PoPToP HOWTO/FAQ ---------------- Last Updated: 20021024 Send changes to: Richard de Vroede HOWTO/FAQ mostly compiled from PoPToP help pages and the PoPToP Mailing List (hosted by Christopher Schulte) by Matthew Ramsay. Large contributions from Steve Rhodes and Michael Walter. Contents -------- 1.0 Introduction 1.1 About PoPToP 1.2 Credits 2.0 System Requirements 3.0 PPP with MSCHAPv2/MPPE Installation 4.0 PoPToP Installation 5.0 Windows Client Setup 6.0 FAQ 1.0 Introduction ---------------- 1.1 About PoPToP PoPToP is the PPTP Server solution for Linux. PoPToP allows Linux servers to function seamlessly in the PPTP VPN environment. This enables administrators to leverage the considerable benefits of both Microsoft and Linux. The current pre-release version supports Windows 95/98/NT/2000 PPTP clients and PPTP Linux clients. PoPToP is free GNU software. PoPToP Home Page: http://www.moretonbay.com/vpn/pptp.html 1.2 Credits PoPToP was originally started by Matthew Ramsay under the control of Moreton Bay Ventures (http://www.moretonbay.com). Around March 1999 PoPToP was publically released under the GNU GPL by Moreton Bay/Lineo. PoPToP is what it is today due to the help of a number of intelligent and experienced hackers. More specifically Kevin Thayer, David Luyer and Peter Galbavy. More contributors to PoPToP (in various forms) include Allan Clark, Seth Vidal, Harald Vogt and Ron O'Hara. And finally, credit to all the PoPToP followers who test and report problems. 1.3 PopToP migrating from poptop.lineo.com March 18, 2002 The main PoPToP developers left Lineo with the SnapGear spin-out. The ball is being picked up by Daniel Djamludin. PoPToP has been actively developed within SnapGear and a number of improvements need to be rolled out. Henceforth from this sentence onwards you should refer to "PoPToP" as "Poptop" for ease of use and typing. Lineo have been asked to forward poptop.lineo.com to poptop.sourceforge.net The sources are being gathered to go into CVS, new binaries and dev images will follow. Source Forge looks like the best neutral ground to smooth out future upheavals. 2.0 System Requirements ----------------------- 1. A modern Linux distribution (such as Debian, Red Hat, etc.) with a recent kernel (2.4.x recommended, 2.2.x should be ok). Note: ports exist for Solaris, BSD and others but are not supported in this HOWTO at this time. 2. PPP (2.4.1 recommended, 2.3.11 should be ok) (and the MSCHAPv2/MPPE patch if you want enhanced Microsoft compatible authentication and encryption). 3. PoPToP v1.1.3 (or download the latest release at: http://sourceforge.net/projects/poptop 3.0 PoPToP Installation ----------------------- Check out the documentation at http://sourceforge.net/docman/?group_id=44827 4.0 Windows Client Setup ------------------------ Install it using the add-remove programs tool. Go to windows->communications and install VPN support. (If you do above you may *not* need to follow the instructions below as it will already be installed... ? follow the instructions: 1.start->settings->control panel->network 2.Click add 3.choose adapter 4.Click add 5.select microsoft as the Manufactuarer 6.select Microsoft Virtual Private Networking Adapter 7.Click ok 8.Insert any necessary disks 9.Reboot your Machine take a little nap here... Once your Machine is back 1.go to dial-up networking (usually start->programs->Accessories->communications->Dial-up Networking) YMMV 2.Click make new connection 3.Name the Connection whatever you'd like. 4.Select Microsoft VPN adapter as the device 5.click next 6.type in the ip address or hostname of your pptp server 7.click next 8.click finish 9.Right-click on the intranet icon 10.select properties 11.choose server types 12.check require encrypted password 13.uncheck netbeui, ipx/spx compatible 14.click tcp/ip settings 15.turn off use IP header compression 16.turn off use default gw on remote network 17.click ok. 18.start that connection 19.type in your username and pw (yadda, yadda, yadda) 20.once it finishes its connection your up. Note that the Win95 routine is similar but requires Dial Up Networking Update 1.3 (free from Microsoft) to be installed first. 