Настройка маршрутизации ppp

sandaksatru · 20 мая 2015, 11:34:19

Цитата: awkaw от 20 мая 2015, 11:10:39А имеются ли какие-то еще клиенты нормальные кроме xl2tpd

Не слышал. И всё же скорей всего дело не в нём, а где-то ещё. Давайте дождёмся логов и дампов.

awkaw · 20 мая 2015, 20:04:15

Логи


Jan  1 12:50:13 radxa pppd[2549]: pppd 2.4.5 started by root, uid 0
Jan  1 12:50:13 radxa pppd[2549]: using channel 15
Jan  1 12:50:13 radxa pppd[2549]: Using interface ppp0
Jan  1 12:50:13 radxa pppd[2549]: Connect: ppp0 <--> /dev/pts/0
Jan  1 12:50:13 radxa pppd[2549]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7cbc48b1> <pcomp> <accomp>]
Jan  1 12:50:13 radxa pppd[2549]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7cbc48b1> <pcomp> <accomp>]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [LCP ConfReq id=0x1 <mru 1492> <asyncmap 0x0> <auth eap> <magic 0x24d94a31> <pcomp> <accomp>]
Jan  1 12:50:16 radxa pppd[2549]: sent [LCP ConfAck id=0x1 <mru 1492> <asyncmap 0x0> <auth eap> <magic 0x24d94a31> <pcomp> <accomp>]
Jan  1 12:50:16 radxa pppd[2549]: sent [LCP EchoReq id=0x0 magic=0x7cbc48b1]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [LCP EchoReq id=0x0 magic=0x24d94a31]
Jan  1 12:50:16 radxa pppd[2549]: sent [LCP EchoRep id=0x0 magic=0x7cbc48b1]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [EAP Request id=0x0 Identity <Message "Name">]
Jan  1 12:50:16 radxa pppd[2549]: EAP: Identity prompt "Name"
Jan  1 12:50:16 radxa pppd[2549]: sent [EAP Response id=0x0 Identity <Name "home">]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [LCP EchoRep id=0x0 magic=0x24d94a31]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [EAP Request id=0x1 MD5-Challenge <Value 3d 40 b7 74 54 e3 69 cb 4f 5f cc 60 72 98 b7 6e> <Name "site.ru">]
Jan  1 12:50:16 radxa pppd[2549]: sent [EAP Response id=0x1 MD5-Challenge <Value d3 19 60 6b 59 76 fc 40 97 ef ca f2 31 1a 45 20> <Name "home">]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [EAP Success id=0x2]
Jan  1 12:50:16 radxa pppd[2549]: EAP authentication succeeded
Jan  1 12:50:16 radxa pppd[2549]: sent [CCP ConfReq id=0x1 <bsd v1 15>]
Jan  1 12:50:16 radxa pppd[2549]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [CCP ConfReq id=0x1 <bsd v1 15>]
Jan  1 12:50:16 radxa pppd[2549]: sent [CCP ConfAck id=0x1 <bsd v1 15>]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 172.16.0.5>]
Jan  1 12:50:16 radxa pppd[2549]: sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr 172.16.0.5>]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [CCP ConfAck id=0x1 <bsd v1 15>]
Jan  1 12:50:16 radxa pppd[2549]: BSD-Compress (15) compression enabled
Jan  1 12:50:16 radxa pppd[2549]: rcvd [IPCP ConfNak id=0x1 <addr 172.16.0.10>]
Jan  1 12:50:16 radxa pppd[2549]: sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr 172.16.0.10>]
Jan  1 12:50:16 radxa pppd[2549]: rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 172.16.0.10>]
Jan  1 12:50:16 radxa pppd[2549]: replacing old default route to eth0 [192.168.1.1]
Jan  1 12:50:16 radxa pppd[2549]: local  IP address 172.16.0.10
Jan  1 12:50:16 radxa pppd[2549]: remote IP address 172.16.0.5
Jan  1 12:50:16 radxa pppd[2549]: Script /etc/ppp/ip-up started (pid 2552)
Jan  1 12:50:16 radxa pppd[2549]: Script /etc/ppp/ip-up finished (pid 2552), status = 0x0
Jan  1 12:51:35 radxa pppd[2549]: rcvd [CCP TermReq id=0x2"Lost compression sync"]
Jan  1 12:51:35 radxa pppd[2549]: CCP terminated by peer (Lost compression sync)
Jan  1 12:51:35 radxa pppd[2549]: sent [CCP TermAck id=0x2]
Jan  1 12:51:35 radxa pppd[2549]: Compression disabled by peer.

