PPTP: no proper LCP negotiation?

Hi out there,
I´m trying to (re)build our VPN-gateway for Roadwarriors. First
everything seemed to be fine: win2k and WinXP clients from outside
could connect as usual.
But then the first windows mobile 5 device came knocking on gateways
door and doesn´t come in.

conditions are as follows:
gentoo, kernel 2.6.16 with pptpd 1.2.3, pppd 2.4.2

/var/log/messages says:

Feb 3 13:30:02 vger pppd[15639]: pppd options in effect:
Feb 3 13:30:02 vger pppd[15639]: debug # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: nologfd # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: dump # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: require-mschap-v2 # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: refuse-pap # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: refuse-chap # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: refuse-mschap # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: refuse-eap # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: name vger # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: 115200 # (from command
line)
Feb 3 13:30:02 vger pppd[15639]: lock # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: local # (from command line)
Feb 3 13:30:02 vger pppd[15639]: mru 1500 # (from
/etc/ppp/options)
Feb 3 13:30:02 vger pppd[15639]: mtu 1500 # (from
/etc/ppp/options)
Feb 3 13:30:02 vger pppd[15639]: -vj # (from
/etc/ppp/options)
Feb 3 13:30:02 vger pppd[15639]: ipparam 80.226.250.97 # (from
command line)
Feb 3 13:30:02 vger pppd[15639]: ms-dns xxx # [don't know how to print
value] # (from /etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: ms-wins xxx # [don't know how to
print value] # (from /etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: 192.168.1.3:192.168.1.71
# (from command line)
Feb 3 13:30:02 vger pppd[15639]: nobsdcomp # (from
/etc/ppp/options)
Feb 3 13:30:02 vger pppd[15639]: nodeflate # (from
/etc/ppp/options)
Feb 3 13:30:02 vger pppd[15639]: require-mppe-128 # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: mppe-stateful # (from
/etc/ppp/options.pptpd)
Feb 3 13:30:02 vger pppd[15639]: pppd 2.4.2 started by root, uid 0

*(after this MS-Chap v2 authentication works fine - acces granted!)

*But NOW:

Feb 3 13:30:07 vger pppd[15639]: sent [CCP ConfReq id=0x1 <mppe +H -M
+S -L -D -C>]

*The server tells the client +H (stateless) and +S (128bit mppe) -
thats right

Feb 3 13:30:07 vger pppd[15639]: rcvd [IPCP ConfReq id=0x0 <addr
0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins
0.0.0.0>]

*Client "asks" for proper DNS & IP, OK

Feb 3 13:30:07 vger pppd[15639]: sent [IPCP TermAck id=0x0]
Feb 3 13:30:07 vger pppd[15639]: rcvd [IPV6CP ConfReq id=0x0 <addr
fe80::0209:2dff:fe7a:5463>]
Feb 3 13:30:07 vger pppd[15639]: Unsupported protocol 0x8057 received
Feb 3 13:30:07 vger pppd[15639]: sent [LCP ProtRej id=0x2 80 57 01 00
00 0e 01 0a 02 09 2d ff fe 7a 54 63]
************************************************** ************************************
*Feb 3 13:30:07 vger pppd[15639]: rcvd [CCP ConfReq id=0x0 <mppe -H -M
-S -L -D -C>]*
************************************************** ************************************

*THAT is the problem: The Client tells his capabilities wrong an the
server rejects it now:

Feb 3 13:30:07 vger pppd[15639]: MPPE required but peer negotiation
failed
Feb 3 13:30:07 vger pppd[15639]: sent [LCP TermReq id=0x3 "MPPE
required but peer negotiation failed"]
Feb 3 13:30:07 vger pppd[15639]: sent [CCP ConfRej id=0x0 <mppe -H -M
-S -L -D -C>]

*it does not negotiate with the client and so the nex LCP-answer: +S
128mppe-able is discarded:

