1This is a list of Frequently Asked Questions about using ppp-2.x and 2their answers. 3 4 5------------------------------------------------------------------------ 6 7Q: Can you give me an example of how I might set up my machine to dial 8out to an ISP? 9 10A: Here's an example for dialling out to an ISP via a modem on 11/dev/tty02. The modem uses hardware (CTS/RTS) flow control, and the 12serial port is run at 38400 baud. The ISP assigns our IP address. 13 14To configure pppd for this connection, create a file under 15/etc/ppp/peers called (say) my-isp containing the following: 16 17tty02 crtscts 38400 18connect 'chat -v -f /etc/ppp/chat/my-isp' 19defaultroute 20 21The ppp connection is then initiated using the following command: 22 23pppd call my-isp 24 25Of course, if the directory containing pppd is not in your path, you 26will need to give the full pathname for pppd, for example, 27/usr/sbin/pppd. 28 29When you run this, pppd will use the chat program to dial the ISP and 30invoke its ppp service. Chat will read the file specified with -f, 31namely /etc/ppp/chat/my-isp, to find a list of strings to expect to 32receive, and strings to send. This file would contain something like 33this: 34 35ABORT "NO CARRIER" 36ABORT "NO DIALTONE" 37ABORT "ERROR" 38ABORT "NO ANSWER" 39ABORT "BUSY" 40ABORT "Username/Password Incorrect" 41"" "at" 42OK "at&d2&c1" 43OK "atdt2479381" 44"name:" "^Uusername" 45"word:" "\qpassword" 46"annex" "\q^Uppp" 47"Switching to PPP-ppp-Switching to PPP" 48 49You will need to change the details here. The first string on each 50line is a string to expect to receive; the second is the string to 51send. You can add or delete lines according to the dialog required to 52access your ISP's system. This example is for a modem with a standard 53AT command set, dialling out to an Annex terminal server. The \q 54toggles "quiet" mode; when quiet mode is on, the strings to be sent 55are replaced by ?????? in the log. You may need to go through the 56dialog manually using kermit or tip first to determine what should go 57in the script. 58 59To terminate the link, run the following script, called (say) 60kill-ppp: 61 62#!/bin/sh 63unit=ppp${1-0} 64piddir=/var/run 65if [ -f $piddir/$unit.pid ]; then 66 kill -1 `cat $piddir/$unit.pid` 67fi 68 69On some systems (SunOS, Solaris, Ultrix), you will need to change 70/var/run to /etc/ppp. 71 72 73------------------------------------------------------------------------ 74 75Q: Can you give me an example of how I could set up my office machine 76so I can dial in to it from home? 77 78A: Let's assume that the office machine is called "office" and is on a 79local ethernet subnet. Call the home machine "home" and give it an IP 80address on the same subnet as "office". We'll require both machines 81to authenticate themselves to each other. 82 83Set up the files on "office" as follows: 84 85/etc/ppp/options contains: 86 87auth # require the peer to authenticate itself 88lock 89# other options can go here if desired 90 91/etc/ppp/chap-secrets contains: 92 93home office "beware the frub-jub" home 94office home "bird, my son!%&*" - 95 96Set up a modem on a serial port so that users can dial in to the 97modem and get a login prompt. 98 99On "home", set up the files as follows: 100 101/etc/ppp/options contains the same as on "office". 102 103/etc/ppp/chap-secrets contains: 104 105home office "beware the frub-jub" - 106office home "bird, my son!%&*" office 107 108Create a file called /etc/ppp/peers/office containing the following: 109 110tty02 crtscts 38400 111connect 'chat -v -f /etc/ppp/chat/office' 112defaultroute 113 114(You may need to change some of the details here.) 115 116Create the /etc/ppp/chat/office file containing the following: 117 118ABORT "NO CARRIER" 119ABORT "NO DIALTONE" 120ABORT "ERROR" 121ABORT "NO ANSWER" 122ABORT "BUSY" 123ABORT "ogin incorrect" 124"" "at" 125OK "at&d2&c1" 126OK "atdt2479381" 127"name:" "^Uusername" 128"word:" "\qpassword" 129"$" "\q^U/usr/sbin/pppd proxyarp" 130"~" 131 132You will need to change the details. Note that the "$" in the 133second-last line is expecting the shell prompt after a successful 134login - you may need to change it to "%" or something else. 135 136You then initiate the connection (from home) with the command: 137 138pppd call office 139 140------------------------------------------------------------------------ 141 142Q: When I try to establish a connection, the modem successfully dials 143the remote system, but then hangs up a few seconds later. How do I 144find out what's going wrong? 