PoPToP HOWTO/FAQ
----------------
Last Updated: 20021024
Send changes to: Richard de Vroede <r.devroede@linvision.com>

HOWTO/FAQ mostly compiled from PoPToP help pages and the PoPToP Mailing List
(hosted by Christopher Schulte) by Matthew Ramsay. Large contributions from
Steve Rhodes and Michael Walter.


Contents
--------
1.0 Introduction
    1.1 About PoPToP
    1.2 Credits
    1.3 PoPToP migrating from poptop.lineo.com
2.0 System Requirements
3.0 PoPToP Installation
4.0 Windows Client Setup
5.0 FAQ


1.0 Introduction
----------------
1.1 About PoPToP
PoPToP is the PPTP Server solution for Linux. PoPToP allows Linux servers to
function seamlessly in the PPTP VPN environment. This enables administrators
to leverage the considerable benefits of both Microsoft and Linux. The
current pre-release version supports Windows 95/98/NT/2000 PPTP clients and
PPTP Linux clients. PoPToP is free GNU software.

PoPToP Home Page: http://www.moretonbay.com/vpn/pptp.html
(see 1.3 and 2.0 below for the current SourceForge location)

1.2 Credits
PoPToP was originally started by Matthew Ramsay under the control of
Moreton Bay Ventures (http://www.moretonbay.com). Around March 1999 PoPToP
was publicly released under the GNU GPL by Moreton Bay/Lineo.

PoPToP is what it is today due to the help of a number of intelligent and
experienced hackers. More specifically Kevin Thayer, David Luyer and
Peter Galbavy.

More contributors to PoPToP (in various forms) include Allan Clark, Seth
Vidal, Harald Vogt and Ron O'Hara.

And finally, credit to all the PoPToP followers who test and report
problems.

1.3 PoPToP migrating from poptop.lineo.com
March 18, 2002

The main PoPToP developers left Lineo with the SnapGear spin-out. The ball
is being picked up by Daniel Djamludin. PoPToP has been actively developed
within SnapGear and a number of improvements need to be rolled out.

Henceforth from this sentence onwards you should refer to "PoPToP" as
"Poptop" for ease of use and typing.

Lineo have been asked to forward poptop.lineo.com to poptop.sourceforge.net

The sources are being gathered to go into CVS; new binaries and dev images
will follow.

SourceForge looks like the best neutral ground to smooth out future
upheavals.


2.0 System Requirements
-----------------------
1. A modern Linux distribution (such as Debian, Red Hat, etc.) with a recent
   kernel (2.4.x recommended, 2.2.x should be ok). Note: ports exist for
   Solaris, BSD and others but are not supported in this HOWTO at this
   time.
2. PPP (2.4.1 recommended, 2.3.11 should be ok), plus the MSCHAPv2/MPPE
   patch if you want Microsoft-compatible authentication and encryption.
   Without that patch pppd only offers PAP/CHAP and no MPPE, so the tunnel
   carries its traffic in the clear; treat the patch as required for any
   server reachable from the Internet.
3. PoPToP v1.1.3 (or download the latest release at
   http://sourceforge.net/projects/poptop)


3.0 PoPToP Installation
-----------------------
Check out the documentation at http://sourceforge.net/docman/?group_id=44827


4.0 Windows Client Setup
------------------------

On Windows 98, install VPN support first with the Add/Remove Programs tool:
Windows Setup -> Communications -> tick "Virtual Private Networking".

If you do this the VPN adapter is normally installed for you and you can
skip the adapter steps below and go straight to the connection setup.

Otherwise, install the adapter by hand:

   1. Start -> Settings -> Control Panel -> Network
   2. Click Add
   3. Choose Adapter
   4. Click Add
   5. Select Microsoft as the manufacturer
   6. Select Microsoft Virtual Private Networking Adapter
   7. Click OK
   8. Insert any necessary disks
   9. Reboot your machine

Take a little nap here...

Once your machine is back:

   1. Go to Dial-Up Networking (usually Start -> Programs -> Accessories ->
      Communications -> Dial-Up Networking), YMMV
   2. Click Make New Connection
   3. Name the connection whatever you'd like.
   4. Select Microsoft VPN Adapter as the device
   5. Click Next
   6. Type in the IP address or hostname of your PPTP server
   7. Click Next
   8. Click Finish
   9. Right-click on the new connection's icon
  10. Select Properties
  11. Choose Server Types
  12. Check "Require encrypted password" (and "Require data encryption" if
      your pppd carries the MPPE patch; without it the client still
      connects, but nothing in the tunnel is encrypted)
  13. Uncheck NetBEUI and IPX/SPX compatible
  14. Click TCP/IP Settings
  15. Turn off "Use IP header compression"
  16. Turn off "Use default gateway on remote network" (only traffic for
      the remote subnet then goes through the tunnel; leave it on if you
      want all of the client's traffic to go via the server)
  17. Click OK
  18. Start that connection
  19. Type in your username and password
  20. Once it finishes connecting you're up.


Note that the Win95 routine is similar but requires Dial-Up Networking
Update 1.3 (free from Microsoft) to be installed first. For MPPE encryption
on Win95/98 you also need MSDUN 1.4; see the first post in the FAQ below.


5.0 FAQ
-------

Q&A.
INTRODUCTION

After spending the better part of two weeks developing my configuration
for a pptp server for remote file access by Windows(tm) clients, I
thought I would pass along these notes to those who may be interested.

The basic configuration involves a Samba/PoPToP server behind a
firewall, through which clients using Win98 machines will connect using
the VPN facility built into that OS. This is diagrammed below.

 _____          ___          ______        ______
|     |        |   \        | fire |      | file |
| win | ---> / net  \ ---> | wall | ---> | srvr |
|_____|      \__/\_/       |______|      |______|


The components of the system consist of the Win98 clients running the
built-in VPN facility dialing in to their ISP's and connecting through
the firewall to the Samba server on the internal network using the pptp
protocol. The firewall uses Network Address Translation to convert an
open Internet IP address to an internal one. Sounds simple enough
right?

SIMPLE TEST SETUP

As a starting point, I configured a Win98 box to connect directly to a
PoPToP server without any authentication or encryption.
This was just to get a feel for how pptp works and verify the setup.
Using the pre-packaged rpm's was a big help here. You just rpm the thing
onto the system and fire it up, and you're in business. The diagram
below represents this simple system.


 192.168.56.142                      192.168.56.11
   _____                                ______
  |     |                              | file |
  | win | ---------------------------> | srvr |
  |_____|                              |______|

Emboldened by my success, I set out to turn on MS authentication and
encryption, and this is where the fun started.

AUTHENTICATION AND ENCRYPTION

This is an area where Microsoft really shows its true colors. Turning
on password and data encryption on the Win98 VPN server configuration
was quite the eye opening experience. First with the authentication,
you will have to go through a somewhat difficult compilation of the
ppp-2.3.8 package. The worst part here is getting all the pieces
together, namely the rc4 files. This process is well documented in this
archive, so I won't go into it here.

The next realization is that Microsoft prepends the domain name to the
user name when submitting the login credentials. For example, srhodes is
now DBNET\\srhodes. If that wasn't bad enough, I found that the domain
wasn't even the one I was logged into. My best guess is that the first
domain that the computer ever logs into is stuck with it for ever. This
is a real problem if you have multiple domains that you log into. I
modified the pppd.c code to strip out the domain on MSCHAP logins, but
you can just set the user name in chap-secrets to match the windows
version.

Then I spent a whole day trying to figure out why data encryption does
not work. I tried just about everything I could think of that could be
wrong. That's when I discovered this archive, for which I am truly
grateful. It turns out that the Win9x implementation of encryption is
FUBAR!
You have to download one of those patches from Microsoft,
MSDUN 1.4, to get the thing to work.

Windows 95
http://download.microsoft.com/download/win95/Update/17648/W95/EN-US/dun14-95.exe

Windows 98
http://download.microsoft.com/download/win98/Update/17648/W98/EN-US/dun14-98.exe

Windows 98se
http://download.microsoft.com/download/win98SE/Update/17648/W98/EN-US/dun14-SE.exe


FIREWALL CONFIGURATION

The issue with a firewall in this setup is that you need to cover two
types of protocol communication. There is one connection which is a tcp
connection on port 1723 that handles the control functions and another
connection using IP type 47, or GRE, which handles the actual data
communication. This second connection presents a problem for the
conventional linux firewall, ipfwadm. You see, it's only set up to handle
tcp, udp and icmp protocols. It doesn't know about GRE.

The trick around this block is to use one of the new 2.2 kernels, which
employ a new firewall called ipchains. This tool will handle arbitrary
protocols, which can be specified by their numbers.


 192.168.2.142                                    192.168.56.11
   _____                 ______                      ______
  |     |               | fire |  192.168.56.1      | file |
  | win | ------------->| wall | -----------------> | srvr |
  |_____|  192.168.2.1  |______|                    |______|



You need to remember a few things before getting too deep into this.
The default gateway on win is set to 192.168.2.1, and the default
gateway on file srvr is set to 192.168.56.1. The firewall has the two
network interfaces spanning the two subnets and is configured for
IP forwarding. If you have not yet applied any firewall rules, this
configuration will work as before. The interesting part is to block out
all other access to file srvr by implementing ipchains rules.

The short story is:

ipchains -F
ipchains -P forward DENY
ipchains -I forward -p tcp -d 192.168.56.11 1723 -j ACCEPT
ipchains -A forward -p tcp -s 192.168.56.11 1723 -j ACCEPT
ipchains -A forward -p 47 -d 192.168.56.11 -j ACCEPT
ipchains -A forward -p 47 -s 192.168.56.11 -j ACCEPT


NETWORK ADDRESS TRANSLATION

The next hurdle is to configure the firewall so that it can run an open
internet IP address on the outside and allow access to an internal
address on the inside. NAT is very well suited to this task, although
you may hear otherwise from knowledgeable sources. It happens to be my
preference, though certainly not the only way to skin this cat. You can
obtain the NAT software and some detailed information from

http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html

But again, there is a problem with the GRE protocol of type 47. The
tool for configuring NAT, ipnatadm, like its half-brother ipfwadm, is
not set up to handle arbitrary protocols. Unfortunately, you'll have to
go into the code and make a slight modification if you want to use it
for this purpose. There is a procedure called parse_protocol in the
file routines.c that discriminates the type of protocol to be filtered.
The basic idea is to accept a string representing a number and use that
as the filter. Since you have to recompile the kernel anyway to get the
NAT functionality, maybe it's not so horrible, relatively speaking.

For those ambitious enough, here is the diff for the routines file, copy
this into a file called routines.diff and use the command patch -p0 <
routines.diff from within the same directory.


--- routines.c	Thu Mar 25 15:41:58 1999
+++ /mnt/zip/nat/routines.c	Wed Jul 21 21:09:28 1999
@@ -112,11 +112,18 @@
     else if (strncmp("icmp", s, strlen(s)) == 0)
         nat_set.nat.protocol = IPPROTO_ICMP;
     else {
+        int number;
+        char * end;
+        number = (int)strtol(s, &end, 10);
+        nat_set.nat.protocol = number;
+    }
+    /*
+    else {
         fprintf(stderr, "ipnatadm: invalid protocol \"%s\"
specified\n", s);
         exit_tryhelp(2);
-        /* make the compiler happy... */
         return;
     }
+    */
 }
 
 void parse_hostnetworkmask(char *name, struct in_addr **addrpp, __u32
*maskp, int *naddrs)



The patch is actually lifted from ipchains, which was derived from
ipfwadm, which provides the basis for ipnatadm.

Once you've got all that running, what you want to do is to set up the
NAT rules so that the incoming client thinks it's talking to the
firewall, as does the outgoing file server. The short of it is:

ipnatadm -F
ipnatadm -I -i -P 6 -D 192.168.2.1 1723 -N 192.168.56.11 1723
ipnatadm -O -i -P 6 -S 192.168.56.11 1723 -M 192.168.2.1 1723
ipnatadm -I -i -P 47 -D 192.168.2.1 -N 192.168.56.11
ipnatadm -O -i -P 47 -S 192.168.56.11 -M 192.168.2.1


Here, the -P argument sets the protocol, 6 is tcp and 47 is GRE.
PPTP packets targeting the firewall are translated to the internal host
inbound and vice-versa on the way out. Very slick.

SAMBA

Here's a subject so complex you could probably devote a whole career to
it. We don't want to get too bogged down, so I'll be brief. Samba
implements the NetBIOS protocol, which has more quirks than you can
shake a stick at. One of the biggest problems is the use of subnet
broadcasting. Suffice it to say, if you want the best results, you
should set your PoPToP IP addresses to reside within the subnet on which
the file server ethernet is located.

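Review bot: in the added strtol branch of parse_protocol the `end` pointer that strtol fills in is never examined, so a non-numeric argument such as `-P gre` silently becomes protocol 0 instead of an error, and the `fprintf(stderr, "ipnatadm: invalid protocol ...")` / `exit_tryhelp(2)` path that used to report it is commented out rather than kept as the fallback. Check `end != s && *end == '\0'` and that `number` fits the protocol field (0 to 255) before the assignment, and leave the original error branch in place for every other input, e.g. `if (end == s || *end != '\0' || number < 0 || number > 255) { fprintf(...); exit_tryhelp(2); }`.
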
I chose 192.168.56.12 for the server address, and it hands out IP's from
192.168.56.13-127. Setting the IP forwarding on the file server to true
will give you access to other machines on the internal network.

When you go at the samba server from Win98, you have to use encrypted
passwords. Look at smbpasswd and related stuff.

Finding shares on the server is not so easy. The short story here is
that browsing is implemented via broadcast packets, and broadcast
packets will not travel down a PPP link. The only way to get browsing
to work over pptp is to set Samba up as a WINS server and a Domain login
server, and configure the clients to use that WINS server and force them
to login to that Domain. Believe me, I tried just about everything to
avoid that. You will also want to set the samba server as the domain
master and preferred master for the browsing.

If you can't do that, you can set the ppp/options file to include a
ms-wins setting for the samba server. This will set the clients up so
they can at least resolve host names. The only way to find a share
under this configuration is to name it explicitly. You can use the
tools menu from the Win98 file browser and say find -> computer and
enter in the name of the samba server and it will be found. I have
found that setting domain master = yes and preferred master = yes gives
a rather nice boost to the speed of name lookups on the network.

Here is my abbreviated smb.conf

[global]
        workgroup = VAULT
        server string = acer
        log file = /var/log/samba/log.%m
        max log size = 50
        security = user
        encrypt passwords = yes
        smb passwd file = /etc/smbpasswd
        socket options = TCP_NODELAY
        domain master = yes
        preferred master = yes
        domain logons = yes
        wins support = yes
        dns proxy = no
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

You should also use the lmhosts option for nmbd (-H) and set up an
lmhosts file on the samba server. Make sure also that the samba server
can resolve its own name, through either /etc/hosts or DNS.

In all honesty, I went through the same simple test setup with samba as
I did for PoPToP, although it's not shown here explicitly.

CONCLUSION

PoPToP is a good program, as is Samba. This configuration can work if
you put a little effort into it. I have seen a lot of questions here
and in other places about these types of systems, so I would think that
there is some demand on the part of users who want this type of
functionality. I hope these notes are useful to you if this is what you
want to do.

****************************************************************************
Q&A
I have a pptp server set up on my office LAN. I can connect to the
server and ping to it fine, but I can't ping any other hosts on the
office subnet. I have ip-forwarding turned on and I have proxyarp set
in the ppp/options file. What can be wrong?

There seem to be a lot of questions floating around about routing and
masq'ing associated with this issue.

Well, my curiosity got the best of me, so I thought I would check this
out. Shown below is my test setup for investigating this problem.


192.168.8.142          192.168.56.10        192.168.56.11       192.168.56.12
 ________               _______              ______              _____
|        |             |       |            |      |            |     |
| client |------------>| fire  |----------->| pptp |----------->| host |
|        |             | wall  |            | srvr |            |     |
|________|             |_______|            |______|            |_____|
    H                                          H
    H             192.168.8.10                 H
    H                                          H
    H==========================================H
192.168.5.12            pptp connection       192.168.5.11


For the sake of simplicity, we will ignore address translation issues
associated with the firewall. This assumes that the client at
192.168.8.142 is going to use 192.168.56.11 as its target address for
the pptp connection to pptp_srvr. The firewall will block all access to
the 192.168.56.0 subnet except for pptp connections associated with
pptp_srvr. This can be implemented with ipchains

ipchains -P input DENY
ipchains -P forward DENY
ipchains -A input -s 192.168.56.0/24 -j ACCEPT      # allow connections from inside
ipchains -A input -p tcp -d 192.168.56.11 1723 -j ACCEPT
ipchains -A input -p 47 -d 192.168.56.11 -j ACCEPT
ipchains -A forward -p tcp -d 192.168.56.11 1723 -j ACCEPT
ipchains -A forward -p tcp -s 192.168.56.11 1723 -j ACCEPT
ipchains -A forward -p 47 -d 192.168.56.11 -j ACCEPT
ipchains -A forward -p 47 -s 192.168.56.11 -j ACCEPT

When you connect from client to pptp_srvr, you will be able to complete
the connection and ping to pptp_srvr. However, if you attempt to ping
host, at 192.168.56.12, this will fail.

A clue to this problem can be found in the /var/tmp/messages file on
pptp_srvr. There, in the pppd messages, you will find

Cannot determine ethernet address for proxy ARP

This is due to an issue with the pppd program, which attempts to find a
hardware interface on the subnet to which the pppd client has been
assigned. In this case it's looking for a hardware interface on the
192.168.5.0 subnet. It will fail to find one, and will drop the
proxyarp request.

The simplest way around this problem, and the one that is suggested in
the pppd documentation, is to set the pppd client IP assignment to be on
the local subnet. An example in this case might be 192.168.56.129.
However, it may not be possible to do that. In the case of a fully
loaded subnet, there may not be any addresses to spare. Or there may be
some security issues with giving out local subnet addresses. What to
do?

The place to look is in the arp table. If you run tcpdump on host
(192.168.56.12) during the time when client is pinging, you will see
unanswered arp requests from host attempting to find the hardware
address for 192.168.5.12. You need to proxy the hardware address of the
pptp_srvr for client in order for this request to be fulfilled. This is
the job of proxyarp. However, proxyarp has let us down in this
instance, and we need to find a workaround.

This can be done manually using the arp command on pptp_srvr. For
example, if the hardware address of the ethernet card on pptp_srvr is
00:60:08:98:14:14, you could force the arp to proxy the client pptp
address by saying

arp --set 192.168.5.12 00:60:08:98:14:14 pub

You should now be able to ping from client to host through the pptp
connection.

This can be a problem, however, in a dynamic environment when clients
are logging into and out of the pptp server on a continuous basis. One
way around this problem is to write a script that will execute upon the
initiation of each ppp connection.

The place to do this is in /etc/ppp/ip-up. This script is executed each
time a new ppp connection is started. It gets some variables passed
into it, one of which is the assigned IP address of the client. Note
that RedHat systems use ip-up.local as the place for you to make the
script. Don't forget to chmod +x !


#!/bin/bash
# pppd runs ip-up as:
#   ip-up <interface> <tty> <speed> <local-IP> <remote-IP> <ipparam>
# so $5 is the address pppd just assigned to the client.

REMOTE_IP_ADDRESS=$5

# hardware address of the ethernet card on pptp_srvr (see the arp example above)
ETHER_ADDR=00:60:08:98:14:14

date > /var/run/ppp.up
echo "REMOTE_IP_ADDRESS = " $REMOTE_IP_ADDRESS >> /var/run/ppp.up
# publish our own MAC for the client's address so LAN hosts can reach it
arp --set $REMOTE_IP_ADDRESS $ETHER_ADDR pub >> /var/run/ppp.up

exit 0


This should put you in business for accessing the remote subnet under
this scenario. I am a little bit concerned, however, because I also
built a script ip-down.local, that should remove the arp proxy when
client disconnected. It doesn't seem to do anything, however, and if I
try to delete the arp entry manually, it just spits out a cryptic error
message. The arp entries remain persistent, as far as I can tell. If
this is a problem or not, I don't know. The next few clients that log
in are treated well, so I guess it's OK.

****************************************************************************
Q.
Also, after running pptpd and monitoring its log file and seeing that it
failed to open ttyp1 - I chmod +rw /dev/ttyp[0-9] and it seemed to work
somewhat. But, after I rebooted, I had to do this again. Is this normal?

A.
pptpd should be running as root (unless you have a system with a setuid
openpty() helper, which isn't very common). If it fails to open a pty/tty
pair as root then that is probably because it is in use.

Other programs which use pty/tty's will change their permissions back to
the standard ones.

****************************************************************************
Q.
sometimes when I make a connection to my pptpd server I
see a message like

Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-21
Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-26
Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-24
Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-21
Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-26
Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-24
Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-26
Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-24
Jul  2 17:30:03 ape modprobe: can't locate module ppp-compress-21


in /var/log/messages on the server. Any idea what I
can do about it?

A.
yeah, in your /lib/modules/<kernel version>/net/ directory, there should
be files called bsd_comp.o and ppp_deflate.o.. insmod those files and
you'll be good to go.

****************************************************************************
Q.
Hi, I'm having trouble getting pptpd & mschap-v2 to work. I downloaded
all of the patches and compiled everything but whenever I try to connect
from my win98 machine, it says:

Error 691: The computer you have dialed in to has denied access because
the username and/or password is invalid on the domain.

What is this supposed to mean?

A.
Error 691 is an authentication problem probably due to the fact that MS
chap uses the domain name and username combo to authenticate. If you
look at the logs you will probably see a message saying that MS chap is
trying to authenticate user "domain\\username". I got it to work by
putting the full domain and user string in the client portion of the
chap-secrets file.

# Secrets for authentication using CHAP
# client            server    secret      IP addresses
workgroup\\user     server    password    *

If anyone knows how to get it to default to a particular domain, I would
like to know.

****************************************************************************
Q.
how do I go about checking who is logged in via tunnel?

I need some way of writing the pppd data to wtmp/utmp.
(and not sessreg either)

does anyone know of any way of doing this via ppp?

A.
pppd syslogs everything to /var/log/messages (that's the default on my box
anyways) and it will say something like:
pppd[15450]: CHAP peer authentication succeeded for <username>

you could do a tail /var/log/messages -n2000 | grep CHAP if you wanted to
see who has been logging in.

other than that, there's not much I know of. all the authentication is
provided by pppd (if you don't have an auth or a require-chap (or pap, etc.)
option, it doesn't even ask for a username).

****************************************************************************
Q.
My NT client won't connect!

A.
Try taking header and software compression off.


****************************************************************************
Q. PPTP *client* stops working.

A.
go to /var/run/pptp/ and look for a socket named x.x.x.x
delete it and try it again.

****************************************************************************
Q.
How many clients does PoPToP support?

A.
The limits under Linux are:

  per-process filedescriptors
    - one per client (would limit clients to 256 by default,
      or 1024 with kernel recompile, or more with major libc/kernel
      hackery)
    - no relevant limit

  ttys - currently, with a standard kernel, 256 clients
       - with Unix98 ptys and a small amount of coding, 2048

  ppp devices
    - no limit in kernel source for ppp
    - limit of 100 in dev_alloc_name() in 2.2.x

        for(i=0;i<100;i++)
        {
                sprintf(dev->name,name,i);
                if(dev_get(dev->name)==NULL)
                        return i;
        }

    best fix is probably to keep a static int ppp_maxdev so you
    don't end up doing 2000 dev_get's to allocate the 2001'th
    device.

  processes
    - 2 per client plus system processes
    - standard kernel max = 512 processes, ie 256 clients
    - i386 max = 4096 processes, ie 2048 clients

So it seems that 2048 will be the limit, if you fix a few things and
with a minor kernel mod (I could do all of these pretty easily and send
you a trivial kernel patch). To go above 2048 the easiest approach would
be to combine pptpctrl and pppd in one process, which would get you to
4096. Beyond there, you need to go for a select() based model, which would
be significant coding effort and require large fd-set sizes and so on.
So 4096 is the practical limit, and 2048 the easy limit.

****************************************************************************
Q.
What authentication methods (PAP/CHAP) does PoPToP work with?

A.
PoPToP uses whatever authentication methods your PPPd provides (usually
PAP and CHAP). With PPPd patches you can get MSCHAP and MSCHAPv2
authentication as well.

****************************************************************************
Q.
When running PoPToP I get the following error:

   Jun 11 08:29:04 server pptpd[4875]: MGR: No more free connection slots!

What does this mean?

A.
I'd say at a guess you've only configured one IP address and you have
connected a client, and as such there are no more free connection slots should
any more clients wish to connect.

****************************************************************************
Q.
Does PoPToP suffer from the same security flaws
(http://www.counterpane.com/pptp.html) as the Windows NT PPTP server?

A.
An initial look at the article suggests that what the authors hammered was
not the PPTP protocol, but the authentication that the PPTP VPN servers on
NT offered access to via open internet. PPTP seems initially to be just
the path to the weakness, not the weakness itself. Part of their
observance of weakness deals with use of poor passwords as well, a cheap
component, simple enough to fix.

> While no flaws were found in PPTP itself, several serious flaws were
> found in the Microsoft implementation of it.
> (http://www.counterpane.com/pptp-pressrel.html)

The authors do not specifically say "this is ONLY effective against NT",
just that NT is affected. This implies that they do not recognize PoPToP,
and it may be included. The fact that PoPToP has to interoperate with MS
DUN's VPN client means that it will have the same weaknesses. It can only
protect itself from DoS attacks, have immediate response to out-of-sequence
packets or illogical packets, etc.

The protocol is not considered weak in this analysis, but the weaknesses
have to be replicated in apparent behavior by PoPToP. The only thing the
developers can do with PoPToP is make it a stronger server per se -- more
able to handle the attacks when they come.

In conclusion: PoPToP suffers the same security vulnerabilities as the NT
server (this is because it operates with Windows clients).

Update: MSCHAPv2 has been released and addresses some of the security
issues. PoPToP works with MSCHAPv2.
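
Three of the answers above come down to reading pppd/pptpd syslog lines:
who has logged in (the grep on CHAP lines), the DOMAIN\\user name a Windows
client sends over MS-CHAP (the Error 691 answer), and pptpd running out of
remoteip addresses (the "MGR: No more free connection slots!" answer). The
following is an added example, not code from this FAQ or from Poptop, that
parses such lines into events and builds the summary an administrator
would want: logins and failures per user with the domain stripped, the
domains the clients sent, and how often the slot limit was hit. The
sample log is constructed; the "succeeded" and MGR line formats are the
ones quoted in the FAQ, while the "failed for" wording and the assumption
that the log shows a single backslash in DOMAIN\user are mine.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines. The "succeeded" line and the
# MGR line follow the formats quoted in the FAQ; the "failed" line format is
# an assumption, as is the single backslash between domain and user.
SAMPLE_LOG = r"""
Jul  2 17:30:03 ape pppd[15450]: CHAP peer authentication succeeded for DBNET\srhodes
Jul  2 17:31:10 ape pppd[15460]: CHAP peer authentication succeeded for mwalter
Jul  2 17:32:44 ape pppd[15470]: CHAP peer authentication failed for DBNET\guest
Jul  2 17:33:02 ape pptpd[4875]: MGR: No more free connection slots!
Jul  2 17:35:12 ape pppd[15480]: CHAP peer authentication succeeded for DBNET\srhodes
Jul  2 17:36:00 ape kernel: unrelated line that the parser must ignore
"""

# classic syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
CHAP_RE = re.compile(
    r"^CHAP peer authentication (?P<outcome>succeeded|failed) for (?P<name>.+)$")
SLOTS_MSG = "MGR: No more free connection slots!"


def split_domain(name):
    """Split the DOMAIN\\user form a Windows client sends over MS-CHAP.
    Returns (domain or None, user); tolerates a doubled backslash."""
    domain, sep, user = name.rpartition("\\")
    if not sep:
        return None, name
    return domain.rstrip("\\"), user


def chap_secrets_client(name):
    """The client field as it must be written in /etc/ppp/chap-secrets: pppd's
    secrets parser treats backslash as an escape, so each literal backslash
    is doubled (this assumes the log line showed a single backslash)."""
    return name.replace("\\", "\\\\")


def parse_line(line):
    """Return an event dict for the pppd/pptpd lines we care about, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    event = {"ts": m.group("ts"), "pid": m.group("pid")}
    if prog == "pppd":
        c = CHAP_RE.match(msg)
        if not c:
            return None
        raw = c.group("name").strip()
        domain, user = split_domain(raw)
        event.update(event="auth_ok" if c.group("outcome") == "succeeded" else "auth_fail",
                     domain=domain, user=user, raw_name=raw)
        return event
    if prog == "pptpd" and msg == SLOTS_MSG:
        event["event"] = "slots_full"
        return event
    return None


def summarize(text):
    """Logins and failures per user, domains the clients sent, and how often
    pptpd refused a connection for lack of a free remoteip slot."""
    report = {"logins": Counter(), "failures": Counter(), "domains": set(), "slots_full": 0}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "slots_full":
            report["slots_full"] += 1
            continue
        bucket = "logins" if ev["event"] == "auth_ok" else "failures"
        report[bucket][ev["user"]] += 1
        if ev["domain"]:
            report["domains"].add(ev["domain"])
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for user, n in sorted(r["logins"].items()):
        print("%-12s %d login(s)" % (user, n))
    for user, n in sorted(r["failures"].items()):
        print("%-12s %d FAILED attempt(s)" % (user, n))
    if r["slots_full"]:
        print("pptpd ran out of connection slots %d time(s): widen remoteip" % r["slots_full"])
    for d in sorted(r["domains"]):
        print("chap-secrets client field for %s users looks like: %s"
              % (d, chap_secrets_client(d + "\\user")))
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the
file contents. A burst of failures for one user, or a domain you have never
configured, is the thing worth alerting on; the slot counter tells you the
remoteip range in pptpd.conf is too small for the number of clients.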

****************************************************************************
Q.
Does PoPToP support data encryption?

A.
Yes.. with appropriate PPPd patches. Patches are available for PPPd to
provide Microsoft compatible RC4 data encryption. The PPPd patch supports
40 and 128 bit RC4 encryption.

****************************************************************************
Q.
PoPToP or IPsec? Which is better suited to my needs?

A.
1. The difference between PoPToP and IPsec is that PoPToP is ready NOW..
and requires *no* third party software on the Windows client end
(Windows comes with a free PPTP client that is trivial to set up).

2. PoPToP is a completely *free* solution.
Update: Unfortunately not true for Mac *clients* though. The Mac client
software is around $400 US a copy.

3. PoPToP can be integrated with the latest PPPD patches that take
advantage of MSCHAPv2 and MPPE (Microsoft encryption using RC4 - 40/128
bits).

More details follow from Emir Toktar:
(Refs: A Comprehensive Guide to Virtual Private Networks, IBM.
Virtual Private Networking: An Overview White Paper - DRAFT, 3/18/98
Microsoft.)

Neither network layer-based (L2TP, PPTP,...) nor application layer-based
(IPSec,SSL,SSH) security techniques are the best choice for all
situations. There will be trade-offs. Network layer security protects the
information created by upper layer protocols, but it requires that IPSec
be implemented in the communications stack.

With network layer security, there is no need to modify existing upper
layer applications. On the other hand, if security features are already
embedded within a given application, then the data for that specific
application will be protected while it is in transit, even in the absence
of network layer security. Therefore security functions must be embedded
on a per-application basis.

There are still other considerations:
Authentication is provided only for the identity of tunnel endpoints, but
not for each individual packet that flows inside the tunnel. This can
expose the tunnel to man-in-the-middle and spoofing attacks.

Network layer security gives blanket protection, but this may not be as
fine-grained as would be desired for a given application. It protects
all traffic and is transparent to users and applications.

Network layer security does not provide protection once the datagram has
arrived at its destination host. That is, it is vulnerable to attack
within the upper layers of the protocol stack at the destination machine.

Application layer security can protect the information that has been
generated within the upper layers of the stack, but it offers no
protection against several common network layer attacks while the
datagram is in transit. For example, a datagram in transit would be
vulnerable to spoofing attacks against its source or destination address.

Application layer security is more intelligent (as it knows the
application) but also more complex and slower.

IPSec provides for tunnel authentication, while PPTP does not.

<User Authentication> Layer 2 tunneling protocols inherit the user
authentication schemes of PPP, including the EAP methods discussed below.
Many Layer 3 tunneling schemes assume that the endpoints were well
known (and authenticated) before the tunnel was established. An exception
to this is IPSec ISAKMP negotiation, which provides mutual authentication
of the tunnel endpoints. (Note that most IPSec implementations support
machine-based certificates only, rather than user certificates. As a
result, any user with access to one of the endpoint machines can use
the tunnel. This potential security weakness can be eliminated when
IPSec is paired with a Layer 2 protocol such as L2TP.)

<Token card support> Using the Extensible Authentication Protocol
(EAP), Layer 2 tunneling protocols can support a wide variety of
authentication methods, including one-time passwords, cryptographic
calculators, and smart cards. Layer 3 tunneling protocols (IPSec) can
use similar methods; for example, IPSec defines public key certificate
authentication in its ISAKMP/Oakley negotiation.

<Dynamic address assignment> Layer 2 tunneling supports dynamic
assignment of client addresses based on the Network Control Protocol
(NCP) negotiation mechanism.

Generally, Layer 3 tunneling schemes assume that an address has already
been assigned prior to initiation of the tunnel. Schemes for assignment
of addresses in IPSec tunnel mode are currently under development and
are not yet available.

<Data Compression> Layer 2 tunneling protocols support PPP-based
compression schemes. For example, the Microsoft implementations of both
PPTP and L2TP use Microsoft Point-to-Point Compression (MPPC). The IETF
is investigating similar mechanisms (such as IP Compression) for the
Layer 3 tunneling protocols.

<Data Encryption> Layer 2 tunneling protocols support PPP-based data
encryption mechanisms. Microsoft's implementation of PPTP supports
optional use of Microsoft Point-to-Point Encryption (MPPE), based on
the RSA/RC4 algorithm. Layer 3 tunneling protocols can use similar
methods; for example, IPSec defines several optional data encryption
methods which are negotiated during the ISAKMP/Oakley exchange.

<Key Management> MPPE, a Layer 2 protocol, relies on the initial key
generated during user authentication, and then refreshes it
periodically. IPSec explicitly negotiates a common key during the
ISAKMP exchange, and also refreshes it periodically.

<Multi-protocol support> Layer 2 tunneling supports multiple payload
protocols, which makes it easy for tunneling clients to access their
corporate networks using IP, IPX, NetBEUI, and so forth. In contrast,
Layer 3 tunneling protocols, such as IPSec tunnel mode, typically
support only target networks that use the IP protocol. IPSec is not
multi-protocol.

IPSec will be supported by Windows 2000.

Many cases can occur, each of which needs to be examined on its own
merit. It may be desirable to employ a mix of both network layer
security techniques and application layer techniques to achieve the
desired overall level of protection. For example, you could use an upper
layer mechanism such as Secure Sockets Layer (SSL) to encrypt upper
layer data. SSL could then be supplemented with IPSec's AH protocol at
the network layer to provide per-packet data origin authentication and
protection against spoofing attacks.

****************************************************************************
Q.
I get a 'createHostSocket: Address already in use' error! What gives?

A.
'Address already in use' from createHostSocket means something is already
listening on TCP port 1723 - perhaps another pptpd is already running?

****************************************************************************
Q.
Does PoPToP work with Windows 2000 clients?

A.
PoPToP v0.9.5 and above should work with Windows 2000 clients.

****************************************************************************

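A diagnostic for the 'createHostSocket: Address already in use' answer above, added here as an example and not part of this HOWTO or of pptpd: it repeats the bind() on TCP 1723 that the error comes from and, when the port is taken, parses /proc/net/tcp to report which uid and socket inode hold the listener. The /proc/net/tcp content embedded below is constructed sample data, and the function names are this example's own.

```python
import errno
import socket
import struct

PPTP_PORT = 1723   # TCP control port bound in pptpd's createHostSocket (unprivileged, >1023)
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp
# Constructed /proc/net/tcp sample (little-endian host): a LISTEN socket on 1723, one
# on 22, and an ESTABLISHED (state 01) connection on 1723 that is not the port holder.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:06BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 777 1 0000000000000000 100 0 0 10 0
   2: 0100007F:06BB 0100007F:C3A5 01 00000000:00000000 00:00000000 00000000  1000        0 999 1 0000000000000000 20 4 30 10 -1
"""

def port_is_free(port, host="0.0.0.0"):
    """Attempt the bind() pptpd would do; False means EADDRINUSE (another socket holds it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError as e:
            if e.errno != errno.EADDRINUSE:
                raise
            return False

def decode_addr(field):  # '0100007F:06BB' -> ('127.0.0.1', 1723); IP is hex in native byte order
    hexip, hexport = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(hexip, 16))), int(hexport, 16)

def find_listeners(proc_net_tcp_text, port):
    """Return [(ip, uid, inode)] for each LISTEN socket bound to `port` in /proc/net/tcp text."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 10 and cols[3] == TCP_LISTEN:
            ip, lport = decode_addr(cols[1])
            if lport == port:
                hits.append((ip, int(cols[7]), cols[9]))
    return hits

def reproduce_conflict():
    """Hold a loopback port, probe it (busy), release it, probe again (free) -> (True, True)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free ephemeral port
    holder.listen(1)
    port = holder.getsockname()[1]
    busy = not port_is_free(port, "127.0.0.1")
    holder.close()
    return busy, port_is_free(port, "127.0.0.1")
```

On a live server, `find_listeners(open('/proc/net/tcp').read(), PPTP_PORT)` shows the uid and socket inode holding 1723, and `fuser -n tcp 1723` (psmisc) maps that to the process. Note that `port_is_free` treats any errno other than EADDRINUSE as unexpected and re-raises it.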
