[lug] PoPToP connection issue

bdoctor at ps-ax.com
Wed Jan 7 17:18:46 MST 2004


Cool, no problem :)

> brad, thanks a bunch for your help.  I was just looking at the 
> netfilter patchomatic stuff.  I'm calling it quits for today, and will 
> tackle this tomorrow.  I'll let you know how it goes.
> 
> -rtw
> On Wednesday, Jan 7, 2004, at 17:06 America/Denver, bdoctor at ps-ax.com 
> wrote:
> 
> > For the RPM - don't worry about that as it is not required.  That would
> > allow you to take it and install it on another machine, or for some odd
> > reason to re-install on the current machine.
> >
> > For the module not loading properly, there are likely dependencies.  This
> > is how I force the loading from my startup script for pptpd:
> >
> >         modprobe ip_conntrack_pptp 1> /dev/null 2>&1
> >         modprobe ip_nat_pptp 1> /dev/null 2>&1
> >
> > You will need to download and install the patch-o-matic package from
> > netfilter.org.  Then you will need to use the 'runme' command and apply:
> >
> > runme extra/pptp-conntrack-nat.patch
> >
> > 32 @vpn:/home/bdoctor/patch-o-matic/extra > more pptp-conntrack-nat.patch.help
> > Author: Harald Welte <laforge at gnumonks.org>
> > Status: Beta
> >
> > This adds CONFIG_IP_NF_PPTP:
> > Connection tracking and NAT support for PPTP.
> >
> > Note that this code currently has limitations
> > - can only NAT connections from PNS to PAC
> > - doesn't support multiple calls within one session
> >
> >
> > Then, configure your kernel with your favorite method and enable:
> >
> > IP: tunneling
> > IP: GRE tunnels over IP (module)
> > IP: broadcast GRE over IP
> >
> > Netfilter:
> > Connection tracking
> > GRE protocol support
> > PPTP protocol support
> > All Connection tracking
> > ...
> >
> > Actually, for netfilter I enable everything as a module.  The above three
> > entries are critical, however.
> >
> > After you have done this, recompile the modules:
> > make modules
> > And install the modules:
> > make modules_install
> >
> > The kernelmod part did its thing, but your netfilter setup is lacking.
> >
> > Also, in /etc/modules.conf I have these relevant entries:
> >
> > alias char-major-108 ppp_generic
> > alias ppp-compress-18 ppp_mppe
> > alias ppp-compress-21 bsd_comp
> > alias ppp-compress-24 ppp_deflate
> > alias ppp-compress-26 ppp_deflate
> > alias tty-ldisc-3 ppp_async
> > alias tty-ldisc-14 ppp_synctty
> >
> > One thing is for sure - as painful as this is, once it is set up, it works
> > very well and requires nearly no maintenance.  So there is a light at the
> > end of this tunnel.
> >
> > -brad
> >
> >> Ok, i've run kernelmod again, and everything seemed to go fine, but it
> >> didn't seem to work.  The script didn't ask me if i wanted to make an
> >> RPM (like the README says it will).  Here's the end output of the script:
> >>
> >> -------------------------------------------------
> >> --> Locating patches.
> >> Found patches for 2.4.
> >> Checking for specific patches.
> >> Found patches for 2.4.21
> >> -------------------------------------------------
> >> --> Patches & sources
> >> Applying patch /tmp/kernelmod/2.4/linux-2.4.21-bsd-mppe.patch
> >> patching file include/linux/ppp-comp.h
> >> patching file drivers/net/Config.in
> >> Hunk #1 succeeded at 307 (offset 18 lines).
> >> patching file drivers/net/Makefile
> >> Hunk #2 succeeded at 157 (offset 6 lines).
> >> Hunk #3 succeeded at 267 (offset 7 lines).
> >> patching file drivers/net/ppp_generic.c
> >> Hunk #1 succeeded at 1045 (offset 15 lines).
> >> Hunk #3 succeeded at 1573 (offset 15 lines).
> >> Copying extra sources to /usr/src/linux-2.4/
> >> arcfour.c --> /usr/src/linux-2.4//drivers/net/arcfour.c
> >> arcfour.h --> /usr/src/linux-2.4//drivers/net/arcfour.h
> >> ppp_mppe_compress.c --> /usr/src/linux-2.4//drivers/net/ppp_mppe_compress.c
> >> sha1.c --> /usr/src/linux-2.4//drivers/net/sha1.c
> >> sha1.h --> /usr/src/linux-2.4//drivers/net/sha1.h
> >> Copying extra sources to /tmp/kernelmod/build/
> >> -------------------------------------------------
> >> Building module arcfour.o
> >> Building module ppp_generic.o
> >> Building module ppp_mppe_compress.o
> >> Building module sha1.o
> >> Building module ppp_mppe.o
> >> -------------------------------------------------
> >> Installing module ppp_generic.o in
> >> /lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
> >> Installing module ppp_mppe.o in
> >> /lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
> >> Updating module dependencies
> >> Everything seems OK. Removing buildstuff in /tmp/kernelmod/build
> >>
> >> but, here's what actually gets installed:
> >>
> >> ]# lsmod
> >> Module                  Size  Used by    Tainted: P
> >> ppp_mppe               13912   0  (unused)
> >> ppp_generic            24820   0  [ppp_mppe]
> >> slhc                    6756   0  [ppp_generic]
> >> agpgart                56664   5  (autoclean)
> >> parport_pc             19076   1  (autoclean)
> >> lp                      9028   0  (autoclean)
> >> parport                37088   1  (autoclean) [parport_pc lp]
> >> autofs                 13364   0  (autoclean) (unused)
> >> 3c59x                  30928   1
> >> floppy                 58160   0  (autoclean)
> >> microcode               4724   0  (autoclean)
> >> loop                   12120   0  (autoclean)
> >> keybdev                 2976   0  (unused)
> >> mousedev                5524   1
> >> hid                    22212   0  (unused)
> >> input                   5920   0  [keybdev mousedev hid]
> >> usb-uhci               26412   0  (unused)
> >> usbcore                79424   1  [hid usb-uhci]
> >> ext3                   91592   2
> >> jbd                    52336   2  [ext3]
> >> lvm-mod                64672   3
> >>
> >>
> >> again, missing the modules that you specified...  when i try to do an
> >> ]# insmod ipt_state
> >> Using /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o
> >> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o:
> >> unresolved symbol ip_conntrack_get_Ra6f02512
> >> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o:
> >> unresolved symbol ip_conntrack_module_Rb0361033
> >> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o:
> >> unresolved symbol ipt_register_match_R91801b7c
> >> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o:
> >> unresolved symbol ipt_unregister_match_R77bac37b
> >>
> >>
> >> whenever I do a strings on pppd:
> >> set_mppe_enc_types
> >> refuse_mppe_stateful
> >> mppe_recv_key
> >> mppe_keys_set
> >> mppe_send_key
> >> mppe_set_keys
> >> nomppe-stateful
> >> mppe-stateful
> >> -mppe-128
> >> nomppe-128
> >> +mppe-128
> >> require-mppe-128
> >> -mppe-40
> >> nomppe-40
> >> +mppe-40
> >> require-mppe-40
> >> -mppe
> >> nomppe
> >> +mppe
> >> require-mppe
> >> mppe %s %s %s %s %s %s%s
> >>
> >> i'm not quite sure what the nomppe-stateful thing does.  here's an
> >> output of the version on pppd:  pppd version 2.4.2b3
> >>
> >> anyone got any ideas why those other modules don't start?  or why the
> >> kernelmod.sh script seems to complete without actually installing all
> >> the right modules?
> >>
> >> sorry to burden the list with all this, it's just that i can't seem to
> >> find a lot of the documentation anywhere else.
> >>
> >> -r
> >>
> >> On Wednesday, Jan 7, 2004, at 13:16 America/Denver, bdoctor at ps-ax.com
> >> wrote:
> >>
> >>> I'd definitely put those refuse options in there - I seem to recall it
> >>> not working, or that the client would *always* do 40bit MPPE, which is
> >>> unacceptable.
> >>>
> >>> I also seem to recall patching pppd.  I did a strings on it:
> >>>
> >>> 7 @vpn:/home/bdoctor/poptop-1.1.4 > strings /usr/sbin/pppd|grep mppe
> >>> set_mppe_enc_types
> >>> refuse_mppe_stateful
> >>> mppe_recv_key
> >>> mppe_keys_set
> >>> mppe_send_key
> >>> mppe_set_keys
> >>> require-mppe
> >>> +mppe
> >>> nomppe
> >>> require-mppe-40
> >>> +mppe-40
> >>> nomppe-40
> >>> require-mppe-128
> >>> +mppe-128
> >>> nomppe-128
> >>> nomppe-stateful
> >>> mppe %s %s %s %s %s %s%s
> >>>
> >>> and the version:
> >>>
> >>> 3 @vpn:/home/bdoctor> pppd --version
> >>> pppd version 2.4.2b3
> >>>
> >>> I cannot remember for sure if I patched it though.  I think I did?
> >>>
> >>> One thing is for sure - there are a lot of little gotchas that I
> >>> struggled through and it was a complete pain.  Not having MPPE support
> >>> in your module listing is an issue I believe.  I know that without the
> >>> kernelmod patch, nothing would work properly for me.
> >>>
> >>> Also, without the conntrack modules connections through the device (to
> >>> the Internet) would fail.  Internal connections would work fine however.
> >>>
> >>> This particular installation fully supports windows clients, including
> >>> domain logons, network/smb browsing, the whole bit.  Also forces all
> >>> traffic to go through the device, rather than a split-horizon type of
> >>> setup.  Naturally, I cannot remember everything that I did, beyond the
> >>> pain :)
> >>>
> >>> Also, the kernelmod patch will produce modules, so if you have a working
> >>> source tree for the running kernel, you won't have to install a new
> >>> kernel image - so doing it remotely is safer than it would be otherwise.
> >>> This patch provides the MPPE support.
> >>>
> >>> Another thing that helped me is to run tcpdump, and to run the server
> >>> in full debug mode (both options.pptpd and pptpd.conf).
> >>>
> >>> -brad
> >>>
> >>>> Ok.  I'm pretty sure that I did all that you said.  I found that there
> >>>> was a problem in my options.pptpd file i had the option
> >>>>
> >>>> nobsdcomp
> >>>>
> >>>> with a "0" at the end of it.  i ran pppd manually and it didn't like
> >>>> that one bit.
> >>>>
> >>>> now, when I try to connect, my client gives me the error:
> >>>>
> >>>> Error 732:  Your computer and the remote computer could not agree on
> >>>> ppp control protocols
> >>>>
> >>>> Googling on this error only yields two sites....  Reading the PopToP
> >>>> FAQ, it says that there are patches available to make pppd compatible
> >>>> with the MSCHAP protocol, but the version on the patches that I found
> >>>> are version 2.3.5 while the one that I have is version 2.4.2.
> >>>>
> >>>> here is an lsmod output:
> >>>>
> >>>> Module                  Size  Used by    Not tainted
> >>>> ppp_async               9440   0  (autoclean)
> >>>> ppp_generic            24820   0  (autoclean) [ppp_async]
> >>>> slhc                    6756   0  (autoclean) [ppp_generic]
> >>>> agpgart                56664   5  (autoclean)
> >>>> parport_pc             19076   1  (autoclean)
> >>>> lp                      9028   0  (autoclean)
> >>>> parport                37088   1  (autoclean) [parport_pc lp]
> >>>> autofs                 13364   0  (autoclean) (unused)
> >>>> 3c59x                  30928   1
> >>>> floppy                 58160   0  (autoclean)
> >>>> microcode               4724   0  (autoclean)
> >>>> loop                   12120   0  (autoclean)
> >>>> keybdev                 2976   0  (unused)
> >>>> mousedev                5524   1
> >>>> hid                    22212   0  (unused)
> >>>> input                   5888   0  [keybdev mousedev hid]
> >>>> usb-uhci               26412   0  (unused)
> >>>> usbcore                79392   1  [hid usb-uhci]
> >>>> ext3                   91592   2
> >>>> jbd                    52336   2  [ext3]
> >>>> lvm-mod                64672   3
> >>>>
> >>>> i'm not quite sure why i'm missing all the other modules (or where else
> >>>> to get them).  I installed all the relevant packages you listed below.
> >>>>
> >>>> here is my options.pptpd:
> >>>>
> >>>> ## CHANGE TO SUIT YOUR SYSTEM
> >>>> lock
> >>>>
> >>>> ## turn pppd syslog debugging on
> >>>> debug
> >>>>
> >>>> ## change 'pptpd' to whatever you specify as your server name in
> >>>> chap-secrets
> >>>> name pptpd
> >>>>
> >>>> proxyarp
> >>>> nobsdcomp
> >>>>
> >>>> # This option applies if you use ppp with chapms-strip-domain patch
> >>>> #chapms-strip-domain
> >>>>
> >>>> # These options apply if you use ppp with mppe patch
> >>>> # NB! You should also apply the ChapMS-V2 patch
> >>>> #-chap
> >>>> #-chapms
> >>>> #+chapms-v2
> >>>> #mppe-128
> >>>> #mppe-stateless
> >>>>
> >>>> # These options will tell ppp to pass on these to your clients
> >>>> # To use ms-wins or ms-dns in options.pptpd it must exist in /etc/resolv.conf
> >>>> ms-wins ip.of.wins.srvr
> >>>> ms-dns ip.of.dns.srvr
> >>>>
> >>>> would it make a big difference to add the "refuse" options that you
> >>>> have listed in your options.pptpd file?  (i'll give it a shot
> >>>> anyways).
> >>>>
> >>>> thanks for the help and sorry for the long post.
> >>>>
> >>>> -r
> >>>> On Wednesday, Jan 7, 2004, at 12:33 America/Denver, 
> >>>> bdoctor at ps-ax.com
> >>>> wrote:
> >>>>
> >>>>> A module listing would be helpful.  Here are the relevant modules
> >>>>> running on a
> >>>>> poptop server:
> >>>>>
> >>>>> ppp_async               9440   3 (autoclean)
> >>>>> ppp_mppe               13944   6
> >>>>> ppp_generic            24604   9 [ppp_async ppp_mppe]
> >>>>> slhc                    6740   0 [ppp_generic]
> >>>>> ipt_state               1048   1 (autoclean)
> >>>>> ip_nat_pptp             2764   0 (unused)
> >>>>> ip_conntrack_pptp       3824   1
> >>>>> ip_conntrack_proto_gre    4468   0 [ip_nat_pptp ip_conntrack_pptp]
> >>>>>
> >>>>> And here is the options.pptpd:
> >>>>>
> >>>>> ## CHANGE TO SUIT YOUR SYSTEM
> >>>>> lock
> >>>>>
> >>>>> ## turn pppd syslog debugging on
> >>>>> debug
> >>>>>
> >>>>> ## change 'pptpd' to whatever you specify as your server name in
> >>>>> chap-secrets
> >>>>> name vpn.server.com
> >>>>>
> >>>>> # Don't need this
> >>>>> #nobsdcomp
> >>>>>
> >>>>> #noauth
> >>>>> auth
> >>>>> # Tell pptpd to find local interface and put it in proxyarp mode
> >>>>> proxyarp
> >>>>>
> >>>>> ipcp-accept-local
> >>>>> ipcp-accept-remote
> >>>>> lcp-echo-failure 3
> >>>>> lcp-echo-interval 5
> >>>>> deflate 0
> >>>>>
> >>>>> # This option applies if you use ppp with chapms-strip-domain patch
> >>>>> #chapms-strip-domain
> >>>>>
> >>>>> # These options are for use with the OpenSSL-licensed patch
> >>>>> # This flavor will be obsoleted ASAP.
> >>>>> # NB! You should also apply the ChapMS-V2 patch
> >>>>> #-chap
> >>>>> #-chapms
> >>>>> #+chapms-v2
> >>>>> #mppe-40        # both 40-bits and 128-bits encryption bite each other
> >>>>> #mppe-128
> >>>>> #mppe-stateless
> >>>>>
> >>>>> # These options are for use with the BSD-licensed patch (ppp => 2.4.2)
> >>>>> # This is the default implementation
> >>>>> refuse-pap
> >>>>> refuse-eap
> >>>>> refuse-chap
> >>>>> refuse-mschap
> >>>>> require-mppe
> >>>>> nomppe-stateful
> >>>>> nomppe-40
> >>>>>
> >>>>> # These options will tell ppp to pass on these to your clients
> >>>>> # To use ms-wins or ms-dns in options.pptpd it must exist in /etc/resolv.conf
> >>>>> #ms-wins <ip-of-your-winsserver>
> >>>>> ms-dns <internal IP>
> >>>>>
> >>>>>
> >>>>> Sample log entry for successful connection:
> >>>>>
> >>>>> Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Client <ip.address> control connection started
> >>>>> Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Starting call (launching pppd, opening GRE)
> >>>>> Jan  7 11:37:41 vpn pppd[12195]: pppd 2.4.2b3 started by shmoe, uid 8990
> >>>>> Jan  7 11:37:41 vpn pppd[12195]: Using interface ppp1
> >>>>> Jan  7 11:37:41 vpn pppd[12195]: Connect: ppp1 <--> /dev/pts/1
> >>>>> Jan  7 11:37:42 vpn pptpd[12194]: GRE: Discarding duplicate packet
> >>>>> Jan  7 11:37:44 vpn pptpd[12194]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> >>>>> Jan  7 11:37:44 vpn pppd[12195]: CHAP peer authentication succeeded for username
> >>>>> Jan  7 11:37:44 vpn pppd[12195]: MPPE 128-bit stateless compression enabled
> >>>>>
> >>>>> And then for the setup on the windows client, it is really basic - no
> >>>>> custom options, just select maximum security for the connection.
> >>>>>
> >>>>> Key elements for this to work:
> >>>>>
> >>>>> mppe support in kernel
> >>>>> gre support in kernel
> >>>>> conntrack support, as noted above
> >>>>>
> >>>>> Also be sure to download and apply the kernelmod package.  It won't
> >>>>> work until you do that.
> >>>>>
> >>>>> Best of luck!
> >>>>> -brad
> >>>>>
> >>>>>> hey guys,
> >>>>>>
> >>>>>> i'm lost, basically cause i've never set up a VPN server before, but
> >>>>>> i'm trying to set one up using PoPToP on WhiteBox Linux.  I've
> >>>>>> patched the kernel and installed all the right stuff and edited the
> >>>>>> right conf files per the RedHat installation instructions on the
> >>>>>> poptop.org website.  But, when I try to connect a Win2k client to the
> >>>>>> server I get this:
> >>>>>>
> >>>>>> Error 619:  The specified port is not connected.
> >>>>>>
> >>>>>> here's what is in the logs:
> >>>>>>
> >>>>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress control connection started
> >>>>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Starting call (launching pppd, opening GRE)
> >>>>>> Jan  7 09:44:38 hostname pptpd[1823]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
> >>>>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> >>>>>> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress control connection finished
> >>>>>>
> >>>>>>
> >>>>>> this doesn't make much sense to me.  I don't have much experience
> >>>>>> with GRE, so I'm a little lost.  The only idea that I have is to
> >>>>>> disable GRE in the kernel and recompile, but, I'm working from home
> >>>>>> today (to test the VPN) and don't really wish to recompile and test a
> >>>>>> new kernel remotely :)
> >>>>>>
> >>>>>>
> >>>>>> thanks for help in advance.
> >>>>>>
> >>>>>> -r
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Web Page:  http://lug.boulder.co.us
> >>>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >>>>>> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> >>>>>>
> >>>>>
> >>>>> -- 
> >>>>> Brad Doctor, CISSP
> >>>>>
> >>>>
> >>>>
> >>>
> >>> -- 
> >>> Brad Doctor, CISSP
> >>>
> >>
> >>
> >
> > -- 
> > Brad Doctor, CISSP
> >
> 
> 

-- 
Brad Doctor, CISSP
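The two options.pptpd files quoted in this thread differ mainly in the refuse-*/require-mppe block, and that block is what decides whether a client can negotiate PAP, MS-CHAPv1 or 40-bit MPPE. The following audit script is an added example written for this page; it is not code from the thread or from the PoPToP project. The two sample files are constructed from the configs posted above (placeholder addresses), and the policy it enforces (refuse PAP, CHAP, MS-CHAPv1 and EAP; require MPPE; refuse 40-bit and stateful MPPE) is an assumption about a sensible server, not something pppd enforces by itself.

```python
"""Audit a pppd options file (PoPToP's /etc/ppp/options.pptpd) for weak
authentication and MPPE settings.  Added example, not PoPToP code; the
policy below is an assumption about what a server should enforce."""
from dataclasses import dataclass

# Constructed from the two options.pptpd files posted in the thread.
# WEAK is the original poster's; HARDENED is the working server's, with
# one commented-out line kept to show that comments are inert.
WEAK_CONFIG = """\
lock
debug
name pptpd
proxyarp
nobsdcomp
ms-wins ip.of.wins.srvr
ms-dns ip.of.dns.srvr
"""

HARDENED_CONFIG = """\
lock
debug
name vpn.server.com
auth
proxyarp
#mppe-40        # both 40-bits and 128-bits encryption bite each other
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mppe
nomppe-stateful
nomppe-40
ms-dns 10.0.0.1
"""

# pppd options that consume the next word as an argument (only the ones
# these files use); everything else is treated as a bare flag.
ARG_OPTIONS = {"name", "ms-dns", "ms-wins", "lcp-echo-failure", "lcp-echo-interval", "deflate"}

# refuse-* options the server must set, and why.
MUST_REFUSE = {
    "refuse-pap": "PAP sends the password in the clear",
    "refuse-chap": "plain CHAP derives no MPPE keys; only MS-CHAPv2 does",
    "refuse-mschap": "MS-CHAPv1 is weaker than MS-CHAPv2; keep it non-negotiable",
    "refuse-eap": "EAP is not configured here, so keep it non-negotiable",
}

# Syntax of the old OpenSSL-licensed MPPE patch; pppd >= 2.4.2 with the
# BSD-licensed MPPE code uses refuse-*/require-mppe instead.
LEGACY = {"+chapms-v2", "-chap", "-chapms", "mppe-40", "mppe-128", "mppe-stateless"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warn"
    option: str
    reason: str


def parse_options(text):
    """Return {option: argument-or-None}.  pppd option files are
    whitespace-separated words; '#' starts a comment running to end of
    line, so a commented-out '#mppe-40' is inert."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        i = 0
        while i < len(words):
            if words[i] in ARG_OPTIONS and i + 1 < len(words):
                opts[words[i]] = words[i + 1]
                i += 2
            else:
                opts[words[i]] = None
                i += 1
    return opts


def audit(text):
    """Return the Findings for one options file (an empty list means clean)."""
    present = set(parse_options(text))
    out = []
    if "noauth" in present:
        out.append(Finding("error", "noauth", "peer authentication is disabled"))
    elif "auth" not in present:
        out.append(Finding("warn", "auth", "not explicit; pppd defaults to auth only when the host has a default route"))
    for opt, why in MUST_REFUSE.items():
        if opt not in present:
            out.append(Finding("error", opt, why))
    if not present & {"require-mppe", "require-mppe-128"}:
        out.append(Finding("error", "require-mppe", "a client that does not propose MPPE gets a clear-text link"))
    if not present & {"nomppe-40", "require-mppe-128"}:
        out.append(Finding("error", "nomppe-40", "40-bit RC4 MPPE is still negotiable"))
    if "nomppe-stateful" not in present:
        out.append(Finding("warn", "nomppe-stateful", "stateful MPPE rekeys only every 256 packets and must resync after any loss"))
    for opt in sorted(present & LEGACY):
        out.append(Finding("warn", opt, "old OpenSSL-patch syntax; use refuse-*/require-mppe"))
    return out


def is_acceptable(text):
    """True when the file has no error-level findings."""
    return not any(f.severity == "error" for f in audit(text))
```

Run `audit()` over the poster's file and it reports six errors (the four missing refuse-* lines, no require-mppe, 40-bit still negotiable) plus two warnings; the working server's file comes back clean. Note that require-mppe-128 is accepted as an alternative to require-mppe plus nomppe-40, since pppd 2.4.2's strings listing above shows both spellings exist.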


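The thread also shows what the two outcomes look like in syslog: a control connection whose GRE/PTY read fails immediately (the client reported Error 619), and one that reaches "CHAP peer authentication succeeded" followed by "MPPE 128-bit stateless compression enabled". The classifier below is an added detection example, not PoPToP code. Its log input is constructed from the two excerpts above (addresses replaced with documentation ranges) plus an invented third session that authenticates but never negotiates MPPE, which is the case worth alerting on. It assumes that a pppd line belongs to the most recently started control connection that has not finished, which holds when clients connect one at a time as in these logs, but not under concurrent connects.

```python
"""Correlate PoPToP control connections with pppd's outcome from syslog.

Added detection example; not PoPToP code.  Assumption: a pppd line belongs
to the most recently started control connection that has not finished,
which holds when clients connect one at a time, as in the thread's logs."""
import re

# Constructed from the two log excerpts in the thread (addresses replaced
# with documentation ranges), plus an invented third session that
# authenticates but never negotiates MPPE.
SAMPLE_LOG = """\
Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client 198.51.100.7 control connection started
Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Starting call (launching pppd, opening GRE)
Jan  7 09:44:38 hostname pptpd[1823]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
Jan  7 09:44:38 hostname pptpd[1823]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client 198.51.100.7 control connection finished
Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Client 203.0.113.9 control connection started
Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Starting call (launching pppd, opening GRE)
Jan  7 11:37:41 vpn pppd[12195]: pppd 2.4.2b3 started by shmoe, uid 8990
Jan  7 11:37:41 vpn pppd[12195]: Using interface ppp1
Jan  7 11:37:41 vpn pppd[12195]: Connect: ppp1 <--> /dev/pts/1
Jan  7 11:37:42 vpn pptpd[12194]: GRE: Discarding duplicate packet
Jan  7 11:37:44 vpn pptpd[12194]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jan  7 11:37:44 vpn pppd[12195]: CHAP peer authentication succeeded for shmoe
Jan  7 11:37:44 vpn pppd[12195]: MPPE 128-bit stateless compression enabled
Jan  7 12:00:01 vpn pptpd[12300]: CTRL: Client 203.0.113.10 control connection started
Jan  7 12:00:01 vpn pptpd[12300]: CTRL: Starting call (launching pppd, opening GRE)
Jan  7 12:00:03 vpn pppd[12301]: CHAP peer authentication succeeded for guest
Jan  7 12:00:09 vpn pptpd[12300]: CTRL: Client 203.0.113.10 control connection finished
"""

# syslog prefix, host, program, pid, message
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<prog>pptpd|pppd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def _outcome(s):
    if s["auth"] and s["mppe"]:
        return "up, encrypted (%s)" % s["mppe"]
    if s["auth"]:
        return "up, UNENCRYPTED: authenticated but no MPPE negotiated"
    if s["gre_failed"]:
        return "pty read failed: pppd went away before PPP came up (client saw Error 619)"
    return "no authentication seen"


def classify_sessions(log_text):
    """Return one dict per control connection, in log order, with 'outcome'."""
    sessions, open_by_pid = [], {}  # pptpd pid -> session still in progress
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        prog, pid, msg = m.group("prog"), m.group("pid"), m.group("msg")
        if prog == "pptpd":
            if msg.startswith("CTRL: Client ") and msg.endswith("control connection started"):
                s = {"client": msg.split()[2], "pptpd_pid": pid, "auth": None,
                     "mppe": None, "gre_failed": False, "outcome": "open"}
                sessions.append(s)
                open_by_pid[pid] = s
            elif pid in open_by_pid:
                s = open_by_pid[pid]
                if msg.startswith("GRE:") and "failed" in msg:
                    s["gre_failed"] = True
                elif msg.endswith("control connection finished"):
                    s["outcome"] = _outcome(s)
                    del open_by_pid[pid]
        elif open_by_pid:  # pppd line: attribute to the newest open session
            s = list(open_by_pid.values())[-1]
            if msg.startswith("CHAP peer authentication succeeded for "):
                s["auth"] = msg.rsplit(" ", 1)[1]
            elif msg.startswith("MPPE ") and msg.endswith(" compression enabled"):
                s["mppe"] = msg[len("MPPE "):-len(" compression enabled")]
    for s in open_by_pid.values():  # still open at end of log
        s["outcome"] = _outcome(s)
    return sessions
```

The "UNENCRYPTED" outcome is the one to page on: with require-mppe missing from options.pptpd, a peer that authenticates but does not propose MPPE gets a working clear-text tunnel, and only the absence of the "MPPE ... enabled" line gives it away.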
