Date:      Fri, 10 Nov 2006 13:46:00 +0100
From:      Sebastiaan van Erk <sebster@sebster.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Problem setting up PPTP server
Message-ID:  <45547488.6000108@sebster.com>
In-Reply-To: <4553BEAD.70906@sebster.com>
References:  <4553BEAD.70906@sebster.com>

Hi,

I solved the problem, and I'll post the resolution for reference 
purposes. There were two configuration issues:

1) To enable MPPE encryption the encryption option on the bundle should
be DISABLED, since MPPE lives in the compression layer and not the
encryption layer; thus by commenting out the "set bundle enable encryption"
and "set bundle enable crypt-reqd" lines, this problem was solved.

2) Since the client (a Linux ppp client) had the option
"require-mppe-128" enabled, the server got a config request for 128 bit
MPPE stateless, but then rejected it. The reason for this was the "set
ccp enable mppc" line, which should have read "set ccp yes mppc" since
otherwise the accept flag is disabled.

Finally, I have not found a way to force MPPE encryption on the *server* 
side. There seems to be no equivalent to "require-mppe-128" or "set 
bundle enable comp-reqd" or something like that in mpd. Does anybody 
know a way to require MPPE in mpd?

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi,
>
> I'm trying to set up mpd (3.18) on a FreeBSD server to allow Windows and
> Linux clients to connect. Currently I've only been trying to make the
> Linux connection succeed (Ubuntu with ppp-2.4.4), but I get the
> following output from Linux pppd:
>
> CHAP authentication succeeded
> sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
> rcvd [IPCP ConfReq id=0x1 <addr 10.0.0.1> <compress VJ 0f 00>]
> sent [IPCP TermAck id=0x1]
> rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
> sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
> rcvd [CCP ConfRej id=0x1 <mppe +H -M +S -L -D -C>]
> MPPE required but peer refused
> sent [LCP TermReq id=0x2 "MPPE required but peer refused"]
> rcvd [LCP TermAck id=0x4]
> Connection terminated.
>
> I don't understand why the Linux client sends a TermAck on IPCP without
> getting a TermReq first, but apart from that mpd seems to be failing to
> negotiate MPPE even though I configured both the Linux client and mpd to
> allow ONLY mppe-128, i.e., in my mpd.conf I have the following:
>
>    # Microsoft Point to Point Encryption
>    set bundle enable compression
>    set ccp enable mppc
>    set ccp enable mpp-e128
>    set ccp yes mpp-stateless
>    set ccp no mpp-e40
>
> The Linux client is requesting exactly that: MPPE 128 bit stateless, as
> can be seen from the mpd log:
>
> [pptp0] CCP: rec'd Configure Request #1 link 0 (Req-Sent)
>   MPPC
>     0x01000040: MPPE, 128 bit, stateless
>
> Am I doing something obviously wrong? Does anybody know how to fix this
> problem? Any advice is welcome!
>
> Thanks in advance,
> Sebastiaan
>
> P.S.: I have attached the mpd.conf, mpd.links, mpd.log and ppp.log files
> for completeness.
>
>
> ------------------------------------------------------------------------
>
> startup:
>   
> default:
>   load client0
>
> client0:
>   new -i ng0 pptp0 pptp
>   set ipcp ranges 10.0.0.1/32 10.0.0.128/32
>   load pptp_common
>
> pptp_common:
>   set iface disable on-demand
>   set iface enable proxy-arp			
>   set iface idle 0
>   set iface enable tcpmssfix
>   set link yes acfcomp protocomp
>   set link disable pap
>   set link enable chap
>   set link no chap-md5
>   set link mtu 1460
>   set link keep-alive 10 60
>   set ipcp dns 192.168.1.10 192.168.1.1
>   set ipcp nbns 10.0.0.1
>
>   # Microsoft Point to Point Encryption
>   set bundle enable compression
>   set ccp enable mppc
>   set ccp enable mpp-e128
>   set ccp yes mpp-stateless
>   set ccp no mpp-e40
>
>   # Require encryption or drop connection
>   set bundle enable encryption
>   set bundle enable crypt-reqd
>
>
>   
> ------------------------------------------------------------------------
>
> pptp:
>         set link type pptp
>         set pptp self 192.168.1.10
>         set pptp enable incoming
>         set pptp disable originate
>
>
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
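
Added example, not part of the original message and not code from mpd or pppd: a decoder for the MPPE supported-bits field (bit values per RFC 3078) showing that mpd's `0x01000040` and pppd's `<mppe +H -M +S -L -D -C>` describe the same offer, plus a log audit that flags offers weaker than 128-bit. The second sample log entry, the policy, and the function names are assumptions made for illustration.

```python
import re

# MPPE "supported bits" of the CCP option (RFC 3078), in pppd's print order.
MPPE_BITS = [
    ("H", 0x01000000, "stateless mode"),
    ("M", 0x00000080, "56-bit key"),
    ("S", 0x00000040, "128-bit key"),
    ("L", 0x00000020, "40-bit key"),
    ("D", 0x00000010, "obsolete"),
    ("C", 0x00000001, "MPPC compression"),
]
WEAK = {"M", "L"}  # key lengths below 128 bits

def pppd_flags(bits):
    """Render the field as pppd logs it, e.g. '+H -M +S -L -D -C'."""
    return " ".join(("+" if bits & mask else "-") + name
                    for name, mask, _ in MPPE_BITS)

def weaknesses(bits):
    """Reasons an offer falls short of a '128-bit MPPE only' policy (assumed)."""
    found = [f"{desc} allowed" for name, mask, desc in MPPE_BITS
             if name in WEAK and bits & mask]
    if not bits & 0x40:
        found.append("128-bit key not offered")
    return found

# Constructed sample: entry #1 is the option logged in the thread; entry #2
# is invented here, in the same layout, to show a weaker offer.
SAMPLE_LOG = """\
[pptp0] CCP: rec'd Configure Request #1 link 0 (Req-Sent)
  MPPC
    0x01000040: MPPE, 128 bit, stateless
[pptp0] CCP: rec'd Configure Request #2 link 0 (Req-Sent)
  MPPC
    0x01000060: MPPE, 40 bit, 128 bit, stateless
"""

# Only the hex value is parsed; the descriptive text after ':' is ignored.
OPTION_RE = re.compile(r"^[ \t]+(0x[0-9a-fA-F]{8}):", re.MULTILINE)

def audit(log_text):
    """Return (hex value, pppd-style flags, weaknesses) per logged option."""
    rows = []
    for value in OPTION_RE.findall(log_text):
        bits = int(value, 16)
        rows.append((value, pppd_flags(bits), weaknesses(bits)))
    return rows

if __name__ == "__main__":
    for value, flags, problems in audit(SAMPLE_LOG):
        print(value, f"<mppe {flags}>", "; ".join(problems) or "meets policy")
```
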


