Radius MS-CHAP2 problem...

toma812
Posts: 6
Joined: Wed Nov 05, 2008 1:58 pm

Radius MS-CHAP2 problem...

Post by toma812 »

Basically, the problem is this: I'm running mpd5...... Radius 1.x .... abills

When trying to connect to the VPN from a Windows machine, authorization does not go through, and in the mpd logs I find the following line

#################
billing mpd: [L-2] RADIUS: RadiusGetParams: PANIC no MS-CHAPv2 response received
#################
(OS: FreeBSD 6.3)


RADIUS debug:##############
rad_recv: Access-Request packet from host 127.0.0.1:57473, id=118, length=186
        NAS-Identifier = "billing.voisnet"
        NAS-IP-Address = 127.0.0.1
        Message-Authenticator = 0xe599c62ecdafd81914dfa19d32ae19ba
        NAS-Port = 2
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "10.230.0.5"
        User-Name = "admin"
        MS-CHAP-Challenge = 0xbb1e68b541f425d340e298c0d873517b
        MS-CHAP2-Response = 0x010047f64d2f7bcea726236ded017823d31a0000000000000000d2ddc0589d7bc9d2059f71760036af1666e125daaaee9bec
Exec-Program-Wait: value-pairs: User-Password == "admin1"
Exec-Program: returned: 0
Exec-Program: empty command line.
Exec-Program: returned: 0
rad_recv: Access-Request packet from host 127.0.0.1:57473, id=118, length=186
Sending Access-Reject of id 118 to 127.0.0.1 port 57473
####################################


Log MPD5##############################
 
Nov  7 21:08:43 billing mpd: [L-2] Accepting PPTP connection
Nov  7 21:08:43 billing mpd: [L-2] link: OPEN event
Nov  7 21:08:43 billing mpd: [L-2] LCP: Open event
Nov  7 21:08:43 billing mpd: [L-2] LCP: state change Initial --> Starting
Nov  7 21:08:43 billing mpd: [L-2] LCP: LayerStart
Nov  7 21:08:43 billing mpd: [L-2] PPTP: attaching to peer's outgoing call
Nov  7 21:08:43 billing mpd: [L-2] link: UP event
Nov  7 21:08:43 billing mpd: [L-2] link: origination is remote
Nov  7 21:08:43 billing mpd: [L-2] LCP: Up event
Nov  7 21:08:43 billing mpd: [L-2] LCP: state change Starting --> Req-Sent
Nov  7 21:08:43 billing mpd: [L-2] LCP: SendConfigReq #1
Nov  7 21:08:43 billing mpd:  ACFCOMP
Nov  7 21:08:43 billing mpd:  PROTOCOMP
Nov  7 21:08:43 billing mpd:  MRU 1500
Nov  7 21:08:43 billing mpd:  MAGICNUM 879a13ec
Nov  7 21:08:43 billing mpd:  AUTHPROTO CHAP MSOFTv2
Nov  7 21:08:43 billing mpd:  MP MRRU 1600
Nov  7 21:08:43 billing mpd:  ENDPOINTDISC [802.1] 00 02 44 bf 75 23
Nov  7 21:08:43 billing mpd: [L-2] LCP: rec'd Configure Request #0 (Req-Sent)
Nov  7 21:08:43 billing mpd:  MRU 1400
Nov  7 21:08:43 billing mpd:  MAGICNUM 458d3345
Nov  7 21:08:43 billing mpd:  PROTOCOMP
Nov  7 21:08:43 billing mpd:  ACFCOMP
Nov  7 21:08:43 billing mpd:  CALLBACK 6
Nov  7 21:08:43 billing mpd: [L-2] LCP: SendConfigRej #0
Nov  7 21:08:43 billing mpd:  CALLBACK 6
Nov  7 21:08:43 billing mpd: [L-2] LCP: rec'd Configure Request #1 (Req-Sent)
Nov  7 21:08:43 billing mpd:  MRU 1400
Nov  7 21:08:43 billing mpd:  MAGICNUM 458d3345
Nov  7 21:08:43 billing mpd:  PROTOCOMP
Nov  7 21:08:43 billing mpd:  ACFCOMP
Nov  7 21:08:43 billing mpd: [L-2] LCP: SendConfigAck #1
Nov  7 21:08:43 billing mpd:  MRU 1400
Nov  7 21:08:43 billing mpd:  MAGICNUM 458d3345
Nov  7 21:08:43 billing mpd:  PROTOCOMP
Nov  7 21:08:43 billing mpd:  ACFCOMP
Nov  7 21:08:43 billing mpd: [L-2] LCP: state change Req-Sent --> Ack-Sent
Nov  7 21:08:45 billing mpd: [L-2] LCP: SendConfigReq #2
Nov  7 21:08:45 billing mpd:  ACFCOMP
Nov  7 21:08:45 billing mpd:  PROTOCOMP
Nov  7 21:08:45 billing mpd:  MRU 1500
Nov  7 21:08:45 billing mpd:  MAGICNUM 879a13ec
Nov  7 21:08:45 billing mpd:  AUTHPROTO CHAP MSOFTv2
Nov  7 21:08:45 billing mpd:  MP MRRU 1600
Nov  7 21:08:45 billing mpd:  ENDPOINTDISC [802.1] 00 02 44 bf 75 23
Nov  7 21:08:45 billing mpd: [L-2] LCP: rec'd Configure Reject #2 (Ack-Sent)
Nov  7 21:08:45 billing mpd:  MP MRRU 1600
Nov  7 21:08:45 billing mpd:  ENDPOINTDISC [802.1] 00 02 44 bf 75 23
Nov  7 21:08:45 billing mpd: [L-2] LCP: SendConfigReq #3
Nov  7 21:08:45 billing mpd:  ACFCOMP
Nov  7 21:08:45 billing mpd:  PROTOCOMP
Nov  7 21:08:45 billing mpd:  MRU 1500
Nov  7 21:08:45 billing mpd:  MAGICNUM 879a13ec
Nov  7 21:08:45 billing mpd:  AUTHPROTO CHAP MSOFTv2
Nov  7 21:08:45 billing mpd: [L-2] LCP: rec'd Configure Ack #3 (Ack-Sent)
Nov  7 21:08:45 billing mpd:  ACFCOMP
Nov  7 21:08:45 billing mpd:  PROTOCOMP
Nov  7 21:08:45 billing mpd:  MRU 1500
Nov  7 21:08:45 billing mpd:  MAGICNUM 879a13ec
Nov  7 21:08:45 billing mpd:  AUTHPROTO CHAP MSOFTv2
Nov  7 21:08:45 billing mpd: [L-2] LCP: state change Ack-Sent --> Opened
Nov  7 21:08:45 billing mpd: [L-2] LCP: auth: peer wants nothing, I want CHAP
Nov  7 21:08:45 billing mpd: [L-2] CHAP: sending CHALLENGE len:17
Nov  7 21:08:45 billing mpd: [L-2] LCP: LayerUp
Nov  7 21:08:45 billing mpd: [L-2] LCP: rec'd Ident #2 (Opened)
Nov  7 21:08:45 billing mpd: [L-2] LCP: rec'd Ident #3 (Opened)
Nov  7 21:08:45 billing mpd: [L-2] CHAP: rec'd RESPONSE #1
Nov  7 21:08:45 billing mpd:  Name: "admin"
Nov  7 21:08:45 billing mpd: [L-2] AUTH: Auth-Thread started
Nov  7 21:08:45 billing mpd: [L-2] AUTH: Trying RADIUS
Nov  7 21:08:45 billing mpd: [L-2] RADIUS: RadiusAuthenticate for: admin
Nov  7 21:08:47 billing mpd: [L-2] AUTH: Thread already running, dropping this packet
Nov  7 21:08:55 billing mpd: last message repeated 4 times
Nov  7 21:08:55 billing mpd: [L-2] RADIUS: rec'd RAD_ACCESS_REJECT for user admin
Nov  7 21:08:55 billing mpd: [L-2] RADIUS: RadiusGetParams: PANIC no MS-CHAPv2 response received
Nov  7 21:08:55 billing mpd: [L-2] AUTH: RADIUS returned failed
Nov  7 21:08:55 billing mpd: [L-2] AUTH: Trying INTERNAL
Nov  7 21:08:55 billing mpd: OpenConfFile: Can't open file '/usr/local/etc/mpd5/mpd.secret': No such file or directory
Nov  7 21:08:55 billing mpd: AUTH: User "admin" not found in secret file
Nov  7 21:08:55 billing mpd: [L-2] AUTH: INTERNAL returned failed
Nov  7 21:08:55 billing mpd: [L-2] AUTH: ran out of backends
Nov  7 21:08:55 billing mpd: [L-2] AUTH: Auth-Thread finished normally
Nov  7 21:08:55 billing mpd: [L-2] CHAP: ChapInputFinish: status failed
Nov  7 21:08:55 billing mpd:  Reply message: E=691 R=0 M=Login incorrect
Nov  7 21:08:55 billing mpd: [L-2] CHAP: sending FAILURE len:27
Nov  7 21:08:55 billing mpd: [L-2] LCP: authorization failed
Nov  7 21:08:55 billing mpd: [L-2] LCP: parameter negotiation failed
Nov  7 21:08:55 billing mpd: [L-2] LCP: state change Opened --> Stopping
Nov  7 21:08:55 billing mpd: [L-2] AUTH: Cleanup
Nov  7 21:08:55 billing mpd: [L-2] LCP: SendTerminateReq #4
Nov  7 21:08:55 billing mpd: [L-2] LCP: LayerDown
Nov  7 21:08:55 billing mpd: [L-2] LCP: rec'd Terminate Ack #4 (Stopping)
Nov  7 21:08:55 billing mpd: [L-2] LCP: state change Stopping --> Stopped
Nov  7 21:08:55 billing mpd: [L-2] LCP: LayerFinish
Nov  7 21:08:55 billing mpd: [L-2] PPTP call terminated
Nov  7 21:08:55 billing mpd: [L-2] link: DOWN event
Nov  7 21:08:55 billing mpd: [L-2] LCP: Close event
Nov  7 21:08:55 billing mpd: [L-2] LCP: state change Stopped --> Closed
Nov  7 21:08:55 billing mpd: [L-2] LCP: Down event
Nov  7 21:08:55 billing mpd: [L-2] LCP: state change Closed --> Initial
Nov  7 21:08:55 billing mpd: [L-2] link: SHUTDOWN event
#####################################






RADIUS config##############

# FreeRADIUS Version 1.1.5, for host i386-portbld-freebsd6.2
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log

libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody
#group = nobody

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 2048
bind_address = *
port = 0

#listen {
	#  IP address on which to listen.
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	#       wildcard    (*)
#	ipaddr = *

	#  Port on which to listen.
	#  Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"
#	port = 0

	#  Type of packets to listen for.
	#  Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#
#	type = auth
#}


hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

proxy_requests  = no
#$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp	= no
#$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 5

	#  Limit on the total number of servers running.
	#
	#  If this limit is ever reached, clients will be LOCKED OUT, so it
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
	#  keep a runaway server from taking the system with it as it spirals
	#  down...
	#
	#  You may find that the server is regularly reaching the
	#  'max_servers' number of threads, and that increasing
	#  'max_servers' doesn't seem to make much difference.
	#
	#  If this is the case, then the problem is MOST LIKELY that
	#  your back-end databases are taking too long to respond, and
	#  are preventing the server from responding in a timely manner.
	#
	#  The solution is NOT to keep increasing the 'max_servers'
	#  value, but instead to fix the underlying cause of the
	#  problem: slow database, or 'hostname_lookups=yes'.
	#
	#  For more information, see 'max_request_time', above.
	#
	max_servers = 32

	#  Server-pool size regulation.  Rather than making you guess
	#  how many servers you need, FreeRADIUS dynamically adapts to
	#  the load it sees, that is, it tries to maintain enough
	#  servers to handle the current load, plus a few spare
	#  servers to handle transient load spikes.
	#
	#  It does this by periodically checking how many servers are
	#  waiting for a request.  If there are fewer than
	#  min_spare_servers, it creates a new spare.  If there are
	#  more than max_spare_servers, some of the spares die off.
	#  The default values are probably OK for most sites.
	#
	min_spare_servers = 3
	max_spare_servers = 10

	#  There may be memory leaks or resource allocation problems with
	#  the server.  If so, set this value to 300 or so, so that the
	#  resources will be cleaned up periodically.
	#
	#  This should only be necessary if there are serious bugs in the
	#  server which have not yet been fixed.
	#
	#  '0' is a special value meaning 'infinity', or 'the servers never
	#  exit'
	max_requests_per_server = 0
}

modules {
	exec pre_auth { 
		wait = yes 
		program = "/usr/abills/libexec/rauth.pl pre_auth" 
		input_pairs = request 
		output_pairs = config 
	}
	exec post_auth {
		wait = yes
		program = "/usr/abills/libexec/rauth.pl post_auth"
		input_pairs = request
		output_pairs = config
        }
	perl {
		module = /usr/abills/libexec/rlm_perl.pl
		func_authorize = authorize
		func_accounting = accounting
		func_authenticate = authenticate
		func_preacct = preacct
		func_checksimul = checksimul
		func_xlat = xlat
	}
	pap {
		auto_header = yes
	}
	chap {
		authtype = CHAP
	}

	pam {

		pam_auth = radiusd
	}


#$INCLUDE ${confdir}/eap.conf

	mschap {
		use_mppe = yes
		require_encryption = yes
		require_strong = yes
		with_ntdomain_hack = no
		ntlm_auth = ""
	}

	checkval {
		# The attribute to look for in the request
		item-name = Calling-Station-Id

		# The attribute to look for in check items. Can be multi valued
		check-name = Calling-Station-Id

		# The data type. Can be
		# string,integer,ipaddr,date,abinary,octets
		data-type = string

		# If set to yes and we dont find the item-name attribute in the
		# request then we send back a reject
		# DEFAULT is no
		#notfound-reject = no
	}
	
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no

		# Cisco (and Quintum in Cisco mode) sends its VSA attributes
		# with the attribute name *again* in the string, like:
		#
		#   H323-Attribute = "h323-attribute=value".
		#
		# If this configuration item is set to 'yes', then
		# the redundant data in the attribute text is stripped
		# out.  The result is:
		#
		#  H323-Attribute = "value"
		#
		# If you're not running a Cisco or Quintum NAS, you don't
		# need this hack.
		with_cisco_vsa_hack = no
	}

	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
#		preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}

	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
		#suppress {
			# User-Password
		#}
	}

	# detail auth_log {
		# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

		#
		#  This MUST be 0600, otherwise anyone can read
		#  the users passwords!
		# detailperm = 0600
	# }
	# detail reply_log {
		# detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

		#
		#  This MUST be 0600, otherwise anyone can read
		#  the users passwords!
		# detailperm = 0600
	# }

	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	attr_filter {
		attrsfile = ${confdir}/attrs
	}

	expr {
	}

	exec {
		wait = yes
		input_pairs = request
	}

}

instantiate {
	exec
	expr
}

authorize {
	preprocess
#Use if 'files' mode and mschap auth
	pre_auth
	chap
	mschap
	#eap
# don't use simultaneously 'perl' and files  
#	perl
	files
}


authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
# don't use simultaneously 'perl' and files
#       perl
	#eap
}


preacct {
	preprocess
	acct_unique
	files
}

accounting {
# don't use simultaneously 'perl' and files
#       perl
	detail
}

session {
#	radutmp
#	sql
}


post-auth {
	Post-Auth-Type REJECT {
# don't use simultaneously 'perl' and files
#		perl
		post_auth	
	}

}
##################################


And finally
#################################################################
#
#	MPD configuration file
#
# This file defines the configuration for mpd: what the
# bundles are, what the links are in those bundles, how
# the interface should be configured, various PPP parameters,
# etc. It contains commands just as you would type them
# in at the console. Lines without padding are labels. Lines
# starting with a "#" are comments.
#
# $Id: mpd.conf.sample,v 1.41 2007/10/05 17:42:52 amotin Exp $
#
#################################################################

startup:
	# configure the console
	set console self 127.0.0.1 5005
	set console user foo bar
	set console user foo1 bar1
	set console open
	# configure the web server
	set web self 0.0.0.0 5006
	set web user foo bar
	set web open
	set user admin admin admin
	set netflow peer 127.0.0.1 9996
 	set netflow self 127.0.0.1 9990
 	set netflow timeouts 15 15
 	set netflow hook 9000

#
# Default configuration is "dialup"

default:
	load dialup
	load pptp_server

dialup:
#
# Example of a simple PPP dialup account using modem device.
# This will connect whenever there is outgoing demand (DoD), and hangup
# after a 15 minute idle time. It also connects and disconnects
# when signals SIGUSR1 and SIGUSR2 are received, respectively.
#
# Note the "set iface addrs ..." is needed because we're doing
# dial-on-demand and therefore can't wait for the peer to assign
# us IP addresses for the interface. These can be completely phoney
# IP addresses.
#
# We also enable the idle-script "Ringback", which means if we're
# not connected and we detect an incoming call, we don't answer it
# BUT we do initiate a call to the ISP to get connected. This is
# nice to connect yourself when you're away from home, etc.
#

# Create static modem link named L1
	create link static L1 modem
# Configure modem
	set modem device /dev/cuad0
	set modem var $DialPrefix "DT"
	set modem var $Telephone "1-415-555-1212"
	set modem script DialPeer
	set modem idle-script Ringback
# We expect to be authenticated by peer using any protocol.
	set link disable chap pap
	set link accept chap pap
# Configure the account name. Password will be taken from mpd.secret.
	set auth authname MyLogin
# To make Ringback work we should specify how to handle "incoming"
# calls originated by it.
	set link action bundle B1
	set link enable incoming

# Create static bundle named B1
	create bundle static B1
# Enumerate links participating in DoD
	set bundle links L1
# Configure the interface: dial on demand, default route, idle timeout.
	set iface addrs 1.1.1.1 2.2.2.2
	set iface route default
	set iface enable on-demand
	set iface idle 900

# "Open" interface (but don't actually dial until there's demand)
	open iface

dialin:
#
# This setup answers incoming calls from a remote peer,
# but is not intended for dialing out.
#
# The local IP address is 1.1.1.1 and the remote is 2.2.2.2.
#

	create bundle static B1
	set iface idle 900
	set ipcp ranges 1.1.1.1/32 2.2.2.2/32

	create link static L1 modem
# Set bundle to use
	set link action bundle B1
# Authenticate peer with chap-md5
	set link no chap pap eap
	set link enable chap-md5
# Configure modem
	set modem device /dev/cuad0
	set modem var $DialPrefix "DT"
	set modem idle-script AnswerCall
# Permit incoming calls using this link
	set link enable incoming

multi_dialup:
#
# Example of a multi-link dialup setup, using links "usr1" and "usr2"
# Similar to the first example, but uses two links together, and
# does not do dial-on-demand.
#

# Create clonable bundle template
	create bundle template B
	set iface route default
	set iface idle 900

# Create links and open them
	create link static L1 modem
	load common
	set modem device /dev/cuad0
	open

	create link static L2 modem
	load common
	set modem device /dev/cuad1
	open

common:
# Enable multilink protocol
	set link enable multilink
# Set bundle template to use
	set link action bundle B
# Allow peer to authenticate us
	set link disable chap pap
	set link accept chap pap
	set auth authname MyLogin
# Set infinite redial attempts
	set link max-redial 0
	set modem var $DialPrefix "DT"
	set modem var $Telephone "1-415-555-1212"
	set modem script DialPeer

sync:
#
# Dedicated synchronous line using netgraph link.
# The remote router is connected to the 192.168.2.0/24 subnet.
# No authentication required.
#

	create bundle static B1
	set iface route 192.168.2.0/24
	set ipcp ranges 192.168.1.153/32 192.168.2.1/24

	create link static L1 ng
	set link action bundle B1
	set link max-redial 0
	set link no chap pap
	set ng node sr0:
	set ng hook rawdata
	open

pptp_server:
#
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
# machine running mpd is at 192.168.1.1, and also has an externally visible
# IP address of 1.2.3.4.
#
# We want to allow a client to connect to 1.2.3.4 from out on the Internet
# via PPTP.  We will assign that client the address 192.168.1.50 and proxy-ARP
# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
# and 192.168.1.50 remote.  From the client machine's perspective, it will
# appear as if it is actually on the 192.168.1.0/24 network, even though in
# reality it is somewhere far away out on the Internet.
#
# Our DNS server is at 192.168.1.3 and our NBNS (WINS server) is at 192.168.1.4.
# If you don't have an NBNS server, leave that line out.
#

# Define dynamic IP address pool.
	set ippool add pool1 10.230.0.0 10.230.255.255

# Create clonable bundle template named B
	create bundle template B
	set iface enable proxy-arp
	set iface idle 1800
	set iface enable tcpmssfix
	set ipcp yes vjcomp
	set iface enable netflow-in 
 	set iface enable netflow-out
 	set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
	set ipcp ranges 10.220.0.3/16 pool pool1
	set ipcp dns 10.220.0.1
	set ipcp nbns 192.168.1.4
	set bundle enable compression
	set ccp yes mppc
 	set mppc yes e40
 	set mppc yes e128
 	set mppc yes stateless
 	set bundle yes crypt-reqd
 

# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

# Create clonable link template named L
	create link template L pptp
# Multilink adds some overhead, but gives full 1500 MTU.
	set link action bundle B
	set link enable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link yes crypt-reqd

# We can use RADIUS authentication/accounting by including
# another config section with label 'radius'.
#	load radius
	set link keep-alive 10 60
# We reduce the link MTU to avoid GRE packet fragmentation.
	set link mtu 1460
# Configure PPTP
        set pptp self 10.230.0.4
# Allow to accept calls
        set link enable incoming
# You can use radius.conf(5); it's useful, because you can share the
# same config with userland-ppp and other apps.
	#set radius config /etc/radius.conf
# or specify the server directly here
	set radius server 127.0.0.1 radsecret 1812 1813
	set radius retries 3
	set radius timeout 10
# send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
	set radius me 127.0.0.1
# send accounting updates every 5 minutes
	set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
	set auth enable radius-auth
# enable RADIUS accounting
	set auth enable radius-acct
# protect our requests with the message-authenticator
	set radius enable message-authentic

Login failed:PPP authorization failed

pptp_vpn:
#
# Mpd using PPTP for LAN to LAN VPN, always connected.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and another
# remote private Office LAN numbered 192.168.2.0/24, and you wanted to route
# between these two private networks using a PPTP VPN over the Internet.
#
# You run mpd on dual-homed machines on either end. Say the local machine
# has internal address 192.168.1.1 and externally visible address 1.2.3.4,
# and the remote machine has internal address 192.168.2.1 and externally
# visible address 2.3.4.5.
#
# Note: mpd does not support the peer's "inside" IP address being the same
# as its "outside" IP address. In the above example, this means that
# 192.168.2.1 != 2.3.4.5.
#
# The "inside" IP addresses are configured by "set ipcp ranges ..."
# (in mpd.conf) while the "outside" IP addresses are configured by
# "set pptp self ..." and "set pptp peer ...".
#

	create bundle static B1
	set ipcp ranges 192.168.1.1/32 192.168.2.1/32
	set iface route 192.168.2.0/24
# Enable Microsoft Point-to-Point encryption (MPPE)
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set bundle enable crypt-reqd
	set ccp yes mpp-stateless
	
	create link static L1 pptp
	set link action bundle B1
# Enable both sides to authenticate each other with CHAP
	set link no pap
	set link yes chap
	set auth authname "VpnLogin"
	set auth password "VpnPassword"
	set link mtu 1460
	set link keep-alive 10 75
	set link max-redial 0
# Configure PPTP and open link
	set pptp self 1.2.3.4
	set pptp peer 2.3.4.5
	set link enable incoming
	open

pptp_client:
#
# PPTP client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on ISP's end
#

	create bundle static B1
	set iface route default
	set ipcp ranges 0.0.0.0/0 0.0.0.0/0
	
	create link static L1 pptp
	set link action bundle B1
	set auth authname MyLogin
	set auth password MyPass
	set link max-redial 0
	set link mtu 1460
	set link keep-alive 20 75
	set pptp peer 1.2.3.4
	set pptp disable windowing
	open

pppoe_server:
#
# Multihomed multilink PPPoE server
#

# Create clonable bundle template
	create bundle template B
# Set IP addresses. Peer address will be later replaced by RADIUS.
	set ipcp ranges 192.168.0.1/32 127.0.0.2/32

# Create link template with common info
	create link template common pppoe
# Enable multilink protocol
	set link enable multilink
# Set bundle template to use
	set link action bundle B
# Enable peer authentication
	set link disable chap pap eap
	set link enable pap
	load radius
	set pppoe service "superisp"

# Create templates for ifaces to listen using 'common' template and let them go
	create link template fxp0 common
	set pppoe iface fxp0
	set link enable incoming

	create link template fxp1 common
	set pppoe iface fxp1
	set link enable incoming

pppoe_client:
#
# PPPoE client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on ISP's end
#

	create bundle static B1
	set iface route default
	set ipcp ranges 0.0.0.0/0 0.0.0.0/0
	
	create link static L1 pppoe
	set link action bundle B1
	set auth authname MyLogin
	set auth password MyPass
	set link max-redial 0
	set link mtu 1460
	set link keep-alive 10 60
	set pppoe iface fxp0
	set pppoe service ""
	open

radius:
# You can use radius.conf(5); it's useful, because you can share the
# same config with userland-ppp and other apps.
	#set radius config /etc/radius.conf
# or specify the server directly here
	set radius server 127.0.0.1 radsecret 1812 1813
	set radius retries 3
	set radius timeout 10
# send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
	set radius me 127.0.0.1
# send accounting updates every 5 minutes
	set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
	set auth enable radius-auth
# enable RADIUS accounting
	set auth enable radius-acct
# protect our requests with the message-authenticator
	set radius enable message-authentic

simple_lac:
#
# This is a simple L2TP access concentrator which receives PPPoE calls
# and forwards them to LNS on 1.2.3.4
#

	create link template L1 pppoe
	set pppoe iface fxp0
	set link action forward L2
	set link enable incoming
#########################################
The ntlm_auth = "" parameter in the RADIUS settings used to be non-empty (it was something like /path/to/ntlm_auth/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)

I couldn't find any clear information online about this line, especially in combination with MPD



:(

I'd be very grateful if someone could point out what I'm doing wrong :arrow:

P.S. dictionary.microsoft is $INCLUDEd........... I even tried copying its contents into the /raddb/dictionary file

P.P.S. Sorry for the long post :wink:

Many thanks in advance
Last edited by toma812 on Fri Nov 07, 2008 6:49 pm, edited 1 time in total.
unix

lasik
Posts: 983
Joined: Thu Jan 10, 2008 5:20 pm
From: Russia, Moscow

Post by lasik »

Could you give the authorization error number?

What does Windows say, what number does it give?

toma812
Posts: 6
Joined: Wed Nov 05, 2008 1:58 pm

Post by toma812 »

Well, authorization doesn't go through. It says the user name or password is incorrect. I'll check the number now........

The number is 691 (Error 691)
unix
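The RADIUS debug and the mpd log in the first post, together with the error-number exchange that follows, describe a single MS-CHAPv2 round trip. As an added example (not code from the post, nor from mpd5, FreeRADIUS or ABillS), the Python script below parses a radiusd -X transcript constructed from the attributes quoted above, splits the MS-CHAP2-Response attribute into its RFC 2548 fields, decodes the "E=691 R=0 M=Login incorrect" failure string that mpd sent back to the client (RFC 2759), and lists what the NAS needs from the server: an Access-Accept that carries MS-CHAP2-Success. The function names and the trimmed sample transcript are my own; the attribute values come from the quoted logs.

```python
"""Triage for an mpd5 <-> FreeRADIUS MS-CHAPv2 exchange (added example; not
code from the post, mpd5, FreeRADIUS or ABillS). Standard library only."""
import re

# Constructed sample: the attributes quoted in the post, with the duplicate
# (retransmitted) request line and unrelated attributes trimmed.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1:57473, id=118, length=186
        NAS-Identifier = "billing.voisnet"
        User-Name = "admin"
        MS-CHAP-Challenge = 0xbb1e68b541f425d340e298c0d873517b
        MS-CHAP2-Response = 0x010047f64d2f7bcea726236ded017823d31a0000000000000000d2ddc0589d7bc9d2059f71760036af1666e125daaaee9bec
Exec-Program-Wait: value-pairs: User-Password == "admin1"
Exec-Program: returned: 0
Exec-Program: empty command line.
Exec-Program: returned: 0
Sending Access-Reject of id 118 to 127.0.0.1 port 57473
"""

# Indented "Name = value" lines belong to the packet currently being printed.
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.+?)\s*$")
# MS-CHAP Failure string (RFC 2759 s.6): E=<code> R=<retry> [C=<chal>] [V=<ver>] [M=<text>]
FAILURE_RE = re.compile(
    r"E=(\d+)\s+R=([01])(?:\s+C=([0-9A-Fa-f]+))?(?:\s+V=(\d+))?(?:\s+M=(.*))?")


def parse_debug(text):
    """Return request attrs, reply type, reply attrs and helper warnings."""
    out = {"request": {}, "reply": None, "reply_attrs": {}, "warnings": []}
    target = out["request"]
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            target = out["request"]
        elif line.startswith("Sending Access-"):
            out["reply"] = line.split()[1]          # e.g. Access-Reject
            target = out["reply_attrs"]
        elif line.startswith("Exec-Program: empty command line"):
            # The only empty program setting in the posted config is
            # ntlm_auth = "" in the mschap block.
            out["warnings"].append("a helper program was invoked with an empty "
                                   'command line (compare ntlm_auth = "" in mschap)')
        else:
            m = ATTR_RE.match(line)
            if m:
                name, value = m.groups()
                target[name] = value.strip('"')
    return out


def split_mschap2_response(hexval):
    """Split the 50-octet MS-CHAP2-Response (RFC 2548 2.3.2) into its fields."""
    raw = bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
    if len(raw) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 octets, got %d" % len(raw))
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18].hex(),   # 16 octets chosen by the client
        "reserved": raw[18:26].hex(),        # 8 octets, must be zero
        "nt_response": raw[26:50].hex(),     # 24 octets: three DES blocks
    }


def parse_mschap_failure(reply_message):
    """Decode a CHAP Failure string such as 'E=691 R=0 M=Login incorrect'."""
    m = FAILURE_RE.search(reply_message)
    if not m:
        return None
    code, retry, chal, ver, msg = m.groups()
    return {"error": int(code), "retry_allowed": retry == "1",
            "challenge": chal, "version": int(ver) if ver else None,
            "message": msg}


def diagnose(parsed):
    """Findings a NAS operator would check first, in order."""
    findings = []
    req = parsed["request"]
    if "MS-CHAP2-Response" in req and "MS-CHAP-Challenge" in req:
        f = split_mschap2_response(req["MS-CHAP2-Response"])
        findings.append("client used MS-CHAPv2 (ident %d): the client never sends a "
                        "password, so the server must derive the NT hash from a "
                        "cleartext or NT-Password check item to verify the "
                        "24-octet NT-Response" % f["ident"])
    if parsed["reply"] != "Access-Accept":
        findings.append("server replied %s: no MS-CHAP2-Success can follow, so mpd "
                        "fails the link and sends the client a CHAP Failure (E=691 "
                        "in the posted log)" % parsed["reply"])
    elif "MS-CHAP2-Success" not in parsed["reply_attrs"]:
        findings.append("Access-Accept lacks MS-CHAP2-Success: mpd reports 'no "
                        "MS-CHAPv2 response received' and fails the link anyway")
    findings.extend(parsed["warnings"])
    return findings


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for k, v in split_mschap2_response(parsed["request"]["MS-CHAP2-Response"]).items():
        print("%-15s %s" % (k, v))
    for finding in diagnose(parsed):
        print("-", finding)
    print(parse_mschap_failure("E=691 R=0 M=Login incorrect"))
```

Run it against a real radiusd -X capture by replacing SAMPLE_DEBUG; the point of the split is that the server's only job in MS-CHAPv2 is to recompute the NT-Response from its own copy of the password and answer with MS-CHAP2-Success, and the two log lines the script flags (the Access-Reject and the empty command line) are where that chain broke in the posted run.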
