40# or by demanding PAP or CHAP authentication from the client.
41#
42
43# An on demand example where we have dynamic IP addresses and wish to
44# use a unix-style login script:
45#
46# If the peer assigns us an arbitrary IP (most ISPs do this) and we
47# can't predict what their IP will be either, take a wild guess at
48# some IPs that you can't currently route to. Ppp can change this
49# when the link comes up.
50#
51# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
52# specified IP actually being correct, therefore, the other side can assign
53# any IP number.
54#
55# The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
56# IP number, forcing the peer to make the decision. This is necessary
57# when negotiating with some (broken) ppp implementations.
58#
59# This entry also works with static IP numbers or when not in -auto mode.
60# The ``add'' line adds a `sticky' default route that will be updated if
61# and when any of the IP numbers are changed in IPCP negotiations.
62# The "set ifaddr" is required in -auto mode.
63#
64# Finally, the ``enable dns'' line tells ppp to ask the peer for the
65# nameserver addresses that should be used. This isn't always supported
66# by the other side, but if it is, ppp will update /etc/resolv.conf with
67# the correct nameserver values at connection time.
68#
69# The login script shown says that you're expecting ``ogin:''. If you
70# don't receive that, send a ``\n'' and expect ``ogin:'' again. When
71# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
72# You *MUST* customise this login script according to your local
73# requirements.
74#
75pmdemand:
76 set phone 1234567
77 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
78 set timeout 120
79 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
80 add default HISADDR
81 enable dns
82
83# If you want to use PAP or CHAP instead of using a unix-style login
| 40# or by demanding PAP or CHAP authentication from the client.
41#
42
43# An on demand example where we have dynamic IP addresses and wish to
44# use a unix-style login script:
45#
46# If the peer assigns us an arbitrary IP (most ISPs do this) and we
47# can't predict what their IP will be either, take a wild guess at
48# some IPs that you can't currently route to. Ppp can change this
49# when the link comes up.
50#
51# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
52# specified IP actually being correct, therefore, the other side can assign
53# any IP number.
54#
55# The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
56# IP number, forcing the peer to make the decision. This is necessary
57# when negotiating with some (broken) ppp implementations.
58#
59# This entry also works with static IP numbers or when not in -auto mode.
60# The ``add'' line adds a `sticky' default route that will be updated if
61# and when any of the IP numbers are changed in IPCP negotiations.
62# The "set ifaddr" is required in -auto mode.
63#
64# Finally, the ``enable dns'' line tells ppp to ask the peer for the
65# nameserver addresses that should be used. This isn't always supported
66# by the other side, but if it is, ppp will update /etc/resolv.conf with
67# the correct nameserver values at connection time.
68#
69# The login script shown says that you're expecting ``ogin:''. If you
70# don't receive that, send a ``\n'' and expect ``ogin:'' again. When
71# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
72# You *MUST* customise this login script according to your local
73# requirements.
74#
75pmdemand:
76 set phone 1234567
77 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
78 set timeout 120
79 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
80 add default HISADDR
81 enable dns
82
83# If you want to use PAP or CHAP instead of using a unix-style login
|
85# should send PAP or CHAP. By default, we send whatever we're asked for.
86#
87# You *MUST* customise ``MyName'' and ``MyKey'' below.
88#
89PAPorCHAPpmdemand:
90 set phone 1234567
91 set login
92 set authname MyName
93 set authkey MyKey
94 set timeout 120
95 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
96 add default HISADDR
97 enable dns
98
99# On demand dialup example with static IP addresses:
100# Here, the local side uses 192.244.185.226 and the remote side
101# uses 192.244.176.44.
102#
103# # ppp -auto ondemand
104#
105# With static IP numbers, our setup is similar to dynamic:
106# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
107# a "ondemand" label, and finally the "MYADDR" label.
108#
109ondemand:
110 set phone 1234567
111 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
112 set timeout 120
113 set ifaddr 192.244.185.226 192.244.176.44
114 add default HISADDR
115 enable dns
116
117# Example segments
118#
119# The following lines may be included as part of your configuration
120# section and aren't themselves complete. They're provided as examples
121# of how to achieve different things.
122
123examples:
124# Multi-phone example. Numbers separated by a : are used sequentially.
