Suse 9.3 и VPN

[Dimas]

В 9.2 настроил все работало, перешел на 9.3
запускаю pptp-command start
и вот что вижу:
Connect: ppp0 <--> /dev/pts/3
CHAP authentication succeeded: Welcome!!
MPPE required, but MS-CHAP[v2] auth not performed.
Connection terminated.

В чем проблема то ?

[sash-kan]

MPPE required

↑

перевести? ;-)

[Dimas]

Переведи, единственное, что может я забыл отключить шифрование ( его нужно отключить) но я не помню где, да и как тоже

[sash-kan]

не помню где

↑

а я так даже и не знаю (:
в смысле - как это правильно делать в suse. а там это делать, видимо, нужно эксклюзивными средствами.
короче, смотри туда, где настраивал vpn. в suse, надо думать, это через какой-то фронт-энд делается.
а как сделать ручками - советовать я зарекся (для suse и mandrake). потому что в результате только хуже будет (:
p.s. хотя ручками-то - элементарно. смотришь в man pppd на предмет mppe, а затем в соответствующем конфиге прописываешь нужное.

[shubhar]

короче, смотри туда, где настраивал vpn. в suse, надо думать, это через какой-то фронт-энд делается.

нету там фронтенда для ВПН. Все делается так же как и в MDK - абсолютно тот же самый pptp-command

надо в /etc/ppp/options.pptp закоментить
require-mppe

или наоборот включить это со стороны сервера, чтобы опция отрабатывалась. Это отдельный несвободный модуль ядра, он вроде имеет ограничение на использование в россии, но кого это волнует?

[Dimas]

Для shubhar:
Закоментировал....
pptp запустился , роуты добавились инета нет =(
Сеть работает инет нет, хотя долно быть все наоборот...
Ладно покопаюсь разберусь

Dimas добавил в 10.07.2005 10:00

Народ, а графических vpn настройщиков никто не предложит ? (только webmin не предлагайте)

[Bdfy]

kvpnc под KDE под Гном gnome-ppx ...

[shubhar]

Закоментировал....
pptp запустился , роуты добавились инета нет =(
Сеть работает инет нет, хотя долно быть все наоборот...
Ладно покопаюсь разберусь

/etc/ppp/pptpd.option & /etc/pptp.conf в студию. можно в приват.

[Dimas]

Код:

