
SuSE VPN server and Win XP clients over the cable network

BigD

Newbie
Hi,

I'm getting somewhat :( desperate setting up a VPN connection.
After hours of troubleshooting and even longer googling I'm posting here. Curious whether anyone can help me. It's a rather tricky problem.


Starting point:

I have my little local network (Win98, WinXP) behind a Linux 8.2 machine with a firewall set up for IP forwarding.
Outgoing connections through that machine work. Internet and mail flawless!
On the other side there's chello (cable network), and from another chello machine I access my Linux box via putty.
That works flawlessly too.

For a better overview (for simplicity with only one machine behind the firewall):


 ______
|______|  winXP (foreign machine)
   |      218.57.18.xx
   |
   |  via chello
   |
   |      62.88.33.xx, eth0
 __|___
|______|  SuSE 8.2, firewall, router, pptpd, ppp, etc.
   |      192.168.0.1, eth1
   |
   |  LAN
   |
   |      192.168.0.111
 __|___
|______|  winXP (my machine)


As said, firewall, router, pptpd and ppp are installed on the Linux machine to enable VPN.
I've attached the config scripts to this mail.

On 218.57.18.xx I set up the VPN connection (I've tried thousands of configuration options).
It was able to establish the connection, but it hung during login (error 718).
The Linux side you can see in the log excerpt.

In the firewall I left ports 32 to 65000 open for testing purposes.
iptables are all set to policy ACCEPT.


Attached below are the most important settings and the log.

Regards,
D


------------------------------------------------------------------------------------
/etc/pptpd.conf

SuSi:/etc # cat pptpd.conf
################################################################################
#
# Sample PoPToP configuration file
#
# for PoPToP version 1.0.0
#
################################################################################

# TAG: speed
#
# Specifies the speed for the PPP daemon to talk at.
# Some PPP daemons will ignore this value.
#
speed 115200

# TAG: option
#
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
#option /this/is/the/options/file
# see the very bottom

# TAG: debug
#
# Turns on (more) debugging to syslog.
#
debug

# TAG: localip
# TAG: remoteip
#
# Specifies the local and remote IP address ranges.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! i.e. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

localip 192.168.0.2-47
remoteip 192.168.0.100-145

# TAG: ipxnets
#
# This gives the range of IPX networks to allocate to clients. By
# default IPX network number allocation is not handled internally.
# By putting a low and high network number here a pool of IPX networks
# can be defined. If this is done then there must be one IPX network
# per client.
#
# The format is a pair of hex numbers without any 0x prefix separated
# by a hyphen.
#
#ipxnets 00001000-00001FFF

# TAG: listen
#
# Defines the IP address of the local interface on which pptpd
# should listen for connections. The default is to listen on all
# local interfaces (even ones brought up by pptp connections, thus
# permitting pptp tunnels inside the pptp tunnels).
#
#listen 192.168.0.1
listen 62.88.33.xx

# TAG: pidfile
#
# This defines the file name in which pptpd should store its process
# ID (or pid). The default is /var/run/pptpd.pid.
#
pidfile /var/run/pptpd.pid

# TAG: option
options /etc/ppp/options.ppp0
#


------------------------------------------------------------------------------------
/etc/ppp/options

SuSi:/etc/ppp #
SuSi:/etc/ppp # cat options
# /etc/ppp/options
#
# Not every option is listed here, see man pppd for more details.
# This file is read by the pppd, it is an error when it is not present.
#
# use the following command to see the active options:
# grep -v ^# /etc/ppp/options | grep -v ^$
#

# The name of this server. Often, the FQDN is used here.
#name <host>

# Enforce the use of the hostname as the name of the local system for
# authentication purposes (overrides the name option).
#usehostname

# If no local IP address is given, pppd will use the first IP address
# that belongs to the local hostname. If "noipdefault" is given, this
# is disabled and the peer will have to supply an IP address.
#noipdefault

# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
#ipcp-accept-local

# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
#ipcp-accept-remote

# Run the executable or shell command specified after pppd has terminated
# the link. This script could, for example, issue commands to the modem
# to cause it to hang up if hardware modem control signals were not
# available.
# If mgetty is running, it will reset the modem anyway. So there is no need
# to do it here.
#disconnect "chat -- \d+++\d\c OK ath0 OK"

# Increase debugging level (same as -d). The debug output is written
# to syslog LOG_LOCAL2.
#debug

# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug n

# noauth means do not require the peer to authenticate itself; this must
# be set if you want to use pppd to connect to the internet. In this case
# *you* must authenticate yourself to the peer (internet provider), so do
# not disable this setting unless you are the dial-in server which the
# peer has to authenticate to.
#noauth

# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
#crtscts

# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock

# Use the modem control lines.(is default)
#modem
# The opposite: local
#
# Description:
# Don't use the modem control lines. With this
# option, pppd will ignore the state of the CD (Carrier
# Detect) signal from the modem and will not
# change the state of the DTR (Data Terminal Ready)
# signal.
#
# You need to disable modem and enable local if you want to connect
# to another system without using a modem:
local

# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
# To allow pppd to work over a rlogin/telnet connection, you should escape
# XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".)
#asyncmap 200a0000
asyncmap 0

# needed for some ISDN terminal adapters, namely ELSA, which seem to have
# problems with asyncmap negotiation, so you can turn off this procedure
# in case your ISDN box has trouble with it, by enabling this option.
# You have to disable the asyncmap <x> option to be sure to have it
# active. If you use wvdial, set the ISDN parameter in /etc/wvdial.conf
# instead.
#default-asyncmap

# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data). The value 1492 is for DSL connections (PPP Default -
# PPPoE Header: 1500 - 8 = 1492)
# mru 1492

# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface. The value 1492 is for DSL connections
# (PPP Default - PPPoE Header: 1500 - 8 = 1492)
# mtu 1492

# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
#netmask 255.255.255.0

# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
#nodetach

# If this option is given, pppd will send an LCP echo-request frame to
# the peer every n seconds. Under Linux, the echo-request is sent when
# no packets have been received from the peer for n seconds. Normally
# the peer should respond to the echo-request by sending an echo-reply.
# This option can be used with the lcp-echo-failure option to detect
# that the peer is no longer connected.
lcp-echo-interval 130

# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection. Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
lcp-echo-failure 5

# Send up to 60 LCP configure-request during negotiation. With a value
# of 2 for lcp-restart below, this might take up to 2 minutes.
lcp-max-configure 60

# Resend unanswered LCP requests after 2 seconds.
lcp-restart 2

# Specifies that pppd should disconnect if the link is idle for n seconds.
idle 6600

# Specifies the maximal number of attempts to connect to the server. This
# is useful for dial on demand. Default value is 10.
#maxfail 3

# Disable the IPXCP and IPX protocols.
noipx

# In the file /etc/ppp/filters are some active-filter rules. See man pppd
# and man tcpdump for more information.
# file /etc/ppp/filters

#-------------------------------------------------------------------------
# The next two options are only interesting for you if you are admin of
# a system with other users that use ppp, and those users are normally
# never allowed to add default route, or you do not want users to
# replace the default route.
#-------------------------------------------------------------------------

# enable this to prevent users from attempting to add a default route.
# Use this option with caution: If the user needs to use a program like
# wvdial, he will not be able to connect because wvdial forces defaultroute,
# but this is rejected by this option and the user will not be able to
# connect to the internet.
#nodefaultroute

# enable this to prevent users from replacing an existing default route.
#noreplacedefaultroute

#-------------------------------------------------------------------------
# All options below only make sense if you configure pppd to be a dial-in
# server, so don't touch these if you want dial into your provider with
# PPP!
#-------------------------------------------------------------------------

# Set the assumed name of the remote system for authentication purposes
# to <n>.
#remotename <n>

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. {proxyarp,noproxyarp}
proxyarp

# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dial-in from users using a script under Linux to fire up ppp won't work.
#login

# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
#ms-dns 192.168.1.1
#ms-dns 192.168.1.2

# Specify which WINS Servers the incoming Win95 or WinNT connection should use
#ms-wins 192.168.1.50
#ms-wins 192.168.1.51


------------------------------------------------------------------------------------
/etc/ppp/options.ppp0

SuSi:/etc/ppp # cat options.ppp0
# noauth means do not require the peer to authenticate itself; this must
# be set if you want to use pppd to connect to the internet. In this case
# *you* must authenticate yourself to the peer (internet provider), so do
# not disable this setting unless you are the dial-in server which the
# peer has to authenticate to.
auth

# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock

# Use the modem control lines.(is default)
#modem
# The opposite: local
#
# Description:
# Don't use the modem control lines. With this
# option, pppd will ignore the state of the CD (Carrier
# Detect) signal from the modem and will not
# change the state of the DTR (Data Terminal Ready)
# signal.
#
# You need to disable modem and enable local if you want to connect
# to another system without using a modem:
local

# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
# To allow pppd to work over a rlogin/telnet connection, you should escape
# XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".)
#asyncmap 200a0000
asyncmap 0

# needed for some ISDN terminal adapters, namely ELSA, which seem to have
# problems with asyncmap negotiation, so you can turn off this procedure
# in case your ISDN box has trouble with it, by enabling this option.
# You have to disable the asyncmap <x> option to be sure to have it
# active. If you use wvdial, set the ISDN parameter in /etc/wvdial.conf
# instead.
#default-asyncmap

# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data). The value 1492 is for DSL connections (PPP Default -
# PPPoE Header: 1500 - 8 = 1492)
mru 1200

# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface. The value 1492 is for DSL connections
# (PPP Default - PPPoE Header: 1500 - 8 = 1492)
mtu 1200

# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
netmask 255.255.255.0

# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
#nodetach

# my own additions, 2.4.2004


auth
#refuse-pap
#refuse-chap

require-chapms-v2

+chapms-v2
mppe-40
mppe-128
mppe-stateless

SuSi:/etc/ppp #


------------------------------------------------------------------------------------

/etc/ppp/filters


SuSi:/etc/ppp # cat filters
#
# These filter rules should prevent unwanted internet services to
# keep your connections up by ignoring their connection requests
# and your 'go way' responses.
#
# Activate them by activating the line 'file /etc/ppp/filters' in
# /etc/ppp/options.
#
# Note: This has nothing to do with firewall rules. It only affects
# the idle time calculation of the kernel/pppd.
#

active-filter 'outbound and not icmp[0] == 3 and not tcp[13] & 4 != 0'

SuSi:/etc/ppp #



------------------------------------------------------------------------------------
Log file excerpt:


Feb 4 11:12:02 SuSi pptpd[4519]: MGR: Manager process started
Feb 4 11:12:20 SuSi pptpd[4521]: MGR: Launching /usr/sbin/pptpctrl to handle client
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: local address = 192.168.0.4
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: remote address = 192.168.1.102
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: pppd speed = 115200
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Client 218.57.18.xx control connection started
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Received PPTP Control Message (type: 1)
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Made a START CTRL CONN RPLY packet
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: I wrote 156 bytes to the client.
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Sent packet to client
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Received PPTP Control Message (type: 7)
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: 0 min_bps, 1525 max_bps, 32 window size
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Made a OUT CALL RPLY packet
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Starting call (launching pppd, opening GRE)
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: pty_fd = 4
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: tty_fd = 5
Feb 4 11:12:20 SuSi pptpd[4522]: CTRL (PPPD Launcher): Connection speed = 115200
Feb 4 11:12:20 SuSi pptpd[4522]: CTRL (PPPD Launcher): local address = 192.168.0.4
Feb 4 11:12:20 SuSi pptpd[4522]: CTRL (PPPD Launcher): remote address = 192.168.1.102
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: I wrote 32 bytes to the client.
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Sent packet to client
Feb 4 11:12:20 SuSi pppd[4522]: pppd 2.4.1 started by root, uid 0
Feb 4 11:12:20 SuSi pppd[4522]: Using interface ppp0
Feb 4 11:12:20 SuSi pppd[4522]: Connect: ppp0 <--> /dev/pts/3
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Received PPTP Control Message (type: 15)
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Received PPTP Control Message (type: 12)
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Made a CALL DISCONNECT RPLY packet
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Received CALL CLR request (closing call)
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: I wrote 148 bytes to the client.
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Sent packet to client
Feb 4 11:12:57 SuSi pppd[4522]: Modem hangup
Feb 4 11:12:57 SuSi pppd[4522]: Connection terminated.
Feb 4 11:12:57 SuSi pptpd[4521]: GRE: read error: Bad file descriptor
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Client 218.57.18.xx control connection finished
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Exiting now
Feb 4 11:12:57 SuSi pptpd[4519]: MGR: Reaped child 4521
Feb 4 11:12:57 SuSi pppd[4522]: Exit.
 

jado

Member
Hi, I also had trouble setting up VPN under SuSE.

At some point I compiled the original pppd with the MPPE patch
and installed it over the SuSE RPM (I didn't remove the SuSE RPM,
so that yast doesn't complain about dependencies).

pppd: http://samba.org/ppp/
mppe-patch: http://www.polbox.com/h/hs001/

And then you should also have a quick look here:
http://www.linux-club.de/viewtopic.php?t=3202&highlight=ppp
 

BigD

Newbie
Could you please give me another tip on how exactly you did that?? :oops:
I'm not that experienced yet. :oops:

Could it also be that I somehow need pppoe???
In principle I don't have a dial-up connection at all.
 

jado

Member
Hello BigD,

You only need PPPoE (PPP over Ethernet) if you establish your Internet connection via DSL.
PPTP, on the other hand, is a kind of "PPP over IP", in which the PPP packets are
transported across the Internet using GRE (Generic Routing Encapsulation).

About the patch:
First I downloaded the following two files:
- ppp-2.4.2.tar.gz
- ppp-2.4.2-mppe-mppc-0.82.patch
then:
Code:
> tar xzf ppp-2.4.2.tar.gz
> patch -p0 <ppp-2.4.2-mppe-mppc-0.82.patch
> cd ppp-2.4.2
> ./configure
> make
> make install

> vi /etc/modules.conf
#alias ppp-compress-18 ppp_mppe
alias ppp-compress-18 ppp_mppe_mppc
>

Which error messages exactly appeared when loading the module
I can't say anymore. But among other things it was about
version numbers and MPPE/MPPC.

So I then also applied the file "linux-2.4.21-mppe-mppc-0.98.patch"
to the kernel sources:
Code:
> cd /usr/src/linux
> patch -p1 <linux-2.4.21-mppe-mppc-0.98.patch
Then check with "make menuconfig" that MPPE is enabled as a module
and run "make modules && make modules_install".

After that it worked for me.
However, here again there is a difference between the original
sources and SuSE (chapms -> mschap):

Code:
#
# /etc/pptpd.conf
#

speed 115200
option /etc/ppp/options.pptp
debug
remote

localip 192.168.2.2-10
remoteip 192.168.2.100-199

pidfile /var/run/pptpd.pid

### EOF ###

........
#
# /etc/ppp/options.pptp
#

lock

name pptpd

proxyarp

auth
-chap
-mschap
+mschap-v2

nobsdcomp
nodeflate

require-mppe-128

mtu 1000
mru 1000

lcp-echo-failure 60
lcp-echo-interval 60
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.2

#plugin radius.so

### EOF ###

Tip:
In the shell in which you run "/etc/init.d/pptpd start",
error messages may also appear...


Have fun :)


PS: I hope I haven't forgotten anything.
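Added example, not code from this thread and not part of PoPToP or pppd: a small Python checker that reads a pptpd.conf, a pppd options file and a syslog excerpt and cross-checks them for the mismatches worth ruling out on the server side before blaming the client. It flags keywords the sample pptpd.conf does not document (the first post writes "options" where the file's own TAG comments say "option"), a remoteip pool that contains a live LAN host (the sketch puts 192.168.0.111 inside 192.168.0.100-145), MPPE requested without MS-CHAPv2 in either the SuSE "chapms" or the samba.org "mschap" spelling that jado's files use, and call addresses in the log that fall outside the configured pools. The config and log excerpts are copied from the first post; PPTPD_TAGS, LAN_HOSTS and the function names are my own.

```python
"""Consistency checks for a pptpd + pppd dial-in setup (added example, not
code from this thread, PoPToP or pppd). Config and syslog excerpts are copied
from the first post; LAN_HOSTS is constructed from the network sketch."""
import ipaddress
import re

# Tags documented in the sample pptpd.conf shown on this page.
PPTPD_TAGS = {"speed", "option", "debug", "localip", "remoteip",
              "ipxnets", "listen", "pidfile"}

PPTPD_CONF = """\
speed 115200
debug
localip 192.168.0.2-47
remoteip 192.168.0.100-145
listen 62.88.33.xx
pidfile /var/run/pptpd.pid
options /etc/ppp/options.ppp0
"""

PPP_OPTIONS = """\
auth
mru 1200
mtu 1200
proxyarp
require-chapms-v2
+chapms-v2
mppe-40
mppe-128
mppe-stateless
"""

SYSLOG = """\
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: local address = 192.168.0.4
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: remote address = 192.168.1.102
"""

LAN_HOSTS = ["192.168.0.1", "192.168.0.111"]  # router eth1 and the poster's PC


def expand_pool(spec):
    """Expand a localip/remoteip value (single addresses and a.b.c.X-Y ranges,
    comma separated, last octet written out in full) into IPv4Address objects."""
    addrs = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", item)
        if not m:
            addrs.append(ipaddress.IPv4Address(item))
            continue
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if hi < lo:
            raise ValueError("descending range: " + item)
        addrs.extend(ipaddress.IPv4Address(prefix + str(n)) for n in range(lo, hi + 1))
    return addrs


def parse_kv(text):
    """Map each 'key [value]' line to its value; comments and blank lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            out[parts[0]] = parts[1] if len(parts) == 2 else None
    return out


def check_setup(pptpd_text, ppp_text, lan_hosts, syslog_text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    conf, opts = parse_kv(pptpd_text), parse_kv(ppp_text)

    # 1. Anything that is not a documented pptpd.conf tag ('options' vs 'option').
    for key in conf:
        if key not in PPTPD_TAGS:
            findings.append(f"pptpd.conf: unrecognised keyword '{key}'")

    # 2. A remote pool containing a live LAN host collides with it (proxyarp).
    remote_pool = expand_pool(conf["remoteip"])
    for host in lan_hosts:
        if ipaddress.IPv4Address(host) in remote_pool:
            findings.append(f"LAN host {host} lies inside remoteip pool {conf['remoteip']}")

    # 3. MPPE needs MS-CHAPv2; SuSE's pppd spells it 'chapms', samba.org's 'mschap'.
    wants_mppe = any(k.startswith(("mppe", "require-mppe")) for k in opts)
    mschap2 = {"require-chapms-v2", "+chapms-v2", "require-mschap-v2", "+mschap-v2"}
    if wants_mppe and not mschap2 & set(opts):
        findings.append("options: MPPE requested without requiring MS-CHAPv2")

    # 4. Addresses pptpd logs for a call must come from the configured pools.
    pools = {"local": expand_pool(conf["localip"]), "remote": remote_pool}
    for which, pool in pools.items():
        for m in re.finditer(rf"{which} address = (\S+)", syslog_text):
            if ipaddress.IPv4Address(m.group(1)) not in pool:
                findings.append(f"log: {which} address {m.group(1)} not in {which}ip pool")
    return findings


if __name__ == "__main__":
    print("\n".join(check_setup(PPTPD_CONF, PPP_OPTIONS, LAN_HOSTS, SYSLOG)))
```

Run as-is it reports three findings for the first post's files. The log finding is the telling one: pptpd handed the client 192.168.1.102, which is not in the posted remoteip pool, so either the daemon was not restarted after the file was edited or the log predates the edit; either way the running daemon and the posted configuration do not agree, which is worth settling before touching the client side. jado's pptpd.conf and options.pptp pass the same function with no findings.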
 