

VPND Frequently Asked Questions
$Header: /pack/anoncvs/vpnd/FAQ.TXT,v 1.16 2002/03/21 10:33:49 ast Exp $

Please DO NOT email the developers/FAQ maintainer directly with questions
concerning VPND & its operation. Please email the mailing list instead.

VPND developers: Andreas Steinmetz - Primary/Original Developer of VPND
                 (See Website for current list of developers)
FAQ Maintainer: Robert Hardy, C.E.O. Webcon, Inc. <rhardy@webcon.net>

Table Of Contents:
1. Introduction
2. Checklist of required elements
3. VPND Return Codes and Debugging
4. Known Good Configurations
5. Known Problems
6. What is a good Linux distribution for use with VPND?
7. Will VPND do this (Fill in blank)?
8. How do I get VPND to handle multiple clients?
9. Where can I get Redhat style init scripts?
10. Does this work with a Windows Box?
11. Can I use this with Microsoft Virtual Private Networking?
12. Can I use this to hookup Windows style LANs (and get browsing
13. Why am I seeing so many overruns on my slip device (Linux specific)?
14. How do I make Windows Neighbourhood Networking work over VPND?
15. How do I connect to a remote network through VPND when the
    remote peer is part of this network?

1. Introduction:

   This file will attempt to answer all the frequently asked questions that
   have gone through the VPND mailing list, attempt to provide solutions to
   common problems, and provide debugging information for VPND.

   Please read this document thoroughly before asking questions on the
   list. If you are looking for commercial paid consulting, it is
   mail the author for details.

2. Checklist of required elements: (elements required for proper
  - Both zlib & zlib-devel must be installed and be at least version 1.1.4
    (1.1.3 will do but has a security flaw!!!).
  - /dev/random and/or /dev/urandom must be present.
  - slip & cslip support must either be compiled into the kernel or
    (perhaps preferably) compiled as modules and loaded for normal
  - A common encryption key must be present on both client & server.
  - Client & server must be separate machines with IP connectivity.
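As an added example (not from the VPND FAQ or the VPND sources), a small pre-flight script that checks the items above on the build host: the zlib version from the installed header (which also proves zlib-devel is present), a random device, the slip module in lsmod output, and that the shared key file is readable by its owner only. The key file path is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not part of the VPND FAQ or of VPND itself: a pre-flight
# check for the section 2 checklist, run as "sh vpnd-precheck.sh --run".
# Assumption: KEYFILE is a placeholder path for the shared key file.
KEYFILE="${KEYFILE:-/etc/vpnd/vpnd.key}"

# zlib_header_version [HEADER] -> prints ZLIB_VERSION from zlib.h. An absent
# header usually means the zlib-devel package (the zlib RPM alone is not
# enough) is missing, which the FAQ lists as a cause of "reason 105" failures.
zlib_header_version() {
    sed -n 's/^#define ZLIB_VERSION "\([^"]*\)".*/\1/p' "${1:-/usr/include/zlib.h}" 2>/dev/null || true
}

# zlib_ok VERSION -> 0 when VERSION is 1.1.4 or newer (1.1.3 has a known flaw)
zlib_ok() {
    echo "$1" | awk -F. '{ v = $1 * 10000 + $2 * 100 + $3; exit ((v >= 10104) ? 0 : 1) }'
}

# random_ok -> 0 when /dev/random or /dev/urandom exists as a character device
random_ok() {
    [ -c /dev/random ] || [ -c /dev/urandom ]
}

# slip_loaded LSMOD_TEXT -> 0 when lsmod output lists a module named "slip"
# (with SLIP built into the kernel nothing is listed; treat that as a warning)
slip_loaded() {
    printf '%s\n' "$1" | awk '$1 == "slip" { found = 1 } END { exit (found ? 0 : 1) }'
}

# keyfile_ok PATH -> 0 when the common key exists and only its owner can read
# it; a group- or world-readable key hands the link's secret to other local users
keyfile_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

main() {
    rc=0
    ver=$(zlib_header_version)
    if [ -z "$ver" ]; then echo "FAIL: zlib.h not found (zlib-devel missing?)"; rc=1
    elif zlib_ok "$ver"; then echo "ok:   zlib $ver"
    else echo "FAIL: zlib $ver is older than 1.1.4"; rc=1; fi
    if random_ok; then echo "ok:   random device present"; else echo "FAIL: no /dev/random or /dev/urandom"; rc=1; fi
    if slip_loaded "$(lsmod 2>/dev/null)"; then echo "ok:   slip module loaded"
    else echo "warn: slip not listed by lsmod (built in, or not loaded?)"; fi
    if keyfile_ok "$KEYFILE"; then echo "ok:   key file $KEYFILE"
    else echo "FAIL: $KEYFILE missing or readable by group/others"; rc=1; fi
    return $rc
}
if [ "${1:-}" = "--run" ]; then main; fi
```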

3. VPND Return Codes and Debugging:

  Some of the return codes have an offset of 128 in the source code.
  Thus return code 105 may show up as 233 in the source code.

  - If you see "Crypto init failed, reason <TO BE ADDED LATER>", you may be
    missing /dev/random or /dev/urandom.

  - If you see "Crypto init failed reason 1" it means the Key/IV send failed.
    This could be either a key mismatch or, in combination with the above
    errors, point to a bad TCP connection. VPND can do this for several
    minutes before it successfully brings a hung VPND link back up. Please
    note this may be caused by still filled transmission buffers though it
    clear yet.

  - If you see "slip link failed, reason 4" it means Connect/Listen failed.
    This indicates either that the client can't reach the server (server not
    running, or server didn't detect the connection loss) or that the server
    couldn't bind the socket (e.g. another VPND already running). If I
    remember correctly this error may also occur if the 'suspend' option is
    used and an automatic disconnect is initiated. It can also indicate that
    you have not properly configured your kernel for SLIP or that you are
    missing CSLIP in your kernel. If you are using Linux and have compiled
    your SLIP support as modules, make sure they are loaded with lsmod.

  - If you see "Peer link failed, reason 105" it means Data receive failed.
    This is typically either a bad TCP connection (lost packets and
    retransmits exceed time limits; 'rxmax' and 'sendbuf' tuning may help in
    this case) or a missing zlib on the receiving end (a build without zlib;
    the CVS code now emits a startup syslog message with version and
    compression info, and the -h command line option now gives compression
    info, too). As another test, try disabling compression with the
    nocompress option (in vpnd.conf). If the problem goes away you are either
    using an old version of zlib or you are missing part of the zlib package.
    When using RPMs this frequently happens if you have the zlib RPM
    installed but do not have the zlib-devel RPM installed.

  - If you see "Peer link failed, reason 106" you are seeing a Peer read /
    Data send failure, probably a bad TCP connection (see reason 105 above).

4. Known Good Configurations:

  Redhat 6.2, Kernel V2.2.17, VPND V1.1.1
  Suse 6.3, Kernel V2.2.14, VPND V1.1.1

  The following operating systems are supported:

   Linux 1.2.x   (1.2.9 tested)
   Linux 2.0.x   (2.0.35 tested)
   Linux 2.2.x   (2.2.1 & 2.2.12-17 tested)
   FreeBSD       (3.3-RELEASE tested)
   NetBSD        (1.4.1 tested)
   OpenBSD       (2.6 tested)

5. Known Problems:

  You will need to use 'rndcontrol' on FreeBSD systems to be able
  to generate key files on FreeBSD systems.
  Version 1.1.0 is the first version for FreeBSD, version 1.1.1
  is the first version for NetBSD and OpenBSD, so there may be
  bugs lurking (serial line functionality is untested for *BSD,
  please report success/failure).

  Error recovery can be slow on flaky physical networks. It is sometimes
  necessary to restart VPND to speed recovery. Diagnostics can be hard
  due to the use of cryptic error codes which aren't fully explained.
  Fortunately there is always the source and the mailing list.

6. What is a good Linux distribution for use with VPND?

  I'm sure that this is a religious issue for some but I recommend the
  latest stable Redhat distribution along with the latest stable kernel.
  This is currently Redhat 6.2 and Linux V2.2.17. See
  http://www.redhat.com for Redhat mirrors (or to buy a CD). For kernel
  source see your kernel.org mirror or http://www.kernel.org.

7. Will VPND do this (Fill in blank)?

  Please read this FAQ and if you still don't know the answer to your
  question, mail the mailing list. See http://sunsite.dk/vpnd/ for

8. How do I get VPND to handle multiple clients?

  The simple answer is, in its current configuration, you don't. VPND in its
  current configuration is really a peer to peer system. Please don't
  misunderstand this. You can hook up a large number of machines with VPND,
  but it must be done on a point to point basis. We have found that the
  simplest way to plan this out is to assign a port to each circuit in a
  virtual private network. Below is a typical VPN layout. Note that each
  connection requires a client and a server VPND process. Also note that each
  peer does not need to know anything about the other peers if it doesn't
  connect to them (as long as you manage IP conflicts properly).

  VPN Design Documentation

  Client Port         Server Port
  Peer1 30001   <->   Peer2 30001
  Peer1 30002   <->   Peer3 30002
  Peer3 30003   <->   Peer2 30003
  Peer2 30004   <->   Peer4 30004
  Peer3 30005   <->   Peer4 30005

  192.168.0.   ->   Peer1's Network
  192.168.1.   ->   Peer2's Network
  192.168.2.   ->   Peer3's Network
  192.168.3.   ->   Peer4's Network

  Connection IPs -> Peer1's IP -> Peer2's Network -> Peer3's Network -> Peer4's Network

9. Where can I get Redhat style init scripts?

  One or more VPN init script(s) are now available.
  See samples/README.initscripts.

10. Does this work with a Windows Box?

  Yes, but not directly. It is not designed to run on Windows. It is
  designed to run on a Unix style server which can be accessed by any
  style of client.

  If you want to hook your Windows boxes into your private network, the
  simplest solution seems to be to use Microsoft Virtual Private Networking
  software to connect your Windows workstation to a PoPToP server running on
  your server. Your server(s) should still be linked using VPND or VTun.
  PoPToP can be found here: http://www.moretonbay.com/vpn/pptp.html
  VTun can be found here: http://vtun.sourceforge.net/

11. Can I use this with Microsoft Virtual Private Networking?

  While VPND can co-exist with other servers which use Microsoft VPN,
  it is designed to only communicate directly with other VPNDs.
  See PoPToP discussion in 10.

12. Can I use this to hookup Windows style LANs (and get browsing

  Yes. Once VPND is properly configured, work-group browsing in Windows
  works properly over VPND. If you are using Samba you may have to use its
  Remote Browse List Synchronization features.

13. Why am I seeing so many overruns on my slip device (Linux specific)?

  What is getting reported as overruns is probably compressed slip packets.
  Some ifconfig binaries do not label the fields properly for slip devices.
  To fix the problem, you should find and install the latest version of
  ifconfig suitable to your kernel (2.0.x vs. 2.2.x etc.).

14. How do I make Windows Neighborhood networking work over VPND?

  You must set up Linux/Samba so that NetBIOS gets routed properly. If you
  can access a machine on a different, masqueraded network using a UNC path,
  e.g. \\server, but you cannot see it or any machines in your Network
  Neighborhood, then chances are the NetBIOS broadcasts necessary for
  Network Neighborhood to work are not crossing the networks.

  See here for details:

  You will also want the nbfw patch from here:

15. How do I connect to a remote network through VPND when the
    remote peer is part of this network?

  First you must use a VPND routing option (route1 to route9)
  to route all traffic to the remote network through VPND.
  Then you must add a host route to the remote peer via the
  interface connecting you to the Internet to prevent a
  routing loop. There are two ways to do this: if your local system
  has a constant Internet connection, e.g. a leased line or
  a dialup connection attached to an ethernet interface, you
  should use the peerroute configuration option of VPND.
  If you use a demand dialup connection with dynamic IPs,
  let's say e.g. diald and pppd, you will have to add
  a host route to the VPND peer via the diald proxy interface with a
  metric of 1 and then use the ip-up and ip-down scripts of pppd
  to add/remove a host route to the VPND peer to/from the ppp
  interface with a metric of 0.
  Please note that either way all connections to the remote
  peer will be direct and unencrypted; connections to all
  other systems on the remote network will be encrypted through VPND.
  If you need to reach the remote peer encrypted, you will have
  to assign the remote peer a second IP and use this IP
  for an encrypted connection.
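As an added example (not from the VPND FAQ or the VPND sources), a single pppd hook script for the demand-dial variant above: installed as both /etc/ppp/ip-up and /etc/ppp/ip-down, it adds or removes the metric-0 host route to the VPND peer over the ppp interface, next to the permanent metric-1 route via the diald proxy interface. The peer address (203.0.113.10) and the proxy interface name (sl0) are placeholders.

```shell
#!/bin/sh
# Added example, not part of the VPND FAQ or of VPND itself.
# pppd hook for the demand-dial case: install as /etc/ppp/ip-up and
# /etc/ppp/ip-down (a symlink is enough); the script name selects the action.
# Placeholders (assumptions): VPND_PEER is the remote peer's Internet address,
# PROXY_IF is the diald proxy interface that carries the permanent metric-1 route.
VPND_PEER=203.0.113.10   # placeholder address (TEST-NET-3); replace with your peer
PROXY_IF=sl0             # placeholder diald proxy interface name

# peer_route_cmd ACTION IFACE METRIC -> prints the route(8) command that adds
# or deletes the host route to the VPND peer via IFACE with the given metric.
peer_route_cmd() {
    case "$1" in
        add|del) echo "route $1 -host $VPND_PEER dev $2 metric $3" ;;
        *) echo "usage: peer_route_cmd add|del IFACE METRIC" >&2; return 1 ;;
    esac
}

# proxy_route_cmd -> the metric-1 route via the diald proxy interface. Run it
# once at boot; it stays in place while the ppp link is down, so packets for
# the peer never follow the route1..route9 entry back into the tunnel.
proxy_route_cmd() {
    peer_route_cmd add "$PROXY_IF" 1
}

# hook_action SCRIPTPATH -> "add" when invoked as ip-up, "del" as ip-down.
hook_action() {
    case "$(basename "$1")" in
        ip-up)   echo add ;;
        ip-down) echo del ;;
        *)       return 1 ;;
    esac
}

# pppd calls ip-up/ip-down as: SCRIPT IFACE TTY SPEED LOCAL-IP REMOTE-IP IPPARAM.
# Only $1 (the ppp interface) is needed here. While the link is up the
# metric-0 route on it takes precedence over the metric-1 proxy route.
if action=$(hook_action "$0") && [ -n "${1:-}" ]; then
    eval "$(peer_route_cmd "$action" "$1" 0)"
fi
```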
