>> Иногда так умиляют люди, которые не имея опыта (или времени почитать стандарты)
>> категорично заявляют вещи о которых понятия не имеют :))
> Так пишут люди, которые слышали звон да не знают где он :) Ну, у меня в этой связке крутится около десятка VPN серверов (у разных клиентов), так что, я, думаю, что я как бы в теме. Есть ли опыт у вас деплоймента PPTP VPN'а на организации с 200-300 road warrior'ов, вот в чем вопрос :)) . Я этим на хлеб зарабатываю :).
> ПС. Без приведённых практических примеров доказывать что это возможно - просто троллить.
Ради бога, только чего приводить - все ж просто:
=== accel-ppp.conf ===
[root@vpn ~]# cat /opt/accel-ppp/config/accel-ppp.conf
# accel-ppp configuration for a PPTP/L2TP road-warrior VPN. Clients receive an
# address from 192.168.99.0/24 and then pull split-tunnel routes via DHCPINFORM
# (options 121/249) from a dnsmasq instance configured separately.
[modules]
log_syslog
# Both PPTP and L2TP are enabled. NOTE(review): no IPsec configuration is shown
# here, so L2TP would run unprotected unless IPsec is set up elsewhere — confirm.
pptp
l2tp
# MS-CHAPv2 is the only authentication module loaded (no PAP/CHAP-MD5 fallback).
# NOTE(review): MS-CHAPv2 is known to be weak — a captured challenge/response
# (visible in the tcpdump below) can be cracked offline, since its strength
# reduces to a single DES key, and the MPPE session key is derived from the
# same material. Treat PPTP/MS-CHAPv2 as legacy access, not as a strong
# confidentiality boundary.
auth_mschap_v2
ippool
sigchld
# Credentials come from a flat chap-secrets file (path set in [chap-secrets]).
chap-secrets
logwtmp
[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4
[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
# Appears to refuse an address already bound to another ppp interface — verify against accel-ppp docs.
check-ip=1
# One session per login; by its name, a new connection with the same username replaces the old one.
single-session=replace
# MPPE encryption is mandatory — sessions that cannot negotiate it are rejected.
mppe=require
ipv4=require
# IPv6 is refused; consistent with the "IPV6CP: discarding packet" line in the server log below.
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
[lcp]
# Tear down a session after 3 unanswered LCP echoes sent at 30 s intervals.
lcp-echo-interval=30
lcp-echo-failure=3
[auth]
# Both options are deliberately left commented out. Do not enable them on an
# Internet-facing server: by their names they would bypass credential checks.
#any-login=0
#noauth=0
[pptp]
echo-interval=30
echo-failure=3
verbose=1
[l2tp]
host-name=access-vpn
verbose=1
[dns]
# Internal resolvers pushed to clients.
dns1=192.168.70.251
dns2=192.168.70.252
[client-ip-range]
disable
[ip-pool]
# Server-side tunnel address; also the next hop in the option 121/249 routes served by dnsmasq.
gw-ip-address=192.168.99.254
192.168.99.1-253
[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
# Failed logins go to a dedicated file — useful for brute-force alerting or fail2ban-style blocking.
log-fail-file=/var/log/accel-ppp/auth-fail.log
log-debug=/var/log/accel-ppp/debug.log
copy=1
level=3
[chap-secrets]
gw-ip-address=192.168.99.254
# Cleartext user/password file. NOTE(review): keep it root-owned with mode 0600; permissions are not visible here.
chap-secrets=/etc/ppp/chap-secrets
[cli]
