LinuxQuestions.org

Linux - Networking: Need VPN Server on FC2 to host WinXP remote clients (https://www.linuxquestions.org/questions/linux-networking-3/need-vpn-server-on-fc2-to-host-winxp-remote-clients-391972/)

hackman777 12-12-2005 12:24 PM

Need VPN Server on FC2 to host WinXP remote clients
 
Nothing makes me feel more like a newbie than this... I've preached the greatness of Linux to all of my customers and finally convinced one of my biggest ones to go to Linux. They have an HP NetServer LH6000, which FC4 & FC3 would not work on, but FC2 would.

Somehow this FC2 kernel is "2.6.5.1-358smp" and has all the goodies that I need to make a VPN work: MPPE, updated pppd, updated pptpd and so forth. Every time I read some support doc that says "upgrade the kernel" I diligently download the patch, only to receive messages like "It's already in there" when I try to recompile the kernel.

The kernel is fine.

So, here's the way the network looks:

Some Remt: *
DSL Modem: 67.64.{ }.{} -- static IP
To Router: 192.168.1.1 -- Allowing various ports, firewalled
To Server: 192.168.1.150 -- static IP, no firewall

I am currently remoting into this box via SSH. I would prefer not throwing up IPCHAINS, because then I'm SOL and have to travel to the office and explain to my patiently waiting customer why their VPN still isn't up yet.

I would like to use IPSec if possible, but I'll settle for anything and upgrade it later. I need config files. Here's why:

After getting frustrated with trying to configure PPTP, PPPD, OpenVPN, OpenSWAN, and a handful of other point-to-point server/clients, I am certain that I have hosed my configuration so bad that even if I got one half-way working, something will interfere with it. For instance: according to my /var/log/messages, IPSEC has been continuously trying to connect every 20 seconds all night. I've put about 20 or so hours into this and have reached my limit. I am a persistent admin, but my patience is waning...

Please, please help me. :confused:

peter_robb 12-12-2005 03:25 PM

So what kind of problems are you getting starting pptpd?

Have you added the debug statement to both config files?
What are you logging as error messages?

hackman777 12-13-2005 12:59 AM

pptp, pptpd and messages
 
I turned on logging, and here's what my configs look like for pptp and pptpd:

/etc/ppp/options.pptp --

lock
debug
nologfd
noauth
name apollo
nobsdcomp
proxyarp
refuse-pap
refuse-mschap
require-mschap-v2
require-mppe-128
# ms-dns
# ms-dns your-second-domain-name-server-ip-address
defaultroute
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

/etc/ppp/options.pptpd --

debug
name apollovpn
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
proxyarp
defaultroute
logfile /var/log/pptpd
option /etc/ppp/options.pptp
localip 192.168.1.80-89 #look in the /etc/pptpd.conf file for more info about settings
remoteip 192.168.1.70-79
lock
nobsdcomp

Whenever I try to start pptp, I get messages like:

anon log[main:pptp.c:243]: The synchronous pptp option is NOT activated
anon warn[pptp_gre_bind:pptp_gre.c:95]: connect: Resource temporarily unavailable
fatal[main:pptp.c:251]: Cannot bind GRE socket, aborting.
Couldn't get channel number: Input/output error
Exit.

-OR-

pppd 2.4.3 started by root, uid 0
Using interface ppp0
Connect: ppp0 <--> /dev/pts/20
anon log[main:pptp.c:243]: The synchronous pptp option is NOT activated
LCP: timeout sending Config-Requests
Connection terminated.
anon warn[open_inetsock:pptp_callmgr.c:311]: connect: Connection timed out
anon fatal[callmgr_main:pptp_callmgr.c:123]: Could not open control connection to 67.64.{ }.{}
anon fatal[open_callmgr:pptp.c:402]: Call manager exited with error 256
Exit.

-OR-

The remote system (PPTP) is required to authenticate itself
but I couldn't find any suitable secret (password) for it to use to do so.

-OR-

KLIPS ipsec0 on eth0 192.168.1.150/255.255.255.0 broadcast 192.168.1.255
ipsec_setup: ...Openswan IPsec started
ipsec_setup: Restarting Openswan IPsec U2.4.4/K2.6.5-1.358smp...
ipsec__plutorun: 003 FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use
ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
ipsec__plutorun: ...could not route conn "packetdefault"
ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
ipsec__plutorun: ...could not route conn "block"
ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
ipsec__plutorun: ...could not route conn "clear-or-private"
ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
ipsec__plutorun: ...could not route conn "clear"
ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
ipsec__plutorun: ...could not route conn "private-or-clear"
ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
ipsec__plutorun: ...could not route conn "private"
ipsec__plutorun: !pluto failure!: exited with error status 1
ipsec__plutorun: restarting IPsec after pause...
rmmod: ERROR: Module af_key is in use
ipsec_setup: ...Openswan IPsec stopped
ipsec_setup: Stopping Openswan IPsec...

(Which was the one running every 20 seconds all night... BAH!)

Any ideas? :confused: :confused:
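An added example, not something any poster in this thread wrote: the lines above are best read by their syslog tag before anything else. `pptp[...]` is the pptp-linux client (its call manager, `pptp_callmgr.c`, is what prints "Could not open control connection"), `pptpd[...]` would be the PoPToP server, and `pppd[...]` can be either side. Every control-connection error quoted here is therefore this box failing, as a client, to reach TCP/1723 on the address it was told to dial; the "LCP: timeout sending Config-Requests" lines are pppd sending LCP into a pty that nobody ever connected. The Openswan line is separate: errno 98 (EADDRINUSE) from `find_raw_ifaces4()` means pluto could not bind UDP/500 because another process, typically a second IKE daemon or a leftover pluto, already holds it. The script below makes that sorting mechanical. Its sample log is constructed to mirror the quoted lines (the hostname "apollo" and the PIDs are invented), and it runs under plain POSIX sh.

```shell
#!/bin/sh
# Added example, not posted by anyone in this thread: sort pptp/pppd/Openswan
# syslog lines into the failure stage they indicate. The sample log below is
# constructed to mirror the lines quoted in the thread (hostname and PIDs made up).

# classify_vpn_line LINE -> short category name
classify_vpn_line() {
    case "$1" in
        # client could not open a raw GRE (IP protocol 47) socket
        *"Cannot bind GRE socket"*|*"pptp_gre_bind"*) echo gre_bind_failed ;;
        # client could not reach TCP/1723 on the address it was told to dial
        *"Could not open control connection"*|*"open_inetsock"*) echo control_conn_unreachable ;;
        # follow-on of the previous failure
        *"Call manager exited"*) echo callmgr_exited ;;
        # nothing usable in /etc/ppp/chap-secrets for the peer name
        *"couldn't find any suitable secret"*) echo no_chap_secret ;;
        # pppd sent LCP into a pty that the pptp side never connected
        *"LCP: timeout sending Config-Requests"*) echo lcp_timeout ;;
        # pluto could not bind UDP/500: something else already owns it
        *"find_raw_ifaces4"*"Address already in use"*) echo pluto_port_in_use ;;
        *"GRE over IPv4 tunneling driver"*) echo gre_module_loaded ;;
        # the only line in this set that proves a *server* is up
        *"MGR: Manager process started"*) echo pptpd_started ;;
        *) echo other ;;
    esac
}

# vpn_line_source LINE -> which program wrote it (pptpd = server, pptp = client)
vpn_line_source() {
    case "$1" in
        *"pptpd["*) echo server ;;
        *"pptp["*) echo client ;;
        *"pppd["*) echo pppd ;;
        *"ipsec__plutorun"*|*"ipsec_setup"*) echo openswan ;;
        *"kernel:"*) echo kernel ;;
        *) echo unknown ;;
    esac
}

# control_conn_target LINE -> the address the client tried to dial, if present
control_conn_target() {
    printf '%s\n' "$1" | sed -n 's/.*Could not open control connection to \([^ ]*\).*/\1/p'
}

# count_category LOGFILE CATEGORY -> number of lines in that category
count_category() {
    cc_n=0
    while IFS= read -r cc_line; do
        [ "$(classify_vpn_line "$cc_line")" = "$2" ] && cc_n=$((cc_n + 1))
    done < "$1"
    echo "$cc_n"
}

# Constructed sample, modelled on the thread's /var/log/messages excerpts.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec 14 23:20:01 apollo kernel: GRE over IPv4 tunneling driver
Dec 14 23:20:02 apollo pppd[27290]: pppd 2.4.3 started by root, uid 0
Dec 14 23:20:02 apollo pptp[27291]: anon log[main:pptp.c:243]: The synchronous pptp option is NOT activated
Dec 14 23:20:02 apollo pppd[27290]: Using interface ppp0
Dec 14 23:20:32 apollo pppd[27290]: LCP: timeout sending Config-Requests
Dec 14 23:20:32 apollo pppd[27290]: Connection terminated.
Dec 14 23:23:11 apollo pptp[27293]: anon warn[open_inetsock:pptp_callmgr.c:311]: connect: Connection timed out
Dec 14 23:23:11 apollo pptp[27293]: anon fatal[callmgr_main:pptp_callmgr.c:123]: Could not open control connection to 192.168.1.151
Dec 14 23:23:11 apollo pptp[27291]: anon fatal[open_callmgr:pptp.c:402]: Call manager exited with error 256
Dec 14 23:23:11 apollo pppd[27290]: Exit.
Dec 13 00:10:00 apollo ipsec__plutorun: 003 FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use
Dec 13 00:10:05 apollo pppd[25873]: The remote system (PPTP) is required to authenticate itself
Dec 13 00:10:05 apollo pppd[25873]: but I couldn't find any suitable secret (password) for it to use to do so.
EOF

# Stand-alone run: one count per category, then who wrote the failing lines.
for cat_name in control_conn_unreachable lcp_timeout no_chap_secret pluto_port_in_use pptpd_started; do
    printf '%-26s %s\n' "$cat_name" "$(count_category "$SAMPLE_LOG" "$cat_name")"
done
grep 'Could not open control connection' "$SAMPLE_LOG" | while IFS= read -r l; do
    printf 'dialled by %s: %s\n' "$(vpn_line_source "$l")" "$(control_conn_target "$l")"
done
```

On a real host, feed it the actual file: `count_category /var/log/messages control_conn_unreachable`. A count of zero for `pptpd_started` alongside non-zero client-side failures is the signature of a box running the client and no server at all.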

peter_robb 12-14-2005 09:25 AM

Check to make sure you have GRE configured in the kernel..
The module will be called ip-gre

Not too sure about the IPSEC error tho'..

hackman777 12-14-2005 12:17 PM

How do I check to make sure that I have GRE configured in the kernel?

Well, I was able to get a hold of Jacco de Leeuw personally in the Netherlands about the L2TP/IPsec problems. After explaining everything that I was trying to accomplish, he told me that IPsec was probably overkill for what I was doing. He gave me a ton of good information, so I'm trying to implement it today.

I'm back to doing PPTP/PPP. I finally got ipsec to shut down, still trying to figure out how to deactivate OpenVPN and now I get this message in my /var/log/messages:

pppd[25873]: pppd 2.4.3 started by hackman, uid 0
pptp[25874]: anon log[main:pptp.c:243]: The synchronous pptp option is NOT activated
pppd[25873]: Using interface ppp0
pppd[25873]: Connect: ppp0 <--> /dev/pts/65
pppd[25873]: LCP: timeout sending Config-Requests
pppd[25873]: Connection terminated.

And then after a few minutes this pops up also in the /var/log/messages ::

pptp[25876]: anon warn[open_inetsock:pptp_callmgr.c:311]: connect: Connection timed out
pptp[25876]: anon fatal[callmgr_main:pptp_callmgr.c:123]: Could not open control connection to 67.64.{ }.{}
pptp[25874]: anon fatal[open_callmgr:pptp.c:402]: Call manager exited with error 256
pppd[25873]: Exit.

After taking Jacco's suggestion and using the basic configuration found here:

ftp://ftp.samba.org/pub/unpacked/lor...nal-report.pdf

I was able to create the following /etc/ppp/pptpd.conf ::

option /etc/ppp/options.pptpd
localip 192.168.1.150
remoteip 192.168.1.200-254

And the new /etc/ppp/options.pptpd ::

## CHANGE TO SUIT YOUR SYSTEM
lock
## turn pppd syslog debugging on
debug
# The server will prove itself to us, but not the *normal* way
# so turn that off.
noauth
## change *pptpd* to whatever you specify as your server name in chap-secrets
name {name used in chap-secrets}
# Dont need this
nobsdcomp
# Bring VPN clients onto the local LAN
proxyarp
# These options are for use with the BSD-licensed patch (ppp => 2.4.2)
# This is the default implementation
refuse-pap
refuse-chap
refuse-MSCHAP
require-MSCHAP-v2
require-mppe
# These options will tell ppp to pass on these to your clients
# To use ms-dns or ms-dns in options.pptpd it must exist in /etc/resolv.conf
# ms-wins <ip-of-your-winsserver>
# ms-dns <ip-of-your-dnsserver>
# This tells the clients to use us as their default route
defaultroute
# Tell pppd to use Winbind for authentication
# (modify to suit your installation):
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

I cannot figure out what versions of pppd, pptpd, samba, winbind or etc I have.
{{ My mind is going... I can feel it. }}
What's the rpm command to check my versions?
I just want to be sure I didn't overlook something...

Also, what do I do to fire up the MPPE alias in modprobe that this PDF suggests??

Hopefully something will kick today... Besides my backside!

hackman777 12-14-2005 12:18 PM

{ . . . . . . }

peter_robb 12-14-2005 03:44 PM

alias ppp-compress-18 ppp_mppe

GRE is protocol 47
Check dmesg to see if it was registered at boot time..
or do modprobe ip_gre then lsmod to check

Another way is to do grep GRE /boot/config-2.6.5.1-358smp and see if it's either y or m
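An added example, not part of peter_robb's post: the three checks he lists (the `ppp-compress-18` alias, `modprobe`/`lsmod` for ip_gre, and grepping `/boot/config-*`) as one script. The alias matters because CCP compression type 18 is MPPE (RFC 3078), so pppd asks the kernel for a module named `ppp-compress-18` and modprobe has to map that to `ppp_mppe`. The kernel config symbols assumed here are `CONFIG_NET_IPGRE` and `CONFIG_PPP_MPPE`; the config, lsmod and modprobe.conf inputs are constructed samples modelled on the thread's output, and on a real box you would point the functions at `/boot/config-$(uname -r)`, `lsmod` output and `/etc/modprobe.conf`.

```shell
#!/bin/sh
# Added example, not from the thread: confirm the kernel has GRE (IP protocol 47,
# the PPTP data channel) and MPPE built in or as modules, that the modules are
# loaded, and that modprobe knows how to satisfy pppd's request for ppp-compress-18.
# The kconfig, lsmod and modprobe.conf inputs below are constructed samples.

# kconfig_state FILE SYMBOL -> y (built in), m (module), n (explicitly off) or absent
kconfig_state() {
    ks_val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | head -n 1)
    if [ -n "$ks_val" ]; then
        echo "$ks_val"
    elif grep -q "^# $2 is not set" "$1"; then
        echo n
    else
        echo absent
    fi
}

# module_loaded LSMODFILE NAME -> exit 0 if NAME is in the first column of an lsmod listing
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# mppe_alias_present MODPROBECONF -> exit 0 if "alias ppp-compress-18 ppp_mppe" is there
# (CCP option type 18 is MPPE, RFC 3078; that is the name pppd asks the kernel for)
mppe_alias_present() {
    grep -Eq '^[[:space:]]*alias[[:space:]]+ppp-compress-18[[:space:]]+ppp_mppe' "$1"
}

# report_pptp_kernel KCONFIG LSMOD MODPROBECONF -> one line per check; exit 0 only if all pass
report_pptp_kernel() {
    rk_ok=0
    for rk_pair in CONFIG_NET_IPGRE:ip_gre CONFIG_PPP_MPPE:ppp_mppe; do
        rk_sym=${rk_pair%%:*}; rk_mod=${rk_pair#*:}
        rk_state=$(kconfig_state "$1" "$rk_sym")
        case "$rk_state" in
            y) echo "$rk_sym built in" ;;
            m) if module_loaded "$2" "$rk_mod"; then echo "$rk_sym=m, $rk_mod loaded"
               else echo "$rk_sym=m but $rk_mod NOT loaded (try: modprobe $rk_mod)"; rk_ok=1; fi ;;
            *) echo "$rk_sym=$rk_state: this kernel lacks it"; rk_ok=1 ;;
        esac
    done
    if mppe_alias_present "$3"; then echo "ppp-compress-18 alias present"
    else echo "ppp-compress-18 alias missing (add: alias ppp-compress-18 ppp_mppe)"; rk_ok=1; fi
    return $rk_ok
}

# Constructed samples (modelled on the thread's grep and lsmod output).
SAMPLE_KCONFIG=$(mktemp); SAMPLE_LSMOD=$(mktemp); SAMPLE_MODPROBE=$(mktemp)
trap 'rm -f "$SAMPLE_KCONFIG" "$SAMPLE_LSMOD" "$SAMPLE_MODPROBE"' EXIT
cat > "$SAMPLE_KCONFIG" <<'EOF'
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_NET_SCH_GRED=m
CONFIG_PPP_MPPE=m
# CONFIG_PPP_BSDCOMP is not set
EOF
cat > "$SAMPLE_LSMOD" <<'EOF'
Module                  Size  Used by
ip_gre                 13088  0
ppp_async              12416  0
ppp_mppe               17536  0
ppp_generic            30228  2 ppp_async,ppp_mppe
slhc                    9600  1 ppp_generic
EOF
cat > "$SAMPLE_MODPROBE" <<'EOF'
alias eth0 e100
alias ppp-compress-18 ppp_mppe
EOF

# Stand-alone run against the samples.
report_pptp_kernel "$SAMPLE_KCONFIG" "$SAMPLE_LSMOD" "$SAMPLE_MODPROBE"
```

On the real host the equivalent call is `lsmod > /tmp/lsmod.txt; report_pptp_kernel /boot/config-$(uname -r) /tmp/lsmod.txt /etc/modprobe.conf`. A built-in (`=y`) GRE or MPPE never shows up in lsmod, which is why the report only demands a loaded module when the symbol is `m`.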

hackman777 12-14-2005 11:26 PM

lsmod ip_gre just says:

Usage: lsmod

So I did a 'modprobe ip-gre' and it seemed to take it okay... Must not have been in there before.

lsmod gives me this::

Module Size Used by
ip_gre 13088 0
ipcomp 9216 0
esp4 11136 0
ah4 9216 0
ppp_async 12416 0
ppp_mppe 17536 0
ppp_generic 30228 2 ppp_async,ppp_mppe
slhc 9600 1 ppp_generic
tun 9728 1
ip_vs 74368 0
snd_mixer_oss 17792 0
snd 43876 1 snd_mixer_oss
soundcore 10336 1 snd
parport_pc 23616 1
lp 12300 0
parport 34632 2 parport_pc,lp
autofs4 15488 0
rfcomm 32280 0
l2cap 21504 5 rfcomm
bluetooth 39780 4 rfcomm,l2cap
sunrpc 110280 1
e100 30852 0
mii 7552 1 e100
deflate 6528 0
zlib_deflate 23448 1 deflate
twofish 40576 0
serpent 16896 0
aes 35264 0
blowfish 13568 0
des 15232 0
sha256 12672 0
sha1 11904 0
crypto_null 5888 0
af_key 27792 2
floppy 52336 0
sg 32288 0
microcode 10400 0
dm_mod 37536 0
ipv6 214624 24
ext3 108136 2
jbd 50328 1 ext3
megaraid 37064 3
aic7xxx 141752 0
sd_mod 20352 4
scsi_mod 97224 4 sg,megaraid,aic7xxx,sd_mod

grep GRE /boot/config-2.6.5-1.358smp gives me this::

CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_INGRESS=m

So this output from /var/log/messages at least looks like I'm getting closer...

kernel: GRE over IPv4 tunneling driver
pppd[27290]: pppd 2.4.3 started by [me]
pptp[27291]: anon log[main:pptp.c:243]: The synchronous pptp option is NOT activated
pppd[27290]: Using interface ppp0
pppd[27290]: Connect: ppp0 <--> /dev/pts/69
pppd[27290]: LCP: timeout sending Config-Requests
pppd[27290]: Connection terminated.
pptp[27293]: anon warn[open_inetsock:pptp_callmgr.c:311]: connect: Connection timed out
pptp[27293]: anon fatal[callmgr_main:pptp_callmgr.c:123]: Could not open control connection to 67.64.{ }.{}
pptp[27291]: anon fatal[open_callmgr:pptp.c:402]: Call manager exited with error 256
pppd[27290]: Exit.

When I specify on my WinXP laptop that the VPN is PPTP and etc, it gives me an error 628: The server did not respond. That's better than the error 800: Can't see it...

Just a bit more, I think it's getting closer!

hackman777 12-14-2005 11:35 PM

Two quick questions...
 
Sort of off the main point of the topic, but...

1) Should my control connection be to the IP of the server on the local/private network (in this case 192.168.1.150) or to the external/public network (in this case 67.64.{ }.{} -- hidden for privacy's sake)?? Maybe that's part of the problem...?

Again, network looks like this:

DSL: 67.64.{ }.{} --> WRT54G: 192.168.1.1 --> 192.168.1.150 Server

2) I can see all kinds of garbage in this listing from lsmod that I can probably strip away. I don't need stuff like 'tun' and etc. What of this can I purge and which flags do I use with lsmod/modprobe to make them go away?? I only ask this so that I can eliminate the possibility of any of this interfering with what I'm trying to accomplish with PPTP. If it doesn't matter to get this goal, then I'll let it clean itself up on the next scheduled reboot if necessary.

Thanks! ;)

peter_robb 12-15-2005 08:23 AM

Ooops.. typo from me earlier.. modprobe ip_gre is correct..

Time to add the "debug" statement in both pptpd-options and pptpd.conf
then tail -f /var/log/debug or syslog or wherever debug or daemon info is sent to by syslog.
There will be error messages stating the failure.

The control connection should be to whatever is the last accessible ip address, so if it's behind a firewall, use the firewall address.

Don't worry about extra modules being loaded just yet. Start by changing just ONE thing at a time! Look at the logs, then trace the error.

hackman777 12-15-2005 02:18 PM

Added debug to pptpd.conf, already had it in options.pptpd ...

Tried to run pptp, same response. Should the 'control connection' IP be the internal address of the router (192.168.1.1) or the external address?

hackman777 12-15-2005 02:20 PM

Don't have a /var/log/debug, just a 'secure' and a 'messages'

hackman777 12-17-2005 07:07 AM

So what do I do now?

timdw 12-17-2005 08:39 AM

I could be completely wrong here, but I don't see any mention of you starting pptpd. Try stopping and starting it manually with:
/etc/init.d/pptpd stop
ps -ef | grep pp (and kill off anything pptpd/pptp/ppp/pppd)
/etc/init.d/pptpd start
(assuming it isn't setup in /etc/inetd.conf instead, although I haven't heard of that being done)

My system is Debian, but this is what I see in my /var/log/daemon.log:
Dec 17 14:31:50 newrouter pptpd[5553]: MGR: Manager process started
Dec 17 14:31:50 newrouter pptpd[5553]: MGR: Maximum of 19 connections available


Here's an example of what I see in my logs after a successful connection:
Dec 17 14:35:07 newrouter pptpd[5559]: MGR: Launching /usr/sbin/pptpctrl to handle client
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: local address = 192.168.5.1
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: remote address = 192.168.5.3
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: pppd options file = /etc/ppp/pptpd-options
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Client 192.168.6.2 control connection started
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Received PPTP Control Message (type: 1)
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Made a START CTRL CONN RPLY packet
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: I wrote 156 bytes to the client.
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Sent packet to client
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Received PPTP Control Message (type: 7)
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Set parameters to 100000000 maxbps, 64 window size
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Made a OUT CALL RPLY packet
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Starting call (launching pppd, opening GRE)
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: pty_fd = 4
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: tty_fd = 5
Dec 17 14:35:07 newrouter pptpd[5560]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
Dec 17 14:35:07 newrouter pptpd[5560]: CTRL (PPPD Launcher): local address = 192.168.5.1
Dec 17 14:35:07 newrouter pptpd[5560]: CTRL (PPPD Launcher): remote address = 192.168.5.3
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: I wrote 32 bytes to the client.
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Sent packet to client
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Received PPTP Control Message (type: 15)
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Dec 17 14:35:07 newrouter pptpd[5559]: GRE: Bad checksum from pppd.
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Received PPTP Control Message (type: 15)
Dec 17 14:35:07 newrouter pptpd[5559]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!

HTH

Tim

hackman777 12-17-2005 11:38 PM

[root@{server} {user}]# /etc/rc.d/init.d/pptp stop
WARNING: /etc/resolv.conf.real not installed
/etc/resolv.conf does not match /etc/resolv.conf.pptp
Sending HUP signal to PPTP processes...
/usr/sbin/pptp: no process killed
[root@{server} {user}]# ps -ef|grep pp
xfs 2530 1 0 Nov28 ? 00:00:00 xfs -droppriv -daemon
root 2411 1 0 Dec07 ? 00:11:05 /usr/bin/python /usr/bin/rhn-applet-gui --sm -config-prefix /rhn-applet-YOkBs1/ --sm-client-id 117f000001000113272121600000034720006 --screen 0
root 2442 1 0 Dec07 ? 00:00:00 /usr/libexec/mapping-daemon
root 2445 1 0 Dec07 ? 00:00:17 /usr/libexec/clock-applet --oaf-activate-iid=OAFIID:GNOME_ClockApplet_Factory --oaf-ior-fd=31
root 2447 1 0 Dec07 ? 00:00:01 /usr/libexec/notification-area-applet --oaf-activate-iid=OAFIID:GNOME_NotificationAreaApplet_Factory --oaf-ior-fd=33
root 2449 1 0 Dec07 ? 00:00:01 /usr/libexec/mixer_applet2 --oaf-activate-iid=OAFIID:GNOME_MixerApplet_Factory --oaf-ior-fd=35
root 2481 1 0 Dec07 ? 00:00:18 /usr/libexec/wnck-applet --oaf-activate-iid=OAFIID:GNOME_Wncklet_Factory --oaf-ior-fd=37
root 6569 6534 0 22:50 pts/78 00:00:00 grep pp

{{Hmmm... Nothing that looks like pppd or pptpd... }}

[root@{server} {user}]# /etc/rc.d/init.d/pptp start
Using interface ppp0
Connect: ppp0 <--> /dev/pts/79
LCP: timeout sending Config-Requests
Connection terminated.

{{ A Pause... }}

anon warn[open_inetsock:pptp_callmgr.c:311]: connect: Connection timed out
anon fatal[callmgr_main:pptp_callmgr.c:123]: Could not open control connection to 192.168.1.151
anon fatal[open_callmgr:pptp.c:402]: Call manager exited with error 256
pptp-command: pppd indicated failure
[root@{server} {user}]# tail --l 256 /var/log/messages
{{ A bunch of SSH stuff about me logging in via remote... }}
pptp[6637]: anon warn[open_inetsock:pptp_callmgr.c:311]: connect: Connection timed out
pptp[6637]: anon fatal[callmgr_main:pptp_callmgr.c:123]: Could not open control connection to 192.168.1.151
pptp[6634]: anon fatal[open_callmgr:pptp.c:402]: Call manager exited with error 256
pppd[6633]: Exit.
[root@{server} {user}]#

And then...?
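An added example, not from any poster. timdw's point is the one to act on: `/etc/init.d/pptp`, which the last post stops and starts, is pptp-linux's client script (its stop output even says "/usr/sbin/pptp: no process killed"), so it dials out and prints client-side errors. The server that the Windows XP laptop must reach is pptpd, listening on TCP/1723 and receiving GRE (IP protocol 47) on the same host, which on this network also means the WRT54G has to forward TCP/1723 and pass protocol 47 to 192.168.1.150. The script below checks a `ps -ef` listing and a `netstat -tln` listing for exactly those two facts; the listings are constructed samples, one modelled on the last post and one on timdw's Debian log. One caveat a practitioner would add: PPTP with MS-CHAPv2 and MPPE is only as strong as the user's password, since the MS-CHAPv2 handshake can be attacked offline and MPPE is RC4, so treat it as a convenience tunnel rather than a security boundary.

```shell
#!/bin/sh
# Added example, not posted in the thread: tell from a `ps -ef` listing and a
# `netstat -tln` listing whether the PPTP *server* is actually up. pptpd and
# pptpctrl are the PoPToP server; a bare pptp process is the pptp-linux client
# (what /etc/init.d/pptp starts). All listings below are constructed samples.

# pptp_role PSFILE -> server | client | both | none (looks at the CMD column of ps -ef)
pptp_role() {
    pr_server=0; pr_client=0
    for pr_cmd in $(awk '{ print $8 }' "$1" | sed 's#.*/##'); do
        case "$pr_cmd" in
            pptpd|pptpctrl) pr_server=1 ;;
            pptp) pr_client=1 ;;
        esac
    done
    if [ "$pr_server" = 1 ] && [ "$pr_client" = 1 ]; then echo both
    elif [ "$pr_server" = 1 ]; then echo server
    elif [ "$pr_client" = 1 ]; then echo client
    else echo none
    fi
}

# listening_1723 NETSTATFILE -> exit 0 if a socket is in LISTEN on port 1723 (netstat -tln format)
listening_1723() {
    awk '$NF == "LISTEN" && $4 ~ /:1723$/ { found = 1 } END { exit !found }' "$1"
}

# diagnose PSFILE NETSTATFILE -> one-line verdict
diagnose() {
    d_role=$(pptp_role "$1")
    if listening_1723 "$2"; then d_listen=yes; else d_listen=no; fi
    case "$d_role:$d_listen" in
        server:yes|both:yes)
            echo "ok: pptpd is running and TCP/1723 is listening" ;;
        client:no|none:no)
            echo "no server: nothing listens on TCP/1723; start pptpd (not /etc/init.d/pptp, which is the client)" ;;
        client:yes|none:yes)
            echo "TCP/1723 is open but no pptpd process was found; check what owns the port" ;;
        *)
            echo "pptpd process found but TCP/1723 is not listening; check pptpd.conf and its log" ;;
    esac
}

# Constructed samples: a box running only the client (as in the last post) and
# a box running the server (as in timdw's Debian log), plus two socket listings.
SAMPLE_PS_CLIENT=$(mktemp); SAMPLE_PS_SERVER=$(mktemp)
SAMPLE_NS_NONE=$(mktemp); SAMPLE_NS_OPEN=$(mktemp)
trap 'rm -f "$SAMPLE_PS_CLIENT" "$SAMPLE_PS_SERVER" "$SAMPLE_NS_NONE" "$SAMPLE_NS_OPEN"' EXIT
cat > "$SAMPLE_PS_CLIENT" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root      2530     1  0 Nov28 ?        00:00:00 xfs -droppriv -daemon
root      6633     1  0 22:50 pts/78   00:00:00 /usr/sbin/pppd call tunnel
root      6634  6633  0 22:50 ?        00:00:00 /usr/sbin/pptp 192.168.1.151 --nolaunchpppd
root      6569  6534  0 22:50 pts/78   00:00:00 grep pp
EOF
cat > "$SAMPLE_PS_SERVER" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root      5553     1  0 14:31 ?        00:00:00 /usr/sbin/pptpd
root      5559  5553  0 14:35 ?        00:00:00 /usr/sbin/pptpctrl
root      5560  5559  0 14:35 ?        00:00:00 /usr/sbin/pppd local file /etc/ppp/pptpd-options
EOF
cat > "$SAMPLE_NS_NONE" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
EOF
cat > "$SAMPLE_NS_OPEN" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
EOF

# Stand-alone run against both constructed states.
diagnose "$SAMPLE_PS_CLIENT" "$SAMPLE_NS_NONE"
diagnose "$SAMPLE_PS_SERVER" "$SAMPLE_NS_OPEN"
```

On the real server: `ps -ef > /tmp/ps.txt; netstat -tln > /tmp/ns.txt; diagnose /tmp/ps.txt /tmp/ns.txt`. A "no server" verdict with the client process present is the state the last post shows; the fix is `/etc/init.d/pptpd start` and then a `tail -f /var/log/messages` while the XP laptop dials the WRT54G's public address.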