tcpdump -i ppp0 -p icmp -vvnnc6 (от сервера к клиенту)

Код Выделить


tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
13:17:03.364992 IP (tos 0x0, ttl 64, id 41041, offset 0, flags [DF], proto ICMP (1), length 84)
    188.120.242.122 > 172.16.0.10: ICMP echo request, id 12507, seq 1260, length 64
13:17:04.365562 IP (tos 0x0, ttl 64, id 41094, offset 0, flags [DF], proto ICMP (1), length 84)
    188.120.242.122 > 172.16.0.10: ICMP echo request, id 12507, seq 1261, length 64
13:17:05.365205 IP (tos 0x0, ttl 64, id 41246, offset 0, flags [DF], proto ICMP (1), length 84)
    188.120.242.122 > 172.16.0.10: ICMP echo request, id 12507, seq 1262, length 64
13:17:06.365082 IP (tos 0x0, ttl 64, id 41313, offset 0, flags [DF], proto ICMP (1), length 84)
    188.120.242.122 > 172.16.0.10: ICMP echo request, id 12507, seq 1263, length 64
13:17:07.365721 IP (tos 0x0, ttl 64, id 41315, offset 0, flags [DF], proto ICMP (1), length 84)
    188.120.242.122 > 172.16.0.10: ICMP echo request, id 12507, seq 1264, length 64
13:17:08.364945 IP (tos 0x0, ttl 64, id 41433, offset 0, flags [DF], proto ICMP (1), length 84)
    188.120.242.122 > 172.16.0.10: ICMP echo request, id 12507, seq 1265, length 64
6 packets captured
6 packets received by filter
0 packets dropped by kernel

tcpdump -i ppp0 -p icmp -vvnnc6 (от клиента к серверу)

Код Выделить


tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:02:41.485910 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.0.10 > 172.16.0.5: ICMP echo request, id 2920, seq 8, length 64
20:02:41.485947 IP (tos 0x0, ttl 64, id 50176, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.0.5 > 172.16.0.10: ICMP echo reply, id 2920, seq 8, length 64
20:02:42.487788 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.0.10 > 172.16.0.5: ICMP echo request, id 2920, seq 9, length 64
20:02:42.487826 IP (tos 0x0, ttl 64, id 50415, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.0.5 > 172.16.0.10: ICMP echo reply, id 2920, seq 9, length 64
20:02:43.489455 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.0.10 > 172.16.0.5: ICMP echo request, id 2920, seq 10, length 64
20:02:43.489502 IP (tos 0x0, ttl 64, id 50617, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.0.5 > 172.16.0.10: ICMP echo reply, id 2920, seq 10, length 64
6 packets captured
6 packets received by filter
0 packets dropped by kernel

sandaksatru · 21 мая 2015, 09:15:47

Цитата: sandaksatru от 20 мая 2015, 10:39:35
Код Выделить Развернуть
172.16.0.10 * 255.255.255.255 UH 0 0 0 ppp0
На сервере должен быть примерно такой маршрут подниматься автоматом при подключении клиента. Он есть?

Цитата: awkaw от 20 мая 2015, 20:04:15188.120.242.122 > 172.16.0.10:

Маршрута почему-то нет, или его что-то перебивает. Возможно достаточно просто сменить метрки. Покажите маршруты и подключения с сервера:

Код Выделить

ip a && ip r
Если маршрута нет, попробуйте его добавить вручную:
ip r a 172.16.0.10 dev ppp0 src 172.16.0.5

awkaw · 21 мая 2015, 09:21:35

На сервере есть маршрут. Маршрут на клиенте попробую добавить, но опять же вечером)

sandaksatru · 21 мая 2015, 10:47:02

Цитата: awkaw от 21 мая 2015, 09:21:35На сервере есть маршрут. Маршрут на клиенте попробую добавить, но опять же вечером)

Как раз на клиенте, судя по логам, у вас всё хорошо. А вот на сервере что-то не так. Может конфиг сервера неправильно настроен или netfilter...

