1. Introduction
I have cut the original document down to the sections which still make sense in today's environment.
The original document suggests PPTP armoured with IPSEC. In 2001, when the idea originally came about, this made sense for a lot of applications. This is no longer the case, because the PPTP security fix for MS02-63 made PPTP considerably less stable. While fixing the vulnerability Microsoft obviously „fixed“ something else as well, and PPTP connections between a Windows 2000 or XP client and a FreeBSD system running mpd or poptop started showing frequent stalls and breakage. As a result, the possible applications of this VPN setup became quite limited.
In fact, anyone looking at a VPN solution with Windows clients and a FreeBSD or Linux server should be looking at OpenVPN instead. The only reason why I still have this posted here is that people still come for it from links all over the world despite the fact that it is long obsolete (bloody google). Here are some links to my newer and more actively maintained stuff.
2. Certificate Generation
If you do not have a certificate authority you should set up one. In brief:
Set up the directory structure
setenv SSLHOME /usr/local/openssl/myCA
mkdir -p ${SSLHOME}/certs
mkdir -p ${SSLHOME}/crl
mkdir -p ${SSLHOME}/newcerts
mkdir -p ${SSLHOME}/private
echo "01" > ${SSLHOME}/serial
touch ${SSLHOME}/index.txt
Edit openssl.conf and set all customizations correctly. After that create a CA certificate and export it as pkcs12.
openssl req -new -x509 -keyout ${SSLHOME}/private/CAkey.pem \
    -out ${SSLHOME}/private/CAcert.pem
cd ${SSLHOME}
openssl pkcs12 -export -in private/CAcert.pem \
    -inkey private/CAkey.pem -nokeys -out CA.p12
From there on you need to generate certificates for the server and the clients.
For the server:
cd ${SSLHOME}
openssl req -new -keyout server-key-encrypted.pem \
    -out server.pem -days 360
cat server.pem server-key-encrypted.pem > server-req.pem
openssl ca -policy policy_match -out server-signed.pem -infiles server-req.pem
openssl rsa -in server-key-encrypted.pem -out server-key.pem   # this decrypts the key
For the client:
openssl req -new -keyout user-key.pem -out user.pem -days 360
cat user.pem user-key.pem > user-req.pem
openssl ca -policy policy_match -out user-signed.pem -infiles user-req.pem
openssl pkcs12 -export -in user-signed.pem -inkey user-key.pem \
    -name "User Name Goes Here" -certfile private/CAcert.pem -out user.p12
Note: pkcs12 does not support long passwords; 8 characters is OK, 16 definitely is not.
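The whole of this section as one self-checking script, added here as an example (it is not from the original HOWTO; the subject names, paths, friendly name and the 8-character password are made up for the demo): it creates the directory layout above, writes a minimal openssl.cnf inline in place of the "customizations" the text leaves to the reader, issues a server and a client certificate with openssl ca under policy_match, exports the client as PKCS#12 and verifies the chain with openssl verify. It departs from the commands above in three small ways: the CA certificate gets an explicit -days (openssl req -x509 otherwise defaults to 30 days), keys are generated with -nodes so the decrypting openssl rsa step is unnecessary and nothing prompts, and subjects are passed with -subj instead of interactively.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: a throwaway CA in the HOWTO's
# directory layout, a server and a client certificate issued with "openssl ca"
# under policy_match, the client exported as PKCS#12, and the chain verified.
# All names, paths and the password are constructed for the demo.
set -e

# ca_init DIR: the HOWTO's directory layout, serial and index.txt, plus a
# minimal openssl.cnf written inline (the "customizations" the text mentions).
ca_init() {
    SSLHOME="$1"; export SSLHOME
    mkdir -p "$SSLHOME/certs" "$SSLHOME/crl" "$SSLHOME/newcerts" "$SSLHOME/private"
    echo "01" > "$SSLHOME/serial"
    : > "$SSLHOME/index.txt"
    cat > "$SSLHOME/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
new_certs_dir  = $SSLHOME/newcerts
database       = $SSLHOME/index.txt
serial         = $SSLHOME/serial
certificate    = $SSLHOME/private/CAcert.pem
private_key    = $SSLHOME/private/CAkey.pem
default_days   = 360
default_md     = sha256
policy         = policy_match
unique_subject = no
# policy_match: C, ST and O of every request must equal the CA's own
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
C  = XX
ST = Example
O  = Example VPN
CN = Example VPN CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA certificate. -nodes leaves the key unencrypted so nothing
    # prompts; a real CA key should be passphrase protected and kept offline.
    openssl req -new -x509 -config "$SSLHOME/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 3650 -keyout "$SSLHOME/private/CAkey.pem" \
        -out "$SSLHOME/private/CAcert.pem" 2>/dev/null
}

# issue_cert NAME CN: key + CSR, signed by the CA. The key is written
# unencrypted, which is what racoon's certificate_type directive needs.
issue_cert() {
    openssl req -new -config "$SSLHOME/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=XX/ST=Example/O=Example VPN/CN=$2" \
        -keyout "$SSLHOME/$1-key.pem" -out "$SSLHOME/$1-req.pem" 2>/dev/null
    openssl ca -config "$SSLHOME/openssl.cnf" -batch -notext -policy policy_match \
        -in "$SSLHOME/$1-req.pem" -out "$SSLHOME/$1-signed.pem" 2>/dev/null
}

# verify_cert NAME: prints "<file>: OK" and returns 0 if it chains to the CA.
verify_cert() {
    openssl verify -CAfile "$SSLHOME/private/CAcert.pem" "$SSLHOME/$1-signed.pem"
}

# export_p12 NAME FRIENDLY PASSWORD: bundle for the Windows certificates
# snap-in; per the HOWTO's caveat the password stays at 8 characters.
export_p12() {
    openssl pkcs12 -export -in "$SSLHOME/$1-signed.pem" -inkey "$SSLHOME/$1-key.pem" \
        -name "$2" -certfile "$SSLHOME/private/CAcert.pem" \
        -passout "pass:$3" -out "$SSLHOME/$1.p12"
}

# p12_subject NAME PASSWORD: read the certificate subject back out of the .p12.
p12_subject() {
    openssl pkcs12 -in "$SSLHOME/$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

demo() {
    ca_init "$(mktemp -d)/myCA"
    issue_cert server vpn.example.invalid
    issue_cert user alice
    verify_cert server && verify_cert user
    export_p12 user "alice (vpn client)" vpnuser1
    p12_subject user vpnuser1
}
demo
```

Run as-is it writes everything under a fresh mktemp directory and prints the two "OK" lines and the client subject. For a real CA, point ca_init at the SSLHOME path the HOWTO uses, drop -nodes on the CA key, and keep the private directory mode 0700.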
3. PPTP and IPSEC setup – FreeBSD side
First of all, the server kernel must be rebuilt to support IPSEC. A few other options, like FIREWALL, may also be a good idea. Once it has been rebuilt, mpd needs to be installed from the net section of the ports tree.
The following mpd.conf was valid for mpd circa version 3.14. I have not followed it since, as I have switched to OpenVPN.
default:
    # this is a list of interfaces which will be initialized on startup
    load pptp1
    load pptp2
    load pptp3
    #...repeated many times...
    load pptp127

pptp1:
    new -i ng1 pptp1 pptp1
    load common

pptp2:
    new -i ng2 pptp2 pptp2
    load common
    # ad nauseam ...
    # newer mpd supports better templating, should be possible to be more brief

pptp127:
    new -i ng127 pptp127 pptp127
    load common

common:
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 0
    set bundle disable multilink
    # I have run into sporadic problems with XP on this one.
    # Check if ICMP is OK while running with +/- 50 octets
    # from the MTU
    set link enable acfcomp protocomp
    # if pap shows up there will be no MPPE
    set link no pap chap
    set link enable chap
    set link keep-alive 10 60
    set ipcp yes vjcomp
    # right is remote address
    set ipcp ranges 1.2.3.4/32 2.3.4.5/24
    set ipcp dns 1.2.3.5 1.2.3.6
    set ipcp nbns 1.2.3.5 1.2.3.6
    #
    # The five lines below will enable Microsoft Point-to-Point encryption
    # (MPPE) using the ng_mppc(8) netgraph node type. uncomment if you
    # want to use it
    #set bundle enable compression
    #set ccp yes mppc
    #set ccp yes mpp-e40
    #set ccp yes mpp-e128
    #set ccp yes mpp-stateless
Note that this does not complete the configuration; you also have to fill in the links file, mpd.links, which describes which links use which addresses.
pptp1:
    set link type pptp
    set pptp self 3.4.5.6
    set pptp enable incoming
    set pptp disable originate

pptp2:
    set link type pptp
    # Important Caveat as of up to 3.14 !!!
    # if the address here is different from above MPD will not scan to
    # this address when establishing a connection!!! First free link is
    # used regardless of the address so if you want to have 3.4.5.6 for
    # MPPE enabled traffic and 3.4.5.7 for normal traffic you are out of luck
    # it is on the wishlist and one day the feature may be there.
    set pptp self 3.4.5.6
    set pptp enable incoming
    set pptp disable originate

#...repeated many times...

pptp127:
    set link type pptp
    set pptp self 3.4.5.6
    set pptp enable incoming
    set pptp disable originate
It is a good idea to test the PPTP server setup before proceeding. Once PPTP works, it is necessary to set up IPSEC. In /etc/ipsec.conf:
spdadd 3.4.5.6/32 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 3.4.5.6/32 gre -P in ipsec esp/transport//require;
spdadd 3.4.5.6/32[1723] 0.0.0.0/0 tcp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 3.4.5.6/32[1723] tcp -P in ipsec esp/transport//require;
In order to perform IKE, FreeBSD needs to run an IKE daemon, racoon, which should be compiled from ports/security. Its configuration is fairly simple as well:
remote anonymous {
    exchange_mode main, base;   # people using aggressive should be beaten with sticks
    passive on;
    certificate_type x509 "server-signed.pem" "server-key.pem";   # key must be decrypted
    my_identifier asn1dn;
    verify_cert on;
    proposal_check obey;   # generally a good idea. BSD is adaptable, other systems are not
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm 3des, des;   # windows does not support anything better anyway
    authentication_algorithm non_auth, hmac_sha1;
    # if any clients are coming from across NAT leave this as
    # non_auth only and remove tcp/1723 from the policy above
    compression_algorithm deflate;
}
This completes the server setup.
4. Windows Client Setup
From the Windows start menu run „mmc“. Add the following snap-ins: Certificates and IPSEC. For the Certificates snap-in, select the local computer as the management target.
Using the Certificates snap-in, import the CA certificate under Trusted Root Certification Authorities and the user certificate under Personal.
Using the IPSEC snapin configure the following policy:
- One access list for all traffic going to the IP address of the BSD VPN Gateway.
- All traffic requires IPSec and is authenticated using a certificate. From the list of authorities choose yours.
- Disable or remove all other rules and enable the policy.
4.1 Notes
Once again IMO this is obsolete. Its only advantage versus OpenVPN is the speed.
OpenVPN performs a considerable number of context switches. It also has to copy each packet between userland and the kernel more than once. As a result, its throughput for a single client is limited to around 5-10Mbit. This can be improved by setting PREEMPT and raising HZ into the crazy 2500+ zone. Even in that case it is still slower per single client than IPSEC. While this is a deficiency for a single-user connection, it is an advantage for a multiuser gateway, because it is never starved of CPU regardless of the client connection speeds.
Compared to that PPTP armoured with IPSEC is considerably faster – up to 25-40Mbit for a single client. This may be handy for securing something like a 802.11g+ wireless LAN for a few users. It scales worse and is considerably harder to support as an end-user service for multiple users.
The article is taken from http://www.sigsegv.cx/FreeBSD-WIN2K-VPN-HOWTO-revised.html