Situation: I'm installing Abills... configured everything... but when I try to log in from Windows I get error 734...
And here is what mpd writes:
[L-1] Accepting PPTP connection
[L-1] link: OPEN event
[L-1] LCP: Open event
[L-1] LCP: state change Initial --> Starting
[L-1] LCP: LayerStart
[L-1] PPTP: attaching to peer's outgoing call
[L-1] link: UP event
[L-1] link: origination is remote
[L-1] LCP: Up event
[L-1] LCP: state change Starting --> Req-Sent
[L-1] LCP: SendConfigReq #1
ACFCOMP
PROTOCOMP
MRU 1500
MAGICNUM 46e73799
AUTHPROTO CHAP MSOFTv2
MP MRRU 1600
ENDPOINTDISC [802.1] 00 15 f2 60 31 ce
[L-1] LCP: rec'd Configure Request #0 (Req-Sent)
MRU 1400
MAGICNUM 0a891978
PROTOCOMP
ACFCOMP
CALLBACK 6
[L-1] LCP: SendConfigRej #0
CALLBACK 6
[L-1] LCP: rec'd Configure Request #1 (Req-Sent)
MRU 1400
MAGICNUM 0a891978
PROTOCOMP
ACFCOMP
[L-1] LCP: SendConfigAck #1
MRU 1400
MAGICNUM 0a891978
PROTOCOMP
ACFCOMP
[L-1] LCP: state change Req-Sent --> Ack-Sent
[L-1] LCP: SendConfigReq #2
ACFCOMP
PROTOCOMP
MRU 1500
MAGICNUM 46e73799
AUTHPROTO CHAP MSOFTv2
MP MRRU 1600
ENDPOINTDISC [802.1] 00 15 f2 60 31 ce
[L-1] LCP: rec'd Configure Reject #2 (Ack-Sent)
MP MRRU 1600
ENDPOINTDISC [802.1] 00 15 f2 60 31 ce
[L-1] LCP: SendConfigReq #3
ACFCOMP
PROTOCOMP
MRU 1500
MAGICNUM 46e73799
AUTHPROTO CHAP MSOFTv2
[L-1] LCP: rec'd Configure Ack #3 (Ack-Sent)
ACFCOMP
PROTOCOMP
MRU 1500
MAGICNUM 46e73799
AUTHPROTO CHAP MSOFTv2
[L-1] LCP: state change Ack-Sent --> Opened
[L-1] LCP: auth: peer wants nothing, I want CHAP
[L-1] CHAP: sending CHALLENGE len:17
[L-1] LCP: LayerUp
[L-1] LCP: rec'd Ident #2 (Opened)
[L-1] LCP: rec'd Ident #3 (Opened)
[L-1] CHAP: rec'd RESPONSE #1
Name: "user"
[L-1] AUTH: Auth-Thread started
[L-1] AUTH: Trying RADIUS
[L-1] RADIUS: RadiusAuthenticate for: user
[L-1] RADIUS: rec'd RAD_ACCESS_ACCEPT for user user
[L-1] AUTH: RADIUS returned authenticated
[L-1] AUTH: Auth-Thread finished normally
[L-1] CHAP: ChapInputFinish: status authenticated
Reply message: S=6DDBB7E7A74CCD77F7C807045E5F94AC662A7634
[L-1] CHAP: sending SUCCESS len:42
[L-1] LCP: authorization successful
[L-1] Matched link action 'bundle "B" ""'
[L-1] Creating new bundle using template "B".
[B-1] using interface ng0
[B-1] Bundle up: 1 link, total bandwidth 64000 bps
[B-1] IPCP: Open event
[B-1] IPCP: state change Initial --> Starting
[B-1] IPCP: LayerStart
[B-1] CCP: Open event
[B-1] CCP: state change Initial --> Starting
[B-1] CCP: LayerStart
[B-1] IPCP: Up event
[B-1] IPCP: state change Starting --> Req-Sent
[B-1] IPCP: SendConfigReq #1
IPADDR 10.0.16.10
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[B-1] CCP: Up event
[B-1] CCP: state change Starting --> Req-Sent
[B-1] CCP: SendConfigReq #1
MPPC
0x01000060:MPPE(40, 128 bits), stateless
[B-1] CCP: rec'd Configure Request #4 (Req-Sent)
MPPC
0x01000001:MPPC, stateless
[B-1] CCP: SendConfigNak #4
MPPC
0x01000060:MPPE(40, 128 bits), stateless
[B-1] IPCP: rec'd Configure Request #5 (Req-Sent)
IPADDR 0.0.0.0
NAKing with 10.0.16.130
PRIDNS 0.0.0.0
NAKing with 10.0.31.1
PRINBNS 0.0.0.0
SECDNS 0.0.0.0
SECNBNS 0.0.0.0
[B-1] IPCP: SendConfigRej #5
PRINBNS 0.0.0.0
SECDNS 0.0.0.0
SECNBNS 0.0.0.0
[B-1] IPCP: rec'd Configure Reject #1 (Req-Sent)
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[B-1] IPCP: SendConfigReq #2
IPADDR 10.0.16.10
[B-1] CCP: rec'd Configure Nak #1 (Req-Sent)
MPPC
0x01000040:MPPE(128 bits), stateless
[B-1] CCP: SendConfigReq #2
MPPC
0x01000040:MPPE(128 bits), stateless
[B-1] CCP: rec'd Configure Request #6 (Req-Sent)
MPPC
0x01000040:MPPE(128 bits), stateless
[B-1] CCP: SendConfigAck #6
MPPC
0x01000040:MPPE(128 bits), stateless
[B-1] CCP: state change Req-Sent --> Ack-Sent
[B-1] IPCP: rec'd Configure Request #7 (Req-Sent)
IPADDR 0.0.0.0
NAKing with 10.0.16.130
PRIDNS 0.0.0.0
NAKing with 10.0.31.1
[B-1] IPCP: SendConfigNak #7
IPADDR 10.0.16.130
PRIDNS 10.0.31.1
[B-1] IPCP: rec'd Configure Ack #2 (Req-Sent)
IPADDR 10.0.16.10
[B-1] IPCP: state change Req-Sent --> Ack-Rcvd
[B-1] CCP: rec'd Configure Ack #2 (Ack-Sent)
MPPC
0x01000040:MPPE(128 bits), stateless
[B-1] CCP: state change Ack-Sent --> Opened
[B-1] CCP: LayerUp
Compress using: mppc (MPPE(128 bits), stateless)
Decompress using: mppc (MPPE(128 bits), stateless)
[B-1] IPCP: rec'd Configure Request #8 (Ack-Rcvd)
IPADDR 10.0.16.130
10.0.16.130 is OK
PRIDNS 10.0.31.1
[B-1] IPCP: SendConfigAck #8
IPADDR 10.0.16.130
PRIDNS 10.0.31.1
[B-1] IPCP: state change Ack-Rcvd --> Opened
[B-1] IPCP: LayerUp
10.0.16.10 -> 10.0.16.130
[L-1] AUTH: Accounting-Thread started
[L-1] RADIUS: RadiusAccount for: user (Type: 1)
[L-1] RADIUS: rec'd RAD_ACCOUNTING_RESPONSE for user user
[L-1] RADIUS: RadiusGetParams: WARNING no MPPE-Keys received, MPPE will not work
[B-1] IFACE: Up event
[B-1] IPCP: rec'd Terminate Request #9 (Opened)
[B-1] IPCP: state change Opened --> Stopping
[B-1] IPCP: SendTerminateAck #3
[B-1] IPCP: LayerDown
[B-1] IFACE: Down event
[L-1] AUTH: Accounting-Thread finished normally
[B-1] IPCP: rec'd Terminate Request #10 (Stopping)
[B-1] IPCP: SendTerminateAck #4
[B-1] IPCP: state change Stopping --> Stopped
[B-1] IPCP: LayerFinish
[B-1] No NCPs left. Closing links...
[B-1] closing link "L-1"...
[L-1] link: CLOSE event
[L-1] LCP: Close event
[L-1] LCP: state change Opened --> Closing
[L-1] AUTH: Accounting data for user user: 5 seconds, 180 octets in, 150 octets out
[B-1] Bundle up: 0 links, total bandwidth 9600 bps
[B-1] IPCP: Close event
[B-1] IPCP: state change Stopped --> Closed
[B-1] CCP: Close event
[B-1] CCP: state change Opened --> Closing
[B-1] CCP: SendTerminateReq #3
[B-1] error writing len 8 frame to bypass: Network is down
[B-1] CCP: LayerDown
[B-1] IPCP: Down event
[B-1] IPCP: state change Closed --> Initial
[B-1] CCP: Down event
[B-1] CCP: LayerFinish
[B-1] CCP: state change Closing --> Initial
[B-1] Bundle shutdown
[L-1] AUTH: Cleanup
[L-1] LCP: SendTerminateReq #4
[L-1] LCP: LayerDown
[L-1] AUTH: Accounting-Thread started
[L-1] RADIUS: RadiusAccount for: user (Type: 2)
[L-1] RADIUS: Termination cause: Protocol error, RADIUS: 15
[L-1] LCP: rec'd Terminate Ack #4 (Closing)
[L-1] LCP: state change Closing --> Closed
[L-1] LCP: LayerFinish
[L-1] PPTP call terminated
[L-1] link: DOWN event
[L-1] LCP: Down event
[L-1] LCP: state change Closed --> Initial
[L-1] link: SHUTDOWN event
[L-1] RADIUS: rec'd RAD_ACCOUNTING_RESPONSE for user user
[L-1] RADIUS: RadiusGetParams: WARNING no MPPE-Keys received, MPPE will not work
[L-1] AUTH: Accounting-Thread finished normally
And here is what RADIUS says:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 2048
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded perl
perl: module = "/usr/abills/libexec/rlm_perl.pl"
perl: func_authorize = "authorize"
perl: func_authenticate = "authenticate"
perl: func_accounting = "accounting"
perl: func_preacct = "preacct"
perl: func_checksimul = "checksimul"
perl: func_detach = "detach"
perl: func_xlat = "xlat"
perl: func_pre_proxy = "pre_proxy"
perl: func_post_proxy = "post_proxy"
perl: func_post_auth = "post_auth"
perl: perl_flags = "(null)"
perl: func_start_accounting = "(null)"
perl: func_stop_accounting = "(null)"
Subroutine access_deny redefined at /usr/abills/libexec/rauth.pl line 254.
Reply-Message = "Unknow server ''"
Module: Instantiated perl (perl)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
exec: wait = yes
exec: program = "/usr/abills/libexec/rauth.pl pre_auth"
exec: input_pairs = "request"
exec: output_pairs = "config"
exec: packet_type = "(null)"
Module: Instantiated exec (pre_auth)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
exec: wait = yes
exec: program = "/usr/abills/libexec/rauth.pl post_auth"
exec: input_pairs = "request"
exec: output_pairs = "config"
exec: packet_type = "(null)"
Module: Instantiated exec (post_auth)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:60138, id=147, length=194
NAS-Identifier = "kvhoit02.delta.internal"
NAS-IP-Address = 127.0.0.1
Message-Authenticator = 0xaf8ae6e997dfe682431a9fee61ca472b
NAS-Port = 1
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "10.0.16.130"
User-Name = "user"
MS-CHAP-Challenge = 0xbb1e68e5f9f7e4075717f80a8b357f6c
MS-CHAP2-Response = 0x010088f0b2f0147130c86acfc4a2720fceb90000000000000000f31d540213dbeb829e8d7c30249d93f0a18c14bfbce5fd0a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module "mschap" returns ok for request 0
Exec-Program output: User-Password == "1234567890"
Exec-Program-Wait: value-pairs: User-Password == "1234567890"
Exec-Program: returned: 0
modcall[authorize]: module "pre_auth" returns ok for request 0
Using perl at 0x2040c136
User-Password == "1234567890"
rlm_perl: Added pair Session-Timeout = 7400
rlm_perl: Added pair MS-MPPE-Encryption-Types = 0x00000006
rlm_perl: Added pair Framed-IP-Address = 10.0.16.130
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair MS-CHAP2-SUCCESS = 0x01533d33443836384642353943373731363832373033413345424542313032464630324331333133393835
rlm_perl: Added pair MS-MPPE-Encryption-Policy = 0x00000001
rlm_perl: Added pair User-Password = 1234567890
rlm_perl: Added pair Auth-Type = MS-CHAP
modcall[authorize]: module "perl" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Sending Access-Accept of id 147 to 127.0.0.1 port 60138
Session-Timeout = 7400
MS-MPPE-Encryption-Types = 0x00000006
Framed-IP-Address = 10.0.16.130
Framed-IP-Netmask = 255.255.255.0
MS-CHAP2-Success = 0x01533d33443836384642353943373731363832373033413345424542313032464630324331333133393835
MS-MPPE-Encryption-Policy = 0x00000001
MS-CHAP2-Success = 0x01533d33443836384642353943373731363832373033413345424542313032464630324331333133393835
MS-MPPE-Recv-Key = 0x2cf8a29211b4c2d80283be320f6fd808
MS-MPPE-Send-Key = 0x83e7cc6d4768a3aea8dafe7abbb08b3e
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 127.0.0.1:62272, id=57, length=150
NAS-Identifier = "kvhoit02.delta.internal"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "10.0.16.130"
Acct-Status-Type = Start
Framed-IP-Address = 10.0.16.130
Framed-IP-Netmask = 255.255.255.0
User-Name = "user"
Acct-Session-Id = "7130413-L-1"
Acct-Multi-Session-Id = "7130413-B-1"
Acct-Link-Count = 1
Acct-Authentic = RADIUS
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 1
modcall[preacct]: module "preprocess" returns noop for request 1
rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "7130413-L-1",User-Name = "user"'
rlm_acct_unique: Acct-Unique-Session-ID = "bc54217738bcfa2b".
modcall[preacct]: module "acct_unique" returns ok for request 1
modcall: leaving group preacct (returns ok) for request 1
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 1
Using perl at 0x2040c136
modcall[accounting]: module "perl" returns ok for request 1
modcall: leaving group accounting (returns ok) for request 1
Sending Accounting-Response of id 57 to 127.0.0.1 port 62272
Finished request 1
Going to the next request
Cleaning up request 1 ID 57 with timestamp 4924862d
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 127.0.0.1:53892, id=33, length=198
NAS-Identifier = "kvhoit02.delta.internal"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "10.0.16.130"
Framed-IP-Address = 10.0.16.130
Framed-IP-Netmask = 255.255.255.0
User-Name = "user"
Acct-Session-Id = "7130413-L-1"
Acct-Multi-Session-Id = "7130413-B-1"
Acct-Link-Count = 1
Acct-Authentic = RADIUS
Acct-Status-Type = Stop
Acct-Terminate-Cause = Service-Unavailable
Acct-Session-Time = 5
Acct-Input-Octets = 180
Acct-Input-Packets = 11
Acct-Output-Octets = 150
Acct-Output-Packets = 11
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 2
modcall[preacct]: module "preprocess" returns noop for request 2
rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "7130413-L-1",User-Name = "user"'
rlm_acct_unique: Acct-Unique-Session-ID = "bc54217738bcfa2b".
modcall[preacct]: module "acct_unique" returns ok for request 2
modcall: leaving group preacct (returns ok) for request 2
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
Using perl at 0x2040c136
modcall[accounting]: module "perl" returns ok for request 2
modcall: leaving group accounting (returns ok) for request 2
Sending Accounting-Response of id 33 to 127.0.0.1 port 53892
Finished request 2
Going to the next request
--- Walking the entire request list ---
Cleaning up request 2 ID 33 with timestamp 49248630
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 147 with timestamp 4924862d
Nothing to do. Sleeping until we see a request.
As I understand it, mpd is dropping the connection... why? Please help.
I did everything as written here... it didn't help (http://www.abills.net.ua/wiki/doku.php?id=abills:docs:mschap...)
Here are the RADIUS and mpd configs...
MPD -
#################################################################
#
# MPD configuration file
#
# This file defines the configuration for mpd: what the
# bundles are, what the links are in those bundles, how
# the interface should be configured, various PPP parameters,
# etc. It contains commands just as you would type them
# in at the console. Lines without padding are labels. Lines
# starting with a "#" are comments.
#
# $Id: mpd.conf.sample,v 1.41 2007/10/05 17:42:52 amotin Exp $
#
#################################################################

startup:
    # configure the console
    # enable TCP-Wrapper (hosts_access(5)) to block unfriendly clients
    set global enable tcp-wrapper
    set console self 10.0.16.10 5005
    set console user pahan admin
    #set console user foo1 bar1
    set console open
    # configure the web server
    #set web self 0.0.0.0 5006
    #set web user foo bar
    #set web open

####################################################################
#Netflow options
# set netflow peer %MPD_NETFLOW_IP% %MPD_NETFLOW_PORT%
# set netflow self %MPD_NETFLOW_SOURCE_IP% %MPD_NETFLOW_SOURCE_PORT%
# set netflow timeouts 15 15
# set netflow hook 9000
# #set netflow node netflow

#####################################################################
#
# Default configuration is "dialup"

default:
    load pptp_server

dialup:
#
# Example of a simple PPP dialup account using modem device.
# This will connect whenever there is outgoing demand (DoD), and hangup
# after a 15 minute idle time. It also connects and disconnects
# when signals SIGUSR1 and SIGUSR2 are received, respectively.
#
# Note the "set iface addrs ..." is needed because we're doing
# dial-on-demand and therefore can't wait for the peer to assign
# us IP addresses for the interface. These can be completely phoney
# IP addresses.
#
# We also enable the idle-script "Ringback", which means if we're
# not connected and we detect an incoming call, we don't answer it
# BUT we do initiate a call to the ISP to get connected. This is
# nice to connect yourself when you're away from home, etc.
    # Create static modem link named L1
    # create link static L1 modem
    # Configure modem
    set modem device /dev/cuad0
    set modem var $DialPrefix "DT"
    set modem var $Telephone "1-415-555-1212"
    set modem script DialPeer
    set modem idle-script Ringback
    # We expect to be authenticated by peer using any protocol.
    set link disable chap pap
    set link accept chap pap
    # Configure the account name. Password will be taken from mpd.secret.
    set auth authname MyLogin
    # To make Ringback work we should specify how to handle "incoming"
    # calls originated by it.
    set link action bundle B1
    set link enable incoming

    # Create static bundle named B1
    create bundle static B1
    # Enumerate links participating in DoD
    set bundle links L1
    # Configure the interface: dial on demand, default route, idle timeout.
    set iface addrs 1.1.1.1 2.2.2.2
    set iface route default
    set iface enable on-demand
    set iface idle 900

    # "Open" interface (but don't actually dial until there's demand)
    open iface

dialin:
#
# This setup answers incoming calls from a remote peer,
# but is not intended for dialing out.
#
# The local IP address is 1.1.1.1 and the remote is 2.2.2.2.
#
    # create bundle static B1
    set iface idle 900
    set ipcp ranges 1.1.1.1/32 2.2.2.2/32

    create link static L1 modem
    # Set bundle to use
    set link action bundle B1
    # Authenticate peer with chap-md5
    set link no chap pap eap
    set link enable chap-md5
    # Configure modem
    set modem device /dev/cuad0
    set modem var $DialPrefix "DT"
    set modem idle-script AnswerCall
    # Permit incoming calls using this link
    set link enable incoming

multi_dialup:
#
# Example of a multi-link dialup setup, using links "usr1" and "usr2"
# Similar to the first example, but uses two links together, and
# does not do dial-on-demand.
#
    # Create clonable bundle template
    create bundle template B
    set iface route default
    set iface idle 900

    # Create links and open them
    create link static L1 modem
    load common
    set modem device /dev/cuad0
    open

    create link static L2 modem
    load common
    set modem device /dev/cuad1
    open

common:
    # Enable multilink protocol
    set link enable multilink
    # Set bundle template to use
    set link action bundle B
    # Allow peer to authenticate us
    set link disable chap pap
    set link accept chap pap
    set auth authname MyLogin
    # Set infinite redial attempts
    set link max-redial 0
    set modem var $DialPrefix "DT"
    set modem var $Telephone "1-415-555-1212"
    set modem script DialPeer

sync:
#
# Dedicated synchronous line using netgraph link.
# The remote router is connected to the 192.168.2.0/24 subnet.
# No authentication required.
#
    create bundle static B1
    set iface route 192.168.2.0/24
    set ipcp ranges 192.168.1.153/32 192.168.2.1/24

    create link static L1 ng
    set link action bundle B1
    set link max-redial 0
    set link no chap pap
    set ng node sr0:
    set ng hook rawdata
    open

pptp_server:
#
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
# machine running mpd is at 192.168.1.1, and also has an externally visible
# IP address of 1.2.3.4.
#
# We want to allow a client to connect to 1.2.3.4 from out on the Internet
# via PPTP. We will assign that client the address 192.168.1.50 and proxy-ARP
# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
# and 192.168.1.50 remote. From the client machine's perspective, it will
# appear as if it is actually on the 192.168.1.0/24 network, even though in
# reality it is somewhere far away out on the Internet.
#
# Our DNS server is at 192.168.1.3 and our NBNS (WINS server) is at 192.168.1.4.
# If you don't have an NBNS server, leave that line out.
#
    # Define dynamic IP address pool.
    set ippool add pool1 10.1.0.1 10.1.255.255

    # Create clonable bundle template named B
    create bundle template B
    set iface enable proxy-arp
    set iface idle 1800
    set iface enable tcpmssfix
    set iface up-script "/usr/abills/libexec/linkupdown mpd up"
    set iface down-script "/usr/abills/libexec/linkupdown mpd down"
    set ipcp yes vjcomp
    # Specify IP address pool for dynamic assignment.
    set ipcp ranges 10.1.100.1/32 ippool pool1
    set ipcp dns 10.0.31.1
    # set ipcp nbns 192.168.1.4
    # The five lines below enable Microsoft Point-to-Point encryption
    # (MPPE) using the ng_mppc(8) netgraph node type.
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e40
    set ccp yes mpp-e128
    set ccp yes mpp-stateless

    # Create clonable link template named L
    create link template L pptp
    # Set bundle template to use
    set link action bundle B
    # Multilink adds some overhead, but gives full 1500 MTU.
    set link enable multilink
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    # We can use RADIUS authentication/accounting by including
    # another config section with label 'radius'.
    load radius
    set link keep-alive 10 60
    # We reduce the link mtu to avoid GRE packet fragmentation.
    set link mtu 1460
    # Configure PPTP
    set pptp self 10.0.16.10
    # Allow to accept calls
    set link enable incoming

pptp_vpn:
#
# Mpd using PPTP for LAN to LAN VPN, always connected.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and another
# remote private Office LAN numbered 192.168.2.0/24, and you wanted to route
# between these two private networks using a PPTP VPN over the Internet.
#
# You run mpd on dual-homed machines on either end. Say the local machine
# has internal address 192.168.1.1 and externally visible address 1.2.3.4,
# and the remote machine has internal address 192.168.2.1 and externally
# visible address 2.3.4.5.
#
# Note: mpd does not support the peer's "inside" IP address being the same
# as its "outside" IP address. In the above example, this means that
# 192.168.2.1 != 2.3.4.5.
#
# The "inside" IP addresses are configured by "set ipcp ranges ..."
# (in mpd.conf) while the "outside" IP addresses are configured by
# "set pptp self ..." and "set pptp peer ...".
#
    create bundle static B1
    set ipcp ranges 192.168.1.1/32 192.168.2.1/32
    set iface route 192.168.2.0/24
    # Enable Microsoft Point-to-Point encryption (MPPE)
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e40
    set ccp yes mpp-e128
    set bundle enable crypt-reqd
    set ccp yes mpp-stateless

    create link static L1 pptp
    set link action bundle B1
    # Enable both sides to authenticate each other with CHAP
    set link no pap
    set link yes chap
    set auth authname "VpnLogin"
    set auth password "VpnPassword"
    set link mtu 1460
    set link keep-alive 10 75
    set link max-redial 0
    # Configure PPTP and open link
    set pptp self 1.2.3.4
    set pptp peer 2.3.4.5
    set link enable incoming
    open

pptp_client:
#
# PPTP client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on ISP's end
#
    create bundle static B1
    set iface route default
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0

    create link static L1 pptp
    set link action bundle B1
    set auth authname MyLogin
    set auth password MyPass
    set link max-redial 0
    set link mtu 1460
    set link keep-alive 20 75
    set pptp peer 1.2.3.4
    set pptp disable windowing
    open

pppoe_server:
#
# Multihomed multilink PPPoE server
#
    # Create clonable bundle template
    create bundle template B
    # Set IP addresses. Peer address will be later replaced by RADIUS.
    set ipcp ranges 10.1.16.0/32 10.1.16.400/32

    # Create link template with common info
    create link template common pppoe
    # Enable multilink protocol
    set link enable multilink
    # Set bundle template to use
    set link action bundle B
    # Enable peer authentication
    set link disable chap pap eap
    set link enable pap
    load radius
    set pppoe service "superisp"

    # Create templates for ifaces to listen using 'common' template and let them go
    create link template fxp0 common
    set pppoe iface fxp0
    set link enable incoming

    create link template fxp1 common
    set pppoe iface fxp1
    set link enable incoming

pppoe_client:
#
# PPPoE client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on ISP's end
#
    create bundle static B1
    set iface route default
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0

    create link static L1 pppoe
    set link action bundle B1
    set auth authname MyLogin
    set auth password MyPass
    set link max-redial 0
    set link mtu 1460
    set link keep-alive 10 60
    set pppoe iface fxp0
    set pppoe service ""
    open

radius:
    # You can use radius.conf(5); it's useful because you can share the
    # same config with userland-ppp and other apps.
    set radius config /etc/radiusd.conf
    # or specify the server directly here
    set radius server 127.0.0.1 radsecret 1812 1813
    set radius retries 3
    set radius timeout 10
    # send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
    set radius me 127.0.0.1
    # send accounting updates every 5 minutes
    set auth acct-update 300
    # enable RADIUS, and fall back to mpd.secret if RADIUS auth failed
    set auth enable radius-auth
    # enable RADIUS accounting
    set auth enable radius-acct
    # protect our requests with the message-authenticator
    set radius enable message-authentic

simple_lac:
#
# This is a simple L2TP access concentrator which receives PPPoE calls
# and forwards them to LNS on 1.2.3.4
#
    create link template L1 pppoe
    set pppoe iface fxp0
    set link action forward L2
    set link enable incoming

    create link template L2 l2tp
    set l2tp peer 1.2.3.4

complete_lac:
#
# This is a more complicated L2TP access concentrator which receives PPPoE calls
# and, if the peer auth name includes @corp1.net, forwards them to the LNS on 1.2.3.4;
# if the peer auth name includes @corp2.net, forwards them to the LNS on 2.3.4.5;
# all other connections it processes itself locally using internal auth and
# assigning a dynamic IP from the specified pool.
#
    set ippool add pool1 192.168.1.50 192.168.1.99

    create link template L1 pppoe
    set pppoe iface fxp0
    # We must ask authentication to get peer login
    set link no pap chap eap
    set link enable pap
    set link action forward L2 "@corp1\\.net$"
    set link action forward L3 "@corp2\\.net$"
    set link action bundle B1
    set link enable incoming

    create link template L2 l2tp
    set l2tp peer 1.2.3.4
    set l2tp secret corp1secret

    create link template L3 l2tp
    set l2tp peer 2.3.4.5
    set l2tp secret corp2secret

    create bundle template B1
    set ipcp ranges 192.168.1.1/32 ippool pool1
Freeradius -
# FreeRADIUS Version 1.1.5, for host i386-portbld-freebsd6.2
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log

libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody
#group = nobody

# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30

# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no

# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5

# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 2048
bind_address = *
port = 0

#listen {
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
# ipaddr = *

# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
# port = 0

# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
#
# type = auth
#}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests = no
#$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
#$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5

# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT to keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32

# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10

# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}

modules {
exec pre_auth {
wait = yes
program = "/usr/abills/libexec/rauth.pl pre_auth"
input_pairs = request
output_pairs = config
}
exec post_auth {
wait = yes
program = "/usr/abills/libexec/rauth.pl post_auth"
input_pairs = request
output_pairs = config
}
perl {
module = /usr/abills/libexec/rlm_perl.pl
func_authorize = authorize
func_accounting = accounting
func_authenticate = authenticate
func_preacct = preacct
func_checksimul = checksimul
func_xlat = xlat
}
pap {
auto_header = yes
}
chap {
authtype = CHAP
}

pam {
pam_auth = radiusd
}
#$INCLUDE ${confdir}/eap.conf

mschap {
#use_mppe = no
#require_encryption = yes
#require_strong = yes
#with_ntdomain_hack = no
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id

# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id

# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string

# If set to yes and we don't find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no

# Cisco (and Quintum in Cisco mode) sends its VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}

# files {
# usersfile = ${confdir}/users
# acctusersfile = ${confdir}/acct_users
# preproxy_usersfile = ${confdir}/preproxy_users
# compat = no
# }

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
#suppress {
# User-Password
#}
}

# detail auth_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users' passwords!
# detailperm = 0600
# }
# detail reply_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users' passwords!
# detailperm = 0600
# }

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

# attr_filter {
# attrsfile = ${confdir}/attrs
# }

expr {
}

exec {
wait = yes
input_pairs = request
}
}
instantiate {
exec
expr
}
authorize {
preprocess
pre_auth
mschap
# files
#eap
perl
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# don't use simultaneously 'perl' and files
perl
#eap
}
preacct {
preprocess
acct_unique
}

accounting {
# don't use simultaneously 'perl' and files
perl
#detail
}

session {
# radutmp
# sql
}
post-auth {
Post-Auth-Type REJECT {
post_auth
}
}
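To make the `cleanup_delay` and `max_requests` comments in the radiusd.conf above concrete, here is a small added example (not FreeRADIUS or ABillS code) that models the reply cache those two settings control. RFC 2865 identifies a retransmission by the NAS source address and port, the Identifier byte and the 16-byte Request Authenticator; the class and method names, the constructed packets and the simplified expiry behaviour are assumptions made for illustration only.

```python
"""Toy model of the FreeRADIUS reply cache controlled by cleanup_delay and
max_requests.  Added example for this thread, not code from FreeRADIUS or
ABillS; class and method names are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class RequestKey:
    """RFC 2865 treats a packet with the same source address/port,
    Identifier and Request Authenticator as a retransmission."""
    client_ip: str
    client_port: int
    identifier: int        # one byte, 0-255
    authenticator: bytes   # 16 random bytes chosen by the NAS


@dataclass
class CacheEntry:
    reply: bytes
    stored_at: float


class ReplyCache:
    """Keeps each reply for cleanup_delay seconds so a duplicate request can
    be answered from cache instead of being authenticated a second time."""

    def __init__(self, cleanup_delay: float = 5.0, max_requests: int = 2048):
        self.cleanup_delay = cleanup_delay
        self.max_requests = max_requests
        self._entries: Dict[RequestKey, CacheEntry] = {}

    def _expire(self, now: float) -> None:
        # Drop replies older than cleanup_delay so their slots can be reused.
        stale = [k for k, e in self._entries.items()
                 if now - e.stored_at >= self.cleanup_delay]
        for k in stale:
            del self._entries[k]

    def handle(self, key: RequestKey, now: float,
               compute_reply: Callable[[], bytes]) -> str:
        """Classify one incoming Access-Request:
        'replayed' - duplicate seen while its reply was still cached
        'answered' - new request, back end consulted, reply cached
        'blocked'  - table full (max_requests reached), request dropped"""
        self._expire(now)
        if key in self._entries:
            return "replayed"
        if len(self._entries) >= self.max_requests:
            return "blocked"
        self._entries[key] = CacheEntry(compute_reply(), now)
        return "answered"


def scenario() -> dict:
    """Walk through the two failure modes the config comments warn about,
    using constructed packets (no real NAS involved)."""
    auth = bytes(range(16))
    key = RequestKey("10.0.0.2", 1645, 7, auth)
    accept = lambda: b"Access-Accept"

    # cleanup_delay = 5: a NAS retransmit 2 s later is served from cache.
    ok = ReplyCache(cleanup_delay=5, max_requests=2048)
    first = ok.handle(key, 100.0, accept)
    retry = ok.handle(key, 102.0, accept)

    # cleanup_delay too low: the same retransmit is authenticated again,
    # so one login shows up as two requests at the back end.
    low = ReplyCache(cleanup_delay=1, max_requests=2048)
    low.handle(key, 100.0, accept)
    late_retry = low.handle(key, 102.0, accept)

    # max_requests too small for the client count: a burst of distinct
    # requests fills the table and new ones are refused until entries expire.
    small = ReplyCache(cleanup_delay=5, max_requests=4)
    burst: List[str] = [
        small.handle(RequestKey("10.0.0.2", 1645, i, auth), 200.0, accept)
        for i in range(6)
    ]
    after_expiry = small.handle(RequestKey("10.0.0.2", 1645, 99, auth),
                                206.0, accept)

    return {"first": first, "retry": retry, "late_retry": late_retry,
            "burst": burst, "after_expiry": after_expiry}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

A duplicate served from the cache never reaches the authorize/authenticate sections, so with the posted values (cleanup_delay = 5, max_requests = 2048) a NAS retransmit of the CHAP response is answered once; the blocked case only appears when the table is sized far below the 256-per-client rule of thumb in the comments.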
:up
>:updown
set bundle enable compression
Try turning off compression; I had something similar myself, and turning it off helped.