mtombs Tux's lil' helper
Joined: 15 Sep 2003 Posts: 101 Location: Stockholm Sweden
|
Posted: Mon Jul 05, 2004 12:07 pm Post subject: Connecting to Microsoft VPN with Kernel 2.6.7 |
|
|
I've seen a few threads about connecting to Microsoft VPN using Kernel 2.6.x, so I thought I would shove in my 2p, as I have got it working. This is what I did.
n.b. I'm using kernel 2.6.7-gentoo-r7.
Patch the kernel.
I got the patch from here. Apply the patch and enable the modules like this:
Code: |
Device Drivers --> Networking support -->
<M> PPP (point-to-point protocol) support
<M> PPP support for async serial ports
<M> Microsoft PPP compression / encryption (MPPC/MPPE)
<M> PPP over ethernet
Cryptographic Options -->
<M> ARC4 cipher algorithm
|
Make, make modules_install, reboot. You know the drill.
Install ppp and pptpclient.
I did it by first emerging ppp and pptpclient to get all the dependencies, then downloading the latest ppp code from here. This already contains the mppe and mppc patches, but needs to be patched for a 'bpf.h not found' error. The patch for this is /usr/portage/net-dialup/ppp/files/2.4.2/pcap.patch. Apply this to the source and configure, make, make install.
Configuration.
Remove the gentoo config stuff from /etc/ppp (back it up though!). It doesn't work.
Make a new directory /etc/ppp/peers.
Make a new options.pptp. Mine looks like this:
Code: | lock
noauth
nobsdcomp
nodeflate
|
I then used pptp-command to set up the chap-secrets file, which looks something like this:
Code: | $domain\\$username PPTP $password
PPTP $domain\\$username $password |
Then I made /etc/ppp/peers/$connectionname like this:
Code: | # PPTP Tunnel configuration for tunnel $connectionname
# Server IP: $servername
#
#
# Tags for CHAP secret selection
#
#pty "pptp $servername --nolaunchpppd"
name $domain\$name
remotename PPTP
require-mppe-128
#
# Include the main PPTP configuration file
#
file /etc/ppp/options.pptp
|
I have also added ppp-mppe-mppc and arc4 to /etc/modules.autoload.d/kernel-2.6, but I am sure there is a better way of doing this, in a script for instance.
I can now connect using
Code: | pptp-command start $connectionname |
Then you need to set up your routing. I want to use the vpn server to connect to other machines in the network, so I use
Code: | route add -net 192.168.120.0 netmask 255.255.255.0 ppp0 |
Works ok for me. A bit messy I know but if it works...
(edited to add modules and routing info.) |
k2laz n00b
Joined: 06 Apr 2004 Posts: 55 Location: New York City, USA
|
Posted: Thu Jul 08, 2004 1:39 am Post subject: |
|
|
Quote: | n.b. I'm using kernel 2.6.7-gentoo-r7.
Patch the kernel.
I got the patch from here. Apply the patch and enable the modules like this:
Code:
Device Drivers --> Networking support -->
<M> PPP (point-to-point protocol) support
<M> PPP support for async serial ports
<M> Microsoft PPP compression / encryption (MPPC/MPPE)
<M> PPP over ethernet
Cryptographic Options -->
<M> ARC4 cipher algorithm
|
I have kernel 2.6.7-r8 but I could not find the entry for:
<M> Microsoft PPP compression / encryption (MPPC/MPPE)
Am I missing something? I would think r8 would have r7, but I could be wrong. Or is this patch sold separately? Batteries not included?
Seriously, I would imagine MPPE would be important to getting VPN client working. Any help would be appreciated.
--laz _________________ "No man has ever achieved immortality in his own lifetime." -- Thomas Weller
"No matter where you go, there you are!" -- Buckaroo Bonzai |
mtombs Tux's lil' helper
Joined: 15 Sep 2003 Posts: 101 Location: Stockholm Sweden
|
Posted: Thu Jul 08, 2004 9:42 am Post subject: |
|
|
That's why you have to patch the kernel! mppe support is not in the standard gentoo-dev kernels. |
k2laz n00b
Joined: 06 Apr 2004 Posts: 55 Location: New York City, USA
|
Posted: Thu Jul 08, 2004 3:16 pm Post subject: |
|
|
Thanks, I found the patch at: http://www.polbox.com/h/hs001/
I assume that is the "official" version?
Thanks,
--laz _________________ "No man has ever achieved immortality in his own lifetime." -- Thomas Weller
"No matter where you go, there you are!" -- Buckaroo Bonzai |
meulie l33t
Joined: 17 Jun 2003 Posts: 845 Location: a Dutchman living in Norway
|
Posted: Tue Jul 20, 2004 7:14 pm Post subject: |
|
|
Hi!
Does anyone know whether MPPE/MPPC support will be implemented in a package sooner or later? I'd hate to have to patch my Gentoo kernel... _________________ Greetz,
Evert Meulie |
theonlymcc Apprentice
Joined: 16 Sep 2003 Posts: 274 Location: NC
|
Posted: Wed Jul 21, 2004 2:06 am Post subject: |
|
|
Connected but a little confused. I get the message Code: | All routes added.
Tunnel $tunnel is active on ppp0. IP address: 10.1.4.7 |
My IP through my router is 192.168.1.101. What do I need to execute to fully connect to the VPN? Code: | route add -net 10.1.0.0 netmask 255.255.0.0 ppp0 | I did that and I cannot ping any machines on the VPN. Any advice? |
mtombs Tux's lil' helper
Joined: 15 Sep 2003 Posts: 101 Location: Stockholm Sweden
|
Posted: Wed Jul 21, 2004 7:04 am Post subject: |
|
|
I'm no expert on routing, but I can tell you what I have. PPP creates a new network interface, so ifconfig produces:
Code: | ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.120.11 P-t-P:192.168.120.24 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:100 (100.0 b) TX bytes:94 (94.0 b)
|
192.168.120.11 is the address given to me by the vpn server. Then the route table is:
Code: | bash-2.05b# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.120.24 * 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.120.0 * 255.255.255.0 U 0 0 0 ppp0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
|
I reckon you need to do Code: | route add -net 10.1.4.0 netmask 255.255.255.0 ppp0 | but I could easily be wrong. |
dups n00b
Joined: 09 Aug 2004 Posts: 8
|
Posted: Mon Aug 09, 2004 3:05 pm Post subject: |
|
|
Well, I don't know what exactly I did wrong... I had it working at one point and then something must have happened or I must have changed something because now I can't get this to work again. It always times out on the connection no matter what connection I try. I've played with the settings but still cannot get any results. Tried recompiling and everything.
When I checked the logs though, this is the error I'm getting:
Aug 9 05:27:13 brian pppd[25103]: Using interface ppp0
Aug 9 05:27:13 brian pppd[25103]: Connect: ppp0 <--> /dev/pts/1
Aug 9 05:27:15 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:926]: PPTP_SET_LINK_INFO received from peer_callid 0
Aug 9 05:27:15 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:929]: send_accm is 00000000, recv_accm is FFFFFFFF
Aug 9 05:27:15 brian pptp[25100]: anon warn[ctrlp_disp:pptp_ctrl.c:932]: Non-zero Async Control Character Maps are not supported!
Aug 9 05:27:19 brian pppd[25103]: MPPC compression enabled
Aug 9 05:27:19 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:926]: PPTP_SET_LINK_INFO received from peer_callid 0
Aug 9 05:27:19 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:929]: send_accm is FFFFFFFF, recv_accm is FFFFFFFF
Aug 9 05:27:19 brian pptp[25100]: anon warn[ctrlp_disp:pptp_ctrl.c:932]: Non-zero Async Control Character Maps are not supported!
Aug 9 05:27:19 brian pppd[25103]: LCP terminated by peer (b.Ux^@<M-Mt^@^@^@^@)
Aug 9 05:27:19 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:888]: Received Call Clear Request.
Aug 9 05:27:22 brian pppd[25103]: Connection terminated.
Anybody know what that means by any chance? Thanks! |
stalcair n00b
Joined: 07 Aug 2003 Posts: 57
|
Posted: Sun Aug 15, 2004 2:31 am Post subject: |
|
|
I am in a similar situation. I have used this setup successfully and recently something caused this. I
Code: |
Aug 14 14:24:25 hershey pptp[11844]: anon log[main:pptp.c:237]: The synchronous pptp option is NOT activated
Aug 14 14:24:25 hershey pptp[11847]: anon log[ctrlp_rep:pptp_ctrl.c:243]: Sent control packet type is 1 'Start-Control-Connection-Request'
Aug 14 14:24:25 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:714]: Received Start Control Connection Reply
Aug 14 14:24:25 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:748]: Client connection established.
Aug 14 14:24:26 hershey pptp[11847]: anon log[ctrlp_rep:pptp_ctrl.c:243]: Sent control packet type is 7 'Outgoing-Call-Request'
Aug 14 14:24:26 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:834]: Received Outgoing Call Reply.
Aug 14 14:24:26 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:873]: Outgoing call established (call ID 0, peer's call ID 33763).
Aug 14 14:24:26 hershey pppd[11849]: pppd 2.4.2 started by root, uid 0
Aug 14 14:24:26 hershey pppd[11849]: Using interface ppp0
Aug 14 14:24:26 hershey pppd[11849]: Connect: ppp0 <--> /dev/pts/1
Aug 14 14:24:28 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:888]: Received Call Clear Request.
Aug 14 14:24:59 hershey pppd[11849]: LCP: timeout sending Config-Requests
Aug 14 14:24:59 hershey pppd[11849]: Connection terminated.
Aug 14 14:25:00 hershey pppd[11849]: Exit.
Aug 14 14:25:00 hershey pptp[11874]: anon warn[decaps_hdlc:pptp_gre.c:196]: short read (-1): Input/output error
Aug 14 14:25:00 hershey pptp[11874]: anon warn[decaps_hdlc:pptp_gre.c:197]: pppd may have shutdown, see pppd log
Aug 14 14:25:26 hershey pptp[11847]: anon log[pptp_send_ctrl_packet:pptp_ctrl.c:599]: write error: Broken pipe
Aug 14 14:25:26 hershey pptp[11847]: anon log[call_callback:pptp_callmgr.c:77]: Closing connection
|
I am checking what I installed since my last successful use of pptp for conflicts, nothing concrete yet. It could be some strung out chain of libs where one had a change. Here are some interesting things that were installed after the last time I had pptpclient working:
dev-libs/libgpg-error-0.6
dev-libs/libgcrypt-1.1.94
dev-libs/glib-2.4.4
dunno yet, but I have re-emerged ppp and pptpclient with no change. BTW, I am using a modified ppp ebuild that uses the most recent packages from http://www.polbox.com/h/hs001/ (which ironically can't be reached at this time). Is VPN really this much of a problem in the 2.6 Kernels for everyone else? (I fought for a long time to get the few weeks of connectivity I did have)
Any known work-arounds and setups outside of what "vpn for 2.6.x kernels" posts already have? |
dups n00b
Joined: 09 Aug 2004 Posts: 8
|
Posted: Sun Aug 15, 2004 2:50 am Post subject: |
|
|
I actually have resolved my problem on my own. I was using one patch for the Kernel version and then there was a corresponding patch for pppd that I wasn't applying. The most recent version of ppp has MPPE support already in it, but I had a patch that needed to go with my kernel patch to make it all tie together correctly. Plus, I determined it is best to have MPPE/MPPC installed as a module instead of being built in. Just my experience. |
stalcair n00b
Joined: 07 Aug 2003 Posts: 57
|
Posted: Mon Aug 16, 2004 12:20 am Post subject: |
|
|
I've actually rebuilt the kernel (after performing a 'make distclean'), ppp, and pptpclient and had no changes. I also have noticed some other problems that appear to be either missing or incompatible libraries since that time as well (things that ldconfig is not solving).
I'm hoping there is one magic bullet to all this and not a complete overhaul
I am going to be modifying my router soon to be the VPN tunnel so I can get to work and avoid using XP. Yup, giving up... only so much time to spend on fixing stuff these days |
macgyver n00b
Joined: 07 Mar 2004 Posts: 6
|
Posted: Fri Sep 03, 2004 8:36 pm Post subject: |
|
|
I have it working after several tries and lots of struggle. I realize that some information has already been mentioned before, but I would like to offer a reproducible recipe to see if that helps you.
Here's how I did it:
(I am trying to get this info on pptpclient's website as well instead of the dated gentoo howto)
Update your portage tree:
In order to connect to windows servers you will probably need MPPE/MPPC. The ppp-2.4.2-r2 I used is already patched for this, the kernel isn't.
Let's start by emerging ppp and pptpclient (I used ~x86):
Code: | $ ACCEPT_KEYWORDS="~x86" emerge ppp
$ ACCEPT_KEYWORDS="~x86" emerge pptpclient |
After that you need to patch your kernel. Start by getting the patch from the site below.
http://www.polbox.com/h/hs001/
After unzipping the patch, apply it:
Code: | /usr/src/linux $ patch -p1 < /path/to/patchfile |
You'll need these options in your kernel:
Device Drivers --> Networking support -->
<M> PPP (point-to-point protocol) support
<M> PPP support for async serial ports
<M> Microsoft PPP compression / encryption (MPPC/MPPE)
<M> PPP over ethernet
Cryptographic Options -->
<M> ARC4 cipher algorithm
Then to the setup. You will need the following variables:
the IP address or host name of the server ($SERVER),
the name you wish to use to refer to the tunnel ($TUNNEL),
the authentication domain name ($DOMAIN),
the username you are to use ($USERNAME),
the password you are to use ($PASSWORD),
whether encryption is required.
In the steps below, substitute these values manually. For example, replace $PASSWORD with your password.
create the /etc/ppp/options.pptp file, which sets options common to all tunnels:
Code: | lock noauth nobsdcomp nodeflate |
create or add lines to the /etc/ppp/chap-secrets file, which holds usernames and passwords:
Code: | $DOMAIN\\$USERNAME PPTP $PASSWORD *
PPTP $DOMAIN\\$USERNAME $PASSWORD * |
Note: if you are using a PPTP Server that does not require a domain name, omit the slashes as well as the domain name.
Note: if the passwords contain any special characters, quote them. See man pppd for more details.
create a /etc/ppp/peers/$TUNNEL file:
Code: | pty "pptp $SERVER --nolaunchpppd"
name $DOMAIN\\$USERNAME
# PPTP links to PPTP in chap-secrets
remotename PPTP
# indicate whether we need mschap-v2 (v1 is the default)
require-mschap-v2
# force 128-bit mppe encryption
require-mppe-128
# force 40-bit mppe encryption
require-mppe-40
# windows seems to like stateless mppe connections
nomppe-statefull
# include options.pptp
file /etc/ppp/options.pptp
|
you *should* now be able to get your tunnel up and running using
This did the trick for me, but in case it doesn't for you, you can get a bit more output by doing
Code: | $ pon $TUNNEL debug dump logfd 2 nodetach |
you can then diagnose problems at http://pptpclient.sourceforge.net/howto-diagnosis.phtml
Good luck! |
FreeFly42 l33t
Joined: 03 Nov 2003 Posts: 848 Location: Houston, TX
|
Posted: Wed Sep 08, 2004 5:59 am Post subject: |
|
|
Just FYI since I've seen a number of entries here with separate route commands... You can imbed special routing commands within the peers file for the tunnel as follows:
Code: | # Server IP: 2.2.2.2
# Route: add -host 172.16.32.1 dev TUNNEL_DEV
# Route: add -net 172.0.0.0 netmask 255.0.0.0 172.16.32.1 gw 172.16.32.1 dev TUNNEL_DEV
# Route: add -net 192.168.1.0 netmask 255.255.255.0 dev TUNNEL_DEV |
More keyword substitutions are possible, see the pptp documentation for details. _________________ Kent
Planes are dangerous, get out of 'em quick |
mtombs Tux's lil' helper
Joined: 15 Sep 2003 Posts: 101 Location: Stockholm Sweden
|
Posted: Thu Sep 16, 2004 9:16 am Post subject: |
|
|
Just a quick one. The option
should be
(note only one l)
bye |
zaai Apprentice
Joined: 24 Jul 2004 Posts: 175
|
Posted: Wed Dec 15, 2004 1:33 am Post subject: |
|
|
Excellent guide
I tried following the step-by-step guide by macgyver because it uses the Gentoo ppp emerge. A very similar guide can be found here:
http://pptpclient.sourceforge.net/howto-gentoo.phtml
However I get an error running: pon myvpn
Quote: | /usr/sbin/pppd: In file /etc/ppp/peers/myvpn: unrecognized option 'require-mppe-128' |
I did patch the kernel, selected the right option, rebuilt, installed it with the modules and rebooted. Portage's ppp-2.4.2-r9 already has the mppe-mppc patch, correct?
lsmod includes:
Code: | arc4 1920 0
ppp_mppe_mppc 15620 0
ppp_generic 29460 1 ppp_mppe_mppc |
Any ideas?
ps: disabling this option I get the error "No auth is possible", which is as expected. |
FreeFly42 l33t
Joined: 03 Nov 2003 Posts: 848 Location: Houston, TX
|
Posted: Wed Dec 15, 2004 4:20 am Post subject: |
|
|
The options you want to use are:
Code: | mppe required
mppe stateless |
require-mppe-128 was from a previous version of ppp/mppe
I don't believe the portage ppp includes the mppe patch, I had to patch it myself. _________________ Kent
Planes are dangerous, get out of 'em quick |
zaai Apprentice
Joined: 24 Jul 2004 Posts: 175
|
Posted: Wed Dec 15, 2004 7:21 am Post subject: Got it working with minor tweaks |
|
|
Thanks FreeFly42, I gave it a try with the standard portage ppp-2.4.2.
There is no more warning about options and a connection attempt is made. The attempt fails with "No auth is possible".
I'll try a patched ppp tomorrow.
macgyver wrote: Quote: |
In order to connect to windows servers you will probably need MPPE/MPPC. The ppp-2.4.2-r2 I used is already patched for this, the kernel isn't |
macgyver, did you use the portage version of ppp?
update
It works, portage's ppp is already patched with mppe/mppc
FreeFly you're right, with the options "mppe required" and "mppe stateless" in the peers/$TUNNEL file it works. The options "require-mppe-128", "mppe-128" and "require-mppe", as mentioned in different places, are not recognized. All these different options about enabling mppe are very confusing. It seems that every version of ppp does it differently.
The guide from mtombs has one typo: the file /etc/ppp/peers/$connectionname has the option "name $domain\$name". This must be a double-backslash: "name $domain\\$name"
So to summarize:
- Both the mtombs and macgyver guides are great, however I had to make changes for it to work.
- On Gentoo using kernel 2.6.8 or 2.6.9 the kernel needs to be patched (would be nice if the standard kernel came pre-patched)
- On Gentoo using ppp-2.4.2-r2 and up, ppp does not need to be patched any more. This is great, a thank-you for the ppp (ebuild) maintainer!
- the /etc/ppp/options.pptp file is fine as described by both guides
- the option 'require-mppe-128' in /etc/ppp/peers/$TUNNEL file does NOT work for me. I had to use "mppe required" and "mppe stateless". Thanks FreeFly for the tip.
- if you don't need a domain name to log on then leave out the domain name in both /etc/ppp/chap-secrets and /etc/ppp/peers/$TUNNEL.
Thanks everyone for the guides and tips |
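The configuration problems that recur in this thread can be checked mechanically. The following is an added example, not code posted by anyone in the thread: a shell function that lints a peers file for the single-backslash `name` entry, a mix of the two MPPE option styles, a missing MPPE requirement, and 40-bit MPPE. The function names, the sample files and the host, domain and user in them are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a pppd peers file for the
# problems reported above. Prints findings; returns 0 if clean, 1 otherwise.
# Does not follow "file" includes such as /etc/ppp/options.pptp.
lint_peer() {
    status=0
    # Active option lines only (comments and blank lines dropped).
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }
    # 1. zaai's fix: DOMAIN\USER after "name" needs a doubled backslash.
    if has '^[[:space:]]*name[[:space:]]+[^\\[:space:]]+\\[^\\]'; then
        printf '%s\n' 'name: single backslash, write DOMAIN\\USER'; status=1
    fi
    # 2. Two MPPE option styles appear in the thread and zaai's pppd
    #    rejected one of them, so a file mixing both is flagged.
    old=0; new=0
    if has '^[[:space:]]*require-mppe'; then old=1; fi
    if has '^[[:space:]]*mppe[[:space:]]+required'; then new=1; fi
    if [ "$old" -eq 1 ] && [ "$new" -eq 1 ]; then
        printf '%s\n' 'mppe: mixes require-mppe-* with "mppe required"'; status=1
    fi
    # 3. Neither style present: this file does not insist on encryption.
    if [ "$old" -eq 0 ] && [ "$new" -eq 0 ]; then
        printf '%s\n' 'mppe: nothing requires MPPE in this file'; status=1
    fi
    # 4. require-mppe-40 lets the link use 40-bit keys.
    if has '^[[:space:]]*require-mppe-40'; then
        printf '%s\n' 'mppe: require-mppe-40 permits 40-bit keys'; status=1
    fi
    return "$status"
}

# Constructed samples modelled on the peers files posted in the thread;
# host name, domain and user are placeholders.
write_bad_sample() {
    cat > "$1" <<'EOF'
pty "pptp vpn.example.invalid --nolaunchpppd"
name EXAMPLE\alice
remotename PPTP
require-mppe-128
require-mppe-40
mppe required
file /etc/ppp/options.pptp
EOF
}
write_good_sample() {
    cat > "$1" <<'EOF'
pty "pptp vpn.example.invalid --nolaunchpppd"
name EXAMPLE\\alice
remotename PPTP
mppe required
mppe stateless
file /etc/ppp/options.pptp
EOF
}
tmp=$(mktemp -d)
write_bad_sample "$tmp/bad"; write_good_sample "$tmp/good"
lint_peer "$tmp/bad" || echo "bad sample: findings above"
lint_peer "$tmp/good" && echo "good sample: clean"
rm -rf "$tmp"
```

Which MPPE option style is correct depends on the installed pppd build, so check 2 only reports that the styles are mixed, not which one to keep.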