[pptp-server] pptpd routing issues

Frank Cusack fcusack at fcusack.com
Fri Jun 7 01:16:05 CDT 2002

On Thu, Jun 06, 2002 at 08:15:11PM -0700, Christopher Aedo wrote:
> Connecting and authenticating work perfectly.  Once connected I am able 
> to ping the VPN IP and the tunnel IP from the client machine.

Meaning and

> The two route tables are:
> Network Destination        Netmask          Gateway       Interface  Metric
>       1
>       21
>      1
>      50
>      50
>      20
>      20
>      20
>      20
>      20
>      1
>      1
> Default Gateway:

I would expect you to have a /32 route for, but it may
be that it didn't get added b/c you have the default route via ppp.

[ looks ok ]

> However, I can not ping PAST the VPN FROM the client machine.  (i.e. 
> timeout when pinging, which is the NAT machine gateway.) 
>  Pinging any other IP on the remote network also fails from the client 
> machine.

I would expect that ppp on the VPN server side is not doing proxy arp.

> ppp.conf:
> loop:
>   set timeout 0
>   set log phase chat connect lcp ipcp command
>   set device localhost:pptp
>   set dial
>   set login
>   set mppe * stateful

I would disable stateful mode, it's a giant security hole.

>   enable proxy

Does this enable proxy arp?  I am unable to find documentation for this
flavor of ppp on www.openbsd.org.

Get on another machine on 192.168.0/23 and see if you can ping
(or whatever IP the client gets).  Check the arp table after the ping to
see what it says for  If it looks like

    ? ( at <incomplete>

then your VPN server is not doing proxy arp.

If there is a MAC, verify that it's the VPN server's MAC.  If not, you
have an IP conflict.  If so, the pptp tunnel isn't working correctly.
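
The ARP check described in the message above, as an added example that is not part of the original post: a shell function that reads `arp -an` output taken on another LAN host and reports which of the three outcomes applies. The function names, the `no-entry` result, and all addresses and MACs are assumptions constructed for illustration; the parser assumes the usual `? (ip) at mac ...` line layout.

```shell
#!/bin/sh
# Constructed sample of `arp -an` output (BSD style: leading zeros dropped).
sample_arp() {
    cat <<'EOF'
? (192.168.0.1) at 0:d0:b7:1:2:3 on fxp0
? (192.168.0.50) at 0:a:95:9d:68:16 on fxp0
? (192.168.0.51) at (incomplete) on fxp0
EOF
}

# norm_mac MAC: lowercase and drop the leading zero of each octet, so
# "00:0A:..." (Linux style) and "0:a:..." (BSD style) compare equal.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        sed -e 's/^0\([0-9a-f]\)/\1/' -e 's/:0\([0-9a-f]\)/:\1/g'
}

# diagnose_arp CLIENT_IP SERVER_MAC   (reads `arp -an` output on stdin)
diagnose_arp() {
    ip=$1
    want=$(norm_mac "$2")
    # Field 2 is "(ip)"; field 4 is the MAC or an incomplete marker.
    got=$(awk -v ip="($ip)" '$2 == ip { print $4; exit }')
    case $got in
        "")           echo no-entry ;;        # ping first, then re-check
        *incomplete*) echo no-proxy-arp ;;    # server is not answering ARP
        *)
            if [ "$(norm_mac "$got")" = "$want" ]; then
                echo tunnel-problem           # ARP is fine, look at pptp
            else
                echo ip-conflict              # another host owns this IP
            fi ;;
    esac
}

# Demo with the constructed sample; on a real host pipe in `arp -an`.
sample_arp | diagnose_arp 192.168.0.50 00:0A:95:9D:68:16
```
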