# /etc/ppp/options # # Not every option is listed here, see man pppd for more details. This file # is read by the pppd, it is an error when it is not present. # # Use the following command to see the active options: # grep -v ^# /etc/ppp/options | grep -v ^$ # # The name of this server. Often, the FQDN is used here. #name <host> # Enforce the use of the hostname as the name of the local system for # authentication purposes (overrides the name option). #usehostname # If no local IP address is given, pppd will use the first IP address # that belongs to the local hostname. If "noipdefault" is given, this # is disabled and the peer will have to supply an IP address. noipdefault # With this option, pppd will accept the peer's idea of our local IP # address, even if the local IP address was specified in an option. #ipcp-accept-local # With this option, pppd will accept the peer's idea of its (remote) IP # address, even if the remote IP address was specified in an option. #ipcp-accept-remote # Run the executable or shell command specified after pppd has terminated # the link. This script could, for example, issue commands to the modem # to cause it to hang up if hardware modem control signals were not # available. # If mgetty is running, it will reset the modem anyway. So there is no need # to do it here. #disconnect "chat -- \d+++\d\c OK ath0 OK" # Increase debugging level (same as -d). The debug output is written # to syslog LOG_LOCAL2. #debug # Enable debugging code in the kernel-level PPP driver. The argument n # is a number which is the sum of the following values: 1 to enable # general debug messages, 2 to request that the contents of received # packets be printed, and 4 to request that the contents of transmitted # packets be printed. #kdebug n # noauth means do not require the peer to authenticate itself, this must # be set if you want to use pppd to connect to the internet. In this case # *you* must authenicate yourself to the peer(internet provider), so do # not disable this setting unless you are the dial-in server which where # the peer has to autenticate to. noauth # Use hardware flow control (i.e. RTS/CTS) to control the flow of data # on the serial port. crtscts # Specifies that pppd should use a UUCP-style lock on the serial device # to ensure exclusive access to the device. lock # Use the modem control lines.(is default) modem # The opposite: local # # Description: # Don't use the modem control lines. With this option, pppd will ignore the # state of the CD (Carrier Detect) signal from the modem and will not change # the state of the DTR (Data Terminal Ready) signal. # # You need to disable modem and enable local if you want to connect to anoter # system without using a modem: #local # async character map -- 32-bit hex; each bit is a character # that needs to be escaped for pppd to receive it. 0x00000001 # represents '\x01', and 0x80000000 represents '\x1f'. # To allow pppd to work over a rlogin/telnet connection, ou should escape # XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".) #asyncmap 200a0000 asyncmap 0 # needed for some ISDN Terminaladaters, namely ELSA, those seem to have # problems with asyncmap negotiation, so you can turn off this procedure # in case your ISDN box has trouble with it, by enabling this option. # You have to disable the asyncmap <x> option to be sure to have it # active. If you use wvdial, set the ISDN parameter in /etc/wvdial.conf # instead. #default-asyncmap # Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd # will ask the peer to send packets of no more than <n> bytes. The # minimum MRU value is 128. The default MRU value is 1500. A value of # 296 is recommended for slow links (40 bytes for TCP/IP header + 256 # bytes of data). The value 1492 is for DSL connections (PPP Default - # PPPoE Header: 1500 - 8 = 1492) # mru 1492 # Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer # requests a smaller value via MRU negotiation, pppd will request that # the kernel networking code send data packets of no more than n bytes # through the PPP network interface. The value 1492 is for DSL connections # (PPP Default - PPPoE Header: 1500 - 8 = 1492) # mtu 1492 # Set the interface netmask to <n>, a 32 bit netmask in "decimal dot" # notation (e.g. 255.255.255.0). #netmask 255.255.255.0 # Don't fork to become a background process (otherwise pppd will do so # if a serial device is specified). nodetach # If this option is given, pppd will send an LCP echo-request frame to # the peer every n seconds. Under Linux, the echo-request is sent when # no packets have been received from the peer for n seconds. Normally # the peer should respond to the echo-request by sending an echo-reply. # This option can be used with the lcp-echo-failure option to detect # that the peer is no longer connected. lcp-echo-interval 30 # If this option is given, pppd will presume the peer to be dead if n # LCP echo-requests are sent without receiving a valid LCP echo-reply. # If this happens, pppd will terminate the connection. Use of this # option requires a non-zero value for the lcp-echo-interval parameter. # This option can be used to enable pppd to terminate after the physical # connection has been broken (e.g., the modem has hung up) in # situations where no hardware modem control lines are available. lcp-echo-failure 4 # Send up to 60 LCP configure-request during negotiation. With a value # of 2 for lcp-restart below, this might take up to 2 minutes. lcp-max-configure 60 # Resend unanswered LCP requests after 2 seconds. lcp-restart 2 # Specifies that pppd should disconnect if the link is idle for n seconds. idle 600 # Specifies the maximal number of attempts to connect to the server. This # is useful for dial on demand. Default value is 10. #maxfail 3 # Disable the IPXCP and IPX protocols. noipx # In the file /etc/ppp/filters are some active-filter rules. See man pppd # and man tcpdump for more informations. file /etc/ppp/filters #------------------------------------------------------------------------- # The next two options are only interesting for you if you are admin of # a system with other users that use ppp, and those users are normally # never allowed to add default route, or you do not want users to # replace the default route. #------------------------------------------------------------------------- # enable this to prevent users from attempting to add a default route. # Use this option with caution: If the user needs to use a program like # wvdial, he will not be able to connect because wvdial forces defaulroute # but this is rejected by this option and the user will not be able to # connect to the internet. #nodefaultroute # enable this to prevent users from replacing an existing default route. #noreplacedefaultroute #------------------------------------------------------------------------- # All options below only make sense if you configure pppd to be a dial-in # server, so don't touch these if you want dial into your provider with # PPP! #------------------------------------------------------------------------- # Set the assumed name of the remote system for authentication purposes # to <n>. #remotename <n> # Add an entry to this system's ARP [Address Resolution Protocol] # table with the IP address of the peer and the Ethernet address of this # system. {proxyarp,noproxyarp} #proxyarp # Use the system password database for authenticating the peer using # PAP. Note: mgetty already provides this option. If this is specified # then dialin from users using a script under Linux to fire up ppp wont work. #login # Specify which DNS Servers the incoming Win95 or WinNT Connection should use # Two Servers can be remotely configured #ms-dns 192.168.1.1 #ms-dns 192.168.1.2 # Specify which WINS Servers the incoming connection Win95 or WinNT should use #ms-wins 192.168.1.50 #ms-wins 192.168.1.51

