thr3ads.net - freebsd security - Fw: VPN setup problem

If this information is useful, please help other people find it:
Share via:

Koroush Saraf

2003-Jun-30 19:12 UTC

Fw: VPN setup problem - proxy arp I think

Hi all,

I read the setup at http://www.blackh0le.net/articles/vpn-dun-howto.html to
setup my VPN.
However, I'm having a problem which I think is proxy-ARP not working.  I
like to ask you to see if you know what's going on.  When I ping 10.77.1.1
from windows XP machine the packets get to the 10.77.1.1 machine, but they
don't have a return path to get back.  When I do ping the windows machine
from 10.77.1.1 I get:
ping: sendto: Host is down

When I add static route to 10.77.1.1 the machines can talk to each other. 
(route add 10.77.1.50/32 10.77.1.2)
 But I don't think I need to setup a static route if Proxy ARP worked!

I've included my config files in this email.  Please note that the I get a
message back saying "[pptp1] no interface to proxy arp on for
10.77.1.50"  could this be my problem?  how can I fix it?
Thanks very much,
~koroush


========================

I network looks as follows

Freebsd 4.6
IP 10.77.1.1/24
    |
    |
fxp0:10.77.1.2/24
Freebsd 4.8 (DELL2) (only 1 network card)
ng0: 10.77.13
    |
    |
Windows XP machine with tunnel.
10.77.1.50



=================Config files for Dell 2:
DELL2# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 129.197.244.10 netmask 0xfffffff0 broadcast 129.197.244.15
        inet 10.0.0.249 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.77.1.2 netmask 0xffffff00 broadcast 10.77.1.255
        inet 10.77.2.2 netmask 0xffffff00 broadcast 10.77.2.255
        inet 10.77.3.2 netmask 0xffffff00 broadcast 10.77.3.255
        inet 10.77.4.2 netmask 0xffffff00 broadcast 10.77.4.255
        inet 10.77.5.2 netmask 0xffffff00 broadcast 10.77.5.255
        ether 00:07:e9:87:ca:4f
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 16384
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1256
        inet 10.77.1.2 --> 10.77.1.50 netmask 0xffffffff
ng1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
ng2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
ng4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500

==============
DELL2# pwd
/usr/local/etc/mpd
DELL2# cat mpd.conf
default:
        load client1
        load client2
        load client3
        load client4
        load client5

pptp_common_settings:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate
        set iface disable on-demand
        set iface enable proxy-arp
#       set iface idle 1800
        set bundle enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
#       set link keep-alive 10 60
        set link mtu 1260
        set ipcp yes vjcomp
#       set ipcp ranges 10.77.1.1/32 10.77.1.50/32
#       set ipcp dns 10.77.1.1
#       set ipcp nbns 10.77.1.1
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
#       set ccp yes mpp-e128
        set ccp yes mpp-stateless

client1:
        new -i ng0 pptp1 pptp1
        set ipcp range 10.77.1.2/24 10.77.1.50/24
        load pptp_common_settings

client2:
        new -i ng1 pptp2 pptp2
        set ipcp range 10.77.2.2/32 10.77.2.50/32
        load pptp_common_settings

client3:
        new -i ng2 pptp3 pptp3
        set ipcp range 10.77.3.3/32 10.77.3.50/32
        load pptp_common_settings

client4:
        new -i ng3 pptp4 pptp4
        set ipcp range 10.77.4.3/32 10.77.4.50/32
        load pptp_common_settings

client5:
        new -i ng4 pptp5 pptp5
        set ipcp range 10.77.5.3/32 10.77.5.50/32
        load pptp_common_settings

DELL2#
====================DELL2# cat mpd.secret
demo1 "demo1" 10.77.1.50/24
demo2 "demo2" 10.77.2.50/24
demo3 "demo3" 10.77.3.50/24
demo4 "demo4" 10.77.4.50/24
demo5 "demo5" 10.77.5.50/24

