[pptp-server] Can't Ping a Thing

Michael Ward mward at gwtr.com
Wed Jan 24 13:01:14 CST 2001


Good news to report -

Thanks to all the help from this group I now can ping (and therefore have
access to) resources on my private network from remotely connected pptp
clients.

I've seen that other folks are having the same trouble so I'm going to tell
you what is in place to make my connection work.  It's basically a
compilation of replies from contributors to this list.  I will not be
detailed, being a beginner with all this, but I think it will be helpful for
other beginners.

1.  I've got the pptp daemon running (per how-to at poptop.lineo.com,
including pptpd.conf and chap-secrets)
2.  Win98 client configured - tcp/ip properties are set to let server assign
ip address
3.  ipforwarding enabled in linux kernel (it was enabled by default on my
redhat 7.0 box)
	To check if IP_FORWARDING is currently enabled, type (as root):
	cat /proc/sys/net/ipv4/ip_forward
	If it returns 0, then IP_FORWARDING is disabled.
	To enable IP_FORWARDING (without re-booting), type (as root):
	echo "1" >/proc/sys/net/ipv4/ip_forward
	To ensure that IP_FORWARDING will be enabled at system boot-up, edit:
	/etc/sysconfig/network
	and ensure that the FORWARD_IPV4 variable is set to "yes". 
4. PPTP server's LAN Ethernet interface *MUST* be known as the proxy arp
	check /var/log/messaging for a proxyarp entry.
	check /etc/ppp/options add proxyarp if missing
	(see Steve Cowles post, 1/23/01)
5. IPChains - I have *No* rules setup in my ipchains and my connection works
perfectly.  This is because, in the absence of rules, the built-in chains
(input, output & forward) use their respective 'policy' to decide the fate
of any packet.  The default policy for all chains is ACCEPT, therefore all
packets are accepted.  This is obviously not a secure state to leave your
server in.  I personally like to get new services like pptp running without
complication, then add things like encryption and ipchains one at a time to
ease resolution of problems that may occur.
6.  Samba - While trying to figure out how to fix my lack of ping problem it
was suggested to me that Samba would help me out.  It turns out that Samba
is not required at all for pptp clients to access resources on my private
network
7. Default route - This also is not required

In my configuration clients are assigned addresses from the same subnet as
my private network.

BTW - If anyone cares to know, here's what was wrong with my setup that
prevented me from pinging private network resources from a connected pptp
client (if I was the type to get embarrassed this would do it)....

I had initially configured my win98 client to use a particular IP address,
instead of letting the server assign it.  I guess I was thinking I'd know
exactly what IP address I should be able to ping when it connected.  This
was before I understood that an address would be assigned from the
pptpd.conf file.  The first 'localip' address available (per my pptpd.conf
file) was the exact same ip address that I had statically assigned to my
remote win98 client (see where we're going here?) so....

As I followed through on the many suggestions I received from this list, it
turned into a process of elimination.  i.e. ipforwarding was indeed enabled
on my box, proxyarp was in my /etc/ppp/options file.  So as I went through
suggestions I eliminated them as the potential problem UNTIL - I checked
/var/log/messages and saw that both ends of my tunnel had the same ip
address.  I reconfigured my win98 client to let the server assign an address
and that was it.  Lesson learned.

**************************
Michael Ward
Global Water Technologies, Inc.
email: mward at gwtr.com
(303) 215-1100
**************************



-----Original Message-----
From: Jerry Vonau [mailto:jvonau at home.com]
Sent: Tuesday, January 23, 2001 5:44 PM
To: Michael Ward
Subject: Re: [pptp-server] Can't Ping a Thing


How's the battle going??

Jerry

Jerry Vonau wrote:

> Michael:
> check /var/log/messaging for a proxyarp entry.
> check /etc/ppp/options add proxyarp if missing.
> Are you using the same network addressing on the
> remote client  as on the lan? How about some snips?
>
> Jerry Vonau
>
> Michael Ward wrote:
>
> > Hey all -
> > I installed redhat linux 7 last week for the first time.  Until now I've
> > only known windows.  I'm the IT Manager for a company in Golden, CO and
> > want to do vpn on a linux box instead of microsoft.
> >
> > I have searched archives of this mailing list and found several
> > suggestions for fixing the problem I'm having.... Call me a little slow,
> > but it ain't workin'! (more accurately, I'm not workin' it.)
> >
> > I've got pptp setup and working (I can connect with win98 clients) and
> > have not setup encryption yet in an effort to keep it simple while I try
> > to get basic functionality.
> >
> > I have setup Samba and have it running (though I'm not sure if it's
> > required, different sources have pointed me in different directions).
> > Samba is aware of my WINS server on my internal network (how cool is
> > that? I bow down to Samba)
> >
> > I just read the ipchains how to.  I've tried specifically allowing
> > forwarding with a rule pulled from the PoPToP faq.
> >
> > The Problem (note capital P): I can not see (browse nor ping) from a
> > connected win98 client *anything* on my network.  I have a connection
> > but can't play.  Where's the fun?
> >
> > Questions:
> > 1.  What is the total equation to make this whole deal work (clients
> > should be able to browse to resources on internal servers)?  i.e. Is it
> > pptpd + samba + ipchains?  If these three are configured correctly am I
> > set?  Is there another piece of the puzzle?  I've read about and tried
> > messing around with default routes/routing tables to no avail.  What's
> > the skinny on the 'ideal setup', the basics that have to be there?
> >
> > 2.  *If* I leave ipchains with *no rules* set up at all, the default
> > policy (confirmed with ./ipchains -L) for all rules is ACCEPT.  Should
> > my box be forwarding all packets in this scenario?  It doesn't, nor can
> > I get it to forward packets to the private network by using rules pulled
> > from the poptop faq.
> >
> > 3.  Any specifics in implementing the 'ideal setup' are greatly
> > appreciated.
> >
> > Anyone feeling really generous is invited to give my dumb ass a call.
> > I'm sure I could learn a great deal in a few minutes of brain picking.
> >
> > Thank you all for your help (couldn't have gotten this far in a week
> > without it).
> >
> > Michael Ward
> > mward at gwtr.com
> > (303) 215-1100 (m-f 9-5 mst)
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
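
The checks from steps 3 and 4 of Michael Ward's message at the top of this thread, plus the address collision he names as the actual fault, collected into one shell script. This is an added example, not part of the original thread: the function names are hypothetical, the sample log is constructed, and the log check assumes pppd's usual "local  IP address" / "remote IP address" syslog lines.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Step 3: succeeds if FILE (normally /proc/sys/net/ipv4/ip_forward) holds 1.
forwarding_enabled() { [ "$(cat "$1" 2>/dev/null)" = "1" ]; }

# Step 4: succeeds if the pppd options file has an uncommented proxyarp line.
has_proxyarp() { grep -Eq '^[[:space:]]*proxyarp([[:space:]]|$)' "$1"; }

# Succeeds if IP is in LIST, given in pptpd.conf localip/remoteip syntax:
# comma-separated single addresses and/or a.b.c.LOW-HIGH ranges.
ip_in_list() {
    ip=$1; old_ifs=$IFS; IFS=,
    set -- $2                  # split the list on commas
    IFS=$old_ifs
    for part in "$@"; do
        case $part in
            *-*) span=${part##*.}
                 [ "${ip%.*}" = "${part%.*}" ] &&
                 [ "${ip##*.}" -ge "${span%-*}" ] &&
                 [ "${ip##*.}" -le "${span#*-}" ] && return 0 ;;
            *)   [ "$ip" = "$part" ] && return 0 ;;
        esac
    done
    return 1
}

# The fault described in the post: succeeds if CLIENT_IP (statically set on
# the client) collides with the server-side localip in pptpd.conf.
static_ip_collides() {
    localip=$(awk '$1 == "localip" { print $2; exit }' "$1")
    ip_in_list "$2" "$localip"
}

# Prints "pppd[PID]: ADDRESS" for each session where pppd logged the same
# local and remote IP address (classic syslog line layout assumed).
same_endpoint_sessions() {
    awk '$6 == "local"  && $7 == "IP" { loc[$5] = $NF }
         $6 == "remote" && $7 == "IP" && loc[$5] == $NF { print $5, $NF }' "$1"
}

# Constructed sample log (not from the post): PID 812 shows the fault.
demo_log=$(mktemp); cat > "$demo_log" <<'EOF'
Jan 24 12:40:01 vpn pppd[812]: local  IP address 192.168.1.234
Jan 24 12:40:01 vpn pppd[812]: remote IP address 192.168.1.234
Jan 24 12:55:09 vpn pppd[901]: local  IP address 192.168.1.234
Jan 24 12:55:09 vpn pppd[901]: remote IP address 192.168.1.240
EOF
same_endpoint_sessions "$demo_log"; rm -f "$demo_log"
```

On a live server the functions would be pointed at /proc/sys/net/ipv4/ip_forward, /etc/ppp/options, the pptpd.conf file and /var/log/messages.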


