Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
Quoting Daniel O'Connor [EMAIL PROTECTED]:

> On Tue, 5 Apr 2005 08:37, Walentyn wrote:
> > --
> > # cat /usr/local/etc/mpd/mpd.conf #
>
> Any reason you are using mpd? I have only done it with ppp..

No native FreeBSD ppp MPPE support (for example with PPTP-Client).

Thanks for your interest!
--
Walentyn

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
Quoting Michael Bretterklieber [EMAIL PROTECTED]:

> Hi,
> ...
> Perhaps GRE is blocked somewhere (Firewall)?
>
> bye,
> --
> Michael Bretterklieber - http://www.bretterklieber.com

I thought the following ipfilter rules would have done the trick:

--
# allow PPTP client
pass in log quick on xl0 proto gre from [SGL server IP]/32 to any
pass out log quick on xl0 proto gre from any to any
pass in log quick on xl0 proto tcp from [SGL server IP]/32 port = 1723 to any
pass out log quick on xl0 proto tcp from any to any port = 1723
--

Perhaps I missed something, however, the firewall log does show p (pass) for all entries during attempted negotiation.

I'm starting to think that FreeBSD's mpd PPTP may be incompatible with SnapGearLITE's UCLinux PPTP interpretation (although SGL works like a champ with XP and Linux clients). Unfortunately, the appliance in question has been discontinued and the company taken over (and forgotten?) by Cyberguard.

Thanks!
--
Walentyn
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
On Tue, 5 Apr 2005 18:55, Walentyn wrote:
> > Any reason you are using mpd? I have only done it with ppp..
>
> No native FreeBSD ppp MPPE support (for example with PPTP-Client).

Err yes it does..

From ppp(8)

     Supports MPPE (draft-ietf-pppext-mppe) MPPE is Microsoft Point to
     Point Encryption scheme. It is possible to configure ppp to
     participate in Microsoft's Windows VPN. For now, ppp can only get
     encryption keys from CHAP 81 authentication. ppp must be compiled
     with DES for MPPE to operate.

--
Daniel O'Connor
software and network engineer for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
Quoting Daniel O'Connor [EMAIL PROTECTED]:

> On Tue, 5 Apr 2005 18:55, Walentyn wrote:
> > > Any reason you are using mpd? I have only done it with ppp..
> >
> > No native FreeBSD ppp MPPE support (for example with PPTP-Client).
>
> Err yes it does..
>
> From ppp(8)
>
>      Supports MPPE (draft-ietf-pppext-mppe) MPPE is Microsoft Point to
>      Point Encryption scheme. It is possible to configure ppp to
>      participate in Microsoft's Windows VPN. For now, ppp can only get
>      encryption keys from CHAP 81 authentication. ppp must be compiled
>      with DES for MPPE to operate.

I stand corrected. From my previous reading, it looked like there were a whole bunch of disparate patches to give ppp MPPE functionality. From the quoted manual section, it seems that it has rudimentary functionality if you compile it yourself. (I prefer NOT to roll my own.)

Also from what I read, it would appear that netgraph/mpd, etc. is a more integrated, more cleanly coded implementation that should work very well -- if you can get it to work, that is. :)

I'll tinker with my set up for another day or two. If I'm able to get it working I'll report. Otherwise, I found that SnapGear may be dead as a company but Cyberguard still supports it and has come out with some very interesting new products, in particular a PCI NIC firewall/VPN (see URL below) which might just be what I need.

http://www.cyberguard.com/products/firewall/SG_Family/SG630.html?lang=de_EN

Thank you for all your suggestions!
--
Walentyn
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
On Tuesday, 5. April 2005 16:12, Walentyn wrote:
> patches to give ppp MPPE functionality. From the quoted manual section, it
> seems that it has rudimentary functionality if you compile it yourself. (I
> prefer NOT to roll my own.)

No, DES is enabled by default. The manpage mentions it because the NO_OPENSSL/NOCRYPT switches can turn it off.

--
   ,_,   | Michael Nottebrock               | [EMAIL PROTECTED]
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
On Tue, 5 Apr 2005 23:42, Walentyn wrote:
> >      Supports MPPE (draft-ietf-pppext-mppe) MPPE is Microsoft Point to
> >      Point Encryption scheme. It is possible to configure ppp to
> >      participate in Microsoft's Windows VPN. For now, ppp can only get
> >      encryption keys from CHAP 81 authentication. ppp must be compiled
> >      with DES for MPPE to operate.
>
> I stand corrected. From my previous reading, it looked like there were a
> whole bunch of disparate patches to give ppp MPPE functionality. From the
> quoted manual section, it seems that it has rudimentary functionality if
> you compile it yourself. (I prefer NOT to roll my own.)

Only if you build world with -DNO_CRYPTO does PPP not have DES support.
I have had userland ppp as both a client and server for doing MPPE with.

> Also from what I read, it would appear that netgraph/mpd, etc. is a more
> integrated, more cleanly coded implementation that should work very well --
> if you can get it to work, that is. :)

shrugs
Try ppp and see if it works.

> I'll tinker with my set up for another day or two. If I'm able to get it
> working I'll report. Otherwise, I found that SnapGear may be dead as a
> company but Cyberguard still supports it and has come out with some very
> interesting new products, in particular a PCI NIC firewall/VPN (see URL
> below) which might just be what I need.
>
> http://www.cyberguard.com/products/firewall/SG_Family/SG630.html?lang=de_EN

Looks kind of neat but IMO a bit of a waste of money :)

--
Daniel O'Connor
software and network engineer for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
Quoting Daniel O'Connor [EMAIL PROTECTED]:

> I've done Windows - FreeBSD PopTop server without any big issues.

So have I, but I'm going from FreeBSD client to SnapGearLITE UCLinux PopTop server appliance.

> It would be helpful if you supplied log files and configs to download
> somewhere.

(Please see below.)

> PS PPTP encryption sucks, use openvpn or IPSec :)

Unfortunately, have no choice in the matter.

> --
> Daniel O'Connor
> software and network engineer for Genesis Software - http://www.gsoft.com.au
> The nice thing about standards is that there are so many of them to choose from.
>   -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

Thank you!
--
Walentyn

--
# cat /usr/local/etc/mpd/mpd.conf #

default:
        load vpn

vpn:
        new -i ng0 vpn vpn
        set iface disable on-demand
        set iface enable proxy-arp
        set bundle disable multilink
        set bundle authname [remote username]
        set bundle password [password]
        set link yes acfcomp protocomp
        set link mtu 1400
        set link mru 1400
        set link no pap chap
        set link enable chap
        set link keep-alive 60 180
        set ipcp yes vjcomp
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp no mpp-e40
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set bundle yes crypt-reqd
        open

--
# cat /usr/local/etc/mpd/mpd.links #

vpn:
        set link type pptp
        set pptp self [FBSD client IP]
        set pptp peer [SGL server IP]
        set pptp enable originate outcall
        set pptp disable incoming

--
Console output:

# mpd
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 12394, version 3.18 ([EMAIL PROTECTED] 08:48 21-Mar-2005)
[vpn] ppp node is mpd12394-vpn
[vpn] using interface ng0
[vpn] IFACE: Open event
[vpn] IPCP: Open event
[vpn] IPCP: state change Initial --> Starting
[vpn] IPCP: LayerStart
[vpn:vpn] [vpn] bundle: OPEN event in state CLOSED
[vpn] opening link vpn...
[vpn] link: OPEN event
[vpn] LCP: Open event
[vpn] LCP: state change Initial --> Starting
[vpn] LCP: LayerStart
[vpn] device: OPEN event in state DOWN
pptp0: connecting to [SGL server IP]:1723
[vpn] device is now in state OPENING
pptp0: connected to [SGL server IP]:1723
pptp0: attached to connection with [SGL server IP]:1723
pptp0-0: outgoing call connected at 64000 bps
[vpn] PPTP call successful
[vpn] device: UP event in state OPENING
[vpn] device is now in state UP
[vpn] link: UP event
[vpn] link: origination is local
[vpn] LCP: Up event
[vpn] LCP: state change Starting --> Req-Sent
[vpn] LCP: phase shift DEAD --> ESTABLISH
[vpn] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #2 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #3 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #4 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #5 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #6 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #7 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #8 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #9 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #10 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: state change Req-Sent --> Stopped
[vpn] LCP: LayerFinish
[vpn] LCP: parameter negotiation failed
[vpn] LCP: LayerFinish
[vpn] device: CLOSE event in state UP
pptp0-0: clearing call
[vpn] device is now in state CLOSING
[vpn] device: CLOSE event in state CLOSING
[vpn] device is now in state CLOSING
[vpn] device: DOWN event in state CLOSING
[vpn] device is now in state DOWN
[vpn] link: DOWN event
[vpn] LCP: Down event
[vpn] LCP: state change Stopped --> Starting
[vpn] LCP: phase shift ESTABLISH --> DEAD
[vpn] LCP: LayerStart
[vpn] device: OPEN event in state DOWN
[vpn] pausing 9 seconds before open
[vpn] device is now in state DOWN
[vpn] device: OPEN event in state DOWN
[vpn] device is now in state DOWN
pptp0-0: peer call disconnected res=disconnect request err=none
pptp0-0: killing channel
pptp0: closing connection with [SGL server IP]:1723
pptp0: killing connection with [SGL server IP]:1723
[vpn] device: OPEN event in state DOWN

--
SnapGearLITE corresponding log entries:

Apr 04 22:48:32 pptpd[10188]: CTRL: Client [FBSD client IP] control
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
On Tue, 5 Apr 2005 08:37, Walentyn wrote:
> --
> # cat /usr/local/etc/mpd/mpd.conf #

Any reason you are using mpd? I have only done it with ppp..

Looking at the log messages I would guess it's failing to negotiate MSChap properly, although never having used mpd I couldn't really offer any suggestions..

--
Daniel O'Connor
software and network engineer for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
Hi,

Walentyn wrote:
> Multi-link PPP for FreeBSD, by Archie L. Cobbs.
> Based on iij-ppp, by Toshiharu OHNO.
> mpd: pid 12394, version 3.18 ([EMAIL PROTECTED] 08:48 21-Mar-2005)
> [vpn] ppp node is mpd12394-vpn
> [vpn] using interface ng0
> [vpn] IFACE: Open event
> [vpn] IPCP: Open event
> [vpn] IPCP: state change Initial --> Starting
> [vpn] IPCP: LayerStart
> [vpn:vpn] [vpn] bundle: OPEN event in state CLOSED
> [vpn] opening link vpn...
> [vpn] link: OPEN event
> [vpn] LCP: Open event
> [vpn] LCP: state change Initial --> Starting
> [vpn] LCP: LayerStart
> [vpn] device: OPEN event in state DOWN
> pptp0: connecting to [SGL server IP]:1723
> [vpn] device is now in state OPENING
> pptp0: connected to [SGL server IP]:1723
> pptp0: attached to connection with [SGL server IP]:1723
> pptp0-0: outgoing call connected at 64000 bps
> [vpn] PPTP call successful
> [vpn] device: UP event in state OPENING
> [vpn] device is now in state UP
> [vpn] link: UP event
> [vpn] link: origination is local
> [vpn] LCP: Up event
> [vpn] LCP: state change Starting --> Req-Sent
> [vpn] LCP: phase shift DEAD --> ESTABLISH
> [vpn] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
> [vpn] LCP: SendConfigReq #2 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
> [vpn] LCP: SendConfigReq #3 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
> [vpn] LCP: SendConfigReq #4 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
> [vpn] LCP: SendConfigReq #5 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
> [vpn] LCP: SendConfigReq #6 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2

it looks like that the server is not responding to LCP config requests.
Perhaps GRE is blocked somewhere (Firewall)?

bye,
--
Michael Bretterklieber - http://www.bretterklieber.com
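The symptom described in the message above (PPTP control connection on TCP/1723 established, then LCP ConfigReqs retried with no reply) can be recognised mechanically from mpd console output. The following Python code is an added example, not part of the original thread or of mpd. The `rec'd` pattern, the verdict names and the `min_retries` threshold are assumptions, and the sample logs are constructed from lines quoted in the thread.

```python
import re

CTRL_UP = re.compile(r"\bpptp\d+: connected to .+:1723\b")
LCP_SENT = re.compile(r"LCP: SendConfigReq #(\d+)")
LCP_FAIL = re.compile(r"LCP: parameter negotiation failed")
# Assumption: received LCP packets are logged with "LCP: rec'd"; the
# thread's log contains no such line, so this wording is not from the page.
LCP_RECV = re.compile(r"LCP: rec'd")

def diagnose(log_text, min_retries=3):
    """Classify one PPTP attempt from mpd console output."""
    ctrl_up = failed = False
    sent, received = set(), 0
    for line in log_text.splitlines():
        m = LCP_SENT.search(line)
        if CTRL_UP.search(line):
            ctrl_up = True
        elif m:
            sent.add(int(m.group(1)))
        elif LCP_RECV.search(line):
            received += 1
        elif LCP_FAIL.search(line):
            failed = True
    verdict = "inconclusive"
    if not ctrl_up:
        verdict = "control-channel-down"   # TCP/1723 never connected
    elif received == 0 and len(sent) >= min_retries:
        verdict = "gre-path-suspect"       # TCP works, PPP-in-GRE unanswered
    elif failed:
        verdict = "lcp-option-mismatch"    # peer answered but options rejected
    return {"verdict": verdict, "config_reqs_sent": len(sent),
            "lcp_received": received, "negotiation_failed": failed}

# Constructed sample, abbreviated from the log quoted in the thread.
SAMPLE_UNANSWERED = """\
pptp0: connected to [SGL server IP]:1723
[vpn] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #2 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigReq #3 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 1dcbdb30 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: parameter negotiation failed
"""
# Constructed sample: the peer answers, so the GRE path is working.
SAMPLE_ANSWERED = """\
pptp0: connected to [SGL server IP]:1723
[vpn] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500
[vpn] LCP: rec'd Configure Reject #1
[vpn] LCP: parameter negotiation failed
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_UNANSWERED))
```

A `gre-path-suspect` verdict only narrows the fault to the GRE data path or the peer's PPP daemon; capturing IP protocol 47 on the outside interface during an attempt shows which of the two it is.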
FreeBSD mpd PPTP client connection to SnapGearLITE+
The SnapGearLITE+ is (was?) an inexpensive (about $200 when purchased) firewall/VPN appliance running embedded UCLinux. It has builtin PopTop servers and clients and IPSec.

Been using it as a firewall and PopTop server for the last three years +/-. Very happy with it. Setting up a PopTop VPN server is very simple. XP and Linux clients work well with it. No joy, though, when trying to connect to it from FreeBSD 5.3 Stable by using the mpd port.

I'd rather not go through all the client settings at this point. Has any one been able to successfully connect a FreeBSD mpd PPTP client to a SGL PopTop server? If so, any special mpd configuration options or gotchas to watch out for?

Thank you.
--
Walentyn
Re: FreeBSD mpd PPTP client connection to SnapGearLITE+
On Mon, 4 Apr 2005 09:30, Walentyn wrote:
> I'd rather not go through all the client settings at this point. Has any
> one been able to successfully connect a FreeBSD mpd PPTP client to a SGL
> PopTop server? If so, any special mpd configuration options or gotchas to
> watch out for?

I've done Windows - FreeBSD PopTop server without any big issues.

It would be helpful if you supplied log files and configs to download somewhere.

PS PPTP encryption sucks, use openvpn or IPSec :)

--
Daniel O'Connor
software and network engineer for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C