From owner-freebsd-net@FreeBSD.ORG Tue Apr 17 09:39:28 2007
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F1AE116A403 for ; Tue, 17 Apr 2007 09:39:28 +0000 (UTC) (envelope-from nvass@teledomenet.gr)
Received: from wmail.teledomenet.gr (wmail.teledomenet.gr [213.142.128.16]) by mx1.freebsd.org (Postfix) with ESMTP id 57B3713C44C for ; Tue, 17 Apr 2007 09:39:28 +0000 (UTC) (envelope-from nvass@teledomenet.gr)
Received: from iris (unknown [192.168.1.71]) by wmail.teledomenet.gr (Postfix) with ESMTP id CB95E1C8970; Tue, 17 Apr 2007 11:35:24 +0300 (EEST)
From: Nikos Vassiliadis
To: freebsd-net@freebsd.org
Date: Tue, 17 Apr 2007 12:12:29 +0300
User-Agent: KMail/1.9.1
References: <1176762905.1901.59.camel@localhost>
In-Reply-To: <1176762905.1901.59.camel@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-7"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200704171212.29307.nvass@teledomenet.gr>
Cc: Tom McLaughlin
Subject: Re: net/mpd4: Unable to pass pass traffic as pptp client
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 17 Apr 2007 09:39:29 -0000

On Tuesday 17 April 2007 01:35, Tom McLaughlin wrote:
> Hi all,
>
> I'm trying to use mpd4 to connect to my work's Cisco VPN concentrator.
> After fiddling with mpd.conf I can now get past the connection setup
> phase and authentication steps. According to the VPN concentrator's
> logs I have successfully connected but some bit later I am disconnected
> and the logs show no traffic passed in or out on my connection. While
> connected I can't ping or reach anything on the work network. After
> some googling I've found that others have had routing related issues but
> couldn't find exactly how they were resolved. Can anyone lend me a hand
> here and point me in the right direction? Below is my mpd.conf along
> with mpd's console messages along with my routing table.
>
> Thanks,
> tom
> (Please CC me on replies)
>
> mpd.conf:
> ----
> vpn:
> new -i ng0 vpn vpn
> set iface disable on-demand
> set iface idle 0
> # disconnect the client after 8 hours
> set iface session 28800
> set iface enable tcpmssfix
>
> set auth authname "*****"
> set auth password "*****"
>
> set link yes acfcomp protocomp
> # If remote machine is NT you need this..
> set link enable no-orig-auth
> set link enable keep-ms-domain
> set link no pap
> set link yes chap-msv1
> set link mtu 1400
> set link mru 1400
> set link keep-alive 10 75
>
> set ipcp no vjcomp
> set ipcp enable req-pri-dns
> set ipcp enable req-sec-dns
> set ipcp enable req-pri-nbns
> set ipcp enable req-sec-nbns
> set ipcp ranges 0.0.0.0/0 208.206.3.5/32
> #
> # The five lines below enable Microsoft Point-to-Point encryption
> # (MPPE) using the ng_mppc(8) netgraph node type.
> #
> set bundle disable multilink
> set bundle enable compression
> # set bundle enable crypt-reqd
> set ccp yes mppc
> set ccp yes mpp-e40
> set ccp yes mpp-e128
> set ccp yes mpp-stateless
> open
>
> mpd console log:
> ----
> [root@bofh tom]# mpd4
> Multi-link PPP daemon for FreeBSD
> process 10036 started, version 4.1 (tom@bofh.straycat.dhs.org 08:58 10-Apr-2007)
>
> CONSOLE: listening on 0.0.0.0 5005
> [vpn] using interface ng0
> [vpn] link: OPEN event
> [vpn] LCP: Open event
> [vpn] LCP: state change Initial --> Starting
> [vpn] LCP: LayerStart
> pptp0: connecting to 208.206.3.5 1723
> pptp0: connected to 208.206.3.5 1723
> pptp0: attached to connection with 208.206.3.5 1723
> pptp0-0: outgoing call connected at 10000000 bps
> [vpn] PPTP call successful
> [vpn] link: UP event
> [vpn] link: origination is local
> [vpn] LCP: Up event
> [vpn] LCP: state change Starting --> Req-Sent
> [vpn] LCP: SendConfigReq #1
>   ACFCOMP
>   PROTOCOMP
>   MRU 1400
>   MAGICNUM 74561568
>   AUTHPROTO CHAP MSOFT
> [vpn] LCP: SendConfigReq #2
>   ACFCOMP
>   PROTOCOMP
>   MRU 1400
>   MAGICNUM 74561568
>   AUTHPROTO CHAP MSOFT
> [vpn] LCP: rec'd Configure Reject #2 link 0 (Req-Sent)
>   ACFCOMP
>   PROTOCOMP
>   AUTHPROTO CHAP MSOFT
> [vpn] LCP: SendConfigReq #3
>   MRU 1400
>   MAGICNUM 74561568
> [vpn] LCP: rec'd Configure Nak #3 link 0 (Req-Sent)
>   MRU 1500
> [vpn] LCP: SendConfigReq #4
>   MRU 1500
>   MAGICNUM 74561568
> [vpn] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
>   AUTHPROTO CHAP MSOFT
> [vpn] LCP: SendConfigAck #1
>   AUTHPROTO CHAP MSOFT
> [vpn] LCP: state change Req-Sent --> Ack-Sent
> [vpn] LCP: rec'd Configure Ack #4 link 0 (Ack-Sent)
>   MRU 1500
>   MAGICNUM 74561568
> [vpn] LCP: state change Ack-Sent --> Opened
> [vpn] LCP: auth: peer wants CHAP, I want nothing
> [vpn] LCP: LayerUp
> [vpn] CHAP: rec'd CHALLENGE #1
>   Name: ""
>   Using authname "*****"
> [vpn] CHAP: sending RESPONSE len:70
> [vpn] CHAP: rec'd CHALLENGE #2
>   Name: ""
>   Using authname "*****"
> [vpn] CHAP: sending RESPONSE len:70
> [vpn] CHAP: rec'd SUCCESS #2
> [vpn] LCP: authorization successful
> [vpn] Bundle up: 1 link, total bandwidth 64000 bps
> [vpn] IPCP: Open event
> [vpn] IPCP: state change Initial --> Starting
> [vpn] IPCP: LayerStart
> [vpn] CCP: Open event
> [vpn] CCP: state change Initial --> Starting
> [vpn] CCP: LayerStart
> [vpn] IPCP: Up event
> [vpn] IPCP: state change Starting --> Req-Sent
> [vpn] IPCP: SendConfigReq #1
>   IPADDR 0.0.0.0
>   PRIDNS 0.0.0.0
>   SECDNS 0.0.0.0
>   PRINBNS 0.0.0.0
>   SECNBNS 0.0.0.0
> [vpn] CCP: Up event
> [vpn] CCP: state change Starting --> Req-Sent
> [vpn] CCP: SendConfigReq #1
>   MPPC
>     0x01000060:MPPE(40, 128 bits), stateless
> [vpn] IPCP: rec'd Configure Request #0 link 0 (Req-Sent)
>   IPADDR 208.206.3.5
>     208.206.3.5 is OK
> [vpn] IPCP: SendConfigAck #0
>   IPADDR 208.206.3.5
> [vpn] IPCP: state change Req-Sent --> Ack-Sent
> [vpn] CCP: rec'd Configure Request #0 link 0 (Req-Sent)
>   MPPC
>     0x01000060:MPPE(40, 128 bits), stateless
> [vpn] CCP: SendConfigNak #0
>   MPPC
>     0x01000040:MPPE(128 bits), stateless
> [vpn] CCP: rec'd Configure Request #1 link 0 (Req-Sent)
>   MPPC
>     0x01000040:MPPE(128 bits), stateless
> [vpn] CCP: SendConfigAck #1
>   MPPC
>     0x01000040:MPPE(128 bits), stateless
> [vpn] CCP: state change Req-Sent --> Ack-Sent
> [vpn] CCP: SendConfigReq #2
>   MPPC
>     0x01000060:MPPE(40, 128 bits), stateless
> [vpn] IPCP: SendConfigReq #2
>   IPADDR 0.0.0.0
>   PRIDNS 0.0.0.0
>   SECDNS 0.0.0.0
>   PRINBNS 0.0.0.0
>   SECNBNS 0.0.0.0
> [vpn] CCP: rec'd Configure Nak #2 link 0 (Ack-Sent)
>   MPPC
>     0x01000040:MPPE(128 bits), stateless
> [vpn] CCP: SendConfigReq #3
>   MPPC
>     0x01000040:MPPE(128 bits), stateless
> [vpn] IPCP: rec'd Configure Nak #2 link 0 (Ack-Sent)
>   IPADDR 172.30.29.9
>     172.30.29.9 is OK
>   PRIDNS 172.30.16.2
>   SECDNS 172.30.0.2
>   PRINBNS 172.30.16.3
>   SECNBNS 172.30.0.7
> [vpn] IPCP: SendConfigReq #3
>   IPADDR 172.30.29.9
>   PRIDNS 172.30.16.2
>   SECDNS 172.30.0.2
>   PRINBNS 172.30.16.3
>   SECNBNS 172.30.0.7
> [vpn] CCP: rec'd Configure Ack #3 link 0 (Ack-Sent)
>   MPPC
>     0x01000040:MPPE(128 bits), stateless
> [vpn] CCP: state change Ack-Sent --> Opened
> [vpn] CCP: LayerUp
>   Compress using: mppc (MPPE(128 bits), stateless)
>   Decompress using: mppc (MPPE(128 bits), stateless)
> [vpn] IPCP: rec'd Configure Ack #3 link 0 (Ack-Sent)
>   IPADDR 172.30.29.9
>   PRIDNS 172.30.16.2
>   SECDNS 172.30.0.2
>   PRINBNS 172.30.16.3
>   SECNBNS 172.30.0.7
> [vpn] IPCP: state change Ack-Sent --> Opened
> [vpn] IPCP: LayerUp
>   172.30.29.9 -> 208.206.3.5
> [vpn] IFACE: Up event
> [vpn] LCP: no reply to 1 echo request(s)
> [vpn] LCP: no reply to 2 echo request(s)
> [vpn] LCP: no reply to 3 echo request(s)
> [vpn] LCP: no reply to 4 echo request(s)
> [vpn] LCP: no reply to 1 echo request(s)
> [vpn] LCP: no reply to 2 echo request(s)
> [vpn] LCP: no reply to 3 echo request(s)
> [vpn] LCP: no reply to 4 echo request(s)
> [vpn] LCP: no reply to 5 echo request(s)
> [vpn] LCP: no reply to 6 echo request(s)
> [vpn] LCP: no reply to 7 echo request(s)
> [vpn] LCP: peer not responding to echo requests
> [vpn] LCP: state change Opened --> Stopping
> [vpn] AUTH: Accounting data for user : 154 seconds, 260 octets in, 1609 octets out
> [vpn] AUTH: Cleanup
> [vpn] Bundle up: 0 links, total bandwidth 9600 bps
> [vpn] IPCP: Close event
> [vpn] IPCP: state change Opened --> Closing
> [vpn] IPCP: SendTerminateReq #4
> [vpn] error writing len 8 frame to bypass: Network is down
> [vpn] IPCP: LayerDown
> [vpn] IFACE: Down event
> [vpn] CCP: Close event
> [vpn] CCP: state change Opened --> Closing
> [vpn] CCP: SendTerminateReq #4
> [vpn] error writing len 8 frame to bypass: Network is down
> [vpn] CCP: LayerDown
> [vpn] IPCP: Down event
> [vpn] IPCP: LayerFinish
> [vpn] No NCPs left. Closing links...
> [vpn] closing link "vpn"...
> [vpn] IPCP: state change Closing --> Initial
> [vpn] CCP: Down event
> [vpn] CCP: LayerFinish
> [vpn] CCP: state change Closing --> Initial
> [vpn] LCP: SendTerminateReq #5
> [vpn] LCP: LayerDown
> [vpn] link: CLOSE event
> [vpn] LCP: Close event
> [vpn] LCP: state change Stopping --> Closing
> [vpn] LCP: SendTerminateReq #6
> pptp0: read: Connection reset by peer
> pptp0: killing connection with 208.206.3.5 1723
> pptp0-0: killing channel
> [vpn] PPTP call terminated
> [vpn] link: DOWN event
> [vpn] LCP: Down event
> [vpn] LCP: LayerFinish
> [vpn] LCP: state change Closing --> Initial
>
>
> netstat
> [root@bofh mpd4]# netstat -r -f inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            linksys            UGS         0     8516    em0
> localhost          localhost          UH          0      640    lo0
> 172.30.29.9/32     lo0                US          0        0    lo0
> 192.168.1          link#2             UC          0        0    em0
> linksys            00:06:25:dc:a0:f1  UHLW        2        0    em0   1024
> shorthair          00:09:5b:0b:78:e2  UHLW        1     6401    em0   1180
> COMPASS            00:11:d8:f9:70:aa  UHLW        1    73381    em0   1160
> bofh               00:11:25:85:e4:fc  UHLW        1      193    lo0
> 192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1       84    em0
> 208.206.3.5        172.30.29.9        UH          0        7    ng0
>
>
> ifconfig
> [root@bofh tom]# ifconfig ng0
> ng0: flags=88d1 mtu 1396
>         inet 172.30.29.9 --> 208.206.3.5 netmask 0xffffffff

It seems that your external peer address is the same as the internal peer
address. You connect to pptp-server-ip through your linksys and then say
that pptp-server-ip is reachable through the tunnel. So it routes everything
destined for pptp-server-ip through the tunnel. I think that such a
configuration is valid for other operating systems.

I don't know if you can work around the problem on your own, maybe you have
to contact the VPN concentrator's admin. Perhaps you can modify the routing
table (the external peer address should be reachable as it was, through
linksys) and invent some peer address using
"ifconfig ng0 your_address 10.0.0.1 netmask 0xffffffff". But it's not nice...

Can you convince the concentrator's administrator to use another address for
his internal side?

HTH, Nikos
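The routing recursion Nikos diagnoses (the PPTP server's public address 208.206.3.5 is handed back as the IPCP peer address, so mpd installs a host route for it via ng0 and the tunnel's own outer packets are sent into the tunnel) can be checked mechanically from a routing table. The script below is an added example written for this page; it is not part of the thread and not mpd's or FreeBSD's code. It parses the numeric form of `netstat -rn -f inet` output (the hostnames in Tom's table are replaced by constructed numeric entries, and "linksys" is assumed to be 192.168.1.1, which the thread does not state), does the same longest-prefix lookup the kernel does, and reports whether the tunnel endpoint is routed through the tunnel interface. A second constructed table shows the effect of Nikos' workaround, with the inner peer re-addressed to the invented 10.0.0.1 so that 208.206.3.5 falls back to the default route via em0.

```python
import ipaddress

# Constructed sample in the shape of `netstat -rn -f inet` (numeric output,
# so hostnames such as "linksys" do not appear). The entries mirror Tom's
# table; "linksys" is assumed to be 192.168.1.1 (not stated in the thread).
# The last line is the host route mpd installed for the IPCP peer, which is
# also the PPTP server's public address.
NETSTAT_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0     8516    em0
127.0.0.1          127.0.0.1          UH          0      640    lo0
172.30.29.9/32     lo0                US          0        0    lo0
192.168.1          link#2             UC          0        0    em0
192.168.1.1        00:06:25:dc:a0:f1  UHLW        2        0    em0   1024
208.206.3.5        172.30.29.9        UH          0        7    ng0
"""

# The same host after Nikos' suggested workaround (constructed): the inner
# peer is re-addressed to an invented 10.0.0.1, so 208.206.3.5 no longer has
# a host route of its own and falls back to the default route via em0.
NETSTAT_AFTER = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0     8516    em0
127.0.0.1          127.0.0.1          UH          0      640    lo0
172.30.29.9/32     lo0                US          0        0    lo0
192.168.1          link#2             UC          0        0    em0
192.168.1.1        00:06:25:dc:a0:f1  UHLW        2        0    em0   1024
10.0.0.1           172.30.29.9        UH          0        0    ng0
"""


def parse_dest(dest):
    """Turn a FreeBSD netstat destination column into an ip_network.

    netstat abbreviates classful networks by dropping trailing zero octets
    ("192.168.1" means 192.168.1.0/24); host routes carry no prefix length.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        return ipaddress.ip_network(dest, strict=False)
    octets = dest.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a destination: {dest!r}")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{8 * len(octets)}", strict=False)


def parse_netstat(text):
    """Return [(network, gateway, flags, netif), ...]; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank line, "Routing tables", "Internet:"
        try:
            net = parse_dest(fields[0])
        except ValueError:
            continue  # the column header line
        routes.append((net, fields[1], fields[2], fields[5]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel applies; None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, netif)
    return best


def tunnel_recursion(routes, server, tunnel_if):
    """True when the tunnel's outer endpoint would itself be sent into the tunnel.

    This is the situation in the thread: the PPTP control connection and the
    GRE packets to 208.206.3.5 must leave via em0, but the host route mpd added
    for the IPCP peer sends them into ng0, so the tunnel can never carry data.
    """
    hit = lookup(routes, server)
    return hit is not None and hit[3] == tunnel_if


if __name__ == "__main__":
    for label, text in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        routes = parse_netstat(text)
        net, gw, flags, netif = lookup(routes, "208.206.3.5")
        loop = tunnel_recursion(routes, "208.206.3.5", "ng0")
        print(f"{label}: 208.206.3.5 -> {net} via {gw} on {netif}; recursion={loop}")
```

On the live machine the same question can be put to the kernel directly with `route -n get 208.206.3.5`; if the interface it reports is ng0 while the PPTP control connection to port 1723 has to go out through em0, the tunnel is in exactly the state the log above shows, up at the PPP layer but unable to pass any packets.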