Topic: VPN Does it work or not. Will anybody fix it?

[bobk]

I completely disagree that the VPN works in 6x and this is why.
I have been using E-Smith/SME since version 3 something (so long ago I do not remember)
Setting up the VPN consisted of enabling it in server manager and connecting to it. That was it. Worked flawlessly for me.
That is until version 5.6, once I updated 2 different boxes to that version _BOOM_, the VPN don't work no more on either of them. 'Downgrade' to 5.5 and it works perfect. Same exact setup as before, absulutely nothing changed exept the version of E-Smith/SME.
This is still true with 6.x, for me and many others it would seem.
I even installed a new HD in my working SME, put 6.x on it, and the VPN is broken out of the box.
Connect the old HD, boot it up, connect via VPN absolutley no problem.
That would seem to tell me that something changed with regards to VPN in SME since I did not change anything else.

Anyone have an explanation for this problem?

Explanation - 5.6 & 6.x have tighter rules. They are no longer tolerant of lax configuration.

As I have said several times, I have multiple clients with a mixture of 5.6 and 6.0.1-01 servers using a mixture of W2K Pro & XP Pro workstations. None of them are experiencing any problems using VPN. I travel extensively with an XP Pro laptop and can VPN into my office (SME 5.6 u6), home (SME 6.0.1-01) or any of my clients. I can also VPN from my home or office to any of my clients (from behind an SME to another network with an SME gateway).

If it works for me it will work for you! I suggest that you recheck your set-ups, forget about what worked in the past and concentrate cosely on what the settings should be.

[felipevidal]

Hello all,

I am new to SMEserver and my first post but have a light background in Linux/Unix use.  I had no problems getting a Windows 2000 VPN client to connect to SMEserver when I did the following.  I installed the SMEserver 6.01-01-Custom version onto one of my systems.  After some of the basic setup stuff I created a user with VPN access rights then enabled PPTP by allowing up to 5 users.  I followed the setup for the client described at this site:

Windows 2000 - http://www.domain-logic.com/support/secure_tunnel_w2k.htm
Windows XP - http://www.domain-logic.com/support/secure_tunnel_XP.htm

Using the instructions from that site I did not have any issues connecting.  I have read that on Windows 2000, Service Pack 4 must be installed for it to work as some extra encryption protocols were added then.

I hope this helps.

-felipe

[wykyd]

The only time I have had problems connecting to SME with VPN is when I was connecting with and unpatched win2K client.

I have never had any other problems.

[rswennen]

Hi I have read all how to's but still don't manage to create the certificates for a 6.0 server.

I am trying to create them via remote access to the server-manager though via https.

Can this be the problem ?  Do you have to create them locally or can you do this via remote access or via ssh access ??

Please help.

Rohnny

[jdness]

Well at least I am able to get PPTP working most of the time but I have run into an issue that I have not found an answer for.  I can normally get into pptp just fine with a W2k system.  BUT if for any reason I get dropped or disconnected I can not get back in.  I have tried waiting several days and nothing changes.  If I reboot the server I can get right back in.  As long as I can do a proper disconnect everything seems to be fine.  I don't have all the log messages but if I don't think it tells me much other than I was disconnected.  I have tried different users to see if it just locked out one user but it has stopped all pptp activity until I reboot the sme server.

I have read some comments about a inactivity timeout but that does not seem to be my issue as when it is working I can stay up for days.  But if I get disconnected for any other reason than me doing the disconnect I'm usually hosed.

Anyone got any ideas.  I suspect some type of timer too but I don't have a clue where to look for it.

[bobk]

...If I reboot the server I can get right back in.  As long as I can do a proper disconnect everything seems to be fine.  I don't have all the log messages but if I don't think it tells me much other than I was disconnected.  I have tried different users to see if it just locked out one user but it has stopped all pptp activity until I reboot the sme server...

Most likely the pptpd service is getting hung up. Instead of rebooting the server try this from console.
 

Code: [Select]

# service pptpd restart

[boringgit]

I can still only connect a VPN as the admin user.

Quite frustrating as it means I have to share my admin password with my directors who need VPN access, and of course only one of them/us can connect at one time...

[bobk]

I can still only connect a VPN as the admin user.

Quite frustrating as it means I have to share my admin password with my directors who need VPN access, and of course only one of them/us can connect at one time...

Have you authorized VPN Client Access in the Users panel under Collaboration in the Server Manager? You need to do this for each user that you want to grant VPN access.

