From: Andy Hogben
To: freebsd-questions@freebsd.org
Date: Tue, 5 Dec 2000 15:33:03 -0800 (PST)
Subject: mpd (as pptp server) and encryption
Message-Id: <200012052333.PAA48532@mini.chicago.com>

I'm trying to get a generic pptp scenario working - Win NT client to FreeBSD server. The example configs are great and work pretty much out of the box. However, in going through the log output to make sure I'm really setting up a secure link, I'm not sure if the link is as secure as it can be. Most entries refer to 40 bit.

On the unix side I just have the pptp section from the sample in mpd.conf and the corresponding section in mpd.links. This includes the appropriate mpd.conf commands to enable mpp-e40 and mpp-e128. On the windows side I created a DUN entry using RASPPTPM. In the settings I changed the security to be 'Accept only Microsoft encrypted authentication' with only the 'Require data encryption' box checked.

Right now I'm doing this only on the internal LAN so there's no firewall or anything to worry about. In the output produced during logon I see a few things that make me believe things aren't right. Hopefully someone can comment. Because of the size, I'll cut-n-paste rather than giving the whole log. If needed, I can post/send the whole thing.

My questions are:

1) Do I need to include the following in mpd.conf or is it implied (or different than) mpp-eXXX?

    set bundle enable encryption

2)
    [pptp] LCP: state change Ack-Rcvd --> Opened
    [pptp] LCP: phase shift ESTABLISH --> AUTHENTICATE
    [pptp] LCP: auth: peer wants nothing, I want CHAP
    [pptp] CHAP: sending CHALLENGE
    [pptp] LCP: LayerUp
    [pptp] LCP: rec'd Ident #2 link 0 (Opened)
      MESG: MSRASV4.00
    [pptp] LCP: rec'd Ident #3 link 0 (Opened)
      MESG: MSRAS-1-ELAN
    [pptp] CHAP: rec'd RESPONSE #1
      Name: "andy"
      Peer name: "andy"
      Response is valid
    [pptp] CHAP: sending SUCCESS
    [pptp] LCP: authorization successful
    [pptp] LCP: phase shift AUTHENTICATE --> NETWORK

Why does it say 'peer wants nothing'? Shouldn't it always be wanting CHAP?

3)
    [pptp] CCP: SendConfigReq #4
      MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
    [pptp] CCP: rec'd Configure Request #4 link 0 (Req-Sent)
      MPPC 0x00000031: MPPC MPPE, 40 bit
      Bits 0x00000010 not supported
    [pptp] CCP: SendConfigNak #4
      MPPC 0x00000020: MPPE, 40 bit
    [pptp] IPCP: rec'd Configure Request #5 link 0 (Req-Sent)
      COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
    . . .
    [pptp] CCP: rec'd Configure Nak #1 link 0 (Req-Sent)
      MPPC 0x01000020: MPPE, 40 bit, stateless
    [pptp] CCP: SendConfigReq #2
      MPPC 0x01000020: MPPE, 40 bit, stateless
    [pptp] CCP: rec'd Configure Request #6 link 0 (Req-Sent)
      MPPC 0x00000020: MPPE, 40 bit
    [pptp] CCP: SendConfigAck #6
      MPPC 0x00000020: MPPE, 40 bit
    [pptp] CCP: state change Req-Sent --> Ack-Sent
    [pptp] IPCP: rec'd Configure Request #7 link 0 (Ack-Rcvd)
      COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
      IPADDR 0.0.0.0
        NAKing with 192.168.100.55
      PRIDNS 0.0.0.0
        NAKing with 192.168.100.1
    [pptp] IPCP: SendConfigNak #7
      IPADDR 192.168.100.55
      PRIDNS 192.168.100.1
    [pptp] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
      MPPC 0x01000020: MPPE, 40 bit, stateless
    [pptp] CCP: state change Ack-Sent --> Opened
    [pptp] CCP: LayerUp
      Compress using: MPPE, 40 bit
      Decompress using: MPPE, 40 bit, stateless
    [pptp] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd)

I was expecting to see everything referred to as MPPE, 128 bit, but I only see that in the 0x01000060 case; all the others are 40 bit. Is this correct? Is that as secure as Microsoft gets? :-)

4)
    [pptp] IFACE: Up event
    pptp0-0: ignoring SetLinkInfo
    [pptp] rec'd proto 0xee5d on MP link! (ignoring)
    [pptp] rec'd unexpected protocol 0x624d on link -1, rejecting
    [pptp] rec'd unexpected protocol 0x003b on link -1, rejecting

Is this normal behaviour for the case where I have to say 'OK' to the connection having been made?

Any help would be appreciated.

Andy
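An added example, not from Andy's post or from mpd itself, that reads CCP log excerpts like the ones above, decodes the MPPC option words and the "Compress using" line, and reports whether the link actually settled on 40-bit MPPE despite 128-bit having been offered. The bit layout is the one mpd's own decoding shows above (0x01 = MPPC, 0x20 = 40 bit, 0x40 = 128 bit, 0x01000000 = stateless, matching RFC 3078); the sample log is constructed from the post.

```python
import re

# CCP MPPC/MPPE option bits as they appear in the hex words mpd logs
# (RFC 3078 layout; labels match mpd's own decoding in the post above).
MPPC_BITS = {
    0x00000001: "MPPC compression",
    0x00000020: "MPPE 40-bit",
    0x00000040: "MPPE 128-bit",
    0x01000000: "stateless",
}
KNOWN_MASK = sum(MPPC_BITS)

def decode_mppc_option(word):
    """Split a CCP MPPC option word into known labels and leftover unknown bits."""
    labels = [name for bit, name in MPPC_BITS.items() if word & bit]
    return labels, word & ~KNOWN_MASK

OPTION_RE = re.compile(r"MPPC 0x([0-9A-Fa-f]{8})")
# Only the CCP LayerUp "Compress using" line states what the link really uses.
NEGOTIATED_RE = re.compile(r"Compress using: MPPE, (\d+) bit")

def audit_ccp_log(log_text, minimum_bits=128):
    """Report every option word seen and the key length the link ended up with."""
    offers = []        # (word, labels, unknown bits) in the order they appear
    negotiated = None  # key length from the LayerUp line, if the log has one
    for line in log_text.splitlines():
        m = OPTION_RE.search(line)
        if m:
            word = int(m.group(1), 16)
            labels, unknown = decode_mppc_option(word)
            offers.append((word, labels, unknown))
        m = NEGOTIATED_RE.search(line)
        if m:
            negotiated = int(m.group(1))
    strongest = 128 if any(w & 0x40 for w, _, _ in offers) else \
                40 if any(w & 0x20 for w, _, _ in offers) else None
    return {
        "offers": offers,
        "strongest_offered": strongest,
        "negotiated_bits": negotiated,
        # Weak if nothing was negotiated or the key is shorter than required.
        "weak": negotiated is None or negotiated < minimum_bits,
    }

# Constructed sample, taken from the excerpt in the post.
SAMPLE_LOG = """[pptp] CCP: SendConfigReq #4
  MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[pptp] CCP: rec'd Configure Request #4 link 0 (Req-Sent)
  MPPC 0x00000031: MPPC MPPE, 40 bit
  Bits 0x00000010 not supported
[pptp] CCP: SendConfigNak #4
  MPPC 0x00000020: MPPE, 40 bit
[pptp] CCP: LayerUp
  Compress using: MPPE, 40 bit
  Decompress using: MPPE, 40 bit, stateless
"""
```

Running audit_ccp_log(SAMPLE_LOG) on this excerpt reports 128 bit as the strongest offer but 40 bit as the negotiated key, which is exactly the mismatch the post asks about.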