Testing the Connection Creating a VPN with PPP and SSH
8.5 Troubleshooting Problems
Now let us assume that everything didnt go as smoothly as planned. There are several points of failure along the way, but fortunately there are some good ways to pinpoint the problem.8.5.1 Errors from the VPN Script
The following are errors that might occur when you execute the VPN script. All of these errors should appear directly on the screen. When looking at these errors, its important to remember the essentials of what the VPN script does: it redirects a pseudo-terminal, launches the PPP daemon on the slave using SSH, launches the PPP daemon on the master, and sets up routing on both the master and slave. FAILED If you see this message, pty-redir failed to get a valid pseudo-terminal. You should check the contents of the tmpdevice file and see if its empty. If it exists but is empty, and you actually saw pty-redir spit out a device name when you ran it by hand earlier, STDERR output may not be redirected to that file. You will have to add a 2 as we showed under Section 8.4.2.7 . SIOCADDR: Network is unreachable This is a message from one of the route commands. It can mean there is a mistake either in one of the IP addresses or networks in the VPN script settings, or in the slaves route script. Or it could mean that a PPP connection was never successfully started, in which case youll need to check the logs see Section 8.5.2 . SIOCADDRT: Operation not permitted This is also a message from one of the route commands. It means that youre not allowed to execute the route command in order to add a route, and is probably taking place on the slave. You should double-check your sudoers file on the slave to make sure that your master account has permission to execute the route command as root.8.5.2 Connection Problems
If you get the Network is unreachable error from the VPN script, you might want to look at a process list on the slave using the ps command to see if the PPP daemon is running. If it isnt, either the SSH connection wasnt completely successful, or the PPP daemon failed to start up. The best place to look for problems with both of these is in varadmmessages on the slave. A normal ssh and pppd startup on the slave should look like this in the logs: Jun 6 04:01:40 slave-lan sshd[18745]: log: Connection from 1.0.0.1 port 1 Jun 6 04:01:41 slave-lan sshd[18745]: log: RSA authentication for vpn1 accepted Jun 6 04:01:41 slave-lan sshd[18747]: log: executing remote command as user vpn1 141 Jun 6 04:01:41 slave-lan sudo: vpn1 : TTY=ttyp1 ; PWD=homevpn1 ; USER=root Jun 6 04:01:41 slave-lan pppd[18747]: pppd 2.2.0 started by vpn1, uid 0 Jun 6 04:01:41 slave-lan pppd[18747]: Using interface ppp0 Jun 6 04:01:41 slave-lan pppd[18747]: Connect: ppp0 -- devttyp1 Jun 6 04:01:53 slave-lan pppd[18747]: local IP address 192.168.1.2 Jun 6 04:01:53 slave-lan pppd[18747]: remote IP address 192.168.1.1 As you can see, the SSH daemon output says that authentication is accepted, and sudo successfully launches the PPP daemon as root for vpn1. The PPP daemon is started up on the slave, then its started up on the master communicating with ttyp1, which is the SSH connection, which also assigns IP addresses.8.5.2.1 Debugging an SSH connection
A failed SSH connection will give you the following error in the messages log: fatal: Connection closed by remote host . If this log indicates problems with the SSH connection, try connecting to the master from the slave using ssh -l vpn1 -v . That will give you verbose output of whats going on when you attempt to connect. Here are some common errors: Server refused our key This means that the public key of the account on the master attempting to make the connection e.g., root doesnt exist in the authorized_keys file of the account on the slave e.g., vpn1. The solution is to copy the public key from roots identity.pub file into vpn1s authorized_keys file. Server refused our rhosts authentication or host key This means that the server isnt in the .rhosts file or found in a known_hosts file. Add the server to either one, or both. As we said earlier in Section 8.2 , some implementations of shadow passwords may not work with SSH. Although its compatible with most of the major methods, including those used by Solaris, Ultrix, SCO, Irix, and Linux, there may be some that it doesnt recognize or know how to handle. You may not notice any problems at compile time, and will only see them when you attempt to make a connection using password authentication and are denied login. At this point your two options are to attempt to add the appropriate code yourself found in the configure.in and auth-passwd.c files, or to send a query to the SSH mailing list or the programs author. See the upcoming Section 8.5.3 for more on this.8.5.2.2 Debugging a PPP connection
If it looks like SSH has started successfully, but PPP never starts, there are two things you need to check: sudo and pppd. The first thing to do is see if sudo executed successfully in the messages file. If you need more information, check for failures in syslog, which will typically look like this:Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more