* ppp 2.4.3 cvs authentication issue
From: a b @ 2004-10-28 12:45 UTC (permalink / raw)
To: linux-ppp
Hello,
First sorry for my poor English.
I'm trying to set up a pptpd server under Mandrake
10.0 and I think my problem is related to pppd and the
authentication.
server: 10.0.0.178, client 10.0.0.124
ppp-2.4.3-0.cvs_20040527.5mdk
pptpd-server-1.2.1-1mdk
kernel 2.6.3-19mdksecure
server:
cat /etc/pptpd.conf
option /etc/ppp/options.poptop
stimeout 10
speed 115200
localip 10.0.0.178
remoteip 10.0.1.234-238
cat /etc/ppp/options.poptop
logfile /tmp/vpn.log
dump
debug
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mschap-v2
lock
cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP
addresses
adrian * adrian *
client:
cat /etc/ppp/peers/pptp0
logfile /tmp/vpn.log
dump
debug
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mschap-v2
lock
pty "/usr/sbin/pptp 10.0.0.178 --nolaunchpppd"
nodetach
cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP
addresses
adrian * adrian *
cat -A /etc/ppp/chap-secrets
# Secrets for authentication using CHAP$
# client^Iserver^Isecret^I^I^IIP addresses$
adrian^I*^Iadrian^I*$
logs on the server side:
tail -f /tmp/vpn.log -n 100
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
refuse-pap # (from
etc/ppp/options.poptop)
refuse-chap # (from
/etc/ppp/options.poptop)
refuse-mschap # (from
/etc/ppp/options.poptop)
refuse-eap # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 10.0.0.124 # (from command line)
10.10.0.178:10.10.1.234 # (from command
line)
using channel 6
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x140228e> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0xc3c66f9d> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic
0x140228e> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic
0xc3c66f9d> <pcomp> <accomp>]
sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
0xc3c66f9d> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
0x140228e> <pcomp> <accomp>]
peer refused to authenticate: terminating link
sent [LCP TermReq id=0x3 "peer refused to
authenticate"]
rcvd [LCP TermReq id=0x3 "peer refused to
authenticate"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x3]
Connection terminated.
Please note that if I simply change two lines on both
sides:
add noauth and comment out require-mschap-v2 I get
logs on the server side:
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
noauth # (from /etc/ppp/options.poptop)
refuse-pap # (from
/etc/ppp/options.poptop)
refuse-chap # (from
/etc/ppp/options.poptop)
refuse-mschap # (from
/etc/ppp/options.poptop)
refuse-eap # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 10.0.0.124 # (from command line)
10.0.0.178:10.0.1.234 # (from command line)
using channel 8
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0x33c51398> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0xab1a948b> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0xab1a948b> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0x33c51398> <pcomp> <accomp>]
Couldn't set pass-filter in kernel: Invalid argument
sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.1.178>]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
sent [CCP ConfAck id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
sent [IPCP ConfNak id=0x1 <addr 10.0.1.234>]
rcvd [CCP ConfAck id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
Deflate (15) compression enabled
rcvd [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr
10.0.1.178>]
rcvd [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr
10.0.1.234>]
sent [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr
10.0.1.234>]
local IP address 10.0.1.178
remote IP address 10.0.1.234
Script /etc/ppp/ip-up started (pid 4254)
Script /etc/ppp/ip-up finished (pid 4254), status 0x0
ifconfig shows ppp0 alright :
ppp0 Link encap:Point-to-Point Protocol
inet addr:10.0.1.178 P-t-P:10.0.1.234
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST
MTU:1500 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0
frame:0
TX packets:5 errors:0 dropped:0 overruns:0
carrier:0
collisions:0 txqueuelen:3
RX bytes:78 (78.0 b) TX bytes:72 (72.0 b)
so this seems to work
any ideas ?
Thank you,
Adrian
* Re: ppp 2.4.3 cvs authentication issue
From: carlsonj @ 2004-10-28 12:54 UTC (permalink / raw)
To: linux-ppp
a b writes:
> I'm trying to set up a pptpd server under Mandrake
> 10.0 and I think my problem is related to pppd and the
> authentication.
You're the server side? Then why is your peer demanding that you
authenticate yourself?
> client:
>
> cat /etc/ppp/peers/pptp0
[...]
> refuse-pap
> refuse-eap
> refuse-chap
> refuse-mschap
> require-mschap-v2
There's the misconfiguration. The client should not have the above
five options. Instead, it should just have "noauth." (As long as the
client doesn't have a default route, it won't even need "noauth.")
> Please note that if I simply change two lines on both
> sides:
>
> add noauth and comment out require-mschap-v2 I get
Don't change both sides. The server looks fine. It's the client
that's misconfigured.
You have it set up so that both sides demand authentication and both
sides *refuse* that demand. What else could possibly be the result?
--
James Carlson <carlsonj@workingcode.com>
* ppp 2.4.3 cvs authentication issue
From: a b @ 2004-10-28 13:10 UTC (permalink / raw)
To: linux-ppp
Hi again,
I'm trying to configure both sides: server AND client.
Ok, I have followed your suggestions and here is the
result:
client:
logfile /tmp/vpn.log
dump
debug
lock
pty "/usr/sbin/pptp 10.0.0.178 --nolaunchpppd"
nodetach
server:
logfile /tmp/vpn.log
dump
debug
auth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mschap-v2
lock
server logs:
tail -f /tmp/vpn.log -n 100
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
refuse-pap # (from
/etc/ppp/options.poptop)
refuse-chap # (from
/etc/ppp/options.poptop)
refuse-mschap # (from
/etc/ppp/options.poptop)
refuse-eap # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 10.0.0.124 # (from command line)
10.0.1.178:10.0.1.234 # (from command line)
using channel 10
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0xa5e8afe7> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0x45ac117b> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0x45ac117b> <pcomp> <accomp>]
rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic
0xa5e8afe7> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
0xa5e8afe7> <pcomp> <accomp>]
peer refused to authenticate: terminating link
sent [LCP TermReq id=0x3 "peer refused to
authenticate"]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
Discarded non-LCP packet when LCP not open
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x3]
Connection terminated.
Still not working ...
Thank you,
Adrian
--- carlsonj@workingcode.com wrote:
> a b writes:
> > I'm trying to set up a pptpd server under Mandrake
> > 10.0 and I think my problem is related to pppd and
> the
> > authentication.
>
> You're the server side? Then why is your peer
> demanding that you
> authenticate yourself?
>
> > client:
> >
> > cat /etc/ppp/peers/pptp0
> [...]
> > refuse-pap
> > refuse-eap
> > refuse-chap
> > refuse-mschap
> > require-mschap-v2
>
> There's the misconfiguration. The client should not
> have the above
> five options. Instead, it should just have
> "noauth." (As long as the
> client doesn't have a default route, it won't even
> need "noauth.")
>
> > Please note that if I simply change two lines on
> both
> > sides:
> >
> > add noauth and comment out require-mschap-v2 I get
>
> Don't change both sides. The server looks fine.
> It's the client
> that's misconfigured.
>
> You have it set up so that both sides demand
> authentication and both
> sides *refuse* that demand. What else could
> possibly be the result?
>
> --
> James Carlson
> <carlsonj@workingcode.com>
>
* Re: ppp 2.4.3 cvs authentication issue
From: a b @ 2004-10-28 13:45 UTC (permalink / raw)
To: linux-ppp
Hi again,
You were right: I was missing the "user" option ... it
works now with mschap-v2, thank you ... but, next step
is to use mppe, of course:
I add the require-mppe-128 option to the server and
get:
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
refuse-pap # (from
/etc/ppp/options.poptop)
refuse-chap # (from
/etc/ppp/options.poptop)
refuse-mschap # (from
/etc/ppp/options.poptop)
refuse-eap # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 192.168.100.124 # (from command line)
10.0.1.178:10.0.1.235 # (from command line)
require-mppe-128 # (from
/etc/ppp/options.poptop)
using channel 15
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x6abacb92> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0x11fc1593> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0x11fc1593> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x6abacb92> <pcomp> <accomp>]
sent [CHAP Challenge id=0xd3
<6efa5d8f23196c829082eaa9456a3865>, name "mypptpdserver.mydomain.com"]
rcvd [CHAP Response id=0xd3
<c809d9e158ba9bd9355aa162dd23741b000000000000000076554555ea86eb4480c7e478076e857ce65b277c44f8fb2a00>,
name = "adrian"]
sent [CHAP Success id=0xd3
"S[4A15FB47B29F113A4708536D079228081E2007 M¬cess
granted"]
Couldn't set pass-filter in kernel: Invalid argument
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
MPPE required but peer negotiation failed
sent [LCP TermReq id=0x2 "MPPE required but peer
negotiation failed"]
sent [CCP ConfRej id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
Discarded non-LCP packet when LCP not open
rcvd [CCP ConfRej id=0x1 <mppe +H -M +S -L -D -C>]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x2]
Connection terminated.
Connect time 0.0 minutes.
Sent 10 bytes, received 31 bytes.
lsmod|grep ppp
ppp_deflate 7104 0
zlib_deflate 23832 1 ppp_deflate
zlib_inflate 23648 1 ppp_deflate
ppp_mppe 14304 0 [unsafe]
ppp_async 13280 0
ppp_generic 32752 4
ppp_deflate,bsd_comp,ppp_mppe,ppp_async
slhc 8224 1 ppp_generic
I might be missing something obvious again...
Thank you,
Adrian
--- carlsonj@workingcode.com wrote:
> a b writes:
> > rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
>
> Something is still misconfigured on the peer's side.
> It's refusing to
> authenticate.
>
> Are you perhaps missing the "user" option on that
> side?
>
> --
> James Carlson
> <carlsonj@workingcode.com>
>
* Re: ppp 2.4.3 cvs authentication issue
From: carlsonj @ 2004-10-28 14:08 UTC (permalink / raw)
To: linux-ppp
a b writes:
> require-mschap-v2 # (from
> /etc/ppp/options.poptop)
> refuse-pap # (from
> /etc/ppp/options.poptop)
> refuse-chap # (from
> /etc/ppp/options.poptop)
> refuse-mschap # (from
> /etc/ppp/options.poptop)
> refuse-eap # (from
> /etc/ppp/options.poptop)
For what it's worth, you likely don't need all of those options. A
simple "auth" should do it -- and even that is not really required.
pppd automatically detects what credentials you have configured, and
will refuse authentication schemes that don't have appropriate
credentials.
This is by design. The defaults for the configuration options are
meant to make sense for most users. Having too many configuration
options specified is itself a symptom of a problem.
> sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
> rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
> 15> <bsd v1 15>]
> MPPE required but peer negotiation failed
That looks like a combination of things. MPPE obviously has a bug --
it should not have just given up there, but rather sent Configure-Nak
first. The other thing is that the peer apparently isn't configured
to use MPPE.
--
James Carlson <carlsonj@workingcode.com>
* Re: ppp 2.4.3 cvs authentication issue
From: a b @ 2004-10-28 14:52 UTC (permalink / raw)
To: linux-ppp
ok,
so the server configuration file is now:
logfile /tmp/vpn.log
dump
debug
require-mschap-v2
require-mppe-128
lock
... and the result is the same:
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 10.0.0.124 # (from command line)
10.0.1.178:10.0.1.234 # (from command line)
require-mppe-128 # (from
/etc/ppp/options.poptop)
using channel 23
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0xab84c21a> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0x4ed872d8> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0x4ed872d8> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0xab84c21a> <pcomp> <accomp>]
sent [CHAP Challenge id=0x12
<f87334236c1450368b23170d62aff528>, name "mypptpdserver.mydomain.com"]
rcvd [CHAP Response id=0x12
<7f192ecdc2190ee53ad4939320e4126a000000000000000037dc9c8bb222abbe71b08de33d70112a174b2ea28be0963500>,
name = "adrian"]
sent [CHAP Success id=0x12
"S¼6BDC7B66AC82992857B7F6E9F383E5C517F345 M¬cess
granted"]
Couldn't set pass-filter in kernel: Invalid argument
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
MPPE required but peer negotiation failed
sent [LCP TermReq id=0x2 "MPPE required but peer
negotiation failed"]
sent [CCP ConfRej id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
Discarded non-LCP packet when LCP not open
rcvd [CCP ConfRej id=0x1 <mppe +H -M +S -L -D -C>]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x2]
Connection terminated.
Connect time 0.0 minutes.
Sent 10 bytes, received 31 bytes.
1. the module kernel seems to be a 2.4.2 alright
modinfo ppp_mppe|grep license
license: BSD without advertisement clause
My question is: could this be a mppe kernel module
issue, like not the latest version, etc ?
2. you're saying that "the peer apparently isn't
configured to use MPPE."
My question is: is there something to do on the client
side in order to ask for a mppe authentication ?
Sincerely,
Adrian
* Re: ppp 2.4.3 cvs authentication issue
From: carlsonj @ 2004-10-28 15:00 UTC (permalink / raw)
To: linux-ppp
a b writes:
> sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
You ask for MPPE.
> rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
> 15> <bsd v1 15>]
The peer asks for the usual suite of freely-available compression
algorithms, but does *NOT* ask for MPPE.
> MPPE required but peer negotiation failed
> sent [LCP TermReq id=0x2 "MPPE required but peer
> negotiation failed"]
Two problems: (1) what I consider to be a design bug in MPPE, as it
should not just shut down, but should try to negotiate first and (2)
a peer that is either misconfigured or just doesn't support MPPE.
> 2. you're saying that "the peer apparently isn't
> configured to use MPPE."
Yes.
> My question is: is there something to do on the client
> side in order to ask for a mppe authentication ?
MPPE isn't authentication; it's encryption.
According to the pppd(8) man page:
nomppe
Disables MPPE (Microsoft Point to Point Encryption).
This is the default.
[...]
require-mppe
Require the use of MPPE (Microsoft Point to Point
Encryption). This option disables all other compres-
sion types. This option enables both 40-bit and
128-bit encryption. In order for MPPE to successfully
come up, you must have authenticated with either MS-
CHAP or MS-CHAPv2. This option is presently only sup-
ported under Linux, and only if your kernel has been
configured to include MPPE support.
In other words, I think the peer needs this configuration option as
well in order to use MPPE.
--
James Carlson <carlsonj@workingcode.com>
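The two failure patterns diagnosed in the replies above (both ends demanding and rejecting authentication, and a CCP request for MPPE that the peer does not mirror) can be picked out of a pppd debug log mechanically. This is an added example, not code from the thread or from pppd: the function names and finding labels are hypothetical, the sample lines are log lines posted in this thread with the mail wrapping undone, and the MPPE flag meanings are those of RFC 3078.

```python
import re

# A pppd debug packet line: direction, protocol, code, id, then the options.
PKT = re.compile(r'^(sent|rcvd) \[(\w+) (\w+) id=0x[0-9a-f]+(.*)\]$')
OPT = re.compile(r'<([^>]*)>')

# Letters pppd prints for the MPPE option; meanings per RFC 3078.
MPPE_BITS = {'H': 'stateless', 'M': '56-bit', 'S': '128-bit',
             'L': '40-bit', 'D': 'obsolete', 'C': 'MPPC compression'}

# Sample input: lines from the logs in this thread, re-joined where wrapped.
LOG_BOTH_DEMAND = """
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x140228e> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc3c66f9d> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
"""
LOG_PEER_REFUSES = """
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa5e8afe7> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x45ac117b> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x45ac117b> <pcomp> <accomp>]
rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
"""
LOG_NO_MPPE = """
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
MPPE required but peer negotiation failed
"""


def parse(log):
    """Return (direction, protocol, code, [options]) for each packet line."""
    packets = []
    for line in log.splitlines():
        m = PKT.match(line.strip())
        if m:  # status lines such as "No auth is possible" are skipped
            packets.append((m.group(1), m.group(2), m.group(3),
                            OPT.findall(m.group(4))))
    return packets


def mppe_flags(option):
    """Decode 'mppe +H -M +S -L -D -C' into the set of enabled features."""
    return {MPPE_BITS[f[1]] for f in option.split()[1:] if f[0] == '+'}


def seen(packets, direction, proto, code, prefix):
    """True if a matching packet carries an option starting with prefix."""
    return any(d == direction and p == proto and c == code
               and any(o.startswith(prefix) for o in opts)
               for d, p, c, opts in packets)


def diagnose(log):
    """Return a list of finding labels for one side's pppd debug log."""
    pk = parse(log)
    findings = []

    we_ask = seen(pk, 'sent', 'LCP', 'ConfReq', 'auth')
    peer_asks = seen(pk, 'rcvd', 'LCP', 'ConfReq', 'auth')
    we_reject = seen(pk, 'sent', 'LCP', 'ConfRej', 'auth')
    peer_rejects = seen(pk, 'rcvd', 'LCP', 'ConfRej', 'auth')
    if we_ask and peer_asks and we_reject and peer_rejects:
        # Both ends require auth and both refuse to supply it.
        findings.append('mutual-auth-deadlock')
    elif we_ask and peer_rejects:
        # Only we require auth; the peer has nothing to authenticate with.
        findings.append('peer-refused-auth')

    we_mppe = seen(pk, 'sent', 'CCP', 'ConfReq', 'mppe')
    peer_reqs = [opts for d, p, c, opts in pk
                 if d == 'rcvd' and p == 'CCP' and c == 'ConfReq']
    peer_mppe = any(o.startswith('mppe') for opts in peer_reqs for o in opts)
    if we_mppe and peer_reqs and not peer_mppe:
        # We asked for MPPE; the peer's own request lists other algorithms.
        findings.append('peer-not-offering-mppe')
    return findings


if __name__ == '__main__':
    for name in ('LOG_BOTH_DEMAND', 'LOG_PEER_REFUSES', 'LOG_NO_MPPE'):
        print(name, diagnose(globals()[name]))
    print(sorted(mppe_flags('mppe +H -M +S -L -D -C')))
```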
* Re: ppp 2.4.3 cvs authentication issue
From: a b @ 2004-10-28 15:33 UTC (permalink / raw)
To: linux-ppp
You were right again,
I had, indeed, to add the require-mppe option on the
pptp-linux client side ... and it works.
You can see it for yourself:
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 192.168.100.124 # (from command line)
10.0.1.178:10.0.1.235 # (from command line)
require-mppe-128 # (from
/etc/ppp/options.poptop)
using channel 26
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x88812f30> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0xc2fe6ced> <pcomp>
<accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0xc2fe6ced> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x88812f30> <pcomp> <accomp>]
sent [CHAP Challenge id=0x98
<d87688dfdee2038f9e012988b3c3b88a>, name "mypptpdserver.mydomain.com"]
rcvd [CHAP Response id=0x98
<d3c4a65bd5ab8ea560fa35f593d6c1650000000000000000abfc36849407b02bdf268090e0ecae2598baf7ab05fcca1e00>,
name = "adrian"]
sent [CHAP Success id=0x98
"S^[317957BFF3AA169F7A84732A4A66D7DB08D792 M¬cess
granted"]
Couldn't set pass-filter in kernel: Invalid argument
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
sent [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.1.178>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
sent [IPCP ConfNak id=0x1 <addr 10.0.1.235>]
rcvd [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr
10.0.0.178>]
rcvd [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr
10.0.1.235>]
sent [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr
10.0.1.235>]
local IP address 10.0.1.178
remote IP address 10.0.1.235
Script /etc/ppp/ip-up started (pid 8934)
Script /etc/ppp/ip-up finished (pid 8934), status 0x0
I still have questions, of course:
Next step will be to use pam because I saw that there
is a ppp pam module coming with the ppp package.
According to the man page I simply need to use the
"login" option and it will automatically look for the
local system auth ?
Then, I will probably have a look at the radius
plugin.
Any tricky option that I should be aware of ? :o)
Thanks a lot,
Adrian
* Re: ppp 2.4.3 cvs authentication issue
From: carlsonj @ 2004-10-28 15:41 UTC (permalink / raw)
To: linux-ppp
a b writes:
> Next step will be to use pam because I saw that there
> is a ppp pam module coming with the ppp package.
>
> According to the man page I simply need to use the
> "login" option and it will automatically look for the
> local system auth ?
As far as I know, PAM works only with PAP authentication. This is
because all of the other authentication methods use cryptographic
hashes instead of simple passwords, and PAM expects to see the raw
password on the server (authenticator) side.
> Then, I will probably have a look at the radius
> plugin.
RADIUS ought to work with any of the authentication mechanisms, but I
haven't personally tried it. Perhaps someone else here has ...
--
James Carlson <carlsonj@workingcode.com>
* Re: ppp 2.4.3 cvs authentication issue
From: a b @ 2004-10-28 15:52 UTC (permalink / raw)
To: linux-ppp
Thank you very much for your answers, Jason
have a nice day,
- Adrian
* Re: ppp 2.4.3 cvs authentication issue
From: carlsonj @ 2004-10-28 15:57 UTC (permalink / raw)
To: linux-ppp
a b writes:
> Thank you very much for your answers, Jason
Who is Jason?
> have a nice day,
You, too. Glad to hear things are working.
--
James Carlson <carlsonj@workingcode.com>
* Re: ppp 2.4.3 cvs authentication issue
From: Bill Unruh @ 2004-10-28 16:04 UTC (permalink / raw)
To: linux-ppp
On Thu, 28 Oct 2004, a b wrote:
> Hello,
>
> First sorry for my poor English.
>
> I'm trying to set up a pptpd server under Mandrake
> 10.0 and I think my problem is related to pppd and the
> authentication.
Probably.
>
> server: 10.0.0.178, client 10.0.0.124
> ppp-2.4.3-0.cvs_20040527.5mdk
> pptpd-server-1.2.1-1mdk
> kernel 2.6.3-19mdksecure
>
> server:
> cat /etc/pptpd.conf
> option /etc/ppp/options.poptop
> stimeout 10
> speed 115200
> localip 10.0.0.178
> remoteip 10.0.1.234-238
>
> cat /etc/ppp/options.poptop
> logfile /tmp/vpn.log
> dump
> debug
> refuse-pap
> refuse-eap
> refuse-chap
> refuse-mschap
> require-mschap-v2
Why in the world you would require mschap-v2 on a machine that runs pppd
is completely beyond me. It would be like demanding running boards on a
Ferrari. Remove these all. If you are going to require anything make it
eap, but if you communicate with anything but a pppd client that will
not work. chap and pap are far better options.
> lock
>
> cat /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP
> # client server secret IP
> addresses
> adrian * adrian *
>
>
> client:
>
> cat /etc/ppp/peers/pptp0
> logfile /tmp/vpn.log
> dump
> debug
> refuse-pap
> refuse-eap
> refuse-chap
> refuse-mschap
> require-mschap-v2
Now you are getting completely silly. This says that you are demanding
that the server authenticate itself to the client using mschapv2.
Remove all of these "refuse/require" entries. I think you are very
confused as to what they mean.
> lock
> pty "/usr/sbin/pptp 10.0.0.178 --nolaunchpppd"
> nodetach
>
> cat /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP
> # client server secret IP
> addresses
> adrian * adrian *
>
> cat -A /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP$
> # client^Iserver^Isecret^I^I^IIP addresses$
> adrian^I*^Iadrian^I*$
>
> logs on the server side:
> tail -f /tmp/vpn.log -n 100
>
> pppd options in effect:
> debug # (from /etc/ppp/options.poptop)
> logfile /tmp/vpn.log # (from
> /etc/ppp/options.poptop)
> dump # (from /etc/ppp/options.poptop)
> require-mschap-v2 # (from
> /etc/ppp/options.poptop)
> refuse-pap # (from
> etc/ppp/options.poptop)
> refuse-chap # (from
> /etc/ppp/options.poptop)
> refuse-mschap # (from
> /etc/ppp/options.poptop)
> refuse-eap # (from
> /etc/ppp/options.poptop)
> 115200 # (from command line)
> lock # (from /etc/ppp/options.poptop)
> local # (from command line)
> ipparam 10.0.0.124 # (from command line)
> 10.10.0.178:10.10.1.234 # (from command
> line)
> using channel 6
> Using interface ppp0
> Connect: ppp0 <--> /dev/pts/1
> sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
> MS-v2> <magic 0x140228e> <pcomp> <accomp>]
> rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
> MS-v2> <magic 0xc3c66f9d> <pcomp> <accomp>]
> No auth is possible
> sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
> rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
> sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic
> 0x140228e> <pcomp> <accomp>]
> rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic
> 0xc3c66f9d> <pcomp> <accomp>]
> sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
> 0xc3c66f9d> <pcomp> <accomp>]
> rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
> 0x140228e> <pcomp> <accomp>]
> peer refused to authenticate: terminating link
That should be pretty clear.
> sent [LCP TermReq id=0x3 "peer refused to
> authenticate"]
> rcvd [LCP TermReq id=0x3 "peer refused to
> authenticate"]
> sent [LCP TermAck id=0x3]
> rcvd [LCP TermAck id=0x3]
> Connection terminated.
>
> Please note that if I simply change two lines on both
> sides:
>
> add noauth and comment out require-mschap-v2 I get
Yes. You SHOULD have noauth on the client side, unless you really want
them to authenticate to each other.
You also, it seems, do not use the "user" option on the client side. You
have to do so.
man pppd
> any ideas ?
man pppd
* Re: ppp 2.4.3 cvs authentication issue
From: Bill Unruh @ 2004-10-28 16:07 UTC (permalink / raw)
To: linux-ppp
>
> server:
>
> logfile /tmp/vpn.log
> dump
> debug
> auth
> refuse-pap
> refuse-eap
> refuse-chap
> refuse-mschap
> require-mschap-v2
Again, why mschap? Get rid of all the refuse lines. ALL of them. Put in
one line
require-chap
You seem to be under the impression that anything with bigger numbers or
a longer name is better. It is not.
> peer refused to authenticate: terminating link
Again I think you forgot the user option on the client.
* Re: ppp 2.4.3 cvs authentication issue
From: Bill Unruh @ 2004-10-28 16:10 UTC (permalink / raw)
To: linux-ppp
On Thu, 28 Oct 2004, a b wrote:
> Hi again,
>
> You were right: I was missing the "user" option ... it
> works now with mschap-v2, thank you ... but, next step
> is to use mppe, of course:
Why would you want to use mppe? Now you want to put a semitrailer air
deflector on top of your Ferrari.
The only reason mppe should be in pppd is because of stupid MS machines
which demand it.
* Re: ppp 2.4.3 cvs authentication issue
From: a b @ 2004-10-28 17:01 UTC (permalink / raw)
To: linux-ppp
> Who is Jason?
Oops, I meant James, sorry
>
> > have a nice day,
>
> You, too. Glad to hear things are working.
They are, for now ... :o)
thanks again,
- Adrian