Я сейчас посмотрел повнимательней. Если я правильно понял, у вас при пинге клиента с сервера по ppp интерфейсу отправляются пакеты с внешним обратным адресом. Если снять tcpdump по icmp протоколу, то мы увидим, что эти пакеты он получит и отправит ответ на адрес 188.120.242.122 уже через внешний интерфейс, а не по виртуальному туннелю.

Поэтому вам надо разбираться с сервером. Смотрите конфиг xl2tpd, смотрите маршруты, смотрите правила iptables. Собака где-то там...

awkaw · 21 мая 2015, 10:56:15

Так у меня по такой же схеме работает клиент на винде - там теже самые адреса - внешний также присутствует, но все без проблем работает) Еще вчера настроил на андроиде - там тоже все без проблем работает)) Только на debian не работает) Правда еще на ipad не подключается, но пока не понял почему)

mrgoodvin · 21 мая 2015, 12:38:06

Вот была аналогичная ситуация - https://libc6.org/page/l2tp-ipsec-server-howto/. К слежению, решения пока по ссылке тоже нету. Судя по всему, проблема именно с клиентскими машинами на linux.

awkaw · 21 мая 2015, 12:43:45

Да, не ожидал, что в linux могут быть такие камни) Ну хочется все-таки понять, почему так получается) Хочу кстати отметить, что компрессия падает именно тогда, когда с сервера хочу пропинговать)

liuser · 22 мая 2015, 14:55:14

Приветствую, у меня проблема идентичная. ВПН нужен для объединения разных устройств и в разных локалках в одну виртуальную. Выделил для pptp VPN адреса 192.168.10.x. В инет через vpn сервер ходят все нормально. Однако клиенты друг друга не видят. Сервер тоже клиентов не видит. Видится только устройства на Android и Windows. На линь пинга нет в точности Debian, как и из виртуалки, так и из локальной(после подключения к туннелю). Уже голову ломаю неделю.

На сервере pptpd.conf

Код Выделить


###############################################################################
# $Id$
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
#       Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: delegate
#       Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option.  The default is 100.
#connections 100

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than the value of connections,
#          it will start at the beginning of the list and go until it
#          gets connections IPs.  Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
localip 81.4.101.142
remoteip 192.168.10.1-100
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

/etc/ppp/options

Код Выделить


# /etc/ppp/options
# 
# Originally created by Jim Knoble <jmknoble@mercury.interpath.net>
# Modified for Debian by alvar Bray <alvar@meiko.co.uk>
# Modified for PPP Server setup by Christoph Lameter <clameter@debian.org>
#
# To quickly see what options are active in this file, use this command:
#   egrep -v '#|^ *$' /etc/ppp/options

# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
# ms-dns 192.168.1.1
# ms-dns 192.168.1.2

# Specify which WINS Servers the incoming connection Win95 or WinNT should use
# ms-wins 192.168.1.50
# ms-wins 192.168.1.51

# Run the executable or shell command specified after pppd has
# terminated the link.  This script could, for example, issue commands
# to the modem to cause it to hang up if hardware modem control signals
# were not available.
#disconnect "chat -- \d+++\d\c OK ath0 OK"

# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it.  0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
asyncmap 0

# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting. It is expected to be standard in
# future releases of pppd. Use the call option (see manpage) to disable
# authentication for specific peers.
auth

# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts

# Use software flow control (i.e. XON/XOFF) to control the flow of data
# on the serial port.
#xonxoff

# Specifies that certain characters should be escaped on transmission
# (regardless of whether the peer requests them to be escaped with its
# async control character map).  The characters to be escaped are
# specified as a list of hex numbers separated by commas.  Note that
# almost any character can be specified for the escape option, unlike
# the asyncmap option which only allows control characters to be
# specified.  The characters which may not be escaped are those with hex
# values 0x20 - 0x3f or 0x5e.
#escape 11,13,ff

