pptp woes

Steve Holdoway, 07-10-2003, 09:13 PM

Hi There,

I'm trying to access a couple of sites using a pptp based vpn. I've
got this up and running using a patched 2.4.20 kernel, and pppd 2.4.1.

The problem I've got is rather weird. I've got one site that I connect
to, and it connects with MSCHAP V2/MPPE 128/MPPC compression. I've got
another one, which I can't connect to, and it is using MSCHAP/MPPE
40/No compression. It refuses to authenticate, even though the correct
passwords are in the chap secrets file.

So how come I can connect to the difficult one, but the easy one
fails???

Here's an extract from the log...


Jul 10 16:45:01 linux pptp[23104]:
log[pptp_dispatch_ctrl_packetptp_ctrl.c:580]: Client connection
established.
Jul 10 16:45:03 linux pptp[23104]:
log[pptp_dispatch_ctrl_packetptp_ctrl.c:708]: Outgoing call
established (call ID 0, peer's call ID 58).
Jul 10 16:45:03 linux pppd[23132]: pppd 2.4.1 started by root, uid 0
Jul 10 16:45:03 linux pppd[23132]: using channel 586
Jul 10 16:45:03 linux pppd[23132]: Using interface ppp0
Jul 10 16:45:03 linux pppd[23132]: Connect: ppp0 <--> /dev/pts/3
Jul 10 16:45:03 linux pppd[23132]: sent [LCP ConfReq id=0x1 <mru 1458>
<asyncmap 0x0> <magic 0x67890> <pcomp> <accomp>]
Jul 10 16:45:05 linux pppd[23132]: rcvd [LCP ConfReq id=0x1 <auth chap
m$oft> <magic 0x12345>]
Jul 10 16:45:05 linux pppd[23132]: sent [LCP ConfAck id=0x1 <auth chap
m$oft> <magic 0x12345>]
Jul 10 16:45:05 linux pppd[23132]: rcvd [LCP
ConfRej id=0x1 <mru 1458> <asyncmap 0x0> <pcomp> <accomp>]
Jul 10 16:45:05 linux pppd[23132]: sent [LCP ConfReq id=0x2 <magic
0x67890>]
Jul 10 16:45:06 linux pppd[23132]: rcvd [LCP ConfAck id=0x2 <magic
0x67890>]
Jul 10 16:45:06 linux pppd[23132]: sent [LCP EchoReq id=0x0
magic=0x67890]
Jul 10 16:45:06 linux pppd[23132]: cbcp_lowerup
Jul 10 16:45:06 linux pppd[23132]: want: 2
Jul 10 16:45:06 linux pppd[23132]: rcvd [CHAP Challenge id=0x1
<52bdfe0b150>, name = ""]
Jul 10 16:45:06 linux pppd[23132]: sent [CHAP Response id=0x1
<81e0f93...GREAT BIG LONG NUMBER...beb8fe96201>, name = "MyUser"]
Jul 10 16:45:07 linux pppd[23132]: rcvd [LCP EchoRep id=0x0
magic=0x67890]
Jul 10 16:45:07 linux pppd[23132]: rcvd [CHAP Failure id=0x1
"Authentication failed."]
Jul 10 16:45:07 linux pppd[23132]: Remote message: Authentication
failed.
Jul 10 16:45:07 linux pppd[23132]: CHAP authentication failed
Jul 10 16:45:07 linux pppd[23132]: cbcp_lowerdown
Jul 10 16:45:07 linux pppd[23132]: sent [LCP TermReq id=0x3 "Failed to
authenticate ourselves to peer"]
Jul 10 16:45:07 linux pppd[23132]: rcvd [LCP TermReq id=0x2
"Authentication failed"]
Jul 10 16:45:07 linux pppd[23132]: sent [LCP TermAck id=0x2]
Jul 10 16:45:08 linux pppd[23132]: rcvd [LCP TermAck id=0x3]
Jul 10 16:45:08 linux pppd[23132]: Connection terminated.
Jul 10 16:45:09 linux pppd[23132]: Exit.

Are there any options that need to be enabled in the
options.pptp/peers file for MSCHAP/MPPE 40 alone? I've got

mppe-40
mppe-128
mppe-stateless

but no specific authentication.

TIA,

Steve

 

Clifford Kite, 07-11-2003, 01:01 PM

Steve Holdoway <(E-Mail Removed)> wrote:

> I'm trying to access a couple of sites using a pptp based vpn. I've
> got this up and running using a patched 2.4.20 kernel, and pppd 2.4.1.


> The problem I've got is rather weird. I've got one site that I connect
> to, and it connects with MSCHAP V2/MPPE 128/MPPC compression. I've got
> another one, which I can't connect to, and it is using MSCHAP/MPPE
> 40/No compression. It refuses to authenticate, even though the correct
> passwords are in the chap secrets file.


Negotiating MPPE never even began. It's not a part of the authentication
problem. If this pppd 2.4.1 has MPPE capability then it's been modified;
the standard pppd 2.4.1 doesn't have MPPE implemented.

> So how come I can connect to the difficult one, but the easy one
> fails???


> Here's an extract from the log...


> Jul 10 16:45:01 linux pptp[23104]:
> log[pptp_dispatch_ctrl_packetptp_ctrl.c:580]: Client connection
> established.
> Jul 10 16:45:03 linux pptp[23104]:
> log[pptp_dispatch_ctrl_packetptp_ctrl.c:708]: Outgoing call
> established (call ID 0, peer's call ID 58).
> Jul 10 16:45:03 linux pppd[23132]: pppd 2.4.1 started by root, uid 0
> Jul 10 16:45:03 linux pppd[23132]: using channel 586
> Jul 10 16:45:03 linux pppd[23132]: Using interface ppp0
> Jul 10 16:45:03 linux pppd[23132]: Connect: ppp0 <--> /dev/pts/3
> Jul 10 16:45:03 linux pppd[23132]: sent [LCP ConfReq id=0x1 <mru 1458>
> <asyncmap 0x0> <magic 0x67890> <pcomp> <accomp>]


Is requesting an MRU of 1458 a PPTP related thing? Could you have meant
to specify a MTU of 1458 instead? The peer rejected that MRU (along with
everything else except magic numbers) so pppd will use the PPP default
(1500) for its MTU. I don't think this has anything to do with the
authentication problem, I'm just curious.

> Jul 10 16:45:05 linux pppd[23132]: rcvd [LCP ConfReq id=0x1 <auth chap
> m$oft> <magic 0x12345>]
> Jul 10 16:45:05 linux pppd[23132]: sent [LCP ConfAck id=0x1 <auth chap
> m$oft> <magic 0x12345>]
> Jul 10 16:45:05 linux pppd[23132]: rcvd [LCP
> ConfRej id=0x1 <mru 1458> <asyncmap 0x0> <pcomp> <accomp>]
> Jul 10 16:45:05 linux pppd[23132]: sent [LCP ConfReq id=0x2 <magic
> 0x67890>]
> Jul 10 16:45:06 linux pppd[23132]: rcvd [LCP ConfAck id=0x2 <magic
> 0x67890>]
> Jul 10 16:45:06 linux pppd[23132]: sent [LCP EchoReq id=0x0
> magic=0x67890]
> Jul 10 16:45:06 linux pppd[23132]: rcvd [CHAP Challenge id=0x1
> <52bdfe0b150>, name = ""]
> Jul 10 16:45:06 linux pppd[23132]: sent [CHAP Response id=0x1
> <81e0f93...GREAT BIG LONG NUMBER...beb8fe96201>, name = "MyUser"]
> Jul 10 16:45:07 linux pppd[23132]: rcvd [LCP EchoRep id=0x0
> magic=0x67890]
> Jul 10 16:45:07 linux pppd[23132]: rcvd [CHAP Failure id=0x1
> "Authentication failed."]
> Jul 10 16:45:07 linux pppd[23132]: Remote message: Authentication
> failed.
> Jul 10 16:45:07 linux pppd[23132]: CHAP authentication failed


Do you need to specify a "domain controller" as a part of your
username for this site? From the README.MSCHAP80 in the standard
pppd source tree:

DialupNT domain\\customer47 foobar
domain\\customer47 DialupNT foobar

and

pppd name 'domain\\customer47' remotename DialupNT <other options>

where the first two lines are in chap-secrets and domain is the name
of the domain controller. DialupNT is an arbitrarily chosen name and
foobar is the secret. Read the above mentioned file for more details.

> Are there any options that need to be enabled in the
> options.pptp/peers file for MSCHAP/MPPE 40 alone? I've got


> mppe-40
> mppe-128
> mppe-stateless


> but no specific authentication.


MPPE has nothing to do with authentication, although a connection can
be expected to fail if MS CCP is requested and is rejected. MS CCP is
patented and requires a license, so it's not implemented. The next
standard pppd version will implement the MPPE part however.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
 

Steve Holdoway, 07-13-2003, 01:13 PM

Hi Clifford, thanks for the feedback...

On Fri, 11 Jul 2003 08:01:23 -0500, Clifford Kite
<(E-Mail Removed)> wrote:

>Steve Holdoway <(E-Mail Removed)> wrote:
>
>> I'm trying to access a couple of sites using a pptp based vpn. I've
>> got this up and running using a patched 2.4.20 kernel, and pppd 2.4.1.

>
>> The problem I've got is rather weird. I've got one site that I connect
>> to, and it connects with MSCHAP V2/MPPE 128/MPPC compression. I've got
>> another one, which I can't connect to, and it is using MSCHAP/MPPE
>> 40/No compression. It refuses to authenticate, even though the correct
>> passwords are in the chap secrets file.

>
>Negotiating MPPE never even began. It's not a part of the authentication
>problem. If this pppd 2.4.1 has MPPE capability then it's been modified;
>the standard pppd 2.4.1 doesn't have MPPE implemented.
>

Yes, it's a modified pppd.
>> So how come I can connect to the difficult one, but the easy one
>> fails???

>
>> Here's an extract from the log...

>
>> Jul 10 16:45:01 linux pptp[23104]:
>> log[pptp_dispatch_ctrl_packetptp_ctrl.c:580]: Client connection
>> established.
>> Jul 10 16:45:03 linux pptp[23104]:
>> log[pptp_dispatch_ctrl_packetptp_ctrl.c:708]: Outgoing call
>> established (call ID 0, peer's call ID 58).
>> Jul 10 16:45:03 linux pppd[23132]: pppd 2.4.1 started by root, uid 0
>> Jul 10 16:45:03 linux pppd[23132]: using channel 586
>> Jul 10 16:45:03 linux pppd[23132]: Using interface ppp0
>> Jul 10 16:45:03 linux pppd[23132]: Connect: ppp0 <--> /dev/pts/3
>> Jul 10 16:45:03 linux pppd[23132]: sent [LCP ConfReq id=0x1 <mru 1458>
>> <asyncmap 0x0> <magic 0x67890> <pcomp> <accomp>]

>
>Is requesting an MRU of 1458 a PPTP related thing? Could you have meant
>to specify a MTU of 1458 instead? The peer rejected that MRU (along with
>everything else except magic numbers) so pppd will use the PPP default
>(1500) for its MTU. I don't think this has anything to do with the
>authentication problem, I'm just curious.

It's a performance thing I read somewhere.
>
>> Jul 10 16:45:05 linux pppd[23132]: rcvd [LCP ConfReq id=0x1 <auth chap
>> m$oft> <magic 0x12345>]
>> Jul 10 16:45:05 linux pppd[23132]: sent [LCP ConfAck id=0x1 <auth chap
>> m$oft> <magic 0x12345>]
>> Jul 10 16:45:05 linux pppd[23132]: rcvd [LCP
>> ConfRej id=0x1 <mru 1458> <asyncmap 0x0> <pcomp> <accomp>]
>> Jul 10 16:45:05 linux pppd[23132]: sent [LCP ConfReq id=0x2 <magic
>> 0x67890>]
>> Jul 10 16:45:06 linux pppd[23132]: rcvd [LCP ConfAck id=0x2 <magic
>> 0x67890>]
>> Jul 10 16:45:06 linux pppd[23132]: sent [LCP EchoReq id=0x0
>> magic=0x67890]
>> Jul 10 16:45:06 linux pppd[23132]: rcvd [CHAP Challenge id=0x1
>> <52bdfe0b150>, name = ""]
>> Jul 10 16:45:06 linux pppd[23132]: sent [CHAP Response id=0x1
>> <81e0f93...GREAT BIG LONG NUMBER...beb8fe96201>, name = "MyUser"]
>> Jul 10 16:45:07 linux pppd[23132]: rcvd [LCP EchoRep id=0x0
>> magic=0x67890]
>> Jul 10 16:45:07 linux pppd[23132]: rcvd [CHAP Failure id=0x1
>> "Authentication failed."]
>> Jul 10 16:45:07 linux pppd[23132]: Remote message: Authentication
>> failed.
>> Jul 10 16:45:07 linux pppd[23132]: CHAP authentication failed

>
>Do you need to specify a "domain controller" as a part of your
>username for this site? From the README.MSCHAP80 in the standard
>pppd source tree:
>
> DialupNT domain\\customer47 foobar
> domain\\customer47 DialupNT foobar
>
>and
>
> pppd name 'domain\\customer47' remotename DialupNT <other options>
>
>where the first two lines are in chap-secrets and domain is the name
>of the domain controller. DialupNT is an arbitrarily chosen name and
>foobar is the secret. Read the above mentioned file for more details.
>

I'm trying to cross-reference from the MS vpn client which works, and
that has no domain defined.
>> Are there any options that need to be enabled in the
>> options.pptp/peers file for MSCHAP/MPPE 40 alone? I've got

>
>> mppe-40
>> mppe-128
>> mppe-stateless

>
>> but no specific authentication.

>
>MPPE has nothing to do with authentication, although a connection can
>be expected to fail if MS CCP is requested and is rejected. MS CCP is
>patented and requires a license, so it's not implemented. The next
>standard pppd version will implement the MPPE part however.

I'm still confused. If I don't specify a domain, will the client pick
up the first entry in the secrets file that matches the user,
regardless of domain??

If I stick on debugging, this is what I get...

Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Challenge id=0x1
<a94003f89dc365a8>, name = "MyUser"]
Jul 10 13:51:36 linux pppd[14360]: rcvd [CHAP Challenge id=0x1
<207078f28ffb6aaf>, name = ""]
Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Response id=0x1
<longnumber>, name = "MyUser"]
Jul 10 13:51:36 linux pppd[14360]: rcvd [LCP EchoRep id=0x0
magic=0x5a2fd441]
Jul 10 13:51:36 linux pppd[14360]: rcvd [CHAP Response id=0x1
<anotherlongnumber>, name = ""]
Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Failure id=0x1 "I don't
like you. Go 'way."]
Jul 10 13:51:36 linux pppd[14360]: MSCHAP peer authentication failed
for remote host

...which looks like I'm telling the server to go 'way! Am I right??


Steve

 

Clifford Kite, 07-13-2003, 05:23 PM

Steve Holdoway <(E-Mail Removed)> wrote:
> On Fri, 11 Jul 2003 08:01:23 -0500, Clifford Kite
> <(E-Mail Removed)> wrote:
>>Steve Holdoway <(E-Mail Removed)> wrote:


>>> 40/No compression. It refuses to authenticate, even though the correct
>>> passwords are in the chap secrets file.


I missed this. Does this mean that the site is supposed to authenticate
itself to you, rather than you authenticate yourself to it? I always
assume that if you are initiating the connection then the peer will want
you to authenticate yourself to it. It doesn't have to be that way, but
for a regular PPP connection to an ISP it always is.

>>Negotiating MPPE never even began. It's not a part of the authentication
>>problem. If this pppd 2.4.1 has MPPE capability then it's been modified;
>>the standard pppd 2.4.1 doesn't have MPPE implemented.
>>

> Yes, it's a modified pppd.




>>Is requesting an MRU of 1458 a PPTP related thing? Could you have meant
>>to specify a MTU of 1458 instead? The peer rejected that MRU (along with
>>everything else except magic numbers) so pppd will use the PPP default
>>(1500) for its MTU. I don't think this has anything to do with the
>>authentication problem, I'm just curious.

> It's a performance thing I read somewhere.


Thanks.

>>Do you need to specify a "domain controller" as a part of your
>>username for this site?

> I'm trying to cross-reference from the MS vpn client which works, and
> that has no domain defined.


Okay, I've got no experience with VPN, much less MS VPN, which I guess must
use pppd-mppe/PPTP, so whatever is specific to that is beyond my ken.
In particular I have no idea what "cross-reference from the MS vpn
client which works" means.

> I'm still confused. If I don't specify a domain, will the client pick
> up the first entry in the secrets file that matches the user,
> regardless of domain??


Now I'm confused too. If by "client" you mean a side authenticating
itself to the other side and by "user" you mean the name by which the
other side knows the client, then yes. I know that "domain controller"
is a MS RAS thing but not much more. If there is no MS RAS involved
then there is likely no domain to specify.

> If I stick on debugging, this is what I get...


> Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Challenge id=0x1
> <a94003f89dc365a8>, name = "MyUser"]


This is from pppd.

> Jul 10 13:51:36 linux pppd[14360]: rcvd [CHAP Challenge id=0x1
> <207078f28ffb6aaf>, name = ""]


This is from the other side. Note the absence of a name (name = "").

Each side is requesting that the other side authenticate itself with
MS CHAP.

> Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Response id=0x1
> <longnumber>, name = "MyUser"]
> Jul 10 13:51:36 linux pppd[14360]: rcvd [LCP EchoRep id=0x0
> magic=0x5a2fd441]
> Jul 10 13:51:36 linux pppd[14360]: rcvd [CHAP Response id=0x1
> <anotherlongnumber>, name = ""]
> Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Failure id=0x1 "I don't
> like you. Go 'way."]
> Jul 10 13:51:36 linux pppd[14360]: MSCHAP peer authentication failed
> for remote host


> ...which looks like I'm telling the server to go 'way! Am I right??


Correct. But you refer to the other end as "the server" and to me
that strongly suggests that it would not authenticate itself to you,
as explained above - despite that it tried to do so is implied by
the CHAP Response from it above.

The chap-secrets file configured with

OtherSide your_username foobar
your_username OtherSide foobar

and using

pppd name your_username remotename OtherSide <other options>

should work, provided the pppd option "require-mschap" is removed.
That this option is used is implied by the CHAP Challenge from pppd.

Your account name at the other side replaces your_username, the real
secret replaces foobar, and OtherSide is an arbitrarily chosen string.

---
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* "PPPoE has many advantages for DSL service providers, and
practically none for DSL consumers."
- David F. Skoll */
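As an added example (not code from this thread, from pppd, or from either poster), here is a small Python tool covering the two points the replies make: the chap-secrets lookups (the README.MSCHAP80 `domain\\customer47` lines Clifford quoted in his first reply and the `OtherSide`/`your_username` lines in this one) and the direction of the CHAP exchange in Steve's debug log. It assumes pppd's `sent/rcvd [CHAP ...]` log format as it appears in the thread and a simplified model of pppd's chap-secrets matching (whitespace-separated fields, optional double quotes, backslash escaping the next character, `*` as a wildcard, an exact name match preferred over a wildcard); the sample log lines and secrets texts are constructed from the thread's own extracts, rejoined to one record per line.

```python
"""Added example (not from this thread or from pppd): classify the CHAP
exchange in a pppd log and look up chap-secrets entries. Assumes the
"sent/rcvd [CHAP ...]" log format shown in the thread and a simplified model of
pppd's chap-secrets matching (see _tokenize and find_secret)."""
import re

CHAP_RE = re.compile(
    r'pppd\[\d+\]: (?P<dir>sent|rcvd) \[CHAP '
    r'(?P<kind>Challenge|Response|Success|Failure) id=0x[0-9a-fA-F]+'
    r'(?: <[^>]*>)?(?:, name = "(?P<name>[^"]*)")?(?: "(?P<msg>[^"]*)")?\]')

def parse_chap_events(log_lines):
    """Return (direction, kind, name, message) for every CHAP record."""
    found = (CHAP_RE.search(line) for line in log_lines)
    return [(m['dir'], m['kind'], m['name'], m['msg']) for m in found if m]

def diagnose(log_lines):
    """Work out which side demanded authentication and which side refused."""
    ev = parse_chap_events(log_lines)
    sent = {kind for d, kind, _, _ in ev if d == 'sent'}
    rcvd = {kind for d, kind, _, _ in ev if d == 'rcvd'}
    report = {
        'we_must_authenticate': 'Challenge' in rcvd,  # the peer challenged us
        'we_demand_peer_auth': 'Challenge' in sent,   # our pppd challenged the peer
        'peer_rejected_us': 'Failure' in rcvd,
        'we_rejected_peer': 'Failure' in sent,
        # names the peer put in its own Challenge/Response packets
        'peer_names': sorted({n for d, _, n, _ in ev if d == 'rcvd' and n is not None}),
        'hints': []}
    if report['peer_rejected_us']:
        report['hints'].append('peer refused our response: check the chap-secrets line '
                               'whose client is our "name" and server is "remotename" or *')
    if report['we_demand_peer_auth'] and report['we_rejected_peer']:
        report['hints'].append('our pppd demanded that the peer authenticate and rejected '
                               'it: drop auth/require-* or add a line for the peer name')
    return report

def _tokenize(line):
    """Split one chap-secrets line: whitespace-separated, optional double quotes,
    backslash escapes the next character, # starts a comment (simplified getword())."""
    tokens, cur, quoted, i = [], None, False, 0
    while i < len(line):
        c = line[i]
        if c == '\\' and i + 1 < len(line):
            cur, i = (cur or '') + line[i + 1], i + 2
        elif c == '"':
            cur, quoted, i = cur or '', not quoted, i + 1
        elif c == '#' and not quoted and cur is None:
            break
        elif c.isspace() and not quoted:
            if cur is not None:
                tokens.append(cur)
            cur, i = None, i + 1
        else:
            cur, i = (cur or '') + c, i + 1
    if cur is not None:
        tokens.append(cur)
    return tokens

def parse_chap_secrets(text):
    """Return one dict per line with client, server, secret and trailing addresses."""
    rows = (_tokenize(line) for line in text.splitlines())
    return [{'client': t[0], 'server': t[1], 'secret': t[2], 'addrs': t[3:]}
            for t in rows if len(t) >= 3]

def find_secret(entries, client, server):
    """Best-matching secret: an exact name beats "*"; None when no line fits."""
    best, best_score = None, -1
    for e in entries:
        score = 0
        for want, have in ((client, e['client']), (server, e['server'])):
            if have == want:
                score += 2
            elif have == '*':
                score += 1
            else:
                score = -1
                break
        if score > best_score:
            best, best_score = e, score
    return best['secret'] if best else None

# Constructed samples: the thread's two log extracts, rejoined to one record
# per line, and the two chap-secrets examples quoted in the replies.
LOG_FIRST_ATTEMPT = [
    'Jul 10 16:45:06 linux pppd[23132]: rcvd [CHAP Challenge id=0x1 <52bdfe0b150>, name = ""]',
    'Jul 10 16:45:06 linux pppd[23132]: sent [CHAP Response id=0x1 <81e0f93...beb8fe96201>, name = "MyUser"]',
    'Jul 10 16:45:07 linux pppd[23132]: rcvd [LCP EchoRep id=0x0 magic=0x67890]',
    'Jul 10 16:45:07 linux pppd[23132]: rcvd [CHAP Failure id=0x1 "Authentication failed."]']
LOG_WITH_DEBUG = [
    'Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Challenge id=0x1 <a94003f89dc365a8>, name = "MyUser"]',
    'Jul 10 13:51:36 linux pppd[14360]: rcvd [CHAP Challenge id=0x1 <207078f28ffb6aaf>, name = ""]',
    'Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Response id=0x1 <longnumber>, name = "MyUser"]',
    'Jul 10 13:51:36 linux pppd[14360]: rcvd [CHAP Response id=0x1 <anotherlongnumber>, name = ""]',
    'Jul 10 13:51:36 linux pppd[14360]: sent [CHAP Failure id=0x1 "I don\'t like you. Go \'way."]']
README_SECRETS = r"""# client           server             secret   (README.MSCHAP80 example)
DialupNT           domain\\customer47 foobar
domain\\customer47 DialupNT           foobar
"""
OTHERSIDE_SECRETS = """OtherSide     your_username foobar
your_username OtherSide     foobar
"""

if __name__ == '__main__':
    for label, log in (('first attempt', LOG_FIRST_ATTEMPT), ('with debug', LOG_WITH_DEBUG)):
        print(label, diagnose(log))
    print(find_secret(parse_chap_secrets(README_SECRETS), r'domain\customer47', 'DialupNT'))
    print(find_secret(parse_chap_secrets(OTHERSIDE_SECRETS), '', 'your_username'))
```

Run on the first extract, `diagnose` reports only that the peer challenged us and then sent the Failure, so the place to look is the chap-secrets line for our own name against `remotename`. Run on the debug extract, it reports that the local pppd both challenged the peer and sent the Failure, which is the symptom Clifford attributes to `require-mschap`. The lookup side shows why that direction cannot succeed as configured: the peer presents an empty name, and `find_secret` on the `OtherSide` entries returns nothing for a client of `""` unless a wildcard client line exists. The double backslash in the README lines is also worth noting: because backslash is an escape in the file, `domain\\customer47` on disk is the single-backslash name `domain\customer47` that is matched.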
 