From: Phil M. <p.m...@im...> - 2006-06-15 19:29:34
Seferovic Edvin wrote:
> Excuse me! I am running a network with over 150 clients (WinXP)
> connecting to ONE poptop server! Yes, I had those troubles, and always
> there was some kind of firewall (MS or other) installed on the client
> machine and forbidding GRE protocol! I also have seen the same troubles
> when winxp firewall apparently was offline - well it wasn't - do NOT ask
> me why and how.

Same here. We have ~350 clients, the bulk of which are XP.

Poptop is not at fault here, though as Edvin says, MTU and firewall issues abound. There are many reasons you see differences. See below for info. Theoretically Poptop could take server-side measures to prevent them, but it's arguable whether that would be good or bad.

Our config follows:

/etc/pptpd.conf:

option /etc/ppp/options.pptpd
logwtmp

/etc/ppp/options.pptpd:

lock
name pptpd
asyncmap 0
-chap
-mschap
+mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
ipcp-accept-local
ipcp-accept-remote
ms-wins a.b.c.d
ms-wins e.f.g.h
ms-dns w.x.y.z
ms-dns l.m.n.o
plugin radius.so

...and TCP MSS clamping iptables rules, which are EXTREMELY IMPORTANT:

iptables -A FORWARD -i ppp+ -p tcp -m tcp --tcp-flags SYN SYN \
  -m tcpmss --mss 1301:65535 -j TCPMSS --set-mss 1300
iptables -A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN SYN \
  -m tcpmss --mss 1301:65535 -j TCPMSS --set-mss 1300

== more info ==

Things poptop does differently to a win2k VPN server (for example) and win2k VPN clients:

1. The PPP MRU option is negotiated differently, which affects the interface MTU and MSS.

2. The Linux PPP stack (specifically the MPPE code - NOT PART OF POPTOP) can collapse under some circumstances with over-MTU-sized packets - search for posts by me on this and the linux-ppp mailing list with "mppe collapse".

3. The windows PPTP stack (both server and client) does not set "dont fragment" - which means over-sized GRE payloads just get fragmented. The GRE socket poptop opens on linux sets "dont fragment", which means over-sized packets are dropped.

This is particularly an issue for people on PPPoE or other lower-MTU networks, because winXP stupidly negotiates an MRU of 1400 regardless of underlying link MTU or path MTU discovery to the server. That is - say a client is on a LAN with an upstream MTU of 1400 (there are real cases where this is so). Their XP client does not path MTU the VPN server, and negotiates an MRU of 1400, which gives GRE packets of ~1450 bytes. A poptop/linux server sends these packets with dont-frag, they hit the small-MTU hop, an ICMP error comes back and the connection drops. A windows VPN server sends with frag-ok, the router fragments them (bad - cpu hit, bugs, firewalls) and the data continues to flow.

So, as far as I can see the only thing poptop MIGHT be doing wrong (and I'm not even sure it's poptop) is creating a GRE socket with dont-frag. You could try an iptables rule to clear this and see if it helps, but rest assured - the config above DOES WORK.
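The arithmetic behind the post (an XP MRU of 1400 becoming a ~1450-byte GRE packet, and why an MSS clamp of 1300 keeps TCP under a 1400-byte path) and the SYN-only rewrite that the two TCPMSS iptables rules perform, as an added example. This is not code from the post, from poptop or from netfilter; it is a stand-alone model. Header sizes are IPv4 20 bytes, the RFC 2637 GRE header with key, sequence and ack 16 bytes, and the RFC 3078 MPPE header 4 bytes; treating the PPP protocol field as uncompressed (2 bytes) with address/control compressed away is an assumption. The SYN packets are constructed inline as sample input.

```python
# Added example, not from the original post or from poptop: PPTP/GRE
# encapsulation overhead plus the same SYN-only MSS clamp the post's
# "-m tcpmss --mss 1301:65535 -j TCPMSS --set-mss 1300" rules apply.
# Assumption: PPP protocol field uncompressed (2 bytes), ACFC in use.
import struct

IP_HDR = 20        # outer IPv4 header, no options
GRE_HDR = 16       # RFC 2637 enhanced GRE: 8 base + 4 sequence + 4 ack
PPP_PROTO = 2      # PPP protocol field (assumed uncompressed)
MPPE_HDR = 4       # RFC 3078: 0x00FD protocol + 2-byte coherency count
TCP_IP_HDRS = 40   # inner IPv4 + TCP headers, no options


def pptp_overhead():
    """Bytes wrapped around one PPP frame on the wire."""
    return IP_HDR + GRE_HDR + PPP_PROTO + MPPE_HDR


def outer_packet_size(ppp_mru):
    """GRE/IP datagram size for a full-MRU PPP frame (1400 -> 1442)."""
    return ppp_mru + pptp_overhead()


def fits_without_fragmentation(ppp_mru, path_mtu):
    """False is the post's failure case: DF set, packet exceeds a hop MTU."""
    return outer_packet_size(ppp_mru) <= path_mtu


def safe_mss(path_mtu):
    """Largest TCP MSS whose encapsulated packet still fits path_mtu."""
    return path_mtu - pptp_overhead() - TCP_IP_HDRS


def _checksum(data):
    """RFC 1071 ones-complement checksum."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(pkt, tcp):
    """Checksum of a TCP segment under the IPv4 pseudo-header of pkt."""
    pseudo = bytes(pkt[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + bytes(tcp))


def _mss_option_offset(tcp):
    """Offset of the 2-byte MSS value in a TCP header, or None if absent."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP padding
            i += 1
            continue
        if i + 1 >= doff:
            break
        length = tcp[i + 1]
        if length < 2 or i + length > doff:    # malformed option: stop
            break
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def build_syn(mss, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed sample input: IPv4 (DF set) + TCP SYN with an MSS option."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4,
                                0x02, 65535, 0, 0))
    tcp += struct.pack("!BBH", 2, 4, mss)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                               0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", _checksum(ip))
    tcp[16:18] = struct.pack("!H", _tcp_checksum(ip, tcp))
    return bytes(ip) + bytes(tcp)


def syn_mss(pkt):
    """MSS advertised in the packet's TCP options, or None."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def tcp_checksum_ok(pkt):
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    return _tcp_checksum(pkt, tcp) == 0


def clamp_syn_mss(pkt, max_mss):
    """Rewrite the MSS option of a SYN that advertises more than max_mss
    and fix the TCP checksum; any other packet is returned untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                            # not TCP
        return pkt
    tcp = bytearray(pkt[ihl:])
    if not tcp[13] & 0x02:                     # not a SYN
        return pkt
    off = _mss_option_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= max_mss:
        return pkt
    tcp[off:off + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", _tcp_checksum(pkt, tcp))
    return pkt[:ihl] + bytes(tcp)
```

With a 1400-byte path, `safe_mss(1400)` is 1318, so the post's clamp to 1300 leaves a little headroom; the SYN-only check mirrors the `--tcp-flags SYN SYN` match, and the rewrite only touches SYNs whose advertised MSS is above the limit, as the `--mss 1301:65535` range does.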