
SuSE VPN server and Win XP clients over a cable network



BigD (Newbie, 2 posts, registered 22 Mar 2004, 18:02)


Post by BigD »

Hi,

I'm already getting a bit :( desperate trying to set up a VPN connection.
After hours of troubleshooting and even longer googling I'm posting here. Curious whether anyone can help me out. It's quite a tricky problem.


Starting point:

I have my little local network (Win98, WinXP) behind a Linux 8.2 machine with a firewall set up for IP forwarding.
Outgoing connections from that machine work; Internet and mail work flawlessly!
On the other side there is chello (cable network), and from another chello machine I access my Linux box with PuTTY.
That also works flawlessly.

For a better overview (for simplicity with only one machine behind the firewall):


 ______
|______| WinXP (remote machine)
   | 218.57.18.xx
   |
   |
   | via chello
   |
   |
   | 62.88.33.xx, eth0
 __|___
|______| SuSE 8.2, firewall, router, pptpd, ppp, etc...
   | 192.168.0.1, eth1
   |
   | LAN
   |
   | 192.168.0.111
 __|___
|______| WinXP (my machine)


As said, on the Linux machine I installed firewall, router, pptpd and ppp to make VPN possible.
I've attached the config scripts to the mail.

On 218.57.18.xx I set up the VPN connection (I've tried thousands of configuration options).
It was able to establish the connection, but got stuck at the login (error 718).
You can see the Linux side in the log excerpt.

On the firewall I left ports 32 to 65000 open for testing purposes.
All iptables chains are set to policy ACCEPT.


Attached are the most important settings/log.

Regards,
D


------------------------------------------------------------------------------------
/etc/pptpd.conf

SuSi:/etc # cat pptpd.conf
################################################################################
#
# Sample PoPToP configuration file
#
# for PoPToP version 1.0.0
#
################################################################################

# TAG: speed
#
# Specifies the speed for the PPP daemon to talk at.
# Some PPP daemons will ignore this value.
#
speed 115200

# TAG: option
#
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
#option /this/is/the/options/file
# see the very bottom

# TAG: debug
#
# Turns on (more) debugging to syslog.
#
debug

# TAG: localip
# TAG: remoteip
#
# Specifies the local and remote IP address ranges.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

localip 192.168.0.2-47
remoteip 192.168.0.100-145

# TAG: ipxnets
#
# This gives the range of IPX networks to allocate to clients. By
# default IPX network number allocation is not handled internally.
# By putting a low and high network number here a pool of IPX networks
# can be defined. If this is done then there must be one IPX network
# per client.
#
# The format is a pair of hex numbers without any 0x prefix separated
# by a hyphen.
#
#ipxnets 00001000-00001FFF

# TAG: listen
#
# Defines the IP address of the local interface on which pptpd
# should listen for connections. The default is to listen on all
# local interfaces (even ones brought up by pptp connections, thus
# permitting pptp tunnels inside the pptp tunnels).
#
#listen 192.168.0.1
listen 62.88.33.xx

# TAG: pidfile
#
# This defines the file name in which pptpd should store its process
# ID (or pid). The default is /var/run/pptpd.pid.
#
pidfile /var/run/pptpd.pid

# TAG: option
options /etc/ppp/options.ppp0
#


------------------------------------------------------------------------------------
/etc/ppp/options

SuSi:/etc/ppp #
SuSi:/etc/ppp # cat options
# /etc/ppp/options
#
# Not every option is listed here, see man pppd for more details.
# This file is read by the pppd, it is an error when it is not present.
#
# use the following command to see the active options:
# grep -v ^# /etc/ppp/options | grep -v ^$
#

# The name of this server. Often, the FQDN is used here.
#name <host>

# Enforce the use of the hostname as the name of the local system for
# authentication purposes (overrides the name option).
#usehostname

# If no local IP address is given, pppd will use the first IP address
# that belongs to the local hostname. If "noipdefault" is given, this
# is disabled and the peer will have to supply an IP address.
#noipdefault

# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
#ipcp-accept-local

# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
#ipcp-accept-remote

# Run the executable or shell command specified after pppd has terminated
# the link. This script could, for example, issue commands to the modem
# to cause it to hang up if hardware modem control signals were not
# available.
# If mgetty is running, it will reset the modem anyway. So there is no need
# to do it here.
#disconnect "chat -- \d+++\d\c OK ath0 OK"

# Increase debugging level (same as -d). The debug output is written
# to syslog LOG_LOCAL2.
#debug

# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug n

# noauth means do not require the peer to authenticate itself, this must
# be set if you want to use pppd to connect to the internet. In this case
# *you* must authenticate yourself to the peer (internet provider), so do
# not disable this setting unless you are the dial-in server to which
# the peer has to authenticate.
#noauth

# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
#crtscts

# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock

# Use the modem control lines.(is default)
#modem
# The opposite: local
#
# Description:
# Don't use the modem control lines. With this
# option, pppd will ignore the state of the CD (Carrier
# Detect) signal from the modem and will not
# change the state of the DTR (Data Terminal Ready)
# signal.
#
# You need to disable modem and enable local if you want to connect
# to another system without using a modem:
local

# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
# To allow pppd to work over an rlogin/telnet connection, you should escape
# XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".)
#asyncmap 200a0000
asyncmap 0

# needed for some ISDN terminal adapters, namely ELSA, those seem to have
# problems with asyncmap negotiation, so you can turn off this procedure
# in case your ISDN box has trouble with it, by enabling this option.
# You have to disable the asyncmap <x> option to be sure to have it
# active. If you use wvdial, set the ISDN parameter in /etc/wvdial.conf
# instead.
#default-asyncmap

# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data). The value 1492 is for DSL connections (PPP Default -
# PPPoE Header: 1500 - 8 = 1492)
# mru 1492

# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface. The value 1492 is for DSL connections
# (PPP Default - PPPoE Header: 1500 - 8 = 1492)
# mtu 1492

# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
#netmask 255.255.255.0

# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
#nodetach

# If this option is given, pppd will send an LCP echo-request frame to
# the peer every n seconds. Under Linux, the echo-request is sent when
# no packets have been received from the peer for n seconds. Normally
# the peer should respond to the echo-request by sending an echo-reply.
# This option can be used with the lcp-echo-failure option to detect
# that the peer is no longer connected.
lcp-echo-interval 130

# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection. Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
lcp-echo-failure 5

# Send up to 60 LCP configure-request during negotiation. With a value
# of 2 for lcp-restart below, this might take up to 2 minutes.
lcp-max-configure 60

# Resend unanswered LCP requests after 2 seconds.
lcp-restart 2

# Specifies that pppd should disconnect if the link is idle for n seconds.
idle 6600

# Specifies the maximal number of attempts to connect to the server. This
# is useful for dial on demand. Default value is 10.
#maxfail 3

# Disable the IPXCP and IPX protocols.
noipx

# In the file /etc/ppp/filters are some active-filter rules. See man pppd
# and man tcpdump for more information.
# file /etc/ppp/filters

#-------------------------------------------------------------------------
# The next two options are only interesting for you if you are admin of
# a system with other users that use ppp, and those users are normally
# never allowed to add default route, or you do not want users to
# replace the default route.
#-------------------------------------------------------------------------

# enable this to prevent users from attempting to add a default route.
# Use this option with caution: If the user needs to use a program like
# wvdial, he will not be able to connect because wvdial forces defaultroute
# but this is rejected by this option and the user will not be able to
# connect to the internet.
#nodefaultroute

# enable this to prevent users from replacing an existing default route.
#noreplacedefaultroute

#-------------------------------------------------------------------------
# All options below only make sense if you configure pppd to be a dial-in
# server, so don't touch these if you want dial into your provider with
# PPP!
#-------------------------------------------------------------------------

# Set the assumed name of the remote system for authentication purposes
# to <n>.
#remotename <n>

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. {proxyarp,noproxyarp}
proxyarp

# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dialin from users using a script under Linux to fire up ppp won't work.
#login

# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
#ms-dns 192.168.1.1
#ms-dns 192.168.1.2

# Specify which WINS Servers the incoming connection Win95 or WinNT should use
#ms-wins 192.168.1.50
#ms-wins 192.168.1.51


------------------------------------------------------------------------------------
/etc/ppp/options.ppp0

SuSi:/etc/ppp # cat options.ppp0
# noauth means do not require the peer to authenticate itself, this must
# be set if you want to use pppd to connect to the internet. In this case
# *you* must authenticate yourself to the peer (internet provider), so do
# not disable this setting unless you are the dial-in server to which
# the peer has to authenticate.
auth

# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock

# Use the modem control lines.(is default)
#modem
# The opposite: local
#
# Description:
# Don't use the modem control lines. With this
# option, pppd will ignore the state of the CD (Carrier
# Detect) signal from the modem and will not
# change the state of the DTR (Data Terminal Ready)
# signal.
#
# You need to disable modem and enable local if you want to connect
# to another system without using a modem:
local

# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
# To allow pppd to work over an rlogin/telnet connection, you should escape
# XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".)
#asyncmap 200a0000
asyncmap 0

# needed for some ISDN terminal adapters, namely ELSA, those seem to have
# problems with asyncmap negotiation, so you can turn off this procedure
# in case your ISDN box has trouble with it, by enabling this option.
# You have to disable the asyncmap <x> option to be sure to have it
# active. If you use wvdial, set the ISDN parameter in /etc/wvdial.conf
# instead.
#default-asyncmap

# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data). The value 1492 is for DSL connections (PPP Default -
# PPPoE Header: 1500 - 8 = 1492)
mru 1200

# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface. The value 1492 is for DSL connections
# (PPP Default - PPPoE Header: 1500 - 8 = 1492)
mtu 1200

# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
netmask 255.255.255.0

# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
#nodetach

# my own additions, 2.4.2004


auth
#refuse-pap
#refuse-chap

require-chapms-v2

+chapms-v2
mppe-40
mppe-128
mppe-stateless

SuSi:/etc/ppp #


------------------------------------------------------------------------------------

/etc/ppp/filters


SuSi:/etc/ppp # cat filters
#
# These filter rules should prevent unwanted internet services to
# keep your connections up by ignoring their connection requests
# and your 'go way' responses.
#
# Activate them by activating the line 'file /etc/ppp/filters' in
# /etc/ppp/options.
#
# Note: This has nothing to do with firewall rules. It only affects
# the idle time calculation of the kernel/pppd.
#

active-filter 'outbound and not icmp[0] == 3 and not tcp[13] & 4 != 0'

SuSi:/etc/ppp #



------------------------------------------------------------------------------------
Log file excerpt:


Feb 4 11:12:02 SuSi pptpd[4519]: MGR: Manager process started
Feb 4 11:12:20 SuSi pptpd[4521]: MGR: Launching /usr/sbin/pptpctrl to handle client
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: local address = 192.168.0.4
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: remote address = 192.168.1.102
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: pppd speed = 115200
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Client 218.57.18.xx control connection started
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Received PPTP Control Message (type: 1)
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Made a START CTRL CONN RPLY packet
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: I wrote 156 bytes to the client.
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Sent packet to client
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Received PPTP Control Message (type: 7)
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: 0 min_bps, 1525 max_bps, 32 window size
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Made a OUT CALL RPLY packet
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Starting call (launching pppd, opening GRE)
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: pty_fd = 4
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: tty_fd = 5
Feb 4 11:12:20 SuSi pptpd[4522]: CTRL (PPPD Launcher): Connection speed = 115200
Feb 4 11:12:20 SuSi pptpd[4522]: CTRL (PPPD Launcher): local address = 192.168.0.4
Feb 4 11:12:20 SuSi pptpd[4522]: CTRL (PPPD Launcher): remote address = 192.168.1.102
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: I wrote 32 bytes to the client.
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Sent packet to client
Feb 4 11:12:20 SuSi pppd[4522]: pppd 2.4.1 started by root, uid 0
Feb 4 11:12:20 SuSi pppd[4522]: Using interface ppp0
Feb 4 11:12:20 SuSi pppd[4522]: Connect: ppp0 <--> /dev/pts/3
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Received PPTP Control Message (type: 15)
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Received PPTP Control Message (type: 12)
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Made a CALL DISCONNECT RPLY packet
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Received CALL CLR request (closing call)
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: I wrote 148 bytes to the client.
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Sent packet to client
Feb 4 11:12:57 SuSi pppd[4522]: Modem hangup
Feb 4 11:12:57 SuSi pppd[4522]: Connection terminated.
Feb 4 11:12:57 SuSi pptpd[4521]: GRE: read error: Bad file descriptor
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Client 218.57.18.xx control connection finished
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Exiting now
Feb 4 11:12:57 SuSi pptpd[4519]: MGR: Reaped child 4521
Feb 4 11:12:57 SuSi pppd[4522]: Exit.
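Added example, not part of BigD's post: a small Python triage script for the pptpd/pppd syslog excerpt above. It takes a subset of the quoted lines as constructed input, measures the gap between pptpd launching pppd and the client's CALL CLR, and checks whether pppd ever logged an IPCP address assignment (pppd prints "local  IP address" at notice level even without `debug`) or a CHAP verdict. The message patterns and the assumed year 2004 are my assumptions. On this log it reports that the client cleared the call 37 seconds in, with no sign that LCP, CHAP or IPCP ever completed, which is the server-side view of a client stuck at the login step.

```python
import re
from datetime import datetime

# Constructed input: a subset of the syslog lines quoted in the post
# (hostname SuSi, pptpd 1.0.0, pppd 2.4.1). syslog carries no year,
# so 2004 is assumed when building timestamps.
SAMPLE_LOG = """\
Feb 4 11:12:02 SuSi pptpd[4519]: MGR: Manager process started
Feb 4 11:12:20 SuSi pptpd[4521]: MGR: Launching /usr/sbin/pptpctrl to handle client
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Client 218.57.18.xx control connection started
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Starting call (launching pppd, opening GRE)
Feb 4 11:12:20 SuSi pppd[4522]: pppd 2.4.1 started by root, uid 0
Feb 4 11:12:20 SuSi pppd[4522]: Using interface ppp0
Feb 4 11:12:20 SuSi pppd[4522]: Connect: ppp0 <--> /dev/pts/3
Feb 4 11:12:20 SuSi pptpd[4521]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Received CALL CLR request (closing call)
Feb 4 11:12:57 SuSi pppd[4522]: Modem hangup
Feb 4 11:12:57 SuSi pppd[4522]: Connection terminated.
Feb 4 11:12:57 SuSi pptpd[4521]: CTRL: Client 218.57.18.xx control connection finished
Feb 4 11:12:57 SuSi pppd[4522]: Exit.
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>pptpd|pppd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Heuristic (my assumption): pppd messages that show the session got past
# LCP. The IPCP address lines are logged at notice level even without
# 'debug'; a CHAP verdict line shows authentication was at least attempted.
PROGRESS_RE = re.compile(
    r"authentication (succeeded|failed)|local  IP address|remote IP address")


def parse(log_text, year=2004):
    """Turn syslog lines into (timestamp, program, pid, message) tuples."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a pptpd/pppd line
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                               "%b %d %H:%M:%S %Y")
        records.append((ts, m["prog"], int(m["pid"]), m["msg"]))
    return records


def analyse_call(log_text):
    """Summarise one PPTP call attempt: who called, how long it lasted,
    and whether pppd ever got beyond link setup."""
    recs = parse(log_text)

    def first(prog, pattern):
        for ts, p, _pid, msg in recs:
            if p == prog and re.search(pattern, msg):
                return ts, msg
        return None

    started = first("pptpd", r"Starting call")
    pppd_up = first("pppd", r"pppd \S+ started by")
    cleared = first("pptpd", r"CALL CLR")
    client = first("pptpd", r"Client \S+ control connection started")
    origin = started or pppd_up

    result = {
        "client": re.search(r"Client (\S+) control", client[1]).group(1) if client else None,
        "pppd_version": re.search(r"pppd (\S+) started", pppd_up[1]).group(1) if pppd_up else None,
        "seconds_until_clear": None,
        "ppp_progressed": any(p == "pppd" and PROGRESS_RE.search(m) for _, p, _, m in recs),
        "verdict": "no call attempt found",
    }
    if origin and cleared:
        result["seconds_until_clear"] = int((cleared[0] - origin[0]).total_seconds())
    if origin and cleared and not result["ppp_progressed"]:
        result["verdict"] = (
            f"client cleared the call {result['seconds_until_clear']}s after pppd "
            "was launched and pppd never logged a CHAP result or an IPCP address: "
            "PPP negotiation never completed; add 'debug' to the pppd options to "
            "log the LCP/CHAP exchange on the next attempt")
    elif cleared:
        result["verdict"] = "call cleared after PPP was up"
    elif origin:
        result["verdict"] = "call still open or ended without CALL CLR"
    return result


if __name__ == "__main__":
    for key, value in analyse_call(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point the script at a real /var/log/messages instead of `SAMPLE_LOG` and it will report on the first call attempt it finds; with several clients, split the log per pptpd control-connection pid first.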
jado (Member, 170 posts, registered 4 Mar 2004, 11:00, location: Hamburg)

Post by jado »

Hi, I also had trouble setting up VPN under SuSE.

At some point I compiled the original pppd with the MPPE patch
and installed it over the SuSE rpm (I didn't remove the SuSE rpm,
so that YaST doesn't complain about dependencies).

pppd: http://samba.org/ppp/
mppe-patch: http://www.polbox.com/h/hs001/

And then you should also take a quick look here:
http://www.linux-club.de/viewtopic.php? ... hlight=ppp
BigD (Newbie, 2 posts, registered 22 Mar 2004, 18:02)

Post by BigD »

Could you please give me another tip on how exactly you did that?? :oops:
I'm not that experienced yet. :oops:

Could it also be that I somehow need pppoe???
In principle I don't have a dial-up connection anyway.
jado (Member, 170 posts, registered 4 Mar 2004, 11:00, location: Hamburg)

Post by jado »

Hello BigD,

You only need PPPoE (PPP over Ethernet) if you establish your Internet connection via DSL.
PPTP, on the other hand, is a kind of "PPP over IP", where the PPP packets are
transported across the Internet by means of GRE (Generic Routing Encapsulation).

About the patch:
First I downloaded the following two files:
- ppp-2.4.2.tar.gz
- ppp-2.4.2-mppe-mppc-0.82.patch
then:

Code:

> tar xzf ppp-2.4.2.tar.gz
> patch -p0 <ppp-2.4.2-mppe-mppc-0.82.patch 
> cd ppp-2.4.2
> ./configure
> make
> make install

> vi /etc/modules.conf
#alias ppp-compress-18 ppp_mppe
alias ppp-compress-18 ppp_mppe_mppc
>
Which error messages exactly appeared when loading the module
I can't say any more. But among other things it was
about version numbers and about MPPE/MPPC.

So I then also applied the file "linux-2.4.21-mppe-mppc-0.98.patch"
to the kernel sources:

Code:

> cd /usr/src/linux
> patch -p1 <linux-2.4.21-mppe-mppc-0.98.patch
Then check with "make menuconfig" whether MPPE is enabled as a module
and run "make modules && make modules_install".

After that it worked for me.
However, there is once again a difference here between the original
sources and SuSE (chapms -> mschap):

Code:

#
# /etc/pptpd.conf
#

speed 115200
option /etc/ppp/options.pptp
debug
remote

localip 192.168.2.2-10
remoteip 192.168.2.100-199

pidfile /var/run/pptpd.pid

### EOF ###

........
#
# /etc/ppp/options.pptp
#

lock

name pptpd

proxyarp

auth
-chap
-mschap
+mschap-v2

nobsdcomp
nodeflate

require-mppe-128

mtu 1000
mru 1000

lcp-echo-failure 60
lcp-echo-interval 60
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.2

#plugin radius.so

### EOF ###

Tip:
In the shell in which you run "/etc/init.d/pptpd start",
error messages may also appear...


Have fun :)


PS: I hope I haven't forgotten anything.
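Added example (my own code, not from either poster): a Python checker that reads the pppd options files and the pptpd.conf quoted in this thread (embedded below as constructed copies of their active lines), maps SuSE 8.2's `chapms` option names to the upstream `mschap` names that jado mentions, and flags settings a PPTP dial-in server should not run with: 40-bit MPPE keys allowed, 128-bit MPPE not required, MS-CHAPv2 not required. It also checks pptpd.conf keywords against the TAG names listed in the sample file's own comments, which catches the `options` line in BigD's pptpd.conf (the tag the file documents is `option`). The alias table and the wording of the findings are my assumptions; `require-mppe-128` and `+mschap-v2` are the upstream pppd 2.4.2 names used in jado's file.

```python
import re

# pptpd.conf tags, as listed in the "# TAG:" comments of the sample file
# that ships with pptpd (quoted earlier in the thread).
PPTPD_TAGS = {"speed", "option", "debug", "localip", "remoteip",
              "ipxnets", "listen", "pidfile"}

# SuSE 8.2's patched pppd 2.4.1 spells the MS-CHAP options "chapms";
# upstream pppd 2.4.2 spells them "mschap". Assumed alias table that
# covers only the renaming shown in the thread.
OPTION_ALIASES = {
    "require-chapms-v2": "require-mschap-v2",
    "+chapms-v2": "+mschap-v2",
    "-chapms-v2": "-mschap-v2",
    "require-chapms": "require-mschap",
    "+chapms": "+mschap",
    "-chapms": "-mschap",
}

# Constructed copies of the active lines of the files quoted in the thread.
BIGD_OPTIONS = """\
auth
lock
local
asyncmap 0
mru 1200
mtu 1200
netmask 255.255.255.0
# my own additions, 2.4.2004
auth
#refuse-pap
#refuse-chap
require-chapms-v2
+chapms-v2
mppe-40
mppe-128
mppe-stateless
"""

JADO_OPTIONS = """\
lock
name pptpd
proxyarp
auth
-chap
-mschap
+mschap-v2
nobsdcomp
nodeflate
require-mppe-128
mtu 1000
mru 1000
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.2
#plugin radius.so
"""

BIGD_PPTPD_CONF = """\
speed 115200
#option /this/is/the/options/file
debug
localip 192.168.0.2-47
remoteip 192.168.0.100-145
listen 62.88.33.xx
pidfile /var/run/pptpd.pid
# TAG: option
options /etc/ppp/options.ppp0
"""


def active_keywords(text):
    """Return the first token of every non-comment, non-empty line."""
    keywords = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            keywords.append(line.split()[0])  # keyword only, arguments dropped
    return keywords


def normalise(keywords):
    """Map SuSE/old option names to the upstream pppd 2.4.2 names."""
    return [OPTION_ALIASES.get(k, k) for k in keywords]


def lint_ppp_options(text):
    """Flag pppd settings a PPTP dial-in server should not run with."""
    opts = set(normalise(active_keywords(text)))
    findings = []
    if "auth" not in opts:
        findings.append("peer authentication not required (no 'auth')")
    if not ({"require-mschap-v2", "+mschap-v2"} & opts):
        findings.append("MS-CHAPv2 not required (no 'require-mschap-v2' / '+mschap-v2')")
    if any(re.fullmatch(r"(require-)?mppe-40", o) for o in opts):
        findings.append("40-bit MPPE keys allowed ('mppe-40')")
    if "require-mppe-128" not in opts:
        findings.append("128-bit MPPE not required (no 'require-mppe-128'; "
                        "'mppe-128' alone only offers it, verify for your pppd build)")
    return findings


def lint_pptpd_conf(text):
    """Flag pptpd.conf keywords that are not among the documented tags."""
    return [f"'{k}' is not a documented pptpd.conf tag"
            for k in active_keywords(text) if k not in PPTPD_TAGS]


if __name__ == "__main__":
    for label, text in (("BigD options.ppp0", BIGD_OPTIONS), ("jado options.pptp", JADO_OPTIONS)):
        print(label, lint_ppp_options(text) or ["ok"])
    print("BigD pptpd.conf", lint_pptpd_conf(BIGD_PPTPD_CONF) or ["ok"])
```

Feed it `open("/etc/ppp/options.pptp").read()` and `open("/etc/pptpd.conf").read()` to check a live server; since pppd reads /etc/ppp/options before the file named in pptpd.conf, concatenate both options files before linting so a setting from either is seen.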