Fw: VPN setup problem - proxy arp I think
metrol at metrol.net
Tue Jul 1 17:28:05 PDT 2003
Couple of notes included within your config. A few comments to follow, along
with a version of my working mpd.conf file. Moving along....
On Monday 30 June 2003 07:12 pm, Koroush Saraf wrote:
> Hi all,
> I read the setup at http://www.blackh0le.net/articles/vpn-dun-howto.html to
> set up my VPN. However, I'm having a problem which I think is proxy-ARP not
> working. I'd like to ask you to see if you know what's going on. When I
> ping 10.77.1.1 from the Windows XP machine the packets get to the 10.77.1.1
> machine, but they don't have a return path to get back. When I ping the
> Windows machine from 10.77.1.1 I get: ping: sendto: Host is down
> When I add a static route to 10.77.1.1 the machines can talk to each other.
> (route add 10.77.1.50/32 10.77.1.2)
> But I don't think I need to set up a static route if Proxy ARP worked!
> I've included my config files in this email. Please note that I get a
> message back saying "[pptp1] no interface to proxy arp on for 10.77.1.50"
> Could this be my problem? How can I fix it? Thanks very much,
A couple of points I don't believe the article in question addresses. First
off, several folks on this list and around web sites recommended changes to
the MTU. Usually the recommendation was to increase it to larger than 1400.
This can no longer be done. XP will not recognize anything above 1400, and
making it smaller fixes nothing.

You should not need to add any static routing information to the IP stack of
either the FreeBSD box or the Windows one. Both MPD and PPTP handle the
routing issues for you. Leave each box pointing to their usual default

The way this works is that when the PPTP client connects to MPD it is actually
given an IP address within the secure segment of your network. Packets route
through MPD rather than through the normal IP stack.

It is REALLY important that you find the setting in Windows to turn off "Use
remote gateway by default" in the PPTP properties. This is on by default,
and will cause you problems.

Also be sure to turn off software compression in the PPTP properties. Even if
turned on in MPD it will not work, and will very likely mess up your
> My network looks as follows
> Freebsd 4.6
> IP 10.77.1.1/24
> Freebsd 4.8 (DELL2) (only 1 network card)
> ng0: 10.77.13
> Windows XP machine with tunnel.
> Config files for Dell 2:
> DELL2# ifconfig -a
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 22.214.171.124 netmask 0xfffffff0 broadcast 126.96.36.199
> inet 10.0.0.249 netmask 0xffffff00 broadcast 10.0.0.255
> inet 10.77.1.2 netmask 0xffffff00 broadcast 10.77.1.255
> inet 10.77.2.2 netmask 0xffffff00 broadcast 10.77.2.255
> inet 10.77.3.2 netmask 0xffffff00 broadcast 10.77.3.255
> inet 10.77.4.2 netmask 0xffffff00 broadcast 10.77.4.255
> inet 10.77.5.2 netmask 0xffffff00 broadcast 10.77.5.255
> ether 00:07:e9:87:ca:4f
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet 127.0.0.1 netmask 0xff000000
> lo1: flags=8008<LOOPBACK,MULTICAST> mtu 16384
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1256
> inet 10.77.1.2 --> 10.77.1.50 netmask 0xffffffff
> ng1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
> ng2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
> ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
> ng4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
> DELL2# pwd
> DELL2# cat mpd.conf
> load client1
> load client2
> load client3
> load client4
> load client5
> set link type pptp
> set pptp enable incoming
> set pptp disable originate
> set iface disable on-demand
> set iface enable proxy-arp
> # set iface idle 1800
> set bundle enable multilink
> set link yes acfcomp protocomp
> set link no pap chap
> set link enable chap
> # set link keep-alive 10 60
> set link mtu 1260
As stated, the max XP MTU is 1400. Use it. 1260 is too darn small for a
reasonably fast connection.
> set ipcp yes vjcomp
> # set ipcp ranges 10.77.1.1/32 10.77.1.50/32
> # set ipcp dns 10.77.1.1
> # set ipcp nbns 10.77.1.1
> set bundle enable compression
> set ccp yes mppc
> set ccp yes mpp-e40
> # set ccp yes mpp-e128
Turn off the 40, turn on the 128. Only Windows 98 and older need 40-bit
encryption. For older versions of Windows you just need to download the
latest DUN. I believe it's at 1.4. It is still very much available from the
Microsoft web site.
> set ccp yes mpp-stateless
> new -i ng0 pptp1 pptp1
> set ipcp range 10.77.1.2/24 10.77.1.50/24
> load pptp_common_settings
And now my mpd.conf. The first 3 octets replaced with x.x.x for security
reasons. The 254 address is my secure interface port.
I've only shown 2 clients here, though my config actually has over 20.
Figured this would be enough for you to get the gist of things.
new -i ng0 pptp0 pptp0
set ipcp ranges x.x.x.254/32 x.x.x.210/25
new -i ng1 pptp1 pptp1
set ipcp ranges x.x.x.254/32 x.x.x.211/25
set iface disable on-demand
set iface enable proxy-arp
set iface idle 3600
set iface mtu 1400
set bundle disable multilink
set bundle enable compression
set bundle yes crypt-reqd
set link mtu 1400
set link no pap chap
set link enable chap
set link keep-alive 10 60
set link yes acfcomp protocomp
set ipcp dns x.x.x.253
set ipcp nbns x.x.x.253
set ipcp yes vjcomp
set ccp yes mppc
# set ccp yes mpp-e40
set ccp yes mpp-e128
set ccp yes mpp-stateless
set ccp enable mpp-compress
Yes, I know some of this goes against some of my earlier advice. This is
pretty much where I just stopped tweaking on the darn thing. This config
file does work, as I have outside users coming through it every day now.
Gotta love a world with FreeBSD in it! :)
Let me know how it goes!
"Always listen to experts. They'll tell you what can't be done, and why.
Then do it."
- Robert A. Heinlein
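
Added example, not part of the original message or of mpd itself: a small linter that reads mpd.conf "set" lines and reports where they differ from the advice in the reply above (mpp-e40 off, mpp-e128 on, crypt-reqd on, link MTU 1400). Treating "yes"/"enable" as on and "no"/"disable" as off is an assumption about the mpd verbs, and the two sample configs are excerpts of the ones quoted on this page.

```python
# Added example: lint mpd.conf "set" lines against the advice in this thread.
ON, OFF = {"yes", "enable"}, {"no", "disable"}  # assumed reading of mpd verbs

def parse(conf_text):
    """Return ({(layer, option): bool}, {layer: mtu}) from 'set' lines."""
    opts, mtus = {}, {}
    for raw in conf_text.splitlines():
        # Drop e-mail quote markers and '#' comments, then tokenize.
        tok = raw.lstrip("> \t").split("#", 1)[0].split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        layer, verb, args = tok[1], tok[2], tok[3:]
        if verb in ON | OFF:
            for opt in args:  # a later line overrides an earlier one
                opts[(layer, opt)] = verb in ON
        elif verb == "mtu" and args[0].isdigit():
            mtus[layer] = int(args[0])
    return opts, mtus

def audit(conf_text):
    """List settings that differ from what the reply recommends."""
    opts, mtus = parse(conf_text)
    findings = []
    if opts.get(("ccp", "mpp-e40")):
        findings.append("ccp mpp-e40 is on: 40-bit MPPE can be negotiated")
    if not opts.get(("ccp", "mpp-e128")):
        findings.append("ccp mpp-e128 is not on")
    if not opts.get(("bundle", "crypt-reqd")):
        findings.append("bundle crypt-reqd is not on: encryption not required")
    if "link" in mtus and mtus["link"] != 1400:
        findings.append(f"link mtu is {mtus['link']}, reply says use 1400")
    return findings

# Excerpts of the two configs on this page (question, then working reply).
QUESTION_CONF = """\
> set link no pap chap
> set link enable chap
> set link mtu 1260
> set ccp yes mppc
> set ccp yes mpp-e40
> # set ccp yes mpp-e128
"""
WORKING_CONF = """\
set bundle yes crypt-reqd
set link mtu 1400
# set ccp yes mpp-e40
set ccp yes mpp-e128
"""

if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("working", WORKING_CONF)):
        print(name, audit(conf) or "no findings")
```

Run against a real file with audit(open("mpd.conf").read()); options set under several labels are merged, so the last "set" line for an option wins.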