Date: Fri, 20 Dec 96 15:42 CST From: uhclem@nemesis.lonestar.org To: FreeBSD-gnats-submit@freebsd.org Subject: bin/2260: PPP logins using PAP to Nortel/Shiva systems fail - FDIV050 Message-ID: <m0vbChc-000uBmC@nemesis.lonestar.org> Resent-Message-ID: <199612202220.OAA12173@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 2260 >Category: bin >Synopsis: PPP logins using PAP to Nortel/Shiva systems fail - FDIV050 >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Dec 20 14:20:01 PST 1996 >Last-Modified: >Originator: Frank Durda IV >Organization: >Release: FreeBSD 2.1.0-RELEASE and 2.1.5-RELEASE >Environment: FreeBSD 2.1.0 or 2.1.5 system (only ones tested), attempting to call into a Nortel Rapport Dialup Switch (Shiva terminal server) using L2F code Beta 4.5b5 96/10/28 >Description: If a PAP-style login is attempted with the user iijPPP client calling the above hardware, the login appears to succeed, and then the session is aborted with an "Administrative Intervention" error. This is 100% repeatable when calling this target system. Shivas initial analysis suggests that the FreeBSD iijPPP client is not waiting long enough for a key handshake. See debug logs below. Note that Windows '95 and other PAP clients are able to login and use this system without incident. This system does not support CHAP, only PAP and script logins. Making this work with these Nortel boxes is important as TELCOs are installing these things and intercepting data calls into these boxes, thenm routing PPP sessions via L2F tunnels to the appropriate ISPs. This is the plan to get data traffic off the PSTN and select TELCOs (such as Southwestern Bell) are installing this in a big way, for use by other ISPs and their own ISP offering. >How-To-Repeat: config file: default: disable lqr deny lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0 OK-AT-OK \\dATDT\\T TIMEOUT 40 CONNECT" # # telnet # set ifilter 0 deny udp dst eq 23 # set ifilter 1 deny tcp dst eq 23 # sunrpc/sunrpc2 set ifilter 0 deny udp dst eq 111 set ifilter 1 deny tcp dst eq 111 # login set ifilter 2 deny udp dst eq 513 set ifilter 3 deny tcp dst eq 513 # shell/cmd set ifilter 4 deny udp dst eq 514 set ifilter 5 deny tcp dst eq 514 # klogin set ifilter 6 deny udp dst eq 543 set ifilter 7 deny tcp dst eq 543 # kshell set ifilter 8 deny udp dst eq 544 set ifilter 9 deny tcp dst eq 544 # eklogin set ifilter 10 deny udp dst eq 2105 set ifilter 11 deny udp dst eq 2105 # set ifilter 12 permit icmp set ifilter 13 permit 0/0 0/0 set ofilter 0 permit 0/0 0/0 # # Don't keep Alive or dial with ICMP, RIP, or NTP packet # # RIP set afilter 1 deny udp src eq 520 set dfilter 1 deny udp src eq 520 set afilter 2 deny udp dst eq 520 set dfilter 2 deny udp dst eq 520 # NTP set afilter 3 deny udp src eq 123 set dfilter 3 deny udp src eq 123 set afilter 4 deny udp dst eq 123 set dfilter 4 deny udp dst eq 123 # RJE # This is for netup to test without bringing up the link set afilter 5 deny tcp dst eq discard set dfilter 5 deny tcp dst eq discard # RWHO set afilter 6 deny udp dst eq 513 set dfilter 6 deny udp dst eq 513 set afilter 7 deny udp src eq 513 set dfilter 7 deny udp src eq 513 # let the rest through set afilter 8 permit 0/0 0/0 set dfilter 8 permit 0/0 0/0 # ICMP set afilter 0 deny icmp set dfilter 0 deny icmp # # If peer reqires to use CHAP, don't forget to supply authname and authkey. # # If you'd like to use CHAP to authentificate peer, comment out the line # ``enable chap'' below. You also need to prepare /etc/ppp.secret. # # If remote system sends its system name within CHAP packet and it is # found in /etc/ppp.secret, then secret key is taken from the file and # value of authkey is ignored. # dial-ia: set device /dev/cuaa2 set speed 38400 set parity none disable lqr deny lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0 OK-AT-OK \\dATS50=7S51=6S2=255S48=0DT\\T TIMEOUT 40 38400" set phone 9,**0000,8858800 set login "TIMEOUT 4 login:-\\r\\d\\c-login:-\\r\\c-login: \\d\\U word: \\P" deny pap disable pap accept chap set authname gburditt set authkey passwordxx set timeout 300 set debug chat phase # ############################################################################ ############################################################################ # Internet America # Dial-on-demand # Worldblazer ############################################################################ ############################################################################ # dmd-ia-wb: set device /dev/cuaa2 set speed 38400 set parity none set mru 584 disable lqr deny lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0 OK-AT-OK \\dATS50=7S51=6S2=255S48=0DT\\T TIMEOUT 40 38400" set phone 9,**0000,8858800 set login "TIMEOUT 4 login:-\\r\\d\\c-login:-\\r\\c-login: \\d\\U word: \\P" deny pap disable pap accept chap set authname gburditt set authkey passwordxx set ifaddr 206.66.15.76/3 206.66.15.0/3 set timeout 300 set debug chat phase add 0 0 206.66.15.0 ############################################################################ ############################################################################ # Internet America # Dial-on-demand # USR Sportster ############################################################################ ############################################################################ # dmd-ia-usr: set device /dev/cuaa1 set speed 57600 set parity none set mru 584 disable lqr deny lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0 OK-AT-OK \\dAT&F1DT\\T TIMEOUT 40 CONNECT" set phone 9,**0000,8858800 set login "TIMEOUT 4 login:-\\r\\d\\c-login:-\\r\\c-login: \\d\\U word: \\P" deny pap disable pap accept chap set authname gburditt set authkey passwordxx set ifaddr 206.66.15.76/3 206.66.15.0/3 set timeout 300 set debug chat phase add 0 0 206.66.15.0 ############################################################################ ############################################################################ # Internet America # Dial-on-demand - Magellan # USR Sportster ############################################################################ ############################################################################ # magellan: set device /dev/cuaa1 set speed 57600 set parity none set mru 584 disable lqr accept lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0 OK-AT-OK \\dAT&F1DT\\T TIMEOUT 40 CONNECT" # set phone 9,**0000,884xxxx set phone 9,**0000,885xxxx deny pred1 accept pap disable pap accept chap disable chap set authname gburditt set authkey password set timeout 300 set debug chat phase lcp ipcp set openmode active add 0 0 HISADDR magellan-script: set device /dev/cuaa1 set speed 57600 set parity none set mru 584 disable lqr deny lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0 OK-AT-OK \\dAT&F1DT\\T TIMEOUT 40 CONNECT" set phone 9,**0000,884xxxx set login "TIMEOUT 4 login:-\\r\\d\\c-login:-\\r\\c-login: \\d\\U word: \\P" deny pred1 accept pap disable pap accept chap disable chap set authname gburditt set authkey password set timeout 300 set debug chat phase lcp ipcp set ifaddr 206.66.15.76/3 206.66.15.0/3 add 0 0 206.66.15.0 Debug log output (password x'd out). Note "L2F Administrative intervention" below. 12-17 20:07:16 [18510] Using interface: tun0 12-17 20:07:16 [18510] PPP Started. 12-17 20:07:29 [18510] Expecting 12-17 20:07:29 [18510] sending: ATE1Q0 12-17 20:07:29 [18510] Expecting OK-AT-OK 12-17 20:07:29 [18510] Wait for (5): OK --> OK 12-17 20:07:29 [18510] got: ATE1Q0 OK 12-17 20:07:30 [18510] sending: AT&F1DT9,**0000,884xxxx 12-17 20:07:30 [18510] Expecting CONNECT 12-17 20:07:30 [18510] Wait for (40): CONNECT --> CONNECT 12-17 20:07:56 [18510] got: AT&F1DT9,**0000,884xxxx CONNECT 12-17 20:07:56 [18510] *Connected! 