PPTPD out-of-order on wireless HELP

Yanghwee Tan tanyh at bii.a-star.edu.sg
Mon Feb 3 20:30:18 EST 2003


hi harry,

not too sure how complex do u rank ipsec.
but i've drafted a doc on ipsec over hostap,
get a peek on my "jotterbook" notes, to see
if it can assist ya to use ipsec instead.
here's the url,

  http://pachome2.pacific.net.sg/~yanghwee/sub/jotterbook.html

hope it helps.
btw, PPTP isn't tat secure either.


-Yanghwee-


On Sat, 1 Feb 2003, Harry Westerman wrote:

> Hello everyone,
>
> I use my Debian Linux box as a firewall for the adsl internet connection.
> But also as my wireless acccesspoint using the hostap driver for my Linksys
> WPC11 wifi card. This works ok.
>
> Because WEP is cracked, and ipsec (or even ipsec over l2tp) is WAY too
> complex, I want to use a pptp vpn server to connect my Windows XP laptop to
> the network.
>
> So I patched the kernel, patched pppd, installed pptpd, and everything
> works. I can connect to the vpn, with mppe and mschapv2. BUT: when I start
> to use the connection, it only takes about a minute before the dreaded:
>
> Feb  1 15:13:37 firewall pptpd[28381]: Discarding out-of-order packet 6209,
> already have 406847488
> Feb  1 15:13:37 firewall pptpd[28381]: Discarding out-of-order packet 6210,
> already have 406847488
> Feb  1 15:13:38 firewall pptpd[28381]: Discarding out-of-order packet 6211,
> already have 406847488
> Feb  1 15:13:39 firewall pptpd[28381]: Discarding out-of-order packet 6212,
> already have 406847488
> Feb  1 15:13:40 firewall pptpd[28381]: Discarding out-of-order packet 6213,
> already have 406847488
>
> appear in the syslog of the firewall... Then the connection is killed
> ofcourse, all packets are discarded :-(
>
> The FAQ of pptpd says to play with the mru and mtu sizes in the
> pptpd.options files, but I tried ALL values and nothing works.
>
> I am Using Debian Unstable with:
> ii  pptpd          1.1.2-1.2      PoPToP Point to Point Tunneling Server
>
> Current pptpd-options:
> ---------------------------------------------------------------
> ## SAMPLE ONLY
> ## CHANGE TO SUIT YOUR SYSTEM
>
> ## turn pppd syslog debugging on
> #debug
>
> ## change 'servername' to whatever you specify as your server name in
> chap-secrets
> name firewall
> ## change the domainname to your local domain
> domain poelbos44.org
>
> ## these are reasonable defaults for WinXXXX clients
> ## for the security related settings
> auth
> #require-chap
> #require-chapms
> #require-chapms-v2
> #+chap
>
> ##### ATTENTION #######
> # These options are disabled because the stock Debian kernel as well as the
> # pppd package do not support MPPE encryption. But it is recommended to
> patch
> # your kernel and use a pppd with MPPE support if you use this package.
> Without
> # these options, PPTP can not be considered to be safe.
> +chapms
> +chapms-v2
> mppe-128
> mppe-stateless
>
> ## Fill in your addresses
> ms-dns 192.168.2.1
> ms-wins 192.168.2.1
>
> ## Fill in your netmask
> netmask 255.255.255.0
>
> ## some defaults
> nodefaultroute
> proxyarp
> lock
>
> ipparam PoPToP
> lock
> #mtu 1490
> #mru 1490
> mtu 1400
> mru 1400
> #multilink
> #default-mru
> +chap
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-failure 30
> lcp-echo-interval 5
> deflate 0
> require-mppe
> require-mppe-stateless
> -----------------------------------------------------
>
> I have read about some other people having problems with this, but no
> answers so far. Now HOW do you all secure your wireless connection? Are you
> all still relying on WEP or are you guys all using ipsec??
>
> Greetings from the Netherlands,
> Harry Westerman
>
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>





More information about the HostAP mailing list