Date: Thu, 26 Jun 2003 20:24:39 -0500 (CDT)
From: Archie Cobbs <archie@dellroad.org>
To: Doug Lee <dgl@dlee.org>
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: mpd VPN won't work after upgrade from 4.6-STABLE to 4.8-STABLE
Message-ID: <200306270124.h5R1Oeb2008887@arch20m.dellroad.org>
In-Reply-To: <20030625222534.GD478@kirk.dlee.org>
Doug Lee wrote:
> > If you're getting protocol reject errors -- while trying to use
> > Microsoft MPPE encryption? Then probably one side is generating
> > the keys incorrectly. What is the other side? Also, let's see
> > the log trace.
>
> Here is a trace consisting of link-up, responses to a set of five
> pings, and link-terminate, all from the originating side, which is the
>
> ...
>
> One specific question, other than "Why won't this work?" :-) : What's
> this line doing in here at the end of the successful CHAP negotiation:
>
> 17:35:00 MESG: S=181EBCAE417331F125BCDDB3991C14EF7B39750D

This is Microsoft overloading the CHAP message string with their reverse
authentication hash. It's normal with MS-CHAP.

> The following mpd log entries were generated by a set of five pings
> I attempted to send up the link:
>
> 17:35:15 [vpn] LCP: rec'd Protocol Reject #22 link 0 (Opened)
> 17:35:15 [vpn] LCP: protocol 0x0023 was rejected
> 17:35:16 [vpn] LCP: rec'd Protocol Reject #23 link 0 (Opened)
> 17:35:16 [vpn] LCP: protocol 0x00e7 was rejected
> 17:35:17 [vpn] LCP: rec'd Protocol Reject #24 link 0 (Opened)
> 17:35:17 [vpn] LCP: protocol 0x0087 was rejected
> 17:35:18 [vpn] LCP: rec'd Protocol Reject #25 link 0 (Opened)
> 17:35:18 [vpn] LCP: protocol 0x006d was rejected
> 17:35:19 [vpn] LCP: rec'd Protocol Reject #26 link 0 (Opened)
> 17:35:19 [vpn] LCP: protocol 0x16a1 was rejected

Again, what's on the other side of the link?

Is it necessary to enable MS-CHAP in both directions?

The other side is screwing up MPPE key generation. Note that with
MS-CHAPv2, the server is authenticated as well anyway, so you really
only need to authenticate in one direction.

-Archie

__________________________________________________________________________
Archie Cobbs * Halloo Communications * http://www.halloo.com
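The diagnosis above rests on reading the rejected protocol numbers: a healthy PPTP/MPPE link carries a handful of assigned PPP protocols, so a run of Protocol-Rejects for well-formed but unassigned, never-repeating numbers means the peer is decoding garbage after decryption, which is what a key mismatch looks like. The following Python script is an added example by the editor, not code from the thread or from mpd: it parses mpd LCP log lines of the form quoted above, checks each rejected number against the RFC 1661 protocol-field rule (low octet odd, high octet even) and a table of assigned PPP protocol numbers (IANA values known to the editor, not taken from the mail), and applies a triage heuristic of my own. The sample log is constructed from the five pairs Doug posted.

```python
import re

# Constructed sample input: the five Protocol-Reject pairs quoted in the thread.
SAMPLE_LOG = """\
17:35:15 [vpn] LCP: rec'd Protocol Reject #22 link 0 (Opened)
17:35:15 [vpn] LCP: protocol 0x0023 was rejected
17:35:16 [vpn] LCP: rec'd Protocol Reject #23 link 0 (Opened)
17:35:16 [vpn] LCP: protocol 0x00e7 was rejected
17:35:17 [vpn] LCP: rec'd Protocol Reject #24 link 0 (Opened)
17:35:17 [vpn] LCP: protocol 0x0087 was rejected
17:35:18 [vpn] LCP: rec'd Protocol Reject #25 link 0 (Opened)
17:35:18 [vpn] LCP: protocol 0x006d was rejected
17:35:19 [vpn] LCP: rec'd Protocol Reject #26 link 0 (Opened)
17:35:19 [vpn] LCP: protocol 0x16a1 was rejected
"""

# Assigned PPP protocol numbers a PPTP/MPPE link legitimately carries
# (IANA PPP Numbers registry; editor-supplied, not from the thread).
KNOWN_PROTOCOLS = {
    0x0021: "IPv4",
    0x0057: "IPv6",
    0x002B: "IPX",
    0x00FD: "compressed datagram (MPPC/MPPE)",
    0x8021: "IPCP",
    0x8057: "IPV6CP",
    0x80FD: "CCP",
    0xC021: "LCP",
    0xC023: "PAP",
    0xC025: "LQR",
    0xC223: "CHAP",
}

# mpd's LCP line for the rejected protocol number, as quoted above.
REJECT_RE = re.compile(r"LCP: protocol 0x([0-9A-Fa-f]{4}) was rejected")


def rejected_protocols(log_text):
    """Extract every rejected PPP protocol number, in log order."""
    return [int(m.group(1), 16) for m in REJECT_RE.finditer(log_text)]


def well_formed(proto):
    """RFC 1661 section 2: the LSB of the low octet must be 1 and the LSB
    of the high octet must be 0. A receiver normally discards frames that
    violate this silently rather than sending Protocol-Reject."""
    return (proto & 0x01) == 1 and ((proto >> 8) & 0x01) == 0


def diagnose(log_text):
    """Classify a burst of Protocol-Rejects.

    Returns (verdict, details) where details is a list of
    (protocol, well_formed, assigned_name_or_None).
    Heuristic (editor's own):
      * all rejected numbers unassigned and none repeats -> the peer is
        reading decrypted garbage as a protocol field: likely key mismatch;
      * some unassigned numbers but with repeats -> unassigned protocol(s);
      * only assigned numbers rejected -> the peer genuinely refuses a
        protocol we offer: a negotiation/config mismatch, not crypto.
    """
    protos = rejected_protocols(log_text)
    details = [(p, well_formed(p), KNOWN_PROTOCOLS.get(p)) for p in protos]
    unknown = [p for p in protos if p not in KNOWN_PROTOCOLS]
    if not protos:
        verdict = "no protocol rejects found"
    elif len(unknown) == len(protos) and len(set(protos)) == len(protos):
        verdict = "likely key mismatch"
    elif unknown:
        verdict = "unassigned protocol(s) rejected"
    else:
        verdict = "peer rejects a known protocol (config mismatch)"
    return verdict, details


if __name__ == "__main__":
    verdict, details = diagnose(SAMPLE_LOG)
    for proto, ok, name in details:
        print(f"0x{proto:04x} well-formed={ok} assigned={name or '-'}")
    print("verdict:", verdict)
```

Run against the quoted trace it reports all five numbers as well-formed (so the peer did parse them as protocol fields, rather than dropping malformed frames) but unassigned and distinct, and returns "likely key mismatch"; feed it a log where the peer repeatedly rejects 0x0021 (IPv4) instead and it returns the config-mismatch verdict, which points at the IPCP/peer configuration rather than at MPPE.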