MPD problems connecting to a Cisco 3000 concentrator
Joe Marcus Clarke
marcus at marcuscom.com
Sat Nov 8 15:39:03 PST 2003

I'm trying to establish an encrypted PPTP connection to a Cisco VPN
concentrator using mpd-3.14. It works fine when I disable all
encryption, but with even 40-bit stateless, I get errors like:

[vpn] LCP: rec'd Protocol Reject #2 link 0 (Opened)
[vpn] LCP: protocol 0x32f7 was rejected
[vpn] LCP: rec'd Protocol Reject #10 link 0 (Opened)
[vpn] LCP: protocol 0xa785 was rejected
[vpn] LCP: rec'd Protocol Reject #11 link 0 (Opened)
[vpn] LCP: protocol 0x5a41 was rejected
[vpn] LCP: rec'd Protocol Reject #12 link 0 (Opened)
[vpn] LCP: protocol 0x5ceb was rejected

Note, each reject is a simple ping packet, but the protocol number is
different every time. I've tried Archie's patch to ng_ppp.c from
November 2002, but it did not help. Here is the relevant config:

ciscovpn:
        new -i ng0 ciscovpn vpn
        set bundle authname "marcus"
        set ipcp ranges 1.1.1.1/8 172.18.124.132/24
        set link keep-alive 0 0
        set ipcp yes vjcomp
        set link mtu 1460
        set link no pap
        set link disable pap chap
        set link yes acfcomp protocomp
        set bundle disable multilink
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e128
        set bundle enable crypt-reqd
        set ccp yes mpp-stateless
        open

I've also tried setting vjcomp to no as well as acfcomp protocomp. The
only config that successfully passes data is one without MPPE. Note,
this config does work when connecting to another mpd server. Here is a
little more of the connection startup:

[vpn] LCP: rec'd Configure Request #1 link 0 (Ack-Rcvd)
AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigAck #1
AUTHPROTO CHAP MSOFTv2
[vpn] LCP: state change Ack-Rcvd --> Opened
[vpn] LCP: phase shift ESTABLISH --> AUTHENTICATE
[vpn] LCP: auth: peer wants CHAP, I want nothing
[vpn] LCP: LayerUp
[vpn] CHAP: rec'd CHALLENGE #1
Name: ""
Using authname "marcus"
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: rec'd CHALLENGE #2
Name: ""
Using authname "marcus"
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: rec'd SUCCESS #2
MESG: S=87F6D876968EC6AEF15CD4CF1777518CE9A4F108
[vpn] LCP: authorization successful
[vpn] LCP: phase shift AUTHENTICATE --> NETWORK
[ciscovpn] setting interface ng0 MTU to 1460 bytes
[ciscovpn] up: 1 link, total bandwidth 64000 bps
[ciscovpn] IPCP: Up event
[ciscovpn] IPCP: state change Starting --> Req-Sent
[ciscovpn] IPCP: SendConfigReq #1
IPADDR 1.1.1.1
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] CCP: Open event
[ciscovpn] CCP: state change Initial --> Starting
[ciscovpn] CCP: LayerStart
[ciscovpn] CCP: Up event
[ciscovpn] CCP: state change Starting --> Req-Sent
[ciscovpn] CCP: SendConfigReq #1
[vpn] CCP: Checking wether 40 bits are enabled -> yes
[vpn] CCP: Checking wether 56 bits are enabled -> no
[vpn] CCP: Checking wether 128 bits are enabled -> yes
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[ciscovpn] IPCP: rec'd Configure Request #0 link 0 (Req-Sent)
IPADDR 172.18.124.132
172.18.124.132 is OK
[ciscovpn] IPCP: SendConfigAck #0
IPADDR 172.18.124.132
[ciscovpn] IPCP: state change Req-Sent --> Ack-Sent
[ciscovpn] CCP: rec'd Configure Request #0 link 0 (Req-Sent)
MPPC
0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] CCP: Checking wether 40 bits are acceptable -> yes
[vpn] CCP: Checking wether 128 bits are acceptable -> yes
[ciscovpn] CCP: SendConfigNak #0
MPPC
0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: rec'd Configure Nak #1 link 0 (Req-Sent)
MPPC
0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: SendConfigReq #2
[vpn] CCP: Checking wether 40 bits are enabled -> no
[vpn] CCP: Checking wether 56 bits are enabled -> no
[vpn] CCP: Checking wether 128 bits are enabled -> yes
MPPC
0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: rec'd Configure Request #1 link 0 (Req-Sent)
MPPC
0x01000040: MPPE, 128 bit, stateless
[vpn] CCP: Checking wether 128 bits are acceptable -> yes
[ciscovpn] CCP: SendConfigAck #1
MPPC
0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: state change Req-Sent --> Ack-Sent
[ciscovpn] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
MPPC
0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: state change Ack-Sent --> Opened
[ciscovpn] CCP: LayerUp
Compress using: MPPE, 128 bit, stateless
Decompress using: MPPE, 128 bit, stateless
[ciscovpn] setting interface ng0 MTU to 1456 bytes
[ciscovpn] IPCP: SendConfigReq #2
IPADDR 1.1.1.1
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: rec'd Configure Request #1 link 0 (Ack-Sent)
IPADDR 172.18.124.132
172.18.124.132 is OK
[ciscovpn] IPCP: SendConfigAck #1
IPADDR 172.18.124.132
[ciscovpn] IPCP: SendConfigReq #3
IPADDR 1.1.1.1
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: SendConfigReq #4
IPADDR 1.1.1.1
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: rec'd Configure Request #2 link 0 (Ack-Sent)
IPADDR 172.18.124.132
172.18.124.132 is OK
[ciscovpn] IPCP: SendConfigAck #2
IPADDR 172.18.124.132
[ciscovpn] IPCP: SendConfigReq #5
IPADDR 1.1.1.1
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: rec'd Configure Request #3 link 0 (Ack-Sent)
IPADDR 172.18.124.132
172.18.124.132 is OK
[ciscovpn] IPCP: SendConfigAck #3
IPADDR 172.18.124.132
[ciscovpn] IPCP: SendConfigReq #6
IPADDR 1.1.1.1
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: rec'd Configure Reject #6 link 0 (Ack-Sent)
COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: SendConfigReq #7
IPADDR 1.1.1.1
[ciscovpn] IPCP: rec'd Configure Ack #7 link 0 (Ack-Sent)
IPADDR 1.1.1.1
[ciscovpn] IPCP: state change Ack-Sent --> Opened
[ciscovpn] IPCP: LayerUp
1.1.1.1 -> 172.18.124.132
[ciscovpn] IFACE: Up event
[ciscovpn] setting interface ng0 MTU to 1456 bytes
[ciscovpn] exec: /sbin/ifconfig ng0 1.1.1.1 172.18.124.132 netmask 0xffffffff -link0
[ciscovpn] exec: /sbin/route add 1.1.1.1 -iface lo0
[ciscovpn] IFACE: Up event
Thanks for any advice you may have.
Joe
--
PGP Key : http://www.marcuscom.com/pgp.asc
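
Added example, not part of the original post and not mpd code: a small decoder for the MPPE option words that appear in the CCP negotiation log above (0x01000060, 0x01000040), which also checks what each side finally acknowledged. The bit values are the "Supported Bits" flags from RFC 3078; the function names are hypothetical and the sample is abridged from the log in the post.

```python
import re

# MPPE "Supported Bits" flags of the CCP option (RFC 3078, section 2.1).
FLAGS = {0x01000000: "stateless", 0x80: "56 bit", 0x40: "128 bit",
         0x20: "40 bit", 0x01: "MPPC compression"}
KEY_BITS = 0x80 | 0x40 | 0x20
HDR = re.compile(r"\] CCP: (SendConfig\w+|rec'd Configure \w+) #\d+")
OPT = re.compile(r"^\s*(0x[0-9a-fA-F]{8}):")

# Abridged from the mpd log quoted in the post above.
SAMPLE = """\
[ciscovpn] CCP: SendConfigReq #1
[vpn] CCP: Checking wether 40 bits are enabled -> yes
 0x01000060: MPPE, 40 bit, 128 bit, stateless
[ciscovpn] CCP: SendConfigAck #1
 0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
 0x01000040: MPPE, 128 bit, stateless
""".splitlines()

def decode(word):
    """Names of the flags set in a supported-bits word."""
    return [name for bit, name in FLAGS.items() if word & bit]

def ccp_exchange(lines):
    """Pair each CCP message header with the MPPE word logged under it."""
    out, current = [], None
    for line in lines:
        m = HDR.search(line)
        if m:
            current = m.group(1)
        elif line.startswith("[") and "] CCP:" not in line:
            current = None          # another protocol's message intervened
        elif current and (m := OPT.match(line)):
            out.append((current, int(m.group(1), 16)))
            current = None
    return out

def audit(lines):
    """Findings for the words that ended up in a Configure-Ack."""
    findings = []
    for msg, word in ccp_exchange(lines):
        keys = word & KEY_BITS
        if not msg.endswith("Ack"):
            continue
        if keys == 0:
            findings.append(f"{msg}: no MPPE key length agreed")
        elif keys & (keys - 1):
            findings.append(f"{msg}: several key lengths in one Ack")
        elif keys != 0x40:
            findings.append(f"{msg}: weak key, {decode(keys)[0]}")
    return findings
```

For the log in the post, audit() returns no findings: both directions were acknowledged with the 128 bit, stateless word.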