Shorewall users - Jul 2002 - PPTP - PTY read or GRE write failed

Hi Tom:

After following the docs on the PPTP setup and reviewing the support area, I
am at a lost on how to resolve the following error with connecting a Win2k box
to a Shorewall FW with PPTP:

Jul 11 02:05:37 mlserver pptpd[6545]: GRE: read(fd=5,buffer=804d9c0,len=8196)
from PTY failed: status = -1 error = Input/output error
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: PTY read or GRE write failed
(pty,gre)=(5,6)

Any ideas or do you need some additional info.

Thanks again for such a great product!

Regards,

Michael Bush

Digital Minds International
E-Mail:MikeB@DigitalMinds.net
Web: http://www.DigitalMinds.net
Tel: (615) 661-7900
Fax: (615) 661-7949


Jul 11 01:53:22 mlserver pptpd[3272]: MGR: Reaped child 4911
Jul 11 02:05:37 mlserver pptpd[6545]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: local address = 192.168.0.220
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: remote address = 192.168.1.235
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: pppd speed = 115200
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: pppd options file
/etc/ppp/options.poptop
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Client xx.xx.xx.xx control
connection started
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Received PPTP Control Message
(type: 1)
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Made a START CTRL CONN RPLY packet
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: I wrote 156 bytes to the client.
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Sent packet to client
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Received PPTP Control Message
(type: 7)
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Set parameters to 1525 maxbps, 64
window size
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Made a OUT CALL RPLY packet
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Starting call (launching pppd,
opening GRE)
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: pty_fd = 5
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: tty_fd = 6
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: I wrote 32 bytes to the client.
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Sent packet to client
Jul 11 02:05:37 mlserver pptpd[6546]: CTRL (PPPD Launcher): Connection speed
115200
Jul 11 02:05:37 mlserver pptpd[6546]: CTRL (PPPD Launcher): local address
192.168.0.220
Jul 11 02:05:37 mlserver pptpd[6546]: CTRL (PPPD Launcher): remote address
192.168.1.235
Jul 11 02:05:37 mlserver pptpd[6545]: GRE: read(fd=5,buffer=804d9c0,len=8196)
from PTY failed: status = -1 error = Input/output error
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: PTY read or GRE write failed
(pty,gre)=(5,6)
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Client xx.xx.xx.xx control
connection finished
Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: Exiting now
Jul 11 02:05:37 mlserver pptpd[3272]: MGR: Reaped child 6545

On Thu, 11 Jul 2002, Michael Bush wrote:
> Hi Tom:
>
> After following the docs on the PPTP setup and reviewing the support area,
I
> am at a lost on how to resolve the following error with connecting a Win2k
box
> to a Shorewall FW with PPTP:
>
> Jul 11 02:05:37 mlserver pptpd[6545]: GRE:
read(fd=5,buffer=804d9c0,len=8196)
> from PTY failed: status = -1 error = Input/output error
> Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: PTY read or GRE write failed
> (pty,gre)=(5,6)
>
> Any ideas or do you need some additional info.
>
Turn on debugging and be sure to set syslogd to direct DAEMON.DEBUG
messages to a separate log file.

While not related, I notice that the remote and local IP are from
different subnetworks -- that NEVER works.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Hi Tom:

Output I sent to the list was generated to the daemon.debug log that I setup
via the syslogd with debug on.  Have I missed something on setting the debug
to daemon.debug log up?  I set it up per your previous post to another user.

With regards to the different subnetworks, I agree.  I briefly tried a
different subnet last night and missed it when posting the log file.  Sorry
for the confusion.

Just let me know what I need to provide you to help solve the issue.

Thanks,

Mike Bush

Digital Minds International
E-Mail:MikeB@DigitalMinds.net
Web: http://www.DigitalMinds.net
Tel: (615) 661-7900
Fax: (615) 661-7949


---------- Original Message -----------
From: Tom Eastep <teastep@shorewall.net>
To: Michael Bush <MikeB@digitalminds.net>
Sent: Thu, 11 Jul 2002 05:59:42 -0700 (Pacific Daylight Time)
Subject: Re: [Shorewall-users] PPTP - PTY read or GRE write failed
> On Thu, 11 Jul 2002, Michael Bush wrote:
> 
> > Hi Tom:
> >
> > After following the docs on the PPTP setup and reviewing the support
area, I
> > am at a lost on how to resolve the following error with connecting a
Win2k box
> > to a Shorewall FW with PPTP:
> >
> > Jul 11 02:05:37 mlserver pptpd[6545]: GRE:
read(fd=5,buffer=804d9c0,len=8196)
> > from PTY failed: status = -1 error = Input/output error
> > Jul 11 02:05:37 mlserver pptpd[6545]: CTRL: PTY read or GRE write
failed
> > (pty,gre)=(5,6)
> >
> > Any ideas or do you need some additional info.
> >
> 
> Turn on debugging and be sure to set syslogd to direct DAEMON.DEBUG
> messages to a separate log file.
> 
> While not related, I notice that the remote and local IP are from
> different subnetworks -- that NEVER works.
> 
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
------- End of Original Message -------

--On Thursday, July 11, 2002 08:19:31 -0500 Michael Bush 
<MikeB@digitalminds.net> wrote:
> Hi Tom:
>
> Output I sent to the list was generated to the daemon.debug log that I
> setup via the syslogd with debug on.  Have I missed something on setting
> the debug to daemon.debug log up?  I set it up per your previous post to
> another user.
Well, you have missed SOMETHING since there''s no pppd debugging output
in
the log that you included in your original report. In fact, there is no 
pppd output at all!!!
>
> With regards to the different subnetworks, I agree.  I briefly tried a
> different subnet last night and missed it when posting the log file.
> Sorry for the confusion.
>
> Just let me know what I need to provide you to help solve the issue.
>
I need to see pppd debugging output. Note that this problem is very OT for 
this list; I''ll take a quick look at your debugging output but will 
probably end up refering you to the PPTP server list.

To get debugging output:

Modify /etc/syslog.conf to add the following:

*.debug				/var/log/debug

Restart syslogd

Modify your /etc/ppp/options file to add the line:

debug

Now try to connect -- /var/log/debug will contain LOTS of output

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom:

Here is the debug file output below.

Thanks for you guidiance.  Just wanting to make sure shorewall is setup
properly for PPTP and I have not missed anything.

Michael Bush

Digital Minds International
E-Mail:MikeB@DigitalMinds.net
Web: http://www.DigitalMinds.net
Tel: (615) 661-7900
Fax: (615) 661-7949

-------/etc/log/debug---------------

Jul 11 08:59:44 mlserver syslogd 1.4.1: restart.
Jul 11 08:59:44 mlserver syslog: syslogd startup succeeded
Jul 11 08:59:44 mlserver kernel: klogd 1.4.1, log source = /proc/kmsg started.
Jul 11 08:59:44 mlserver syslog: klogd startup succeeded
Jul 11 08:59:44 mlserver syslog: syslogd shutdown succeeded
Jul 11 09:00:00 mlserver CROND[7481]: (root) CMD (/usr/bin/mrtg
/etc/mrtg/mrtg.cfg)
Jul 11 09:00:00 mlserver CROND[7482]: (root) CMD (/usr/lib/sa/sa1 1 1)
Jul 11 09:00:00 mlserver pptpd[7484]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: local address = 192.168.0.221
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: remote address = 192.168.0.236
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: pppd speed = 115200
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: pppd options file
/etc/ppp/options.poptop
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Client xx.xx.xx.xx control
connection started
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Received PPTP Control Message
(type: 1)
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Made a START CTRL CONN RPLY packet
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: I wrote 156 bytes to the client.
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Sent packet to client
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Received PPTP Control Message
(type: 7)
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Set parameters to 1525 maxbps, 64
window size
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Made a OUT CALL RPLY packet
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Starting call (launching pppd,
opening GRE)
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: pty_fd = 5
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: tty_fd = 6
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: I wrote 32 bytes to the client.
Jul 11 09:00:00 mlserver pptpd[7485]: CTRL (PPPD Launcher): Connection speed
115200
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Sent packet to client
Jul 11 09:00:00 mlserver pptpd[7485]: CTRL (PPPD Launcher): local address
192.168.0.221
Jul 11 09:00:00 mlserver pptpd[7485]: CTRL (PPPD Launcher): remote address
192.168.0.236
Jul 11 09:00:00 mlserver pptpd[7484]: GRE: read(fd=5,buffer=804d9c0,len=8196)
from PTY failed: status = -1 error = Input/output error
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: PTY read or GRE write failed
(pty,gre)=(5,6)
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Client xx.xx.xx.xx control
connection finished
Jul 11 09:00:00 mlserver pptpd[7484]: CTRL: Exiting now
Jul 11 09:00:00 mlserver pptpd[7429]: MGR: Reaped child 7484


