Date:      Tue, 5 Dec 2000 15:33:03 -0800 (PST)
From:      Andy Hogben <andy@mini.chicago.com>
To:        freebsd-questions@freebsd.org
Subject:   mpd (as pptp server) and encryption
Message-ID:  <200012052333.PAA48532@mini.chicago.com>

I'm trying to get working a generic pptp scenario - Win NT client
to FreeBSD server.  The example configs are great and work pretty
much out of the box.  However, in going through the log output to
make sure I'm really setting up a secure link, I'm not sure if
the link is as secure as it can be.  Most entries refer to 40 bit.

On the unix side I just have the pptp section from the sample in
mpd.conf and the corresponding section in mpd.links.  This includes the
appropriate mpd.conf commands to enable mpp-e40 and mpp-e128.  On the
windows side I created a DUN entry using RASPPTPM.  In the settings I
changed the security to be 'Accept only Microsoft encrypted authentication'
with only the 'Require data encryption' box checked.  Right now I'm
doing this only on the internal LAN so there's no firewall or anything
to worry about.

In the output produced during logon I see a few things that make me
believe things aren't right.  Hopefully someone can comment.  Because
of the size, I'll cut-n-paste rather than giving the whole log.  If
needed, I can post/send the whole thing.

My questions are:

1) Do I need to include the following in mpd.conf or is it implied
(or different than) mpp-eXXX?

      set bundle enable encryption

2) [pptp] LCP: state change Ack-Rcvd --> Opened
   [pptp] LCP: phase shift ESTABLISH --> AUTHENTICATE
   [pptp] LCP: auth: peer wants nothing, I want CHAP
   [pptp] CHAP: sending CHALLENGE
   [pptp] LCP: LayerUp
   [pptp] LCP: rec'd Ident #2 link 0 (Opened)
    MESG: MSRASV4.00
   [pptp] LCP: rec'd Ident #3 link 0 (Opened)
    MESG: MSRAS-1-ELAN
   [pptp] CHAP: rec'd RESPONSE #1
    Name: "andy"
    Peer name: "andy"
    Response is valid
   [pptp] CHAP: sending SUCCESS
   [pptp] LCP: authorization successful
   [pptp] LCP: phase shift AUTHENTICATE --> NETWORK

Why does it say 'peer wants nothing'?  Shouldn't it always be wanting CHAP?

3) [pptp] CCP: SendConfigReq #4
    MPPC
      0x01000060: MPPE, 40 bit, 128 bit, stateless
   [pptp] CCP: rec'd Configure Request #4 link 0 (Req-Sent)
    MPPC
      0x00000031: MPPC MPPE, 40 bit
      Bits 0x00000010 not supported
   [pptp] CCP: SendConfigNak #4
    MPPC
      0x00000020: MPPE, 40 bit
   [pptp] IPCP: rec'd Configure Request #5 link 0 (Req-Sent)
    COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
. . .
   [pptp] CCP: rec'd Configure Nak #1 link 0 (Req-Sent)
    MPPC
      0x01000020: MPPE, 40 bit, stateless
   [pptp] CCP: SendConfigReq #2
    MPPC
      0x01000020: MPPE, 40 bit, stateless
   [pptp] CCP: rec'd Configure Request #6 link 0 (Req-Sent)
    MPPC
      0x00000020: MPPE, 40 bit
   [pptp] CCP: SendConfigAck #6
    MPPC
      0x00000020: MPPE, 40 bit
   [pptp] CCP: state change Req-Sent --> Ack-Sent
   [pptp] IPCP: rec'd Configure Request #7 link 0 (Ack-Rcvd)
    COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
    IPADDR 0.0.0.0
    NAKing with 192.168.100.55
    PRIDNS 0.0.0.0
    NAKing with 192.168.100.1
   [pptp] IPCP: SendConfigNak #7
    IPADDR 192.168.100.55
    PRIDNS 192.168.100.1
   [pptp] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
    MPPC
      0x01000020: MPPE, 40 bit, stateless
   [pptp] CCP: state change Ack-Sent --> Opened
   [pptp] CCP: LayerUp
    Compress using: MPPE, 40 bit
    Decompress using: MPPE, 40 bit, stateless
   [pptp] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd)

I was expecting to see everything referred to as MPPE, 128 bit but I
only see that in the 0x01000060 case, all the others are 40 bit.  Is
this correct?  Is that as secure as Microsoft gets? :-)

4) [pptp] IFACE: Up event
   pptp0-0: ignoring SetLinkInfo
   [pptp] rec'd proto 0xee5d on MP link! (ignoring)
   [pptp] rec'd unexpected protocol 0x624d on link -1, rejecting
   [pptp] rec'd unexpected protocol 0x003b on link -1, rejecting

Is this normal behaviour for the case where I have to say 'OK' to the
connection having been made?

Any help would be appreciated.

Andy
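As an added example (not from the original post or from mpd itself), the following Python decodes the CCP option bitmask that mpd prints in the log above, using the bit assignments from RFC 3078 (MPPE: 0x20 = 40-bit, 0x40 = 128-bit, 0x10 = 56-bit, 0x01000000 = stateless) and RFC 2118 (0x01 = MPPC compression), and then scans the "Compress using" lines for any negotiated key shorter than 128 bits. The 0x00000010 bit mpd reports as "not supported" is the 56-bit option; the sample log lines are copied from the post.

```python
import re

# MPPE/MPPC CCP option bits as printed in mpd's CCP log lines
# (RFC 3078 for the MPPE bits, RFC 2118 for the MPPC compression bit).
FLAGS = [
    (0x00000001, "MPPC"),          # C bit: MPPC compression
    (0x00000010, "MPPE 56-bit"),   # M bit
    (0x00000020, "MPPE 40-bit"),   # L bit
    (0x00000040, "MPPE 128-bit"),  # S bit
    (0x01000000, "stateless"),     # H bit: stateless mode
]
KEY_BITS = {0x10: 56, 0x20: 40, 0x40: 128}
KNOWN_MASK = sum(bit for bit, _ in FLAGS)

def decode_option(value):
    """Name the options set in one CCP bitmask, e.g. 0x01000060 -> 40-bit, 128-bit, stateless."""
    names = [name for bit, name in FLAGS if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"unknown bits 0x{unknown:08x}")
    return names

def common_key_lengths(server_req, client_req):
    """Key lengths both peers offered; CCP can only converge on one of these."""
    common = server_req & client_req
    return sorted(length for bit, length in KEY_BITS.items() if common & bit)

def audit_ccp_log(log_text, minimum_bits=128):
    """Return (direction, bits) for every negotiated MPPE key shorter than minimum_bits."""
    pattern = re.compile(r"(Compress|Decompress) using: MPPE, (\d+) bit")
    return [(m.group(1), int(m.group(2)))
            for m in pattern.finditer(log_text)
            if int(m.group(2)) < minimum_bits]

# Log excerpt copied from the post above.
SAMPLE_LOG = """\
   [pptp] CCP: LayerUp
    Compress using: MPPE, 40 bit
    Decompress using: MPPE, 40 bit, stateless
"""

if __name__ == "__main__":
    print(decode_option(0x01000060))                   # server offer in the post
    print(decode_option(0x00000031))                   # client offer in the post
    print(common_key_lengths(0x01000060, 0x00000031))  # [40]: only 40-bit is common to both
    print(audit_ccp_log(SAMPLE_LOG))                   # both directions flagged as 40-bit
```

The intersection of the two offers explains the log: the client only put the 40-bit and 56-bit bits on the wire, so 40-bit is the only key length the peers can agree on.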