5.0 FAQ ------- Q&A. INTRODUCTION After spending the better part of two weeks developing my configuration for a pptp sever for remote file access by Windows(tm) clients, I thought I would pass along these notes to those who may be interested. The basic configuration involves a Samba/PoPToP server behind a firewall, through which clients using Win98 machines will connect using the VPN facility built into that OS. This is diagrammed below. _____ ___ ______ ______ | | | \ | fire | | file | | win | ---> / net \ ---> | wall | ---> | srvr | |_____| \__/\_/ |______| |______| The components of the system consist of the Win98 clients running the built-in VPN facility dialing in to their ISP's and connecting through the firewall to the Samba server on the internal network using the pptp protocol. The firewall uses Network Address Translation to convert an open Internet IP address to an internal one. Sounds simple enough right? SIMPLE TEST SETUP As a starting point, I configured a Win98 box to connect directly to a PoPToP server without any authentication or encryption. This was just to get a feel for how pptp works and verify the setup. Using the pre-packaged rpm's was a big help here. You just rpm the thing onto the system and fire it up, and you're in business. The diagram below represents this simple system. 192.168.56.142 192.168.56.11 _____ ______ | | | file | | win | ------------------> | srvr | |_____| |______| Emboldend by my success, I set out to turn on MS authentication and encrytion, and this is where the fun started. AUTHENTICATION AND ENCRYPTION This is an area where Microsoft really shows its true colors. Turning on password and data encryption on the Win98 VPN server configuration was quite the eye opening experience. First with the authentication, you will have to go through a somewhat difficult compilation of the ppp-2.3.8 package. The worst part here is getting all the pieces together, namely the rc4 files. This process is well documented in this archive, so I won't go into it here. The next realization is that Microsoft prepends the domain name to the user name when submitting the login credentials. For example, srhodes is now DBNET\\srhodes. If that wasn't bad enough, I found that the domain wasn't even the one I was logged into. My best guess is that the first domain that the computer ever logs into is stuck with it for ever. This is a real problem if you have multiple domains that you log into. I modified the pppd.c code to strip out the domain on MSCHAP logins, but you can just set the user name in chap-secrets to match the windows version. Then I spent a whole day trying to figure out why data encryption does not work. I tried just about everything I could think of that could be wrong. That's when I discovered this archive, for which I am truly grateful. It turns out that the Win9x implementation of encrytpion is FUBAR! You have to download one of those patches from Microsoft, MSDUN 1.4 to get the thing to work. Windows 95 http://download.microsoft.com/download/win95/Update/17648/W95/EN-US/dun14-95.exe Windows 98 http://download.microsoft.com/download/win98/Update/17648/W98/EN-US/dun14-98.exe Windows 98se http://download.microsoft.com/download/win98SE/Update/17648/W98/EN-US/dun14-SE.exe FIREWALL CONFIGURATION The issue with a firewall in this setup is that you need to cover two types of protocol communication. There is one connection which is a tcp connection on port 1723 that handles the control functions and another connection using IP type 47, or GRE, which handles the actual data communication. This second connection presents a problem for the convention linux firewall, ipfwadm. You see, its only set up to handle tcp, udp and icmp protocols. It doesn't know about GRE. The trick around this block is to use one of the new 2.2 kernels, which employ a new firewall called ipchains. This tool willl handle arbitrary protocols, which can be specified by their numbers. 192.168.2.142 192.168.56.11 _____ ______ ______ | | | fire | 192.168.56.1 | file | | win | --------------->| wall | --------------> | srvr | |_____| 192.168.2.1 |______| |______| You need to remember a few things before getting too deep into this. The default gateway on win is set to 192.168.2.1, and the default gateway on file srvr is set to 192.168.56.1. The firewall has the two network interfaces spanning the two subnets and is configured for IP forwarding. If you have not yet applied any firewall rules, this configuration will work as before. The interesing part is to block out all other access to file srvr by implementing ipchains rules. The short story is: ipchains -F ipchains -P forward DENY ipchains -I forward -p tcp -d 192.168.56.11 1723 -j ACCEPT ipchains -A forward -p tcp -s 192.168.56.11 1723 -j ACCEPT ipchains -A forward -p 47 -d 192.168.56.11 -j ACCEPT ipchains -A forward -p 47 -s 192.168.56.11 -j ACCEPT NETWORK ADDRESS TRANSLATION The next hurdle is to configure the firewall so that it can run an open internet IP address on the outside and allow access to an internal address on the inside. NAT is very well suited to this task, although you may hear otherwise from knowledgable sources. It happens to be my preference, though certainly not the only way to skin this cat. You can obtain the NAT software and some detailed information from http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html But again, there is a problem with the