12-17 20:07:56 [18510] LCP: state change Initial --> Closed 12-17 20:07:56 [18510] LCP: SendConfigReq 12-17 20:07:56 [18510] ACFCOMP 12-17 20:07:56 [18510] PROTOCOMP 12-17 20:07:56 [18510] ACCMAP [6] 00000000 12-17 20:07:56 [18510] MRU [4] 584 12-17 20:07:56 [18510] MAGICNUM [6] b2f70e56 12-17 20:07:56 [18510] LCP: state change Closed --> Req-Sent 12-17 20:07:56 [18510] LCP: Received Configure Request (1) state = Req-Sent (6) 12-17 20:07:56 [18510] MRU 1522 12-17 20:07:56 [18510] ACCMAP 000a0000 12-17 20:07:56 [18510] AUTHPROTO proto = c023 12-17 20:07:56 [18510] MAGICNUM 8691d629 12-17 20:07:56 [18510] ACFCOMP 12-17 20:07:56 [18510] LCP: SendConfigAck(Req-Sent) 12-17 20:07:56 [18510] MRU 1522 12-17 20:07:56 [18510] ACCMAP 000a0000 12-17 20:07:56 [18510] AUTHPROTO proto = c023 12-17 20:07:56 [18510] MAGICNUM 8691d629 12-17 20:07:56 [18510] ACFCOMP 12-17 20:07:56 [18510] LCP: state change Req-Sent --> Ack-Sent 12-17 20:07:56 [18510] LCP: Received Configure Ack (1) state = Ack-Sent (8) 12-17 20:07:56 [18510] LCP: state change Ack-Sent --> Opend 12-17 20:07:56 [18510] LCP: LayerUp 12-17 20:07:56 [18510] Phase: Authenticate 12-17 20:07:56 [18510] his = c023, mine = 0 12-17 20:07:56 [18510] PAP: gburditt (xxxxxxxx) 12-17 20:07:59 [18510] PAP: gburditt (xxxxxxxx) 12-17 20:08:00 [18510] PapInput: ACK 12-17 20:08:00 [18510] Received PAP_ACK (Welcome) 12-17 20:08:00 [18510] Phase: Network 12-17 20:08:00 [18510] IPCP: state change Initial --> Closed 12-17 20:08:00 [18510] IPCP Up event!! 12-17 20:08:00 [18510] IPCP: SendConfigReq 12-17 20:08:00 [18510] IPADDR [6] 192.168.2.2 12-17 20:08:00 [18510] COMPPROTO [6] 002d0f00 12-17 20:08:00 [18510] IPCP: state change Closed --> Req-Sent 12-17 20:08:00 [18510] CCP: state change Initial --> Closed 12-17 20:08:00 [18510] CCP Up event!! 12-17 20:08:00 [18510] CCP: SendConfigReq 12-17 20:08:00 [18510] CCP: state change Closed --> Req-Sent 12-17 20:08:01 [18510] PapInput: NAK ************** 12-17 20:08:01 [18510] Received PAP_NAK (L2F administrative intervention.) ************** 12-17 20:08:01 [18510] LCP: LayerDown 12-17 20:08:01 [18510] Phase: Terminate 12-17 20:08:01 [18510] LCP: SendTerminateReq. 12-17 20:08:01 [18510] LCP: state change Opend --> Closing 12-17 20:08:02 [18510] LCP: Received Echo Reply (2) state = Closing (4) 12-17 20:08:02 [18510] LCP: Received Terminate Ack (3) state = Closing (4) 12-17 20:08:02 [18510] LCP: state change Closing --> Closed 12-17 20:08:02 [18510] LCP: LayerFinish 12-17 20:08:02 [18510] Disconnected! 12-17 20:08:02 [18510] Connect time: 6 secs 12-17 20:08:02 [18510] Phase: Dead 12-17 20:08:02 [18510] LCP: state change Closed --> Initial 12-17 20:08:02 [18510] Phase: Dead 12-17 20:08:03 [18510] IPCP: SendConfigReq 12-17 20:08:03 [18510] IPADDR [6] 192.168.2.2 12-17 20:08:03 [18510] COMPPROTO [6] 002d0f00 12-17 20:08:03 [18510] CCP: SendConfigReq 12-17 20:08:06 [18510] IPCP: SendConfigReq 12-17 20:08:06 [18510] IPADDR [6] 192.168.2.2 12-17 20:08:06 [18510] COMPPROTO [6] 002d0f00 12-17 20:08:06 [18510] CCP: SendConfigReq 12-17 20:08:09 [18510] IPCP: SendConfigReq 12-17 20:08:09 [18510] IPADDR [6] 192.168.2.2 12-17 20:08:09 [18510] COMPPROTO [6] 002d0f00 12-17 20:08:09 [18510] CCP: SendConfigReq 12-17 20:08:12 [18510] IPCP: SendConfigReq 12-17 20:08:12 [18510] IPADDR [6] 192.168.2.2 12-17 20:08:12 [18510] COMPPROTO [6] 002d0f00 12-17 20:08:12 [18510] CCP: SendConfigReq 12-17 20:08:15 [18510] IPCP: state change Req-Sent --> Stopped 12-17 20:08:15 [18510] IPCP: LayerFinish. 12-17 20:08:15 [18510] Phase: Terminate 12-17 20:08:15 [18510] CCP: state change Req-Sent --> Stopped 12-17 20:08:15 [18510] CCP: LayerFinish. 12-17 20:08:24 [18510] PPP Terminated. >Fix: Use script login instead of PAP when connecting to Nortel/Shiva terminal servers, or use a different PPP client. In some areas, script logins are not available using the Nortel/Shiva system, so a different client may be necessary. >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?m0vbChc-000uBmC>