Date: Thu, 2 May 2002 16:13:50 -0400 (EDT)
From: Thomas David Rivers
Message-Id: <200205022013.g42KDoc50328@lakes.dignus.com>
To: archie@dellroad.org, rivers@dignus.com
Subject: Re: Anyone using pptp?
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-net@FreeBSD.ORG, K.J.Koster@kpn.com
In-Reply-To: <200205021949.g42JnXq97404@arch20m.dellroad.org>

Archie Cobbs wrote:
>
> Thomas David Rivers writes:
> > > > enable MSChapV2
> > > > in /etc/ppp/ppp.conf - then our ppp client requires that the
> > > > peer (the Microsoft VPN server) authenticate using MSChapV2. But,
> > > > the Microsoft VPN peer refuses that (it's configured to not use
> > > > MSChapV2).
> > > >
> > > Don't you want something like "allow MSChapV2" and "disable MSChapV2" ?
> >
> > Something like that... but - that's the default setting. With the
> > default setting, it seems to pass through CHAP (0x80) Authentication.
> >
> > But - then, the MPPE encryption is not allowed - because MPPE
> > compression requires MSChapV2 (0x81) Authentication... and, the
> > VPN server doesn't authenticate that way.
> >
> > I notice there is a line in the ppp man page:
> >
> > For now, ppp can only get encryption keys from CHAP 81
> > authentication.
> >
> > But - the (Microsoft Win2000) VPN server I'm trying to talk to doesn't
> > allow CHAP 81 authentication, but wants to use MPPE...
>
> In that case you need to use mpd I guess.
>
> -Archie
>

Yes - after some other investigation - I arrived at the same idea.

mpd fails as well... with something very similar... it seems to
send a CCP configuration request and simply gets no answer back
from the Microsoft server.

From the VPN log (you can see toward the bottom that both IPCP
and CCP complain that parameter negotiation failed):

[vpn] LCP: authorization successful
[vpn] LCP: phase shift AUTHENTICATE --> NETWORK
[vpn] up: 1 link, total bandwidth 64000 bps
[vpn] IPCP: Up event
[vpn] IPCP: state change Starting --> Req-Sent
[vpn] IPCP: SendConfigReq #1 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: Open event
[vpn] CCP: state change Initial --> Starting
[vpn] CCP: LayerStart
[vpn] CCP: Up event
[vpn] CCP: state change Starting --> Req-Sent
[vpn] CCP: SendConfigReq #1 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #2 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #2 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #3 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #3 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #4 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #4 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #5 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #5 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #6 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #6 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #7 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #7 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #8 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #8 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #9 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #9 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: SendConfigReq #10 IPADDR 192.168.1.1 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[vpn] CCP: SendConfigReq #10 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] IPCP: state change Req-Sent --> Stopped
[vpn] IPCP: LayerFinish
[vpn] IPCP: parameter negotiation failed
[vpn] IPCP: LayerFinish
[vpn] CCP: state change Req-Sent --> Stopped
[vpn] CCP: LayerFinish
[vpn] CCP: parameter negotiation failed
[vpn] CCP: Close event
[vpn] CCP: state change Stopped --> Closed
[vpn] CCP: encryption required, but MPPE was not negotiated in both directions
[vpn] CCP: failed to negotiate required encryption
[vpn] CCP: Close event
[vpn] CCP: LayerFinish
[vpn] IPCP: failed to negotiate required encryption
[vpn] IPCP: LayerFinish
[vpn] CCP: LayerFinish
[vpn] bundle: CLOSE event in state OPENED
[vpn] closing link "vpn"...
[vpn] bundle: CLOSE event in state CLOSED
[vpn] closing link "vpn"...
[vpn] link: CLOSE event
[vpn] LCP: Close event
[vpn] LCP: state change Opened --> Closing
[vpn] LCP: phase shift NETWORK --> TERMINATE
[vpn] up: 0 links, total bandwidth 9600 bps
[vpn] IPCP: Down event
[vpn] IPCP: state change Stopped --> Starting
[vpn] IPCP: LayerStart
[vpn] CCP: Down event
[vpn] CCP: state change Closed --> Initial
[vpn] CCP: Close event
[vpn] closing link "vpn"...
[vpn] LCP: SendTerminateReq #4
[vpn] LCP: LayerDown
[vpn] bundle: CLOSE event in state CLOSED
[vpn] link: CLOSE event
[vpn] LCP: Close event
[vpn] bundle: OPEN event in state CLOSED
[vpn] opening link "vpn"...
[vpn] link: CLOSE event
[vpn] LCP: Close event
[vpn] link: OPEN event
[vpn] LCP: Open event
[vpn] LCP: state change Closing --> Stopping
pptp0: CID 0xdac8 in SetLinkInfo not found
[vpn] LCP: rec'd Terminate Ack #4 link 0 (Stopping)
[vpn] LCP: state change Stopping --> Stopped
[vpn] LCP: phase shift TERMINATE --> ESTABLISH
[vpn] LCP: LayerFinish
[vpn] device: CLOSE event in state UP
pptp0-0: clearing call
[vpn] device is now in state CLOSING
[vpn] device: DOWN event in state CLOSING
[vpn] device is now in state DOWN
[vpn] link: DOWN event
[vpn] LCP: Down event
[vpn] LCP: state change Stopped --> Starting
[vpn] LCP: phase shift ESTABLISH --> DEAD
[vpn] LCP: LayerStart
[vpn] device: OPEN event in state DOWN
[vpn] pausing 7 seconds before open
[vpn] device is now in state DOWN
[vpn] device: OPEN event in state DOWN
[vpn] device is now in state DOWN
pptp0-0: peer call disconnected res=zero? err=none
pptp0-0: killing channel
pptp0: closing connection with 157.189.4.10:1723
pptp0: invalid length 16 for type 4
pptp0: killing connection with 157.189.4.10:1723
^Cmpd: caught fatal signal int
mpd: fatal error, exiting
[vpn] IPCP: Down event
[vpn] IFACE: Close event
[vpn] IPCP: Close event
[vpn] IPCP: state change Starting --> Initial
[vpn] IPCP: LayerFinish
mpd: process 3199 terminated
office# ^Dexit

Script done on Thu May 2 11:03:31 2002