From owner-freebsd-stable Thu May 9 16:01:07 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from InterJet.dellroad.org (adsl-63-194-81-26.dsl.snfc21.pacbell.net [63.194.81.26]) by hub.freebsd.org (Postfix) with ESMTP id AB81C37B40F; Thu, 9 May 2002 16:00:42 -0700 (PDT)
Received: from arch20m.dellroad.org (arch20m.dellroad.org [10.1.1.20]) by InterJet.dellroad.org (8.9.1a/8.9.1) with ESMTP id PAA34574; Thu, 9 May 2002 15:51:11 -0700 (PDT)
Received: (from archie@localhost) by arch20m.dellroad.org (8.11.6/8.11.6) id g49Mp9C04122; Thu, 9 May 2002 15:51:09 -0700 (PDT) (envelope-from archie)
From: Archie Cobbs
Message-Id: <200205092251.g49Mp9C04122@arch20m.dellroad.org>
Subject: Re: mpd-netgraph problem.
In-Reply-To: <86k7qd553q.fsf@limekiller.braithwaite.net> "from Matthew Braithwaite at May 9, 2002 03:27:53 pm"
To: Matthew Braithwaite
Date: Thu, 9 May 2002 15:51:09 -0700 (PDT)
Cc: dgilbert@velocet.ca, freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL88 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[ note: removing -stable from the CC: list ]

Matthew Braithwaite writes:
> [vpn] LCP: rec'd Configure Request #250 link 0 (Ack-Rcvd)
>   MRU 1500
>   ACCMAP 0x000a0000
>   AUTHPROTO CHAP MSOFTv2
>   MAGICNUM 43a911e1
>   PROTOCOMP
>   ACFCOMP
> [vpn] LCP: SendConfigAck #250
>   MRU 1500
>   ACCMAP 0x000a0000
>   AUTHPROTO CHAP MSOFTv2
>   MAGICNUM 43a911e1
>   PROTOCOMP
>   ACFCOMP
> [vpn] LCP: state change Ack-Rcvd --> Opened
> [vpn] LCP: phase shift ESTABLISH --> AUTHENTICATE
> [vpn] LCP: auth: peer wants CHAP, I want nothing
> [vpn] LCP: LayerUp
> [vpn] CHAP: rec'd CHALLENGE #173
>   Name: "10.16.97.5"
>   Using authname "XXX"
> [vpn] CHAP: sending RESPONSE
> [vpn] LCP: rec'd Configure Request #172 link 0 (Opened)
>   MRU 1500
>   ACCMAP 0x000a0000
>   AUTHPROTO CHAP MSOFT
>   MAGICNUM 3ce7fe6d
>   PROTOCOMP
>   ACFCOMP
> [vpn] LCP: LayerDown

There is the problem... the machine you are talking to first asks you to
authenticate via CHAP MSOFTv2, and then immediately after that asks you to
authenticate via CHAP MSOFTv1. You don't even get a yes/no from the first
authentication response.

So that's screwy if you're doing MPPE encryption because which
authentication do you use to generate the MPPE keys?? Apparently we are
using the wrong one. In any case, we can't use the first one because we'd
need the yes/no response to generate MPPE keys from CHAP MSOFTv2
authentication.

And why is it authenticating you twice in the first place?

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
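As an added illustration (not code from this thread or from mpd), the following Python scanner walks a constructed excerpt of the log quoted above and flags exactly the condition Archie spots: a peer LCP Configure Request that changes AUTHPROTO after LCP is Opened while a CHAP response has not yet been answered. The two-space indent of option lines and the "rec'd SUCCESS"/"rec'd FAILURE" wording are assumptions about mpd's log format.

```python
import re

# Constructed excerpt of the mpd log quoted in the thread, with option
# lines other than AUTHPROTO trimmed; not a live capture.
SAMPLE_LOG = """\
[vpn] LCP: rec'd Configure Request #250 link 0 (Ack-Rcvd)
  AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigAck #250
  AUTHPROTO CHAP MSOFTv2
[vpn] LCP: state change Ack-Rcvd --> Opened
[vpn] CHAP: rec'd CHALLENGE #173
[vpn] CHAP: sending RESPONSE
[vpn] LCP: rec'd Configure Request #172 link 0 (Opened)
  AUTHPROTO CHAP MSOFT
[vpn] LCP: LayerDown
"""

REQ_RE = re.compile(r"LCP: rec'd Configure Request #(\d+) link \d+ \((\S+)\)")
AUTH_RE = re.compile(r"^\s+AUTHPROTO (.+?)\s*$")


def find_auth_renegotiation(log):
    """Report peer Configure Requests that change AUTHPROTO after LCP is
    Opened. Each finding is (request_id, agreed_proto, requested_proto,
    chap_response_unanswered)."""
    findings = []
    agreed = None        # AUTHPROTO we acked in SendConfigAck
    ctx = None           # ("req", id, lcp_state) or ("ack",) while reading options
    unanswered = False   # CHAP RESPONSE sent, no SUCCESS/FAILURE seen yet
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if m:
            ctx = ("req", m.group(1), m.group(2))
            continue
        if "LCP: SendConfigAck" in line:
            ctx = ("ack",)
            continue
        m = AUTH_RE.match(line)
        if m and ctx:
            proto = m.group(1)
            if ctx[0] == "ack":
                agreed = proto
            elif ctx[2] == "Opened" and agreed and proto != agreed:
                findings.append((ctx[1], agreed, proto, unanswered))
            continue
        if not line.startswith(" "):
            ctx = None   # option list of the previous packet has ended
        if "CHAP: sending RESPONSE" in line:
            unanswered = True
        elif "CHAP: rec'd SUCCESS" in line or "CHAP: rec'd FAILURE" in line:
            unanswered = False   # assumed mpd wording; not shown in the thread
    return findings
```

Run against SAMPLE_LOG it reports request #172 switching from CHAP MSOFTv2 to CHAP MSOFT with the CHAP response still unanswered, which is the state in which the MPPE key derivation has no authentication result to work from.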