# Management CLI bound to loopback only. NOTE(review): no `password=` is set in
# this section, so any local user able to reach 127.0.0.1 can drive the CLI — confirm this is acceptable.
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001
[root@vpn ~]#
===
теперь dnsmasq, который обслуживает DHCPINFORM'ы -- я весь конфиг приводить не буду, он очень большой, нам интересен только DHCP там:
===
[root@vpn ~]# grep -E '^dhcp' /etc/dnsmasq.conf
dhcp-range=192.168.82.254,static
dhcp-option=option:router
dhcp-option=121,192.168.70.0/24,192.168.99.254,192.168.75.0/24,192.168.99.254,10.0.0.0/24,192.168.99.254
dhcp-option=249,192.168.70.0/24,192.168.99.254,192.168.75.0/24,192.168.99.254,10.0.0.0/24,192.168.99.254
dhcp-option=vendor:MSFT,2,1i
[root@vpn ~]#
===
Ну и напоследок, как оно выглядит по логам сервера (взял первую попавшуюся сессию, но потом для tcpdump'ов пришлось подымать свою):
===
Apr 24 12:46:44 vpn accel-pppd: ppp0:: connect: ppp0 <--> pptp(121.201.149.246)
Apr 24 12:46:48 vpn accel-pppd: ppp0:ariadna: ariadna: authentication successed
Apr 24 12:46:49 vpn accel-pppd: ppp0:ariadna: IPV6CP: discarding packet
Apr 24 12:46:52 vpn dnsmasq-dhcp[29573]: DHCPINFORM(ppp0) 192.168.99.145 00:00:00:01:00:00
Apr 24 12:46:52 vpn dnsmasq-dhcp[29573]: DHCPACK(ppp0) 192.168.99.145 00:00:00:01:00:00
===
и как оно выглядит со стороны сервера под tcpdump:
===
[root@vpn ~]# tcpdump -nn -i any port 67 or port 68 or port 1723 or proto gre
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
19:46:58.948885 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:64:20:3a:e2, length 278
19:47:02.367113 IP 124.185.115.30.1043 > 192.168.75.81.1723: Flags [S], seq 2289777816, win 64240, options [mss 1460,nop,nop,sackOK], length 0
19:47:02.367200 IP 192.168.75.81.1723 > 124.185.115.30.1043: Flags [S.], seq 2009373118, ack 2289777817, win 14600, options [mss 1460,nop,nop,sackOK], length 0
19:47:02.384393 IP 124.185.115.30.1043 > 192.168.75.81.1723: Flags [P.], seq 1:157, ack 1, win 64240, length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT)
19:47:02.384446 IP 192.168.75.81.1723 > 124.185.115.30.1043: Flags [.], ack 157, win 15544, length 0
19:47:02.384694 IP 192.168.75.81.1723 > 124.185.115.30.1043: Flags [P.], seq 1:157, ack 157, win 15544, length 156: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(cananian)
19:47:02.396551 IP 124.185.115.30.1043 > 192.168.75.81.1723: Flags [P.], seq 157:325, ack 157, win 64084, length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(1043) CALL_SER_NUM(8705) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
19:47:02.396710 IP 192.168.75.81.1723 > 124.185.115.30.1043: Flags [P.], seq 157:189, ack 325, win 16616, length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(36) PEER_CALL_ID(1043) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0)
19:47:02.397171 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 1, length 35: LCP, Conf-Request (0x01), id 1, length 21
19:47:02.415255 IP 124.185.115.30.1043 > 192.168.75.81.1723: Flags [P.], seq 325:349, ack 189, win 64052, length 24: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(36) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
19:47:02.422925 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 0, length 37: LCP, Conf-Request (0x01), id 0, length 23
19:47:02.454492 IP 192.168.75.81.1723 > 124.185.115.30.1043: Flags [.], ack 349, win 16616, length 0
19:47:04.617621 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23
19:47:04.617762 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 2, ack 1, length 31: LCP, Conf-Reject (0x04), id 1, length 13
19:47:04.739135 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 2, ack 2, length 34: LCP, Conf-Request (0x01), id 2, length 16
19:47:04.739192 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 3, ack 2, length 34: LCP, Conf-Ack (0x02), id 2, length 16
19:47:05.397343 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 4, length 35: LCP, Conf-Request (0x01), id 1, length 21
19:47:05.429753 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 3, ack 4, length 39: LCP, Conf-Ack (0x02), id 1, length 21
19:47:05.429915 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 5, ack 3, length 41: CHAP, Challenge (0x01), id 1, Value e93c80f0954a4b880f0b117bc8558d82, Name
19:47:05.430662 IP 124.185.115.30.1043 > 192.168.75.81.1723: Flags [P.], seq 349:373, ack 189, win 64052, length 24: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(36) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
19:47:05.430686 IP 192.168.75.81.1723 > 124.185.115.30.1043: Flags [.], ack 373, win 16616, length 0
19:47:05.431411 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 4, length 34: LCP, Ident (0x0c), id 3, length 20
19:47:05.431892 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 5, length 40: LCP, Ident (0x0c), id 4, length 26
19:47:05.443616 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 6, ack 5, length 80: CHAP, Response (0x02), id 1, Value b3158deadbeefdeadbeefdeadadfb6d80000000000000000125efeadeadbeefdeadbeefdeadbeefdeadbeef6c6a377b100, Name galaxy
19:47:05.444028 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 6, ack 6, length 93: CHAP, Success (0x03), id 1, Msg S=0673ADEADBEEFDEADBEEFDEADBEED679400BED7A M=Authentication successed
