* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
@ 2004-10-28 12:54 ` carlsonj
2004-10-28 13:10 ` a b
` (12 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: carlsonj @ 2004-10-28 12:54 UTC (permalink / raw)
To: linux-ppp
a b writes:
> I'm trying to set up a pptpd server under Mandrake
> 10.0 and I think my problem is related to pppd and the
> authentication.
You're the server side? Then why is your peer demanding that you
authenticate yourself?
> client:
>
> cat /etc/ppp/peers/pptp0
[...]
> refuse-pap
> refuse-eap
> refuse-chap
> refuse-mschap
> require-mschap-v2
There's the misconfiguration. The client should not have the above
five options. Instead, it should just have "noauth." (As long as the
client doesn't have a default route, it won't even need "noauth.")
> Please note that if I simply change two lines on both
> sides:
>
> add noauth and comment out require-mschap-v2 I get
Don't change both sides. The server looks fine. It's the client
that's misconfigured.
You have it set up so that both sides demand authentication and both
sides *refuse* that demand. What else could possibly be the result?
--
James Carlson <carlsonj@workingcode.com>
^ permalink raw reply [flat|nested] 15+ messages in thread* ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
2004-10-28 12:54 ` carlsonj
@ 2004-10-28 13:10 ` a b
2004-10-28 13:45 ` a b
` (11 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: a b @ 2004-10-28 13:10 UTC (permalink / raw)
To: linux-ppp
Hi again,
I'm tring to configure both sides: server AND client.
Ok, I have followed your suggestions and here is the
result:
client:
logfile /tmp/vpn.log
dump
debug
lock
pty "/usr/sbin/pptp 10.0.0.178 --nolaunchpppd"
nodetach
server:
logfile /tmp/vpn.log
dump
debug
auth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
require-mschap-v2
lock
server logs:
tail -f /tmp/vpn.log -n 100
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
refuse-pap # (from
/etc/ppp/options.poptop)
refuse-chap # (from
/etc/ppp/options.poptop)
refuse-mschap # (from
/etc/ppp/options.poptop)
refuse-eap # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 10.0.0.124 # (from command line)
10.0.1.178:10.0.1.234 # (from command line)
using channel 10
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0xa5e8afe7> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0x45ac117b> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0x45ac117b> <pcomp> <accomp>]
rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic
0xa5e8afe7> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
0xa5e8afe7> <pcomp> <accomp>]
peer refused to authenticate: terminating link
sent [LCP TermReq id=0x3 "peer refused to
authenticate"]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
Discarded non-LCP packet when LCP not open
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x3]
Connection terminated.
Still not working ...
Thank you,
Adrian
--- carlsonj@workingcode.com a écrit :
> a b writes:
> > I'm trying to set up a pptpd server under Mandrake
> > 10.0 and I think my problem is related to pppd and
> the
> > authentication.
>
> You're the server side? Then why is your peer
> demanding that you
> authenticate yourself?
>
> > client:
> >
> > cat /etc/ppp/peers/pptp0
> [...]
> > refuse-pap
> > refuse-eap
> > refuse-chap
> > refuse-mschap
> > require-mschap-v2
>
> There's the misconfiguration. The client should not
> have the above
> five options. Instead, it should just have
> "noauth." (As long as the
> client doesn't have a default route, it won't even
> need "noauth.")
>
> > Please note that if I simply change two lines on
> both
> > sides:
> >
> > add noauth and comment out require-mschap-v2 I get
>
> Don't change both sides. The server looks fine.
> It's the client
> that's misconfigured.
>
> You have it set up so that both sides demand
> authentication and both
> sides *refuse* that demand. What else could
> possibly be the result?
>
> --
> James Carlson
> <carlsonj@workingcode.com>
>
Vous manquez d’espace pour stocker vos mails ?
