Date: Thu, 9 May 2002 16:45:57 -0700
From: Matthew Braithwaite
To: Archie Cobbs
Cc: Matthew Braithwaite, dgilbert@velocet.ca, freebsd-net@FreeBSD.ORG
Subject: Re: mpd-netgraph problem.
Message-ID: <20020509164557.A28528@dogberry.braithwaite.net>

On Thu, May 09, 2002 at 03:51:09PM -0700, Archie Cobbs wrote:
>
> So that's screwy if you're doing MPPE encryption because which
> authentication do you use to generate the MPPE keys?? Apparently
> we are using the wrong one. In any case, we can't use the first
> one because we'd need the yes/no response to generate MPPE keys
> from CHAP MSOFTv2 authentication.

Let me see if I understand: a key used in CHAP authentication is also
used for MPPE. However, I authenticate twice, once using CHAP MSOFTv2
and once using CHAP MSOFTv2 -- and you think mpd is choosing the MPPE
key from the wrong one of these two authentications?

Is there a way to fix this in mpd? According to the manual you *have*
to use CHAP MSOFTv2 to use MPPE, so I'd think it'd be okay to
categorically ignore -- for MPPE purposes -- any key obtained through
a CHAP MSOFTv1 authentication.

Can I force mpd to speak *only* CHAP MSOFTv2? I don't find any such
option in the manual, unfortunately.

> And why is it authenticating you twice in the first place?

I don't know. Any suggestions on how I can perturb this behavior? I
couldn't find any likely candidates in the manual. I could also go
ask the guys who run the VPN server, but I'm unlikely to get a useful
response, since It Works With Windows.