145 146A: There are a number of possible problems here. The first thing to 147do is to ensure that pppd's messages are visible. Pppd uses the 148syslog facility to log messages which help to identify specific 149problems. Messages from pppd have facility "daemon" and levels 150ranging from "debug" to "error". 151 152Usually it is useful to see messages of level "notice" or higher on 153the console. To see these, find the line in /etc/syslog.conf which 154has /dev/console on the right-hand side, and add "daemon.notice" in 155the list on the left. The line will end up looking something like 156this: 157 158*.err;kern.debug;auth.notice;mail.crit;daemon.notice /dev/console 159 160Note that the whitespace is tabs, *not* spaces. 161 162If you are having problems, it may be useful to see messages of level 163"info" as well, in which case you would change "daemon.notice" to 164"daemon.info". 165 166In addition, it is useful to collect pppd's debugging output in a 167file - the debug option to pppd causes it to log the contents of all 168control packets sent and received in human-readable form. To do this, 169add a line like this to /etc/syslog.conf: 170 171daemon,local2.debug /etc/ppp/log 172 173and create an empty /etc/ppp/log file. 174 175When you change syslog.conf, you will need to send a HUP signal to 176syslogd to causes it to re-read syslog.conf. You can do this with a 177command like this (as root): 178 179 kill -HUP `cat /etc/syslogd.pid` 180 181(On some systems, you need to use /var/run/syslog.pid instead of 182/etc/syslogd.pid.) 183 184After setting up syslog like this, you can use the -v flag to chat and 185the `debug' option to pppd to get more information. Try initiating 186the connection again; when it fails, inspect /etc/ppp/log to see what 187happened and where the connection failed. 188 189 190------------------------------------------------------------------------ 191 192Q: When I try to establish a connection, I get an error message saying 193"Serial link is not 8-bit clean". Why? 194 195A: The most common cause is that your connection script hasn't 196successfully dialled out to the remote system and invoked ppp service 197there. Instead, pppd is talking to something (a shell or login 198process on the remote machine, or maybe just the modem) which is only 199outputting 7-bit characters. 200 201This can also arise with a modem which uses an AT command set if the 202dial command is issued before pppd is invoked, rather than within a 203connect script started by pppd. If the serial port is set to 7 204bits/character plus parity when the last AT command is issued, the 205modem serial port will be set to the same setting. 206 207Note that pppd *always* sets the local serial port to 8 bits per 208character, with no parity and 1 stop bit. So you shouldn't need to 209issue an stty command before invoking pppd. 210 211 212------------------------------------------------------------------------ 213 214Q: When I try to establish a connection, I get an error message saying 215"Serial line is looped back". Why? 216 217A: Probably your connection script hasn't successfully dialled out to 218the remote system and invoked ppp service there. Instead, pppd is 219talking to something which is just echoing back the characters it 220receives. The -v option to chat can help you find out what's going 221on. It can be useful to include "~" as the last expect string to 222chat, so chat won't return until it's seen the start of the first PPP 223frame from the remote system. 224 225Another possibility is that your phone connection has dropped for some 226obscure reason and the modem is echoing the characters it receives 227from your system. 228 229 230------------------------------------------------------------------------ 231 232Q: I installed pppd successfully, but when I try to run it, I get a 233message saying something like "peer authentication required but no 234authentication files accessible". 235 236A: When pppd is used on a machine which already has a connection to 237the Internet (or to be more precise, one which has a default route in 238its routing table), it will require all peers to authenticate 239themselves. The reason for this is that if you don't require 240authentication, you have a security hole, because the peer can 241basically choose any IP address it wants, even the IP address of some 242trusted host (for example, a host mentioned in some .rhosts file). 