The SnapGearLITE+ is (was?) an inexpensive (about $200 when purchased) firewall/VPN appliance running embedded UCLinux. It has built-in PopTop servers and clients and IPSec.

Been using it as a firewall and PopTop server for the last three years +/-. Very happy with it. Setting up a PopTop VPN server is very simple. XP and Linux clients work well with it.

No joy, though, when trying to connect to it from FreeBSD 5.3 Stable by using the mpd port.

I'd rather not go through all the client settings at this point.

Has anyone been able to successfully connect a FreeBSD mpd PPTP client to a SGL PopTop server?

If so, any special mpd configuration options or gotchas to watch out for?

Thank you.
--
Walentyn

On Mon, 4 Apr 2005 09:30, Walentyn wrote:
> I'd rather not go through all the client settings at this point.
>
> Has any one been able to successfully connect a FreeBSD mpd PPTP client to
> a SGL PopTop server?
>
> If so, any special mpd configuration options or gotchas to watch out for?

I've done Windows -> FreeBSD PopTop server without any big issues.

It would be helpful if you supplied log files and configs to download somewhere.

PS PPTP encryption sucks, use openvpn or IPSec :)

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

Quoting Michael Bretterklieber <mbretter@inode.at>:
> Hi,
> ...
>
> Perhaps GRE is blocked somewhere (Firewall)?
>
> bye,
> --
> ------------------------------- ----------------------------------
> Michael Bretterklieber - http://www.bretterklieber.com
> ------------------------------ ----------------------------------

I thought the following ipfilter rules would have done the trick:

----------------------------------------------------------------------
# allow PPTP client
pass in log quick on xl0 proto gre from [SGL server IP]/32 to any
pass out log quick on xl0 proto gre from any to any
pass in log quick on xl0 proto tcp from [SGL server IP]/32 port = 1723 to any
pass out log quick on xl0 proto tcp from any to any port = 1723
----------------------------------------------------------------------

Perhaps I missed something, however, the firewall log does show "p" (pass) for all entries during attempted negotiation.

I'm starting to think that FreeBSD's mpd PPTP may be incompatible with SnapGearLITE's UCLinux PPTP interpretation (although SGL works like a champ with XP and Linux clients). Unfortunately, the appliance in question has been discontinued and the company taken over (and forgotten?) by Cyberguard.

Thanks!
--
Walentyn

Quoting Daniel O'Connor <doconnor@gsoft.com.au>:
> On Tue, 5 Apr 2005 18:55, Walentyn wrote:
> > > Any reason you are using mpd? I have only done it with ppp..
> >
> > No native FreeBSD ppp MPPE support (for example with PPTP-Client).
>
> Err yes it does..
> From ppp(8)
>   Supports MPPE (draft-ietf-pppext-mppe) MPPE is Microsoft Point to Point
>   Encryption scheme. It is possible to configure ppp to participate in
>   Microsoft's Windows VPN. For now, ppp can only get encryption keys from
>   CHAP 81 authentication. ppp must be compiled with DES for MPPE to operate.
>

I stand corrected.

From my previous reading, it looked like there were a whole bunch of disparate patches to give ppp MPPE functionality. From the quoted manual section, it seems that it has rudimentary functionality if you compile it yourself. (I prefer NOT to roll my own.)

Also from what I read, it would appear that netgraph/mpd, etc. is a more integrated, more cleanly coded implementation that should work very well -- if you can get it to work, that is. :)

I'll tinker with my set up for another day or two. If I'm able to get it working I'll report. Otherwise, I found that SnapGear may be dead as a company but Cyberguard still supports it and has come out with some very interesting new products, in particular a PCI NIC firewall/VPN (see URL below) which might just be what I need.

http://www.cyberguard.com/products/firewall/SG_Family/SG630.html?lang=de_EN

Thank you for all your suggestions!
--
Walentyn

Michael Nottebrock
2005-Apr-05 07:48 UTC
FreeBSD mpd PPTP client connection to SnapGearLITE+
On Tuesday, 5. April 2005 16:12, Walentyn wrote:
> patches to give ppp MPPE functionality. From the quoted manual section, it
> seems that it has rudimentary functionality if you compile it yourself. (I
> prefer NOT to roll my own.)

No, DES is enabled by default. The manpage mentions it because the NO_OPENSSL/NOCRYPT switches can turn it off.

--
   ,_,   | Michael Nottebrock               | lofi@freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org