Feb 3 13:30:07 vger pppd[15639]: rcvd [CCP ConfNak id=0x1 <mppe -H -M
+S -L -D -C>]
Feb 3 13:30:07 vger pppd[15639]: Discarded non-LCP packet when LCP not
open

*thats it, connection closed.
*****

Coming from a WindowsXp-machine the things are working and differ:

Feb 3 15:37:18 vger pppd[15797]: sent [CHAP Success id=0xf8
"S=7F90195A610EE1044B0DECF838B2E90A9DAE6013 M=Access granted"]

* Authentication OK, and now the server tells the client first its
capabilities:

Feb 3 15:37:18 vger pppd[15797]: sent [CCP ConfReq id=0x1 <mppe +H -M
+S -L -D -C>]
Feb 3 15:37:18 vger pppd[15797]: rcvd [CCP ConfReq id=0x4 <mppe +H +M
+S +L -D +C>]
Feb 3 15:37:18 vger pppd[15797]: sent [CCP ConfNak id=0x4 <mppe +H -M
+S -L -D -C>]
Feb 3 15:37:18 vger pppd[15797]: rcvd [IPCP ConfReq id=0x5 <addr
0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins
0.0.0.0>]
Feb 3 15:37:18 vger pppd[15797]: sent [IPCP TermAck id=0x5]
Feb 3 15:37:18 vger pppd[15797]: rcvd [CCP ConfAck id=0x1 <mppe +H -M
+S -L -D -C>]
Feb 3 15:37:18 vger pppd[15797]: rcvd [CCP ConfReq id=0x6 <mppe +H -M
+S -L -D -C>]
Feb 3 15:37:18 vger pppd[15797]: sent [CCP ConfAck id=0x6 <mppe +H -M
+S -L -D -C>]

*and they do negotiated as long as it becomes suiteable.

Feb 3 15:37:18 vger pppd[15797]: MPPE 128-bit stateless compression
enabled
Feb 3 15:37:18 vger pppd[15797]: sent [IPCP ConfReq id=0x1 <addr
192.168.1.2>]
Feb 3 15:37:18 vger pppd[15797]: rcvd [IPCP ConfAck id=0x1 <addr
192.168.1.2>]
Feb 3 15:37:19 vger pppd[15797]: rcvd [IPCP ConfReq id=0x7 <addr
0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins
0.0.0.0>]
Feb 3 15:37:19 vger pppd[15797]: sent [IPCP ConfNak id=0x7 <addr
192.168.1.70> <ms-dns1 192.168.0.17> <ms-wins 192.168.0.33> <ms-dns3
192.168.0.33> <ms-wins 192.168.0.33>]
Feb 3 15:37:19 vger pppd[15797]: rcvd [IPCP ConfReq id=0x8 <addr
192.168.1.70> <ms-dns1 192.168.0.17> <ms-wins 192.168.0.33> <ms-dns3
192.168.0.33> <ms-wins 192.168.0.33>]
Feb 3 15:37:19 vger pppd[15797]: sent [IPCP ConfAck id=0x8 <addr
192.168.1.70> <ms-dns1 192.168.0.17> <ms-wins 192.168.0.33> <ms-dns3
192.168.0.33> <ms-wins 192.168.0.33>]
Feb 3 15:37:19 vger pppd[15797]: local IP address 192.168.1.2
Feb 3 15:37:19 vger pppd[15797]: remote IP address 192.168.1.70
Feb 3 15:37:19 vger pppd[15797]: Script /etc/ppp/ip-up started (pid
15802)
Feb 3 15:37:19 vger pppd[15797]: Script /etc/ppp/ip-up finished (pid
15802), status = 0x1

*and the connection is stable.

If I disable "require-mppe-128" the mobile device works fine but
unencrypted.

