Diffstat (limited to 'share/examples/ppp')
| -rwxr-xr-x | share/examples/ppp/chap-auth | 96 | ||||
| -rwxr-xr-x | share/examples/ppp/login-auth | 73 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.conf.sample | 788 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.conf.span-isp | 193 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.conf.span-isp.working | 106 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.linkdown.sample | 33 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.linkdown.span-isp | 16 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.linkdown.span-isp.working | 16 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.linkup.sample | 53 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.linkup.span-isp | 16 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.linkup.span-isp.working | 16 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.secret.sample | 40 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.secret.span-isp | 5 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.secret.span-isp.working | 8 |
14 files changed, 1459 insertions, 0 deletions
diff --git a/share/examples/ppp/chap-auth b/share/examples/ppp/chap-auth
new file mode 100755
index 000000000000..91778949fea3
--- /dev/null
+++ b/share/examples/ppp/chap-auth
@@ -0,0 +1,96 @@
+#! /usr/local/bin/wish8.0 -f
+#
+# Copyright (c) 1999 Brian Somers <brian@Awfulhak.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+#
+# Display a window to request a users CHAP secret, accepting the relevant
+# values from ppp (``set authkey !thisprogram'') and passing the entered
+# ``authname'' and ``authkey'' back to ppp.
+#
+
+set pwidth 12; # Prompt field width
+set vwidth 20; # Value field width
+set fxpad 7; # Value field width
+set fypad 3; # Value field width
+
+wm title . "PPP Authentication";
+
+# We expect three lines of input from ppp
+set hostname [gets stdin];
+set challenge [gets stdin];
+set authname [gets stdin];
+
+proc mkhalfframe { n prompt } {
+ global pwidth;
+
+ frame .$n;
+ text .$n.prompt -width $pwidth -height 1 -relief flat;
+ .$n.prompt insert 1.0 $prompt;
+ pack .$n.prompt -side left;
+ .$n.prompt configure -state disabled;
+}
+
+proc mkframe { n prompt value entry } {
+ global vwidth fxpad fypad;
+
+ mkhalfframe $n $prompt;
+ text .$n.value -width $vwidth -height 1;
+ .$n.value insert 1.0 $value;
+ pack .$n.value -side right;
+ if ($entry) {
+ # Allow entry, but don't encourage it
+ .$n.value configure -state normal -takefocus 0;
+ bind .$n.value <Return> {done};
+ } else {
+ .$n.value configure -state disabled;
+ }
+ pack .$n -side top -padx $fxpad -pady $fypad;
+}
+
+# Dump our fields to stdout and exit
+proc done {} {
+ puts [.n.value get 1.0 {end - 1 char}];
+ puts [.k.value get];
+ exit 0;
+}
+
+mkframe h "Hostname:" $hostname 0;
+mkframe c "Challenge:" $challenge 0;
+mkframe n "Authname:" $authname 1;
+
+mkhalfframe k "Authkey:";
+entry .k.value -show "*" -width $vwidth;
+pack .k.value -side right;
+bind .k.value <Return> {done};
+focus .k.value;
+pack .k -side top -padx $fxpad -pady $fypad;
+
+frame .b;
+button .b.ok -default active -text "Ok" -command {done};
+pack .b.ok -side left;
+button .b.cancel -default normal -text "Cancel" -command {exit 1};
+pack .b.cancel -side right;
+pack .b -side top -padx $fxpad -pady $fypad;
diff --git a/share/examples/ppp/login-auth b/share/examples/ppp/login-auth
new file mode 100755
index 000000000000..e3d34f89ddff
--- /dev/null
+++ b/share/examples/ppp/login-auth
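Review bot: The three `gets stdin` calls on the `set hostname`, `set challenge` and `set authname` lines never check that a line was actually read, so if the pipe from ppp is closed early the dialog presumably comes up with blank Hostname and Challenge fields and `done` still writes whatever the user typed to stdout. The two-argument form of `gets` returns -1 at end of file, which lets the script refuse to proceed: `if {[gets stdin hostname] < 0 || [gets stdin challenge] < 0 || [gets stdin authname] < 0} { exit 1 }`. The header comment would also benefit from stating the output contract that only `done` and the Cancel button make visible, e.g. `# Output: authname on the first line of stdout, authkey on the second; exit status 1 on Cancel`.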
@@ -0,0 +1,73 @@
+#! /usr/local/bin/wish8.0 -f
+#
+# Copyright (c) 1999 Brian Somers <brian@Awfulhak.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+#
+# Display a window to request a users password, expecting a login name
+# as an argument and outputting the password to stdout.
+#
+
+set pwidth 11; # Prompt field width
+set vwidth 20; # Value field width
+set fxpad 7; # Value field width
+set fypad 3; # Value field width
+
+wm title . "PPP Login";
+
+# Dump our password to stdout and exit
+proc done {} {
+ puts [.p.value get];
+ exit 0;
+}
+
+frame .l;
+text .l.prompt -width $pwidth -height 1 -relief flat;
+ .l.prompt insert 1.0 "Login:";
+pack .l.prompt -side left;
+ .l.prompt configure -state disabled;
+text .l.value -width $vwidth -height 1;
+ .l.value insert 1.0 $argv;
+pack .l.value -side right;
+ .l.value configure -state disabled;
+pack .l -side top -padx $fxpad -pady $fypad;
+
+frame .p;
+text .p.prompt -width $pwidth -height 1 -relief flat;
+ .p.prompt insert 1.0 "Password:";
+pack .p.prompt -side left;
+ .p.prompt configure -state disabled;
+entry .p.value -show "*" -width $vwidth;
+pack .p.value -side right;
+bind .p.value <Return> {done};
+focus .p.value;
+pack .p -side top -padx $fxpad -pady $fypad;
+
+frame .b;
+button .b.ok -default active -text "Ok" -takefocus 0 -command {done};
+pack .b.ok -side left;
+button .b.cancel -default normal -text "Cancel" -takefocus 0 -command {exit 1};
+pack .b.cancel -side right;
+pack .b -side top -padx $fxpad -pady $fypad;
diff --git a/share/examples/ppp/ppp.conf.sample b/share/examples/ppp/ppp.conf.sample
new file mode 100644
index 000000000000..67df28d23f4f
--- /dev/null
+++ b/share/examples/ppp/ppp.conf.sample
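Review bot: `.l.value insert 1.0 $argv` displays the whole argument list, not the login name the header comment says is expected, so an extra argument or a name containing spaces or braces is shown in Tcl list form. Use `.l.value insert 1.0 [lindex $argv 0];` and, since only one argument is meaningful, reject anything else before building the window with `if {[llength $argv] != 1} { exit 1 }`. As a point of style, the Ok and Cancel buttons carry `-takefocus 0` here but not in chap-auth; the two companion scripts would read more consistently with one choice.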
@@ -0,0 +1,788 @@ +################################################################# +# +# PPP Sample Configuration File +# +# Originally written by Toshiharu OHNO +# +# +################################################################# + +# This file is separated into sections. Each section is named with +# a label starting in column 0 and followed directly by a ``:''. The +# section continues until the next label. Blank lines and characters +# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\'' +# or quoted with ""). All commands inside sections that do not begin +# with ``!'' (e.g., ``!include'') *must* be indented by at least one +# space or tab or they will not be recognized! +# +# Lines beginning with "!include" will ``include'' another file. You +# may want to ``!include ~/.ppp.conf'' for backwards compatibility. +# + +# Default setup. Always executed when PPP is invoked. +# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. +# +# This is the best place to specify your modem device, its DTR rate, +# your dial script and any logging specification. Logging specs should +# be done first so that the results of subsequent commands are logged. +# +default: + set log Phase Chat LCP IPCP CCP tun command + set device /dev/cuau1 + set speed 115200 + set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ + OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" + +# Client side PPP +# +# Although the PPP protocol is a peer to peer protocol, we normally +# consider the side that initiates the connection as the client and +# the side that receives the connection as the server. Authentication +# is required by the server either using a unix-style login procedure +# or by demanding PAP or CHAP authentication from the client. 
+# + +# An on demand example where we have dynamic IP addresses and wish to +# use a unix-style login script: +# +# If the peer assigns us an arbitrary IP (most ISPs do this) and we +# can't predict what their IP will be either, take a wild guess at +# some IPs that you can't currently route to. Ppp can change this +# when the link comes up. +# +# The /0 bit in "set ifaddr" says that we insist on 0 bits of the +# specified IP actually being correct, therefore, the other side can assign +# any IP number. +# +# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested +# IP number, forcing the peer to make the decision. This is necessary +# when negotiating with some (broken) ppp implementations. +# +# This entry also works with static IP numbers or when not in -auto mode. +# The ``add'' line adds a `sticky' default route that will be updated if +# and when any of the IP numbers are changed in IPCP negotiations. +# The "set ifaddr" is required in -auto mode only. +# It's better to put the ``add'' line in ppp.linkup when not in -auto mode. +# +# Finally, the ``enable dns'' line tells ppp to ask the peer for the +# nameserver addresses that should be used. This isn't always supported +# by the other side, but if it is, ppp will update /etc/resolv.conf with +# the correct nameserver values at connection time. +# +# The login script shown says that you're expecting ``ogin:''. If you +# don't receive that, send a ``\n'' and expect ``ogin:'' again. When +# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. +# You *MUST* customise this login script according to your local +# requirements. +# +pmdemand: + set phone 1234567 + set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" + set timeout 120 + set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 + add default HISADDR + enable dns + +# If you want to use PAP or CHAP instead of using a unix-style login +# procedure, do the following. 
Note, the peer suggests whether we +# should send PAP or CHAP. By default, we send whatever we're asked for. +# +# You *MUST* customise ``MyName'' and ``MyKey'' below. +# +PAPorCHAPpmdemand: + set phone 1234567 + set login + set authname "MyName" + set authkey "MyKey" + set timeout 120 + set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 + add default HISADDR + enable dns + +# On demand dialup example with static IP addresses: +# Here, the local side uses 192.244.185.226 and the remote side +# uses 192.244.176.44. +# +# # ppp -auto ondemand +# +# With static IP numbers, our setup is similar to dynamic: +# Remember, ppp.linkup is searched for a "192.244.176.44" label, then +# an "ondemand" label, and finally the "MYADDR" label. +# +ondemand: + set phone 1234567 + set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" + set timeout 120 + set ifaddr 192.244.185.226 192.244.176.44 + add default HISADDR + enable dns + +# An on-demand dialup example using an external Terminal Adapter (TA) +# that supports multi-link ppp itself. +# +# This may be specific to the AETHRA TA. +# +TA: + set phone 12345678 # Replace this with your ISPs phone number + + set authname "somename" # Replace these with your login name & password. + set authkey "somepasswd" # This profile assumes you're using PAP or CHAP. + + enable lqr echo + set reconnect 3 5 + set redial 3 10 + set lqrperiod 45 + disable pred1 deflate mppe + deny pred1 deflate mppe + + set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \ + OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" + set login + set logout + set hangup + + set timeout 60 300 # The minimum charge period is 5 minutes, so don't + # hangup before then + + set device /dev/cuau0 # Or whatever + set speed 115200 # Use as high a speed as possible + + enable dns # Ask the peer what to put in resolv.conf + + # Take a wild guess at an IP number and let the other side decide + set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0 + add! 
default hisaddr + + set mru 1504 # Some extra room for the MP header + + set server /var/run/ppp/ppp-TA "" 0177 # The diagnostic port (-rw-------) + + +# Example segments +# +# The following lines may be included as part of your configuration +# section and aren't themselves complete. They're provided as examples +# of how to achieve different things. + +examples: +# Multi-phone example. Numbers separated by a : are used sequentially. +# Numbers separated by a | are used if the previous dial or login script +# failed. Usually, you will prefer to use only one of | or :, but both +# are allowed. +# + set phone 12345678|12345679:12345670|12345671 +# +# Some phone numbers may include # characters - don't forget to escape +# (or quote) them: +# + set phone "12345##678" +# +# Ppp can accept control instructions from the ``pppctl'' program. +# First, you must set up your control socket. It's safest to use +# a UNIX domain socket, and watch the permissions: +# + set server /var/run/ppp/internet MySecretPassword 0177 +# +# Although a TCP port may be used if you want to allow control +# connections from other machines: +# + set server 6670 MySecretpassword +# +# If you don't like ppp's builtin chat, use an external one: +# + set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\"" +# +# If we have a ``strange'' modem that must be re-initialized when we +# hangup: +# + set hangup "\"\" AT OK-AT-OK ATZ OK" +# +# To adjust logging without blowing away the setting in default: +# + set log -command +tcp/ip +# +# To see log messages on the screen in interactive mode: +# + set log local LCP IPCP CCP +# +# If you're seeing a lot of magic number problems and failed connections, +# try this (see the man page): +# + set openmode active 5 +# +# For noisy lines, we may want to reconnect (up to 20 times) after loss +# of carrier, with 3 second delays between each attempt: +# + set reconnect 3 20 +# +# When playing server for M$ clients, tell them who our NetBIOS name +# servers are: +# + set nbns 
10.0.0.1 10.0.0.2 +# +# Inform the client if they ask for our DNS IP numbers: +# + enable dns +# +# If you don't want to tell them what's in your /etc/resolv.conf file +# with `enable dns', override the values: +# + set dns 10.0.0.1 10.0.0.2 +# +# Some people like to prioritize DNS packets: +# + set urgent udp +53 +# +# If we're using the -nat switch, redirect ftp and http to an internal +# machine: +# + nat port tcp 10.0.0.2:ftp ftp + nat port tcp 10.0.0.2:http http +# +# or don't trust the outside at all +# + nat deny_incoming yes +# +# I trust user brian to run ppp, so this goes in the `default' section: +# + allow user brian +# +# But label `internet' contains passwords that even brian can't have, so +# I empty out the user access list in that section so that only root can +# have access: +# + allow users +# +# I also may wish to set up my ppp login script so that it asks the client +# for the label they wish to use. I may only want user ``dodgy'' to access +# their own label in direct mode: +# +dodgy: + allow user dodgy + allow mode direct +# +# We don't want certain packets to keep our connection alive +# + set filter alive 0 deny udp src eq 520 # routed + set filter alive 1 deny udp dst eq 520 # routed + set filter alive 2 deny udp src eq 513 # rwhod + set filter alive 3 deny udp src eq 525 # timed + set filter alive 4 deny udp src eq 137 # NetBIOS name service + set filter alive 5 deny udp src eq 138 # NetBIOS datagram service + set filter alive 6 deny tcp src eq 139 # NetBIOS session service + set filter alive 7 deny udp dst eq 137 # NetBIOS name service + set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service + set filter alive 9 deny tcp dst eq 139 # NetBIOS session service + set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside + set filter alive 11 permit 0/0 0/0 +# +# And in auto mode, we don't want certain packets to cause a dialup +# + set filter dial 0 deny udp src eq 513 # rwhod + set filter dial 1 deny udp src eq 525 # 
timed + set filter dial 2 deny udp src eq 137 # NetBIOS name service + set filter dial 3 deny udp src eq 138 # NetBIOS datagram service + set filter dial 4 deny tcp src eq 139 # NetBIOS session service + set filter dial 5 deny udp dst eq 137 # NetBIOS name service + set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service + set filter dial 7 deny tcp dst eq 139 # NetBIOS session service + set filter dial 8 deny tcp finrst # Badly closed TCP channels + set filter dial 9 permit 0 0 +# +# Once the line's up, allow these connections +# + set filter in 0 permit tcp dst eq 113 # ident + set filter out 0 permit tcp src eq 113 # ident + set filter in 1 permit tcp src eq 23 estab # telnet + set filter out 1 permit tcp dst eq 23 # telnet + set filter in 2 permit tcp src eq 21 estab # ftp + set filter out 2 permit tcp dst eq 21 # ftp + set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data + set filter out 3 permit tcp dst eq 20 # ftp-data + set filter in 4 permit udp src eq 53 # DNS + set filter out 4 permit udp dst eq 53 # DNS + set filter in 5 permit 192.244.191.0/24 0/0 # Where I work + set filter out 5 permit 0/0 192.244.191.0/24 # Where I work + set filter in 6 permit icmp # pings + set filter out 6 permit icmp # pings + set filter in 7 permit udp dst gt 33433 # traceroute + set filter out 7 permit udp dst gt 33433 # traceroute + +# +# ``dodgynet'' is an example intended for an autodial configuration which +# is connecting a local network to a host on an untrusted network. 
+dodgynet: + set log Phase # Log link uptime + allow mode auto # For autoconnect only + set device /dev/cuau1 # Define modem device and speed + set speed 115200 + deny lqr # Don't support LQR + set phone 0W1194 # Remote system phone number, + set authname "pppLogin" # login + set authkey "MyPassword" # and password + set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer + TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ + ATE1Q0M0 OK \\dATDT\\T \ + TIMEOUT 40 CONNECT" + set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system + gin:--gin: \\U word: \\P" + + # Drop the link after 15 minutes of inactivity + # Inactivity is defined by the `set filter alive' line below + set timeout 900 + + # Hard-code remote system to appear within local subnet and use proxy arp + # to make this system the gateway for the rest of the local network + set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 + enable proxy + + # Allow any TCP packet to keep the link alive + set filter alive 0 permit tcp + + # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or + # private TCP ports 24 and 4000 + set filter dial 0 7 0 0 tcp dst eq http + set filter dial 1 7 0 0 tcp dst eq login + set filter dial 2 7 0 0 tcp dst eq shell + set filter dial 3 7 0 0 tcp dst eq telnet + set filter dial 4 7 0 0 tcp dst eq ftp + set filter dial 5 7 0 0 tcp dst eq 24 + set filter dial 6 deny ! 0 0 tcp dst eq 4000 + + # From hosts on a couple of local subnets to the remote peer + # If the remote host allowed IP forwarding and we wanted to use it, the + # following rules could be split into two groups to separately validate + # the source and destination addresses. 
+ set filter dial 7 permit 172.17.16.0/20 172.17.20.248 + set filter dial 8 permit 172.17.36.0/22 172.17.20.248 + set filter dial 9 permit 172.17.118.0/26 172.17.20.248 + set filter dial 10 permit 10.123.5.0/24 172.17.20.248 + + # Once the link's up, limit outgoing access to the specified hosts + set filter out 0 4 172.17.16.0/20 172.17.20.248 + set filter out 1 4 172.17.36.0/22 172.17.20.248 + set filter out 2 4 172.17.118.0/26 172.17.20.248 + set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 + + # Allow established TCP connections + set filter out 4 permit 0 0 tcp estab + + # And new connections to http, rlogin, rsh, telnet, ftp and ports + # 24 and 4000 + set filter out 5 permit 0 0 tcp dst eq http + set filter out 6 permit 0 0 tcp dst eq login + set filter out 7 permit 0 0 tcp dst eq shell + set filter out 8 permit 0 0 tcp dst eq telnet + set filter out 9 permit 0 0 tcp dst eq ftp + set filter out 10 permit 0 0 tcp dst eq 24 + set filter out 11 permit 0 0 tcp dst eq 4000 + + # And outgoing icmp + set filter out 12 permit 0 0 icmp + + # Once the link's up, limit incoming access to the specified hosts + set filter in 0 4 172.17.20.248 172.17.16.0/20 + set filter in 1 4 172.17.20.248 172.17.36.0/22 + set filter in 2 4 172.17.20.248 172.17.118.0/26 + set filter in 3 deny ! 
172.17.20.248 10.123.5.0/24 + + # Established TCP connections and non-PASV FTP + set filter in 4 permit 0/0 0/0 tcp estab + set filter in 5 permit 0/0 0/0 tcp src eq 20 + + # Useful ICMP messages + set filter in 6 permit 0/0 0/0 icmp src eq 3 + set filter in 7 permit 0/0 0/0 icmp src eq 4 + set filter in 8 permit 0/0 0/0 icmp src eq 11 + set filter in 9 permit 0/0 0/0 icmp src eq 12 + + # Echo reply (local systems can ping the remote host) + set filter in 10 permit 0/0 0/0 icmp src eq 0 + + # And the remote host can ping the local gateway (only) + set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 + + +# Server side PPP +# +# If you want the remote system to authenticate itself, you must insist +# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and +# PAP are disabled by default. You may enable either or both. If both +# are enabled, CHAP is requested first. If the client doesn't agree, PAP +# will then be requested. +# +# Note: If you use the getty/login process to authenticate users, you +# don't need to enable CHAP or PAP, but the user that has logged +# in *MUST* be a member of the ``network'' group (in /etc/group). +# +# Note: Chap80 and chap81 are Microsoft variations of standard chap (05). +# +# If you wish to allow any user in the passwd database ppp access, you +# can ``enable passwdauth'', but this will only work with PAP. +# +# When the peer authenticates itself, we use ppp.secret for verification +# (although refer to the ``set radius'' command below for an alternative). +# +# Note: We may supply a third field in ppp.secret specifying the IP +# address for that user, a fourth field to specify the +# ppp.link{up,down} label to use and a fifth field to specify +# callback characteristics. +# +# The easiest way to allow transparent LAN access to your dialin users +# is to assign them a number from your local LAN and tell ppp to make a +# ``proxy'' arp entry for them. 
In this example, we have a local LAN +# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our +# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to +# override the dynamic IP number with a static IP number specified in +# ppp.secret. +# +# Ppp is launched with: +# # ppp -direct server +# +server: + enable chap chap80 chap81 pap passwdauth + enable proxy + set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 + accept dns + +# Example of a RADIUS configuration: +# If there are one or more radius servers available, we can use them +# instead of the ppp.secret file. Simply put then in a radius +# configuration file (usually /etc/radius.conf) and give ppp the +# file name. +# Ppp will use the FRAMED characteristics supplied by the radius server +# to configure the link. + +radius-server: + load server # load in the server config from above + set radius /etc/radius.conf + + +# Example to connect using a null-modem cable: +# The important thing here is to allow the lqr packets on both sides. +# Without them enabled, we can't tell if the line's dropped - there +# should always be carrier on a direct connection. +# Here, the server sends lqr's every 10 seconds and quits if five in a +# row fail. +# +# Make sure you don't have "deny lqr" in your default: on the client ! +# If the peer denies LQR, we still send ECHO LQR packets at the given +# lqrperiod interval (ppp-style-pings). +# +direct-client: + set dial + set device /dev/cuau0 + set sp 115200 + set timeout 900 + set lqrperiod 10 + set log Phase Chat LQM + set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" + set ifaddr 10.0.4.2 10.0.4.1 + enable lqr echo + accept lqr + +direct-server: + set timeout 0 + set lqrperiod 10 + set log Phase LQM + set ifaddr 10.0.4.1 10.0.4.2 + enable lqr echo + accept lqr + + +# Example to connect via compuserve +# Compuserve insists on 7 bits even parity during the chat phase. 
Modem +# parity is always reset to ``none'' after the link has been established. +# +compuserve: + set phone 1234567 + set parity even + set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ + word: XXXXXXXX PPP" + set timeout 300 + set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 + delete ALL + add default HISADDR + + +# Example for PPP over TCP. +# We assume that inetd on tcpsrv.mynet has been +# configured to run "ppp -direct tcp-server" when it gets a connection on +# port 1234 with an entry something like this in /etc/inetd.conf.: +# +# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server +# +# with this in /etc/services: +# +# ppp 6671/tcp +# +# Read the man page for further details. +# +# Note, we assume we're using a binary-clean connection. If something +# such as `rlogin' is involved, you may need to ``set escape 0xff'' +# +tcp-client: + set device tcpsrv.mynet:6671 + set dial + set login + set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 + +tcp-server: + set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 + + +# Using UDP is also possible with this in /etc/inetd.conf: +# +# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server +# +# and this in /etc/services: +# +# ppp 6671/udp +# +udp-client: + set device udpsrv.mynet:6671/udp + set dial + set login + set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 + +udp-server: + set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 + + +# Example for PPP testing. 
+# If you want to test ppp, do it through the loopback interface: +# +# Requires a line in /etc/services: +# ppploop 6671/tcp # loopback ppp daemon +# +# and a line in /etc/inetd.conf: +# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in +# +inet-loop: + set timeout 0 + set log phase chat connect lcp ipcp command + set device localhost:ppploop + set dial + set login + set ifaddr 127.0.0.2 127.0.0.3 + set server /var/run/ppp/loop "" 0177 + +inet-loop-in: + set timeout 0 + set log phase lcp ipcp command + allow mode direct + +# Example of a VPN. +# If you're going to create a tunnel through a public network, your VPN +# should be set up something like this: +# +# You should already have set up ssh using ssh-agent & ssh-add. +# +sloop: + load inet-loop + # Passive mode allows ssh plenty of time to establish the connection + set openmode passive + set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in" + + +# or a better VPN solution (which doesn't run IP over a reliable +# protocol like tcp) may be: +# +vpn-client: + set device udpsrv.mynet:1234/udp # PPP over UDP + set dial + set login + set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 + disable deflate pred1 + deny deflate pred1 + enable MPPE # With encryption + accept MPPE + +vpn-server: + set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 + disable deflate pred1 + deny deflate pred1 + enable MPPE + accept MPPE + enable chap81 # Required for MPPE + +# Example of non-PPP callback. +# If you wish to connect to a server that will dial back *without* using +# the ppp callback facility (rfc1570), take advantage of the fact that +# ppp doesn't look for carrier 'till `set login' is complete: +# +# Here, we expect the server to say DIALBACK then disconnect after +# we've authenticated ourselves. When this has happened, we wait +# 60 seconds for a RING. +# +# Note, it's important that we tell ppp not to expect carrier, otherwise +# we'll drop out at the ``NO CARRIER'' stage. 
+# +dialback: + set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ + ATDT\\T TIMEOUT 60 CONNECT" + set cd off + set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ + \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" + +# Example of PPP callback. +# Alternatively, if the peer is using the PPP callback protocol, we're +# happy either with ``auth'' style callback where the server dials us +# back based on what we authenticate ourselves with, ``cbcp'' style +# callback (invented by Microsoft but not agreed by the IETF) where +# we negotiate callback *after* authentication or E.164 callback where +# we specify only a phone number. I would recommend only ``auth'' and/or +# ``cbcp'' callback methods. +# For ``cbcp'', we insist that we choose ``1234567'' as the number that +# the server must call back. +# +callback: + load pmdemand # load in the pmdemand config + set callback auth cbcp e.164 1234567 + set cbcp 1234567 + +# If we're running a ppp server that wants to only call back microsoft +# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): +# +callback-server: + load server + set callback cbcp + set cbcp + set log +cbcp + set redial 3 1 + set device /dev/cuau0 + set speed 115200 + set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" + +# Or if we want to allow authenticated clients to specify their own +# callback number: +# +callback-server-client-decides: + load callback-server + set cbcp * + +# Multilink mode is available (rfc1990). +# To enable multi-link capabilities, you must specify a MRRU. 1500 is +# a reasonable value. To create new links, use the ``clone'' command +# to duplicate an existing link. If you already have more than one +# link, you must specify which link you wish to run the command on via +# the ``link'' command. +# +# It's worth increasing your MTU and MRU slightly in multi-link mode to +# prevent full packets from being fragmented. 
+# +# You can now ``dial'' specific links, or even dial all links at the +# same time. The `dial' command may also be prefixed with a specific +# link that should do the dialing. +# +mloop: + load loop + set device /dev/cuau0 /dev/cuau1 /dev/cuau2 # Use any of these devices + set mode interactive + set mrru 1500 + set mru 1504 # Room for the MP header + clone 1 2 3 + link deflink remove + # dial + # link 2 dial + # link 3 dial + +mloop-in: + set timeout 0 # No idle timer + set log tun phase + allow mode direct + set mrru 1500 + set mru 1504 # Room for the MP header + +# User supplied authentication: +# It's possible to run ppp in the background while specifying a +# program to use to obtain authentication details on demand. +# This program would usually be a simple GUI that presents a +# prompt to a known user. The ``chap-auth'' program is supplied +# as an example (and requires tcl version 8.0). +# +CHAPprompt: + load PAPorCHAPpmdemand + set authkey !/usr/share/examples/ppp/chap-auth + +# It's possible to do the same sort of thing at the login prompt. +# Here, after sending ``brian'' in response to the ``name'' prompt, +# we're prompted with ``code:''. A window is then displayed on the +# ``keep:0.0'' display and the typed response is sent to the peer +# as the password. We then expect to see ``MTU'' and ``.'' in the +# servers response. +# +loginprompt: + load pmdemand + set authname "brian" + set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ + code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ + AUTHNAME\" MTU \\c ." + +# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache +# the MAC address that connects to them, making it impossible to switch +# your PPPoE connection between machines. +# +# The current implementation requires Netgraph, so it doesn't work with +# OpenBSD or NetBSD. 
+# +# The client should be something like this: +# +pppoe: + set device PPPoE:de0:pppoe-in + enable lqr echo + set cd 5 + set dial + set login + set redial 0 0 + +# And the server should be running +# +# /usr/libexec/pppoed -p pppoe-in fxp0 +# +# See rc.conf(5) +# +pppoe-in: + allow mode direct # Only for use on server-side + enable lqr echo proxy # Enable LQR and proxy-arp + enable chap pap passwdauth # Force client authentication + set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers + accept dns # Allow DNS negotiation + +# It's possible to run ppp back-to-back with itself. This is useful +# for testing. +# +# When testing scalability and concurrency, the following profile might +# be used. +# +# Note, you'll have to make some other machine adjustments: +# +# o Bump maxusers in your kernel configuration to about 256 so that there +# are enough process table slots. +# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''. You'll +# need 3 descriptors per ppp process (assuming no server socket). +# +# You can now create 2000 processes (1000 pairs) with: +# +# n=0 +# while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done +# +# If you want to test concurrency, try using ``ppp -dd loop'' instead. +# +loop: + set timeout 0 + set log + set device "!ppp -direct loop-in" + set dial + set login + set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255 + disable deflate pred1 mppe + deny deflate pred1 mppe + +loop-in: + set timeout 0 + set log + allow mode direct + set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255 + disable deflate pred1 mppe + deny deflate pred1 mppe diff --git a/share/examples/ppp/ppp.conf.span-isp b/share/examples/ppp/ppp.conf.span-isp new file mode 100644 index 000000000000..b1c3a143c633 --- /dev/null +++ b/share/examples/ppp/ppp.conf.span-isp 
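Review bot: In the `dodgynet` profile the rule `set filter in 5 permit 0/0 0/0 tcp src eq 20` lets a new inbound TCP connection reach any local port, including privileged ones, purely because the peer chose source port 20; the equivalent rule in the `examples` section at least adds `dst gt 1023`. The `in 0`-`in 3` rules appear to have already narrowed these packets to the peer address, so the remaining exposure is the local port range; `set filter in 5 permit 0/0 0/0 tcp src eq 20 dst gt 1023` keeps non-PASV FTP data working while closing the low ports. Separately, the sample embeds cleartext secrets (`set authkey "MyKey"`, `set authkey "MyPassword"`, the `set server` passwords) and nothing in the header says how the installed ppp.conf should be protected; the note next to `allow users` explains label access, not file access. A line such as `# This file holds authentication secrets; the installed copy should be readable by root only` in the header would make that explicit.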
@@ -0,0 +1,193 @@
+
+# This advanced ppp configuration file explains how to implement
+# the following:
+#
+# ------------- ------------- -------------
+# | host1 | | host2 | | host3 |
+# ------------- ------------- -------------
+# | | |
+# |---------------------- LAN ----------------------|
+# |
+# -------------
+# | Gateway |
+# -------------
+# |
+# -----------------------------------
+# | | | |
+# isp1 isp2 isp3 ispN
+# | | | |
+# -----------------------------------
+# |
+# ------------
+# | Receiver |
+# ------------
+# |
+# Internet
+#
+# The connection is implemented so that any ISP connection can go down
+# without loss of connectivity between the LAN and the Internet. It is
+# of course also possible to shut down any link manually.
+#
+# There is a working example in ppp.*.span-isp.working that can be tested
+# on a single machine !
+#
+#
+# Prerequisites:
+#
+# o The Receiver machine must be in the outside world and must be willing
+# to accept a multilink ppp connection over UDP, assigning a routable IP
+# number to the Gateway machine. This probably means that it must be
+# a *BSD box as I know of no other ppp implementations that can use UDP
+# as a transport.
+#
+# o The Receiver machine must be multi-homed with at least N+1 addresses
+# where N is the maximun number of ISPs that you wish to use
+# simultaneously. We assume the IP numbers to be RIP1, RIP2 ... RIPN.
+# REAL-LOCAL-IP is the real IP number of the Receiver machine (and must
+# not be the same as any of the RIP* numbers).
+#
+# o Both the Gateway and the Receiver machines must have several tun
+# interfaces configured into the kernel (see below).
+#
+# o Both the Gateway and the Receiver machines must have the following
+# entry in /etc/services:
+#
+# ppp 6671/udp
+#
+# The port number isn't important, but it must be consistent across
+# machines.
+#
+# o The Receiver machine must have the following entry in
+# /etc/inetd.conf:
+#
+# ppp dgram udp wait root /usr/sbin/ppp ppp -direct vpn-in
+#
+# Note: Because inetd ``wait''s for ppp to finish, a single ppp
+# invocation receives all incoming packets. This creates
+# havoc with LQR magic number checks, so LQR *must not* be
+# enabled.
+# Also, -direct invocations of ppp do sendto()s using the
+# address that was last recvfrom()d. This means that the
+# returning traffic is a bit unbalanced. Perhaps ppp should
+# be smart enough to automatically clone an existing link
+# when it detects a new incoming address.... tricky !
+#
+# If you use ppp to connect to your ISPs, the isp* profiles shold be used,
+# resulting in the vpn* profiles being called from ppp.linkup.span-isp.
+# These invocations will bond together into a MP ppp invocation.
+#
+# If the link to your ISP is via another type of interface (cable modem
+# etc), simply configure the interface with a netmask of 0xffffffff and
+# add a route to RIPN via the interface address (no default). You can
+# then start ppp using the vpn-nic label.
+#
+# The Receiver machine should have N tun interfaces (where N is the maximum
+# number of ISPs that you wish to use simultaneously). The Gateway machine
+# requires N interfaces plus an additional N interfaces (total 2 * N) if
+# you're using ppp to talk to the ISPs.
+
+# Using ppp to connect to your ISPs (PPP over UDP over PPP):
+#
+# When we connect to our ISPs using ppp, we start the MP ppp invocation
+# from ppp.linkup (see ppp.linkup.span-isp) for each link. We also remove
+# the link from ppp.linkdown (see ppp.linkdown.span-isp). This is necessary
+# because relying on our LQR strategy (dropping the link after 5 missing
+# replies) is just too slow to be practical in this environment.
+#
+# This works because the MP invocations are smart enough to recognise that
+# another process is already running and to pass the link over to that
+# running version.
+#
+# Only the ISP links should be started manually. When they come up, they'll
+# start the MP invocation.
+
+default:
+ set speed 115200
+ set device /dev/cuau0 /dev/cuau1 /dev/cuau2 /dev/cuau3
+ set dial "ABORT BUSY ABORT NO\\sCARRIER ABORT NO\\sDIAL\\sTONE TIMEOUT 4 \
+ \"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"
+ set login
+ set redial 3 5
+ set timeout 0
+ enable lqr echo
+ set lqrperiod 15
+
+isp1:
+ set phone "1234567"
+ set authname "isp1name"
+ set authkey "isp1key"
+ add! RIP1/32 HISADDR
+
+isp2:
+ set phone "2345678"
+ set authname "isp2name"
+ set authkey "isp2key"
+ add! RIP2/32 HISADDR
+
+ispN:
+ set phone "3456789"
+ set authname "ispNname"
+ set authkey "ispNkey"
+ add! RIPN/32 HISADDR
+
+
+# Our MP version of ppp. vpn is a generic label used by each of the
+# other vpn invocations by envoking ppp with both labels (see
+# ppp.linkup.span-isp).
+# Each ``set device'' command tells ppp to use UDP packets destined for
+# the given IP/port as the link (transport). The routing table will
+# ensure that these UDP packets use the correct ISP connection.
+
+vpn:
+ set enddisc LABEL
+ set speed sync
+ set mrru 1500
+ set mru 1504 # Room for the MP header
+ nat enable yes
+ set authname "vpnname"
+ set authkey "vpnkey"
+ add! default HISADDR
+ disable deflate pred1 lqr
+ deny deflate pred1
+
+vpn1:
+ rename 1
+ set device RIP1:ppp/udp
+
+vpn2:
+ rename 2
+ set device RIP2:ppp/udp
+
+vpnN:
+ rename N
+ set device RIPN:ppp/udp
+
+vpn-nic:
+ load vpn
+ clone 1 2 N
+ link deflink rm
+ link 1 set device RIP1:ppp/udp
+ link 2 set device RIP2:ppp/udp
+ link N set device RIPN:ppp/udp
+
+# The Receiver profile is a bit more straight forward, as it doesn't need
+# to get bogged down with sublinks. Replace REAL-ASSIGNED-IP with the
+# IP number to be assigned to the Gateway machine. Replace REAL-LOCAL-IP
+# with the real IP number of the Receiver machine.
+#
+# No other entries are required on the Receiver machine, and this entry
+# is not required on the Gateway machine. The Receiver machine also
+# requires the contents of ppp.secret.span-isp.
+#
+# Of course it's simple to assign an IP block to the client with a simple
+# ``add'' command, and then have the client use those IP numbers on its
+# LAN rather than using ``nat enable yes''.
+
+vpn-in:
+ set enddisc label
+ set speed sync
+ set mrru 1500
+ set mru 1504 # Room for the MP header
+ enable chap
+ disable lqr
+ set ifaddr REAL-LOCAL-IP REAL-ASSIGNED-IP
diff --git a/share/examples/ppp/ppp.conf.span-isp.working b/share/examples/ppp/ppp.conf.span-isp.working
new file mode 100644
index 000000000000..312a1de4c401
--- /dev/null
+++ b/share/examples/ppp/ppp.conf.span-isp.working
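Review bot: The vpn-in profile on the Receiver accepts multilink PPP datagrams from anything that reaches the `ppp` UDP port, and the inetd line quoted in the header comment starts that ppp as root, so the CHAP exchange enabled by `enable chap` is the only authentication and it happens after the datagram has already been handed to a root process. The example does not say that the port should be reachable only from the Gateway's ISP-assigned addresses (RIP1..RIPN side), which is the natural mitigation for a service exposed like this. I would add above `vpn-in:` a comment such as `# The ppp/udp port is reachable by anyone who can route to REAL-LOCAL-IP; restrict it with a packet filter to the Gateway's ISP addresses, since CHAP only runs after inetd has started ppp (as root) for the datagram.`. The isp*key and vpnkey strings are clearly placeholders, but saying so next to `set authkey` would stop them being copied into a live ppp.conf unchanged.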
@@ -0,0 +1,106 @@
+
+# This is a working example of ppp.conf.span-isp that uses ppp connections
+# to the same machine through 3 null-modem serial cables.
+#
+# cuaD03 <-> cuaD04
+# cuaD01 <-> cuaD06
+# cuaD00 <-> cuaD07
+#
+# with gettys running on cuaD04, cuaD06 and cuaD07. The gettytab entry
+# for these devices has a pp= capability that references a script that
+# says:
+#
+# #! /bin/sh
+# tty=$(tty)
+# exec /usr/sbin/pppin -direct isp-in-${tty#${tty%?}}
+#
+# The whole thing is brought up with these commands:
+#
+# ppp -b isp1
+# ppp -b isp2
+# ppp -b isp3
+#
+# Something rather strange happens here.
+# If you connect to the vpn-in diagnostic socket with ``pppctl
+# /var/run/ppp/vpn-in'' and do a ``show links'', only a single link shows up.
+# If you connect to the vpn diagnostic socket (which is created in
+# ppp.linkup.span-isp.working, you see three links. This is because inetd
+# is told to ``wait'' for ppp to finish and the receiving ppp gets to
+# handle all incoming packets on the first descriptor.
+#
+# This is why enabling LQR won't work - VPN-IN has magic number problems,
+# fails to reply to LQRs and the VPN invocations end up shutting down.
+#
+# If anyone can come up with a better way of doing PPP over UDP I'd be
+# interrested to hear it. Currently, the server doesn't connect() or
+# bind().... but the client connect()s. Is there any other way ?
+#
+# Answers on a postcard please ! (to brian@Awfulhak.org)
+#
+
+default:
+ set speed 115200
+ set device /dev/cuaD00 /dev/cuaD01 /dev/cuaD03
+ set dial
+ set login
+ set redial 3 5
+ set timeout 0
+ enable lqr echo
+ set lqrperiod 15
+
+isp1:
+ set authname "isp1name"
+ set authkey "isp1key"
+
+isp2:
+ set authname "isp2name"
+ set authkey "isp2key"
+
+isp3:
+ set authname "isp3name"
+ set authkey "isp3key"
+
+
+vpn:
+ set enddisc LABEL
+ set speed sync
+ set mrru 1500
+ set mru 1504 # Room for the MP header
+ set authname "vpnname"
+ set authkey "vpnkey"
+ add! 
default HISADDR
+ disable deflate pred1 lqr
+ deny deflate pred1
+
+vpn1:
+ rename 1
+ set device 127.0.2.7:ppp/udp
+
+vpn2:
+ rename 2
+ set device 127.0.2.6:ppp/udp
+
+vpn3:
+ rename 3
+ set device 127.0.2.4:ppp/udp
+
+
+vpn-in:
+ set enddisc label
+ set speed sync
+ set mrru 1500
+ set mru 1504 # Room for the MP header
+ enable chap
+ disable lqr
+ set ifaddr 127.0.0.2 127.0.0.3
+ set server /var/run/ppp/vpn-in "" 0177
+
+
+isp-in-7:
+ set ifaddr 127.0.2.7 127.0.3.7
+
+isp-in-6:
+ set ifaddr 127.0.2.6 127.0.3.6
+
+isp-in-4:
+ set ifaddr 127.0.2.4 127.0.3.4
diff --git a/share/examples/ppp/ppp.linkdown.sample b/share/examples/ppp/ppp.linkdown.sample
new file mode 100644
index 000000000000..1507f8c7c543
--- /dev/null
+++ b/share/examples/ppp/ppp.linkdown.sample
@@ -0,0 +1,33 @@
+#########################################################################
+#
+# Example of ppp.linkdown file
+#
+# This file is checked when ppp closes a connection.
+# ppp searches the labels in this file as follows:
+#
+# 1) The label that matches the IP number assigned to our side.
+#
+# 2) The label specified on the command line to ppp.
+#
+# 3) If no label has been found, use MYADDR if it exists.
+#
+#
+#
+#########################################################################
+
+# We don't really need to do much here. If we have notified a DNS
+# of our temporary IP number, we may want to ``un-notify'' them.
+#
+# If you're into sound effects when the link goes down, you can run
+# ``auplay'' (assuming NAS is installed and configured).
+#
+MYADDR:
+ !bg /usr/local/bin/auplay /etc/ppp/linkdown.au
+
+# If you're running ``ppp -auto -nat dynamic-nat-auto'', and are
+# assigned a dynamic IP number by the peer, this may be worth while
+# to keep the interface aliases to a minimum (see ``enable iface-alias''
+# in the man page):
+#
+dynamic-nat-auto:
+ iface clear
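Review bot: `set server /var/run/ppp/vpn-in "" 0177` in vpn-in opens the diagnostic socket with an empty password, so access control rests entirely on the socket's file mode derived from the 0177 mask (0600 if ppp applies it as a umask, which I have not verified from this page). That is reasonable when only root is meant to drive the socket, but the example does not say so, and the same construct appears in ppp.linkup.span-isp and ppp.linkup.span-isp.working (`set server /var/run/ppp/vpn "" 0177`). I would add next to the line `# No password: the socket mode (from the 0177 mask) is the only protection, so keep it root-owned.`. Separately, `default` carries `enable lqr echo` while vpn-in has `disable lqr`; the header comment explains why, and a one-line pointer to it next to `disable lqr` would save readers the search.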
diff --git a/share/examples/ppp/ppp.linkdown.span-isp b/share/examples/ppp/ppp.linkdown.span-isp
new file mode 100644
index 000000000000..a9cdcfc8d488
--- /dev/null
+++ b/share/examples/ppp/ppp.linkdown.span-isp
@@ -0,0 +1,16 @@
+
+# Refer to ppp.conf.span-isp for a description of what this file is for.
+# This file is only required on the Gateway machine.
+
+# The ISP links start our MP version of ppp as they come up
+isp1:
+ !bg pppctl /var/run/ppp/vpn link 1 close
+
+isp2:
+ !bg pppctl /var/run/ppp/vpn link 2 close
+
+ispN:
+ !bg pppctl /var/run/ppp/vpn link N close
+
+vpn:
+ set server none
diff --git a/share/examples/ppp/ppp.linkdown.span-isp.working b/share/examples/ppp/ppp.linkdown.span-isp.working
new file mode 100644
index 000000000000..29ce3924e95c
--- /dev/null
+++ b/share/examples/ppp/ppp.linkdown.span-isp.working
@@ -0,0 +1,16 @@
+
+# This is a working example of ppp.linkdown.span-isp that uses ppp connections
+# to the same machine through 3 null-modem serial cables.
+
+# The ISP links start our MP version of ppp as they come up
+isp1:
+ !bg pppctl /var/run/ppp/vpn link 1 close
+
+isp2:
+ !bg pppctl /var/run/ppp/vpn link 2 close
+
+isp3:
+ !bg pppctl /var/run/ppp/vpn link 3 close
+
+vpn:
+ set server none
diff --git a/share/examples/ppp/ppp.linkup.sample b/share/examples/ppp/ppp.linkup.sample
new file mode 100644
index 000000000000..bce44414e880
--- /dev/null
+++ b/share/examples/ppp/ppp.linkup.sample
@@ -0,0 +1,53 @@
+#########################################################################
+#
+# Example of ppp.linkup file
+#
+# This file is checked when ppp establishes a connection.
+# ppp searches the labels in this file as follows:
+#
+# 1) The label that matches the IP number assigned to our side.
+#
+# 2) The label specified on the command line to ppp.
+#
+# 3) If no label has been found, use MYADDR if it exists.
+#
+#
+#
+#########################################################################
+
+# It is no longer necessary to re-add the default route here as our
+# ppp.conf route is `sticky' (see the man page).
+# If you're into sound effects when the link comes up, you can run
+# ``auplay'' (assuming NAS is installed and configured).
+#
+MYADDR:
+ !bg /usr/X11R6/bin/auplay /etc/ppp/linkup.au
+
+# If we've got 192.244.176.32 as our address, then regard peer as a gateway
+# to 192.244.176.0 network. This may also be done in ppp.conf instead.
+#
+192.244.176.32:
+ add 192.244.176.0 0 HISADDR
+
+# You may want to execute a script after connecting. This script can do
+# nice things such as kick off "sendmail -q", "popclient my.isp" and
+# "slurp -d news". It can be passed MYADDR, HISADDR and INTERFACE
+# as arguments too - useful for informing a DNS of your assigned IP.
+#
+# NOTE: It's vital that you use ``!bg'' rather than ``!'' if the program
+# you're running will take some time or will require network
+# connectivity. Using ``!'' will delay ppp 'till the completion
+# of the program being run!
+#
+# You may also want some sound effects....
+#
+pmdemand:
+ !bg /etc/ppp/ppp.etherup.pmdemand
+ ! sh -c "cat /etc/ppp/linkup.au >/dev/audio"
+
+# If your minimum call charge is 5 minutes, you may as well stay on
+# the line for that amount of time. If we want a 60 second subsequent
+# timeout, set your timeout to 300 in ppp.conf and then do this:
+#
+min5minutes:
+ !bg sh -c "sleep 240; pppctl -p mypassword 3000 set timeout 60"
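Review bot: The `min5minutes` label passes the diagnostic-port password on pppctl's command line (`pppctl -p mypassword 3000 set timeout 60`), so it is visible to every local user through ps(1) while pppctl runs, and it also sits in clear text in ppp.linkup. A local socket protected by its file mode, as the span-isp examples do with `set server /var/run/ppp/vpn "" 0177`, avoids putting a secret on a command line at all. I would add above the label `# NOTE: a password given to pppctl -p is visible to other local users via ps(1); prefer a local socket protected by file permissions.`. The commands run through `!` and `!bg` execute with ppp's own privileges, so the scripts they name (e.g. /etc/ppp/ppp.etherup.pmdemand) should not be writable by anyone else, which the file header could state alongside the existing `!bg` advice.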
diff --git a/share/examples/ppp/ppp.linkup.span-isp b/share/examples/ppp/ppp.linkup.span-isp
new file mode 100644
index 000000000000..819604d7fd22
--- /dev/null
+++ b/share/examples/ppp/ppp.linkup.span-isp
@@ -0,0 +1,16 @@
+
+# Refer to ppp.conf.span-isp for a description of what this file is for.
+# This file is only required on the Gateway machine.
+
+# The ISP links start our MP version of ppp as they come up
+isp1:
+ !bg ppp -background vpn1 vpn
+
+isp2:
+ !bg ppp -background vpn2 vpn
+
+ispN:
+ !bg ppp -background vpnN vpn
+
+vpn:
+ set server /var/run/ppp/vpn "" 0177
diff --git a/share/examples/ppp/ppp.linkup.span-isp.working b/share/examples/ppp/ppp.linkup.span-isp.working
new file mode 100644
index 000000000000..6c451a94ba20
--- /dev/null
+++ b/share/examples/ppp/ppp.linkup.span-isp.working
@@ -0,0 +1,16 @@
+
+# This is a working example of ppp.linkup.span-isp that uses ppp connections
+# to the same machine through 3 null-modem serial cables.
+
+# The ISP links start our MP version of ppp as they come up
+isp1:
+ !bg ppp -background vpn1 vpn
+
+isp2:
+ !bg ppp -background vpn2 vpn
+
+isp3:
+ !bg ppp -background vpn3 vpn
+
+vpn:
+ set server /var/run/ppp/vpn "" 0177
diff --git a/share/examples/ppp/ppp.secret.sample b/share/examples/ppp/ppp.secret.sample
new file mode 100644
index 000000000000..8104872b0456
--- /dev/null
+++ b/share/examples/ppp/ppp.secret.sample
@@ -0,0 +1,40 @@
+##################################################
+#
+# Example of ppp.secret file
+#
+# This file is used to authenticate incoming connections.
+# You must ``enable'' either PAP or CHAP in your ppp.conf file.
+# The peer may then use any of the Authname/Authkey pairs listed.
+# Additionally, if ``passwdauth'' is enabled and an entry isn't
+# found in this file, the passwd(5) database is used.
+#
+# If the password is specified as "*", look it up in passwd(5).
+# This doesn't work for CHAP connections as ppp must have access
+# to the unencrypted password for CHAP.
+#
+# If an IP address or address range is given as the third field, it
+# will be assigned to the peer. A ``*'' or an empty field may be
+# used as a placeholder if you do not wish to override the IP
+# address, but wish to specify further fields.
+#
+# If a label is given as the forth field, it is used when reading
+# the ppp.linkup and ppp.linkdown files. A ``*'' or an empty field
+# can be used as a placeholder if you do not wish to override the
+# label, but wish to specify further fields.
+#
+# If a phone number or list of phone numbers is given as the fifth
+# field, these numbers will be used to call back the client if
+# ``auth'' or ``cbcp'' callback is enabled (see ``set callback'').
+# A ``*'' specifies that the client must specify the number.
+#
+#
+##################################################
+
+# Authname Authkey Peer's IP address Label Callback
+
+oscar OurSecretKey 192.2.18.34
+BigBird X4dWg9327 192.2.18.33/32
+fred * * fred
+subnet * 192.2.18.35-192.2.18.70 subnet
+admin * * * *
+homeworker * * * 1234567
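Review bot: The header comment explains the field layout but never says that the Authkey column is stored in cleartext (the passwd(5) paragraph implies it, since CHAP needs the unencrypted password), so it should also state the file protection this requires; the same omission is in ppp.secret.span-isp and ppp.secret.span-isp.working. I would add after the passwd(5) paragraph `# Authkeys are stored in cleartext, so this file must be readable only` / `# by the user ppp runs as (normally root), e.g. owner root, mode 0600.`. The values OurSecretKey and X4dWg9327 are obviously samples, but a sentence saying the file is to be rewritten rather than copied into place would keep them from being installed as working credentials.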
@@ -0,0 +1,5 @@
+
+# Refer to ppp.conf.span-isp for a description of what this file is for.
+# This file is only required on the Receiver machine.
+
+vpnname vpnkey
diff --git a/share/examples/ppp/ppp.secret.span-isp.working b/share/examples/ppp/ppp.secret.span-isp.working
new file mode 100644
index 000000000000..8b76d1560812
--- /dev/null
+++ b/share/examples/ppp/ppp.secret.span-isp.working
@@ -0,0 +1,8 @@
+
+# This is a working example of ppp.secret.span-isp that uses ppp connections
+# to the same machine through 3 null-modem serial cables.
+
+isp1name isp1key
+isp2name isp2key
+isp3name isp3key
+vpnname vpnkey |
