Skip to content

CERN VPN pilot setup on CERN Linux 7.2.1/7.3.1

Prerequisites

  • Read CERN VPN pilot documentation.
  • VPN pilot registration (VPN registration page)
  • Kernel support for MPPE protocol (Microsoft Point-to-Point Encryption)
  • PPP daemon support for MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) and MPPE
  • PPTP software (Point-to-Point Tunneling Protocol)
  • Working Internet connection ;-)
    We cannot provide that, you must setup it yourself ;-)... (Please note that 33Kbps modem connection will work ... but SLOW, MPPE encryption adds significient overhead ..)



Precompiled (for Red Hat Linux 7.2) kernel, pptp-linux and ppp rpms are available at: /afs/cern.ch/project/linux/redhat/pilot/vpn-pptp/RPMS/

Source rpms for above are available at: /afs/cern.ch/project/linux/redhat/pilot/vpn-pptp/SRPMS/.

Patches applied to the standard Red Hat packages are here: /afs/cern.ch/project/linux/redhat/pilot/vpn-pptp/patches/
(In case you would like to try on a system different than CERN Linux 7.2.1/7.3.1)

Setup

Please note: CERN Linux 7.3.1 distribution includes all necessary software
so if you are using this distribution please skip to PPTP configuration section.

Once you've downloaded all above software proceed (as root on your machine) to the

Software installation

Install the kernel:
# rpm -ivh yourkernel-version.rpm
(It will be installed in addition to your current kernel)
Install the pppd:
# rpm -Uvh ppp-.cernmppe.i386.rpm
(It will REPLACE your current ppp software)
Install pptp-linux:
# rpm -ivh pptp-linuxrpm

Don't forget to edit your /etc/modules.conf file: Add a line saying:
alias ppp-compress-18 ppp_mppe
there.
Next reboot your machine and select 2.4.9-31.1.cernmppe kernel on GRUB boot selection screen. (you can make this kernel the default one editing /etc/grub.conf).

PPTP configuration

Following is a screen dump of configuration utility. User input is marked in green.
[root@zlom root]# /usr/sbin/pptp-command
1.) start
2.) stop
3.) setup
4.) quit
What task would you like to do?: 3
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 1
1.) List CHAP secrets
2.) Add a New CHAP secret
3.) Delete a CHAP secret
4.) Quit
?: 2
Add a NEW CHAP secret.

NOTE: Any backslashes () must be doubled (\).

Local Name:

This is the 'local' identifier for CHAP authentication.

NOTE: If the server is a Windows NT machine, the local name should be your Windows NT username including domain. For example:

              domain\\username

Local Name: CERN\nicelogin

Remote Name:

This is the 'remote' identifier for CHAP authentication. In most cases, this can be left as the default. It must be set if you have multiple CHAP secrets with the same local name and different passwords. Just press ENTER to keep the default.

Remote Name [PPTP]:PPTP

Password:

This is the password or CHAP secret for the account specified. The password will not be echoed.

Password: *** (your NICE password) Adding secret CERN\nicelogin PPTP ***

1.) List CHAP secrets 2.) Add a New CHAP secret 3.) Delete a CHAP secret 4.) Quit ?: 4 1.) Manage CHAP secrets 2.) Manage PAP secrets 3.) List PPTP Tunnels 4.) Add a NEW PPTP Tunnel 5.) Delete a PPTP Tunnel 6.) Configure resolv.conf 7.) Select a default tunnel 8.) Quit ?: 4

Add a NEW PPTP Tunnel.

1.) Other Which configuration would you like to use?: 1 Tunnel Name: CERNVPN Server IP: cernvpn.cern.ch What route(s) would you like to add when the tunnel comes up? This is usually a route to your internal network behind the PPTP server. You can use TUNNEL_DEV and DEF_GW as in /etc/pptp.d/ config file TUNNEL_DEV is replaced by the device of the tunnel interface. DEF_GW is replaced by the existing default gateway. The syntax to use is the same as the route(8) command. Enter a blank line to stop. route: add -host cernvpn.cern.ch gw DEF_GW route: add -net 137.138.0.0 netmask 255.255.0.0 TUNNEL_DEV route: add -net 128.141.0.0 netmask 255.255.0.0 TUNNEL_DEV route: add -net 128.142.0.0 netmask 255.255.0.0 TUNNEL_DEV route: add -net 172.17.0.0 netmask 255.255.0.0 TUNNEL_DEV route: Local Name and Remote Name should match a configured CHAP or PAP secret. Local Name is probably your NT domain\username. NOTE: Any backslashes () must be doubled (\).

