From forever at klub.chip.pl Mon Oct 1 03:00:58 2001
From: forever at klub.chip.pl (ForeveR)
Date: Mon, 01 Oct 2001 10:00:58 +0200
Subject: [pptp-server] MSCHAPV2 patch to newer versions of ppp?
References:
Message-ID: <3BB822BA.2080503@klub.chip.pl>

I just wanted to ask if somebody plans to update the patch?

--
_4ever_

From paul at bsdc.ca Mon Oct 1 04:39:59 2001
From: paul at bsdc.ca (Paul Reed)
Date: Mon, 1 Oct 2001 05:39:59 -0400
Subject: [pptp-server] PPP MPPE compression module unregistered
Message-ID: <000e01c14a5d$09d4cec0$1c00a8c0@omega>

Snipped from my 'dmesg':
-----
PPP generic driver version 2.4.1
PPP BSD Compression module registered
PPP MPPE compression module registered
PPP MPPE compression module unregistered
-----

ok, so why does it appear to immediately unload after loading??? if i 'insmod ppp_mppe' it later, it works just fine ... i just want to know the right way to fix this.

here is my modules.conf ...
-------
alias ppp-compress-18 ppp_mpe
alias /dev/ppp ppp_generic
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
-----

Help is greatly appreciated ...

Thanks,
Paul.

From kyleh at istorm.ca Mon Oct 1 07:52:41 2001
From: kyleh at istorm.ca (Kyle Hodgson)
Date: Mon, 1 Oct 2001 08:52:41 -0400
Subject: [pptp-server] PPTP as WEP replacement
Message-ID:

In an environment where one doesn't care about tracking individual users, and where one doesn't care about users having access to the same resources at the other end of a tunnel- is it safe to give them all the same vpn username and password?

Is it safe is too vague. What I mean is, if I give 100 people the same username and password, will they be able to easily snoop each other's connections once a tunnel is established?
What I'm trying to do is replace the badly broken WEP protocol in a wireless network. I don't mind that everyone can get access to the tunnel, no problem. The only thing on the other end of the tunnel is a DSL connection, one that they could access normally. If I could introduce a reasonable deterrent (better than WEP) against eavesdropping just by installing pptp and having everyone use the same username and password, that would solve certain management issues.

Kyle Hodgson
Istorm New Media

From Josh.Howlett at bristol.ac.uk Mon Oct 1 08:01:03 2001
From: Josh.Howlett at bristol.ac.uk (Josh Howlett)
Date: Mon, 1 Oct 2001 14:01:03 +0100 (BST)
Subject: [pptp-server] PPTP as WEP replacement
In-Reply-To:
Message-ID:

MS-CHAP-v2 which is used to authenticate for PPTP is vulnerable to a dictionary attack. Use a random alphanumeric password.

josh.

On Mon, 1 Oct 2001, Kyle Hodgson wrote:

> In an environment where one doesn't care about tracking individual users,
> and where one doesn't care about users having access to the same resources
> at the other end of a tunnel- is it safe to give them all the same vpn
> username and password?
>
> Is it safe is too vague. What I mean is, if I give 100 people the same
> username and password, will they be able to easily snoop each other's
> connections once a tunnel is established?
>
> What I'm trying to do is replace the badly broken WEP protocol in a wireless
> network. I don't mind that everyone can get access to the tunnel, no
> problem. The only thing on the other end of the tunnel is a DSL connection,
> one that they could access normally. If I could introduce a reasonable
> deterrent (better than WEP) against eavesdropping just by installing pptp
> and having everyone use the same username and password, that would solve
> certain management issues.
>
> Kyle Hodgson
> Istorm New Media
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line. --
>

---------------------------------------
Josh Howlett, Network Supervisor,
Networking & Digital Communications,
Information Systems & Computing,
University of Bristol, U.K.
0117 928 7850 | josh.howlett at bris.ac.uk
---------------------------------------

From mattgav at tempo.com.au Mon Oct 1 22:42:43 2001
From: mattgav at tempo.com.au (Matthew Gavin)
Date: Tue, 2 Oct 2001 13:42:43 +1000
Subject: [pptp-server] Windows 2000 PoPToP connection problems...
Message-ID:

Hi all,

I have a PoPToP (1.0.1-1) server running on a Red Hat 7.1 server. It has been functional for over two years now, I have dozens of Windows NT4/9x PC's successfully connecting daily. But, I am having great difficulty getting a Windows 2000 Professional client to connect. I have checked the FAQ and done a search on the web... with little more than frustration. Can you please help me?

~

Once connected, I can ping the PoPToP Server address 203.x.x.x but when I try to ping my intranet or anything internally 10.x.x.x all I get is Request timed out. Now I know that the IP Address on my LAN Adapter cannot be anything close to the IP Address assigned by PoPToP and I always change it...

System Details:
Red Hat 7.1
ppp-2.4.0-3mpp
2.4.2-3 #1 SMP Kernel

I can successfully connect:

CTRL: Client 203.x.x.x control connection started
CTRL: Starting call (launching pppd, opening GRE)
pppd 2.4.0 started by root, uid 0
Using interface ppp0
Connect: ppp0 <--> /dev/pts/6
GRE: Discarding duplicate packet
CTRL: Ignored a SET LINK INFO packet with real ACCMs!
MSCHAP-v2 peer authentication succeeded for homer
found interface eth0 for proxy arp
local IP address 203.41.208.130
remote IP address 203.41.208.192
MPPE 128 bit, stateless compression enabled
MPPE 128 bit, stateless compression enabled

my /etc/ppp/options.pptp file looks like this:

auth
debug
lock
mtu 1490
mru 1490
proxyarp
name poptop
+chap
+chapms
+chapms-v2
ms-dns 10.x.x.x
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-40
mppe-128
mppe-stateless

Any help would be much appreciated, surely this is a common problem or someone has had a similar experience?

Regards,
Matt.

From charlieb at e-smith.com Mon Oct 1 22:51:41 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Mon, 1 Oct 2001 23:51:41 -0400 (EDT)
Subject: [pptp-server] Windows 2000 PoPToP connection problems...
In-Reply-To:
Message-ID:

On Tue, 2 Oct 2001, Matthew Gavin wrote:

> I have a PoPToP (1.0.1-1) server running on a Red Hat 7.1 server. It has

1.1.2 is widely recommended. It copes much better than 1.0.x with packet loss or out of order delivery of packets (both of which are unavoidable on the Internet).

> been functional for over two years now, I have dozens of Windows NT4/9x PC's
> successfully connecting daily. But, I am having great difficulty getting a
> Windows 2000 Professional client to connect. I have checked the FAQ and done
> a search on the web... with little more than frustration. Can you please
> help me?
>
> ~
>
> Once connected, I can ping the PoPToP Server address 203.x.x.x but when I
> try to ping my intranet or anything internally 10.x.x.x all I get is Request
> timed out.

Have you checked that there is no firewalling in your Windows 2000 Pro box?

> Now I know that the IP Address on my LAN Adapter cannot be
> anything close to the IP Address assigned by PoPToP and I always change
> it...

I don't understand what you are saying here.
Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From neale at lowendale.com.au Tue Oct 2 00:13:36 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Tue, 2 Oct 2001 15:13:36 +1000 (EST)
Subject: [pptp-server] silent pppd death in LCP negs
Message-ID:

I built a patched ppp for my Debian potato system, without too much trouble, using the 2.3.11 patches from http://miror.binarix.com/ppp-mppe

However, on trying to connect to a Win2k "server" with Linux pptp client, pppd dies like this:

Oct 2 12:48:13 gull pppd[672]: sent [LCP ConfReq id=0x1 ]
Oct 2 12:48:13 gull pppd[672]: Timeout 0x80519ec:0x80840c0 in 3 seconds.
Oct 2 12:48:15 gull pppd[672]: rcvd [LCP ConfReq id=0x0 < 11 04 06 4e> < 13 17 01 de cb 9e 46 b1 73 49 6d bb 70 9a 55 60 b7 57 7d 00 00 00 00> < 17 04 01 fd>]

That's all it says {:-(

Yes, I am passing "debug" as a ppp option.

Yes, if I use the stock pppd and the Win2k machine has "require encryption" turned off then things work just fine.

Any ideas on how to coax a "Good Error Message" out of this?

Thanks,
Neale.

From MarekButas at seznam.cz Tue Oct 2 03:04:03 2001
From: MarekButas at seznam.cz (Marek Butas)
Date: Tue, 02 Oct 2001 10:04:03 +0200 (CEST)
Subject: [pptp-server] NETBIOS is not supported?
Message-ID: <13223.11838-3779-1377933965-1002009843@seznam.cz>

Hi,

I'm trying to set VPN using PoPToP. After few tries I got this message in the logs ...

Unsupported protocol 'NETBIOS Framing Control Protocol' received.

Is this correct or do I have some errors in the configuration?
I'm using RH 7.1 and my /etc/ppp/options contains

lock
debug
auth
+chap
proxyarp
ms-wins=10.0.1.2

I tried to find what this error message means, but I was not successful.
So before I go into deeper analysis, I would like to know if this protocol is supported or not.

Thanks a lot

MB

______________________________________________________________________
Free web pages at http://www.sweb.cz

From neale at lowendale.com.au Tue Oct 2 04:00:36 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Tue, 2 Oct 2001 19:00:36 +1000 (EST)
Subject: [pptp-server] Fatal Signal 11 (was: silent pppd death in LCP negs)
In-Reply-To:
Message-ID:

On Tue, 2 Oct 2001, Neale Banks wrote:
>
> I built a patched ppp for my Debian potato system, without too much
> trouble, using the 2.3.11 patches from http://miror.binarix.com/ppp-mppe
>
> However, on trying to connect to a Win2k "server" with Linux pptp client,
> pppd dies like this:

Looking in syslog (which, surprisingly, has more information than debug) I find:

Oct 2 18:36:05 gull pppd[2258]: Connect: ppp0 <--> /dev/pts/0
Oct 2 18:36:05 gull pppd[2258]: sent [LCP ConfReq id=0x1 ]
Oct 2 18:36:05 gull pppd[2258]: Timeout 0x80519ec:0x80840c0 in 3 seconds.
Oct 2 18:36:07 gull pppd[2258]: rcvd [LCP ConfReq id=0x0 < 11 04 06 4e> < 13 17 01 de cb 9e 46 b1 73 49 6d bb 70 9a 55 60 b7 57 7d 00 00 00 00> < 17 04 02 0a>]
Oct 2 18:36:07 gull pppd[2258]: Fatal signal 11
Oct 2 18:36:08 gull pppd[2258]: Exit.

Which isn't very comforting, but at least could be a lead on where the problem might be.

Any ideas on how to track this critter down?

Thanks,
Neale.

From tim at tim.brody.btinternet.co.uk Tue Oct 2 06:12:05 2001
From: tim at tim.brody.btinternet.co.uk (Tim Brody)
Date: Tue, 2 Oct 2001 12:12:05 +0100
Subject: [pptp-server] Trouble with MASQ, maybe
Message-ID: <001501c14b33$11c14a60$0100a8c0@Advocate>

I hope someone can help as this is beginning to go beyond annoying! :-)

I am trying to establish a pptp connection to my Linux box (running pptpd) on an ADSL line from a Win2k box (both with real IPs).
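The `< 11 04 06 4e> < 13 17 ...> < 17 04 02 0a>` fragments in Neale Banks's two traces above are the LCP options pppd printed as raw hex because it did not recognise them. The decoder below is an added example, not code from the list or from pppd: it parses the type/length/value layout of LCP Configure-Request options (RFC 1661 plus the multilink and BACP option numbers), with the bytes from Neale's second trace as sample input and, for the later 1490/1500 MRU question, two constructed MRU options. The option-name table and the endpoint-discriminator class names are my own lookup tables.

```python
"""Decode LCP option bytes as pppd logs them for options it does not
recognise. Added example, not list or pppd code; the option-name and
endpoint-class tables are lookup tables built for this example."""
import struct

# LCP option types from RFC 1661 and the multilink (RFC 1990) / BACP (RFC 2125) extensions.
OPTION_NAMES = {
    1: "MRU", 2: "ACCM", 3: "Authentication-Protocol", 4: "Quality-Protocol",
    5: "Magic-Number", 7: "PFC", 8: "ACFC", 13: "Callback",
    17: "MRRU", 18: "Short-Sequence-Number-Header",
    19: "Endpoint-Discriminator", 23: "Link-Discriminator",
}
ENDPOINT_CLASSES = {0: "null", 1: "locally-assigned", 2: "IPv4",
                    3: "IEEE-802.1-MAC", 4: "magic-number-block", 5: "PSNDN"}


def decode_value(opt_type, payload):
    """Interpret the payload of the few option types whose layout is fixed."""
    if opt_type in (1, 17) and len(payload) == 2:      # MRU / MRRU: 16-bit octet count
        return struct.unpack("!H", payload)[0]
    if opt_type == 19 and payload:                     # class byte followed by address
        cls = ENDPOINT_CLASSES.get(payload[0], f"class-{payload[0]}")
        return (cls, payload[1:].hex())
    if opt_type == 23 and len(payload) == 2:           # BACP link discriminator
        return struct.unpack("!H", payload)[0]
    return payload.hex()


def parse_lcp_options(data):
    """Split a run of TLV-encoded LCP options into (type, name, value) tuples.
    A truncated or malformed option raises ValueError, so a bad peer packet is
    reported rather than silently misread."""
    out = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = data[i], data[i + 1]
        if opt_len < 2 or i + opt_len > len(data):
            raise ValueError(f"bad length {opt_len} for option type {opt_type}")
        payload = data[i + 2:i + opt_len]
        out.append((opt_type, OPTION_NAMES.get(opt_type, "unknown"),
                    decode_value(opt_type, payload)))
        i += opt_len
    return out


def hexdump_to_bytes(text):
    """Turn pppd's '< 11 04 06 4e> < 13 17 ...>' fragments into bytes."""
    return bytes(int(tok, 16) for tok in text.replace("<", " ").replace(">", " ").split())


# Unrecognised options from the Win2k Configure-Request in the trace above.
WIN2K_UNKNOWN_OPTS = ("< 11 04 06 4e> < 13 17 01 de cb 9e 46 b1 73 49 6d bb 70 9a 55 60 b7 57 7d"
                      " 00 00 00 00> < 17 04 02 0a>")
# Constructed: the MRU option pppd sends for 'mru 1490' and the 1500 a peer
# could answer with in a Configure-Nak.
MRU_1490 = bytes.fromhex("010405d2")
MRU_1500 = bytes.fromhex("010405dc")

if __name__ == "__main__":
    for opt_type, name, value in parse_lcp_options(hexdump_to_bytes(WIN2K_UNKNOWN_OPTS)):
        print(f"type {opt_type:2d} {name:28s} {value}")
    print(parse_lcp_options(MRU_1490 + MRU_1500))
```

Run on the trace it shows the peer asking for a multilink MRRU of 1614, a locally-assigned endpoint discriminator and a BACP link discriminator; none of these is the Callback option whose handling the later "Solved" message patches, which is consistent with that option having been among the options pppd did recognise.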
I am receiving the error listed in the FAQ 7.3.5.:

Get
"pptpd[24120]: GRE: read(fd=5,buffer=804d9c0,len=8196) from PTY failed: status = -1 error = Input/output error"
"pptpd[24120]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)"
"pptpd[24120]: CTRL: Client 12.72.37.31 control connection finished"
errors in your log file when the pptpd program is running on a machine behind a masq'ed firewall.

Although I am running MASQ for the machines sitting behind the Linux box, I still get this error when I completely flush my firewall tables (iptables -t nat -F PREROUTING etc.). I can connect no problem from a machine connected to the Linux box across ethernet (another Win2k box).

Linux box:
lo interface
eth0 192.168.0.* (to other MASQed LAN machines)
ppp0 215.* (ADSL connection to Internet)

Windows box:
lo interface
eth0 217.* (LAN connection to Internet, behind a firewall so I can't tunnel _to_ this machine)

I've used tcpdump to watch vpn traffic and I can see GRE packets going to and from the Linux box.

Any pointers greatly appreciated!

All the best,
Tim.

From berzerke at swbell.net Tue Oct 2 08:58:20 2001
From: berzerke at swbell.net (robert)
Date: Tue, 02 Oct 2001 08:58:20 -0500
Subject: [pptp-server] NETBIOS is not supported?
In-Reply-To: <13223.11838-3779-1377933965-1002009843@seznam.cz>
References: <13223.11838-3779-1377933965-1002009843@seznam.cz>
Message-ID: <0GKK00EKLZY1QU@mta5.rcsntx.swbell.net>

I don't have the full context of the message, so I may be a little off, but here's my thoughts.

No, Linux (and hence pptp) does not, directly, support netbios. However, netbios can be encapsulated inside TCP/IP. In your case, check the configuration of your client. Make sure, under protocols, only TCP/IP is checked. My experience has shown it is better to run only one protocol. TCP/IP is the universal one. There are browsing issues with more than one protocol, and I have seen other problems.
With IPX flying around the network, I've seen Linux machines (and maybe Windows too; I didn't have a packet sniffer on those) drop TCP/IP packets.

On Tuesday 02 October 2001 03:04 am, Marek Butas wrote:
> Hi,
>
> I'm trying to set VPN using PoPToP. After few tries I got this
> message in the logs ...
>
> Unsupported protocol 'NETBIOS Framing Control Protocol' received.
>
> Is this correct or do I have some errors in the configuration?
> I'm using RH 7.1 and my /etc/ppp/options contains
>
> lock
> debug
> auth
> +chap
> proxyarp
> ms-wins=10.0.1.2
>
> I tried to find what this error message means, but I was not
> successful. So before I go into deeper analysis, I would like to know
> if this protocol is supported or not.
>
> Thanks a lot
>
> MB

From mikes at hartwellcorp.com Tue Oct 2 12:31:08 2001
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Tue, 2 Oct 2001 10:31:08 -0700
Subject: [pptp-server] Is any development being done?
Message-ID: <91A5926EFF44D3118B1200104B7276EB01084EF1@hart-exchange.hartwellcorp.com>

I went to the http://poptop.lineo.com web page yesterday to see if I should be updating to the latest version. It looks like no development has been done for almost a year now. Is this correct?

From alex at episteme.co.uk Tue Oct 2 17:04:03 2001
From: alex at episteme.co.uk (Alex Richards)
Date: Tue, 2 Oct 2001 23:04:03 +0100
Subject: [pptp-server] PTY Please help!!
Message-ID:

Hi,

I am having trouble getting the pptp daemon working. Hope it's ok to mail this here.
Once pptpd is running, if a client connects it comes up with the following:

Oct 2 22:52:19 router pptpd[2608]: MGR: Manager process started
Oct 2 22:52:39 router pptpd[2610]: CTRL: Client 192.168.0.2 control connection started
Oct 2 22:52:39 router pptpd[2610]: CTRL: Starting call (launching pppd, opening GRE)
Oct 2 22:52:39 router pppd[2611]: pppd 2.4.0 started by root, uid 0
Oct 2 22:52:39 router modprobe: modprobe: Can't locate module tty-ldisc-3
Oct 2 22:52:39 router pppd[2611]: Couldn't set tty to PPP discipline: Invalid argument
Oct 2 22:52:39 router pppd[2611]: Exit.
Oct 2 22:52:39 router pptpd[2610]: GRE: read(fd=4,buffer=804da20,len=8196) from PTY failed: status = -1 error = Input/output error
Oct 2 22:52:39 router pptpd[2610]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Oct 2 22:52:39 router pptpd[2610]: CTRL: Client 192.168.0.2 control connection finished
Oct 2 22:54:54 router modprobe: modprobe: Can't locate module unused
Oct 2 22:54:54 router noip[1132]: Can't get status for unused. (19)
Oct 2 22:59:54 router modprobe: modprobe: Can't locate module unused
Oct 2 22:59:54 router noip[1132]: Can't get status for unused. (19)
Oct 2 23:04:54 router modprobe: modprobe: Can't locate module unused
Oct 2 23:04:54 router noip[1132]: Can't get status for unused. (19)

I have looked around on the web/newsgroups for information on installing these modules and enabling pty's in the kernel with no luck.

Does anyone know what options should be enabled in the kernel (2.4.9) to get this running?
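Paul Reed's modules.conf question (Oct 1) and the "Can't locate module tty-ldisc-3" followed by "Couldn't set tty to PPP discipline" in Alex Richards's log above both come down to the kmod aliases pppd relies on: pppd asks modprobe for names like tty-ldisc-3 and ppp-compress-18, and modprobe can only honour the request if modules.conf maps each name to a module that exists. The checker below is an added example, not code from the list or from the ppp/pptpd projects. Its alias table is the standard 2.4-kernel PPP mapping (the ppp-compress-18 line belongs to the MPPE patch); the sample modules.conf is constructed from the first post's entries, keeping its ppp_mpe target and dropping the tty-ldisc-3 line to reproduce the state Alex's log shows.

```python
"""Check a kmod modules.conf for the aliases a 2.4-kernel pppd/pptpd setup
relies on. Added example, not list, ppp or pptpd code. EXPECTED_ALIASES is the
standard 2.4 PPP mapping; SAMPLE_MODULES_CONF is constructed."""
import re

# Name pppd hands to modprobe -> module that should provide it.
EXPECTED_ALIASES = {
    "char-major-108": "ppp_generic",   # /dev/ppp
    "/dev/ppp": "ppp_generic",
    "tty-ldisc-3": "ppp_async",        # N_PPP line discipline pppd sets on pptpd's pty
    "tty-ldisc-14": "ppp_synctty",
    "ppp-compress-18": "ppp_mppe",     # MPPE, CCP option type 18 (from the MPPE patch)
    "ppp-compress-21": "bsd_comp",
    "ppp-compress-24": "ppp_deflate",
    "ppp-compress-26": "ppp_deflate",
}

ALIAS_RE = re.compile(r"^\s*alias\s+(\S+)\s+(\S+)\s*$")


def parse_aliases(text):
    """Return {alias: module} from modules.conf text; '#' starts a comment."""
    aliases = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line.split("#", 1)[0])
        if m:
            aliases[m.group(1)] = m.group(2)
    return aliases


def check_aliases(text, expected=EXPECTED_ALIASES):
    """Return [(alias, problem)] for each expected alias that is absent or names
    a different module than expected. An empty list means nothing to fix."""
    found = parse_aliases(text)
    problems = []
    for alias, module in expected.items():
        if alias not in found:
            problems.append((alias, "missing: modprobe cannot load it on demand"))
        elif found[alias] != module:
            problems.append((alias, f"points at {found[alias]!r}, expected {module!r}"))
    return problems


# Constructed sample: the first post's entries, with its misspelt MPPE target
# kept and the tty-ldisc-3 line removed. Without that alias (or without a
# ppp_async module at all) modprobe reports "Can't locate module tty-ldisc-3"
# and pppd's attempt to set the line discipline fails with EINVAL.
SAMPLE_MODULES_CONF = """\
# PPP modules
alias ppp-compress-18 ppp_mpe
alias /dev/ppp ppp_generic
alias char-major-108 ppp_generic
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
"""

if __name__ == "__main__":
    for alias, problem in check_aliases(SAMPLE_MODULES_CONF) or [("all aliases", "ok")]:
        print(f"{alias}: {problem}")
```

On a real box, feed it the contents of /etc/modules.conf and confirm each module it names actually exists under /lib/modules/$(uname -r); an alias that resolves to a module compiled into the kernel rather than built as a module is harmless, since the kernel then never asks for it.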
Thank you in advance,

Alex Richards

From bs at altavista.net Tue Oct 2 17:12:27 2001
From: bs at altavista.net (Bas)
Date: Wed, 3 Oct 2001 00:12:27 +0200
Subject: [pptp-server] trying to get pptp to work
Message-ID: <006e01c14b8f$52c19770$0100a8c0@bas>

Hello

I hope someone can help me

I'm trying to get the PPTP to work
I have Suse 7.2 linux, with pptp 1.1.2 and pppd 2.4.0

And also does someone know whether it is possible to get the authentication to an LDAP server - or through radius?

Thanks very much
(as you can probably guess I still have a lot to learn here - hope someone can help me)

Bas Smit

From paul at bsdc.ca Tue Oct 2 18:02:10 2001
From: paul at bsdc.ca (Paul Reed)
Date: Tue, 2 Oct 2001 19:02:10 -0400
Subject: [pptp-server] Success! :) mostly .... and some questions ...
Message-ID: <002001c14b96$44dac490$1e6ea8c0@omega>

RedHat 7.1 i386
kernels 2.4.4 and 2.4.9 w/patch:
- linux-2.4.4-openssl-0.9.6a-mppe.patch.gz
ppp-2.4.1 w/patches:
- ppp-2.4.1-MSCHAPv2-fix.patch.gz
- ppp-2.4.1-openssl-0.9.6-mppe-patch.gz
pptpd-1.0.1
pptp-linux-1.0.2

NOTE:
- Had problems getting ppp_mppe.o to compile with kernel.
- FIX: in kernel configuration, make sure ppp is tagged as a module '(M)' -- NOT statically linked '(*)'.

###########################
# my options.pptpd:

name *
lock
mtu 1490
mru 1490
proxyarp
auth
+chap
#+chapms #This one is optional and may be omitted.
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-128
mppe-40
mppe-stateless

###########################
# IPTABLES VPN connect allow (allows vpn connect on all interfaces):

iptables -A INPUT -p tcp --dport 1723 ! --syn -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 --syn -m limit --limit 2/s -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT

###########################
# Script to connect from another linux box (my internal network is 192.168.1.0/24, remote network is 192.168.0.0/24):

pptp $VPNSERVERIP name $VPNUSERNAME +chapms +chapms-v2 mppe-128 mppe-stateless -deflate noauth
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.254 ppp1

###########################
# IPTABLES rules to masq to the vpn network.

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT

###########################
Client VPN Connections tested using mppe-128 from:
- Windows ME
- Windows XP
- RedHat-7.1 using pptp-linux (connect script above)
  (RH7.1 tested with static ip and through a pppoe connection)

###########################
Possible Issues .. and weird things .. :)

- Cannot connect using windows networking from one net to the other using linux 2.4.4 kernel I.e. 192.168.1.6 --> //192.168.0.253/) It works in the 2.4.9 kernel for me though .. I think there was a new IP to IP tunnel option or something, maybe that was it...) can anyone confirm?

- Cannot connect to remote vpn server from behind an IPTABLES Firewall/Masquerade gateway... netstat on both boxes reveals a non-privileged connection from the vpn server to the client that isn't making it in through the NAT/FW gateway. The gateway itself can connect using pptp-linux, but any box behind it can't. As a temporary solution, i've just routed through the nat/fw gateway's pptp vpn connection to the vpn server. (see above scripts) I would rather connect from my windows box that is behind the gw. Any ideas? Iptables rules maybe?

###########################
About to test with 2.4.10 (although i foresee no new issues .. :)

Anyways ... thanks for the help list! :) I'm up and running...
:) Paul Reed paul at bsdc.ca -------------- next part -------------- An HTML attachment was scrubbed... URL: From neale at lowendale.com.au Wed Oct 3 00:05:29 2001 From: neale at lowendale.com.au (Neale Banks) Date: Wed, 3 Oct 2001 15:05:29 +1000 (EST) Subject: [pptp-server] Solved: Fatal Signal 11 In-Reply-To: Message-ID: 'twas in the archives: On Thu, 7 Dec 2000, Tony Lill wrote: > > Date: Thu, 07 Dec 2000 01:36:34 EST > From: Tony Lill > Reply-To: Tony.Lill at ajlc.waterloo.on.ca > To: Martin Feeney > Cc: pptp-server at lists.schulte.org > Subject: Re: [pptp-server] Connecting problem Caught signal 11 > > That's caused by a bug in the ppp daemon. There is a call to lcpdebug > with the incorrect numbero of arguments in lcp.c where it handles one > of the callback messages: > > Index: pppd/lcp.c > =================================================================== > RCS file: /CVSROOT/network/daemons/ppp/pppd/lcp.c,v > retrieving revision 1.1.1.1 > diff -c -r1.1.1.1 lcp.c > *** pppd/lcp.c 2000/09/07 03:38:37 1.1.1.1 > --- pppd/lcp.c 2000/12/07 06:35:23 > *************** > *** 1538,1544 **** > > #ifdef CBCP_SUPPORT > case CI_CALLBACK: > ! LCPDEBUG((LOG_INFO, "lcp_reqci: rcvd CBCP")); > if (!ao->neg_cbcp || > cilen != CILEN_CHAR) { > orc = CONFREJ; > --- 1538,1544 ---- > > #ifdef CBCP_SUPPORT > case CI_CALLBACK: > ! LCPDEBUG(("lcp_reqci: rcvd CBCP")); > if (!ao->neg_cbcp || > cilen != CILEN_CHAR) { > orc = CONFREJ; > [snip] All's fine now :-) Neale. From muralivemuri at multitech.co.in Wed Oct 3 06:53:48 2001 From: muralivemuri at multitech.co.in (Murali K. Vemuri) Date: Wed, 03 Oct 2001 17:23:48 +0530 Subject: [pptp-server] authentication through PAM Message-ID: <3BBAFC4B.4AE32F93@multitech.co.in> hi all, i am using PPP server 2.4.1 on my LINUX 7.0 kernel 2.2.16. as of now, i am able to get through with PAP & CHAP. can some one please tell me how i can make my BOX authenticate the users through PAM.....? 
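Review bot: on the lcp.c hunk quoted in Neale Banks's "Solved: Fatal Signal 11" message, the `!` line in the CI_CALLBACK case drops the LOG_INFO argument from LCPDEBUG, and that is the right fix for the signal 11 reported earlier in the thread: LCPDEBUG takes one parenthesised printf-style argument list, so with the extra LOG_INFO the integer log level is consumed as the format string and the real format string is read as its first argument, which dereferences a bogus pointer. Two things to check before applying it to the 2.3.11 tree in use here: the context (lines 1538-1544 of revision 1.1.1.1 under CBCP_SUPPORT) comes from a private CVS import, so the line numbers will not match and the change should be applied by hand to the LCPDEBUG call in lcp_reqci's CI_CALLBACK case; and because the code only runs when the peer offers the Callback option in its Configure-Request, a test against a peer that does not send it will not exercise the fixed path, so retest against the Win2k peer from the original report.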
regards and thanks in advance
murali krishna vemuri

From marklanglite at hotmail.com Wed Oct 3 07:14:46 2001
From: marklanglite at hotmail.com (Mark Langlite)
Date: Wed, 03 Oct 2001 05:14:46 -0700
Subject: [pptp-server] Version of Linux that PoPToP runs on?
Message-ID:

What is the newest version of Redhat Linux, or else the newest kernel version, that PoPToP runs successfully on?

Secondly, what is the newest version of Redhat Linux or the kernel that PoPToP with the MSCHAPV2 patch works successfully on?

Thanks,
Mark

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

From muralivemuri at multitech.co.in Wed Oct 3 07:25:36 2001
From: muralivemuri at multitech.co.in (Murali K. Vemuri)
Date: Wed, 03 Oct 2001 17:55:36 +0530
Subject: [pptp-server] Version of Linux that PoPToP runs on?
References:
Message-ID: <3BBB03C0.F9A03282@multitech.co.in>

AFAIK, PoPToP 1.1.2 should work on redhat 6.x onwards and kernel version 2.0.x upwards
same with MSCHAPV2

murali

Mark Langlite wrote:

> What is the newest version of Redhat Linux, or else the newest kernel
> version, that PoPToP runs successfully on?
>
> Secondly, what is the newest version of Redhat Linux or the kernel that
> PoPToP with the MSCHAPV2 patch works successfully on?
>
> Thanks,
> Mark

From Mgoins at waddell.com Wed Oct 3 07:27:51 2001
From: Mgoins at waddell.com (Michael Goins)
Date: Wed, 03 Oct 2001 07:27:51 -0500
Subject: [pptp-server] How-to
Message-ID:

Does anyone have a good how-to for redhat 7.1?
Michael Goins, MCSE, CNA
Unix Administrator
Waddell & Reed
6300 Lamar Ave.
Shawnee Mission, KS 66201
913.236.1615

From hellhound at linugen.com Wed Oct 3 07:50:35 2001
From: hellhound at linugen.com (hellhound at linugen.com)
Date: Wed, 3 Oct 2001 14:50:35 +0200
Subject: [pptp-server] GRE
Message-ID: <20011003145035.A11499@cacofonix.realroot.be>

Hi all,

got some problems with pptpd 1.0.1 (and same with 1.1.2) and Win2k: using Virtual Private Connection under win2k, I get:

Error 619: The specified port is not connected on the server side,

from messages logfile:

Oct 3 12:25:48 blabla pptpd[8561]: CTRL: Starting call (launching pppd, opening GRE)
Oct 3 12:25:48 blabla pppd[8562]: pppd 2.4.1 started by root, uid 0
Oct 3 12:25:48 blabla pppd[8562]: Using interface ppp0
Oct 3 12:25:48 blabla pppd[8562]: Connect: ppp0 <--> /dev/pts/3
Oct 3 12:25:48 blabla pptpd[8561]: GRE: read error: Protocol not available
Oct 3 12:25:48 blabla pptpd[8561]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Oct 3 12:25:48 blabla pptpd[8561]: CTRL: Client 134.58.253.193 control connection finished
Oct 3 12:25:48 blabla pppd[8562]: Modem hangup
Oct 3 12:25:48 blabla pppd[8562]: Connection terminated.
Oct 3 12:25:48 blabla pppd[8562]: Exit.

I compiled
IP: tunneling
IP: GRE tunnels over IP
as modules for my kernel 2.4.9, and loaded the module

What else do i need to get it working ?

thanks in advance

From charlieb at e-smith.com Wed Oct 3 09:06:35 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Wed, 3 Oct 2001 10:06:35 -0400 (EDT)
Subject: [pptp-server] authentication through PAM
In-Reply-To: <3BBAFC4B.4AE32F93@multitech.co.in>
Message-ID:

On Wed, 3 Oct 2001, Murali K. Vemuri wrote:

> i am using PPP server 2.4.1 on my LINUX 7.0 kernel 2.2.16.
> as of now, i am able to get through with PAP & CHAP.
> can some one please tell me how i can make my BOX authenticate the users
> through PAM.....?

AFAIK, you cannot authenticate using CHAP and PAM at the same time.
In order to authenticate using PAM, the application needs to have the cleartext password, which it doesn't have using CHAP.

Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From hellhound at linugen.com Wed Oct 3 11:27:47 2001
From: hellhound at linugen.com (hellhound at linugen.com)
Date: Wed, 3 Oct 2001 18:27:47 +0200
Subject: [pptp-server] GRE
In-Reply-To: <20011003145035.A11499@cacofonix.realroot.be>; from hellhound@linugen.com on Wed, Oct 03, 2001 at 02:50:35PM +0200
References: <20011003145035.A11499@cacofonix.realroot.be>
Message-ID: <20011003182747.A17259@cacofonix.realroot.be>

Disregard that last mail, found it myself.. those nasty GRE packets :)

I was working on my workstation behind a masquerading firewall.. so the GRE packets didn't get forwarded by the gateway.

Works now.. thanks anyway

From ckalos at gothambroadband.com Wed Oct 3 11:47:31 2001
From: ckalos at gothambroadband.com (Christopher Kalos)
Date: Wed, 3 Oct 2001 12:47:31 -0400
Subject: [pptp-server] NT Domain Logon via VPN
Message-ID:

I know I've seen this under some implementation of the VPN client for Windows 2000, and I'm wondering how (or if!) it's possible with PoPToP and Samba. After the initial connection, it should be possible with the MS VPN Server to force the Win2000 client to return a login dialog requiring the user to enter their NT username, password, and domain.

Is there a way to enable this for the PPTP server so that VPN systems are also part of the Windows Domain and Domain users can log on with full rights, regardless of the system that they connect from?
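Two replies in this archive make points about the shared secret that a worked example shows more concretely than prose: Josh Howlett's advice (Oct 1) to use a random alphanumeric password because MS-CHAP-v2 is open to dictionary attack, and Charlie Brady's explanation above that a CHAP authenticator must hold the secret itself, which is why it cannot hand verification to PAM. The block below is an added example, not code from the list, pppd or pptpd. It parses a pppd chap-secrets table, audits each secret against a tiny constructed wordlist, generates a replacement of the kind Josh recommends, and then runs an RFC 1994 CHAP/MD5 exchange with both sides in code: the verifier has to compute the same MD5 over the secret, so a one-way password hash of the kind PAM checks against is not enough. MD5 CHAP is used for the illustration because it is short; PPTP's MS-CHAP-v2 needs the NT hash of the password instead of the cleartext, and the consequence Charlie states is the same. All client names and secrets are constructed.

```python
"""Audit pppd chap-secrets entries and run an RFC 1994 CHAP exchange against
them. Added example, not list/pppd/pptpd code; names, secrets and the
wordlist are constructed."""
import hashlib
import hmac
import os
import secrets
import shlex
import string

ALPHANUM = string.ascii_letters + string.digits
WEAK_WORDS = {"password", "secret", "vpn", "letmein", "wireless"}   # stand-in wordlist


def parse_chap_secrets(text):
    """chap-secrets lines are: client server secret [IP addresses...]"""
    table = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            table[(fields[0], fields[1])] = fields[2]
    return table


def audit_secret(secret, min_len=16):
    """Return the reasons a secret is weak; [] means it passes this check."""
    reasons = []
    if len(secret) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if secret.lower() in WEAK_WORDS:
        reasons.append("dictionary word")
    if not (any(c.isdigit() for c in secret) and any(c.isalpha() for c in secret)):
        reasons.append("letters only or digits only")
    return reasons


def random_alphanumeric(length=20):
    """Random alphanumeric secret from the OS CSPRNG, about 5.95 bits per character."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Server side. verify() recomputes the response from the stored cleartext
    secret; a stored one-way hash could not produce it."""
    def __init__(self, table, server="poptop"):
        self.secrets = {c: s for (c, srv), s in table.items() if srv in (server, "*")}
        self.ident = 0

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF
        return self.ident, os.urandom(16)

    def verify(self, name, ident, challenge, response):
        secret = self.secrets.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def run_exchange(auth, name, secret):
    """Client side: answer the challenge; the secret itself never goes on the wire."""
    ident, chal = auth.challenge()
    return auth.verify(name, ident, chal, chap_response(ident, secret, chal))


# Constructed chap-secrets: one dictionary-word secret, one random one.
SAMPLE_CHAP_SECRETS = """\
# client   server   secret                   IP
homer      poptop   "wireless"               *
shared     *        "Xk9qT2pLw7aRz4Nb3mHd"   *
"""

if __name__ == "__main__":
    table = parse_chap_secrets(SAMPLE_CHAP_SECRETS)
    for (client, _), secret in table.items():
        print(client, audit_secret(secret) or "ok")
    auth = ChapAuthenticator(table)
    print("shared authenticates:", run_exchange(auth, "shared", table[("shared", "*")]))
    print("suggested replacement:", random_alphanumeric())
```

The replay check in the usage below is the property worth keeping in mind for the shared-credential setup discussed earlier in the archive: a captured response is useless against a fresh challenge, but the secret it was derived from is still the only thing standing between a captured handshake and an offline guess, which is exactly why its entropy matters.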
Thank you,

Christopher Kalos
Systems Administrator
Gotham Broadband
212.206.9620 x340

From Steve at SteveCowles.com Wed Oct 3 14:07:16 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Wed, 3 Oct 2001 14:07:16 -0500
Subject: [pptp-server] NT Domain Logon via VPN
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE89D@defiant.infohiiway.com>

> -----Original Message-----
> From: Christopher Kalos [mailto:ckalos at gothambroadband.com]
> Sent: Wednesday, October 03, 2001 11:48 AM
> To: Poptop Mailing List
> Subject: [pptp-server] NT Domain Logon via VPN
>
>
> I know I've seen this under some implementation of the
> VPN client for Windows 2000, and I'm wondering how (or if!)
> it's possible with PoPToP and Samba. After the initial
> connection, it should be possible with the MS VPN Server to
> force the Win2000 client to return a login dialog requiring
> the user to enter their NT username, password, and domain.
>
> Is there a way to enable this for the PPTP server so
> that VPN systems are also part of the Windows Domain and
> Domain users can log on with full rights, regardless of the
> system that they connect from?

Conceptually, not a bad idea. And I'm sure someone could write a program to prompt for the username/password/domain after the PPTP session is established. But you will still be faced with the problem of how the PPTP client will "first" join that domain. i.e. Without first joining the domain (SID), your domain logon credentials (rights) are meaningless.

FWIW: I have been successful at joining an MS domain across a PPTP session, but then I also had admin rights to do so. This is where the real problem lies in what you are proposing for your average user, or better yet, maintaining a decent security model.
Steve Cowles

From ckalos at gothambroadband.com Wed Oct 3 14:15:27 2001
From: ckalos at gothambroadband.com (Christopher Kalos)
Date: Wed, 3 Oct 2001 15:15:27 -0400
Subject: [pptp-server] NT Domain Logon via VPN
In-Reply-To: <90769AF04F76D41186C700A0C90AFC3EE89D@defiant.infohiiway.com>
Message-ID:

What about the user himself? Is there any way to authenticate him to the NT domain from an arbitrary system on the VPN, provided the VPN *server* is on the domain (which it is?)

I know I'm getting into much hairier stuff now in regards to what systems are trusted on a domain and which are not, but it's going to prove difficult to add some of these systems to the domain over the 3000+ miles that we're currently separated by anyway.

Complexities abound,
Christopher Kalos

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Cowles, Steve
Sent: Wednesday, October 03, 2001 3:07 PM
To: Poptop Mailing List
Subject: RE: [pptp-server] NT Domain Logon via VPN

> -----Original Message-----
> From: Christopher Kalos [mailto:ckalos at gothambroadband.com]
> Sent: Wednesday, October 03, 2001 11:48 AM
> To: Poptop Mailing List
> Subject: [pptp-server] NT Domain Logon via VPN
>
>
> I know I've seen this under some implementation of the
> VPN client for Windows 2000, and I'm wondering how (or if!)
> it's possible with PoPToP and Samba. After the initial
> connection, it should be possible with the MS VPN Server to
> force the Win2000 client to return a login dialog requiring
> the user to enter their NT username, password, and domain.
>
> Is there a way to enable this for the PPTP server so
> that VPN systems are also part of the Windows Domain and
> Domain users can log on with full rights, regardless of the
> system that they connect from?

Conceptually, not a bad idea. And I'm sure someone could write a program to prompt for the username/password/domain after the PPTP session is established. But you will still be faced with the problem of how the PPTP client will "first" join that domain. i.e. Without first joining the domain (SID), your domain logon credentials (rights) are meaningless.

FWIW: I have been successful at joining an MS domain across a PPTP session, but then I also had admin rights to do so. This is where the real problem lies in what you are proposing for your average user, or better yet, maintaining a decent security model.

Steve Cowles

From alex at episteme.co.uk Wed Oct 3 15:08:36 2001
From: alex at episteme.co.uk (Alex Richards)
Date: Wed, 3 Oct 2001 21:08:36 +0100
Subject: [pptp-server] Kernel Instructions
Message-ID:

Hi,

Can anyone help me with the settings to use when recompiling the kernel? I already have ip masq and portforwarding installed but need to know where the PTY stuff is ( and anything else ;)

Please, please help!

Cheers and thanks in adv.

Alex

From berzerke at swbell.net Wed Oct 3 15:38:22 2001
From: berzerke at swbell.net (robert)
Date: Wed, 03 Oct 2001 15:38:22 -0500
Subject: [pptp-server] Kernel Instructions
In-Reply-To:
References:
Message-ID: <0GKN0061YDBS9A@mta4.rcsntx.swbell.net>

There is a url in the 2.4 kernel howto that has a valid kernel configuration file.

On Wednesday 03 October 2001 03:08 pm, Alex Richards wrote:
> Hi,
>
> Can anyone help me with the settings to use when recompiling
>.the kernel? I already have ip masq and portforwarding installed
> but need to know where the PTY stuff is ( and anything else ;)
>
> Please, please help!
>
> Cheers and thanks in adv.
>
> Alex

From neale at lowendale.com.au Wed Oct 3 21:24:45 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Thu, 4 Oct 2001 12:24:45 +1000 (EST)
Subject: [pptp-server] Negotiating MRU with Win2k?
G'day,

Here's what I see when PPTP comes up and PPP negotiates with Win2k (I have "mtu 1490" and "mru 1490" in my options):

-----------------------------------8<-----------------------------------
Oct 4 10:58:10 gull pppd[332]: Connect: ppp0 <--> /dev/pts/0
Oct 4 10:58:10 gull pppd[332]: sent [LCP ConfReq id=0x1 ]
[...]
Oct 4 10:58:11 gull pppd[332]: rcvd [LCP ConfNak id=0x1 ]
-----------------------------------8<-----------------------------------

Ditto if I try to negotiate 1480.

As I see it, I asked that the max size to be sent over the ppp link be 1490 but was subsequently NACKed and told that it would be 1500.

The symptoms I'm seeing include being able to get the front page of a webserver that's down the tunnel but neither of the frames on that page (the front page is only 230 bytes and I'm guessing that each of the frames are >> 1400 bytes).

Any ideas?

Thanks,
Neale.

From geir at sunnkom.no Thu Oct 4 01:24:31 2001
From: geir at sunnkom.no (Geir Nøstdahl)
Date: Thu, 4 Oct 2001 08:24:31 +0200
Subject: [pptp-server] Problem with mppe

Hi!

I have been running PoPToP for a while on lots of systems, but now it seems I don't run any encryption. In most cases, I've used this behind a Linux NAT firewall; is it a problem getting the encryption working when I do this?

If I uncheck "require encrypted" in the Windows clients they connect OK and all is working. But when I check "require encrypted" it doesn't connect, and gives me the "not supported encryption" message.

I have the mppe module loaded, patched the kernel. I also have those lines in modules.conf that refer to the mppe module.

This is how my options.pptp looks:

lock
debug
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless

What can be wrong?

regards
Geir Nøstdahl

From bs at altavista.net Thu Oct 4 05:44:06 2001
From: bs at altavista.net (Bas)
Date: Thu, 4 Oct 2001 12:44:06 +0200
Subject: [pptp-server] VPN and NAT
Message-ID: <001401c14cc1$7e355cb0$0100a8c0@bas>

I have established the VPN connection. Thanks very much for the help.

Now I have some questions:
- can the server service multiple connections from different clients?
- how can I set up NAT for the clients and a firewall? Does anyone have maybe an example for me?

thanks
Bas Smit

From vivek_s7 at yahoo.com Thu Oct 4 06:28:31 2001
From: vivek_s7 at yahoo.com (Vivek S)
Date: Thu, 4 Oct 2001 04:28:31 -0700 (PDT)
Subject: [pptp-server] Some questions
Message-ID: <20011004112831.69661.qmail@web20805.mail.yahoo.com>

Hi,

I am new to this list and have a few questions about the poptop pptp server for Linux. Also I am very new to PPTP.

1. How many maximum concurrent pptp sessions can the poptop pptp server support?
2. What are the hardware requirements? I am planning to implement this in my office where the number of users can be around 500.

Also I need the pptp server to authenticate users from a RADIUS server. Does poptop support radius authentication and if yes is there any docs for configuring the same somewhere?

Also how will a well configured linux box with poptop compare to legacy VPN boxes like Intel Shiva VPN or Cisco VPN concentrator for only pptp services?

Thanks in advance
Vivek

From MarekButas at seznam.cz Thu Oct 4 08:48:33 2001
From: MarekButas at seznam.cz (Marek Butas)
Date: Thu, 04 Oct 2001 15:48:33 +0200 (CEST)
Subject: [pptp-server] Building under 2.4
Message-ID: <7295.20481-12060-777134631-1002203313@seznam.cz>

Hi,

is there any how-to for kernel 2.4? Well, as a newbie to Linux I'm not sure if I did everything right. Here is what I've done:

take ppp-2.4.0-src
mppe patch for this version
patched the ppp package
run configure script
make clean
make
make install

Till now no problems. But I cannot find the ppp_mppe.o module. I looked into the faq and there is a different set of instructions. Do I really need to recompile the whole kernel? Isn't there some other way? How can I now get this module?

Thanks a lot
MB

From droman at romansys.com Thu Oct 4 05:40:37 2001
From: droman at romansys.com (Dean Roman)
Date: Thu, 04 Oct 2001 03:40:37 -0700
Subject: [pptp-server] pptpd questions/info newbie...
Message-ID: <3BBC3CA5.CD46A62C@romansys.com>

Hello all,

I've been using Linux for many years now, and have been tasked to set up a vpn that will have linux on the server side, and win2k clients (behind NAT'd firewalls...like cable modem running NAT) on the client side.

Sounds to me like PPTP is the best solution? However, I'm a bit lost about PPTPD as it seems the docs that I have are outdated as are the patches.

My setup is:
DISTRIBUTION: Debian/GNU Linux (woody/testing)
SETUP: Gateway (firewall) running iptables+bridging
KERNEL: 2.4.9
PPP: 2.4.1
PPTPD: 1.0.0

I have some questions that hopefully you all can help me out with:

Here are my questions:
=====================
1) Will PPTP work with the win2k clients behind NAT'd firewalls (like a cable modem running NAT)?
2) Does the basic package found in woody WITHOUT any patches support any kind of encryption mechanism?
3) If NO on 2, where can I find good docs/patches on how to add the MPPE/chap to kernel 2.4.9 and any other patches I need.
4) Do I need to patch the ppp daemon in Debian woody for this to work?
5) Is the concept the same as that for a regular dialup connection using ppp?
6) Could somebody explain exactly what needs to be patched in order to achieve some type of security (link encryption)?
7) If I downgraded to kernel 2.2.19 would this help things out?

Any other info. would be really helpful in my learning how pptpd works.

Thanks for help...

---Dean Roman.

From droman at romansys.com Thu Oct 4 05:51:56 2001
From: droman at romansys.com (Dean Roman)
Date: Thu, 04 Oct 2001 03:51:56 -0700
Subject: [pptp-server] pptpd questions/info newbie...
Message-ID: <3BBC3F4C.2B3314B0@romansys.com>

==> Don't know if I was allowed to send email to this list before I registered on it, so I resent it after I signed up.

Hello all,

I've been using Linux for many years now, and have been tasked to set up a vpn that will have linux on the server side, and win2k clients (behind NAT'd firewalls...like cable modem running NAT) on the client side.

Sounds to me like PPTP is the best solution? However, I'm a bit lost about PPTPD as it seems the docs that I have are outdated as are the patches.

My setup is:
DISTRIBUTION: Debian/GNU Linux (woody/testing)
SETUP: Gateway (firewall) running iptables+bridging
KERNEL: 2.4.9
PPP: 2.4.1
PPTPD: 1.0.0

I have some questions that hopefully you all can help me out with:

Here are my questions:
=====================
1) Will PPTP work with the win2k clients behind NAT'd firewalls (like a cable modem running NAT)?
2) Does the basic package found in woody WITHOUT any patches support any kind of encryption mechanism?
3) If NO on 2, where can I find good docs/patches on how to add the MPPE/chap to kernel 2.4.9 and any other patches I need.
4) Do I need to patch the ppp daemon in Debian woody for this to work?
5) Is the concept the same as that for a regular dialup connection using ppp?
6) Could somebody explain exactly what needs to be patched in order to achieve some type of security (link encryption)?
7) If I downgraded to kernel 2.2.19 would this help things out?

Any other info. would be really helpful in my learning how pptpd works.

Thanks for help...

---Dean Roman.

From neale at lowendale.com.au Thu Oct 4 17:08:38 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Fri, 5 Oct 2001 08:08:38 +1000 (EST)
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To: <3BBC3CA5.CD46A62C@romansys.com>

On Thu, 4 Oct 2001, Dean Roman wrote:

[Long lines wrapped for clarity - Neale. Dean: please wrap lines]

> I've been using Linux for many years now, and have been tasked to
> setup a vpn that will have linux on the server side, and win2k
> clients(behind NAT'd firewalls...like cable modem running NAT) on the
> client side.
>
> Sounds to me like PPTP is the best solution? However, I'm a bit
> lost about PPTPD as it seems the docs that I have are outdated as are
> the patches.

Probably the "most convenient" rather than "best" solution.

> My setup is:
> DISTRIBUTION: Debian/GNU Linux(woody/testing)
> SETUP: Gateway(firewall) running iptables+bridging
> KERNEL: 2.4.9
> PPP: 2.4.1
> PPTPD: 1.0.0

"should be" OK, but many here would probably strongly recommend a more current pptpd.

> I have some questions that hopefully you all can help me out with:
>
> Here are my questions:
> =====================
> 1) Will PPTP work with the win2k clients behind NAT'd firewalls (like a cable modem running NAT)?

Qualified yes/sometimes - others can answer this better. BTW, if you mean > 1 client behind any given NAT, then expect problems.

> 2) Does the basic package found in woody WITHOUT any patches support
> any kind of encryption mechanism?

AFAIK, no.
> 3) If NO on 2, where can I find good docs/patches on how to add the
> MPPE/chap to kernel 2.4.9 and any other patches I need.
> 4) Do I need to patch the ppp daemon in Debian woody for this to work?

Short answer: I just did this for potato (i.e. current "stable" Debian) and documented the process at http://www.planet.net.au/~neale/crypto/alpha/ - in particular see Debian-HOWTO.txt there.

Other priorities permitting, I may be able to have a go at patching the ppp from woody soon (unless someone can provide a pointer to where this has already been done ;-).

> 5) Is the concept the same as that for a regular dialup connection using ppp?

Not sure what you mean here - the issues within PPP (e.g. LCP, IPCP, CCP, CHAP negotiations) will be the same.

> 6) Could somebody explain exactly what needs to be patched in order to
> achieve some type of security(link encryption)?

See above doc + Robert's HOWTO pointed to therefrom.

> 7) If I downgraded to kernel 2.2.19 would this help things out?

IMHO, that "shouldn't" be necessary.

HTH,
Neale.

From martin at tuatha.org Fri Oct 5 04:08:59 2001
From: martin at tuatha.org (Martin Feeney)
Date: Fri, 5 Oct 2001 10:08:59 +0100
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To: <3BBC3F4C.2B3314B0@romansys.com>; from droman@romansys.com on Thu, Oct 04, 2001 at 11:51:56 +0100
References: <3BBC3F4C.2B3314B0@romansys.com>
Message-ID: <20011005100859.G9098@greenspot.nwcgroup.com>

On Thu, 04 Oct 2001 11:51:56 Dean Roman wrote:

> 1) Will PPTP work with the win2k clients behind NAT'd firewalls (like a
> cable modem running NAT)?

This is your biggest problem - probably not unless you can port forward port 1723 and protocol forward protocol 47 (GRE). And it'll only work for one machine behind each NAT firewall.

> 2) Does the basic package found in woody WITHOUT any patches support any
> kind of encryption mechanism?

Nope, but if you trust me not to do anything nasty, I can send you a .deb with mppe and smb-stripdomain patches. Then you can also install the kernel-patch-mppe package and apply it to your kernel.

This should also take care of questions 3,4,6 and 7.

> 5) Is the concept the same as that for a regular dialup connection using
> ppp?

Yes and no. The lcp/ppp protocols are the same (with the addition of mppe for encryption). The transport layer is over ip rather than over a telephone line, however.

The client creates a tcp connection on port 1723 to the server. They have a little chat and open up an ip socket connection (protocol 47 - GRE) to contain the tunnel and run ppp over it.

Other than that simple explanation, there are many, many FAQs and whitepapers you can read - most of them available at, or linked from http://poptop.lineo.com/

Martin.

From droman at romansys.com Fri Oct 5 04:31:04 2001
From: droman at romansys.com (Dean Roman)
Date: Fri, 05 Oct 2001 02:31:04 -0700
Subject: [pptp-server] pptpd questions/info newbie...
References: <3BBC3F4C.2B3314B0@romansys.com> <20011005100859.G9098@greenspot.nwcgroup.com>
Message-ID: <3BBD7DD8.55BEDFA@romansys.com>

Martin Feeney wrote:
>
> On Thu, 04 Oct 2001 11:51:56 Dean Roman wrote:
>
> > 1) Will PPTP work with the win2k clients behind NAT'd firewalls (like a
> > cable modem running NAT)?
>
> This is your biggest problem - probably not unless you can port forward
> port 1723 and protocol forward protocol 47(GRE). And it'll only work for
> one machine behind each NAT firewall.
>

When I try it, I'll let the group know if it works for me or not.

Any other ideas as to a good VPN solution that solves this problem, given that I have all windows boxes on the client side behind NAT, and Linux on the server side?

> > 2) Does the basic package found in woody WITHOUT any patches support any
> > kind of encryption mechanism?
>
> Nope, but if you trust me not to do anything nasty, I can send you a .deb
> with mppe and smb-stripdomain patches.

I would be very grateful for this as I have been scratching my head trying to figure out how to get the ppp patches correctly built in, then into a deb package. (the ppp .debs you have, I'm assuming, are for ppp 2.4.1 and the newest pptpd)?

> Then you can also install the kernel-patch-mppe package and apply it to
> your kernel.

The kernel-patch-mppe I have already installed. I didn't see that one until Neale Banks gave me the scoop...thanks Neale.

> This should also take care of questions 3,4,6 and 7.
>
> > 5) Is the concept the same as that for a regular dialup connection using
> > ppp?
>
> Yes and no. The lcp/ppp protocols are the same (with the addition of mppe
> for encryption). The transport layer is over ip rather than over a
> telephone line, however.
>
> The client creates a tcp connection on port 1723 to the server. They have a
> little chat and open up an ip socket connection (protocol 47 - GRE) to
> contain the tunnel and run ppp over it.
>
> Other than that simple explanation, there are many, many FAQs and
> whitepapers you can read - most of them available at, or linked from
> http://poptop.lineo.com/
>
> Martin.

Thanks for the info....I will look for the .debs in my mail or a URL for them.

---Dean.
droman at romansys.com

From iso9 at phantasticant.com Fri Oct 5 14:45:34 2001
From: iso9 at phantasticant.com (Jordan Share)
Date: Fri, 5 Oct 2001 12:45:34 -0700
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To: <3BBD7DD8.55BEDFA@romansys.com>

Are all your clients behind the same NAT? Or is each behind their own?

Most NAT solutions that I've encountered recently work fine with a client behind the NAT box.
IIRC, the linux-based NAT will even allow you to have multiple PPTP clients behind the same NATted IP address, as long as they all connect to different PPTP servers.

If you have your clients behind the same NAT box, perhaps it supports IPSec? You can use FreeS/WAN on the linux side to create IPSec-based VPNs.

Jordan

From droman at romansys.com Fri Oct 5 08:03:38 2001
From: droman at romansys.com (Dean Roman)
Date: Fri, 05 Oct 2001 06:03:38 -0700
Subject: [pptp-server] pptpd questions/info newbie...
Message-ID: <3BBDAFAA.F31BB415@romansys.com>

Jordan Share wrote:
>
> Are all your clients behind the same NAT? Or is each behind their own?
>

Each client is behind its own NAT. The scenario is... Each Windows 2K client is at home or on the road behind a cable modem or dsl nat'd modem. I have 20 or so windows clients all at different locations behind their own NAT. Each client connects into the same PPTP linux server in our office that is NOT behind a NAT'd firewall.

> Most NAT solutions that I've encountered recently work fine with a client behind the NAT box.
> IIRC, the linux-based NAT will even allow you to have multiple PPTP clients behind the same NATted IP address, as long as they all connect to different PPTP servers.

I am unfamiliar with IIRC linux based NAT. From what you are saying above, I gather that it uses the default windows PPTP VPN client built into win2k boxes. The server runs under linux...you can use it with the client behind a NAT/masquerading gateway/firewall...now for the big question...

Does it support any type of encryption mechanism? Can you send me a link to somewhere I can find out more info. on the IIRC VPN?

> If you have your clients behind the same NAT box, perhaps it supports IPSec? You can use FreeS/WAN on the linux side to create IPSec-based VPNs.
>
> Jordan

Thanks for the help...

---Dean.
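Martin's summary earlier in this thread (a TCP/1723 control "chat", then a GRE tunnel on protocol 47 carrying PPP) is concrete enough to decode. What follows is an added example, not code from the list, from PoPToP, or from any NAT implementation: it builds and parses the first control message a client sends (the Start-Control-Connection-Request) and the enhanced GRE header PPTP uses, both as laid out in RFC 2637. The byte strings are constructed for the example. A firewall, NAT helper or IDS that wants to tell PPTP apart from other GRE traffic has to check exactly these fields: the 0x1A2B3C4D magic cookie on the control channel, and on GRE the version 1 bits, protocol type 0x880B and the Call ID that demultiplexes sessions.

```python
import struct
from typing import Optional

PPTP_MAGIC_COOKIE = 0x1A2B3C4D   # RFC 2637 section 2.2, present in every control message
GRE_PROTO_PPP = 0x880B           # protocol type carried in PPTP's enhanced GRE header
SCCRQ = 1                        # Start-Control-Connection-Request
SCCRQ_LENGTH = 156               # fixed size of that message in octets

CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
}


def build_sccrq(host_name: bytes, vendor: bytes) -> bytes:
    """Construct a Start-Control-Connection-Request (sample data for this example)."""
    header = struct.pack("!HHIHH", SCCRQ_LENGTH, 1, PPTP_MAGIC_COOKIE, SCCRQ, 0)
    body = struct.pack("!HHIIHH64s64s",
                       0x0100,      # protocol version 1.0
                       0,           # reserved1
                       0x3,         # framing capabilities: async + sync
                       0x3,         # bearer capabilities: analog + digital
                       0,           # maximum channels
                       0,           # firmware revision
                       host_name, vendor)
    return header + body


def parse_pptp_control(data: bytes) -> dict:
    """Decode the common control header and, for an SCCRQ, its body.
    Raises ValueError for anything that is not a well-formed PPTP control message."""
    if len(data) < 12:
        raise ValueError("short PPTP control header")
    length, msg_type, magic, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % magic)
    if msg_type != 1:
        raise ValueError("not a control message (type %d)" % msg_type)
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes" % (length, len(data)))
    msg = {"control_type": ctrl_type,
           "name": CONTROL_MESSAGE_NAMES.get(ctrl_type, "unknown")}
    if ctrl_type == SCCRQ:
        if length != SCCRQ_LENGTH:
            raise ValueError("SCCRQ must be %d bytes" % SCCRQ_LENGTH)
        (version, _r1, framing, bearer, max_channels,
         firmware, host, vendor) = struct.unpack("!HHIIHH64s64s", data[12:])
        msg.update(protocol_version=version, framing=framing, bearer=bearer,
                   max_channels=max_channels, firmware=firmware,
                   host_name=host.rstrip(b"\0").decode("ascii", "replace"),
                   vendor=vendor.rstrip(b"\0").decode("ascii", "replace"))
    return msg


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Construct an enhanced GRE packet as PPTP sends it (RFC 2637 section 4.1)."""
    flags = 0x2000 | 0x0001          # K (key field present) + version 1
    if seq is not None:
        flags |= 0x1000              # S: sequence number present
    if ack is not None:
        flags |= 0x0080              # A: acknowledgement number present
    pkt = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        pkt += struct.pack("!I", seq)
    if ack is not None:
        pkt += struct.pack("!I", ack)
    return pkt + payload


def parse_pptp_gre(data: bytes) -> dict:
    """Decode an enhanced GRE header; reject plain GRE or anything not carrying PPP."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    version, key_present = flags & 0x0007, bool(flags & 0x2000)
    seq_present, ack_present = bool(flags & 0x1000), bool(flags & 0x0080)
    if version != 1 or proto != GRE_PROTO_PPP or not key_present:
        raise ValueError("not PPTP enhanced GRE (version %d, proto 0x%04x)" % (version, proto))
    header_len = 8 + (4 if seq_present else 0) + (4 if ack_present else 0)
    if len(data) < header_len:
        raise ValueError("truncated enhanced GRE header")
    offset, seq, ack = 8, None, None
    if seq_present:
        seq = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if ack_present:
        ack = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    payload = data[offset:]
    if len(payload) != payload_len:
        raise ValueError("payload length field %d does not match %d bytes" % (payload_len, len(payload)))
    # The Call ID names the *receiver's* session; it is the only demultiplexer
    # GRE offers, which is why a NAT without a PPTP helper cannot tell two
    # inside clients of the same server apart.
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


if __name__ == "__main__":
    print(parse_pptp_control(build_sccrq(b"win2k-client", b"Microsoft")))
    print(parse_pptp_gre(build_pptp_gre(5, b"\xff\x03\x00\x21abc", seq=1, ack=0)))
```

The length checks matter on a server or filter: the control-channel length field is attacker-controlled input, and a parser that trusts it without comparing it to the bytes actually received is the classic place for an over-read.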
From ajlill at ajlc.waterloo.on.ca Fri Oct 5 15:17:48 2001
From: ajlill at ajlc.waterloo.on.ca (Tony Lill)
Date: Fri, 05 Oct 2001 16:17:48 EDT
Subject: [pptp-server] Windows 2000 PoPToP connection problems...
Message-ID: <200110052017.f95KHm400406@spider.ajlc.waterloo.on.ca>

I've had problems with Win2K ignoring routing information, that is the information the route command prints is correct, but the packets go out the wrong interface. This usually happens when netmeeting is run.

Bring up the pptp connection, check that the route command prints out reasonable data, then sniff the packets coming up the ppp link, and if you can, going out the ethernet on the Win2K box. Ethereal is a good sniffer for this. There's both Linux and Windows versions of it.

Also, Win2k will sometimes NOT use the DNS information handed it by pptp, but I've never been able to pin down what configuration settings make this so. Make sure it's not just that you can't resolve the names.

--
Tony Lill, Tony.Lill at AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants                    fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2        (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"

From iso9 at phantasticant.com Fri Oct 5 15:25:56 2001
From: iso9 at phantasticant.com (Jordan Share)
Date: Fri, 5 Oct 2001 13:25:56 -0700
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To: <3BBDAFAA.F31BB415@romansys.com>

Sorry, I should have been more clear. IIRC == If I Recall Correctly. :)

What I was trying to say is that the "default install" of RedHat 7.1 (I think all that is necessary is the 2.4 kernel tho) will already automatically work with a PPTP client behind it. So, in that scenario, you have this layout:

192.168.0.3 -- client box behind nat
      |
192.168.0.1 -- linux 2.4 kernel NAT box
      |
w.x.y.z -- external ip of the linux NAT box
      |
  INTERNET
      |
a.b.c.d -- IP address of the PPTP server

As long as only one client behind the "linux 2.4 kernel NAT box" is connecting to a.b.c.d, it "just works".

Of course, you do need the MPPE encryption whatnot on the PPTP server. You have this already if you are using a windows box as the PPTP server, or you can apply the patches and compile your own ppp/pptpd.

Jordan

From neale at lowendale.com.au Fri Oct 5 19:55:13 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Sat, 6 Oct 2001 10:55:13 +1000 (EST)
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To: <20011005100859.G9098@greenspot.nwcgroup.com>

On Fri, 5 Oct 2001, Martin Feeney wrote:

> > 2) Does the basic package found in woody WITHOUT any patches support any
> > kind of encryption mechanism?
>
> Nope, but if you trust me not to do anything nasty, I can send you a .deb
> with mppe and smb-stripdomain patches.

If you've already done this with the ppp package in woody, then I'd be very interested in the procedure you used (I unpacked the source package and was most surprised to find what I now know to be DBS format - I'm still trying to locate documentation on the "correct" way of handling DBS).

Thanks,
Neale.
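Jordan's layout and Martin's "it'll only work for one machine behind each NAT firewall" come down to one property of the tunnel: GRE has no port numbers, so a NAT with no PPTP helper can only key its state on the server address, and return traffic from that server can be delivered to only one inside host. The model below is an added example (not from the list, PoPToP, or the Linux NAT code): it simulates a plain NAT and a PPTP-aware NAT that learns each client's Call ID from the TCP/1723 control channel and assigns a fresh public Call ID when two inside hosts picked the same one. The addresses are constructed, and the rewrite logic is modelled on what such a helper has to do rather than copied from any implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample addresses for the layout in Jordan's message.
CLIENT_A = "192.168.0.3"
CLIENT_B = "192.168.0.4"
PPTP_SERVER = "203.0.113.10"     # stands in for "a.b.c.d"
OTHER_SERVER = "203.0.113.20"    # a second, unrelated PPTP server


@dataclass
class PlainGreNat:
    """NAT without a PPTP helper. GRE carries no port numbers, so the only
    state it can keep for outbound protocol-47 traffic is 'inside host X is
    talking GRE to server Y'. Replies from Y can only be handed to one host."""
    owner: Dict[str, str] = field(default_factory=dict)   # server_ip -> inside_ip

    def outbound(self, inside_ip: str, server_ip: str) -> bool:
        """True if the packet can be translated; False if another inside host
        already owns the GRE 'flow' to that server."""
        current = self.owner.setdefault(server_ip, inside_ip)
        return current == inside_ip

    def inbound(self, server_ip: str) -> Optional[str]:
        """Which inside host receives GRE from server_ip (None if unknown)."""
        return self.owner.get(server_ip)


@dataclass
class PptpAwareNat:
    """NAT with a PPTP helper. It watches the TCP/1723 control channel to learn
    the Call ID each inside host chose, and demultiplexes inbound GRE on
    (server, call_id); inbound packets carry the receiver's Call ID. If two
    inside hosts chose the same Call ID for the same server, the helper hands
    out a fresh public Call ID and rewrites it in both directions (modelled
    here, not copied from any implementation)."""
    sessions: Dict[Tuple[str, int], str] = field(default_factory=dict)
    rewrites: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    next_public_id: int = 0x8000

    def register_call(self, inside_ip: str, server_ip: str, call_id: int) -> int:
        """Called when an Outgoing-Call-Request passes; returns the Call ID the
        server will see for this inside host."""
        public_id = call_id
        if (server_ip, public_id) in self.sessions:      # collision: rewrite
            public_id = self.next_public_id
            self.next_public_id += 1
        self.sessions[(server_ip, public_id)] = inside_ip
        self.rewrites[(inside_ip, server_ip, call_id)] = public_id
        return public_id

    def inbound(self, server_ip: str, call_id: int) -> Optional[str]:
        """Inside host for a GRE packet from server_ip carrying call_id."""
        return self.sessions.get((server_ip, call_id))


def run_scenario() -> dict:
    """Two Windows clients behind one NAT box, both dialling the same server."""
    plain = PlainGreNat()
    aware = PptpAwareNat()
    result = {}
    result["plain_first"] = plain.outbound(CLIENT_A, PPTP_SERVER)
    result["plain_second_same_server"] = plain.outbound(CLIENT_B, PPTP_SERVER)
    result["plain_second_other_server"] = plain.outbound(CLIENT_B, OTHER_SERVER)
    result["plain_inbound"] = plain.inbound(PPTP_SERVER)
    # Constructed collision case: both clients chose Call ID 1 for the same server.
    id_a = aware.register_call(CLIENT_A, PPTP_SERVER, 1)
    id_b = aware.register_call(CLIENT_B, PPTP_SERVER, 1)
    result["aware_ids"] = (id_a, id_b)
    result["aware_inbound_a"] = aware.inbound(PPTP_SERVER, id_a)
    result["aware_inbound_b"] = aware.inbound(PPTP_SERVER, id_b)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The plain model reproduces both statements from the thread: the second client to the same server fails, while a second client to a different server is fine. It also shows why a helper has to parse the control channel at all: the Call ID that GRE packets carry is negotiated over TCP/1723, so a NAT that never looks there has nothing to demultiplex on.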
From vorlon at netexpress.net Sat Oct 6 14:26:02 2001 From: vorlon at netexpress.net (Steve Langasek) Date: Sat, 6 Oct 2001 14:26:02 -0500 (CDT) Subject: [pptp-server] MSCHAPv2 + PPTP + RADIUS + Samba... guidance sought. Message-ID: Hello, My employer is in the process of deploying a wireless access solution which uses PPTP for security (since we all know WEP is useless, and IPSec is difficult when half of your potential customers run Win98). Our existing server-side infrastructure is all Linux-based, right down to the PDC for our NT domain, which is running on Samba 2.2.1a. We use RADIUS (freeradius) for authentication of all existing customers and for delivery of information such as static routes & session timeouts. The goal here is to have a PPTP server running on a Linux box that authenticates to the RADIUS server running freeradius, which then back-ends onto the Samba-based NT domain. Anyone gotten anywhere close to this, or will I effectively be building from scratch? :) I do see a 1999 mention of MSCHAPv2/MPPE patches for Linux ppp, but it's stated that this is a patch for portslave. My understanding is that portslave is only applicable when dealing with PPP over serial interfaces, so I'm not clear on how existing patches would be integrated with a PPTP solution. Is portslave the only Linux ppp software that currently supports RADIUS? If no one knows the answers, 'sok... I'll just fumble along until everything falls into place. But if anyone can give me a jump-start on this stuff, it would be much appreciated. :) Regards, Steve Langasek postmodern programmer From mattgav at bigpond.net.au Sun Oct 7 05:14:33 2001 From: mattgav at bigpond.net.au (Matthew Gavin) Date: Sun, 7 Oct 2001 20:14:33 +1000 Subject: [pptp-server] Windows 2000 Message-ID: Hi, I am having trouble connecting to my PoPToP VPN from a Windows 2000 client (It works perfectly with Windows 9x clients). 
I can connect successfully and there seems to be some temporary IP success, but I cannot contact any internal LAN Addresses. It seems to fail at "MPPE 128 bit, stateless compression enabled".

Interestingly, I only get the temporary traffic success as seen below if I have "Use Default gateway on Remote Network" selected.

Has anyone documented their success with a Windows 2000 client connecting? Can anyone tell me what might be happening here?

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.1.1.2: bytes=32 time=60ms TTL=252
Reply from 10.1.1.2: bytes=32 time=50ms TTL=252
Reply from 10.1.1.2: bytes=32 time=60ms TTL=252
Reply from 10.1.1.2: bytes=32 time=60ms TTL=252
Reply from 10.1.1.2: bytes=32 time=50ms TTL=252
Reply from 10.1.1.2: bytes=32 time=80ms TTL=252
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Thanks in advance.

Matt

From mattgav at tempo.com.au Sun Oct 7 05:18:06 2001
From: mattgav at tempo.com.au (Matthew Gavin)
Date: Sun, 7 Oct 2001 20:18:06 +1000
Subject: [pptp-server] Windows 2000
Message-ID:

Hi,

I am having trouble connecting to my PoPToP VPN from a Windows 2000 client (It works perfectly with Windows 9x clients).

I can connect successfully and there seems to be some temporary IP success, but I cannot contact any internal LAN Addresses. It seems to fail at "MPPE 128 bit, stateless compression enabled".

Interestingly, I only get the temporary traffic success as seen below if I have "Use Default gateway on Remote Network" selected.

Has anyone documented their success with a Windows 2000 client connecting? Can anyone tell me what might be happening here?

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.1.1.2: bytes=32 time=60ms TTL=252
Reply from 10.1.1.2: bytes=32 time=50ms TTL=252
Reply from 10.1.1.2: bytes=32 time=60ms TTL=252
Reply from 10.1.1.2: bytes=32 time=60ms TTL=252
Reply from 10.1.1.2: bytes=32 time=50ms TTL=252
Reply from 10.1.1.2: bytes=32 time=80ms TTL=252
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Thanks in advance.

Matt

From droman at romansys.com Sun Oct 7 13:20:42 2001
From: droman at romansys.com (Dean A. Roman)
Date: Sun, 07 Oct 2001 11:20:42 -0700
Subject: [pptp-server] pptpd questions/info newbie...
References: <3BBC3F4C.2B3314B0@romansys.com> <20011005100859.G9098@greenspot.nwcgroup.com>
Message-ID: <3BC09CFA.8E180F6C@romansys.com>

Martin Feeney wrote:

> On Thu, 04 Oct 2001 11:51:56 Dean Roman wrote:
>
> > 1) Will PPTP work with the win2k clients behind NAT'd firewalls (like a
> > cable modem running NAT)?
>
> This is your biggest problem - probably not unless you can port forward
> port 1723 and protocol forward protocol 47(GRE). And it'll only work for
> one machine behind each NAT firewall.
>
> > 2) Does the basic package found in woody WITHOUT any patches support any
> > kind of encryption mechanism?
>
> Nope, but if you trust me not to do anything nasty, I can send you a .deb
> with mppe and smb-stripdomain patches.
>

Any luck finding those patches for ppp w/ mppe for woody you were going to send?

>
> Then you can also install the kernel-patch-mppe package and apply it to
> your kernel.
>
> This should also take care of questions 3,4,6 and 7.
>
> > 5) Is the concept the same as that for a regular dialup connection using
> > ppp?
>
> Yes and no. The lcp/ppp protocols are the same (with the addition of mppe
> for encryption). The transport layer is over ip rather than over a
> telephone line, however.
>
> The client creates a tcp connection on port 1723 to the server.
> They have a
> little chat and open up an ip socket connection (protocol 47 - GRE) to
> contain the tunnel and run ppp over it.
>
> Other than that simple explanation, there are many, many FAQs and
> whitepapers you can read - most of them available at, or linked from
> http://poptop.lineo.com/
>
> Martin.

Thanks,
---Dean.

From vorlon at netexpress.net Sun Oct 7 13:49:06 2001
From: vorlon at netexpress.net (Steve Langasek)
Date: Sun, 7 Oct 2001 13:49:06 -0500 (CDT)
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To: <3BC09CFA.8E180F6C@romansys.com>
Message-ID:

Hello Dean,

On Sun, 7 Oct 2001, Dean A. Roman wrote:

> > > 2) Does the basic package found in woody WITHOUT any patches support any
> > > kind of encryption mechanism?

> > Nope, but if you trust me not to do anything nasty, I can send you a .deb
> > with mppe and smb-stripdomain patches.

> Any luck finding those patches for ppp w/ mppe for woody you were going to
> send?

I'm not the original poster, but I've just yesterday finished patching the Debian/woody ppp package to include mppe support (no smb-stripdomain yet). I can make this package available for download, but I'd first like to check w/ Michael Beattie about getting it included in the next official package release. Does anyone know of reasons why this mppe patch should not be included in the upstream releases as well (e.g., crypto laws or patent concerns)?
Steve Langasek
postmodern programmer

From jvonau at home.com Sun Oct 7 14:07:57 2001
From: jvonau at home.com (Jerry Vonau)
Date: Sun, 07 Oct 2001 14:07:57 -0500
Subject: [Fwd: [pptp-server] PATCHES to allow MS-Chap v2 auth using Xtradius]
Message-ID: <3BC0A80D.1621F947@home.com>

Found this in my mail; it may help, may not...

James MacLean wrote:
>
> Hi Folks,
>
> Second in the series of hacks to get MSChap v2 authentication out of
> chap-secrets and into somewhere easier to maintain :). Uses MySQL via 2
> simplistic perl scripts to add/modify users and access rules.
>
> No, this is not for the pizza :(.
>
> Please find for your development pleasure a combination of patches and
> scripts at :
>
> http://www.ednet.ns.ca/~macleajb/chap_crap-0.2.tgz
>
> The README is brief. The chances of cleanly installing it at this time are
> probably not above 60%. But don't let that stop you.
>
> When working, it will allow you to run a modified pppd which will use an
> xtradius server to get the NtHash password and use it for authentication.
> It will also send accounting start/stop to the server which can be used to
> setup filter rules, etc...
>
> It also includes the smbpasswd patches from the first effort.
>
> It still uses the rule that if a password is 32 bytes, it will use it as
> an NtHash password.
>
> The communication with the radius server is not the right way to do it.
> The authenticate request call always succeeds if the user exists and then
> returns with the NtHash in a CALLBACK response pair. I believe the more
> correct method would have been to send to the radius server a
> challenge/response and if valid return the same, but I took the short cut
> to see if I could get something working.
>
> One benefit of these patches/scripts is that it allows you to authorize
> access to only specific resources by making the accounting start/stop
> procedures of Xtradius build filters from the rules stored in a database.
>
> This system expects to give each user their own IP at this time.
>
> Later,
> JES
> --
> James B. MacLean        macleajb at ednet.ns.ca
> Department of Education http://www.ednet.ns.ca/~macleajb
> Nova Scotia, Canada
> B3M 4B2
>

The link still works!!! Here is the readme file:

******************************************************************************
*
* Chap Crap :
*
* Hack to allow pppd to do
* MS Chap v2 authentication using smbpasswd file and/or xtradius
* with the emphasis on xtradius.
*
* Radius to also be used for setting up access rules using filtering
* tools like ipchains.
*
* 2000-05-16 : James B. MacLean (macleajb at ednet.ns.ca)
*
******************************************************************************

BACKGROUND:

You have many sites (or not) that each have a secure tunnel back to your business network. You wish to allow access from these points but can not trust their local network to be free from sniffing.

You wish to allow access to resources to be controlled by user profiles so that access via the network to a resource is only granted if the signon userid has that resource included in their profile. Traffic to other resources is blocked from them. Perhaps an example is giving a consultant access to only one box that they are working on, instead of the current option of either letting them on your network, or not.

These remote users would make a PPTP connection to the remote PPPD daemon which authenticates them via the central xtradius server and brings up a link between them and the resources they wish to access.

That remote client can then be a Windows(tm) platform with MS Chap v2/MPPE 128bit stateless encryption.

Resources are allowed or removed using a WWW interface to update a MySQL database.

OPERATION:

. Remote user with PPTP requests connection to PPTPD.
. PPTPD uses modified PPPD to contact Xtradius on protected host at other end of tunnel (or on same box).
. Xtradius returns NtHash for PPPD to authenticate user with.
. If authentication is successful, accounting start request is sent to Xtradius, which it uses to run external script radrules.pl that creates rules to allow / restrict user access.
. These rules are read and applied from a MySQL database.
. Remote user then works by being connected in a controlled manner to protected network.
. Remote user logs off.
. PPPD sends accounting stop to Xtradius which again runs radrules.pl to remove filter rules, and update accounting on MySQL database.

INSTALLATION:

Instructions in short form to get mschap_v2 authentication using xtradius server, or to use smbpasswd file for same.

You need to have already installed and configured :

. radiusclient : http://www.cityline.net/~lf/radius/
. libsmbpw : http://www.mssl.ucl.ac.uk/~atp/comp/libsmb/
. MySQL as a database to use for userids : http://www.mysql.org/
. pptpd : http://www.moretonbay.com/vpn/pptp.html
. Others?

Then get :

. xtradius : http://www.xtradius.com/
. ppp-2.3.11 with MSCHAP/MPPE patches applied : ftp://ftp.linuxcare.com.au/pub/ppp/ + patches from ?
. AuthAccount : http://www.xtradius.com/download/AuthAccount-1.0.tar.gz

and recompile after applying the patches from this directory. There should be one for each application. You should look at each patch to see if you need all the changes that I made.

Make ntpasswd :

  gcc -g -o ntpasswd ntpasswd.c -L. -lsmbpw

and install where user.pl (discussed below) can access it to make NtPasswds from user passwds.

Use the database table layouts in radius.sql to create your MySQL tables. (It is a little different from the AuthAccount setup). This step will also likely involve setting up a user/password for this project.

Modify your /etc/raddb/users file to use the external checkmysql and radrules.pl. See users.sample file.
Make changes to radrules.pl and put somewhere protected (mod 700 ?) as it will be called when a person logs in and again when they log out.

Get access to rules.pl and user.pl via a webpage and use them for adding/modifying users, and modifying rules. Uses DBI::MySQL and CGI.pm stuff for perl.

User.pl shows two passwds. The first one is not used. The second one gets translated to an NtHash once saved (still more work to do here :)).

Modify /etc/ppp/chap-secrets to have a line like :

  * * !nothing *

for access using xtradius or :

  * * &/etc/smbpasswd *

if you only want access using /etc/smbpasswd hashes

*** Notes ***

. Currently only using NtHashes.
. Currently hacked so that it expects that if the password is 32 bytes, then it must be an NtHash.
. Currently missing scripts to route traffic between remote signin point and local authenticating server.

http://www.ednet.ns.ca/~macleajb/chap_crap-0.2.tgz

Later,
JES

Hope it helps.

Jerry Vonau

From vorlon at netexpress.net Sun Oct 7 14:09:36 2001
From: vorlon at netexpress.net (Steve Langasek)
Date: Sun, 7 Oct 2001 14:09:36 -0500 (CDT)
Subject: Licensing and MSCHAP binaries for pppd (Was: [pptp-server] pptpd questions/info newbie...)
In-Reply-To:
Message-ID:

> Does anyone know of reasons why this mppe patch should not be included in
> the upstream releases as well (e.g., crypto laws or patent concerns)?

Ah, I found the answer to this staring me in the face. There is a licensing issue here; the patch uses openssl headers to build, and these headers are under a license that's incompatible with the GPL -- it is not possible to distribute the resulting combination without express permission from the PPP authors. So I will not be distributing binary .deb packages at this time; however, I can make the patch available in a form that's well-suited for inclusion in a Debian package. If there's interest, let me know.
Also, I'm in the process of extending pppd's plugin support to include hooks for alternate CHAP authenticators, which is functionality that my specific application requires (authenticating PPTP connections against a RADIUS server instead of against a chap-secrets file). Depending on the license restrictions the pppd authors choose to place on their plugin API, it may be possible to provide MS-CHAPv2 support in the form of a freely-distributable plugin.

Cheers,
Steve Langasek
postmodern programmer

From droman at romansys.com Sun Oct 7 14:10:29 2001
From: droman at romansys.com (Dean A. Roman)
Date: Sun, 07 Oct 2001 12:10:29 -0700
Subject: [pptp-server] Does anyone have a PPP 2.4.1 .deb built with mppe for PPTP
Message-ID: <3BC0A8A5.969A2EC2@romansys.com>

Hello all,

Does anyone have a .deb file built for PPP 2.4.1 (in Debian woody) for mppe and PPTPD? Or know where to get one?

I would like to use PPTPD with encryption, and the only way is to rebuild the PPP daemon for it.

I have already rebuilt my 2.2.19 kernel with the kernel-mppe-patch.

Thanks,
---Dean.

From charlieb at e-smith.com Sun Oct 7 14:17:47 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Sun, 7 Oct 2001 15:17:47 -0400 (EDT)
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To:
Message-ID:

Hi Steve,

On Sun, 7 Oct 2001, Steve Langasek wrote:

> On Sun, 7 Oct 2001, Dean A. Roman wrote:
>
> > Any luck finding those patches for ppp w/ mppe for woody you were going to
> > send?
>
> I'm not the original poster, but I've just yesterday finished patching the
> Debian/woody ppp package to include mppe support (no smb-stripdomain yet). I
> can make this package available for download, but I'd first like to check w/
> Michael Beattie about getting it included in the next official package
> release.
> Does anyone know of reasons why this mppe patch should not be
> included in the upstream releases as well (e.g., crypto laws or patent
> concerns)?

I know that Paul Mackerras was concerned about crypto laws, but things have changed (who knows for how long).

Before we get the patches more widely distributed, I'd like to change the mppe-modified pppd to kernel interface so that the modified pppd will work with a standard ppp.o module. It doesn't at the moment because an oversize parameter block is used to pass encryption keys into the kernel for the mppe module to use. This is done via the ioctl handler of the ppp module. My idea is to change the interface so that only a pointer is passed, which will fit within the standard limit of 32 bytes. The mppe module would then upload the keys using copy from user to kernel space. We would then distribute the mppe modified pppd along with the mppe module, but use the standard ppp module.

Care to help me develop and test this change, Steve?

Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From vorlon at netexpress.net Sun Oct 7 15:17:47 2001
From: vorlon at netexpress.net (Steve Langasek)
Date: Sun, 7 Oct 2001 15:17:47 -0500 (CDT)
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To:
Message-ID:

Hi Charlie,

On Sun, 7 Oct 2001, Charlie Brady wrote:

> > I'm not the original poster, but I've just yesterday finished patching the
> > Debian/woody ppp package to include mppe support (no smb-stripdomain yet). I
> > can make this package available for download, but I'd first like to check w/
> > Michael Beattie about getting it included in the next official package
> > release. Does anyone know of reasons why this mppe patch should not be
> > included in the upstream releases as well (e.g., crypto laws or patent
> > concerns)?
> I know that Paul Mackerras was concerned about crypto laws, but things
> have changed (who knows for how long).

#include

MPPE is an encryption algorithm, and as such is regulated under US export law. As Open Source software, it is also covered by the TSU exemption of the EAR 740.13, which means it can be exported from the US without an export license so long as the source code is made publicly available and the government is notified prior to the export.

The MSCHAPv2 patch, OTOH, has licensing problems as described in my previous message. I know that Linux pppd includes a fair amount of source that is not covered under the GPL, and some of it may not even be covered by licenses that are compatible with the GPL; however, because it is the original authors of pppd who are doing this, there's an implicit license exception being granted. In the case of the third-party MSCHAP patch, no such permission can be assumed, and MSCHAP-enabled binaries should not be distributed until someone secures the appropriate permissions from Paul (et al., if appropriate).

From a crypto perspective, MSCHAPv2 doesn't pose any problems; there's no general-purpose (reversible) encryption involved, only message digesting, and it happens to be the same message digesting algorithm that Microsoft was selling internationally for years with NT under the old export laws.

I'm cc:ing Paul on this message in case he wants to comment on the licensing issue. Hopefully this is a current email for him; it's the one listed on the freshmeat ppp page.

Again (repeating for Paul's benefit), I'm currently trying to spec out some chap hooks for pppd because we have an application that requires all authentication requests (including MSCHAPv2) to be sent against a RADIUS server; so if this sort of approach would be more palatable than including MSCHAPv2 directly in the upstream ppp release, perhaps that would be an option.
> Before we get the patches more widely distributed, I'd like to change the
> mppe-modified pppd to kernel interface so that the modified pppd will work
> with a standard ppp.o module. It doesn't at the moment because an oversize
> parameter block is used to pass encryption keys into the kernel for the
> mppe module to use. This is done via the ioctl handler of the ppp module.
> My idea is to change the interface so that only a pointer is passed, which
> will fit within the standard limit of 32 bytes. The mppe module would then
> upload the keys using copy from user to kernel space. We would then
> distribute the mppe modified pppd along with the mppe module, but use the
> standard ppp module.

> Care to help me develop and test this change, Steve?

I think I would be amenable to that. Since my employer is in this for the long haul, the more of this stuff I can commoditize, the better. :)

Steve Langasek
postmodern programmer

From vorlon at netexpress.net Sun Oct 7 15:41:47 2001
From: vorlon at netexpress.net (Steve Langasek)
Date: Sun, 7 Oct 2001 15:41:47 -0500 (CDT)
Subject: [pptp-server] Does anyone have a PPP 2.4.1 .deb built with mppe for PPTP
In-Reply-To: <3BC0A8A5.969A2EC2@romansys.com>
Message-ID:

For the benefit of those on debian-user (this has already been discussed on pptp-server) --

There is currently a licensing question that prevents legal distribution of a pppd binary with MPPE/MS-CHAP support. I am currently pursuing this question with pppd upstream, and will provide either unofficial .debs, or step-by-step instructions for building such .debs, pending the outcome of the licensing discussion.

I understand that the MPPE support is not currently in a state fit for inclusion in the official Debian packages, because it makes pppd incompatible with unpatched kernels. This issue is also being looked into.

I am not currently subscribed to debian-user. Please direct any questions to the pptp-server mailing list or to me personally.
Regards,
Steve Langasek
postmodern programmer

On Sun, 7 Oct 2001, Dean A. Roman wrote:

> Hello all,
> Does anyone have a .deb file built for PPP 2.4.1 (in Debian woody) for
> mppe and PPTPD? Or know where to get one?
> I would like to use PPTPD with encryption, and the only way is to rebuild the PPP daemon for it.
> I have already rebuilt my 2.2.19 kernel with the kernel-mppe-patch.
> Thanks,
> ---Dean.

From neale at lowendale.com.au Sun Oct 7 17:04:58 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Mon, 8 Oct 2001 08:04:58 +1000 (EST)
Subject: [pptp-server] pppd, CHAP and RADIUS (was: Licensing and MSCHAP binaries for pppd)
In-Reply-To:
Message-ID:

On Sun, 7 Oct 2001, Steve Langasek wrote:

[...]
> Also, I'm in the process of extending pppd's plugin support to include hooks
> for alternate CHAP authenticators, which is functionality that my specific
> application requires (authenticating PPTP connections against a RADIUS server
> instead of against a chap-secrets file). Depending on the license
> restrictions the pppd authors choose to place on their plugin API, it may be
> possible to provide MS-CHAPv2 support in the form of a freely-distributable
> plugin.

It might be even simpler than that: RFC2865 section 2.2 clearly (at least to me it's clear ;-) states that where you are doing CHAP and RADIUS then the CHAP computations are in the RADIUS server - i.e. your NAS (in this case pppd) does NOT need to have any CHAP computations in it.

This should mean that MS-CHAP (ugh, but not MPPE :-( ) can live exclusively in the RADIUS server (e.g. see ftp://ftp.freeradius.org/pub/radius/contrib/mschap.tar.gz ). What pppd does need to know is then limited to negotiating MSCHAP auth in LCP and how to assemble the relevant RADIUS request and interpret the RADIUS response (see MS's "VENDOR" RADIUS A-V's) - which is not necessarily inconsistent with your suggestion of plugin CHAP authenticators.

Smart ideas on how to approach MPPE most gratefully accepted. Hmmm...
1) Is this what charlie was talking about solving?

2) Is this starting to turn into a Good Argument for L2TP/IPSec? ;-) Yes, at the end of the day all this does is move (some of) the problem.

HTH,
Neale.

From Josh.Howlett at bristol.ac.uk Sun Oct 7 17:02:11 2001
From: Josh.Howlett at bristol.ac.uk (Josh Howlett)
Date: Sun, 7 Oct 2001 23:02:11 +0100 (BST)
Subject: [pptp-server] MSCHAPv2 + PPTP + RADIUS + Samba... guidance sought.
In-Reply-To:
Message-ID:

Hi,

We're doing the same thing - running PPTP over 802.11 w/ no WEP and using MPPE for security (actually PPTP over PPPoE over 802.11). It works great.

We initially wanted it to integrate with our NT authentication, but you can't backend CHAP onto RADIUS via PAM. So, we then looked at dumping the NT password hashes into Samba passwd format, and using the smb poptop patch. But, it turns out MS-CHAP-v2 is vulnerable to a dictionary attack, so we dumped that (it worked :( ) in favour of mandatory random 10 character passwords. Yeah, the users loved it!

I'm in the process of knocking up a CDROM distribution that provides this functionality - let me know if you'd like an ISO.

cheers,
josh.

On Sat, 6 Oct 2001, Steve Langasek wrote:

> Hello,
>
> My employer is in the process of deploying a wireless access solution which
> uses PPTP for security (since we all know WEP is useless, and IPSec is
> difficult when half of your potential customers run Win98). Our existing
> server-side infrastructure is all Linux-based, right down to the PDC for our
> NT domain, which is running on Samba 2.2.1a. We use RADIUS (freeradius) for
> authentication of all existing customers and for delivery of information such
> as static routes & session timeouts.
>
> The goal here is to have a PPTP server running on a Linux box that
> authenticates to the RADIUS server running freeradius, which then back-ends
> onto the Samba-based NT domain.
>
> Anyone gotten anywhere close to this, or will I effectively be building from
> scratch?
> :)
>
> I do see a 1999 mention of MSCHAPv2/MPPE patches for Linux ppp, but it's
> stated that this is a patch for portslave. My understanding is that portslave
> is only applicable when dealing with PPP over serial interfaces, so I'm not
> clear on how existing patches would be integrated with a PPTP solution. Is
> portslave the only Linux ppp software that currently supports RADIUS?
>
> If no one knows the answers, 'sok... I'll just fumble along until everything
> falls into place. But if anyone can give me a jump-start on this stuff, it
> would be much appreciated. :)
>
> Regards,
> Steve Langasek
> postmodern programmer
>

---------------------------------------
Josh Howlett, Network Supervisor,
Networking & Digital Communications,
Information Systems & Computing,
University of Bristol, U.K.
0117 928 7850 | josh.howlett at bris.ac.uk
---------------------------------------

From vorlon at netexpress.net Sun Oct 7 19:41:36 2001
From: vorlon at netexpress.net (Steve Langasek)
Date: Sun, 7 Oct 2001 19:41:36 -0500 (CDT)
Subject: [pptp-server] MSCHAPv2 + PPTP + RADIUS + Samba... guidance sought.
In-Reply-To:
Message-ID:

On Sun, 7 Oct 2001, Josh Howlett wrote:

> We're doing the same thing - running PPTP over 802.11 w/ no WEP and
> using MPPE for security (actually PPTP over PPPoE over 802.11). It
> works great.

> We initially wanted it to integrate with our NT authentication, but you
> can't backend CHAP onto RADIUS via PAM. So, we then looked at dumping
> the NT password hashes into Samba passwd format, and using the smb
> poptop patch. But, it turns out MS-CHAP-v2 is vulnerable to a
> dictionary attack, so we dumped that (it worked :( ) in favour of
> mandatory random 10 character passwords. Yeah, the users loved
> it!
Hmm, it seems self-evident to me that any security built on top of user-chosen passwords is vulnerable to a dictionary attack. Even so, I admit I hadn't given much thought to this. There are still significant advantages for us if we can integrate this both with our RADIUS server and our NT domain, so we'll probably address the security questions by using centrally-assigned passwords.

> I'm in the process of knocking up a CDROM distribution that provides
> this functionality - let me know if you'd like an ISO.

If it doesn't make use of RADIUS and NT auth, I'm not sure how much use it would be to me. Thanks for the offer, though. :)

Regards,
Steve Langasek
postmodern programmer

From vorlon at netexpress.net Sun Oct 7 19:55:57 2001
From: vorlon at netexpress.net (Steve Langasek)
Date: Sun, 7 Oct 2001 19:55:57 -0500 (CDT)
Subject: [pptp-server] pppd, CHAP and RADIUS (was: Licensing and MSCHAP binaries for pppd)
In-Reply-To:
Message-ID:

On Mon, 8 Oct 2001, Neale Banks wrote:

> [...]
> > Also, I'm in the process of extending pppd's plugin support to include hooks
> > for alternate CHAP authenticators, which is functionality that my specific
> > application requires (authenticating PPTP connections against a RADIUS server
> > instead of against a chap-secrets file). Depending on the license
> > restrictions the pppd authors choose to place on their plugin API, it may be
> > possible to provide MS-CHAPv2 support in the form of a freely-distributable
> > plugin.

> It might be even simpler than that: RFC2865 section 2.2 clearly (at least
> to me it's clear ;-) states that where you are doing CHAP and RADIUS then
> the CHAP computations are in the RADIUS server - i.e. your NAS (in this
> case pppd) does NOT need to have any CHAP computations in it.

> This should mean that MS-CHAP (ugh, but not MPPE :-( ) can live
> exclusively in the RADIUS server (e.g. see
> ftp://ftp.freeradius.org/pub/radius/contrib/mschap.tar.gz ).
> What pppd
> does need to know is then limited to negotiating MSCHAP auth in LCP and
> how to assemble the relevant RADIUS request and interpret the RADIUS
> response (see MS's "VENDOR" RADIUS A-V's) - which is not necessarily
> inconsistent with your suggestion of plugin CHAP authenticators.

Certainly, this is true for my circumstances. I'm also interested in a solution for the general case, where RADIUS is not involved. I actually have the chap-radius plugin for pppd all but written at this point, and am working on verifying that freeradius's existing MSCHAP support works with MSCHAPv2 (which I suspect it does not -- yet).

> Smart ideas on how to approach MPPE most gratefully accepted. Hmmm...

Oh, and most of MPPE should sit in the kernel. So all in all, the pppd code doesn't have to be too ugly. :)

> 2) Is this starting to turn into a Good Argument for L2TP/IPSec? ;-)

Do either of those options allow me to control IP assignment using centralized radius servers? :) If not, then hacking on one is as good as hacking any other, I suppose. :)

Steve Langasek
postmodern programmer

From droman at romansys.com Sun Oct 7 20:16:05 2001
From: droman at romansys.com (Dean A. Roman)
Date: Sun, 07 Oct 2001 18:16:05 -0700
Subject: [pptp-server] PPTP w/debian chapmsv2
Message-ID: <3BC0FE55.A21358EF@romansys.com>

Hello all,

Just want to let everybody know that I have PPTPD working with Debian (woody) thanks to the support of a lot of people on this list. I especially want to thank Steve Langasek who DIDN'T give me the compiled .deb for PPP 2.4.1 under debian(woody), but pointed me in the right direction and let me discover for myself the joys of patching. Also thanks to Neale Banks who gave me some good pointers.

By the way, just a note of interest: I have PPTPD working on a machine that is also using FreeS/WAN for direct site to site VPN services.

Thanks to all...
---Dean.
From charlieb at e-smith.com Sun Oct 7 20:20:01 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Sun, 7 Oct 2001 21:20:01 -0400 (EDT)
Subject: [pptp-server] pppd, CHAP and RADIUS (was: Licensing and MSCHAP binaries for pppd)
In-Reply-To:
Message-ID:

On Sun, 7 Oct 2001, Steve Langasek wrote:

> > Smart ideas on how to approach MPPE most gratefully accepted. Hmmm...
>
> Oh, and most of MPPE should sit in the kernel. So all in all, the pppd code
> doesn't have to be too ugly. :)

Yeah, right. MPPE and its options need to be negotiated using CCP, then the encryption engine in the mppe module needs to be initialised. Then you need to handle the difference between stateless and stateful encryption - which I maintain the widely available patches do not do correctly.

Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From martin at tuatha.org Mon Oct 8 05:16:24 2001
From: martin at tuatha.org (Martin Feeney)
Date: Mon, 8 Oct 2001 11:16:24 +0100
Subject: [pptp-server] pptpd questions/info newbie...
In-Reply-To: ; from neale@lowendale.com.au on Sat, Oct 06, 2001 at 01:55:13 +0100
References: <20011005100859.G9098@greenspot.nwcgroup.com>
Message-ID: <20011008111624.C25374@greenspot.nwcgroup.com>

On Sat, 06 Oct 2001 01:55:13 Neale Banks wrote:
> If you've already done this with the ppp package in woody, then I'd be
> very interested in the procedure you used (I unpacked the source package
> and was most surprised to find what I now know to be DBS format - I'm
> still trying to locate documentation on the "correct" way of handling
> DBS).

Sorry for the delay - didn't read email at the weekend.

If you apt-get source ppp. Then in the ppp-2.4.1 dir you'll see a debian dir. Under that you'll see a patches dir.
There's a bunch of numbered patches that debian apply to the standard distribution. What I've done is added 998ppp-mppe.diff and 999stripMSDomain.diff to that dir. Then from the ppp-2.4.1 dir (back up two), run dpkg-buildpackage and it'll build a .deb for you. Some of the patches required some modifications for 2.4.1.

Have a look at http://greenspot.ie.nwcgroup.com/ppp/ for the patches and the deb.

Just remember to put the ppp package on hold so it doesn't get overwritten by the non-mppe ppp package next time you do an apt-get upgrade.

Martin.

From ybzhg at hotmail.com Mon Oct 8 22:07:07 2001
From: ybzhg at hotmail.com (zhang.yb)
Date: Tue, 9 Oct 2001 11:07:07 +0800
Subject: [pptp-server] encryption and authentification?

Hi,

I have a pptp server running in linux set up on my office LAN.

Red Hat 6.2
Kernel rpm RedHat 2.2.19-6.2.7
Server pptpd PoPToP v1.0.1
pppd-2.3.11

I can connect to the server from a PPTP client (the pptp client is Win2K), and ping to it fine. The options file is as follows:

--cut from /etc/ppp/options--
name vip
noauth
#require-chap
proxyarp
--end of cut--

After I changed some items in /etc/ppp/options

--cut from /etc/ppp/options--
name vip
auth          #changed
require-chap  #changed
proxyarp
--end of cut--

it is an error to establish the VPN connection. The client's error number is 619. Can you tell me how to establish a VPN connection which includes encryption and authentication? Thanks!

Best wishes!

From neale at lowendale.com.au Mon Oct 8 22:48:26 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Tue, 9 Oct 2001 13:48:26 +1000 (EST)
Subject: [pptp-server] encryption and authentification?

On Tue, 9 Oct 2001, zhang.yb wrote:

[...]
> After i changed some items in /etc/ppp/options
> --cut from /etc/ppp/options--
> name vip
> auth #changed
> require-chap #changed
> proxyarp
> --end of cut--
>
> it is a error to establish VPN connection.the client's error number is 619
> can you tell how to establish VPN connection which include encryption and
> authentification.thanks!

According to http://support.microsoft.com/support/kb/articles/Q163/1/11.asp 619 is "The port is disconnected." - which doesn't tell us much other than that probably the server closed the connection.

Can you get pppd debug from the server and show us that?

Neale.

From ybzhg at hotmail.com Tue Oct 9 01:40:56 2001
From: ybzhg at hotmail.com (zhang.yb)
Date: Tue, 9 Oct 2001 14:40:56 +0800
Subject: [pptp-server] encryption and authentification?

Hi,

The pptp server reports these errors:

pppd: The remote system is required to authenticate itself.
pppd: but i could't find any suitable secret (password) for it to use to do so.
pppd: (None of the available passwords would let it to use an Ip address)

Can you tell me the whole process of establishing a VPN through pptp and what it needs?

Best regards.
From neale at lowendale.com.au Tue Oct 9 02:56:59 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Tue, 9 Oct 2001 17:56:59 +1000 (EST)
Subject: [pptp-server] encryption and authentification?

On Tue, 9 Oct 2001, zhang.yb wrote:

> hi,
> the pptp-server report this errors:
> pppd: The remote system is required to authenticate itself.
> pppd: but i could't find any suitable secret (password) for it to use to do so.
> pppd: (None of the available passwords would let it to use an Ip address)
>
> Can you tell me a whole process of establish VPN through pptp and what they needs.

Did you put anything in the /etc/ppp/chap-secrets file?

Regards,
Neale.

From ybzhg at hotmail.com Tue Oct 9 03:19:54 2001
From: ybzhg at hotmail.com (zhang.yb)
Date: Tue, 9 Oct 2001 16:19:54 +0800
Subject: [pptp-server] encryption and authentification?

Hi,

this is my /etc/ppp/chap-secrets file:

vip * vip

By the way, I use uClibc instead of glibc, and when compiling ppp I deleted some functions such as PAM. Is that wrong? Have you done the same thing?

Best regards.
From neale at lowendale.com.au Tue Oct 9 03:38:45 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Tue, 9 Oct 2001 18:38:45 +1000 (EST)
Subject: [pptp-server] encryption and authentification?

On Tue, 9 Oct 2001, zhang.yb wrote:

> Hi,
>
> this is my /etc/ppp/chap-secrets file:
> vip * vip

You need to put something (either an ip-address or an asterisk) in the fourth column. See "man 8 pppd" and search for chap-secrets.

> by the way, I use Uclibc instead of Glibc, and when compile ppp,i delete some functions such as PAM.
> is it wrong?have you do the same things?

I've never tried that.

Neale.

From PReid at candesco.com Tue Oct 9 09:46:32 2001
From: PReid at candesco.com (Patrick Reid)
Date: Tue, 9 Oct 2001 10:46:32 -0400
Subject: [pptp-server] Poor Man's PPTP/Samba password integration

I know that there is a patch out there to allow people to authenticate using smbpasswd. But, if you are like me and have had to set up your users with entries in the smbusers file so that they can log in as "Joe Bloggs" instead of "jbloggs", this patch doesn't work.

I was about to implement a further modification to get pppd to check the smbusers file first and replace the name with the mapped name if appropriate (which would have been rough as I am nobody's idea of a C programmer) when it occurred to me that I could use Samba's unix password sync and related options to take care of this. As follows:

Modify smb.conf to contain

unix password sync = Yes
passwd program = /samba/pptp_passwd.d/vpn_linux_passwd %u
passwd chat = *New*password* %n\n *successfully*

Create a script called vpn_linux_passwd in the appropriate directory. Yes, I know, it puts all passwords in plaintext.
But the folder is not accessible from any Samba share and both the directory and the file have their perms set to 700 and owned by root. I figure if someone can read files which are supposed to only be visible to root, I have more problems than my users' password integrity!

My vpn_linux_passwd script is as follows:

_______________________________________________
#!/bin/bash
#
# This script is designed to allow Samba to both change the Linux password
# and the chap password file when it updates the Samba password. Basically, it
# makes "unix password sync = true" be equivalent to a (fictitious) "unix &
# pptp password sync = true"
#
if [ -z "$1" ]; then
    echo "usage: $0 username"
    exit 1
fi

# Samba feeds the new password on stdin, as configured by "passwd chat"
echo -n "New password: "
read NEWPASS

rm -f /pass.tmp
echo "$NEWPASS" | /usr/bin/passwd --stdin "$1" > /pass.tmp 2>&1
grep successfully /pass.tmp >/dev/null
if [ $? -eq 0 ]; then
    # the Linux password changed, so write the same secret to the per-user
    # file that chap-secrets points at with @/samba/pptp_passwd.d/<user>
    echo \"$NEWPASS\" >/samba/pptp_passwd.d/"$1"
    chown root. /samba/pptp_passwd.d/"$1"
    chmod 600 /samba/pptp_passwd.d/"$1"
    cat /pass.tmp
    rm -f /pass.tmp
    exit 0
else
    echo "Password change attempt failed."
    rm -f /pass.tmp
    exit 1
fi
___________________________________________________

My chap-secrets file has entries that look like this for each user (note that I am using the chapms-strip-domain patch):

"Joe Bloggs" * @/samba/pptp_passwd.d/jbloggs *
"jbloggs" * @/samba/pptp_passwd.d/jbloggs *

So no matter how my users authenticate; long or short form, with or without DOMAIN\user format, they are OK. And I only have to do the initial setup; no on-going maintenance.

Patrick Reid

From PReid at candesco.com Tue Oct 9 09:50:52 2001
From: PReid at candesco.com (Patrick Reid)
Date: Tue, 9 Oct 2001 10:50:52 -0400
Subject: [pptp-server] RE: Poor Man's PPTP/Samba password integration

Oops. Note that word wrap messed up my introductory comment lines; the line with just "it" in it should be at the end of the previous line.

Patrick

From RLDITTO at BRIGHT.NET Tue Oct 9 14:08:45 2001
From: RLDITTO at BRIGHT.NET (JOE)
Date: Tue, 9 Oct 2001 15:08:45 -0400
Subject: [pptp-server] TEST
Message-ID: <005f01c150f5$d1f6b320$1f00a8c0@backdog>

From RLDITTO at BRIGHT.NET Tue Oct 9 14:15:44 2001
From: RLDITTO at BRIGHT.NET (JOE)
Date: Tue, 9 Oct 2001 15:15:44 -0400
Subject: [pptp-server] HELP
Message-ID: <007d01c150f6$cc152800$1f00a8c0@backdog>

I've got poptop running properly on a server and I can reach it from anywhere, except from one of my clients' offices. They are using DSL service through a company called Corrcomm in Columbus, Ohio. They have a Flowpoint 2200 router. I have firewalling turned off and the client still can't get through; he's getting error 650. I've looked through the setup guide and read that there are some DSL companies that block this type of traffic. I even tried telneting into the router and adding arguments like

sys addserver 192.168.0.18 47 0
sys addserver 192.168.0.18 tcp 1723

but this only really applies to incoming traffic and the client still can't get out even though their machine has the correct IP address. Help?!! If you need any other specs let me know.
Thanks,
Joe Ditto

From vorlon at netexpress.net Tue Oct 9 14:23:50 2001
From: vorlon at netexpress.net (Steve Langasek)
Date: Tue, 9 Oct 2001 14:23:50 -0500 (CDT)
Subject: [pptp-server] HELP
In-Reply-To: <007d01c150f6$cc152800$1f00a8c0@backdog>

On Tue, 9 Oct 2001, JOE wrote:

> I've got poptop running properly on a server and i can reach it from
> anywhere, except from one of my clients offices. they are using dsl service
> through a company called corrcomm in columbus ohio. they have a flowpoint
> 2200 router i have firewalling turned off and the client still can't get
> through he's getting error 650. I've looked through the setup guide and read
> that their are some dsl companys that block this type of traffic i even
> tried telneting into the router and adding arguments like
> sys addserver 192.168.0.18 47 0
> sys addserver 192.168.0.18 tcp 1723
> but this only really applies to incoming traffic and the client still can't
> get out even though their machine has the correct i p address.

PPTP depends on being able to send GRE packets (not just tcp or udp) through your firewall. If the DSL router at the remote office does not forward GRE traffic through the NAT firewall, and cannot be configured to do so, you will only be able to use PPTP from that location if you get additional public IP addresses from the DSL provider.

Steve Langasek
postmodern programmer

From dave at convio.com Tue Oct 9 18:05:56 2001
From: dave at convio.com (David Crooke)
Date: Tue, 09 Oct 2001 18:05:56 -0500
Subject: [pptp-server] PPTP and Linux clients - no packets?
Message-ID: <3BC382D4.D7750093@convio.com>

This may be a semi-newbie question.......

I am trying to get a PPTP client on Linux to connect to our PPTP server (also Linux, PoPToP).
The server we have been running for several months, and it works more or less flawlessly with Windows clients (98, NT, 2k) - it does occasionally lock up a connection or the whole PPTP setup.

The client is Red Hat 7.1 (Linux 2.4.2)
The PoPToP server is running Linux 2.2.12 (RH6.1) with PPPD 2.3.10 and PoPToP 1.0.0

I searched the web and found a variety of conflicting advice, varying from "just install this, this and that" to "you have to apply this and that patch, do this, use these exact versions of everything, and fix this and this bug". Here are some URLs I looked at:

http://www.sigpipe.org:8080/vpn/pptp.html
http://poptop.lineo.com/setup_pptp_client.html
http://www.rhapsodyk.net/adsl/HOWTO/
http://tiki-lounge.com/~ben/software/pptp.html

And I ended up pulling a tarball from here which has all the sources and patches for security (MPPE etc.):

http://pptpclient.sourceforge.net/

The client is using pppd 2.4.0 and PPTP 1.0.2

Side note: one thing I initially found confusing is that a lot of people just assume that if you're using PPP it's because it's dialup or some other point to point setup (PPPoE over DSL) and that the PPTP VPN is the only connection running down that interface - what I'm trying to set up is VPN in its purest sense, over an existing ethernet (cable modem) connection.

I have got to the state where I can type pptp server.name.com and it will connect and authenticate with CHAP, set up the tunnel with or without encryption (BSD Deflate type 15 or MPPE 128 bit type 18) and often exchange a couple of packets - sometimes I can ping the remote end of the tunnel, and if I set up an appropriate route entry, I can sometimes ping things on the LAN attached to it, sometimes not. When ping works, I can also get the start of a telnet session going - the SYN and ACK packets appear to pass without incident (I get the message "Connected to server ....."), but then the telnet session just hangs, no login prompt.
Sometimes, when ping doesn't work, I get messages like this:

Oct 9 17:42:57 poptop-server pptpd[988]: GRE: read(fd=5,buffer=804d7e0,len=8196) from PTY failed: status = -1 error = Input/output error
Oct 9 17:42:57 poptop-server pptpd[988]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)

I also get some cases where, if I use MPPE-128, the client complains that the server needs to authenticate itself, even though I have noauth in the /etc/ppp/options file.

Below is some log output from a semi-successful connection, done with deflate 15 mode (no encryption): 45.67.89.0/24 is the subnet of the server and LAN, 12.34.56.789 is the client's real IP (cable modem). The third bit of log is the result of doing the iptables command below on the client after connecting, and then setting a route at the client end for that IP and trying to ping and telnet from other machines on the LAN to the IP at the client's end of the tunnel - the behaviour in telnetting from the client to the LAN (or VPN server) is identical:

iptables -I INPUT -d 45.67.89.0/24 -j LOG

I'm stumped - something is choking but I can't figure out where.
Any advice welcome

Cheers
Dave

Server Log

Oct 9 17:43:47 poptop-server pptpd[1043]: CTRL: Client 12.34.56.789 control connection started
Oct 9 17:43:48 poptop-server pptpd[1043]: CTRL: Starting call (launching pppd, opening GRE)
Oct 9 17:43:54 poptop-server pppd[1044]: pppd 2.3.10 started by root, uid 0
Oct 9 17:43:54 poptop-server pppd[1044]: Using interface ppp2
Oct 9 17:43:54 poptop-server pppd[1044]: Connect: ppp2 <--> /dev/pts/3
Oct 9 17:43:54 poptop-server pptpd[1043]: GRE: Discarding duplicate packet
Oct 9 17:43:57 poptop-server pppd[1044]: MSCHAP-v2 peer authentication succeeded for cmurray
Oct 9 17:43:58 poptop-server pppd[1044]: found interface eth0 for proxy arp
Oct 9 17:43:58 poptop-server pppd[1044]: local IP address 45.67.89.231
Oct 9 17:43:58 poptop-server pppd[1044]: remote IP address 45.67.89.241
Oct 9 17:43:58 poptop-server pppd[1044]: Deflate (15) compression enabled

Client Log

Oct 9 17:39:49 client pppd[22142]: pppd 2.4.0 started by root, uid 0
Oct 9 17:39:49 client pppd[22142]: Using interface ppp0
Oct 9 17:39:49 client pppd[22142]: Connect: ppp0 <--> /dev/ttya0
Oct 9 17:39:58 client pppd[22142]: Remote message: S=0904759F0D01F9B7F74F54C516DAD7892A85B4F0
Oct 9 17:39:58 client pppd[22142]: Deflate (15) compression enabled
Oct 9 17:39:58 client pppd[22142]: local IP address 45.67.89.241
Oct 9 17:39:58 client pppd[22142]: remote IP address 45.67.89.231

iptables on client - catching inbound packets sent to 45.67.89.0/24 subnet (i.e. ppp0 interface)

Oct 9 17:49:42 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.17 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=56018 PROTO=ICMP TYPE=8 CODE=0 ID=35371 SEQ=0
Oct 9 17:49:44 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.17 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=56075 PROTO=ICMP TYPE=8 CODE=0 ID=35371 SEQ=512
Oct 9 17:49:46 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.17 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=56130 PROTO=ICMP TYPE=8 CODE=0 ID=35371 SEQ=1024
Oct 9 17:49:48 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.17 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=56198 PROTO=ICMP TYPE=8 CODE=0 ID=35371 SEQ=1536
Oct 9 17:49:50 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.17 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=56253 PROTO=ICMP TYPE=8 CODE=0 ID=35371 SEQ=2048
Oct 9 17:49:52 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.17 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=56310 PROTO=ICMP TYPE=8 CODE=0 ID=35371 SEQ=2560
Oct 9 17:50:05 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=13904 PROTO=ICMP TYPE=8 CODE=0 ID=51209 SEQ=256
Oct 9 17:50:07 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=14230 PROTO=ICMP TYPE=8 CODE=0 ID=51209 SEQ=768
Oct 9 17:50:09 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=14261 PROTO=ICMP TYPE=8 CODE=0 ID=51209 SEQ=1280
Oct 9 17:50:21 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14705 DF PROTO=TCP SPT=1320 DPT=23 WINDOW=32120 RES=0x00 SYN URGP=0
Oct 9 17:50:21 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14705 DF PROTO=TCP SPT=1320 DPT=23 WINDOW=32120 RES=0x00 SYN URGP=0
Oct 9 17:50:22 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=1020 DF PROTO=TCP SPT=1319 DPT=23 WINDOW=32120 RES=0x00 ACK PSH URGP=0
Oct 9 17:50:25 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=14710 DF PROTO=TCP SPT=1320 DPT=23 WINDOW=32120 RES=0x00 ACK URGP=0
Oct 9 17:50:26 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=14712 DF PROTO=TCP SPT=1320 DPT=23 WINDOW=32120 RES=0x00 ACK URGP=0
Oct 9 17:50:40 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=15127 DF PROTO=TCP SPT=1320 DPT=23 WINDOW=32120 RES=0x00 ACK PSH URGP=0
Oct 9 17:50:40 alba kernel: IN=ppp0 OUT= MAC= SRC=45.67.89.56 DST=45.67.89.241 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=15130 DF PROTO=TCP SPT=1320 DPT=23 WINDOW=32120 RES=0x00 ACK URGP=0
ID=51366 DF PROTO=TCP SPT=2374 DPT=25 WINDOW=32120 RES=0x00 SYN URGP=0

--
David Crooke, Chief Technology Officer
Convio Inc. - the online partner for nonprofits
4801 Plaza on the Lake, Suite 1500, Austin TX 78746
Tel: (512) 652 2600 - Fax: (512) 652 2699

From dave at convio.com Tue Oct 9 18:44:24 2001
From: dave at convio.com (David Crooke)
Date: Tue, 09 Oct 2001 18:44:24 -0500
Subject: [pptp-server] PPTP and Linux clients - no packets?
References: <3BC382D4.D7750093@convio.com>
Message-ID: <3BC38BD8.39A63B33@convio.com>

Further diagnostic - have made various tests with ping -s and different MTU settings, both to and from pipe endpoints and separate machines on the server LAN; in every case, the largest packet which will pass through the pipe intact is 313 bytes gross size (ping -s 285). No larger packets will pass, all packets this size or smaller do.

Also, the response time for ping is a bit degraded; round trip ping down the tunnel is around 130ms average, vs around 70ms outside.

--
David Crooke, Chief Technology Officer, Convio Inc.

From dave at convio.com Tue Oct 9 19:17:54 2001
From: dave at convio.com (David Crooke)
Date: Tue, 09 Oct 2001 19:17:54 -0500
Subject: [pptp-server] PPTP and Linux clients - no packets?
References: <3BC382D4.D7750093@convio.com> <3BC38BD8.39A63B33@convio.com>
Message-ID: <3BC393B2.A9E6370A@convio.com>

David Crooke wrote:
>
> Further diagnostic - have made various tests with ping -s and
> different MTU settings, both to and from pipe endpoints and separate
> machines on the server LAN; in every case, the largest packet which
> will pass through the pipe intact is 313 bytes gross size (ping -s
> 285). No larger packets will pass, all packets this size or smaller
> do.
>

Curiouser and curiouser - actually, it only passes every second packet - the icmp_seq numbers that ping prints out go 0, 2, 4, 6, 8 or 1, 3, 5, 7, 9, etc. - this seems to be independent of packet size, below the 313 barrier.

--
David Crooke, Chief Technology Officer, Convio Inc.

From ybzhg at hotmail.com Wed Oct 10 01:42:06 2001
From: ybzhg at hotmail.com (zhang.yb)
Date: Wed, 10 Oct 2001 14:42:06 +0800
Subject: [pptp-server] encryption and authentification?

Hi,

After I changed the /etc/ppp/chap-secrets to:

vip * vip *

the authentication is now OK, thanks a lot. But if encryption is needed, it goes wrong: error 741 when the client logs on. My ppp is ppp-2.3.11; can you tell me what I need to do?

Best wishes!
From MarekButas at seznam.cz Wed Oct 10 04:23:33 2001
From: MarekButas at seznam.cz (Marek Butas)
Date: Wed, 10 Oct 2001 11:23:33 +0200 (CEST)
Subject: [pptp-server] Cannot ping
Message-ID: <836.2253-6181-1117768906-1002705813@seznam.cz>

Hi, first thanks for the how-to, I compiled the kernel and now I am a little bit further. But I do have some major problems: I cannot connect with clients to other machines other than the pptp server. I looked for the answer in the archives, but it didn't help. And yes, I use the proxyarp option and the remote clients are in the same subnet. Also, from the server I cannot ping the connected remote clients. I guess this is why NetBEUI is not working as well.

Thanks for any suggestions.

Marek Butas

Here is the log

Oct 10 10:55:45 indus pptpd[5029]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 10 10:55:45 indus pptpd[5029]: CTRL: local address = 10.0.1.2
Oct 10 10:55:45 indus pptpd[5029]: CTRL: remote address = 10.0.1.21
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Client 10.0.0.2 control connection started
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Received PPTP Control Message (type: 1)
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Made a START CTRL CONN RPLY packet
Oct 10 10:55:45 indus pptpd[5029]: CTRL: I wrote 156 bytes to the client.
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Sent packet to client
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Received PPTP Control Message (type: 7)
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Set parameters to 152 maxbps, 3 window size
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Made a OUT CALL RPLY packet
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Starting call (launching pppd, opening GRE)
Oct 10 10:55:45 indus pptpd[5029]: CTRL: pty_fd = 4
Oct 10 10:55:45 indus pptpd[5029]: CTRL: tty_fd = 5
Oct 10 10:55:45 indus pptpd[5030]: CTRL (PPPD Launcher): Connection speed = 115200
Oct 10 10:55:45 indus pptpd[5030]: CTRL (PPPD Launcher): local address = 10.0.1.2
Oct 10 10:55:45 indus pptpd[5030]: CTRL (PPPD Launcher): remote address = 10.0.1.21
Oct 10 10:55:45 indus pptpd[5029]: CTRL: I wrote 32 bytes to the client.
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Sent packet to client
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Received PPTP Control Message (type: 15)
Oct 10 10:55:45 indus pppd[5030]: pppd 2.4.0 started by root, uid 0
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 10 10:55:45 indus pppd[5030]: using channel 2
Oct 10 10:55:45 indus pppd[5030]: Using interface ppp0
Oct 10 10:55:45 indus pppd[5030]: Connect: ppp0 <--> /dev/pts/1
Oct 10 10:55:45 indus pppd[5030]: sent [LCP ConfReq id=0x1 ]
Oct 10 10:55:45 indus pppd[5030]: rcvd [LCP ConfReq id=0x0 < 0d 03 06>]
Oct 10 10:55:45 indus pppd[5030]: sent [LCP ConfRej id=0x0 < 0d 03 06>]
Oct 10 10:55:45 indus pppd[5030]: rcvd [LCP ConfAck id=0x1 ]
Oct 10 10:55:45 indus pppd[5030]: rcvd [LCP ConfReq id=0x1 ]
Oct 10 10:55:45 indus pppd[5030]: sent [LCP ConfAck id=0x1 ]
Oct 10 10:55:45 indus pppd[5030]: sent [CHAP Challenge id=0x1 <5811f5c8be973a1efa3ac9bb1c09b56c>, name = "indus.intern"]
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Received PPTP Control Message (type: 15)
Oct 10 10:55:45 indus pppd[5030]: rcvd [LCP code=0xc id=0x2 00 00 43 ee 4d 53 52 41 53 56 34 2e 30 30]
Oct 10 10:55:45 indus pptpd[5029]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 10 10:55:45 indus pppd[5030]: sent [LCP CodeRej id=0x2 0c 02 00 12 00 00 43 ee 4d 53 52 41 53 56 34 2e 30 30]
Oct 10 10:55:46 indus pppd[5030]: rcvd [LCP code=0xc id=0x3 00 00 43 ee 4d 53 52 41 53 2d 31 2d 4e 54 42 52]
Oct 10 10:55:46 indus pppd[5030]: sent [LCP CodeRej id=0x3 0c 03 00 14 00 00 43 ee 4d 53 52 41 53 2d 31 2d 4e 54 42 52]
Oct 10 10:55:46 indus pppd[5030]: rcvd [CHAP Response id=0x1 <01b7e23353fa09453b43bf7f1558103500000000000000003af9b395859243c993c70311ea1e5c58f64648e11704f36300>, name = "MEGOS\\br"]
Oct 10 10:55:46 indus pppd[5030]: sent [CHAP Success id=0x1 "S=D3F208CEC6675E3792A6403D5AE1757E4F1B6835"]
Oct 10 10:55:46 indus pppd[5030]: sent [IPCP ConfReq id=0x1 ]
Oct 10 10:55:46 indus pppd[5030]: sent [CCP ConfReq id=0x1 ]
Oct 10 10:55:46 indus pppd[5030]: MSCHAP-v2 peer authentication succeeded for MEGOS\\br
Oct 10 10:55:46 indus pppd[5030]: rcvd [CCP ConfReq id=0x4 ]
Oct 10 10:55:46 indus pppd[5030]: sent [CCP ConfNak id=0x4 ]
Oct 10 10:55:46 indus pppd[5030]: rcvd [IPCP ConfReq id=0x5 ]
Oct 10 10:55:46 indus pppd[5030]: sent [IPCP ConfNak id=0x5 ]
Oct 10 10:55:46 indus pppd[5030]: rcvd [IPCP ConfRej id=0x1 ]
Oct 10 10:55:46 indus pppd[5030]: sent [IPCP ConfReq id=0x2 ]
Oct 10 10:55:46 indus pppd[5030]: rcvd [CCP ConfRej id=0x1 ]
Oct 10 10:55:46 indus pppd[5030]: sent [CCP ConfReq id=0x2 ]
Oct 10 10:55:46 indus pppd[5030]: rcvd [CCP ConfReq id=0x6 ]
Oct 10 10:55:46 indus pppd[5030]: sent [CCP ConfAck id=0x6 ]
Oct 10 10:55:46 indus pppd[5030]: rcvd [IPCP ConfReq id=0x7 ]
Oct 10 10:55:46 indus pppd[5030]: sent [IPCP ConfAck id=0x7 ]
Oct 10 10:55:46 indus pppd[5030]: rcvd [IPCP ConfAck id=0x2 ]
Oct 10 10:55:46 indus pppd[5030]: found interface eth0 for proxy arp
Oct 10 10:55:46 indus pppd[5030]: local IP address 10.0.1.2
Oct 10 10:55:46 indus pppd[5030]: remote IP address 10.0.1.21
Oct 10 10:55:47 indus pppd[5030]: Script /etc/ppp/ip-up started (pid 5046)
Oct 10 10:55:47 indus pppd[5030]: sent [CCP ConfReq id=0x3 ]
Oct 10 10:55:47 indus pppd[5030]: Script /etc/ppp/ip-up finished (pid 5046), status = 0x0
Oct 10 10:55:47 indus pppd[5030]: rcvd [CCP ConfAck id=0x3 ]
Oct 10 10:55:47 indus pppd[5030]: MPPE 40 bit, stateless compression enabled
Oct 10 10:56:45 indus pptpd[5029]: CTRL: Received PPTP Control Message (type: 5)
Oct 10 10:56:45 indus pptpd[5029]: CTRL: Made a ECHO RPLY packet
Oct 10 10:56:45 indus pptpd[5029]: CTRL: I wrote 20 bytes to the client.

From grj at lincom.no Wed Oct 10 06:05:59 2001
From: grj at lincom.no (Gustav Jansen)
Date: Wed, 10 Oct 2001 13:05:59 +0200 (CEST)
Subject: [pptp-server] patches for kernel-2.4.9 and pppd-2.4.1

Hi!

I have searched the mailing list, and the FAQ, and just about every site referred to in the documentation, but I can't find the appropriate patches for my system. I need the openssl-0.9.6a patch for both kernel-2.4.9 and pppd-2.4.1. Can anyone give me a clue as to where I can find these (if they exist)?

--
regards
Gustav Jansen
1AB5 1DD3 4412 9F03 1A4D 9C64 4763 DD26 62DA 54BF

From admin at coldtech.com Wed Oct 10 08:09:43 2001
From: admin at coldtech.com (Michael C. Mitchell)
Date: Wed, 10 Oct 2001 09:09:43 -0400
Subject: [pptp-server] Cannot ping
Message-ID: <6372D899503ED311BAC30090277681EE16E573@COLDNT>

-----Original Message-----
From: Marek Butas [mailto:MarekButas at seznam.cz]
Sent: Wednesday, October 10, 2001 5:24 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Cannot ping

Hi, first thanks for the how-to, I compiled the kernel and now I am little bit further. But, I do have some major problems, I cannot connect with clients to other machines other than the pptp server. I looked for the answer in the archives, but it didn't help. And yes I use proxyarp option and the remote clients are in the same subnet. Also, from the server I cannot ping the connected remote clients. I guess this is why the NEtBeui si not working as well.

Interesting. I am having the same problems. My Win98 client can connect using chap2 and all authenticates properly, the pptpd server issues an IP to the client and pppd states all is well. I have not had the time to research an answer yet as I have some backlog on my development plate as opposed to my sysadmin plate :P

Hopefully you'll have an answer for us before I swap hats. :)

From cmitchel at bigpond.net.au Thu Oct 11 07:23:58 2001
From: cmitchel at bigpond.net.au (Chris Mitchell)
Date: Thu, 11 Oct 2001 22:23:58 +1000
Subject: [pptp-server] unusual problems...
Message-ID: <00f801c1524f$9a9ae120$2c00a8c0@dodecaheedron>

G'day,

I'm using poptop on a RH6.2 box. I followed the instructions at http://www.vibres.com/pptpd/example.html, and everything *looks* okay; the box is running samba etc. I can connect to the VPN server from a windows client.....I can ping the upstream side, with pings of about 75ms, however trying to ping from the server to the client results in....not much at all, an example:

PING 192.168.0.202 (192.168.0.202) from 192.168.0.200 : 56(84) bytes of data.
64 bytes from 192.168.0.202: icmp_seq=0 ttl=128 time=76.5 ms
64 bytes from 192.168.0.202: icmp_seq=1 ttl=128 time=74000.7 ms
64 bytes from 192.168.0.202: icmp_seq=2 ttl=128 time=148000.6 ms

thats pinging from the server to the client, whereas client to server goes a little something like:

Pinging 192.168.0.200 with 32 bytes of data:
Reply from 192.168.0.200: bytes=32 time=70ms TTL=255
Reply from 192.168.0.200: bytes=32 time=60ms TTL=255
Reply from 192.168.0.200: bytes=32 time=60ms TTL=255
Reply from 192.168.0.200: bytes=32 time=60ms TTL=255

i do not have any idea what the problem is.......connection attempts look successful, example:

Oct 12 22:16:16 wollongong pppd[4697]: pppd 2.3.11 started by root, uid 0
Oct 12 22:16:16 wollongong pppd[4697]: Using interface ppp1
Oct 12 22:16:16 wollongong pppd[4697]: Connect: ppp1 <--> /dev/pts/2
Oct 12 22:16:17 wollongong pptpd[4696]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 12 22:16:17 wollongong pppd[4697]: MSCHAP-v2 peer authentication succeeded for chris
Oct 12 22:16:17 wollongong pppd[4697]: found interface eth0 for proxy arp
Oct 12 22:16:17 wollongong pppd[4697]: local IP address 192.168.0.200
Oct 12 22:16:17 wollongong pppd[4697]: remote IP address 192.168.0.202
Oct 12 22:16:17 wollongong pppd[4697]: MPPE 128 bit, stateless compression enabled

it proxyarps and everything, but pinging anything except 200 results in nothing, browsing does not function either.....this is something i havent come across before and ive installed poptop a few times.

by the same token, there is also a lot of stuff that i dont remember seeing in my logs before, stuff that looks a little something like this:

Oct 12 22:12:08 wollongong pptpd[4346]: Buffering out-of-order packet; got 327 after 325
Oct 12 22:12:40 wollongong pptpd[4346]: Buffering out-of-order packet; got 359 after 357
Oct 12 22:12:41 wollongong pptpd[4346]: Packet reorder timeout waiting for 358
Oct 12 22:12:41 wollongong pptpd[4346]: Buffering out-of-order packet; got 360 after 358

anyone else had this problem? i can supply other config details upon request, however, they're basically cut'n'pastes from the above URL

cheers,
Chris

From yickkk at ariel.bdeb.qc.ca Fri Oct 12 00:17:38 2001
From: yickkk at ariel.bdeb.qc.ca (Ka Kit Yick)
Date: Fri, 12 Oct 2001 01:17:38 -0400
Subject: [pptp-server] PoPToP, Nexland and multisession PPTP
Message-ID: <001401c152dd$38bf8490$473a0e0a@genilog.com>

Hi,

Does someone use a Nexland device (ISB Pro100) to allow multiple workstations behind the Nexland to establish multiple VPN connections to a remote PoPToP server? The Nexland ISB Pro100 is a NAT router that connects to the internet and shares the internet connection with the LAN. I'm using SuSE Linux 7.2 with Poptop 1.1.2 that acts as a Firewall/VPN Server, and the problem I have is when multiple users (they are on Win98) establish a VPN connection to the same VPN Server (my linux) through the Nexland. Only one session works, and when another one tries to establish a vpn connection, I get a lot of messages on my linux box that say "Discarding out-of-order packet xxx". We contacted Nexland Technical Support and after a few tests, they say that the configuration of our VPN server might be incorrect, because they tried with a Win2000 PPTP server and a Nexland device and they can establish multiple vpn sessions simultaneously. If someone out there has a solution, please advise.
Thanks
Ka Kit

From chris at faredge.com.au Fri Oct 12 01:04:10 2001
From: chris at faredge.com.au (Chris Herrmann)
Date: Fri, 12 Oct 2001 16:04:10 +1000
Subject: [pptp-server] LCP: timeout sending Config-Requests
Message-ID: <002501c152e3$b70eaa50$c8965ecb@faredge.com.au>

Hi all,

I'm trying to get a win2k box to connect to a pptp server, and am having some grief. The linux box is an RH7.1, with a vanilla 2.4.8 kernel, poptop 1.1.2, ppp 2.4.1 with the following patches:

ppp-2.4.1-MSCHAPv2-fix.patch.gz
ppp-2.4.1-openssl-0.9.6-mppe-patch.gz
linux-2.4.4-openssl-0.9.6a-mppe.patch.gz
mppe-chapv1-fix.diff.gz
mppe_stateless.patch.gz

The linux box is connected to the internet via pppd, on a static IP. I'm sitting across the city somewhere from it. iptables is running on the box; rules I've added for this so far are only rudimentary (in fact I'm expecting this to be the problem):

iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -I INPUT -p 47 -j ACCEPT
iptables -I OUTPUT -p 47 -j ACCEPT

When I fire up pptpd, it starts ok... I then try and connect from my win2k box:

tail /var/log/messages
Oct 11 15:57:54 dragon pptpd[1707]: CTRL: Client 203.94.150.200 control connection started
Oct 11 15:57:54 dragon pptpd[1707]: CTRL: Starting call (launching pppd, opening GRE)
Oct 11 15:57:54 dragon pppd[1708]: pppd 2.4.1 started by root, uid 0
Oct 11 15:57:54 dragon pppd[1708]: Using interface ppp1
Oct 11 15:57:54 dragon pppd[1708]: Connect: ppp1 <--> /dev/pts/3
Oct 11 15:58:24 dragon pppd[1708]: LCP: timeout sending Config-Requests
Oct 11 15:58:31 dragon pppd[1708]: Modem hangup
Oct 11 15:58:31 dragon pppd[1708]: Connection terminated.
Oct 11 15:58:31 dragon pppd[1708]: Failed to open /dev/pts/3: No such file or directory
Oct 11 15:58:31 dragon last message repeated 8 times
Oct 11 15:58:31 dragon pppd[1708]: Exit.
Oct 11 15:58:31 dragon pptpd[1707]: GRE: read error: Bad file descriptor
Oct 11 15:58:31 dragon pptpd[1707]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Oct 11 15:58:31 dragon pptpd[1707]: CTRL: Client 203.94.150.200 control connection finished

various files are:

pptpd.conf is pretty close to the default, except that debug is on,
remoteip 192.168.33.20-200
localip 192.168.33.1

[root at dragon ppp]# cat chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
chris * topsecret *

[root at dragon ppp]# cat options
lock
defaultroute
user bondjamesbond
kdebug 7
debug
#demand
persist
passive
noauth
#/dev/ttyS0 115200
+chap
+chapms-v2
mppe-40
mppe-128
mppe-stateless
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0

Any ideas as to what this might be?

Many thanks,

Chris Herrmann
Far Edge Technology
p. 02 99553640
f. 02 99547994
m. 0403 393309
http://www.faredge.com.au

From chris at faredge.com.au Fri Oct 12 02:04:48 2001
From: chris at faredge.com.au (Chris Herrmann)
Date: Fri, 12 Oct 2001 17:04:48 +1000
Subject: [pptp-server] LCP: timeout sending Config-Requests
Message-ID: <002e01c152ec$2eee8e70$c8965ecb@faredge.com.au>

Many thanks to Mikael Lönnroth, who correctly identified that a firewall/router somewhere along the way was blocking it. Fixed the rules, and now I'm getting a little further...

Oct 11 16:58:37 dragon modprobe: modprobe: Can't locate module ppp-compress-18
Oct 11 16:58:37 dragon pppd[2517]: MSCHAP-v2 peer authentication succeeded for chris
Oct 11 16:58:37 dragon modprobe: modprobe: Can't locate module ppp-compress-18
Oct 11 16:59:10 dragon last message repeated 9 times
Oct 11 16:59:10 dragon pppd[2517]: IPCP: timeout sending Config-Requests
Oct 11 16:59:10 dragon pppd[2517]: Connection terminated.
Oct 11 16:59:10 dragon pppd[2517]: Connect time 0.7 minutes.
Oct 11 16:59:10 dragon pppd[2517]: Sent 325 bytes, received 331 bytes.
Oct 11 16:59:10 dragon pppd[2517]: Using interface ppp1
Oct 11 16:59:10 dragon pppd[2517]: Connect: ppp1 <--> /dev/pts/3
Oct 11 16:59:10 dragon pppd[2517]: Modem hangup
Oct 11 16:59:10 dragon pppd[2517]: Connection terminated.
Oct 11 16:59:10 dragon pppd[2517]: Failed to open /dev/pts/3: No such file or directory
Oct 11 16:59:10 dragon last message repeated 7 times
Oct 11 16:59:10 dragon pppd[2517]: Exit.
Oct 11 16:59:11 dragon pptpd[2516]: GRE: read error: Bad file descriptor
Oct 11 16:59:11 dragon pptpd[2516]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Oct 11 16:59:11 dragon pptpd[2516]: CTRL: Client 203.94.150.200 control connection finished

is the fact that it can't find ppp-compress-18 causing it to bomb out? ppp-compress-18 is aliased to ppp_mppe, which was in the kernel source tree, but not in /lib/modules/2.4.8/....

Cheers,

Chris Herrmann
Far Edge Technology
p. 02 99553640
f. 02 99547994
m. 0403 393309
http://www.faredge.com.au

From Josh.Howlett at bristol.ac.uk Fri Oct 12 02:41:29 2001
From: Josh.Howlett at bristol.ac.uk (Josh Howlett)
Date: Fri, 12 Oct 2001 08:41:29 +0100 (BST)
Subject: [pptp-server] LCP: timeout sending Config-Requests
In-Reply-To: <002e01c152ec$2eee8e70$c8965ecb@faredge.com.au>

Try "make clean" and "make all" in your ppp source, then recompile your kernel.

josh.

On Fri, 12 Oct 2001, Chris Herrmann wrote:

> Many thanks to Mikael Lönnroth, who correctly identified that a
> firewall/router somewhere along the way was blocking it. Fixed the rules,
> and now I'm getting a little further...
>
> Oct 11 16:58:37 dragon modprobe: modprobe: Can't locate module
> ppp-compress-18
> Oct 11 16:58:37 dragon pppd[2517]: MSCHAP-v2 peer authentication succeeded
> for chris
> Oct 11 16:58:37 dragon modprobe: modprobe: Can't locate module
> ppp-compress-18
> Oct 11 16:59:10 dragon last message repeated 9 times
> Oct 11 16:59:10 dragon pppd[2517]: IPCP: timeout sending Config-Requests
> Oct 11 16:59:10 dragon pppd[2517]: Connection terminated.
> Oct 11 16:59:10 dragon pppd[2517]: Connect time 0.7 minutes.
> Oct 11 16:59:10 dragon pppd[2517]: Sent 325 bytes, received 331 bytes.
> Oct 11 16:59:10 dragon pppd[2517]: Using interface ppp1
> Oct 11 16:59:10 dragon pppd[2517]: Connect: ppp1 <--> /dev/pts/3
> Oct 11 16:59:10 dragon pppd[2517]: Modem hangup
> Oct 11 16:59:10 dragon pppd[2517]: Connection terminated.
> Oct 11 16:59:10 dragon pppd[2517]: Failed to open /dev/pts/3: No such file
> or directory
> Oct 11 16:59:10 dragon last message repeated 7 times
> Oct 11 16:59:10 dragon pppd[2517]: Exit.
> Oct 11 16:59:11 dragon pptpd[2516]: GRE: read error: Bad file descriptor
> Oct 11 16:59:11 dragon pptpd[2516]: CTRL: PTY read or GRE write failed
> (pty,gre)=(-1,-1)
> Oct 11 16:59:11 dragon pptpd[2516]: CTRL: Client 203.94.150.200 control
> connection finished
>
> is the fact that it can't find ppp-compress-18 causing it to bomb out?
> ppp-compress-18 is aliased to ppp_mppe, which was in the kernel source
> tree, but not in /lib/modules/2.4.8/....
>
> Cheers,
>
> Chris Herrmann
> Far Edge Technology
>
> p. 02 99553640
> f. 02 99547994
> m. 0403 393309
> http://www.faredge.com.au
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line.
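The messages in this part of the thread (Chris Mitchell's and Ka Kit's out-of-order GRE packets, Chris Herrmann's LCP timeout that turned out to be a firewall on the path, the missing ppp-compress-18 alias for ppp_mppe, and the IPCP timeout that followed it) recur often enough that it is worth having a small triage script for them. The following is an added example written for this page; it is not code from the list, from PoPToP or from pppd. It scans a pppd/pptpd syslog extract for those symptoms and also decodes the 49-byte MS-CHAPv2 Response value that pppd prints under `debug`, using the field layout from RFC 2759 and the response value from the "indus" log at the top of this page. The sample log is constructed from lines quoted in the thread; the finding keys and their explanations are my wording of what the thread concluded, not messages pppd itself emits.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: one line of each kind quoted in the thread, in the
# pppd/pptpd syslog format used there. The CHAP Response value is the one
# from the "indus" log on this page.
SAMPLE_LOG = r"""
Oct 11 15:57:54 dragon pppd[1708]: Connect: ppp1 <--> /dev/pts/3
Oct 11 15:58:24 dragon pppd[1708]: LCP: timeout sending Config-Requests
Oct 11 16:58:37 dragon modprobe: modprobe: Can't locate module ppp-compress-18
Oct 11 16:58:37 dragon pppd[2517]: MSCHAP-v2 peer authentication succeeded for chris
Oct 11 16:59:10 dragon pppd[2517]: IPCP: timeout sending Config-Requests
Oct 12 22:12:08 wollongong pptpd[4346]: Buffering out-of-order packet; got 327 after 325
Oct 12 22:12:41 wollongong pptpd[4346]: Packet reorder timeout waiting for 358
Oct 10 10:55:46 indus pppd[5030]: rcvd [CHAP Response id=0x1 <01b7e23353fa09453b43bf7f1558103500000000000000003af9b395859243c993c70311ea1e5c58f64648e11704f36300>, name = "MEGOS\\br"]
"""

AUTH_OK_RE = re.compile(r"MSCHAP-v2 peer authentication succeeded for (\S+)")
CHAP_RESPONSE_RE = re.compile(
    r'rcvd \[CHAP Response id=0x[0-9a-fA-F]+ <([0-9a-fA-F]+)>, name = "([^"]*)"\]')

GRE_REORDER = ("GRE sequence numbers arriving out of order; seen in the thread with "
               "several PPTP sessions behind one NAT device.")

# (substring to look for, finding key, what the thread found it to mean)
SYMPTOMS = [
    ("LCP: timeout sending Config-Requests", "lcp-timeout",
     "LCP never completed, so nothing arrived over the GRE tunnel (IP protocol 47); "
     "in the thread a firewall/router on the path was blocking it. Accepting TCP/1723 "
     "alone is not enough."),
    ("Can't locate module ppp-compress-18", "mppe-module-missing",
     "ppp-compress-18 is the modules.conf alias for ppp_mppe; the module is not "
     "installed under /lib/modules for the running kernel."),
    ("IPCP: timeout sending Config-Requests", "ipcp-timeout",
     "authentication succeeded but IPCP never finished; in the thread this coincided "
     "with the missing MPPE module."),
    ("out-of-order packet", "gre-reorder", GRE_REORDER),
    ("Packet reorder timeout", "gre-reorder", GRE_REORDER),
]


@dataclass
class Triage:
    authenticated_users: list = field(default_factory=list)
    chap_responses: list = field(default_factory=list)
    findings: dict = field(default_factory=dict)  # finding key -> explanation


def decode_mschapv2_response(hex_value):
    """Split the 49-byte MS-CHAPv2 Response value (RFC 2759, section 4) into its fields."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 49:
        raise ValueError(f"MS-CHAPv2 Response value is 49 bytes, got {len(raw)}")
    return {
        "peer_challenge": raw[0:16].hex(),           # 16 octets chosen by the client
        "reserved_is_zero": raw[16:24] == bytes(8),  # 8 reserved octets, must be zero
        "nt_response": raw[24:48].hex(),             # 24 octets of NT-Response
        "flags": raw[48],                            # 1 octet, must be zero
    }


def triage_ppp_log(log_text):
    """Classify pppd/pptpd log lines into the failure modes discussed in the thread."""
    result = Triage()
    for line in log_text.splitlines():
        m = AUTH_OK_RE.search(line)
        if m:
            result.authenticated_users.append(m.group(1))
            continue
        m = CHAP_RESPONSE_RE.search(line)
        if m:
            fields = decode_mschapv2_response(m.group(1))
            fields["name"] = m.group(2)
            result.chap_responses.append(fields)
            continue
        for fragment, key, why in SYMPTOMS:
            if fragment in line:
                result.findings.setdefault(key, why)  # keep the first explanation
    return result


if __name__ == "__main__":
    t = triage_ppp_log(SAMPLE_LOG)
    for key, why in t.findings.items():
        print(f"{key}: {why}")
    for r in t.chap_responses:
        print(f"MS-CHAPv2 response from {r['name']}: peer challenge {r['peer_challenge']}, "
              f"flags {r['flags']}, reserved zero: {r['reserved_is_zero']}")
```

The decoder is there mainly to make one point about logging: with `debug` on (both options files on this page set it), pppd writes the peer challenge and the full NT-Response for every login to syslog, so those logs deserve the same handling as the chap-secrets file, and `debug` is best removed once the connection problem is solved.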
--

---------------------------------------
Josh Howlett, Network Supervisor,
Networking & Digital Communications,
Information Systems & Computing,
University of Bristol, U.K.
0117 928 7850 | josh.howlett at bris.ac.uk
---------------------------------------

From jbouland at yahoo.fr Fri Oct 12 10:16:47 2001
From: jbouland at yahoo.fr (Julien BOULAND)
Date: Fri, 12 Oct 2001 17:16:47 +0200
Subject: [pptp-server] pptp et EAP

hi

I would like to get the poptop pptp linux server working with a w2k client with authentication by certificate. This authentication runs with the EAP protocol, and when i try to run with EAP the client tells me that the pppd of the server cannot support EAP authentication. argh !!!

if someone knows a solution, it would be pretty good to tell me about it!

Julien BOULAND
(sorry for my english)

From matt.a.jonkman at mail.sprint.com Fri Oct 12 10:32:06 2001
From: matt.a.jonkman at mail.sprint.com (matt.a.jonkman at mail.sprint.com)
Date: Fri, 12 Oct 2001 10:32:06 -0500
Subject: [pptp-server] IPX

Has anyone successfully passed ipx through a pptp tunnel?

Matthew Jonkman, CISSP
Senior Network Security Engineer
Implementations Technical Lead

From Josh.Howlett at bristol.ac.uk Fri Oct 12 10:44:04 2001
From: Josh.Howlett at bristol.ac.uk (Josh Howlett)
Date: Fri, 12 Oct 2001 16:44:04 +0100 (BST)
Subject: [pptp-server] pptp et EAP

Hi,

There is an EAP patch to ppp-2.4.0 released by James Carlson, if i remember. He hangs out on comp.protocols.ppp

josh.

On Fri, 12 Oct 2001, Julien BOULAND wrote:

> hi
> I would like to get the poptop pptp linux server working with a w2k client with
> authentication by certificate. This authentication runs with the EAP protocol,
> and when i try to run with EAP the client tells me that the pppd of the server
> cannot support EAP authentication. argh !!!
> if someone knows a solution, it would be pretty good to tell me about it!
> Julien BOULAND
> (sorry for my english)

From knapp3 at palmfriendly.at Sat Oct 13 05:26:08 2001
From: knapp3 at palmfriendly.at (Mag. Harald Knapp (Mailinglist))
Date: Sat, 13 Oct 2001 12:26:08 +0200
Subject: [pptp-server] pptpd with SuSE 7.2 - Error from the W2k client: 732

hey there, who can help me? i have been trying for weeks now to get pptp running. i am using eth1 with a registered ip to the internet and eth0 for my local network. i am sure i implemented all the features in the right way, because if i connect with w2k over the internal net - eth0 - to the pptp server - everything goes fine and very fast. the moment i disconnect this w2k client from the local network and try to get a tunnel working over the internet to eth1, the client in one case hangs at 'verifying userid & pw' or it tells me the error code 732.

Additional information: i am using the firewall feature but turned protect_from_external="no"

what am I doing wrong? who can help me! please email me directly!
harry

my configuration looks like this:

my option-file:
+chap
+chapms-v2
mppe-40
mppe-128
mppe-stateless
mtu 1490
mru 1490
ipcp-accept-local
ipcp-accept-remote
#deflate 0
nodeflate
nobsdcomp

my chap-secret-file:
# client server secret IP addresses
hknapp poptop test *

my pptpd.conf-file:
speed 115200
option /etc/ppp/options
debug
localip 192.168.0.231-239
remoteip 192.168.1.231-239
pidfile /var/run/pptpd.pid

From john at pmbbs.demon.co.uk Sat Oct 13 11:43:45 2001
From: john at pmbbs.demon.co.uk (John P)
Date: Sat, 13 Oct 2001 17:43:45 +0100
Subject: [pptp-server] Setting up PoPToP behind masq firewall
Message-ID: <002901c15406$3a2191a0$c807010a@networkwarick.co.uk>

Hi

I have PoPToP running on a RedHat 7.0 server. The server runs behind a Linux firewall which masquerades the internal network out on one IP address. Port 1723 is forwarded to the RedHat server as is protocol 53. The server is running kernel '2.2.16-22 #17 SMP'

When I connect from my Win98 SE machine, I get the following in the logs:

Oct 13 17:24:14 pluto pppd[2738]: pppd 2.4.0 started by root, uid 0
Oct 13 17:24:14 pluto pppd[2738]: Using interface ppp0
Oct 13 17:24:14 pluto pppd[2738]: Connect: ppp0 <--> /dev/pts/3
Oct 13 17:24:44 pluto pppd[2738]: LCP: timeout sending Config-Requests
Oct 13 17:24:44 pluto pppd[2738]: Connection terminated.
Oct 13 17:24:44 pluto pppd[2738]: Exit.
Oct 13 17:24:44 pluto pptpd[2737]: GRE: read(fd=4,buffer=804da00,len=8196) from PTY failed: status = -1 error = Input/output error
Oct 13 17:24:44 pluto pptpd[2737]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
Oct 13 17:24:44 pluto pptpd[2737]: CTRL: Client 122.146.136.129 control connection finished
[root at pluto ipv4]#

From nate at anthropomorphization.com Sat Oct 13 10:43:22 2001
From: nate at anthropomorphization.com (Nate Perry-Thistle)
Date: Sat, 13 Oct 2001 09:43:22 -0600
Subject: [pptp-server] Setting up PoPToP behind masq firewall
In-Reply-To: <002901c15406$3a2191a0$c807010a@networkwarick.co.uk>; from john@pmbbs.demon.co.uk on Sat, Oct 13, 2001 at 05:43:45PM +0100
References: <002901c15406$3a2191a0$c807010a@networkwarick.co.uk>
Message-ID: <20011013094322.A32453@perry-thistle.net>

john,

do you allow and forward protocol 47 (GRE) through the firewall? check out: http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO-3.html#ss3.6 for example rules for iptables and ipchains.

n.

On Sat, Oct 13, 2001 at 05:43:45PM +0100, John P wrote:
> Hi
>
> I have PoPToP running on a RedHat 7.0 server. The server runs behind a Linux
> firewall which masquerades the internal network out on one IP address. Port
> 1723 is forwarded to the RedHat server as is protocol 53. The server is
> running kernel '2.2.16-22 #17 SMP'
>
> When I connect from my Win98 SE machine, I get the following in the logs:
> Oct 13 17:24:14 pluto pppd[2738]: pppd 2.4.0 started by root, uid 0
> Oct 13 17:24:14 pluto pppd[2738]: Using interface ppp0
> Oct 13 17:24:14 pluto pppd[2738]: Connect: ppp0 <--> /dev/pts/3
> Oct 13 17:24:44 pluto pppd[2738]: LCP: timeout sending Config-Requests
> Oct 13 17:24:44 pluto pppd[2738]: Connection terminated.
> Oct 13 17:24:44 pluto pppd[2738]: Exit.
> Oct 13 17:24:44 pluto pptpd[2737]: GRE: read(fd=4,buffer=804da00,len=8196)
> from PTY failed: status = -1 error = Input/output error
> Oct 13 17:24:44 pluto pptpd[2737]: CTRL: PTY read or GRE write failed
> (pty,gre)=(4,5)
> Oct 13 17:24:44 pluto pptpd[2737]: CTRL: Client 122.146.136.129 control
> connection finished
> [root at pluto ipv4]#
>
> From reading the docs, it seems to imply that I need to patch the kernel
> with the VPN masquerade patch. However, this isn't something I have
> attempted before, and am a bit reluctant to do over SSH 100 miles from the
> relevant server ;) - can I not install a module, or are there any other
> workarounds? Is it something that is quite simple to do,
>
> I'm not quite sure why I need to install that patch though. Is it so that
> the RedHat server knows to route the packets via the masq router?
>
> --
> John Portwin
> Technical Director,
> mobiletones.com
>
> john at mobiletones.com
> Mobile (07801) 055722
> DDI (01923) 892722

From Steve at SteveCowles.com Sat Oct 13 11:54:19 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Sat, 13 Oct 2001 11:54:19 -0500
Subject: [pptp-server] Setting up PoPToP behind masq firewall
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE8A8@defiant.infohiiway.com>

> -----Original Message-----
> From: John P [mailto:john at pmbbs.demon.co.uk]
> Sent: Saturday, October 13, 2001 11:44 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Setting up PoPToP behind masq firewall
>
>
> Hi
>
> I have PoPToP running on a RedHat 7.0 server. The server runs
> behind a Linux firewall which masquerades the internal network
> out on one IP address. Port 1723 is forwarded to the RedHat
> server as is protocol 53.
That should be protocol 47 (GRE), not protocol 53

> The server is running kernel '2.2.16-22 #17 SMP'
>
> When I connect from my Win98 SE machine, I get the following
> in the logs:
> Oct 13 17:24:14 pluto pppd[2738]: pppd 2.4.0 started by root, uid 0
> Oct 13 17:24:14 pluto pppd[2738]: Using interface ppp0
> Oct 13 17:24:14 pluto pppd[2738]: Connect: ppp0 <--> /dev/pts/3
> Oct 13 17:24:44 pluto pppd[2738]: LCP: timeout sending Config-Requests
> Oct 13 17:24:44 pluto pppd[2738]: Connection terminated.
> Oct 13 17:24:44 pluto pppd[2738]: Exit.
> Oct 13 17:24:44 pluto pptpd[2737]: GRE:
> read(fd=4,buffer=804da00,len=8196)
> from PTY failed: status = -1 error = Input/output error
> Oct 13 17:24:44 pluto pptpd[2737]: CTRL: PTY read or GRE write failed
> (pty,gre)=(4,5)
> Oct 13 17:24:44 pluto pptpd[2737]: CTRL: Client
> 122.146.136.129 control connection finished
> [root at pluto ipv4]#
>
> From reading the docs, it seems to imply that I need to patch
> the kernel with the VPN masquerade patch. However, this isn't
> something I have attempted before, and am a bit reluctant to
> do over SSH 100 miles from the relevant server ;) - can I not
> install a module, or are there any other workarounds? Is it
> something that is quite simple to do,

Some of the latter Redhat kernels already contained the VPN MASQ Patches. To verify - see if you have module ip_masq_pptp.o

>
> I'm not quite sure why I need to install that patch though.
> Is it so that the RedHat server knows to route the packets
> via the masq router?
>

The patch is needed so that the GRE protocol can be properly masqueraded. i.e. module ip_masq_pptp.o

Steve Cowles

From john at pmbbs.demon.co.uk Sat Oct 13 12:04:59 2001
From: john at pmbbs.demon.co.uk (John P)
Date: Sat, 13 Oct 2001 18:04:59 +0100
Subject: [pptp-server] Setting up PoPToP behind masq firewall
References: <002901c15406$3a2191a0$c807010a@networkwarick.co.uk> <20011013094322.A32453@perry-thistle.net>
Message-ID: <006801c15409$30dfd9a0$c807010a@networkwarick.co.uk>

Yes, I have a blanket rule as #1 on my ipchains on the firewall accepting all port 47 connections. I also have ipfwd running '--masq 10.0.0.12 47' (10.0.0.12 being my internal server IP). The internal server has a completely open ipchains setup.

Cheers
John

----- Original Message -----
From: "Nate Perry-Thistle"
To: "John P"
Cc:
Sent: Saturday, October 13, 2001 4:43 PM
Subject: Re: [pptp-server] Setting up PoPToP behind masq firewall

> john,
>
> do you allow and forward protocol 47 (GRE) through the firewall? check
> out: http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO-3.html#ss3.6 for
> example rules for iptables and ipchains.
>
> n.
>
> On Sat, Oct 13, 2001 at 05:43:45PM +0100, John P wrote:
> > Hi
> >
> > I have PoPToP running on a RedHat 7.0 server. The server runs behind a Linux
> > firewall which masquerades the internal network out on one IP address. Port
> > 1723 is forwarded to the RedHat server as is protocol 53. The server is
> > running kernel '2.2.16-22 #17 SMP'
> >
> > When I connect from my Win98 SE machine, I get the following in the logs:
> > Oct 13 17:24:14 pluto pppd[2738]: pppd 2.4.0 started by root, uid 0
> > Oct 13 17:24:14 pluto pppd[2738]: Using interface ppp0
> > Oct 13 17:24:14 pluto pppd[2738]: Connect: ppp0 <--> /dev/pts/3
> > Oct 13 17:24:44 pluto pppd[2738]: LCP: timeout sending Config-Requests
> > Oct 13 17:24:44 pluto pppd[2738]: Connection terminated.
> > Oct 13 17:24:44 pluto pppd[2738]: Exit.
> > Oct 13 17:24:44 pluto pptpd[2737]: GRE: read(fd=4,buffer=804da00,len=8196)
> > from PTY failed: status = -1 error = Input/output error
> > Oct 13 17:24:44 pluto pptpd[2737]: CTRL: PTY read or GRE write failed
> > (pty,gre)=(4,5)
> > Oct 13 17:24:44 pluto pptpd[2737]: CTRL: Client 122.146.136.129 control
> > connection finished
> > [root at pluto ipv4]#
> >
> > From reading the docs, it seems to imply that I need to patch the kernel
> > with the VPN masquerade patch. However, this isn't something I have
> > attempted before, and am a bit reluctant to do over SSH 100 miles from the
> > relevant server ;) - can I not install a module, or are there any other
> > workarounds? Is it something that is quite simple to do,
> >
> > I'm not quite sure why I need to install that patch though. Is it so that
> > the RedHat server knows to route the packets via the masq router?
> >
> > --
> > John Portwin
> > Technical Director,
> > mobiletones.com
> >
> > john at mobiletones.com
> > Mobile (07801) 055722
> > DDI (01923) 892722

From vorlon at netexpress.net Sat Oct 13 12:01:41 2001
From: vorlon at netexpress.net (Steve Langasek)
Date: Sat, 13 Oct 2001 12:01:41 -0500
Subject: [pptp-server] Setting up PoPToP behind masq firewall
In-Reply-To: <006801c15409$30dfd9a0$c807010a@networkwarick.co.uk>
References: <002901c15406$3a2191a0$c807010a@networkwarick.co.uk> <20011013094322.A32453@perry-thistle.net> <006801c15409$30dfd9a0$c807010a@networkwarick.co.uk>
Message-ID: <20011013120141.F1699@netexpress.net>

On Sat, Oct 13, 2001 at 06:04:59PM +0100, John P wrote:
> Yes, I have a blanket rule as #1 on my ipchains on the firewall accepting all
> port 47 connections. I also have ipfwd running '--masq 10.0.0.12 47'
> (10.0.0.12 being my internal server IP). The internal server has a
> completely open ipchains setup.

This is /protocol/ 47, not /port/ 47. IOW, 47 is the protocol number you would pass to 'ipchains -p' if you wanted GRE, as opposed to TCP, UDP, or ICMP.

HTH,
Steve Langasek
postmodern programmer

From john at pmbbs.demon.co.uk Sat Oct 13 12:41:36 2001
From: john at pmbbs.demon.co.uk (John P)
Date: Sat, 13 Oct 2001 18:41:36 +0100
Subject: [pptp-server] Setting up PoPToP behind masq firewall
References: <90769AF04F76D41186C700A0C90AFC3EE8A8@defiant.infohiiway.com>
Message-ID: <008c01c1540e$4e8fb240$c807010a@networkwarick.co.uk>

> > I have PoPToP running on a RedHat 7.0 server. The server runs
> > behind a Linux firewall which masquerades the internal network
> > out on one IP address. Port 1723 is forwarded to the RedHat
> > server as is protocol 53.

> That should be protocol 47 (GRE), not protocol 53

Duh, typo on my part. It is 47 that is used in ipfwd and allowed in ipchains. Sorry!

> Some of the latter Redhat kernels already contained the VPN MASQ Patches. To
> verify - see if you have module ip_masq_pptp.o

No, I don't have it. I thought that anything that could be compiled into the kernel could also be loaded as a module? If so, can I get a copy of ip_masq_pptp.o from somewhere and just install it? I am a bit reluctant to recompile the kernel, because I haven't done it before.

> > I'm not quite sure why I need to install that patch though.
> > Is it so that the RedHat server knows to route the packets
> > via the masq router?

> The patch is needed so that the GRE protocol can be properly masqueraded.
> i.e. module ip_masq_pptp.o

OK, but who is doing the masquerading? Does the RedHat PPTP server masquerade the protocol, or is it the Linux firewall?
That's what I can't work out - why would the RedHat server need to do any masquerading at all? (It just communicates with the firewall which does all the masq'ing) Cheers John From denis.bonnenfant at diderot.org Sat Oct 13 12:43:33 2001 From: denis.bonnenfant at diderot.org (denis bonnenfant) Date: Sat, 13 Oct 2001 19:43:33 +0200 Subject: [pptp-server] Both-side NAT Message-ID: I want to setup a VPN between my linux/samba server, behind a GNATBOX router/firewall(NAT), and Win2K workstations, on ADSL line with an Alcatel Speed touch (@pro) modem in PPP/NAT mode Is there anybody who have experiences with PPTP in this double-NAT setup ? -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steve at SteveCowles.com Sat Oct 13 13:10:44 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Sat, 13 Oct 2001 13:10:44 -0500 Subject: [pptp-server] Setting up PoPToP behind masq firewall Message-ID: <90769AF04F76D41186C700A0C90AFC3EE8A9@defiant.infohiiway.com> > -----Original Message----- > From: John P [mailto:john at pmbbs.demon.co.uk] > Sent: Saturday, October 13, 2001 12:42 PM > To: pptp-server at lists.schulte.org > Subject: Re: [pptp-server] Setting up PoPToP behind masq firewall > > > > > I have PoPToP running on a RedHat 7.0 server. The server runs > > > behind a Linux firewall which masquerades the internal network > > > out on one IP address. Port 1723 is forwarded to the RedHat > > > server as is protocol 53. > > > That should be protocol 47 (GRE), not protocol 53 > > Duh, typo on my part. It is 47 that is used in ipfwd and allowed in > ipchains. Sorry! Based on your other post, it looks like you are using the proper syntax for ipfwd. But it will not help until the firewall kernel understands how to masquerade a GRE packet. FWIW: The new linux kernel series (2.4.x) along with iptables do not require any patches. > > > Some of the latter Redhat kernels already contained the VPN > > MASQ Patches. 
To verify - see if you have module ip_masq_pptp.o
>
> No, I don't have it. I thought that anything that could be
> compiled into the kernel could also be loaded as a module? If so,
> can I get a copy of ip_masq_pptp.o from somewhere and just install
> it? I am a bit reluctant to recompile the kernel, because I haven't
> done it before.

Recompiling a kernel for the first time can be a little scary. I learned by using an extra PC to test the procedure before trying it on a production system. As for downloading a pre-compiled module - most kernels are compiled where the module revision must match that of the kernel revision, or it will not load. Maybe you'll get lucky and find someone that has the ip_masq_pptp.o module for your kernel revision.

> > > I'm not quite sure why I need to install that patch though.
> > > Is it so that the RedHat server knows to route the packets
> > > via the masq router?
> >
> > The patch is needed so that the GRE protocol can be
> > properly masqueraded. i.e. module ip_masq_pptp.o
>
> OK, but who is doing the masquerading? Does the RedHat PPTP
> server masquerade the protocol, or is it the Linux firewall?

Using your terms... the firewall.

> That's what I can't work out - why would the RedHat server need
> to do any masquerading at all? (It just communicates with the
> firewall which does all the masq'ing)

It's the firewall that has to deal with masquerading GRE packets - so the VPN MASQ patches need to be applied to your firewall kernel, not the PoPToP server.

Steve Cowles

From charlieb at e-smith.com Sat Oct 13 15:14:54 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Sat, 13 Oct 2001 16:14:54 -0400 (EDT)
Subject: [pptp-server] Setting up PoPToP behind masq firewall
In-Reply-To: <008c01c1540e$4e8fb240$c807010a@networkwarick.co.uk>
Message-ID:

On Sat, 13 Oct 2001, John P wrote:

> > Some of the latter Redhat kernels already contained the VPN MASQ Patches. To
> > verify - see if you have module ip_masq_pptp.o
>
> No, I don't have it. I thought that anything that could be compiled into the
> kernel could also be loaded as a module? If so, can I get a copy of
> ip_masq_pptp.o from somewhere and just install it? I am a bit reluctant to
> recompile the kernel, because I haven't done it before.

The masquerading patch wasn't included in the original RH 7.0 kernel, but is included in the 2.2.19-7.0.8 update kernel. Grab the update RPM from your nearest RedHat mirror site, and follow the kernel upgrade instructions from RedHat's web site.

Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From john at pmbbs.demon.co.uk Sat Oct 13 19:39:18 2001
From: john at pmbbs.demon.co.uk (John P)
Date: Sun, 14 Oct 2001 01:39:18 +0100
Subject: [pptp-server] Setting up PoPToP behind masq firewall
References: <90769AF04F76D41186C700A0C90AFC3EE8A9@defiant.infohiiway.com>
Message-ID: <005701c15448$c99ef1a0$c807010a@networkwarick.co.uk>

> It's the firewall that has to deal with masquerading GRE packets - so the VPN
> MASQ patches need to be applied to your firewall kernel, not the PoPToP
> server.

I have now upgraded the router's kernel so it can deal with masq'ing 47 etc, and all is working OK.. However, I have now discovered that I'm behind a NAT/masqueraded connection on the client side! So although I can dial up using a modem and establish the connection to poptop, browse the internal Samba network etc, I'm not sure if I can establish the connection using my leased line access (residential connection). When I try to use the leased line access, poptop seems to be getting some replies from the client. What is missing on our side? I don't have any control over the NAT/firewall on the client side (although you never know, they may do something for me if I ask nicely!)
Oct 14 01:15:21 pluto pptpd[6063]: MGR: Launching /usr/local/sbin/pptpctrl to handle client
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: local address = 10.0.0.234
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: remote address = 10.0.1.234
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: pppd speed = 115200
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: Client 192.146.136.129 control connection started
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: Received PPTP Control Message (type: 1)
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: Made a START CTRL CONN RPLY packet
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: I wrote 156 bytes to the client.
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: Sent packet to client
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: Received PPTP Control Message (type: 7)
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: Set parameters to 0 maxbps, 16 window size
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: Made a OUT CALL RPLY packet
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: Starting call (launching pppd, opening GRE)
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: pty_fd = 4
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: tty_fd = 5
Oct 14 01:15:21 pluto pptpd[6063]: CTRL: I wrote 32 bytes to the client.
Oct 14 01:15:22 pluto pptpd[6063]: CTRL: Sent packet to client
Oct 14 01:15:21 pluto pptpd[6064]: CTRL (PPPD Launcher): Connection speed = 115200
Oct 14 01:15:22 pluto pptpd[6064]: CTRL (PPPD Launcher): local address = 10.0.0.234
Oct 14 01:15:22 pluto pptpd[6064]: CTRL (PPPD Launcher): remote address = 10.0.1.234
Oct 14 01:15:22 pluto pppd[6064]: pppd 2.4.0 started by root, uid 0
Oct 14 01:15:22 pluto pppd[6064]: Using interface ppp0
Oct 14 01:15:22 pluto pppd[6064]: Connect: ppp0 <--> /dev/pts/4
Oct 14 01:15:22 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:22 pluto pppd[6064]: rcvd [LCP ConfReq id=0x1 ]
Oct 14 01:15:22 pluto pppd[6064]: sent [LCP ConfAck id=0x1 ]
Oct 14 01:15:25 pluto pppd[6064]: rcvd [LCP ConfReq id=0x2 ]
Oct 14 01:15:25 pluto pppd[6064]: sent [LCP ConfAck id=0x2 ]
Oct 14 01:15:25 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:28 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:31 pluto pppd[6064]: rcvd [LCP ConfReq id=0x4 ]
Oct 14 01:15:31 pluto pppd[6064]: sent [LCP ConfAck id=0x4 ]
Oct 14 01:15:31 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:34 pluto pppd[6064]: rcvd [LCP ConfReq id=0x5 ]
Oct 14 01:15:34 pluto pppd[6064]: sent [LCP ConfAck id=0x5 ]
Oct 14 01:15:34 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:37 pluto pppd[6064]: rcvd [LCP ConfReq id=0x6 ]
Oct 14 01:15:37 pluto pppd[6064]: sent [LCP ConfAck id=0x6 ]
Oct 14 01:15:37 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:40 pluto pppd[6064]: rcvd [LCP ConfReq id=0x7 ]
Oct 14 01:15:40 pluto pppd[6064]: sent [LCP ConfAck id=0x7 ]
Oct 14 01:15:40 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:43 pluto pppd[6064]: rcvd [LCP ConfReq id=0x8 ]
Oct 14 01:15:43 pluto pppd[6064]: sent [LCP ConfAck id=0x8 ]
Oct 14 01:15:43 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:46 pluto pppd[6064]: rcvd [LCP ConfReq id=0x9 ]
Oct 14 01:15:46 pluto pppd[6064]: sent [LCP ConfAck id=0x9 ]
Oct 14 01:15:46 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:49 pluto pppd[6064]: rcvd [LCP ConfReq id=0xa ]
Oct 14 01:15:49 pluto pppd[6064]: sent [LCP ConfAck id=0xa ]
Oct 14 01:15:49 pluto pppd[6064]: sent [LCP ConfReq id=0x1 ]
Oct 14 01:15:52 pluto pptpd[6063]: CTRL: Received PPTP Control Message (type: 12)
Oct 14 01:15:52 pluto pptpd[6063]: CTRL: Made a CALL DISCONNECT RPLY packet
Oct 14 01:15:52 pluto pptpd[6063]: CTRL: Received CALL CLR request (closing call)
Oct 14 01:15:52 pluto pptpd[6063]: CTRL: I wrote 148 bytes to the client.
Oct 14 01:15:52 pluto pptpd[6063]: CTRL: Sent packet to client
Oct 14 01:15:52 pluto pptpd[6063]: CTRL: Error with select(), quitting
Oct 14 01:15:52 pluto pptpd[6063]: CTRL: Client 192.146.136.129 control connection finished
Oct 14 01:15:52 pluto pptpd[6063]: CTRL: Exiting now
Oct 14 01:15:52 pluto pptpd[6060]: MGR: Reaped child 6063
Oct 14 01:15:52 pluto pppd[6064]: Modem hangup
Oct 14 01:15:52 pluto pppd[6064]: Connection terminated.
Oct 14 01:15:52 pluto pppd[6064]: Exit.
[root at pluto /root]#

Any ideas much appreciated. Thanks to everyone for helping me get this far!

Cheers,
John

From anesthes at cisdi.com Sun Oct 14 00:01:45 2001
From: anesthes at cisdi.com (Joey Coco)
Date: Sun, 14 Oct 2001 00:01:45 -0500 (EST)
Subject: [pptp-server] IPX
In-Reply-To:
Message-ID:

Hello,

Yes, having problems?

-- Joe

On Fri, 12 Oct 2001 matt.a.jonkman at mail.sprint.com wrote:

> Has anyone successfully passed ipx through a pptp tunnel?
>
> Matthew Jonkman, CISSP
> Senior Network Security Engineer
> Implementations Technical Lead
>
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line. --
From dan_bethe at yahoo.com Sun Oct 14 06:06:45 2001
From: dan_bethe at yahoo.com (Dan Bethe)
Date: Sun, 14 Oct 2001 04:06:45 -0700 (PDT)
Subject: [pptp-server] Immunix and/or kernel 2.2.19
Message-ID: <20011014110645.81476.qmail@web11008.mail.yahoo.com>

Hi all. Please reply directly to me because I don't subscribe to this list.

Has anyone gotten poptop to work on Immunix with kernel 2.2.19? The kernel is compiled with standard gcc but I can't get the patches to work right. I don't think there's a problem due to it being Immunix, and I think the focus is just on the kernel version.

I used the tutorial here:

http://www.vibres.com/pptpd/example.html

I did everything listed there but of course the patch is for 2.2.17. The patches don't complete like they do on stock 2.2.17 and I can't build the kernel modules. Any advice? Should I downgrade to 2.2.17, or upgrade to 2.4? This is only to get the mppe module so must I go without encryption?

Again, please reply directly to me because I don't subscribe to this list.

Thanks!

=====
Medium System Administrator and Junior I.T. Manager of 5 yrs
-- Now available -- Linux, MacOS, Unix-like systems
-- http://mmmgood.net -- dan_bethe at yahoo.com

__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com

From anesthes at cisdi.com Sun Oct 14 09:10:56 2001
From: anesthes at cisdi.com (Joey Coco)
Date: Sun, 14 Oct 2001 09:10:56 -0500 (EST)
Subject: [pptp-server] Immunix and/or kernel 2.2.19
In-Reply-To: <20011014110645.81476.qmail@web11008.mail.yahoo.com>
Message-ID:

Hey,

If you don't have the integrity to at least join the list, how do you expect people to help you?

Anyway, you're safer to get a production kernel. 2.4.x works great with PPTP, better than my experience with 2.2.x. You'll need to make sure your system can support 2.4, which means compiler, libraries, gnu utils, new PPPD, etc.

--or--

You can figure out what files are not patching, and do it manually. That's something you'll have to learn sooner or later anyway - welcome to Linux. Try downloading the stock 2.2.19 kernel, and running diff against it and your Immunix patched version in the directories the mppe patch complains about.

-- Joe

On Sun, 14 Oct 2001, Dan Bethe wrote:

> Hi all. Please reply directly to me because I don't subscribe to this list.
> Has anyone gotten poptop to work on Immunix with kernel 2.2.19? The kernel is
> compiled with standard gcc but I can't get the patches to work right. I don't
> think there's a problem due to it being Immunix, and I think the focus is just
> on the kernel version.
> I used the tutorial here:
>
> http://www.vibres.com/pptpd/example.html
>
> I did everything listed there but of course the patch is for 2.2.17. The
> patches don't complete like they do on stock 2.2.17 and I can't build the
> kernel modules. Any advice? Should I downgrade to 2.2.17, or upgrade to 2.4?
> This is only to get the mppe module so must I go without encryption?
> Again, please reply directly to me because I don't subscribe to this list.
> Thanks!
>
> =====
> Medium System Administrator and Junior I.T. Manager of 5 yrs
> -- Now available -- Linux, MacOS, Unix-like systems
> -- http://mmmgood.net -- dan_bethe at yahoo.com

--
_____________________________________________________________________________
"I will never engage myself in a corporation backed by a religion, making tax
free profits while standing behind the protection of an execution symbol.
I will never allow myself to be lured by the perversion of priesthood. I will
never sit and watch my brothers starve in poverty living on the steps of a
so-called house of god, nor will I ever call someone my father who is not
closer than a stranger.."
-----------------------------------------------------------------------------
http://members.cisdi.com/~anesthes/  AIM:imd3fc0n  IRC:irc.epix.net #mac defcon

From shanu at exocore.com Mon Oct 15 00:09:05 2001
From: shanu at exocore.com (Shanker Balan)
Date: Mon, 15 Oct 2001 10:39:05 +0530
Subject: [pptp-server] [off-topic] PPTP on a 2 layer firewall
Message-ID: <20011015103905.A9500@exocore.com>

Hello:

What is "the" way to add VPN to a network? My client has a 2 layer firewall setup comprising 2 Linux boxes.

The network looks like this:

            +-------------+          +------------+             +-------+
Internet -> | Firewall-1  | 10.0.0.x | Firewall-2 | 192.168.x.x |  LAN  |
            | PopTop      |--------->|            |------------>|       |
            +-------------+          +------------+             +-------+

In the current setup, the PPTP VPN connection lands on Firewall-1 and gets an IP address in the 10.0.1.x segment. Firewall 2 will only accept packets from Firewall 1 (10.0.0.x segment). Since the VPN connection is on another subnet altogether (10.0.1.x), I have to masquerade the VPN connection so that Firewall-2 will accept it. I have to masquerade it once again on Firewall 2 as the LAN is again on another network altogether - 192.168.x.x.

VPN -> Firewall-1 (NAT) -> Firewall-2 (NAT) -> LAN

Some of the shortcomings I see with this setup are the following:

- This setup makes the firewall redundant. I can directly access any machine on the LAN from Firewall-1 as Firewall-2 masquerades all connections from Firewall-1
- Cannot track VPN user access. Since the VPN connection is NAT'ed over twice (once on Firewall-1 and then again on Firewall-2), all connections made to the LAN have their originating IP set to Firewall-2.
- Cannot put access controls on VPN users

Don't ask me why things were done this way but the damage has been done. Now, how do I replace this setup with a more "secure" one?

Should I port forward PPTP ports onto Firewall-2 and then give the VPN connection an address in the 192.168.x.x range? Will dedicating a separate VPN box for exclusively handling VPN traffic increase security?

It would be great if I could get some VPN implementation details from people running VPN on a 2 layer firewall setup. IOW, how do the pros do it? :)

Any help greatly appreciated.

-- Shanu

--
Princess Leia Organa:
Help me, Obi-wan Kenobi. You're my only hope.

From paul at bsdc.ca Mon Oct 15 02:49:49 2001
From: paul at bsdc.ca (Paul Reed)
Date: Mon, 15 Oct 2001 03:49:49 -0400
Subject: [pptp-server] [off-topic] PPTP on a 2 layer firewall
References: <20011015103905.A9500@exocore.com>
Message-ID: <001f01c1554d$f7dd4200$1e6ea8c0@omega>

It may not be the best solution, but this is how I would approach it:

I would use a Linux (2.4 kernel) box as a central Firewall/Router (using iptables).

                         PopTop Server
                       (192.168.1.x/24)
                             /\
                             |
                             \/
                           (eth2)
Internet ---> (eth0) Firewall/Router (eth1)<--> LAN (192.168.0.x/24)
                           (eth3)
                             /\
                             |
                             \/
                     Other Servers (192.168.2.x/24)

(the /24 on the IPs means a subnet mask of 255.255.255.0)

This way, the Firewall acts as a router between 4 separate networks. I would suggest a separate NIC for each network, but you could get away with 1 external and 1 internal NIC with 3 IPs on different networks (by aliasing). With this setup we have the ability to see very strict rules set in place. You can specify which machines/networks can see which servers, etc...

Only the workstations (192.168.0.x) would need to use NAT through the router, but if the servers need to have internet access, you can set up firewall/NAT rules on an IP by IP basis. VERY strict rules would need to be set up on eth0 (External interface); you could still use another firewall in front, but it would just overcomplicate things when forwarding and NATing. As long as your rules are good, another box in front would just be redundant.

Port 1723 and protocol 47 will be forwarded from the firewall to the PoPToP server. The Poptop server can be set up to provide IPs by login, so you can then restrict 'joe' on 192.168.1.20 to see only 1 or two servers and not the LAN network, but 'fred' who uses 192.168.1.21 can see all servers and all networks. 'fred' can even be set up to use the pptp server as his internet gateway, and you can NAT him back through; that way internet traffic to him is filtered through your firewall as well.

This could get very complicated, routing and firewalling is only limited by your imagination.. :)

Hope this helps.. :)

Paul Reed
Systems Administrator
Black Sheep Digital Corp.
www.bsdc.ca
paul at bsdc.ca

----- Original Message -----
From: "Shanker Balan"
To: "Pptp-Server"
Sent: Monday, October 15, 2001 1:09 AM
Subject: [pptp-server] [off-topic] PPTP on a 2 layer firewall

> Hello:
>
> What is "the" way to add VPN to a network? My client has a 2 layer
> firewall setup comprising 2 Linux boxes.
>
> The network looks like this:
>
>             +-------------+          +------------+             +-------+
> Internet -> | Firewall-1  | 10.0.0.x | Firewall-2 | 192.168.x.x |  LAN  |
>             | PopTop      |--------->|            |------------>|       |
>             +-------------+          +------------+             +-------+
>
> In the current setup, the PPTP VPN connection lands on Firewall-1 and
> gets an IP address in the 10.0.1.x segment. Firewall 2 will only accept
> packets from Firewall 1 (10.0.0.x segment). Since the VPN connection is
> on another subnet altogether (10.0.1.x), I have to masquerade the
> VPN connection so that Firewall-2 will accept it. I have to masquerade
> it once again on Firewall 2 as the LAN is again on another network
> altogether - 192.168.x.x.
>
> VPN -> Firewall-1 (NAT) -> Firewall-2 (NAT) -> LAN
>
> Some of the shortcomings I see with this setup are the following:
>
> - This setup makes the firewall redundant. I can directly access any
> machine on the LAN from Firewall-1 as Firewall-2 masquerades all
> connections from Firewall-1
> - Cannot track VPN user access. Since the VPN connection is NAT'ed over twice
> (once on Firewall-1 and then again on Firewall-2), all connections made
> to the LAN have their originating IP set to Firewall-2.
> - Cannot put access controls on VPN users
>
> Don't ask me why things were done this way but the damage has been done.
> Now, how do I replace this setup with a more "secure" one?
>
> Should I port forward PPTP ports onto Firewall-2 and then give the VPN
> connection an address in the 192.168.x.x range? Will dedicating a
> separate VPN box for exclusively handling VPN traffic increase security?
>
> It would be great if I could get some VPN implementation details from
> people running VPN on a 2 layer firewall setup. IOW, how do the pros do
> it? :)
>
> Any help greatly appreciated.
>
> -- Shanu
>
> --
> Princess Leia Organa:
> Help me, Obi-wan Kenobi. You're my only hope.

From MarekButas at seznam.cz Mon Oct 15 03:01:11 2001
From: MarekButas at seznam.cz (Marek Butas)
Date: Mon, 15 Oct 2001 10:01:11 +0200 (CEST)
Subject: [pptp-server] More pptp connections?
Message-ID: <11099.31400-21857-2036069716-1003132871@seznam.cz>

Hi,

First thanks for the how-to. It really helped, now VPN is working and I have no problems with it so far. But, I tested it from only one client computer and somewhere I have read that there is a problem with more concurrent connections, that this is not supported.
Now the question is what exactly will happen, when someone will try to use VPN while another client is already working there. Will it be just rejected? If not, can it mess up something (file ...)?

Thanks

Marek Butas

______________________________________________________________________
Not only an English-Czech dictionary: http://slovnik.seznam.cz

From shanu at exocore.com Mon Oct 15 03:43:08 2001
From: shanu at exocore.com (Shanker Balan)
Date: Mon, 15 Oct 2001 14:13:08 +0530
Subject: [pptp-server] Re: PPTP on a 2 layer firewall
In-Reply-To: <001f01c1554d$f7dd4200$1e6ea8c0@omega>; from paul@bsdc.ca on Mon, Oct 15, 2001 at 03:49:49AM -0400
References: <20011015103905.A9500@exocore.com> <001f01c1554d$f7dd4200$1e6ea8c0@omega>
Message-ID: <20011015141308.A1893@exocore.com>

Hello:

Paul Reed wrote,
> It may not be the best solution, but this is how I would approach it:
>
> I would use a Linux (2.4 kernel) box as a central Firewall/Router (using
> iptables).
>
>                          PopTop Server
>                        (192.168.1.x/24)
>                              /\
>                              |
>                              \/
>                            (eth2)
> Internet ---> (eth0) Firewall/Router (eth1)<--> LAN (192.168.0.x/24)
>                            (eth3)
>                              /\
>                              |
>                              \/
>                      Other Servers (192.168.2.x/24)
>
> (the /24 on the IPs means a subnet mask of 255.255.255.0)
> This way, the Firewall acts as a router between 4 separate networks.
> I would suggest a separate NIC for each network, but you could get
> away with 1 external and 1 internal NIC with 3 IPs on different
> networks (by aliasing). With this setup we have the ability to see
> very strict rules set in place. You can specify which
> machines/networks can see which servers, etc...

This is an interesting setup. Does exactly what I want to do, which is:

a) Restrict movement
b) Track connections

> Only the workstations (192.168.0.x) would need to use NAT through the
> router, but if the servers need to have internet access, you can set up
> firewall/NAT rules on an IP by IP basis. VERY strict rules would need to be
> set up on eth0 (External interface); you could still use another firewall in
> front, but it would just overcomplicate things when forwarding and
> NATing. As long as your rules are good, another box in front would just be
> redundant.

Since the central router/firewall will have static routes to the PopTop server, I won't have to masquerade connections to and from the PopTop server. Great!

> Port 1723 and protocol 47 will be forwarded from the firewall to the PoPToP
> server. The Poptop server can be set up to provide IPs by login, so you can
> then restrict 'joe' on 192.168.1.20 to see only 1 or two servers and not the
> LAN network, but 'fred' who uses 192.168.1.21 can see all servers and all
> networks. 'fred' can even be set up to use the pptp server as his internet
> gateway, and you can NAT him back through; that way internet traffic to him
> is filtered through your firewall as well.

Access controls are always a good thing and something non-existent in the current setup.

> This could get very complicated, routing and firewalling is only limited by
> your imagination.. :)

Heh! :)

> Hope this helps.. :)

Yes it did. Guess I will have to talk to management for a stand alone VPN server and another NIC. :)

Thanks a lot for your time Paul.

--
Luke Skywalker:
I'm Luke Skywalker, I'm here to rescue you.

From Josh.Howlett at bristol.ac.uk Mon Oct 15 04:39:14 2001
From: Josh.Howlett at bristol.ac.uk (Josh Howlett)
Date: Mon, 15 Oct 2001 10:39:14 +0100 (BST)
Subject: [pptp-server] pptp et EAP
In-Reply-To:
Message-ID:

Get the EAP patch from:

ftp://playground.sun.com/pub/eap/index.html

josh.

On Mon, 15 Oct 2001, Julien BOULAND wrote:

> thank you for this answer.
> But where can I get this patch.
> I don't understand comp.protocols.ppp.
> julien
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org] On behalf of Josh Howlett
> Sent: Friday, 12 October 2001 17:44
> To: Julien BOULAND
> Cc: pptp-server
> Subject: Re: [pptp-server] pptp et EAP
>
>
> Hi,
>
> There is an EAP patch to ppp-2.4.0 released by James Carlson, if I
> remember. He hangs out on comp.protocols.ppp
>
> josh.
>
> On Fri, 12 Oct 2001, Julien BOULAND wrote:
>
> > hi
> > I would like to make the poptop pptp linux server work with a w2k client with
> > authentication by certificate. This authentication runs with the EAP protocol,
> > and when I try to run with EAP the client tells me that the pppd of the server
> > can not support EAP authentication. argh !!!
> > if someone knows a solution, it's pretty good to tell me about it!
> > Julien BOULAND
> > (sorry for my english)
> >
> >
> > _________________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
>
> ---------------------------------------
> Josh Howlett, Network Supervisor,
> Networking & Digital Communications,
> Information Systems & Computing,
> University of Bristol, U.K.
> 0117 928 7850 | josh.howlett at bris.ac.uk
> ---------------------------------------

---------------------------------------
Josh Howlett, Network Supervisor,
Networking & Digital Communications,
Information Systems & Computing,
University of Bristol, U.K.
0117 928 7850 | josh.howlett at bris.ac.uk
---------------------------------------

From ybzhg at hotmail.com Mon Oct 15 05:45:10 2001
From: ybzhg at hotmail.com (zhang.yb)
Date: Mon, 15 Oct 2001 18:45:10 +0800
Subject: [pptp-server] MPPE support?
Message-ID:

Hi,

I have a pptp server running in linux set up on my office LAN.

Red Hat 6.2
Kernel rpm RedHat 2.2.19
Server pptpd PoPToP v1.0.1

The client is Win2000.

If the /etc/ppp/options file is:

---------------
name vip
auth
require-chap
proxyarp
--------------

and in the client I do not select "Need data encryption", the VPN establishes. When I select this item, I need to change the /etc/ppp/options file to:

-------------------
name vip
auth
require-chap
proxyarp
require-chapms
require-chapms-v2
mppe-40
mppe-128
mppe-stateless
------------------

Attention: I have installed the MPPE part into the kernel and ppp. But this connect fails, error is 619.

What's wrong?

From ybzhg at hotmail.com Mon Oct 15 06:12:52 2001
From: ybzhg at hotmail.com (zhang.yb)
Date: Mon, 15 Oct 2001 19:12:52 +0800
Subject: [pptp-server] unrecognized option
Message-ID:

Hi,

I have a pptp server running in linux set up on my office LAN.

Red Hat 6.2
Kernel rpm RedHat 2.2.19
Server pptpd PoPToP v1.0.1

The client is Win2000.

The /etc/ppp/options file is:

-------------------
name vip
auth
require-chap
proxyarp
require-chapms
require-chapms-v2
mppe-40
mppe-128
mppe-stateless
------------------

Attention: I have installed the MPPE part into the kernel and ppp.

{
ppp-2.3.11.tar.gz
ppp-2.3.11-openssl-0.9.5-mppe.patch.gz
ppp_mppe_compressed_data_fix.diff
}

When I connect to the server, this error appears:

unrecognized option 'require-chapms'

What's wrong?
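Paul Reed's central firewall/router design discussed earlier in this thread (forward only TCP 1723 and GRE to the PoPToP box, then decide per VPN address what each login may reach), written out as an added iptables example; this is not code from the list, from PoPToP or from Paul. The interface names, the 192.168.0/1/2.x networks and the addresses 192.168.1.20 ('joe') and 192.168.1.21 ('fred') are his; the PoPToP address 192.168.1.10, the server 192.168.2.10, the external address 203.0.113.5 and the chap-secrets fragment are assumptions. Without APPLY=1 the script only prints the rules it would run.

```shell
#!/bin/sh
# Added example: iptables (2.4 kernel) rules for a four-network firewall/router.
# eth0 = Internet, eth1 = LAN 192.168.0.0/24, eth2 = PoPToP 192.168.1.0/24,
# eth3 = other servers 192.168.2.0/24 (layout from Paul Reed's message).
POPTOP=${POPTOP:-192.168.1.10}    # the PoPToP server itself (assumption)
EXT_IP=${EXT_IP:-203.0.113.5}     # firewall's external address (assumption)
SRV_A=${SRV_A:-192.168.2.10}      # the one server 'joe' is allowed to reach (assumption)
LAN=192.168.0.0/24
VPN_NET=192.168.1.0/24
SRV_NET=192.168.2.0/24

# Review first, apply later: the rules are only printed unless APPLY=1.
if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

pptp_forwarding_rules() {
    # Default-deny forwarding; everything below is an explicit exception.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the PPTP control channel (TCP 1723) and GRE (IP protocol 47) come in
    # from the Internet, and only towards the PoPToP server on eth2.
    $IPT -t nat -A PREROUTING -i eth0 -d "$EXT_IP" -p tcp --dport 1723 -j DNAT --to-destination "$POPTOP"
    $IPT -t nat -A PREROUTING -i eth0 -d "$EXT_IP" -p 47 -j DNAT --to-destination "$POPTOP"
    $IPT -A FORWARD -i eth0 -o eth2 -d "$POPTOP" -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    # GRE is not a tracked protocol on a stock 2.4 kernel, so allow both directions explicitly.
    $IPT -A FORWARD -i eth0 -o eth2 -d "$POPTOP" -p 47 -j ACCEPT
    $IPT -A FORWARD -i eth2 -o eth0 -s "$POPTOP" -p 47 -j ACCEPT

    # Workstations on the LAN are the only network that is NATed out by default.
    $IPT -A FORWARD -i eth1 -o eth0 -s "$LAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -s "$LAN" -j SNAT --to-source "$EXT_IP"
}

vpn_user_rules() {
    # Per-user restrictions keyed on the address pppd hands each login:
    # 'joe' (192.168.1.20) sees one server, 'fred' (192.168.1.21) sees everything
    # and may use the tunnel as his Internet gateway. Rules match in order, so the
    # narrow allows come first and the catch-all deny for the VPN segment last.
    $IPT -A FORWARD -i eth2 -s 192.168.1.20 -d "$SRV_A" -j ACCEPT
    $IPT -A FORWARD -i eth2 -s 192.168.1.21 -d "$LAN" -j ACCEPT
    $IPT -A FORWARD -i eth2 -s 192.168.1.21 -d "$SRV_NET" -j ACCEPT
    $IPT -A FORWARD -i eth2 -o eth0 -s 192.168.1.21 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -s 192.168.1.21 -j SNAT --to-source "$EXT_IP"
    # Anything else from a VPN address is logged (for tracking) and dropped.
    $IPT -A FORWARD -i eth2 -s "$VPN_NET" -j LOG --log-prefix "vpn-denied: "
    $IPT -A FORWARD -i eth2 -s "$VPN_NET" -j DROP
}

vpn_chap_secrets() {
    # /etc/ppp/chap-secrets fragment for the PoPToP box: pppd's fourth column is the
    # address the peer is allowed to use, which ties a login to the address the rules
    # above key on (assumed mechanism; secrets are placeholders).
    cat <<'EOF'
# client  server  secret              IP address
joe       *       "CHANGE-ME-joe"     192.168.1.20
fred      *       "CHANGE-ME-fred"    192.168.1.21
EOF
}

pptp_forwarding_rules
vpn_user_rules
vpn_chap_secrets
```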
From a.waller at webpoint.at Mon Oct 15 06:38:24 2001
From: a.waller at webpoint.at (Alex Waller)
Date: Mon, 15 Oct 2001 13:38:24 +0200
Subject: [pptp-server] unrecognized option
In-Reply-To:
Message-ID: <00f901c1556d$e626c020$0101a8c0@intern.webpoint.at>

Hi !

Did you patch with ppp_mppe_compressed_data_fix.diff?

Read http://www.vibres.com/pptpd/example.html. It helped me.

Alex.

WebPoint Internet Services
Alexander Waller
Your partner for your web presence!
A-6840 Götzis
Tel 0043 5523 / 582-44
Fax 0043 5523 / 582-55
Mobile 0043 676 4121128
http://www.webpoint.at/

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of zhang.yb
Sent: Monday, October 15, 2001 1:13 PM
To: pptp-server
Subject: [pptp-server] unrecognized option

Hi,

I have a pptp server running in linux set up on my office LAN.

Red Hat 6.2
Kernel rpm RedHat 2.2.19
Server pptpd PoPToP v1.0.1

The client is Win2000.

The /etc/ppp/options file is:

-------------------
name vip
auth
require-chap
proxyarp
require-chapms
require-chapms-v2
mppe-40
mppe-128
mppe-stateless
------------------

Attention: I have installed the MPPE part into the kernel and ppp.

{
ppp-2.3.11.tar.gz
ppp-2.3.11-openssl-0.9.5-mppe.patch.gz
ppp_mppe_compressed_data_fix.diff
}

When I connect to the server, this error appears:

unrecognized option 'require-chapms'

What's wrong?

From yickkk at ariel.bdeb.qc.ca Mon Oct 15 10:00:21 2001
From: yickkk at ariel.bdeb.qc.ca (Ka Kit Yick)
Date: Mon, 15 Oct 2001 11:00:21 -0400
Subject: [pptp-server] More pptp connections?
References: <11099.31400-21857-2036069716-1003132871@seznam.cz>
Message-ID: <002901c1558a$1cca91d0$473a0e0a@genilog.com>

I'm actually making tests for multisession pptp connections via a NAT device (Winroute and Nexland) and it's not working at all for me.

I'm using SuSE Linux 7.2, pppd 2.4.0 and poptop v.1.1.2.

The NAT device (Nexland) is connected to the net and shares the internet connection with the others behind it. For the internet, it works very well. If I make a pptp connection to my remote server, it works also, but when I try to connect a second one, these are the errors I got on the server:

Oct 15 10:33:21 cdrhpnq pptpd[3157]: Discarding out-of-order packet 5, already have 77
Oct 15 10:33:21 cdrhpnq pptpd[3668]: Discarding out-of-order packet 5, already have 77
Oct 15 10:33:21 cdrhpnq pptpd[3157]: Discarding out-of-order packet 6, already have 77
Oct 15 10:33:21 cdrhpnq pptpd[3668]: Discarding out-of-order packet 6, already have 77
Oct 15 10:33:24 cdrhpnq pptpd[3157]: Discarding out-of-order packet 7, already have 81
Oct 15 10:33:24 cdrhpnq pptpd[3668]: Discarding out-of-order packet 7, already have 81
Oct 15 10:33:24 cdrhpnq pptpd[3157]: Discarding out-of-order packet 8, already have 81
Oct 15 10:33:24 cdrhpnq pptpd[3668]: Discarding out-of-order packet 8, already have 81
Oct 15 10:33:27 cdrhpnq pptpd[3157]: Discarding out-of-order packet 9, already have 84
Oct 15 10:33:27 cdrhpnq pptpd[3668]: Discarding out-of-order packet 9, already have 84

It seems that poptop can't deal with pptp connections behind a NAT device. I talked with technical support of Nexland (www.nexland.com) and they told me that it works with a MS PPTP server. So is there any patch or other linux pptp server that supports multiple pptp sessions behind a NAT device?

thanks

----- Original Message -----
From: "Marek Butas"
To: "PPTP List"
Sent: Monday, October 15, 2001 4:01 AM
Subject: [pptp-server] More pptp connections?

Hi,

First thanks for the how-to. It really helped, now VPN is working and I have no problems with it so far. But, I tested it from only one client computer and somewhere I have read that there is a problem with more concurrent connections, that this is not supported.

Now the question is what exactly will happen, when someone will try to use VPN while another client is already working there. Will it be just rejected? If not, can it mess up something (file ...)?

Thanks

Marek Butas

______________________________________________________________________
Not only an English-Czech dictionary: http://slovnik.seznam.cz

From ckalos at gothambroadband.com Mon Oct 15 11:06:46 2001
From: ckalos at gothambroadband.com (Christopher Kalos)
Date: Mon, 15 Oct 2001 12:06:46 -0400
Subject: [pptp-server] Poptop through NAT redux
Message-ID:

This weekend, we were forced to add a fourth interface to our firewall. As a result, we now have the following setup:

Outside link->Firewall--|
                        |-- DMZ
                        |-- NAT 1
                        |-- NAT 2

The logic behind this is that the second NAT network needs to be completely isolated from our DMZ and primary NAT network for security reasons. It's only there to allow visitors (or in this case, I suppose "tenants" is a better word) to share our bandwidth.

The firewall is running FreeBSD 4.3, using ipfw and out of box natd. The VPN server has been on the primary NAT network, with proper redirects in place for the GRE protocol and pptp port in place since it was built. However, once we added the new interface (fxp3), the VPN immediately broke. I'm not getting logs on the VPN server at all, and the firewall isn't reporting any rejected packets.

Has anyone had any experience with this sort of situation? Telling me to move the VPN server outside isn't an option, and the same applies to getting rid of this secondary NAT network, or switching off of PoPToP. There are multiple internal reasons for this design, and none of them can be changed.
Thanks in advance,

Christopher Kalos
Systems Administrator
Gotham Broadband
212.206.9620 x340

From droman at romansys.com Mon Oct 15 04:14:51 2001
From: droman at romansys.com (Dean Roman)
Date: Mon, 15 Oct 2001 02:14:51 -0700
Subject: [pptp-server] Poptop through NAT redux
References:
Message-ID: <3BCAA90B.2D435ACE@romansys.com>

Christopher,

Just a stupid question, but did you check to make sure that after adding the 4th card, your box didn't renumber the ethernet interfaces starting with the new card? In other words, make sure the logical interface name matches the physical card you think it should.

Thanks,

---Dean.

Christopher Kalos wrote:
>
> This weekend, we were forced to add a fourth interface to our firewall. As
> a result, we now have the following setup:
> Outside link->Firewall--|
>                         |-- DMZ
>                         |-- NAT 1
>                         |-- NAT 2
>
> The logic behind this is that the second NAT network needs to be completely
> isolated from our DMZ and primary NAT network for security reasons. It's
> only there to allow visitors (or in this case, I suppose "tenants" is a
> better word) to share our bandwidth.
> The firewall is running FreeBSD 4.3, using ipfw and out of box natd. The
> VPN server has been on the primary NAT network, with proper redirects in
> place for the GRE protocol and pptp port in place since it was built.
> However, once we added the new interface (fxp3), the VPN immediately broke.
> I'm not getting logs on the VPN server at all, and the firewall isn't
> reporting any rejected packets.
> Has anyone had any experience with this sort of situation? Telling me to
> move the VPN server outside isn't an option, and the same applies to getting
> rid of this secondary NAT network, or switching off of PoPToP. There are
> multiple internal reasons for this design, and none of them can be changed.
>
> Thanks in advance,
>
> Christopher Kalos
> Systems Administrator
> Gotham Broadband
> 212.206.9620 x340

From ckalos at gothambroadband.com Mon Oct 15 11:15:43 2001
From: ckalos at gothambroadband.com (Christopher Kalos)
Date: Mon, 15 Oct 2001 12:15:43 -0400
Subject: [pptp-server] Poptop through NAT redux
In-Reply-To: <3BCAA90B.2D435ACE@romansys.com>
Message-ID:

Yeah, I made sure about that one, too. The other interfaces are unchanged, and the new interface is set to fxp3.

CK

-----Original Message-----
From: droman2 at gothambroadband.com [mailto:droman2 at gothambroadband.com] On Behalf Of Dean Roman
Sent: Monday, October 15, 2001 5:15 AM
To: Christopher Kalos
Cc: Poptop Mailing List
Subject: Re: [pptp-server] Poptop through NAT redux

Christopher,

Just a stupid question, but did you check to make sure that after adding the 4th card, your box didn't renumber the ethernet interfaces starting with the new card? In other words, make sure the logical interface name matches the physical card you think it should.

Thanks,

---Dean.

Christopher Kalos wrote:
>
> This weekend, we were forced to add a fourth interface to our firewall. As
> a result, we now have the following setup:
> Outside link->Firewall--|
>                         |-- DMZ
>                         |-- NAT 1
>                         |-- NAT 2
>
> The logic behind this is that the second NAT network needs to be completely
> isolated from our DMZ and primary NAT network for security reasons. It's
> only there to allow visitors (or in this case, I suppose "tenants" is a
> better word) to share our bandwidth.
> The firewall is running FreeBSD 4.3, using ipfw and out of box natd. The
> VPN server has been on the primary NAT network, with proper redirects in
> place for the GRE protocol and pptp port in place since it was built.
> However, once we added the new interface (fxp3), the VPN immediately broke.
> I'm not getting logs on the VPN server at all, and the firewall isn't
> reporting any rejected packets.
> Has anyone had any experience with this sort of situation? Telling me to
> move the VPN server outside isn't an option, and the same applies to getting
> rid of this secondary NAT network, or switching off of PoPToP. There are
> multiple internal reasons for this design, and none of them can be changed.
>
> Thanks in advance,
>
> Christopher Kalos
> Systems Administrator
> Gotham Broadband
> 212.206.9620 x340

From anesthes at cisdi.com Mon Oct 15 13:23:05 2001
From: anesthes at cisdi.com (Joey Coco)
Date: Mon, 15 Oct 2001 13:23:05 -0500 (EST)
Subject: [pptp-server] Anyone seen this one?
In-Reply-To: <3BCAA90B.2D435ACE@romansys.com>
Message-ID:

Hi,

This crashes my tunnel, using Linux kernel 2.4.7, pppd 2.4.0b4. I get this in dmesg:

Not enough space to encrypt packet: 1494<1494+4!
Not enough space to encrypt packet: 1494<1494+4!
Not enough space to encrypt packet: 1494<1494+4!
Not enough space to encrypt packet: 1494<1494+4!
Not enough space to encrypt packet: 1494<1494+4!
Not enough space to encrypt packet: 1494<1494+4!
Not enough space to encrypt packet: 1494<1494+4!
PPP: VJ decompression error

-- Joe

From barjunk at attglobal.net Mon Oct 15 12:18:51 2001
From: barjunk at attglobal.net (Michael Barsalou)
Date: Mon, 15 Oct 2001 09:18:51 -0800
Subject: [pptp-server] VPN clients sharing data
Message-ID: <3BCAA9FB.23688.4DDCCB@localhost>

We were thinking about letting two vpn clients share their data between each other. Is this possible? What are the kinds of things to look for if the machines aren't able to share their data?
Mike
Michael Barsalou
barjunk at attglobal.net

From Steve at SteveCowles.com Mon Oct 15 14:24:18 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Mon, 15 Oct 2001 14:24:18 -0500
Subject: [pptp-server] VPN clients sharing data
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE8B0@defiant.infohiiway.com>

> -----Original Message-----
> From: Michael Barsalou [mailto:barjunk at attglobal.net]
>
> We were thinking about letting two vpn clients share their data
> between each other. Is this possible?
>
> What are the kinds of things to look for if the machines aren't able
> to share their data?
>
> Mike

Personally, I have never tried this (security policies do not allow), but I would think it's possible. Although, given the path that each packet would take to share data among the clients, it might be rather slow. With this in mind, I would think the only configuration issues to be resolved would be routing or firewall related, i.e. is ppp0 allowed to route data to/from ppp1 and vice versa.

Steve Cowles

From a.waller at webpoint.at Mon Oct 15 15:24:56 2001
From: a.waller at webpoint.at (Alex Waller)
Date: Mon, 15 Oct 2001 22:24:56 +0200
Subject: [pptp-server] Killing a specific VPN
Message-ID: <001601c155b7$75003ad0$0101a8c0@intern.webpoint.at>

Hi! I have set up a PoPToP server. Multiple users connect to me. Sometimes there is a problem on some networks and one of the PPTP connections dies, but the interface and the pptpctrl session stay alive. Now I want to kill this specific task. To test if the connection is alive I ping the other side regularly. I know the pid of the pppd task, but it is not enough to "kill -s 9 " or to "ifconfig pppx down"; the pptpctrl stays alive. Can someone help?

Alex.

WebPoint Internet Services
Alexander Waller
Your partner for your web presence!
A-6840 Götzis
Tel 0043 5523 / 582-44
Fax 0043 5523 / 582-55
Mobil 0043 676 4121128
http://www.webpoint.at/
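On Alex's question above (pppd gone, pptpctrl and the interface still there): the following is an added example, not code from the original post or from the PoPToP project. It assumes the PoPToP process layout, in which pptpd forks one pptpctrl per control connection and pptpctrl in turn forks pppd, so the process to terminate is pppd's parent; it also assumes Linux /proc (with a `ps` fallback) and iputils ping's `-W` timeout. The function names are the example's own.

```python
"""Tear down one PoPToP session whose tunnel has gone dead.

Added example, not code from the original post or from PoPToP. It assumes
the PoPToP process layout (pptpd forks one pptpctrl per control connection,
and pptpctrl forks pppd), Linux /proc with a `ps` fallback, and iputils
ping's `-W` timeout. All function names here are the example's own.
"""
import os
import signal
import subprocess


def parent_pid(pid):
    """Parent PID of `pid`: Linux /proc first, `ps` as a portable fallback."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            # Layout is "pid (comm) state ppid ...". comm may contain spaces,
            # so split after the last ')' before taking fields.
            fields = f.read().rsplit(")", 1)[1].split()
        return int(fields[1])
    except FileNotFoundError:
        out = subprocess.check_output(["ps", "-o", "ppid=", "-p", str(pid)], text=True)
        return int(out.strip())


def process_name(pid):
    """Executable name (comm) of `pid`; used as a guard before sending signals."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except FileNotFoundError:
        out = subprocess.check_output(["ps", "-o", "comm=", "-p", str(pid)], text=True)
        return os.path.basename(out.strip())


def pppd_pid_for(ifname):
    """pppd's PID for interface `ifname`, from the /var/run/<ifname>.pid pppd writes."""
    with open(f"/var/run/{ifname}.pid") as f:
        return int(f.read().split()[0])


def peer_alive(peer_ip, tries=3):
    """True if the far end of the tunnel answers at least one of `tries` pings."""
    for _ in range(tries):
        rc = subprocess.call(["ping", "-c", "1", "-W", "2", peer_ip],
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if rc == 0:
            return True
    return False


def session_kill_plan(pppd_pid, expect_parent="pptpctrl"):
    """Signals to send, as [(pid, signal), ...], controller first.

    Returns [] if pppd's parent is not `expect_parent`, so that a stale or
    recycled PID never gets an unrelated process (or init) killed."""
    ppid = parent_pid(pppd_pid)
    if ppid <= 1 or process_name(ppid) != expect_parent:
        return []
    return [(ppid, signal.SIGTERM), (pppd_pid, signal.SIGTERM)]


def kill_session(pppd_pid, expect_parent="pptpctrl", dry_run=False):
    """Apply session_kill_plan(); processes that already exited are ignored."""
    plan = session_kill_plan(pppd_pid, expect_parent)
    if not dry_run:
        for pid, sig in plan:
            try:
                os.kill(pid, sig)
            except ProcessLookupError:
                pass
    return plan


if __name__ == "__main__":
    import sys
    # usage: kill_pptp_session.py <pppN> <peer-ip>   (run as root, e.g. from cron)
    ifname, peer = sys.argv[1], sys.argv[2]
    if peer_alive(peer):
        print(f"{ifname}: peer {peer} still answers, leaving session alone")
    else:
        print(f"{ifname}: killed {kill_session(pppd_pid_for(ifname))}")
```

The parent-name check is the part worth keeping even if the rest is replaced by a one-liner: pppd PIDs get recycled, and a cron job that blindly kills "the parent of the pid in ppp3.pid" will eventually kill something else. Note also that pppd's own `lcp-echo-interval` and `lcp-echo-failure` options make pppd detect a dead peer and exit by itself, which removes the need for an external ping loop in most cases.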
From shost at intellimec.com Mon Oct 15 16:41:31 2001
From: shost at intellimec.com (Steve Host)
Date: Mon, 15 Oct 2001 17:41:31 -0400
Subject: [pptp-server] Pptp is working, however something's wrong!
Message-ID: <001801c155c2$2796dfa0$5009630a@intellimec.com>

Setup: Dialup clients, connecting via PPTP to a Linux gateway.

Current state: the client can ping any internal addresses; it can also browse any computers and retrieve files. Printing over the network is no problem. Machines behind the firewall on the LAN cannot ping the client's assigned IP address, thus they can't reach the client.

The client also doesn't see all the machines by default in Network Neighbourhood (however // works).

I'm mostly concerned with the seemingly one-way nature of the connection, and looking for possible causes of this.

I've set the Samba server to act as a WINS server; however, only the dialup client is aware of the server. I don't believe this should make a difference.

Forwarding rules:

/sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
/sbin/ipchains -A input -p 47 -j ACCEPT

/sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
/sbin/ipchains -A output -p 47 -j ACCEPT
/sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

The last line is because the clients' IP range is 192.168.1.150-160 while the PCs are in the 192.168.1.20-30 range.

Thanks, folks.

From sean at cyberfarer.com Mon Oct 15 17:39:58 2001
From: sean at cyberfarer.com (Sean)
Date: Mon, 15 Oct 2001 18:39:58 -0400
Subject: [pptp-server] Link being dropped
References: <001601c155b7$75003ad0$0101a8c0@intern.webpoint.at>
Message-ID: <005501c155ca$55185fa0$0202a8c0@sympatico.ca>

I set up pptpd on a server. Attempting a remote connect, I receive a connection; upon verification of username and password, I get dumped out. I am not yet using mschap as I would like to see it just work. I will get more complicated after a successful test on the default settings.
pptpd.conf is as follows:

speed 115200
localip 192.168.1.234-238
remoteip 192.168.1.239-243

chap-secrets:

username Server password *

Syslog results:

Oct 15 18:26:47 mail pptpd[2861]: CTRL: Received PPTP Control Message (type: 12)
Oct 15 18:26:47 mail pptpd[2861]: CTRL: Made a CALL DISCONNECT RPLY packet
Oct 15 18:26:47 mail pptpd[2861]: CTRL: Received CALL CLR request (closing call)
Oct 15 18:26:47 mail pptpd[2861]: CTRL: I wrote 148 bytes to the client.
Oct 15 18:26:47 mail pptpd[2861]: CTRL: Sent packet to client
Oct 15 18:26:47 mail pptpd[2861]: CTRL: Error with select(), quitting
Oct 15 18:26:47 mail pptpd[2861]: CTRL: Client x.x.x.x control connection finished
Oct 15 18:26:47 mail pptpd[2861]: CTRL: Exiting now
Oct 15 18:26:47 mail pptpd[2860]: MGR: Reaped child 2861
Oct 15 18:26:47 mail pppd[2862]: Modem hangup
Oct 15 18:26:47 mail pppd[2862]: Connection terminated.
Oct 15 18:26:47 mail pppd[2862]: Connect time 0.2 minutes.
Oct 15 18:26:47 mail pppd[2862]: Sent 149 bytes, received 149 bytes.
Oct 15 18:26:47 mail pppd[2862]: Exit.
Oct 15 18:26:54 mail pppd[30237]: rcvd [LCP EchoReq id=0xa1 magic=0xba40d84e d8 7e 58 02]
Oct 15 18:26:54 mail pppd[30237]: sent [LCP EchoRep id=0xa1 magic=0xa9926225 d8 7e 58 02]

Any help appreciated. Thanks.

From jvonau at home.com Mon Oct 15 18:51:22 2001
From: jvonau at home.com (Jerry Vonau)
Date: Mon, 15 Oct 2001 18:51:22 -0500
Subject: [pptp-server] Pptp is working, however something's wrong!
References: <001801c155c2$2796dfa0$5009630a@intellimec.com>
Message-ID: <3BCB767A.EF86D948@home.com>

Steve:

Just a quick thought: using the -A option with ipchains places it at the end of the rules. This line needs to be before any masq lines, or it may cause a problem. Connections from the LAN would be masq'ed in error while connections from ppp are forwarded correctly. First match of rules wins... need to see a little more of your rules.
Jerry Vonau Steve Host wrote: > > Setup: Dialup clients, connecting via PPTP to Linux gateway. > > Current state: client can ping any internal addresses, it can also browse > any computers and retrieve files. Printing over network is no problem. > Machines behind firewall on the LAN can not ping the clients assigned IP > address, thus they can't reach the client. > > Client also doesn't see all the machines by default on network neighbourhood > (however // works) > > I'm mostly concerned with the seemingly one way nature of the connection, > and looking for possible causes of this. > > I've set the samba server to act as a WINS server, however only the dialup > client is aware of the server. I don't believe this should make a > difference. > > Forwarding rules: > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT > /sbin/ipchains -A input -p 47 -j ACCEPT > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT > /sbin/ipchains -A output -p 47 -j ACCEPT > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT > > The last line is because the Client's IP range is 192.168.1.150-160 while > PC's are in the 192.168.1.20-30 range > > Thanks, folks. > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- From berzerke at swbell.net Mon Oct 15 21:44:12 2001 From: berzerke at swbell.net (robert) Date: Mon, 15 Oct 2001 21:44:12 -0500 Subject: [pptp-server] Anyone seen this one? In-Reply-To: References: Message-ID: <0GLA00DJ927ULH@mta4.rcsntx.swbell.net> What do the commands "free" and "df -h" show? On Monday 15 October 2001 01:23 pm, Joey Coco wrote: > Hi, > > This crashes my tunnel, using Linux kernel 2.4.7, > pppd 2.4.0b4, get this in dmesg: > > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! 
> Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > PPP: VJ decompression error > > > -- Joe > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- From neale at lowendale.com.au Mon Oct 15 22:04:36 2001 From: neale at lowendale.com.au (Neale Banks) Date: Tue, 16 Oct 2001 13:04:36 +1000 (EST) Subject: [pptp-server] Anyone seen this one? In-Reply-To: Message-ID: On Mon, 15 Oct 2001, Joey Coco wrote: > This crashes my tunnel, using Linux kernel 2.4.7, > pppd 2.4.0b4, get this in dmesg: > > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > Not enough space to encrypt packet: 1494<1494+4! > PPP: VJ decompression error This was discussed on another list recently. Here's what was suggested there: On Tue, 9 Oct 2001, Steven Ihde wrote: > > Date: Tue, 9 Oct 2001 20:28:11 -0700 > From: Steven Ihde > To: Neale Banks > Cc: Ferenc Tamas Gyurcsan , pptp at list.lameter.com > Subject: Re: [Pptp] Not enough space in kernel.... > > On Wed, Oct 10, 2001 at 12:39:32PM +1000, Neale Banks wrote: > > On Tue, 9 Oct 2001, Ferenc Tamas Gyurcsan wrote: > > > > > Hi people, > > > > > > I managed to get my pptp working. I'm connecting from linux to win2000. 
> > > Now I get this message in syslog: > > > > > > Oct 9 22:17:05 jade pppd[2159]: sent [LCP EchoReq id=0x10 > magic=0xc33c0bc5] > > > Oct 9 22:17:05 jade pppd[2159]: rcvd [LCP EchoRep id=0x10 > magic=0x50737f9f] > > > Oct 9 22:17:13 jade kernel: Not enough space to encrypt packet: > 1004<1004+4! > > > > > > How can I solve this problem? > > > > http://lists.schulte.org/pipermail/pptp-server/2000-July/007754.html ? > > > > In your case, perhaps try mru 990 and mtu 990 > > I do not believe that reducing the MTU will help (the MRU is not > relevant in this situation). The patch available at > > http://mirror.binarix.com/ppp-mppe/linux-2.4.4-openssl-0.9.6a-mppe.patch.gz > > should solve this problem (it should apply relatively cleanly to any > 2.4.x kernel version). > > The problem is that ppp_generic.c assumes that no "compression" method > will ever cause a frame to grow. However, MPPE causes every frame to > grow by four bytes. This only generates the above error message when > you are trying to send a frame that is within four bytes of the MTU. > > Reducing the MTU will not help because if you reduce the MTU, > ppp_generic.c will just reduce the size of the buffer that it passes > to the compressor. > > -Steve > > > -- > Steven C. Ihde > PGP Key ID: 0x7793756D > PGP Fingerprint: DC 55 8B CA 50 8B DD 75 67 45 96 4D FF 42 8A 6C > HTH, Neale. From berzerke at swbell.net Mon Oct 15 21:58:40 2001 From: berzerke at swbell.net (robert) Date: Mon, 15 Oct 2001 21:58:40 -0500 Subject: [pptp-server] Pptp is working, however something's wrong! In-Reply-To: <001801c155c2$2796dfa0$5009630a@intellimec.com> References: <001801c155c2$2796dfa0$5009630a@intellimec.com> Message-ID: <0GLA0049U2W2I6@mta4.rcsntx.swbell.net> Printing and retrieving files proves the communication is two way. I suspect your firewall is blocking the pings, or perhaps the client has a firewall that blocks pings... 
On Monday 15 October 2001 04:41 pm, Steve Host wrote: > Setup: Dialup clients, connecting via PPTP to Linux gateway. > > Current state: client can ping any internal addresses, it can also browse > any computers and retrieve files. Printing over network is no problem. > Machines behind firewall on the LAN can not ping the clients assigned IP > address, thus they can't reach the client. > > Client also doesn't see all the machines by default on network > neighbourhood (however // works) > > I'm mostly concerned with the seemingly one way nature of the connection, > and looking for possible causes of this. > > I've set the samba server to act as a WINS server, however only the dialup > client is aware of the server. I don't believe this should make a > difference. > > Forwarding rules: > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT > /sbin/ipchains -A input -p 47 -j ACCEPT > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT > /sbin/ipchains -A output -p 47 -j ACCEPT > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT > > The last line is because the Client's IP range is 192.168.1.150-160 while > PC's are in the 192.168.1.20-30 range > > > Thanks, folks. > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- From ybzhg at hotmail.com Tue Oct 16 01:13:07 2001 From: ybzhg at hotmail.com (zhang.yb) Date: Tue, 16 Oct 2001 14:13:07 +0800 Subject: [pptp-server] use Sniffer to see the error? Message-ID: Hi, I set up pptpd on a server(redhat 6.1 kernel 2.2.19) Attempting a remote connect, I receive a connection, upon verification of username and password, I get the error :619 in the client(win 2000). I am using mschap as I would like to see it just work. 
The /etc/ppp/options file:

-------------------
name vip
auth
require-chap
proxyarp
require-chapms
require-chapms-v2
mppe-40
mppe-128
mppe-stateless
------------------

and I have patched the kernel with MPPE support and patched the ppp with MPPE support. If you have Sniffer installed in your system, you can see more information about this error.

Thanks a lot. Best wishes!

[attachment: Snif.cap, application/octet-stream, 3986 bytes]

From jbouland at yahoo.fr Tue Oct 16 03:44:04 2001
From: jbouland at yahoo.fr (Julien BOULAND)
Date: Tue, 16 Oct 2001 10:44:04 +0200
Subject: [pptp-server] pptp with EAP and certificat
In-Reply-To:
Message-ID:

Hi, I want to create a VPN using a pptpd server and a Windows client with the certificate authentication method. I use the EAP extension for pppd. If someone knows something about this, could they tell me about it? Thanks for all, Julien BOULAND.

From shost at intellimec.com Tue Oct 16 08:14:53 2001
From: shost at intellimec.com (Steve Host)
Date: Tue, 16 Oct 2001 09:14:53 -0400
Subject: [pptp-server] Pptp is working, however something's wrong!
References: <001801c155c2$2796dfa0$5009630a@intellimec.com> <3BCB767A.EF86D948@home.com>
Message-ID: <004301c15644$8b3425e0$5009630a@intellimec.com>

That's interesting. I originally used -I and not until I changed it to -A was I able to actually do anything on the client side (that being telnet to a local Unix server, or view shares inside the network, etc).
ipchains --list Chain input (policy ACCEPT): target prot opt source destination ports ACCEPT tcp ------ anywhere anywhere any -> 1723 ACCEPT 47 ------ anywhere anywhere n/a Chain forward (policy ACCEPT): target prot opt source destination ports MASQ all ------ 192.168.1.0/24 anywhere n/a ACCEPT all ------ 192.168.1.0/24 10.99.9.0/24 n/a Chain output (policy ACCEPT): target prot opt source destination ports ACCEPT all ------ 10.99.9.0/24 anywhere n/a ACCEPT tcp ------ anywhere anywhere 1723 -> any ACCEPT 47 ------ anywhere anywhere n/a These are my rules.. notice lack of deny? =) My rules are pretty simple.. i haven't added too much yet. I'll reverse the order of my rules. and see what happens. ----- Original Message ----- From: "Jerry Vonau" To: "Steve Host" Cc: Sent: Monday, October 15, 2001 7:51 PM Subject: Re: [pptp-server] Pptp is working, however something's wrong! > Steve: > > Just a quick thought.. using the -A option with ipchains places it at > the end of the rules. > This line needs to be before any masq lines, or it may cause a problem. > Connections from the > lan would be masq'ed in error while connections from ppp are forwarded > correctly. > First match of rules wins.... need to see a little more of your rules. > > Jerry Vonau > > > > Steve Host wrote: > > > > Setup: Dialup clients, connecting via PPTP to Linux gateway. > > > > Current state: client can ping any internal addresses, it can also browse > > any computers and retrieve files. Printing over network is no problem. > > Machines behind firewall on the LAN can not ping the clients assigned IP > > address, thus they can't reach the client. > > > > Client also doesn't see all the machines by default on network neighbourhood > > (however // works) > > > > I'm mostly concerned with the seemingly one way nature of the connection, > > and looking for possible causes of this. > > > > I've set the samba server to act as a WINS server, however only the dialup > > client is aware of the server. 
I don't believe this should make a > > difference. > > > > Forwarding rules: > > > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT > > /sbin/ipchains -A input -p 47 -j ACCEPT > > > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT > > /sbin/ipchains -A output -p 47 -j ACCEPT > > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT > > > > The last line is because the Client's IP range is 192.168.1.150-160 while > > PC's are in the 192.168.1.20-30 range > > > > Thanks, folks. > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > --- To unsubscribe, go to the url just above this line. -- > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- > From Steve at SteveCowles.com Tue Oct 16 08:52:30 2001 From: Steve at SteveCowles.com (Cowles, Steve) Date: Tue, 16 Oct 2001 08:52:30 -0500 Subject: [pptp-server] Pptp is working, however something's wrong! Message-ID: <90769AF04F76D41186C700A0C90AFC3EE8B1@defiant.infohiiway.com> > -----Original Message----- > From: Steve Host [mailto:shost at intellimec.com] > Sent: Tuesday, October 16, 2001 8:15 AM > To: Jerry Vonau > Cc: pptp-server at lists.schulte.org > Subject: Re: [pptp-server] Pptp is working, however something's wrong! > > > That's interesting. I origionally used -I and not until i > changed it to -A was I able to actually do anything on the > client side (that being telnet to a local unix server, or > view shares inside the network, etc). 
> > ipchains --list Another option I find useful in trying to diagnose problems with firewall filter rules is: ipchains -L -n --line-numbers From ckalos at gothambroadband.com Tue Oct 16 08:56:56 2001 From: ckalos at gothambroadband.com (Christopher Kalos) Date: Tue, 16 Oct 2001 09:56:56 -0400 Subject: [pptp-server] Poptop through NAT redux In-Reply-To: Message-ID: Nevermind, somehow my constantly restarting natd (to test various additional options) finally kicked it back into working order. Don't ask how, since I can't figure it out either. Thanks, CK -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Christopher Kalos Sent: Monday, October 15, 2001 12:16 PM To: Poptop Mailing List Subject: RE: [pptp-server] Poptop through NAT redux Yeah, I made sure about that one, too. The other interfaces are unchanged, and the new interface is set to fxp3. CK -----Original Message----- From: droman2 at gothambroadband.com [mailto:droman2 at gothambroadband.com]On Behalf Of Dean Roman Sent: Monday, October 15, 2001 5:15 AM To: Christopher Kalos Cc: Poptop Mailing List Subject: Re: [pptp-server] Poptop through NAT redux Christopher, Just a stupid question, but did you check to make sure that after adding the 4th card, your box didn't renumber the ethernet interfaces starting with the new card? In other words, make sure the logical interface name matches the physical card you think it should. Thanks, ---Dean. Christopher Kalos wrote: > > This weekend, we were forced to add a fourth interface to our firewall. As > a result, we now have the following setup: > Outside link->Firewall--| > |-- DMZ > |-- NAT 1 > |-- NAT 2 > > The logic behind this is that the second NAT network needs to be completely > isolated from our DMZ and primary NAT network for security reasons. It's > only there to allow visitors (or in this case, I suppose "tenants" is a > better word) to share our bandwidth. 
> The firewall is running FreeBSD 4.3, using ipfw and out of box natd. The > VPN server has been on the primary NAT network, with proper redirects in > place for the GRE protocol and pptp port in place since it was built. > However, once we added the new interface (fxp3), the VPN immediately broke. > I'm not getting logs on the VPN server at all, and the firewall isn't > reporting any rejected packets. > Has anyone had any experience with this sort of situation? Telling me to > move the VPN server outside isn't an option, and the same applies to getting > rid of this secondary NAT network, or switching off of PoPToP. There are > multiple internal reasons for this design, and none of them can be changed. > > Thanks in advance, > > Christopher Kalos > Systems Administrator > Gotham Broadband > 212.206.9620 x340 > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- _______________________________________________ pptp-server maillist - pptp-server at lists.schulte.org http://lists.schulte.org/mailman/listinfo/pptp-server --- To unsubscribe, go to the url just above this line. -- From charlieb at e-smith.com Tue Oct 16 09:29:22 2001 From: charlieb at e-smith.com (Charlie Brady) Date: Tue, 16 Oct 2001 10:29:22 -0400 (EDT) Subject: [pptp-server] pptp with EAP and certificat In-Reply-To: Message-ID: On Tue, 16 Oct 2001, Julien BOULAND wrote: > i want to create a vpn using pptpd serveur and windows client with certicat > authentification methode. > i use the EAP extension for pppd. > if someone know something about this, this guy can tell me about. Yes, you asked this question last Friday. It has since been answered here. The answer was also sent directly to you. There are some patches to do this - ftp://playground.sun.com/pub/eap/index.html but as far as I know nobody has interfaced them to PoPToP. 
Charlie Brady charlieb at e-smith.com Lead Product Developer Network Server Solutions Group http://www.e-smith.com/ Mitel Networks Corporation http://www.mitel.com/ Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 From shost at intellimec.com Tue Oct 16 10:31:24 2001 From: shost at intellimec.com (Steve Host) Date: Tue, 16 Oct 2001 11:31:24 -0400 Subject: [pptp-server] Pptp is working, however something's wrong! References: <001801c155c2$2796dfa0$5009630a@intellimec.com> <3BCB767A.EF86D948@home.com> Message-ID: <009d01c15657$9d7ad1a0$5009630a@intellimec.com> Here's my rules: Chain input (policy ACCEPT): num target prot opt source destination ports 1 ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1723 2 ACCEPT 47 ------ 0.0.0.0/0 0.0.0.0/0 n/a Chain forward (policy ACCEPT): num target prot opt source destination ports 1 MASQ all ------ 192.168.1.0/24 0.0.0.0/0 n/a 2 ACCEPT all ------ 192.168.1.0/24 192.168.1.0/24 n/a Chain output (policy ACCEPT): num target prot opt source destination ports 1 ACCEPT all ------ 10.99.9.0/24 0.0.0.0/0 n/a 2 ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 1723 -> * 3 ACCEPT 47 ------ 0.0.0.0/0 0.0.0.0/0 n/a I've re-arranged the chain forward MASQ rule to be first and second in that chain, and with MASQ FIRST my clients can ping any host in the internal network. When i put MASQ second in the chain client cannot ping any hosts. Internally I can't ping the client from LAN with either arrangement of masq chain forward rule. Note i've tried to delete rule 1 of output chain, it won't delete it. It should be irrelevant anyway. ----- Original Message ----- From: "Jerry Vonau" To: "Steve Host" Cc: Sent: Monday, October 15, 2001 7:51 PM Subject: Re: [pptp-server] Pptp is working, however something's wrong! > Steve: > > Just a quick thought.. using the -A option with ipchains places it at > the end of the rules. > This line needs to be before any masq lines, or it may cause a problem. 
> Connections from the > lan would be masq'ed in error while connections from ppp are forwarded > correctly. > First match of rules wins.... need to see a little more of your rules. > > Jerry Vonau > > > > Steve Host wrote: > > > > Setup: Dialup clients, connecting via PPTP to Linux gateway. > > > > Current state: client can ping any internal addresses, it can also browse > > any computers and retrieve files. Printing over network is no problem. > > Machines behind firewall on the LAN can not ping the clients assigned IP > > address, thus they can't reach the client. > > > > Client also doesn't see all the machines by default on network neighbourhood > > (however // works) > > > > I'm mostly concerned with the seemingly one way nature of the connection, > > and looking for possible causes of this. > > > > I've set the samba server to act as a WINS server, however only the dialup > > client is aware of the server. I don't believe this should make a > > difference. > > > > Forwarding rules: > > > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT > > /sbin/ipchains -A input -p 47 -j ACCEPT > > > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT > > /sbin/ipchains -A output -p 47 -j ACCEPT > > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT > > > > The last line is because the Client's IP range is 192.168.1.150-160 while > > PC's are in the 192.168.1.20-30 range > > > > Thanks, folks. > > > > _______________________________________________ > > pptp-server maillist - pptp-server at lists.schulte.org > > http://lists.schulte.org/mailman/listinfo/pptp-server > > --- To unsubscribe, go to the url just above this line. -- > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. 
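Steve's two orderings above, replayed as an added illustration (not code from the original post): a first-match evaluator for an ipchains-style forward chain, run over his chain with MASQ first, with MASQ second, and over an interface-qualified chain of the kind Jerry posts in his follow-up. It shows which rule each flow actually hits, which is the "first match wins" point Jerry made. The LAN (192.168.1.0/24) and client addresses (192.168.1.150) are the ones posted; the interface names eth0 (LAN), eth1 (outside) and ppp0, and the Internet address 198.51.100.7, are assumed for the example. Note that in the ipchains forward chain `-i` names the interface the packet will leave on.

```python
"""First-match evaluation of an ipchains-style forward chain.

Added illustration, not code from the original post. Replays Steve's two
orderings of his forward chain and an interface-qualified chain in the
style Jerry suggests against constructed sample flows. LAN and client
addresses are the ones posted; eth0/eth1/ppp0 and 198.51.100.7 are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, MASQ, DENY, ...
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    iface: Optional[str] = None   # ipchains -i; in the forward chain this is the
                                  # interface the packet leaves on; "ppp+" is
                                  # ipchains' prefix wildcard (ppp0, ppp1, ...)

    def matches(self, src, dst, out_iface):
        if self.iface is not None:
            if self.iface.endswith("+"):
                if not out_iface.startswith(self.iface[:-1]):
                    return False
            elif out_iface != self.iface:
                return False
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


def lookup(chain, src, dst, out_iface, policy="ACCEPT"):
    """Target of the first matching rule, else the chain policy (first match wins)."""
    for rule in chain:
        if rule.matches(src, dst, out_iface):
            return rule.target
    return policy


LAN, ANY = "192.168.1.0/24", "0.0.0.0/0"

# Steve's forward chain as listed, MASQ first (the ordering where his clients could ping)
STEVE_MASQ_FIRST = [Rule("MASQ", LAN, ANY), Rule("ACCEPT", LAN, LAN)]
# ...and with the two rules swapped
STEVE_MASQ_SECOND = [Rule("ACCEPT", LAN, LAN), Rule("MASQ", LAN, ANY)]
# Interface-qualified chain in Jerry's style: INTIF=eth0, EXTIF=eth1 (assumed names)
JERRY_STYLE = [
    Rule("ACCEPT", LAN, LAN, iface="ppp+"),   # LAN -> VPN client, leaving via ppp
    Rule("ACCEPT", LAN, LAN, iface="eth0"),   # VPN client -> LAN, leaving via eth0
    Rule("MASQ", LAN, ANY, iface="eth1"),     # only traffic to the net is masqueraded
]

# Constructed sample flows: (description, src, dst, outgoing interface)
FLOWS = [
    ("lan->vpn client", "192.168.1.25", "192.168.1.150", "ppp0"),
    ("vpn client->lan", "192.168.1.150", "192.168.1.25", "eth0"),
    ("lan->internet", "192.168.1.25", "198.51.100.7", "eth1"),
]


def trace(chain):
    """Map each sample flow's description to the target it hits in `chain`."""
    return {name: lookup(chain, s, d, i) for name, s, d, i in FLOWS}


if __name__ == "__main__":
    for label, chain in (("masq first", STEVE_MASQ_FIRST),
                         ("masq second", STEVE_MASQ_SECOND),
                         ("interface-qualified", JERRY_STYLE)):
        print(f"{label:20s} {trace(chain)}")
```

With MASQ first, every LAN-to-client and client-to-LAN packet is masqueraded before the LAN-to-LAN ACCEPT is ever consulted, which is the "masq'ed in error" case Jerry describes; with MASQ second only Internet-bound traffic is masqueraded, and the interface-qualified chain gets the same result without depending on rule order alone. The replay says which rule fires, not why the pings behaved as Steve observed; for that, `ipchains -L -n --line-numbers` plus packet counters on the live box is still the check to run.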
From jvonau at home.com Tue Oct 16 12:55:07 2001
From: jvonau at home.com (Jerry Vonau)
Date: Tue, 16 Oct 2001 12:55:07 -0500
Subject: [pptp-server] Pptp is working, however something's wrong!
References: <001801c155c2$2796dfa0$5009630a@intellimec.com> <3BCB767A.EF86D948@home.com> <009d01c15657$9d7ad1a0$5009630a@intellimec.com>
Message-ID: <3BCC747B.6BCE14CC@home.com>

Steve:

I use the interface in all my forward rules; it helps to recall what the rule is for :-)

#LAN going anywhere is valid
/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -s $INTLAN -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -s $UNIVERSE -d $INTLAN

#ppp going to/from LAN is valid
/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN
/sbin/ipchains -A output -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN

#pptp going to/from LAN is valid
/sbin/ipchains -A forward -j ACCEPT -i ppp+ -s $INTLAN -d $INTLAN
/sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $INTLAN

#masq everything out to the net
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE

I think that the -i may be required for the forwarding rules to work correctly.
Jerry Vonau Steve Host wrote: > > Here's my rules: > Chain input (policy ACCEPT): > num target prot opt source destination > ports > 1 ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> > 1723 > 2 ACCEPT 47 ------ 0.0.0.0/0 0.0.0.0/0 n/a > Chain forward (policy ACCEPT): > num target prot opt source destination > ports > 1 MASQ all ------ 192.168.1.0/24 0.0.0.0/0 > n/a > 2 ACCEPT all ------ 192.168.1.0/24 192.168.1.0/24 > n/a > Chain output (policy ACCEPT): > num target prot opt source destination > ports > 1 ACCEPT all ------ 10.99.9.0/24 0.0.0.0/0 n/a > 2 ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 > 1723 -> * > 3 ACCEPT 47 ------ 0.0.0.0/0 0.0.0.0/0 n/a > > I've re-arranged the chain forward MASQ rule to be first and second in that > chain, and with MASQ FIRST my clients can ping any host in the internal > network. When i put MASQ second in the chain client cannot ping any hosts. > > Internally I can't ping the client from LAN with either arrangement of masq > chain forward rule. > > Note i've tried to delete rule 1 of output chain, it won't delete it. It > should be irrelevant anyway. > > ----- Original Message ----- > From: "Jerry Vonau" > To: "Steve Host" > Cc: > Sent: Monday, October 15, 2001 7:51 PM > Subject: Re: [pptp-server] Pptp is working, however something's wrong! > > > Steve: > > > > Just a quick thought.. using the -A option with ipchains places it at > > the end of the rules. > > This line needs to be before any masq lines, or it may cause a problem. > > Connections from the > > lan would be masq'ed in error while connections from ppp are forwarded > > correctly. > > First match of rules wins.... need to see a little more of your rules. > > > > Jerry Vonau > > > > > > > > Steve Host wrote: > > > > > > Setup: Dialup clients, connecting via PPTP to Linux gateway. > > > > > > Current state: client can ping any internal addresses, it can also > browse > > > any computers and retrieve files. Printing over network is no problem. 
> > > Machines behind the firewall on the LAN can not ping the client's assigned IP
> > > address, thus they can't reach the client.
> > >
> > > Client also doesn't see all the machines by default in network neighbourhood
> > > (however // works)
> > >
> > > I'm mostly concerned with the seemingly one-way nature of the connection,
> > > and looking for possible causes of this.
> > >
> > > I've set the samba server to act as a WINS server, however only the dialup
> > > client is aware of the server. I don't believe this should make a
> > > difference.
> > >
> > > Forwarding rules:
> > >
> > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > > /sbin/ipchains -A input -p 47 -j ACCEPT
> > >
> > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
> > > /sbin/ipchains -A output -p 47 -j ACCEPT
> > > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> > >
> > > The last line is because the client's IP range is 192.168.1.150-160 while
> > > the PCs are in the 192.168.1.20-30 range.
> > >
> > > Thanks, folks.
> > >
> > > _______________________________________________
> > > pptp-server maillist - pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > --- To unsubscribe, go to the url just above this line. --
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > --- To unsubscribe, go to the url just above this line. --
>

From dan at 2000trainers.com Tue Oct 16 13:17:11 2001
From: dan at 2000trainers.com (Dan DiNicolo)
Date: Tue, 16 Oct 2001 18:17:11 -0000
Subject: [pptp-server] modules not loading
Message-ID: <001d01c1566e$e2a28ea0$08347141@mdtlaptop>

Having fought with poptop for a couple of weeks now, I have everything running on Redhat 7.0 using the 2.2.19 kernel.
The problem I am having is that on boot, my ppp_mppe, ppp_deflate, and bsd_comp modules are not loading. When I load them manually, I can make connections without issue. I know I can write a script that will load them on startup, but I would much rather have them load properly via modules.conf. The relevant contents of my modules.conf file are below; any thoughts or ideas would be much appreciated.

alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

Thanks,
Dan

From charlieb at e-smith.com Tue Oct 16 13:40:44 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Tue, 16 Oct 2001 14:40:44 -0400 (EDT)
Subject: [pptp-server] modules not loading
In-Reply-To: <001d01c1566e$e2a28ea0$08347141@mdtlaptop>
Message-ID:

On Tue, 16 Oct 2001, Dan DiNicolo wrote:

> Having fought with poptop for a couple of weeks now, I have everything
> running on Redhat 7.0 using the 2.2.19 kernel. The problem I am having is
> that on boot, my ppp_mppe, ppp_deflate, and bsd_comp modules are not
> loading.

You shouldn't need to have them load on boot. They should autoload as required. Have you run "depmod -a" since modifying /etc/modules.conf?

> When I load them manually, I can make connections without issue.

You should try to find out why they are not being autoloaded (on demand, not at boot time). Your modules.conf lines look correct to me.

--
Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From shost at intellimec.com Tue Oct 16 14:10:41 2001
From: shost at intellimec.com (Steve Host)
Date: Tue, 16 Oct 2001 15:10:41 -0400
Subject: [pptp-server] Pptp is working, however something's wrong!
References: <001801c155c2$2796dfa0$5009630a@intellimec.com> <3BCB767A.EF86D948@home.com> <009d01c15657$9d7ad1a0$5009630a@intellimec.com> <3BCC747B.6BCE14CC@home.com>
Message-ID: <010c01c15676$3f681540$5009630a@intellimec.com>

I've read all your advice and used it and simplified my setup.

I disabled protocol 47 and port 1723 forwarding as the pptp server is not behind a firewall, but is the firewall. My rules are now as follows:

Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
num  target  prot opt     source          destination      ports
1    MASQ    all  ------  192.168.1.0/24  anywhere         n/a
2    ACCEPT  all  ------  192.168.1.0/24  192.168.1.0/24   n/a
3    ACCEPT  all  ------  192.168.1.0/24  192.168.1.0/24   n/a
Chain output (policy ACCEPT):

Command line order:
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
/sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

Again, rearranging the masq to AFTER the local IP forwarding breaks the pinging ability from the client machine (dialup internet). This being with the above configuration, I still cannot ping the client PC, even though it's able to receive data/information from browsing internal PCs (such as \\application_server).

Jerry, after adding the forwarding and input/output rules for ppp+ lan to lan it made no difference.

Am I crazy to be thinking that the internal network should be able to ping the roadwarrior clients?

----- Original Message -----
From: "Jerry Vonau"
To: "Steve Host" ;
Sent: Tuesday, October 16, 2001 1:55 PM
Subject: Re: [pptp-server] Pptp is working, however something's wrong!
> Steve: > > I use the interface in all my forward rules, > helps to recall what the rule is for :-) > > #LAN going anywhere is valid > /sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE > /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN > /sbin/ipchains -A input -j ACCEPT -i $EXTIF -s $INTLAN -d $UNIVERSE > /sbin/ipchains -A output -j ACCEPT -i $EXTIF -s $UNIVERSE -d $INTLAN > #ppp going to/from LAN is Valid > /sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN > /sbin/ipchains -A output -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN > #pptp going to/from LAN is Valid > /sbin/ipchains -A forward -j ACCEPT -i ppp+ -s $INTLAN -d $INTLAN > /sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $INTLAN > #masq everyting out to the net > /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE > > I think that the -i may required for the forwarding rules to work > correctly. > > Jerry Vonau > > > > > > > Steve Host wrote: > > > > Here's my rules: > > Chain input (policy ACCEPT): > > num target prot opt source destination > > ports > > 1 ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> > > 1723 > > 2 ACCEPT 47 ------ 0.0.0.0/0 0.0.0.0/0 n/a > > Chain forward (policy ACCEPT): > > num target prot opt source destination > > ports > > 1 MASQ all ------ 192.168.1.0/24 0.0.0.0/0 > > n/a > > 2 ACCEPT all ------ 192.168.1.0/24 192.168.1.0/24 > > n/a > > Chain output (policy ACCEPT): > > num target prot opt source destination > > ports > > 1 ACCEPT all ------ 10.99.9.0/24 0.0.0.0/0 n/a > > 2 ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 > > 1723 -> * > > 3 ACCEPT 47 ------ 0.0.0.0/0 0.0.0.0/0 n/a > > > > I've re-arranged the chain forward MASQ rule to be first and second in that > > chain, and with MASQ FIRST my clients can ping any host in the internal > > network. When i put MASQ second in the chain client cannot ping any hosts. 
> > > > Internally I can't ping the client from LAN with either arrangement of masq > > chain forward rule. > > > > Note i've tried to delete rule 1 of output chain, it won't delete it. It > > should be irrelevant anyway. > > > > ----- Original Message ----- > > From: "Jerry Vonau" > > To: "Steve Host" > > Cc: > > Sent: Monday, October 15, 2001 7:51 PM > > Subject: Re: [pptp-server] Pptp is working, however something's wrong! > > > > > Steve: > > > > > > Just a quick thought.. using the -A option with ipchains places it at > > > the end of the rules. > > > This line needs to be before any masq lines, or it may cause a problem. > > > Connections from the > > > lan would be masq'ed in error while connections from ppp are forwarded > > > correctly. > > > First match of rules wins.... need to see a little more of your rules. > > > > > > Jerry Vonau > > > > > > > > > > > > Steve Host wrote: > > > > > > > > Setup: Dialup clients, connecting via PPTP to Linux gateway. > > > > > > > > Current state: client can ping any internal addresses, it can also > > browse > > > > any computers and retrieve files. Printing over network is no problem. > > > > Machines behind firewall on the LAN can not ping the clients assigned IP > > > > address, thus they can't reach the client. > > > > > > > > Client also doesn't see all the machines by default on network > > neighbourhood > > > > (however // works) > > > > > > > > I'm mostly concerned with the seemingly one way nature of the > > connection, > > > > and looking for possible causes of this. > > > > > > > > I've set the samba server to act as a WINS server, however only the > > dialup > > > > client is aware of the server. I don't believe this should make a > > > > difference. 
> > > >
> > > > Forwarding rules:
> > > >
> > > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > > > /sbin/ipchains -A input -p 47 -j ACCEPT
> > > >
> > > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
> > > > /sbin/ipchains -A output -p 47 -j ACCEPT
> > > > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> > > >
> > > > The last line is because the client's IP range is 192.168.1.150-160 while
> > > > the PCs are in the 192.168.1.20-30 range.
> > > >
> > > > Thanks, folks.
> > > >
> > > > _______________________________________________
> > > > pptp-server maillist - pptp-server at lists.schulte.org
> > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > --- To unsubscribe, go to the url just above this line. --
> > > _______________________________________________
> > > pptp-server maillist - pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > --- To unsubscribe, go to the url just above this line. --
> >
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line. --
>

From shost at intellimec.com Tue Oct 16 16:16:59 2001
From: shost at intellimec.com (Steve Host)
Date: Tue, 16 Oct 2001 17:16:59 -0400
Subject: [pptp-server] Pptp is working, however something's wrong!
References: <001801c155c2$2796dfa0$5009630a@intellimec.com> <3BCB767A.EF86D948@home.com> <009d01c15657$9d7ad1a0$5009630a@intellimec.com> <3BCC747B.6BCE14CC@home.com> <010c01c15676$3f681540$5009630a@intellimec.com>
Message-ID: <011901c15687$e48cf020$5009630a@intellimec.com>

I changed the client's network address to 192.168.2.0/24 and in doing that, re-set the firewall rules for forwarding around the firewall, and it works now. I can now ping the client, and the client still pings internal addresses.
I'm working on network browsing now. Thanks again.

----- Original Message -----
From: "Steve Host"
To: "Jerry Vonau" ;
Sent: Tuesday, October 16, 2001 3:10 PM
Subject: Re: [pptp-server] Pptp is working, however something's wrong!

> I've read all your advice and used it and simplified my setup.
>
> I disabled protocol 47 and port 1723 forwarding as the pptp server is not
> behind a firewall, but is the firewall. My rules are now as follows:
>
> Chain input (policy ACCEPT):
> Chain forward (policy ACCEPT):
> num  target  prot opt     source          destination      ports
> 1    MASQ    all  ------  192.168.1.0/24  anywhere         n/a
> 2    ACCEPT  all  ------  192.168.1.0/24  192.168.1.0/24   n/a
> 3    ACCEPT  all  ------  192.168.1.0/24  192.168.1.0/24   n/a
> Chain output (policy ACCEPT):
>
> Command line order:
> /sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
> /sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> /sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
>
>
> Again, rearranging the masq to AFTER the local IP forwarding breaks the pinging
> ability from the client machine (dialup internet).
> This being with the above configuration, I still cannot ping the client PC,
> even though it's able to receive data/information from browsing internal
> PCs (such as \\application_server).
>
> Jerry, after adding the forwarding and input/output rules for ppp+ lan to
> lan it made no difference.
>
> Am I crazy to be thinking that the internal network should be able to ping
> the roadwarrior clients?
>
>
>
> ----- Original Message -----
> From: "Jerry Vonau"
> To: "Steve Host" ;
> Sent: Tuesday, October 16, 2001 1:55 PM
> Subject: Re: [pptp-server] Pptp is working, however something's wrong!
> > > > Steve: > > > > I use the interface in all my forward rules, > > helps to recall what the rule is for :-) > > > > #LAN going anywhere is valid > > /sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE > > /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN > > /sbin/ipchains -A input -j ACCEPT -i $EXTIF -s $INTLAN -d $UNIVERSE > > /sbin/ipchains -A output -j ACCEPT -i $EXTIF -s $UNIVERSE -d $INTLAN > > #ppp going to/from LAN is Valid > > /sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN > > /sbin/ipchains -A output -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN > > #pptp going to/from LAN is Valid > > /sbin/ipchains -A forward -j ACCEPT -i ppp+ -s $INTLAN -d $INTLAN > > /sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $INTLAN > > #masq everyting out to the net > > /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE > > > > I think that the -i may required for the forwarding rules to work > > correctly. > > > > Jerry Vonau > > > > > > > > > > > > > > Steve Host wrote: > > > > > > Here's my rules: > > > Chain input (policy ACCEPT): > > > num target prot opt source destination > > > ports > > > 1 ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 > * -> > > > 1723 > > > 2 ACCEPT 47 ------ 0.0.0.0/0 0.0.0.0/0 > n/a > > > Chain forward (policy ACCEPT): > > > num target prot opt source destination > > > ports > > > 1 MASQ all ------ 192.168.1.0/24 0.0.0.0/0 > > > n/a > > > 2 ACCEPT all ------ 192.168.1.0/24 192.168.1.0/24 > > > n/a > > > Chain output (policy ACCEPT): > > > num target prot opt source destination > > > ports > > > 1 ACCEPT all ------ 10.99.9.0/24 0.0.0.0/0 > n/a > > > 2 ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 > > > 1723 -> * > > > 3 ACCEPT 47 ------ 0.0.0.0/0 0.0.0.0/0 > n/a > > > > > > I've re-arranged the chain forward MASQ rule to be first and second in > that > > > chain, and with MASQ FIRST my clients can ping any host in the internal > > > network. 
When i put MASQ second in the chain client cannot ping any > hosts. > > > > > > Internally I can't ping the client from LAN with either arrangement of > masq > > > chain forward rule. > > > > > > Note i've tried to delete rule 1 of output chain, it won't delete it. It > > > should be irrelevant anyway. > > > > > > ----- Original Message ----- > > > From: "Jerry Vonau" > > > To: "Steve Host" > > > Cc: > > > Sent: Monday, October 15, 2001 7:51 PM > > > Subject: Re: [pptp-server] Pptp is working, however something's wrong! > > > > > > > Steve: > > > > > > > > Just a quick thought.. using the -A option with ipchains places it at > > > > the end of the rules. > > > > This line needs to be before any masq lines, or it may cause a > problem. > > > > Connections from the > > > > lan would be masq'ed in error while connections from ppp are forwarded > > > > correctly. > > > > First match of rules wins.... need to see a little more of your rules. > > > > > > > > Jerry Vonau > > > > > > > > > > > > > > > > Steve Host wrote: > > > > > > > > > > Setup: Dialup clients, connecting via PPTP to Linux gateway. > > > > > > > > > > Current state: client can ping any internal addresses, it can also > > > browse > > > > > any computers and retrieve files. Printing over network is no > problem. > > > > > Machines behind firewall on the LAN can not ping the clients > assigned IP > > > > > address, thus they can't reach the client. > > > > > > > > > > Client also doesn't see all the machines by default on network > > > neighbourhood > > > > > (however // works) > > > > > > > > > > I'm mostly concerned with the seemingly one way nature of the > > > connection, > > > > > and looking for possible causes of this. > > > > > > > > > > I've set the samba server to act as a WINS server, however only the > > > dialup > > > > > client is aware of the server. I don't believe this should make a > > > > > difference. 
> > > > >
> > > > > Forwarding rules:
> > > > >
> > > > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > > > > /sbin/ipchains -A input -p 47 -j ACCEPT
> > > > >
> > > > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
> > > > > /sbin/ipchains -A output -p 47 -j ACCEPT
> > > > > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> > > > >
> > > > > The last line is because the client's IP range is 192.168.1.150-160 while
> > > > > the PCs are in the 192.168.1.20-30 range.
> > > > >
> > > > > Thanks, folks.
> > > > >
> > > > > _______________________________________________
> > > > > pptp-server maillist - pptp-server at lists.schulte.org
> > > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > > --- To unsubscribe, go to the url just above this line. --
> > > > _______________________________________________
> > > > pptp-server maillist - pptp-server at lists.schulte.org
> > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > --- To unsubscribe, go to the url just above this line. --
> > >
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > --- To unsubscribe, go to the url just above this line. --
> >
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line. --
>

From Steve at SteveCowles.com Tue Oct 16 17:12:57 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Tue, 16 Oct 2001 17:12:57 -0500
Subject: [pptp-server] Pptp is working, however something's wrong!
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE8B5@defiant.infohiiway.com>

> -----Original Message-----
> From: Steve Host [mailto:shost at intellimec.com]
> Sent: Tuesday, October 16, 2001 4:17 PM
> To: Jerry Vonau; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Pptp is working, however something's wrong!
>
>
> I changed the client's network address to 192.168.2.0/24 and
> in doing that, re-set the firewall rules for forwarding around
> the firewall, and it works now. I can now ping the client, and
> the client still pings internal addresses.
>

Sounds like your pptp server was not configured to act as a proxyarp for the pptp client.

>
> I'm working on network browsing now. Thanks again.
>
>

From sean at cyberfarer.com Tue Oct 16 22:47:27 2001
From: sean at cyberfarer.com (Sean)
Date: Tue, 16 Oct 2001 23:47:27 -0400
Subject: [pptp-server] Success! Mostly ...
Message-ID: <001201c156be$70b6fce0$0802a8c0@sympatico.ca>

I am able to connect remotely from a win98 system across a DSL link.
I am able to ping internal IP addresses (i.e. 192.168.1.1, 192.168.1.2).
An ifconfig on the host system produces the following:

ppp1      Link encap:Point-to-Point Protocol
          inet addr:192.168.1.140  P-t-P:192.168.1.141  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:1266 (1.2 Kb)  TX bytes:102 (102.0 b)

Final issue: I am unable to locate the samba server either by IP address or netbios name. I can ping it, I just can't access it. I have enabled wins, but the MS VPN adaptor has no option to enable wins. The samba server is broadcasting to 192.168.1.255. I just can't get it to appear for drive mapping or any other use. Any ideas?

Thanks.

From sean at cyberfarer.com Wed Oct 17 01:13:00 2001
From: sean at cyberfarer.com (Sean)
Date: Wed, 17 Oct 2001 02:13:00 -0400
Subject: [pptp-server] Success! Mostly ...
References: <001201c156be$70b6fce0$0802a8c0@sympatico.ca> <000d01c156ca$c48d4660$01000001@lonnroth>
Message-ID: <008601c156d4$5f78eae0$0802a8c0@sympatico.ca>

That worked. Thank you!

----- Original Message -----
From: "Mikael Lönnroth"
To: "Sean"
Sent: Wednesday, October 17, 2001 1:15 AM
Subject: Re: [pptp-server] Success! Mostly ...

> Do you have the following in /etc/ppp/options:
>
> ms-wins your.wins.server.ip
>
> ?
>
> Kindly,
> Mikael Lönnroth
> mikael.lonnroth at advancevpn.com
> www.advancevpn.com
>
> ----- Original Message -----
> From: "Sean"
> To:
> Sent: Wednesday, October 17, 2001 6:47 AM
> Subject: [pptp-server] Success! Mostly ...
>
>
> > I am able to connect remotely from a win98 system across a DSL link.
> > I am able to ping internal IP addresses (i.e. 192.168.1.1, 192.168.1.2).
> > An ifconfig on the host system produces the following:
> >
> >
> > ppp1      Link encap:Point-to-Point Protocol
> >           inet addr:192.168.1.140  P-t-P:192.168.1.141  Mask:255.255.255.255
> >           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
> >           RX packets:20 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0
> >           RX bytes:1266 (1.2 Kb)  TX bytes:102 (102.0 b)
> >
> > Final issue: I am unable to locate the samba server either by IP address or
> > netbios name.
> > I can ping it, I just can't access it. I have enabled wins, but the MS VPN
> > adaptor has no option to enable wins.
> > The samba server is broadcasting to 192.168.1.255. I just can't get it to
> > appear for drive mapping or any other use. Any ideas?
> >
> > Thanks.
> >
> >
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > --- To unsubscribe, go to the url just above this line.
--
> > >

From MarekButas at seznam.cz Wed Oct 17 08:21:39 2001
From: MarekButas at seznam.cz (Marek Butas)
Date: Wed, 17 Oct 2001 15:21:39 +0200 (CEST)
Subject: [pptp-server] Strange problem ...
Message-ID: <1959.5592-9211-828830205-1003324899@seznam.cz>

Hi,

I have one problem. Yesterday one of the home users experienced strange behavior. First he got on the server and was there for about 30 minutes. No problems, authentication OK.
Then he disconnected himself and tried to connect again. And then he could not get inside! He tried it several times, but no luck. In the morning I looked in the logs and found that he connected himself for those 30 minutes, but also that he could not get in afterwards.

Here is a part of the log. In the FAQ, they say that this is a problem on the firewall (iptables), but I checked, it is still the same (no reboots, no restarting) and in the logs I can see that pptp packets went through it. I'm logging GRE packets, establishing new connection.

Oct 16 22:46:15 indus pptpd[13832]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 16 22:46:15 indus pptpd[13832]: CTRL: local address = 10.0.1.2
Oct 16 22:46:15 indus pptpd[13832]: CTRL: remote address = 10.0.1.21
Oct 16 22:46:15 indus pptpd[13832]: CTRL: Client 10.0.1.1 control connection started
Oct 16 22:46:15 indus pptpd[13832]: CTRL: Received PPTP Control Message (type: 1)
Oct 16 22:46:15 indus pptpd[13832]: CTRL: Made a START CTRL CONN RPLY packet
Oct 16 22:46:15 indus pptpd[13832]: CTRL: I wrote 156 bytes to the client.
Oct 16 22:46:15 indus pptpd[13832]: CTRL: Sent packet to client
Oct 16 22:46:16 indus pptpd[13832]: CTRL: Received PPTP Control Message (type: 7)
Oct 16 22:46:16 indus pptpd[13832]: CTRL: Set parameters to 1525 maxbps, 64 window size
Oct 16 22:46:16 indus pptpd[13832]: CTRL: Made a OUT CALL RPLY packet
Oct 16 22:46:16 indus pptpd[13832]: CTRL: Starting call (launching pppd, opening GRE)
Oct 16 22:46:16 indus pptpd[13832]: CTRL: pty_fd = 4
Oct 16 22:46:16 indus pptpd[13832]: CTRL: tty_fd = 5
Oct 16 22:46:16 indus pptpd[13833]: CTRL (PPPD Launcher): Connection speed = 115200
Oct 16 22:46:16 indus pptpd[13833]: CTRL (PPPD Launcher): local address = 10.0.1.2
Oct 16 22:46:16 indus pptpd[13833]: CTRL (PPPD Launcher): remote address = 10.0.1.21
Oct 16 22:46:16 indus pptpd[13832]: CTRL: I wrote 32 bytes to the client.
Oct 16 22:46:16 indus pptpd[13832]: CTRL: Sent packet to client
Oct 16 22:46:16 indus pppd[13833]: pppd 2.4.0 started by root, uid 0
Oct 16 22:46:16 indus pppd[13833]: using channel 5
Oct 16 22:46:16 indus pppd[13833]: Using interface ppp0
Oct 16 22:46:16 indus pppd[13833]: Connect: ppp0 <--> /dev/pts/1
Oct 16 22:46:16 indus pppd[13833]: sent [LCP ConfReq id=0x1 ]
Oct 16 22:46:43 indus last message repeated 9 times
Oct 16 22:46:46 indus pptpd[13832]: CTRL: Received PPTP Control Message (type: 12)
Oct 16 22:46:46 indus pptpd[13832]: CTRL: Made a CALL DISCONNECT RPLY packet
Oct 16 22:46:46 indus pptpd[13832]: CTRL: Received CALL CLR request (closing call)
Oct 16 22:46:46 indus pptpd[13832]: CTRL: I wrote 148 bytes to the client.
Oct 16 22:46:46 indus pptpd[13832]: CTRL: Sent packet to client
Oct 16 22:46:46 indus pptpd[13832]: CTRL: Error with select(), quitting
Oct 16 22:46:46 indus pptpd[13832]: CTRL: Client 10.0.1.1 control connection finished
Oct 16 22:46:46 indus pptpd[13832]: CTRL: Exiting now
Oct 16 22:46:46 indus pptpd[692]: MGR: Reaped child 13832
Oct 16 22:46:46 indus pppd[13833]: Modem hangup
client.
Regards,
Marek Butas

______________________________________________________________________
Not only an English-Czech dictionary: http://slovnik.seznam.cz

From chris at faredge.com.au Wed Oct 17 19:39:09 2001
From: chris at faredge.com.au (Chris Herrmann)
Date: Thu, 18 Oct 2001 10:39:09 +1000
Subject: [pptp-server] Chap secrets not found
Message-ID: <000d01c1576d$4e702a30$c8965ecb@faredge.com.au>

Gday all, having some fun with poptop and a win98 client... when the client tries to connect, I get:

Oct 17 17:42:16 dragon pptpd[5303]: CTRL: Client 192.168.33.27 control connection started
Oct 17 17:42:16 dragon pptpd[5303]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 17:42:16 dragon pppd[5304]: pppd 2.4.1 started by root, uid 0
Oct 17 17:42:16 dragon pppd[5304]: Using interface ppp1
Oct 17 17:42:16 dragon pppd[5304]: Connect: ppp1 <--> /dev/pts/0
Oct 17 17:42:16 dragon pptpd[5303]: Buffering out-of-order packet; got 1 after 4294967295
Oct 17 17:42:19 dragon pptpd[5303]: Packet reorder timeout waiting for 0
Oct 17 17:42:19 dragon pptpd[5303]: Buffering out-of-order packet; got 2 after 0
Oct 17 17:42:19 dragon pppd[5304]: No CHAP secret found for authenticating \\elinac
Oct 17 17:42:19 dragon pppd[5304]: MSCHAP-v2 peer authentication failed for remote host \\elinac
Oct 17 17:42:19 dragon pppd[5304]: Connection terminated.
Oct 17 17:42:19 dragon pppd[5304]: Couldn't attach to PPP unit 1: Invalid argument
Oct 17 17:42:19 dragon pppd[5304]: Failed to open /dev/pts/0: No such file or directory
Oct 17 17:42:19 dragon last message repeated 7 times
Oct 17 17:42:19 dragon pppd[5304]: Exit.
Oct 17 17:42:19 dragon modprobe: modprobe: Can't locate module ppp1
Oct 17 17:42:24 dragon pptpd[5303]: GRE: read error: Bad file descriptor
Oct 17 17:42:24 dragon pptpd[5303]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Oct 17 17:42:24 dragon pptpd[5303]: CTRL: Client 192.168.33.27 control connection finished

The client sees "username/password failed".
ppp0 is a real modem connected to the internet. The client's hostname is ELINAC, username elinac. In chap-secrets, I've tried pretty much every combination I can think of for authentication:

elinac            *                      secret  *
elinac            elinac                 secret  *
ELINAC\\elinac    elinac                 secret  *
ELINAC\\\\elinac  elinac                 secret  *
elinac            localhost              secret  *
elinac            dragon                 secret  *
ELINAC\\elinac    dragon                 secret  *
ELINAC\\\\elinac  dragon                 secret  *
elinac            dragon.myplace.com.au  secret  *
ELINAC\\elinac    dragon.myplace.com.au  secret  *
ELINAC\\\\elinac  dragon.myplace.com.au  secret  *

(spacing added for legibility)

From loki at icenet.com.au Wed Oct 17 20:05:36 2001
From: loki at icenet.com.au (Cory Robson)
Date: Thu, 18 Oct 2001 09:05:36 +0800
Subject: [pptp-server] Pre compiled module for mppe
Message-ID: <002301c15770$fef97700$1a4cb5ca@service>

Does anybody have a pre-compiled module for mppe for kernel 2.4.3-20mdk and ppp 2.4.1? For mandrake 8 all works OK with multiple connections, but I suppose if I use mppe then this will break?

Thoughts and suggestions, ppl.

Thanks

From jroland at roland.net Thu Oct 18 01:01:38 2001
From: jroland at roland.net (Jim Roland)
Date: Thu, 18 Oct 2001 01:01:38 -0500
Subject: [pptp-server] Strange problem ...
References: <1959.5592-9211-828830205-1003324899@seznam.cz>
Message-ID: <001f01c1579a$5abc8950$bb1cfa18@JimWS>

If you're using MPPE, it has a bug in it that prevents a secondary (single) connection, or multiple simultaneous connections. For a single user, you have to unload the ppp_mppe module before the 2nd connection. If you're using the kmod loader, then the module will auto-load itself on the next connection. But for it to work at all, MPPE has to be unloaded before it's used. I have been unsuccessful trying to locate the author of ppp_mppe to alert them to this problem.
I've tried contacting the PPTPd author, no reply; Tim Hockin (noted in the source code) says he hasn't maintained it for over a year and turned it back to the PPTPd authors; the original author in Hungary (? I think, also seen in the source code) gives no reply as well. VERY FRUSTRATING BECAUSE IT'S A GOOD MODULE AND WORKS WELL, JUST IF YOU WORK ON IT A LOT TO KEEP IT WORKING.

Anyway, I managed to make it work for a single user by creating a script in /etc/ppp called "ipdown.local" with the following commands (check your ipdown script to make sure it calls ipdown.local and be sure to "chmod +x ipdown.local"):

#!/bin/sh
/sbin/rmmod ppp_mppe

That's all I had to do (2 line script). But, remember... it still doesn't work for multiple connections.

AUTHOR: IF YOU'RE MONITORING THIS LIST, PLEASE CONTACT ME DIRECT. I have a need to deploy PPTPd both for my day job and for 2 other people, all needing multiple connections.

Regards,
Jim Roland, RHCE

----- Original Message -----
From: "Marek Butas"
To: "PPTP List"
Sent: Wednesday, October 17, 2001 8:21 AM
Subject: [pptp-server] Strange problem ...

>
> Hi,
>
> I have one problem. Yesterday one of the home users experienced
> strange behavior. First he got on the server and was there for about 30
> minutes. No problems, authentication OK.
> Then he disconnected himself and tried to connect again. And then he
> could not get inside! He tried it several times, but no luck. In the
> morning I looked in the logs and found that he connected himself for
> those 30 minutes, but also that he could not get in afterwards.
>
> Here is a part of the log. In the FAQ, they say that this is a problem
> on the firewall (iptables), but I checked, it is still the same (no
> reboots, no restarting) and in the logs I can see that pptp packets
> went through it.
> I'm logging GRE packets, establishing new connection.
>
> Oct 16 22:46:15 indus pptpd[13832]: MGR: Launching /usr/sbin/pptpctrl to handle client
> Oct 16 22:46:15 indus pptpd[13832]: CTRL: local address = 10.0.1.2
> Oct 16 22:46:15 indus pptpd[13832]: CTRL: remote address = 10.0.1.21
> Oct 16 22:46:15 indus pptpd[13832]: CTRL: Client 10.0.1.1 control connection started
> Oct 16 22:46:15 indus pptpd[13832]: CTRL: Received PPTP Control Message (type: 1)
> Oct 16 22:46:15 indus pptpd[13832]: CTRL: Made a START CTRL CONN RPLY packet
> Oct 16 22:46:15 indus pptpd[13832]: CTRL: I wrote 156 bytes to the client.
> Oct 16 22:46:15 indus pptpd[13832]: CTRL: Sent packet to client
> Oct 16 22:46:16 indus pptpd[13832]: CTRL: Received PPTP Control Message (type: 7)
> Oct 16 22:46:16 indus pptpd[13832]: CTRL: Set parameters to 1525 maxbps, 64 window size
> Oct 16 22:46:16 indus pptpd[13832]: CTRL: Made a OUT CALL RPLY packet
> Oct 16 22:46:16 indus pptpd[13832]: CTRL: Starting call (launching pppd, opening GRE)
> Oct 16 22:46:16 indus pptpd[13832]: CTRL: pty_fd = 4
> Oct 16 22:46:16 indus pptpd[13832]: CTRL: tty_fd = 5
> Oct 16 22:46:16 indus pptpd[13833]: CTRL (PPPD Launcher): Connection speed = 115200
> Oct 16 22:46:16 indus pptpd[13833]: CTRL (PPPD Launcher): local address = 10.0.1.2
> Oct 16 22:46:16 indus pptpd[13833]: CTRL (PPPD Launcher): remote address = 10.0.1.21
> Oct 16 22:46:16 indus pptpd[13832]: CTRL: I wrote 32 bytes to the client.
> Oct 16 22:46:16 indus pptpd[13832]: CTRL: Sent packet to client
> Oct 16 22:46:16 indus pppd[13833]: pppd 2.4.0 started by root, uid 0
> Oct 16 22:46:16 indus pppd[13833]: using channel 5
> Oct 16 22:46:16 indus pppd[13833]: Using interface ppp0
> Oct 16 22:46:16 indus pppd[13833]: Connect: ppp0 <--> /dev/pts/1
> Oct 16 22:46:16 indus pppd[13833]: sent [LCP ConfReq id=0x1 0x0> ]
> Oct 16 22:46:43 indus last message repeated 9 times
> Oct 16 22:46:46 indus pptpd[13832]: CTRL: Received PPTP Control Message (type: 12)
> Oct 16 22:46:46 indus pptpd[13832]: CTRL: Made a CALL DISCONNECT RPLY packet
> Oct 16 22:46:46 indus pptpd[13832]: CTRL: Received CALL CLR request (closing call)
> Oct 16 22:46:46 indus pptpd[13832]: CTRL: I wrote 148 bytes to the client.
> Oct 16 22:46:46 indus pptpd[13832]: CTRL: Sent packet to client
> Oct 16 22:46:46 indus pptpd[13832]: CTRL: Error with select(), quitting
> Oct 16 22:46:46 indus pptpd[13832]: CTRL: Client 10.0.1.1 control connection finished
> Oct 16 22:46:46 indus pptpd[13832]: CTRL: Exiting now
> Oct 16 22:46:46 indus pptpd[692]: MGR: Reaped child 13832
> Oct 16 22:46:46 indus pppd[13833]: Modem hangup
> client.
>
> Regards
> Marek Butas
>
> ______________________________________________________________________
> Not only an English-Czech dictionary: http://slovnik.seznam.cz
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line. --
>

From jroland at roland.net Thu Oct 18 01:07:37 2001
From: jroland at roland.net (Jim Roland)
Date: Thu, 18 Oct 2001 01:07:37 -0500
Subject: [pptp-server] Success! Mostly ...
References: <001201c156be$70b6fce0$0802a8c0@sympatico.ca>
Message-ID: <002f01c1579b$3076e450$bb1cfa18@JimWS>

Enable "WINS" in your /etc/ppp/options file (assuming you're not using a special options file, and assuming you have a WINS server on 192.168.1.8):

    ms-wins 192.168.1.8

This should assign WINS for you. You can duplicate for a secondary WINS server by adding a second entry with the IP of the 2nd WINS system. It would be wise to also make sure a DNS with your windows machines is available on your RFC1918 network as well.

----- Original Message -----
From: "Sean"
To:
Sent: Tuesday, October 16, 2001 10:47 PM
Subject: [pptp-server] Success! Mostly ...

> I am able to connect remotely from a win98 system across a DSL link.
> I am able to ping internal IP addresses (i.e. 192.168.1.1, 192.168.1.2)
> An ifconfig on the host system produces the following:
>
>
> ppp1      Link encap:Point-to-Point Protocol
>           inet addr:192.168.1.140  P-t-P:192.168.1.141  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:20 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0
>           RX bytes:1266 (1.2 Kb)  TX bytes:102 (102.0 b)
>
> Final issue: I am unable to locate the samba server either by IP address or
> netbios name.
> I can ping it, I just can't access it. I have enabled wins, but the MS VPN
> adaptor has no option to enable wins.
> The samba server is broadcasting to 192.168.1.255. I just can't get it to
> appear for drive mapping or any other use. Any ideas?
>
> Thanks.
>

From chris at faredge.com.au Thu Oct 18 02:15:51 2001
From: chris at faredge.com.au (Chris Herrmann)
Date: Thu, 18 Oct 2001 17:15:51 +1000
Subject: [pptp-server] chapms-strip-domain patch against 2.4?
Message-ID: <001a01c157a4$b8c62150$c8965ecb@faredge.com.au>

Is there a chapms-strip-domain patch against ppp 2.4.1? Google hasn't been able to reveal one to me...

Thanks,

Chris Herrmann
Far Edge Technology
p. 02 99553640
f. 02 99547994
m. 0403 393309
http://www.faredge.com.au

From mattgav at tempo.com.au Thu Oct 18 02:42:33 2001
From: mattgav at tempo.com.au (Matthew Gavin)
Date: Thu, 18 Oct 2001 17:42:33 +1000
Subject: [pptp-server] IP Question.
Message-ID:

Hi all,

I have a small problem with Windows clients (Laptops) who connect to both our Corporate LAN and our VPN (Not at the same time).

For VPN access, ie: when they are remote to the LAN... There are no problems authenticating and then connecting, but IP Traffic does not occur to or from the internal network unless the user changes the Static IP Address assigned to their NIC to anything but the LAN subnet (10.1.1.0)...

ie: 10.1.1.234 to 10.0.0.234. Same for the gateway 10.1.1.1 to 10.0.0.1. All is fine once they do this!

I have senior managers who get the shits with this every time they need to VPN in, and some have given up altogether. Has anyone experienced this or do the majority of "your" VPN users always remain as VPN users?

Matt. :)

From tim at tim.brody.btinternet.co.uk Thu Oct 18 05:40:31 2001
From: tim at tim.brody.btinternet.co.uk (Tim Brody)
Date: Thu, 18 Oct 2001 11:40:31 +0100
Subject: [pptp-server] IP Question.
References:
Message-ID: <002701c157c1$4fb63390$ec7bfea9@Advocate>

Hi,

Unless you change the routing on the mobile computer, they'll be trying to access your network through the NIC card, rather than the PPTP interface (which is entirely logical ...). By changing the IP addy of the NIC you're changing the routing table so the machine no longer associates your internal network with the NIC, but with PPTP.
I *think* the easiest solution for you would be to set up a DHCP server, which would give you a distinction between when your VPN users are connected directly and indirectly to your network.

Set up a DHCP on your network with your proper internal IP addresses (10.1.1.x && 10.1.1.1), with a short TTL (say 10 minutes). When your users are out-and-about their lease will expire, stopping them routing through their NIC, and they will start routing through the PPTP instead.

All the best,
Tim.

----- Original Message -----
From: "Matthew Gavin"
To: "PPTPD User Group (E-mail)"
Sent: Thursday, October 18, 2001 8:42 AM
Subject: [pptp-server] IP Question.

> Hi all,
>
> I have a small problem with Windows clients (Laptops) who connect to both
> our Corporate LAN and our VPN (Not at the same time).
>
> For VPN access, ie: when they are remote to the LAN... There are no problems
> authenticating and then connecting, but IP Traffic does not occur to or from
> the internal network unless the user changes the Static IP Address assigned
> to their NIC to anything but the LAN subnet (10.1.1.0)...
>
> ie: 10.1.1.234 to 10.0.0.234. Same for the gateway 10.1.1.1 to 10.0.0.1. All
> is fine once they do this!
>
> I have senior managers who get the shits with this every time they need to
> VPN in, and some have given up altogether. Has anyone experienced this or
> do the majority of "your" VPN users always remain as VPN users?
>
> Matt. :)
>

From iso9 at phantasticant.com Thu Oct 18 13:35:59 2001
From: iso9 at phantasticant.com (Jordan Share)
Date: Thu, 18 Oct 2001 11:35:59 -0700
Subject: [pptp-server] Strange problem ...
In-Reply-To: <001f01c1579a$5abc8950$bb1cfa18@JimWS>
Message-ID:

Wait, are you saying that two people cannot be connected at once to a linux PPTP server with MPPE ?

Jordan

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jim Roland
Sent: Wednesday, October 17, 2001 11:02 PM
To: Marek Butas; PPTP List
Subject: Re: [pptp-server] Strange problem ...

If you're using MPPE, it has a bug in it that prevents a secondary (single) connection, or multiple simultaneous connections.

From Steve at SteveCowles.com Thu Oct 18 08:11:00 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Thu, 18 Oct 2001 08:11:00 -0500
Subject: [pptp-server] IP Question.
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE8C6@defiant.infohiiway.com>

> -----Original Message-----
> From: Matthew Gavin [mailto:mattgav at tempo.com.au]
> Sent: Thursday, October 18, 2001 2:43 AM
> To: PPTPD User Group (E-mail)
> Subject: [pptp-server] IP Question.
>
>
> Hi all,
>
> I have a small problem with Windows clients (Laptops) who
> connect to both our Corporate LAN and our VPN (Not at the
> same time).
>
>
> I have senior managers who get the shits with this every time
> they need to VPN in, and some have given up altogether. Has
> anyone experienced this or do the majority of "your" VPN users
> always remain as VPN users?
>
> Matt. :)
>

This is a very typical problem with LAN and Roadwarrior types. Especially when you're dealing with static IPs. As Tim Brody stated, the ip/netmask is being associated with the NIC card and not the PPTP tunnel.

Another alternative that I use (especially for non-technical management types) is to create a separate windows hardware profile. i.e. Office/Remote. Then in Windows Device Manager -- disable the Ethernet NIC for the "Remote" hardware profile. This approach has the usual pluses/minuses associated with it.

PLUS: It fixes this problem by not initializing the NIC at boot up.
Dialup/PPTP and TCP/IP stack still function normally.

MINUS: When the user turns on their PC/Laptop, they will now be prompted to select the appropriate hardware profile before windows fully boots.

The way I explain how to correctly answer this additional prompt to the non-technical manager types... Ask yourself the following question: "Where are you powering up your Laptop? The Office or are you Remote?" So far, even the most computer illiterate can correctly answer this prompt.

From RLDITTO at BRIGHT.NET Thu Oct 18 07:57:32 2001
From: RLDITTO at BRIGHT.NET (JOE)
Date: Thu, 18 Oct 2001 08:57:32 -0400
Subject: [pptp-server] speed
Message-ID: <002901c157d4$74012580$1f00a8c0@backdog>

I've got a piii 1ghz on a 700k connection (duplex) and a cable modem connection 300+k and it just seems that these connections on the vpn are really slow. I have tried different MRUs and MTUs and even tried to set the baud speed for pptp in the pptp.conf file. Is there a way to speed things up?

From charlieb at e-smith.com Thu Oct 18 13:50:38 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Thu, 18 Oct 2001 14:50:38 -0400 (EDT)
Subject: [pptp-server] speed
In-Reply-To: <002901c157d4$74012580$1f00a8c0@backdog>
Message-ID:

On Thu, 18 Oct 2001, JOE wrote:

> I've got a piii 1ghz on a 700k connection (duplex) and a cable modem
> connection 300+k and it just seems that these connections on the vpn
> are really slow. I have tried different MRUs and MTUs and even tried
> to set the baud speed for pptp in the pptp.conf file. Is there a way
> to speed things up?

Check whether you have any packet loss. Packet loss can cause really serious performance degradation.
--
Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From jroland at roland.net Thu Oct 18 14:49:01 2001
From: jroland at roland.net (Jim Roland)
Date: Thu, 18 Oct 2001 14:49:01 -0500
Subject: [pptp-server] Strange problem ...
References:
Message-ID: <001b01c1580d$efd16060$a000a8c0@gespl2k1>

That is correct. There is also a problem of no packets running at all if "mppe-40" is enabled in /etc/ppp/options, in all cases. Symptoms occur as soon as MPPE mode is initialized (after IP assignment and authentication). The instant the "MPPE Loaded" message occurs in the /var/log/messages logfile, packets stop running (with and without mppe-stateless and with and without mppe-128). Reproducing the problem and workarounds are noted below.

Here is what's loaded on the box:
Server-
RedHat 7.1 distro, custom compiled kernel (compiled to add iptables & connection tracking capabilities, and mppe module)
Kernel 2.4.2-2
pptpd (PoPToP v1.1.2)
ppp-2.4.0 (have tried ppp-2.4.1 same result), compiled from source code after the following patches installed:
linux-2.4.0-openssl-0.9.6-mppe.patch.gz
ppp-2.4.0-openssl-0.9.6-mppe.patch.gz
** The box is being used as a firewall & squid proxy. It works w/o MPPE (read below).
-----
Client-
Windows 2000, with no SP, and with SP1 and with SP2

-----
This is the way I reproduce the problem:
1) Multiple users: A user connects in with MPPE, the ppp_mppe module auto-loads. No problems thus far.
   a) While the first user stays connected, a 2nd user connects. The moment "MPPE loaded" shows in the messages log, packets stop moving through the tunnel. First user can still access the tunnel (I think).
2) Single user: A user connects in with MPPE, the ppp_mppe module auto-loads. No problems accessing the tunnel.
   a) Single user disconnects, waits a few minutes and reconnects (mppe module not unloaded yet).
   b) Single user unable to access tunnel as soon as "MPPE loaded" shows up in the messages log.

-----
Workarounds (either 1 or 2):
1) No MPPE usage at all (tunnel works fine for multiple users):
   a) End users turn encryption requirement off
   b) mppe-* options are disabled in the /etc/ppp/options log
   c) ppp_mppe module not loaded
2) Single user, MPPE usage:
   a) Manually unloading ppp_mppe at shell prompt via rmmod
   or
   b) Unloading ppp_mppe when pppd terminates (via ipdown.local with an rmmod command inside the script)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
"The four surefire rules for success: Show up, Pay attention, Ask questions, Don't quit."
--Rob Gilbert, PH.D.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Jordan Share"
To: "Jim Roland" ; "Marek Butas" ; "PPTP List"
Sent: Thursday, October 18, 2001 1:35 PM
Subject: RE: [pptp-server] Strange problem ...

> Wait, are you saying that two people cannot be connected at once to a linux PPTP server with MPPE ?
>
> Jordan
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jim Roland
> Sent: Wednesday, October 17, 2001 11:02 PM
> To: Marek Butas; PPTP List
> Subject: Re: [pptp-server] Strange problem ...
>
>
> If you're using MPPE, it has a bug in it that prevents a secondary (single)
> connection, or multiple simultaneous connections.
>
>

From jroland at roland.net Thu Oct 18 14:51:12 2001
From: jroland at roland.net (Jim Roland)
Date: Thu, 18 Oct 2001 14:51:12 -0500
Subject: [pptp-server] speed
References:
Message-ID: <002401c1580e$3def3d80$a000a8c0@gespl2k1>

I'm experiencing the same issue. I have 0%-1% packet loss to my VPN box, and latency of 50ms.
I only get about 110-140kbps throughput. I've tried changing the speed option above 115200 in /etc/pptpd.conf, however pppd (v2.4.0 or v2.4.1) does not appear to like any speed above 115200...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
"The four surefire rules for success: Show up, Pay attention, Ask questions, Don't quit."
--Rob Gilbert, PH.D.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Charlie Brady"
To: "JOE"
Cc:
Sent: Thursday, October 18, 2001 1:50 PM
Subject: Re: [pptp-server] speed

>
> On Thu, 18 Oct 2001, JOE wrote:
>
> > I've got a piii 1ghz on a 700k connection (duplex) and a cable modem
> > connection 300+k and it just seems that these connections on the vpn
> > are really slow. I have tried different MRUs and MTUs and even tried
> > to set the baud speed for pptp in the pptp.conf file. Is there a way
> > to speed things up?
>
> Check whether you have any packet loss. Packet loss can cause really
> serious performance degradation.
>
> --
>
> Charlie Brady                         charlieb at e-smith.com
> Lead Product Developer
> Network Server Solutions Group        http://www.e-smith.com/
> Mitel Networks Corporation            http://www.mitel.com/
> Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
>
>

From iso9 at phantasticant.com Thu Oct 18 18:01:06 2001
From: iso9 at phantasticant.com (Jordan Share)
Date: Thu, 18 Oct 2001 16:01:06 -0700
Subject: [pptp-server] Strange problem ...
In-Reply-To: <001b01c1580d$efd16060$a000a8c0@gespl2k1>
Message-ID:

This boggles my mind. I can't believe this is the first time I've even heard of it.
I've already rolled this out on our LAN (thought it would save us from buying a win2k server box). I wasn't fully able to reproduce the behaviour you describe, but there was definite weirdness when I tried connecting two boxes. They would alternately drop off the network (it's a little hard to tell what's going on, since I only have a flat LAN to play with here at work, and all the machines are on the same network).

Still, I was able to connect 2 at the same time, albeit with intermittent failures (I had a continuous ping running on each machine the whole time).

As I understood your message, you were saying that the second client would not be able to send/receive data when it connected? I was able to successfully connect the second client, and ping its (new) address from another machine. Does this jibe with your experience?

Jordan

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jim Roland
Sent: Thursday, October 18, 2001 12:49 PM
To: Jordan Share; Marek Butas; PPTP List
Subject: Re: [pptp-server] Strange problem ...

That is correct. There is also a problem of no packets running at all if "mppe-40" is enabled in /etc/ppp/options, in all cases. Symptoms occur as soon as MPPE mode is initialized (after IP assignment and authentication). The instant the "MPPE Loaded" message occurs in the /var/log/messages logfile, packets stop running (with and without mppe-stateless and with and without mppe-128). Reproducing the problem and workarounds are noted below.
Here is what's loaded on the box:
Server-
RedHat 7.1 distro, custom compiled kernel (compiled to add iptables & connection tracking capabilities, and mppe module)
Kernel 2.4.2-2
pptpd (PoPToP v1.1.2)
ppp-2.4.0 (have tried ppp-2.4.1 same result), compiled from source code after the following patches installed:
linux-2.4.0-openssl-0.9.6-mppe.patch.gz
ppp-2.4.0-openssl-0.9.6-mppe.patch.gz
** The box is being used as a firewall & squid proxy. It works w/o MPPE (read below).
-----
Client-
Windows 2000, with no SP, and with SP1 and with SP2

-----
This is the way I reproduce the problem:
1) Multiple users: A user connects in with MPPE, the ppp_mppe module auto-loads. No problems thus far.
   a) While the first user stays connected, a 2nd user connects. The moment "MPPE loaded" shows in the messages log, packets stop moving through the tunnel. First user can still access the tunnel (I think).
2) Single user: A user connects in with MPPE, the ppp_mppe module auto-loads. No problems accessing the tunnel.
   a) Single user disconnects, waits a few minutes and reconnects (mppe module not unloaded yet).
   b) Single user unable to access tunnel as soon as "MPPE loaded" shows up in the messages log.

-----
Workarounds (either 1 or 2):
1) No MPPE usage at all (tunnel works fine for multiple users):
   a) End users turn encryption requirement off
   b) mppe-* options are disabled in the /etc/ppp/options log
   c) ppp_mppe module not loaded
2) Single user, MPPE usage:
   a) Manually unloading ppp_mppe at shell prompt via rmmod
   or
   b) Unloading ppp_mppe when pppd terminates (via ipdown.local with an rmmod command inside the script)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
"The four surefire rules for success: Show up, Pay attention, Ask questions, Don't quit."
--Rob Gilbert, PH.D.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Jordan Share"
To: "Jim Roland" ; "Marek Butas" ; "PPTP List"
Sent: Thursday, October 18, 2001 1:35 PM
Subject: RE: [pptp-server] Strange problem ...

> Wait, are you saying that two people cannot be connected at once to a linux PPTP server with MPPE ?
>
> Jordan
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jim Roland
> Sent: Wednesday, October 17, 2001 11:02 PM
> To: Marek Butas; PPTP List
> Subject: Re: [pptp-server] Strange problem ...
>
>
> If you're using MPPE, it has a bug in it that prevents a secondary (single)
> connection, or multiple simultaneous connections.
>
>

From jroland at roland.net Thu Oct 18 18:18:05 2001
From: jroland at roland.net (Jim Roland)
Date: Thu, 18 Oct 2001 18:18:05 -0500
Subject: [pptp-server] Strange problem ...
References:
Message-ID: <000601c1582b$24b76000$a000a8c0@gespl2k1>

----- Original Message -----
From: "Jordan Share"
To: "Jim Roland" ; "Marek Butas" ; "PPTP List"
Sent: Thursday, October 18, 2001 6:01 PM
Subject: RE: [pptp-server] Strange problem ...

> This boggles my mind. I can't believe this is the first time I've even heard of it. I've already rolled this out on our LAN (thought it would save us from buying a win2k server box). I wasn't fully able to reproduce the behaviour you describe, but there was definite weirdness when I tried connecting two boxes. They would alternately drop off the network (it's a little hard to tell what's going on, since I only have a flat LAN to play with here at work, and all the machines are on the same network).
>
> Still, I was able to connect 2 at the same time, albeit with intermittent failures (I had a continuous ping running on each machine the whole time).
>
> As I understood your message, you were saying that the second client would not be able to send/receive data when it connected? I was able to successfully connect the second client, and ping its (new) address from another machine. Does this jibe with your experience?

Sort of. If I let the connection sit without manually intervening, the 2nd client will drop on its own after a while. When experiencing the problem, I am unable to ping the gateway from the 2nd client at all...2nd client can ping itself, but nowhere else. The gateway and LAN machines are unable to ping the 2nd client.

I believe I have tried setting up for multiple LOCAL IPs in pptpd.conf, but believe I got the same response. When using multiple REMOTE IPs, am I forced to use multiple LOCAL IPs (having those locals aliased to eth1 or eth0)?

My network setup:
Internet ---> External Firewall (forwarding/NATing GRE and 1723 to Internal FW) --> Internal FW/Proxy with PPTP --> LAN

Now, I don't think it's a NAT issue since turning MPPE off completely and unloading MPPE allows 2 clients to work flawlessly.

> Jordan
>
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jim Roland
> Sent: Thursday, October 18, 2001 12:49 PM
> To: Jordan Share; Marek Butas; PPTP List
> Subject: Re: [pptp-server] Strange problem ...
>
>
> That is correct. There is also a problem of no packets running at all if
> "mppe-40" is enabled in /etc/ppp/options, in all cases. Symptoms occur as
> soon as MPPE mode is initialized (after IP assignment and authentication).
> The instant the "MPPE Loaded" message occurs in the /var/log/messages
> logfile, packets stop running (with and without mppe-stateless and with and
> without mppe-128). Reproducing the problem and workarounds are noted below.
>
> Here is what's loaded on the box:
> Server-
> RedHat 7.1 distro, custom compiled kernel (compiled to add iptables &
> connection tracking capabilities, and mppe module)
> Kernel 2.4.2-2
> pptpd (PoPToP v1.1.2)
> ppp-2.4.0 (have tried ppp-2.4.1 same result), compiled from source code
> after the following patches installed:
> linux-2.4.0-openssl-0.9.6-mppe.patch.gz
> ppp-2.4.0-openssl-0.9.6-mppe.patch.gz
> ** The box is being used as a firewall & squid proxy. It works w/o MPPE
> (read below).
> -----
> Client-
> Windows 2000, with no SP, and with SP1 and with SP2
>
> -----
> This is the way I reproduce the problem:
> 1) Multiple users: A user connects in with MPPE, the ppp_mppe module
> auto-loads. No problems thus far.
>    a) While the first user stays connected, a 2nd user connects. The
> moment "MPPE loaded" shows in the messages log, packets stop moving through
> the tunnel. First user can still access the tunnel (I think).
> 2) Single user: A user connects in with MPPE, the ppp_mppe module
> auto-loads. No problems accessing the tunnel.
>    a) Single user disconnects, waits a few minutes and reconnects (mppe
> module not unloaded yet).
>    b) Single user unable to access tunnel as soon as "MPPE loaded" shows up
> in the messages log.
>
> -----
> Workarounds (either 1 or 2):
> 1) No MPPE usage at all (tunnel works fine for multiple users):
>    a) End users turn encryption requirement off
>    b) mppe-* options are disabled in the /etc/ppp/options log
>    c) ppp_mppe module not loaded
> 2) Single user, MPPE usage:
>    a) Manually unloading ppp_mppe at shell prompt via rmmod
>    or
>    b) Unloading ppp_mppe when pppd terminates (via ipdown.local with an
> rmmod command inside the script)
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jim Roland, RHCE (RedHat Certified Engineer)
> Owner, Roland Internet Services
> "The four surefire rules for success: Show up, Pay attention, Ask
> questions, Don't quit."
> --Rob Gilbert, PH.D.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ----- Original Message -----
> From: "Jordan Share"
> To: "Jim Roland" ; "Marek Butas" ; "PPTP List"
> Sent: Thursday, October 18, 2001 1:35 PM
> Subject: RE: [pptp-server] Strange problem ...
>
>
> > Wait, are you saying that two people cannot be connected at once to a linux PPTP server with MPPE ?
> >
> > Jordan
> >
> > -----Original Message-----
> > From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jim Roland
> > Sent: Wednesday, October 17, 2001 11:02 PM
> > To: Marek Butas; PPTP List
> > Subject: Re: [pptp-server] Strange problem ...
> >
> >
> > If you're using MPPE, it has a bug in it that prevents a secondary (single)
> > connection, or multiple simultaneous connections.
> >
> >
>

From dholmes at bigpond.net.au Thu Oct 18 18:45:38 2001
From: dholmes at bigpond.net.au (Dougal Holmes)
Date: Fri, 19 Oct 2001 09:45:38 +1000
Subject: [pptp-server] IP Question.
References: <002701c157c1$4fb63390$ec7bfea9@Advocate>
Message-ID: <000801c1582e$fdbaeb30$1103a8c0@mel.watsonwyatt.com.au>

The other 'solution' is to use WINIPCFG (for Win95/98) or IPCONFIG (WinNT/2000) to release the IP address on the NIC before connecting the PPTP tunnel.

Dougal

--
Dougal Holmes (at home)
mailto://dholmes at bigpond.net.au

----- Original Message -----
From: "Tim Brody"
To: "PPTPD User Group (E-mail)"
Cc:
Sent: Thursday, October 18, 2001 8:40 PM
Subject: Re: [pptp-server] IP Question.

> Hi,
>
> Unless you change the routing on the mobile computer, they'll be trying to
> access your network through the NIC card, rather than the PPTP interface
> (which is entirely logical ...).
> By changing the IP addy of the NIC you're
> changing the routing table so the machine no longer associates your internal
> network with the NIC, but with PPTP.
>
> I *think* the easiest solution for you would be to set up a DHCP server,
> which would give you a distinction between when your VPN users are connected
> directly and indirectly to your network.
>
> Set up a DHCP on your network with your proper internal IP addresses
> (10.1.1.x && 10.1.1.1), with a short TTL (say 10 minutes). When your users
> are out-and-about their lease will expire, stopping them routing through
> their NIC, and they will start routing through the PPTP instead.
>
> All the best,
> Tim.
>
> ----- Original Message -----
> From: "Matthew Gavin"
> To: "PPTPD User Group (E-mail)"
> Sent: Thursday, October 18, 2001 8:42 AM
> Subject: [pptp-server] IP Question.
>
>
> > Hi all,
> >
> > I have a small problem with Windows clients (Laptops) who connect to both
> > our Corporate LAN and our VPN (Not at the same time).
> >
> > For VPN access, ie: when they are remote to the LAN... There are no problems
> > authenticating and then connecting, but IP Traffic does not occur to or from
> > the internal network unless the user changes the Static IP Address assigned
> > to their NIC to anything but the LAN subnet (10.1.1.0)...
> >
> > ie: 10.1.1.234 to 10.0.0.234. Same for the gateway 10.1.1.1 to 10.0.0.1. All
> > is fine once they do this!
> >
> > I have senior managers who get the shits with this every time they need to
> > VPN in, and some have given up altogether. Has anyone experienced this or
> > do the majority of "your" VPN users always remain as VPN users?
> >
> > Matt. :)
> >
> >
>

From fforest at netcarrier.com Thu Oct 18 18:42:51 2001
From: fforest at netcarrier.com (Fred Forester)
Date: Thu, 18 Oct 2001 19:42:51 -0400
Subject: [pptp-server] all in one
Message-ID: <006901c1582e$9b3adab0$0701a8c0@forester.com>

Hi Guys,

Been using poptop now for about 7 months but got lazy during the install in applying all the patches described in the setup/how-to. Also not a subscriber to the list cause frankly the thing just works! (thank you all a whole bunch!!)

So... Does someone out there have a 1.0.1 version of poptop with ALL the patches pre applied?

Thanx

Fred Forester
FreeMED developer.
http://freemed.ourexchange.net/
http://sourceforge.net/projects/freemed/

From jvonau at home.com Thu Oct 18 19:03:03 2001
From: jvonau at home.com (Jerry Vonau)
Date: Thu, 18 Oct 2001 19:03:03 -0500
Subject: [pptp-server] IP Question.
References: <002701c157c1$4fb63390$ec7bfea9@Advocate> <000801c1582e$fdbaeb30$1103a8c0@mel.watsonwyatt.com.au>
Message-ID: <3BCF6DB7.1D116123@home.com>

Dougal:

Sorry you can't release a static IP, just DHCP (in Win95 anyway).

Jerry Vonau

Dougal Holmes wrote:
>
> The other 'solution' is to use WINIPCFG (for Win95/98) or IPCONFIG
> (WinNT/2000) to release the IP address on the NIC before connecting the PPTP
> tunnel.
>
> Dougal
>
> --
> Dougal Holmes (at home)
> mailto://dholmes at bigpond.net.au
> ----- Original Message -----
> From: "Tim Brody"
> To: "PPTPD User Group (E-mail)"
> Cc:
> Sent: Thursday, October 18, 2001 8:40 PM
> Subject: Re: [pptp-server] IP Question.
>
> > Hi,
> >
> > Unless you change the routing on the mobile computer, they'll be trying to
> > access your network through the NIC card, rather than the PPTP interface
> > (which is entirely logical ...).
From dholmes at bigpond.net.au Thu Oct 18 19:18:47 2001
From: dholmes at bigpond.net.au (Dougal Holmes)
Date: Fri, 19 Oct 2001 10:18:47 +1000
Subject: [pptp-server] IP Question.
References: <002701c157c1$4fb63390$ec7bfea9@Advocate> <000801c1582e$fdbaeb30$1103a8c0@mel.watsonwyatt.com.au> <3BCF6DB7.1D116123@home.com>
Message-ID: <005c01c15833$9f65f480$1103a8c0@mel.watsonwyatt.com.au>

True.

I also liked the suggestion of using startup profiles, or (better still)
removing the PCMCIA card from the PC when remote.

BTW, Win2K handles this in a much more elegant way, as it 'knows' when the
local NIC is not connected to a network.

Dougal

----- Original Message -----
From: "Jerry Vonau"
To: "Dougal Holmes"
Cc: "PPTPD User Group (E-mail)"
Sent: Friday, October 19, 2001 10:03 AM
Subject: Re: [pptp-server] IP Question.

> Dougal:
>
> Sorry, you can't release a static ip, just dhcp (in win95 anyway).
>
> Jerry Vonau
>
> Dougal Holmes wrote:
> >
> > The other 'solution' is to use WINIPCFG (for Win95/98) or IPCONFIG
> > (WinNT/2000) to release the IP address on the NIC before connecting the
> > PPTP tunnel.
> >
> > Dougal
> >
> > --
> > Dougal Holmes (at home)
> > mailto://dholmes at bigpond.net.au
> > ----- Original Message -----
> > From: "Tim Brody"
> > To: "PPTPD User Group (E-mail)"
> > Cc:
> > Sent: Thursday, October 18, 2001 8:40 PM
> > Subject: Re: [pptp-server] IP Question.
From Steve at SteveCowles.com Thu Oct 18 21:41:30 2001
From: Steve at SteveCowles.com (Cowles, Steve)
Date: Thu, 18 Oct 2001 21:41:30 -0500
Subject: [pptp-server] IP Question.
Message-ID: <90769AF04F76D41186C700A0C90AFC3EE8CB@defiant.infohiiway.com>

> -----Original Message-----
> From: Dougal Holmes [mailto:dholmes at bigpond.net.au]
> Sent: Thursday, October 18, 2001 7:19 PM
> To: Jerry Vonau
> Cc: PPTPD User Group (E-mail)
> Subject: Re: [pptp-server] IP Question.
>
> True.
>
> I also liked the suggestion of using startup profiles, or
> (better still) removing the PCMCIA card from the PC when
> remote.

Based on my experience, asking (or even training) non-technical types to
remove a PCMCIA card is like asking them to make a change to the registry.
They will eventually get frustrated and stop using that feature.

> BTW, Win2K handles this in a much more elegant way, as it
> 'knows' when the local NIC is not connected to a network.

Agreed. W2K does handle this situation better. Then again, in my so-called
"perfect world", all companies would have unlimited IT budgets and be able to
send Microsoft huge licensing fees. Then I could configure all the road
warrior types with W2K and IPSEC. :-)

Steve Cowles

From MarekButas at seznam.cz Fri Oct 19 03:06:27 2001
From: MarekButas at seznam.cz (Marek Butas)
Date: Fri, 19 Oct 2001 10:06:27 +0200 (CEST)
Subject: [pptp-server] Re: [pptp-server] Strange problem ...
Message-ID: <3928.19525-8567-1560980437-1003478787@seznam.cz>

Hi,

first, thanks Roland for your hints and info. I'm still trying to establish
VPN with MPPE. Here's what I found ...

This problem with the second connection (not at the same time!) I only have
with clients connecting by dial up. Before that I was testing VPN with a
client connected by fixed leased line and I did not have these problems.
Could be coincidence though.

I'm trying to correct this situation by creating the ip-down.local script.
I'm getting into another sort of problem; it may not be directly connected
to pptpd. Sometimes it takes some time to unload the mppe module from memory,
sometimes it is ok. Here are the logs. Look where the exit is and where the
unloading is. Of course, if a client is trying to log in and the module was
not unloaded yet, it just hangs.
Oct 17 21:00:13 indus pptpd[18123]: CTRL: Client 10.0.1.1 control connection started
Oct 17 21:00:13 indus pptpd[18123]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 21:00:14 indus kernel: CSLIP: code copyright 1989 Regents of the University of California
Oct 17 21:00:14 indus kernel: PPP generic driver version 2.4.1
Oct 17 21:00:14 indus pppd[18124]: pppd 2.4.0 started by root, uid 0
Oct 17 21:00:15 indus pppd[18124]: Using interface ppp0
Oct 17 21:00:15 indus pppd[18124]: Connect: ppp0 <--> /dev/pts/0
Oct 17 21:00:15 indus pptpd[18123]: GRE: Discarding duplicate packet
Oct 17 21:00:17 indus kernel: PPP BSD Compression module registered
Oct 17 21:00:17 indus kernel: PPP MPPE compression module registered
Oct 17 21:00:17 indus kernel: PPP Deflate Compression module registered
Oct 17 21:00:17 indus pppd[18124]: MSCHAP-v2 peer authentication succeeded for ms
Oct 17 21:00:17 indus pppd[18124]: found interface eth0 for proxy arp
Oct 17 21:00:17 indus pppd[18124]: local IP address 10.0.1.2
Oct 17 21:00:17 indus pppd[18124]: remote IP address 10.0.1.25
Oct 17 21:00:17 indus pppd[18124]: MPPE 128 bit, stateless compression enabled
Oct 17 21:01:23 indus pptpd[18123]: GRE: Discarding out of order packet
Oct 17 21:01:24 indus pptpd[18123]: GRE: Discarding out of order packet
Oct 17 21:04:59 indus pppd[18124]: LCP terminated by peer
Oct 17 21:05:00 indus pptpd[18123]: CTRL: Error with select(), quitting
Oct 17 21:05:00 indus pptpd[18123]: CTRL: Client 10.0.1.1 control connection finished
Oct 17 21:05:00 indus pppd[18124]: Modem hangup
Oct 17 21:05:00 indus pppd[18124]: Connection terminated.
Oct 17 21:05:00 indus pppd[18124]: Connect time 4.8 minutes.
Oct 17 21:05:00 indus pppd[18124]: Sent 17028 bytes, received 18827 bytes.
Oct 17 21:05:00 indus pppd[18124]: Exit.
Oct 17 21:07:36 indus pptpd[18173]: CTRL: Client 10.0.1.1 control connection started
Oct 17 21:07:36 indus pptpd[18173]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 21:07:37 indus pppd[18174]: pppd 2.4.0 started by root, uid 0
Oct 17 21:07:37 indus pppd[18174]: Using interface ppp0
Oct 17 21:07:37 indus pppd[18174]: Connect: ppp0 <--> /dev/pts/0
Oct 17 21:08:07 indus pptpd[18173]: CTRL: Error with select(), quitting
Oct 17 21:08:07 indus pptpd[18173]: CTRL: Client 10.0.1.1 control connection finished
Oct 17 21:08:07 indus pppd[18174]: Modem hangup
Oct 17 21:08:07 indus pppd[18174]: Connection terminated.
Oct 17 21:08:07 indus pppd[18174]: Exit.
Oct 17 21:08:50 indus pptpd[18198]: CTRL: Client 10.0.1.1 control connection started
Oct 17 21:08:50 indus pptpd[18198]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 21:08:50 indus pppd[18199]: pppd 2.4.0 started by root, uid 0
Oct 17 21:08:50 indus pppd[18199]: Using interface ppp0
Oct 17 21:08:50 indus pppd[18199]: Connect: ppp0 <--> /dev/pts/0
Oct 17 21:09:20 indus pptpd[18198]: CTRL: Error with select(), quitting
Oct 17 21:09:20 indus pptpd[18198]: CTRL: Client 10.0.1.1 control connection finished
Oct 17 21:09:20 indus pppd[18199]: Modem hangup
Oct 17 21:09:20 indus pppd[18199]: Connection terminated.
Oct 17 21:09:20 indus pppd[18199]: Exit.
Oct 17 21:09:36 indus pptpd[18223]: CTRL: Client 10.0.1.1 control connection started
Oct 17 21:09:36 indus pptpd[18223]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 21:09:36 indus pppd[18224]: pppd 2.4.0 started by root, uid 0
Oct 17 21:09:37 indus pppd[18224]: Using interface ppp0
Oct 17 21:09:37 indus pppd[18224]: Connect: ppp0 <--> /dev/pts/0
Oct 17 21:10:07 indus pptpd[18223]: CTRL: Error with select(), quitting
Oct 17 21:10:07 indus pptpd[18223]: CTRL: Client 10.0.1.1 control connection finished
Oct 17 21:10:07 indus pppd[18224]: Modem hangup
Oct 17 21:10:07 indus pppd[18224]: Connection terminated.
Oct 17 21:10:07 indus pppd[18224]: Exit.
Oct 17 21:12:03 indus pptpd[18252]: CTRL: Client 10.0.1.1 control connection started
Oct 17 21:12:03 indus pptpd[18252]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 21:12:03 indus pppd[18253]: pppd 2.4.0 started by root, uid 0
Oct 17 21:12:03 indus pppd[18253]: Using interface ppp0
Oct 17 21:12:03 indus pppd[18253]: Connect: ppp0 <--> /dev/pts/0
Oct 17 21:12:33 indus pptpd[18252]: CTRL: Error with select(), quitting
Oct 17 21:12:33 indus pptpd[18252]: CTRL: Client 10.0.1.1 control connection finished
Oct 17 21:12:33 indus pppd[18253]: Modem hangup
Oct 17 21:12:33 indus pppd[18253]: Connection terminated.
Oct 17 21:12:34 indus pppd[18253]: Exit.
Oct 17 21:14:01 indus pptpd[18277]: CTRL: Client 10.0.1.1 control connection started
Oct 17 21:14:01 indus pptpd[18277]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 21:14:01 indus pppd[18278]: pppd 2.4.0 started by root, uid 0
Oct 17 21:14:01 indus pppd[18278]: Using interface ppp0
Oct 17 21:14:01 indus pppd[18278]: Connect: ppp0 <--> /dev/pts/0
Oct 17 21:14:31 indus pptpd[18277]: CTRL: Error with select(), quitting
Oct 17 21:14:31 indus pptpd[18277]: CTRL: Client 10.0.1.1 control connection finished
Oct 17 21:14:31 indus pppd[18278]: Modem hangup
Oct 17 21:14:31 indus pppd[18278]: Connection terminated.
Oct 17 21:14:32 indus pppd[18278]: Exit.
Oct 17 21:20:00 indus kernel: PPP MPPE compression module unregistered

You see, after one successful connection the module did not unload itself.
It took 6 minutes!

But here is another client.
Oct 18 09:26:43 indus pptpd[19428]: CTRL: Client 10.0.0.2 control connection started
Oct 18 09:26:43 indus pptpd[19428]: CTRL: Starting call (launching pppd, opening GRE)
Oct 18 09:26:44 indus kernel: CSLIP: code copyright 1989 Regents of the University of California
Oct 18 09:26:44 indus kernel: PPP generic driver version 2.4.1
Oct 18 09:26:44 indus pppd[19429]: pppd 2.4.0 started by root, uid 0
Oct 18 09:26:44 indus pppd[19429]: Using interface ppp0
Oct 18 09:26:44 indus pppd[19429]: Connect: ppp0 <--> /dev/pts/2
Oct 18 09:26:44 indus pptpd[19428]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 18 09:26:45 indus kernel: PPP BSD Compression module registered
Oct 18 09:26:45 indus kernel: PPP MPPE compression module registered
Oct 18 09:26:46 indus kernel: PPP Deflate Compression module registered
Oct 18 09:26:46 indus pppd[19429]: MSCHAP-v2 peer authentication succeeded for MEGOS\\br
Oct 18 09:26:46 indus pppd[19429]: MPPE 40 bit, stateless compression enabled
Oct 18 09:26:49 indus pppd[19429]: found interface eth0 for proxy arp
Oct 18 09:26:49 indus pppd[19429]: local IP address 10.0.1.2
Oct 18 09:26:49 indus pppd[19429]: remote IP address 10.0.1.22
Oct 18 09:27:27 indus pptpd[19428]: CTRL: Error with select(), quitting
Oct 18 09:27:27 indus pptpd[19428]: CTRL: Client 10.0.0.2 control connection finished
Oct 18 09:27:27 indus pppd[19429]: Modem hangup
Oct 18 09:27:27 indus pppd[19429]: Connection terminated.
Oct 18 09:27:27 indus pppd[19429]: Connect time 0.8 minutes.
Oct 18 09:27:27 indus pppd[19429]: Sent 3663 bytes, received 177 bytes.
Oct 18 09:27:28 indus kernel: PPP MPPE compression module unregistered
Oct 18 09:27:28 indus pppd[19429]: Exit.
Oct 18 09:42:26 indus pptpd[19570]: CTRL: Client 10.0.0.2 control connection started
Oct 18 09:42:26 indus pptpd[19570]: CTRL: Starting call (launching pppd, opening GRE)
Oct 18 09:42:26 indus kernel: CSLIP: code copyright 1989 Regents of the University of California
Oct 18 09:42:26 indus kernel: PPP generic driver version 2.4.1
Oct 18 09:42:26 indus pppd[19571]: pppd 2.4.0 started by root, uid 0
Oct 18 09:42:26 indus pppd[19571]: Using interface ppp0
Oct 18 09:42:26 indus pppd[19571]: Connect: ppp0 <--> /dev/pts/1
Oct 18 09:42:26 indus pptpd[19570]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 18 09:42:27 indus kernel: PPP BSD Compression module registered
Oct 18 09:42:27 indus kernel: PPP MPPE compression module registered
Oct 18 09:42:27 indus kernel: PPP Deflate Compression module registered
Oct 18 09:42:27 indus pppd[19571]: MSCHAP-v2 peer authentication succeeded for MEGOS\\br
Oct 18 09:42:27 indus pppd[19571]: found interface eth0 for proxy arp
Oct 18 09:42:27 indus pppd[19571]: local IP address 10.0.1.2
Oct 18 09:42:27 indus pppd[19571]: remote IP address 10.0.1.22
Oct 18 09:42:27 indus pppd[19571]: MPPE 40 bit, stateless compression enabled
Oct 18 09:43:40 indus pptpd[19570]: CTRL: Error with select(), quitting
Oct 18 09:43:40 indus pptpd[19570]: CTRL: Client 10.0.0.2 control connection finished
Oct 18 09:43:40 indus pppd[19571]: Modem hangup
Oct 18 09:43:40 indus pppd[19571]: Connection terminated.
Oct 18 09:43:40 indus pppd[19571]: Connect time 1.3 minutes.
Oct 18 09:43:40 indus pppd[19571]: Sent 2230 bytes, received 143 bytes.
Oct 18 09:43:40 indus kernel: PPP MPPE compression module unregistered
Oct 18 09:43:41 indus pppd[19571]: Exit.

The interesting thing for me is that the module is unloading before the
exit and not after.

I would be grateful for any comments.

Regards
Marek Butas
From jrmann1999 at yahoo.com Fri Oct 19 19:57:38 2001
From: jrmann1999 at yahoo.com (Jeremy Mann)
Date: Fri, 19 Oct 2001 17:57:38 -0700 (PDT)
Subject: [pptp-server] Routing issues
Message-ID: <20011020005738.43895.qmail@web14102.mail.yahoo.com>

Here's a question I'm sure has a quick answer. I've just recently installed
PoPToP for VPN services, and when I have users connect remotely through the
internet to my VPN server, my machine becomes their default gateway. Why is
this and is there a way around it? Here's my Network for those interested:

Local Machines            Linux Box
on 10.10.0.x    --->      10.10.0.1 (local) (eth0)
subnet                    Dynamic IP (internet) (eth1)

The VPN runs on the
10.10.0.6-10.10.0.50 localip
10.10.0.51-10.10.0.100 remoteip

I'm probably going about this all wrong, but any help is appreciated :)

J

From dholmes at bigpond.net.au Fri Oct 19 22:18:27 2001
From: dholmes at bigpond.net.au (Dougal Holmes)
Date: Sat, 20 Oct 2001 13:18:27 +1000
Subject: [pptp-server] Routing issues
References: <20011020005738.43895.qmail@web14102.mail.yahoo.com>
Message-ID: <003a01c15915$e2d241a0$40dd0fcb@shoephone.apana.org.au>

Not an easy answer, unfortunately.

Windows clients have two options for routing when using VPN connections:

1. Use the connection as the default gateway for all packets
2. Only use the network connected ("Use default gateway" disabled)
   (which will work for you, as all your addresses are on the same network).

Which is a real pain if you want to have several networks at the end of the
VPN connection, but keep your current default gateway.

What we do is use the CMAK kit (part of IEAK) to create a custom connection,
and wrote a small VB program to call the route command after the connection
comes up to add specific routes to some networks. It's grunchy, but it works.
Dougal Holmes (at home)
mailto:dholmes at bigpond.net.au

----- Original Message -----
From: "Jeremy Mann"
To:
Sent: Saturday, October 20, 2001 10:57 AM
Subject: [pptp-server] Routing issues

> Here's a question I'm sure has a quick answer. I've
> just recently installed PoPToP for VPN services, and
> when I have users connect remotely through the
> internet to my VPN server, my machine becomes their
> default gateway. Why is this and is there a way
> around it? Here's my Network for those interested
>
> Local Machines            Linux Box
> on 10.10.0.x    --->      10.10.0.1 (local) (eth0)
> subnet                    Dynamic IP (internet) (eth1)
>
> The VPN runs on the
> 10.10.0.6-10.10.0.50 localip
> 10.10.0.51-10.10.0.100 remoteip
>
> I'm probably going about this all wrong, but any help
> is appreciated :)
>
> J

From jsubs at shanholtz.com Sat Oct 20 12:10:42 2001
From: jsubs at shanholtz.com (Jeff Shanholtz)
Date: Sat, 20 Oct 2001 10:10:42 -0700
Subject: [pptp-server] strange packets rejected by my firewall
Message-ID: <008101c1598a$29a654d0$01ba10ac@Jeff>

When using my VPN, my firewall regularly logs rejected packets that arrive on
my internal interface (172.16.186.1:4095 or 192.168.227.1:4096) destined for
the pptp client (192.168.0.245:139). My internal network is using the
192.168.0.0 subnet. Does anyone know what this traffic is all about?
Specifically, why the odd source addresses when I don't have machines on my
network that are using them?
From jsubs at shanholtz.com Sun Oct 21 15:16:01 2001
From: jsubs at shanholtz.com (Jeff Shanholtz)
Date: Sun, 21 Oct 2001 13:16:01 -0700
Subject: [pptp-server] strange packets rejected by my firewall
In-Reply-To: <3BD1B518.F2E9DE63@home.com>
Message-ID: <008c01c15a6d$37ce0bf0$01ba10ac@Jeff>

Jerry, you forgot to reply to the list, so I'm bringing this back on-list.

The client (my work computer) is XP and it only has one nic, but it just
occurred to me when I started this reply that the client runs VMware, so
perhaps one or both of the addresses I mentioned are coming from its virtual
nic(s). My work's subnet is 192.168.100.0, so it must be VMware. I'll have to
check to see what IPs are involved with VMware tomorrow when I'm at work.
I'll post back to the list when I find out...

BTW, to answer your questions, my vpn server isn't assigning a gateway to the
client, so that shouldn't be an issue. And here are the relevant logs from
ipchains (eth0 is my internal card and 192.168.0.245 is the address assigned
to the vpn client). I don't see much relevance in detailing my firewall rules
because my problem isn't in configuring my firewall (I could easily enable
this traffic if necessary), plus there are just too many rules (it's based on
David Ranch's TrinityOS script).
12:18:55 input REJECT eth0 PROTO=6 172.16.186.1 :4095 192.168.0.245 :139 L=48 S=0x00 I=32345 F=0x4000 T=128 SYN (#57)
12:18:55 input REJECT eth0 PROTO=6 192.168.227.1 :4096 192.168.0.245 :139 L=48 S=0x00 I=32346 F=0x4000 T=128 SYN (#57)
12:18:57 input REJECT eth0 PROTO=6 172.16.186.1 :4099 192.168.0.245 :139 L=48 S=0x00 I=32370 F=0x4000 T=128 SYN (#57)
12:18:57 input REJECT eth0 PROTO=6 192.168.227.1 :4100 192.168.0.245 :139 L=48 S=0x00 I=32371 F=0x4000 T=128 SYN (#57)
12:19:00 input REJECT eth0 PROTO=6 172.16.186.1 :4103 192.168.0.245 :139 L=48 S=0x00 I=32399 F=0x4000 T=128 SYN (#57)
12:19:00 input REJECT eth0 PROTO=6 192.168.227.1 :4104 192.168.0.245 :139 L=48 S=0x00 I=32400 F=0x4000 T=128 SYN (#57)

-----Original Message-----
From: Jerry Vonau [mailto:jvonau at home.com]
Sent: Saturday, October 20, 2001 10:32 AM
To: Jeff Shanholtz
Subject: Re: [pptp-server] strange packets rejected by my firewall

Jeff:

Just to clear up in my head what you are describing. How about a snip from
the logs, and a sample of the rules that are loaded? What kind of client is
it? 98, 2000, linux? Does the client have 2 nics? (172.16.186.1:4095 or
192.168.227.1:4096) is this the source address? Maybe the default gateway on
the client is changing to the vpn tunnel and the client has routes setup,
forcing that traffic up the tunnel? Sounds like the client is routing
traffic up the tunnel from its home lan(s?), but that is just a guess without
more info.

Jerry Vonau

> Jeff Shanholtz wrote:
>
> When using my VPN, my firewall regularly logs rejected packets that
> arrive on my internal interface (172.16.186.1:4095 or
> 192.168.227.1:4096) destined for the pptp client (192.168.0.245:139).
> My internal network is using the 192.168.0.0 subnet. Does anyone know
> what this traffic is all about? Specifically, why the odd source
> addresses when I don't have machines on my network that are using
> them?
From jvonau at home.com Sun Oct 21 19:25:06 2001
From: jvonau at home.com (Jerry Vonau)
Date: Sun, 21 Oct 2001 19:25:06 -0500
Subject: [pptp-server] strange packets rejected by my firewall
References: <008c01c15a6d$37ce0bf0$01ba10ac@Jeff>
Message-ID: <3BD36762.EE644724@home.com>

Jeff:

Jeff Shanholtz wrote:
>
> Jerry, you forgot to reply to the list, so I'm bringing this back
> on-list.
>
> The client (my work computer) is XP and it only has one nic, but it just
> occurred to me when I started this reply that the client runs VMware, so
> perhaps one or both of the addresses I mentioned are coming from its
> virtual nic(s). My work's subnet is 192.168.100.0, so it must be VMware.
> I'll have to check to see what IPs are involved with VMware tomorrow
> when I'm at work. I'll post back to the list when I find out...

That makes sense to me.

> BTW, to answer your questions, my vpn server isn't assigning a gateway
> to the client, so that shouldn't be an issue.

That does not prevent the "use default gateway on remote" from being ticked
in the advanced properties on the client. That routes all traffic up the
tunnel.

> And here are the relevant
> logs from ipchains (eth0 is my internal card and 192.168.0.245 is the
> address assigned to the vpn client). I don't see much relevance in
> detailing my firewall rules because my problem isn't in configuring my
> firewall (I could easily enable this traffic if necessary), plus there
> are just too many rules (it's based on David Ranch's TrinityOS script).

I like David Ranch's stuff, used a lot of his examples, except that I group
the rules by services required instead of input/output. Makes for an easier
read when you haven't looked at it for a few months. Just my preference.

I was asking about the firewall script because that traffic should be
rejected at the ppp interface; the internal nic should not even see that
traffic.
If you're doing something like:

/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s 0/0 -d 0/0

then all the traffic is allowed to pass. I use:

/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN

so just the lan traffic is allowed to pass, and the rejects are tied to the
ppp interface involved.

Just my thoughts..

Jerry Vonau

From jroland at roland.net Mon Oct 22 09:06:14 2001
From: jroland at roland.net (Jim Roland)
Date: Mon, 22 Oct 2001 09:06:14 -0500
Subject: [pptp-server] Strange problem ...
References: <3928.19525-8567-1560980437-1003478787@seznam.cz>
Message-ID: <002201c15b02$b92d4ae0$bb1cfa18@JimWS>

So Jordan, any ideas on mine and Marek's problem?

----- Original Message -----
From: "Marek Butas"
To: "Jim Roland" ; "PPTP List"
Sent: Friday, October 19, 2001 3:06 AM
Subject: Re: [pptp-server] Strange problem ...

> Hi,
>
> first thank Roland for your hints and info. I'm still trying to
> establish VPN with MPPE. Here's what I found ...
>
> This problem with second connection (not at the same time!) I only
> have with clients connecting by dial up. Before that I was testing
> VPN with client connected by fixed leased line and I did not have
> these problems. Could be coincidence though.
>
> I'm trying to correct this situation with creating the ip-down.local
> script. I'm getting into another sort of problem, it could not be
> directly connected to pptpd. Sometimes it takes some time to unload
> mppe module from memory, sometimes it is ok. Here are the logs. Look
> where is exit and where the unloading. Of course, that if a client is
> trying to log in and module was not unloaded yet, it just hangs.
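As an added example (not code from the thread or from any of its posters): Jerry's two ipchains rules in the "strange packets" thread above differ only in the source/destination scope of the ppp+ ACCEPT. The Python below models that scope, including the swapped match that `-b` adds, and replays the six REJECT lines Jeff posted through both rules. It assumes $INTLAN is 192.168.0.0/24 (Jeff said his internal network is 192.168.0.0) and models only the -s/-d scope of that one rule, not the rest of the chain.

```python
"""Added example, not code from the pptp-server thread: model the address
scope of the two ipchains ACCEPT rules Jerry contrasts and replay the REJECT
lines Jeff posted through them.  Assumptions: $INTLAN is 192.168.0.0/24 and
only the -s/-d scope of the ppp+ rule is modelled, not the rest of the chain."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# The six ipchains REJECT lines from Jeff's post (copied from the thread).
SAMPLE_LOG = """\
12:18:55 input REJECT eth0 PROTO=6 172.16.186.1 :4095 192.168.0.245 :139 L=48 S=0x00 I=32345 F=0x4000 T=128 SYN (#57)
12:18:55 input REJECT eth0 PROTO=6 192.168.227.1 :4096 192.168.0.245 :139 L=48 S=0x00 I=32346 F=0x4000 T=128 SYN (#57)
12:18:57 input REJECT eth0 PROTO=6 172.16.186.1 :4099 192.168.0.245 :139 L=48 S=0x00 I=32370 F=0x4000 T=128 SYN (#57)
12:18:57 input REJECT eth0 PROTO=6 192.168.227.1 :4100 192.168.0.245 :139 L=48 S=0x00 I=32371 F=0x4000 T=128 SYN (#57)
12:19:00 input REJECT eth0 PROTO=6 172.16.186.1 :4103 192.168.0.245 :139 L=48 S=0x00 I=32399 F=0x4000 T=128 SYN (#57)
12:19:00 input REJECT eth0 PROTO=6 192.168.227.1 :4104 192.168.0.245 :139 L=48 S=0x00 I=32400 F=0x4000 T=128 SYN (#57)
"""

# ipchains log layout as seen above: time chain target iface PROTO=n src :sport dst :dport ...
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<chain>\w+)\s+(?P<target>\w+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+)\s+:(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)\s+:(?P<dport>\d+)"
)


class Packet(NamedTuple):
    time: str
    iface: str
    proto: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def make_packet(src: str, dst: str, dport: int = 139, iface: str = "ppp0") -> Packet:
    """Build a packet by hand, e.g. for the LAN-to-LAN case the logs do not show."""
    return Packet("00:00:00", iface, 6, ipaddress.IPv4Address(src), 1025,
                  ipaddress.IPv4Address(dst), dport)


def parse_ipchains_log(text: str) -> List[Packet]:
    """Parse ipchains log lines; lines that do not match the layout are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            pkts.append(Packet(m["time"], m["iface"], int(m["proto"]),
                               ipaddress.IPv4Address(m["src"]), int(m["sport"]),
                               ipaddress.IPv4Address(m["dst"]), int(m["dport"])))
    return pkts


class PppAcceptRule:
    """Address scope of '-A input -j ACCEPT -i ppp+ -b -s S -d D'.
    None stands for 0/0 (any address).  -b makes ipchains add the same rule a
    second time with -s and -d swapped, so both directions are checked."""

    def __init__(self, src: Optional[str] = None, dst: Optional[str] = None):
        self.src = ipaddress.IPv4Network(src) if src else None
        self.dst = ipaddress.IPv4Network(dst) if dst else None

    def _one_way(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        return (self.src is None or s in self.src) and (self.dst is None or d in self.dst)

    def accepts(self, pkt: Packet) -> bool:
        return self._one_way(pkt.src, pkt.dst) or self._one_way(pkt.dst, pkt.src)


INTLAN = "192.168.0.0/24"                   # assumption (see lead-in)
PERMISSIVE = PppAcceptRule()                # -s 0/0 -d 0/0
RESTRICTED = PppAcceptRule(INTLAN, INTLAN)  # -s $INTLAN -d $INTLAN


def classify(text: str, rule: PppAcceptRule) -> Tuple[List[str], List[str]]:
    """Split the logged flows into those the rule would ACCEPT on the tunnel
    and those that fall through to the later (reject) rules of the chain."""
    accepted, fallthrough = [], []
    for p in parse_ipchains_log(text):
        flow = f"{p.src}:{p.sport}->{p.dst}:{p.dport}"
        (accepted if rule.accepts(p) else fallthrough).append(flow)
    return accepted, fallthrough


if __name__ == "__main__":
    for name, rule in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        acc, fall = classify(SAMPLE_LOG, rule)
        print(f"{name:10s}: {len(acc)} accepted, {len(fall)} fall through")
        for flow in fall:
            print("   would be rejected at the ppp interface:", flow)
```

With the permissive rule all six VMware-sourced flows pass the ppp+ ACCEPT; with the $INTLAN rule none of them match, so they stop at the ppp interface as Jerry describes.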
> > Oct 17 21:00:13 indus pptpd[18123]: CTRL: Client 10.0.1.1 control > connection started > Oct 17 21:00:13 indus pptpd[18123]: CTRL: Starting call (launching > pppd, opening GRE) > Oct 17 21:00:14 indus kernel: CSLIP: code copyright 1989 Regents of > the University of California > Oct 17 21:00:14 indus kernel: PPP generic driver version 2.4.1 > Oct 17 21:00:14 indus pppd[18124]: pppd 2.4.0 started by root, uid 0 > Oct 17 21:00:15 indus pppd[18124]: Using interface ppp0 > Oct 17 21:00:15 indus pppd[18124]: Connect: ppp0 <--> /dev/pts/0 > Oct 17 21:00:15 indus pptpd[18123]: GRE: Discarding duplicate packet > Oct 17 21:00:17 indus kernel: PPP BSD Compression module registered > Oct 17 21:00:17 indus kernel: PPP MPPE compression module registered > Oct 17 21:00:17 indus kernel: PPP Deflate Compression module > registered > Oct 17 21:00:17 indus pppd[18124]: MSCHAP-v2 peer authentication > succeeded for ms > Oct 17 21:00:17 indus pppd[18124]: found interface eth0 for proxy arp > Oct 17 21:00:17 indus pppd[18124]: local IP address 10.0.1.2 > Oct 17 21:00:17 indus pppd[18124]: remote IP address 10.0.1.25 > Oct 17 21:00:17 indus pppd[18124]: MPPE 128 bit, stateless > compression enabled > Oct 17 21:01:23 indus pptpd[18123]: GRE: Discarding out of order > packet > Oct 17 21:01:24 indus pptpd[18123]: GRE: Discarding out of order > packet > Oct 17 21:04:59 indus pppd[18124]: LCP terminated by peer > Oct 17 21:05:00 indus pptpd[18123]: CTRL: Error with select(), > quitting > Oct 17 21:05:00 indus pptpd[18123]: CTRL: Client 10.0.1.1 control > connection finished > Oct 17 21:05:00 indus pppd[18124]: Modem hangup > Oct 17 21:05:00 indus pppd[18124]: Connection terminated. > Oct 17 21:05:00 indus pppd[18124]: Connect time 4.8 minutes. > Oct 17 21:05:00 indus pppd[18124]: Sent 17028 bytes, received 18827 > bytes. > Oct 17 21:05:00 indus pppd[18124]: Exit. 
> Oct 17 21:07:36 indus pptpd[18173]: CTRL: Client 10.0.1.1 control > connection started > Oct 17 21:07:36 indus pptpd[18173]: CTRL: Starting call (launching > pppd, opening GRE) > Oct 17 21:07:37 indus pppd[18174]: pppd 2.4.0 started by root, uid 0 > Oct 17 21:07:37 indus pppd[18174]: Using interface ppp0 > Oct 17 21:07:37 indus pppd[18174]: Connect: ppp0 <--> /dev/pts/0 > Oct 17 21:08:07 indus pptpd[18173]: CTRL: Error with select(), > quitting > Oct 17 21:08:07 indus pptpd[18173]: CTRL: Client 10.0.1.1 control > connection finished > Oct 17 21:08:07 indus pppd[18174]: Modem hangup > Oct 17 21:08:07 indus pppd[18174]: Connection terminated. > Oct 17 21:08:07 indus pppd[18174]: Exit. > Oct 17 21:08:50 indus pptpd[18198]: CTRL: Client 10.0.1.1 control > connection started > Oct 17 21:08:50 indus pptpd[18198]: CTRL: Starting call (launching > pppd, opening GRE) > Oct 17 21:08:50 indus pppd[18199]: pppd 2.4.0 started by root, uid 0 > Oct 17 21:08:50 indus pppd[18199]: Using interface ppp0 > Oct 17 21:08:50 indus pppd[18199]: Connect: ppp0 <--> /dev/pts/0 > Oct 17 21:09:20 indus pptpd[18198]: CTRL: Error with select(), > quitting > Oct 17 21:09:20 indus pptpd[18198]: CTRL: Client 10.0.1.1 control > connection finished > Oct 17 21:09:20 indus pppd[18199]: Modem hangup > Oct 17 21:09:20 indus pppd[18199]: Connection terminated. > Oct 17 21:09:20 indus pppd[18199]: Exit. 
> Oct 17 21:09:36 indus pptpd[18223]: CTRL: Client 10.0.1.1 control connection started
> Oct 17 21:09:36 indus pptpd[18223]: CTRL: Starting call (launching pppd, opening GRE)
> Oct 17 21:09:36 indus pppd[18224]: pppd 2.4.0 started by root, uid 0
> Oct 17 21:09:37 indus pppd[18224]: Using interface ppp0
> Oct 17 21:09:37 indus pppd[18224]: Connect: ppp0 <--> /dev/pts/0
> Oct 17 21:10:07 indus pptpd[18223]: CTRL: Error with select(), quitting
> Oct 17 21:10:07 indus pptpd[18223]: CTRL: Client 10.0.1.1 control connection finished
> Oct 17 21:10:07 indus pppd[18224]: Modem hangup
> Oct 17 21:10:07 indus pppd[18224]: Connection terminated.
> Oct 17 21:10:07 indus pppd[18224]: Exit.
> Oct 17 21:12:03 indus pptpd[18252]: CTRL: Client 10.0.1.1 control connection started
> Oct 17 21:12:03 indus pptpd[18252]: CTRL: Starting call (launching pppd, opening GRE)
> Oct 17 21:12:03 indus pppd[18253]: pppd 2.4.0 started by root, uid 0
> Oct 17 21:12:03 indus pppd[18253]: Using interface ppp0
> Oct 17 21:12:03 indus pppd[18253]: Connect: ppp0 <--> /dev/pts/0
> Oct 17 21:12:33 indus pptpd[18252]: CTRL: Error with select(), quitting
> Oct 17 21:12:33 indus pptpd[18252]: CTRL: Client 10.0.1.1 control connection finished
> Oct 17 21:12:33 indus pppd[18253]: Modem hangup
> Oct 17 21:12:33 indus pppd[18253]: Connection terminated.
> Oct 17 21:12:34 indus pppd[18253]: Exit.
> Oct 17 21:14:01 indus pptpd[18277]: CTRL: Client 10.0.1.1 control connection started
> Oct 17 21:14:01 indus pptpd[18277]: CTRL: Starting call (launching pppd, opening GRE)
> Oct 17 21:14:01 indus pppd[18278]: pppd 2.4.0 started by root, uid 0
> Oct 17 21:14:01 indus pppd[18278]: Using interface ppp0
> Oct 17 21:14:01 indus pppd[18278]: Connect: ppp0 <--> /dev/pts/0
> Oct 17 21:14:31 indus pptpd[18277]: CTRL: Error with select(), quitting
> Oct 17 21:14:31 indus pptpd[18277]: CTRL: Client 10.0.1.1 control connection finished
> Oct 17 21:14:31 indus pppd[18278]: Modem hangup
> Oct 17 21:14:31 indus pppd[18278]: Connection terminated.
> Oct 17 21:14:32 indus pppd[18278]: Exit.
> Oct 17 21:20:00 indus kernel: PPP MPPE compression module unregistered
>
> You see, after one successful connection the module did not unload itself. It took 6 minutes!
>
> But here is another client.
>
> Oct 18 09:26:43 indus pptpd[19428]: CTRL: Client 10.0.0.2 control connection started
> Oct 18 09:26:43 indus pptpd[19428]: CTRL: Starting call (launching pppd, opening GRE)
> Oct 18 09:26:44 indus kernel: CSLIP: code copyright 1989 Regents of the University of California
> Oct 18 09:26:44 indus kernel: PPP generic driver version 2.4.1
> Oct 18 09:26:44 indus pppd[19429]: pppd 2.4.0 started by root, uid 0
> Oct 18 09:26:44 indus pppd[19429]: Using interface ppp0
> Oct 18 09:26:44 indus pppd[19429]: Connect: ppp0 <--> /dev/pts/2
> Oct 18 09:26:44 indus pptpd[19428]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Oct 18 09:26:45 indus kernel: PPP BSD Compression module registered
> Oct 18 09:26:45 indus kernel: PPP MPPE compression module registered
> Oct 18 09:26:46 indus kernel: PPP Deflate Compression module registered
> Oct 18 09:26:46 indus pppd[19429]: MSCHAP-v2 peer authentication succeeded for MEGOS\\br
> Oct 18 09:26:46 indus pppd[19429]: MPPE 40 bit, stateless compression enabled
> Oct 18 09:26:49 indus pppd[19429]: found interface eth0 for proxy arp
> Oct 18 09:26:49 indus pppd[19429]: local IP address 10.0.1.2
> Oct 18 09:26:49 indus pppd[19429]: remote IP address 10.0.1.22
> Oct 18 09:27:27 indus pptpd[19428]: CTRL: Error with select(), quitting
> Oct 18 09:27:27 indus pptpd[19428]: CTRL: Client 10.0.0.2 control connection finished
> Oct 18 09:27:27 indus pppd[19429]: Modem hangup
> Oct 18 09:27:27 indus pppd[19429]: Connection terminated.
> Oct 18 09:27:27 indus pppd[19429]: Connect time 0.8 minutes.
> Oct 18 09:27:27 indus pppd[19429]: Sent 3663 bytes, received 177 bytes.
> Oct 18 09:27:28 indus kernel: PPP MPPE compression module unregistered
> Oct 18 09:27:28 indus pppd[19429]: Exit.
> Oct 18 09:42:26 indus pptpd[19570]: CTRL: Client 10.0.0.2 control connection started
> Oct 18 09:42:26 indus pptpd[19570]: CTRL: Starting call (launching pppd, opening GRE)
> Oct 18 09:42:26 indus kernel: CSLIP: code copyright 1989 Regents of the University of California
> Oct 18 09:42:26 indus kernel: PPP generic driver version 2.4.1
> Oct 18 09:42:26 indus pppd[19571]: pppd 2.4.0 started by root, uid 0
> Oct 18 09:42:26 indus pppd[19571]: Using interface ppp0
> Oct 18 09:42:26 indus pppd[19571]: Connect: ppp0 <--> /dev/pts/1
> Oct 18 09:42:26 indus pptpd[19570]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Oct 18 09:42:27 indus kernel: PPP BSD Compression module registered
> Oct 18 09:42:27 indus kernel: PPP MPPE compression module registered
> Oct 18 09:42:27 indus kernel: PPP Deflate Compression module registered
> Oct 18 09:42:27 indus pppd[19571]: MSCHAP-v2 peer authentication succeeded for MEGOS\\br
> Oct 18 09:42:27 indus pppd[19571]: found interface eth0 for proxy arp
> Oct 18 09:42:27 indus pppd[19571]: local IP address 10.0.1.2
> Oct 18 09:42:27 indus pppd[19571]: remote IP address 10.0.1.22
> Oct 18 09:42:27 indus pppd[19571]: MPPE 40 bit, stateless compression enabled
> Oct 18 09:43:40 indus pptpd[19570]: CTRL: Error with select(), quitting
> Oct 18 09:43:40 indus pptpd[19570]: CTRL: Client 10.0.0.2 control connection finished
> Oct 18 09:43:40 indus pppd[19571]: Modem hangup
> Oct 18 09:43:40 indus pppd[19571]: Connection terminated.
> Oct 18 09:43:40 indus pppd[19571]: Connect time 1.3 minutes.
> Oct 18 09:43:40 indus pppd[19571]: Sent 2230 bytes, received 143 bytes.
> Oct 18 09:43:40 indus kernel: PPP MPPE compression module unregistered
> Oct 18 09:43:41 indus pppd[19571]: Exit.
>
> Interesting thing for me is that the module is unloading before exit and not after.
>
> I would be grateful for any comments.
>
> Regards
> Marek Butas

From damon at betcoinc.com Mon Oct 22 12:19:01 2001
From: damon at betcoinc.com (Damon Brinkley)
Date: Mon, 22 Oct 2001 13:19:01 -0400
Subject: [pptp-server] Iptables rules help
Message-ID: <001501c15b1d$a5455c50$01f111ac@mis5>

I have POPTOP setup and working great but I'm having troubles with iptables. If I open all ports then I can connect fine with a client. But if I open only ports 1723 and protocol (47)GRE I can't connect. Then client gives me an Error: 678 The remote computer did not respond within a reasonable amount of time.
I'm not sure why this is happening but I would like to close everything but the PPTP ports since that is its sole purpose. Anyone have any rules that work great for you? Any help would be greatly appreciated.

Damon Brinkley

From chris at ooc2000.com Mon Oct 22 15:54:15 2001
From: chris at ooc2000.com (Chris)
Date: Mon, 22 Oct 2001 15:54:15 -0500
Subject: [pptp-server] Newbie: +chapms, +chapms-v2 etc not recognized
Message-ID: <5.1.0.14.0.20011022155255.00a63b80@www.carttest.com>

Hi all,

I'm attempting to run PopTop 1.0.1 (my new FAVORITE daemon!) on Mandrake Linux 8.1 (kernel = 2.4.8-26mdk), and connect to it from my laptop, which is running Win 2000. For now, I'm just doing things within my LAN.

Long story short, I followed the FAQ's instructions on configuring PopTop, but when I try to connect from the Win client I get this error on the client:

Error 619: The specified port is not connected

And this error on the server:

In file /etc/ppp/options: Unrecognized option '+chapms'

If I comment the +chapms line out of /etc/ppp/options, I get the same error message for +chapms-v2, mppe-40, mppe-128, and mppe-stateless. (It doesn't mind +chap though.) If I comment all the offending lines out, and make the client connect without encryption, I can get on the VPN no problem.

I'm new and clueless at this stuff, but I'm guessing that the problem is that my server machine's PPP is too old and doesn't support those options, all of which seem to be for encryption. I'm also guessing that I can upgrade my PPP and be just fine.
But I came to the list because 1) I'm not sure about this, 2) the instructions in the FAQ for upgrading PPP seem tied in with upgrading the kernel, and I don't really want to mess with that, and 3) I can't seem to find an RPM called PPP that I can just upgrade, nor can I find what version of PPP I currently have installed. My machine does seem to have a bunch of files with ppp-2.4.8 in their names, but I don't know precisely what to make of this.

Any help would be MUCH appreciated!

Thanks,
Chris

From jsubs at shanholtz.com Tue Oct 23 00:11:52 2001
From: jsubs at shanholtz.com (Jeff Shanholtz)
Date: Mon, 22 Oct 2001 22:11:52 -0700
Subject: [pptp-server] strange packets rejected by my firewall
In-Reply-To: <3BD36762.EE644724@home.com>
Message-ID: <00ad01c15b81$3a4936b0$01ba10ac@Jeff>

Turns out it's really VMware on a machine in my internal LAN, not on the vpn client (I forgot VMware was even installed there).

> > BTW, to answer your questions, my vpn server isn't assigning a gateway
> > to the client, so that shouldn't be an issue.
>
> That does not prevent the "use default gateway on remote" from being ticked
> in the advanced properties on the client. That routes all traffic up the
> tunnel.

Really? If the vpn client *knows* that there is no remote gateway (because poptop tells it there is no gateway), it surprises me that a route would be set up for it. At any rate, I do have that option unchecked on the client.

Thanks for your help, even though it was mostly just a matter of figuring it out by thinking out loud.

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Jerry Vonau
Sent: Sunday, October 21, 2001 5:25 PM
To: Jeff Shanholtz
Cc: 'PoPToP List'
Subject: Re: [pptp-server] strange packets rejected by my firewall

Jeff:

Jeff Shanholtz wrote:
>
> Jerry, you forgot to reply to the list, so I'm bringing this back
> on-list.
>
> The client (my work computer) is XP and it only has one nic, but it just
> occurred to me when I started this reply that the client runs VMware, so
> perhaps one or both of the addresses I mentioned are coming from its
> virtual nic(s). My work's subnet is 192.168.100.0, so it must be VMware.
> I'll have to check to see what IP's are involved with VMware tomorrow
> when I'm at work. I'll post back to the list when I find out...

That makes sense to me.

> BTW, to answer your questions, my vpn server isn't assigning a gateway
> to the client, so that shouldn't be an issue.

That does not prevent the "use default gateway on remote" from being ticked in the advanced properties on the client. That routes all traffic up the tunnel.

> And here are the relevant
> logs from ipchains (eth0 is my internal card and 192.168.0.245 is the
> address assigned to the vpn client). I don't see much relevance to
> detailing my firewall rules because my problem isn't in configuring my
> firewall (I could easily enable this traffic if necessary), plus there
> are just too many rules (it's based on David Ranch's TrinityOS script).

I like David Ranch's stuff, used a lot of his examples, except that I group the rules by services required instead of input/output. Makes for an easier read when you haven't looked at it for a few months. Just my preference.

Why I was asking about the firewall script is because that traffic should be rejected at the ppp interface; the internal nic should not even see that traffic. If you're doing something like:

/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s 0/0 -d 0/0

then all the traffic is allowed to pass. I use:

/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN

Just the lan traffic is allowed to pass, and the rejects are tied to the ppp interface involved.

Just my thoughts..
Jerry Vonau

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
--- To unsubscribe, go to the url just above this line. --

From jsubs at shanholtz.com Tue Oct 23 00:33:58 2001
From: jsubs at shanholtz.com (Jeff Shanholtz)
Date: Mon, 22 Oct 2001 22:33:58 -0700
Subject: [pptp-server] Iptables rules help
In-Reply-To: <001501c15b1d$a5455c50$01f111ac@mis5>
Message-ID: <00ae01c15b84$50b08180$01ba10ac@Jeff>

That's where examining your firewall's logs is invaluable. That's how I figured out the bare minimum required to get my vpn client through my firewall. I'm still using ipchains, but you can probably figure out what to do with iptables by looking at my rules.

BTW, my firewall and my pptp server run on the same machine.

One more thing... you might be able to get by without some of the rules, but it is close to bare minimum. I'm almost certain about all the rules except perhaps the ICMP and DHCP rules. I recommend you start with what I have to get it working and try removing those if you want and see if anything breaks.
# IP network address of the PPTP network
PPTPLAN="192.168.0.245/32"
PPTPIF="ppp+"

# IP network address of the internal network
INTLAN="192.168.0.0/24"
INTIF="eth0"

EXTIF="eth1"
# EXTIP (the address on the external interface) is used below and
# must be set elsewhere in the script

UNIVERSE="0.0.0.0/0"

BROADCAST="255.255.255.255"

SECUREHOST=<use UNIVERSE instead if you want it wide open>

# PPTP traffic
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP 1723
/sbin/ipchains -A input -p 47 -j ACCEPT

/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST 1723 -d $UNIVERSE
/sbin/ipchains -A output -p 47 -j ACCEPT

# PPTP: need to allow all incoming traffic on PPTPIF
/sbin/ipchains -A input -i $PPTPIF -s $PPTPLAN -d $INTLAN -j ACCEPT

# PPTP: need to allow all outgoing traffic on PPTPIF
/sbin/ipchains -A output -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT

# Enable TCP/IP forwarding between the PPTP network and the Internal LAN
/sbin/ipchains -A forward -i $INTIF -s $PPTPLAN -d $INTLAN -j ACCEPT
/sbin/ipchains -A forward -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT

# DHCP traffic
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps

# ICMP traffic (ping)
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p icmp -s $UNIVERSE -d $EXTIP

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Damon Brinkley
Sent: Monday, October 22, 2001 10:19 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Iptables rules help

I have POPTOP setup and working great but I'm having troubles with iptables. If I open all ports then I can connect fine with a client. But if I open only ports 1723 and protocol (47)GRE I can't connect. Then client gives me an Error: 678 The remote computer did not respond within a reasonable amount of time. I'm not sure why this is happening but I would like to close everything but the PPTP ports since that is its sole purpose.
Anyone have any rules that work great for you? Any help would be greatly appreciated.

Damon Brinkley

From RLDITTO at BRIGHT.NET Tue Oct 23 07:57:36 2001
From: RLDITTO at BRIGHT.NET (JOE)
Date: Tue, 23 Oct 2001 08:57:36 -0400
Subject: [pptp-server] Fw: speed
Message-ID: <005501c15bc2$4a75c620$3c00a8c0@backdog>

how do i check for packet loss? and is there a way to reduce or eliminate it? i also tried increasing the baud rate in the pptpd.conf file but that didn't seem to affect anything. thank you

From berzerke at swbell.net Tue Oct 23 09:19:15 2001
From: berzerke at swbell.net (robert)
Date: Tue, 23 Oct 2001 09:19:15 -0500
Subject: [pptp-server] Iptables rules help
In-Reply-To: <00ae01c15b84$50b08180$01ba10ac@Jeff>
References: <00ae01c15b84$50b08180$01ba10ac@Jeff>
Message-ID: <0GLN00D95X42DV@mta5.rcsntx.swbell.net>

A more complete, but pptpd enabled sample firewall (iptables) is at http://home.swbell.net/berzerke

On Tuesday 23 October 2001 12:33 am, Jeff Shanholtz wrote:
> That's where examining your firewall's logs is invaluable. That's how I
> figured out the bare minimum required to get my vpn client through my
> firewall. I'm still using ipchains, but you can probably figure out what
> to do with iptables by looking at my rules.
>
> BTW, my firewall and my pptp server run on the same machine.
>
> One more thing... you might be able to get by without some of the rules,
> but it is close to bare minimum. I'm almost certain about all the rules
> except perhaps the ICMP and DHCP rules.
> I recommend you start with what
> I have to get it working and try removing those if you want and see if
> anything breaks.
>
> # IP network address of the PPTP network
> PPTPLAN="192.168.0.245/32"
> PPTPIF="ppp+"
>
> # IP network address of the internal network
> INTLAN="192.168.0.0/24"
> INTIF="eth0"
>
> EXTIF="eth1"
>
> UNIVERSE="0.0.0.0/0"
>
> BROADCAST="255.255.255.255"
>
> SECUREHOST=<use UNIVERSE instead if you want it wide open>
>
> # PPTP traffic
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP 1723
> /sbin/ipchains -A input -p 47 -j ACCEPT
>
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST 1723 -d $UNIVERSE
> /sbin/ipchains -A output -p 47 -j ACCEPT
>
> # PPTP: need to allow all incoming traffic on PPTPIF
> /sbin/ipchains -A input -i $PPTPIF -s $PPTPLAN -d $INTLAN -j ACCEPT
>
> # PPTP: need to allow all outgoing traffic on PPTPIF
> /sbin/ipchains -A output -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT
>
> # Enable TCP/IP forwarding between the PPTP network and the Internal LAN
> /sbin/ipchains -A forward -i $INTIF -s $PPTPLAN -d $INTLAN -j ACCEPT
> /sbin/ipchains -A forward -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT
>
> # DHCP traffic
> /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
> /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
>
> # ICMP traffic (ping)
> /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p icmp -s $UNIVERSE -d $EXTIP
>
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Damon Brinkley
> Sent: Monday, October 22, 2001 10:19 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Iptables rules help
>
>
> I have POPTOP setup and working great but I'm having troubles with
> iptables. If I open all ports then I can connect fine with a client.
> But if I open only ports 1723 and protocol (47)GRE I can't connect. Then client gives
> me an Error: 678 The remote computer did not respond within a reasonable amount
> of time. I'm not sure why this is happening but I would like to close
> everything but the PPTP ports since that is its sole purpose. Anyone have
> any rules that work great for you? Any help would be greatly appreciated.
>
> Damon Brinkley

From bridget at e-smith.com Tue Oct 23 11:39:20 2001
From: bridget at e-smith.com (Bridget Grounds)
Date: Tue, 23 Oct 2001 12:39:20 -0400 (EDT)
Subject: [pptp-server] Fw: speed
In-Reply-To: <005501c15bc2$4a75c620$3c00a8c0@backdog>
Message-ID:

On Tue, 23 Oct 2001, JOE wrote:

> how do i check for packet loss?

Ping.

> and is there a way to reduce or eliminate it?

Revamp the Internet :-)

-- Charlie

From leo at maximsoftware.com Tue Oct 23 11:55:45 2001
From: leo at maximsoftware.com (Leo Torio)
Date: Tue, 23 Oct 2001 11:55:45 -0500
Subject: [pptp-server] Martian packets and NetBIOS problems
Message-ID: <000001c15be3$8f5f3610$9900a8c0@leo>

I've been trying to setup pptpd without success. So far, I am able to connect to the VPN server. However, I cannot ping anything on the LAN or the server. The server, however, seems to be able to ping the client. I disabled my firewall (just in case), but I get the same results.
I view my logs and I find that after the VPN connection is established, martian packets are logged. Here is a sample of my logs:

Oct 23 11:33:50 neptune pptpd[16040]: CTRL: Client 149.99.222.31 control connection started
Oct 23 11:33:51 neptune pptpd[16040]: CTRL: Starting call (launching pppd, opening GRE)
Oct 23 11:33:51 neptune pppd[16041]: pppd 2.4.0 started by root, uid 0
Oct 23 11:33:51 neptune pppd[16041]: Using interface ppp1
Oct 23 11:33:51 neptune pppd[16041]: Connect: ppp1 <--> /dev/pts/3
Oct 23 11:33:51 neptune pptpd[16040]: GRE: Bad checksum from pppd.
Oct 23 11:33:51 neptune pptpd[16040]: GRE: Discarding duplicate packet
Oct 23 11:33:53 neptune pptpd[16040]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 23 11:33:53 neptune kernel: PPP BSD Compression module registered
Oct 23 11:33:53 neptune kernel: PPP MPPE compression module registered
Oct 23 11:33:54 neptune kernel: PPP Deflate Compression module registered
Oct 23 11:33:54 neptune pppd[16041]: MSCHAP-v2 peer authentication succeeded for leo
Oct 23 11:33:54 neptune pppd[16041]: found interface eth1 for proxy arp
Oct 23 11:33:54 neptune pppd[16041]: local IP address 192.168.1.51
Oct 23 11:33:54 neptune pppd[16041]: remote IP address 192.168.1.51
Oct 23 11:33:54 neptune pppd[16041]: MPPE 128 bit, stateless compression enabled
Oct 23 11:33:54 neptune kernel: NET: 1 messages suppressed.
Oct 23 11:33:54 neptune kernel: martian source 255.255.255.255 from 192.168.1.51, on dev ppp1
Oct 23 11:33:54 neptune kernel: ll header: 45:00:00:60:89:b2:00:00
Oct 23 11:33:55 neptune kernel: martian source 255.255.255.255 from 192.168.1.51, on dev ppp1
Oct 23 11:33:55 neptune kernel: ll header: 45:00:00:60:89:b4:00:00
Oct 23 11:34:23 neptune pppd[16041]: LCP terminated by peer (2M-qCM-X^@

From: Marek Butas
Subject: [pptp-server] Connectring is slow
Message-ID: <238.56846-32287-1947283389-1003907153@seznam.cz>

Hello,

I have this problem. Whenever I try from my Windows client this ...

net use z: \\10.0.0.7\dev

it waits for about one minute, then it connects to that computer without any problems. But this one minute is strange.
This Windows client is sitting very close to the vpn server. First I thought this could be some problem with the protocol negotiating, but now I'm not so sure. Can anybody help me?

Regards
Marek Butas

From berzerke at swbell.net Wed Oct 24 07:51:05 2001
From: berzerke at swbell.net (robert)
Date: Wed, 24 Oct 2001 07:51:05 -0500
Subject: [pptp-server] Connectring is slow
In-Reply-To: <238.56846-32287-1947283389-1003907153@seznam.cz>
References: <238.56846-32287-1947283389-1003907153@seznam.cz>
Message-ID: <0GLP008DUNOTO2@mta5.rcsntx.swbell.net>

One explanation is time outs. Windows is stupid. Even though you and I can see quite clearly that 10.0.0.7 is an ip address and not a hostname, Windows can't. So, it first tries to resolve the name "10.0.0.7". Depending on your setup, it may try to contact a wins server, then if that doesn't resolve the name, Windows will try to use a broadcast to locate the "name". Eventually, that times out, and THEN it tries it as an ip address, which succeeds.

On Wednesday 24 October 2001 02:05 am, Marek Butas wrote:
> Hello,
>
> I have this problem. Whenever I try from my Windows client this ...
>
> net use z: \\10.0.0.7\dev
>
> it waits for about one minute, then it connects to that computer
> without any problems. But this one minute is strange. This Windows
> client is sitting very close to the vpn server. First I thought this
> could be some problem with the protocol negotiating, but now I'm not
> so sure. Can anybody help me?
>
> Regards
>
> Marek Butas

From magnus at vonkoeller.de Wed Oct 24 08:33:25 2001
From: magnus at vonkoeller.de (Magnus von Koeller)
Date: Wed, 24 Oct 2001 15:33:25 +0200
Subject: [pptp-server] Linux clients can't connect after server kernel update from 2.4.2 to 2.4.12-ac5
Message-ID: <20011024132838.1BE1ED1421@poontang.schulte.org>

Hi,

after updating my linux pptp server / router to Kernel 2.4.12-ac5 from 2.4.2 none of the Linux clients could connect. All I got was this on the server:

Oct 23 20:09:48 localhost pptpd[5063]: GRE: read error: Bad file descriptor
Oct 23 20:09:48 localhost pptpd[5063]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Oct 23 20:09:48 localhost pptpd[5063]: CTRL: Client 10.1.12.4 control connection finished

The client pretty much just failed silently. Windows clients, OTOH, work without any problems.

Does anybody have an idea for me?

Thanks ...
--
-M

------- Magnus von Koeller ------
Georg-Westermann-Allee 76 / 38104 Braunschweig / Germany
Phone: +49-(0)531/2094886 Mobile: +49-(0)179/4562940

lp1 on fire
(One of the more obfuscated kernel messages)

From martin at tuatha.org Wed Oct 24 08:43:43 2001
From: martin at tuatha.org (Martin Feeney)
Date: Wed, 24 Oct 2001 14:43:43 +0100
Subject: [pptp-server] Linux clients can't connect after server kernel update from 2.4.2 to 2.4.12-ac5
In-Reply-To: <20011024132838.1BE1ED1421@poontang.schulte.org>; from magnus@vonkoeller.de on Wed, Oct 24, 2001 at 14:33:25 +0100
References: <20011024132838.1BE1ED1421@poontang.schulte.org>
Message-ID: <20011024144343.A23054@greenspot.nwcgroup.com>

On Wed, 24 Oct 2001 14:33:25 Magnus von Koeller wrote:
> after updating my linux pptp server / router to Kernel 2.4.12-ac5 from 2.4.2
> none of the Linux clients could connect. All I got was this on the server:

I had exactly the same problem almost two months ago. The last kernel version that works for me is 2.4.7.

I suspect it's some sort of subtle timing issue, but who knows?

What Linux distribution are you using? I'm using Debian Sid.

Martin.

From leo at maximsoftware.com Wed Oct 24 10:01:12 2001
From: leo at maximsoftware.com (Leo Torio)
Date: Wed, 24 Oct 2001 10:01:12 -0500
Subject: [pptp-server] Martian packets and NetBIOS problems
In-Reply-To:
Message-ID: <000001c15c9c$b95c92f0$9900a8c0@leo>

Matt:

Hi. Thanks for replying.

Here's what I'm using:
Client: Win2K Pro (using default VPN settings)
Server: Red Hat Linux 7.1 (with a stock 2.4.2-2 kernel) running a modified ppp (ppp-mppe-2.4.0-4 from http://pptpclient.sourceforge.net/) and pptp 1.0.1. All were installed via RPM.
When you ask if I'm patched for 128-bit encryption, do you mean the client or the server? If it's the client, then yes. Win2K is already patched for 128-bit encryption. If you mean the server, I'm guessing it is.

About pinging with encryption disabled, do I disable it on the server or the client? If you mean the client, I can't. Win2K defaults to using the highest encryption available on the server and there is no option to lower it (maybe I just can't find it).

Here is the most recent log I've made using suggestions from other users:

Oct 24 09:44:55 neptune ipchains: Flushing all chains: succeeded
Oct 24 09:44:55 neptune ipchains: Removing user defined chains: succeeded
Oct 24 09:44:55 neptune ipchains: Resetting built-in chains to the default ACCEPT policy succeeded
Oct 24 09:45:20 neptune pptpd[17964]: CTRL: Client 149.99.98.43 control connection started
Oct 24 09:45:20 neptune pptpd[17964]: CTRL: Starting call (launching pppd, opening GRE)
Oct 24 09:45:20 neptune pppd[17965]: pppd 2.4.0 started by root, uid 0
Oct 24 09:45:20 neptune pppd[17965]: Using interface ppp1
Oct 24 09:45:20 neptune pppd[17965]: Connect: ppp1 <--> /dev/pts/5
Oct 24 09:45:20 neptune pptpd[17964]: GRE: Bad checksum from pppd.
Oct 24 09:45:20 neptune pptpd[17964]: GRE: Discarding duplicate packet
Oct 24 09:45:23 neptune pptpd[17964]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 24 09:45:23 neptune pppd[17965]: MSCHAP-v2 peer authentication succeeded for leo
Oct 24 09:45:23 neptune pppd[17965]: found interface eth1 for proxy arp
Oct 24 09:45:23 neptune pppd[17965]: local IP address 192.168.1.51
Oct 24 09:45:23 neptune pppd[17965]: remote IP address 192.168.1.86
Oct 24 09:45:23 neptune pppd[17965]: MPPE 128 bit, stateless compression enabled
Oct 24 09:50:43 neptune pppd[17965]: LCP terminated by peer (^CM--/M-E^@

From: Leo Torio
Subject: [pptp-server] Martian packets and NetBIOS problems
Message-ID: <000101c15c9c$fdd01290$9900a8c0@leo>

Jerry:

Thanks for replying. I did what you said and the martian packets are gone, but now I have another problem.
I still can't ping anything from the client. It doesn't seem to route properly. No firewall. Can't ping 192.168.1.1 or anything behind the gateway.

Thanks.

Leo

-----Original Message-----
From: Jerry Vonau [mailto:jvonau at home.com]
Sent: Tuesday, October 23, 2001 10:01 PM
To: Leo Torio
Subject: Re: [pptp-server] Martian packets and NetBIOS problems

Leo:

This may be the problem:

>Oct 23 11:33:54 neptune pppd[16041]: local IP address 192.168.1.51
>Oct 23 11:33:54 neptune pppd[16041]: remote IP address 192.168.1.51

They should not be the same; change the local or remote in your /etc/pptpd.conf and restart it.

Jerry Vonau

From leo at maximsoftware.com Wed Oct 24 10:41:10 2001
From: leo at maximsoftware.com (Leo Torio)
Date: Wed, 24 Oct 2001 10:41:10 -0500
Subject: [pptp-server] Martian packets and NetBIOS problems
In-Reply-To:
Message-ID: <000201c15ca2$4ea81460$9900a8c0@leo>

OK. This is a follow up to my last couple of posts. I've disabled data encryption on the server, as well as disabled my firewall. The client can now connect and "see" the other machines on my mini-network, but my client cannot access any of them. It keeps saying "the network name was not found". I'd like to be able to re-enable data encryption. Does anyone know what could be wrong?

Also, I've been looking for a good set of ipchains rules that will allow the VPN connection and NetBIOS to work properly. I don't think my set is adequate enough. Does anyone have any guidelines I need to follow to write a proper set?

Thanks very much to everyone that helps and replies.

Leo

From mattgav at tempo.com.au Wed Oct 24 17:47:32 2001
From: mattgav at tempo.com.au (Matt Gavin)
Date: Thu, 25 Oct 2001 08:47:32 +1000
Subject: [pptp-server] Martian packets and NetBIOS problems
In-Reply-To: <000201c15ca2$4ea81460$9900a8c0@leo>
Message-ID:

You need to patch your PoPToP VPN server to allow 128 Bit encryption. I only have 40 Bit encryption enabled on my server at the moment; have not had time to look at 128 Bit.
You can get the patch and documentation from http://poptop.lineo.com

You should be able to connect with the Windows 2000 client with 40 Bit encryption enabled.

If you are running Samba on your "Mini network" then accessing shared folders is another issue. I don't do this myself, but again there are Docs on allowing SMB through the PoPToP at the PoPToP site as above.

As for Ipchains, someone posted this earlier in the week:

# IP network address of the PPTP network
PPTPLAN="192.168.0.245/32"
PPTPIF="ppp+"

# IP network address of the internal network
INTLAN="192.168.0.0/24"
INTIF="eth0"

EXTIF="eth1"

UNIVERSE="0.0.0.0/0"

BROADCAST="255.255.255.255"

SECUREHOST=<use UNIVERSE instead if you want it wide open>

# PPTP traffic
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP 1723
/sbin/ipchains -A input -p 47 -j ACCEPT

/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST 1723 -d $UNIVERSE
/sbin/ipchains -A output -p 47 -j ACCEPT

# PPTP: need to allow all incoming traffic on PPTPIF
/sbin/ipchains -A input -i $PPTPIF -s $PPTPLAN -d $INTLAN -j ACCEPT

# PPTP: need to allow all outgoing traffic on PPTPIF
/sbin/ipchains -A output -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT

# Enable TCP/IP forwarding between the PPTP network and the Internal LAN
/sbin/ipchains -A forward -i $INTIF -s $PPTPLAN -d $INTLAN -j ACCEPT
/sbin/ipchains -A forward -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT

# DHCP traffic
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps

# ICMP traffic (ping)
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p icmp -s $UNIVERSE -d $EXTIP

Matt Gavin
Tempo Services Limited
~~~~~~~~~~~~~~~~~~~~~~

From berzerke at swbell.net Wed Oct 24 19:10:00 2001
From: berzerke at swbell.net (robert)
Date: Wed, 24 Oct 2001 19:10:00 -0500
Subject: [pptp-server] Linux clients can't connect after server kernel update from 2.4.2 to 2.4.12-ac5
In-Reply-To:
<20011024144343.A23054@greenspot.nwcgroup.com> References: <20011024132838.1BE1ED1421@poontang.schulte.org> <20011024144343.A23054@greenspot.nwcgroup.com> Message-ID: <0GLQ00JCNJ484O@mta4.rcsntx.swbell.net> I've had success with 2.4.8. On Wednesday 24 October 2001 08:43 am, Martin Feeney wrote: > On Wed, 24 Oct 2001 14:33:25 Magnus von Koeller wrote: > > after updating my linux pptp server / router to Kernel 2.4.12-ac5 from > > 2.4.2 none of the Linux clients could connect. All I got was this on the > > server: > > I had exactly the same problem almost two months ago. The last kernel > version that works for me is 2.4.7. > > I suspect it's some sort of subtle timing issue, but who knows? > > What Linux distribution are you using? I'm using Debian Sid. > > Martin. > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- From jsubs at shanholtz.com Wed Oct 24 23:25:28 2001 From: jsubs at shanholtz.com (Jeff Shanholtz) Date: Wed, 24 Oct 2001 21:25:28 -0700 Subject: [pptp-server] frequent ppp disconnects Message-ID: <00f501c15d0d$14182810$01ba10ac@Jeff> My vpn client is frequently disconnecting. It can happen as often as every few minutes, but usually it takes more like 15 or 20 minutes. Once I was able to stay connected for 3-4 hours before the disconnection, but that is the only time I've been able to maintain a relatively long connection. I'm using 1.1.2 and pppd 2.4.1 on RH 7.1. I haven't installed any of the patches. Other than the frequent disconnects, networking works great. How does one track down such a problem? Does anyone know the solution? Does anyone think it would (or wouldn't) be worth going back to the "stable" build of poptop? 
Here's a few lines from /var/log/messages: Oct 24 14:10:20 shane pptpd[6771]: Buffering out-of-order packet; got 67888 after 67885 Oct 24 14:10:20 shane pptpd[6771]: Buffering out-of-order packet; got 67889 after 67885 Oct 24 14:10:20 shane pptpd[6771]: Buffering out-of-order packet; got 67890 after 67885 Oct 24 14:10:20 shane pptpd[6771]: Gave up waiting for 2 lost packets beginning with 67886 Oct 24 14:10:52 shane pppd[6772]: No response to 3 echo-requests Oct 24 14:10:52 shane pppd[6772]: Serial link appears to be disconnected. Oct 24 14:10:58 shane pppd[6772]: Connection terminated. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Joe at Polcari.com Wed Oct 24 23:55:40 2001 From: Joe at Polcari.com (Joe Polcari) Date: Thu, 25 Oct 2001 00:55:40 -0400 Subject: [pptp-server] Martian packets and NetBIOS problems References: <000001c15c9c$b95c92f0$9900a8c0@leo> Message-ID: <3BD79B4C.2557B30E@Polcari.com> Your problem seems to start with the initial connection from pptp to pppd using GRE. Maybe an encryption mismatch. Is an SSL upgrade possibly required for what you did? Leo Torio wrote: > Matt: > > Hi. Thanks for replying. > > Here's what I'm using: > Client: Win2K Pro (using default VPN settings) > Server: Red Hat Linx 7.1 (with a stock 2.4.2-2 kernel) running a modified > ppp (ppp-mppe-2.4.0-4 from http://pptpclient.sourceforge.net/) and pptp > 1.0.1. All were installed via RPM. > > When you ask if I'm patched for 128-bit encryption, you mean the client or > the server? If it's the client, then yes. Win2K is already patched for > 128-bit encryption. If you mean the server, I'm guess it is. > > About pinging with encryption disabled, do I disable it on the server or the > client. If you mean the client, I can't. Win2K defaults to using the highest > encryption available on the server and there is no option to lower it (maybe > I just can't find it). 
> > Here is the most recent log I've made using suggestions from other users: > > Oct 24 09:44:55 neptune ipchains: Flushing all chains: succeeded > Oct 24 09:44:55 neptune ipchains: Removing user defined chains: succeeded > Oct 24 09:44:55 neptune ipchains: Resetting built-in chains to the default > ACCEPT policy succeeded > Oct 24 09:45:20 neptune pptpd[17964]: CTRL: Client 149.99.98.43 control > connection started > Oct 24 09:45:20 neptune pptpd[17964]: CTRL: Starting call (launching pppd, > opening GRE) > Oct 24 09:45:20 neptune pppd[17965]: pppd 2.4.0 started by root, uid 0 > Oct 24 09:45:20 neptune pppd[17965]: Using interface ppp1 > Oct 24 09:45:20 neptune pppd[17965]: Connect: ppp1 <--> /dev/pts/5 > Oct 24 09:45:20 neptune pptpd[17964]: GRE: Bad checksum from pppd. > Oct 24 09:45:20 neptune pptpd[17964]: GRE: Discarding duplicate packet > Oct 24 09:45:23 neptune pptpd[17964]: CTRL: Ignored a SET LINK INFO packet > with real ACCMs! > Oct 24 09:45:23 neptune pppd[17965]: MSCHAP-v2 peer authentication succeeded > for leo > Oct 24 09:45:23 neptune pppd[17965]: found interface eth1 for proxy arp > Oct 24 09:45:23 neptune pppd[17965]: local IP address 192.168.1.51 > Oct 24 09:45:23 neptune pppd[17965]: remote IP address 192.168.1.86 > Oct 24 09:45:23 neptune pppd[17965]: MPPE 128 bit, stateless compression > enabled > Oct 24 09:50:43 neptune pppd[17965]: LCP terminated by peer > (^CM--/M-E^@ Oct 24 09:50:43 neptune pppd[17965]: Modem hangup > Oct 24 09:50:43 neptune pppd[17965]: Connection terminated. > Oct 24 09:50:43 neptune pppd[17965]: Connect time 5.4 minutes. > Oct 24 09:50:43 neptune pppd[17965]: Sent 9285 bytes, received 21089 bytes. > Oct 24 09:50:43 neptune pptpd[17964]: CTRL: Error with select(), quitting > Oct 24 09:50:43 neptune pptpd[17964]: CTRL: Client 149.99.98.43 control > connection finished > Oct 24 09:50:43 neptune pppd[17965]: Exit. > > I don't get the martian packets anymore (others told me to change the remote > and local IP addresses). 
I did that before and got the same result. I did it > again and now the packets are gone. > > My problem now is that I can't ping anything from the client. > > I try to browse the network and I get: > > WORKGROUP is not accessible. > > The list of servers for this workgroup is not currently available. > > Any thoughts? Thanks. > > Leo > > -----Original Message----- > From: Matt Gavin [mailto:mattgav at tempo.com.au] > Sent: Tuesday, October 23, 2001 5:54 PM > To: Leo Torio > Subject: RE: [pptp-server] Martian packets and NetBIOS problems > > What is the client? > What is the servers OS/Kernel/PPPD/PPTPD? > Have you patched for 128-Bit encryption? > Can you ping when Encryption is disabled? > > Matt. > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- From Joe at Polcari.com Thu Oct 25 00:01:16 2001 From: Joe at Polcari.com (Joe Polcari) Date: Thu, 25 Oct 2001 01:01:16 -0400 Subject: [pptp-server] Martian packets and NetBIOS problems References: Message-ID: <3BD79C9C.9D6924B@Polcari.com> Could someone translate this to iptables - I haven't been successful at doing so myself. 
Thanks, Joe Matt Gavin wrote: ------8<-------- > > As for Ipchains, someone posted this earlier in the week: > > # IP network address of the PPTP network > PPTPLAN="192.168.0.245/32" > PPTPIF="ppp+" > > # IP network address of the internal network > INTLAN="192.168.0.0/24" > INTIF="eth0" > > EXTIF="eth1" > > UNIVERSE="0.0.0.0/0" > > BROADCAST="255.255.255.255" > > SECUREHOST= use UNIVERSE instead if you want it wide open> > > # PPTP traffic > /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d > $EXTIP 1723 > /sbin/ipchains -A input -p 47 -j ACCEPT > > /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST 1723 > -d $UNIVERSE > /sbin/ipchains -A output -p 47 -j ACCEPT > > # PPTP: need to allow all incoming traffic on PPTPIF > /sbin/ipchains -A input -i $PPTPIF -s $PPTPLAN -d $INTLAN -j ACCEPT > > # PPTP: need to allow all outgoing traffic on PPTPIF > /sbin/ipchains -A output -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT > > # Enable TCP/IP forwarding between the PPTP network and the Internal LAN > /sbin/ipchains -A forward -i $INTIF -s $PPTPLAN -d $INTLAN -j ACCEPT > /sbin/ipchains -A forward -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT > > # DHCP traffic > /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p udp -s $UNIVERSE bootpc > -d $BROADCAST/0 bootps > /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p tcp -s $UNIVERSE bootpc > -d $BROADCAST/0 bootps > > # ICMP traffic (ping) > /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p icmp -s $UNIVERSE -d > $EXTIP -----------8<------------ From adam.brett at mail.internetseer.com Thu Oct 25 02:29:55 2001 From: adam.brett at mail.internetseer.com (adam.brett at mail.internetseer.com) Date: Thu, 25 Oct 2001 03:29:55 -0400 (EDT) Subject: [pptp-server] We are Unable to Reach your Web Page Message-ID: <6281473.1003994995599.JavaMail.promon@pm68> There appears to be a problem in reaching the following Web page from Philadelphia, Pennsylvania: 
http://lists.schulte.org/pipermail/pptp-server/2000-April/002193.html Error: Connection Refused This error is most commonly due to an Internet connection problem and does not necessarily indicate that your server is down. As recommended by the robot Guidelines, this email is to explain our research activity and to alert you about the connectivity error we encountered. InternetSeer, the world's largest web site monitoring service, does not store or publish the content of your pages, but rather uses the information to update our ongoing Web Connectivity Study. To learn more about our study results or to request InternetSeer to continue monitoring your Web site in this way, visit: http://scclick.internetseer.com/sitecheck/clickthrough.jsp?I5s57d5e5n5k5d5n52R5sNyTA8fc5aWVzJVz5vSLWxx5dz_QPCTV5bwwM55P5qQxPz5m5c5eSLWxx5dz_QPCTV5bwwM5eNLzVzN6tLI5byzxy5czRPWRP5b5f5f5c5d5c5tyPXC5e5c5d5h5d5m5i5aXTCC55x5q5g=e3 If you find this information about the availability of your Web site useful, we would appreciate your feedback. Should you prefer not to receive these error notices in the future please let us know by replying to this email and placing "remove" in the subject line. You will be removed from receiving further email error notices. Adam Brett Analyst Manager cs-adam.brett at mail.internetseer.com InternetSeer.com "Your Remote Web Site Monitor" http://www.internetseer.com PS. We will send you a courtesy email when we are able to reach your Web page again. ##pptp-server at lists.schulte.org## -------------- next part -------------- An HTML attachment was scrubbed... 
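Joe Polcari asks above for an iptables version of the ipchains ruleset that Matt Gavin reposted. The script that follows is an added example written for this archive; it is not code posted to the list, shipped with PoPToP, or taken from the sample firewall robert links in his reply. It keeps the post's variable names and addresses, uses a documentation-range placeholder for EXTIP (which the post never defines), and defaults to a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example: netfilter/iptables (2.4 kernel) equivalent of the ipchains
# ruleset reposted on the list. Variable names and addresses are copied from
# that post; EXTIP is a placeholder because the post never defined it.

PPTPLAN="192.168.0.245/32"          # address handed to the PPTP client
PPTPIF="ppp+"                       # any ppp interface pptpd brings up
INTLAN="192.168.0.0/24"             # internal LAN
INTIF="eth0"
EXTIF="eth1"
EXTIP="${EXTIP:-203.0.113.10}"      # PLACEHOLDER public address (RFC 5737 range)
SECUREHOST="${SECUREHOST:-0.0.0.0/0}"   # narrow this to known peers if you can

# IPT defaults to a dry run, so the rules can be reviewed before they are applied:
#   sh pptp-iptables.sh                       -> prints the rules
#   IPT=/sbin/iptables sh pptp-iptables.sh    -> installs them (run as root)
IPT="${IPT:-echo /sbin/iptables}"

pptp_rules() {
    # Control channel: TCP 1723 from SECUREHOST to our external address.
    # The reply rule has the server's address as source, which is what packets
    # leaving the box look like (the ipchains original had -s $SECUREHOST 1723
    # on its output chain, i.e. the endpoints reversed).
    $IPT -A INPUT  -i "$EXTIF" -p tcp -s "$SECUREHOST" -d "$EXTIP" --dport 1723 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -p tcp -s "$EXTIP" --sport 1723 -d "$SECUREHOST" -j ACCEPT

    # Data channel: GRE (IP protocol 47). The ipchains version accepted GRE on
    # every interface; pinning it to EXTIF keeps the surface to the one that
    # actually carries PPTP.
    $IPT -A INPUT  -i "$EXTIF" -p gre -s "$SECUREHOST" -d "$EXTIP" -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -p gre -s "$EXTIP" -d "$SECUREHOST" -j ACCEPT

    # Decapsulated traffic on the ppp interfaces, between tunnel and LAN addresses.
    $IPT -A INPUT  -i "$PPTPIF" -s "$PPTPLAN" -d "$INTLAN" -j ACCEPT
    $IPT -A OUTPUT -o "$PPTPIF" -s "$INTLAN" -d "$PPTPLAN" -j ACCEPT

    # Forwarding between the tunnel and the internal LAN. In iptables -i is the
    # input interface and -o the output interface, so both directions are
    # written out explicitly instead of ipchains' single-interface match.
    $IPT -A FORWARD -i "$PPTPIF" -o "$INTIF"  -s "$PPTPLAN" -d "$INTLAN" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF"  -o "$PPTPIF" -s "$INTLAN" -d "$PPTPLAN" -j ACCEPT

    # DHCP over the tunnel: bootpc (68) -> bootps (67). DHCP is UDP only, so the
    # original's matching TCP rule is dropped.
    $IPT -A INPUT -i "$PPTPIF" -p udp --sport 68 --dport 67 -j ACCEPT

    # ICMP (ping) from tunnel clients to the server's address.
    $IPT -A INPUT -i "$PPTPIF" -p icmp -d "$EXTIP" -j ACCEPT
}

# Number of rules the set emits; in dry-run mode every rule is one printed line.
rule_count() {
    pptp_rules | grep -c '^/sbin/iptables'
}

pptp_rules
```

Run it as-is to review the output, then with `IPT=/sbin/iptables` as root to install it. Leave SECUREHOST at the wide-open default only when the client addresses really cannot be enumerated, which is the same trade-off the original poster's note about UNIVERSE describes.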
URL: From berzerke at swbell.net Thu Oct 25 09:00:56 2001 From: berzerke at swbell.net (robert) Date: Thu, 25 Oct 2001 09:00:56 -0500 Subject: [pptp-server] Martian packets and NetBIOS problems In-Reply-To: <3BD79C9C.9D6924B@Polcari.com> References: <3BD79C9C.9D6924B@Polcari.com> Message-ID: <0GLR004A7LL14L@mta5.rcsntx.swbell.net> There is a pptpd enabled sample iptables firewall at http://home.swbell.net/berzerke On Thursday 25 October 2001 12:01 am, Joe Polcari wrote: > Could someone translate this to iptables - I haven't been successful at > doing so myself. > > Thanks, Joe > > Matt Gavin wrote: > > ------8<-------- > > > As for Ipchains, someone posted this earlier in the week: > > > > # IP network address of the PPTP network > > PPTPLAN="192.168.0.245/32" > > PPTPIF="ppp+" > > > > # IP network address of the internal network > > INTLAN="192.168.0.0/24" > > INTIF="eth0" > > > > EXTIF="eth1" > > > > UNIVERSE="0.0.0.0/0" > > > > BROADCAST="255.255.255.255" > > > > SECUREHOST= > use UNIVERSE instead if you want it wide open> > > > > # PPTP traffic > > /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d > > $EXTIP 1723 > > /sbin/ipchains -A input -p 47 -j ACCEPT > > > > /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST 1723 > > -d $UNIVERSE > > /sbin/ipchains -A output -p 47 -j ACCEPT > > > > # PPTP: need to allow all incoming traffic on PPTPIF > > /sbin/ipchains -A input -i $PPTPIF -s $PPTPLAN -d $INTLAN -j ACCEPT > > > > # PPTP: need to allow all outgoing traffic on PPTPIF > > /sbin/ipchains -A output -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT > > > > # Enable TCP/IP forwarding between the PPTP network and the Internal LAN > > /sbin/ipchains -A forward -i $INTIF -s $PPTPLAN -d $INTLAN -j ACCEPT > > /sbin/ipchains -A forward -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT > > > > # DHCP traffic > > /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p udp -s $UNIVERSE bootpc > > -d $BROADCAST/0 bootps > > /sbin/ipchains -A input -j ACCEPT 
-i $PPTPIF -p tcp -s $UNIVERSE bootpc > > -d $BROADCAST/0 bootps > > > > # ICMP traffic (ping) > > /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p icmp -s $UNIVERSE -d > > $EXTIP > > -----------8<------------ > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- From magnus at vonkoeller.de Thu Oct 25 09:31:56 2001 From: magnus at vonkoeller.de (Magnus von Koeller) Date: Thu, 25 Oct 2001 16:31:56 +0200 Subject: [pptp-server] Linux clients can't connect after server kernel update from 2.4.2 to 2.4.12-ac5 In-Reply-To: <0GLQ00JCNJ484O@mta4.rcsntx.swbell.net> References: <20011024132838.1BE1ED1421@poontang.schulte.org> <20011024144343.A23054@greenspot.nwcgroup.com> <0GLQ00JCNJ484O@mta4.rcsntx.swbell.net> Message-ID: <200110251631.36438@vonkoeller.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can anybody else tell me which kernels they run successfully? - -- - -M - ------- Magnus von Koeller ------ Georg-Westermann-Allee 76 / 38104 Braunschweig / Germany Phone: +49-(0)531/2094886 Mobile: +49-(0)179/4562940 lp1 on fire (One of the more obfuscated kernel messages) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE72CJfUIvM6e6BgFARAkatAKCKTeNV3eQpgT4C71i+B4IEAqHpgQCgz1iV LfckVhR97FGe0Fkr48pS3q8= =qrTp -----END PGP SIGNATURE----- From forever at klub.chip.pl Thu Oct 25 09:49:47 2001 From: forever at klub.chip.pl (ForeveR) Date: Thu, 25 Oct 2001 16:49:47 +0200 Subject: [pptp-server] MSCHAP/MPPE patch Message-ID: <3BD8268B.80405@klub.chip.pl> I'v got following problem: I tried to run the pppd 2.3.11 on linux redhat 7.1 and I was not successfull, It compiled, but instead of working it just hanged. It is wor4king correctly on linux 7.0. WHat is the problem is there any patch against pppd v. 2.4 ???? Or how to make run the ver. 
2.3.11 with linux 7.1 (even not patched hangs) -- _4ever_ From paul at bsdc.ca Thu Oct 25 10:07:41 2001 From: paul at bsdc.ca (Paul Reed) Date: Thu, 25 Oct 2001 11:07:41 -0400 Subject: [pptp-server] Linux clients can't connect after server kernel update from 2.4.2 to 2.4.12-ac5 References: <20011024132838.1BE1ED1421@poontang.schulte.org> <20011024144343.A23054@greenspot.nwcgroup.com> <0GLQ00JCNJ484O@mta4.rcsntx.swbell.net> <200110251631.36438@vonkoeller.de> Message-ID: <001f01c15d66$cb19d640$1e6ea8c0@omega> Success with 2.4.4, 2.4.9 and 2.4.10, all openssl 0.9.6a-mppe patched. ... ppp-2.4.1 openssl-0.9.6-mppe patched. Hope this helps .. Paul Reed Systems Administrator Black Sheep Digital Corp. ----- Original Message ----- From: "Magnus von Koeller" To: Sent: Thursday, October 25, 2001 10:31 AM Subject: Re: [pptp-server] Linux clients can't connect after server kernel update from 2.4.2 to 2.4.12-ac5 > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Can anybody else tell me which kernels they run successfully? > > - -- > - -M > > - ------- Magnus von Koeller ------ > Georg-Westermann-Allee 76 / 38104 Braunschweig / Germany > Phone: +49-(0)531/2094886 Mobile: +49-(0)179/4562940 > > lp1 on fire (One of the more obfuscated kernel messages) > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iD8DBQE72CJfUIvM6e6BgFARAkatAKCKTeNV3eQpgT4C71i+B4IEAqHpgQCgz1iV > LfckVhR97FGe0Fkr48pS3q8= > =qrTp > -----END PGP SIGNATURE----- > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. 
-- From leo at maximsoftware.com Thu Oct 25 10:21:18 2001 From: leo at maximsoftware.com (Leo Torio) Date: Thu, 25 Oct 2001 10:21:18 -0500 Subject: [pptp-server] Martian packets and NetBIOS problems In-Reply-To: <3BD79B4C.2557B30E@Polcari.com> Message-ID: <001601c15d68$b2881810$9900a8c0@leo> I was told to lower the encryption to 40-bit and it seems to work. I can browse the network and ping machines by IP address, but I can't ping machines by machine name. I also can't access any machines (even though I see them in Network Neighbourhood). I'm still trying to fix my firewall and I'm re-compiling PPP with the 128-bit encryption patch. I'm doing that as I write this. Thanks. -----Original Message----- From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Joe Polcari Sent: Wednesday, October 24, 2001 11:56 PM To: pptp-server at lists.schulte.org Subject: Re: [pptp-server] Martian packets and NetBIOS problems Your problem seems to start with the initial connection from pptp to pppd using GRE. Maybe an encryption mismatch. Is an SSL upgrade possibly required for what you did? Leo Torio wrote: > Matt: > > Hi. Thanks for replying. > > Here's what I'm using: > Client: Win2K Pro (using default VPN settings) > Server: Red Hat Linx 7.1 (with a stock 2.4.2-2 kernel) running a modified > ppp (ppp-mppe-2.4.0-4 from http://pptpclient.sourceforge.net/) and pptp > 1.0.1. All were installed via RPM. > > When you ask if I'm patched for 128-bit encryption, you mean the client or > the server? If it's the client, then yes. Win2K is already patched for > 128-bit encryption. If you mean the server, I'm guess it is. > > About pinging with encryption disabled, do I disable it on the server or the > client. If you mean the client, I can't. Win2K defaults to using the highest > encryption available on the server and there is no option to lower it (maybe > I just can't find it). 
> > Here is the most recent log I've made using suggestions from other users: > > Oct 24 09:44:55 neptune ipchains: Flushing all chains: succeeded > Oct 24 09:44:55 neptune ipchains: Removing user defined chains: succeeded > Oct 24 09:44:55 neptune ipchains: Resetting built-in chains to the default > ACCEPT policy succeeded > Oct 24 09:45:20 neptune pptpd[17964]: CTRL: Client 149.99.98.43 control > connection started > Oct 24 09:45:20 neptune pptpd[17964]: CTRL: Starting call (launching pppd, > opening GRE) > Oct 24 09:45:20 neptune pppd[17965]: pppd 2.4.0 started by root, uid 0 > Oct 24 09:45:20 neptune pppd[17965]: Using interface ppp1 > Oct 24 09:45:20 neptune pppd[17965]: Connect: ppp1 <--> /dev/pts/5 > Oct 24 09:45:20 neptune pptpd[17964]: GRE: Bad checksum from pppd. > Oct 24 09:45:20 neptune pptpd[17964]: GRE: Discarding duplicate packet > Oct 24 09:45:23 neptune pptpd[17964]: CTRL: Ignored a SET LINK INFO packet > with real ACCMs! > Oct 24 09:45:23 neptune pppd[17965]: MSCHAP-v2 peer authentication succeeded > for leo > Oct 24 09:45:23 neptune pppd[17965]: found interface eth1 for proxy arp > Oct 24 09:45:23 neptune pppd[17965]: local IP address 192.168.1.51 > Oct 24 09:45:23 neptune pppd[17965]: remote IP address 192.168.1.86 > Oct 24 09:45:23 neptune pppd[17965]: MPPE 128 bit, stateless compression > enabled > Oct 24 09:50:43 neptune pppd[17965]: LCP terminated by peer > (^CM--/M-E^@ Oct 24 09:50:43 neptune pppd[17965]: Modem hangup > Oct 24 09:50:43 neptune pppd[17965]: Connection terminated. > Oct 24 09:50:43 neptune pppd[17965]: Connect time 5.4 minutes. > Oct 24 09:50:43 neptune pppd[17965]: Sent 9285 bytes, received 21089 bytes. > Oct 24 09:50:43 neptune pptpd[17964]: CTRL: Error with select(), quitting > Oct 24 09:50:43 neptune pptpd[17964]: CTRL: Client 149.99.98.43 control > connection finished > Oct 24 09:50:43 neptune pppd[17965]: Exit. > > I don't get the martian packets anymore (others told me to change the remote > and local IP addresses). 
I did that before and got the same result. I did it > again and now the packets are gone. > > My problem now is that I can't ping anything from the client. > > I try to browse the network and I get: > > WORKGROUP is not accessible. > > The list of servers for this workgroup is not currently available. > > Any thoughts? Thanks. > > Leo > > -----Original Message----- > From: Matt Gavin [mailto:mattgav at tempo.com.au] > Sent: Tuesday, October 23, 2001 5:54 PM > To: Leo Torio > Subject: RE: [pptp-server] Martian packets and NetBIOS problems > > What is the client? > What is the servers OS/Kernel/PPPD/PPTPD? > Have you patched for 128-Bit encryption? > Can you ping when Encryption is disabled? > > Matt. > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- From shost at intellimec.com Thu Oct 25 10:35:31 2001 From: shost at intellimec.com (Steve Host) Date: Thu, 25 Oct 2001 11:35:31 -0400 Subject: [pptp-server] The computer you're dialing in to does not support the data encryption requirements specified. References: <3BD8268B.80405@klub.chip.pl> Message-ID: <002401c15d6c$c5858e80$5009630a@intellimec.com> I was writing to figure out why this wasn't working (encryption) and in the process i figured out my problem. Hence, this message will serve as a solution to all you who search this list and find yourself here looking for a solution: Problem: You've compiled encryption into PPPD, reloaded PPPD, compiled, installed your new modules, and all seems to be working, except that when you enable data encryption on clients (I only tested Windows clients) it doesn't work, and you get the error similar to title of this message. Why? Check your /etc/pptpd.conf. 
If you have a line: options /etc/ppp/pptpd.options and in this option file you have your PPTPD options such as nolock, +chapms, +chapmsv2, mppe-40, mppe-128, etc and you also have your /etc/ppp/options file (should be pretty empty), then there lies your problem: Remove that options /etc/ppp/pptpd.options file from your ppptpd.conf and instead, take that pptpd.options file and append it to your /etc/ppp/options. In other words, only use one options file for PPP, not two. This (for some reason unknown) fixed my problem and data encryption seems to work fine now. So this brings closure for me. Thank you very much to the PPTPD community here. I hope this adds to the wealth of knowledge this community brings. Good luck to all of you. I'll be back here first if somethign new crops up. Cheers - Steve From chris at pds2k.com Thu Oct 25 11:05:27 2001 From: chris at pds2k.com (Christopher Tarricone) Date: Thu, 25 Oct 2001 12:05:27 -0400 Subject: [pptp-server] Can connect with 128bit but need unencrypted connection first Message-ID: <01a301c15d6e$dcb17e50$021c593f@pds2k.net> To all, I have been using the archives for about three weeks and I have found answers almost all of my questions there but I cannot find this one... [ Sorry for the long post but I wanted to be as specific as possible ] I cannot connect to the pptp server unless I have a Windows 9x client connect with the following options NOT checked Log on to network Enable software compression Require Encrypted Password Require Data Encryption Once the unauthenticated user is connect all of the other connect using MSCHAP-V2 and 128bit encryption with all of the above settings on (except software compression) This is my options.pptp file name LMSI noauth crtscts lock asyncmap 0 nodetach lcp-echo-interval 45 lcp-echo-failure 4 idle 720 noipx auth lock debug +chap +chapms +chapms-v2 mppe-128 mppe-40 mppe-stateless nodeflate nobsdcomp This is the output of the connection. 
You will see the Win 95 Machine connect then the Win2k Oct 25 07:44:26 lmsi-wall pptpd[844]: CTRL: Client 63.89.28.3 control connection started Oct 25 07:44:26 lmsi-wall pptpd[844]: CTRL: Starting call (launching pppd, opening GRE) Oct 25 07:44:26 lmsi-wall pptpd[844]: GRE: Bad checksum from pppd. Oct 25 07:44:26 lmsi-wall pppd[845]: pppd 2.4.0 started by root, uid 0 Oct 25 07:44:26 lmsi-wall pppd[845]: Using interface ppp0 Oct 25 07:44:26 lmsi-wall pppd[845]: Connect: ppp0 <--> /dev/pts/2 Oct 25 07:44:26 lmsi-wall pptpd[844]: GRE: Bad checksum from pppd. Oct 25 07:44:29 lmsi-wall pppd[845]: MSCHAP-v2 peer authentication succeeded for pds2k\\ctarricone Oct 25 07:44:29 lmsi-wall pppd[845]: Protocol-Reject for unsupported protocol 0x4c6f Oct 25 07:44:29 lmsi-wall pppd[845]: Protocol-Reject for unsupported protocol 0x47 Oct 25 07:44:30 lmsi-wall last message repeated 23 times Oct 25 07:44:32 lmsi-wall pppd[845]: local IP address 172.16.48.111 Oct 25 07:44:32 lmsi-wall pppd[845]: remote IP address 172.16.48.131 Oct 25 07:44:42 lmsi-wall pptpd[863]: CTRL: Client 63.89.28.2 control connection started Oct 25 07:44:42 lmsi-wall pptpd[863]: CTRL: Starting call (launching pppd, opening GRE) Oct 25 07:44:42 lmsi-wall pptpd[863]: GRE: Discarding duplicate packet Oct 25 07:44:42 lmsi-wall pppd[864]: pppd 2.4.0 started by root, uid 0 Oct 25 07:44:42 lmsi-wall pppd[864]: Using interface ppp1 Oct 25 07:44:42 lmsi-wall pppd[864]: Connect: ppp1 <--> /dev/pts/3 Oct 25 07:44:42 lmsi-wall pptpd[863]: GRE: Bad checksum from pppd. Oct 25 07:44:44 lmsi-wall pptpd[863]: CTRL: Ignored a SET LINK INFO packet with real ACCMs! 
Oct 25 07:44:44 lmsi-wall pppd[864]: MSCHAP-v2 peer authentication succeeded for ctarricone Oct 25 07:44:44 lmsi-wall pppd[864]: Protocol-Reject for unsupported protocol 0x4c6f Oct 25 07:44:44 lmsi-wall pppd[864]: Protocol-Reject for unsupported protocol 0x47 Oct 25 07:44:45 lmsi-wall last message repeated 60 times Oct 25 07:44:45 lmsi-wall pppd[864]: local IP address 172.16.48.112 Oct 25 07:44:45 lmsi-wall pppd[864]: remote IP address 172.16.48.132 Oct 25 07:44:52 lmsi-wall pppd[864]: MPPE 128 bit, stateless compression enabled Oct 25 07:50:00 lmsi-wall CROND[884]: (root) CMD ( /sbin/rmmod -as) From charlieb at e-smith.com Thu Oct 25 11:26:24 2001 From: charlieb at e-smith.com (Charlie Brady) Date: Thu, 25 Oct 2001 12:26:24 -0400 (EDT) Subject: [pptp-server] The computer you're dialing in to does not support the data encryption requirements specified. In-Reply-To: <002401c15d6c$c5858e80$5009630a@intellimec.com> Message-ID: On Thu, 25 Oct 2001, Steve Host wrote: > Check your /etc/pptpd.conf. If you have a line: > options /etc/ppp/pptpd.options > > and in this option file you have your PPTPD options such as nolock, +chapms, > +chapmsv2, mppe-40, mppe-128, etc > and you also have your /etc/ppp/options file (should be pretty empty), then > there lies your problem: > > Remove that options /etc/ppp/pptpd.options file from your ppptpd.conf and > instead, take that pptpd.options file and append it to your > /etc/ppp/options. In other words, only use one options file for PPP, not > two. > > This (for some reason unknown) fixed my problem and data encryption seems to > work fine now. > > So this brings closure for me. For you perhaps. But that will cause problems for anyone who uses pppd for anything else, e.g. for creating a dialup link to an ISP. Requiring mppe, chapmsv2, etc for an ISP dialup link is sure to cause problems. Although this may have solved your problem, I'd advise you to seek another solution. 
-- Charlie Brady charlieb at e-smith.com Lead Product Developer Network Server Solutions Group http://www.e-smith.com/ Mitel Networks Corporation http://www.mitel.com/ Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 From shost at intellimec.com Thu Oct 25 11:39:54 2001 From: shost at intellimec.com (Steve Host) Date: Thu, 25 Oct 2001 12:39:54 -0400 Subject: [pptp-server] The computer you're dialing in to does not support the data encryption requirements specified. References: Message-ID: <003301c15d73$acba5780$5009630a@intellimec.com> Then someone suggest something. Why would loading the options from an external file in pptp.conf break encryption? ----- Original Message ----- From: "Charlie Brady" To: "Steve Host" Cc: Sent: Thursday, October 25, 2001 12:26 PM Subject: Re: [pptp-server] The computer you're dialing in to does not support the data encryption requirements specified. > > On Thu, 25 Oct 2001, Steve Host wrote: > > > Check your /etc/pptpd.conf. If you have a line: > > options /etc/ppp/pptpd.options > > > > and in this option file you have your PPTPD options such as nolock, +chapms, > > +chapmsv2, mppe-40, mppe-128, etc > > and you also have your /etc/ppp/options file (should be pretty empty), then > > there lies your problem: > > > > Remove that options /etc/ppp/pptpd.options file from your ppptpd.conf and > > instead, take that pptpd.options file and append it to your > > /etc/ppp/options. In other words, only use one options file for PPP, not > > two. > > > > This (for some reason unknown) fixed my problem and data encryption seems to > > work fine now. > > > > So this brings closure for me. > > For you perhaps. But that will cause problems for anyone who uses pppd for > anything else, e.g. for creating a dialup link to an ISP. Requiring mppe, > chapmsv2, etc for an ISP dialup link is sure to cause problems. > > Although this may have solved your problem, I'd advise you to seek another > solution. 
> > -- > > Charlie Brady charlieb at e-smith.com > Lead Product Developer > Network Server Solutions Group http://www.e-smith.com/ > Mitel Networks Corporation http://www.mitel.com/ > Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 > > From shost at intellimec.com Thu Oct 25 12:26:15 2001 From: shost at intellimec.com (Steve Host) Date: Thu, 25 Oct 2001 13:26:15 -0400 Subject: [pptp-server] The computer you're dialing in to does not support the data encryption requirements specified. References: Message-ID: <003901c15d7a$6d6f79a0$5009630a@intellimec.com> Well, adding those entries to /etc/ppp/options isn't breaking my ADSL (pppoe) Hence, for me it really has no effect. Your certain it would break regular dialup connections? (outgoing)? ----- Original Message ----- From: "Charlie Brady" To: "Steve Host" Cc: Sent: Thursday, October 25, 2001 12:26 PM Subject: Re: [pptp-server] The computer you're dialing in to does not support the data encryption requirements specified. > > On Thu, 25 Oct 2001, Steve Host wrote: > > > Check your /etc/pptpd.conf. If you have a line: > > options /etc/ppp/pptpd.options > > > > and in this option file you have your PPTPD options such as nolock, +chapms, > > +chapmsv2, mppe-40, mppe-128, etc > > and you also have your /etc/ppp/options file (should be pretty empty), then > > there lies your problem: > > > > Remove that options /etc/ppp/pptpd.options file from your ppptpd.conf and > > instead, take that pptpd.options file and append it to your > > /etc/ppp/options. In other words, only use one options file for PPP, not > > two. > > > > This (for some reason unknown) fixed my problem and data encryption seems to > > work fine now. > > > > So this brings closure for me. > > For you perhaps. But that will cause problems for anyone who uses pppd for > anything else, e.g. for creating a dialup link to an ISP. Requiring mppe, > chapmsv2, etc for an ISP dialup link is sure to cause problems. 
> > Although this may have solved your problem, I'd advise you to seek another > solution. > > -- > > Charlie Brady charlieb at e-smith.com > Lead Product Developer > Network Server Solutions Group http://www.e-smith.com/ > Mitel Networks Corporation http://www.mitel.com/ > Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739 > > > _______________________________________________ > pptp-server maillist - pptp-server at lists.schulte.org > http://lists.schulte.org/mailman/listinfo/pptp-server > --- To unsubscribe, go to the url just above this line. -- > From iso9 at phantasticant.com Thu Oct 25 12:29:25 2001 From: iso9 at phantasticant.com (Jordan Share) Date: Thu, 25 Oct 2001 10:29:25 -0700 Subject: [pptp-server] frequent ppp disconnects In-Reply-To: <00f501c15d0d$14182810$01ba10ac@Jeff> Message-ID: It looks like you are having problems with latency/packets dropping. I have a user who is all but unable to use PPTP to tunnel into our LAN because he is using Starband for his internet access. The combination of latency and packet loss seems to really screw up his connection. Sometimes it works, sometimes it doesn't. 
Anyway, the best thing I could think of to do is increase the time between echo packets, and the number of echo packets that have to fail before it drops the connection, by putting this into my ppp/options file:

lcp-echo-failure 10
lcp-echo-interval 5

From adam.brett at mail.internetseer.com Thu Oct 25 16:15:28 2001
From: adam.brett at mail.internetseer.com (adam.brett at mail.internetseer.com)
Date: Thu, 25 Oct 2001 17:15:28 -0400 (EDT)
Subject: [pptp-server] We are Now Able to Reach your Web Page
Message-ID: <954895.1004044528824.JavaMail.promon@pm68>

We are pleased to inform you that we no longer have a problem in reaching your Web page from the Philadelphia area:

http://lists.schulte.org/pipermail/pptp-server/2000-April/002193.html

As recommended by the robot Guidelines, this email is to explain our research activity and to alert you about the connectivity error we encountered. InternetSeer, the world's largest web site monitoring service, does not store or publish the content of your pages, but rather uses the information to update our ongoing Web Connectivity Study.

To learn more about our study results or request InternetSeer to continue monitoring your Web site and sending you error messages visit http://scclick.internetseer.com/sitecheck/clickthrough.jsp?I5s57d5f5j5d5j5m52R5sNyTA8ac5aWVzJVz5vSLWxx5dz_QPCTV5bwwM55P5qQxPz5m5c5eSLWxx5dz_QPCTV5bwwM5eNLzVzN6tLI5byzxy5czRPWRP5b5f5f5c5d5c5tyPXC5e5c5d5h5d5m5i5aXTCC55x5q5g=e3.

If you prefer not to receive these occasional error notices please let us know by replying to this email and placing "remove" in the subject line. You will be removed from receiving further email error notices.

Adam Brett
Analyst Manager
cs-adam.brett at mail.internetseer.com
InternetSeer.com "Your Remote Web Site Monitor"
http://www.internetseer.com

##pptp-server at lists.schulte.org##

From lhicks at nc.rr.com Thu Oct 25 21:17:18 2001
From: lhicks at nc.rr.com (C. Linus Hicks)
Date: 25 Oct 2001 22:17:18 -0400
Subject: [pptp-server] MSCHAP/MPPE patch
In-Reply-To: <3BD8268B.80405@klub.chip.pl>
References: <3BD8268B.80405@klub.chip.pl>
Message-ID: <1004062638.17515.9.camel@lh2>

On 25 Oct 2001 16:49:47 +0200, ForeveR wrote:
> I've got the following problem:
> I tried to run the pppd 2.3.11 on linux redhat 7.1 and I was not
> successful, It compiled, but instead of working it just hanged.
> It is working correctly on linux 7.0. What is the problem is there any
> patch against pppd v. 2.4 ????
> Or how to make run the ver. 2.3.11 with linux 7.1 (even not patched hangs)

If you run a 2.4 kernel, you must run at least 2.4 pppd.

Go to:

http://www.vibrationresearch.com/pptpd/

Then select the "FAQ for the pptpd program" link. Section 1.1.1 tells where to find instructions for both 2.2 and 2.4 kernels. I got mine working following these instructions.

Linus

From forever at klub.chip.pl Fri Oct 26 04:06:18 2001
From: forever at klub.chip.pl (ForeveR)
Date: Fri, 26 Oct 2001 11:06:18 +0200
Subject: [pptp-server] MSCHAP/MPPE patch
References: <3BD8268B.80405@klub.chip.pl> <1004062638.17515.9.camel@lh2>
Message-ID: <3BD9278A.3050804@klub.chip.pl>

Thanks, it's exactly what I asked for :))) Again thanks for the response :)

C. Linus Hicks wrote:
> On 25 Oct 2001 16:49:47 +0200, ForeveR wrote:
>
>>I've got the following problem:
>>I tried to run the pppd 2.3.11 on linux redhat 7.1 and I was not
>>successful, It compiled, but instead of working it just hanged.
>>It is working correctly on linux 7.0. What is the problem is there any
>>patch against pppd v. 2.4 ????
>>Or how to make run the ver. 2.3.11 with linux 7.1 (even not patched hangs)
>>
>
> If you run a 2.4 kernel, you must run at least 2.4 pppd.
>
> Go to:
>
> http://www.vibrationresearch.com/pptpd/
>
> Then select the "FAQ for the pptpd program" link. Section 1.1.1 tells
> where to find instructions for both 2.2 and 2.4 kernels. I got mine
> working following these instructions.
>
> Linus
>

--
_4ever_

From mikael.lonnroth at advancevpn.com Fri Oct 26 07:38:48 2001
From: mikael.lonnroth at advancevpn.com (Mikael Lönnroth)
Date: Fri, 26 Oct 2001 15:38:48 +0300
Subject: [pptp-server] PPTP server and Windows XP
References: <001801c155c2$2796dfa0$5009630a@intellimec.com> <0GLA0049U2W2I6@mta4.rcsntx.swbell.net>
Message-ID: <00b301c15e1b$3f993e20$cd80aac3@lonnroth>

Hello,

I am sure this must have been discussed at one point or another, but I cannot find anything in the archives:

Has anyone been able to connect to poptop with Windows XP, and if so, did it require any special configuration?

Kindly,
Mikael Lönnroth
www.advancevpn.com

From Josh.Howlett at bristol.ac.uk Fri Oct 26 07:46:06 2001
From: Josh.Howlett at bristol.ac.uk (Josh Howlett)
Date: Fri, 26 Oct 2001 13:46:06 +0100 (BST)
Subject: [pptp-server] PPTP server and Windows XP
In-Reply-To: <00b301c15e1b$3f993e20$cd80aac3@lonnroth>
Message-ID:

I haven't tested it extensively, but WinXP gold (developer) seems to work fine (ie. connected, browsed web for few minutes, disconnected) with MS-CHAP-v2 and MPPE-128. Earlier betas seemed to have more problems. No special config appeared necessary.

josh.

On Fri, 26 Oct 2001, [iso-8859-1] Mikael Lönnroth wrote:

> Hello,
>
> I am sure this must have been discussed at one point or another, but I
> cannot find anything in the archives:
>
> Has anyone been able to connect to poptop with Windows XP, and if so, did it
> require any special configuration?
>
> Kindly,
> Mikael Lönnroth
> www.advancevpn.com
>

---------------------------------------
Josh Howlett, Network Supervisor,
Networking & Digital Communications,
Information Systems & Computing,
University of Bristol, U.K.
0117 928 7850 | josh.howlett at bris.ac.uk
---------------------------------------

From Gareth_Marlow at scientia.com Fri Oct 26 09:49:51 2001
From: Gareth_Marlow at scientia.com (Gareth Marlow)
Date: Fri, 26 Oct 2001 15:49:51 +0100 (GMT Daylight Time)
Subject: [pptp-server] IP address allocation
Message-ID:

I have certain VPN users who should be allocated fixed IP addresses, and others which should receive an address from the pool. I have an address pool of 192.168.0.39-44 which I am using for fixed addresses and 192.168.0.45-58 which I am using for the pool addresses. The PPTP server is on 192.168.0.38.

The fixed addresses are being allocated correctly. Unfortunately, only the first address in the pool range is being allocated to pool users, so I am getting multiple people all being given 192.168.0.45 - obviously things then stop working for everyone.

Any ideas?

/etc/ppp/options:

debug
lock
auth
name server
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
proxyarp

/etc/ppp/chap-secrets (example):

fred * password1 192.168.0.39
john * password2 192.168.0.40
jane * password3 *
anne * password4 *

/etc/pptp.conf:

debug
speed 115200
localip 192.168.0.38
remoteip 192.168.0.45-58

/etc/inetd.conf (relevant line):

pptpctrl stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/pptpctrl 0 0 0 0 1 192.168.0.45-58 0 --buffer--

So here, if all users logged in simultaneously, fred is getting 38, john is getting 40 and jane and anne are both getting 45.

Help!

Gareth
--
Systems Manager, Scientia Ltd. and Fontal Ltd.
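To make the allocation question concrete, here is an added Python model (not pptpd's or pppd's code) of how the files Gareth quoted fit together: it parses the remoteip range syntax and the chap-secrets fixed-address column, then compares an allocator that keeps one shared lease table with one that starts from an empty table on every connection, which hands every pool user the first address, as in the report. The file contents are constructed copies of the ones quoted above and the secrets are placeholders; the Allocator class and its behaviour are my assumptions, not a description of pptpctrl.

```python
import ipaddress

# Constructed copies of the files quoted in the post; the secrets are placeholders.
# chap-secrets holds plaintext secrets, so the real file must stay root-only (mode 0600).
CHAP_SECRETS = """\
# client  server  secret     IP addresses
fred      *       password1  192.168.0.39
john      *       password2  192.168.0.40
jane      *       password3  *
anne      *       password4  *
"""
REMOTEIP = "192.168.0.45-58"   # the pptpd.conf 'remoteip' value from the post


def parse_remoteip(spec):
    """Expand pptpd's range syntax (a.b.c.d-e, comma separated) into IPv4Address objects."""
    addrs = []
    for item in spec.split(","):
        base, dash, last = item.strip().partition("-")
        if not dash:                      # single address, not a range
            addrs.append(ipaddress.IPv4Address(base))
            continue
        prefix, _, first = base.rpartition(".")
        for octet in range(int(first), int(last) + 1):
            addrs.append(ipaddress.IPv4Address(f"{prefix}.{octet}"))
    return addrs


def parse_chap_secrets(text):
    """Map client name -> fixed IPv4Address, or None where the IP column is '*' (use the pool)."""
    fixed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        client, _server, _secret, ip = line.split(None, 3)
        fixed[client] = None if ip == "*" else ipaddress.IPv4Address(ip)
    return fixed


class Allocator:
    """Hypothetical allocator handing out remote addresses to authenticated clients.

    shared=True  : one lease table shared by all connections (addresses stay distinct).
    shared=False : each assignment starts from an empty table, so every pool user gets
                   the first free address, the symptom described in the post.
    """

    def __init__(self, pool, fixed, shared=True):
        overlap = [a for a in fixed.values() if a in pool]
        if overlap:                       # a fixed address inside the pool would collide
            raise ValueError(f"fixed addresses overlap the pool: {overlap}")
        self.pool, self.fixed, self.shared = pool, fixed, shared
        self.leases = {}                  # client name -> IPv4Address

    def assign(self, client):
        addr = self.fixed.get(client)
        if addr is not None:              # a fixed address wins over the pool
            return addr
        leases = self.leases if self.shared else {}
        for candidate in self.pool:
            if candidate not in leases.values():
                leases[client] = candidate
                return candidate
        raise RuntimeError("remoteip pool exhausted")

    def release(self, client):
        self.leases.pop(client, None)
```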
From jsubs at shanholtz.com Fri Oct 26 10:37:48 2001
From: jsubs at shanholtz.com (Jeff Shanholtz)
Date: Fri, 26 Oct 2001 08:37:48 -0700
Subject: [pptp-server] PPTP server and Windows XP
In-Reply-To: <00b301c15e1b$3f993e20$cd80aac3@lonnroth>
Message-ID: <000001c15e34$2b3d6a00$6500a8c0@Jeff>

Other than frequent disconnects (which appear to be a server-side problem), it's been working fine for me on XP. I haven't installed the ms-chap and encryption patches yet though. I think the configuration is identical to that of win2k.

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Mikael Lönnroth
Sent: Friday, October 26, 2001 5:39 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] PPTP server and Windows XP

Hello,

I am sure this must have been discussed at one point or another, but I cannot find anything in the archives:

Has anyone been able to connect to poptop with Windows XP, and if so, did it require any special configuration?

Kindly,
Mikael Lönnroth
www.advancevpn.com

From jsubs at shanholtz.com Sat Oct 27 02:31:49 2001
From: jsubs at shanholtz.com (Jeff Shanholtz)
Date: Sat, 27 Oct 2001 00:31:49 -0700
Subject: [pptp-server] frequent ppp disconnects
In-Reply-To:
Message-ID: <000801c15eb9$7338fd80$6500a8c0@Jeff>

Thanks for the tip. It appears that that did the trick. My connection ran for almost 5 hours before I manually disconnected.

-----Original Message-----
From: Jordan Share [mailto:iso9 at phantasticant.com]
Sent: Thursday, October 25, 2001 10:29 AM
To: Jeff Shanholtz; PoPToP List
Subject: RE: [pptp-server] frequent ppp disconnects

It looks like you are having problems with latency/packets dropping.
I have a user who is all but unable to use PPTP to tunnel into our LAN because he is using Starband for his internet access. The combination of latency and packet loss seems to really screw up his connection. Sometimes it works, sometimes it doesn't.

Anyway, the best thing I could think of to do is increase the time between echo packets, and the number of echo packets that have to fail before it drops the connection, by putting this into my ppp/options file:

lcp-echo-failure 10
lcp-echo-interval 5

From the man page for pppd:

lcp-echo-failure n
    If this option is given, pppd will presume the peer to be dead if n LCP echo-requests are sent without receiving a valid LCP echo-reply. If this happens, pppd will terminate the connection. Use of this option requires a non-zero value for the lcp-echo-interval parameter. This option can be used to enable pppd to terminate after the physical connection has been broken (e.g., the modem has hung up) in situations where no hardware modem control lines are available.

lcp-echo-interval n
    If this option is given, pppd will send an LCP echo-request frame to the peer every n seconds. Normally the peer should respond to the echo-request by sending an echo-reply. This option can be used with the lcp-echo-failure option to detect that the peer is no longer connected.

Jordan

-----Original Message-----
From: pptp-server-admin at lists.schulte.org [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Jeff Shanholtz
Sent: Wednesday, October 24, 2001 9:25 PM
To: PoPToP List
Subject: [pptp-server] frequent ppp disconnects

My vpn client is frequently disconnecting. It can happen as often as every few minutes, but usually it takes more like 15 or 20 minutes. Once I was able to stay connected for 3-4 hours before the disconnection, but that is the only time I've been able to maintain a relatively long connection. I'm using 1.1.2 and pppd 2.4.1 on RH 7.1. I haven't installed any of the patches.
Other than the frequent disconnects, networking works great. How does one track down such a problem? Does anyone know the solution? Does anyone think it would (or wouldn't) be worth going back to the "stable" build of poptop?

Here's a few lines from /var/log/messages:

Oct 24 14:10:20 shane pptpd[6771]: Buffering out-of-order packet; got 67888 after 67885
Oct 24 14:10:20 shane pptpd[6771]: Buffering out-of-order packet; got 67889 after 67885
Oct 24 14:10:20 shane pptpd[6771]: Buffering out-of-order packet; got 67890 after 67885
Oct 24 14:10:20 shane pptpd[6771]: Gave up waiting for 2 lost packets beginning with 67886
Oct 24 14:10:52 shane pppd[6772]: No response to 3 echo-requests
Oct 24 14:10:52 shane pppd[6772]: Serial link appears to be disconnected.
Oct 24 14:10:58 shane pppd[6772]: Connection terminated.

From chris at pds2k.com Tue Oct 30 06:11:07 2001
From: chris at pds2k.com (Christopher Tarricone)
Date: Tue, 30 Oct 2001 07:11:07 -0500
Subject: [pptp-server] Can connect with 128bit but need unencrypted connection first
Message-ID: <004401c1613b$f47be6d0$021c593f@pds2k.net>

To all,

I have been using the archives for about three weeks and I have found answers to almost all of my questions there but I cannot find this one...

[ Sorry for the long post but I wanted to be as specific as possible ]

I cannot connect to the pptp server unless I have a Windows 9x client connect with the following options NOT checked:

Log on to network
Enable software compression
Require Encrypted Password
Require Data Encryption

Once the unauthenticated user is connected, all of the others connect using MSCHAP-V2 and 128bit encryption with all of the above settings on (except software compression).

This is my options.pptp file:

name LMSI
noauth
crtscts
lock
asyncmap 0
nodetach
lcp-echo-interval 45
lcp-echo-failure 4
idle 720
noipx
auth
lock
debug
+chap
+chapms
+chapms-v2
mppe-128
mppe-40
mppe-stateless
nodeflate
nobsdcomp

This is the output of the connection.
You will see the Win 95 machine connect, then the Win2k:

Oct 25 07:44:26 lmsi-wall pptpd[844]: CTRL: Client 63.89.28.3 control connection started
Oct 25 07:44:26 lmsi-wall pptpd[844]: CTRL: Starting call (launching pppd, opening GRE)
Oct 25 07:44:26 lmsi-wall pptpd[844]: GRE: Bad checksum from pppd.
Oct 25 07:44:26 lmsi-wall pppd[845]: pppd 2.4.0 started by root, uid 0
Oct 25 07:44:26 lmsi-wall pppd[845]: Using interface ppp0
Oct 25 07:44:26 lmsi-wall pppd[845]: Connect: ppp0 <--> /dev/pts/2
Oct 25 07:44:26 lmsi-wall pptpd[844]: GRE: Bad checksum from pppd.
Oct 25 07:44:29 lmsi-wall pppd[845]: MSCHAP-v2 peer authentication succeeded for pds2k\\ctarricone
Oct 25 07:44:29 lmsi-wall pppd[845]: Protocol-Reject for unsupported protocol 0x4c6f
Oct 25 07:44:29 lmsi-wall pppd[845]: Protocol-Reject for unsupported protocol 0x47
Oct 25 07:44:30 lmsi-wall last message repeated 23 times
Oct 25 07:44:32 lmsi-wall pppd[845]: local IP address 172.16.48.111
Oct 25 07:44:32 lmsi-wall pppd[845]: remote IP address 172.16.48.131
Oct 25 07:44:42 lmsi-wall pptpd[863]: CTRL: Client 63.89.28.2 control connection started
Oct 25 07:44:42 lmsi-wall pptpd[863]: CTRL: Starting call (launching pppd, opening GRE)
Oct 25 07:44:42 lmsi-wall pptpd[863]: GRE: Discarding duplicate packet
Oct 25 07:44:42 lmsi-wall pppd[864]: pppd 2.4.0 started by root, uid 0
Oct 25 07:44:42 lmsi-wall pppd[864]: Using interface ppp1
Oct 25 07:44:42 lmsi-wall pppd[864]: Connect: ppp1 <--> /dev/pts/3
Oct 25 07:44:42 lmsi-wall pptpd[863]: GRE: Bad checksum from pppd.
Oct 25 07:44:44 lmsi-wall pptpd[863]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 25 07:44:44 lmsi-wall pppd[864]: MSCHAP-v2 peer authentication succeeded for ctarricone
Oct 25 07:44:44 lmsi-wall pppd[864]: Protocol-Reject for unsupported protocol 0x4c6f
Oct 25 07:44:44 lmsi-wall pppd[864]: Protocol-Reject for unsupported protocol 0x47
Oct 25 07:44:45 lmsi-wall last message repeated 60 times
Oct 25 07:44:45 lmsi-wall pppd[864]: local IP address 172.16.48.112
Oct 25 07:44:45 lmsi-wall pppd[864]: remote IP address 172.16.48.132
Oct 25 07:44:52 lmsi-wall pppd[864]: MPPE 128 bit, stateless compression enabled
Oct 25 07:50:00 lmsi-wall CROND[884]: (root) CMD ( /sbin/rmmod -as)

From foonet3000 at yahoo.de Tue Oct 30 08:14:13 2001
From: foonet3000 at yahoo.de (Foo Netmann)
Date: Tue, 30 Oct 2001 15:14:13 +0100 (CET)
Subject: [pptp-server] kernel 2.4.8...13, pptp/mppe problems
Message-ID: <20011030141413.70787.qmail@web9601.mail.yahoo.com>

i'm using linux-2.4.13 and got the same problems with pptp/mppe (something like GRE: read error: ...)

i think there are some changes in the kernel error codes. here's my quick and dirty resolution: get pptpd-1.1.2, open pptpgre.c, change line 462 to:

return 0;

and recompile pptpd. for me it works fine, i hope some people work out a better resolution.

greets
jan

__________________________________________________________________
Sent from Yahoo! Mail
http://mail.yahoo.de

From RLDITTO at BRIGHT.NET Tue Oct 30 08:57:00 2001
From: RLDITTO at BRIGHT.NET (JOE)
Date: Tue, 30 Oct 2001 09:57:00 -0500
Subject: [pptp-server] ppp speed
Message-ID: <000e01c16153$21ec5200$5700a8c0@backdog>

sorry to rehash this, i have on the server end a machine that has a 700+k connection full duplex, and a client machine that has a 300+k connection but things seem very slow. both machines have very fast hardware. i've read in prior posts that you can compress data through the tunnel, will this speed things up significantly? is there something else i can do to speed things up, is there something I'm missing?
would using something else like ssl for samba and not using poptop be faster?

thank-you

From charlieb at e-smith.com Tue Oct 30 09:04:09 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Tue, 30 Oct 2001 10:04:09 -0500 (EST)
Subject: [pptp-server] ppp speed
In-Reply-To: <000e01c16153$21ec5200$5700a8c0@backdog>
Message-ID:

On Tue, 30 Oct 2001, JOE wrote:

> sorry to rehash this, i have on the server end a machine that has a
> 700+k connection full duplex, and a client machine that has a 300+k
> connection but things seem very slow. both machines have very fast
> hardware.

But what's the network connection like them like? Any congestion?

> i've read in prior posts that you can compress data through the
> tunnel, will this speed things up significantly?

PoPToP does not support the (proprietary) MPPC compression protocol.

Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From RLDITTO at BRIGHT.NET Tue Oct 30 09:35:39 2001
From: RLDITTO at BRIGHT.NET (JOE)
Date: Tue, 30 Oct 2001 10:35:39 -0500
Subject: [pptp-server] ppp speed
Message-ID: <002b01c16158$87fe70a0$5700a8c0@backdog>

there's no congestion as far as i know. we're talking 5 users on each end using the internet connection intermittently. the one user that uses the vpn connection is just working with word processing documents and one database.

On Tue, 30 Oct 2001, JOE wrote:

> sorry to rehash this, i have on the server end a machine that has a
> 700+k connection full duplex, and a client machine that has a 300+k
> connection but things seem very slow. both machines have very fast
> hardware.

But what's the network connection like them like? Any congestion?
> i've read in prior posts that you can compress data through the
> tunnel, will this speed things up significantly?

PoPToP does not support the (proprietary) MPPC compression protocol.

From charlieb at e-smith.com Tue Oct 30 09:46:09 2001
From: charlieb at e-smith.com (Charlie Brady)
Date: Tue, 30 Oct 2001 10:46:09 -0500 (EST)
Subject: [pptp-server] ppp speed
In-Reply-To: <002b01c16158$87fe70a0$5700a8c0@backdog>
Message-ID:

On Tue, 30 Oct 2001, JOE wrote:

> there's no congestion as far as i know. we're talking 5 users on each
> end using the internet connection intermittently.

Any congestion is more likely to be in routers between ISPs' networks, so the number of users doesn't really matter. You'll need to ping from end to end and look at ping time, ping time variation and packet loss.

--
Charlie Brady                         charlieb at e-smith.com
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739

From bparker at alacare.com Tue Oct 30 17:32:57 2001
From: bparker at alacare.com (Parker Blake MIS)
Date: Tue, 30 Oct 2001 17:32:57 -0600
Subject: [pptp-server] Radius Support
Message-ID:

Does this daemon support user authentication against a radius database?

Blake Parker, Network Administrator
Alacare Home Health & Hospice
4752 Hwy 280 East
Birmingham, Al. 35242
(205) 981-8648, Beeper: 501-0408
bparker at alacare.com

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
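Added example, not from any post in this thread: a small Python log scanner run over a constructed sample modelled on the /var/log/messages excerpts Jeff and Christopher quoted earlier. It totals pptpd's GRE "Gave up waiting" losses and pppd's LCP echo failures (the symptoms the lcp-echo-* options tune), and tracks each pppd session by pid so that a session which authenticated and received an address but never logged MPPE being enabled (like Christopher's first, Win95, client) is flagged as unencrypted. The regexes and thresholds are my assumptions about the message formats shown, not pppd's or pptpd's own definitions.

```python
import re

# Constructed sample, modelled on the /var/log/messages lines quoted in this thread.
SAMPLE_LOG = r"""
Oct 24 14:10:20 shane pptpd[6771]: Buffering out-of-order packet; got 67888 after 67885
Oct 24 14:10:20 shane pptpd[6771]: Gave up waiting for 2 lost packets beginning with 67886
Oct 24 14:10:52 shane pppd[6772]: No response to 3 echo-requests
Oct 24 14:10:52 shane pppd[6772]: Serial link appears to be disconnected.
Oct 24 14:10:58 shane pppd[6772]: Connection terminated.
Oct 25 07:44:29 lmsi-wall pppd[845]: MSCHAP-v2 peer authentication succeeded for pds2k\\ctarricone
Oct 25 07:44:32 lmsi-wall pppd[845]: remote IP address 172.16.48.131
Oct 25 07:44:44 lmsi-wall pppd[864]: MSCHAP-v2 peer authentication succeeded for ctarricone
Oct 25 07:44:45 lmsi-wall pppd[864]: remote IP address 172.16.48.132
Oct 25 07:44:52 lmsi-wall pppd[864]: MPPE 128 bit, stateless compression enabled
"""

# One pattern per message type we care about; group 1 is always the pptpd/pppd pid.
PATTERNS = {
    "lost": re.compile(r"pptpd\[(\d+)\]: Gave up waiting for (\d+) lost packets"),
    "echo": re.compile(r"pppd\[(\d+)\]: No response to (\d+) echo-requests"),
    "auth": re.compile(r"pppd\[(\d+)\]: MSCHAP-v2 peer authentication succeeded for (\S+)"),
    "ip":   re.compile(r"pppd\[(\d+)\]: remote IP address (\S+)"),
    "mppe": re.compile(r"pppd\[(\d+)\]: MPPE (\d+) bit"),
    "term": re.compile(r"pppd\[(\d+)\]: Connection terminated"),
}


def analyse(log_text):
    """Walk the log once; return GRE-loss and LCP-echo events plus a per-pppd session table."""
    report = {"lost_packets": 0, "echo_failures": [], "sessions": {}}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            pid = m.group(1)
            if kind == "lost":
                report["lost_packets"] += int(m.group(2))
            elif kind == "echo":
                report["echo_failures"].append((pid, int(m.group(2))))
            else:
                s = report["sessions"].setdefault(pid, {
                    "pid": pid, "user": None, "remote_ip": None,
                    "mppe_bits": None, "terminated": False})
                if kind == "auth":
                    s["user"] = m.group(2)
                elif kind == "ip":
                    s["remote_ip"] = m.group(2)
                elif kind == "mppe":
                    s["mppe_bits"] = int(m.group(2))
                elif kind == "term":
                    s["terminated"] = True
            break
    return report


def unencrypted_sessions(sessions):
    """Sessions that were given an address (traffic flowed) but never negotiated MPPE."""
    return [s for s in sessions.values() if s["remote_ip"] and s["mppe_bits"] is None]


def flaky_link(report, lost_threshold=1, echo_threshold=1):
    """True when GRE loss or LCP echo timeouts appear, the pattern behind the disconnects."""
    return (report["lost_packets"] >= lost_threshold
            or len(report["echo_failures"]) >= echo_threshold)
```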
From john_g123 at yahoo.com Tue Oct 30 22:42:27 2001
From: john_g123 at yahoo.com (john)
Date: Tue, 30 Oct 2001 20:42:27 -0800 (PST)
Subject: [pptp-server] network design and pptp
In-Reply-To: <000801c15eb9$7338fd80$6500a8c0@Jeff>
Message-ID: <20011031044227.94075.qmail@web20709.mail.yahoo.com>

though there are some emails etc regarding issues with pptp i have not seen (could be i missed) mails pertaining to network design. so i would request the list for....

1. where to place the PPTP server in the overall network, behind, ahead, or beside (dmz) of firewall
2. then according to above, what should be the address range that is being allotted by the PPTP server.
3. any other useful configuration that you may suggest.

most of my clients ask for simple PPTP server either with windows NT (RAS) or with linux. any pros and cons.

and last not the least any doc or guide etc for a vpn between linux and windows NT (or 2000).

please email me network diags etc for configurations that you may have or are willing to send me. you can send me personal email also.

thanks

__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com

From jsubs at shanholtz.com Wed Oct 31 01:28:18 2001
From: jsubs at shanholtz.com (Jeff Shanholtz)
Date: Tue, 30 Oct 2001 23:28:18 -0800
Subject: [pptp-server] pptpd dies spontaneously
Message-ID: <003c01c161dd$9cddc1d0$6500a8c0@Jeff>

On a number of occasions the pptpd process has simply died. Running "service pptpd status" reports "pptpd dead but subsys locked" and, sure enough, running "ps -A" confirms that it isn't running. Restarting the service gets me back up and running.

Anyone know what would cause this? I'm running 1.1.2 with ppp 2.4.1 under kernel 2.4.9 and no patches. Is this an example of when it is better to use the "stable" release over the latest? Or would it be a configuration thing?

The last few lines in my log file are...
Oct 30 10:37:57 shane pptpd[5923]: GRE: read error: Bad file descriptor
Oct 30 10:37:57 shane pptpd[5923]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Oct 30 10:37:57 shane pptpd[5923]: CTRL: Client 209.162.219.9 control connection finished

From kmankal at home.com Wed Oct 31 19:52:44 2001
From: kmankal at home.com (Khaled Mankal)
Date: Wed, 31 Oct 2001 20:52:44 -0500
Subject: [pptp-server] pptp help
Message-ID: <001401c16277$e6ab49a0$0f04fc0a@superjuice.dhs.org>

I have a win98SE machine and I'm trying to connect to a Poptop server on the internet. Between the win98SE machine and the internet is a 2.4.3 linux firewall box using iptables and natting the internal network, which works fine; all internal computers can browse. If I remove the Linux firewall from the equation and put the Win98 machine directly on the internet I can connect fine. I know it's something with iptables not allowing GRE back through the firewall. I really need to get this working; any help would be greatly appreciated.

Khaled