LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
12-18-2005, 12:22 AM  #16  hackman777 (Original Poster)

Okay, here's a bit of a problem. This evening, here is what my network path looks like from beginning to end:

My Win XP Laptop: 192.168.1.9
My LinkSys Router: 192.168.1.1/24.107.7.63 (int/ext)
Office LkS Router: 192.168.1.1/67.64.{ }.{} (int/ext) -- Allowing ports/forwarding
Office FC2 Server: 192.168.1.150

So just out of curiosity, I pinged and trace-routed my router's external IP from the server's internal IP (192.168.1.150 --> 24.107.7.63) and got zilch. Nada.

Could this have anything to do with why I'm getting "code 623: Server not responding" from my XP VPN program, and why I'm getting LCP timeouts? If so, how do I fix this?

So in essence, my IP tunnel should look something like this:

................. IP: 192.168.1.1 ............. IP: 192.168.1.1 .................
IP: 192.168.1.? .................<...........>................ IP: 192.168.1.150
.................................................................................

But that doesn't make any sense... Shouldn't it be something like this:

................. IP: 192.168.1.1 ............. IP: 192.168.1.1 ...............
IP: 192.168.1.9 .................<----------->............... IP: 192.168.1.200
................. IP: 24.107.7.63 ............. IP: 67.64.{ }.{} ...............

I guess I'm confused. No matter what my client side looks like, I need it to authenticate at 192.168.1.150 on the internal side of the office network, make the client's IP 192.168.1.200-254 on the internal side of the office network, and then let it act like just another PC connected to the internal office network.

Does this make any sense?
 
12-18-2005, 06:23 AM  #17  timdw

That's /etc/init.d/pptpd with a d at the end, for daemon. Otherwise I think you're trying to make an outbound pptp VPN connection!

You'll also need to change one of the subnets from 192.168.1.0/24 to something else otherwise when you do get the link up the packets won't get routed. Have you read http://poptop.sourceforge.net/dox/redhat-howto.phtml?

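An added check for the point timdw makes about the two 192.168.1.0/24 networks (this Python is an editorial example, not code from the thread or from Poptop; the addresses are the ones hackman777 posted, and the rules it applies are mine): once the tunnel is up, the client's own on-link route for 192.168.1.0/24 still covers every office address, so nothing destined for 192.168.1.150 is ever sent into the tunnel. The script also checks the two things proxyarp needs, that the client pool sits inside the office LAN and does not include the server's own address.

```python
import ipaddress

# Addressing as posted in the thread: both the remote user's LAN and the
# office LAN are 192.168.1.0/24, pptpd lives on 192.168.1.150 and hands
# clients 192.168.1.200-254.
CLIENT_LAN = "192.168.1.0/24"
OFFICE_LAN = "192.168.1.0/24"
OFFICE_SERVER = "192.168.1.150"
CLIENT_POOL = ("192.168.1.200", "192.168.1.254")


def check_vpn_addressing(client_lan, office_lan, server_ip, pool):
    """Return (severity, message) findings for a pptpd + proxyarp layout.

    client_lan: the remote user's local subnet behind their own NAT router
    office_lan: the subnet pptpd puts clients onto with proxyarp
    server_ip:  the pptpd host's address on office_lan
    pool:       (first, last) addresses pptpd assigns to clients
    """
    client = ipaddress.ip_network(client_lan, strict=False)
    office = ipaddress.ip_network(office_lan, strict=False)
    server = ipaddress.ip_address(server_ip)
    first, last = (ipaddress.ip_address(a) for a in pool)
    findings = []

    # The client already has an on-link route covering the whole office
    # range, so packets for office hosts never enter the tunnel.
    if client.overlaps(office):
        findings.append(("error",
            f"client LAN {client} overlaps office LAN {office}; "
            "renumber one side, e.g. the office to 192.168.10.0/24"))

    # proxyarp only answers ARP for addresses inside the LAN it sits on.
    if first not in office or last not in office:
        findings.append(("error",
            f"client pool {first}-{last} lies outside office LAN {office}"))

    if not int(first) <= int(last):
        findings.append(("error", "client pool first address is after last"))
    elif first <= server <= last:
        findings.append(("error",
            f"client pool would hand out the server's own address {server}"))

    if server not in office:
        findings.append(("error", f"server {server} is not on office LAN {office}"))

    return findings


if __name__ == "__main__":
    for sev, msg in check_vpn_addressing(CLIENT_LAN, OFFICE_LAN,
                                         OFFICE_SERVER, CLIENT_POOL):
        print(f"{sev}: {msg}")
```

Run as-is it reports the overlap; changing either LAN (the office side is usually easier, since every remote user's home router tends to default to 192.168.1.0/24) makes it return nothing.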
 
12-19-2005, 07:19 AM  #18  hackman777 (Original Poster)

There is no pptpd in the /etc/init.d/ directory. Only a pptp.

Following the steps in poptop.sourceforge.net/dox/redhat-howto.phtml --

# modprobe ppp-compress-18 && echo ok
ok
# rpm -U ppp-2.4.3-5.fc2.i386.rpm
warning: ppp-2.4.3-5.fc2.i386.rpm: V3 DSA signature: NOKEY, key ID b56a8bac
# rpm -U pptpd-1.3.0-0.i386.rpm
warning: /etc/ppp/options.pptpd created as /etc/ppp/options.pptpd.rpmnew
warning: /etc/pptpd.conf created as /etc/pptpd.conf.rpmnew
# rpm -U pptp-linux-1.5.0-1.i386.rpm
package pptp-linux-1.5.0-1 is already installed

Everybody with me so far? Can't find an /etc/modules.conf file... All my conf files (options.pptpd, pptpd.conf) remained intact, so I should be able to go...

# /sbin/service pptpd start
Starting pptpd: [ OK ]

Okay, so now in my MS-VPN I am getting a 619 error. This is better than a 623 or an 800, so it is definitely progress! Let's check the logs...

# vim /var/log/messages
{Whole bunch of smbd stuff, n/a}
pptpd[17996]: MGR: Manager process started
pptpd[17996]: MGR: Maximum of 50 connections available
bcrelay[17997]: Running as child
pptpd: pptpd startup succeeded
pptpd[18000]: CTRL: Client 24.107.22.223 control connection started
{{{ --- HEY! THAT'S ME! --- }}}
pptpd[18000]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18001]: In file /etc/ppp/options.pptpd: unrecognized option 'ref use-MSCHAP'
pptpd[18000]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18000]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18000]: CTRL: Client 24.107.22.223 control connection finished
{{{ --- Cycled Twice, I Think --- }}}
pptpd[18002]: CTRL: Client 24.107.22.223 control connection started
pptpd[18002]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18003]: In file /etc/ppp/options.pptpd: unrecognized option 'ref use-MSCHAP'
pptpd[18002]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18002]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18002]: CTRL: Client 24.107.22.223 control connection finished

Okay, so I have a problem with my MSCHAP reference...
 
12-19-2005, 07:25 AM  #19  hackman777 (Original Poster)

Sorry for doing this step-by-step, but troubleshooting this is helping me out immensely and I hope it helps somebody else, too ---

So I had 'MSCHAP' capitalized. Picky it is. Restarted and tried again:

pptpd: pptpd startup succeeded
pptpd[18227]: CTRL: Client 64.241.37.140 control connection started
pptpd[18227]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18228]: Plugin winbind.so loaded.
pppd[18228]: WINBIND plugin initialized.
pppd[18228]: In file /etc/ppp/options.pptpd: unrecognized option '--helper-protocol=ntlm-server-1'
pptpd[18227]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18227]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18227]: CTRL: Client 64.241.37.140 control connection finished

Hmm... More fun in the config file...
 
12-19-2005, 07:32 AM  #20  hackman777 (Original Poster)

Commented out the NTLM line, just because if I have to, I'll fiddle with smbd later.

Restarted pptpd, now I get this:

pptpd[18299]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18300]: Plugin winbind.so loaded.
pppd[18300]: WINBIND plugin initialized.
pppd[18300]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[18300]: pptpd-logwtmp: $Version$
pppd[18300]: The remote system is required to authenticate itself
pppd[18300]: but I couldn't find any suitable secret (password) for it to use to do so.
pptpd[18299]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18299]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18299]: CTRL: Client 64.241.37.140 control connection finished

Did I screw something up in my chap-secrets now? Sheesh...
 
12-19-2005, 07:54 AM  #21  hackman777 (Original Poster)

Checking my chap-secrets with no authentication...

pptpd[18739]: CTRL: Starting call (launching pppd, opening GRE)
pppd[18740]: Plugin winbind.so loaded.
pppd[18740]: WINBIND plugin initialized.
pppd[18740]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[18740]: pptpd-logwtmp: $Version$
pppd[18740]: The remote system is required to authenticate itself
pppd[18740]: but I couldn't find any suitable secret (password) for it to use to do so.
pptpd[18739]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[18739]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[18739]: CTRL: Client 64.241.37.140 control connection finished

Greeeat... Now what the heck does that mean?
 
12-19-2005, 08:12 AM  #22  hackman777 (Original Poster)

# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret

What the heck does that mean!?
 
12-19-2005, 08:29 AM  #23  hackman777 (Original Poster)

I hate to sound like Yoda, but time is short and I'm out of beer... My Tourette's is turning into vast sputtering and raspberries.

Where is pptpd trying to authenticate, that I cannot find it? I want it to use chap-secrets, but since it is authenticating MS-CHAP v2, do I call it something else, or is it trying to authenticate through Samba somewhere?

This is just frustrating!!!
 
12-19-2005, 08:39 AM  #24  hackman777 (Original Poster)

Working backwards a little bit. I looked in the manual for ntlm_auth and found that my current version of ntlm_auth doesn't support "server-1" as an option. Where do I go to upgrade this?
 
12-19-2005, 09:11 AM  #25  hackman777 (Original Poster)

Found this in some documentation somewhere, after they got this "remote system is required to authenticate itself" message:

After countless hours of scratching my head trying to figure this out on a VPN server I'm setting up, I finally figured it out. Even though the MPPE patch was enabled in the kernel, it wasn't being recognized by pppd. After reading Jan's site I noticed that I had to enable SHA1 and RC4 encryption in the kernel. Recompiled and voilà, works again.

So, how do I check if SHA1 and RC4 are in the kernel via this remote SSH2 connection I currently have, and if they are disabled (or unrecognized) how do I turn this on?
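An added example answering the question above (not from the thread, the poptop howto, or the quoted documentation): MPPE in Linux is the ppp_mppe module, which the `modprobe ppp-compress-18` command run earlier loads by its CCP alias, and it needs the arc4 and sha1 algorithms from the kernel crypto API. Both facts are readable over SSH from /proc/crypto and /proc/modules without touching the kernel. The procfs samples below are constructed, not taken from the poster's machine. In-tree ppp_mppe only arrived in Linux 2.6.15; a stock FC2 kernel is older and needs the out-of-tree MPPE patch, which is why the howto has that step.

```python
import re

# Constructed sample of /proc/crypto (2.6 kernel format); only the
# 'name' lines matter for this check.
SAMPLE_PROC_CRYPTO = """\
name         : sha1
driver       : sha1-generic
module       : kernel
type         : digest

name         : arc4
driver       : arc4-generic
module       : arc4
type         : cipher
blocksize    : 1
"""

# Constructed sample of /proc/modules: name size refcount users state addr.
SAMPLE_PROC_MODULES = """\
ppp_mppe 12345 0 - Live 0xd0a8c000
arc4 2345 1 ppp_mppe, Live 0xd0a85000
ppp_generic 23456 1 ppp_mppe, Live 0xd0a70000
"""

MPPE_ALGOS = ("arc4", "sha1")   # what ppp_mppe asks the crypto API for
MPPE_MODULE = "ppp_mppe"        # alias ppp-compress-18 (CCP type 18)


def parse_proc_crypto(text):
    """Return the set of algorithm names registered with the kernel crypto API."""
    return set(re.findall(r"^name\s*:\s*(\S+)", text, re.MULTILINE))


def parse_proc_modules(text):
    """Return the set of currently loaded module names."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def mppe_readiness(crypto_text, modules_text):
    """Sorted list of what MPPE still lacks; empty when the kernel is ready."""
    algos = parse_proc_crypto(crypto_text)
    mods = parse_proc_modules(modules_text)
    missing = [f"crypto algorithm {a}" for a in MPPE_ALGOS if a not in algos]
    if MPPE_MODULE not in mods:
        missing.append(f"module {MPPE_MODULE} (try: modprobe ppp-compress-18)")
    return sorted(missing)


def read_or_sample(path, sample):
    """Read a procfs file, falling back to the constructed sample when absent."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return sample


if __name__ == "__main__":
    missing = mppe_readiness(read_or_sample("/proc/crypto", SAMPLE_PROC_CRYPTO),
                             read_or_sample("/proc/modules", SAMPLE_PROC_MODULES))
    print("MPPE ready" if not missing else "missing: " + ", ".join(missing))
```

Algorithms built into the kernel image, rather than as modules, still appear in /proc/crypto, so that file is the authoritative check for arc4 and sha1; /proc/modules only tells you whether ppp_mppe itself is loaded.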
 
12-19-2005, 09:32 AM  #26  hackman777 (Original Poster)

Tried authenticating without encryption and without winbind ---

pptpd[20069]: CTRL: Client 64.241.37.140 control connection started
pptpd[20069]: CTRL: Starting call (launching pppd, opening GRE)
pppd[20070]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[20070]: pptpd-logwtmp: $Version$
pppd[20070]: pppd 2.4.3 started by root, uid 0
pppd[20070]: Using interface ppp0
pppd[20070]: Connect: ppp0 <--> /dev/pts/121
pptpd[20069]: GRE: Bad checksum from pppd.
pppd[20070]: LCP: timeout sending Config-Requests
pppd[20070]: Connection terminated.
pppd[20070]: Using interface ppp0
pppd[20070]: Connect: ppp0 <--> /dev/pts/121
pppd[20070]: tcflush failed: Bad file descriptor
pppd[20070]: tcsetattr: Invalid argument (line 1016)
pppd[20070]: Exit.
pptpd[20069]: GRE: read(fd=6,buffer=804e560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[20069]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[20069]: CTRL: Client 64.241.37.140 control connection finished

I have never seen anything that looks like this.... ????
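An added example, not from the thread: the three failures logged so far each leave a distinct signature in the pptpd/pppd output, and which one appears tells you how far the attempt got. "control connection started" means TCP/1723 reached pptpd; "unrecognized option" means pppd never started; "couldn't find any suitable secret" means the options parsed but chap-secrets did not match; "LCP: timeout sending Config-Requests" means pppd ran but no PPP frames were exchanged. In PPTP those frames travel inside GRE (IP protocol 47), not over TCP/1723, so a NAT box that forwards only TCP/1723 is the usual cause of that last one. The sample lines are copied from the posts above; the triage rules and hints are mine.

```python
import re

# Log excerpts copied from the posts above (pptpd/pppd lines from
# /var/log/messages, syslog timestamp and host already stripped).
LOG_OPTION_TYPO = [
    "pptpd[18000]: CTRL: Client 24.107.22.223 control connection started",
    "pptpd[18000]: CTRL: Starting call (launching pppd, opening GRE)",
    "pppd[18001]: In file /etc/ppp/options.pptpd: unrecognized option 'ref use-MSCHAP'",
    "pptpd[18000]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)",
    "pptpd[18000]: CTRL: Client 24.107.22.223 control connection finished",
]
LOG_NO_SECRET = [
    "pptpd[18299]: CTRL: Starting call (launching pppd, opening GRE)",
    "pppd[18300]: The remote system is required to authenticate itself",
    "pppd[18300]: but I couldn't find any suitable secret (password) for it to use to do so.",
    "pptpd[18299]: CTRL: Client 64.241.37.140 control connection finished",
]
LOG_LCP_TIMEOUT = [
    "pptpd[20069]: CTRL: Client 64.241.37.140 control connection started",
    "pptpd[20069]: CTRL: Starting call (launching pppd, opening GRE)",
    "pppd[20070]: pppd 2.4.3 started by root, uid 0",
    "pppd[20070]: Using interface ppp0",
    "pppd[20070]: Connect: ppp0 <--> /dev/pts/121",
    "pppd[20070]: LCP: timeout sending Config-Requests",
    "pppd[20070]: Connection terminated.",
]

# (pattern, verdict, hint) in the order pppd reaches them; first match wins.
SIGNATURES = [
    (r"unrecognized option '([^']*)'", "config_syntax",
     "pppd refused to start: fix the option {0!r} in options.pptpd (names are case-sensitive)"),
    (r"couldn't find any suitable secret", "no_secret",
     "no chap-secrets line has a server field equal to the 'name' option or '*'"),
    (r"LCP: timeout sending Config-Requests", "gre_path",
     "TCP/1723 reached pptpd but no PPP frames crossed the GRE tunnel; "
     "the NAT/firewall must pass IP protocol 47 (GRE), not only TCP/1723"),
    (r"(local|remote)\s+IP address", "connected", "IPCP finished, the link is up"),
]


def triage(lines):
    """Work out how far a PPTP attempt got from pptpd/pppd syslog lines."""
    result = {
        "client": None,               # public IP that opened the control connection
        "control_connection": False,  # TCP/1723 reached pptpd
        "pppd_started": False,        # options parsed, pppd running
        "verdict": "unknown",
        "hint": "no known failure signature; keep 'debug' in options.pptpd and retry",
    }
    for line in lines:
        m = re.search(r"CTRL: Client (\S+) control connection started", line)
        if m:
            result["client"] = m.group(1)
            result["control_connection"] = True
        if re.search(r"pppd \S+ started by", line):
            result["pppd_started"] = True
        if result["verdict"] == "unknown":
            for pattern, verdict, hint in SIGNATURES:
                m = re.search(pattern, line)
                if m:
                    result["verdict"] = verdict
                    result["hint"] = hint.format(*m.groups())
                    break
    return result


if __name__ == "__main__":
    for name, log in (("option typo", LOG_OPTION_TYPO),
                      ("no secret", LOG_NO_SECRET),
                      ("LCP timeout", LOG_LCP_TIMEOUT)):
        r = triage(log)
        print(f"{name}: {r['verdict']} -> {r['hint']}")
```

Feed it `grep -E 'pptpd|pppd' /var/log/messages` and it reports the first signature it sees; the `pppd_started` flag separates "never got past the options file" from "link came up and then stalled", which is the distinction the posts above were working through by hand.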
 
12-19-2005, 09:33 AM  #27  timdw

Did you want it to authenticate against a Windows server? If not, you don't need the winbind stuff. I'm monitoring on the poptop list too; hopefully someone else will jump in here. Oops, too slow, you've done that already! Looks like it might just be down to a routing problem now!
 
12-19-2005, 09:54 AM  #28  hackman777 (Original Poster)

Tim, thank you immensely. I still have some hair left on my head thanks to you!

The purpose of this VPN is to allow remote users on WinXP to be able to get to a shared drive on the office LAN. It is shared with Samba. If I could connect -- without security, without Samba access, just plain connect -- I'd be 100% convinced that it's a routing problem, for two reasons:

1. The LinkSys WRT54G Router is the firewall for the whole office. It is forwarding three ports to the server at 192.168.1.150 -- Port 22 (SSH2), Port 80 (Apache), and Port 1723 (PPTP).

2. Because the LinkSys is the firewall, iptables and ipchains are not enabled on the server. As bad an idea as this may be at the moment (*cringe*), I am not versed in either, and if I cut myself off from being able to get to the server via SSH, I basically have to show my face at the office. This equals 'not good.'

Do I need to use openssl and generate a key of some kind? It doesn't appear to be using my chap-secrets file (or I have set it up wrong). Any ideas?
 
12-19-2005, 10:00 AM  #29  hackman777 (Original Poster)

[root@joshua hackman]# cat chap-secrets

# Secrets for authentication using CHAP
# client server secret IP addresses
hackman joshua {password here} *
####### redhat-config-network will overwrite this part!!! (begin) ##########
####### redhat-config-network will overwrite this part!!! (end) ############

And just for prose, my updated options.pptpd --

# cat options.pptpd

## CHANGE TO SUIT YOUR SYSTEM
lock
## turn pppd syslog debugging on
debug
# The server will prove itself to us, but not the *normal* way
# so turn that off.
noauth
## change *pptpd* to whatever you specify as your server name in chap-secrets
name joshua
# Dont need this
nobsdcomp
# Bring VPN clients onto the local LAN
proxyarp
# These options are for use with the BSD-licensed patch (ppp => 2.4.2)
# This is the default implementation
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
nomppe-stateful
# These options will tell ppp to pass on these to your clients
# To use ms-dns or ms-dns in options.pptpd it must exist in /etc/resolv.conf
# ms-wins <ip-of-your-winsserver>
ms-dns 68.94.156.1
# This tells the clients to use us as their default route
defaultroute
# Tell pppd to use Winbind for authentication
# (modify to suit your installation):
# plugin winbind.so
# ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1

So where do I go from here?
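An added consistency check for the two files posted above (example code, not from the thread or from Poptop; the options and secrets text is copied from the post, with the secret replaced by a quoted placeholder): pppd only uses a chap-secrets entry to authenticate the peer when its server field equals the `name` option (or is `*`), and an entry with only three words, or `-` as the address, permits the peer no IP address at all. The script parses both files and reports what pppd would object to, including the `noauth` sitting next to `require-mschap-v2`. Since chap-secrets holds cleartext passwords it should stay root-only (mode 0600).

```python
import shlex

# Copied from the post above, comments dropped; the secret is a quoted
# placeholder (pppd accepts double-quoted words in chap-secrets).
OPTIONS_PPTPD = """\
lock
debug
noauth
name joshua
nobsdcomp
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
nomppe-stateful
ms-dns 68.94.156.1
defaultroute
"""

CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client server secret IP addresses
hackman joshua "{password here}" *
"""

# Options that make pppd demand authentication from the peer (pppd(8)).
AUTH_REQUIRING = {"auth", "require-pap", "require-chap", "require-mschap",
                  "require-mschap-v2", "require-eap"}


def parse_options(text):
    """options.pptpd as an ordered list of (option, args); '#' starts a comment."""
    opts = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if words:
            opts.append((words[0], words[1:]))
    return opts


def parse_chap_secrets(text):
    """chap-secrets lines as dicts: client, server, secret, addrs (may be empty)."""
    entries = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if len(words) >= 3:
            entries.append({"client": words[0], "server": words[1],
                            "secret": words[2], "addrs": words[3:]})
    return entries


def audit(options, secrets, hostname=None):
    """Cross-check the two files the way pppd picks a secret for the peer.

    An entry authenticates the peer only if its server field equals our name
    (the 'name' option, else the hostname) or is '*'.  No address field, or
    '-', means the peer is not allowed any IP address.
    """
    findings = []
    names = [o for o, _ in options]
    our_name = next((a[0] for o, a in options if o == "name" and a), hostname)
    requiring = sorted(set(names) & AUTH_REQUIRING)

    if requiring and "noauth" in names:
        findings.append(("warn", "noauth appears together with "
                         + ", ".join(requiring)
                         + "; drop noauth if the peer must authenticate"))

    usable = [e for e in secrets if e["server"] in (our_name, "*")]
    if requiring and not usable:
        findings.append(("error",
            f"no chap-secrets entry has server field {our_name!r} or '*'; "
            "pppd exits with \"couldn't find any suitable secret\""))

    for e in usable:
        if not e["addrs"] or e["addrs"][0] == "-":
            findings.append(("warn",
                f"entry for client {e['client']!r} permits no IP address; "
                "add '*' or the address pptpd should give it"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_options(OPTIONS_PPTPD),
                          parse_chap_secrets(CHAP_SECRETS)):
        print(f"{sev}: {msg}")
```

With the files as posted the only finding is the `noauth` warning; change `name joshua` to anything else and the script produces the same "couldn't find any suitable secret" condition that was logged earlier in the thread, which is the quickest way to confirm that the `name` option and the second column of chap-secrets are what pppd is matching on.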
 
12-19-2005, 10:49 AM  #30  timdw

IMO I wouldn't worry about the Linux firewall, that's what the router's for. The setup sounds correct; the only lingering doubt for me is that the remote subnet is the same, i.e. your XP machine's LAN address is also 192.168.1.x - have you changed that? Oh yes, could you list your /etc/pptpd.conf as well (skip the comment lines for brevity)?
 