1. Introduction

I have cut down the original old document down to the sections which still make sense in today’s environment.

The original document suggests PPTP armoured with IPSEC. In 2001 when the idea originally came about this made sense for a lot of applications. This is no longer the case because the PPTP security fix for MS02-63 made PPTP considerably less stable. While fixing the vulnerability Microsoft obviously „fixed“ something else as well and PPTP connections between a Windows 2000 or XP and FreeBSD system running mpd or poptop started showing frequent stalls and breakage. As a result, the possible applications using this VPN setup became quite limited.

In fact, anyone looking at a VPN solution with Windows clients and a FreeBSD or Linux server should be looking at OpenVPN instead. The only reason why I still have this posted here is that people still come for it from links all over the world despite the fact that it is long obsolete (bloody google). Here are some links to my newer and more actively maintained stuff.

2. Certificate Generation

If you do not have a certificate authority you should set up one. In brief:

Set up the directory structure

setenv SSLHOME /usr/local/openssl/myCA
mkdir ${SSLHOME}/certs 
mkdir ${SSLHOME}/crl 
mkdir ${SSLHOME}/newcerts 
mkdir ${SSLHOME}/private 
echo "01" > ${SSLHOME}/serial 
touch ${SSLHOME}/index.txt

Edit openssl.conf and set all customizations correctly. After that create a CA certificate and export it as pkcs12.

openssl req -new -x509 -keyout ${SSLHOME}/private/CAkey.pem \
   -out ${SSLHOME}/private/CAcert.pem
cd ${SSLHOME} 
openssl pkcs12 -export -in private/CAcert.pem \
   -inkey private/CAkey.pem -nokeys -out CA.p12

From there on you need to generate certificates for the server and the clients.

For the server:

cd ${SSLHOME} 
openssl req -new -keyout server-key-encrypted.pem \
 -out server.pem -days 360 
cat server.pem server-key-encrypted.pem > server-req.pem  
openssl ca -policy policy_match -out server-signed.pem -infiles server-req.pem 
openssl rsa -in server-key-encrypted.pem -out server-key.pem # this decrypts the key

For the client:

openssl req -new -keyout user-key.pem -out user.pem -days 360
cat user.pem user-key.pem > user-req.pem  
openssl ca -policy policy_match -out user-signed.pem -infiles user-req.pem  
openssl pkcs12 -export -in user-signed.pem -inkey user-key.pem \
 -name "User Name Goes Here" -certfile private/CAcert.pem -out user.p12

Note – pkcs12 does not support long password lengths. 8 is OK. 16 definitely is not.

3. PPTP and IPSEC setup – FreeBSD side

First of all the server kernel must be rebuilt to support IPSEC. A few other options like FIREWALL may also be a good idea. Once it has been rebuilt mpd needs to be installed from the network section of ports.

This was valid for MPD circa version 3.14. I have not followed it since as I have switched to OpenVPN.

default: # this is a list of interfaces which will be initialized on startup
  load pptp1
  load pptp2
  load pptp3
  #...repeated many times...
  load pptp127
    new -i ng1 pptp1 pptp1
    load common 
    new -i ng2 pptp2 pptp2
    load common
  # ad naseum ...
  # newer mpd supports better templating, should be posssible to be more brief
    new -i ng127 pptp127 pptp127
load common
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 0
    set bundle disable multilink # I have run into sporadic problems with XP on this one. 
    # Check if ICMP is OK while running witing +/- 50 octets 
    # from the MTU
    set link enable acfcomp protocomp 
    # if pap shows up there will be no MPPE
    set link no pap chap 
    set link enable chap
    set link keep-alive 10 60
    set ipcp yes vjcomp
    # right is remote address
    set ipcp ranges
    set ipcp dns
    set ipcp nbns
    # The five lines below will enable Microsoft Point-to-Point encryption
    # (MPPE) using the ng_mppc(8) netgraph node type. uncomment if you
    # want to use it
    #set bundle enable compression
    #set ccp yes mppc
    #set ccp yes mpp-e40
    #set ccp yes mpp-e128
    #set ccp yes mpp-stateless

Note that this does not complete the configuration, you also have to complete the links file mpd.links which describes which links use which addresses.

  set link type pptp
  set pptp self
  set pptp enable incoming
  set pptp disable originate
  set link type pptp
  # Important Caveat as of up to 3.14 !!!
  # if the address here is different from above MPD will not scan to
  # this address when establishing a connection!!! First free link is
  # used regardless of the address so if you want to have for
  # MPPE enabled traffic and for normal traffic you are out of luck
  # it is on the wishlist and one day the feature may be there.
  set pptp
  set pptp enable incoming
  set pptp disable originate
  #...repeated many times...
  set link type pptp 
  set pptp self
  set pptp enable incoming
  set pptp disable originate

It is a good idea to test the PPTP server setup before proceding. Once PPTP works it is necessary to setup IPSEC. In /etc/ipsec.conf

spdadd gre -P out ipsec esp/transport//require;
spdadd gre -P in ipsec esp/transport//require;
spdadd[1723] tcp -P out ipsec esp/transport//require;
spdadd[1723] tcp -P in ipsec esp/transport//require;

In order to perform IKE FreeBSD needs to run an IKE daemon – racoon. It should be compiled from ports/security. The configuration for it is fairly simple as well.

remote anonymous  { 
   exchange_mode main, base; # people using aggressive should be beaten with sticks
   passive on; 
   certificate_type x509 "server-signed.pem" "server-key.pem"; # key must be decrypted
   my_identifier asn1dn; 
   verify_cert on;
   proposal_check obey; # generally a good idea. BSD is adaptable, other systems are not
   proposal { 
     encryption_algorithm 3des; 
     hash_algorithm md5 ; 
     authentication_method rsasig ; 
     dh_group 2 ; 
sainfo anonymous {
   encryption_algorithm 3des, des ; # windows does not support anything better anyway
   authentication_algorithm non_auth, hmac_sha1; 
   # if any clients are coming from across NAT leave this as 
   # non_auth only and remove tcp/1723 from the policy above
   compression_algorithm deflate;  

This completes the server setup.

4. Windows Client Setup

From the windows start menu run „mmc“. Add the following snap-ins certificates and IPSEC. For the certificates snap-in select local computer as the management target.

Using the certificate snap-in import the CA certificate under Trusted Root Certification authorities. Import the user certificate under Personal.

Using the IPSEC snapin configure the following policy:

  • One access list for all traffic going to the IP address of the BSD VPN Gateway.
  • All traffic requires IPSec and is authenticated using a certificate. From the list of authorities choose yours.
  • Disable or remove all other rules and enable the policy.

4.1 Notes

Once again IMO this is obsolete. Its only advantage versus OpenVPN is the speed.

OpenVPN performs a considerable number of context switches. It also has to copy the packet between userland and the kernel more than once. As a result its speed for a single client is limited to around 5-10Mbit. This can be improved by setting PREEMPT and raising HZ into the crazy 2500+ zone. Even in that case it is still slower per single client than IPSEC. While this is a defficiency for a single user connection, it is an advantage for a multiuser gateway because it is never starved on CPU regardless of the client connection speeds.

Compared to that PPTP armoured with IPSEC is considerably faster – up to 25-40Mbit for a single client. This may be handy for securing something like a 802.11g+ wireless LAN for a few users. It scales worse and is considerably harder to support as an end-user service for multiple users.

Статията е взета от

Вашият коментар

Този сайт използва Akismet за намаляване на спама. Научете как се обработват данните ви за коментари.