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/
Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
2004-10-28 12:54 ` carlsonj
2004-10-28 13:10 ` a b
@ 2004-10-28 13:45 ` a b
2004-10-28 14:08 ` carlsonj
` (10 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: a b @ 2004-10-28 13:45 UTC (permalink / raw)
To: linux-ppp
Hi again,
You were right: I was missing the "user" option ... it
works now with mschap-v2, thank you ... but, next step
is to use mppe, of course:
I add the require-mppe-128 option to the server and
get:
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
refuse-pap # (from
/etc/ppp/options.poptop)
refuse-chap # (from
/etc/ppp/options.poptop)
refuse-mschap # (from
/etc/ppp/options.poptop)
refuse-eap # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 192.168.100.124 # (from command line)
10.0.1.178:10.0.1.235 # (from command line)
require-mppe-128 # (from
/etc/ppp/options.poptop)
using channel 15
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x6abacb92> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0x11fc1593> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0x11fc1593> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x6abacb92> <pcomp> <accomp>]
sent [CHAP Challenge id=0xd3
<6efa5d8f23196c829082eaa9456a3865>, name "mypptpdserver.mydomain.com"]
rcvd [CHAP Response id=0xd3
<c809d9e158ba9bd9355aa162dd23741b000000000000000076554555ea86eb4480c7e478076e857ce65b277c44f8fb2a00>,
name = "adrian"]
sent [CHAP Success id=0xd3
"S[4A15FB47B29F113A4708536D079228081E2007 M¬cess
granted"]
Couldn't set pass-filter in kernel: Invalid argument
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
MPPE required but peer negotiation failed
sent [LCP TermReq id=0x2 "MPPE required but peer
negotiation failed"]
sent [CCP ConfRej id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
Discarded non-LCP packet when LCP not open
rcvd [CCP ConfRej id=0x1 <mppe +H -M +S -L -D -C>]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x2]
Connection terminated.
Connect time 0.0 minutes.
Sent 10 bytes, received 31 bytes.
lsmod|grep ppp
ppp_deflate 7104 0
zlib_deflate 23832 1 ppp_deflate
zlib_inflate 23648 1 ppp_deflate
ppp_mppe 14304 0 [unsafe]
ppp_async 13280 0
ppp_generic 32752 4
ppp_deflate,bsd_comp,ppp_mppe,ppp_async
slhc 8224 1 ppp_generic
I might be missing something obvious again...
Thank you,
Adrian
--- carlsonj@workingcode.com a écrit :
> a b writes:
> > rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
>
> Something is still misconfigured on the peer's side.
> It's refusing to
> authenticate.
>
> Are you perhaps missing the "user" option on that
> side?
>
> --
> James Carlson
> <carlsonj@workingcode.com>
>
Vous manquez d’espace pour stocker vos mails ?
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/
Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (2 preceding siblings ...)
2004-10-28 13:45 ` a b
@ 2004-10-28 14:08 ` carlsonj
2004-10-28 14:52 ` a b
` (9 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: carlsonj @ 2004-10-28 14:08 UTC (permalink / raw)
To: linux-ppp
a b writes:
> require-mschap-v2 # (from
> /etc/ppp/options.poptop)
> refuse-pap # (from
> /etc/ppp/options.poptop)
> refuse-chap # (from
> /etc/ppp/options.poptop)
> refuse-mschap # (from
> /etc/ppp/options.poptop)
> refuse-eap # (from
> /etc/ppp/options.poptop)
For what it's worth, you likely don't need all of those options. A
simple "auth" should do it -- and even that is not really required.
pppd automatically detects what credentials you have configured, and
will refuse authentication schemes that don't have appropriate
credentials.
This is by design. The defaults for the configuration options are
meant to make sense for most users. Having too many configuration
options specified is itself a symptom of a problem.
> sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
> rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
> 15> <bsd v1 15>]
> MPPE required but peer negotiation failed
That looks like a combination of things. MPPE obviously has a bug --
it should not have just given up there, but rather sent Configure-Nak
first. The other thing is that the peer apparently isn't configured
to use MPPE.
--
James Carlson <carlsonj@workingcode.com>
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (3 preceding siblings ...)
2004-10-28 14:08 ` carlsonj
@ 2004-10-28 14:52 ` a b
2004-10-28 15:00 ` carlsonj
` (8 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: a b @ 2004-10-28 14:52 UTC (permalink / raw)
To: linux-ppp
ok,
so the server configuration file is now:
logfile /tmp/vpn.log
dump
debug
require-mschap-v2
require-mppe-128
lock
... and the result is the same:
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 10.0.0.124 # (from command line)
10.0.1.178:10.0.1.234 # (from command line)
require-mppe-128 # (from
/etc/ppp/options.poptop)
using channel 23
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0xab84c21a> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0x4ed872d8> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0x4ed872d8> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0xab84c21a> <pcomp> <accomp>]
sent [CHAP Challenge id=0x12
<f87334236c1450368b23170d62aff528>, name "mypptpdserver.mydomain.com"]
rcvd [CHAP Response id=0x12
<7f192ecdc2190ee53ad4939320e4126a000000000000000037dc9c8bb222abbe71b08de33d70112a174b2ea28be0963500>,
name = "adrian"]
sent [CHAP Success id=0x12
"S¼6BDC7B66AC82992857B7F6E9F383E5C517F345 M¬cess
granted"]
Couldn't set pass-filter in kernel: Invalid argument
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
MPPE required but peer negotiation failed
sent [LCP TermReq id=0x2 "MPPE required but peer
negotiation failed"]
sent [CCP ConfRej id=0x1 <deflate 15> <deflate(old#)
15> <bsd v1 15>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
Discarded non-LCP packet when LCP not open
rcvd [CCP ConfRej id=0x1 <mppe +H -M +S -L -D -C>]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x2]
Connection terminated.