[Anonymous]

Having read several of the posts concerning VPN and E-Smith/SME I thought I would add my 2 bits to the discussion.
I, like one of the other posters, have never had a single problem with the VPN functionality in E-Smith/SME. Currently we use 6.0 and it works fine and seems faster than older versions.
There are a few tricks and gotchas I have picked up along the way that may be of help to some of you.

1. Not all versions of Windows are alike when it comes to VPN access. WinXP works "out of the box", other versions do not. You must download all the patchs pertaining to dialup networking to make the MS VPN client work at 128 bit encryption. Without that you will not connect as the Linux implementation demands that level of security.

2. On your E-Smith/SME server you must enable DHCP for whatever limited range of IPs you wish to be available to your VPN client(s). If you have another DHCP server on your internal network you can disable DHCP on your E-Smith/SME server but only after you have first enabled it for some range of addresses. This will still allow your clients to recieve an IP address when they connect even though the E-Smith/SME server is not providing your internal workstations with addresses. I haven't confirmed this next part but I would assume that whatever range you set the E-Smith/SME server to should not be allowed to conflict with an already functioning DHCP server on your network.

3. Your internal IP range cannot be the same as the internal IP range of the connecting VPN client. For instance if you are using 192.168.1.X as your workstation IP address assignments, your VPN client cannot be using that same range internally on their end. If that is the case they will connect but be unable to route to anything on your end. Make sure both sides are different.

4. Firewalls can play havoc with the connection. Some firewalls will work perfectly, others will need tweaking. For instance the Sonicwall we use where I work works fine but my Linksys tends to not work all that well. I believe it has to do with the 2 ports required (1723 and 47) and how the firewall handles GRE. Perhaps someone with more knowledge about this aspect than I have could step in here and explain this issue further.

To close, as long as the above guidelines are followed I have not seen a single problem with the VPN connectivity in E-Smith/SME in any version.
Hope that helps anyone who is having problems.

[boringgit]

Hiya,

Thanks for the replys  

What I do find odd is that connecting as admin works perfectly. I can browse the network, connect to servers inside my network etc. etc.

Anything other than admin - no go...

Looking in /var/log/messages I see the usual VPN connection messages, followed by

"CHAP peer authentication failed for USER" Where username is the user I am trying to log in as  

Looking about on the 'net it looks as if this is a shared secret problem - Certificates and the like were only used on the IPsec VPN provided by servicelink I thought?

[bobk]

...What I do find odd is that connecting as admin works perfectly. I can browse the network, connect to servers inside my network etc. etc.

Anything other than admin - no go...

Looking in /var/log/messages I see the usual VPN connection messages, followed by

"CHAP peer authentication failed for USER" Where username is the user I am trying to log in as  
...

Check your Client Login username & password settings:
1. You must logon to your local (Windows) PC with the same username and password as your account on the remote SME VPN server.
2. If you are connecting to a SME 6.x server - This user account must have VPN Client Access set to YES in the Server Manager User Panel.
3. You must establish your VPN login connection with the same username & password.

[wykyd]

1. You must logon to your local (Windows) PC with the same username and password as your account on the remote SME VPN server.

I don't log onto my work machine with the same accounts that I log into remotely. I type in the User and Password for the connection. Never had a problem so far.

[Anonymous]

One thing i forget was to increase the number of PPTP connections allowed in the server-manager pages!

I still can't connect to home from work, but i think  it might be the work firewall blocking the connection. Is there someway to see if my request is getting to the SME server? Perhaps looking in one of the log files? I just don't know which one.

Phil

[guest]

I have setup VPN on both 6.03b and 6.0.01 custonm vpn services using DSL @ both ends and have not had a bit of trouble !!!!!


Maybe its a PEBCAC Error......
Possible error between computer and chair!!!!


digout the dummy's BOOKS!!!!!

[stancol]

I had a problem with VPN on 6.0.1 and ran around and around looking for it. Found it right under my nose (some times it's the simply things that get you the most). Typing "service pptpd status" yeiled not running. Boy it's hard to trouble shoot VPN connections when the VPN service isn't running.

To fix it I'll I had to do was "service pptpd start".

Not sure this is a bug yet so I'm not going to post it as such yet. It appears that pptpd doesn't start on reboot. At least it doesn't on my machine. I've tried changing the number of users and saving the config from the server-manager but it doesn't seem to add it to any of the rc.d files. (Maybe I'm looking in the wrong place.) It might be a conflict between one of my contribs and pptpd.

I even had it stop one time with out rebooting the server. I did add another contrib at the time it stopped. However I add several and didn't notice that pptpd had stopped so I couldn't begin to tell you after which contrib it stopped.

Would be nice if someone could tell me how to either add it to the startup or tell me how to check for it.