[lug] PoPToP connection issue

bdoctor at ps-ax.com bdoctor at ps-ax.com
Wed Jan 7 17:06:14 MST 2004


For the RPM - don't worry about that as it is not required.  That would
allow you to take it and install it on another machine, or for some odd reason
to re-install on the current machine.

For the module not loading properly, there are likely dependencies.  This is
how I force the loading from my startup script for pptpd:

        modprobe ip_conntrack_pptp 1> /dev/null 2>&1
        modprobe ip_nat_pptp 1> /dev/null 2>&1

You will need to download and install the patch-o-matic package from
netfilter.org.  Then you will need to use the 'runme' command and apply:

runme extra/pptp-conntrack-nat.patch

32 @vpn:/home/bdoctor/patch-o-matic/extra > more pptp-conntrack-nat.patch.help 
Author: Harald Welte <laforge at gnumonks.org>
Status: Beta

This adds CONFIG_IP_NF_PPTP:
Connection tracking and NAT support for PPTP.

Note that this code currently has limitations
- can only NAT connections from PNS to PAC
- doesn't support multiple calls within one session


Then, configure your kernel with your favorite method and enable:

IP: tunneling
IP: GRE tunnels over IP (module)
IP: broadcast GRE over IP

Netfilter:
Connection tracking
GRE protocol support
PPTP protocol support
All Connection tracking
...

Actually, for netfilter I enable everything as a module.  The above three
entries are critical, however.

After you have done this, recompile the modules:
make modules
And install the modules:
make modules_install

The kernelmod part did its thing, but your netfilter setup is lacking.

Also, in /etc/modules.conf I have these relevant entries:

alias char-major-108 ppp_generic
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty

One thing is for sure - as painful as this is, once it is setup, it works
very well and requires nearly no maintenance.  So there is a light at the 
end of this tunnel.

-brad

> OK, I've run kernelmod again, and everything seemed to go fine, but it 
> didn't seem to work.  The script didn't ask me if I wanted to make an 
> RPM (like the README says it will); here's the end output of the script:
> 
> -------------------------------------------------
> --> Locating patches.
> Found patches for 2.4.
> Checking for specific patches.
> Found patches for 2.4.21
> -------------------------------------------------
> --> Patches & sources
> Applying patch /tmp/kernelmod/2.4/linux-2.4.21-bsd-mppe.patch
> patching file include/linux/ppp-comp.h
> patching file drivers/net/Config.in
> Hunk #1 succeeded at 307 (offset 18 lines).
> patching file drivers/net/Makefile
> Hunk #2 succeeded at 157 (offset 6 lines).
> Hunk #3 succeeded at 267 (offset 7 lines).
> patching file drivers/net/ppp_generic.c
> Hunk #1 succeeded at 1045 (offset 15 lines).
> Hunk #3 succeeded at 1573 (offset 15 lines).
> Copying extra sources to /usr/src/linux-2.4/
> arcfour.c --> /usr/src/linux-2.4//drivers/net/arcfour.c
> arcfour.h --> /usr/src/linux-2.4//drivers/net/arcfour.h
> ppp_mppe_compress.c --> 
> /usr/src/linux-2.4//drivers/net/ppp_mppe_compress.c
> sha1.c --> /usr/src/linux-2.4//drivers/net/sha1.c
> sha1.h --> /usr/src/linux-2.4//drivers/net/sha1.h
> Copying extra sources to /tmp/kernelmod/build/
> -------------------------------------------------
> Building module arcfour.o
> Building module ppp_generic.o
> Building module ppp_mppe_compress.o
> Building module sha1.o
> Building module ppp_mppe.o
> -------------------------------------------------
> Installing module ppp_generic.o in 
> /lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
> Installing module ppp_mppe.o in 
> /lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
> Updating module dependencies
> Everything seems OK. Removing buildstuff in /tmp/kernelmod/build
> 
> but, here's what actually gets installed:
> 
> ]# lsmod
> Module                  Size  Used by    Tainted: P
> ppp_mppe               13912   0  (unused)
> ppp_generic            24820   0  [ppp_mppe]
> slhc                    6756   0  [ppp_generic]
> agpgart                56664   5  (autoclean)
> parport_pc             19076   1  (autoclean)
> lp                      9028   0  (autoclean)
> parport                37088   1  (autoclean) [parport_pc lp]
> autofs                 13364   0  (autoclean) (unused)
> 3c59x                  30928   1
> floppy                 58160   0  (autoclean)
> microcode               4724   0  (autoclean)
> loop                   12120   0  (autoclean)
> keybdev                 2976   0  (unused)
> mousedev                5524   1
> hid                    22212   0  (unused)
> input                   5920   0  [keybdev mousedev hid]
> usb-uhci               26412   0  (unused)
> usbcore                79424   1  [hid usb-uhci]
> ext3                   91592   2
> jbd                    52336   2  [ext3]
> lvm-mod                64672   3
> 
> 
> again, missing the modules that you specified...  when I try to do an
> ]# insmod ipt_state
> Using /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o
> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: 
> unresolved symbol ip_conntrack_get_Ra6f02512
> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: 
> unresolved symbol ip_conntrack_module_Rb0361033
> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: 
> unresolved symbol ipt_register_match_R91801b7c
> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: 
> unresolved symbol ipt_unregister_match_R77bac37b
> 
> 
> whenever I do a strings on pppd:
> set_mppe_enc_types
> refuse_mppe_stateful
> mppe_recv_key
> mppe_keys_set
> mppe_send_key
> mppe_set_keys
> nomppe-stateful
> mppe-stateful
> -mppe-128
> nomppe-128
> +mppe-128
> require-mppe-128
> -mppe-40
> nomppe-40
> +mppe-40
> require-mppe-40
> -mppe
> nomppe
> +mppe
> require-mppe
> mppe %s %s %s %s %s %s%s
> 
> I'm not quite sure what the nomppe-stateful thing does.  Here's an 
> output of the version on pppd:  pppd version 2.4.2b3
> 
> anyone got any ideas why those other modules don't start?  or why the 
> kernelmod.sh script seems to complete without actually installing all 
> the right modules?
> 
> sorry to burden the list with all this, it's just that I can't seem to 
> find a lot of the documentation anywhere else.
> 
> -r
> 
> On Wednesday, Jan 7, 2004, at 13:16 America/Denver, bdoctor at ps-ax.com 
> wrote:
> 
> > I'd definitely put those refuse options in there - I seem to recall it 
> > not
> > working, or that the client would *always* do 40bit MPPE, which is 
> > unacceptable.
> >
> > I also seem to recall patching pppd.  I did a strings on it:
> >
> > 7 @vpn:/home/bdoctor/poptop-1.1.4 > strings /usr/sbin/pppd|grep mppe
> > set_mppe_enc_types
> > refuse_mppe_stateful
> > mppe_recv_key
> > mppe_keys_set
> > mppe_send_key
> > mppe_set_keys
> > require-mppe
> > +mppe
> > nomppe
> > require-mppe-40
> > +mppe-40
> > nomppe-40
> > require-mppe-128
> > +mppe-128
> > nomppe-128
> > nomppe-stateful
> > mppe %s %s %s %s %s %s%s
> >
> > and the version:
> >
> > 3 @vpn:/home/bdoctor> pppd --version
> > pppd version 2.4.2b3
> >
> > I cannot remember for sure if I patched it though.  I think I did?
> >
> > One thing is for sure - there are a lot of little gotchas that I 
> > struggled
> > through and it was a complete pain.  Not having MPPE support in your 
> > module
> > listing is an issue I believe.  I know that without the kernelmod 
> > patch, nothing
> > would work properly for me.
> >
> > Also, without the conntrack modules connections through the device (to 
> > the
> > Internet) would fail.  Internal connections would work fine however.
> >
> > This particular installation fully supports windows clients, including 
> > domain
> > logons, network/smb browsing, the whole bit.  Also forces all traffic 
> > to go
> > through the device, rather than a split-horizon type of setup.  
> > Naturally,
> > I cannot remember everything that I did, beyond the pain :)
> >
> > Also, the kernelmod patch will produce modules, so if you have a 
> > working
> > source tree for the running kernel, you won't have to install a new 
> > kernel
> > image - so doing it remotely is safer than it would be otherwise.  
> > This patch
> > provides the MPPE support.
> >
> > Another thing that helped me is to run tcpdump, and to run the server 
> > in full
> > debug mode (both options.pptpd and pptpd.conf).
> >
> > -brad
> >
> >> OK.  I'm pretty sure that I did all that you said.  I found that there
> >> was a problem in my options.pptpd file: I had the option
> >>
> >> nobsdcomp
> >>
> >> with a "0" at the end of it.  I ran pppd manually and it didn't like
> >> that one bit.
> >>
> >> now, when I try to connect, my client gives me the error:
> >>
> >> Error 732:  Your computer and the remote computer could not agree on
> >> ppp control protocols
> >>
> >> Googling on this error only yields two sites....  Reading the PopToP
> >> FAQ, it says that there are patches available to make pppd compatible
> >> with the MSCHAP protocol, but the version on the patches that I found
> >> are version 2.3.5 while the one that I have is version 2.4.2.
> >>
> >> here is an lsmod output:
> >>
> >> Module                  Size  Used by    Not tainted
> >> ppp_async               9440   0  (autoclean)
> >> ppp_generic            24820   0  (autoclean) [ppp_async]
> >> slhc                    6756   0  (autoclean) [ppp_generic]
> >> agpgart                56664   5  (autoclean)
> >> parport_pc             19076   1  (autoclean)
> >> lp                      9028   0  (autoclean)
> >> parport                37088   1  (autoclean) [parport_pc lp]
> >> autofs                 13364   0  (autoclean) (unused)
> >> 3c59x                  30928   1
> >> floppy                 58160   0  (autoclean)
> >> microcode               4724   0  (autoclean)
> >> loop                   12120   0  (autoclean)
> >> keybdev                 2976   0  (unused)
> >> mousedev                5524   1
> >> hid                    22212   0  (unused)
> >> input                   5888   0  [keybdev mousedev hid]
> >> usb-uhci               26412   0  (unused)
> >> usbcore                79392   1  [hid usb-uhci]
> >> ext3                   91592   2
> >> jbd                    52336   2  [ext3]
> >> lvm-mod                64672   3
> >>
> >> I'm not quite sure why I'm missing all the other modules (or where 
> >> else
> >> to get them).  I installed all the relevant packages you listed below.
> >>
> >> here is my options.pptpd:
> >>
> >> ## CHANGE TO SUIT YOUR SYSTEM
> >> lock
> >>
> >> ## turn pppd syslog debugging on
> >> debug
> >>
> >> ## change 'pptpd' to whatever you specify as your server name in
> >> chap-secrets
> >> name pptpd
> >>
> >> proxyarp
> >> nobsdcomp
> >>
> >> # This option applies if you use ppp with chapms-strip-domain patch
> >> #chapms-strip-domain
> >>
> >> # These options apply if you use ppp with mppe patch
> >> # NB! You should also apply the ChapMS-V2 patch
> >> #-chap
> >> #-chapms
> >> #+chapms-v2
> >> #mppe-128
> >> #mppe-stateless
> >>
> >> # These options will tell ppp to pass on these to your clients
> >> # To use ms-wins or ms-dns in options.pptpd it must exist in
> >> /etc/resolv.conf
> >> ms-wins ip.of.wins.srvr
> >> ms-dns ip.of.dns.srvr
> >>
> >> would it make a big difference to add the "refuse" options that you
> >> have listed in your options.pptpd file?  (i'll give it a shot 
> >> anyways).
> >>
> >> thanks for the help and sorry for the long post.
> >>
> >> -r
> >> On Wednesday, Jan 7, 2004, at 12:33 America/Denver, bdoctor at ps-ax.com
> >> wrote:
> >>
> >>> A module listing would be helpful.  Here are the relevant modules
> >>> running on a
> >>> poptop server:
> >>>
> >>> ppp_async               9440   3 (autoclean)
> >>> ppp_mppe               13944   6
> >>> ppp_generic            24604   9 [ppp_async ppp_mppe]
> >>> slhc                    6740   0 [ppp_generic]
> >>> ipt_state               1048   1 (autoclean)
> >>> ip_nat_pptp             2764   0 (unused)
> >>> ip_conntrack_pptp       3824   1
> >>> ip_conntrack_proto_gre    4468   0 [ip_nat_pptp ip_conntrack_pptp]
> >>>
> >>> And here is the options.pptpd:
> >>>
> >>> ## CHANGE TO SUIT YOUR SYSTEM
> >>> lock
> >>>
> >>> ## turn pppd syslog debugging on
> >>> debug
> >>>
> >>> ## change 'pptpd' to whatever you specify as your server name in
> >>> chap-secrets
> >>> name vpn.server.com
> >>>
> >>> # Don't need this
> >>> #nobsdcomp
> >>>
> >>> #noauth
> >>> auth
> >>> # Tell pptpd to find local interface and put it in proxyarp mode
> >>> proxyarp
> >>>
> >>> ipcp-accept-local
> >>> ipcp-accept-remote
> >>> lcp-echo-failure 3
> >>> lcp-echo-interval 5
> >>> deflate 0
> >>>
> >>> # This option applies if you use ppp with chapms-strip-domain patch
> >>> #chapms-strip-domain
> >>>
> >>> # These options are for use with the OpenSSL-licensed patch
> >>> # This flavor will be obsoleted ASAP.
> >>> # NB! You should also apply the ChapMS-V2 patch
> >>> #-chap
> >>> #-chapms
> >>> #+chapms-v2
> >>> #mppe-40        # both 40-bits and 128-bits encryption bite each other
> >>> #mppe-128
> >>> #mppe-stateless
> >>>
> >>> # These options are for use with the BSD-licensed patch (ppp => 
> >>> 2.4.2)
> >>> # This is the default implementation
> >>> refuse-pap
> >>> refuse-eap
> >>> refuse-chap
> >>> refuse-mschap
> >>> require-mppe
> >>> nomppe-stateful
> >>> nomppe-40
> >>>
> >>> # These options will tell ppp to pass on these to your clients
> >>> # To use ms-wins or ms-dns in options.pptpd it must exist in
> >>> /etc/resolv.conf
> >>> #ms-wins <ip-of-your-winsserver>
> >>> ms-dns <internal IP>
> >>>
> >>>
> >>> Sample log entry for successful connection:
> >>>
> >>> Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Client <ip.address> control
> >>> connection started
> >>> Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Starting call (launching 
> >>> pppd,
> >>> opening GRE)
> >>> Jan  7 11:37:41 vpn pppd[12195]: pppd 2.4.2b3 started by shmoe, uid
> >>> 8990
> >>> Jan  7 11:37:41 vpn pppd[12195]: Using interface ppp1
> >>> Jan  7 11:37:41 vpn pppd[12195]: Connect: ppp1 <--> /dev/pts/1
> >>> Jan  7 11:37:42 vpn pptpd[12194]: GRE: Discarding duplicate packet
> >>> Jan  7 11:37:44 vpn pptpd[12194]: CTRL: Ignored a SET LINK INFO 
> >>> packet
> >>> with real ACCMs!
> >>> Jan  7 11:37:44 vpn pppd[12195]: CHAP peer authentication succeeded
> >>> for username
> >>> Jan  7 11:37:44 vpn pppd[12195]: MPPE 128-bit stateless compression
> >>> enabled
> >>>
> >>> And then for the setup on the windows client, it is really basic - no
> >>> custom
> >>> options, just select maximum security for the connection.
> >>>
> >>> Key elements for this to work:
> >>>
> >>> mppe support in kernel
> >>> gre support in kernel
> >>> conntrack support, as noted above
> >>>
> >>> Also be sure to download and apply the kernelmod package.  It won't
> >>> work until
> >>> you do that.
> >>>
> >>> Best of luck!
> >>> -brad
> >>>
> >>>> hey guys,
> >>>>
> >>>> I'm lost, basically because I've never set up a VPN server before, but
> >>>> I'm trying to set one up using PoPToP on WhiteBox Linux.  I've 
> >>>> patched
> >>>> the kernel and installed all the right stuff and edited the right 
> >>>> conf
> >>>> files per the RedHat installation instructions on the poptop.org
> >>>> website.  But, when I try to connect a Win2k client to the server I
> >>>> get
> >>>> this:
> >>>>
> >>>> Error 619:  The specified port is not connected.
> >>>>
> >>>> Here's what is in the logs:
> >>>>
> >>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress
> >>>> control connection started
> >>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Starting call (launching
> >>>> pppd, opening GRE)
> >>>> Jan  7 09:44:38 hostname pptpd[1823]: GRE:
> >>>> read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 
> >>>> error
> >>>> =
> >>>> Input/output error
> >>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: PTY read or GRE write
> >>>> failed (pty,gre)=(5,6)
> >>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress
> >>>> control connection finished
> >>>>
> >>>>
> >>>> This doesn't make much sense to me.  I don't have much experience 
> >>>> with
> >>>> GRE, so I'm a little lost.  The only ideas that I have is to disable
> >>>> GRE in the kernel and recompile, but, I'm working from home today 
> >>>> (to
> >>>> test the VPN) and don't really wish to recompile and test a new 
> >>>> kernel
> >>>> remotely :)
> >>>>
> >>>>
> >>>> thanks for help in advance.
> >>>>
> >>>> -r
> >>>>
> >>>> _______________________________________________
> >>>> Web Page:  http://lug.boulder.co.us
> >>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >>>> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> >>>>
> >>>
> >>> -- 
> >>> Brad Doctor, CISSP
> >>>
> >>
> >>
> >
> > -- 
> > Brad Doctor, CISSP
> >
> 
> 

-- 
Brad Doctor, CISSP
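The thread above keeps circling three things: whether options.pptpd refuses the weak authentication and MPPE modes Brad lists (refuse-pap, refuse-eap, refuse-chap, refuse-mschap, require-mppe, nomppe-stateful, nomppe-40), whether the GRE/PPTP conntrack modules are actually loaded, and what the log says when a session succeeds versus fails the way Error 619 did. The script below is an added example, written for this page and not code from the thread, from poptop or from pppd; it audits a poptop host for those three conditions. The option and module lists are taken verbatim from Brad's working server as posted; the sample options files, lsmod listings and log lines are constructed from output quoted in the thread so the script runs offline. On a real box you would point missing_modules at a saved copy of lsmod (for example `lsmod > /tmp/mods; missing_modules /tmp/mods`) and missing_pptpd_opts at the live options.pptpd.

```sh
#!/bin/sh
# Added example (not from the thread, poptop or pppd): audit a poptop host for
# the pppd options that refuse weak auth/MPPE, the conntrack modules a working
# server has loaded, and the syslog lines that separate a good session from the
# GRE failure behind Error 619.  Sample inputs are constructed from the thread.

# Security-relevant options from Brad's working options.pptpd: refuse
# PAP/EAP/CHAP/MS-CHAPv1 (leaving MS-CHAPv2), require MPPE, refuse 40-bit
# and stateful MPPE.
REQUIRED_OPTS="refuse-pap refuse-eap refuse-chap refuse-mschap require-mppe nomppe-stateful nomppe-40"

# Modules from Brad's lsmod on the working server.  ppp_async is left out
# because it only appears once a PPP session is up.
REQUIRED_MODS="ppp_generic ppp_mppe ip_conntrack_proto_gre ip_conntrack_pptp ip_nat_pptp"

# Print required options absent from options file $1.  An option counts only
# when it starts a line (after optional whitespace); "#require-mppe" does not.
missing_pptpd_opts() {
    _f="$1"; _out=""
    for _opt in $REQUIRED_OPTS; do
        grep -qE "^[[:space:]]*${_opt}([[:space:]]|$)" "$_f" || _out="$_out $_opt"
    done
    echo "${_out# }"
}

# Print required modules absent from an lsmod listing saved in file $1.
missing_modules() {
    _f="$1"; _out=""
    for _m in $REQUIRED_MODS; do
        grep -qE "^${_m}[[:space:]]" "$_f" || _out="$_out $_m"
    done
    echo "${_out# }"
}

# Classify one pptpd/pppd syslog line: ok (128-bit stateless MPPE negotiated),
# weak-mppe (40-bit negotiated), gre-fail (the PTY/GRE error behind Error 619),
# or other.
classify_log_line() {
    case "$1" in
        *"MPPE 128-bit stateless compression enabled"*)        echo ok ;;
        *"MPPE 40-bit"*)                                       echo weak-mppe ;;
        *"PTY read or GRE write failed"*|*"from PTY failed"*)  echo gre-fail ;;
        *)                                                     echo other ;;
    esac
}

# --- constructed sample inputs, taken from what the thread posted -----------
WEAK_OPTS=$(mktemp); HARD_OPTS=$(mktemp); WEAK_MODS=$(mktemp); GOOD_MODS=$(mktemp)
trap 'rm -f "$WEAK_OPTS" "$HARD_OPTS" "$WEAK_MODS" "$GOOD_MODS"' EXIT

# The original poster's options.pptpd: MPPE options commented out, nothing refused.
cat >"$WEAK_OPTS" <<'EOF'
lock
debug
name pptpd
proxyarp
nobsdcomp
#-chap
#+chapms-v2
#mppe-128
ms-dns ip.of.dns.srvr
EOF

# Brad's options.pptpd, trimmed to the lines that matter here.
cat >"$HARD_OPTS" <<'EOF'
lock
name vpn.server.com
auth
proxyarp
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mppe
nomppe-stateful
nomppe-40
EOF

# lsmod on the failing box: MPPE present, no GRE/PPTP conntrack.
cat >"$WEAK_MODS" <<'EOF'
Module                  Size  Used by    Tainted: P
ppp_mppe               13912   0  (unused)
ppp_generic            24820   0  [ppp_mppe]
slhc                    6756   0  [ppp_generic]
EOF

# lsmod on the working server.
cat >"$GOOD_MODS" <<'EOF'
ppp_async               9440   3 (autoclean)
ppp_mppe               13944   6
ppp_generic            24604   9 [ppp_async ppp_mppe]
slhc                    6740   0 [ppp_generic]
ipt_state               1048   1 (autoclean)
ip_nat_pptp             2764   0 (unused)
ip_conntrack_pptp       3824   1
ip_conntrack_proto_gre    4468   0 [ip_nat_pptp ip_conntrack_pptp]
EOF

echo "weak config, missing : $(missing_pptpd_opts "$WEAK_OPTS")"
echo "hard config, missing : [$(missing_pptpd_opts "$HARD_OPTS")]"
echo "failing box, missing : $(missing_modules "$WEAK_MODS")"
echo "working box, missing : [$(missing_modules "$GOOD_MODS")]"
classify_log_line "Jan  7 11:37:44 vpn pppd[12195]: MPPE 128-bit stateless compression enabled"
classify_log_line "Jan  7 09:44:38 hostname pptpd[1823]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)"
```

The option check deliberately requires the keyword at the start of a line so that the commented-out `#mppe-128` style entries in the original poster's file are not mistaken for an enabled setting; the module check only inspects a saved lsmod listing, so it reports what is loaded now, not what modprobe would be able to load.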


