[NoCat] PPTPD out-of-order on wireless HELP

Harry Westerman hwesterman at cistron.nl
Sat Feb 1 09:28:02 EST 2003


Hello everyone,

I use my Debian Linux box as a firewall for the ADSL internet connection,
but also as my wireless access point, using the hostap driver for my Linksys
WPC11 wifi card. This works OK.

Because WEP is cracked, and ipsec (or even ipsec over l2tp) is WAY too
complex, I want to use a pptp vpn server to connect my Windows XP laptop to
the network.

So I patched the kernel, patched pppd, installed pptpd, and everything
works. I can connect to the vpn, with mppe and mschapv2. BUT: when I start
to use the connection, it only takes about a minute before the dreaded:

Feb  1 15:13:37 firewall pptpd[28381]: Discarding out-of-order packet 6209, already have 406847488
Feb  1 15:13:37 firewall pptpd[28381]: Discarding out-of-order packet 6210, already have 406847488
Feb  1 15:13:38 firewall pptpd[28381]: Discarding out-of-order packet 6211, already have 406847488
Feb  1 15:13:39 firewall pptpd[28381]: Discarding out-of-order packet 6212, already have 406847488
Feb  1 15:13:40 firewall pptpd[28381]: Discarding out-of-order packet 6213, already have 406847488

appear in the syslog of the firewall... Then the connection is killed,
of course; all packets are discarded :-(

The FAQ of pptpd says to play with the mru and mtu sizes in the
pptpd.options files, but I tried ALL values and nothing works.

I am using Debian Unstable with:
ii  pptpd          1.1.2-1.2      PoPToP Point to Point Tunneling Server

Current pptpd-options:
---------------------------------------------------------------
## SAMPLE ONLY
## CHANGE TO SUIT YOUR SYSTEM

## turn pppd syslog debugging on
#debug

## change 'servername' to whatever you specify as your server name in chap-secrets
name firewall
## change the domainname to your local domain
domain poelbos44.org

## these are reasonable defaults for WinXXXX clients
## for the security related settings
auth
#require-chap
#require-chapms
#require-chapms-v2
#+chap

##### ATTENTION #######
# These options are disabled because the stock Debian kernel as well as the
# pppd package do not support MPPE encryption. But it is recommended to patch
# your kernel and use a pppd with MPPE support if you use this package. Without
# these options, PPTP can not be considered to be safe.
+chapms
+chapms-v2
mppe-128
mppe-stateless

## Fill in your addresses
ms-dns 192.168.2.1
ms-wins 192.168.2.1

## Fill in your netmask
netmask 255.255.255.0

## some defaults
nodefaultroute
proxyarp
lock

ipparam PoPToP
lock
#mtu 1490
#mru 1490
mtu 1400
mru 1400
#multilink
#default-mru
+chap
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
require-mppe
require-mppe-stateless
-----------------------------------------------------

I have read about some other people having problems with this, but no
answers so far. Now HOW do you all secure your wireless connection? Are you
all still relying on WEP or are you guys all using ipsec??

Greetings from the Netherlands,
Harry Westerman
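
Added example, not part of the original post and not pptpd code: a small Python check that reads the "Discarding out-of-order packet" messages quoted above and tells a session whose stored sequence number sits fixed far ahead of the peer's (every packet dropped, as in the log above) from ordinary reordering. The function names and the max_reorder and min_run thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Matches the pptpd message quoted in the post; \s+ also accepts mail-wrapped lines.
LINE_RE = re.compile(
    r"pptpd\[(?P<pid>\d+)\]: Discarding out-of-order packet "
    r"(?P<seq>\d+),\s+already have (?P<have>\d+)"
)

# Constructed sample: the five syslog lines from the post, unwrapped.
SAMPLE_LOG = """\
Feb  1 15:13:37 firewall pptpd[28381]: Discarding out-of-order packet 6209, already have 406847488
Feb  1 15:13:37 firewall pptpd[28381]: Discarding out-of-order packet 6210, already have 406847488
Feb  1 15:13:38 firewall pptpd[28381]: Discarding out-of-order packet 6211, already have 406847488
Feb  1 15:13:39 firewall pptpd[28381]: Discarding out-of-order packet 6212, already have 406847488
Feb  1 15:13:40 firewall pptpd[28381]: Discarding out-of-order packet 6213, already have 406847488
"""

def parse_discards(text):
    """Return {pid: [(seq, have), ...]} for every discard message in text."""
    sessions = defaultdict(list)
    for m in LINE_RE.finditer(text):
        sessions[int(m["pid"])].append((int(m["seq"]), int(m["have"])))
    return dict(sessions)

def classify(events, max_reorder=64, min_run=3):
    """Label one session's discards as 'stuck-ahead', 'reordering', 'mixed' or 'none'.
    stuck-ahead: the stored number never changes while the peer's numbers keep
    advancing far behind it. reordering: drops within max_reorder of the stored
    number. max_reorder and min_run are assumed thresholds, not pptpd values."""
    if not events:
        return "none"
    haves = {have for _, have in events}
    seqs = [seq for seq, _ in events]
    advancing = all(b > a for a, b in zip(seqs, seqs[1:]))
    far_behind = all(have - seq > max_reorder for seq, have in events)
    if len(events) >= min_run and len(haves) == 1 and advancing and far_behind:
        return "stuck-ahead"
    if all(0 <= have - seq <= max_reorder for seq, have in events):
        return "reordering"
    return "mixed"

def report(text):
    """Classify every pptpd process (one per tunnel) found in the log text."""
    return {pid: classify(ev) for pid, ev in parse_discards(text).items()}

if __name__ == "__main__":
    for pid, verdict in report(SAMPLE_LOG).items():
        print(pid, verdict)
```
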

