Need VPN Server on FC2 to host WinXP remote clients
Linux - Networking
So just out of curiosity, I pinged and trace-routed my router's external IP from the server's internal IP (192.168.1.150 --> 24.107.7.63) and got zilch. Nada.
Could this have anything to do with why I'm getting code 623: Server not responding from my XP VPN program and why LCP timeouts? If so, how do I fix this?
So in essence, my IP tunnel should look something like this:::
I guess I'm confused. No matter what my client side looks like, I need it to authenticate at 192.168.1.150 on the internal side of the office network, make the client's IP 192.168.1.200-254 on the internal side of the office network, and then let it act like just another PC connected to the internal office network.
That's /etc/init.d/pptpd with a d at the end, for daemon. Otherwise I think you're trying to make an outbound pptp VPN connection!
You'll also need to change one of the subnets from 192.168.1.0/24 to something else otherwise when you do get the link up the packets won't get routed. Have you read http://poptop.sourceforge.net/dox/redhat-howto.phtml?
There is no pptpd in the /etc/init.d/ directory. Only a pptp.
Following the steps in poptop.sourceforge.net/dox/redhat-howto.phtml --
# modprobe ppp-compress-18 && echo ok
ok
# rpm -U ppp-2.4.3-5.fc2.i386.rpm
warning: ppp-2.4.3-5.fc2.i386.rpm: V3 DSA signature: NOKEY, key ID b56a8bac
# rpm -U pptpd-1.3.0-0.i386.rpm
warning: /etc/ppp/options.pptpd created as /etc/ppp/options.pptpd.rpmnew
warning: /etc/pptpd.conf created as /etc/pptpd.conf.rpmnew
# rpm -U pptp-linux-1.5.0-1.i386.rpm
package pptp-linux-1.5.0-1 is already installed
Everybody with me so far? Can't find an /etc/modules.conf file... All my conf files (options.pptpd, pptpd.conf) remained intact, so I should be able to go...
# /sbin/service pptpd start
Starting pptpd: [ OK ]
Okay, so now in my MS-VPN I am now getting a 619 error. This is better than a 623 or an 800, so it is definitely progress! Let's check the logs...
# vim /var/log/messages
{Whole bunch of smbd stuff, n/a}
pptpd[17996]: MGR: Manager process started
pptpd[17996]: MGR: Maximum of 50 connections available
bcrelay[17997]: Running as child
pptpd: pptpd startup succeeded
pptpd[18000]: CTRL: Client 24.107.22.223 control connection started
{{{ --- HEY! THAT'S ME! --- }}}
pptpd[18000]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18001]: In file /etc/ppp/options.pptpd: unrecognized option 'ref use-MSCHAP'
pptpd[18000]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18000]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18000]: CTRL: Client 24.107.22.223 control connection finished
{{{ --- Cycled Twice, I Think --- }}}
pptpd[18002]: CTRL: Client 24.107.22.223 control connection started
pptpd[18002]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18003]: In file /etc/ppp/options.pptpd: unrecognized option 'ref use-MSCHAP'
pptpd[18002]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18002]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18002]: CTRL: Client 24.107.22.223 control connection finished
Okay, so I have a problem with my MSCHAP reference...
Commented out NTLM line, just because if I have to, I'll fiddle with SMBD later.
Restarted pptpd, now I get this---
pptpd[18299]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18300]: Plugin winbind.so loaded.
pppd[18300]: WINBIND plugin initialized.
pppd[18300]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[18300]: pptpd-logwtmp: $Version$
pppd[18300]: The remote system is required to authenticate itself
pppd[18300]: but I couldn't find any suitable secret (password) for it to use to do so.
pptpd[18299]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18299]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18299]: CTRL: Client 64.241.37.140 control connection finished
Did I screw something up in my chap-secrets now? Sheesh...
Checking my chap-secrets with no authentication...
pptpd[18739]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18740]: Plugin winbind.so loaded.
pppd[18740]: WINBIND plugin initialized.
pppd[18740]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[18740]: pptpd-logwtmp: $Version$
pppd[18740]: The remote system is required to authenticate itself
pppd[18740]: but I couldn't find any suitable secret (password) for it to use to do so.
pptpd[18739]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18739]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18739]: CTRL: Client 64.241.37.140 control connection finished
I hate to sound like Yoda, but time is short and I'm out of beer... My Tourette's is turning into vast sputtering and raspberries.
Where is pptpd trying to authenticate that I cannot find it? I want it to use chap-secrets, but since it is authenticating mschap-v2, do I call it something else or is it trying to authenticate through SAMBA somewhere?
Working backwards a little bit. I looked in the manual for ntlm_auth and found that my current version of ntlm_auth doesn't support "server-1" as an option. Where do I go to upgrade this?
Found this in some documentation somewhere after they got this "remote system is required to authenticate itself" message:
After countless hours of scratching my head trying to figure this out on a VPN server I'm setting up, I finally figured it out. Even though the MPPE patch was enabled in the kernel, it wasn't being recognized by pppd. After reading Jan's site I noticed that I had to enable SHA1 and RC4 encryption in the kernel. Recompiled and voilà, works again.
So, how do I check if SHA1 and RC4 are in the kernel via this remote SSH2 connection I currently have, and if they are disabled (or unrecognized) how do I turn this on?
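The two questions in the post above (where pppd looks for the secret, and how to tell over SSH whether the kernel has the crypto that MPPE needs) can both be answered from files rather than guesswork. What follows is an added example, not code from this thread or from poptop: it lists the algorithms in /proc/crypto and reports whether arc4 and sha1 are registered (algorithms built as modules only show up once loaded, so on kernels that ship MPPE as a module, load it first, e.g. `modprobe ppp_mppe`, and look again), and it parses options.pptpd and chap-secrets the way pppd does to confirm that the server name set with `name` has a matching line in the server column of chap-secrets. It also flags `noauth` sitting next to `require-mschap-v2`: the latter turns peer authentication back on, so a `noauth` line (whose comment here reads like the client-side sample file) does nothing useful. All file contents in the block are constructed samples; the names joshua and hackman are borrowed from the thread purely as placeholders.

```python
"""Preflight checks for a poptop (pptpd) + pppd MS-CHAPv2/MPPE server.

Added example for this thread, not code from poptop or from any poster.
Two checks that run over an SSH session without a reboot:
  1. are the kernel crypto algorithms MPPE needs (arc4, sha1) registered,
     as read from /proc/crypto;
  2. does /etc/ppp/chap-secrets hold a line pppd will match for the
     server name given by `name` in /etc/ppp/options.pptpd.
The file contents below are constructed samples, not the poster's files.
"""
import re
import shlex
from pathlib import Path

# MPPE (RFC 3078) needs RC4 ("arc4") for the stream cipher and SHA-1 for
# key derivation; both come from the kernel crypto API.
MPPE_NEEDS = ("arc4", "sha1")

# Constructed sample of /proc/crypto: one "name : ..." block per algorithm.
SAMPLE_PROC_CRYPTO = """\
name         : sha1
driver       : sha1-generic
module       : kernel
type         : digest

name         : arc4
driver       : arc4-generic
module       : arc4
type         : cipher
"""

# Constructed sample options.pptpd (only the lines this check looks at).
SAMPLE_OPTIONS_PPTPD = """\
lock
name joshua
noauth
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
"""

# Constructed sample chap-secrets: client / server / secret / IP addresses.
SAMPLE_CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client    server  secret      IP addresses
hackman     joshua  "s3cret"    *
alice       pptpd   "0ther#1"   192.168.1.201
"""


def registered_algorithms(proc_crypto_text):
    """Algorithm names listed in /proc/crypto text (modules appear once loaded)."""
    return set(re.findall(r"^name\s*:\s*(\S+)", proc_crypto_text, re.M))


def missing_mppe_algorithms(proc_crypto_text):
    """Entries of MPPE_NEEDS that the kernel has not registered."""
    have = registered_algorithms(proc_crypto_text)
    return [name for name in MPPE_NEEDS if name not in have]


def _words(line):
    # pppd treats '#' as a comment start outside quotes; shlex does the same.
    return shlex.split(line, comments=True)


def option_value(options_text, key):
    """First value of `key` in a pppd options file, or None."""
    for line in options_text.splitlines():
        parts = _words(line)
        if len(parts) >= 2 and parts[0] == key:
            return parts[1]
    return None


def option_flags(options_text):
    """Set of bare (valueless) options present, e.g. {'noauth', 'require-mppe'}."""
    return {p[0] for p in map(_words, options_text.splitlines()) if len(p) == 1}


def parse_chap_secrets(text):
    """(client, server, secret, [addresses]) tuples, comments skipped."""
    rows = []
    for line in text.splitlines():
        parts = _words(line)
        if len(parts) >= 3:
            rows.append((parts[0], parts[1], parts[2], parts[3:]))
    return rows


def usable_peers(chap_secrets_text, server_name):
    """Client names pppd can authenticate when our `name` is server_name.

    pppd matches the 'server' column against the name option; '*' matches any.
    An empty result is exactly the 'couldn't find any suitable secret' case.
    """
    return sorted(c for c, s, _, _ in parse_chap_secrets(chap_secrets_text)
                  if s in ("*", server_name))


def auth_warnings(options_text, chap_secrets_text):
    """Human-readable findings about the auth side of the options file."""
    findings = []
    flags = option_flags(options_text)
    name = option_value(options_text, "name")
    if name is None:
        findings.append("no `name` option: pppd will use the hostname as the server column")
    elif not usable_peers(chap_secrets_text, name):
        findings.append(f"no chap-secrets line with server column '{name}' or '*'")
    if "noauth" in flags and "require-mschap-v2" in flags:
        findings.append("noauth is overridden by require-mschap-v2 (it re-enables peer auth); drop it")
    return findings


if __name__ == "__main__":
    # On a real box read the live files (chap-secrets needs root); otherwise use samples.
    def read(path, sample):
        try:
            return Path(path).read_text()
        except OSError:
            return sample

    print("missing crypto for MPPE:", missing_mppe_algorithms(read("/proc/crypto", SAMPLE_PROC_CRYPTO)) or "none")
    opts = read("/etc/ppp/options.pptpd", SAMPLE_OPTIONS_PPTPD)
    secrets = read("/etc/ppp/chap-secrets", SAMPLE_CHAP_SECRETS)
    for finding in auth_warnings(opts, secrets):
        print("warning:", finding)
```

Run it as root on the server; with the sample data it reports nothing missing from the kernel and one warning about the redundant `noauth`.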
Did you want it to authenticate against a Windows server? If not, you don't need the winbind stuff. I'm monitoring on the poptop list too; hopefully someone else will jump in here. Oops, too slow, you've done that already! Looks like it might just be down to a routing problem now!
Tim, thank you immensely. I still have some hair left on my head thanks to you!
The purpose of this VPN is to allow remote users on WinXP to be able to get to a shared drive on the office LAN. It is shared with SAMBA. If I could connect -- without security, without SAMBA access, just plain connect -- I'd be 100% convinced that it's a routing problem for two reasons:
1. The LinkSys WRT54G Router is the firewall for the whole office. It is forwarding three ports to the server at 192.168.1.150 -- Port 22 (SSH2), Port 80 (Apache), and Port 1723 (PPTP).
2. Because the LinkSys is the firewall, IPTABLES and IPCHAINS are not enabled on the server. As bad an idea as this may be at the moment (*cringe*), I am not versed at either and if I cut myself off from being able to get to the server via SSH, I basically have to show my face at the office. This equals 'not good.'
Do I need to use openssl and generate a key of some kind? It doesn't appear to be using my chap-secrets file (or I have set it up wrong). Any ideas?
# Secrets for authentication using CHAP
# client server secret IP addresses
hackman joshua {password here} *
####### redhat-config-network will overwrite this part!!! (begin) ##########
####### redhat-config-network will overwrite this part!!! (end) ############
And just for prose, my updated options.pptpd --
# cat options.pptpd
## CHANGE TO SUIT YOUR SYSTEM
lock
## turn pppd syslog debugging on
debug
# The server will prove itself to us, but not the *normal* way
# so turn that off.
noauth
## change *pptpd* to whatever you specify as your server name in chap-secrets
name joshua
# Don't need this
nobsdcomp
# Bring VPN clients onto the local LAN
proxyarp
# These options are for use with the BSD-licensed patch (ppp => 2.4.2)
# This is the default implementation
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
nomppe-stateful
# These options will tell ppp to pass on these to your clients
# To use ms-dns or ms-dns in options.pptpd it must exist in /etc/resolv.conf
# ms-wins <ip-of-your-winsserver>
ms-dns 68.94.156.1
# This tells the clients to use us as their default route
defaultroute
# Tell pppd to use Winbind for authentication
# (modify to suit your installation):
# plugin winbind.so
# ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
IMO I wouldn't worry about the Linux firewall, that's what the router's for. The setup sounds correct, the only lingering doubt for me is that the remote subnet is the same i.e. your XP machine's LAN address is also 192.168.1.x - have you changed that? Oh yes, could you list your /etc/pptpd.conf as well (skip the comment lines for brevity)
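The reply above points at the right concern. As an added example, not code from this thread or from poptop, here is a check of the address plan that a pptpd server with `proxyarp` depends on: it reads the localip/remoteip lines of pptpd.conf, flags the case where the XP client's home LAN is also 192.168.1.0/24 (the client's own routing table then sends office traffic to its local Ethernet, never into the tunnel), flags pool addresses that proxyarp cannot serve because they lie outside the office LAN, and flags a localip that falls inside the pool. The pptpd.conf text and the client prefixes are constructed to match the addresses quoted in the thread. One further thing to confirm on the WRT54G while you are in there: PPTP's data channel is GRE (IP protocol 47), not a TCP or UDP port, so forwarding 1723 alone is not enough unless the router also passes GRE to the server.

```python
"""Address-plan check for a pptpd server that bridges clients onto the office LAN.

Added example for this thread, not code from poptop or from any poster. It
parses the localip/remoteip lines of pptpd.conf and reports the layout
problems discussed above. The pptpd.conf text and client prefixes are
constructed, not the poster's actual files.
"""
import ipaddress
import shlex

# Constructed sample of /etc/pptpd.conf using the thread's address plan.
SAMPLE_PPTPD_CONF = """\
option /etc/ppp/options.pptpd
localip 192.168.1.150
remoteip 192.168.1.200-254
"""


def expand_ip_list(spec):
    """Expand pptpd's 'a.b.c.x-y,a.b.c.z' (or 'a.b.c.d-e.f.g.h') syntax into addresses."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" not in item:
            addrs.append(ipaddress.IPv4Address(item))
            continue
        first, last = item.split("-", 1)
        start = ipaddress.IPv4Address(first)
        # '192.168.1.200-254' abbreviates the last octet; a dotted tail is a full address.
        end = ipaddress.IPv4Address(last if "." in last else first.rsplit(".", 1)[0] + "." + last)
        if end < start:
            raise ValueError(f"range runs backwards: {item}")
        addrs.extend(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
    return addrs


def parse_pptpd_conf(text):
    """Map of keyword -> rest of line, '#' comments skipped."""
    conf = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2:
            conf[parts[0]] = " ".join(parts[1:])
    return conf


def address_plan_problems(pptpd_conf_text, office_lan, client_lan):
    """Reasons a client on client_lan won't reach office_lan through this server.

    Returns a list of strings; an empty list means the plan is consistent.
    """
    conf = parse_pptpd_conf(pptpd_conf_text)
    office = ipaddress.IPv4Network(office_lan)
    client = ipaddress.IPv4Network(client_lan)
    problems = []

    # 1. Same prefix on both ends: the client's routing table prefers its
    #    directly connected LAN over the tunnel for every office address.
    if office.overlaps(client):
        problems.append(f"client LAN {client} overlaps office LAN {office}; renumber one side")

    pool = expand_ip_list(conf.get("remoteip", ""))
    if not pool:
        problems.append("pptpd.conf has no remoteip pool")
        return problems

    # 2. proxyarp only answers for pool addresses inside the LAN the server sits on.
    outside = [str(a) for a in pool if a not in office]
    if outside:
        problems.append(f"{len(outside)} remoteip address(es) outside {office}, e.g. {outside[0]}")

    # 3. The server's own tunnel address must not also be handed to a client.
    for local in expand_ip_list(conf.get("localip", "")):
        if local in pool:
            problems.append(f"localip {local} is inside the remoteip pool")
    return problems


if __name__ == "__main__":
    for client_lan in ("192.168.1.0/24", "192.168.10.0/24"):
        found = address_plan_problems(SAMPLE_PPTPD_CONF, "192.168.1.0/24", client_lan)
        print(client_lan, "->", found or "no problems found")
```

With the thread's plan, a client whose home network is 192.168.1.0/24 gets the overlap warning and one on 192.168.10.0/24 gets a clean report; the fix is to renumber whichever side is easier to change, which for a home router behind the XP box is usually the home side.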