Koozali.org: home of the SME Server

VPN Problems

Steve Bush

Re: VPN Problems
« Reply #15 on: December 12, 2001, 05:26:54 AM »
I have several Win2k Pro and Servers that I have set up with PPTP connections to several SME5 servers.  I set up 5 concurrent connections with each.  They are all set up with 2 NICs in server and gateway mode.  Some of the Win2k PCs connect to the Internet via an SME 5 server, others use dialup to Compuserve classic.  They all work without a problem.

> The setting in Windows 2000 Pro dialup networking are as
> follows:
>
> General - The March server's IP address
> Options - Display progress ...
>               Nothing else ticked
I have prompt for name and password

> Security - Typical
>                Require secure password
>                Nothing else ticked
I have Require data encryption


> Networking - Point to Point Tunneling Protocol (PPTP)
>                       Settings
>                           Enable LCP extensions
>                           Enable software compression
I use Automatic and settings with all items checked.

>                    Internet Protocol (TCP/IP)
This won't make a difference until you're connected, but in the advanced screen uncheck the use default gateway on remote network or everything goes through the remote server, even if destined to the Internet.

>                    File and Printer Sharing for MS Networks
>                    Client for MS Networks
> Sharing - Nothing ticked

Just another thought.  Do you have any software that would interfere with this, such as personal firewalls, etc.?  Also is your Internet connection direct or through a proxy/router that doesn't allow PPTP?  I would double check that you have Win2k SP2 installed.  Possibly reinstalling it.  The problem you see is the same one I got with the old version of win2k.

Good luck!!!

Filippo Carletti

Re: VPN Problems
« Reply #16 on: December 12, 2001, 02:57:57 PM »
I have a P100 with 32 Megs of ram, really slow, but works.
We still have to see Bob's /var/log/messages, right ?

Bob King

Re: VPN Problems
« Reply #17 on: December 12, 2001, 03:28:56 PM »
Steve,
I have double checked all the Win2k boxes for SP2. Since I have tried connecting using several different machines from different locations using different types of internet connections, I can't see the problem being Win2k. I have tried all the different variations of settings you suggested. I even installed update 3 on the SMEServer.

I am going to setup a test SMEServer box and play around with it to see what I can do.

Filippo,
I posted the log here:
http://forums.contribs.org/index.php?topic=12205.msg45836#msg45836

Steve Bush

Re: VPN Problems
« Reply #18 on: December 12, 2001, 05:26:19 PM »
Is your SME server set up in server-only mode?
If so there is a bug referenced here:

http://www.e-smith.org/bugs/index.php3?op=showBug&bugID=28


All of the servers that I set up are configured with two NICs in server and gateway mode.  If yours is set up with two NICs, do you have a firewall between the SME server and the Internet that could be interfering with PPTP?

Steve Bush

Re: VPN Problems
« Reply #19 on: December 12, 2001, 05:28:44 PM »
Hmm on a second look at the bug, you would still be allowed to connect to the SME box, but you wouldn't have access to any devices on the network.

Shing Ho

Re: VPN Problems
« Reply #20 on: December 12, 2001, 07:22:54 PM »
I'm currently running SME in server mode only and have a router between the server and the internet.  

I have enabled port 1723 to be routed thru and also have applied the bug fix as mentioned.  

I have also tried from a windows 98 machine and have the same results.

Filippo Carletti

Re: VPN Problems
« Reply #21 on: December 12, 2001, 07:30:03 PM »
> I posted the log here:
> http://forums.contribs.org/index.php?topic=12205.msg45836#msg45836

Sorry. I must be careful. Sorry.

I think that you have an authentication problem. My logs diverge from yours in this line: pppd[3329]: MSCHAP-v2 peer authentication succeeded for username, right after pppd[3329]: Connect: ppp0 <--> /dev/pts/0

You could add a debug option in /etc/ppp/options to see if it logs more info.
Also, keep in mind that you're using chap auth, so your /etc/ppp/chap-secrets must have lines like this:
username        hostname  &/etc/smbpasswd         *
for every username.

Shing Ho

Re: VPN Problems
« Reply #22 on: December 12, 2001, 07:57:26 PM »
I had a closer look at my log.  It is a little different than Bob's.

There is a LCP Timeout in my log that is not in Bob's log.

Here is my log.

Dec 12 11:56:12 shing-server pptpd[2664]: MGR: Launching /usr/sbin/pptpctrl to handle client
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: local address = 192.168.0.10
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: remote address = 192.168.0.249
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: pppd speed = 460800
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: pppd options file = /etc/ppp/options.pptpd
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Client 64.230.79.173 control connection started
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Received PPTP Control Message (type: 1)
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Made a START CTRL CONN RPLY packet
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: I wrote 156 bytes to the client.
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Sent packet to client
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: Received PPTP Control Message (type: 7)
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: 0 min_bps, 1525 max_bps, 32 window size
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: Made a OUT CALL RPLY packet
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: Starting call (launching pppd, opening GRE)
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: pty_fd = 5
Dec 12 11:56:14 shing-server pptpd[2664]: CTRL: tty_fd = 6
Dec 12 11:56:15 shing-server pptpd[2665]: CTRL (PPPD Launcher): Connection speed = 460800
Dec 12 11:56:15 shing-server pptpd[2665]: CTRL (PPPD Launcher): local address = 192.168.0.10
Dec 12 11:56:15 shing-server pptpd[2665]: CTRL (PPPD Launcher): remote address = 192.168.0.249
Dec 12 11:56:15 shing-server pptpd[2664]: CTRL: I wrote 32 bytes to the client.
Dec 12 11:56:15 shing-server pptpd[2664]: CTRL: Sent packet to client
Dec 12 11:56:15 shing-server pptpd[2664]: CTRL: Received PPTP Control Message (type: 15)
Dec 12 11:56:15 shing-server pptpd[2664]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Dec 12 11:56:15 shing-server modprobe: modprobe: Can't locate module char-major-108
Dec 12 11:56:15 shing-server pppd[2665]: pppd 2.4.0 started by root, uid 0
Dec 12 11:56:15 shing-server pppd[2665]: Using interface ppp0
Dec 12 11:56:15 shing-server pppd[2665]: Connect: ppp0 <--> /dev/pts/1
Dec 12 11:56:45 shing-server pppd[2665]: LCP: timeout sending Config-Requests
Dec 12 11:56:45 shing-server pppd[2665]: Connection terminated.
Dec 12 11:56:45 shing-server pppd[2665]: Exit.
Dec 12 11:56:45 shing-server pptpd[2664]: Error reading from pppd: Input/output error
Dec 12 11:56:45 shing-server pptpd[2664]: CTRL: GRE read or PTY write failed (gre,pty)=(6,5)
Dec 12 11:56:45 shing-server pptpd[2664]: CTRL: Client 64.230.79.173 control connection finished
Dec 12 11:56:45 shing-server pptpd[2664]: CTRL: Exiting now
Dec 12 11:56:45 shing-server pptpd[1411]: MGR: Reaped child 2664


Thanks
Shing...

Filippo Carletti

Re: VPN Problems
« Reply #23 on: December 12, 2001, 08:22:48 PM »
> There is a LCP Timeout in my log that is not in Bob's log.
>
> Here is my log.
>
> Dec 12 11:56:15 shing-server pppd[2665]: Connect: ppp0 <-->
> /dev/pts/1
> Dec 12 11:56:45 shing-server pppd[2665]: LCP: timeout sending
> Config-Requests

The server waits 30 seconds for an answer from the client. Is there a firewall between the two machines or on the client ?

Shing Ho

Re: VPN Problems
« Reply #24 on: December 12, 2001, 08:36:59 PM »
Hi Filippo

There are two scenarios.

1.

Home                                  Office

SME - Linksys router  -  - E-smith server - W2K PC


2.

Home                                  Home2

SME - Linksys router  -  - W98 PC



On the router I have enabled port 1723 to be routed to the SME server.  In both scenarios I get the same results.  I'm not sure if home2 has the 128-bit Dial up networking, will check tonight.

The office server is configured as server/gateway.  Could the office server be blocking the VPN path??


Shing..

Filippo Carletti

Re: VPN Problems
« Reply #25 on: December 12, 2001, 09:33:00 PM »
> The office server is configured as server/gateway.  Could the
> office server be blocking the VPN path??

It shouldn't. Better to have different subnets at home and at the office.
I also tested connecting from behind an e-smith to another SME. It works.

Steve Bush

Re: VPN Problems
« Reply #26 on: December 12, 2001, 10:14:14 PM »
Okay.  My gut feeling is that your firewall is not set up to allow the correct ports through or the NAT translation is not set up correctly if you're using it.

You may want to try getting support from your router vendor or if you support it, verify the NAT translation and temporarily punch a hole in the firewall to allow all ports through to your SME, then back off once you know it works.

Good Luck

Brent

Re: VPN Problems
« Reply #27 on: December 13, 2001, 06:57:17 AM »
Did this get resolved?  I am dealing with the same issue.  I am able to go out my sme at home over cable modem pptp to a w2k server at my office connecting fine.  However, when I attempt to do the same to my sme server at the office I get the error 619 as discussed.  If anyone resolved this let me know.  I am going to attempt tomorrow after I upgrade to SP2.
TIA
Brent

Shad

Re: VPN Problems
« Reply #28 on: December 13, 2001, 08:27:43 AM »
This is the same error I get if I forget to allow GRE packets (protocol 47) through my firewall at work.  The TCP connection gets established and it tries to connect the GRE connection and fails.  Eventually the timeout occurs and the connection drops.  When I opened up protocol 47 on the firewall then the connection goes through fine.

I know that the Linksys will allow you to pass TCP and UDP packets through but the only way to get GRE packets through is to set the SME server as the DMZ host.  That way all packets that don't have a reverse NAT mapping will get passed to the SME server.

-Shad
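
Added example, not part of any post in this thread: a small triage script that applies the two log observations made above (an LCP timeout right after "Connect:" points at the GRE path; "Connect:" with no "peer authentication succeeded" line points at authentication) to syslog text. The function name, the verdict strings and the sessions for PIDs 2701 and 2750 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. PID 2665 reuses lines from the log posted in this
# thread; PIDs 2701 and 2750 are made-up sessions for the other two cases.
SAMPLE_LOG = """\
Dec 12 11:56:12 shing-server pptpd[2664]: CTRL: Client 64.230.79.173 control connection started
Dec 12 11:56:15 shing-server pppd[2665]: pppd 2.4.0 started by root, uid 0
Dec 12 11:56:15 shing-server pppd[2665]: Connect: ppp0 <--> /dev/pts/1
Dec 12 11:56:45 shing-server pppd[2665]: LCP: timeout sending Config-Requests
Dec 12 11:56:45 shing-server pppd[2665]: Connection terminated.
Dec 12 12:10:01 shing-server pppd[2701]: Connect: ppp0 <--> /dev/pts/0
Dec 12 12:10:03 shing-server pppd[2701]: MSCHAP-v2 peer authentication succeeded for username
Dec 12 12:20:01 shing-server pppd[2750]: Connect: ppp0 <--> /dev/pts/2
Dec 12 12:20:04 shing-server pppd[2750]: Connection terminated.
"""

# Matches only pppd lines; pptpd control-channel lines are ignored.
PPPD_LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ pppd\[(\d+)\]: (.*)$")

def classify_pppd_sessions(log_text):
    """Return {pid: verdict} for every pppd session found in syslog text."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = PPPD_LINE.match(line.strip())
        if m:
            sessions[int(m.group(1))].append(m.group(2))

    verdicts = {}
    for pid, msgs in sessions.items():
        connected = any(msg.startswith("Connect:") for msg in msgs)
        lcp_timeout = any("LCP: timeout sending Config-Requests" in msg for msg in msgs)
        authed = any("peer authentication succeeded" in msg for msg in msgs)
        if authed:
            verdicts[pid] = "authenticated"
        elif connected and lcp_timeout:
            # TCP 1723 worked, but no PPP frame ever came back over GRE.
            verdicts[pid] = "no PPP reply: check GRE (protocol 47) path"
        elif connected:
            verdicts[pid] = "PPP up but no auth success: check chap-secrets"
        else:
            verdicts[pid] = "pppd never attached to the tunnel"
    return verdicts

if __name__ == "__main__":
    for pid, verdict in sorted(classify_pppd_sessions(SAMPLE_LOG).items()):
        print(pid, verdict)
```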
