AW: [Shorewall-users] Debian pptpd

webmaster@hackenschmiede.com webmaster@hackenschmiede.com
Mon, 1 Jul 2002 16:30:12 +0200


tom has good info at: http://www.shorewall.net/PPTP.htm

I am running poptop on a suse 7.3

(you must patch ppp and the kernel to get it to work with encryption)

no troubles with xp, 2000 and nt4.0 clients.

are you running a personal firewall on your xp system?

my options file:

ipparam PoPToP
lock
mtu 1490
mru 1490
ms-dns 192.168.1.1
ms-dns 192.168.1.2
ms-wins 192.168.1.1
ms-wins 192.168.1.2
multilink
proxyarp
auth
#+chap
#+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless



let me know if you need my perfectly working shorewall files.

best regards
Wolfgang


-----Original Message-----
From: shorewall-users-admin@shorewall.net
[mailto:shorewall-users-admin@shorewall.net] On Behalf Of Charles J.
Boening
Sent: Monday, 01 July 2002 16:02
To: 'j2'
Cc: shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] Debian pptpd


You don't have to use encryption, but it's not a bad idea.

Make sure you have a rule like this:

ACCEPT   net   $FW   47
ACCEPT   net   $FW   tcp   1723


I think that's right.  The first one is to allow protocol 47 ... GRE
tunnel IIRC (probably wrong .. Been a while) and the second one, tcp
port 1723 is for making the actual connection.  The GRE protocol is
basically how the data is encapsulated.

I run PoPToP (pptpd) (http://www.poptop.org) on a Mandrake 8.2 system.
The only problem I have with XP clients is after disconnect, they have
to reboot to connect again.  Meanwhile, 9x/ME clients can disconnect and
reconnect all day long without rebooting.  It could be something with
the XP configuration, I haven't really looked into it yet.

Also, if you're not using encryption, make sure you turn on the "require
encryption" on your XP clients.  I believe you have to go into the
"advanced" settings in the security tab for the connection and turn
encryption off or make it optional.


Hope this helps.  
Charlie
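
An added example, not part of either message above: a small audit that reads a PoPToP options file and reports when authentication or MPPE is not enforced. The option spellings are the ones used in the options file quoted in the thread; the policy (which options must be present, which should stay commented out) and the two sample inputs are assumptions constructed for this example.

```python
"""Audit a PoPToP/pppd options file for enforced authentication and MPPE."""

# Option names come from the options file quoted in the thread.
# What counts as a finding is this example's own (assumed) policy.
REQUIRED = {
    "auth": "peer authentication is not demanded",
    "+chapms-v2": "MS-CHAPv2 is not enabled",
    "require-mppe": "MPPE is not required",
    "mppe-128": "128-bit MPPE is not enabled",
}
DISCOURAGED = {
    "+chap": "plain CHAP is enabled alongside MS-CHAPv2",
    "+chapms": "MS-CHAP v1 is enabled alongside MS-CHAPv2",
}


def active_options(text):
    """Return {option: [args]} for lines that are not blank or commented out."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def audit(text):
    """Return a sorted list of findings; an empty list means the policy is met."""
    opts = active_options(text)
    findings = [f"missing {o}: {why}" for o, why in REQUIRED.items() if o not in opts]
    findings += [f"active {o}: {why}" for o, why in DISCOURAGED.items() if o in opts]
    return sorted(findings)


# Constructed samples: SAMPLE_OK mirrors the auth/MPPE lines of the file above,
# SAMPLE_WEAK is a made-up variant with MPPE optional and MS-CHAP v1 switched on.
SAMPLE_OK = "auth\n#+chap\n#+chapms\n+chapms-v2\nmppe-128\nrequire-mppe\n"
SAMPLE_WEAK = "auth\n+chapms\n+chapms-v2\nmppe-128\n"

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(label, audit(sample) or "policy met")
```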