From owner-freebsd-questions Wed Sep 4 19:17:12 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 88EDC37B400 for ; Wed, 4 Sep 2002 19:17:06 -0700 (PDT)
Received: from w2xo.jcdurham.com (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1FAF743E72 for ; Wed, 4 Sep 2002 19:17:05 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from jimslaptop (jimslaptop.jcdurham.com [192.168.5.14]) by w2xo.jcdurham.com (8.11.6/8.11.6) with ESMTP id g852H2F67705; Thu, 5 Sep 2002 02:17:02 GMT (envelope-from durham@w2xo.pgh.pa.us)
Content-Type: text/plain; charset="iso-8859-1"
From: Jim Durham
Subject: Re: VPN - some questions
Date: Wed, 4 Sep 2002 22:17:00 -0400
User-Agent: KMail/1.4.2
References: <003401c2534e$f6b8dce0$0701a8c0@darryl>
In-Reply-To: <003401c2534e$f6b8dce0$0701a8c0@darryl>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200209042217.01239.durham@w2xo.pgh.pa.us>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

On Tuesday 03 September 2002 09:36 am, Darryl Hoar wrote:
> My home client could be Windows 2000 or Linux. I would
> want to connect to my work LAN through the internet.
> My Firewall is FreeBSD 4.5. I need:
> 1. a tutorial for setting up VPN on my FreeBSD firewall.
> 2. Recommendation for VPN client to run on my home
> machine (windows 2000 or Linux. My machine is dual boot).
> 3. a tutorial for setting up VPN client on my home machine.
>
> thanks,
> Darryl
>
> > From: Jim Durham [mailto:durham@w2xo.pgh.pa.us]
> > Sent: Friday, August 30, 2002 11:00 PM
> > To: darryl@osborne-ind.com
> > Subject: Re: VPN - some questions
> >
> > On Friday 30 August 2002 12:33 pm, Darryl Hoar wrote:
> >> Greetings,
> >> my LAN is connected to the internet in the following fashion:
> >>
> >> SMC DSL Modem (static IP address assigned) ->
> >> FreeBSD Firewall NIC1 (DHCP assigned IP from DSL Modem)
> >> FreeBSD Firewall NIC2 is connected to my LAN.
> >>
> >> I want to be able to access my LAN from the internet using VPN.
> >> If I configure VPN on the Firewall, and use a VPN client on my
> >> home computer, should I be able to access my LAN?
> >>
> >> I looked on FreeBSD.org handbook, and FAQ, but didn't see
> >> any VPN. (I also might be blind.)
> >>
> >> Any pointers on how to set this up?
> >
> > mpd from the ports collection does well for Windows VPN
> > clients and IPSEC works well for FreeBSD. You didn't say what OS
> > you wanted to use to connect via VPN.
> >
> > IPSEC is a kernel option. mpd uses the netgraph interface in
> > the kernel. It comes with a sample config file that shows how to
> > set it up for Microsoft's VPN clients.
> >
> > -Jim

If you are going to use Linux as a client, then you can use IPSEC. I have
no idea how to set up the Linux end of it, as I'm not very Linux oriented,
but the tutorial for setting up the FreeBSD end of it is
www.daemonnews.org/200101/ipsec-howto.html . If you enter "freebsd ipsec"
into the google engine, you will get lots of help. You will also want to
install "racoon" from the ports collection to generate encryption keys for
IPSEC. When you have the FreeBSD and the Linux machines set up to use
IPSEC, all packets between them are encrypted.

If you are going to use a Windows client, then install mpd from the ports
collection. There are 3 files to set up. The file "mpd.conf" has a sample
PPTP section.
You just change the IPs there to those of your outside IP and your LAN IPs.
You will need one of these entries for each additional concurrent user of
the VPN. I call them "pptp1", "pptp2" and so forth.

The 2nd file you will have to modify is "mpd.links", which has a
corresponding section for each section in "mpd.conf". These entries have
the same names as the corresponding entries in "mpd.conf".

Finally, you will need to set up "mpd.secret" with your user names and
passwords.

If you are running a default-to-deny firewall, you may have problems
getting the GRE packets through. It's easier to run default-to-accept and
block all the ports you don't want to be accessible from the outside.

When you have mpd running, just make a new VPN connection in Windows,
giving it the host name of the machine that mpd is running on, and log in
with the user name and password you put in "mpd.secret".

You will find that the mpd server does not do ARP. You'll want to make an
ARP entry on the machine running mpd pointing to the MAC address of the
LAN side of your server so that the machines on your LAN know where to
return packets from the VPN clients. Otherwise, the only machine that will
be able to communicate with the remote clients will be the server.

Read the man page for mpd and, with what I've told you above, you should
be able to get it working.

Hope this helps.

-Jim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
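The mpd setup described in the mail above, worked through as an added example (this is not part of the original mail and not mpd's own sample files): a small POSIX shell script that writes mpd.conf with one "pptpN" section per concurrent user, the matching mpd.links sections and mpd.secret, and prints the ipfw rules for TCP port 1723 plus GRE and the published ARP entries for the client addresses, which is the manual ARP step the mail describes. The directive names are taken from mpd 3.x's sample mpd.conf/mpd.links as I remember them, so compare them against the sample the port installs before relying on them; every address, the MAC and the user names are made-up values. Beyond what the mail says, it omits PAP and 40-bit MPPE, sets crypt-reqd so a client that will not negotiate 128-bit encryption is dropped, and creates mpd.secret mode 0600 because it holds cleartext passwords.

```shell
#!/bin/sh
# Added example, not from the original mail: generate an mpd 3.x PPTP server
# config for N concurrent Windows clients plus the host commands the mail
# describes (firewall holes for PPTP and published ARP entries).
# Directive names follow mpd's sample mpd.conf/mpd.links from memory; check
# them against the sample the port installs. Every address below, the MAC
# and the user names are assumed example values.

OUTSIDE_IP=${OUTSIDE_IP:-203.0.113.10}   # firewall's Internet-facing address (assumed)
LAN_GW=${LAN_GW:-192.168.5.1}            # firewall's LAN address, local end of each PPP link (assumed)
LAN_DNS=${LAN_DNS:-192.168.5.2}          # DNS server handed to clients (assumed)
LAN_MAC=${LAN_MAC:-00:11:22:33:44:55}    # MAC of the firewall's LAN NIC (assumed)
CLIENT_NET=${CLIENT_NET:-192.168.5}      # LAN prefix the client addresses come from (assumed)
CLIENT_FIRST=${CLIENT_FIRST:-200}        # last octet given to link pptp1 (assumed)

# client_ip N: LAN address assigned to concurrent link N (section pptpN).
client_ip() {
    echo "${CLIENT_NET}.$((CLIENT_FIRST + $1 - 1))"
}

# gen_mpd_conf N: mpd.conf with a "default" label that loads pptp1..pptpN,
# one short section per link, and a shared "pptp_standard" block.
gen_mpd_conf() {
    n=$1
    printf 'default:\n'
    i=1
    while [ "$i" -le "$n" ]; do printf '\tload pptp%d\n' "$i"; i=$((i + 1)); done
    i=1
    while [ "$i" -le "$n" ]; do
        printf '\npptp%d:\n' "$i"
        printf '\tnew -i ng%d pptp%d pptp%d\n' "$((i - 1))" "$i" "$i"
        printf '\tset ipcp ranges %s/32 %s/32\n' "$LAN_GW" "$(client_ip "$i")"
        printf '\tload pptp_standard\n'
        i=$((i + 1))
    done
    printf '\npptp_standard:\n'
    printf '\tset iface disable on-demand\n'
    printf '\tset iface idle 1800\n'
    printf '\tset bundle disable multilink\n'
    printf '\tset link yes acfcomp protocomp\n'
    printf '\tset link no pap chap\n'            # as in mpd's sample: CHAP only, no PAP
    printf '\tset link enable chap\n'
    printf '\tset link keep-alive 10 60\n'
    printf '\tset ipcp yes vjcomp\n'
    printf '\tset ipcp dns %s\n' "$LAN_DNS"
    printf '\tset bundle enable compression\n'   # MPPE is negotiated on the CCP layer
    printf '\tset ccp yes mppc\n'
    printf '\tset ccp yes mpp-e128\n'            # 128-bit MPPE only; 40-bit deliberately left out
    printf '\tset ccp yes mpp-stateless\n'
    printf '\tset bundle enable crypt-reqd\n'    # tear the link down if encryption is not negotiated
}

# gen_mpd_links N: mpd.links, one section per link with the same name as in mpd.conf.
gen_mpd_links() {
    n=$1
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'pptp%d:\n' "$i"
        printf '\tset link type pptp\n'
        printf '\tset pptp self %s\n' "$OUTSIDE_IP"   # listen on the outside address only
        printf '\tset pptp enable incoming\n'
        printf '\tset pptp disable originate\n\n'
        i=$((i + 1))
    done
}

# gen_mpd_secret "user:pass user2:pass2 ...": one 'user "pass"' line each.
gen_mpd_secret() {
    for entry in $1; do
        printf '%s "%s"\n' "${entry%%:*}" "${entry#*:}"
    done
}

# gen_host_cmds N: ipfw rules for PPTP control (TCP 1723) and GRE, then a
# published ARP entry per client address so LAN hosts send replies to the
# firewall's LAN NIC instead of ARPing for an address nobody answers.
gen_host_cmds() {
    n=$1
    printf 'ipfw add allow tcp from any to %s 1723 in\n' "$OUTSIDE_IP"
    printf 'ipfw add allow gre from any to %s in\n' "$OUTSIDE_IP"
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'arp -s %s %s pub\n' "$(client_ip "$i")" "$LAN_MAC"
        i=$((i + 1))
    done
}

# write_mpd_config DIR N USERS: write the three files; mpd.secret is created 0600.
write_mpd_config() {
    dir=$1; n=$2; users=$3
    mkdir -p "$dir"
    gen_mpd_conf "$n" > "$dir/mpd.conf"
    gen_mpd_links "$n" > "$dir/mpd.links"
    ( umask 077; gen_mpd_secret "$users" > "$dir/mpd.secret" )   # cleartext passwords
    chmod 600 "$dir/mpd.secret"
}

# Usage: sh mpd-gen.sh OUTDIR NUSERS "user:pass user2:pass2"
if [ $# -eq 3 ]; then
    write_mpd_config "$1" "$2" "$3"
    gen_host_cmds "$2"
fi
```

Run it as `sh mpd-gen.sh /usr/local/etc/mpd 2 "alice:pass1 bob:pass2"` and apply the printed ipfw and arp lines by hand, or only the arp lines if the firewall is default-to-accept as the mail suggests. The 1723/GRE rules are the narrowest opening a default-to-deny policy needs for PPTP. PPTP's MS-CHAP password authentication is known to be weak, so the entries in mpd.secret should be long random passwords rather than anything guessable.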