GRE protocol of type 47. The tool for configuring NAT, ipnatadm, like its half-brother ipfwadm, is not set up to handle arbitrary protocols. Unfortunately, you'll have to go into the code and make a slight modification if you want to use it for this purpose. There is a procedure called parse_protocol in the file routines.c that discriminates the type of protocol to be filtered. The basic idea is to accept a string representing a number and use that as the filter. Since you have to recompile the kernel anyway to get the NAT functionality, maybe it's not so horrible, relatively speaking. For those ambitous enough, here is the diff for the routines file, copy this into a file called routines.diff and use the command patch -p0 < routines.diff from within the same directory. --- routines.c Thu Mar 25 15:41:58 1999 +++ /mnt/zip/nat/routines.c Wed Jul 21 21:09:28 1999 @@ -112,11 +112,18 @@ else if (strncmp("icmp", s, strlen(s)) == 0) nat_set.nat.protocol = IPPROTO_ICMP; else { + int number; + char * end; + number = (int)strtol(s, &end, 10); + nat_set.nat.protocol = number; + } + /* + else { fprintf(stderr, "ipnatadm: invalid protocol \"%s\" specified\n", s); exit_tryhelp(2); - /* make the compiler happy... */ return; } + */ } void parse_hostnetworkmask(char *name, struct in_addr **addrpp, __u32 *maskp, int *naddrs) The patch is actually lifted from ipchains, which was derived from ipfwadm, which provides the basis for ipnatadm. Once you've got all that running, what you want to do is to set up the NAT rules so that the incoming client thinks its talking to the firewall, as does the outgoing file server. The short of it is: ipnatadm -F ipnatadm -I -i -P 6 -D 192.168.2.1 1723 -N 192.168.56.11 1723 ipnatadm -O -i -P 6 -S 192.168.56.11 1723 -M 192.168.2.1 1723 ipnatadm -I -i -P 47 -D 192.168.2.1 -N 192.168.56.11 ipnatadm -O -i -P 47 -S 192.168.56.11 -M 192.168.2.1 Here, the -P argument sets the protocol, 6 is tcp and 47 is GRE. PPTP packets targeting the firewall are translated to the internal host inbound and vice-versa on the way out. Very slick. SAMBA Here's a subject so complex you could probably devote a whole career to it. We don't want to get too bogged down, so I'll be brief. Samba implements the NetBIOS protocol, which has more quirks than you can shake a stick at. One of the biggest problems is the use of subnet broadcasting. Suffice it to say, if you want the best results, you should set your PoPToP IP addresses to reside within the subnet on which the file server ethernet is located. I choose 192.168.56.12 for the server address, and it hands out IP's from 192.168.13-127. Setting the IP forwarding on the file server to true will give you access to other machines on the internal network. When you go at the samba sever from Win98, you have to use encrypted password. Look at smbpasswd and related stuff. Finding shares on the server is not so easy. The short story here is that browsing is implemented via broadcast packets, and broadcast packets will not travel down a PPP link. The only way to get browsing to work over pptp is to set Samba up as a WINS server and a Domain login server, and configure the clients to use that WINS server and force them to login to that Domain. Believe me, I tried just about everything to avoid that. You will also want to set the samba server as the domain master and preferred master for the browsing. If you can't do that, you can set the ppp/options file to include a ms-wins setting for the samba server. This will set the client up so they can at least resolve host names. The only way to find a share under this configuration is to name it explicitly. You can use the tools menu from the Win98 file browser and say find -> computer and enter in the name of the samba server and it will be found. I have found that setting domain master = yes and preferred master = yes gives a rather nice boost to the speed of name lookups on the network. Here is my abbreviated smb.conf [global] workgroup = VAULT server string = acer log file = /var/log/samba/log.%m max log size = 50 security = user encrypt passwords = yes smb passwd file = /etc/smbpasswd socket options = TCP_NODELAY domain master = yes preferred master = yes domain logons = yes wins support = yes dns proxy = no [homes] comment = Home Directories browseable = no writable = yes You should also use the lmhosts option for nmbd (-H) and set up an lmhosts file on the samba server. Make sure also the the samba server can resolve its own name, through either /etc/hosts or DNS. In all honesty , I went through the same simple test setup with samba as I did for PoPToP, although its not shown here explicitly. CONCLUSION PoPToP is a good program, as is Samba. This configuration can work if you put a little effort into it. I have seen a lot of questions