From awdavis at qicserv.net Thu Mar 1 03:17:00 2001
From: awdavis at qicserv.net (Andrew W. Davis)
Date: Thu, 01 Mar 2001 03:17:00 -0600
Subject: [pptp-server] blank username/password works!?
Message-ID: <3A9E138B.AAC586A8@qicserv.net>

Well, after a long and drawn-out battle with my RH7 box, pptp is almost ready to be unveiled to the rest of my company's corporate drones... I'm having 2 problems that I need to solve and I'm wondering if anyone can help...

Problem 1: when logging on with Windows VPN clients, if I just leave the username and password fields blank, the pptp server authenticates AOK. This is not good. I'm using the samba password patch on ppp, so my /etc/ppp/chap-secrets file looks like this -->

# Secrets for authentication using CHAP
# client   server   secret                  IP addresses
*          *        &/etc/samba/smbpasswd   *

and my /etc/ppp/options file looks like this -->

lock
debug
auth
proxyarp
chapms-strip-domain
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
# client settings
require-chap
ms-dns 192.168.10.1
ms-wins 192.168.10.1

Does anyone else with my setup have this problem? I thought it may be a case of the guest user in smbusers, but I'm not sure...

Ok, Problem #2: after a while, my VPN connection just stops responding. This ONLY HAPPENS after a certain time of inactivity, followed by the message in the log file "Received PPTP Control Message (type: 5)" a couple of times.

Any help would be appreciated!

Thanks,
Andrew
From: frederic.soulier at sxb.bsf.alcatel.fr (Frederic SOULIER)
Date: Thu, 01 Mar 2001 10:22:48 +0100
Subject: [pptp-server] EOF or bad error reading ctrl packet length
References: <3A444F68.9FE35F29@nwlink.com>
Message-ID: <3A9E14E8.12865A4@sxb.bsf.alcatel.fr>

Hello there,

I use a PPTP client (Win98SE standard MS VPN adapter) and a PPTP server (PoPToP 1.0.1 with Linux 2.2.13 kernel). Sometimes the PPTP tunnel is broken and I have the following logs:

May 11 01:31:31 myserver pptpd[5606]: MGR: Manager process started
May 11 01:31:45 myserver pptpd[5653]: CTRL: Client xxx.xxx.xxx.xxx control connection started
May 11 01:31:46 myserver pptpd[5653]: CTRL: Starting call (launching pppd, opening GRE)
May 11 02:04:16 myserver pptpd[5653]: CTRL: EOF or bad error reading ctrl packet length.
May 11 02:04:16 myserver pptpd[5653]: CTRL: couldn't read packet header (exit)
May 11 02:04:16 myserver pptpd[5653]: CTRL: CTRL read failed
May 11 02:04:16 myserver pptpd[5653]: CTRL: Client xxx.xxx.xxx.xxx control connection finished

(The timing is quite variable: tunnel breaking may happen after 10 minutes, one hour, or more...)

I saw in this list's archives some errors like this, but even with PoPToP 1.2.1 (upgrading was often the solution) I have this kind of problem.

Any idea?

Thanks a lot,

Frederic
From: msuencks at marcant.de (Matthias Suencksen)
Date: Thu, 1 Mar 2001 14:07:56 +0100
Subject: [pptp-server] EOF or bad error reading ctrl packet length
In-Reply-To: <3A9E14E8.12865A4@sxb.bsf.alcatel.fr>
Message-ID:

Frederic SOULIER wrote:
[..]
> (Sometimes is quite variable : tunnel breaking may happen after 10
> minutes, one hour, or more...)

I have exactly the same problems. Seems that Windows98 is producing garbage packets at times. To make pptpd more robust I have made some patches. You may want to try them out - feedback appreciated.

http://www.marcant.net/users/ms/pptp.html

The following patches are relevant:

pptpgre.c.diff    pptpd patch (against 1.0.1 !)
ppp_mppe.c.diff   MPPE kernel module patch

bye,
Matthias

> I saw in this list' archives some errors like this but even with PoPToP
> 1.2.1 (upgrading was often the solution) I have this kind of problems.
>
> Any idea ?
>
> Thanks a lot,
>
> Frederic

--
Out-of-order Execution (a feature of modern microprocessors)
From: frederic.soulier at sxb.bsf.alcatel.fr (Frederic SOULIER) Date: Thu, 01 Mar 2001 14:24:04 +0100 Subject: [pptp-server] EOF or bad error reading ctrl packet length References: Message-ID: <3A9E4D74.3A3FB780@sxb.bsf.alcatel.fr> Matthias Suencksen wrote: > > Frederic SOULIER wrote: > I have the exactly the same problems. Seems that Windows98 is > producing garbage packets at times. Do you mean that using other OS for the client such as W2K will bring better results ? > To make pptpd more robust I have made some patches. You may > want to try them out - feedback appreciated. > > http://www.marcant.net/users/ms/pptp.html Thanks a lot. I'm going to test them. Frederic From jdonahue at agiletech.com Thu Mar 1 08:49:52 2001 From: jdonahue at agiletech.com (jdonahue at agiletech.com) Date: Thu, 1 Mar 2001 09:49:52 -0500 Subject: [pptp-server] Where'd my encryption go?!? Message-ID: I have RH7, and have configured pptp with encryption succesfully (took long enough). Everything was working fine, all boot scripts in place...reboot server everything still works. Then all of a sudden yesterday I lost encryption!....Like it was never there! I connect - requiring encryption, ok....disconnect, 10 mins later reconnect.....ERROR - server does not support encryption level required?!?? So....for giggles I try rebooting, I know the scripts worked ok before- but that doesn't work....WHAT HAPPENED? Can Anyone help me?!? From jfjoly at free.fr Thu Mar 1 09:31:30 2001 
From: jfjoly at free.fr (Jean-Francois JOLY) Date: Thu, 1 Mar 2001 16:31:30 +0100 Subject: [pptp-server] Microsoft Client + key + encryption Message-ID: <3880221602.20010301163130@free.fr> Hello, I wonder if it is possible to set up a PoPToP server with windows client using keys for authentification. It went flowly to make a win2k box connect to PoPToP server but the authentification is made with user/password and there is no encryption. I want the clients to connect with key authentification. I've seen that we can authenticate through certificates with win2k but PoPToP does not seem to support it, does it ? If it does, do I still have to use encryption the windows way (by patching pppd) ? If it doesn't, do you have any idea of how I could implement a key authentificated VPN on a Linux FireWall. -- Best regards, Jean-Francois mailto:jfjoly at free.fr From james-p at moving-picture.com Thu Mar 1 11:33:49 2001 
From: james-p at moving-picture.com (James Pearson) Date: Thu, 01 Mar 2001 17:33:49 +0000 Subject: [pptp-server] Can't connect on first attempt Message-ID: <3A9E87FD.9D0001DE@moving-picture.com> I have a strange problem when I attempt to connect to my pptpd server (pptpd-1.0.1, ppp-2.3.11+openssl-0.9.5-mppe.patch, Redhat 6.2, 2.2.16-3 based kernel) using any Windows client over a dialup connection: Dial up my ISP, dial up my pptpd server -> fail with a connection failed error (629) Any subsequent attempts to connect, fail with the same error. However, if I then disconnect from my ISP, reconnect to my ISP and dial up my pptpd server - it works fine. I can then disconnect/reconnect to the pptpd server as many times as I like... I've tried a number of different ISPs, various flavours of Windows (95/98/NT4) clients and a complete fresh install of Linux/pptpd/ppp on a different box - but I can only connect to the pptpd server after my second ISP dialup ... The only common element is that the pptpd server is behind a firewall running Firewall-1 - could this be the "problem"? Any help would be appreciated. Thanks James Pearson From rcd at amherst.com Thu Mar 1 11:56:07 2001 
From: rcd at amherst.com (Robert Dege) Date: Thu, 01 Mar 2001 12:56:07 -0500 Subject: [pptp-server] Net Neighborhood is misbehavin' References: <90769AF04F76D41186C700A0C90AFC3EE67E@defiant.infohiiway.com> Message-ID: <3A9E8D37.1060309@amherst.com> I apologize for my silence, but I quickly discovered what happens to your linux box when you upgrade to PC133 RAM & your machine goes *yuck* Anways, upon some investigation, I discovered that most of the NT machines here on my Network have a Protocol installed by Novell called 'NWLink NetBIOS'. So in short, almost 60% of the company is using IPX/SPX to communicate NetBIOS. So I switched the binding order on 1 NT machine, so that NetBIOS was bound to the NIC card instead of the IPX protocol, and I could find it under `Find Computer` on the PPTP Client. Thanks for the help on that one. I still need to figure out the Workgroups problem (or if it's inter-related with the above problem). I'll let you know of my findings. -Rob >> -----Original Message----- 
>> From: robert [mailto:berzerke at swbell.net] >> Sent: Monday, February 26, 2001 10:02 PM >> To: Robert Dege >> Cc: pptp-server >> Subject: Re: [pptp-server] Net Neighborhood is misbehavin' >> >> Yes, and that is the problem. From the 2.4 Kernel PPTPD Howto: >> >> 5.10 Q: Browsing doesn't work. How do I fix it? >> >> >> A: Are *ANY* of the clients running more than one protocol? >> From the Samba docs: "Every NetBIOS machine take part in a >> process of electing the LMB [Local Master Browser] (and DMB >> [Domain Master Browser]) every 15 minutes...The election >> process is "fought out" so to speak over every NetBIOS >> network interface. In the case of a Windows 9x machine that >> has both TCP/IP and IPX installed and has NetBIOS enabled >> over both protocols the election will be decided over both >> protocols. As often happens, if the Windows 9x machine is >> the only one with both protocols then the LMB may be won on >> the NetBIOS interface over the IPX protocol. Samba will then >> lose the LMB role as Windows 9x will insist it knows who the >> LMB is. Samba will then cease to function as an LMB and thus >> browse list operation on all TCP/IP only machines will fail. >> > > I could be way off base here (its been a few years) but I seem to remember > having a similar problem as described above. To make a long story short, I > thought we fixed the problem by changing the binding order of the protocols > to give TCP/IP precedence. > > I just checked the MS site and couldn't find the article I remember reading, > but I seem to remember either editing a registry setting or (on NT) goto > network->properties->bindings and "move-up/move-down" the protocol binding > order. > > Just a thought! > > Steve Cowles > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! 
> > > From JaminC at adapt-tele.com Thu Mar 1 12:24:39 2001 From: JaminC at adapt-tele.com (Jamin Collins) Date: Thu, 1 Mar 2001 12:24:39 -0600 Subject: [pptp-server] Microsoft Client + key + encryption Message-ID: I'm not sure on the key portion, but there are patches to allow for 40 and 128 bit encryption on the PPTP connection. I'm using these patches with little to no difficulty of my PoPToP server. As for a Key-based VPN, there are a few different options, but most of these rely on SSH wrapping which could be done around the PPTP tunnel if you so desire. Jamin -----Original Message----- From: Jean-Francois JOLY [mailto:jfjoly at free.fr] Sent: Thursday, March 01, 2001 9:31 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] Microsoft Client + key + encryption Hello, I wonder if it is possible to set up a PoPToP server with windows client using keys for authentification. It went flowly to make a win2k box connect to PoPToP server but the authentification is made with user/password and there is no encryption. I want the clients to connect with key authentification. I've seen that we can authenticate through certificates with win2k but PoPToP does not seem to support it, does it ? If it does, do I still have to use encryption the windows way (by patching pppd) ? If it doesn't, do you have any idea of how I could implement a key authentificated VPN on a Linux FireWall. -- Best regards, Jean-Francois mailto:jfjoly at free.fr _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From rmk at communitytelephone.com Thu Mar 1 14:22:29 2001 
From: rmk at communitytelephone.com (Ryan Kremer) Date: Thu, 1 Mar 2001 14:22:29 -0600 Subject: [pptp-server] pptpd exits after last session closes Message-ID: I'm running PoPToP 1.0.1 on Solaris 2.5 w/ PPP 2.3.8. Everytime the last PPTP session closes, pptpd exits. As long as there is an active session, it's runs fine. Has anyone seen this behavior and is there a fix for it. -Ryan ------------------------------------------------ Ryan Kremer rmk at networkwcs.net Phone: (812)456-1224 Fax: (812)461-3363 Cisco Certified Network Professional Cisco Certified Design Associate From scott at scojoh.com Thu Mar 1 15:06:01 2001 From: scott at scojoh.com (Scott Johnston) Date: Thu, 01 Mar 2001 16:06:01 -0500 Subject: [pptp-server] pptpd exits after last session closes References: Message-ID: <3A9EB9B9.54D0B2AB@scojoh.com> I had the same problem on a RedHat 6.2 system until I upgraded to pptpd 1.1.2. Scott Ryan Kremer wrote: > > I'm running PoPToP 1.0.1 on Solaris 2.5 w/ PPP 2.3.8. Everytime the last > PPTP session closes, pptpd exits. As long as there is an active session, > it's runs fine. Has anyone seen this behavior and is there a fix for it. > > -Ryan > > ------------------------------------------------ > Ryan Kremer rmk at networkwcs.net > Phone: (812)456-1224 Fax: (812)461-3363 > Cisco Certified Network Professional > Cisco Certified Design Associate > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From jdonahue at agiletech.com Thu Mar 1 15:45:59 2001 
From: jdonahue at agiletech.com (jdonahue at agiletech.com)
Date: Thu, 1 Mar 2001 16:45:59 -0500
Subject: [pptp-server] Where'd my encryption go?!?
Message-ID:

Mar 1 15:36:55 SSTVPN1 pptpd[1478]: CTRL: Client 192.168.1.47 control connection started
Mar 1 15:36:55 SSTVPN1 pptpd[1478]: CTRL: Starting call (launching pppd, opening GRE)
Mar 1 15:36:55 SSTVPN1 pppd[1479]: pppd 2.3.11 started by root, uid 0
Mar 1 15:36:55 SSTVPN1 pppd[1479]: Using interface ppp0
Mar 1 15:36:55 SSTVPN1 pppd[1479]: Connect: ppp0 <--> /dev/pts/1
Mar 1 15:36:55 SSTVPN1 pptpd[1478]: GRE: Discarding duplicate packet
Mar 1 15:36:57 SSTVPN1 pptpd[1478]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 1 15:36:57 SSTVPN1 kernel: PPP BSD Compression module registered
Mar 1 15:36:57 SSTVPN1 kernel: PPP MPPE compression module registered
Mar 1 15:36:57 SSTVPN1 kernel: PPP Deflate Compression module registered
Mar 1 15:36:57 SSTVPN1 pppd[1479]: MSCHAP-v2 peer authentication succeeded for donahuej
Mar 1 15:36:57 SSTVPN1 pptpd[1478]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 1 15:36:57 SSTVPN1 pppd[1479]: LCP terminated by peer (JM-iYM-^K^@

cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 04:14 PM

What does the /var/log/messages file say? Any MPPE errors?

thanks,
George Vieira

-----Original Message-----
From: jdonahue at agiletech.com [mailto:jdonahue at agiletech.com] Sent: Friday, March 02, 2001 1:50 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] Where'd my encryption go?!? I have RH7, and have configured pptp with encryption succesfully (took long enough). Everything was working fine, all boot scripts in place...reboot server everything still works. Then all of a sudden yesterday I lost encryption!....Like it was never there! I connect - requiring encryption, ok....disconnect, 10 mins later reconnect.....ERROR - server does not support encryption level required?!?? So....for giggles I try rebooting, I know the scripts worked ok before- but that doesn't work....WHAT HAPPENED? Can Anyone help me?!? _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From rmk at communitytelephone.com Thu Mar 1 15:49:49 2001 From: rmk at communitytelephone.com (Ryan Kremer) Date: Thu, 1 Mar 2001 15:49:49 -0600 Subject: [pptp-server] pptpd exits after last session closes In-Reply-To: <3A9EB9B9.54D0B2AB@scojoh.com> Message-ID: Thanks. I just tried that but I'm still having the same problem. Only now, I can't get it to output any debug information to the syslog. ------------------------------------------------ Ryan Kremer rmk at networkwcs.net Phone: (812)456-1224 Fax: (812)461-3363 Cisco Certified Network Professional Cisco Certified Design Associate -----Original Message----- 
From: jdonahue at agiletech.com (jdonahue at agiletech.com) Date: Thu, 1 Mar 2001 17:03:24 -0500 Subject: [pptp-server] Where'd my encryption go?!? Message-ID: Looks like this is a client side issue, just found out others are able to connect, no problem...what should I check? (I am using W2K) George Vieira cc: Subject: RE: [pptp-server] Where'd my encryption go?!? 03/01/2001 04:41 PM MPPE seems to be registering OK but these lines I'm worried about.. Mar 1 15:36:57 SSTVPN1 pppd[1479]: LCP terminated by peer (JM-iYM-^K^@ /dev/pts/1 Mar 1 15:36:55 SSTVPN1 pptpd[1478]: GRE: Discarding duplicate packet Mar 1 15:36:57 SSTVPN1 pptpd[1478]: CTRL: Ignored a SET LINK INFO packet with real ACCMs! Mar 1 15:36:57 SSTVPN1 kernel: PPP BSD Compression module registered Mar 1 15:36:57 SSTVPN1 kernel: PPP MPPE compression module registered Mar 1 15:36:57 SSTVPN1 kernel: PPP Deflate Compression module registered Mar 1 15:36:57 SSTVPN1 pppd[1479]: MSCHAP-v2 peer authentication succeeded for donahuej Mar 1 15:36:57 SSTVPN1 pptpd[1478]: CTRL: Ignored a SET LINK INFO packet with real ACCMs! Mar 1 15:36:57 SSTVPN1 pppd[1479]: LCP terminated by peer (JM-iYM-^K^@ cc: Subject: RE: [pptp-server] Where'd my encryption go?!? 03/01/2001 04:14 PM What does the /var/log/messages file say? Any MPPE errors? thanks, George Vieira -----Original Message----- 
From: jdonahue at agiletech.com [mailto:jdonahue at agiletech.com] Sent: Friday, March 02, 2001 1:50 AM To: pptp-server at lists.schulte.org Subject: [pptp-server] Where'd my encryption go?!? I have RH7, and have configured pptp with encryption succesfully (took long enough). Everything was working fine, all boot scripts in place...reboot server everything still works. Then all of a sudden yesterday I lost encryption!....Like it was never there! I connect - requiring encryption, ok....disconnect, 10 mins later reconnect.....ERROR - server does not support encryption level required?!?? So....for giggles I try rebooting, I know the scripts worked ok before- but that doesn't work....WHAT HAPPENED? Can Anyone help me?!? _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From scott at scojoh.com Thu Mar 1 16:05:45 2001 From: scott at scojoh.com (Scott Johnston) Date: Thu, 01 Mar 2001 17:05:45 -0500 Subject: [pptp-server] pptpd exits after last session closes References: Message-ID: <3A9EC7B9.714E2019@scojoh.com> One thing that got me was the 'make install' for 1.1.2 didn't actually put the file in /usr/sbin as expected, so I was still running the old one when I thought I was running the new one. I spent a couple of days pulling my hair out until I found that one. Scott Ryan Kremer wrote: > > Thanks. I just tried that but I'm still having the same problem. Only now, I > can't get it to output any debug information to the syslog. > > ------------------------------------------------ > Ryan Kremer rmk at networkwcs.net > Phone: (812)456-1224 Fax: (812)461-3363 > Cisco Certified Network Professional > Cisco Certified Design Associate > > -----Original Message----- 
> From: Scott Johnston [mailto:scott at scojoh.com] > Sent: Thursday, March 01, 2001 3:06 PM > To: Ryan Kremer > Cc: pptp-server at lists.schulte.org > Subject: Re: [pptp-server] pptpd exits after last session closes > > I had the same problem on a RedHat 6.2 system until I upgraded to pptpd > 1.1.2. > > Scott > > Ryan Kremer wrote: > > > > I'm running PoPToP 1.0.1 on Solaris 2.5 w/ PPP 2.3.8. Everytime the last > > PPTP session closes, pptpd exits. As long as there is an active session, > > it's runs fine. Has anyone seen this behavior and is there a fix for it. > > > > -Ryan > > > > ------------------------------------------------ > > Ryan Kremer rmk at networkwcs.net > > Phone: (812)456-1224 Fax: (812)461-3363 > > Cisco Certified Network Professional > > Cisco Certified Design Associate > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! From rmk at communitytelephone.com Thu Mar 1 16:04:21 2001 From: rmk at communitytelephone.com (Ryan Kremer) Date: Thu, 1 Mar 2001 16:04:21 -0600 Subject: [pptp-server] pptpd exits after last session closes In-Reply-To: <3A9EC7B9.714E2019@scojoh.com> Message-ID: I had thought about that and did a manual copy to place it there. Still didn't work. Thanks. ------------------------------------------------ Ryan Kremer rmk at networkwcs.net Phone: (812)456-1224 Fax: (812)461-3363 Cisco Certified Network Professional Cisco Certified Design Associate -----Original Message----- 
From: jdonahue at agiletech.com (jdonahue at agiletech.com)
Date: Thu, 1 Mar 2001 17:24:30 -0500
Subject: [pptp-server] Where'd my encryption go?!?
Message-ID:

Figured it out. In the 10 mins between pptp connections, I installed the MS IE 128-bit encryption upgrade....that's what broke. Windows is requiring 128-bit encryption.

This WAS my options file:

lock
debug
auth
require-chap
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
ms-wins 192.168.1.9

I took out the mppe-40, and tried again...got further....verified username/password, then when it got to "Registering your computer on the network", it disconnected with error code 619: The specified port is not connected...how do I get the server working with 128 bit???

George Vieira
cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 04:58 PM

Do what I do... Delete the DUN icon which connects and start a new one.. test it. If that fails, start reducing things until it works... if you're sure it's MPPE failing then when you turn off encryption then it'll work.. but test anyway..

thanks,
George Vieira
From: stuartg at parallelsolutions.com.au (Stuart Green)
Date: Fri, 2 Mar 2001 08:14:02 +1100
Subject: [pptp-server] make modules problem!!!
Message-ID: <200103012114.f21LE2a31240@ns1.parallelsolutions.com.au>

Hi All,

Thanks Steve Cowles, the last tip worked well. I still get this error when using 'make modules SUBDIRS=drivers/net', so if anyone can help... please do

ppp.c:188: warning: static declaration for 'ppp_unregister_compressor_R9682e733' follows non-static
ppp.c:189: warning: static declaration for 'ppp_unregister_compressor_Ra1b928df' follows non-static
{standard input}: Assembler message:
{standard input}:9: Warning: Ignoring changed section attributes for .modinfo
ppp.c: In function 'rcv_proto_unknown':
ppp.c:2563: too few many arguments to function 'kill_fasync_Rc44fbe50'
make[1]: *** [ppp.o] Error 1
make[1]: Leaving directory '/usr/src/linux-2.2.16/drivers/net'
make: *** [_mod_drivers/net] Error 2

Regards
Stuart Green (CompTIA A+)
Technical Department Manager, PARALLEL SOLUTIONS.
Email : stuartg at parallelsolutions.com.au
Web: www.parallelsolutions.com.au

From: anesthes at cisdi.com (Joey Coco)
Date: Thu, 1 Mar 2001 19:20:37 -0500 (EST)
Subject: [pptp-server] Connection scripts/daemons
In-Reply-To: <200103012114.f21LE2a31240@ns1.parallelsolutions.com.au>
Message-ID:

Hello,

Does anyone have a utility that monitors the pptp tunnel on the client end and, if the tunnel goes down, executes the call script?

p.s. I've set up WANs with PPTP tunnels using linux <---> linux and found Zebra works more than well for dynamic routing, especially when bringing interfaces up + down. Zebra retains the routes when the interface pops back up, unlike kernel routing.

--
Joe
From: msuencks at marcant.de (Matthias Suencksen) Date: Fri, 2 Mar 2001 02:29:29 +0100 Subject: [pptp-server] EOF or bad error reading ctrl packet length In-Reply-To: <3A9E4D74.3A3FB780@sxb.bsf.alcatel.fr> Message-ID: Frederic SOULIER wrote: > > Matthias Suencksen wrote: > > > > Frederic SOULIER wrote: > > > I have the exactly the same problems. Seems that Windows98 is > > producing garbage packets at times. > > Do you mean that using other OS for the client such as W2K will bring > better results ? that could be the case ( I have no W2k box handy). If you use the patches from my page try to do a "grep" on the message log looking either for "GRE" or "bogus" - with Win98 there should appear messages from time to time about the server ignoring certain packets. If they do not when using W2K consider yourself lucky .. Matthias > > > To make pptpd more robust I have made some patches. You may > > want to try them out - feedback appreciated. > > > > http://www.marcant.net/users/ms/pptp.html > > Thanks a lot. I'm going to test them. > > Frederic > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > -- Out-of-order Execution (Feature von modernen Microprozessoren) From dreadboy at hotmail.com Thu Mar 1 21:42:09 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Thu, 01 Mar 2001 20:42:09 -0700 Subject: [pptp-server] ppp forwarding - more questions... Message-ID: 
>From: Jerry Vonau
>To: Dread Boy
>CC: pptp-server at lists.schulte.org
>Subject: Re: [pptp-server] ppp forwarding - more questions...
>Date: Wed, 28 Feb 2001 21:30:15 -0600
>
>Dread Boy:
>
>This is what I use in ip-up.local:
>
>/sbin/ipchains -I input -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
>/sbin/ipchains -I output -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
>/sbin/ipchains -I forward -i eth1 -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
>/sbin/ipchains -I input -i ppp+ -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
>/sbin/ipchains -I output -i ppp+ -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
>/sbin/ipchains -I forward -i ppp+ -d 10.0.0.0/8 -s 10.0.0.0/8 -j ACCEPT
>
>Make sure that there is an entry in the /var/log/messages, when the link is
>brought up, that says:
>
>Feb 2 20:05:59 vvvvvvv pppd[23097]: found interface eth? for proxy arp
>
>If not you won't see jack past the pptp server. The cause is the remote ip
>that is not in the same range as the local lan that it can use for
>proxyarp.

OK. A few more questions:

1) Which scripts actually run when you connect? ip-up, ip-up.local, or both?
2) How do I drop the ipchains rules after hanging up?
3) Are the "drop" rules to go into ip-down.local?
4) How does ppp know which script to use?

>In pptp.conf are the local and remote ip on the same address range?
>ie:
>local 192.168.0.1
>remote 192.168.0.111-121

Yes, local 192.168.0.200-215, remote 192.168.0.216-231

>If not the proxyarp will fail and you'll have to add the arp statement
>in ip-up.local.
>
>You have proxyarp in the options file?

Yes.

>Jerry Vonau
From: dreadboy at hotmail.com (Dread Boy)
Date: Thu, 01 Mar 2001 20:45:20 -0700
Subject: [pptp-server] SMB Authentication
Message-ID:

OK, the libsmbpw.so library works great to extract SMB username/password combos from /etc/smbpasswd. I really like having the passwords encrypted.

My /etc/ppp/chap-secrets is set up as:

#username server secret ip
* * &/etc/smbpasswd *

Works great! Except for one small thing... =(

IT ACCEPTS A BLANK USERNAME/PASSWORD COMBO!

Talk about lack of security. Does anyone know a way around this? Possibly a script of some sort to validate at least one character for each input?

From jvonau at home.com Thu Mar 1 22:24:52 2001
From: jvonau at home.com (Jerry Vonau)
Date: Thu, 01 Mar 2001 22:24:52 -0600
Subject: [pptp-server] ppp forwarding - more questions...
References:
Message-ID: <3A9F2093.DA40852F@home.com>

Dread Boy:

> OK. A few more questions:
>
> 1) Which scripts actually run when you connect? ip-up, ip-up.local, or
> both?
>
Both. ip-up first

> 2) How do I drop the ipchains rules after hanging up?

Repeat the rules but replace the -I with -D ie:

/sbin/ipchains -D input -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT

> 3) Are the "drop" rules to go into ip-down.local?
>
Yes

> 4) How does ppp know which script to use?
>
I'm not sure if I understand. ip-up and ip-up.local are run on each connection. For each connection a set of the rules are added, so you'll have multiple sets for multiple connections. When one disconnects one set of rules should be deleted. Quite frankly I don't run them in ip-up.local unless you need to add a route to a remote lan that is on the other end of the ppp link (that is a whole other ball game). I just add the rules to the firewall script and leave ip-up and ip-up.local untouched.
Then I use the ip-up.local for the lan to lan stuff only. The rules displayed were modified from my lan to lan rules as an example.

> >In pptp.conf are the local and remote ip on the same address range?
> >ie:
> >local 192.168.0.1
> >remote 192.168.0.111-121
>
> Yes, local 192.168.0.200-215, remote 192.168.0.216-231
>
> >If not the proxyarp will fail and you'll have to add the arp statement
> >in ip-up.local.
> >
> >You have proxyarp in the options file?
>
> Yes.

Jerry Vonau

From GeorgeV at citadelcomputer.com.au Thu Mar 1 22:29:53 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Fri, 2 Mar 2001 15:29:53 +1100
Subject: [pptp-server] ppp forwarding - more questions...
Message-ID: <200FAA488DE0D41194F10010B597610D0A61C1@JUPITER>

pppd uses these scripts by default. ip-up.local is called by ip-up (look at the script and see).

To kill the chains use the -D option with the complete rule as the one added.. it'll match it and kill it.. Put the drop rules in ip-down.local.

Use the ipparam in pppd options and give it a name like

    ipparam pptp

then in ip-up/down.local you can say..

    if [ "$6" = "pptp" ]; then
        echo "PPTP script enabled" >> /var/log/messages
        ipchains -D ...............
    fi

thanks,
George Vieira

-----Original Message-----
From: Dread Boy [mailto:dreadboy at hotmail.com]
Sent: Friday, March 02, 2001 2:42 PM
To: jvonau at home.com; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] ppp forwarding - more questions...
From vgill at technologist.com Fri Mar 2 00:13:06 2001
From: vgill at technologist.com (Gill, Vern)
Date: Thu, 1 Mar 2001 22:13:06 -0800
Subject: [pptp-server] blank username/password works!?
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607CFD@ftp.gillnet.org>

Holy Toledo Batman!!!! You are correct!!! It does not appear to be the guest user, either. The log file reads

mschap auth succeeded for user

This is a SERIOUS problem that I was not previously aware of. Thank you for pointing that out... Wow!!! In testing I found that if you actually specify a USERNAME in chap-secs it will fail on a blank user.

I.E. /etc/ppp/chap-secrets;

user1 * &/etc/samba/smbpasswd *
user2 * &/etc/samba/smbpasswd *
user3 * &/etc/samba/smbpasswd *
etc
etc

But it still allows users who are IN the file to work, even if they DON'T exist in smbpasswd.

I.E. /etc/smbpasswd;

user1:XXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-XXXXXXXX:
user2:XXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-XXXXXXXX:

Users 1 2 AND 3 CAN LOGIN SUCCESSFULLY!!!!!

This is REAL bad... Maybe this is something to seriously look at the code for. Too bad I know NOTHING about coding. I would not be of ANY assistance, but I would LOVE to hear if a "correction" is made to this...

Thanks again for pointing this out....

---> Running to nearest computer terminal to secure his network against intrusion

From dreadboy at hotmail.com Fri Mar 2 01:37:17 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Fri, 02 Mar 2001 00:37:17 -0700
Subject: [pptp-server] Yes, blank username/password works!
Message-ID:

Yeah, and on top of all this it doesn't seem to matter what I log in as, my username and password don't get carried over to SAMBA for authenticating with server shares.

i.e. Whether I use a valid username/password or the blank, I still can not access resources (or possibly ACLs) on the servers even with valid usernames. On my local LAN it's no problem, but remotely, it doesn't seem to know who I am while I'm logged on.

For example, when I click a share locally on my SAMBA server, I can get into it and have certain rights based on my username/password. I don't even have to think about it. "security = user" in /etc/smb.conf. However, when I log in remotely with Windoze using my PPTPD Linux server, when I even try to access the server itself (let alone the share) it keeps asking me for the IPC$ administration password as if it was an NT server. It doesn't matter what I enter here, I can't get any farther.

Does PPTPD know my SMB username but not my password, or vice versa? I thought maybe because it was encrypted using libsmbpw.so that maybe it couldn't figure it out, but then using chap-secrets plain-text passwords don't cut it either.

Anyone know what this is all about? Geez, I thought this whole PPTPD Linux server was gonna be at least a weekend of work, but it's turning out to be months worth of work.

>Holy Toledo Batman!!!! You are correct!!! It does not appear to be the
>guest user, either. The log file reads mschap auth succeeded for user
From jfjoly at free.fr Fri Mar 2 02:28:00 2001
From: jfjoly at free.fr (Jean-Francois JOLY)
Date: Fri, 2 Mar 2001 09:28:00 +0100
Subject: [pptp-server] Microsoft Client + key + encryption
In-Reply-To:
References:
Message-ID: <11054817463.20010302092800@free.fr>

Hello Jamin,

Thursday, March 01, 2001, 7:24:39 PM, you wrote:

JC> I'm not sure on the key portion, but there are patches to allow for 40 and
JC> 128 bit encryption on the PPTP connection. I'm using these patches with
JC> little to no difficulty on my PoPToP server. As for a Key-based VPN, there
JC> are a few different options, but most of these rely on SSH wrapping which
JC> could be done around the PPTP tunnel if you so desire.

I think SSH wrappers are not available on Windows clients, are they ?

JC> Jamin

JC> -----Original Message-----
JC> From: Jean-Francois JOLY [mailto:jfjoly at free.fr]
JC> Sent: Thursday, March 01, 2001 9:31 AM
JC> To: pptp-server at lists.schulte.org
JC> Subject: [pptp-server] Microsoft Client + key + encryption

JC> Hello,

JC> I wonder if it is possible to set up a PoPToP server with
JC> windows client using keys for authentication.
JC> It went flowly to make a win2k box connect to PoPToP server but
JC> the authentication is made with user/password and there is no
JC> encryption.
JC> I want the clients to connect with key authentication. I've seen
JC> that we can authenticate through certificates with win2k but
JC> PoPToP does not seem to support it, does it ?
JC> If it does, do I still have to use encryption the windows way
JC> (by patching pppd) ?
JC> If it doesn't, do you have any idea of how I could implement
JC> a key authenticated VPN on a Linux FireWall.

--
Best regards,
Jean-Francois
mailto:jfjoly at free.fr

From jkreger at avidsolutionsinc.com Fri Mar 2 06:04:02 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Fri, 2 Mar 2001 07:04:02 -0500
Subject: [pptp-server] blank username/password works!?
Message-ID: <6B8A85826C35D31193BD0090278589C81DF035@CIC-EXCHANGE>

How it could be fixed:

Check the length of the username and the secret after getting the secret. If both are NULL (they would have to be for MSChap/MSChapV2 to even think about working), write, let's say, an 8 bit random number into the password field, or the username field. This would kill MSChapV2: it would go through the process, and fail with Failed Username or Password.

On the subject of such things, is anybody aware of any win2k incompatibilities with pppd?
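The length check Justin describes, written out as an added C illustration that is not pppd's, libsmbpw's or anyone on the list's code. It refuses a blank username or empty secret outright instead of poisoning the secret with a random value, and it also refuses the other two cases the thread turned up: a user absent from smbpasswd (no fall-through to "allow") and an account flagged disabled or no-password. The smbpasswd line layout it parses and the sample entries are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NT_HASH_LEN 16

enum smb_auth_result {
    SMB_OK = 0,
    SMB_EMPTY_NAME,  /* blank username: refused before any lookup */
    SMB_NOT_FOUND,   /* user absent from smbpasswd: refused, no fall-through */
    SMB_DISABLED,    /* account flags contain D */
    SMB_NO_PASSWORD  /* flags contain N, or NT hash field is not 32 hex digits */
};

/* The check proposed in the thread: MS-CHAP can never legitimately succeed with
 * a zero-length username or secret, so refuse those outright. */
int chap_secret_usable(const char *user, const unsigned char *secret, size_t secret_len)
{
    return user != NULL && user[0] != '\0' && secret != NULL && secret_len > 0;
}

static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper((unsigned char)c);
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode exactly 32 hex digits into 16 bytes; returns 0 on success. */
static int decode_nt_hash(const char *field, size_t len, unsigned char out[NT_HASH_LEN])
{
    if (len != 2 * NT_HASH_LEN) return -1;
    for (size_t i = 0; i < NT_HASH_LEN; i++) {
        int hi = hex_nibble(field[2 * i]), lo = hex_nibble(field[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* Look up user in an smbpasswd-format buffer and copy its NT hash (the MS-CHAP
 * secret) into out.  Assumed layout, one entry per line:
 *   user:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:
 * Every failure is an explicit refusal; nothing falls through to "allow". */
enum smb_auth_result smb_lookup_nt_hash(const char *db, const char *user,
                                        unsigned char out[NT_HASH_LEN])
{
    if (user == NULL || user[0] == '\0') return SMB_EMPTY_NAME;

    size_t ulen = strlen(user);
    for (const char *line = db; line != NULL && *line != '\0';) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        const char *next = eol ? eol + 1 : NULL;

        /* Skip comments; the first field must equal the username exactly. */
        if (line[0] != '#' && llen > ulen && line[ulen] == ':' &&
            memcmp(line, user, ulen) == 0) {
            const char *f[5];
            size_t fl[5];
            const char *p = line;
            int n = 0;
            while (n < 5 && p <= line + llen) {   /* split the first five fields */
                const char *q = memchr(p, ':', (size_t)(line + llen - p));
                if (q == NULL) q = line + llen;
                f[n] = p;
                fl[n++] = (size_t)(q - p);
                p = q + 1;
            }
            if (n < 5) return SMB_NO_PASSWORD;    /* truncated entry: unusable */
            if (memchr(f[4], 'D', fl[4])) return SMB_DISABLED;
            if (memchr(f[4], 'N', fl[4])) return SMB_NO_PASSWORD;
            if (decode_nt_hash(f[3], fl[3], out) != 0) return SMB_NO_PASSWORD;
            return chap_secret_usable(user, out, NT_HASH_LEN) ? SMB_OK : SMB_NO_PASSWORD;
        }
        line = next;
    }
    return SMB_NOT_FOUND;
}

/* Constructed sample smbpasswd contents; every hash value here is made up. */
const char SAMPLE_SMBPASSWD[] =
    "# constructed for this example\n"
    "user1:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:\n"
    "guest:1002:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:\n"
    "olduser:1003:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-00000000:\n"
    "broken:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:\n";

int main(void)
{
    static const char *names[] = { "", "user1", "nobody", "guest", "olduser", "broken" };
    unsigned char nt[NT_HASH_LEN];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum smb_auth_result r = smb_lookup_nt_hash(SAMPLE_SMBPASSWD, names[i], nt);
        printf("%-8s -> %s\n", names[i][0] ? names[i] : "(blank)",
               r == SMB_OK ? "secret usable" : "refused");
    }
    return 0;
}
```

Only user1 yields a usable secret; the blank name, the unknown name, the no-password guest, the disabled account and the entry with a non-hex hash are all refused before MS-CHAP ever runs.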
From giulioo at pobox.com Fri Mar 2 07:22:58 2001
From: giulioo at pobox.com (Giulio Orsero)
Date: Fri, 02 Mar 2001 14:22:58 +0100
Subject: [pptp-server] make modules problem!!!
In-Reply-To: <200103012114.f21LE2a31240@ns1.parallelsolutions.com.au>
References: <200103012114.f21LE2a31240@ns1.parallelsolutions.com.au>
Message-ID: <20010302132340.0DC2C16584@i3.golden.dom>

On Fri, 2 Mar 2001 08:14:02 +1100, you wrote:

>ppp.c: In function 'rcv_proto_unknown':
>ppp.c:2563: too few many arguments to function 'kill_fasync_Rc44fbe50'

http://lists.schulte.org/pipermail/pptp-server/2001-February/004594.html

--
giulioo at pobox.com

From jdonahue at agiletech.com Fri Mar 2 08:38:09 2001
From: jdonahue at agiletech.com (jdonahue at agiletech.com)
Date: Fri, 2 Mar 2001 09:38:09 -0500
Subject: [pptp-server] Where'd my encryption go?!?
Message-ID:

here is the failed connection now:

Mar 2 08:30:09 SSTVPN1 pptpd[1265]: CTRL: Client 192.168.1.47 control connection started
Mar 2 08:30:09 SSTVPN1 pptpd[1265]: CTRL: Starting call (launching pppd, opening GRE)
Mar 2 08:30:09 SSTVPN1 pppd[1266]: pppd 2.3.11 started by root, uid 0
Mar 2 08:30:09 SSTVPN1 pppd[1266]: Using interface ppp0
Mar 2 08:30:09 SSTVPN1 pppd[1266]: Connect: ppp0 <--> /dev/pts/0
Mar 2 08:30:09 SSTVPN1 pptpd[1265]: GRE: Discarding duplicate packet
Mar 2 08:30:11 SSTVPN1 pptpd[1265]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 2 08:30:12 SSTVPN1 pppd[1266]: MSCHAP-v2 peer authentication succeeded for donahuej
Mar 2 08:30:12 SSTVPN1 pppd[1266]: found interface eth1 for proxy arp
Mar 2 08:30:12 SSTVPN1 pppd[1266]: local IP address 192.168.1.202
Mar 2 08:30:12 SSTVPN1 pppd[1266]: remote IP address 192.168.1.207
Mar 2 08:30:18 SSTVPN1 pptpd[1265]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 2 08:30:18 SSTVPN1 pppd[1266]: LCP terminated by peer (WM-mle^@

cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 05:30 PM

Check your /var/log/messages file again.. I've seen so many 619 errors that you'd think it would burn in the back of your brain by now...

thanks,
George Vieira

-----Original Message-----
From: jdonahue at agiletech.com [mailto:jdonahue at agiletech.com]
Sent: Friday, March 02, 2001 9:25 AM
To: George Vieira
Cc: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] Where'd my encryption go?!?

Figured it out. In the 10 mins between pptp connections, I installed MS IE 128bit encryption upgrade....that's what broke. Windows is requiring 128 bit encryption.

This WAS my options file:

lock
debug
auth
require-chap
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
ms-wins 192.168.1.9

I took out the mppe-40, and tried again...got further....verified username/password, then when it got to "Registering your computer on the network", it disconnected with error code 619: The specified port is not connected...how do I get the server working with 128 bit???

George Vieira
cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 04:58 PM

Do what I do... Delete the DUN icon which connects and start a new one.. test it. If that fails, start reducing things until it works... if you're sure it's MPPE failing then when you turn off encryption then it'll work.. but test anyway..

thanks,
George Vieira

-----Original Message-----
From: jdonahue at agiletech.com [mailto:jdonahue at agiletech.com]
Sent: Friday, March 02, 2001 9:03 AM
To: George Vieira
Cc: pptp-server
Subject: RE: [pptp-server] Where'd my encryption go?!?

Looks like this is a client side issue, just found out others are able to connect, no problem...what should I check? (I am using W2K)

George Vieira
cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 04:41 PM

MPPE seems to be registering OK but these lines I'm worried about..

Mar 1 15:36:57 SSTVPN1 pppd[1479]: LCP terminated by peer (JM-iYM-^K^@

/dev/pts/1
Mar 1 15:36:55 SSTVPN1 pptpd[1478]: GRE: Discarding duplicate packet
Mar 1 15:36:57 SSTVPN1 pptpd[1478]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 1 15:36:57 SSTVPN1 kernel: PPP BSD Compression module registered
Mar 1 15:36:57 SSTVPN1 kernel: PPP MPPE compression module registered
Mar 1 15:36:57 SSTVPN1 kernel: PPP Deflate Compression module registered
Mar 1 15:36:57 SSTVPN1 pppd[1479]: MSCHAP-v2 peer authentication succeeded for donahuej
Mar 1 15:36:57 SSTVPN1 pptpd[1478]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 1 15:36:57 SSTVPN1 pppd[1479]: LCP terminated by peer (JM-iYM-^K^@

cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 04:14 PM

What does the /var/log/messages file say? Any MPPE errors?

thanks,
George Vieira

-----Original Message-----
From: jdonahue at agiletech.com [mailto:jdonahue at agiletech.com]
Sent: Friday, March 02, 2001 1:50 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Where'd my encryption go?!?

I have RH7, and have configured pptp with encryption successfully (took long enough). Everything was working fine, all boot scripts in place...reboot server everything still works. Then all of a sudden yesterday I lost encryption!....Like it was never there! I connect - requiring encryption, ok....disconnect, 10 mins later reconnect.....ERROR - server does not support encryption level required?!?? So....for giggles I try rebooting, I know the scripts worked ok before- but that doesn't work....WHAT HAPPENED? Can Anyone help me?!?

From walterm at Gliatech.com Fri Mar 2 10:08:38 2001
From: walterm at Gliatech.com (Michael Walter)
Date: Fri, 2 Mar 2001 11:08:38 -0500
Subject: [pptp-server] blank username/password works!?
Message-ID:

Is this issue specific to the samba integration? I do not use samba passwords and blank username/password does not allow access to our vpn.

Software Versions:
Linux Kernel 2.2.16
PPP 2.3.11
PPTPD 1.0.0

Thanks,

Michael J. Walter
rhce mcdba mcse+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com
From dreadboy at hotmail.com Fri Mar 2 11:14:42 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Fri, 02 Mar 2001 10:14:42 -0700
Subject: [pptp-server] blank username/password works!?
Message-ID:

Actually, it only happens when using the /etc/smbpasswd authentication. If you put real usernames and passwords into /etc/ppp/chap-secrets blank entries will be disallowed.

>
>Is this issue specific to the samba integration? I do not use samba
>passwords and blank username/password does not allow access to our vpn.
>
>Software Versions:
>Linux Kernel 2.2.16
>PPP 2.3.11
>PPTPD 1.0.0
From vgill at technologist.com Fri Mar 2 11:15:46 2001
From: vgill at technologist.com (Gill, Vern)
Date: Fri, 2 Mar 2001 09:15:46 -0800
Subject: [pptp-server] blank username/password works!?
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D04@ftp.gillnet.org>

Yes, this is specifically when using a patch to pppd that allows you to use your smbpasswd file for authentication...

-----Original Message-----
From: Michael Walter [mailto:walterm at gliatech.com]
Sent: Friday, March 02, 2001 8:09 AM
To: 'pptp-server at lists.schulte.org'
Subject: RE: [pptp-server] blank username/password works!?

Is this issue specific to the samba integration? I do not use samba passwords and blank username/password does not allow access to our vpn.
From Steve at SteveCowles.com Fri Mar 2 11:19:11 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Fri, 2 Mar 2001 11:19:11 -0600
Subject: [pptp-server] Yes, blank username/password works!
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE687@defiant.infohiiway.com>

> -----Original Message-----
> From: Dread Boy [mailto:dreadboy at hotmail.com]
> Sent: Friday, March 02, 2001 1:37 AM
> To: pptp-server at lists.schulte.org; vgill at technologist.com
> Subject: RE: [pptp-server] Yes, blank username/password works!
>
>
> Yeah, and on top of all this it doesn't seem to matter what I
> log in as, my username and password don't get carried over to
> SAMBA for authenticating with server shares.

Let's make sure we are comparing apples to apples here. The username/password that you specify in your windows PPTP dialup profile has NEVER been carried over for share access. Please keep the following in mind...

1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile to authenticate the tunnel connection ONLY.

2) Share access uses the user/pass that you specified when you turned on your PC and logged in to get to your desktop. FWIW: This same user/pass can be specified in your PPTP dialup profile to be used to authenticate the PPTP tunnel.

> i.e. Whether I use a valid username/password or the blank, I
> still can not access resources (or possibly ACLs) on the
> servers even with valid usernames. On my local LAN it's no
> problem, but remotely, it doesn't seem to know who I am while
> I'm logged on.
>
> For example, when I click a share locally on my SAMBA server,
> I can get into it and have certain rights based on my username/
> password. I don't even have to think about it. "security =
> user" in /etc/smb.conf. However, when I log in remotely with
> Windoze using my PPTPD Linux server, when I even try to access
> the server itself (let alone the share) it keeps asking me for
> the IPC$ administration password as if it was an NT server.
> It doesn't matter what I enter here, I can't get any farther.

From JaminC at adapt-tele.com Fri Mar 2 12:10:52 2001
From: JaminC at adapt-tele.com (Jamin Collins)
Date: Fri, 2 Mar 2001 12:10:52 -0600
Subject: [pptp-server] Microsoft Client + key + encryption
Message-ID:

Jean-Francois JOLY [mailto:jfjoly at free.fr] wrote:
> I think SSH wrappers are not available on Windows clients, are
> they ?

Not completely sure. I've just begun looking at SSH for secure remote access to my networks. I'm not satisfied with the encryption level provided by MS's VPN server. However, most of my users are running MS OS's for their systems. So, I too am looking into something of this nature for remote access.

Jamin W. Collins

From dreadboy at hotmail.com Fri Mar 2 13:12:59 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Fri, 02 Mar 2001 12:12:59 -0700
Subject: [pptp-server] Yes, blank username/password works!
Message-ID:

You are correct, Steve. I was failing to put in my login username/password. I was assuming (ASS-outta-U-and-Me-ING) that the dial-up name and password would do the trick.

It was apples to oranges.

And again, that's correct, using chap-secrets is fine - it's only when using libsmbpw that problems arise for the blank user/password deal... Which is a real drag since I was hoping to keep user list maintenance synced for ease of use.

>From: "Cowles, Steve"
>To: pptp-server at lists.schulte.org
>Subject: RE: [pptp-server] Yes, blank username/password works!
>Date: Fri, 2 Mar 2001 11:19:11 -0600
>
> > -----Original Message-----
> > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > Sent: Friday, March 02, 2001 1:37 AM
> > To: pptp-server at lists.schulte.org; vgill at technologist.com
> > Subject: RE: [pptp-server] Yes, blank username/password works!
> >
> >
> > Yeah, and on top of all this it doesn't seem to matter what I
> > log in as, my username and password don't get carried over to
> > SAMBA for authenticating with server shares.
>
>Let's make sure we are comparing apples to apples here. The
>username/password
>that you specify in your windows PPTP dialup profile has NEVER been carried
>over for share access. Please keep the following in mind...
>
>1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
>to authenticate the tunnel connection ONLY.
>
>2) Share access uses the user/pass that you specified when you turned on
>your PC and logged in to get to your desktop. FWIW: This same user/pass can
>be specified in your PPTP dialup profile to be used to authenticate the
>PPTP
>tunnel.
>
> >
> > i.e. Whether I use a valid username/password or the blank, I
> > still can not access resources (or possibly ACLs) on the
> > servers even with valid usernames. On my local LAN it's no
> > problem, but remotely, it doesn't seem to know who I am while
> > I'm logged on.
> >
> > For example, when I click a share locally on my SAMBA server,
> > I can get into it and have certain rights based on my username/
> > password. I don't even have to think about it. "security =
> > user" in /etc/smb.conf. However, when I log in remotely with
> > Windoze using my PPTPD Linux server, when I even try to access
> > the server itself (let alone the share) it keeps asking me for
> > the IPC$ administration password as if it was an NT server.
> > It doesn't matter what I enter here, I can't get any farther.
>
>From the samba docs...
>
>Some people find browsing fails because they don't have the global
>"guest account" set to a valid account.
>Remember that the IPC$
>connection that lists the shares is done as guest, and thus you must
>have a valid guest account.
>----------------------------
>
>Also, is the PPTP clients WORKGROUP participation set to match what the
>clients on the LAN are configured to?
>
> >
> > Does PPTPD know my SMB username but not my password, or vice
> > versa? I thought maybe because it was encrypted using
> > libsmbpw.so that maybe it couldn't figure it out, but then
> > using chap-secrets plain-text passwords don't cut it either.
> >
> > Anyone know what this is all about?
> >
> > Geez, I thought this whole PPTPD Linux server was gonna be at
> > least a weekend of work, but it's turning out to be months
> > worth of work.
> >
>
>With regards to the "subject" line of this thread... let's make sure we are
>comparing apples to apples here. I'd hate to see PopTop/PPPD get the
>reputation of being insecure without the following clarification being
>noted.
>
>1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
>authentication to use the libsmbpw.o lib's (smbpasswd), then your system
>appears to be vulnerable to the blank user/pass exploit mentioned in this
>thread.
>
>2) Those of you who are still using the chap-secrets file (no re-direct)
>for
>tunnel authentication are NOT vulnerable to the blank user/pass exploit
>mentioned in this thread. I just verified this on my PopTop server! I do
>not
>use the re-direct to libsmbpw.o
>
>Steve Cowles

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

From lee at booksys.com Fri Mar 2 14:17:14 2001
From: lee at booksys.com (Lee Smith)
Date: Fri, 02 Mar 2001 14:17:14 CST
Subject: [pptp-server] overrun issue
Message-ID: <200103022008.f22K82M03609@mail.booksys.com>

I'm using pptp on a redhat linux 7.0 box, and I'm getting a whole lot of overruns on the sl0 interface. I've tried searching the net for some info but nothing. Any help would be greatly appreciated. I can send more info if needed (I can't get to the box right at this moment).

Thanks
Lee

From jkreger at avidsolutionsinc.com Fri Mar 2 14:31:27 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Fri, 2 Mar 2001 15:31:27 -0500
Subject: [pptp-server] Yes, blank username/password works!
Message-ID: <6B8A85826C35D31193BD0090278589C81DF039@CIC-EXCHANGE>

It would not be hard to write a patch to fix the smbpasswd authentication.

Now that I think about it, it could authenticate with MSChap and MSChapV2 with no login and password. If no secret is found with PAP, it kills the authentication process right then and there, but chap just keeps on going.

-----Original Message-----
From: Dread Boy [mailto:dreadboy at hotmail.com]
Sent: Friday, March 02, 2001 2:13 PM
To: pptp-server at lists.schulte.org; Steve at SteveCowles.com
Subject: RE: [pptp-server] Yes, blank username/password works!

You are correct, Steve. I was failing to put in my login username/password. I was assuming (ASS-outta-U-and-Me-ING) that the dial-up name and password would do the trick.

It was apples to oranges.

And again, that's correct, using chap-secrets is fine - it's only when using libsmbpw that problems arise for the blank user/password deal... Which is a real drag since I was hoping to keep user list maintenance synced for ease of use.

>From: "Cowles, Steve"
>To: pptp-server at lists.schulte.org
>Subject: RE: [pptp-server] Yes, blank username/password works!
>Date: Fri, 2 Mar 2001 11:19:11 -0600
>
> > -----Original Message-----
> > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > Sent: Friday, March 02, 2001 1:37 AM
> > To: pptp-server at lists.schulte.org; vgill at technologist.com
> > Subject: RE: [pptp-server] Yes, blank username/password works!
> >
> >
> > Yeah, and on top of all this it doesn't seem to matter what I
> > log in as, my username and password don't get carried over to
> > SAMBA for authenticating with server shares.
>
>Let's make sure we are comparing apples to apples here. The
>username/password
>that you specify in your windows PPTP dialup profile has NEVER been carried
>over for share access. Please keep the following in mind...
>
>1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
>to authenticate the tunnel connection ONLY.
>
>2) Share access uses the user/pass that you specified when you turned on
>your PC and logged in to get to your desktop. FWIW: This same user/pass can
>be specified in your PPTP dialup profile to be used to authenticate the
>PPTP
>tunnel.
>
> >
> > i.e. Whether I use a valid username/password or the blank, I
> > still can not access resources (or possibly ACLs) on the
> > servers even with valid usernames. On my local LAN it's no
> > problem, but remotely, it doesn't seem to know who I am while
> > I'm logged on.
> >
> > For example, when I click a share locally on my SAMBA server,
> > I can get into it and have certain rights based on my username/
> > password. I don't even have to think about it. "security =
> > user" in /etc/smb.conf. However, when I log in remotely with
> > Windoze using my PPTPD Linux server, when I even try to access
> > the server itself (let alone the share) it keeps asking me for
> > the IPC$ administration password as if it was an NT server.
> > It doesn't matter what I enter here, I can't get any farther.
>
>From the samba docs...
>
>Some people find browsing fails because they don't have the global
>"guest account" set to a valid account.
>Remember that the IPC$
>connection that lists the shares is done as guest, and thus you must
>have a valid guest account.
>----------------------------
>
>Also, is the PPTP clients WORKGROUP participation set to match what the
>clients on the LAN are configured to?
>
> >
> > Does PPTPD know my SMB username but not my password, or vice
> > versa? I thought maybe because it was encrypted using
> > libsmbpw.so that maybe it couldn't figure it out, but then
> > using chap-secrets plain-text passwords don't cut it either.
> >
> > Anyone know what this is all about?
> >
> > Geez, I thought this whole PPTPD Linux server was gonna be at
> > least a weekend of work, but it's turning out to be months
> > worth of work.
> >
>
>With regards to the "subject" line of this thread... let's make sure we are
>comparing apples to apples here. I'd hate to see PopTop/PPPD get the
>reputation of being insecure without the following clarification being
>noted.
>
>1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
>authentication to use the libsmbpw.o lib's (smbpasswd), then your system
>appears to be vulnerable to the blank user/pass exploit mentioned in this
>thread.
>
>2) Those of you who are still using the chap-secrets file (no re-direct)
>for
>tunnel authentication are NOT vulnerable to the blank user/pass exploit
>mentioned in this thread. I just verified this on my PopTop server! I do
>not
>use the re-direct to libsmbpw.o
>
>Steve Cowles
From rcd at amherst.com Fri Mar 2 15:26:12 2001
From: rcd at amherst.com (Robert Dege)
Date: Fri, 02 Mar 2001 16:26:12 -0500
Subject: [pptp-server] Yes, blank username/password works!
References: <6B8A85826C35D31193BD0090278589C81DF039@CIC-EXCHANGE>
Message-ID: <3AA00FF4.7030907@amherst.com>

Would it be possible to add an entry to chap-secrets, creating a NULL user, and assign a passwd? Just as a temporary workaround?

-Rob

Justin Kreger wrote:

> It would not be hard to write a patch to fix the smbpasswd authentication.
>
> Now that I think about it, it could authenticate with MSChap and MSChapV2
> with no login and password. If no secret is found with PAP, it kills the
> authentication process right then and there, but chap just keeps on going.
>
> -----Original Message-----
> From: Dread Boy [mailto:dreadboy at hotmail.com]
> Sent: Friday, March 02, 2001 2:13 PM
> To: pptp-server at lists.schulte.org; Steve at SteveCowles.com
> Subject: RE: [pptp-server] Yes, blank username/password works!
>
>
> You are correct, Steve. I was failing to put in my login username/password.
> I was assuming (ASS-outta-U-and-Me-ING) that the dial-up name and password
> would do the trick.
>
> It was apples to oranges.
>
> And again, that's correct, using chap-secrets is fine - it's only when using
> libsmbpw that problems arise for the blank user/password deal... Which is a
> real drag since I was hoping to keep user list maintenance synced for ease
> of use.
>
>> From: "Cowles, Steve"
>> To: pptp-server at lists.schulte.org
>> Subject: RE: [pptp-server] Yes, blank username/password works!
>> Date: Fri, 2 Mar 2001 11:19:11 -0600
>>
>>> -----Original Message-----
>>> From: Dread Boy [mailto:dreadboy at hotmail.com]
>>> Sent: Friday, March 02, 2001 1:37 AM
>>> To: pptp-server at lists.schulte.org; vgill at technologist.com
>>> Subject: RE: [pptp-server] Yes, blank username/password works!
>>>
>>>
>>> Yeah, and on top of all this it doesn't seem to matter what I
>>> log in as, my username and password don't get carried over to
>>> SAMBA for authenticating with server shares.
>>
>> Let's make sure we are comparing apples to apples here. The
>> username/password
>> that you specify in your windows PPTP dialup profile has NEVER been carried
>> over for share access. Please keep the following in mind...
>>
>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
>> to authenticate the tunnel connection ONLY.
>>
>> 2) Share access uses the user/pass that you specified when you turned on
>> your PC and logged in to get to your desktop. FWIW: This same user/pass can
>> be specified in your PPTP dialup profile to be used to authenticate the
>> PPTP
>> tunnel.
>>
>>> i.e. Whether I use a valid username/password or the blank, I
>>> still can not access resources (or possibly ACLs) on the
>>> servers even with valid usernames. On my local LAN it's no
>>> problem, but remotely, it doesn't seem to know who I am while
>>> I'm logged on.
>>>
>>> For example, when I click a share locally on my SAMBA server,
>>> I can get into it and have certain rights based on my username/
>>> password. I don't even have to think about it. "security =
>>> user" in /etc/smb.conf. However, when I log in remotely with
>>> Windoze using my PPTPD Linux server, when I even try to access
>>> the server itself (let alone the share) it keeps asking me for
>>> the IPC$ administration password as if it was an NT server.
>>> It doesn't matter what I enter here, I can't get any farther.
>>
> >From the samba docs...
>
>> Some people find browsing fails because they don't have the global
>> "guest account" set to a valid account.
>> Remember that the IPC$
>> connection that lists the shares is done as guest, and thus you must
>> have a valid guest account.
>> ----------------------------
>>
>> Also, is the PPTP clients WORKGROUP participation set to match what the
>> clients on the LAN are configured to?
>>
>>> Does PPTPD know my SMB username but not my password, or vice
>>> versa? I thought maybe because it was encrypted using
>>> libsmbpw.so that maybe it couldn't figure it out, but then
>>> using chap-secrets plain-text passwords don't cut it either.
>>>
>>> Anyone know what this is all about?
>>>
>>> Geez, I thought this whole PPTPD Linux server was gonna be at
>>> least a weekend of work, but it's turning out to be months
>>> worth of work.
>>>
>> With regards to the "subject" line of this thread... let's make sure we are
>> comparing apples to apples here. I'd hate to see PopTop/PPPD get the
>> reputation of being insecure without the following clarification being
>> noted.
>>
>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
>> authentication to use the libsmbpw.o lib's (smbpasswd), then your system
>> appears to be vulnerable to the blank user/pass exploit mentioned in this
>> thread.
>>
>> 2) Those of you who are still using the chap-secrets file (no re-direct)
>> for
>> tunnel authentication are NOT vulnerable to the blank user/pass exploit
>> mentioned in this thread. I just verified this on my PopTop server! I do
>> not
>> use the re-direct to libsmbpw.o
>>
>> Steve Cowles
From jkreger at avidsolutionsinc.com Fri Mar 2 15:30:20 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Fri, 2 Mar 2001 16:30:20 -0500
Subject: [pptp-server] pppd authentication stuffs
Message-ID: <6B8A85826C35D31193BD0090278589C81DF03B@CIC-EXCHANGE>

Ok, I will make a patch for this smbpasswd problem, is ppp-2.3.11 ok?

BTW, did anybody ever port my pap smb authentication code to ppp-2.4.0?

From adam at morrison-ind.com Fri Mar 2 15:46:04 2001
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Fri, 02 Mar 2001 16:46:04 -0500 (EST)
Subject: [pptp-server] Yes, blank username/password works!
In-Reply-To: <6B8A85826C35D31193BD0090278589C81DF039@CIC-EXCHANGE>
References: <6B8A85826C35D31193BD0090278589C81DF039@CIC-EXCHANGE>
Message-ID: <983569564.3aa0149c6d220@barracuda>

>1) If you have configured your PopTop/PPPD system to re-direct PPTP
>tunnel authentication to use the libsmbpw.o lib's (smbpasswd), then your
>system appears to be vulnerable to the blank user/pass exploit mentioned in
>this thread.

>2) Those of you who are still using the chap-secrets file (no re-direct)
>for tunnel authentication are NOT vulnerable to the blank user/pass
>exploit mentioned in this thread. I just verified this on my PopTop server!
>I do
>not use the re-direct to libsmbpw.o

FWIW, I've tested my ppp/pptpd modified for LDAP authentication and been unable to duplicate this exploit.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

From nick at taxlawyer.co.nz Fri Mar 2 15:50:47 2001
From: nick at taxlawyer.co.nz (Nick Rout)
Date: Sat, 03 Mar 2001 10:50:47 +1300
Subject: [pptp-server] Browsing and name resolution
Message-ID: <69136736.983616647@[192.168.2.1]>

I am sorry if these points have been covered before, but here goes:

I am using redhat 7.0 with the pptpd vers 1.0.0 rpm installed from the powertools cd. This is on my office network, which is on an adsl line. I have samba running on that machine and on another machine at the office. One samba machine is set up as a WINS server (but it is the other machine, not the pptpd server). The other machines at work are all win 95B.

At home I have a win 98 (original not SE) connecting to the net through a linux nat box - dialup.

I can get a connection through to the office network. I have set the ip address on both ends of the tunnel on the same subnet as the office machines, I can ping all the office machines (linux and windows). I have the /etc/ppp/options setup on the pptpd machine to hand out the address of the wins server, and I see it set in winipcfg on the home machine. I can even seem to ping the office machines by netbios name from home. I can connect via the \\officemachine\share mechanism.

However I cannot see the office machines in network neighbourhood. Well I can sometimes, but not often, and very unreliably. The workgroup name is set the same at both ends.

Short question is then: how do I get network neighbourhood working properly? Should I move the wins service onto the same machine as the pptpd server? Should I put a "browse list = yes " into one of my samba servers, if so which one (or both?). Should I install dun40 and what are its implications?

I have read the howto by Phil Van Baren.

Thanks.

From berzerke at swbell.net Fri Mar 2 20:24:54 2001
From: berzerke at swbell.net (robert)
Date: Fri, 02 Mar 2001 20:24:54 -0600
Subject: [pptp-server] Yes, blank username/password works!
In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE687@defiant.infohiiway.com>
References: <90769AF04F76D41186C700A0C90AFC3EE687@defiant.infohiiway.com>
Message-ID: <01030220245400.23658@linux>

I'm wondering if anyone has considered that if you have a good guest account for samba, then samba will use that if a bad username/password is sent. Blank would definitely count as bad. I use blank password to list shares, i.e. smbclient -L somemachine and just hit enter when asked for a password. Logs show guest account is used and I do get the listing. Could someone having this problem try disabling the guest account and seeing if the problem goes away?

On Friday 02 March 2001 11:19, Cowles, Steve wrote:
> > -----Original Message-----
> > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > Sent: Friday, March 02, 2001 1:37 AM
> > To: pptp-server at lists.schulte.org; vgill at technologist.com
> > Subject: RE: [pptp-server] Yes, blank username/password works!
> >
> >
> > Yeah, and on top of all this it doesn't seem to matter what I
> > log in as, my username and password don't get carried over to
> > SAMBA for authenticating with server shares.
>
> Let's make sure we are comparing apples to apples here. The
> username/password that you specify in your windows PPTP dialup profile has
> NEVER been carried over for share access. Please keep the following in
> mind...
>
> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
> to authenticate the tunnel connection ONLY.
>
> 2) Share access uses the user/pass that you specified when you turned on
> your PC and logged in to get to your desktop. FWIW: This same user/pass can
> be specified in your PPTP dialup profile to be used to authenticate the
> PPTP tunnel.
>
> > i.e. Whether I use a valid username/password or the blank, I
> > still can not access resources (or possibly ACLs) on the
> > servers even with valid usernames. On my local LAN it's no
> > problem, but remotely, it doesn't seem to know who I am while
> > I'm logged on.
> >
> > For example, when I click a share locally on my SAMBA server,
> > I can get into it and have certain rights based on my username/
> > password. I don't even have to think about it. "security =
> > user" in /etc/smb.conf. However, when I log in remotely with
> > Windoze using my PPTPD Linux server, when I even try to access
> > the server itself (let alone the share) it keeps asking me for
> > the IPC$ administration password as if it was an NT server.
> > It doesn't matter what I enter here, I can't get any farther.
>
> From the samba docs...
>
> Some people find browsing fails because they don't have the global
> "guest account" set to a valid account.
> Remember that the IPC$
> connection that lists the shares is done as guest, and thus you must
> have a valid guest account.
> ----------------------------
>
> Also, is the PPTP clients WORKGROUP participation set to match what the
> clients on the LAN are configured to?
>
> > Does PPTPD know my SMB username but not my password, or vice
> > versa? I thought maybe because it was encrypted using
> > libsmbpw.so that maybe it couldn't figure it out, but then
> > using chap-secrets plain-text passwords don't cut it either.
> >
> > Anyone know what this is all about?
> >
> > Geez, I thought this whole PPTPD Linux server was gonna be at
> > least a weekend of work, but it's turning out to be months
> > worth of work.
>
> With regards to the "subject" line of this thread... let's make sure we are
> comparing apples to apples here. I'd hate to see PopTop/PPPD get the
> reputation of being insecure without the following clarification being
> noted.
>
> 1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
> authentication to use the libsmbpw.o lib's (smbpasswd), then your system
> appears to be vulnerable to the blank user/pass exploit mentioned in this
> thread.
>
> 2) Those of you who are still using the chap-secrets file (no re-direct)
> for tunnel authentication are NOT vulnerable to the blank user/pass exploit
> mentioned in this thread. I just verified this on my PopTop server! I do
> not use the re-direct to libsmbpw.o
>
> Steve Cowles

From anesthes at cisdi.com Fri Mar 2 21:31:24 2001
From: anesthes at cisdi.com (Joey Coco)
Date: Fri, 2 Mar 2001 22:31:24 -0500 (EST)
Subject: [pptp-server] Yes, blank username/password works!
In-Reply-To: <01030220245400.23658@linux>
Message-ID:

Hi,

I'm curious how it does that. I was under the assumption that the smb patch just looked at the samba password file. I'm curious why it would default to guest on bad login.. I'll have to download the patch and look at the source. I don't use samba enough to justify using this patch, but I find your problem interesting.

-- Joe

On Fri, 2 Mar 2001, robert wrote:

> I'm wondering if anyone has considered that if you have a good guest account
> for samba, then samba will use that if a bad username/password is sent.
> Blank would definitely count as bad. I use blank password to list shares,
> i.e. smbclient -L somemachine and just hit enter when asked for a password.
> Logs show guest account is used and I do get the listing. Could someone
> having this problem try disabling the guest account and seeing if the problem
> goes away?
>
> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
> > > -----Original Message-----
> > > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > > Sent: Friday, March 02, 2001 1:37 AM
> > > To: pptp-server at lists.schulte.org; vgill at technologist.com
> > > Subject: RE: [pptp-server] Yes, blank username/password works!
> > >
> > >
> > > Yeah, and on top of all this it doesn't seem to matter what I
> > > log in as, my username and password don't get carried over to
> > > SAMBA for authenticating with server shares.
> >
> > Let's make sure we are comparing apples to apples here. The
> > username/password that you specify in your windows PPTP dialup profile has
> > NEVER been carried over for share access. Please keep the following in
> > mind...
> >
> > 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
> > to authenticate the tunnel connection ONLY.
> >
> > 2) Share access uses the user/pass that you specified when you turned on
> > your PC and logged in to get to your desktop. FWIW: This same user/pass can
> > be specified in your PPTP dialup profile to be used to authenticate the
> > PPTP tunnel.
> >
> > > i.e. Whether I use a valid username/password or the blank, I
> > > still can not access resources (or possibly ACLs) on the
> > > servers even with valid usernames. On my local LAN it's no
> > > problem, but remotely, it doesn't seem to know who I am while
> > > I'm logged on.
> > >
> > > For example, when I click a share locally on my SAMBA server,
> > > I can get into it and have certain rights based on my username/
> > > password. I don't even have to think about it. "security =
> > > user" in /etc/smb.conf. However, when I log in remotely with
> > > Windoze using my PPTPD Linux server, when I even try to access
> > > the server itself (let alone the share) it keeps asking me for
> > > the IPC$ administration password as if it was an NT server.
> > > It doesn't matter what I enter here, I can't get any farther.
> >
> > From the samba docs...
> >
> > Some people find browsing fails because they don't have the global
> > "guest account" set to a valid account. Remember that the IPC$
> > connection that lists the shares is done as guest, and thus you must
> > have a valid guest account.
> > ----------------------------
> >
> > Also, is the PPTP clients WORKGROUP participation set to match what the
> > clients on the LAN are configured to?
> >
> > > Does PPTPD know my SMB username but not my password, or vice
> > > versa? I thought maybe because it was encrypted using
> > > libsmbpw.so that maybe it couldn't figure it out, but then
> > > using chap-secrets plain-text passwords don't cut it either.
> > >
> > > Anyone know what this is all about?
> > >
> > > Geez, I thought this whole PPTPD Linux server was gonna be at
> > > least a weekend of work, but it's turning out to be months
> > > worth of work.
> >
> > With regards to the "subject" line of this thread... let's make sure we are
> > comparing apples to apples here. I'd hate to see PopTop/PPPD get the
> > reputation of being insecure without the following clarification being
> > noted.
> >
> > 1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
> > authentication to use the libsmbpw.o lib's (smbpasswd), then your system
> > appears to be vulnerable to the blank user/pass exploit mentioned in this
> > thread.
> >
> > 2) Those of you who are still using the chap-secrets file (no re-direct)
> > for tunnel authentication are NOT vulnerable to the blank user/pass exploit
> > mentioned in this thread. I just verified this on my PopTop server! I do
> > not use the re-direct to libsmbpw.o
> >
> > Steve Cowles
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
/ "I'd like to think that everything is beautiful, and I'd like to think  /
\ that everything is fair. I'd like to think that everything is plentiful,\
/ and i'd like to think that every body cares. We'd like to thank you.."   /
\                                                                         \
/ http://members.cisdi.com/~anesthes/ -=- IM: imd3fc0n                     /
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
C r e a t i v e   I l l u s i o n s   S o f t w a r e   D e s i g n,   I n c.

From godfrey at hattaways.com Fri Mar 2 21:27:21 2001
From: godfrey at hattaways.com (Godfrey Livingstone)
Date: Sat, 03 Mar 2001 16:27:21 +1300
Subject: [pptp-server] Yes, blank username/password works!
References: <90769AF04F76D41186C700A0C90AFC3EE687@defiant.infohiiway.com> <01030220245400.23658@linux>
Message-ID: <3AA06499.6ACF31C6@hattaways.com>

There is no guest account in my smbpasswd file and as that is all that is used by pptpd with smb patches this would not appear to solve the problem. And yes blank name password can log in for me.

Godfrey

robert wrote:

> I'm wondering if anyone has considered that if you have a good guest account
> for samba, then samba will use that if a bad username/password is sent.
> Blank would definitely count as bad. I use blank password to list shares,
> i.e. smbclient -L somemachine and just hit enter when asked for a password.
> Logs show guest account is used and I do get the listing. Could someone
> having this problem try disabling the guest account and seeing if the problem
> goes away?
>
> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
> > > -----Original Message-----
> > > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > > Sent: Friday, March 02, 2001 1:37 AM
> > > To: pptp-server at lists.schulte.org; vgill at technologist.com
> > > Subject: RE: [pptp-server] Yes, blank username/password works!
> > >
> > >
> > > Yeah, and on top of all this it doesn't seem to matter what I
> > > log in as, my username and password don't get carried over to
> > > SAMBA for authenticating with server shares.
> >
> > Let's make sure we are comparing apples to apples here. The
> > username/password that you specify in your windows PPTP dialup profile has
> > NEVER been carried over for share access. Please keep the following in
> > mind...
> >
> > 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
> > to authenticate the tunnel connection ONLY.
> >
> > 2) Share access uses the user/pass that you specified when you turned on
> > your PC and logged in to get to your desktop. FWIW: This same user/pass can
> > be specified in your PPTP dialup profile to be used to authenticate the
> > PPTP tunnel.
> >
> > > i.e. Whether I use a valid username/password or the blank, I
> > > still can not access resources (or possibly ACLs) on the
> > > servers even with valid usernames. On my local LAN it's no
> > > problem, but remotely, it doesn't seem to know who I am while
> > > I'm logged on.
> > >
> > > For example, when I click a share locally on my SAMBA server,
> > > I can get into it and have certain rights based on my username/
> > > password. I don't even have to think about it. "security =
> > > user" in /etc/smb.conf. However, when I log in remotely with
> > > Windoze using my PPTPD Linux server, when I even try to access
> > > the server itself (let alone the share) it keeps asking me for
> > > the IPC$ administration password as if it was an NT server.
> > > It doesn't matter what I enter here, I can't get any farther.
> >
> > From the samba docs...
> >
> > Some people find browsing fails because they don't have the global
> > "guest account" set to a valid account. Remember that the IPC$
> > connection that lists the shares is done as guest, and thus you must
> > have a valid guest account.
> > ----------------------------
> >
> > Also, is the PPTP client's WORKGROUP participation set to match what the
> > clients on the LAN are configured to?
> >
> > > Does PPTPD know my SMB username but not my password, or vice
> > > versa? I thought maybe because it was encrypted using
> > > libsmbpw.so that maybe it couldn't figure it out, but then
> > > using chap-secrets plain-text passwords don't cut it either.
> > >
> > > Anyone know what this is all about?
> > >
> > > Geez, I thought this whole PPTPD Linux server was gonna be at
> > > least a weekend of work, but it's turning out to be months
> > > worth of work.
> >
> > With regards to the "subject" line of this thread... let's make sure we are
> > comparing apples to apples here. I'd hate to see PopTop/PPPD get the
> > reputation of being insecure without the following clarification being
> > noted.
> >
> > 1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
> > authentication to use the libsmbpw.o lib's (smbpasswd), then your system
> > appears to be vulnerable to the blank user/pass exploit mentioned in this
> > thread.
> >
> > 2) Those of you who are still using the chap-secrets file (no re-direct)
> > for tunnel authentication are NOT vulnerable to the blank user/pass exploit
> > mentioned in this thread. I just verified this on my PopTop server! I do
> > not use the re-direct to libsmbpw.o
> >
> > Steve Cowles
From jkreger at avidsolutionsinc.com Fri Mar 2 21:20:47 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Fri, 2 Mar 2001 22:20:47 -0500
Subject: [pptp-server] Yes, blank username/password works! <-- Fix attached to this email
Message-ID: <6B8A85826C35D31193BD0090278589C81DF04A@CIC-EXCHANGE>

In short, different means of authentication. It may use the password file,
but it does not interact with samba's daemon processes.

As for fixing this problem, I have written a patch.

It fixes the two problems, the blank login/password problem, and the
unknown user/blank password problem.

Please TEST this ASAP with win9x. Both my win9x boxen think that they should
be only talking in CHAP, not MSCHAP, and I can't seem to find msdun128.exe
to fix it.

(This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested with
Windows NT Server 4, Service Pack 6)

-Justin Kreger, MCP MCSE

-----Original Message-----
From: robert
To: Cowles, Steve; pptp-server at lists.schulte.org
Sent: 3/2/01 9:24 PM
Subject: Re: [pptp-server] Yes, blank username/password works!

I'm wondering if anyone has considered that if you have a good guest account
for samba, then samba will use that if a bad username/password is sent.
Blank would definitely count as bad. I use blank password to list shares,
i.e. smbclient -L somemachine and just hit enter when asked for a password.
Logs show guest account is used and I do get the listing. Could someone
having this problem try disabling the guest account and seeing if the problem
goes away?

On Friday 02 March 2001 11:19, Cowles, Steve wrote:
Name: smbpasswdauthfix.patch
Type: application/octet-stream
Size: 1770 bytes
Desc: not available
URL:

From godfrey at hattaways.com Fri Mar 2 22:15:20 2001
From: godfrey at hattaways.com (Godfrey Livingstone)
Date: Sat, 03 Mar 2001 17:15:20 +1300
Subject: [pptp-server] Ppp/pptpd modified for LDAP
References: <6B8A85826C35D31193BD0090278589C81DF039@CIC-EXCHANGE> <983569564.3aa0149c6d220@barracuda>
Message-ID: <3AA06FD8.27E71487@hattaways.com>

Will you make your patch available?

Adam Tauno Williams wrote:
> >1) If you have configured your PopTop/PPPD system to re-direct PPTP
> >tunnel authentication to use the libsmbpw.o lib's (smbpasswd), then your
> >system appears to be vulnerable to the blank user/pass exploit mentioned in
> >this thread.
> >2) Those of you who are still using the chap-secrets file (no re-direct)
> >for tunnel authentication are NOT vulnerable to the blank user/pass
> >exploit mentioned in this thread. I just verified this on my PopTop server!
> >I do not use the re-direct to libsmbpw.o
>
> FWIW, I've tested my ppp/pptpd modified for LDAP authentication and been unable
> to duplicate this exploit.
>
> Systems and Network Administrator
> Morrison Industries
> 1825 Monroe Ave NW.
> Grand Rapids, MI. 49505

From comm at il.od.ua Sat Mar 3 04:32:47 2001
From: comm at il.od.ua (Oleg Mishagli)
Date: Sat, 3 Mar 2001 12:32:47 +0200
Subject: [pptp-server] PoPToP pptp VPN server
Message-ID: <001201c0a3cd$4c4223c0$6401a8c0@100>

Hello

I have a trouble with a PoPToP pptp VPN server. I need your help.
How may I assign a particular IP address to a definite user name?
For example:

username   password   IP address
bob        bobpass    192.168.10.10
stiv       stivpass   192.168.10.11
alf        alfpass    192.168.10.12

I attempted to use options in the file chap-secrets for it:

bob servername bobpass 192.168.10.1:192.168.10.10

But it isn't working. Please help me. :)

P.S. Sorry for my bad English

From jkreger at avidsolutionsinc.com Sat Mar 3 05:58:54 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Sat, 3 Mar 2001 06:58:54 -0500
Subject: [pptp-server] Yes, blank username/password works!
Message-ID: <6B8A85826C35D31193BD0090278589C81DF04C@CIC-EXCHANGE>

There is no guest, it just returns no secret if none is found.

-----Original Message-----
From: Joey Coco
To: robert
Cc: Cowles, Steve; pptp-server at lists.schulte.org
Sent: 3/2/01 10:31 PM
Subject: Re: [pptp-server] Yes, blank username/password works!

Hi, I'm curious how it does that. I was under the assumption that the smb
patch just looked at the samba password file. I'm curious why it would
default to guest on bad login.. I'll have to download the patch and look at
the source. I don't use samba enough to justify using this patch, but I find
your problem interesting.

-- Joe

On Fri, 2 Mar 2001, robert wrote:
> I'm wondering if anyone has considered that if you have a good guest account
> for samba, then samba will use that if a bad username/password is sent.
> Blank would definitely count as bad. I use blank password to list shares,
> i.e. smbclient -L somemachine and just hit enter when asked for a password.
> Logs show guest account is used and I do get the listing. Could someone
> having this problem try disabling the guest account and seeing if the problem
> goes away?
>
> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
From glaze at nos4-a2.com Sat Mar 3 18:01:41 2001
From: glaze at nos4-a2.com (Doyle Glaze)
Date: Sat, 03 Mar 2001 18:01:41 -0600 (CST)
Subject: [pptp-server] pptp for rh7.0 smp kernel
Message-ID: <983664101.3aa185e589ae2@dglaze.yi.org>

HELP......

Has anyone received the error when connecting from a windows 98 computer

"/usr/sbin/pppd: This system lacks kernel support for PPP. This could be
because the PPP kernel module could not be loaded, or because PPP was not
included in the kernel configuration. If PPP was included as a module try
'/sbin/modprobe -v ppp'. If that fails, check t"

This shows on the console but not in the /var/log/messages. I know that the
kernel is not set with the ppp but that it is a module. The setup works great
when I boot the single processor kernel but not in the smp kernel.

Please help....

Also does anyone have just the pptp client for linux?

Doyle Glaze
glaze at nos4-a2.com

From ripley at wsavvy.com Sun Mar 4 04:16:58 2001
From: ripley at wsavvy.com (Shawn Ripley)
Date: Sun, 4 Mar 2001 03:16:58 -0700
Subject: [pptp-server] W2K INTERNET SHARING __DSL__PPTP
Message-ID:

Has anyone implemented a vpn connection from a windows 98 w2k client to their
poptop linux box using internet sharing from a dsl? I know the server works
well because with a modem it connects every time.

From vgill at technologist.com Sun Mar 4 11:17:10 2001
From: vgill at technologist.com (Gill, Vern)
Date: Sun, 4 Mar 2001 09:17:10 -0800
Subject: [pptp-server] pppd authentication stuffs
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D0B@ftp.gillnet.org>

I tried, but I never got it working. I was trying to use it for my pppoe, but
it always failed. I did not investigate too much tho...

#define NotA-Programmer
#ifdef NotA-Programmer
static Patches Will Give Headaches For A Long Time
#endif

-----Original Message-----
From: Justin Kreger [mailto:jkreger at avidsolutionsinc.com]
Sent: Friday, March 02, 2001 1:30 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] pppd authentication stuffs

Ok, I will make a patch for this smbpasswd problem, is ppp-2.3.11 ok?

BTW, did anybody ever port my pap smb authentication code to ppp-2.4.0?

From vgill at technologist.com Sun Mar 4 11:19:57 2001
From: vgill at technologist.com (Gill, Vern)
Date: Sun, 4 Mar 2001 09:19:57 -0800
Subject: [pptp-server] W2K INTERNET SHARING __DSL__PPTP
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D0C@ftp.gillnet.org>

I can connect from my father's Windows ICS shared dsl to my pptpd on linux at
home. Can even do so from another box inside his "lan" (2 computers don't
REALLY qualify as a lan, do they?) Both systems are w98.

From godfrey at hattaway-associates.com Sun Mar 4 17:45:45 2001
From: godfrey at hattaway-associates.com (Godfrey Livingstone)
Date: Mon, 05 Mar 2001 12:45:45 +1300
Subject: [pptp-server] Patch blank password/username
References: <6B8A85826C35D31193BD0090278589C81DF04A@CIC-EXCHANGE>
Message-ID: <3AA2D3A9.9F37778E@hattaway-associates.com>

Justin, your patch does work, but the attached patch is tidier: as soon as a
match is found in smbpasswd the while loop exits, which also saves time if
smbpasswd is large. I then check to see if smb == NULL; if so, there is no
match in the smbpasswd file, so skip to the next line of chap-secrets. No need
to make up a secret which might potentially match (I know the chance of that
is very very small).

Godfrey

Justin Kreger wrote:
> In short, different means of authentication. It may use the password file,
> but it does not interact with samba's daemon processes.
>
> As for fixing this problem, I have written a patch.
>
> It fixes the two problems, the blank login/password problem, and the
> unknown user/blank password problem.
>
> Please TEST this ASAP with win9x. Both my win9x boxen think that they should
> be only talking in CHAP, not MSCHAP, and I can't seem to find msdun128.exe
> to fix it.
>
> (This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested with
> Windows NT Server 4, Service Pack 6)
>
> -Justin Kreger, MCP MCSE
>
> -----Original Message-----
> From: robert
> To: Cowles, Steve; pptp-server at lists.schulte.org
> Sent: 3/2/01 9:24 PM
> Subject: Re: [pptp-server] Yes, blank username/password works!
>
> I'm wondering if anyone has considered that if you have a good guest
> account for samba, then samba will use that if a bad username/password is sent.
> Blank would definitely count as bad. I use blank password to list
> shares, i.e. smbclient -L somemachine and just hit enter when asked for a
> password. Logs show guest account is used and I do get the listing. Could
> someone having this problem try disabling the guest account and seeing if the
> problem goes away?
>
> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
> _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > > ------------------------------------------------------------------------ > Name: smbpasswdauthfix.patch > smbpasswdauthfix.patch Type: unspecified type (application/octet-stream) > Encoding: quoted-printable -------------- next part -------------- --- ppp-2.3.11/pppd/auth.c.org Mon Mar 5 12:19:41 2001 +++ ppp-2.3.11/pppd/auth.c Mon Mar 5 12:31:54 2001 @@ -1871,10 +1871,15 @@ ) { memcpy(word, smbname, NTPASS); word[NTPASS]='\000'; + break; } } endsmbpwent(); + if (smb == NULL) { + warn("no secret in samba secret file %s", atfile); + continue; + } } #endif if (secret != NULL) From jdonahue at agiletech.com Sun Mar 4 22:14:07 2001 
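Review bot: the new `if (smb == NULL)` test after `endsmbpwent()` only means "no entry matched" if `smb` is the pointer returned by the get-entry call (presumably `getsmbpwent()`) in the loop condition and the loop can end in no way other than that pointer going NULL or the new `break` on a username match; that loop header is outside the hunk, so include it as context (or add a one-line comment) so a reader can confirm that `word` is always filled when `smb` is non-NULL. The `continue` to the next chap-secrets entry in place of leaving `word` empty is what closes the blank and unknown username acceptance described in the thread, and the `warn("no secret in samba secret file %s", atfile)` would serve an operator better if it also named the username whose lookup failed, not only the file.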
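Godfrey's description of the fix and Justin's "it just returns no secret if none is found", modelled as an added example (not pppd, PoPToP or either patch's code): the chap-secrets walk with the `&/etc/samba/smbpasswd` redirect, the fall-through that leaves an empty secret when no smbpasswd entry matches, and the "skip to the next chap-secrets line" check beside it. The two files are constructed, and SHA-256 stands in for the MD4 NT hash and for the MS-CHAP response computation.

```python
"""Model of the chap-secrets -> smbpasswd redirect lookup from the thread.
Shows why handing back an empty secret on 'no match' accepts a blank or
unknown username with a blank password, and how 'continue to the next
chap-secrets line' on no match closes that gap."""
import hashlib
from typing import Optional

# Constructed stand-in for /etc/ppp/chap-secrets: client, server, secret, addrs.
CHAP_SECRETS = """\
# client  server  secret                  IP addresses
*         *       &/etc/samba/smbpasswd   *
"""


def nt_hash(password: str) -> str:
    """Stand-in for the NT hash. Real smbpasswd stores MD4(UTF-16LE(password));
    SHA-256 is used here only because MD4 is missing from many Python builds."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()[:32]


# Constructed stand-in for /etc/samba/smbpasswd:
#   user:uid:LM hash:NT hash:[flags]:LCT-<hex time>:
SMBPASSWD = "\n".join([
    f"bob:1001:{'X' * 32}:{nt_hash('b0bs-secret')}:[U          ]:LCT-3AA2D3A9:",
    f"alice:1002:{'X' * 32}:{nt_hash('al1ce-secret')}:[U          ]:LCT-3AA2D3A9:",
]) + "\n"


def smbpasswd_nt_hash(username: str, smbpasswd: str) -> Optional[str]:
    """Return the stored NT hash for username, or None when no entry matches.
    Stops at the first match, as the patched while loop does with its break."""
    for line in smbpasswd.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == username:
            return fields[3]
    return None


def lookup_secret(client: str, server: str, chap_secrets: str, smbpasswd: str,
                  reject_unknown: bool) -> Optional[str]:
    """Walk chap-secrets and resolve a '&file' redirect.
    reject_unknown=False models the behaviour reported in the thread: no
    smbpasswd match leaves an empty secret in place and the entry is used.
    reject_unknown=True models the fix: no match means 'continue' to the
    next chap-secrets line; with none left, there is no secret at all."""
    for line in chap_secrets.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        c, s, secret = line.split()[:3]
        if c not in ("*", client) or s not in ("*", server):
            continue
        if secret.startswith("&"):
            stored = smbpasswd_nt_hash(client, smbpasswd)
            if stored is None:
                if reject_unknown:
                    continue          # fix: try the next chap-secrets line
                secret = ""           # fall-through: "no secret" becomes an empty one
            else:
                secret = stored
        return secret
    return None


def chap_response(challenge: bytes, nthash: str) -> str:
    """Stand-in for the MS-CHAP response: H(challenge || NT hash)."""
    return hashlib.sha256(challenge + bytes.fromhex(nthash)).hexdigest()


def secret_to_nt_hash(secret: str) -> str:
    """A 32-hex secret came from smbpasswd and is already a hash; anything
    else is treated as a plaintext password, as chap-secrets entries are.
    An empty secret therefore hashes exactly like a blank password."""
    if len(secret) == 32 and all(ch in "0123456789abcdef" for ch in secret):
        return secret
    return nt_hash(secret)


def server_accepts(username: str, password: str, reject_unknown: bool,
                   server: str = "pptpd", challenge: bytes = b"\x01" * 16) -> bool:
    """Client side: answer the challenge from its password. Server side: look
    up the secret and compare. Returns the server's accept/reject decision."""
    client_resp = chap_response(challenge, nt_hash(password))
    secret = lookup_secret(username, server, CHAP_SECRETS, SMBPASSWD, reject_unknown)
    if secret is None:
        return False                  # nothing to check against: reject
    return client_resp == chap_response(challenge, secret_to_nt_hash(secret))


if __name__ == "__main__":
    for user, pw in [("bob", "b0bs-secret"), ("bob", "wrong"), ("", ""), ("mallory", "")]:
        print(f"{user or '<blank>':8} {pw or '<blank>':12} "
              f"fall-through={server_accepts(user, pw, False)!s:5} "
              f"fixed={server_accepts(user, pw, True)}")
```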
From: jdonahue at agiletech.com (jdonahue at agiletech.com)
Date: Sun, 4 Mar 2001 23:14:07 -0500
Subject: [pptp-server] Where'd my encryption go?!?
Message-ID:

Yes, other clients (W2K) connect fine with 40-bit encryption. Seems that
128-bit is where things get hung up...

George Vieira
cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/04/2001 05:40 PM

Sorry for being late and I haven't checked for any other posts from other
people about this one..

Mar 2 08:30:18 SSTVPN1 pppd[1266]: LCP terminated by peer (WM-mle^@
/dev/pts/0
Mar 2 08:30:09 SSTVPN1 pptpd[1265]: GRE: Discarding duplicate packet
Mar 2 08:30:11 SSTVPN1 pptpd[1265]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 2 08:30:12 SSTVPN1 pppd[1266]: MSCHAP-v2 peer authentication succeeded for donahuej
Mar 2 08:30:12 SSTVPN1 pppd[1266]: found interface eth1 for proxy arp
Mar 2 08:30:12 SSTVPN1 pppd[1266]: local IP address 192.168.1.202
Mar 2 08:30:12 SSTVPN1 pppd[1266]: remote IP address 192.168.1.207
Mar 2 08:30:18 SSTVPN1 pptpd[1265]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 2 08:30:18 SSTVPN1 pppd[1266]: LCP terminated by peer (WM-mle^@

cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 05:30 PM

Check your /var/log/messages file again.. I've seen so many 619 errors that
you'd think it would burn in the back of your brain by now...

thanks,
George Vieira

-----Original Message-----
From: jdonahue at agiletech.com [mailto:jdonahue at agiletech.com]
Sent: Friday, March 02, 2001 9:25 AM
To: George Vieira
Cc: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] Where'd my encryption go?!?

Figured it out. In the 10 mins between pptp connections, I installed the MS IE
128bit encryption upgrade....that's what broke. Windows is requiring 128 bit
encryption.

This WAS my options file:

lock
debug
auth
require-chap
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
ms-wins 192.168.1.9

I took out the mppe-40, and tried again...got further....verified
username/password, then when it got to "Registering your computer on the
network", it disconnected with error code 619: The specified port is not
connected...how do I get the server working with 128 bit???

George Vieira
cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 04:58 PM

Do what I do... Delete the DUN icon which connects and start a new one.. test
it. If that fails, start reducing things until it works... if you're sure it's
MPPE failing then when you turn off encryption then it'll work.. but test
anyway..

thanks,
George Vieira

-----Original Message-----
From: jdonahue at agiletech.com [mailto:jdonahue at agiletech.com]
Sent: Friday, March 02, 2001 9:03 AM
To: George Vieira
Cc: pptp-server
Subject: RE: [pptp-server] Where'd my encryption go?!?

Looks like this is a client side issue, just found out others are able to
connect, no problem...what should I check? (I am using W2K)

George Vieira
cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 04:41 PM

MPPE seems to be registering OK but these lines I'm worried about..

Mar 1 15:36:57 SSTVPN1 pppd[1479]: LCP terminated by peer (JM-iYM-^K^@
/dev/pts/1
Mar 1 15:36:55 SSTVPN1 pptpd[1478]: GRE: Discarding duplicate packet
Mar 1 15:36:57 SSTVPN1 pptpd[1478]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 1 15:36:57 SSTVPN1 kernel: PPP BSD Compression module registered
Mar 1 15:36:57 SSTVPN1 kernel: PPP MPPE compression module registered
Mar 1 15:36:57 SSTVPN1 kernel: PPP Deflate Compression module registered
Mar 1 15:36:57 SSTVPN1 pppd[1479]: MSCHAP-v2 peer authentication succeeded for donahuej
Mar 1 15:36:57 SSTVPN1 pptpd[1478]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 1 15:36:57 SSTVPN1 pppd[1479]: LCP terminated by peer (JM-iYM-^K^@

cc:
Subject: RE: [pptp-server] Where'd my encryption go?!?
03/01/2001 04:14 PM

What does the /var/log/messages file say? Any MPPE errors?

thanks,
George Vieira

-----Original Message-----
From: jdonahue at agiletech.com [mailto:jdonahue at agiletech.com]
Sent: Friday, March 02, 2001 1:50 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Where'd my encryption go?!?

I have RH7, and have configured pptp with encryption successfully (took long enough). Everything was working fine, all boot scripts in place... reboot server, everything still works. Then all of a sudden yesterday I lost encryption!.... Like it was never there! I connect - requiring encryption, ok.... disconnect, 10 mins later reconnect..... ERROR - server does not support encryption level required?!?? So.... for giggles I try rebooting, I know the scripts worked ok before- but that doesn't work.... WHAT HAPPENED? Can Anyone help me?!?

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From awilliam at whitemice.org Sun Mar 4 20:29:08 2001
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Sun, 4 Mar 2001 21:29:08 -0500
Subject: [pptp-server] Ppp/pptpd modified for LDAP
In-Reply-To: <3AA06FD8.27E71487@hattaways.com>
References: <6B8A85826C35D31193BD0090278589C81DF039@CIC-EXCHANGE> <983569564.3aa0149c6d220@barracuda> <3AA06FD8.27E71487@hattaways.com>
Message-ID: <20010304212908.0b31a2ab.awilliam@whitemice.org>

> Will you make your patch available.

My modified pppd is available at ldapconsole.sourceforge.net. It's not a patch, as I don't know how to make one. I just took pppd, applied all the patches, including smbpasswd, and then changed it to use the LDAP API to get the NT password hash.

>>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP
>>> tunnel authentication to use the libsmbpw.o lib's (smbpasswd), then your
>>> system appears to be vulnerable to the blank user/pass exploit mentioned in
>>> this thread.
>>> 2) Those of you who are still using the chap-secrets file (no re-direct)
>>> for tunnel authentication are NOT vulnerable to the blank user/pass
>>> exploit mentioned in this thread. I just verified this on my PopTop server!
>>> I do not use the re-direct to libsmbpw.o
>> FWIW, I've tested my ppp/pptpd modified for LDAP authentication and been unable
>> to duplicate this exploit.

From jerry_fields_1 at yahoo.com Mon Mar 5 00:01:18 2001
From: jerry_fields_1 at yahoo.com (Jerry Fields)
Date: Sun, 4 Mar 2001 22:01:18 -0800 (PST)
Subject: [pptp-server] Conection works, but get Protocol-Reject when trying to send packets
Message-ID: <20010305060118.32346.qmail@web13104.mail.yahoo.com>

Some other people on this list appear to have seen similar problems to this. After some amount of work, I've gotten a connection up via PPTP and the routing tables set up. Everything looks good, but I'm unable to send packets.

I sent the debugging messages to a file via syslog.conf and notice the following messages every time I attempt to send a packet.

Mar 4 20:54:14 foo pppd[2719]: rcvd [LCP ProtRej id=0x8 94 e9 14 d5 46 73 50 f7 a0 de 9f 45 7c 25 6b 8d df f1 8a 63 50 b2 c4 06 dc c1 a8 0b 7a 42 81 f0 f0 c5 e0 6e cf 21 d0 fa 2b d9 42 1f 0d ba 0c 38 0c df a4 81 4f 43 97 d1 84 ae 77 8b 48 d4 33 db b3 52 7b 64 5d 91 8a ba bc 98 78 da ac
Mar 4 20:54:14 foo pppd[2719]: Protocol-Reject for unsupported protocol 0x94e9
Mar 4 20:54:21 foo pppd[2719]: rcvd [LCP ProtRej id=0x9 ee 7a 4b 43 92 d4 7e c9 df d0 03 a1 3f 91 4a 8e 10 b6 cb df 49 c7 31 5b 00 ab d1 4d 54 6c 25 11 1f 46 8e fb 27 8e 39 4c 1f b8 8a 81 04 b9 3b b7 81 3c 69 2b 9d 4a 75 c5 ef af 94 f8 dd 49 14 b9 4d 0a 2f 3c b6 af da 55 68 84 fd 4f 62
Mar 4 20:54:21 foo pppd[2719]: Protocol-Reject for unsupported protocol 0xee7a

I'm pretty sure that my routing table is set up correctly since I've run ethereal on ppp0 and I can see all my outgoing packets. No incoming packets show up.

One annoying thing is that when I add "record /tmp/foo" to my /etc/ppp/options file, the connection always fails. So I can't capture the raw PPTP packets.

I'm behind a Linux Masq firewall and I've applied the GRE patch and I've established a connection to the server from a WinNT client behind the firewall.
I've also tried applying the patch to pptp.c suggested in this web page:
http://personal.rdu.bellsouth.net/rdu/t/a/tayljl/linux-pptp-client/linux-pptp-client-setup.html

I'm running ppp-mppe-2.3.11-10 from an rpm and at first I tried pptp-linux-1.0.2-8 but then re-built pptp-linux from the source with the above patch.

__Jerry Fields

From darbel at techunix.technion.ac.il Mon Mar 5 01:42:47 2001
From: darbel at techunix.technion.ac.il (Dani Arbel)
Date: Mon, 5 Mar 2001 09:42:47 +0200 (IST)
Subject: [pptp-server] Conection works, but get Protocol-Reject when trying to send packets
In-Reply-To: <20010305060118.32346.qmail@web13104.mail.yahoo.com>
Message-ID:

Hi!

To capture all packets use tcpdump with option -w (to write to a file). You can analyze the packets with ethereal.

Dani

On Sun, 4 Mar 2001, Jerry Fields wrote:

> Some other people on this list appear to have seen
> similar problems to this.
> After some amount of work, I've gotten a connection up
> via PPTP and the routing tables setup.
> Everything looks good, but I'm unable to send packets.
>
> I sent the debugging messages to a file via
> syslog.conf
> and notice the following messages everytime I attempt
> to send a packet.
>
> Mar 4 20:54:14 foo pppd[2719]: rcvd [LCP ProtRej
> id=0x8 94 e9 14 d5 46 73 50 f7 a0 de 9f 45 7c 25 6b 8d
> df f1 8a 63 50 b2 c4 06 dc c1 a8 0b 7a 42 81 f0 f0 c5
> e0 6e cf 21 d0 fa 2b d9 42 1f 0d ba 0c 38 0c df a4 81
> 4f 43 97 d1 84 ae 77 8b 48 d4 33 db b3 52 7b 64 5d 91
> 8a ba bc 98 78 da ac
> Mar 4 20:54:14 foo pppd[2719]: Protocol-Reject for
> unsupported protocol 0x94e9
> Mar 4 20:54:21 foo pppd[2719]: rcvd [LCP ProtRej
> id=0x9 ee 7a 4b 43 92 d4 7e c9 df d0 03 a1 3f 91 4a 8e
> 10 b6 cb df 49 c7 31 5b 00 ab d1 4d 54 6c 25 11 1f 46
> 8e fb 27 8e 39 4c 1f b8 8a 81 04 b9 3b b7 81 3c 69 2b
> 9d 4a 75 c5 ef af 94 f8 dd 49 14 b9 4d 0a 2f 3c b6 af
> da 55 68 84 fd 4f 62
> Mar 4 20:54:21 foo pppd[2719]: Protocol-Reject for
> unsupported protocol 0xee7a
>
> I'm pretty sure that my routing table is setup
> correctly since I've run ethereal on ppp0 and I can
> see
> all my outgoing packets. No incoming packets show up.
>
> One annoying thing is that when I add "record /tmp/foo"
> to my /etc/ppp/options file, the connection always
> fails.
> So I can't capture the raw PPTP packets.
>
> I'm behind a Linux Masq firewall and I've applied the
> GRE patch
> and I've established a connection to the server from
> a WinNT client behind the firewall.
>
> I've also tried applying the patch to pptp.c suggested
> in this web page:
> http://personal.rdu.bellsouth.net/rdu/t/a/tayljl/linux-pptp-client/linux-pptp-client-setup.html
>
> I'm running ppp-mppe-2.3.11-10 from an rpm and at first
> I tried pptp-linux-1.0.2-8 but then re-built
> pptp-linux
> from the source with the above patch.
>
> __Jerry Fields

From james at kyzo.com Mon Mar 5 09:46:25 2001
From: james at kyzo.com (James Stevens)
Date: Mon, 05 Mar 2001 15:46:25 +0000
Subject: [pptp-server] Encryption doesn't work when PPP is not a kernel module (i.e. built-in)
Message-ID: <3AA3B4D1.8E58EB0F@kyzo.com>

Hi All,

I'm using Win95/SE + 128Bit upgrade and Linux 2.2.17, PPPD v2.3.11 + MPPE + Require-encryption patches. I could get the PPTP connection to work fine, but could not get encryption to work. I changed PPP from being built into the kernel to being a loadable module and, BANG! it worked.

BTW: I'm not on this list.

James

From berzerke at swbell.net Mon Mar 5 11:16:33 2001
From: berzerke at swbell.net (robert)
Date: Mon, 05 Mar 2001 11:16:33 -0600
Subject: [pptp-server] Conection works, but get Protocol-Reject when trying to send packets
In-Reply-To: <20010305060118.32346.qmail@web13104.mail.yahoo.com>
References: <20010305060118.32346.qmail@web13104.mail.yahoo.com>
Message-ID: <01030511163300.07433@linux>

Not having played too much with the rpms, I can't say for sure, but it looks like a patch has been missed. The unsupported-protocol leads me to believe this. I know that after you apply the ppp patch, you must do a make kernel and recompile the kernel. I think that's what is missing.

On Monday 05 March 2001 00:01, Jerry Fields wrote:
> Some other people on this list appear to have seen
> similar problems to this.
> After some amount of work, I've gotten a connection up
> via PPTP and the routing tables setup.
> Everything looks good, but I'm unable to send packets.
>
> I sent the debugging messages to a file via
> syslog.conf
> and notice the following messages everytime I attempt
> to send a packet.
>
> Mar 4 20:54:14 foo pppd[2719]: rcvd [LCP ProtRej
> id=0x8 94 e9 14 d5 46 73 50 f7 a0 de 9f 45 7c 25 6b 8d
> df f1 8a 63 50 b2 c4 06 dc c1 a8 0b 7a 42 81 f0 f0 c5
> e0 6e cf 21 d0 fa 2b d9 42 1f 0d ba 0c 38 0c df a4 81
> 4f 43 97 d1 84 ae 77 8b 48 d4 33 db b3 52 7b 64 5d 91
> 8a ba bc 98 78 da ac
> Mar 4 20:54:14 foo pppd[2719]: Protocol-Reject for
> unsupported protocol 0x94e9
> I'm behind a Linux Masq firewall and I've applied the
> GRE patch
> and I've established a connection to the server from
> a WinNT client behind the firewall.
>
> I've also tried appling the patch to pptp.c suggested
> in this web page:
> http://personal.rdu.bellsouth.net/rdu/t/a/tayljl/linux-pptp-client/linux-pptp-client-setup.html
>
> I'm running ppp-mppe-2.3.11-10 from a rpm and at first
> I tried pptp-linux-1.0.2-8 but then re-built
> pptp-linux
> from the soruce with the above patch.
>
> __Jerry Fields

From jerry_fields_1 at yahoo.com Mon Mar 5 19:18:35 2001
From: jerry_fields_1 at yahoo.com (Jerry Fields)
Date: Mon, 5 Mar 2001 17:18:35 -0800 (PST)
Subject: [pptp-server] Conection works, but get Protocol-Reject when trying to send packets
In-Reply-To: <01030511163300.07433@linux>
Message-ID: <20010306011835.60671.qmail@web13108.mail.yahoo.com>

I tried a bunch of things and finally found that putting mppe-stateless in my /etc/ppp/options file fixes the problem.

--- robert wrote:
> Not having played too much with the rpms, I can't
> say for sure, but it looks like a patch has been missed. The
> unsupported-protocol leads me to believe this. I know that after you apply the ppp patch,
> you must do a make kernel and recompile the kernel. I think that's what is missing.
>
> On Monday 05 March 2001 00:01, Jerry Fields wrote:
> > Some other people on this list appear to have seen
> > similar problems to this.
> > After some amount of work, I've gotten a connection up
> > via PPTP and the routing tables setup.
> > Everything looks good, but I'm unable to send packets.
> >
> > I sent the debugging messages to a file via
> > syslog.conf
> > and notice the following messages everytime I attempt
> > to send a packet.
> >
> > Mar 4 20:54:14 foo pppd[2719]: rcvd [LCP ProtRej
> > id=0x8 94 e9 14 d5 46 73 50 f7 a0 de 9f 45 7c 25 6b 8d
> > df f1 8a 63 50 b2 c4 06 dc c1 a8 0b 7a 42 81 f0 f0 c5
> > e0 6e cf 21 d0 fa 2b d9 42 1f 0d ba 0c 38 0c df a4 81
> > 4f 43 97 d1 84 ae 77 8b 48 d4 33 db b3 52 7b 64 5d 91
> > 8a ba bc 98 78 da ac
> > Mar 4 20:54:14 foo pppd[2719]: Protocol-Reject for
> > unsupported protocol 0x94e9
> > I'm behind a Linux Masq firewall and I've applied the
> > GRE patch
> > and I've established a connection to the server from
> > a WinNT client behind the firewall.
> >
> > I've also tried appling the patch to pptp.c suggested
> > in this web page:
> > http://personal.rdu.bellsouth.net/rdu/t/a/tayljl/linux-pptp-client/linux-pptp-client-setup.html
> >
> > I'm running ppp-mppe-2.3.11-10 from a rpm and at first
> > I tried pptp-linux-1.0.2-8 but then re-built
> > pptp-linux
> > from the soruce with the above patch.
> >
> > __Jerry Fields

From rcd at amherst.com Tue Mar 6 08:53:27 2001
From: rcd at amherst.com (Robert Dege)
Date: Tue, 06 Mar 2001 09:53:27 -0500
Subject: [pptp-server] Patch blank password/username
References: <6B8A85826C35D31193BD0090278589C81DF04A@CIC-EXCHANGE> <3AA2D3A9.9F37778E@hattaway-associates.com>
Message-ID: <3AA4F9E7.2080307@amherst.com>

Not sure if anybody tried this or not, but Livingstone's extra patch doesn't work correctly. I couldn't logon using DUN whether I was supplying a user/passwd or not. PPP was acting as if my USER field was always NULL. I kept getting an error message in the logs ("no secret in samba secret file /etc/smbpasswd"). Once I replaced auth.c with the original & recompiled, everything worked great.

I tried using Justin's patch with my Win98 Laptop, and everything worked as expected.

user/pass --> access
blank/pass --> deny
blank/blank --> deny
user/blank --> deny

Great job!

-Rob

Godfrey Livingstone wrote:

> Justin, your patch does work, but the attached patch is tidier: as soon as a match is
> found in smbpasswd then the while loop exits; this also saves time if smbpasswd is
> large.
>
> I then check to see if smb == NULL; if so then there is no match in the smbpasswd file,
> so skip to the next line of chap-secrets. No need to make up a secret which may
> potentially match (I know the chance of that is very very small).
>
> Godfrey
>
> Justin Kreger wrote:
>
>> In short, Different means of authentication. It may use the password file,
>> but it does not interact with samba's daemon processes.
>>
>> As for fixing this problem, I have written a patch.
>>
>> It fixes the two problems, the blank login/password problem, and the
>> unknown user/blankpassword problem.
>>
>> Please TEST this ASAP with win9x, Both my win9x boxen think that they should
>> be only talking in CHAP, not MSCHAP, and I can't seem to find msdun128.exe
>> to fix it.
>>
>> (This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested with
>> Windows NT Server 4, Service Pack 6)
>>
>> -Justin Kreger, MCP MCSE
>>
>> -----Original Message-----
>> From: robert
>> To: Cowles, Steve; pptp-server at lists.schulte.org
>> Sent: 3/2/01 9:24 PM
>> Subject: Re: [pptp-server] Yes, blank username/password works!
>>
>> I'm wondering if anyone has considered that if you have a good guest
>> account for samba, then samba will use that if a bad username/password is sent.
>>
>> Blank would definitely count as bad. I use blank password to list
>> shares, i.e. smbclient -L somemachine and just hit enter when asked for a
>> password. Logs show guest account is used and I do get the listing. Could someone
>> having this problem try disabling the guest account and seeing if the
>> problem goes away?
>>
>> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
>>
>>>> -----Original Message-----
>>>> From: Dread Boy [mailto:dreadboy at hotmail.com]
>>>> Sent: Friday, March 02, 2001 1:37 AM
>>>> To: pptp-server at lists.schulte.org; vgill at technologist.com
>>>> Subject: RE: [pptp-server] Yes, blank username/password works!
>>>>
>>>> Yeah, and on top of all this it doesn't seem to matter what I
>>>> log in as, my username and password don't get carried over to
>>>> SAMBA for authenticating with server shares.
>>>
>>> Let's make sure we are comparing apples to apples here. The
>>> username/password that you specify in your windows PPTP dialup profile has
>>> NEVER been carried over for share access. Please keep the following in
>>> mind...
>>>
>>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
>>> to authenticate the tunnel connection ONLY.
>>>
>>> 2) Share access uses the user/pass that you specified when you turned on
>>> your PC and logged in to get to your desktop. FWIW: This same user/pass can
>>> be specified in your PPTP dialup profile to be used to authenticate the
>>> PPTP tunnel.
>>>
>>>> i.e. Whether I use a valid username/password or the blank, I
>>>> still can not access resources (or possibly ACLs) on the
>>>> servers even with valid usernames. On my local LAN it's no
>>>> problem, but remotely, it doesn't seem to know who I am while
>>>> I'm logged on.
>>>>
>>>> For example, when I click a share locally on my SAMBA server,
>>>> I can get into it and have certain rights based on my username/
>>>> password. I don't even have to think about it. "security =
>>>> user" in /etc/smb.conf. However, when I log in remotely with
>>>> Windoze using my PPTPD Linux server, when I even try to access
>>>> the server itself (let alone the share) it keeps asking me for
>>>> the IPC$ administration password as if it was an NT server.
>>>> It doesn't matter what I enter here, I can't get any farther.
>>>
>>> From the samba docs...
>>>
>>> Some people find browsing fails because they don't have the global
>>> "guest account" set to a valid account. Remember that the IPC$
>>> connection that lists the shares is done as guest, and thus you must
>>> have a valid guest account.
>>> ----------------------------
>>>
>>> Also, is the PPTP clients' WORKGROUP participation set to match what the
>>> clients on the LAN are configured to?
>>>
>>>> Does PPTPD know my SMB username but not my password, or vice
>>>> versa? I thought maybe because it was encrypted using
>>>> libsmbpw.so that maybe it couldn't figure it out, but then
>>>> using chap-secrets plain-text passwords don't cut it either.
>>>>
>>>> Anyone know what this is all about?
>>>>
>>>> Geez, I thought this whole PPTPD Linux server was gonna be at
>>>> least a weekend of work, but it's turning out to be months
>>>> worth of work.
>>>
>>> With regards to the "subject" line of this thread... let's make sure we are
>>> comparing apples to apples here. I'd hate to see PopTop/PPPD get the
>>> reputation of being insecure without the following clarification being
>>> noted.
>>>
>>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
>>> authentication to use the libsmbpw.o lib's (smbpasswd), then your system
>>> appears to be vulnerable to the blank user/pass exploit mentioned in this
>>> thread.
>>>
>>> 2) Those of you who are still using the chap-secrets file (no re-direct)
>>> for tunnel authentication are NOT vulnerable to the blank user/pass exploit
>>> mentioned in this thread. I just verified this on my PopTop server! I do
>>> not use the re-direct to libsmbpw.o
>>>
>>> Steve Cowles
>>
>> ------------------------------------------------------------------------
>> Name: smbpasswdauthfix.patch
>> ------------------------------------------------------------------------
>>
>> --- ppp-2.3.11/pppd/auth.c.org Mon Mar 5 12:19:41 2001
>> +++ ppp-2.3.11/pppd/auth.c Mon Mar 5 12:31:54 2001
>> @@ -1871,10 +1871,15 @@
>> ) {
>> memcpy(word, smbname, NTPASS);
>> word[NTPASS]='\000';
>> + break;
>> }
>>
>> }
>> endsmbpwent();
>> + if (smb == NULL) {
>> + warn("no secret in samba secret file %s", atfile);
>> + continue;
>> + }
>> }
>> #endif
>> if (secret != NULL)
>> blank_passwd_fix.diff

From rcd at amherst.com Tue Mar 6 09:18:11 2001
From: rcd at amherst.com (Robert Dege)
Date: Tue, 06 Mar 2001 10:18:11 -0500
Subject: [pptp-server] interfaces
Message-ID: <3AA4FFB3.4090203@amherst.com>

Since I have 2 ethernet cards (eth0 for outside internet access -- eth1 for local intranet), I would really prefer that Samba would only listen/broadcast on the local intranet only. For the Samba config, is this all I have to do:

interfaces eth1/16

(16 for the Class B network)

I just want it so that Samba will not query for any smb/nmb on the internet device. Will this cause problems for the PPTP clients though? or will being assigned a remote ip compensate for that?

If not interfaces, would hosts allow be a better solution?

host allow 172.28. 127.0.0.1

172.28. -- our local intranet first two octets.
127.0.0.1 -- local host

Just want to make sure. Thanks.

-Rob

From ripley at cadvision.com Tue Mar 6 11:15:41 2001
From: ripley at cadvision.com (shawn Ripley)
Date: Tue, 6 Mar 2001 09:15:41 -0800
Subject: [pptp-server] WinProxy and PPTP and DSL
Message-ID:

I have been trying to implement a WinProxy connection to the PPTPD at work. The client is a windows lan fired off DSL. PPTP works on a laptop that connects through modem, so things on the server side are good. Should I even be using win proxy? Has anyone on the list ever used winproxy?

From JaminC at adapt-tele.com Tue Mar 6 11:26:15 2001
From: JaminC at adapt-tele.com (Jamin Collins)
Date: Tue, 6 Mar 2001 11:26:15 -0600
Subject: [pptp-server] WinProxy and PPTP and DSL
Message-ID:

shawn Ripley [mailto:ripley at cadvision.com] wrote:
> I have been trying to implement a WinProxy connection to the
> PPTPD at work.
> The client is a windows lan fired off DSL. PPTP works on laptop that
> connects through modem so things on the server side are good.
> Should I even
> be using win proxy? Has anyone on the list ever used winproxy.

A bit more information seems to be necessary here. Are you attempting to connect your entire home LAN to your work LAN via PPTPD, or are you attempting to make a PPTP connection from one client that is behind a WinProxy firewall? In either case, does the documentation for WinProxy indicate that it will route GRE packets?

Jamin W. Collins

From Steve at SteveCowles.com Tue Mar 6 13:52:33 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Tue, 6 Mar 2001 13:52:33 -0600
Subject: [pptp-server] interfaces
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE68F@defiant.infohiiway.com>

> -----Original Message-----
> From: Robert Dege [mailto:rcd at amherst.com]
> Sent: Tuesday, March 06, 2001 9:18 AM
> To: 'pptp-server at lists.schulte.org '
> Subject: [pptp-server] interfaces
>
> Since I have 2 ethernet cards (eth0 for outside internet
> access -- eth1 for local intranet), I would really prefer
> that Samba would only listen/broadcast on the local intranet
> only. For the Samba config, is this all I have to do:
>
> interfaces eth1/16
>
> (16 for the Class B network)
>
> I just want it so that Samba will not query for any smb/nmb
> on the internet device.

The relevant line in my smb.conf file:

interfaces = lo eth0

FYI: eth0 is my private interface.

> Will this cause problems for the PPTP clients though? or will being
> assigned a remote ip compensate for that?

To answer your question: If your ipchains rules are properly configured, this will not cause a problem. Don't get confused by your requirement to block (DENY) SMB/NMB packets on eth0 (as you should) versus ACCEPTING/FORWARDING PPTP tunnel packets which "could" contain encapsulated SMB/NMB packets!

> If not interfaces, would hosts allow be a better solution?
>
> host allow 172.28. 127.0.0.1
>
> 172.28. -- our local intranet first two octets.
> 127.0.0.1 -- local host
>
> Just want to make sure.

The relevant line in my smb.conf file:

hosts allow = 127.0.0.1/255.0.0.0 192.168.9.0/255.255.255.0

FYI: eth0 is my private interface.

Steve Cowles

From mh at pi.se Tue Mar 6 15:54:09 2001
From: mh at pi.se (Mattias Hansson)
Date: Tue, 6 Mar 2001 22:54:09 +0100 (MET)
Subject: [pptp-server] encrytion probs, linux server - w2k client
Message-ID:

Hello.

I have been searching through the list-archive without finding a working solution, maybe just being blind, but didn't find any solution..

I'm running pptpd on a linux 2.4.2 machine with ppp2.4.0, pptpd 1.1.2 (tried 1.0.1 first, but no luck there either) and these patches from ftp://ftp.binarix.com/pub/ppp-mppe/

ppp-2.4.0-openssl-0.9.6-mppe.patch
linux-2.4.0-openssl-0.9.6-mppe.patch

Everything works fine when not using any encryption, but as soon as I enable it, my client (w2k server) just connects and sits there not responding to any tcp/ip traffic over the link. The vpn-icon in the systray starts flashing when I try to send data to and from my client, but that's it...

Is there a known solution to these problems or does it require some more debugging to find out what the real problem is?

//Mattias Hansson

From godfrey at hattaway-associates.com Tue Mar 6 17:29:20 2001
From: godfrey at hattaway-associates.com (Godfrey Livingstone)
Date: Wed, 07 Mar 2001 12:29:20 +1300
Subject: [pptp-server] Patch blank password/username
References: <6B8A85826C35D31193BD0090278589C81DF04A@CIC-EXCHANGE> <3AA2D3A9.9F37778E@hattaway-associates.com> <3AA4F9E7.2080307@amherst.com>
Message-ID: <3AA572D0.5EAC9D76@hattaway-associates.com>

Robert, the patch works for me; the fact that it does not work for you concerns me. I have just tried it using win9x and it works; I do not get the error messages if there is a match. Did you download it using netscape by chance, as netscape mangles patches? Anyway, if you have time can you try using wget or lynx to get the patch from http://www.hattaway.co.nz/raidpatches/blank_passwd_fix.diff

I have also created what I think is a better patch if you would like to try http://www.hattaway.co.nz/raidpatches/blank_passwd_fix2.diff -- this tidies up the while loop considerably and should be faster.

Godfrey

Robert Dege wrote:

> Not sure if anybody tried this or not, but Livingstone's extra patch
> doesn't work correctly. I couldn't logon using DUN whether I was
> supplying a user/passwd or not. PPP was acting as if my USER field was
> always NULL. I kept getting an error message in the logs ("no secret in
> samba secret file /etc/smbpasswd"). Once I replaced auth.c with the
> original & recompiled, everything worked great.
>
> I tried using Justin's patch with my Win98 Laptop, and everything worked
> as expected.
>
> user/pass --> access
> blank/pass --> deny
> blank/blank --> deny
> user/blank --> deny
>
> Great job!
>
> -Rob
>
> Godfrey Livingstone wrote:
>
> > Justin, your patch does work, but the attached patch is tidier: as soon as a match is
> > found in smbpasswd then the while loop exits; this also saves time if smbpasswd is
> > large.
> >
> > I then check to see if smb == NULL; if so then there is no match in the smbpasswd file,
> > so skip to the next line of chap-secrets.
> > No need to make up a secret which may
> > potentially match (I know the chance of that is very very small).
> >
> > Godfrey
> >
> > Justin Kreger wrote:
> >
> >> In short, Different means of authentication. It may use the password file,
> >> but it does not interact with samba's daemon processes.
> >>
> >> As for fixing this problem, I have written a patch.
> >>
> >> It fixes the two problems, the blank login/password problem, and the
> >> unknown user/blankpassword problem.
> >>
> >> Please TEST this ASAP with win9x, Both my win9x boxen think that they should
> >> be only talking in CHAP, not MSCHAP, and I can't seem to find msdun128.exe
> >> to fix it.
> >>
> >> (This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested with
> >> Windows NT Server 4, Service Pack 6)
> >>
> >> -Justin Kreger, MCP MCSE
> >>
> >> -----Original Message-----
> >> From: robert
> >> To: Cowles, Steve; pptp-server at lists.schulte.org
> >> Sent: 3/2/01 9:24 PM
> >> Subject: Re: [pptp-server] Yes, blank username/password works!
> >>
> >> I'm wondering if anyone has considered that if you have a good guest
> >> account for samba, then samba will use that if a bad username/password is sent.
> >>
> >> Blank would definitely count as bad. I use blank password to list
> >> shares, i.e. smbclient -L somemachine and just hit enter when asked for a
> >> password. Logs show guest account is used and I do get the listing. Could someone
> >> having this problem try disabling the guest account and seeing if the
> >> problem goes away?
> >>
> >> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
> >>
> >>>> -----Original Message-----
> >>>> From: Dread Boy [mailto:dreadboy at hotmail.com]
> >>>> Sent: Friday, March 02, 2001 1:37 AM
> >>>> To: pptp-server at lists.schulte.org; vgill at technologist.com
> >>>> Subject: RE: [pptp-server] Yes, blank username/password works!
> >>>>
> >>>> Yeah, and on top of all this it doesn't seem to matter what I
> >>>> log in as, my username and password don't get carried over to
> >>>> SAMBA for authenticating with server shares.
> >>>
> >>> Let's make sure we are comparing apples to apples here. The
> >>> username/password that you specify in your windows PPTP dialup profile has
> >>> NEVER been carried over for share access. Please keep the following in
> >>> mind...
> >>>
> >>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
> >>> to authenticate the tunnel connection ONLY.
> >>>
> >>> 2) Share access uses the user/pass that you specified when you turned on
> >>> your PC and logged in to get to your desktop. FWIW: This same user/pass can
> >>> be specified in your PPTP dialup profile to be used to authenticate the
> >>> PPTP tunnel.
> >>>
> >>>> i.e. Whether I use a valid username/password or the blank, I
> >>>> still can not access resources (or possibly ACLs) on the
> >>>> servers even with valid usernames. On my local LAN it's no
> >>>> problem, but remotely, it doesn't seem to know who I am while
> >>>> I'm logged on.
> >>>>
> >>>> For example, when I click a share locally on my SAMBA server,
> >>>> I can get into it and have certain rights based on my username/
> >>>> password. I don't even have to think about it. "security =
> >>>> user" in /etc/smb.conf. However, when I log in remotely with
> >>>> Windoze using my PPTPD Linux server, when I even try to access
> >>>> the server itself (let alone the share) it keeps asking me for
> >>>> the IPC$ administration password as if it was an NT server.
> >>>> It doesn't matter what I enter here, I can't get any farther.
> >>>
> >>> From the samba docs...
> >>>
> >>> Some people find browsing fails because they don't have the global
> >>> "guest account" set to a valid account. Remember that the IPC$
> >>> connection that lists the shares is done as guest, and thus you must
> >>> have a valid guest account.
> >>> ----------------------------
> >>>
> >>> Also, is the PPTP clients' WORKGROUP participation set to match what the
> >>> clients on the LAN are configured to?
> >>>
> >>>> Does PPTPD know my SMB username but not my password, or vice
> >>>> versa? I thought maybe because it was encrypted using
> >>>> libsmbpw.so that maybe it couldn't figure it out, but then
> >>>> using chap-secrets plain-text passwords don't cut it either.
> >>>>
> >>>> Anyone know what this is all about?
> >>>>
> >>>> Geez, I thought this whole PPTPD Linux server was gonna be at
> >>>> least a weekend of work, but it's turning out to be months
> >>>> worth of work.
> >>>
> >>> With regards to the "subject" line of this thread... let's make sure we are
> >>> comparing apples to apples here. I'd hate to see PopTop/PPPD get the
> >>> reputation of being insecure without the following clarification being
> >>> noted.
> >>>
> >>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
> >>> authentication to use the libsmbpw.o lib's (smbpasswd), then your system
> >>> appears to be vulnerable to the blank user/pass exploit mentioned in this
> >>> thread.
> >>>
> >>> 2) Those of you who are still using the chap-secrets file (no re-direct)
> >>> for tunnel authentication are NOT vulnerable to the blank user/pass exploit
> >>> mentioned in this thread. I just verified this on my PopTop server!
I > >> > >> do > >> > >>> not use the re-direct to libsmbpw.o > >>> > >>> Steve Cowles > >>> _______________________________________________ > >>> pptp-server maillist - pptp-server at lists.schulte.org > >>> http://lists.schulte.org/mailman/listinfo/pptp-server > >>> List services provided by www.schulteconsulting.com! > >> > >> _______________________________________________ > >> pptp-server maillist - pptp-server at lists.schulte.org > >> http://lists.schulte.org/mailman/listinfo/pptp-server > >> List services provided by www.schulteconsulting.com! > >> > >> ------------------------------------------------------------------------ > >> Name: smbpasswdauthfix.patch > >> smbpasswdauthfix.patch Type: unspecified type (application/octet-stream) > >> Encoding: quoted-printable > >> > >> > >> ------------------------------------------------------------------------ > >> > >> --- ppp-2.3.11/pppd/auth.c.org Mon Mar 5 12:19:41 2001 > >> +++ ppp-2.3.11/pppd/auth.c Mon Mar 5 12:31:54 2001 > >> @@ -1871,10 +1871,15 @@ > >> ) { > >> memcpy(word, smbname, NTPASS); > >> word[NTPASS]='\000'; > >> + break; > >> } > >> > >> } > >> endsmbpwent(); > >> + if (smb == NULL) { > >> + warn("no secret in samba secret file %s", atfile); > >> + continue; > >> + } > >> } > >> #endif > >> if (secret != NULL) > >> blank_passwd_fix.diff > >> > >> Content-Type: > >> > >> text/plain > >> Content-Encoding: > >> > >> 7bit > >> > >> > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From jkreger at avidsolutionsinc.com Tue Mar 6 18:28:19 2001 
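Review bot: the post-loop test `if (smb == NULL)` decides "no match in smbpasswd" from the final value of the loop variable, which is assigned by the enclosing loop that this hunk does not show, so the result depends on how that loop terminates rather than on whether the `memcpy(word, smbname, NTPASS)` branch ever ran; a flag set beside the new `break;` and tested in place of `smb == NULL` would keep the match/no-match decision local to the hunk, and would also account for Robert Dege's report further down this thread that every login, with or without a valid user, produced "no secret in samba secret file /etc/smbpasswd". The `continue` likewise assumes this code sits inside the loop over chap-secrets lines, which the context lines do not show; a one-line comment stating that would help the next reader.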
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Tue, 6 Mar 2001 19:28:19 -0500
Subject: [pptp-server] Patch blank password/username
Message-ID: <6B8A85826C35D31193BD0090278589C81DF05C@CIC-EXCHANGE>

My entire view on this issue is to just check to see if no password was returned by get_secret, or if there is no length to the username. (I think I check more in the patch I wrote.) I have not tried Livingstone's patch, and to be to the point, as long as my patch works, I'm happy. I really think this whole issue is a combination of bugs. The fact pppd never seems to block null users and passwords in the first place disturbs me.

I think that the modification of the smbpasswd handling code is not where the change should have been. It works just fine. After reading Livingstone's code, it appears that he writes something static into the returned password, causing it to fail, but that could be guessed, and an attacker could use that against pppd.

I think this error could show its head again. The smbpasswd code only brought it up to the surface, but it was really there for a long time; as long as get_secret returns an empty password in any case, this can continue. As a whole, this is a pppd problem, not an smbpasswd reading problem.

Justin Kreger, MCP MCSE
Network Administrator
Avid Solutions, Inc.

-----Original Message-----
From: Godfrey Livingstone [mailto:godfrey at hattaway-associates.com] Sent: Tuesday, March 06, 2001 6:29 PM To: Robert Dege; pptp-server at lists.schulte.org Subject: Re: [pptp-server] Patch blank password/username Robert the patch works for me the fact that it does not work for you concerns me I have just tried it using win9x and it works I do not get the error messages if there is a match. Did you download it using netscape by chance as netscape mangles patches? Any way if you have time can you try using wget or lynx to get the patch from http://www.hattaway.co.nz/raidpatches/blank_passwd_fix.diff I have also created what I think is a better patch if you would like to try http://www.hattaway.co.nz/raidpatches/blank_passwd_fix2.diff this tidies up the while loop considerably and should be faster. Godfrey Robert Dege wrote: > Not sure if anybody tried this or not, but Livingstone's extra patch > doesn't work correctly. I couldn't logon using DUN whether I was > suppliying a user/passwd or not. PPP was acting as if my USER field was > always NULL. I kept getting an error message in the logs ("no secret in > samba secret file /etc/smbpasswd"). Once I replaced auth.c with the > original & recompiled, everything worked great. > > I tried using Justin's patch with my Win98 Laptop, and everything worked > as expected. > > user/pass --> access > blank/pass --> deny > blank/blank --> deny > user/blank --> deny > > Great job! > > -Rob > > Godfrey Livingstone wrote: > > > Justin your patch does work but the attached patch is tidier as soon as a match is > > found in smbpasswd then the while loop exits this also saves time if smbpasswd is > > large. > > > > I then check to see if smb == NULL if so then there is no match in smbpasswd file > > so skip to the next line of chap-secrets. No need to make up a secret which my > > potentially match ( I know the chance of that is very very small). 
> > > > Godfrey > > > > Justin Kreger wrote: > > > >> In short, Diffrent means of authentication. It may use the password file, > >> but it does not interact with samba's daemon processes. > >> > >> As for fixing this problem, I have written a patch. > >> > >> It fixes the two problems, the blank login/password problem, and the > >> unknown user/blankpassword problem. > >> > >> Please TEST this ASAP with win9x, Both my win9x boxen think that they should > >> be only talking in CHAP, not MSCHAP, and I can't seem to find msdun128.exe > >> to fix it. > >> > >> (This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested with > >> Windows NT Server 4, Service Pack 6) > >> > >> -Justin Kreger, MCP MCSE > >> > >> -----Original Message----- > >> From: robert > >> To: Cowles, Steve; pptp-server at lists.schulte.org > >> Sent: 3/2/01 9:24 PM > >> Subject: Re: [pptp-server] Yes, blank username/password works! > >> > >> I'm wondering if anyone has considered that if you have a good guest > >> account > >> for samba, then samba will use that if a bad username/password is sent. > >> > >> Blank would definately count as bad. I use blank password to list > >> shares, > >> i.e. smbclient -L somemachine and just hit enter when asked for a > >> password. > >> Logs show guest account is used and I do get the listing. Could someone > >> > >> having this problem try disabling the guest account and seeing if the > >> problem > >> goes away? > >> > >> On Friday 02 March 2001 11:19, Cowles, Steve wrote: > >> > >>>> -----Original Message----- 
> >>>> From: Dread Boy [mailto:dreadboy at hotmail.com] > >>>> Sent: Friday, March 02, 2001 1:37 AM > >>>> To: pptp-server at lists.schulte.org; vgill at technologist.com > >>>> Subject: RE: [pptp-server] Yes, blank username/password works! > >>>> > >>>> > >>>> Yeah, and on top of all this it doesn't seem to matter what I > >>>> log in as, my username and password don't get carried over to > >>>> SAMBA for authenticating with server shares. > >>> > >>> Lets make sure we are comparing apples to apples here. The > >>> username/password that you specify in your windows PPTP dialup profile > >> > >> has > >> > >>> NEVER been carried over for share access. Please keep the following in > >>> mind... > >>> > >>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup > >> > >> profile > >> > >>> to authenticate the tunnel connection ONLY. > >>> > >>> 2) Share access uses the user/pass that you specified when you turned > >> > >> on > >> > >>> your PC and logged in to get to your desktop. FWIW: This same > >> > >> user/pass can > >> > >>> be specified in your PPTP dialup profile to be used to authenticate > >> > >> the > >> > >>> PPTP tunnel. > >>> > >>>> i.e. Whether I use a valid username/password or the blank, I > >>>> still can not access resources (or possibly ACLs) on the > >>>> servers even with valid usernames. On my local LAN it's no > >>>> problem, but remotely, it doesn't seem to know who I am while > >>>> I'm logged on. > >>>> > >>>> For example, when I click a share locally on my SAMBA server, > >>>> I can get into it and have certain rights based on my username/ > >>>> password. I don't even have to think about it. "security = > >>>> user" in /etc/smb.conf. However, when I log in remotely with > >>>> Windoze using my PPTPD Linux server, when I even try to access > >>>> the server itself (let alone the share) it keeps asking me for > >>>> the IPC$ administration password as if it was an NT server. 
> >>>> It doesn't matter what I enter here, I can't get any farther. > >>> > >>> From the samba docs... > >>> > >>> Some people find browsing fails because they don't have the global > >>> "guest account" set to a valid account. Remember that the IPC$ > >>> connection that lists the shares is done as guest, and thus you must > >>> have a valid guest account. > >>> ---------------------------- > >>> > >>> Also, is the PPTP clients WORKGROUP participation set to match what > >> > >> the > >> > >>> clients on the LAN are configured to? > >>> > >>>> Does PPTPD know my SMB username but not my password, or vice > >>>> versa? I thought maybe because it was encrypted using > >>>> libsmbpw.so that maybe it couldn't figure it out, but then > >>>> using chap-secrets plain-text passwords don't cut it either. > >>>> > >>>> Anyone know what this is all about? > >>>> > >>>> Geez, I thought this whole PPTPD Linux server was gonna be at > >>>> least a weekend of work, but it's turning out to be months > >>>> worth of work. > >>> > >>> With regards to the "subject" line of this thread... lets make sure we > >> > >> are > >> > >>> comparing apples to apples here. I'd hate to see PopTop/PPPD get the > >>> reputation of being insecure without the following clarification being > >>> noted. > >>> > >>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP > >> > >> tunnel > >> > >>> authentication to use the libsmbpw.o lib's (smbpasswd), then your > >> > >> system > >> > >>> appears to be vulnerable to the blank user/pass exploit mentioned in > >> > >> this > >> > >>> thread. > >>> > >>> 2) Those of you who are still using the chap-secrets file (no > >> > >> re-direct) > >> > >>> for tunnel authentication are NOT vulnerable to the blank user/pass > >> > >> exploit > >> > >>> mentioned in this thread. I just verified this on my PopTop server! 
I > >> > >> do > >> > >>> not use the re-direct to libsmbpw.o > >>> > >>> Steve Cowles > >>> _______________________________________________ > >>> pptp-server maillist - pptp-server at lists.schulte.org > >>> http://lists.schulte.org/mailman/listinfo/pptp-server > >>> List services provided by www.schulteconsulting.com! > >> > >> _______________________________________________ > >> pptp-server maillist - pptp-server at lists.schulte.org > >> http://lists.schulte.org/mailman/listinfo/pptp-server > >> List services provided by www.schulteconsulting.com! > >> > >> ------------------------------------------------------------------------ > >> Name: smbpasswdauthfix.patch > >> smbpasswdauthfix.patch Type: unspecified type (application/octet-stream) > >> Encoding: quoted-printable > >> > >> > >> ------------------------------------------------------------------------ > >> > >> --- ppp-2.3.11/pppd/auth.c.org Mon Mar 5 12:19:41 2001 > >> +++ ppp-2.3.11/pppd/auth.c Mon Mar 5 12:31:54 2001 > >> @@ -1871,10 +1871,15 @@ > >> ) { > >> memcpy(word, smbname, NTPASS); > >> word[NTPASS]='\000'; > >> + break; > >> } > >> > >> } > >> endsmbpwent(); > >> + if (smb == NULL) { > >> + warn("no secret in samba secret file %s", atfile); > >> + continue; > >> + } > >> } > >> #endif > >> if (secret != NULL) > >> blank_passwd_fix.diff > >> > >> Content-Type: > >> > >> text/plain > >> Content-Encoding: > >> > >> 7bit > >> > >> > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! From godfrey at hattaway-associates.com Tue Mar 6 19:36:27 2001 
From: godfrey at hattaway-associates.com (Godfrey Livingstone)
Date: Wed, 07 Mar 2001 14:36:27 +1300
Subject: [pptp-server] Patch blank password/username
References: <6B8A85826C35D31193BD0090278589C81DF05C@CIC-EXCHANGE>
Message-ID: <3AA5909B.ABFBDE1@hattaway-associates.com>

Justin Kreger wrote:
> My entire view on this issue is to just check to see if no password was
> returned by get_secret, or if there is no length to the username. (I think I
> check more in the patch I wrote), I have not tried Livingstone's patch, and
> to be to the point, as long as my patch works, I'm happy. I really think
> this whole issue is a combination of bugs. The fact pppd never seems to
> block null user and passwords in the first place disturbs me.
>

I am glad that you are happy with your fix. But it is not the correct solution, as all you do is disallow passwords less than 3 characters long. What if you wanted a password to be three characters long? Also, people may want to use * as a password, which means an actual * and not a blank in any case (try it and see).

As for
@@ -574,7 +573,19 @@ if (!get_secret(cstate->unit, (explicit_remote? remote_name: rhostname), cstate->chal_name, secret, &secret_len, 1)) warn("No CHAP secret found for authenticating %q", rhostname); + for (i = 0; i < 8; i++) + secret[i] = (char) (drand48() * 0xff); + secret_len = 8;

your extra code does nothing, because the chap code would not let a user log in in any case if no password was returned.

> I think that the modification of the smbpasswd handling code is not where
> the change should have been.

I disagree. It does not work fine; it is the smbpasswd handling code that causes the problem.

> It works just fine. After reading
> Livingstone's code, it appears that he writes something static into the
> returned password, causing it to fail, but that could be guessed, and an
> attacker could use that against pppd.
>

Sorry, you are wrong. I do not write anything into the returned password. If the user is not found in /etc/smbpasswd, the original allows a blank string to be returned as the password, and thus the problem.

> I think this error could show its head again. The smbpasswd code only
> brought it up to the surface, but it was really there for a long time;
> as long as get_secret returns an empty password in any case, this can
> continue. As a whole, this is a pppd problem, not a smbpasswd reading
> problem.
>

No, in this case it is a problem with the smbpasswd.

> Justin Kreger, MCP MCSE
> Network Administrator
> Avid Solutions, Inc.
>
> -----Original Message-----
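Review bot: as quoted, the three `+` lines are not enclosed by the `if (!get_secret(...))` block (no opening brace follows the `warn("No CHAP secret found ...")` call), so the `for` loop and `secret_len = 8;` run on every CHAP check and overwrite a secret that was found; the hunk header announces 12 added lines but only three are quoted, so either the braces were lost in quoting or the patch really is unconditional, and the reply should show the full hunk before the change is judged. Independently, filling `secret` with eight bytes of `drand48()` output is an indirect way to fail authentication: as Godfrey points out, the chap code already refuses the login when no secret is returned, so an explicit reject path is simpler to review than a fabricated secret, and `drand48()` is never seeded here.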
> From: Godfrey Livingstone [mailto:godfrey at hattaway-associates.com] > Sent: Tuesday, March 06, 2001 6:29 PM > To: Robert Dege; pptp-server at lists.schulte.org > Subject: Re: [pptp-server] Patch blank password/username > > Robert the patch works for me the fact that it does not work for you > concerns me I have > just tried it using win9x and it works I do not get the error messages if > there is a > match. > > Did you download it using netscape by chance as netscape mangles patches? > > Any way if you have time can you try using wget or lynx to get the patch > from > > http://www.hattaway.co.nz/raidpatches/blank_passwd_fix.diff > > I have also created what I think is a better patch if you would like to try > > http://www.hattaway.co.nz/raidpatches/blank_passwd_fix2.diff > > this tidies up the while loop considerably and should be faster. > > Godfrey > > Robert Dege wrote: > > > Not sure if anybody tried this or not, but Livingstone's extra patch > > doesn't work correctly. I couldn't logon using DUN whether I was > > suppliying a user/passwd or not. PPP was acting as if my USER field was > > always NULL. I kept getting an error message in the logs ("no secret in > > samba secret file /etc/smbpasswd"). Once I replaced auth.c with the > > original & recompiled, everything worked great. > > > > I tried using Justin's patch with my Win98 Laptop, and everything worked > > as expected. > > > > user/pass --> access > > blank/pass --> deny > > blank/blank --> deny > > user/blank --> deny > > > > Great job! > > > > -Rob > > > > Godfrey Livingstone wrote: > > > > > Justin your patch does work but the attached patch is tidier as soon as > a match is > > > found in smbpasswd then the while loop exits this also saves time if > smbpasswd is > > > large. > > > > > > I then check to see if smb == NULL if so then there is no match in > smbpasswd file > > > so skip to the next line of chap-secrets. 
No need to make up a secret > which my > > > potentially match ( I know the chance of that is very very small). > > > > > > Godfrey > > > > > > Justin Kreger wrote: > > > > > >> In short, Diffrent means of authentication. It may use the password > file, > > >> but it does not interact with samba's daemon processes. > > >> > > >> As for fixing this problem, I have written a patch. > > >> > > >> It fixes the two problems, the blank login/password problem, and the > > >> unknown user/blankpassword problem. > > >> > > >> Please TEST this ASAP with win9x, Both my win9x boxen think that they > should > > >> be only talking in CHAP, not MSCHAP, and I can't seem to find > msdun128.exe > > >> to fix it. > > >> > > >> (This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested > with > > >> Windows NT Server 4, Service Pack 6) > > >> > > >> -Justin Kreger, MCP MCSE > > >> > > >> -----Original Message----- > > >> From: robert > > >> To: Cowles, Steve; pptp-server at lists.schulte.org > > >> Sent: 3/2/01 9:24 PM > > >> Subject: Re: [pptp-server] Yes, blank username/password works! > > >> > > >> I'm wondering if anyone has considered that if you have a good guest > > >> account > > >> for samba, then samba will use that if a bad username/password is sent. > > >> > > >> Blank would definately count as bad. I use blank password to list > > >> shares, > > >> i.e. smbclient -L somemachine and just hit enter when asked for a > > >> password. > > >> Logs show guest account is used and I do get the listing. Could > someone > > >> > > >> having this problem try disabling the guest account and seeing if the > > >> problem > > >> goes away? > > >> > > >> On Friday 02 March 2001 11:19, Cowles, Steve wrote: > > >> > > >>>> -----Original Message----- 
> > >>>> From: Dread Boy [mailto:dreadboy at hotmail.com] > > >>>> Sent: Friday, March 02, 2001 1:37 AM > > >>>> To: pptp-server at lists.schulte.org; vgill at technologist.com > > >>>> Subject: RE: [pptp-server] Yes, blank username/password works! > > >>>> > > >>>> > > >>>> Yeah, and on top of all this it doesn't seem to matter what I > > >>>> log in as, my username and password don't get carried over to > > >>>> SAMBA for authenticating with server shares. > > >>> > > >>> Lets make sure we are comparing apples to apples here. The > > >>> username/password that you specify in your windows PPTP dialup profile > > >> > > >> has > > >> > > >>> NEVER been carried over for share access. Please keep the following in > > >>> mind... > > >>> > > >>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup > > >> > > >> profile > > >> > > >>> to authenticate the tunnel connection ONLY. > > >>> > > >>> 2) Share access uses the user/pass that you specified when you turned > > >> > > >> on > > >> > > >>> your PC and logged in to get to your desktop. FWIW: This same > > >> > > >> user/pass can > > >> > > >>> be specified in your PPTP dialup profile to be used to authenticate > > >> > > >> the > > >> > > >>> PPTP tunnel. > > >>> > > >>>> i.e. Whether I use a valid username/password or the blank, I > > >>>> still can not access resources (or possibly ACLs) on the > > >>>> servers even with valid usernames. On my local LAN it's no > > >>>> problem, but remotely, it doesn't seem to know who I am while > > >>>> I'm logged on. > > >>>> > > >>>> For example, when I click a share locally on my SAMBA server, > > >>>> I can get into it and have certain rights based on my username/ > > >>>> password. I don't even have to think about it. "security = > > >>>> user" in /etc/smb.conf. 
However, when I log in remotely with > > >>>> Windoze using my PPTPD Linux server, when I even try to access > > >>>> the server itself (let alone the share) it keeps asking me for > > >>>> the IPC$ administration password as if it was an NT server. > > >>>> It doesn't matter what I enter here, I can't get any farther. > > >>> > > >>> From the samba docs... > > >>> > > >>> Some people find browsing fails because they don't have the global > > >>> "guest account" set to a valid account. Remember that the IPC$ > > >>> connection that lists the shares is done as guest, and thus you must > > >>> have a valid guest account. > > >>> ---------------------------- > > >>> > > >>> Also, is the PPTP clients WORKGROUP participation set to match what > > >> > > >> the > > >> > > >>> clients on the LAN are configured to? > > >>> > > >>>> Does PPTPD know my SMB username but not my password, or vice > > >>>> versa? I thought maybe because it was encrypted using > > >>>> libsmbpw.so that maybe it couldn't figure it out, but then > > >>>> using chap-secrets plain-text passwords don't cut it either. > > >>>> > > >>>> Anyone know what this is all about? > > >>>> > > >>>> Geez, I thought this whole PPTPD Linux server was gonna be at > > >>>> least a weekend of work, but it's turning out to be months > > >>>> worth of work. > > >>> > > >>> With regards to the "subject" line of this thread... lets make sure we > > >> > > >> are > > >> > > >>> comparing apples to apples here. I'd hate to see PopTop/PPPD get the > > >>> reputation of being insecure without the following clarification being > > >>> noted. > > >>> > > >>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP > > >> > > >> tunnel > > >> > > >>> authentication to use the libsmbpw.o lib's (smbpasswd), then your > > >> > > >> system > > >> > > >>> appears to be vulnerable to the blank user/pass exploit mentioned in > > >> > > >> this > > >> > > >>> thread. 
> > >>> > > >>> 2) Those of you who are still using the chap-secrets file (no > > >> > > >> re-direct) > > >> > > >>> for tunnel authentication are NOT vulnerable to the blank user/pass > > >> > > >> exploit > > >> > > >>> mentioned in this thread. I just verified this on my PopTop server! I > > >> > > >> do > > >> > > >>> not use the re-direct to libsmbpw.o > > >>> > > >>> Steve Cowles > > >>> _______________________________________________ > > >>> pptp-server maillist - pptp-server at lists.schulte.org > > >>> http://lists.schulte.org/mailman/listinfo/pptp-server > > >>> List services provided by www.schulteconsulting.com! > > >> > > >> _______________________________________________ > > >> pptp-server maillist - pptp-server at lists.schulte.org > > >> http://lists.schulte.org/mailman/listinfo/pptp-server > > >> List services provided by www.schulteconsulting.com! > > >> > > >> > ------------------------------------------------------------------------ > > >> Name: smbpasswdauthfix.patch > > >> smbpasswdauthfix.patch Type: unspecified type > (application/octet-stream) > > >> Encoding: quoted-printable > > >> > > >> > > >> > ------------------------------------------------------------------------ > > >> > > >> --- ppp-2.3.11/pppd/auth.c.org Mon Mar 5 12:19:41 2001 > > >> +++ ppp-2.3.11/pppd/auth.c Mon Mar 5 12:31:54 2001 
> > >> @@ -1871,10 +1871,15 @@ > > >> ) { > > >> memcpy(word, smbname, NTPASS); > > >> word[NTPASS]='\000'; > > >> + break; > > >> } > > >> > > >> } > > >> endsmbpwent(); > > >> + if (smb == NULL) { > > >> + warn("no secret in samba secret file %s", atfile); > > >> + continue; > > >> + } > > >> } > > >> #endif > > >> if (secret != NULL) > > >> blank_passwd_fix.diff > > >> > > >> Content-Type: > > >> > > >> text/plain > > >> Content-Encoding: > > >> > > >> 7bit > > >> > > >> > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From berzerke at swbell.net Tue Mar 6 19:00:17 2001 
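The disagreement between Justin and Godfrey above comes down to what the secret lookup reports when a user is not in smbpasswd. What follows is an added example (editor's code, not pppd's and not either poster's patch) that models a CHAP authenticator over a constructed secret store: a lookup that answers "unknown user" with an empty secret, Justin's approach of refusing blank users and short secrets (the threshold of 3 characters is taken from Godfrey's description of that patch; the users, secrets and challenge are constructed), and Godfrey's approach of treating "not found" as a failure. Robert Dege's four test cases from the thread are run against all three verifiers, plus three cases that separate the two fixes.

```python
"""CHAP secret lookup, the empty-secret failure mode and the two fixes debated
in this thread.  Added example for the archive: editor's code, not pppd's and
not either poster's patch.  The secret store, users, secrets, threshold and
challenge are constructed for the example."""
import hashlib

# Constructed stand-in for the smbpasswd-backed secret store.
SECRETS = {
    "alice": "s3cretPass",
    "bob": "abc",   # a legitimate three-character secret
    "carol": "*",   # a literal '*' secret (Godfrey's point)
}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def lookup_secret_vulnerable(user: str) -> str:
    """The behaviour the thread describes: an unknown user comes back as an
    empty secret instead of a lookup failure, so the caller cannot tell
    'no such user' from 'secret is empty'."""
    return SECRETS.get(user, "")


def lookup_secret_fixed(user: str):
    """Godfrey's approach: report 'not found' (None) separately from any
    secret that was actually found, however short or odd it looks."""
    return SECRETS.get(user)


def verify_vulnerable(user, ident, challenge, response):
    """Authenticator built on the ambiguous lookup: an empty client password
    hashes to the same value as the empty 'secret' of an unknown or blank
    user, so those logins pass."""
    secret = lookup_secret_vulnerable(user)
    return chap_response(ident, secret, challenge) == response


MIN_SECRET_LEN = 3  # assumed threshold, from Godfrey's description of Justin's check


def verify_length_check(user, ident, challenge, response):
    """Justin's approach as the thread describes it: keep the ambiguous lookup
    but refuse blank users and short secrets.  Closes the hole, at the cost of
    rejecting real secrets shorter than the threshold (e.g. '*')."""
    secret = lookup_secret_vulnerable(user)
    if not user or len(secret) < MIN_SECRET_LEN:
        return False
    return chap_response(ident, secret, challenge) == response


def verify_fixed(user, ident, challenge, response):
    """Godfrey's approach: a failed lookup is an authentication failure; any
    secret that was found is compared as-is."""
    secret = lookup_secret_fixed(user)
    if secret is None:
        return False
    return chap_response(ident, secret, challenge) == response


def client_response(user, password, ident, challenge):
    """What the PPTP client sends back: its name and MD5 over its own password."""
    return user, ident, challenge, chap_response(ident, password, challenge)


# Robert Dege's four test cases from the thread plus three more that separate
# the two fixes: an unknown user with a blank password, and the two short but
# legitimate secrets above.
CASES = {
    "user/pass":     ("alice", "s3cretPass"),
    "blank/pass":    ("", "s3cretPass"),
    "blank/blank":   ("", ""),
    "user/blank":    ("alice", ""),
    "unknown/blank": ("mallory", ""),
    "3-char secret": ("bob", "abc"),
    "star secret":   ("carol", "*"),
}


def run_matrix(verifier, ident=1, challenge=bytes(range(16))):
    """Return {case name: accepted?} for one verifier over all CASES.
    The challenge is a constructed constant so results are reproducible."""
    return {
        name: verifier(*client_response(user, password, ident, challenge))
        for name, (user, password) in CASES.items()
    }


if __name__ == "__main__":
    for v in (verify_vulnerable, verify_length_check, verify_fixed):
        print(v.__name__, run_matrix(v))
```

Compare the three result dictionaries: the ambiguous lookup accepts blank/blank and unknown/blank; the length check closes both but also rejects carol's legitimate `*` secret; the lookup fix closes both without touching any valid secret. The general point for any authenticator is the one Godfrey makes: a credential store must report "absent" as a distinct result, never as an empty credential that the caller goes on to compare against.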
From: berzerke at swbell.net (robert)
Date: Tue, 06 Mar 2001 19:00:17 -0600
Subject: [pptp-server] encryption probs, linux server - w2k client
In-Reply-To:
References:
Message-ID: <01030619001700.09747@linux>

Two ideas. Is ppp a module or compiled into the kernel? Others have reported problems when it is compiled directly into the kernel. Second, what do your pptpd/ppp logs show?

On Tuesday 06 March 2001 15:54, Mattias Hansson wrote:
> Hello.
>
> I have been searching through the list archive without finding a working
> solution, maybe just being blind, but didn't find any solution..
>
> I'm running pptpd on a linux 2.4.2 machine with ppp2.4.0, pptpd 1.1.2
> (tried 1.0.1 first, but no luck there either) and these patches from
> ftp://ftp.binarix.com/pub/ppp-mppe/
> ppp-2.4.0-openssl-0.9.6-mppe.patch
> linux-2.4.0-openssl-0.9.6-mppe.patch
>
> Everything works fine when not using any encryption, but as soon as I
> enable it, my client (w2k server) just connects and sits there not
> responding to any tcp/ip traffic over the link.
> The vpn-icon in the systray starts flashing when I try to send data to and
> from my client, but that's it...
>
> Is there a known solution to these problems or does it require some
> more debugging to find out what the real problem is?
>
> //Mattias Hansson
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
From dreadboy at hotmail.com Tue Mar 6 20:11:29 2001
From: dreadboy at hotmail.com (Dread Boy) Date: Tue, 06 Mar 2001 19:11:29 -0700 Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol. Message-ID: OK, even though I've asked these questions before, I'm gonna try again in an attempt to get my PPTPD Linux server working perfectly. I'm one step away, here, I'm sure of it. Prior to obtaining the ipchains rules listed below in ip-up and ip-down, I was completely unable to see any machines on my VPN remotely. Now, with everyone's help, I have indeed gotten further. Thx to everyone so far. Too many to list, but you know who you are. =) Now I can indeed see a list of Windoze/SMB server machine names on my remote Windoze system. However, I can still only browse or use shares on either the SMB server I'm dialing into, or the remote workstation I'm using to dial-up. I can not access anything else (or even ping by name or IP number) the other machines listed by the WINS server in my Network Neighborhood browse list. I feel for sure, something is being blocked. I know that SMB sharing definitely uses port 139, but I've also noticed that ports 137 and 138 are also used. I don't know if this is it, but does anyone know why I would not even be able to ping other machines on the network? - My network is 192.168.0.0/255.255.255.0 - localip is 88-95 - remoteip is 96-103 OK, so I've also noticed that although the remoteip shows up on ppp0 on the route table (192.168.0.96) the localip doesn't seem to be here... Does anyone know for sure whether this is a routing problem? ipchains is still Greek to me, somewhat, and I don't even really understand the concept of connecting on eth1 and having it turn into a ppp* interface, and how all three interfaces (including eth0) have to be configured to pass traffic along properly. Thx. Craig. 
>route
255.255.255.255 * 255.255.255.255 UH 0 0 0 eth0
192.168.0.96 * 255.255.255.255 UH 0 0 0 ppp0
192.168.0.2 * 255.255.255.255 UH 0 0 0 eth0
* 255.255.255.255 UH 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
* 255.255.252.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 0.0.0.0 UG 0 0 0 eth1

--- /etc/ppp/ip-up ---
#!/bin/bash
# This file should not be modified -- make local changes to
# /etc/ppp/ip-up.local instead
LOGDEVICE=$6
REALDEVICE=$1
/sbin/ipchains -A input -i $REALDEVICE -j ACCEPT
/sbin/ipchains -A output -i $REALDEVICE -j ACCEPT
/sbin/ipchains -A forward -i $REALDEVICE -j ACCEPT
[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local $*
# Used for clustering heartbeat monitoring stuff.
[ -x /etc/ppp/ip-up.heart ] && /etc/ppp/ip-up.heart $*
/etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
exit 0

--- /etc/ppp/ip-down ---
#!/bin/bash
# This file should not be modified -- make local changes to
# /etc/ppp/ip-down.local instead
LOGDEVICE=$6
REALDEVICE=$1
/sbin/ipchains -D input -i $REALDEVICE -j ACCEPT
/sbin/ipchains -D output -i $REALDEVICE -j ACCEPT
/sbin/ipchains -D forward -i $REALDEVICE -j ACCEPT
[ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $*
/etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE}
exit 0

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
From dreadboy at hotmail.com Tue Mar 6 20:25:12 2001
From: dreadboy at hotmail.com (Dread Boy) Date: Tue, 06 Mar 2001 19:25:12 -0700 Subject: [pptp-server] RE: interfaces Message-ID: Just a piece of trivia regarding "interface = ..." in your Samba configuration file. I found out the hard way that unless you also add the line "bind interfaces only = yes" underneath of the "interface" line, SMB will still be bound to all interfaces. To test your external interface, you should visit "www.grc.com" and use "Shields Up" and click on "Probe My Ports" to find out if indeed your SMB port 139 ass is hanging out to dry with your SMB Linux server. "bind interfaces only = yes" is not listed as a remarked comment anywhere in the default smb.conf file. _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From dreadboy at hotmail.com Wed Mar 7 02:12:54 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Wed, 07 Mar 2001 01:12:54 -0700 Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol . Message-ID: >Don't give up.... > >Do you have IP forwarding turned on? using `echo 1 > >/proc/sys/net/ipv4/ip_forward` ???? Yeah, man. It is a gateway server. eth0 = LAN, eth1 = ISP. All routing seems to work just fine, and the only TCP/IP ports I have open on the external interface are 22 (SSH) and 80 (HTTP). > >can you try using tcpdump and filter packets going through the PPTPD server >to see where it's stopping? How does one use these utilities effectively? > > >thanks, >George Vieira > > >-----Original Message----- 
>From: Dread Boy [mailto:dreadboy at hotmail.com] >Sent: Wednesday, March 07, 2001 1:11 PM >To: pptp-server at lists.schulte.org >Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol. > > >OK, even though I've asked these questions before, I'm gonna try again in >an > >attempt to get my PPTPD Linux server working perfectly. > >I'm one step away, here, I'm sure of it. Prior to obtaining the ipchains >rules listed below in ip-up and ip-down, I was completely unable to see any >machines on my VPN remotely. > >Now, with everyone's help, I have indeed gotten further. Thx to everyone >so > >far. Too many to list, but you know who you are. =) > >Now I can indeed see a list of Windoze/SMB server machine names on my >remote > >Windoze system. However, I can still only browse or use shares on either >the SMB server I'm dialing into, or the remote workstation I'm using to >dial-up. I can not access anything else (or even ping by name or IP >number) > >the other machines listed by the WINS server in my Network Neighborhood >browse list. > >I feel for sure, something is being blocked. I know that SMB sharing >definitely uses port 139, but I've also noticed that ports 137 and 138 are >also used. I don't know if this is it, but does anyone know why I would >not > >even be able to ping other machines on the network? > >- My network is 192.168.0.0/255.255.255.0 >- localip is 88-95 >- remoteip is 96-103 > >OK, so I've also noticed that although the remoteip shows up on ppp0 on the >route table (192.168.0.96) the localip doesn't seem to be here... > >Does anyone know for sure whether this is a routing problem? ipchains is >still Greek to me, somewhat, and I don't even really understand the concept >of connecting on eth1 and having it turn into a ppp* interface, and how all >three interfaces (including eth0) have to be configured to pass traffic >along properly. > >Thx. Craig. 
> > >route >255.255.255.255 * 255.255.255.255 UH 0 0 0 >eth0 >192.168.0.96 * 255.255.255.255 UH 0 0 0 >ppp0 >192.168.0.2 * 255.255.255.255 UH 0 0 0 >eth0 > * 255.255.255.255 UH 0 0 0 >eth1 >192.168.0.0 * 255.255.255.0 U 0 0 0 >eth0 > * 255.255.252.0 U 0 0 0 >eth1 >127.0.0.0 * 255.0.0.0 U 0 0 0 lo >default 0.0.0.0 UG 0 0 0 >eth1 > >--- /etc/ppp/ip-up --- >#!/bin/bash ># This file should not be modified -- make local changes to ># /etc/ppp/ip-up.local instead >LOGDEVICE=$6 >REALDEVICE=$1 >/sbin/ipchains -A input -i $REALDEVICE -j ACCEPT >/sbin/ipchains -A output -i $REALDEVICE -j ACCEPT >/sbin/ipchains -A forward -i $REALDEVICE -j ACCEPT >[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local $* ># Used for clustering heartbeat monitoring stuff. >[ -x /etc/ppp/ip-up.heart ] && /etc/ppp/ip-up.heart $* >/etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE} >exit 0 > >--- /etc/ppp/ip-down --- >#!/bin/bash ># This file should not be modified -- make local changes to ># /etc/ppp/ip-down.local instead >LOGDEVICE=$6 >REALDEVICE=$1 >/sbin/ipchains -D input -i $REALDEVICE -j ACCEPT >/sbin/ipchains -D output -i $REALDEVICE -j ACCEPT >/sbin/ipchains -D forward -i $REALDEVICE -j ACCEPT >[ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $* >/etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE} >exit 0 > >_________________________________________________________________________ >Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulteconsulting.com! _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From n.jouanin at regie-france.com Wed Mar 7 02:17:35 2001 
From: n.jouanin at regie-france.com (Nicolas Jouanin) Date: Wed, 7 Mar 2001 09:17:35 +0100 Subject: [pptp-server] pptpd on 2.4.1 kernel Message-ID: Hi, Is pptpd compatible with the 2.4.1 kernel? I used it previously on a 2.2.x kernel without any problems, but now I get the following messages in syslog:
Mar 6 17:03:06 onyx pptpd[7136]: CTRL: Starting call (launching pppd, opening GRE)
Mar 6 17:03:06 onyx modprobe: modprobe: Can't locate module char-major-108
Mar 6 17:03:06 onyx modprobe: modprobe: Can't locate module ppp0
Mar 6 17:03:06 onyx modprobe: modprobe: Can't locate module tty-ldisc-3
Mar 6 17:03:06 onyx pppd[7137]: ioctl(TIOCSETD(PPP)): Invalid argument(22)
Mar 6 17:03:06 onyx pptpd[7136]: GRE: read(fd=4,buffer=804da00,len=8196) from PTY failed: status = -1 error = Input/output error
Mar 6 17:03:06 onyx pptpd[7136]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Where does this problem come from?
- bad kernel configuration, so that some modules are missing (char-major-108, ppp0, tty-ldisc-3).
- pptpd / kernel 2.4.1 incompatibility
- some patch missing in my kernel sources
- something else ....
Can anyone help me with this problem? Thanks, Nicolas JOUANIN. From dreadboy at hotmail.com Wed Mar 7 02:29:41 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Wed, 07 Mar 2001 01:29:41 -0700 Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol. Message-ID:
>From: Jerry Vonau >To: Dread Boy >Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol. >Date: Tue, 06 Mar 2001 21:06:01 -0600 > >Craig: > >You may need a forward rule from the internal interface. >From your earlier post of rc.firewall Hmmm... I do have these lines. The last three lines are at the the very end of my script. # Setup input policy # local interface, local machines, going anywhere is valid ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT # Setup forwarding policy # Masquerade local net traffic to anywhere ipchains -A forward -i $extif -s $intnet -d $any -j MASQ No. Can't even ping. When I browse the machine list (i.e. NetHood) using "NET VIEW", I can see all of the names, however, I can not reference by NetBIOS name with "NET VIEW \\PAININTHEASSMACHINE", although I can access shares and view with "NET VIEW \\PPTPDSERVER" and "NET VIEW \\REMOTEMACHINE" It seems an NMB request can't be made to the eth0 LAN to access the other machines. Even if I know what the IP number of these rogue machines are, I still get "Request timed out." while trying to ping. Again, the PPTPD server and the remote machines shares can be used, and both can be pinged, remotely. Conversely, when a remote machine is connected, I can access its shares from the PPTPD server. But, even though it appears in Windoze NetHood on all of the workstations, servers, SMB machines, etc, I can not access the ACL, and thus can not view its shares. Again, even though the machine shows up in the browse list (I assume this is Linux SMB's WINS server generating the list), the remotely-connected machine can not be accessed from other nodes on the network, although it shows up with a NetBIOS machine name, and having File Sharing enabled. (Which of course, is enabled on the remote machine so I can test things like that.) How can I be in two places at once you ask? I'm not, really. 
I just happen to have two IP addresses on my cable modem which are quite different and are in completely different subnets. I always use one for sharing my Internet connection on my Linux server as a gateway / pptpd server / WINS / DHCP, etc server. The other IP lets me simulate connecting via the Internet for testing the pptp connection. Therefore I can be sitting at one workstation logged into Linux with SSH or TridiaVNC, and be logged into the remote test machine, via IP forwarding thru the Linux server, going out to the Internet address of the remote machine controlling it with PC Anywhere or TridiaVNC. This way, I can test all kinds of scenarios at once without physically standing in front of each of the three machines or running home to test another failed pptp session to work, etc. Help! Maybe I'll just have to give in and try out that Seawall thing. I wasn't able to get it installed due to a bunch of compatibility libraries version 4 required, etc. The home page for Seawall seems to be quite a mess. Trouble enough just actually finding the downloads, let alone trying to decipher their wildly documented run-on instructions.
>
># Masquerade local net traffic to anywhere
>ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
>
>add BEFORE it:
>ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
>
>should look like:
>ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
>ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
>
>In order for traffic to leave an interface it must be forwarded.
>You're on the same LAN, using the same range.
>You might be able to ping but no traffic will pass. Incoming
>traffic is accepted but return traffic is not forwarded back.
>You have no rule to allow traffic to pass from the LAN to
>the LAN from the internal interface; you must state it for traffic to pass.
>
>Let me know how you make out.
> >Jerry Vonau
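A small lint for the rule problem Jerry describes, added here as an example and not code from the thread or from pptpd: it checks a constructed copy of Craig's rc.firewall fragment for a forward ACCEPT on $intif for traffic staying inside $intnet, checks that this rule precedes the MASQ rule as Jerry recommends, and reports the ip_forward switch George asked about. The sample script texts and the optional file argument to check_ip_forward are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread or from pptpd.
# Lints an ipchains rc.firewall fragment for the two points raised above:
#  - a forward ACCEPT for LAN traffic staying on the LAN ($intif -> $intnet),
#  - that this ACCEPT comes before the MASQ rule, as Jerry recommends
#    (ipchains takes the first matching rule in a chain).
# Also reports the kernel ip_forward switch George asked about.

# Constructed script fragments modelled on Craig's posted rc.firewall lines.
RULES_BROKEN='intif="eth0"
extif="eth1"
intnet="192.168.0.0/24"
any="0.0.0.0/0"
ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
ipchains -A forward -i $extif -s $intnet -d $any -j MASQ'

# Same fragment with the LAN ACCEPT appended after MASQ (wrong order).
RULES_WRONG_ORDER="$RULES_BROKEN
"'ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT'

RULES_FIXED='intif="eth0"
extif="eth1"
intnet="192.168.0.0/24"
any="0.0.0.0/0"
ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
ipchains -A forward -i $extif -s $intnet -d $any -j MASQ'

# check_forward_rules SCRIPT_TEXT
# Returns 0 when the LAN-to-LAN forward ACCEPT exists and precedes MASQ,
# 1 when it is missing, 2 when it is present but comes after MASQ.
check_forward_rules() {
    accept_line=$(printf '%s\n' "$1" \
        | grep -nF 'ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    masq_line=$(printf '%s\n' "$1" \
        | grep -n 'ipchains -A forward .*-j MASQ' \
        | head -n 1 | cut -d: -f1)
    if [ -z "$accept_line" ]; then
        echo "MISSING: no forward ACCEPT for \$intnet -> \$intnet on \$intif"
        return 1
    fi
    if [ -n "$masq_line" ] && [ "$accept_line" -gt "$masq_line" ]; then
        echo "ORDER: LAN ACCEPT (line $accept_line) is after MASQ (line $masq_line)"
        return 2
    fi
    echo "OK: LAN-to-LAN forward ACCEPT at line $accept_line precedes MASQ"
    return 0
}

# check_ip_forward [FILE]
# Reads the forwarding switch (default: the live /proc entry) and returns 0
# only when it is 1; a 0 here is why nothing crosses from ppp0 to eth0.
check_ip_forward() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    v=$(cat "$f" 2>/dev/null || echo "")
    if [ "$v" = "1" ]; then
        echo "OK: ip_forward=1"
        return 0
    fi
    echo "PROBLEM: ip_forward='${v:-unreadable}', fix with: echo 1 > $f"
    return 1
}

main() {
    for r in "$RULES_BROKEN" "$RULES_WRONG_ORDER" "$RULES_FIXED"; do
        check_forward_rules "$r" || true
    done
    check_ip_forward || true
}

main
```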
From nick at taxlawyer.co.nz Wed Mar 7 02:36:41 2001 
From: nick at taxlawyer.co.nz (Nick Rout) Date: Wed, 07 Mar 2001 21:36:41 +1300 Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol. In-Reply-To: Message-ID: <453491006.984001001@[192.168.2.1]> Do you have ip-forwarding enabled in the server machine?
cat /proc/sys/net/ipv4/ip_forward
If it's zero, that's your problem. It needs to be one to forward traffic from your LAN (ethx) to your pptpd tunnel (ethx).
echo "1" > /proc/sys/net/ipv4/ip_forward
is the fix.
From jvonau at home.com Wed Mar 7 03:01:16 2001 From: jvonau at home.com (Jerry Vonau) Date: Wed, 07 Mar 2001 03:01:16 -0600 Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol. References: Message-ID: <3AA5F8DC.3B537792@home.com> Craig: You're missing the point,
ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
is fine; you need a matching one for output and forward also. I see the output rule but no forward rule. The other way is to load it through ip-up.local but use -I, to insert the rule before the masq rule, in the chains. Jerry Vonau Dread Boy wrote:
From dreadboy at hotmail.com Wed Mar 7 03:18:31 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Wed, 07 Mar 2001 02:18:31 -0700 Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol. Message-ID: So, Jerry, should I be using the following 5 lines in ip-up?
ipchains -I input -i $REALDEVICE -j ACCEPT
ipchains -I output -i $REALDEVICE -j ACCEPT
ipchains -I forward -i $REALDEVICE -j MASQ
ipchains -I forward -i $intif -s $intnet -d $intnet -j ACCEPT
ipchains -I forward -i $extif -s $intnet -d $any -j MASQ
(And of course -D inverse rules for ip-down?) Right now in /etc/ppp/ip-up I have:
ipchains -A input -i $REALDEVICE -j ACCEPT
ipchains -A output -i $REALDEVICE -j ACCEPT
ipchains -A forward -i $REALDEVICE -j MASQ
Also, you say I should only have one single localip instead of a matching number of entries for the remoteip range? Thx. Craig. =)
From dreadboy at hotmail.com Wed Mar 7 03:39:31 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Wed, 07 Mar 2001 02:39:31 -0700
Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
Message-ID:

Forgive me for being an ipchains idiot who can't find a lot of helpful docs.
They all seem to be written by gurus who assume you already know how the
theory of ipchains filtering works.

These things I believe I'm starting to understand... (correct me if I'm
wrong, which I probably am.)

1) The rules apply one at a time; if a packet makes it through the first
rule, it then must make it through the second, etc., etc. Like hoops for
yours truly to master.

2) The names of the chains are irrelevant; instead of "input/output/forward"
I could simply make new ones and label them "tom/dick/harry". In fact, I
think I'm able just to make one chain name if I really wanted to make things
complicated.

3) What's important is the interface, the source address/net/port,
destination address/net/port, and what to do with it (i.e. DENY, REJECT,
MASQ, REDIRECT, etc.)

I tried implementing some of these rules to my existing script, with no
luck, really. For example, I block out port 139 on eth1 (the external
ethernet) by simply un-binding it in smb.conf where:

interfaces = eth0 lo ppp+
bind interfaces only = yes

I am careful not to include eth1 for outside NetBIOS attacks. Now, when I
remark both of these statements, of course NetBIOS is bound to all
interfaces by default; and indeed port 139 is hanging out wide on the
Internet. So to compensate I made a rule and placed it in several places in
my firewall script (start, middle, end, garbage) trying to get it to work.

extif="eth1"
extip=
any=0.0.0.0/0

ipchains -A input -i $extif -p TCP -s $any 139 -d $extip -j REJECT

or

ipchains -A input -i $extif -p TCP -s $any 137:139 -d $extip -j DENY
ipchains -A output -i $extif -p TCP -s $extip 137:139 -d $any -j DENY

and many other variants of the same type as above. None had any effect on
blocking out the dreaded port 139 from the Internet interface on eth1.
Although these rules look like they should make perfect sense based on what
I know about ipchains, they had no effect. What exactly would be wrong with
these statements? They don't cause any errors, and they show up just fine
with ipchains -L looking as if they should block the ports I've specified.

Are there any good books on this? I remember I saw one once that was great,
but when I went to buy it the other day, the book store's computer system
said it wasn't in publication anymore. I believe the book was simply called
"IPCHAINS". And that's all the book covered. It was a big black paperback
thicker than "Gone With The Wind", but that's exactly what I needed.

Thx. Any ipchains guys out there that can explain a simple example of about
8 lines in layman's terms?

>From: Jerry Vonau
>To: Dread Boy , "pptp-server at lists.schulte.org"
>Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
>Date: Wed, 07 Mar 2001 03:01:16 -0600
>
>Craig:
>
>You're missing the point,
>ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
>is fine, you need a matching one for output and forward also.
>I see the output rule but no forward rule.
>
>The other way is to load it through ip-up.local
>but use -I, to insert the rule before the masq rule, in the chains.
>
>Jerry Vonau
>
>
>Dread Boy wrote:
> > > >From: Jerry Vonau
> > >To: Dread Boy
> > >Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
> > >Date: Tue, 06 Mar 2001 21:06:01 -0600
> > >
> > >Craig:
> > >
> > >You may need a forward rule from the internal interface.
> > >From your earlier post of rc.firewall
> >
> > Hmmm... I do have these lines. The last three lines are at the very end
> > of my script.
> >
> > # Setup input policy
> > # local interface, local machines, going anywhere is valid
> > ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
> >
> > # Setup forwarding policy
> > # Masquerade local net traffic to anywhere
> > ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> >
> > No. Can't even ping. When I browse the machine list (i.e. NetHood) using
> > "NET VIEW", I can see all of the names, however, I can not reference by
> > NetBIOS name with "NET VIEW \\PAININTHEASSMACHINE", although I can access
> > shares and view with "NET VIEW \\PPTPDSERVER" and "NET VIEW \\REMOTEMACHINE"
> >
> > It seems an NMB request can't be made to the eth0 LAN to access the other
> > machines. Even if I know what the IP number of these rogue machines are, I
> > still get "Request timed out." while trying to ping. Again, the PPTPD
> > server and the remote machine's shares can be used, and both can be pinged,
> > remotely.
> >
> > Conversely, when a remote machine is connected, I can access its shares from
> > the PPTPD server. But, even though it appears in Windoze NetHood on all of
> > the workstations, servers, SMB machines, etc, I can not access the ACL, and
> > thus can not view its shares. Again, even though the machine shows up in
> > the browse list (I assume this is Linux SMB's WINS server generating the
> > list), the remotely-connected machine can not be accessed from other nodes
> > on the network, although it shows up with a NetBIOS machine name, and having
> > File Sharing enabled. (Which of course, is enabled on the remote machine so
> > I can test things like that.)
> >
> > How can I be in two places at once you ask? I'm not, really. I just happen
> > to have two IP addresses on my cable modem which are quite different and are
> > in completely different subnets. I always use one for sharing my Internet
> > connection on my Linux server as a gateway / pptpd server / WINS / DHCP, etc
> > server. The other IP lets me simulate connecting via the Internet for
> > testing the pptp connection. Therefore I can be sitting at one workstation
> > logged into Linux with SSH or TridiaVNC, and be logged into the remote test
> > machine, via IP forwarding thru the Linux server, going out to the Internet
> > address of the remote machine controlling it with PC Anywhere or TridiaVNC.
> >
> > This way, I can test all kinds of scenarios at once without physically
> > standing in front of each of the three machines or running home to test
> > another failed pptp session to work, etc.
> >
> > Help! Maybe I'll just have to give in and try out that Seawall thing. I
> > wasn't able to get it installed due to a bunch of compatibility libraries
> > version 4 required, etc. The home page for Seawall seems to be quite a
> > mess. Trouble enough just actually finding the downloads, let alone trying
> > to decipher their wildly documented run-on instructions.
> >
> >
> > ># Masquerade local net traffic to anywhere
> > >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> > >
> > >add BEFORE it:
> > >ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
> > >
> > >should look like:
> > >ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
> > >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> > >
> > >In order for traffic to leave an interface it must be forwarded.
> > >You're on the same lan, using the same range.
> > >You might be able to ping but no traffic will pass.
> > >Incoming traffic is accepted but return traffic is not forwarded back.
> > >You have no rule to allow traffic to pass from the lan to the lan
> > >from the internal interface; you must state it for traffic to pass.
> > >
> > >Let me know how you make out.
> > >
> > >Jerry Vonau

From dreadboy at hotmail.com Wed Mar 7 03:44:24 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Wed, 07 Mar 2001 02:44:24 -0700
Subject: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
Message-ID:

Thx for the advice. Will try again tomorrow. It looks like it makes sense.
I would never have thought that one would have to forward packets along the
same interface since Samba doesn't require this to see other machines
locally. I figured that as soon as you acquire a localip address and since
the machine name shows up in NetHood that you were into the LAN. Also, what
confused me was that the pptpd server was ok to access.

Thx.

>From: Jerry Vonau
>To: Dread Boy
>Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
>Date: Wed, 07 Mar 2001 03:31:51 -0600
>
>Craig:
>
>try:
>
>ipchains -I input -i $REALDEVICE -j ACCEPT
>ipchains -I output -i $REALDEVICE -j ACCEPT
>ipchains -I forward -i $REALDEVICE -j ACCEPT
>ipchains -I forward -i eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
>
>reverse them in the down file.
>
>
>To grab some quick debug logging, to the bottom of your rc.firewall add:
>ipchains -A input -j DENY -l
>ipchains -A output -j DENY -l
>ipchains -A forward -j DENY -l
>
>This will cause all the deny hits to be recorded in /var/log/messages
>
>
>Jerry
>
>
>Dread Boy wrote:
> >
> > So, Jerry, should I be using the following 5 lines in ip-up?
> >
> > ipchains -I input -i $REALDEVICE -j ACCEPT
> > ipchains -I output -i $REALDEVICE -j ACCEPT
> > ipchains -I forward -i $REALDEVICE -j MASQ
> > ipchains -I forward -i $intif -s $intnet -d $intnet -j ACCEPT
> > ipchains -I forward -i $extif -s $intnet -d $any -j MASQ
> >
> > (And of course -D inverse rules for ip-down?)
> >
> > Right now in /etc/ppp/ip-up I have:
> >
> > ipchains -A input -i $REALDEVICE -j ACCEPT
> > ipchains -A output -i $REALDEVICE -j ACCEPT
> > ipchains -A forward -i $REALDEVICE -j MASQ
> >
> > Also, you say I should only have one single localip instead of a matching
> > number of entries for the remoteip range?
> >
> > Thx. Craig. =)
> >

From berzerke at swbell.net Wed Mar 7 09:43:44 2001
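As an added example (not code from the thread or from ipchains itself), the Python model below applies ipchains' first-match rule to the chains discussed in the exchange above: it shows why Jerry's `-i $intif -s $intnet -d $intnet` forward rule is needed before a VPN client can reach other LAN hosts, why the ip-up rules must be inserted with `-I` rather than appended once a logging catch-all DENY sits at the bottom of rc.firewall, and why the NetBIOS rule in Craig's earlier post (`-s $any 137:139`) matched nothing, since it keys on the source port. Interface names, a default forward policy of DENY and the sample addresses are assumptions.

```python
"""First-match model of ipchains chains. Added example, not code from the thread.

Assumptions: eth0 is the LAN side, eth1 the internet side, ppp0 the VPN client's
link and the LAN is 192.168.0.0/24 (as in Craig's posts); on the forward chain
``-i`` names the interface a packet goes OUT on (ipchains semantics).
203.0.113.5 (the box's external address) and 198.51.100.7 are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                              # ACCEPT, DENY, REJECT or MASQ
    iface: Optional[str] = None              # None = any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[Tuple[int, int]] = None  # port range written after -s
    dport: Optional[Tuple[int, int]] = None  # port range written after -d
    log: bool = False                        # the -l flag

    def matches(self, iface, src, dst, sport=0, dport=0):
        if self.iface is not None and iface != self.iface:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.sport and not self.sport[0] <= sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= dport <= self.dport[1]:
            return False
        return True


@dataclass
class Chain:
    name: str
    policy: str = "DENY"
    rules: List[Rule] = field(default_factory=list)
    logged: List[str] = field(default_factory=list)  # what -l would send to syslog

    def append(self, rule):  # ipchains -A <chain> ...
        self.rules.append(rule)

    def insert(self, rule):  # ipchains -I <chain> ... (rule 1 when no position given)
        self.rules.insert(0, rule)

    def verdict(self, iface, src, dst, sport=0, dport=0):
        """The first matching rule decides; the chain policy applies otherwise."""
        for rule in self.rules:
            if rule.matches(iface, src, dst, sport, dport):
                if rule.log:
                    self.logged.append(f"{self.name}: {iface} {src}->{dst} {rule.target}")
                return rule.target
        return self.policy


INTIF, EXTIF, INTNET = "eth0", "eth1", "192.168.0.0/24"
VPN_CLIENT, LAN_HOST, REMOTE_HOST = "192.168.0.96", "192.168.0.2", "198.51.100.7"


def build_forward(lan_to_lan=False, debug_log=False, ip_up_flag="-A"):
    """Forward chain as rc.firewall, then /etc/ppp/ip-up for ppp0, would leave it."""
    fwd = Chain("forward")
    if lan_to_lan:  # Jerry's rule, placed before the MASQ line
        fwd.append(Rule("ACCEPT", INTIF, INTNET, INTNET))
    fwd.append(Rule("MASQ", EXTIF, INTNET, "0.0.0.0/0"))
    if debug_log:  # Jerry's "ipchains -A forward -j DENY -l" at the bottom of rc.firewall
        fwd.append(Rule("DENY", log=True))
    ppp_rule = Rule("ACCEPT", "ppp0")  # ip-up's "-i $REALDEVICE -j ACCEPT"
    if ip_up_flag == "-I":
        fwd.insert(ppp_rule)
    else:
        fwd.append(ppp_rule)
    return fwd


def forward_verdicts(fwd):
    return {
        "vpn->lan": fwd.verdict(INTIF, VPN_CLIENT, LAN_HOST),  # leaves via eth0
        "lan->vpn": fwd.verdict("ppp0", LAN_HOST, VPN_CLIENT),  # leaves via ppp0
        "lan->internet": fwd.verdict(EXTIF, LAN_HOST, REMOTE_HOST),  # leaves via eth1
    }


def netbios_exposed(port_side):
    """True if an inbound SMB connect on eth1 still passes the input chain.

    port_side="src" is Craig's rule (-s $any 137:139): an inbound connection
    has an ephemeral source port and destination port 139, so it never matches.
    port_side="dst" keys the same range on the destination port instead."""
    inp = Chain("input", policy="ACCEPT")
    ports = {"sport": (137, 139)} if port_side == "src" else {"dport": (137, 139)}
    inp.append(Rule("DENY", EXTIF, "0.0.0.0/0", "203.0.113.5/32", **ports))
    verdict = inp.verdict(EXTIF, REMOTE_HOST, "203.0.113.5", sport=40000, dport=139)
    return verdict == "ACCEPT"
```

Calling `build_forward()` with and without `lan_to_lan`, then with `debug_log=True` and each of `-A`/`-I`, reproduces the thread's symptoms in turn: VPN-to-LAN denied, then accepted, then the return path denied and logged by the catch-all, then accepted again.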
From: berzerke at swbell.net (robert)
Date: Wed, 07 Mar 2001 09:43:44 -0600
Subject: [pptp-server] pptpd on 2.4.1 kernel
In-Reply-To:
References:
Message-ID: <01030709434400.13806@linux>

Yes, it does work with 2.4.1 kernel (and 2.4.2; I tested it yesterday). I
have written a howto on pptpd and the 2.4 kernel series. It is at
http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt (mirroring
permitted and encouraged).

As a quick answer, it looks like your modules.conf needs updating.

alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

But see the howto for complete instructions. You may have other problems as
well.

On Wednesday 07 March 2001 02:17, Nicolas Jouanin wrote:
> Hi,
>
> Is pptpd compatible with 2.4.1 kernel ?
> I used it previously on a 2.2.x kernel without any problems, but now I get the
> following messages in syslog:
>
> ------------------------------------------------------------------------------
> Mar 6 17:03:06 onyx pptpd[7136]: CTRL: Starting call (launching pppd, opening GRE)
> Mar 6 17:03:06 onyx modprobe: modprobe: Can't locate module char-major-108
> Mar 6 17:03:06 onyx modprobe: modprobe: Can't locate module ppp0
> Mar 6 17:03:06 onyx modprobe: modprobe: Can't locate module tty-ldisc-3
> Mar 6 17:03:06 onyx pppd[7137]: ioctl(TIOCSETD(PPP)): Invalid argument(22)
> Mar 6 17:03:06 onyx pptpd[7136]: GRE: read(fd=4,buffer=804da00,len=8196) from PTY failed: status = -1 error = Input/output error
> Mar 6 17:03:06 onyx pptpd[7136]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
> ------------------------------------------------------------------------------
>
> Where does this problem come from ?
> - bad kernel configuration, so that some modules are missing
> (char-major-108, ppp0, tty-ldisc-3).
> - pptpd / kernel 2.4.1 incompatibility
> - some patch missing in my kernel sources
> - something else ....
>
>
> Can anyone help me with this problem ?
>
> Thanks,
>
> Nicolas JOUANIN.

From dreadboy at hotmail.com Wed Mar 7 10:08:44 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Wed, 07 Mar 2001 09:08:44 -0700
Subject: [pptp-server] Whoo-hoo! Complete routing success!
Message-ID:

Whoo-hoo! Thx, Jerry. =)

This rule was the saving grace:

ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT

I stuck it into my firewall script as the second last line and BANG-O! It
worked perfectly for accessing all the other machines, instantly, without
messing up the gateway routing, Samba, etc.

Right on, buddy! I owe you a beer or twelve. Lemme know if you live near
Calgary and I'll be happy to provide.

Thx. Craig.

From rcd at amherst.com Wed Mar 7 10:14:36 2001
From: rcd at amherst.com (Robert Dege)
Date: Wed, 07 Mar 2001 11:14:36 -0500
Subject: [pptp-server] Patch blank password/username
References: <6B8A85826C35D31193BD0090278589C81DF04A@CIC-EXCHANGE> <3AA2D3A9.9F37778E@hattaway-associates.com> <3AA4F9E7.2080307@amherst.com> <3AA572D0.5EAC9D76@hattaway-associates.com>
Message-ID: <3AA65E6C.7010207@amherst.com>

Godfrey,

I used pine to extract the patch from your email to the pptp list. I then
executed `patch -p0 < pptp.diff`. The patch was successful. It didn't
complain at all about the integration of the code. Neither did the
recompiling & installation.

But for the sake of curiosity, I'll try the other 2 sites you listed & see
what the results are. If the problem happens again, I'll even include the
logs for your viewing pleasure :)

Don't worry, I'll use lynx. I'm already aware of Netscape & its "attempt"
to help me by gunzipping my files & corrupting them. Oh, how convenient.

-Rob

Godfrey Livingstone wrote:

> Robert, the patch works for me. The fact that it does not work for you
> concerns me. I have just tried it using win9x and it works; I do not get
> the error messages if there is a match.
>
> Did you download it using netscape by chance, as netscape mangles patches?
>
> Any way if you have time can you try using wget or lynx to get the patch from
>
> http://www.hattaway.co.nz/raidpatches/blank_passwd_fix.diff
>
> I have also created what I think is a better patch if you would like to try
>
> http://www.hattaway.co.nz/raidpatches/blank_passwd_fix2.diff
>
> this tidies up the while loop considerably and should be faster.
>
> Godfrey
>
> Robert Dege wrote:
>
>> Not sure if anybody tried this or not, but Livingstone's extra patch
>> doesn't work correctly. I couldn't logon using DUN whether I was
>> supplying a user/passwd or not. PPP was acting as if my USER field was
>> always NULL. I kept getting an error message in the logs ("no secret in
>> samba secret file /etc/smbpasswd"). Once I replaced auth.c with the
>> original & recompiled, everything worked great.
>>
>> I tried using Justin's patch with my Win98 Laptop, and everything worked
>> as expected.
>>
>> user/pass --> access
>> blank/pass --> deny
>> blank/blank --> deny
>> user/blank --> deny
>>
>> Great job!
>>
>> -Rob
>>
>> Godfrey Livingstone wrote:
>>
>>> Justin, your patch does work, but the attached patch is tidier: as soon as
>>> a match is found in smbpasswd the while loop exits; this also saves time
>>> if smbpasswd is large.
>>>
>>> I then check to see if smb == NULL; if so then there is no match in the
>>> smbpasswd file, so skip to the next line of chap-secrets. No need to make
>>> up a secret which might potentially match (I know the chance of that is
>>> very very small).
>>>
>>> Godfrey
>>>
>>> Justin Kreger wrote:
>>>
>>>> In short, different means of authentication. It may use the password file,
>>>> but it does not interact with samba's daemon processes.
>>>>
>>>> As for fixing this problem, I have written a patch.
>>>>
>>>> It fixes the two problems, the blank login/password problem, and the
>>>> unknown user/blank password problem.
>>>>
>>>> Please TEST this ASAP with win9x. Both my win9x boxen think that they should
>>>> be only talking in CHAP, not MSCHAP, and I can't seem to find msdun128.exe
>>>> to fix it.
>>>>
>>>> (This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested with
>>>> Windows NT Server 4, Service Pack 6)
>>>>
>>>> -Justin Kreger, MCP MCSE
>>>>
>>>> -----Original Message-----
>>>> From: robert
>>>> To: Cowles, Steve; pptp-server at lists.schulte.org
>>>> Sent: 3/2/01 9:24 PM
>>>> Subject: Re: [pptp-server] Yes, blank username/password works!
>>>>
>>>> I'm wondering if anyone has considered that if you have a good guest
>>>> account for samba, then samba will use that if a bad username/password
>>>> is sent.
>>>>
>>>> Blank would definitely count as bad. I use blank password to list shares,
>>>> i.e. smbclient -L somemachine and just hit enter when asked for a
>>>> password. Logs show guest account is used and I do get the listing.
>>>> Could someone having this problem try disabling the guest account and
>>>> seeing if the problem goes away?
>>>>
>>>> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
>>>>
>>>>>> -----Original Message-----
>>>>>> From: Dread Boy [mailto:dreadboy at hotmail.com]
>>>>>> Sent: Friday, March 02, 2001 1:37 AM
>>>>>> To: pptp-server at lists.schulte.org; vgill at technologist.com
>>>>>> Subject: RE: [pptp-server] Yes, blank username/password works!
>>>>>>
>>>>>>
>>>>>> Yeah, and on top of all this it doesn't seem to matter what I
>>>>>> log in as, my username and password don't get carried over to
>>>>>> SAMBA for authenticating with server shares.
>>>>>
>>>>> Let's make sure we are comparing apples to apples here. The
>>>>> username/password that you specify in your windows PPTP dialup profile
>>>>> has NEVER been carried over for share access. Please keep the following
>>>>> in mind...
>>>>>
>>>>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup
>>>>> profile to authenticate the tunnel connection ONLY.
>>>>>
>>>>> 2) Share access uses the user/pass that you specified when you turned on
>>>>> your PC and logged in to get to your desktop. FWIW: This same user/pass
>>>>> can be specified in your PPTP dialup profile to be used to authenticate
>>>>> the PPTP tunnel.
>>>>>
>>>>>> i.e. Whether I use a valid username/password or the blank, I
>>>>>> still can not access resources (or possibly ACLs) on the
>>>>>> servers even with valid usernames. On my local LAN it's no
>>>>>> problem, but remotely, it doesn't seem to know who I am while
>>>>>> I'm logged on.
>>>>>>
>>>>>> For example, when I click a share locally on my SAMBA server,
>>>>>> I can get into it and have certain rights based on my username/
>>>>>> password. I don't even have to think about it. "security =
>>>>>> user" in /etc/smb.conf. However, when I log in remotely with
>>>>>> Windoze using my PPTPD Linux server, when I even try to access
>>>>>> the server itself (let alone the share) it keeps asking me for
>>>>>> the IPC$ administration password as if it was an NT server.
>>>>>> It doesn't matter what I enter here, I can't get any farther.
>>>>>
>>>>> From the samba docs...
>>>>>
>>>>> Some people find browsing fails because they don't have the global
>>>>> "guest account" set to a valid account. Remember that the IPC$
>>>>> connection that lists the shares is done as guest, and thus you must
>>>>> have a valid guest account.
>>>>> ----------------------------
>>>>>
>>>>> Also, is the PPTP client's WORKGROUP participation set to match what
>>>>> the clients on the LAN are configured to?
>>>>>
>>>>>> Does PPTPD know my SMB username but not my password, or vice
>>>>>> versa? I thought maybe because it was encrypted using
>>>>>> libsmbpw.so that maybe it couldn't figure it out, but then
>>>>>> using chap-secrets plain-text passwords don't cut it either.
>>>>>>
>>>>>> Anyone know what this is all about?
>>>>>>
>>>>>> Geez, I thought this whole PPTPD Linux server was gonna be at
>>>>>> least a weekend of work, but it's turning out to be months
>>>>>> worth of work.
>>>>>
>>>>> With regards to the "subject" line of this thread... let's make sure we
>>>>> are comparing apples to apples here. I'd hate to see PopTop/PPPD get the
>>>>> reputation of being insecure without the following clarification being
>>>>> noted.
>>>>>
>>>>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP
>>>>> tunnel authentication to use the libsmbpw.o libs (smbpasswd), then your
>>>>> system appears to be vulnerable to the blank user/pass exploit mentioned
>>>>> in this thread.
>>>>>
>>>>> 2) Those of you who are still using the chap-secrets file (no re-direct)
>>>>> for tunnel authentication are NOT vulnerable to the blank user/pass
>>>>> exploit mentioned in this thread. I just verified this on my PopTop
>>>>> server!
I >>>> >>>> do >>>> >>>>> not use the re-direct to libsmbpw.o >>>>> >>>>> Steve Cowles >>>>> _______________________________________________ >>>>> pptp-server maillist - pptp-server at lists.schulte.org >>>>> http://lists.schulte.org/mailman/listinfo/pptp-server >>>>> List services provided by www.schulteconsulting.com! >>>> >>>> _______________________________________________ >>>> pptp-server maillist - pptp-server at lists.schulte.org >>>> http://lists.schulte.org/mailman/listinfo/pptp-server >>>> List services provided by www.schulteconsulting.com! >>>> >>>> ------------------------------------------------------------------------ >>>> Name: smbpasswdauthfix.patch >>>> smbpasswdauthfix.patch Type: unspecified type (application/octet-stream) >>>> Encoding: quoted-printable >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> --- ppp-2.3.11/pppd/auth.c.org Mon Mar 5 12:19:41 2001 >>>> +++ ppp-2.3.11/pppd/auth.c Mon Mar 5 12:31:54 2001 >>>> @@ -1871,10 +1871,15 @@ >>>> ) { >>>> memcpy(word, smbname, NTPASS); >>>> word[NTPASS]='\000'; >>>> + break; >>>> } >>>> >>>> } >>>> endsmbpwent(); >>>> + if (smb == NULL) { >>>> + warn("no secret in samba secret file %s", atfile); >>>> + continue; >>>> + } >>>> } >>>> #endif >>>> if (secret != NULL) >>>> blank_passwd_fix.diff >>>> >>>> Content-Type: >>>> >>>> text/plain >>>> Content-Encoding: >>>> >>>> 7bit >>>> >>>> >> _______________________________________________ >> pptp-server maillist - pptp-server at lists.schulte.org >> http://lists.schulte.org/mailman/listinfo/pptp-server >> List services provided by www.schulteconsulting.com! > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! > > > From rcd at amherst.com Wed Mar 7 11:07:36 2001 
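Review bot: in the auth.c hunk quoted above (`@@ -1871,10 +1871,15 @@`), the new `if (smb == NULL)` test relies on `smb` being the loop cursor and still pointing at the matched entry after the new `break;`, but the loop header sits outside the hunk's context, so that cannot be checked from the patch, and the test runs only after `endsmbpwent();` has already been called. Robert Dege's logs later in this thread show `no secret in samba secret file /etc/smbpasswd` for a valid user (rcd/mypass) as well as for blank/blank, which is precisely the branch this hunk adds, so the cursor does not appear to survive the loop as the patch assumes. A separate match flag set beside the `break;` (for example `found = 1;`, then `if (!found) { warn(...); continue; }`) would not depend on the cursor's value once the loop ends, and the diff should carry enough context to show the loop header. Note also that the hunk only rejects a user with no smbpasswd entry; whether a blank username or a blank password is rejected depends on what the surrounding code does with `word` on a match, which this hunk does not show.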
From: rcd at amherst.com (Robert Dege)
Date: Wed, 07 Mar 2001 12:07:36 -0500
Subject: [pptp-server] Patch blank password/username
References: <6B8A85826C35D31193BD0090278589C81DF04A@CIC-EXCHANGE> <3AA2D3A9.9F37778E@hattaway-associates.com> <3AA4F9E7.2080307@amherst.com> <3AA572D0.5EAC9D76@hattaway-associates.com>
Message-ID: <3AA66AD8.7090504@amherst.com>

Okay, here are the results of the 2 patches (btw, neither of them worked).
The header of each log chunk shows what user/pass was used. I will say this,
the DUN connection exited extremely quickly. It didn't feel like it had
gotten to the username/password lookup query.

1st Patch used
===========================================================================

blank/blank

Mar 7 11:27:52 warf pptpd[3009]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:27:52 warf pptpd[3009]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:27:52 warf pppd[3010]: no secret in samba secret file /etc/smbpasswd
Mar 7 11:27:52 warf pptpd[3009]: Buffering out-of-order packet; got 1 after 4294967295
Mar 7 11:27:52 warf pptpd[3009]: Error reading from pppd: Input/output error
Mar 7 11:27:52 warf pptpd[3009]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Mar 7 11:27:52 warf pptpd[3009]: CTRL: Client 1.2.3.4 control connection finished

rcd/mypass

Mar 7 11:28:10 warf pptpd[3011]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:28:10 warf pptpd[3011]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:28:10 warf pppd[3012]: no secret in samba secret file /etc/smbpasswd
Mar 7 11:28:10 warf pptpd[3011]: Error reading from pppd: Input/output error
Mar 7 11:28:10 warf pptpd[3011]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Mar 7 11:28:10 warf pptpd[3011]: CTRL: Client 1.2.3.4 control connection finished

attic/storage

Mar 7 11:28:35 warf pptpd[3013]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:28:35 warf pptpd[3013]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:28:35 warf pppd[3014]: no secret in samba secret file /etc/smbpasswd
Mar 7 11:28:35 warf pptpd[3013]: Error reading from pppd: Input/output error
Mar 7 11:28:35 warf pptpd[3013]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Mar 7 11:28:35 warf pptpd[3013]: CTRL: Client 1.2.3.4 control connection finished

2nd Patch used
===========================================================================

rcd/mypass

Mar 7 11:32:35 warf pptpd[3247]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:32:35 warf pptpd[3247]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:32:35 warf pppd[3248]: no secret in samba secret file /etc/smbpasswd
Mar 7 11:32:35 warf pptpd[3247]: Error reading from pppd: Input/output error
Mar 7 11:32:35 warf pptpd[3247]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Mar 7 11:32:35 warf pptpd[3247]: CTRL: Client 1.2.3.4 control connection finished

blank/blank

Mar 7 11:32:57 warf pptpd[3249]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:32:57 warf pptpd[3249]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:32:57 warf pppd[3250]: no secret in samba secret file /etc/smbpasswd
Mar 7 11:32:57 warf pptpd[3249]: Error reading from pppd: Input/output error
Mar 7 11:32:57 warf pptpd[3249]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Mar 7 11:32:57 warf pptpd[3249]: CTRL: Client 1.2.3.4 control connection finished

attic/storage

Mar 7 11:33:13 warf pptpd[3251]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:33:13 warf pptpd[3251]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:33:13 warf pppd[3252]: no secret in samba secret file /etc/smbpasswd
Mar 7 11:33:13 warf pptpd[3251]: Buffering out-of-order packet; got 1 after 4294967295
Mar 7 11:33:13 warf pptpd[3251]: Error reading from pppd: Input/output error
Mar 7 11:33:13 warf pptpd[3251]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Mar 7 11:33:13 warf pptpd[3251]: CTRL: Client 1.2.3.4 control connection finished

No Patch used (Only Justin's Patch implemented here)
===========================================================================

blank/blank

Mar 7 11:35:39 warf pptpd[3478]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:35:39 warf pptpd[3478]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:35:39 warf pppd[3479]: pppd 2.3.11 started by root, uid 0
Mar 7 11:35:39 warf pppd[3479]: Using interface ppp0
Mar 7 11:35:39 warf pppd[3479]: Connect: ppp0 <--> /dev/pts/3
Mar 7 11:35:39 warf pptpd[3478]: Buffering out-of-order packet; got 1 after 4294967295
Mar 7 11:35:39 warf pptpd[3478]: Packet reorder timeout waiting for 0
Mar 7 11:35:39 warf pptpd[3478]: Buffering out-of-order packet; got 2 after 0
Mar 7 11:35:39 warf pppd[3479]: Blank Password Detected -- Forcing Authentication Failure for
Mar 7 11:35:39 warf pppd[3479]: MSCHAP-v2 peer authentication failed for remote host
Mar 7 11:35:39 warf pppd[3479]: Connection terminated.
Mar 7 11:35:39 warf pppd[3479]: Exit.
Mar 7 11:35:39 warf pptpd[3478]: Error reading from pppd: Input/output error
Mar 7 11:35:39 warf pptpd[3478]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Mar 7 11:35:39 warf pptpd[3478]: CTRL: Client 1.2.3.4 control connection finished

rcd/mypass

Mar 7 11:36:07 warf pptpd[3481]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:36:07 warf pptpd[3481]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:36:07 warf pppd[3482]: pppd 2.3.11 started by root, uid 0
Mar 7 11:36:07 warf pppd[3482]: Using interface ppp0
Mar 7 11:36:07 warf pppd[3482]: Connect: ppp0 <--> /dev/pts/3
Mar 7 11:36:07 warf pptpd[3481]: Buffering out-of-order packet; got 1 after 4294967295
Mar 7 11:36:10 warf pptpd[3481]: Packet reorder timeout waiting for 0
Mar 7 11:36:10 warf pptpd[3481]: Buffering out-of-order packet; got 2 after 0
Mar 7 11:36:10 warf kernel: PPP BSD Compression module registered
Mar 7 11:36:10 warf kernel: PPP MPPE compression module registered
Mar 7 11:36:10 warf kernel: PPP Deflate Compression module registered
Mar 7 11:36:10 warf pppd[3482]: MSCHAP-v2 peer authentication succeeded for rcd
Mar 7 11:36:10 warf pppd[3482]: found interface eth0 for proxy arp
Mar 7 11:36:10 warf pppd[3482]: local IP address 172.28.254.46
Mar 7 11:36:10 warf pppd[3482]: remote IP address 172.28.141.41
Mar 7 11:36:10 warf pppd[3482]: MPPE 40 bit, stateless compression enabled
Mar 7 11:36:10 warf pppd[3482]: stateless MPPE enforced

attic/storage

Mar 7 11:36:53 warf pptpd[3529]: CTRL: Client 1.2.3.4 control connection started
Mar 7 11:36:53 warf pptpd[3529]: CTRL: Starting call (launching pppd, opening GRE)
Mar 7 11:36:53 warf pppd[3530]: pppd 2.3.11 started by root, uid 0
Mar 7 11:36:53 warf pppd[3530]: Using interface ppp0
Mar 7 11:36:53 warf pppd[3530]: Connect: ppp0 <--> /dev/pts/3
Mar 7 11:36:53 warf pptpd[3529]: Buffering out-of-order packet; got 1 after 4294967295
Mar 7 11:36:56 warf pptpd[3529]: Packet reorder timeout waiting for 0
Mar 7 11:36:56 warf pptpd[3529]: Buffering out-of-order packet; got 2 after 0
Mar 7 11:36:56 warf pppd[3530]: MSCHAP-v2 peer authentication succeeded for attic
Mar 7 11:36:57 warf pppd[3530]: found interface eth0 for proxy arp
Mar 7 11:36:57 warf pppd[3530]: local IP address 172.28.254.46
Mar 7 11:36:57 warf pppd[3530]: remote IP address 172.28.141.40
Mar 7 11:36:57 warf pppd[3530]: MPPE 40 bit, stateless compression enabled
Mar 7 11:36:57 warf pppd[3530]: stateless MPPE enforced

Sorry for the lengthy post. Hope this helps though

-Rob

Godfrey Livingstone wrote:

> Robert, the patch works for me. The fact that it does not work for you
> concerns me. I have just tried it using win9x and it works; I do not get
> the error messages if there is a match.
>
> Did you download it using netscape by chance, as netscape mangles patches?
>
> Any way, if you have time, can you try using wget or lynx to get the patch from
>
> http://www.hattaway.co.nz/raidpatches/blank_passwd_fix.diff
>
> I have also created what I think is a better patch if you would like to try
>
> http://www.hattaway.co.nz/raidpatches/blank_passwd_fix2.diff
>
> this tidies up the while loop considerably and should be faster.
>
> Godfrey
>
> Robert Dege wrote:
>

From allanc at sco.com Wed Mar 7 11:45:47 2001
From: allanc at sco.com (Allan Clark)
Date: Wed, 07 Mar 2001 12:45:47 -0500
Subject: [pptp-server] Whoo-hoo! Complete routing success!
References:
Message-ID: <3AA673CB.3C8C2F7B@sco.com>

Craig;

Is there a place you can post the details of your config (IPs changed to protect the innocent)? Someone will try to implement a similar config...

Allan

Dread Boy wrote:
>
> Whoo-hoo!
>
> Thx, Jerry. =)
>
> This rule was the saving grace:
> ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
>
> I stuck it into my firewall script as the second last line and BANG-O! It
> worked perfectly for accessing all the other machines, instantly, without
> messing up the gateway routing, Samba, etc.
>
> Right on, buddy! I owe you a beer or twelve. Lemme know if you live near
> Calgary and I'll be happy to provide.
>
> Thx. Craig.
> _________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From dreadboy at hotmail.com Wed Mar 7 12:11:41 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Wed, 07 Mar 2001 11:11:41 -0700
Subject: [pptp-server] Ready to help pptpd newbies
Message-ID:

OK, now that everything's working great, I've documented the entire pptpd server setup from A-Z including all files required, compilation, configuration of all files, routing & gateway setup, and Windows client setup.

This is meant for the Linux newbie, and everything is written in layman's terms in an easy step-by-step format without skipping any of them out of assumption.

Does anyone have room for this new FAQ and its complete set of files?

I need 20K for the Text HOWTO, and about 23MB for the files (including 2.2.17 kernel, and all MS Client updates) so they can all be downloaded from one location, rather than scouring 10 different sites to get all of the patches, files, etc.

Thx. Craig.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: howto.txt

From Steve at SteveCowles.com Wed Mar 7 12:33:40 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Wed, 7 Mar 2001 12:33:40 -0600
Subject: [pptp-server] Whoo-hoo! Complete routing success!
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE696@defiant.infohiiway.com>

> -----Original Message-----
> From: Dread Boy [mailto:dreadboy at hotmail.com]
> Sent: Wednesday, March 07, 2001 10:09 AM
> To: jvonau at home.com; pptp-server at lists.schulte.org
> Subject: [pptp-server] Whoo-hoo! Complete routing success!
>
> Whoo-hoo!
>
> Thx, Jerry. =)
>
> This rule was the saving grace:
> ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
>
> I stuck it into my firewall script as the second last line
> and BANG-O! It worked perfectly for accessing all the other
> machines, instantly, without messing up the gateway routing,
> Samba, etc.
>
> Right on, buddy! I owe you a beer or twelve. Lemme know if
> you live near Calgary and I'll be happy to provide.
>
> Thx. Craig.

Congratulations on your success - It's about time!!!

FWIW: You mentioned in an earlier post wanting to buy and/or read a book to better your understanding of tcp/ip and ipchains. If I could suggest, check out a book called "Linux Firewalls" by Robert L. Ziegler. I own it and have read it. Check out: http://www.linux-firewall-tools.com/linux

Besides being able to order this book (which is also available at most bookstores I've been to), there is also a boatload of other related information at his website. You can even create your own "custom" firewall script.

Steve Cowles

From JaminC at adapt-tele.com Wed Mar 7 13:01:07 2001
From: JaminC at adapt-tele.com (Jamin Collins)
Date: Wed, 7 Mar 2001 13:01:07 -0600
Subject: [pptp-server] Ready to help pptpd newbies
Message-ID:

I think I can arrange a few locations for this bad boy. Are you looking for HTTP links or is FTP access alright with you?

Jamin W. Collins

> -----Original Message-----
> From: Dread Boy [mailto:dreadboy at hotmail.com]
> Sent: Wednesday, March 07, 2001 12:12 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Ready to help pptpd newbies
>
> OK, now that everything's working great, I've documented the entire pptpd
> server setup from A-Z including all files required, compilation,
> configuration of all files, routing & gateway setup, and Windows client
> setup.
>
> This is meant for the Linux newbie, and everything is written in layman's
> terms in an easy step-by-step format without skipping any of them out of
> assumption.
>
> Does anyone have room for this new FAQ and its complete set of files?
>
> I need 20K for the Text HOWTO, and about 23MB for the files (including
> 2.2.17 kernel, and all MS Client updates) so they can all be downloaded from
> one location, rather than scouring 10 different sites to get all of the
> patches, files, etc.
>
> Thx. Craig.

From dreadboy at hotmail.com Wed Mar 7 13:00:00 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Wed, 07 Mar 2001 12:00:00 -0700
Subject: [pptp-server] Ready to help pptpd newbies
Message-ID:

Either or would be fine, Jamin. Thx. I don't have a fixed server address or a domain, so it's not logical for me to host it myself when the address changes on a constant basis.

>From: Jamin Collins
>To: 'Dread Boy' , pptp-server at lists.schulte.org
>Subject: RE: [pptp-server] Ready to help pptpd newbies
>Date: Wed, 7 Mar 2001 13:01:07 -0600
>
>I think I can arrange a few locations for this bad boy. Are you looking for
>HTTP links or is FTP access alright with you?
>
>Jamin W. Collins
>
> > -----Original Message-----
> > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > Sent: Wednesday, March 07, 2001 12:12 PM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] Ready to help pptpd newbies
> >
> > OK, now that everything's working great, I've documented the entire pptpd
> > server setup from A-Z including all files required, compilation,
> > configuration of all files, routing & gateway setup, and Windows client
> > setup.
> >
> > This is meant for the Linux newbie, and everything is written in layman's
> > terms in an easy step-by-step format without skipping any of them out of
> > assumption.
> >
> > Does anyone have room for this new FAQ and its complete set of files?
> >
> > I need 20K for the Text HOWTO, and about 23MB for the files (including
> > 2.2.17 kernel, and all MS Client updates) so they can all be downloaded from
> > one location, rather than scouring 10 different sites to get all of the
> > patches, files, etc.
> >
> > Thx. Craig.

From torbin at vonhoffmann.com Wed Mar 7 15:00:24 2001
From: torbin at vonhoffmann.com (Pace, Torbin S.)
Date: Wed, 7 Mar 2001 15:00:24 -0600
Subject: [pptp-server] Ready to help pptpd newbies
Message-ID: <1FBBB6A12712D411AD0C00D0B73E999971B2A3@neo.vhowensville.com>

I was wondering where to find the patch for removing Domain names. Could someone tell me where it is located?

From gustavo at liubob.com.ar Wed Mar 7 15:20:59 2001
From: gustavo at liubob.com.ar (Gustavo Martin Ortega)
Date: Wed, 7 Mar 2001 18:20:59 -0300
Subject: [pptp-server] First question
Message-ID: <020001c0a74c$823ddfa0$04c129c8@liubob.com.ar>

Hello, my name is Gustavo and I am from Argentina.

I have some problems trying to configure pptpd on my Red Hat Linux 6.2.

I read the howto very carefully and was doing the steps, but I can't find the file pptpd.init (the howto says that I must download it, but I don't know where I can find it), and in the inittab file there isn't anything about pptpd.

If someone can help me, please do it .... sorry about my awful English ..

Thanks a lot.

Gustavo Martín Ortega.
Network Administrator.
Liubob Informatica S.R.L.
Av. Belgrano 845 7ºA - Capital Federal.
Tel: +54-11-4-331-6722/5782
email: gustavo at liubob.com.ar

From glaze at nos4-a2.com Wed Mar 7 16:13:37 2001
From: glaze at nos4-a2.com (Doyle Glaze)
Date: Wed, 07 Mar 2001 16:13:37 -0600 (CST)
Subject: [pptp-server] First question
In-Reply-To: <020001c0a74c$823ddfa0$04c129c8@liubob.com.ar>
References: <020001c0a74c$823ddfa0$04c129c8@liubob.com.ar>
Message-ID: <984003217.3aa6b2910678d@dglaze.yi.org>

http://www.moretonbay.com/vpn/help.html

Quoting Gustavo Martin Ortega :

> Hello, my name is Gustavo and I am from Argentina.
> I have some problems trying to configure pptpd on my Red Hat Linux
> 6.2.
> I read the howto very carefully and was doing the steps, but I can't find
> the file pptpd.init (the howto says that I must download it, but I don't
> know where I can find it), and in the inittab file there isn't anything
> about pptpd.
>
> If someone can help me, please do it .... sorry about my awful English
> ..
>
> Thanks a lot.
> Gustavo Martín Ortega.
> Network Administrator.
> Liubob Informatica S.R.L.
> Av. Belgrano 845 7ºA - Capital Federal.
> Tel: +54-11-4-331-6722/5782
> email: gustavo at liubob.com.ar

From rcd at amherst.com Wed Mar 7 16:35:22 2001
From: rcd at amherst.com (Robert Dege)
Date: Wed, 07 Mar 2001 17:35:22 -0500
Subject: [pptp-server] First question
References: <020001c0a74c$823ddfa0$04c129c8@liubob.com.ar>
Message-ID: <3AA6B7AA.9030208@amherst.com>

The link that it points to in the HOW-TO doesn't exist anymore. I believe it's under another name though. Anyways, here's what I use. I even modified it so that you get the pretty green [OK]'s for startup & shutdown of the program :)

Enjoy

-Rob

Gustavo Martin Ortega wrote:

> Hello, my name is Gustavo and I am from Argentina.
>
> I have some problems trying to configure pptpd on my Red Hat Linux
> 6.2.
>
> I read the howto very carefully and was doing the steps, but I can't find
> the file pptpd.init (the howto says that I must download it, but I
> don't know where I can find it), and in the inittab file there isn't
> anything about pptpd.
>
> If someone can help me, please do it .... sorry about my awful English ..
>
> Thanks a lot.
>
> Gustavo Martín Ortega.
> Network Administrator.
> Liubob Informatica S.R.L.
> Av. Belgrano 845 7ºA - Capital Federal.
> Tel: +54-11-4-331-6722/5782
> email: gustavo at liubob.com.ar

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pptp
Type: application/octet-stream
Size: 1212 bytes
Desc: not available

From iharris at quadtel.com Wed Mar 7 17:07:36 2001
From: iharris at quadtel.com (Ian Harris)
Date: Thu, 8 Mar 2001 10:07:36 +1100
Subject: [pptp-server] SMBpasswd security breach patch
Message-ID:

Problem: Blank password allows people to access pptp connection

See auth.c, line 1859 and following.

Note that by default 'word' is memcpy'd a blank string (actually \0 plus whatever else is hanging around after the \0 due to the '2', but that's beside the point). And so, if the username is not discovered in the smbpasswd file, the password is compared with the blank 'word', which of course results in access being granted.

Quick fix is to whack something else in word that isn't likely to match, see below. Someone with more time could write this a little better, but this fixes the hole.

regards
Ian.

#ifdef JES
        else if (word[0] == '&') {
            struct smb_passwd *smb;
            char smbname[MAXWORDLEN];

            strlcpy(atfile, word+1, sizeof(atfile));
            setsmbfilepath(atfile);
            // memcpy(word, "", 2);
            strcpy(word, "crapcrap");
            setsmbpwent();
            while ( (smb = getsmbpwent()) !=NULL){
                sethexpwd(smbname, smb->smb_nt_passwd);
                smbname[NTPASS]='\000';
                /*notice ("name: %s, client: %s", smb->smb_name, client);*/
                if((client != NULL && strcmp(client, smb->smb_name) == 0)
                   || (server != NULL && strcmp(server, smb->smb_name) == 0) ) {
                    memcpy(word, smbname, NTPASS);
                    word[NTPASS]='\000';
                }
            }
            endsmbpwent();
        }
#endif

From GeorgeV at citadelcomputer.com.au Wed Mar 7 17:12:36 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Thu, 8 Mar 2001 10:12:36 +1100
Subject: [pptp-server] First question
Message-ID: <200FAA488DE0D41194F10010B597610D0A63D1@JUPITER>

That site's crap and old.. I followed this site and it works (though I deleted my source and downloaded the 2.2.17 kernel):

http://www.vibres.com/pptpd/example.html

thanks,
George Vieira

-----Original Message-----
From: Doyle Glaze [mailto:glaze at nos4-a2.com]
Sent: Thursday, March 08, 2001 9:14 AM
To: Gustavo Martin Ortega
Cc: pptp-server
Subject: Re: [pptp-server] First question

http://www.moretonbay.com/vpn/help.html

Quoting Gustavo Martin Ortega :

> Hello, my name is Gustavo and I am from Argentina.
> I have some problems trying to configure pptpd on my Red Hat Linux
> 6.2.
> I read the howto very carefully and was doing the steps, but I can't find
> the file pptpd.init (the howto says that I must download it, but I don't
> know where I can find it), and in the inittab file there isn't anything
> about pptpd.
>
> If someone can help me, please do it .... sorry about my awful English
> ..
>
> Thanks a lot.
> Gustavo Martín Ortega.
> Network Administrator.
> Liubob Informatica S.R.L.
> Av. Belgrano 845 7ºA - Capital Federal.
> Tel: +54-11-4-331-6722/5782
> email: gustavo at liubob.com.ar

From macleajb at EDnet.NS.CA Wed Mar 7 19:22:51 2001
From: macleajb at EDnet.NS.CA (James MacLean)
Date: Wed, 7 Mar 2001 21:22:51 -0400 (AST)
Subject: [pptp-server] SMBpasswd security breach patch
In-Reply-To:
Message-ID:

Hi Ian et al,

It is I who passed in the original offending pppsmb.pat patch that allowed this security breach to occur :(. It has been some time since I made that patch, and I did not recently even have an environment set up to test what folks were seeing :(, but I managed to finally get a little testing done from NT and Win98.

On Thu, 8 Mar 2001, Ian Harris wrote:

> Problem : Blank password allows people to access pptp connection
> See auth.c, line 1859 and following.

After applying the patch ;-). Thanks to Vern for getting the original patch updated for the ppp-2.4.0 code.

> Note that by default 'word' is memcpy'd a blank string (actually \0 plus
> whatever else is hanging around after the \0 due to the '2', but that's
> beside the point).

/JES hides head. At that time I was testing " \000" and then settled on "\000", but did not correct the copy. Ug :(.

> And so, if the username is not discovered in the
> smbpasswd file, the password is compared with the blank 'word', which of
> course results in access being granted.

I see this as happening because my code was allowing further testing to occur further down in the code, when in fact the testing should have stopped for that input line in chap-secrets when this part failed. You can see in the section above for getting the password from an @// how it had been done correctly before (using continue;).

> Quick fix is to whack something else in word that isn't likely to match, see
> below.
> Someone with more time could write this a little better, but this fixes the
> hole

That is one way ;-), but if someone knew the special word copied in, it might open another hole. Another would be as Godfrey Livingstone has offered. The gist of that patch is to not go through any further tests, and just go back to the top of the loop (continue;) once no match is found and looking through the smbpasswd file is exhausted.

As a fix for the original patch submitted I favor Godfrey's patch because it fixes the hole that I made ;-/. Hope I am not sounding too picky :). Justin also has some patches which have an effect, but Godfrey's hit the nail on the head by fixing _my_ code :).

> regards
> Ian.

Great to see the OpenSource folks so quick to provide solutions to problems that occur.

Sorry for the trouble my hack caused, hope it still is useful,
JES

--
James B. MacLean        macleajb at ednet.ns.ca
Department of Education http://www.ednet.ns.ca/~macleajb
Nova Scotia, Canada B3M 4B2
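As an added illustration (not code from pppd, from the patches linked in this thread, or from any poster), the C model below reproduces the defect Ian Harris describes and the fail-closed behaviour James MacLean favours: an smbpasswd-style scan that leaves 'word' blank when no entry matches, once compared as-is and once treated as "no secret, reject". The name/secret table is constructed for the example, plaintext stands in for the NT hash the real patch copies into 'word', and only the client name is matched.

```c
/*
 * Simplified model of the JES smbpasswd lookup, written for this thread;
 * it is not pppd's auth.c. Secrets are plaintext stand-ins for NT hashes.
 */
#include <stdio.h>
#include <string.h>

#define MAXWORDLEN 256

struct smb_entry {
    const char *name;
    const char *secret;
};

/* Constructed stand-in for /etc/smbpasswd (names borrowed from the test
 * logs earlier in the thread, secrets invented for the example). */
static const struct smb_entry smb_table[] = {
    { "rcd",   "mypass"  },
    { "attic", "storage" },
};
#define SMB_COUNT (sizeof smb_table / sizeof smb_table[0])

/*
 * Mirrors the posted loop: 'word' is blanked first and only overwritten
 * when a name matches. Returns 1 when a match filled 'word', 0 when the
 * scan ended without one (in which case 'word' is still "").
 */
static int smb_lookup(const char *client, char *word, size_t wordlen)
{
    int found = 0;
    size_t i;

    word[0] = '\0';                 /* the original memcpy(word, "", 2) */
    for (i = 0; i < SMB_COUNT; i++) {
        if (client != NULL && strcmp(client, smb_table[i].name) == 0) {
            strncpy(word, smb_table[i].secret, wordlen - 1);
            word[wordlen - 1] = '\0';
            found = 1;
        }
    }
    return found;
}

/*
 * Behaviour before the fix: an unknown or empty user name leaves 'word'
 * empty, control falls through to the comparison, and a blank password
 * compares equal to the blank secret. Returns 1 on "success".
 */
int auth_vulnerable(const char *client, const char *password)
{
    char word[MAXWORDLEN];

    smb_lookup(client, word, sizeof word);
    return strcmp(word, password) == 0;
}

/*
 * Behaviour with the fail-closed fix (the 'continue;' James describes:
 * an exhausted smbpasswd scan means this chap-secrets line supplies no
 * secret, so it is skipped and nothing is compared). An empty secret is
 * rejected outright as well, so no filler value is ever needed.
 */
int auth_fixed(const char *client, const char *password)
{
    char word[MAXWORDLEN];

    if (!smb_lookup(client, word, sizeof word))
        return 0;                   /* no matching entry: reject */
    if (word[0] == '\0')
        return 0;                   /* never accept an empty secret */
    return strcmp(word, password) == 0;
}

int main(void)
{
    /* The same user/password pairs Robert Dege walked through above,
     * plus a name that is absent from the table. */
    static const struct { const char *user, *pass; } tries[] = {
        { "",      ""        },
        { "rcd",   "mypass"  },
        { "rcd",   "wrong"   },
        { "ghost", ""        },
    };
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-6s/%-7s vulnerable=%s fixed=%s\n",
               tries[i].user, tries[i].pass,
               auth_vulnerable(tries[i].user, tries[i].pass) ? "ACCEPT" : "reject",
               auth_fixed(tries[i].user, tries[i].pass) ? "ACCEPT" : "reject");
    return 0;
}
```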
From: dreadboy at hotmail.com (Dread Boy)
Date: Wed, 07 Mar 2001 20:51:24 -0700
Subject: [pptp-server] Source, patches, simple howto for Redhat 6.2 pptpd under one roof (almost)
Message-ID:

DISCLAIMER: OK, first off - no warranties, no guarantees. Don't bitch at me if something breaks on your machine. If you're unfamiliar with kernel building, module compiling, or boot sector management with lilo, then this is probably not for you.

Due to a number of requests I have posted all required files (except for the kernel source) for building pppd 2.3.11 and pptpd 1.0.1 running on kernel 2.2.17 on a RedHat 6.2 system, even though Redhat 7.0 should also work, etc. However, kernel 2.2.17 source is NOT included because this particular web space account is limited to 5MB. You should pick that up at somewhere like www.kernel.org.

Read @readme at .txt before you get started, then download howto.txt and print it up. It's about 10 pages worth of text. The remainder is outlined in the howto.txt file.

If you get really stuck or have some errata I should fix, then just e-mail me: dreadboy at hotmail.com

OK, here it is... for now.

http://members.home.net/dont-bug-me/pptpd/

From darbel at techunix.technion.ac.il Thu Mar 8 00:06:02 2001
From: darbel at techunix.technion.ac.il (Dani Arbel)
Date: Thu, 8 Mar 2001 08:06:02 +0200 (IST)
Subject: [pptp-server] a question about pap-secrets file
Message-ID:

Hi!

I have a pptp server installed and operating ok. The authentication is done using a RADIUS server:

in /etc/ppp/options I have added the login option
I have installed the PAM module for RADIUS authentication (pam_radius_auth.so)
in /etc/ppp/pap-secrets I have:

# Secrets for authentication using PAP
# client        server  secret                  IP addresses
*       pop     ""      *

My question: is there a way to bypass the need to have an /etc/passwd entry for each user that will have to use the vpn?

Thanks,
Dani

From david_luyer at pacific.net.au Thu Mar 8 01:04:43 2001
From: david_luyer at pacific.net.au (David Luyer)
Date: Thu, 08 Mar 2001 18:04:43 +1100
Subject: [pptp-server] a question about pap-secrets file
In-Reply-To: Message from Dani Arbel of "Thu, 08 Mar 2001 08:06:02 +0200."
References:
Message-ID: <200103080704.f2874hT00934@typhaon.pacific.net.au>

> Hi!
> I have a pptp server installed and operating ok. The authentication is
> done using a RADIUS server:
> in /etc/ppp/options I have added the login option
> I have installed the PAM module for RADIUS authentication (pam_radius_auth.so)
> in /etc/ppp/pap-secrets I have:
>
> # Secrets for authentication using PAP
> # client        server  secret                  IP addresses
> *       pop     ""      *
>
> My question: is there a way to bypass the need to have an /etc/passwd
> entry for each user that will have to use the vpn?

I have successfully set up a server using PoPToP, portslave and zebra, but there was a lot of manual coding involved. If you need the other benefits (such as RADIUS usage accounting) it may be worth the effort.

I ended up using portslave-1.2.0pre12, pptpd-1.0.1, zebra-0.86 and applying many patches based on portslave-2.0A1 as well as local patches, and adding a local script to remove duplicate pptpd logins from the one IP, before the system was completely stable and reliable for all the users it was supporting.

That was mostly done mid-late last year, so there may be some improvements to portslave around by now so that it would take less effort, but last I checked the project was forked into 2-3 branches and not getting along well at all.

David.

--
David Luyer                      Phone:  +61 3 9674 7525
Engineering Projects Manager     Fax:    +61 3 9699 8693
Pacific Internet (Australia)     Mobile: +61 4 1111 2983
http://www.pacific.net.au/       NASDAQ: PCNTF

From gustavo at liubob.com.ar Thu Mar 8 08:29:29 2001
From: gustavo at liubob.com.ar (Gustavo Martin Ortega)
Date: Thu, 8 Mar 2001 11:29:29 -0300
Subject: [pptp-server] RV: ppp
Message-ID: <004a01c0a7dc$2fe081a0$04c129c8@liubob.com.ar>

When I try to connect to my vpn server, the following message appears at the linux console:

No free connection slots or IPs available - no more clients can connect!
/usr/sbin/pppd: The remote system is required to authenticate itself
/usr/sbin/pppd: but I couldn't find any suitable secret (password) for it to use to do so.

=====

Can somebody help me?

Thanks a lot.

Gustavo Martin Ortega

_________________________________________________________
Have you tried it? Free e-mail for life at http://correo.yahoo.com.ar

From berzerke at swbell.net Thu Mar 8 10:36:18 2001
From: berzerke at swbell.net (robert)
Date: Thu, 08 Mar 2001 10:36:18 -0600
Subject: [pptp-server] RV: ppp
In-Reply-To: <004a01c0a7dc$2fe081a0$04c129c8@liubob.com.ar>
References: <004a01c0a7dc$2fe081a0$04c129c8@liubob.com.ar>
Message-ID: <01030810361801.14539@linux>

The first message is normal and isn't something to really worry about, unless you have multiple clients trying to connect all at once. It merely means all the assigned IP numbers for a VPN connection are in use. Increase the number of remote IP numbers in pptpd.conf if you want to get rid of this message.

As for the second message, does your /etc/ppp/options file have a line "auth"? If so, try changing it to "noauth". Let me know if this works.

On Thursday 08 March 2001 08:29, Gustavo Martin Ortega wrote:
> When I try to connect to my vpn server, the following message appears at the
> linux console:
>
> No free connection slots or IPs available - no more
> clients can connect!
> /usr/sbin/pppd: The remote system is required to
> authenticate itself
> /usr/sbin/pppd: but I couldn't
> find any suitable secret (password) for it to use to
> do so.
>
> =====
>
> Can somebody help me?
>
> Thanks a lot.
>
> Gustavo Martin Ortega

From vgill at technologist.com Thu Mar 8 19:06:46 2001
From: vgill at technologist.com (Gill, Vern)
Date: Thu, 8 Mar 2001 17:06:46 -0800
Subject: [pptp-server] SMBpasswd security breach patch
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D11@ftp.gillnet.org>

By no means did your patch cause ME any trouble. I was just alarmed by the discovery, and wanted to disseminate the information as quickly as possible to prevent any "would-be'ers" who might monitor this or other lists from utilizing the information.

As far as whether or not it is useful, let me assure you that it is indeed. It keeps me from having plain text passwords lying around my system. Although I cannot use a single entry in my smbpasswd file as of yet, it is still better than the default...

Thank you for taking the time to create the patch in the first place, and for taking the time to investigate this situation. I for one appreciate it, as I am sure many others on this list do as well.

P.S. Justin, I again tried your pap/smbpasswd patch, and had no success. It compiled with no problems (after converting it to ppp-2.4.x), but when trying to use it with pppoe, it fails to transmit the password, or the correct password. I have not actually tried tcpdumping to see what's happening, but I thought you might like to know...

P.S.S. Justin has made a patch for using smbpasswd with pap. I have "ported" that patch to ppp-2.4.x. If anyone would like it, let me know. I intend to put it up on my site, just haven't had time yet.

P.S.S.S. Just in case anyone hasn't heard, I have a site up for PPP with instructions on how to make ppp-2.4.x work with various patches. If you are interested, please go to http://linus.yi.org, and click the PPP tab at the top... The information will be expanded soon to include more patches for ppp and accompanying howtos, pptpd and pptp client information, as well as linux-2.4.x, and how to make it all work together.

You can check out the Masq page also, to see where my system is at as far as what software is being used for ip filtering. I am successfully running kernel 2.4.2 and ppp-2.4.0 with pptpd 1.1.2. I am also using iptables, which is the "future" of ip filtering/forwarding/masquerading/mangling/blah/blah/blah...

Please check out the site...

From tomryan at camlaw.rutgers.edu Thu Mar 8 19:10:11 2001
From: tomryan at camlaw.rutgers.edu (Tom Ryan)
Date: Thu, 8 Mar 2001 20:10:11 -0500 (EST)
Subject: [pptp-server] question..
Message-ID:

I have a cisco 802 idsl "modem" connecting to my pptp server on the network. When I test it at remote, all is well. Locally, though, it doesn't connect. I get the LCP timeout messages. Could it be that they (meaning the DSL provider) are blocking proto 47? (gre)

thanx!
tom

From danlevy at island.liu.se Sat Mar 17 05:47:54 2001
From: danlevy at island.liu.se (Dan Levy)
Date: Sat, 17 Mar 2001 12:47:54 +0100
Subject: [pptp-server] Authentication with YP
Message-ID:

Hi,

I'm running a pptpd on solaris 8 with slirp instead of pppd. I would like to authenticate my users via yp/NIS. My users are running win2k clients, chap-v2 128 bit bla bla. Has anyone done this? Does anyone have any ideas?

Has anyone used slirp together with smbpasswd? This could be a valid option...

/Dan

From rcd at amherst.com Fri Mar 9 09:02:12 2001
From: rcd at amherst.com (Robert Dege)
Date: Fri, 09 Mar 2001 10:02:12 -0500
Subject: [pptp-server] Authentication with YP
References:
Message-ID: <3AA8F074.2030405@amherst.com>

I've had no experience with SLIRP, either client- or server-wise. However, I have PPTP working via NIS/Samba/pppd, if that helps. Works fine for me. Don't know if that means anything to you or not.

-Rob

Dan Levy wrote:

> Hi,
>
> I'm running a pptpd on solaris 8 with slirp instead of pppd. I would like to
> authenticate my users via yp/NIS. My users are running win2k clients, chap-v2
> 128 bit bla bla. Has anyone done this? Does anyone have any ideas?
>
> Has anyone used slirp together with smbpasswd? This could be a valid
> option...
>
> /Dan

From lee at booksys.com Fri Mar 9 10:04:24 2001
From: lee at booksys.com (Lee Smith)
Date: Fri, 09 Mar 2001 10:04:24 CST
Subject: [pptp-server] Overruns on sl0
Message-ID: <200103091554.f29Fs8p21158@mail.booksys.com>

I'm having some problems with pptp... On sl0 I'm getting way too many overruns, causing the connection to be horribly unstable. Any insight as to what would cause this kind of behavior?

sl0       Link encap:VJ Serial Line IP
          inet addr:192.168.10.91  P-t-P:192.168.66.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5079670 errors:0 dropped:0 overruns:5037627 frame:0 compressed:0
          TX packets:5961307 errors:0 dropped:0 overruns:5910933 carrier:0
          collisions:1007 compressed:0 txqueuelen:10

--
This our world now....the world of the electron and the switch...the beauty of the baud

From ctresco at mit.edu Fri Mar 9 15:37:42 2001
From: ctresco at mit.edu (Chris Tresco)
Date: Fri, 9 Mar 2001 16:37:42 -0500
Subject: [pptp-server] nt client routing tables
Message-ID: <009101c0a8e1$3c37c610$b201a8c0@snpc.net>

Hi,

I am wondering how to solve a certain problem.

I have my vpn box w/ eth1 as my external/routable ip address and eth0 as my internal lan that I am tunneling clients to.

I am able to authenticate and login via an NT4 box without a problem. I am also able to successfully access machines on the lan.

The problem is that after the NT box connects, the routing tables are changed and the VPN routing takes precedence. I don't want this to be the case. I would like to keep the current routing tables and add the VPN tables as a HIGHER metric number (lower precedence). I can do it manually now, but I don't think my clients will want to mess with the route command in NT themselves. : )

I have the following options in my ppp/options file:

debug
name foo
auth
require-chap
netmask 255.255.255.255
proxyarp
logfile /var/log/vpn.ppp
ms-dns 192.168.1.2
ms-dns 192.168.1.4

I have the following in my pptpd.conf file:

speed 115200
localip 192.168.1.130-132
remoteip 192.168.1.133-135

Thanks in advance for the help,

Chris Tresco

From Daniel.Curry at tsola.com Fri Mar 9 15:45:14 2001
From: Daniel.Curry at tsola.com (Daniel.Curry at tsola.com)
Date: Fri, 9 Mar 2001 13:45:14 -0800
Subject: [pptp-server] Need PPTP or IPSec software
Message-ID:

Hello all,

I need to know where to get the latest and greatest PPTP and or Insect stuff for a Red Hat 7.X install. Can someone please direct me to packages and easy to follow install instructions?

Thanks

Daniel Curry
Sr. Systems Engineer
daniel.curry at tsola.com
Tsola, Inc.
650.486.2624
Fax:650.486.2650

From Steve at SteveCowles.com Fri Mar 9 16:40:21 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Fri, 9 Mar 2001 16:40:21 -0600
Subject: [pptp-server] nt client routing tables
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6A1@defiant.infohiiway.com>

> -----Original Message-----
> From: Chris Tresco [mailto:ctresco at mit.edu]
> Sent: Friday, March 09, 2001 3:38 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] nt client routing tables
>
> Hi,
>
> I am wondering how to solve a certain problem.
>
> I have my vpn box w/ eth1 as my external/routable ip address
> and eth0 as my internal lan that I am tunneling clients to.
>
> I am able to authenticate and login via an NT4 box without a
> problem. I am also able to successfully access machines on
> the lan.
>
> The problem is that after the NT box connects, the routing
> tables are changed and the VPN routing takes precedence.
> I don't want this to be the case. I would like to keep the
> current routing tables and add the VPN tables as a HIGHER
> metric number (lower precedence). I can do it manually
> now, but I don't think my clients will want to mess with the
> route command in NT themselves. : )
>
> I have the following options in my ppp/options file:
>
> debug
> name foo
> auth
> require-chap
> netmask 255.255.255.255
> proxyarp
> logfile /var/log/vpn.ppp
> ms-dns 192.168.1.2
> ms-dns 192.168.1.4
>
> I have the following in my pptpd.conf file:
>
> speed 115200
> localip 192.168.1.130-132
> remoteip 192.168.1.133-135
>
> Thanks in advance for the help,
>
> Chris Tresco

Sounds like you need to un-check the "Use default gateway on remote network" option in your Windows PPTP dialup profile settings. By doing so, Windows will only add the LAN route (192.168.1.0/24 via the tunnel) instead of adding both the LAN route and a new default route (with a metric of 1), which then bumps the previous default route to a metric of 2 until the tunnel is torn down.

Steve Cowles

From Steve at SteveCowles.com Fri Mar 9 16:50:07 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Fri, 9 Mar 2001 16:50:07 -0600
Subject: [pptp-server] Need PPTP or IPSec software
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6A2@defiant.infohiiway.com>

> -----Original Message-----
> From: Daniel.Curry at tsola.com [mailto:Daniel.Curry at tsola.com]
> Sent: Friday, March 09, 2001 3:45 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Need PPTP or IPSec software
>
> Hello all,
>
> I need to know where to get the latest and greatest PPTP and
> or Insect stuff for a Red Hat 7.X install. Can someone please
> direct me to packages and easy to follow install instructions?
>
> Thanks

Linux PPTP (PoPToP) = http://poptop.lineo.com
Linux IPSEC (FreeS/WAN) = http://www.freeswan.org

Steve Cowles

From Daniel.Curry at tsola.com Fri Mar 9 16:52:44 2001
From: Daniel.Curry at tsola.com (Daniel.Curry at tsola.com)
Date: Fri, 9 Mar 2001 14:52:44 -0800
Subject: [pptp-server] Need PPTP or IPSec software
Message-ID:

Does anyone know which will work best with a Ravlin VPN box?

Daniel Curry
Tsola, Inc.
daniel.curry at tsola.com
650.486.2624

-----Original Message-----
From: Cowles, Steve [mailto:Steve at SteveCowles.com]
Sent: Friday, March 09, 2001 2:50 PM
To: 'Daniel.Curry at tsola.com'; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] Need PPTP or IPSec software

> -----Original Message-----
> From: Daniel.Curry at tsola.com [mailto:Daniel.Curry at tsola.com]
> Sent: Friday, March 09, 2001 3:45 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Need PPTP or IPSec software
>
> Hello all,
>
> I need to know where to get the latest and greatest PPTP and
> or Insect stuff for a Red Hat 7.X install. Can someone please
> direct me to packages and easy to follow install instructions?
>
> Thanks

Linux PPTP (PoPToP) = http://poptop.lineo.com
Linux IPSEC (FreeS/WAN) = http://www.freeswan.org

Steve Cowles

From zlowry at home.com Fri Mar 9 17:35:47 2001
From: zlowry at home.com (Zach Lowry)
Date: Fri, 9 Mar 2001 17:35:47 -0600
Subject: [pptp-server] Can't compile mppe modules on RedHat 7.0
Message-ID: <000201c0a8f1$abe3ed80$0200000a@ruthfd1.tn.home.com>

Anyone have any ideas why I can't seem to compile these modules on RH7? I followed the instructions from the poptop website almost exactly, except that I'm running a SMP kernel so I specified a different kernel configuration file... I get a screen full of errors, mostly from a call called PPP_MAGIC. Any help would be greatly appreciated!

Zach Lowry

From glaze at nos4-a2.com Fri Mar 9 18:43:30 2001
From: glaze at nos4-a2.com (Doyle Glaze)
Date: Fri, 09 Mar 2001 18:43:30 -0600 (CST)
Subject: [pptp-server] Can't compile mppe modules on RedHat 7.0
In-Reply-To: <000201c0a8f1$abe3ed80$0200000a@ruthfd1.tn.home.com>
References: <000201c0a8f1$abe3ed80$0200000a@ruthfd1.tn.home.com>
Message-ID: <984185010.3aa978b212adc@dglaze.yi.org>

I have the same problem with the smp kernel for rh7. If you find the answer please let me know. I have been working on the problem and the only response I get is that it should work. If it was the single processor kernel it would work, but not for the smp kernel.

Doyle Glaze
glaze at nos4-a2.com

Quoting Zach Lowry :
> Anyone have any ideas why I can't seem to compile these modules on RH7? I
> followed the instructions from the poptop website almost exactly, except
> that I'm running a SMP kernel so I specified a different kernel
> configuration file... I get a screen full of errors, mostly from a call
> called PPP_MAGIC. Any help would be greatly appreciated!
>
> Zach Lowry

From nh at fgb.ch Fri Mar 9 18:57:46 2001
From: nh at fgb.ch (Niklaus Hug)
Date: Sat, 10 Mar 2001 01:57:46 +0100 (CET)
Subject: [pptp-server] working with the howto Version 0.5 from berzerke@swbell.net - but no success
Message-ID: <20010310005746.7DBAB3F3D1@imap.fgb.ch>

Hello,

I'm trying to run pptpd on my SuSe Linux with Kernel 2.4.2 and did all the patching and configuration exactly according to the howto. But with encryption enabled on win98 clients there comes the error 742 (and some additional M$-bla bla). (Without encryption everything is working fine - also encrypted passwords, and compression.)

I saw that there have been some others on the maillist with this error - but for me it was not clear how they managed to get around it finally.

If you need additional information about my system (config-files etc..) just let me know.

(I'm an absolute newbie with kernel compiling - I started two weeks ago because of the pptpd stuff - please forgive me when I'm doing silly mistakes)

Thanx!

Niklaus Hug
Freies Gymnasium Bern - Switzerland

From dusty at doris.cc Fri Mar 9 19:11:09 2001
From: dusty at doris.cc (Dustin Doris)
Date: Fri, 9 Mar 2001 20:11:09 -0500 (EST)
Subject: [pptp-server] patch for ppp 2.4
In-Reply-To: <000201c0a8f1$abe3ed80$0200000a@ruthfd1.tn.home.com>
Message-ID:

Are there any MSCHAPv2 and MPPE patches for ppp 2.4? Or should the 2.3.11 work for it?

Thanks
Dustin Doris

From ctresco at mit.edu Fri Mar 9 20:21:28 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Fri, 9 Mar 2001 21:21:28 -0500
Subject: [pptp-server] nt client routing tables
In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE6A1@defiant.infohiiway.com>
Message-ID:

Thanks a lot Steve, that did work. Now I have another problem.

When I try to connect to the VPN from a client that is behind a masqueraded firewall, I get an error saying:

Error 619: The specified port is not connected.

I would assume I need to add some rules to my ipchains. Do you know off-hand what they are??

Thanks,

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Cowles, Steve
Sent: Friday, March 09, 2001 5:40 PM
To: 'Chris Tresco'; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] nt client routing tables

> -----Original Message-----
> From: Chris Tresco [mailto:ctresco at mit.edu]
> Sent: Friday, March 09, 2001 3:38 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] nt client routing tables
>
> Hi,
>
> I am wondering how to solve a certain problem.
>
> I have my vpn box w/ eth1 as my external/routable ip address
> and eth0 as my internal lan that I am tunneling clients to.
>
> I am able to authenticate and login via an NT4 box without a
> problem. I am also able to successfully access machines on
> the lan.
>
> The problem is that after the NT box connects, the routing
> tables are changed and the VPN routing takes precedence.
> I don't want this to be the case. I would like to keep the
> current routing tables and add the VPN tables as a HIGHER
> metric number (lower precedence). I can do it manually
> now, but I don't think my clients will want to mess with the
> route command in NT themselves. : )
>
> I have the following options in my ppp/options file:
>
> debug
> name foo
> auth
> require-chap
> netmask 255.255.255.255
> proxyarp
> logfile /var/log/vpn.ppp
> ms-dns 192.168.1.2
> ms-dns 192.168.1.4
>
> I have the following in my pptpd.conf file:
>
> speed 115200
> localip 192.168.1.130-132
> remoteip 192.168.1.133-135
>
> Thanks in advance for the help,
>
> Chris Tresco

Sounds like you need to un-check the "Use default gateway on remote network" option in your Windows PPTP dialup profile settings. By doing so, Windows will only add the LAN route (192.168.1.0/24 via the tunnel) instead of adding both the LAN route and a new default route (with a metric of 1), which then bumps the previous default route to a metric of 2 until the tunnel is torn down.

Steve Cowles

From Steve at SteveCowles.com Fri Mar 9 21:31:46 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Fri, 9 Mar 2001 21:31:46 -0600
Subject: [pptp-server] nt client routing tables
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6A4@defiant.infohiiway.com>

> -----Original Message-----
> From: Christopher Tresco [mailto:ctresco at mit.edu]
> Sent: Friday, March 09, 2001 8:21 PM
> To: Cowles, Steve; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] nt client routing tables
>
> Thanks a lot Steve, that did work. Now I have another problem.
>
> When I try to connect to the VPN from a client that is behind
> a masqueraded firewall, I get an error saying:
>
> Error 619: The specified port is not connected.
>
> I would assume I need to add some rules to my ipchains. Do you know
> off-hand what they are??
>
> Thanks,

I can think of a couple of things to check:

1) Your firewall's kernel must be patched to support masq'd PPTP connections. Checkout: http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

2) Since you're already able to establish inbound tunnels to your PPTP server, your ipchain rules are probably OK. For reference: PPTP tunnels require the following ports/protocols be ACCEPTED.

* Initial PPTP Control Channel - TCP Port 1723
* Generic Routing Encapsulation (GRE) Data - Protocol 47

Steve Cowles

From vgill at technologist.com Fri Mar 9 22:43:06 2001
From: vgill at technologist.com (Gill, Vern)
Date: Fri, 9 Mar 2001 20:43:06 -0800
Subject: [pptp-server] patch for ppp 2.4
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D14@ftp.gillnet.org>

Sure are... You can get my patch at http://linus.yi.org, if you like. Click on the PPP tab at the top. Or go to ftp://ftp.binarix.com/pub/ppp-mppe/

-----Original Message-----
From: Dustin Doris [mailto:dusty at doris.cc]
Sent: Friday, March 09, 2001 5:11 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] patch for ppp 2.4

Are there any MSCHAPv2 and MPPE patches for ppp 2.4? Or should the 2.3.11 work for it?

Thanks
Dustin Doris

From john at netdirect.ca Sat Mar 10 07:49:28 2001
From: john at netdirect.ca (John Van Ostrand)
Date: Sat, 10 Mar 2001 08:49:28 -0500
Subject: [pptp-server] Can't compile mppe modules on RedHat 7.0
Message-ID: <915FE25D5E61D3119CD80080C8E2E7090854DA@enterprise.NetDirect.CA>

Hi,

I just did this one last week. Although I have not yet put PPTP through extensive use (or even first time testing) here is the resolution that I found:

In the /usr/linux/src/include/linux directory you'll find a file called if_pppvar.old.h and a file called if_pppvar.h. Simply copy the if_pppvar.old.h over the if_pppvar.h file and it should work fine.

Good Luck.

John.

-----Original Message-----
From: Zach Lowry [mailto:zlowry at home.com]
Sent: Friday, March 09, 2001 6:36 PM
To: Pptp-Server (E-mail)
Subject: [pptp-server] Can't compile mppe modules on RedHat 7.0

Anyone have any ideas why I can't seem to compile these modules on RH7? I followed the instructions from the poptop website almost exactly, except that I'm running a SMP kernel so I specified a different kernel configuration file... I get a screen full of errors, mostly from a call called PPP_MAGIC. Any help would be greatly appreciated!

Zach Lowry

From bjudson at benjudson.com Sat Mar 10 16:55:59 2001
From: bjudson at benjudson.com (Benjamin J. Judson)
Date: Sat, 10 Mar 2001 16:55:59 -0600
Subject: [pptp-server] Linux 2.4.x Problems with pptpd
Message-ID: <001f01c0a9b5$48e955c0$698c24d8@bsun>

Hi there,

I'm having a problem with poptop 1.1.2 and ppp-2.4.0. I was previously running pptpd under 2.2.x and I didn't have any problems, but once I upgraded to linux 2.4.x I started getting error messages indicating that ppp support hasn't been compiled into the kernel. It is however, and I have also said yes to async, and sync ppp support. I am wondering if one of the new options in 2.4.x might be causing the problems. I have also said yes to GRE, and other tunneling support.

Is anyone else having problems like this? Or can you point me to some documentation that I'd be able to use to fix this problem?

Benjamin J. Judson
Systems Manager
The Brandon Sun

From ctresco at mit.edu Sat Mar 10 18:48:57 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Sat, 10 Mar 2001 19:48:57 -0500
Subject: [pptp-server] Linux 2.4.x Problems with pptpd
In-Reply-To: <001f01c0a9b5$48e955c0$698c24d8@bsun>
Message-ID:

Oddly enough, I just had the same problem 10 minutes ago. It must be something simple, as I patched my kernel for mppe and I saw the ppp stuff being compiled. I think it might stem from NOT having a /dev/ppp. I am looking into it now and will post something when I find it.

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Benjamin J. Judson
Sent: Saturday, March 10, 2001 5:56 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Linux 2.4.x Problems with pptpd

Hi there,

I'm having a problem with poptop 1.1.2 and ppp-2.4.0. I was previously running pptpd under 2.2.x and I didn't have any problems, but once I upgraded to linux 2.4.x I started getting error messages indicating that ppp support hasn't been compiled into the kernel. It is however, and I have also said yes to async, and sync ppp support. I am wondering if one of the new options in 2.4.x might be causing the problems. I have also said yes to GRE, and other tunneling support.

Is anyone else having problems like this? Or can you point me to some documentation that I'd be able to use to fix this problem?

Benjamin J. Judson
Systems Manager
The Brandon Sun

From ctresco at mit.edu Sat Mar 10 18:53:34 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Sat, 10 Mar 2001 19:53:34 -0500
Subject: [pptp-server] Linux 2.4.x Problems with pptpd
In-Reply-To: <001f01c0a9b5$48e955c0$698c24d8@bsun>
Message-ID:

I was right. Do this:

mknod /dev/ppp c 108 0
chmod 600 /dev/ppp

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Benjamin J. Judson
Sent: Saturday, March 10, 2001 5:56 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Linux 2.4.x Problems with pptpd

Hi there,

I'm having a problem with poptop 1.1.2 and ppp-2.4.0. I was previously running pptpd under 2.2.x and I didn't have any problems, but once I upgraded to linux 2.4.x I started getting error messages indicating that ppp support hasn't been compiled into the kernel. It is however, and I have also said yes to async, and sync ppp support. I am wondering if one of the new options in 2.4.x might be causing the problems. I have also said yes to GRE, and other tunneling support.

Is anyone else having problems like this? Or can you point me to some documentation that I'd be able to use to fix this problem?

Benjamin J. Judson
Systems Manager
The Brandon Sun

From joost at havers.nl Sat Mar 10 19:40:05 2001
From: joost at havers.nl (Joost Havers)
Date: Sun, 11 Mar 2001 02:40:05 +0100
Subject: [pptp-server] Browsing Network Neighborhood
Message-ID: <5.0.1.4.2.20010311021202.00a56cf8@dutwmail.wbmt.tudelft.nl>

Hi,

does anybody know how to get browsing to work. Logging in is no problem, I can connect to shares, print and find computers but the browsing part just won't work. I simply used the 2 pptpd-rpm's to setup the pptp-server. I'm using CHAP authentication for now.

My connections look like this:
-------------------------------------------
eth0 to the internet
eth1 to the local network 192.168.1.0
and when a client connects to pptp it gets:

ppp0  Link encap:Point-to-Point Protocol
      inet addr:192.168.1.1  P-t-P:192.168.1.52  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1450  Metric:1
      RX packets:159 errors:0 dropped:0 overruns:0 frame:0
      TX packets:126 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:10

My Samba server gives me the following:
-----------------------------------------------------------
[root at kvz150 /root]# cat /var/adm/wins.dat
VERSION 1 58496
"__MSBROWSE__#01" 984790794 255.255.255.255 e4R
"JOASTER#00" 984791751 192.168.1.150 46R                SERVER
"JOASTER#03" 984791751 192.168.1.150 46R
"JOASTER#20" 984791751 192.168.1.150 46R
"JOOST#00" 984791985 192.168.1.156 64R                  LOCAL-CLIENT
"JOOST#03" 984791985 192.168.1.156 64R
"JOOST#20" 984791985 192.168.1.156 192.168.1.56 64R
"KARLIJN#00" 984790704 192.168.1.52 4R                  VPN-CLIENT
"KARLIJN#03" 984790703 192.168.1.52 4R
"KARLIJN#20" 984790703 192.168.1.52 4R
"KORVEZEE#00" 984790704 255.255.255.255 84R             VPN-WORKGROUP
"KORVEZEE#1e" 984790704 255.255.255.255 84R
"KTV#00" 984791985 255.255.255.255 c4R                  LOCAL-WORKGROUP
"KTV#1b" 984791751 192.168.1.150 44R
"KTV#1c" 984791751 192.168.1.150 c4R
"KTV#1e" 984791751 255.255.255.255 c4R

[root at kvz150 /root]# cat /var/adm/browse.dat
"KTV" c0001000 "JOASTER" "KTV"
"JOASTER" 400d9b2b "Pentium II 233 (joost at havers.nl)" "KTV"
"KORVEZEE" c0001000 "KARLIJN" "KORVEZEE"
"JOOST" 40011003 "" "KTV"

Why is KARLIJN not in the browse list ????

I hope somebody can help me with this, I tried many of the suggestions on the internet but none of them was right for me.

Bye,

Joost Havers.

ps. Is there a patch for the 2.2.18 kernel, so I can start using encryption ???

From ctresco at mit.edu Sat Mar 10 22:41:25 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Sat, 10 Mar 2001 23:41:25 -0500
Subject: [pptp-server] Full encryption??
In-Reply-To:
Message-ID:

Is it actually possible to negotiate a fully encrypted tunnel?? I'm using 2.4.0 kernel w/ the mppe/openssl patch and ppp-2.4.0 w/ the same patch. Both acquired from following the directions here: ftp://ftp.binarix.com/pub/ppp-mppe/README.ASC

I compiled everything into the kernel (no modules at all) and set my ipchains rules appropriately. I get to the point where it says "Registering your computer on the network" meaning I have a PPP connection established, but I am never able to finally connect (negotiate encryption??) unless I don't implicitly require encryption at the client, which is odd since my ppp/options file requires it.

Any ideas?

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

From penso at linuxfr.org Sun Mar 11 11:08:16 2001
From: penso at linuxfr.org (Fabien Penso)
Date: 11 Mar 2001 18:08:16 +0100
Subject: [pptp-server] Input/Output error
Message-ID:

Hi everybody,

I try to install a pptp vpn between my ADSL connection at home, and my work. I followed the docs but it doesn't work at all. Here are some details about what I've done so far to make it work.

The network looks like:

[Windows PPTP Client] <-- private network --> [Linux 2.2 ADSL Firewall]
                                                         ^^^^
                                                          ||
                                                         vvvv
                                                [PPTP Server at Work]

which is a common network for people who try to put vpn as what I did read in the doc.

I configured the firewall as explained in the vpn-masquerade howto, and I verified it was working. In the log I got:

Mar 11 15:58:51 X kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.10 -> XXX.XXX.XX.XX CID=8000 MCID=EE66
Mar 11 15:58:52 X kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.10 -> XXX.XXX.XX.XX CID=8000 MCID=EE66

192.168.1.10 is the local IP for the windows client. So it seems it goes out well. But on the server I still see:

----
Mar 11 17:50:51 pptp_server pptpd[7341]: MGR: Launching /usr/sbin/pptpctrl to handle client
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: local address = 192.168.2.1
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: remote address = 192.168.2.11
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: pppd speed = 115200
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: pppd options file = /etc/ppp/pptpd-options
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Client 193.253.182.224 control connection started
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Received PPTP Control Message (type: 1)
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Made a START CTRL CONN RPLY packet
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: I wrote 156 bytes to the client.
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Sent packet to client
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Received PPTP Control Message (type: 7)
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Set parameters to 152 maxbps, 3 window size
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Made a OUT CALL RPLY packet
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Starting call (launching pppd, opening GRE)
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: pty_fd = 5
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: tty_fd = 6
Mar 11 17:50:52 pptp_server pptpd[7342]: CTRL (PPPD Launcher): Connection speed = 115200
Mar 11 17:50:52 pptp_server pptpd[7342]: CTRL (PPPD Launcher): local address = 192.168.2.1
Mar 11 17:50:52 pptp_server pptpd[7342]: CTRL (PPPD Launcher): remote address = 192.168.2.11
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: I wrote 32 bytes to the client.
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Sent packet to client
Mar 11 17:50:52 pptp_server pptpd[7341]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Client XXX.XXX.XXX.XXX control connection finished
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Exiting now
Mar 11 17:50:52 pptp_server pptpd[6431]: MGR: Reaped child 7341
----

Input/output error should be because I don't have the right config on the linux firewall, but I do. Anyone have an idea? I run Debian with 1.0.0 pptpd version on the server for information.

I tried something else, I grabbed pptp client for Linux, I installed it on my Linux Firewall, and I ran it. Still doesn't work. I have the same error message from my server, and on the linux firewall I have:

----
Mar 11 18:03:10 fifo (unknown)[2257]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connection established.
Mar 11 18:03:11 fifo (unknown)[2257]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]: Outgoing call established.
Mar 11 18:03:30 fifo (unknown)[2249]: log[pptp_read_some:pptp_ctrl.c:368]: read error: Broken pipe
----

Thanks for helping.

From drankin at cox-internet.com Sun Mar 11 14:28:39 2001
From: drankin at cox-internet.com (David Rankin)
Date: Sun, 11 Mar 2001 14:28:39 -0600
Subject: [pptp-server] PoPToP localip/remoteip DHCP Question
Message-ID: <3AABDFF7.DCD99FC7@cox-internet.com>

I have a question concerning the settings for localip and remoteip in pptpd.conf

My setup:

Work (pptpd server):
  Linux Mandrake 7.2
  Samba 2.07 (WINS server)
  pptpd-init-1_0_1-1_i386.rpm (installed)
  Cable Modem
  Linksys cable/dsl router (Forwarded port 1723 to server)
  DHCP valid client IP ranges 192.168.7.20-100

Home (client):
  Windows 98SE
  Cable Modem

First, I don't understand what I should set localip to. Should it be set to my server DHCP IP range 192.168.7.20-100? I have read the pptpctrl page and it indicates that setting the value to 0 will force pppd to use default IPs. Is this what I want?

Second, what should I set remoteip to? I assume the remote IP is for my Win98 box at home. Shouldn't DHCP take care of this? I'm lost... I have also read the pptpctrl page and it indicates that setting the value to 0 will force pppd to use default IPs. Again, is this what I want?

As you can tell I'm fumbling around with this one. Any help will be greatly appreciated

David Rankin
Nacogdoches, Texas
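The pptpd log that Fabien Penso quoted above shows the control channel doing its job before the GRE side fails: a type 1 message is answered with a 156-byte reply, a type 7 message with a 32-byte reply. The following Python is an added example for this thread, not code from PoPToP, pppd or any list member: it validates a raw RFC 2637 control-message header the way a server must before parsing further (short read, wrong magic cookie, Length field that disagrees with the data) and cross-checks the reply sizes pptpd logged against the sizes the RFC specifies. The size table and the log excerpt are the only assumptions; the excerpt is constructed from the lines quoted in the thread.

```python
"""Decode PPTP control-channel messages (RFC 2637) and cross-check a pptpd log.

Added example for this thread; not code from PoPToP, pppd or any list member.
SAMPLE_LOG is constructed from the pptpd lines quoted in Fabien Penso's message.
"""
import re
import struct

MAGIC_COOKIE = 0x1A2B3C4D         # fixed value in every PPTP control message
PPTP_MSG_CONTROL = 1              # PPTP Message Type 1 = control, 2 = management
HEADER = struct.Struct(">HHIHH")  # Length, PPTP Message Type, Magic Cookie,
                                  # Control Message Type, Reserved0: 12 octets

# Control Message Type -> (name, total message length in octets) per RFC 2637.
CTRL_TYPES = {
    1: ("Start-Control-Connection-Request", 156),
    2: ("Start-Control-Connection-Reply", 156),
    3: ("Stop-Control-Connection-Request", 16),
    4: ("Stop-Control-Connection-Reply", 16),
    5: ("Echo-Request", 16),
    6: ("Echo-Reply", 20),
    7: ("Outgoing-Call-Request", 168),
    8: ("Outgoing-Call-Reply", 32),
}


def parse_header(data):
    """Validate the 12-octet header before trusting anything behind it.
    Raises ValueError for a short read, a wrong cookie or message type, an
    unknown control type, or a Length field that disagrees with the data."""
    if len(data) < HEADER.size:
        raise ValueError("short read: %d octets, header needs 12" % len(data))
    length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % cookie)
    if msg_type != PPTP_MSG_CONTROL:
        raise ValueError("not a control message (PPTP Message Type %d)" % msg_type)
    name, expected = CTRL_TYPES.get(ctrl_type, (None, None))
    if name is None:
        raise ValueError("unknown Control Message Type %d" % ctrl_type)
    if length != len(data) or length != expected:
        raise ValueError("%s: Length field %d, %d octets received, RFC size %d"
                         % (name, length, len(data), expected))
    return {"type": ctrl_type, "name": name, "length": length}


def _header(ctrl_type, body_len):
    return HEADER.pack(HEADER.size + body_len, PPTP_MSG_CONTROL,
                       MAGIC_COOKIE, ctrl_type, 0)


def build_start_ctrl_conn_request(hostname, vendor):
    """Start-Control-Connection-Request (type 1), 156 octets. The reply
    (type 2) has the same layout and size, which is why pptpd reports writing
    156 bytes right after receiving a type 1 message."""
    body = struct.pack(">HHIIHH64s64s",
                       0x0100,  # Protocol Version 1.0
                       0,       # Reserved1
                       0x3,     # Framing Capabilities: async and sync
                       0x3,     # Bearer Capabilities: analog and digital
                       1,       # Maximum Channels
                       0,       # Firmware Revision
                       hostname.encode("ascii"), vendor.encode("ascii"))
    return _header(1, len(body)) + body


RECV_RE = re.compile(r"Received PPTP Control Message \(type: (\d+)\)")
WROTE_RE = re.compile(r"I wrote (\d+) bytes to the client")


def check_pptpd_log(lines):
    """Pair each request pptpd logged with the reply size it wrote next and
    compare it with the RFC size of that reply (request type + 1).
    Returns (request_type, request_name, written, expected, ok) tuples."""
    results, pending = [], None
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            pending = int(m.group(1))
            continue
        m = WROTE_RE.search(line)
        if m and pending is not None:
            written = int(m.group(1))
            name = CTRL_TYPES.get(pending, ("unknown", None))[0]
            expected = CTRL_TYPES.get(pending + 1, (None, None))[1]
            results.append((pending, name, written, expected, written == expected))
            pending = None
    return results


# Constructed excerpt of the pptpd log quoted in the thread.
SAMPLE_LOG = """\
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Received PPTP Control Message (type: 1)
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Made a START CTRL CONN RPLY packet
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: I wrote 156 bytes to the client.
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Received PPTP Control Message (type: 7)
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Made a OUT CALL RPLY packet
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: I wrote 32 bytes to the client.
""".splitlines()

if __name__ == "__main__":
    print(check_pptpd_log(SAMPLE_LOG))
    print(parse_header(build_start_ctrl_conn_request("client98", "Microsoft")))
```

Both logged sizes match the RFC, so in Fabien's trace the control channel through the masquerading firewall is fine and the failure is on the GRE/PTY side, which is what the lines after the 32-byte write say.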
From: ajennamo at uncc.edu (Andy Ennamorato)
Date: Sun, 11 Mar 2001 15:40:08 -0500 (EST)
Subject: [pptp-server] Poptop works...almost.
In-Reply-To: <3AABDFF7.DCD99FC7@cox-internet.com>
Message-ID:

After messaging the list last week and getting some great ideas (thanks to all), I got poptop semi working. However, I'm still having a major problem.

Here's my setup:

Win98 box->hub->linux(eth1). linux(eth0)->ppp0->ADSL (bellsouth).

The linux box acts as a firewall/gateway. eth1 and the win98 box are setup on the 192.168.x.x network. If I disconnect the ADSL, and attempt to connect to poptop on eth1/192.168.0.1, I get in fine. I get assigned a 10.0.x.x IP, and the pptp server gets 10.x.x.x assigned to ppp0. (I've got the 10.x.x.x network specified in pptpd.conf). So I've essentially got a dummy vpn working. I can telnet to the linux box on 10.0.69.1, etc. (no network neighborhood yet, but that's another story).

However, as soon as I sign on to ADSL w/ eth0 and ppp0 connecting to ADSL, I can't connect to poptop (which would be using ppp1 now). I get an error along the lines of "remote client not authorized to use the specified address" in the pptpd.log file, and the win98 client says it authenticates/connects, but immediately disconnects.

Does anyone have a poptop vpn working with ADSL (specifically pppoe)? I'm missing something that allows poptop to work on ppp1/ppp2/ppp3/etc - anyone have an idea? I can post my config files if needed... but when I contacted the list last week or so, most people said those look fine. And the fact that it works w/ ADSL not working seems to reinforce that fact.

Any help much appreciated...

Andy
ajennamo at uncc.edu

From ctresco at mit.edu Sun Mar 11 14:55:21 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Sun, 11 Mar 2001 15:55:21 -0500
Subject: [pptp-server] Input/Output error
In-Reply-To:
Message-ID:

In order to get help, you should probably paste your config files, /etc/ppp/options and /etc/pptpd.conf and your ipchains configuration on server and client side.

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Fabien Penso Sent: Sunday, March 11, 2001 12:08 PM To: pptp-server at lists.schulte.org Subject: [pptp-server] Input/Output error Hi everybody, I try to install a pptp vpn between my ADSL connexion at home, and my work. I followed the docs but it doesn't work at all. Here are some details about what I've done so far to make it work. The network looks like: [Windows PPTP Client] <-- private network --> [Linux 2.2 ADSL Firewall] ^^^^ || vvvv [PPTP Server at Work] which is a common network for people who try to put vpn as what I did read in the doc. I configured the firewall as explained in the vpn-masquerade howto, and I verified it was working. In the log I got: Mar 11 15:58:51 X kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.10 -> XXX.XXX.XX.XX CID=8000 MCID=EE66 Mar 11 15:58:52 X kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.10 -> XXX.XXX.XX.XX CID=8000 MCID=EE66 192.168.1.10 is the local IP for the windows client. So it seems it goes out well. But on the server is still see: ---- Mar 11 17:50:51 pptp_server pptpd[7341]: MGR: Launching /usr/sbin/pptpctrl to handle client Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: local address = 192.168.2.1 Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: remote address = 192.168.2.11 Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: pppd speed = 115200 Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: pppd options file = /etc/ppp/pptpd-options Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Client 193.253.182.224 control connection started Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Received PPTP Control Message (type: 1) Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Made a START CTRL CONN RPLY packet Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: I wrote 156 bytes to the client. 
Mar 11 17:50:51 pptp_server pptpd[7341]: CTRL: Sent packet to client
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Received PPTP Control Message (type: 7)
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Set parameters to 152 maxbps, 3 window size
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Made a OUT CALL RPLY packet
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Starting call (launching pppd, opening GRE)
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: pty_fd = 5
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: tty_fd = 6
Mar 11 17:50:52 pptp_server pptpd[7342]: CTRL (PPPD Launcher): Connection speed = 115200
Mar 11 17:50:52 pptp_server pptpd[7342]: CTRL (PPPD Launcher): local address = 192.168.2.1
Mar 11 17:50:52 pptp_server pptpd[7342]: CTRL (PPPD Launcher): remote address = 192.168.2.11
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: I wrote 32 bytes to the client.
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Sent packet to client
Mar 11 17:50:52 pptp_server pptpd[7341]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Client XXX.XXX.XXX.XXX control connection finished
Mar 11 17:50:52 pptp_server pptpd[7341]: CTRL: Exiting now
Mar 11 17:50:52 pptp_server pptpd[6431]: MGR: Reaped child 7341
----

The Input/output error should be because I don't have the right config on the linux firewall, but I do. Does anyone have an idea? For information, I run Debian with pptpd version 1.0.0 on the server.

I tried something else: I grabbed the pptp client for Linux, installed it on my Linux firewall, and ran it. Still doesn't work. I have the same error message from my server, and on the linux firewall I have:

----
Mar 11 18:03:10 fifo (unknown)[2257]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:531]: Client connection established.
Mar 11 18:03:11 fifo (unknown)[2257]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:637]: Outgoing call established.
Mar 11 18:03:30 fifo (unknown)[2249]: log[pptp_read_some:pptp_ctrl.c:368]: read error: Broken pipe
----

Thanks for helping.

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

From ctresco at mit.edu Sun Mar 11 15:04:44 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Sun, 11 Mar 2001 16:04:44 -0500
Subject: [pptp-server] PoPToP localip/remoteip DHCP Question
In-Reply-To: <3AABDFF7.DCD99FC7@cox-internet.com>
Message-ID:

ppp (pptp) requires 2 ips. One on the server (one point) and one on your client (another point).

When pptp starts pppd on the server after connecting, pppd gives your server another ip bound to ppp0 (remoteip) and an ip to the client (localip). This is the point-to-point communication 'wire'.

Basically, I made my DHCP server exclude a range of 6 ips from its pool that I can use for pptp. I used 3 of those for remote and 3 for local.....configured in pptpd.conf

So when I start the client on my win2k box, it connects to the remote box through pptp. pptpd on the server fires up pppd. pppd gives the server another ip based on 'remoteip' and my win2k client box an ip based on 'localip'. Then they talk via those 2 ips.

Hope that helped.

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of David Rankin
Sent: Sunday, March 11, 2001 3:29 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] PoPToP localip/remoteip DHCP Question

I have a question concerning the settings for localip and remoteip in pptpd.conf

My setup:

Work (pptpd server):
Linux Mandrake 7.2
Samba 2.07 (WINS server)
pptpd-init-1_0_1-1_i386.rpm (installed)
Cable Modem
Linksys cable/dsl router (Forwarded port 1723 to server)
DHCP valid client IP ranges 192.168.7.20-100

Home (client):
Windows 98SE
Cable Modem

First, I don't understand what I should set localip to. Should it be set to my server DHCP IP range 192.168.7.20-100? I have read the pptpctrl page and it indicates that setting the value to 0 will force pppd to use default IPs. Is this what I want?

Second, what should I set remoteip to? I assume the remote IP is for my Win98 box at home. Shouldn't DHCP take care of this? I'm lost... I have also read the pptpctrl page and it indicates that setting the value to 0 will force pppd to use default IPs. Again, is this what I want?

As you can tell I'm fumbling around with this one. Any help will be greatly appreciated.

David Rankin
Nacogdoches, Texas

From penso at linuxfr.org Sun Mar 11 15:07:41 2001
From: penso at linuxfr.org (Fabien Penso)
Date: 11 Mar 2001 22:07:41 +0100
Subject: [pptp-server] Input/Output error
In-Reply-To:
References:
Message-ID:

"Christopher Tresco" wrote:

> In order to get help, you should probably paste your config files,
>
> /etc/ppp/options and /etc/pptpd.conf and your ipchains configuration on
> server and client side.
>

Sure. I have no /etc/ppp/options file on my linux firewall from which I tried to launch pptp as client. The ipchains rulez are completely open (for me to be sure it wasn't the trouble) for input, output and masq.

The /etc/pptpd.conf on the server is:

---
speed 115200
option /etc/ppp/pptpd-options
debug
localip 192.168.2.1
remoteip 192.168.2.10-100
---

And the /etc/ppp/pptpd-options is:

---
debug
name (changed it)
domain (changed it)
auth
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
nodefaultroute
proxyarp
lock
netmask 255.255.255.0
---

From berzerke at swbell.net Sun Mar 11 22:01:26 2001
From: berzerke at swbell.net (robert)
Date: Sun, 11 Mar 2001 22:01:26 -0600
Subject: [pptp-server] Full encryption??
In-Reply-To:
References:
Message-ID: <01031122012600.15092@linux>

On Saturday 10 March 2001 22:41, Christopher Tresco wrote:
> Is it actually possible to negotiate a fully encrypted tunnel??
>
> I'm using 2.4.0 kernel w/ the mppe/openssl patch and ppp-2.4.0 w/ the same
> patch.
> Both acquired from following the directions here:
> ftp://ftp.binarix.com/pub/ppp-mppe/README.ASC

Try following the instructions here:

http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt

They are a bit more detailed.

>
> I compiled everything into the kernel (no modules at all) and set my
> ipchains rules appropriately.
> I get to the point where it says "Registering your computer on the network"
> meaning I have a PPP connection established, but I am never able to finally
> connect (negotiate encryption??) unless I don't implicitly require
> encryption at the client, which is odd since my ppp/options file requires
> it.
>
> Any ideas?
>
> ^_^_^_^_^_^_^_^_^_^_^_^
>
> Christopher Tresco
> Head Systems Administrator
> MIT Dept of Economics
> ctresco at mit.edu

From berzerke at swbell.net Sun Mar 11 22:07:14 2001
From: berzerke at swbell.net (robert)
Date: Sun, 11 Mar 2001 22:07:14 -0600
Subject: [pptp-server] Poptop works...almost.
In-Reply-To:
References:
Message-ID: <01031122071401.15092@linux>

It sounds like a routing problem to me. Look at your routing tables before and after you connect. I suspect when you connect to ADSL, your default route is messing up the poptop connection.

On Sunday 11 March 2001 14:40, Andy Ennamorato wrote:
> After messaging the list last week and getting some great ideas (thanks to
> all), I got poptop semi working. However, I'm still having a major
> problem.
>
> Here's my setup: Win98 box->hub->linux(eth1).
> linux(eth0)->ppp0->ADSL (bellsouth).
>
> The linux box acts as a firewall/gateway. eth1 and the win98 box are set up
> on the 192.168.x.x network. If I disconnect the ADSL and attempt to
> connect to poptop on eth1/192.168.0.1, I get in fine. I get assigned a
> 10.0.x.x IP, and the pptp server gets 10.x.x.x assigned to ppp0. (I've got
> the 10.x.x.x network specified in pptpd.conf). So I've essentially got a
> dummy vpn working. I can telnet to the linux box on 10.0.69.1, etc. (no
> network neighborhood yet, but that's another story).
>
> However, as soon as I sign on to ADSL w/ eth0 and ppp0 connecting to ADSL,
> I can't connect to poptop (which would be using ppp1 now). I get an error
> along the lines of "remote client not authorized to use the specified
> address" in the pptpd.log file, and the win98 client says it
> authenticates/connects, but immediately disconnects. Does anyone have a
> poptop vpn working with ADSL (specifically pppoe)? I'm missing something
> that allows poptop to work on ppp1/ppp2/ppp3/etc - anyone have an idea?
>
> I can post my config files if needed...but when I contacted the list last
> week or so, most people said those look fine. And the fact that it works
> w/ ADSL not working seems to reinforce that fact.
>
> Any help much appreciated...
>
> Andy
> ajennamo at uncc.edu

From berzerke at swbell.net Sun Mar 11 22:09:39 2001
From: berzerke at swbell.net (robert)
Date: Sun, 11 Mar 2001 22:09:39 -0600
Subject: [pptp-server] PoPToP localip/remoteip DHCP Question
In-Reply-To:
References:
Message-ID: <01031122093902.15092@linux>

On Sunday 11 March 2001 15:04, Christopher Tresco wrote:
> ppp (pptp) requires 2 ips. One on the server (one point) and one on your
> client (another point).
>
> When pptp starts pppd on the server after connecting, pppd gives your
> server another ip bound to ppp0 (remoteip) and an ip to the client
> (localip). This is the point-to-point communication 'wire'.
>
> Basically, I made my DHCP server exclude a range of 6 ips from its pool
> that I can use for pptp. I used 3 of those for remote and 3 for
> local.....configured in pptpd.conf

Actually, you only need one localip number.

From marte at xmn-berlin.de Mon Mar 12 03:02:52 2001
From: marte at xmn-berlin.de (Martin Tettke)
Date: Mon, 12 Mar 2001 10:02:52 +0100
Subject: [pptp-server] another browsing problem
Message-ID: <200103121002520968.220CDB90@orion.xmn-berlin.de>

Hi !

I've got the following setup:

Firewall => VPN-Server => Firewall => internal net

My problem is that all computers that have to be accessed through the VPN have to be NATted through the firewall into another subnet:

example:
VPN-IPs: 192.168.1.50-100/24
internal-Net: 10.100.100.0/24

so all internal stations that should be accessed are NATted from the internal net to the VPN-net, e.g.
10.100.100.10 => 192.168.1.110

They can only be accessed by a VPN-user using those IPs. ping and access using IPs is working, all required ports for browsing are allowed, nothing needed is blocked by the FW.

But how can I set up windows-browsing? I can't see any shares when I'm connected. I'm not really wondering why, because all windows stations are on the 10.100 subnet. What can I do to allow browsing? Set up a samba-server on the VPN-server? But how can I map the IPs? Till now I really hadn't anything to do with samba ...

Can anyone help me or does anyone at least understand my problem?

Excuse my bad English ...

Martin
--
software is like sex
it's better when it's free
--linus torvalds

From ralphw at cnet.com Mon Mar 12 05:11:33 2001
From: ralphw at cnet.com (Ralph Winslow)
Date: Mon, 12 Mar 2001 06:11:33 -0500 (EST)
Subject: [pptp-server] Poptop works...almost.
In-Reply-To: <01031122071401.15092@linux>
Message-ID:

On Sun, 11 Mar 2001, robert wrote:

I'm trying to make a connection as a Linux client to an NT vpn server at work that I'm assured is compatible with pptp. My pppoe connection to my ISP (Verizon) is working nicely now that I borrowed a Windze CD and installed it on an old pentium machine just to make the connection to Verizon (the only instructions they had for installation were "Run this .exe..."). Do instructions exist on how to get pptp working with an existing pppoe connection? I don't even know how to determine my Verizon-assigned IP.

TIA for any light you can shed on this.

> Date: Sun, 11 Mar 2001 22:07:14 -0600
> From: robert
> To: Andy Ennamorato , pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Poptop works...almost.
>
> It sounds like a routing problem to me. Look at your routing tables before
> and after you connect. I suspect when you connect to ADSL, your default route
> is messing up the poptop connection.
>
> On Sunday 11 March 2001 14:40, Andy Ennamorato wrote:
> > After messaging the list last week and getting some great ideas (thanks to
> > all), I got poptop semi working. However, I'm still having a major
> > problem.
> >
> > Here's my setup: Win98 box->hub->linux(eth1).
> > linux(eth0)->ppp0->ADSL (bellsouth).
> >
> > The linux box acts as a firewall/gateway. eth1 and the win98 box are set up
> > on the 192.168.x.x network. If I disconnect the ADSL and attempt to
> > connect to poptop on eth1/192.168.0.1, I get in fine. I get assigned a
> > 10.0.x.x IP, and the pptp server gets 10.x.x.x assigned to ppp0. (I've got
> > the 10.x.x.x network specified in pptpd.conf). So I've essentially got a
> > dummy vpn working. I can telnet to the linux box on 10.0.69.1, etc. (no
> > network neighborhood yet, but that's another story).
> >
> > However, as soon as I sign on to ADSL w/ eth0 and ppp0 connecting to ADSL,
> > I can't connect to poptop (which would be using ppp1 now). I get an error
> > along the lines of "remote client not authorized to use the specified
> > address" in the pptpd.log file, and the win98 client says it
> > authenticates/connects, but immediately disconnects. Does anyone have a
> > poptop vpn working with ADSL (specifically pppoe)? I'm missing something
> > that allows poptop to work on ppp1/ppp2/ppp3/etc - anyone have an idea?
> >
> > I can post my config files if needed...but when I contacted the list last
> > week or so, most people said those look fine. And the fact that it works
> > w/ ADSL not working seems to reinforce that fact.
> >
> > Any help much appreciated...
> >
> > Andy
> > ajennamo at uncc.edu
>
----
Ralph Winslow
Operations/Support/Tools
(908)575-8567 x276

From geir at sunnkom.no Mon Mar 12 05:31:34 2001
From: geir at sunnkom.no (Geir Nøstdahl)
Date: Mon, 12 Mar 2001 12:31:34 +0100
Subject: [pptp-server] Newbie Question
Message-ID: <01c001c0aae7$fe5f2730$0f01a8c0@Geir>

Hello!

In my newbie attempts to get pptpd working on my RedHat7 distro, I have come so far.

Used:

pptpd-init-1.0.1-1.i386.rpm
ppp-2.3.11-7.i386.rpm

And a newly compiled 2.4.2 kernel with ppp built in as modules.

This is what I read from my log:

Mar 12 12:43:25 cs pptpd[570]: MGR: Max connections reached, extra IP addresses ignored
Mar 12 12:43:25 cs pptpd[571]: MGR: Manager process started
Mar 12 12:43:29 cs pptpd[572]: CTRL: Client 192.168.1.15 control connection started
Mar 12 12:43:32 cs pptpd[572]: CTRL: Starting call (launching pppd, opening GRE)
Mar 12 12:43:32 cs pppd[573]: pppd 2.3.11 started by root, uid 0
Mar 12 12:43:32 cs pppd[573]: ioctl(PPPIOCGFLAGS): Invalid argument
Mar 12 12:43:32 cs pppd[573]: tcsetattr: Invalid argument
Mar 12 12:43:32 cs pppd[573]: Exit.
Mar 12 12:43:32 cs pptpd[572]: GRE: read(fd=4,buffer=804d8c0,len=8196) from PTY failed: status = -1 error = Input/output error
Mar 12 12:43:32 cs pptpd[572]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Mar 12 12:43:32 cs pptpd[572]: CTRL: Client 192.168.1.15 control connection finished

Sorry for posting this newbie message. Hope to get some tips.

regards
Geir Nøstdahl

From james at kyzo.com Mon Mar 12 07:55:44 2001
From: james at kyzo.com (James Stevens)
Date: Mon, 12 Mar 2001 13:55:44 +0000
Subject: [pptp-server] Maximum simultaneous connections... on Linux
Message-ID: <3AACD560.F1A68707@kyzo.com>

Hi Guys,

Great piece of s/w - real easy to get going.

Quick question - what is the maximum number of simultaneous connections on Linux, what's the limiting factor and what can I do about it?

I'm thinking of a server in the region of 500 simultaneous users for a University Campus of about 4000 students.

Any thoughts?

P.S. please cc: me as I'm not on this list.

James

From jsg at newlix.com Mon Mar 12 09:43:53 2001
From: jsg at newlix.com (Jean-Serge Gagnon)
Date: Mon, 12 Mar 2001 10:43:53 -0500
Subject: [pptp-server] another browsing problem
In-Reply-To: <200103121002520968.220CDB90@orion.xmn-berlin.de>
Message-ID:

We've researched a lot of this stuff and if I'm not mistaken, the problem is that Windows browsing will only work in this scenario with a WINS server. NetBIOS browsing works with broadcast on the local LAN, so the 10.100.100.x machines broadcast their existence to each other, but the 192.168.1.x machines can't receive those broadcasts because of the firewall. Another problem is that machines on the remote end of a ppp connection can not broadcast between each other, so your NetBIOS broadcast looks like this (resize to view):

                                                ------
                                        ok      | PC |
                                      -bcast-   |  1 |
 --------         --------         ------   /   ------
 |  vpn |   no    |  vpn |   no    | fw |  /
 |client|  bcast  |server|  bcast  |    |  \    ------
 --------         --------         ------   \   | PC |
                                        ok      |  2 |
                                      -bcast-   ------

So, PC1, PC2 and fw can all see each other (if fw has NetBIOS), but they can't see vpn server or vpn client and vice versa. There are two ways to solve this:

1- Add a WINS server to the network (can be on vpn server, fw, one of the PCs or a new machine) and set up all clients to point to the wins server. Entire network browsing will only work for all machines if they use the same workgroup, otherwise you need to use the machine's name directly (\\pc1)

2- Find a way of forwarding broadcast packets across all subnets. We have not found any public domain tools for this.

Hope this helps a bit...

Jean-Serge Gagnon - Applications Director
Newlix Corporation - jsg at newlix.com
http://www.newlix.com
(613) 225-0516 fax: (613) 225-5625

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Martin Tettke
> Sent: Monday, March 12, 2001 4:03 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] another browsing problem
>
>
> Hi !
>
> I've got the following setup:
>
> Firewall => VPN-Server => Firewall => internal net
>
> My problem is that all computers that have to be accessed through the VPN
> have to be NATted through the firewall into another subnet:
>
> example:
> VPN-IPs: 192.168.1.50-100/24
> internal-Net: 10.100.100.0/24
> so all internal stations that should be accessed are NATted
> from the internal
> net to the VPN-net, e.g.
> 10.100.100.10 => 192.168.1.110
>
> They can only be accessed by a VPN-user using those IPs.
> ping and access using IPs is working, all required ports for
> browsing are allowed,
> nothing needed is blocked by the FW.
>
> But how can I set up windows-browsing? I can't see any shares
> when I'm connected.
> I'm not really wondering why, because all windows stations are on
> the 10.100 subnet.
> What can I do to allow browsing? Set up a samba-server on the
> VPN-server? But how
> can I map the IPs?
> Till now I really hadn't anything to do with samba ...
>
> Can anyone help me or does anyone at least understand my problem?
>
> Excuse my bad English ...
>
> Martin
> --
> software is like sex
> it's better when it's free
> --linus torvalds
>

From gmoreau at arrista.com Mon Mar 12 10:00:11 2001
From: gmoreau at arrista.com (Gene Moreau)
Date: Mon, 12 Mar 2001 10:00:11 -0600
Subject: [pptp-server] pptpd vs. free swan
Message-ID: <7DDAB2BD153ED4118D4600D0B774BB800DF1C1@silver.arrista.com>

I know this isn't exactly the SWAN list, but has anyone tried out both of these and have any recommendations? My particular application is allowing our road warriors to connect back into our LAN.

Gene Moreau
IT Specialist
Arrista Technologies - http://www.arrista.com

v: 204.489.3200
f: 204.489.8300
e: gmoreau at arrista.com
PGP pub key: http://www3.mb.sympatico.ca/~moreaug/pgp.html

From walterm at Gliatech.com Mon Mar 12 10:42:47 2001
From: walterm at Gliatech.com (Michael Walter)
Date: Mon, 12 Mar 2001 11:42:47 -0500
Subject: [pptp-server] pptpd vs. free swan
Message-ID:

It's been a while, so my information may be dated. I did work with using free S/Wan's ipsec implementation (server) against that in windows 2000 (client). Due to some type of incompatibility I wasn't able to get it to work though. I have heard that a patch is available to repair the incompatibility (on the free s/wan side) but I have not experimented with it.

Hope that helps a little...

Michael J. Walter rhce mcdba mcse+i a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com

-----Original Message-----
From: Gene Moreau [mailto:gmoreau at arrista.com]
Sent: Monday, March 12, 2001 11:00 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] pptpd vs. free swan

I know this isn't exactly the SWAN list, but has anyone tried out both of these and have any recommendations? My particular application is allowing our road warriors to connect back into our LAN.

Gene Moreau
IT Specialist
Arrista Technologies - http://www.arrista.com

v: 204.489.3200
f: 204.489.8300
e: gmoreau at arrista.com
PGP pub key: http://www3.mb.sympatico.ca/~moreaug/pgp.html

From berzerke at swbell.net Mon Mar 12 11:21:49 2001
From: berzerke at swbell.net (robert)
Date: Mon, 12 Mar 2001 11:21:49 -0600
Subject: [pptp-server] Newbie Question
In-Reply-To: <01c001c0aae7$fe5f2730$0f01a8c0@Geir>
References: <01c001c0aae7$fe5f2730$0f01a8c0@Geir>
Message-ID: <01031211214900.16920@linux>

On Monday 12 March 2001 05:31, Geir Nøstdahl wrote:
> Hello!
>
> In my newbie attempts to get pptpd working on my RedHat7 distro, I have come
> so far.
>
> Used:
>
> pptpd-init-1.0.1-1.i386.rpm
> ppp-2.3.11-7.i386.rpm
>
> And a newly compiled 2.4.2 kernel with ppp built in as modules.
>
> This is what I read from my log:

Don't try to use ppp-2.3.x with the 2.4.x kernels. You must use at least ppp-2.4.0. Instructions for pptpd for the 2.4 kernels are at

http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt

From rmk at communitytelephone.com Mon Mar 12 11:33:18 2001
From: rmk at communitytelephone.com (Ryan Kremer)
Date: Mon, 12 Mar 2001 11:33:18 -0600
Subject: [pptp-server] PPTP server requirement
Message-ID:

We will be setting up a new Linux server which will be running pptp. We will have anywhere from 15-20 tunnels running w/ encryption over broadband Internet connections (ISDN, DSL, Cable). I wanted to see if anyone could give me an idea of what requirements I would need for this server (i.e., speed, memory, etc.)

Thanks.

-Ryan

------------------------------------------------
Ryan Kremer
Phone: (812)456-1224
rmk at communitytelephone.com
Fax: (812)461-3363
Cisco Certified Network Professional
Cisco Certified Design Associate

From berzerke at swbell.net Mon Mar 12 11:27:40 2001
From: berzerke at swbell.net (robert)
Date: Mon, 12 Mar 2001 11:27:40 -0600
Subject: [pptp-server] another browsing problem
In-Reply-To:
References:
Message-ID: <01031211274001.16920@linux>

On Monday 12 March 2001 09:43, Jean-Serge Gagnon wrote:
> We've researched a lot of this stuff and if I'm not mistaken, the problem
> is that Windows browsing will only work in this scenario with a WINS
> server. NetBIOS browsing works with broadcast on the local LAN, so the
> 10.100.100.x machines broadcast their existence to each other, but the
> 192.168.1.x machines can't receive those broadcasts because of the
> firewall. Another problem is that machines on the remote end of a ppp
> connection can not broadcast between each other, so your NetBIOS broadcast
> looks like this (resize to view):
>
>                                                 ------
>                                         ok      | PC |
>                                       -bcast-   |  1 |
>  --------         --------         ------   /   ------
>  |  vpn |   no    |  vpn |   no    | fw |  /
>  |client|  bcast  |server|  bcast  |    |  \    ------
>  --------         --------         ------   \   | PC |
>                                         ok      |  2 |
>                                       -bcast-   ------
>
> So, PC1, PC2 and fw can all see each other (if fw has NetBIOS), but they
> can't see vpn server or vpn client and vice versa. There are two ways to
> solve this:
>
> 1- Add a WINS server to the network (can be on vpn server, fw, one of the
> PCs or a new machine) and set up all clients to point to the wins server.
> Entire network browsing will only work for all machines if they use the
> same workgroup, otherwise you need to use the machine's name directly
> (\\pc1)
>
> 2- Find a way of forwarding broadcast packets across all subnets. We have
> not found any public domain tools for this.
>
> Hope this helps a bit...

There is a third option: the lmhosts file. However, the Wins server is by far the easiest and least troublesome option.

As for option 2 above, although I've never had the need or urge to try, I've seen another system where the routing tables (and firewall) were adjusted to allow broadcasts to pass. Don't remember how he did it though, but it is possible.
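One way to see what the WINS route actually hands a VPN client, as an added example that is not from the list posts: a minimal NetBIOS name-service (RFC 1001/1002) query builder and response parser in Python. The name PC1, the transaction id, the response flags and the reply packet in the self-test are constructed values; `wins_lookup` sends the unicast query a WINS-pointed client would, and the broadcast form that the posts above say never crosses the ppp link or the firewall differs only in the B flag. Because a host behind the NATing firewall registers its own 10.100.100.x address, the WINS answer still has to be mapped to the 192.168.1.x alias, which is where the lmhosts option mentioned above comes in.

```python
"""Minimal NetBIOS Name Service (NBNS, RFC 1001/1002) query builder and
response parser, to see what a WINS server actually hands a PPTP client.
Added example, not code from the list posts; PC1, the WINS address and the
reply packet in the self-test are constructed values."""
import ipaddress
import socket
import struct

NBNS_PORT = 137
TYPE_NB = 0x0020               # NetBIOS general name service RR type
CLASS_IN = 0x0001
# 16-bit header flags: OPCODE=query, RD set; bit 0x0010 (B) marks a broadcast.
FLAGS_QUERY_UNICAST = 0x0100   # what a WINS-pointed client sends
FLAGS_QUERY_BROADCAST = 0x0110  # what never crosses the ppp link or firewall
FLAGS_POSITIVE_RESPONSE = 0x8580  # R, AA, RD, RA set, RCODE 0
NODE_TYPES = {0: "B", 1: "P", 2: "M", 3: "H"}


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding (RFC 1001 14.1): pad to 15 chars, append the suffix
    byte, emit each nibble as a letter A..P: one 32-byte label plus root."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = bytearray()
    for b in raw:
        label.append(ord("A") + (b >> 4))
        label.append(ord("A") + (b & 0x0F))
    return b"\x20" + bytes(label) + b"\x00"


def build_name_query(trn_id, name, broadcast=False, suffix=0x20):
    """NAME QUERY REQUEST (RFC 1002 4.2.12): 12-byte header plus one question."""
    flags = FLAGS_QUERY_BROADCAST if broadcast else FLAGS_QUERY_UNICAST
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", TYPE_NB, CLASS_IN)


def _skip_name(pkt, offset):
    """Skip an encoded name: plain labels ending in 0, or a 2-byte pointer."""
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def parse_name_query_response(pkt):
    """Parse a NAME QUERY RESPONSE (RFC 1002 4.2.13/4.2.14) into trn_id, rcode
    (0 = positive, 3 = name not found) and (address, node_type, is_group) entries."""
    trn_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    result = {"trn_id": trn_id, "rcode": flags & 0x0F, "entries": []}
    if result["rcode"] != 0 or ancount == 0:
        return result                         # negative response carries no RDATA
    off = _skip_name(pkt, 12)
    rr_type, rr_class, _ttl, rdlength = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rr_type != TYPE_NB or rr_class != CLASS_IN:
        raise ValueError("unexpected RR type/class")
    for i in range(off, off + rdlength, 6):   # each entry: NB_FLAGS + NB_ADDRESS
        nb_flags, = struct.unpack("!H", pkt[i:i + 2])
        addr = socket.inet_ntoa(pkt[i + 2:i + 6])
        result["entries"].append(
            (addr, NODE_TYPES[(nb_flags >> 13) & 0x3], bool(nb_flags & 0x8000)))
    return result


def build_positive_response(trn_id, name, addresses, suffix=0x20, ttl=300000):
    """Build the reply a WINS server would send for `addresses`, given as
    (ip, node_type_letter) pairs. Used here only for the offline self-test."""
    owner = {"B": 0, "P": 1, "M": 2, "H": 3}
    rdata = b"".join(struct.pack("!H", owner[nt] << 13) + socket.inet_aton(ip)
                     for ip, nt in addresses)
    header = struct.pack("!HHHHHH", trn_id, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr = encode_netbios_name(name, suffix) + struct.pack("!HHIH", TYPE_NB, CLASS_IN,
                                                         ttl, len(rdata))
    return header + rr + rdata


def unreachable_from(entries, client_net):
    """Answers outside the VPN-side subnet. In the NATed setup discussed above a
    host registers its internal 10.100.100.x address with WINS, which is exactly
    the address a VPN client cannot use; it needs the 192.168.1.x alias (lmhosts)."""
    net = ipaddress.ip_network(client_net)
    return [ip for ip, _nt, _grp in entries if ipaddress.ip_address(ip) not in net]


def wins_lookup(name, wins_ip, timeout=2.0):
    """Live unicast query to a WINS server (not exercised by the self-test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_name_query(0x1234, name), (wins_ip, NBNS_PORT))
        data, _peer = s.recvfrom(1024)
    return parse_name_query_response(data)
```

On a live link, `wins_lookup("PC1", "<wins server ip>")` followed by `unreachable_from(...)` shows which registered addresses a client on the VPN subnet cannot use directly.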
From lee at booksys.com Mon Mar 12 11:48:11 2001
From: lee at booksys.com (Lee Smith)
Date: Mon, 12 Mar 2001 11:48:11 CST
Subject: [pptp-server] Overruns on sl0/1 causing major network issues!
Message-ID: <200103121737.f2CHbRp15429@mail.booksys.com>

I'm having some problems with pptp... On sl0 I'm getting way too many overruns, causing the connection to be horribly unstable. Any insight as to what would cause this kind of behavior? Or even better, maybe a fix? ;)

sl0   Link encap:VJ Serial Line IP
      inet addr:192.168.10.91  P-t-P:192.168.66.10  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:5086011 errors:0 dropped:0 overruns:5043102 frame:0 compressed:0
      TX packets:5966257 errors:0 dropped:0 overruns:5915216 carrier:0
      collisions:1059 compressed:0 txqueuelen:10

sl1   Link encap:VJ Serial Line IP
      inet addr:192.168.10.28  P-t-P:192.168.65.14  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:245253 errors:0 dropped:0 overruns:240600 frame:0 compressed:0
      TX packets:327206 errors:0 dropped:0 overruns:312041 carrier:0
      collisions:73 compressed:0 txqueuelen:10

--
This our world now....the world of the electron and the switch...the beauty of the baud

From john at netdirect.ca Mon Mar 12 11:56:06 2001
From: john at netdirect.ca (John Van Ostrand)
Date: Mon, 12 Mar 2001 12:56:06 -0500
Subject: [pptp-server] pptpd vs. free swan
Message-ID: <915FE25D5E61D3119CD80080C8E2E7090854DC@enterprise.NetDirect.CA>

Hi,

I have installed both, but used them for different purposes. I find FreeS/WAN to be a fantastic VPN method for network-to-network fixed IP connections. I have used PPTP for road-warriors and have found it a little weak. In some cases a PPTP connection will "hang" because it doesn't handle dropped packets very well. In cases of dropped packets, PPTP's performance will drop significantly.

PPTP also has other issues. PoPToP does not yet support multiple clients from the same address (i.e. from behind a firewall.) But PPTP is generally supported by more routers than FreeS/WAN (IPSEC.)

I have not yet used FreeS/WAN for road warrior use but I have looked into it a bit. The main compatibility problem is in the key exchange. Normally one would prefer RSA keys but in some cases a fixed shared secret is required.

John.

-----Original Message-----
From: Gene Moreau [mailto:gmoreau at arrista.com]
Sent: Monday, March 12, 2001 11:00 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] pptpd vs. free swan

I know this isn't exactly the SWAN list, but has anyone tried out both of these and have any recommendations? My particular application is allowing our road warriors to connect back into our LAN.

Gene Moreau
IT Specialist
Arrista Technologies - http://www.arrista.com

v: 204.489.3200
f: 204.489.8300
e: gmoreau at arrista.com
PGP pub key: http://www3.mb.sympatico.ca/~moreaug/pgp.html

From ctresco at mit.edu Mon Mar 12 12:15:33 2001
From: ctresco at mit.edu (Chris Tresco)
Date: Mon, 12 Mar 2001 13:15:33 -0500
Subject: [pptp-server] Required encryption is broken
References: <915FE25D5E61D3119CD80080C8E2E7090854DC@enterprise.NetDirect.CA>
Message-ID: <006901c0ab20$72b48430$b201a8c0@snpc.net>

I cannot for the life of me get data encryption to work. ppp-2.4.0 patched, kernel-2.4.2 patched. Any ideas? I compiled ppp as modules. They are loaded. For some reason, the ppp_mppe module is never used, and it definitely should be. I really don't want to revert back to a 2.2.x kernel. Any ideas?

----- Original Message -----
From: "John Van Ostrand"
To: "'Gene Moreau'" ;
Sent: Monday, March 12, 2001 12:56 PM
Subject: RE: [pptp-server] pptpd vs. free swan

> Hi,
>
> I have installed both, but used them for different purposes. I find
> FreeS/WAN to be a fantastic VPN method for network-to-network fixed IP
> connections. I have used PPTP for road-warriors and have found it a little
> weak. In some cases a PPTP connection will "hang" because it doesn't handle
> dropped packets very well. In cases of dropped packets, PPTP's performance
> will drop significantly.
>
> PPTP also has other issues. PoPToP does not yet support multiple clients
> from the same address (i.e. from behind a firewall.) But PPTP is generally
> supported by more routers than FreeS/WAN (IPSEC.)
>
> I have not yet used FreeS/WAN for road warrior use but I have looked into it
> a bit. The main compatibility problem is in the key exchange. Normally one
> would prefer RSA keys but in some cases a fixed shared secret is required.
>
> John.
>
>
>
> -----Original Message-----
> From: Gene Moreau [mailto:gmoreau at arrista.com]
> Sent: Monday, March 12, 2001 11:00 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] pptpd vs. free swan
>
>
>
> I know this isn't exactly the SWAN list, but has anyone tried out both of
> these and have any recommendations? My particular application is allowing
> our road warriors to connect back into our LAN.
>
> Gene Moreau
> IT Specialist
> Arrista Technologies - http://www.arrista.com
>
> v: 204.489.3200
> f: 204.489.8300
> e: gmoreau at arrista.com
> PGP pub key: http://www3.mb.sympatico.ca/~moreaug/pgp.html
>

From jsg at newlix.com Mon Mar 12 12:43:52 2001
From: jsg at newlix.com (Jean-Serge Gagnon)
Date: Mon, 12 Mar 2001 13:43:52 -0500
Subject: [pptp-server] another browsing problem
In-Reply-To: <01031211274001.16920@linux>
Message-ID:

Yes, forgot the lmhosts option. We've never really considered it since it involves setting the lmhosts file to match on all systems and we needed a scalable solution. You could do stuff like have the lmhosts on a shared network machine, but then it may become a chicken-and-egg problem...

We also looked at forwarding of broadcast packets by adding firewall rules and such, but decided to go the WINS route even though there are workgroup problems with it (vpn-client can't be seen if it's the master of its workgroup, for example)...

Jean-Serge Gagnon - Applications Director
Newlix Corporation - jsg at newlix.com
http://www.newlix.com
(613) 225-0516 fax: (613) 225-5625

> -----Original Message-----
> From: robert [mailto:berzerke at swbell.net]
> Sent: Monday, March 12, 2001 12:28 PM
> To: Jean-Serge Gagnon; Martin Tettke; pptp-server at lists.schulte.org
> Cc: Alex Vandenham (newlix)
> Subject: Re: [pptp-server] another browsing problem
>
> On Monday 12 March 2001 09:43, Jean-Serge Gagnon wrote:
> > We've researched a lot of this stuff and if I'm not mistaken, the problem
> > is that Windows browsing will only work in this scenario with a WINS
> > server. NetBIOS browsing works with broadcast on the local LAN, so the
> > 10.100.100.x machines broadcast their existence to each other, but the
> > 192.168.1.x machines can't receive those broadcasts because of the
> > firewall. Another problem is that machines on the remote end of a ppp
> > connection can not broadcast between each other, so your NetBIOS broadcast
> > looks like this:
> >
> >                                                ------
> >                                       -bcast-| PC 1 |
> >  ------          ------          ----  / ok    ------
> > |vpn   |- no -  |vpn   |- no -  | fw |/
> > |client| bcast  |server| bcast  |    |\         ------
> >  ------          ------          ----  \ bcast | PC 2 |
> >                                        -- ok -- ------
> >
> > So, PC1, PC2 and fw can all see each other (if fw has NetBIOS), but they
> > can't see vpn server or vpn client and vice versa. There are two ways to
> > solve this:
> >
> > 1- Add a WINS server to the network (can be on vpn server, fw, one of the
> > PCs or a new machine) and set up all clients to point to the WINS server.
> > Entire network browsing will only work for all machines if they use the
> > same workgroup, otherwise, you need to use the machine's name directly
> > (\\pc1)
> >
> > 2- Find a way of forwarding broadcast packets across all subnets. We have
> > not found any public domain tools for this.
> >
> > Hope this helps a bit...
>
> There is a third option: the lmhosts file. However, the WINS server is by
> far the easiest and least troublesome option.
> As for option 2 above, although I've never had the need or urge to try, I've
> seen another system where the routing tables (and firewall) were adjusted to
> allow broadcasts to pass. Don't remember how he did it though, but it is
> possible.

From Steve at SteveCowles.com Mon Mar 12 12:52:11 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Mon, 12 Mar 2001 12:52:11 -0600
Subject: [pptp-server] pptpd vs. free swan
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6AA@defiant.infohiiway.com>

> -----Original Message-----
> From: Gene Moreau [mailto:gmoreau at arrista.com]
> Sent: Monday, March 12, 2001 10:00 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] pptpd vs. free swan
>
> I know this isn't exactly the SWAN list, but has anyone
> tried out both of these and have any recommendations? My
> particular application is allowing our road warriors to
> connect back into our LAN.
>
> Gene Moreau
> IT Specialist

I currently use both PPTP and IPSEC based tunnels. As far as recommendations, that's a tough question to answer without understanding your requirements. At a 30,000 foot level, I have found IPSEC seems better suited for LAN-to-LAN tunnels, i.e. linking one or more office LANs together into a corporate LAN (star topology), while PPTP is better suited for (dialup) Windows 9x based clients, i.e. HOST-to-LAN.

FWIW: I have also been successful in implementing W2K -> FreeS/WAN road warriors using IPSEC (instead of PPTP). Microsoft actually did a pretty good job at implementing the IPSEC protocol. As usual though, Microsoft failed in how you configure IPSEC. There are just way way way way way too many dialog boxes.

If you have home users that are wanting to establish a tunnel into your LAN *AND* are also using DSL (no dialup), then I would recommend using IPSEC over PPTP. Mainly because IPSEC is brought up directly after the TCP/IP stack, i.e. before the W2K login prompt. If the W2K client is configured to login to a MS Domain controller, they will not get the initial "Unable to find Domain Controller" message that is typical with PPTP connections, because you have to login to your desktop *first* before you can establish a PPTP tunnel so that the Domain Controller can be located.

Steve Cowles

From berzerke at swbell.net Mon Mar 12 12:48:45 2001
From: berzerke at swbell.net (robert)
Date: Mon, 12 Mar 2001 12:48:45 -0600
Subject: [pptp-server] Required encryption is broken
In-Reply-To: <006901c0ab20$72b48430$b201a8c0@snpc.net>
References: <915FE25D5E61D3119CD80080C8E2E7090854DC@enterprise.NetDirect.CA> <006901c0ab20$72b48430$b201a8c0@snpc.net>
Message-ID: <01031212484502.16920@linux>

Encryption does work for me with the setup you describe. A really big shot in the dark: you must have the correct network options picked when you did a make on the kernel. A configuration set that does work can be found at http://home.swbell.net/berzerke/linux241 (It was originally designed for the 2.4.1 kernel, but works fine with 2.4.2.) You should definitely check the processor type and change that if needed. It is set for AMD K6-2. Leave everything else alone and recompile the kernel and see if this kernel works. If so, you know where the problem lies. Don't delete your current kernel however, unless you are sure you want to.

On Monday 12 March 2001 12:15, Chris Tresco wrote:
> I cannot for the life of me get data encryption to work.
>
> ppp-2.4.0 patched, kernel-2.4.2 patched.
>
> Any ideas?
>
> I compiled ppp as modules. They are loaded. For some reason, the ppp_mppe
> module is never used, and it definitely should be.
>
> I really don't want to revert back to a 2.2.x kernel. Any ideas?
>
> ----- Original Message -----
> From: "John Van Ostrand"
> To: "'Gene Moreau'" ;
> Sent: Monday, March 12, 2001 12:56 PM
> Subject: RE: [pptp-server] pptpd vs. free swan
>
> > Hi,
> >
> > I have installed both, but used them for different purposes. I find
> > FreeS/WAN to be a fantastic VPN method for network-to-network fixed IP
> > connections. I have used PPTP for road-warriors and have found it a
> > little weak. In some cases a PPTP connection will "hang" because it
> > doesn't handle dropped packets very well. In cases of dropped packets,
> > PPTP's performance will drop significantly.
> >
> > PPTP also has other issues. PoPToP does not yet support multiple clients
> > from the same address (i.e. from behind a firewall.) But PPTP is
> > generally supported by more routers than FreeS/WAN (IPSEC.)
> >
> > I have not yet used FreeS/WAN for road-warrior use but I have looked into
> > it a bit. The main compatibility problem is in the key exchange. Normally
> > one would prefer RSA keys but in some cases a fixed shared secret is
> > required.
> >
> > John.
> >
> > -----Original Message-----
> > From: Gene Moreau [mailto:gmoreau at arrista.com]
> > Sent: Monday, March 12, 2001 11:00 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] pptpd vs. free swan
> >
> > I know this isn't exactly the SWAN list, but has anyone tried out both
> > of these and have any recommendations? My particular application is
> > allowing our road warriors to connect back into our LAN.
> >
> > Gene Moreau
> > IT Specialist
> > Arrista Technologies - http://www.arrista.com
> >
> > v: 204.489.3200
> > f: 204.489.8300
> > e: gmoreau at arrista.com
> > PGP pub key: http://www3.mb.sympatico.ca/~moreaug/pgp.html

From drankin at cox-internet.com Mon Mar 12 20:49:05 2001
From: drankin at cox-internet.com (David Rankin)
Date: Mon, 12 Mar 2001 20:49:05 -0600
Subject: [pptp-server] PoPToP localip/remoteip DHCP Question
References: <01031122093902.15092@linux> <3AAC4D25.EDCF60B7@cox-internet.com> <01031202243400.16215@linux>
Message-ID: <3AAD8AA1.DBF3F24B@cox-internet.com>

Thanks Robert,

I use encrypted passwords with samba already. Have patched all Win95 machines to send encrypted and all users have Unix accounts and encrypted smbpasswd passwords. Everything works like a champ on the LAN side.

Samba is also my WINS server and DHCP passes the WINS information for all LAN clients. However, since pptpd uses an IP range above the LAN DHCP block, I don't know if my pptp client is getting WINS resolution or not. With pptp, I come in from the internet through my router and I have port forwarded 1723 to the pptpd server to make it work. I will have to check to see if WINS requires another port. I am not sure how I would hardcode the WINS server address for the pptp clients because the pptpd server is behind my router. I suppose I could pass the client the router address and if WINS uses port 1723 it would be forwarded to the samba/WINS server. What are your thoughts - am I out in deep left field here?

David

robert wrote:
> On Sunday 11 March 2001 22:14, David Rankin wrote:
> > Robert & Christopher -- HELP!!!
> >
> > I took Christopher's advice and now I can log into my server at work and I
> > can see all of the machines on my network. However, when I try to access
> > the shares on my server I get an IPC$ password error. When I try to access
> > any of the other machines I get a \\computername is not accessible. I did
> > a tcpdump of port 1723 and the following is what I received. Any ideas on
> > what I am doing wrong?
> >
> > David Rankin
> > Nacogdoches, Texas
>
> I find dumps with just the IP numbers more readable, but maybe that's just me.
>
> It sounds like two separate problems.
> The IPC$ problem generally is an encrypted/not encrypted password problem.
> Depending on the client you are using, you may have to add
> "encrypt passwords = yes" to your smb.conf file and restart samba, or
> comment it out if it is already there and restart samba. Probably the first
> is the fix. This may or may not break access to the other machines, assuming
> you could access them.
>
> The second issue is probably a browsing problem. Do you have a WINS server?
> Does the poptop client know about the WINS server?

From zlowry at home.com Sun Mar 11 21:52:17 2001
From: zlowry at home.com (Zach Lowry)
Date: Sun, 11 Mar 2001 21:52:17 -0600
Subject: [pptp-server] IPX over PPTP
Message-ID: <000001c0aaa7$d59efa40$0a00000a@ruthfd1.tn.home.com>

Howdy,

I'm running pptp and ipxd, and can't seem to get any IPX traffic to route over the connections. The clients connect and use IPX, as I can see them using IPX in ifconfig, but nothing happens. I get these messages in ipxripd.log:

Sun Mar 11 21:49:52 2001
00001001:000053F853ED
00001001:000053F853ED

Sun Mar 11 21:49:52 2001
RIP from non-local net on ifc 00001000
00001001 (ignored)

Sun Mar 11 21:49:52 2001
RIP from non-local net on ifc 00001000
00001001 (ignored)

Sun Mar 11 21:49:52 2001
SAP from non-local net 00001001 (ignored)

Sun Mar 11 21:50:52 2001
RIP from non-local net on ifc 00001000
00001001 (ignored)

Anyone an IPX expert that can help me out?

Zach Lowry

From Steve at SteveCowles.com Mon Mar 12 23:14:38 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Mon, 12 Mar 2001 23:14:38 -0600
Subject: [pptp-server] PoPToP localip/remoteip DHCP Question
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6AC@defiant.infohiiway.com>

> -----Original Message-----
> From: David Rankin [mailto:drankin at cox-internet.com]
> Sent: Monday, March 12, 2001 8:49 PM
> To: robert; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] PoPToP localip/remoteip DHCP Question
>
> Thanks Robert,
>
> I use encrypted passwords with samba already. Have patched all Win95 machines
> to send encrypted and all users have Unix accounts and encrypted smbpasswd
> passwords. Everything works like a champ on the LAN side.
>
> Samba is also my WINS server and DHCP passes the WINS information for all LAN
> clients. However, since pptpd uses an IP range above the LAN DHCP block, I
> don't know if my pptp client is getting WINS resolution or not.

On Win9x clients... use "winipcfg" to verify if the WINS server address has been properly set after the PPTP tunnel has been established.

On NT/W2K clients... use "ipconfig /all"

Also, the NetBIOS node type (of the client) should indicate "hybrid" instead of "broadcast" when using a WINS server.

From anesthes at cisdi.com Mon Mar 12 21:59:31 2001
From: anesthes at cisdi.com (Joey Coco)
Date: Mon, 12 Mar 2001 22:59:31 -0500 (EST)
Subject: [pptp-server] IPX over PPTP
In-Reply-To: <000001c0aaa7$d59efa40$0a00000a@ruthfd1.tn.home.com>
Message-ID:

Hi,

I have a working IPX RIP/SAP setup using pptp. I need to check what software I'm running before giving you more details, if you still need help. I've only used this setup in a few places, but it seems to work ok. IPX over T1 links with PPTP was a little slower than expected, but not much.

-- Joe

On Sun, 11 Mar 2001, Zach Lowry wrote:
> Howdy,
>
> I'm running pptp and ipxd, and can't seem to get any IPX traffic to route
> over the connections. The clients connect and use IPX, as I can see them
> using IPX in ifconfig, but nothing happens. I get these messages in
> ipxripd.log:
>
> Sun Mar 11 21:49:52 2001
> 00001001:000053F853ED
> 00001001:000053F853ED
>
> Sun Mar 11 21:49:52 2001
> RIP from non-local net on ifc 00001000
> 00001001 (ignored)
>
> Sun Mar 11 21:49:52 2001
> RIP from non-local net on ifc 00001000
> 00001001 (ignored)
>
> Sun Mar 11 21:49:52 2001
> SAP from non-local net 00001001 (ignored)
>
> Sun Mar 11 21:50:52 2001
> RIP from non-local net on ifc 00001000
> 00001001 (ignored)
>
> Anyone an IPX expert that can help me out?
>
> Zach Lowry

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
/ "I'd like to think that everything is beautiful, and I'd like to think   /
\  that everything is fair. I'd like to think that everything is plentiful, \
/  and I'd like to think that everybody cares. We'd like to thank you.."    /
\                                                                           \
/  http://members.cisdi.com/~anesthes/  -=-  IM: imd3fc0n                   /
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
C r e a t i v e   I l l u s i o n s   S o f t w a r e   D e s i g n,  I n c.

From rcd at amherst.com Tue Mar 13 08:20:47 2001
From: rcd at amherst.com (Robert Dege)
Date: Tue, 13 Mar 2001 09:20:47 -0500
Subject: [pptp-server] IPX over PPTP
References: <000001c0aaa7$d59efa40$0a00000a@ruthfd1.tn.home.com>
Message-ID: <3AAE2CBF.7050506@amherst.com>

Zach,

Have you enabled IPX support in the kernel? If not, you will need to (located under Networking). You also need to have ipx entries in your pppd options file so that ppp knows how to handle the protocol.

There are also 2 rpms that you need to install. I don't remember them exactly (i.e. ipx-utils, and ripd(?)), but if you search the pptp mail archive, you'll find that someone posted an IPX/PPTP Howto. There is also an IPX HOWTO on www.linuxdoc.org that you can read. It gives much better insight about using the protocol.

Hope this helps.

-Rob

Zach Lowry wrote:
> Howdy,
>
> I'm running pptp and ipxd, and can't seem to get any IPX traffic to route
> over the connections. The clients connect and use IPX, as I can see them
> using IPX in ifconfig, but nothing happens. I get these messages in
> ipxripd.log:
>
> Sun Mar 11 21:49:52 2001
> 00001001:000053F853ED
> 00001001:000053F853ED
>
> Sun Mar 11 21:49:52 2001
> RIP from non-local net on ifc 00001000
> 00001001 (ignored)
>
> Sun Mar 11 21:49:52 2001
> RIP from non-local net on ifc 00001000
> 00001001 (ignored)
>
> Sun Mar 11 21:49:52 2001
> SAP from non-local net 00001001 (ignored)
>
> Sun Mar 11 21:50:52 2001
> RIP from non-local net on ifc 00001000
> 00001001 (ignored)
>
> Anyone an IPX expert that can help me out?
>
> Zach Lowry

From kristianl at oslo.kvalito.no Tue Mar 13 09:37:10 2001
From: kristianl at oslo.kvalito.no (Kristian Lyngstøl)
Date: Tue, 13 Mar 2001 16:37:10 +0100
Subject: [pptp-server] More or less weird error-message... "Unknown protocol..."
Message-ID: <20010313163709.A27785@lyngstol.net>

I'm having a little bit of a problem with my VPN solution. When I use encryption with the mppe module, I am able to connect to the server, but the moment I try to use the connection, these error messages pop up:

Mar 13 15:41:46 lyngstol pppd[27680]: Unsupported protocol 0x10f0 received
Mar 13 15:41:47 lyngstol pppd[27680]: Unsupported protocol 0x4ca8 received
Mar 13 15:41:47 lyngstol pppd[27680]: Unsupported protocol 0xc636 received

I am positive that I patched the pppd. I might have done something "bad" when I compiled, since I had some difficulties getting the mppe_ppp.o module and ppp.o module to compile, but it works and they both insert into the kernel.

Does anyone have any clue what the cause of my difficulties might be? I'm running Linux 2.2.17 (debian 2.1/0 (two different machines)), pptpd 1.0.1, pppd 2.3.11 (ppp-2.3.11-openssl-norc4-mppe).

Please help ...

--
Kind regards
---------------------------------+-------------------------
Kristian Lyngstøl                | Kvalito IT AS, Oslo branch
tel: 90 84 24 35                 | 21 00 99 00
mail: kristianl at oslo.kvalito.no | oslo at kvalito.no
---------------------------------+-------------------------

From zlowry at home.com Mon Mar 12 09:25:32 2001
From: zlowry at home.com (Zach Lowry)
Date: Mon, 12 Mar 2001 09:25:32 -0600
Subject: [pptp-server] New question about ppp 2.4
Message-ID: <000201c0ab08$ae47c100$0200000a@ruthfd1.tn.home.com>

Has anyone got any information for compiling drivers for the 2.4.2 kernel? When I installed the RPM, I had to install ppp 2.4 and it screwed up all my modules for 2.2.17. I guess I can just go and recompile those modules, unless anyone has a better fix. It just doesn't load the modules when I connect, so mppe doesn't work. But, I guess if I knew how to compile them on kernel 2.4 with ppp 2.4 I'd just do that.

Thanks,

Zach

From ctresco at mit.edu Tue Mar 13 09:41:12 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Tue, 13 Mar 2001 10:41:12 -0500
Subject: [pptp-server] New question about ppp 2.4
In-Reply-To: <000201c0ab08$ae47c100$0200000a@ruthfd1.tn.home.com>
Message-ID:

When you upgrade to the 2.4 kernel series, you have to upgrade a few packages in your distribution. Read the kernel Changes in the Documentation dir in your kernel source tree. You will need to patch your 2.4 kernel with the mppe patch and recompile as well.

Chris

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Zach Lowry
> Sent: Monday, March 12, 2001 10:26 AM
> To: Pptp-Server (E-mail)
> Subject: [pptp-server] New question about ppp 2.4
>
> Has anyone got any information for compiling drivers for the 2.4.2 kernel?
> When I installed the RPM, I had to install ppp 2.4 and it screwed up all my
> modules for 2.2.17. I guess I can just go and recompile those modules,
> unless anyone has a better fix. It just doesn't load the modules when I
> connect, so mppe doesn't work. But, I guess if I knew how to compile them on
> kernel 2.4 with ppp 2.4 I'd just do that.
>
> Thanks,
>
> Zach

From mckendry at mediaone.net Tue Mar 13 12:15:44 2001
From: mckendry at mediaone.net (John McKendry)
Date: Tue, 13 Mar 2001 13:15:44 -0500
Subject: [pptp-server] error-message... "Unknown protocol..."
References: <20010313163709.A27785@lyngstol.net>
Message-ID: <3AAE63D0.8EDDCF1A@mediaone.net>

Kristian Lyngstøl wrote:
>
> I'm having a little bit of a problem with my VPN solution.
> When I use encryption with the mppe module, I am able to connect
> to the server, but the moment I try to use the connection, these
> error messages pop up:
>
> Mar 13 15:41:46 lyngstol pppd[27680]: Unsupported protocol 0x10f0 received
> Mar 13 15:41:47 lyngstol pppd[27680]: Unsupported protocol 0x4ca8 received
> Mar 13 15:41:47 lyngstol pppd[27680]: Unsupported protocol 0xc636 received
>

I have been having a similar problem with the PPTP client, and I finally made it go away last night. First take a look at this from the list archive: http://lists.schulte.org/pipermail/pptp-server/2000-October/003887.html, which explains the problem and gives a patch. If you try to apply the patch and find it's already been applied, then you may have the same problem I had. Are you seeing any "discarding out-of-order" or "discarding duplicate packet" messages when you start up? (This would be in your system error log, and assumes you have error logging enabled.)

I had the problem with the PPTP client, not pptpd, but it looks to me like my fix would apply equally to pptpd. What happens is that right at startup it receives a packet with sequence number zero, and since it has initialized its seq_recv counter to zero it thinks it's already received this packet and discards it, and the loss of a real packet messes up the encryption algorithm.

To fix it for pptpd, try this (bearing in mind I'm translating what I did for the PPTP client):

Save a copy of pptpgre.c as pptpgre.c.orig. In pptpgre.c, find the function decaps_gre(). Find the comment

    /* check for out-of-order sequence number */

Comment out the line

    if (seq_greater(seq, gre.seq_recv)){

and replace it with

    if ( (seq_greater(seq, gre.seq_recv)) || ((seq == 0) && (gre.seq_recv == 0)) ){

Add comments here and at the top of the file to remind yourself you've changed the code; save, make clean, make. (Usual disclaimers here.)

In the client code they make a big deal of handling wraparound, which is not mentioned in the pptpd code, and I'm not sure how this change will work with wraparound, but it's a step in the right direction. Also if you really do get a duplicate packet 0 it will probably foul you up, but so far that hasn't happened to me.

John

From berzerke at swbell.net Tue Mar 13 12:16:17 2001
From: berzerke at swbell.net (robert)
Date: Tue, 13 Mar 2001 12:16:17 -0600
Subject: [pptp-server] New question about ppp 2.4
In-Reply-To: <000201c0ab08$ae47c100$0200000a@ruthfd1.tn.home.com>
References: <000201c0ab08$ae47c100$0200000a@ruthfd1.tn.home.com>
Message-ID: <01031312161700.23652@linux>

On Monday 12 March 2001 09:25, Zach Lowry wrote:
> Has anyone got any information for compiling drivers for the 2.4.2 kernel?
> When I installed the RPM, I had to install ppp 2.4 and it screwed up all my
> modules for 2.2.17. I guess I can just go and recompile those modules,
> unless anyone has a better fix. It just doesn't load the modules when I
> connect, so mppe doesn't work. But, I guess if I knew how to compile them
> on kernel 2.4 with ppp 2.4 I'd just do that.
>
> Thanks,
>
> Zach

A howto is at http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt

I had nothing but headaches with the rpms, BTW. Wound up going with the tarballs.

From berzerke at swbell.net Tue Mar 13 12:20:08 2001
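[Editor's worked example, added to this archive page; it is not code from pptpd, pptp-client or John McKendry's patch above.] The edit John describes changes the receive-side sequence check in decaps_gre() so that a first packet numbered 0 is no longer mistaken for a replay of the initial seq_recv = 0 state. The example below shows the same check with the first-packet case handled by an explicit "nothing received yet" flag instead of the (seq == 0 && seq_recv == 0) test, so a genuine duplicate packet 0 arriving later is still dropped, and with a wraparound-safe comparison of the kind John says the client code cares about. The struct, the function names, the seq_greater() semantics and the two packet traces are all constructed for the example; pptpd's own definitions may differ.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Receive-side state for one GRE data channel. Constructed for the
 * example; this is not pptpd's gre structure. */
struct gre_rx {
    uint32_t seq_recv;   /* highest sequence number accepted so far */
    bool     have_any;   /* false until the first data packet is accepted */
};

enum verdict { ACCEPT, DROP_DUPLICATE, DROP_OUT_OF_ORDER };

/* Wraparound-safe "a is newer than b": true when a lies in the half of the
 * 32-bit space ahead of b, so 0 counts as newer than 0xFFFFFFFF. Assumed
 * semantics for this example; pptpd's seq_greater() may be written differently. */
bool seq_greater(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

void gre_rx_init(struct gre_rx *rx)
{
    /* seq_recv starts at 0: exactly the state that made a real packet 0
     * look like something already seen when only the counter was consulted. */
    memset(rx, 0, sizeof *rx);
}

/* Classify one incoming data packet and advance the window on acceptance. */
enum verdict gre_rx_check(struct gre_rx *rx, uint32_t seq)
{
    if (!rx->have_any) {
        /* First packet on the channel: accept whatever it carries,
         * including 0. No special case on the value is needed, and a
         * later duplicate 0 still falls through to the checks below. */
        rx->have_any = true;
        rx->seq_recv = seq;
        return ACCEPT;
    }
    if (seq == rx->seq_recv)
        return DROP_DUPLICATE;
    if (seq_greater(seq, rx->seq_recv)) {
        rx->seq_recv = seq;
        return ACCEPT;
    }
    return DROP_OUT_OF_ORDER;
}

/* Replay a constructed trace and return how many packets were accepted. */
int replay(const uint32_t *seqs, size_t n)
{
    struct gre_rx rx;
    int accepted = 0;
    gre_rx_init(&rx);
    for (size_t i = 0; i < n; i++)
        if (gre_rx_check(&rx, seqs[i]) == ACCEPT)
            accepted++;
    return accepted;
}

/* Trace 1 (constructed): peer starts at 0, then one duplicate and one stale packet. */
int demo_first_packet_zero(void)
{
    static const uint32_t t[] = { 0, 1, 2, 2, 1, 3 };
    return replay(t, sizeof t / sizeof t[0]);   /* 0,1,2,3 accepted -> 4 */
}

/* Trace 2 (constructed): counter wraps from 0xFFFFFFFF to 0; a late
 * 0xFFFFFFFF after the wrap is stale, not new. */
int demo_wraparound(void)
{
    static const uint32_t t[] = { 0xFFFFFFFEu, 0xFFFFFFFFu, 0, 1, 0xFFFFFFFFu };
    return replay(t, sizeof t / sizeof t[0]);   /* -> 4 */
}

int main(void)
{
    printf("first-packet-zero trace: %d of 6 accepted\n", demo_first_packet_zero());
    printf("wraparound trace: %d of 5 accepted\n", demo_wraparound());
    return 0;
}
```

Why the first packet matters for encryption: to MPPE a discarded packet is a lost packet, and in stateful mode the cipher state on the two ends is tied to the packet count, so the peers stay out of step until a resync. That is the link between a sequence-check bug and "unsupported protocol" noise, and it is also why the stateless mode mentioned in this thread is less sensitive to a single lost packet.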
From: berzerke at swbell.net (robert)
Date: Tue, 13 Mar 2001 12:20:08 -0600
Subject: [pptp-server] More or less weird error-message... "Unknown protocol..."
In-Reply-To: <20010313163709.A27785@lyngstol.net>
References: <20010313163709.A27785@lyngstol.net>
Message-ID: <01031312200801.23652@linux>

On Tuesday 13 March 2001 09:37, Kristian Lyngstøl wrote:
> I'm having a little bit of a problem with my VPN solution.
> When I use encryption with the mppe module, I am able to connect
> to the server, but the moment I try to use the connection, these
> error messages pop up:
>
> Mar 13 15:41:46 lyngstol pppd[27680]: Unsupported protocol 0x10f0 received
> Mar 13 15:41:47 lyngstol pppd[27680]: Unsupported protocol 0x4ca8 received
> Mar 13 15:41:47 lyngstol pppd[27680]: Unsupported protocol 0xc636 received
>
> I am positive that I patched the pppd. I might have done something "bad"
> when I compiled, since I had some difficulties getting the mppe_ppp.o
> module and ppp.o module to compile, but it works and they both insert into
> the kernel.
>
> Does anyone have any clue what the cause of my difficulties might be?
> I'm running Linux 2.2.17 (debian 2.1/0 (two different machines)), pptpd
> 1.0.1, pppd 2.3.11 (ppp-2.3.11-openssl-norc4-mppe).
>
> Please help ...

Two ideas:

1) Do you have the line mppe-stateless in your ppp options file?

2) According to the patch above, you might be missing the rc4 files. It is better to get the patch that already includes those files. That might be the source of your compile problems.

From ctresco at mit.edu Tue Mar 13 12:45:20 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Tue, 13 Mar 2001 13:45:20 -0500
Subject: [pptp-server] New question about ppp 2.4
In-Reply-To: <01031312161700.23652@linux>
Message-ID:

I also didn't fiddle with the rpms. Use the tarballs.

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of robert
> Sent: Tuesday, March 13, 2001 1:16 PM
> To: Zach Lowry; Pptp-Server (E-mail)
> Subject: Re: [pptp-server] New question about ppp 2.4
>
> On Monday 12 March 2001 09:25, Zach Lowry wrote:
> > Has anyone got any information for compiling drivers for the 2.4.2 kernel?
> > When I installed the RPM, I had to install ppp 2.4 and it screwed up all my
> > modules for 2.2.17. I guess I can just go and recompile those modules,
> > unless anyone has a better fix. It just doesn't load the modules when I
> > connect, so mppe doesn't work. But, I guess if I knew how to compile them
> > on kernel 2.4 with ppp 2.4 I'd just do that.
> >
> > Thanks,
> >
> > Zach
>
> A howto is at http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt
>
> I had nothing but headaches with the rpms, BTW. Wound up going with the
> tarballs.

From claudio at chilesat.net Tue Mar 13 12:53:46 2001
From: claudio at chilesat.net (Claudio)
Date: Tue, 13 Mar 2001 14:53:46 -0400
Subject: [pptp-server] unsubscribe
Message-ID: <005801c0abee$f2d3b220$dec61cc8@tie.cl>

unsubscribe

From mckendry at mediaone.net Tue Mar 13 16:12:25 2001
From: mckendry at mediaone.net (John McKendry)
Date: Tue, 13 Mar 2001 17:12:25 -0500
Subject: [pptp-server] error-message... "Unknown protocol..."
References: <20010313163709.A27785@lyngstol.net> <3AAE63D0.8EDDCF1A@mediaone.net>
Message-ID: <3AAE9B49.E1190630@mediaone.net>

John McKendry wrote:
>
> > Mar 13 15:41:47 lyngstol pppd[27680]: Unsupported protocol 0xc636 received
>
> I have been having a similar problem with the PPTP client, and I finally
> made it go away last night.

Sadly I must retract this claim - apparently I was making some other mistake that masked the "unsupported protocol" errors. They are still happening. So I add myself to the list of those who would like an answer.

My configuration is kernel 2.2.14, pptp client 1.0.2, pppd 2.3.8 with patch ppp2.3.8-mppe-others-norc4_TH7; I am calling out to a corporate Microsoft server through a pptp-masquerading Linux firewall. I can connect to the same server through the firewall with a Windows 2000 laptop, so I don't think masquerading is an issue. I am sure the connection is negotiated to mppe-40, not stateless. My rc4 files are from SSLeay-0.6.6.

Sorry to get anyone's hopes up prematurely.

John

From Glenn.Swonk at tais.com Tue Mar 13 18:29:46 2001
From: Glenn.Swonk at tais.com (Glenn.Swonk at tais.com)
Date: Tue, 13 Mar 2001 16:29:46 -0800
Subject: [pptp-server] Domain name prepended for authentication
Message-ID:

When a user is being authenticated, the NT domain name is prepended to the user name for authentication. Since we don't know the domain name when the client is configured for access, how do we specify to the authentication to ignore the domain name part of the user? I did apply the smb patch to use the /etc/smbpasswd file for authentication.

thanks,
glenn

From drankin at cox-internet.com Tue Mar 13 21:20:54 2001
From: drankin at cox-internet.com (David Rankin)
Date: Tue, 13 Mar 2001 21:20:54 -0600
Subject: [pptp-server] Can access shares on poptop server but nothing else!
Message-ID: <3AAEE395.61705297@cox-internet.com>

Chris, George, Steve, Robert & everyone else --- HELP....

Thanks for all the prior help, and now I have to beg for a little more.

My setup:

Work (pptpd server):
Linux Mandrake 7.2
Samba 2.07 (WINS server)
pptpd-init-1_0_1-1_i386.rpm (installed)
Cable Modem
Linksys cable/dsl router (Forwarded port 1723 to server)
Lan DHCP valid client IP ranges 192.168.7.20-100

/etc/pptpd.conf
localip 192.168.7.106-110
remoteip 192.168.7.101-105

/etc/ppp/options
lock
auth
+chap
proxyarp
#ms-dns 192.168.7.14
#ms-wins 192.168.7.14
#noipdefault
#usepeerdns

/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server  secret          IP addresses
david       *       realpasswd      *
jennie      *       realpasswd      *
admin       *       realpasswd      *
darren      *       realpasswd      *
amy         *       realpasswd      *

Home (client):
Windows 98SE
Cable Modem

After making a VPN connection to my Linux box at work from my Win98 box at home, I can access my samba file shares, I can see but not use the printers shared by samba, and I can see all of my other machines on the lan in Network Neighborhood, but I still can't access any of the other machines or printers. Winipcfg seems to reflect everything is getting passed and authenticated OK. (see below)

I have tried with ms-dns and ms-wins enabled and disabled in the options file (thus the # comments above) and it doesn't seem to make any difference. With ms-dns or ms-wins set it just seems to take longer before I get the "machine not accessible" error when trying to browse the other machines on my lan.

Windows 98 IP Configuration (ms-wins and ms-dns NOT set)

Host Name . . . . . . . . . : SKYLINE.tyler.net
DNS Servers . . . . . . . . : 205.218.118.1
                              208.180.0.2
Node Type . . . . . . . . . : Hybrid
NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No

0 Ethernet adapter :
Description . . . . . . . . : PPP Adapter.
Physical Address. . . . . . : 44-45-53-54-00-00
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 192.168.7.102
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 192.168.7.102
DHCP Server . . . . . . . . : 255.255.255.255
Primary WINS Server . . . . :
Secondary WINS Server . . . :
Lease Obtained. . . . . . . : 01 01 80 12:00:00 AM
Lease Expires . . . . . . . : 01 01 80 12:00:00 AM

Windows 98 IP Configuration (ms-wins and ms-dns set)

Host Name . . . . . . . . . : SKYLINE.tyler.net
DNS Servers . . . . . . . . : 192.168.7.14 (my Linux DNS caching only)
                              205.218.118.1
                              208.180.0.2
Node Type . . . . . . . . . : Hybrid
NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No

0 Ethernet adapter :
Description . . . . . . . . : PPP Adapter.
Physical Address. . . . . . : 44-45-53-54-00-00
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 192.168.7.101
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 192.168.7.101
DHCP Server . . . . . . . . : 255.255.255.255
Primary WINS Server . . . . : 192.168.7.14 (Samba WINS server IP)
Secondary WINS Server . . . : 192.168.7.14
Lease Obtained. . . . . . . : 01 01 80 12:00:00 AM
Lease Expires . . . . . . . : 01 01 80 12:00:00 AM

Bottom line, I can't figure out what I am doing wrong. I have read all the documentation that comes with poptop (some of the text files in usr/doc seem wrong - suggesting machine name instead of user name in chap-secrets) (I tried that too ;-) and I still can't get access to anything other than my samba file shares. I can see my printer that is shared through samba, but can't use it because it is attached to my secretary's WinME box. I have really about run out of things to try and really need some more thoughts and advice from you guys. If you can spare the time, it will be greatly appreciated.

Thanks

David Rankin
Nacogdoches, Texas

From ctresco at mit.edu Tue Mar 13 22:04:07 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Tue, 13 Mar 2001 23:04:07 -0500
Subject: [pptp-server] Domain name prepended for authentication
In-Reply-To:
Message-ID:

Try to put this in your ppp options file:

chapms-strip-domain

You need to have the respective patch installed as well.

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Glenn.Swonk at tais.com
Sent: Tuesday, March 13, 2001 7:30 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Domain name prepended for authentication

When a user is being authenticated, the NT domain name is prepended to the user name for authentication. Since we don't know the domain name when the client is configured for access, how do we specify to the authentication to ignore the domain name part of the user? I did apply the smb patch to use the /etc/smbpasswd file for authentication.

thanks,
glenn

From ctresco at mit.edu Tue Mar 13 22:11:20 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Tue, 13 Mar 2001 23:11:20 -0500
Subject: [pptp-server] Can access shares on poptop server but nothing else!
In-Reply-To: <3AAEE395.61705297@cox-internet.com>
Message-ID:

Seems like you aren't authorized as a user to connect to those shares. You log in to the VPN connection as someone in your chap-secrets. Those users in that file aren't necessarily allowed to connect to shares on other windows machines. What is telling those machines that you are authorized? Nothing.

You need to authenticate via some central server. Set samba up as a master browser (Domain Controller) and authenticate all your machines through it and your vpn clients through the smbpasswd file. Once all the user accounts are kept in a central place, all authentication mechanisms will be in sync and you will be a happy camper.

Hope this helps.

^_^_^_^_^_^_^_^_^_^_^_^
Christopher Tresco
Head Systems Administrator
MIT Dept of Economics
ctresco at mit.edu

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of David Rankin
Sent: Tuesday, March 13, 2001 10:21 PM
To: Steve Cowles; George Vieira; Robert; poptop; Christopher Tresco
Subject: [pptp-server] Can access shares on poptop server but nothing else!

Chris, George, Steve, Robert & everyone else --- HELP....

Thanks for all the prior help, and now I have to beg for a little more.

My setup:

Work (pptpd server):
    Linux Mandrake 7.2
    Samba 2.07 (WINS server)
    pptpd-init-1_0_1-1_i386.rpm (installed)
    Cable Modem
    Linksys cable/dsl router (Forwarded port 1723 to server)
    Lan DHCP valid client IP ranges 192.168.7.20-100

/etc/pptpd.conf
    localip 192.168.7.106-110
    remoteip 192.168.7.101-105

/etc/ppp/options
    lock
    auth
    +chap
    proxyarp
    #ms-dns 192.168.7.14
    #ms-wins 192.168.7.14
    #noipdefault
    #usepeerdns

/etc/ppp/chap-secrets
    # Secrets for authentication using CHAP
    # client    server  secret      IP addresses
    david       *       realpasswd  *
    jennie      *       realpasswd  *
    admin       *       realpasswd  *
    darren      *       realpasswd  *
    amy         *       realpasswd  *

Home (client):
    Windows 98SE
    Cable Modem

After making a VPN connection to my Linux box at work from my Win98 box at home, I can access my samba file shares, I can see but not use the printers shared by samba, and I can see all of my other machines on the lan in Network Neighborhood, but I still can't access any of the other machines or printers. Winipcfg seems to reflect everything is getting passed and authenticated OK. (see below)

I have tried with ms-dns and ms-wins enabled and disabled in the options file (thus the # comments above) and it doesn't seem to make any difference. With ms-dns or ms-wins set it just seems to take longer before I get the "machine not accessible" error when trying to browse the other machines on my lan.

Windows 98 IP Configuration (ms-wins and ms-dns NOT set)

    Host Name . . . . . . . . . : SKYLINE.tyler.netDEST
    DNS Servers . . . . . . . . : 205.218.118.1
                                  208.180.0.2
    Node Type . . . . . . . . . : Hybrid
    NetBIOS Scope ID. . . . . . :
    IP Routing Enabled. . . . . : No
    WINS Proxy Enabled. . . . . : No
    NetBIOS Resolution Uses DNS : No

    0 Ethernet adapter :
    Description . . . . . . . . : PPP Adapter.
    Physical Address. . . . . . : 44-45-53-54-00-00
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 192.168.7.102
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 192.168.7.102
    DHCP Server . . . . . . . . : 255.255.255.255
    Primary WINS Server . . . . :
    Secondary WINS Server . . . :
    Lease Obtained. . . . . . . : 01 01 80 12:00:00 AM
    Lease Expires . . . . . . . : 01 01 80 12:00:00 AM

Windows 98 IP Configuration (ms-wins and ms-dns set)

    Host Name . . . . . . . . . : 3111 SKYLINE.tyler.net
    DNS Servers . . . . . . . . : 192.168.7.14 (my Linux DNS caching only)
                                  205.218.118.1
                                  208.180.0.2
    Node Type . . . . . . . . . : Hybrid
    NetBIOS Scope ID. . . . . . :
    IP Routing Enabled. . . . . : No
    WINS Proxy Enabled. . . . . : No
    NetBIOS Resolution Uses DNS : No

    0 Ethernet adapter :
    Description . . . . . . . . : PPP Adapter.
    Physical Address. . . . . . : 44-45-53-54-00-00
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 192.168.7.101
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 192.168.7.101
    DHCP Server . . . . . . . . : 255.255.255.255
    Primary WINS Server . . . . : 192.168.7.14 (Samba WINS server IP)
    Secondary WINS Server . . . : 192.168.7.14
    Lease Obtained. . . . . . . : 01 01 80 12:00:00 AM
    Lease Expires . . . . . . . : 01 01 80 12:00:00 AM

Bottom line, I can't figure out what I am doing wrong. I have read all the documentation that comes with poptop (some of the text files in usr/doc seem wrong - suggesting machine name instead of user name in chap-secrets) (I tried that too ;-) and I still can't get access to anything other than my samba file shares. I can see my printer that is shared through samba, but can't use it because it is attached to my secretary's WinME box.

I have really about run out of things to try and really need some more thoughts and advice from you guys. If you can spare the time, it will be greatly appreciated.

Thanks
David Rankin
Nacogdoches, Texas

From: drankin at cox-internet.com (David Rankin)
Date: Tue, 13 Mar 2001 22:17:44 -0600
Subject: [pptp-server] Re: Can access shares on poptop server but nothing else!
References: <200FAA488DE0D41194F10010B597610D0A66C9@JUPITER>
Message-ID: <3AAEF0E8.A5A0EE7B@cox-internet.com>

George Vieira wrote:

> Can you view the shares using IP addresses. eg.
>
> net view \\192.168.7.xx
>
> if this fails then it's probably because you can't get through the network
> (ipchains problem).

George,

net view /WORKGROUP:RB_LAW /yes returns the following when run from my Win98 box at home. NEMESIS is the Linux/Samba/PopTop server at work (aptly named), SKYLINE is home, the rest are the remainder of the machines in my office (don't ask how TRIPOD got its name). Everything seems OK, no name resolution problems at all.

    Servers available in workgroup RB_LAW.
    Server name            Remark

    \\BERTIN               Darren's Crippled Maching
    \\NEMESIS              RB_LAW Samba Server 2.0.7
    \\RANKIN               DAVID C. RANKIN
    \\SECRETARY            PIII 866 20G
    \\SKYLINE              Home 233MHz 20G
    \\TRIPOD               P233MMX 20G
    The command was completed successfully.

> Have you got the vpn PPP link totally free of ipchains firewall rules?

Yes. I don't use ipchains, I'm behind a cable/dsl router that provides NAT. Router port 1723 is forwarded to NEMESIS.

> Have you got ip forwarding enabled on your pptpd server?

Uhh, I think so? All of my IP traffic goes through NEMESIS. It is my internal DNS and gateway and handles all of the traffic from the router and forwards it to the right machines in the office. All of the machines have no problem accessing the net through NEMESIS. I guess a picture would help

    [SKYLINE] => [internet] => [Linksys cable/dsl router] => [NEMESIS] => [others on lan]

On the lan side all machines can talk to each other. However, the windows to windows may be getting done by peer-to-peer. They all access the server and use the internet as shown above, but on the lan side I don't have to go through NEMESIS to get to the other windows machines. I just don't know. Do you have any additional thoughts after the latest information?

Thanks
David Rankin
Nacogdoches, Texas

From: drankin at cox-internet.com (David Rankin)
Date: Tue, 13 Mar 2001 22:37:16 -0600
Subject: [pptp-server] Can access shares on poptop server but nothing else!
References:
Message-ID: <3AAEF57B.53D5BD36@cox-internet.com>

Christopher Tresco wrote:

> Seems like you aren't authorized as a user to connect to those shares. You
> log in to the VPN connection as someone in your chap-secrets. Those users in
> that file aren't necessarily allowed to connect to shares on other windows
> machines. What is telling those machines that you are authorized? Nothing.
>
> You need to authenticate via some central server. Set samba up as a master
> browser (Domain Controller) and authenticate all your machines through it
> and your vpn clients through the smbpasswd file. Once all the user accounts
> are kept in a central place, all authentication mechanisms will be in sync
> and you will be a happy camper.

Chris,

I am not sure I understand. I have samba set up as a master browser and PDC providing domain logins for my clients at work. All users and myself have unix accounts and smbpasswd entries and we all use it for authentication. When I log in via VPN from home as "david" I am authenticating against chap-secrets for pptp access and against smbpasswd for access to my samba shares (there is no guest account or guest privileges on my samba server). When I log in, I can access all of my samba file shares just fine, I just can't use the print share or access any of the other WinXX boxes.

I know why I can't access my print shares. That's because my printers that are shared are attached to my secretary's WinME box that I can't access through VPN.

I don't know, something smells fishy and I have an uncanny knack for overlooking the obvious resulting in unnecessary self inflicted pain. (I am beginning to feel severe discomfort) What else could I be missing?

Thanks,
David Rankin
Nacogdoches, Texas

From: Steve at SteveCowles.com (Cowles, Steve)
Date: Tue, 13 Mar 2001 22:49:13 -0600
Subject: [pptp-server] RE: Can access shares on poptop server but nothing else!
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6AE@defiant.infohiiway.com>

> -----Original Message-----
> From: David Rankin [mailto:drankin at cox-internet.com]
> Sent: Tuesday, March 13, 2001 10:18 PM
> To: George Vieira; Christopher Tresco; Robert; Cowles, Steve; poptop
> Subject: Re: Can access shares on poptop server but nothing else!
>
> George Vieira wrote:
>
> > Can you view the shares using IP addresses. eg.
> >
> > net view \\192.168.7.xx
> >
> > if this fails then it's probably because you can't get
> > through the network (ipchains problem).
>
> George,
>
> net view /WORKGROUP:RB_LAW /yes returns the following when
> run from my Win98 box at home. NEMESIS is the Linux/Samba/
> PopTop server at work (aptly named), SKYLINE is home, the
> rest are the remainder of the machines in my office (don't
> ask how TRIPOD got its name). Everything seems OK, no name
> resolution problems at all.
>
> Servers available in workgroup RB_LAW.
> Server name            Remark
>
> \\BERTIN               Darren's Crippled Maching
> \\NEMESIS              RB_LAW Samba Server 2.0.7
> \\RANKIN               DAVID C. RANKIN
> \\SECRETARY            PIII 866 20G
> \\SKYLINE              Home 233MHz 20G
> \\TRIPOD               P233MMX 20G
> The command was completed successfully.

Based on your prior posts... your WINS server is running on your PPTP server, so the above "could" actually work because the browse request (from the client) does not have to be routed past the PPTP server.

> > Have you got the vpn PPP link totally free of ipchains
> > firewall rules?
>
> Yes. I don't use ipchains, I'm behind a cable/dsl router that
> provides NAT. Router port 1723 is forwarded to NEMESIS.

Since you are able to establish a PPTP tunnel and at least "talk" to the PPTP server, I will leave the above alone. Although, I still think you have a routing and/or arp related problem.

> > Have you got ip forwarding enabled on your pptpd server?
>
> Uhh, I think so? All of my IP traffic goes through NEMESIS.
> It is my internal DNS and gateway and handles all of the
> traffic from the router and forwards it to the right machines
> in the office. All of the machines have no problem accessing
> the net through NEMESIS. I guess a picture would help
>
> [SKYLINE] => [internet] => [Linksys cable/dsl router] =>
> [NEMESIS] => [others on lan]

What is the value of /proc/sys/net/ipv4/ip_forward ?? It needs to be one (1)

To check value, type: cat /proc/sys/net/ipv4/ip_forward

Also, when the PPTP client connects - does /var/log/messages show the ethernet interface (like eth0) being set as proxy arp for the PPTP client? i.e.

    Mar 12 16:53:52 excelsior pppd[767]: found interface eth0 for proxy arp

If not, you will only be able to talk to the PPTP server (from the client) and no further.

Steve Cowles

From: drankin at cox-internet.com (David Rankin)
Date: Tue, 13 Mar 2001 22:57:34 -0600
Subject: [pptp-server] Re: Can access shares on poptop server but nothing else!
References: <200FAA488DE0D41194F10010B597610D0A66D0@JUPITER>
Message-ID: <3AAEFA3D.DAF45246@cox-internet.com>

George Vieira wrote:

> Yes but what about IP addresses. I need to know if you can try to view the
> LAN workstation shares if you know their IP address?
>
> If this works then it's just a mere name resolution problem, if it fails
> with an error (which I'd need) then pinging those IP addresses would
> fail too (probably but we need to establish that you can reach the lan
> workstations and they can reach you!!!!)...
> can you try that and get back to me..
>
> thanks,
> George Vieira

George, whatever you are thinking, I think you are on the right track and on to something. I ran the tests you suggested and tried to ping the machines on the lan by IP address. I can only ping NEMESIS the server and I cannot get a response from any of the other machines on my lan. Here are the results:

    C:\>ping 192.168.7.14          (THIS IS NEMESIS - the server)

    Pinging 192.168.7.14 with 32 bytes of data:

    Reply from 192.168.7.14: bytes=32 time=60ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=64ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=64ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=59ms TTL=255

    Ping statistics for 192.168.7.14:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 59ms, Maximum = 64ms, Average = 61ms

It works great!!!! All of the others timed out and I never got a response.

    C:\>ping 192.168.7.99          (or 100 or 98 or 97)

    Pinging 192.168.7.99 with 32 bytes of data:

    Request timed out.
    Request timed out.

    Ping statistics for 192.168.7.99:
        Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Control-C

What does this mean? I have noticed that sometimes I have to dial in twice (1st connect no go/2nd connect I can browse server OK) to be able to browse the server.

Your thoughts?


From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Wed, 14 Mar 2001 16:00:52 +1100
Subject: [pptp-server] RE: Can access shares on poptop server but nothing else!
Message-ID: <200FAA488DE0D41194F10010B597610D0A66DA@JUPITER>

OK.. put proxyarp in your /etc/ppp/options file so your NEMESIS machine will respond to the LAN workstations when they try to contact your VPN machine.. at the moment, your LAN can't ping your VPN machine because proxyarp isn't used. Proxyarp will make the pptpd server pass the packets over to the VPN box.. try that

thanks,
George Vieira

-----Original Message-----
From: David Rankin [mailto:drankin at cox-internet.com]
Sent: Wednesday, March 14, 2001 3:58 PM
To: poptop; Christopher Tresco; George Vieira; Robert; Steve Cowles
Subject: Re: Can access shares on poptop server but nothing else!

George Vieira wrote:

> Yes but what about IP addresses. I need to know if you can try to view the
> LAN workstation shares if you know their IP address?
>
> If this works then it's just a mere name resolution problem, if it fails
> with an error (which I'd need) then pinging those IP addresses would
> fail too (probably but we need to establish that you can reach the lan
> workstations and they can reach you!!!!)...
> can you try that and get back to me..
>
> thanks,
> George Vieira

George, whatever you are thinking, I think you are on the right track and on to something. I ran the tests you suggested and tried to ping the machines on the lan by IP address. I can only ping NEMESIS the server and I cannot get a response from any of the other machines on my lan. Here are the results:

    C:\>ping 192.168.7.14          (THIS IS NEMESIS - the server)

    Pinging 192.168.7.14 with 32 bytes of data:

    Reply from 192.168.7.14: bytes=32 time=60ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=64ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=64ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=59ms TTL=255

    Ping statistics for 192.168.7.14:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 59ms, Maximum = 64ms, Average = 61ms

It works great!!!! All of the others timed out and I never got a response.

    C:\>ping 192.168.7.99          (or 100 or 98 or 97)

    Pinging 192.168.7.99 with 32 bytes of data:

    Request timed out.
    Request timed out.

    Ping statistics for 192.168.7.99:
        Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Control-C

What does this mean? I have noticed that sometimes I have to dial in twice (1st connect no go/2nd connect I can browse server OK) to be able to browse the server.

Your thoughts?

From: drankin at cox-internet.com (David Rankin)
Date: Tue, 13 Mar 2001 23:23:10 -0600
Subject: [pptp-server] Re: Can access shares on poptop server but nothing else!
References: <90769AF04F76D41186C700A0C90AFC3EE6AE@defiant.infohiiway.com>
Message-ID: <3AAF003E.56581DB6@cox-internet.com>

"Cowles, Steve" wrote:

> Based on your prior posts... your WINS server is running on your PPTP
> server, so the above "could" actually work because the browse request (from
> the client) does not have to be routed past the PPTP server.
>
> > > Have you got ip forwarding enabled on your pptpd server?
> >
> > Uhh, I think so? All of my IP traffic goes through NEMESIS.
> > It is my internal DNS and gateway and handles all of the
> > traffic from the router and forwards it to the right machines
> > in the office. All of the machines have no problem accessing
> > the net through NEMESIS. I guess a picture would help
>
> What is the value of /proc/sys/net/ipv4/ip_forward ?? It needs to be one
> (1)
>
> To check value, type: cat /proc/sys/net/ipv4/ip_forward

This may be a problem... ip_forward is set to 0. How do I fix this? See response below:

    [david at Nemesis ipv4]$ cat ip_forward
    0

> Also, when the PPTP client connects - does /var/log/messages show the
> ethernet interface (like eth0) being set as proxy arp for the PPTP client?
> i.e.
>
> Mar 12 16:53:52 excelsior pppd[767]: found interface eth0 for proxy arp
>
> If not, you will only be able to talk to the PPTP server (from the client)
> and no further.

Here is the latest log from my session (proxy arp looks fine):

    Mar 13 22:46:55 Nemesis pptpd[30016]: CTRL: Client 208.180.113.40 control connec
    Mar 13 22:46:55 Nemesis pptpd[30016]: CTRL: Starting call (launching pppd, openi
    Mar 13 22:46:55 Nemesis modprobe: modprobe: Can't locate module char-major-108
    Mar 13 22:46:55 Nemesis pppd[30017]: pppd 2.4.0 started by root, uid 0
    Mar 13 22:46:55 Nemesis pppd[30017]: Using interface ppp0
    Mar 13 22:46:55 Nemesis pppd[30017]: Connect: ppp0 <--> /dev/pts/0
    Mar 13 22:46:55 Nemesis pppd[30017]: CHAP peer authentication succeeded for davi
    Mar 13 22:46:55 Nemesis pppd[30017]: found interface eth0 for proxy arp
    Mar 13 22:46:55 Nemesis pppd[30017]: local IP address 192.168.7.106
    Mar 13 22:46:55 Nemesis pppd[30017]: remote IP address 192.168.7.101
    Mar 13 22:46:55 Nemesis pppd[30017]: CCP terminated by peer
    Mar 13 22:46:55 Nemesis pppd[30017]: Compression disabled by peer.
    Mar 13 22:50:00 Nemesis CROND[30048]: (root) CMD ( /sbin/rmmod -as)
    Mar 13 22:56:06 Nemesis pppd[30017]: LCP terminated by peer
    Mar 13 22:56:06 Nemesis pptpd[30016]: CTRL: Error with select(), quitting
    Mar 13 22:56:06 Nemesis pptpd[30016]: CTRL: Client 208.180.113.40 control connec
    Mar 13 22:56:06 Nemesis pppd[30017]: Modem hangup
    Mar 13 22:56:06 Nemesis pppd[30017]: Connection terminated.
    Mar 13 22:56:06 Nemesis pppd[30017]: Connect time 9.2 minutes.
    Mar 13 22:56:06 Nemesis pppd[30017]: Sent 4630 bytes, received 28672 bytes.
    Mar 13 22:56:06 Nemesis pppd[30017]: Exit.

What in the world do you think I'm dealing with?

Thanks -- David

From: jvonau at home.com (Jerry Vonau)
Date: Tue, 13 Mar 2001 23:32:05 -0600
Subject: [pptp-server] RE: Can access shares on poptop server but nothing else!
References: <90769AF04F76D41186C700A0C90AFC3EE6AE@defiant.infohiiway.com>
Message-ID: <3AAF0255.F89F91A1@home.com>

David:

I agree with Steve, you don't have any traffic past the server. The pinging failing proves that in the post to George. This suggests that it is a forwarding/arp issue. Check the points that Steve made and post it.

Without ipchains how to control access to your machine? netfilter?

Jerry Vonau

"Cowles, Steve" wrote:

> > -----Original Message-----
> > From: David Rankin [mailto:drankin at cox-internet.com]
> > Sent: Tuesday, March 13, 2001 10:18 PM
> > To: George Vieira; Christopher Tresco; Robert; Cowles, Steve; poptop
> > Subject: Re: Can access shares on poptop server but nothing else!
> >
> > George Vieira wrote:
> >
> > > Can you view the shares using IP addresses. eg.
> > >
> > > net view \\192.168.7.xx
> > >
> > > if this fails then it's probably because you can't get
> > > through the network (ipchains problem).
> >
> > George,
> >
> > net view /WORKGROUP:RB_LAW /yes returns the following when
> > run from my Win98 box at home. NEMESIS is the Linux/Samba/
> > PopTop server at work (aptly named), SKYLINE is home, the
> > rest are the remainder of the machines in my office (don't
> > ask how TRIPOD got its name). Everything seems OK, no name
> > resolution problems at all.
> >
> > Servers available in workgroup RB_LAW.
> > Server name            Remark
> >
> > \\BERTIN               Darren's Crippled Maching
> > \\NEMESIS              RB_LAW Samba Server 2.0.7
> > \\RANKIN               DAVID C. RANKIN
> > \\SECRETARY            PIII 866 20G
> > \\SKYLINE              Home 233MHz 20G
> > \\TRIPOD               P233MMX 20G
> > The command was completed successfully.
>
> Based on your prior posts... your WINS server is running on your PPTP
> server, so the above "could" actually work because the browse request (from
> the client) does not have to be routed past the PPTP server.
>
> > > Have you got the vpn PPP link totally free of ipchains
> > > firewall rules?
> >
> > Yes. I don't use ipchains, I'm behind a cable/dsl router that
> > provides NAT. Router port 1723 is forwarded to NEMESIS.
>
> Since you are able to establish a PPTP tunnel and at least "talk" to the
> PPTP server, I will leave the above alone. Although, I still think you have
> a routing and/or arp related problem.
>
> > > Have you got ip forwarding enabled on your pptpd server?
> >
> > Uhh, I think so? All of my IP traffic goes through NEMESIS.
> > It is my internal DNS and gateway and handles all of the
> > traffic from the router and forwards it to the right machines
> > in the office. All of the machines have no problem accessing
> > the net through NEMESIS. I guess a picture would help
> >
> > [SKYLINE] => [internet] => [Linksys cable/dsl router] =>
> > [NEMESIS] => [others on lan]
>
> What is the value of /proc/sys/net/ipv4/ip_forward ?? It needs to be one
> (1)
>
> To check value, type: cat /proc/sys/net/ipv4/ip_forward
>
> Also, when the PPTP client connects - does /var/log/messages show the
> ethernet interface (like eth0) being set as proxy arp for the PPTP client?
> i.e.
>
> Mar 12 16:53:52 excelsior pppd[767]: found interface eth0 for proxy arp
>
> If not, you will only be able to talk to the PPTP server (from the client)
> and no further.
>
> Steve Cowles


From: Steve at SteveCowles.com (Cowles, Steve)
Date: Tue, 13 Mar 2001 23:50:15 -0600
Subject: [pptp-server] RE: Can access shares on poptop server but nothing else!
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6AF@defiant.infohiiway.com>

> -----Original Message-----
> From: David Rankin [mailto:drankin at cox-internet.com]
> Sent: Tuesday, March 13, 2001 11:23 PM
> To: poptop; Christopher Tresco; George Vieira; Robert; Cowles, Steve
> Subject: Re: Can access shares on poptop server but nothing else!
>
> "Cowles, Steve" wrote:
>
> > Based on your prior posts... your WINS server is running on
> > your PPTP server, so the above "could" actually work because
> > the browse request (from the client) does not have to be routed
> > past the PPTP server.
> >
> > > > Have you got ip forwarding enabled on your pptpd server?
> > >
> > > Uhh, I think so? All of my IP traffic goes through NEMESIS.
> > > It is my internal DNS and gateway and handles all of the
> > > traffic from the router and forwards it to the right machines
> > > in the office. All of the machines have no problem accessing
> > > the net through NEMESIS. I guess a picture would help
> >
> > What is the value of /proc/sys/net/ipv4/ip_forward ?? It
> > needs to be one (1)
> >
> > To check value, type: cat /proc/sys/net/ipv4/ip_forward
>
> This may be a problem... ip_forward is set to 0. How do I fix
> this? See response below:
>
> [david at Nemesis ipv4]$ cat ip_forward
> 0

Without ip_forwarding enabled, packets of data arriving from the PPTP client will not be routed from ppp0 to eth0 and vice-versa. To temporarily enable ip forwarding, type:

    echo "1" >/proc/sys/net/ipv4/ip_forward

NOTE: The above will not live through a reboot, but at least you can check if this will fix your problem.

If you're using a redhat 7 distro and wanting to permanently enable ip forwarding at boot-up edit /etc/sysctl.conf and change the following line from:

    net.ipv4.ip_forward = 0

to

    net.ipv4.ip_forward = 1

If you're using any other redhat distro like 6.0, 6.1, 6.2 then edit /etc/sysconfig/network and change and/or add the following line:

    FORWARD_IPV4=yes

> > Also, when the PPTP client connects - does /var/log/messages
> > show the ethernet interface (like eth0) being set as proxy
> > arp for the PPTP client?
> > i.e.
> >
> > Mar 12 16:53:52 excelsior pppd[767]: found interface eth0
> > for proxy arp
> >
> > If not, you will only be able to talk to the PPTP server
> > (from the client) and no further.
>
> Here is the latest log from my session (proxy arp looks fine):
>
> Mar 13 22:46:55 Nemesis pptpd[30016]: CTRL: Client 208.180.113.40 control connec
> Mar 13 22:46:55 Nemesis pptpd[30016]: CTRL: Starting call (launching pppd, openi
> Mar 13 22:46:55 Nemesis modprobe: modprobe: Can't locate module char-major-108
> Mar 13 22:46:55 Nemesis pppd[30017]: pppd 2.4.0 started by root, uid 0
> Mar 13 22:46:55 Nemesis pppd[30017]: Using interface ppp0
> Mar 13 22:46:55 Nemesis pppd[30017]: Connect: ppp0 <--> /dev/pts/0
> Mar 13 22:46:55 Nemesis pppd[30017]: CHAP peer authentication succeeded for davi
> Mar 13 22:46:55 Nemesis pppd[30017]: found interface eth0 for proxy arp

This is good.... eth0 is acting as proxy arp for PPTP client. If you're interested, I wrote a document about what a proxy arp does and how important it is to PPTP connections. It's still work in progress, but it should give you an idea of how packets of data make it from/to the PPTP client.

Checkout: http://www.infohiiway.com/pptp/proxyarp.html

> Mar 13 22:46:55 Nemesis pppd[30017]: local IP address 192.168.7.106
> Mar 13 22:46:55 Nemesis pppd[30017]: remote IP address 192.168.7.101
> Mar 13 22:46:55 Nemesis pppd[30017]: CCP terminated by peer
> Mar 13 22:46:55 Nemesis pppd[30017]: Compression disabled by peer.

Odd entry (CCP terminated), I have never seen this before, but if it's working....

Steve Cowles

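The two conditions Steve Cowles checks in his replies above (the value of /proc/sys/net/ipv4/ip_forward, and the "found interface eth0 for proxy arp" line pppd logs when the proxyarp option takes effect) plus his persistent /etc/sysctl.conf fix, folded into one small POSIX shell script. This is an added example for this archive page, not a script from the thread or from the PoPToP project; the function names and the scratch files it builds are my own, and the sample log lines are constructed after the ones David posted. Each function takes the file it inspects as an argument, so the demo runs against constructed samples and never touches the live machine.

```shell
#!/bin/sh
# Added example (not from the pptp-server thread): a read-only pre-flight
# check for the two things the replies above point to before blaming Samba
# or WINS, plus the sysctl.conf edit for making forwarding survive a reboot.

# Print "on" or "off" for the ip_forward sysctl file given (defaults to the
# live one). Returns 0 when forwarding is on, 1 when it is off or unreadable.
ip_forward_state() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] || { echo off; return 1; }
    value=$(tr -d '[:space:]' < "$file")
    if [ "$value" = "1" ]; then
        echo on
        return 0
    fi
    echo off
    return 1
}

# Print the Ethernet interface pppd attached a proxy-ARP entry to, taken from
# the last "found interface <if> for proxy arp" line in the given log
# (defaults to /var/log/messages). Returns 1 and prints nothing when absent.
proxy_arp_iface() {
    log="${1:-/var/log/messages}"
    [ -r "$log" ] || return 1
    iface=$(sed -n 's/.*pppd\[[0-9]*\]: found interface \([a-z0-9]*\) for proxy arp.*/\1/p' "$log" | tail -n 1)
    [ -n "$iface" ] || return 1
    echo "$iface"
}

# One verdict from both checks: ok | no-forwarding | no-proxy-arp | neither.
# David's box in the thread: forwarding off, proxy ARP present -> no-forwarding.
diagnose() {
    fwd=1; arp=1
    ip_forward_state "$1" >/dev/null 2>&1 || fwd=0
    proxy_arp_iface "$2" >/dev/null 2>&1 || arp=0
    case "$fwd$arp" in
        11) echo ok ;;
        01) echo no-forwarding ;;
        10) echo no-proxy-arp ;;
        *)  echo neither ;;
    esac
}

# Rewrite any existing "net.ipv4.ip_forward = ..." line in a sysctl.conf-style
# file to "= 1", appending the line if it is missing (idempotent). Operates on
# the file you pass, so try it on a copy first. Returns 0 if the line is set.
set_sysctl_forward() {
    conf="$1"
    if grep -q '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        tmp="$conf.tmp.$$"
        sed 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
    fi
    grep -q '^net\.ipv4\.ip_forward = 1$' "$conf"
}

# Build constructed sample inputs in a scratch directory and print its path.
# The log lines are constructed after David's (hostname Nemesis, pid 30017).
make_samples() {
    dir=$(mktemp -d)
    printf '0\n' > "$dir/ip_forward_off"
    printf '1\n' > "$dir/ip_forward_on"
    cat > "$dir/messages_good" <<'EOF'
Mar 13 22:46:55 Nemesis pppd[30017]: Using interface ppp0
Mar 13 22:46:55 Nemesis pppd[30017]: found interface eth0 for proxy arp
Mar 13 22:46:55 Nemesis pppd[30017]: local IP address 192.168.7.106
EOF
    # The same session without the proxy-ARP line (proxyarp option missing).
    grep -v 'proxy arp' "$dir/messages_good" > "$dir/messages_bad"
    printf '# constructed sysctl.conf fragment\nnet.ipv4.ip_forward = 0\n' > "$dir/sysctl.conf"
    echo "$dir"
}

# Demo against the constructed samples.
d=$(make_samples)
echo "David's box:  $(diagnose "$d/ip_forward_off" "$d/messages_good")"
echo "after fix:    $(diagnose "$d/ip_forward_on" "$d/messages_good")"
set_sysctl_forward "$d/sysctl.conf" && cat "$d/sysctl.conf"
rm -rf "$d"
```

Run without arguments, `diagnose /proc/sys/net/ipv4/ip_forward /var/log/messages` inspects the live server. A result of `no-forwarding` is David's exact symptom (tunnel up, server pingable, nothing behind it), while `no-proxy-arp` points at the `proxyarp` option George mentions. Once forwarding is on, the PoPToP box really is a router between ppp0 and eth0, which is why Jerry's question about how access to the machine is controlled without ipchains matters.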
From: drankin at cox-internet.com (David Rankin)
Date: Wed, 14 Mar 2001 00:25:05 -0600
Subject: [pptp-server] Re: Can access shares on poptop server but nothing else!
References: <200FAA488DE0D41194F10010B597610D0A66E3@JUPITER>
Message-ID: <3AAF0EC0.99648FFB@cox-internet.com>

George Vieira wrote:

> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> that enables IP forwarding.. you might want to put it into your
> /etc/rc.d/rc.local or firewall rules so it's done on every reboot.
>
> thanks,
> George Vieira

IT WORKS!, IT WORKS!, IT WORKS! I can now browse all of the machines at work!!

Once I got ip_forward set to 1, I still couldn't browse but I could ping everything by IP address. I then set ms-dns in the options file, restarted pptpd and could then ping all my machines by name and IP. I still couldn't browse. So I set ms-dns in the options file and restarted and YES, I COULD BROWSE ALL THE MACHINES. Accomplishment is such sweet self-satisfaction.

OK, I still can't print through the secretary's machine, but I think that is a CUPS issue since I have never tried to print through NEMESIS before. NEMESIS can print to the printer on the secretary's machine, but I believe all of the others use peer-to-peer to access the printer and don't go through NEMESIS. I'll dig a little more into that, unless one of you has any ideas. Oh well, that is a problem for tomorrow. I've got a hearing tomorrow morning and it is 0018 my time so I better go get some rest. If you guys have any other suggestions on the printing issue, send them on, I'll check back at 0700 CST or 1300 UTC (zulu). I'll see if we can't tackle that problem tomorrow.

YOU GUYS ARE AWESOME!!! If I can ever return the favor, I will do everything I can to help!

I have included the final sequence of events below just for the sake of completeness and just in case these threads end up in a list archive somewhere. Hopefully someone else may benefit from everyone's knowledge and suggestions.

Thanks,
David Rankin, Nacogdoches, Texas

George,

I set ip_forward to 1 and confirmed that it did get set, and I CAN PING ALL OF THE OTHER MACHINES -- YEAH! (see below)

    C:\>ping 192.168.7.14          (NEMESIS - Server)

    Pinging 192.168.7.14 with 32 bytes of data:

    Reply from 192.168.7.14: bytes=32 time=83ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=90ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=64ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=64ms TTL=255

    Ping statistics for 192.168.7.14:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 64ms, Maximum = 90ms, Average = 75ms

    C:\>ping 192.168.7.100         (RANKIN at work)

    Pinging 192.168.7.100 with 32 bytes of data:

    Reply from 192.168.7.100: bytes=32 time=110ms TTL=63
    Reply from 192.168.7.100: bytes=32 time=75ms TTL=63
    Reply from 192.168.7.100: bytes=32 time=75ms TTL=63
    Reply from 192.168.7.100: bytes=32 time=130ms TTL=63

    Ping statistics for 192.168.7.100:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 75ms, Maximum = 130ms, Average = 97ms

    C:\>ping 192.168.7.98          (SECRETARY at work)

    Pinging 192.168.7.98 with 32 bytes of data:

    Reply from 192.168.7.98: bytes=32 time=177ms TTL=127
    Reply from 192.168.7.98: bytes=32 time=80ms TTL=127
    Reply from 192.168.7.98: bytes=32 time=75ms TTL=127
    Reply from 192.168.7.98: bytes=32 time=75ms TTL=127

    Ping statistics for 192.168.7.98:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 75ms, Maximum = 177ms, Average = 101ms

I enabled ms-dns in the options file and now I can ping the office computers by name (See below)

    C:\>ping nemesis.rbpllc.com

    Pinging nemesis.rbpllc.com [192.168.7.14] with 32 bytes of data:

    Reply from 192.168.7.14: bytes=32 time=58ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=60ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=85ms TTL=255
    Reply from 192.168.7.14: bytes=32 time=60ms TTL=255

    Ping statistics for 192.168.7.14:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 58ms, Maximum = 85ms, Average = 65ms

    C:\>ping secretary.rbpllc.com

    Pinging secretary.rbpllc.com [192.168.7.98] with 32 bytes of data:

    Reply from 192.168.7.98: bytes=32 time=200ms TTL=127
    Reply from 192.168.7.98: bytes=32 time=70ms TTL=127
    Reply from 192.168.7.98: bytes=32 time=75ms TTL=127
    Reply from 192.168.7.98: bytes=32 time=75ms TTL=127

    Ping statistics for 192.168.7.98:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 70ms, Maximum = 200ms, Average = 105ms

Set ms-dns to server address and, I CAN BROWSE!!!!!!!!!!!!!

Thanks -- David


From: vgill at technologist.com (Gill, Vern)
Date: Tue, 13 Mar 2001 23:13:18 -0800
Subject: [pptp-server] New question about ppp 2.4
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D26@ftp.gillnet.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is also a "howto" for ppp-2.4.x with various patches at http://linus.yi.org. Click on the PPP tab at the top...

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOq8YUReamMdwy9TXEQKOkACg5DiVAC6YQI7MRWuOPZePN6eP0CwAoIQ5
z6lFZ0rsAVcFiUI9aIEugyht
=348D
-----END PGP SIGNATURE-----

From: berzerke at swbell.net (robert)
Date: Wed, 14 Mar 2001 10:10:44 -0600
Subject: [pptp-server] Re: Can access shares on poptop server but nothing else!
In-Reply-To: <3AAEF0E8.A5A0EE7B@cox-internet.com>
References: <200FAA488DE0D41194F10010B597610D0A66C9@JUPITER> <3AAEF0E8.A5A0EE7B@cox-internet.com>
Message-ID: <01031410104400.27351@linux>

On Tuesday 13 March 2001 22:17, David Rankin wrote:
> George Vieira wrote:

Here is probably the key to your problem:

> > Have you got ip forwarding enabled on your pptpd server?
>
> Uhh, I think so? All of my IP traffic goes through NEMESIS. It is my
> internal DNS and gateway and handles all of the traffic from the router and
> forwards it to the right machines in the office. All of the machines have
> no problem accessing the net through NEMESIS. I guess a picture would help
>
> [SKYLINE] => [internet] => [Linksys cable/dsl router] => [NEMESIS]
> =>[others on lan]
>
> On the lan side all machines can talk to each other. However, the windows
> to windows may be getting done by peer-to-peer. They all access the server
> and use the internet as shown above, but on the lan side I don't have to go
> through NEMESIS to get to the other windows machines. I just don't know. Do
> you have any additional thoughts after the latest information?
>
> Thanks
> David Rankin
> Nacogdoches, Texas

Poptop connection is a ppp connection, not an eth connection. Therefore your pptpd server *MUST* forward the packets to the rest of the network (and vice versa) in order for you to connect with the rest of the network. At *minimum*, you have to have forwarding enabled ("echo 1 >/proc/sys/net/ipv4/ip_forward" as root). If you were running a firewall, that would have to allow the forwarding as well.

From lee at booksys.com Wed Mar 14 11:24:53 2001
From: lee at booksys.com (Lee Smith)
Date: Wed, 14 Mar 2001 11:24:53 CST
Subject: [pptp-server] Overruns on sl0/1 causing major network issues!
Message-ID: <200103141724.f2EHOAY13806@mail.booksys.com>

I'm having some problems with pptp... On sl0 I'm getting way too many overruns, causing the connection to be horribly unstable. Any insight as to what would cause this kind of behavior? Or even better, maybe a fix? ;)

sl0       Link encap:VJ Serial Line IP
          inet addr:192.168.10.91  P-t-P:192.168.66.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5086011 errors:0 dropped:0 overruns:5043102 frame:0 compressed:0
          TX packets:5966257 errors:0 dropped:0 overruns:5915216 carrier:0
          collisions:1059 compressed:0 txqueuelen:10

sl1       Link encap:VJ Serial Line IP
          inet addr:192.168.10.28  P-t-P:192.168.65.14  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:245253 errors:0 dropped:0 overruns:240600 frame:0 compressed:0
          TX packets:327206 errors:0 dropped:0 overruns:312041 carrier:0
          collisions:73 compressed:0 txqueuelen:10

--
This our world now....the world of the electron and the switch...the beauty of the baud

From dale at bewley.net Wed Mar 14 11:47:54 2001
From: dale at bewley.net (Dale Bewley)
Date: Wed, 14 Mar 2001 09:47:54 -0800 (PST)
Subject: [pptp-server] Domain name prepended for authentication
In-Reply-To:
Message-ID:

Win2k users login like: user@domain

I was going to make a patch to strip both the nt style and the win2k style, but has that already been done? Glad to find out about this chapms-strip-domain. I've been temporarily adding usernames with the domain prepended.

On Tue, 13 Mar 2001, Christopher Tresco wrote:

> Try to put this in your ppp options file:
>
> chapms-strip-domain
>
> You need to have the respective patch installed as well.
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of
> Glenn.Swonk at tais.com
> Sent: Tuesday, March 13, 2001 7:30 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Domain name prepended for authentication
>
>
> When a user is being authenticated, the NT domain name is prepended to
> the user name for authentication. Since we don't know the domain name
> when the client is configured for access, how do we specify to the
> authentication to ignore the domain name part of the user?
>
> I did apply the smb patch to use the /etc/smbpasswd file for
> authentication.
>
> thanks,
> glenn

--
Dale Bewley - Bewley Internet Solutions Inc. http://bewley.net/

From jward at cem.msu.edu Wed Mar 14 12:34:21 2001
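Added example for the thread above (my code, not pppd, PoPToP or the chapms-strip-domain patch): it separates the two name forms discussed, the NT-style DOMAIN\user that Glenn sees prepended and the Win2k-style user@domain that Dale mentions, and shows what stripping the domain means for the secrets lookup. The `secrets` dict stands in for the user-to-secret map read from chap-secrets, and `allowed_domains` is a hypothetical policy check that chapms-strip-domain itself does not offer; it is there because stripping alone makes "ACME\alice" and any other domain's "alice" the same account.

```python
"""Normalise the account name a Windows PPTP client sends for CHAP.

Added example (not code from pppd, PoPToP or the chapms-strip-domain
patch). It handles the two spellings the thread describes:
NT-style "DOMAIN\\user" and Win2k-style "user@domain".
"""
from typing import NamedTuple, Optional


class PeerName(NamedTuple):
    user: str              # bare account name used for the secrets lookup
    domain: Optional[str]  # domain the client prepended/appended, if any
    style: str             # "nt", "upn" or "plain"


def split_domain(name: str) -> PeerName:
    """Separate the domain part from the user part of a CHAP peer name.

    NT style  : DOMAIN\\user  -> user, DOMAIN
    Win2k UPN : user@domain   -> user, domain
    plain     : user          -> user, None
    A name whose user part would be empty (for example a lone
    backslash) is returned unchanged, so a malformed name never
    collapses to an empty user that might match a wildcard entry.
    """
    if "\\" in name:
        domain, _, user = name.partition("\\")
        if user:
            return PeerName(user, domain or None, "nt")
    elif "@" in name:
        user, _, domain = name.rpartition("@")
        if user:
            return PeerName(user, domain or None, "upn")
    return PeerName(name, None, "plain")


def lookup_secret(name: str, secrets: dict, allowed_domains=None):
    """Look up the CHAP secret for a peer after stripping the domain.

    `secrets` stands in for the user->secret map read from chap-secrets.
    `allowed_domains` is a hypothetical policy parameter (not an option
    of chapms-strip-domain): when given, a name carrying some other
    domain is rejected instead of silently mapped onto the bare user.
    Returns the secret, or None when no entry applies.
    """
    peer = split_domain(name)
    if allowed_domains is not None and peer.domain is not None:
        allowed = {d.lower() for d in allowed_domains}
        if peer.domain.lower() not in allowed:
            return None
    return secrets.get(peer.user)


if __name__ == "__main__":
    # Constructed sample secrets table; not a real chap-secrets file.
    table = {"alice": "s3cret"}
    for n in ("ACME\\alice", "alice@acme.example", "alice", "EVIL\\alice"):
        print(n, "->", split_domain(n), lookup_secret(n, table, ["ACME"]))
```

The default (no `allowed_domains`) behaves like the patch: the domain is discarded and only the bare user is looked up. A server that serves a single domain can pass that domain to keep the namespace from collapsing.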
From: jward at cem.msu.edu (Joe Ward)
Date: Wed, 14 Mar 2001 13:34:21 -0500
Subject: [pptp-server] GRE Errors.
Message-ID: <5.0.2.1.2.20010314125602.00b0d470@pop3.norton.antivirus>

I have pptpd setup on my redhat 6.2 box

everything works just fine (browsing, forwarding, etc.) my problem is that I am getting some major GRE errors

here is just a snippet:

Mar 14 10:06:22 liquid pptpd[11833]: CTRL: Starting call (launching pppd, opening GRE)
Mar 14 10:06:22 liquid pptpd[11833]: GRE: Discarding duplicate packet
Mar 14 10:06:58 liquid pptpd[11833]: GRE: Discarding out of order packet

and this is just from sending a single e-mail message. I can go back and dig up logs where I get like 30 or 40 of them in a row when I try to transfer a file or get a web page. Obviously discarding packets is going to slow down my connection. But I don't know if it's bad enough to have to worry about it, or is this just something that happens.

there are 16 hops between the two, 1/2 of them are campus routers for the fiber optic backbone and such.

for background:

Server:
Pptpd 1.0.1 patched for mschap
pppd 2.3.11 patched for encryption
redhat 6.2 kernel 2.2.16-3
Trinity OS firewall modified to allow for the pptp traffic to be forwarded and such.
Cable modem (@home)

Workstation:
Toshiba Laptop
Win2k SP1
IE5.5 SP1
on Standard Ethernet on MSU campus

From ctresco at mit.edu Wed Mar 14 12:36:23 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Wed, 14 Mar 2001 13:36:23 -0500
Subject: [pptp-server] GRE Errors.
In-Reply-To: <5.0.2.1.2.20010314125602.00b0d470@pop3.norton.antivirus>
Message-ID:

Hi,

The devel version of pptp from poptop.lineo.com supports out of order packets. I have heard that this version of pptpd is stable. Try it.

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Ward
> Sent: Wednesday, March 14, 2001 1:34 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] GRE Errors.
>
>
> I have pptpd setup on my redhat 6.2 box
>
> everything works just fine (browsing, forwarding,etc.) my problem
> is that I
> am getting some major GRE errors
>
> here is just a snippet:
>
> Mar 14 10:06:22 liquid pptpd[11833]: CTRL: Starting call (launching pppd,
> opening
> GRE)
> Mar 14 10:06:22 liquid pptpd[11833]: GRE: Discarding duplicate packet
> Mar 14 10:06:58 liquid pptpd[11833]: GRE: Discarding out of order packet
>
> and this is just from sending a single e-mail message. I can go back and
> dig up logs where I get like 30 or 40 of them in a row when I try to
> transfer a file or get a web page. obviously discarding packets is going
> to slow down my connection. But I don't know if it's bad enough
> to have to
> worry about it. or is this just something that happens.
>
> there are 16 hops between the two 1/2 of them are campus routers for the
> fiber optic backbone and such.
>
> for background:
>
> Server:
> Pptpd 1.0.1 patched for mschap
> pppd 2.3.11 patched for encryption
> redhat 6.2 kernel 2.2.16-3
> Trinity OS firewall modified to allow for the pptp traffic to be
> forwarded
> and such.
> Cable modem (@home)
>
> Workstation:
> Toshiba Laptop
> Win2k SP1
> IE5.5 SP1
> on Standard Ethernet on MSU campus
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From jward at cem.msu.edu Wed Mar 14 12:45:11 2001
From: jward at cem.msu.edu (Joe Ward)
Date: Wed, 14 Mar 2001 13:45:11 -0500
Subject: [pptp-server] GRE Errors.
In-Reply-To:
References: <5.0.2.1.2.20010314125602.00b0d470@pop3.norton.antivirus>
Message-ID: <5.0.2.1.2.20010314134452.00b16008@pop3.norton.antivirus>

do I need to recompile pppd or anything like that or just the pptpd?

-Joe

At 3/14/2001 01:36 PM, Christopher Tresco wrote:
>Hi,
>
>The devel version of pptp from poptop.lineo.com supports out of order
>packets. I have heard that this version of pptpd is stable. Try it.
>
>
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Ward
> > Sent: Wednesday, March 14, 2001 1:34 PM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] GRE Errors.
> >
> >
> > I have pptpd setup on my redhat 6.2 box
> >
> > everything works just fine (browsing, forwarding,etc.) my problem
> > is that I
> > am getting some major GRE errors
> >
> > here is just a snippet:
> >
> > Mar 14 10:06:22 liquid pptpd[11833]: CTRL: Starting call (launching pppd,
> > opening
> > GRE)
> > Mar 14 10:06:22 liquid pptpd[11833]: GRE: Discarding duplicate packet
> > Mar 14 10:06:58 liquid pptpd[11833]: GRE: Discarding out of order packet
> >
> > and this is just from sending a single e-mail message. I can go back and
> > dig up logs where I get like 30 or 40 of them in a row when I try to
> > transfer a file or get a web page. obviously discarding packets is going
> > to slow down my connection. But I don't know if it's bad enough
> > to have to
> > worry about it. or is this just something that happens.
> >
> > there are 16 hops between the two 1/2 of them are campus routers for the
> > fiber optic backbone and such.
> >
> > for background:
> >
> > Server:
> > Pptpd 1.0.1 patched for mschap
> > pppd 2.3.11 patched for encryption
> > redhat 6.2 kernel 2.2.16-3
> > Trinity OS firewall modified to allow for the pptp traffic to be
> > forwarded
> > and such.
> > Cable modem (@home)
> >
> > Workstation:
> > Toshiba Laptop
> > Win2k SP1
> > IE5.5 SP1
> > on Standard Ethernet on MSU campus

From ctresco at mit.edu Wed Mar 14 12:43:28 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Wed, 14 Mar 2001 13:43:28 -0500
Subject: [pptp-server] GRE Errors.
In-Reply-To: <5.0.2.1.2.20010314134452.00b16008@pop3.norton.antivirus>
Message-ID:

Just pptpd.

> -----Original Message-----
> From: Joe Ward [mailto:jward at cem.msu.edu]
> Sent: Wednesday, March 14, 2001 1:45 PM
> To: Christopher Tresco; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] GRE Errors.
>
>
> do I need to recompile pppd or anything like that or just the pptpd?
>
> -Joe
>
> At 3/14/2001 01:36 PM, Christopher Tresco wrote:
> >Hi,
> >
> >The devel version of pptp from poptop.lineo.com supports out of order
> >packets. I have heard that this version of pptpd is stable. Try it.
> >
> >
> >
> > > -----Original Message-----
> > > From: pptp-server-admin at lists.schulte.org
> > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Ward
> > > Sent: Wednesday, March 14, 2001 1:34 PM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] GRE Errors.
> > >
> > >
> > > I have pptpd setup on my redhat 6.2 box
> > >
> > > everything works just fine (browsing, forwarding,etc.) my problem
> > > is that I
> > > am getting some major GRE errors
> > >
> > > here is just a snippet:
> > >
> > > Mar 14 10:06:22 liquid pptpd[11833]: CTRL: Starting call (launching pppd,
> > > opening
> > > GRE)
> > > Mar 14 10:06:22 liquid pptpd[11833]: GRE: Discarding duplicate packet
> > > Mar 14 10:06:58 liquid pptpd[11833]: GRE: Discarding out of order packet
> > >
> > > and this is just from sending a single e-mail message. I can go back and
> > > dig up logs where I get like 30 or 40 of them in a row when I try to
> > > transfer a file or get a web page. obviously discarding packets is going
> > > to slow down my connection. But I don't know if it's bad enough
> > > to have to
> > > worry about it. or is this just something that happens.
> > >
> > > there are 16 hops between the two 1/2 of them are campus routers for the
> > > fiber optic backbone and such.
> > >
> > > for background:
> > >
> > > Server:
> > > Pptpd 1.0.1 patched for mschap
> > > pppd 2.3.11 patched for encryption
> > > redhat 6.2 kernel 2.2.16-3
> > > Trinity OS firewall modified to allow for the pptp traffic to be
> > > forwarded
> > > and such.
> > > Cable modem (@home)
> > >
> > > Workstation:
> > > Toshiba Laptop
> > > Win2k SP1
> > > IE5.5 SP1
> > > on Standard Ethernet on MSU campus

From jacob at iensemble.com Wed Mar 14 13:38:19 2001
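Added example for the GRE thread above (my code, not part of PoPToP or pptpd): it parses syslog lines of the form shown in Joe Ward's snippet, counts "Discarding duplicate packet" and "Discarding out of order packet" messages per control-connection PID, and flags sessions whose discard count reaches a threshold, so a reordering problem on a long path (which the devel version that accepts out-of-order packets addresses) can be told apart from a stream that is arriving twice before anything is upgraded. The log lines, host name, PIDs and the 192.0.2.10 client address are constructed in the format of the thread; the threshold value is arbitrary.

```python
"""Summarise GRE discards per pptpd control connection from syslog.

Added example (not part of PoPToP or pptpd). The log lines below are
constructed in the format shown in the thread; the host, PIDs and the
client address are made up.
"""
import re
from collections import defaultdict

# Syslog prefix followed by pptpd's "pptpd[PID]: SUBSYS: message" form.
_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"pptpd\[(?P<pid>\d+)\]: (?P<sub>[A-Z]+): (?P<msg>.*)$"
)

SAMPLE_LOG = """\
Mar 14 10:06:22 liquid pptpd[11833]: CTRL: Client 192.0.2.10 control connection started
Mar 14 10:06:22 liquid pptpd[11833]: CTRL: Starting call (launching pppd, opening GRE)
Mar 14 10:06:22 liquid pptpd[11833]: GRE: Discarding duplicate packet
Mar 14 10:06:58 liquid pptpd[11833]: GRE: Discarding out of order packet
Mar 14 10:07:03 liquid pptpd[11833]: GRE: Discarding out of order packet
Mar 14 10:07:10 liquid pptpd[11901]: CTRL: Starting call (launching pppd, opening GRE)
Mar 14 10:07:15 liquid pptpd[11901]: GRE: Discarding duplicate packet
Mar 14 10:07:15 liquid pptpd[11901]: GRE: Discarding duplicate packet
Mar 14 10:07:16 liquid pptpd[11901]: GRE: Discarding duplicate packet
Mar 14 10:09:00 liquid pptpd[11833]: CTRL: Client 192.0.2.10 control connection finished
this line is not a pptpd message and must be ignored
"""


def parse_line(line):
    """Return the fields of one pptpd syslog line, or None if it is not one."""
    m = _LINE.match(line)
    return m.groupdict() if m else None


def summarise(log_text):
    """Per-PID counts of GRE discards plus whether the call started/finished."""
    stats = defaultdict(lambda: {"duplicate": 0, "out_of_order": 0,
                                 "other_gre": 0, "started": False,
                                 "finished": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[int(rec["pid"])]
        if rec["sub"] == "GRE" and rec["msg"].startswith("Discarding"):
            if "duplicate" in rec["msg"]:
                s["duplicate"] += 1
            elif "out of order" in rec["msg"]:
                s["out_of_order"] += 1
            else:
                s["other_gre"] += 1
        elif rec["sub"] == "CTRL":
            if "Starting call" in rec["msg"]:
                s["started"] = True
            elif "control connection finished" in rec["msg"]:
                s["finished"] = True
    return dict(stats)


def noisy_sessions(stats, threshold=3):
    """PIDs whose GRE discards reach `threshold`, with the dominant kind.

    Out-of-order discards point at reordering on the path (the 1.0.1
    server drops such packets; the devel version named in the thread
    accepts them). A run of pure duplicates with no reordering is a
    different symptom (packets arriving twice, not late) and is worth
    examining separately. The threshold is an arbitrary constructed value.
    """
    out = {}
    for pid, s in stats.items():
        total = s["duplicate"] + s["out_of_order"] + s["other_gre"]
        if total >= threshold:
            kind = max(("duplicate", "out_of_order", "other_gre"),
                       key=lambda k: s[k])
            out[pid] = (total, kind)
    return out


if __name__ == "__main__":
    st = summarise(SAMPLE_LOG)
    for pid, info in noisy_sessions(st).items():
        print(pid, info, "finished" if st[pid]["finished"] else "open")
```

Feeding a real /var/log/messages through `summarise` instead of `SAMPLE_LOG` gives the same per-session view; the parser only relies on the "pptpd[PID]: SUBSYS:" shape visible in the thread.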
From: jacob at iensemble.com (Jacob Walcik)
Date: Wed, 14 Mar 2001 13:38:19 -0600
Subject: [pptp-server] poptop on openbsd with encryption
Message-ID: <1227523796-155191736@mail.iensemble.com>

i've found several documents outlining how to get poptop working on free/openbsd, but none of them outline how to do so with encrypted tunnels. has anyone had any luck with this?

From christopher at schulte.org Wed Mar 14 14:02:41 2001
From: christopher at schulte.org (Christopher Schulte)
Date: Wed, 14 Mar 2001 14:02:41 -0600
Subject: [pptp-server] administrivia
Message-ID: <5.0.2.1.0.20010314135825.00ab91b0@pop.schulte.org>

I've just installed MAPS rbl, dul, and rss[1] on the mail server that handles this list. It may help to curb spam to the list.

The mailing list software[2] itself has also been upgraded to 2.0.3

[1] http://www.mail-abuse.org/
[2] http://www.list.org/

From dolivier at bondedcollections.com Wed Mar 14 14:40:46 2001
From: dolivier at bondedcollections.com (Douglas J. Olivier)
Date: Wed, 14 Mar 2001 13:40:46 -0700 (US Mountain Standard Time)
Subject: [pptp-server] pptpd error
Message-ID: <3AAFD74E.000018.72673@bonded.dakotanet.com>

I've compiled pptpd-1.0.1 ppp-2.3.11 and the kernel 2.2.17, following Dread Boys HowTo. During the compile of the modules I got a ppp_compressor error but they apparently compiled. Now I get the following error:

pptpd -d
Long config line ignored

pptpd.conf
option /etc/ppp/options
debug
localip 199.29.166.50-59
remoteip 199.29.166.70-79

/etc/ppp/options
lock
debug
name pptpsrv1
proxyarp
netmask 255.255.255.0
auth
mru 1450
mtu 1450
require-chap
require-chapms
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

I've recompiled fresh sources several times but continue to get the same errors; any help would be appreciated.

From rsmith at atsworld.com Wed Mar 14 15:13:20 2001
From: rsmith at atsworld.com (Smith, Rick)
Date: Wed, 14 Mar 2001 16:13:20 -0500
Subject: [pptp-server] FreeBSD 3.2 Problems
Message-ID: <88786160BFD1D211B10800A0C9EC744EAB7AA4@corp.atsworld.com>

Hi all, trying to run PopTop 1.0.1 on FreeBSD 3.2 RELEASE. I can get ONE connection up and running, but every additional connection attempt closes immediately upon trying with a "620" error from Microsoft.

Using PPTPD with Windows 2000 client in PAP only mode. Never did seem to get standard Microsoft CHAP working properly. If anyone has suggestions there, I'd love to hear them.

Thanks
Rick

From jmoore at sailnet.com Wed Mar 14 15:50:29 2001
From: jmoore at sailnet.com (Jay Moore)
Date: Wed, 14 Mar 2001 21:50:29 GMT
Subject: [pptp-server] mppe patch compile error
Message-ID: <20010314.21502900@merlin.sailnet.com>

I have linux 2.2.17 ppp-2.3.11 and the ppp-2.3.11-openssl-norc4-mppe.patch patch

tar -zxvf ppp-2.3.11.tar.gz
cd ppp.2.3.11
patch -p1 <../ppp-2.3.11-openssl-norc4-mppe.patch
./configure
make
make kernel install
cd /usr/src/linux
make dep; make bzimage;

make[3]: Entering directory `/usr/src/linux/drivers/net'
cc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -fno-strength-reduce -m486 -malign-loops=2 -malign-jumps=2 -malign-functions=2 -DCPU=686 -DEXPORT_SYMTAB -c ppp.c
ppp.c:100: warning: static declaration for `ppp_unregister_compressor' follows non-static
ppp.c:174: `PPP_VERSION' undeclared here (not in a function)
ppp.c: In function `ppp_tty_open':
ppp.c:418: `PPP_MAGIC' undeclared (first use in this function)
ppp.c:418: (Each undeclared identifier is reported only once
ppp.c:418: for each function it appears in.)
ppp.c: In function `ppp_tty_close':
ppp.c:463: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_tty_read':
ppp.c:511: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_tty_write':
ppp.c:600: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_tty_ioctl':
ppp.c:659: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_tty_poll':
ppp.c:817: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_tty_wakeup':
ppp.c:845: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_sync_send':
ppp.c:869: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_tty_sync_push':
ppp.c:922: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_async_send':
ppp.c:978: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_tty_push':
ppp.c:1004: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_async_encode':
ppp.c:1073: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_tty_receive':
ppp.c:1207: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_dev_close':
ppp.c:1560: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_dev_ioctl':
ppp.c:1594: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_ioctl':
ppp.c:1642: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_receive_error':
ppp.c:2235: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `rcv_proto_ip':
ppp.c: In function `ppp_alloc':
ppp.c:2847: `PPP_MAGIC' undeclared (first use in this function)
ppp.c: In function `ppp_release':
ppp.c:2933: `PPP_MAGIC' undeclared (first use in this function)
make[3]: *** [ppp.o] Error 1
make[3]: Leaving directory `/usr/src/linux/drivers/net'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux/drivers/net'
make[1]: *** [_subdir_net] Error 2
make[1]: Leaving directory `/usr/src/linux/drivers'
make: *** [_dir_drivers] Error 2

what am I doing wrong.

Jay

From JaminC at adapt-tele.com Wed Mar 14 18:41:48 2001
From: JaminC at adapt-tele.com (Jamin Collins)
Date: Wed, 14 Mar 2001 18:41:48 -0600
Subject: [pptp-server] mppe patch compile error
Message-ID:

Jay Moore [mailto:jmoore at sailnet.com] wrote:

> ppp.c: In function `ppp_tty_read':
> ppp.c:511: `PPP_MAGIC' undeclared (first use in this function)
(snip)
> what am I doing wrong.

The answer to this problem is in the FAQ http://www.vibrationresearch.com/pptpd/pptpd-FAQ.txt:

7.4.1. Get PPP_VERSION or PPP_MAGIC undefined error message while compiling ppp kernel modules

Solution: add the following lines to /usr/src/linux/include/linux/if_ppp.h

#define PPP_VERSION "2.3.11"
#define PPP_MAGIC 0x5002 /* Magic value for the ppp structure */

I'm not a big fan of telling people to RTFM, but sometimes it doesn't hurt. Also, I found similar documentation by simply searching for "ppp_magic poptop" at http://www.hotbot.com.

Jamin W. Collins

From ckhui at school.net.hk Thu Mar 15 11:05:34 2001
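Added example for the FAQ fix Jamin quotes above (my code, not from the pptpd FAQ or the MPPE patch): it adds the two #define lines to a copy of if_ppp.h only when the header does not already define that macro, so running it twice, or on a header that already carries one of the lines, does not leave duplicate definitions behind. The header path is a parameter, the sample header content is constructed, and `demo()` exercises the helper on a temporary file.

```python
"""Idempotently add the PPP_VERSION / PPP_MAGIC defines named in the FAQ.

Added example (not from the pptpd FAQ or the ppp patch). The macro
values are the ones quoted in the thread; SAMPLE_HEADER is a
constructed stand-in for the real if_ppp.h.
"""
import re
import tempfile
from pathlib import Path

# The two lines the FAQ gives, keyed by macro name.
FAQ_DEFINES = {
    "PPP_VERSION": '#define PPP_VERSION "2.3.11"',
    "PPP_MAGIC": "#define PPP_MAGIC 0x5002 /* Magic value for the ppp structure */",
}

# Constructed stand-in for if_ppp.h: it already has one of the two macros.
SAMPLE_HEADER = """\
#ifndef _IF_PPP_H_
#define _IF_PPP_H_
/* constructed sample header, not the real if_ppp.h */
#define PPP_VERSION "2.3.11"
#endif /* _IF_PPP_H_ */
"""


def defined_macros(text):
    """Names of macros defined by a '#define NAME ...' line anywhere in text."""
    return set(re.findall(r"^\s*#\s*define\s+([A-Za-z_]\w*)", text, re.M))


def ensure_defines(path, defines=FAQ_DEFINES):
    """Add the missing #define lines to the header at `path`.

    Returns the list of macro names that were added (empty when the
    header already defined all of them). If the file ends with an
    #endif include guard the lines go just before it, otherwise at the
    end of the file.
    """
    p = Path(path)
    text = p.read_text()
    have = defined_macros(text)
    missing = [name for name in defines if name not in have]
    if not missing:
        return []
    lines = text.rstrip("\n").split("\n")
    new_lines = [defines[n] for n in missing]
    if lines and lines[-1].lstrip().startswith("#endif"):
        lines[-1:-1] = new_lines          # keep the guard as the last line
    else:
        lines.extend(new_lines)
    p.write_text("\n".join(lines) + "\n")
    return missing


def demo():
    """Run ensure_defines twice on the constructed header in a temp dir.

    Returns (added on first run, added on second run, final header text).
    """
    with tempfile.TemporaryDirectory() as d:
        hdr = Path(d) / "if_ppp.h"
        hdr.write_text(SAMPLE_HEADER)
        first = ensure_defines(hdr)
        second = ensure_defines(hdr)
        final = hdr.read_text()
    return first, second, final


if __name__ == "__main__":
    added, added_again, text = demo()
    print("first run added:", added, "second run added:", added_again)
    print(text)
```

On a real tree the call would be `ensure_defines("/usr/src/linux/include/linux/if_ppp.h")`; check the diff before rebuilding, since a header that defines PPP_MAGIC with some other value is left untouched by design (the macro counts as present).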
From: ckhui at school.net.hk (Hui Chun Kit)
Date: Fri, 16 Mar 2001 01:05:34 +0800
Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
Message-ID: <3AB0F65D.8636EF03@school.net.hk>

Dear all,

I am running RH7 so I do love to use PAM since the pppd coming with RH7 is PAM-enabled. However, I cannot find any doc telling me how to authenticate with PAM and in fact, can I setup a PPTP server such that:

- all clients are WinME/Win98
- uses MSCHAP and encryption
- authenticate against a NT PDC or sth like this with PAM

Do any have any exp? Please share.. I have tried to setup the PPTP server tonite but not yet tested it with Win98/ME but I will do it later. I failed to connect to this PPTP server from a linux box running pptp-linux. No clues at the moment.....

Any guidelines will highly be appreciated.

thx

--
Best Rgds,

Jacky Hui
Hong Kong

From ctresco at mit.edu Fri Mar 16 10:39:01 2001
From: ctresco at mit.edu (Chris Tresco)
Date: Fri, 16 Mar 2001 11:39:01 -0500
Subject: [pptp-server] Packets wont pass between localip and remoteip
References: <3AB0F65D.8636EF03@school.net.hk>
Message-ID: <008d01c0ae37$9db5de30$b201a8c0@snpc.net>

Kernel 2.4.2 , ppp 2.4.0

I have no idea why.

Here are my files:

options:

logfile /var/log/pppd.log
debug
netmask 255.255.255.255
name tvgrid
##lock
noauth
proxyarp
defaultroute
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless
ms-dns 192.168.1.2
ms-dns 192.168.1.4
#require-chap

pptpd.conf:

debug
speed 115200
localip 192.168.1.130-132
remoteip 192.168.1.133-135

ipchains allows everything....

Thanks.

----- Original Message -----
From: "Hui Chun Kit"
To:
Sent: Thursday, March 15, 2001 12:05 PM
Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC

> Dear all,
>
> I am running RH7 so I do love to use PAM since the pppd coming with
> RH7
> is PAM-enabled. However, I cannot find any doc telling me how to
> authenticate
> with PAM and in fact, can I setup a PPTP server such that:
>
> - all clients are WinME/Win98
> - uses MCHAP and encryption
> - authenticate against a NT PDC or sth like this with PAM
>
> Do any have any exp? Please shares.. I have tried to setup the PPTP
> server tonite but not yet tested it with Win98/ME but I will do it
> later. I failed
> to connect to this PPTP server from a linux box running pptp-linux. No
> clues
> at the moment.....
> Any guidelines will highly be appreciated.
> thx
>
> --
> Best Rgds,
>
> Jacky Hui
> Hong Kong

From kathee at mindiq.com Thu Mar 15 11:04:34 2001
From: kathee at mindiq.com (kat)
Date: Thu, 15 Mar 2001 12:04:34 -0500
Subject: [pptp-server] win98 - authentication issues
In-Reply-To:
References: <001f01c0a9b5$48e955c0$698c24d8@bsun>
Message-ID: <5.0.2.1.2.20010315120221.00c20ca8@mail.mindiq.com>

No matter what I try, I can not get windows 98 to send a username correctly to my samba servers so the users can map the drives. Any tips on this? In my samba logs, it always shows up as "." as the user. Even though the username for VPN access is exactly the same as the domain username. Of course with NT and 2000 it works perfectly, since usernames are sent correctly... I guess I could just tell them I will not support 98 (which I want to do) but I thought I would try one more time...

thanks
Kathee

From GeorgeV at citadelcomputer.com.au Mon Mar 19 15:36:55 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Tue, 20 Mar 2001 08:36:55 +1100
Subject: [pptp-server] win98 - authentication issues
Message-ID: <200FAA488DE0D41194F10010B597610D0A68CD@JUPITER>

Is your Win98 user the same user on Win2K and NT?
Have you updated their login in /etc/smbpasswd file?
Is the Win98 machine using encrypted passwords?

thanks,
George Vieira

-----Original Message-----
From: kat [mailto:kathee at mindiq.com]
Sent: Friday, March 16, 2001 4:05 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] win98 - authentication issues

No matter what I try, I can not get windows 98 to send a username correctly to my samba servers so the users can map the drives. Any tips on this? In my samba logs, it always shows up as "." as the user. Even though the username for VPN access is exactly the same as the domain username. Of course with NT and 2000 it works perfectly, since usernames are sent correctly... I guess I could just tell them I will not support 98 (which I want to do) but I thought I would try one more time...

thanks
Kathee

From drankin at cox-internet.com Wed Mar 14 23:03:38 2001
From: drankin at cox-internet.com (David Rankin)
Date: Wed, 14 Mar 2001 23:03:38 -0600
Subject: [pptp-server] IT WORKS (WAS: Can access shares on poptop server but nothing else!)
Message-ID: <3AB04D2A.8B901CF5@cox-internet.com>

Alright guys, it's WORKING!

I solved the problem of not being able to print to the laserjet 4 that is attached to my secretary's WinME box as sec_hplj4. This doesn't make any sense, but this is what fixed it.

First, through the VPN connection and Network Neighborhood, I would double-click the printer and windoze would prompt me to set-up the printer. I would go through the setup (existing driver already installed) and I would give the printer a logical name (RB HP Laserjet 4) -- (RB for Rankin*Bertin). This is the way I have always done it and never had a problem. Well, as you know, I was having fits trying to print, even after we had solved my ip_forward problem and I could access all machines on my lan via pptpd.

Since samba shares the printer as sec_hplj4, I decided, what the heck, let's just try giving the printer the illogical name of sec_hplj4, which shouldn't matter because the local path on the printer shows the correct path of \\Secretary\sec_hplj4 and the name you give it in windoze is just for your convenience. Well, when I did this exercise, gave a name for the printer as sec_hplj4 and hit 'print test page', BINGO, it printed to the secretary's printer like magic.

What this tells me is that the remote windows printer name has to match the smb share name of the printer in order for the printer to work -- at least through CUPS. This really makes NO sense, since the printer path should control. However, for whatever reason, samba wants the windoze printer name to match the printcaps printer designation to allow remote printing over vpn.

I just thought I would let everyone know what I found and hopefully contribute to the growing body of knowledge regarding PoPToP. Thanks once again for all your wonderful and much needed assistance.

David Rankin
Nacogdoches, Texas

From frederic.soulier at sxb.bsf.alcatel.fr Thu Mar 15 04:32:41 2001
From: frederic.soulier at sxb.bsf.alcatel.fr (Frederic SOULIER)
Date: Thu, 15 Mar 2001 11:32:41 +0100
Subject: [pptp-server] Contacting a PPTP Server behind a Linux box w/o ip_masq_vpn ?
References: <000a01bf7306$3565b840$8400000a@reamined.on.ca>
Message-ID: <3AB09A49.AFF8F8A6@sxb.bsf.alcatel.fr>

Hello there,

I have to do a very common thing: configure a Linux box to allow access from an external PPTP client (W98, WNT, W2K) to an internal (on the LAN) PPTP server (PoPToP, ...).

My problem is that I have only a linux 2.2.13 kernel and cannot patch it! I have port forwarding (TCP 1723) installed on the linux box. PPTP/CTRL connection is ok. How can I handle GRE packets?

ipfwd works well from the client to the server but since Linux masquerading (on my 2.2.13 kernel) doesn't handle the GRE protocol (47) no answer is given to the client. So, I'm looking for an alternative to ipfwd (another application), something like a PPTP/GRE proxy (maybe transparent proxying).

Any idea?

Frederic

From penso at linuxfr.org Thu Mar 15 06:02:20 2001
From: penso at linuxfr.org (Fabien Penso)
Date: 15 Mar 2001 13:02:20 +0100
Subject: [pptp-server] Cisco firewall rules
Message-ID:

Hi,

I do setup a pptp server inside a network. The Cisco has an access list which prevents everything from getting in. I added:

access-list 110 permit tcp any 213.XX.XX.XX 0.0.0.0 eq 1723

so people outside can get into the pptp. It looks to work but then the GRE doesn't go through. I thought GRE was open by default, I guess the last line:

access-list 110 deny ip any any

stops that. Is the following line correct if I want to let GRE as input?

access-list 110 permit 47 any 213.XX.XX.XX 0.0.0.0

As far as I have read the FAQ, I need to open GRE which is protocol 47, but I'm not really good at cisco firewall rules, so I would prefer a confirm from someone here.

Thanks.

From doc at docwardo.net Sat Mar 17 07:38:40 2001
From: doc at docwardo.net (Joe Ward) Date: Sat, 17 Mar 2001 08:38:40 -0500 Subject: [pptp-server] Packets wont pass between localip and remoteip In-Reply-To: <008d01c0ae37$9db5de30$b201a8c0@snpc.net> References: <3AB0F65D.8636EF03@school.net.hk> Message-ID: <5.1.0.10.2.20010317083155.00af7b48@argus.cem.msu.edu> I had this when I first started and I was missing one of these two ipchains: /sbin/ipchains -A forward -j ACCEPT -i ppp+ -s $INTLAN -d $INTLAN /sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $INTLAN I think if you have an inherently open FW setup then you just have to have the second one. -Joe Ward At 3/16/2001 11:39 AM, Chris Tresco wrote: >Kernel 2.4.2 , ppp 2.4.0 > > >I have no idea why. > >Here are my files: > >options: > >logfile /var/log/pppd.log >debug >netmask 255.255.255.255 >name tvgrid >##lock >noauth >proxyarp >defaultroute >+chap >+chapms >+chapms-v2 >mppe-40 >mppe-128 >mppe-stateless >require-mppe >require-mppe-stateless >ms-dns 192.168.1.2 >ms-dns 192.168.1.4 >#require-chap > >pptpd.conf: > >debug >speed 115200 >localip 192.168.1.130-132 >remoteip 192.168.1.133-135 > >ipchains allows everything.... > > >Thanks. > > >----- Original Message ----- 
>From: "Hui Chun Kit" >To: >Sent: Thursday, March 15, 2001 12:05 PM >Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC > > > > Dear all, > > > > I am running RH7 so I do love to use PAM since the pppd coming with > > RH7 > > is PAM-enabled. However, I cannot find any doc telling me how to > > authenticate > > with PAM and in fact, can I setup a PPTP server such that: > > > > - all clients are WinME/Win98 > > - uses MCHAP and encryption > > - authenticate against a NT PDC or sth like this with PAM > > > > Do any have any exp? Please shares.. I have tried to setup the PPTP > > server tonite but not yet tested it with Win98/ME but I will do it > > later. I failed > > to connect to this PPTP server from a linux box running pptp-linux. No > > clues > > at the moment..... > > Any guidelines will highly be appreciated. > > thx > > > > -- > > Best Rgds, > > > > Jacky Hui > > Hong Kong > > > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > List services provided by www.schulteconsulting.com! > >_______________________________________________ >pptp-server maillist - pptp-server at lists.schulte.org >http://lists.schulte.org/mailman/listinfo/pptp-server >List services provided by www.schulteconsulting.com! From doc at docwardo.net Sat Mar 17 07:45:42 2001 From: doc at docwardo.net (Joe Ward) Date: Sat, 17 Mar 2001 08:45:42 -0500 Subject: [pptp-server] Authentication In-Reply-To: <008d01c0ae37$9db5de30$b201a8c0@snpc.net> References: <3AB0F65D.8636EF03@school.net.hk> Message-ID: <5.1.0.10.2.20010317084417.00aa6050@netmail.home.com> I just reread this message, I have been tasked with a very similar project. I need to authenticate a linux based VPN with either a domain controler or an yppass server. any ideas on how to patch pptpd to do so? -Joe Ward >----- Original Message ----- 
>From: "Hui Chun Kit"
>To:
>Sent: Thursday, March 15, 2001 12:05 PM
>Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
>
> > [...]

From anesthes at cisdi.com Mon Mar 19 18:36:59 2001
From: anesthes at cisdi.com (Joey Coco)
Date: Mon, 19 Mar 2001 19:36:59 -0500 (EST)
Subject: [pptp-server] PPTP masq patches for 2.4.x
Message-ID:

Hi,

Anyone write masq/nat patches for 2.4.x yet?? I'm having problems running VPN servers behind my firewalls.. :(

--
Joe

From djolivier at bigfoot.com Fri Mar 16 11:05:34 2001
From: djolivier at bigfoot.com (Douglas J. Olivier)
Date: Fri, 16 Mar 2001 10:05:34 -0700 (US Mountain Standard Time)
Subject: [pptp-server] Fw: pptpd error
Message-ID: <3AB247DE.00000F.19039@bonded.dakotanet.com>

-------Original Message-------
From: Douglas J. Olivier
Date: Wednesday, March 14, 2001 01:40:46 PM
To: pptp-server at lists.schulte.org
Subject: pptpd error

I've compiled pptpd-1.0.1, ppp-2.3.11 and the kernel 2.2.17, following Dread Boys HowTo. During the compile of the modules I got a ppp_compressor error but they apparently compiled. Now I get the following error:

pptpd -d
Long config line ignored

pptpd.conf
option /etc/ppp/options
debug
localip 199.29.166.50-59
remoteip 199.29.166.70-79

/etc/ppp/options
lock
debug
name pptpsrv1
proxyarp
netmask 255.255.255.0
auth
mru 1450
mtu 1450
require-chap
require-chapms
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

I've recompiled fresh sources several times but continue to get the same errors; any help would be appreciated.

From ctresco at mit.edu Fri Mar 16 13:09:01 2001
From: ctresco at mit.edu (Chris Tresco)
Date: Fri, 16 Mar 2001 14:09:01 -0500
Subject: [pptp-server] forwarding between interfaces
References: <3AAFD74E.000018.72673@bonded.dakotanet.com>
Message-ID: <00eb01c0ae4c$960a0340$b201a8c0@snpc.net>

I just upgraded to kernel 2.4.2 and ppp 2.4.0 and applied the necessary patches. For some reason... after successfully negotiating a tunnel and whatnot, packets are not being forwarded correctly between ppp0 and eth0.

For example, from the VPN client I ping something through the tunnel. I get "request timed out", which means there is a route, just the reply isn't getting to me. Also, if I run tcpdump -i ppp0 on the server, I can see the pings going to the correct box I am pinging and getting replied to, just the replies aren't getting back through to the client. This means that packets aren't being forwarded from eth0 -> ppp0 correctly.

What iptables rule will make this happen?? I believe I have tried most of them.

Thanks in advance,
Chris

From percyp at versa-valves.com Fri Mar 16 13:48:03 2001
From: percyp at versa-valves.com (Percy E Perez)
Date: Fri, 16 Mar 2001 14:48:03 -0500
Subject: [pptp-server] New installation
Message-ID: <000501c0ae52$03d92e50$2587cbd0@versavalves.com>

Hello all,

I have just installed pptpd (stable version), and something rather unusual just happened... My entire network, actually mostly workstations, froze... I downloaded pptpd just today, installed it under a Redhat 6.1 distribution supplied by DELL. Went through the redhat-howto... a bit outdated, but does the trick, read the FAQ, got the server to work, tested it with an NT Workstation 4.0, I get connected no problem... BTW, I am not using any private IPs... my simple conf. for testing purposes is:

/etc/pptpd.conf
debug
option /etc/ppp/options.pptp

From percyp at versa-valves.com Fri Mar 16 13:57:59 2001
From: percyp at versa-valves.com (Percy E Perez)
Date: Fri, 16 Mar 2001 14:57:59 -0500
Subject: [pptp-server] Apologies... New installation
Message-ID: <000601c0ae53$6792dad0$2587cbd0@versavalves.com>

FIRST OF ALL I am sorry about sending the previous message without it being completed... damn outlook... Here it is, the whole message:

-------------------------

Hello all,

I have just installed pptpd (stable version), and something rather unusual just happened... My entire network, actually mostly workstations, froze... I downloaded pptpd just today, installed it under a Redhat 6.1 distribution supplied by DELL. Went through the redhat-howto..., read the FAQ, got the server to work, tested it with an NT Workstation 4.0, I get connected no problem... BTW, I am not using any private IPs... my simple conf. for testing purposes is:

/etc/pptpd.conf
debug
localip 208.203.135.254
remoteip 208.203.135.253

(I only wanted to test it first...)

/etc/ppp/options.pptp
lock
debug
auth
+chap
proxyarp

Of course I made 2 more changes:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

That was it, it worked beautifully... until an hour later... :)

Just for reference: the system has 2 NICs, both with 208.203.135.X numbers.

One more thing I noticed: under my /var/adm/messages I see this in the log... (note I was out during this period so I was not playing with the system...)

Thanks for the help...

Percy E Perez

Mar 16 12:22:42 versa36 pppd[6360]: pppd 2.3.10 started by root, uid 0
Mar 16 12:22:42 versa36 pppd[6360]: Using interface ppp0
Mar 16 12:22:42 versa36 pppd[6360]: Connect: ppp0 <--> /dev/pts/3
Mar 16 12:22:43 versa36 pptpd[6359]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 16 12:22:43 versa36 pppd[6360]: CHAP peer authentication succeeded for percyp
Mar 16 12:22:43 versa36 pppd[6360]: found interface eth0 for proxy arp
Mar 16 12:22:43 versa36 pppd[6360]: local IP address 208.203.135.254
Mar 16 12:22:43 versa36 pppd[6360]: remote IP address 208.203.135.253
Mar 16 12:23:26 versa36 pptpd[6359]: CTRL: Error with select(), quitting
Mar 16 12:23:26 versa36 pptpd[6359]: CTRL: Client 208.203.135.37 control connection finished
Mar 16 12:23:26 versa36 pppd[6360]: Modem hangup
Mar 16 12:23:26 versa36 pppd[6360]: Connection terminated.
Mar 16 12:23:26 versa36 pppd[6360]: Connect time 0.8 minutes.
Mar 16 12:23:26 versa36 pppd[6360]: Sent 607 bytes, received 1050 bytes.
Mar 16 12:23:26 versa36 pppd[6360]: Exit.
Mar 16 12:25:01 versa36 pptpd[5832]: MGR: No free connection slots or IPs - no more clients can connect!
Mar 16 13:19:02 versa36 pptpd[5832]: MGR: No free connection slots or IPs - no more clients can connect!
Mar 16 13:19:02 versa36 pptpd[6493]: CTRL: Client 208.203.135.37 control connection started
Mar 16 13:19:02 versa36 pptpd[6493]: CTRL: Starting call (launching pppd, opening GRE)
Mar 16 13:19:02 versa36 kernel: CSLIP: code copyright 1989 Regents of the University of California
Mar 16 13:19:02 versa36 kernel: PPP: version 2.3.7 (demand dialling)
Mar 16 13:19:02 versa36 kernel: PPP line discipline registered.

From dale at bewley.net Mon Mar 19 21:33:17 2001
From: dale at bewley.net (Dale Bewley)
Date: Mon, 19 Mar 2001 19:33:17 -0800 (PST)
Subject: [pptp-server] Cisco firewall rules
In-Reply-To:
Message-ID:

Yes that is right.

remark - pptp control
permit tcp any 1.1.1.1 0.0.0.0 eq 1723
remark - pptp data
permit gre any 1.1.1.1 0.0.0.1

On 15 Mar 2001, Fabien Penso wrote:

> Hi,
> I set up a pptp server inside a network. The Cisco has an access list
> which prevents everything from getting in. I added:
>
> access-list 110 permit tcp any 213.XX.XX.XX 0.0.0.0 eq 1723
>
> so people outside can get into the pptp. It looks to work but then the
> GRE doesn't go through. I thought GRE was open by default, I guess the
> last line:
>
> access-list 110 deny ip any any
>
> stops that. Is the following line correct if I want to let GRE in as input?
>
> access-list 110 permit 47 any 213.XX.XX.XX 0.0.0.0
>
> As far as I have read the FAQ, I need to open GRE which is protocol 47,
> but I'm not really good at cisco firewall rules, so I would prefer a
> confirmation from someone here.
>
> Thanks.
>

--
Dale Bewley - Bewley Internet Solutions Inc. http://bewley.net/

From tife.chan at adsociety.com Mon Mar 19 21:46:26 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Tue, 20 Mar 2001 11:46:26 +0800
Subject: [pptp-server] Authentication
In-Reply-To: <5.1.0.10.2.20010317084417.00aa6050@netmail.home.com>
Message-ID:

The authentication is done on the pppd rather than pptpd.
I'm not sure about other distributions; Redhat has default ppp authentication over PAM.
You may get the pam_smb module from http://www.csn.ul.ie/~airlied/pam_smb/

Regards,
Tife Chan

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Ward
> Sent: Saturday, March 17, 2001 9:46 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Authentication
>
>
> I just reread this message. I have been tasked with a very similar
> project: I need to authenticate a linux based VPN with either a domain
> controller or a yppass server. Any ideas on how to patch pptpd to do so?
>
> -Joe Ward
>
>
>
> >----- Original Message -----
> >From: "Hui Chun Kit"
> >To:
> >Sent: Thursday, March 15, 2001 12:05 PM
> >Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
> >
> > > [...]
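The Cisco access-list exchange above (Fabien Penso's question and Dale Bewley's reply) reduced to a check. This is an added example, not code from any post on the list; it models first-match evaluation of an extended ACL and reports whether the TCP/1723 control connection and GRE (protocol 47) each reach the server before the trailing deny, with 192.0.2.10 as a constructed stand-in for the 213.XX.XX.XX host.

```python
"""First-match evaluation of a Cisco extended access-list: does the list let
both halves of PPTP, the TCP/1723 control connection and GRE (IP protocol 47),
reach the VPN server before the trailing "deny ip any any"?
Added example; 192.0.2.10 stands in for the 213.XX.XX.XX host in the posts."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}
PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL = 47

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: Optional[int]     # None means "ip", i.e. any protocol
    dst_addr: int            # destination address as an integer, 0 for "any"
    dst_wild: int            # Cisco wildcard mask: 1 bits are "don't care"
    dst_port: Optional[int]  # destination "eq <port>", if present

def _ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _take_addr_spec(tokens: List[str], pos: int) -> Tuple[int, int, int]:
    """Consume "any", "host A.B.C.D" or "A.B.C.D wildcard" at tokens[pos]."""
    tok = tokens[pos]
    if tok == "any":
        return 0, 0xFFFFFFFF, pos + 1
    if tok == "host":
        return _ip_int(tokens[pos + 1]), 0, pos + 2
    return _ip_int(tok), _ip_int(tokens[pos + 1]), pos + 2

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one ACL line; blank lines and remarks yield None."""
    tokens = line.split()
    # Numbered ACLs carry an "access-list <n>" prefix; named ACL bodies do not.
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]
    if not tokens or tokens[0] == "remark":
        return None
    action, proto_tok = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACL line: {line!r}")
    proto = int(proto_tok) if proto_tok.isdigit() else PROTO_NUMBERS[proto_tok]
    _, _, pos = _take_addr_spec(tokens, 2)        # source address: not checked here
    if tokens[pos:pos + 1] == ["eq"]:              # optional source port
        pos += 2
    dst_addr, dst_wild, pos = _take_addr_spec(tokens, pos)
    dst_port = int(tokens[pos + 1]) if tokens[pos:pos + 1] == ["eq"] else None
    return Ace(action, proto, dst_addr, dst_wild, dst_port)

def parse_acl(text: str) -> List[Ace]:
    return [ace for ace in map(parse_ace, text.splitlines()) if ace is not None]

def first_match(aces: List[Ace], proto: int, dst_ip: str,
                dst_port: Optional[int] = None) -> str:
    """Action of the first matching entry; a Cisco ACL ends in an implicit deny."""
    dst = _ip_int(dst_ip)
    for ace in aces:
        if ace.proto is not None and ace.proto != proto:
            continue
        # Address bits may differ only where the wildcard mask has a 1 bit.
        if (dst ^ ace.dst_addr) & (~ace.dst_wild & 0xFFFFFFFF):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"

def pptp_reachable(acl_text: str, server_ip: str) -> dict:
    """Whether the ACL permits each PPTP component towards server_ip."""
    aces = parse_acl(acl_text)
    return {
        "control": first_match(aces, 6, server_ip, PPTP_CONTROL_PORT) == "permit",
        "gre": first_match(aces, GRE_PROTOCOL, server_ip) == "permit",
    }

SERVER = "192.0.2.10"
# Constructed: the numbered list from the question, control channel only.
ACL_CONTROL_ONLY = """
access-list 110 permit tcp any 192.0.2.10 0.0.0.0 eq 1723
access-list 110 deny ip any any
"""
# Constructed: named-ACL style from the answer; a 0.0.0.1 wildcard covers two hosts.
ACL_NAMED = """
remark - pptp control
permit tcp any 192.0.2.10 0.0.0.0 eq 1723
remark - pptp data
permit gre any 192.0.2.10 0.0.0.1
"""

if __name__ == "__main__":
    print("control only:", pptp_reachable(ACL_CONTROL_ONLY, SERVER))
    print("named with gre:", pptp_reachable(ACL_NAMED, SERVER))
```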
From: seth at calculon.northrops.com (Seth Northrop)
Date: Fri, 16 Mar 2001 12:16:03 -0800 (PST)
Subject: [pptp-server] 2.4.0 blank username/passwd patch?
Message-ID:

Does a patch exist for the 2.4.x pppd tree for stopping blank usernames and passwords from gaining access with the smbpasswd patch?

I tried applying the 2.3.11 patch, but it failed.

Thanks for any info!

From tife.chan at adsociety.com Mon Mar 19 23:03:08 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Tue, 20 Mar 2001 13:03:08 +0800
Subject: [pptp-server] Authentication
In-Reply-To:
Message-ID:

You may post your configuration files (like pppd options) here for a better understanding of your situation.

Regards,
Tife Chan

> -----Original Message-----
> From: Hui Chun Kit [mailto:ckhui at carmelss.edu.hk]
> Sent: Tuesday, March 20, 2001 12:46 PM
> To: Tife Chan
> Cc: pptp-server at lists.schulte.org; Joe Ward
> Subject: RE: [pptp-server] Authentication
>
>
> Dear,
>
> I have set up pppd (ppp.rpm) and pptpd but it seems that
> I failed to authenticate against PAM. Are there any docs about that?
>
>
> Jacky Hui
>
> On Tue, 20 Mar 2001, Tife Chan wrote:
>
> > The authentication is done on the pppd rather than pptpd.
> > I'm not sure about other distributions; Redhat has default ppp
> > authentication over PAM.
> > You may get the pam_smb module from
> > http://www.csn.ul.ie/~airlied/pam_smb/
> >
> > Regards,
> > Tife Chan
> >
> > > -----Original Message-----
> > > From: pptp-server-admin at lists.schulte.org
> > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Ward
> > > Sent: Saturday, March 17, 2001 9:46 PM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] Authentication
> > >
> > > [...]
> > >
> > > -Joe Ward
> > >
> > > >----- Original Message -----
> > > >From: "Hui Chun Kit"
> > > >To:
> > > >Sent: Thursday, March 15, 2001 12:05 PM
> > > >Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
> > > >
> > > > > [...]
From vgill at technologist.com Mon Mar 19 23:25:35 2001
From: vgill at technologist.com (Gill, Vern)
Date: Mon, 19 Mar 2001 21:25:35 -0800
Subject: [pptp-server] Authentication
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D48@ftp.gillnet.org>

If you have an NT server running your authentication, you can use pam_smb, maybe. If you are using samba as an nt domain controller, a better solution is to use the smbpasswd patch. Go to http://linus.yi.org and click on the PPP tab at the top...

Good luck.

-----Original Message-----
From: Tife Chan [mailto:tife.chan at adsociety.com]
Sent: Monday, March 19, 2001 7:46 PM
To: pptp-server at lists.schulte.org
Cc: Joe Ward
Subject: RE: [pptp-server] Authentication

The authentication is done on the pppd rather than pptpd.
I'm not sure about other distributions; Redhat has default ppp authentication over PAM.
You may get the pam_smb module from http://www.csn.ul.ie/~airlied/pam_smb/

Regards,
Tife Chan

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Ward
> Sent: Saturday, March 17, 2001 9:46 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Authentication
>
> [...]
>
> -Joe Ward
>
> >----- Original Message -----
> >From: "Hui Chun Kit"
> >To:
> >Sent: Thursday, March 15, 2001 12:05 PM
> >Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
> >
> > > [...]
From godfrey at hattaway-associates.com Tue Mar 20 00:12:58 2001
From: godfrey at hattaway-associates.com (Godfrey Livingstone)
Date: Tue, 20 Mar 2001 18:12:58 +1200
Subject: [pptp-server] 2.4.0 blank username/passwd patch?
References:
Message-ID: <3AB6F4EA.47811A24@hattaway-associates.com>

You could try applying http://www.hattaway.co.nz/patches/pppsmb2.4.patch; this includes my fix for the smbpasswd problem.

Godfrey

Seth Northrop wrote:

> Does a patch exist for the 2.4.x pppd tree for stopping blank usernames
> and passwords from gaining access with the smbpasswd patch?
>
> I tried applying the 2.3.11 patch, but it failed.
>
> Thanks for any info!

From vgill at technologist.com Mon Mar 19 23:52:57 2001
From: vgill at technologist.com (Gill, Vern)
Date: Mon, 19 Mar 2001 21:52:57 -0800
Subject: [pptp-server] Authentication
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D4B@ftp.gillnet.org>

One more thing. I am pretty sure that you can NOT do chap auth with pam. I may be wrong tho. It happened once before...

-----Original Message-----
From: Tife Chan [mailto:tife.chan at adsociety.com]
Sent: Monday, March 19, 2001 9:03 PM
To: pptp-server at lists.schulte.org
Cc: Hui Chun Kit
Subject: RE: [pptp-server] Authentication

You may post your configuration files (like pppd options) here for a better understanding of your situation.

Regards,
Tife Chan

> -----Original Message-----
> From: Hui Chun Kit [mailto:ckhui at carmelss.edu.hk]
> Sent: Tuesday, March 20, 2001 12:46 PM
> To: Tife Chan
> Cc: pptp-server at lists.schulte.org; Joe Ward
> Subject: RE: [pptp-server] Authentication
>
> [...]
>
> Jacky Hui
>
> On Tue, 20 Mar 2001, Tife Chan wrote:
>
> > [...]
> >
> > > -----Original Message-----
> > > From: pptp-server-admin at lists.schulte.org
> > > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Ward
> > > Sent: Saturday, March 17, 2001 9:46 PM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] Authentication
> > >
> > > [...]
> > >
> > > -Joe Ward
> > >
> > > >----- Original Message -----
> > > >From: "Hui Chun Kit"
> > > >To:
> > > >Sent: Thursday, March 15, 2001 12:05 PM
> > > >Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
> > > >
> > > > > [...]
From jward at cem.msu.edu Fri Mar 16 16:31:15 2001
From: jward at cem.msu.edu (Joe Ward)
Date: Fri, 16 Mar 2001 17:31:15 -0500
Subject: [pptp-server] GRE Errors.
In-Reply-To:
References: <5.0.2.1.2.20010314125602.00b0d470@pop3.norton.antivirus>
Message-ID: <5.0.2.1.2.20010316172821.00afa5a0@pop3.norton.antivirus>

Okay, so I downloaded 1.1.2 and compiled and installed it. It seems a little faster on the file transfers using smb than it was before, and the e-mail sending is better too. My question is: any way to turn off the Buffering packet messages? I really don't care to fill the logs up with packet reordering stuff. My net sucks and I have lots of reordering (heck, it still can't reorder all the packets) and I know it, so the server doesn't need to tell me this ;)

I hope you can help ;)

-Joe Ward

At 3/14/2001 01:36 PM, Christopher Tresco wrote:
>Hi,
>
>The devel version of pptp from poptop.lineo.com supports out of order
>packets. I have heard that this version of pptpd is stable. Try it.
>
>
>
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Ward
> > Sent: Wednesday, March 14, 2001 1:34 PM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] GRE Errors.
> >
> >
> > I have pptpd setup on my redhat 6.2 box
> >
> > everything works just fine (browsing, forwarding, etc.); my problem is that I
> > am getting some major GRE errors
> >
> > here is just a snippet:
> >
> > Mar 14 10:06:22 liquid pptpd[11833]: CTRL: Starting call (launching pppd, opening GRE)
> > Mar 14 10:06:22 liquid pptpd[11833]: GRE: Discarding duplicate packet
> > Mar 14 10:06:58 liquid pptpd[11833]: GRE: Discarding out of order packet
> >
> > and this is just from sending a single e-mail message. I can go back and
> > dig up logs where I get like 30 or 40 of them in a row when I try to
> > transfer a file or get a web page. Obviously discarding packets is going
> > to slow down my connection. But I don't know if it's bad enough to have to
> > worry about it, or is this just something that happens.
> >
> > there are 16 hops between the two; 1/2 of them are campus routers for the
> > fiber optic backbone and such.
> >
> > for background:
> >
> > Server:
> > Pptpd 1.0.1 patched for mschap
> > pppd 2.3.11 patched for encryption
> > redhat 6.2 kernel 2.2.16-3
> > Trinity OS firewall modified to allow for the pptp traffic to be forwarded
> > and such.
> > Cable modem (@home)
> >
> > Workstation:
> > Toshiba Laptop
> > Win2k SP1
> > IE5.5 SP1
> > on Standard Ethernet on MSU campus
> >
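A small triage pass over the kind of pptpd/pppd syslog output posted in this thread (the versa36 excerpt with "No free connection slots or IPs" and the GRE discards Joe reports above). This is an added example, not code from any post or from PoPToP itself; the sample log is constructed from those excerpts, and the "stale slot" rule is the editor's heuristic: the pool is reported full although every control connection seen has already finished.

```python
"""Triage pptpd/pppd syslog lines for the conditions raised in this thread:
an exhausted localip/remoteip pool, control-connection errors and GRE discards.
Added example; the sample log is constructed from the excerpts posted above."""
import re
from collections import Counter
from typing import Dict, Iterable, List

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>pptpd|pppd)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Messages worth counting, keyed by a short finding name.
PATTERNS = {
    "pool_exhausted": re.compile(r"MGR: No free connection slots or IPs"),
    "client_started": re.compile(r"CTRL: Client (?P<ip>\S+) control connection started"),
    "client_finished": re.compile(r"CTRL: Client (?P<ip>\S+) control connection finished"),
    "ctrl_select_error": re.compile(r"CTRL: Error with select\(\)"),
    "ctrl_read_failed": re.compile(
        r"CTRL: (?:CTRL read failed|EOF or bad error reading ctrl packet length)"),
    "gre_out_of_order": re.compile(r"GRE: Discarding out of order packet"),
    "gre_duplicate": re.compile(r"GRE: Discarding duplicate packet"),
    "chap_ok": re.compile(r"CHAP peer authentication succeeded for (?P<user>\S+)"),
}

def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Count known messages and derive findings from their order."""
    counts: Counter = Counter()
    active: set = set()           # client IPs with an open control connection
    users: Dict[str, str] = {}    # pppd PID -> CHAP user that authenticated
    findings: List[str] = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue              # kernel and other daemons are not our concern here
        ts, pid, msg = m.group("ts"), m.group("pid"), m.group("msg")
        for name, pat in PATTERNS.items():
            hit = pat.search(msg)
            if not hit:
                continue
            counts[name] += 1
            if name == "client_started":
                active.add(hit.group("ip"))
            elif name == "client_finished":
                active.discard(hit.group("ip"))
            elif name == "chap_ok":
                users[pid] = hit.group("user")
            elif name == "pool_exhausted" and not active:
                # Every control connection seen so far has finished, yet the
                # manager still reports the pool full: a slot was not released.
                findings.append(f"{ts}: pool exhausted with no active client (stale slot)")
            elif name.startswith("ctrl_"):
                findings.append(f"{ts}: pptpd[{pid}] control connection error: {msg}")
    discards = counts["gre_out_of_order"] + counts["gre_duplicate"]
    if discards:
        findings.append(f"{discards} GRE packets discarded (reordering or duplicates on the path)")
    return {"counts": dict(counts), "active": sorted(active),
            "users": users, "findings": findings}

# Constructed sample, modelled on the versa36 and liquid excerpts in this thread.
SAMPLE_LOG = """\
Mar 16 12:22:42 versa36 pppd[6360]: pppd 2.3.10 started by root, uid 0
Mar 16 12:22:42 versa36 pppd[6360]: Using interface ppp0
Mar 16 12:22:43 versa36 pptpd[6359]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 16 12:22:43 versa36 pppd[6360]: CHAP peer authentication succeeded for percyp
Mar 16 12:22:43 versa36 pppd[6360]: remote IP address 208.203.135.253
Mar 16 12:23:26 versa36 pptpd[6359]: CTRL: Error with select(), quitting
Mar 16 12:23:26 versa36 pptpd[6359]: CTRL: Client 208.203.135.37 control connection finished
Mar 16 12:23:26 versa36 pppd[6360]: Connection terminated.
Mar 16 12:25:01 versa36 pptpd[5832]: MGR: No free connection slots or IPs - no more clients can connect!
Mar 16 13:19:02 versa36 pptpd[5832]: MGR: No free connection slots or IPs - no more clients can connect!
Mar 16 13:19:02 versa36 pptpd[6493]: CTRL: Client 208.203.135.37 control connection started
Mar 16 13:19:02 versa36 pptpd[6493]: CTRL: Starting call (launching pppd, opening GRE)
Mar 16 13:19:02 versa36 kernel: PPP: version 2.3.7 (demand dialling)
Mar 16 13:19:05 versa36 pptpd[6493]: GRE: Discarding duplicate packet
Mar 16 13:19:41 versa36 pptpd[6493]: GRE: Discarding out of order packet
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines())["findings"]:
        print(finding)
```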
From: berzerke at swbell.net (robert)
Date: Sat, 17 Mar 2001 09:42:23 -0600
Subject: [pptp-server] Packets wont pass between localip and remoteip
In-Reply-To: <008d01c0ae37$9db5de30$b201a8c0@snpc.net>
References: <3AB0F65D.8636EF03@school.net.hk> <008d01c0ae37$9db5de30$b201a8c0@snpc.net>
Message-ID: <01031709422300.20543@linux>

Can you ping the other end of the connection? Is forwarding enabled (echo 1 >/proc/sys/net/ipv4/ip_forward)?

BTW, it's not the source of your problem, but you only need one localip number.

On Friday 16 March 2001 10:39, Chris Tresco wrote:
> Kernel 2.4.2 , ppp 2.4.0
>
>
> I have no idea why.
>
> Here are my files:
>
> [...]
>
> Thanks.

From tife.chan at adsociety.com Sun Mar 18 21:58:58 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Mon, 19 Mar 2001 11:58:58 +0800
Subject: [pptp-server] Packets wont pass between localip and remoteip
In-Reply-To: <008d01c0ae37$9db5de30$b201a8c0@snpc.net>
Message-ID:

I guess your netmask is wrong. Should it be 255.255.255.0?

Tife

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Chris Tresco
> Sent: Saturday, March 17, 2001 12:39 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Packets wont pass between localip and remoteip
>
>
> Kernel 2.4.2 , ppp 2.4.0
>
>
> I have no idea why.
>
> Here are my files:
>
> options:
>
> logfile /var/log/pppd.log
> debug
> netmask 255.255.255.255
> name tvgrid
> ##lock
> noauth
> proxyarp
> defaultroute
> +chap
> +chapms
> +chapms-v2
> mppe-40
> mppe-128
> mppe-stateless
> require-mppe
> require-mppe-stateless
> ms-dns 192.168.1.2
> ms-dns 192.168.1.4
> #require-chap
>
> pptpd.conf:
>
> debug
> speed 115200
> localip 192.168.1.130-132
> remoteip 192.168.1.133-135
>
> ipchains allows everything....
>
>
> Thanks.
>
>
> ----- Original Message -----
> From: "Hui Chun Kit"
> To:
> Sent: Thursday, March 15, 2001 12:05 PM
> Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
>
> > [...]

From tife.chan at adsociety.com Sun Mar 18 22:06:37 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Mon, 19 Mar 2001 12:06:37 +0800
Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
In-Reply-To: <3AB0F65D.8636EF03@school.net.hk>
Message-ID:

This configuration should be fine, as I'm running this setting in our network without problem. However, instead of using MCHAP, I use pap and "required encrypted password" enabled on the client setting.

Regards,
Tife

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Hui Chun Kit
> Sent: Friday, March 16, 2001 1:06 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
>
> Dear all,
>
> I am running RH7 so I do love to use PAM since the pppd coming with RH7
> is PAM-enabled. However, I cannot find any doc telling me how to authenticate
> with PAM and in fact, can I setup a PPTP server such that:
>
> - all clients are WinME/Win98
> - uses MCHAP and encryption
> - authenticate against an NT PDC or sth like this with PAM
>
> Does anyone have any exp? Please share.. I have tried to setup the PPTP
> server tonite but not yet tested it with Win98/ME but I will do it later. I failed
> to connect to this PPTP server from a linux box running pptp-linux. No clues
> at the moment.....
> Any guidelines will highly be appreciated.
> thx
>
> --
> Best Rgds,
>
> Jacky Hui
> Hong Kong

From matthew.keay at Phones4u.co.uk Mon Mar 19 04:03:35 2001
From: matthew.keay at Phones4u.co.uk (matthew.keay at Phones4u.co.uk)
Date: Mon, 19 Mar 2001 10:03:35 -0000
Subject: [pptp-server] Off off/off list Informative Post: new Lug - UK
Message-ID: <74326A051EAFD411AE8600508B3029A3F29B37@WASHINGTON>

This is a one-off post aimed at all Linux Users in the UK. The LUG's website is http://www.uk-lug.org.uk/

Please check it out if you get a spare few minutes!

--
matthew at keay.uk.net
http://www.uk-lug.org.uk/

From frederic.soulier at sxb.bsf.alcatel.fr Mon Mar 19 04:40:37 2001
From: frederic.soulier at sxb.bsf.alcatel.fr (Frederic SOULIER)
Date: Mon, 19 Mar 2001 11:40:37 +0100
Subject: [pptp-server] Contacting a PPTP Server behind a Linux box w/o ip_masq_vpn ?
Message-ID: <3AB5E225.F08AC8D0@sxb.bsf.alcatel.fr>

Hello there,

I have to do a very common thing: configure a Linux box to allow access from an external PPTP client (W98, WNT, W2K) to an internal (on the LAN) PPTP server (PoPToP, ...).

My problem is that I have only a linux 2.2.13 kernel and cannot patch it!

I have port forwarding (TCP 1723) installed on the linux box. The PPTP/CTRL connection is ok. How can I handle GRE packets?

ipfwd works well from the client to the server, but since Linux masquerading (on my 2.2.13 kernel) doesn't handle the GRE protocol (47), no answer is given to the client.

So, I'm looking for an alternative to ipfwd (another application), something like a PPTP/GRE proxy (maybe transparent proxying).

Any idea?

Frederic

From hans at tropic.net Mon Mar 19 04:59:22 2001
From: hans at tropic.net (Hans E. Kristiansen)
Date: Mon, 19 Mar 2001 18:59:22 +0800
Subject: [pptp-server] Another one: Packets wont pass between localip and remoteip
References: <3AB0F65D.8636EF03@school.net.hk> <008d01c0ae37$9db5de30$b201a8c0@snpc.net>
Message-ID: <00c701c0b063$ad8d8dc0$e710020a@tropic.net>

Similar problem here. I am using windows 2K as a client; the setup did work with 2.2.17, but 2.4.2 fails.

The funny thing is that I can see the packet (in this case the ping packet) return, but the ping just says "timeout", since w2k has this cute network activity LED.

Once, I was trying to set up a link when the network was really busy, I got a working pptp link, but I have not been able to re-produce this later. Working once is good, but I would have preferred for it to work every time.

It is almost like the pptp packets have the wrong sequence numbers? Which does not make any sense, BTW.

Thanks,
Hans E.

----- Original Message -----
From: "Chris Tresco"
To:
Sent: Saturday, March 17, 2001 00:39
Subject: [pptp-server] Packets wont pass between localip and remoteip

> Kernel 2.4.2 , ppp 2.4.0
>
> I have no idea why.
>
> Here are my files:
>
> options:
>
> logfile /var/log/pppd.log
> debug
> netmask 255.255.255.255
> name tvgrid
> ##lock
> noauth
> proxyarp
> defaultroute
> +chap
> +chapms
> +chapms-v2
> mppe-40
> mppe-128
> mppe-stateless
> require-mppe
> require-mppe-stateless
> ms-dns 192.168.1.2
> ms-dns 192.168.1.4
> #require-chap
>
> pptpd.conf:
>
> debug
> speed 115200
> localip 192.168.1.130-132
> remoteip 192.168.1.133-135
>
> ipchains allows everything....
>
> Thanks.
>
> ----- Original Message -----
> From: "Hui Chun Kit"
> To:
> Sent: Thursday, March 15, 2001 12:05 PM
> Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
>
> > Dear all,
> >
> > I am running RH7 so I do love to use PAM since the pppd coming with RH7
> > is PAM-enabled. However, I cannot find any doc telling me how to authenticate
> > with PAM and in fact, can I setup a PPTP server such that:
> >
> > - all clients are WinME/Win98
> > - uses MCHAP and encryption
> > - authenticate against an NT PDC or sth like this with PAM
> >
> > Does anyone have any exp? Please share.. I have tried to setup the PPTP
> > server tonite but not yet tested it with Win98/ME but I will do it later. I failed
> > to connect to this PPTP server from a linux box running pptp-linux. No clues
> > at the moment.....
> > Any guidelines will highly be appreciated.
> > thx
> >
> > --
> > Best Rgds,
> >
> > Jacky Hui
> > Hong Kong

From jpej at jose.junior.nom.br Mon Mar 19 08:12:48 2001
From: jpej at jose.junior.nom.br (Jose de Paula E. Junior)
Date: Mon, 19 Mar 2001 11:12:48 -0300
Subject: [pptp-server] Problem: Forwarding PPTP
Message-ID: <3AB613E0.6040109@jose.junior.nom.br>

I have 2 nets. One of them is the 10.0.0.x network, where the 10.0.0.1 machine is a pptp server and is also a NAT that connects the people to the internet (the people connect to the VPN server and then can go to the internet).

The other is a network in a building. This network uses the net 10.0.40.x. There's a Linux 2.4.2 box acting as server for this building; it uses an ethernet card (eth0 - 10.0.40.1) to connect to the 10.0.40.x net and a wireless card (eth1 - 10.0.0.17) to connect to the 10.0.0.x network.

From the server I can make a VPN connection to 10.0.0.1.

The problem is: is there a way to make the machines in the 10.0.40.x network (mostly windows) access the PPTP server in 10.0.0.1 and navigate?

A little schematic:

    ---------------------
    | 10.0.40.x network |
    ---------------------
             |
             |
    --------------------
    | eth0 = 10.0.40.1 |   Server on the building
    | eth1 = 10.0.0.17 |
    --------------------
             |
             |
    ------------------       ----------
    |    10.0.0.1    |-------| Internet |
    |   VPN Server   |       ----------
    ------------------

This is more visible in a HTML/JPEG @ http://www.jose.junior.nom.br/problem/serverp6.html

If somebody can help me...

[]s
Jose de Paula E. Junior
Geo-rede Wireless Internet
www.geo-rede.com.br
www.jose.junior.nom.br

From tlecarpe at degetel.com Mon Mar 19 08:34:50 2001
From: tlecarpe at degetel.com (Thomas Lecarpentier)
Date: Mon, 19 Mar 2001 15:34:50 +0100
Subject: [pptp-server] HOW TO ATTRIB ONE IP ADDRESS FOR ONE USER LOGIN ?
Message-ID: <3AB6190A.78204DFC@degetel.com>

Hi

I don't know how to fix one IP address for one client, according to their login.

ThanX

Sorry for my poor English... :(

From Steve at SteveCowles.com Mon Mar 19 15:47:59 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Mon, 19 Mar 2001 15:47:59 -0600
Subject: [pptp-server] win98 - authentication issues
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6B5@defiant.infohiiway.com>

Tunnel authentication and share authentication are two different worlds. Tunnels are authenticated with the username/password specified in your PPTP dialup profile. Share authentication is specified using the "login" username/password that was specified when you turned on your PC to get to your desktop.

Are your Win9x clients logging in???

Steve Cowles

> -----Original Message-----
> From: kat [mailto:kathee at mindiq.com]
> Sent: Thursday, March 15, 2001 11:05 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] win98 - authentication issues
>
> No matter what I try, I can not get windows 98 to send a username
> correctly to my samba servers so the users can map the drives.
>
> Any tips on this? In my samba logs, it always shows up as "." as
> the user. Even though the username for VPN access is exactly the
> same as the domain username.
>
> Of course with NT and 2000 it works perfectly, since usernames are
> sent correctly... I guess I could just tell them I will not
> support 98 (which I want to do) but I thought I would try one more
> time...
>
> thanks
> Kathee

From penso at linuxfr.org Tue Mar 20 03:19:57 2001
From: penso at linuxfr.org (Fabien Penso)
Date: 20 Mar 2001 10:19:57 +0100
Subject: [pptp-server] Cisco firewall rules
In-Reply-To:
References:
Message-ID:

Dale Bewley wrote:

> Yes that is right.
>
> remark - pptp control
> permit tcp any 1.1.1.1 0.0.0.0 eq 1723
> remark - pptp data
> permit gre any 1.1.1.1 0.0.0.1

Thanks, worked perfectly.

From aaa at netman.dk Tue Mar 20 03:19:26 2001
From: aaa at netman.dk (Alaa AlAmood)
Date: Tue, 20 Mar 2001 10:19:26 +0100
Subject: [pptp-server] Cisco firewall rules
References:
Message-ID: <3AB7209E.3F93B420@netman.dk>

Hi

I defined two rules in my firewall:

access-list 110 permit gre any host SERVER_IP_ADDRESS
access-list 110 permit tcp any host SERVER_IP_ADDRESS eq 1723

They should solve the problem.

have fun

regards
Alaa

Dale Bewley wrote:

> Yes that is right.
>
> remark - pptp control
> permit tcp any 1.1.1.1 0.0.0.0 eq 1723
> remark - pptp data
> permit gre any 1.1.1.1 0.0.0.1
>
> On 15 Mar 2001, Fabien Penso wrote:
> > Hi,
> > I set up a pptp server inside a network. The Cisco has an access list
> > which prevents everything from getting in. I added:
> >
> > access-list 110 permit tcp any 213.XX.XX.XX 0.0.0.0 eq 1723
> >
> > so people outside can get into the pptp. It looks to work but then the
> > GRE doesn't go through. I thought GRE was open by default, I guess the
> > last line:
> >
> > access-list 110 deny ip any any
> >
> > stops that. Is the following line correct if I want to let GRE in as input?
> >
> > access-list 110 permit 47 any 213.XX.XX.XX 0.0.0.0
> >
> > As far as I have read the FAQ, I need to open GRE which is protocol 47,
> > but I'm not really good with cisco firewall rules, so I would prefer a
> > confirmation from someone here.
> >
> > Thanks.
>
> --
> Dale Bewley - Bewley Internet Solutions Inc. http://bewley.net/

From clive at candl.com.au Tue Mar 20 03:41:25 2001
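The answers in this thread come down to two rules: TCP/1723 for the PPTP control channel and IP protocol 47 (GRE) for the data channel, both permitted before the closing "deny ip any any". What follows is an added example, not code from the list or from any Cisco tool: a small first-match evaluator for the "access-list ... permit/deny" syntax quoted above, with Cisco wildcard-mask matching, run against constructed copies of Fabien's list before and after the GRE line and against Dale's wildcard form. The addresses 213.0.0.10, 198.51.100.7 and 1.1.1.1 are placeholders; only "tcp", "udp", "gre", "ip" and numeric protocols are recognised.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

SERVER = "213.0.0.10"   # constructed stand-in for the 213.XX.XX.XX server in the thread

# Constructed: the list as Fabien first had it (TCP only, then the implicit-style deny).
ACL_BEFORE = """\
access-list 110 permit tcp any 213.0.0.10 0.0.0.0 eq 1723
access-list 110 deny ip any any
"""

# Constructed: the same list with the GRE rule the replies recommend.
ACL_AFTER = """\
access-list 110 permit tcp any host 213.0.0.10 eq 1723
access-list 110 permit gre any host 213.0.0.10
access-list 110 deny ip any any
"""

# Constructed: Dale's lines verbatim (named-ACL style, with remarks) plus a final deny.
ACL_WILDCARD = """\
remark - pptp control
permit tcp any 1.1.1.1 0.0.0.0 eq 1723
remark - pptp data
permit gre any 1.1.1.1 0.0.0.1
deny ip any any
"""

PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "gre": 47}   # None = any protocol


@dataclass
class Rule:
    action: str
    proto: Optional[int]            # None matches every protocol ("ip")
    src: Callable[[int], bool]
    dst: Callable[[int], bool]
    port: Optional[int]             # destination port from "eq N", else None


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tok, i):
    """Parse one address spec at tok[i]: any | host A.B.C.D | A.B.C.D wildcard."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        base = _ip_int(tok[i + 1])
        return (lambda ip: ip == base), i + 2
    base, wild = _ip_int(tok[i]), _ip_int(tok[i + 1])
    # Cisco wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared.
    return (lambda ip: ((ip ^ base) & ~wild & 0xFFFFFFFF) == 0), i + 2


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "access-list":
            tok = tok[2:]                       # drop "access-list <number>"
        if not tok or tok[0] not in ("permit", "deny"):
            continue                            # blank line, remark, or other syntax
        proto = int(tok[1]) if tok[1].isdigit() else PROTO_NAMES[tok[1]]
        src, i = _addr_spec(tok, 2)
        dst, i = _addr_spec(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(tok[0], proto, src, dst, port))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, port=None):
    """First matching rule decides; an ACL with no match denies."""
    s, d = _ip_int(src_ip), _ip_int(dst_ip)
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        if r.src(s) and r.dst(d):
            return r.action
    return "deny"


def pptp_check(acl_text, server_ip, client_ip="198.51.100.7"):
    """Does an outside client reach both PPTP channels on the server?"""
    rules = parse_acl(acl_text)
    return {
        "control": evaluate(rules, client_ip, server_ip, 6, 1723) == "permit",
        "gre": evaluate(rules, client_ip, server_ip, 47) == "permit",
    }


if __name__ == "__main__":
    print("before:", pptp_check(ACL_BEFORE, SERVER))   # gre False: this is the symptom in the thread
    print("after: ", pptp_check(ACL_AFTER, SERVER))
```

Running it on the wildcard list also shows a detail worth noticing in Dale's rules: "1.1.1.1 0.0.0.1" permits GRE to two addresses (1.1.1.0 and 1.1.1.1), not one, whereas "host" or a 0.0.0.0 mask pins the rule to the server alone.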
From: clive at candl.com.au (Clive Small)
Date: Tue, 20 Mar 2001 20:41:25 +1100
Subject: [pptp-server] pptp and Redhat 7.0
Message-ID: <3AB725C5.595658BB@candl.com.au>

Hello all

I have pptp working unencrypted using Redhat 7.0 but get compiler error messages when trying the sequence to compile ppp and modules in the Howto from the pptp home site. If I don't apply the patch to the ppp code the compile works but doesn't generate all the modules required (ppp_mppe.o).

Can someone help or point me to a FAQ or Howto for compiling for encrypted pptp and Redhat 7.0?

Regards
Clive

From jkreger at avidsolutionsinc.com Tue Mar 20 05:50:37 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Tue, 20 Mar 2001 06:50:37 -0500
Subject: [pptp-server] Packets wont pass between localip and remoteip
Message-ID: <6B8A85826C35D31193BD0090278589C81DF083@CIC-EXCHANGE>

Speaking of packets not being passed, I have a win2k server on a high delay link (800-3000ms), and it just ignores my network after about a minute or two of being connected. I can ping a machine on the pptp server's lan; I can't ping it, or anything on its lan, from my lan, but I can ping stuff on my lan from its lan. weird huh

-----Original Message-----
From: robert
To: Chris Tresco; pptp-server at lists.schulte.org
Sent: 3/17/01 10:42 AM
Subject: Re: [pptp-server] Packets wont pass between localip and remoteip

Can you ping the other end of the connection? Is forwarding enabled (echo 1 >/proc/sys/net/ipv4/ip_forward)?

BTW, it's not the source of your problem, but you only need one localip number.

On Friday 16 March 2001 10:39, Chris Tresco wrote:
> Kernel 2.4.2 , ppp 2.4.0
>
> I have no idea why.
>
> Here are my files:
>
> options:
>
> logfile /var/log/pppd.log
> debug
> netmask 255.255.255.255
> name tvgrid
> ##lock
> noauth
> proxyarp
> defaultroute
> +chap
> +chapms
> +chapms-v2
> mppe-40
> mppe-128
> mppe-stateless
> require-mppe
> require-mppe-stateless
> ms-dns 192.168.1.2
> ms-dns 192.168.1.4
> #require-chap
>
> pptpd.conf:
>
> debug
> speed 115200
> localip 192.168.1.130-132
> remoteip 192.168.1.133-135
>
> ipchains allows everything....
>
> Thanks.

From jkreger at avidsolutionsinc.com Tue Mar 20 06:05:02 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Tue, 20 Mar 2001 07:05:02 -0500
Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
Message-ID: <6B8A85826C35D31193BD0090278589C81DF085@CIC-EXCHANGE>

You cannot do any sort of encrypted Authentication using the PAM_SMB mod. I have talked with one of the people on the samba-tng team, and it is possible to take pppd and go beyond what I did with integrating libvalid. We could write a patch that passes the authentication on, in a sense. (I was going to do this, but it's on the back burner at the moment.) Also, microsoft wrote an RFC detailing how to do MSChap with RADIUS.

-----Original Message-----
From: Tife Chan
To: ckhui at school.net.hk; pptp-server at lists.schulte.org
Sent: 3/18/01 11:06 PM
Subject: RE: [pptp-server] Using ppp with PAM to authenticate against a NT PDC

This configuration should be fine as I'm running this setting in our network without problems.
However, instead of using MCHAP, I use pap and "required encrypted password" enabled on the client setting.

Regards,
Tife

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Hui Chun Kit
> Sent: Friday, March 16, 2001 1:06 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
>
> Dear all,
>
> I am running RH7 so I do love to use PAM since the pppd coming with RH7
> is PAM-enabled. However, I cannot find any doc telling me how to authenticate
> with PAM and in fact, can I setup a PPTP server such that:
>
> - all clients are WinME/Win98
> - uses MCHAP and encryption
> - authenticate against an NT PDC or sth like this with PAM
>
> Does anyone have any exp? Please share.. I have tried to setup the PPTP
> server tonite but not yet tested it with Win98/ME but I will do it later. I failed
> to connect to this PPTP server from a linux box running pptp-linux. No clues
> at the moment.....
> Any guidelines will highly be appreciated.
> thx
>
> --
> Best Rgds,
>
> Jacky Hui
> Hong Kong

From jkreger at avidsolutionsinc.com Tue Mar 20 06:06:39 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Tue, 20 Mar 2001 07:06:39 -0500
Subject: [pptp-server] HOW TO ATTRIB ONE IP ADDRESS FOR ONE USER LOGIN ?
Message-ID: <6B8A85826C35D31193BD0090278589C81DF086@CIC-EXCHANGE>

If you are authenticating using the smbpasswd patch, you can do the following in chap-secrets:

login * &/etc/smbpasswd ip.addr.here

-----Original Message-----
From: Thomas Lecarpentier
To: pptp-server at lists.schulte.org
Sent: 3/19/01 9:34 AM
Subject: [pptp-server] HOW TO ATTRIB ONE IP ADDRESS FOR ONE USER LOGIN ?

Hi

I don't know how to fix one IP address for one client, according to their login.

ThanX

Sorry for my poor English... :(

From percyp at versa-valves.com Tue Mar 20 07:23:30 2001
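Justin's one-line answer relies on the layout of pppd's chap-secrets file: client, server, secret, then the addresses that login may use. The following is an added example, not code from the thread or from pppd: a parser for that file that resolves which addresses a login is pinned to and flags entries an administrator would want to review, such as a "*" client whose secret is deferred to an "&file" lookup (the smbpasswd-patch form quoted on this list), an empty secret, or a named login left on "*". The file contents are constructed; the address semantics (an entry with only three words, or "-", allows no address; "*" allows any) follow the pppd(8) description of chap-secrets.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed chap-secrets content: the wildcard line in the form the earlier
# posts used, plus per-login lines in the form Justin suggests.
SAMPLE = """\
# Secrets for authentication using CHAP
# client   server  secret                  IP addresses
*          *       &/etc/samba/smbpasswd   *
alice      *       &/etc/samba/smbpasswd   192.168.1.133
bob        pptpd   "correct horse"         192.168.1.134
temp       *       ""                      *
"""


@dataclass
class Entry:
    line_no: int
    client: str
    server: str
    secret: str
    addrs: List[str]      # [] means no address allowed (only 3 words, or "-")


def parse_chap_secrets(text):
    """Split chap-secrets lines the way pppd does: whitespace, quotes, # comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)   # handles "quoted secrets" and comments
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {n}: expected client, server and secret")
        addrs = fields[3:]
        if addrs[:1] == ["-"]:
            addrs = []
        entries.append(Entry(n, fields[0], fields[1], fields[2], addrs))
    return entries


def ip_for(entries, login) -> Optional[List[str]]:
    """Addresses a login may take: an exact client match beats the '*' wildcard."""
    exact = [e for e in entries if e.client == login]
    wild = [e for e in entries if e.client == "*"]
    chosen = exact or wild
    return chosen[0].addrs if chosen else None


def lint(entries):
    """Entries worth a second look before the file goes into service."""
    findings = []
    for e in entries:
        where = f"line {e.line_no} ({e.client})"
        if e.secret == "":
            findings.append(f"{where}: empty secret")
        if e.client == "*" and e.secret.startswith("&"):
            findings.append(f"{where}: wildcard client with secret deferred to "
                            f"{e.secret[1:]}; every login name reaches the lookup file")
        if e.client != "*" and e.addrs == ["*"]:
            findings.append(f"{where}: named login not pinned to an address")
    return findings


if __name__ == "__main__":
    entries = parse_chap_secrets(SAMPLE)
    print("alice ->", ip_for(entries, "alice"))
    for finding in lint(entries):
        print(finding)
```

The per-login lines are the shape Justin describes: once the client column names the login, the address column pins that login to one remote address, and the wildcard line can be removed so that only listed logins are consulted.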
From: percyp at versa-valves.com (Percy E Perez)
Date: Tue, 20 Mar 2001 08:23:30 -0500
Subject: [pptp-server] New installation and network problems
Message-ID: <002f01c0b140$f553ff80$2587cbd0@versavalves.com>

Hello all,

I have just installed pptpd (stable version), and something rather unusual just happened... My entire network, actually mostly workstations, froze...

I downloaded pptpd just today, installed it under a Redhat 6.1 distribution, supplied by DELL. Went thru the redhat-howto..., read the FAQ, got the server to work, tested it with an NT Workstation 4.0, I get connected no problem...

BTW, I am not using any private IPs... My simple conf. for testing purposes is:

/etc/pptpd.conf
debug
localip 208.203.135.254
remoteip 208.203.135.253

(I only wanted to test it first...)

/etc/ppp/options.pptp
lock
debug
auth
+chap
proxyarp

Of course I made 2 more changes:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

That was it, it worked great... until an hour later... :)

Just for reference: the system has 2 nics, both with 208.203.135.X numbers. Also I noticed under my /var/adm/messages the following:

Any help would be greatly appreciated.

PS: This server also provides DNS services...

Percy E Perez

Mar 16 12:22:42 versa36 pppd[6360]: pppd 2.3.10 started by root, uid 0
Mar 16 12:22:42 versa36 pppd[6360]: Using interface ppp0
Mar 16 12:22:42 versa36 pppd[6360]: Connect: ppp0 <--> /dev/pts/3
Mar 16 12:22:43 versa36 pptpd[6359]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 16 12:22:43 versa36 pppd[6360]: CHAP peer authentication succeeded for percyp
Mar 16 12:22:43 versa36 pppd[6360]: found interface eth0 for proxy arp
Mar 16 12:22:43 versa36 pppd[6360]: local IP address 208.203.135.254
Mar 16 12:22:43 versa36 pppd[6360]: remote IP address 208.203.135.253
Mar 16 12:23:26 versa36 pptpd[6359]: CTRL: Error with select(), quitting
Mar 16 12:23:26 versa36 pptpd[6359]: CTRL: Client 208.203.135.37 control connection finished
Mar 16 12:23:26 versa36 pppd[6360]: Modem hangup
Mar 16 12:23:26 versa36 pppd[6360]: Connection terminated.
Mar 16 12:23:26 versa36 pppd[6360]: Connect time 0.8 minutes.
Mar 16 12:23:26 versa36 pppd[6360]: Sent 607 bytes, received 1050 bytes.
Mar 16 12:23:26 versa36 pppd[6360]: Exit.
Mar 16 12:25:01 versa36 pptpd[5832]: MGR: No free connection slots or IPs - no more clients can connect!
Mar 16 13:19:02 versa36 pptpd[5832]: MGR: No free connection slots or IPs - no more clients can connect!
Mar 16 13:19:02 versa36 pptpd[6493]: CTRL: Client 208.203.135.37 control connection started
Mar 16 13:19:02 versa36 pptpd[6493]: CTRL: Starting call (launching pppd, opening GRE)
Mar 16 13:19:02 versa36 kernel: CSLIP: code copyright 1989 Regents of the University of California
Mar 16 13:19:02 versa36 kernel: PPP: version 2.3.7 (demand dialling)
Mar 16 13:19:02 versa36 kernel: PPP line discipline registered.

From ckhui at school.net.hk Tue Mar 20 07:47:56 2001
From: ckhui at school.net.hk (Hui Chun Kit)
Date: Tue, 20 Mar 2001 21:47:56 +0800
Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
References:
Message-ID: <3AB75F8C.B192A6D9@school.net.hk>

Do you use encryption on the connection (aka mppe)?

Jacky

Tife Chan wrote:

> This configuration should be fine as I'm running this setting in our network without problems.
> However, instead of using MCHAP, I use pap and "required encrypted password" enabled on the client setting.
>
> Regards,
> Tife
>
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org
> > [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Hui Chun Kit
> > Sent: Friday, March 16, 2001 1:06 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] Using ppp with PAM to authenticate against a NT PDC
> >
> > Dear all,
> >
> > I am running RH7 so I do love to use PAM since the pppd coming with RH7
> > is PAM-enabled. However, I cannot find any doc telling me how to authenticate
> > with PAM and in fact, can I setup a PPTP server such that:
> >
> > - all clients are WinME/Win98
> > - uses MCHAP and encryption
> > - authenticate against an NT PDC or sth like this with PAM
> >
> > Does anyone have any exp? Please share.. I have tried to setup the PPTP
> > server tonite but not yet tested it with Win98/ME but I will do it later. I failed
> > to connect to this PPTP server from a linux box running pptp-linux. No clues
> > at the moment.....
> > Any guidelines will highly be appreciated.
> > thx
> >
> > --
> > Best Rgds,
> >
> > Jacky Hui
> > Hong Kong

--
Best Rgds,

Jacky Hui
Hong Kong

From phil at barasoft.cz Tue Mar 20 08:42:11 2001
From: phil at barasoft.cz (Phil Curtis)
Date: Tue, 20 Mar 2001 15:42:11 +0100
Subject: [pptp-server] Problems
Message-ID:

Dear All,

I am having big problems with getting MS VPN to work. I am running SuSE 7.0 (2.2.16). By default the kernel is not configured for ip tunneling or gre, so I have recompiled the kernel. I have installed PoPToP and set the configuration files as laid out in the many readme documents, but it still won't work.

I am trying to connect my w2k laptop to my linux server with a direct cable connection. I do not have a firewall installed or configured. I also do not connect through a firewall, but the errors that I get (according to the documentation) indicate a firewall problem.

HELP ME PLEASE

Thanks
Phil.

Mar 20 15:38:51 linux pptpd[5637]: CTRL: local address = 192.168.10.100
Mar 20 15:38:51 linux pptpd[5637]: CTRL: remote address = 192.168.20.100
Mar 20 15:38:51 linux pptpd[5637]: CTRL: pppd speed = 115200
Mar 20 15:38:51 linux pptpd[5637]: CTRL: pppd options file = /etc/ppp/options.ppp0
Mar 20 15:38:51 linux pptpd[5637]: CTRL: Client 192.168.1.40 control connection started
Mar 20 15:38:51 linux pptpd[5637]: CTRL: Received PPTP Control Message (type: 1)
Mar 20 15:38:51 linux pptpd[5637]: CTRL: Made a START CTRL CONN RPLY packet
Mar 20 15:38:51 linux pptpd[5637]: CTRL: I wrote 156 bytes to the client.
Mar 20 15:38:51 linux pptpd[5637]: CTRL: Sent packet to client
Mar 20 15:38:53 linux pptpd[5637]: CTRL: Received PPTP Control Message (type: 7)
Mar 20 15:38:53 linux pptpd[5637]: CTRL: Set parameters to 1525 maxbps, 64 window size
Mar 20 15:38:53 linux pptpd[5637]: CTRL: Made a OUT CALL RPLY packet
Mar 20 15:38:53 linux pptpd[5637]: CTRL: Starting call (launching pppd, opening GRE)
Mar 20 15:38:53 linux pptpd[5637]: CTRL: pty_fd = 5
Mar 20 15:38:53 linux pptpd[5637]: CTRL: tty_fd = 6
Mar 20 15:38:53 linux pptpd[5638]: CTRL (PPPD Launcher): Connection speed = 115200
Mar 20 15:38:53 linux pptpd[5638]: CTRL (PPPD Launcher): local address = 192.168.10.100
Mar 20 15:38:53 linux pptpd[5638]: CTRL (PPPD Launcher): remote address = 192.168.20.100
Mar 20 15:38:53 linux pptpd[5637]: CTRL: I wrote 32 bytes to the client.
Mar 20 15:38:53 linux pptpd[5637]: CTRL: Sent packet to client
Mar 20 15:38:53 linux pptpd[5637]: CTRL: Received PPTP Control Message (type: 15)
Mar 20 15:38:53 linux pptpd[5637]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Mar 20 15:38:54 linux kernel: registered device ppp0
Mar 20 15:38:54 linux pppd[5638]: pppd 2.3.11 started by root, uid 0
Mar 20 15:38:54 linux pppd[5638]: Perms of /dev/pts/4 are ok, no 'mesg n' neccesary.
Mar 20 15:38:54 linux pppd[5638]: Using interface ppp0
Mar 20 15:38:54 linux pppd[5638]: Connect: ppp0 <--> /dev/pts/4
Mar 20 15:38:54 linux pppd[5638]: sent [LCP ConfReq id=0x1 ]
Mar 20 15:38:54 linux pppd[5638]: Timeout 0x8050ba0:0x807a580 in 3 seconds.
Mar 20 15:38:54 linux pptpd[5637]: GRE: Discarding duplicate packet
Mar 20 15:38:54 linux pppd[5638]: rcvd [LCP ConfAck id=0x1 ]
Mar 20 15:38:56 linux pppd[5638]: rcvd [LCP ConfReq id=0x1 < 11 04 06 4e> < 13 17 01 2e 91 98 34 fd bc 42 d7 8b c6 a4 75 f0 56 d2 c1 00 00 00 01>]
Mar 20 15:38:56 linux pppd[5638]: Fatal signal 11
Mar 20 15:38:56 linux pppd[5638]: Exit.
Mar 20 15:38:56 linux pptpd[5637]: GRE: read(fd=5,buffer=804dac0,len=8196) from PTY failed: status = -1 error = Input/output error
Mar 20 15:38:56 linux pptpd[5637]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Mar 20 15:38:56 linux pptpd[5637]: CTRL: Client 192.168.1.40 control connection finished
Mar 20 15:38:56 linux pptpd[5637]: CTRL: Exiting now
Mar 20 15:38:56 linux pptpd[193]: MGR: Reaped child 5637

From berzerke at swbell.net Tue Mar 20 09:03:02 2001
From: berzerke at swbell.net (robert)
Date: Tue, 20 Mar 2001 09:03:02 -0600
Subject: [pptp-server] Packets wont pass between localip and remoteip
In-Reply-To: <5.1.0.10.2.20010317083155.00af7b48@argus.cem.msu.edu>
References: <3AB0F65D.8636EF03@school.net.hk> <5.1.0.10.2.20010317083155.00af7b48@argus.cem.msu.edu>
Message-ID: <01032009030200.07763@linux>

For those wanting to run iptables/netfilter (the new linux firewalling code), I have a sample script at http://home.swbell.net/berzerke that includes (tested successfully) the ability to run a pptpd server with the firewall. I haven't tested it yet as a client. I am working on masquerading a pptpd connection with iptables, but that is not complete yet.

On Saturday 17 March 2001 07:38, Joe Ward wrote:
> I had this when I first started and I was missing one of these two
> ipchains:
>
> /sbin/ipchains -A forward -j ACCEPT -i ppp+ -s $INTLAN -d $INTLAN
> /sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $INTLAN
>
> I think if you have an inherently open FW setup then you just have to have
> the second one.
>
> -Joe Ward
>
> At 3/16/2001 11:39 AM, Chris Tresco wrote:
> >Kernel 2.4.2 , ppp 2.4.0

From jpej at geo-rede.com.br Tue Mar 20 12:25:28 2001
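Two of the logs posted in this thread (Percy's, with the "No free connection slots or IPs" manager messages after a single-address remoteip, and Phil's, where pppd dies with "Fatal signal 11" seconds after the control connection opens) are easier to read once the lines are grouped per control connection. The following is an added example, not a tool from the list or from PoPToP: a parser for the syslog lines pptpd and pppd write, which rebuilds each control connection by host and pptpd pid, records its duration and any error lines seen while it was open, and counts manager refusals and pppd crashes. The sample log is constructed from lines quoted in those two posts; the year is assumed to be 2001 because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample assembled from lines quoted in Percy's and Phil's posts.
SAMPLE_LOG = """\
Mar 16 12:22:43 versa36 pptpd[6359]: CTRL: Client 208.203.135.37 control connection started
Mar 16 12:22:43 versa36 pptpd[6359]: CTRL: Starting call (launching pppd, opening GRE)
Mar 16 12:22:43 versa36 pppd[6360]: CHAP peer authentication succeeded for percyp
Mar 16 12:23:26 versa36 pptpd[6359]: CTRL: Error with select(), quitting
Mar 16 12:23:26 versa36 pptpd[6359]: CTRL: Client 208.203.135.37 control connection finished
Mar 16 12:25:01 versa36 pptpd[5832]: MGR: No free connection slots or IPs - no more clients can connect!
Mar 16 13:19:02 versa36 pptpd[5832]: MGR: No free connection slots or IPs - no more clients can connect!
Mar 20 15:38:51 linux pptpd[5637]: CTRL: Client 192.168.1.40 control connection started
Mar 20 15:38:53 linux pptpd[5637]: CTRL: Starting call (launching pppd, opening GRE)
Mar 20 15:38:56 linux pppd[5638]: Fatal signal 11
Mar 20 15:38:56 linux pptpd[5637]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Mar 20 15:38:56 linux pptpd[5637]: CTRL: Client 192.168.1.40 control connection finished
Mar 20 15:38:56 linux pptpd[193]: MGR: Reaped child 5637
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Substrings that mark a line as an error worth attaching to the open session.
ERROR_MARKERS = ("failed", "Error", "EOF", "Fatal signal")


def analyze(text, year=2001):
    """Rebuild pptpd control connections and collect anomalies from a syslog excerpt."""
    open_sessions = {}          # (host, pptpd pid) -> session still in progress
    sessions, exhaustion = [], 0
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue            # kernel lines and anything else without [pid]
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        host, prog, pid, msg = m["host"], m["prog"], int(m["pid"]),  m["msg"]
        if prog == "pptpd" and "No free connection slots" in msg:
            exhaustion += 1     # manager refused a client: localip/remoteip pool used up
        elif prog == "pptpd" and msg.startswith("CTRL: Client ") \
                and msg.endswith("control connection started"):
            open_sessions[(host, pid)] = {"host": host, "pid": pid, "client": msg.split()[2],
                                          "start": ts, "end": None, "seconds": None, "errors": []}
        elif prog == "pptpd" and msg.endswith("control connection finished"):
            s = open_sessions.pop((host, pid), None)
            if s:
                s["end"], s["seconds"] = ts, int((ts - s["start"]).total_seconds())
                sessions.append(s)
        elif any(marker in msg for marker in ERROR_MARKERS):
            # pppd logs under its own pid, so attach errors to the open session on this host
            for s in open_sessions.values():
                if s["host"] == host:
                    s["errors"].append(msg.replace("CTRL: ", "", 1))
    sessions.extend(open_sessions.values())      # connections that never logged "finished"
    crashes = sum(1 for s in sessions if any(e.startswith("Fatal signal") for e in s["errors"]))
    return {"sessions": sessions, "slot_exhaustion": exhaustion, "pppd_crashes": crashes}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for s in report["sessions"]:
        print(f"{s['host']} pid {s['pid']} client {s['client']}: {s['seconds']}s, errors={s['errors']}")
    print("manager refusals:", report["slot_exhaustion"], "pppd crashes:", report["pppd_crashes"])
```

On Percy's lines the report shows a 43-second session that ended with "Error with select(), quitting" followed by two manager refusals, which is what a one-address remoteip produces once that address is held; on Phil's it shows a 5-second session whose only errors are the pppd crash and the PTY/GRE failure that follows it.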
From: jpej at geo-rede.com.br (Jose de Paula E. Junior)
Date: Tue, 20 Mar 2001 15:25:28 -0300
Subject: [pptp-server] Only one connection per ip?
Message-ID: <3AB7A098.5080406@geo-rede.com.br>

Hi

I'm using poptop in my server, and I made a masquerade gateway to serve a second building of my work. But from the machines behind the masquerade server I can connect, but just with one client. The other clients that connect to the server can't navigate at all.

The VPN-Masquerade-HOWTO says that it can happen with servers that permit just one control connection per IP. Does PopTop have this limitation? Is there a workaround for it? I have to put more than 30 clients connecting using this "masqueraded" server.

[]s
Jose de Paula E. Junior
Geo-rede Wireless Internet

From nhouben at hotmail.com Tue Mar 20 15:23:31 2001
From: nhouben at hotmail.com (Nico Houben)
Date: Tue, 20 Mar 2001 22:23:31 +0100
Subject: [pptp-server] routing problem.... both sides have cable internet + masq
Message-ID:

Hello everybody,

I've got a little problem with my routing.

Server1: 192.168.1.0/255.255.255.0 + 123.123.123.123/255.255.255.255
server2: 192.168.3.0/255.255.255.0 + DHCP

Now a client (win98) on server2 connects to server1 using pptp and receives ipnumber 192.168.1.101 ... now comes the problem. The internet connection goes over the pptp and not anymore over the local net :(

How can I solve this problem???

Greetings Nico

From Steve at SteveCowles.com Tue Mar 20 15:50:03 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Tue, 20 Mar 2001 15:50:03 -0600
Subject: [pptp-server] routing problem.... both sides have cable internet + masq
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6B9@defiant.infohiiway.com>

> -----Original Message-----
> From: Nico Houben [mailto:nhouben at hotmail.com]
> Sent: Tuesday, March 20, 2001 3:24 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] routing problem.... both sides have cable internet + masq
>
> Hello everybody,
>
> I've got a little problem with my routing.
>
> Server1: 192.168.1.0/255.255.255.0 + 123.123.123.123/255.255.255.255
> Server2: 192.168.3.0/255.255.255.0 + DHCP
>
> Now a client (win98) on server2 connects to server1 using pptp
> and receives ipnumber 192.168.1.101 ... now comes the problem.
> The internet connection goes over the pptp and not anymore over
> the local net :(
>
> How can I solve this problem???
>
> Greetings Nico

If I understand your post correctly, it sounds like you need to "un-check" the "Use default gateway on remote network" option in your Windows PPTP dialup profile settings.

Steve Cowles

From berzerke at swbell.net Tue Mar 20 17:31:41 2001
From: berzerke at swbell.net (robert)
Date: Tue, 20 Mar 2001 17:31:41 -0600
Subject: [pptp-server] routing problem.... both sides have cable internet + masq
In-Reply-To:
References:
Message-ID: <01032017314100.08650@linux>

On Tuesday 20 March 2001 15:23, Nico Houben wrote:
> Hello everybody,
>
> I've got a little problem with my routing.
>
> Server1: 192.168.1.0/255.255.255.0 + 123.123.123.123/255.255.255.255
>
> server2: 192.168.3.0/255.255.255.0 + DHCP
>
> Now a client (win98) on server2 connects to server1 using pptp and receives
> ipnumber 192.168.1.101 ... now comes the problem.
> The internet connection goes over the pptp and not anymore over the local net
> :(
>
> How can I solve this problem???
>
> Greetings Nico

In the client configuration, under TCP settings, there is a check box "use default gateway on remote network". Uncheck that.

From dreadboy at hotmail.com Wed Mar 21 00:45:21 2001
From: dreadboy at hotmail.com (Dread Boy)
Date: Tue, 20 Mar 2001 23:45:21 -0700
Subject: [pptp-server] libsmbpw.so vs chap-secrets
Message-ID:

OK, quick authentication questions... Are the following statements true or false:

1) Using libsmbpw.so in conjunction with the pppsmb.pat patch will force a client to send their password encrypted.

2) Using only chap-secrets without authenticating from smbpasswd will force a client to send their password plain-text.

3) Forcing an encrypted password from the client will force pptpd to decrypt it before authenticating with chap-secrets.

4) My password flies across the vast Internet cloud plain text when I use chap-secrets vs SMB password-encryption authentication.

I do like plugging up that libsmbpw blank username/password thing by using chap-secrets instead - but not at the expense of sending my passwords plain-text for others to snag. Should I be worried?

Thx.
Dreadly.

From jkreger at avidsolutionsinc.com Wed Mar 21 04:22:15 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger) Date: Wed, 21 Mar 2001 05:22:15 -0500 Subject: [pptp-server] libsmbpw.so vs chap-secrets Message-ID: <6B8A85826C35D31193BD0090278589C81DF089@CIC-EXCHANGE> >1) Using libsmbpw.so in conjunction with pppsmb.pat patch will force a >client to send their password encrypted. No such thing in the code, so False. >2) Using only chap-secrets without authenticating from smbpasswd will force >a client to send their password plain-text. False, you have it backwards, CHAP is encrypted. >3) Forcing an encrypted password from the client will force pptpd to decrypt >it before authenticating with chap-secrets. False, PPTPD is just a carrier: it takes a packet off the GRE tunnel and hands it to pppd, then it gets packets from pppd and sends them across the tunnel. >4) My password flies across the vast Internet cloud plain text when I use >chap-secrets vs SMB password-encryption authentication. False, it's in a hash. Justin Kreger, MCP MCSE Network Administrator Avid Solutions, Inc. Work E-Mail: jkreger at avidsolutionsinc.com Home E-Mail: jkreger at earthling.2y.net From heg at linpro.no Wed Mar 21 07:17:32 2001 From: heg at linpro.no (Hans Einar Gautun) Date: Wed, 21 Mar 2001 14:17:32 +0100 Subject: [pptp-server] vpn-trouble with w2k Message-ID: <20010321141732.A32675@beth> Hello everyone! I have a weird problem with w2k Professional as a vpn-client and a rh70 with pptpd 1.0.1 as a vpn-server. Here it goes: The client gets authenticated, and a connection is made, all with 128-bit crypt. The client gets an IP, and the server side of the tunnel gets another IP. A ping on the w2k to its own IP is OK, but a ping to the server-side IP is NOT. The packets are sent, and packets are coming back, but the client doesn't pick them up!? Any idea? It worked fine on winME btw. Thanks for the help Hans Einar Gautun heg at linpro.no From khaight at firespout.com Wed Mar 21 07:27:19 2001
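The challenge/response exchange behind Justin's answer on libsmbpw.so vs chap-secrets above, as an added example that is not part of any post on this list nor code from pppd or PoPToP. It implements plain CHAP as specified in RFC 1994 (MD5 over identifier, secret and challenge); the user name "dreadboy", the secret and the chap-secrets entry are constructed for the demo. pppd's MS-CHAP and MS-CHAPv2 (the +chapms / +chapms-v2 options in the configs on this page) replace MD5 with the NT password hash and DES, which is why the smbpasswd patch can verify from the stored NT hash, but the shape of the exchange and the two points shown here are the same: the secret itself never crosses the wire, and the server must hold the secret (or the hash the response is derived from) to check the answer. The last function is the caveat a practitioner still needs: a captured challenge/response pair can be tested against password guesses offline, so weak secrets remain weak even though they are never sent in the clear.

```python
import hashlib
import hmac
import os

# Constructed example entry, as it would sit in /etc/ppp/chap-secrets:
#   # client    server  secret       IP addresses
#   dreadboy    *       "n0t-this"   *
CHAP_SECRETS = {"dreadboy": b"n0t-this"}   # assumption: one demo user


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_challenge(length: int = 16) -> bytes:
    """The server picks a fresh random challenge for every authentication."""
    return os.urandom(length)


def client_answer(identifier: int, challenge: bytes, name: str, secret: bytes) -> dict:
    """Client side: the secret is used locally and never placed on the wire."""
    return {"name": name, "response": chap_response(identifier, secret, challenge)}


def server_verify(identifier: int, challenge: bytes, reply: dict, db=CHAP_SECRETS) -> bool:
    """Server side: recompute the hash from its own copy of the secret and compare.
    This is why chap-secrets must hold the secret itself (or, with the smbpasswd
    patch and MS-CHAP, the stored NT hash from which the response is derived)."""
    secret = db.get(reply["name"])
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), reply["response"])


def on_the_wire(challenge: bytes, reply: dict) -> dict:
    """What a sniffer between client and server sees: no password bytes."""
    return {"challenge": challenge.hex(), "name": reply["name"], "response": reply["response"].hex()}


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """The caveat: a captured challenge/response pair permits unlimited offline
    guessing without further contact with the server. Returns the matching guess or None."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def run_exchange(secret=b"n0t-this", name="dreadboy", identifier=1, challenge=None):
    """One full CHAP exchange; returns (accepted, wire_view)."""
    challenge = server_challenge() if challenge is None else challenge
    reply = client_answer(identifier, challenge, name, secret)
    return server_verify(identifier, challenge, reply), on_the_wire(challenge, reply)


if __name__ == "__main__":
    accepted, wire = run_exchange()
    print("server accepted:", accepted)
    print("seen on the wire:", wire)
    ch, resp = bytes.fromhex(wire["challenge"]), bytes.fromhex(wire["response"])
    print("offline guess from the capture:", offline_guess(1, ch, resp, [b"password", b"letmein", b"n0t-this"]))
```

Running it prints the accepted verdict and a wire view that contains only the challenge, the name and a 16-byte hash; the final line shows the same capture yielding the secret to a three-word guess list, which is the reason to pair CHAP with long secrets (and, on this page's setups, with MPPE for the payload rather than relying on the authentication step for confidentiality).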
From: khaight at firespout.com (Kris Haight) Date: Wed, 21 Mar 2001 08:27:19 -0500 Subject: [pptp-server] Almost Done... Stupid Microsoft Networking Problem Message-ID: <37E1E2BB9C28D311AB390008C707D2A60BAD1044@nycexis01.mi8.com> Okay- I've finally got everything up and working and it works beautifully. However I have one problem left to resolve. I've got a Windows NT Server acting as a PDC called "Altar", which is also our WINS Server. Well, when I connect in via ANY Operating System (95, 98, 2k), I cannot access this machine via Net Neighborhood or \\Altar. I get an error that states: "\\Altar is not accessible. The Network Path Not Found". I can however access it if I do a \\my.ip.address and it pops right up. I can also access any other machines on my network without a hitch. I am stumped. Any ideas would be greatly appreciated. -- Kris From diederik at future-web.com Wed Mar 21 12:53:44 2001 From: diederik at future-web.com (Diederik) Date: Wed, 21 Mar 2001 19:53:44 +0100 Subject: [pptp-server] Re: pptp-server digest, Vol 1 #188 - 10 msgs References: <200103211806.MAA60655@poontang.schulte.org> Message-ID: <001901c0b238$414f6990$bd8d8418@gloriel> ----- Original Message ----- 
Sent: Wednesday, March 21, 2001 7:06 PM Subject: pptp-server digest, Vol 1 #188 - 10 msgs > Message: 1 > Date: Tue, 20 Mar 2001 15:25:28 -0300 > From: "Jose de Paula E. Junior" > To: pptp-server at lists.schulte.org > Subject: [pptp-server] Only one connection per ip? > > Hi > > I'm using poptop on my server, and I made a masquerade gateway to serve a second building of my workplace. > > But from the machines behind the masquerade server I can connect, but just with one client. The other clients that connect to the server can't navigate at all. > > The VPN-Masquerade-HOWTO says that this can happen with servers that permit just one control connection per IP. > > Does PoPToP have this limitation? Is there a workaround for it? I have to put more than 30 clients connecting through this "masqueraded" server. > > []s > Jose de Paula E. Junior > Geo-rede Wireless Internet > > End of pptp-server Digest From dreadboy at hotmail.com Wed Mar 21 15:41:12 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Wed, 21 Mar 2001 14:41:12 -0700 Subject: [pptp-server] Re: NetBIOS Message-ID: Actually, Rob, it was a routing problem from the ppp+ interface to eth0. I needed another rule in my gateway script to route traffic from eth0 to eth0. I wrote an entirely new HOWTO in this March archive. The post is titled: "[pptp-server] Source, patches, simple howto for Redhat 6.2 pptpd under one roof (almost)" It has a link to all the docs and files you'll need for compilation, routing, etc. Hope it helps. >Dread, > >I remember sometime earlier in the past month that you realized that NetBIOS was being blocked when making a PPTP connection. You even had a log from some sniffer program to show you this (you posted the log info). I think I'm still suffering from a similar case, and was wondering what steps you took to determine that the port(s) were being blocked through PPTP. > >Thanks. > >-Rob From lukekalemyers at yahoo.com Wed Mar 21 21:10:14 2001 From: lukekalemyers at yahoo.com (Luke Myers) Date: Wed, 21 Mar 2001 19:10:14 -0800 Subject: [pptp-server] Clogged Tunnel! Message-ID: <002c01c0b27d$a0667820$ce67a4d0@luke> Hi Folks, I have three excellent-looking PPTP tunnels between one Redhat 7.0 box and three different Win98 clients. However, one tunnel will not pass any data, not even a ping!
I am using:
-- PoPToP v1.0.0
-- Linux 2.2.16-22
-- pppd 2.3.11
-- 128bit stateless encryption
-- 128bit Dial-up Networking upgrades
-- Windows 98

Following is the log output for a good connection:

Mar 21 21:40:42 ds pptpd[30394]: CTRL: Client 208.164.103.206 control connection started
Mar 21 21:40:45 ds pptpd[30394]: CTRL: Starting call (launching pppd, opening GRE)
Mar 21 21:40:45 ds pppd[30395]: pppd 2.3.11 started by root, uid 0
Mar 21 21:40:45 ds pppd[30395]: Using interface ppp2
Mar 21 21:40:45 ds pppd[30395]: Connect: ppp2 <--> /dev/pts/1
Mar 21 21:40:46 ds pppd[30395]: MSCHAP-v2 peer authentication succeeded for OUR-WORKGROUP\\luke
Mar 21 21:40:47 ds pppd[30395]: Cannot determine ethernet address for proxy ARP
Mar 21 21:40:47 ds pppd[30395]: local IP address 192.168.1.1
Mar 21 21:40:47 ds pppd[30395]: remote IP address 192.168.1.5
Mar 21 21:40:47 ds pppd[30395]: MPPE 128 bit, stateless compression enabled
Mar 21 21:44:45 ds pppd[29457]: LCP terminated by peer
Mar 21 21:44:47 ds pptpd[29456]: CTRL: Error with select(), quitting
Mar 21 21:44:47 ds pptpd[29456]: CTRL: Client 24.48.231.141 control connection finished
Mar 21 21:44:47 ds pppd[29457]: Modem hangup
Mar 21 21:44:47 ds pppd[29457]: Connection terminated.
Mar 21 21:44:47 ds pppd[29457]: Connect time 286.0 minutes.
Mar 21 21:44:47 ds pppd[29457]: Sent 4307228 bytes, received 1957577 bytes.
Mar 21 21:44:47 ds pppd[29457]: Exit.

Following is the first part of the log output for a connection that looks successful but cannot move any data:

Mar 21 20:32:21 ds pptpd[30114]: CTRL: Client 24.48.139.165 control connection started
Mar 21 20:32:21 ds pptpd[30114]: CTRL: Starting call (launching pppd, opening GRE)
Mar 21 20:32:21 ds pppd[30115]: pppd 2.3.11 started by root, uid 0
Mar 21 20:32:21 ds pppd[30115]: Using interface ppp0
Mar 21 20:32:21 ds pppd[30115]: Connect: ppp0 <--> /dev/pts/0
Mar 21 20:32:22 ds pppd[30115]: MSCHAP-v2 peer authentication succeeded for our-workgroup\\ldke$%^*
Mar 21 20:32:22 ds pppd[30115]: Cannot determine ethernet address for proxy ARP
Mar 21 20:32:22 ds pppd[30115]: local IP address 192.168.1.1
Mar 21 20:32:22 ds pppd[30115]: remote IP address 192.168.1.3
Mar 21 20:32:22 ds pppd[30115]: MPPE 128 bit, stateless compression enabled

Here is my /etc/ppp/options.pptp file:

auth
lock
debug
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
ms-wins 192.168.1.1

Here are the essentials from my /etc/pptpd.conf file:

option /etc/ppp/options.pptp
debug
localip 192.168.1.1
remoteip 192.168.1.2-254

This problem is mystifying because:

I can ping fine directly between the affected Win98 box and the Linux server,
the Win98 connection shows nothing wrong or abnormal about the connection,
the Linux log files show no difference between the good connections and the bad connection, and
disabling compression and encryption through Windows does not help.

From Steve at SteveCowles.com Wed Mar 21 23:16:50 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Wed, 21 Mar 2001 23:16:50 -0600 Subject: [pptp-server] Clogged Tunnel! Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6BC@defiant.infohiiway.com> > -----Original Message----- > From: Luke Myers [mailto:lukekalemyers at yahoo.com] > Sent: Wednesday, March 21, 2001 9:10 PM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] Clogged Tunnel!
> > > Hi Folks, > > I have three excellent-looking PPTP tunnels between one Redhat 7.0 > box and three different Win98 clients. However, one tunnel will not > pass any data, not even a ping! I am using: > > -- PoPToP v1.0.0 > -- Linux 2.2.16-22 > -- pppd 2.3.11 > -- 128bit stateless encryption > -- 128bit Dial-up Networking upgrades > -- Windows 98 > > Following is the log output for a good connection: >
> Mar 21 21:40:42 ds pptpd[30394]: CTRL: Client 208.164.103.206 control connection started
> Mar 21 21:40:45 ds pptpd[30394]: CTRL: Starting call (launching pppd, opening GRE)
> Mar 21 21:40:45 ds pppd[30395]: pppd 2.3.11 started by root, uid 0
> Mar 21 21:40:45 ds pppd[30395]: Using interface ppp2
> Mar 21 21:40:45 ds pppd[30395]: Connect: ppp2 <--> /dev/pts/1
> Mar 21 21:40:46 ds pppd[30395]: MSCHAP-v2 peer authentication succeeded for OUR-WORKGROUP\\luke
> Mar 21 21:40:47 ds pppd[30395]: Cannot determine ethernet address for proxy ARP

Although the above error is not the source of the problem you describe, you really need to resolve the proxy ARP error listed above. On a properly configured PPTP server, you should see an entry like:

Mar 12 16:53:52 excelsior pppd[767]: found interface eth0 for proxy arp

in your log files.

> Mar 21 21:40:47 ds pppd[30395]: local IP address 192.168.1.1
> Mar 21 21:40:47 ds pppd[30395]: remote IP address 192.168.1.5
> Mar 21 21:40:47 ds pppd[30395]: MPPE 128 bit, stateless compression enabled
> Mar 21 21:44:45 ds pppd[29457]: LCP terminated by peer
> Mar 21 21:44:47 ds pptpd[29456]: CTRL: Error with select(), quitting
> Mar 21 21:44:47 ds pptpd[29456]: CTRL: Client 24.48.231.141 control connection finished
> Mar 21 21:44:47 ds pppd[29457]: Modem hangup
> Mar 21 21:44:47 ds pppd[29457]: Connection terminated.
> Mar 21 21:44:47 ds pppd[29457]: Connect time 286.0 minutes.
> Mar 21 21:44:47 ds pppd[29457]: Sent 4307228 bytes, received 1957577 bytes.
> Mar 21 21:44:47 ds pppd[29457]: Exit.
> > Following is the first part of the log output for a connection that > looks successful but cannot move any data: >
> Mar 21 20:32:21 ds pptpd[30114]: CTRL: Client 24.48.139.165 control connection started
> Mar 21 20:32:21 ds pptpd[30114]: CTRL: Starting call (launching pppd, opening GRE)
> Mar 21 20:32:21 ds pppd[30115]: pppd 2.3.11 started by root, uid 0
> Mar 21 20:32:21 ds pppd[30115]: Using interface ppp0
> Mar 21 20:32:21 ds pppd[30115]: Connect: ppp0 <--> /dev/pts/0
> Mar 21 20:32:22 ds pppd[30115]: MSCHAP-v2 peer authentication succeeded for our-workgroup\\ldke$%^*
> Mar 21 20:32:22 ds pppd[30115]: Cannot determine ethernet address for proxy ARP

Same comment as above.

> Mar 21 20:32:22 ds pppd[30115]: local IP address 192.168.1.1
> Mar 21 20:32:22 ds pppd[30115]: remote IP address 192.168.1.3
> Mar 21 20:32:22 ds pppd[30115]: MPPE 128 bit, stateless compression enabled
> > Here is my /etc/ppp/options.pptp file: > > auth > lock > debug > proxyarp > +chap > +chapms > +chapms-v2 > mppe-40 > mppe-128 > mppe-stateless > ms-wins 192.168.1.1 > > Here are the essentials from my /etc/pptpd.conf file: > > option /etc/ppp/options.pptp > debug > localip 192.168.1.1 > remoteip 192.168.1.2-254 > > This problem is mystifying because: > > I can ping fine directly between the affected Win98 box and the Linux > server,

Huh!! Now I'm mystified. Earlier you stated that this system could not pass any data through the tunnel. Now you're stating that you can ping the PPTP server. Am I missing something?

> > Win98 connection shows nothing wrong or abnormal about the connection, > > The Linux log files show no difference between the good connections > and the bad connection, and > > Disabling compression and encryption through Windows does not help. >

Your config files look OK with the exception of the proxy arp error. The proxy arp errors can usually be fixed by assigning IP addresses in pptpd.conf (local/remote) that are within the network address range of the PPTP server's LAN (like eth0 or eth1). If that's not an option, then consider using IP aliasing to bind the 192.168.1.0/24 LAN to either the eth0 or eth1 interface. Check out the kernel source documentation directory /usr/src/linux/Documentation/alias.txt for info on IP aliasing. As for the Win98 system that is unable to send/receive data, consider reloading Microsoft's Dialup Networking. FWIW: Other list members have reported that reloading DUN fixed strange problems. Check this list's archives for the link @ Microsoft to download the latest DUN package. Good Luck! Steve Cowles

From dreadboy at hotmail.com Thu Mar 22 00:28:05 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Wed, 21 Mar 2001 23:28:05 -0700 Subject: [pptp-server] GRE Problems? Message-ID: OK, now that my pptpd server is working swell, how do I add a rule to my ipchains script on my gateway to allow me to connect to other VPN servers outside of my network? Packets seem to be rejected after negotiating with remote VPN servers after a few seconds and then I get disconnected. I remember seeing rules to do this somewhere; does anyone know what they are by any chance? I remember that the protocol was a number vs tcp, udp, etc. Thx. Dread. This is one of the messages I get after trying to connect to a remote VPN server from a node on my LAN:

Mar 21 23:20:03 wl2 kernel: Packet log: output REJECT eth1 PROTO=1 192.168.1.1:3 192.168.0.211:3 L=144 S=0xC0 I=48388 F=0x0000 T=255 (#3)
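Two checks for the two diagnoses above, added here as an example; this is not code from the list, from pptpd or from pppd. The first is the pre-check behind Steve's proxy ARP advice: pppd can only install a proxy ARP entry for a remote address that lies inside the subnet of one of the server's Ethernet interfaces, so the pool in pptpd.conf has to sit inside the LAN (or on an IP alias). It parses the pptpd.conf essentials Luke posted, including the last-octet range form "192.168.1.2-254", and reports which pool addresses no LAN subnet covers; the LAN of 10.0.0.0/24 is an assumption for the demo. The second decodes the ipchains "Packet log:" line Dread Boy posted and flags whether a logged packet belongs to a PPTP session, which needs the TCP/1723 control connection and GRE (IP protocol 47) through the gateway in both directions. The two extra log lines are constructed, and the port fields on the GRE line are placeholders since GRE has no ports.

```python
import ipaddress
import re

# 1. Proxy ARP pre-check. pppd only installs a proxy ARP entry for a remote
# address that lies inside the subnet of one of the server's Ethernet
# interfaces; otherwise it logs "Cannot determine ethernet address for proxy
# ARP". pptpd.conf pools are a plain address, a last-octet range such as
# "192.168.1.2-254", or a comma-separated mix of both.

LUKE_CONF = """\
option /etc/ppp/options.pptp
debug
localip 192.168.1.1
remoteip 192.168.1.2-254
"""  # the pptpd.conf essentials from Luke's post above


def expand_pptpd_range(spec: str):
    """Expand a pptpd.conf localip/remoteip value into IPv4Address objects."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            addrs.extend(ipaddress.IPv4Address(f"{prefix}{i}") for i in range(lo, hi + 1))
        else:
            addrs.append(ipaddress.IPv4Address(item))
    return addrs


def parse_pptpd_conf(text: str):
    """Minimal reader for pptpd.conf: '#' comments, one 'option [value]' per line."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def proxyarp_problems(pptpd_conf: str, lan_networks):
    """Pool addresses (localip and remoteip) that no LAN subnet covers; an empty
    list means proxyarp can work without adding an IP alias."""
    nets = [ipaddress.IPv4Network(n) for n in lan_networks]
    conf = parse_pptpd_conf(pptpd_conf)
    pool = expand_pptpd_range(conf["localip"]) + expand_pptpd_range(conf["remoteip"])
    return [str(a) for a in pool if not any(a in n for n in nets)]


# 2. ipchains reject-log decoder. Kernel 2.2 ipchains logging prints
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)
# and for ICMP the two "port" fields carry the ICMP type and code instead.
PPTP_TCP_PORT = 1723  # the PPTP control connection
GRE = 47              # IP protocol carrying the tunnelled PPP frames
ICMP = 1
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r".*?T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}

# Constructed sample: line 1 is the one from the post above; the GRE and
# TCP/1723 lines are invented (the port fields on the GRE line are placeholders).
SAMPLE_LOG = """\
Mar 21 23:20:03 wl2 kernel: Packet log: output REJECT eth1 PROTO=1 192.168.1.1:3 192.168.0.211:3 L=144 S=0xC0 I=48388 F=0x0000 T=255 (#3)
Mar 21 23:20:03 wl2 kernel: Packet log: forward DENY eth0 PROTO=47 192.168.0.211:65535 203.0.113.10:65535 L=60 S=0x00 I=1 F=0x0000 T=63 (#5)
Mar 21 23:20:04 wl2 kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.10:1723 192.168.1.1:1040 L=48 S=0x00 I=2 F=0x0000 T=55 (#1)
"""


def decode_ipchains_log(line: str):
    """Parse one ipchains log line into a dict; None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
    d["proto_name"] = PROTO_NAMES.get(d["proto"], str(d["proto"]))
    if d["proto"] == ICMP:
        d["icmp"] = f"type {d['sport']} ({ICMP_TYPES.get(d['sport'], '?')}) code {d['dport']}"
    # A PPTP session needs TCP/1723 and GRE through the gateway in both directions.
    d["pptp_related"] = d["proto"] == GRE or (
        d["proto"] == 6 and PPTP_TCP_PORT in (d["sport"], d["dport"]))
    d["blocked"] = d["action"] in ("DENY", "REJECT")
    return d


def pptp_blocks(log_text: str):
    """Decoded entries where the firewall dropped or rejected PPTP traffic."""
    return [d for d in map(decode_ipchains_log, log_text.splitlines())
            if d and d["blocked"] and d["pptp_related"]]


if __name__ == "__main__":
    # Assumed LAN: eth0 on 10.0.0.0/24, so the 192.168.1.x pool needs an alias.
    print("outside LAN:", len(proxyarp_problems(LUKE_CONF, ["10.0.0.0/24"])),
          "after alias:", proxyarp_problems(LUKE_CONF, ["10.0.0.0/24", "192.168.1.0/24"]))
    for entry in map(decode_ipchains_log, SAMPLE_LOG.splitlines()):
        print(entry["chain"], entry["action"], entry["proto_name"], entry.get("icmp", ""), entry["pptp_related"])
    print("rules blocking PPTP:", [d["rule"] for d in pptp_blocks(SAMPLE_LOG)])
```

On the posted line the decoder reports an ICMP type 3 code 3 (destination unreachable, port unreachable) that the gateway's own output chain rejected; that packet is not PPTP traffic itself, so the rule to look for is the one that produced the unreachable in the first place, and the GRE/1723 flag is what to grep for once ipchains logging is enabled on the forward chain.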
From dreadboy at hotmail.com Thu Mar 22 00:42:19 2001 From: dreadboy at hotmail.com (Dread Boy) Date: Wed, 21 Mar 2001 23:42:19 -0700 Subject: [pptp-server] Port Forwarding Message-ID: On the topic of ipchains, I downloaded the document http://www.monmouth.demon.co.uk/ipsubs/portfw-2.2.html which refers to ipmasqadm port forwarding. I downloaded the ipmasqadm RPM and installed it, but of course, my kernel doesn't have port forwarding compiled in. It did, however, have it compiled in with the default RH 6.2 installation, but since I built a new kernel to accommodate the MS-CHAP pptpd server, it does not have the module ip_masq_portfw.o in the new /lib/modules/2.2.17 directory hierarchy. When I use make menuconfig or make xconfig, I can't find anything that gives me an option to enable port forwarding anywhere. In the document noted above, it reads to: "include the following options: CONFIG_EXPERIMENTAL CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_IPPORTFW" Where exactly do I include these? Is there a configuration file under the enormous Linux kernel source tree I'm to change by hand? Also, how does one force a module to permanently stay after rebooting? I use insmod to pop it into a list somewhere, it's in modules.conf, how come it won't stay? Do I need to use modprobe instead? My apologies for the lack of knowledge here. Thx. Dreadly. =) From lars at jeppesen.nu Thu Mar 22 02:01:40 2001 From: lars at jeppesen.nu (Spock) Date: Thu, 22 Mar 2001 09:01:40 +0100 Subject: [pptp-server] connection error Message-ID: <003001c0b2a6$53d3f950$1f082a0a@spock> Hi, - I'm trying to set up my Linux firewall with PopTop so that my clients can call from their home xDSL connections and be on the local area network. I've set up everything, but when I try to initiate a connection from my VPN client, I get the following logfile entries - ...
Can someone point me to what's going wrong here???? Many thanx in advance... Lars Jeppesen lars at jeppesen.nu
###############################################################################
Mar 22 08:59:58 gw pppd[11362]: pppd 2.4.0 started by root, uid 0
Mar 22 08:59:58 gw pppd[11362]: Using interface ppp0
Mar 22 08:59:58 gw pppd[11362]: Connect: ppp0 <--> /dev/pts/1
Mar 22 08:59:58 gw pppd[11362]: sent [LCP ConfReq id=0x1 ]
Mar 22 08:59:58 gw pptpd[11361]: GRE: Discarding duplicate packet
Mar 22 09:00:00 gw pppd[11362]: rcvd [LCP ConfReq id=0x1 ]
Mar 22 09:00:00 gw pppd[11362]: sent [LCP ConfRej id=0x1 ]
Mar 22 09:00:00 gw pppd[11362]: rcvd [LCP ConfReq id=0x2 ]
Mar 22 09:00:00 gw pppd[11362]: sent [LCP ConfAck id=0x2 ]
Mar 22 09:00:01 gw pppd[11362]: sent [LCP ConfReq id=0x1 ]
Mar 22 09:00:01 gw pptpd[11361]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 22 09:00:01 gw pppd[11362]: rcvd [LCP ConfAck id=0x1 ]
Mar 22 09:00:01 gw pppd[11362]: sent [CHAP Challenge id=0x1 <1b523e2596cdcab5573443bbca18549b29c9f761b6b304>, name = "gw"]
Mar 22 09:00:01 gw pppd[11362]: rcvd [LCP code=0xc id=0x3 49 18 38 9c 4d 53 52 41 53 56 35 2e 30 30]
Mar 22 09:00:01 gw pppd[11362]: sent [LCP CodeRej id=0x2 0c 03 00 12 49 18 38 9c 4d 53 52 41 53 56 35 2e 30 30]
Mar 22 09:00:01 gw pppd[11362]: rcvd [LCP code=0xc id=0x4 49 18 38 9c 4d 53 52 41 53 2d 31 2d 53 50 4f 43 4b]
Mar 22 09:00:01 gw pppd[11362]: sent [LCP CodeRej id=0x3 0c 04 00 15 49 18 38 9c 4d 53 52 41 53 2d 31 2d 53 50 4f 43 4b]
Mar 22 09:00:01 gw pppd[11362]: rcvd [CHAP Response id=0x1 <23d82b8e23c393c05d58236e665c4a88>, name = "spock"]
Mar 22 09:00:01 gw pppd[11362]: sent [CHAP Success id=0x1 "Welcome to gw."]
Mar 22 09:00:01 gw pppd[11362]: sent [IPCP ConfReq id=0x1 ]
Mar 22 09:00:01 gw pppd[11362]: sent [CCP ConfReq id=0x1 ]
Mar 22 09:00:01 gw pppd[11362]: CHAP peer authentication succeeded for spock
Mar 22 09:00:01 gw pppd[11362]: rcvd [CCP ConfReq id=0x5 < 12 06 01 00 00 01>]
Mar 22 09:00:01 gw pppd[11362]: sent [CCP ConfRej id=0x5 < 12 06 01 00 00 01>]
Mar 22 09:00:01 gw pppd[11362]: rcvd [IPCP ConfReq id=0x6 ]
Mar 22 09:00:01 gw pppd[11362]: sent [IPCP ConfRej id=0x6 ]
Mar 22 09:00:01 gw pppd[11362]: rcvd [IPCP ConfRej id=0x1 ]
Mar 22 09:00:01 gw pppd[11362]: sent [IPCP ConfReq id=0x2 ]
Mar 22 09:00:01 gw pppd[11362]: rcvd [CCP ConfRej id=0x1 ]
Mar 22 09:00:02 gw pppd[11362]: sent [CCP ConfReq id=0x2]
Mar 22 09:00:02 gw pppd[11362]: rcvd [CCP TermReq id=0x7 "I\0308\37777777634\000<\37777777715t\000\000\002\37777777734"]
Mar 22 09:00:02 gw pppd[11362]: sent [CCP TermAck id=0x7]
Mar 22 09:00:02 gw pppd[11362]: rcvd [IPCP ConfReq id=0x8 ]
Mar 22 09:00:02 gw pppd[11362]: sent [IPCP ConfNak id=0x8 ]
Mar 22 09:00:02 gw pppd[11362]: rcvd [IPCP ConfAck id=0x2 ]
Mar 22 09:00:02 gw pppd[11362]: rcvd [IPCP TermReq id=0x9 "I\0308\37777777634\000<\37777777715t\000\000\002\37777777737"]
Mar 22 09:00:02 gw pppd[11362]: sent [IPCP TermAck id=0x9]
Mar 22 09:00:02 gw pptpd[11361]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 22 09:00:02 gw pptpd[11361]: CTRL: Error with select(), quitting
Mar 22 09:00:02 gw pptpd[11361]: CTRL: Client 10.42.8.31 control connection finished
Mar 22 09:00:02 gw pppd[11362]: Modem hangup
Mar 22 09:00:02 gw pppd[11362]: Connection terminated.
Mar 22 09:00:02 gw pppd[11362]: Connect time 0.1 minutes.
Mar 22 09:00:02 gw pppd[11362]: Sent 603 bytes, received 563 bytes.
Mar 22 09:00:02 gw pppd[11362]: Exit.
Mar 22 09:00:09 gw sshd[709]: log: RSA key generation complete.
Mar 22 09:00:13 gw dhcpd: DHCPINFORM from 10.42.8.42
-------------------------------------------------------
Lars Jeppesen http://lars.jeppesen.nu lars at jeppesen.nu aldrig-tabt at bordfodbold.org ICQ: spock at home spock at laptop spock at work
From siddharth at egujarat.net Thu Mar 22 02:22:07 2001 From: siddharth at egujarat.net (Siddharth) Date: Thu, 22 Mar 2001 13:52:07 +0530 Subject: [pptp-server] kernel not compiling Message-ID: <200103220822.f2M8M3k08334@mail.ishwarn.com> Hello everyone, My problem may be something already solved but here goes... when I compile the 2.2.14 kernel source after patching ppp-2.3.11 and doing a make kernel in its directory, I get the following errors and the ppp.c etc. files do not compile.
ppp.c:188: warning: static declaration for `ppp_register_compressor_R9682e733' follows non-static
ppp.c:189: warning: static declaration for `ppp_unregister_compressor_Ra1b928df' follows non-static
ppp.c: In function `rcv_proto_unknown':
ppp.c:2563: too few arguments to function `kill_fasync_R5e73d35d'
make[1]: *** [ppp.o] Error 1
make: *** [_mod_drivers/net] Error 2
and no .o files are added to /lib/modules/2.2.14.5/net siddharth sysad ecomm From mjo at pbj.dk Thu Mar 22 02:27:18 2001 From: mjo at pbj.dk (Mikael Johnsen) Date: Thu, 22 Mar 2001 09:27:18 +0100 Subject: [pptp-server] Time Outs Message-ID: <1DA605F7E2EAD411B7A9009027DDD2C35AB3@PBJ-EXCHG> Hi Guys A quick question: is there some kind of time out when a user has been idle for 5 minutes or so?
Med venlig hilsen / Best regards Mikael Johnsen Systemadministrator / System Administrator PBJ Consult A/S Phone: +45 43 62 74 00 Roholmsvej 10 G Fax: +45 43 62 74 24 DK-2620 Albertslund Email: mailto:mjo at pbj.dk Homepage: www.pbj.dk From hatnet at free.fr Thu Mar 22 02:29:04 2001 From: hatnet at free.fr (hatim) Date: Thu, 22 Mar 2001 09:29:04 +0100 Subject: [pptp-server] vpn and network place References: Message-ID: <00c401c0b2aa$28156890$3601a8c0@hatimsf> hi all, I'm trying to set up a vpn between two networks with linux and win:
LINUX 1 IP 192.168.0.1 & 192.168.200.1 (ppp0) for vpn
LINUX 2 IP 192.168.1.1 & 192.168.200.2 (ppp0) for vpn
WIN 1 192.168.0.2
WIN 2 192.168.1.2
[ASCII diagram: LINUX 1 and LINUX 2 joined by the VPN link, WIN 1 attached to LINUX 1 and WIN 2 attached to LINUX 2]
From rnaujack at wave-ag.de Thu Mar 22 02:29:19 2001 From: rnaujack at wave-ag.de (Rudolf Naujack) Date: Thu, 22 Mar 2001 09:29:19 +0100 Subject: [pptp-server] Win98-client dies after idle-time Message-ID: Hello, I've a problem with one win98-client (SE) and pptp: I use (in ppp/options) "idle 180" for disconnecting idle clients. This win98-pc reboots if pptp kills the connection after 3 min idle-time. If the client is active all the time, there are no problems. As a first workaround, I've set idle to 1800 instead, but that's no real solution... thanks Rudolf Naujack Wave Management AG Tel: 040-611 856 60 Fax: -90 From Steve at SteveCowles.com Thu Mar 22 07:48:29 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Thu, 22 Mar 2001 07:48:29 -0600 Subject: [pptp-server] GRE Problems? Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6BD@defiant.infohiiway.com> > -----Original Message----- > From: Dread Boy [mailto:dreadboy at hotmail.com] > Sent: Thursday, March 22, 2001 12:28 AM > To: pptp-server at lists.schulte.org; vgill at technologist.com > Subject: [pptp-server] GRE Problems?
>
> OK, now that my pptpd server is working swell, how do I add a rule to my ipchains script on my gateway to allow me to connect to other VPN servers outside of my network?
>
> Packets seem to be rejected after negotiating with remote VPN servers after a few seconds and then I get disconnected.
>
> I remember seeing rules to do this somewhere, does anyone know what they are by any chance? I remember that protocol was a number vs tcp, udp, etc.
>
> Thx. Dread.
>
> This is one of the messages I get after trying to connect to a remote VPN server from a node on my LAN:
>
> Mar 21 23:20:03 wl2 kernel: Packet log: output REJECT eth1 PROTO=1 192.168.1.1:3 192.168.0.211:3 L=144 S=0xC0 I=48388 F=0x0000 T=255 (#3)

On your firewall/gateway - Have you patched the kernel to support MASQ'd PPTP connections??? i.e. ip_masq_pptp.o

Checkout: http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

Also, PPTP based VPN's use Protocol 47 (GRE) and TCP port 1723.

Steve Cowles

From wwwandi at aon.at Thu Mar 22 07:58:59 2001
From: wwwandi at aon.at (Andreas Sussitz (privat))
Date: Thu, 22 Mar 2001 14:58:59 +0100
Subject: [pptp-server] PPTP Client and Server running at the same time?
Message-ID: <001501c0b2d8$3ea6c210$0900a8c0@Datenbank>

Please, could anybody help me?

I'm trying to run them at the same time ... my ADSL provider uses VPN to connect through the ADSL modem (Alcatel Speed Touch Home) to the Internet. So my OpenBSD server runs once the pptp -> getting the IP to the ppp0 device ...

When trying to log in:

Mar 22 15:56:02 server pppd[29934]: pppd 2.3.5 started by root, uid 0
Mar 22 15:56:02 server pppd[29934]: Connect: ppp1 <--> /dev/ttyp2
Mar 22 15:56:33 server pppd[29934]: LCP: timeout sending Config-Requests
Mar 22 15:56:33 server pppd[29934]: Connection terminated.
Mar 22 15:56:33 server pptpd[32486]: GRE: read(fd=4,buffer=654c,len=8196) from PTY failed: status = 0 error = No error
Mar 22 15:56:33 server pptpd[32486]: GRE: read(fd=4,buffer=654c,len=8196) from PTY failed: status = 0 error = No error
Mar 22 15:56:33 server pptpd[32486]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Mar 22 15:56:33 server pptpd[32486]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)

maybe it's the problem that both pptp and pptpd are running, don't know :(

From Steve at SteveCowles.com Thu Mar 22 08:13:19 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Thu, 22 Mar 2001 08:13:19 -0600
Subject: [pptp-server] Port Forwarding
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6BE@defiant.infohiiway.com>

> -----Original Message-----
> From: Dread Boy [mailto:dreadboy at hotmail.com]
> Sent: Thursday, March 22, 2001 12:42 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Port Forwarding
>
> On the topic of ipchains, I downloaded the document http://www.monmouth.demon.co.uk/ipsubs/portfw-2.2.html which refers to ipmasqadm port forwarding.
>
> I downloaded the ipmasqadm RPM and installed it, but of course, my kernel doesn't have port forwarding compiled in. It did, however, have it compiled in with the default RH 6.2 installation, but since I built a new kernel to accommodate the MS-CHAP pptpd server, it does not have the module ip_masq_portfw.o in the new /lib/modules/2.2.17 directory hierarchy.
>
> When I use make menuconfig or make xconfig, I can't find anything that gives me an option to enable port forwarding anywhere.
>
> In the document noted above, it reads to:
>
> "include the following options:
>
> CONFIG_EXPERIMENTAL
> CONFIG_IP_MASQUERADE
> CONFIG_IP_MASQUERADE_IPPORTFW"
>
> Where exactly do I include these?
>
> Is there a configuration file under the enormous Linux kernel source tree I'm to change by hand?
>
> Also, how does one force a module to permanently stay after rebooting? I use insmod to pop it into a list somewhere, it's in modules.conf, how come it won't stay? Do I need to use modprobe instead?
>
> My apologies for the lack of knowledge here.
>
> Thx. Dreadly. =)

The following .config entries are the relevant kernel networking options that need to be enabled to create/support port forwarding (ipmasqadm). Also, I included the masq'd PPTP options that will be required to support masq'd PPTP tunnels from your previous post.

FYI: The masq'd PPTP options will be available once you patch your kernel. The port forwarding options (ip masquerade) are standard equipment with any 2.2.x kernel.

Steve Cowles

-----------------------------------
CONFIG_IP_FIREWALL=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m
CONFIG_IP_MASQUERADE_IPPORTFW=m
CONFIG_IP_MASQUERADE_MFW=m
CONFIG_IP_MASQUERADE_PPTP=m
CONFIG_IP_MASQUERADE_IPSEC=m
CONFIG_IP_MASQUERADE_IPSEC_EXPIRE=30

From Steve at SteveCowles.com Thu Mar 22 08:43:14 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Thu, 22 Mar 2001 08:43:14 -0600
Subject: [pptp-server] vpn and network place
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6BF@defiant.infohiiway.com>

> -----Original Message-----
> From: hatim [mailto:hatnet at free.fr]
> Sent: Thursday, March 22, 2001 2:29 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] vpn and network place
>
> hi all
> I'm trying to set up a VPN between two networks with Linux and Win.
>
> LINUX 1 IP 192.168.0.1 & 192.168.200.1 (ppp0) for vpn
> LINUX 2 IP 192.168.1.1 & 192.168.200.2 (ppp0) for vpn
>
> WIN 1 192.168.0.2
> WIN 2 192.168.1.2
>
> From WIN 1, I can ping and traceroute linux 2 and win 2.
> I installed samba in linux 1 and linux 2 to view all PCs in the network place of win 1 and win 2, but I see in Network place of win 1: linux 1, linux 2 and NOT win 2; I can
> not find it?
> Is there anything to specify in samba for VPN support?? I changed that to interfaces = 192.168.1.0/24 192.168.0.0/24 192.168.200.1 192.168.200.2
> but no result
>
> thanks for your help
>
> hatim (redhat 6.2)

If I understand your post correctly, you are creating a single (lan-to-lan) VPN between linux1 and linux2 boxes so that clients on either LAN can route data between each other. If that's the case...

When you configured Samba:

1) Did you enable "wins support"? i.e. WINS server
2) Are the Windows systems configured to register with that WINS server? i.e. Did you specify the address of the WINS servers in network->tcp/ip->properties
3) Have you enabled "remote browse sync" between the two WINS servers?

Type: man smb.conf for further info

Steve Cowles

From littlekuke at hotmail.com Thu Mar 22 08:45:48 2001
From: littlekuke at hotmail.com (Darren Kuik)
Date: Thu, 22 Mar 2001 08:45:48 -0600
Subject: [pptp-server] masquerading VPN server (NT)
Message-ID:

Hi list,

I am trying to masquerade an NT server behind my linux firewall gateway (RH7 kernel 2.2.17). I have installed the vpn masq patch and ipmasqadm and ipfwd.

I can masquerade clients going out from my LAN but I can't seem to forward inbound connections to my server on the same LAN.

Someone suggested that I needed to install ms-chap and mppe. Is this true? If so it's not in the VPN masquerade HOWTO. So does anyone know what additional setup is required to masquerade a VPN server other than setting up ipfwd and ipmasqadm and setting up the appropriate filters using ipchains?

Thanks a lot,

dk

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
From Steve at SteveCowles.com Thu Mar 22 09:39:00 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Thu, 22 Mar 2001 09:39:00 -0600
Subject: [pptp-server] masquerading VPN server (NT)
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6C0@defiant.infohiiway.com>

> -----Original Message-----
> From: Darren Kuik [mailto:littlekuke at hotmail.com]
> Sent: Thursday, March 22, 2001 8:46 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] masquerading VPN server (NT)
>
> Hi list,
>
> I am trying to masquerade an NT server behind my linux firewall gateway (RH7 kernel 2.2.17). I have installed the vpn masq patch and ipmasqadm and ipfwd.
>
> I can masquerade clients going out from my LAN but I can't seem to forward inbound connections to my server on the same LAN.
>
> Someone suggested that I needed to install ms-chap and mppe. Is this true?

No! Since you are trying to establish a VPN to a (masq'd) MS based PPTP server and not a linux based PPTP server, then you do not need to worry about adding ms-chap/mppe support. Microsoft's PPTP server already supports mschap/mppe.

> If so it's not in the VPN masquerade HOWTO. So does anyone know what additional setup is required to masquerade a VPN server other than setting up ipfwd and ipmasqadm and setting up the appropriate filters using ipchains?

Sounds like you have taken care of the necessary prerequisites. i.e. vpn masq patch, ipmasqadm and ipfwd. If you are still not able to establish an inbound tunnel to your (masq'd) MS PPTP server, then one of the above is not properly configured. Since I run a masq'd PPTP server behind my linux firewall, I can only offer the following examples.

For the purpose of this post... My masq'd pptp server's ip address is 192.168.9.3 and the external ip address of my firewall is 1.2.3.4

---- ipfwd -----
ipfwd --masq 192.168.9.3 47 &

to verify that ipfwd is running...

# ps auwx | grep ipfwd
root 1788 0.0 0.1 788 40 ?
S Mar 7 0:00 ipfwd --masq 192.168.9.3 47

---- ipmasqadm -----
ipmasqadm -a -P tcp -L 1.2.3.4 1723 -R 192.168.9.3 1723

to verify that ipmasqadm is properly configured

# ipmasqadm portfw -ln
prot localaddr rediraddr lport rport pcnt pref
TCP 1.2.3.4 192.168.9.3 1723 1723 10 10

Since I use Seawall ( http://seawall.sourceforge.net ) to setup my ipchain rules for my firewall, the following rules are relevant for running a masq'd PPTP server.

# ipchains -L -n | grep gre
ACCEPT gre ------ 0.0.0.0/0 1.2.3.4 n/a

# ipchains -L -n | grep 1723
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1723

... and the relevant modules

# lsmod
Module Pages Used by
ip_masq_pptp 4032 2
ip_masq_mfw 3040 0 (unused)
ip_masq_portfw 2328 6

Steve Cowles

From vgill at technologist.com Thu Mar 22 11:53:49 2001
From: vgill at technologist.com (Gill, Vern)
Date: Thu, 22 Mar 2001 09:53:49 -0800
Subject: [pptp-server] GRE Problems?
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D58@ftp.gillnet.org>

> I remember seeing rules to do this somewhere, does anyone know what they are by any chance? I remember that protocol was a number vs tcp, udp, etc.

logger -t masq-firewall -s "Allow PPTP Server Connections on port 1723"
$IPCHAINS -A input -j ACCEPT -p tcp -s $ALLADDR 1723 -d $ALLADDR -v
$IPCHAINS -A output -j ACCEPT -p tcp -s $ALLADDR -d $ALLADDR 1723 -v
logger -t masq-firewall -s "Allow PPTP Server Connections on port 47"
$IPCHAINS -A input -p 47 -j ACCEPT -v
$IPCHAINS -A output -p 47 -j ACCEPT -v

That should fix you up. These are not necessarily the BEST rules to use, but they worked for me for about 8 months with no problems. Now I use iptables. BTW, you REALLY should consider moving up to kernel 2.4.x. Check out my site... http://linus.yi.org. Got a page for the Masq stuff, and one for the ppp/pptp stuff. Check it out.
From vgill at technologist.com Thu Mar 22 11:59:54 2001
From: vgill at technologist.com (Gill, Vern)
Date: Thu, 22 Mar 2001 09:59:54 -0800
Subject: [pptp-server] Port Forwarding
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D59@ftp.gillnet.org>

> Also, how does one force a module to permanently stay after rebooting? I use insmod to pop it into a list somewhere, it's in modules.conf, how come it won't stay? Do I need to use modprobe instead?

Put this in the top of your ipchains script and it will make sure all the necessary modules get loaded every time you run it. Any that it doesn't need will "autoclean" themselves.

logger -t masq-firewall -s "Loading Masquerading Modules"
# Load every ip_* module found for the running kernel, except the ones handled below
for x in `find /lib/modules/$(uname -r)/ -iname 'ip_*' | cut -d"/" -f6 | cut -d"." -f1 | grep -v raudio | grep -v ip_masq_pptp`; do
    /sbin/modprobe -a -k -s -v "$x"
done
# Do RealAudio separately
/sbin/modprobe -a -k -s -v ip_masq_raudio ports=554,7070,7071,6970,6971
# Do PPTP Masq separately
/sbin/modprobe -a -s -v ip_masq_pptp
# Do Quake Module separately
/sbin/modprobe -a -k -s -v ip_masq_quake 26000,27000,27910,27960
logger -t masq-firewall -s "Loading Masquerading Modules Done!"

Again, not necessarily the BEST way to skin a cat, but certainly works.
From berzerke at swbell.net Thu Mar 22 15:43:34 2001
From: berzerke at swbell.net (robert)
Date: Thu, 22 Mar 2001 15:43:34 -0600
Subject: [pptp-server] connection error
In-Reply-To: <003001c0b2a6$53d3f950$1f082a0a@spock>
References: <003001c0b2a6$53d3f950$1f082a0a@spock>
Message-ID: <01032215433400.21286@linux>

What kernel are you using? What patches did you apply? Any errors applying those patches? What does your modules.conf look like?

On Thursday 22 March 2001 02:01, Spock wrote:
> Hi,
> - I'm trying to set up my Linux firewall with PopTop so that my clients can call from their home xDSL connections and be on the local area network.
>
> I've set up everything, but when I try to initiate a connection from my VPN client, I get the following logfile entries - ...
>
> Can someone point me to what's going wrong here????
>
> Many thanx in advance...
>
> Lars Jeppesen
> lars at jeppesen.nu
> ###############################################################################
>
> Mar 22 08:59:58 gw pppd[11362]: pppd 2.4.0 started by root, uid 0
> Mar 22 08:59:58 gw pppd[11362]: Using interface ppp0
> Mar 22 08:59:58 gw pppd[11362]: Connect: ppp0 <--> /dev/pts/1
> Mar 22 08:59:58 gw pppd[11362]: sent [LCP ConfReq id=0x1 ]
> Mar 22 08:59:58 gw pptpd[11361]: GRE: Discarding duplicate packet
> Mar 22 09:00:00 gw pppd[11362]: rcvd [LCP ConfReq id=0x1 [local:a4.6b.1d.88.12.0c.4b.df.aa.d6.e7.50.65.a8.51.59.00.00.00.02]>]
> Mar 22 09:00:00 gw pppd[11362]: sent [LCP ConfRej id=0x1 1614>]
> Mar 22 09:00:00 gw pppd[11362]: rcvd [LCP ConfReq id=0x2 0x4918389c> .4b.df.aa.d6.e7.50.65.a8.51.59.00.00.00.02]>]
> Mar 22 09:00:00 gw pppd[11362]: sent [LCP ConfAck id=0x2 .4b.df.aa.d6.e7.50.65.a8.51.59.00.00.00.02]>]
> Mar 22 09:00:01 gw pppd[11362]: sent [LCP ConfReq id=0x1 ]
> Mar 22 09:00:01 gw pptpd[11361]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Mar 22 09:00:01 gw pppd[11362]: rcvd [LCP ConfAck id=0x1 MD5> ]
> Mar 22 09:00:01 gw pppd[11362]: sent [CHAP Challenge id=0x1 <1b523e2596cdcab5573443bbca18549b29c9f761b6b304>, name = "gw"]
> Mar 22 09:00:01 gw pppd[11362]: rcvd [LCP code=0xc id=0x3 49 18 38 9c 4d 53 52 41 53 56 35 2e 30 30]
> Mar 22 09:00:01 gw pppd[11362]: sent [LCP CodeRej id=0x2 0c 03 00 12 49 18 38 9c 4d 53 52 41 53 56 35 2e 30 30]
> Mar 22 09:00:01 gw pppd[11362]: rcvd [LCP code=0xc id=0x4 49 18 38 9c 4d 53 52 41 53 2d 31 2d 53 50 4f 43 4b]
> Mar 22 09:00:01 gw pppd[11362]: sent [LCP CodeRej id=0x3 0c 04 00 15 49 18 38 9c 4d 53 52 41 53 2d 31 2d 53 50 4f 43 4b]
> Mar 22 09:00:01 gw pppd[11362]: rcvd [CHAP Response id=0x1 <23d82b8e23c393c05d58236e665c4a88>, name = "spock"]
> Mar 22 09:00:01 gw pppd[11362]: sent [CHAP Success id=0x1 "Welcome to gw."]
> Mar 22 09:00:01 gw pppd[11362]: sent [IPCP ConfReq id=0x1 01>]
> Mar 22 09:00:01 gw pppd[11362]: sent [CCP ConfReq id=0x1 ]
> Mar 22 09:00:01 gw pppd[11362]: CHAP peer authentication succeeded for spock
> Mar 22 09:00:01 gw pppd[11362]: rcvd [CCP ConfReq id=0x5 < 12 06 01 00 00 01>]
> Mar 22 09:00:01 gw pppd[11362]: sent [CCP ConfRej id=0x5 < 12 06 01 00 00 01>]
> Mar 22 09:00:01 gw pppd[11362]: rcvd [IPCP ConfReq id=0x6 ]
> Mar 22 09:00:01 gw pppd[11362]: sent [IPCP ConfRej id=0x6 ]
> Mar 22 09:00:01 gw pppd[11362]: rcvd [IPCP ConfRej id=0x1 01>]
> Mar 22 09:00:01 gw pppd[11362]: sent [IPCP ConfReq id=0x2 10.42.8.51>]
> Mar 22 09:00:01 gw pppd[11362]: rcvd [CCP ConfRej id=0x1 ]
> Mar 22 09:00:02 gw pppd[11362]: sent [CCP ConfReq id=0x2]
> Mar 22 09:00:02 gw pppd[11362]: rcvd [CCP TermReq id=0x7 "I\0308\37777777634\000<\37777777715t\000\000\002\37777777734"]
> Mar 22 09:00:02 gw pppd[11362]: sent [CCP TermAck id=0x7]
> Mar 22 09:00:02 gw pppd[11362]: rcvd [IPCP ConfReq id=0x8 10.42.8.69>]
> Mar 22 09:00:02 gw pppd[11362]: sent [IPCP ConfNak id=0x8 ]
> Mar 22 09:00:02 gw pppd[11362]: rcvd [IPCP ConfAck id=0x2 ]
> Mar 22 09:00:02 gw pppd[11362]: rcvd [IPCP TermReq id=0x9 "I\0308\37777777634\000<\37777777715t\000\000\002\37777777737"]
> Mar 22 09:00:02 gw pppd[11362]: sent [IPCP TermAck id=0x9]
> Mar 22 09:00:02 gw pptpd[11361]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Mar 22 09:00:02 gw pptpd[11361]: CTRL: Error with select(), quitting
> Mar 22 09:00:02 gw pptpd[11361]: CTRL: Client 10.42.8.31 control connection finished
> Mar 22 09:00:02 gw pppd[11362]: Modem hangup
> Mar 22 09:00:02 gw pppd[11362]: Connection terminated.
> Mar 22 09:00:02 gw pppd[11362]: Connect time 0.1 minutes.
> Mar 22 09:00:02 gw pppd[11362]: Sent 603 bytes, received 563 bytes.
> Mar 22 09:00:02 gw pppd[11362]: Exit.
> Mar 22 09:00:09 gw sshd[709]: log: RSA key generation complete.
> Mar 22 09:00:13 gw dhcpd: DHCPINFORM from 10.42.8.42
> -------------------------------------------------------
>
> Lars Jeppesen
> http://lars.jeppesen.nu
> lars at jeppesen.nu
> aldrig-tabt at bordfodbold.org
> ICQ: spock at home spock at laptop spock at work
>
> --------------------------------------------------------------
> Bomb Attack Echelon Iraq Kosovo Islam Terrorist Murder CIA NSA Slashdot Robbery Secret Serbia Nuclear Laser Alien Spaceprobe FBI SDI Gadaffi Waco Unabomber McVeigh Microsoft Kidnapped Ransom Barak Bush Osama Bin-Laden

From berzerke at swbell.net Thu Mar 22 15:47:34 2001
From: berzerke at swbell.net (robert)
Date: Thu, 22 Mar 2001 15:47:34 -0600
Subject: [pptp-server] kernel not compiling
In-Reply-To: <200103220822.f2M8M3k08334@mail.ishwarn.com>
References: <200103220822.f2M8M3k08334@mail.ishwarn.com>
Message-ID: <01032215473401.21286@linux>

I had the same error messages and was never really able to resolve them. I finally went to the 2.4.x kernels and didn't have any problems.
(Instructions are at http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt)

On Thursday 22 March 2001 02:22, Siddharth wrote:
> Hello everyone,
>
> My problem may be something already solved but here goes...
> When I compile the 2.2.14 kernel source after patching pp-2.3.11 and doing a make kernel in its directory, I get the following errors and the ppp.c etc. files do not compile.
>
> ppp.c:188: warning: static declaration for `ppp_register_compressor_R9682e733' follows non-static
> ppp.c:189: warning: static declaration for `ppp_unregister_compressor_Ra1b928df' follows non-static
> ppp.c: In function `rcv_proto_unknown':
> ppp.c:2563: too few arguments to function `kill_fasync_R5e73d35d'
> make[1]: *** [ppp.o] Error 1
> make: *** [_mod_drivers/net] Error 2
>
> and no .o files are added to /lib/modules/2.2.14.5/net
>
> siddharth
> sysad ecomm

From siddharth at egujarat.net Thu Mar 22 20:21:31 2001
From: siddharth at egujarat.net (Siddharth)
Date: Fri, 23 Mar 2001 07:51:31 +0530
Subject: [pptp-server] kernel not compiling
Message-ID: <200103230221.f2N2LBk11074@mail.ishwarn.com>

I managed to do it... I commented out line 2563 in ppp.c and it works. But when I sniff, I can still see all packets in plain text even though the log says MPPE 40, stateless compression. Is there a problem or is pptp never encrypted? I've ticked the "Require Data Encryption" in my winx client.

siddharth
sysad ecomm

>-------- ORIGINAL MESSAGE BELOW --------
>I had the same error messages and was never really able to resolve them. I finally went to the 2.4.x kernels and didn't have any problems.
>(Instructions are at http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt)
>
>On Thursday 22 March 2001 02:22, Siddharth wrote:
>> Hello everyone,
>>
>> My problem may be something already solved but here goes...
>> When I compile the 2.2.14 kernel source after patching pp-2.3.11 and doing a make kernel in its directory, I get the following errors and the ppp.c etc. files do not compile.
>>
>> ppp.c:188: warning: static declaration for `ppp_register_compressor_R9682e733' follows non-static
>> ppp.c:189: warning: static declaration for `ppp_unregister_compressor_Ra1b928df' follows non-static
>> ppp.c: In function `rcv_proto_unknown':
>> ppp.c:2563: too few arguments to function `kill_fasync_R5e73d35d'
>> make[1]: *** [ppp.o] Error 1
>> make: *** [_mod_drivers/net] Error 2
>>
>> and no .o files are added to /lib/modules/2.2.14.5/net
>>
>> siddharth
>> sysad ecomm

From neale at lowendale.com.au Thu Mar 22 21:13:35 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Fri, 23 Mar 2001 14:13:35 +1100 (EST)
Subject: [pptp-server] Debian source: GRE-patched traceroute_1.4a12
Message-ID:

This is the GRE(PPTP) patch from

http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

hacked into traceroute_1.4a12 from unstable (builds happily on stable).

The .dsc and .diff.gz are at

http://www.planet.net.au/~neale/debian/traceroute-GRE/

(you'll need traceroute_1.4a12.orig.tar.gz from a Debian mirror plus the usual tools to build the .deb).

The README-GRE:

==========================================================================
GRE (PPTP) patched traceroute.
==============================

This version of traceroute incorporates a patch to provide an option to use GRE packets (with PPTP-like payload).

This functionality is useful for debugging internetworking that has the dubious feature of blocking GRE packets, and thus breaking GRE tunneling such as used by PPTP.
The original patch is at:

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/pptp-traceroute.patch.gz

It was hacked into the Debian package traceroute_1.4a12-3 by Neale Banks

IMPORTANT: Please do not worry Herbert Xu (maintainer of the official Debian traceroute package) about this hacked package.

Neale Banks
March 2001
==========================================================================

As goes with this kind of thing: no warranties of any kind (express, implied or otherwise) - this is offered in the hopes that (a) somebody might find it useful and (b) somebody might find something I've overlooked.

Regards,
Neale.

From hatnet at free.fr Fri Mar 23 04:05:53 2001
From: hatnet at free.fr (hatim)
Date: Fri, 23 Mar 2001 11:05:53 +0100
Subject: [pptp-server] win client
References:
Message-ID: <00da01c0b380$db850e90$3601a8c0@hatimsf>

hello
I'm looking for a Windows client to connect to my Linux server VPN (redhat 6.2). Any idea?
I find some .gz in http://poptop.lineo.com/releases/ but I cannot open them.

thanks
hatim

From hatnet at free.fr Fri Mar 23 08:48:47 2001
From: hatnet at free.fr (hatim)
Date: Fri, 23 Mar 2001 15:48:47 +0100
Subject: [pptp-server] vpn and network place
References: <90769AF04F76D41186C700A0C90AFC3EE6C3@defiant.infohiiway.com>
Message-ID: <00c901c0b3a8$5e25ff40$3601a8c0@hatimsf>

hello
I have a little problem if you have some minutes.
I can connect from any Windows PC to any PC in all networks, but when I'm trying to connect from a PC linux1 to a windows2 PC with SMBCLIENT, it fails.

[ASCII diagram: LINUX 1 and LINUX 2 joined by the VPN link; WIN 1 sits behind LINUX 1 and WIN 2 behind LINUX 2]

If I connect from LINUX 1 to WIN1 (win2000) it works fine.
If I connect from LINUX 2 to WIN 1 it does not work:

[root at hatim /root]# smbclient -L WIN1 -N
added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
added interface ip=X.X.X.217 bcast=X.X.X.255 nmask=255.255.255.0
timeout connecting to 192.168.1.54:139
Connection to WIN1 failed

192.168.0.1 is an internal IP of LINUX 2
x.x.x.217 is the external IP of LINUX 2

and with Windows Explorer I can do that :( !

I have redhat6.2 with Samba 2.0.7

thank you
Hatim

From berzerke at swbell.net Fri Mar 23 09:33:20 2001
From: berzerke at swbell.net (robert)
Date: Fri, 23 Mar 2001 09:33:20 -0600
Subject: [pptp-server] Debian source: GRE-patched traceroute_1.4a12
In-Reply-To:
References:
Message-ID: <01032309332003.21788@linux>

There is an rpm gre patched traceroute at http://home.swbell.net/berzerke

On Thursday 22 March 2001 21:13, Neale Banks wrote:
> This is the GRE(PPTP) patch from
>
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
>
> hacked into traceroute_1.4a12 from unstable (builds happily on stable).
>
> The .dsc and .diff.gz are at
>
> http://www.planet.net.au/~neale/debian/traceroute-GRE/
>
> (you'll need traceroute_1.4a12.orig.tar.gz from a Debian mirror plus the usual tools to build the .deb).
>
> The README-GRE:
>
> ==========================================================================
> GRE (PPTP) patched traceroute.
> ==============================
>
> This version of traceroute incorporates a patch to provide an option to use GRE packets (with PPTP-like payload).
>
> This functionality is useful for debugging internetworking that has the dubious feature of blocking GRE packets, and thus breaking GRE tunneling such as used by PPTP.
>
> The original patch is at:
>
> ftp://ftp.rubyriver.com/pub/jhardin/masquerade/pptp-traceroute.patch.gz
>
> It was hacked into the Debian package traceroute_1.4a12-3 by Neale Banks
>
> IMPORTANT: Please do not worry Herbert Xu (maintainer of the official Debian traceroute package) about this hacked package.
>
> Neale Banks
> March 2001
> ==========================================================================
>
> As goes with this kind of thing: no warranties of any kind (express, implied or otherwise) - this is offered in the hopes that (a) somebody might find it useful and (b) somebody might find something I've overlooked.
>
> Regards,
> Neale.
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!

From ctresco at mit.edu Fri Mar 23 10:57:02 2001
From: ctresco at mit.edu (Chris Tresco)
Date: Fri, 23 Mar 2001 11:57:02 -0500
Subject: [pptp-server] PAM oddity
References: <01032309332003.21788@linux>
Message-ID: <019201c0b3ba$48826d10$b201a8c0@snpc.net>

I would think that if pppd were compiled to use PAM, then pam_smb would work without a hitch. Am I wrong?

From charlieb at e-smith.com Fri Mar 23 11:16:33 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Fri, 23 Mar 2001 12:16:33 -0500 (EST)
Subject: [pptp-server] PAM oddity
In-Reply-To: <019201c0b3ba$48826d10$b201a8c0@snpc.net>
Message-ID:

On Fri, 23 Mar 2001, Chris Tresco wrote:

> I would think that if pppd were compiled to use PAM, then pam_smb would work without a hitch. Am I wrong?

My understanding is that ppp only uses PAM for PAP authentication.
Charlie Brady charlieb at e-smith.com
http://www.e-smith.org (development) http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From sinergy at xiles.org Fri Mar 23 14:35:44 2001
From: sinergy at xiles.org (Dustin W)
Date: Fri, 23 Mar 2001 12:35:44 -0800
Subject: [pptp-server] unsubscribe sinergy@xiles.org avatar
Message-ID:

From sinergy at xiles.org Fri Mar 23 14:36:00 2001
From: sinergy at xiles.org (Dustin W)
Date: Fri, 23 Mar 2001 12:36:00 -0800
Subject: [pptp-server] unsubscrice avatar sinergy@xiles.org
Message-ID:

From ctresco at mit.edu Fri Mar 23 11:51:50 2001
From: ctresco at mit.edu (Chris Tresco)
Date: Fri, 23 Mar 2001 12:51:50 -0500
Subject: [pptp-server] PAM oddity
References:
Message-ID: <01ba01c0b3c1$f28004b0$b201a8c0@snpc.net>

So.... Is there a compilation option for ppp-2.4.0 to enable pam? I can't find it anywhere.

----- Original Message -----
From: "Charlie Brady"
To: "Chris Tresco"
Cc:
Sent: Friday, March 23, 2001 12:16 PM
Subject: Re: [pptp-server] PAM oddity

>
> On Fri, 23 Mar 2001, Chris Tresco wrote:
>
> > I would think that if pppd were compiled to use PAM, then pam_smb would work without a hitch. Am I wrong?
>
> My understanding is that ppp only uses PAM for PAP authentication.
>
> Charlie Brady charlieb at e-smith.com
> http://www.e-smith.org (development) http://www.e-smith.com (corporate)
> Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
> e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada
From vgill at technologist.com Fri Mar 23 12:33:36 2001
From: vgill at technologist.com (Gill, Vern)
Date: Fri, 23 Mar 2001 10:33:36 -0800
Subject: [pptp-server] libsmbpw.so vs chap-secrets
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D5D@ftp.gillnet.org>

Are the following statements true or false:

1) Using libsmbpw.so in conjunction with pppsmb.pat patch will force a client to send their password encrypted.

False. You would need to have the mschap auth in your options to force the client to send encrypted password. The smbpasswd patch and co only allow you to not store plain text passwords on your system.

2) Using only chap-secrets without authenticating from smbpasswd will force a client to send their password plain-text.

False. See above...

3) Forcing an encrypted password from the client will force pptpd to decrypt it before authenticating with chap-secrets.

I don't think so. This may be dependent upon your "password backend". Anyone else wanna pipe in here...

4) My password flies across the vast Internet cloud plain text when I use chap-secrets vs SMB password-encryption authentication.

Again, I think it is not SENT plain text, just stored locally plain text...

I do like plugging up that libsmbpw blank username/password thing by using chap-secrets instead - but not at the expense of sending my passwords plain-text for others to snag. Should I be worried?

I think you are fine with using the smbpasswd patch. But, if you don't feel comfortable with it then I think you are still fine. I don't think the password is transmitted plain text, only stored as such.

Anyone else wanna back me up, or shoot me down?
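As an added worked example of the point under discussion (not code from the list, pppd or PoPToP): plain CHAP as negotiated in the log above ("MD5", "CHAP Challenge ... name = gw") sends MD5(id || secret || challenge) rather than the secret itself, so the secret is never on the wire, but the verifier must hold it in cleartext, which is why chap-secrets stores it that way. The chap-secrets table, the peer name "spock", the secret value and the challenge bytes are all constructed for the example; the blank-name check is an assumption about how a careful verifier should treat the wildcard entry, not a description of pppd's behaviour.

```python
# CHAP (RFC 1994) challenge/response worked through against a chap-secrets
# style table.  Added example for this thread; not code from pppd or PoPToP.
import hashlib
import hmac
import os


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def parse_chap_secrets(text: str) -> list:
    """Parse 'client server secret [IP addresses]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        client, server, secret = fields[:3]
        addrs = fields[3] if len(fields) > 3 else "*"
        entries.append((client, server, secret.strip('"'), addrs))
    return entries


def lookup_secret(entries: list, client: str, server: str):
    """First entry whose client/server match ('*' is a wildcard), else None."""
    for c, s, secret, _addrs in entries:
        if c in ("*", client) and s in ("*", server):
            return secret
    return None


def server_verify(entries: list, server_name: str, ident: int, challenge: bytes,
                  peer_name: str, response: bytes) -> bool:
    """What the authenticator does with a CHAP Response packet.

    It needs the peer's secret in a usable form: plain CHAP cannot be checked
    from a one-way password hash, which is why chap-secrets holds cleartext.
    An empty peer name is refused outright (assumption for this example) so a
    wildcard '*' entry can never be satisfied by a blank login.
    """
    if not peer_name:
        return False
    secret = lookup_secret(entries, peer_name, server_name)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(peer_name: str, peer_secret: str, secrets_text: str,
                 server_name: str = "gw", challenge: bytes = b"") -> dict:
    """Simulate one CHAP exchange; return the verdict and the bytes an eavesdropper sees."""
    entries = parse_chap_secrets(secrets_text)
    ident = 1
    challenge = challenge or os.urandom(16)      # constructed random challenge
    # Challenge packet carries id, challenge value and the authenticator name;
    # the Response packet carries id, the hash and the peer name.
    response = chap_response(ident, peer_secret, challenge)
    ok = server_verify(entries, server_name, ident, challenge, peer_name, response)
    on_wire = (bytes([ident]) + challenge + server_name.encode()
               + response + peer_name.encode())
    return {"authenticated": ok, "on_wire": on_wire}


# Constructed sample table, in the layout used for chap-secrets on this list.
SAMPLE_SECRETS = """\
# client  server  secret          IP addresses
spock     gw      "s3cret-pass"   10.42.8.51
*         gw      otherpass       *
"""

if __name__ == "__main__":
    capture = run_exchange("spock", "s3cret-pass", SAMPLE_SECRETS)
    print("authenticated:", capture["authenticated"])
    # The secret is hashed, not encrypted: it never appears in the capture.
    # A captured challenge/response pair can still be tested offline against
    # guessed secrets, so weak secrets remain the weak point with plain CHAP.
    print("secret visible on wire:", b"s3cret-pass" in capture["on_wire"])
```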
From vgill at technologist.com Fri Mar 23 12:37:36 2001
From: vgill at technologist.com (Gill, Vern)
Date: Fri, 23 Mar 2001 10:37:36 -0800
Subject: [pptp-server] PAM oddity
Message-ID: <8D043DEA73DFD411958A00A0C90AB7607D5E@ftp.gillnet.org>

The option to make ppp use pam is -DUSE_PAM in the makefile, I think. But, this will NOT make ppp use pam_smb for auth. ppp will ONLY use pam for pap auth.

-----Original Message-----
From: Chris Tresco [mailto:ctresco at mit.edu]
Sent: Friday, March 23, 2001 9:52 AM
To: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] PAM oddity

So.... Is there a compilation option for ppp-2.4.0 to enable pam? I can't find it anywhere.

----- Original Message -----
From: "Charlie Brady"
To: "Chris Tresco"
Cc:
Sent: Friday, March 23, 2001 12:16 PM
Subject: Re: [pptp-server] PAM oddity

>
> On Fri, 23 Mar 2001, Chris Tresco wrote:
>
> > I would think that if pppd were compiled to use PAM, then pam_smb would work without a hitch. Am I wrong?
>
> My understanding is that ppp only uses PAM for PAP authentication.
>
> Charlie Brady charlieb at e-smith.com
> http://www.e-smith.org (development) http://www.e-smith.com (corporate)
> Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
> e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOruXOBeamMdwy9TXEQLvLwCgy8KKq/wspfcS3YLr97sltrsZ6nwAnR5n
BuEuLGhSNm6grHolalMnF/Xf
=cC0p
-----END PGP SIGNATURE-----

From mikes at hartwellcorp.com Fri Mar 23 12:59:29 2001
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Fri, 23 Mar 2001 10:59:29 -0800
Subject: [pptp-server] pppd failing with nothing logged
Message-ID: <91A5926EFF44D3118B1200104B7276EB654F91@hart-exchange.hartwellcorp.com>

I'm running PoPToP version 1.1.2 on RedHat 7.0. During call initiation everything seems to go fine until it reaches the point of launching pppd. Actually, that _seems_ to go fine as well, as the launch code reports success. However, communication through the socket just doesn't happen and the pppd process does not log anything. I know that the correct pppd binary is being used as I replaced it with a little script that logged the arguments being used and then executes the original binary.

I'm at a loss at this point.

Below is the relevant part of the logfile (note: the one line tagged as pppd is from the script I wrote, not the daemon itself):

Mar 23 10:40:11 guardian pptpd[4019]: MGR: Launching /usr/sbin/pptpctrl to handle client
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: local address = 10.127.10.1
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: remote address = 10.127.20.1
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Client 209.245.72.166 control connection started
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Received PPTP Control Message (type: 1)
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Made a START CTRL CONN RPLY packet
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: I wrote 156 bytes to the client.
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Sent packet to client
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Received PPTP Control Message (type: 7)
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: 0 min_bps, 0 max_bps, 32 window size
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Made a OUT CALL RPLY packet
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Starting call (launching pppd, opening GRE)
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: pty_fd = 4
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: tty_fd = 5
Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): Connection speed = 115200
Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): local address = 10.127.10.1
Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): remote address = 10.127.20.1
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: I wrote 32 bytes to the client.
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Sent packet to client
Mar 23 10:40:11 guardian pppd: pppd called with arguments: local 115200 10.127.10.1:10.127.20.1
Mar 23 10:40:11 guardian pptpd[4019]: Error reading from pppd: Input/output error
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Client 209.245.72.166 control connection finished
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Exiting now
Mar 23 10:40:11 guardian pptpd[3871]: MGR: Reaped child 4019

--------------------
Michael St. Laurent
Hartwell Corporation

From mikes at hartwellcorp.com Fri Mar 23 15:53:11 2001
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Fri, 23 Mar 2001 13:53:11 -0800
Subject: [pptp-server] pppd failing with nothing logged
Message-ID: <91A5926EFF44D3118B1200104B7276EB654F94@hart-exchange.hartwellcorp.com>

The server system _is_ a firewall. I've already opened up port 1723 & protocol 47 on the external interface and permit forwarding between the ppp0 and internal interfaces. Did I miss something?

--------------------
Michael St. Laurent
Hartwell Corporation

> -----Original Message-----
> From: robert [mailto:berzerke at swbell.net]
> Sent: Friday, March 23, 2001 1:23 PM
> To: Michael St. Laurent; 'pptp-server at lists.schulte.org'
> Subject: Re: [pptp-server] pppd failing with nothing logged
>
> By chance, is there a firewall on either end?
>
> On Friday 23 March 2001 12:59, Michael St. Laurent wrote:
> > I'm running PoPToP version 1.1.2 on RedHat 7.0. During call initiation
> > everything seems to go fine until it reaches the point of launching pppd.
> > Actually, that _seems_ to go fine as well, as the launch code reports
> > success. However, communication through the socket just doesn't happen and
> > the pppd process does not log anything. I know that the correct pppd
> > binary is being used as I replaced it with a little script that logged the
> > arguments being used and then executes the original binary.
> >
> > I'm at a loss at this point.
> >
> > Below is the relevant part of the logfile (note: the one line tagged as
> > pppd is from the script I wrote, not the daemon itself):
> >
> > Mar 23 10:40:11 guardian pptpd[4019]: MGR: Launching /usr/sbin/pptpctrl to handle client
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: local address = 10.127.10.1
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: remote address = 10.127.20.1
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Client 209.245.72.166 control connection started
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Received PPTP Control Message (type: 1)
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Made a START CTRL CONN RPLY packet
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: I wrote 156 bytes to the client.
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Sent packet to client
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Received PPTP Control Message (type: 7)
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: 0 min_bps, 0 max_bps, 32 window size
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Made a OUT CALL RPLY packet
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Starting call (launching pppd, opening GRE)
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: pty_fd = 4
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: tty_fd = 5
> > Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): Connection speed = 115200
> > Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): local address = 10.127.10.1
> > Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): remote address = 10.127.20.1
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: I wrote 32 bytes to the client.
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Sent packet to client
> > Mar 23 10:40:11 guardian pppd: pppd called with arguments: local 115200 10.127.10.1:10.127.20.1
> > Mar 23 10:40:11 guardian pptpd[4019]: Error reading from pppd: Input/output error
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Client 209.245.72.166 control connection finished
> > Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Exiting now
> > Mar 23 10:40:11 guardian pptpd[3871]: MGR: Reaped child 4019
> >
> > --------------------
> > Michael St. Laurent
> > Hartwell Corporation
From berzerke at swbell.net Fri Mar 23 15:23:21 2001
From: berzerke at swbell.net (robert)
Date: Fri, 23 Mar 2001 15:23:21 -0600
Subject: [pptp-server] pppd failing with nothing logged
References: <91A5926EFF44D3118B1200104B7276EB654F91@hart-exchange.hartwellcorp.com>
Message-ID: <0GAO0027W5VLO6@mta4.rcsntx.swbell.net>
Message-Id: <01032315232104.21788 at linux>

By chance, is there a firewall on either end?

On Friday 23 March 2001 12:59, Michael St. Laurent wrote:
> I'm running PoPToP version 1.1.2 on RedHat 7.0. During call initiation
> everything seems to go fine until it reaches the point of launching pppd.
> Actually, that _seems_ to go fine as well, as the launch code reports
> success. However, communication through the socket just doesn't happen and
> the pppd process does not log anything. I know that the correct pppd
> binary is being used as I replaced it with a little script that logged the
> arguments being used and then executes the original binary.
>
> I'm at a loss at this point.
>
> Below is the relevant part of the logfile (note: the one line tagged as
> pppd is from the script I wrote, not the daemon itself):
>
> Mar 23 10:40:11 guardian pptpd[4019]: MGR: Launching /usr/sbin/pptpctrl to handle client
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: local address = 10.127.10.1
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: remote address = 10.127.20.1
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Client 209.245.72.166 control connection started
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Received PPTP Control Message (type: 1)
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Made a START CTRL CONN RPLY packet
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: I wrote 156 bytes to the client.
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Sent packet to client
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Received PPTP Control Message (type: 7)
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: 0 min_bps, 0 max_bps, 32 window size
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Made a OUT CALL RPLY packet
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Starting call (launching pppd, opening GRE)
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: pty_fd = 4
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: tty_fd = 5
> Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): Connection speed = 115200
> Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): local address = 10.127.10.1
> Mar 23 10:40:11 guardian pptpd[4020]: CTRL (PPPD Launcher): remote address = 10.127.20.1
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: I wrote 32 bytes to the client.
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Sent packet to client
> Mar 23 10:40:11 guardian pppd: pppd called with arguments: local 115200 10.127.10.1:10.127.20.1
> Mar 23 10:40:11 guardian pptpd[4019]: Error reading from pppd: Input/output error
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Client 209.245.72.166 control connection finished
> Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Exiting now
> Mar 23 10:40:11 guardian pptpd[3871]: MGR: Reaped child 4019
>
> --------------------
> Michael St. Laurent
> Hartwell Corporation
From hatnet at free.fr Mon Mar 26 09:53:44 2001
From: hatnet at free.fr (hatim)
Date: Mon, 26 Mar 2001 17:53:44 +0200
Subject: [pptp-server] win client
References: <00da01c0b380$db850e90$3601a8c0@hatimsf> <007401c0b3ca$d2ca1a80$6e00a8c0@prepar.lan>
Message-ID: <004701c0b60c$f005ab20$0300a8c0@jeanne>

ok thank you, and how to use pptp server to make a linux client? I want to connect two linux boxes!

thanks
hatim

----- Original Message -----
From: "Marc Charbonneau"
To: "hatim"
Sent: Friday, March 23, 2001 8:55 PM
Subject: Re: [pptp-server] win client

> You just have to install VPN support on your windows machine. It's part of
> windows. Just install the VPN adapter and there you go.
>
> Except if it's Win95, I think you have to download something from M$
>
> Hope this helps
>
> ----- Original Message -----
> From: "hatim"
> To:
> Sent: Friday, March 23, 2001 5:05 AM
> Subject: [pptp-server] win client
>
> > hello
> >
> > I'm looking for a windows client to connect to my linux server vpn (redhat 6.2)
> > any idea?
> > I find some .gz in http://poptop.lineo.com/releases/ but I cannot open them
> >
> > thanks
> >
> > hatim
From patrickl at steltor.com Mon Mar 26 05:46:45 2001
From: patrickl at steltor.com (Patrick Lin)
Date: Mon, 26 Mar 2001 06:46:45 -0500
Subject: [pptp-server] pptpd doesn't release the IP
Message-ID: <3ABF2C25.A4A7535B@steltor.com>

hi,

I am running pptp. On my ifconfig listing I have:

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.6.62  P-t-P:192.168.6.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:10698 errors:9 dropped:0 overruns:0 frame:0
          TX packets:15397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

ppp1      Link encap:Point-to-Point Protocol
          inet addr:192.168.6.62  P-t-P:192.168.6.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2201 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

ppp2      Link encap:Point-to-Point Protocol
          inet addr:192.168.6.62  P-t-P:192.168.6.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:9213 errors:9 dropped:0 overruns:0 frame:0
          TX packets:9459 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

On my ps -auxww | grep pptp I have:

root     21089  0.1  0.3  1180  504 ?  S  09:06  0:14 pptpd [xxx.xxx.xxx.xxx]
root     21090  0.0  0.7  1560  944 ?  S  09:06  0:00 /usr/sbin/pppd local 115200 192.168.6.62:192.168.6.1
root     20664  0.0  0.5  1336  660 ?  S  Mar16  0:00 /usr/local/sbin/pptpd

But earlier in the day someone connected to the vpn and used ppp1 and ppp2; after disconnection these interfaces are still up, and of course in the route table I have these IPs, so when someone else tries to connect, the connection works. Well, the new connection has:

ppp3      Link encap:Point-to-Point Protocol
          inet addr:192.168.6.62  P-t-P:192.168.6.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2201 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

and of course nothing works to access any network.

Any help or tips on how to fix that?

thanks

regards,
patrick

--
This message is transmitted by 100 % recycled electrons

From peters at inisoft.com Mon Mar 26 11:35:28 2001
From: peters at inisoft.com (Peter Sprokkelenburg)
Date: Mon, 26 Mar 2001 12:35:28 -0500
Subject: [pptp-server] firewall setting for clients
Message-ID: <3ABF3790.5023.62A10A@localhost>

All,

I know you need to set port 1723 and protocol 47 in the firewall... anything else?

running RH7 Krnl: 2.2.16 and ipchains....

does someone have a basic config that works for connecting to an MS VPN server?

any help would be much appreciated!

Peter Sprokkelenburg
IT Manager
Inisoft Corporation
P: 416.242.4333 ext 230
F: 416.242.9170
peters at inisoft.com

From ctresco at mit.edu Mon Mar 26 12:27:27 2001
From: ctresco at mit.edu (Chris Tresco)
Date: Mon, 26 Mar 2001 13:27:27 -0500
Subject: [pptp-server] Script after login??
References: <3ABF3790.5023.62A10A@localhost>
Message-ID: <005701c0b622$6c8988f0$b201a8c0@snpc.net>

Is there any way to get a batch file to run after I successfully initiate the vpn?? I have samba running on the vpn server so I can browse and such, but I have an NT server on another box running as the PDC. When I connect to the linux box, I would like to map a drive on the client. Is this possible?

From Steve at SteveCowles.com Mon Mar 26 13:56:07 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Mon, 26 Mar 2001 13:56:07 -0600
Subject: [pptp-server] firewall setting for clients
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6D7@defiant.infohiiway.com>

> -----Original Message-----
> From: Peter Sprokkelenburg [mailto:peters at inisoft.com]
> Sent: Monday, March 26, 2001 11:35 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] firewall setting for clients
>
> All,
>
> I know you need to set port 1723 and protocol 47 in the
> firewall... anything else?
>
> running RH7 Krnl: 2.2.16 and ipchains....
>
> does someone have a basic config that works for connecting to
> an MS VPN server?
>
> any help would be much appreciated!

Are you trying to connect to an external MS PPTP server from behind your firewall or are you trying to configure your firewall to accept AND forward inbound PPTP connections to an internal "masq'd" MS pptp server?

Steve Cowles

From angelbracket at yahoo.com Mon Mar 26 14:47:49 2001
From: angelbracket at yahoo.com (angelbracket)
Date: Mon, 26 Mar 2001 22:47:49 +0200
Subject: [pptp-server] more questions about the win2k "619 error" & "742 error"
Message-ID: <002101c0b636$05822b80$3600a8c0@trinity>

Hello,

I have some problems with my windows 2000 client (high encryption pack/128bit) connecting to pptpd. I went through the archive and I think that my problems may lie with the kernel and modules [I'm new to kernel operations etc, there will be "stupid" questions, but if you want to explain some questions in this posting, pls :)]

Included below are the problem, my setup, the problems I encountered and tried solutions, my questions and a log from my system.

I would really appreciate it if someone could help me with this problem.
I feel I'm close to finishing this setup on my box, but there are some gaps that need to be cleared up in my working knowledge of linux...

Sincerely,
Stijn H.

This is the problem:
- username and password are verified
- windows tries to "register the pc to the remote network"
- then I get the "619 error = specified port is not connected"
  [note: something odd: when I keep the redial option active, I sometimes get the 742 error, or "the remote computer does not support the required data encryption type"]

For the setup I used:
- the pptpd how to on http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt
- kernel 2.4.2
- rh 7.0
- patches: linux-2.4.0-openssl-0.9.6-mppe.patch.gz, ppp-2.4.0-openssl-0.9.6-mppe.patch.gz
- ppp-2.4.0.tar.gz
- pptpd 1.1.2
- local lan, win2k & linux
- only one eth card (don't have a second available at this moment)

I followed the manual, and as far as I noted, everything went fine. I used the config file on http://home.swbell.net with modified cpu etc to compile my patched kernel.

Solutions I tried:
- I got an error on ppp, I applied the solution from the how to:

  mknod /dev/ppp c 108 0
  chmod 600 /dev/ppp

  -> the problem was solved

- then I tried to connect with the win2k client and got the 619 error; I found in the mailing list history the same problem with the same log message and with the solutions concerning applying ipchains rules for the GRE etc:

- I tried to apply some iptables lines with the info I found on http://home.swbell.net/berzerke for binding those GRE and specific ports that pptp needed. I got (for any iptables line), e.g.:

  [root at upuaut log]# /sbin/iptables -P INPUT DROP
  iptables v1.1.1: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

  so I did an insmod on iptables:

  [root at upuaut log]# insmod iptables
  insmod: iptables: no module by that name found

  and tried some ipchains rules, e.g.:

  [root at upuaut log]# /sbin/ipchains -A input -p 47 -j ACCEPT

  I got: ipchains: Protocol not available

  [note: I compiled the 2.4.2 kernel with "network packet filtering (replaces ipchains)" .., but why does it connect & with the config script mentioned in the how to file, but what's the problem if the client authenticates but can't bind a port?]

Questions:
- how do I know that all the modules are working?
- why does ipchains not know that certain protocol?
- how to implement GRE with iptables? what's wrong with it?
- why does my iptables mod fail and how can I solve this?
- (ev.) could someone post me his kernel script for how to compile everything correctly with the 2.4.2 kernel?
- (ev.) could someone help me with the iptables rules needed?

paste of /var/log/messages

Mar 26 19:56:07 upuaut pppd[905]: pppd 2.4.0 started by root, uid 0
Mar 26 19:56:07 upuaut pppd[905]: Using interface ppp0
Mar 26 19:56:07 upuaut pppd[905]: Connect: ppp0 <--> /dev/pts/2
Mar 26 19:56:09 upuaut pptpd[904]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 26 19:56:09 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
Mar 26 19:56:09 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
Mar 26 19:56:09 upuaut pppd[905]: MSCHAP-v2 peer authentication succeeded for test
Mar 26 19:56:09 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
Mar 26 19:56:09 upuaut pppd[905]: found interface eth0 for proxy arp
Mar 26 19:56:09 upuaut pppd[905]: local IP address 192.168.0.70
Mar 26 19:56:09 upuaut pppd[905]: remote IP address 192.168.0.80
Mar 26 19:56:15 upuaut pptpd[904]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 26 19:56:15 upuaut pppd[905]: LCP terminated by peer (=^T,M-}^@ /dev/pts/2
Mar 26 19:57:20 upuaut pptpd[928]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 26 19:57:20 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
Mar 26 19:57:20 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
Mar 26 19:57:20 upuaut pppd[929]: MSCHAP-v2 peer authentication succeeded for test
Mar 26 19:57:20 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
Mar 26 19:57:20 upuaut pppd[929]: found interface eth0 for proxy arp
Mar 26 19:57:20 upuaut pppd[929]: local IP address 192.168.0.71
Mar 26 19:57:20 upuaut pppd[929]: remote IP address 192.168.0.81
Mar 26 19:57:26 upuaut pptpd[928]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 26 19:57:26 upuaut pppd[929]: LCP terminated by peer (KM->.M-Y^@

From GeorgeV at citadelcomputer.com.au Mon Mar 26 16:12:17 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Tue, 27 Mar 2001 08:12:17 +1000
Subject: [pptp-server] Script after login??
Message-ID: <200FAA488DE0D41194F10010B597610D0A6B99@JUPITER>

Are you saying you want to map a drive on the Windows pptp client from the linux box, or do you mean you want to map from the pptp client?

linux scripts are /etc/ppp/ip-up.local; on NT in DUN there are script sections for pre dialing and post dialing..

thanks,
George Vieira

-----Original Message-----
From: Chris Tresco [mailto:ctresco at mit.edu]
Sent: Tuesday, March 27, 2001 4:27 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Script after login??

Is there any way to get a batch file to run after I successfully initiate the vpn?? I have samba running on the vpn server so I can browse and such, but I have an NT server on another box running as the PDC. When I connect to the linux box, I would like to map a drive on the client. Is this possible?
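Three failure shapes recur in the logs posted on this page: pppd exiting without logging a single line ("pppd failing with nothing logged" thread), authentication succeeding and then the peer hanging up right after "Can't locate module ppp-compress-18" (the 619 thread above), and pppd timing out on LCP Config-Requests because no GRE packets ever arrive (the "NAT?" thread further down, where "GRE: Discarding duplicate packet" is the only GRE traffic seen). They can be told apart mechanically. The script below is an added example, not PoPToP or pppd code: it splits a syslog excerpt into PPTP calls and assigns each a verdict. The sample log is constructed after the lines posted in those threads (hosts, PIDs and addresses are made up, and the binary junk pppd logged after "LCP terminated by peer" is left out); the verdict names, the rule order and the advice text are this example's own assumptions, with ppp-compress-18 read as the MPPE compressor (CCP type 18).

```python
import re

# Constructed sample modelled on the logs in this archive: three calls, each
# failing for a different reason. Hosts, PIDs and addresses are made up.
SAMPLE_LOG = """\
Mar 26 19:56:07 upuaut pptpd[904]: CTRL: Client 192.168.0.54 control connection started
Mar 26 19:56:07 upuaut pptpd[904]: CTRL: Starting call (launching pppd, opening GRE)
Mar 26 19:56:07 upuaut pppd[905]: pppd 2.4.0 started by root, uid 0
Mar 26 19:56:09 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
Mar 26 19:56:09 upuaut pppd[905]: MSCHAP-v2 peer authentication succeeded for test
Mar 26 19:56:15 upuaut pppd[905]: LCP terminated by peer
Mar 26 19:56:18 upuaut pptpd[904]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)
Mar 27 10:02:01 mail pptpd[4027]: CTRL: Client 203.0.113.7 control connection started
Mar 27 10:02:01 mail pptpd[4027]: CTRL: Starting call (launching pppd, opening GRE)
Mar 27 10:02:01 mail pppd[4028]: pppd 2.3.11 started by root, uid 0
Mar 27 10:02:01 mail pptpd[4027]: GRE: Discarding duplicate packet
Mar 27 10:02:31 mail pppd[4028]: LCP: timeout sending Config-Requests
Mar 27 10:02:31 mail pptpd[4027]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Client 209.245.72.166 control connection started
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: Starting call (launching pppd, opening GRE)
Mar 23 10:40:11 guardian pptpd[4019]: Error reading from pppd: Input/output error
Mar 23 10:40:11 guardian pptpd[4019]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)
"""

# syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (the [pid] part is optional)
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
START_RE = re.compile(r"CTRL: Client (?P<client>\S+) control connection started")

# verdict -> what to check next. This wording summarises the answers given in
# these threads; it is the example's own text, not pptpd documentation.
ADVICE = {
    "pppd-silent-exit": "pppd never reached syslog: check the pppd options file, /dev/ppp and the "
                        "pty devices, and run the pppd command line from the log by hand",
    "gre-not-arriving": "pppd started but no PPP frames came back over GRE (IP protocol 47): a "
                        "firewall, or a NAT box without PPTP pass-through, is dropping GRE",
    "mppe-module-missing": "authentication passed but the peer hung up while negotiating MPPE "
                           "(ppp-compress-18): the MPPE module is missing or not aliased in modules.conf",
    "unclassified": "no known pattern matched; read the pppd debug output for this call",
}


def parse_sessions(text: str) -> list:
    """Split a syslog excerpt into PPTP calls, one per 'control connection started'.

    Lines are attributed to the most recent call on the same host, which is enough
    for the single-client logs in these threads (assumption: overlapping calls on
    one host would also need the pppd PID tracked per call).
    """
    sessions, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, prog, pid, msg = m.group("host", "prog", "pid", "msg")
        start = START_RE.search(msg)
        if start:
            current[host] = {"host": host, "client": start.group("client"),
                             "pptpd_pid": pid, "pppd_pid": None, "msgs": []}
            sessions.append(current[host])
        sess = current.get(host)
        if sess is None:
            continue                   # noise logged before any call on this host
        if prog == "pppd" and pid and sess["pppd_pid"] is None:
            sess["pppd_pid"] = pid     # first pppd line proves pppd got as far as syslog
        sess["msgs"].append(msg)
    return sessions


def classify(sess: dict) -> str:
    """Map one call's messages to a verdict; order matters, most specific first."""
    has = lambda pat: any(re.search(pat, m) for m in sess["msgs"])
    if sess["pppd_pid"] is None and has(r"GRE read or PTY write failed|Error reading from pppd"):
        return "pppd-silent-exit"
    if has(r"LCP: timeout sending Config-Requests"):
        return "gre-not-arriving"
    if (has(r"authentication succeeded") and has(r"LCP terminated by peer")
            and has(r"Can't locate module ppp-compress-18")):
        return "mppe-module-missing"
    return "unclassified"


def triage(text: str) -> list:
    """Return (host, client address, verdict) for every call found in the excerpt."""
    return [(s["host"], s["client"], classify(s)) for s in parse_sessions(text)]


if __name__ == "__main__":
    for host, client, verdict in triage(SAMPLE_LOG):
        print(f"{host}: client {client}: {verdict}\n    {ADVICE[verdict]}")
```

Run it against a real /var/log/messages with `triage(open("/var/log/messages").read())`; the `pppd_pid is None` test is what separates Michael's case (pptpd reports the GRE/PTY failure but pppd itself never wrote anything) from the two cases where pppd did start and the problem lies further along the link.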
From berzerke at swbell.net Tue Mar 27 00:03:20 2001
From: berzerke at swbell.net (robert)
Date: Tue, 27 Mar 2001 00:03:20 -0600
Subject: [pptp-server] more questions about the win2k "619 error" & "742 error"
In-Reply-To: <002101c0b636$05822b80$3600a8c0@trinity>
References: <002101c0b636$05822b80$3600a8c0@trinity>
Message-ID: <01032700032001.04749@linux>

At least some answers are below:

On Monday 26 March 2001 14:47, angelbracket wrote:
> Hello,
>
> I have some problems with my windows 2000 client (high encryption
> pack/128bit) connecting to pptpd. I went through the archive and I think that my
> problems may lie with the kernel and modules [I'm new to kernel operations
> etc, there will be "stupid" questions, but if you want to explain some
> questions in this posting, pls :)]
>
> Included below are the problem, my setup, the problems I encountered and
> tried solutions, my questions and a log from my system.
>
> I would really appreciate it if someone could help me with this problem. I
> feel I'm close to finishing this setup on my box, but there are some gaps
> that need to be cleared up in my working knowledge of linux...
>
> Sincerely,
> Stijn H.
>
> This is the problem:
> - username and password are verified
> - windows tries to "register the pc to the remote network"
> - then I get the "619 error = specified port is not connected"
>   [note: something odd: when I keep the redial option active, I sometimes
>   get the 742 error, or "the remote computer does not support the required
>   data encryption type"]
>
> For the setup I used:
> - the pptpd how to on http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt
> - kernel 2.4.2
> - rh 7.0

Be careful doing kernel compiles with rh7.0! The default compiler is not supported for doing kernel compiles. I used gcc 2.95.3 just fine. I believe rh included a second gcc just for doing kernel compiles called kgcc.

> - patches: linux-2.4.0-openssl-0.9.6-mppe.patch.gz, ppp-2.4.0-openssl-0.9.6-mppe.patch.gz
> - ppp-2.4.0.tar.gz
> - pptpd 1.1.2
> - local lan, win2k & linux
> - only one eth card (don't have a second available at this moment)
>
> I followed the manual, and as far as I noted, everything went fine. I used
> the config file on http://home.swbell.net with modified cpu etc to compile
> my patched kernel.
>
> Solutions I tried:
> - I got an error on ppp, I applied the solution from the how to:
>
>   mknod /dev/ppp c 108 0
>   chmod 600 /dev/ppp
>
>   -> the problem was solved
>
> - then I tried to connect with the win2k client and got the 619 error; I
>   found in the mailing list history the same problem with the same log
>   message and with the solutions concerning applying ipchains rules for the
>   GRE etc:
>
> - I tried to apply some iptables lines with the info I found on
>   http://home.swbell.net/berzerke for binding those GRE and specific ports
>   that pptp needed. I got (for any iptables line), e.g.:
>
>   [root at upuaut log]# /sbin/iptables -P INPUT DROP
>   iptables v1.1.1: can't initialize iptables table `filter': iptables who?
>   (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.
>
>   so I did an insmod on iptables:

This means the modules for iptables aren't loaded.

>   [root at upuaut log]# insmod iptables
>   insmod: iptables: no module by that name found

The ipchains modules and the iptables modules are not compatible. You *MUST* unload the ipchains modules before you can load any of the iptables modules. Do a lsmod to see what modules are loaded.

BTW, an updated iptables script is on the site. This script has been tested on a pptpd server, but not a masqueraded one or on a client. (Damn addiction to sleep...)

>   and tried some ipchains rules, e.g.:
>
>   [root at upuaut log]# /sbin/ipchains -A input -p 47 -j ACCEPT
>
>   I got: ipchains: Protocol not available
>
>   [note: I compiled the 2.4.2 kernel with "network packet filtering
>   (replaces ipchains)" .., but why does it connect & with the config script
>   mentioned in the how to file, but what's the problem if the client
>   authenticates but can't bind a port?]
>
> Questions:
> - how do I know that all the modules are working?
> - why does ipchains not know that certain protocol?
> - how to implement GRE with iptables? what's wrong with it?
> - why does my iptables mod fail and how can I solve this?
> - (ev.) could someone post me his kernel script for how to compile
>   everything correctly with the 2.4.2 kernel?
> - (ev.) could someone help me with the iptables rules needed?
>
> paste of /var/log/messages
>
> Mar 26 19:56:07 upuaut pppd[905]: pppd 2.4.0 started by root, uid 0
> Mar 26 19:56:07 upuaut pppd[905]: Using interface ppp0
> Mar 26 19:56:07 upuaut pppd[905]: Connect: ppp0 <--> /dev/pts/2
> Mar 26 19:56:09 upuaut pptpd[904]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Mar 26 19:56:09 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
> Mar 26 19:56:09 upuaut modprobe: modprobe: Can't locate module ppp-compress-18

This "can't locate module ppp-compress-18" probably means that you didn't update your modules.conf. This could be causing a lot of your problems.

> Mar 26 19:56:09 upuaut pppd[905]: MSCHAP-v2 peer authentication succeeded for test
> Mar 26 19:56:09 upuaut modprobe: modprobe: Can't locate module ppp-compress-18
> Mar 26 19:56:09 upuaut pppd[905]: found interface eth0 for proxy arp
> Mar 26 19:56:09 upuaut pppd[905]: local IP address 192.168.0.70
> Mar 26 19:56:09 upuaut pppd[905]: remote IP address 192.168.0.80
> Mar 26 19:56:15 upuaut pptpd[904]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Mar 26 19:56:15 upuaut pppd[905]: LCP terminated by peer (=^T,M-}^@ terminated.
> Mar 26 19:56:18 upuaut pppd[905]: Connect time 0.2 minutes.
> Mar 26 19:56:18 upuaut pppd[905]: Sent 143 bytes, received 1505 bytes.
> Mar 26 19:56:18 upuaut pppd[905]: Exit.
> Mar 26 19:56:18 upuaut pptpd[904]: Error reading from pppd: Input/output error
> Mar 26 19:56:18 upuaut pptpd[904]: CTRL: GRE read or PTY write failed (gre,pty)=(5,4)
> Mar 26 19:56:18 upuaut pptpd[904]: CTRL: Client 192.168.0.54 control connection finished
> Mar 26 19:57:18 upuaut pptpd[928]: CTRL: Client 192.168.0.54 control connection started
> Mar 26 19:57:18 upuaut pptpd[928]: CTRL: Starting call (launching pppd, opening GRE)
> Mar 26 19:57:18 upuaut pppd[929]: pppd 2.4.0 started by root, uid 0
> Mar 26 19:57:18 upuaut pppd[929]: Using interface ppp0

From werner.hofer at igs.at Tue Mar 27 06:25:01 2001
From: werner.hofer at igs.at (werner.hofer at igs.at)
Date: Tue, 27 Mar 2001 14:25:01 +0200
Subject: [pptp-server] pptp connection with encryption and kernel 2.4.0
Message-ID:

Hi!

On my positive list:

pptp 2.4.0 runs with kernel 2.4.0 suse 7.1
"kernel" patch linux-2.4.0-openssl-0.9.6-mppe.patch.gz is installed
ppp is compiled as module

pppd is patched with ppp-2.4.0-openssl-0.9.6-mppe.patch

without encryption everything runs fine.

On my negative list:

when I turn on encryption my win2000 system connects, but I can't get a ping through to the other side.

I have read the howto on:
http://home.swbell.net/berzerke/2.4_kernel_PPTPD-HOWTO.txt
at 5.13 it is mentioned to compile ppp as module - but since I have done this - what else can it be?

the only error message I can find in /var/log/messages is:
cannot determine ethernet address for proxy ARP
I turned it on with
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
but still I do have this error message.
Since without any encryption I get this message too but pinging ... works.

Does anybody have a clue?

Thanks in advance
Werner

____________________________________________________
IGS Systemmanagement
Dr. Weginger GesmbH
Dorfplatz 5 - Piberbach
A-4531 Kematen/Krems
phone: +43 7228 6451 0     home: http://www.igs.at
fax: +43 7228 6451 30      eMail: igs at igs.at
hotline:
fax: +43 7228 6451 20      eMail: hotline at igs.at
____________________________________________________

NEWSFLASH___________________________________________
- Successful with the IGS e-commerce solution!
- Amendment to §§ 131 and 132 para. 3 BAO regarding the "provision of data media to tax auditors"! Details at http://www.igs.at/archiv/news.html
NEWSFLASH___________________________________________

From berzerke at swbell.net Tue Mar 27 08:27:24 2001
From: berzerke at swbell.net (robert)
Date: Tue, 27 Mar 2001 08:27:24 -0600
Subject: [pptp-server] pptp connection with encryption and kernel 2.4.0
In-Reply-To:
References:
Message-ID: <01032708272400.07050@linux>

Do you have the line proxyarp in your ppp options file?

On Tuesday 27 March 2001 06:25, werner.hofer at igs.at wrote:
> Hi!
>
> On my positive list:
>
> pptp 2.4.0 runs with kernel 2.4.0 suse 7.1
> "kernel" patch linux-2.4.0-openssl-0.9.6-mppe.patch.gz is installed
> ppp is compiled as module
>
> pppd is patched with ppp-2.4.0-openssl-0.9.6-mppe.patch
>
> without encryption everything runs fine.
>
> On my negative list:
>
> when I turn on encryption my win2000 system connects, but I can't get a
> ping through to the other side.
>
> I have read the howto on:
> http://home.swbell.net/berzerke/2.4_kernel_PPTPD-HOWTO.txt
> at 5.13 it is mentioned to compile ppp as module - but since I have done
> this - what else can it be?
>
> the only error message I can find in /var/log/messages is:
> cannot determine ethernet address for proxy ARP
> I turned it on with
> echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
> but still I do have this error message.
> Since without any encryption I get this message too but pinging ... works.
>
> Does anybody have a clue?
> > Thanks in advance > Werner > > ____________________________________________________ > IGS Systemmanagement > Dr. Weginger GesmbH > Dorfplatz 5 - Piberbach > A-4531 Kematen/Krems > phone: +43 7228 6451 0 home: http://www.igs.at > fax: +43 7228 6451 30 eMail: igs at igs.at > hotline: > fax: +43 7228 6451 20 eMail: hotline at igs.at > ____________________________________________________ > > NEWSFLASH___________________________________________ > > - Erfolgreich mit der IGS e-commerce-L?sung! > - ?nderung in den ?? 131 und 132 Abs.3 BAO bzgl. > "Zurverf?gungstellung von Datentr?gern an > Betriebspr?fer"! > n?heres unter http://www.igs.at/archiv/news.html > > NEWSFLASH___________________________________________ > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From pptplist at mail.doris.cc Tue Mar 27 09:10:15 2001 From: pptplist at mail.doris.cc (pptplist at mail.doris.cc) Date: Tue, 27 Mar 2001 10:10:15 -0500 (EST) Subject: [pptp-server] NAT? In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE6D7@defiant.infohiiway.com> Message-ID: I am running pptp on a linux box and connecting with a win2000 client over the internet and having problems with NAT. Here is what I have in my options file. lock auth debug proxyarp require-chap +chap +chapms +chapms-v2 mppe-40 mppe-128 mppe-stateless name pptpd When my Windows 2000 Client connects from a static IP address everything works fine. When my Windows 2000 client tries to connect from a NAT'd connection, I get a error 619, specified port is not connected. Here is what I see in my log files. 
Mar 27 10:02:01 mail pptpd[4027]: CTRL: Client xxx.xxx.xxx.xxx control connection started Mar 27 10:02:01 mail pptpd[4027]: CTRL: Starting call (launching pppd, opening GRE) Mar 27 10:02:01 mail kernel: CSLIP: code copyright 1989 Regents of the University of California Mar 27 10:02:01 mail kernel: PPP: version 2.3.7 (demand dialling) Mar 27 10:02:01 mail kernel: PPP line discipline registered. Mar 27 10:02:01 mail kernel: registered device ppp0 Mar 27 10:02:01 mail pppd[4028]: pppd 2.3.11 started by root, uid 0 Mar 27 10:02:01 mail pppd[4028]: Using interface ppp0 Mar 27 10:02:01 mail pppd[4028]: Connect: ppp0 <--> /dev/pts/3 Mar 27 10:02:01 mail pptpd[4027]: GRE: Discarding duplicate packet Mar 27 10:02:31 mail pppd[4028]: LCP: timeout sending Config-Requests Mar 27 10:02:31 mail pppd[4028]: Connection terminated. Mar 27 10:02:31 mail pppd[4028]: Exit. Mar 27 10:02:31 mail pptpd[4027]: GRE: read(fd=5,buffer=804d8c0,len=8196) from PTY failed: status = -1 error = Input/output error Mar 27 10:02:31 mail pptpd[4027]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6) Mar 27 10:02:31 mail pptpd[4027]: CTRL: Client xxx.xxx.xxx.xxx control connection finished I have the following set up in my ipchains table ipchains -A forward -i eth0 -s 192.168.100.0/24 -d 192.168.100.0/24 -j MASQ ipchains -A output -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT ipchains -A input -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT I have this set up in pptp.conf localip 192.168.100.210-214 remoteip 192.168.100.215-218 Everything seems to work when the client has a static IP, just not when NAT'd. Any ideas? I know I am missing something somewhere. Thanks, Dustin Doris From werner.hofer at igs.at Tue Mar 27 10:08:59 2001 From: werner.hofer at igs.at (werner.hofer at igs.at) Date: Tue, 27 Mar 2001 18:08:59 +0200 Subject: [pptp-server] pptp connection with encryption and kernel 2.4.0 Message-ID: Thanks for your reply Robert! 
Yes I do have the line proxyarp in my options-file my options.ppp0 file does have the following entries: proxyarp lock debug auth +chap +chapms +chapms-v2 mppe 40 mppe 128 mppe-stateless name poseidon my pptpd.conf file has the following entries: speed 115200 option /etc/ppp/options.ppp0 debug localip 192.168.1.2-50 remoteip 192.168.1.102-150 pidfile /var/run/pptpd.pid My local Ethernet is in the Segment192.168.0.0/24 the eth0 device has the ip 192.168.0.1/32 I have 4 CIPE - Interfaces wich are all on other Segments - not 192.168.1.0/24 I do have a start/stop script there I placed the following statements: ..... echo 1 > /proc/sys/net/ipv4/ip_forward echo 1> /proc/sys/net/ipv4/conf/all/proxy_arp .... modprobe ppp_mppe ..... startproc /usr/sbin/pptpd || ......, I placed the necessary iptables statements in my firewall (tcp port 1723 and ip protocol 47) what else can it be? Werner ----- Weitergeleitet von Werner Hofer/igs am 27.03.2001 17:07 ----- |--------+-----------------------------------> | | robert | | | | | | Gesendet von: | | | pptp-server-admin at lists.s| | | chulte.org | | | | | | | | | 27.03.2001 16:27 | | | | |--------+-----------------------------------> >-----------------------------------------------------------------------------------------------------------| | | | An: werner.hofer at igs.at, pptp-server at lists.schulte.org | | Kopie: | | Thema: Re: [pptp-server] pptp connection with encryption and kernel 2.4.0 | >-----------------------------------------------------------------------------------------------------------| Do you have the line proxyarp in you ppp options file? On Tuesday 27 March 2001 06:25, werner.hofer at igs.at wrote: > Hi! > > On my positiv list: > > pptp 2.4.0 runs with kernel 2.4.0 suse 7.1 > "kernel" patch linux-2.4.0-openssl-0.9.6-mppe.patch.gz is installed > ppp is compiled as module > > pppd is patched with ppp-2.4.0-openssl-0.9.6-mppe.patch > > without encryption everything runs fine. 
> > On my negativ list: > > when I turn on encryption my win2000 system connects, but i can?t get a > ping through to the other side. > > I have read the howto on: > http://home.swbell.net/berzerke/2.4_kernel_PPTPD-HOWTO.txt > at 5.13 it is mentioned to compile ppp as module - but since i have done > this - what else can it be? > > the only error message i can find in /var/log/messages is: > cannot determine ethernet address for proxy ARP > I turned it on with > echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp > but still i do have this error message. > Since without any encryption I get this message too but pinging ... works. > > Does anybody have a clue? > > Thanks in advance > Werner > > ____________________________________________________ > IGS Systemmanagement > Dr. Weginger GesmbH > Dorfplatz 5 - Piberbach > A-4531 Kematen/Krems > phone: +43 7228 6451 0 home: http://www.igs.at > fax: +43 7228 6451 30 eMail: igs at igs.at > hotline: > fax: +43 7228 6451 20 eMail: hotline at igs.at > ____________________________________________________ > > NEWSFLASH___________________________________________ > > - Erfolgreich mit der IGS e-commerce-L?sung! > - ?nderung in den ?? 131 und 132 Abs.3 BAO bzgl. > "Zurverf?gungstellung von Datentr?gern an > Betriebspr?fer"! > n?heres unter http://www.igs.at/archiv/news.html > > NEWSFLASH___________________________________________ > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! ____________________________________________________ IGS Systemmanagement Dr. 
Weginger GesmbH Dorfplatz 5 - Piberbach A-4531 Kematen/Krems phone: +43 7228 6451 0 home: http://www.igs.at fax: +43 7228 6451 30 eMail: igs at igs.at hotline: fax: +43 7228 6451 20 eMail: hotline at igs.at ____________________________________________________ NEWSFLASH___________________________________________ - Erfolgreich mit der IGS e-commerce-L?sung! - ?nderung in den ?? 131 und 132 Abs.3 BAO bzgl. "Zurverf?gungstellung von Datentr?gern an Betriebspr?fer"! n?heres unter http://www.igs.at/archiv/news.html NEWSFLASH___________________________________________ From Steve at SteveCowles.com Tue Mar 27 09:11:32 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Tue, 27 Mar 2001 09:11:32 -0600 Subject: [pptp-server] pptp connection with encryption and kernel 2.4. 0 Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6DA@defiant.infohiiway.com> > -----Original Message----- > From: werner.hofer at igs.at [mailto:werner.hofer at igs.at] > Sent: Tuesday, March 27, 2001 6:25 AM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] pptp connection with encryption and > kernel 2.4.0 > > > Hi! > > On my positiv list: > > pptp 2.4.0 runs with kernel 2.4.0 suse 7.1 "kernel" patch > linux-2.4.0-openssl-0.9.6-mppe.patch.gz is installed > ppp is compiled as module > > pppd is patched with ppp-2.4.0-openssl-0.9.6-mppe.patch > > without encryption everything runs fine. > > On my negativ list: > > when I turn on encryption my win2000 system connects, but i > can?t get a ping through to the other side. > > I have read the howto on: > http://home.swbell.net/berzerke/2.4_kernel_PPTPD-HOWTO.txt > at 5.13 it is mentioned to compile ppp as module - but since > i have done this - what else can it be? > > the only error message i can find in /var/log/messages is: > cannot determine ethernet address for proxy ARP > I turned it on with > echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp > but still i do have this error message. 
> Since without any encryption I get this message too but
> pinging ... works.
>
> Does anybody have a clue?
>
> Thanks in advance
> Werner

You really need to fix the proxyarp problem first. Without it, you will only be able to "ping" your PPTP server, nothing past it.

The proxy arp errors can usually be fixed by assigning IP addresses in pptpd.conf (local/remote) that are within the network address range of the PPTP server's LAN interface (like eth0 or eth1). If that's not an option, then consider using ip aliasing to bind the network addresses to what is specified in your pptpd.conf to your PPTP server's LAN interface. Check out the kernel source documentation directory /usr/src/linux/Documentation/networking/alias.txt for info on ip aliasing.

Also, since "ping" works without encryption, then I would think there is a problem with your MPPE patch implementation. i.e. The encapsulated GRE packet cannot be de-encapsulated and handed off to the TCP/IP stack to be routed. Do you have module ppp_mppe.o and does /etc/modules.conf contain:

alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

Steve Cowles

From ctresco at mit.edu Tue Mar 27 09:07:46 2001
From: ctresco at mit.edu (Christopher Tresco)
Date: Tue, 27 Mar 2001 10:07:46 -0500
Subject: [pptp-server] pptp connection with encryption and kernel 2.4.0
In-Reply-To:
Message-ID:

Does this only happen in Windows 2000?

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of
> werner.hofer at igs.at
> Sent: Tuesday, March 27, 2001 11:09 AM
> To: pptp-server at lists.schulte.org; berzerke at swbell.net
> Subject: Re: [pptp-server] pptp connection with encryption and kernel
> 2.4.0
>
>
> Thanks for your reply Robert!
>
> Yes I do have the line proxyarp in my options-file
>
> my options.ppp0 file does have the following entries:
>
> proxyarp
> lock
> debug
> auth
> +chap
> +chapms
> +chapms-v2
> mppe 40
> mppe 128
> mppe-stateless
> name poseidon
>
> my pptpd.conf file has the following entries:
>
> speed 115200
> option /etc/ppp/options.ppp0
> debug
> localip 192.168.1.2-50
> remoteip 192.168.1.102-150
> pidfile /var/run/pptpd.pid
>
> My local Ethernet is in the segment 192.168.0.0/24
> the eth0 device has the ip 192.168.0.1/32
> I have 4 CIPE interfaces which are all on other segments - not
> 192.168.1.0/24
>
> I do have a start/stop script where I placed the following statements:
>
> .....
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1> /proc/sys/net/ipv4/conf/all/proxy_arp
> ....
> modprobe ppp_mppe
> .....
> startproc /usr/sbin/pptpd || ......,
>
> I placed the necessary iptables statements in my firewall (tcp port 1723
> and ip protocol 47)
>
> what else can it be?
>
> Werner

From werner.hofer at igs.at Tue Mar 27 10:39:25 2001
From: werner.hofer at igs.at (werner.hofer at igs.at)
Date: Tue, 27 Mar 2001 18:39:25 +0200
Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4. 0
Message-ID:

Dear Steve!

When I turn on encryption it's even impossible to ping the PPTP-server's ip address at the ppp0 interface.
The ip-address of the eth0 interface (192.168.0.1) and the ip-address of the ppp0 interface (192.168.1.x) are not in the same network - should I be able to ping the ppp0 interface? Or is even this impossible if I don't fix the proxyarp problem.

What do you think, does this clearly indicate a problem with the MPPE encryption?

thanks
Werner

"Cowles, Steve"
To: "'werner.hofer at igs.at'", pptp-server at lists.schulte.org
Subject: RE: [pptp-server] pptp connection with encryption and kernel 2.4. 0
27.03.2001 17:11

You really need to fix the proxyarp problem first. Without it, you will only be able to "ping" your PPTP server, nothing past it.

The proxy arp errors can usually be fixed by assigning IP addresses in pptpd.conf (local/remote) that are within the network address range of the PPTP server's LAN interface (like eth0 or eth1). If that's not an option, then consider using ip aliasing to bind the network addresses to what is specified in your pptpd.conf to your PPTP server's LAN interface. Check out the kernel source documentation directory /usr/src/linux/Documentation/networking/alias.txt for info on ip aliasing.

Also, since "ping" works without encryption, then I would think there is a problem with your MPPE patch implementation. i.e. The encapsulated GRE packet cannot be de-encapsulated and handed off to the TCP/IP stack to be routed. Do you have module ppp_mppe.o and does /etc/modules.conf contain:

alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

Steve Cowles

From marc.charbonneau at prepar.com Tue Mar 27 09:42:59 2001
From: marc.charbonneau at prepar.com (Marc Charbonneau)
Date: Tue, 27 Mar 2001 10:42:59 -0500
Subject: [pptp-server] NAT?
References:
Message-ID: <001601c0b6d4$9a3a2e00$6e00a8c0@prepar.lan>

Your NAT doesn't seem to handle the GRE protocol correctly.

What is your NAT? if it's a Linux-box, you have to apply a patch to your kernel for it to handle it correctly.

HTH
----- Original Message -----
From:
To:
Sent: Tuesday, March 27, 2001 10:10 AM
Subject: [pptp-server] NAT?

> I am running pptp on a linux box and connecting with a win2000 client over
> the internet and having problems with NAT.
>
> Here is what I have in my options file.
>
> lock
> auth
> debug
> proxyarp
> require-chap
> +chap
> +chapms
> +chapms-v2
> mppe-40
> mppe-128
> mppe-stateless
> name pptpd
>
> When my Windows 2000 Client connects from a static IP address everything
> works fine.
When my Windows 2000 client tries to connect from a NAT'd > connection, I get a error 619, specified port is not connected. > > Here is what I see in my log files. > > Mar 27 10:02:01 mail pptpd[4027]: CTRL: Client xxx.xxx.xxx.xxx control connection started > Mar 27 10:02:01 mail pptpd[4027]: CTRL: Starting call (launching pppd, opening GRE) > Mar 27 10:02:01 mail kernel: CSLIP: code copyright 1989 Regents of the > University of California > Mar 27 10:02:01 mail kernel: PPP: version 2.3.7 (demand dialling) > Mar 27 10:02:01 mail kernel: PPP line discipline registered. > Mar 27 10:02:01 mail kernel: registered device ppp0 > Mar 27 10:02:01 mail pppd[4028]: pppd 2.3.11 started by root, uid 0 > Mar 27 10:02:01 mail pppd[4028]: Using interface ppp0 > Mar 27 10:02:01 mail pppd[4028]: Connect: ppp0 <--> /dev/pts/3 > Mar 27 10:02:01 mail pptpd[4027]: GRE: Discarding duplicate packet > Mar 27 10:02:31 mail pppd[4028]: LCP: timeout sending Config-Requests > Mar 27 10:02:31 mail pppd[4028]: Connection terminated. > Mar 27 10:02:31 mail pppd[4028]: Exit. > Mar 27 10:02:31 mail pptpd[4027]: GRE: read(fd=5,buffer=804d8c0,len=8196) > from PTY failed: status = -1 error = Input/output error > Mar 27 10:02:31 mail pptpd[4027]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6) > Mar 27 10:02:31 mail pptpd[4027]: CTRL: Client xxx.xxx.xxx.xxx control connection finished > > I have the following set up in my ipchains table > > ipchains -A forward -i eth0 -s 192.168.100.0/24 -d 192.168.100.0/24 -j MASQ > ipchains -A output -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT > ipchains -A input -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT > > I have this set up in pptp.conf > > localip 192.168.100.210-214 > remoteip 192.168.100.215-218 > > > Everything seems to work when the client has a static IP, just not when > NAT'd. Any ideas? I know I am missing something somewhere. 
> > Thanks, > > Dustin Doris > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > List services provided by www.schulteconsulting.com! From martin at tuatha.org Tue Mar 27 10:07:31 2001 From: martin at tuatha.org (Martin Feeney) Date: Tue, 27 Mar 2001 17:07:31 +0100 Subject: [pptp-server] windows routing Message-ID: <20010327170731.O24850@greenspot.nwcgroup.com> Anyone know if there is an equivalent to ip-up scripts under windows? There's some extra routing I'd like to autorun on the windows side after the connection comes up. Martin. From Steve at SteveCowles.com Tue Mar 27 10:20:24 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Tue, 27 Mar 2001 10:20:24 -0600 Subject: Antwort: RE: [pptp-server] pptp connection with encryption an d kernel 2.4. 0 Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6DB@defiant.infohiiway.com> > -----Original Message----- > From: werner.hofer at igs.at [mailto:werner.hofer at igs.at] > Sent: Tuesday, March 27, 2001 10:39 AM > To: Cowles, Steve; pptp-server at lists.schulte.org > Subject: Antwort: RE: [pptp-server] pptp connection with > encryption and > kernel 2.4. 0 > > > Dear Steve! > > When I turn on encryption it?s even impossible to ping the > PPTP-servers ip adress at the ppp0 interface. I'm going by my understanding of your post. You stated that when you disabled "data encryption" you were able to ping the PPTP server, but when you enabled data encryption, you were not. Correct?? > The ip-address of the eth0 interface (192.168.0.1) and the > ip-address of the ppp0 interface (192.168.1.x) are not in > the same network - should I be able to ping the ppp0 Interface? > Or is even this impossible if I don?t fix the proxyarp problem. Based on my understanding of your post and the current state of your PPTP server. If data encryption is disabled... 
then you should still be able to ping the ppp0 interface, just nothing past it until you fix your proxyarp problems. If your interested, I wrote a document that explains how important the proxyarp statement is to PPTP connections. Its written at a 30,000 foot view, but should help your understanding of how packets of data traverse VPN's. Checkout: http://www.infohiiway.com/pptp/proxyarp.html > What do you think, does this clearly indicate a problem with > the MPPE encryption? With regards to enabling data encryption, yes. If I were in your shoes, I would focus my efforts on: 1) fixing the proxy arp problems 2) your mppe implementation to fix the data encryption problem FWIW: I run W2K here and have no problems connecting to my PopTop server with data encryption enabled. Although, I am still running on the 2.2.x kernels. Steve Cowles From werner.hofer at igs.at Tue Mar 27 11:21:54 2001 From: werner.hofer at igs.at (werner.hofer at igs.at) Date: Tue, 27 Mar 2001 19:21:54 +0200 Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4. 0 Message-ID: After I made an alias on my eth0 interface (192.168.1.1) proxyarp should work since i can find an entry in the arp table for my pptp client. Thanks for your advise Steve. But still I can?t get a ping through the pptp tunnel. I even can?t ping the Server?s end of the tunnel. I did the iptables entries mentioned at the pptp-howto below and I do have the entries in my modules.conf. Even my module ppp_mppe loads without any error. I can watch traffic with tcpdump on both the ip protocol 47 and the port 1723 at the external Interface eth1. I?m very clueless at the moment. What else can it be? 
Werner ----- Weitergeleitet von Werner Hofer/igs am 27.03.2001 18:08 ----- |--------+-----------------------------------> | | werner.hofer at igs.at | | | Gesendet von: | | | pptp-server-admin at lists.s| | | chulte.org | | | | | | | | | 27.03.2001 18:39 | | | | |--------+-----------------------------------> >-----------------------------------------------------------------------------------------------------------| | | | An: "Cowles, Steve" , pptp-server at lists.schulte.org | | Kopie: | | Thema: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4. 0 | >-----------------------------------------------------------------------------------------------------------| Dear Steve! When I turn on encryption it?s even impossible to ping the PPTP-servers ip adress at the ppp0 interface . The ip-address of the eth0 interface (192.168.0.1) and the ip-address of the ppp0 interface (192.168.1.x) are not in the same network - should I be able to ping the ppp0 Interface? Or is even this impossible if I don?t fix the proxyarp problem. What do you think, does this clearly indicate a problem with the MPPE encryption? thanks Werner "Cowles, Steve" An: "'werner.hofer at igs.at'" , pptp-server at lists.schulte.org Thema: RE: [pptp-server] pptp connection with encryption and kernel 2.4. 0 27.03.2001 17:11 > -----Original Message----- > From: werner.hofer at igs.at [mailto:werner.hofer at igs.at] > Sent: Tuesday, March 27, 2001 6:25 AM > To: pptp-server at lists.schulte.org > Subject: [pptp-server] pptp connection with encryption and > kernel 2.4.0 > > > Hi! > > On my positiv list: > > pptp 2.4.0 runs with kernel 2.4.0 suse 7.1 "kernel" patch > linux-2.4.0-openssl-0.9.6-mppe.patch.gz is installed > ppp is compiled as module > > pppd is patched with ppp-2.4.0-openssl-0.9.6-mppe.patch > > without encryption everything runs fine. > > On my negativ list: > > when I turn on encryption my win2000 system connects, but i > can?t get a ping through to the other side. 
> > I have read the howto on: > http://home.swbell.net/berzerke/2.4_kernel_PPTPD-HOWTO.txt > at 5.13 it is mentioned to compile ppp as module - but since > i have done this - what else can it be? > > the only error message i can find in /var/log/messages is: > cannot determine ethernet address for proxy ARP > I turned it on with > echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp > but still i do have this error message. > Since without any encryption I get this message too but > pinging ... works. > > Does anybody have a clue? > > Thanks in advance > Werner You really need to fix the proxyarp problem first. Without it, you will only be able to "ping" your PPTP server, nothing past it. The proxy arp errors can usually be fixed by assigning IP addresses in pptpd.conf (local/remote) that are within the network address range of the PPTP servers LAN interface (like eth0 or eth1). If thats not an option, then consider using ip aliasing to bind the network addresses to what is specified in your pptpd.conf to your PPTP servers LAN interface. Checkout the kernel source documentation directory /usr/src/linux/Documentation/networking/alias.txt for info on ip aliasing. Also, since "ping" works without encryption, then I would think there is a problem with your MPPE patch implementation. i.e. The encapsulated GRE packet cannot be de-encapsulated and handed off to the TCP/IP stack to be routed. Do you have module ppp_mppe.o and does /etc/modules.conf contain: alias ppp-compress-18 ppp_mppe alias ppp-compress-21 bsd_comp alias ppp-compress-24 ppp_deflate alias ppp-compress-26 ppp_deflate Steve Cowles ____________________________________________________ IGS Systemmanagement Dr. 
Weginger GesmbH Dorfplatz 5 - Piberbach A-4531 Kematen/Krems phone: +43 7228 6451 0 home: http://www.igs.at fax: +43 7228 6451 30 eMail: igs at igs.at hotline: fax: +43 7228 6451 20 eMail: hotline at igs.at ____________________________________________________ NEWSFLASH___________________________________________ - Erfolgreich mit der IGS e-commerce-L?sung! - ?nderung in den ?? 131 und 132 Abs.3 BAO bzgl. "Zurverf?gungstellung von Datentr?gern an Betriebspr?fer"! n?heres unter http://www.igs.at/archiv/news.html NEWSFLASH___________________________________________ _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! ____________________________________________________ IGS Systemmanagement Dr. Weginger GesmbH Dorfplatz 5 - Piberbach A-4531 Kematen/Krems phone: +43 7228 6451 0 home: http://www.igs.at fax: +43 7228 6451 30 eMail: igs at igs.at hotline: fax: +43 7228 6451 20 eMail: hotline at igs.at ____________________________________________________ NEWSFLASH___________________________________________ - Erfolgreich mit der IGS e-commerce-L?sung! - ?nderung in den ?? 131 und 132 Abs.3 BAO bzgl. "Zurverf?gungstellung von Datentr?gern an Betriebspr?fer"! n?heres unter http://www.igs.at/archiv/news.html NEWSFLASH___________________________________________ From Steve at SteveCowles.com Tue Mar 27 10:43:08 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Tue, 27 Mar 2001 10:43:08 -0600 Subject: Antwort: RE: [pptp-server] pptp connection with encryption an d kernel 2.4. 
0 Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6DC@defiant.infohiiway.com> > -----Original Message----- > From: werner.hofer at igs.at [mailto:werner.hofer at igs.at] > Sent: Tuesday, March 27, 2001 11:22 AM > To: Cowles, Steve; pptp-server at lists.schulte.org > Subject: Antwort: RE: [pptp-server] pptp connection with > encryption and > kernel 2.4. 0 > > > After I made an alias on my eth0 interface (192.168.1.1) > proxyarp should work since i can find an entry in the arp > table for my pptp client. Thanks for your advise Steve. You should see a similar entry in your log files when your PPTP server can successfuly set (determine) the proxyarp device for your connection. Mar 26 12:11:59 firewall pppd[5226]: found interface eth0 for proxy arp > > But still I can?t get a ping through the pptp tunnel. I even > can?t ping the Server?s end of the tunnel. If you are unable to ping the PPTP server (with data encryption disabled) then I would think this is a routing/iptables problem. If you are unable able to ping the PPTP server (with "just" data encryption enabled) then I would think your problem is with MPPE. > > I did the iptables entries mentioned at the pptp-howto below > and I do have the entries in my modules.conf. Even my module > ppp_mppe loads without any error. Unfortunately (due to my requirements), I have not converted to the 2.4.x kernels and iptables, so I cannot offer much help in this area. 
My main reason for NOT using the new kernels/iptables is:

From chuddles at coin.org Tue Mar 27 12:01:01 2001
From: chuddles at coin.org (Chris W)
Date: Tue, 27 Mar 2001 12:01:01 -0600 (CST)
Subject: [pptp-server] windows routing
In-Reply-To: <20010327170731.O24850@greenspot.nwcgroup.com>
References: <20010327170731.O24850@greenspot.nwcgroup.com>
Message-ID: <985716061.3ac0d55d5574d@c104343-a.clmba1.mo.home.com>

I used to run a utility back in the good ol' modem dialup days that would wait for a 'net connection, then run whatever program you wanted (like to fire up your ICQ, etc). It could easily run a bat file when a PPTP connection comes up, I would believe. Sorry, I think it was called NetLaunch, but I'm not sure.

Quoting Martin Feeney :
> Anyone know if there is an equivalent to ip-up scripts under
> windows?
> There's some extra routing I'd like to autorun on the windows
> side after
> the connection comes up.
>
> Martin.

From berzerke at swbell.net Tue Mar 27 11:57:16 2001
From: berzerke at swbell.net (robert)
Date: Tue, 27 Mar 2001 11:57:16 -0600
Subject: [pptp-server] NAT?
In-Reply-To: <001601c0b6d4$9a3a2e00$6e00a8c0@prepar.lan>
References: <001601c0b6d4$9a3a2e00$6e00a8c0@prepar.lan>
Message-ID: <01032711571600.08376@linux>

To get ipchains and pptpd to work together with NAT, you must patch your kernel (and in doing so, you also patch ipchains). Standard ipchains will fail when used with NAT.

On Tuesday 27 March 2001 09:42, Marc Charbonneau wrote:
> Your NAT doesn't seem to handle the GRE protocol correctly.
>
> What is your NAT? If it's a Linux box, you have to apply a patch to your
> kernel for it to handle it correctly.
>
> HTH
> ----- Original Message -----
> From:
> To:
> Sent: Tuesday, March 27, 2001 10:10 AM
> Subject: [pptp-server] NAT?
> > > I am running pptp on a linux box and connecting with a win2000 client > > over the internet and having problems with NAT. > > > > Here is what I have in my options file. > > > > lock > > auth > > debug > > proxyarp > > require-chap > > +chap > > +chapms > > +chapms-v2 > > mppe-40 > > mppe-128 > > mppe-stateless > > name pptpd > > > > When my Windows 2000 Client connects from a static IP address everything > > works fine. When my Windows 2000 client tries to connect from a NAT'd > > connection, I get a error 619, specified port is not connected. > > > > Here is what I see in my log files. > > > > Mar 27 10:02:01 mail pptpd[4027]: CTRL: Client xxx.xxx.xxx.xxx control > > connection started > > > Mar 27 10:02:01 mail pptpd[4027]: CTRL: Starting call (launching pppd, > > opening GRE) > > > Mar 27 10:02:01 mail kernel: CSLIP: code copyright 1989 Regents of the > > University of California > > Mar 27 10:02:01 mail kernel: PPP: version 2.3.7 (demand dialling) > > Mar 27 10:02:01 mail kernel: PPP line discipline registered. > > Mar 27 10:02:01 mail kernel: registered device ppp0 > > Mar 27 10:02:01 mail pppd[4028]: pppd 2.3.11 started by root, uid 0 > > Mar 27 10:02:01 mail pppd[4028]: Using interface ppp0 > > Mar 27 10:02:01 mail pppd[4028]: Connect: ppp0 <--> /dev/pts/3 > > Mar 27 10:02:01 mail pptpd[4027]: GRE: Discarding duplicate packet > > Mar 27 10:02:31 mail pppd[4028]: LCP: timeout sending Config-Requests > > Mar 27 10:02:31 mail pppd[4028]: Connection terminated. > > Mar 27 10:02:31 mail pppd[4028]: Exit. 
> > Mar 27 10:02:31 mail pptpd[4027]: GRE: read(fd=5,buffer=804d8c0,len=8196)
> > from PTY failed: status = -1 error = Input/output error
> > Mar 27 10:02:31 mail pptpd[4027]: CTRL: PTY read or GRE write failed
> > (pty,gre)=(5,6)
> > Mar 27 10:02:31 mail pptpd[4027]: CTRL: Client xxx.xxx.xxx.xxx control
> > connection finished
> >
> > I have the following set up in my ipchains table
> >
> > ipchains -A forward -i eth0 -s 192.168.100.0/24 -d 192.168.100.0/24 -j MASQ
> > ipchains -A output -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT
> > ipchains -A input -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT
> >
> > I have this set up in pptp.conf
> >
> > localip 192.168.100.210-214
> > remoteip 192.168.100.215-218
> >
> > Everything seems to work when the client has a static IP, just not when
> > NAT'd. Any ideas? I know I am missing something somewhere.
> >
> > Thanks,
> >
> > Dustin Doris

From berzerke at swbell.net Tue Mar 27 12:09:39 2001
From: berzerke at swbell.net (robert)
Date: Tue, 27 Mar 2001 12:09:39 -0600
Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
In-Reply-To:
References:
Message-ID: <01032712093901.08376@linux>

On Tuesday 27 March 2001 11:21, werner.hofer at igs.at wrote:
> After I made an alias on my eth0 interface (192.168.1.1) proxyarp should
> work since I can find an entry in the arp table for my pptp client. Thanks
> for your advice Steve.
>
> But still I can't get a ping through the pptp tunnel.
> I even can't ping the
> Server's end of the tunnel.

Is this both with and without encryption, or just with encryption?

> I did the iptables entries mentioned at the pptp-howto below and I do have
> the entries in my modules.conf. Even my module ppp_mppe loads without any
> error.

Did you change the constants in the script to values appropriate for your network configuration? Also, the sample script in the howto does not allow pings anyway. Use the bigger sample script at http://home.swbell/berzerke which does allow for pinging only from the server on the external interface. The rules are easy to adjust for a pptpd interface. Just copy the ping section, paste right below the existing ping section, and change all $EXTINT to ppp+ (or optionally ppp0, but the + covers all possible ppp interfaces). It won't respond to incoming pings, although it will log them.

> I can watch traffic with tcpdump on both the ip protocol 47 and the port
> 1723 at the external Interface eth1.
>
> I'm very clueless at the moment. What else can it be?
>
> Werner
> ----- Forwarded by Werner Hofer/igs on 27.03.2001 18:08 -----
>
> From: werner.hofer at igs.at
> Sent by: pptp-server-admin at lists.schulte.org
> 27.03.2001 18:39
> To: "Cowles, Steve" , pptp-server at lists.schulte.org
> Cc:
> Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
>
> Dear Steve!
>
> When I turn on encryption it's even impossible to ping the PPTP server's ip
> address at the ppp0 interface.
> The ip-address of the eth0 interface (192.168.0.1) and the ip-address of
> the ppp0 interface (192.168.1.x) are not in the same network - should I be
> able to ping the ppp0 Interface?
> Or is even this impossible if I don't fix the proxyarp problem.
> What do you think, does this clearly indicate a problem with the MPPE
> encryption?
>
> thanks
> Werner
>
> "Cowles, Steve"   To: "'werner.hofer at igs.at'" , pptp-server at lists.schulte.org
> 27.03.2001 17:11  Subject: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
>
> > -----Original Message-----
> > From: werner.hofer at igs.at [mailto:werner.hofer at igs.at]
> > Sent: Tuesday, March 27, 2001 6:25 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] pptp connection with encryption and
> > kernel 2.4.0
> >
> > Hi!
> >
> > On my positive list:
> >
> > pptp 2.4.0 runs with kernel 2.4.0 suse 7.1 "kernel" patch
> > linux-2.4.0-openssl-0.9.6-mppe.patch.gz is installed
> > ppp is compiled as module
> >
> > pppd is patched with ppp-2.4.0-openssl-0.9.6-mppe.patch
> >
> > without encryption everything runs fine.
> >
> > On my negative list:
> >
> > when I turn on encryption my win2000 system connects, but I
> > can't get a ping through to the other side.
> >
> > I have read the howto on:
> > http://home.swbell.net/berzerke/2.4_kernel_PPTPD-HOWTO.txt
> > at 5.13 it is mentioned to compile ppp as module - but since
> > I have done this - what else can it be?
> >
> > the only error message I can find in /var/log/messages is:
> > cannot determine ethernet address for proxy ARP
> > I turned it on with
> > echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
> > but still I do have this error message.
> > Since without any encryption I get this message too but
> > pinging ... works.
> >
> > Does anybody have a clue?
> >
> > Thanks in advance
> > Werner
>
> You really need to fix the proxyarp problem first.
> Without it, you will only
> be able to "ping" your PPTP server, nothing past it. The proxy arp errors
> can usually be fixed by assigning IP addresses in pptpd.conf (local/remote)
> that are within the network address range of the PPTP server's LAN interface
> (like eth0 or eth1). If that's not an option, then consider using ip aliasing
> to bind the network addresses to what is specified in your pptpd.conf to
> your PPTP server's LAN interface. Check out the kernel source documentation
> directory /usr/src/linux/Documentation/networking/alias.txt for info on ip
> aliasing.
>
> Also, since "ping" works without encryption, then I would think there is a
> problem with your MPPE patch implementation. i.e. The encapsulated GRE
> packet cannot be de-encapsulated and handed off to the TCP/IP stack to be
> routed.
>
> Do you have module ppp_mppe.o and does /etc/modules.conf contain:
> alias ppp-compress-18 ppp_mppe
> alias ppp-compress-21 bsd_comp
> alias ppp-compress-24 ppp_deflate
> alias ppp-compress-26 ppp_deflate
>
> Steve Cowles
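Steve Cowles's two fixes quoted above (renumber the pptpd.conf localip/remoteip pools into the LAN subnet, or alias an address from the pools' subnet onto the LAN interface as in alias.txt) can be checked mechanically before pppd gets a chance to log "Cannot determine ethernet address for proxy ARP", which it does when no interface shares a subnet with the remote address. The script below is an added example written for this page; it is not code from the list, from PoPToP or from pppd. It expands pptpd's range syntax as seen in the thread (192.168.100.215-218), reports every pool address outside the LAN interface's subnet, and prints the renumber-or-alias fix. Assumptions: Dustin's server address 192.168.100.1/24 is taken from his ipchains rules, Werner's eth0 192.168.0.1 is given a /24 and invented pool values since the thread gives only the address, and the full a.b.c.d-w.x.y.z range form is this example's convenience, not a claim about pptpd's own parser.

```python
import ipaddress
from typing import Dict, List


def parse_pptpd_range(spec: str) -> List[ipaddress.IPv4Address]:
    """Expand a pptpd.conf localip/remoteip value into individual addresses.

    Handles a single address, a comma-separated list, and the last-octet
    range 192.168.100.215-218 seen in the thread. A full a.b.c.d-w.x.y.z
    range is accepted as well (this example's extension, assumed, not pptpd's).
    """
    addrs: List[ipaddress.IPv4Address] = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" not in item:
            addrs.append(ipaddress.IPv4Address(item))
            continue
        start_s, end_s = item.split("-", 1)
        start = ipaddress.IPv4Address(start_s)
        if "." not in end_s:                      # 215-218: reuse the first three octets
            end_s = start_s.rsplit(".", 1)[0] + "." + end_s
        end = ipaddress.IPv4Address(end_s)
        if end < start:
            raise ValueError(f"range {item!r} runs backwards")
        addrs.extend(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
    return addrs


def check_proxyarp(lan_iface: str, lan_addr: str, localip: str, remoteip: str) -> Dict:
    """Report pool addresses proxy ARP cannot serve: any localip/remoteip entry
    outside the LAN interface's own subnet. lan_addr is the interface address
    with its prefix length, e.g. 192.168.100.1/24 (assumed for the examples)."""
    net = ipaddress.IPv4Interface(lan_addr).network
    local, remote = parse_pptpd_range(localip), parse_pptpd_range(remoteip)
    outside = [str(a) for a in local + remote if a not in net]
    overlap = sorted(str(a) for a in set(local) & set(remote))   # same address on both ends
    report = {"ok": not outside and not overlap, "outside": outside,
              "overlap": overlap, "fix": ""}
    if outside:
        # The two fixes from the thread: renumber the pools into the LAN, or put
        # an unused address from the pools' subnet on the LAN interface as an
        # alias (ifconfig ethN:0 syntax per alias.txt; netmask assumed = LAN's).
        stray = ipaddress.ip_network(f"{outside[0]}/{net.prefixlen}", strict=False)
        used = set(local) | set(remote)
        alias = next(h for h in stray.hosts() if h not in used)
        report["fix"] = (f"renumber localip/remoteip into {net}, or alias: "
                         f"ifconfig {lan_iface}:0 {alias} netmask {stray.netmask}")
    return report


if __name__ == "__main__":
    # Dustin's configuration from the thread: pools inside the LAN, nothing to fix.
    print(check_proxyarp("eth0", "192.168.100.1/24", "192.168.100.210-214", "192.168.100.215-218"))
    # Werner's situation: eth0 on 192.168.0.x, ppp0 addresses on 192.168.1.x (pools invented).
    print(check_proxyarp("eth0", "192.168.0.1/24", "192.168.1.1", "192.168.1.10-20"))
```

The second call reports twelve stray addresses and suggests an eth0:0 alias on 192.168.1.0/24, which is the alias Werner ended up adding; the first reports nothing, matching Steve's observation that Dustin's proxy ARP was never the problem.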
From jake.pierson at openwave.com Tue Mar 27 14:00:09 2001
From: jake.pierson at openwave.com (Jake Pierson)
Date: Tue, 27 Mar 2001 12:00:09 -0800
Subject: [pptp-server] Win2k Connection probs.
Message-ID:

All, I get the following errors in /var/log/pptpd.log when I try to connect via Win2k. Is my pppd too old? Win 98 seems to have connected all right.
Thanks for looking at this
-Jake

Mar 26 11:50:10 jake pppd[6995]: pppd 2.3.5 started by root, uid 0
Mar 26 11:50:10 jake pppd[6995]: Using interface ppp0
Mar 26 11:50:10 jake pppd[6995]: Connect: ppp0 <--> /dev/ttyp2
Mar 26 11:50:10 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:10 jake pppd[6995]: rcvd [LCP ConfReq id=0x0 ]
Mar 26 11:50:10 jake pppd[6995]: sent [LCP ConfAck id=0x0 ]
Mar 26 11:50:12 jake pppd[6995]: rcvd [LCP ConfReq id=0x1 ]
Mar 26 11:50:12 jake pppd[6995]: s sent [LCP ConfAck id=0x1 ]
Mar 26 11:50:13 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:15 jake pppd[6995]: rcvd [LCP ConfReq id=0x2 ]
Mar 26 11:50:15 jake pppd[6995]: sent [LCP ConfAck id=0x2 ]
Mar 26 11:50:16 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:19 jake pppd[6995]: rcvd [LCP ConfReq id=0x3 ]
Mar 26 11:50:19 jake pppd[6995]: sent [LCP ConfAck id=0x3 ]
Mar 26 11:50:19 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:22 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:23 jake pppd[6995]: rcvd [LCP ConfReq id=0x4 ]
Mar 26 11:50:23 jake pppd[6995]: sent [LCP ConfAck id=0x4 ]
Mar 26 11:50:25 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:27 jake pppd[6995]: rcvd [LCP ConfReq id=0x5 ]
Mar 26 11:50:27 jake pppd[6995]: sent [LCP ConfAck id=0x5 ]
Mar 26 11:50:28 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:31 jake pppd[6995]: rcvd [LCP ConfReq id=0x6 ]
Mar 26 11:50:31 jake pppd[6995]: sent [LCP ConfAck id=0x6 ]
Mar 26 11:50:31 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:34 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:35 jake pppd[6995]: rcvd [LCP ConfReq id=0x7 ]
Mar 26 11:50:35 jake pppd[6995]: sent [LCP ConfAck id=0x7 ]
Mar 26 11:50:37 jake pppd[6995]: sent [LCP ConfReq id=0x1 ]
Mar 26 11:50:39 jake pppd[6995]: rcvd [LCP ConfReq id=0x8 ]
Mar 26 11:50:39 jake pppd[6995]: sent [LCP ConfAck id=0x8 ]
Mar 26 11:50:40 jake pppd[6995]: LCP: timeout sending Config-Requests
Mar 26 11:50:40 jake pppd[6995]: Connection terminated.
Mar 26 11:50:40 jake pppd[6995]: Exit.

From teastep at seattlefirewall.dyndns.org Tue Mar 27 14:13:08 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Tue, 27 Mar 2001 12:13:08 -0800 (PST)
Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE6DC@defiant.infohiiway.com>
Message-ID:

Thus spoke Cowles, Steve:
> > -----Original Message-----
> > From: werner.hofer at igs.at [mailto:werner.hofer at igs.at]
> > Sent: Tuesday, March 27, 2001 11:22 AM
> > To: Cowles, Steve; pptp-server at lists.schulte.org
> > Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
> >
> > After I made an alias on my eth0 interface (192.168.1.1)
> > proxyarp should work since I can find an entry in the arp
> > table for my pptp client. Thanks for your advice Steve.
>
> You should see a similar entry in your log files when your PPTP server can
> successfully set (determine) the proxyarp device for your connection.
>
> Mar 26 12:11:59 firewall pppd[5226]: found interface eth0 for proxy arp
>
> > But still I can't get a ping through the pptp tunnel. I even
> > can't ping the Server's end of the tunnel.
>
> If you are unable to ping the PPTP server (with data encryption disabled)
> then I would think this is a routing/iptables problem. If you are unable
> to ping the PPTP server (with "just" data encryption enabled) then I
> would think your problem is with MPPE.

I've reproduced the problem here. With encryption enabled, traffic outbound through the tunnel to the Win2k host seems to go in the bit bucket. tcpdump shows outbound traffic on ppp0 but it doesn't seem to reach the w2k box. With encryption disabled, everything works ok...
Kernel -- 2.4.3-pre8 with mppe & FreeSwan
pptpd -- 1.1.2
ppp -- 2.4.0

-Tom
--
Tom Eastep                 \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924               \ Websites: http://seawall.sourceforge.net
teastep at evergo.net          \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA     \ http://shorewall.sourceforge.net
                               \_________________________________________

From pptplist at mail.doris.cc Tue Mar 27 17:50:06 2001
From: pptplist at mail.doris.cc (pptplist at mail.doris.cc)
Date: Tue, 27 Mar 2001 18:50:06 -0500 (EST)
Subject: [pptp-server] NAT?
In-Reply-To: <001601c0b6d4$9a3a2e00$6e00a8c0@prepar.lan>
Message-ID:

The NAT is a Cisco Aironet Access Point.

On Tue, 27 Mar 2001, Marc Charbonneau wrote:
> Your NAT doesn't seem to handle the GRE protocol correctly.
>
> What is your NAT? If it's a Linux box, you have to apply a patch to your
> kernel for it to handle it correctly.
>
> HTH
> ----- Original Message -----
> From:
> To:
> Sent: Tuesday, March 27, 2001 10:10 AM
> Subject: [pptp-server] NAT?
>
> > I am running pptp on a linux box and connecting with a win2000 client over
> > the internet and having problems with NAT.
> >
> > Here is what I have in my options file.
> >
> > lock
> > auth
> > debug
> > proxyarp
> > require-chap
> > +chap
> > +chapms
> > +chapms-v2
> > mppe-40
> > mppe-128
> > mppe-stateless
> > name pptpd
> >
> > When my Windows 2000 Client connects from a static IP address everything
> > works fine. When my Windows 2000 client tries to connect from a NAT'd
> > connection, I get an error 619, specified port is not connected.
> >
> > Here is what I see in my log files.
> > > > Mar 27 10:02:01 mail pptpd[4027]: CTRL: Client xxx.xxx.xxx.xxx control > connection started > > Mar 27 10:02:01 mail pptpd[4027]: CTRL: Starting call (launching pppd, > opening GRE) > > Mar 27 10:02:01 mail kernel: CSLIP: code copyright 1989 Regents of the > > University of California > > Mar 27 10:02:01 mail kernel: PPP: version 2.3.7 (demand dialling) > > Mar 27 10:02:01 mail kernel: PPP line discipline registered. > > Mar 27 10:02:01 mail kernel: registered device ppp0 > > Mar 27 10:02:01 mail pppd[4028]: pppd 2.3.11 started by root, uid 0 > > Mar 27 10:02:01 mail pppd[4028]: Using interface ppp0 > > Mar 27 10:02:01 mail pppd[4028]: Connect: ppp0 <--> /dev/pts/3 > > Mar 27 10:02:01 mail pptpd[4027]: GRE: Discarding duplicate packet > > Mar 27 10:02:31 mail pppd[4028]: LCP: timeout sending Config-Requests > > Mar 27 10:02:31 mail pppd[4028]: Connection terminated. > > Mar 27 10:02:31 mail pppd[4028]: Exit. > > Mar 27 10:02:31 mail pptpd[4027]: GRE: read(fd=5,buffer=804d8c0,len=8196) > > from PTY failed: status = -1 error = Input/output error > > Mar 27 10:02:31 mail pptpd[4027]: CTRL: PTY read or GRE write failed > (pty,gre)=(5,6) > > Mar 27 10:02:31 mail pptpd[4027]: CTRL: Client xxx.xxx.xxx.xxx control > connection finished > > > > I have the following set up in my ipchains table > > > > ipchains -A forward -i eth0 -s 192.168.100.0/24 -d 192.168.100.0/24 -j > MASQ > > ipchains -A output -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT > > ipchains -A input -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT > > > > I have this set up in pptp.conf > > > > localip 192.168.100.210-214 > > remoteip 192.168.100.215-218 > > > > > > Everything seems to work when the client has a static IP, just not when > > NAT'd. Any ideas? I know I am missing something somewhere. 
> >
> > Thanks,
> >
> > Dustin Doris

From berzerke at swbell.net Tue Mar 27 17:37:25 2001
From: berzerke at swbell.net (robert)
Date: Tue, 27 Mar 2001 17:37:25 -0600
Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
In-Reply-To:
References:
Message-ID: <0GAV00GM0QVWEP@mta4.rcsntx.swbell.net>
MIME-Version: 1.0
Message-Id: <01032717372500.11158 at linux>
Content-Transfer-Encoding: 8bit

This is a real shot in the dark, but I have seen a cryptic message about the pptpd interface (whichever adapter that physically is) on the W2K box has to be listed first when you look at your adapters in the properties of My Network Places.

Let me know if this solves the problem. For the message below about tcpdump showing the packets leaving, this is starting to look like a W2K problem. Come to think of it, I do see a lot of W2K problems on this list...Hmmm...

On Tuesday 27 March 2001 14:13, Tom Eastep wrote:
> Thus spoke Cowles, Steve:
> > > -----Original Message-----
> > > From: werner.hofer at igs.at [mailto:werner.hofer at igs.at]
> > > Sent: Tuesday, March 27, 2001 11:22 AM
> > > To: Cowles, Steve; pptp-server at lists.schulte.org
> > > Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
> > >
> > > After I made an alias on my eth0 interface (192.168.1.1)
> > > proxyarp should work since I can find an entry in the arp
> > > table for my pptp client. Thanks for your advice Steve.
> >
> > You should see a similar entry in your log files when your PPTP server
> > can successfully set (determine) the proxyarp device for your connection.
> >
> > Mar 26 12:11:59 firewall pppd[5226]: found interface eth0 for proxy arp
> >
> > > But still I can't get a ping through the pptp tunnel. I even
> > > can't ping the Server's end of the tunnel.
> >
> > If you are unable to ping the PPTP server (with data encryption disabled)
> > then I would think this is a routing/iptables problem. If you are unable
> > to ping the PPTP server (with "just" data encryption enabled) then I
> > would think your problem is with MPPE.
>
> I've reproduced the problem here. With encryption enabled, traffic
> outbound through the tunnel to the Win2k host seems to go in the bit
> bucket. tcpdump shows outbound traffic on ppp0 but it doesn't seem to
> reach the w2k box. With encryption disabled, everything works ok...
>
> Kernel -- 2.4.3-pre8 with mppe & FreeSwan
> pptpd -- 1.1.2
> ppp -- 2.4.0
>
> -Tom

From Steve at SteveCowles.com Tue Mar 27 18:22:36 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Tue, 27 Mar 2001 18:22:36 -0600
Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6E3@defiant.infohiiway.com>

> -----Original Message-----
> From: robert [mailto:berzerke at swbell.net]
> Sent: Tuesday, March 27, 2001 5:37 PM
> To: Eastep, Tom; Cowles, Steve
> Cc: 'werner.hofer at igs.at'; pptp-server at lists.schulte.org
> Subject: Re: Antwort: RE: [pptp-server] pptp connection with
> encryption and kernel 2.4.0
>
> This is a real shot in the dark, but I have seen a cryptic
> message about the pptpd interface (whichever adapter that
> physically is) on the W2K box has to be listed first when
> you look at your adapters in the properties of My Network
> Places.
>
> Let me know if this solves the problem.
> For the message
> below about tcpdump showing the packets leaving, this is
> starting to look like a W2K problem. Come to think of it,
> I do see a lot of W2K problems on this list...Hmmm...

Are you sure you're not referring to the "protocol" binding order?

Steve Cowles

From teastep at seattlefirewall.dyndns.org Tue Mar 27 18:25:55 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Tue, 27 Mar 2001 16:25:55 -0800 (PST)
Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
In-Reply-To: <0GAV00GM0QVWEP@mta4.rcsntx.swbell.net>
Message-ID:

Thus spoke robert:
> This is a real shot in the dark, but I have seen a cryptic message about the
> pptpd interface (whichever adapter that physically is) on the W2K box has
> to be listed first when you look at your adapters in the properties of My
> Network Places.

Hmmm - I renamed the connection so that it came first in the list; no change in the symptoms.

> Let me know if this solves the problem. For the message below about tcpdump
> showing the packets leaving, this is starting to look like a W2K problem.
> Come to think of it, I do see a lot of W2K problems on this list...Hmmm...

I have no way of testing whether it's Win2k-related since I only have a single (W2K) MS box to test with...

-Tom
--
Tom Eastep                 \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924               \ Websites: http://seawall.sourceforge.net
teastep at evergo.net          \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA     \ http://shorewall.sourceforge.net
                               \_________________________________________

From berzerke at swbell.net Tue Mar 27 19:19:33 2001
From: berzerke at swbell.net (robert)
Date: Tue, 27 Mar 2001 19:19:33 -0600
Subject: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE6E3@defiant.infohiiway.com>
References: <90769AF04F76D41186C700A0C90AFC3EE6E3@defiant.infohiiway.com>
Message-ID: <01032719193300.11707@linux>

On Tuesday 27 March 2001 18:22, Cowles, Steve wrote:

Could be. Since I don't have W2K, I didn't really understand the message. It's some sort of bug that does affect Win98 clients and W2K pptpd servers.

> > -----Original Message-----
> > From: robert [mailto:berzerke at swbell.net]
> > Sent: Tuesday, March 27, 2001 5:37 PM
> > To: Eastep, Tom; Cowles, Steve
> > Cc: 'werner.hofer at igs.at'; pptp-server at lists.schulte.org
> > Subject: Re: Antwort: RE: [pptp-server] pptp connection with
> > encryption and kernel 2.4.0
> >
> > This is a real shot in the dark, but I have seen a cryptic
> > message about the pptpd interface (whichever adapter that
> > physically is) on the W2K box has to be listed first when
> > you look at your adapters in the properties of My Network
> > Places.
> >
> > Let me know if this solves the problem. For the message
> > below about tcpdump showing the packets leaving, this is
> > starting to look like a W2K problem. Come to think of it,
> > I do see a lot of W2K problems on this list...Hmmm...
>
> Are you sure you're not referring to the "protocol" binding order?
>
> Steve Cowles

From werner.hofer at igs.at Wed Mar 28 09:56:48 2001
From: werner.hofer at igs.at (werner.hofer at igs.at)
Date: Wed, 28 Mar 2001 17:56:48 +0200
Subject: Antwort: Re: Antwort: RE: [pptp-server] pptp connection with encryption and kernel 2.4.0
Message-ID:

My Investigations so far:

From hatnet at free.fr Wed Mar 28 10:13:02 2001
From: hatnet at free.fr (hatim)
Date: Wed, 28 Mar 2001 18:13:02 +0200
Subject: [pptp-server] proxy arp
References:
Message-ID: <003101c0b7a1$f7101d60$615829d5@hatimsf>

Hi,
when I started pptpd -d
I have this error

pppd[4079]: Cannot determine ethernet address for proxy ARP

I don't know how to add an entry to the system's ARP

but what I see is that: even if I put in the /etc/ppp/options netmask 255.255.0.0, the win2000 client has a netmask 255.255.255.255 when I do ipconfig

PPP adapter Virtual Private Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.234
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

thanks a lot
Hatim

From berzerke at swbell.net Wed Mar 28 15:26:59 2001
From: berzerke at swbell.net (robert)
Date: Wed, 28 Mar 2001 15:26:59 -0600
Subject: [pptp-server] proxy arp
In-Reply-To: <003101c0b7a1$f7101d60$615829d5@hatimsf>
References: <003101c0b7a1$f7101d60$615829d5@hatimsf>
Message-ID: <01032815265900.02987@linux>

Add the line proxyarp in your ppp options file.

On Wednesday 28 March 2001 10:13, hatim wrote:
> Hi,
> when I started pptpd -d
> I have this error
>
> pppd[4079]: Cannot determine ethernet address for proxy ARP
>
> I don't know how to add an entry to the system's ARP
>
> but what I see is that: even if I put in the /etc/ppp/options netmask
> 255.255.0.0, the win2000 client has a netmask 255.255.255.255 when I do
> ipconfig
> PPP adapter Virtual Private Connection:
>
> Connection-specific DNS Suffix . :
> IP Address. . . . . . . . . . . . : 192.168.0.234
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . :
>
> thanks a lot
>
> Hatim

From jkreger at avidsolutionsinc.com Wed Mar 28 16:22:52 2001
From: jkreger at avidsolutionsinc.com (Justin Kreger)
Date: Wed, 28 Mar 2001 17:22:52 -0500
Subject: [pptp-server] *sigh*
Message-ID: <6B8A85826C35D31193BD0090278589C81DF08E@CIC-EXCHANGE>

Well, I was going to write pass-through authentication for MSCHAP/MSChapV2 to a NT server, but I had to put that on the back burner, and now my employer is putting me on the back shelf in a sense. I will be quitting/being laid off very soon, so I will be leaving this listserv because I will soon no longer have this email address.

It was nice helping you guys, I hope you make good use of the code I wrote that goes and asks a NT server if a user is valid for PAP authentication skipping Pluggable Authentication Modules (PAM). Well, it wasn't much code, really it was creative merging of already written code, with some slight adaptation.

I wish you all the best, and good luck with future installs, patches, and features.
-Justin Kreger, MCP MCSE & Nearly CCNA (Cisco is being a pain)
jkreger at earthling.2y.net

From Steve at SteveCowles.com Wed Mar 28 17:31:36 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Wed, 28 Mar 2001 17:31:36 -0600
Subject: [pptp-server] proxy arp
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE6F0@defiant.infohiiway.com>

> -----Original Message-----
> From: hatim [mailto:hatnet at free.fr]
> Sent: Wednesday, March 28, 2001 10:13 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] proxy arp
>
> Hi,
> when I started pptpd -d
> I have this error
>
> pppd[4079]: Cannot determine ethernet address for proxy ARP
>
> I don't know how to add an entry to the system's ARP
>
> but what I see is that: even if I put in the
> /etc/ppp/options netmask
> 255.255.0.0, the win2000 client has a netmask
> 255.255.255.255 when I do
> ipconfig
> PPP adapter Virtual Private Connection:
>
> Connection-specific DNS Suffix . :
> IP Address. . . . . . . . . . . . : 192.168.0.234
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . :
>
> thanks a lot

With regards to the 32 bit netmask, you're trying to compare apples to oranges. i.e. You're comparing a LAN to a VPN tunnel. The netmask of 255.255.255.255 is CORRECT for a tunnel.

The proxy arp errors can usually be fixed by assigning IP addresses in pptpd.conf (local/remote) that are within the network address range of the PPTP server's LAN interface (like eth0 or eth1). If that's not an option (due to your network design), then consider using ip aliasing to bind the network addresses to what is specified in your pptpd.conf to your PPTP server's LAN interface. Check out the kernel source documentation directory /usr/src/linux/Documentation/networking/alias.txt for info on ip aliasing.

Also, make sure "proxyarp" is listed in your /etc/ppp/options file.

Steve Cowles

From eradicator58 at hotmail.com Thu Mar 29 03:18:29 2001
From: eradicator58 at hotmail.com (Jaime R.)
Date: Thu, 29 Mar 2001 03:18:29
Subject: [pptp-server] ioctl

Hi

I had dsl running on Mandrake 7.2 and then the dsl crashed on my ISP's end. It's back up now, but when I try and connect using linux it times out. I ran the debug mode on it and I noticed the following error

ioctl(SIOCGIFHWADDR): No such device
write: warning: Input/output error (5)

Everything else is normal except that. Does anyone know what's wrong? My network card is listed if I do an ifconfig and it's the same as when my dsl was working.

From mjo at pbj.dk Thu Mar 29 00:45:48 2001
From: mjo at pbj.dk (Mikael Johnsen)
Date: Thu, 29 Mar 2001 08:45:48 +0200
Subject: [pptp-server] Time Outs
Message-ID: <1DA605F7E2EAD411B7A9009027DDD2C35AD0@PBJ-EXCHG>

Hi Guys

A quick question: is there some kind of time out, when a user has been idle for 5 minutes or so?

Med venlig hilsen / Best regards

Mikael Johnsen
Systemadministrator / System Administrator
PBJ Consult A/S            Phone: +45 43 62 74 00
Roholmsvej 10 G            Fax: +45 43 62 74 24
DK-2620 Albertslund        Email: mailto:mjo at pbj.dk
Homepage: www.pbj.dk

From GeorgeV at citadelcomputer.com.au Thu Mar 29 01:07:34 2001
From: GeorgeV at citadelcomputer.com.au (George Vieira)
Date: Thu, 29 Mar 2001 17:07:34 +1000
Subject: [pptp-server] Time Outs
Message-ID: <200FAA488DE0D41194F10010B597610D0A6D06@JUPITER>

idle 300

Sets the IDLE time: if the PPPD connection is idle for more than 5 minutes then it drops the link.

thanks,
George Vieira

-----Original Message-----
From: Mikael Johnsen [mailto:mjo at pbj.dk]
Sent: Thursday, March 29, 2001 4:46 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Time Outs

Hi Guys

A quick question: is there some kind of time out, when a user has been idle for 5 minutes or so?

Med venlig hilsen / Best regards

Mikael Johnsen

From ralphw at cnet.com Thu Mar 29 06:55:00 2001
From: ralphw at cnet.com (Ralph Winslow)
Date: Thu, 29 Mar 2001 07:55:00 -0500 (EST)
Subject: [pptp-server] *sigh*
In-Reply-To: <6B8A85826C35D31193BD0090278589C81DF08E@CIC-EXCHANGE>

On Wed, 28 Mar 2001, Justin Kreger wrote:

Thanks for your contributions, Justin. I read somewhere that "bread cast upon the waters, will return manifold" or something along those lines ;-) so I'm sure that avidsolutionsinc's loss will soon be some other lucky employer's gain. Though not mine, as we're in a hiring freeze, post downsizing, too.

> Date: Wed, 28 Mar 2001 17:22:52 -0500
> From: Justin Kreger
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] *sigh*
>
> Well, I was going to write pass-through authentication for MSCHAP/MSChapV2
> to a NT server, but I had to put that on the back burner, and now my
> employer is putting me on the back shelf, in a sense. I will be
> quitting/being laid off very soon, so I will be leaving this listserv
> because I will soon no longer have this email address.
>
> It was nice helping you guys. I hope you make good use of the code I wrote
> that goes and asks a NT server if a user is valid for PAP authentication,
> skipping Pluggable Authentication Modules (PAM). Well, it wasn't much
> code; really it was creative merging of already written code, with some
> slight adaptation.
>
> I wish you all the best, and good luck with future installs, patches, and
> features.
> > -Justin Kreger, MCP MCSE & Nearly CCNA (Cisco is being a pain)
> jkreger at earthling.2y.net
>
----
Ralph Winslow

From tife.chan at adsociety.com Thu Mar 29 21:43:39 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Fri, 30 Mar 2001 11:43:39 +0800
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic

Hi all,

I found that passing SMB traffic through the pptp link is much slower than TCPIP. I have network A and network B and they are connected together with two linux servers using pptp. When I ftp a file from network A to network B, the speed is fine. But when I try to copy the same file from network A to network B through Windows Explorer, the speed is much, much slower.

Any idea?

Thanks.

Regards,
Tife Chan

From tife.chan at adsociety.com Fri Mar 30 00:08:50 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Fri, 30 Mar 2001 14:08:50 +0800
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
References: <200FAA488DE0D41194F10010B597610D0A6D5A@JUPITER>
Message-ID: <3AC422F2.8330E1A@adsociety.com>

Hi George,

I have already set the option "speed 115200" in pptpd.conf. And if I run pppstats to analyse the traffic, the IN/OUT shows that ftp is about 10 times faster than copying a file through smb.

Thanks.

Regards,
Tife

George Vieira wrote:
>
> try packet sniffing or use pppstats on linux if they are both on PPP
> devices..
>
> pppstats -c 1000000 -w 1 ppp1 # Eg.
>
> What have you set in the options file for "speed"
>
> put
>
> speed 115200
>
> in your options file and/or pptpd.conf file
>
> thanks,
> George Vieira
>
> -----Original Message-----
> From: Tife Chan [mailto:tife.chan at adsociety.com]
> Sent: Friday, March 30, 2001 1:44 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Performance difference between TCPIP and SMB
> traffic
>
> Hi all,
>
> I found that passing SMB traffic through the pptp link is much slower than
> TCPIP.
> I have network A and network B and they are connected together with two
> linux servers using pptp.
> When I ftp a file from network A to network B, the speed is fine.
> But when I try to copy the same file from network A to network B through
> Windows Explorer,
> the speed is much, much slower.
>
> Any idea?
>
> Thanks.
>
> Regards,
> Tife Chan

From tife.chan at adsociety.com Fri Mar 30 00:27:16 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Fri, 30 Mar 2001 14:27:16 +0800
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
References: <200FAA488DE0D41194F10010B597610D0A6D66@JUPITER>
Message-ID: <3AC42744.1248EE03@adsociety.com>

I tried to put a "speed" option in /etc/ppp/options, but when the linux client connects, the pppd on the server complains "Unregonized option "speed"".

Thanks,
Tife

George Vieira wrote:
>
> what about pppd? It may have something else there..???
> I usually remove most settings in pptpd.conf and use /etc/ppp/options to
> configure what I want...
>
> thanks,
> George Vieira
>
> -----Original Message-----
> From: Tife Chan [mailto:tife.chan at adsociety.com]
> Sent: Friday, March 30, 2001 4:09 PM
> To: George Vieira; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Perform difference between TCPIP and SMB
> traffic
>
> Hi George,
>
> I have already set the option "speed 115200" in pptpd.conf.
> And if I run pppstats to analyse the traffic, the IN/OUT shows that
> ftp is about 10 times faster than copying a file through smb.
>
> Thanks.
>
> Regards,
> Tife
>
> George Vieira wrote:
> >
> > try packet sniffing or use pppstats on linux if they are both on PPP
> > devices..
> >
> > pppstats -c 1000000 -w 1 ppp1 # Eg.
> >
> > What have you set in the options file for "speed"
> >
> > put
> >
> > speed 115200
> >
> > in your options file and/or pptpd.conf file
> >
> > thanks,
> > George Vieira
> >
> > -----Original Message-----
> > From: Tife Chan [mailto:tife.chan at adsociety.com]
> > Sent: Friday, March 30, 2001 1:44 PM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] Performance difference between TCPIP and SMB
> > traffic
> >
> > Hi all,
> >
> > I found that passing SMB traffic through the pptp link is much slower than
> > TCPIP.
> > I have network A and network B and they are connected together with two
> > linux servers using pptp.
> > When I ftp a file from network A to network B, the speed is fine.
> > But when I try to copy the same file from network A to network B through
> > Windows Explorer,
> > the speed is much, much slower.
> >
> > Any idea?
> >
> > Thanks.
> >
> > Regards,
> > Tife Chan
From tife.chan at adsociety.com Fri Mar 30 01:40:37 2001
From: tife.chan at adsociety.com (Tife Chan)
Date: Fri, 30 Mar 2001 15:40:37 +0800
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
In-Reply-To: <200FAA488DE0D41194F10010B597610D0A6D6A@JUPITER>

Sorry George, I'm confused :(
Which ppp options file should I modify? Client side or server side?

Thanks.
Tife

-----Original Message-----
From: George Vieira [mailto:GeorgeV at citadelcomputer.com.au]
Sent: Friday, March 30, 2001 2:32 PM
To: Tife Chan
Subject: RE: [pptp-server] Performance difference between TCPIP and SMB traffic

Sorry, sorry, my mistake... "speed" is replaced by the actual speed, e.g.

-detach
modem
115200    <----speed!!!

thanks,
George Vieira

-----Original Message-----
From: Tife Chan [mailto:tife.chan at adsociety.com]
Sent: Friday, March 30, 2001 4:27 PM
To: George Vieira; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] Performance difference between TCPIP and SMB traffic

I tried to put a "speed" option in /etc/ppp/options, but when the linux client connects, the pppd on the server complains "Unregonized option "speed"".

Thanks,
Tife

George Vieira wrote:
>
> what about pppd? It may have something else there..???
> I usually remove most settings in pptpd.conf and use /etc/ppp/options to
> configure what I want...
>
> thanks,
> George Vieira
>
> -----Original Message-----
> From: Tife Chan [mailto:tife.chan at adsociety.com]
> Sent: Friday, March 30, 2001 4:09 PM
> To: George Vieira; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Performance difference between TCPIP and SMB
> traffic
>
> Hi George,
>
> I have already set the option "speed 115200" in pptpd.conf.
> And if I run pppstats to analyse the traffic, the IN/OUT shows that
> ftp is about 10 times faster than copying a file through smb.
>
> Thanks.
>
> Regards,
> Tife
>
> George Vieira wrote:
> >
> > try packet sniffing or use pppstats on linux if they are both on PPP
> > devices..
> >
> > pppstats -c 1000000 -w 1 ppp1 # Eg.
> >
> > What have you set in the options file for "speed"
> >
> > put
> >
> > speed 115200
> >
> > in your options file and/or pptpd.conf file
> >
> > thanks,
> > George Vieira
> >
> > -----Original Message-----
> > From: Tife Chan [mailto:tife.chan at adsociety.com]
> > Sent: Friday, March 30, 2001 1:44 PM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] Performance difference between TCPIP and SMB
> > traffic
> >
> > Hi all,
> >
> > I found that passing SMB traffic through the pptp link is much slower than
> > TCPIP.
> > I have network A and network B and they are connected together with two
> > linux servers using pptp.
> > When I ftp a file from network A to network B, the speed is fine.
> > But when I try to copy the same file from network A to network B through
> > Windows Explorer,
> > the speed is much, much slower.
> >
> > Any idea?
> >
> > Thanks.
> >
> > Regards,
> > Tife Chan

From hatnet at free.fr Fri Mar 30 05:55:05 2001
From: hatnet at free.fr (hatim)
Date: Fri, 30 Mar 2001 13:55:05 +0200
Subject: [pptp-server] ip MAC address and PPTPd
References: <200FAA488DE0D41194F10010B597610D0A6D5A@JUPITER> <3AC422F2.8330E1A@adsociety.com>
Message-ID: <001801c0b910$42d7fb40$615829d5@hatimsf>

Hi all,

I'm running pptpd, and in /etc/pptpd.conf I have specified remoteip 192.168.1.234-238.
Is it possible to assign each IP to a specific MAC address? Like

192.168.1.234 LA:la:45d....
192.168.1.235 .....
thanks

hatim

From n.jouanin at regie-france.com Fri Mar 30 06:12:46 2001
From: n.jouanin at regie-france.com (Nicolas Jouanin)
Date: Fri, 30 Mar 2001 14:12:46 +0200
Subject: [pptp-server] VPN with WinME clients

Hi,

I managed to compile, install, and run pptpd on a Linux 2.4.1 box using the howto. Thanks.
But I still have a problem. I've got some WinME clients that can't connect to my VPN server whereas Win9x can without any problems. I've checked the connection parameters, they are the same. Is there an incompatibility between pptpd and Win ME?

From ralphw at cnet.com Fri Mar 30 07:13:32 2001
From: ralphw at cnet.com (Ralph Winslow)
Date: Fri, 30 Mar 2001 08:13:32 -0500 (EST)
Subject: [pptp-server] VPN with WinME clients

On Fri, 30 Mar 2001, Nicolas Jouanin wrote:

Which 2.4.1 howto was that? TIA

> Date: Fri, 30 Mar 2001 14:12:46 +0200
> From: Nicolas Jouanin
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] VPN with WinME clients
>
> Hi,
>
> I managed to compile, install, and run pptpd on a Linux 2.4.1 box using the
> howto. Thanks.
> But I still have a problem. I've got some WinME clients that can't connect
> to my VPN server whereas Win9x can without any problems. I've checked the
> connection parameters, they are the same. Is there an incompatibility between
> pptpd and Win ME?
>
----
Ralph Winslow          Operations/Support/Tools
(908)575-8567 x276

From n.jouanin at regie-france.eu.org Fri Mar 30 07:19:02 2001
From: n.jouanin at regie-france.eu.org (Nicolas Jouanin)
Date: Fri, 30 Mar 2001 15:19:02 +0200
Subject: [pptp-server] VPN with WinME clients

oohhh ..... A how-to that someone from this mailing-list has posted, .... but unfortunately I deleted the message from my mail archives ....

> -----Original Message-----
> From: Ralph Winslow [mailto:ralphw at cnet.com]
> Sent: Friday, March 30, 2001 3:14 PM
> To: Nicolas Jouanin
> Cc: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] VPN with WinME clients
>
>
> On Fri, 30 Mar 2001, Nicolas Jouanin wrote:
>
> Which 2.4.1 howto was that? TIA
>
> > Date: Fri, 30 Mar 2001 14:12:46 +0200
> > From: Nicolas Jouanin
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] VPN with WinME clients
> >
> > Hi,
> >
> > I managed to compile, install, and run pptpd on a Linux 2.4.1 box using the
> > howto. Thanks.
> > But I still have a problem. I've got some WinME clients that can't connect
> > to my VPN server whereas Win9x can without any problems. I've checked the
> > connection parameters, they are the same. Is there an incompatibility between
> > pptpd and Win ME?
> >
> ----
> Ralph Winslow          Operations/Support/Tools
> (908)575-8567 x276
>

From berzerke at swbell.net Fri Mar 30 09:06:51 2001
From: berzerke at swbell.net (robert)
Date: Fri, 30 Mar 2001 09:06:51 -0600
Subject: [pptp-server] Performance difference between TCPIP and SMB traffic
Message-ID: <01033009065100.08495@linux>

Understand that *some* slowness is normal. Think what has to happen to those little packets. (This order may be wrong..) First they are encrypted, then encapsulated, then the routing is changed, then they are sent over the wire, where the process is reversed. These changes take time, although not much for each packet. None of these steps occur with ftp, so there is less overhead. Now how much slowness is normal I don't know.
I'll have to do some tests myself and post the results here later.

On Thursday 29 March 2001 21:43, Tife Chan wrote:
> Hi all,
>
> I found that passing SMB traffic through the pptp link is much slower than
> TCPIP. I have network A and network B and they are connected together with
> two linux servers using pptp. When I ftp a file from network A to network B,
> the speed is fine.
> But when I try to copy the same file from network A to network B through
> Windows Explorer, the speed is much, much slower.
>
> Any idea?
>
> Thanks.
>
> Regards,
> Tife Chan

From berzerke at swbell.net Fri Mar 30 09:09:06 2001
From: berzerke at swbell.net (robert)
Date: Fri, 30 Mar 2001 09:09:06 -0600
Subject: [pptp-server] VPN with WinME clients
Message-ID: <01033009090601.08495@linux>

More help can be given if you post detailed error messages and perhaps your conf files. It could be something as simple as a mistyped configuration line.

On Friday 30 March 2001 06:12, Nicolas Jouanin wrote:
> Hi,
>
> I managed to compile, install, and run pptpd on a Linux 2.4.1 box using the
> howto. Thanks.
> But I still have a problem. I've got some WinME clients that can't connect
> to my VPN server whereas Win9x can without any problems. I've checked the
> connection parameters, they are the same. Is there an incompatibility between
> pptpd and Win ME?
>

From anesthes at cisdi.com Fri Mar 30 16:48:07 2001
From: anesthes at cisdi.com (Joey Coco)
Date: Fri, 30 Mar 2001 17:48:07 -0500 (EST)
Subject: [pptp-server] ip MAC address and PPTPd
In-Reply-To: <001801c0b910$42d7fb40$615829d5@hatimsf>

Hi,

That would be an interesting feature. You can specify IP based on chap username. That's how I get my end nodes over public cable links to connect to a central location.

-- Joe

On Fri, 30 Mar 2001, hatim wrote:

> Hi all
> I'm running pptpd
> and in /etc/pptpd.conf I have specified remoteip 192.168.1.234-238
> Is it possible to assign each IP to a specific MAC address? Like
> 192.168.1.234 LA:la:45d....
> 192.168.1.235 .....
>
> thanks
>
> hatim
>

"I'd like to think that everything is beautiful, and I'd like to think that everything is fair. I'd like to think that everything is plentiful, and I'd like to think that everybody cares. We'd like to thank you.."
http://members.cisdi.com/~anesthes/ -=- IM: imd3fc0n
Creative Illusions Software Design, Inc.

From kgarner at kgarner.com Fri Mar 30 18:55:20 2001
From: kgarner at kgarner.com (Keith T. Garner)
Date: Fri, 30 Mar 2001 18:55:20 -0600
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
Message-ID: <20010330185520.B31233@nickel.kgarner.com>

I just set up and got running pptpd 1.2.2 on a machine with the 2.4.2 kernel. I followed the HOWTO at http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt. It was a great amount of help, thanks to whomever threw it together.

After digging through the past two months' worth of archives on this mailing list, it looks like I've hit what has become a common problem.

Using win2k with encryption off, it works flawlessly. Packets go back and forth with ease, giving me access to our private networks.

However, using win2k as a client against the server with encryption on (128 bit stateless) all packets between ppp0 on the server and the win2k client seem to just disappear into the void. As others have said, packets appear to be going over the line thanks to the blinky lights on win2k, and I do see "ACCEPTS" being matched in the iptables.
I just wanted to toss out that "yes, this is a real problem, and it appears to be an issue with mppe and win2k." I haven't had a chance to test it with other clients yet, and I plan on doing it either this weekend or on Monday.

Actually, my coworker had a win98 box up that I could test with quickly. Doing both encrypted and non-encrypted connections, the win98 box can connect and work flawlessly as a pptp client.

So, to sum up, win98 works well both encrypted and nonencrypted. win2k only works well unencrypted. Adding more logs to the fire of "win2k isn't working encrypted with the stone soup in the subject."

Anything I can do to help, send logs to the list or whatever, let me know. (I'm too mentally fried this week to dig into it further at this point.)

Keith

--
Keith T. Garner                              kgarner at kgarner.com
The Net Squad, Internet Solutions Architect  garner at thenetsquad.com
"Yea though I walk through the valley of point-and-click, I will fear no
command line: for UNIX art with me; thy kernel and thy shell they comfort me."

From berzerke at swbell.net Fri Mar 30 20:00:54 2001
From: berzerke at swbell.net (robert)
Date: Fri, 30 Mar 2001 20:00:54 -0600
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: <20010330185520.B31233@nickel.kgarner.com>
References: <20010330185520.B31233@nickel.kgarner.com>
Message-ID: <01033020005400.10542@linux>

Has anyone gotten W2K with encryption working on a pptpd setup running 2.2 kernel series and/or pppd 2.3 series?

To answer your question, the setup works fine with both windows 98 and 95 clients. I don't have access to w2k or me clients to test.

Out of curiosity, is the w2k using NAT? According to M$: If the Virtual Private Network (VPN) client is behind any network device performing Network Address Translation (NAT), the L2TP session fails because encrypted IPSec Encapsulating Security Payload (ESP) packets become corrupted.

The problem *seems* to be w2k, not pptpd. I know M$ purposely created incompatibilities with bind and kerbos (sp?). I wonder if we have hit upon another incompatibility...or a bug????

On Friday 30 March 2001 18:55, Keith T. Garner wrote:
> I just set up and got running pptpd 1.2.2 on a
> machine with the 2.4.2 kernel. I followed the HOWTO at
> http://home.swbell.net/berzerke/2.4_Kernel_PPTPD-HOWTO.txt. It was a
> great amount of help, thanks to whomever threw it together.
>
> After digging through the past two months' worth of archives on this
> mailing list, it looks like I've hit what has become a common problem.
>
> Using win2k with encryption off, it works flawlessly. Packets go back
> and forth with ease, giving me access to our private networks.
>
> However, using win2k as a client against the server with encryption on
> (128 bit stateless) all packets between ppp0 on the server and the
> win2k client seem to just disappear into the void. As others have said,
> packets appear to be going over the line thanks to the blinky lights
> on win2k, and I do see "ACCEPTS" being matched in the iptables.
>
> I just wanted to toss out that "yes, this is a real problem, and it
> appears to be an issue with mppe and win2k." I haven't had a chance
> to test it with other clients yet, and I plan on doing it either this
> weekend or on Monday.
>
> Actually, my coworker had a win98 box up that I could test with quickly.
> Doing both encrypted and non-encrypted connections, the win98 box can
> connect and work flawlessly as a pptp client.
>
> So, to sum up, win98 works well both encrypted and nonencrypted.
> win2k only works well unencrypted. Adding more logs to the fire of
> "win2k isn't working encrypted with the stone soup in the subject."
>
> Anything I can do to help, send logs to the list or whatever, let me know.
> (I'm too mentally fried this week to dig into it further at this point.)
>
> Keith

From teastep at seattlefirewall.dyndns.org Fri Mar 30 20:33:59 2001
From: teastep at seattlefirewall.dyndns.org (Tom Eastep)
Date: Fri, 30 Mar 2001 18:33:59 -0800 (PST)
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: <01033020005400.10542@linux>

Robert,

Thus spoke robert:

> Has anyone gotten W2K with encryption working on a pptpd setup running 2.2
> kernel series and/or pppd 2.3 series?
>
> To answer your question, the setup works fine with both windows 98 and 95
> clients. I don't have access to w2k or me clients to test.
>
> Out of curiosity, is the w2k using NAT? According to M$: If the Virtual
> Private Network (VPN) client is behind any network device performing Network
> Address Translation (NAT), the L2TP session fails because encrypted IPSec
> Encapsulating Security Payload (ESP) packets become corrupted.
>

That's an acknowledged limitation with IPSEC/ESP and NAT. See John Hardin's VPN MASQ site (http://www.impsec.org/linux/masquerade/ip_masq_vpn.html). It has to do with the ESP checksum including not only the payload but also the IP header; rewriting the header (NAT) makes it impossible to generate the correct checksum since that checksum is generated prior to encryption. That is not an M$-specific issue and it can be worked around by terminating the IPSec tunnel on your Linux Gateway rather than on a masqueraded system behind that gateway.

> The problem *seems* to be w2k, not pptpd. I know M$ purposely created
> incompatibilities with bind and kerbos (sp?). I wonder if we have hit upon
> another incompatibility...or a bug????
>

Regarding PPTP (as opposed to IPSEC), the problem we're all seeing does seem to be Win2k-specific. I've drawn my own conclusions...

-Tom
--
Tom Eastep                     \ Alt Email: tom at seattlefirewall.dyndns.org
ICQ #60745924                  \ Websites: http://seawall.sourceforge.net
teastep at evergo.net            \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA      \ http://shorewall.sourceforge.net
                                \_________________________________________

From charlieb at e-smith.com Fri Mar 30 21:08:53 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Fri, 30 Mar 2001 22:08:53 -0500 (EST)
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: <01033020005400.10542@linux>

On Fri, 30 Mar 2001, robert wrote:

> Has anyone gotten W2K with encryption working on a pptpd setup running 2.2
> kernel series and/or pppd 2.3 series?
>
> To answer your question, the setup works fine with both windows 98 and 95
> clients. I don't have access to w2k or me clients to test.
>
> Out of curiosity, is the w2k using NAT? According to M$: If the Virtual
> Private Network (VPN) client is behind any network device performing Network
> Address Translation (NAT), the L2TP session fails because encrypted IPSec
> Encapsulating Security Payload (ESP) packets become corrupted.

Perhaps they mean that Authentication Header (AH) packets include an IP component in the hash, and can't be masqueraded. AH packets are another type of IP packet, as are GRE (used by PPTP) and ESP. AH and ESP are part of the IPSec architecture, and may be used by IPSec clients. They could also be wrapped around GRE packets, I guess.

Are you sure that the M$ posting concerned PPTP VPN, and not IPSEC?

Charlie Brady                         charlieb at e-smith.com
http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From kgarner at kgarner.com Fri Mar 30 23:05:51 2001
From: kgarner at kgarner.com (Keith T.
Garner)
Date: Fri, 30 Mar 2001 23:05:51 -0600
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: ; from charlieb@e-smith.com on Fri, Mar 30, 2001 at 10:08:53PM -0500
References: <01033020005400.10542@linux>
Message-ID: <20010330230551.A31898@nickel.kgarner.com>

For the record, in the case of my experiments I was doing earlier today, the win2k box was not behind any type of firewall. Nothing should have been blocking any packets.

Keith

--
Keith T. Garner                              kgarner at kgarner.com
The Net Squad, Internet Solutions Architect  garner at thenetsquad.com

From kgarner at kgarner.com Fri Mar 30 23:12:07 2001
From: kgarner at kgarner.com (Keith T. Garner)
Date: Fri, 30 Mar 2001 23:12:07 -0600
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: ; from charlieb@e-smith.com on Fri, Mar 30, 2001 at 10:08:53PM -0500
References: <01033020005400.10542@linux>
Message-ID: <20010330231207.A31952@nickel.kgarner.com>

On Fri, Mar 30, 2001 at 10:08:53, Charlie Brady said:
> Are you sure that the M$ posting concerned PPTP VPN, and not IPSEC?

Yep, I made sure I was doing straight PPTP. In fact, I played with the options in the win2k client software to make sure that was the only thing that could be done.

Keith

--
Keith T. Garner                              kgarner at kgarner.com
The Net Squad, Internet Solutions Architect  garner at thenetsquad.com

From charlieb at e-smith.com Sat Mar 31 08:25:59 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Sat, 31 Mar 2001 09:25:59 -0500 (EST)
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
In-Reply-To: <20010330231207.A31952@nickel.kgarner.com>

On Fri, 30 Mar 2001, Keith T. Garner wrote:

> On Fri, Mar 30, 2001 at 10:08:53, Charlie Brady said:
> > Are you sure that the M$ posting concerned PPTP VPN, and not IPSEC?
>
> Yep, I made sure I was doing straight PPTP. In fact, I played with
> the options in the win2k client software to make sure that was the only
> thing that could be done.

My question concerned not what you were doing, but the relevance of the posting from Microsoft's website. If you were doing PPTP, then ESP (and anything Microsoft says about it) has nothing to do with it. If I'm not seriously mistaken, that is.

Charlie Brady                         charlieb at e-smith.com
http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From berzerke at swbell.net Sat Mar 31 11:10:44 2001
From: berzerke at swbell.net (robert)
Date: Sat, 31 Mar 2001 11:10:44 -0600
Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2
Message-ID: <0GB200MB2NLS5O@mta5.rcsntx.swbell.net>

On Friday 30 March 2001 21:08, Charlie Brady wrote:
> On Fri, 30 Mar 2001, robert wrote:
> > Has anyone gotten W2K with encryption working on a pptpd setup running
> > 2.2 kernel series and/or pppd 2.3 series?
> >
> > To answer your question, the setup works fine with both windows 98 and 95
> > clients. I don't have access to w2k or me clients to test.
> >
> > Out of curiosity, is the w2k using NAT? According to M$: If the Virtual
> > Private Network (VPN) client is behind any network device performing
> > Network Address Translation (NAT), the L2TP session fails because
> > encrypted IPSec Encapsulating Security Payload (ESP) packets become
> > corrupted.
>
> Perhaps they mean that Authentication Header (AH) packets include an IP
> component in the hash, and can't be masqueraded.
AH packets are another > type of IP packet, as are GRE (used by PPTP) and ESP. AH and ESP are part > of the IPSec architecture, and may be used by IPSec clients. They could > also be wrapped around GRE packets, I guess. > > Are you use that the M$ posting concerned PPTP VPN, and not IPSEC? > > Charlie Brady charlieb at e-smith.com Probably yes. However, since noone seems to know how to fix the problem, I figured I take a shot or two into the dark. Sometimes you get lucky ;) In any case, since IPSec and PPTP serve pretty much the same purpose, a solution to a problem with one *MIGHT* be a solution to the other. From ctresco at mit.edu Sat Mar 31 11:31:03 2001 From: ctresco at mit.edu (Christopher Tresco) Date: Sat, 31 Mar 2001 12:31:03 -0500 Subject: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2 In-Reply-To: <0GB200MB2NLS5O@mta5.rcsntx.swbell.net> Message-ID: I'm having the exact same problem. All clients work except Win2K, which completely sucks since that is all I use. There must be a work around that doesn't involve losing the encryption. My pptpd server is right out infront, not behind any NATing firewall....although the boxes I am accessing through the tunnel are using behind a MASQing firewall. Should matter really, since all the VPN routing is done in the internal interfaces. ^_^_^_^_^_^_^_^_^_^_^_^ Christopher Tresco Head Systems Administrator MIT Dept of Economics ctresco at mit.edu -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of robert Sent: Saturday, March 31, 2001 12:11 PM To: Charlie Brady Cc: Keith T. 
Garner; pptp-server at lists.schulte.org Subject: Re: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux 2.4.2 ?= MIME-Version: 1.0 Message-Id: <01033111104400.11294 at linux> Content-Transfer-Encoding: 8bit On Friday 30 March 2001 21:08, Charlie Brady wrote: > On Fri, 30 Mar 2001, robert wrote: > > Has anyone gotten W2K with encryption working on a pptpd setup running > > 2.2 kernel series and/or pppd 2.3 series? > > > > To answer your question, the setup works fine with both windows 98 and 95 > > clients. I don't have access to w2k or me clients to test. > > > > Out of curiosity, is the w2k using NAT? According to M$: If the Virtual > > Private Network (VPN) client is behind any network device performing > > Network Address Translation (NAT), the L2TP session fails because > > encrypted IPSec Encapsulating Security Payload (ESP) packets become > > corrupted. > > Perhaps they mean that Authentication Header (AH) packets include an IP > component in the hash, and can't be masqueraded. AH packets are another > type of IP packet, as are GRE (used by PPTP) and ESP. AH and ESP are part > of the IPSec architecture, and may be used by IPSec clients. They could > also be wrapped around GRE packets, I guess. > > Are you use that the M$ posting concerned PPTP VPN, and not IPSEC? > > Charlie Brady charlieb at e-smith.com Probably yes. However, since noone seems to know how to fix the problem, I figured I take a shot or two into the dark. Sometimes you get lucky ;) In any case, since IPSec and PPTP serve pretty much the same purpose, a solution to a problem with one *MIGHT* be a solution to the other. _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server List services provided by www.schulteconsulting.com! 
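Charlie's AH remark quoted above (the integrity hash covers the IP addresses, so a masquerading box that rewrites the source address breaks it) modelled as an added example, not code from anyone in this thread: a simplified IPv4 packet, an AH-style ICV with the RFC 2402 mutable-field zeroing, an ESP-style ICV over the payload only, and a NAT rewrite. HMAC-SHA256 with 96-bit truncation, the key, the addresses and the payload are constructed assumptions, not values from the thread.

```python
import hmac
import hashlib
import struct
import ipaddress
from dataclasses import dataclass, replace

# Constructed demo key; a real SA gets its key from IKE or manual keying.
KEY = b"constructed-demo-key-not-for-real-use"

@dataclass(frozen=True)
class Packet:
    """Minimal IPv4 datagram model: only the fields the integrity checks touch."""
    src: str
    dst: str
    proto: int      # 51 = AH, 50 = ESP, 47 = GRE (PPTP data channel)
    ttl: int
    payload: bytes

def ah_icv(pkt: Packet) -> bytes:
    """AH ICV (RFC 2402): keyed hash over the IP header with mutable fields
    (TOS, flags/fragment offset, TTL, checksum) zeroed, then the payload.
    Source and destination addresses are immutable, so they ARE covered."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(pkt.payload), 0, 0,  # ver/ihl, TOS=0, len, id, flags/frag=0
        0, pkt.proto, 0,                       # TTL=0, protocol, checksum=0
        ipaddress.IPv4Address(pkt.src).packed,
        ipaddress.IPv4Address(pkt.dst).packed)
    return hmac.new(KEY, header + pkt.payload, hashlib.sha256).digest()[:12]

def esp_icv(pkt: Packet) -> bytes:
    """ESP ICV (RFC 2406) covers the ESP header and payload only, never the
    outer IP addresses, so an address rewrite alone does not invalidate it."""
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()[:12]

def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """What a masquerading router does on the way out: new source address,
    TTL decremented. It holds no SA key, so it cannot recompute an ICV."""
    return replace(pkt, src=new_src, ttl=pkt.ttl - 1)

def survives_nat(icv_fn, pkt: Packet, public_ip: str) -> bool:
    """True if the VPN server's recomputed ICV still matches after NAT."""
    sent_icv = icv_fn(pkt)                    # computed by the client
    received = nat_rewrite(pkt, public_ip)    # what the server actually sees
    return hmac.compare_digest(sent_icv, icv_fn(received))

# Constructed sample: RFC 1918 client behind a masquerading box.
CLIENT = Packet("192.168.1.10", "203.0.113.5", 51, 64, b"tunnelled ppp frame")
```

`survives_nat(ah_icv, CLIENT, "198.51.100.7")` is False while the ESP variant is True; whether a NAT can map a port-less ESP or GRE flow at all is a separate problem the example does not cover.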
From berzerke at swbell.net Sat Mar 31 17:46:53 2001
From: berzerke at swbell.net (robert)
Date: Sat, 31 Mar 2001 17:46:53 -0600
Subject: [pptp-server] win2k, pptpd 1.1.2, pppd 2.4.0 and Linux 2.4.2
Message-ID: <01033117465301.12576@linux>

Could someone try the pptpd 1.01 version rather than 1.1.2 and see if that
fixes the problem?

On Saturday 31 March 2001 11:31, Christopher Tresco wrote:
> I'm having the exact same problem. All clients work except Win2K, which
> completely sucks since that is all I use. There must be a workaround that
> doesn't involve losing the encryption.
>
> My pptpd server is right out in front, not behind any NATing
> firewall....although the boxes I am accessing through the tunnel are
> behind a MASQing firewall. Should matter really, since all the VPN routing
> is done in the internal interfaces.
>
>
> ^_^_^_^_^_^_^_^_^_^_^_^
>
> Christopher Tresco
> Head Systems Administrator
> MIT Dept of Economics
> ctresco at mit.edu
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of robert
> Sent: Saturday, March 31, 2001 12:11 PM
> To: Charlie Brady
> Cc: Keith T. Garner; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] win2k, pptpd 1.2.2, pppd 2.4.0 and Linux
> 2.4.2
>
> On Friday 30 March 2001 21:08, Charlie Brady wrote:
> > On Fri, 30 Mar 2001, robert wrote:
> > > Has anyone gotten W2K with encryption working on a pptpd setup running
> > > 2.2 kernel series and/or pppd 2.3 series?
> > >
> > > To answer your question, the setup works fine with both windows 98 and
> > > 95 clients. I don't have access to w2k or me clients to test.
> > >
> > > Out of curiosity, is the w2k using NAT? According to M$: If the
> > > Virtual Private Network (VPN) client is behind any network device
> > > performing Network Address Translation (NAT), the L2TP session fails
> > > because encrypted IPSec Encapsulating Security Payload (ESP) packets
> > > become corrupted.
> >
> > Perhaps they mean that Authentication Header (AH) packets include an IP
> > component in the hash, and can't be masqueraded. AH packets are another
> > type of IP packet, as are GRE (used by PPTP) and ESP. AH and ESP are part
> > of the IPSec architecture, and may be used by IPSec clients. They could
> > also be wrapped around GRE packets, I guess.
> >
> > Are you sure that the M$ posting concerned PPTP VPN, and not IPSEC?
> >
> > Charlie Brady charlieb at e-smith.com
>
> Probably yes. However, since no one seems to know how to fix the problem, I
> figured I'd take a shot or two into the dark. Sometimes you get lucky ;) In
> any case, since IPSec and PPTP serve pretty much the same purpose, a
> solution to a problem with one *MIGHT* be a solution to the other.

From jam at McQuil.com Sat Mar 31 23:35:03 2001
From: jam at McQuil.com (Jim McQuillan)
Date: Sun, 01 Apr 2001 00:35:03 -0500
Subject: [pptp-server] Looking for the 128-bit Win98 patch
Message-ID: <3AC6BE07.68F1B573@McQuil.com>

I'm looking for the 128-bit encryption patch for Win98.

I followed the link in the instructions to go to
http://support.microsoft.com/Support/NTServer/128Eula.asp

There is a message saying that it has been pulled, and will return
'Shortly'.

Anybody have another link?

Thanks,
Jim McQuillan
jam at ltsp.org