Diffstat (limited to 'pptpd-1.3.3/html')
-rw-r--r-- pptpd-1.3.3/html/CVS/Entries | 3
-rw-r--r-- pptpd-1.3.3/html/CVS/Repository | 1
-rw-r--r-- pptpd-1.3.3/html/CVS/Root | 1
-rw-r--r-- pptpd-1.3.3/html/HOWTO-PoPToP.txt | 873
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/CVS/Entries | 15
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/CVS/Repository | 1
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/CVS/Root | 1
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/diagram1.jpg | bin 0 -> 14842 bytes
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_1.htm | 123
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_10.htm | 87
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_11.htm | 83
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_12.htm | 70
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_2.htm | 46
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_3.htm | 58
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_4.htm | 56
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_5.htm | 66
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_6.htm | 93
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_7.htm | 93
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_8.htm | 91
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_9.htm | 52
-rw-r--r-- pptpd-1.3.3/html/poptop_ads_howto/test.txt | 1
-rw-r--r-- pptpd-1.3.3/html/setup_pptp_client.html | 89
22 files changed, 1903 insertions, 0 deletions
diff --git a/pptpd-1.3.3/html/CVS/Entries b/pptpd-1.3.3/html/CVS/Entries
new file mode 100644
index 0000000..1b7a3e1
--- /dev/null
+++ b/pptpd-1.3.3/html/CVS/Entries
@@ -0,0 +1,3 @@
+/HOWTO-PoPToP.txt/1.2/Thu Apr 22 04:54:07 2004//
+/setup_pptp_client.html/1.1.1.1/Thu Apr 22 04:54:07 2004//
+D/poptop_ads_howto////
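Review bot: the CVS/ directories added here (Entries, Repository, Root, plus the second set under poptop_ads_howto/ in the diffstat) are checkout bookkeeping from the old CVS tree, not project content, and should be dropped from the import or excluded via .gitignore; the per-file revision numbers and timestamps in Entries have no meaning once the tree lives in git and will only go stale.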
diff --git a/pptpd-1.3.3/html/CVS/Repository b/pptpd-1.3.3/html/CVS/Repository
new file mode 100644
index 0000000..bf2041d
--- /dev/null
+++ b/pptpd-1.3.3/html/CVS/Repository
@@ -0,0 +1 @@
+poptop/html
diff --git a/pptpd-1.3.3/html/CVS/Root b/pptpd-1.3.3/html/CVS/Root
new file mode 100644
index 0000000..6f952a5
--- /dev/null
+++ b/pptpd-1.3.3/html/CVS/Root
@@ -0,0 +1 @@
+:ext:quozl@poptop.cvs.sourceforge.net:/cvsroot/poptop
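Review bot: CVS/Root records a developer's personal checkout string, `:ext:quozl@poptop.cvs.sourceforge.net:/cvsroot/poptop`, which ties an individual SourceForge login to the published source tree; it carries no password, but a per-user access string does not belong in a source import and should be removed together with the rest of the CVS/ metadata.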
diff --git a/pptpd-1.3.3/html/HOWTO-PoPToP.txt b/pptpd-1.3.3/html/HOWTO-PoPToP.txt
new file mode 100644
index 0000000..cb69887
--- /dev/null
+++ b/pptpd-1.3.3/html/HOWTO-PoPToP.txt
@@ -0,0 +1,873 @@
+PoPToP HOWTO/FAQ
+----------------
+Last Updated: 20021024
+Send changes to: Richard de Vroede <r.devroede@linvision.com>
+
+HOWTO/FAQ mostly compiled from PoPToP help pages and the PoPToP Mailing List
+(hosted by Christopher Schulte) by Matthew Ramsay. Large contributions from
+Steve Rhodes and Michael Walter.
+
+
+Contents
+--------
+1.0 Introduction
+ 1.1 About PoPToP
+ 1.2 Credits
+2.0 System Requirements
+3.0 PPP with MSCHAPv2/MPPE Installation
+4.0 PoPToP Installation
+5.0 Windows Client Setup
+6.0 FAQ
+
+
+1.0 Introduction
+----------------
+1.1 About PoPToP
+PoPToP is the PPTP Server solution for Linux. PoPToP allows Linux servers to
+function seamlessly in the PPTP VPN environment. This enables administrators
+to leverage the considerable benefits of both Microsoft and Linux. The
+current pre-release version supports Windows 95/98/NT/2000 PPTP clients and
+PPTP Linux clients. PoPToP is free GNU software.
+
+PoPToP Home Page: http://www.moretonbay.com/vpn/pptp.html
+
+1.2 Credits
+PoPToP was originally started by Matthew Ramsay under the control of
+Moreton Bay Ventures (http://www.moretonbay.com). Around March 1999 PoPToP
+was publically released under the GNU GPL by Moreton Bay/Lineo.
+
+PoPToP is what it is today due to the help of a number of intelligent and
+experienced hackers. More specifically Kevin Thayer, David Luyer and
+Peter Galbavy.
+
+More contributors to PoPToP (in various forms) include Allan Clark, Seth
+Vidal, Harald Vogt and Ron O'Hara.
+
+And finally, credit to all the PoPToP followers who test and report
+problems.
+
+1.3 PopToP migrating from poptop.lineo.com
+March 18, 2002
+
+The main PoPToP developers left Lineo with the SnapGear spin-out. The ball
+is being picked up by Daniel Djamludin. PoPToP has been actively developed
+within SnapGear and a number of improvements need to be rolled out.
+
+Henceforth from this sentence onwards you should refer to "PoPToP" as
+"Poptop" for ease of use and typing.
+
+Lineo have been asked to forward poptop.lineo.com to poptop.sourceforge.net
+
+The sources are being gathered to go into CVS, new binaries and dev images will follow.
+
+Source Forge looks like the best neutral ground to smooth out future upheavals.
+
+
+2.0 System Requirements
+-----------------------
+1. A modern Linux distribution (such as Debian, Red Hat, etc.) with a recent
+ kernel (2.4.x recommended, 2.2.x should be ok). Note: ports exist for
+ Solaris, BSD and others but are not supported in this HOWTO at this
+ time.
+2. PPP (2.4.1 recommended, 2.3.11 should be ok)
+ (and the MSCHAPv2/MPPE patch if you want enhanced Microsoft
+ compatible authentication and encryption).
+3. PoPToP v1.1.3 (or download the latest release at:
+ http://sourceforge.net/projects/poptop
+
+
+3.0 PoPToP Installation
+-----------------------
+Check out the documentation at http://sourceforge.net/docman/?group_id=44827
+
+
+4.0 Windows Client Setup
+------------------------
+
+Install it using the add-remove programs tool. Go to windows->communications
+and install VPN support.
+
+(If you do above you may *not* need to follow the instructions below as it
+will already be installed... ?
+
+follow the instructions:
+
+ 1.start->settings->control panel->network
+ 2.Click add
+ 3.choose adapter
+ 4.Click add
+ 5.select microsoft as the Manufactuarer
+ 6.select Microsoft Virtual Private Networking Adapter
+ 7.Click ok
+ 8.Insert any necessary disks
+ 9.Reboot your Machine
+
+take a little nap here...
+
+Once your Machine is back
+
+ 1.go to dial-up networking (usually start->programs->Accessories->communications->Dial-up Networking) YMMV
+ 2.Click make new connection
+ 3.Name the Connection whatever you'd like.
+ 4.Select Microsoft VPN adapter as the device
+ 5.click next
+ 6.type in the ip address or hostname of your pptp server
+ 7.click next
+ 8.click finish
+ 9.Right-click on the intranet icon
+ 10.select properties
+ 11.choose server types
+ 12.check require encrypted password
+ 13.uncheck netbeui, ipx/spx compatible
+ 14.click tcp/ip settings
+ 15.turn off use IP header compression
+ 16.turn off use default gw on remote network
+ 17.click ok.
+ 18.start that connection
+ 19.type in your username and pw (yadda, yadda, yadda)
+ 20.once it finishes its connection your up.
+
+
+Note that the Win95 routine is similar but requires Dial Up Networking Update 1.3 (free from Microsoft) to be installed first.
+
+
+5.0 FAQ
+-------
+
+Q&A.
+INTRODUCTION
+
+After spending the better part of two weeks developing my configuration
+for a pptp sever for remote file access by Windows(tm) clients, I
+thought I would pass along these notes to those who may be interested.
+
+The basic configuration involves a Samba/PoPToP server behind a
+firewall, through which clients using Win98 machines will connect using
+the VPN facility built into that OS. This is diagrammed below.
+
+ _____ ___ ______ ______
+| | | \ | fire | | file |
+| win | ---> / net \ ---> | wall | ---> | srvr |
+|_____| \__/\_/ |______| |______|
+
+
+The components of the system consist of the Win98 clients running the
+built-in VPN facility dialing in to their ISP's and connecting through
+the firewall to the Samba server on the internal network using the pptp
+protocol. The firewall uses Network Address Translation to convert an
+open Internet IP address to an internal one. Sounds simple enough
+right?
+
+SIMPLE TEST SETUP
+
+As a starting point, I configured a Win98 box to connect directly to a
+PoPToP server without any authentication or encryption. This was just
+to get a feel for how pptp works and verify the setup. Using the
+pre-packaged rpm's was a big help here. You just rpm the thing onto the
+system and fire it up, and you're in business. The diagram below
+represents this simple system.
+
+
+ 192.168.56.142 192.168.56.11
+ _____ ______
+ | | | file |
+ | win | ------------------> | srvr |
+ |_____| |______|
+
+Emboldend by my success, I set out to turn on MS authentication and
+encrytion, and this is where the fun started.
+
+AUTHENTICATION AND ENCRYPTION
+
+This is an area where Microsoft really shows its true colors. Turning
+on password and data encryption on the Win98 VPN server configuration
+was quite the eye opening experience. First with the authentication,
+you will have to go through a somewhat difficult compilation of the
+ppp-2.3.8 package. The worst part here is getting all the pieces
+together, namely the rc4 files. This process is well documented in this
+archive, so I won't go into it here.
+
+The next realization is that Microsoft prepends the domain name to the
+user name when submitting the login credentials. For example, srhodes is
+now DBNET\\srhodes. If that wasn't bad enough, I found that the domain
+wasn't even the one I was logged into. My best guess is that the first
+domain that the computer ever logs into is stuck with it for ever. This
+is a real problem if you have multiple domains that you log into. I
+modified the pppd.c code to strip out the domain on MSCHAP logins, but
+you can just set the user name in chap-secrets to match the windows
+version.
+
+Then I spent a whole day trying to figure out why data encryption does
+not work. I tried just about everything I could think of that could be
+wrong. That's when I discovered this archive, for which I am truly
+grateful. It turns out that the Win9x implementation of encrytpion is
+FUBAR! You have to download one of those patches from Microsoft,
+MSDUN 1.4 to get the thing to work.
+
+Windows 95
+http://download.microsoft.com/download/win95/Update/17648/W95/EN-US/dun14-95.exe
+
+Windows 98
+http://download.microsoft.com/download/win98/Update/17648/W98/EN-US/dun14-98.exe
+
+Windows 98se
+http://download.microsoft.com/download/win98SE/Update/17648/W98/EN-US/dun14-SE.exe
+
+
+FIREWALL CONFIGURATION
+
+The issue with a firewall in this setup is that you need to cover two
+types of protocol communication. There is one connection which is a tcp
+connection on port 1723 that handles the control functions and another
+connection using IP type 47, or GRE, which handles the actual data
+communication. This second connection presents a problem for the
+convention linux firewall, ipfwadm. You see, its only set up to handle
+tcp, udp and icmp protocols. It doesn't know about GRE.
+
+The trick around this block is to use one of the new 2.2 kernels, which
+employ a new firewall called ipchains. This tool willl handle arbitrary
+protocols, which can be specified by their numbers.
+
+
+ 192.168.2.142 192.168.56.11
+ _____ ______ ______
+ | | | fire | 192.168.56.1 | file |
+ | win | --------------->| wall | --------------> | srvr |
+ |_____| 192.168.2.1 |______| |______|
+
+
+
+You need to remember a few things before getting too deep into this.
+The default gateway on win is set to 192.168.2.1, and the default
+gateway on file srvr is set to 192.168.56.1. The firewall has the two
+network interfaces spanning the two subnets and is configured for
+IP forwarding. If you have not yet applied any firewall rules, this
+configuration will work as before. The interesing part is to block out
+all other access to file srvr by implementing ipchains rules.
+
+The short story is:
+
+ipchains -F
+ipchains -P forward DENY
+ipchains -I forward -p tcp -d 192.168.56.11 1723 -j ACCEPT
+ipchains -A forward -p tcp -s 192.168.56.11 1723 -j ACCEPT
+ipchains -A forward -p 47 -d 192.168.56.11 -j ACCEPT
+ipchains -A forward -p 47 -s 192.168.56.11 -j ACCEPT
+
+
+NETWORK ADDRESS TRANSLATION
+
+The next hurdle is to configure the firewall so that it can run an open
+internet IP address on the outside and allow access to an internal
+address on the inside. NAT is very well suited to this task, although
+you may hear otherwise from knowledgable sources. It happens to be my
+preference, though certainly not the only way to skin this cat. You can
+obtain the NAT software and some detailed information from
+
+http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html
+
+But again, there is a problem with the GRE protocol of type 47. The
+tool for configuring NAT, ipnatadm, like its half-brother ipfwadm, is
+not set up to handle arbitrary protocols. Unfortunately, you'll have to
+go into the code and make a slight modification if you want to use it
+for this purpose. There is a procedure called parse_protocol in the
+file routines.c that discriminates the type of protocol to be filtered.
+The basic idea is to accept a string representing a number and use that
+as the filter. Since you have to recompile the kernel anyway to get the
+NAT functionality, maybe it's not so horrible, relatively speaking.
+
+For those ambitous enough, here is the diff for the routines file, copy
+this into a file called routines.diff and use the command patch -p0 <
+routines.diff from within the same directory.
+
+
+--- routines.c Thu Mar 25 15:41:58 1999
++++ /mnt/zip/nat/routines.c Wed Jul 21 21:09:28 1999
+@@ -112,11 +112,18 @@
+ else if (strncmp("icmp", s, strlen(s)) == 0)
+ nat_set.nat.protocol = IPPROTO_ICMP;
+ else {
++ int number;
++ char * end;
++ number = (int)strtol(s, &end, 10);
++ nat_set.nat.protocol = number;
++ }
++ /*
++ else {
+ fprintf(stderr, "ipnatadm: invalid protocol \"%s\"
+specified\n", s);
+ exit_tryhelp(2);
+- /* make the compiler happy... */
+ return;
+ }
++ */
+ }
+
+ void parse_hostnetworkmask(char *name, struct in_addr **addrpp, __u32
+*maskp, int *naddrs)
+
+
+
+The patch is actually lifted from ipchains, which was derived from
+ipfwadm, which provides the basis for ipnatadm.
+
+Once you've got all that running, what you want to do is to set up the
+NAT rules so that the incoming client thinks its talking to the
+firewall, as does the outgoing file server. The short of it is:
+
+ipnatadm -F
+ipnatadm -I -i -P 6 -D 192.168.2.1 1723 -N 192.168.56.11 1723
+ipnatadm -O -i -P 6 -S 192.168.56.11 1723 -M 192.168.2.1 1723
+ipnatadm -I -i -P 47 -D 192.168.2.1 -N 192.168.56.11
+ipnatadm -O -i -P 47 -S 192.168.56.11 -M 192.168.2.1
+
+
+Here, the -P argument sets the protocol, 6 is tcp and 47 is GRE.
+PPTP packets targeting the firewall are translated to the internal host
+inbound and vice-versa on the way out. Very slick.
+
+SAMBA
+
+Here's a subject so complex you could probably devote a whole career to
+it. We don't want to get too bogged down, so I'll be brief. Samba
+implements the NetBIOS protocol, which has more quirks than you can
+shake a stick at. One of the biggest problems is the use of subnet
+broadcasting. Suffice it to say, if you want the best results, you
+should set your PoPToP IP addresses to reside within the subnet on which
+the file server ethernet is located. I choose 192.168.56.12 for the
+server address, and it hands out IP's from 192.168.13-127.
+Setting the IP forwarding on the file server to true will give you
+access to other machines on the internal network.
+
+When you go at the samba sever from Win98, you have to use encrypted
+password. Look at smbpasswd and related stuff.
+
+Finding shares on the server is not so easy. The short story here is
+that browsing is implemented via broadcast packets, and broadcast
+packets will not travel down a PPP link. The only way to get browsing
+to work over pptp is to set Samba up as a WINS server and a Domain login
+server, and configure the clients to use that WINS server and force them
+to login to that Domain. Believe me, I tried just about everything to
+avoid that. You will also want to set the samba server as the domain
+master and preferred master for the browsing.
+
+If you can't do that, you can set the ppp/options file to include a
+ms-wins setting for the samba server. This will set the client up so
+they can at least resolve host names. The only way to find a share
+under this configuration is to name it explicitly. You can use the
+tools menu from the Win98 file browser and say find -> computer and
+enter in the name of the samba server and it will be found. I have
+found that setting domain master = yes and preferred master = yes gives
+a rather nice boost to the speed of name lookups on the network.
+
+Here is my abbreviated smb.conf
+
+[global]
+ workgroup = VAULT
+ server string = acer
+ log file = /var/log/samba/log.%m
+ max log size = 50
+ security = user
+ encrypt passwords = yes
+ smb passwd file = /etc/smbpasswd
+ socket options = TCP_NODELAY
+ domain master = yes
+ preferred master = yes
+ domain logons = yes
+ wins support = yes
+ dns proxy = no
+[homes]
+ comment = Home Directories
+ browseable = no
+ writable = yes
+
+You should also use the lmhosts option for nmbd (-H) and set up an
+lmhosts file on the samba server. Make sure also the the samba server
+can resolve its own name, through either /etc/hosts or DNS.
+
+In all honesty , I went through the same simple test setup with samba as
+I did for PoPToP, although its not shown here explicitly.
+
+CONCLUSION
+
+PoPToP is a good program, as is Samba. This configuration can work if
+you put a little effort into it. I have seen a lot of questions here
+and in other places about these types of systems, so I would think that
+there is some demand on the part of users who want this type of
+functionality. I hope these notes are useful to you if this is what you
+want to do.
+
+****************************************************************************
+Q&A
+I have a pptp server set up on my office LAN. I can connect to the
+server and ping to it fine, but I can't ping any other hosts on the
+office subnet. I have ip-forwarding turned on and I have proxyarp set
+in the ppp/options file. What can be wrong?
+
+There seem to be a lot of questions floating around about routing and
+masq'ing associated with this issue.
+
+Well, my curiosity got the best of me, so I thought I would check this
+out. Shown below is my test setup for investigating this problem.
+
+
+192.168.8.142 192.168.56.10 192.168.56.11 192.168.56.12
+ ________ _______ ______ _____
+| | | | | | | |
+| client |------->| fire |-------->| pptp |----->| host |
+| | | wall | | srvr | | |
+|________| |_______| |______| |______|
+ H H
+ H 192.168.8.10 H
+ H H
+ H===================================H
+192.168.5.12 pptp connection 192.168.5.11
+
+
+For the sake of simplicity, we will ignore address translation issues
+associated with the firewall. This assumes that the client at
+192.168.8.142 is going to use 192.168.56.11 as its target address for
+the pptp connection to pptp_srvr. The firewall will block all access to
+
+the 192.168.56.0 subnet except for pptp connections associated with
+pptp_srvr. This can be implemented with ipchains
+
+ipchains -P input DENY
+ipchains -P forward DENY
+ipchains -A input 192.168.56.0/24 -j ACCEPT /* allow connections from
+
+inside */
+ipchains -A input -p tcp -d 192.168.56.11 1723 -j ACCEPT
+ipchains -A input -p 47 -d 192.168.56.11 -j ACCEPT
+ipchains -A forward -p tcp -d 192.168.56.11 1723 -j ACCEPT
+ipchains -A forward -p tcp -s 192.168.56.11 1723 -j ACCEPT
+ipchains -A forward -p 47 -d 192.168.56.11 -j ACCEPT
+ipchains -A forward -p 47 -s 192.168.56.11 -j ACCEPT
+
+When you connect from client to pptp_srvr, you will be able to complete
+the connection and ping to pptp_srvr. However, if you attempt to ping
+host, at 192.168.56.12, this will fail.
+
+A clue to this problem can be found in the /var/tmp/messages file on
+pptp_srvr. There, in the pppd messages, you will find
+
+Cannot determine ethernet address for proxy ARP
+
+This is due to an issue with the pppd program, which attempts to find a
+hardware interface on the subnet to which the pppd client has been
+assigned. In this case its looking for a hardware interface on the
+192.168.5.0 subnet. It will fail to find one, and will drop the
+proxyarp request.
+
+The simplest way around this problem, and the one that is suggested in
+the pppd documentation, is to set the pppd client IP assignment to be on
+
+the local subnet. An example in this case might be 192.168.56.129.
+However, it may not be possible to do that. In the case of a fully
+loaded subnet, there may not be any addresses to spare. Or there may be
+
+some security issues with giving out local subnet addresses. What to
+do?
+
+The place to look is in the arp table. If you run tcpdump on host
+(192.168.56.12) during the time when client is pinging, you will see
+unanswered arp requests from host attempting to find the hardware
+address for 192.168.5.12. You need to proxy the hardware address of the
+
+pptp_srvr for client in order for this request to be fulfilled. This is
+
+the job of proxyarp. However, proxyarp has let us down in this
+instance, and we need to find a workaround.
+
+This can be done manually using the arp command on pptp_srvr. For
+example, if the hardware address of the ethernet card on pptp_srvr is
+00:60:08:98:14:14, you could force the arp to proxy the client pptp
+address by saying
+
+arp --set 192.168.5.12 00:60:08:98:14:13 pub
+
+You should now be able to ping from client to host through the pptp
+connection.
+
+This can be a problem, however, in a dynamic environment when clients
+are logging into and out of the pptp server on a continuous basis. One
+way around this problem is to write a script that will execute upon the
+initiation of each ppp connection.
+
+The place to do this is in /etc/ppp/ip-up. This script is executed each
+
+time a new ppp connection is started. It gets some variables passed
+into it, one of which is the assigned IP address of the client. Note
+that RedHat systems use ip-up.local as the place for you to make the
+script. Don't forget to chmod +x !
+
+
+#! /bin/bash
+
+REMOTE_IP_ADDRESS=$5
+
+date > /var/run/ppp.up
+echo "REMOTE_IP_ADDRESS = " $REMOTE_IP_ADDRESS >> /var/run/ppp.up
+arp --set $REMOTE_IP_ADDRESS 00:60:08:98:14:14 pub >> /var/run/ppp.up
+
+exit 0
+
+
+This should put you in business for accessing the remote subnet under
+this scenario. I am a little bit concerned, however, because I also
+built a script ip-down.local, that should remove the arp proxy when
+client disconnected. It doesn't seem to do anything, however, and if I
+try to delete the arp entry manually, it just spits out a cryptic error
+message. The arp entries remain persistent, as far as I can tell. If
+this is a problem or not, I don't know. The next few clients that log
+in are treated well, so I guess its OK.
+
+****************************************************************************
+Q.
+Also, after running pptpd and monitoring its log file and seeing that it
+failed to open ttyp1 - I chmod +rw /dev/ttyp[0-9] and it seemed to work
+somewhat. But, after I rebooted, I had to do this again. Is this normal?
+
+A.
+pptpd should be running as root (unless you have a system with a setuid
+openpty() helper, which isn't very common). If it fails to open a pty/tty
+pair as root then that is probably because it is in use.
+
+Other programs which use pty/tty's will change their permissions back to
+the standard ones.
+
+****************************************************************************
+Q.
+sometimes when I make a connection to my pptpd server I
+see a message like
+
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-26
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-24
+Jul 2 17:30:03 ape modprobe: can't locate module ppp-compress-21
+
+
+in /var/log/messages on the server. Any idea what I
+can do about it?
+
+A.
+yeah, in your /lib/modules/<kernel version>/net/ directory, there should
+be files called bsd_comp.o and ppp_deflate.o.. insmod those files and
+you'll be good to go.
+
+****************************************************************************
+Q.
+Hi, I'm having trouble getting pptpd & mschap-v2 to work. I downloaded
+all of the patches and compiled everything but whenever i try to connect
+from my win98 machine, it says:
+
+Error 691: The computer you have dialed in to has denied access because
+the username and/or password is invalid on the domain.
+
+What is this suppose to mean?
+
+A.
+Error 691 is an authentication problem probably due to the fact that MS
+chap uses the domain name and username combo to authenticate. If you
+look at the logs you will probably see a message saying that MS chap is
+trying to authenticate user "domain\\username". I got it to work by
+putting the full domain and user string in the client portion of the
+chap-secrets file.
+
+# Secrets for authentication using CHAP
+# client server secret IP
+addresses
+workgroup\\user server password *
+
+If anyone knows how to get it to default to a particular domain, I would
+like to know.
+
+****************************************************************************
+Q.
+how do I go about checking who is logged in via tunnel?
+
+I need some way of writing the pppd data to wtmp/utmp.
+(and not sessreg either)
+
+does anyone know of any way of doing this via ppp?
+
+A.
+pppd syslogs everything to /var/log/messages (that's the default on my box
+anyways) and it will say something like :
+pppd[15450]: CHAP peer authentication succeeded for <username>
+
+you could do a tail /var/log/messages -n2000 | grep CHAP if you wanted to
+see who has been logging in.
+
+other than that, there's not much i know of. all the authentication is
+provided by pppd (if you don't have an auth or a require-chap (or pap, etc.)
+option, it doesn't even ask for a username.
+
+****************************************************************************
+Q.
+My NT client won't connect!
+
+A.
+Try taking header and software compression off.
+
+
+****************************************************************************
+Q. PPTP *client* stops working.
+
+A.
+go to /var/run/pptp/ and look for a socket named x.x.x.x
+delete it and try it again.
+
+****************************************************************************
+Q.
+How many clients does PoPToP support?
+
+A.
+The limits under Linux are:
+
+ per-process filedescriptors
+ - one per client (would limit clients to 256 by default,
+ or 1024 with kernel recompile, or more with major libc/kernel
+ hackery)
+ - no relevant limit
+
+ ttys - currently, with a standard kernel, 256 clients
+ - with Unix98 ptys and a small amount of coding, 2048
+
+ ppp devices
+ - no limit in kernel source for ppp
+ - limit of 100 in dev_alloc_name() in 2.2.x
+
+ for(i=0;i<100;i++)
+ {
+ sprintf(dev->name,name,i);
+ if(dev_get(dev->name)==NULL)
+ return i;
+ }
+
+ best fix is probably to keep a static int ppp_maxdev so you
+ don't end up doing 2000 dev_get's to allocated the 2001'th
+ device.
+
+ processes
+ - 2 per client plus system processes
+ - standard kernel max = 512 processes, ie 256 clients
+ - i386 max = 4096 processes, ie 2048 clients
+
+So it seems that 2048 will be the limit, if you fix a few things and
+with a minor kernel mod (I could do all of these pretty easily and send
+you a trivial kernel patch). To go above 2048 the easiest approach would
+be to combine pptpctrl and pppd in one process, which would get you to
+4096. Beyond there, you need to go for a select() based model, which would
+be significant coding effort and require large fd-set sizes and so on.
+So 4096 is the practical limit, and 2048 the easy limit.
+
+****************************************************************************
+Q.
+What authentication methods (PAP/CHAP) does PoPToP work with?
+
+A.
+PoPToP uses whatever authentication methods your PPPd provides (usually
+PAP and CHAP). With PPPd patches you can get MSCHAP and MSCHAPv2
+authentication as well.
+
+****************************************************************************
+Q.
+When running PoPToP I get the following error:
+
+ Jun 11 08:29:04 server pptpd[4875]: MGR: No more free connection slots!
+
+What does this mean?
+
+A.
+I'd say at a guess you've only configured one IP address and you have
+connected a client, and as such there are no more free connection slots should
+any more clients wish to connect.
+
+****************************************************************************
+Q.
+Does PoPToP suffer from the same security flaws
+(http://www.counterpane.com/pptp.html) as the Windows NT PPTP server?
+
+A.
+An initial look at the article suggests that what the authors hammered was
+not the PPTP protocol, but the authentication that the PPTP VPN servers on
+NT offered access to via open internet. PPTP seems initially to be just
+the path to the weakness, not the weakness itself. Part of their
+observance of weakness deals with use of poor passwords as well, a cheap
+component, simple enough to fix.
+
+> While no flaws were found in PPTP itself, several serious flaws were
+> found in the Microsoft implementation of it.
+> (http://www.counterpane.com/pptp-pressrel.html)
+
+The authors do not specifically say "this is ONLY effective against NT",
+just that NT is affected. This implies that they do not recognize PoPToP,
+and it may be included. The fact that PoPToP has to interOp with MS DUN's
+VPN client means that it will have the same weaknesses. It can only
+protect itself from DoS attacks, have immediate response to out-of-sequence
+packets or illogical packets, etc.
+
+The protocol is not considered weak in this analysis, but the weaknesses
+have to be replicated in apparent behavior by PoPToP. The only thing the
+developers can do with PoPToP is make it a stronger server per se -- more
+able to handle the attacks when the come.
+
+In conclusion: PoPToP suffers the same security vulnerabilities as the NT
+sever (this is because it operates with Windows clients).
+
+Update: MSCHAPv2 has been released and addresses some of the security
+issues. PoPToP works with MSCHAPv2.
+
+****************************************************************************
+Q.
+Does PoPToP support data encryption?
+
+A.
+Yes.. with appropriate PPPd patches. Patches are available for PPPd to
+provide Microsoft compatible RC4 data encryption. The PPPd patch supports
+40 and 128 bit RC4 encryption.
+
+****************************************************************************
+Q.
+PoPToP or IPsec? Which is better suited to my needs?
+
+A.
+1. The difference between PoPToP and IPsec is that PoPToP is ready NOW..
+and requires *no* third party software on the Windows client end
+(Windows comes with a free PPTP client that is trivial to set up).
+
+2. PoPToP is a completely *free* solution.
+Update: Unfortunately not true for Mac *clients* though. The Mac client
+software is around $400 US a copy.
+
+3. PoPToP can be integrated with the latest PPPD patches that take
+advantage of MSCHAPv2 and MPPE (Microsoft encryption using RC4 - 40/128
+bits).
+
+More details follow from Emir Toktar:
+(Refs: A Comprehensive Guide to Virtual Private Networks, IBM.
+Virtual Private Networking: An Overview White Paper - DRAFT, 3/18/98
+Microsoft.)
+
+Neither network layer-based (L2TP, PPTP,...) nor application layer-based
+(IPSec,SSL,SSH) security techniques are the best choice for all
+situations. There will be trade-offs. Network layer security protects the
+information created by upper layer protocols, but it requires that IPSec
+be implemented in the communications stack.
+
+With network layer security, there is no need to modify existing upper
+layer applications. On the other hand, if security features are already
+imbedded within a given application, then the data for that specific
+application will be protected while it is in transit, even in the absence
+of network layer security. Therefore security functions must be imbedded
+on a per-application basis.
+
+There are still other considerations:
+Authentication is provided only for the identity of tunnel endpoints, but
+not for each individual packet that flows inside the tunnel. This can
+expose the tunnel to man-in-the-middle and spoofing attacks.
+
+Network layer security gives blanket protection, but this may not be as
+fine-grained as would be desired for a given application. It protects
+all traffic and is transparent to users and applications.
+
+Network layer security does not provide protection once the datagram has
+arrived at its destination host. That is, it is vulnerable to attack
+within the upper layers of the protocol stack at the destination machine.
+
+Application layer security can protect the information that has been
+generated within the upper layers of the stack, but it offers no
+protection against several common network layer attacks while the
+datagram is in transit. For example, a datagram in transit would be
+vulnerable to spoofing attacks against its source or destination address.
+
+Application layer security is more intelligent (as it knows the
+application) but also more complex and slower.
+
+IPSec provides for tunnel authentication, while PPTP does not.
+
+<User Authentication> Layer 2 tunneling protocols inherit the user
+authentication schemes of PPP, including the EAP methods discussed below.
+Many Layer 3 tunneling schemes assume that the endpoints were well
+known (and authenticated) before the tunnel was established. An exception
+to this is IPSec ISAKMP negotiation, which provides mutual authentication
+of the tunnel endpoints. (Note that most IPSec implementations support
+machine-based certificates only, rather than user certificates. As a
+result, any user with access to one of the endpoint machines can use
+the tunnel. This potential security weakness can be eliminated when
+IPSec is paired with a Layer 2 protocol such as L2TP.
+
+<Token card support> Using the Extensible Authentication Protocol
+(EAP), Layer 2 tunneling protocols can support a wide variety of
+authentication methods, including one-time passwords, cryptographic
+calculators, and smart cards. Layer 3 tunneling protocols (IPSec) can
+use similar methods; for example, IPSec defines public key certificate
+authentication in its ISAKMP/Oakley negotiation.
+
+<Dynamic address assignment> Layer 2 tunneling supports dynamic
+assignment of client addresses based on the Network Control Protocol
+(NCP) negotiation mechanism.
+
+Generally, Layer 3 tunneling schemes assume that an address has already
+been assigned prior to initiation of the tunnel. Schemes for assignment
+of addresses in IPSec tunnel mode are currently under development and
+are not yet available.
+
+<Data Compression> Layer 2 tunneling protocols support PPP-based
+compression schemes. For example, the Microsoft implementations of both
+PPTP and L2TP use Microsoft Point-to-Point Compression (MPPC). The IETF
+is investigating similar mechanisms (such as IP Compression) for the
+Layer 3 tunneling protocols.
+
+<Data Encryption> Layer 2 tunneling protocols support PPP-based data
+encryption mechanisms. Microsoft's implementation of PPTP supports
+optional use of Microsoft Point-to-Point Encryption (MPPE), based on
+the RSA/RC4 algorithm. Layer 3 tunneling protocols can use similar
+methods; for example, IPSec defines several optional data encryption
+methods which are negotiated during the ISAKMP/Oakley exchange.
+
+<Key Management> MPPE, a Layer 2 protocol, relies on the initial key
+generated during user authentication, and then refreshes it
+periodically. IPSec, explicitly negotiates a common key during the
+ISAKMP exchange, and also refreshes it periodically.
+
+<Multi-protocol support> Layer 2 tunneling supports multiple payload
+protocols, which makes it easy for tunneling clients to access their
+corporate networks using IP, IPX, NetBEUI, and so forth. In contrast,
+Layer 3 tunneling protocols, such as IPSec tunnel mode, typically
+support only target networks that use the IP protocol. IPSec is not
+multi-protocol.
+
+IPSec will be suported by Windows 2000.
+
+Many cases can occur, each of which needs to be examined on its own
+merit. It may be desirable to employ a mix of both network layer
+security techniques and application layer techniques to achieve the
+desired overall level of protection. For example, you could use an upper
+layer mechanism such as Secure Sockets Layer (SSL) to encrypt upper
+layer data. SSL could then be supplemented with IPSec's AH protocol at
+the network layer to provide per-packet data origin authentication and
+protection against spoofing attacks.
+
+****************************************************************************
+Q.
+I get a 'createHostSocket: Address already in use' error! what gives?
+
+A.
+Address already in use in createHostSocket means something is already using
+TCP port 1723 - maybe another pptp daemon is running?
+
+****************************************************************************
+Q.
+Does PoPToP work with Windows 2000 clients?
+
+A.
+PoPToP v0.9.5 and above should work with Windows 2000 clients.
+
+****************************************************************************
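Review bot: the classification in the paragraph beginning `Neither network layer-based (L2TP, PPTP,...) nor application layer-based (IPSec,SSL,SSH)` has the protocols in the wrong buckets and contradicts the rest of the section, which treats IPSec as the network layer mechanism (`it requires that IPSec be implemented in the communications stack`) and PPTP/L2TP as Layer 2 tunneling; suggest rewording to "Neither Layer 2 tunneling (PPTP, L2TP), network layer security (IPSec) nor application layer security (SSL, SSH) is the best choice for all situations". The parenthesis opened at `(Note that most IPSec implementations support` is never closed; close it after `such as L2TP`. The encryption answer ("40 and 128 bit RC4 encryption") should point readers to the Key Management paragraph, which already states that MPPE relies on the key generated during user authentication, so the strength of the tunnel is understood to depend on the MS-CHAP exchange and not on the 128-bit figure alone. Typos left in the text: `when the come` (when they come), `NT sever`, `suported`.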
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Entries b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Entries
new file mode 100644
index 0000000..43e96a3
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Entries
@@ -0,0 +1,15 @@
+/diagram1.jpg/1.1/Tue Oct 25 03:08:14 2005//
+/poptop_ads_howto_2.htm/1.1/Tue Oct 25 03:08:14 2005//
+/poptop_ads_howto_3.htm/1.2/Thu Jan 5 00:21:15 2006//
+/poptop_ads_howto_5.htm/1.2/Thu Jan 5 00:21:15 2006//
+/poptop_ads_howto_9.htm/1.2/Thu Jan 5 00:21:15 2006//
+/poptop_ads_howto_11.htm/1.3/Tue Feb 14 00:15:52 2006//
+/poptop_ads_howto_12.htm/1.2/Tue Feb 14 00:15:52 2006//
+/poptop_ads_howto_8.htm/1.3/Tue Feb 14 00:15:52 2006//
+/poptop_ads_howto_1.htm/1.7/Tue Apr 18 03:02:30 2006//
+/poptop_ads_howto_10.htm/1.2/Tue Apr 18 03:02:31 2006//
+/poptop_ads_howto_4.htm/1.7/Tue Apr 18 03:02:31 2006//
+/poptop_ads_howto_6.htm/1.4/Tue Apr 18 03:02:31 2006//
+/poptop_ads_howto_7.htm/1.2/Tue Apr 18 03:02:31 2006//
+/test.txt/1.1/Tue Apr 18 03:02:31 2006//
+D
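Review bot: the `CVS/` bookkeeping files (`CVS/Entries`, `CVS/Repository`, `CVS/Root`) are working-copy metadata from the author's CVS checkout and should not be imported into this tree; drop them from the commit and add `CVS/` to `.gitignore` so they do not come back. The entries carry checkout timestamps and server paths that mean nothing outside that checkout.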
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Repository b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Repository
new file mode 100644
index 0000000..c7b8123
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Repository
@@ -0,0 +1 @@
+poptop/html/poptop_ads_howto
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Root b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Root
new file mode 100644
index 0000000..6f952a5
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Root
@@ -0,0 +1 @@
+:ext:quozl@poptop.cvs.sourceforge.net:/cvsroot/poptop
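Review bot: this file records the committer's personal CVS access string `:ext:quozl@poptop.cvs.sourceforge.net:/cvsroot/poptop`, i.e. a SourceForge login name together with the access method used to reach the repository. Besides being checkout metadata that does not belong in the tree, it is account detail a project should not publish; remove it with the rest of the `CVS/` directories.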
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/diagram1.jpg b/pptpd-1.3.3/html/poptop_ads_howto/diagram1.jpg
new file mode 100644
index 0000000..16490fc
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/diagram1.jpg
Binary files differ
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_1.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_1.htm
new file mode 100644
index 0000000..2a5a969
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_1.htm
@@ -0,0 +1,123 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<h3>PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto</h3>
+<p align="left">Copyright &copy; 2005 Wing S Kwok </p>
+<p align="right">by: Wing S Kwok<br>
+ email: skwok (at) acnielsen.com.au </p>
+<p align="left"><strong>Revision History</strong>:</p>
+<dl>
+ <dt>Release 0.8 - 5 March 2006</dt>
+ <dd>- Updated information on pptpd, samba version</dd>
+ <dd>- Updated information on FC4 kernel version</dd>
+ <dd>- Added info on changing MTU size</dd>
+ <br>
+ <dt>Release 0.71 - 3 February 2006</dt>
+ <dd>- Problem with kernel 2.6.15 and ppp-2.4.3-5 is Gentoo specific. Corrected the document.</dd>
+ <br>
+ <dt>Release 0.7 -- 1 February 2006</dt>
+ <dd>- Section 12.2 has been rewritten.</dd>
+ <dd>- Updated information on Samba version.</dd>
+ <dd>- Provided a link to information on problem with kernel 2.6.15 and ppp-2.4.3-5</dd>
+ <br>
+ <dt>Release 0.6 -- 5 January 2006</dt>
+ <dd>- Added a new section on pptp server administration.</dd>
+ <dd>- Updated information on Samba version. </dd>
+ <br>
+ <dt>Release 0.5 -- 17 November 2005</dt>
+ <dd>- Included info on kernel 2.6.15-rc1 and MPPE support</dd><br>
+ <dt>Release 0.4 -- 30 October 2005</dt>
+ <dd>- Updated kernel-ppp-mppe version number</dd><br>
+ <dt>Release 0.3 -- 23 October 2005</dt>
+ <dd>- added the Acknowledgements section</dd>
+ <dd>- added information on problem with FC4 2.6.13 kernel and mppe kernel module </dd>
+ <dd>- added information on kernel upgrade and dkms_autoinstaller</dd>
+ <dd>- added information on pptp access control</dd>
+ <dd>- updated the software version info to reflect the latest available version</dd><br>
+ <dt>Release 0.2 -- 23 September 2005</dt>
+ <dd>- Rewrote part of the pptp client configuration section and included split tunneling information.</dd><br>
+ <dt>Release 0.1 -- 12 September 2005</dt>
+ <dd>- added Kerberos version information</dd>
+ <dd>- added the full path of winbindd_privileged directory</dd>
+ <dd>- fixed the VBScript which had a few lines missing</dd>
+ <dd>- corrected a few typos </dd>
+</dl>
+<dl>
+ <dt>First Release -- 5 September 2005</dt>
+</dl>
+<p align="left">This document covers how to integrate Poptop with Microsoft Active Directory on Fedora Core 4. Two different implementations are described: a) winbind; and b) freeradius.</p>
+<hr>
+<a name="toc"></a>Table of Contents
+<dl><dt>1. <a href="#introduction">Introduction</a></dt>
+ <dt>2. <a href="#disclaimer">Disclaimer</a></dt>
+ <dt>3. <a href="#acknowledgement">Acknowledgements</a></dt>
+ <dt>4. <a href="poptop_ads_howto_2.htm">The Test Environment</a></dt>
+ <dt>5. <a href="poptop_ads_howto_3.htm#network">Network Configuration</a></dt>
+ <dd>5.1 <a href="poptop_ads_howto_3.htm#defaultroute">Default Route and Static Routes</a></dd>
+ <dd>5.2 <a href="poptop_ads_howto_3.htm#pforward">Enable Packet Forwarding</a></dd>
+ <dt>6. <a href="poptop_ads_howto_4.htm#mppe">Install MPPE Kernel Module</a></dt>
+ <dd>6.1 <a href="poptop_ads_howto_4.htm#autoinstaller">Kernel Upgrade and dkms_autoinstaller</a></dd>
+ <dt>7. <a href="poptop_ads_howto_4.htm#pppd_pptpd">pppd and pptpd</a></dt>
+ <dd>7.1 <a href="poptop_ads_howto_4.htm#pppd">Upgrade pppd</a></dd>
+ <dd>7.2 <a href="poptop_ads_howto_4.htm#pptpd">Install pptpd</a></dd>
+ <dt>8. <a href="poptop_ads_howto_5.htm">Kerberos</a></dt>
+ <dd>8.1 <a href="poptop_ads_howto_5.htm#krbconf">Configure Kerberos</a></dd>
+ <dd>8.2 <a href="poptop_ads_howto_5.htm#krbtest">Test Kerberos</a></dd>
+ <dt>9. <a href="poptop_ads_howto_6.htm">Samba</a></dt>
+ <dd>9.1 <a href="poptop_ads_howto_6.htm#smbconf">Configure Samba</a></dd>
+ <dd>9.2 <a href="poptop_ads_howto_6.htm#smbjoin">Join the AD Domain</a></dd>
+ <dt>10. <a href="poptop_ads_howto_7.htm">pptpd and winbindd</a></dt>
+ <dd>10.1 <a href="poptop_ads_howto_7.htm#wbtest">Enable and Test winbindd</a></dd>
+ <dd>10.2 <a href="poptop_ads_howto_7.htm#pptpconf">Configure pptpd</a></dd>
+ <dd>10.3 <a href="poptop_ads_howto_7.htm#access">PPTP Access Control</a></dd>
+ <dt>11. <a href="poptop_ads_howto_8.htm">Software for Radius Setup</a></dt>
+ <dt>12. <a href="poptop_ads_howto_8.htm#rclient">Radiusclient</a></dt>
+ <dd>12.1 <a href="poptop_ads_howto_8.htm#rclientconf">radiusclient.conf</a></dd>
+ <dd>12.2 <a href="poptop_ads_howto_8.htm#dict">dictionary.microsoft</a></dd>
+ <dt>13. <a href="poptop_ads_howto_9.htm">Freeradius</a></dt>
+ <dd>13.1 <a href="poptop_ads_howto_9.htm#mschap2">Configure Freeradius for MSCHAPv2</a></dd>
+ <dd>13.2 <a href="poptop_ads_howto_9.htm#access">PPTP Access Control</a></dd>
+ <dt>14 <a href="poptop_ads_howto_10.htm">pptpd and freeradius</a></dt>
+ <dd>14.1 <a href="poptop_ads_howto_10.htm#radiusd">Enable freeradius</a></dd>
+ <dd>14.2 <a href="poptop_ads_howto_10.htm#pptpdradius">Configure pptpd</a></dd>
+ <dt>15. <a href="poptop_ads_howto_11.htm">pptp Client Installation</a></dt>
+ <dd>15.1 <a href="poptop_ads_howto_11.htm#splittunnel">Split Tunneling</a></dd>
+ <dt>16. <a href="poptop_ads_howto_12.htm">pptp Server Administration </a></dt>
+ <dd>16.1 <a href="poptop_ads_howto_12.htm#whoisonline">Who is Online?</a></dd>
+ <dd>16.2 <a href="poptop_ads_howto_12.htm#accounting">Accounting</a></dd>
+ <dd>16.3 <a href="poptop_ads_howto_12.htm#disconnect">Disconnect a User</a></dd>
+</dl>
+
+<hr>
+<strong><a name="introduction"></a>1. Introduction</strong>
+<p>This document descibes how to build a Linux PPTP server with Poptop and use Microsoft Active Directory to authenticate users. There are a few howtos on this topic, such as the <a href="http://poptop.sourceforge.net/dox/replacing-windows-pptp-with-linux-howto.phtml">Replacing a Windows PPTP Server with Linux Howto</a> maintained by Matt Alexander. Most of them, however, concentrate on Samba and winbind. I followed them and got it working in the test environment. Unfortunately, winbind does not scale very well in a AD setup which has thousands of objects. The AD in my work is a big tree. It spans across all continents and has thousands of users and groups. Winbind simply times out before it can harvest a complete list of users/groups.</p>
+<p align="left">The other way of doing it is with radius. Information on how to setup pptpd with radius against Active Directory is scarce. I can only find bits and pieces information from forums but never find any comprehensive documents. I spent days to try to get it configured properly. After countless frustrations and tears, I eventually got a working setup. I therefore decided to make this howto to document it. Hopefully, you will find it useful.</p>
+<p align="left">To make this howto complete, I include the winbind configuration as well although it may duplicate Matt's work.</p>
+<p align="left"><strong>Note</strong>: this howto is based on Fedora Core 4 and use pre-packaged RPMs whenever possible. If you are using other distributions or like to compile software, you will have to make the necessary adjustments.</p>
+<hr>
+<strong><a name="disclaimer"></a>2. Disclaimer</strong>
+<p>This document is provided as is. I have tried my best to make it as accurate as I can but it may contain wrong information. Use it at your own risk. </p>
+<p>I will greatly appreciate any comments on this document. </p>
+<hr>
+<a name="acknowledgement"></a><strong>3. Acknowledgements
+</strong>
+<p>Thanks to the following individuals who provided feedback and suggestions to make this document better.</p>
+<blockquote>
+ <p>Peter Mueller - suggested to add information on Kerberos version (R0.1) <br>
+ Francis Lessard - provided details on implementing pptp access control (R0.3)<br>
+ James Cameron - provided info on MPPE support on kernel v2.6.15-rc1 (R0.5) <br>
+ Phil Oester - pointed out the kernel-2.6.15/ppp-2.4.3-5 problem is Gentoo specific (R0.71) </p>
+</blockquote>
+<hr>
+
+<a href="poptop_ads_howto_2.htm">Next</a>
+&nbsp;&nbsp;<a href="#toc">Content</a>
+
+</body>
+</html>
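Review bot: the table of contents entry `5.1 <a href="poptop_ads_howto_3.htm#defaultroute">Default Route and Static Routes</a>` does not match the heading used in poptop_ads_howto_3.htm, which reads `5.1 Default Gateway and Static Routes`; pick one title for both. Entry `14 <a href="poptop_ads_howto_10.htm">pptpd and freeradius</a>` is missing the trailing period every other numbered entry has, and the `<br>` placed directly inside the `<dl>` after several `<dd>` items is not valid there (only `<dt>`/`<dd>` may be children of `<dl>`). Typos in the introduction: `descibes`, `a AD setup`, `use pre-packaged RPMs` (uses).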
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_10.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_10.htm
new file mode 100644
index 0000000..df14d19
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_10.htm
@@ -0,0 +1,87 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong>14. pptpd and freeradius </strong></p>
+<p>The section covers the configuration of pptpd + freeradius + AD. If you are looking at the integration via winbind. Go to <a href="poptop_ads_howto_7.htm">this section</a>.</p>
+<hr>
+<a name="radiusd"></a><strong>14.1 Enable freeradius</strong>
+<p>To enable radiusd on bootup, use the chkconfig command.</p>
+<blockquote>
+ <pre>[root@pptp ~]# chkconfig radiusd on </pre>
+</blockquote>
+<p>To start radiusd in daemon mode:
+</p>
+<blockquote>
+ <pre>[root@pptp ~]# service radiusd start
+Starting RADIUS server: Sun Sep 4 11:26:24 2005 : Info: Starting - reading configuration files ...<br>[ OK ]</pre>
+</blockquote>
+<p></p>
+<hr>
+<a name="pptpdradius"></a><strong>14.2 Configure pptpd </strong>
+<p>There are two configuration files for pptpd. The first one is /etc/pptpd.conf. You can very much keep it as it is except the ip address range for the ppp connections. Edit the file and add two lines at the bottom to specify the local ip address and the ip address pool for the remote connections. </p>
+<blockquote>
+ <pre>localip 10.0.0.10<br>remoteip 10.0.0.101-200 </pre>
+</blockquote>
+<p>10.0.0.10 is the ip address of the internal network card eth0. The remoteip is the address pool for the remote connections. </p>
+<p>The second configuration file is /etc/ppp/options.pptpd. I stripped off all remarks from my options.pptpd and it is like this:</p>
+<blockquote>
+ <pre>name pptpd
+refuse-pap<br>refuse-chap<br>refuse-mschap<br>require-mschap-v2<br>require-mppe-128
+ms-dns 10.0.0.1
+ms-wins 10.0.0.1
+proxyarp
+lock
+nobsdcomp
+novj
+novjccomp
+nologfd
+auth
+nodefaultroute
+plugin radius.so
+plugin radattr.so</pre>
+</blockquote>
+<p>There are two plugins we used in here. The first one radius.so is required while the second one radattr.so is optional. Radattr.so basically records the parameters passed from radius to pppd in a file. Check the man page of pppd-radattr for details. </p>
+<p>Then, we need to fix the permission of a winbind directory.</p>
+<blockquote>
+ <pre>[root@pptp ~]# chgrp radiusd /var/cache/samba/winbindd_privileged/</pre>
+</blockquote>
+<p>If you have Windows XP clients, you may want to reduce the MTU size. Add the line, /sbin/ifconfig $1 mtu 1400, to /etc/ppp/ip-up as shown in the following list.</p>
+<blockquote>
+ <pre>[root@pptp ppp]# cat ip-up
+#!/bin/bash
+# This file should not be modified -- make local changes to
+# /etc/ppp/ip-up.local instead
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export PATH
+
+LOGDEVICE=$6
+REALDEVICE=$1
+
+[ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
+
+/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}
+
+[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
+
+<strong>/sbin/ifconfig $1 mtu 1400</strong>
+exit 0</pre>
+</blockquote>
+<p>The above example reduces the MTU size to 1400. In my environment, I found that XP will connect the VPN and ping all servers without problems, however, it cannot connect to the Microsoft Exchange server properly. Reduce the MTU size to 1400 fixed the problem.</p>
+<p>After fixing the files and permission, we can start pptpd and connect to it from remote client. To start it:</p>
+<blockquote>
+ <pre>[root@pptp ~]# chkconfig pptpd on<br><br>[root@pptp ~]# service pptpd start<br>Starting pptpd: [ OK ] </pre>
+</blockquote>
+<p>That's all on the server side. </p>
+<p><strong>Note</strong>: The client PCs require special configurations. It will be discussed in <a href="poptop_ads_howto_11.htm">here</a>.</p>
+<hr>
+<a href="poptop_ads_howto_11.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_9.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
+<p>&nbsp;</p>
+</body>
+</html>
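Review bot: the MTU change is put in the wrong file. The listing itself says `# This file should not be modified -- make local changes to` `# /etc/ppp/ip-up.local instead`, and ip-up already runs `[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"`, so `/sbin/ifconfig $1 mtu 1400` belongs in /etc/ppp/ip-up.local, where it survives a ppp package upgrade that replaces ip-up; the howto should direct readers there. The step `chgrp radiusd /var/cache/samba/winbindd_privileged/` is given with no explanation of what it grants or why radiusd needs it; one sentence on the purpose would keep readers from "fixing" a later failure with a blanket chmod on that directory. Wording: `The section covers` should read `This section covers`, and `If you are looking at the integration via winbind. Go to` is a sentence fragment.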
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_11.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_11.htm
new file mode 100644
index 0000000..868dcc9
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_11.htm
@@ -0,0 +1,83 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong>15. pptp Client Installation</strong></p>
+<p>I will only describe the Windows XP pptp client installation. For other operating system, please see the documents in <a href="http://poptop.sourceforge.net/dox/">here</a>. </p>
+<ul>
+ <li>Start -> Settings -> Control Panels -> Network Connections.</li>
+ <li>Click on &quot;Create a new connection&quot; on the left pane. </li>
+ <li>A Winzard starts. Click on Next.</li>
+ <li>Choose &quot;Connect to the network at my workplace&quot;. Next.</li>
+ <li> Choose &quot;Virtual Private Network Connection&quot;. Next.</li>
+ <li>Key in the company name. Next.</li>
+ <li>Choose &quot;Do not dial the initial connection&quot;. Next</li>
+ <li>Type in the external IP address of Hostname of the pptpd gateway. Next.</li>
+ <li>Choose &quot;Anyone's use&quot;. Next</li>
+ <li>Check the &quot;Add a shortcut to this connection to my desktop&quot;. Finish.</li>
+ <li>A new icon appears on the Network Connections under the header Virtual Private Network. Right click on it and choose Properties.</li>
+ <li>Click on the Security tab. Check &quot;Advanced (custom settings)&quot; and then click the Settings button.</li>
+ <li> Choose &quot;Maximum strength encryption (disconnect if server declines)&quot; on Data Encryption.</li>
+ <li>In the same tab, choose &quot;Allow these protocols&quot; and undo all except &quot;Microsoft CHAP Version 2 (MS-CHAP v2)&quot;. Click OK and click OK again to close the window.</li>
+</ul>
+<p>That's all for a standard configuration. All traffic from the PC will pipe through the pptp tunnel except those for the local attached network segment. This is the recommended way of implementing VPN for security reasons.</p>
+<hr>
+<strong><a name="splittunnel"></a>15.1 Split Tunneling</strong>
+<p>Split Tunneling allows you to configure the network so that only selected traffic is directed to the VPN tunnel. For instance, you want browsing traffic to go to the Internet directly but corporate traffic goes via the VPN, then you will need split tunneling. It is also important if your ISP requires a heatbeat from your machine to keep the connection alive. </p>
+<p>While split tunneling provides convenience, it causes security problems because <span name="intelliTxt" id="intelliTxt">it essentially renders the VPN vulnerable to attack as it is accessible through the public, non-secure network. Check your company security policy before inplementing split tunneling. </span></p>
+<p>To set up split tunneling:</p>
+<ul>
+ <li>Right click on the icon which you created in section 15 and choose Properties.</li>
+ <li>Choose the Networking tab. Highligth the Internet Protocol (TCP/IP) and click on the Properties button.</li>
+ <li>Click on the Advanced Button and then deselect &quot;Use default gateway on remote network&quot;. Click OK. Click OK and then click OK.</li>
+</ul>
+<p>If you have a simple private network which has only one single segment, you have finished the configuration. Take a break and enjoy you day.</p>
+<p>If you have multiple subnets in the private network, there are still works to do. By not using the PPP as the default gateway, we introduce another problem. The PPP client will set up routing only to the subnet that is directly attached to the pptp gateway. Traffic will not route to the other subnets. In our test environment, you can only access 10.0.0.0 but not 172.16.0.0. To resolve this problem, I created a VBScript to add the extra routes. </p>
+<p>The VBScript is listed here: </p>
+<blockquote>
+ <pre>Option Explicit<br>Dim IP_Address<br>Dim TmpFile : TmpFile = &quot;c:\ip.txt&quot;<br>Dim route1
+
+<strong>route1 = &quot;route add 172.16.0.0 mask 255.255.255.0 &quot;</strong>
+
+SaveIP<br>IP_Address = GetIP()<br>route1 = route1 &amp; IP_Address<br>AddRoute
+
+Sub SaveIP<br> Dim ws : Set ws = CreateObject(&quot;WScript.Shell&quot;)<br> ws.run &quot;%comspec% /c ipconfig &gt; &quot; &amp; TmpFile, 0, True<br> Set ws = Nothing<br>End Sub
+
+Function GetIP()<br> Dim fso : Set fso = CreateObject(&quot;Scripting.FileSystemObject&quot;)<br> Dim re : Set re = New RegExp<br> re.Global = TRUE
+
+ Dim file, fileline, matches<br> Dim pppsection : pppsection = FALSE
+
+ If fso.FileExists(TmpFile) Then<br> Set file = fso.OpenTextFile(TmpFile)<br>
+ Do While Not file.AtEndOfStream<br> fileline = file.ReadLine
+
+ If Not pppsection Then
+ If left(fileline,3) = "PPP" Then
+ pppsection = TRUE
+ End If
+ Else
+ re.Pattern = "IP Address[\. ]+: "
+ If re.Test(fileline) Then
+ matches = split(fileline,":")
+ GetIP = right(matches(1),len(matches(1))-1)
+ End If
+ End If
+
+ Loop<br> file.Close<br> End If
+
+ Set re = Nothing<br> Set fso = Nothing<br>End Function
+
+Sub AddRoute<br> Dim ws : Set ws = CreateObject(&quot;WScript.Shell&quot;)<br> ws.run &quot;%comspec% /c &quot; &amp; route1, 0, True<br> Set ws = Nothing<br>End Sub
+</pre>
+</blockquote>
+<p>Create the VBScript file somewhere in your PC and create a shortcut on the desktop. When the PPP connects, double click on the shortcut will add the route accordingly.</p>
+<p><strong>Note</strong>: you will need to modify the line in bold for your environment. </p>
+<hr>
+<a href="poptop_ads_howto_12.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_10.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a><p>&nbsp;</p>
+<p>&nbsp;</p>
+</body>
+</html>
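Review bot: the split-tunneling warning is wrapped in `<span name="intelliTxt" id="intelliTxt">`, which looks like residue of the IntelliTXT in-text advertising script saved along with the page; strip the span so the shipped documentation carries no ad-network markup, and replace the `<br>` tags inside the `<pre>` listings with real newlines (the same blocks mix both, an HTML-editor artifact). In the VBScript, `GetIP` keeps matching `IP Address` lines for the rest of the file once `pppsection` is set, so if ipconfig lists another adapter after the PPP one, the later address wins and the route is added via the wrong next hop; exit the loop after the first match or reset `pppsection` on the next adapter header. The script also leaves `c:\ip.txt` behind after `SaveIP`; delete it once `GetIP` has read it. Typos: `Winzard`, `heatbeat`, `inplementing`, `Highligth`, `enjoy you day`.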
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_12.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_12.htm
new file mode 100644
index 0000000..eeaa16b
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_12.htm
@@ -0,0 +1,70 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong>16. pptp Server Administration </strong></p>
+<p>This section covers a few tricks on pptp server management. It is far from a complete guide. Any suggestions are welcome.</p>
+<p>The packages <strong>psacct</strong> and <strong>SysVinit</strong> are required for the utilities used in here. They should be installed by default. If they are not, please install them through yum.</p>
+<blockquote>
+ <pre>[root@pptp ~]# yum install psacct SysVinit </pre>
+</blockquote><p></p>
+<hr>
+<strong><a name="whoisonline"></a>16.1 Who is Online?</strong>
+<p>To check who is online, the &quot;last&quot; command is used:</p>
+<blockquote>
+ <pre>[root@pptp ~]# last | grep ppp | grep still
+James ppp3 202.xx.xxx.xxx Sat Nov 19 17:38 still logged in <br>Andrew ppp1 220.xxx.xxx.xx Sat Nov 19 17:23 still logged in <br>Mary ppp2 1.2.3.4 Sat Nov 19 16:59 still logged in <br>Sue ppp0 202.xx.xxx.xxx Sat Nov 19 16:43 still logged in <br>Mark ppp7 203.xxx.xxx.xxx Sat Nov 19 14:59 still logged in</pre>
+</blockquote>
+<p><strong><em>last</em></strong> is from SysVinit. It reads the information from /var/log/wtmp. </p>
+<p><strong>Note:</strong> for <em><strong>last</strong></em> to work properly, the logwtmp option in the /etc/pptpd.conf must be enabled. If you are sure there are pptp connections but see no output from the above mentioned command, check the logwtmp option in the pptpd.conf file is enabled. </p>
+<hr>
+<strong><a name="accounting"></a>16.2 Accounting </strong>
+<p>The &quot;ac&quot; utility from package psacct will provide a report on the connection time.</p>
+<blockquote>
+ <pre>[root@pptp ~]# ac -d -p
+ Amy 3.77
+ George 0.08
+ Mark 1.78
+ Richard 0.35
+ Lee 3.66
+ Simon 5.78
+ Nicole 1.05
+Nov 1 total 16.46
+ Amy 2.43
+ Nicole 8.61
+ Richard 4.77
+ Mark 0.90
+ Lee 4.68
+ Keith 1.84
+Nov 2 total 23.23</pre>
+</blockquote>
+<p>The <em><strong>ac</strong></em> command reads the information from /var/log/wtmp. It has a lot of options. Read the man page for details. </p>
+<p><strong>Note</strong>: <br>
+ 1.
+If you want the statistics from older version of wtmp, use the -f parameter in &quot;ac&quot; to specify the file. <br>
+2. If users use shell to log in the server as well, the ac will return the connection time of both pptp and shell connections.
+</p>
+<hr>
+<strong><a name="disconnect"></a>16.3 Disconnect a User</strong>
+<p>To disconnect an active connection, you will have to kill the pppd process associate with it. Firstly, run the command in section 16.1 to find out the remote ip address of the user. Say you want to disconnect Mary, her ip address in the above example is 1.2.3.4. Then, find the PID of the pppd process.
+</p>
+<blockquote>
+ <pre>[root@pptp /]# ps -ef | grep 1.2.3.4 | grep pppd
+root 8672 8671 0 16:59 ? 00:00:00 /usr/sbin/pppd local file /etc/ppp/options.pptpd 115200
+ 10.0.0.10:10.0.0.124 ipparam 1.2.3.4.
+ plugin /usr/lib/pptpd/pptpd-logwtmp.so
+ pptpd-original-ip 1.2.3.4</pre>
+</blockquote>
+<p>The second field of the output, 8672 in our example, is the PID of the pppd process. Kill the process will disconnect the user.</p>
+<blockquote>
+ <pre>[root@pptp /]# kill 8672</pre>
+</blockquote><br>
+<hr>
+<a href="poptop_ads_howto_11.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
+</body>
+</html>
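Review bot: `ps -ef | grep 1.2.3.4 | grep pppd` treats the dots as regex wildcards, so the pattern also matches addresses such as 11.2.3.4 or 1.2.3.45 and, since the following step is `kill 8672` as root, could select the wrong session to terminate. Match the literal argument that is already visible in the output instead, e.g. `ps -ef | grep -Fw -- 'pptpd-original-ip 1.2.3.4'`, and tell readers to confirm the PID before killing it. Wording: `the pppd process associate with it` should be `associated`, and `Kill the process will disconnect the user` should read `Killing the process will disconnect the user`.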
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_2.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_2.htm
new file mode 100644
index 0000000..0bda62f
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_2.htm
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><a name="test"></a><strong>4. The Test Environment</strong></p>
+<p>I have built a test environment as shown in the diagram. In the rest of the howto, the configurations of software are based on this topology. </p>
+<p><img src="diagram1.jpg"></p>
+<p>A Windows 2003 SP1 Server is set up as the AD domain controller, DNS server and WINS server. The pptp gateway is the Linux box which has 2 network cards. One connects to the internal network, 10.0.0.0/24, and the other one connects to the Internet with ip address 192.168.0.10/24. The internal network has two subnets, 10.0.0.0/24 and 172.16.0.0/24. </p>
+<p>The domain name of the Windows AD domain is EXAMPLENET.ORG and the corresponding netbios name is EXAMPLE. </p>
+<p><strong>Windows Domain Summary</strong>:</p>
+<table width="558" border="0">
+ <tr>
+ <td width="266">Domain Controller Name </td>
+ <td width="282">dc1.examplenet.org</td>
+ </tr>
+ <tr>
+ <td>Domain Controller IP Address </td>
+ <td>10.0.0.1</td>
+ </tr>
+ <tr>
+ <td>DNS IP Address </td>
+ <td>10.0.0.1</td>
+ </tr>
+ <tr>
+ <td>WINS IP Address </td>
+ <td>10.0.0.1</td>
+ </tr>
+ <tr>
+ <td>AD Domain Name </td>
+ <td>examplenet.org</td>
+ </tr>
+ <tr>
+ <td>AD Netbios Domain Name</td>
+ <td>example</td>
+ </tr>
+</table>
+
+</p>
+<hr>
+<a href="poptop_ads_howto_3.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_1.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a></body>
+</html>
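Review bot: the `</p>` following `</table>` has no matching opening tag (the preceding `<p><strong>Windows Domain Summary</strong>:</p>` is already closed), so drop it; `</body>` is also run onto the navigation line and should sit on its own line as in the other pages. The topology text says the external card `connects to the Internet with ip address 192.168.0.10/24`, a private RFC 1918 address; a note that this stands in for the real public address of the test lab would stop readers copying it as-is.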
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_3.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_3.htm
new file mode 100644
index 0000000..591f993
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_3.htm
@@ -0,0 +1,58 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+<style type="text/css">
+<!--
+.style1 {
+ font-family: "Courier New", Courier, mono;
+ font-size: 12px;
+}
+-->
+</style>
+</head>
+
+<body>
+<p><a name="network"><strong>5. Network Configuration </strong></a></p>
+<p>Microsoft AD depends heavily on DNS. You should have the DNS server working first. </p>
+<p>The pptp gateway should use the Active Directory DNS server instead of the one provided by your ISP. Otherwise, the gateway may have problems to locate the domain controller. Here is the /etc/resolv.conf in my test gateway. </p>
+<blockquote>
+<pre>search examplenet.org
+nameserver 10.0.0.1</pre>
+</blockquote><p></p>
+<hr>
+<a name="defaultroute"><strong>5.1 Default Gateway and Static Routes</strong></a>
+<p>The pptp gateway has two network cards. It is important that the default gateway is pointing to the Internet, your ISP router. Make sure that the internal network card does not have a default gateway address configured. Check the network card configuration files in /etc/sysconfig/network-scripts. </p>
+<p>In my test setup, eth0 is the internal card and eth1 is the external one. In the /etc/sysconfig/network-scripts/ifcfg-eth0, it does not have the line GATEWAY=&quot;x.x.x.x&quot;. In the ifcfg-eth1, it has an entry GATEWAY=&quot;x.x.x.x&quot; pointing to the ISP router ip address.</p>
+<p>My test internal network has multiple subnets, static routes are set up to direct traffic correctly. If you have a simple single segment internal network, you can skip the following step and go to <a href="#pforward">step 5.2</a>.</p>
+<p>To set up static routes in FC4, create a file static-routes in /etc/sysconfig directory. My static-routes file has one line: </p>
+<blockquote>
+ <pre>any net 172.16.0.0 netmask 255.255.255.0 dev eth0</pre>
+</blockquote>
+<p>The syntax of the line is important. The line must start with the word &quot;any&quot;.</p>
+<p>Check your routing table with the netstat command.</p>
+<blockquote>
+ <pre class="style1">[root@pptp sysconfig]# netstat -nr<br>Kernel IP routing table<br>Destination Gateway Genmask Flags MSS Window irtt Iface
+192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1<br>172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0<br>0.0.0.0 192.168.0.2 0.0.0.0 UG 0 0 0 eth1</pre>
+</blockquote>
+<p><hr>
+<strong><a name="pforward"></a>5.2 Enable Packet Forwarding</strong>
+<p>For ppp to work, the packet forwarding must be enabled. Edit /etc/sysctl.conf with your favourite editor and change the line:</p>
+<blockquote>
+ <pre>net.ipv4.ip_forward = 0</pre><p></p>
+</blockquote>
+<p>to</p>
+<blockquote>
+ <pre>net.ipv4.ip_forward = 1 </pre>
+</blockquote>
+<p>The change will be effective on the next reboot. To enable it immediately:</p>
+<blockquote>
+ <pre>[root@pptp etc]# sysctl -p</pre>
+</blockquote><p></p>
+<hr>
+<a href="poptop_ads_howto_4.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_2.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
+</body>
+
+</html>
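Review bot: section 5.2 turns on net.ipv4.ip_forward for the whole box but says nothing about restricting what is forwarded; with eth1 on the Internet and eth0 on 10.0.0.0/24, the gateway now routes between those two cards as well as for the ppp interfaces, so a sentence on iptables FORWARD rules (or at least a pointer to the firewall the reader should already have in place) belongs right after the "sysctl -p" step. Markup: "<p><hr>" before the 5.2 heading opens a paragraph that is never closed, the empty "<p></p>" after the resolv.conf and sysctl -p blockquotes can go, and the netstat listing mixes "<br>" with real newlines inside a "<pre>"; plain newlines suffice there, as the other pre blocks in this file already use.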
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_4.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_4.htm
new file mode 100644
index 0000000..bc9bcc0
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_4.htm
@@ -0,0 +1,56 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong><a name="mppe"></a>6. Install MPPE Kernel Module </strong></p>
+<p>MPPE support is required for MSCHAPv2. Depending on the kernel version, you may or may not require to perform this step. Kernel version 2.6.15 or above has MPPE built-in. If you are using the latest FC4 2.6.15 kernel, you can go to <a href="#pppd_pptpd">step 7</a> now. If you are using an older kernel which does not support MPPE, you will have to add this feature to it. </p>
+<p>To test if your kernel supports MPPE:</p>
+<blockquote>
+ <pre>[root@pptp ~]# modprobe ppp-compress-18 &amp;&amp; echo ok</pre>
+</blockquote>
+<p>If it returns an &quot;ok&quot;, you can safely skip this step and move to <a href="#pppd_pptpd">step 7</a>. If you see &quot;FATAL: Module ppp_mppe not found.&quot;, install MPPE support as described in the following procedure:</p>
+<p> Download the MPPE module builder in rpm format from <a href="http://sourceforge.net/project/showfiles.php?group_id=44827">here</a>. The required RPMs are::</p>
+<blockquote>
+ <pre>dkms-2.0.6-1.noarch.rpm
+kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm</pre>
+</blockquote>
+<p>Install them with command &quot;rpm -ivh&quot;.</p>
+<blockquote>
+ <pre>[root@pptp ~]# rpm -ivh dkms-2.0.6-1.noarch.rpm
+[root@pptp ~]# rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm </pre>
+</blockquote>
+<p>If you upgrade your kernel to 2.6.13 or above, kernel_ppp_mppe version 1.0.2 or above must be used. Otherwise, the pptp tunnel will not connect and you will see error message &quot;This system lacks kernel support for PPP.&quot; in /var/log/messages.</p>
+<dt><strong>Note:</strong></dt>
+<dd>(1) Fedora Extra provides also a dkms rpm, dkms-2.0.6-3.fc4.noarch.rpm. I have not tested it. You may want to use the one I mentioned above to make sure the installation will work. </dd>
+<br><hr>
+<strong><a name="autoinstaller"></a>6.1 Kernel Upgrade and dkms_autoinstaller</strong>
+<p>If you upgrade your kernel after installing dkms, thanks to the dkms_autoinstaller service, you will not have to worry about the dkms kernel module. dkms_autoinstaller runs on every bootup. It checks the dkms module to ensure it match the kernel version. If a mismatch is found, it will create a proper one for the boot kernel. </p>
+<p>For dkms_autoinstaller to work, you will need the correct kernel-devel version installed in your system. It is always a good idea to install the kernel-devel rpm alongside with your new kernel. </p>
+<hr>
+<strong><a name="pppd_pptpd" id="pppd_pptpd"></a>7. pppd and pptpd</strong>
+<p><a name="pppd"><strong>7.1 Upgrade pppd </strong></a></p>
+<p>FC4 comes with ppp-2.4.2-7. It is required to be upgraded to a patched version which supports MPPE. The patched version can be found in <a href="http://sourceforge.net/project/showfiles.php?group_id=44827">here</a>. Download the rpm for FC4. At the time of writing, the latest version is 2.4.3-5. Get the FC4 rpm: </p>
+<blockquote>
+ <pre>ppp-2.4.3-5.fc4.i386.rpm</pre>
+</blockquote>
+<p>Upgrade the ppp with the downloaded version:</p>
+<blockquote>
+ <pre>[root@pptp ~]# rpm -Uvh ppp-2.4.3-5.fc4.i386.rpm</pre>
+</blockquote>
+<p><strong>Note</strong>: If you are a Gentoo user, and are using kernel v2.6.15, the ppp-2.4.3-5 does NOT work because of MPPC. You may find more information from <a href="http://kernel-bugs.osdl.org/show_bug.cgi?id=5827">here</a>.</p>
+<hr>
+<a name="pptpd"></a><strong>7.2 Install pptpd</strong>
+<p>In the <a href="http://sourceforge.net/project/showfiles.php?group_id=44827">same page</a> download the pptpd rpm, pptpd-1.3.1-0.i386.rpm, and install it.</p>
+<blockquote>
+ <pre>[root@pptp ~]# rpm -ivh pptpd-1.3.1-0.i386.rpm</pre>
+</blockquote>
+<p><strong>Note</strong>: pptpd-1.3.1 is an experimental version. The stable version is 1.3.0. Both versions work fine for me. It is up to you to choose which one to use. </p>
+<hr>
+<a href="poptop_ads_howto_5.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_3.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
+</body>
+</html>
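Review bot: the Note after the kernel_ppp_mppe paragraph uses "<dt>"/"<dd>" with no enclosing "<dl>", which is invalid HTML 4.01; either wrap them in a "<dl>" or use a "<p>" like the other notes in this file. Wording: "The required RPMs are::" has a doubled colon, and "you may or may not require to perform this step" reads better as "you may or may not need to perform this step". The modprobe self-check is useful; it would help to say explicitly that the "FATAL: Module ppp_mppe not found." message is the output of that same "modprobe ppp-compress-18" command, since the command names ppp-compress-18 and the error names ppp_mppe.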
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_5.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_5.htm
new file mode 100644
index 0000000..c038a30
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_5.htm
@@ -0,0 +1,66 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong>8. Kerberos</strong></p>
+<p>There are two different versions of the Kerberos client, version 4 from KTH and 5 from MIT. As Microsoft uses version 5, you should use the MIT version. FC4 includes the MIT one so you will be ok to use the stock standard one.</p>
+<p>Packages krb5-lib and krb5-workstation are required. They are installed by default. If they are not, please get the latest version from yum.</p>
+<hr>
+<a name="krbconf"></a><strong>8.1 Configure Kerberos</strong>
+<p>The configuration file of Kerberos is /etc/krb5.conf. To connect to AD, the settings must match the domain configuration.</p>
+<blockquote>
+ <pre>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br> admin_server = FILE:/var/log/kadmind.log</pre>
+ <p>[libdefaults]<br>
+ <strong>default_realm = EXAMPLENET.ORG</strong><br>
+ dns_lookup_realm = false<br>
+ dns_lookup_kdc = false<br>
+ ticket_lifetime = 24h<br>
+ forwardable = yes</p>
+ <p>[realms]<br>
+ <strong>EXAMPLENET.ORG = {</strong><br>
+ <strong>kdc = dc1.examplenet.org:88</strong><br>
+ # admin_server = kerberos.example.com:749<br>
+ <strong>default_domain = examplenet.org</strong><br>
+ }</p>
+ <p>[domain_realm]<br>
+ <strong>.examplenet.org = EXAMPLENET.ORG<br>
+ examplenet.org = EXAMPLENET.ORG</strong></p>
+ <p>[kdc]<br>
+ profile = /var/kerberos/krb5kdc/kdc.conf</p>
+ <p>[appdefaults]<br>
+ pam = {<br>
+ debug = false<br>
+ ticket_lifetime = 36000<br>
+ renew_lifetime = 36000<br>
+ forwardable = true<br>
+ krb4_convert = false<br>
+ }</p>
+</blockquote>
+<p>Lines shown in bold are the ones you should pay attention to. Use uppercase as shown. </p>
+<hr>
+<a name="krbtest"></a><strong>8.2 Test Kerberos</strong>
+<p>Before trying to connect to AD, the AD DNS should have a A record for the pptp server. To add the A record, on your Windows DNS server, click Start -&gt; Administrative Tools -&gt; DNS. The dnsmgmt window pops up. Click on the &quot;+&quot; of &quot;Forward Lookup Zones&quot;. Right click on AD Domain name, in our test environment is EXAMPLENET.ORG, and choose &quot;New Host (A)...&quot;. Put in the server name and ip address and then press the &quot;Add Host&quot; button.</p>
+<p>When the DNS is ready, it is time to test Kerberos. Please note that the domain name must be in capital. </p>
+<blockquote>
+ <pre>[root@pptp etc]# kinit -V skwok@EXAMPLENET.ORG<br>Password for skwok@EXAMPLENET.ORG: <br>Authenticated to Kerberos v5 </pre>
+</blockquote>
+<p>To check the Kerberos tickets:</p>
+<blockquote>
+ <pre>[root@pptp etc]# klist<br>Ticket cache: FILE:/tmp/krb5cc_0<br>Default principal: skwok@EXAMPLENET.ORG</pre>
+ <pre>Valid starting Expires Service principal
+ 09/03/05 14:43:47 09/04/05 00:43:04 krbtgt/EXAMPLENET.ORG@EXAMPLENET.ORG
+ renew until 09/04/05 14:43:47</pre>
+ <pre>Kerberos 4 ticket cache: /tmp/tkt0
+ klist: You have no tickets cached</pre>
+</blockquote>
+<p></p>
+<hr>
+<a href="poptop_ads_howto_6.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_4.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
+<p>&nbsp;</p>
+</body>
+</html>
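Review bot: the krb5.conf listing in 8.1 is only partly inside a "<pre>"; the [libdefaults], [realms], [domain_realm], [kdc] and [appdefaults] sections are "<p>" paragraphs broken with "<br>", so indentation is lost and a copy-paste of the rendered page yields a file whose whitespace differs from the one shown. Put the whole file in one "<pre>" and keep the "<strong>" tags inside it, as 9.1 does for smb.conf. Minor: "should have a A record" should be "an A record", "must be in capital" should be "in capitals", and the commented-out "# admin_server = kerberos.example.com:749" is a leftover from the stock file (example.com, not examplenet.org) that may confuse readers; drop it or adjust it.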
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_6.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_6.htm
new file mode 100644
index 0000000..7346959
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_6.htm
@@ -0,0 +1,93 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong>9. Samba
+</strong></p>
+<p>FC4 comes with samba v3.0.14a. The samba project released v3.0.20 on 20 August 2005. Here is a quote from the v3.0.20 release note about winbind.</p>
+<blockquote>
+ <p>-- quote --<br>
+ Winbindd has been completely rewritten in this release to support
+an almost completely non-blocking, asynchronous request/reply
+model. This means that winbindd will scale much better in
+large domain environments and on high latency networks.<br>
+-- quote --
+ </p>
+</blockquote>
+<p>It is highly recommended to upgrade samba to v3.0.20 or above. The latest samba v3.0.21c rpms for FC4 can be found in <a href="http://us5.samba.org/samba/ftp/Binary_Packages/Fedora/RPMS/i386/core/4/">here</a>. Download a copy and then update samba with command &quot;rpm -Uvh samba*.rpm&quot;. </p>
+<p><strong>Note: </strong>
+Samba v3.0.21 has a bug on the oplock code. Avoid this version. Use v3.0.21a or above. </p>
+<hr>
+<strong><a name="smbconf"></a>9.1 Configure Samba</strong>
+<p>No matter you choose to use winbind or freeradius to connect to Active Directory, you will have to configure samba properly. The configuration file of samba is in /etc/samba and is called smb.conf. The file should have at least the following lines. </p>
+<blockquote>
+ <pre>[global]
+# define the netbios name of the domain
+<strong>workgroup = EXAMPLE</strong>
+# define the pptp server netbios name
+<strong>netbios name = PPTPDSVR</strong>
+# define the AD domain name
+<strong>realm = EXAMPLENET.ORG</strong>
+# server description
+server string = pptpd Server
+# printer stuff
+printcap name = /etc/printcap
+load printers = no
+cups options = raw
+# log file stuff
+log file = /var/log/samba/%m.log
+max log size = 50
+# must set to ads
+<strong>security = ads</strong>
+# address of domain controller
+<strong>password server = 10.0.0.1</strong>
+# enable encrypt passwords
+<strong>encrypt passwords = yes</strong>
+# default setting
+socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+# not to be a master browser
+domain master = no
+preferred master = no
+# address of the WINS server
+<strong>wins server = 10.0.0.1</strong>
+dns proxy = no
+# require this line to join the domain
+<strong>client use spnego = yes</strong>
+# winbind stuff
+<strong>idmap uid = 50001-550000
+idmap gid = 50001-550000
+winbind separator = +
+winbind nested groups = Yes
+winbind enum users=yes
+winbind enum groups=yes</strong>
+template shell = /bin/false
+winbind use default domain = no</pre>
+</blockquote>
+<p>The lines in bold are the important ones that you should pay attention to. Execute &quot;testparm&quot; to check the configuration. Correct any errors before proceeding to the next step.</p>
+<hr>
+<a name="smbjoin"></a><strong>9.2 Join the AD Domain</strong>
+<p>Once the Kerberos and Samba are configured, it's time to add the pptpd server to the AD domain.</p>
+<blockquote>
+ <pre>[root@pptp ~]# net ads join -U skwok@EXAMPLENET.ORG &quot;Asiapac/Australia/Sydney/Servers&quot;<br>skwok@EXAMPLENET.ORG's password: <br>Using short domain name -- EXAMPLE<br>Joined 'PPTPDSVR' to realm 'EXAMPLENET.ORG'
+</pre>
+</blockquote>
+<p>The above net ads join command create the server in the container</p>
+<p>"OU=Servers,OU=Sydney,OU=Australia,OU=Asiapac,DC=EXAMPLENET,DC=ORG&quot;</p>
+<p>The user must have admin right on the container to create the server object. If the operation is successful, you will see a new server object created in the AD.</p>
+<p>Another test to see if the trust between the pptpd server and the domain is working is smbclient.</p>
+<blockquote>
+ <pre>[root@pptp ~]# smbclient //dc1/c$ -k<br>OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]<br>smb: \&gt; dir<br> AUTOEXEC.BAT A 0 Wed Jul 20 10:53:47 2005<br> boot.ini AHSR 208 Fri Jul 22 10:41:57 2005<br> CONFIG.SYS A 0 Wed Jul 20 10:53:47 2005<br> Documents and Settings D 0 Fri Jul 22 16:25:51 2005<br> download D 0 Thu Aug 4 17:31:28 2005<br> IO.SYS AHSR 0 Wed Jul 20 10:53:47 2005<br> MSDOS.SYS AHSR 0 Wed Jul 20 10:53:47 2005<br> NTDETECT.COM AHSR 47772 Fri Jul 22 10:16:32 2005<br> ntldr AHSR 295536 Fri Jul 22 10:16:32 2005<br> pagefile.sys AHS 805306368 Fri Aug 12 11:24:27 2005<br> Program Files DR 0 Wed Jul 20 10:51:09 2005<br> shared1 D 0 Thu Jul 21 17:06:28 2005<br> System Volume Information DHS 0 Fri Jul 22 10:52:09 2005<br> WINDOWS D 0 Tue Aug 16 14:33:36 2005<br> wmpub D 0 Wed Jul 20 10:55:13 2005</pre>
+ <p> 39064 blocks of size 524288. 31129 blocks available<br>
+ smb: \&gt; </p>
+</blockquote>
+<p><strong>Note</strong>: With Samba v3.0.14a or v3.0.20, everytime I run &quot;net ads join&quot;, the command crash at the end with message &quot;*** glibc detected *** net: free(): invalid pointer: 0x001cddb0 ***&quot; and then a dump to the screen. The join seems to be working fine though. Samba v3.0.21a does not have this problem. </p>
+<hr>
+<a href="poptop_ads_howto_7.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_5.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
+<p>&nbsp; </p>
+</body>
+</html>
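Review bot: "The above net ads join command create the server in the container" is split across two "<p>" elements and has a number error; join them into one sentence, "The above net ads join command creates the computer object in the container "OU=Servers,OU=Sydney,OU=Australia,OU=Asiapac,DC=EXAMPLENET,DC=ORG"", and use the same quote character on both ends (the opening one is a literal " and the closing one is &quot;). In the final Note, "everytime I run" should be "every time I run" and "the command crash" should be "the command crashes". The "smbclient //dc1/c$ -k" test dumps the whole root of the domain controller's C: drive; listing a small share would demonstrate the Kerberos-authenticated connection just as well in two or three lines.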
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_7.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_7.htm
new file mode 100644
index 0000000..54536f1
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_7.htm
@@ -0,0 +1,93 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong>10. pptpd and winbindd </strong></p>
+<p>The section covers how to configure pptpd + winbindd + AD. If you are working on the freeradius configuration, you may skip this section and go to the <a href="poptop_ads_howto_8.htm">next one</a>. </p>
+<p>Most of the hard work has been done in the previous sections. You are very close to the final stage.</p>
+<hr>
+<strong><a name="wbtest"></a>10.1 Enable and Test winbindd</strong>
+<p>pptpd requires only winbindd but not smbd. If you are not using the pptpd server as a samba file server, you will not need to run smbd. Start winbindd with the &quot;service&quot; command.</p>
+<blockquote>
+ <pre>[root@pptp ~]# service winbind start<br>Starting Winbind services: [ OK ] </pre>
+</blockquote>
+<p>Winbind starts and spawns two threads. </p>
+<blockquote>
+ <pre>[root@pptp ~]# ps -ef | grep winbind | grep -v grep<br>root 18762 1 0 15:59 ? 00:00:00 winbindd<br>root 18763 18762 0 15:59 ? 00:00:00 winbindd</pre>
+</blockquote>
+<p>Wait a few minutes for winbindd to contact the domain controller. Then we can test if winbindd is working fine. If you see no error messages from the wbinfo command, you are in business. </p>
+<blockquote>
+ <pre>[root@acna-pptp etc]# wbinfo -t<br>checking the trust secret via RPC calls succeeded
+<br>[root@acna-pptp etc]# wbinfo -u<br>EXAMPLE+Administrator<br>EXAMPLE+Guest<br>EXAMPLE+SUPPORT_388945a0<br>EXAMPLE+DC1$<br>EXAMPLE+krbtgt<br>EXAMPLE+skwok<br>EXAMPLE+ldapuser<br>EXAMPLE+pptpdsvr$
+</pre>
+</blockquote>
+<p>To enable winbind on bootup, use the chkconfig command.</p>
+<blockquote>
+ <pre>[root@pptp ~]# chkconfig winbind on </pre>
+</blockquote><p></p>
+<hr>
+<strong><a name="pptpconf"></a>10.2 Configure pptpd </strong>
+<p>There are two configuration files for pptpd. The first one is /etc/pptpd.conf. You can very much keep it as it is except the ip address range for the ppp connections. Edit the file and add two lines at the bottom to specify the local ip address and the ip address pool for the remote connections. </p>
+<blockquote>
+ <pre>localip 10.0.0.10<br>remoteip 10.0.0.101-200 </pre>
+</blockquote>
+<p>10.0.0.10 is the ip address of the internal network card eth0. The remoteip is the address pool for the remote connections. </p>
+<p>The second configuration file is /etc/ppp/options.pptpd. I stripped off all remarks from my options.pptpd and it is like this:</p>
+<blockquote>
+ <pre>name pptpd
+refuse-pap<br>refuse-chap<br>refuse-mschap<br>require-mschap-v2<br>require-mppe-128
+ms-dns 10.0.0.1
+ms-wins 10.0.0.1
+proxyarp
+lock
+nobsdcomp
+novj
+novjccomp
+nologfd
+auth
+nodefaultroute
+plugin winbind.so
+ntlm_auth-helper &quot;/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1&quot;</pre>
+</blockquote>
+<p>If you have Windows XP clients, you may want to reduce the MTU size. Add the line, /sbin/ifconfig $1 mtu 1400, to /etc/ppp/ip-up as shown in the following list.</p>
+<blockquote>
+ <pre>[root@pptp ppp]# cat ip-up
+#!/bin/bash
+# This file should not be modified -- make local changes to
+# /etc/ppp/ip-up.local instead
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export PATH
+
+LOGDEVICE=$6
+REALDEVICE=$1
+
+[ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
+
+/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}
+
+[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
+
+<strong>/sbin/ifconfig $1 mtu 1400</strong>
+exit 0</pre>
+</blockquote>
+<p>The above example reduces the MTU size to 1400. In my environment, I found that XP will connect the VPN and ping all servers without problems, however, it cannot connect to the Microsoft Exchange server properly. Reduce the MTU size to 1400 fixed the problem.</p>
+<p>After fixing the files, we can start pptpd and connect to it from remote client. To start it:</p>
+<blockquote>
+ <pre>[root@pptp ~]# chkconfig pptpd on<br><br>[root@pptp ~]# service pptpd start<br>Starting pptpd: [ OK ]</pre>
+</blockquote><p></p>
+<hr>
+<strong><a name="access"></a>10.3 PPTP Access Control </strong>
+<p>The above configuration allows everyone with a valid userID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, you can create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntml_auth-helper line in the /etc/ppp/options.pptpd:</p>
+<blockquote>
+ <pre>ntlm_auth-helper &quot;/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 <span class="790285904-18102005">--require-membership-of=EXAMPLE+VPN-Allowed</span>&quot; </pre>
+</blockquote>
+<p>That's all on the server side. If winbind works for you, you can proceed to configure the client. The client PCs require special configurations and is discussed in <a href="poptop_ads_howto_11.htm">here</a>.</p>
+<hr>
+<a href="poptop_ads_howto_8.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_6.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a></body>
+</html>
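Review bot: the group name in 10.3 is inconsistent: the prose says to create VPN_Allowed, but the ntlm_auth-helper line passes --require-membership-of=EXAMPLE+VPN-Allowed (hyphen), so a reader who follows the prose literally gets a membership check against a group that does not exist and nobody matches it. Pick one spelling; 13.2 uses VPN_Allowed. In the same paragraph "ntml_auth-helper" is a typo for "ntlm_auth-helper", and the "<span class="790285904-18102005">" around the added option is mail-client residue that should be removed. Lesser points: in 10.1 winbindd "spawns two threads" is two processes (the ps output shows a parent and a child pid), "Reduce the MTU size to 1400 fixed the problem" should be "Reducing the MTU size to 1400 fixed the problem", and the wbinfo prompts show a different hostname (acna-pptp) from the rest of the howto (pptp).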
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_8.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_8.htm
new file mode 100644
index 0000000..68f6608
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_8.htm
@@ -0,0 +1,91 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong>11. Software for R</strong><strong>adius Setup</strong></p>
+<p>In additional to the software we installed in the previous sections, we need two more. Freeradius is one of them. FC4 comes with freeradius-1.0.2-2 but it is broken. At the time of writing, the latest one is freeradius-1.0.4-1.FC4.1. Get it from yum as it has quite a few dependences. yum will resolve all required dependences automagically.</p>
+<blockquote>
+ <pre>[root@pptp ~]# yum install freeradius </pre>
+</blockquote>
+<p>The second software you will need is radiusclient. Get the FC4 rpm, radiusclient-0.3.2-0.2.fc4.rf.i386.rpm, from <a href="http://rpmforge.net/user/packages/radiusclient/">RPMforge</a>. Install it with &quot;rpm -ivh&quot;.</p>
+<hr>
+<p><strong><a name="rclient"></a>12. Radiusclient</strong></p>
+<p>Radiusclient is required because the pppd radius plugin relies on it. There are a few configuration files in /etc/radiusclient to look at. The first one is /etc/radiusclient/servers which specify the radius server name and key. We have the radius server in the same box. So the file is like this:</p>
+<blockquote>
+ <pre>#Server Name or Client/Server pair Key<br>#---------------- ---------------<br>localhost testing123 </pre>
+</blockquote>
+<p>The key is the secret of the radius server which is specified in /etc/raddb/clients.conf. The default is testing123. Of course, it is a bad idea to use the default.</p>
+<hr>
+<a name="rclientconf"></a><strong>12.1 radiusclient.conf</strong>
+<p>The main configuration file for radiusclient is /etc/radiusclient/radiusclient.conf. Here is how it should be when all remarks are stripped off:</p>
+<blockquote>
+ <pre>auth_order radius
+login_tries 4
+login_timeout 60
+nologin /etc/nologin
+issue /etc/radiusclient/issue
+authserver localhost
+acctserver localhost
+servers /etc/radiusclient/servers
+dictionary /etc/radiusclient/dictionary
+login_radius /usr/sbin/login.radius
+seqfile /var/run/radius.seq
+mapfile /etc/radiusclient/port-id-map
+default_realm
+radius_timeout 10
+radius_retries 3</pre>
+</blockquote>
+<p>Basically, all of the lines are default. I have not changed anything.</p>
+<hr>
+<strong><a name="dict"></a>12.2 dictionary.microsoft</strong>
+<p>In /etc/radiusclient, there is a file called dictionary. Add the following line to the end of the file.</p>
+<blockquote>
+ <pre>INCLUDE /etc/radiusclient/dictionary.microsoft</pre>
+</blockquote>
+<p>The file, dictionary.microsoft, is not included in the radiusclient. We can modify the one from freeradius so that it can be used by pppd.</p>
+<p>First of all, copy the freeradius one, /usr/share/freeradius/dictionary.microsoft, to /etc/radiusclient. Then change the word &quot;octets&quot; to &quot;string&quot; in the file. Add the word Microsoft to all attributes. Here is my version: </p>
+<blockquote>
+ <pre>#<br># Microsoft's VSA's, from RFC 2548<br>#<br># $Id: poptop_ads_howto_8.htm,v 1.3 2006/02/01 22:13:34 wskwok Exp $<br>#
+
+VENDOR Microsoft 311 Microsoft
+
+ATTRIBUTE MS-CHAP-Response 1 string Mircosoft<br>ATTRIBUTE MS-CHAP-Error 2 string Mircosoft<br>ATTRIBUTE MS-CHAP-CPW-1 3 string Mircosoft<br>ATTRIBUTE MS-CHAP-CPW-2 4 string Mircosoft<br>ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Mircosoft<br>ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Mircosoft<br>ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft<br># This is referred to as both singular and plural in the RFC.<br># Plural seems to make more sense.<br>ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft<br>ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft<br>ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft<br>ATTRIBUTE MS-CHAP-Domain 10 string Mircosoft<br>ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft<br>ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1<br>ATTRIBUTE MS-BAP-Usage 13 integer Microsoft<br>ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft<br>ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft<br>ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft<br>ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft<br>ATTRIBUTE MS-RAS-Version 18 string Microsoft<br>ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft<br>ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft<br>ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
+
+ATTRIBUTE MS-Filter 22 string Mircosoft<br>ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft<br>ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft<br>
+ATTRIBUTE MS-CHAP2-Response 25 string Microsoft<br>ATTRIBUTE MS-CHAP2-Success 26 string Microsoft<br>ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
+
+ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr<br>ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr<br>ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr<br>ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr
+
+#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
+
+#<br># Integer Translations<br>#
+
+# MS-BAP-Usage Values
+
+VALUE MS-BAP-Usage Not-Allowed 0<br>VALUE MS-BAP-Usage Allowed 1<br>VALUE MS-BAP-Usage Required 2
+
+# MS-ARAP-Password-Change-Reason Values
+
+VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1<br>VALUE MS-ARAP-PW-Change-Reason Expired-Password 2<br>VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3<br>VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
+
+# MS-Acct-Auth-Type Values
+
+VALUE MS-Acct-Auth-Type PAP 1<br>VALUE MS-Acct-Auth-Type CHAP 2<br>VALUE MS-Acct-Auth-Type MS-CHAP-1 3<br>VALUE MS-Acct-Auth-Type MS-CHAP-2 4<br>VALUE MS-Acct-Auth-Type EAP 5
+
+# MS-Acct-EAP-Type Values
+
+VALUE MS-Acct-EAP-Type MD5 4<br>VALUE MS-Acct-EAP-Type OTP 5<br>VALUE MS-Acct-EAP-Type Generic-Token-Card 6<br>VALUE MS-Acct-EAP-Type TLS 13
+
+END-VENDOR Microsoft
+</pre>
+</blockquote><p></p>
+<hr>
+<a href="poptop_ads_howto_9.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_7.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
+<p></p>
+</body>
+</html>
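Review bot: in the dictionary.microsoft listing, eight ATTRIBUTE lines (MS-CHAP-Response, MS-CHAP-Error, MS-CHAP-CPW-1, MS-CHAP-CPW-2, MS-CHAP-LM-Enc-PW, MS-CHAP-NT-Enc-PW, MS-CHAP-Domain, MS-Filter) carry the vendor name "Mircosoft" instead of "Microsoft", so they do not match the "VENDOR Microsoft 311 Microsoft" line and are not tied to vendor 311 as the text intends ("Add the word Microsoft to all attributes"); the four MS-*-DNS/NBNS-Server lines (28 to 31) have no vendor column at all, contradicting the same instruction. Fix the spelling and add Microsoft to 28 to 31, since readers copy this file verbatim. The "# $Id: poptop_ads_howto_8.htm,v ... $" line inside the listing is the CVS keyword of the HTML page itself, not of the dictionary, and should not be in a file readers are told to install. Finally, the /etc/radiusclient/servers example keeps the default key testing123 that the very next sentence calls a bad idea; showing a non-default placeholder would model the right behaviour.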
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_9.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_9.htm
new file mode 100644
index 0000000..8b9c023
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_9.htm
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Poptop MSCHAP2 ADS Howto</title>
+</head>
+
+<body>
+<p><strong>13. Freeradius</strong></p>
+<p>Freeradius has a massive 57KB configuration file. Fortunately, we only have to change a few lines. </p>
+<hr>
+<a name="mschap2"></a><strong>13.1 Configure Freeradius for MSCHAPv2
+</strong>
+<p>Edit /etc/raddb/radiusd.conf to enable MSCAHP2. Open the file and locate the module section and then the mschap subsection.</p>
+<blockquote>
+ <pre>modules {<br>
+ ....[snip]....<br>
+ mschap {
+ authtype = MS-CHAP
+ use_mppe = yes
+ require_encryption = yes
+ require_strong = yes
+ ntlm_auth = &quot;/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}&quot;<br> }<br>
+ ....[snip]....<br>
+}</pre>
+</blockquote>
+<p>Save the file. The mschap option in the authorize and authenticate sections is enabled by default. If they are not, enable them accordingly. </p>
+<p>The radius server has a secret key for security. The default key for freeradius is testing123. It is a good idea to change it for obvious security reasons. The key is in /etc/raddb/clients.conf. </p>
+<blockquote>
+ <pre>client 127.0.0.1 {<br> #<br> # The shared secret use to &quot;encrypt&quot; and &quot;sign&quot; packets between<br> # the NAS and FreeRADIUS. You MUST change this secret from the<br> # default, otherwise it's not a secret any more!<br> #<br> # The secret can be any string, up to 32 characters in length.<br> #<br> secret = testing123
+
+ ....[snip]....
+</pre>
+</blockquote>
+<p><strong>Note</strong>: if you change the secret key, you must modify the /etc/radiusclient/servers so that they match each other.
+</p>
+<hr>
+<p><strong><a name="access"></a>13.2 PPTP Access Control </strong></p>
+<p>The above configuration allows everyone with a valid userID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, you can create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntml_auth line in /etc/raddb/radius.conf to include the parameter &quot;--require-membership-of=EXAMPLE+VPN_Allowed&quot;. </p>
+<p>In the example, I split the line into multiple lines for clarity. It should be one continuous line in the configuration file. </p>
+<blockquote>
+ <pre>ntlm_auth = &quot;/usr/bin/ntlm_auth --request-nt-key
+ --username=%{Stripped-User-Name:-%{User-Name:-None}}
+ --challenge=%{mschap:Challenge:-00}
+ --nt-response=%{mschap:NT-Response:-00}
+ --require-membership-of=EXAMPLE+VPN_Allowed&quot;</pre>
+</blockquote><p></p>
+<hr>
+<a href="poptop_ads_howto_10.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_8.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a><p>&nbsp; </p>
+</body>
+</html>
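Review bot: the access-control paragraph (the `+<p>The above configuration allows everyone with a valid userID ...` line) tells the reader to edit the `ntml_auth` line in `/etc/raddb/radius.conf`, but the option shown in the snippet that follows is `ntlm_auth` and FreeRADIUS's main configuration file is `radiusd.conf`; both names should be corrected or the reader greps for the wrong key in the wrong file. Beside the `--require-membership-of=EXAMPLE+VPN_Allowed` example it is worth stating that the `+` between domain and group is the `winbind separator` configured in smb.conf (Samba's default is `\`), and that `--require-membership-of` also accepts the group's SID, which sidesteps the separator question. The clients.conf comment already says the `testing123` secret MUST be changed; the sentence before it ("It is a good idea to change it") is weaker than the snippet it introduces and could simply say so, and the `/etc/radiusclient/servers` note would be clearer as "must carry the same secret, or pptpd's RADIUS requests will be rejected".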
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/test.txt b/pptpd-1.3.3/html/poptop_ads_howto/test.txt
new file mode 100644
index 0000000..9daeafb
--- /dev/null
+++ b/pptpd-1.3.3/html/poptop_ads_howto/test.txt
@@ -0,0 +1 @@
+test
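Review bot: `test.txt` containing the single word `test` looks like a scratch file rather than documentation; nothing in the HOWTO pages in this diff refers to it, so it should be dropped from the html directory before this is merged.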
diff --git a/pptpd-1.3.3/html/setup_pptp_client.html b/pptpd-1.3.3/html/setup_pptp_client.html
new file mode 100644
index 0000000..6e2f6f1
--- /dev/null
+++ b/pptpd-1.3.3/html/setup_pptp_client.html
@@ -0,0 +1,89 @@
+<HTML>
+<HEAD>
+<TITLE>Setting up a Linux PPTP Client with WinNT PPTP Server</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF">
+<H1>Setting up the Linux PPTP 1.0.2 client (and PPP 2.3.5) with Windows NT PPTP Server</H1>
+
+<HR>
+<A NAME="aboutsys"></A>
+<H2>About the systems</H2>
+<P>
+This document assumes the following:
+<ul>
+<li>remote machine name = orge
+<li>domain remote machine belongs to = gnoll
+<li>username on remote machine = billybob
+<li>password for billybob = bobbybill
+</ul>
+We want to connect our local machine to the remote machine using PPTP. The
+remote machine is a <I>Windows NT</I> box while our local machine is a
+<I>Linux box</I>.
+</P>
+
+<HR>
+
+<A NAME="chapsecrets"></A>
+<H2>PPP chap-secrets file</H2>
+<P>
+Find the <I>chap-secrets</I> file which should be in <I>/etc/ppp/</I>. This
+file should look like this:
+</P>
+<P>
+<TABLE>
+<TR><TD># chap-secrets</TD></TR><TR>
+<TD># client</TD><TD>server</TD><TD>secret</TD><TD>IP adresses</TD></TR><TR>
+<TD>gnoll\\billybob</TD><TD>orge</TD><TD>bobbybill</TD><TD></TD></TR>
+</TABLE>
+</P>
+
+<HR>
+<A NAME="debugging"></A>
+<H2>Setting up PPP debugging</H2>
+<P>
+PPP debugging is handled by <I>syslogd</I>. To setup debugging open
+<I>syslog.conf</I> which should be found in <I>/etc/</I> and add the following
+entry:
+</P>
+<P>
+<B>daemon.debug /var/log/pppd.log</B>
+</P>
+
+<HR>
+<A NAME="launchpptp"></A>
+<H2>Launching PPTP</H2>
+<P>
+The following command is issued on the linux box to connect to the remote NT
+machine.
+</P>
+<P>
+<B>pptp orge debug name gnoll\\billybob remotename orge</B>
+</P>
+
+<HR>
+<A NAME="errors"></A>
+<H2>Errors</H2>
+<P>
+<B>E=691</B><BR>
+This error occurs when you supply an incorrect username/password to the remote
+NT machine. Check the chap-secrets file and the command line where PPTP is
+launched.
+</P>
+
+<HR>
+<A NAME="testing"></A>
+<H2>Testing</H2>
+<P>
+<ul>
+<li> run 'ifconfig' and check that a ppp0 interface exists
+<li> find P-t-P: xxx.xxx.xxx.xxx from the output of ifconfig
+<li> run 'netstat -i' and record the RX-OK and TX-OK values for ppp0
+<li> type 'ping xxx.xxx.xxx.xxx'
+<li> run 'netstat -i' again and see if the values for RX and TX increased.. if yes then it would appear to be working ok....... in theory anyway.
+</ul>
+
+<HR>
+<A HREF="http://www.moretonbay.com/vpn/pptp.html">PoPToP Home Page</a>
+</BODY>
+</HTML>
+
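Review bot: the chap-secrets table stores `bobbybill` in clear text and the debugging section routes `daemon.debug` to `/var/log/pppd.log`, where the `debug` option on the `pptp orge debug name gnoll\\billybob remotename orge` command line makes pppd log the contents of every control packet, including the CHAP challenge/response exchange; neither section says that `/etc/ppp/chap-secrets` and that log file must be readable by root only, which is the first thing a reader should be told. A `chmod 600 /etc/ppp/chap-secrets` line under the table and a reminder to remove the `daemon.debug` rule once the link is up would cover it. Minor: some syslogd implementations require a tab rather than spaces between selector and action in `daemon.debug /var/log/pppd.log`, and `IP adresses` in the table header should read `IP addresses`.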