Topic: VPN Problems

[Bob King]

I have had March SME Server Ver 5 with update 2 installed for several months and everything seems to be working very well. Recently we developed the need for an internet VPN connection to allow sales people to log in and access a data base runinng on the internal Windows network.

I have read the March user's guide and several howto's but just can not get a connection established. The configuration in the Remote access server-manager is set to allow 2 PPTP conections.

The setting in Windows 2000 Pro dialup networking are as follows:

General - The March server's IP address
Options - Display progress ...
              Nothing else ticked
Security - Typical
               Require secure password
               Nothing else ticked

Networking - Point to Point Tunneling Protocol (PPTP)
                      Settings
                          Enable LCP extentions
                          Enable software compression
                   Internet Protocol (TCP/IP)
                   File and Printer Sharing for MS Networks
                   Client for MS Networks
Shariing - Nothing ticked

When trying to establish a connection it goes through verfiying user name and password and after a short time comes back with "Error 619 - The specified port is not connected".

Can someone please tell me what I am doing wrong.

[Chris Smith]

This is actually a Win2k issue. I had the same problem. Update the Win2k boxes to sp2 and it will work.

[Filippo Carletti]

If W2k pre SP2 (or SP1), disable Software compression

[Bob King]

Thanks to both Chris & Filippo for their responses.

The Win2K boxes are all SP2. I still get the same error even with software compression disabled. Have tried connecting from several different locations using different Win2K machines always the same error.

Any other ideas will be greatly appreciated.

Bob

[Filippo Carletti]

Time for a bit of debugging.
telnet your.external.ip.address 1723

Can you connect ?

If yes, show us some relevant pieces from /var/log/messages

[Bob King]

Telnet is disabled. Connected via SSH. Below are entries in /var/log/messages from one recent connection attempt. Hope this helps. And thanks for the assistance.

*****************************************************************
Dec  8 05:24:45 AARAT01 pptpd[7233]: MGR: Launching /usr/sbin/pptpctrl to handle client
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: local address = 192.168.178.10
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: remote address = 192.168.178.147
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: pppd speed = 460800
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: pppd options file = /etc/ppp/options.pptpd
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: Client 203.59.204.105 control connection started
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: Received PPTP Control Message (type: 1)
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: Made a START CTRL CONN RPLY packet
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: I wrote 156 bytes to the client.
Dec  8 05:24:45 AARAT01 pptpd[7233]: CTRL: Sent packet to client
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: Received PPTP Control Message (type: 7)
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: 0 min_bps, 1525 max_bps, 32 window size
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: Made a OUT CALL RPLY packet
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: Starting call (launching pppd, opening GRE)
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: pty_fd = 5
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: tty_fd = 6
Dec  8 05:24:46 AARAT01 pptpd[7234]: CTRL (PPPD Launcher): Connection speed = 460800
Dec  8 05:24:46 AARAT01 pptpd[7234]: CTRL (PPPD Launcher): local address = 192.168.178.10
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: I wrote 32 bytes to the client.
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: Sent packet to client
Dec  8 05:24:46 AARAT01 pptpd[7234]: CTRL (PPPD Launcher): remote address = 192.168.178.147
Dec  8 05:24:46 AARAT01 modprobe: modprobe: Can't locate module char-major-108
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: Received PPTP Control Message (type: 15)
Dec  8 05:24:46 AARAT01 pptpd[7233]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Dec  8 05:24:46 AARAT01 kernel: CSLIP: code copyright 1989 Regents of the University of California
Dec  8 05:24:46 AARAT01 kernel: PPP: version 2.3.7 (demand dialling)
Dec  8 05:24:46 AARAT01 kernel: PPP line discipline registered.
Dec  8 05:24:46 AARAT01 kernel: registered device ppp0
Dec  8 05:24:46 AARAT01 pppd[7234]: pppd 2.4.0 started by root, uid 0
Dec  8 05:24:46 AARAT01 pppd[7234]: Using interface ppp0
Dec  8 05:24:46 AARAT01 pppd[7234]: Connect: ppp0 <--> /dev/pts/0
Dec  8 05:24:47 AARAT01 pptpd[7233]: CTRL: Received PPTP Control Message (type: 15)
Dec  8 05:24:47 AARAT01 pptpd[7233]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: Received PPTP Control Message (type: 12)
Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: Made a CALL DISCONNECT RPLY packet
Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: Received CALL CLR request (closing call)
Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: I wrote 148 bytes to the client.
Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: Sent packet to client
Dec  8 05:24:51 AARAT01 pppd[7234]: Modem hangup
Dec  8 05:24:51 AARAT01 pppd[7234]: Connection terminated.
Dec  8 05:24:51 AARAT01 pppd[7234]: Exit.
Dec  8 05:24:51 AARAT01 pptpd[7233]: GRE: read error: Bad file descriptor
Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: Client 203.59.204.105 control connection finished
Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: Exiting now
Dec  8 05:24:51 AARAT01 pptpd[5993]: MGR: Reaped child 7233
********************************************************************************

