# Connecting to Microsoft VPN with Kernel 2.6.7

## mtombs

I've seen a few threads about connecting to Microsoft VPN using Kernel 2.6.x, so I thought I would shove in my 2p, as I have got it working. This is what I did.

n.b. I'm using kernel 2.6.7-gentoo-r7. 

 Patch the kernel. 

I got the patch from here. Apply the patch and enable the modules like this:

```
Device Drivers --> Networking support -->
<M>  PPP (point-to-point protocol) support
<M>     PPP support for async serial ports
<M>     Microsoft PPP compression / encryption (MPPC/MPPE)
<M>     PPP over ethernet

Cryptographic Options -->
<M>     ARC4 cipher algorithm
```

Make, make modules_install, reboot. You know the drill.

Install ppp and pptpclient.

I did it by first emerging ppp and pptpclient to get all the dependencies, then  downloading the latest ppp code from here. This already contains the mppe and mppc patches, but needs to be patched for a 'bpf.h not found' error. The patch for this is /usr/portage/net-dialup/ppp/files/2.4.2/pcap.patch. Apply this to the source and configure, make, make install. 

 Configuration.

Remove the gentoo config stuff from /etc/ppp (back it up though!). It doesn't work. 

Make a new directory /etc/ppp/peers.

Make a new options.pptp. Mine looks like this:

```
lock
noauth
nobsdcomp
nodeflate
```

I then used pptp-command to set up the chap-secrets file, which looks something like this:

```
$domain\\$username    PPTP   $password
PPTP    $domain\\$username  $password
```

Then I made /etc/ppp/peers/$connectionname like this:

```
# PPTP Tunnel configuration for tunnel $connectionname
# Server IP: $servername
#
#
# Tags for CHAP secret selection
#
#pty "pptp $servername --nolaunchpppd"
name $domain\$name
remotename PPTP
require-mppe-128
#
# Include the main PPTP configuration file
#
file /etc/ppp/options.pptp
```

I have also added ppp-mppe-mppc and arc4 to /etc/modules.autoload.d/kernel-2.6, but I am sure there is a better way of doing this, in a script for instance.

I can now connect using 

```
pptp-command start $connectionname
```

Then you need to set up your routing. I want to use the vpn server to connect to other machines in the network, so I use

```
route add -net 192.168.120.0 netmask 255.255.255.0 ppp0
```

Works ok for me.  A bit messy I know but if it works...

(edited to add modules and routing info.)

----------

## k2laz

 *Quote:*   

> n.b. I'm using kernel 2.6.7-gentoo-r7.
> 
> Patch the kernel.
> 
> I got the patch from here. Apply the patch and enable the modules like this:
> ...

 

I have kernel 2.6.7-r8 but I could not find the entry for:

<M>     Microsoft PPP compression / encryption (MPPC/MPPE)

Am I missing something?  I would think r8 would have r7, but I could be wrong.  Or is this patch sold separately?  Batteries not included?   :Wink: 

Seriously, I would imagine MPPE would be important to getting VPN client working.  Any help would be appreciated.

--laz

----------

## mtombs

That's why you have to patch the kernel! mppe support is not in the standard gentoo-dev kernels.

----------

## k2laz

Thanks, I found the patch at: http://www.polbox.com/h/hs001/

I assume that is the "official" version?

Thanks,

--laz

----------

## meulie

Hi!

Does anyone know whether MPPE/MPPC support will be implemented in a package sooner or later? I'd hate to have to patch my Gentoo kernel...     :Cool: 

----------

## theonlymcc

Connected but a little confused. I get the message

```
All routes added.
Tunnel $tunnel is active on ppp0. IP address: 10.1.4.7
```

My IP through my router is 192.168.1.101. What do I need to execute to fully connect to the VPN?

```
route add -net 10.1.0.0 netmask 255.255.0.0 ppp0
```

 I did that and I cannot ping any machines on the VPN. Any advice?

----------

## mtombs

I'm no expert on routing, but I can tell you what I have. PPP creates a new network interface, so ifconfig produces:

```
ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.120.11  P-t-P:192.168.120.24  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1496  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:100 (100.0 b)  TX bytes:94 (94.0 b)
```

192.168.120.11 is the address given to me by the vpn server.  Then the route table is:

```
bash-2.05b# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.120.24  *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.120.0   *               255.255.255.0   U     0      0        0 ppp0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
```

I reckon you need to do 

```
route add -net 10.1.4.0 netmask 255.255.255.0 ppp0
```

 but I could easily be wrong.

----------

## dups

Well, I don't know what exactly I did wrong...  I had it working at one point and then something must have happened or I must have changed something because now I can't get this to work again.  It always times out on the connection no matter what connection I try.  I've played with the settings but still cannot get any results.  Tried recompiling and everything.

When I checked the logs though, this is the error I'm getting:

```
Aug  9 05:27:13 brian pppd[25103]: Using interface ppp0
Aug  9 05:27:13 brian pppd[25103]: Connect: ppp0 <--> /dev/pts/1
Aug  9 05:27:15 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:926]: PPTP_SET_LINK_INFO received from peer_callid 0
Aug  9 05:27:15 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:929]:   send_accm is 00000000, recv_accm is FFFFFFFF
Aug  9 05:27:15 brian pptp[25100]: anon warn[ctrlp_disp:pptp_ctrl.c:932]: Non-zero Async Control Character Maps are not supported!
Aug  9 05:27:19 brian pppd[25103]: MPPC compression enabled
Aug  9 05:27:19 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:926]: PPTP_SET_LINK_INFO received from peer_callid 0
Aug  9 05:27:19 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:929]:   send_accm is FFFFFFFF, recv_accm is FFFFFFFF
Aug  9 05:27:19 brian pptp[25100]: anon warn[ctrlp_disp:pptp_ctrl.c:932]: Non-zero Async Control Character Maps are not supported!
Aug  9 05:27:19 brian pppd[25103]: LCP terminated by peer (b.Ux^@<M-Mt^@^@^@^@)
Aug  9 05:27:19 brian pptp[25100]: anon log[ctrlp_disp:pptp_ctrl.c:888]: Received Call Clear Request.
Aug  9 05:27:22 brian pppd[25103]: Connection terminated.
```

Anybody know what that means by any chance?  Thanks!

----------

## stalcair

I am in a similar situation.  I have used this setup successfully and recently something caused this.  I 

```
Aug 14 14:24:25 hershey pptp[11844]: anon log[main:pptp.c:237]: The synchronous pptp option is NOT activated
Aug 14 14:24:25 hershey pptp[11847]: anon log[ctrlp_rep:pptp_ctrl.c:243]: Sent control packet type is 1 'Start-Control-Connection-Request'
Aug 14 14:24:25 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:714]: Received Start Control Connection Reply
Aug 14 14:24:25 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:748]: Client connection established.
Aug 14 14:24:26 hershey pptp[11847]: anon log[ctrlp_rep:pptp_ctrl.c:243]: Sent control packet type is 7 'Outgoing-Call-Request'
Aug 14 14:24:26 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:834]: Received Outgoing Call Reply.
Aug 14 14:24:26 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:873]: Outgoing call established (call ID 0, peer's call ID 33763).
Aug 14 14:24:26 hershey pppd[11849]: pppd 2.4.2 started by root, uid 0
Aug 14 14:24:26 hershey pppd[11849]: Using interface ppp0
Aug 14 14:24:26 hershey pppd[11849]: Connect: ppp0 <--> /dev/pts/1
Aug 14 14:24:28 hershey pptp[11847]: anon log[ctrlp_disp:pptp_ctrl.c:888]: Received Call Clear Request.
Aug 14 14:24:59 hershey pppd[11849]: LCP: timeout sending Config-Requests
Aug 14 14:24:59 hershey pppd[11849]: Connection terminated.
Aug 14 14:25:00 hershey pppd[11849]: Exit.
Aug 14 14:25:00 hershey pptp[11874]: anon warn[decaps_hdlc:pptp_gre.c:196]: short read (-1): Input/output error
Aug 14 14:25:00 hershey pptp[11874]: anon warn[decaps_hdlc:pptp_gre.c:197]: pppd may have shutdown, see pppd log
Aug 14 14:25:26 hershey pptp[11847]: anon log[pptp_send_ctrl_packet:pptp_ctrl.c:599]: write error: Broken pipe
Aug 14 14:25:26 hershey pptp[11847]: anon log[call_callback:pptp_callmgr.c:77]: Closing connection
```

I am checking what I installed since my last successful use of pptp for conflicts, nothing concrete yet.  It could be some strung out chain of libs where one had a change.  Here are some interesting things that were installed after the last time I had pptpclient working:

dev-libs/libgpg-error-0.6

dev-libs/libgcrypt-1.1.94

dev-libs/glib-2.4.4

dunno yet, but I have re-emerged ppp and pptpclient with no change.  BTW, I am using a modified ppp ebuild that uses the most recent packages from http://www.polbox.com/h/hs001/ (which ironically can't be reached at this time).  Is VPN really this much of a problem in the 2.6 Kernels for everyone else?  (I fought for a long time to get the few weeks of connectivity I did have.)

Any known work-arounds and setups outside of what "vpn for 2.6.x kernels" posts already have?

----------

## dups

I actually have resolved my problem on my own.  I was using one patch for the Kernel version and then there was a corresponding patch for pppd that I wasn't applying.  The most recent version of ppp has MPPE support already in it, but I had a patch that needed to go with my kernel patch to make it all tie together correctly.  Plus, I determined it is best to have MPPE/MPPC installed as a module instead of being built in.  Just my experience.

----------

## stalcair

I've actually rebuilt the kernel (after performing a 'make distclean'), ppp, and pptpclient and had no changes.  I also have noticed some other problems that appear to be either missing or incompatible libraries since that time as well (things that ldconfig is not solving).

I'm hoping there's one magic bullet to all this and not a complete overhaul  :Smile: 

I am going to be modifying my router soon to be the VPN tunnel so I can get to work and avoid using XP.  Yup, giving up... only so much time to spend on fixing stuff these days   :Rolling Eyes: 

----------

## macgyver

I have it working after several tries and lots of struggle. I realized that some information has already been mentioned before, but I would like to offer a reproducible recipe to see if that helps you.

Here's how I did it:

(I am trying to get this info on pptpclient's website as well instead of the dated gentoo howto)

Update your portage tree:

```
$ emerge sync
```

In order to connect to windows servers you will probably need MPPE/MPPC. The ppp-2.4.2-r2 I used is already patched for this, the kernel isn't.

Let's start by emerging ppp and pptpclient (I used ~x86):

```
$ ACCEPT_KEYWORDS="~x86" emerge ppp
$ ACCEPT_KEYWORDS="~x86" emerge pptpclient
```

After that you need to patch your kernel. Start by getting the patch  from the site below.

http://www.polbox.com/h/hs001/

After unzipping the patch, apply it:

```
/usr/src/linux $ patch -p1 < /path/to/patchfile
```

You'll need these options in your kernel:

```
Device Drivers --> Networking support -->
<M> PPP (point-to-point protocol) support
<M> PPP support for async serial ports
<M> Microsoft PPP compression / encryption (MPPC/MPPE)
<M> PPP over ethernet

Cryptographic Options -->
<M> ARC4 cipher algorithm
```

Then to the setup. You will need the following variables:

the IP address or host name of the server ($SERVER),

the name you wish to use to refer to the tunnel ($TUNNEL), 

the authentication domain name ($DOMAIN), 

the username you are to use ($USERNAME), 

the password you are to use ($PASSWORD), 

whether encryption is required.

In the steps below, substitute these values manually. For example, replace $PASSWORD with your password.

create the /etc/ppp/options.pptp file, which sets options common to all tunnels:

```
lock noauth nobsdcomp nodeflate
```

create or add lines to the /etc/ppp/chap-secrets file, which holds usernames and passwords:

```
$DOMAIN\\$USERNAME PPTP $PASSWORD *
PPTP $DOMAIN\\$USERNAME $PASSWORD *
```

Note: if you are using a PPTP Server that does not require a domain name, omit the slashes as well as the domain name.

 Note: if the passwords contain any special characters, quote them. See man pppd for more details.

create a /etc/ppp/peers/$TUNNEL file:

```
pty "pptp $SERVER --nolaunchpppd"
name $DOMAIN\\$USERNAME
# PPTP links to PPTP in chap-secrets
remotename PPTP
# indicate whether we need mschap-v2 (v1 is the default)
require-mschap-v2
# force 128-bit mppe encryption
require-mppe-128
# force 40-bit mppe encryption
require-mppe-40
# windows seems to like stateless mppe connections
nomppe-statefull
# include options.pptp
file /etc/ppp/options.pptp
```

you *should* now be able to get your tunnel up and running using

```
$ pon $TUNNEL
```

This did the trick for me, but in case it doesn't for you, you can get a bit more output by doing

```
$ pon $TUNNEL debug dump logfd 2 nodetach
```

you can then diagnose problems at http://pptpclient.sourceforge.net/howto-diagnosis.phtml

Good luck!

----------

## FreeFly42

Just FYI since I've seen a number of entries here with separate route commands...  You can embed special routing commands within the peers file for the tunnel as follows:

```
# Server IP: 2.2.2.2
# Route: add -host 172.16.32.1 dev TUNNEL_DEV
# Route: add -net 172.0.0.0 netmask 255.0.0.0 172.16.32.1 gw 172.16.32.1 dev TUNNEL_DEV
# Route: add -net 192.168.1.0 netmask 255.255.255.0 dev TUNNEL_DEV
```

More keyword substitutions are possible, see the pptp documentation for details.

----------

## mtombs

Just a quick one. The option

```
nomppe-statefull 
```

should be

```
nomppe-stateful
```

(note only one l)

bye

----------

## zaai

Excellent guide  :Smile: 

I tried following the step-by-step guide by macgyver because it uses the Gentoo ppp emerge. A very similar guide can be found here:

http://pptpclient.sourceforge.net/howto-gentoo.phtml

However I get an error running: pon myvpn

 *Quote:*   

> /usr/sbin/pppd: In file /etc/ppp/peers/myvpn: unrecognized option 'require-mppe-128'

 

I did patch the kernel, selected the right option, rebuilt, installed it with the modules and rebooted. Portage's ppp-2.4.2-r9 already has the mppe-mppc patch, correct?

lsmod includes:

```
arc4                    1920  0
ppp_mppe_mppc          15620  0
ppp_generic            29460  1 ppp_mppe_mppc
```

Any ideas?

ps: disabling this option I get the error "No auth is possible", which is as expected.

----------

## FreeFly42

The options you want to use are:

```
mppe required
mppe stateless
```

require-mppe-128 was from a previous version of ppp/mppe

I don't believe the portage ppp includes the mppe patch, I had to patch it myself.

----------

## zaai

Thanks FreeFly42, I gave it a try with the standard portage ppp-2.4.2.

There is no more warning about options and a connection attempt is made. The attempt fails with "No auth is possible". 

I'll try a patched ppp tomorrow.

macgyver wrote: *Quote:*   

> 
> 
> In order to connect to windows servers you will probably need MPPE/MPPC. The ppp-2.4.2-r2 I used is already patched for this, the kernel isn't

 

macgyver,  did you use the portage version of ppp?

update

It works, portage's ppp is already patched with mppe/mppc  :Smile: 

FreeFly you're right, with the options "mppe required" and "mppe stateless" in the peers/$TUNNEL file it works. The options "require-mppe-128", "mppe-128" and "require-mppe", as mentioned in different places, are not recognized. All these different options about enabling mppe are very confusing. It seems that every version of ppp does it differently.

The guide from mtombs has one typo: the file /etc/ppp/peers/$connectionname has the option "name $domain\$name". this must be a double-backslash: "name $domain\\$name"

So to summarize:

- Both the mtombs and macgyver guides are great, however I had to make changes for it to work.

- On Gentoo using kernel 2.6.8 or 2.6.9 the kernel needs to be patched (would be nice if the standard kernel came pre-patched  :Wink: )

- On Gentoo using ppp-2.4.2-r2 and up, ppp does not need to be patched any more. This is great, a thank-you for the ppp (ebuild) maintainer!

- the /etc/ppp/options.pptp file is fine as described by both guides

- the option 'require-mppe-128' in /etc/ppp/peers/$TUNNEL file does NOT work for me. I had to use "mppe required" and "mppe stateless". Thanks FreeFly for the tip.

- if you don't need a domain name to logon then leave out the domainname in both /etc/ppp/chap-secrets and /etc/ppp/peers/$TUNNEL.

Thanks everyone for the guides and tips   :Exclamation: 

----------
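The pitfalls collected in this thread (the `nomppe-statefull` misspelling, the single backslash in `name`, MPPE option spellings that differ between pppd builds, and the `name`/`remotename` pair that has to match a chap-secrets line) can be checked before running `pon`. The following Python linter is an added example, not code from any poster or from the ppp or pptpclient projects; the function names, the `style` argument and the sample values (vpn.example.com, CORP, jdoe, the placeholder password) are assumptions made for illustration.

```python
import re

# MPPE option spellings quoted in this thread, grouped the way the posters
# group them. Which family a pppd build accepts depends on its MPPE patch,
# so the caller passes style="old" or style="new" (assumed parameter).
OLD_STYLE = {"require-mppe", "require-mppe-40", "require-mppe-128",
             "mppe-128", "nomppe-stateful"}
TYPOS = {"nomppe-statefull": "nomppe-stateful"}

def words_per_line(text):
    """Split non-blank lines into words, dropping '#' comments (no quoting support)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def lint(peer_text, secrets_text, style):
    """Return a list of findings for one peers file and its chap-secrets."""
    findings, ident = [], {}
    for w in words_per_line(peer_text):
        key = w[0]
        if key in TYPOS:
            findings.append(f"typo: {key} should be {TYPOS[key]}")
        elif key in OLD_STYLE and style != "old":
            findings.append(f"style: {key} is old-style, use 'mppe ...'")
        elif key == "mppe" and style != "new":
            findings.append(f"style: '{' '.join(w)}' is new-style")
        elif key in ("name", "remotename") and len(w) > 1:
            ident[key] = w[1]
    name, remote = ident.get("name"), ident.get("remotename")
    # The thread's fix for 'name DOMAIN\USER' is a doubled backslash.
    if name and re.search(r"(?<!\\)\\(?!\\)", name):
        findings.append("name: single backslash, write DOMAIN\\\\USER")
    # chap-secrets columns are client, server, secret; compare as written.
    pairs = {(w[0], w[1]) for w in words_per_line(secrets_text) if len(w) >= 3}
    if name and remote and (name, remote) not in pairs:
        findings.append(f"secrets: no entry for client {name} server {remote}")
    return findings

# Constructed sample files (placeholder host, domain, user and password).
BROKEN = r'''pty "pptp vpn.example.com --nolaunchpppd"
name CORP\jdoe
remotename PPTP
require-mppe-128
nomppe-statefull
'''
FIXED = (BROKEN.replace(r"CORP\jdoe", r"CORP\\jdoe")
               .replace("require-mppe-128", "mppe required")
               .replace("nomppe-statefull", "mppe stateless"))
SECRETS = r"CORP\\jdoe PPTP placeholder-password *"

if __name__ == "__main__":
    print("\n".join(lint(BROKEN, SECRETS, "new")))
```

Pass `style="new"` for a pppd that wants `mppe required` / `mppe stateless`, and `style="old"` for one that wants the `require-mppe-*` spellings.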