========RUN TIME =======
DELL2# mdp default
mdp: Command not found.
DELL2# mpd default
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 281, version 3.13 (root@DELL2.lmms.lmco.com 09:44 23-Jun-2003)
[pptp1] ppp node is "mpd281-pptp1"
mpd: local IP address for PPTP is 129.197.244.10
[pptp1] using interface ng0
[pptp1] device type already set to pptp
[pptp2] ppp node is "mpd281-pptp2"
[pptp2] using interface ng1
[pptp2] device type already set to pptp
[pptp3] ppp node is "mpd281-pptp3"
[pptp3] using interface ng2
[pptp3] device type already set to pptp
[pptp4] ppp node is "mpd281-pptp4"
[pptp4] using interface ng3
[pptp4] device type already set to pptp
[pptp5] ppp node is "mpd281-pptp5"
[pptp5] using interface ng4
[pptp5] device type already set to pptp
[pptp5:pptp5] mpd: PPTP connection from 129.197.244.12:1127
pptp0: attached to connection with 129.197.244.12:1127
[pptp1] IFACE: Open event
[pptp1] IPCP: Open event
[pptp1] IPCP: state change Initial --> Starting
[pptp1] IPCP: LayerStart
[pptp1] IPCP: Open event
[pptp1] bundle: OPEN event in state CLOSED
[pptp1] opening link "pptp1"...
[pptp1] link: OPEN event
[pptp1] LCP: Open event
[pptp1] LCP: state change Initial --> Starting
[pptp1] LCP: LayerStart
[pptp1] device: OPEN event in state DOWN
[pptp1] attaching to peer's outgoing call
[pptp1] device is now in state OPENING
[pptp1] device: UP event in state OPENING
[pptp1] device is now in state UP
[pptp1] link: UP event
[pptp1] link: origination is remote
[pptp1] LCP: Up event
[pptp1] LCP: state change Starting --> Req-Sent
[pptp1] LCP: phase shift DEAD --> ESTABLISH
[pptp1] LCP: SendConfigReq #1
 ACFCOMP
 PROTOCOMP
 MRU 1500
 MAGICNUM 5611757b
 AUTHPROTO CHAP MSOFTv2
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 07 e9 87 ca 4f
pptp0-0: ignoring SetLinkInfo
[pptp1] LCP: rec'd Configure Request #0 link 0 (Req-Sent)
 MRU 1400
 MAGICNUM 4d905023
 PROTOCOMP
 ACFCOMP
 CALLBACK
   Not supported
[pptp1] LCP: SendConfigRej #0
 CALLBACK
[pptp1] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
 MRU 1400
 MAGICNUM 4d905023
 PROTOCOMP
 ACFCOMP
[pptp1] LCP: SendConfigAck #1
 MRU 1400
 MAGICNUM 4d905023
 PROTOCOMP
 ACFCOMP
[pptp1] LCP: state change Req-Sent --> Ack-Sent
[pptp1] LCP: SendConfigReq #2
 ACFCOMP
 PROTOCOMP
 MRU 1500
 MAGICNUM 5611757b
 AUTHPROTO CHAP MSOFTv2
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 07 e9 87 ca 4f
[pptp1] LCP: rec'd Configure Reject #2 link 0 (Ack-Sent)
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 07 e9 87 ca 4f
[pptp1] LCP: SendConfigReq #3
 ACFCOMP
 PROTOCOMP
 MRU 1500
 MAGICNUM 5611757b
 AUTHPROTO CHAP MSOFTv2
[pptp1] LCP: rec'd Configure Ack #3 link 0 (Ack-Sent)
 ACFCOMP
 PROTOCOMP
 MRU 1500
 MAGICNUM 5611757b
 AUTHPROTO CHAP MSOFTv2
[pptp1] LCP: state change Ack-Sent --> Opened
[pptp1] LCP: phase shift ESTABLISH --> AUTHENTICATE
[pptp1] LCP: auth: peer wants nothing, I want CHAP
[pptp1] CHAP: sending CHALLENGE
[pptp1] LCP: LayerUp
[pptp1] LCP: rec'd Ident #2 link 0 (Opened)
 MESG: MSRASV5.10
pptp0-0: ignoring SetLinkInfo
[pptp1] LCP: rec'd Ident #3 link 0 (Opened)
 MESG: MSRAS-1-DELL4
[pptp1] CHAP: rec'd RESPONSE #1
 Name: "demo1"
 Peer name: "demo1"
 Response is valid
[pptp1] CHAP: sending SUCCESS
[pptp1] LCP: authorization successful
[pptp1] LCP: phase shift AUTHENTICATE --> NETWORK
[pptp1] setting interface ng0 MTU to 1260 bytes
[pptp1] up: 1 link, total bandwidth 64000 bps
[pptp1] IPCP: Up event
[pptp1] IPCP: state change Starting --> Req-Sent
[pptp1] IPCP: SendConfigReq #1
 IPADDR 10.77.1.2
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp1] CCP: Open event
[pptp1] CCP: state change Initial --> Starting
[pptp1] CCP: LayerStart
[pptp1] CCP: Up event
[pptp1] CCP: state change Starting --> Req-Sent
[pptp1] CCP: SendConfigReq #1
 MPPC
   0x01000020: MPPE, 40 bit, stateless
[pptp1] CCP: rec'd Configure Request #4 link 0 (Req-Sent)
 MPPC
   0x01000001: MPPC
[pptp1] CCP: SendConfigNak #4
 MPPC
   0x01000020: MPPE, 40 bit, stateless
[pptp1] IPCP: rec'd Configure Request #5 link 0 (Req-Sent)
 IPADDR 0.0.0.0
   NAKing with 10.77.1.50
 PRIDNS 0.0.0.0
 PRINBNS 0.0.0.0
 SECDNS 0.0.0.0
 SECNBNS 0.0.0.0
[pptp1] IPCP: SendConfigRej #5
 PRIDNS 0.0.0.0
 PRINBNS 0.0.0.0
 SECDNS 0.0.0.0
 SECNBNS 0.0.0.0
[pptp1] IPCP: rec'd Configure Reject #1 link 0 (Req-Sent)
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp1] IPCP: SendConfigReq #2
 IPADDR 10.77.1.2
[pptp1] CCP: rec'd Configure Ack #1 link 0 (Req-Sent)
 MPPC
   0x01000020: MPPE, 40 bit, stateless
[pptp1] CCP: state change Req-Sent --> Ack-Rcvd
[pptp1] CCP: rec'd Configure Request #6 link 0 (Ack-Rcvd)
 MPPC
   0x01000020: MPPE, 40 bit, stateless
[pptp1] CCP: SendConfigAck #6
 MPPC
   0x01000020: MPPE, 40 bit, stateless
[pptp1] CCP: state change Ack-Rcvd --> Opened
[pptp1] CCP: LayerUp
  Compress using: MPPE, 40 bit, stateless
Decompress using: MPPE, 40 bit, stateless
[pptp1] setting interface ng0 MTU to 1256 bytes
[pptp1] IPCP: rec'd Configure Request #7 link 0 (Req-Sent)
 IPADDR 0.0.0.0
   NAKing with 10.77.1.50
[pptp1] IPCP: SendConfigNak #7
 IPADDR 10.77.1.50
[pptp1] IPCP: rec'd Configure Ack #2 link 0 (Req-Sent)
 IPADDR 10.77.1.2
[pptp1] IPCP: state change Req-Sent --> Ack-Rcvd
[pptp1] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd)
 IPADDR 10.77.1.50
   10.77.1.50 is OK
[pptp1] IPCP: SendConfigAck #8
 IPADDR 10.77.1.50
[pptp1] IPCP: state change Ack-Rcvd --> Opened
[pptp1] IPCP: LayerUp
  10.77.1.2 -> 10.77.1.50
[pptp1] IFACE: Up event
[pptp1] setting interface ng0 MTU to 1256 bytes
[pptp1] exec: /sbin/ifconfig ng0 10.77.1.2 10.77.1.50 netmask 0xffffffff -link0
[pptp1] no interface to proxy arp on for 10.77.1.50
[pptp1] exec: /sbin/route add 10.77.1.2 -iface lo0
[pptp1] IFACE: Up event

