platinum (moderator), please come in: problems with an MPPE/MPPC PPTP VPN server on Redhat 9 (kernel 2.6.6)
My environment:
OS: Redhat 9.0, kernel 2.6.6 with linux-2.6.6-mppe-mppc-1.3.patch applied; the kernel was recompiled with PPP BSD-Compress compression
and Microsoft PPP compression/encryption (MPPC/MPPE) built as loadable modules, and under Cryptographic options SHA1, RC4 etc. also built as modules.
ppp: ppp-2.4.3 with ppp-2.4.3-mppe-mppc-1.1.patch applied
pptp: pptp-1.1.4
Following
http://bbs.chinaunix.net/forum/viewtopic.php?t=470094&show_type=new
tjyihui's method step by step, I get the following messages:
#/etc/ppp/pptpd.conf
option /etc/ppp/options.pptpd
debug
Logwtmp
localip 10.0.0.100
remoteip 10.0.0.150-200
#/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
test pptpd test "*"
#/etc/ppp/options.pptpd
###############################################################################
# $Id: options.pptpd,v 1.5 2004/04/23 07:11:33 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose which of the following sections you will use.)
#_________________________________
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
#nobsdcomp
cat /var/log/message
......
May 6 17:16:38 server atd: atd startup succeeded
May 6 17:16:38 server kernel: CSLIP: code copyright 1989 Regents of the University of California
May 6 17:16:38 server kernel: PPP generic driver version 2.4.2
May 6 17:16:38 server kernel: MPPE/MPPC encryption/compression module registered
May 6 17:16:39 server rc: Starting webmin: succeeded
May 6 17:16:48 server sshd(pam_unix)[1536]: session opened for user root by (uid=0)
May 6 17:17:15 server pptpd[1852]: MGR: Manager process started
May 6 17:17:15 server pptpd[1852]: MGR: Maximum of 51 connections available
May 6 17:17:32 server pptpd[1872]: CTRL: Client 10.0.0.205 control connection started
May 6 17:17:32 server pptpd[1872]: CTRL: Starting call (launching pppd, opening GRE)
May 6 17:17:32 server pppd[1873]: In file /etc/ppp/options.pptpd: unrecognized option 'refuse-mschap'
May 6 17:17:32 server pptpd[1872]: GRE: read(fd=4,buffer=804d560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
May 6 17:17:52 server pptpd[1901]: GRE: read(fd=4,buffer=804d560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
May 6 17:17:52 server pptpd[1901]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
May 6 17:17:52 server pptpd[1901]: CTRL: Client 10.0.0.205 control connection finished
......
May 6 17:17:58 server pptpd[1917]: CTRL: Client 10.0.0.205 control connection started
May 6 17:17:58 server pptpd[1917]: CTRL: Starting call (launching pppd, opening GRE)
May 6 17:17:58 server pppd[1918]: In file /etc/ppp/options.pptpd: unrecognized option 'refuse-mschap'
May 6 17:17:58 server pptpd[1917]: GRE: read(fd=4,buffer=804d560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
May 6 17:17:58 server pptpd[1917]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
May 6 17:17:58 server pptpd[1917]: CTRL: Client 10.0.0.205 control connection finished
......
Given "May 6 17:16:38 server kernel: MPPE/MPPC", by rights the MPPE/MPPC module is already in place and the kernel patch has succeeded, so why does "In file /etc/ppp/options.pptpd: unrecognized option 'refuse-mschap'" appear?
Is there anything I haven't explained clearly?
Confused! Baffled!
Sweating!
platinum replied on 2005-05-08 22:45:48
In file /etc/ppp/options.pptpd: unrecognized option 'refuse-mschap'
This option is not recognised.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
Replace them with the following; this is definitely correct, and it reads more intuitively too:
-pap
-chap
-mschap
+mschap-v2
mppe required
Then load the module:
modprobe ppp_mppe_mppc
and try again?
platinum replied on 2005-05-08 22:54:52
Let me post my simplified config for everyone's reference.
/etc/pptpd.conf
option /etc/ppp/options.pptpd
debug
logwtmp
localip 10.1.39.254
remoteip 10.1.39.101-200
/etc/ppp/options.pptpd
name PLATINUM
debug
logfile /var/log/ppp-pptpd.log
lock
-pap
-chap
-mschap
+mschap-v2
mppe required
ms-dns 202.106.46.151
ms-dns 202.106.0.20
I added debug to options.pptpd, with the messages going to /var/log/ppp-pptpd.log, to make troubleshooting easier.
Everyone is welcome to keep discussing ^_^
ljily000 replied on 2005-05-09 11:25:41
Thanks!
My /etc/ppp/options.pptpd:
name pptpd
debug
lock
-pap
-chap
-mschap
+mschap-v2
mppe required
Why do I still get this error?
May 6 17:17:58 server pppd[1918]: In file /etc/ppp/options.pptpd: unrecognized option '-mschap'
May 6 17:17:58 server pptpd[1917]: GRE: read(fd=4,buffer=804d560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
May 6 17:17:58 server pptpd[1917]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
May 6 17:17:58 server pptpd[1917]: CTRL: Client 10.0.0.205 control connection finished
Why? Does pptpd not recognise mschap?
I also tried building mppc/mppe into the kernel; same result.
modprobe -l | grep ppp does not find ppp_mppe_mppc. Has the module not been loaded? Yet at boot the system reports:
May 6 17:16:38 server kernel: CSLIP: code copyright 1989 Regents of the University of California
May 6 17:16:38 server kernel: PPP generic driver version 2.4.2
May 6 17:16:38 server kernel: MPPE/MPPC encryption/compression module registered
Thanks!
platinum replied on 2005-05-09 23:05:34
depmod -a
and try again?
It feels like your ppp has not picked up the ppp_mppe_mppc patch.
Are you sure ppp has had the ppp_mppe_mppc patch applied?
updatedb
locate ppp|grep bin
See whether there are two copies. If so, you need to replace one: although you installed the new ppp, the system may still be calling the old ppp.
ljily000 replied on 2005-05-09 23:29:47
Yes, I'm sure the ppp_mppe_mppc patch was applied! Without it there would be no ppp_mppe_mppc
module option in make menuconfig, and besides, at boot
May 6 17:16:38 server kernel: MPPE/MPPC encryption/compression module registered
there is the "MPPE/MPPC encryption/compression" message, so it should be loaded!
I'll first run updatedb
locate ppp|grep bin
and take a look!
Thank you, brother Platinum! Your replies are an encouragement to me; I'm sure I can solve this!
platinum replied on 2005-05-10 08:00:31
No no no, I mean two patches: the kernel one you mention is one, and there is another MPPE-MPPC patch for ppp.
Your situation looks very much like ppp has not been patched. Although it reports MPPE-MPPC registered, that is the kernel's message, not ppp's.
A normal connect/disconnect log should look like this
Quote:
May 10 08:02:12 WITHSUN pptpd[7794]: CTRL: Client 221.217.250.219 control connection started
May 10 08:02:12 WITHSUN pptpd[7794]: CTRL: Starting call (launching pppd, opening GRE)
May 10 08:02:13 WITHSUN pppd[7795]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
May 10 08:02:13 WITHSUN pppd[7795]: pptpd-logwtmp: $Version$
May 10 08:02:13 WITHSUN pppd[7795]: pppd 2.4.3 started by root, uid 0
May 10 08:02:13 WITHSUN pppd[7795]: Using interface ppp6
May 10 08:02:13 WITHSUN pppd[7795]: Connect: ppp6 <--> /dev/pts/6
May 10 08:02:13 WITHSUN pptpd[7794]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
May 10 08:02:13 WITHSUN /etc/hotplug/net.agent: assuming ppp6 is already up
May 10 08:02:14 WITHSUN pppd[7795]: MPPC/MPPE 128-bit stateful compression enabled
May 10 08:02:15 WITHSUN pppd[7795]: local IP address 10.1.39.254
May 10 08:02:15 WITHSUN pppd[7795]: remote IP address 10.1.39.1
May 10 08:02:15 WITHSUN pppd[7795]: pptpd-logwtmp.so ip-up ppp6 baijin 221.217.250.219
May 10 08:02:33 WITHSUN pppd[7795]: LCP terminated by peer (1M-.+M-^M^@<M-Mt^@^@^@^@)
May 10 08:02:33 WITHSUN pppd[7795]: pptpd-logwtmp.so ip-down ppp6
May 10 08:02:33 WITHSUN pppd[7795]: Connect time 0.3 minutes.
May 10 08:02:33 WITHSUN pppd[7795]: Sent 0 bytes, received 3020 bytes.
May 10 08:02:33 WITHSUN pppd[7795]: Modem hangup
May 10 08:02:33 WITHSUN pppd[7795]: Connection terminated.
May 10 08:02:33 WITHSUN /etc/hotplug/net.agent: NET unregister event not supported
May 10 08:02:33 WITHSUN pppd[7795]: Exit.
May 10 08:02:33 WITHSUN pptpd[7794]: CTRL: Client 221.217.250.219 control connection finished
Your current situation is this: although the kernel can load the MPPE-MPPC module,
once pptpd is up and someone connects in on TCP/1723, the system automatically starts a ppp process and opens the GRE tunnel at the same time.
That is where your problem lies: your ppp is probably not the patched one, or at least the one the system invokes isn't, which is why the log reports an unrecognised option.
So I asked you to scan the disk for the paths of every ppp-related file, to see whether the set of ppp files truly patched with mppe-mppc has been put into the system.
Every beginning is hard; you'll succeed ^_^
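Added example, not from this thread or from pptpd/pppd: a small Python triage script that sorts pptpd/pppd syslog lines the way the comparison above does, separating a call that died because the invoked pppd rejected an option in options.pptpd from a call where MPPE was negotiated, and grading the negotiated key length. The sample log is constructed from the line formats quoted in this thread; the message patterns it matches are the ones visible above, nothing else is assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample, modelled on the pptpd/pppd syslog lines quoted in this thread.
SAMPLE_LOG = """\
May  6 17:17:32 server pptpd[1872]: CTRL: Client 10.0.0.205 control connection started
May  6 17:17:32 server pppd[1873]: In file /etc/ppp/options.pptpd: unrecognized option 'refuse-mschap'
May  6 17:17:52 server pptpd[1872]: CTRL: Client 10.0.0.205 control connection finished
May 10 08:02:12 WITHSUN pptpd[7794]: CTRL: Client 221.217.250.219 control connection started
May 10 08:02:14 WITHSUN pppd[7795]: MPPC/MPPE 128-bit stateful compression enabled
May 10 08:02:33 WITHSUN pptpd[7794]: CTRL: Client 221.217.250.219 control connection finished
"""

START = re.compile(r"pptpd\[\d+\]: CTRL: Client (\S+) control connection started")
FINISH = re.compile(r"pptpd\[\d+\]: CTRL: Client \S+ control connection finished")
BADOPT = re.compile(r"pppd\[\d+\]: In file (\S+): unrecognized option '([^']+)'")
MPPE = re.compile(r"pppd\[\d+\]: MPPC/MPPE (\d+)-bit (stateful|stateless)")

@dataclass
class Call:
    client: str
    bad_option: Optional[tuple] = None  # (options file, rejected option) if pppd bailed out
    mppe: Optional[tuple] = None        # (key length in bits, mode) once MPPE is negotiated

def analyse(log: str) -> list:
    """One Call per pptpd control connection; pppd lines attach to the open call."""
    calls, current = [], None
    for line in log.splitlines():
        if m := START.search(line):
            current = Call(client=m.group(1))
            calls.append(current)
        elif FINISH.search(line):
            current = None
        elif current is None:
            continue
        elif m := BADOPT.search(line):
            current.bad_option = (m.group(1), m.group(2))
        elif m := MPPE.search(line):
            current.mppe = (int(m.group(1)), m.group(2))
    return calls

def verdict(call: Call) -> str:
    """A rejected option means an unpatched pppd ran; otherwise judge the MPPE line."""
    if call.bad_option:
        return f"pppd aborted: unrecognized option '{call.bad_option[1]}' in {call.bad_option[0]}"
    if call.mppe is None:
        return "no MPPE negotiated"
    grade = "ok" if call.mppe[0] >= 128 else "weak"
    return f"{grade}: MPPE {call.mppe[0]}-bit {call.mppe[1]}"
```

Run it over a real /var/log/messages by reading the file into analyse() and printing verdict() per call; a call with no MPPE line and no rejected option is the one to look at first.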
ljily000 replied on 2005-05-10 14:04:50
Thank you brother Platinum, your spirit moves me; I've learned a lot!
My ppp-2.4.2 was installed like this.
tar xzvf ppp-2.4.2.tar.gz
gunzip ppp-2.4.2-mppc-mppe.patch.gz (I don't remember the file name exactly; in any case it's the mppc-mppe patch for ppp)
cp ppp-2.4.2-mppc-mppe.patch ppp-2.4.2
patch -p1 <ppp-2.4.2-mppc-mppe.patch (after running it seemed to have patched 5 files; is that right?)
./configure --prefix=/
make all
make install
I'll test tonight when I get home!
Comparing brother Platinum's log with mine,
May 10 08:02:14 WITHSUN pppd[7795]: MPPC/MPPE 128-bit stateful compression enabled
I feel mine is missing a little something; I'll have a good go at it tonight!
ljily000 replied on 2005-05-10 22:20:48
Thanks!
Here are my results
[root@server root]# depmod -a
[root@server root]# updatedb
[root@server root]# locate ppp|grep bin
/root/file/ppp-2.4.3/pppd/plugins/winbind.c
/root/file/ppp-2.4.3/pppd/plugins/winbind.so
/usr/sbin/ipppd
/usr/sbin/ipppstats
/usr/sbin/pppd
/usr/sbin/pppdump
/usr/sbin/pppstats
/usr/sbin/pppoe-server
/usr/sbin/pppoe
/usr/sbin/pppoe-relay
/usr/sbin/pppoe-sniff
/usr/share/doc/isdn4k-utils-3.1/pppbind.txt
/usr/local/lib/pppd/2.4.3/winbind.so
/usr/local/sbin/pppoe-discovery
/usr/local/sbin/pppd
/usr/local/sbin/pppstats
/usr/local/sbin/pppdump
/sbin/ppp-watch
/sbin/ipppd
/sbin/ipppstats
/sbin/pppoe
/sbin/pppoe-relay
/sbin/pppoe-server
/sbin/pppoe-sniff
[root@server root]#
Quote: So I asked you to scan the disk for the paths of every ppp-related file, to see whether the set of ppp files truly patched with mppe-mppc has been put into the system.
How do I confirm that the mppe-mppc-patched ppp set has been put into the system?
platinum replied on 2005-05-11 00:28:48
Have you noticed that there are pppoe files under both /usr/sbin and /sbin?
Check the date on /usr/sbin/pppd: is it the one you just compiled?
If not, copy the compiled one over it.
I suspect that ppp set is still the old one; the new one may be in /sbin.
I forget which is the real directory; check again, I guess it's related to this.
Also, a quiet question: the version of your kernel-mppe-mppc patch matches your kernel version, right?
And, try ppp-2.4.3? Mine is 2.4.3.
ljily000 replied on 2005-05-11 13:54:06
Thanks!
Quote: Also, a quiet question: the version of your kernel-mppe-mppc patch matches your kernel version, right?
And, try ppp-2.4.3? Mine is 2.4.3.
Yes, the kernel-mppe-mppc patch version matches the kernel version; if it didn't, the patch wouldn't apply.
I have used ppp-2.4.3 too, and also tried 1.1.4; according to tjyihui 1.1.4 works, so I figured 2.4.2 would surely work as well!
I quite agree with this idea of yours. Quote: Have you noticed that there are pppoe files under both /usr/sbin and /sbin?
Check the date on /usr/sbin/pppd: is it the one you just compiled?
If not, copy the compiled one over it.
I suspect that ppp set is still the old one; the new one may be in /sbin.
I forget which is the real directory; check again, I guess it's related to this.
I agree too! Now I feel the kernel is not really the cause; it's mainly ppp!
Thank you, brother platinum, I think I owe you dinner.
I feel I'm not far from success!
platinum replied on 2005-05-11 16:54:36
Quote:
Effort makes dreams come true!
Work hard as your signature says! ^_^
ljily000 replied on 2005-05-11 22:35:20
[root@server root]# ls /usr/sbin/pppd -al
-rwxr-xr-x 1 root root 184412 Jan 25 2003 /usr/sbin/pppd
[root@server root]# date
Wed May 11 22:32:20 CST 2005
[root@server root]#
So that's how it is. How should I replace it?
ljily000 replied on 2005-05-11 22:52:37
I've replaced it with the one I compiled, by copying straight over it,
[root@server sbin]# ./pppd -V
./pppd: unrecognized option '-V'
pppd version 2.4.3
Usage: ./pppd [ options ], where options are:
<device>        Communicate over the named device
<speed>         Set the baud rate to <speed>
<loc>:<rem>     Set the local and/or remote interface IP
                addresses. Either one may be omitted.
asyncmap <n>    Set the desired async map to hex <n>
auth            Require authentication from peer
connect <p>     Invoke shell command <p> to set up the serial line
crtscts         Use hardware RTS/CTS flow control
defaultroute    Add default route through interface
file <f>        Take options from file <f>
modem           Use modem control lines
mru <n>         Set MRU value to <n> for negotiation
See pppd(8) for more options.
But it seems the problem is still there
May 11 22:43:27 server pptpd[2032]: CTRL: Starting call (launching pppd, opening GRE)
May 11 22:43:27 server pppd[2033]: In file /etc/ppp/options.pptpd: unrecognized option 'refuse-mschap'
May 11 22:43:27 server pptpd[2032]: GRE: read(fd=4,buffer=804d560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
May 11 22:43:27 server pptpd[2032]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
May 11 22:43:27 server pptpd[2032]: CTRL: Client 10.0.0.205 control connection finished
I only replaced two files, pppd and pppdump. What else needs to be replaced?
platinum replied on 2005-05-11 23:12:37
You can do this: compile with --prefix=/usr/local/ppp-2.4.3
then install;
after that everything is in /usr/local/ppp-2.4.3, including all the binaries and lib libraries, and all of it needs to be replaced.
ljily000 replied on 2005-05-12 10:38:54
Mm, good idea!
ljily000 replied on 2005-05-12 22:18:20
I replaced everything, but it's still the same,
May 12 22:10:15 server pptpd[1910]: CTRL: Client 10.0.0.205 control connection started
May 12 22:10:15 server pptpd[1910]: CTRL: Starting call (launching pppd, opening GRE)
May 12 22:10:15 server pppd[1911]: In file /etc/ppp/options.pptpd: unrecognized option 'require-mppe'
May 12 22:10:15 server pptpd[1910]: GRE: read(fd=4,buffer=804d560,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
May 12 22:10:15 server pptpd[1910]: CTRL: PTY read or GRE write failed (pty,gre)=(4,5)
May 12 22:10:15 server pptpd[1910]: CTRL: Client 10.0.0.205 control connection finished
Argh!
Looks like I have to do it all over again!
Starting with recompiling the kernel!
platinum replied on 2005-05-12 22:32:21
If it's convenient for you, could I get into your system and take a look?
ljily000 replied on 2005-05-13 11:50:02
Thanks! That would be really great, but I'm on a residential China Telecom ADSL line through a shared ADSL router (the landlord's), on which I can't set up port mapping, so you probably couldn't get in. Your spirit is truly moving and admirable! You're simply a Lei Feng of the new network age!
platinum replied on 2005-05-13 13:09:49
Ha, you could find a way to dial into a VPN, and I'll dial in too; that way you bypass the landlord's restriction and we have a P2P channel between us.
The problems are:
1. I don't know how to dial a VPN from Linux.
2. Even if you do, you probably couldn't dial in from Linux, because my VPN only authenticates and encrypts with MPPE and compresses data with MPPC; if your Linux really has a kernel problem it may not support MPPE and MPPC yet, and then you couldn't dial in.
You could get a Windows box to dial in and then map TCP/22 to your Linux.
If you can dial into the VPN and expose Linux's TCP/22 on the VPN address, I'll give you an account.
ljily000 replied on 2005-05-13 17:56:16
Argh!
Damn! Typed for ages and it was all lost, "invalid session"!
I'd finally managed to draw a diagram, and that's gone too. Sigh!
Thanks brother Platinum, that idea would work, but I don't know how to do port mapping on M$ Windows; it isn't like Linux where one iptables does it. M$ treats us like fools.
My QQ: 83246680
ljily000 replied on 2005-05-15 21:16:44
Brother Platinum, I've added you.
I've been out of town these past few days; I'll get this sorted when I'm back tomorrow.
ljily000 replied on 2005-05-17 14:03:42
After reinstalling the system and redoing everything, the problem is solved!
The OS is FC2, kernel 2.6.6, pppd 2.4.3, pptpd 1.2.1.
Entirely following tjyihui's method!
But there are a few points to watch:
1. FC2 installs pppd 2.4.1 by default. Remove it cleanly with rpm -e pppd-2.4.1 (rpm won't remove everything for you), then run locate ppp|grep 2.4.1 and delete all of those completely; otherwise you keep getting the error I had before! (I suffered for this, sweat!!!)
2. It took several kernel compiles before it worked; my feeling is to mark everything under file systems with *
3. A correct options.pptpd is essential; see brother Platinum's post (thanks, brother Platinum).
4. After all that, troubleshoot from the log. It seemed the pppd install path was wrong: I had installed directly with ./configure & make & make install and had this problem; the files under /usr/local/sbin and /usr/local/lib need to be cp'd to /usr/sbin and /usr/lib. This step is fairly simple, just follow the hints in the log.
Also, one spot in tjyihui's post is off (probably a slip of the pen): // patch ppp
#patch -p0 -i ppp-2.4.3-mppe-mppc-1.1.patch.gz
......
// patch the kernel source
#patch -p0 -i linux-2.6.6-mppe-mppc-1.0.patch.gz
The correct form should drop the .gz after patch, otherwise how could it patch anything; newbies take note, old hands see it at a glance.
Sweat......!
Thanks brother Platinum!
Off to eat!
ljily000 replied on 2005-05-17 14:27:03
One more question: after pptpd starts, why does it show a maximum of 6 clients supported? Before doing MPPE-MPPC it supported 51 clients. Where can this be changed?
How do I change the maximum number of clients?