[Filippo Carletti]

> Telnet is disabled.

It was only to check if the port as open, don't worry.

> /var/log/messages from one recent connection attempt. Hope
> this helps. And thanks for the assistance.
> Dec  8 05:24:51 AARAT01 pptpd[7233]: CTRL: Received PPTP
> Control Message (type: 12)

Your win2k is asking to close the call.
Hard to say why.
Maybe win2k doesn't agree on compression option or something.

[Bob King]

Thanks anyway Filippo,

I've tried from several different Win2K machines from different locations, different networks and different types of internet access. Every attempt resulted in the exact same error.

I wonder if anyone on this forum has been able to use Win2K to establish a VPN connection with a SME Server 5.0 box. If so please let me know how!

I have double checked the user E-Smith manual & howto's. The Win2K boxes have SP2 installed and 128 bit encryption. I've tried all the different settings in the Win Dialup Networking VPN connection Dialog. Nothing has helped.

[bala]

Bob

Under your win2K "Virtual Private Connection Properties"

Options - Display progress ...
tick - Prompt for name and password

I'm using Wink2K to connect to my office (e-smith) from home....works...

I did try with your above mentioned settings and it gave me the same error code...
The only difference is the "tick - Prompt for name and password" ... tick it and maybe it should work as mine........


Regards


Bala

[Bob King]

Thanks Bala,

I tried it but no help - same error.

There must be something  that I am missing on the SME Server box since the problem occures when trying to connect from several different Win2K boxes.

[Filippo Carletti]

> There must be something  that I am missing on the SME Server
> box since the problem occures when trying to connect from
> several different Win2K boxes.

I agree. I tested connections from 98,2K and 2kSP2 to essg 4.1.2 and SME 5.0
Always worked, apart disabling compression on plain 2k.

[Shing Ho]

Hi Bob

I have the same problem as you.  I have a theory.

I'm running V5 on a P100.  I think it is too slow to run VPN connection.  It seems to disconnect (timeout) at 30 sec.  I tried to increased the timeout but there was no affect, may be it's a Microsoft bug.

The e-smith VPN does work, I can connect from home to office.  The office machine is significantly faster (800MHz).

Please let me know if you are currently running on a slow server as well.

This is just a theory!
Shing...Bob King wrote:

[Bob King]

Hi Shing Ho,

The server is a P200 with 512kb cache & 128mb RAM, 30gb HDD.
It has only 6 users on the connected network. Functions as a Gateway, DCHP, Web & E-mail server (no Web Mail). The Web site it hosts is very small (averages less than 100 hit/day) with no dynamic content. The permanent Internet connection is ADSL 64 up x 128 down. Another server on the network does File Server duties.

It doesn't seem to me that this configuration would be over stressing the P200.

Bob

[Shing Ho]

Can't explain it then.  I don't have anyother users on the server and it still doesn't connect.  May be CPU speed related???

Shing..

[Shing Ho]

Can't explain it then.  I don't have anyother users on the server and it still doesn't connect.  May be CPU speed related???

Shing..

[Steve Bush]

I have several Win2k Pro and Servers that I have setup with PPTP connections to several SME5 servers.  I setup 5 concurrent connections with each.  They are all setup with 2 NIC's in server and gateway mode.  Some of the Win2k PC's connect to the Internet via an SME 5 server, others use dialup to Compuserve classic.  They all work without a problem.

