jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Sat May 19, 2007 4:50 am Post subject: MSVPN Help [Solved]
I'm going insane at this point. I haven't been able to get pptpclient to connect to my vpn at work for months. No matter how I switch the options around, the farthest I can get is this:
Code: |
debug: [pppd] MPPE required, but MS-CHAP[v2] auth not performed.
debug: [pppd] sent [LCP TermReq id=0x2 "MPPE required but not available"]
|
mppe is properly built into my kernel and everything should be configured correctly on that end. I can provide more information obviously on request.
Last edited by jschweg on Sat May 26, 2007 3:32 pm; edited 1 time in total

jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Sun May 20, 2007 4:38 pm
Bump.

Napalm Llama Guru
Joined: 04 Jun 2005 Posts: 533 Location: Cardiff, UK
Posted: Sun May 20, 2007 5:24 pm
Could you post the contents of your /etc/ppp/options.pptp file? That should be where most of the configuration is. (I set up PPTP a few months ago, so some of the finer details have escaped my mind)
_________________
Ryzen 5600x; Asus TUF Gaming B550-Plus; Geforce 1660 Super
Registered Linux User #381314
# killall humans

jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Mon May 21, 2007 12:43 am
Sure.
Code: |
lock
noauth
nobsdcomp
nodeflate
|
Napalm Llama Guru
Joined: 04 Jun 2005 Posts: 533 Location: Cardiff, UK
Posted: Mon May 21, 2007 7:39 am
Try adding this to it:
Code: | mppe required,stateless |
Don't guarantee it'll work without additional tweaks, but at least it's a step in the right direction.

jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Tue May 22, 2007 2:42 am
No Dice. Sadly the same error:
Code: |
MPPE required, but MS-CHAP[v2] auth not performed.
sent [LCP TermReq id=0x2 "MPPE required but not available"]
rcvd [LCP TermReq id=0x5 "peer refused to authenticate"]
|
mrness Retired Dev
Joined: 17 Feb 2004 Posts: 375 Location: bucharest.ro
Posted: Tue May 22, 2007 5:08 am
As the error says, you are not using the right authentication, probably because the authentication info is not found in /etc/ppp/chap-secrets.
Post all the relevant information (entire LCP log, pppd command line, ...) if you want more help.

jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Tue May 22, 2007 10:45 pm
Here is the complete log with command:
Code: |
pppd call Test logfd 2 nodetach debug dump
pppd options in effect:
debug # (from command line)
nodetach # (from command line)
logfd 2 # (from command line)
dump # (from command line)
noauth # (from /etc/ppp/options.pptp)
name <domain\\user> # (from /etc/ppp/peers/Test)
remotename PPTP # (from /etc/ppp/peers/Test)
# (from /etc/ppp/options.pptp)
pty pptp <vpn gateway> --nolaunchpppd # (from /etc/ppp/peers/Test)
ipparam Test # (from /etc/ppp/peers/Test)
nobsdcomp # (from /etc/ppp/options.pptp)
nodeflate # (from /etc/ppp/options.pptp)
mppe xxx # [don't know how to print value] # (from /etc/ppp/options.pptp)
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x62799119> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1717238> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x62799119> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <auth chap MS> <magic 0x1717238> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x2 <auth chap MS>]
rcvd [LCP ConfReq id=0x3 <asyncmap 0x0> <auth chap MD5> <magic 0x1717238> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x3 <auth chap MD5>]
rcvd [LCP ConfReq id=0x4 <asyncmap 0x0> <magic 0x1717238> <pcomp> <accomp>]
sent [LCP ConfAck id=0x4 <asyncmap 0x0> <magic 0x1717238> <pcomp> <accomp>]
MPPE required, but MS-CHAP[v2] auth not performed.
sent [LCP TermReq id=0x2 "MPPE required but not available"]
rcvd [LCP TermReq id=0x5 "peer refused to authenticate"]
sent [LCP TermAck id=0x5]
rcvd [LCP TermAck id=0x2]
Connection terminated.
Script pptp <vpn gateway> --nolaunchpppd finished (pid 16335), status = 0x0
|
mrness Retired Dev
Joined: 17 Feb 2004 Posts: 375 Location: bucharest.ro
Posted: Wed May 23, 2007 5:27 am
Do you have such a line in your /etc/ppp/chap-secrets?
Code: | <domain\\user> PPTP "password" |
jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Wed May 23, 2007 1:55 pm
Indeed I do
domain\\me peer password *

mrness Retired Dev
Joined: 17 Feb 2004 Posts: 375 Location: bucharest.ro
Posted: Wed May 23, 2007 2:22 pm
peer != PPTP |
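The mismatch mrness points out, as an added example (not code from the thread or from pppd): a simplified Python model of how pppd selects a chap-secrets entry for the `name` and `remotename` set in the peers file, where `*` matches any name and the entry with the fewest wildcards wins. The account, host and password are constructed placeholders, and the word splitting only approximates pppd's own.

```python
import shlex

def words(line):
    # Simplified pppd word splitting (an approximation): whitespace-separated
    # words, double quotes group, backslash escapes the next character.
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes, lex.commenters = '"', "#"
    return list(lex)

def pppd_names(peer_text):
    """Return (name, remotename) as set in a peers/options file."""
    opts = {}
    for line in peer_text.splitlines():
        w = words(line)
        if len(w) >= 2 and w[0] in ("name", "remotename"):
            opts[w[0]] = w[1]
    return opts.get("name"), opts.get("remotename")

def find_secret(secrets_text, client, server):
    """Best chap-secrets match for (client, server), or None if there is none."""
    best = None
    for line in secrets_text.splitlines():
        w = words(line)
        if len(w) < 3 or w[0] not in (client, "*") or w[1] not in (server, "*"):
            continue
        rank = (w[0] == "*") + (w[1] == "*")  # fewer wildcards is better
        if best is None or rank < best[0]:
            best = (rank, w[2])
    return best[1] if best else None

def diagnose(peer_text, secrets_text):
    """(True, []) if a secret is found, else (False, server names on file for this client)."""
    client, server = pppd_names(peer_text)
    if find_secret(secrets_text, client, server) is not None:
        return True, []
    rows = [words(line) for line in secrets_text.splitlines()]
    return False, [w[1] for w in rows if len(w) >= 3 and w[0] == client]

# Constructed sample data (placeholder account, host and password).
PEER = r'''
pty "pptp vpn.example.com --nolaunchpppd"
name EXAMPLE\\alice
remotename PPTP
'''
BROKEN = r'EXAMPLE\\alice peer "not-a-real-password" *'
FIXED = r'EXAMPLE\\alice PPTP "not-a-real-password" *'

if __name__ == "__main__":
    print(diagnose(PEER, BROKEN), diagnose(PEER, FIXED))
```

With no matching entry pppd has nothing to authenticate with, which is the state the log above reports as "No auth is possible" before it rejects every CHAP variant the server offers.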
jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Wed May 23, 2007 3:18 pm
That did the trick, I knew it was just something that I was doing wrong. Always is. I'm so happy now. I just need to add my route and I'm ready to rock.
Just a quick clean-up question. According to the wiki, if I did NOT use the mppe kernel patch, which I didn't since I'm on a 2.6 kernel with the support built in, I should NOT be building ppp with the mppe-mppc use flag correct?

mrness Retired Dev
Joined: 17 Feb 2004 Posts: 375 Location: bucharest.ro
Posted: Wed May 23, 2007 3:32 pm
yes, that is correct.

jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Wed May 23, 2007 11:09 pm
Ok, I'm getting there.
VPN now connects successfully and ppp0 is getting an IP from the vpn server. I added my route to the remote network via ppp0, but nothing. I can't ping anything on the remote network.

mrness Retired Dev
Joined: 17 Feb 2004 Posts: 375 Location: bucharest.ro
Posted: Thu May 24, 2007 4:47 am
Some firewall (yours or the peer's) is probably to blame.

Napalm Llama Guru
Joined: 04 Jun 2005 Posts: 533 Location: Cardiff, UK
Posted: Thu May 24, 2007 11:04 am
Can you ping the PPP peer itself? (its IP is next to yours in ifconfig ppp0 )
I can ping that, but nothing else - apparently my University's network blocks ICMP traffic.
Also check your routes once everything is up and running - check that the default route is still there, and going through the PPP tunnel, and also check that the route to the VPN server is still through your hardware NIC. pppd plays with the routes, it seems, so I have various scripts that get run at different stages of the login process to revert the damage it causes.

mrness Retired Dev
Joined: 17 Feb 2004 Posts: 375 Location: bucharest.ro
Posted: Thu May 24, 2007 11:36 am
pppd plays only with a host route to the PPP peer and optionally with default route through ppp interface (controlled by "defaultroute" option).
Other routes you might want should be set through /etc/ppp/{ip-up,ip-down} scripts.

Napalm Llama Guru
Joined: 04 Jun 2005 Posts: 533 Location: Cardiff, UK
Posted: Thu May 24, 2007 11:45 am
But it behaves annoyingly - it won't set a default route if one already exists (ie. it won't replace it). So you need to destroy the default route through your NIC, then if your VPN servers are referred to by domain name rather than IP, as mine are, add a route to your DNS servers, use that to lookup the IPs of the VPN servers, destroy the DNS route (because those servers work funnily unless you talk to them through the tunnel), set routes to the VPN servers, start pppd...
And then do the whole thing in reverse when you stop the tunnel. My point was that routing isn't simple with PPTP.
By the way, jschweg - if you want to borrow my collection of scripts then I'll be more than happy to share.

mrness Retired Dev
Joined: 17 Feb 2004 Posts: 375 Location: bucharest.ro
Posted: Thu May 24, 2007 11:52 am
You can't have 2 default routes with the same metric, but you can have 2 default routes with _different_ metrics.
You should set your primary default route with a metric > 1 (say 5), then pppd will be able to create the default route you want.

Napalm Llama Guru
Joined: 04 Jun 2005 Posts: 533 Location: Cardiff, UK
Posted: Thu May 24, 2007 12:15 pm
Now that is worth knowing. I should jump in and help with threads more often - never know what I might learn!

jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Thu May 24, 2007 1:36 pm
I only semi-understood what you guys were saying. Below is my routing table AFTER connecting to the VPN and adding the route to the remote internal network:
Code: |
/etc/ppp/peers>route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
<vpnhost> * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
<remotenet> * 255.255.255.0 U 0 0 0 ppp0
loopback * 255.0.0.0 U 0 0 0 lo
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
|
Sorry about the formatting, it's the best I could make it look.
<vpnhost> Hostname of VPN router
192.268.1.0 Internal network
<remotenet> remote vpn network
default internal gateway

Napalm Llama Guru
Joined: 04 Jun 2005 Posts: 533 Location: Cardiff, UK
Posted: Thu May 24, 2007 2:08 pm
Paste directly from the console into the code tags - don't try and correct fixed-width spacing in the variable-width font of phpBB's reply box.
Code: |
/etc/ppp/peers>route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
<vpnhost>       *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
<remotenet>     *               255.255.255.0   U     0      0        0 ppp0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
|
Looks to me like you don't have a route going through your VPN server (just one going to it) - what exactly are you trying to do? Are you trying to connect to the internet via the VPN, or just access some remote network resources? In the former case, you want your default route to have the gateway given by the following command:
ifconfig ppp0 | grep P-t-P | sed 's/.*P-t-P:\([0-9.]*\).*/\1/'
(run that while the tunnel's up)
...and you won't need that <remotenet> entry. In the latter case, you just want <remotenet> to have that gateway, and your default route can stay the same - probably either your ISP or your router, depending on your setup.
Last edited by Napalm Llama on Thu May 24, 2007 2:24 pm; edited 1 time in total

mrness Retired Dev
Joined: 17 Feb 2004 Posts: 375 Location: bucharest.ro
Posted: Thu May 24, 2007 2:24 pm
Napalm Llama wrote: | In the latter case, you want <remotenet> to have that gateway. |
PPP routes are not required to have a gateway (point-to-point links have only 2 ends; whatever you send is received by peer and whatever the peer sends is received by you).
In fact, the unmodified ppp-2.4.4 creates the default route without gateway, but I patched net-dialup/ppp to restore the behaviour of ppp-2.4.3, which used the peer address as gateway. I did that because openswan refused to work over ppp interfaces when the default route was gateless.
I can't see anything wrong in jschweg's routing table. What you should check is that the local IP address (the one that has been configured on the ppp0 interface) is within remotenet (packages sent by your host have the source IP address the other end expects).
A tcpdump at the other end might prove useful.
Last edited by mrness on Thu May 24, 2007 2:32 pm; edited 1 time in total |
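The routing checks suggested in the posts above (Napalm Llama: the route to the VPN server should still leave through the hardware NIC; mrness: the ppp0 local address should lie within remotenet), as an added Python example that is not from the thread. It evaluates a `route -n` style table by longest prefix and then lowest metric; the table and all addresses are constructed, with the host route on ppp0 pointing at the VPN server as a deliberately failing case.

```python
import ipaddress

def parse_routes(text):
    """Parse `route -n` rows into (network, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the banner and the column header
        routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), int(f[4]), f[7]))
    return routes

def egress(routes, dest):
    """Interface chosen for dest: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[1]))[2]

def tunnel_checks(routes, vpn_server, local_ip, remote_host, tun="ppp0"):
    """The checks suggested in the thread, as booleans."""
    local = ipaddress.ip_address(local_ip)
    return {
        # traffic for the remote network enters the tunnel
        "remote_via_tunnel": egress(routes, remote_host) == tun,
        # the encapsulated PPTP traffic itself still leaves via the NIC
        "server_via_nic": egress(routes, vpn_server) not in (tun, None),
        # our tunnel address is inside a network routed through the tunnel
        "local_in_remotenet": any(local in net for net, _, dev in routes
                                  if dev == tun and net.prefixlen < 32),
    }

# Constructed sample (documentation and private addresses, not from the thread).
SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.20.30.0      0.0.0.0         255.255.255.0   U     0      0        0 ppp0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
"""

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print(tunnel_checks(table, "203.0.113.10", "10.20.30.200", "10.20.30.7"))
```

The metric tie-break in `egress` is the same rule mrness describes for two default routes: with the NIC default at metric 5 and the ppp0 default at metric 0, the tunnel route is selected.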
jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Thu May 24, 2007 2:28 pm
I don't want the internet to go through the VPN, I just need access to the machines on that network. I added the <remotenet> entry myself with this:
route add -net x.x.x.0 netmask 255.255.255.0 dev ppp0
I added that with the intention of telling it to route anything destined for that remote network through ppp0. Am I doing that wrong?

jschweg Tux's lil' helper
Joined: 21 Feb 2004 Posts: 85
Posted: Thu May 24, 2007 2:34 pm
Of course the other detail is that even though it connects, it only seems to STAY connected for about a minute, then ppp0 drops. I looked that up on pptpclient's support site and it says that the remote server isn't adhering to some RFC. boo. It could be that the routes are fine, but the link is just spoo.
I never thought that this was going to be a problem considering the vpn router at work has a linux backend and is actually running the same old ppp.