mpd VPN won't work after upgrade from 4.6-STABLE to 4.8-STABLE
Archie Cobbs
archie at dellroad.org
Thu Jun 26 18:30:11 PDT 2003
Doug Lee wrote:
> > If you're getting protocol reject errors -- while trying to use
> > Microsoft MPPE encryption? Then probably one side is generating
> > the keys incorrectly. What is the other side? Also, let's see
> > the log trace.
>
> Here is a trace consisting of link-up, responses to a set of five
> pings, and link-terminate, all from the originating side, which is the
>
> ...
>
> One specific question, other than "Why won't this work?" :-) : What's
> this line doing in here at the end of the successful CHAP negotiation:
>
> 17:35:00 MESG: S=181EBCAE417331F125BCDDB3991C14EF7B39750D

This is Microsoft overloading the CHAP message string with
their reverse authentication hash. It's normal with MS-CHAP.

> The following mpd log entries were generated by a set of five pings
> I attempted to send up the link:
>
> 17:35:15 [vpn] LCP: rec'd Protocol Reject #22 link 0 (Opened)
> 17:35:15 [vpn] LCP: protocol 0x0023 was rejected
> 17:35:16 [vpn] LCP: rec'd Protocol Reject #23 link 0 (Opened)
> 17:35:16 [vpn] LCP: protocol 0x00e7 was rejected
> 17:35:17 [vpn] LCP: rec'd Protocol Reject #24 link 0 (Opened)
> 17:35:17 [vpn] LCP: protocol 0x0087 was rejected
> 17:35:18 [vpn] LCP: rec'd Protocol Reject #25 link 0 (Opened)
> 17:35:18 [vpn] LCP: protocol 0x006d was rejected
> 17:35:19 [vpn] LCP: rec'd Protocol Reject #26 link 0 (Opened)
> 17:35:19 [vpn] LCP: protocol 0x16a1 was rejected

Again, what's on the other side of the link? Is it necessary
to enable MS-CHAP in both directions? The other side is screwing
up MPPE key generation. Note that with MS-CHAPv2, the server is
authenticated as well anyway, so you really only need to authenticate
in one direction.

-Archie
__________________________________________________________________________
Archie Cobbs * Halloo Communications * http://www.halloo.com
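
The diagnosis in the reply above, turned into a log check (an added example, not part of the original message and not mpd code): it confirms that the `S=` string has the 40-hex-digit shape RFC 2759 gives the MS-CHAPv2 authenticator response, and flags a run of Protocol Rejects for different, never-negotiated protocol numbers. The `EXPECTED` set, the `min_distinct` threshold and the function name `analyze` are assumptions made for this example.

```python
import re

# Constructed sample input: the mpd log lines quoted in the message above.
SAMPLE_LOG = """\
17:35:00 MESG: S=181EBCAE417331F125BCDDB3991C14EF7B39750D
17:35:15 [vpn] LCP: rec'd Protocol Reject #22 link 0 (Opened)
17:35:15 [vpn] LCP: protocol 0x0023 was rejected
17:35:16 [vpn] LCP: rec'd Protocol Reject #23 link 0 (Opened)
17:35:16 [vpn] LCP: protocol 0x00e7 was rejected
17:35:17 [vpn] LCP: rec'd Protocol Reject #24 link 0 (Opened)
17:35:17 [vpn] LCP: protocol 0x0087 was rejected
17:35:18 [vpn] LCP: rec'd Protocol Reject #25 link 0 (Opened)
17:35:18 [vpn] LCP: protocol 0x006d was rejected
17:35:19 [vpn] LCP: rec'd Protocol Reject #26 link 0 (Opened)
17:35:19 [vpn] LCP: protocol 0x16a1 was rejected
"""

# Assumption: the only PPP protocols this link should carry are LCP, CHAP,
# IPv4/IPCP and CCP with its compressed (MPPE) datagrams.
EXPECTED = {0xC021, 0xC223, 0x0021, 0x8021, 0x80FD, 0x00FD}

REJECT_RE = re.compile(r"\[(\w+)\] LCP: protocol 0x([0-9a-fA-F]{4}) was rejected")
AUTH_RE = re.compile(r"MESG: S=(\S+)")

def analyze(log, min_distinct=3):
    """Summarise MS-CHAPv2 and Protocol-Reject evidence in an mpd log."""
    rejected, auth_ok = [], None
    for line in log.splitlines():
        if m := AUTH_RE.search(line):
            # RFC 2759: the authenticator response is 20 octets sent as
            # 40 hexadecimal digits after "S=".
            auth_ok = re.fullmatch(r"[0-9A-Fa-f]{40}", m.group(1)) is not None
        elif m := REJECT_RE.search(line):
            rejected.append(int(m.group(2), 16))
    unexpected = sorted({p for p in rejected if p not in EXPECTED})
    return {
        "auth_response_well_formed": auth_ok,
        "rejected": rejected,
        "unexpected": unexpected,
        # Heuristic: several rejects for different, never-negotiated protocol
        # numbers suggest the peer is decrypting frames into garbage.
        "key_mismatch_suspected": len(unexpected) >= min_distinct,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
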