Bob Miller wrote:

> PPTP is not a secure protocol. Here's a good reference.
> http://www.counterpane.com/pptp.html

Yeah I know, I found that link while looking for HOWTOs. However, it's what they are using at my office, and I don't think I'll be able to talk them into something better like IPSec because it's working now and why fix what's not broken (or what's perceived not to be broken anyway)...
> In the Windows example, you got a client IP of 206.163.164.206, which I think the server allocated for you. I think that should be the address you assign to ppp0.

The problem is that I am getting that IP address dynamically so I can't rely on it being 206. It can be anything from 203 to 212. However, I figured this out. I simply wasn't telling pppd that it should get the IP configured from the server. You need a 'noipdefault' option to be passed to pppd; in this case it went into /etc/ppp/peers/ori-tunnel, which is the options file set up by pptp-command. I actually remember this option now but alas, it had been so long since I'd manually configured a ppp connection (with the advent of all those whiz-bang GUI tools) that I had forgotten that I needed it.

>> Is it a different protocol than TCP or UDP?
>
> Ask a packet sniffer (on another box) what it sees.

Good idea. I looked at ethereal and it looks like GRE is IP protocol 47. I haven't tried fixing it yet because I have it working now on the client behind the NAT, but I'm sure if I allowed packets in and out on that protocol, it would work. Something like 'iptables -A INPUT -i eth0 -s <IP of VPN Server> -p 47 -j ACCEPT' (and the corresponding rule for the OUTPUT table) would probably do the trick.

So, my remaining problem is getting the routes set up. There are a couple of class C subnets (206.163.164.0 and 192.68.202.0) behind the VPN, so I figured if I just set routes for those networks to go through ppp0, I'd be fine. This seems to work for the 192.68.202 network: when I do route add -net 192.68.202.0 netmask 255.255.255.0 dev ppp0, I can telnet to hosts on that network, woohoo! When I try the same with the other network (which is also the same network my PPP connection is on), it creates a circular route. I try to ping anything behind the VPN and my CPU utilization gets pegged to 100% and the packet goes nowhere. So obviously, something more sophisticated is needed. So here's another request for help.
I'll search around in the meantime and let you know if I figure it out... Thanks for the ideas, Kahli
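An added illustration of the circular-route failure described above (example code, not from this thread or from pptp-command): it models the kernel's longest-prefix route selection and follows where the GRE packets that carry tunnelled traffic would themselves be sent. The PPTP server's public address (206.163.164.1) is an assumption placed inside 206.163.164.0/24 to reproduce the loop; the /32 host route in the last table generalizes beyond the thread to show one way the loop disappears.

```python
import ipaddress

# ASSUMPTION: the PPTP server's outside address sits inside the 206.163.164.0/24
# subnet that is also reached through the tunnel (constructed, not from the thread).
VPN_SERVER = ipaddress.ip_address("206.163.164.1")


def lookup(table, dst):
    """Longest-prefix match over (network, device) pairs, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def trace(table, dst, max_hops=5):
    """Follow the egress decisions for a packet to dst.

    Anything sent via ppp0 is wrapped in GRE addressed to VPN_SERVER, so that
    outer packet is routed again. If it also resolves to ppp0 the tunnel is
    trying to carry its own transport: the circular route from the thread.
    Returns (list of devices chosen, looped).
    """
    path = []
    while len(path) < max_hops:
        dev = lookup(table, dst)
        path.append(dev)
        if dev != "ppp0":
            return path, False
        dst = VPN_SERVER
    return path, True


# Constructed routing tables mirroring the thread's route add commands.
base = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),        # default route, LAN/NAT side
    (ipaddress.ip_network("192.68.202.0/24"), "ppp0"),  # this one works in the thread
]
looping = base + [(ipaddress.ip_network("206.163.164.0/24"), "ppp0")]
# Pinning the tunnel endpoint itself to eth0 with a more specific /32 route
# wins the longest-prefix match and keeps the GRE carrier out of the tunnel.
fixed = looping + [(ipaddress.ip_network(f"{VPN_SERVER}/32"), "eth0")]
```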
