FreeBSD VPN client to a Windows network using MPD

Nick Fishman bsdlogical at gmail.com
Tue Jun 13 02:22:15 UTC 2006


I recently tried to set up a VPN connection from home to the office
(running Windows Server 2003). I used the mpd port (net/mpd, the 3.x
branch), but found configuration much more difficult than it should be.
Configuration options seemed to lead to dead ends, but I finally found a
working version. I post it here in an effort to dispel confusion and
assist others having the same problem. I urge others to correct me and
clarify things in my explanation, as I've probably neglected to mention
parts. Much configuration and assistance came from a post on this list
by Peter Cornelius on 2003/10/09.

For this installation, MPD requires three files: mpd.conf, mpd.links,
and mpd.secret. They're stored in /usr/local/etc/mpd. Here's my
mpd.links (note that 1.2.3.4 is the address of your VPN gateway):
vpn:
 set link type pptp
 set pptp peer 1.2.3.4
 set pptp enable originate outcall

Here's my mpd.secret (in my case, I used my Windows (Active Directory)
username without specifying the domain. Your installation may be
different; try using "DOMAIN\\username". Note that the quotes are
necessary, and two slashes are needed instead of one):
 "username"     "password"

Here's my mpd.conf:
default:
 load vpn
vpn:
 new -i ng0 vpn vpn
 # the session value does matter, but I'm not sure why
 set iface session 28800
 # "username" here should match "username" in mpd.secret
 set bundle authname "username"
 set bundle enable compression
 set ccp yes mppc
 set ccp yes mpp-e40
 set ccp yes mpp-e56
 set ccp yes mpp-e128
 # set this to your correct routing information
 set iface route 192.168.0.0/24
 open

This is more compact than existing examples on the web, but some options
are key to a working connection. The following lines caused my
connection to fail (don't use them!):
 set ccp yes mpp-compress
 set bundle enable encryption
Compression is absolutely necessary, but MPPE didn't work in my case.
This may differ for you. Encryption is necessary, but don't use "set
bundle enable encryption". The Windows RDP server switches to MPPE,
which provides encryption.
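The following is an added example, not code from the post or from the mpd project: a small Python lint that reads the three files described above and checks that they agree with each other (every `load` target exists, each link named by `new` has an entry in mpd.links, the `authname` matches a user in mpd.secret), flags the two lines the post says break the connection, flags the 40- and 56-bit MPPE options (their short RC4 keys are weak; mpp-e128 is the only one worth keeping), and flags an mpd.secret that is readable by group or other. The parsing rules (one directive per line, a label is a line ending in `:`, `#` starts a comment, mpd.secret holds a quoted user then a quoted password) are assumptions taken from the snippets in the post; the sample file contents are constructed to mirror them.

```python
"""Lint the three mpd 3.x client files from the post for consistency and weak options.
Added example, not code from the post or the mpd project; the parsing rules are
assumptions drawn from the snippets on the page (one directive per line, labels end
in ':', '#' starts a comment, mpd.secret holds a quoted user then a quoted password)."""
import shlex

# Constructed sample files mirroring the post (placeholder credentials, not real ones).
SAMPLE_LINKS = """vpn:
 set link type pptp
 set pptp peer 1.2.3.4
 set pptp enable originate outcall
"""
SAMPLE_SECRET = '"username"     "password"\n'
SAMPLE_CONF = """default:
 load vpn
vpn:
 new -i ng0 vpn vpn
 set iface session 28800
 set bundle authname "username"
 set bundle enable compression
 set ccp yes mppc
 set ccp yes mpp-e40
 set ccp yes mpp-e56
 set ccp yes mpp-e128
 set iface route 192.168.0.0/24
 open
"""
# Lines the post says break the connection, and MPPE key lengths too short to rely on.
FORBIDDEN = {
    ("set", "ccp", "yes", "mpp-compress"): "post reports this breaks the connection",
    ("set", "bundle", "enable", "encryption"):
        "post reports this breaks the connection; MPPE is negotiated via the ccp lines instead",
}
WEAK_MPPE = {"mpp-e40": 40, "mpp-e56": 56}


def _lines(text):
    """Yield comment-stripped, non-empty lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_sections(text):
    """Return {label: [token list, ...]} for an mpd.conf or mpd.links file."""
    sections, current = {}, None
    for line in _lines(text):
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("directive before any label: %r" % line)
        else:
            sections[current].append(shlex.split(line))
    return sections


def parse_secret(text):
    """Return the set of usernames declared in mpd.secret."""
    users = set()
    for line in _lines(text):
        fields = shlex.split(line)
        if len(fields) < 2:
            raise ValueError("secret line needs a user and a password: %r" % line)
        users.add(fields[0])
    return users


def lint(conf_text, links_text, secret_text, secret_mode=0o600):
    """Return a list of findings; empty means the files agree and nothing weak is set.
    secret_mode is the permission bits of mpd.secret (stat.S_IMODE(os.stat(p).st_mode))."""
    findings = []
    conf, links = parse_sections(conf_text), parse_sections(links_text)
    users = parse_secret(secret_text)
    for label, directives in conf.items():
        for d in directives:
            if d[0] == "load" and len(d) > 1 and d[1] not in conf:
                findings.append("%s: loads unknown section %r" % (label, d[1]))
            if d[0] == "new":  # 'new [-i iface] bundle link...': each link needs an mpd.links entry
                args = d[1:]
                if "-i" in args:
                    i = args.index("-i")
                    del args[i:i + 2]
                for link in args[1:]:
                    if link not in links:
                        findings.append("%s: link %r has no entry in mpd.links" % (label, link))
            if d[:3] == ["set", "bundle", "authname"] and len(d) > 3 and d[3] not in users:
                findings.append("%s: authname %r not found in mpd.secret" % (label, d[3]))
            if tuple(d) in FORBIDDEN:
                findings.append("%s: '%s': %s" % (label, " ".join(d), FORBIDDEN[tuple(d)]))
            if d[:3] == ["set", "ccp", "yes"] and len(d) > 3 and d[3] in WEAK_MPPE:
                findings.append("%s: %s enables %d-bit MPPE, which is weak; keep only mpp-e128"
                                % (label, d[3], WEAK_MPPE[d[3]]))
    if secret_mode & 0o077:
        findings.append("mpd.secret is group/other readable (mode %04o); use mode 0600" % secret_mode)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, SAMPLE_LINKS, SAMPLE_SECRET):
        print(finding)
```

Run against the post's own configuration it reports only the two weak-MPPE lines (mpp-e40 and mpp-e56); adding either of the two "don't use" lines, a mismatched authname, or a link with no mpd.links entry produces a finding for each. To lint the real files, read mpd.conf, mpd.links and mpd.secret from /usr/local/etc/mpd and pass `stat.S_IMODE(os.stat(path).st_mode)` of mpd.secret as `secret_mode`.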

The following lines didn't visibly affect my connection. After leaving
them out, my connection still worked. Some of these probably matter; it
would help to get some clarification here:
 set link yes acfcomp protocomp
 set ipcp yes vjcomp
 set iface disable on-demand
 set iface idle 0
 set link keep-alive 61 753
 set link mtu 1460
 set ccp yes mpp-stateless
 set link no pap
 set link accept chap
 set link enable no-orig-auth
 
Note that the last line is necessary for NT servers, as recommended by
Peter. The "no pap" and "accept chap" lines appear in various
incarnations in online examples, but aren't necessary for the connection
to succeed. It appears as if MPD switches to MPPE automatically during
negotiation.

I apologize for the long email. I hope this helps others trying to use
FreeBSD as a client for a Windows VPN. Please correct me if I'm wrong on
anything.

Nick
bsdlogical