VPN - What protocol is used to connect to Windows Server?

Hello,

At the moment I'm working on an application that uses a different
authentication protocol to set up a VPN connection. In order to do this, I
need to talk to a standard, out-of-the-box Windows Server installation, much
like the standard VPN client shipped with Windows XP would do. Unfortunately,
I've been unable to find specifications on how to establish a connection.
Could somebody give me some pointers?
I've already tried logging all the packages send by the standard VPN client
and simply 'replaying' them. However, I got no further than establishing the
TCP connection; the server refuses to respond after I send the first package
with actual data (according to the log I made, the server should reply with a
package containing a couple hundred bytes of data).

Thank you,
Rob van Wijk


(Note: I asked the same question previously in
microsoft.public.win32.programmer.networks but was referred here.)

Rob,

Its been a bit since i reviewed in detail rfc 2637 (PPTP).

Are you replaying the packet from the original machine where the cloned
packet came from? I assume your a examine the data inside the packet your
are sending.


0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | PPTP Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Magic Cookie |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Control Message Type | Reserved0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol Version | Reserved1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Framing Capabilities |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Bearer Capabilities |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Maximum Channels | Firmware Revision |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Host Name (64 octets) +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Vendor String (64 octets) +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


The PPTP message type field should be 1 and the control message type field
should be 1 (Start control connection request) the server should respond
with a PPTP message type 1 and control message type 2 (Start control
connection request).

Let me know if this is helping


"Rob van Wijk" wrote:

>
> Hej Alex,
>
> Thank you for your advice. However, that was not really the area where the
> problem was. The thing that isn't working for me is getting the VPN server to
> respond when I sent it packets. When I log the packets going out/coming in
> over the network, it shows the server _will_ establish a TCP connection, but
> (once the TCP connection is established) it refuses to do anything more (it
> _won't_ send data to me over the TCP connection).
>
> At first I thought it wouldn't matter, but on second thought,the following
> might be important information. I will not be able to use IPSec, it has to be
> PPTP with PAP authentication. (Yes, I'm very well aware that PPTP is
> trivially broken and PAP has no encryption to begin with; however, even after
> explaining this to my boss, he still insists we take this approach. *sigh*)
>
> Grtz,
> Rob van Wijk
>
>
> "alexk" wrote:
>
> > Rob,
> >
> > not sure how much i can help you - VPNs are complex- you first have to
> > decide which tunnel you want to use- for starters if your looking at a new
> > one application- I would use the L2TP protocol with IPSEC. I would review
> > the following link for help setting up the protocol fields.
> >
> > http://www.ietf.org/rfc/rfc3193.txt?number=3193
> >
> > Feel free to respond. With windows the ISAKMP for IPSec is negotiated first
> > with L2TP data tunneled inside of a PPP packet.
> >
>

Hej Alex,

Thank you for your advice. However, that was not really the area where the
problem was. The thing that isn't working for me is getting the VPN server to
respond when I sent it packets. When I log the packets going out/coming in
over the network, it shows the server _will_ establish a TCP connection, but
(once the TCP connection is established) it refuses to do anything more (it
_won't_ send data to me over the TCP connection).

At first I thought it wouldn't matter, but on second thought,the following
might be important information. I will not be able to use IPSec, it has to be
PPTP with PAP authentication. (Yes, I'm very well aware that PPTP is
trivially broken and PAP has no encryption to begin with; however, even after
explaining this to my boss, he still insists we take this approach. *sigh*)

Grtz,
Rob van Wijk


"alexk" wrote:

> Rob,
>
> not sure how much i can help you - VPNs are complex- you first have to
> decide which tunnel you want to use- for starters if your looking at a new
> one application- I would use the L2TP protocol with IPSEC. I would review
> the following link for help setting up the protocol fields.
>
> http://www.ietf.org/rfc/rfc3193.txt?number=3193
>
> Feel free to respond. With windows the ISAKMP for IPSec is negotiated first
> with L2TP data tunneled inside of a PPP packet.
>

Rob,

not sure how much i can help you - VPNs are complex- you first have to
decide which tunnel you want to use- for starters if your looking at a new
one application- I would use the L2TP protocol with IPSEC. I would review
the following link for help setting up the protocol fields.

http://www.ietf.org/rfc/rfc3193.txt?number=3193

Feel free to respond. With windows the ISAKMP for IPSec is negotiated first
with L2TP data tunneled inside of a PPP packet.



"Rob van Wijk" wrote:

> Hello,
>
> At the moment I'm working on an application that uses a different
> authentication protocol to set up a VPN connection. In order to do this, I
> need to talk to a standard, out-of-the-box Windows Server installation, much
> like the standard VPN client shipped with Windows XP would do. Unfortunately,
> I've been unable to find specifications on how to establish a connection.
> Could somebody give me some pointers?
> I've already tried logging all the packages send by the standard VPN client
> and simply 'replaying' them. However, I got no further than establishing the
> TCP connection; the server refuses to respond after I send the first package
> with actual data (according to the log I made, the server should reply with a
> package containing a couple hundred bytes of data).
>
> Thank you,
> Rob van Wijk
>
>
> (Note: I asked the same question previously in
> microsoft.public.win32.programmer.networks but was referred here.)

Hej Alex,

That sure looks promising. I'm not sure how it's possible, but I didn't find
that specific RFC... I did send it from the same machine, but I didn't really
know what I was sending actually meant. However, that hostname and version
string sure seem familiar. It's friday night for me now, I'll continue work
on monday. Once I know if it's works I'll let you know.

Thank you very much,
Rob van Wijk


"alexk" wrote:

> Rob,
>
> Its been a bit since i reviewed in detail rfc 2637 (PPTP).
>
> Are you replaying the packet from the original machine where the cloned
> packet came from? I assume your a examine the data inside the packet your
> are sending.
>
> The PPTP message type field should be 1 and the control message type field
> should be 1 (Start control connection request) the server should respond
> with a PPTP message type 1 and control message type 2 (Start control
> connection request).
>
> Let me know if this is helping
>