-------end of debug---------------------


---------- Original Message -----------
From: Tom Eastep <teastep@shorewall.net>
To: Michael Bush <MikeB@digitalminds.net>,
"shorewall-users@shorewall.net"
<shorewall-users@shorewall.net>
Sent: Thu, 11 Jul 2002 06:47:59 -0700
Subject: Re: [Shorewall-users] PPTP - PTY read or GRE write failed
> --On Thursday, July 11, 2002 08:19:31 -0500 Michael Bush 
> <MikeB@digitalminds.net> wrote:
> 
> > Hi Tom:
> >
> > Output I sent to the list was generated to the daemon.debug log that I
> > setup via the syslogd with debug on.  Have I missed something on
setting
> > the debug to daemon.debug log up?  I set it up per your previous post
to
> > another user.
> 
> Well, you have missed SOMETHING since there''s no pppd debugging 
> output in the log that you included in your original report. In fact,
>  there is no pppd output at all!!!
> 
> >
> > With regards to the different subnetworks, I agree.  I briefly tried a
> > different subnet last night and missed it when posting the log file.
> > Sorry for the confusion.
> >
> > Just let me know what I need to provide you to help solve the issue.
> >
> 
> I need to see pppd debugging output. Note that this problem is very 
> OT for this list; I''ll take a quick look at your debugging output 
> but will probably end up refering you to the PPTP server list.
> 
> To get debugging output:
> 
> Modify /etc/syslog.conf to add the following:
> 
> *.debug	
		/var/log/debug
> 
> Restart syslogd
> 
> Modify your /etc/ppp/options file to add the line:
> 
> debug
> 
> Now try to connect -- /var/log/debug will contain LOTS of output
> 
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
------- End of Original Message -------

--On Thursday, July 11, 2002 09:12:50 -0500 Michael Bush 
<MikeB@digitalminds.net> wrote:
> Tom:
>
> Here is the debug file output below.
>
> Thanks for you guidiance.  Just wanting to make sure shorewall is setup
> properly for PPTP and I have not missed anything.
>
Michael -- DO YOU SEE ANY PPPD MESSAGES IN THE OUTPUT YOU SENT???????

Your problem is that pppd is dying -- until you can send some output that 
shows why it is dying, no one is going to be able to help you. FYI, you 
should see messages like shown below (this is from a /var/log/debug file 
that I just created using the instructions that I provided):

