[CentOS] VPN via PPTP and MPPE
James B. Byrne
ByrneJB at Harte-Lyne.ca
Tue Nov 8 16:30:27 UTC 2005
On 1 Nov 2005 at 11:25, Joe Pruett wrote:
> as for your local traffic, the vpn only sets up a route for the
> natural netmask of the remote end. so if the vpn server is
> 192.168.1.4, then a route for 192.168.1.0/24 will be installed.
> you can see what routes get setup via 'route print' at a dos
> prompt. if you need other routes setup, then you have to do it
> manually after the vpn is running. i seem to recall there might
> be a way to invoke the vpn from a command script, so you might be
> able to start it and add the routes from a .bat file.
Thank you for the assistance. I have reached the point where I
seem to have resolved all the firewall issues that were
contributing to my problems and I can now reliably connect a vpn
between my MS-W2K box on one C class to a CentOS4.2 box running
PopTop pptpd with 128 bit MPPE. As you anticipated, now I am down
to routing problems.
I have set up the pptpd server to supply a non-routable address in
the range 192.168.209.194-254 as the client side IP and a routable
address from the remote C block as the server side.
I have very little knowledge and even less experience with this so
please bear with me. Here is what I want to do:
Case 1. Typical:
>From any arbitrary external IP address, establish a VPN to a pptpd
server inside our firewall that will route all traffic consigned to
our internal network over that VPN while all other traffic goes
over the gateway established before the VPN is set up.
I cannot seem to get this to work with the MS network connection
client. I have turned off the "use default gateway on remote
network" option in the tcp/ip advanced networking options in the MS
client, but the only effect that seems to have is that no traffic
goes over the VPN at all. I have confirmed via tracert that the
destination IP of the VPN tunnel is recognized on the eth0
interface and responds to ping and traceroute, but the routing from
my test workstation is invariantly over the public gateway and not
via the vpn.
All traffic is routed over the VPN and then, if necessary, out onto
the Internet via our own gateway. I need to get case 1. working
before I do this, but this will be a another requirement that will
have to be available in addition to case 1. for some users.
What I need is a way of configuring vpn clients on Windows 2K and
XPpro so that these two cases work automatically from some sort of
simple to deploy client install script. I am open to using
alternative vpn client software if that is required.
As this is evidently a client side problem I understand that it is
not strictly CentOS related. However, this issue naturally falls
on the server end to provide an answer and I hope that someone here
has gone through this already and can provide me with some advice
or referrals to other venues for help.
Presently, this is what I get on the MS-W2K client when I establish
a VPN between netblock A and netblock B:
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 48 54 8c 2a fb ...... NDIS 5.0 driver
0x2000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
Network Destination Netmask Gateway Interface
0.0.0.0 0.0.0.0 A.1 A.77
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
192.168.209.0 255.255.255.0 192.168.209.214 192.168.209.214
192.168.209.214 255.255.255.255 127.0.0.1 127.0.0.1
192.168.209.255 255.255.255.255 192.168.209.214 192.168.209.214
B.21 255.255.255.255 A.1 A.77
A.0 255.255.255.0 A.77 A.77
A.77 255.255.255.255 127.0.0.1 127.0.0.1
A.255 255.255.255.255 A.77 A.77
126.96.36.199 188.8.131.52 192.168.209.214 192.168.209.214
184.108.40.206 220.127.116.11 A.77 A.77
255.255.255.255 255.255.255.255 A.77 A.77
Default Gateway: A.1
The only route to the B network seems to go through the usual
gateway A.1 and not over the VPN.
If I do NOT clear the use default GW option then all traffic goes
from the client on A.77 over the VPN Default Gateway
(192.168.209.214), reaches the IP at the server end (B.214), but
then is not routed off the pptpd server (forwarding is enabled):
# cat /proc/sys/net/ipv4/ip_forward
*** e-mail is not a secure channel ***
James B. Byrne Harte & Lyne Limited
vox: +1 905 561 1241 9 Brockley Drive
fax: +1 905 561 0757 Hamilton, Ontario
<token> = hal Canada L8E 3C3
More information about the CentOS