Date:      Wed, 7 Jan 2004 23:49:11 -0800
From:      Chris Jones <cjones@gruntle.org>
To:        freebsd-questions@freebsd.org
Subject:   mpd PPTP to Cisco 3000 VPN Concentrator routing problem
Message-ID:  <20040108074911.GC357@gruntle.org>

Hi.  I've gone over list archives and seen this issue discussed before,
but the suggested solutions aren't working for me.  I am using
mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000 Series VPN
Concentrator.  I have negotiated CHAP and MPPE and the ng0 interface
comes up, but when I try to do anything I get this:

$ ping 10.10.58.7 
PING 10.10.58.7 (10.10.58.7): 56 data bytes       
ping: sendto: Resource deadlock avoided           
ping: sendto: No buffer space available           

A little investigation showed that this is a known routing issue and
that it is possible to work around by re-addressing the ng0 interface
with the VPN concentrator's private IP and setting a default route to it.  I
did this, but I still have the same problem.  :(

Does anyone see what I am doing wrong here?  Below are my routing table
and ifconfig before running mpd, after running mpd, and after running
the "fix".  Below that is my mpd.conf and its output (verbose).

I appreciate any help on this, I've been going crazy trying to figure
out what I'm doing wrong.  I can get it to work using the OSX PPTP
client, but not mpd.


- Chris



VPN External IP: C.O.R.P
VPN Internal IP: 10.10.58.7


*** before running mpd

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.131.254    UGS         0        0    de0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.131        link#1             UC          0        0    de0
192.168.131.254    00:00:0f:00:00:00  UHLW        1        0    de0     36


*** after running mpd

ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1494
	inet 10.10.58.156 --> C.O.R.P netmask 0xffffffff 
	inet6 fe80::203:ffff:fe73:504c%ng0 prefixlen 64 scopeid 0x3 

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.131.254    UGS         0       30    de0
10.10.58.156       lo0                UHS         0        0    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.131        link#1             UC          0        0    de0
192.168.131.254    00:00:0f:00:00:00  UHLW        1        0    de0      4
C.O.R.P            10.10.58.156       UH          0        0    ng0

*** run fix from iface up-script

ifconfig ng0 inet 10.10.58.156 10.10.58.7 netmask 0xffffffff
route delete default
route add default -interface ng0


*** after running fix

ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1494
	inet6 fe80::203:ffff:fe73:504c%ng0 prefixlen 64 scopeid 0x3 
	inet 10.10.58.156 --> 10.10.58.7 netmask 0xffffffff 

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            ng0                US          0        0    ng0
10.10.58.7         10.10.58.156       UH          0        0    ng0
10.10.58.156       lo0                UHS         0        0    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.131        link#1             UC          0        0    de0
192.168.131.254    00:00:0f:00:00:00  UHLW        0        0    de0


ciscovpn:
	new -i ng0 ciscovpn work
	set bundle authname "user"
	set bundle password "password"
	set ipcp ranges 10.10.58.0/23 C.O.R.P/32
	set link max-redial -1
	set link keep-alive 0 0
	set link disable acfcomp protocomp
	set bundle no crypt-reqd
	set bundle enable compression encryption
	set ccp yes mppc
	set ccp yes mpp-e128
	set ccp no mpp-e40
	set ccp yes mpp-stateless
	set link disable pap chap
	set link no chap-md5
	set link no chap-msv2
	set link no pap
	set link accept chap-msv1
	set iface idle 0
	set ipcp disable vjcomp
	set ipcp enable req-pri-dns req-sec-dns
	set iface up-script /usr/local/etc/mpd/ciscovpn-iface-up.sh
	open

*** mpd.links

work:
	set link type pptp
	set pptp peer C.O.R.P
	set pptp enable originate outcall


*** mpd output

# mpd
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 1033, version 3.15 (root@mymachine 00:39  7-Jan-2004)
[ciscovpn] ppp node is "mpd1033-ciscovpn"
[ciscovpn] using interface ng0
[ciscovpn] IFACE: Open event
[ciscovpn] IPCP: Open event
[ciscovpn] IPCP: state change Initial --> Starting
[ciscovpn] IPCP: LayerStart
[ciscovpn:work] [ciscovpn] bundle: OPEN event in state CLOSED
[ciscovpn] opening link "work"...
[work] link: OPEN event
[work] LCP: Open event
[work] LCP: state change Initial --> Starting
[work] LCP: LayerStart
[work] device: OPEN event in state DOWN
pptp0: connecting to C.O.R.P:1723
[work] device is now in state OPENING
pptp0: connected to C.O.R.P:1723
pptp0: attached to connection with C.O.R.P:1723
pptp0-0: outgoing call connected at 10000000 bps
[work] PPTP call successful
[work] device: UP event in state OPENING
[work] device is now in state UP
[work] link: UP event
[work] link: origination is local
[work] LCP: Up event
[work] LCP: state change Starting --> Req-Sent
[work] LCP: phase shift DEAD --> ESTABLISH
[work] LCP: SendConfigReq #1
 MRU 1500
 MAGICNUM 3aa7e9cd
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 03 ff 73 50 4c
[work] LCP: SendConfigReq #2
 MRU 1500
 MAGICNUM 3aa7e9cd
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 03 ff 73 50 4c
[work] LCP: rec'd Configure Reject #2 link 0 (Req-Sent)
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 03 ff 73 50 4c
[work] LCP: SendConfigReq #3
 MRU 1500
 MAGICNUM 3aa7e9cd
[work] LCP: rec'd Configure Ack #3 link 0 (Req-Sent)
 MRU 1500
 MAGICNUM 3aa7e9cd
[work] LCP: state change Req-Sent --> Ack-Rcvd
[work] LCP: rec'd Configure Request #1 link 0 (Ack-Rcvd)
 AUTHPROTO CHAP MSOFT
[work] LCP: SendConfigAck #1
 AUTHPROTO CHAP MSOFT
[work] LCP: state change Ack-Rcvd --> Opened
[work] LCP: phase shift ESTABLISH --> AUTHENTICATE
[work] LCP: auth: peer wants CHAP, I want nothing
[work] LCP: LayerUp
[work] CHAP: rec'd CHALLENGE #1
 Name: ""
 Using authname "user"
[work] CHAP: sending RESPONSE
[work] CHAP: rec'd CHALLENGE #2
 Name: ""
 Using authname "user"
[work] CHAP: sending RESPONSE
[work] CHAP: rec'd SUCCESS #2
[work] LCP: authorization successful
[work] LCP: phase shift AUTHENTICATE --> NETWORK
[ciscovpn] setting interface ng0 MTU to 1500 bytes
[ciscovpn] up: 1 link, total bandwidth 64000 bps
[ciscovpn] IPCP: Up event
[ciscovpn] IPCP: state change Starting --> Req-Sent
[ciscovpn] IPCP: SendConfigReq #1
 IPADDR 10.10.58.0
 PRIDNS 0.0.0.0
 SECDNS 0.0.0.0
[ciscovpn] CCP: Open event
[ciscovpn] CCP: state change Initial --> Starting
[ciscovpn] CCP: LayerStart
[ciscovpn] CCP: Up event
[ciscovpn] CCP: state change Starting --> Req-Sent
[ciscovpn] CCP: SendConfigReq #1
[work] CCP: Checking wether 40 bits are enabled -> no
[work] CCP: Checking wether 56 bits are enabled -> no
[work] CCP: Checking wether 128 bits are enabled -> yes
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] ECP: Open event
[ciscovpn] ECP: state change Initial --> Starting
[ciscovpn] ECP: LayerStart
[ciscovpn] ECP: Up event
[ciscovpn] ECP: state change Starting --> Req-Sent
[ciscovpn] ECP: SendConfigReq #1
[ciscovpn] IPCP: rec'd Configure Request #0 link 0 (Req-Sent)
 IPADDR C.O.R.P
   C.O.R.P is OK
[ciscovpn] IPCP: SendConfigAck #0
 IPADDR C.O.R.P
[ciscovpn] IPCP: state change Req-Sent --> Ack-Sent
[ciscovpn] CCP: rec'd Configure Request #0 link 0 (Req-Sent)
 MPPC
   0x01000060: MPPE, 40 bit, 128 bit, stateless
[work] CCP: Checking wether 40 bits are acceptable -> no
[work] CCP: Checking wether 128 bits are acceptable -> yes
[ciscovpn] CCP: SendConfigNak #0
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: rec'd Configure Nak #1 link 0 (Req-Sent)
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: SendConfigReq #2
[work] CCP: Checking wether 40 bits are enabled -> no
[work] CCP: Checking wether 56 bits are enabled -> no
[work] CCP: Checking wether 128 bits are enabled -> yes
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[work] LCP: rec'd Protocol Reject #2 link 0 (Opened)
[work] LCP: protocol ECP was rejected
[ciscovpn] ECP: protocol was rejected by peer
[ciscovpn] ECP: state change Req-Sent --> Stopped
[ciscovpn] ECP: LayerFinish
[ciscovpn] CCP: rec'd Configure Request #1 link 0 (Req-Sent)
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[work] CCP: Checking wether 128 bits are acceptable -> yes
[ciscovpn] CCP: SendConfigAck #1
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: state change Req-Sent --> Ack-Sent
[ciscovpn] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: state change Ack-Sent --> Opened
[ciscovpn] CCP: LayerUp
  Compress using: MPPE, 128 bit, stateless
Decompress using: MPPE, 128 bit, stateless
[ciscovpn] setting interface ng0 MTU to 1494 bytes
[ciscovpn] IPCP: SendConfigReq #2
 IPADDR 10.10.58.0
 PRIDNS 0.0.0.0
 SECDNS 0.0.0.0
[ciscovpn] IPCP: rec'd Configure Nak #2 link 0 (Ack-Sent)
 IPADDR 10.10.58.156
   10.10.58.156 is OK
 PRIDNS 10.10.10.100
 SECDNS 10.10.10.85
[ciscovpn] IPCP: SendConfigReq #3
 IPADDR 10.10.58.156
 PRIDNS 10.10.10.100
 SECDNS 10.10.10.85
[ciscovpn] IPCP: rec'd Configure Ack #3 link 0 (Ack-Sent)
 IPADDR 10.10.58.156
 PRIDNS 10.10.10.100
 SECDNS 10.10.10.85
[ciscovpn] IPCP: state change Ack-Sent --> Opened
[ciscovpn] IPCP: LayerUp
  10.10.58.156 -> C.O.R.P
[ciscovpn] IFACE: Up event
[ciscovpn] setting interface ng0 MTU to 1494 bytes
[ciscovpn] exec: /sbin/ifconfig ng0 10.10.58.156 C.O.R.P netmask 0xffffffff -link0
[ciscovpn] exec: /sbin/route add 10.10.58.156 -iface lo0
[ciscovpn] exec: /usr/local/etc/mpd/ciscovpn-iface-up.sh ng0 inet 10.10.58.156 C.O.R.P  dns1 10.10.10.100 dns2 10.10.10.85
[ciscovpn] IFACE: Up event


-- 
Chris
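
Added example, not part of the original message: a Python check, run over abridged copies of the routing tables above, for whether traffic to the PPTP server's outer address would itself leave through ng0. 203.0.113.10 is a constructed stand-in for the redacted C.O.R.P address, the PINNED table is constructed, and the function names are hypothetical.

```python
import ipaddress

PEER = "203.0.113.10"  # constructed stand-in for the redacted C.O.R.P address

# Tables copied (abridged) from the message, with C.O.R.P replaced by PEER.
AFTER_MPD = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.131.254    UGS         0       30    de0
10.10.58.156       lo0                UHS         0        0    lo0
192.168.131        link#1             UC          0        0    de0
203.0.113.10       10.10.58.156       UH          0        0    ng0
"""
AFTER_FIX = """\
default            ng0                US          0        0    ng0
10.10.58.7         10.10.58.156       UH          0        0    ng0
10.10.58.156       lo0                UHS         0        0    lo0
192.168.131        link#1             UC          0        0    de0
"""
# Constructed: AFTER_FIX plus a host route to PEER via the LAN gateway.
PINNED = AFTER_FIX + "203.0.113.10  192.168.131.254  UGHS  0  0  de0\n"

def _network(dest, flags):
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        # Assumption: H-flagged rows are /32; abbreviated networks such as
        # "192.168.131" carry 8 prefix bits per printed octet.
        plen = 32 if "H" in flags else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + f"/{plen}", strict=False)

def parse_routes(text):
    routes = []
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) < 6:
            continue
        try:  # header and IPv6 rows fail to parse and are skipped
            routes.append((_network(fields[0], fields[2]), fields[5]))
        except ValueError:
            pass
    return routes

def egress_if(text, ip):
    """Interface chosen by longest-prefix match, or None if no route."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in parse_routes(text) if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def tunnel_loops(text, peer=PEER, tunnel_if="ng0"):
    """True when packets for the PPTP server's outer address leave via the tunnel."""
    return egress_if(text, peer) == tunnel_if
```

On both tables taken from the message the check returns True: after mpd the host route for the server's address points at ng0, and after the fix the only matching route is the default over ng0.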


