
PPTP

http://doc.pfsense.org/index.php/VPN_Capability_PPTP This document covers the configuration of a PPTP VPN, including how to connect a Windows XP client to a pfSense VPN server over PPTP.

Subnetting and VLAN routing


First, decide which public IP address you want to use to terminate the PPTP connection. For simplicity, no redirection is used. Check the "Enable PPTP server" option, and configure an IP address of the firewall in the "Server address" field. This IP will be used as the server side of the point-to-point link. The remote address range defines the range of IP addresses that will be assigned to PPTP clients. The /28 subnet mask creates a subnet with 14 usable addresses (plus one for the network address and one more for the broadcast address). In the example, we define a subnet with the following characteristics:

Network:   192.168.1.208/28  11000000.10101000.00000001.1101 0000
HostMin:   192.168.1.209     11000000.10101000.00000001.1101 0001
HostMax:   192.168.1.222     11000000.10101000.00000001.1101 1110
Broadcast: 192.168.1.223     11000000.10101000.00000001.1101 1111

In the PPTP VPN example we chose a subnet inside the LAN, but outside the range of IPs used by servers and other network equipment. This simplifies the configuration of rules. Note that because you can define rules based on the pptp interface, this isn't strictly required. Check the 'require 128bit encryption' option to enable the mppe-128 we'll use from the WinXP VPN client. Again for the sake of simplicity I have left the RADIUS options unchecked. If you have an enterprise AAA server, or a ghetto-tech freeradius server you can utilize it here.

PPTP User setup


Now create usernames and passwords for your PPTP VPN users. If you specify an IP address in the IP address field, make sure the address is within the range you've specified in the Subnetting and VLAN routing section. Hard-coding an IP address for a particular user is good if you want to restrict access to particular resources by user, rather than by the PPTP interface itself.
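The subnet arithmetic from the Subnetting section and the per-user address check from this section, as an added example that is not part of the original document. It reproduces the page's /28 table (including the dotted-binary rendering), verifies that the remote range sits inside the LAN and avoids reserved addresses, and validates a hard-coded user IP against the range. The LAN prefix 192.168.1.0/24 and the RESERVED set are constructed assumptions; the page itself only names 192.168.1.254 (LAN interface) and 192.168.1.1 (a LAN host).

```python
import ipaddress

# PPTP remote address range from the page's worked example.
PPTP_POOL = ipaddress.ip_network("192.168.1.208/28")
# Constructed assumptions: the LAN the pool sits inside, and a stand-in for
# "servers and other network equipment" the pool must not overlap.
LAN = ipaddress.ip_network("192.168.1.0/24")
RESERVED = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.168.1.254")}


def describe_pool(pool):
    """Network, first/last usable host and broadcast, as in the page's table."""
    hosts = list(pool.hosts())
    return {
        "network": str(pool.network_address),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
        "broadcast": str(pool.broadcast_address),
        "usable": len(hosts),
    }


def dotted_binary(addr, prefixlen):
    """Dotted-binary rendering with a space at the network/host boundary."""
    bits = format(int(ipaddress.ip_address(addr)), "032b")
    out = []
    for i, b in enumerate(bits):
        if i and i % 8 == 0:
            out.append(".")
        elif i == prefixlen:
            out.append(" ")
        out.append(b)
    return "".join(out)


def pool_fits_lan(pool, lan, reserved):
    """The pool must lie inside the LAN and avoid every reserved address."""
    return pool.subnet_of(lan) and not any(ip in pool for ip in reserved)


def check_user_ip(addr, pool=PPTP_POOL):
    """A hard-coded per-user IP must be a usable host inside the remote range."""
    ip = ipaddress.ip_address(addr)
    return ip in pool and ip not in (pool.network_address, pool.broadcast_address)


if __name__ == "__main__":
    info = describe_pool(PPTP_POOL)
    for name in ("network", "hostmin", "hostmax", "broadcast"):
        print(f"{name:>9}: {info[name]:<16} {dotted_binary(info[name], PPTP_POOL.prefixlen)}")
    print("pool fits LAN:", pool_fits_lan(PPTP_POOL, LAN, RESERVED))
```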

PPTP Firewall rules


Now go into the firewall rules section and select the PPTP interface. Note that you do not need to manually create the rules required to allow PPTP itself to function. (pfSense automagically creates the following rules to allow GRE and TCP/1723 to pass inbound to your PPTP termination point):

pass quick proto gre all keep state label "allow gre pptpd"
pass quick proto tcp from any to any port = pptp keep state label "allow pptpd 127.0.0.1"

Note that if you want to manually restrict the PPTP service to only be available from particular subnets or IP addresses you'll need to do it outside the GUI. <fixme: how are implied and/or automatic rules handled? where do we modify them?> Now, what we do need to do is create some rules to allow the PPTP users to access the resources they need. In my example I have added (liberal) rules to allow all traffic from the PPTP interface to the LAN and DMZ subnets. Note that the picky amongst us can further restrict the protocol, source and destination parameters as required.

Configuring the PPTP client under Windows XP


Start --> Control Panel --> Network Connections
File --> New Connection --> Next
Connect to the network at my workplace --> Next
Select VPN connection --> Next
Enter descriptive name for connection --> Next
Do not dial the initial connection --> Next
Enter hostname or PUBLIC IP address of the PPTP server --> Next
Note that in this example the IP here is RFC1918 private, however that's only because in my lab environment the WAN IP is on a private segment.
Select do not use smart card --> Next
<Fixme: we should support PKI based auth for PPTP VPN at some point>
Click on Finish

That is all that is required. Now, if you will be accessing resources on the VPN network that are not directly connected to the firewall itself, you will probably want to skip this step. If you do skip this step when you connect to the PPTP server, your default gateway for ALL traffic will be via the PPTP VPN. With the current ruleset I've created in this example, this means that you will be unable to reach any resources outside the LAN or DMZ subnets. To remedy the situation:

Click on Properties
Click on Networking --> Internet Protocol Properties --> Advanced
Uncheck use default gateway on remote network
Click OK, OK, OK

Now enter your username and password (configured during the PPTP User Setup process) and click on Connect. You should get Connecting --> Verifying username & password --> Authenticated.

Now right click on the tray icon for the VPN connection --> Properties --> Details. Ensure that we are using MSCHAP v2 and MPPE 128.

Now attempt to ping the LAN interface of the firewall:

Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64

Now attempt to ping a host on the LAN segment (note this requires that the rules for the PPTP interface are configured per my example).
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=2ms TTL=254
Reply from 192.168.1.1: bytes=32 time=1ms TTL=254
