[CentOS] VPN via PPTP and MPPE

Tue Nov 8 16:30:27 UTC 2005
James B. Byrne <ByrneJB at Harte-Lyne.ca>

On 1 Nov 2005 at 11:25, Joe Pruett wrote:

> as for your local traffic, the vpn only sets up a route for the
> natural netmask of the remote end.  so if the vpn server is
> 192.168.1.4, then a route for 192.168.1.0/24 will be installed.
> you can see what routes get setup via 'route print' at a dos
> prompt.  if you need other routes setup, then you have to do it
> manually after the vpn is running.  i seem to recall there might
> be a way to invoke the vpn from a command script, so you might be
> able to start it and add the routes from a .bat file. 

Thank you for the assistance.  I have reached the point where I 
seem to have resolved all the firewall issues that were 
contributing to my problems and I can now reliably connect a vpn 
between my MS-W2K box on one C class to a CentOS4.2 box running 
PopTop pptpd with 128 bit MPPE. As you anticipated, now I am down 
to routing problems.

I have set up the pptpd server to supply a non-routable address in 
the range 192.168.209.194-254 as the client side IP and a routable 
address from the remote C block as the server side.  

I have very little knowledge and even less experience with this so 
please bear with me.  Here is what I want to do:

Case 1. Typical:
From any arbitrary external IP address, establish a VPN to a pptpd 
server inside our firewall that will route all traffic consigned to 
our internal network over that VPN while all other traffic goes 
over the gateway established before the VPN is set up.

I cannot seem to get this to work with the MS network connection 
client.  I have turned off the "use default gateway on remote 
network" option in the tcp/ip advanced networking options in the MS 
client, but the only effect that seems to have is that no traffic 
goes over the VPN at all.  I have confirmed via tracert that the 
destination IP of the VPN tunnel is recognized on the eth0 
interface and responds to ping and traceroute, but the routing from 
my test workstation is invariantly over the public gateway and not 
via the vpn.  

Case 2.
All traffic is routed over the VPN and then, if necessary, out onto 
the Internet via our own gateway.  I need to get case 1. working 
before I do this, but this will be another requirement that will 
have to be available in addition to case 1. for some users.

What I need is a way of configuring vpn clients on Windows 2K and 
XPpro so that these two cases work automatically from some sort of 
simple to deploy client install script.  I am open to using 
alternative vpn client software if that is required.

As this is evidently a client side problem I understand that it is 
not strictly CentOS related.  However, this issue naturally falls 
on the server end to provide an answer and I hope that someone here 
has gone through this already and can provide me with some advice 
or referrals to other venues for help.

Presently, this is what I get on the MS-W2K client when I establish 
a VPN between netblock A and netblock B:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 48 54 8c 2a fb ...... NDIS 5.0 driver
0x2000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0              A.1             A.77       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.209.0    255.255.255.0  192.168.209.214  192.168.209.214       1
  192.168.209.214  255.255.255.255        127.0.0.1        127.0.0.1       1
  192.168.209.255  255.255.255.255  192.168.209.214  192.168.209.214       1
             B.21  255.255.255.255              A.1             A.77       1
              A.0    255.255.255.0             A.77             A.77       1
             A.77  255.255.255.255        127.0.0.1        127.0.0.1       1
            A.255  255.255.255.255             A.77             A.77       1
        224.0.0.0        224.0.0.0  192.168.209.214  192.168.209.214       1
        224.0.0.0        224.0.0.0             A.77             A.77       1
  255.255.255.255  255.255.255.255             A.77             A.77       1
Default Gateway:      A.1
===========================================================================
Persistent Routes:
  None


The only route to the B network seems to go through the usual 
gateway A.1 and not over the VPN.

If I do NOT clear the use default GW option then all traffic goes 
from the client on A.77 over the VPN Default Gateway 
(192.168.209.214), reaches the IP at the server end (B.214), but 
then is not routed off the pptpd server (forwarding is enabled):

# cat /proc/sys/net/ipv4/ip_forward
1


Regards,
Jim

--   
     *** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                Harte & Lyne Limited
vox: +1 905 561 1241          9 Brockley Drive
fax: +1 905 561 0757          Hamilton, Ontario
<token> = hal                 Canada L8E 3C3
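Added example (not part of the original thread): a longest-prefix-match walk over the `route print` table quoted above, showing why traffic for netblock B leaves via the A.1 gateway rather than the PPP interface, and what changes once the manual route Joe Pruett suggests is added. The A and B netblocks are anonymised in the post, so constructed documentation ranges stand in for them (A = 203.0.113.0/24, B = 198.51.100.0/24).

```python
import ipaddress

# Constructed stand-ins for the anonymised netblocks in the post.
A = "203.0.113."            # client side ("A")
B = "198.51.100."           # server side ("B")
VPN_IF = "192.168.209.214"  # PPP interface address handed out by pptpd
LAN_IF = A + "77"           # client's Ethernet address (A.77)

# The "Active Routes" table from the post: dest, mask, gateway, interface, metric.
ROUTE_PRINT = f"""
        0.0.0.0         0.0.0.0            {A}1   {LAN_IF}  1
      127.0.0.0       255.0.0.0       127.0.0.1   127.0.0.1  1
  192.168.209.0   255.255.255.0        {VPN_IF}   {VPN_IF}  1
192.168.209.214 255.255.255.255       127.0.0.1   127.0.0.1  1
192.168.209.255 255.255.255.255        {VPN_IF}   {VPN_IF}  1
           {B}21 255.255.255.255           {A}1   {LAN_IF}  1
            {A}0   255.255.255.0        {LAN_IF}   {LAN_IF}  1
           {A}77 255.255.255.255       127.0.0.1   127.0.0.1  1
          {A}255 255.255.255.255        {LAN_IF}   {LAN_IF}  1
      224.0.0.0       224.0.0.0        {VPN_IF}   {VPN_IF}  1
      224.0.0.0       224.0.0.0        {LAN_IF}   {LAN_IF}  1
255.255.255.255 255.255.255.255        {LAN_IF}   {LAN_IF}  1
"""

def parse_routes(text):
    """Turn route-print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        routes.append((ipaddress.IPv4Network((dest, mask)), gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Forwarding decision: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), gw, iface)
    return (best[1], best[2]) if best else None

def lookup_before_and_after(dst):
    """Return (gateway, interface) for dst before and after adding the B/24 route.
    The added row corresponds to the manual command the quoted advice refers to:
        route add 198.51.100.0 mask 255.255.255.0 192.168.209.214
    """
    base = parse_routes(ROUTE_PRINT)
    fixed = base + [(ipaddress.IPv4Network(B + "0/24"), VPN_IF, VPN_IF, 1)]
    return lookup(base, dst), lookup(fixed, dst)
```

Note that B.21 (the pptpd server's public address) keeps its /32 host route via A.1 even after the fix, which is what stops the tunnel's own packets from being routed into the tunnel.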