CERN VPN pilot setup on CERN Linux 7.2.1/7.3.1¶
Prerequisites
- Read CERN VPN pilot documentation.
- VPN pilot registration (VPN registration page)
-
Kernel support for MPPE protocol (Microsoft Point-to-Point Encryption)
-
PPP daemon support for MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) and MPPE
- PPTP software (Point-to-Point Tunneling Protocol)
-
Working Internet connection ;-)
We cannot provide that, you must setup it yourself ;-)... (Please note that 33Kbps modem connection will work ... but SLOW, MPPE encryption adds significient overhead ..)
Precompiled (for Red Hat Linux 7.2) kernel, pptp-linux and ppp rpms are available at:
/afs/cern.ch/project/linux/redhat/pilot/vpn-pptp/RPMS/
Source rpms for above are available at:
/afs/cern.ch/project/linux/redhat/pilot/vpn-pptp/SRPMS/.
Patches applied to the standard Red Hat packages are here: /afs/cern.ch/project/linux/redhat/pilot/vpn-pptp/patches/
(In case you would like to try on a system different than CERN Linux 7.2.1/7.3.1)
Setup
so if you are using this distribution please skip to PPTP configuration section.
Once you've downloaded all above software proceed (as root on your machine) to the
Software installation
Install the kernel:
# rpm -ivh yourkernel-version.rpm
(It will be installed in addition to your current kernel)
Install the pppd:
# rpm -Uvh ppp-*.cernmppe.i386.rpm
(It will REPLACE your current ppp software)
Install pptp-linux:
# rpm -ivh pptp-linux*rpm
Don't forget to edit your /etc/modules.conf file: Add a line saying:
alias ppp-compress-18 ppp_mppe
there.
Next reboot your machine and select 2.4.9-31.1.cernmppe kernel on GRUB
boot selection screen. (you can make this kernel the default one editing
/etc/grub.conf).
PPTP configuration
Following is a screen dump of configuration utility. User input is marked in green.
[root@zlom root]# /usr/sbin/pptp-command
1.) start
2.) stop
3.) setup
4.) quit
What task would you like to do?: 3
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 1
1.) List CHAP secrets
2.) Add a New CHAP secret
3.) Delete a CHAP secret
4.) Quit
?: 2
Add a NEW CHAP secret.
NOTE: Any backslashes (\) must be doubled (\\).
Local Name:
This is the 'local' identifier for CHAP authentication.
NOTE: If the server is a Windows NT machine, the local name
should be your Windows NT username including domain.
For example:
domain\\username
Local Name: CERN\\nicelogin
Remote Name:
This is the 'remote' identifier for CHAP authentication.
In most cases, this can be left as the default. It must be
set if you have multiple CHAP secrets with the same local name
and different passwords. Just press ENTER to keep the default.
Remote Name [PPTP]:PPTP
Password:
This is the password or CHAP secret for the account specified. The
password will not be echoed.
Password: ************* (your NICE password)
Adding secret CERN\\nicelogin PPTP ***********
1.) List CHAP secrets
2.) Add a New CHAP secret
3.) Delete a CHAP secret
4.) Quit
?: 4
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 4
Add a NEW PPTP Tunnel.
1.) Other
Which configuration would you like to use?: 1
Tunnel Name: CERNVPN
Server IP: cernvpn.cern.ch
What route(s) would you like to add when the tunnel comes up?
This is usually a route to your internal network behind the PPTP server.
You can use TUNNEL_DEV and DEF_GW as in /etc/pptp.d/ config file
TUNNEL_DEV is replaced by the device of the tunnel interface.
DEF_GW is replaced by the existing default gateway.
The syntax to use is the same as the route(8) command.
Enter a blank line to stop.
route: add -host cernvpn.cern.ch gw DEF_GW
route: add -net 137.138.0.0 netmask 255.255.0.0 TUNNEL_DEV
route: add -net 128.141.0.0 netmask 255.255.0.0 TUNNEL_DEV
route: add -net 128.142.0.0 netmask 255.255.0.0 TUNNEL_DEV
route: add -net 172.17.0.0 netmask 255.255.0.0 TUNNEL_DEV
route:
Local Name and Remote Name should match a configured CHAP or PAP secret.