Jul 11 06:42:41 gateway syslog: syslogd shutdown succeeded
Jul 11 06:44:19 gateway pptpd[4858]: CTRL: Client 206.124.146.180 control 
connection started
Jul 11 06:44:19 gateway pptpd[4858]: CTRL: Starting call (launching pppd, 
opening GRE)
Jul 11 06:44:19 gateway pppd[4859]: The remote system is required to 
authenticate itself
Jul 11 06:44:19 gateway pppd[4859]: but I couldn''t find any suitable
secret
(password) for it to use to do so.
Jul 11 06:44:19 gateway pppd[4859]: (None of the available passwords would 
let it use an IP address.)
Jul 11 06:44:19 gateway pptpd[4858]: Error reading from pppd: Input/output 
error
Jul 11 06:44:19 gateway pptpd[4858]: CTRL: GRE read or PTY write failed 
(gre,pty)=(6,5)
Jul 11 06:44:19 gateway pptpd[4858]: CTRL: Client 206.124.146.180 control 
connection finished
Jul 11 06:45:12 gateway ucd-snmp[3953]: Connection from 206.124.146.177
Jul 11 06:45:13 gateway last message repeated 30 times
Jul 11 06:45:30 gateway pptpd[4862]: CTRL: Client 206.124.146.180 control 
connection started
Jul 11 06:45:30 gateway pptpd[4862]: CTRL: Starting call (launching pppd, 
opening GRE)
Jul 11 06:45:30 gateway pppd[4863]: pppd 2.4.1 started by root, uid 0
Jul 11 06:45:30 gateway pppd[4863]: using channel 1
Jul 11 06:45:30 gateway pppd[4863]: Connect:  <--> /dev/pts/1
Jul 11 06:45:30 gateway pppd[4863]: sent [LCP ConfReq id=0x1 <mru 1490> 
<asyncmap 0x0> <auth chap 81> <magic 0xf0f3683a> <pcomp>
<accomp> <mrru
1614> <endpoint [MAC:02:00:08:e3:fa:55]>]
Jul 11 06:45:30 gateway pppd[4863]: rcvd [LCP ConfReq id=0x0 <mru 1400> 
<magic 0xdc3283f> <pcomp> <accomp> < 0d 03 06> <mrru
1614> <endpoint
[local:f0.b4.1b.fc.af.8f.40.24.bd.df.e8.e5.9c.78.fa.72.00.00.00.04]>]
Jul 11 06:45:30 gateway pppd[4863]: sent [LCP ConfRej id=0x0 < 0d 03 06>]
Jul 11 06:45:30 gateway pppd[4863]: rcvd [LCP ConfAck id=0x1 <mru 1490> 
<asyncmap 0x0> <auth chap 81> <magic 0xf0f3683a> <pcomp>
<accomp> <mrru
1614> <endpoint [MAC:02:00:08:e3:fa:55]>]
Jul 11 06:45:30 gateway pppd[4863]: rcvd [LCP ConfReq id=0x1 <mru 1400> 
<magic 0xdc3283f> <pcomp> <accomp> <mrru 1614>
<endpoint
[local:f0.b4.1b.fc.af.8f.40.24.bd.df.e8.e5.9c.78.fa.72.00.00.00.04]>]
Jul 11 06:45:30 gateway pppd[4863]: sent [LCP ConfAck id=0x1 <mru 1400> 
<magic 0xdc3283f> <pcomp> <accomp> <mrru 1614>
<endpoint
[local:f0.b4.1b.fc.af.8f.40.24.bd.df.e8.e5.9c.78.fa.72.00.00.00.04]>]
Jul 11 06:45:30 gateway pppd[4863]: sent [LCP EchoReq id=0x0 
magic=0xf0f3683a]
Jul 11 06:45:30 gateway pppd[4863]: sent [CHAP Challenge id=0x1 
<8347ce148bc9cc3fba8cd7bb59556a0a>, name =
"gateway.shorewall.net"]
Jul 11 06:45:30 gateway pptpd[4862]: CTRL: Ignored a SET LINK INFO packet 
with real ACCMs!
Jul 11 06:45:30 gateway pppd[4863]: rcvd [LCP code=0xc id=0x2 0d c3 28 3f 
4d 53 52 41 53 56 35 2e 31 30]
Jul 11 06:45:30 gateway pppd[4863]: sent [LCP CodeRej id=0x2 0c 02 00 12 0d 
c3 28 3f 4d 53 52 41 53 56 35 2e 31 30]
Jul 11 06:45:30 gateway pppd[4863]: rcvd [LCP code=0xc id=0x3 0d c3 28 3f 
4d 53 52 41 53 2d 31 2d 45 41 53 54 45 50 54 31]
...



-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

--On Thursday, July 11, 2002 09:59:20 -0500 Michael Bush 
<MikeB@digitalminds.net> wrote:
> Tom:
>
> Thanks.  I just sent what was in the debug file.
>
Then I don''t understand what''s happening on your system --
it''s as though
your pppd doesn''t log at all. When you try to connect, do you see ANY 
messages from pppd in /var/log/messages?

Here''s an example of what I see on my gateway:

Jul 11 07:50:58 gateway pptpd[8080]: CTRL: Client 206.124.146.180 control 
connection started
Jul 11 07:50:58 gateway pptpd[8080]: CTRL: Starting call (launching pppd, 
opening GRE)
Jul 11 07:50:58 gateway pppd[8081]: pppd 2.4.1 started by root, uid 0
Jul 11 07:50:58 gateway pppd[8081]: Connect:  <--> /dev/pts/1
Jul 11 07:51:01 gateway pptpd[8080]: CTRL: Ignored a SET LINK INFO packet 
with real ACCMs!
Jul 11 07:51:01 gateway pppd[8081]: Using interface ppp0
Jul 11 07:51:01 gateway pppd[8081]: New bundle ppp0 created
Jul 11 07:51:01 gateway pppd[8081]: MSCHAP-v2 peer authentication succeeded 
for TEastep
Jul 11 07:51:01 gateway pppd[8081]: MPPE 128 bit, stateless compression 
enabled
Jul 11 07:51:01 gateway pppd[8081]: stateless MPPE enforced
Jul 11 07:51:01 gateway pppd[8081]: found interface eth2 for proxy arp
Jul 11 07:51:01 gateway pppd[8081]: local  IP address 192.168.1.254
Jul 11 07:51:01 gateway pppd[8081]: remote IP address 192.168.1.7

Notice that once pptpd has launched pppd, it is pppd that logs all of the 
messages.

Where did you get your pppd binary?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net