Koozali.org: home of the SME Server

John Crisp

VPN & PPTP again
« on: September 29, 2003, 07:09:40 PM »
Hi,

I have a 5.6 SP5 server with a Netgear DM602 ADSL single port modem & router.

I have two network cards in the server. The router plugs into one, with both the router and server configured with static IPs of 192.168.42.x.

The server is set as a DMZ in the router setup so all ports should be open to it.

The second card connects to the network, with the server using DHCP with an address range of 192.168.0.x.

I have applied Patch 5 and then the mppe patch for the Athlon CPU. I have altered the options.pptpd file, adding multilink as advised elsewhere here.

Everything internet-wise works fine except for VPN. I can now VPN into the server from a local machine without problems, but cannot get through from the Internet.

I had considered keeping the server in server only mode (rather than the current server & gateway) and attaching the router directly to the switch, but just wanted an extra layer between the local machines and the internet.

A port scan shows that port 1723 (for PPTP) is open.

I can only presume that it is now the modem/router causing the problem, but I would be grateful for any words of wisdom or others' experiences.

Best regards,

John

I attach a log extract for reference.

Sep 29 13:58:45 server sshd(pam_unix)[6283]: session opened for user root by root(uid=0)
Sep 29 14:00:00 server su(pam_unix)[6337]: session opened for user qmailr by (uid=0)
Sep 29 14:02:14 server su(pam_unix)[6337]: session closed for user qmailr
Sep 29 14:05:50 server pptpd[3084]: MGR: No free connection slots or IPs - no more clients can connect!
Sep 29 14:05:50 server pptpd[6435]: MGR: Launching /usr/sbin/pptpctrl to handle client
Sep 29 14:05:50 server pptpd[6435]: CTRL: local address = 192.168.0.1
Sep 29 14:05:50 server pptpd[6435]: CTRL: remote address = 192.168.0.40
Sep 29 14:05:50 server pptpd[6435]: CTRL: pppd speed = 460800
Sep 29 14:05:50 server pptpd[6435]: CTRL: pppd options file = /etc/ppp/options.pptpd
Sep 29 14:05:50 server pptpd[6435]: CTRL: Client 213.122.x.x control connection started
Sep 29 14:05:50 server pptpd[6435]: CTRL: Received PPTP Control Message (type: 1)
Sep 29 14:05:50 server pptpd[6435]: CTRL: Made a START CTRL CONN RPLY packet
Sep 29 14:05:50 server pptpd[6435]: CTRL: I wrote 156 bytes to the client.
Sep 29 14:05:50 server pptpd[6435]: CTRL: Sent packet to client
Sep 29 14:05:50 server pptpd[6435]: CTRL: Received PPTP Control Message (type: 7)
Sep 29 14:05:50 server pptpd[6435]: CTRL: Set parameters to 1525 maxbps, 64 window size
Sep 29 14:05:50 server pptpd[6435]: CTRL: Made a OUT CALL RPLY packet
Sep 29 14:05:50 server pptpd[6435]: CTRL: Starting call (launching pppd, opening GRE)
Sep 29 14:05:50 server pptpd[6435]: CTRL: pty_fd = 5
Sep 29 14:05:50 server pptpd[6435]: CTRL: tty_fd = 6
Sep 29 14:05:50 server pptpd[6435]: CTRL: I wrote 32 bytes to the client.
Sep 29 14:05:50 server pptpd[6435]: CTRL: Sent packet to client
Sep 29 14:05:50 server pptpd[6436]: CTRL (PPPD Launcher): Connection speed = 460800
Sep 29 14:05:50 server pptpd[6436]: CTRL (PPPD Launcher): local address = 192.168.0.1
Sep 29 14:05:50 server pptpd[6436]: CTRL (PPPD Launcher): remote address = 192.168.0.40
Sep 29 14:05:50 server pppd[6436]: pppd 2.4.2b1 started by root, uid 0
Sep 29 14:05:50 server pppd[6436]: Using interface ppp0
Sep 29 14:05:50 server pppd[6436]: Connect: ppp0 <--> /dev/pts/4
Sep 29 14:05:50 server pptpd[6435]: CTRL: Received PPTP Control Message (type: 15)
Sep 29 14:05:50 server pptpd[6435]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Sep 29 14:05:50 server /etc/hotplug/net.agent: assuming ppp0 is already up
Sep 29 14:05:50 server pptpd[6435]: GRE: Discarding duplicate packet
Sep 29 14:06:20 server pppd[6436]: LCP: timeout sending Config-Requests
Sep 29 14:06:20 server pppd[6436]: Connection terminated.
Sep 29 14:06:20 server pppd[6436]: Exit.
Sep 29 14:06:20 server pptpd[6435]: GRE: read(fd=5,buffer=804d940,len=8196) from PTY failed: status = -1 error = Input/output error
Sep 29 14:06:20 server pptpd[6435]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Sep 29 14:06:20 server pptpd[6435]: CTRL: Client 213.122.x.x control connection finished
Sep 29 14:06:20 server pptpd[6435]: CTRL: Exiting now
Sep 29 14:06:20 server pptpd[3084]: MGR: Reaped child 6435
Sep 29 14:06:20 server /etc/hotplug/net.agent: NET unregister event not supported

Guck Puppy

Re: VPN & PPTP again
« Reply #1 on: September 30, 2003, 02:28:04 AM »
John Crisp wrote:

> Sep 29 14:05:50 server pptpd[3084]: MGR: No free connection
> slots or IPs - no more clients can connect!

Doesn't this suggest you haven't allocated any connection slots via the server manager?

Remote Access / Number of PPTP clients

G

John Crisp

Re: VPN & PPTP again
« Reply #2 on: September 30, 2003, 05:05:12 PM »
Uuurrrrrr. Damn. Sorry. Not a good example. It had been another long night :-)

Made sure that I allow 2 PPTP connections, and ensured 'multilink' is in options.pptpd.

Seems that I keep getting LCP timeouts, which indicates that the link dies?

Hmm. Any thoughts would be appreciated.

Best regards,

John

File: options.pptpd
#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# SME Server software. Instead, modify the source template in
# an /etc/e-smith/templates-custom directory. For more
# information, see http://www.e-smith.org/custom/
#
# copyright (C) 2002 Mitel Networks Corporation
#------------------------------------------------------------

auth
# debug is not enabled
domain localnet.com
# Tell ip-up and ip-down who is running them
ipparam pptpd
nodeflate
nobsdcomp
require-mppe-128
nomppe-40
nomppe-stateful # refuse stateful mode, i.e. use stateless
ms-dns 192.168.0.1
ms-wins 192.168.0.1
multilink
name server
netmask 255.255.255.0
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key
chapms-strip-domain

Log sample:

Sep 30 12:48:14 server pptpd[10693]: MGR: Launching /usr/sbin/pptpctrl to handle client
Sep 30 12:48:14 server pptpd[10693]: CTRL: local address = 192.168.0.1
Sep 30 12:48:14 server pptpd[10693]: CTRL: remote address = 192.168.0.40
Sep 30 12:48:14 server pptpd[10693]: CTRL: pppd speed = 460800
Sep 30 12:48:14 server pptpd[10693]: CTRL: pppd options file = /etc/ppp/options.pptpd
Sep 30 12:48:14 server pptpd[10693]: CTRL: Client 213.122.x.x control connection started
Sep 30 12:48:14 server pptpd[10693]: CTRL: Received PPTP Control Message (type: 1)
Sep 30 12:48:14 server pptpd[10693]: CTRL: Made a START CTRL CONN RPLY packet
Sep 30 12:48:14 server pptpd[10693]: CTRL: I wrote 156 bytes to the client.
Sep 30 12:48:14 server pptpd[10693]: CTRL: Sent packet to client
Sep 30 12:48:14 server pptpd[10693]: CTRL: Received PPTP Control Message (type: 7)
Sep 30 12:48:14 server pptpd[10693]: CTRL: Set parameters to 1525 maxbps, 64 window size
Sep 30 12:48:14 server pptpd[10693]: CTRL: Made a OUT CALL RPLY packet
Sep 30 12:48:14 server pptpd[10693]: CTRL: Starting call (launching pppd, opening GRE)
Sep 30 12:48:14 server pptpd[10693]: CTRL: pty_fd = 5
Sep 30 12:48:14 server pptpd[10693]: CTRL: tty_fd = 6
Sep 30 12:48:14 server pptpd[10693]: CTRL: I wrote 32 bytes to the client.
Sep 30 12:48:14 server pptpd[10693]: CTRL: Sent packet to client
Sep 30 12:48:14 server pptpd[10694]: CTRL (PPPD Launcher): Connection speed = 460800
Sep 30 12:48:14 server pptpd[10694]: CTRL (PPPD Launcher): local address = 192.168.0.1
Sep 30 12:48:14 server pptpd[10694]: CTRL (PPPD Launcher): remote address = 192.168.0.40
Sep 30 12:48:14 server pppd[10694]: pppd 2.4.2b1 started by root, uid 0
Sep 30 12:48:14 server pppd[10694]: Starting negotiation on /dev/pts/1
Sep 30 12:48:14 server pptpd[10693]: CTRL: Received PPTP Control Message (type: 15)
Sep 30 12:48:14 server pptpd[10693]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Sep 30 12:48:14 server pptpd[10693]: GRE: Discarding duplicate packet
Sep 30 12:48:44 server pppd[10694]: LCP: timeout sending Config-Requests
Sep 30 12:48:44 server pppd[10694]: Connection terminated.
Sep 30 12:48:44 server pppd[10694]: Exit.
Sep 30 12:48:44 server pptpd[10693]: GRE: read(fd=5,buffer=804d940,len=8196) from PTY failed: status = -1 error = Input/output error
Sep 30 12:48:44 server pptpd[10693]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Sep 30 12:48:44 server pptpd[10693]: CTRL: Client 213.122.105.127 control connection finished
Sep 30 12:48:44 server pptpd[10693]: CTRL: Exiting now
Sep 30 12:48:44 server pptpd[10564]: MGR: Reaped child 10693

Manuel Lazo

Re: VPN & PPTP again
« Reply #3 on: September 30, 2003, 10:34:29 PM »
Well, there is an issue with the GRE (protocol??) 47. I just forward UDP 47 to my SME server, and I can log in with pptp (with the modification of multilink).

Someone says you have to set the GRE 47 command!! I don't know how to do that, but forwarding the UDP 47 port works for me!!

Hope that works for you.

Sorry about my english!!

Manuel Lazo

Re: VPN & PPTP again
« Reply #4 on: September 30, 2003, 10:40:01 PM »
I forgot!!

I can pptp inside my LAN on SME 5.6 (have not tried from the Internet), but when I VPN I lose my INET connection. Is this correct?? Or is there an issue that I don't know about!!

I ask this because with E-smith 5.0, this kind of issue didn't exist at all!! I could pptp to my server (from LAN or Internet) and I didn't lose my Internet connection!! I could do both at the same time!!

Guck Puppy

Re: VPN & PPTP again
« Reply #5 on: September 30, 2003, 11:39:34 PM »
Manuel Lazo wrote:

> I can pptp inside my LAN on SME 5.6 (have not tried from the
> Internet), but when I VPN I lose my INET connection. Is
> this correct?? Or is there an issue that I don't know about!!

I think this sounds like a "use default gateway" issue. In the TCP/IP properties for the VPN connectoid in Windows, make sure that:

Networking tab / TCP/IP properties / Advanced / "Use default gateway on remote network" is UNchecked.

G

Manuel Lazo

Re: VPN & PPTP again
« Reply #6 on: October 01, 2003, 01:01:29 AM »
Thank you so much!!! That did the trick!

Manuel Lazo

Re: VPN & PPTP again
« Reply #7 on: October 01, 2003, 01:46:00 AM »
Well!! The trick works very well on my LAN, but if I'm on the road or at home, I have to set the default gateway on my PC, but then I lose my Inet connection. I cannot do both!!

John Crisp

Re: VPN & PPTP again
« Reply #8 on: October 01, 2003, 02:35:16 PM »
A couple of things I have seen whilst reading around.

>I had the same problem, and I solved it by putting the following in my
>options.pptpd configuration file:
>
>lcp-echo-failure 30
>lcp-echo-interval 5
>
>This is to prevent timeouts on the client side. With
>lcp-echo-failure your server sends echo requests to the clients for a
>response when there is idle time, so you can modify this parameter to a
>higher value.

Don't know the relevance of this bit. However, the next makes interesting reading. Could this be something that the router blocks / allows? I can add port forwarding, but that would not appear to be sufficient. Presumably, as I have set the server to be a DMZ machine, all packets should be allowed. Perhaps they are not, and if so, how do I test the router?

Firewall Integration with PPTP
The basic difficulty of running PPTP through a firewall is that PPTP consists of two connections running across very different protocols. The PPTP control connection runs across TCP via port 1723, and the data runs on top of IP (or UDP). GRE-IP packets are IP type 47 (TCP is type 6 and UDP is type 17, for example); GRE-UDP packets are UDP packets with destination port 47. Note that UDP port 47 is not an official IANA (Internet Assigned Numbers Authority) port; an application called NI-FTP is officially assigned UDP 47. However, most firewalls are restricted in their configuration of protocols lower than UDP or TCP and simply don't allow administrators to set up filters for new IP packet types (i.e., GRE over IP). GRE over UDP is the best bet in these cases. Note that Extended Systems added the GRE-UDP functionality to the ExtendNet VPN. Microsoft's Dial-Up Networking supports this configuration for clients running Windows 9x and Windows NT 4.0, but not Windows 2000.

If you have a firewall not on the list in the application notes, see if your firewall can support opening up TCP port 1723 and IP packet type 47 (or UDP port 47). Careful administrators might balk at such a request (and probably rightly so) because it circumvents the very nature of the strictest firewalls (proxy firewalls).
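The two diagnoses in this thread (Reply #1's "no free connection slots" and the control-vs-data split in the firewall note above, where LCP rides inside GRE/IP protocol 47 while the control connection is plain TCP 1723) can be told apart mechanically from the pptpd/pppd lines John posted. The following classifier is an added example, not code from this thread or from SME Server; its sample log is constructed from the extracts above, and the final "remote IP address" success case is a constructed pppd line that does not appear in the thread.

```python
import re

# Constructed sample, modelled on the pptpd/pppd extracts posted in this thread.
# The last client (10.0.0.9) is a constructed success case for contrast.
SAMPLE_LOG = """\
Sep 29 14:05:50 server pptpd[3084]: MGR: No free connection slots or IPs - no more clients can connect!
Sep 30 12:48:14 server pptpd[10693]: CTRL: Client 213.122.x.x control connection started
Sep 30 12:48:14 server pptpd[10693]: CTRL: Starting call (launching pppd, opening GRE)
Sep 30 12:48:14 server pppd[10694]: Starting negotiation on /dev/pts/1
Sep 30 12:48:14 server pptpd[10693]: GRE: Discarding duplicate packet
Sep 30 12:48:44 server pppd[10694]: LCP: timeout sending Config-Requests
Sep 30 12:48:44 server pptpd[10693]: CTRL: Client 213.122.x.x control connection finished
Sep 30 13:02:03 server pptpd[10800]: CTRL: Client 10.0.0.9 control connection started
Sep 30 13:02:03 server pptpd[10800]: CTRL: Starting call (launching pppd, opening GRE)
Sep 30 13:02:05 server pppd[10801]: local  IP address 192.168.0.1
Sep 30 13:02:05 server pppd[10801]: remote IP address 192.168.0.40
"""

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ (pptpd|pppd)\[\d+\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"CTRL: Client (\S+) control connection (started|finished)")

VERDICTS = {
    "no_slots": "pptpd has no free slots: set Remote Access / Number of PPTP clients in server-manager",
    "gre_data_channel": "TCP 1723 control connection completed, but LCP (carried inside GRE) got no "
                        "reply: check that the router/firewall passes IP protocol 47, not only port 1723",
    "ppp_up": "PPP link negotiated: both the control and the GRE data channel work",
}

def classify_pptp_log(text):
    """Walk the log in order and return (client, verdict_key) findings."""
    findings = []
    client = None        # client whose call is currently in progress
    gre_opened = False   # pptpd launched pppd and opened the GRE socket for it
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        c = CLIENT_RE.search(msg)
        if "MGR: No free connection slots" in msg:
            findings.append(("-", "no_slots"))
        elif c:
            client = c.group(1) if c.group(2) == "started" else None
            gre_opened = False
        elif "Starting call (launching pppd, opening GRE)" in msg:
            gre_opened = True
        elif "LCP: timeout sending Config-Requests" in msg and gre_opened:
            findings.append((client, "gre_data_channel"))   # control OK, data channel not
        elif msg.startswith("remote IP address") and gre_opened:
            findings.append((client, "ppp_up"))
    return findings

if __name__ == "__main__":
    for who, key in classify_pptp_log(SAMPLE_LOG):
        print(f"{who}: {VERDICTS[key]}")
```

Run it against /var/log/messages to see whether a failed call ever got past the control connection; a "gre_data_channel" verdict is the signature of a router that forwards port 1723 but drops protocol 47.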