> The setting in Windows 2000 Pro dialup networking are as
> follows:
>
> General - The March server's IP address
> Options - Display progress ...
>               Nothing else ticked
I have prompt for name and password

> Security - Typical
>                Require secure password
>                Nothing else ticked
I have Require data encryption


> Networking - Point to Point Tunneling Protocol (PPTP)
>                       Settings
>                           Enable LCP extentions
>                           Enable software compression
I use Automatic and settings with all items checked.

>                    Internet Protocol (TCP/IP)
This won't make a difference until you're connected, but in the advanced screen uncheck the use default gateway on remote network or everything goes through the remote server, even if destined to the Internet.

>                    File and Printer Sharing for MS Networks
>                    Client for MS Networks
> Sharing - Nothing ticked

Just another thought.  Do you have any software that would interfere with this, such as personal firewalls, etc.  Also is your Internet connection direct or through a proxy/router that doesn't allow PPTP?  I would double check that you have Win2k SP2 installed.  Possibly reinstalling it.  The problem you see is the same one I got with the old version of win2k.

Good luck!!!

[Filippo Carletti]

I have a P100 with 32 Megs of ram, really slow, but works.
We still have to see Bob's /var/log/messages, right ?

[Bob King]

Steve,
I have double checked all the Win2k boxes for SP2. Since I have tried connecting using several different machines from different locations using different types of internet connections, I can't see the problem being Win2k. I have tried all the different variations of settings you suggested. I even installed update 3 on the SMEServer.

I am going to setup a test SMEServer box and play around with it to see what I can do.

Philippo,
I posted the log here:
http://forums.contribs.org/index.php?topic=12205.msg45836#msg45836

[Steve Bush]

Is your SME server setup in server only mode?
If so there is a bug referenced here:

http://www.e-smith.org/bugs/index.php3?op=showBug&bugID=28


All of the servers that I setup are configured with two NICs in server and gateway mode.  If yours is setup with two NICs, do you have a firewall between the SME server and the Internet that could be interfering with PPTP?

[Steve Bush]

Hmm on a second look at the bug, you would still be allowed to connect to the SME box, but you wouldn't have access to any devices on the network.

[Shing Ho]

I'm currently running SME in server mode only and have a router between the server and the internet.  

I have enabled port 1723 to be routed thru and also have applied the bug fix as mentioned.  

I have also tried from a windows 98 machine and have the same results.

[Filippo Carletti]

> I posted the log here:
> http://forums.contribs.org/index.php?topic=12205.msg45836#msg45836

Sorry. I must be careful. Sorry.

I think that you have an authentication problem. My logs diverge from yours in this line: pppd[3329]: MSCHAP-v2 peer authentication succeeded for username, right after pppd[3329]: Connect: ppp0 <--> /dev/pts/0

You could add a debug option in /etc/ppp/options to see if it logs more infos.
Also, keep in mind that you're using chap auth, so your /etc/ppp/chap-secrets must have lines like this:
username        hostname  &/etc/smbpasswd         *
for every usernname.

[Shing Ho]

I had a closer look at my log.  It is a little different than Bob's.

There is a LCP Timeout in my log that is not in Bob's log.

Here is my log.

