Hi,
I have just started with Archlinux and am trying to set up a VPN tunnel using pptp.
I have been following the guide at:
https://wiki.archlinux.org/index.php/Mi … pptpclient
-------------------------------------------------------------------------------------
I want to connect to a service from www.ipredator.se
Info from them for connecting from Windows XP is:
Enter company name "Ipredator". Click Next.
Enter "vpn.ipredator.se" as "Host name or IP address".
I have been given a <USERNAME> and <PASSWORD> from them.
-------------------------------------------------------------------------------------
I got the VPN tunnel up and running in Ubuntu with the settings.
Only enabled MSCHAPv2
use MPPE 128 bit
and allow data compression, BSD, Deflate and TCP header.
-------------------------------------------------------------------------------------
My configuration files:
options.pptp
##################################################
# $Id: options.pptp,v 1.3 2006/03/26 23:11:05 quozl Exp $
#
# Sample PPTP PPP options file /etc/ppp/options.pptp
# Options used by PPP when a connection is made by a PPTP client.
# This file can be referred to by an /etc/ppp/peers file for the tunnel.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
# and the kernel MPPE module available from the CVS repository also on
# http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
###################################################
# Lock the port
lock
# Authentication
# We don't need the tunnel server to authenticate itself
noauth
# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
# Compression
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use. Note that MPPE
# requires the use of MSCHAP-V2 during authentication)
# http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
# ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
# {{{
# Require MPPE 128-bit encryption
# require-mppe-128
# }}}
# http://polbox.com/h/hs001/ fork from PPP project by Jan Dubiec
# ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
# {{{
# Require MPPE 128-bit encryption
# mppe required,stateless
# }}}
chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
<USERNAME> pptpd <PASSWORD> *
I named my tunnel "ipredator"
/etc/ppp/peers/ipredator
pty "pptp vpn.ipredator.se --nolaunchpppd"
name <USERNAME>
remotename Ipredator
require-mppe-128
file /etc/ppp/options.pptp
ipparam ipredator
When I try to connect I get following:
[root@archlinux ppp]# pon $TUNNEL ipredator dump logfd 2 nodetach
pppd options in effect:
nodetach # (from command line)
logfd 2 # (from command line)
dump # (from command line)
noauth # (from /etc/ppp/options.pptp)
refuse-pap # (from /etc/ppp/options.pptp)
refuse-chap # (from /etc/ppp/options.pptp)
refuse-mschap # (from /etc/ppp/options.pptp)
refuse-eap # (from /etc/ppp/options.pptp)
name <USERNAME> # (from /etc/ppp/peers/ipredator)
remotename Ipredator # (from /etc/ppp/peers/ipredator)
# (from /etc/ppp/options.pptp)
pty pptp vpn.ipredator.se --nolaunchpppd # (from /etc/ppp/peers/ipredator)
crtscts # (from /etc/ppp/options)
# (from /etc/ppp/options)
asyncmap 0 # (from /etc/ppp/options)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/options)
ipparam ipredator # (from /etc/ppp/peers/ipredator)
proxyarp # (from /etc/ppp/options)
nobsdcomp # (from /etc/ppp/options.pptp)
nodeflate # (from /etc/ppp/options.pptp)
require-mppe-128 # (from /etc/ppp/peers/ipredator)
noipx # (from /etc/ppp/options)
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
MPPE required, but MS-CHAP[v2] auth not performed.
Connection terminated.
[root@archlinux ppp]#
I have not managed to understand why MS-CHAP[v2] auth is not performed.
Any ideas on what I have missed during my configuration would be most appreciated!
use code tags instead of quote since they provide scrollers and keep the thread from becoming a mile long -- Inxsible
Thank you!
Regards,
/Christer
Last edited by agkbill (2011-06-14 15:23:15)
Offline
please use BBCode code tags when presenting code or output instead of adding too much whitespace. https://bbs.archlinux.org/help.php#bbcode
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Offline
Thank you for the link to the BBCode code tags, not used to them.
/Christer
Offline
Sounds like the VPN I connect to at work... here's my config (options.pptp is untouched)
/etc/ppp/peers/foovpn
pty "pptp 1.2.3.4 --nolaunchpppd --loglevel 0"
lock
noauth
nobsdcomp
nodeflate
name user@domain.com
refuse-eap
refuse-pap
require-mppe
usepeerdns
remotename foovpn
ipparam foovpn
/etc/ppp/chap-secrets
user@domain.com foovpn "password" *
And of course make sure you're actually using the ppp_mppe module.
Offline
agkbill, edited your posts to use code tags instead of quote tags since they provide scrollers and keep the thread from becoming a mile long
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Offline
Ok, I understand.
Thank you.
/Christer
Offline
I just found this post: http://www.fedoraforum.org/forum/showth … p?t=229337
Applied it with my data.
# Secrets for authentication using CHAP
# client server secret IP addresses
<USERNAME> iPred "<PASSWORD>" vpn.ipredator.se
pty "pptp vpn.ipredator.se --nolaunchpppd --loglevel 0"
lock
noauth
nobsdcomp
nodeflate
name <USERNAME>
remotename ipred
ipparam iPred
require-mppe-128
refuse-eap
file /etc/ppp/options.pptp
But no luck. Same problem.
[root@archlinux ppp]# pon $TUNNEL iPred debug logfd 2 nodetach
using channel 18
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x56225fe7> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x9d43ef0a> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x56225fe7> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x9d43ef0a> <pcomp> <accomp>]
sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x9d43ef0a> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x56225fe7]
MPPE required, but MS-CHAP[v2] auth not performed.
sent [LCP TermReq id=0x2 "MPPE required but not available"]
rcvd [LCP EchoReq id=0x0 magic=0x9d43ef0a]
rcvd [LCP TermReq id=0x3 "peer refused to authenticate"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x2]
Connection terminated.
Script pptp vpn.ipredator.se --nolaunchpppd --loglevel 0 finished (pid 1673), status = 0x0
[root@archlinux ppp]#
Offline
Offline
Thank you falconindy,
I will do some testing tomorrow.
/Christer
Offline
To use "require-mppe" did not make any difference.
I have tried to figure out from working KVpnc settings how it should be, but no luck.
From KVpnc I could see:
- VPN gateway: vpn.ipredator.se
- Fix path mtu discovery problem: enabled
- Use NAT: enabled
- Require MPPE: enabled
- Refuse 40 bit encryption: enabled
- Do not use BSD compression: enabled
- Do not use deflate method: enabled
- Authorization method: MSCHAP
Offline
I tried on another archlinux installation, one that I am running in "virtualbox".
With identical settings, and in "options.pptp" I have # marked refuse-mschap, because in KVpnc I could see that the authorization method was MSCHAP.
With these settings I do not get "MPPE required, but MS-CHAP[v2] auth not performed.".
But a timeout, for some reason.
Offline
Try and remove the "refuse-xxx" line(s), while keeping the "require-mppe-128" line.
In your last posted conf (post #7) you include the options.pptp file with the line "file /etc/ppp/options.pptp"; this seems a bit unnecessary since you already have the necessary settings in the peers file. If you still want to include options.pptp while following my advice (remove the refuse-xxx lines), you'll have to do it in both the peers file and the options.pptp file.
Offline
Thank you Bebo,
I changed my peers file into:
pty "pptp vpn.ipredator.se --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name <USERNAME>
remotename Ipredator
require-mppe-128
#file /etc/ppp/options.pptp
ipparam iPred
But not working I am afraid.
[root@archlinux ppp]# pon ipredator debug logfd 2 nodetach
using channel 9
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2f33d954> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x40e03e9b> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x2f33d954> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x40e03e9b> <pcomp> <accomp>]
sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x40e03e9b> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x2f33d954]
MPPE required, but MS-CHAP[v2] auth not performed.
sent [LCP TermReq id=0x2 "MPPE required but not available"]
rcvd [LCP EchoReq id=0x0 magic=0x40e03e9b]
rcvd [LCP TermReq id=0x3 "peer refused to authenticate"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x2]
Connection terminated.
Script pptp vpn.ipredator.se --nolaunchpppd finished (pid 1614), status = 0x0
[root@archlinux ppp]#
I was looking at a working log, described at http://pptpclient.sourceforge.net/howto … .phtml#log
It has the lines:
# pon tunnel
Using interface ppp1
Connect: ppp1 <--> /dev/pts/1
Looking for secret in /etc/ppp/chap-secrets for client domain\username server PPTP
Got client domain\username
Got server PPTP
Got secret PPTP
Got client password
I cannot see the "Looking for secret in /etc/ppp/chap-secrets for client domain\username server PPTP
Got client domain\username"
Does that mean that the line is never read in my case? If so, any idea on what is wrong?
All input welcome.
Offline
The problem was that <PASSWORD> was never found.
What is written after "remotename" in peers file in the guide "PPTP" is used to find the password in chap-secrets.
But in the guide chap-secrets looks like "<USERNAME> pptpd <PASSWORD> *".
Consequently <PASSWORD> will never be found. It should have been "<USERNAME> PPTP <PASSWORD> *" then it would have worked OK.
The solution was to understand how password was found.
require-mppe-128 works fine as well.
Now it looks like this.
# Secrets for authentication using CHAP
# client server secret IP addresses
<USERNAME> PPTP <PASSWORD> *
pty "pptp vpn.ipredator.se --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name <USERNAME>
remotename PPTP
require-mppe-128
#file /etc/ppp/options.pptp
ipparam ipredator
Output:
[root@archlinux ppp]# pon ipredator debug logfd 2 nodetach
using channel 14
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x7540313b]
rcvd [LCP EchoReq id=0x0 magic=0xc615076a]
sent [LCP EchoRep id=0x0 magic=0x7540313b]
rcvd [CHAP Challenge id=0x46 <be769cd654150cc3dc0fd20bc73c03>, name = "pptpd"]
sent [CHAP Response id=0x46 <6ce74a85ab09e4ae223bc85f679395f0000000000000000dbb8dc66e8950ab46831b62f5815e015b1e72de1e01a4d00>, name = "<USERNAME>"]
rcvd [LCP EchoRep id=0x0 magic=0xc616076a]
rcvd [CHAP Success id=0x46 "S=2694D1D727F2B8C8E402125EA401750011F24F20"]
CHAP authentication succeeded
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
rcvd [IPCP ConfNak id=0x1 <addr 93.182.150.56>]
sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
Cannot determine ethernet address for proxy ARP
local IP address
remote IP address x.x.x.x
Script /etc/ppp/ip-up started (pid 1778)
Script /etc/ppp/ip-up finished (pid 1778), status = 0x0
All the best!
/Christer
Offline
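An added example (not part of the thread and not pppd's own code): a small checker for the mismatch resolved above, where the `remotename` in the peers file has to match the server column of chap-secrets before pppd can answer the MS-CHAPv2 request. It covers the three name pairings tried in this thread; `alice` and `s3cret` are constructed stand-ins for `<USERNAME>` and `<PASSWORD>`, and the function names are hypothetical.

```python
import shlex

def peer_identity(peers_text):
    """Return (name, remotename) from a pppd peers file; None if unset."""
    opts = {}
    for line in peers_text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) >= 2 and words[0] in ("name", "remotename"):
            opts[words[0]] = words[1]
    return opts.get("name"), opts.get("remotename")

def find_secret_line(secrets_text, name, remotename):
    """1-based line number of the first usable chap-secrets entry, or None."""
    for lineno, line in enumerate(secrets_text.splitlines(), 1):
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:          # blank line, comment, or incomplete entry
            continue
        client, server = fields[0], fields[1]
        client_ok = client in ("*", name)
        # Assumption of this sketch: with no remotename set, the server
        # column is not constrained. Comparison is case-sensitive.
        server_ok = remotename is None or server in ("*", remotename)
        if client_ok and server_ok:
            return lineno
    return None

def check(peers_text, secrets_text):
    """Look up the secret the way the peers file's name/remotename select it."""
    name, remotename = peer_identity(peers_text)
    return find_secret_line(secrets_text, name, remotename)

# Constructed sample data: "alice" / "s3cret" stand in for <USERNAME> / <PASSWORD>.
PEERS = 'pty "pptp vpn.ipredator.se --nolaunchpppd"\nname alice\nremotename {}\nrequire-mppe-128\n'
SECRETS = "# client server secret IP addresses\nalice {} s3cret *\n"

if __name__ == "__main__":
    # (remotename in peers file, server column in chap-secrets) as tried in the thread
    cases = [("Ipredator", "pptpd"), ("ipred", "iPred"), ("PPTP", "PPTP")]
    for remotename, server in cases:
        hit = check(PEERS.format(remotename), SECRETS.format(server))
        print(f"remotename={remotename!r} server column={server!r}:",
              f"entry on line {hit}" if hit else "no secret found")
```

Only the last pairing finds an entry; the first two are the cases that ended in "No auth is possible" in the logs above.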
@agkbill / Christer
Although this post is quite old, it really helped me, especially the PPTP portion. Cheers
Offline
Closing old thread
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline