp.com (Trevor Benson) Date: Mon, 30 Apr 2001 16:40:52 -0700 Subject: FW: [pptp-server] Samba 2.2 & nt auth solution? Message-ID: <378253B6F337D411BB0B009027C3F0432CE65A@EMAILSERVER>

I'm in the middle of a rebuild right now of RedHat 7.1 and configuring samba 2.2.0 on it. I suppose I could toss poptop on it and see if they work well with the new kernel. I am as well interested in domain authentication for VPN accounts. Although I'm not sure if I can even put them on the same system, I will give it a try, and I have another system I could configure for other domain logins if it is needed. I would also love to hear any stories regarding VPN auth from domains.

Thanks,
Trevor

-----Original Message-----
From: Andrew W. Davis [mailto:awdavis at waretec.com] Sent: Monday, April 30, 2001 10:47 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] Samba 2.2 & nt auth solution?

finally samba 2.2 is here! it should now be possible to authenticate connecting vpn users against a nt domain controller. if anyone has tried this yet, please let me know your success/horror stories. I'll be getting into the thick of things this next week with this project. all input would be appreciated. It's my understanding that full functionality is only possible with a 2.4 kernel. I haven't had a huge amount of success with the new kernel, but has anyone compiled it to work with poptop and running a functional vpn server w/it?

all inquiries/replies/input welcome...

Andrew
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba

From lists at earthling.2y.net Mon Apr 30 22:46:58 2001
From: lists at earthling.2y.net (Justin Kreger) Date: Mon, 30 Apr 2001 23:46:58 -0400 (EDT) Subject: [pptp-server] Samba 2.2 & nt auth solution? In-Reply-To: <20010430124645.A724@falcon.waretec.com> Message-ID:

Unless somebody has written some brand new spankin' code to proxy MSCHAPv2 authentication to a PDC and/or a BDC, it can't be done as of yet. You can set it up/hack it to use PAP and then authenticate, but only in clear text, with two domain controllers. I have some info... in my mailspool, and in my head (most of it is here), on how it could be done. I'm sure with a little programming and some sleepless nights, it could be written......

My new boss has expressed interest in making it proxy authentication, but I do not have the time at the moment to sit down and write the code to do it. I will probably start work on the code to do it in three to four weeks. (I graduate from hell... errr I mean high school at the end of May.. So I will have the time soon, and I will write it barring half the servers having hardware failures at the office.)

Justin Kreger, MCP MCSE CCNA
jkreger at earthling.2y.net
jwkreger at uncg.edu

On Mon, 30 Apr 2001, Andrew W. Davis wrote:
> finally samba 2.2 is here! it should now be possible to authenticate
> connecting vpn users against a nt domain controller. if anyone has tried this
> yet, please let me know your success/horror stories. I'll be getting into
> the thick of things this next week with this project. all input would be
> appreciated. It's my understanding that full functionality is only possible
> with a 2.4 kernel. I haven't had a huge amount of success with the new kernel,
> but has anyone compiled it to work with poptop and running a functional vpn
> server w/it?
>
> all inquiries/replies/input welcome...
>
> Andrew
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>