[lug] PoPToP connection issue

bdoctor at ps-ax.com bdoctor at ps-ax.com
Wed Jan 7 12:33:54 MST 2004 

A module listing would be helpful.  Here are the relevant modules running on a
poptop server:

ppp_async               9440   3 (autoclean)
ppp_mppe               13944   6
ppp_generic            24604   9 [ppp_async ppp_mppe]
slhc                    6740   0 [ppp_generic]
ipt_state               1048   1 (autoclean)
ip_nat_pptp             2764   0 (unused)
ip_conntrack_pptp       3824   1
ip_conntrack_proto_gre    4468   0 [ip_nat_pptp ip_conntrack_pptp]

And here is the options.pptpd:

## CHANGE TO SUIT YOUR SYSTEM
lock

## turn pppd syslog debugging on
debug

## change 'pptpd' to whatever you specify as your server name in chap-secrets
name vpn.server.com

# Don't need this
#nobsdcomp 

#noauth
auth
# Tell pptpd to find local interface and put it in proxyarp mode
proxyarp

ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0

# This option applies if you use ppp with chapms-strip-domain patch
#chapms-strip-domain

# These options are for use with the OpenSSL-licensed patch
# This flavor will be obsoleted ASAP.
# NB! You should also apply the ChapMS-V2 patch
#-chap
#-chapms
#+chapms-v2
#mppe-40        # both 40-bits and 128-bits encryption bite eachother
#mppe-128
#mppe-stateless

# These options are for use with the BSD-licensed patch (ppp => 2.4.2)
# This is the default implementation
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mppe
nomppe-stateful
nomppe-40

# These options will tell ppp to pass on these to your clients
# To use ms-dns or ms-dns in options.pptpd it must exist in /etc/resolv.conf
#ms-wins <ip-of-your-winsserver>
ms-dns <internal IP>


Sample log entry for successful connection:

Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Client <ip.address> control connection started
Jan  7 11:37:41 vpn pptpd[12194]: CTRL: Starting call (launching pppd, opening GRE)
Jan  7 11:37:41 vpn pppd[12195]: pppd 2.4.2b3 started by shmoe, uid 8990
Jan  7 11:37:41 vpn pppd[12195]: Using interface ppp1
Jan  7 11:37:41 vpn pppd[12195]: Connect: ppp1 <--> /dev/pts/1
Jan  7 11:37:42 vpn pptpd[12194]: GRE: Discarding duplicate packet
Jan  7 11:37:44 vpn pptpd[12194]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jan  7 11:37:44 vpn pppd[12195]: CHAP peer authentication succeeded for username
Jan  7 11:37:44 vpn pppd[12195]: MPPE 128-bit stateless compression enabled

And then for the setup on the windows client, it is really basic - no custom
options, just select maximum security for the connection.

Key elements for this to work:

mppe support in kernel
gre support in kernel
conntrack support, as noted above

Also be sure to download and apply the kernelmod package.  It won't work until
you do that.

Best of luck!
-brad

> hey guys,
> 
> i'm lost, basically cause i've never set up a VPN server before, but 
> i'm trying to set one up using PoPToP on WhiteBox Linux.  I've patched 
> the kernel and installed all the right stuff and edited the right conf 
> files per the RedHat installation instructions on the poptop.org 
> website.  But, when I try to connect a Win2k client to the server I get 
> this:
> 
> Error 619:  The specified port is not connected.
> 
> here's what is in the logs:
> 
> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress 
> control connection started
> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Starting call (launching 
> pppd, opening GRE)
> Jan  7 09:44:38 hostname pptpd[1823]: GRE: 
> read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = 
> Input/output error
> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: PTY read or GRE write 
> failed (pty,gre)=(5,6)
> Jan  7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress 
> control connection finished
> 
> 
> this doesn't make much sense to me.  I don't have much experience with 
> GRE, so I'm a little lost.  The only ideas that I have is to disable 
> GRE in the kernel and recompile, but, I'm working from home today (to 
> test the VPN) and don't really wish to recompile and test a new kernel 
> remotely :)
> 
> 
> thanks for help in advance.
> 
> -r
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> 

-- 
Brad Doctor, CISSP

More information about the LUG mailing list