[lug] PoPToP connection issue
Ryan Wheaton
ryan.wheaton at comcast.net
Wed Jan 7 17:04:59 MST 2004
Brad, thanks a bunch for your help. I was just looking at the
netfilter patch-o-matic stuff. I'm calling it quits for today and will
tackle this tomorrow. I'll let you know how it goes.
-rtw
On Wednesday, Jan 7, 2004, at 17:06 America/Denver, bdoctor at ps-ax.com
wrote:
> For the RPM - don't worry about that as it is not required. That would
> allow you to take it and install it on another machine, or for some
> odd reason to re-install on the current machine.
>
> For the module not loading properly, there are likely dependencies.
> This is how I force the loading from my startup script for pptpd:
>
> modprobe ip_conntrack_pptp 1> /dev/null 2>&1
> modprobe ip_nat_pptp 1> /dev/null 2>&1
>
> You will need to download and install the patch-o-matic package from
> netfilter.org. Then you will need to use the 'runme' command and
> apply:
>
> runme extra/pptp-conntrack-nat.patch
>
> 32 @vpn:/home/bdoctor/patch-o-matic/extra > more pptp-conntrack-nat.patch.help
> Author: Harald Welte <laforge at gnumonks.org>
> Status: Beta
>
> This adds CONFIG_IP_NF_PPTP:
> Connection tracking and NAT support for PPTP.
>
> Note that this code currently has limitations
> - can only NAT connections from PNS to PAC
> - doesn't support multiple calls within one session
>
>
> Then, configure your kernel with your favorite method and enable:
>
> IP: tunneling
> IP: GRE tunnels over IP (module)
> IP: broadcast GRE over IP
>
> Netfilter:
> Connection tracking
> GRE protocol support
> PPTP protocol support
> All Connection tracking
> ...
>
> Actually, for netfilter I enable everything as a module. The above
> three entries are critical, however.
>
> After you have done this, recompile the modules:
> make modules
> And install the modules:
> make modules_install
>
> The kernelmod part did its thing, but your netfilter setup is lacking.
>
> Also, in /etc/modules.conf I have these relevant entries:
>
> alias char-major-108 ppp_generic
> alias ppp-compress-18 ppp_mppe
> alias ppp-compress-21 bsd_comp
> alias ppp-compress-24 ppp_deflate
> alias ppp-compress-26 ppp_deflate
> alias tty-ldisc-3 ppp_async
> alias tty-ldisc-14 ppp_synctty
>
> One thing is for sure - as painful as this is, once it is set up, it
> works very well and requires nearly no maintenance. So there is a light at
> the end of this tunnel.
>
> -brad
>
>> Ok, I've run kernelmod again, and everything seemed to go fine, but it
>> didn't seem to work. The script didn't ask me if I wanted to make an
>> RPM (like the README says it will). Here's the end output of the
>> script:
>>
>> -------------------------------------------------
>> --> Locating patches.
>> Found patches for 2.4.
>> Checking for specific patches.
>> Found patches for 2.4.21
>> -------------------------------------------------
>> --> Patches & sources
>> Applying patch /tmp/kernelmod/2.4/linux-2.4.21-bsd-mppe.patch
>> patching file include/linux/ppp-comp.h
>> patching file drivers/net/Config.in
>> Hunk #1 succeeded at 307 (offset 18 lines).
>> patching file drivers/net/Makefile
>> Hunk #2 succeeded at 157 (offset 6 lines).
>> Hunk #3 succeeded at 267 (offset 7 lines).
>> patching file drivers/net/ppp_generic.c
>> Hunk #1 succeeded at 1045 (offset 15 lines).
>> Hunk #3 succeeded at 1573 (offset 15 lines).
>> Copying extra sources to /usr/src/linux-2.4/
>> arcfour.c --> /usr/src/linux-2.4//drivers/net/arcfour.c
>> arcfour.h --> /usr/src/linux-2.4//drivers/net/arcfour.h
>> ppp_mppe_compress.c --> /usr/src/linux-2.4//drivers/net/ppp_mppe_compress.c
>> sha1.c --> /usr/src/linux-2.4//drivers/net/sha1.c
>> sha1.h --> /usr/src/linux-2.4//drivers/net/sha1.h
>> Copying extra sources to /tmp/kernelmod/build/
>> -------------------------------------------------
>> Building module arcfour.o
>> Building module ppp_generic.o
>> Building module ppp_mppe_compress.o
>> Building module sha1.o
>> Building module ppp_mppe.o
>> -------------------------------------------------
>> Installing module ppp_generic.o in
>> /lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
>> Installing module ppp_mppe.o in
>> /lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
>> Updating module dependencies
>> Everything seems OK. Removing buildstuff in /tmp/kernelmod/build
>>
>> but, here's what actually gets installed:
>>
>> ]# lsmod
>> Module Size Used by Tainted: P
>> ppp_mppe 13912 0 (unused)
>> ppp_generic 24820 0 [ppp_mppe]
>> slhc 6756 0 [ppp_generic]
>> agpgart 56664 5 (autoclean)
>> parport_pc 19076 1 (autoclean)
>> lp 9028 0 (autoclean)
>> parport 37088 1 (autoclean) [parport_pc lp]
>> autofs 13364 0 (autoclean) (unused)
>> 3c59x 30928 1
>> floppy 58160 0 (autoclean)
>> microcode 4724 0 (autoclean)
>> loop 12120 0 (autoclean)
>> keybdev 2976 0 (unused)
>> mousedev 5524 1
>> hid 22212 0 (unused)
>> input 5920 0 [keybdev mousedev hid]
>> usb-uhci 26412 0 (unused)
>> usbcore 79424 1 [hid usb-uhci]
>> ext3 91592 2
>> jbd 52336 2 [ext3]
>> lvm-mod 64672 3
>>
>>
>> Again, missing the modules that you specified... when I try to do an
>> ]# insmod ipt_state
>> Using /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o
>> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ip_conntrack_get_Ra6f02512
>> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ip_conntrack_module_Rb0361033
>> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ipt_register_match_R91801b7c
>> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ipt_unregister_match_R77bac37b
>>
>>
>> whenever I do a strings on pppd:
>> set_mppe_enc_types
>> refuse_mppe_stateful
>> mppe_recv_key
>> mppe_keys_set
>> mppe_send_key
>> mppe_set_keys
>> nomppe-stateful
>> mppe-stateful
>> -mppe-128
>> nomppe-128
>> +mppe-128
>> require-mppe-128
>> -mppe-40
>> nomppe-40
>> +mppe-40
>> require-mppe-40
>> -mppe
>> nomppe
>> +mppe
>> require-mppe
>> mppe %s %s %s %s %s %s%s
>>
>> I'm not quite sure what the nomppe-stateful thing does. Here's an
>> output of the version on pppd: pppd version 2.4.2b3
>>
>> Anyone got any ideas why those other modules don't start? Or why the
>> kernelmod.sh script seems to complete without actually installing all
>> the right modules?
>>
>> Sorry to burden the list with all this, it's just that I can't seem to
>> find a lot of the documentation anywhere else.
>>
>> -r
>>
>> On Wednesday, Jan 7, 2004, at 13:16 America/Denver, bdoctor at ps-ax.com
>> wrote:
>>
>>> I'd definitely put those refuse options in there - I seem to recall
>>> it not working, or that the client would *always* do 40bit MPPE, which is
>>> unacceptable.
>>>
>>> I also seem to recall patching pppd. I did a strings on it:
>>>
>>> 7 @vpn:/home/bdoctor/poptop-1.1.4 > strings /usr/sbin/pppd|grep mppe
>>> set_mppe_enc_types
>>> refuse_mppe_stateful
>>> mppe_recv_key
>>> mppe_keys_set
>>> mppe_send_key
>>> mppe_set_keys
>>> require-mppe
>>> +mppe
>>> nomppe
>>> require-mppe-40
>>> +mppe-40
>>> nomppe-40
>>> require-mppe-128
>>> +mppe-128
>>> nomppe-128
>>> nomppe-stateful
>>> mppe %s %s %s %s %s %s%s
>>>
>>> and the version:
>>>
>>> 3 @vpn:/home/bdoctor> pppd --version
>>> pppd version 2.4.2b3
>>>
>>> I cannot remember for sure if I patched it though. I think I did?
>>>
>>> One thing is for sure - there are a lot of little gotchas that I
>>> struggled through and it was a complete pain. Not having MPPE support in your
>>> module listing is an issue I believe. I know that without the kernelmod
>>> patch, nothing would work properly for me.
>>>
>>> Also, without the conntrack modules connections through the device
>>> (to the Internet) would fail. Internal connections would work fine however.
>>>
>>> This particular installation fully supports Windows clients,
>>> including domain logons, network/smb browsing, the whole bit. Also forces all traffic
>>> to go through the device, rather than a split-horizon type of setup.
>>> Naturally, I cannot remember everything that I did, beyond the pain :)
>>>
>>> Also, the kernelmod patch will produce modules, so if you have a
>>> working source tree for the running kernel, you won't have to install a new
>>> kernel image - so doing it remotely is safer than it would be otherwise.
>>> This patch provides the MPPE support.
>>>
>>> Another thing that helped me is to run tcpdump, and to run the server
>>> in full debug mode (both options.pptpd and pptpd.conf).
>>>
>>> -brad
>>>
>>>> Ok. I'm pretty sure that I did all that you said. I found that
>>>> there was a problem in my options.pptpd file: I had the option
>>>>
>>>> nobsdcomp
>>>>
>>>> with a "0" at the end of it. I ran pppd manually and it didn't like
>>>> that one bit.
>>>>
>>>> Now, when I try to connect, my client gives me the error:
>>>>
>>>> Error 732: Your computer and the remote computer could not agree on
>>>> ppp control protocols
>>>>
>>>> Googling on this error only yields two sites.... Reading the PopToP
>>>> FAQ, it says that there are patches available to make pppd compatible
>>>> with the MSCHAP protocol, but the version on the patches that I
>>>> found are version 2.3.5 while the one that I have is version 2.4.2.
>>>>
>>>> Here is an lsmod output:
>>>>
>>>> Module Size Used by Not tainted
>>>> ppp_async 9440 0 (autoclean)
>>>> ppp_generic 24820 0 (autoclean) [ppp_async]
>>>> slhc 6756 0 (autoclean) [ppp_generic]
>>>> agpgart 56664 5 (autoclean)
>>>> parport_pc 19076 1 (autoclean)
>>>> lp 9028 0 (autoclean)
>>>> parport 37088 1 (autoclean) [parport_pc lp]
>>>> autofs 13364 0 (autoclean) (unused)
>>>> 3c59x 30928 1
>>>> floppy 58160 0 (autoclean)
>>>> microcode 4724 0 (autoclean)
>>>> loop 12120 0 (autoclean)
>>>> keybdev 2976 0 (unused)
>>>> mousedev 5524 1
>>>> hid 22212 0 (unused)
>>>> input 5888 0 [keybdev mousedev hid]
>>>> usb-uhci 26412 0 (unused)
>>>> usbcore 79392 1 [hid usb-uhci]
>>>> ext3 91592 2
>>>> jbd 52336 2 [ext3]
>>>> lvm-mod 64672 3
>>>>
>>>> I'm not quite sure why I'm missing all the other modules (or where
>>>> else to get them). I installed all the relevant packages you listed
>>>> below.
>>>>
>>>> Here is my options.pptpd:
>>>>
>>>> ## CHANGE TO SUIT YOUR SYSTEM
>>>> lock
>>>>
>>>> ## turn pppd syslog debugging on
>>>> debug
>>>>
>>>> ## change 'pptpd' to whatever you specify as your server name in chap-secrets
>>>> name pptpd
>>>>
>>>> proxyarp
>>>> nobsdcomp
>>>>
>>>> # This option applies if you use ppp with chapms-strip-domain patch
>>>> #chapms-strip-domain
>>>>
>>>> # These options apply if you use ppp with mppe patch
>>>> # NB! You should also apply the ChapMS-V2 patch
>>>> #-chap
>>>> #-chapms
>>>> #+chapms-v2
>>>> #mppe-128
>>>> #mppe-stateless
>>>>
>>>> # These options will tell ppp to pass on these to your clients
>>>> # To use ms-wins or ms-dns in options.pptpd it must exist in /etc/resolv.conf
>>>> ms-wins ip.of.wins.srvr
>>>> ms-dns ip.of.dns.srvr
>>>>
>>>> Would it make a big difference to add the "refuse" options that you
>>>> have listed in your options.pptpd file? (I'll give it a shot
>>>> anyways.)
>>>>
>>>> Thanks for the help and sorry for the long post.
>>>>
>>>> -r
>>>> On Wednesday, Jan 7, 2004, at 12:33 America/Denver, bdoctor at ps-ax.com
>>>> wrote:
>>>>
>>>>> A module listing would be helpful. Here are the relevant modules
>>>>> running on a poptop server:
>>>>>
>>>>> ppp_async 9440 3 (autoclean)
>>>>> ppp_mppe 13944 6
>>>>> ppp_generic 24604 9 [ppp_async ppp_mppe]
>>>>> slhc 6740 0 [ppp_generic]
>>>>> ipt_state 1048 1 (autoclean)
>>>>> ip_nat_pptp 2764 0 (unused)
>>>>> ip_conntrack_pptp 3824 1
>>>>> ip_conntrack_proto_gre 4468 0 [ip_nat_pptp ip_conntrack_pptp]
>>>>>
>>>>> And here is the options.pptpd:
>>>>>
>>>>> ## CHANGE TO SUIT YOUR SYSTEM
>>>>> lock
>>>>>
>>>>> ## turn pppd syslog debugging on
>>>>> debug
>>>>>
>>>>> ## change 'pptpd' to whatever you specify as your server name in chap-secrets
>>>>> name vpn.server.com
>>>>>
>>>>> # Don't need this
>>>>> #nobsdcomp
>>>>>
>>>>> #noauth
>>>>> auth
>>>>> # Tell pptpd to find local interface and put it in proxyarp mode
>>>>> proxyarp
>>>>>
>>>>> ipcp-accept-local
>>>>> ipcp-accept-remote
>>>>> lcp-echo-failure 3
>>>>> lcp-echo-interval 5
>>>>> deflate 0
>>>>>
>>>>> # This option applies if you use ppp with chapms-strip-domain patch
>>>>> #chapms-strip-domain
>>>>>
>>>>> # These options are for use with the OpenSSL-licensed patch
>>>>> # This flavor will be obsoleted ASAP.
>>>>> # NB! You should also apply the ChapMS-V2 patch
>>>>> #-chap
>>>>> #-chapms
>>>>> #+chapms-v2
>>>>> #mppe-40 # both 40-bit and 128-bit encryption bite each other
>>>>> #mppe-128
>>>>> #mppe-stateless
>>>>>
>>>>> # These options are for use with the BSD-licensed patch (ppp => 2.4.2)
>>>>> # This is the default implementation
>>>>> refuse-pap
>>>>> refuse-eap
>>>>> refuse-chap
>>>>> refuse-mschap
>>>>> require-mppe
>>>>> nomppe-stateful
>>>>> nomppe-40
>>>>>
>>>>> # These options will tell ppp to pass on these to your clients
>>>>> # To use ms-wins or ms-dns in options.pptpd it must exist in /etc/resolv.conf
>>>>> #ms-wins <ip-of-your-winsserver>
>>>>> ms-dns <internal IP>
>>>>>
>>>>>
>>>>> Sample log entry for successful connection:
>>>>>
>>>>> Jan 7 11:37:41 vpn pptpd[12194]: CTRL: Client <ip.address> control connection started
>>>>> Jan 7 11:37:41 vpn pptpd[12194]: CTRL: Starting call (launching pppd, opening GRE)
>>>>> Jan 7 11:37:41 vpn pppd[12195]: pppd 2.4.2b3 started by shmoe, uid 8990
>>>>> Jan 7 11:37:41 vpn pppd[12195]: Using interface ppp1
>>>>> Jan 7 11:37:41 vpn pppd[12195]: Connect: ppp1 <--> /dev/pts/1
>>>>> Jan 7 11:37:42 vpn pptpd[12194]: GRE: Discarding duplicate packet
>>>>> Jan 7 11:37:44 vpn pptpd[12194]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
>>>>> Jan 7 11:37:44 vpn pppd[12195]: CHAP peer authentication succeeded for username
>>>>> Jan 7 11:37:44 vpn pppd[12195]: MPPE 128-bit stateless compression enabled
>>>>>
>>>>> And then for the setup on the Windows client, it is really basic -
>>>>> no custom options, just select maximum security for the connection.
>>>>>
>>>>> Key elements for this to work:
>>>>>
>>>>> mppe support in kernel
>>>>> gre support in kernel
>>>>> conntrack support, as noted above
>>>>>
>>>>> Also be sure to download and apply the kernelmod package. It won't
>>>>> work until you do that.
>>>>>
>>>>> Best of luck!
>>>>> -brad
>>>>>
>>>>>> hey guys,
>>>>>>
>>>>>> I'm lost, basically cause I've never set up a VPN server before,
>>>>>> but I'm trying to set one up using PoPToP on WhiteBox Linux. I've
>>>>>> patched the kernel and installed all the right stuff and edited the right
>>>>>> conf files per the RedHat installation instructions on the poptop.org
>>>>>> website. But, when I try to connect a Win2k client to the server
>>>>>> I get this:
>>>>>>
>>>>>> Error 619: The specified port is not connected.
>>>>>>
>>>>>> Here's what is in the logs:
>>>>>>
>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress control connection started
>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: CTRL: Starting call (launching pppd, opening GRE)
>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress control connection finished
>>>>>>
>>>>>>
>>>>>> This doesn't make much sense to me. I don't have much experience
>>>>>> with GRE, so I'm a little lost. The only idea that I have is to
>>>>>> disable GRE in the kernel and recompile, but I'm working from home today
>>>>>> (to test the VPN) and don't really wish to recompile and test a new
>>>>>> kernel remotely :)
>>>>>>
>>>>>>
>>>>>> Thanks for the help in advance.
>>>>>>
>>>>>> -r
>>>>>>
>>>>>> _______________________________________________
>>>>>> Web Page: http://lug.boulder.co.us
>>>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>>>> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>>>>>>
>>>>>
>>>>> --
>>>>> Brad Doctor, CISSP
>>>>>
>>>>
>>>>
>>>
>>> --
>>> Brad Doctor, CISSP
>>>
>>
>>
>
> --
> Brad Doctor, CISSP
>
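As an added example (not code from the thread, nor from pppd or PoPToP), a small Python audit of an options.pptpd file: it checks for the refuse-*/require-mppe/nomppe-* options Brad's working configuration uses, flags noauth, and reports stray words such as the trailing "0" Ryan had after nobsdcomp, which pppd reads as a further, unrecognized option. The sample files are constructed from the two configurations quoted above; the 192.0.2.53 DNS address is a placeholder, and the option table covers only the options that appear in this thread.

```python
"""Audit a pppd options.pptpd file against the working configuration's policy.
Example code for this page, not part of pppd/PoPToP; knows only options seen here."""

# Options the working configuration uses to pin MS-CHAPv2 + 128-bit MPPE.
REQUIRED = {
    "refuse-pap": "PAP sends the password in clear text",
    "refuse-eap": "leaving EAP open widens what pppd will accept",
    "refuse-chap": "plain CHAP (MD5) cannot derive MPPE session keys",
    "refuse-mschap": "MS-CHAPv1 is weaker than MS-CHAPv2",
    "require-mppe": "without MPPE the tunnel carries plaintext",
    "nomppe-40": "40-bit MPPE (RC4-40) is too weak",
    "nomppe-stateful": "stateful MPPE loses sync on packet loss",
}
FORBIDDEN = {"noauth": "disables peer authentication entirely"}
# Flag options and one-argument options seen in the thread's files.
FLAGS = {"lock", "debug", "proxyarp", "nobsdcomp", "auth", "ipcp-accept-local",
         "ipcp-accept-remote"} | set(REQUIRED) | set(FORBIDDEN)
TAKES_ARG = {"name", "lcp-echo-failure", "lcp-echo-interval", "deflate",
             "ms-wins", "ms-dns"}

def parse_options(text):
    """Tokenise like pppd: whitespace-separated words, a word starting with '#'
    comments out the rest of its line, a TAKES_ARG option consumes the next word."""
    words = []
    for line in text.splitlines():
        for w in line.split():
            if w.startswith("#"):
                break
            words.append(w)
    seen, unknown, i = {}, [], 0
    while i < len(words):
        w = words[i]
        if w in TAKES_ARG:
            seen[w] = words[i + 1] if i + 1 < len(words) else None
            i += 1
        elif w in FLAGS:
            seen[w] = True
        else:
            unknown.append(w)  # pppd aborts here with "unrecognized option"
        i += 1
    return seen, unknown

def audit(text):
    """Return a list of findings; an empty list means the file meets the policy."""
    seen, unknown = parse_options(text)
    findings = [f"missing {o}: {why}" for o, why in REQUIRED.items() if o not in seen]
    findings += [f"present {o}: {why}" for o, why in FORBIDDEN.items() if o in seen]
    findings += [f"unrecognized option {w!r}" for w in unknown]
    return findings

# Constructed samples modelled on the two options.pptpd files quoted above.
RYAN_BEFORE_FIX = "lock\ndebug\nname pptpd\nproxyarp\nnobsdcomp 0\nms-dns ip.of.dns.srvr\n"
BRAD_WORKING = ("lock\ndebug\nname vpn.server.com\nauth\nproxyarp\ndeflate 0\nrefuse-pap\n"
                "refuse-eap\nrefuse-chap\nrefuse-mschap\nrequire-mppe\nnomppe-stateful\n"
                "nomppe-40\nms-dns 192.0.2.53\n")
```

Running audit(RYAN_BEFORE_FIX) lists all seven missing policy options plus the stray '0'; audit(BRAD_WORKING) returns an empty list.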