Subject: Re: NetBSD packages for poptop and mppe for testing
To: None <>
From: Scott Ellis <>
List: current-users
Date: 09/30/1999 09:22:41
Speaking of PPTP, has anyone had any success with a PPTP client (either
via ppp + gre, or the 'pptp for linux' software) connecting to an NT Server?

The pptp client (
builds and seems to run w/o incident, but I can't actually get it to connect
properly.  It runs pppd, which then just times out. ;-/


----- Original Message -----
From: "Darrin B. Jewell" <>
To: <>
Cc: "Darrin B. Jewell" <>
Sent: Thursday, September 30, 1999 1:35 AM
Subject: NetBSD packages for poptop and mppe for testing

> I have created two netbsd `packages' for the poptop pptp server and
> microsoft encryption extensions to ppp.  The NetBSD package system
> allows for simple installation and management of third party software
> on the NetBSD operating system.
> I am making them available at:
>  <URL: >
>  <URL: >
> I am subscribed to and
> It is probably more useful to hold discussion in one of those forums than
> it is to send me personal mail, unless you have something that needs to be
> incorporated into the package.
> Please read the notes below.  In particular, note that the MPPE module
> is not ready for production use.
> Enjoy,
> Darrin
> Darrin B. Jewell <>  1999-09-30T04:30:19-0400
> poptop notes:
>  . The poptop package uses the distribution of poptop pretty much out
>    of the box.  The only significant modification was to accept a
>    configure option to allow the use of an alternate pppd than the one
>    shipped with NetBSD.
>  . Setting POPTOP_USE_MPPE=yes in /etc/mk.conf will cause poptop to use
>    the ppp-mppe package to support microsoft point to point encryption.
>  . Your kernel should not be compiled with any gre(4) devices.  Comment
>    out lines like this from your kernel config file:
>     #pseudo-device gre 2 # generic L3 over IP tunnel
>    It might be useful at some point to have pptpd be able to use the built
>    in netbsd gre(4) driver, but at the moment it will just keep them from
>    getting to the pptpd.
> ppp-mppe notes:
>  . This is not yet ready for production use, but does work well enough
>    I could bring up an encrypted connection from an NT client to a NetBSD
>    Still, it is easy to crash.  Feel free to fix.
>  . Provides a replacement pppd and a loadable kernel module (lkm)
>      which provides the mppe encryption.  Alternately, it could be
>      into the kernel if you know what you are doing and don't want to use a lkm.
>  . It is based on the linux mppe ppp patches available from the poptop web
>  . It uses ppp-2.3.9 and openssl-0.9.2b
>  . STAC LZS compression is not included.
>  . I test it on a netbsd-1.4.1 server with an NT client, but it should
>       on -current as well.  I don't really use it myself, which is one
>       reason that I'm making it available even though it isn't really
>  . In order to use 128 bit encryption, you probably need to increase the
>      value of CCP_MAX_OPTION_LENGTH from 32 (64 is a good value, but 35
>      should be minimal) in /sys/net/ppp-comp.h and rebuild
>      your kernel.  Otherwise, there isn't enough room to transfer the keys
>      from the pppd to the kernel module.
>  . Your kernel config file should have at least these:
>      options PPP_FILTER # Active filter support for PPP (requires bpf)
>      pseudo-device ppp 2 # Point-to-Point Protocol
>  . The lkm pretty much misuses the ppp compression/decompression hooks
>      to perform its encryption.  This creates a few bugs, some of which
>      security related.  Know that MPPE is not particularly secure.
>  . Doesn't deal correctly with the ppp mtu because MPPE expands the packet
>  . Is easy to crash.  It doesn't successfully recover from lost packets
>      or decryption failure.  I can immediately cause it to hang
>      by doing a `ping -s 50000 -c 1 remote-ip'.  Fixes are appreciated,
>      I cannot guarantee that I will address problems myself.
>  . Lacks documentation.  UTSL.
>  . The patches provided in the package are roughly divided into these
>      patch-a* -- sync ppp-2.3.9 to netbsd-current
>      patch-b* -- add mppe to ppp-2.3.9
>      patch-c* -- creates a lkm for mppe that works with the ppp already in
>                   the kernel.
>      patch-d* -- misc tweaks to deal with various netbsd kernel versions,
>                   compiling as a package, and a non-function ppp lkm.
>                   (See source for details.)
>  . requires the kernel source to be present to compile.  This is due to
>      the issues discussed in netbsd PR 5377.
>  . Makes a gross assumption about an internal structure in the pcap
>      to do ppp filtering.  This allows the package to build without the
>      complete netbsd source code tree online.
> References:
>   NetBSD:
>    <URL: >
>   The NetBSD package system:
>    <URL: >
>   The PoPToP pptp server:
>    <URL: >
>   Microsoft VPN software:
>    <URL: >
>   Point to Point Networking standards:
>    <URL: >
>   Unix PPP implementation:
>    <URL: >
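
A preflight check for the kernel settings the quoted notes list (no active gre(4) device, `options PPP_FILTER`, `pseudo-device ppp`, and `CCP_MAX_OPTION_LENGTH` of at least 35), as an added example that is not part of the original messages or of either package. The function names and the sample files it writes are constructed for illustration; point `preflight` at a real kernel config and a copy of /sys/net/ppp-comp.h to use it.

```shell
#!/bin/sh
# Added example: preflight check for the kernel settings in the notes above.
# The file contents written below are constructed samples, not a real config.

# Print config lines with '#' comments and blank lines removed.
active_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# Print the numeric value of CCP_MAX_OPTION_LENGTH from a ppp-comp.h copy.
ccp_max_len() {
    awk '$1 == "#define" && $2 == "CCP_MAX_OPTION_LENGTH" { print $3; exit }' "$1"
}

# preflight CONFIG HEADER: print one line per problem; return 0 only if none.
preflight() {
    problems=0
    if active_lines "$1" | grep -Eq '^[[:space:]]*pseudo-device[[:space:]]+gre([[:space:]]|$)'; then
        echo "gre(4) is configured: GRE packets will not reach pptpd"; problems=$((problems + 1))
    fi
    if ! active_lines "$1" | grep -Eq '^[[:space:]]*options[[:space:]]+PPP_FILTER([[:space:]]|$)'; then
        echo "missing: options PPP_FILTER"; problems=$((problems + 1))
    fi
    if ! active_lines "$1" | grep -Eq '^[[:space:]]*pseudo-device[[:space:]]+ppp([[:space:]]|$)'; then
        echo "missing: pseudo-device ppp"; problems=$((problems + 1))
    fi
    len=$(ccp_max_len "$2")
    case "$len" in
        ''|*[!0-9]*) echo "CCP_MAX_OPTION_LENGTH not found"; problems=$((problems + 1)) ;;
        *) if [ "$len" -lt 35 ]; then
               echo "CCP_MAX_OPTION_LENGTH is $len: below 35, too small for 128-bit keys"
               problems=$((problems + 1))
           fi ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed inputs: a config that violates the notes and one that follows them.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'pseudo-device gre 2 # generic L3 over IP tunnel' \
    'pseudo-device ppp 2 # Point-to-Point Protocol' > "$tmp/BAD"
printf '%s\n' '#pseudo-device gre 2 # generic L3 over IP tunnel' \
    'options PPP_FILTER # Active filter support for PPP (requires bpf)' \
    'pseudo-device ppp 2 # Point-to-Point Protocol' > "$tmp/GOOD"
echo '#define CCP_MAX_OPTION_LENGTH 32' > "$tmp/comp32.h"
echo '#define CCP_MAX_OPTION_LENGTH 64' > "$tmp/comp64.h"

preflight "$tmp/BAD" "$tmp/comp32.h" || echo "=> fix the items above"
preflight "$tmp/GOOD" "$tmp/comp64.h" && echo "=> ok"
```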