243 244On machines which don't have a default route, pppd does not require 245the peer to authenticate itself. The reason is that such machines 246would mostly be using pppd to dial out to an ISP which will refuse to 247authenticate itself. In that case the peer can use any IP address as 248long as the system does not already have a route to that address. 249For example, if you have a local ethernet network, the peer can't use 250an address on that network. (In fact it could if it authenticated 251itself and it was permitted to use that address by the pap-secrets or 252chap-secrets file.) 253 254There are 3 ways around the problem: 255 2561. If possible, arrange for the peer to authenticate itself, and 257create the necessary secrets files (/etc/ppp/pap-secrets and/or 258/etc/ppp/chap-secrets). 259 2602. If the peer refuses to authenticate itself, and will always be 261using the same IP address, or one of a small set of IP addresses, you 262can create an entry in the /etc/ppp/pap-secrets file like this: 263 264 "" * "" his-ip.his-domain his-other-ip.other-domain 265 266(that is, using the empty string for the client name and password 267fields). Of couse, you replace the 4th and following fields in the 268example above with the IP address(es) that the peer may use. You can 269use either hostnames or numeric IP addresses. 270 2713. You can add the `noauth' option to the /etc/ppp/options file. 272Pppd will then not ask the peer to authenticate itself. If you do 273this, I *strongly* recommend that you remove the set-uid bit from the 274permissions on the pppd executable, with a command like this: 275 276 chmod u-s /usr/sbin/pppd 277 278Then, an intruder could only use pppd maliciously if they had already 279become root, in which case they couldn't do any more damage using pppd 280than they could anyway. 281 282 283------------------------------------------------------------------------ 284 285Q: What do I need to put in the secrets files? 286 287A: Three things: 288 - secrets (i.e. passwords) to use for authenticating this host to 289 other hosts (i.e., for proving our identity to others); 290 - secrets which other hosts can use for authenticating themselves 291 to us (i.e., so that they can prove their identity to us); and 292 - information about which IP addresses other hosts may use, once 293 they have authenticated themselves. 294 295There are two authentication files: /etc/ppp/pap-secrets, which 296contains secrets for use with PAP (the Password Authentication 297Protocol), and /etc/ppp/chap-secrets, which contains secrets for use 298with CHAP (the Challenge Handshake Authentication Protocol). Both 299files have the same simple format, which is as follows: 300 301- The file contains a series of entries, each of which contains a 302secret for authenticating one machine to another. 303 304- Each entry is contained on a single logical line. A logical line 305may be continued across several lines by placing a backslash (\) at 306the end of each line except the last. 307 308- Each entry has 3 or more fields, separated by whitespace (spaces 309and/or tabs). These fields are, in order: 310 * The name of the machine that is authenticating itself 311 (the "client"). 312 * The name of the machine that is authenticating the client 313 (the "server"). 314 * The secret to be used for authenticating that client to that 315 server. If this field begins with the at-sign `@', the rest 316 of the field is taken as the name of a file containing the 317 actual secret. 318 * The 4th and any following fields list the IP address(es) 319 that the client may use. 320 321- The file may contain comments, which begin with a `#' and continue 322to the end of the line. 323 324- Double quotes `"' should be used around a field if it contains 325characters with special significance, such as space, tab, `#', etc. 326 327- The backslash `\' may be used before characters with special 328significance (space, tab, `#', `\', etc.) to remove that significance. 329 330Some important points to note: 331 332* A machine can be *both* a "client" and a "server" for the purposes 333of authentication - this happens when both peers require the other to 334authenticate itself. So A would authenticate itself to B, and B would 335also authenticate itself to A (possibly using a different 336authentication protocol). 