In article <(E-Mail Removed) .com>, Stefan wrote:
> Sorry if this was beaten to death somewhere else. Tried searching and
> can't find anything definite.
>
> I'm trying to connect a FC3 box at home to our PIX VPN at work. I've
> followed the instructions at
> http://pptpclient.sourceforge.net/ho...a-core-3.phtml verbatim.
> Everything seems to load alright, but whenever I try to connect I get
> this error in the status window:
>
> LCP: timeout sending Config-Requests
> Connection terminated.

This sounds very similar, if not exactly the same, as the problem I've
been having trying to complete a pptp connection from my FC4 system
at home to the MS pptp vpn server at work. pptp is new for me and
I'm not familiar with PIX (just looked it up - looks like it's a Cisco
firewall product that works with pptp (?)), but I am getting the same LCP:
timeout ... event, which happens after 10 or so unanswered LCP requests
(I think it's exactly 10, actually) to the server. The client then
apparently sends the server a "call-clear-request", the server responds
with a "call-disconnect-notify", then another "call-clear-request"
from the client, a TCP (protocol) response from the server, then a
"stop-control-connection-request" from the client, then a
"stop-control-connection-reply" from the server (then a few TCP packets
before the dialog is ended).

The server appears willing to begin setting up the connection - responding
to the client's "Start-Control-Connection-Request" with a
"Start-Control-Connection-Reply" and to an "Outgoing-Call-Request" with an
"Outgoing-Call-Reply". But then the server appears to refuse to respond to
the LCP configuration requests.

The symptoms sound the same as what you're getting, and I wonder if the
cause might be the same.

My next step was going to be to look at the vpn server logs, but I have to
wait 'til my ithelp request is addressed by the Windows admin, blah, blah,
so it will take a while to get this info. I'm hoping this will give
further clues as to what is happening.

It sounds to me, though, that you're suspecting it's a firewall - PIX -
configuration problem, rather than a problem with the pptp server. Is that
right?

I'll continue to monitor this topic on this ng and will try to post if
I find out anything helpful, but if you feel like emailing me so that
we can share knowledge of a possible common cause and/or a possible
common solution, feel free to mail me at
(E-Mail Removed) - either
include "non-spam" in the subject line (See my sig.) or remove
"ensional" from my address to reach the unfiltered address.

> At http://pptpclient.sourceforge.net/ho...ml#lcp_timeout
> they listed possible reasons relating to GRE packets. I did a
> tcpdump/grep while trying to connect. There are numerous
> gre-ppp-payload packets going to and from the server, followed by 10
> gre-ppp-payload going to the server with no response. Don't have a
> clue on what to check from there.
>
> Now I do have access to the PIX config (cannot change anything.) The
> relevant config lines would be:
>
> vpdn group VPN_USER accept dialin pptp
> vpdn group VPN_USER ppp authentication pap
> vpdn group VPN_USER ppp authentication chap
> vpdn group VPN_USER ppp authentication mschap
> vpdn group VPN_USER ppp encryption mppe 40 (I guess there is a license
> problem for 128?)
> ...
>
> My options.pptp looks like this:
>
> lock
> noauth
> refuse-eap
> refuse-pap
> refuse-chap
> refuse-mschap
> nobsdcomp
> nodeflate
> require-mppe
>
> I also allowed mschap auth in the config and I got this error while
> connecting:
>
> CHAP authentication succeeded
> Disabling 40-bit MPPE; MS-CHAP LM not supported
> MPPE required but peer negotiation failed
> Connection terminated.
>
> So, do I need to use mschap instead of v2? But what gives with the
> encryption? Do I not have 40bit capability? How do I check and fix?
>
> I don't know what to try now... Any help would be greatly appreciated!
>
--
Jim Cochrane;
(E-Mail Removed)
[When responding by email, include the term non-spam in the subject line to
get through my spam filter.]
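
The tcpdump check both posters describe (GRE packets flowing both ways, then about 10 going to the server with no response) can be scripted so the capture is summarised rather than read by eye. This is an added example, not code from the thread or from the pptpclient project; the addresses, the sample capture lines and the names `gre_summary` and `sample_capture` are constructed for illustration, and the line format assumed is tcpdump's one-line summary.

```python
import re

# tcpdump's one-line summary of a GRE packet (IP protocol 47) has no port:
# "12:00:01.10 IP 192.0.2.10 > 198.51.100.1: GREv1, call 7, seq 3, ..."
GRE_LINE = re.compile(r"IP (\S+) > (\S+?): GRE")

def gre_summary(lines, client_ip, threshold=10):
    """Count GRE packets per direction plus the run of client packets at
    the end of the capture that drew no reply from the server."""
    sent = received = tail = 0
    for line in lines:
        m = GRE_LINE.search(line)
        if not m:
            continue  # TCP 1723 control channel or unrelated traffic
        src, dst = m.groups()
        if src == client_ip:
            sent += 1
            tail += 1
        elif dst == client_ip:
            received += 1
            tail = 0  # a reply arrived, so the unanswered run starts over
    if sent and not received:
        verdict = "no_inbound_gre"      # GRE never came back at all
    elif tail >= threshold:
        verdict = "replies_stopped"     # tunnel worked, then went silent
    else:
        verdict = "bidirectional"
    return {"sent": sent, "received": received,
            "unanswered_tail": tail, "verdict": verdict}

# Constructed sample capture (documentation addresses, not from the thread).
CLIENT, SERVER = "192.0.2.10", "198.51.100.1"

def sample_capture():
    lines = [f"12:00:00.00 IP {CLIENT}.40000 > {SERVER}.1723: Flags [P.], length 156"]
    for i in range(3):   # early packets answered by the server
        lines.append(f"12:00:01.{i}0 IP {CLIENT} > {SERVER}: GREv1, call 7, seq {i}, length 36")
        lines.append(f"12:00:01.{i}5 IP {SERVER} > {CLIENT}: GREv1, call 9, seq {i}, length 36")
    for i in range(10):  # then ten requests with no answer
        lines.append(f"12:00:{i + 2:02d}.00 IP {CLIENT} > {SERVER}: GREv1, call 7, seq {i + 3}, length 36")
    return lines

if __name__ == "__main__":
    print(gre_summary(sample_capture(), CLIENT))
```

A `no_inbound_gre` result points at GRE being dropped somewhere on the path, while `replies_stopped` matches the symptom in this thread, where GRE passes and the peer goes silent partway through negotiation.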