Local Name is probably your NT domain\username.
NOTE: Any backslashes (\) must be doubled (\\).
Local Name: CERN\\nicelogin
Remote Name [PPTP]: PPTP
Adding CERNVPN - cernvpn.cern.ch - CERN\\nicelogin - PPTP
Added tunnel CERNVPN
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 7
1.) CERNVPN
2.) cancel
Which tunnel do you want to be the default?: 1
1.) Manage CHAP secrets
2.) Manage PAP secrets
3.) List PPTP Tunnels
4.) Add a NEW PPTP Tunnel
5.) Delete a PPTP Tunnel
6.) Configure resolv.conf
7.) Select a default tunnel
8.) Quit
?: 8
[root@zlom root]#
Notes:
- Above configuration encrypts and routes through the tunnel
ONLY your communication channels to certain CERN networks.Please make sure
you route to all CERN networks that have services you are interested in.
The full list of CERN networks can be found on the
IT-CS groub web page.
All other traffic from your machines goes unencrypted over your internet connection to the provider. - some of the CERN networks use the non-routed reserved IP address blocks (10.X.X.X, 192.168.X.X). These may overlap with the IP address assigned to you by your ISP, and we recommend against adding them to your list above as results will be unpredictable.
- Your NICE password is stored in CLEARTEXT in /etc/ppp/chap-secrets. (This could be a security problem on multiuser machines)
Test it
Run
[root@zlom root]# /usr/sbin/pptp-command start
You should see the output similar to the following:
Route: add -host 137.138.143.164 gw 80.13.182.1 added Route: add -net 137.138.0.0 netmask 255.255.0.0 ppp1 added Route: add -net 128.141.0.0 netmask 255.255.0.0 ppp1 added Route: add -net 128.142.0.0 netmask 255.255.0.0 ppp1 added All routes added. Tunnel CERNVPN is active on ppp1. IP Address: 137.138.143.183
To verify that your tunnel is running you may try:
root@zlom root]# /usr/sbin/traceroute www.cern.ch traceroute to webr2.cern.ch (137.138.28.230), 30 hops max, 38 byte packets 1 cernvpn01-001.cern.ch (137.138.143.180) 66.175 ms 68.493 ms 71.940 ms 2 b513-c-rca86-2-ip72.cern.ch (137.138.143.129) 71.880 ms 68.527 ms 74.645 ms 3 b513-b-rca86-1-bb2.cern.ch (194.12.131.9) 77.874 ms 67.394 ms 76.174 ms 4 b513-c-rca86-1-bb1.cern.ch (194.12.131.6) 71.495 ms 68.100 ms 75.457 ms 5 webr2.cern.ch (137.138.28.230) 74.147 ms 68.103 ms 73.500 ms
Your first hop on the route should be named cernvpn01-XXX.
To stop the tunnel use:
[root@zlom root]# /usr/sbin/pptp-command stop Sending HUP signal to PPTP processes... [root@zlom root]#
To see the tunnel state use:
[root@zlom root]# /usr/sbin/pptp-command status There is probably not a pptp tunnel up [root@zlom root]#
(As you may see even on the above output the detection is somehow flaky ...)
NOTE:pptp-command is not very clever: watchout for multiple starting
of the tunnel ...
Troubleshooting
- Are you registered ?
- Have you supplied correct NICE userid and password ?
- Is your underlying internet connection working ?
- Remeber: VPN pilot server serves only a COUPLE of connections simultaneously: retry later ..
- Maybe the server isn't working at the time you try ? REMEMBER: this is PILOT not regular service
- Debug your connection attempts:
Add debug keyword in /etc/ppp/options.pptp
Edit your /etc/syslog.conf to contain line: . /var/log/messages
restart syslog: /sbin/service syslog restart
Watch the debug output:tail -f /var/log/messages
during subsequent attempts
-
Consult the documentation: http://pptpclient.sourceforge.net.
-
What works over the tunnel?: Everything using IP should work - let me know about any exceptions you find ..
Support
In case of problems please report to linux.support@cern.ch - and please include output from /var/log/messages - after switching on debugging following the recipe above !):