From owner-freebsd-questions@FreeBSD.ORG Thu Jun 24 04:41:25 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED1CE16A4CE for ; Thu, 24 Jun 2004 04:41:25 +0000 (GMT)
Received: from saturn.okstate.edu (saturn.okstate.edu [139.78.100.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 83AA143D49 for ; Thu, 24 Jun 2004 04:41:25 +0000 (GMT) (envelope-from lreid@okstate.edu)
Received: from dexter.okstate.edu (dexter.okstate.edu [139.78.100.26]) i5O4fMY208856 for ; Wed, 23 Jun 2004 23:41:24 -0500
Received: from localhost (tools.you.okstate.edu [139.78.102.9]) by dexter.okstate.edu (Sun Internet Mail Server sims.4.0.2001.07.26.11.50.p9) with ESMTP id <0HZS005CHQCXWQ@dexter.okstate.edu> for freebsd-questions@freebsd.org; Wed, 23 Jun 2004 23:41:21 -0500 (CDT)
Received: from ip68-97-167-71.ok.ok.cox.net (IMP) with HTTP for ; Thu, 24 Jun 2004 00:04:28 -0500
Date: Thu, 24 Jun 2004 00:04:28 -0500
From: Reid Linnemann
To: freebsd-questions@freebsd.org
Message-id: <1088053468.40da60dcc9c58@webmail.okstate.edu>
MIME-version: 1.0
Content-type: text/plain; charset=windows-1252
Content-transfer-encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.1
Subject: mpd and the evil vpn
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 24 Jun 2004 04:41:26 -0000

I hope some of the readers out there are more experienced with mpd than I.
I'm having some difficulties setting up a little VPN, and I need some fingers
pointing in the right direction.

Here is the setup: one box is connected to the ISP. Let's call his external IP
[extip]; his internal LAN IP is 192.168.1.1. The local area network consists of
machines numbered 192.168.1.101 to 192.168.1.110. The subnet mask is
255.255.255.0. The VPN addresses should be assigned 192.168.1.201 to
192.168.1.240 or so, with subnet mask 255.255.255.0. This box also acts as a
NAT.

Here is the problem, and I will post my configs after stating it. When an XP
box (the only test platform so far) attempts to connect to mpd, the client acts
like it can't see the PPTP server and freaks out, kicking back error 800, which
is the same message as if there's no machine at the target address. I have yet
to get the 201 host to connect, so I haven't added the other hosts to the
config yet.

And as promised, my config (names have been changed to protect the innocent).

Here is the firewall rule list (no teasing, please):

00100 deny log ip from 127.0.0.1 to any in recv rl0
00200 allow ip from 127.0.0.1 to any
00300 deny log ip from 192.168.1.0/24 to any in recv rl0
00400 deny log ip from 68.97.166.0/23 to any in recv rl1
00500 deny log ip from any to 10.0.0.0/8 via rl0
00600 deny log ip from any to 172.16.0.0/12 via rl0
00700 deny log ip from any to 192.168.0.0/16 via rl0
00800 allow tcp from any to any 1723
00900 allow udp from any to any 1723
01000 allow gre from any to any
01100 divert 8668 ip from any to any via rl0
01200 allow tcp from any to any established
01300 allow ip from any to any frag
01400 allow udp from any to [extip] 8767
01500 allow udp from any to any 14567
01600 allow udp from any to [extip] 22000
01700 allow udp from any to [extip] 23000-23009
01800 allow tcp from any to [extip] 8000 setup
01900 allow tcp from any to [extip] 22 setup
02000 allow tcp from any to 192.168.1.101 22 setup
02100 allow tcp from any to [extip] 2401 setup
02200 allow udp from any to [extip] 2401
02300 allow tcp from [extnet] to [extip] 515 setup
02400 allow tcp from [trustedmachine] to [extip] 515 setup
02500 deny log tcp from any to any in recv rl0 setup
02600 allow tcp from any to any out xmit rl0 setup
02700 allow udp from [extip] to any 53 keep-state
02800 allow udp from [extip] to any 123 keep-state
02900 allow ip from 192.168.1.0/24 to any keep-state
03000 allow ip from [extip] to any keep-state via rl0
65535 allow ip from any to any

and mpd.links:

pptp:
        set link type pptp
        set pptp self 192.168.1.1          # IP address for mpd server
        set pptp enable incoming
        set pptp disable originate

and mpd.conf:

pptp:
        new -i ng0 pptp pptp               ## create a new interface ng0 for the pptp connection
        set iface disable on-demand        ## disable on-demand dialing for this connection
        set iface enable proxy-arp         ## enable the ARP proxy for the created interface
        set bundle disable multilink       ## disable multilink options
        set bundle authname [user_in_mpd_secret]  ## define the username for this connection
        set bundle enable encryption       ## enable encryption for this connection
        set link yes acfcomp protocomp     ## address/control and protocol field compression
        set link disable pap               ## disable PAP authentication for this link
        set link enable chap               ## enable CHAP authentication for this link
        set link keep-alive 10 60          ## keep-alive settings for idle links
        set ipcp enable vjcomp             ## enables header compression for the link
        set ipcp ranges 192.168.1.1/32 192.168.1.201/32  ## sets IP of PPTP server as well as initial link
        #set ipcp dns 10.0.0.1             ## sets IP of DNS server to be given to client
        #set ipcp nbns 10.0.0.20           ## sets IP of the WINS server to be given out
        set bundle enable compression      ## enables tunnel compression
        set ccp enable mppc               ## enables Microsoft point-to-point compression
        set ccp enable mpp-e40             ## 40-bit MPPE encryption
        set ccp enable mpp-e128            ## 128-bit MPPE encryption
        set ccp yes mpp-stateless          ## enables stateless mode for faster recovery
        set bundle enable crypt-reqd       ## require client to have encryption or drop link
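Editor's note (not part of the mail above). A first thing to establish with an "error 800" is which ipfw rule actually decides the PPTP control connection (tcp/1723) and the GRE tunnel when they arrive on the ISP-facing interface, and whether the anti-spoofing rules bite. The script below is an added example, not code from the poster, ipfw or mpd: it parses the rule list exactly as posted and performs a stateless first-match walk. Everything not in the mail is an assumption and is constructed: 198.51.100.10 stands in for [extip], 198.51.100.0/24 for [extnet], 203.0.113.5 for [trustedmachine], rl0 is taken to be the external interface (consistent with rule 00300), and the divert rule is modelled as natd rewriting the source of outbound packets leaving rl0 to [extip]. Dynamic keep-state entries, inbound NAT translation and logging are not modelled.

```python
"""ipfw first-match walk over the rule list posted above (added example, not
from the original mail or from ipfw/mpd). 198.51.100.10 stands in for [extip],
198.51.100.0/24 for [extnet], 203.0.113.5 for [trustedmachine]; all constructed."""
import ipaddress, re
from dataclasses import dataclass, replace
from typing import Optional

EXTIP, EXTNET, TRUSTED = "198.51.100.10", "198.51.100.0/24", "203.0.113.5"
RULES_TEXT = f"""
00100 deny log ip from 127.0.0.1 to any in recv rl0
00200 allow ip from 127.0.0.1 to any
00300 deny log ip from 192.168.1.0/24 to any in recv rl0
00400 deny log ip from 68.97.166.0/23 to any in recv rl1
00500 deny log ip from any to 10.0.0.0/8 via rl0
00600 deny log ip from any to 172.16.0.0/12 via rl0
00700 deny log ip from any to 192.168.0.0/16 via rl0
00800 allow tcp from any to any 1723
00900 allow udp from any to any 1723
01000 allow gre from any to any
01100 divert 8668 ip from any to any via rl0
01200 allow tcp from any to any established
01300 allow ip from any to any frag
01400 allow udp from any to {EXTIP} 8767
01500 allow udp from any to any 14567
01600 allow udp from any to {EXTIP} 22000
01700 allow udp from any to {EXTIP} 23000-23009
01800 allow tcp from any to {EXTIP} 8000 setup
01900 allow tcp from any to {EXTIP} 22 setup
02000 allow tcp from any to 192.168.1.101 22 setup
02100 allow tcp from any to {EXTIP} 2401 setup
02200 allow udp from any to {EXTIP} 2401
02300 allow tcp from {EXTNET} to {EXTIP} 515 setup
02400 allow tcp from {TRUSTED} to {EXTIP} 515 setup
02500 deny log tcp from any to any in recv rl0 setup
02600 allow tcp from any to any out xmit rl0 setup
02700 allow udp from {EXTIP} to any 53 keep-state
02800 allow udp from {EXTIP} to any 123 keep-state
02900 allow ip from 192.168.1.0/24 to any keep-state
03000 allow ip from {EXTIP} to any keep-state via rl0
65535 allow ip from any to any
"""

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "gre", ...
    src: str
    dst: str
    direction: str                  # "in" (arriving) or "out" (leaving)
    recv_if: Optional[str] = None   # interface the packet arrived on
    xmit_if: Optional[str] = None   # interface it leaves on, outbound only
    dport: Optional[int] = None
    syn: bool = False
    ack: bool = False

def parse_rule(line):
    """Parse one `ipfw show`-style line (the subset of syntax used above)."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "dport": None, "opts": {}}
    i = 3 if t[1] == "divert" else 2             # divert carries a natd port
    i += t[i] == "log"                           # skip the log keyword
    r["proto"], r["src"], r["dst"] = t[i], t[i + 2], t[i + 4]   # proto from S to D
    i += 5
    if i < len(t) and (m := re.match(r"^(\d+)(?:-(\d+))?$", t[i])):
        r["dport"], i = (int(m[1]), int(m[2] or m[1])), i + 1
    while i < len(t):                            # remaining tokens are options
        takes_arg = t[i] in ("recv", "xmit", "via")
        r["opts"][t[i]] = t[i + 1] if takes_arg else True
        i += 2 if takes_arg else 1
    return r

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    o = r["opts"]
    if r["proto"] not in ("ip", p.proto) or not (in_net(r["src"], p.src) and in_net(r["dst"], p.dst)):
        return False
    if r["dport"] and not (p.dport is not None and r["dport"][0] <= p.dport <= r["dport"][1]):
        return False
    checks = {"in": p.direction == "in", "out": p.direction == "out",
              "recv": o.get("recv") == p.recv_if, "xmit": o.get("xmit") == p.xmit_if,
              "via": o.get("via") in (p.recv_if, p.xmit_if),
              "setup": p.proto == "tcp" and p.syn and not p.ack,
              "established": p.proto == "tcp" and p.ack,
              "frag": False}                     # whole packets only in this model
    return all(ok for key, ok in checks.items() if key in o)

def decide(pkt, rules=RULES, nat_if="rl0", extip=EXTIP):
    """Stateless first-match walk; returns (verdict, rule number). A divert hit
    is not terminal: modelled like natd on rl0 (assumed from the NAT setup in
    the mail), an outbound packet leaving nat_if resumes at the next rule with
    its source rewritten to extip. keep-state entries and inbound NAT are ignored."""
    p = pkt
    for r in rules:
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            if p.direction == "out" and p.xmit_if == nat_if:
                p = replace(p, src=extip)
            continue
        verdict = {"allow": "allow", "accept": "allow", "pass": "allow", "permit": "allow",
                   "deny": "deny", "drop": "deny"}[r["action"]]   # KeyError on unsupported actions
        return (verdict, r["num"])
    return ("deny", None)                        # ipfw's default policy if nothing matched
```

Walking a SYN to tcp/1723 and a GRE packet from an outside address in on rl0 ends at rules 00800 and 01000 respectively, so the firewall as posted is not what turns the client away; a packet with a 192.168.1.0/24 source arriving on rl0 is stopped by 00300, an unsolicited SYN to any other port by 02500, and a LAN host's DNS query is accepted at 02700 only because the divert has already rewritten its source to [extip]. With the firewall ruled out, the next thing to confirm is that mpd's listener is bound to the address the XP client dials: `set pptp self` is the local address mpd uses for the PPTP control connection, and a listener on 192.168.1.1 alone does not answer a client that dials [extip], which would produce exactly the "no server there" symptom. Independently of the connection problem, PPTP with MS-CHAP and 40-bit MPPE should be regarded as offering no meaningful confidentiality against a network attacker.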