Hello!
I have a small (?) problem here with setting up a VPN in a small network.
Here is the configuration:
Machine (name: fernlx2) running SUSE 10.2 and the MS VPN server pptpd.
The client is a Windows XP machine with SP2.
Goal: establish a VPN connection to fernlx2.
The following problems occur:
On the client: see the attached image.
On fernlx2:
Here is the excerpt from /var/log/messages
after restarting pptpd and one failed connection attempt:
May 16 15:32:36 fernlx2 kernel: PPP MPPE Compression module registered
May 16 15:32:36 fernlx2 pptpd[7448]: MGR: Manager process started
May 16 15:32:36 fernlx2 pptpd[7448]: MGR: Maximum of 9 connections available
May 16 15:39:52 fernlx2 pptpd[7457]: MGR: Launching /usr/sbin/pptpctrl to handle client
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: local address = 192.168.3.1
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: remote address = 192.168.3.2
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: pppd speed = 115200
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: pppd options file = /etc/ppp/options.ppp0
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Client 192.168.0.240 control connection started
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Received PPTP Control Message (type: 1)
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Made a START CTRL CONN RPLY packet
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: I wrote 156 bytes to the client.
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Sent packet to client
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Received PPTP Control Message (type: 7)
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Set parameters to 100000000 maxbps, 64 window size
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Made a OUT CALL RPLY packet
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Starting call (launching pppd, opening GRE)
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: pty_fd = 6
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: tty_fd = 7
May 16 15:39:52 fernlx2 pptpd[7458]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
May 16 15:39:52 fernlx2 pptpd[7458]: CTRL (PPPD Launcher): local address = 192.168.3.1
May 16 15:39:52 fernlx2 pptpd[7458]: CTRL (PPPD Launcher): remote address = 192.168.3.2
May 16 15:39:52 fernlx2 pppd[7458]: The remote system (<n>) is required to authenticate itself
May 16 15:39:52 fernlx2 pppd[7458]: but I couldn't find any suitable secret (password) for it to use to do so.
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: I wrote 32 bytes to the client.
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Sent packet to client
May 16 15:39:52 fernlx2 pptpd[7457]: GRE: read(fd=6,buffer=8059560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Reaping child PPP[7458]
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Client 192.168.0.240 control connection finished
May 16 15:39:52 fernlx2 pptpd[7457]: CTRL: Exiting now
May 16 15:39:52 fernlx2 pptpd[7448]: MGR: Reaped child 7457
So, and now the config files:
fernlx2:/etc # ls -la pptpd*
-rw-r--r-- 1 root root 2414 2007-05-09 15:17 pptpd.conf
-rw-r--r-- 1 root root 2417 2007-01-19 21:16 pptpd_conf.orig
-rw-r--r-- 1 root root 2481 2007-01-19 21:27 pptpd.conf.rpmsave
fernlx2:/etc # cat pptpd.conf
################################################################################
#
# Sample PoPToP configuration file
#
# for PoPToP version 1.0.0
#
################################################################################
# TAG: speed
#
# Specifies the speed for the PPP daemon to talk at.
# Some PPP daemons will ignore this value.
#
speed 115200
# TAG: option
#
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
#option /this/is/the/options/file
option /etc/ppp/options.ppp0
# TAG: debug
#
# Turns on (more) debugging to syslog.
#
debug
# TAG: localip
# TAG: remoteip
#
# Specifies the local and remote IP address ranges.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 192.168.3.1
remoteip 192.168.3.2-10
# TAG: ipxnets
#
# This gives the range of IPX networks to allocate to clients. By
# default IPX network number allocation is not handled internally.
# By putting a low and high network number here a pool of IPX networks
# can be defined. If this is done then there must be one IPX network
# per client.
#
# The format is a pair of hex numbers without any 0x prefix separated
# by a hyphen.
#
#ipxnets 00001000-00001FFF
# TAG: listen
#
# Defines the IP address of the local interface on which pptpd
# should listen for connections. The default is to listen on all
# local interfaces (even ones brought up by pptp connections, thus
# permitting pptp tunnels inside the pptp tunnels).
#
#listen 192.168.0.1
# TAG: pidfile
#
# This defines the file name in which pptpd should store its process
# ID (or pid). The default is /var/run/pptpd.pid.
#
pidfile /var/run/pptpd.pid
fernlx2:/etc/ppp # ls -la
total 64
drwxr-x--- 5 root dialout 384 2007-05-15 16:01 .
drwxr-xr-x 96 root root 7976 2007-05-09 15:17 ..
-rw------- 1 root root 1016 2007-03-01 13:18 chap-secrets
-rw-r--r-- 1 root root 449 2006-11-25 20:50 filters
lrwxrwxrwx 1 root root 5 2007-03-12 08:53 ip-down -> ip-up
drwxr-xr-x 2 root root 72 2006-11-25 22:49 ip-down.d
-rwxr-xr-x 1 root root 6175 2006-11-25 13:55 ip-up
drwxr-xr-x 2 root root 72 2006-11-25 22:49 ip-up.d
-rwxr--r-- 1 root root 8254 2007-05-15 16:01 options
-rwxr--r-- 1 root root 7943 2007-03-01 10:59 options.orig
-rwxr--r-- 1 root root 8297 2007-05-15 16:01 options.ppp0
-rw------- 1 root root 1482 2007-03-01 13:18 pap-secrets
drwxr-xr-x 2 root root 192 2007-03-12 08:44 peers
-rwxr-xr-x 1 root root 2851 2006-11-25 13:55 poll.tcpip
fernlx2:/etc/ppp # cat options.ppp0
# /etc/ppp/options
# modif 2007-03-01 mme
#
# Not every option is listed here, see man pppd for more details. This file
# is read by the pppd, it is an error when it is not present.
#
# Use the following command to see the active options:
# grep -v ^# /etc/ppp/options | grep -v ^$
#
# The name of this server. Often, the FQDN is used here.
#name <host>
name fernlx2-vpn
refuse-pap
require-mschap-v2
require-mppe
# require-chap
netmask 255.255.255.0
# Enforce the use of the hostname as the name of the local system for
# authentication purposes (overrides the name option).
#usehostname
# If no local IP address is given, pppd will use the first IP address
# that belongs to the local hostname. If "noipdefault" is given, this
# is disabled and the peer will have to supply an IP address.
noipdefault
# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
#ipcp-accept-local
# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
#ipcp-accept-remote
# Run the executable or shell command specified after pppd has terminated
# the link. This script could, for example, issue commands to the modem
# to cause it to hang up if hardware modem control signals were not
# available.
# If mgetty is running, it will reset the modem anyway. So there is no need
# to do it here.
#disconnect "chat -- \d+++\d\c OK ath0 OK"
# Increase debugging level (same as -d). The debug output is written
# to syslog LOG_LOCAL2.
#
debug
# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug n
# noauth means do not require the peer to authenticate itself, this must
# be set if you want to use pppd to connect to the internet. In this case
# *you* must authenicate yourself to the peer(internet provider), so do
# not disable this setting unless you are the dial-in server which where
# the peer has to autenticate to.
auth
# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts
# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock
# Use the modem control lines.(is default)
# modem
# The opposite: local
#
# Description:
# Don't use the modem control lines. With this option, pppd will ignore the
# state of the CD (Carrier Detect) signal from the modem and will not change
# the state of the DTR (Data Terminal Ready) signal.
#
# You need to disable modem and enable local if you want to connect to anoter
# system without using a modem:
#
local
# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
# To allow pppd to work over a rlogin/telnet connection, ou should escape
# XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".)
#asyncmap 200a0000
asyncmap 0
# needed for some ISDN Terminaladaters, namely ELSA, those seem to have
# problems with asyncmap negotiation, so you can turn off this procedure
# in case your ISDN box has trouble with it, by enabling this option.
# You have to disable the asyncmap <x> option to be sure to have it
# active. If you use wvdial, set the ISDN parameter in /etc/wvdial.conf
# instead.
#default-asyncmap
# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data). The value 1492 is for DSL connections (PPP Default -
# PPPoE Header: 1500 - 8 = 1492)
# mru 1492
# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface. The value 1492 is for DSL connections
# (PPP Default - PPPoE Header: 1500 - 8 = 1492)
# mtu 1492
# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
netmask 255.255.255.0
# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
nodetach
# If this option is given, pppd will send an LCP echo-request frame to
# the peer every n seconds. Under Linux, the echo-request is sent when
# no packets have been received from the peer for n seconds. Normally
# the peer should respond to the echo-request by sending an echo-reply.
# This option can be used with the lcp-echo-failure option to detect
# that the peer is no longer connected.
lcp-echo-interval 30
# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection. Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
lcp-echo-failure 4
# Send up to 60 LCP configure-request during negotiation. With a value
# of 2 for lcp-restart below, this might take up to 2 minutes.
lcp-max-configure 60
# Resend unanswered LCP requests after 2 seconds.
lcp-restart 2
# Specifies that pppd should disconnect if the link is idle for n seconds.
idle 600
# Specifies the maximal number of attempts to connect to the server. This
# is useful for dial on demand. Default value is 10.
#maxfail 3
# Disable the IPXCP and IPX protocols.
noipx
# In the file /etc/ppp/filters are some active-filter rules. See man pppd
# and man tcpdump for more informations.
file /etc/ppp/filters
#-------------------------------------------------------------------------
# The next two options are only interesting for you if you are admin of
# a system with other users that use ppp, and those users are normally
# never allowed to add default route, or you do not want users to
# replace the default route.
#-------------------------------------------------------------------------
# enable this to prevent users from attempting to add a default route.
# Use this option with caution: If the user needs to use a program like
# wvdial, he will not be able to connect because wvdial forces defaulroute
# but this is rejected by this option and the user will not be able to
# connect to the internet.
#nodefaultroute
# enable this to prevent users from replacing an existing default route.
#noreplacedefaultroute
#-------------------------------------------------------------------------
# All options below only make sense if you configure pppd to be a dial-in
# server, so don't touch these if you want dial into your provider with
# PPP!
#-------------------------------------------------------------------------
# Set the assumed name of the remote system for authentication purposes
# to <n>.
#
remotename <n>
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. {proxyarp,noproxyarp}
proxyarp
# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dialin from users using a script under Linux to fire up ppp wont work.
#login
# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
#ms-dns 192.168.1.1
#ms-dns 192.168.1.2
# Specify which WINS Servers the incoming connection Win95 or WinNT should use
#ms-wins 192.168.1.50
#ms-wins 192.168.1.51
# added mme
lock
# mtu 1450
# mru 1450
proxyarp
auth
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
# Handshake Auth Method
# +chap
# +mschap-v2
# Data Encryption Methods
# mppe required
fernlx2:/etc/ppp # cat options
# /etc/ppp/options
# modif 2007-03-01 mme
#
# Not every option is listed here, see man pppd for more details. This file
# is read by the pppd, it is an error when it is not present.
#
# Use the following command to see the active options:
# grep -v ^# /etc/ppp/options | grep -v ^$
#
# The name of this server. Often, the FQDN is used here.
#name <host>
name fernlx2-vpn
auth
require-mschap-v2
# require-chap
refuse-pap
# Enforce the use of the hostname as the name of the local system for
# authentication purposes (overrides the name option).
#usehostname
# If no local IP address is given, pppd will use the first IP address
# that belongs to the local hostname. If "noipdefault" is given, this
# is disabled and the peer will have to supply an IP address.
noipdefault
# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
#ipcp-accept-local
# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
#ipcp-accept-remote
# Run the executable or shell command specified after pppd has terminated
# the link. This script could, for example, issue commands to the modem
# to cause it to hang up if hardware modem control signals were not
# available.
# If mgetty is running, it will reset the modem anyway. So there is no need
# to do it here.
#disconnect "chat -- \d+++\d\c OK ath0 OK"
# Increase debugging level (same as -d). The debug output is written
# to syslog LOG_LOCAL2.
#debug
# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug n
# noauth means do not require the peer to authenticate itself, this must
# be set if you want to use pppd to connect to the internet. In this case
# *you* must authenicate yourself to the peer(internet provider), so do
# not disable this setting unless you are the dial-in server which where
# the peer has to autenticate to.
auth
# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts
# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock
# Use the modem control lines.(is default)
# modem
# The opposite: local
#
# Description:
# Don't use the modem control lines. With this option, pppd will ignore the
# state of the CD (Carrier Detect) signal from the modem and will not change
# the state of the DTR (Data Terminal Ready) signal.
#
# You need to disable modem and enable local if you want to connect to anoter
# system without using a modem:
#
local
# async character map -- 32-bit hex; each bit is a character
# t0hat needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
# To allow pppd to work over a rlogin/telnet connection, ou should escape
# XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".)
#asyncmap 200a0000
asyncmap 0
# needed for some ISDN Terminaladaters, namely ELSA, those seem to have
# problems with asyncmap negotiation, so you can turn off this procedure
# in case your ISDN box has trouble with it, by enabling this option.
# You have to disable the asyncmap <x> option to be sure to have it
# active. If you use wvdial, set the ISDN parameter in /etc/wvdial.conf
# instead.
#default-asyncmap
# Set the MRU [Maximum Receive Unit] value to <n> for negotiation. pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128. The default MRU value is 1500. A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data). The value 1492 is for DSL connections (PPP Default -
# PPPoE Header: 1500 - 8 = 1492)
# mru 1492
# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface. The value 1492 is for DSL connections
# (PPP Default - PPPoE Header: 1500 - 8 = 1492)
# mtu 1492
# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
netmask 255.255.255.0
# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
nodetach
# If this option is given, pppd will send an LCP echo-request frame to
# the peer every n seconds. Under Linux, the echo-request is sent when
# no packets have been received from the peer for n seconds. Normally
# the peer should respond to the echo-request by sending an echo-reply.
# This option can be used with the lcp-echo-failure option to detect
# that the peer is no longer connected.
lcp-echo-interval 30
# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection. Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
lcp-echo-failure 4
# Send up to 60 LCP configure-request during negotiation. With a value
# of 2 for lcp-restart below, this might take up to 2 minutes.
lcp-max-configure 60
# Resend unanswered LCP requests after 2 seconds.
lcp-restart 2
# Specifies that pppd should disconnect if the link is idle for n seconds.
idle 600
# Specifies the maximal number of attempts to connect to the server. This
# is useful for dial on demand. Default value is 10.
#maxfail 3
# Disable the IPXCP and IPX protocols.
noipx
# In the file /etc/ppp/filters are some active-filter rules. See man pppd
# and man tcpdump for more informations.
file /etc/ppp/filters
#-------------------------------------------------------------------------
# The next two options are only interesting for you if you are admin of
# a system with other users that use ppp, and those users are normally
# never allowed to add default route, or you do not want users to
# replace the default route.
#-------------------------------------------------------------------------
# enable this to prevent users from attempting to add a default route.
# Use this option with caution: If the user needs to use a program like
# wvdial, he will not be able to connect because wvdial forces defaulroute
# but this is rejected by this option and the user will not be able to
# connect to the internet.
#nodefaultroute
# enable this to prevent users from replacing an existing default route.
#noreplacedefaultroute
#-------------------------------------------------------------------------
# All options below only make sense if you configure pppd to be a dial-in
# server, so don't touch these if you want dial into your provider with
# PPP!
#-------------------------------------------------------------------------
# Set the assumed name of the remote system for authentication purposes
# to <n>.
#remotename <n>
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. {proxyarp,noproxyarp}
proxyarp
# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dialin from users using a script under Linux to fire up ppp wont work.
#login
# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
#ms-dns 192.168.1.1
#ms-dns 192.168.1.2
# Specify which WINS Servers the incoming connection Win95 or WinNT should use
#ms-wins 192.168.1.50
#ms-wins 192.168.1.51
# added mme
lock
mtu 1450
mru 1450
proxyarp
auth
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
# Handshake Auth Method
+chap
+mschap-v2
# Data Encryption Methods
mppe required
fernlx2:/etc/ppp # cat chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
# modif mme 2007-03-01
# OUTBOUND CONNECTIONS
# Here you should add your PPP Login and PPP password to connect to your
# provider via pap. The * means that the entry(login and passoword may be
# used for ANY host you connect to.
# Thus you do not have to worry about the foreign machine name. Just
# replace password with your password.
#hostname * password
# PREDIFINED CONNECTIONS
# These are user and password entries for publically accessible call-by-call
# Internet providers in Germany. If they confict with your config, remove them.
# READ_IN_CALLBYCALL_SECRETS
# INBOUND CONNECTIONS
#client hostname <password> 192.168.1.1
mme fernlx2-vpn +++++++ 192.168.3.2
daniel fernlx2-vpn +++++++ 192.168.3.3
robert fernlx2-vpn +++++++ 192.168.3.4
buchhaltung fernlx2-vpn +++++++ 192.168.3.5
---------------
Note: I have replaced the passwords here with "+++++++".
To all those who have understood everything, or most of it, up to here :thumb: : can the error be identified unambiguously? Is any information missing?
Is there a really >>>>good<<<<< guide for setting up a VPN?
You don't need to install any additional software on the client, do you?
Many thanks for suggestions, tips or solutions!
Regards
ethernet
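An added example, not from the original post and not pppd's or pptpd's own code: a small Python script that mimics pppd's documented CHAP secret lookup (the entry's client field must equal the configured `remotename`, the server field must equal our `name`, `*` matches anything, and an unset `remotename` accepts any client) and runs it over a constructed copy of the chap-secrets shown above together with the active lines of the poster's options.ppp0. It shows why the literal `remotename <n>` in options.ppp0 leaves pppd with no matching entry, which is exactly what the "couldn't find any suitable secret" line in the log reports.

```python
"""Mimic pppd's chap-secrets lookup to explain the log message above.

Added example, not code from the post or from pppd. The matching rule
follows pppd's documented behaviour: an entry is usable when its client
field equals the peer name (the 'remotename' option) or is '*', and its
server field equals our 'name' option or is '*'. With no 'remotename'
configured, pppd accepts any client field.
"""
import shlex

# Constructed sample mirroring the poster's chap-secrets (secrets replaced).
CHAP_SECRETS = """\
# client server secret IP addresses
mme fernlx2-vpn +++++++ 192.168.3.2
daniel fernlx2-vpn +++++++ 192.168.3.3
robert fernlx2-vpn +++++++ 192.168.3.4
buchhaltung fernlx2-vpn +++++++ 192.168.3.5
"""

# Constructed: only the lines of options.ppp0 that matter for the lookup.
# OPTIONS_BROKEN keeps the literal placeholder 'remotename <n>' from the post;
# OPTIONS_FIXED comments it out, as the stock /etc/ppp/options does.
OPTIONS_BROKEN = "name fernlx2-vpn\nauth\nrequire-mschap-v2\nremotename <n>\n"
OPTIONS_FIXED = "name fernlx2-vpn\nauth\nrequire-mschap-v2\n#remotename <n>\n"


def parse_options(text):
    """Return {option: value} for the active (non-comment) lines of a pppd options file."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1] if len(parts) > 1 else True
    return opts


def parse_chap_secrets(text):
    """Parse chap-secrets into (client, server, secret, addresses) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            continue  # malformed line, pppd would skip it too
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def _field_matches(field, wanted):
    # '*' in the file matches anything; an empty wanted name means
    # the option was not configured and any value is acceptable.
    return field == "*" or wanted == "" or field == wanted


def usable_secrets(entries, our_name, remote_name):
    """Entries pppd could use to authenticate peer `remote_name` to server `our_name`."""
    return [e for e in entries
            if _field_matches(e[0], remote_name) and _field_matches(e[1], our_name)]


def diagnose(options_text, chap_text):
    """Return (our name, expected peer name, client names of usable entries)."""
    opts = parse_options(options_text)
    our_name = opts.get("name", "")
    remote_name = opts.get("remotename", "")
    matches = usable_secrets(parse_chap_secrets(chap_text), our_name, remote_name)
    return our_name, remote_name, [m[0] for m in matches]


if __name__ == "__main__":
    for label, opts in (("broken", OPTIONS_BROKEN), ("fixed", OPTIONS_FIXED)):
        name, remote, clients = diagnose(opts, CHAP_SECRETS)
        print(f"{label}: name={name!r} remotename={remote!r} usable clients={clients}")
```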