Hi
I've been using linux to give VPN access to my corporate LAN using the following software:
CentOS 5.2 x86, kernel 2.6.18-92.1.18.el5xen, pptpd (poptop) 1.3.4, ppp 2.4.4
The CentOS server is directly connected to the Internet router on one interface (eth1) and to the LAN on another (eth0), and it works as the firewall/VPN server of my LAN. It mostly works; however, if I try to connect using Remote Desktop (Terminal Services) to our Windows domain controller (for example; it will happen with any Windows server) the CentOS server will just reboot. I can connect to the Windows box, authenticate, and work for about 5-10 seconds before the Linux reboots. It's not a friendly reboot, it just crashes and restarts. This Linux is running virtualized with XenServer Express, and the Windows domain controller is running as another virtual machine in the same physical computer. I've updated the CentOS server using yum update, but it still crashes. I tried installing pptpd from source, but it still crashes the same way. I googled a bit, and somebody said they had a similar issue but solved it by lowering the MTU on the WAN interface of the VPN server. I did that, but nothing helped. I've searched bug reports on this, but there seem to be none. Any idea what I can do to fix this? Or does anybody know another good VPN server for Linux? (I know about OpenVPN and IPsec+xl2tpd, but these require additional software on the client or are not very Linux-friendly.) My main requirements for the VPN server are:
- it should require no additional software on the Windows clients (Vista and XP currently)
- it should work fine with Mac OS X and Linux clients
- if possible, not very hard to set up ;)
Thanks a lot, and sorry for the long post.
On Mon, Nov 24, 2008, "Germán Andrés Pulido F." wrote:
Hi
I've been using linux to give VPN access to my corporate LAN using the following software:
CentOS 5.2 x86, kernel 2.6.18-92.1.18.el5xen, pptpd (poptop) 1.3.4, ppp 2.4.4
Headaches deleted.
I would highly recommend using OpenVPN rather than using pptp. OpenVPN doesn't require kernel support as it's built on top of SSL, is far more secure than PPTP (the product of ``Kindergarten Cryptographers'' according to one well-known security paper), and there are clients for all flavors of Windows, Linux, and Mac OS X.
Some of our clients used PPTP when we were using SuSE Enterprise Linux, but we moved them to OpenVPN when we moved to CentOS. I had been trying to get them off PPTP anyway, and CentOS's lack of standard support was the factor that got them to consider OpenVPN. I wrote a couple of scripts to automatically generate the OpenVPN certificates for clients, making it easy for unsophisticated clients to install them on their Windows and Mac machines, and they now are much happier than they were with PPTP.
Bill
Bill Campbell wrote:
I would highly recommend using OpenVPN rather than using pptp. OpenVPN doesn't require kernel support as it's built on top of SSL, is far more secure than PPTP (the product of ``Kindergarten Cryptographers'' according to one well-known security paper), and there are clients for all flavors of Windows, Linux, and Mac OS X.
Microsoft has updated PPTP since the only paper I know about was written. Does anyone know if there are still problems with it or if the linux version is updated to match?
But, openvpn is easier to use if you control the clients.
On Mon, 24 Nov 2008, Les Mikesell wrote:
But, openvpn is easier to use if you control the clients.
If only Apple would add /dev/tun to the iPhone -- then our iPhone users could run OpenVPN and the sysadmin portion of my life would become somewhat less annoying...
Hi,
On Mon, Nov 24, 2008 at 12:56, Les Mikesell lesmikesell@gmail.com wrote:
Microsoft has updated PPTP since the only paper I know about was written. Does anyone know if there are still problems with it or if the linux version is updated to match?
From http://pptpclient.sourceforge.net/protocol-security.phtml:
"PPTP on Linux, and Microsoft's PPTP, both implement fixes for vulnerabilities that were detected years ago in Microsoft's PPTP. *But there remain the design vulnerabilities that cannot be fixed without changing the design.* The changes needed would break interoperability. We can't change the Linux PPTP design, because it would stop working with Microsoft PPTP. They can't change their design, because it would stop working with all the other components out there, such as Nortel and Cisco, embedded routers, ADSL modems and their own Windows installed base."
And POPTOP (http://poptop.sourceforge.net/dox/qna.html#12):
In conclusion: *Poptop suffers the same security vulnerabilities as the NT server* (this is because it operates with Windows clients). Update: MSCHAPv2 has been released and addresses *some* of the security issues. Poptop works with MSCHAPv2, which is implemented in pppd.
Wikipedia (http://en.wikipedia.org/wiki/PPTP):
PPTP has been made obsolete by Layer 2 Tunneling Protocol (L2TP) and IPSec.
From these sources, I can't tell for sure if the protocol has vulnerabilities by design or not, but in any case there seems to be agreement that other VPN protocols such as IPSec are much more secure and reliable than PPTP. I would not recommend starting a VPN implementation using PPTP.
L2TP/IPSec seems to be the best alternative regarding client support (built-in support on Windows XP, Mac and the iPhone), only it is very hard to implement on a Linux server, and there are issues with NAT traversal. OpenVPN is easy to implement and seems to work very well with NAT, but clients must be downloaded and installed for most platforms, and are not available, for instance, for the iPhone.
HTH, Filipe
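The sources Filipe quotes say the only PPTP-level mitigation is MS-CHAPv2 (with MPPE) as implemented in pppd. As an added example, not code from the thread, pptpd or ppp, here is a small Python audit of the pppd options file pptpd passes to pppd (on CentOS typically /etc/ppp/options.pptpd, an assumption), checking that the stock refuse-*/require-* lines are still in place and nothing was loosened; it assumes pppd's options-file syntax (whitespace-separated option words, `#` comments), the option names are real ppp 2.4.x options, and both sample files are constructed. It checks only those pppd settings, not the design-level problems the quoted pages say cannot be fixed.

```python
# Audit the pppd options file pptpd hands to pppd (e.g. /etc/ppp/options.pptpd)
# for weak authentication/encryption settings. Added example, not code from
# the thread, pptpd or ppp. Assumes pppd's options-file syntax: whitespace-
# separated option words, '#' starts a comment. Option names are real
# ppp 2.4.x options; the two sample files below are constructed.

# Options a server kept on MS-CHAPv2 + MPPE-128 should have. Refusing the
# weaker methods matters: otherwise a client can negotiate down to them.
REQUIRED = {
    "refuse-pap": "PAP sends the password in the clear",
    "refuse-chap": "CHAP (MD5) cannot derive MPPE keys",
    "refuse-mschap": "MS-CHAPv1 is weaker than v2",
    "require-mschap-v2": "only MS-CHAPv2 should be accepted",
    "require-mppe-128": "128-bit MPPE must be mandatory",
    "nomppe-stateful": "stateless MPPE rekeys every packet, not every 256",
}

# Options whose presence explicitly weakens the link.
FORBIDDEN = {
    "noauth": "peer is not required to authenticate",
    "require-pap": "forces cleartext passwords",
    "require-chap": "forces CHAP, which cannot key MPPE",
    "require-mschap": "forces MS-CHAPv1",
    "require-mppe-40": "pins MPPE to 40-bit keys",
    "nomppe": "disables MPPE entirely",
}

def parse_pppd_options(text):
    """Return the set of words in a pppd options file, comments stripped.
    Option arguments (e.g. the address after ms-dns) land in the set too;
    harmless, since only fixed option names are looked up."""
    words = set()
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if code:
            words.update(code.split())
    return words

def audit_pppd_options(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_pppd_options(text)
    findings = [f"missing {o}: {why}" for o, why in REQUIRED.items() if o not in opts]
    findings += [f"present {o}: {why}" for o, why in FORBIDDEN.items() if o in opts]
    return findings

# Constructed: an options file loosened "so old clients still connect".
WEAK_OPTIONS = """\
name pptpd
require-mschap   # MS-CHAPv1 allowed again
require-mppe-40
ms-dns 192.168.0.1
"""

# Constructed: the stock refuse-*/require-* lines all in place.
HARDENED_OPTIONS = """\
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful
"""
```

Running `audit_pppd_options` on the weak sample yields eight findings (six missing options, two present ones); on the hardened sample it yields none.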
Thanks everyone for your help. I still cannot guess what the problem is with the rebooting of the server, but I'm currently reading about openvpn, it seems to be the best solution for my issue.
Regards.
On Nov 24, 2008, at 11:31 PM, "Germán Andrés Pulido F." <gpulido@gtscolombia.com> wrote:
Thanks everyone for your help. I still cannot guess what the problem is with the rebooting of the server, but I'm currently reading about openvpn, it seems to be the best solution for my issue.
There have been some show stopper bugs in Xen with regard to networking.
Maybe the handling of a large volume of GRE packets in your VM has hit one of those.
Personally I would give the free ESXi server a go and see how that works; its network handling is more mature.
-Ross
Sorry for the late jump in here, hence the top post (missing earlier posts).
I have a working setup as you described without the reboot problem. There is one difference, we are using VMWare (free version).
It even authenticates against the domain controller for vpn sessions.
I would be happy to help find the differences in your setup, or help you "copy" ours.
-Jason
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of "Germán Andrés Pulido F."
Sent: Monday, November 24, 2008 11:31 PM
To: CentOS mailing list
Subject: Re: [CentOS] PPTP VPN server
Thanks everyone for your help. I still cannot guess what the problem is with the rebooting of the server, but I'm currently reading about openvpn, it seems to be the best solution for my issue.
Regards.
Hi!
Thanks for your help. The free version of vmware is ESXi, that's what you are using, right? I also authenticate VPN sessions against the domain controller, and that also works beautifully. The only issue is the reboot of the server. However, I found that terminal services is not the only thing that produces the reboot; once I managed to reboot it while just browsing some of our internal web servers (plain HTTP), so the bug is not strictly related to Terminal Services. Now, the fact that you have the same configuration running seems to imply that the issue is with something specific to my installation. Now, a quick question: did you compile pptpd yourself, or did you use RPMs from the official web site?
Thanks again.
Jason Pyeron wrote:
I have a working setup as you described without the reboot problem. There is one difference, we are using VMWare (free version).
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of "Germán Andrés Pulido F."
Sent: Tuesday, November 25, 2008 11:46 AM
To: CentOS mailing list
Subject: Re: [CentOS] PPTP VPN server
Hi!
Thanks for your help. The free version of vmware is ESXi,
http://www.vmware.com/download/server/ (using 1.x series)
that's what you are using, right? I also authenticate VPN sessions against the domain controller, and that also works beautifully. The only issue is the reboot of the server. However, I found that terminal services is not the only thing that produces the reboot; once I managed to reboot it while just
What is the uptime on the VM host?
browsing some of our internal web servers (plain HTTP), so the bug is not strictly related to Terminal Services. Now, the fact that you have the same configuration running seems to imply that the issue is with something specific to my installation. Now, a quick question: did you compile pptpd yourself, or did you use RPMs from the official web site?
No compiling here, we have no time... Direct from a CentOS yum repo near you.
[root@XXXXXXXXXXXXXX ~]# cat /etc/issue
CentOS release 5 (Final)
Kernel \r on an \m
[root@XXXXXXXXXXXXXX ~]# rpm -qf /usr/sbin/pptpd
pptpd-1.3.4-1.rhel5.1
[root@XXXXXXXXXXXXXX ~]# uname -a
Linux XXXXXXXXXXXXXX.ZZZZZZZZZZZZZZZZZZZZZZ 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 athlon i386 GNU/Linux
[root@XXXXXXXXXXXXXX ~]#
--
Jason Pyeron, PD Inc. http://www.pdinc.us
Principal Consultant, 10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333
This message is copyright PD Inc, subject to license 20080407P00.
Hi!
Thanks to everyone who helped me. In the end, it seems the problem is the virtualizing software, since I installed openvpn, configured it, and the exact same thing happens. Is there any log I can look at to get any clue about this kind of reboot?
Thanks!
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of "Germán Andrés Pulido F."
Sent: Wednesday, November 26, 2008 12:08 AM
To: CentOS mailing list
Subject: Re: [CentOS] PPTP VPN server
Hi!
Thanks to everyone who helped me. In the end, it seems the problem is the virtualizing software, since I installed openvpn, configured it, and the exact same thing happens. Is there any log I can look at to get any clue about this kind of reboot?
Every time we have had this problem, it was the power supply. That does not mean it is the power supply, but that is the first thing we check.
Thanks!
--
Regards,
GERMAN ANDRES PULIDO F., Project Engineer, GLOBAL TECHNOLOGY SERVICES - GTS S.A.
Tel: (571) 658 34 10 ext 110, Carrera 7b No. 123-46, Bogotá-Colombia, Website: www.gtscolombia.com
2008/11/25 Les Mikesell lesmikesell@gmail.com:
Microsoft has updated PPTP since the only paper I know about was written. Does anyone know if there are still problems with it or if the linux version is updated to match?
In addition to Filipe's detailed reply: when I was looking at the details of new VPN server options in the last few days, I noticed that PPTP support was always mentioned as "PPTP+IPSEC", which gives the impression that people who use or sell PPTP don't have much confidence in its security when used stand-alone.
Cheers,
--Amos