Creating a VPN using PPTP

I’m working for a US based company which has an office here in Ottawa. I also work from home, as
do two other employees here. Until today, I’ve been using a VPN from my W2K box, which is what I usually
use from day to day when accessing the office network. But this morning I found a need to access the office
network using one of my FreeBSD boxes. This article shows how I set that VPN up using a pptp client.
I put this client on my gateway box which enabled my entire network to access the VPN. Which is a good thing.

Installing the client

I knew I wanted pptp (because someone told me that’s what I wanted). This was dictated by the fact that
the office (i.e. the server) was using pptp. So here is how I found my options:

[dan@ns1:] $ cd /usr/ports
[dan@ns1:/usr/ports] $ make search key=pptp
Port:   poptop-1.1.2
Path:   /usr/ports/net/poptop
Info:   Windows 9x compatible PPTP (VPN) server
Maint:  nsayer@freebsd.org
Index:  net
B-deps:
R-deps:

Port:   pptpclient-1.0.3
Path:   /usr/ports/net/pptpclient
Info:   PPTP client for establishing a VPN link with an NT server
Maint:  thomas@cuivre.fr.eu.org
Index:  net
B-deps: libgnugetopt-1.1
R-deps: libgnugetopt-1.1

[dan@ns1:/usr/ports] $

Since I wanted a client and did not need a server, I went with net/pptpclient. Here
is the rather complicated installation process:

cd /usr/ports/net/pptpclient
make install

You should read the examples which will be installed at /usr/local/share/examples/pptpclient.

Configuring the client

If you have configured a PPP client before, this should look familiar. I took the example provided
by the port but saved the existing .conf file.

cd /etc/ppp
mv ppp.conf ppp.conf.original
cp /usr/local/share/examples/pptpclient/ppp.conf .
chmod 640 ppp.conf

The chmod ensures that the password contained in the file is not readable by everyone.

If you read the examples in /usr/local/share/examples/pptpclient you will see that you need to
change a few things in the .conf file. I changed the items listed below.

$ less ppp.conf
THEOFFICE:
 set authname myusername
 set authkey mypassword
 set timeout 0
 set ifaddr 0 0
 add 10.5.9.0/24 HISADDR
 alias enable yes

The items I changed are:

  • THEOFFICE: This is just a label. Give it a descriptive value. You will
    use this value on the command line when you invoke pptp.
  • myusername: This is the user name assigned to you and which you use to
    authenticate at the VPN server.
  • mypassword: This is the password you use in combination with the user name
    above.
  • 10.5.9.0/24: This is the network behind the VPN server that you will be reaching
    through the tunnel. Talk to your VPN administrator to find out what value you should be using. This is the value I will be
    using later when I set up a static route.
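As an added check (not part of the article or of the pptpclient port), here is a small Python script that catches the two mistakes this section turns on: commands that are not indented under their label (ppp logs these as "Bad label ... missing colon", which is what the comments below run into) and a ppp.conf whose `set authkey` password is readable by other users, which the chmod 640 above is there to prevent. The two sample configurations inside it are constructed from the THEOFFICE profile, and the label character set is an assumption.

```python
"""Check a user-ppp ppp.conf for layout mistakes and unsafe permissions.

Layout rule (as the article's example uses it): a line at column 0 must be
a label ending in ':'; every command under it must be indented.
Permission rule: the file carries 'set authkey <password>', so nobody but
the owner (and optionally the group) may read it.
"""
import os
import re
import stat
import tempfile

# Assumed label syntax: word characters, dot or dash, then a colon.
LABEL_RE = re.compile(r"^[A-Za-z0-9_.-]+:$")

# Constructed sample: the article's THEOFFICE profile, correctly indented.
GOOD_CONF = """\
THEOFFICE:
 set authname myusername
 set authkey mypassword
 set timeout 0
 set ifaddr 0 0
 add 10.5.9.0/24 HISADDR
 alias enable yes
"""

# Constructed sample: the leading spaces dropped on two lines, which is the
# mistake behind "Warning: Bad label in /etc/ppp/ppp.conf (line N) - missing colon".
BAD_CONF = """\
THEOFFICE:
set authname myusername
set authkey mypassword
 set timeout 0
"""


def check_layout(text):
    """Return [(line_no, message)] for lines ppp would reject."""
    problems = []
    seen_label = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue  # blank lines and comments are fine anywhere
        if line[0] in " \t":
            if not seen_label:
                problems.append((no, "command appears before any label"))
            continue
        if LABEL_RE.match(line):
            seen_label = True
        else:
            problems.append((no, "Bad label (missing colon): indent commands with a space"))
    return problems


def check_mode(mode, text):
    """Return permission problems for a ppp.conf with the given mode bits."""
    problems = []
    has_secret = any(l.split()[:2] == ["set", "authkey"] for l in text.splitlines())
    if mode & stat.S_IRWXO:
        problems.append("world-accessible (mode %04o); the article uses chmod 640" % mode)
    if mode & stat.S_IWGRP:
        problems.append("group-writable (mode %04o)" % mode)
    if has_secret and mode & stat.S_IROTH:
        problems.append("'set authkey' password is readable by every local user")
    return problems


def check_file(path):
    """Run both checks on a real file; returns a list of message strings."""
    with open(path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    msgs = ["line %d: %s" % (no, msg) for no, msg in check_layout(text)]
    return msgs + check_mode(mode, text)


def demo():
    """Write both constructed samples to temp files and check them."""
    results = {}
    for name, text, mode in (("good", GOOD_CONF, 0o640), ("bad", BAD_CONF, 0o644)):
        with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
            fh.write(text)
            path = fh.name
        os.chmod(path, mode)
        results[name] = check_file(path)
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, msgs in demo().items():
        print(name, "->", msgs or ["ok"])
```

Point `check_file` at /etc/ppp/ppp.conf to check a live configuration.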

Starting the client

Starting the client is easy:

/usr/local/sbin/pptp a.b.c.d THEOFFICE

where a.b.c.d is the IP address of VPN Server and
THEOFFICE is the label you created in the ppp.conf
file. When you’re done, you can just CONTROL-C it away.

Running it all the time

The script below appears to do the right thing. There are a few things you should know about
it:

  1. It assumes tun0 is the interface you are using for pptp. If you are using
    more than one PPP connection, you’ll probably have to be more careful with
    this.
  2. While running, you’ll see two instances of pptp running. This appears to be normal.
  3. After stopping, it can take a little while for those two instances of pptp to stop running.
    This also appears normal.

$ less /usr/local/etc/rc.d/pptp.sh
#!/bin/sh
# Start or stop the pptp client at boot. Assumes the tunnel comes up on tun0,
# so ppp writes its pid to /var/run/tun0.pid.

case "$1" in
start)
        /usr/local/sbin/pptp a.b.c.d THEOFFICE &
        ;;

stop)
        if [ -f /var/run/tun0.pid ]
        then
                kill -TERM `cat /var/run/tun0.pid`
        fi
        ;;

*)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
esac

exit 0

Make sure to do a chmod +x on the script (all files in /usr/local/etc/rc.d/
must be named *.sh and be executable in order to be run at boot time).

Optional – static routes

I have two gateways; one is DSL, the other cable. My main connection is DSL and my network machines
use the DSL gateway as their default route. I wanted to put the office VPN on my cable connection
to spread the load slightly. I achieved this by adding a static route on the DSL gateway for the office
subnet, pointing at the cable gateway. Here is how I did that by modifying /etc/rc.conf on the DSL box:

static_routes="MyOffice"
route_MyOffice="10.5.9.0/24 192.168.0.20"

This will ensure that all traffic arriving at the DSL gateway for the subnet 10.5.9.0/24 will be redirected to
192.168.0.20 (which is my cable gateway and the box which is running the pptp client).

You can create additional routes by adding more entries to static_routes. For example
you can do this:

static_routes="MyOffice FriendsHouse AnotherPlace"

and for each entry you will need a matching route_<name> line, like the
route_MyOffice line shown above.

52 thoughts on “Creating a VPN using PPTP”

  1. If you are looking for a pptp server, check out /usr/ports/mpd. I have been using it for a good year, and it works great. The only problem that I ever had was that I forgot to let in/out gre traffic on my ipfilter firewall, which stopped me from connecting. You do have to manually set up each connection, but after that it works well.

    –Matt

    1. OK, I have a dilemma…
      I have setup mpd on my two hosts similar to this:-
      euphoria – calypso – hostname
      172.16.3.3 – 172.16.2.3 – internal IP
      210.54.x.x – 21.54.x.x – firewall IP

      The problem is I am not sure what I need to pinhole on my DSL routers 210.54.x.x etc. to allow incoming connections. Is it using 1723 and GRE like PPTP or some other protocol we don't know about? I can't even telnet to the local IP (on port 1723) from a PC on its own subnet.

      What ports are opened on the box when mpd runs?
      I have to be missing the simple answer here.

      Cheers
      Dan

    2. Dan,
      I don't have a real answer for you, I only run mpd on one end and use Windows as the client. mpd on my box opens port 1723 like you say. If you are running ipfilter (maybe ipfw?), you will need to add rules to pass in/out on the ng device (ng0…), and reload your rules after mpd is running (even if you -HUP mpd). Without reloading the rules I cannot connect at all.

      Here is a slightly edited config I use for ipfilter:
      —snip—
      pass out quick on ng0
      pass in quick on ng0
      —snip—
      # pptp
      pass in quick proto tcp from any to any port = 1723 flags S keep state
      # pptp’s gre
      pass in quick proto gre from any to any
      pass out quick proto gre from any to any
      —snip—

    3. Cool, thanks for that. However, currently my kernel has the following line:
      options IPFIREWALL_DEFAULT_TO_ACCEPT

      I can connect as far as the firewall (DSL router) and no more. Thought it might be a NAT issue, but trying from the internal side made no difference; the port is still closed :o(

      Thanks in advance

      Cheers
      Dan

      1. Dan Langille

        Dan Clark wrote:
        >
        > Cool, thanks for that. However, currently my kernel has
        > the following line:
        > options IPFIREWALL_DEFAULT_TO_ACCEPT

        I prefer default to deny. I prefer to have to explicitly say what is allowed rather than specify what is not allowed. It’s also easier.

    4. I also like using IPFILTER_DEFAULT_BLOCK. It's much easier and more secure in my opinion (less mistake-prone anyway). But I don't use it any longer now that my box is 14 hours away. If I made a mistake in my rules before, the box was just a console cable away, but now not having my rules loaded due to an error is a disaster.
      For a while I used to set a shutdown for a few minutes and apply my test ruleset from a separate file; if it failed, it was just a few minutes until the restart. Yeah, I know that is not a good practice :), but it worked since the box was not really used for anything important. I'm pretty sure there is an easier/safer way to do it but I have not looked into it. Any ideas?

      –Matt

      1. Dan Langille

        ipf has two rule sets (active and inactive). Use that like this:

        ipf -s -Fa -f /etc/ipf.rules && sleep 10 && ipf -s

        The above does this:

        swap the rules sets
        clear the current rule set
        load the rules from that file

        sleep

        swap the rule sets back

        During the sleep, type a few characters and make sure they echo. If they do, press control C. If they don’t, you’ll soon have back the original rule set.

    5. Look for "enable pptp passthrough" or some such on your
      firewall configuration. For instance, a linksys has this
      option; if it’s turned off, pptp just won’t work.

      If your router doesn’t have this option, chuck that baby.

      regards,
      Jeff

    6. Hi…

      I saw this and thought I'd post how I did it – getting PoPToP running as a VPN server for Windows clients. I've gotten it running on FreeBSD
      4.6-PRERELEASE, and thought I'd share with the group.

      1. The first thing I did was of course cvsup my ports tree.
      2. Next, cd to /usr/ports/net/poptop and run make all install clean
      3. You will now need to edit a number of files to make this work:

      —-/usr/local/etc/pptpd.conf——-
      speed 115200
      option /etc/ppp/options

      localip xxx.xxx.xxx.xxx
      remoteip xxx.xxx.xxx.yy-zz
      pidfile /var/run/pptpd.pid
      ————————————

      You will need to change the local and remote IP’s to match your local configuration.
      LocalIP should be an address in your subnet but not the address of your network interface(s).
      RemoteIP should be a **range** in your subnet that the PPTP daemon can assign clients for addresses.

      For example, if your address on interface ep0 is 192.168.1.1, and your subnet mask is 255.255.255.0, localip should be something like 192.168.1.100 and remoteip should be something like 192.168.1.150-200 (written just like that). The PIDFile entry should be obvious.

      You will also need to create a /etc/ppp/options file:

      —/etc/ppp/options—-
      auth
      proxyarp
      pap
      chap
      —/etc/ppp/options—-

      Don't worry too much about what these mean, but auth, chap, and proxyarp NEED to be in there (look them up in man ppp for more info).

      The last file you need is /etc/ppp/ppp.conf

      —/etc/ppp/ppp.conf—-
      loop:
      set timeout 0
      set log phase chat connect lcp ipcp command
      set device localhost:pptp
      set dial
      set login
      # Server (local) IP address, Range for Clients, and Netmask
      set ifaddr 192.168.1.100 192.168.1.150-192.168.1.200 255.255.255.255
      set server /tmp/loop "" 0177

      loop-in:
      set timeout 0
      set log phase lcp ipcp command
      allow mode direct

      pptp:
      load loop
      enable chap
      enable pap
      # Authenticate against /etc/passwd
      enable passwdauth
      # The next depends on your routing. Proxy arp is an easy way out
      enable proxy
      accept dns
      # DNS Servers to assign client – replace with your own
      set dns 1.1.1.1
      set device !/etc/ppp/secure
      —/etc/ppp/ppp.conf—-

      The file above basically needs to stay the way it is, but the line containing set ifaddr needs to have the same info as what you set in pptpd.conf. The first argument should be the value of localip, the second should be the same range as remoteip (just in a slightly different format – you have to spell out the whole range this time) and the last needs to be 255.255.255.255.

      Now, start up the daemon with:

      /usr/local/sbin/pptpd -d

      The remaining setup needs to be done on your Windows machine. I am assuming you are using Windows XP here, but it's pretty much the same as Windows 2000. Go to Start|Settings|Network Connections. Click the new connection wizard. You want to "Connect to the network at my workplace" or something along those lines – whichever one relates to VPNs. Click Next. Choose Virtual Private Network Connection. Click Next. In the Company Name, type whatever you wish and hit Next. The next box will ask you if it should dial your dialup connection before trying to start this one – choose whichever is appropriate and hit Next. In the host name, you need to put the IP of your BSD box (the real routable address… dealing with NAT is another issue). The next screen asks who to make this connection for; choose whichever is appropriate. Next. Hit Finish.

      Phew! Only a little more to go. Windows will now pop up the connection box for this connection. STOP! SLOW DOWN! DON'T CONNECT YET. Breathe. OK, ready? Hit Properties. Under Security, you need to *disable* "Require data encryption". This is just a tunnel, not an IPSec encrypted connection. Click OK, and for your username and password enter your username and password on the BSD box. Life should be good.

      Have fun with your new VPN.

        1. Brad Tarver wrote:

          > Why would you ever use PAP these days? You’re asking to have
          > your data stolen if you use PAP…

          Please provide references supporting your statement.


          The Man Behind The Curtain

          1. Dan wrote:

            > Brad Tarver wrote:
            >
            > > Why would you ever use PAP these days? You’re asking to have
            > > your data stolen if you use PAP…
            >
            > Please provide references supporting your statement.
            >

            Neither PAP nor CHAP involves encryption. In both cases the username is sent in the clear. With PAP the password is sent in the clear too. With CHAP the authentication is done by a challenge/response, thus preventing a replay attack.
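To make the replay point concrete, here is an added Python sketch (not from the thread, and not code from ppp or mpd) that runs RFC 1994 MD5-CHAP and PAP side by side and then re-sends a recorded response against the authenticator's next challenge. The user name and shared secret are constructed; MS-CHAP (the CHAP81/MSCHAPv2 mentioned elsewhere in the comments) differs in detail and is not modelled.

```python
"""PAP versus CHAP (RFC 1994, MD5): why a recorded CHAP response is useless later.

Constructed example. Both protocols carry the user name in the clear; PAP
also carries the password itself, while CHAP carries a digest that depends
on a random per-session challenge.
"""
import hashlib
import hmac
import os

# Constructed authenticator database. Note that CHAP needs the shared
# secret itself on the server (cf. ppp.secret / mpd.secrets), not a hash.
SECRETS = {"vpntest": b"constructed-secret"}


# --- PAP (RFC 1334): name and password sent as-is -------------------------
def pap_request(name, password):
    return {"name": name, "password": password}


def pap_verify(pkt):
    return SECRETS.get(pkt["name"]) == pkt["password"]


# --- CHAP (RFC 1994) with MD5 -----------------------------------------------
def chap_challenge():
    """Authenticator picks a fresh Identifier and a random Challenge value."""
    return {"id": os.urandom(1)[0], "value": os.urandom(16)}


def _chap_digest(ident, secret, value):
    # Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret + value).digest()


def chap_response(challenge, name, secret):
    """Peer answers the challenge it was just given."""
    return {"id": challenge["id"], "name": name,
            "value": _chap_digest(challenge["id"], secret, challenge["value"])}


def chap_verify(challenge, response):
    """Authenticator recomputes the digest for the challenge *it* issued."""
    secret = SECRETS.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = _chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def replay_demo():
    """Model one exchange of each protocol being recorded and re-sent later.

    Returns a dict: PAP credentials validate on re-use, the CHAP response
    validates only for the challenge it was computed for.
    """
    captured_pap = pap_request("vpntest", SECRETS["vpntest"])
    chall1 = chap_challenge()
    captured_chap = chap_response(chall1, "vpntest", SECRETS["vpntest"])
    chall2 = chap_challenge()  # the authenticator's next session
    return {
        "pap_reuse": pap_verify(captured_pap),          # True: same packet works forever
        "chap_first_use": chap_verify(chall1, captured_chap),  # True: legitimate session
        "chap_reuse": chap_verify(chall2, captured_chap),      # False: new challenge value
    }


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print("%-15s %s" % (k, v))
```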

    7. gre does need to be passed in AND out, I just tried having it just in and then just out… got the same result:

      [pptp0] LCP: not converging
      [pptp0] LCP: parameter negotiation failed

      With both passing, it works.

      I don’t believe mpd supports radius/tacacs(+)/whatever, or at least I could not find anything on it. mpd.secrets is it I guess.

    8. I have had a stab at this and I have set it up as you suggest, but I am getting the following errors.

      1) the Windows box reports (Server didn't assign IP address)

      2)
      Warning: Bad label in /etc/ppp/ppp.conf (line 2) – missing colon

      Sep 5 23:30:12 sun ppp[38993]: Warning: Bad label in /etc/ppp/ppp.conf (line 12) – missing colon
      Sep 5 23:30:12 sun ppp[38993]: Warning: Bad label in /etc/ppp/ppp.conf (line 14) – missing colon
      Sep 5 23:30:12 sun pptpd[38992]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
      Sep 5 23:30:12 sun pptpd[38992]: GRE: read error: Bad file descriptor
      Sep 5 23:30:12 sun pptpd[38992]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)

      I guess I have messed up something in the ppp.conf file, but I can't think what, as it's set up just as you say.

      Any ideas ?

    9. Anyone have any ideas on why the Windows client just hangs up totally when I try to connect to my pptp server? The only way I can get the client back is to hard power off the machine. Running pptpd in debug mode and it's not showing me anything in any log file… PPTPD starts just fine, no errors, just the Win client hangs up .. 🙁

    10. Warning: Bad label in /etc/ppp/ppp.conf (line 12) – missing

      This is caused by not having a space before any line that starts with "set" in the ppp.conf, or at least that is how I fixed it on my box.

    11. I initially setup the poptop server to talk to windows clients.. works great, but with no encryption.

      So I fired up mpd.. fantastic! MPPE encryption + MSCHAPv2. Though I know little about networks + security etc., IMHO I would strongly recommend mpd over poptop.

      I basically followed the instructions at http://www.itga.com.au/~gnb/vpn/pptp-serv.html

      Bit of a tangent, but I recently found this article as well:

      http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html

      Some things in there that I hadn't considered, worth a read.

    12. Greetings,

      I've installed mpd on my FreeBSD 4.6 (at my workplace behind a firewall) and configured it. I tried connecting from my WinXP Pro at home and this is what I got at the FreeBSD side:

      [pptp] CHAP: rec’d RESPONSE #2
      Name: "vpntest"
      Peer name: "vpntest"
      Response is valid
      [pptp] CHAP: sending SUCCESS
      [pptp] LCP: authorization successful
      [pptp] LCP: phase shift AUTHENTICATE –> NETWORK
      [pptp] up: 1 link, total bandwidth 64000 bps
      [pptp] IPCP: Up event
      [pptp] IPCP: state change Starting –> Req-Sent
      [pptp] IPCP: SendConfigReq #1
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: Open event
      [pptp] CCP: state change Initial –> Starting
      [pptp] CCP: LayerStart
      [pptp] CCP: Up event
      [pptp] CCP: state change Starting –> Req-Sent
      [pptp] CCP: SendConfigReq #1
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] CCP: rec’d Configure Request #1 link 0 (Req-Sent)
      PRED1
      Not supported
      MPPC
      0x000000e0: MPPE, 40 bit, 56 bit, 128 bit
      [pptp] CCP: SendConfigRej #1
      PRED1
      [pptp] IPCP: rec’d Configure Request #1 link 0 (Req-Sent)
      IPADDR 192.168.1.100
      192.168.1.100 is OK
      COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
      [pptp] IPCP: SendConfigAck #1
      IPADDR 192.168.1.100
      COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
      [pptp] IPCP: state change Req-Sent –> Ack-Sent
      [pptp] IPCP: SendConfigReq #2
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #2
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: SendConfigReq #3
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #3
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: SendConfigReq #4
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #4
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: SendConfigReq #5
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #5
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: SendConfigReq #6
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #6
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: SendConfigReq #7
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #7
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: SendConfigReq #8
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #8
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: SendConfigReq #9
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #9
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: SendConfigReq #10
      IPADDR 192.168.1.3
      COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      [pptp] CCP: SendConfigReq #10
      MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
      [pptp] IPCP: state change Ack-Sent –> Stopped
      [pptp] IPCP: LayerFinish
      [pptp] IPCP: parameter negotiation failed
      [pptp] IPCP: LayerFinish
      [pptp] CCP: state change Req-Sent –> Stopped
      [pptp] CCP: LayerFinish
      [pptp] CCP: parameter negotiation failed
      [pptp] CCP: Close event
      [pptp] CCP: state change Stopped –> Closed
      [pptp] CCP: LayerFinish
      [pptp] bundle: CLOSE event in state OPENED
      [pptp] closing link "pptp"…
      [pptp] bundle: CLOSE event in state CLOSED
      [pptp] closing link "pptp"…
      [pptp] link: CLOSE event
      [pptp] LCP: Close event
      [pptp] LCP: state change Opened –> Closing
      [pptp] LCP: phase shift NETWORK –> TERMINATE
      [pptp] up: 0 links, total bandwidth 9600 bps
      [pptp] IPCP: Down event

      The server can't seem to connect to my WinXP. Did I configure my mpd.conf wrong?

      mpd.conf:
      ===========
      default:
      load pptp

      # PPTP Server
      pptp:
      new -i ng0 pptp pptp

      set bundle disable multilink
      set bundle enable compression
      set bundle enable encryption

      set iface disable on-demand
      set iface disable proxy-arp
      set iface idle 0

      set ipcp ranges 192.168.1.3/30 192.168.1.100/30
      set ipcp dns 192.168.0.1
      set ipcp enable vjcomp

      set link enable acfcomp protocomp
      set link disable pap
      set link enable chap
      set link keep-alive 10 60

      set ccp enable mppc
      set ccp enable mpp-compress
      set ccp enable mpp-e40
      set ccp enable mpp-e128
      set ccp enable mpp-stateless

      I can't seem to figure it out. Can anyone help me?

      Regards
      MC

    13. Omer Faruk Sen

      I am trying to use pptpclient, but on my mpd server when I try to send packets (such as pinging the mpd server) I get these errors on the mpd server. I have no idea why that can be… Any comments?

      [pptp1] rec’d unexpected protocol 0x00b1 on link -1, rejecting
      [pptp1] rec’d proto 0xe21d on MP link! (ignoring)
      [pptp1] rec’d unexpected protocol 0xa0ab on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x0007 on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x00dd on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x0035 on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x0a8d on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x00b7 on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x56db on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x00df on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0xba57 on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x004f on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x0081 on link -1, rejecting
      [pptp1] rec’d unexpected protocol CRYPT on link -1, rejecting
      [pptp1] rec’d unexpected protocol 0x009d on link -1, rejecting

      1. To Omer Faruk Sen:
        I have the same problem:
        2 routers – Win2k Server (RAS) and FreeBSD (mpd). When FBSD is connecting to Win I have something like this…


        [pptp1] rec’d unexpected protocol 0x56db on link -1, rejecting
        [pptp1] rec’d unexpected protocol CRYPT on link -1, rejecting
        [pptp1] rec’d unexpected protocol 0x009d on link -1, rejecting

        but when Win is connecting to FBSD all is right.

        When I add the lines:
        set link disable pap chap
        set link accept chap
        to mpd.conf these error messages disappear, but Win2k can not connect to FBSD.

        Maybe this helps you too.

        ps: sorry for my english. 😉

    14. Hi All,
      I have a question about mpd. I have read through a number of howtos etc., but I have been unable to get mpd to open port 1723 for a PPTP VPN.

      There are no errors in the log files, it creates the interface ng0, and is running in the background.

      Am I missing something obvious? I can post configs if required.

      FreeBSD 4.10 stable
      mpd-3.18_2

      Regards
      Leigh Finch

    1. This is very likely not the best solution:

      You could use init (/etc/ttys) to keep it going. In pptp.sh, change the 5th line by removing the ending ‘&’ (no bg). Then, in /etc/ttys, add or modify the/a line to something like ‘ttyvc "/usr/local/etc/rc.d/pptp.sh" unknown on secure’. Just an idea..

      ‘init q’ to refresh /etc/ttys

    2. Actually, for that to work, you'd have to pass ‘start’ to pptp.sh. So instead of ‘ttyvc "/usr/local/etc/rc.d/pptp.sh" unknown on secure’, it'd be ‘ttyvc "/usr/local/etc/rc.d/pptp.sh start" unknown on secure’

  2. Aaron Wright

    I’m having a problem connecting to a VPN server. Below is the contents of my /var/log/ppp.log file. I’m pretty sure all the settings in my ppp.conf file are correct, which is also included. Can anyone direct me to what the problem might be? If it’s a problem with the server, can you maybe tell me what could be done to fix it? I’ll suggest that to the admin, since he knows nothing about BSD or making the pptp server compatible to BSD.

    #pptp ip-addy GSW

    ppp.conf:
    GSW:
    set authname vpn-user
    set authkey vpn-user-password
    set timeout 0
    set ifaddr 0 0
    add 10.12.1.252/24 HISADDR
    alias enable yes

    ppp.log:
    May 8 11:41:45 SUN ppp[9143]: Phase: Using interface: tun0
    May 8 11:41:45 SUN ppp[9143]: Phase: deflink: Created in closed state
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: ident user-ppp VERSION (built COMPILATIONDATE)
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: set device /dev/cuaa1
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: set speed 115200
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: set dial ABORT BUSY ABORT NO\sCARRIER TIMEOUT 5 "" AT OK-AT-OK ATE
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: set timeout 180
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: enable dns
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: set authname vpn023
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: set authkey ********
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: set timeout 0
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: set ifaddr 0 0
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: add 10.12.1.252/24 HISADDR
    May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: alias enable yes
    May 8 11:41:45 SUN ppp[9143]: tun0: Warning: The alias command is deprecated
    May 8 11:41:45 SUN ppp[9143]: tun0: Phase: PPP Started (direct mode).
    May 8 11:41:45 SUN ppp[9143]: tun0: Phase: bundle: Establish
    May 8 11:41:45 SUN ppp[9143]: tun0: Phase: deflink: closed -> opening
    May 8 11:41:45 SUN ppp[9143]: tun0: Phase: deflink: Connected!
    May 8 11:41:45 SUN ppp[9143]: tun0: Phase: deflink: opening -> carrier
    May 8 11:41:46 SUN ppp[9143]: tun0: Phase: deflink: carrier -> lcp
    May 8 11:41:46 SUN ppp[9143]: tun0: LCP: FSM: Using "deflink" as a transport
    May 8 11:41:46 SUN ppp[9143]: tun0: LCP: deflink: State change Initial –> Closed
    May 8 11:41:46 SUN ppp[9143]: tun0: LCP: deflink: State change Closed –> Stopped
    May 8 11:41:47 SUN ppp[9143]: tun0: LCP: deflink: LayerStart
    May 8 11:41:47 SUN ppp[9143]: tun0: LCP: deflink: SendConfigReq(1) state = Stopped
    May 8 11:41:47 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
    May 8 11:41:47 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
    May 8 11:41:47 SUN ppp[9143]: tun0: LCP: ACCMAP[6] 0x00000000
    May 8 11:41:47 SUN ppp[9143]: tun0: LCP: MRU[4] 1500
    May 8 11:41:47 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0x3dc85b26
    May 8 11:41:47 SUN ppp[9143]: tun0: LCP: deflink: State change Stopped –> Req-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendConfigReq(1) state = Req-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACCMAP[6] 0x00000000
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MRU[4] 1500
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0x3dc85b26
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvConfigReq(1) state = Req-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MRU[4] 338
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: AUTHPROTO[5] 0xc223 (CHAP 0x81)
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0xdb765022
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendConfigAck(1) state = Req-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MRU[4] 338
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: AUTHPROTO[5] 0xc223 (CHAP 0x81)
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0xdb765022
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: State change Req-Sent –> Ack-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvConfigRej(1) state = Ack-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: Sending ident magic 3dc85b26 text user-ppp 2.3.3 (built Feb 17 2002)
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendIdent(0) state = Ack-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACCMAP[6] 0x00000000
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendConfigReq(2) state = Ack-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MRU[4] 1500
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0x3dc85b26
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvCodeRej(2) state = Ack-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvConfigAck(2) state = Ack-Sent
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: State change Ack-Sent –> Opened
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: LayerUp
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: Sending ident magic 3dc85b26 text user-ppp 2.3.3 (built Feb 17 2002)
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendIdent(1) state = Opened
    May 8 11:41:50 SUN ppp[9143]: tun0: Phase: bundle: Authenticate
    May 8 11:41:50 SUN ppp[9143]: tun0: Phase: deflink: his = CHAP 0x81, mine = none
    May 8 11:41:50 SUN ppp[9143]: tun0: Phase: Chap Input: CHALLENGE (16 bytes from watchguard)
    May 8 11:41:50 SUN ppp[9143]: tun0: Phase: Chap Output: RESPONSE (vpn023)
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvCodeRej(3) state = Opened
    May 8 11:41:50 SUN ppp[9143]: tun0: Phase: Chap Input: SUCCESS (S=25dd32c6dbd3184ffd158ee4a03cfa7d63792ab5)
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: LayerDown
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendTerminateReq(3) state = Opened
    May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: State change Opened –> Closing
    May 8 11:41:50 SUN ppp[9143]: tun0: Warning: CHAP81: AuthenticatorResponse: (S=25DD32C6DBD3184FFD158EE4A03CFA7D63792AB5) != ans: (S
    May 8 11:41:50 SUN ppp[9143]: tun0: IPCP: deflink: Error: Unexpected IPCP in phase Authenticate (ignored)
    May 8 11:41:51 SUN ppp[9143]: tun0: CCP: deflink: Error: Unexpected CCP in phase Authenticate (ignored)
    May 8 11:41:51 SUN ppp[9143]: tun0: LCP: deflink: RecvTerminateAck(3) state = Closing
    May 8 11:41:51 SUN ppp[9143]: tun0: LCP: deflink: LayerFinish
    May 8 11:41:51 SUN ppp[9143]: tun0: LCP: deflink: State change Closing –> Closed
    May 8 11:41:51 SUN ppp[9143]: tun0: LCP: deflink: State change Closed –> Initial
    May 8 11:41:51 SUN ppp[9143]: tun0: Phase: deflink: Disconnected!
    May 8 11:41:51 SUN ppp[9143]: tun0: Phase: deflink: Connect time: 6 secs: 402 octets in, 398 octets out
    May 8 11:41:51 SUN ppp[9143]: tun0: Phase: deflink: : 10 packets in, 8 packets out
    May 8 11:41:51 SUN ppp[9143]: tun0: Phase: total 133 bytes/sec, peak 150 bytes/sec on Wed May 8 11:41:51 2002
    May 8 11:41:51 SUN ppp[9143]: tun0: Phase: deflink: lcp -> closed
    May 8 11:41:51 SUN ppp[9143]: tun0: Phase: bundle: Dead
    May 8 11:41:51 SUN ppp[9143]: tun0: Phase: PPP Terminated (normal).

    1. Today I got both jobs configured: VPN server with Win2k and VPN client with FreeBSD. Also note I'm using PPPoE instead of PPTP on Win2k. Just suggest to your VPN server admin to install the PPPoE protocol named RASPPPoE; this software is not Microsoft proprietary. For the FreeBSD client all you need is to edit /etc/ppp.conf (refer to: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pppoe.html)

      This may give you a clue if you need to run a VPN client with FreeBSD anyway.

    2. Hello,
      Your ppp seems not to support CHAP81, which corresponds to MSCHAPv2,
      so you can't authenticate.
      Try recompiling ppp; it worked for me.

      Cybil

    3. Hi,

      I have a PC with Win98 and would like to know if there is a free L2TP client to install on my PC so I can connect to the LNS in our business network.

  3. Hi,
    I'm running the PPTP client for OpenBSD 3.1 as root and receive "echo rqst" and "echo reply" messages from the pptp call manager despite running pptp as a background process. Is there any workaround for this?
    Thanks,
    -Brian

    1. The only people who are going to read your message are those reading the article. If you want help, please post your question in the support phorum (/phorum/).

      1. I don't think that /var/run/tun0.pid is executable. This file exists only while pptp is running; that's why it's better to use -f (-x is not working in this case either).

  4. Jose M. Perales

    A question: is it possible to use pptpclient on an ADSL connection with a fixed (permanent, dedicated) IP address?
    I do not use PPPoE; my Ethernet interface is xl0 (3Com 3c950 Ethernet), used as the interface for a normal connection to the router.

    Thanks && regards

  5. Hi,
    Does anyone know if this FreeBSD pptp supports NT authentication, or of a way to add support for it? I am planning on using pptp on my FreeBSD router to link my network to a friend's, but he is running a .NET domain, so I think NT authentication will be required.
    Regards,
    Paul Lakin

    1. Hi guys, sorry to interrupt, but I am wondering how I can enable MPPE in ppp? Can you explain in detail? Thanks. I am new to VPN…

      I am using FreeBSD 4.8-RELEASE, pptpclient 1.3.1; no matter what I do, I just can't get through the VPN authentication.

      In the log file, I got this in the middle of a single connect:

      chap input:success
      deflink: lcp -> open
      bundle: network
      deflink: open -> lcp
      bundle: Terminate
      deflink: disconnected!
      deflink: connect time 5 sec …….

      Wondering what seems to be the problem?

  6. I just got this to work, everything went real smoothly except it took me a little while to figure out why I was getting this error:

    Oct 28 18:15:32 aynlaptop pptp[80308]: log[decaps_hdlc:pptp_gre.c:129]: short read (0): Invalid argument

    Turned out that we have to escape anything out of the ordinary; the most obvious is the '\' in NT_DOMAIN\username. Also, if you have anything weird in your password, you need to escape those characters as well.

    Just thought I should add this in case somebody out there is wasting time figuring out that same error.

    –Andrew

  7. ppp.conf:

    vpn:
    set authname AUTHNAME
    set authkey PASSWORD
    set timeout 0
    set ifaddr 0 0
    add 10.1.1.1/24 HISADDR
    alias enable yes

    pptp 10.1.1.1 vpn

    ppp.log:

    Nov 30 14:57:30 ppp[1116]: Warning: Label vpn rejected -direct connection: /etc/ppp/ppp.conf : File not found
    Nov 30 14:57:53 ppp[1122]: Phase: Using interface: tun0
    Nov 30 14:57:53 ppp[1122]: Phase: deflink: Created in closed state
    Nov 30 14:57:53 ppp[1122]: Warning: The alias command is deprecated
    Nov 30 14:57:53 ppp[1122]: Phase: PPP Started (direct mode).
    Nov 30 14:57:53 ppp[1122]: Phase: bundle: Establish
    Nov 30 14:57:53 ppp[1122]: Phase: deflink: closed -> opening
    Nov 30 14:57:53 ppp[1122]: Phase: deflink: Connected!
    Nov 30 14:57:53 ppp[1122]: Phase: deflink: opening -> carrier
    Nov 30 14:57:54 ppp[1122]: Phase: deflink: carrier -> lcp
    Nov 30 14:57:55 ppp[1122]: Phase: bundle: Authenticate
    Nov 30 14:57:55 ppp[1122]: Phase: deflink: his = CHAP 0x05, mine = none
    Nov 30 14:57:55 ppp[1122]: Phase: Chap Input: CHALLENGE (16 bytes)
    Nov 30 14:57:55 ppp[1122]: Phase: Chap Output: RESPONSE (krezapostol)
    Nov 30 14:57:55 ppp[1122]: Phase: Chap Input: SUCCESS (Welcome!!)
    Nov 30 14:57:55 ppp[1122]: Phase: deflink: lcp -> open
    Nov 30 14:57:55 ppp[1122]: Phase: bundle: Network
    Nov 30 14:57:55 ppp[1122]: Error: rt_Set: Cannot add a route with gateway 0.0.0.0
    Nov 30 14:57:55 ppp[1122]: Phase: Signal 15, terminate.
    Nov 30 14:57:55 ppp[1122]: Phase: deflink: read (0): Got zero bytes
    Nov 30 14:57:55 ppp[1122]: Phase: deflink: open -> lcp
    Nov 30 14:57:55 ppp[1122]: Phase: bundle: Terminate
    Nov 30 14:57:55 ppp[1122]: Phase: deflink: Disconnected!
    Nov 30 14:57:55 ppp[1122]: Phase: deflink: Connect time: 2 secs: 896 octets in, 625 octets out
    Nov 30 14:57:55 ppp[1122]: Phase: deflink: 10 packets in, 18 packets out
    Nov 30 14:57:55 ppp[1122]: Phase: total 760 bytes/sec, peak 0 bytes/sec on Sun Nov 30 14:57:53 2003
    Nov 30 14:57:55 ppp[1122]: Phase: deflink: lcp -> closed
    Nov 30 14:57:55 ppp[1122]: Phase: bundle: Dead
    Nov 30 14:57:55 ppp[1122]: Phase: PPP Terminated (normal).

    1. Beeborat wrote:

      > ppp.conf:
      >
      > vpn:
      > set authname AUTHNAME
      > set authkey PASSWORD

      I changed your post so it includes a fake authname and authkey setting, just in case those were your real values.

      > set timeout 0
      > set ifaddr 0 0
      > add 10.1.1.1/24 HISADDR
      > alias enable yes
      >
      > pptp 10.1.1.1 vpn
      >
      > ppp.log:
      >
      > Nov 30 14:57:30 ppp[1116]: Warning: Label vpn rejected -direct
      > connection: /etc/ppp/ppp.conf : File not found

      I think that you should solve this problem first. I don’t have any suggestions.

      > Nov 30 14:57:53 ppp[1122]: Phase: Using interface: tun0
      > Nov 30 14:57:53 ppp[1122]: Phase: deflink: Created in closed
      > state
      > Nov 30 14:57:53 ppp[1122]: Warning: The alias command is
      > deprecated

      Looks like alias is deprecated. Read the man page. Perhaps the replacement is nat.

      > Nov 30 14:57:53 ppp[1122]: Phase: PPP Started (direct mode).
      > Nov 30 14:57:53 ppp[1122]: Phase: bundle: Establish
      > Nov 30 14:57:53 ppp[1122]: Phase: deflink: closed -> opening
      > Nov 30 14:57:53 ppp[1122]: Phase: deflink: Connected!
      > Nov 30 14:57:53 ppp[1122]: Phase: deflink: opening -> carrier
      >
      > Nov 30 14:57:54 ppp[1122]: Phase: deflink: carrier -> lcp
      > Nov 30 14:57:55 ppp[1122]: Phase: bundle: Authenticate
      > Nov 30 14:57:55 ppp[1122]: Phase: deflink: his = CHAP 0x05,
      > mine = none
      > Nov 30 14:57:55 ppp[1122]: Phase: Chap Input: CHALLENGE (16
      > bytes)
      > Nov 30 14:57:55 ppp[1122]: Phase: Chap Output: RESPONSE
      > (krezapostol)
      > Nov 30 14:57:55 ppp[1122]: Phase: Chap Input: SUCCESS
      > (Welcome!!)
      > Nov 30 14:57:55 ppp[1122]: Phase: deflink: lcp -> open
      > Nov 30 14:57:55 ppp[1122]: Phase: bundle: Network
      > Nov 30 14:57:55 ppp[1122]: Error: rt_Set: Cannot add a route
      > with gateway 0.0.0.0

      That’s interesting too.

      > Nov 30 14:57:55 ppp[1122]: Phase: Signal 15, terminate.
      > Nov 30 14:57:55 ppp[1122]: Phase: deflink: read (0): Got zero
      > bytes
      > Nov 30 14:57:55 ppp[1122]: Phase: deflink: open -> lcp
      > Nov 30 14:57:55 ppp[1122]: Phase: bundle: Terminate
      > Nov 30 14:57:55 ppp[1122]: Phase: deflink: Disconnected!
      > Nov 30 14:57:55 ppp[1122]: Phase: deflink: Connect time: 2
      > secs: 896 octets in, 625 octets out
      > Nov 30 14:57:55 ppp[1122]: Phase: deflink: 10 packets in, 18
      > packets out
      > Nov 30 14:57:55 ppp[1122]: Phase: total 760 bytes/sec, peak 0
      > bytes/sec on Sun Nov 30 14:57:53 2003
      > Nov 30 14:57:55 ppp[1122]: Phase: deflink: lcp -> closed
      > Nov 30 14:57:55 ppp[1122]: Phase: bundle: Dead
      > Nov 30 14:57:55 ppp[1122]: Phase: PPP Terminated (normal).

      I don’t use pptp often enough to know what’s going on.


      The Man Behind The Curtain
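A small checker for the two ppp.conf pitfalls raised in this thread, the lone backslash in NT_DOMAIN\username from comment 6 and the deprecated alias command from the reply above, plus a file-mode check because authkey holds a cleartext password. This is an added example, not code from the article or from the pptpclient port; the sample config and its label, account and key are constructed placeholders.

```python
import stat
from typing import Dict, List

# Constructed sample in the style of the ppp.conf fragments posted in the
# thread; the label, account and key are placeholders, not real values.
SAMPLE_PPP_CONF = """\
vpn:
 set authname NT_DOMAIN\\jdoe
 set authkey secret
 set timeout 0
 set ifaddr 0 0
 add 10.1.1.1/24 HISADDR
 alias enable yes
"""

def parse_ppp_conf(text: str) -> Dict[str, List[str]]:
    """{label: [command, ...]}: a label is an unindented line ending in ':'."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def check_commands(label: str, commands: List[str]) -> List[str]:
    findings = []
    for cmd in commands:
        words = cmd.split(None, 2)
        if len(words) == 3 and words[:2] in (["set", "authname"], ["set", "authkey"]):
            # Drop properly escaped pairs first; any backslash left is a lone one,
            # which comment 6 reports breaks the connection until it is escaped.
            if "\\" in words[2].replace("\\\\", ""):
                findings.append(f"{label}: lone backslash in 'set {words[1]}', escape it as \\\\")
        elif words and words[0] == "alias":
            findings.append(f"{label}: 'alias' is deprecated, use 'nat' (e.g. 'nat enable yes')")
    return findings

def audit_ppp_conf(text: str, mode: int) -> List[str]:
    """Combine the permission check with the per-section command checks."""
    # authkey is a cleartext password, so the file must not be world-readable
    findings = ["ppp.conf is world-readable, chmod 640 it"] if mode & stat.S_IROTH else []
    for label, commands in parse_ppp_conf(text).items():
        findings.extend(check_commands(label, commands))
    return findings
```

Feed it the text of /etc/ppp/ppp.conf and the st_mode from os.stat; an empty list means none of the three issues was found.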

  8. Hello

    I have the following configuration:

    vpn:
    set authname username
    set authkey password
    set timeout 0
    set ifaddr 0 0
    add ip_address/24 HISADDR
    alias enable yes

    So, here is ok.

    When I started the service, this error occurred:
    warn[open_inetsock:pptp_callmgr.c:312]:connect: Connection refused
    fatal[callmgr_main:pptp_callmgr.c:121]: Could not open control connection to ip_address
    fatal[open_callmgr:pptp.c:379]: Call manager exited with error 256

    Any idea about what causes these errors?

    Thanks
