[pptp-server] poptop and win2k client...

Varghese, Amith amith.varghese at tallan.com
Thu Jan 4 10:11:17 CST 2001


Jerry:

Thanks for your help.  All of my comments will be shown by ++ next to the text.

-----Original Message-----
From: Jerry Vonau
Sent: Thursday, January 04, 2001 10:13 AM
To: Varghese, Amith
Subject: Re: [pptp-server] poptop and win2k client...


Amith:

>> I'll deal with the local access issues, I'm not totally sure about the other issues.


I'm having some problems getting my VPN set up with poptop.  Sometimes I can connect and sometimes I can't.  Here is my information:

I'm running poptop on a Red Hat 6.1 machine with kernel version 2.2.18.  I'm running poptop version 1.1.2 and pppd version 2.3.11.  My internal IP of the VPN server is 192.168.4.244 and I have a network mask of 255.255.254.0 (to reach the 192.168.5.x subnet does not require me to go through a router).

>> How does it reach it, multi-networks on the same wire??
>> Can you ping 192.168.5.x from the pptp server?
>> If you can't, add a route for it

++ From the pptp server I can ping addresses on 192.168.5.x.
++ In fact if I do a traceroute to 192.168.5.221, I get

++ 1	192.168.5.221 (192.168.5.221)	0.664ms	0.319ms	0.293ms

++ I know it's strange, but that's the way our IT has set it up.
++ The default gateway of anything on 192.168.4.x and 192.168.5.x is 192.168.4.1


The pool of available addresses that I have to give out to clients is 192.168.5.230-240.  I followed the configuration details in http://www.vibrationresearch.com/pptpd/example.html and got everything up and running.  However, when I try to connect from my ISP (outside the network), I can only connect intermittently.  At the bottom of my message is my debug log.  When I try to connect (and when it fails) I get errors that can be found in debug log #1.  However, if I keep trying, eventually I will connect.  However, then I start getting errors in debug log #2.  Once I do connect, however, I cannot ping anything except for the IP that the VPN server gave me.


I'm not sure if this has anything to do with the fact that my VPN server is on a different subnet than my client IP pool.

>> yes, may be an ipchains and/or arp issue

>> What are your ipchain rules?
>> Most problems are caused by them.

>> proxyarp works but only for the local lan, 192.168.4.x
>> Could you do a   arp -an
>> Could you do a   cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
>> Could you do a   cat /proc/sys/net/ipv4/conf/all/proxy_arp
>> and tell me the output
>> A small drawing of your layout can help to understand your network.
>> eth0=192.168.4.244  goes to PIX firewall ??
>> eth1=192.168.5.x  goes to LAN ??

++ /sbin/ipchains -P forward DENY
++ /sbin/ipchains -P output DENY
++ /sbin/ipchains -P input DENY
++ 
++ /sbin/ipchains -A input -i eth0 -s 192.168.1.0/255.255.252.0 -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -s 192.168.4.0/255.255.254.0 -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -p TCP -d 0.0.0.0/0 22 -j ACCEPT
++ /sbin/ipchains -A input -i lo -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -p TCP ! -y -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -s 172.16.0.0/255.255.0.0 -j ACCEPT
++ /sbin/ipchains -A output -i eth0 -s 192.168.1.0/255.255.252.0 -d 0.0.0.0/0 -j ACCEPT
++ /sbin/ipchains -A output -i eth0 -s 192.168.4.0/255.255.254.0 -d 0.0.0.0/0 -j ACCEPT
++ /sbin/ipchains -A output -i lo -j ACCEPT
++ /sbin/ipchains -A forward -i eth0 -s 192.168.5.230/255.255.255.240 -j MASQ
++ 
++ # VPN stuff
++ /sbin/ipchains -A input -i eth0 -p udp -d 192.168.4.244/255.255.255.255 500 -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -p 50 -d 192.168.4.244/255.255.255.255 -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -p tcp -d 192.168.4.244/255.255.255.255 1723 -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -p 47 -d 192.168.4.244/255.255.255.255 -j ACCEPT

++ arp -an
++ ? (192.168.4.247) at 00:B0:D0:59:EA:2E [ether] on eth0

++ Why is 4.247 here and not 4.244?  That seems strange.

++ cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
++ 0

++ cat /proc/sys/net/ipv4/conf/all/proxy_arp
++ 0

++ 192.168.4.244 is the pptp server and goes to the gateway, which is 192.168.4.1.
++ To reach a machine on 192.168.5.x from the 4.x network it doesn't have to go to
++ the router.  The gateway machine is a Cisco router.  I don't know offhand what



++ -----------------      ---------------      ----------------------
++ | 192.168.4.244 | ---- | 192.168.4.1 | ---- | Internal IP of PIX |
++ -----------------      ---------------      ----------------------
++   pptp server            router

++ There is a DMZ zone on the PIX (don't know what the IP is either),
++ and then there is an outside address of the PIX which is connected to the internet.


Also, one of the other things about my setup is that the public IP address that I connect to from my ISP is actually an address that a PIX firewall NATs to my internal machine (the PIX allows everything through, including GRE and any needed PPTP control packets).  I am attaching all of my relevant configuration files.  Any help would be appreciated.

++ Please let me know if there is any additional information you need.

Thanks
Amith

>>Jerry Vonau
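Added example, not part of this thread and not poptop's or Jerry's code: a small Python matcher for the ipchains syntax used in the rule set above (the wrapped lines re-joined), run against a few constructed packets that a PPTP session produces: the TCP/1723 control connection and GRE on eth0, traffic from the client's pool address arriving on the ppp interface, and forwarding of pool addresses out of eth0. The remote address 203.0.113.9, the interface name ppp0 and the internal host 192.168.4.10 are assumptions. The matching semantics are the documented ipchains ones: first matching rule wins, otherwise the chain policy applies; addresses are compared after masking; in the forward chain -i names the output interface.

```python
"""Evaluate which ipchains rule (or policy) a packet would hit.

Added example; the rule set is the one posted in the thread, the packets
are constructed for illustration.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Rule set from the message (wrapped lines re-joined), fed verbatim.
RULESET = """
/sbin/ipchains -P forward DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P input DENY
/sbin/ipchains -A input -i eth0 -s 192.168.1.0/255.255.252.0 -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.4.0/255.255.254.0 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p TCP -d 0.0.0.0/0 22 -j ACCEPT
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A input -i eth0 -p TCP ! -y -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 172.16.0.0/255.255.0.0 -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.1.0/255.255.252.0 -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.4.0/255.255.254.0 -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A output -i lo -j ACCEPT
/sbin/ipchains -A forward -i eth0 -s 192.168.5.230/255.255.255.240 -j MASQ
# VPN stuff
/sbin/ipchains -A input -i eth0 -p udp -d 192.168.4.244/255.255.255.255 500 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p 50 -d 192.168.4.244/255.255.255.255 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp -d 192.168.4.244/255.255.255.255 1723 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p 47 -d 192.168.4.244/255.255.255.255 -j ACCEPT
"""


@dataclass
class Rule:
    chain: str
    target: str = ""
    iface: Optional[str] = None            # -i (output interface in "forward")
    proto: Optional[int] = None            # -p, None means any protocol
    src: ipaddress.IPv4Network = ANY       # -s, already masked
    dst: ipaddress.IPv4Network = ANY       # -d, already masked
    dport: Optional[Tuple[int, int]] = None  # port or port range after -d
    syn: Optional[bool] = None             # True: -y, False: ! -y, None: unspecified


@dataclass
class Packet:
    chain: str
    iface: str
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False


def _proto(tok: str) -> Optional[int]:
    tok = tok.lower()
    if tok == "all":
        return None
    return PROTO_NAMES[tok] if tok in PROTO_NAMES else int(tok)


def _ports(tok: str) -> Tuple[int, int]:
    lo, _, hi = tok.partition(":")          # "22" or "1024:65535"
    return int(lo), int(hi or lo)


def parse_ruleset(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Parse -P policies and -A rules; comments and blank lines are skipped."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if toks[0].endswith("ipchains"):
            toks = toks[1:]
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            raise ValueError("unsupported ipchains command: " + line)
        rule, i, negate = Rule(chain=toks[1]), 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":
                negate, i = True, i + 1
                continue
            if t == "-i":
                rule.iface, i = toks[i + 1], i + 2
            elif t == "-p":
                rule.proto, i = _proto(toks[i + 1]), i + 2
            elif t in ("-s", "-d"):
                # strict=False masks host bits, as ipchains does (e.g. .230/28 -> .224/28)
                net = ipaddress.IPv4Network(toks[i + 1], strict=False)
                i += 2
                ports = None
                if i < len(toks) and not toks[i].startswith(("-", "!")):
                    ports, i = _ports(toks[i]), i + 1   # optional port after address
                if t == "-s":
                    rule.src = net                      # source ports not modelled
                else:
                    rule.dst, rule.dport = net, ports
            elif t == "-y":
                rule.syn, i = (not negate), i + 1
            elif t == "-j":
                rule.target, i = toks[i + 1], i + 2
            else:
                raise ValueError("unsupported option %s in: %s" % (t, line))
            negate = False
        rules.append(rule)
    return policies, rules


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.chain != pkt.chain:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None:
        if pkt.dport is None or not rule.dport[0] <= pkt.dport <= rule.dport[1]:
            return False
    if rule.syn is not None and (pkt.proto != 6 or pkt.syn != rule.syn):
        return False
    return True


def verdict(policies: Dict[str, str], rules: List[Rule], pkt: Packet) -> str:
    """First matching rule's target, else the chain policy (ACCEPT if none set)."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.target
    return policies.get(pkt.chain, "ACCEPT")


def check_pptp_path() -> Dict[str, str]:
    """Constructed packets of one PPTP session, evaluated against the posted rules."""
    policies, rules = parse_ruleset(RULESET)
    server, remote, lan_host = "192.168.4.244", "203.0.113.9", "192.168.4.10"  # assumptions
    cases = {
        "control_syn_on_eth0": Packet("input", "eth0", 6, remote, server, 1723, True),
        "gre_on_eth0": Packet("input", "eth0", 47, remote, server),
        "ping_from_client_on_ppp0": Packet("input", "ppp0", 1, "192.168.5.230", lan_host),
        "reply_to_client_on_ppp0": Packet("output", "ppp0", 1, server, "192.168.5.230"),
        "forward_pool_235_via_eth0": Packet("forward", "eth0", 1, "192.168.5.235", lan_host),
        "forward_pool_240_via_eth0": Packet("forward", "eth0", 1, "192.168.5.240", lan_host),
    }
    return {name: verdict(policies, rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, result in check_pptp_path().items():
        print("%-28s %s" % (name, result))
```

Two things the run makes visible that are easy to miss when reading the rules by eye: every input and output rule is bound to eth0 or lo, so packets travelling inside the tunnel on the ppp interface fall through to the DENY policies in both directions, and the MASQ rule's mask 255.255.255.240 applied to 192.168.5.230 yields the block .224-.239, which leaves the pool's top address .240 outside it. A good habit before blaming routing or ARP is to run the posted rule set through a matcher like this with the exact interface, protocol and addresses each leg of the session uses.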