# Don't use the modem control lines.
#local

# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock

# Don't show the passwords when logging the contents of PAP packets.
# This is the default.
hide-password

# When logging the contents of PAP packets, this option causes pppd to
# show the password string in the log message.
#show-password

# Use the modem control lines.  On Ultrix, this option implies hardware
# flow control, as for the crtscts option.  (This option is not fully
# implemented.)
modem

# Set the MRU [Maximum Receive Unit] value to <n> for negotiation.  pppd
# will ask the peer to send packets of no more than <n> bytes. The
# minimum MRU value is 128.  The default MRU value is 1500.  A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data).
#mru 542

# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
#netmask 255.255.255.0

# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
#noipdefault

# Enables the "passive" option in the LCP.  With this option, pppd will
# attempt to initiate a connection; if no reply is received from the
# peer, pppd will then just wait passively for a valid LCP packet from
# the peer (instead of exiting, as it does without this option).
#passive

# With this option, pppd will not transmit LCP packets to initiate a
# connection until a valid LCP packet is received from the peer (as for
# the "passive" option with old versions of pppd).
#silent

# Don't request or allow negotiation of any options for LCP and IPCP
# (use default values).
#-all

# Disable Address/Control compression negotiation (use default, i.e.
# address/control field disabled).
#-ac

# Disable asyncmap negotiation (use the default asyncmap, i.e. escape
# all control characters).
#-am

# Don't fork to become a background process (otherwise pppd will do so
# if a serial device is specified).
#-detach

# Disable IP address negotiation (with this option, the remote IP
# address must be specified with an option on the command line or in
# an options file).
#-ip

# Disable IPCP negotiation and IP communication. This option should
# only be required if the peer is buggy and gets confused by requests
# from pppd for IPCP negotiation.
#noip

# Disable magic number negotiation.  With this option, pppd cannot
# detect a looped-back line.
#-mn

# Disable MRU [Maximum Receive Unit] negotiation (use default, i.e.
# 1500).
#-mru

# Disable protocol field compression negotiation (use default, i.e.
# protocol field compression disabled).
#-pc

# Require the peer to authenticate itself using PAP.
#+pap

# Don't agree to authenticate using PAP.
#-pap

# Require the peer to authenticate itself using CHAP [Cryptographic
# Handshake Authentication Protocol] authentication.
#+chap

# Don't agree to authenticate using CHAP.
#-chap

# Disable negotiation of Van Jacobson style IP header compression (use
# default, i.e. no compression).
#-vj

# Increase debugging level (same as -d).  If this option is given, pppd
# will log the contents of all control packets sent or received in a
# readable form.  The packets are logged through syslog with facility
# daemon and level debug. This information can be directed to a file by
# setting up /etc/syslog.conf appropriately (see syslog.conf(5)).  (If
# pppd is compiled with extra debugging enabled, it will log messages
# using facility local2 instead of daemon).
#debug

# Append the domain name <d> to the local host name for authentication
# purposes.  For example, if gethostname() returns the name porsche,
# but the fully qualified domain name is porsche.Quotron.COM, you would
# use the domain option to set the domain name to Quotron.COM.
#domain <d>

# Enable debugging code in the kernel-level PPP driver.  The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug n

# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
# requests a smaller value via MRU negotiation, pppd will request that
# the kernel networking code send data packets of no more than n bytes
# through the PPP network interface.
#mtu <n>

# Set the name of the local system for authentication purposes to <n>.
# This is a privileged option. With this option, pppd will use lines in the
# secrets files which have <n> as the second field when looking for a
# secret to use in authenticating the peer. In addition, unless overridden
# with the user option, <n> will be used as the name to send to the peer
# when authenticating the local system to the peer. (Note that pppd does
# not append the domain name to <n>.)
#name <n>