Dec 12 11:56:12 shing-server pptpd[2664]: MGR: Launching /usr/sbin/pptpctrl to handle client
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: local address = 192.168.0.10
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: remote address = 192.168.0.249
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: pppd speed = 460800
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: pppd options file = /etc/ppp/options.pptpd
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Client 64.230.79.173 control connection started
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Received PPTP Control Message (type: 1)
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Made a START CTRL CONN RPLY packet
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: I wrote 156 bytes to the client.
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Sent packet to client
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: Received PPTP Control Message (type: 7)
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: 0 min_bps, 1525 max_bps, 32 window size
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: Made a OUT CALL RPLY packet
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: Starting call (launching pppd, opening GRE)
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: pty_fd = 5
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: tty_fd = 6
Dec 12 11:56:15 shing-server pptpd[2665]: CTRL (PPPD Launcher): Connection speed = 460800
Dec 12 11:56:15 shing-server pptpd[2665]: CTRL (PPPD Launcher): local address = 192.168.0.10
Dec 12 11:56:15 shing-server pptpd[2665]: CTRL (PPPD Launcher): remote address = 192.168.0.249
Dec 12 11:56:15 shing-server pptpd[2664]: CTRL: I wrote 32 bytes to the client.
Dec 12 11:56:15 shing-server pptpd[2664]: CTRL: Sent packet to client
Dec 12 11:56:15 shing-server pptpd[2664]: CTRL: Received PPTP Control Message (type: 15)
Dec 12 11:56:15 shing-server pptpd[2664]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Dec 12 11:56:15 shing-server modprobe: modprobe: Can't locate module char-major-108
Dec 12 11:56:15 shing-server pppd[2665]: pppd 2.4.0 started by root, uid 0
Dec 12 11:56:15 shing-server pppd[2665]: Using interface ppp0
Dec 12 11:56:15 shing-server pppd[2665]: Connect: ppp0 <--> /dev/pts/1
Dec 12 11:56:45 shing-server pppd[2665]: LCP: timeout sending Config-Requests
Dec 12 11:56:45 shing-server pppd[2665]: Connection terminated.
Dec 12 11:56:45 shing-server pppd[2665]: Exit.
Dec 12 11:56:45 shing-server pptpd[2664]: Error reading from pppd: Input/output error
Dec 12 11:56:45 shing-server pptpd[2664]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Dec 12 11:56:45 shing-server pptpd[2664]: CTRL: Client 64.230.79.173 control connection finished
Dec 12 11:56:45 shing-server pptpd[2664]: CTRL: Exiting now
Dec 12 11:56:45 shing-server pptpd[1411]: MGR: Reaped child 2664


Thanks
Shing...

[Filippo Carletti]

> There is a LCP Timeout in my log that is not in Bob's log.
>
> Here is my log.
>
> Dec 12 11:56:15 shing-server pppd[2665]: Connect: ppp0 <-->
> /dev/pts/1
> Dec 12 11:56:45 shing-server pppd[2665]: LCP: timeout sending
> Config-Requests

The server waits 30 seconds for an answer from the client. Is there a firewall between the two machines or on the client ?

[Shing Ho]

Hi Filippo

There are two senarios.

1.

Home                                  Office

SME - Linksys router  -  - E-smith server - W2K PC


2.

Home                                  Home2

SME - Linksys router  -  - W98 PC



On the router I have enabled port 1723 to be routed to the SME server.  In both senarios I get the same results.  I'm not sure if home2 has the 128-bit Dial up networking, will check tonight.

The office server is configured as server/gateway.  Could the office server be blocking the VPN path??


Shing..

[Filippo Carletti]

> The office server is configured as server/gateway.  Could the
> office server be blocking the VPN path??

It shouldn't. Better to have different subnets at home and at the office.
I also tested connecting from behind an e-smith to another SME. It works.

[Steve Bush]

Okay.  My gut feeling is that your firewall is not setup to allow the correct ports through or the NAT translation is not setup correctly if you're using it.

You may want to try getting support from your router vendor or if you support it, verify the NAT translation and temporarily punch a hole in the firewall to allow all ports through to your SME, then back off once you know it works.

Good Luck

[Brent]

Did this get resolved.  I am dealing with the same issue.  I am able to go out my sme at home over cable modem pptp to a w2k server at my office connecting fine.  However, when I attempt to do the same to my sme server at the office I get the error 619 as discussed.  If anyone resolved this let me know.  I am going to attempt tomorrow after I upgrade to SP2.
TIA
Brent

[Shad]

These are the same error I get if I forget to allow GRE packets (protocol 47) thought my firewall at work.  The TCP connection gets established and it tries to connect the GRE connection and fails.  Eventually the timeout occurs and the connection drops.  When I opened up protocol 47 on the firewall then the connection goes through fine.

I know that the linksys will allow you to pass TCP and UDP packets through but the only way to get GRE packets though is to set the SME server as the DMZ host.  That way all packets that don't have a reverse NAT mapping will get passed to the SME server.

-Shad

[Shad]

These are the same error I get if I forget to allow GRE packets (protocol 47) thought my firewall at work.  The TCP connection gets established and it tries to connect the GRE connection and fails.  Eventually the timeout occurs and the connection drops.  When I opened up protocol 47 on the firewall then the connection goes through fine.

I know that the linksys will allow you to pass TCP and UDP packets through but the only way to get GRE packets though is to set the SME server as the DMZ host.  That way all packets that don't have a reverse NAT mapping will get passed to the SME server.

