[lug] PoPToP connection issue

Ryan Wheaton ryan.wheaton at comcast.net
Wed Jan 7 16:26:02 MST 2004


OK, I've run kernelmod again, and everything seemed to go fine, but it 
didn't seem to work.  The script didn't ask me if I wanted to make an 
RPM (like the README says it will).  Here's the end output of the script:

-------------------------------------------------
--> Locating patches.
Found patches for 2.4.
Checking for specific patches.
Found patches for 2.4.21
-------------------------------------------------
--> Patches & sources
Applying patch /tmp/kernelmod/2.4/linux-2.4.21-bsd-mppe.patch
patching file include/linux/ppp-comp.h
patching file drivers/net/Config.in
Hunk #1 succeeded at 307 (offset 18 lines).
patching file drivers/net/Makefile
Hunk #2 succeeded at 157 (offset 6 lines).
Hunk #3 succeeded at 267 (offset 7 lines).
patching file drivers/net/ppp_generic.c
Hunk #1 succeeded at 1045 (offset 15 lines).
Hunk #3 succeeded at 1573 (offset 15 lines).
Copying extra sources to /usr/src/linux-2.4/
arcfour.c --> /usr/src/linux-2.4//drivers/net/arcfour.c
arcfour.h --> /usr/src/linux-2.4//drivers/net/arcfour.h
ppp_mppe_compress.c --> /usr/src/linux-2.4//drivers/net/ppp_mppe_compress.c
sha1.c --> /usr/src/linux-2.4//drivers/net/sha1.c
sha1.h --> /usr/src/linux-2.4//drivers/net/sha1.h
Copying extra sources to /tmp/kernelmod/build/
-------------------------------------------------
Building module arcfour.o
Building module ppp_generic.o
Building module ppp_mppe_compress.o
Building module sha1.o
Building module ppp_mppe.o
-------------------------------------------------
Installing module ppp_generic.o in 
/lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
Installing module ppp_mppe.o in 
/lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
Updating module dependencies
Everything seems OK. Removing buildstuff in /tmp/kernelmod/build

but, here's what actually gets installed:

]# lsmod
Module                  Size  Used by    Tainted: P
ppp_mppe               13912   0  (unused)
ppp_generic            24820   0  [ppp_mppe]
slhc                    6756   0  [ppp_generic]
agpgart                56664   5  (autoclean)
parport_pc             19076   1  (autoclean)
lp                      9028   0  (autoclean)
parport                37088   1  (autoclean) [parport_pc lp]
autofs                 13364   0  (autoclean) (unused)
3c59x                  30928   1
floppy                 58160   0  (autoclean)
microcode               4724   0  (autoclean)
loop                   12120   0  (autoclean)
keybdev                 2976   0  (unused)
mousedev                5524   1
hid                    22212   0  (unused)
input                   5920   0  [keybdev mousedev hid]
usb-uhci               26412   0  (unused)
usbcore                79424   1  [hid usb-uhci]
ext3                   91592   2
jbd                    52336   2  [ext3]
lvm-mod                64672   3


Again, missing the modules that you specified...  When I try to do an
]# insmod ipt_state
Using /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o
/lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ip_conntrack_get_Ra6f02512
/lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ip_conntrack_module_Rb0361033
/lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ipt_register_match_R91801b7c
/lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ipt_unregister_match_R77bac37b


Here's what I get whenever I do a strings on pppd:
set_mppe_enc_types
refuse_mppe_stateful
mppe_recv_key
mppe_keys_set
mppe_send_key
mppe_set_keys
nomppe-stateful
mppe-stateful
-mppe-128
nomppe-128
+mppe-128
require-mppe-128
-mppe-40
nomppe-40
+mppe-40
require-mppe-40
-mppe
nomppe
+mppe
require-mppe
mppe %s %s %s %s %s %s%s

I'm not quite sure what the nomppe-stateful thing does.  Here's the 
version output from pppd:  pppd version 2.4.2b3

Anyone got any ideas why those other modules don't start?  Or why the 
kernelmod.sh script seems to complete without actually installing all 
the right modules?

Sorry to burden the list with all this; it's just that I can't seem to 
find a lot of the documentation anywhere else.

-r

On Wednesday, Jan 7, 2004, at 13:16 America/Denver, bdoctor at ps-ax.com 
wrote:

> I'd definitely put those refuse options in there - I seem to recall it
> not working, or that the client would *always* do 40bit MPPE, which is
> unacceptable.
>
> I also seem to recall patching pppd.  I did a strings on it:
>
> 7 @vpn:/home/bdoctor/poptop-1.1.4 > strings /usr/sbin/pppd|grep mppe
> set_mppe_enc_types
> refuse_mppe_stateful
> mppe_recv_key
> mppe_keys_set
> mppe_send_key
> mppe_set_keys
> require-mppe
> +mppe
> nomppe
> require-mppe-40
> +mppe-40
> nomppe-40
> require-mppe-128
> +mppe-128
> nomppe-128
> nomppe-stateful
> mppe %s %s %s %s %s %s%s
>
> and the version:
>
> 3 @vpn:/home/bdoctor> pppd --version
> pppd version 2.4.2b3
>
> I cannot remember for sure if I patched it though.  I think I did?
>
> One thing is for sure - there are a lot of little gotchas that I
> struggled through and it was a complete pain.  Not having MPPE support
> in your module listing is an issue I believe.  I know that without the
> kernelmod patch, nothing would work properly for me.
>
> Also, without the conntrack modules connections through the device (to
> the Internet) would fail.  Internal connections would work fine however.
>
> This particular installation fully supports windows clients, including
> domain logons, network/smb browsing, the whole bit.  Also forces all
> traffic to go through the device, rather than a split-horizon type of
> setup.  Naturally, I cannot remember everything that I did, beyond the
> pain :)
>
> Also, the kernelmod patch will produce modules, so if you have a working
> source tree for the running kernel, you won't have to install a new
> kernel image - so doing it remotely is safer than it would be otherwise.
> This patch provides the MPPE support.
>
> Another thing that helped me is to run tcpdump, and to run the server in
> full debug mode (both options.pptpd and pptpd.conf).
>
> -brad
>
>> OK.  I'm pretty sure that I did all that you said.  I found that there
>> was a problem in my options.pptpd file: I had the option
>>
>> nobsdcomp
>>
>> with a "0" at the end of it.  I ran pppd manually and it didn't like
>> that one bit.
>>
>> Now, when I try to connect, my client gives me the error:
>>
>> Error 732:  Your computer and the remote computer could not agree on
>> ppp control protocols
>>
>> Googling on this error only yields two sites....  Reading the PopToP
>> FAQ, it says that there are patches available to make pppd compatible
>> with the MSCHAP protocol, but the version on the patches that I found
>> is 2.3.5 while the one that I have is version 2.4.2.
>>
>> here is an lsmod output:
>>
>> Module                  Size  Used by    Not tainted
>> ppp_async               9440   0  (autoclean)
>> ppp_generic            24820   0  (autoclean) [ppp_async]
>> slhc                    6756   0  (autoclean) [ppp_generic]
>> agpgart                56664   5  (autoclean)
>> parport_pc             19076   1  (autoclean)
>> lp                      9028   0  (autoclean)
>> parport                37088   1  (autoclean) [parport_pc lp]
>> autofs                 13364   0  (autoclean) (unused)
>> 3c59x                  30928   1
>> floppy                 58160   0  (autoclean)
>> microcode               4724   0  (autoclean)
>> loop                   12120   0  (autoclean)
>> keybdev                 2976   0  (unused)
>> mousedev                5524   1
>> hid                    22212   0  (unused)
>> input                   5888   0  [keybdev mousedev hid]
>> usb-uhci               26412   0  (unused)
>> usbcore                79392   1  [hid usb-uhci]
>> ext3                   91592   2
>> jbd                    52336   2  [ext3]
>> lvm-mod                64672   3
>>
>> I'm not quite sure why I'm missing all the other modules (or where else
>> to get them).  I installed all the relevant packages you listed below.
>>
>> here is my options.pptpd:
>>
>> ## CHANGE TO SUIT YOUR SYSTEM
>> lock
>>
>> ## turn pppd syslog debugging on
>> debug
>>
>> ## change 'pptpd' to whatever you specify as your server name in chap-secrets
>> name pptpd
>>
>> proxyarp
>> nobsdcomp
>>
>> # This option applies if you use ppp with chapms-strip-domain patch
>> #chapms-strip-domain
>>
>> # These options apply if you use ppp with mppe patch
>> # NB! You should also apply the ChapMS-V2 patch
>> #-chap
>> #-chapms
>> #+chapms-v2
>> #mppe-128
>> #mppe-stateless
>>
>> # These options will tell ppp to pass on these to your clients
>> # To use ms-wins or ms-dns in options.pptpd it must exist in /etc/resolv.conf
>> ms-wins ip.of.wins.srvr
>> ms-dns ip.of.dns.srvr
>>
>> Would it make a big difference to add the "refuse" options that you
>> have listed in your options.pptpd file?  (I'll give it a shot anyway.)
>>
>> thanks for the help and sorry for the long post.
>>
>> -r
>> On Wednesday, Jan 7, 2004, at 12:33 America/Denver, bdoctor at ps-ax.com
>> wrote:
>>
>>> A module listing would be helpful.  Here are the relevant modules
>>> running on a poptop server:
>>>
>>> ppp_async               9440   3 (autoclean)
>>> ppp_mppe               13944   6
>>> ppp_generic            24604   9 [ppp_async ppp_mppe]
>>> slhc                    6740   0 [ppp_generic]
>>> ipt_state               1048   1 (autoclean)
>>> ip_nat_pptp             2764   0 (unused)
>>> ip_conntrack_pptp       3824   1
>>> ip_conntrack_proto_gre    4468   0 [ip_nat_pptp ip_conntrack_pptp]
>>>
>>> And here is the options.pptpd:
>>>
>>> ## CHANGE TO SUIT YOUR SYSTEM
>>> lock
>>>
>>> ## turn pppd syslog debugging on
>>> debug
>>>
>>> ## change 'pptpd' to whatever you specify as your server name in chap-secrets
>>> name vpn.server.com
>>>
>>> # Don't need this
>>> #nobsdcomp
>>>
>>> #noauth
>>> auth
>>> # Tell pptpd to find local interface and put it in proxyarp mode
>>> proxyarp
>>>
>>> ipcp-accept-local
>>> ipcp-accept-remote
>>> lcp-echo-failure 3
>>> lcp-echo-interval 5
>>> deflate 0
>>>
>>> # This option applies if you use ppp with chapms-strip-domain patch
>>> #chapms-strip-domain
>>>
>>> # These options are for use with the OpenSSL-licensed patch
>>> # This flavor will be obsoleted ASAP.
>>> # NB! You should also apply the ChapMS-V2 patch
>>> #-chap
>>> #-chapms
>>> #+chapms-v2
>>> #mppe-40        # both 40-bit and 128-bit encryption bite each other
>>> #mppe-128
>>> #mppe-stateless
>>>
>>> # These options are for use with the BSD-licensed patch (ppp => 2.4.2)
>>> # This is the default implementation
>>> refuse-pap
>>> refuse-eap
>>> refuse-chap
>>> refuse-mschap
>>> require-mppe
>>> nomppe-stateful
>>> nomppe-40
>>>
>>> # These options will tell ppp to pass on these to your clients
>>> # To use ms-wins or ms-dns in options.pptpd it must exist in /etc/resolv.conf
>>> #ms-wins <ip-of-your-winsserver>
>>> ms-dns <internal IP>
>>>
>>>
>>> Sample log entry for successful connection:
>>>
>>> Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Client <ip.address> control connection started
>>> Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Starting call (launching pppd, opening GRE)
>>> Jan  7 11:37:41 vpn pppd[12195]: pppd 2.4.2b3 started by shmoe, uid 8990
>>> Jan  7 11:37:41 vpn pppd[12195]: Using interface ppp1
>>> Jan  7 11:37:41 vpn pppd[12195]: Connect: ppp1 <--> /dev/pts/1
>>> Jan  7 11:37:42 vpn pptpd[12194]: GRE: Discarding duplicate packet
>>> Jan  7 11:37:44 vpn pptpd[12194]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
>>> Jan  7 11:37:44 vpn pppd[12195]: CHAP peer authentication succeeded for username
>>> Jan  7 11:37:44 vpn pppd[12195]: MPPE 128-bit stateless compression enabled
>>>
>>> And then for the setup on the windows client, it is really basic - no
>>> custom options, just select maximum security for the connection.
>>>
>>> Key elements for this to work:
>>>
>>> mppe support in kernel
>>> gre support in kernel
>>> conntrack support, as noted above
>>>
>>> Also be sure to download and apply the kernelmod package.  It won't
>>> work until you do that.
>>>
>>> Best of luck!
>>> -brad
>>>
>>>> Hey guys,
>>>>
>>>> I'm lost, basically because I've never set up a VPN server before, but
>>>> I'm trying to set one up using PoPToP on WhiteBox Linux.  I've patched
>>>> the kernel and installed all the right stuff and edited the right conf
>>>> files per the RedHat installation instructions on the poptop.org
>>>> website.  But when I try to connect a Win2k client to the server I get
>>>> this:
>>>>
>>>> Error 619:  The specified port is not connected.
>>>>
>>>> Here's what is in the logs:
>>>>
>>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress control connection started
>>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Starting call (launching pppd, opening GRE)
>>>> Jan  7 09:44:38 hostname pptpd[1823]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
>>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
>>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress control connection finished
>>>>
>>>>
>>>> This doesn't make much sense to me.  I don't have much experience with
>>>> GRE, so I'm a little lost.  The only idea that I have is to disable
>>>> GRE in the kernel and recompile, but I'm working from home today (to
>>>> test the VPN) and don't really wish to recompile and test a new kernel
>>>> remotely :)
>>>>
>>>>
>>>> Thanks for the help in advance.
>>>>
>>>> -r
>>>>
>>>> _______________________________________________
>>>> Web Page:  http://lug.boulder.co.us
>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>>>>
>>>
>>> -- 
>>> Brad Doctor, CISSP
>>>
>>
>>
>
> -- 
> Brad Doctor, CISSP
>
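
Added example for this page (not code from the thread, nor from the pptpd or ppp projects): a small POSIX shell preflight that checks the two things this exchange keeps coming back to. First, the module set. The "insmod ipt_state" failure quoted above is what insmod does when a module references symbols exported by modules that are not loaded yet (ip_conntrack_get comes from ip_conntrack, ipt_register_match from ip_tables; the _R... suffix is the CONFIG_MODVERSIONS version hash). insmod loads only the one object; modprobe reads modules.dep and loads the dependencies first, and lsmod then shows what is actually resident, which is why Brad asked for a module listing rather than the build log. Second, options.pptpd. With pppd 2.4.2's built-in MPPE support, refuse-pap/refuse-chap/refuse-mschap/refuse-eap leave MS-CHAPv2 as the only negotiable method, and require-mppe-128 (or require-mppe plus nomppe-40) together with nomppe-stateful forces 128-bit stateless MPPE instead of letting the client settle for 40-bit or none. The required module list and the audit rules are taken from Brad's working lsmod and options.pptpd; the lsmod text and the two option files are constructed from the thread's listings so the script runs on any box without pptpd, and the function names (missing_modules, opt_present, audit_pptpd_options) are this example's own.

```shell
#!/bin/sh
# Added preflight checks for a PoPToP/pppd 2.4.2 server, written for this page
# (not from the thread or the pptpd/ppp projects). Inputs are constructed.

# Modules loaded on Brad's working server: ppp_mppe from the kernelmod patch,
# plus the GRE conntrack/NAT helpers. insmod loads one object and fails on
# symbols exported by modules not yet loaded; modprobe resolves modules.dep.
REQUIRED_MODULES="ppp_generic ppp_mppe ppp_async ipt_state \
ip_conntrack_pptp ip_conntrack_proto_gre ip_nat_pptp"

# missing_modules LSMOD_OUTPUT: print every required module absent from column 1.
missing_modules() {
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$1" | awk -v m="$m" '$1 == m { f = 1 } END { exit !f }'; then
            printf '%s\n' "$m"
        fi
    done
}

# opt_present FILE NAME: true when NAME is an uncommented bare option in FILE.
# Matching the first field with grep -F keeps '+mppe' from acting as a regex.
opt_present() {
    sed 's/#.*//' "$1" | awk 'NF { print $1 }' | grep -qFx -- "$2"
}

# audit_pptpd_options FILE: one line per weakness; exit 0 only when none found.
# Encodes Brad's hardened file: refuse PAP/CHAP/MS-CHAPv1/EAP so only MS-CHAPv2
# is left, require 128-bit MPPE, forbid stateful mode, and never allow noauth.
audit_pptpd_options() {
    f=$1; n=0
    for need in refuse-pap refuse-chap refuse-mschap refuse-eap; do
        if ! opt_present "$f" "$need"; then
            echo "missing: $need (a weaker auth method stays negotiable)"
            n=$((n + 1))
        fi
    done
    if ! opt_present "$f" require-mppe-128 &&
       ! { opt_present "$f" require-mppe && opt_present "$f" nomppe-40; }; then
        echo "missing: require-mppe-128 (or require-mppe plus nomppe-40)"
        n=$((n + 1))
    fi
    if ! opt_present "$f" nomppe-stateful; then
        echo "missing: nomppe-stateful"
        n=$((n + 1))
    fi
    for bad in noauth nomppe; do
        if opt_present "$f" "$bad"; then
            echo "weak: $bad present"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample input, copied from the lsmod listings in the thread.
RYAN_LSMOD='Module                  Size  Used by    Tainted: P
ppp_mppe               13912   0  (unused)
ppp_generic            24820   0  [ppp_mppe]
slhc                    6756   0  [ppp_generic]'
BRAD_LSMOD='ppp_async               9440   3 (autoclean)
ppp_mppe               13944   6
ppp_generic            24604   9 [ppp_async ppp_mppe]
ipt_state               1048   1 (autoclean)
ip_nat_pptp             2764   0 (unused)
ip_conntrack_pptp       3824   1
ip_conntrack_proto_gre    4468   0 [ip_nat_pptp ip_conntrack_pptp]'

# Constructed options.pptpd files: Ryan's (MPPE lines commented out) and Brad's.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/weak" <<'EOF'
lock
name pptpd
nobsdcomp
#-chap
#mppe-128
ms-dns ip.of.dns.srvr
EOF
cat > "$SAMPLES/hardened" <<'EOF'
#noauth
auth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mppe
nomppe-stateful
nomppe-40
ms-dns 192.0.2.1
EOF

# On a live 2.4 box:  modprobe -a ppp_mppe ip_nat_pptp ipt_state
#   missing_modules "$(lsmod)";  audit_pptpd_options /etc/ppp/options.pptpd
echo "missing on Ryan's box:"; missing_modules "$RYAN_LSMOD"
echo "Ryan's options.pptpd:"; audit_pptpd_options "$SAMPLES/weak" || true
echo "Brad's options.pptpd:"; audit_pptpd_options "$SAMPLES/hardened" && echo "clean"
```

Run against the thread's own listings it reports the five modules absent from Ryan's second lsmod and six findings for his options.pptpd, and nothing for Brad's. The audit deliberately accepts Brad's require-mppe plus nomppe-40 pair as equivalent to require-mppe-128, since both leave 128-bit as the only key length the server will negotiate.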