# Enforce the use of the hostname as the name of the local system for
# authentication purposes (overrides the name option).
#usehostname

# Set the assumed name of the remote system for authentication purposes
# to <n>.
#remotename <n>

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
#proxyarp

# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dialin from users using a script under Linux to fire up ppp wont work.
# login

# If this option is given, pppd will send an LCP echo-request frame to the
# peer every n seconds. Normally the peer should respond to the echo-request
# by sending an echo-reply. This option can be used with the
# lcp-echo-failure option to detect that the peer is no longer connected.
lcp-echo-interval 30

# If this option is given, pppd will presume the peer to be dead if n
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
# If this happens, pppd will terminate the connection.  Use of this
# option requires a non-zero value for the lcp-echo-interval parameter.
# This option can be used to enable pppd to terminate after the physical
# connection has been broken (e.g., the modem has hung up) in
# situations where no hardware modem control lines are available.
lcp-echo-failure 4

# Set the LCP restart interval (retransmission timeout) to <n> seconds
# (default 3).
#lcp-restart <n>

# Set the maximum number of LCP terminate-request transmissions to <n>
# (default 3).
#lcp-max-terminate <n>

# Set the maximum number of LCP configure-request transmissions to <n>
# (default 10).
#lcp-max-configure <n>

# Set the maximum number of LCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
#lcp-max-failure <n>

# Set the IPCP restart interval (retransmission timeout) to <n>
# seconds (default 3).
#ipcp-restart <n>

# Set the maximum number of IPCP terminate-request transmissions to <n>
# (default 3).
#ipcp-max-terminate <n>

# Set the maximum number of IPCP configure-request transmissions to <n>
# (default 10).
#ipcp-max-configure <n>

# Set the maximum number of IPCP configure-NAKs returned before starting
# to send configure-Rejects instead to <n> (default 10).
#ipcp-max-failure <n>

# Set the PAP restart interval (retransmission timeout) to <n> seconds
# (default 3).
#pap-restart <n>

# Set the maximum number of PAP authenticate-request transmissions to
# <n> (default 10).
#pap-max-authreq <n>

# Set the maximum time that pppd will wait for the peer to authenticate
# itself with PAP to <n> seconds (0 means no limit).
#pap-timeout <n>

# Set the CHAP restart interval (retransmission timeout for
# challenges) to <n> seconds (default 3).
#chap-restart <n>

# Set the maximum number of CHAP challenge transmissions to <n>
# (default 10).
#chap-max-challenge

# If this option is given, pppd will rechallenge the peer every <n>
# seconds.
#chap-interval <n>

# With this option, pppd will accept the peer's idea of our local IP
# address, even if the local IP address was specified in an option.
#ipcp-accept-local

# With this option, pppd will accept the peer's idea of its (remote) IP
# address, even if the remote IP address was specified in an option.
#ipcp-accept-remote

# Disable the IPXCP and IPX protocols.
# To let pppd pass IPX packets comment this out --- you'll probably also
# want to install ipxripd, and have the Internal IPX Network option enabled
# in your kernel.  /usr/doc/HOWTO/IPX-HOWTO.gz contains more info.
noipx

# Exit once a connection has been made and terminated. This is the default,
# unless the `persist' or `demand' option has been specified.
#nopersist

# Do not exit after a connection is terminated; instead try to reopen
# the connection.
#persist

# Terminate after n consecutive failed connection attempts.
# A value of 0 means no limit. The default value is 10.
#maxfail <n>

# Initiate the link only on demand, i.e. when data traffic is present. 
# With this option, the remote IP address must be specified by the user on
# the command line or in an options file.  Pppd will initially configure
# the interface and enable it for IP traffic without connecting to the peer. 
# When traffic is available, pppd will connect to the peer and perform
# negotiation, authentication, etc.  When this is completed, pppd will
# commence passing data packets (i.e., IP packets) across the link.
#demand

# Specifies that pppd should disconnect if the link is idle for <n> seconds.
# The link is idle when no data packets (i.e. IP packets) are being sent or
# received.  Note: it is not advisable to use this option with the persist
# option without the demand option.  If the active-filter option is given,
# data packets which are rejected by the specified activity filter also
# count as the link being idle.
#idle <n>