125# Numbers separated by a | are used if the previous dial or login script
126# failed. Usually, you will prefer to use only one of | or :, but both
127# are allowed.
128#
129 set phone 12345678|12345679:12345670|12345671
130#
131# Ppp can accept control instructions from the ``pppctl'' program.
132# First, you must set up your control socket. It's safest to use
133# a UNIX domain socket, and watch the permissions:
134#
135 set server /var/tmp/internet MySecretPassword 0177
136#
137# Although a TCP port may be used if you want to allow control
138# connections from other machines:
139#
140 set server 6670 MySecretpassword
141#
142# If you don't like ppp's builtin chat, use an external one:
143#
144 set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
145#
146# If we have a ``strange'' modem that must be re-initialized when we
147# hangup:
148#
149 set hangup "\"\" AT OK-AT-OK ATZ OK"
150#
151# To adjust logging withouth blasting the setting in default:
152#
153 set log -command +tcp/ip
154#
155# To see log messages on the screen in interactive mode:
156#
157 set log local LCP IPCP CCP
158#
159# If you're seeing a lot of magic number problems and failed connections,
160# try this (see the man page):
161#
162 set openmode active 5
163#
164# For noisy lines, we may want to reconnect (up to 20 times) after loss
165# of carrier, with 3 second delays between each attempt:
166#
167 set reconnect 3 20
168#
169# When playing server for M$ clients, tell them who our NetBIOS name
170# servers are:
171#
172 set nbns 10.0.0.1 10.0.0.2
173#
174# Inform the client if they ask for our DNS IP numbers:
175#
176 enable dns
177#
178# If you don't want to tell them what's in your /etc/resolf.conf file
179# with `enable dns', override the values:
180#
181 set dns 10.0.0.1 10.0.0.2
182#
183# If we're using the -alias switch, redirect ftp and http to an internal
184# machine:
185#
186 alias port 10.0.0.2:ftp ftp
187 alias port 10.0.0.2:http http
188#
189# or don't trust the outside at all
190#
191 alias deny_incoming yes
192#
193# I trust user brian to run ppp, so this goes in the `default' section:
194#
195 allow user brian
196#
197# But label `internet' contains passwords that even brian can't have, so
198# I empty out the user access list in that section so that only root can
199# have access:
200#
201 allow users
202#
203# I also may wish to set up my ppp login script so that it asks the client
204# for the label they wish to use. I may only want user ``dodgy'' to access
205# their own label in direct mode:
206#
207dodgy:
208 allow user dodgy
209 allow mode direct
210#
211# If we don't want ICMP and DNS packets to keep the connection alive:
212#
213 set filter alive 0 deny icmp
214 set filter alive 1 deny udp src eq 53
215 set filter alive 2 deny udp dst eq 53
216 set filter alive 3 permit 0 0
217#
218# And we don't want ICMPs to cause a dialup:
219#
220 set filter dial 0 deny icmp
221 set filter dial 1 permit 0 0
222#
223# or any TCP SYN or RST packets (badly closed TCP channels):
224#
225 set filter dial 2 deny 0 0 tcp syn finrst
226#
227# Once the line's up, allow connections for ident (113), telnet (23),
228# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
229# ICMP (ping) and traceroute (>33433).
230#
231# Anything else is blocked by default
232#
233 set filter in 0 permit tcp dst eq 113
234 set filter out 0 permit tcp src eq 113
235 set filter in 1 permit tcp src eq 23 estab
236 set filter out 1 permit tcp dst eq 23
237 set filter in 2 permit tcp src eq 21 estab
238 set filter out 2 permit tcp dst eq 21
239 set filter in 3 permit tcp src eq 20 dst gt 1023
240 set filter out 3 permit tcp dst eq 20
241 set filter in 4 permit udp src eq 53
242 set filter out 4 permit udp dst eq 53
243 set filter in 5 permit 192.244.191.0/24 0/0
244 set filter out 5 permit 0/0 192.244.191.0/24
245 set filter in 6 permit icmp
246 set filter out 6 permit icmp
247 set filter in 7 permit udp dst gt 33433
248 set filter out 7 permit udp dst gt 33433
249
250
251# Server side PPP
252#
253# If you want the remote system to authenticate itself, you must insist
254# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and
255# PAP are disabled by default. You may enable either or both. If both
256# are enabled, CHAP is requested first. If the client doesn't agree, PAP
257# will then be requested.
