From owner-freebsd-security Wed Oct 9 22:24:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF69637B401 for ; Wed, 9 Oct 2002 22:24:41 -0700 (PDT)
Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 4538F43E75 for ; Wed, 9 Oct 2002 22:24:40 -0700 (PDT) (envelope-from roam@ringlet.net)
Received: (qmail 36822 invoked by uid 85); 10 Oct 2002 05:35:22 -0000
Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by south.nanolink.com with SMTP; 10 Oct 2002 05:35:20 -0000
Received: (qmail 87223 invoked by uid 1000); 10 Oct 2002 05:24:33 -0000
Date: Thu, 10 Oct 2002 08:24:33 +0300
From: Peter Pentchev
To: Chris McCluskey
Cc: freebsd-security@freebsd.org
Subject: Re: VPN Solutions for Win 2K/XP -> FreeBSD (Possible FAQ entry)
Message-ID: <20021010052433.GZ376@straylight.oblivion.bg>
Mail-Followup-To: Chris McCluskey , freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Wt10+cXOThorkX0z"
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.1i
X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d )
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Oct 09, 2002 at 02:02:29PM -0700, Chris McCluskey wrote:
> Where is the FBSD security mailing list FAQ?
>
> If this question is in the FAQ please excuse the repeat, if it's not then
> perhaps it could be added:
>
> I'm looking for a solution to allow a Win 2K/XP client to tunnel through a
> FreeBSD box to a LAN, meeting the following requirements:
>
> 1. The VPN server (a FreeBSD machine) is running NAT so the VPN solution
> must be compatible.
>
> 2. I would like to use the stock MS VPN connection tools (PPTP/L2TP) to keep
> things simple for the MS end users.
>
> 3. If possible I would like to keep the certificate management down to a
> minimum -- possibly using local user level authentication in preference to a
> preshared CA cert.
>
> Does anyone have any experience and good stories in this area? I have looked
> at a variety of solutions on the Internet, but all that I have found either
> requires manual adjustment of security policy
> (http://www.wiretapped.net/~fyre/ipsec/) -- which I'm not sure if my MS end
> users could do without incident) or others involving complications with NAT
> (http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html). Any pointers to the
> "cleanest path" would be appreciated.

A very similar question was asked in this list yesterday; the answer, if
you really do not mind using Win2K's PPTP implementation with the recently
discovered DoS attacks, may well be the same: ports/net/mpd.

Build Netgraph into the kernel or load it as a KLD, then run mpd in server
mode as shown in the sample config files, click your way through setting up
a new VPN/PPTP connection on the Win2K box, and you're on.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am jealous of the first word in this sentence.