Re: mpd VPN won't work after upgrade from 4.6-STABLE to 4.8-STABLE

From: Archie Cobbs (archie_at_dellroad.org)
Date: 06/27/03

  • Next message: Doug Lee: "Possible Solution (Re: mpd VPN won't work after upgrade from 4.6-STABLE to 4.8-STABLE)"
    To: Doug Lee <dgl@dlee.org>
    Date: Thu, 26 Jun 2003 20:24:39 -0500 (CDT)
    
    

    Doug Lee wrote:
    > > If you're getting protocol reject errors -- while trying to use
    > > Microsoft MPPE encryption? Then probably one side is generating
    > > the keys incorrectly. What is the other side? Also, let's see
    > > the log trace.
    >
    > Here is a trace consisting of link-up, responses to a set of five
    > pings, and link-terminate, all from the originating side, which is the
    >
    > ...
    >
    > One specific question, other than "Why won't this work?" :-) : What's
    > this line doing in here at the end of the successful CHAP negotiation:
    >
    > 17:35:00 MESG: S=181EBCAE417331F125BCDDB3991C14EF7B39750D

    This is Microsoft overloading the CHAP message string with
    their reverse authentication hash. It's normal with MS-CHAP.

    > The following mpd log entries were generated by a set of five pings
    > I attempted to send up the link:
    >
    > 17:35:15 [vpn] LCP: rec'd Protocol Reject #22 link 0 (Opened)
    > 17:35:15 [vpn] LCP: protocol 0x0023 was rejected
    > 17:35:16 [vpn] LCP: rec'd Protocol Reject #23 link 0 (Opened)
    > 17:35:16 [vpn] LCP: protocol 0x00e7 was rejected
    > 17:35:17 [vpn] LCP: rec'd Protocol Reject #24 link 0 (Opened)
    > 17:35:17 [vpn] LCP: protocol 0x0087 was rejected
    > 17:35:18 [vpn] LCP: rec'd Protocol Reject #25 link 0 (Opened)
    > 17:35:18 [vpn] LCP: protocol 0x006d was rejected
    > 17:35:19 [vpn] LCP: rec'd Protocol Reject #26 link 0 (Opened)
    > 17:35:19 [vpn] LCP: protocol 0x16a1 was rejected

    Again, what's on the other side of the link? Is it necessary
    to enable MS-CHAP in both directions? The other side is screwing
    up MPPE key generation. Note that with MS-CHAPv2, the server is
    authenticated as well anyway, so you really only need to authenticate
    in one direction.

    -Archie

    __________________________________________________________________________
    Archie Cobbs * Halloo Communications * http://www.halloo.com
    _______________________________________________
    freebsd-stable@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-stable
    To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
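An added example, not part of the message above and not mpd code: it parses the Protocol Reject lines quoted in the trace and flags the pattern they show, where near-identical pings each draw a reject for a different protocol number that the link never sends on purpose. Treating that pattern as a sign of mismatched MPPE keys is a heuristic; `suspect_key_mismatch`, `EXPECTED_PROTOCOLS` and the thresholds are assumptions made for this illustration.

```python
import re

# Log lines copied from the trace quoted in the message above.
SAMPLE_LOG = """\
17:35:15 [vpn] LCP: rec'd Protocol Reject #22 link 0 (Opened)
17:35:15 [vpn] LCP: protocol 0x0023 was rejected
17:35:16 [vpn] LCP: rec'd Protocol Reject #23 link 0 (Opened)
17:35:16 [vpn] LCP: protocol 0x00e7 was rejected
17:35:17 [vpn] LCP: rec'd Protocol Reject #24 link 0 (Opened)
17:35:17 [vpn] LCP: protocol 0x0087 was rejected
17:35:18 [vpn] LCP: rec'd Protocol Reject #25 link 0 (Opened)
17:35:18 [vpn] LCP: protocol 0x006d was rejected
17:35:19 [vpn] LCP: rec'd Protocol Reject #26 link 0 (Opened)
17:35:19 [vpn] LCP: protocol 0x16a1 was rejected
"""

# Assumption: what this link sends on purpose once it is up, i.e. IP (0x0021)
# and the PPP compressed/encrypted datagram (0x00fd) that carries MPPE.
EXPECTED_PROTOCOLS = {0x0021, 0x00FD}

REJECT_RE = re.compile(
    r"^\S+ \[([^\]]+)\] LCP: protocol 0x([0-9a-fA-F]{4}) was rejected$")


def rejected_protocols(log_text):
    """Map each bracketed name in the log to the protocol numbers rejected."""
    found = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            found.setdefault(m.group(1), []).append(int(m.group(2), 16))
    return found


def suspect_key_mismatch(protocols, min_rejects=3):
    """Heuristic (hypothetical helper): several rejects, mostly for different
    protocol numbers, none of them a protocol the link deliberately sends."""
    distinct = set(protocols)
    return (len(protocols) >= min_rejects
            and distinct.isdisjoint(EXPECTED_PROTOCOLS)
            and len(distinct) * 2 > len(protocols))


if __name__ == "__main__":
    for name, protos in rejected_protocols(SAMPLE_LOG).items():
        hit = suspect_key_mismatch(protos)
        print(name, [hex(p) for p in protos], "key mismatch?" if hit else "ok")
```

A peer that simply does not support one protocol rejects the same number every time, which this check does not flag.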