# Specifies how many seconds to wait before re-initiating the link after
# it terminates.  This option only has any effect if the persist or demand
# option is used.  The holdoff period is not applied if the link was
# terminated because it was idle.
#holdoff <n>

# Wait for up n milliseconds after the connect script finishes for a valid
# PPP packet from the peer.  At the end of this time, or when a valid PPP
# packet is received from the peer, pppd will commence negotiation by
# sending its first LCP packet.  The default value is 1000 (1 second).
# This wait period only applies if the connect or pty option is used.
#connect-delay <n>

# Packet filtering: for more information, see pppd(8)
# Any packets matching the filter expression will be interpreted as link
# activity, and will cause a "demand" connection to be activated, and reset
# the idle connection timer. (idle option)
# The filter expression is akin to that of tcpdump(1)
#active-filter <filter-expression>

# ---<End of File>---

/etc/ppp/pptp-options

Код Выделить


###############################################################################
# $Id$
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)


# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}




# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
ms-dns 8.8.8.8
ms-dns 8.8.4.4

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address.  The default local IP address used at the server
# end is often the same as the address of the server.  To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp

# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd

# put plugins here
# (putting them higher up may cause them to sent messages to the pty)

sandaksatru · 22 мая 2015, 15:45:07

Цитата: liuser от 22 мая 2015, 14:55:14localip 81.4.101.142
remoteip 192.168.10.1-100

В поле localip нужно указывать внутренний адрес для pptp интерфейса, лучше из одной подсети с клиентским диапазоном, а не внешний адрес сервера. Например, 192.168.10.254.

awkaw · 22 мая 2015, 15:48:01

sandaksatru, не смог попробовать Вашу рекомендацию вчера. Я до этого тестировал без IpSec. а вот вчера решил поставить. linux вообще перестал подключаться, но я думаю ближайшие дни разберусь с этим. Винда и Андроид - норм подключаются и все прекрасно работает.

liuser · 22 мая 2015, 16:16:30

Цитата: sandaksatru от 22 мая 2015, 15:45:07
Цитата: liuser от 22 мая 2015, 14:55:14localip 81.4.101.142
remoteip 192.168.10.1-100
В поле localip нужно указывать внутренний адрес для pptp интерфейса, лучше из одной подсети с клиентским диапазоном, а не внешний адрес сервера. Например, 192.168.10.254.

Поменял на localip 192.168.10.0
Перенаправил: iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 81.4.101.142
Перезапустил: service restart pptpd
Однако ситуация к сожалению не изменилась. Думаю собака зарыта на стороне клиента Лини. Ибо вин и андроид нормально видятся и нормально работают с подсетью как с локальной, как и с виртуальной.

sandaksatru · 23 мая 2015, 20:37:35

Цитата: liuser от 22 мая 2015, 16:16:30Перенаправил: iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 81.4.101.142

А зачем? Вы хотели предоставить VPN пользователям доступ в интернет через ваш шлюз? Тогда вам нужно ещё указать исходящий интерфейс ( -o ethX), иначе посылая icmp пакет клиенту, он снова уходит с обратным внешним адресом. А клиенту он должен поступить с обратным адресом внутреннего ppp-интерфейса. Почему с виндовыми клиентами такая схема работает - не могу сказать, не являюсь специалистом маздая. Но Linux не терпит ошибок системного оператора. Зато он податлив и дружелюбен =)

awkaw · 25 мая 2015, 21:17:32

ip route add 172.16.0.10 dev ppp0 src 172.16.0.5

Код Выделить

RTNETLINK answers: Invalid argument

Как правильно прописать?)

sandaksatru · 26 мая 2015, 09:25:07

Цитата: awkaw от 25 мая 2015, 21:17:32ip route add 172.16.0.10 dev ppp0 src 172.16.0.5

Да вроде правильно прописываете, но перед этим должен быть поднят интерфейс ppp0 и ему назначен адрес 172.16.0.5