Connect time 0.0 minutes.
Sent 10 bytes, received 31 bytes.
1. the module kernel seems to be a 2.4.2 alright
modinfo ppp_mppe|grep license
license: BSD without advertisement clause
My question is: could this be a mppe kernel module
issue, like not the latest version, etc ?
2. you're saying that "the peer apparently isn't
configured to use MPPE."
My question is: is there something to do on the client
side in order to ask for a mppe authentication ?
Sincerely,
Adrian
Vous manquez d’espace pour stocker vos mails ?
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/
Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (4 preceding siblings ...)
2004-10-28 14:52 ` a b
@ 2004-10-28 15:00 ` carlsonj
2004-10-28 15:33 ` a b
` (7 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: carlsonj @ 2004-10-28 15:00 UTC (permalink / raw)
To: linux-ppp
a b writes:
> sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
You ask for MPPE.
> rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#)
> 15> <bsd v1 15>]
The peer asks for the usual suite of freely-available compression
algorithms, but does *NOT* ask for MPPE.
> MPPE required but peer negotiation failed
> sent [LCP TermReq id=0x2 "MPPE required but peer
> negotiation failed"]
Two problems: (1) what I consider to be a design bug in MPPE, as it
should not just shut down, but should try to negotiate first and (2)
peer that is either misconfigured or just doesn't support MPPE.
> 2. you're saying that "the peer apparently isn't
> configured to use MPPE."
Yes.
> My question is: is there something to do on the client
> side in order to ask for a mppe authentication ?
MPPE isn't authentication; it's encryption.
According to the pppd(8) man page:
nomppe
Disables MPPE (Microsoft Point to Point Encryption).
This is the default.
[...]
require-mppe
Require the use of MPPE (Microsoft Point to Point
Encryption). This option disables all other compres-
sion types. This option enables both 40-bit and
128-bit encryption. In order for MPPE to successfully
come up, you must have authenticated with either MS-
CHAP or MS-CHAPv2. This option is presently only sup-
ported under Linux, and only if your kernel has been
configured to include MPPE support.
In other words, I think the peer needs this configuration option as
well in order to use MPPE.
--
James Carlson <carlsonj@workingcode.com>
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (5 preceding siblings ...)
2004-10-28 15:00 ` carlsonj
@ 2004-10-28 15:33 ` a b
2004-10-28 15:41 ` carlsonj
` (6 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: a b @ 2004-10-28 15:33 UTC (permalink / raw)
To: linux-ppp
You were right again,
I had, indeed, to add the require-mppe option on the
pptp-linux client side ... and it works.
You can see it for yourself:
pppd options in effect:
debug # (from /etc/ppp/options.poptop)
logfile /tmp/vpn.log # (from
/etc/ppp/options.poptop)
dump # (from /etc/ppp/options.poptop)
require-mschap-v2 # (from
/etc/ppp/options.poptop)
115200 # (from command line)
lock # (from /etc/ppp/options.poptop)
local # (from command line)
ipparam 192.168.100.124 # (from command line)
10.0.1.178:10.0.1.235 # (from command line)
require-mppe-128 # (from
/etc/ppp/options.poptop)
using channel 26
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x88812f30> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic
0xc2fe6ced> <pcomp>
<accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic
0xc2fe6ced> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap
MS-v2> <magic 0x88812f30> <pcomp> <accomp>]
sent [CHAP Challenge id=0x98
<d87688dfdee2038f9e012988b3c3b88a>, name "mypptpdserver.mydomain.com"]
rcvd [CHAP Response id=0x98
<d3c4a65bd5ab8ea560fa35f593d6c1650000000000000000abfc36849407b02bdf268090e0ecae2598baf7ab05fcca1e00>,
name = "adrian"]
sent [CHAP Success id=0x98
"S^[317957BFF3AA169F7A84732A4A66D7DB08D792 M¬cess
granted"]
Couldn't set pass-filter in kernel: Invalid argument
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
sent [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.1.178>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr
10.0.0.124>]
sent [IPCP ConfNak id=0x1 <addr 10.0.1.235>]
rcvd [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr
10.0.0.178>]
rcvd [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr
10.0.1.235>]
sent [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr
10.0.1.235>]
local IP address 10.0.1.178
remote IP address 10.0.1.235
Script /etc/ppp/ip-up started (pid 8934)
Script /etc/ppp/ip-up finished (pid 8934), status 0x0
I still have questions, of course:
Next step will be to use pam because I saw that there
is a ppp pam module coming with the ppp package.
