[pptp-server] pptpd routing issues
Frank Cusack
fcusack at fcusack.com
Fri Jun 7 01:16:05 CDT 2002
On Thu, Jun 06, 2002 at 08:15:11PM -0700, Christopher Aedo wrote:
> Connecting and authenticating work perfectly. Once connected I am able
> to ping the VPN IP and the tunnel IP from the client machine.
Meaning 192.168.0.81 and 192.168.0.80?
> The two route tables are:
> [CLIENT]
> Network Destination Netmask Gateway Interface Metric
> 0.0.0.0 0.0.0.0 192.168.0.81 192.168.0.81 1
> 0.0.0.0 0.0.0.0 192.168.123.254 192.168.123.167 21
> 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
> 192.168.0.81 255.255.255.255 127.0.0.1 127.0.0.1 50
> 192.168.0.255 255.255.255.255 192.168.0.81 192.168.0.81 50
> 192.168.123.0 255.255.255.0 192.168.123.167 192.168.123.167 20
> 192.168.123.167 255.255.255.255 127.0.0.1 127.0.0.1 20
> 192.168.123.255 255.255.255.255 192.168.123.167 192.168.123.167 20
> 207.136.138.29 255.255.255.255 192.168.123.254 192.168.123.167 20
> 224.0.0.0 240.0.0.0 192.168.123.167 192.168.123.167 20
> 224.0.0.0 240.0.0.0 192.168.0.81 192.168.0.81 1
> 255.255.255.255 255.255.255.255 192.168.123.167 192.168.123.167 1
> Default Gateway: 192.168.0.81
I would expect you to have a /32 route for 192.168.0.80, but it may
be that it didn't get added b/c you have the default route via ppp.
> [VPN SERVER]
[ looks ok ]
> However, I can not ping PAST the VPN FROM the client machine. (i.e.
> timeout when pinging 192.168.0.1, which is the NAT machine gateway.)
> Pinging any other IP on the remote network also fails from the client
> machine.
I would expect that ppp on the VPN server side is not doing proxy arp.
> ppp.conf:
> loop:
> set timeout 0
> set log phase chat connect lcp ipcp command
> set device localhost:pptp
> set dial
> set login
> set mppe * stateful
I would disable stateful mode, it's a giant security hole.
> enable proxy
Does this enable proxy arp? I am unable to find documentation for this
flavor of ppp on www.openbsd.org.
Get on another machine on 192.168.0/23 and see if you can ping 192.168.0.81
(or whatever IP the client gets). Check the arp table after the ping to
see what it says for 192.168.0.81. If it looks like
? (192.168.0.81) at <incomplete>
then your VPN server is not doing proxy arp.
If there is a MAC, verify that it's the VPN server's MAC. If not, you
have an IP conflict. If so, the pptp tunnel isn't working correctly.
/fc
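As an added example, not part of Frank's reply or the pptpd project, the following POSIX shell function applies the arp-table check described above to arp(8) output. It picks the entry for the VPN client's IP and reports whether the entry is incomplete (no proxy arp on the server), resolves to the VPN server's own MAC (proxy arp works, so the tunnel itself is suspect), or resolves to some other MAC (an IP conflict). The arp output, the MAC addresses and the interface name are constructed for the example; the expected VPN server MAC would normally come from ifconfig on the server.

```shell
#!/bin/sh
# Added example: classify the arp(8) entry for a VPN client's IP the way the
# reply above describes. All sample data below is constructed.

# classify_arp_entry IP EXPECTED_VPN_MAC ARP_OUTPUT
# Prints exactly one of:
#   no-entry      - the LAN host never tried (or failed) to resolve the IP
#   no-proxy-arp  - entry is "<incomplete>": nobody answered the ARP request,
#                   so the VPN server is not proxy-arping for the client
#   proxy-arp-ok  - entry holds the VPN server's MAC: proxy arp works, so the
#                   pptp tunnel itself is not forwarding correctly
#   ip-conflict   - entry holds some other MAC: another host owns that IP
classify_arp_entry() {
    ip="$1"
    vpn_mac="$2"
    arp_output="$3"

    # arp prints "? (IP) at MAC on IFACE" or "? (IP) at <incomplete>";
    # matching on "(IP)" with the parentheses avoids prefix matches
    line=$(printf '%s\n' "$arp_output" | grep -F "($ip)")
    if [ -z "$line" ]; then
        echo "no-entry"
        return 0
    fi

    case "$line" in
        *"<incomplete>"*|*"(incomplete)"*)
            echo "no-proxy-arp"
            return 0
            ;;
    esac

    # The MAC is the field right after "at"; compare case-insensitively
    mac=$(printf '%s\n' "$line" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "at") { print tolower($(i+1)); exit } }')
    want=$(printf '%s' "$vpn_mac" | tr 'A-Z' 'a-z')
    if [ "$mac" = "$want" ]; then
        echo "proxy-arp-ok"
    else
        echo "ip-conflict"
    fi
}

# Constructed sample data: a made-up VPN server MAC and three arp -an captures
VPN_SERVER_MAC='0:a0:c9:ab:cd:ef'
SAMPLE_INCOMPLETE='? (192.168.0.1) at 0:a0:c9:12:34:56 on fxp0
? (192.168.0.81) at <incomplete>'
SAMPLE_OK='? (192.168.0.1) at 0:a0:c9:12:34:56 on fxp0
? (192.168.0.81) at 0:A0:C9:AB:CD:EF on fxp0'
SAMPLE_CONFLICT='? (192.168.0.81) at 0:50:56:11:22:33 on fxp0'

# Usage on a real LAN host: ping the client IP first, then
#   classify_arp_entry 192.168.0.81 "$VPN_SERVER_MAC" "$(arp -an)"
for sample in "$SAMPLE_INCOMPLETE" "$SAMPLE_OK" "$SAMPLE_CONFLICT"; do
    echo "192.168.0.81: $(classify_arp_entry 192.168.0.81 "$VPN_SERVER_MAC" "$sample")"
done
```

The function only interprets the arp table; the ping that populates it has to be run first on a host that shares the 192.168.0/23 segment, because a ping from the VPN server itself would never need ARP for its own proxied address.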