*before teaching me that there is something wrong in Windows Mobile
PPP-Client (of course it would be helpful to force that client to offer
mppe128 first) I have some remarks:

*- why doesn´t the server negotiate?
*- as you can see, the client has the needed capabilities (mppe +H -M
+S -L -D -C), indeed.
*- why does it work with pppd 2.4.1 on gentoo 2.4.21 as shown below
here:

*optins.pptp:
lock
debug
name vyger
proxyarp
bsdcomp 0
+chapms-v2
mppe-128
mppe-stateless

*/var/log/messages on the old and working gateway during handshake with
windows mobile 5:

12:49:56 vyger pppd[9165]: pppd 2.4.1 started by root, uid 0
Feb 3 12:49:56 vyger pppd[9165]: using channel 246
Feb 3 12:49:56 vyger pppd[9165]: Using interface ppp1
Feb 3 12:49:56 vyger pppd[9165]: Connect: ppp1 <--> /dev/pts/1
Feb 3 12:49:56 vyger pppd[9165]: sent [LCP ConfReq id=0x1 <asyncmap
0x0> <auth chap 81> <magic 0xb7738278> <pcomp> <accomp>]
Feb 3 12:49:57 vyger pptpd[9164]: GRE: Discarding duplicate packet
Feb 3 12:49:57 vyger pppd[9165]: rcvd [LCP ConfAck id=0x1 <asyncmap
0x0> <auth chap 81> <magic 0xb7738278> <pcomp> <accomp>]
Feb 3 12:49:59 vyger pppd[9165]: sent [LCP ConfReq id=0x1 <asyncmap
0x0> <auth chap 81> <magic 0xb7738278> <pcomp> <accomp>]
Feb 3 12:50:00 vyger pppd[9165]: rcvd [LCP ConfReq id=0x0 <mru 1400>
<asyncmap 0x0> <pcomp> <accomp>]
Feb 3 12:50:00 vyger pppd[9165]: sent [LCP ConfAck id=0x0 <mru 1400>
<asyncmap 0x0> <pcomp> <accomp>]
Feb 3 12:50:00 vyger pppd[9165]: rcvd [LCP ConfAck id=0x1 <asyncmap
0x0> <auth chap 81> <magic 0xb7738278> <pcomp> <accomp>]
Feb 3 12:50:00 vyger pppd[9165]: cbcp_lowerup
Feb 3 12:50:00 vyger pppd[9165]: want: 2
Feb 3 12:50:00 vyger pppd[9165]: sent [CHAP Challenge id=0x1
<152208217a3b3eb242daa21d249e5394>, name = "vyger"]
Feb 3 12:50:00 vyger pptpd[9164]: CTRL: Received PPTP Control Message
(type: 15)
Feb 3 12:50:00 vyger pptpd[9164]: CTRL: Ignored a SET LINK INFO packet
with real ACCMs!
Feb 3 12:50:01 vyger pppd[9165]: rcvd [CHAP Response id=0x1 <xyz...>,
name = "name"]
Feb 3 12:50:01 vyger pppd[9165]: sent [CHAP Success id=0x1
"S=ACC359085FFFF1CB03216EECD2993024256185B4"]
Feb 3 12:50:01 vyger pppd[9165]: sent [IPCP ConfReq id=0x1 <addr
192.168.1.1> <compress VJ 0f 01>]
Feb 3 12:50:01 vyger pppd[9165]: sent [CCP ConfReq id=0x1 <deflate 15>
<deflate(old#) 15> <mppe 1 0 0 40>]
Feb 3 12:50:01 vyger pppd[9165]: MSCHAP-v2 peer authentication
succeeded for name
Feb 3 12:50:02 vyger pppd[9165]: rcvd [IPCP ConfReq id=0x0 <addr
0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins
0.0.0.0>]
Feb 3 12:50:02 vyger pppd[9165]: sent [IPCP ConfNak id=0x0 <addr
192.168.1.129> <ms-dns1 192.168.0.33> <ms-wins 192.168.0.33> <ms-dns3
192.168.0.33> <ms-wins 192.168.0.33>]
Feb 3 12:50:02 vyger pppd[9165]: rcvd [proto=0x8057] 01 00 00 0e 01 0a
02 09 2d ff fe 7a 54 63
Feb 3 12:50:02 vyger pppd[9165]: Unsupported protocol 0x8057 received
Feb 3 12:50:02 vyger pppd[9165]: sent [LCP ProtRej id=0x2 80 57 01 00
00 0e 01 0a 02 09 2d ff fe 7a 54 63]
Feb 3 12:50:02 vyger pppd[9165]: rcvd [IPCP ConfRej id=0x1 <compress
VJ 0f 01>]
Feb 3 12:50:02 vyger pppd[9165]: sent [IPCP ConfReq id=0x2 <addr
192.168.1.1>]
Feb 3 12:50:02 vyger pppd[9165]: rcvd [CCP ConfReq id=0x0 <mppe 0 0 0
0>]
Feb 3 12:50:02 vyger pppd[9165]: sent [CCP ConfRej id=0x0 <mppe 0 0 0
0>]
Feb 3 12:50:02 vyger pppd[9165]: rcvd [CCP ConfRej id=0x1 <deflate 15>
<deflate(old#) 15>]
Feb 3 12:50:02 vyger pppd[9165]: sent [CCP ConfReq id=0x2 <mppe 1 0 0
40>]
Feb 3 12:50:02 vyger pppd[9165]: rcvd [IPCP ConfReq id=0x1 <addr
192.168.1.129> <ms-dns1 192.168.0.33> <ms-wins 192.168.0.33> <ms-dns3
192.168.0.33> <ms-wins 192.168.0.33>]
Feb 3 12:50:02 vyger pppd[9165]: sent [IPCP ConfAck id=0x1 <addr
192.168.1.129> <ms-dns1 192.168.0.33> <ms-wins 192.168.0.33> <ms-dns3
192.168.0.33> <ms-wins 192.168.0.33>]
Feb 3 12:50:02 vyger pppd[9165]: rcvd [IPCP ConfAck id=0x2 <addr
192.168.1.1>]
Feb 3 12:50:02 vyger pppd[9165]: Cannot determine ethernet address for
proxy ARP
Feb 3 12:50:02 vyger pppd[9165]: local IP address 192.168.1.1
Feb 3 12:50:02 vyger pppd[9165]: remote IP address 192.168.1.129
Feb 3 12:50:02 vyger pppd[9165]: Script /etc/ppp/ip-up started (pid
9169)
Feb 3 12:50:02 vyger pppd[9165]: rcvd [CCP ConfReq id=0x1]
Feb 3 12:50:02 vyger pppd[9165]: sent [CCP ConfAck id=0x1]
Feb 3 12:50:02 vyger pppd[9165]: Script /etc/ppp/ip-up finished (pid
9169), status = 0x0
Feb 3 12:50:02 vyger pppd[9165]: rcvd [CCP ConfNak id=0x2 <mppe 0 0 0
40>]
Feb 3 12:50:02 vyger pppd[9165]: sent [CCP ConfReq id=0x3 <mppe 0 0 0
40>]
Feb 3 12:50:03 vyger pppd[9165]: rcvd [CCP ConfAck id=0x3 <mppe 0 0 0
40>]
Feb 3 12:50:03 vyger pppd[9165]: MPPE 128 bit, non-stateless receive
compression enabled

*btw: I did not compile pppd with "USE mppe-mppc"

Any idea?

Thanx a lot -
Christian Reichhoff

Hi,
nobody out there with any idea?

So sad - Chris

gpf0815 <(E-Mail Removed)> wrote:
> Hi,
> nobody out there with any idea?

Maybe. Check out this:

http://marc.theaimsgroup.com/?l=linu...1559509914&w=2

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"