258#
259# Note: If you use the getty/login process to authenticate users, you
260# don't need to enable CHAP or PAP, but the user that has logged
261# in *MUST* be a member of the ``network'' group (in /etc/group).
262#
263# If you wish to allow any user in the passwd database ppp access, you
264# can ``enable passwdauth''.
265#
266# When the peer authenticates itself, we use ppp.secret for verification
267# (although refer to the ``set radius'' command below for an alternative).
268#
269# Note: We may supply a third field in ppp.secret specifying the IP
270# address for that user, a forth field to specify the
271# ppp.link{up,down} label to use and a fifth field to specify
272# callback characteristics.
273#
274# The easiest way to allow transparent LAN access to your dialin users
275# is to assign them a number from your local LAN and tell ppp to make a
276# ``proxy'' arp entry for them. In this example, we have a local LAN
277# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
278# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to
279# override the dynamic IP number with a static IP number specified in
280# ppp.secret.
281#
282# Ppp is launched with:
283# # ppp -direct server
284#
285server:
286 enable chap
287 enable pap
288 enable passwdauth
289 enable proxy
290 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
291 accept dns
292
293# Example of a RADIUS configuration:
294# If there are one or more radius servers available, we can use them
295# instead of the ppp.secret file. Simply put then in a radius
296# configuration file (usually /etc/radius.conf) and give ppp the
297# file name.
298# Ppp will use the FRAMED characteristics supplied by the radius server
299# to configure the link.
300
301radius-server:
302 load server
303 set radius /etc/radius.conf
304
305
306# Example to connect using a null-modem cable:
307# The important thing here is to allow the lqr packets on both sides.
308# Without them enabled, we can't tell if the line's dropped - there
309# should always be carrier on a direct connection.
310# Here, the server sends lqr's every 10 seconds and quits if five in a
311# row fail.
312#
313# Make sure you don't have "deny lqr" in your default: on the client !
314# If the peer denies LQR, we still send ECHO LQR packets at the given
315# lqrperiod interval (ppp-style-pings).
316#
317direct-client:
318 set dial ""
319 set device /dev/cuaa0
320 set sp 115200
321 set timeout 900
322 set lqrperiod 10
323 set log Phase Chat LQM
324 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
325 set ifaddr 10.0.4.2 10.0.4.1
326 enable lqr
327 accept lqr
328
329direct-server:
330 set timeout 0
331 set lqrperiod 10
332 set log Phase LQM
333 set ifaddr 10.0.4.1 10.0.4.2
334 enable lqr
335 accept lqr
336
337
338# Example to connect via compuserve
339# Compuserve insists on 7 bits even parity during the chat phase. Modem
340# parity is always reset to ``none'' after the link has been established.
341#
342compuserve:
343 set phone 1234567
344 set parity even
345 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
346 word: XXXXXXXX PPP"
347 set timeout 300
348 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
349 delete ALL
350 add default HISADDR
351
352
353# Example for PPP over TCP.
354# We assume that inetd on tcpsrv.mynet has been
355# configured to run "ppp -direct tcp-server" when it gets a connection on
356# port 1234. Read the man page for further details
357#
358# Note, we assume we're using a binary-clean connection. If something
359# such as `rlogin' is involved, you may need to ``set escape 0xff''
360#
361tcp-client:
362 set device tcpsrv.mynet:1234
363 set dial
364 set login
365 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
366
367tcp-server:
368 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
369
370# Example for PPP testing.
371# If you want to test ppp, do it through the loopback interface:
372#
373# Requires a line in /etc/services:
374# ppploop 6671/tcp # loopback ppp daemon
375#
376# and a line in /etc/inetd.conf:
377# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
378#
379loop:
380 set timeout 0
381 set log phase chat connect lcp ipcp command
382 set device localhost:ppploop
383 set dial
384 set login
385 set ifaddr 127.0.0.2 127.0.0.3
386 set server /var/tmp/loop "" 0177
387
388loop-in:
389 set timeout 0
390 set log phase lcp ipcp command
391 allow mode direct
392
393# Example of a VPN.