337 338* If both the "client" and the "server" are running ppp-2.x, they need 339to have a similar entry in the appropriate secrets file; the first two 340fields are *not* swapped on the client, compared to the server. So 341the client might have an entry like this: 342 343 ay bee "our little secret" - 344 345and the corresponding entry on the server could look like this: 346 347 ay bee "our little secret" 123.45.67.89 348 349 350------------------------------------------------------------------------ 351 352Q: Explain about PAP and CHAP? 353 354PAP stands for the Password Authentication Protocol. With this 355protocol, the "client" (the machine that needs to authenticate itself) 356sends its name and a password, in clear text, to the "server". The 357server returns a message indicating whether the name and password are 358valid. 359 360CHAP stands for the Challenge Handshake Authentication Protocol. It 361is designed to address some of the deficiencies and vulnerabilities of 362PAP. Like PAP, it is based on the client and server having a shared 363secret, but the secret is never passed in clear text over the link. 364Instead, the server sends a "challenge" - an arbitrary string of 365bytes, and the client must prove it knows the shared secret by 366generating a hash value from the challenge combined with the shared 367secret, and sending the hash value back to the server. The server 368also generates the hash value and compares it with the value received 369from the client. 370 371At a practical level, CHAP can be slightly easier to configure than 372PAP because the server sends its name with the challenge. Thus, when 373finding the appropriate secret in the secrets file, the client knows 374the server's name. In contrast, with PAP, the client has to find its 375password (i.e. the shared secret) before it has received anything from 376the server. Thus, it may be necessary to use the `remotename' option 377to pppd when using PAP authentication so that it can select the 378appropriate secret from /etc/ppp/pap-secrets. 379 380Microsoft also has a variant of CHAP which uses a different hashing 381arrangement from normal CHAP. There is a client-side (authenticatee) 382implementation of Microsoft's CHAP in ppp-2.3; see README.MSCHAP80. 383In ppp-2.4.2, server-side (authenticator) support was added as well as 384support for Microsoft CHAP v2; see README.MSCHAP81. 385 386 387------------------------------------------------------------------------ 388 389Q: When the modem hangs up, without the remote system having 390terminated the connection properly, pppd does not notice the hangup, 391but just keeps running. How do I get pppd to notice the hangup and 392exit? 393 394A: Pppd detects modem hangup by looking for an end-of-file indication 395from the serial driver, which should be generated when the CD (carrier 396detect) signal on the serial port is deasserted. For this to work: 397 398- The modem has to be set to assert CD when the connection is made and 399deassert it when the phone line hangs up. Usually the AT&C1 modem 400command sets this mode. 401 402- The cable from the modem to the serial port must connect the CD 403signal (on pin 8). 404 405- Some serial drivers have a "software carrier detect" mode, which 406must be *disabled*. The method of doing this varies between systems. 407Under SunOS, use the ttysoftcar command. Under NetBSD, edit /etc/ttys 408to remove the "softcar" flag from the line for the serial port, and 409run ttyflags. 410 411 412------------------------------------------------------------------------ 413 414Q: Why should I use PPP compression (BSD-Compress or Deflate) when my 415modem already does V.42 compression? Won't it slow the CPU down a 416lot? 417 418A: Using PPP compression is preferable, especially when using modems 419over phone lines, for the following reasons: 420 421- The V.42 compression in the modem isn't very strong - it's an LZW 422technique (same as BSD-Compress) with a 10, 11 or 12 bit code size. 423With BSD-Compress you can use a code size of up to 15 bits and get 424much better compression, or you can use Deflate and get even better 425compression ratios. 426 427- I have found that enabling V.42 compression in my 14.4k modem 428increases the round-trip time for a character to be sent, echoed and 429returned by around 40ms, from 160ms to 200ms (with error correction 430enabled). This is enough to make it feel less responsive on rlogin or 431telnet sessions. Using PPP compression adds less than 5ms (small 432enough that I couldn't measure it reliably). I admit my modem is a 433cheapie and other modems may well perform better. 