Re: need help setting up PPTP VPN using mpd

2004-05-04 Thread Mark
On Mon, May 03, 2004 at 06:11:14PM -0500, Brad Tarver wrote:
> I'm trying to set up PPTP connectivity in a lab environment before I 
> attempt to implement in a real-world situation.
> 
> I have two routers and four PCs (two laptops running Windows XP and two 
> desktops running FreeBSD 5.2.1).
> 
> I haven't configured any ipfw or ipfirewall rules yet to keep my 
> configuration 'simple'.
> 
> Both FreeBSD boxes are configured to nat the two Windows boxes to my lab 
> 'internet'.
> 

> 
> Here is my setup:
> 

-snip - snip
< disclaimer yada yada >
 
Here is a working setup of mine with ipfw rules. The bsd comp has static ip but 
the MS comps are dynamic ip so things are loose.
(I also run samba and set up an account for the roaming computers; they have access to
the lan. The password for mpd must match the samba password and the user account on 
freebsd.)

allow tcp from any to any 1723 keep-state
allow gre from any to x.x.x.x in recv dc0 # server ip
allow gre from any to any out xmit dc0
allow ip from any to any via ng0
allow ip from any to any via ng1
allow ip from any to any via ng2


# mpd.conf

default:
   load pptp0
   load pptp1
   load pptp2

pptp0:

   new -i ng0 pptp0 pptp0
   set iface disable on-demand
   set iface enable proxy-arp
   set iface idle 1800
   # set bundle disable multilink
   set link yes acfcomp protocomp
   set link no pap chap
   set link enable chap
   set link keep-alive 10 60
   set link mtu 1460
   set ipcp yes vjcomp
   set ipcp ranges 192.168.1.2/32 192.168.1.50/32
   set ipcp dns 10.1.146.80
   set ipcp nbns 192.168.1.2
   set bundle enable compression
   set ccp yes mppc
   set ccp yes mpp-e40
   set ccp yes mpp-e128
   set ccp yes mpp-stateless

pptp1:

   new -i ng1 pptp1 pptp1
   set iface disable on-demand
   set iface enable proxy-arp
   set iface idle 1800
   # set bundle disable multilink
   set link yes acfcomp protocomp
   set link no pap chap
   set link enable chap
   set link keep-alive 10 60
   set link mtu 1460
   set ipcp yes vjcomp
   set ipcp ranges 192.168.1.2/32 192.168.1.51/32
   set ipcp dns 10.1.146.80
   set ipcp nbns 192.168.1.2
   set bundle enable compression
   set ccp yes mppc
   set ccp yes mpp-e40
   set ccp yes mpp-e128
   set ccp yes mpp-stateless

pptp2:

   new -i ng2 pptp2 pptp2
   set iface disable on-demand
   set iface enable proxy-arp
   set iface idle 1800
   # set bundle disable multilink
   set link yes acfcomp protocomp
   set link no pap chap
   set link enable chap
   set link keep-alive 10 60
   set link mtu 1460
   set ipcp yes vjcomp
   set ipcp ranges 192.168.1.2/32 192.168.1.52/32
   set ipcp dns 10.1.146.80
   set ipcp nbns 192.168.1.2
   set bundle enable compression
   set ccp yes mppc
   set ccp yes mpp-e40
   set ccp yes mpp-e128
   set ccp yes mpp-stateless

# end  ###



___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: need help setting up PPTP VPN using mpd

2004-05-03 Thread Ed Budd
On Mon, 03 May 2004 18:11:14 -0500
Brad Tarver <[EMAIL PROTECTED]> wrote:

> I'm trying to set up PPTP connectivity in a lab environment before I 
> attempt to implement in a real-world situation.
> 
> I have two routers and four PCs (two laptops running Windows XP and
> two desktops running FreeBSD 5.2.1).
> 
> I haven't configured any ipfw or ipfirewall rules yet to keep my 
> configuration 'simple'.
> 
> Both FreeBSD boxes are configured to nat the two Windows boxes to my
> lab 'internet'.
> 
> Can anyone look at the setup below and tell me what I'm missing?
> 
> Here is my setup:
> 
> 
> LaptopA
>    |
>    |
>    | 10.1.2.0/24
>    |
>    | .1
> FreebsdA
>    | .2
>    |
>    | 27.40.15.0/24
>    |
>    | .1
> RouterA
>    | .25
>    |
>    | 26.215.152.0/24
>    |
>    | .26
> RouterB
>    | .1
>    |
>    | 28.80.30.0/24
>    |
>    | .2
> FreebsdB
>    | .1
>    |
>    | 192.168.44.0/24
>    |
>    |
> LaptopB
> 
> 
> I have MPD running on FreebsdA (27.40.15.2). Ipnat is configured on
> both freebsd boxes. When I open a new pptp vpn session on my laptopB,
> it gets to a 'verifying username and pass' stage and then errors.
> 


Brad:

<-- insert big disclaimer here -->

I'm certainly no expert on PPTP but I believe you're going to need to
set up some kind of "passthrough" functionality to get protocol 47
through NAT. What you describe above may be symptomatic of packets
related to tcp 1723 getting through (to initiate authentication) but not
protocol 47 (GRE) which is needed for the tunnel itself. I haven't used
ipnat in some time but I seem to recall some carefully placed redirect
rules as facilitating this. Sorry I can't be more specific. If I find
the documentation I'm thinking about I'll post a link.

Maybe you should try it first without NAT, just straight routing.
Another useful thing might be to enable bpf in the kernel config and run
a packet capture at appropriate chokepoints using tcpdump while you're
testing.

Please post a followup as I'd be interested in hearing (reading) how
things go since I unfortunately don't have time to spare right now in
trying it myself.

Cheers,

EB
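
Added example, not part of either poster's message: both replies in this thread turn on PPTP needing two flows, the TCP 1723 control connection and GRE (protocol 47), so this sketch classifies raw IPv4 packets from a capture at a chokepoint and reports which of the two was seen. The function names are hypothetical and the sample packets are constructed from the addresses in Brad's diagram.

```python
import socket
import struct

PPTP_CONTROL_PORT = 1723   # TCP control connection
IPPROTO_GRE = 47           # tunnel data (enhanced GRE, RFC 2637)
GRE_PROTO_PPP = 0x880B     # protocol type in PPTP's GRE header

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed sample."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return head + payload

def classify(packet):
    """Return (kind, src, dst); kind is 'control', 'gre' or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:      # truncated or not IPv4
        return None, None, None
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    body = packet[ihl:]
    if proto == socket.IPPROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "control", src, dst
    elif proto == IPPROTO_GRE and len(body) >= 4:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        if (flags_ver & 0x7) == 1 and ptype == GRE_PROTO_PPP:   # GRE version 1
            return "gre", src, dst
    return None, src, dst

def pptp_path_report(packets, server_ip):
    """Summarise which PPTP flows were seen to and from server_ip."""
    seen = {"control": False, "gre_to_server": False, "gre_from_server": False}
    for pkt in packets:
        kind, src, dst = classify(pkt)
        if kind == "control" and server_ip in (src, dst):
            seen["control"] = True
        elif kind == "gre" and server_ip in (src, dst):
            seen["gre_to_server" if dst == server_ip else "gre_from_server"] = True
    gre_ok = seen["gre_to_server"] and seen["gre_from_server"]
    seen["verdict"] = ("no control connection: check TCP 1723" if not seen["control"]
                       else "control and GRE both pass" if gre_ok
                       else "control passes, GRE missing: check protocol 47")
    return seen

# Constructed sample: a SYN to the mpd host and GRE in one direction only.
TCP_SYN = struct.pack("!HHIIBBHHH", 1034, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0)
GRE_V1 = struct.pack("!HHHH", 0x2001, GRE_PROTO_PPP, 0, 1)
SAMPLE = [ipv4(6, "28.80.30.2", "27.40.15.2", TCP_SYN),
          ipv4(47, "27.40.15.2", "28.80.30.2", GRE_V1)]
```

Calling pptp_path_report(SAMPLE, "27.40.15.2") reports the control connection as seen and GRE as missing toward the server, the pattern Ed describes.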