394# If you're going to create a tunnel through a public network, your VPN
395# should be set up something like this:
396#
397# You should already have set up ssh using ssh-agent & ssh-add.
398#
399sloop:
400 load loop
401 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"
402
403# Example of non-PPP callback.
404# If you wish to connect to a server that will dial back *without* using
405# the ppp callback facility (rfc1570), take advantage of the fact that
406# ppp doesn't look for carrier 'till `set login' is complete:
407#
408# Here, we expect the server to say DIALBACK then disconnect after
409# we've authenticated ourselves. When this has happened, we wait
410# 60 seconds for a RING.
411#
412dialback:
413 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
414 ATDT\\T TIMEOUT 60 CONNECT"
415 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
416 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
417
418# Example of PPP callback.
419# Alternatively, if the peer is using the PPP callback protocol, we're
420# happy either with ``auth'' style callback where the server dials us
421# back based on what we authenticate ourselves with, ``cbcp'' style
422# callback (invented by Microsoft but not agreed by the IETF) where
423# we negotiate callback *after* authentication or E.164 callback where
424# we specify only a phone number. I would recommend only ``auth'' and/or
425# ``cbcp'' callback methods.
426# For ``cbcp'', we insist that we choose ``1234567'' as the number that
427# the server must call back.
428#
429callback:
430 load pmdemand
431 set callback auth cbcp e.164 1234567
432 set cbcp 1234567
433
434# If we're running a ppp server that wants to only call back microsoft
435# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
436#
437callback-server:
438 load server
439 set callback cbcp
440 set cbcp
441 set log +cbcp
442 set redial 3 1
443 set device /dev/cuaa0
444 set speed 115200
445 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
446
447# Or if we want to allow authenticated clients to specify their own
448# callback number:
449#
450callback-server-client-decides:
451 load callback-server
452 set cbcp *
453
454# Multilink mode is available (rfc1990).
455# To enable multilink capabilities, you must specify a MRRU. 1500 is
456# a reasonable value. To create new links, use the ``clone'' command
457# to duplicate an existing link. If you already have more than one
458# link, you must specify which link you wish to run the command on via
459# the ``link'' command.
460#
461# You can now ``dial'' specific links, or even dial all links at the
462# same time. The `dial' command may also be prefixed with a specific
463# link that should do the dialing.
464#
465mloop:
466 load loop
467 set mode interactive
468 set mrru 1500
469 clone 1 2 3
470 link deflink remove
471 # dial
472 # link 2 dial
473 # link 3 dial
474
475mloop-in:
476 set timeout 0
477 set log tun phase
478 allow mode direct
479 set mrru 1500
480
481# User supplied authentication:
482# It's possible to run ppp in the background while specifying a
483# program to use to obtain authentication details on demand.
484# This program would usually be a simple GUI that presents a
485# prompt to a known user. The ``chap-auth'' program is supplied
486# as an example (and requires tcl version 8.0).
487#
488CHAPprompt:
489 load PAPorCHAPpmdemand
490 set authkey !/usr/share/examples/ppp/chap-auth
491
492# It's possible to do the same sort of thing at the login prompt.
493# Here, after sending ``brian'' in response to the ``name'' prompt,
494# we're prompted with ``code:''. A window is then displayed on the
495# ``keep:0.0'' display and the typed response is sent to the peer
496# as the password. We then expect to see ``MTU'' and ``.'' in the
497# servers response.
498#
499loginprompt:
500 load pmdemand
501 set authname brian
502 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
503 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
504 AUTHNAME\" MTU \\c ."
| 85# should send PAP or CHAP. By default, we send whatever we're asked for.
86#
87# You *MUST* customise ``MyName'' and ``MyKey'' below.
88#
89PAPorCHAPpmdemand:
90 set phone 1234567
91 set login
92 set authname MyName
93 set authkey MyKey
94 set timeout 120
95 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
96 add default HISADDR
97 enable dns
98
99# On demand dialup example with static IP addresses:
100# Here, the local side uses 192.244.185.226 and the remote side
101# uses 192.244.176.44.
