Date: Mon, 12 Jun 2006 22:22:15 -0400
From: Nick Fishman <bsdlogical@gmail.com>
To: freebsd-net@freebsd.org
Subject: FreeBSD VPN client to a Windows network using MPD
Message-ID: <448E2157.7020302@bellsouth.net>
I recently tried to set up a VPN connection from home to the office (running Windows Server 2003). I used the mpd port (net/mpd, the 3.x branch), but found configuration much more difficult than it should be. Configuration options seemed to lead to dead ends, but I finally found a working version. I post it here in an effort to dispel confusion and assist others having the same problem. I urge others to correct me and clarify things in my explanation, as I've probably neglected to mention parts. Much configuration and assistance came from a post on this list by Peter Cornelius on 2003/10/09.

For this installation, MPD requires three files: mpd.conf, mpd.links, and mpd.secret. They're stored in /usr/local/etc/mpd.

Here's my mpd.links (note that 1.2.3.4 is the address of your VPN gateway):

    vpn:
        set link type pptp
        set pptp peer 1.2.3.4
        set pptp enable originate outcall

Here's my mpd.secret (in my case, I used my Windows (Active Directory) username without specifying the domain. Your installation may be different; try using "DOMAIN\\username". Note that the quotes are necessary, and two slashes are needed instead of one):

    "username" "password"

Here's my mpd.conf:

    default:
        load vpn

    vpn:
        new -i ng0 vpn vpn
        # the session value does matter, but I'm not sure why
        set iface session 28800
        # "username" here should match "username" in mpd.secret
        set bundle authname "username"
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e56
        set ccp yes mpp-e128
        # set this to your correct routing information
        set iface route 192.168.0.0/24
        open

This is more compact than existing examples on the web, but some options are key to a working connection. The following lines caused my connection to fail (don't use them!):

    set ccp yes mpp-compress
    set bundle enable encryption

Compression is absolutely necessary, but MPPE didn't work in my case. This may differ for you. Encryption is necessary, but don't use "set bundle enable encryption". The Windows RDP server switches to MPPE, which provides encryption.

The following lines didn't visibly affect my connection. After leaving them out, my connection still worked. Some of these probably matter; it would help to get some clarification here:

    set link yes acfcomp protocomp
    set ipcp yes vjcomp
    set iface disable on-demand
    set iface idle 0
    set link keep-alive 61 753
    set link mtu 1460
    set ccp yes mpp-stateless
    set link no pap
    set link accept chap
    set link enable no-orig-auth

Note that the last line is necessary for NT servers, as recommended by Peter. The "no pap" and "accept chap" lines appear in various incarnations in online examples, but aren't necessary for the connection to succeed. It appears as if MPD switches to MPPE automatically during negotiation.

I apologize for the long email. I hope this helps others trying to use FreeBSD as a client for a Windows VPN. Please correct me if I'm wrong on anything.

Nick
bsdlogical
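As an added example (not part of Nick's post and not code from the mpd project), here is a small Python checker for the three-file layout the post describes. It parses mpd.conf, mpd.links and mpd.secret in the format shown above, flags the two options the post reports as breaking the connection, confirms that the bundle authname has a matching line in mpd.secret and that the link named by `new` is a pptp link, and checks that mpd.secret, which holds the password in cleartext, is not group- or world-readable. The sample file contents, the file path used by `check_secret_file`, and the assumed mpd 3.x argument order for `new [-i iface] bundle link ...` are assumptions made for this example.

```python
"""Sanity-check an mpd 3.x PPTP client configuration.

Added example, not from the original post or the mpd project. The sample
contents below are constructed to mirror the layout the post shows.
"""
import os
import shlex
import stat

# Constructed sample files (same layout as the post's working config).
SAMPLE_LINKS = """\
vpn:
    set link type pptp
    set pptp peer 1.2.3.4
    set pptp enable originate outcall
"""

SAMPLE_SECRET = '"username" "password"\n'

SAMPLE_CONF = """\
default:
    load vpn
vpn:
    new -i ng0 vpn vpn
    set iface session 28800
    set bundle authname "username"
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e40
    set ccp yes mpp-e56
    set ccp yes mpp-e128
    set iface route 192.168.0.0/24
    open
"""

# Options the post reports as breaking the connection to the Windows server.
KNOWN_BAD = {
    ("ccp", "yes", "mpp-compress"): "'set ccp yes mpp-compress' broke the connection in the post",
    ("bundle", "enable", "encryption"): "'set bundle enable encryption' broke the connection in the post",
}


def parse_mpd_file(text):
    """Parse the 'label:' / indented-command layout of mpd.conf and mpd.links.
    Returns {label: [argv, ...]}; '#' comments and blank lines are dropped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("command before any label: %r" % raw)
        sections[current].append(shlex.split(line))
    return sections


def parse_mpd_secret(text):
    """Return the set of usernames in mpd.secret (first quoted field per line).
    Passwords are deliberately not returned."""
    users = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            users.add(shlex.split(line)[0])
    return users


def check_config(conf_text, links_text, secret_text, label="vpn"):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    conf = parse_mpd_file(conf_text)
    links = parse_mpd_file(links_text)
    users = parse_mpd_secret(secret_text)
    cmds = conf.get(label)
    if cmds is None:
        return ["label '%s:' not found in mpd.conf" % label]

    authname = None
    has_compression = False
    has_mppe = False
    for argv in cmds:
        if argv[0] == "set" and tuple(argv[1:4]) in KNOWN_BAD:
            findings.append(KNOWN_BAD[tuple(argv[1:4])])
        if argv[:3] == ["set", "bundle", "authname"] and len(argv) > 3:
            authname = argv[3]
        if argv[:4] == ["set", "bundle", "enable", "compression"]:
            has_compression = True
        if argv[:3] == ["set", "ccp", "yes"] and argv[3:4] and argv[3].startswith("mpp-e"):
            has_mppe = True
        if argv[0] == "new":
            # Assumed mpd 3.x syntax: new [-i iface] bundle link ...
            args = argv[1:]
            if args[:1] == ["-i"]:
                args = args[2:]
            for link in args[1:]:
                link_cmds = links.get(link)
                if link_cmds is None:
                    findings.append("link '%s' has no '%s:' entry in mpd.links" % (link, link))
                elif ["set", "link", "type", "pptp"] not in link_cmds:
                    findings.append("link '%s' is not 'set link type pptp'" % link)
    if authname is None:
        findings.append("no 'set bundle authname' in mpd.conf")
    elif authname not in users:
        findings.append("authname '%s' has no matching line in mpd.secret" % authname)
    if not has_compression:
        findings.append("missing 'set bundle enable compression' (post: compression is necessary)")
    if not has_mppe:
        findings.append("no 'set ccp yes mpp-e*' option, so MPPE cannot be negotiated")
    return findings


def check_secret_mode(mode):
    """mpd.secret holds a cleartext password: flag any group/other access bits.
    'mode' is the st_mode value from os.stat()."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["mpd.secret is accessible by group/other (mode %s); use 0600" % oct(stat.S_IMODE(mode))]
    return []


def check_secret_file(path="/usr/local/etc/mpd/mpd.secret"):
    """Stat a real mpd.secret and apply check_secret_mode (path is the post's default)."""
    return check_secret_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONF, SAMPLE_LINKS, SAMPLE_SECRET) or ["config OK"]:
        print(f)
    bad = SAMPLE_CONF.replace("    open\n", "    set bundle enable encryption\n    open\n")
    for f in check_config(bad, SAMPLE_LINKS, SAMPLE_SECRET):
        print(f)
    print(check_secret_mode(0o100644) or ["mpd.secret mode OK"])
```

Run it against the real files by reading them and passing the text to `check_config`, then `check_secret_file()`; the permission check is the one item worth keeping even once the connection works, since mpd.secret is the only one of the three files that contains a credential.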