Creating a VPN using PPTP
I’m working for a US based company which has an office here in Ottawa. I also work from home, as
do two other employees here. Until today, I’ve been using a VPN from my W2K box, which is what I usually
use from day to day when accessing the office network. But this morning I found a need to access the office
network using one of my FreeBSD boxes. This article shows how I set that VPN up using a pptp client.
I put this client on my gateway box, which enabled my entire network to access the VPN. Which is a good thing.
Installing the client
I knew I wanted pptp (because someone told me that’s what I wanted). This was dictated by the fact that
the office (i.e. the server) was using pptp. So here is how I found my options:
[dan@ns1:] $ cd /usr/ports
[dan@ns1:/usr/ports] $ make search key=pptp
Port:   poptop-1.1.2
Path:   /usr/ports/net/poptop
Info:   Windows 9x compatible PPTP (VPN) server
Maint:  nsayer@freebsd.org
Index:  net
B-deps:
R-deps:

Port:   pptpclient-1.0.3
Path:   /usr/ports/net/pptpclient
Info:   PPTP client for establishing a VPN link with an NT server
Maint:  thomas@cuivre.fr.eu.org
Index:  net
B-deps: libgnugetopt-1.1
R-deps: libgnugetopt-1.1
[dan@ns1:/usr/ports] $
Since I wanted a client and did not need a server, I went with net/pptpclient. Here is the rather complicated installation process:
cd /usr/ports/net/pptpclient
make install
You should read the examples which will be installed at /usr/local/share/examples/pptpclient.
Configuring the client
If you have configured a PPP client before, this should look familiar. I took the example provided
by the port, but saved the existing .conf file first.
cd /etc/ppp
mv ppp.conf ppp.conf.original
cp /usr/local/share/examples/pptpclient/ppp.conf .
chmod 640 ppp.conf
The chmod ensures that the password contained in the file is not readable by everyone. The file should
be owned by root; if no other user on the box needs to run ppp, mode 600 is stricter still.
If you read the examples in /usr/local/share/examples/pptpclient you will see that you need to
change a few things in the .conf file. Here is the resulting file; the items I changed are described below.
Note that the label starts in column 1 and every command under it is indented, as ppp requires.
$ less ppp.conf
THEOFFICE:
 set authname myusername
 set authkey mypassword
 set timeout 0
 set ifaddr 0 0
 add 10.5.9.0/24 HISADDR
 alias enable yes
The items I changed are:
- THEOFFICE: This is just a label. Give it a descriptive value. You will use this value on the
command line when you invoke pptp.
- myusername: This is the user name assigned to you, which you use to authenticate at the VPN server.
- mypassword: This is the password you use in combination with the user name above.
- 10.5.9.0/24: This is the network on the far side of the VPN, the one you will be connecting to.
Talk to your VPN administrator to find out what value you should be using. This is the value I will be
using later when I add a static route.
Newer versions of ppp(8) warn that the alias command is deprecated (you will see "The alias command
is deprecated" in ppp.log); nat enable yes is the current spelling and does the same thing.
Starting the client
Starting the client is easy:
/usr/local/sbin/pptp a.b.c.d THEOFFICE
where a.b.c.d is the IP address of the VPN server and THEOFFICE is the label you created in the
ppp.conf file. When you're done, you can just CONTROL-C it away.
If the connection never comes up, check that every firewall between you and the server passes both
TCP port 1723 and GRE (IP protocol 47); PPTP needs both, and a dropped GRE stream shows up as LCP
negotiation that never converges.
Running it all the time
This script appears to do the right thing. There are a few things you should know about this
script:
- It assumes tun0 is the interface you are using for pptp. If you are using more than one PPP
connection, you'll probably have to be more careful with this.
- While running, you'll see two instances of pptp running. This appears to be normal.
- After stopping, it can take a little while for those two instances of pptp to stop running.
This also appears normal.
$ less /usr/local/etc/rc.d/pptp.sh
#!/bin/sh
case "$1" in
start)
        /usr/local/sbin/pptp a.b.c.d THEOFFICE &
        ;;
stop)
        if [ -f /var/run/tun0.pid ]
        then
                kill -TERM `cat /var/run/tun0.pid`
        fi
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
esac
exit 0
Make sure to do a chmod +x on the script (all files in /usr/local/etc/rc.d/ must end in .sh and be
executable in order to be run at boot time).
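The stop branch above trusts whatever number is in /var/run/tun0.pid, and the start branch happily launches a second client beside the first. Here is an added example of a pptp.sh that checks both (my code, not the script from the article): it validates the pid before signalling it, waits for the process to exit, cleans up stale pidfiles, and refuses to start when a live client already exists. The paths, the server address a.b.c.d and the label THEOFFICE are the article's values and are overridable through the environment.

```shell
#!/bin/sh
# Added example, not the article's script: pptp.sh with pid validation.
# Assumed values (from the article): client at /usr/local/sbin/pptp,
# pidfile /var/run/tun0.pid, VPN server a.b.c.d, ppp.conf label THEOFFICE.

PPTP=${PPTP:-/usr/local/sbin/pptp}
PIDFILE=${PIDFILE:-/var/run/tun0.pid}
SERVER=${SERVER:-a.b.c.d}
LABEL=${LABEL:-THEOFFICE}

# live_pid PIDFILE: print the pid stored in PIDFILE if it is purely numeric
# and that process is alive; otherwise print nothing and return 1.
live_pid() {
    [ -f "$1" ] || return 1
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;        # empty, or not a number: never kill it
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# pptp_stop PIDFILE [SECONDS]: send SIGTERM to the recorded process and wait
# up to SECONDS for it to exit. A missing or stale pidfile is removed and
# counts as success. Returns 1 if the process is still alive at the deadline.
pptp_stop() {
    pidfile=$1
    deadline=${2:-10}
    pid=$(live_pid "$pidfile") || { rm -f "$pidfile"; return 0; }
    kill -TERM "$pid" 2>/dev/null || return 1
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        if [ "$i" -ge "$deadline" ]; then
            echo "pid $pid did not exit within ${deadline}s" >&2
            return 1
        fi
        sleep 1
    done
    rm -f "$pidfile"
    return 0
}

# pptp_start: launch the client unless the pidfile points at a live process.
pptp_start() {
    if live_pid "$PIDFILE" >/dev/null; then
        echo "pptp already running, see $PIDFILE" >&2
        return 1
    fi
    "$PPTP" "$SERVER" "$LABEL" &
}

case ${1:-} in
    start)  pptp_start ;;
    stop)   pptp_stop "$PIDFILE" 10 ;;
    status) live_pid "$PIDFILE" || { echo "pptp is not running" >&2; exit 1; } ;;
    '')     ;;                          # no action: just define the functions
    *)      echo "Usage: $(basename "$0") {start|stop|status}" >&2 ;;
esac
```

The numeric check matters because a corrupted or attacker-written pidfile fed to `kill` unguarded can take down an unrelated process; `kill -0` then filters out stale entries left behind by a crash.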
Optional – static routes
I have two gateways; one is DSL, the other cable. My main connection is DSL and my network machines
use the DSL gateway as their default route. I wanted to put the office VPN on my cable connection
to spread the load slightly. I achieved this by adding a static route on the DSL gateway which pointed
the office subnet at the cable gateway. Here is how I did that by modifying /etc/rc.conf
on the DSL box:
static_routes="MyOffice"
route_MyOffice="10.5.9.0/24 192.168.0.20"
This will ensure that all traffic arriving at the DSL gateway for the subnet 10.5.9.0/24 will be redirected to
192.168.0.20 (which is my cable gateway and the box which is running the pptp client). This works because
the pptp client on that box has alias (NAT) enabled, so the rest of the network is hidden behind the
tunnel's own address and the office side only ever sees one VPN client.
You can create additional routes by adding more entries to static_routes. For example
you can do this:
static_routes="MyOffice FriendsHouse AnotherPlace"
and for each entry you will need to create a route_<name> entry similar to what you see above for
route_MyOffice.
If you are looking for a pptp server, check out /usr/ports/mpd. I have been using it for a good year, and it works great. The only problem that I ever had was that I forgot to let in/out gre traffic on my ipfilter firewall which stopped me from connecting. You do have to manually set up each connection, but after that it works well.
–Matt
Yes, mpd is definitely the way to go – the other pptp implementations are too buggy.
OK, I have a dilemma…
I have setup mpd on my two hosts similar to this:-
euphoria – calypso – hostname
172.16.3.3 – 172.16.2.3 – internal IP
210.54.x.x – 21.54.x.x – firewall IP
The problem is I am not sure what I need to pinhole on my DSL routers 210.54.x.x etc to allow incoming connections, is it using 1723 and GRE like PPTP or some other protocol we don't know about? I can't even telnet to the local IP (on port 1723) from a PC on its own subnet.
What ports are opened on the box when mpd runs??
I have to be missing the simple answer here.
Cheers
Dan
Dan,
I don’t have a real answer for you, I only run mpd on one end and use windows as the client. mpd on my box opens port 1723 like you say. If you are running ipfilter (maybe ipfw?), you will need to add rules to pass in/out ng device (ng0…), and reload your rules after mpd is running (even if you -HUP mpd). Without reloading the rules I cannot connect at all.
here is a slightly edited config I use for ipfilter
—snip—
pass out quick on ng0
pass in quick on ng0
—snip—
# pptp
pass in quick proto tcp from any to any port = 1723 flags S keep state
# pptp’s gre
pass in quick proto gre from any to any
pass out quick proto gre from any to any
—snip—
Damn, just tested it with my updated ipfilter… no reload is needed now.
-Matt
Cool thanks for that, however currently my kernel has the following line:-
options IPFIREWALL_DEFAULT_TO_ACCEPT
I can connect as far as the firewall (DSL router) and no more. Thought it might be a NAT issue but on trying from internal side it made no difference, port still closed :o(
Thanks in advance
Cheers
Dan
Dan Clark wrote:
>
> Cool thanks for that, however currently my kernel has
> the foloowing line:-
> options IPFIREWALL_DEFAULT_TO_ACCEPT
I prefer default to deny. I prefer to have to explicitly say what is allowed rather than specify what is not allowed. It’s also easier.
I also like using IPFILTER_DEFAULT_BLOCK. It's much easier and more secure in my opinion (less mistake prone anyways). But I don't use it any longer now that my box is 14 hours away. If I made a mistake in my rules before, the box was just a console cable away, but now not having my rules loaded due to an error is disaster.
For a while I used to set a shutdown for a few minutes and apply my test ruleset from a separate file, if it failed, it was just a few minutes until the restart. Yeah I know that is not a good practice :), but it worked since the box was not really used for anything important. I'm pretty sure there is an easier/safer way to do it but I have not looked into it. Any ideas.
–Matt
ipf has two rule sets (active and inactive). Use that like this:
ipf -s -Fa -f /etc/ipf.rules && sleep 10 && ipf -s
The above does this:
swap the rules sets
clear the current rule set
load the rules from that file
sleep
swap the rule sets back
During the sleep, type a few characters and make sure they echo. If they do, press control C. If they don’t, you’ll soon have back the original rule set.
You don’t need to pass in gre. Block that baby. Just
pass it out.
regards,
Jeff
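Jeff's swap-and-sleep trick (load the new rules into the inactive set, swap, sleep, swap back unless you interrupt it) is the right idea for any remote firewall change. The following is an added example, not code from this thread, that wraps the same pattern in a reusable sh function: it runs an apply command, then runs a revert command unless the operator confirms within a deadline by creating a file. The function name try_ruleset, the confirmation-file convention and the paths /etc/ipf.rules.new and /var/run/fw.confirm are my assumptions; the ipf commands in the usage note are the ones from the comments above.

```shell
#!/bin/sh
# Added example: apply a firewall ruleset with automatic rollback.
# try_ruleset APPLY REVERT SECONDS CONFIRM_FILE
#   Runs APPLY. If it fails, runs REVERT and returns 2. Otherwise waits up
#   to SECONDS for CONFIRM_FILE to appear: if it does, the new rules stay
#   (returns 0); if not, REVERT is run and the function returns 1.
# The commands are run through sh -c, so they are plain strings.
try_ruleset() {
    apply=$1; revert=$2; deadline=$3; confirm=$4
    # A lost ssh session sends SIGHUP; ignore it so the rollback still runs.
    trap '' HUP
    rm -f "$confirm"
    if ! sh -c "$apply"; then
        echo "apply failed; running revert" >&2
        sh -c "$revert" || echo "revert failed as well" >&2
        return 2
    fi
    i=0
    while [ "$i" -lt "$deadline" ]; do
        if [ -f "$confirm" ]; then
            rm -f "$confirm"
            echo "confirmed; keeping new rules" >&2
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "no confirmation after ${deadline}s; reverting" >&2
    sh -c "$revert" || echo "revert failed" >&2
    return 1
}

# Typical use with ipfilter (assumed paths), started from the ssh session
# you are worried about losing:
#   try_ruleset 'ipf -s -Fa -f /etc/ipf.rules.new' 'ipf -s' 30 /var/run/fw.confirm &
# Then check that you can still type and reach the box, and confirm with:
#   touch /var/run/fw.confirm
# If the new rules locked you out, the old set is swapped back after 30s.
```

Running the function in the background of the same session is deliberate: the session surviving is the evidence that the rules are safe, and ignoring SIGHUP is what keeps the rollback alive if it is not. Keep the deadline short; a ruleset that is wrong is open (or closed) for exactly that long.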
Look for "enable pptp passthrough" or some such on your
firewall configuration. For instance, a linksys has this
option; if it’s turned off, pptp just won’t work.
If your router doesn’t have this option, chuck that baby.
regards,
Jeff
Does mpd support RADIUS for authentication? Perhaps I missed it, but after looking around in the manual I can't find it.
Hi…
I saw this and thought I'd post how I did it – getting PoPToP running as a VPN Server for Windows clients. I've gotten it running on FreeBSD 4.6-PRERELEASE, and thought I'd share with the group.
1. The first thing I did was of course cvsup my ports tree.
2. Next, cd to /usr/ports/net/poptop and run make all install clean
3. You will now need to edit a number of files to make this work:
—-/usr/local/etc/pptpd.conf——-
speed 115200
option /etc/ppp/options
localip xxx.xxx.xxx.xxx
remoteip xxx.xxx.xxx.yy-zz
pidfile /var/run/pptpd.pid
————————————
You will need to change the local and remote IP’s to match your local configuration.
LocalIP should be an address in your subnet but not the address of your network interface(s).
RemoteIP should be a **range** in your subnet that the PPTP daemon can assign clients for addresses.
For example, if your address on interface ep0 is 192.168.1.1, and your subnet mask is 255.255.255.0, localip should be something like 192.168.1.100 and remoteip should be something like 192.168.1.150-200 (written just like that). The pidfile entry should be obvious.
You will also need to create a /etc/ppp/options file:
—/etc/ppp/options—-
auth
proxyarp
pap
chap
—/etc/ppp/options—-
Don’t worry too much about what these mean, but auth, chap, and proxyarp NEED to be in there (look them up in man ppp for more info).
The last file you need is /etc/ppp/ppp.conf
—/etc/ppp/ppp.conf—-
loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
# Server (local) IP address, Range for Clients, and Netmask
set ifaddr 192.168.1.100 192.168.1.150-192.168.1.200 255.255.255.255
set server /tmp/loop "" 0177
loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct
pptp:
load loop
enable chap
enable pap
# Authenticate against /etc/passwd
enable passwdauth
# The next depends on your routing. Proxy arp is an easy way out
enable proxy
accept dns
# DNS Servers to assign client – replace with your own
set dns 1.1.1.1
set device !/etc/ppp/secure
—/etc/ppp/ppp.conf—-
The file above basically needs to stay the way it is, but the line containing set ifaddr needs to have the same info as what you set in pptpd.conf. The first argument should be the value of localip, the second should be the same range as remoteip (just in a slightly different format – you gotta spell out the whole range this time) and the last needs to be 255.255.255.255
Now, start up the daemon with:
/usr/local/sbin/pptpd -d
The remaining setup needs to be done on your windows machine. I am assuming you are using Windows XP here, but it's pretty much the same as Windows 2000. Go to Start|Settings|Network Connections. Click the new connection wizard. You want to "Connect to the network at my workplace" or something along those lines – whichever one relates to VPNs. Click next. Choose Virtual Private Network Connection. Click Next. In the Company Name, type whatever you wish and hit next. The next box will ask you if it should dial your dialup connection before trying to start this one – choose whichever is appropriate and hit next. In the host name, you need to put the IP of your BSD box (the real routable address…dealing with NAT is another issue). The next screen asks who to make this connection for, choose whichever is appropriate. Next. Hit Finish.
Phew! Only a little more to go. Windows will now pop up the connection box for this connection. STOP! SLOW DOWN! DON'T CONNECT YET. Breathe. Ok, Ready? Hit Properties. Under security, you need to *disable* "Require data encryption". This is just a tunnel, not an IPsec encrypted connection. Click OK, and for your username and password enter your username and password on the BSD box. Life should be good.
Have fun with your new VPN.
Why would you ever use PAP these days? You’re asking to have your data stolen if you use PAP…
Brad Tarver wrote:
> Why would you ever use PAP these days? You’re asking to have
> your data stolen if you use PAP…
Please provide references supporting your statement.
—
The Man Behind The Curtain
Dan wrote:
> Brad Tarver wrote:
>
> > Why would you ever use PAP these days? You’re asking to have
> > your data stolen if you use PAP…
>
> Please provide references supporting your statement.
>
Neither PAP nor CHAP involves encryption. In both cases the username is sent in the clear. With PAP the password is sent in the clear too. With CHAP the authentication is done by a challenge/response, thus preventing a replay attack.
gre does need to be passed in AND out, I just tried having it just in and then just out… got the same result:
[pptp0] LCP: not converging
[pptp0] LCP: parameter negotiation failed
With both passing, it works.
I don’t believe mpd supports radius/tacacs(+)/whatever, or at least I could not find anything on it. mpd.secrets is it I guess.
I have had a stab at this and I have set it up as you suggest but I am getting the following errors.
1) the windows box reports (Server didnt assign IP address)
2)
Warning: Bad label in /etc/ppp/ppp.conf (line 2) – missing colon
Sep 5 23:30:12 sun ppp[38993]: Warning: Bad label in /etc/ppp/ppp.conf (line 12) – missing colon
Sep 5 23:30:12 sun ppp[38993]: Warning: Bad label in /etc/ppp/ppp.conf (line 14) – missing colon
Sep 5 23:30:12 sun pptpd[38992]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Sep 5 23:30:12 sun pptpd[38992]: GRE: read error: Bad file descriptor
Sep 5 23:30:12 sun pptpd[38992]: CTRL: PTY read or GRE write failed (pty,gre)=(-1,-1)
I guess I have messed up something in the ppp.conf file, but I can't think what as it's set up just as you say.
Any ideas ?
Anyone have any ideas on why the windows client just hangs up totally when I try to connect to my pptp server? Only way I can get the client back is to hard poweroff the machine.. running pptpd in debug mode and it's not showing me anything in any log file… PPTPD starts just fine, no errors, just the win client hangs up .. 🙁
Warning: Bad label in /etc/ppp/ppp.conf (line 12) – missing
this is caused by not having a space before any line that starts with "set" in the ppp.conf, or at least that is how I fixed it on my box.
I initially set up the poptop server to talk to windows clients.. works great, but with no encryption.
so I fired up mpd.. fantastic! mppe encryption + mschapv2. though I know little about networks + security etc, IMHO I would strongly recommend mpd over poptop.
I basically followed the instructions at http://www.itga.com.au/~gnb/vpn/pptp-serv.html
bit of a tangent but I recently found this article as well:
http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html
some things in there that I hadn't considered, worth a read.
Greetings,
I've installed mpd in my freebsd 4.6 (at my work place behind a firewall) and configured it. I tried connecting from my WinXP Pro at home and this is what I got at the freebsd side:
[pptp] CHAP: rec’d RESPONSE #2
Name: "vpntest"
Peer name: "vpntest"
Response is valid
[pptp] CHAP: sending SUCCESS
[pptp] LCP: authorization successful
[pptp] LCP: phase shift AUTHENTICATE –> NETWORK
[pptp] up: 1 link, total bandwidth 64000 bps
[pptp] IPCP: Up event
[pptp] IPCP: state change Starting –> Req-Sent
[pptp] IPCP: SendConfigReq #1
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: Open event
[pptp] CCP: state change Initial –> Starting
[pptp] CCP: LayerStart
[pptp] CCP: Up event
[pptp] CCP: state change Starting –> Req-Sent
[pptp] CCP: SendConfigReq #1
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] CCP: rec’d Configure Request #1 link 0 (Req-Sent)
PRED1
Not supported
MPPC
0x000000e0: MPPE, 40 bit, 56 bit, 128 bit
[pptp] CCP: SendConfigRej #1
PRED1
[pptp] IPCP: rec’d Configure Request #1 link 0 (Req-Sent)
IPADDR 192.168.1.100
192.168.1.100 is OK
COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
[pptp] IPCP: SendConfigAck #1
IPADDR 192.168.1.100
COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
[pptp] IPCP: state change Req-Sent –> Ack-Sent
[pptp] IPCP: SendConfigReq #2
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #2
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #3
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #3
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #4
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #4
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #5
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #5
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #6
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #6
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #7
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #7
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #8
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #8
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #9
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #9
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: SendConfigReq #10
IPADDR 192.168.1.3
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp] CCP: SendConfigReq #10
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] IPCP: state change Ack-Sent –> Stopped
[pptp] IPCP: LayerFinish
[pptp] IPCP: parameter negotiation failed
[pptp] IPCP: LayerFinish
[pptp] CCP: state change Req-Sent –> Stopped
[pptp] CCP: LayerFinish
[pptp] CCP: parameter negotiation failed
[pptp] CCP: Close event
[pptp] CCP: state change Stopped –> Closed
[pptp] CCP: LayerFinish
[pptp] bundle: CLOSE event in state OPENED
[pptp] closing link "pptp"…
[pptp] bundle: CLOSE event in state CLOSED
[pptp] closing link "pptp"…
[pptp] link: CLOSE event
[pptp] LCP: Close event
[pptp] LCP: state change Opened –> Closing
[pptp] LCP: phase shift NETWORK –> TERMINATE
[pptp] up: 0 links, total bandwidth 9600 bps
[pptp] IPCP: Down event
The server can’t seem to connect my winXP. Did i configure my mpd.conf wrong?
mpd.conf:
===========
default:
load pptp
# PPTP Server
pptp:
new -i ng0 pptp pptp
set bundle disable multilink
set bundle enable compression
set bundle enable encryption
set iface disable on-demand
set iface disable proxy-arp
set iface idle 0
set ipcp ranges 192.168.1.3/30 192.168.1.100/30
set ipcp dns 192.168.0.1
set ipcp enable vjcomp
set link enable acfcomp protocomp
set link disable pap
set link enable chap
set link keep-alive 10 60
set ccp enable mppc
set ccp enable mpp-compress
set ccp enable mpp-e40
set ccp enable mpp-e128
set ccp enable mpp-stateless
I can't seem to figure it out. Can anyone help me?
Regards
MC
So is mpd for multilink PPP and PPTP VPNs too?
I am trying to use pptpclient but on my mpd server when I try to send packets (such as pinging the mpd server) I get those errors on the mpd server. I have no idea why that can be… Any comments?
[pptp1] rec’d unexpected protocol 0x00b1 on link -1, rejecting
[pptp1] rec’d proto 0xe21d on MP link! (ignoring)
[pptp1] rec’d unexpected protocol 0xa0ab on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x0007 on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x00dd on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x0035 on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x0a8d on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x00b7 on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x56db on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x00df on link -1, rejecting
[pptp1] rec’d unexpected protocol 0xba57 on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x004f on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x0081 on link -1, rejecting
[pptp1] rec’d unexpected protocol CRYPT on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x009d on link -1, rejecting
To Omer Faruk Sen:
I have the same problem:
2 routers – Win2k Server (RAS) and FreeBSD (mpd). When FBSD connects to Win I have something like this…
…
[pptp1] rec’d unexpected protocol 0x56db on link -1, rejecting
[pptp1] rec’d unexpected protocol CRYPT on link -1, rejecting
[pptp1] rec’d unexpected protocol 0x009d on link -1, rejecting
…
but when Win connects to FBSD all is right.
When I add the lines:
set link disable pap chap
set link accept chap
to mpd.conf these error messages disappear, but win2k can not connect to FBSD.
Maybe this helps you too.
ps: sorry for my English. 😉
Hi All,
I have a question about mpd. I have read through a number of howtos etc, but I have been unable to get mpd to open up port 1723 for a pptp vpn.
There are no errors in the log files, it creates the interface ng0, and is running in the background.
Am I missing something obvious? I can post configs if required.
FreeBSD 4.10 stable
mpd-3.18_2
Regards
Leigh Finch
If the connection dies, I want to restart it automagically. Anyone know how?
Is their an option similar ppp’s
set redial 2 100
–Matt
this is very likely not the best solution:
you could use init (/etc/ttys) to keep it going. in pptp.sh, change the 5th line by removing the ending ‘&’ (no bg). then, in /etc/ttys, add or modify the/a line to something like ‘ttyvc "/usr/local/etc/rc.d/pptp.sh" unknown on secure’. just an idea..
‘init q’ to refresh /etc/ttys
actually, for that to work, you’d have to pass ‘start’ to pptp.sh. so instead of ‘ttyvc "/usr/local/etc/rc.d/pptp.sh" unknown on secure’, it’d be ‘ttyvc "/usr/local/etc/rc.d/pptp.sh start" unknown on secure’
I’m having a problem connecting to a VPN server. Below is the contents of my /var/log/ppp.log file. I’m pretty sure all the settings in my ppp.conf file are correct, which is also included. Can anyone direct me to what the problem might be? If it’s a problem with the server, can you maybe tell me what could be done to fix it? I’ll suggest that to the admin, since he knows nothing about BSD or making the pptp server compatible to BSD.
#pptp ip-addy GSW
ppp.conf:
GSW:
set authname vpn-user
set authkey vpn-user-password
set timeout 0
set ifaddr 0 0
add 10.12.1.252/24 HISADDR
alias enable yes
ppp.log:
May 8 11:41:45 SUN ppp[9143]: Phase: Using interface: tun0
May 8 11:41:45 SUN ppp[9143]: Phase: deflink: Created in closed state
May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: ident user-ppp VERSION (built COMPILATIONDATE)
May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: set device /dev/cuaa1
May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: set speed 115200
May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: set dial ABORT BUSY ABORT NO\sCARRIER TIMEOUT 5 "" AT OK-AT-OK ATE
May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: set timeout 180
May 8 11:41:45 SUN ppp[9143]: tun0: Command: default: enable dns
May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: set authname vpn023
May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: set authkey ********
May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: set timeout 0
May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: set ifaddr 0 0
May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: add 10.12.1.252/24 HISADDR
May 8 11:41:45 SUN ppp[9143]: tun0: Command: GSW: alias enable yes
May 8 11:41:45 SUN ppp[9143]: tun0: Warning: The alias command is deprecated
May 8 11:41:45 SUN ppp[9143]: tun0: Phase: PPP Started (direct mode).
May 8 11:41:45 SUN ppp[9143]: tun0: Phase: bundle: Establish
May 8 11:41:45 SUN ppp[9143]: tun0: Phase: deflink: closed -> opening
May 8 11:41:45 SUN ppp[9143]: tun0: Phase: deflink: Connected!
May 8 11:41:45 SUN ppp[9143]: tun0: Phase: deflink: opening -> carrier
May 8 11:41:46 SUN ppp[9143]: tun0: Phase: deflink: carrier -> lcp
May 8 11:41:46 SUN ppp[9143]: tun0: LCP: FSM: Using "deflink" as a transport
May 8 11:41:46 SUN ppp[9143]: tun0: LCP: deflink: State change Initial –> Closed
May 8 11:41:46 SUN ppp[9143]: tun0: LCP: deflink: State change Closed –> Stopped
May 8 11:41:47 SUN ppp[9143]: tun0: LCP: deflink: LayerStart
May 8 11:41:47 SUN ppp[9143]: tun0: LCP: deflink: SendConfigReq(1) state = Stopped
May 8 11:41:47 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
May 8 11:41:47 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
May 8 11:41:47 SUN ppp[9143]: tun0: LCP: ACCMAP[6] 0x00000000
May 8 11:41:47 SUN ppp[9143]: tun0: LCP: MRU[4] 1500
May 8 11:41:47 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0x3dc85b26
May 8 11:41:47 SUN ppp[9143]: tun0: LCP: deflink: State change Stopped –> Req-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendConfigReq(1) state = Req-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACCMAP[6] 0x00000000
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MRU[4] 1500
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0x3dc85b26
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvConfigReq(1) state = Req-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MRU[4] 338
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: AUTHPROTO[5] 0xc223 (CHAP 0x81)
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0xdb765022
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendConfigAck(1) state = Req-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MRU[4] 338
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: AUTHPROTO[5] 0xc223 (CHAP 0x81)
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0xdb765022
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: State change Req-Sent –> Ack-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvConfigRej(1) state = Ack-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: Sending ident magic 3dc85b26 text user-ppp 2.3.3 (built Feb 17 2002)
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendIdent(0) state = Ack-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACCMAP[6] 0x00000000
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendConfigReq(2) state = Ack-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: ACFCOMP[2]
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: PROTOCOMP[2]
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MRU[4] 1500
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: MAGICNUM[6] 0x3dc85b26
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvCodeRej(2) state = Ack-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvConfigAck(2) state = Ack-Sent
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: State change Ack-Sent –> Opened
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: LayerUp
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: Sending ident magic 3dc85b26 text user-ppp 2.3.3 (built Feb 17 2002)
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendIdent(1) state = Opened
May 8 11:41:50 SUN ppp[9143]: tun0: Phase: bundle: Authenticate
May 8 11:41:50 SUN ppp[9143]: tun0: Phase: deflink: his = CHAP 0x81, mine = none
May 8 11:41:50 SUN ppp[9143]: tun0: Phase: Chap Input: CHALLENGE (16 bytes from watchguard)
May 8 11:41:50 SUN ppp[9143]: tun0: Phase: Chap Output: RESPONSE (vpn023)
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: RecvCodeRej(3) state = Opened
May 8 11:41:50 SUN ppp[9143]: tun0: Phase: Chap Input: SUCCESS (S=25dd32c6dbd3184ffd158ee4a03cfa7d63792ab5)
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: LayerDown
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: SendTerminateReq(3) state = Opened
May 8 11:41:50 SUN ppp[9143]: tun0: LCP: deflink: State change Opened –> Closing
May 8 11:41:50 SUN ppp[9143]: tun0: Warning: CHAP81: AuthenticatorResponse: (S=25DD32C6DBD3184FFD158EE4A03CFA7D63792AB5) != ans: (S
May 8 11:41:50 SUN ppp[9143]: tun0: IPCP: deflink: Error: Unexpected IPCP in phase Authenticate (ignored)
May 8 11:41:51 SUN ppp[9143]: tun0: CCP: deflink: Error: Unexpected CCP in phase Authenticate (ignored)
May 8 11:41:51 SUN ppp[9143]: tun0: LCP: deflink: RecvTerminateAck(3) state = Closing
May 8 11:41:51 SUN ppp[9143]: tun0: LCP: deflink: LayerFinish
May 8 11:41:51 SUN ppp[9143]: tun0: LCP: deflink: State change Closing –> Closed
May 8 11:41:51 SUN ppp[9143]: tun0: LCP: deflink: State change Closed –> Initial
May 8 11:41:51 SUN ppp[9143]: tun0: Phase: deflink: Disconnected!
May 8 11:41:51 SUN ppp[9143]: tun0: Phase: deflink: Connect time: 6 secs: 402 octets in, 398 octets out
May 8 11:41:51 SUN ppp[9143]: tun0: Phase: deflink: : 10 packets in, 8 packets out
May 8 11:41:51 SUN ppp[9143]: tun0: Phase: total 133 bytes/sec, peak 150 bytes/sec on Wed May 8 11:41:51 2002
May 8 11:41:51 SUN ppp[9143]: tun0: Phase: deflink: lcp -> closed
May 8 11:41:51 SUN ppp[9143]: tun0: Phase: bundle: Dead
May 8 11:41:51 SUN ppp[9143]: tun0: Phase: PPP Terminated (normal).
Today I got both jobs configured: a VPN server with win2k and a VPN client with FreeBSD. Also note I'm using PPPoE instead of PPTP on win2k. Just suggest to your VPN server admin to install the PPPoE protocol named raspppoe; this software is not Microsoft proprietary. For the freebsd client all you need to do is edit /etc/ppp.conf (refer to: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pppoe.html)
This may give you a clue if you need to run a VPN client with freebsd anyway.
Hello,
your ppp does not seem to support CHAP81, which corresponds to mschapv2.
so you can’t authenticate…
try recompiling ppp, it worked for me
Cybil
Hi,
I have a pc with win98 and would like to know if there is a free l2tp client to install on my PC so I can connect to the LNS in our business network.
Hi,
I’m running the PPTP client for OpenBSD 3.1 as root and receive "echo rqst" and "echo reply" messages from the pptp call manager despite running pptp as a background process. Is there any workaround for this?
Thanks,
-Brian
The only people who are going to read your message are those reading the article. If you want help, please post your question in the support phorum (/phorum/).
Hello,
In the script for pptp, page: http://www.freebsddiary.org/pptp.php
Should "if [ -x /var/run/tun0.pid ] "
be "if [ -f /var/run/tun0.pid ] " ?
(it works fine with it…)
a+
Cyb
The -f just checks to see if the file exists. The -x ensures it is executable. See man test <http://www.freebsd.org/cgi/man.cgi?query=test&apropos=0&sektion=0&manpath=FreeBSD+4.6-stable&format=html>.
I don’t think that /var/run/tun0.pid is executable. This file exists only while pptp is running, that’s why it’s better to use -f (-x does not work in this case either).
Makes sense to me.
A question: is it possible to use pptpclient on an ADSL connection with a fixed (permanent, dedicated) IP address?
I do not use pppoe, my ethernet is xl0 (ethernet 3Com 3c950) as an interface of normal connection to router.
Thanks && regards
It’s a question. It belongs in the support forum. Not in the article comments. *sigh*
Hi,
Does anyone know if this freebsd pptp supports nt authentication, or of a way to add support for it? I am planning on using pptp on my freebsd router to link my network to a friend's, but he is running a .net domain, so I think nt authentication will be required.
Regards,
Paul Lakin
I think that will work if you just use
set mppe
as a ppp option
Ah, excellent. Thanks, that appears to have sorted it out. Perhaps that should be in the article somewhere?
paul
Hi guys, sorry to interrupt, but I am wondering how I can enable mppe in ppp? Can you explain in detail? Thanks. I am new to VPN…
I am using fbsd4.8-release and pptpclient1.3.1; no matter what I do, I just can’t get through the VPN authentication.
In the log file, I got this in the middle of a single connect:
chap input:success
deflink: lcp -> open
bundle: network
deflink: open -> lcp
bundle: Terminate
deflink: disconnected!
deflink: connect time 5 sec …….
wondering what seems to be the problem?
I just got this to work, everything went real smoothly except it took me a little while to figure out why I was getting this error:
Oct 28 18:15:32 aynlaptop pptp[80308]: log[decaps_hdlc:pptp_gre.c:129]: short read (0): Invalid argument
Turned out that we have to escape anything outta the ordinary, the most obvious is the ‘\’ in NT_DOMAIN\username, also if you have anything weird in your password, you need to escape those as well.
Just thought I should add this in case somebody out there is wasting time figuring out that same error.
–Andrew
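The two pitfalls raised in these comments, the -f versus -x test on the pid file and the unescaped backslash in NT_DOMAIN\username, can both be caught before starting pptp. The following pre-flight script is an added example, not part of the article or any commenter’s code; it assumes the pid file path /var/run/tun0.pid from the article’s script, that ppp’s config parser takes `\\` for a literal backslash, and it runs its checks on constructed sample files rather than a real ppp.conf.

```shell
# pptp_running PIDFILE -> 0 when PIDFILE names a live process, 1 otherwise.
# The pid file is plain text and never executable, so "-x" is always false
# and "-f" is the right test; a file left behind by a crash (stale pid) is
# the extra failure mode, caught by probing the pid with kill -0.
pptp_running() {
    pidfile=${1:-/var/run/tun0.pid}      # assumed default from the article's script
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ppp_conf_check CONF -> 0 when clean, else prints each problem and returns 1.
# Two mistakes from the comments: a bare backslash in authname/authkey
# (assumed: ppp's parser wants \\ for a literal backslash, so DOMAIN\\user)
# and a file holding the authkey that is readable by "other" (chmod 640).
ppp_conf_check() {
    conf=$1; rc=0
    [ -f "$conf" ] || { echo "$conf: not found"; return 1; }
    # the "other" permission bits are columns 8-10 of ls -l output
    case $(ls -ld "$conf" | cut -c8-10) in
        ---) ;;
        *) echo "$conf: readable by others, run: chmod 640 $conf"; rc=1 ;;
    esac
    # drop escaped pairs (\\); any backslash still present is unescaped
    bad=$(grep -E '^[[:space:]]*set auth(name|key) ' "$conf" \
          | sed 's/\\\\//g' | grep -c '\\' || true)
    [ "$bad" -eq 0 ] || { echo "$conf: $bad auth line(s) with an unescaped backslash"; rc=1; }
    return $rc
}

# Demo on constructed sample files (not real configs or pid files)
d=$(mktemp -d)
printf 'vpn:\n set authname NT_DOMAIN\\user\n set authkey secret\n' > "$d/bad.conf"
chmod 644 "$d/bad.conf"
printf 'vpn:\n set authname NT_DOMAIN\\\\user\n set authkey secret\n' > "$d/good.conf"
chmod 640 "$d/good.conf"
echo $$ > "$d/live.pid"          # this shell's pid: a live process
echo 999999 > "$d/stale.pid"     # almost certainly no such process
ppp_conf_check "$d/bad.conf"  || echo "bad.conf: problems found (expected)"
ppp_conf_check "$d/good.conf" && echo "good.conf: clean"
pptp_running "$d/live.pid"    && echo "live.pid: pptp would be treated as running"
pptp_running "$d/stale.pid"   || echo "stale.pid: stale, safe to start pptp"
rm -r "$d"
```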
Thank you.
ppp.conf:
vpn:
set authname AUTHNAME
set authkey PASSWORD
set timeout 0
set ifaddr 0 0
add 10.1.1.1/24 HISADDR
alias enable yes
pptp 10.1.1.1 vpn
ppp.log:
Nov 30 14:57:30 ppp[1116]: Warning: Label vpn rejected -direct connection: /etc/ppp/ppp.conf : File not found
Nov 30 14:57:53 ppp[1122]: Phase: Using interface: tun0
Nov 30 14:57:53 ppp[1122]: Phase: deflink: Created in closed state
Nov 30 14:57:53 ppp[1122]: Warning: The alias command is deprecated
Nov 30 14:57:53 ppp[1122]: Phase: PPP Started (direct mode).
Nov 30 14:57:53 ppp[1122]: Phase: bundle: Establish
Nov 30 14:57:53 ppp[1122]: Phase: deflink: closed -> opening
Nov 30 14:57:53 ppp[1122]: Phase: deflink: Connected!
Nov 30 14:57:53 ppp[1122]: Phase: deflink: opening -> carrier
Nov 30 14:57:54 ppp[1122]: Phase: deflink: carrier -> lcp
Nov 30 14:57:55 ppp[1122]: Phase: bundle: Authenticate
Nov 30 14:57:55 ppp[1122]: Phase: deflink: his = CHAP 0x05, mine = none
Nov 30 14:57:55 ppp[1122]: Phase: Chap Input: CHALLENGE (16 bytes)
Nov 30 14:57:55 ppp[1122]: Phase: Chap Output: RESPONSE (krezapostol)
Nov 30 14:57:55 ppp[1122]: Phase: Chap Input: SUCCESS (Welcome!!)
Nov 30 14:57:55 ppp[1122]: Phase: deflink: lcp -> open
Nov 30 14:57:55 ppp[1122]: Phase: bundle: Network
Nov 30 14:57:55 ppp[1122]: Error: rt_Set: Cannot add a route with gateway 0.0.0.0
Nov 30 14:57:55 ppp[1122]: Phase: Signal 15, terminate.
Nov 30 14:57:55 ppp[1122]: Phase: deflink: read (0): Got zero bytes
Nov 30 14:57:55 ppp[1122]: Phase: deflink: open -> lcp
Nov 30 14:57:55 ppp[1122]: Phase: bundle: Terminate
Nov 30 14:57:55 ppp[1122]: Phase: deflink: Disconnected!
Nov 30 14:57:55 ppp[1122]: Phase: deflink: Connect time: 2 secs: 896 octets in, 625 octets out
Nov 30 14:57:55 ppp[1122]: Phase: deflink: 10 packets in, 18 packets out
Nov 30 14:57:55 ppp[1122]: Phase: total 760 bytes/sec, peak 0 bytes/sec on Sun Nov 30 14:57:53 2003
Nov 30 14:57:55 ppp[1122]: Phase: deflink: lcp -> closed
Nov 30 14:57:55 ppp[1122]: Phase: bundle: Dead
Nov 30 14:57:55 ppp[1122]: Phase: PPP Terminated (normal).
Beeborat wrote:
> ppp.conf:
>
> vpn:
> set authname AUTHNAME
> set authkey PASSWORD
I changed your post so it includes a fake authname and authkey setting, just in case those were your real values.
> set timeout 0
> set ifaddr 0 0
> add 10.1.1.1/24 HISADDR
> alias enable yes
>
> pptp 10.1.1.1 vpn
>
> ppp.log:
>
> Nov 30 14:57:30 ppp[1116]: Warning: Label vpn rejected -direct
> connection: /etc/ppp/ppp.conf : File not found
I think that you should solve this problem first. I don’t have any suggestions.
> Nov 30 14:57:53 ppp[1122]: Phase: Using interface: tun0
> Nov 30 14:57:53 ppp[1122]: Phase: deflink: Created in closed
> state
> Nov 30 14:57:53 ppp[1122]: Warning: The alias command is
> deprecated
Looks like alias is deprecated. Read the man page. Perhaps the replacement is nat.
> Nov 30 14:57:53 ppp[1122]: Phase: PPP Started (direct mode).
> Nov 30 14:57:53 ppp[1122]: Phase: bundle: Establish
> Nov 30 14:57:53 ppp[1122]: Phase: deflink: closed -> opening
> Nov 30 14:57:53 ppp[1122]: Phase: deflink: Connected!
> Nov 30 14:57:53 ppp[1122]: Phase: deflink: opening -> carrier
>
> Nov 30 14:57:54 ppp[1122]: Phase: deflink: carrier -> lcp
> Nov 30 14:57:55 ppp[1122]: Phase: bundle: Authenticate
> Nov 30 14:57:55 ppp[1122]: Phase: deflink: his = CHAP 0x05,
> mine = none
> Nov 30 14:57:55 ppp[1122]: Phase: Chap Input: CHALLENGE (16
> bytes)
> Nov 30 14:57:55 ppp[1122]: Phase: Chap Output: RESPONSE
> (krezapostol)
> Nov 30 14:57:55 ppp[1122]: Phase: Chap Input: SUCCESS
> (Welcome!!)
> Nov 30 14:57:55 ppp[1122]: Phase: deflink: lcp -> open
> Nov 30 14:57:55 ppp[1122]: Phase: bundle: Network
> Nov 30 14:57:55 ppp[1122]: Error: rt_Set: Cannot add a route
> with gateway 0.0.0.0
That’s interesting too.
> Nov 30 14:57:55 ppp[1122]: Phase: Signal 15, terminate.
> Nov 30 14:57:55 ppp[1122]: Phase: deflink: read (0): Got zero
> bytes
> Nov 30 14:57:55 ppp[1122]: Phase: deflink: open -> lcp
> Nov 30 14:57:55 ppp[1122]: Phase: bundle: Terminate
> Nov 30 14:57:55 ppp[1122]: Phase: deflink: Disconnected!
> Nov 30 14:57:55 ppp[1122]: Phase: deflink: Connect time: 2
> secs: 896 octets in, 625 octets out
> Nov 30 14:57:55 ppp[1122]: Phase: deflink: 10 packets in, 18
> packets out
> Nov 30 14:57:55 ppp[1122]: Phase: total 760 bytes/sec, peak 0
> bytes/sec on Sun Nov 30 14:57:53 2003
> Nov 30 14:57:55 ppp[1122]: Phase: deflink: lcp -> closed
> Nov 30 14:57:55 ppp[1122]: Phase: bundle: Dead
> Nov 30 14:57:55 ppp[1122]: Phase: PPP Terminated (normal).
I don’t use pptp often enough to know what’s going on.
—
The Man Behind The Curtain
Hello
I have the following configuration:
vpn:
set authname username
set authkey password
set timeout 0
set ifaddr 0 0
add ip_address/24 HISADDR
alias enable yes
So, here is ok.
When I started the service, this error occurred:
warn[open_inetsock:pptp_callmgr.c:312]:connect: Connection refused
fatal[callmgr_main:pptp_callmgr.c:121]: Could not open control connection to ip_address
fatal[open_callmgr:pptp.c:379]: Call manager exited with error 256
Any idea about what causes these errors?
Thanks
Add a route to the host;
see this further up on this page,
and check this route:
ping ip_address_of_vpn