From: Nick Fishman
To: freebsd-net@freebsd.org
Subject: FreeBSD VPN client to a Windows network using MPD
Date: Mon, 12 Jun 2006 22:22:15 -0400
Message-ID: <448E2157.7020302@bellsouth.net>
List-Id: Networking and TCP/IP with FreeBSD

I recently tried to set up a VPN connection from home to the office (running Windows Server 2003). I used the mpd port (net/mpd, the 3.x branch), but found configuration much more difficult than it should be. Configuration options seemed to lead to dead ends, but I finally found a working version. I post it here in an effort to dispel confusion and assist others having the same problem. I urge others to correct me and clarify things in my explanation, as I've probably neglected to mention parts. Much configuration and assistance came from a post on this list by Peter Cornelius on 2003/10/09.

For this installation, MPD requires three files: mpd.conf, mpd.links, and mpd.secret. They're stored in /usr/local/etc/mpd.

Here's my mpd.links (note that 1.2.3.4 is the address of your VPN gateway):

vpn:
        set link type pptp
        set pptp peer 1.2.3.4
        set pptp enable originate outcall

Here's my mpd.secret (in my case, I used my Windows (Active Directory) username without specifying the domain. Your installation may be different; try using "DOMAIN\\username". Note that the quotes are necessary, and two slashes are needed instead of one):

"username" "password"

Here's my mpd.conf:

default:
        load vpn

vpn:
        new -i ng0 vpn vpn
        # the session value does matter, but I'm not sure why
        set iface session 28800
        # "username" here should match "username" in mpd.secret
        set bundle authname "username"
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e56
        set ccp yes mpp-e128
        # set this to your correct routing information
        set iface route 192.168.0.0/24
        open

This is more compact than existing examples on the web, but some options are key to a working connection. The following lines caused my connection to fail (don't use them!):

        set ccp yes mpp-compress
        set bundle enable encryption

Compression is absolutely necessary, but MPPE didn't work in my case. This may differ for you. Encryption is necessary, but don't use "set bundle enable encryption". The Windows RDP server switches to MPPE, which provides encryption.

The following lines didn't visibly affect my connection. After leaving them out, my connection still worked. Some of these probably matter; it would help to get some clarification here:

        set link yes acfcomp protocomp
        set ipcp yes vjcomp
        set iface disable on-demand
        set iface idle 0
        set link keep-alive 61 753
        set link mtu 1460
        set ccp yes mpp-stateless
        set link no pap
        set link accept chap
        set link enable no-orig-auth

Note that the last line is necessary for NT servers, as recommended by Peter. The "no pap" and "accept chap" lines appear in various incarnations in online examples, but aren't necessary for the connection to succeed. It appears as if MPD switches to MPPE automatically during negotiation.

I apologize for the long email. I hope this helps others trying to use FreeBSD as a client for a Windows VPN. Please correct me if I'm wrong on anything.

Nick
bsdlogical
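Two things in the posted mpd.conf are worth checking before copying it: it says "yes" to mpp-e40, mpp-e56 and mpp-e128 alike, so the server is free to settle on a 40-bit MPPE (RC4) key, and mpd.secret holds the account password in clear text. The lint below is an added example (my own, not from the post or from the mpd project): it parses the "set ccp" lines of an mpd.conf, reports which MPPE key lengths the peer could negotiate, flags anything under 128 bits, and checks that mpd.secret is not group- or world-readable. The config text is reconstructed from the post; the hardened variant assumes mpd's generic option syntax in which "set ccp no <option>" both disables the option locally and denies it if the peer proposes it, which you should confirm against the mpd documentation for your version.

```python
"""Lint an mpd 3.x mpd.conf for MPPE key strength and check mpd.secret permissions.

Added example; the config text is reconstructed from the mailing-list post and the
hardened variant relies on an assumption about mpd's "set ccp no <option>" syntax.
"""
import os
import stat
import tempfile

# Constructed from the configuration in the post (not read from disk).
POSTED_MPD_CONF = """\
default:
        load vpn

vpn:
        new -i ng0 vpn vpn
        # the session value does matter, but I'm not sure why
        set iface session 28800
        # "username" here should match "username" in mpd.secret
        set bundle authname "username"
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e56
        set ccp yes mpp-e128
        # set this to your correct routing information
        set iface route 192.168.0.0/24
        open
"""

# Same config with the 40- and 56-bit key lengths refused. Assumed mpd syntax:
# "no" = disable the option locally and deny it if the peer proposes it.
HARDENED_MPD_CONF = (POSTED_MPD_CONF
                     .replace("set ccp yes mpp-e40", "set ccp no mpp-e40")
                     .replace("set ccp yes mpp-e56", "set ccp no mpp-e56"))

MPPE_KEY_BITS = {"mpp-e40": 40, "mpp-e56": 56, "mpp-e128": 128}
# Verbs under which the option can end up in the negotiated CCP configuration.
PERMISSIVE_VERBS = ("yes", "enable", "accept")


def parse_ccp_options(conf_text):
    """Map each option named on a 'set ccp <verb> <option>...' line to its verb.

    Text after '#' is a comment and is dropped; a later line for the same option wins.
    """
    opts = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[:2] == ["set", "ccp"]:
            for opt in parts[3:]:
                opts[opt] = parts[2]
    return opts


def negotiable_mppe_bits(ccp_opts):
    """MPPE key lengths the peer could settle on under these options, ascending."""
    return sorted(bits for opt, bits in MPPE_KEY_BITS.items()
                  if ccp_opts.get(opt) in PERMISSIVE_VERBS)


def lint_mpd_conf(conf_text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    bits = negotiable_mppe_bits(parse_ccp_options(conf_text))
    findings = []
    if not bits:
        findings.append("no MPPE key length is enabled or accepted; "
                        "the link can come up without encryption")
    weak = [b for b in bits if b < 128]
    if weak:
        findings.append("weak MPPE key lengths negotiable: %s bits"
                        % ", ".join(str(b) for b in weak))
    return findings


def secret_file_problems(path):
    """Flag an mpd.secret that group or other can read or write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s has mode %04o; it holds a clear-text password, chmod 600 it"
                % (path, mode)]
    return []


def demo_secret_check():
    """Write a throwaway mpd.secret, check it at mode 0644 and again at 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mpd.secret")
        with open(path, "w") as f:
            f.write('"username" "password"\n')
        os.chmod(path, 0o644)
        before = secret_file_problems(path)
        os.chmod(path, 0o600)
        after = secret_file_problems(path)
    return len(before), len(after)


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_MPD_CONF), ("hardened", HARDENED_MPD_CONF)):
        print(name, lint_mpd_conf(conf) or ["ok"])
    print("secret file problems before/after chmod 600:", demo_secret_check())
```

Run it as-is to see the posted config flagged for 40- and 56-bit keys and the hardened one pass; to lint a real installation, feed it the contents of /usr/local/etc/mpd/mpd.conf and point secret_file_problems at /usr/local/etc/mpd/mpd.secret. The checker only reasons about key length; whether the server actually insists on MPPE is decided in the PPP negotiation, which this script does not observe.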