According to the man page I simply need to use the
"login" option and it will automatically look for the
local system auth ?
Then, I will probably have a look at the radius
plugin.
Any tricky option that I should be aware of ? :o)
Thanks alot,
Adrian
Vous manquez d’espace pour stocker vos mails ?
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/
Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (6 preceding siblings ...)
2004-10-28 15:33 ` a b
@ 2004-10-28 15:41 ` carlsonj
2004-10-28 15:52 ` a b
` (5 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: carlsonj @ 2004-10-28 15:41 UTC (permalink / raw)
To: linux-ppp
a b writes:
> Next step will be to use pam because I saw that there
> is a ppp pam module coming with the ppp package.
>
> According to the man page I simply need to use the
> "login" option and it will automatically look for the
> local system auth ?
As far as I know, PAM works only with PAP authentication. This is
because all of the other authentication methods use cryptographic
hashes instead of simple passwords, and PAM expects to see the raw
password on the server (authenticator) side.
> Then, I will probably have a look at the radius
> plugin.
RADIUS ought to work with any of the authentication mechanisms, but I
haven't personally tried it. Perhaps someone else here has ...
--
James Carlson <carlsonj@workingcode.com>
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (7 preceding siblings ...)
2004-10-28 15:41 ` carlsonj
@ 2004-10-28 15:52 ` a b
2004-10-28 15:57 ` carlsonj
` (4 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: a b @ 2004-10-28 15:52 UTC (permalink / raw)
To: linux-ppp
Thank you very much for your answers, Jason
have a nice day,
- Adrian
Vous manquez d’espace pour stocker vos mails ?
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/
Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (8 preceding siblings ...)
2004-10-28 15:52 ` a b
@ 2004-10-28 15:57 ` carlsonj
2004-10-28 16:04 ` Bill Unruh
` (3 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: carlsonj @ 2004-10-28 15:57 UTC (permalink / raw)
To: linux-ppp
a b writes:
> Thank you very much for your answers, Jason
Who is Jason?
> have a nice day,
You, too. Glad to hear things are working.
--
James Carlson <carlsonj@workingcode.com>
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (9 preceding siblings ...)
2004-10-28 15:57 ` carlsonj
@ 2004-10-28 16:04 ` Bill Unruh
2004-10-28 16:07 ` Bill Unruh
` (2 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: Bill Unruh @ 2004-10-28 16:04 UTC (permalink / raw)
To: linux-ppp
On Thu, 28 Oct 2004, a b wrote:
> Hello,
>
> First sorry for my poor English.
>
> I'm trying to set up a pptpd server under Mandrake
> 10.0 and I think my problem is related to pppd and the
> authentication.
Probably.
>
> server: 10.0.0.178, client 10.0.0.124
> ppp-2.4.3-0.cvs_20040527.5mdk
> pptpd-server-1.2.1-1mdk
> kernel 2.6.3-19mdksecure
>
> server:
> cat /etc/pptpd.conf
> option /etc/ppp/options.poptop
> stimeout 10
> speed 115200
> localip 10.0.0.178
> remoteip 10.0.1.234-238
>
> cat /etc/ppp/options.poptop
> logfile /tmp/vpn.log
> dump
> debug
> refuse-pap
> refuse-eap
> refuse-chap
> refuse-mschap
> require-mschap-v2
Why in the world you would require mschap-v2 on a machine that runs pppd
is completely beyond me. It would be like demanding running boards on a
Ferrari. Remove these all. IF you are going to require anything make it
eap, but if you communicate with anything but a pppd client that will
not work. chap and pap are far better options.
> lock
>
> cat /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP
> # client server secret IP
> addresses
> adrian * adrian *
>
>
> client:
>
> cat /etc/ppp/peers/pptp0
> logfile /tmp/vpn.log
> dump
> debug
> refuse-pap
> refuse-eap
> refuse-chap
> refuse-mschap
> require-mschap-v2
Now you are getting completely silly. This says that you are demanding
that the server authenticate itself to the client using mschapv2.
REmove all of these "refuse/require" entries. I think you are very
confused as to what they mean.