19:47:05.444108 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 7, length 26: unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 1, length 12
19:47:05.444142 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 8, length 26: IPCP, Conf-Request (0x01), id 1, length 12
19:47:05.459052 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 7, ack 7, length 30: unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 5, length 12
19:47:05.459148 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 9, ack 7, length 30: unknown ctrl-proto (0x80fd), Conf-Nack (0x03), id 5, length 12
19:47:05.459856 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 8, length 50: IPCP, Conf-Request (0x01), id 6, length 36
19:47:05.459917 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 10, ack 8, length 36: IPCP, Conf-Reject (0x04), id 6, length 18
19:47:05.460630 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 9, length 26: IPCP, Conf-Ack (0x02), id 1, length 12
19:47:05.461744 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 10, length 26: unknown ctrl-proto (0x80fd), Conf-Ack (0x02), id 1, length 12
19:47:05.469229 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 11, ack 9, length 30: unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 7, length 12
19:47:05.469319 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 11, ack 11, length 30: unknown ctrl-proto (0x80fd), Conf-Ack (0x02), id 7, length 12
19:47:05.471197 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 12, ack 10, length 42: IPCP, Conf-Request (0x01), id 8, length 24
19:47:05.471257 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 12, ack 12, length 42: IPCP, Conf-Nack (0x03), id 8, length 24
19:47:05.483238 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 13, ack 12, length 42: IPCP, Conf-Request (0x01), id 9, length 24
19:47:05.483405 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 13, ack 13, length 42: IPCP, Conf-Ack (0x02), id 9, length 24
19:47:05.553417 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 14, length 60: compressed PPP data
19:47:05.650250 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 15, length 348: compressed PPP data
19:47:05.650284 IP 192.168.99.151.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
19:47:05.650510 IP 192.168.99.254.67 > 192.168.99.151.68: BOOTP/DHCP, Reply, length 305
19:47:05.650532 IP 192.168.75.81 > 124.185.115.30: GREv1, call 1043, seq 14, ack 15, length 357: compressed PPP data
19:47:06.494779 IP 124.185.115.30 > 192.168.75.81: GREv1, call 36, seq 16, length 60: compressed PPP data
^C
45 packets captured
45 packets received by filter
0 packets dropped by kernel
[root@vpn ~]#
===
и наконец (я инициировал соединение еще раз, чтобы поймать только DHCP) самое вкусное:
===
[root@vpn ~]# tcpdump -nnv -i any port 67 or port 68
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
19:54:46.715522 IP (tos 0x0, ttl 128, id 5523, offset 0, flags [none], proto UDP (17), length 328)
192.168.99.153.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300, htype 8, hlen 6, xid 0xa27cfc5f, secs 1536, Flags [none]
Client-IP 192.168.99.153
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Inform
Client-ID Option 61, length 7: hardware-type 8, 00:53:45:00:00:00
Hostname Option 12, length 8: "intruder"
Vendor-Class Option 60, length 8: "MSFT 5.0"
Parameter-Request Option 55, length 6:
Domain-Name-Server, Netbios-Name-Server, Vendor-Option, Subnet-Mask
Classless-Static-Route-Microsoft, Domain-Name
Vendor-Option Option 43, length 3: 220.1.0
19:54:46.716113 IP (tos 0x0, ttl 64, id 10142, offset 0, flags [none], proto UDP (17), length 333)
192.168.99.254.67 > 192.168.99.153.68: BOOTP/DHCP, Reply, length 305, htype 8, hlen 6, xid 0xa27cfc5f, secs 1536, Flags [none]
Client-IP 192.168.99.153
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 192.168.99.254
Domain-Name Option 15, length 18: "vpn.server.tld"
Classless-Static-Route-Microsoft Option 249, length 24: (192.168.70.0/24:192.168.99.254),(192.168.75.0/24:192.168.99.254),(10.0.0.0/24:192.168.99.254)
Vendor-Option Option 43, length 7: 2.4.0.0.0.1.255
19:54:47.325798 IP (tos 0x0, ttl 128, id 50260, offset 0, flags [DF], proto UDP (17), length 306)
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:64:20:3a:c1, length 278, xid 0x64203adb, Flags [Broadcast]
Client-Ethernet-Address 00:1a:64:20:3a:c1
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Lease-Time Option 51, length 4: 4294967295
Hostname Option 12, length 8: "64203AC1"
Parameter-Request Option 55, length 3:
Subnet-Mask, Default-Gateway, Domain-Name-Server
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@vpn ~]#
===
Короче, я обычно не вступаю в такие дискуссии, так как я знаю то, что я знаю и меня ради моих знаний и нанимают, но в данном случае, я думаю, это может быть полезно для кого-нибудь, кто настраивает PPTP в первый раз.
С option 121 и option 249 - это работает как минимум на Win XP и выше, Mac OS X 10.7 и выше (ниже у нас тут просто нет), на всяких раутерах с поддержкой PPTP (типа Cisco, DLink, Netgear, etc.).
Признаем, что оно работает? :) Или все еще "никак нельзя"?