434 435- While compression and decompression do require some CPU time, they 436reduce the amount of time spent in the serial driver to transmit a 437given amount of data. Many machines require an interrupt for each 438character sent or received, and the interrupt handler can take a 439significant amount of CPU time. So the increase in CPU load isn't as 440great as you might think. My measurements indicate that a system with 441a 33MHz 486 CPU should be able to do Deflate compression for serial 442link speeds of up to 100kb/s or more. It depends somewhat on the type 443of data, of course; for example, when compressing a string of nulls 444with Deflate, it's hard to get a high output data rate from the 445compressor, simply because it compresses strings of nulls so well that 446it has to eat a very large amount of input data to get each byte of 447output. 448 449 450------------------------------------------------------------------------ 451 452Q: I get messages saying "Unsupported protocol (...) received". What do 453these mean? 454 455A: If you only get one or two when pppd starts negotiating with the 456peer, they mean that the peer wanted to negotiate some PPP protocol 457that pppd doesn't understand. This doesn't represent a problem, it 458simply means that there is some functionality that the peer supports 459that pppd doesn't, so that functionality can't be used. 460 461If you get them sporadically while the link is operating, or if the 462protocol numbers (in parentheses) don't correspond to any valid PPP 463protocol that the peer might be using, then the problem is probably 464that characters are getting corrupted on the receive side, or that 465extra characters are being inserted into the receive stream somehow. 466If this is happening, most packets that get corrupted should get 467discarded by the FCS (Frame Check Sequence, a 16-bit CRC) check, but a 468small number may get through. 469 470One possibility may be that you are receiving broadcast messages on 471the remote system which are being sent over your serial link. Another 472possibility is that your modem is set for XON/XOFF (software) flow 473control and is inserting ^Q and ^S characters into the receive data 474stream. 475 476 477------------------------------------------------------------------------ 478 479Q: I get messages saying "Protocol-Reject for unsupported protocol ...". 480What do these mean? 481 482A: This is the other side of the previous question. If characters are 483getting corrupted on the way to the peer, or if your system is 484inserting extra bogus characters into the transmit data stream, the 485peer may send protocol-reject messages to you, resulting in the above 486message (since your pppd doesn't recognize the protocol number 487either.) 488 489 490------------------------------------------------------------------------ 491 492Q: I get a message saying something like "ioctl(TIOCSETD): Operation 493not permitted". How do I fix this? 494 495A: This is because pppd is not running as root. If you have not 496installed pppd setuid-root, you will have to be root to run it. If 497you have installed pppd setuid-root and you still get this message, it 498is probably because your shell is using some other copy of pppd than 499the installed one - for example, if you are in the pppd directory 500where you've just built pppd and your $PATH has . before /usr/sbin (or 501wherever pppd gets installed). 502 503 504------------------------------------------------------------------------ 505 506Q: Has your package been ported to HP/UX or IRIX or AIX? 507 508A: No. I don't have access to systems running HP/UX or AIX. No-one 509has volunteered to port it to HP/UX. I had someone who did a port for 510AIX 4.x, but who is no longer able to maintain it. And apparently AIX 5113.x is quite different, so it would need a separate port. 512 513IRIX includes a good PPP implementation in the standard distribution, 514as far as I know. 515 516 517------------------------------------------------------------------------ 518 519Q: Under SunOS 4, when I try to modload the ppp modules, I get the 520message "can't open /dev/vd: No such device". 521 522A: First check in /dev that there is an entry like this: 523 524crw-r--r-- 1 root 57, 0 Oct 2 1991 vd 525 526If not, make one (mknod /dev/vd c 57 0). If the problem still exists, 527probably your kernel has been configured without the vd driver 528included. The vd driver is needed for loadable module support. 529 530First, identify the config file that was used. When you boot your 531machine, or if you run /etc/dmesg, you'll see a line that looks 532something like this: 533 534SunOS Release 4.1.3_U1 (CAP_XBOX) #7: Thu Mar 21 15:31:56 EST 1996 535 ^^^^^^^^ 536 this is the config file name 537 538The config file will be in the /sys/`arch -k`/conf directory (arch -k 539should return sun4m for a SparcStation 10, sun3x for a Sun 3/80, 540etc.). Look in there for a line saying "options VDDRV". If that line 541isn't present (or is commented out), add it (or uncomment it). 