here and in other places about these types of systems, so I would think that there is some demand on the part of users who want this type of functionality. I hope these notes are useful to you if this is what you want to do. **************************************************************************** Q&A I have a pptp server set up on my office LAN. I can connect to the server and ping to it fine, but I can't ping any other hosts on the office subnet. I have ip-forwarding turned on and I have proxyarp set in the ppp/options file. What can be wrong? There seem to be a lot of questions floating around about routing and masq'ing associated with this issue. Well, my curiosity got the best of me, so I thought I would check this out. Shown below is my test setup for investigating this problem. 192.168.8.142 192.168.56.10 192.168.56.11 192.168.56.12 ________ _______ ______ _____ | | | | | | | | | client |------->| fire |-------->| pptp |----->| host | | | | wall | | srvr | | | |________| |_______| |______| |______| H H H 192.168.8.10 H H H H===================================H 192.168.5.12 pptp connection 192.168.5.11 For the sake of simplicity, we will ignore address translation issues associated with the firewall. This assumes that the client at 192.168.8.142 is going to use 192.168.56.11 as its target address for the pptp connection to pptp_srvr. The firewall will block all access to the 192.168.56.0 subnet except for pptp connections associated with pptp_srvr. This can be implemented with ipchains ipchains -P input DENY ipchains -P forward DENY ipchains -A input 192.168.56.0/24 -j ACCEPT /* allow connections from inside */ ipchains -A input -p tcp -d 192.168.56.11 1723 -j ACCEPT ipchains -A input -p 47 -d 192.168.56.11 -j ACCEPT ipchains -A forward -p tcp -d 192.168.56.11 1723 -j ACCEPT ipchains -A forward -p tcp -s 192.168.56.11 1723 -j ACCEPT ipchains -A forward -p 47 -d 192.168.56.11 -j ACCEPT ipchains -A forward -p 47 -s 192.168.56.11 -j ACCEPT When you connect from client to pptp_srvr, you will be able to complete the connection and ping to pptp_srvr. However, if you attempt to ping host, at 192.168.56.12, this will fail. A clue to this problem can be found in the /var/tmp/messages file on pptp_srvr. There, in the pppd messages, you will find Cannot determine ethernet address for proxy ARP This is due to an issue with the pppd program, which attempts to find a hardware interface on the subnet to which the pppd client has been assigned. In this case its looking for a hardware interface on the 192.168.5.0 subnet. It will fail to find one, and will drop the proxyarp request. The simplest way around this problem, and the one that is suggested in the pppd documentation, is to set the pppd client IP assignment to be on the local subnet. An example in this case might be 192.168.56.129. However, it may not be possible to do that. In the case of a fully loaded subnet, there may not be any addresses to spare. Or there may be some security issues with giving out local subnet addresses. What to do? The place to look is in the arp table. If you run tcpdump on host (192.168.56.12) during the time when client is pinging, you will see unanswered arp requests from host attempting to find the hardware address for 192.168.5.12. You need to proxy the hardware address of the pptp_srvr for client in order for this request to be fulfilled. This is the job of proxyarp. However, proxyarp has let us down in this instance, and we need to find a workaround. This can be done manually using the arp command on pptp_srvr. For example, if the hardware address of the ethernet card on pptp_srvr is 00:60:08:98:14:14, you could force the arp to proxy the client pptp address by saying arp --set 192.168.5.12 00:60:08:98:14:13 pub You should now be able to ping from client to host through the pptp connection. This can be a problem, however, in a dynamic environment when clients are logging into and out of the pptp server on a continuous basis. One way around this problem is to write a script that will execute upon the initiation of each ppp connection. The place to do this is in /etc/ppp/ip-up. This script is executed each time a new ppp connection is started. It gets some variables passed into it, one of which is the assigned IP address of the client. Note that RedHat systems use ip-up.local as the place for you to make the script. Don't forget to chmod +x ! #! /bin/bash REMOTE_IP_ADDRESS=$5 date > /var/run/ppp.up echo "REMOTE_IP_ADDRESS = " $REMOTE_IP_ADDRESS >> /var/run/ppp.up arp --set $REMOTE_IP_ADDRESS 00:60:08:98:14:14 pub >> /var/run/ppp.up exit 0 This should put you in business for accessing the remote subnet under this scenario. I am a little bit concerned, however, because I also built a script ip-down.local, that should remove the