VPN: the connection is up, but there is no access to resources

Слава Шевцов

I'm trying to set up a VPN between my local machine and a remote network. The local box runs openSUSE. The remote network is presumably Windows. The connection succeeds. Authentication succeeds. Two IPs are handed out:

local IP address 192.168.100.105 - ping 0.04 ms - same as the local machine.

remote IP address 192.168.100.109 - ping 15 ms - same as the remote machine.

The problem is that there is no ping to the network's internal resources, and local software does not see any connectivity through the VPN to the remote resources. Other users have no problem accessing the network's resources. What could the catch be?

This is printed on screen:

# pptp-command start server_name
using channel 34
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xdfa46d38> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xdfa46d38> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <auth chap MS-v2> <magic 0x38f7189c> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:***]> < 17 04 00 37>]
sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614> < 17 04 00 37>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xdfa46d38> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <auth chap MS-v2> <magic 0x38f7189c> <pcomp> <accomp> <endpoint [local:***]>]
sent [LCP ConfAck id=0x1 <mru 1400> <auth chap MS-v2> <magic 0x38f7189c> <pcomp> <accomp> <endpoint [local:***]>]
sent [LCP EchoReq id=0x0 magic=0xdfa46d38]
rcvd [CHAP Challenge id=0x0 <***>, name = "***"]
sent [CHAP Response id=0x0 <***>, name = "username"]
rcvd [LCP EchoRep id=0x0 magic=0x38f7189c]
rcvd [CHAP Success id=0x0 "S=6E0F...6AF56D"]
CHAP authentication succeeded
sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
rcvd [CCP ConfReq id=0x3 <mppe +H +M +S +L -D +C>]
sent [CCP ConfNak id=0x3 <mppe +H -M +S -L -D -C>]
rcvd [IPCP ConfReq id=0x4 <addr 192.168.100.109>]
sent [IPCP TermAck id=0x4]
rcvd [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x5 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x5 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
rcvd [IPCP ConfNak id=0x2 <addr 192.168.100.105>]
sent [IPCP ConfReq id=0x3 <addr 192.168.100.105>]
rcvd [IPCP ConfAck id=0x3 <addr 192.168.100.105>]
rcvd [IPCP ConfReq id=0x6 <addr 192.168.100.109>]
sent [IPCP ConfAck id=0x6 <addr 192.168.100.109>]
local IP address 192.168.100.105
remote IP address 192.168.100.109

Script /etc/ppp/ip-up started (pid 16083)
Script ?? finished (pid 16064), status = 0x0
Script /etc/ppp/ip-up finished (pid 16083), status = 0x0
All routes added.
Tunnel server_name is active on ppp0. IP Address: 192.168.100.105
Слава Шевцов
#1

This goes to the log:

22:00:08 suse pppd[16063]: pppd 2.4.5 started by shevtsov, uid 0
22:00:08 suse pppd[16063]: using channel 34
22:00:08 suse pppd[16063]: Using interface ppp0
22:00:08 suse pppd[16063]: Connect: ppp0 <--> /dev/pts/2
22:00:08 suse pppd[16063]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xdfa46d38> <pcomp> <accomp>]
22:00:10 suse pppd[16063]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xdfa46d38> <pcomp> <accomp>]
22:00:10 suse pppd[16063]: rcvd [LCP ConfReq id=0x0 <mru 1400> <auth chap MS-v2> <magic 0x38f7189c> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:***]> < 17 04 00 37>]
22:00:10 suse pppd[16063]: sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614> < 17 04 00 37>]
22:00:10 suse pppd[16063]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xdfa46d38> <pcomp> <accomp>]
22:00:10 suse pppd[16063]: rcvd [LCP ConfReq id=0x1 <mru 1400> <auth chap MS-v2> <magic 0x38f7189c> <pcomp> <accomp> <endpoint [local:***]>]
22:00:10 suse pppd[16063]: sent [LCP ConfAck id=0x1 <mru 1400> <auth chap MS-v2> <magic 0x38f7189c> <pcomp> <accomp> <endpoint [local:***]>]
22:00:10 suse pppd[16063]: sent [LCP EchoReq id=0x0 magic=0xdfa46d38]
22:00:10 suse pppd[16063]: rcvd [CHAP Challenge id=0x0 <***>, name = "***"]
22:00:10 suse pppd[16063]: sent [CHAP Response id=0x0 <***>, name = "username"]
22:00:10 suse pppd[16063]: rcvd [LCP EchoRep id=0x0 magic=0x38f7189c]
22:00:10 suse pptp[16068]: anon log[ctrlp_disp:pptp_ctrl.c:950]: PPTP_SET_LINK_INFO received from peer_callid 46971
22:00:10 suse pptp[16068]: anon log[ctrlp_disp:pptp_ctrl.c:953]: send_accm is 00000000, recv_accm is FFFFFFFF
22:00:10 suse pptp[16068]: anon warn[ctrlp_disp:pptp_ctrl.c:956]: Non-zero Async Control Character Maps are not supported!
22:00:10 suse pppd[16063]: rcvd [CHAP Success id=0x0 "S=6E0FC...F56D"]
22:00:10 suse pppd[16063]: CHAP authentication succeeded
22:00:10 suse pppd[16063]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
22:00:10 suse pppd[16063]: rcvd [CCP ConfReq id=0x3 <mppe +H +M +S +L -D +C>]
22:00:10 suse pppd[16063]: sent [CCP ConfNak id=0x3 <mppe +H -M +S -L -D -C>]
22:00:10 suse pppd[16063]: rcvd [IPCP ConfReq id=0x4 <addr 192.168.100.109>]
22:00:10 suse pppd[16063]: sent [IPCP TermAck id=0x4]
22:00:11 suse pppd[16063]: rcvd [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
22:00:11 suse pppd[16063]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
22:00:11 suse pppd[16063]: rcvd [CCP ConfReq id=0x5 <mppe +H -M +S -L -D -C>]
22:00:11 suse pppd[16063]: sent [CCP ConfAck id=0x5 <mppe +H -M +S -L -D -C>]
22:00:11 suse pppd[16063]: rcvd [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
22:00:11 suse pppd[16063]: MPPE 128-bit stateless compression enabled
22:00:11 suse pppd[16063]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
22:00:11 suse pppd[16063]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
22:00:11 suse pppd[16063]: sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
22:00:11 suse pppd[16063]: rcvd [IPCP ConfNak id=0x2 <addr 192.168.100.105>]
22:00:11 suse pppd[16063]: sent [IPCP ConfReq id=0x3 <addr 192.168.100.105>]
22:00:12 suse pppd[16063]: rcvd [IPCP ConfAck id=0x3 <addr 192.168.100.105>]
22:00:12 suse pppd[16063]: rcvd [IPCP ConfReq id=0x6 <addr 192.168.100.109>]
22:00:12 suse pppd[16063]: sent [IPCP ConfAck id=0x6 <addr 192.168.100.109>]
22:00:12 suse pppd[16063]: local IP address 192.168.100.105
22:00:12 suse pppd[16063]: remote IP address 192.168.100.109
22:00:12 suse pppd[16063]: Script /etc/ppp/ip-up started (pid 16083)
22:00:13 suse SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
22:00:13 suse SuSEfirewall2: using default zone 'ext' for interface ppp0
22:00:13 suse SuSEfirewall2: Firewall rules successfully set
22:00:13 suse pppd[16063]: Script ?? finished (pid 16064), status = 0x0
22:00:13 suse pppd[16063]: Script /etc/ppp/ip-up finished (pid 16083), status = 0x0
22:01:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:01:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:02:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:02:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:03:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:03:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:04:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:04:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:05:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:05:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:06:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:06:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:07:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:07:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:08:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:08:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:09:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:09:07 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 6 'Echo-Reply'
22:10:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:677]: Echo Request received.
22:10:07 suse pptp[16068]: anon log[logecho:pptp_ctrl.c:679]: no more Echo Reply/Request packets will be reported.
22:10:12 suse pppd[16063]: Terminating connection due to lack of activity.
22:10:12 suse pppd[16063]: Connect time 10.0 minutes.
22:10:12 suse pppd[16063]: Sent 0 bytes, received 0 bytes.
22:10:12 suse pppd[16063]: Script /etc/ppp/ip-down started (pid 16421)
22:10:12 suse pppd[16063]: MPPE disabled
22:10:12 suse pppd[16063]: sent [LCP TermReq id=0x2 "MPPE disabled"]
22:10:12 suse pppd[16063]: sent [LCP TermReq id=0x3 "MPPE disabled"]
22:10:12 suse pptp[16068]: anon log[ctrlp_disp:pptp_ctrl.c:950]: PPTP_SET_LINK_INFO received from peer_callid 46971
22:10:12 suse pptp[16068]: anon log[ctrlp_disp:pptp_ctrl.c:953]: send_accm is FFFFFFFF, recv_accm is FFFFFFFF
22:10:12 suse pptp[16068]: anon warn[ctrlp_disp:pptp_ctrl.c:956]: Non-zero Async Control Character Maps are not supported!
22:10:12 suse pppd[16063]: rcvd [LCP TermAck id=0x2 "MPPE disabled"]
22:10:12 suse pppd[16063]: Connection terminated.
22:10:12 suse avahi-daemon[602]: Withdrawing workstation service for ppp0.
22:10:13 suse SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
22:10:13 suse SuSEfirewall2: Firewall rules successfully set
22:10:13 suse pppd[16063]: Script /etc/ppp/ip-down finished (pid 16421), status = 0x0
22:10:13 suse pppd[16063]: Exit.
22:10:13 suse pptp[16080]: anon warn[decaps_hdlc:pptp_gre.c:204]: short read (-1): Input/output error
22:10:13 suse pptp[16080]: anon warn[decaps_hdlc:pptp_gre.c:216]: pppd may have shutdown, see pppd log
22:10:13 suse pptp[16068]: anon log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled)
22:10:13 suse pptp[16068]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
22:10:13 suse pptp[16068]: anon log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)

So everything looks fine, apart from the meaningless "Non-zero Async Control Character Maps are not supported!".

Оптимизайка
#2

What about /etc/sysconfig/SuSEfirewall2 - is it getting in the way by any chance?

After the connection is established, show the output of

ifconfig

route -n

iptables -L

iptables -t nat -L

Слава Шевцов
#3
Оптимизайка:
What about /etc/sysconfig/SuSEfirewall2 - is it getting in the way by any chance?

The built-in firewall, configured by default when the system was installed. I stopped it - didn't help.

Оптимизайка:
After the connection is established, show the output of
ifconfig

# ifconfig
eth0 Link encap:Ethernet HWaddr D4:3D:7E:35:9C:D9
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: f*0::d*d:7*f:f*5:9*9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:323489 errors:0 dropped:0 overruns:0 frame:0
TX packets:379920 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:175606969 (167.4 Mb) TX bytes:177556779 (169.3 Mb)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1034888 errors:0 dropped:0 overruns:0 frame:0
TX packets:1034888 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:348273238 (332.1 Mb) TX bytes:348273238 (332.1 Mb)

ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.100.101 P-t-P:192.168.100.109 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1396 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:90 (90.0 b) TX bytes:90 (90.0 b)

Оптимизайка:
route -n

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
x.x.x.x 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.100.109 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0

x.x.x.x - the IP of the server the VPN tunnel is established to

Оптимизайка:
iptables -L

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate RELATED
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (1 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP all -- anywhere anywhere

Chain reject_func (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable

Оптимизайка:
iptables -t nat -L

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Слава Шевцов
#4

The cause was the missing route for the whole 192.168.100.* subnet via ppp0. After adding the route, the IPs inside the network started answering ping. But internal names like comp1.vds.local still don't ping :(

Оптимизайка
#5

Before they can be pinged, those names have to be resolved to addresses. DNS does that; names can also be set statically in /etc/hosts, and on Windows WINS can handle it as well.

Look at /etc/resolv.conf before and after the connection is established - do the DNS server addresses change? They should.
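
An added example (not code from the thread or from the pptp/pppd projects) that performs the two checks from #4 and #5 offline: a longest-prefix match over the route table posted in #3 shows that hosts in 192.168.100.0/24 leave via eth0 (the default route) until the subnet route is added, and a resolv.conf scan shows whether any nameserver sits inside the VPN subnet. The sample tables are constructed from the thread (the anonymised x.x.x.x host route is left out), and VPN_NET is assumed from the addresses handed out by IPCP.

```python
import ipaddress

# Constructed sample: the "route -n" output posted in #3, minus the host route
# to the VPN server (anonymised as x.x.x.x on the page).
ROUTES_BEFORE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.100.109 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
"""
# The same table after the subnet route that #4 ended up adding.
ROUTES_AFTER = ROUTES_BEFORE + "192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 ppp0\n"
# Constructed /etc/resolv.conf as described in #6: only the home router.
RESOLV_CONF = "nameserver 192.168.0.1\n"
# Assumed VPN subnet, from the IPCP addresses in the log.
VPN_NET = ipaddress.ip_network("192.168.100.0/24")


def parse_routes(text):
    """Turn 'route -n' output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        if not line[:1].isdigit():          # skip the title and header rows
            continue
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
    return routes


def egress_iface(routes, host):
    """Longest-prefix match, the way the kernel picks a route (metric ties ignored)."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, _gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def route_fix(routes, vpn_net=VPN_NET, iface="ppp0"):
    """Return the 'ip route add' command needed if the VPN subnet does not leave via iface."""
    probe = str(vpn_net.network_address + 1)   # any host inside the subnet
    if egress_iface(routes, probe) == iface:
        return None
    return f"ip route add {vpn_net} dev {iface}"


def nameservers(resolv_text):
    return [l.split()[1] for l in resolv_text.splitlines() if l.startswith("nameserver")]


def dns_reachable_via_vpn(resolv_text, vpn_net=VPN_NET):
    """True only if some nameserver lives inside the VPN subnet (needed for *.vds.local)."""
    return any(ipaddress.ip_address(ns) in vpn_net for ns in nameservers(resolv_text))
```

Feed it the real `route -n` and `/etc/resolv.conf` text after the tunnel comes up; a non-empty `route_fix()` result or a `False` from `dns_reachable_via_vpn()` reproduces the two symptoms in the thread.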

Слава Шевцов
#6

They don't change. 192.168.0.1 was there before and is still there.