542 543You then need to rebuild the kernel as described in the SunOS 544manuals. Basically you need to run config and make like this: 545 546 /usr/etc/config CAP_XBOX 547 cd ../CAP_XBOX 548 make 549 550(replacing the string CAP_XBOX by the name of the config file for your 551kernel, of course). 552 553Then copy the new kernel to /: 554 555 mv /vmunix /vmunix.working 556 cp vmunix / 557 558and reboot. Modload should then work. 559 560 561------------------------------------------------------------------------ 562 563Q: I'm running Linux (or NetBSD or FreeBSD), and my system comes with 564PPP already. Should I consider installing this package? Why? 565 566A: The PPP that is already installed in your system is (or is derived 567from) some version of this PPP package. You can find out what version 568of this package is already installed with the command "pppd --help". 569If this is older than the latest version, you may wish to install the 570latest version so that you can take advantage of the new features or 571bug fixes. 572 573 574------------------------------------------------------------------------ 575 576Q: I'm running pppd in demand mode, and I find that pppd often dials 577out unnecessarily when I try to make a connection within my local 578machine or with a machine on my local LAN. What can I do about this? 579 580A: Very often the cause of this is that a program is trying to contact 581a nameserver to resolve a hostname, and the nameserver (specified in 582/etc/resolv.conf, usually) is on the far side of the ppp link. You 583can try executing a command such as `ping myhost' (where myhost is the 584name of the local machine, or some other machine on a local LAN), to 585see whether that starts the ppp link. If it does, check the setup of 586your /etc/hosts file to make sure you have the local machine and any 587hosts on your local LAN listed, and /etc/resolv.conf and/or 588/etc/nsswitch.conf files to make sure you resolve hostnames from 589/etc/hosts if possible before trying to contact a nameserver. 590 591 592------------------------------------------------------------------------ 593 594Q: Since I installed ppp-2.3.6, dialin users to my server have been 595getting this message when they run pppd: 596 597peer authentication required but no suitable secret(s) found for 598authenticating any peer to us (ispserver) 599 600A: In 2.3.6, the default is to let an unauthenticated peer only use IP 601addresses to which the machine doesn't already have a route. So on a 602machine with a default route, everyone has to authenticate. If you 603really don't want that, you can put `noauth' in the /etc/ppp/options 604file. Note that there is then no check on who is using which IP 605address. IMHO, this is undesirably insecure, but I guess it may be 606tolerable as long as you don't use any .rhosts files or anything like 607that. I recommend that you require dialin users to authenticate, even 608if just with PAP using their login password (using the `login' option 609to pppd). If you do use `noauth', you should at least have a pppusers 610group and set the permissions on pppd to allow only user and group to 611execute it. 612 613------------------------------------------------------------------------ 614 615Q: When running pppd as a dial-in server, I often get the message 616"LCP: timeout sending Config-Requests" from pppd. It seems to be 617random, but dial-out always works fine. What is wrong? 618 619A: Most modern modems auto-detects the speed of the serial line 620between the modem and the computer. This auto-detection occurs when 621the computer sends characters to the modem, when the modem is in 622command mode. It does not occur when the modem is in data mode. 623Thus, if you send commands to the modem at 2400 bps, and then change 624the serial port speed to 115200 bps, the modem will not detect this 625change until something is transmitted from the computer to the modem. 626When running pppd in dial-in mode (i.e. without a connect script), 627pppd sets the speed of the serial port, but does not transmit 628anything. If the modem was already running at the specified speed, 629everything is fine, but if not, you will just receive garbage from the 630modem. To cure this, use an init script such as the following: 631 632 pppd ttyS0 115200 modem crtscts init "chat '' AT OK" 633 634To reset the modem and enable auto-answer, use: 635 636 pppd ttyS0 115200 modem crtscts init "chat '' ATZ OK ATS0=1 OK" 637