arp proxy when client disconnected. It doesn't seem to do anything, however, and if I try to delete the arp entry manually, it just spits out a cryptic error message. The arp entries remain persistent, as far as I can tell. If this is a problem or not, I don't know. The next few clients that log in are treated well, so I guess its OK. **************************************************************************** Q. Also, after running pptpd and monitoring its log file and seeing that it failed to open ttyp1 - I chmod +rw /dev/ttyp[0-9] and it seemed to work somewhat. But, after I rebooted, I had to do this again. Is this normal? A. pptpd should be running as root (unless you have a system with a setuid openpty() helper, which isn't very common). If it fails to open a pty/tty pair as root then that is probably because it is in use. Other programs which use pty/tty's will change their permissions back to the standard ones. **************************************************************************** Q. sometimes when I make a connection to my pptpd server I see a message like Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21 Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26 Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24 Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21 Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26 Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24 Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26 Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24 Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21 in /var/log/messages on the server. Any idea what I can do about it? A. yeah, in your /lib/modules//net/ directory, there should be files called bsd_comp.o and ppp_deflate.o.. insmod those files and you'll be good to go. **************************************************************************** Q. Hi, I'm having trouble getting pptpd & mschap-v2 to work. I downloaded all of the patches and compiled everything but whenever i try to connect from my win98 machine, it says: Error 691: The computer you have dialed in to has denied access because the username and/or password is invalid on the domain. What is this suppose to mean? A. Error 691 is an authentication problem probably due to the fact that MS chap uses the domain name and username combo to authenticate. If you look at the logs you will probably see a message saying that MS chap is trying to authenticate user "domain\\username". I got it to work by putting the full domain and user string in the client portion of the chap-secrets file. # Secrets for authentication using CHAP # client server secret IP addresses workgroup\\user server password * If anyone knows how to get it to default to a particular domain, I would like to know. **************************************************************************** Q. how do I go about checking who is logged in via tunnel? I need some way of writing the pppd data to wtmp/utmp. (and not sessreg either) does anyone know of any way of doing this via ppp? A. pppd syslogs everything to /var/log/messages (that's the default on my box anyways) and it will say something like : pppd[15450]: CHAP peer authentication succeeded for you could do a tail /var/log/messages -n2000 | grep CHAP if you wanted to see who has been logging in. other than that, there's not much i know of. all the authentication is provided by pppd (if you don't have an auth or a require-chap (or pap, etc.) option, it doesn't even ask for a username. **************************************************************************** Q. My NT client won't connect! A. Try taking header and software compression off. **************************************************************************** Q. PPTP *client* stops working. A. go to /var/run/pptp/ and look for a socket named x.x.x.x delete it and try it again. **************************************************************************** Q. How many clients does PoPToP support? A. The limits under Linux are: per-process filedescriptors - one per client (would limit clients to 256 by default, or 1024 with kernel recompile, or more with major libc/kernel hackery) - no relevant limit ttys - currently, with a standard kernel, 256 clients - with Unix98 ptys and a small amount of coding, 2048 ppp devices - no limit in kernel source for ppp - limit of 100 in dev_alloc_name() in 2.2.x for(i=0;i<100;i++) { sprintf(dev->name,name,i); if(dev_get(dev->name)==NULL) return i; } best fix is probably to keep a static int ppp_maxdev so you don't end up doing 2000 dev_get's to allocated the 2001'th device. processes - 2 per client plus system processes - standard kernel max = 512 processes, ie 256 clients - i386 max = 4096 processes, ie 2048 clients So it seems that 2048 will