Topic: NSLU2 pptpd problems

Hi all,

I just installed Kamikaze 8.09.2 onto my NSLU2, which works without any trouble. After the basic configuration I set up a pptpd server, configured it and tested it. The clients from the internet can connect but are not able to access my internal LAN. I played around with different settings but I have not been successful so far.
Here is the scenario: Internet -> WRT54GL -> LAN (NSLU2 + int. Clients)
WRT54GL -> 192.168.222.1
NSLU2 -> 192.168.222.100
TCP1723 & GRE47 are forwarded by the WRT54GL

pptpd.conf:

#debug
option /etc/ppp/options.pptpd
speed 115200
stimeout 10
localip 192.168.222.100
remoteip 192.168.222.200

options.pptpd:

#debug
#logfile /tmp/pptp-server.log
#172.16.1.1:
auth
name pptpd
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
#noproxyarp
#nomppc
mppe required,no40,no56,stateless
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
#ms-dns 172.16.1.1
#plugin radius.so
#radius-config-file /etc/radius.conf

chap-secrets:

#USERNAME  PROVIDER  PASSWORD  IPADDRESS
user    pptpd    password    *

I searched many sites on the internet and tried a lot of things but it doesn't work. Does anybody have an idea what is wrong in my configuration? I hope someone can help me with this problem.

Thanks a lot.

der_Kief

| ADSL2+ (D16128/U800) | CL-040-I | WRT54GL (Tomato) | NSLU2 (Kamikaze) |

Re: NSLU2 pptpd problems

Hi,

No one here who can help me out with this problem? In the meantime I tried different configs, played around with routes, iptables, proxyarp but nothing solved this problem.
Is it possible to get an NSLU2 to work in a LAN at all? I didn't find a helpful HOWTO and I also didn't find any success messages from people with a setup similar to mine. Nevertheless I hope someone here was successful and can help me out to get this thing working.

der_Kief


Re: NSLU2 pptpd problems

Hi,

According to http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml test #1, my problems start at the beginning! It's not possible to ping the VPN server from the connected client and vice versa.
Is this a general problem with Kamikaze 8.09.2? The firewall on the NSLU2 is disabled and port 1723 TCP & GRE47 are forwarded by the WRT54. Am I missing something here? Please help me out with this problem. Thanks.

der_Kief


Re: NSLU2 pptpd problems

Hi,

For my part it seems that pptpd on Kamikaze 8.09.2 is broken. I cannot get this thing to work properly. Connection establishment works, the tunnel is built but there is no communication between the endpoints.
Tried proxyarp, bcrelay, routes, iptables ... nothing seems to help. What a pity.

der_Kief


Re: NSLU2 pptpd problems

Hi,

I cannot believe that no one else has these troubles. I'm lost with this. In the meantime I tried Backfire 10.03 Beta but there I cannot get pptpd to work at all. On the developer site of OpenWrt I saw this article about an updated pptpd -> https://dev.openwrt.org/changeset/19301 but I don't know how to apply this patch. (Can someone instruct me?)

Here is the pptpd-server.log

pptp-server.log :

using channel 2
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <mru 1482> <auth chap MS-v2> <magic 0x1358a170>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x48024770> <pcomp> <accomp> <callback CBCP>]
sent [LCP ConfRej id=0x0 <pcomp> <accomp> <callback CBCP>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x48024770>]
sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x48024770>]
sent [LCP ConfReq id=0x1 <mru 1482> <auth chap MS-v2> <magic 0x1358a170>]
rcvd [LCP ConfAck id=0x1 <mru 1482> <auth chap MS-v2> <magic 0x1358a170>]
sent [LCP EchoReq id=0x0 magic=0x1358a170]
sent [CHAP Challenge id=0x19 <0c4a16aaca78fcb5689bc760885e6c07>, name = "pptpd"]
rcvd [LCP code=0xc id=0x2 48 02 47 70 4d 53 52 41 53 56 35 2e 32 30]
sent [LCP CodeRej id=0x2 0c 02 00 12 48 02 47 70 4d 53 52 41 53 56 35 2e 32 30]
rcvd [LCP code=0xc id=0x3 48 02 47 70 4d 53 52 41 53 2d 30 2d 4d 45 41 4e 4d 41 43 48 49 4e 45]
sent [LCP CodeRej id=0x3 0c 03 00 1b 48 02 47 70 4d 53 52 41 53 2d 30 2d 4d 45 41 4e 4d 41 43 48 49 4e 45]
rcvd [LCP code=0xc id=0x4 48 02 47 70 91 3c 18 9b 7e 6e 87 41 a6 aa aa cc c9 37 47 4a]
sent [LCP CodeRej id=0x4 0c 04 00 18 48 02 47 70 91 3c 18 9b 7e 6e 87 41 a6 aa aa cc c9 37 47 4a]
rcvd [LCP EchoRep id=0x0 magic=0x48024770]
rcvd [CHAP Response id=0x19 <97c35e52146cfb875ca79715993f3e490000000000000000b3134148727ecf32633c5db17c474167dfb3b0e4392f21b300>, name = "xxxxxx"]
Warning - secret file /etc/ppp/chap-secrets has world and/or group access
sent [CHAP Success id=0x19 "S=249A830785DF0B5A73DAB2D1A46F2569EA530DAB M=Access granted"]
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [IPV6CP ConfReq id=0x5 <addr fe80::c85c:a618:4540:e6ab>]
Unsupported protocol 0x8057 received
sent [LCP ProtRej id=0x5 80 57 01 05 00 0e 01 0a c8 5c a6 18 45 40 e6 ab]
rcvd [CCP ConfReq id=0x6 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x6 <mppe +H -M +S -L -D -C>]
rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
sent [IPCP TermAck id=0x7]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.222.100>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 192.168.222.100>]
rcvd [IPCP ConfAck id=0x2 <addr 192.168.222.100>]
rcvd [IPCP ConfReq id=0x8 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
sent [IPCP ConfRej id=0x8 <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
rcvd [IPCP ConfReq id=0x9 <addr 0.0.0.0>]
sent [IPCP ConfNak id=0x9 <addr 192.168.222.200>]
rcvd [IPCP ConfReq id=0xa <addr 192.168.222.200>]
sent [IPCP ConfAck id=0xa <addr 192.168.222.200>]
found interface eth0 for proxy arp
local  IP address 192.168.222.100
remote IP address 192.168.222.200
Script /etc/ppp/ip-up started (pid 2456)
rcvd [proto=0xce1f] a8 3d 80 bc 10 bb a3 f2 0b b1 86 42 e8 3b 48 9d 6e 84 7c 24 76 c0 6c 1e a0 86 50 56 f2 57 c2 86 ...
Unsupported protocol 0xce1f received
sent [LCP ProtRej id=0x6 ce 1f a8 3d 80 bc 10 bb a3 f2 0b b1 86 42 e8 3b 48 9d 6e 84 7c 24 76 c0 6c 1e a0 86 50 56 f2 57 ...]
rcvd [proto=0x1f] 63 00 1f a2 79 06 e0 ae 63 64 30 60 69 09 77 51 47 b9 08 6f 4a 1f 54 8d 29 73 cf c8 5c a6 f1 4e ...
Unsupported protocol 0x1f received
sent [LCP ProtRej id=0x7 00 1f 63 00 1f a2 79 06 e0 ae 63 64 30 60 69 09 77 51 47 b9 08 6f 4a 1f 54 8d 29 73 cf c8 5c a6 ...]
rcvd [proto=0x4d] aa 37 74 92 84 96 dc 6e c3 50 45 a9 9c 0e bb 0e a5 df 60 56 77 4d 34 8d cc 38 5d 43 a5 50 a5 61 ...
Modem hangup
Connect time 2.6 minutes.
Sent 4 bytes, received 10722 bytes.
Script /etc/ppp/ip-down started (pid 2533)
MPPE disabled
sent [LCP TermReq id=0x78 "MPPE disabled"]
Connection terminated.
Waiting for 1 child processes...
  script /etc/ppp/ip-down, pid 2533
Script /etc/ppp/ip-down finished (pid 2533), status = 0x1

I still hope that someone (hopefully a developer) can help me out with this.

der_Kief
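
An added triage script for a pppd debug log like the one posted above (not part of the original post and not OpenWrt or PopTop code). The function name `analyze_pppd_log` and the finding labels are made up for this example; reading "Unsupported protocol" frames that arrive after MPPE is enabled, together with almost no bytes sent, as received frames not being decoded into IP on the server is an interpretation assumed here, not a diagnosis given in the thread.

```shell
#!/bin/sh
# Added example: flag the patterns visible in the pppd debug log from this thread.
# analyze_pppd_log and the labels it prints are hypothetical names for this sketch.
analyze_pppd_log() {
    awk '
    # pppd prints this when chap-secrets is readable by group/others
    # (the usual remedy is: chmod 600 /etc/ppp/chap-secrets)
    /secret file .* has world and\/or group access/ { print "SECRETS_PERMS: " $0 }
    /^MPPE .* enabled/    { mppe = 1 }   # encryption negotiated via CCP
    /^MPPE disabled/      { mppe = 0 }
    /^local +IP address/  { ipcp_up = 1 } # IPCP finished, link should carry IP
    /^Unsupported protocol 0x[0-9a-f]+ received/ {
        proto = $3
        if (proto == "0x8057") { print "INFO: peer offered IPv6CP, rejected"; next }
        # Assumption of this example: unknown protocol fields on an encrypted,
        # IP-ready link mean frames reached pppd without being decoded.
        if (mppe && ipcp_up) { bad++; protos = protos " " proto }
    }
    /^Sent [0-9]+ bytes, received [0-9]+ bytes/ { sent = $2; rcvd = $5 }
    END {
        if (bad > 0)
            print "UNDECODED_AFTER_MPPE: " bad " frame(s), protocol fields:" protos
        if (rcvd > 0 && sent * 100 < rcvd)
            print "ONE_WAY_TRAFFIC: sent=" sent " received=" rcvd
    }' "$@"
}

# Sample input: lines abridged from the log posted above.
sample_log() {
    cat <<'EOF'
Warning - secret file /etc/ppp/chap-secrets has world and/or group access
Unsupported protocol 0x8057 received
MPPE 128-bit stateless compression enabled
local  IP address 192.168.222.100
remote IP address 192.168.222.200
Unsupported protocol 0xce1f received
Unsupported protocol 0x1f received
Modem hangup
Sent 4 bytes, received 10722 bytes.
MPPE disabled
EOF
}

sample_log | analyze_pppd_log
```

Pass a log file as an argument (for example the path set with `logfile` in options.pptpd) instead of piping the sample.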


Re: NSLU2 pptpd problems

der_Kief wrote:

Hi all,

I just installed Kamikaze 8.09.2 onto my NSLU2, which works without any trouble. After the basic configuration I set up a pptpd server, configured it and tested it. The clients from the internet can connect but are not able to access my internal LAN. I played around with different settings but I have not been successful so far.
Here is the scenario: Internet -> WRT54GL -> LAN (NSLU2 + int. Clients)
WRT54GL -> 192.168.222.1
NSLU2 -> 192.168.222.100
TCP1723 & GRE47 are forwarded by the WRT54GL

der_Kief

Clients can connect -- does this mean that the client can ping the pptp server inside pptp? If yes, then you probably have problems with iptables rules on the pptp server. If no -- problems with GRE forwarding.

You can try this:

1. You should have the nf_nat_pptp, nf_conntrack_pptp, nf_nat_proto_gre and nf_conntrack_proto_gre modules loaded on your WRT54GL. These modules are usually necessary to get pptp working through NAT. I think you don't need to forward GRE47 -- it will be done automatically by these modules. Kernel modules ---> Netfilter Extensions ---> kmod-ipt-nathelper-extra -- this package contains the modules for pptp conntrack.

2. Check the firewall rules on both routers. As far as I know, the standard OpenWrt firewall uses connection state in FORWARD, and any input connection (from WAN) can be dropped.

3. Use tcpdump to watch packets on both routers, input, output and so on.

Re: NSLU2 pptpd problems

Hi @ All,

For your information.

I just installed Debian Lenny on my SLUG and with exactly the same settings as with OpenWrt, pptpd is working now! So this is an issue with OpenWrt/Kamikaze 8.09.2.
Maybe the developers can fix this. For now I will stay with Debian because I need pptpd support.

der_Kief


8 (edited by smokie 2010-03-25 01:29:25)

Re: NSLU2 pptpd problems

I have Kamikaze v8.09 r15317 (being the trunk at the time I compiled it) as the router of our office LAN, and the PopTop pptpd v1.3.0 is working successfully in my environment, with some minor issues. They are 1) a client has to make several failed attempts before the successful connection, with the errors 619 and 651 on the client side, which I think are somehow caused by the client's router PPTP pass-through setup, and 2) inability to efficiently forward broadcasts among interfaces, which makes Network Neighborhood / Computer Browser unusable on Windows machines. The only solution I know is to use bcrelay, which is VERY CPU hungry, so one VPN client can easily bring the whole network down, so it's not really a solution.

However, this PopTop configuration was hard to make work. The main difficulty was to configure the firewall correctly, considering the fact that the WAN itself is a VPN too and each connecting client requires its own iptables rule to enable packet forwarding. All this, in the absence of good presets, makes VPN setup a nontrivial task. I'm hoping the LuCI developers will eventually add a page to configure it with the GUI, so no manual setup will be required and much time will be saved. The same wishes go for PPTP pass-through, which is troublesome also (I suspect this ESTABLISHED,RELATED stuff is missing in my client's config, so the first PPTP connection attempts fail and the user has to press Retry repeatedly). Still researching this topic.

DIR-300 [8.09 r15317] || WRT54GL [10.03 beta r20324]
