MPD problems connecting to a Cisco 3000 concentrator

Joe Marcus Clarke marcus at marcuscom.com
Sat Nov 8 15:39:03 PST 2003


I'm trying to establish an encrypted PPTP connection to a Cisco VPN
concentrator using mpd-3.14.  It works fine when I disable all
encryption, but with even 40-bit stateless, I get errors like:

[vpn] LCP: rec'd Protocol Reject #2 link 0 (Opened)
[vpn] LCP: protocol 0x32f7 was rejected
[vpn] LCP: rec'd Protocol Reject #10 link 0 (Opened)
[vpn] LCP: protocol 0xa785 was rejected
[vpn] LCP: rec'd Protocol Reject #11 link 0 (Opened)
[vpn] LCP: protocol 0x5a41 was rejected
[vpn] LCP: rec'd Protocol Reject #12 link 0 (Opened)
[vpn] LCP: protocol 0x5ceb was rejected

Note, each reject is a simple ping packet, but the protocol number is
different every time.  I've tried Archie's patch to ng_ppp.c from
November 2002, but it did not help.  Here is the relevant config:

ciscovpn:
 new -i ng0 ciscovpn vpn
 set bundle authname "marcus"
 set ipcp ranges 1.1.1.1/8 172.18.124.132/24
 set link keep-alive 0 0
 set ipcp yes vjcomp
 set link mtu 1460
 set link no pap
 set link disable pap chap
 set link yes acfcomp protocomp
 set bundle disable multilink
 set bundle enable compression
 set ccp yes mppc
 set ccp yes mpp-e40
 set ccp yes mpp-e128
 set bundle enable crypt-reqd
 set ccp yes mpp-stateless
 open

I've also tried setting vjcomp to no as well as acfcomp protocomp.  The
only config that successfully passes data is one without MPPE.  Note,
this config does work when connecting to another mpd server.  Here is a
little more of the connection startup:

[vpn] LCP: rec'd Configure Request #1 link 0 (Ack-Rcvd)
 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: SendConfigAck #1
 AUTHPROTO CHAP MSOFTv2
[vpn] LCP: state change Ack-Rcvd --> Opened
[vpn] LCP: phase shift ESTABLISH --> AUTHENTICATE
[vpn] LCP: auth: peer wants CHAP, I want nothing
[vpn] LCP: LayerUp
[vpn] CHAP: rec'd CHALLENGE #1
 Name: ""
 Using authname "marcus"
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: rec'd CHALLENGE #2
 Name: ""
 Using authname "marcus"
[vpn] CHAP: sending RESPONSE
[vpn] CHAP: rec'd SUCCESS #2
 MESG: S=87F6D876968EC6AEF15CD4CF1777518CE9A4F108
[vpn] LCP: authorization successful
[vpn] LCP: phase shift AUTHENTICATE --> NETWORK
[ciscovpn] setting interface ng0 MTU to 1460 bytes
[ciscovpn] up: 1 link, total bandwidth 64000 bps
[ciscovpn] IPCP: Up event
[ciscovpn] IPCP: state change Starting --> Req-Sent
[ciscovpn] IPCP: SendConfigReq #1
 IPADDR 1.1.1.1
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] CCP: Open event
[ciscovpn] CCP: state change Initial --> Starting
[ciscovpn] CCP: LayerStart
[ciscovpn] CCP: Up event
[ciscovpn] CCP: state change Starting --> Req-Sent
[ciscovpn] CCP: SendConfigReq #1
[vpn] CCP: Checking wether 40 bits are enabled -> yes
[vpn] CCP: Checking wether 56 bits are enabled -> no
[vpn] CCP: Checking wether 128 bits are enabled -> yes
 MPPC
   0x01000060: MPPE, 40 bit, 128 bit, stateless
[ciscovpn] IPCP: rec'd Configure Request #0 link 0 (Req-Sent)
 IPADDR 172.18.124.132
   172.18.124.132 is OK
[ciscovpn] IPCP: SendConfigAck #0
 IPADDR 172.18.124.132
[ciscovpn] IPCP: state change Req-Sent --> Ack-Sent
[ciscovpn] CCP: rec'd Configure Request #0 link 0 (Req-Sent)
 MPPC
   0x01000060: MPPE, 40 bit, 128 bit, stateless
[vpn] CCP: Checking wether 40 bits are acceptable -> yes
[vpn] CCP: Checking wether 128 bits are acceptable -> yes
[ciscovpn] CCP: SendConfigNak #0
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: rec'd Configure Nak #1 link 0 (Req-Sent)
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: SendConfigReq #2
[vpn] CCP: Checking wether 40 bits are enabled -> no
[vpn] CCP: Checking wether 56 bits are enabled -> no
[vpn] CCP: Checking wether 128 bits are enabled -> yes
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: rec'd Configure Request #1 link 0 (Req-Sent)
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[vpn] CCP: Checking wether 128 bits are acceptable -> yes
[ciscovpn] CCP: SendConfigAck #1
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: state change Req-Sent --> Ack-Sent
[ciscovpn] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: state change Ack-Sent --> Opened
[ciscovpn] CCP: LayerUp
  Compress using: MPPE, 128 bit, stateless
Decompress using: MPPE, 128 bit, stateless
[ciscovpn] setting interface ng0 MTU to 1456 bytes
[ciscovpn] IPCP: SendConfigReq #2
 IPADDR 1.1.1.1
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: rec'd Configure Request #1 link 0 (Ack-Sent)
 IPADDR 172.18.124.132
   172.18.124.132 is OK
[ciscovpn] IPCP: SendConfigAck #1
 IPADDR 172.18.124.132
[ciscovpn] IPCP: SendConfigReq #3
 IPADDR 1.1.1.1
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: SendConfigReq #4
 IPADDR 1.1.1.1
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: rec'd Configure Request #2 link 0 (Ack-Sent)
 IPADDR 172.18.124.132
   172.18.124.132 is OK
[ciscovpn] IPCP: SendConfigAck #2
 IPADDR 172.18.124.132
[ciscovpn] IPCP: SendConfigReq #5
 IPADDR 1.1.1.1
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: rec'd Configure Request #3 link 0 (Ack-Sent)
 IPADDR 172.18.124.132
   172.18.124.132 is OK
[ciscovpn] IPCP: SendConfigAck #3
 IPADDR 172.18.124.132
[ciscovpn] IPCP: SendConfigReq #6
 IPADDR 1.1.1.1
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: rec'd Configure Reject #6 link 0 (Ack-Sent)
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[ciscovpn] IPCP: SendConfigReq #7
 IPADDR 1.1.1.1
[ciscovpn] IPCP: rec'd Configure Ack #7 link 0 (Ack-Sent)
 IPADDR 1.1.1.1
[ciscovpn] IPCP: state change Ack-Sent --> Opened
[ciscovpn] IPCP: LayerUp
  1.1.1.1 -> 172.18.124.132
[ciscovpn] IFACE: Up event
[ciscovpn] setting interface ng0 MTU to 1456 bytes
[ciscovpn] exec: /sbin/ifconfig ng0 1.1.1.1 172.18.124.132 netmask 0xffffffff -link0
[ciscovpn] exec: /sbin/route add 1.1.1.1 -iface lo0
[ciscovpn] IFACE: Up event

Thanks for any advice you may have.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc
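
The CCP lines in the log above carry the MPPE option as a 32-bit value (0x01000060, 0x01000040). The following is an added example, not part of the original message and not mpd code: it decodes those values using the RFC 3078 bit assignments, reproduces the Nak seen in the log by picking the strongest common key length, and lists any acked value that would permit keys shorter than 128 bits. The function names and the 128-bit threshold are assumptions; LOG is an excerpt of the log in the message.

```python
import re

# MPPE "Supported Bits" flags as assigned in RFC 3078 (not taken from mpd source).
FLAGS = {0x20: "40 bit", 0x80: "56 bit", 0x40: "128 bit",
         0x01000000: "stateless", 0x01: "MPPC"}
KEY_MASKS = [(0x40, 128), (0x80, 56), (0x20, 40)]  # strongest first
EVENT = re.compile(r"\] CCP: (rec'd Configure \w+|SendConfig\w+) #")
OPTION = re.compile(r"^\s+0x([0-9a-fA-F]{8}): MPPE")

# Excerpt of the CCP exchange from the message above.
LOG = """\
[ciscovpn] CCP: rec'd Configure Request #0 link 0 (Req-Sent)
 MPPC
   0x01000060: MPPE, 40 bit, 128 bit, stateless
[ciscovpn] CCP: SendConfigNak #0
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: SendConfigAck #1
 MPPC
   0x01000040: MPPE, 128 bit, stateless
[ciscovpn] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
 MPPC
   0x01000040: MPPE, 128 bit, stateless
"""

def decode(bits):
    return [name for mask, name in FLAGS.items() if bits & mask]

def nak_choice(offered, allowed):
    """Option value to Nak with: strongest common key length, other flags kept."""
    for mask, _ in KEY_MASKS:
        if offered & allowed & mask:
            return (offered & ~0xE0) | mask  # implicit None if nothing in common

def ccp_events(log):
    """Pair each MPPE option line with the CCP event header above it."""
    events, current = [], None
    for line in log.splitlines():
        event, option = EVENT.search(line), OPTION.match(line)
        if event:
            current = event.group(1)
        elif option and current:
            events.append((current, int(option.group(1), 16)))
    return events

def weak_acks(log, min_bits=128):
    """Acked option values that allow a key shorter than min_bits (or none)."""
    shortest = lambda b: min((n for m, n in KEY_MASKS if b & m), default=0)
    return [(ev, b) for ev, b in ccp_events(log)
            if ev.endswith("Ack") and shortest(b) < min_bits]
```

For the excerpt, `weak_acks(LOG)` is empty: both acked values are 128 bit, stateless, so the negotiation itself did not settle on 40-bit keys.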
More information about the freebsd-questions mailing list