Koozali.org: home of the SME Server

VPN problem

Offline edform

VPN problem
« on: October 20, 2005, 04:12:42 PM »
I've tried everything under the sun but I just cannot get one of my client's servers to support more than a single incoming VPN. The pair of workstations I want to connect can simultaneously make a VPN onto my server, and on to several other servers I have access to, but not onto the client's own server.

The server is a Dell Poweredge with two 866MHz Pentium IIIs, a Perc II and 64GBytes of fast SCSI discs as a mirror, 1Gbyte of RAM and is in perfect working order.

This server and my own have the same version of SME loaded, and exactly the same customisations, and things like antivirus logs and antispam logs are, as far as I see, the same.

Here is a message log fragment showing the opening of two simultaneous vpns on my server...

Oct 18 10:50:51 ml350 pptpd[17188]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: local address = 192.168.178.1
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: remote address = 192.168.178.250
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: pppd speed = 460800
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: pppd options file = /etc/ppp/options.pptpd
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Client 213.162.108.36 control connection started
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Received PPTP Control Message (type: 1)
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Made a START CTRL CONN RPLY packet
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: I wrote 156 bytes to the client.
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Sent packet to client
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Received PPTP Control Message (type: 7)
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Set parameters to 1525 maxbps, 64 window size
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Made a OUT CALL RPLY packet
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Starting call (launching pppd, opening GRE)
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: pty_fd = 5
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: tty_fd = 6
Oct 18 10:50:51 ml350 pptpd[17189]: CTRL (PPPD Launcher): Connection speed = 460800
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: I wrote 32 bytes to the client.
Oct 18 10:50:51 ml350 pptpd[17189]: CTRL (PPPD Launcher): local address = 192.168.178.1
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Sent packet to client
Oct 18 10:50:51 ml350 pptpd[17189]: CTRL (PPPD Launcher): remote address = 192.168.178.250
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Received PPTP Control Message (type: 15)
Oct 18 10:50:51 ml350 pppd[17189]: pppd 2.4.2b1 started by root, uid 0
Oct 18 10:50:51 ml350 pptpd[17188]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 18 10:50:52 ml350 pppd[17189]: Starting negotiation on /dev/pts/0
Oct 18 10:50:52 ml350 pptpd[17188]: GRE: Discarding duplicate packet
Oct 18 10:50:53 ml350 pptpd[17188]: CTRL: Received PPTP Control Message (type: 15)
Oct 18 10:50:53 ml350 pptpd[17188]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 18 10:50:54 ml350 pppd[17189]: Using interface ppp0
Oct 18 10:50:54 ml350 kernel: divert: not allocating divert_blk for non-ethernet device ppp0
Oct 18 10:50:54 ml350 pppd[17189]: CHAP peer authentication succeeded for RABBIT1
Oct 18 10:50:54 ml350 /etc/hotplug/net.agent: assuming ppp0 is already up
Oct 18 10:50:54 ml350 pppd[17189]: MPPE 128-bit stateless compression enabled
Oct 18 10:50:56 ml350 pppd[17189]: found interface eth0 for proxy arp
Oct 18 10:50:56 ml350 pppd[17189]: local  IP address 192.168.178.1
Oct 18 10:50:56 ml350 pppd[17189]: remote IP address 192.168.178.250
Oct 18 10:50:57 ml350 e-smith[17203]: Processing event: ip-up.pptpd ppp0 /dev/pts/0 460800 192.168.178.1 192.168.178.250 pptpd
Oct 18 10:50:57 ml350 e-smith[17203]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access
Oct 18 10:50:57 ml350 /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access[17204]: /home/e-smith/configuration: OLD pptpd=service|Interfaces||StartIP|3232281337|sessions|2|status|enabled
Oct 18 10:50:57 ml350 /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access[17204]: /home/e-smith/configuration: NEW pptpd=service|Interfaces|ppp0|StartIP|3232281337|sessions|2|status|enabled
Oct 18 10:50:57 ml350 e-smith[17203]: S70pptp-interface-access=action|Event|ip-up.pptpd|Action|S70pptp-interface-access|Start|1129629057 160629|End|1129629057 414196|Elapsed|0.253567
Oct 18 10:50:57 ml350 e-smith[17203]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S80conf-masq
Oct 18 10:50:58 ml350 e-smith[17203]: S80conf-masq=action|Event|ip-up.pptpd|Action|S80conf-masq|Start|1129629057 414425|End|1129629058 170757|Elapsed|0.756332
Oct 18 10:50:58 ml350 e-smith[17203]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S85adjust-masq
Oct 18 10:50:59 ml350 e-smith[17203]: S85adjust-masq=action|Event|ip-up.pptpd|Action|S85adjust-masq|Start|1129629058 170971|End|1129629059 185415|Elapsed|1.014444
Oct 18 10:51:51 ml350 pptpd[17188]: CTRL: Received PPTP Control Message (type: 5)
Oct 18 10:51:51 ml350 pptpd[17188]: CTRL: Made a ECHO RPLY packet
Oct 18 10:51:51 ml350 pptpd[17188]: CTRL: I wrote 20 bytes to the client.
Oct 18 10:51:51 ml350 pptpd[17188]: CTRL: Sent packet to client
Oct 18 10:52:51 ml350 pptpd[17188]: CTRL: Received PPTP Control Message (type: 5)
Oct 18 10:52:51 ml350 pptpd[17188]: CTRL: Made a ECHO RPLY packet
Oct 18 10:52:51 ml350 pptpd[17188]: CTRL: I wrote 20 bytes to the client.
Oct 18 10:52:51 ml350 pptpd[17188]: CTRL: Sent packet to client
Oct 18 10:53:51 ml350 pptpd[17188]: CTRL: Received PPTP Control Message (type: 5)
Oct 18 10:53:51 ml350 pptpd[17188]: CTRL: Made a ECHO RPLY packet
Oct 18 10:53:51 ml350 pptpd[17188]: CTRL: I wrote 20 bytes to the client.
Oct 18 10:53:51 ml350 pptpd[17188]: CTRL: Sent packet to client
Oct 18 10:54:19 ml350 pptpd[2626]: MGR: No free connection slots or IPs - no more clients can connect!
Oct 18 10:54:19 ml350 pptpd[17473]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: local address = 192.168.178.1
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: remote address = 192.168.178.249
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: pppd speed = 460800
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: pppd options file = /etc/ppp/options.pptpd
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: Client 213.162.108.55 control connection started
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: Received PPTP Control Message (type: 1)
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: Made a START CTRL CONN RPLY packet
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: I wrote 156 bytes to the client.
Oct 18 10:54:19 ml350 pptpd[17473]: CTRL: Sent packet to client
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: Received PPTP Control Message (type: 7)
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: Set parameters to 1525 maxbps, 64 window size
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: Made a OUT CALL RPLY packet
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: Starting call (launching pppd, opening GRE)
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: pty_fd = 5
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: tty_fd = 6
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: I wrote 32 bytes to the client.
Oct 18 10:54:21 ml350 pptpd[17474]: CTRL (PPPD Launcher): Connection speed = 460800
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: Sent packet to client
Oct 18 10:54:21 ml350 pptpd[17474]: CTRL (PPPD Launcher): local address = 192.168.178.1
Oct 18 10:54:21 ml350 pptpd[17474]: CTRL (PPPD Launcher): remote address = 192.168.178.249
Oct 18 10:54:21 ml350 pppd[17474]: pppd 2.4.2b1 started by root, uid 0
Oct 18 10:54:21 ml350 pppd[17474]: Starting negotiation on /dev/pts/1
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: Received PPTP Control Message (type: 15)
Oct 18 10:54:21 ml350 pptpd[17473]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 18 10:54:21 ml350 pptpd[17473]: GRE: Discarding duplicate packet
Oct 18 10:54:23 ml350 pptpd[17473]: CTRL: Received PPTP Control Message (type: 15)
Oct 18 10:54:23 ml350 pptpd[17473]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 18 10:54:23 ml350 kernel: divert: not allocating divert_blk for non-ethernet device ppp1
Oct 18 10:54:23 ml350 pppd[17474]: Using interface ppp1
Oct 18 10:54:23 ml350 pppd[17474]: New bundle ppp1 created
Oct 18 10:54:23 ml350 pppd[17474]: CHAP peer authentication succeeded for RABBIT2
Oct 18 10:54:23 ml350 /etc/hotplug/net.agent: assuming ppp1 is already up
Oct 18 10:54:23 ml350 pppd[17474]: MPPE 128-bit stateless compression enabled
Oct 18 10:54:26 ml350 pppd[17474]: found interface eth0 for proxy arp
Oct 18 10:54:26 ml350 pppd[17474]: local  IP address 192.168.178.1
Oct 18 10:54:26 ml350 pppd[17474]: remote IP address 192.168.178.249
Oct 18 10:54:27 ml350 e-smith[17488]: Processing event: ip-up.pptpd ppp1 /dev/pts/1 460800 192.168.178.1 192.168.178.249 pptpd
Oct 18 10:54:27 ml350 e-smith[17488]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access
Oct 18 10:54:27 ml350 /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access[17489]: /home/e-smith/configuration: OLD pptpd=service|Interfaces|ppp0|StartIP|3232281337|sessions|2|status|enabled
Oct 18 10:54:27 ml350 /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access[17489]: /home/e-smith/configuration: NEW pptpd=service|Interfaces|ppp0,ppp1|StartIP|3232281337|sessions|2|status|enabled
Oct 18 10:54:27 ml350 e-smith[17488]: S70pptp-interface-access=action|Event|ip-up.pptpd|Action|S70pptp-interface-access|Start|1129629267 33212|End|1129629267 286309|Elapsed|0.253097
Oct 18 10:54:27 ml350 e-smith[17488]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S80conf-masq
Oct 18 10:54:27 ml350 e-smith[17488]: S80conf-masq=action|Event|ip-up.pptpd|Action|S80conf-masq|Start|1129629267 286545|End|1129629267 907393|Elapsed|0.620848
Oct 18 10:54:27 ml350 e-smith[17488]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S85adjust-masq
Oct 18 10:54:28 ml350 e-smith[17488]: S85adjust-masq=action|Event|ip-up.pptpd|Action|S85adjust-masq|Start|1129629267 907620|End|1129629268 815672|Elapsed|0.908052

Now here's a log fragment showing one successful and one failed vpn attempt on my client's server...

Oct 20 13:11:45 e-smith-server pptpd[2787]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: local address = 192.168.1.1
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: remote address = 192.168.1.248
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: pppd speed = 460800
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: pppd options file = /etc/ppp/options.pptpd
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: Client 213.162.108.55 control connection started
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 1)
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: Made a START CTRL CONN RPLY packet
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: I wrote 156 bytes to the client.
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 7)
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: Set parameters to 1525 maxbps, 64 window size
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: Made a OUT CALL RPLY packet
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: Starting call (launching pppd, opening GRE)
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: pty_fd = 5
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: tty_fd = 6
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: I wrote 32 bytes to the client.
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:11:48 e-smith-server pptpd[2788]: CTRL (PPPD Launcher): Connection speed = 460800
Oct 20 13:11:48 e-smith-server pptpd[2788]: CTRL (PPPD Launcher): local address = 192.168.1.1
Oct 20 13:11:48 e-smith-server pptpd[2788]: CTRL (PPPD Launcher): remote address = 192.168.1.248
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 15)
Oct 20 13:11:48 e-smith-server pptpd[2787]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 20 13:11:48 e-smith-server kernel: CSLIP: code copyright 1989 Regents of the University of California
Oct 20 13:11:48 e-smith-server kernel: PPP generic driver version 2.4.2
Oct 20 13:11:48 e-smith-server pppd[2788]: pppd 2.4.2b1 started by root, uid 0
Oct 20 13:11:48 e-smith-server pppd[2788]: Starting negotiation on /dev/pts/0
Oct 20 13:11:48 e-smith-server pptpd[2787]: GRE: Discarding duplicate packet
Oct 20 13:11:50 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 15)
Oct 20 13:11:50 e-smith-server pptpd[2787]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 20 13:11:50 e-smith-server kernel: divert: not allocating divert_blk for non-ethernet device ppp0
Oct 20 13:11:50 e-smith-server pppd[2788]: Using interface ppp0
Oct 20 13:11:50 e-smith-server pppd[2788]: New bundle ppp0 created
Oct 20 13:11:50 e-smith-server /etc/hotplug/net.agent: assuming ppp0 is already up
Oct 20 13:11:50 e-smith-server kernel: PPP MPPE Compression module registered
Oct 20 13:11:50 e-smith-server insmod: Warning: loading /lib/modules/2.4.20-18.7smp-e-smith/kernel/drivers/net/ppp_mppe.o will taint the kernel: non-GPL license - BSD without advertisement clause
Oct 20 13:11:50 e-smith-server insmod:   See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Oct 20 13:11:50 e-smith-server insmod: Module ppp_mppe loaded, with warnings
Oct 20 13:11:50 e-smith-server pppd[2788]: CHAP peer authentication succeeded for BUNNY1
Oct 20 13:11:50 e-smith-server pppd[2788]: MPPE 128-bit stateless compression enabled
Oct 20 13:11:53 e-smith-server pppd[2788]: found interface eth0 for proxy arp
Oct 20 13:11:53 e-smith-server pppd[2788]: local  IP address 192.168.1.1
Oct 20 13:11:53 e-smith-server pppd[2788]: remote IP address 192.168.1.248
Oct 20 13:11:53 e-smith-server e-smith[2823]: Processing event: ip-up.pptpd ppp0 /dev/pts/0 460800 192.168.1.1 192.168.1.248 pptpd
Oct 20 13:11:53 e-smith-server e-smith[2823]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access
Oct 20 13:11:53 e-smith-server /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access[2824]: /home/e-smith/configuration: OLD pptpd=service|Interfaces||StartIP|3232236024|sessions|3|status|enabled
Oct 20 13:11:53 e-smith-server /etc/e-smith/events/ip-up.pptpd/S70pptp-interface-access[2824]: /home/e-smith/configuration: NEW pptpd=service|Interfaces|ppp0|StartIP|3232236024|sessions|3|status|enabled
Oct 20 13:11:53 e-smith-server e-smith[2823]: S70pptp-interface-access=action|Event|ip-up.pptpd|Action|S70pptp-interface-access|Start|1129810313 484312|End|1129810313 778750|Elapsed|0.294438
Oct 20 13:11:53 e-smith-server e-smith[2823]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S80conf-masq
Oct 20 13:11:54 e-smith-server e-smith[2823]: S80conf-masq=action|Event|ip-up.pptpd|Action|S80conf-masq|Start|1129810313 779000|End|1129810314 569340|Elapsed|0.79034
Oct 20 13:11:54 e-smith-server e-smith[2823]: Running event handler: /etc/e-smith/events/ip-up.pptpd/S85adjust-masq
Oct 20 13:11:55 e-smith-server e-smith[2823]: S85adjust-masq=action|Event|ip-up.pptpd|Action|S85adjust-masq|Start|1129810314 569571|End|1129810315 501489|Elapsed|0.931918
Oct 20 13:12:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:12:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:12:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:12:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:13:14 e-smith-server pptpd[3053]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: local address = 192.168.1.1
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: remote address = 192.168.1.249
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: pppd speed = 460800
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: pppd options file = /etc/ppp/options.pptpd
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Client 213.162.108.36 control connection started
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Received PPTP Control Message (type: 1)
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Made a START CTRL CONN RPLY packet
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: I wrote 156 bytes to the client.
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Sent packet to client
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Received PPTP Control Message (type: 7)
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Set parameters to 1525 maxbps, 64 window size
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Made a OUT CALL RPLY packet
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Starting call (launching pppd, opening GRE)
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: pty_fd = 5
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: tty_fd = 6
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: I wrote 32 bytes to the client.
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Sent packet to client
Oct 20 13:13:14 e-smith-server pptpd[3054]: CTRL (PPPD Launcher): Connection speed = 460800
Oct 20 13:13:14 e-smith-server pptpd[3054]: CTRL (PPPD Launcher): local address = 192.168.1.1
Oct 20 13:13:14 e-smith-server pptpd[3054]: CTRL (PPPD Launcher): remote address = 192.168.1.249
Oct 20 13:13:14 e-smith-server pppd[3054]: pppd 2.4.2b1 started by root, uid 0
Oct 20 13:13:14 e-smith-server pppd[3054]: Starting negotiation on /dev/pts/1
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Received PPTP Control Message (type: 15)
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 20 13:13:44 e-smith-server pppd[3054]: LCP: timeout sending Config-Requests
Oct 20 13:13:44 e-smith-server pppd[3054]: Connection terminated.
Oct 20 13:13:44 e-smith-server pppd[3054]: Exit.
Oct 20 13:13:44 e-smith-server pptpd[3053]: GRE: read(fd=5,buffer=804d940,len=8196) from PTY failed: status = -1 error = Input/output error
Oct 20 13:13:44 e-smith-server pptpd[3053]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Oct 20 13:13:44 e-smith-server pptpd[3053]: CTRL: Client 213.162.108.36 control connection finished
Oct 20 13:13:44 e-smith-server pptpd[3053]: CTRL: Exiting now
Oct 20 13:13:44 e-smith-server pptpd[2507]: MGR: Reaped child 3053
Oct 20 13:13:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:13:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:13:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:13:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:14:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:14:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:14:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:14:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:15:13 e-smith-server pptpd[3095]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: local address = 192.168.1.1
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: remote address = 192.168.1.250
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: pppd speed = 460800
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: pppd options file = /etc/ppp/options.pptpd
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Client 213.162.108.36 control connection started
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Received PPTP Control Message (type: 1)
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Made a START CTRL CONN RPLY packet
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: I wrote 156 bytes to the client.
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Sent packet to client
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Received PPTP Control Message (type: 7)
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Set parameters to 1525 maxbps, 64 window size
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Made a OUT CALL RPLY packet
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Starting call (launching pppd, opening GRE)
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: pty_fd = 5
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: tty_fd = 6
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: I wrote 32 bytes to the client.
Oct 20 13:15:13 e-smith-server pptpd[3096]: CTRL (PPPD Launcher): Connection speed = 460800
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Sent packet to client
Oct 20 13:15:13 e-smith-server pptpd[3096]: CTRL (PPPD Launcher): local address = 192.168.1.1
Oct 20 13:15:13 e-smith-server pptpd[3096]: CTRL (PPPD Launcher): remote address = 192.168.1.250
Oct 20 13:15:13 e-smith-server pppd[3096]: pppd 2.4.2b1 started by root, uid 0
Oct 20 13:15:13 e-smith-server pppd[3096]: Starting negotiation on /dev/pts/1
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Received PPTP Control Message (type: 15)
Oct 20 13:15:13 e-smith-server pptpd[3095]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 20 13:15:43 e-smith-server pppd[3096]: LCP: timeout sending Config-Requests
Oct 20 13:15:43 e-smith-server pppd[3096]: Connection terminated.
Oct 20 13:15:43 e-smith-server pppd[3096]: Exit.
Oct 20 13:15:43 e-smith-server pptpd[3095]: GRE: read(fd=5,buffer=804d940,len=8196) from PTY failed: status = -1 error = Input/output error
Oct 20 13:15:43 e-smith-server pptpd[3095]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Oct 20 13:15:43 e-smith-server pptpd[3095]: CTRL: Client 213.162.108.36 control connection finished
Oct 20 13:15:43 e-smith-server pptpd[3095]: CTRL: Exiting now
Oct 20 13:15:43 e-smith-server pptpd[2507]: MGR: Reaped child 3095
Oct 20 13:15:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:15:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:15:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:15:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:16:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:16:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:16:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:16:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:17:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:17:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:17:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:17:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:18:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:18:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:18:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:18:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:19:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:19:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:19:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:19:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:20:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:20:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:20:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:20:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:21:29 e-smith-server dhcpd: DHCPINFORM from 192.168.1.65
Oct 20 13:21:32 e-smith-server dhcpd: DHCPINFORM from 192.168.1.65
Oct 20 13:21:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:21:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:21:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:21:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:22:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:22:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:22:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:22:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client
Oct 20 13:23:45 e-smith-server pptpd[2787]: CTRL: Received PPTP Control Message (type: 5)
Oct 20 13:23:45 e-smith-server pptpd[2787]: CTRL: Made a ECHO RPLY packet
Oct 20 13:23:45 e-smith-server pptpd[2787]: CTRL: I wrote 20 bytes to the client.
Oct 20 13:23:45 e-smith-server pptpd[2787]: CTRL: Sent packet to client

I've changed all of the usernames mentioned, but the rest is just as the logs were written.

Does anyone know what is going on here????

I noticed the odd messages in these lines on the failing server...

Oct 20 13:11:50 e-smith-server insmod: Warning: loading /lib/modules/2.4.20-18.7smp-e-smith/kernel/drivers/net/ppp_mppe.o will taint the kernel: non-GPL license - BSD without advertisement clause
Oct 20 13:11:50 e-smith-server insmod: See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Oct 20 13:11:50 e-smith-server insmod: Module ppp_mppe loaded, with warnings

...and I can't understand why the two machines would behave differently. What does this refer to, and is it the problem?
Ed Form
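
Reading the two fragments above side by side by hand is error-prone, so here is an added Python example (not code from this thread, from SME Server or from poptop) that groups pptpd and pppd syslog lines by session and tags each one as up, timed out at LCP, or incomplete, which is exactly the difference between the two servers' logs. The log lines embedded in it are constructed, modelled on the fragments in this post.

```python
"""Triage pptpd/pppd syslog lines into per-session outcomes.

Added example, not code from the thread or from SME Server/poptop. Lines
are grouped by the pptpd control process and the pppd child it launches;
a session is "up" once pppd reports the peer's IP address, "lcp-timeout"
when pppd gives up sending LCP Config-Requests (no PPP frames came back
through the GRE tunnel), otherwise "incomplete". pptpd manager lines
about exhausted connection slots are collected separately.
"""
import re
from collections import OrderedDict

# syslog line: "Oct 20 13:13:14 host prog[pid]: message" (the pid is optional)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"Client (\d+\.\d+\.\d+\.\d+) control connection started")
CHAP_RE = re.compile(r"CHAP peer authentication succeeded for (\S+)")

# Constructed sample modelled on the fragments above: one session that comes
# up (pptpd 2787 / pppd 2788) and one that dies of an LCP timeout (3053 / 3054).
SAMPLE = """\
Oct 20 13:11:45 e-smith-server pptpd[2787]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 20 13:11:45 e-smith-server pptpd[2787]: CTRL: Client 213.162.108.55 control connection started
Oct 20 13:11:48 e-smith-server pptpd[2788]: CTRL (PPPD Launcher): Connection speed = 460800
Oct 20 13:11:48 e-smith-server pppd[2788]: pppd 2.4.2b1 started by root, uid 0
Oct 20 13:11:50 e-smith-server pppd[2788]: CHAP peer authentication succeeded for BUNNY1
Oct 20 13:11:53 e-smith-server pppd[2788]: remote IP address 192.168.1.248
Oct 20 13:13:14 e-smith-server pptpd[3053]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Client 213.162.108.36 control connection started
Oct 20 13:13:14 e-smith-server pptpd[3054]: CTRL (PPPD Launcher): Connection speed = 460800
Oct 20 13:13:44 e-smith-server pppd[3054]: LCP: timeout sending Config-Requests
Oct 20 13:13:44 e-smith-server pptpd[3053]: CTRL: Client 213.162.108.36 control connection finished
Oct 20 13:13:44 e-smith-server pptpd[2507]: MGR: Reaped child 3053
Oct 20 13:14:00 e-smith-server pptpd[2507]: MGR: No free connection slots or IPs - no more clients can connect!
"""


def parse_line(line):
    """Split one syslog line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (sessions in launch order, timestamps of 'no free slots' lines)."""
    sessions = OrderedDict()  # pptpd control pid -> session dict
    pppd_owner = {}           # pppd pid -> pptpd control pid
    no_slots = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        prog, pid, msg = rec["prog"], rec["pid"], rec["msg"]
        if prog == "pptpd":
            if "No free connection slots or IPs" in msg:
                no_slots.append(rec["ts"])
            elif msg.startswith("MGR: Launching"):
                sessions[pid] = {"ctrl_pid": pid, "pppd_pid": None, "client": None,
                                 "user": None, "state": "incomplete", "ended": None}
            elif msg.startswith("CTRL (PPPD Launcher)") and pid not in pppd_owner:
                # the launcher is the forked child that becomes pppd, so its pid
                # is the pppd pid; bind it to the newest session that has none yet
                for s in reversed(list(sessions.values())):
                    if s["pppd_pid"] is None:
                        s["pppd_pid"] = pid
                        pppd_owner[pid] = s["ctrl_pid"]
                        break
            elif pid in sessions:
                s = sessions[pid]
                m = CLIENT_RE.search(msg)
                if m:
                    s["client"] = m.group(1)
                elif "control connection finished" in msg:
                    s["ended"] = rec["ts"]
        elif prog == "pppd" and pid in pppd_owner:
            s = sessions[pppd_owner[pid]]
            m = CHAP_RE.search(msg)
            if m:
                s["user"] = m.group(1)
            elif msg.startswith("remote IP address"):
                s["state"] = "up"
            elif "LCP: timeout sending Config-Requests" in msg:
                s["state"] = "lcp-timeout"
    return list(sessions.values()), no_slots


def report(lines):
    """One summary line per session, plus a note on exhausted slots."""
    sessions, no_slots = triage(lines)
    out = ["pptpd[%s]/pppd[%s] client=%s user=%s state=%s" % (
        s["ctrl_pid"], s["pppd_pid"], s["client"], s["user"], s["state"])
        for s in sessions]
    if no_slots:
        out.append("manager reported no free slots/IPs %d time(s): compare with the "
                   "PPTP client count set in the server manager" % len(no_slots))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE.splitlines()))
```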

Offline smeghead

VPN problem
« Reply #1 on: October 20, 2005, 07:13:00 PM »
The prob is related to the line:

pppd[3054]: LCP: timeout sending Config-Requests

Have there been any attempts to upgrade the kernel and a resultant mismatch with the mppe module?

Is there a router/modem in front of this server that has an MTU smaller than 1500? If so, try using 1500 to minimize the chance of packet fragmentation.

You do have multilink set for the w/s's VPN connection profiles (just checking)?

Offline edform

VPN problem
« Reply #2 on: October 20, 2005, 07:48:58 PM »
Thanks for the reply Smeghead. You said...

> The prob is related to the line:
> pppd[3054]: LCP: timeout sending Config-Requests

> Have there been any attempts to upgrade the kernel
> and a resultant mismatch with the mppe module?

I need to add some more information here...

Aside from the fact that the two servers are different machines, everything else is identical. All my client servers, and my own server, are running the same customised 6.0.1-01, set up in the same way, and having the same SMC Barricade 7401BRA routers as their ADSL connections. All the Barricades are identically set up, and are on the same firmware release.

As a result of these problems I actually took my own Barricade down to this client's place about a week ago, and swapped it for theirs. With their Barricade installed in my server, it continues to support multiple VPNs - with my Barricade, their server still will not.

All of the servers are loaded from the same CD of the customised ISO, and configured in the same way - I follow an iron rule as to the order in which I do things. All have SpamAssassin and Clam-AV loaded, using the same Swerts-Knudsen scripts. All of those installations work perfectly in every way I can see.

This one server - it's a Dell Poweredge 1400, the rest are all Compaq Proliants of one sort or another - will not support multiple VPNs - I wondered whether it might be the outward facing network board, so I swapped this for a server grade Intel E100 today, with no change.

> Is there a router/modem in front of this server that
> has an MTU smaller than 1500? If so, try using 1500
> to minimize the chance of packet fragmentation.

As I said, they now have my router which works perfectly on my Compaq server.

> You do have multilink set for the w/s's VPN
> connection profiles (just checking)?

I just accept the default settings for everything during configuration and never attempt to mess with anything that can't be seen in the server manager.

Ed Form

Offline smeghead

VPN problem
« Reply #3 on: October 20, 2005, 08:11:48 PM »
The multilink setting on the XP client setup is very important as it allows the VPN packet size to exceed the MTU of 1500 provided by a single link connection (if memory serves, PPTP packets require something like 1508 in total).

If this setting is incorrect then it will definitely not work.

This info is paraphrased from a previous post here, though I can't remember by whom so as to credit them; my tests prove this out.

What error code does the w/s report?

Cheers

Offline edform

VPN problem
« Reply #4 on: October 20, 2005, 09:11:43 PM »
Hi Smeghead,

The two workstations, which are at the client's remote office, and cannot make two VPNs to the client's own server, can make two VPNs to my server, so their settings are fine - if I kill the one successful VPN to the company server, and immediately make two calls to my server, they both succeed, every time.

The problem, whatever it is, is in the Dell Server.

Ed Form

Offline MSmith

VPN problem
« Reply #5 on: October 22, 2005, 04:47:36 AM »
Please don't take this as a slight; it'd be an easy omission ... do you have more than 1 PPTP client allowed, specified in the appropriate part of the server manager?

Offline edform

VPN problem
« Reply #6 on: October 22, 2005, 11:00:56 AM »
> Please don't take this as a slight;
> it'd be an easy omission ...
> do you have more than 1 PPTP client
> allowed, specified in the appropriate
> part of the server manager?

Yes, in this particular case there are three pptp clients allowed, and three of the users have the "vpn client access" button ticked in their user profiles.

I have to say this is driving me crazy - I've actually bought the client a new Compaq server, so I'll get round it, but it would be good to know what's going on.

From the logs it looks like the privacy system spawns a new thread when a second client attempts to log in and that thread doesn't work properly. It also appears that the privacy system is a kernel module - is it specific to the machine's hardware setup, and do the warning messages that appear indicate that the module for the Dell machine is different in both origin and possibly inner workings from those loaded for more generic hardware? If so, could this actual kernel module be buggy?

Ed Form

Offline raem

VPN problem
« Reply #7 on: October 25, 2005, 09:26:45 AM »
edform

> in this particular case there are three pptp clients allowed...

Try increasing that to 5 or 10 to allow for VPN connections that have not disconnected (timed out).


> If so could this actual kernel module be buggy?

How was this server built? Did you clone it from a master hard disk or did you install the OS from scratch using the CD?
The module may be wrong for the architecture.

Offline edform

VPN problem
« Reply #8 on: October 26, 2005, 05:55:43 PM »
> How was this server built? Did you clone it from a master hard disk or did you install the OS from scratch using the CD?
> The module may be wrong for the architecture.


I ran /sbin/lsmod on both machines, and they are not the same!!! The objects called ppp_mppe, ppp_async, ppp_generic, and slhc are missing completely.

Which modules do I need to get my hands on to put the missing bits in? I've already found...

ppp-modules-2.4.2b2-1es4_2.4.20_18.7.i686.rpm
ppp-modules-2.4.2b2-1es4_2.4.20_18.7.i586.rpm
ppp-modules-2.4.2b2-1es4_2.4.20_18.7.i386.rpm

But I can't find any defined list of other items I might need.

There was some discussion in one of the forums and one guy solved his VPN problem just by loading one of the above rpm's.

Anyone know the ropes here?

Ed Form

RoyS

VPN error 800
« Reply #9 on: January 05, 2006, 09:29:06 PM »
Please excuse me, I know this must be tiring, but I need some help with VPN.

My setup as best as I can describe is as follows. NTL cable modem to internet ( NTL apparently do not block any ports that would affect VPN, but warn against using VPN).

Pentium III 450MHz with 256M RAM, 80G H/D, Video Card and 2x Dlink 10/100 NIC.
SME 6.0.10 in server and gateway mode.
DHCP is disabled as my MS Server 2003 handles DHCP.
Number of PPTP clients is 5
Users have VPN Client Access = YES

I have email, web hosting, browsing, FTP etc., but VPN fails.

Message is:
Connecting to 192.168.70.1
Error 800 Unable to establish the VPN connection.

I have tried everything I know possible even replacing the NIC cards and re-installing SME.

Any help will be greatly welcome.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
VPN problem
« Reply #10 on: January 05, 2006, 11:12:40 PM »
Quote from: "edform"
>
From the logs it looks like the privacy system spawns a new thread when a second client attempts to log in and that thread doesn't work properly.


What "privacy system"? Do you mean pptpd (the pptp daemon)? If so, then no, a new thread is not spawned. A new process is, however. Actually, two new processes - one pptpd process and one pppd process.

Quote

It also appears that the privacy system is a kernel module - ...


No, the VPN is run by user space processes, but a kernel module is involved in doing the encryption. You can read more about the whole process at poptop.sourceforge.net.

Quote

... and do the warning message that appear indicate that the module for the Dell machine is different in both origin and possibly inner workings to those loaded for more generic hardware?


Nobody else has seen the warning messages of which you speak, so I doubt that anyone can answer.

Quote

If so could this actual kernel module be buggy?


If that's a possibility, you should be reporting via the bug tracker. However, before you post, be aware that the VPN server in SME is only capable of receiving a single inbound connection from any particular remote IP address. That is, you can't have two clients behind the same NAT router trying to connect at the same time. The connections may succeed, but the encrypted streams will interfere with each other, and neither will work.
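
The one-session-per-remote-address limit described above is visible in the pptpd log lines this thread already quotes: a second "control connection started" from an address whose earlier session has not yet logged "control connection finished" is exactly the overlapping case. The scan below is an added example, not code from the thread or from SME Server; the function name is ours, and the sample log is constructed to match the message format shown earlier in the thread.

```shell
# pptp_overlapping_clients  (reads pptpd log lines on stdin)
#   Report any client address that opened a second PPTP control connection
#   while an earlier one from the same address had not yet logged
#   "control connection finished". Prints "<ip> <count>" per address and
#   returns 1 if any overlap was seen. Added example; the function name is
#   ours and the log format is the one quoted in this thread.
pptp_overlapping_clients() {
  awk '
    # extract A.B.C.D from "CTRL: Client A.B.C.D control connection ..."
    function client_ip(line,    ip) {
      ip = line
      sub(/.*CTRL: Client /, "", ip)
      sub(/ control connection.*/, "", ip)
      return ip
    }
    /pptpd\[[0-9]+\]: CTRL: Client [0-9.]+ control connection started/ {
      ip = client_ip($0)
      if (open[ip] > 0) overlap[ip]++     # a session from this IP is still up
      open[ip]++
    }
    /pptpd\[[0-9]+\]: CTRL: Client [0-9.]+ control connection finished/ {
      ip = client_ip($0)
      if (open[ip] > 0) open[ip]--
    }
    END {
      n = 0
      for (ip in overlap) { print ip, overlap[ip]; n++ }
      exit (n > 0)
    }
  '
}

# Constructed sample, not a real log: two sessions from 213.162.108.36 overlap
# (PIDs 3053 and 3060); the one from 198.51.100.7 does not.
SAMPLE_PPTPD_LOG='Jan  6 10:00:01 e-smith-server pptpd[3053]: CTRL: Client 213.162.108.36 control connection started
Jan  6 10:00:01 e-smith-server pptpd[3053]: CTRL: Starting call (launching pppd, opening GRE)
Jan  6 10:00:05 e-smith-server pptpd[3060]: CTRL: Client 213.162.108.36 control connection started
Jan  6 10:00:06 e-smith-server pptpd[3070]: CTRL: Client 198.51.100.7 control connection started
Jan  6 10:00:40 e-smith-server pptpd[3053]: CTRL: Client 213.162.108.36 control connection finished
Jan  6 10:00:41 e-smith-server pptpd[3060]: CTRL: Client 213.162.108.36 control connection finished
Jan  6 10:01:00 e-smith-server pptpd[3070]: CTRL: Client 198.51.100.7 control connection finished'

# On a live server: grep pptpd /var/log/messages | pptp_overlapping_clients
printf '%s\n' "$SAMPLE_PPTPD_LOG" | pptp_overlapping_clients \
  || echo "overlapping sessions from one address: see above"
```

Run it over the server's messages file before filing a bug: an address reported here means two clients shared one public IP at the same time, which is the unsupported case, not a server fault. Two clients on separate ADSL lines, as Ed later confirms his are, will never appear in this output.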

ClaudioG

VPN problem
« Reply #11 on: January 05, 2006, 11:47:28 PM »
Quote
The server is a Dell Poweredge with two 866MHz Pentium IIIs, a Perc II and 64GBytes of fast SCSI discs as a mirror, 1Gbyte of RAM and is in perfect working order.


As you wrote, you have two processors: your server boots with the smp kernel, as we can see from your log:

Quote

Oct 20 13:11:50 e-smith-server insmod: Warning: loading /lib/modules/2.4.20-18.7smp-e-smith/kernel/drivers/net/ppp_mppe.o will taint the kernel: non-GPL license - BSD without advertisement clause


Could you try with the up kernel?

Modules and other things differ between kernel-up and kernel-smp, and this can make a difference.

Claudio Girlanda
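
Ed's lsmod comparison and Claudio's smp-versus-up point lead to the same check: the four PPP modules must exist under the module tree of the kernel that is actually running, and should show up in lsmod once a VPN has been attempted. The function below is an added example, not part of SME Server; its name and arguments are ours, and the module path layout (kernel/drivers/net/*.o) is the 2.4-series layout taken from the insmod warning quoted in this thread.

```shell
# check_ppp_modules ROOT KVER LSMOD_FILE
#   Verify that the kernel modules pptpd/pppd need are present for the kernel
#   that is actually running and that they are loaded.
#   ROOT        filesystem root to inspect: "/" on the server, a scratch dir in tests
#   KVER        kernel release, normally "$(uname -r)", e.g. 2.4.20-18.7smp-e-smith
#   LSMOD_FILE  file holding the output of lsmod
#   Added example, not SME Server code; the 2.4 path layout below comes from the
#   insmod warning quoted in this thread.
# Prints "<module> absent <path>" or "<module> not-loaded" per problem and
# returns 1 if anything was reported, 0 otherwise.
check_ppp_modules() {
  root=$1; kver=$2; lsmod_file=$3
  dir="$root/lib/modules/$kver/kernel/drivers/net"
  rc=0
  for m in ppp_generic ppp_async ppp_mppe slhc; do
    if [ ! -f "$dir/$m.o" ]; then
      # not built for this kernel flavour (smp vs up) or not installed at all
      echo "$m absent $dir/$m.o"; rc=1
    elif ! awk -v m="$m" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' "$lsmod_file"; then
      # on 2.4 these are loaded on demand, so run lsmod after a VPN attempt
      echo "$m not-loaded"; rc=1
    fi
  done
  return $rc
}

# Typical use on the server, tied to the running kernel rather than to a
# module list copied from another machine:
#   lsmod > /tmp/lsmod.txt
#   check_ppp_modules / "$(uname -r)" /tmp/lsmod.txt
```

An "absent" line for a kernel whose release string ends in "smp" while the modules were installed for the uniprocessor kernel (or the reverse) is the mismatch Claudio is pointing at; a "not-loaded" line for a module that is on disk means insmod never got that far, and the messages log around the VPN attempt will say why.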

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: VPN problem
« Reply #12 on: January 06, 2006, 12:07:01 AM »
Quote from: "edform"

Oct 20 13:11:50 e-smith-server kernel: PPP MPPE Compression module registered
Oct 20 13:11:50 e-smith-server insmod: Warning: loading /lib/modules/2.4.20-18.7smp-e-smith/kernel/drivers/net/ppp_mppe.o will taint the kernel: non-GPL license - BSD without advertisement clause
Oct 20 13:11:50 e-smith-server insmod:   See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Oct 20 13:11:50 e-smith-server insmod: Module ppp_mppe loaded, with warnings


That's purely a warning about the non-GPL license of the kernel module. There's a URL quoted which explains what the warning means.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: VPN problem
« Reply #13 on: January 06, 2006, 12:15:09 AM »
Quote

Oct 20 13:13:14 e-smith-server pptpd[3053]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 20 13:13:44 e-smith-server pppd[3054]: LCP: timeout sending Config-Requests
Oct 20 13:13:44 e-smith-server pppd[3054]: Connection terminated.
Oct 20 13:13:44 e-smith-server pppd[3054]: Exit.
Oct 20 13:13:44 e-smith-server pptpd[3053]: GRE: read(fd=5,buffer=804d940,len=8196) from PTY failed: status = -1 error = Input/output error
Oct 20 13:13:44 e-smith-server pptpd[3053]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Oct 20 13:13:44 e-smith-server pptpd[3053]: CTRL: Client 213.162.108.36 control connection finished


Both LCP timeout and GRE errors are dealt with here:

Offline edform

  • *
  • 178
  • +0/-0
    • http://www.workgroupsolutions.co.uk
Re: VPN error 800
« Reply #14 on: January 06, 2006, 09:54:26 AM »
Quote
I have email, web hosting, browsing, FTP etc., but VPN fails.

Message is:
Connecting to 192.168.70.1
Error 800 Unable to establish the VPN connection.

I have tried everything I know possible even replacing the NIC cards and re-installing SME.

Any help will be greatly welcome.


How is the SME server connected to the internet? As you have 2 NICs in the machine, I assume it's by an ADSL router of some kind - you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.

Ed Form

Offline edform

  • *
  • 178
  • +0/-0
    • http://www.workgroupsolutions.co.uk
VPN problem
« Reply #15 on: January 06, 2006, 10:00:57 AM »
Quote from: "CharlieBrady"

Quote

If so could this actual kernel module be buggy?


If that's a possibility, you should be reporting via the bug tracker. However, before you post, be aware that the VPN server in SME is only capable of receiving a single inbound connection from any particular remote IP address. That is, you can't have two clients behind the same NAT router trying to connect at the same time. The connections may succeed, but the encrypted streams will interfere with each other, and neither will work.


The two machines that need to connect are individually attached to their own ADSL connections with separate remote addresses.

I have actually cured the problem, but still have no idea what was going on. I needed to bring this particular server into a condition in which it can be changed over to SME 7 when the time comes, and the PERCII SCSI RAID controller would not allow this, so I fitted a Compaq controller and reloaded 6.0.1 from scratch. It now handles multiple VPNs without so much as a murmur.

Ed Form

RoyS

VPN error 800
« Reply #16 on: January 06, 2006, 10:40:20 AM »
Quote

How is the SME server connected to the internet? As you have 2 NICs in the machine, I assume it's by an ADSL router of some kind - you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.


Hi Ed,
At the risk of sounding stupid, how do I open these ports?
Thanks
Roy

Offline edform

  • *
  • 178
  • +0/-0
    • http://www.workgroupsolutions.co.uk
Re: VPN error 800
« Reply #17 on: January 06, 2006, 11:02:20 AM »
Quote from: "RoyS"
Quote

How is the SME server connected to the internet? As you have 2 NICs in the machine, I assume it's by an ADSL router of some kind - you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.


Hi Ed,
At the risk of sounding stupid, how do I open these ports?
Thanks
Roy


I don't know how it's done in your particular ADSL router, but mine has a configuration section called 'Virtual Server' where I enter the port number I want to open - or forward, strictly speaking. I enter 500 for the public port, 500 for the private port, put a tick in UDP, and give the IP address of the outward facing NIC as the address to forward the port to.

Ed Form

RoyS

VPN error 800
« Reply #18 on: January 06, 2006, 11:08:44 AM »
Hi Ed,

I am using NTL cable modem, and don't have any access to settings. Checked on NTL website and they don't block any ports.
The NTL modem is connected direct to SME box via UTP.

Offline edform

  • *
  • 178
  • +0/-0
    • http://www.workgroupsolutions.co.uk
Re: VPN error 800
« Reply #19 on: January 06, 2006, 11:44:09 AM »
Quote from: "RoyS"
I am using NTL cable modem, and don't have any access to settings. Checked on NTL website and they don't block any ports.
The NTL modem is connected direct to SME box via UTP.


I think you have an insoluble problem here. I got rid of the only NTL cable system I've been exposed to, and installed a normal ADSL line for one of my clients, specifically to get round this problem.

The other item that is a problem with an NTL system is that you don't have a fixed IP address, and they won't give you one - I've never tried to use VPN to a Dynamic address system, so I can't really advise you.

Ed Form

RoyS

VPN error 800
« Reply #20 on: January 06, 2006, 03:27:08 PM »
Thanks ED,
I too am suspicious of NTL, but a friend of mine also has a similar setup with NTL-SME-LAN and his setup works. I am going to try changing DNS providers.
Regards
Roy

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: VPN error 800
« Reply #21 on: January 06, 2006, 04:00:31 PM »
Quote from: "edform"

 you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.


That's incorrect. Port 500 UDP is not used for PPTP (it's used for key negotiation for IPSEC VPNs). For PPTP VPN to work, there needs to be a port 1723 TCP connection from client to server, and protocol 50 (GRE) needs to be able to pass between client and server. In some cases GRE can pass through a NAT firewall without special rules because outbound traffic creates a connection which will allow return traffic to pass. In other cases, a specific forwarding rule is needed. Not all NAT firewalls will allow you to forward arbitrary protocols (only offering TCP and UDP).
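
In iptables terms the two requirements above are a TCP/1723 forward and a forward for GRE, which has no port numbers; for the record, GRE is IP protocol 47 (protocol 50 is IPsec ESP), and UDP/500 is IPsec IKE, which PPTP never uses. The two functions below are an added example, not SME Server code or the thread's own: one prints the rules a separate NAT router in front of the server would need, the other audits a saved ruleset for the same two requirements and flags a UDP/500 rule that is doing nothing for PPTP. The function names, the interface name and the 192.168.70.1 server address (from Roy's error message) are ours.

```shell
# Inbound PPTP through a separate NAT router in front of the SME server
# needs exactly two things to reach the server: TCP/1723 (the control
# connection) and GRE, which is IP protocol 47 and has no port numbers.
# UDP/500 is IKE for IPsec and plays no part in PPTP. Added example in
# iptables syntax; the function names and the interface/address arguments
# are ours, not SME Server configuration.

# pptp_forward_rules WAN_IF SERVER_IP  -> prints the rules, does not apply them
pptp_forward_rules() {
  wan=$1; srv=$2
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $srv" \
    "iptables -A FORWARD -i $wan -p tcp -d $srv --dport 1723 -j ACCEPT" \
    "iptables -t nat -A PREROUTING -i $wan -p 47 -j DNAT --to-destination $srv" \
    "iptables -A FORWARD -i $wan -p 47 -d $srv -j ACCEPT"
}

# audit_pptp_rules RULES_FILE  -> checks a saved ruleset (iptables-save style
# lines) for the two requirements and points out a UDP/500 rule that is
# doing nothing for PPTP. Returns 1 when something required is missing.
audit_pptp_rules() {
  f=$1; rc=0
  grep -Eq -- '-p tcp .*--dport 1723( |$).*-j (ACCEPT|DNAT)' "$f" \
    || { echo "missing: TCP/1723 control connection"; rc=1; }
  grep -Eq -- '-p (47|gre)( |$).*-j (ACCEPT|DNAT)' "$f" \
    || { echo "missing: GRE (IP protocol 47) for the tunnelled data"; rc=1; }
  if grep -Eq -- '-p udp .*--dport 500( |$)' "$f"; then
    echo "note: UDP/500 is IPsec IKE, not used by PPTP"
  fi
  return $rc
}

# Example: rules for a router whose WAN side is eth0, forwarding to the
# server's outward-facing address from Roy's post.
pptp_forward_rules eth0 192.168.70.1
```

These rules only apply when a router sits between the internet and the server, as in Ed's ADSL setup. In Roy's case the cable modem is plugged straight into the SME box running in server and gateway mode, so there is no router to configure; and a consumer router whose "Virtual Server" page offers only TCP and UDP cannot forward protocol 47 at all, which is the limitation Charlie mentions.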

Offline edform

  • *
  • 178
  • +0/-0
    • http://www.workgroupsolutions.co.uk
Re: VPN error 800
« Reply #22 on: January 06, 2006, 05:29:10 PM »
Quote from: "CharlieBrady"
That's incorrect. Port 500 UDP is not used for PPTP (it's used for key negotiation for IPSEC VPNs). For PPTP VPN to work, there needs to be a port 1723 TCP connection from client to server, and protocol 50 (GRE) needs to be able to pass between client and server. In some cases GRE can pass through a NAT firewall without special rules because outbound traffic creates a connection which will allow return traffic to pass. In other cases, a specific forwarding rule is needed. Not all NAT firewalls will allow you to forward arbitrary protocols (only offering TCP and UDP).


Thanks for that Charlie, You'd be amazed how much incorrect [and confusing!!!!!!] information there is on the web about ports needed for the various services. Getting the real skinny from an authority is a bonus.

Ed Form

RoyS

Re: VPN error 800
« Reply #23 on: January 06, 2006, 05:40:21 PM »
Quote from: "CharlieBrady"
Quote from: "edform"

 you need to open ports 500/UDP and 1723/TCP or the VPN cannot talk.


That's incorrect. Port 500 UDP is not used for PPTP (it's used for key negotiation for IPSEC VPNs). For PPTP VPN to work, there needs to be a port 1723 TCP connection from client to server, and protocol 50 (GRE) needs to be able to pass between client and server. In some cases GRE can pass through a NAT firewall without special rules because outbound traffic creates a connection which will allow return traffic to pass. In other cases, a specific forwarding rule is needed. Not all NAT firewalls will allow you to forward arbitrary protocols (only offering TCP and UDP).


Well Charlie, maybe you can review the last few messages between Ed and I and hopefully give me some advice that will help cure my VPN problem, as I am at a complete loss.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: VPN error 800
« Reply #24 on: January 06, 2006, 05:48:10 PM »
Quote from: "edform"

Thanks for that Charlie, You'd be amazed how much incorrect [and confusing!!!!!!] information there is on the web about ports needed for the various services. Getting the real skinny from an authority is a bonus.


I'm only an authority on my intentions in code I've written and other opinions I hold. Anything else I post is just based on research. I usually make efforts to verify before posting advice here.

PPTP is defined here http://www.faqs.org/rfcs/rfc2637.html. Unfortunately it's rather poorly written, and isn't as clear as it should be. Case in point: it requires call ids to be unique to a particular tunnel, but it doesn't define what constitutes a tunnel.