From: Michael S. L. <mi...@ha...> - 2008-09-11 20:28:23

We're running into a problem here where only one person at a time can connect to our PopTop server if they are sharing the same ISP connection. Previous posters to this list asking about this problem have been told that it's due to poor NATing by the broadband router that the clients are behind. Is this true? If so, can someone please suggest a broadband router that does the NATing correctly? The current situation of only one person at a time being able to connect is intolerable for our remote office.
From: Ali Sadeghi-A. <ali...@ya...> - 2008-09-11 20:38:48

Are they also using the same username/passwords? If yes, this may be it.

Ali

Regards,
Ali Sadeghi Ardestani

--- On Fri, 9/12/08, Michael St. Laurent <mi...@ha...> wrote:
> From: Michael St. Laurent <mi...@ha...>
> Subject: [Poptop-server] Multiple PPTP VPN connections from behind same ISP connection
> To: pop...@li...
> Date: Friday, September 12, 2008, 12:57 AM
From: Ali Sadeghi-A. <ali...@ya...> - 2008-09-11 20:44:00

Actually I back what I said before, right now as we speak, we are using a single poptop server with multiple clients connecting from the same ISP with the same user name and password, we are using the same valid IP address too and using windows connection sharing as router.

Regards,
Ali Sadeghi Ardestani

--- On Fri, 9/12/08, Ali Sadeghi-Ardestani <ali...@ya...> wrote:
> From: Ali Sadeghi-Ardestani <ali...@ya...>
> Subject: Re: [Poptop-server] Multiple PPTP VPN connections from behind same ISP connection
> To: pop...@li..., "Michael St. Laurent" <mi...@ha...>
> Date: Friday, September 12, 2008, 1:08 AM
>
> Are they also using the same username/passwords? If yes, this may be it.
>
> Ali
>
> Regards,
> Ali Sadeghi Ardestani
>
> --- On Fri, 9/12/08, Michael St. Laurent <mi...@ha...> wrote:
>> From: Michael St. Laurent <mi...@ha...>
>> Subject: [Poptop-server] Multiple PPTP VPN connections from behind same ISP connection
>> To: pop...@li...
>> Date: Friday, September 12, 2008, 12:57 AM
From: Jakob C. <jc...@in...> - 2008-09-11 20:57:03

Ali Sadeghi-Ardestani wrote:
> Actually I back what I said before, right now as we speak, we are
> using a single poptop server with multiple clients connecting from the
> same ISP with the same user name and password, we are using the same
> valid IP address too and using windows connection sharing as router.

What do you mean by "valid IP address"? The address you are connecting to (i.e. the Poptop server's external address) or the external address of the place you are connecting from?

JC
From: Jakob C. <jc...@in...> - 2008-09-11 20:44:19

Michael St. Laurent wrote:
> We're running into a problem here where only one person at a time can
> connect to our PopTop server if they are sharing the same ISP
> connection. Previous posters to this list asking about this problem
> have been told that it's due to poor NATing by the broadband router that
> the clients are behind. Is this true? If so can someone please suggest
> a broadband router that does the NATing correctly? The current
> situation of only one person at a time being able to connect is
> intolerable for our remote office.

This is not a question of the NAT router you are using but a direct consequence of using a layer 2 protocol for the VPN, like PPP. It is impossible for any NAT router to distinguish between the two connections; the later one will always "win". If this is a problem, you need to switch to another VPN technology that uses TCP as transport medium, such as IPSec or SSL. These have other drawbacks, though; for example, with IPSec it is impossible to route an arbitrary network via the VPN, it transports only the exact networks given in the configuration on both ends.

Another solution would be to supply your road warriors with wireless (mobile) card connections so that they do not rely on an existing connection at all.

Yours,
Jakob Curdes
From: Michael S. L. <mi...@ha...> - 2008-09-11 21:18:17

Yes, it does actually. If the NAT is smart enough to masquerade the call number then Poptop can tell the two data streams apart.

-----Original Message-----
From: Jakob Curdes [mailto:jc...@in...]
Sent: Thursday, September 11, 2008 1:44 PM
To: Michael St. Laurent
Cc: pop...@li...
Subject: Re: [Poptop-server] Multiple PPTP VPN connections from behind same ISP connection
From: James C. <jam...@hp...> - 2008-09-12 04:57:43

On Thu, Sep 11, 2008 at 02:17:53PM -0700, Michael St. Laurent wrote:
> Yes, it does actually. If the NAT is smart enough to masquerade the
> call number then Poptop can tell the two data streams apart.

Depends on the kernel providing the GRE packet to all instances of pptpd ... the relevant code is here in pptpd:

pptpgre.c:369

    if (header->call_id != GET_VALUE(PAC, gre.call_id_pair)) {
        /*
         * Discard silently to allow more than one GRE tunnel from
         * the same IP address in case clients are behind the
         * firewall.
         *
         * syslog(LOG_ERR, "GRE: Discarding for incorrect call");
         */
        return 0;
    }

--
James Cameron http://quozl.netrek.org/
HP Open Source, Volunteer http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/
From: James C. <jam...@hp...> - 2008-09-12 06:22:18

On Fri, Sep 12, 2008 at 08:19:11AM +0200, Jakob Curdes wrote:
> So what is necessary to have that functionality in a linux kernel?

Isn't it already there? I don't know, myself.

--
James Cameron http://quozl.netrek.org/
HP Open Source, Volunteer http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/
From: Jakob C. <jc...@in...> - 2008-09-12 06:58:42

James Cameron wrote:
> On Fri, Sep 12, 2008 at 08:19:11AM +0200, Jakob Curdes wrote:
>> So what is necessary to have that functionality in a linux kernel?
>
> Isn't it already there? I don't know, myself.

I just know that I never managed to get such a double NAT connection working from any router. I always saw this as a principal problem.

JC
From: MSN <ms...@vt...> - 2008-09-12 09:20:52

Here is what I got.

1. Same ISP and different public IP address, which means different lines: works fine.
2. Same ISP and same public IP address, which means that you are using some sort of router or firewall which NATs your private IP address: depends on your router or firewall.

If you are suffering from reason #2, you have to check your routers. Some poor NATing machines cannot pass the VPN packets through correctly, or cannot pass them at all.

----- Original Message -----
From: "James Cameron" <jam...@hp...>
To: <pop...@li...>
Sent: Friday, September 12, 2008 3:21 PM
Subject: Re: [Poptop-server] Multiple PPTP VPN connections from behind same ISP connection
From: Charlie B. <cha...@e-...> - 2008-09-16 21:04:46

On Fri, 12 Sep 2008, James Cameron wrote:
> On Thu, Sep 11, 2008 at 02:17:53PM -0700, Michael St. Laurent wrote:
> > Yes, it does actually. If the NAT is smart enough to masquerade the
> > call number then Poptop can tell the two data streams apart.
>
> Depends on the kernel providing the GRE packet to all instances of pptpd
> ... the relevant code is here in pptpd:
> pptpgre.c:369
>
>     if (header->call_id != GET_VALUE(PAC, gre.call_id_pair)) {
>         /*
>          * Discard silently to allow more than one GRE tunnel from
>          * the same IP address in case clients are behind the
>          * firewall.
>          *
>          * syslog(LOG_ERR, "GRE: Discarding for incorrect call");
>          */
>         return 0;
>     }

My expectation is that each of the pptpd instances which has a GRE socket open with the same source and destination address will be competing to read the packets. Each will discard the packets which aren't intended for it.

I've often wondered whether the linux socket filter (http://www.linuxjournal.com/article/4659) could be used to select which incoming packets are presented to which instance of the socket, but I've never tried it, and it looks like the filter installs too low down in the protocol stack.

This article http://www.planet-lab.org/doc/vnet suggests that sin_port can be used with bind() to associate a call-id with a particular GRE socket. I notice that we don't do that, and use 0:

    ...
    addr.sin_family = AF_INET;
    addr.sin_addr = inetaddrs[0];
    addr.sin_port = 0;
    if (bind(gre_fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
        syslog(LOG_ERR, "GRE: bind() failed: %s", strerror(errno));
        syslog(LOG_ERR, "GRE: continuing, but may not work if multi-homed");
    }
    ...
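As an added example (not pptpd's own code, and not from anyone on this thread): a parser for the PPTP enhanced-GRE header of RFC 2637, with the same call-ID filter as the pptpgre.c check James quoted, applied across several instances the way Charlie describes, so that exactly one instance keeps each packet and the rest discard it. The header layout and constants (protocol 0x880B, version 1, the K/S/A flag bits) are from RFC 2637; the sample packet, PPP bytes and call IDs are constructed.

```c
/* Added example, not pptpd's own code: parse a PPTP enhanced-GRE header
 * (RFC 2637) and apply the per-instance call-ID filter that the quoted
 * pptpgre.c check performs, as if several pptpd children each received a
 * copy of every GRE packet from the kernel. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define GRE_PROTO_PPP 0x880B   /* protocol type used by PPTP */
#define GRE_FLAG_K    0x2000   /* Key present: payload length + call ID */
#define GRE_FLAG_S    0x1000   /* sequence number present */
#define GRE_FLAG_A    0x0080   /* acknowledgement number present */
#define GRE_VER_MASK  0x0007   /* enhanced GRE is version 1 */

struct gre_hdr { uint16_t flags, protocol, payload_len, call_id; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the header length, or -1 if this is not a PPTP enhanced-GRE packet. */
int parse_pptp_gre(const uint8_t *pkt, size_t len, struct gre_hdr *h) {
    size_t hlen = 8;
    if (len < 8) return -1;
    h->flags = rd16(pkt);
    h->protocol = rd16(pkt + 2);
    if (h->protocol != GRE_PROTO_PPP || (h->flags & GRE_VER_MASK) != 1) return -1;
    if (!(h->flags & GRE_FLAG_K)) return -1;      /* no call ID: cannot dispatch */
    h->payload_len = rd16(pkt + 4);
    h->call_id = rd16(pkt + 6);
    if (h->flags & GRE_FLAG_S) hlen += 4;
    if (h->flags & GRE_FLAG_A) hlen += 4;
    if (len < hlen + h->payload_len) return -1;   /* truncated payload */
    return (int)hlen;
}

/* The decision the quoted pptpgre.c check makes: keep the packet only when
 * its call ID is the one this instance (the PAC) assigned, else discard. */
int instance_accepts(uint16_t pac_call_id, const uint8_t *pkt, size_t len) {
    struct gre_hdr h;
    if (parse_pptp_gre(pkt, len, &h) < 0) return 0;
    return h.call_id == pac_call_id;
}

/* How many running instances keep the packet: with distinct PAC call IDs
 * exactly one does and the rest discard it, as Charlie describes above. */
int deliveries(const uint16_t *pac_ids, int n, const uint8_t *pkt, size_t len) {
    int kept = 0;
    for (int i = 0; i < n; i++) kept += instance_accepts(pac_ids[i], pkt, len);
    return kept;
}

/* Build a constructed sample packet (K and S set, version 1) around a PPP frame. */
size_t build_packet(uint8_t *out, uint16_t call_id, uint32_t seq,
                    const uint8_t *ppp, uint16_t ppp_len) {
    uint16_t flags = GRE_FLAG_K | GRE_FLAG_S | 1;
    out[0] = (uint8_t)(flags >> 8);         out[1] = (uint8_t)flags;
    out[2] = (uint8_t)(GRE_PROTO_PPP >> 8); out[3] = (uint8_t)GRE_PROTO_PPP;
    out[4] = (uint8_t)(ppp_len >> 8);       out[5] = (uint8_t)ppp_len;
    out[6] = (uint8_t)(call_id >> 8);       out[7] = (uint8_t)call_id;
    for (int i = 0; i < 4; i++) out[8 + i] = (uint8_t)(seq >> (24 - 8 * i));
    memcpy(out + 12, ppp, ppp_len);
    return 12 + ppp_len;
}
```

Feeding one constructed packet for call ID 2 to instances holding PAC call IDs 1, 2 and 3 yields a single delivery; the other two instances drop it exactly as the quoted `return 0` does.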
From: Michael S. L. <mi...@ha...> - 2008-09-16 21:55:58

I'm willing to do testing if you folks come up with anything...
From: Michael S. L. <mi...@ha...> - 2008-09-30 16:34:53

I was just wondering if anyone is playing with this one? If so I can do any testing needed...
From: Michael S. L. <mi...@ha...> - 2008-10-01 18:15:07

> I was just wondering if anyone is playing with this one? If so I can do
> any testing needed...

Since nobody is answering I take it the answer is "No." Which leads me to my next question: Can you be bribed? ;)
From: Michael S. L. <mi...@ha...> - 2008-09-12 16:49:27

Hmmm, the kernel in use is kernel-2.6.18-92.1.6.el5, the currently available one for Red Hat Enterprise Linux 5 (repackaged as CentOS 5). The PoPToP version is 1.3.4. I checked the pptpgre.c source code file and it has the lines you indicated.

-----Original Message-----
From: pop...@li... [mailto:pop...@li...] On Behalf Of James Cameron
Sent: Thursday, September 11, 2008 9:57 PM
To: pop...@li...
Subject: Re: [Poptop-server] Multiple PPTP VPN connections from behind same ISP connection
From: Jakob C. <jc...@in...> - 2008-09-12 06:19:09

James Cameron wrote:
> On Thu, Sep 11, 2008 at 02:17:53PM -0700, Michael St. Laurent wrote:
>> Yes, it does actually. If the NAT is smart enough to masquerade the
>> call number then Poptop can tell the two data streams apart.
>
> Depends on the kernel providing the GRE packet to all instances of pptpd
> ... the relevant code is here in pptpd:

So what is necessary to have that functionality in a linux kernel?

JC