Scott Merrill wrote:
> Thanks, Tom, for pointing me toward your PPTP documentation.
> 
> I copied your config files pretty much verbatim (except the connection and cron scripts), and then manually tried to connect to my Poptop server with:
> pptp <POPTOP IP> user <username> noauth
> 
> I see that it connects for a bit.  'ps a' lists the pptp and pppd processes; 'ip addr' shows the ppp0 link -- although it does _not_ have an IP address assigned.
> 
> After a couple of minutes the connection drops.  Nothing shows up in the LEAF /var/log/syslog.
> 
> Here's what shows up in the Poptop server logs:
> Sep 25 17:15:44 flg2 pptpd[15636]: CTRL: Starting call (launching pppd, opening GRE)
> Sep 25 17:15:44 flg2 pppd[15637]: pppd 2.4.1 started by root, uid 0
> Sep 25 17:15:44 flg2 pppd[15637]: Using interface ppp1
> Sep 25 17:15:44 flg2 pppd[15637]: Connect: ppp1 <--> /dev/pts/1
> Sep 25 17:15:44 flg2 pptpd[15636]: GRE: xmit failed from decaps_hdlc: Operation not permitted
> Sep 25 17:15:44 flg2 pptpd[15636]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> Sep 25 17:15:44 flg2 pptpd[15636]: CTRL: Client 24.208.187.129 control connection finished
> Sep 25 17:15:44 flg2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=<POPTOP IP> DST=24.208.187.129 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=45769 DF PROTO=47
> Sep 25 17:15:44 flg2 pppd[15637]: Modem hangup
> Sep 25 17:15:44 flg2 pppd[15637]: Connection terminated.
> Sep 25 17:15:44 flg2 pppd[15637]: Exit.
> Sep 25 17:15:46 flg2 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:60:3c:2d:00:4f:4e:09:27:4b:08:00 SRC=24.208.187.129 DST=<POPTOP IP> LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=36117 DF PROTO=47
> 
> The "GRE: xmit failed from decaps_hdlc" bit is new, as is the Shorewall hit -- I've never seen a PPTP client get caught in the packet filters before.
> 
> Both LEAF and the Poptop server have the following entries in /etc/shorewall/rules:
> ACCEPT net FW 47 -
> ACCEPT net FW tcp 1723
> ACCEPT FW net 47 -
> ACCEPT FW net tcp 1723
> 
> Where should I start diagnosing this?

Find out why

        ACCEPT net FW 47 -

doesn't give you an error since the firewall zone is 'fw' (not FW). 
Seriously: If eth0 is your internet interface then you CAN'T have an 
ACCEPT rule for net->fw for protocol 47 and still be seeing the Shorewall 
messages you show above...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
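The diagnosis above boils down to two checks: do the zone names in the rules file actually exist (Shorewall's firewall zone is "fw", so "FW" names nothing), and does any valid ACCEPT rule cover the zone pair and protocol that the kernel log shows being rejected or dropped. The script below is an added example, not code from the thread or from the Shorewall project. It assumes the zones "fw", "net" and "loc" are defined and that eth0 is the internet interface; the sample rules and log lines are constructed from the ones quoted above, with 192.0.2.10 standing in for the redacted <POPTOP IP>.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

# Assumptions (not taken from the thread): the zones defined in
# /etc/shorewall/zones and which interface belongs to which zone.
# Zone names are case-sensitive and the firewall itself is the zone "fw".
ZONES = {"fw", "net", "loc"}
IFACE_ZONE = {"eth0": "net"}

# Protocol names that may appear in a rule or in a PROTO= log field.
PROTO_NUMBERS = {"icmp": "1", "tcp": "6", "udp": "17", "gre": "47"}

# Constructed sample input, built from the rules and log lines quoted above.
RULES_TEXT = """\
ACCEPT net FW 47 -
ACCEPT net FW tcp 1723
ACCEPT FW net 47 -
ACCEPT FW net tcp 1723
"""
LOG_LINES = [
    "Sep 25 17:15:44 flg2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=192.0.2.10 DST=24.208.187.129 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=45769 DF PROTO=47",
    "Sep 25 17:15:46 flg2 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:a0:cc:60:3c:2d:00:4f:4e:09:27:4b:08:00 SRC=24.208.187.129 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=36117 DF PROTO=47",
]


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str   # "-" means any protocol
    dport: str   # "-" means any destination port


def proto_number(p: str) -> str:
    p = p.lower()
    return PROTO_NUMBERS.get(p, p)


def parse_rules(text: str) -> list[Rule]:
    """Parse ACTION SOURCE DEST [PROTO [DPORT]] lines from a Shorewall rules file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        proto = parts[3] if len(parts) > 3 else "-"
        dport = parts[4] if len(parts) > 4 else "-"
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], proto, dport))
    return rules


def audit_zones(rules: list[Rule]) -> list[tuple[Rule, str, Optional[str]]]:
    """Flag undefined zone names; suggest a case-only fix when one exists (FW -> fw)."""
    problems = []
    for r in rules:
        for zone in (r.source, r.dest):
            if zone in ZONES or zone == "all":
                continue
            hint = zone.lower() if zone.lower() in ZONES else None
            problems.append((r, zone, hint))
    return problems


def fix_zone_case(rules: list[Rule]) -> list[Rule]:
    """Return a copy of the rules with case-only zone typos corrected."""
    def fix(z: str) -> str:
        return z.lower() if z not in ZONES and z.lower() in ZONES else z
    return [replace(r, source=fix(r.source), dest=fix(r.dest)) for r in rules]


LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_log(line: str) -> Optional[dict]:
    """Turn a Shorewall kernel log line into source/destination zones, protocol and port."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)

    def zone_of(iface: str) -> str:  # an empty interface means the firewall itself
        return "fw" if iface == "" else IFACE_ZONE.get(iface, "?")

    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src_zone": zone_of(fields.get("IN", "")),
        "dst_zone": zone_of(fields.get("OUT", "")),
        "proto": proto_number(fields.get("PROTO", "")),
        "dport": fields.get("DPT"),
    }


def rule_matches(rule: Rule, pkt: dict) -> bool:
    # A rule naming an undefined zone never matches anything, whatever else it says.
    if rule.source not in ZONES or rule.dest not in ZONES:
        return False
    if (rule.source, rule.dest) != (pkt["src_zone"], pkt["dst_zone"]):
        return False
    if rule.proto not in ("-", "all") and proto_number(rule.proto) != pkt["proto"]:
        return False
    if rule.dport != "-" and rule.dport != pkt["dport"]:
        return False
    return True


def accepting_rules(rules: list[Rule], line: str) -> list[Rule]:
    """Which ACCEPT rules would have covered the traffic in this log line?"""
    pkt = parse_log(line)
    if pkt is None:
        return []
    return [r for r in rules if r.action == "ACCEPT" and rule_matches(r, pkt)]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for r, zone, hint in audit_zones(rules):
        print(f"undefined zone {zone!r} in {r}" + (f" (did you mean {hint!r}?)" if hint else ""))
    for line in LOG_LINES:
        print(parse_log(line), "covered by:", accepting_rules(rules, line))
    print("after fixing zone case:", [accepting_rules(fix_zone_case(rules), l) for l in LOG_LINES])
```

Run as written, every rule is flagged for the undefined zone "FW" and neither log line is covered by any rule, which is exactly the contradiction Tom points out: the rules as typed cannot be the ones Shorewall loaded. After `fix_zone_case`, the fw->net GRE line is covered by `ACCEPT fw net 47` and the net->fw line by `ACCEPT net fw 47`.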



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html