FreeBSD VPN client to a Windows network using MPD
Nick Fishman
bsdlogical at gmail.com
Tue Jun 13 02:22:15 UTC 2006
I recently tried to set up a VPN connection from home to the office
(running Windows Server 2003). I used the mpd port (net/mpd, the 3.x
branch), but found configuration much more difficult than it should be.
Configuration options seemed to lead to dead ends, but I finally found a
working version. I post it here in an effort to dispel confusion and
assist others having the same problem. I urge others to correct me and
clarify things in my explanation, as I've probably neglected to mention
parts. Much configuration and assistance came from a post on this list
by Peter Cornelius on 2003/10/09.
For this installation, MPD requires three files: mpd.conf, mpd.links,
and mpd.secret. They're stored in /usr/local/etc/mpd. Here's my
mpd.links (note that 1.2.3.4 is the address of your VPN gateway):
vpn:
        set link type pptp
        # 1.2.3.4 is the address of the Windows VPN gateway
        set pptp peer 1.2.3.4
        set pptp enable originate outcall
Here's my mpd.secret (in my case, I used my Windows (Active Directory)
username without specifying the domain. Your installation may be
different; try using "DOMAIN\\username". Note that the quotes are
necessary, and two slashes are needed instead of one):
"username" "password"
Here's my mpd.conf:
default:
        load vpn

vpn:
        # create bundle "vpn" on netgraph interface ng0 using link "vpn" from mpd.links
        new -i ng0 vpn vpn
        # the session value does matter, but I'm not sure why
        set iface session 28800
        # "username" here should match "username" in mpd.secret
        set bundle authname "username"
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e56
        set ccp yes mpp-e128
        # set this to your correct routing information
        set iface route 192.168.0.0/24
        open
This is more compact than existing examples on the web, but some options
are key to a working connection. The following lines caused my
connection to fail (don't use them!):
        set ccp yes mpp-compress
        set bundle enable encryption
Compression is absolutely necessary, but MPPE didn't work in my case.
This may differ for you. Encryption is necessary, but don't use "set
bundle enable encryption". The Windows RDP server switches to MPPE,
which provides encryption.
The following lines didn't visibly affect my connection. After leaving
them out, my connection still worked. Some of these probably matter; it
would help to get some clarification here:
        set link yes acfcomp protocomp
        set ipcp yes vjcomp
        set iface disable on-demand
        set iface idle 0
        set link keep-alive 61 753
        set link mtu 1460
        set ccp yes mpp-stateless
        set link no pap
        set link accept chap
        set link enable no-orig-auth
Note that the last line is necessary for NT servers, as recommended by
Peter. The "no pap" and "accept chap" lines appear in various
incarnations in online examples, but aren't necessary for the connection
to succeed. It appears as if MPD switches to MPPE automatically during
negotiation.
I apologize for the long email. I hope this helps others trying to use
FreeBSD as a client for a Windows VPN. Please correct me if I'm wrong on
anything.
Nick
bsdlogical
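Added example, not part of Nick's post and not mpd's own code: a small Python checker that parses an mpd 3.x-style mpd.conf (unindented label lines ending in ":" followed by indented commands, as in the files above) and reports the MPPE settings a cipher review would flag. The posted mpd.conf is embedded as constructed sample input next to a hardened variant that denies the 40- and 56-bit MPPE key lengths and offers only 128-bit stateless MPPE. The hardened config itself, the "set ccp no ..." form (assumed from mpd's usual yes/no/enable/disable/accept/deny keyword pattern) and all function names are assumptions, not something the post tested. A mode check for mpd.secret is included because that file holds the password in clear text.

```python
"""Added example: lint an mpd 3.x-style config for weak MPPE settings.

Assumptions (not from the original post): the 'set ccp no <opt>' form follows
mpd's usual yes/no/enable/disable/accept/deny keyword pattern, and mpd.secret
should be readable by its owner only.
"""
import os
import stat

# Constructed sample input: the mpd.conf from the post, verbatim apart from indentation.
POSTED_MPD_CONF = """\
default:
        load vpn

vpn:
        new -i ng0 vpn vpn
        set iface session 28800
        set bundle authname "username"
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e56
        set ccp yes mpp-e128
        set iface route 192.168.0.0/24
        open
"""

# Hardened variant (assumption): refuse 40/56-bit keys, offer only 128-bit stateless MPPE.
HARDENED_MPD_CONF = """\
default:
        load vpn

vpn:
        new -i ng0 vpn vpn
        set iface session 28800
        set bundle authname "username"
        set bundle enable compression
        set ccp yes mppc
        set ccp no mpp-e40
        set ccp no mpp-e56
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set iface route 192.168.0.0/24
        open
"""

WEAK_MPPE = ("mpp-e40", "mpp-e56")


def parse_mpd_conf(text):
    """Split an mpd config into {label: [command tokens, ...]}.

    A label is an unindented line ending in ':'; the commands belonging to it are
    the indented lines that follow. '#' starts a comment and blank lines are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if not code.strip():
            continue
        if not code[0].isspace():
            if not code.endswith(":"):
                raise ValueError(f"expected a label, got: {code!r}")
            current = code[:-1]
            sections[current] = []
        elif current is None:
            raise ValueError(f"command before any label: {code.strip()!r}")
        else:
            sections[current].append(code.split())
    return sections


def ccp_state(commands):
    """Reduce the 'set ccp ...' commands of one section to (enabled, accepted).

    'enabled' is what we request from the peer, 'accepted' what we allow the peer
    to request; 'yes' sets both and 'no' clears both (mpd keyword convention).
    """
    enabled, accepted = set(), set()
    for toks in commands:
        if len(toks) < 4 or toks[:2] != ["set", "ccp"]:
            continue
        verb, opts = toks[2], toks[3:]
        for opt in opts:
            if verb in ("yes", "enable"):
                enabled.add(opt)
            if verb in ("yes", "accept"):
                accepted.add(opt)
            if verb in ("no", "disable"):
                enabled.discard(opt)
            if verb in ("no", "deny"):
                accepted.discard(opt)
    return enabled, accepted


def lint_mppe(commands):
    """Return a list of findings about MPPE key lengths in one bundle section."""
    enabled, accepted = ccp_state(commands)
    findings = []
    for opt in WEAK_MPPE:
        if opt in enabled or opt in accepted:
            findings.append(f"{opt} allowed: a 40/56-bit MPPE key can be negotiated")
    if "mpp-e128" not in enabled:
        findings.append("mpp-e128 not enabled: 128-bit MPPE will not be offered")
    if "mpp-stateless" not in enabled:
        findings.append("mpp-stateless not enabled: stateful MPPE rekeys only every 256 packets")
    return findings


def lint_config(text, bundle="vpn"):
    """Parse a whole mpd.conf and lint the named bundle section."""
    return lint_mppe(parse_mpd_conf(text)[bundle])


def secret_mode_ok(mode):
    """True if an mpd.secret st_mode grants no group/other access at all."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_secret_file(path):
    """Stat mpd.secret on disk and apply secret_mode_ok to its mode bits."""
    return secret_mode_ok(os.stat(path).st_mode)


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_MPD_CONF), ("hardened", HARDENED_MPD_CONF)):
        findings = lint_config(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run as-is it reports three findings for the posted config (40-bit and 56-bit keys allowed, stateless mode not enabled) and none for the hardened one; on a live box, pass the contents of /usr/local/etc/mpd/mpd.conf to lint_config() and the path of mpd.secret to check_secret_file(). The checker only reads what the config states explicitly; it does not know mpd's built-in defaults, so an option that is simply absent is reported as not enabled.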