5 Replies Latest reply: Feb 16, 2007 10:38 AM by David Hobt
guardianblue Level 1 (10 points)
Hi all,

When I tried to connect to my office's VPN, which is a PPTP built on Poptop, the PPTP client that comes with Tiger said the connection is okay. I was able to ping and locate machines on the VPN.

However, when I try to map a Samba drive on the VPN, access CVS, or connect to a WinXP remote desktop server, the connection stalls and eventually times out. It seems that some of the data was able to transfer back to my computer, but the I/O is interrupted shortly after the initial transfer.

After doing exhaustive Google searches, I found another PPTP client called DigiTunnel, with which I can connect to the VPN and work as expected. Therefore, I suspect that I have some misconfiguration in Tiger's PPTP client. Has anyone else encountered this problem?

For your information, I do not have any firewall on my computer. Also, I am behind a router, and the problem persists no matter whether I use Airport or Ethernet as the connection method to the router.

Any help is appreciated.

MacBook 2GHz   Mac OS X (10.4.7)   Firewalls are off
  • 1. Re: VPN PPTP Client Problem
    Palahala Level 1 (10 points)
    I'm using VPN to connect to the office and it is very slow. Pinging using IP addresses takes up to 8 seconds (8,000 ms) for each packet. Microsoft Remote Desktop Protocol (RDP) connections work, but are extremely slow as well.

    After having read your post I installed a trial version of DigiTunnel and it works great indeed! Ping times are now below 20ms. I guess I'll purchase it as it also seems to make it easy to route only some specific traffic through VPN. But of course, I'd rather spend my money on something not related to my work, and I'm curious too...

    I was able to ping and locate machines on the VPN


    Are you using IP addresses or DNS names?

    Was the response time all right?

    My setup:
    - OS X 10.4.7
    - no firewall
    - VPN using PPTP with IPSEC-IKE
    - ADSL modem routes incoming ports 500 TCP/UDP and 1723 TCP to the MacBook
    - routing ALL ports to the MacBook did not make it any faster
    - office DNS servers listed first in output of scutil --dns
    - the same VPN connection works fine on Windows XP
    - Wifi with WPA for both tests
    - I did not test using ethernet

    While testing without DigiTunnel I see an additional "sent" on the 10th line, 3 seconds after the 9th line does not seem to receive a response:

    09- sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x99187502> <pcomp> <accomp>]
    10- sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x62ebdd17> <pcomp> <accomp>]

    But eventually both tests show

    rcvd [CHAP Success id=0x1 "S=xxx"]

    When terminating the connection that does not use DigiTunnel the summary first tells me

    PPTP error when sending echo_reply : Network is unreachable

    ...and next that zero bytes have been received (while writing this I'm not too sure if this log indeed applies to the ping tests; I'd expect the ping response to be counted as received bytes, even if it takes 8,000 ms):

    Sent 10819 bytes, received 0 bytes.

    Finally, just in case someone can decipher it, the log without DigiTunnel:

    PPTP connecting to server 'xxx.xxx.xxx.xxx' (xxx.xxx.xxx.xxx)...
    PPTP connection established.
    using link 0
    Using interface ppp0
    Connect: ppp0 <--> socket[34:17]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x62ebdd17> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x99187502> <pcomp> <accomp>]
    lcp_reqci: returning CONFACK.
    sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x99187502> <pcomp> <accomp>]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x62ebdd17> <pcomp> <accomp>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x62ebdd17> <pcomp> <accomp>]
    sent [LCP EchoReq id=0x0 magic=0x62ebdd17]
    rcvd [CHAP Challenge id=0x1 <9d1c3xxx828cf>, name = "xxx.domain.tld"]
    sent [CHAP Response id=0x1 <a5f156xxxd0f00>, name = "loginname"]
    rcvd [LCP EchoRep id=0x0 magic=0x99187502]
    rcvd [CHAP Success id=0x1 "S=E819F2xxx97D5"]
    sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
    rcvd [IPCP ConfReq id=0x1 <addr 172.17.201.3> <compress VJ 0f 01>]
    sent [IPCP TermAck id=0x1]
    rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <mppe +H -M +S -L -D -C> <bsd v1 15>]
    sent [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
    rcvd [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
    sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
    sent [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
    MPPE 128-bit stateless compression enabled
    sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
    sent [IPV6CP ConfReq id=0x1 <addr xxx::xxx:xxx:xxx>]
    sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
    rcvd [IPCP ConfNak id=0x1 <addr 172.17.202.4> <ms-dns1 172.17.4.7> <ms-dns3 172.17.4.7>]
    sent [IPCP ConfReq id=0x2 <addr 172.17.202.4> <ms-dns1 172.17.4.7> <ms-dns3 172.17.4.7>]
    rcvd [LCP ProtRej id=0x2 80 57 01 xxx 28 9d 55]
    rcvd [LCP ProtRej id=0x3 82 35 01 xxx 00 00 01]
    rcvd [IPCP ConfAck id=0x2 <addr 172.17.202.4> <ms-dns1 172.17.4.7> <ms-dns3 172.17.4.7>]
    sent [IPCP ConfReq id=0x2 <addr 172.17.202.4> <ms-dns1 172.17.4.7> <ms-dns3 172.17.4.7>]
    rcvd [IPCP ConfReq id=0x1 <addr 172.17.201.3> <compress VJ 0f 01>]
    ipcp: returning Configure-REJ
    sent [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
    rcvd [IPCP ConfAck id=0x2 <addr 172.17.202.4> <ms-dns1 172.17.4.7> <ms-dns3 172.17.4.7>]
    rcvd [IPCP ConfReq id=0x2 <addr 172.17.201.3>]
    ipcp: returning Configure-ACK
    sent [IPCP ConfAck id=0x2 <addr 172.17.201.3>]
    ipcp: up
    local IP address 172.17.202.4
    remote IP address 172.17.201.3
    primary DNS address 172.17.4.7
    secondary DNS address 172.17.4.7
    PPTP error when sending echo_reply : Network is unreachable
    PPTP hangup
    ipcp: down
    MPPE disabled
    sent [LCP TermReq id=0x2 "MPPE disabled"]
    Connection terminated.
    Connect time 1.2 minutes.
    Sent 10819 bytes, received 0 bytes.
    PPTP disconnecting...
    PPTP disconnected

    And when using DigiTunnel:

    PPTP connecting to server 'xxx.xxx.xxx.xxx' (xxx.xxx.xxx.xxx)...
    PPTP connection established.
    using link 0
    Using interface ppp0
    Connect: ppp0 <--> socket[34:17]
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc3b45f11> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x981e46d1> <pcomp> <accomp>]
    lcp_reqci: returning CONFACK.
    sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x981e46d1> <pcomp> <accomp>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xc3b45f11> <pcomp> <accomp>]
    sent [LCP EchoReq id=0x0 magic=0xc3b45f11]
    rcvd [CHAP Challenge id=0x1 <5a29fxxxf784d>, name = "xxx.domain.tld"]
    sent [CHAP Response id=0x1 <9dfeexxxfba00>, name = "loginname"]
    rcvd [LCP EchoRep id=0x0 magic=0x981e46d1]
    rcvd [CHAP Success id=0x1 "S=452DBxxx3A15E"]
    sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
    rcvd [IPCP ConfReq id=0x1 <addr 172.17.201.3> <compress VJ 0f 01>]
    sent [IPCP TermAck id=0x1]
    rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <mppe +H -M +S -L -D -C> <bsd v1 15>]
    sent [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
    rcvd [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
    sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
    sent [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
    MPPE 128-bit stateless compression enabled
    sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
    sent [IPV6CP ConfReq id=0x1 <addr xxx::xxx:xxx:xxx>]
    sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
    rcvd [IPCP ConfNak id=0x1 <addr 172.17.202.4> <ms-dns1 172.17.4.7> <ms-dns3 172.17.4.7>]
    sent [IPCP ConfReq id=0x2 <addr 172.17.202.4> <ms-dns1 172.17.4.7> <ms-dns3 172.17.4.7>]
    rcvd [LCP ProtRej id=0x2 80 57 01 xxx 28 9d 55]
    rcvd [LCP ProtRej id=0x3 82 35 01 xxx 00 00 01]
    rcvd [IPCP ConfAck id=0x2 <addr 172.17.202.4> <ms-dns1 172.17.4.7> <ms-dns3 172.17.4.7>]
    rcvd [IPCP ConfReq id=0x1 <addr 172.17.201.3> <compress VJ 0f 01>]
    ipcp: returning Configure-REJ
    sent [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
    rcvd [IPCP ConfReq id=0x2 <addr 172.17.201.3>]
    ipcp: returning Configure-ACK
    sent [IPCP ConfAck id=0x2 <addr 172.17.201.3>]
    ipcp: up
    local IP address 172.17.202.4
    remote IP address 172.17.201.3
    primary DNS address 172.17.4.7
    secondary DNS address 172.17.4.7
    Hangup (SIGHUP)
    ipcp: down
    MPPE disabled
    sent [LCP TermReq id=0x2 "MPPE disabled"]
    sent [LCP TermReq id=0x3 "MPPE disabled"]
    rcvd [LCP TermAck id=0x3]
    Connection terminated.
    Connect time 0.6 minutes.
    Sent 3986 bytes, received 2256 bytes.
    PPTP disconnecting...
    PPTP disconnected
    PPTP disconnected

    Yes, DigiTunnel shows the last line twice...

    MacBook white 2GHz   Mac OS X (10.4.7)  
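
An added example, not part of any post in this thread: a small Python parser for pppd debug logs like the two above, reporting the symptoms the post points out (an identical request sent twice, a `PPTP error` line, and a session whose link came up but whose totals show 0 bytes received). The function name `summarize` and the abridged sample logs are constructed for illustration.

```python
import re
from collections import Counter

PKT = re.compile(r"^(sent|rcvd) \[(\w+) (\w+) id=(0x[0-9a-f]+)(.*)\]$")
TOTALS = re.compile(r"^Sent (\d+) bytes, received (\d+) bytes\.$")

def summarize(log):
    """Summarize one pppd debug-log session (hypothetical helper)."""
    seen, out = Counter(), {"retransmits": [], "errors": [], "ipcp_up": False,
                            "sent_bytes": None, "rcvd_bytes": None}
    for raw in log.splitlines():
        line = raw.strip()
        m, t = PKT.match(line), TOTALS.match(line)
        if m and m.group(1) == "sent":
            key = m.groups()[1:]          # (protocol, code, id, options)
            seen[key] += 1
            if seen[key] == 2:            # pppd keeps the id when it retransmits
                out["retransmits"].append(" ".join(key[:3]))
        elif t:
            out["sent_bytes"], out["rcvd_bytes"] = int(t.group(1)), int(t.group(2))
        elif line == "ipcp: up":
            out["ipcp_up"] = True
        elif line.startswith("PPTP error"):
            out["errors"].append(line)
    # Link negotiated and data was sent, yet the totals show nothing received.
    out["one_way"] = bool(out["ipcp_up"] and out["sent_bytes"] and out["rcvd_bytes"] == 0)
    return out

# Constructed samples: abridged from the two logs quoted in the post above.
BUILTIN_LOG = """\
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x62ebdd17> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x99187502> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x99187502> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x62ebdd17> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x62ebdd17> <pcomp> <accomp>]
ipcp: up
PPTP error when sending echo_reply : Network is unreachable
Sent 10819 bytes, received 0 bytes.
"""
DIGITUNNEL_LOG = """\
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc3b45f11> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x981e46d1> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xc3b45f11> <pcomp> <accomp>]
ipcp: up
Sent 3986 bytes, received 2256 bytes.
"""
if __name__ == "__main__":
    for name, log in (("built-in", BUILTIN_LOG), ("DigiTunnel", DIGITUNNEL_LOG)):
        print(name, summarize(log))
```
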
  • 2. Re: VPN PPTP Client Problem
    guardianblue Level 1 (10 points)
    I ping another machine with its machine name, which is defined in the DNS of my office's LAN.

    The response time is normal.

    I suspect MacOSX's implementation does not take care of some packet, which causes the problem
  • 3. Re: VPN PPTP Client Problem
    leadfromfront Level 1 (0 points)
    I am having apparently the same problem. Just moved to MacBook from Dell Windows machine and attempting to use a longstanding VPN connection into office network.

    The connection is apparently made but no access (mail and file servers) happens and connection times out.

    I think there is a clear bug in the Mac implementation.
  • 4. Re: VPN PPTP Client Problem
    Palahala Level 1 (10 points)
    It did NOT help me, but I've also tried smaller MTU sizes. Furthermore disabling the built-in Airport and using ethernet did not solve the problem. The Cisco VPN client was not able to connect at all, which might be an issue with wrong settings.

    So, just for your information:

    I noticed an MTU setting of 700 in the DigiTunnel settings. I'm connecting to a Speedtouch Wifi access point. This interface uses an MTU of 1500. Google gave me some hints that applications might not be aware of the additional VPN overhead, so lowering the MTU of the VPN PPP connection might avoid too large packages to be sent by applications.

    To show the settings use

    ifconfig -L

    Ethernet is probably en0 (search for 10baseT/UTP), while the Airport is then en1. The VPN connection is only shown when connected. In my case:

    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::217:f2ff:fe46:7a6d%en1 prefixlen 64 scopeid 0x5
    inet 192.168.1.64 netmask 0xffffff00 broadcast 192.168.1.255
    ether 00:17:f2:46:7a:6d
    media: autoselect status: active
    supported media: autoselect
    [..]
    ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1440
    inet x.x.x.202.3 --> x.x.201.3 netmask 0xffff0000

    Next, while connected, using

    sudo ifconfig ppp0 mtu 700

    did NOT solve the very slow VPN connection while using the OS X VPN client.

    The Cisco client, which was not able to connect at all, reported

    Privilege Separation: restoring MTU on primary interface.

    So, I also tried lowering the MTU of the Airport connection somewhat, to no avail. However, I also noticed the Cisco client is trying to use ports 500 and 4500, while the server at work does not use 4500 at all, and this port is not forwarded in my router, which might cause the Cisco client to fail in my case.

    I've not investigated settings in the Speedtouch access point (modem/router) as the same settings work fine when using Windows or DigiTunnel.

    Maybe the above helps people to investigate more.

    Palahala.

    MacBook white 2GHz   Mac OS X (10.4.8)  
  • 5. Re: VPN PPTP Client Problem
    David Hobt Level 1 (5 points)
    Just curious about one thing. I have an iMac and connect using the built-in VPN client with no issue, and used the Cisco client before that. However, when I tried with my PowerBook I could not connect at all.

    After some searching I found out that at least with the VPN endpoint I was connecting to, I had to restart my router when I wanted to connect with a different machine. Something to do with the router needing to recognize the different MAC address.