HOWTO-PoPToP.txt

----------------
Last Updated: 20021024
Send changes to: Richard de Vroede <>
HOWTO/FAQ mostly compiled from PoPToP help pages and the PoPToP Mailing List
(hosted by Christopher Schulte) by Matthew Ramsay. Large contributions from
Steve Rhodes and Michael Walter.
Contents
--------
1.0 Introduction
1.1 About PoPToP
1.2 Credits
1.3 PoPToP migration
2.0 System Requirements
3.0 PoPToP Installation
4.0 Windows Client Setup
5.0 FAQ
1.0 Introduction
----------------
1.1 About PoPToP
PoPToP is the PPTP server solution for Linux. PoPToP allows Linux servers to
function seamlessly in a PPTP VPN environment, so administrators can combine
the considerable benefits of both Microsoft and Linux. The current pre-release
version supports Windows 95/98/NT/2000 PPTP clients and Linux PPTP clients.
PoPToP is free GNU software.
PoPToP Home Page:
1.2 Credits
PoPToP was originally started by Matthew Ramsay under the control of
Moreton Bay Ventures. Around March 1999 PoPToP was publicly released under
the GNU GPL by Moreton Bay/Lineo.
PoPToP is what it is today thanks to the help of a number of intelligent and
experienced hackers, more specifically Kevin Thayer, David Luyer and
Peter Galbavy.
Further contributors to PoPToP (in various forms) include Allan Clark, Seth
Vidal, Harald Vogt and Ron O'Hara.
And finally, credit to all the PoPToP followers who test and report
problems.
1.3 PoPToP migration
March 18, 2002
The main PoPToP developers left Lineo with the SnapGear spin-out. The ball
is being picked up by Daniel Djamludin. PoPToP has been actively developed
within SnapGear and a number of improvements need to be rolled out.
From this sentence onwards "PoPToP" is written "Poptop" for ease of use and
typing.
Lineo have been asked to forward to
The sources are being gathered to go into CVS; new binaries and dev images
will follow. SourceForge looks like the best neutral ground to smooth out
future upheavals.
2.0 System Requirements
-----------------------
1. A modern Linux distribution (such as Debian, Red Hat, etc.) with a recent
   kernel (2.4.x recommended, 2.2.x should be OK). Note: ports exist for
   Solaris, BSD and others but are not covered in this HOWTO at this time.
2. PPP (2.4.1 recommended, 2.3.11 should be OK), plus the MSCHAPv2/MPPE
   patch if you want Microsoft-compatible authentication (MSCHAPv2) and
   encryption (MPPE).
3. PoPToP v1.1.3 (or download the latest release at:
3.0 PoPToP Installation
-----------------------
Check out the documentation at
4.0 Windows Client Setup
------------------------
On Windows 98, VPN support can be installed through Add/Remove Programs:
go to Windows Setup -> Communications and install Virtual Private
Networking.
(If you do that, you may *not* need to follow the adapter instructions
below, as the adapter will already be installed.)
Otherwise, install the adapter by hand:
1. Start -> Settings -> Control Panel -> Network
2. Click Add
3. Choose Adapter
4. Click Add
5. Choose Microsoft as the manufacturer
6. Choose Microsoft Virtual Private Networking Adapter
7. Click OK
8. Insert any necessary disks
9. Reboot your machine
Take a little nap here...
Once your machine is back:
1. Go to Dial-Up Networking (usually Start -> Programs -> Accessories ->
   Communications -> Dial-Up Networking; YMMV)
2. Click Make New Connection
3. Name the connection whatever you like
4. Select Microsoft VPN Adapter as the device
5. Click Next
6. Type in the IP address or hostname of your PPTP server
7. Click Next
8. Click Finish
9. Right-click on the new connection's icon
10. Choose Properties
11. Choose Server Types
12. Check "Require encrypted password" (and, if your pppd carries the MPPE
    patch, "Require data encryption"; see the FAQ below)
13. Uncheck NetBEUI and IPX/SPX compatible
14. Click TCP/IP Settings
15. Turn off "Use IP header compression"
16. Turn off "Use default gateway on remote network" (only traffic for the
    remote network is then routed through the tunnel; the client's other
    Internet traffic stays outside it)
17. Click OK
18. Start that connection
19. Type in your username and password (yadda, yadda, yadda)
20. Once it finishes connecting, you're up.
Note that the Win95 routine is similar but requires Dial-Up Networking
Update 1.3 (free from Microsoft) to be installed first.
5.0 FAQ
-------
Q&A.
After spending the better part of two weeks developing my configuration
for a pptp server for remote file access by Windows(tm) clients, I
thought I would pass along these notes to those who may be interested.
The basic configuration involves a Samba/PoPToP server behind a
firewall, through which clients using Win98 machines will connect using
the VPN facility built into that OS. This is diagrammed below.

    [ win ] ---> ( net ) ---> [ firewall ] ---> [ file srvr ]

The components of the system consist of the Win98 clients running the
built-in VPN facility dialing in to their ISPs and connecting through
the firewall to the Samba server on the internal network using the pptp
protocol. The firewall uses Network Address Translation to convert an
open Internet IP address to an internal one. Sounds simple enough,
right?
As a starting point, I configured a Win98 box to connect directly to a
PoPToP server without any authentication or encryption. This was just
to get a feel for how pptp works and verify the setup. Using the
pre-packaged rpm's was a big help here. You just rpm the thing onto the
system and fire it up, and you're in business. The diagram below
represents this simple system.

    [ win ] ------------------> [ file srvr ]

Emboldened by my success, I set out to turn on MS authentication and
encryption, and this is where the fun started.
This is an area where Microsoft really shows its true colors. Turning
on password and data encryption on the Win98 VPN server configuration
was quite the eye-opening experience. First with the authentication,
you will have to go through a somewhat difficult compilation of the
ppp-2.3.8 package. The worst part here is getting all the pieces
together, namely the rc4 files. This process is well documented in this
archive, so I won't go into it here.
The next realization is that Microsoft prepends the domain name to the
user name when submitting the login credentials. For example, srhodes is
now DBNET\\srhodes. If that wasn't bad enough, I found that the domain
wasn't even the one I was logged into. My best guess is that the first
domain that the computer ever logs into is stuck with it for ever. This
is a real problem if you have multiple domains that you log into. I
modified the pppd.c code to strip out the domain on MSCHAP logins, but
you can just set the user name in chap-secrets to match the Windows
version.
Then I spent a whole day trying to figure out why data encryption does
not work. I tried just about everything I could think of that could be
wrong. That's when I discovered this archive, for which I am truly
grateful. It turns out that the Win9x implementation of encryption is
FUBAR! You have to download one of those patches from Microsoft,
MSDUN 1.4, to get the thing to work.
Windows 95
Windows 98
Windows 98se
The issue with a firewall in this setup is that you need to cover two
types of protocol communication. There is one connection which is a tcp
connection on port 1723 that handles the control functions and another
connection using IP type 47, or GRE, which handles the actual data
communication. This second connection presents a problem for the
conventional Linux firewall, ipfwadm. You see, it's only set up to handle
tcp, udp and icmp protocols. It doesn't know about GRE.
The trick around this block is to use one of the new 2.2 kernels, which
employ a new firewall called ipchains. This tool will handle arbitrary
protocols, which can be specified by their numbers.

    [ win ] ---------------> [ firewall ] --------------> [ file srvr ]

You need to remember a few things before getting too deep into this.
The default gateway on win is set to, and the default
gateway on file srvr is set to. The firewall has the two
network interfaces spanning the two subnets and is configured for
IP forwarding. If you have not yet applied any firewall rules, this
configuration will work as before. The interesting part is to block out
all other access to file srvr by implementing ipchains rules.
The short story is:
    ipchains -F
    ipchains -P forward DENY
    ipchains -I forward -p tcp -d 1723 -j ACCEPT
    ipchains -A forward -p tcp -s 1723 -j ACCEPT
    ipchains -A forward -p 47 -d -j ACCEPT
    ipchains -A forward -p 47 -s -j ACCEPT
The next hurdle is to configure the firewall so that it can run an open
internet IP address on the outside and allow access to an internal
address on the inside. NAT is very well suited to this task, although
you may hear otherwise from knowledgeable sources. It happens to be my
preference, though certainly not the only way to skin this cat. You can
obtain the NAT software and some detailed information from
But again, there is a problem with the GRE protocol of type 47. The
tool for configuring NAT, ipnatadm, like its half-brother ipfwadm, is
not set up to handle arbitrary protocols. Unfortunately, you'll have to
go into the code and make a slight modification if you want to use it
for this purpose. There is a procedure called parse_protocol in the
file routines.c that discriminates the type of protocol to be filtered.
The basic idea is to accept a string representing a number and use that
as the filter. Since you have to recompile the kernel anyway to get the
NAT functionality, maybe it's not so horrible, relatively speaking.
For those ambitious enough, here is the diff for the routines file; copy
this into a file called routines.diff and use the command patch -p0 <
routines.diff from within the same directory.
  214. --- routines.c Thu Mar 25 15:41:58 1999
  215. +++ /mnt/zip/nat/routines.c Wed Jul 21 21:09:28 1999
  216. @@ -112,11 +112,18 @@
  217. else if (strncmp("icmp", s, strlen(s)) == 0)
  218. nat_set.nat.protocol = IPPROTO_ICMP;
  219. else {
  220. + int number;
  221. + char * end;
  222. + number = (int)strtol(s, &end, 10);
  223. + nat_set.nat.protocol = number;
  224. + }
  225. + /*
  226. + else {
  227. fprintf(stderr, "ipnatadm: invalid protocol \"%s\"
  228. specified\n", s);
  229. exit_tryhelp(2);
  230. - /* make the compiler happy... */
  231. return;
  232. }
  233. + */
  234. }
  235. void parse_hostnetworkmask(char *name, struct in_addr **addrpp, __u32
  236. *maskp, int *naddrs)
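Review bot: the strtol() result in the new else branch is never validated; `end` is assigned but not checked, so a non-numeric protocol argument such as "gre" silently sets nat_set.nat.protocol to 0 and a value above 255 is stored truncated, while the original error path (the "invalid protocol" fprintf and exit_tryhelp(2)) becomes dead code inside the new /* ... */ block. Test `*end != '\0' || number < 0 || number > 255` and fall through to the existing error message instead of commenting it out, and delete the commented-out block rather than leaving it for the next reader to puzzle over.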
The patch is actually lifted from ipchains, which was derived from
ipfwadm, which provides the basis for ipnatadm.
Once you've got all that running, what you want to do is to set up the
NAT rules so that the incoming client thinks it's talking to the
firewall, as does the outgoing file server. The short of it is:
    ipnatadm -F
    ipnatadm -I -i -P 6 -D 1723 -N 1723
    ipnatadm -O -i -P 6 -S 1723 -M 1723
    ipnatadm -I -i -P 47 -D -N
    ipnatadm -O -i -P 47 -S -M
Here, the -P argument sets the protocol: 6 is tcp and 47 is GRE.
PPTP packets targeting the firewall are translated to the internal host
inbound and vice-versa on the way out. Very slick.
SAMBA
Here's a subject so complex you could probably devote a whole career to
it. We don't want to get too bogged down, so I'll be brief. Samba
implements the NetBIOS protocol, which has more quirks than you can
shake a stick at. One of the biggest problems is the use of subnet
broadcasting. Suffice it to say, if you want the best results, you
should set your PoPToP IP addresses to reside within the subnet on which
the file server ethernet is located. I chose for the
server address, and it hands out IPs from 192.168.13-127.
Setting IP forwarding on the file server to true will give you
access to other machines on the internal network.
When you go at the Samba server from Win98, you have to use encrypted
passwords. Look at smbpasswd and related stuff.
Finding shares on the server is not so easy. The short story here is
that browsing is implemented via broadcast packets, and broadcast
packets will not travel down a PPP link. The only way to get browsing
to work over pptp is to set Samba up as a WINS server and a Domain login
server, and configure the clients to use that WINS server and force them
to login to that Domain. Believe me, I tried just about everything to
avoid that. You will also want to set the Samba server as the domain
master and preferred master for the browsing.
If you can't do that, you can set the ppp/options file to include an
ms-wins setting for the Samba server. This will set the clients up so
they can at least resolve host names. The only way to find a share
under this configuration is to name it explicitly. You can use the
Tools menu from the Win98 file browser and say Find -> Computer and
enter the name of the Samba server and it will be found. I have
found that setting domain master = yes and preferred master = yes gives
a rather nice boost to the speed of name lookups on the network.
Here is my abbreviated smb.conf:
    [global]
    workgroup = VAULT
    server string = acer
    log file = /var/log/samba/log.%m
    max log size = 50
    security = user
    encrypt passwords = yes
    smb passwd file = /etc/smbpasswd
    socket options = TCP_NODELAY
    domain master = yes
    preferred master = yes
    domain logons = yes
    wins support = yes
    dns proxy = no
    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
You should also use the lmhosts option for nmbd (-H) and set up an
lmhosts file on the Samba server. Make sure also that the Samba server
can resolve its own name, through either /etc/hosts or DNS.
In all honesty, I went through the same simple test setup with Samba as
I did for PoPToP, although it's not shown here explicitly.
PoPToP is a good program, as is Samba. This configuration can work if
you put a little effort into it. I have seen a lot of questions here
and in other places about these types of systems, so I would think that
there is some demand on the part of users who want this type of
functionality. I hope these notes are useful to you if this is what you
want to do.
****************************************************************************
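The ipchains rules in the post above lost their addresses in transit. As an added example, not code from the post or from PoPToP, here is the same forward-chain ruleset written as a script that takes the server address from a variable and tightens the return-direction TCP rule. The server address (a documentation address), the DRY_RUN switch and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the PoPToP HOWTO or the post above.
# ipchains forward rules for a PPTP server behind a Linux 2.2 router.
# PPTP needs two things let through: the TCP/1723 control connection and
# GRE (IP protocol 47) carrying the tunnelled PPP frames.
# Assumed values: PPTP_SERVER is the internal server's address (a
# documentation address here, not one from the post).
PPTP_SERVER="${PPTP_SERVER:-192.0.2.10}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ipchains commands, 0 = run them

# only a dotted quad may reach the command line
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

# pptp_forward_rules: flush the forward chain, deny by default, then allow
# exactly the PPTP traffic.  ipchains is stateless, so the posted rule
# "-s server 1723 -j ACCEPT" forwards every TCP packet from the server's
# address and port 1723, SYNs included, i.e. it can open new connections
# outward.  Matching "! -y" (no SYN) confines that rule to replies inside
# an already open control connection.
pptp_forward_rules() {
    if ! is_ipv4 "$PPTP_SERVER"; then
        echo "pptp_forward_rules: bad PPTP_SERVER '$PPTP_SERVER'" >&2
        return 1
    fi
    run -F forward
    run -P forward DENY
    # control connection: clients anywhere may open TCP/1723 to the server
    run -A forward -p tcp -d "$PPTP_SERVER" 1723 -j ACCEPT
    # control connection replies only (no SYN)
    run -A forward -p tcp ! -y -s "$PPTP_SERVER" 1723 -j ACCEPT
    # data channel: GRE to and from the server, nothing else
    run -A forward -p 47 -d "$PPTP_SERVER" -j ACCEPT
    run -A forward -p 47 -s "$PPTP_SERVER" -j ACCEPT
}

# default action when run as a script: print the rules for review
pptp_forward_rules
```

Run it as root with DRY_RUN=0 to apply; the default only prints, so the ruleset can be reviewed first. The NAT side (ipnatadm) is left as the post shows it.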
Q&A
I have a pptp server set up on my office LAN. I can connect to the
server and ping to it fine, but I can't ping any other hosts on the
office subnet. I have ip-forwarding turned on and I have proxyarp set
in the ppp/options file. What can be wrong?
There seem to be a lot of questions floating around about routing and
masq'ing associated with this issue.
Well, my curiosity got the best of me, so I thought I would check this
out. Shown below is my test setup for investigating this problem.

    [ client ] -------> [ firewall ] --------> [ pptp srvr ] -----> [ host ]
         H                                          H
         H================ pptp connection =========H

For the sake of simplicity, we will ignore address translation issues
associated with the firewall. This assumes that the client at
is going to use as its target address for
the pptp connection to pptp_srvr. The firewall will block all access to
the subnet except for pptp connections associated with
pptp_srvr. This can be implemented with ipchains:
    ipchains -P input DENY
    ipchains -P forward DENY
    ipchains -A input -j ACCEPT          # allow connections from inside
    ipchains -A input -p tcp -d 1723 -j ACCEPT
    ipchains -A input -p 47 -d -j ACCEPT
    ipchains -A forward -p tcp -d 1723 -j ACCEPT
    ipchains -A forward -p tcp -s 1723 -j ACCEPT
    ipchains -A forward -p 47 -d -j ACCEPT
    ipchains -A forward -p 47 -s -j ACCEPT
When you connect from client to pptp_srvr, you will be able to complete
the connection and ping to pptp_srvr. However, if you attempt to ping
host, at , this will fail.
A clue to this problem can be found in the /var/tmp/messages file on
pptp_srvr. There, in the pppd messages, you will find
    Cannot determine ethernet address for proxy ARP
This is due to an issue with the pppd program, which attempts to find a
hardware interface on the subnet to which the pppd client has been
assigned. In this case it's looking for a hardware interface on the
subnet. It will fail to find one, and will drop the
proxyarp request.
The simplest way around this problem, and the one that is suggested in
the pppd documentation, is to set the pppd client IP assignment to be on
the local subnet. An example in this case might be
However, it may not be possible to do that. In the case of a fully
loaded subnet, there may not be any addresses to spare. Or there may be
some security issues with giving out local subnet addresses. What to
do?
The place to look is in the arp table. If you run tcpdump on host
( ) during the time when client is pinging, you will see
unanswered arp requests from host attempting to find the hardware
address for . You need to proxy the hardware address of the
pptp_srvr for client in order for this request to be fulfilled. This is
the job of proxyarp. However, proxyarp has let us down in this
instance, and we need to find a workaround.
This can be done manually using the arp command on pptp_srvr. For
example, if the hardware address of the ethernet card on pptp_srvr is
00:60:08:98:14:14, you could force the arp to proxy the client pptp
address by saying
    arp --set 00:60:08:98:14:13 pub
You should now be able to ping from client to host through the pptp
connection.
This can be a problem, however, in a dynamic environment when clients
are logging into and out of the pptp server on a continuous basis. One
way around this problem is to write a script that will execute upon the
initiation of each ppp connection.
The place to do this is in /etc/ppp/ip-up. This script is executed each
time a new ppp connection is started. It gets some variables passed
into it, one of which is the assigned IP address of the client. Note
that RedHat systems use ip-up.local as the place for you to make the
script. Don't forget to chmod +x!
    #! /bin/bash
    # record when the link came up and which address the client received
    date > /var/run/ppp.up
    echo "REMOTE_IP_ADDRESS = $REMOTE_IP_ADDRESS" >> /var/run/ppp.up
    # publish this server's ethernet address on behalf of the client
    arp --set "$REMOTE_IP_ADDRESS" 00:60:08:98:14:14 pub >> /var/run/ppp.up
    exit 0
This should put you in business for accessing the remote subnet under
this scenario. I am a little bit concerned, however, because I also
built a script ip-down.local that should remove the arp proxy when
the client disconnected. It doesn't seem to do anything, however, and if I
try to delete the arp entry manually, it just spits out a cryptic error
message. The arp entries remain persistent, as far as I can tell. If
this is a problem or not, I don't know. The next few clients that log
in are treated well, so I guess it's OK.
****************************************************************************
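The ip-up script in the post above adds the published ARP entry but nothing takes it away again, so entries for addresses that are no longer connected stay published by the server. As an added example, not code from the post or from PoPToP, here is an ip-up/ip-down pair that publishes the entry on link up, removes it on link down, and keeps a record of live sessions so a stale entry is noticed instead of being silently re-published. The interface, hardware address and state file path are this example's placeholders; pppd's hook argument order (interface, tty, speed, local IP, remote IP, ipparam) is from the pppd manual.

```shell
#!/bin/sh
# Added example; not code from the post above or from PoPToP.
# Hook functions for /etc/ppp/ip-up and /etc/ppp/ip-down: publish a proxy
# ARP entry for the client when its link comes up, remove it when the link
# goes down, and record live sessions.  pppd calls the hooks with
#     interface tty speed local-ip remote-ip ipparam
# Assumptions: ETH_IF is the LAN interface whose hardware address is
# published; ETH_HWADDR and STATE are placeholders to adjust per site.
ETH_IF="${ETH_IF:-eth0}"
ETH_HWADDR="${ETH_HWADDR:-00:60:08:98:14:14}"
STATE="${STATE:-/var/run/pptp-proxyarp}"
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the arp command instead of running it

run() { if [ "$DRY_RUN" = 1 ]; then echo "arp $*"; else arp "$@"; fi; }

# Only a dotted quad may reach the arp command line.  The address comes
# from pppd, but a hook that trusts its arguments blindly is a bad habit.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# proxyarp_up IFACE TTY SPEED LOCAL REMOTE [IPPARAM]   (call from ip-up)
proxyarp_up() {
    remote="$5"
    is_ipv4 "$remote" || return 1
    # an address still on record means ip-down never ran for the previous
    # session; refuse rather than silently re-publish it
    if [ -n "$(awk -v ip="$remote" '$1 == ip' "$STATE" 2>/dev/null)" ]; then
        echo "proxyarp_up: $remote already published" >&2
        return 2
    fi
    run -i "$ETH_IF" -s "$remote" "$ETH_HWADDR" pub || return 1
    echo "$remote $1 $(date +%s)" >> "$STATE"
}

# proxyarp_down IFACE TTY SPEED LOCAL REMOTE [IPPARAM]   (call from ip-down)
# With net-tools arp a published entry is deleted with "-d addr pub";
# a plain "-d addr" fails, which is probably the cryptic error the post
# ran into.
proxyarp_down() {
    remote="$5"
    is_ipv4 "$remote" || return 1
    run -i "$ETH_IF" -d "$remote" pub || return 1
    [ -f "$STATE" ] || return 0
    awk -v ip="$remote" '$1 != ip' "$STATE" > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
}

# proxyarp_list: one "remote-ip ppp-interface epoch-seconds" line per live session
proxyarp_list() { [ -f "$STATE" ] && cat "$STATE"; return 0; }
```

In /etc/ppp/ip-up the call is `proxyarp_up "$@"`, in ip-down `proxyarp_down "$@"`, with DRY_RUN=0 so the arp commands actually run as root. The session file doubles as a cheap "who is connected" list.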
Q.
Also, after running pptpd and monitoring its log file and seeing that it
failed to open ttyp1, I chmod +rw /dev/ttyp[0-9] and it seemed to work
somewhat. But, after I rebooted, I had to do this again. Is this normal?
A.
pptpd should be running as root (unless you have a system with a setuid
openpty() helper, which isn't very common). If it fails to open a pty/tty
pair as root then that is probably because it is in use.
Other programs which use pty/ttys will change their permissions back to
the standard ones.
****************************************************************************
Q.
Sometimes when I make a connection to my pptpd server I
see a message like
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24
    Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21
in /var/log/messages on the server. Any idea what I
can do about it?
A.
Yeah, in your /lib/modules/<kernel version>/net/ directory there should
be files called bsd_comp.o and ppp_deflate.o. insmod those files and
you'll be good to go.
****************************************************************************
Q.
Hi, I'm having trouble getting pptpd & mschap-v2 to work. I downloaded
all of the patches and compiled everything but whenever I try to connect
from my win98 machine, it says:
    Error 691: The computer you have dialed in to has denied access because
    the username and/or password is invalid on the domain.
What is this supposed to mean?
A.
Error 691 is an authentication problem, probably due to the fact that MS
CHAP uses the domain name and username combo to authenticate. If you
look at the logs you will probably see a message saying that MS CHAP is
trying to authenticate user "domain\\username". I got it to work by
putting the full domain and user string in the client portion of the
chap-secrets file.
    # Secrets for authentication using CHAP
    # client            server    secret      IP addresses
    workgroup\\user     server    password    *
If anyone knows how to get it to default to a particular domain, I would
like to know.
****************************************************************************
Q.
How do I go about checking who is logged in via tunnel?
I need some way of writing the pppd data to wtmp/utmp
(and not sessreg either).
Does anyone know of any way of doing this via ppp?
A.
pppd syslogs everything to /var/log/messages (that's the default on my box
anyway) and it will say something like:
    pppd[15450]: CHAP peer authentication succeeded for <username>
You could do a tail /var/log/messages -n2000 | grep CHAP if you wanted to
see who has been logging in.
Other than that, there's not much I know of. All the authentication is
provided by pppd (if you don't have an auth or a require-chap (or pap, etc.)
option, it doesn't even ask for a username).
****************************************************************************
  468. ****************************************************************************
  469. Q.
  470. My NT client won't connect!
  471. A.
  472. Try taking header and software compression off.
  473. ****************************************************************************
  474. Q. PPTP *client* stops working.
  475. A.
  476. go to /var/run/pptp/ and look for a socket named x.x.x.x
  477. delete it and try it again.
  478. ****************************************************************************
Q.
How many clients does PoPToP support?
A.
The limits under Linux are:
per-process file descriptors
  - one per client (would limit clients to 256 by default,
    or 1024 with kernel recompile, or more with major libc/kernel
    hackery)
  - no relevant limit
ttys
  - currently, with a standard kernel, 256 clients
  - with Unix98 ptys and a small amount of coding, 2048
ppp devices
  - no limit in kernel source for ppp
  - limit of 100 in dev_alloc_name() in 2.2.x:
        for (i = 0; i < 100; i++) {
            sprintf(dev->name, name, i);
            if (dev_get(dev->name) == NULL)
                return i;
        }
    best fix is probably to keep a static int ppp_maxdev so you
    don't end up doing 2000 dev_get's to allocate the 2001st
    device.
processes
  - 2 per client plus system processes
  - standard kernel max = 512 processes, i.e. 256 clients
  - i386 max = 4096 processes, i.e. 2048 clients
So it seems that 2048 will be the limit, if you fix a few things and
with a minor kernel mod (I could do all of these pretty easily and send
you a trivial kernel patch). To go above 2048 the easiest approach would
be to combine pptpctrl and pppd in one process, which would get you to
4096. Beyond there, you need to go for a select() based model, which would
be significant coding effort and require large fd-set sizes and so on.
So 4096 is the practical limit, and 2048 the easy limit.
****************************************************************************
Q.
What authentication methods (PAP/CHAP) does PoPToP work with?
A.
PoPToP uses whatever authentication methods your pppd provides (usually
PAP and CHAP). With pppd patches you can get MSCHAP and MSCHAPv2
authentication as well.
****************************************************************************
Q.
When running PoPToP I get the following error:
    Jun 11 08:29:04 server pptpd[4875]: MGR: No more free connection slots!
What does this mean?
A.
I'd say at a guess you've only configured one IP address and you have
connected a client, and as such there are no more free connection slots should
any more clients wish to connect.
****************************************************************************
Q.
Does PoPToP suffer from the same security flaws
( ) as the Windows NT PPTP server?
A.
An initial look at the article suggests that what the authors hammered was
not the PPTP protocol, but the authentication that the PPTP VPN servers on
NT offered access to via the open internet. PPTP seems initially to be just
the path to the weakness, not the weakness itself. Part of their
observance of weakness deals with use of poor passwords as well, a cheap
component, simple enough to fix.
> While no flaws were found in PPTP itself, several serious flaws were
> found in the Microsoft implementation of it.
> ( )
The authors do not specifically say "this is ONLY effective against NT",
just that NT is affected. This implies that they do not recognize PoPToP,
and it may be included. The fact that PoPToP has to interoperate with MS DUN's
VPN client means that it will have the same weaknesses. It can only
protect itself from DoS attacks, have immediate response to out-of-sequence
packets or illogical packets, etc.
The protocol is not considered weak in this analysis, but the weaknesses
have to be replicated in apparent behavior by PoPToP. The only thing the
developers can do with PoPToP is make it a stronger server per se -- more
able to handle the attacks when they come.
In conclusion: PoPToP suffers the same security vulnerabilities as the NT
server (this is because it operates with Windows clients).
Update: MSCHAPv2 has been released and addresses some of the security
issues. PoPToP works with MSCHAPv2.
****************************************************************************
Q.
Does PoPToP support data encryption?
A.
Yes, with appropriate pppd patches. Patches are available for pppd to
provide Microsoft-compatible RC4 data encryption. The pppd patch supports
40 and 128 bit RC4 encryption.
****************************************************************************
  565. Q.
  566. PoPToP or IPsec? Which is better suited to my needs?
  567. A.
  568. 1. The difference between PoPToP and IPsec is that PoPToP is ready NOW..
  569. and requires *no* third party software on the Windows client end
  570. (Windows comes with a free PPTP client that is trivial to set up).
  571. 2. PoPToP is a completely *free* solution.
  572. Update: Unfortunately not true for Mac *clients* though. The Mac client
  573. software is around $400 US a copy.
  574. 3. PoPToP can be integrated with the latest PPPD patches that take
  575. advantage of MSCHAPv2 and MPPE (Microsoft encryption using RC4 - 40/128
  576. bits).
  577. More details follow from Emir Toktar:
  578. (Refs: A Comprehensive Guide to Virtual Private Networks, IBM.
  579. Virtual Private Networking: An Overview White Paper - DRAFT, 3/18/98
  580. Microsoft.)
  581. Neither network layer-based (L2TP, PPTP,...) nor application layer-based
  582. (IPSec,SSL,SSH) security techniques are the best choice for all
  583. situations. There will be trade-offs. Network layer security protects the
  584. information created by upper layer protocols, but it requires that IPSec
  585. be implemented in the communications stack.
  586. With network layer security, there is no need to modify existing upper
  587. layer applications. On the other hand, if security features are already
  588. imbedded within a given application, then the data for that specific
  589. application will be protected while it is in transit, even in the absence
  590. of network layer security. Therefore security functions must be imbedded
  591. on a per-application basis.
  592. There are still other considerations:
  593. Authentication is provided only for the identity of tunnel endpoints, but
  594. not for each individual packet that flows inside the tunnel. This can
  595. expose the tunnel to man-in-the-middle and spoofing attacks.
  596. Network layer security gives blanket protection, but this may not be as
  597. fine-grained as would be desired for a given application. It protects
  598. all traffic and is transparent to users and applications.
  599. Network layer security does not provide protection once the datagram has
  600. arrived at its destination host. That is, it is vulnerable to attack
  601. within the upper layers of the protocol stack at the destination machine.
  602. Application layer security can protect the information that has been
  603. generated within the upper layers of the stack, but it offers no
  604. protection against several common network layer attacks while the
  605. datagram is in transit. For example, a datagram in transit would be
  606. vulnerable to spoofing attacks against its source or destination address.
  607. Application layer security is more intelligent (as it knows the
  608. application) but also more complex and slower.
  609. IPSec provides for tunnel authentication, while PPTP does not.
  610. <User Authentication> Layer 2 tunneling protocols inherit the user
  611. authentication schemes of PPP, including the EAP methods discussed below.
  612. Many Layer 3 tunneling schemes assume that the endpoints were well
  613. known (and authenticated) before the tunnel was established. An exception
  614. to this is IPSec ISAKMP negotiation, which provides mutual authentication
of the tunnel endpoints. (Note that most IPSec implementations support
machine-based certificates only, rather than user certificates. As a
result, any user with access to one of the endpoint machines can use
the tunnel. This potential security weakness can be eliminated when
IPSec is paired with a Layer 2 protocol such as L2TP.)
  620. <Token card support> Using the Extensible Authentication Protocol
  621. (EAP), Layer 2 tunneling protocols can support a wide variety of
  622. authentication methods, including one-time passwords, cryptographic
  623. calculators, and smart cards. Layer 3 tunneling protocols (IPSec) can
  624. use similar methods; for example, IPSec defines public key certificate
  625. authentication in its ISAKMP/Oakley negotiation.
  626. <Dynamic address assignment> Layer 2 tunneling supports dynamic
  627. assignment of client addresses based on the Network Control Protocol
  628. (NCP) negotiation mechanism.
  629. Generally, Layer 3 tunneling schemes assume that an address has already
  630. been assigned prior to initiation of the tunnel. Schemes for assignment
  631. of addresses in IPSec tunnel mode are currently under development and
  632. are not yet available.
  633. <Data Compression> Layer 2 tunneling protocols support PPP-based
  634. compression schemes. For example, the Microsoft implementations of both
  635. PPTP and L2TP use Microsoft Point-to-Point Compression (MPPC). The IETF
  636. is investigating similar mechanisms (such as IP Compression) for the
  637. Layer 3 tunneling protocols.
  638. <Data Encryption> Layer 2 tunneling protocols support PPP-based data
  639. encryption mechanisms. Microsoft's implementation of PPTP supports
  640. optional use of Microsoft Point-to-Point Encryption (MPPE), based on
  641. the RSA/RC4 algorithm. Layer 3 tunneling protocols can use similar
  642. methods; for example, IPSec defines several optional data encryption
  643. methods which are negotiated during the ISAKMP/Oakley exchange.
<Key Management> MPPE, a Layer 2 protocol, relies on the initial key
generated during user authentication, and then refreshes it
periodically. IPSec explicitly negotiates a common key during the
ISAKMP exchange, and also refreshes it periodically.
  648. <Multi-protocol support> Layer 2 tunneling supports multiple payload
  649. protocols, which makes it easy for tunneling clients to access their
  650. corporate networks using IP, IPX, NetBEUI, and so forth. In contrast,
  651. Layer 3 tunneling protocols, such as IPSec tunnel mode, typically
  652. support only target networks that use the IP protocol. IPSec is not
  653. multi-protocol.
IPSec will be supported by Windows 2000.
  655. Many cases can occur, each of which needs to be examined on its own
  656. merit. It may be desirable to employ a mix of both network layer
  657. security techniques and application layer techniques to achieve the
  658. desired overall level of protection. For example, you could use an upper
  659. layer mechanism such as Secure Sockets Layer (SSL) to encrypt upper
  660. layer data. SSL could then be supplemented with IPSec's AH protocol at
  661. the network layer to provide per-packet data origin authentication and
  662. protection against spoofing attacks.
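The <Key Management> point above (MPPE keys come from the authentication exchange and are
then refreshed) is worth seeing in code. The following is an added illustration for this
FAQ, written in plain Python following RFC 3079 (key derivation from MS-CHAPv2) and RFC 3078
(key refresh); it is not code from PoPToP or pppd. The two SAMPLE_* values are constructed
test bytes, not material from a real exchange, and the MD4 step that produces the
PasswordHashHash is assumed to have been done already.

```python
"""MPPE key derivation from MS-CHAPv2 material (RFC 3079 section 3) and the
periodic key refresh (RFC 3078 section 7.3), in plain Python.

Added illustration for this FAQ, not code from PoPToP or pppd. The two
SAMPLE_* values are constructed test bytes, not from a real exchange."""
import hashlib

# Constants from RFC 3079: Magic1 is 27 bytes, Magic2 and Magic3 are 84 bytes.
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHAPAD1 = b"\x00" * 40
SHAPAD2 = b"\xf2" * 40

# Constructed inputs: MD4(MD4(UTF-16LE password)) is 16 bytes, NTResponse 24.
SAMPLE_PW_HASH_HASH = bytes(range(16))
SAMPLE_NT_RESPONSE = bytes(range(24))


def get_master_key(pw_hash_hash, nt_response):
    """MasterKey = SHA1(PasswordHashHash || NTResponse || Magic1)[:16].
    Both inputs are authentication material, so whoever recovers the
    MS-CHAPv2 password hash can also reproduce the MPPE keys."""
    if len(pw_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("need 16-byte PasswordHashHash and 24-byte NTResponse")
    return hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key, key_len, is_send, is_server):
    """Send and receive start keys differ; the client's send key equals the
    server's receive key because the two sides pick opposite magic strings."""
    magic = MAGIC3 if is_send == is_server else MAGIC2
    return hashlib.sha1(master_key + SHAPAD1 + magic + SHAPAD2).digest()[:key_len]


def reduce_key(key, bits):
    """MPPE key-length reduction: a 40-bit key is 8 bytes with the first three
    fixed to D1 26 9E, a 56-bit key has its first byte fixed to D1, and a
    128-bit key is the full 16 bytes. The fixed bytes are what make the
    '40-bit' RC4 mode carry only 40 bits of key."""
    if bits == 40:
        return b"\xd1\x26\x9e" + key[3:8]
    if bits == 56:
        return b"\xd1" + key[1:8]
    if bits == 128:
        return key[:16]
    raise ValueError("MPPE supports 40-, 56- or 128-bit keys")


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA); MPPE uses it for traffic and key refresh."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def refresh_key(start_key, session_key, bits):
    """GetNewKeyFromSHA followed by RC4 of the interim key with itself and
    the length reduction. Every refreshed key is a deterministic function of
    the start key and the previous key, so the periodic refresh adds no
    entropy beyond what the authentication exchange produced."""
    n = len(session_key)
    interim = hashlib.sha1(start_key + SHAPAD1 + session_key + SHAPAD2).digest()[:n]
    return reduce_key(rc4(interim, interim), bits)


def initial_session_keys(pw_hash_hash, nt_response, bits, is_server):
    """Return (send_key, recv_key) for one side. Per RFC 3079 the first
    session key is the start key refreshed with itself."""
    master = get_master_key(pw_hash_hash, nt_response)
    n = 16 if bits == 128 else 8
    send_start = get_asymmetric_start_key(master, n, True, is_server)
    recv_start = get_asymmetric_start_key(master, n, False, is_server)
    return (refresh_key(send_start, send_start, bits),
            refresh_key(recv_start, recv_start, bits))


if __name__ == "__main__":
    for bits in (40, 128):
        c_send, _ = initial_session_keys(SAMPLE_PW_HASH_HASH, SAMPLE_NT_RESPONSE, bits, False)
        _, s_recv = initial_session_keys(SAMPLE_PW_HASH_HASH, SAMPLE_NT_RESPONSE, bits, True)
        print(bits, "client send", c_send.hex(), "matches server recv:", c_send == s_recv)
```

Two things to take from running it: the client's send key and the server's receive key come out
identical without any key exchange on the wire, and in 40-bit mode three of the eight key bytes
are constants, which is the concrete meaning of "RC4 - 40 bits" in item 3 above.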
  663. ****************************************************************************
  664. Q.
  665. I get a 'createHostSocket: Address already in use' error! what gives?
  666. A.
'Address already in use' from createHostSocket means another process already
holds the PPTP control port, TCP 1723 - most often a pptpd that is still
running or was not shut down cleanly. Find the owner with 'netstat -tlnp'
(or 'ss -ltnp') and stop it before starting a new pptpd.
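To reproduce the collision and name the process holding the port, here is an added example for
this FAQ (not PoPToP code). It binds TCP 1723 the way a daemon would and, if that fails with
EADDRINUSE, parses 'ss -ltnp' output for the owner. The SAMPLE_SS text is a constructed 'ss'
listing, not captured from a real host; the function names are this example's own.

```python
"""Check whether TCP 1723 (the PPTP control port) is free and, if not, find
who holds it. Added illustration for this FAQ, not PoPToP code; SAMPLE_SS is
a constructed `ss -ltnp` listing, not captured from a host."""
import errno
import re
import shutil
import socket
import subprocess

PPTP_PORT = 1723
ADDR_IN_USE = errno.EADDRINUSE


def probe_bind(port, host="0.0.0.0"):
    """Try to take the port exactly as a daemon would (bind + listen, no
    SO_REUSEADDR). Returns (True, None) if free, (False, errno) otherwise."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return True, None
    except OSError as e:
        return False, e.errno
    finally:
        s.close()


def hold_port(port=0, host="0.0.0.0"):
    """Occupy a port (0 = any free one) so the collision can be reproduced.
    Returns (socket, port); the caller closes the socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    return s, s.getsockname()[1]


# Constructed sample of `ss -ltnp` output showing a stale pptpd on 1723.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:1723      0.0.0.0:*    users:(("pptpd",pid=2341,fd=4))
LISTEN 0      128    [::]:22           [::]:*       users:(("sshd",pid=812,fd=4))
"""

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\((.*)\)\)\s*$")
_PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def listeners_on(port, ss_output):
    """Parse `ss -ltnp` text; return [(process, pid), ...] listening on port."""
    found = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            found.extend((p, int(pid)) for p, pid in _PROC_RE.findall(m.group(3)))
    return found


def diagnose(port=PPTP_PORT):
    """What an admin wants on 'createHostSocket: Address already in use':
    confirm the collision, then name the holder (seeing other users'
    processes needs root, and `ss` comes from iproute2)."""
    ok, err = probe_bind(port)
    if ok:
        return "port %d is free" % port
    if err != ADDR_IN_USE:
        return "bind on %d failed: %s" % (port, errno.errorcode.get(err, err))
    if shutil.which("ss") is None:
        return "port %d in use; install iproute2 or use netstat -tlnp" % port
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    holders = listeners_on(port, out) or [("unknown (run as root)", 0)]
    return "port %d in use by %s" % (port, ", ".join("%s[%d]" % h for h in holders))


if __name__ == "__main__":
    print(diagnose())
```

Run it as root on the PoPToP host; on the constructed listing it reports pptpd with PID 2341 as
the holder of 1723, which is the stale daemon to stop before restarting.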
  669. ****************************************************************************
  670. Q.
  671. Does PoPToP work with Windows 2000 clients?
  672. A.
  673. PoPToP v0.9.5 and above should work with Windows 2000 clients.
  674. ****************************************************************************