Date:      Thu, 9 Jan 2003 18:10:09 -0800 (PST)
From:      Julian Elischer <julian@elischer.org>
To:        Brett Glass <brett@lariat.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: PPTP tunneling over PPPoE link
Message-ID:  <Pine.BSF.4.21.0301091809540.34227-100000@InterJet.elischer.org>
In-Reply-To: <4.3.2.7.2.20030109182517.02963410@localhost>

mpd can do both pppoe and pptp.


On Thu, 9 Jan 2003, Brett Glass wrote:

> I'm having trouble doing something which I'd THOUGHT would just work... but it's not. Any help would be much appreciated.
> 
> Here's the story. A client's LAN is connected to the Internet via a FreeBSD firewall/router. The FreeBSD box is using PPPoE (userland PPP plus NetGraph PPPOE) to connect to the upstream router. The LAN inside the firewall is NATted to 192.168/16. It works perfectly; it even correctly passes SMTP connections on to an internal machine with the address 192.168.0.2 (see the configuration file below).
> 
> The client calls and says that he expects to be away for a while, and wants to tunnel back into the LAN with his Windows laptop. Since userland PPP is already running on the machine and works fine, I set up PPTP on his server, using PopTop (yes, it's GPLed, but there's no actively maintained alternative) and userland PPP. The result, in theory, will be a tunnel that uses PPTP (which is encrypted PPP over GRE) over PPP over Ethernet. A bit awkward, but necessary given the need for an encrypted tunnel.
> 
> Alas, try as I might, I can't tunnel in from the outside world. I can verify that TCP port 1723 (which is used by PPTP for a control channel) is open on the firewall and accepting connections. But attempts to establish a tunnel fail; the client reports that the server isn't responding to it. The log looks like this:
> 
> Jan  9 09:55:00 www ppp[3119]: Phase: Using interface: tun1
> Jan  9 09:55:00 www ppp[3119]: Phase: deflink: Created in closed state
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: default: ident user-ppp VERSION (built COMPILATIONDATE)
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set timeout 0
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set dial
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set login
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set ifaddr 192.168.0.1/32
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set server /var/run/pptp_ppp_%d ******** 0700
> Jan  9 09:55:00 www ppp[3119]: tun1: Phase: Listening at local socket /var/run/pptp_ppp_1.
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable chap
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: deny chap
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable pap
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable passwdauth
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable deflate pred1
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: deny deflate pred1
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable utmp
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: enable mschapv2 mppe
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set mppe * stateless
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: disable proxy
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: accept dns
> Jan  9 09:55:00 www ppp[3119]: tun1: Command: pptp: set dns 192.168.0.1
> Jan  9 09:55:00 www ppp[3119]: tun1: Phase: PPP Started (direct mode).
> Jan  9 09:55:00 www ppp[3119]: tun1: Phase: bundle: Establish
> Jan  9 09:55:00 www ppp[3119]: tun1: Phase: deflink: closed -> opening
> Jan  9 09:55:00 www ppp[3119]: tun1: Phase: deflink: Connected!
> Jan  9 09:55:00 www ppp[3119]: tun1: Phase: deflink: opening -> carrier
> Jan  9 09:55:00 www ppp[3119]: tun1: Phase: deflink: carrier -> lcp
> Jan  9 09:55:00 www ppp[3119]: tun1: LCP: FSM: Using "deflink" as a transport
> Jan  9 09:55:00 www ppp[3119]: tun1: LCP: deflink: State change Initial --> Closed
> Jan  9 09:55:00 www ppp[3119]: tun1: LCP: deflink: State change Closed --> Stopped
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP: deflink: LayerStart
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Stopped
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  MRU[4] 1500
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
> Jan  9 09:55:01 www ppp[3119]: tun1: LCP: deflink: State change Stopped --> Req-Sent
> Jan  9 09:55:04 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
> Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
> Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
> Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
> Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  MRU[4] 1500
> Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
> Jan  9 09:55:04 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
> Jan  9 09:55:07 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
> Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
> Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
> Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
> Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  MRU[4] 1500
> Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
> Jan  9 09:55:07 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
> Jan  9 09:55:10 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
> Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
> Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
> Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
> Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  MRU[4] 1500
> Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
> Jan  9 09:55:10 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
> Jan  9 09:55:13 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
> Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  ACFCOMP[2]
> Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  PROTOCOMP[2]
> Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  ACCMAP[6] 0x00000000
> Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  MRU[4] 1500
> Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  MAGICNUM[6] 0x02b7e69a
> Jan  9 09:55:13 www ppp[3119]: tun1: LCP:  AUTHPROTO[5] 0xc223 (CHAP 0x81)
> Jan  9 09:55:16 www ppp[3119]: tun1: LCP: deflink: LayerFinish
> Jan  9 09:55:16 www ppp[3119]: tun1: LCP: deflink: State change Req-Sent --> Stopped
> Jan  9 09:55:16 www ppp[3119]: tun1: LCP: deflink: State change Stopped --> Closed
> Jan  9 09:55:16 www ppp[3119]: tun1: LCP: deflink: State change Closed --> Initial
> Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: Disconnected!
> Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: Connect time: 16 secs: 0 octets in, 300 octets out
> Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: : 0 packets in, 5 packets out
> Jan  9 09:55:16 www ppp[3119]: tun1: Phase:  total 18 bytes/sec, peak 24 bytes/sec on Thu Jan  9 09:55:16 2003
> Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: lcp -> closed
> Jan  9 09:55:16 www ppp[3119]: tun1: Phase: bundle: Dead
> Jan  9 09:55:16 www ppp[3119]: tun1: Phase: PPP Terminated (normal).
> 
> What's wrong? It looks (though I'm not positive) as if the GRE packets, which carry the underlying PPP session, can't get through the PPPoE link. I've checked the documentation for userland PPP, and there's nothing to indicate that they wouldn't (or how to allow them to pass if they're blocked by default).
> 
> The /etc/ppp.conf file looks like this, with passwords erased to protect the guilty. Note that the top portion is for the PPPoE connection and the bottom portion is for PPTP:
> 
> default:
>       set log Phase Chat LCP IPCP CCP tun command
>       ident user-ppp VERSION (built COMPILATIONDATE)
> 
> lariat:
>       set device PPPoE:fxp1:provider
>       set mru 1492
>       set mtu 1492
>       set speed sync
>       set authname USERID
>       set authkey PASSWORD
>       set timeout 0
>       set cd 5
>       enable lqr
>       set lqrperiod 15
>       disable chap
>       disable pap
>       disable mppe
>       deny mppe
>       nat enable yes
>       nat unregistered_only yes
>       nat same_ports yes
>       nat port tcp 192.168.0.2:smtp  smtp
>       set dial
>       set login
>       set redial 0 0
> 
> pptp:
>       set timeout 0
>       set dial
>       set login
>       set ifaddr 192.168.0.1/32
>       set server /var/run/pptp_ppp_%d "" 0700
>       disable chap
>       deny chap
>       disable pap
>       disable passwdauth
>       disable deflate pred1
>       deny deflate pred1
>       disable utmp
>       enable mschapv2 mppe
>       set mppe * stateless
>       disable proxy
>       accept dns
>       set dns 192.168.0.1
> 
> --Brett Glass
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
> 
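
Added example (not part of the original thread): a Python sketch that reads userland ppp log lines like those quoted above and flags sessions where LCP Configure-Requests go out but nothing comes back, the pattern expected when the TCP 1723 control channel connects but the GRE (IP protocol 47) data channel is not delivered. The pid 4000 session is constructed for contrast, and the form of the `Recv...` log lines is an assumption.

```python
import re
from collections import defaultdict

# First six lines are abridged from the quoted log (option lines omitted);
# the pid 4000 lines are constructed to show a session that does negotiate.
SAMPLE_LOG = """\
Jan  9 09:55:01 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Stopped
Jan  9 09:55:04 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
Jan  9 09:55:07 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
Jan  9 09:55:10 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
Jan  9 09:55:13 www ppp[3119]: tun1: LCP: deflink: SendConfigReq(1) state = Req-Sent
Jan  9 09:55:16 www ppp[3119]: tun1: Phase: deflink: : 0 packets in, 5 packets out
Jan  9 10:02:01 www ppp[4000]: tun2: LCP: deflink: SendConfigReq(1) state = Stopped
Jan  9 10:02:01 www ppp[4000]: tun2: LCP: deflink: RecvConfigReq(1) state = Req-Sent
Jan  9 10:02:09 www ppp[4000]: tun2: Phase: deflink: : 42 packets in, 40 packets out
"""

LINE = re.compile(r"ppp\[(?P<pid>\d+)\]: (?P<ifname>tun\d+): (?P<msg>.*)$")
SENT = re.compile(r"LCP: \w+: SendConfigReq\(")
RECV = re.compile(r"LCP: \w+: Recv\w+\(")  # assumed form of ppp's receive lines
PKTS = re.compile(r"(\d+) packets in, (\d+) packets out")


def summarize(log_text):
    """Count LCP sends/receives and the final packet totals per ppp session."""
    sessions = defaultdict(lambda: {"sent": 0, "recv": 0, "pkts_in": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-interface ppp line
        s = sessions[(m["pid"], m["ifname"])]
        if SENT.search(m["msg"]):
            s["sent"] += 1
        elif RECV.search(m["msg"]):
            s["recv"] += 1
        elif (p := PKTS.search(m["msg"])):
            s["pkts_in"] = int(p[1])
    return dict(sessions)


def diagnose(s):
    """Classify one session summary."""
    if s["sent"] and s["recv"] == 0 and s["pkts_in"] == 0:
        # ppp sent requests and received no PPP frames at all: check that
        # GRE (IP protocol 47) is passed along the path, not only TCP 1723.
        return "no-return-traffic"
    if s["recv"]:
        return "peer-responding"
    return "inconclusive"


if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, s, diagnose(s))
```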