102#
103# # ppp -auto ondemand
104#
105# With static IP numbers, our setup is similar to dynamic:
106# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
107# a "ondemand" label, and finally the "MYADDR" label.
108#
109ondemand:
110 set phone 1234567
111 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
112 set timeout 120
113 set ifaddr 192.244.185.226 192.244.176.44
114 add default HISADDR
115 enable dns
116
117# Example segments
118#
119# The following lines may be included as part of your configuration
120# section and aren't themselves complete. They're provided as examples
121# of how to achieve different things.
122
123examples:
124# Multi-phone example. Numbers separated by a : are used sequentially.
125# Numbers separated by a | are used if the previous dial or login script
126# failed. Usually, you will prefer to use only one of | or :, but both
127# are allowed.
128#
129 set phone 12345678|12345679:12345670|12345671
130#
131# Ppp can accept control instructions from the ``pppctl'' program.
132# First, you must set up your control socket. It's safest to use
133# a UNIX domain socket, and watch the permissions:
134#
135 set server /var/tmp/internet MySecretPassword 0177
136#
137# Although a TCP port may be used if you want to allow control
138# connections from other machines:
139#
140 set server 6670 MySecretpassword
141#
142# If you don't like ppp's builtin chat, use an external one:
143#
144 set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
145#
146# If we have a ``strange'' modem that must be re-initialized when we
147# hangup:
148#
149 set hangup "\"\" AT OK-AT-OK ATZ OK"
150#
151# To adjust logging withouth blasting the setting in default:
152#
153 set log -command +tcp/ip
154#
155# To see log messages on the screen in interactive mode:
156#
157 set log local LCP IPCP CCP
158#
159# If you're seeing a lot of magic number problems and failed connections,
160# try this (see the man page):
161#
162 set openmode active 5
163#
164# For noisy lines, we may want to reconnect (up to 20 times) after loss
165# of carrier, with 3 second delays between each attempt:
166#
167 set reconnect 3 20
168#
169# When playing server for M$ clients, tell them who our NetBIOS name
170# servers are:
171#
172 set nbns 10.0.0.1 10.0.0.2
173#
174# Inform the client if they ask for our DNS IP numbers:
175#
176 enable dns
177#
178# If you don't want to tell them what's in your /etc/resolf.conf file
179# with `enable dns', override the values:
180#
181 set dns 10.0.0.1 10.0.0.2
182#
183# If we're using the -alias switch, redirect ftp and http to an internal
184# machine:
185#
186 alias port 10.0.0.2:ftp ftp
187 alias port 10.0.0.2:http http
188#
189# or don't trust the outside at all
190#
191 alias deny_incoming yes
192#
193# I trust user brian to run ppp, so this goes in the `default' section:
194#
195 allow user brian
196#
197# But label `internet' contains passwords that even brian can't have, so
198# I empty out the user access list in that section so that only root can
199# have access:
200#
201 allow users
202#
203# I also may wish to set up my ppp login script so that it asks the client
204# for the label they wish to use. I may only want user ``dodgy'' to access
205# their own label in direct mode:
206#
207dodgy:
208 allow user dodgy
209 allow mode direct
210#
211# If we don't want ICMP and DNS packets to keep the connection alive:
212#
213 set filter alive 0 deny icmp
214 set filter alive 1 deny udp src eq 53
215 set filter alive 2 deny udp dst eq 53
216 set filter alive 3 permit 0 0
217#
218# And we don't want ICMPs to cause a dialup:
219#
220 set filter dial 0 deny icmp
221 set filter dial 1 permit 0 0
222#
223# or any TCP SYN or RST packets (badly closed TCP channels):
224#
225 set filter dial 2 deny 0 0 tcp syn finrst
226#
227# Once the line's up, allow connections for ident (113), telnet (23),
228# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
229# ICMP (ping) and traceroute (>33433).
