'Fraid not. See this from the ASL Known Issues List:
ID598 o 4.008 Incoming PPTP connections may fail
------------------------------------------------
Description: Some incoming PPTP connections may fail due to a problem in one of the kernel-nat-modules
Workaround: ---
Fix: ---
I guess this would be why I get "no answer". Any idea what I am doing wrong?
Doh. I just realized that is blocking 1726. Is that my problem?
OK, I looked at the logs before I tried to telnet. I found 1726 and it was throwing me off. I can telnet to 1723 without a problem. I will assume that it's an MS PPTP client problem. I don't have a computer with SP2 on it, so I will build one and confirm and post back here.
I'm using Win2k sp4 and can connect reliably to my ASL which is 4.015. I originally installed 4.000 ran all the updates through 4.008, experienced the PPTP problem, applied the pptp_patch, restarted ASL, updated through to 4.015. All is well.
My Win2k PPTP setup is as follows...
Options Tab:
Display Progress while connecting - Checked
Prompt for name/password, etc. - Checked
Include Windows logon domain - Un-Checked
Redial attempts - 3
Time between attempts - 10 Sec
Idle time before hangup - Never
Redial if dropped - Checked
Security Tab: Advanced Menu:
Data Encryption - Maximum Strength
Allow these protocols - Selected
Microsoft CHAP (MS-CHAP) - Checked
Microsoft CHAP Version 2 (MS-CHAP v2) - Checked
Networking Tab:
Type of VPN Server: PPTP
Settings - All 3 boxes checked
Components - TCP/IP - Checked
Properties - Assign IP and DNS automatically
Curses! That didn't work. My machine here at work is Win2k SP3 and my box at home I tried is SP4 (I think). I will check the settings against yours when I get home.
Are you even able to connect? How far does the PPTP client get? Do you get the 619 error?
Have you assigned users that can login via PPTP Roadwarrior access?
You don't need to create ANY filter rules involving PPTP. That's only required when using a VPN server behind ASL, not ASL itself. ASL creates these automatically.
You just need to create packet filter rules that allow traffic where PPTP_Pool is the Source IP for whatever services you like.
Example: From: PPTP_Pool Service: HTTP To: Any Allow
Will allow you to surf the web while VPNed to your ASL.
I don't get any errors other than "no answer" in my Windows client. I can telnet to port 1723, but I can't do anything else. Nothing shows up in the logs as being dropped, nor is there anything interesting in the PPTP log. It never even tries to authenticate.
If you'd like to see logs, let me know which ones.
Can you email me your VPN server address so that I might try to connect using a bogus user_id and password to see how far it gets? Have you tried disabling and then re-enabling Roadwarrior VPN? I'm really reaching here now.
Emailed. I disabled and re-enabled. At home, Win2k Pro SP4, same settings as your previous post, I can telnet to port 1723 on both my internal and external interface, but I can't create a connection. I still get "no answer".
Even tried restarting and I still get "no answer".
Have you tried it momentarily without a firewall on the Windows client side?? I found that a misconfigured PC firewall can mess up your PPTP quite good...
You might want to do a public service and configure a ZoneAlarm HowTo doc and submit it to Astaro; the configuration should be as 'tight' as possible. For firewall gods such as ourselves, it's not a big deal, but considering that Astaro will be getting so many ZoneAlarm/Norton Personal Firewall novices with this problem, it will save everybody a lot of headaches...
I can't seem to locate the executable for the pptp client. I found this: c:\winnt\system32\drivers\raspptp.sys
I tried to add this to list of programs that are allowed, but this didn't work.
I found an MS knowledge base article that says to basically turn off ZoneAlarm if you want to use the PPTP client. It says that this problem is fixed in ZA 2.76 and up; however, I am using ZoneAlarm 3.79, and I assure you the problem isn't resolved.
If someone knows the executable of the PPTP client, that would be the proper way to fix it, but I can't seem to find it.
The solution that I came up with was to go into the firewall settings and to add a zone. Basically you add the IP address of the PPTP end point (this would be your external interface if you want to VPN in from the internet). Once this is done, you set this as a trusted network.
Kerio shows the application that attempts an outbound connection with protocol 47 (used for PPTP) when I try to establish a VPN connection to my ASL as "tcpip kernel driver".
What kind of hardware are you running this on?
Are you getting something like this in your PPTP Roadwarrior logs?
GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
PTY read or GRE write failed (pty,gre)=(5,6)
CTRL: Closing child BCrelay with pid 0
CTRL: Closing child ppp with pid 6584
CTRL: Client 64.83.8.216 control connection finished
There is no executable; it is part of the OS (remember? they wanted to be clever and get away from modular design after the court case)
So you can try opening ports for either the Services and Controller, or SvcHost.
I have a 4X version of Zone that appears to know how to handle Windows PPTP connections; I remember older versions of Zone could not (and PGP queries for Email were problematic too!!)
What you did is exactly what I would have fallen back to.
Oct 14 21:14:29 (none) pptpd[11191]: GRE: read(fd=5,buffer=804dbe0,len=8196) from PTY failed: status = -1 error = Input/output error
Oct 14 21:14:29 (none) pptpd[11191]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Oct 14 21:14:29 (none) pptpd[11191]: CTRL: Closing child ppp with pid 11192
Oct 14 21:14:29 (none) pptpd[11191]: CTRL: Client 172.16.0.10 control connection finished
Oct 14 21:14:29 (none) pptpd[11191]: CTRL: Exiting now
It's running on an older Dell desktop machine (GX1). The NIC for the outside interface is a 309x 3Com onboard network adapter.
I haven't tried to connect to the external interface. I am using PPTP for securing my wireless connection. I'll try to connect from work today and see how it goes. I'll also check out Kerio.
I tried to connect to the external interface and I get the same error you do as well. When connecting at home on an interface that is designated as a wireless DMZ it works fine. The card is a Linksys. I'm not sure which model. It's the same one they are selling at Best Buy. Is there an issue with the 3Com card?
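Since the pptpd lines quoted above are the only evidence of what happened to the session, it helps to group them by the pptpd control process and pull out which client's session died on the GRE/PTY data path rather than closing normally. This is an added example, not code from the thread or from Astaro; the sample log is constructed in the format quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format pptpd used in the quoted posts:
# one session that dies with the GRE/PTY failure, one that closes normally.
SAMPLE_LOG = """\
Oct 14 21:14:29 (none) pptpd[11191]: GRE: read(fd=5,buffer=804dbe0,len=8196) from PTY failed: status = -1 error = Input/output error
Oct 14 21:14:29 (none) pptpd[11191]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Oct 14 21:14:29 (none) pptpd[11191]: CTRL: Closing child ppp with pid 11192
Oct 14 21:14:29 (none) pptpd[11191]: CTRL: Client 172.16.0.10 control connection finished
Oct 14 21:14:29 (none) pptpd[11191]: CTRL: Exiting now
Oct 14 21:20:02 (none) pptpd[11300]: CTRL: Client 172.16.0.11 control connection finished
Oct 14 21:20:02 (none) pptpd[11300]: CTRL: Exiting now
"""

# syslog prefix: "<Mon dd HH:MM:SS> <host> pptpd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pptpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"CTRL: Client (?P<ip>\S+) control connection finished")


def parse_pptpd_sessions(text):
    """Group pptpd lines by control-process pid and record how each session ended.

    Each pptpd control connection runs in its own process, so the pid ties the
    GRE error, the ppp child teardown and the client IP together.
    """
    sessions = defaultdict(lambda: {"client": None, "gre_failure": False, "last_ts": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pptpd line; ignore
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        s["last_ts"] = m.group("ts")
        # Either message marks the GRE data path breaking, not a normal hangup.
        if (msg.startswith("GRE:") and "failed" in msg) or "PTY read or GRE write failed" in msg:
            s["gre_failure"] = True
        c = CLIENT_RE.search(msg)
        if c:
            s["client"] = c.group("ip")
    return dict(sessions)


def failed_sessions(text):
    """Return (pid, client_ip) for sessions that died on the GRE/PTY path."""
    return [(pid, s["client"]) for pid, s in parse_pptpd_sessions(text).items() if s["gre_failure"]]
```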
AppSec:
I know services is set to allow. I got tired of it complaining all the time. I'll check the other two and see what I can come up with.
I get those errors once in a while. I guess sometimes connecting to VPN is a little flaky (rarely). When it does decide to act up, those are the errors I get. For the most part, it's reliable. I only use it to connect to for remote administration of internal computers. I'm using an old IBM PC300XL, PII-400, 128 MB RAM with an Intel onboard NIC, RTL-8139, and a 3C905 (I think). I'd like to get this straightened out. I guess Dan Martin's suggestion of staying with 4.007 is a good idea until you get other, configuration related, issues resolved. Can someone from ASL pop in here with some advice on the posted error text?
Perhaps I spoke (or wrote) too soon. I was VPNed to my home network and all was working fine. My connection got dropped and I cannot get it re-established. I always blamed it on other things, but this is ridiculous. As soon as I can get reconnected, I'll post the logs.
Is this an issue that Astaro is looking into?
Usually it works and then it gets flaky sometimes.
Perhaps I'll set up another ASL machine (4.007) behind my DSL router to handle VPN connections until my primary ASL (4.015) gets the next Up2Date.
I recant my prior statements that my VPN works fine.
You got it! It's unstable!! It will work reliably for a long time for a few users, and then one day it goes up and whoop! Not working. Reboot of the client (as Windows tells you to do) does not help!! Try permutations of MS's advanced PPTP settings; it might work once, then it stops working. This is a job for tcpdump! Anybody wanting to trade notes on the dump analysis offline, let me know (I think that will be a bit much for this board!).
I was reading a post elsewhere where other Linuxes are having this problem too (reliably interoperating with Windows PPTP). I am slated to really start chopping away at the problem for a client. A key tool I will be using is pptp ping (a Windows utility).
One guy (on Debian?) said it required a number of MS-CHAP patches for Linux, and he had to recompile the kernel. The first thing I will try though is a step-down to 4.007 (!). If that fixes it, I know where to look for the problem (what in the patches throws things a-kilter??)
Never was able to reconnect last night. Sometimes it would go as far as "Connecting to home_vpn", other times it would hang at "authenticating username and password".