From owner-freebsd-net Tue Jul 18 10:46:13 2000
Delivered-To: freebsd-net@freebsd.org
Received: from bubba.whistle.com (bubba.whistle.com [207.76.205.7]) by hub.freebsd.org (Postfix) with ESMTP id 5C4B537B7FC for ; Tue, 18 Jul 2000 10:46:09 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from archie@localhost) by bubba.whistle.com (8.9.3/8.9.3) id KAA55411; Tue, 18 Jul 2000 10:45:59 -0700 (PDT) (envelope-from archie)
From: Archie Cobbs
Message-Id: <200007181745.KAA55411@bubba.whistle.com>
Subject: Re: mpd-netgraph port vs Windows-2000 PPTP vpn
In-Reply-To: <20000718231031.A16524@gurney.reilly.home> from Andrew Reilly at "Jul 18, 2000 11:10:31 pm"
To: Andrew Reilly
Date: Tue, 18 Jul 2000 10:45:59 -0700 (PDT)
Cc: freebsd-net@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL68 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andrew Reilly writes:
> As a reference point, I can successfully connect to this VPN
> with the dial-up-networking in my Windows-98 laptop, even
> through my FreeBSD firewall box, thanks to a "-redirect_proto
> gre" argument to natd... so I know my login name and password.
>
> Mpd seems like a wonderful system, and it seems to get much
> further with the authentication stuff than ppp did, but still
> not all the way. Any suggestions?

I think ultimately mpd will need to support MS-CHAPv2...

> mpd: [vpn] LCP: auth: peer wants CHAP, I want CHAP
> mpd: [vpn] CHAP: sending CHALLENGE
> mpd: [vpn] LCP: LayerUp
> mpd: pptp0: CID 0xa525 in SetLinkInfo not found
> mpd: [vpn] CHAP: rec'd CHALLENGE #0
> mpd: Name: "FIREWALL"
> mpd: Using authname "andrew"
> mpd: [vpn] CHAP: sending RESPONSE
> mpd: [vpn] CHAP: rec'd FAILURE #0
> mpd: [vpn] LCP: authorization failed

This is a bit weird.. the remote side claims to support CHAP MD5 but either doesn't really, or your password is wrong. But even if this were fixed, you need MS-CHAP to do MPPE encryption, so that would still be a problem.

Just for fun, try the patch below and see if you get any further.

> It seems possible, given the discussion in the mpd
> documentation, that my office's Win2000 system might be using
> the STACK and mppc bits. Is it possible to acquire these at all,
> or is this something only available internally to Whistle?

You can do the encryption without the compression part.
We (Whistle) don't even have the compression code anymore because we chose not to license it (too expensive). I think there is a Linux implementation that somebody wrote, but it would take some work to port it.

> Oh: documentation bug report: should the first command in
> section 4.4 "IPCP layer commands" in the manual read "set ipcp
> ranges ..." instead of "set iface ranges ..." as it currently
> does?

Thanks! I'll fix that.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

Index: lcp.c
===================================================================
RCS file: /cvs/mod/whistle/ia/daemon/mpd/lcp.c,v
retrieving revision 1.12.2.18
diff -u -r1.12.2.18 lcp.c
--- lcp.c 2000/05/08 20:33:34 1.12.2.18
+++ lcp.c 2000/07/18 17:43:22
@@ -736,7 +736,11 @@
 case TY_AUTHPROTO: /* authentication protocol */
 {
 static const u_char chapcf[] =
+#ifdef MICROSOFT_CHAP
+ { PROTO_CHAP >> 8, PROTO_CHAP & 0xff, CHAP_ALG_MSOFT };
+#else
 { PROTO_CHAP >> 8, PROTO_CHAP & 0xff, CHAP_ALG_MD5 };
+#endif
 static const struct fsmoption chapNak =
 { TY_AUTHPROTO, 2 + sizeof(chapcf), (u_char *) chapcf };
 static const u_char papcf[] =

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
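Review bot: the #ifdef MICROSOFT_CHAP around the chapcf[] initializer turns the CHAP algorithm that mpd counter-proposes in its Configure-Nak into a compile-time choice, so one build can only ever offer CHAP_ALG_MSOFT and the other only CHAP_ALG_MD5, and nothing in this hunk shows MICROSOFT_CHAP also switching on MS-CHAP challenge/response handling in the authentication code, which is what a peer that accepts this Nak will then expect. Suggest driving the algorithm byte from a per-link run-time setting (the message already discusses "set ipcp ..." / "set iface ..." style configuration commands) rather than a define, so a single binary can talk to both MD5 and Microsoft peers, and confirm the MS-CHAP code path exists before the Nak promises it. The chapNak length expression 2 + sizeof(chapcf) needs no change, since both initializers are three bytes. One more caveat for the reader trying this: the reply above says Windows 2000 will ultimately need MS-CHAPv2, and CHAP_ALG_MSOFT here is the v1 algorithm, so the peer may still reject the Nak'd option.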
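The byte layout the patch is fiddling with, as an added example that is not mpd's code and not part of the original message: it builds and parses the LCP Authentication-Protocol configuration option (type 3) that carries PAP, CHAP-MD5, MS-CHAP or MS-CHAPv2, and then makes the same Ack-or-Nak decision the patched chapNak makes, with a flag standing in for the MICROSOFT_CHAP define. The constant names mirror the ones visible in the hunk; the function names, the auth_kind enum and the sample bytes in main() are this example's own. The values are the standard ones (PAP 0xc023, CHAP 0xc223, algorithm 0x05 MD5, 0x80 MS-CHAP, 0x81 MS-CHAPv2).

```c
/* Added example, not mpd code: LCP Authentication-Protocol option (type 3). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TY_AUTHPROTO     3        /* LCP option type: Authentication-Protocol */
#define PROTO_PAP        0xc023   /* PPP protocol number for PAP              */
#define PROTO_CHAP       0xc223   /* PPP protocol number for CHAP             */
#define CHAP_ALG_MD5     0x05     /* CHAP with MD5 (RFC 1994)                 */
#define CHAP_ALG_MSOFT   0x80     /* MS-CHAP v1 (RFC 2433)                    */
#define CHAP_ALG_MSOFTv2 0x81     /* MS-CHAPv2 (RFC 2759)                     */

/* Example's own classification of a parsed option. */
enum auth_kind { AUTH_NONE = 0, AUTH_PAP, AUTH_CHAP_MD5, AUTH_MSCHAP, AUTH_MSCHAPV2, AUTH_UNKNOWN };

/* Encode the option into buf: type, length, protocol (2 bytes), and for CHAP
 * one algorithm byte.  Returns the option length (4 or 5) or 0 on error. */
size_t lcp_build_authproto(uint8_t *buf, size_t cap, uint16_t proto, uint8_t alg)
{
    size_t len;
    if (proto != PROTO_PAP && proto != PROTO_CHAP)
        return 0;
    len = (proto == PROTO_CHAP) ? 5 : 4;
    if (cap < len)
        return 0;
    buf[0] = TY_AUTHPROTO;
    buf[1] = (uint8_t)len;
    buf[2] = (uint8_t)(proto >> 8);
    buf[3] = (uint8_t)(proto & 0xff);
    if (proto == PROTO_CHAP)
        buf[4] = alg;
    return len;
}

/* Decode one option from a Configure-Request; a length field that is too
 * short or runs past the available bytes is rejected rather than read. */
enum auth_kind lcp_parse_authproto(const uint8_t *opt, size_t avail)
{
    uint16_t proto;
    if (avail < 4 || opt[0] != TY_AUTHPROTO || opt[1] < 4 || opt[1] > avail)
        return AUTH_NONE;
    proto = (uint16_t)((opt[2] << 8) | opt[3]);
    if (proto == PROTO_PAP)
        return opt[1] == 4 ? AUTH_PAP : AUTH_UNKNOWN;
    if (proto != PROTO_CHAP || opt[1] != 5)
        return AUTH_UNKNOWN;
    switch (opt[4]) {
    case CHAP_ALG_MD5:     return AUTH_CHAP_MD5;
    case CHAP_ALG_MSOFT:   return AUTH_MSCHAP;
    case CHAP_ALG_MSOFTv2: return AUTH_MSCHAPV2;
    default:               return AUTH_UNKNOWN;
    }
}

/* The decision the patched chapNak encodes: Ack (return 1) when the peer
 * proposes the CHAP algorithm we want, otherwise Nak (return 0) with our
 * counter-proposal in nak.  want_msoft plays the role of MICROSOFT_CHAP. */
int lcp_authproto_ack_or_nak(const uint8_t *peer, size_t avail, int want_msoft,
                             uint8_t *nak, size_t nakcap, size_t *naklen)
{
    enum auth_kind k = lcp_parse_authproto(peer, avail);
    enum auth_kind wantk = want_msoft ? AUTH_MSCHAP : AUTH_CHAP_MD5;
    uint8_t wantalg = want_msoft ? CHAP_ALG_MSOFT : CHAP_ALG_MD5;
    if (k == wantk) {
        *naklen = 0;
        return 1;
    }
    *naklen = lcp_build_authproto(nak, nakcap, PROTO_CHAP, wantalg);
    return 0;
}

/* Encode a CHAP option with the given algorithm and decode it again. */
enum auth_kind roundtrip_chap(uint8_t alg)
{
    uint8_t b[8];
    size_t n = lcp_build_authproto(b, sizeof b, PROTO_CHAP, alg);
    return lcp_parse_authproto(b, n);
}

/* Algorithm byte of the Nak we would send for a peer proposing peer_alg,
 * or -1 if we would Ack the proposal. */
int nak_alg_for(int want_msoft, uint8_t peer_alg)
{
    uint8_t peer[8], nak[8];
    size_t plen, nlen = 0;
    plen = lcp_build_authproto(peer, sizeof peer, PROTO_CHAP, peer_alg);
    if (lcp_authproto_ack_or_nak(peer, plen, want_msoft, nak, sizeof nak, &nlen))
        return -1;
    return nak[4];
}

int main(void)
{
    /* Constructed sample: a peer asking for CHAP-MD5, as in the log above. */
    printf("default build naks CHAP-MD5 peer with alg 0x%02x\n", nak_alg_for(0, CHAP_ALG_MSOFT));
    printf("MICROSOFT_CHAP build naks CHAP-MD5 peer with alg 0x%02x\n", nak_alg_for(1, CHAP_ALG_MD5));
    printf("MICROSOFT_CHAP build acks MS-CHAP peer: %d\n", nak_alg_for(1, CHAP_ALG_MSOFT) == -1);
    return 0;
}
```

The parser's length checks are the part worth copying: a Configure-Request is attacker-controlled input on a PPTP listener, so the option length must be validated against the bytes actually received before the algorithm byte is touched.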