230#
231# Anything else is blocked by default
232#
233 set filter in 0 permit tcp dst eq 113
234 set filter out 0 permit tcp src eq 113
235 set filter in 1 permit tcp src eq 23 estab
236 set filter out 1 permit tcp dst eq 23
237 set filter in 2 permit tcp src eq 21 estab
238 set filter out 2 permit tcp dst eq 21
239 set filter in 3 permit tcp src eq 20 dst gt 1023
240 set filter out 3 permit tcp dst eq 20
241 set filter in 4 permit udp src eq 53
242 set filter out 4 permit udp dst eq 53
243 set filter in 5 permit 192.244.191.0/24 0/0
244 set filter out 5 permit 0/0 192.244.191.0/24
245 set filter in 6 permit icmp
246 set filter out 6 permit icmp
247 set filter in 7 permit udp dst gt 33433
248 set filter out 7 permit udp dst gt 33433
249
250
251# Server side PPP
252#
253# If you want the remote system to authenticate itself, you must insist
254# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and
255# PAP are disabled by default. You may enable either or both. If both
256# are enabled, CHAP is requested first. If the client doesn't agree, PAP
257# will then be requested.
258#
259# Note: If you use the getty/login process to authenticate users, you
260# don't need to enable CHAP or PAP, but the user that has logged
261# in *MUST* be a member of the ``network'' group (in /etc/group).
262#
263# If you wish to allow any user in the passwd database ppp access, you
264# can ``enable passwdauth''.
265#
266# When the peer authenticates itself, we use ppp.secret for verification
267# (although refer to the ``set radius'' command below for an alternative).
268#
269# Note: We may supply a third field in ppp.secret specifying the IP
270# address for that user, a forth field to specify the
271# ppp.link{up,down} label to use and a fifth field to specify
272# callback characteristics.
273#
274# The easiest way to allow transparent LAN access to your dialin users
275# is to assign them a number from your local LAN and tell ppp to make a
276# ``proxy'' arp entry for them. In this example, we have a local LAN
277# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
278# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to
279# override the dynamic IP number with a static IP number specified in
280# ppp.secret.
281#
282# Ppp is launched with:
283# # ppp -direct server
284#
285server:
286 enable chap
287 enable pap
288 enable passwdauth
289 enable proxy
290 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
291 accept dns
292
293# Example of a RADIUS configuration:
294# If there are one or more radius servers available, we can use them
295# instead of the ppp.secret file. Simply put then in a radius
296# configuration file (usually /etc/radius.conf) and give ppp the
297# file name.
298# Ppp will use the FRAMED characteristics supplied by the radius server
299# to configure the link.
300
301radius-server:
302 load server
303 set radius /etc/radius.conf
304
305
306# Example to connect using a null-modem cable:
307# The important thing here is to allow the lqr packets on both sides.
308# Without them enabled, we can't tell if the line's dropped - there
309# should always be carrier on a direct connection.
310# Here, the server sends lqr's every 10 seconds and quits if five in a
311# row fail.
312#
313# Make sure you don't have "deny lqr" in your default: on the client !
314# If the peer denies LQR, we still send ECHO LQR packets at the given
315# lqrperiod interval (ppp-style-pings).
316#
317direct-client:
318 set dial ""
319 set device /dev/cuaa0
320 set sp 115200
321 set timeout 900
322 set lqrperiod 10
323 set log Phase Chat LQM
324 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
325 set ifaddr 10.0.4.2 10.0.4.1
326 enable lqr
327 accept lqr
328
329direct-server:
330 set timeout 0
331 set lqrperiod 10
332 set log Phase LQM
333 set ifaddr 10.0.4.1 10.0.4.2
334 enable lqr
335 accept lqr
336
337
338# Example to connect via compuserve
339# Compuserve insists on 7 bits even parity during the chat phase. Modem
340# parity is always reset to ``none'' after the link has been established.
341#
342compuserve:
343 set phone 1234567
344 set parity even
345 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
346 word: XXXXXXXX PPP"
347 set timeout 300
348 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
349 delete ALL
350 add default HISADDR
351
352
353# Example for PPP over TCP.
354# We assume that inetd on tcpsrv.mynet has been
355# configured to run "ppp -direct tcp-server" when it gets a connection on
356# port 1234. Read the man page for further details
357#
358# Note, we assume we're using a binary-clean connection. If something
359# such as `rlogin' is involved, you may need to ``set escape 0xff''
360#
361tcp-client:
362 set device tcpsrv.mynet:1234
363 set dial
364 set login
365 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
366
367tcp-server:
368 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
369
370# Example for PPP testing.
