Date:      Mon, 3 May 2004 19:34:23 -0400
From:      Ed Budd <ebudd@grokking.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: need help setting up PPTP VPN using mpd
Message-ID:  <20040503193423.1202faf9.ebudd@grokking.org>
In-Reply-To: <4096D192.5080409@idlemind.net>
References:  <4096D192.5080409@idlemind.net>

On Mon, 03 May 2004 18:11:14 -0500
Brad Tarver <btarver@idlemind.net> wrote:

> I'm trying to set up PPTP connectivity in a lab environment before I 
> attempt to implement it in a real-world situation.
> 
> I have two routers and four PCs (two laptops running Windows XP and
> two desktops running FreeBSD 5.2.1).
> 
> I haven't configured any ipfw or ipfirewall rules yet to keep my 
> configuration 'simple'.
> 
> Both FreeBSD boxes are configured to nat the two Windows boxes to my
> lab 'internet'.
> 
> Can anyone look at the setup below and tell me what I'm missing?
> 
> Here is my setup:
> 
> 
> LaptopA
>    |
>    |
>    | 10.1.2.0/24
>    |
>    | .1
> FreebsdA
>    | .2
>    |
>    | 27.40.15.0/24
>    |
>    | .1
> RouterA
>    | .25
>    |
>    | 26.215.152.0/24
>    |
>    | .26
> RouterB
>    | .1
>    |
>    | 28.80.30.0/24
>    |
>    | .2
> FreebsdB
>    | .1
>    |
>    | 192.168.44.0/24
>    |
>    |
> LaptopB
> 
> 
> I have MPD running on FreebsdA (27.40.15.2). Ipnat is configured on
> both freebsd boxes. When I open a new pptp vpn session on my laptopB,
> it gets to a 'verifying username and pass' stage and then errors.
> 


Brad:

<-- insert big disclaimer here -->

I'm certainly no expert on PPTP but I believe you're going to need to
set up some kind of "passthrough" functionality to get protocol 47
through NAT. What you describe above may be symptomatic of packets
related to tcp 1723 getting through (to initiate authentication) but not
protocol 47 (GRE) which is needed for the tunnel itself. I haven't used
ipnat in some time but I seem to recall some carefully placed redirect
rules as facilitating this. Sorry I can't be more specific. If I find
the documentation I'm thinking about I'll post a link.

Maybe you should try it first without NAT, just straight routing.
Another useful thing might be to enable bpf in the kernel config and run
a packet capture at appropriate chokepoints using tcpdump while you're
testing.

Please post a followup as I'd be interested in hearing (reading) how
things go since I unfortunately don't have time to spare right now in
trying it myself.

Cheers,

EB



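The symptom Ed describes (TCP/1723 reaches the server, the GRE tunnel does not) is easy to confirm from captures taken on both sides of the NAT box. The script below is an added example written for this archive page; it is not code from either poster. It builds a few constructed IPv4 packets using addresses from Brad's diagram (LaptopB on 192.168.44.0/24, FreebsdB's outside address 28.80.30.2, the mpd server at 27.40.15.2), classifies each packet as PPTP control (TCP port 1723), GRE (IP protocol 47) or other, and compares an "inside" and an "outside" capture to report whether GRE is being dropped at the NAT. The packet-building helpers exist only to make the example self-contained; on a real box the same classification would be applied to frames read from tcpdump.

```python
"""Classify raw IPv4 packets as PPTP control or GRE and compare captures
taken on the inside and outside interfaces of a NAT router.

Constructed example: addresses follow the lab diagram in the thread,
packets are synthesised inline, nothing here is read from a live capture.
"""
import struct

PPTP_CTRL_PORT = 1723   # PPTP control connection (TCP)
PROTO_TCP = 6
PROTO_GRE = 47          # PPTP tunnel carrier (RFC 2637 uses enhanced GRE)

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left at zero since nothing sends it."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       _ip(src), _ip(dst))


def tcp_packet(src, dst, sport, dport):
    """IPv4 + bare TCP SYN (20-byte header, no options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_header(src, dst, PROTO_TCP, len(tcp)) + tcp


def gre_packet(src, dst, call_id):
    """IPv4 + enhanced GRE header as PPTP uses it: K and S flags, version 1,
    protocol type 0x880B (PPP), payload length 0, call id."""
    gre = struct.pack("!HHHH", 0x3001, 0x880B, 0, call_id)
    return ipv4_header(src, dst, PROTO_GRE, len(gre)) + gre


def classify(pkt):
    """Return (kind, src, dst); kind is 'pptp-control', 'gre' or 'other'."""
    if len(pkt) < 20:
        return ("other", None, None)
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src_s = ".".join(str(b) for b in src)
    dst_s = ".".join(str(b) for b in dst)
    if proto == PROTO_GRE:
        return ("gre", src_s, dst_s)
    if proto == PROTO_TCP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if PPTP_CTRL_PORT in (sport, dport):
            return ("pptp-control", src_s, dst_s)
    return ("other", src_s, dst_s)


def count_kinds(pkts):
    counts = {"pptp-control": 0, "gre": 0, "other": 0}
    for p in pkts:
        counts[classify(p)[0]] += 1
    return counts


def diagnose(inside, outside):
    """Compare what entered the NAT box with what left it."""
    i, o = count_kinds(inside), count_kinds(outside)
    if i["pptp-control"] and o["pptp-control"] and i["gre"] and not o["gre"]:
        return "control channel passes NAT but GRE does not: PPTP passthrough missing"
    if i["gre"] and o["gre"]:
        return "both TCP/1723 and GRE traverse NAT"
    return "inconclusive"


# Constructed captures: LaptopB behind FreebsdB dialling the mpd server on FreebsdA.
LAPTOP_B, NAT_OUTSIDE, SERVER = "192.168.44.10", "28.80.30.2", "27.40.15.2"
INSIDE_CAPTURE = [
    tcp_packet(LAPTOP_B, SERVER, 1035, PPTP_CTRL_PORT),
    gre_packet(LAPTOP_B, SERVER, call_id=1),
]
OUTSIDE_CAPTURE = [
    tcp_packet(NAT_OUTSIDE, SERVER, 61000, PPTP_CTRL_PORT),   # translated control SYN
    # no GRE packet here: the NAT had nothing to translate it with
]

if __name__ == "__main__":
    print(diagnose(INSIDE_CAPTURE, OUTSIDE_CAPTURE))
```

On the real boxes the equivalent observation is `tcpdump -ni <interface> 'ip proto 47 or tcp port 1723'` run on both interfaces of the NAT router while the Windows client dials; if GRE shows up on the inside interface only, the tunnel is being dropped at translation rather than rejected by the server.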