[pptp-server] pptpd routing issues

Frank Cusack fcusack at fcusack.com
Fri Jun 7 01:16:05 CDT 2002


On Thu, Jun 06, 2002 at 08:15:11PM -0700, Christopher Aedo wrote:
> Connecting and authenticating work perfectly.  Once connected I am able 
> to ping the VPN IP and the tunnel IP from the client machine.

Meaning 192.168.0.81 and 192.168.0.80?

> The two route tables are:
> [CLIENT]
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0     192.168.0.81    192.168.0.81      1
>           0.0.0.0          0.0.0.0  192.168.123.254  192.168.123.167      21
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
>      192.168.0.81  255.255.255.255        127.0.0.1       127.0.0.1      50
>     192.168.0.255  255.255.255.255     192.168.0.81    192.168.0.81      50
>     192.168.123.0    255.255.255.0  192.168.123.167  192.168.123.167      20
>   192.168.123.167  255.255.255.255        127.0.0.1       127.0.0.1      20
>   192.168.123.255  255.255.255.255  192.168.123.167  192.168.123.167      20
>    207.136.138.29  255.255.255.255  192.168.123.254  192.168.123.167      20
>         224.0.0.0        240.0.0.0  192.168.123.167  192.168.123.167      20
>         224.0.0.0        240.0.0.0     192.168.0.81    192.168.0.81      1
>   255.255.255.255  255.255.255.255  192.168.123.167  192.168.123.167      1
> Default Gateway:      192.168.0.81

I would expect you to have a /32 route for 192.168.0.80, but it may
be that it didn't get added b/c you have the default route via ppp.

> [VPN SERVER]
[ looks ok ]

> However, I can not ping PAST the VPN FROM the client machine.  (i.e. 
> timeout when pinging 192.168.0.1, which is the NAT machine gateway.) 
>  Pinging any other IP on the remote network also fails from the client 
> machine.

I would expect that ppp on the VPN server side is not doing proxy arp.

> ppp.conf:
> loop:
>   set timeout 0
>   set log phase chat connect lcp ipcp command
>   set device localhost:pptp
>   set dial
>   set login
>   set mppe * stateful

I would disable stateful mode, it's a giant security hole.

>   enable proxy

Does this enable proxy arp?  I am unable to find documentation for this
flavor of ppp on www.openbsd.org.

Get on another machine on 192.168.0/23 and see if you can ping 192.168.0.81
(or whatever IP the client gets).  Check the arp table after the ping to
see what it says for 192.168.0.81.  If it looks like

    ? (192.168.0.81) at <incomplete>

then your VPN server is not doing proxy arp.

If there is a MAC, verify that it's the VPN server's MAC.  If not, you
have an IP conflict.  If so, the pptp tunnel isn't working correctly.

/fc
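
The ARP check described in the reply above, written out as an added example (not part of the original message or of any pptpd/ppp tooling). It classifies `arp -a` style output for the client's IP into the three outcomes the reply names; the function names, verdict strings and sample lines are assumptions made for illustration, and the MAC addresses are constructed from the RFC 7042 documentation range.

```python
import re

# Matches BSD "? (ip) at mac on if" and Linux "? (ip) at mac [ether] on if".
ARP_LINE = re.compile(r"\((?P<ip>[0-9.]+)\)\s+at\s+(?P<hw>\S+)")
INCOMPLETE = ("<incomplete>", "(incomplete)")  # Linux and BSD spellings


def norm_mac(mac):
    """Lower-case and zero-pad each octet; BSD arp prints 0:0:5e:0:53:1."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)


def diagnose(arp_output, client_ip, server_mac):
    """Return a verdict for client_ip as seen from another LAN host."""
    want = norm_mac(server_mac)
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if not m or m.group("ip") != client_ip:
            continue
        hw = m.group("hw")
        if hw in INCOMPLETE:
            return "no-proxy-arp"    # nobody answered ARP for the client IP
        if norm_mac(hw) == want:
            return "tunnel-problem"  # proxy ARP works, fault is past it
        return "ip-conflict"         # some other host claims the client IP
    return "no-entry"                # ping first, then read the table again


# Constructed sample ARP tables (the first line is the form quoted above).
SAMPLE_INCOMPLETE = "? (192.168.0.81) at <incomplete>"
SAMPLE_SERVER = ("? (192.168.0.1) at 0:0:5e:0:53:fe on fxp0\n"
                 "? (192.168.0.81) at 0:0:5e:0:53:1 on fxp0")
SAMPLE_OTHER = "? (192.168.0.81) at 00:00:5e:00:53:99 [ether] on eth0"
SERVER_MAC = "00:00:5E:00:53:01"  # constructed VPN server MAC

if __name__ == "__main__":
    for table in (SAMPLE_INCOMPLETE, SAMPLE_SERVER, SAMPLE_OTHER):
        print(diagnose(table, "192.168.0.81", SERVER_MAC))
```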



