PPTP CHAP failure problem

 
 
James Kimble
      09-14-2003, 12:11 AM
I'm trying to set up a VPN from my RH 8.0 machine to a Windows 2K system
at my work. The Windows 2K side is working with other Windows machines.

I downloaded pptp and pptpconfig and installed them with no problems.
I enter the pertinent information into pptpconfig using the MPPE encryption
option, but when I try to connect I get the following:


Sep 13 19:57:53 ezekiel pppd[13795]: pppd 2.4.2b3 started by jkimble, uid 0
Sep 13 19:57:53 ezekiel pppd[13795]: using channel 32
Sep 13 19:57:53 ezekiel pppd[13795]: Using interface ppp0
Sep 13 19:57:53 ezekiel pppd[13795]: Connect: ppp0 <--> /dev/pts/10
Sep 13 19:57:53 ezekiel pptp[13796]: anon log[main:pptp.c:219]: The synchronous pptp option is NOT activated
Sep 13 19:57:53 ezekiel pptp[13799]: anon log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:630]: Client connection established.
Sep 13 19:57:54 ezekiel pppd[13795]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xa7c92e95> <pcomp> <accomp>]
Sep 13 19:57:54 ezekiel pptp[13799]: anon log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:759]: Outgoing call established (call ID 0, peer's call ID 33767).
Sep 13 19:57:54 ezekiel pptp[13796]: anon log[decaps_hdlc:pptp_gre.c:217]: PPP mode seems to be Asynchronous.
Sep 13 19:57:54 ezekiel pppd[13795]: rcvd [LCP ConfReq id=0x0 <auth chap MS-v2> <magic 0x391169d6> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:5d.02.75.8c.54.8f.49.78.80.ec.54.82.e4.5d.72.3c.00.00.00.00]> < 17 04 00 36>]
Sep 13 19:57:54 ezekiel pppd[13795]: sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614> < 17 04 00 36>]
Sep 13 19:57:54 ezekiel pppd[13795]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xa7c92e95> <pcomp> <accomp>]
Sep 13 19:57:54 ezekiel pppd[13795]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x391169d6> <pcomp> <accomp> <endpoint [local:5d.02.75.8c.54.8f.49.78.80.ec.54.82.e4.5d.72.3c.00.00.00.00]>]
Sep 13 19:57:54 ezekiel pppd[13795]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic 0x391169d6> <pcomp> <accomp> <endpoint [local:5d.02.75.8c.54.8f.49.78.80.ec.54.82.e4.5d.72.3c.00.00.00.00]>]
Sep 13 19:57:54 ezekiel pppd[13795]: rcvd [CHAP Challenge id=0x0 <3239a323ac8c43f378d1e4b6543b1566>, name = "ISAA200L"]
Sep 13 19:57:54 ezekiel pppd[13795]: sent [CHAP Response id=0x0 <9f463e2b28c94d673f04c69b5714d8d20000000000000000f383e7a9e2e80fc2023230c9503dd5394fe462c5d12956b700>, name = "WCHSYS1\\jkimble"]
Sep 13 19:58:03 ezekiel last message repeated 3 times
Sep 13 19:58:03 ezekiel pppd[13795]: rcvd [CHAP Failure id=0x0 "E=649 R=0 "]
Sep 13 19:58:03 ezekiel pppd[13795]: Remote message: Unknown authentication failure: E=649 R=0
Sep 13 19:58:03 ezekiel pppd[13795]: CHAP authentication failed
Sep 13 19:58:03 ezekiel pppd[13795]: sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Sep 13 19:58:03 ezekiel pppd[13795]: rcvd [LCP TermReq id=0x3 "9\021i\37777777726\000<\37777777715t\000\000\002\37777777611"]
Sep 13 19:58:03 ezekiel pppd[13795]: sent [LCP TermAck id=0x3]
Sep 13 19:58:03 ezekiel pppd[13795]: rcvd [LCP TermAck id=0x2 "Failed to authenticate ourselves to peer"]
Sep 13 19:58:03 ezekiel pppd[13795]: Connection terminated.
Sep 13 19:58:03 ezekiel pppd[13795]: Waiting for 1 child processes...
Sep 13 19:58:03 ezekiel pppd[13795]: script pptp 65.41.59.224 --nolaunchpppd, pid 13796

The problem appears to be a CHAP authentication error. Everything I've read
says this is always a password, domain, username problem, or four slashes
in the domain username combination <domain>\\\\<username> rather than two.

These things are not the problem here. Can anyone make any other suggestions??

One thing I don't understand is how the MS machine can authenticate by
machine name when I'm not giving my machine name. Does it default to the
hostname of my home machine and is that why I'm not getting past CHAP? If
that's the case how do I make it see a different machine name?

If the machine name is not necessary for VPN what else could be going on?

Any help would be greatly appreciated.

James Kimble
 
/dev/rob0
      09-14-2003, 03:41 AM
In article <(E-Mail Removed) >,
James Kimble wrote:
> I downloaded pptp and pptpconfig and installed them with no problems.
> I enter the pertinent information into pptpconfig using the MPPE encryption


Did you apply all the patches to support MPPE? I guess they have RPM's
with patched binaries. Poptop and pptpclient documentation is so Red-
Hat-centric as to be useless for anyone else, but I guess since you're
using Red Hat it must be good for you. Anyway, did you follow their
steps to verify that you have MPPE support both in the kernel and in
pppd?

(Look that up ... I've never used pptpclient so I'm not sure that it
requires kernel support.)

> Sep 13 19:57:54 ezekiel pppd[13795]: sent [LCP ConfAck id=0x1 <auth chap MS-v2>


Okay, this looks like your pppd understands chapms-v2.

> Sep 13 19:57:54 ezekiel pppd[13795]: rcvd [CHAP Challenge id=0x0 <3239a323ac8c43f378d1e4b6543b1566>, name = "ISAA200L"]
> Sep 13 19:57:54 ezekiel pppd[13795]: sent [CHAP Response id=0x0 <9f463e2b28c94d673f04c69b5714d8d20000000000000000f383e7a9e2e80fc2023230c9503dd5394fe462c5d12956b700>, name = "WCHSYS1\\jkimble"]


Here's the authentication dialogue. You're sending the username
"WCHSYS1\\jkimble" to the remote. Is it configured to allow access for
such a user? Password double-checked?

Yes, in Windows terms "WCHSYS1\\jkimble" translates to "WCHSYS1\jkimble"
(NT domain "WCHSYS1", username "jkimble".)

> Sep 13 19:58:03 ezekiel pppd[13795]: Remote message: Unknown authentication failure: E=649 R=0


Here's the server's error code. You could try searching the MS Knowledge
Base for that. Or ... call MS Product Support.

> The problem appears to be a CHAP authentication error. Everything I've read
> says this is always a password, domain, username problem, or four slashes
> in the domain username combination <domain>\\\\<username> rather than two.


Yes. I think the correct number of backslashes is two, because the first
quotes (escapes) the second, sending one for real.

> These things are not the problem here. Can anyone make any other suggestions??


On the client end you know you're being rejected for CHAP authentication
failure. Perhaps the problem is on the server?

I don't know anything at all about running a Windows PPTP server. I do,
however, run numerous pptpd's on Linux. Of course if you had Linux on
the other end you wouldn't be stuck using PPTP at all!

> One thing I don't understand is how the MS machine can authenticate by
> machine name when I'm not giving my machine name. Does it default to the


You have
name "WCHSYS1\\jkimble"
in your pppd options and in your /etc/ppp/chap-secrets, correct?

> hostname of my home machine and is that why I'm not getting past CHAP? If
> that's the case how do I make it see a different machine name?


Edit your pppd options and chap-secrets; send a "name" associated with a
username and password which will be accepted on the server.

> If the machine name is not necessary for VPN what else could be going on?


Again I would not know what the Windows server wants. You might get some
help there in a microsoft.* newsgroup.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
 
 
Clifford Kite
      09-14-2003, 08:36 PM
James Kimble <(E-Mail Removed)> wrote:
> I'm trying to set up a VPN from my RH 8.0 machine to a Windows 2K system
> at my work. The Windows 2K side is working with other Windows machines.


> I downloaded pptp and pptpconfig and installed them with no problems.
> I enter the pertinent information into pptpconfig using the MPPE encryption
> option, but when I try to connect I get the following:


> Sep 13 19:57:53 ezekiel pppd[13795]: pppd 2.4.2b3 started by jkimble, uid 0
> Sep 13 19:57:53 ezekiel pppd[13795]: using channel 32
> Sep 13 19:57:53 ezekiel pppd[13795]: Using interface ppp0
> Sep 13 19:57:53 ezekiel pppd[13795]: Connect: ppp0 <--> /dev/pts/10


[some of log elided]

> Sep 13 19:57:54 ezekiel pppd[13795]: sent [LCP ConfAck id=0x1
> <auth chap MS-v2> <magic 0x391169d6> <pcomp> <accomp> <endpoint
> [local:5d.02.75.8c.54.8f.49.78.80.ec.54.82.e4.5d.72.3c.00.00.00.00]>]
> Sep 13 19:57:54 ezekiel pppd[13795]: rcvd [CHAP Challenge id=0x0
> <3239a323ac8c43f378d1e4b6543b1566>, name = "ISAA200L"]
> Sep 13 19:57:54 ezekiel pppd[13795]: sent [CHAP Response id=0x0
> <9f463e2b28c94d673f04c69b5714d8d20000000000000000f383e7a9e2e80fc2023230c9503dd5394fe462c5d12956b700>,
> name = "WCHSYS1\\jkimble"]
> Sep 13 19:58:03 ezekiel last message repeated 3 times
> Sep 13 19:58:03 ezekiel pppd[13795]: rcvd [CHAP Failure id=0x0 "E=649 R=0 "]


Curious, the message should read " E=649 No dialin permission" for
2.4.2b3, at least according to the README.MSCHAP81 in the source
package of that pppd version. (That README refers the reader to
http://www.ietf.org/rfc/rfc2759.txt for "details of MS-CHAPv2.")

[more of log elided]

> The problem appears to be a CHAP authentication error. Everything
> I've read says this is always a password, domain, username
> problem, or four slashes in the domain username combination
> <domain>\\\\<username> rather than two.


> These things are not the problem here. Can anyone make any other
> suggestions??


How do you know that none of them is the problem? I don't know where you
read that but using 4 '\'s would be unusual, and the secrets file should
be of the form mentioned in the README-MSCHAP80. In particular, using
domain\\customer for the "client" in one of the lines in the chap-secrets
file. In case you haven't read that README here is an extract:

If your RAS server is not the domain controller and is not a 'stand-alone'
server then it must make a query to the domain controller for your domain.

You need to specify the domain name with the user name when you attempt to
use this type of a configuration. The domain name is specified with the
local name in the chap-secrets file and with the option for the 'name'
parameter.

For example, the previous example would become:

DialupNT domain\\customer47 foobar
domain\\customer47 DialupNT foobar

and

pppd name 'domain\\customer47' remotename DialupNT <other options>

or add:

name domain\\customer47
remotename DialupNT

when the Windows NT domain name is simply called 'domain'.

(I have my doubts about the necessity of the first secrets line - at
least for MS-CHAP version 1, but not any doubts about the second
one or the remotename option for that version.)

In version 1 of MS-CHAP the Challenge did not include the name of the
challenger, but that seems to have changed in version 2. So

domain\\customer47 ISAA200L <Your_secret>

may be necessary, and perhaps sans the "remotename ISAA200L" option.

The new authentication process for version 2 is more complex than for
version 1. You might want to check out rfc2795 yourself. It looks like
rfc2759 uses the word password to mean the secret.

> One thing I don't understand is how the MS machine can authenticate by
> machine name when I'm not giving my machine name. Does it default to the


I think that WCHSYS1\\jkimble *is* your machine name as far as the remote
is concerned - but take that with a grain or more of salt, I know little
of MS ways.

I hope someone who has actually used version 2 successfully replies to
your post so we both can find out just what is required...

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* Better is the enemy of good enough. */
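
The "E=649 R=0" string discussed in the reply above follows the MS-CHAPv2 Failure packet format in RFC 2759 ("E=eeeeeeeeee R=r C=cccc... V=vvvvvvvvvv M=<msg>"). As an added example that is not part of the original thread, this Python sketch pulls CHAP Failure lines out of a pppd debug log and decodes the RFC 2759 error code. The function names and the "kind" grouping are this example's own, and the second failure line in the sample is constructed.

```python
import re

# Error codes listed for the Failure packet in RFC 2759.
# The second tuple element ("kind") is this example's own triage grouping.
MSCHAP_ERRORS = {
    646: ("ERROR_RESTRICTED_LOGON_HOURS", "account policy"),
    647: ("ERROR_ACCT_DISABLED", "account policy"),
    648: ("ERROR_PASSWD_EXPIRED", "account policy"),
    649: ("ERROR_NO_DIALIN_PERMISSION", "account policy"),
    691: ("ERROR_AUTHENTICATION_FAILURE", "credentials"),
    709: ("ERROR_CHANGING_PASSWORD", "password change"),
}

FAILURE_RE = re.compile(r'rcvd \[CHAP Failure id=0x[0-9a-f]+ "([^"]*)"\]')
FIELD_RE = re.compile(r'\b([ERCV])=(\S+)')

# First two lines are from the thread; the last failure line is constructed.
SAMPLE_LOG = [
    'Sep 13 19:58:03 ezekiel pppd[13795]: rcvd [CHAP Failure id=0x0 "E=649 R=0 "]',
    'Sep 13 19:58:03 ezekiel pppd[13795]: CHAP authentication failed',
    'Jan  1 00:00:00 host pppd[1]: rcvd [CHAP Failure id=0x1 '
    '"E=691 R=1 C=000102030405060708090a0b0c0d0e0f V=3 M=Access denied"]',
]

def parse_failure(message):
    """Decode an MS-CHAPv2 failure string; C, V and M may be absent."""
    head, _, text = message.partition(" M=")
    fields = dict(FIELD_RE.findall(head))
    if not fields.get("E", "").isdigit():
        return None
    code = int(fields["E"])
    name, kind = MSCHAP_ERRORS.get(code, ("UNKNOWN", "unknown"))
    return {
        "code": code, "name": name, "kind": kind,
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "text": text.strip() or None,
    }

def failures_in_log(lines):
    """Return one decoded dict per CHAP Failure line found in the log."""
    out = []
    for line in lines:
        m = FAILURE_RE.search(line)
        parsed = parse_failure(m.group(1)) if m else None
        if parsed:
            out.append(parsed)
    return out

if __name__ == "__main__":
    for f in failures_in_log(SAMPLE_LOG):
        print(f["code"], f["name"], "-", f["kind"], "- retry:", f["retry_allowed"])
```

A 649 is the server reporting an account restriction rather than a bad secret, so the place to look is the account's settings on the server, not chap-secrets.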
 
 
James Kimble
      09-16-2003, 05:09 PM
After fighting this silly thing for several days I went back to the MS Domain
server (NT) and checked my User profile. I didn't have dial in privileges so
I was not authenticated when I connected. We have a Shiva dial up server that
logs us into the local TCP/IP network and I just telnet to the UNIX box (where
I live) so I never realized I wasn't authenticated on the M$ network (didn't
care either). After giving myself dial-up privileges everything worked
great. Thanks for all your suggestions,

James Kimble





 