Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 09 Jan 2003 19:04:18 -0700
From:      Brett Glass <brett@lariat.org>
To:        freebsd-net@freebsd.org
Subject:   PPTP tunneling over PPPoE link
Message-ID:  <4.3.2.7.2.20030109182517.02963410@localhost>

next in thread | raw e-mail | index | archive | help
I'm having trouble doing something which I'd THOUGHT would just work... but it's not. Any help would be much appreciated.

Here's the story. A client's LAN is connected to the Internet via a FreeBSD firewall/router. The FreeBSD box is using PPPoE (userland PPP plus NetGraph PPPOE) to connect to the upstream router. The LAN inside the firewall is NATted to 192.168/16. It works perfectly; it even correctly passes SMTP connections on to an internal machine with the address 192.168.0.2 (see the configuration file below).

The client calls and says that expects to be away for awhile, and wants to tunnel back into the LAN with his Windows laptop. Since userland PPP is already running on the machine and works fine, I set up PPTP on his server, using PopTop (yes, it's GPLed, but there's no actively maintained alternative) and userland PPP. The result, in theory, will be a tunnel that uses PPTP (which is encrypted PPP over GRE) over PPP over Ethernet. A bit awkward, but necessary given the need for an encrypted tunnel.

Alas, try as I might, I can't tunnel in from the outside world. I can verify that TCP port 1723 (which is used by PPTP for a control channel) is open on the firewall and accepting connections. But attempts to establish a tunnel fail; the client reports that the server isn't responding to it. The log looks like this:

Jan  9 09:55:00 www ppp[3119]: Phase: Using interface: tun1
Jan  9 09:55:00 www ppp[3119]: Phase: deflink: Created in closed state
Jan  9 09:55:00 www ppp[3119]: tun1: Command: default: ident user-ppp VERSION (built COMPILATIONDATE)
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set timeout 0
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set dial
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set login
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set ifaddr 192.168.0.1/32
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set server /var/run/pptp_ppp_%d ******** 0700
Jan  9 09:55:00 www ppp[3119]: tun1: Phase: Listening at local socket /var/run/pptp_ppp_1.
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable chap
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: deny chap
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable pap
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable passwdauth
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable deflate pred1
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: deny deflate pred1
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable utmp
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: enable mschapv2 mppe
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set mppe * stateless
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable proxy
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: accept dns
Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set dns 192.168.0.1
Jan  9 09:55:00 www ppp[3119]: tun1: Phase: PPP Started (direct mode).
Jan  9 09:55:00 www ppp[3119]: tun1: Phase: bundle: Establish
Jan  9 09:55:00 www ppp[3119]: tun1: Phase: deflink: closed -> opening
Jan  9 09:55:00 www ppp[3119]: tun1: Phase: deflink: Connected!
Jan  9 09:55:00 www ppp[3119]: tun1: Phase: deflink: opening -> carrier
Jan  9 09:55:00 www ppp[3119]: tun1: Phase: deflink: carrier -> lcp
Jan  9 09:55:00 www ppp[3119]: tun1: LCP: FSM: Using "deflink" as a transport
Jan  9 09:55:00 www ppp[3119]: tun1: LCP: deflink: State change Initial --> Closed
Jan  9 09:55:00 www ppp[3119]: tun1: LCP: deflink: State change Closed --> Stopped
Jan  9 09:55:01 www ppp[3119]: tun1: LCP: deflink: LayerStart
Jan  9 09:55:01 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Stopped
Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  MRU[4] 1500
Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
Jan  9 09:55:01 www ppp[3119]: tun1: LCP: deflink: State change Stopped --> Req-Sent
Jan  9 09:55:04 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  MRU[4] 1500
Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
Jan  9 09:55:07 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  MRU[4] 1500
Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
Jan  9 09:55:10 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  MRU[4] 1500
Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
Jan  9 09:55:13 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  MRU[4] 1500
Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
Jan  9 09:55:16 www ppp[3119]: tun1: LCP: deflink: LayerFinish
Jan  9 09:55:16 www ppp[3119]: tun1: LCP: deflink: State change Req-Sent --> Stopped
Jan  9 09:55:16 www ppp[3119]: tun1: LCP: deflink: State change Stopped --> Closed
Jan  9 09:55:16 www ppp[3119]: tun1: LCP: deflink: State change Closed --> Initial
Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: Disconnected!
Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: Connect time: 16 secs: 0 octets in, 300 octets out
Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: : 0 packets in, 5 packets out
Jan  9 09:55:16 www ppp[3119]: tun1: Phase:  total 18 bytes/sec, peak 24 bytes/sec on Thu Jan  9 09:55:16 2003
Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: lcp -> closed
Jan  9 09:55:16 www ppp[3119]: tun1: Phase: bundle: Dead
Jan  9 09:55:16 www ppp[3119]: tun1: Phase: PPP Terminated (normal).

What's wrong? It looks (though I'm not positive) as if the GRE packets, which carry the underlying PPP session, can't get through the PPPoE link. I've checked the documentation for userland PPP, and there's nothing to indicate that they wouldn't (or how to allow them to pass if they're blocked by default).

The /etc/ppp.conf file looks like this, with passwords erased to protect the guilty. Note that the top portion is for the PPPoE connection and the bottom portion is for PPTP:

default:
      set log Phase Chat LCP IPCP CCP tun command
      ident user-ppp VERSION (built COMPILATIONDATE)

lariat:
      set device PPPoE:fxp1:provider
      set mru 1492
      set mtu 1492
      set speed sync
      set authname USERID
      set authkey PASSWORD
      set timeout 0
      set cd 5
      enable lqr
      set lqrperiod 15
      disable chap
      disable pap
      disable mppe
      deny mppe
      nat enable yes
      nat unregistered_only yes
      nat same_ports yes
      nat port tcp 192.168.0.2:smtp  smtp
      set dial
      set login
      set redial 0 0

pptp:
      set timeout 0
      set dial
      set login
      set ifaddr 192.168.0.1/32
      set server /var/run/pptp_ppp_%d "" 0700
      disable chap
      deny chap
      disable pap
      disable passwdauth
      disable deflate pred1
      deny deflate pred1
      disable utmp
      enable mschapv2 mppe
      set mppe * stateless
      disable proxy
      accept dns
      set dns 192.168.0.1

--Brett Glass


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20030109182517.02963410>