Michael Collette

2003-Jul-01 17:28 UTC

head link

Fw: VPN setup problem - proxy arp I think

Koroush,

Couple of notes included within your config.  A few comments to follow, along 
with a version of my working mpd.conf file.  Moving along....

On Monday 30 June 2003 07:12 pm, Koroush Saraf wrote:> Hi all,
>
> I read the setup at http://www.blackh0le.net/articles/vpn-dun-howto.html to
> setup my VPN. However, I'm having a problem which I think is proxy-ARP
not
> working.  I like to ask you to see if you know what's going on.  When I
> ping 10.77.1.1 from windows XP machine the packets get to the 10.77.1.1
> machine, but they don't have a return path to get back.  When I do ping
the
> windows machine from 10.77.1.1 I get: ping: sendto: Host is down
>
> When I add static route to 10.77.1.1 the machines can talk to each other.
> (route add 10.77.1.50/32 10.77.1.2)
>  But I don't think I need to setup a static route if Proxy ARP worked!
>
> I've included my config files in this email.  Please note that the I
get a
> message back saying "[pptp1] no interface to proxy arp on for
10.77.1.50"
> could this be my problem?  how can I fix it? Thanks very much,
> ~koroush
A couple of points I don't believe the article in question addresses.  First
off, several folks on this list and around web sites recommended changes to 
the MTU.  Usually the recommendation was to increase it to larger than 1400.  
This can no longer be done.  XP will not recognize anything above 1400, and 
making it smaller fixes nothing.

You should not need to add any static routing information to the IP stack of 
either the FreeBSD box or the Windows one.  Both MPD and PPTP handle the 
routing issues for you.  Leave each box pointing to their usual default 
gateway.

The way this works is that when the PPTP client connects to MPD it is actually 
given an IP address within the secure segment of your network.  Packets route 
through MPD rather than through the normal IP stack.

It is REALLY important that you find the setting in Windows to turn off
"Use
remote gateway by default" in the PPTP properties.  This is on by default, 
and will cause you problems.

