[pptp-server] PPTPD Authentication problems...
Jeremy Higgs
jhiggs at bigpond.net.au
Wed Jan 16 01:31:56 CST 2002
Hi everyone!
I'm still struggling with getting a PPTPD server going... I've been reading
up on a couple of things, and found that the error I found in my
/var/log/daemon.log file before was related to VPN Masquerading (could this
be because the IPs I have assigned in /etc/pptpd.conf are private? I'm
connecting from a firewall box on the client end [which has a public IP] to
another firewall box with a public IP), so I added the VPN MASQ patch to
both the server and client, enabling "CONFIG_IP_MASQUERADE_PPTP=y".
After rebooting both these boxes, I turned on 'debug' in /etc/ppp/options on
both machines, and also in /etc/pptpd.conf on the server.
When I connected with pptp from the client machine, I got a whole lot of
errors in /var/log/daemon.log, /var/log/messages and /var/log/debug, which
I've reproduced below, as well as various (relevant) config files. (A little
warning... Lots of text below!)
For 'piglet', the client machine (piglet.shacknet.nu):
--- /var/log/messages
Jan 16 18:03:26 piglet pppd[3558]: pppd 2.4.1 started by root, uid 0
Jan 16 18:03:26 piglet pppd[3558]: Using interface ppp0
Jan 16 18:03:26 piglet pppd[3558]: Connect: ppp0 <--> /dev/pts/1
Jan 16 18:03:29 piglet pppd[3558]: Connection terminated.
Jan 16 18:03:30 piglet pppd[3558]: Exit.
--- /var/log/daemon.log
Jan 16 18:03:25 piglet pptp[3555]:
log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:548]: Client connection
established.
Jan 16 18:03:26 piglet pptp[3555]:
log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:655]: Outgoing call established
(call ID 0, peer's call ID 0).
Jan 16 18:03:26 piglet modprobe: modprobe: Invalid line 84 in
/etc/modules.conf ^I/lib/modules/2.2.20
Jan 16 18:03:30 piglet pptp[3555]: log[callmgr_main:pptp_callmgr.c:240]:
Closing connection
Jan 16 18:03:30 piglet pptp[3555]: log[pptp_conn_close:pptp_ctrl.c:285]:
Closing PPTP connection
Jan 16 18:03:32 piglet pptp[3555]: log[call_callback:pptp_callmgr.c:88]:
Closing connection
--- /var/log/debug
Jan 16 18:03:26 piglet pppd[3558]: sent [LCP ConfReq id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0x1945c36f> <pcomp> <accomp>]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0xb0c49677> <pcomp> <accomp>]
Jan 16 18:03:29 piglet pppd[3558]: sent [LCP ConfAck id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0xb0c49677> <pcomp> <accomp>]
Jan 16 18:03:29 piglet pppd[3558]: sent [LCP ConfReq id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0x1945c36f> <pcomp> <accomp>]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0x1945c36f> <pcomp> <accomp>]
Jan 16 18:03:29 piglet pppd[3558]: sent [LCP EchoReq id=0x0
magic=0x1945c36f]
Jan 16 18:03:29 piglet pppd[3558]: sent [CHAP Challenge id=0x1
<8010a1cd2078b257824ee8048ed01fa2a1599b3d0f>, name = "piglet"]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [LCP EchoReq id=0x0
magic=0xb0c49677]
Jan 16 18:03:29 piglet pppd[3558]: sent [LCP EchoRep id=0x0
magic=0x1945c36f]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [CHAP Challenge id=0x1
<5b6cbe281bb476ca0598ddef09a134b74b5031be1b>, name = "bluey"]
Jan 16 18:03:29 piglet pppd[3558]: sent [CHAP Response id=0x1
<8b8bc4909689269721eb01dfa5ba7619>, name = "piglet"]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [LCP EchoRep id=0x0
magic=0xb0c49677]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [CHAP Response id=0x1
<16dcead8779087f338a04cf17929c6a7>, name = "bluey"]
Jan 16 18:03:29 piglet pppd[3558]: sent [CHAP Failure id=0x1 "I don't like
you. Go 'way."]
Jan 16 18:03:29 piglet pppd[3558]: sent [LCP TermReq id=0x2 "Authentication
failed"]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [CHAP Failure id=0x1 "I don't like
you. Go 'way."]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [LCP TermReq id=0x2 "Authentication
failed"]
Jan 16 18:03:29 piglet pppd[3558]: sent [LCP TermAck id=0x2]
Jan 16 18:03:29 piglet pppd[3558]: rcvd [LCP TermAck id=0x2]
--- /etc/ppp/options
root at piglet:~# cat /etc/ppp/options
# /etc/ppp/options
#
# Originally created by Jim Knoble <jmknoble at mercury.interpath.net>
# Modified for Debian by alvar Bray <alvar at meiko.co.uk>
# Modified for PPP Server setup by Christoph Lameter <clameter at debian.org>
#
# To quickly see what options are active in this file, use this command:
# egrep -v '#|^ *$' /etc/ppp/options
# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
# ms-dns 192.168.1.1
# ms-dns 192.168.1.2
# Specify which WINS Servers the incoming connection Win95 or WinNT should use
# ms-wins 192.168.1.50
# ms-wins 192.168.1.51
# Run the executable or shell command specified after pppd has
# terminated the link. This script could, for example, issue commands
# to the modem to cause it to hang up if hardware modem control signals
# were not available.
#disconnect "chat -- \d+++\d\c OK ath0 OK"
# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
asyncmap 0
# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting. It is expected to be standard in
# future releases of pppd. Use the call option (see manpage) to disable
# authentication for specific peers.
auth
# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts
# Use software flow control (i.e. XON/XOFF) to control the flow of data
# on the serial port.
#xonxoff
# Specifies that certain characters should be escaped on transmission
# (regardless of whether the peer requests them to be escaped with its
# async control character map). The characters to be escaped are
# specified as a list of hex numbers separated by commas. Note that
# almost any character can be specified for the escape option, unlike
# the asyncmap option which only allows control characters to be
# specified. The characters which may not be escaped are those with hex
# values 0x20 - 0x3f or 0x5e.
#escape 11,13,ff
# Don't use the modem control lines.
#local
# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock
# Don't show the passwords when logging the contents of PAP packets.
# This is the default.
hide-password
# When logging the contents of PAP packets, this option causes pppd to
# show the password string in the log message.
#show-password
# Use the modem control lines. On Ultrix, this option implies hardware
# flow control, as for the crtscts option. (This option is not fully
# implemented.)
modem
# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data).
#mru 542
# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
#netmask 255.255.255.0
# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
#noipdefault
# Enables the "passive" option in the LCP. With this option, pppd will
# attempt to initiate a connection; if no reply is received from the
# peer, pppd will then just wait passively for a valid LCP packet from
# the peer (instead of exiting, as it does without this option).
#passive
# With this option, pppd will not transmit LCP packets to initiate a
# connection until a valid LCP packet is received from the peer (as for
# the "passive" option with old versions of pppd).
#silent
# Don't request or allow negotiation of any options for LCP and IPCP
# (use default values).
#-all
# Disable Address/Control compression negotiation (use default, i.e.
# address/control field disabled).
#-ac
# Disable asyncmap negotiation (use the default asyncmap, i.e. escape
# all control characters).
#-am
# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
#-detach
# Disable IP address negotiation (with this option, the remote IP
# address must be specified with an option on the command line or in
# an options file).
#-ip
# Disable IPCP negotiation and IP communication. This option should
# only be required if the peer is buggy and gets confused by requests
# from pppd for IPCP negotiation.
#noip
# Disable magic number negotiation. With this option, pppd cannot
# detect a looped-back line.
#-mn
# Disable MRU [Maximum Receive Unit] negotiation (use default, i.e.
# 1500).
#-mru
# Disable protocol field compression negotiation (use default, i.e.
# protocol field compression disabled).
#-pc
# Require the peer to authenticate itself using PAP.
#+pap
# Don't agree to authenticate using PAP.
#-pap
# Require the peer to authenticate itself using CHAP [Challenge
# Handshake Authentication Protocol] authentication.
#+chap
# Don't agree to authenticate using CHAP.
#-chap
# Disable negotiation of Van Jacobson style IP header compression (use
# default, i.e. no compression).
#-vj
# Increase debugging level (same as -d). If this option is given, pppd
# will log the contents of all control packets sent or received in a
# readable form. The packets are logged through syslog with facility
# daemon and level debug. This information can be directed to a file by
# setting up /etc/syslog.conf appropriately (see syslog.conf(5)). (If
# pppd is compiled with extra debugging enabled, it will log messages
# using facility local2 instead of daemon).
debug
# Append the domain name <d> to the local host name for authentication
# purposes. For example, if gethostname() returns the name porsche,
# but the fully qualified domain name is porsche.Quotron.COM, you would
# use the domain option to set the domain name to Quotron.COM.
#domain <d>
# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug n
# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface.
#mtu <n>
# Set the name of the local system for authentication purposes to <n>.
# This is a privileged option. With this option, pppd will use lines in the
# secrets files which have <n> as the second field when looking for a
# secret to use in authenticating the peer. In addition, unless overridden
# with the user option, <n> will be used as the name to send to the peer
# when authenticating the local system to the peer. (Note that pppd does
# not append the domain name to <n>.)
#name <n>
name piglet
# Enforce the use of the hostname as the name of the local system for
# authentication purposes (overrides the name option).
#usehostname
# Set the assumed name of the remote system for authentication purposes
# to <n>.
#remotename <n>
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
proxyarp
# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dialin from users using a script under Linux to fire up ppp wont work.
# login
# If this option is given, pppd will send an LCP echo-request frame to the
# peer every n seconds. Normally the peer should respond to the echo-request
# by sending an echo-reply. This option can be used with the
# lcp-echo-failure option to detect that the peer is no longer connected.
lcp-echo-interval 30
# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection. Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
lcp-echo-failure 4
# Set the LCP restart interval (retransmission timeout) to <n> seconds
# (default 3).
#lcp-restart <n>
# Set the maximum number of LCP terminate-request transmissions to <n>
# (default 3).
#lcp-max-terminate <n>
# Set the maximum number of LCP configure-request transmissions to <n>
# (default 10).
#lcp-max-configure <n>
# Set the maximum number of LCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
#lcp-max-failure <n>
# Set the IPCP restart interval (retransmission timeout) to <n>
# seconds (default 3).
#ipcp-restart <n>
# Set the maximum number of IPCP terminate-request transmissions to <n>
# (default 3).
#ipcp-max-terminate <n>
# Set the maximum number of IPCP configure-request transmissions to <n>
# (default 10).
#ipcp-max-configure <n>
# Set the maximum number of IPCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
#ipcp-max-failure <n>
# Set the PAP restart interval (retransmission timeout) to <n> seconds
# (default 3).
#pap-restart <n>
# Set the maximum number of PAP authenticate-request transmissions to
# <n> (default 10).
#pap-max-authreq <n>
# Set the maximum time that pppd will wait for the peer to authenticate
# itself with PAP to <n> seconds (0 means no limit).
#pap-timeout <n>
# Set the CHAP restart interval (retransmission timeout for
# challenges) to <n> seconds (default 3).
#chap-restart <n>
# Set the maximum number of CHAP challenge transmissions to <n>
# (default 10).
#chap-max-challenge
# If this option is given, pppd will rechallenge the peer every <n>
# seconds.
#chap-interval <n>
# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
#ipcp-accept-local
# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
#ipcp-accept-remote
# Disable the IPXCP and IPX protocols.
# To let pppd pass IPX packets comment this out --- you'll probably also
# want to install ipxripd, and have the Internal IPX Network option enabled
# in your kernel. /usr/doc/HOWTO/IPX-HOWTO.gz contains more info.
noipx
# Exit once a connection has been made and terminated. This is the default,
# unless the `persist' or `demand' option has been specified.
#nopersist
# Do not exit after a connection is terminated; instead try to reopen
# the connection.
#persist
# Terminate after n consecutive failed connection attempts.
# A value of 0 means no limit. The default value is 10.
#maxfail <n>
# Initiate the link only on demand, i.e. when data traffic is present.
# With this option, the remote IP address must be specified by the user on
# the command line or in an options file. Pppd will initially configure
# the interface and enable it for IP traffic without connecting to the peer.
# When traffic is available, pppd will connect to the peer and perform
# negotiation, authentication, etc. When this is completed, pppd will
# commence passing data packets (i.e., IP packets) across the link.
#demand
# Specifies that pppd should disconnect if the link is idle for <n> seconds.
# The link is idle when no data packets (i.e. IP packets) are being sent or
# received. Note: it is not advisable to use this option with the persist
# option without the demand option. If the active-filter option is given,
# data packets which are rejected by the specified activity filter also
# count as the link being idle.
#idle <n>
# Specifies how many seconds to wait before re-initiating the link after
# it terminates. This option only has any effect if the persist or demand
# option is used. The holdoff period is not applied if the link was
# terminated because it was idle.
#holdoff <n>
# Wait for up n milliseconds after the connect script finishes for a valid
# PPP packet from the peer. At the end of this time, or when a valid PPP
# packet is received from the peer, pppd will commence negotiation by
# sending its first LCP packet. The default value is 1000 (1 second).
# This wait period only applies if the connect or pty option is used.
#connect-delay <n>
# ---<End of File>---
--- /etc/ppp/chap-secrets (note: no newline after final "*")
root at piglet:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
bluey piglet "password1" *
piglet bluey "password2" *
---
For 'bluey', the server machine (cata.mine.nu):
--- /var/log/messages
Jan 16 18:03:18 cata pppd[13824]: pppd 2.4.1 started by root, uid 0
Jan 16 18:03:18 cata pppd[13824]: Using interface ppp1
Jan 16 18:03:18 cata pppd[13824]: Connect: ppp1 <--> /dev/pts/6
Jan 16 18:03:22 cata pppd[13824]: Connection terminated.
Jan 16 18:03:22 cata pppd[13824]: Exit.
--- /var/log/daemon.log
Jan 16 18:03:17 cata pptpd[13823]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Jan 16 18:03:17 cata pptpd[13823]: CTRL: local address = 192.168.1.1
Jan 16 18:03:17 cata pptpd[13823]: CTRL: remote address = 192.168.1.11
Jan 16 18:03:17 cata pptpd[13823]: CTRL: pppd speed = 115200
Jan 16 18:03:17 cata pptpd[13823]: CTRL: pppd options file =
/etc/ppp/pptpd-options
Jan 16 18:03:17 cata pptpd[13823]: CTRL: Client 144.132.140.185 control
connection started
Jan 16 18:03:17 cata pptpd[13823]: CTRL: Received PPTP Control Message
(type: 1)
Jan 16 18:03:17 cata pptpd[13823]: CTRL: Made a START CTRL CONN RPLY packet
Jan 16 18:03:17 cata pptpd[13823]: CTRL: I wrote 156 bytes to the client.
Jan 16 18:03:17 cata pptpd[13823]: CTRL: Sent packet to client
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Received PPTP Control Message
(type: 7)
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Set parameters to 10000000 maxbps,
3 window size
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Made a OUT CALL RPLY packet
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Starting call (launching pppd,
opening GRE)
Jan 16 18:03:18 cata pptpd[13823]: CTRL: pty_fd = 5
Jan 16 18:03:18 cata pptpd[13823]: CTRL: tty_fd = 6
Jan 16 18:03:18 cata pptpd[13824]: CTRL (PPPD Launcher): Connection speed =
115200
Jan 16 18:03:18 cata pptpd[13824]: CTRL (PPPD Launcher): local address =
192.168.1.1
Jan 16 18:03:18 cata pptpd[13824]: CTRL (PPPD Launcher): remote address =
192.168.1.11
Jan 16 18:03:18 cata pptpd[13823]: CTRL: I wrote 32 bytes to the client.
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Sent packet to client
Jan 16 18:03:18 cata modprobe: modprobe: Invalid line 82 in
/etc/modules.conf ^I/lib/modules/2.2.20/
Jan 16 18:03:20 cata pptpd[13823]: GRE: Discarding duplicate packet
Jan 16 18:03:22 cata pptpd[13823]: GRE: read(fd=5,buffer=10014e54,len=8196)
from PTY failed: status = -1 error = Input/output error
Jan 16 18:03:22 cata pptpd[13823]: CTRL: PTY read or GRE write failed
(pty,gre)=(5,6)
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Client 144.132.140.185 control
connection finished
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Exiting with active call
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Made a CALL DISCONNECT RPLY packet
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Couldn't write packet to client.
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Made a STOP CTRL REQ packet
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Couldn't write packet to client.
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Exiting now
Jan 16 18:03:22 cata pptpd[13707]: MGR: Reaped child 13823
--- /var/log/debug
Jan 16 18:03:17 cata pptpd[13823]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Jan 16 18:03:17 cata pptpd[13823]: CTRL: local address = 192.168.1.1
Jan 16 18:03:17 cata pptpd[13823]: CTRL: remote address = 192.168.1.11
Jan 16 18:03:17 cata pptpd[13823]: CTRL: pppd speed = 115200
Jan 16 18:03:17 cata pptpd[13823]: CTRL: pppd options file =
/etc/ppp/pptpd-options
Jan 16 18:03:17 cata pptpd[13823]: CTRL: Received PPTP Control Message
(type: 1)
Jan 16 18:03:17 cata pptpd[13823]: CTRL: Made a START CTRL CONN RPLY packet
Jan 16 18:03:17 cata pptpd[13823]: CTRL: I wrote 156 bytes to the client.
Jan 16 18:03:17 cata pptpd[13823]: CTRL: Sent packet to client
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Received PPTP Control Message
(type: 7)
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Set parameters to 10000000 maxbps,
3 window size
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Made a OUT CALL RPLY packet
Jan 16 18:03:18 cata pptpd[13823]: CTRL: pty_fd = 5
Jan 16 18:03:18 cata pptpd[13823]: CTRL: tty_fd = 6
Jan 16 18:03:18 cata pptpd[13824]: CTRL (PPPD Launcher): Connection speed =
115200
Jan 16 18:03:18 cata pptpd[13824]: CTRL (PPPD Launcher): local address =
192.168.1.1
Jan 16 18:03:18 cata pptpd[13824]: CTRL (PPPD Launcher): remote address =
192.168.1.11
Jan 16 18:03:18 cata pptpd[13823]: CTRL: I wrote 32 bytes to the client.
Jan 16 18:03:18 cata pptpd[13823]: CTRL: Sent packet to client
Jan 16 18:03:18 cata pppd[13824]: sent [LCP ConfReq id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0xb0c49677> <pcomp> <accomp>]
Jan 16 18:03:21 cata pppd[13824]: sent [LCP ConfReq id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0xb0c49677> <pcomp> <accomp>]
Jan 16 18:03:22 cata pppd[13824]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0xb0c49677> <pcomp> <accomp>]
Jan 16 18:03:22 cata pppd[13824]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0x1945c36f> <pcomp> <accomp>]
Jan 16 18:03:22 cata pppd[13824]: sent [LCP ConfAck id=0x1 <asyncmap 0x0>
<auth chap MD5> <magic 0x1945c36f> <pcomp> <accomp>]
Jan 16 18:03:22 cata pppd[13824]: sent [LCP EchoReq id=0x0 magic=0xb0c49677]
Jan 16 18:03:22 cata pppd[13824]: sent [CHAP Challenge id=0x1
<5b6cbe281bb476ca0598ddef09a134b74b5031be1b>, name = "bluey"]
Jan 16 18:03:22 cata pppd[13824]: rcvd [LCP EchoReq id=0x0 magic=0x1945c36f]
Jan 16 18:03:22 cata pppd[13824]: sent [LCP EchoRep id=0x0 magic=0xb0c49677]
Jan 16 18:03:22 cata pppd[13824]: rcvd [CHAP Challenge id=0x1
<8010a1cd2078b257824ee8048ed01fa2a1599b3d0f>, name = "piglet"]
Jan 16 18:03:22 cata pppd[13824]: sent [CHAP Response id=0x1
<16dcead8779087f338a04cf17929c6a7>, name = "bluey"]
Jan 16 18:03:22 cata pppd[13824]: rcvd [LCP EchoRep id=0x0 magic=0x1945c36f]
Jan 16 18:03:22 cata pppd[13824]: rcvd [CHAP Response id=0x1
<8b8bc4909689269721eb01dfa5ba7619>, name = "piglet"]
Jan 16 18:03:22 cata pppd[13824]: sent [CHAP Failure id=0x1 "I don't like
you. Go 'way."]
Jan 16 18:03:22 cata pppd[13824]: sent [LCP TermReq id=0x2 "Authentication
failed"]
Jan 16 18:03:22 cata pppd[13824]: rcvd [CHAP Failure id=0x1 "I don't like
you. Go 'way."]
Jan 16 18:03:22 cata pppd[13824]: rcvd [LCP TermReq id=0x2 "Authentication
failed"]
Jan 16 18:03:22 cata pppd[13824]: sent [LCP TermAck id=0x2]
Jan 16 18:03:22 cata pppd[13824]: rcvd [LCP TermAck id=0x2]
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Exiting with active call
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Made a CALL DISCONNECT RPLY packet
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Made a STOP CTRL REQ packet
Jan 16 18:03:22 cata pptpd[13823]: CTRL: Exiting now
Jan 16 18:03:22 cata pptpd[13707]: MGR: Reaped child 13823
--- /etc/ppp/options
cata:~# cat /etc/ppp/options
# /etc/ppp/options
#
# Originally created by Jim Knoble <jmknoble at mercury.interpath.net>
# Modified for Debian by alvar Bray <alvar at meiko.co.uk>
# Modified for PPP Server setup by Christoph Lameter <clameter at debian.org>
#
# To quickly see what options are active in this file, use this command:
# egrep -v '#|^ *$' /etc/ppp/options
# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
# ms-dns 192.168.1.1
# ms-dns 192.168.1.2
# Specify which WINS Servers the incoming connection Win95 or WinNT should use
# ms-wins 192.168.1.50
# ms-wins 192.168.1.51
# Run the executable or shell command specified after pppd has
# terminated the link. This script could, for example, issue commands
# to the modem to cause it to hang up if hardware modem control signals
# were not available.
#disconnect "chat -- \d+++\d\c OK ath0 OK"
# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
asyncmap 0
# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting. It is expected to be standard in
# future releases of pppd. Use the call option (see manpage) to disable
# authentication for specific peers.
auth
# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts
# Use software flow control (i.e. XON/XOFF) to control the flow of data
# on the serial port.
#xonxoff
# Specifies that certain characters should be escaped on transmission
# (regardless of whether the peer requests them to be escaped with its
# async control character map). The characters to be escaped are
# specified as a list of hex numbers separated by commas. Note that
# almost any character can be specified for the escape option, unlike
# the asyncmap option which only allows control characters to be
# specified. The characters which may not be escaped are those with hex
# values 0x20 - 0x3f or 0x5e.
#escape 11,13,ff
# Don't use the modem control lines.
#local
# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock
# Don't show the passwords when logging the contents of PAP packets.
# This is the default.
hide-password
# When logging the contents of PAP packets, this option causes pppd to
# show the password string in the log message.
#show-password
# Use the modem control lines. On Ultrix, this option implies hardware
# flow control, as for the crtscts option. (This option is not fully
# implemented.)
modem
# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data).
#mru 542
# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
#netmask 255.255.255.0
# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
#noipdefault
# Enables the "passive" option in the LCP. With this option, pppd will
# attempt to initiate a connection; if no reply is received from the
# peer, pppd will then just wait passively for a valid LCP packet from
# the peer (instead of exiting, as it does without this option).
#passive
# With this option, pppd will not transmit LCP packets to initiate a
# connection until a valid LCP packet is received from the peer (as for
# the "passive" option with old versions of pppd).
#silent
# Don't request or allow negotiation of any options for LCP and IPCP
# (use default values).
#-all
# Disable Address/Control compression negotiation (use default, i.e.
# address/control field disabled).
#-ac
# Disable asyncmap negotiation (use the default asyncmap, i.e. escape
# all control characters).
#-am
# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
#-detach
# Disable IP address negotiation (with this option, the remote IP
# address must be specified with an option on the command line or in
# an options file).
#-ip
# Disable IPCP negotiation and IP communication. This option should
# only be required if the peer is buggy and gets confused by requests
# from pppd for IPCP negotiation.
#noip
# Disable magic number negotiation. With this option, pppd cannot
# detect a looped-back line.
#-mn
# Disable MRU [Maximum Receive Unit] negotiation (use default, i.e.
# 1500).
#-mru
# Disable protocol field compression negotiation (use default, i.e.
# protocol field compression disabled).
#-pc
# Require the peer to authenticate itself using PAP.
#+pap
# Don't agree to authenticate using PAP.
#-pap
# Require the peer to authenticate itself using CHAP [Challenge
# Handshake Authentication Protocol] authentication.
#+chap
# Don't agree to authenticate using CHAP.
#-chap
# Disable negotiation of Van Jacobson style IP header compression (use
# default, i.e. no compression).
#-vj
# Increase debugging level (same as -d). If this option is given, pppd
# will log the contents of all control packets sent or received in a
# readable form. The packets are logged through syslog with facility
# daemon and level debug. This information can be directed to a file by
# setting up /etc/syslog.conf appropriately (see syslog.conf(5)). (If
# pppd is compiled with extra debugging enabled, it will log messages
# using facility local2 instead of daemon).
debug
# Append the domain name <d> to the local host name for authentication
# purposes. For example, if gethostname() returns the name porsche,
# but the fully qualified domain name is porsche.Quotron.COM, you would
# use the domain option to set the domain name to Quotron.COM.
#domain <d>
# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug n
# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface.
#mtu <n>
# Set the name of the local system for authentication purposes to <n>.
# This is a privileged option. With this option, pppd will use lines in the
# secrets files which have <n> as the second field when looking for a
# secret to use in authenticating the peer. In addition, unless overridden
# with the user option, <n> will be used as the name to send to the peer
# when authenticating the local system to the peer. (Note that pppd does
# not append the domain name to <n>.)
#name <n>
name bluey
# Enforce the use of the hostname as the name of the local system for
# authentication purposes (overrides the name option).
#usehostname
# Set the assumed name of the remote system for authentication purposes
# to <n>.
#remotename <n>
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
proxyarp
# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dialin from users using a script under Linux to fire up ppp wont work.
# login
# If this option is given, pppd will send an LCP echo-request frame to the
# peer every n seconds. Normally the peer should respond to the echo-request
# by sending an echo-reply. This option can be used with the
# lcp-echo-failure option to detect that the peer is no longer connected.
lcp-echo-interval 30
# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection. Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
lcp-echo-failure 4
# Set the LCP restart interval (retransmission timeout) to <n> seconds
# (default 3).
#lcp-restart <n>
# Set the maximum number of LCP terminate-request transmissions to <n>
# (default 3).
#lcp-max-terminate <n>
# Set the maximum number of LCP configure-request transmissions to <n>
# (default 10).
#lcp-max-configure <n>
# Set the maximum number of LCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
#lcp-max-failure <n>
# Set the IPCP restart interval (retransmission timeout) to <n>
# seconds (default 3).
#ipcp-restart <n>
# Set the maximum number of IPCP terminate-request transmissions to <n>
# (default 3).
#ipcp-max-terminate <n>
# Set the maximum number of IPCP configure-request transmissions to <n>
# (default 10).
#ipcp-max-configure <n>
# Set the maximum number of IPCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
#ipcp-max-failure <n>
# Set the PAP restart interval (retransmission timeout) to <n> seconds
# (default 3).
#pap-restart <n>
# Set the maximum number of PAP authenticate-request transmissions to
# <n> (default 10).
#pap-max-authreq <n>
# Set the maximum time that pppd will wait for the peer to authenticate
# itself with PAP to <n> seconds (0 means no limit).
#pap-timeout <n>
# Set the CHAP restart interval (retransmission timeout for
# challenges) to <n> seconds (default 3).
#chap-restart <n>
# Set the maximum number of CHAP challenge transmissions to <n>
# (default 10).
#chap-max-challenge
# If this option is given, pppd will rechallenge the peer every <n>
# seconds.
#chap-interval <n>
# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
#ipcp-accept-local
# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
#ipcp-accept-remote
# Disable the IPXCP and IPX protocols.
# To let pppd pass IPX packets comment this out --- you'll probably also
# want to install ipxripd, and have the Internal IPX Network option enabled
# in your kernel. /usr/doc/HOWTO/IPX-HOWTO.gz contains more info.
noipx
# Exit once a connection has been made and terminated. This is the default,
# unless the `persist' or `demand' option has been specified.
#nopersist
# Do not exit after a connection is terminated; instead try to reopen
# the connection.
#persist
# Terminate after n consecutive failed connection attempts.
# A value of 0 means no limit. The default value is 10.
#maxfail <n>
# Initiate the link only on demand, i.e. when data traffic is present.
# With this option, the remote IP address must be specified by the user on
# the command line or in an options file. Pppd will initially configure
# the interface and enable it for IP traffic without connecting to the peer.
# When traffic is available, pppd will connect to the peer and perform
# negotiation, authentication, etc. When this is completed, pppd will
# commence passing data packets (i.e., IP packets) across the link.
#demand
# Specifies that pppd should disconnect if the link is idle for <n> seconds.
# The link is idle when no data packets (i.e. IP packets) are being sent or
# received. Note: it is not advisable to use this option with the persist
# option without the demand option. If the active-filter option is given,
# data packets which are rejected by the specified activity filter also
# count as the link being idle.
#idle <n>
# Specifies how many seconds to wait before re-initiating the link after
# it terminates. This option only has any effect if the persist or demand
# option is used. The holdoff period is not applied if the link was
# terminated because it was idle.
#holdoff <n>
# Wait for up to n milliseconds after the connect script finishes for a valid
# PPP packet from the peer. At the end of this time, or when a valid PPP
# packet is received from the peer, pppd will commence negotiation by
# sending its first LCP packet. The default value is 1000 (1 second).
# This wait period only applies if the connect or pty option is used.
#connect-delay <n>
# ---<End of File>---
--- /etc/pptpd.conf
cata:~# cat /etc/pptpd.conf
################################################################################
#
# Sample PoPToP configuration file
#
# for PoPToP version 0.9.12
#
################################################################################
# TAG: speed
#
# Specifies the speed for the PPP daemon to talk at.
#
speed 115200
# TAG: option
#
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options
# TAG: debug
#
# Turns on (more) debugging to syslog
#
debug
# TAG: localip
# TAG: remoteip
#
# Specifies the local and remote IP address ranges.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
#localip 10.0.1.1
#remoteip 10.0.1.2-100
#localip 203.17.40.97
#remoteip 203.17.40.109,203.17.40.106
localip 192.168.1.1-10
remoteip 192.168.1.11-20
--- /etc/ppp/pptpd-options
cata:~# cat /etc/ppp/pptpd-options
## SAMPLE ONLY
## CHANGE TO SUIT YOUR SYSTEM
## turn pppd syslog debugging on
#debug
## change 'servername' to whatever you specify as your server name in
## chap-secrets
name bluey
## change the domainname to your local domain
domain foo.bar
## these are reasonable defaults for WinXXXX clients
## for the security related settings
auth
require-chap
#require-chapms
#require-chapms-v2
+chap
#+chapms
#+chapms-v2
#mppe-40
#mppe-128
#mppe-stateless
#require-mppe
#require-mppe-stateless
## Fill in your addresses
#ms-dns 10.0.0.1
#ms-wins 10.0.0.1
## Fill in your netmask
netmask 255.255.255.0
## some defaults
nodefaultroute
proxyarp
lock
--- /etc/ppp/chap-secrets (note: no newline after final "*")
cata:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
"paulnet at bigpond" * "xxxxxxxx"
piglet bluey "password1" *
bluey piglet "password2" *
---
I'm sorry about the length of this email, but I felt that it would be
beneficial to include whatever seemed relevant...
Can anyone help me through this? I'd really like to get this PPTP VPN server
working...
Any help would be GREATLY appreciated...
Thank you!
P.S. If anyone feels the need to email me directly about this, please reply
to jhiggs at iprsystems.com and not the above address, as the iprsystems.com
server is currently listed on orbz as an open-relay (shouldn't be...
settings appear to be fine), and the pptp mail server rejects the mail from
me.... :-/
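An added illustration, not part of the original post and not PoPToP's own code: it expands the localip/remoteip syntax exactly as the pptpd.conf comments above describe it (comma-separated addresses or last-octet ranges, no spaces, ranges written in full) and checks the pool against a number of simultaneous clients. MAX_CONNECTIONS is a compile-time constant in pptpd; the value 100 used below is an assumption, not something stated in the post.

```python
import ipaddress
import re

# Added example, not part of the original post or of PoPToP's own code: it
# expands the localip/remoteip syntax described in the pptpd.conf comments
# (comma-separated addresses or last-octet ranges, no spaces, ranges written
# in full). MAX_CONNECTIONS is a compile-time constant in pptpd; 100 below is
# an assumed value, not taken from the post.
_ITEM = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})(?:-(\d{1,3}))?$")

def expand_ip_list(spec, max_connections=100):
    """Return the addresses pptpd would hand out, in file order, truncated to
    max_connections (restriction 2 in the sample file)."""
    if " " in spec:
        raise ValueError("no spaces are permitted in localip/remoteip (restriction 1)")
    addrs = []
    for item in spec.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError("bad address or range: %r" % item)
        prefix, lo = m.group(1), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) is not None else lo
        if hi < lo or hi > 255:
            # "234-8" lands here: ranges must be written as 234-238 (restriction 3)
            raise ValueError("bad range %r: write the full last octet, e.g. 234-238" % item)
        for octet in range(lo, hi + 1):
            # IPv4Address() rejects octets above 255 in the fixed part of the prefix
            addrs.append(str(ipaddress.IPv4Address(prefix + str(octet))))
    return addrs[:max_connections]

def check_pool(localip, remoteip, clients):
    """Restriction 4: one localip may serve every client, but there must be at
    least one remoteip per simultaneous client. Returns a list of problems."""
    local, remote = expand_ip_list(localip), expand_ip_list(remoteip)
    problems = []
    if len(remote) < clients:
        problems.append("only %d remoteip address(es) for %d clients" % (len(remote), clients))
    if len(local) != 1 and len(local) < clients:
        problems.append("only %d localip address(es) for %d clients" % (len(local), clients))
    return problems

if __name__ == "__main__":
    # The pool from the post's pptpd.conf: 10 local and 10 remote addresses
    print(check_pool("192.168.1.1-10", "192.168.1.11-20", 10))   # []
    print(expand_ip_list("192.168.0.234,192.168.0.245-249,192.168.0.254"))
```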
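A second added illustration, again not from the post and not pppd's own code: it models how pppd chooses a line from /etc/ppp/chap-secrets using the `name` option explained in the options file above (the server looks up <peer name> <own name>, so with `name bluey` a client called piglet is matched against the "piglet bluey" line, and the reverse line is used when the peer authenticates the server). The sample secrets text is constructed from the post's own placeholder lines.

```python
import shlex

# Added example, not pppd's own code: models how pppd picks a line from
# /etc/ppp/chap-secrets. Fields are client, server, secret and optional
# acceptable addresses; "*" matches any name. When the server authenticates
# a peer it looks up <peer name> <its own name>, the latter coming from the
# `name` option (bluey in the post's pptpd-options); when the peer
# authenticates the server, the two names swap roles.

# Constructed sample with the same layout as the post's chap-secrets (the
# secrets are the post's placeholder strings). The last line has no trailing
# newline, as the post notes; splitlines() copes with that.
SAMPLE_CHAP_SECRETS = (
    "# client server secret IP addresses\n"
    '"paulnet at bigpond" * "xxxxxxxx"\n'
    'piglet bluey "password1" *\n'
    'bluey piglet "password2" *'
)

def parse_chap_secrets(text):
    """Return (client, server, secret, addresses) tuples; quoted fields may
    contain spaces, and '#' outside quotes starts a comment."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError("need client, server and secret: %r" % line)
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def find_secret(entries, client, server):
    """Secret for a client/server pair, or None. Like pppd, an entry whose
    names match exactly beats one that matches only through wildcards."""
    best, best_score = None, -1
    for c, s, secret, _addrs in entries:
        if c not in (client, "*") or s not in (server, "*"):
            continue
        score = (c == client) + (s == server)
        if score > best_score:
            best, best_score = secret, score
    return best

if __name__ == "__main__":
    entries = parse_chap_secrets(SAMPLE_CHAP_SECRETS)
    # Server bluey checking client piglet's CHAP response
    print(find_secret(entries, "piglet", "bluey"))   # password1
    # Client piglet checking server bluey, if it demands authentication
    print(find_secret(entries, "bluey", "piglet"))   # password2
```

The secrets file should stay readable by root only; pppd itself warns when it is not.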