mpd and the evil vpn

Reid Linnemann lreid at okstate.edu
Wed Jun 23 21:41:26 PDT 2004


I hope some of the readers out there are more experienced with mpd than I. I'm 
having some difficulties setting up a little vpn, and I need some fingers 
pointing in the right direction.

Here is the setup -

One box is connected to the ISP. Let's call his external IP [extip]; his 
internal LAN IP is 192.168.1.1.

The local area network consists of machines numbered 192.168.1.101 to 
192.168.1.110. The subnet mask is 255.255.255.0.

The VPN addresses should be assigned 192.168.1.201 to 192.168.1.240 or so, with 
subnet mask 255.255.255.0

This box also acts as a NAT.

Here is the problem, and I will post my configs after stating it.

When an XP box (the only test platform so far) attempts to connect to mpd, the 
client acts like it can't see the pptp server and freaks out, kicking back error 
800 - which is the same message if there's no machine at the target address. I 
have yet to get the 201 host to connect, so I haven't added the other hosts to 
the config yet.

And as promised, my config (names have been changed to protect the innocent):

Here is the firewall rule list (no teasing, please):

00100 deny log ip from 127.0.0.1 to any in recv rl0
00200 allow ip from 127.0.0.1 to any
00300 deny log ip from 192.168.1.0/24 to any in recv rl0
00400 deny log ip from 68.97.166.0/23 to any in recv rl1
00500 deny log ip from any to 10.0.0.0/8 via rl0
00600 deny log ip from any to 172.16.0.0/12 via rl0
00700 deny log ip from any to 192.168.0.0/16 via rl0
00800 allow tcp from any to any 1723
00900 allow udp from any to any 1723
01000 allow gre from any to any
01100 divert 8668 ip from any to any via rl0
01200 allow tcp from any to any established
01300 allow ip from any to any frag
01400 allow udp from any to [extip] 8767
01500 allow udp from any to any 14567
01600 allow udp from any to [extip] 22000
01700 allow udp from any to [extip] 23000-23009
01800 allow tcp from any to [extip] 8000 setup
01900 allow tcp from any to [extip] 22 setup
02000 allow tcp from any to 192.168.1.101 22 setup
02100 allow tcp from any to [extip] 2401 setup
02200 allow udp from any to [extip] 2401
02300 allow tcp from [extnet] to [extip] 515 setup
02400 allow tcp from [trustedmachine] to [extip] 515 setup
02500 deny log tcp from any to any in recv rl0 setup
02600 allow tcp from any to any out xmit rl0 setup
02700 allow udp from [extip] to any 53 keep-state
02800 allow udp from [extip] to any 123 keep-state
02900 allow ip from 192.168.1.0/24 to any keep-state
03000 allow ip from [extip] to any keep-state via rl0
65535 allow ip from any to any

and mpd.links:
pptp:
        set link type pptp
        set pptp self 192.168.1.1 #ip address for mpd server
        set pptp enable incoming
        set pptp disable originate

and mpd.conf:
pptp:
        new -i ng0 pptp pptp                    ## create a new interface of ng0 for the pptp connection
        set iface disable on-demand             ## disable on-demand dialing for this connection
        set iface enable proxy-arp              ## enable the arp proxy for the created interface
        set bundle disable multilink            ## disable multi link options
        set bundle authname [user_in_mpd_secret] ## define the username for this connection
        set bundle enable encryption            ## enable encryption for this connection
        set link yes acfcomp protocomp          ## address control and protocol field compression
        set link disable pap                    ## disable PAP authentication for this link
        set link enable chap                    ## enable CHAP authentication for this link
        set link keep-alive 10 60               ## keep alive settings for idle links
        set ipcp enable vjcomp                  ## enables header compression for the link
        set ipcp ranges 192.168.1.1/32 192.168.1.201/32 ## sets IP of PPTP server as well as initial link
        #set ipcp dns 10.0.0.1                   ## sets IP of DNS server to be given to client
        #set ipcp nbns 10.0.0.20                 ## sets IP of the WINS server to be given out
        set bundle enable compression           ## enables tunnel compression
        set ccp enable mppc                     ## enables microsoft point-to-point compression
        set ccp enable mpp-e40                  ## 40-bit MPP encryption
        set ccp enable mpp-e128                 ## 128-bit MPP encryption
        set ccp yes mpp-stateless               ## enables stateless mode for faster recovery
        set bundle enable crypt-reqd            ## require client to have encryption or drop link
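
As an added example (not part of the post, and not mpd's or ipfw's own code), the Python below walks a constructed subset of the rule list above with ipfw's first-match semantics, so the two flows a PPTP client needs (TCP 1723 for the control channel and GRE for the tunnel) can be checked against the ruleset before touching the box. It assumes rl0 is the ISP-facing interface, as rules 00300 and 00700 imply, and uses 198.51.100.7 as a stand-in for [extip] and 203.0.113.5 as the client.

```python
import ipaddress
RULE_LINES = [  # constructed subset of the post's ipfw list, kept in its first-match order
    "00300 deny log ip from 192.168.1.0/24 to any in recv rl0",
    "00800 allow tcp from any to any 1723",
    "01000 allow gre from any to any",
    "01100 divert 8668 ip from any to any via rl0",
    "02500 deny log tcp from any to any in recv rl0 setup",
    "65535 allow ip from any to any",
]

def parse_rule(line):
    """Parse one 'ipfw list' line (only the grammar subset the post uses)."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "dport": None, "flags": set()}
    t = t[3:] if r["action"] == "divert" else t[2:]      # skip the divert port number
    t = t[1:] if t[0] == "log" else t
    r["proto"], r["src"], r["dst"], rest = t[0], t[2], t[4], t[5:]  # "proto from A to B"
    if rest and rest[0][0].isdigit():                     # optional destination port/range
        lo, _, hi = rest[0].partition("-")
        r["dport"], rest = (int(lo), int(hi or lo)), rest[1:]
    while rest:                                           # in/out, recv/xmit/via IF, setup, ...
        if rest[0] in ("recv", "xmit", "via"):
            r[rest[0]], rest = rest[1], rest[2:]
        else:
            r["flags"].add(rest.pop(0))
    return r

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    """p: proto, src, dst, dir ('in'/'out'), iface, optional dport and setup (TCP SYN-only)."""
    return (r["proto"] in ("ip", p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and (r["dport"] is None or r["dport"][0] <= p.get("dport", -1) <= r["dport"][1])
            and ({"in", "out"} & r["flags"]) <= {p["dir"]}           # direction keywords
            and ("recv" not in r or (p["dir"] == "in" and p["iface"] == r["recv"]))
            and ("xmit" not in r or (p["dir"] == "out" and p["iface"] == r["xmit"]))
            and ("via" not in r or p["iface"] == r["via"])
            and ("setup" not in r["flags"] or p.get("setup", False))
            and ("established" not in r["flags"] or not p.get("setup", False)))

def first_match(p, lines=RULE_LINES):  # ipfw: the first matching rule decides (divert -> natd)
    for r in map(parse_rule, lines):
        if rule_matches(r, p):
            return r["num"], r["action"]

# Constructed packets: 198.51.100.7 stands in for [extip]; rl0 is the ISP-facing interface.
PPTP_CTRL = dict(proto="tcp", src="203.0.113.5", dst="198.51.100.7", dport=1723, dir="in", iface="rl0", setup=True)
PPTP_GRE = {"proto": "gre", "src": "203.0.113.5", "dst": "198.51.100.7", "dir": "in", "iface": "rl0"}
```

ipfw is only one gate on that path: mpd's `set pptp self` picks the address its PPTP listener binds, and the mpd.links above sets it to the LAN address 192.168.1.1 rather than to [extip], so a client connecting to [extip]:1723 also needs a listener on that address.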