Also be sure to turn off software compression in the PPTP properties.  Even if 
turned on in MPD it will not work, and will very likely mess up your 
connection.
> ========================>
>
> I network looks as follows
>
> Freebsd 4.6
> IP 10.77.1.1/24
>
>
> fxp0:10.77.1.2/24
> Freebsd 4.8 (DELL2) (only 1 network card)
> ng0: 10.77.13
>
>
> Windows XP machine with tunnel.
> 10.77.1.50
>
>
>
> =================> Config files for Dell 2:
> DELL2# ifconfig -a
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 129.197.244.10 netmask 0xfffffff0 broadcast 129.197.244.15
>         inet 10.0.0.249 netmask 0xffffff00 broadcast 10.0.0.255
>         inet 10.77.1.2 netmask 0xffffff00 broadcast 10.77.1.255
>         inet 10.77.2.2 netmask 0xffffff00 broadcast 10.77.2.255
>         inet 10.77.3.2 netmask 0xffffff00 broadcast 10.77.3.255
>         inet 10.77.4.2 netmask 0xffffff00 broadcast 10.77.4.255
>         inet 10.77.5.2 netmask 0xffffff00 broadcast 10.77.5.255
>         ether 00:07:e9:87:ca:4f
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> lo1: flags=8008<LOOPBACK,MULTICAST> mtu 16384
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu
1256
>         inet 10.77.1.2 --> 10.77.1.50 netmask 0xffffffff
> ng1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
> ng2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
> ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
> ng4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
>
> ==============>
> DELL2# pwd
> /usr/local/etc/mpd
> DELL2# cat mpd.conf
> default:
>         load client1
>         load client2
>         load client3
>         load client4
>         load client5
>
> pptp_common_settings:
>     set link type pptp
>     set pptp enable incoming
>     set pptp disable originate
>         set iface disable on-demand
>         set iface enable proxy-arp
> #       set iface idle 1800
>         set bundle enable multilink
>         set link yes acfcomp protocomp
>         set link no pap chap
>         set link enable chap
> #       set link keep-alive 10 60
>         set link mtu 1260
As stated, the max XP MTP is 1400.  Use it.  1260 is too darn small for a 
reasonably fast connection.
>         set ipcp yes vjcomp
> #       set ipcp ranges 10.77.1.1/32 10.77.1.50/32
> #       set ipcp dns 10.77.1.1
> #       set ipcp nbns 10.77.1.1
>         set bundle enable compression
>         set ccp yes mppc
>         set ccp yes mpp-e40
> #       set ccp yes mpp-e128
Turn off the 40, turn on the 128.  Only Windows 98 and older need 40-bit 
encryption.  For older versions of Windows you just need to download the 
latest DUN.  I believe it's at 1.4.  It is still very much available from
the
Microsoft web site.
>         set ccp yes mpp-stateless
>
> client1:
>         new -i ng0 pptp1 pptp1
>         set ipcp range 10.77.1.2/24 10.77.1.50/24
>         load pptp_common_settings


And now my mpd.conf.  The first 3 octets replaced with x.x.x for security 
reasons.  The 254 address is my secure interface port.

I've only shown 2 clients here, though my config actually has over 20.  
Figured this would be enough for you to get the gist of things.

=========================================================================default:
        load client00
        load client01

client00:
        new -i ng0 pptp0 pptp0
        set ipcp ranges x.x.x.254/32 x.x.x.210/25
        load clientStandard

client01:
        new -i ng1 pptp1 pptp1
        set ipcp ranges x.x.x.254/32 x.x.x.211/25
        load clientStandard

clientStandard:
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 3600
        set iface mtu 1400

        set bundle disable multilink
        set bundle enable compression
        set bundle yes crypt-reqd

        set link mtu 1400
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set link yes acfcomp protocomp

        set ipcp dns x.x.x.253
        set ipcp nbns x.x.x.253

        set ipcp yes vjcomp

        set ccp yes mppc
        # set ccp yes mpp-e40
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set ccp enable mpp-compress
=========================================================================
Yes, I know some of this goes against some of my earlier advice.  This is 
pretty much where I just stopped tweaking on the darn thing.  This config 
file does work, as I have outside users coming through it every day now.  
Gotta love a world with FreeBSD in it! :)

Let me know how it goes!

Later on,
-- 
"Always listen to experts.  They'll tell you what can't be done,
and why.
Then do it."
- Robert A. Heinlein

Apparently Analagous Threads

Search for more reasonably related threads

freebsd security - Jun 2003 - Fw: VPN setup problem - proxy arp I think

Fw: VPN setup problem - proxy arp I think

Fw: VPN setup problem - proxy arp I think

Apparently Analagous Threads