371# If you want to test ppp, do it through the loopback interface:
372#
373# Requires a line in /etc/services:
374# ppploop 6671/tcp # loopback ppp daemon
375#
376# and a line in /etc/inetd.conf:
377# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
378#
379loop:
380 set timeout 0
381 set log phase chat connect lcp ipcp command
382 set device localhost:ppploop
383 set dial
384 set login
385 set ifaddr 127.0.0.2 127.0.0.3
386 set server /var/tmp/loop "" 0177
387
388loop-in:
389 set timeout 0
390 set log phase lcp ipcp command
391 allow mode direct
392
393# Example of a VPN.
394# If you're going to create a tunnel through a public network, your VPN
395# should be set up something like this:
396#
397# You should already have set up ssh using ssh-agent & ssh-add.
398#
399sloop:
400 load loop
401 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"
402
403# Example of non-PPP callback.
404# If you wish to connect to a server that will dial back *without* using
405# the ppp callback facility (rfc1570), take advantage of the fact that
406# ppp doesn't look for carrier 'till `set login' is complete:
407#
408# Here, we expect the server to say DIALBACK then disconnect after
409# we've authenticated ourselves. When this has happened, we wait
410# 60 seconds for a RING.
411#
412dialback:
413 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
414 ATDT\\T TIMEOUT 60 CONNECT"
415 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
416 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
417
418# Example of PPP callback.
419# Alternatively, if the peer is using the PPP callback protocol, we're
420# happy either with ``auth'' style callback where the server dials us
421# back based on what we authenticate ourselves with, ``cbcp'' style
422# callback (invented by Microsoft but not agreed by the IETF) where
423# we negotiate callback *after* authentication or E.164 callback where
424# we specify only a phone number. I would recommend only ``auth'' and/or
425# ``cbcp'' callback methods.
426# For ``cbcp'', we insist that we choose ``1234567'' as the number that
427# the server must call back.
428#
429callback:
430 load pmdemand
431 set callback auth cbcp e.164 1234567
432 set cbcp 1234567
433
434# If we're running a ppp server that wants to only call back microsoft
435# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
436#
437callback-server:
438 load server
439 set callback cbcp
440 set cbcp
441 set log +cbcp
442 set redial 3 1
443 set device /dev/cuaa0
444 set speed 115200
445 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
446
447# Or if we want to allow authenticated clients to specify their own
448# callback number:
449#
450callback-server-client-decides:
451 load callback-server
452 set cbcp *
453
454# Multilink mode is available (rfc1990).
455# To enable multilink capabilities, you must specify a MRRU. 1500 is
456# a reasonable value. To create new links, use the ``clone'' command
457# to duplicate an existing link. If you already have more than one
458# link, you must specify which link you wish to run the command on via
459# the ``link'' command.
460#
461# You can now ``dial'' specific links, or even dial all links at the
462# same time. The `dial' command may also be prefixed with a specific
463# link that should do the dialing.
464#
465mloop:
466 load loop
467 set mode interactive
468 set mrru 1500
469 clone 1 2 3
470 link deflink remove
471 # dial
472 # link 2 dial
473 # link 3 dial
474
475mloop-in:
476 set timeout 0
477 set log tun phase
478 allow mode direct
479 set mrru 1500
480
481# User supplied authentication:
482# It's possible to run ppp in the background while specifying a
483# program to use to obtain authentication details on demand.
484# This program would usually be a simple GUI that presents a
485# prompt to a known user. The ``chap-auth'' program is supplied
486# as an example (and requires tcl version 8.0).
487#
488CHAPprompt:
489 load PAPorCHAPpmdemand
490 set authkey !/usr/share/examples/ppp/chap-auth
491
492# It's possible to do the same sort of thing at the login prompt.
493# Here, after sending ``brian'' in response to the ``name'' prompt,
494# we're prompted with ``code:''. A window is then displayed on the
495# ``keep:0.0'' display and the typed response is sent to the peer
496# as the password. We then expect to see ``MTU'' and ``.'' in the
497# servers response.
498#
499loginprompt:
500 load pmdemand
501 set authname brian
502 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
503 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
504 AUTHNAME\" MTU \\c ."
|