-Shad

[Bob King]

Filippo Carletti wrote:

> Also, keep in mind that you're using chap auth, so your
> /etc/ppp/chap-secrets must have lines like this:
> username        hostname  &/etc/smbpasswd         *
> for every usernname.

I have been loking at the files located in the /etc/ppp directory on the SMEServer box.

list of files in the /etc/ppp/ directory:
chap-secrets (e-smith template)
options (not e-smith template)
options.pptpd (e-smith template)
options.server (not e-smith template)
pap-secrets (e-smith template)
pppoe.conf (not e-smith template)
pppoe-server-options (not e-smith template)
*ip-down
*ip-up
*ip-up.local

The relavent content of these files (except those starting with *) is shown below.

There seems to be a conflict between options.pptpd and options.server.
options.pptpd states "require-chap"
options.server states "require-pap" and "refuse-chap"
Could this be part of the problem?

chap-secrets seems to be correct with an entry for each user log-in name however pap-secrets does not have any entries.

Hopefully someone with more knowledge than me will be able to check these files and determine if there is a problem or not.

Contents of the files follows:

/etc/ppp/chap-secrets (e-smith template)
**************************************************
username  hostname  &/etc/smbpasswd         *

(there is a line as above for every user log-in name on the system)
****************************************************


/etc/ppp/options (not e-smth template)
*********************************************
lock
*********************************************

/etc/options/options.pptpd (e-smith template)
****************************************************
auth
+chapms-v2
chapms-strip-domain
domain (real domain name is here)
# Tell ip-up and ip-down who is running them
ipparam pptpd
nodeflate
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless
ms-dns 192.168.187.10
# Server is not master - no ms-wins value set
name (real hostname is here)
netmask 255.255.255.0
proxyarp
require-chap
**********************************************

/etc/ppp/options.server (not e-smith template)
*************************************************
lock
crtscts
modem
require-pap
refuse-chap
login
noauth
netmask 255.255.25.0
ms-dns 192.168.178.10
ms-wins 192.168.178.10
proxyarp
192.168.178.10:192.168.178.20
***************************************************

/etc/ppp/pap-secrets (e-smith template)
*********************************************
*      *     ""             *
*********************************************


/etc/ppp/ppoe.conf (not an e-smith template)
***********************************************************************      
#
# pppoe.conf
#
# Configuration file for rp-pppoe.  Edit as appropriate and install in
# /etc/ppp/pppoe.conf
#
# NOTE: This file is used by the adsl-start, adsl-stop, adsl-connect and
#       adsl-status shell scripts.  It is *not* used in any way by the
#       "pppoe" executable
#  
# Copyright (C) 2000 Roaring Penguin Software Inc
#
# This file may be distributed under the terms of the GNU General
# Public License.
#
# When you configure a variable, DO NOT leave spaces around the "=" sign.
# Ethernet card connected to ADSL modem
ETH=eth1
# ADSL user name.  You may have to supply "@provider.com"  Sympatico
# users in Canada do need to include "@sympatico.ca"
# Sympatico uses PAP authentication.  Make sure /etc/ppp/pap-secrets  
# contains the right username/password combination.
# For Magma, use xxyyzz@magma.ca
USER=bxxxnxnx@sympatico.ca
# Bring link up on demand?  Default is to leave link up all the time.
# If you want the link to come up on demand, set DEMAND to a number indicating    
# the idle time after which the link is brought down.
DEMAND=no  
#DEMAND=300
# Obtain DNS server addresses from the peer (recent versions of pppd only)
******************************************************************************************

/etc/ppp/pppoe-server-options (not an e-smith template)
****************************************************************
# PPP options for the PPPoE server
require-pap
****************************************************************

[Filippo Carletti]

I don't see anything strange in your config files.
Have you been able to connect from the same client win pc to another sme server ?
Could it be that client needs tweaking ?
Force client to ask for encryption ?

[Lazo]

Why don't you try this!! I have a NAT firewall, and what i did is foward port 1723 and port 47 to my SME server, (and a pptp compiled version), I can log in to the server, I can ping any pc on the LAN, I can http:/SME/server-manager, the only thing I can't do is to access my shares, even I ping the PC, I know I have to edit the hostname, but can U tell me where is this file??

Thanks!!