Local Name: CERN\nicelogin Remote Name [PPTP]: PPTP Adding CERNVPN - cernvpn.cern.ch - CERN\nicelogin - PPTP Added tunnel CERNVPN 1.) Manage CHAP secrets 2.) Manage PAP secrets 3.) List PPTP Tunnels 4.) Add a NEW PPTP Tunnel 5.) Delete a PPTP Tunnel 6.) Configure resolv.conf 7.) Select a default tunnel 8.) Quit ?: 7 1.) CERNVPN 2.) cancel Which tunnel do you want to be the default?: 1 1.) Manage CHAP secrets 2.) Manage PAP secrets 3.) List PPTP Tunnels 4.) Add a NEW PPTP Tunnel 5.) Delete a PPTP Tunnel 6.) Configure resolv.conf 7.) Select a default tunnel 8.) Quit ?: 8 [root@zlom root]#

Notes:
  • Above configuration encrypts and routes through the tunnel ONLY your communication channels to certain CERN networks.Please make sure you route to all CERN networks that have services you are interested in. The full list of CERN networks can be found on the IT-CS groub web page.
    All other traffic from your machines goes unencrypted over your internet connection to the provider.

  • some of the CERN networks use the non-routed reserved IP address blocks (10.X.X.X, 192.168.X.X). These may overlap with the IP address assigned to you by your ISP, and we recommend against adding them to your list above as results will be unpredictable.
  • Your NICE password is stored in CLEARTEXT in /etc/ppp/chap-secrets. (This could be a security problem on multiuser machines)

Test it

Run
[root@zlom root]# /usr/sbin/pptp-command start
You should see the output similar to the following:
Route: add -host 137.138.143.164 gw 80.13.182.1 added
Route: add -net 137.138.0.0 netmask 255.255.0.0 ppp1 added
Route: add -net 128.141.0.0 netmask 255.255.0.0 ppp1 added
Route: add -net 128.142.0.0 netmask 255.255.0.0 ppp1 added
All routes added.
Tunnel CERNVPN is active on ppp1.  IP Address: 137.138.143.183
To verify that your tunnel is running you may try:
root@zlom root]# /usr/sbin/traceroute www.cern.ch
traceroute to webr2.cern.ch (137.138.28.230), 30 hops max, 38 byte packets
 1  cernvpn01-001.cern.ch (137.138.143.180)  66.175 ms  68.493 ms  71.940 ms
 2  b513-c-rca86-2-ip72.cern.ch (137.138.143.129)  71.880 ms  68.527 ms  74.645 ms
 3  b513-b-rca86-1-bb2.cern.ch (194.12.131.9)  77.874 ms  67.394 ms  76.174 ms
 4  b513-c-rca86-1-bb1.cern.ch (194.12.131.6)  71.495 ms  68.100 ms  75.457 ms
 5  webr2.cern.ch (137.138.28.230)  74.147 ms  68.103 ms  73.500 ms
Your first hop on the route should be named cernvpn01-XXX.
To stop the tunnel use:
[root@zlom root]# /usr/sbin/pptp-command stop
Sending HUP signal to PPTP processes...
[root@zlom root]#
To see the tunnel state use:
[root@zlom root]# /usr/sbin/pptp-command status
There is probably not a pptp tunnel up
[root@zlom root]#
(As you may see even on the above output the detection is somehow flaky ...)
NOTE:pptp-command is not very clever: watchout for multiple starting of the tunnel ...

Troubleshooting

- Are you registered ?
- Have you supplied correct NICE userid and password ?
- Is your underlying internet connection working ?
- Remeber: VPN pilot server serves only a COUPLE of connections simultaneously: retry later ..
- Maybe the server isn't working at the time you try ? REMEMBER: this is PILOT not regular service
- Debug your connection attempts:
Add debug keyword in /etc/ppp/options.pptp
Edit your /etc/syslog.conf to contain line: *.* /var/log/messages
restart syslog: /sbin/service syslog restart
Watch the debug output:tail -f /var/log/messages
during subsequent attempts

- Consult the documentation: http://pptpclient.sourceforge.net.
- What works over the tunnel?: Everything using IP should work - let me know about any exceptions you find ..

Support

In case of problems please report to linux.support@cern.ch - and please include output from /var/log/messages - after switching on debugging following the recipe above !):