PPTP Poptop configuration problem

radiohead

Well-Known Member
Hi forum,

I'm currently trying to set up a PPTP server and followed this tutorial:

http://blogs.techrepublic.com.com/networking/?p=44&tag=rbxccnbtr1
http://blogs.techrepublic.com.com/networking/?p=48

My system is OpenBSD 4.3 stable. The only thing I didn't do is compile the kernel, because the GRE option already seems to be included in GENERIC in 4.3; it was not commented out on my system.

Now the following shows up in /var/log/daemon when a client tries to connect:

Code:
Jul 17 13:26:31 voldemort pptpd[22104]: MGR: Manager process started
Jul 17 13:27:15 voldemort pptpd[8501]: CTRL: Client 80.187.101.2 control connection started
Jul 17 13:27:15 voldemort pptpd[8501]: CTRL: Starting call (launching pppd, opening GRE)
Jul 17 13:27:15 voldemort ppp[18044]: Warning: Label ipparam rejected -direct connection: Configuration label not found 
Jul 17 13:27:15 voldemort pptpd[8501]: GRE: read(fd=7,buffer=3c0046a0,len=8196) from PTY failed: status = 0 error = No error
Jul 17 13:27:15 voldemort pptpd[8501]: CTRL: PTY read or GRE write failed (pty,gre)=(7,6)
Jul 17 13:27:15 voldemort pptpd[8501]: CTRL: Client 80.187.101.2 control connection finished

I also don't quite understand where this label ipparam comes from. It isn't mentioned anywhere, and noipparam is also commented out in pptpd.conf, since it is supposed to give the client an IP from the range. I'm attaching my configs here as well:

pptpd.conf:
Code:
###############################################################################
# $Id: pptpd.conf,v 1.8 2004/04/28 11:36:07 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
#option /etc/ppp/options.pptpd
option /etc/ppp/ppp.conf

# TAG: debug
#       Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets 
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
localip 10.0.100.254
remoteip 10.0.100.200-205
listen MY_EXTERNAL_IP
pidfile /var/run/pptpd.pid
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

ppp.conf:
Code:
loop:
      set timeout 0
      set log phase chat connect lcp ipcp command
      set device localhost:pptp
      set dial
      set login
      set mppe * stateful
      # Server (local) IP address, Range for Clients, and Netmask
      # Use the same IP addresses you specified in /etc/pppd.conf :
      set ifaddr 10.0.100.254 10.0.100.200-205 255.255.255.255
      set server /tmp/loop "" 0177
loop-in:
     set timeout 0
     set log phase lcp ipcp command
     allow mode direct
pptp:
     load loop
     # Disable unsecured auth
     disable pap
     disable chap
     enable mschapv2
     disable deflate pred1
     deny deflate pred1
     disable ipv6
     accept mppe
     enable proxy
     accept dns
    # DNS Servers to assign client 
     # Use your own DNS server IP address :
     set dns 10.0.100.231
     # NetBIOS/WINS Servers to assign client 
     # Use your own WINS server IP address :
     # set nbns 20.1.1.100
     set device !/etc/ppp/secure

/etc/ppp/secure:
Code:
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

/etc/ppp/ppp.secret:
Code:
jle   MY_PASS     *       *       *

Does anyone have an idea why this error shows up?

Thanks in advance!
 
Sorry for the noise... Once again I didn't notice that I posted in the wrong OS section. :|
 
Maybe it does have something to do with the firewall after all? The daemon is running and listening on all interfaces. netstat -a shows me a *.pptp LISTEN. pf.conf contains the following PPTP rules:

Code:
### vr2 PPTP traffic
pass in quick on $ext_if inet proto tcp from any to <firewall> port pptp
pass in quick on $ext_if inet proto gre from any to <firewall>
pass out quick on $ext_if inet proto gre from <firewall> to any

The firewall table also contains the correct external IP.

If I now run tcpdump -eni vr2 proto 47 or icmp I get the following:

Code:
19:10:06.145116 00:1d:68:77:fd:7b 00:0d:b9:13:54:aa 0800 70: call 384 seq 1 gre-ppp-payload (gre encap)
19:10:06.145264 00:0d:b9:13:54:aa 00:1d:68:77:fd:7b 0800 70: MY_EXT > CLIENT_IP: icmp: MY_EXT protocol 47 unreachable

Anyone have another idea? The PPTP server is supposed to run on the OpenBSD box and terminates here as well. The client is an iPhone.
 
I've gotten a bit further now. I set noipparam in pptpd.conf and used a different network for the PPTP clients. Now the following appears in the log:

Code:
Jul 17 20:55:25 voldemort pptpd[32283]: CTRL: Client 80.187.127.1 control connection started
Jul 17 20:55:25 voldemort pptpd[32283]: CTRL: Starting call (launching pppd, opening GRE)
Jul 17 20:55:25 voldemort ppp[27158]: Phase: Using interface: tun1 
Jul 17 20:55:25 voldemort ppp[27158]: Phase: deflink: Created in closed state 
Jul 17 20:55:25 voldemort ppp[27158]: Command: loop: set device localhost:pptp 
Jul 17 20:55:25 voldemort ppp[27158]: Command: loop: set dial 
Jul 17 20:55:25 voldemort ppp[27158]: Command: loop: set login 
Jul 17 20:55:25 voldemort ppp[27158]: Command: loop: set mppe * stateful 
Jul 17 20:55:25 voldemort ppp[27158]: Command: loop: set ifaddr 10.123.145.1 10.123.145.5-10.123.145.10 255.255.255.255 
Jul 17 20:55:25 voldemort ppp[27158]: IPCP: Selected IP address 10.123.145.10 
Jul 17 20:55:25 voldemort ppp[27158]: Command: loop: set server /tmp/loop ******** 0177 
Jul 17 20:55:25 voldemort ppp[27158]: Warning: Local: bind: Address already in use 
Jul 17 20:55:25 voldemort ppp[27158]: Warning: set server: Failed 2 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: disable pap 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: disable chap 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: enable mschapv2 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: disable deflate pred1 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: deny deflate pred1 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: disable ipv6 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: accept mppe 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: enable proxy 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: accept dns 
Jul 17 20:55:25 voldemort ppp[27158]: Command: pptp: set device !/etc/ppp/secure 
Jul 17 20:55:25 voldemort ppp[27158]: Phase: PPP Started (direct mode). 
Jul 17 20:55:25 voldemort ppp[27158]: Phase: bundle: Establish 
Jul 17 20:55:25 voldemort ppp[27158]: Phase: deflink: closed -> opening 
Jul 17 20:55:25 voldemort ppp[27158]: Phase: deflink: Connected! 
Jul 17 20:55:25 voldemort ppp[27158]: Phase: deflink: opening -> carrier 
Jul 17 20:55:25 voldemort ppp[27158]: Phase: deflink: carrier -> lcp 
Jul 17 20:55:25 voldemort ppp[27158]: LCP: FSM: Using "deflink" as a transport 
Jul 17 20:55:25 voldemort ppp[27158]: LCP: deflink: State change Initial --> Closed 
Jul 17 20:55:25 voldemort ppp[27158]: LCP: deflink: State change Closed --> Stopped 
Jul 17 20:55:26 voldemort ppp[27158]: LCP: deflink: LayerStart 
Jul 17 20:55:26 voldemort ppp[27158]: LCP: deflink: SendConfigReq(1) state = Stopped 
Jul 17 20:55:26 voldemort ppp[27158]: LCP:  ACFCOMP[2] 
Jul 17 20:55:26 voldemort ppp[27158]: LCP:  PROTOCOMP[2] 
Jul 17 20:55:26 voldemort ppp[27158]: LCP:  ACCMAP[6] 0x00000000 
Jul 17 20:55:26 voldemort ppp[27158]: LCP:  MRU[4] 1500 
Jul 17 20:55:26 voldemort ppp[27158]: LCP:  MAGICNUM[6] 0x7d6c2fd2 
Jul 17 20:55:26 voldemort ppp[27158]: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81) 
Jul 17 20:55:26 voldemort ppp[27158]: LCP: deflink: State change Stopped --> Req-Sent 
Jul 17 20:55:27 voldemort ppp[27158]: LCP: deflink: RecvConfigReq(1) state = Req-Sent 
Jul 17 20:55:27 voldemort ppp[27158]: LCP:  ACCMAP[6] 0x00000000 
Jul 17 20:55:27 voldemort ppp[27158]: LCP:  MAGICNUM[6] 0xd018ef87 
Jul 17 20:55:27 voldemort ppp[27158]: LCP:  PROTOCOMP[2] 
Jul 17 20:55:27 voldemort ppp[27158]: LCP:  ACFCOMP[2] 
Jul 17 20:55:27 voldemort ppp[27158]: LCP: deflink: SendConfigAck(1) state = Req-Sent 
Jul 17 20:55:27 voldemort ppp[27158]: LCP:  ACCMAP[6] 0x00000000 
Jul 17 20:55:27 voldemort ppp[27158]: LCP:  MAGICNUM[6] 0xd018ef87 
Jul 17 20:55:27 voldemort ppp[27158]: LCP:  PROTOCOMP[2] 
Jul 17 20:55:27 voldemort ppp[27158]: LCP:  ACFCOMP[2] 
Jul 17 20:55:27 voldemort ppp[27158]: LCP: deflink: State change Req-Sent --> Ack-Sent 
Jul 17 20:55:29 voldemort ppp[27158]: LCP: deflink: SendConfigReq(1) state = Ack-Sent 
Jul 17 20:55:29 voldemort ppp[27158]: LCP:  ACFCOMP[2] 
Jul 17 20:55:29 voldemort ppp[27158]: LCP:  PROTOCOMP[2] 
Jul 17 20:55:29 voldemort ppp[27158]: LCP:  ACCMAP[6] 0x00000000 
Jul 17 20:55:29 voldemort ppp[27158]: LCP:  MRU[4] 1500 
Jul 17 20:55:29 voldemort ppp[27158]: LCP:  MAGICNUM[6] 0x7d6c2fd2 
Jul 17 20:55:29 voldemort ppp[27158]: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81) 
Jul 17 20:55:30 voldemort ppp[27158]: LCP: deflink: RecvConfigReq(1) state = Ack-Sent 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  ACCMAP[6] 0x00000000 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  MAGICNUM[6] 0xd018ef87 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  PROTOCOMP[2] 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  ACFCOMP[2] 
Jul 17 20:55:30 voldemort ppp[27158]: LCP: deflink: SendConfigAck(1) state = Ack-Sent 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  ACCMAP[6] 0x00000000 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  MAGICNUM[6] 0xd018ef87 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  PROTOCOMP[2] 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  ACFCOMP[2] 
Jul 17 20:55:30 voldemort ppp[27158]: LCP: deflink: RecvConfigAck(1) state = Ack-Sent 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  ACFCOMP[2] 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  PROTOCOMP[2] 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  ACCMAP[6] 0x00000000 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  MRU[4] 1500 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  MAGICNUM[6] 0x7d6c2fd2 
Jul 17 20:55:30 voldemort ppp[27158]: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81) 
Jul 17 20:55:30 voldemort ppp[27158]: LCP: deflink: State change Ack-Sent --> Opened 
Jul 17 20:55:30 voldemort ppp[27158]: LCP: deflink: LayerUp 
Jul 17 20:55:30 voldemort ppp[27158]: Phase: bundle: Authenticate 
Jul 17 20:55:30 voldemort ppp[27158]: Phase: deflink: his = none, mine = CHAP 0x81 
Jul 17 20:55:30 voldemort ppp[27158]: Phase: Chap Output: CHALLENGE 
Jul 17 20:55:30 voldemort ppp[27158]: LCP: deflink: RecvEchoRequest(0) state = Opened 
Jul 17 20:55:30 voldemort ppp[27158]: LCP: deflink: SendEchoReply(0) state = Opened 
Jul 17 20:55:30 voldemort ppp[27158]: Phase: Chap Input: RESPONSE (49 bytes from jle) 
Jul 17 20:55:30 voldemort ppp[27158]: Phase: Chap Output: SUCCESS 
Jul 17 20:55:30 voldemort ppp[27158]: Phase: deflink: lcp -> open 
Jul 17 20:55:30 voldemort ppp[27158]: Phase: bundle: Network 
Jul 17 20:55:30 voldemort ppp[27158]: IPCP: FSM: Using "deflink" as a transport 
Jul 17 20:55:30 voldemort ppp[27158]: IPCP: deflink: State change Initial --> Closed 
Jul 17 20:55:30 voldemort ppp[27158]: IPCP: deflink: LayerStart. 
Jul 17 20:55:30 voldemort ppp[27158]: IPCP: deflink: SendConfigReq(1) state = Closed 
Jul 17 20:55:30 voldemort ppp[27158]: IPCP:  IPADDR[6] 10.123.145.1 
Jul 17 20:55:30 voldemort ppp[27158]: IPCP:  COMPPROTO[6] 16 VJ slots with slot compression 
Jul 17 20:55:30 voldemort ppp[27158]: IPCP: deflink: State change Closed --> Req-Sent 
Jul 17 20:55:31 voldemort ppp[27158]: LCP: deflink: RecvTerminateReq(2) state = Opened 
Jul 17 20:55:31 voldemort ppp[27158]: LCP: deflink: LayerDown 
Jul 17 20:55:31 voldemort ppp[27158]: LCP: deflink: SendTerminateAck(2) state = Opened 
Jul 17 20:55:31 voldemort ppp[27158]: LCP: deflink: State change Opened --> Stopping 
Jul 17 20:55:31 voldemort ppp[27158]: LCP: deflink: State change Stopping --> Closing 
Jul 17 20:55:31 voldemort ppp[27158]: Phase: deflink: open -> lcp 
Jul 17 20:55:31 voldemort ppp[27158]: Warning: ff01:13::/32: Change route failed: errno: Network is unreachable 
Jul 17 20:55:31 voldemort ppp[27158]: Warning: ff02:13::/32: Change route failed: errno: Network is unreachable 
Jul 17 20:55:31 voldemort ppp[27158]: IPCP: deflink: State change Req-Sent --> Starting 
Jul 17 20:55:31 voldemort ppp[27158]: IPCP: deflink: LayerFinish. 
Jul 17 20:55:31 voldemort ppp[27158]: IPCP: Connect time: 1 secs: 0 octets in, 0 octets out 
Jul 17 20:55:31 voldemort ppp[27158]: IPCP: 0 packets in, 0 packets out 
Jul 17 20:55:31 voldemort ppp[27158]: IPCP:  total 0 bytes/sec, peak 0 bytes/sec on Thu Jul 17 20:55:30 2008 
Jul 17 20:55:31 voldemort ppp[27158]: IPCP: deflink: State change Starting --> Initial 
Jul 17 20:55:31 voldemort ppp[27158]: Phase: bundle: Terminate 
Jul 17 20:55:31 voldemort pptpd[32283]: CTRL: EOF or bad error reading ctrl packet length.
Jul 17 20:55:31 voldemort pptpd[32283]: CTRL: couldn't read packet header (exit)
Jul 17 20:55:31 voldemort pptpd[32283]: CTRL: CTRL read failed
Jul 17 20:55:31 voldemort ppp[27158]: Phase: deflink: read (0): Got zero bytes 
Jul 17 20:55:31 voldemort ppp[27158]: LCP: deflink: LayerFinish 
Jul 17 20:55:31 voldemort ppp[27158]: LCP: deflink: State change Closing --> Initial 
Jul 17 20:55:31 voldemort ppp[27158]: Phase: deflink: Disconnected! 
Jul 17 20:55:31 voldemort ppp[27158]: Phase: deflink: Connect time: 6 secs: 369 octets in, 385 octets out 
Jul 17 20:55:31 voldemort ppp[27158]: Phase: deflink: 8 packets in, 11 packets out 
Jul 17 20:55:31 voldemort ppp[27158]: Phase:  total 125 bytes/sec, peak 77 bytes/sec on Thu Jul 17 20:55:30 2008 
Jul 17 20:55:31 voldemort ppp[27158]: Phase: deflink: lcp -> closed 
Jul 17 20:55:31 voldemort ppp[27158]: Phase: bundle: Dead 
Jul 17 20:55:31 voldemort ppp[27158]: Phase: PPP Terminated (normal). 
Jul 17 20:55:31 voldemort ppp[27158]: Warning: 10.123.145.10: Cannot determine ethernet address for proxy ARP 
Jul 17 20:55:31 voldemort pptpd[32283]: CTRL: Client 80.187.127.1 control connection finished

I'll keep looking ;)
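
A small triage helper for ppp(8) logs like the one in the post above, as an added example that is not part of the original thread: it groups lines by ppp PID and reports how far each session got and which side sent the LCP TerminateReq. The sample lines are constructed in the same syslog format, and the result field names are this example's own.

```python
import re

# Constructed sample lines in the same syslog format as the log above.
SAMPLE = """\
Jul 17 20:55:25 host ppp[100]: Warning: Local: bind: Address already in use
Jul 17 20:55:30 host ppp[100]: Phase: bundle: Authenticate
Jul 17 20:55:30 host ppp[100]: Phase: Chap Output: CHALLENGE
Jul 17 20:55:30 host ppp[100]: Phase: Chap Output: SUCCESS
Jul 17 20:55:30 host ppp[100]: Phase: bundle: Network
Jul 17 20:55:30 host ppp[100]: IPCP: deflink: State change Closed --> Req-Sent
Jul 17 20:55:31 host ppp[100]: LCP: deflink: RecvTerminateReq(2) state = Opened
Jul 17 20:55:31 host ppp[100]: Phase: bundle: Terminate
Jul 17 20:55:31 host pptpd[200]: CTRL: CTRL read failed
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (\w+)\[(\d+)\]: (.*)$")

def summarize(log_text):
    """Group ppp lines by PID and record how far each session got."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != "ppp":
            continue  # pptpd and unrelated daemons are ignored
        pid, msg = int(m.group(2)), m.group(3)
        s = sessions.setdefault(pid, {"phases": [], "auth": None,
            "terminated_by": None, "ipcp_opened": False, "warnings": []})
        if msg.startswith("Phase: bundle: "):
            s["phases"].append(msg[len("Phase: bundle: "):])
        elif msg.startswith("Phase: Chap Output: "):
            result = msg[len("Phase: Chap Output: "):]
            if result != "CHALLENGE":
                s["auth"] = result
        elif "TerminateReq" in msg and s["terminated_by"] is None:
            # Recv... means the peer asked to close, Send... means we did.
            s["terminated_by"] = "peer" if "RecvTerminateReq" in msg else "local"
        elif msg.startswith("IPCP:") and msg.endswith("--> Opened"):
            s["ipcp_opened"] = True
        elif msg.startswith("Warning: "):
            s["warnings"].append(msg[len("Warning: "):])
    for s in sessions.values():
        s["stage"] = stage(s)
    return sessions

def stage(s):
    """Furthest point reached, derived from the fields collected above."""
    if s["ipcp_opened"]:
        return "IP up"
    if "Network" in s["phases"]:
        return "authenticated, IPCP not completed"
    if "Authenticate" in s["phases"]:
        return "LCP up, authentication not completed"
    return "LCP not completed"

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, s["stage"], "| closed by:", s["terminated_by"], "|", s["warnings"])
```
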
 
I sat at it half the night and somehow it just won't work. Does really nobody here run a Poptop server on OpenBSD? That can hardly be ;)
 
openbsd 4.2, poptop 1.1.4

it works for me with

options:

lock
auth
usehostname
proxyarp
+MSChap-V2
mppe-128
mppe-stateless
nodefaultroute
nobsdcomp
proxyarp
+chapms-v2
mppe-40
noipparam


ppp.conf.

loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
set mppe * stateful
# Server (local) IP address, Range for Clients, and Netmask
set ifaddr 10.220.221.50 10.220.221.70-10.220.221.80 255.255.255.255
set server /tmp/loop "" 0177

loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct

pptp:
load loop
enable chap
disable pap
disable ipv6cp
enable mschapv2
accept mppe
disable deflate pred1
deny deflate pred1
# Authenticate against /etc/passwd
##enable passwdauth
enable proxy
accept dns
# DNS Servers to assign client
set dns 10.220.220.5
# NetBIOS/WINS Servers to assign client
set nbns 10.220.220.5
set device !/etc/ppp/secure

pf.conf: (tun2 in my case)

pass in quick on $ext_if proto tcp from any to $fw_ext port 1723 modulate state
pass in quick on $ext_if proto gre from any to $fw_ext keep state
pass out quick on $ext_if proto gre from $fw_ext to any keep state

pass in quick log on tun2 all
pass out quick log on tun2 all

---
on the iPhone I currently have to turn encryption off. the connection on the iPhone then works...
my problem at the moment: I'm not getting any data over this VPN connection (it works with Windows XP as the client)
in the pflog (analysed with Wireshark) it stops at
20347 2008-07-26 08:49:21.619154 10.220.221.73 10.220.220.5 TCP 51183 > http [SYN] Seq=0 Win=65535 Len=0[Packet size limited during capture]
..
 