From owner-freebsd-stable Thu May 9 12:55:51 2002
From: Matthew Braithwaite
To: Archie Cobbs
Cc: David Gilbert, freebsd-stable@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: mpd-netgraph problem.
References: <200202022113.g12LDs771403@arch20m.dellroad.org>
Date: 09 May 2002 12:55:30 -0700
In-Reply-To: <200202022113.g12LDs771403@arch20m.dellroad.org>
Message-ID: <86u1ph5c5p.fsf@limekiller.braithwaite.net>

On Sat, 2 Feb 2002 13:13:53 -0800 (PST), Archie Cobbs said:
>
> David Gilbert writes:
> > I'm using mpd-netgraph to attempt to connect an encrypted tunnel.
> > It appears to connect (according to the messages), but the
> > following is spit out for most packets I try to put down the
> > tunnel:
> >
> > [vpn] LCP: rec'd Protocol Reject #1 link 0 (Opened)
> > [vpn] LCP: protocol 0x0029 was rejected
> > [vpn] LCP: rec'd Protocol Reject #2 link 0 (Opened)
> > [vpn] LCP: protocol 0x00a1 was rejected
>
> This is usually because one side is sending encrypted traffic that
> the other is thinking is not encrypted... i.e., it's a side-effect
> of a negotiation problem.
>
> I've just heard from another person with this problem. Check your
> logs for something like ``"enable chap" required for MPPE'' on one
> side.
>
> As a workaround, if you are doing CHAP in both directions, try
> turning it off in one direction.

Archie,

Can you explain a little more about this? I have just the same
symptoms as this other guy, but I'm not having much luck with any of
the fixes.

Everything was working fine until recently, when the folks who run my
Windows-based VPN server decided to require that everybody use 128-bit
encryption. So I added the options:

    set ccp yes mppc
    set ccp yes mpp-e128

and although my connection comes up just fine, I'm now getting the
same protocol rejects described above.

I tried upgrading to mpd 3.8, as you suggested in another followup,
but that didn't help. I do *not* get any message like ``"enable chap"
required for MPPE''. The server authenticates me with CHAP, but I'm
not authenticating the server -- which sounds like the workaround you
suggest.

Any thoughts?

XXXvpn:
    new -i ng0 XXX vpn
    set log +pptp +pptp2 +pptp3 +lcp +auth
    set iface route default
    set iface disable on-demand
    set bundle authname XXX
    set bundle password "XXX"
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    set ipcp yes vjcomp
    set link disable chap pap
    set link accept chap pap
    set link yes acfcomp protocomp
    set iface route 10.0.0.0/8
    set iface route 172.16.0.0/12
    set iface route 192.168.0.0/16
    set iface route XXX
    set iface route XXX
    set iface idle 0
    set bundle disable multilink
    set link enable no-orig-auth
    set link keep-alive 10 75
    set ipcp yes vjcomp
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e128
    open iface

vpn:
    set link type pptp
    set pptp self 1.2.3.4
    set pptp peer XXX
    set pptp enable originate outcall
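
Added example (not part of the original message and not mpd code): a small Python triage of log lines in the format quoted above. It counts Protocol-Rejects per bundle and looks for the ``"enable chap" required for MPPE'' hint mentioned in the quoted reply. Treating two or more distinct rejected data-protocol numbers as a sign of an encryption mismatch is an assumed heuristic, and the sample log is constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
[vpn] LCP: rec'd Protocol Reject #1 link 0 (Opened)
[vpn] LCP: protocol 0x0029 was rejected
[vpn] LCP: rec'd Protocol Reject #2 link 0 (Opened)
[vpn] LCP: protocol 0x00a1 was rejected
[vpn] LCP: rec'd Protocol Reject #3 link 0 (Opened)
[vpn] LCP: protocol 0x0029 was rejected
"""

REJECT = re.compile(r"\[([^\]]+)\] LCP: protocol 0x([0-9a-fA-F]{4}) was rejected")
CHAP_HINT = '"enable chap" required for MPPE'  # message text named in the thread


def triage(log_text):
    """Summarise rejected PPP protocol numbers per bundle."""
    rejected = defaultdict(Counter)
    chap_hint = False
    for line in log_text.splitlines():
        chap_hint = chap_hint or CHAP_HINT in line
        m = REJECT.search(line)
        if m:
            rejected[m.group(1)][int(m.group(2), 16)] += 1

    bundles = {}
    for bundle, protos in rejected.items():
        # RFC 1661: protocol numbers 0x0000-0x3fff carry network-layer data.
        data = sorted(p for p in protos if p < 0x4000)
        bundles[bundle] = {
            "rejects": sum(protos.values()),
            "data_protocols": ["0x%04x" % p for p in data],
            # Assumed heuristic: a peer reading ciphertext as cleartext sees
            # arbitrary protocol numbers, so several different ones get rejected.
            "suspect_mismatch": len(data) >= 2,
        }
    return {"chap_hint": chap_hint, "bundles": bundles}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("MPPE/CHAP hint seen:", result["chap_hint"])
    for name, info in result["bundles"].items():
        print(name, info)
```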