[pptp-server] poptop and win2k client...

Varghese, Amith amith.varghese at tallan.com
Thu Jan 4 20:48:27 CST 2001


Jerry:

comments are denoted by %%

Thanks
Amith

-----Original Message-----
From: Jerry Vonau
Sent: Thursday, January 04, 2001 9:18 PM
To: Varghese, Amith
Subject: Re: [pptp-server] poptop and win2k client...


Amith:


##So let me get this straight, only 1 nic, right??

%%Yes only one ethernet card

>> How does it reach it, muti-networks on the same wire??

## OK the 255.255.254.0 joins the 192.168.4-5 ranges together,
##that is how the 2 sets of addresses talk to each other I think.

%%Yes this is correct

>> Can you ping 192.168.5.x from the pptp server?
>> If you can't, add a route for it

++ From the pptp server I can ping addresses on 192.168.5.x.
++ In fact if I do a traceroute to 192.168.5.221, I get

++ 1    192.168.5.221 (192.168.5.221)   0.664ms 0.319ms 0.293ms

++ I know it's strange, but that's the way our IT has set it up.
++ The default gateway of anything on 192.168.4.x and 192.168.5.x
++ is 192.168.4.1


The pool of available addresses that I have to give out to clients
is 192.168.5.230-240.  I followed the configuration details in
http://www.vibrationresearch.com/pptpd/example.html and got everything
up and running.  However, when I try to connect from my ISP (outside the
network), I can only connect intermittently.  At the bottom of my
message is my debug log.  When I try to connect (and when it fails) I
get errors that can be found in debug log #1.  However, if I keep
trying, eventually I will connect.  However, then I start getting
errors in debug log #2.

Once I do connect, however, I can not ping anything
except for the IP that the VPN server gave me.
## see ipchains below

I'm not sure if this has anything to do with the fact that
my VPN server is on a different subnet than my client IP pool.

>> yes,  may be an ipchains and/or arp issue

>> What are your ipchain rules?
>> Most problems are caused by them.

>> proxyarp works but only for the local lan. 192.168.4.x
## incorrect, it should work with the subnet mask that you have

>> Could you do a     arp -an
>> Could you do a     cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
>> Could you do a     cat /proc/sys/net/ipv4/conf/all/proxy_arp
>> and tell me the output
>> A small drawing of your layout can help to understand your network.

>>eth0=192.168.4.244  goes to PIX firewall ??
>>eth1=192.168.5.x  goes to LAN ??

++ /sbin/ipchains -P forward DENY
++ /sbin/ipchains -P output DENY
++ /sbin/ipchains -P input DENY
++
++ /sbin/ipchains -A input -i eth0 -s 192.168.1.0/255.255.252.0 -j ACCEPT
## do you use this for ipsec??
%% I do not use IPSEC since my outside address is NATed,
%% but I have holes open for it.  I guess I should really
%% close them.  If you are referring to why I have
%% 192.168.1.0 in the above rule, it is because 192.168.1.x
%% is another subnet on our network.  However, this network
%% can only be reached by going to the 192.168.4.1 router.

++ /sbin/ipchains -A input -i eth0 -s 192.168.4.0/255.255.254.0 -j ACCEPT

++ /sbin/ipchains -A input -i eth0 -p TCP -d 0.0.0.0/0 22 -j ACCEPT
## what is this for ssh??
## I think you need a matching output rule.

%% I don't think I need an output rule because I allow anything
%% out that comes from the 192.168.4.x network (including the
%% ssh machine which is 192.168.4.244).  I use ssh on the outside
%% address and it seems to work.

++ /sbin/ipchains -A input -i lo -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -p TCP ! -y -j ACCEPT

++ /sbin/ipchains -A input -i eth0 -s 172.16.0.0/255.255.0.0 -j ACCEPT
++ /sbin/ipchains -A output -i eth0 -s 192.168.1.0/255.255.252.0 -d 0.0.0.0/0 -j ACCEPT
## do you use this for ipsec??

%% The 172.16.0.0 rule is for a VPN that we have set up on another PIX
%% - fun stuff, right :).  It's a VPN to our production environment.  That
%% VPN is using the PIX firewall (hardware on both ends) and is completely
%% transparent to the PPTP server.

++ /sbin/ipchains -A output -i eth0 -s 192.168.4.0/255.255.254.0 -d 0.0.0.0/0 -j ACCEPT
++ /sbin/ipchains -A output -i lo -j ACCEPT

##add:
##/sbin/ipchains -A forward -i eth0 -s 192.168.4.0/255.255.254.0 -j ACCEPT
##/sbin/ipchains -A forward -i ppp+ -s 192.168.4.0/255.255.254.0 -j ACCEPT
##you need this to forward the ppp connections, must load before any
##masq statements.

%% The other two statements make complete sense.  I don't see
%% why I left them out.  Thank you for pointing that out.


++ /sbin/ipchains -A forward -i eth0 -s 192.168.5.230/255.255.255.240 -j MASQ
## Why the different netmask??
## What are you trying to masq??

%% I will remove the MASQ statement... that was left over from an old
%% test.

++
++ # VPN stuff
++ /sbin/ipchains -A input -i eth0 -p udp -d 192.168.4.244/255.255.255.255 500 -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -p 50 -d 192.168.4.244/255.255.255.255 -j ACCEPT
##are you doing ipsec stuff??

%% Again, I'm not using IPSEC, I'll take it out.

++ /sbin/ipchains -A input -i eth0 -p tcp -d 192.168.4.244/255.255.255.255 1723 -j ACCEPT
++ /sbin/ipchains -A input -i eth0 -p 47 -d 192.168.4.244/255.255.255.255 -j ACCEPT

++ arp -an
++ ? (192.168.4.247) at 00:B0:D0:59:EA:2E [ether] on eth0

++ why is 4.247 here and not 4.244?  That seems strange

## You should not see your stuff just other machines.
## arp runs a cache it expires after a while.
##ping a few hosts on the 4 and 5 networks and rerun the arp -na
##you should see the IPs of the pinged hosts

++ cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
++ 0

++ cat /proc/sys/net/ipv4/conf/all/proxy_arp
++ 0

++ 192.168.4.244 is the pptp server and goes to the gateway which is 192.168.4.1.
++ To reach a machine on 192.168.5.x from the 4.x network it doesn't have to go to
++ the router.  The gateway machine is a cisco router.  I don't know offhand what



++ -----------------             --------------            ----------------------
++ | 192.168.4.244 |  ----     | 192.168.4.1 | -------- | Internal IP of PIX |
++ -----------------             --------------            ----------------------
++ pptp server                     router

++ there is a DMZ zone on the pix (don't know what the IP is either)
++ and then there is an outside address of the pix which is connected to
++ the internet


Also, one of the other things about my setup is that the public IP
address that I connect to from my ISP is actually an address that a PIX
firewall NATs to my internal machine (the PIX allows everything through,
including GRE and any needed PPTP control packets).  I am attaching all
of my relevant configuration files.  Any help would be appreciated.

++ Please let me know if there is any additional information you need
## Eth0 is the only nic right??

%% yes

##Jerry Vonau
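The thread above boils down to a handful of checks on the firewall and ARP state of the pptp server: forward rules for the ppp+ links must exist and be loaded before any MASQ rule, proxy_arp must be on for the clients to reach anything past the server, and the IPsec holes (udp/500 and protocol 50) serve no purpose when IPsec is not in use. The script below is an added example, not code from either poster or from the pptpd project: it runs those checks as text against a listing of ipchains rules plus a proxy_arp sysctl file. Both rule listings are constructed here (the "as posted" one is trimmed to the rules the thread discusses), and all function names are this script's own.

```shell
#!/bin/sh
# Added example (not from the list post or pptpd): audit an ipchains rule
# listing and a proxy_arp sysctl file for the points raised in the thread.
# Everything is plain text so it runs offline; sample rule sets are constructed.

# Constructed sample 1: the rules as posted (wrapped lines rejoined, trimmed).
RULES_AS_POSTED='/sbin/ipchains -P forward DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P input DENY
/sbin/ipchains -A input -i eth0 -s 192.168.4.0/255.255.254.0 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p TCP -d 0.0.0.0/0 22 -j ACCEPT
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.4.0/255.255.254.0 -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A output -i lo -j ACCEPT
/sbin/ipchains -A forward -i eth0 -s 192.168.5.230/255.255.255.240 -j MASQ
/sbin/ipchains -A input -i eth0 -p udp -d 192.168.4.244/255.255.255.255 500 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p 50 -d 192.168.4.244/255.255.255.255 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp -d 192.168.4.244/255.255.255.255 1723 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p 47 -d 192.168.4.244/255.255.255.255 -j ACCEPT'

# Constructed sample 2: the same set after Jerry's suggestions: forward rules
# for eth0 and ppp+ added, the stray MASQ rule and the unused IPsec holes gone.
RULES_FIXED='/sbin/ipchains -P forward DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P input DENY
/sbin/ipchains -A input -i eth0 -s 192.168.4.0/255.255.254.0 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p TCP -d 0.0.0.0/0 22 -j ACCEPT
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 192.168.4.0/255.255.254.0 -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A output -i lo -j ACCEPT
/sbin/ipchains -A forward -i eth0 -s 192.168.4.0/255.255.254.0 -j ACCEPT
/sbin/ipchains -A forward -i ppp+ -s 192.168.4.0/255.255.254.0 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp -d 192.168.4.244/255.255.255.255 1723 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p 47 -d 192.168.4.244/255.255.255.255 -j ACCEPT'

# Return 0 if the listing has forward ACCEPT rules for both eth0 and the ppp+ links.
has_ppp_forward_rules() {
  printf '%s\n' "$1" | grep -q -e '-A forward -i eth0 .*-j ACCEPT' &&
  printf '%s\n' "$1" | grep -q -e '-A forward -i ppp+ .*-j ACCEPT'
}

# Return 0 if the first forward ACCEPT rule is loaded before the first MASQ rule
# (or there is no MASQ rule at all), as the thread says it must be.
forward_accept_before_masq() {
  printf '%s\n' "$1" | awk '
    /-A forward .*-j ACCEPT/ && !a { a = NR }
    /-j MASQ/ && !m { m = NR }
    END { exit !(m == 0 || (a > 0 && a < m)) }'
}

# Print how many rules open IPsec (udp/500 for IKE, protocol 50 for ESP) to the
# server; with no IPsec in use these are holes with no purpose.
count_ipsec_rules() {
  printf '%s\n' "$1" | grep -c -E -e '-p (udp .* 500|50) ' || true
}

# Print how many rules open what PPTP actually needs: tcp/1723 for the control
# channel and protocol 47 (GRE) for the tunnel.
count_pptp_rules() {
  printf '%s\n' "$1" | grep -c -E -e '-p (tcp .* 1723|47) ' || true
}

# Return 0 if the proxy_arp sysctl file at $1 reads 1. The thread shows both
# /proc/sys/net/ipv4/conf/eth0/proxy_arp and .../all/proxy_arp reading 0.
proxy_arp_enabled() {
  [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# One-line-per-check summary for a listing and a proxy_arp file.
audit() {
  rules=$1; parp=$2
  has_ppp_forward_rules "$rules" && echo "forward rules for eth0+ppp+: ok" || echo "forward rules for eth0+ppp+: MISSING"
  forward_accept_before_masq "$rules" && echo "forward ACCEPT before MASQ: ok" || echo "forward ACCEPT before MASQ: BAD"
  echo "pptp rules (tcp/1723 + GRE): $(count_pptp_rules "$rules")"
  echo "ipsec rules (udp/500 + ESP): $(count_ipsec_rules "$rules")"
  proxy_arp_enabled "$parp" && echo "proxy_arp: on" || echo "proxy_arp: OFF"
}

# Usage on the constructed samples; a real run would pass the live
# /proc/sys/net/ipv4/conf/eth0/proxy_arp path as the second argument.
tmp=$(mktemp); printf '0\n' > "$tmp"
echo "--- as posted ---"; audit "$RULES_AS_POSTED" "$tmp"
printf '1\n' > "$tmp"
echo "--- fixed ---";     audit "$RULES_FIXED" "$tmp"
rm -f "$tmp"
```

The checks are deliberately textual (grep/awk over the rule lines) so they can be run against a saved copy of the firewall script on any machine, not only on a box that still has ipchains; the "as posted" listing fails the forward-rule and ordering checks and carries two IPsec rules, the fixed one passes with none.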