options.pptp

Код:

# # Lock the port # lock # # We don't need the tunnel server to authenticate itself # noauth # # Turn off transmission protocols we know won't be used # nobsdcomp nodeflate # # We want MPPE # #require-mppe # # We want a sane mtu/mru # mtu 1000 mru 1000 # # Time this thing out of it goes poof # lcp-echo-failure 10 lcp-echo-interval 10

[shubhar]

у меня так:

/etc/pptpd.conf:
-------------------------
option /etc/ppp/options.pptpd
speed 115200
localip 192.168.100.1
remoteip 192.168.100.2-200

/etc/ppp/options:
-----------------------
login
auth
netmask 255.255.255.0
modem
crtscts
refuse-chap
require-pap
mtu 576
mru 576
proxyarp
ms-dns 10.0.0.1
name myorg

/etc/ppp/options.pptpd:
---------------------------lock
mtu 1490
mru 1490
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
auth
+chap
-pap
proxyarp
ms-dns 10.0.0.1
nobsdcomp
nodeflate
nodefaultroute

/etc/ppp/у меня так:

/etc/pptpd.conf:
-------------------------
option /etc/ppp/options.pptpd
speed 115200
localip 192.168.22.1
remoteip 192.168.22.2-200

/etc/ppp/options:
-----------------------
login
auth
netmask 255.255.255.0
modem
crtscts
refuse-chap
require-pap
mtu 576
mru 576
proxyarp
ms-dns 10.0.0.1
name myorg

/etc/ppp/options.pptpd:
---------------------------lock
mtu 1490
mru 1490
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
auth
+chap
-pap
proxyarp
ms-dns 10.0.0.1
nobsdcomp
nodeflate
nodefaultroute

/etc/ppp/chap-secrets:
user1 * PLaiNPaSSwOrd 192.168.100.14
...
...
..

на клиентской машине:
/etc/ppp/options.pptp:
lock
noauth
nobsdcomp
nodeflate

----------------------------
чтоб был Инет, надо делать NAT для VPN-нных клиентских адресов (192.168.100.14..... по...см. диапазон из /etc/pptpd.conf)
или если Сквид, то эти адреса прописать в ACL.

Локальные ethernet-адреса уже не надо описывать для доступа куда-либо. Главное чтобы с локальных ethernet-IP можно было видеть VPN-сервер и DNS-server. После установки VPN-соединения переписать default-router как route add default gw ppp0 (или на какой интерфейс забиндиться VPN - бывает так что после подыхания предыдущей сессии не освобождается таблица девайсов и туннель повеситься на ppp1... ppp2 etc... - такие глюки бывают)

[daemonBSD_DualXeon]

собратья по ясту все можно сделать гораздо проще
и в графическом интерфейсе
в смысле поднять VPN
изучаем все:
http://pptpclient.sourceforge.net/
качаем и работаем)
как я сейчас