Date: 09 May 2002 12:55:30 -0700
From: Matthew Braithwaite <matt@braithwaite.net>
To: Archie Cobbs <archie@dellroad.org>
Cc: David Gilbert <dgilbert@velocet.ca>, freebsd-stable@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: mpd-netgraph problem.
Message-ID: <86u1ph5c5p.fsf@limekiller.braithwaite.net>
In-Reply-To: <200202022113.g12LDs771403@arch20m.dellroad.org>
References: <200202022113.g12LDs771403@arch20m.dellroad.org>

On Sat, 2 Feb 2002 13:13:53 -0800 (PST), Archie Cobbs <archie@dellroad.org> said:
>
> David Gilbert writes:
>
> > I'm using mpd-netgraph to attempt to connect an encrypted tunnel.
> > It appears to connect (according to the messages), but the
> > following is spit out for most packets I try to put down the
> > tunnel:
> >
> > [vpn] LCP: rec'd Protocol Reject #1 link 0 (Opened)
> > [vpn] LCP: protocol 0x0029 was rejected
> > [vpn] LCP: rec'd Protocol Reject #2 link 0 (Opened)
> > [vpn] LCP: protocol 0x00a1 was rejected
>
> This is usually because one side is sending encrypted traffic that
> the other is thinking is not encrypted... i.e., it's a side-effect
> of a negotiation problem.
>
> I've just heard from another person with this problem. Check your
> logs for something like ``"enable chap" required for MPPE'' on one
> side.
>
> As a workaround, if you are doing CHAP in both directions, try
> turning it off in one direction.

Archie,

Can you explain a little more about this? I have just the same
symptoms as this other guy, but I'm not having much luck with any of
the fixes.

Everything was working fine until recently, when the folks who run my
Windows-based VPN server decided to require that everybody use 128-bit
encryption. So I added the options:

	set ccp yes mppc
	set ccp yes mpp-e128

and although my connection comes up just fine, I'm now getting the
same protocol rejects described above.

I tried upgrading to mpd 3.8, as you suggested in another followup,
but that didn't help. I do *not* get any message like ``"enable chap"
required for MPPE''. The server authenticates me with CHAP, but I'm
not authenticating the server -- which sounds like the workaround you
suggest.

Any thoughts?

XXXvpn:
	new -i ng0 XXX vpn
	set log +pptp +pptp2 +pptp3 +lcp +auth
	set iface route default
	set iface disable on-demand
	set bundle authname XXX
	set bundle password "XXX"
	set ipcp ranges 0.0.0.0/0 0.0.0.0/0
	set ipcp yes vjcomp
	set link disable chap pap
	set link accept chap pap
	set link yes acfcomp protocomp
	set iface route 10.0.0.0/8
	set iface route 172.16.0.0/12
	set iface route 192.168.0.0/16
	set iface route XXX
	set iface route XXX
	set iface idle 0
	set bundle disable multilink
	set link enable no-orig-auth
	set link keep-alive 10 75
	set ipcp yes vjcomp
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e128
	open iface

vpn:
	set link type pptp
	set pptp self 1.2.3.4
	set pptp peer XXX
	set pptp enable originate outcall

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message