be the limit, if you fix a few things and with a minor kernel mod (I could do all of these pretty easily and send you a trivial kernel patch). To go above 2048 the easiest approach would be to combine pptpctrl and pppd in one process, which would get you to 4096. Beyond there, you need to go for a select() based model, which would be significant coding effort and require large fd-set sizes and so on. So 4096 is the practical limit, and 2048 the easy limit. **************************************************************************** Q. What authentication methods (PAP/CHAP) does PoPToP work with? A. PoPToP uses whatever authentication methods your PPPd provides (usually PAP and CHAP). With PPPd patches you can get MSCHAP and MSCHAPv2 authentication as well. **************************************************************************** Q. When running PoPToP I get the following error: Jun 11 08:29:04 server pptpd[4875]: MGR: No more free connection slots! What does this mean? A. I'd say at a guess you've only configured one IP address and you have connected a client, and as such there are no more free connection slots should any more clients wish to connect. **************************************************************************** Q. Does PoPToP suffer from the same security flaws (http://www.counterpane.com/pptp.html) as the Windows NT PPTP server? A. An initial look at the article suggests that what the authors hammered was not the PPTP protocol, but the authentication that the PPTP VPN servers on NT offered access to via open internet. PPTP seems initially to be just the path to the weakness, not the weakness itself. Part of their observance of weakness deals with use of poor passwords as well, a cheap component, simple enough to fix. > While no flaws were found in PPTP itself, several serious flaws were > found in the Microsoft implementation of it. > (http://www.counterpane.com/pptp-pressrel.html) The authors do not specifically say "this is ONLY effective against NT", just that NT is affected. This implies that they do not recognize PoPToP, and it may be included. The fact that PoPToP has to interOp with MS DUN's VPN client means that it will have the same weaknesses. It can only protect itself from DoS attacks, have immediate response to out-of-sequence packets or illogical packets, etc. The protocol is not considered weak in this analysis, but the weaknesses have to be replicated in apparent behavior by PoPToP. The only thing the developers can do with PoPToP is make it a stronger server per se -- more able to handle the attacks when the come. In conclusion: PoPToP suffers the same security vulnerabilities as the NT sever (this is because it operates with Windows clients). Update: MSCHAPv2 has been released and addresses some of the security issues. PoPToP works with MSCHAPv2. **************************************************************************** Q. Does PoPToP support data encryption? A. Yes.. with appropriate PPPd patches. Patches are available for PPPd to provide Microsoft compatible RC4 data encryption. The PPPd patch supports 40 and 128 bit RC4 encryption. **************************************************************************** Q. PoPToP or IPsec? Which is better suited to my needs? A. 1. The difference between PoPToP and IPsec is that PoPToP is ready NOW.. and requires *no* third party software on the Windows client end (Windows comes with a free PPTP client that is trivial to set up). 2. PoPToP is a completely *free* solution. Update: Unfortunately not true for Mac *clients* though. The Mac client software is around $400 US a copy. 3. PoPToP can be integrated with the latest PPPD patches that take advantage of MSCHAPv2 and MPPE (Microsoft encryption using RC4 - 40/128 bits). More details follow from Emir Toktar: (Refs: A Comprehensive Guide to Virtual Private Networks, IBM. Virtual Private Networking: An Overview White Paper - DRAFT, 3/18/98 Microsoft.) Neither network layer-based (L2TP, PPTP,...) nor application layer-based (IPSec,SSL,SSH) security techniques are the best choice for all situations. There will be trade-offs. Network layer security protects the information created by upper layer protocols, but it requires that IPSec be implemented in the communications stack. With network layer security, there is no need to modify existing upper layer applications. On the other hand, if security features are already imbedded within a given application, then the data for that specific application will be protected while it is in transit, even in the absence of network layer security. Therefore security functions must be imbedded on a per-application basis. There are still other considerations: Authentication is provided only for the identity of tunnel endpoints, but not for each individual