> lock
> pty "/usr/sbin/pptp 10.0.0.178 --nolaunchpppd"
> nodetach
>
> cat /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP
> # client server secret IP
> addresses
> adrian * adrian *
>
> cat -A /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP$
> # client^Iserver^Isecret^I^I^IIP addresses$
> adrian^I*^Iadrian^I*$
>
> logs on the server side:
> tail -f /tmp/vpn.log -n 100
>
> pppd options in effect:
> debug # (from /etc/ppp/options.poptop)
> logfile /tmp/vpn.log # (from
> /etc/ppp/options.poptop)
> dump # (from /etc/ppp/options.poptop)
> require-mschap-v2 # (from
> /etc/ppp/options.poptop)
> refuse-pap # (from
> etc/ppp/options.poptop)
> refuse-chap # (from
> /etc/ppp/options.poptop)
> refuse-mschap # (from
> /etc/ppp/options.poptop)
> refuse-eap # (from
> /etc/ppp/options.poptop)
> 115200 # (from command line)
> lock # (from /etc/ppp/options.poptop)
> local # (from command line)
> ipparam 10.0.0.124 # (from command line)
> 10.10.0.178:10.10.1.234 # (from command
> line)
> using channel 6
> Using interface ppp0
> Connect: ppp0 <--> /dev/pts/1
> sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
> MS-v2> <magic 0x140228e> <pcomp> <accomp>]
> rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap
> MS-v2> <magic 0xc3c66f9d> <pcomp> <accomp>]
> No auth is possible
> sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
> rcvd [LCP ConfRej id=0x1 <auth chap MS-v2>]
> sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic
> 0x140228e> <pcomp> <accomp>]
> rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic
> 0xc3c66f9d> <pcomp> <accomp>]
> sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
> 0xc3c66f9d> <pcomp> <accomp>]
> rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
> 0x140228e> <pcomp> <accomp>]
> peer refused to authenticate: terminating link
That should be pretty clear.
> sent [LCP TermReq id=0x3 "peer refused to
> authenticate"]
> rcvd [LCP TermReq id=0x3 "peer refused to
> authenticate"]
> sent [LCP TermAck id=0x3]
> rcvd [LCP TermAck id=0x3]
> Connection terminated.
>
> Please note that if I simply change two lines on both
> sides:
>
> add noauth and comment out require-mschap-v2 I get
Yes. YOu SHOULD have noauth on the client side, unless you really want
them to authenticate to each other.
You also it seems do not use the "user" option on the client side. You
have to do so.
man pppd
> any ideas ?
man pppd
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (10 preceding siblings ...)
2004-10-28 16:04 ` Bill Unruh
@ 2004-10-28 16:07 ` Bill Unruh
2004-10-28 16:10 ` Bill Unruh
2004-10-28 17:01 ` a b
13 siblings, 0 replies; 15+ messages in thread
From: Bill Unruh @ 2004-10-28 16:07 UTC (permalink / raw)
To: linux-ppp
>
> server:
>
> logfile /tmp/vpn.log
> dump
> debug
> auth
> refuse-pap
> refuse-eap
> refuse-chap
> refuse-mschap
> require-mschap-v2
Again, why mschap? Get rid ofall the refuse lines. ALL of them. Put in
one line
require-chap
You seem to be under the impression that anything with bigger numbers or
a longer name is better. It is not.
> peer refused to authenticate: terminating link
AGain I think you forgot the user option on the client.
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (11 preceding siblings ...)
2004-10-28 16:07 ` Bill Unruh
@ 2004-10-28 16:10 ` Bill Unruh
2004-10-28 17:01 ` a b
13 siblings, 0 replies; 15+ messages in thread
From: Bill Unruh @ 2004-10-28 16:10 UTC (permalink / raw)
To: linux-ppp
On Thu, 28 Oct 2004, a b wrote:
> Hi again,
>
> You were right: I was missing the "user" option ... it
> works now with mschap-v2, thank you ... but, next step
> is to use mppe, of course:
Why would you want to use mppe? Now you want to put a semitrailer air
deflector on top of your ferrari.
The only reason mppe should be in pppd is because of stupid MS machines
which demand it.
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: ppp 2.4.3 cvs authentication issue
2004-10-28 12:45 ppp 2.4.3 cvs authentication issue a b
` (12 preceding siblings ...)
2004-10-28 16:10 ` Bill Unruh
@ 2004-10-28 17:01 ` a b
13 siblings, 0 replies; 15+ messages in thread
From: a b @ 2004-10-28 17:01 UTC (permalink / raw)
To: linux-ppp
> Who is Jason?
ouups, I meant James, sorry
>
> > have a nice day,
>
> You, too. Glad to hear things are working.
They are, for now ... :o)
thanks again,
- Adrian
Vous manquez d’espace pour stocker vos mails ?
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/
Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com
^ permalink raw reply [flat|nested] 15+ messages in thread