[lug] PoPToP connection issue
bdoctor at ps-ax.com
Thu Jan 8 16:24:14 MST 2004
Hmm - if you can connect, then we are mostly there. Here are the settings
that work with the setup that you now have:
Under the security tab, select the 'advanced settings' radio button, then
click on settings
For the Data Encryption, select 'Maximum strength...'
Under allow these protocols, make sure that only MS CHAP V2 is selected.
In fact, that should be the only thing selected at all on this tab
And that is basically it! We do also add a domain name to append for the DNS
information for the vpn connection, but beyond that there is nothing special.
Do you have ICMP blocked on either end? You can verify this by pinging
either host from either host - including traceroute.
It looks like it disabled MPPE only after the other side did not respond
to any pings. If you have a personal FW going, make sure it allows ICMP
from the VPN server.
Now it is pretty much down to basic network issues - protocols allowed, etc.
One other thing to check is that the network connection uses the default
GW on the remote host:
Networking tab, IP properties, Advanced
From here you can also specify the domain name to append.
You should be all set once this stuff is figured out!
-brad
> well, it didn't work right off the bat.... when i first tried to
> connect i got:
> Error 619: The specified port is not connected.
>
> and in my logs it read:
>
> Jan 8 15:15:58 hostname pptpd[2389]: CTRL: Client ip.add.res.sss control connection started
> Jan 8 15:15:58 hostname pptpd[2389]: CTRL: Starting call (launching pppd, opening GRE)
> Jan 8 15:15:58 hostname pptpd[2389]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
> Jan 8 15:15:58 hostname pptpd[2389]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> Jan 8 15:15:58 hostname pptpd[2389]: CTRL: Client ip.add.res.sss control connection finished
>
> so I ran pppd against my pptpd options:
> ]# /usr/sbin/pppd file /etc/ppp/options.pptpd
> /usr/sbin/pppd: The remote system is required to authenticate itself
> /usr/sbin/pppd: but I couldn't find any suitable secret (password) for
> it to use to do so.
>
> and then had to populate the /etc/ppp/chap-secrets file. which is
> easy, or you can use the script from poptop.org.
>
> so, now, I can connect and browse around by IP, but it disconnects
> after about a minute or so. here's the logs:
>
> Jan 8 15:44:22 hostname pppd[2522]: CHAP peer authentication succeeded for ryan
> Jan 8 15:44:22 hostname pppd[2522]: MPPE 128-bit stateless compression enabled
> Jan 8 15:44:25 hostname pppd[2522]: found interface eth0 for proxy arp
> Jan 8 15:44:25 hostname pppd[2522]: local IP address ip.add.res.sss
> Jan 8 15:44:25 hostname pppd[2522]: remote IP address ip.add.res.sss
> Jan 8 15:45:22 hostname pppd[2522]: No response to 3 echo-requests
> Jan 8 15:45:22 hostname pppd[2522]: Serial link appears to be disconnected.
> Jan 8 15:45:22 hostname pppd[2522]: MPPE disabled
> Jan 8 15:45:25 hostname pppd[2522]: Connection terminated.
> Jan 8 15:45:25 hostname pppd[2522]: Connect time 1.1 minutes.
> Jan 8 15:45:25 hostname pppd[2522]: Sent 13157 bytes, received 19413 bytes.
> Jan 8 15:45:25 hostname pppd[2522]: Connect time 1.1 minutes.
> Jan 8 15:45:25 hostname pppd[2522]: Sent 13157 bytes, received 19413 bytes.
> Jan 8 15:45:25 hostname pppd[2522]: Exit.
> Jan 8 15:45:25 hostname pptpd[2521]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
> Jan 8 15:45:25 hostname pptpd[2521]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> Jan 8 15:45:25 hostname pptpd[2521]: CTRL: Client ip.add.res.sss control connection finished
>
>
> the options.pptpd file looks fine, and pppd manually runs against it
> fine, so I'm not sure why it's saying MPPE disabled. You think that
> this might be a client thing? I set up the client per the win2k
> instructions on the poptop website.
>
> -ryan
>
> On Thursday, Jan 8, 2004, at 11:53 America/Denver, bdoctor at ps-ax.com
> wrote:
>
> > Great! You should be good on the server side for name resolution, however
> > on the client side be sure the specific VPN connection has the proper DNS
> > domain names appended. If name resolution fails, try accessing via IP:
> >
> > \\internal.ip\resource
> >
> > If that works, then you are pretty much assured the resolution problem is on
> > the client side. This has been a big issue with our clients, and it has always
> > been a connection-specific DNS issue.
> >
> > Also, to test the pure IP side of things, you should be able to traceroute
> > (tracert) from the client to an internal machine, assuming you are not blocking
> > it on the vpn server. Same from the vpn server to the client, and any other
> > internal host to the client.
> >
> > Good luck!
> > -brad
> >
> >> Ok, sweet. I think that everything looks good now. I have to go home
> >> to test it, but i got all the modules up and running. here's an output
> >> now:
> >>
> >> ]# lsmod
> >> Module Size Used by Tainted: P
> >> ppp_mppe 13912 0 (unused)
> >> ppp_generic 24820 0 [ppp_mppe]
> >> slhc 6756 0 [ppp_generic]
> >> agpgart 56664 4 (autoclean)
> >> ip_nat_pptp 3180 0 (unused)
> >> iptable_nat 22168 1 [ip_nat_pptp]
> >> ip_tables 15776 3 [iptable_nat]
> >> ip_conntrack_pptp 4176 1
> >> ip_conntrack_proto_gre 4276 0 [ip_nat_pptp ip_conntrack_pptp]
> >> ip_conntrack 28552 3 [ip_nat_pptp iptable_nat
> >> ip_conntrack_pptp ip_conntrack_proto_gre]
> >>
> >> but, after making the netfilter config changes to the modules and
> >> recompiling, i had to re-run the kernelmod stuff to get the ppp_mppe
> >> and ppp_generic modules to run. I'm going home after lunch and gonna
> >> try and connect from there. I'll let you know how it goes.
> >>
> >> do i have to config anything else to get network neighborhood and stuff
> >> to work other than specifying the wins and dns servers in the pptpd
> >> config?
> >>
> >> thanks again for your help. your instructions were a godsend ;)
> >>
> >> -r
> >>
> >> On Wednesday, Jan 7, 2004, at 17:18 America/Denver, bdoctor at ps-ax.com
> >> wrote:
> >>
> >>> Cool, no problem :)
> >>>
> >>>> brad, thanks a bunch for your help. I was just looking at the
> >>>> netfilter patchomatic stuff. I'm calling it quits for today, and will
> >>>> tackle this tomorrow. I'll let you know how it goes.
> >>>>
> >>>> -rtw
> >>>> On Wednesday, Jan 7, 2004, at 17:06 America/Denver, bdoctor at ps-ax.com
> >>>> wrote:
> >>>>
> >>>>> For the RPM - don't worry about that as it is not required. That would
> >>>>> allow you to take it and install it on another machine, or for some
> >>>>> odd reason to re-install on the current machine.
> >>>>>
> >>>>> For the module not loading properly, there are likely dependencies.
> >>>>> This is how I force the loading from my startup script for pptpd:
> >>>>>
> >>>>> modprobe ip_conntrack_pptp 1> /dev/null 2>&1
> >>>>> modprobe ip_nat_pptp 1> /dev/null 2>&1
> >>>>>
> >>>>> You will need to download and install the patch-o-matic package from
> >>>>> netfilter.org. Then you will need to use the 'runme' command and apply:
> >>>>>
> >>>>> runme extra/pptp-conntrack-nat.patch
> >>>>>
> >>>>> 32 @vpn:/home/bdoctor/patch-o-matic/extra > more pptp-conntrack-nat.patch.help
> >>>>> Author: Harald Welte <laforge at gnumonks.org>
> >>>>> Status: Beta
> >>>>>
> >>>>> This adds CONFIG_IP_NF_PPTP:
> >>>>> Connection tracking and NAT support for PPTP.
> >>>>>
> >>>>> Note that this code currently has limitations
> >>>>> - can only NAT connections from PNS to PAC
> >>>>> - doesnt' support multiple calls within one session
> >>>>>
> >>>>>
> >>>>> Then, configure your kernel with your favorite method and enable:
> >>>>>
> >>>>> IP: tunneling
> >>>>> IP: GRE tunnels over IP (module)
> >>>>> IP: broadcast GRE over IP
> >>>>>
> >>>>> Netfilter:
> >>>>> Connection tracking
> >>>>> GRE protocol support
> >>>>> PPTP protocol support
> >>>>> All Connection tracking
> >>>>> ...
> >>>>>
> >>>>> Actually, for netfilter I enable everything as a module. The above
> >>>>> three entries are critical, however.
> >>>>>
> >>>>> After you have done this, recompile the modules:
> >>>>> make modules
> >>>>> And install the modules:
> >>>>> make modules_install
> >>>>>
> >>>>> The kernelmod part did its thing, but your netfilter setup is lacking.
> >>>>>
> >>>>> Also, in /etc/modules.conf I have these relevant entries:
> >>>>>
> >>>>> alias char-major-108 ppp_generic
> >>>>> alias ppp-compress-18 ppp_mppe
> >>>>> alias ppp-compress-21 bsd_comp
> >>>>> alias ppp-compress-24 ppp_deflate
> >>>>> alias ppp-compress-26 ppp_deflate
> >>>>> alias tty-ldisc-3 ppp_async
> >>>>> alias tty-ldisc-14 ppp_synctty
> >>>>>
> >>>>> One thing is for sure - as painful as this is, once it is setup, it works
> >>>>> very well and requires nearly no maintenance. So there is a light at the
> >>>>> end of this tunnel.
> >>>>>
> >>>>> -brad
> >>>>>
> >>>>>> Ok, i've run kernelmod again, and everything seemed to go fine, but it
> >>>>>> didn't seem to work. The script didn't ask me if i wanted to make an
> >>>>>> RPM (like the README says it will) here's the end output of the script:
> >>>>>>
> >>>>>> -------------------------------------------------
> >>>>>> --> Locating patches.
> >>>>>> Found patches for 2.4.
> >>>>>> Checking for specific patches.
> >>>>>> Found patches for 2.4.21
> >>>>>> -------------------------------------------------
> >>>>>> --> Patches & sources
> >>>>>> Applying patch /tmp/kernelmod/2.4/linux-2.4.21-bsd-mppe.patch
> >>>>>> patching file include/linux/ppp-comp.h
> >>>>>> patching file drivers/net/Config.in
> >>>>>> Hunk #1 succeeded at 307 (offset 18 lines).
> >>>>>> patching file drivers/net/Makefile
> >>>>>> Hunk #2 succeeded at 157 (offset 6 lines).
> >>>>>> Hunk #3 succeeded at 267 (offset 7 lines).
> >>>>>> patching file drivers/net/ppp_generic.c
> >>>>>> Hunk #1 succeeded at 1045 (offset 15 lines).
> >>>>>> Hunk #3 succeeded at 1573 (offset 15 lines).
> >>>>>> Copying extra sources to /usr/src/linux-2.4/
> >>>>>> arcfour.c --> /usr/src/linux-2.4//drivers/net/arcfour.c
> >>>>>> arcfour.h --> /usr/src/linux-2.4//drivers/net/arcfour.h
> >>>>>> ppp_mppe_compress.c --> /usr/src/linux-2.4//drivers/net/ppp_mppe_compress.c
> >>>>>> sha1.c --> /usr/src/linux-2.4//drivers/net/sha1.c
> >>>>>> sha1.h --> /usr/src/linux-2.4//drivers/net/sha1.h
> >>>>>> Copying extra sources to /tmp/kernelmod/build/
> >>>>>> -------------------------------------------------
> >>>>>> Building module arcfour.o
> >>>>>> Building module ppp_generic.o
> >>>>>> Building module ppp_mppe_compress.o
> >>>>>> Building module sha1.o
> >>>>>> Building module ppp_mppe.o
> >>>>>> -------------------------------------------------
> >>>>>> Installing module ppp_generic.o in
> >>>>>> /lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
> >>>>>> Installing module ppp_mppe.o in
> >>>>>> /lib/modules/2.4.21-4.0.1.EL/kernel/drivers/net/
> >>>>>> Updating module dependencies
> >>>>>> Everything seems OK. Removing buildstuff in /tmp/kernelmod/build
> >>>>>>
> >>>>>> but, here's what actually gets installed:
> >>>>>>
> >>>>>> ]# lsmod
> >>>>>> Module Size Used by Tainted: P
> >>>>>> ppp_mppe 13912 0 (unused)
> >>>>>> ppp_generic 24820 0 [ppp_mppe]
> >>>>>> slhc 6756 0 [ppp_generic]
> >>>>>> agpgart 56664 5 (autoclean)
> >>>>>> parport_pc 19076 1 (autoclean)
> >>>>>> lp 9028 0 (autoclean)
> >>>>>> parport 37088 1 (autoclean) [parport_pc lp]
> >>>>>> autofs 13364 0 (autoclean) (unused)
> >>>>>> 3c59x 30928 1
> >>>>>> floppy 58160 0 (autoclean)
> >>>>>> microcode 4724 0 (autoclean)
> >>>>>> loop 12120 0 (autoclean)
> >>>>>> keybdev 2976 0 (unused)
> >>>>>> mousedev 5524 1
> >>>>>> hid 22212 0 (unused)
> >>>>>> input 5920 0 [keybdev mousedev hid]
> >>>>>> usb-uhci 26412 0 (unused)
> >>>>>> usbcore 79424 1 [hid usb-uhci]
> >>>>>> ext3 91592 2
> >>>>>> jbd 52336 2 [ext3]
> >>>>>> lvm-mod 64672 3
> >>>>>>
> >>>>>>
> >>>>>> again, missing the modules that you specified... when i try to do an
> >>>>>> ]# insmod ipt_state
> >>>>>> Using /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o
> >>>>>> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ip_conntrack_get_Ra6f02512
> >>>>>> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ip_conntrack_module_Rb0361033
> >>>>>> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ipt_register_match_R91801b7c
> >>>>>> /lib/modules/2.4.21-4.0.1.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ipt_unregister_match_R77bac37b
> >>>>>>
> >>>>>>
> >>>>>> whenever I do a strings on pppd:
> >>>>>> set_mppe_enc_types
> >>>>>> refuse_mppe_stateful
> >>>>>> mppe_recv_key
> >>>>>> mppe_keys_set
> >>>>>> mppe_send_key
> >>>>>> mppe_set_keys
> >>>>>> nomppe-stateful
> >>>>>> mppe-stateful
> >>>>>> -mppe-128
> >>>>>> nomppe-128
> >>>>>> +mppe-128
> >>>>>> require-mppe-128
> >>>>>> -mppe-40
> >>>>>> nomppe-40
> >>>>>> +mppe-40
> >>>>>> require-mppe-40
> >>>>>> -mppe
> >>>>>> nomppe
> >>>>>> +mppe
> >>>>>> require-mppe
> >>>>>> mppe %s %s %s %s %s %s%s
> >>>>>>
> >>>>>> i'm not quite sure what the nomppe-stateful thing does. here's an
> >>>>>> output of the version on pppd: pppd version 2.4.2b3
> >>>>>>
> >>>>>> anyone got any ideas why those other modules don't start? or why the
> >>>>>> kernelmod.sh script seems to complete without actually installing all
> >>>>>> the right modules?
> >>>>>>
> >>>>>> sorry to burden the list with all this, it's just that i can't seem to
> >>>>>> find a lot of the documentation anywhere else.
> >>>>>>
> >>>>>> -r
> >>>>>>
> >>>>>> On Wednesday, Jan 7, 2004, at 13:16 America/Denver, bdoctor at ps-ax.com
> >>>>>> wrote:
> >>>>>>
> >>>>>>> I'd definitely put those refuse options in there - I seem to recall it
> >>>>>>> not working, or that the client would *always* do 40bit MPPE, which is
> >>>>>>> unacceptable.
> >>>>>>>
> >>>>>>> I also seem to recall patching pppd. I did a strings on it:
> >>>>>>>
> >>>>>>> 7 @vpn:/home/bdoctor/poptop-1.1.4 > strings /usr/sbin/pppd|grep mppe
> >>>>>>> set_mppe_enc_types
> >>>>>>> refuse_mppe_stateful
> >>>>>>> mppe_recv_key
> >>>>>>> mppe_keys_set
> >>>>>>> mppe_send_key
> >>>>>>> mppe_set_keys
> >>>>>>> require-mppe
> >>>>>>> +mppe
> >>>>>>> nomppe
> >>>>>>> require-mppe-40
> >>>>>>> +mppe-40
> >>>>>>> nomppe-40
> >>>>>>> require-mppe-128
> >>>>>>> +mppe-128
> >>>>>>> nomppe-128
> >>>>>>> nomppe-stateful
> >>>>>>> mppe %s %s %s %s %s %s%s
> >>>>>>>
> >>>>>>> and the version:
> >>>>>>>
> >>>>>>> 3 @vpn:/home/bdoctor> pppd --version
> >>>>>>> pppd version 2.4.2b3
> >>>>>>>
> >>>>>>> I cannot remember for sure if I patched it though. I think I did?
> >>>>>>>
> >>>>>>> One thing is for sure - there are a lot of little gotchas that I struggled
> >>>>>>> through and it was a complete pain. Not having MPPE support in your module
> >>>>>>> listing is an issue I believe. I know that without the kernelmod patch,
> >>>>>>> nothing would work properly for me.
> >>>>>>>
> >>>>>>> Also, without the conntrack modules connections through the device (to
> >>>>>>> the Internet) would fail. Internal connections would work fine however.
> >>>>>>>
> >>>>>>> This particular installation fully supports windows clients, including
> >>>>>>> domain logons, network/smb browsing, the whole bit. Also forces all traffic
> >>>>>>> to go through the device, rather than a split-horizon type of setup.
> >>>>>>> Naturally, I cannot remember everything that I did, beyond the pain :)
> >>>>>>>
> >>>>>>> Also, the kernelmod patch will produce modules, so if you have a working
> >>>>>>> source tree for the running kernel, you won't have to install a new kernel
> >>>>>>> image - so doing it remotely is safer than it would be otherwise. This patch
> >>>>>>> provides the MPPE support.
> >>>>>>>
> >>>>>>> Another thing that helped me is to run tcpdump, and to run the server
> >>>>>>> in full debug mode (both options.pptpd and pptpd.conf).
> >>>>>>>
> >>>>>>> -brad
> >>>>>>>
> >>>>>>>> Ok. I'm pretty sure that I did all that you said. I found that there
> >>>>>>>> was a problem in my options.pptpd file i had the option
> >>>>>>>>
> >>>>>>>> nobsdcomp
> >>>>>>>>
> >>>>>>>> with a "0" at the end of it. i ran pppd manually and it didn't like
> >>>>>>>> that one bit.
> >>>>>>>>
> >>>>>>>> now, when I try to connect, my client gives me the error:
> >>>>>>>>
> >>>>>>>> Error 732: Your computer and the remote computer could not agree on
> >>>>>>>> ppp control protocols
> >>>>>>>>
> >>>>>>>> Googling on this error only yields two sites.... Reading the PopToP
> >>>>>>>> FAQ, it says that there are patches available to make pppd compatible
> >>>>>>>> with the MSCHAP protocol, but the version on the patches that I found
> >>>>>>>> are version 2.3.5 while the one that I have is version 2.4.2.
> >>>>>>>>
> >>>>>>>> here is an lsmod output:
> >>>>>>>>
> >>>>>>>> Module Size Used by Not tainted
> >>>>>>>> ppp_async 9440 0 (autoclean)
> >>>>>>>> ppp_generic 24820 0 (autoclean) [ppp_async]
> >>>>>>>> slhc 6756 0 (autoclean) [ppp_generic]
> >>>>>>>> agpgart 56664 5 (autoclean)
> >>>>>>>> parport_pc 19076 1 (autoclean)
> >>>>>>>> lp 9028 0 (autoclean)
> >>>>>>>> parport 37088 1 (autoclean) [parport_pc lp]
> >>>>>>>> autofs 13364 0 (autoclean) (unused)
> >>>>>>>> 3c59x 30928 1
> >>>>>>>> floppy 58160 0 (autoclean)
> >>>>>>>> microcode 4724 0 (autoclean)
> >>>>>>>> loop 12120 0 (autoclean)
> >>>>>>>> keybdev 2976 0 (unused)
> >>>>>>>> mousedev 5524 1
> >>>>>>>> hid 22212 0 (unused)
> >>>>>>>> input 5888 0 [keybdev mousedev hid]
> >>>>>>>> usb-uhci 26412 0 (unused)
> >>>>>>>> usbcore 79392 1 [hid usb-uhci]
> >>>>>>>> ext3 91592 2
> >>>>>>>> jbd 52336 2 [ext3]
> >>>>>>>> lvm-mod 64672 3
> >>>>>>>>
> >>>>>>>> i'm not quite sure why i'm missing all the other modules (or where else
> >>>>>>>> to get them). I installed all the relevant packages you listed below.
> >>>>>>>>
> >>>>>>>> here is my options.pptpd:
> >>>>>>>>
> >>>>>>>> ## CHANGE TO SUIT YOUR SYSTEM
> >>>>>>>> lock
> >>>>>>>>
> >>>>>>>> ## turn pppd syslog debugging on
> >>>>>>>> debug
> >>>>>>>>
> >>>>>>>> ## change 'pptpd' to whatever you specify as your server name in chap-secrets
> >>>>>>>> name pptpd
> >>>>>>>>
> >>>>>>>> proxyarp
> >>>>>>>> nobsdcomp
> >>>>>>>>
> >>>>>>>> # This option applies if you use ppp with chapms-strip-domain patch
> >>>>>>>> #chapms-strip-domain
> >>>>>>>>
> >>>>>>>> # These options apply if you use ppp with mppe patch
> >>>>>>>> # NB! You should also apply the ChapMS-V2 patch
> >>>>>>>> #-chap
> >>>>>>>> #-chapms
> >>>>>>>> #+chapms-v2
> >>>>>>>> #mppe-128
> >>>>>>>> #mppe-stateless
> >>>>>>>>
> >>>>>>>> # These options will tell ppp to pass on these to your clients
> >>>>>>>> # To use ms-wins or ms-dns in options.pptpd it must exist in /etc/resolv.conf
> >>>>>>>> ms-wins ip.of.wins.srvr
> >>>>>>>> ms-dns ip.of.dns.srvr
> >>>>>>>>
> >>>>>>>> would it make a big difference to add the "refuse" options that you
> >>>>>>>> have listed in your options.pptpd file? (i'll give it a shot anyways).
> >>>>>>>>
> >>>>>>>> thanks for the help and sorry for the long post.
> >>>>>>>>
> >>>>>>>> -r
> >>>>>>>> On Wednesday, Jan 7, 2004, at 12:33 America/Denver, bdoctor at ps-ax.com
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>> A module listing would be helpful. Here are the relevant modules
> >>>>>>>>> running on a poptop server:
> >>>>>>>>>
> >>>>>>>>> ppp_async 9440 3 (autoclean)
> >>>>>>>>> ppp_mppe 13944 6
> >>>>>>>>> ppp_generic 24604 9 [ppp_async ppp_mppe]
> >>>>>>>>> slhc 6740 0 [ppp_generic]
> >>>>>>>>> ipt_state 1048 1 (autoclean)
> >>>>>>>>> ip_nat_pptp 2764 0 (unused)
> >>>>>>>>> ip_conntrack_pptp 3824 1
> >>>>>>>>> ip_conntrack_proto_gre 4468 0 [ip_nat_pptp ip_conntrack_pptp]
> >>>>>>>>>
> >>>>>>>>> And here is the options.pptpd:
> >>>>>>>>>
> >>>>>>>>> ## CHANGE TO SUIT YOUR SYSTEM
> >>>>>>>>> lock
> >>>>>>>>>
> >>>>>>>>> ## turn pppd syslog debugging on
> >>>>>>>>> debug
> >>>>>>>>>
> >>>>>>>>> ## change 'pptpd' to whatever you specify as your server name in chap-secrets
> >>>>>>>>> name vpn.server.com
> >>>>>>>>>
> >>>>>>>>> # Don't need this
> >>>>>>>>> #nobsdcomp
> >>>>>>>>>
> >>>>>>>>> #noauth
> >>>>>>>>> auth
> >>>>>>>>> # Tell pptpd to find local interface and put it in proxyarp mode
> >>>>>>>>> proxyarp
> >>>>>>>>>
> >>>>>>>>> ipcp-accept-local
> >>>>>>>>> ipcp-accept-remote
> >>>>>>>>> lcp-echo-failure 3
> >>>>>>>>> lcp-echo-interval 5
> >>>>>>>>> deflate 0
> >>>>>>>>>
> >>>>>>>>> # This option applies if you use ppp with chapms-strip-domain patch
> >>>>>>>>> #chapms-strip-domain
> >>>>>>>>>
> >>>>>>>>> # These options are for use with the OpenSSL-licensed patch
> >>>>>>>>> # This flavor will be obsoleted ASAP.
> >>>>>>>>> # NB! You should also apply the ChapMS-V2 patch
> >>>>>>>>> #-chap
> >>>>>>>>> #-chapms
> >>>>>>>>> #+chapms-v2
> >>>>>>>>> #mppe-40 # both 40-bits and 128-bits encryption bite each other
> >>>>>>>>> #mppe-128
> >>>>>>>>> #mppe-stateless
> >>>>>>>>>
> >>>>>>>>> # These options are for use with the BSD-licensed patch (ppp => 2.4.2)
> >>>>>>>>> # This is the default implementation
> >>>>>>>>> refuse-pap
> >>>>>>>>> refuse-eap
> >>>>>>>>> refuse-chap
> >>>>>>>>> refuse-mschap
> >>>>>>>>> require-mppe
> >>>>>>>>> nomppe-stateful
> >>>>>>>>> nomppe-40
> >>>>>>>>>
> >>>>>>>>> # These options will tell ppp to pass on these to your clients
> >>>>>>>>> # To use ms-wins or ms-dns in options.pptpd it must exist in /etc/resolv.conf
> >>>>>>>>> #ms-wins <ip-of-your-winsserver>
> >>>>>>>>> ms-dns <internal IP>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Sample log entry for successful connection:
> >>>>>>>>>
> >>>>>>>>> Jan 7 11:37:41 vpn pptpd[12194]: CTRL: Client <ip.address> control connection started
> >>>>>>>>> Jan 7 11:37:41 vpn pptpd[12194]: CTRL: Starting call (launching pppd, opening GRE)
> >>>>>>>>> Jan 7 11:37:41 vpn pppd[12195]: pppd 2.4.2b3 started by shmoe, uid 8990
> >>>>>>>>> Jan 7 11:37:41 vpn pppd[12195]: Using interface ppp1
> >>>>>>>>> Jan 7 11:37:41 vpn pppd[12195]: Connect: ppp1 <--> /dev/pts/1
> >>>>>>>>> Jan 7 11:37:42 vpn pptpd[12194]: GRE: Discarding duplicate packet
> >>>>>>>>> Jan 7 11:37:44 vpn pptpd[12194]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> >>>>>>>>> Jan 7 11:37:44 vpn pppd[12195]: CHAP peer authentication succeeded for username
> >>>>>>>>> Jan 7 11:37:44 vpn pppd[12195]: MPPE 128-bit stateless compression enabled
> >>>>>>>>>
> >>>>>>>>> And then for the setup on the windows client, it is really basic - no
> >>>>>>>>> custom options, just select maximum security for the connection.
> >>>>>>>>>
> >>>>>>>>> Key elements for this to work:
> >>>>>>>>>
> >>>>>>>>> mppe support in kernel
> >>>>>>>>> gre support in kernel
> >>>>>>>>> conntrack support, as noted above
> >>>>>>>>>
> >>>>>>>>> Also be sure to download and apply the kernelmod package. It won't
> >>>>>>>>> work until you do that.
> >>>>>>>>>
> >>>>>>>>> Best of luck!
> >>>>>>>>> -brad
> >>>>>>>>>
> >>>>>>>>>> hey guys,
> >>>>>>>>>>
> >>>>>>>>>> i'm lost, basically cause i've never set up a VPN server before, but
> >>>>>>>>>> i'm trying to set one up using PoPToP on WhiteBox Linux. I've patched
> >>>>>>>>>> the kernel and installed all the right stuff and edited the right conf
> >>>>>>>>>> files per the RedHat installation instructions on the poptop.org
> >>>>>>>>>> website. But, when I try to connect a Win2k client to the server I get
> >>>>>>>>>> this:
> >>>>>>>>>>
> >>>>>>>>>> Error 619: The specified port is not connected.
> >>>>>>>>>>
> >>>>>>>>>> here's what is in the logs:
> >>>>>>>>>>
> >>>>>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress control connection started
> >>>>>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: CTRL: Starting call (launching pppd, opening GRE)
> >>>>>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
> >>>>>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> >>>>>>>>>> Jan 7 09:44:38 hostname pptpd[1823]: CTRL: Client home.ip.add.ress control connection finished
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> this doesn't make much sense to me. I don't have much experience with
> >>>>>>>>>> GRE, so I'm a little lost. The only ideas that I have is to disable
> >>>>>>>>>> GRE in the kernel and recompile, but, I'm working from home today (to
> >>>>>>>>>> test the VPN) and don't really wish to recompile and test a new kernel
> >>>>>>>>>> remotely :)
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> thanks for help in advance.
> >>>>>>>>>>
> >>>>>>>>>> -r
> >>>>>>>>>>
> >>>>>>>>>> _______________________________________________
> >>>>>>>>>> Web Page: http://lug.boulder.co.us
> >>>>>>>>>> Mailing List:
> >>>>>>>>>> http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >>>>>>>>>> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Brad Doctor, CISSP
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Brad Doctor, CISSP
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>> --
> >>>>> Brad Doctor, CISSP
> >>>>>
> >>>>
> >>>>
> >>>
> >>> --
> >>> Brad Doctor, CISSP
> >>>
> >>
> >>
> >
> > --
> > Brad Doctor, CISSP
> >
>
>
--
Brad Doctor, CISSP
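As an added example, not part of this thread nor of PoPToP or pppd: a small Python script that lints an options.pptpd for the refuse-*/require-mppe settings brad posts above and classifies the pppd/pptpd syslog traces ryan posts, so that an "MPPE disabled" line that follows unanswered LCP echo-requests is read as a path problem rather than an encryption failure. Option names are the pppd 2.4.2 ones shown in the thread; the sample configs and log lines are constructed from the thread's own traces.

```python
"""Added example, not PoPToP or pppd code. lint_options() flags weak
authentication/encryption settings in a pppd options.pptpd, using the option
names pppd 2.4.2 accepts as shown in the thread; classify_disconnect() tells an
'MPPE disabled' caused by unanswered LCP echo-requests apart from other causes."""
import re

# refuse-* options from the thread's hardened options.pptpd; all four leave MS-CHAP v2.
WEAK_AUTH = {
    "refuse-pap": "PAP (cleartext password) still negotiable",
    "refuse-eap": "EAP still negotiable",
    "refuse-chap": "plain CHAP (MD5) still negotiable",
    "refuse-mschap": "MS-CHAP v1 still negotiable; only MS-CHAP v2 should remain",
}

def parse_options(text):
    """Flatten a pppd options file to tokens: '#' starts a comment, several per line."""
    return [t for raw in text.splitlines() for t in raw.split("#", 1)[0].split()]

def lint_options(text):
    """Return a list of findings; an empty list matches the thread's settings."""
    toks = set(parse_options(text))
    findings = []
    if "noauth" in toks:
        findings.append("noauth: peer is not required to authenticate")
    for opt, why in WEAK_AUTH.items():
        if opt not in toks:
            findings.append(f"missing {opt}: {why}")
    if not toks & {"require-mppe", "require-mppe-40", "require-mppe-128"}:
        findings.append("missing require-mppe: encryption is optional")
    if "require-mppe-128" not in toks and "nomppe-40" not in toks:
        findings.append("40-bit MPPE allowed: add nomppe-40 or require-mppe-128")
    if "nomppe-stateful" not in toks:
        findings.append("stateful MPPE allowed: add nomppe-stateful")
    if not {"lcp-echo-failure", "lcp-echo-interval"} <= toks:
        findings.append("no lcp-echo-*: dead links are never torn down")
    return findings

LCP_TIMEOUT = re.compile(r"pppd\[(\d+)\]: No response to (\d+) echo-requests")
MPPE_OFF = re.compile(r"pppd\[(\d+)\]: MPPE disabled")
GRE_FAIL = re.compile(r"pptpd\[\d+\]: GRE: read\(.*\) from PTY failed")

def classify_disconnect(lines):
    """Return (verdict, detail) for a run of pppd/pptpd syslog lines."""
    timeouts = {}  # pppd pid -> unanswered LCP echo-requests seen so far
    for line in lines:
        m = LCP_TIMEOUT.search(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
            continue
        m = MPPE_OFF.search(line)
        if m and m.group(1) in timeouts:
            return ("lcp-echo-timeout", f"pppd[{m.group(1)}]: {timeouts[m.group(1)]} "
                    "LCP echo-requests unanswered before MPPE was disabled; check the "
                    "ICMP/GRE path and the client firewall, not the MPPE options")
        if m:
            return ("mppe-negotiation", f"pppd[{m.group(1)}]: MPPE disabled with no "
                    "preceding LCP timeout; check the MPPE and MS-CHAP v2 options")
    if any(GRE_FAIL.search(line) for line in lines):
        return ("gre-pty-failure", "pptpd could not read from the pppd PTY: pppd "
                "exited early; run pppd manually against options.pptpd to see why")
    return ("ok", "no disconnect pattern found")

# Constructed samples modelled on the configs and log traces in the thread.
WEAK_OPTIONS = "lock\ndebug\nname pptpd\nproxyarp\nnobsdcomp\nms-dns ip.of.dns.srvr\n"
HARDENED_OPTIONS = """\
name vpn.server.com
auth
proxyarp
lcp-echo-failure 3
lcp-echo-interval 5
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mppe nomppe-stateful nomppe-40   # several options on one line
"""
ECHO_TIMEOUT_LOG = [
    "Jan 8 15:44:22 hostname pppd[2522]: MPPE 128-bit stateless compression enabled",
    "Jan 8 15:45:22 hostname pppd[2522]: No response to 3 echo-requests",
    "Jan 8 15:45:22 hostname pppd[2522]: MPPE disabled",
]
GRE_ONLY_LOG = [
    "Jan 8 15:15:58 hostname pptpd[2389]: CTRL: Starting call (launching pppd, opening GRE)",
    "Jan 8 15:15:58 hostname pptpd[2389]: GRE: read(fd=5,buffer=804d5a0,len=8196) "
    "from PTY failed: status = -1 error = Input/output error",
]

if __name__ == "__main__":
    print("weak:", lint_options(WEAK_OPTIONS), "hardened:", lint_options(HARDENED_OPTIONS))
    print(classify_disconnect(ECHO_TIMEOUT_LOG), classify_disconnect(GRE_ONLY_LOG))
```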