VPND Frequently Asked Questions

$Header: /pack/anoncvs/vpnd/FAQ.TXT,v 1.16 2002/03/21 10:33:49 ast Exp $

Please DO NOT email the developers/FAQ maintainer directly with questions
concerning VPND & its operation. Please email the mailing list instead.

VPND developers:
  Andreas Steinmetz - Primary/Original Developer of VPND <firstname.lastname@example.org>
  (See Website for current list of developers)

FAQ Maintainer:
  Robert Hardy, C.E.O. Webcon, Inc. <email@example.com>

Table Of Contents:

 1. Introduction
 2. Checklist of required elements
 3. VPND Return Codes and Debugging
 4. Known Good Configurations
 5. Known Problems
 6. What is a good Linux distribution for use with VPND?
 7. Will VPND do this (Fill in blank)?
 8. How do I get VPND to handle multiple clients?
 9. Where can I get Redhat style init scripts?
10. Does this work with a Windows Box?
11. Can I use this with Microsoft Virtual Private Networking?
12. Can I use this to hookup Windows style LANs (and get browsing working)?
13. Why am I seeing so many overruns on my slip device (Linux specific)?
14. How do I make Windows Neighbourhood Networking work over VPND?
15. How do I connect to a remote network through VPND when the remote peer is part of this network?


1. Introduction:

This file will attempt to answer all the frequently asked questions which have
gone through the VPND mailing list, attempt to provide solutions to common
problems, and provide debugging information for VPND. Please read this document
thoroughly before asking questions on the mailing list.

If you are looking for commercial paid consulting, it is available; mail the
author for details.


2. Checklist of required elements:

(elements required for proper operation)

- Both zlib & zlib-devel must be installed and be at least version 1.1.4
  (1.1.3 will do but has a security flaw!!!).
- /dev/random and/or /dev/urandom must be present.
- slip & cslip support must either be compiled into the kernel or (perhaps
  preferably) compiled as modules and loaded for normal operation.
- A common encryption key must be present on both client & server.
- Client & server must be separate machines with IP connectivity.


3. VPND Return Codes and Debugging:

Some of the return codes have an offset of 128 in the source code. Thus return
code 105 may show up as 233 in the source code.

- If you see "Crypto init failed, reason <TO BE ADDED LATER>", you may be
  missing /dev/random or /dev/urandom.

- If you see "Crypto init failed reason 1", it means Key/IV send failed. This
  could be either a key mismatch or, in combination with the above errors,
  point to a bad TCP connection. VPND can do this for several minutes before it
  successfully brings back up a hung VPND link. Please note that this may be
  caused by still-filled transmission buffers, though it isn't clear yet.

- If you see "slip link failed, reason 4", it means Connect/Listen failed. This
  indicates either that the client can't reach the server (server not running,
  server didn't detect connection loss) or that the server couldn't bind the
  socket (e.g. another VPND already running). If I remember correctly this
  error may occur if the 'suspend' option is used and an automatic disconnect
  is initiated. It can also indicate that you have not properly configured
  your kernel for SLIP or you are missing CSLIP support in your kernel. If you
  are using Linux and have compiled your SLIP support as modules, make sure
  they are loaded with lsmod.

- If you see "Peer link failed, reason 105", it means Data receive failed. This
  is typically either a bad TCP connection (lost packets and retransmits exceed
  time limits; 'rxmax' and 'sendbuf' tuning may help in this case) or a missing
  zlib on the receiving end (build without zlib; CVS code now does a startup
  syslog message with version and compression info, and the -h command line
  option now gives compression info, too). As another test, try disabling
  compression with the nocompress option (see vpnd.conf). If the problem goes
  away you are either using an old version of zlib or you are missing part of
  the zlib package. When using Redhat, this frequently happens if you have the
  zlib RPM installed but do not have the zlib-devel RPM installed.

- If you see "Peer link failed, reason 106", you are seeing a Peer read Data
  send failed, probably a bad TCP connection (see reason 105 above).


4. Known Good Configurations:

Redhat 6.2, Kernel V2.2.17, VPND V1.1.1
Suse 6.3, Kernel V2.2.14, VPND V1.1.1

The following operating systems are supported:

Linux 1.2.x (1.2.9 tested)
Linux 2.0.x (2.0.35 tested)
Linux 2.2.x (2.2.1 & 2.2.12-17 tested)
FreeBSD (3.3-RELEASE tested)
NetBSD (1.4.1 tested)
OpenBSD (2.6 tested)


5. Known Problems:

You will need to use 'rndcontrol' on FreeBSD systems to be able to generate key
files on FreeBSD systems.

Version 1.1.0 is the first version for FreeBSD, version 1.1.1 is the first
version for NetBSD and OpenBSD, so there may be bugs lurking (serial line
functionality is untested for *BSD, please report success/failure).

Error recovery can be slow on flaky physical networks. It is sometimes
necessary to restart VPND to speed recovery.

Diagnostics can be difficult due to the use of cryptic error codes which aren't
fully explained here. Fortunately there is always the source and the mailing
list.


6. What is a good Linux distribution for use with VPND?

I'm sure that this is a religious issue for some but I recommend: the latest
stable Redhat distribution along with the latest stable kernel. This is
currently Redhat 6.2 and Linux V2.2.17.

See http://www.redhat.com for Redhat mirrors (or to buy a CD). See your local
kernel.org mirror for the kernel source, see http://www.kernel.org.


7. Will VPND do this (Fill in blank)?

Please read this FAQ and if you still don't know the answer to your question,
mail the mailing list. See http://sunsite.dk/vpnd/ for details.


8. How do I get VPND to handle multiple clients?

The simple answer is, in its current configuration, you don't. VPND in its
current configuration is really a peer to peer system. Please don't
misunderstand this. You can hook up a large number of machines with VPND but it
must be done on a point to point basis. We have found that the simplest way to
plan this out is to assign a port to each circuit in a virtual private network.

Below is a typical VPN layout. Note that each connection requires a client and
a server VPND process. Also note that each peer does not need to know anything
about the other peers if it doesn't connect to them (as long as you manage IP
conflicts properly).

VPN Design Documentation

Client   Port          Server   Port
Peer1    30001   <->   Peer2    30001
Peer1    30002   <->   Peer3    30002
Peer3    30003   <->   Peer2    30003
Peer2    30004   <->   Peer4    30004
Peer3    30005   <->   Peer4    30005

Networks
192.168.0.  -> Peer1's Network
192.168.1.  -> Peer2's Network
192.168.2.  -> Peer3's Network
192.168.3.  -> Peer4's Network

Connection IPs
192.168.0.1 -> Peer1's IP
192.168.0.2 -> Peer2's IP
192.168.0.3 -> Peer3's IP
192.168.0.4 -> Peer4's IP


9. Where can I get Redhat style init scripts?

One or more VPN init script(s) are now available. See
samples/README.initscripts.


10. Does this work with a Windows Box?

Yes, but not directly. It is not designed to run on Windows. It is designed to
run on a Unix style server which can be accessed by any TCP/IP style client. If
you want to hook your Windows boxes into your private network, the simplest
solution seems to be to use Microsoft Virtual Private Networking software to
connect your Windows workstation to a PoPToP server running on your server.
Your server(s) should still be linked using VPND or VTun.

PoPToP can be found here: http://www.moretonbay.com/vpn/pptp.html
VTun can be found here: http://vtun.sourceforge.net/


11. Can I use this with Microsoft Virtual Private Networking?

While VPND can co-exist with other servers which use Microsoft VPN, it is
designed to only communicate directly with other VPNDs. See the PoPToP
discussion in 10.


12. Can I use this to hookup Windows style LANs (and get browsing working)?

Yes. Once VPND is properly configured, work-group browsing in Windows should
work properly over VPND. If you are using Samba you may have to use its Remote
Browse List Synchronization features.


13. Why am I seeing so many overruns on my slip device (Linux specific)?

What is getting reported as overruns is probably compressed slip packets. Some
ifconfig binaries do not label the fields properly for slip devices. To fix the
problem, you should find and install the latest version of ifconfig suitable to
your kernel (2.0.x vs. 2.2.x etc.).


14. How do I make Windows Neighbourhood Networking work over VPND?

You must set up Linux/Samba so that NetBIOS gets routed properly. If you can
access a machine on a different, masqueraded network using UNC naming, e.g.
\\server, but you cannot see it or any machines in your Network Neighborhood,
then chances are the NetBIOS broadcasts necessary for Network Neighborhood to
work are not crossing the networks.

See here for details: http://www.linuxplanet.com/linuxplanet/tutorials/1159/1/

You will also want the nbfw patch from here:
http://malt-whisky.student.utwente.nl/nbfw/download.html


15. How do I connect to a remote network through VPND when the remote peer is part of this network?

First you must use a VPND routing option (route1 to route9) to route all
traffic to the remote network through VPND. Then you must add a host route to
the remote peer via the interface connecting you to the Internet, to prevent a
routing loop. There are two ways to do this:

If your local system has a constant Internet connection, e.g. a leased line or
a dialup connection attached to an ethernet interface, you should use the
peerroute configuration option of VPND.

If you use a demand dialup connection with dynamic IPs, let's say e.g. diald
and pppd, you will have to add a host route to the VPND peer via the diald
proxy interface with a metric of 1 and then use the ip-up and ip-down scripts
of pppd to add/remove a host route to the VPND peer to/from the ppp interface
with a metric of 0.

Please note that either way all connections to the remote peer itself will be
direct and unencrypted; connections to all other systems on the remote network
will be encrypted through VPND. If you need to reach the remote peer encrypted,
you will have to assign the remote peer a second IP and use this IP for an
encrypted connection.
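The diald/pppd arrangement described in 15, written out as an added example (this is not a script shipped with VPND or pppd). It assumes that pppd passes the interface name as the first argument to /etc/ppp/ip-up and /etc/ppp/ip-down, that net-tools route(8) is used, and it uses placeholder values for the peer address and the diald proxy interface name (sl0 is an assumption; check what your diald actually creates).

```shell
#!/bin/sh
# Added example, not part of VPND or pppd. pppd(8) runs /etc/ppp/ip-up and
# /etc/ppp/ip-down as:  script IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Install (or symlink) this file under both names: on ip-up it adds a
# metric-0 host route to the VPND peer via the new ppp interface, on
# ip-down it removes it again. The metric-1 route via the diald proxy
# interface stays in place permanently, so the peer is always reachable
# and the VPND route1..route9 entries never swallow the tunnel's own TCP
# connection (that would be the routing loop the FAQ warns about).
#
# Constructed placeholder values, replace with your own:
VPND_PEER="${VPND_PEER:-198.51.100.10}"   # public address of the remote VPND peer
DIALD_IF="${DIALD_IF:-sl0}"               # diald proxy interface (assumed name)
ROUTE="${ROUTE:-route}"                   # route(8); set ROUTE=echo to dry-run

# Arguments for route(8): $1 = add|del, $2 = interface, $3 = metric.
route_args() {
    printf '%s -host %s dev %s metric %s' "$1" "$VPND_PEER" "$2" "$3"
}

# Run $ROUTE with the arguments built above (word splitting is intended).
apply_route() {
    $ROUTE $(route_args "$@")
}

# Permanent metric-1 fallback route via the diald proxy interface; run once
# at boot, e.g. from the script that starts diald.
add_proxy_route() {
    apply_route add "$DIALD_IF" 1
}

# Dispatch on the name pppd invoked us by; $1 is the ppp interface name.
case "${0##*/}" in
    ip-up)   apply_route add "$1" 0 ;;
    ip-down) apply_route del "$1" 0 ;;
esac
```

With ROUTE=echo the script only prints the route(8) invocations, which is a convenient way to verify the metrics and interface names before installing it. The host route carries only traffic addressed to the peer itself; as the FAQ notes, that traffic is unencrypted, so give the peer a second address if it must be reached through the tunnel.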
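Going back to the checklist in 2 and the error causes in 3, here is an added preflight script (not part of VPND) that checks the items most often behind "Crypto init failed" and "slip link failed" reports before VPND is started. It assumes the zlib version can be read from the ZLIB_VERSION define in zlib.h (default path /usr/include/zlib.h, which is exactly what the zlib-devel package provides), that the Linux SLIP modules are named slip and slhc (the CSLIP helper), and that the shared key file path is passed as the first argument; all three are assumptions, not VPND facts.

```shell
#!/bin/sh
# Added example, not part of VPND: preflight checks for the FAQ checklist.
# Every check returns 0 (ok) or 1 (problem) and prints one line, so the
# functions can be reused from other scripts. Usage: preflight.sh KEYFILE
ZLIB_H="${ZLIB_H:-/usr/include/zlib.h}"   # assumed header location
MIN_ZLIB="1.1.4"                          # FAQ minimum; 1.1.3 has a security flaw

# Turn a dotted version into a sortable number: 1.1.4 -> 1001004, 1.2 -> 1002000.
version_key() { printf '%s' "$1" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }'; }

# True if version $1 is at least version $2.
version_ge() { [ "$(version_key "$1")" -ge "$(version_key "$2")" ]; }

# Extract the version string from a zlib.h, e.g.  #define ZLIB_VERSION "1.1.4"
zlib_version_from() {
    [ -r "$1" ] || return 1
    sed -n 's/^#define ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

check_zlib() {
    v=$(zlib_version_from "$ZLIB_H") || v=""
    [ -n "$v" ] || { echo "FAIL: no ZLIB_VERSION in $ZLIB_H (zlib-devel not installed?)"; return 1; }
    version_ge "$v" "$MIN_ZLIB" || { echo "FAIL: zlib $v is older than $MIN_ZLIB"; return 1; }
    echo "ok: zlib $v"
}

# Missing /dev/random and /dev/urandom is the FAQ's first cause of "Crypto init failed".
check_random() {
    for d in /dev/random /dev/urandom; do
        [ -c "$d" ] && { echo "ok: $d present"; return 0; }
    done
    echo "FAIL: neither /dev/random nor /dev/urandom present"; return 1
}

# Linux only: are the slip and slhc (CSLIP) modules loaded? $1 may carry
# lsmod output for testing; otherwise lsmod is run. Module name is column 1.
check_slip() {
    lsmod_out=${1:-$(lsmod 2>/dev/null)}
    for m in slip slhc; do
        printf '%s\n' "$lsmod_out" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' ||
            { echo "WARN: module $m not loaded (fine only if SLIP/CSLIP is built into the kernel)"; return 1; }
    done
    echo "ok: slip and slhc modules loaded"
}

# The shared key must exist on both peers; it should also be readable by
# its owner only, since anyone who can read it can join or decrypt the link.
check_keyfile() {
    [ -f "$1" ] || { echo "FAIL: key file $1 missing"; return 1; }
    case $(ls -l "$1" | cut -c5-10) in
        *[rwx]*) echo "WARN: key file $1 is readable by group/others"; return 1 ;;
    esac
    echo "ok: key file $1 present, owner-only permissions"
}

preflight() {
    rc=0
    check_random       || rc=1
    check_zlib         || rc=1
    check_slip         || rc=1
    check_keyfile "$1" || rc=1
    return $rc
}

# Run the checks only when a key file path was given on the command line.
if [ $# -ge 1 ]; then preflight "$1"; fi
```

Run it on both peers; a WARN from check_slip is expected on *BSD and on Linux kernels with SLIP compiled in, and the remaining FAILs map directly onto the error messages listed in 3.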