* VPN to windows ISA server
@ 2009-11-29 13:41 Diederik Hattingh
2009-11-29 23:10 ` James Carlson
From: Diederik Hattingh @ 2009-11-29 13:41 UTC (permalink / raw)
To: linux-ppp
Hi
I am trying to use kvpnc to connect to my work VPN. The server is a
Windows ISA server. I have selected the "require MPPE" option. At
connection time unfortunately, with debug, the log file says:
Nov 29 14:29:35 [pppd] sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x15190f75> <accomp>]
Nov 29 14:29:35 [pppd] MPPE required, but MS-CHAP[v2] auth not performed.
Nov 29 14:29:35 [pppd] sent [LCP TermReq id=0x2 "MPPE required but not available"]
Nov 29 14:29:36 [pppd] rcvd [LCP EchoReq id=0x0 magic=0x15190f75]
Nov 29 14:29:36 [pppd] rcvd [LCP TermReq id=0x3 "peer refused to authenticate"]
I added my CHAP "secret" with pptp-command. Adding the secret does
not add the "*" for the IP address column in the "/etc/ppp/chap-secrets"
file, is this normal?
Another question is the format of the domain\username. In the secret
file for chap, the example was "domain\\username". Should this be the
same for the "user" value in the peer file?
I read online that the NT Domain part must be left blank, but the
domain added as prefix, as described above, to the username. Is this
still valid?
The kernel module ppp_mppe loads fine, and the modinfo gives
filename: /lib/modules/2.6.30-tuxonice-r4/kernel/drivers/net/ppp_mppe.ko
version: 1.0.2
alias: ppp-compress-18
license: Dual BSD/GPL
description: Point-to-Point Protocol Microsoft Point-to-Point Encryption support
author: Frank Cusack <fcusack@fcusack.com>
srcversion: 75D9E5320BB61153D0F4AF5
depends: ppp_generic
vermagic: 2.6.30-tuxonice-r4 SMP mod_unload modversions 686 4KSTACKS
pppd version is 2.4.4
pptp version is 1.7.2
# lsmod |grep ppp
ppp_deflate 4188 0
ppp_async 7496 0
crc_ccitt 1796 1 ppp_async
ppp_mppe 6088 0
ppp_generic 21568 4 ppp_deflate,bsd_comp,ppp_async,ppp_mppe
slhc 5156 1 ppp_generic
The peer file is attached as kvpnc.txt, and the secrets file looks like this:
# Secrets for authentication using CHAP
# client server secret IP addresses
myworkdomain\\djh myworkdomain *****
myworkdomain myworkdomain\\djh *****
Notice that the connection server is called server.myworkdomain.co.za,
but the domain I specified as myworkdomain (without .co.za)
Any help will be much appreciated.
Thanks
Diederik
[-- Attachment #2: kvpnc.txt, text/plain --]
# generated by kvpnc. Do not edit it.
# profile: myworkdomain.co.za
# name of tunnel, used to select lines in secrets files
remotename myworkdomain.co.za
# name of tunnel, used to name /var/run pid file
linkname kvpc.myworkdomain.co.za
# name of tunnel, passed to ip-up scripts
ipparam kvpnc.myworkdomain.co.za
# data stream for pppd to use
pty "/usr/sbin/pptp --loglevel 1 myworkdomain.co.za --nolaunchpppd"
# domain and username, used to select lines in secrets files
name "myworkdomain\myworkusername"
# use MPPE encryption
require-mppe
nomppe-stateful
require-mppe-128
# we do not require the peer to authenticate itself
noauth
# we want to see what happens
nodetach
# lock the device
lock
# Do not use BSD compression
nobsdcomp
# Do not use deflate method
nodeflate
# replace defaultroute
defaultroute
# default MTU
mtu 1500
# default MRU
mru 1500
# disable protocol field compression negotiation (kvpnc's generated comment
# describes this as disabling MPPC for compatibility with watchguard firebox;
# nopcomp only affects PPP protocol field compression)
nopcomp
# kernel level debug
kdebug 0
# refuse EAP
refuse-eap
* Re: VPN to windows ISA server
@ 2009-11-29 23:10 ` James Carlson
From: James Carlson @ 2009-11-29 23:10 UTC (permalink / raw)
To: linux-ppp
Diederik Hattingh wrote:
> Nov 29 14:29:35 [pppd] sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x15190f75> <accomp>]
It looks like you've trimmed away the beginning of the negotiation in
the debug information you posted. That's unfortunate, as this likely
includes important details that will be needed to resolve the problem.
In the future, don't do that.
> Nov 29 14:29:35 [pppd] MPPE required, but MS-CHAP[v2] auth not performed.
That looks like the key problem here. You need to do MS-CHAPv2 with the
peer in order to use MPPE. Either your system is misconfigured such
that it doesn't do MS-CHAPv2, or the peer just refuses to allow that
authentication mechanism.
> I added my CHAP "secret" with pptp-command. Adding the secret does
> not add the "*" for the IP address column in the "/etc/ppp/chap-secrets"
> file, is this normal?
Only the authenticator ("server") side of the connection needs that
extra column in the chap-secrets file, so this part of the configuration
is normal.
> Another question is the format of the domain\username. In the secret
> file for chap, the example was "domain\\username". Should this be the
> same for the "user" value in the peer file?
Yes. pppd doesn't actually know anything about "domain" names or
anything like that. It just passes the string along to the peer (the
Windows server system), and that's what will parse out the domain and
user name. Thus, you have to use the same string everywhere.
> I read online that the NT Domain part must be left blank, but the
> domain added as prefix, as described above, to the username. Is this
> still valid?
It depends on how the NT server is configured. There's no way to know
without asking the administrator of that system.
> # Secrets for authentication using CHAP
> # client server secret IP addresses
> myworkdomain\\djh myworkdomain *****
> myworkdomain myworkdomain\\djh *****
The second of those looks bogus; you would never identify yourself to
the peer as though your name were just "myworkdomain". I would have had
this for the first entry:
myworkdomain\\djh * "my secret here"
It shouldn't be necessary (or helpful) to specify the server's name in
the second column, particularly as Microsoft systems tend to refuse to
identify themselves.
As for the double line seen in your configuration file, it looks to me
like whoever (or whatever) added it this way was confused about how that
file actually works.
> Notice that the connection server is called server.myworkdomain.co.za,
> but the domain I specified as myworkdomain (without .co.za)
I don't believe that NT authentication domains have anything to do with
DNS domain names. They're wholly unrelated concepts. You can't just
lop off the trailing ".co.za" and expect it to work, unless the NT
authentication domain (part of Kerberos, I think) just happens to be the
same as that portion of the DNS name by coincidence. You need to have
proper NT authentication credentials if you're going to use MS-CHAPv2.
--
James Carlson 42.703N 71.076W <carlsonj@workingcode.com>
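Worked example, added here as an editorial illustration of the two points made in the reply above (the format of the domain\\username string and how the secrets file is matched); it is not code from this thread and not code from pppd. It models pppd's word quoting and its (client, server) secret lookup as I understand them from the pppd man page and source: whitespace separates words, double quotes group a word, a backslash quotes the following character, the client column is matched against the local `name`, the server column against the remote name (the peer file's `remotename`, which the man page says is "the assumed name of the remote system for authentication purposes"), and `*` is a wildcard that loses to an exact match. Those rules are assumptions to check against options.c getword() and auth.c get_secret() in your pppd; the secret values are placeholders.

```python
"""Model of how pppd reads chap-secrets and picks a secret for a CHAP/MS-CHAPv2 response.

Added example, not code from this thread or from pppd.  The quoting and matching
rules below are my reading of pppd's getword() and get_secret() (assumptions).
"""
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str, List[str]]   # client, server, secret, addresses

# Constructed copies of the two secrets files discussed in the thread (secret
# values are placeholders).  The first is the original post's file, the second
# is the single line James suggested instead.
SECRETS_ORIGINAL = r'''
# Secrets for authentication using CHAP
# client server secret IP addresses
myworkdomain\\djh myworkdomain "secret-one"
myworkdomain myworkdomain\\djh "secret-two"
'''

SECRETS_FIXED = r'''
myworkdomain\\djh * "my secret here"
'''


def split_words(line: str) -> List[str]:
    """Tokenise one config line: whitespace separates words, quotes group,
    backslash quotes the next character, '#' at a word start begins a comment."""
    words: List[str] = []
    cur: List[str] = []
    quoted = in_word = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "#" and not quoted and not in_word:
            break                                    # rest of line is a comment
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])                  # \x -> x, so \\ -> \
            in_word = True
            i += 2
            continue
        if c == '"':
            quoted = not quoted                      # quotes delimit, never appear
            in_word = True
        elif c.isspace() and not quoted:
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(c)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))
    return words


def parse_secrets(text: str) -> List[Entry]:
    """Return (client, server, secret, addresses) for every usable line."""
    entries: List[Entry] = []
    for line in text.splitlines():
        w = split_words(line)
        if len(w) >= 3:                              # comment/blank/short lines ignored
            entries.append((w[0], w[1], w[2], w[3:]))
    return entries


def get_secret(entries: List[Entry], client: str, server: str) -> Optional[str]:
    """Best-matching secret for (our name, peer name), or None if no line
    matches, in which case there is nothing to put into the CHAP response."""
    best_score, best = -1, None
    for c, s, secret, _addrs in entries:
        if c not in ("*", client) or s not in ("*", server):
            continue
        score = (c != "*") * 2 + (s != "*")          # exact beats wildcard
        if score > best_score:
            best_score, best = score, secret
    return best


if __name__ == "__main__":
    me = "myworkdomain\\djh"                         # one real backslash, as sent to the peer
    original = parse_secrets(SECRETS_ORIGINAL)
    # The peer file says 'remotename myworkdomain.co.za'; the second column
    # 'myworkdomain' in the original secrets file never matches that.
    print("original, remotename myworkdomain.co.za:", get_secret(original, me, "myworkdomain.co.za"))
    print("original, remotename myworkdomain      :", get_secret(original, me, "myworkdomain"))
    print("fixed,    remotename myworkdomain.co.za:", get_secret(parse_secrets(SECRETS_FIXED), me, "myworkdomain.co.za"))
    # The attached peer file writes the name with a single backslash; under the
    # same quoting rules that backslash is consumed, so it should be doubled there too.
    print("peer-file name parses as:", split_words('name "myworkdomain\\myworkusername"'))
```

Running it shows the two mismatches a practitioner would check first: the original file only yields a secret when the remote name is exactly `myworkdomain`, not the `myworkdomain.co.za` that the peer file sets with `remotename`, while the wildcard line works for any remote name; and the single-backslash `name "myworkdomain\myworkusername"` in the peer file does not produce the same string as `myworkdomain\\djh` in the secrets file, which is why the reply says to use the same (double-backslash) spelling everywhere.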