packet that flows inside the tunnel. This can expose the tunnel to man-in-the-middle and spoofing attacks. Network layer security gives blanket protection, but this may not be as fine-grained as would be desired for a given application. It protects all traffic and is transparent to users and applications. Network layer security does not provide protection once the datagram has arrived at its destination host. That is, it is vulnerable to attack within the upper layers of the protocol stack at the destination machine. Application layer security can protect the information that has been generated within the upper layers of the stack, but it offers no protection against several common network layer attacks while the datagram is in transit. For example, a datagram in transit would be vulnerable to spoofing attacks against its source or destination address. Application layer security is more intelligent (as it knows the application) but also more complex and slower. IPSec provides for tunnel authentication, while PPTP does not. Layer 2 tunneling protocols inherit the user authentication schemes of PPP, including the EAP methods discussed below. Many Layer 3 tunneling schemes assume that the endpoints were well known (and authenticated) before the tunnel was established. An exception to this is IPSec ISAKMP negotiation, which provides mutual authentication of the tunnel endpoints. (Note that most IPSec implementations support machine-based certificates only, rather than user certificates. As a result, any user with access to one of the endpoint machines can use the tunnel. This potential security weakness can be eliminated when IPSec is paired with a Layer 2 protocol such as L2TP. Using the Extensible Authentication Protocol (EAP), Layer 2 tunneling protocols can support a wide variety of authentication methods, including one-time passwords, cryptographic calculators, and smart cards. Layer 3 tunneling protocols (IPSec) can use similar methods; for example, IPSec defines public key certificate authentication in its ISAKMP/Oakley negotiation. Layer 2 tunneling supports dynamic assignment of client addresses based on the Network Control Protocol (NCP) negotiation mechanism. Generally, Layer 3 tunneling schemes assume that an address has already been assigned prior to initiation of the tunnel. Schemes for assignment of addresses in IPSec tunnel mode are currently under development and are not yet available. Layer 2 tunneling protocols support PPP-based compression schemes. For example, the Microsoft implementations of both PPTP and L2TP use Microsoft Point-to-Point Compression (MPPC). The IETF is investigating similar mechanisms (such as IP Compression) for the Layer 3 tunneling protocols. Layer 2 tunneling protocols support PPP-based data encryption mechanisms. Microsoft's implementation of PPTP supports optional use of Microsoft Point-to-Point Encryption (MPPE), based on the RSA/RC4 algorithm. Layer 3 tunneling protocols can use similar methods; for example, IPSec defines several optional data encryption methods which are negotiated during the ISAKMP/Oakley exchange. MPPE, a Layer 2 protocol, relies on the initial key generated during user authentication, and then refreshes it periodically. IPSec, explicitly negotiates a common key during the ISAKMP exchange, and also refreshes it periodically. Layer 2 tunneling supports multiple payload protocols, which makes it easy for tunneling clients to access their corporate networks using IP, IPX, NetBEUI, and so forth. In contrast, Layer 3 tunneling protocols, such as IPSec tunnel mode, typically support only target networks that use the IP protocol. IPSec is not multi-protocol. IPSec will be suported by Windows 2000. Many cases can occur, each of which needs to be examined on its own merit. It may be desirable to employ a mix of both network layer security techniques and application layer techniques to achieve the desired overall level of protection. For example, you could use an upper layer mechanism such as Secure Sockets Layer (SSL) to encrypt upper layer data. SSL could then be supplemented with IPSec's AH protocol at the network layer to provide per-packet data origin authentication and protection against spoofing attacks. **************************************************************************** Q. I get a 'createHostSocket: Address already in use' error! what gives? A. Address already in use in createHostSocket means something is already using TCP port 1723 - maybe another pptp daemon is running? **************************************************************************** Q. Does PoPToP work with Windows 2000 clients? A. PoPToP v0.9.5 and above should work with Windows 2000 clients. ****************************************************************************