Discussion:
[Poptop-server] MPPE connection problems.
Gary Smith
2004-07-03 18:08:05 UTC
Hello,

We just put a new pptp server in place and are having a multitude of
problems. The server we replaced had RH 9 2.4.20-20.9. The new server
is RH 9 2.4.20-31.9. We have several of these servers currently in
production (running the 2.4.20-20.9 kernel) at different locations.
Each server is running poptop and pptpclient. We use these to connect
all of the remote offices and set up a large WAN.

This server that we just replaced was used by a bunch of users running
Windows XP. We used the default settings for XP and it has always
worked fine. I know some time ago when we set it up we had a problem
but it's been a long time since then.

When the client workstations try to connect they receive an error "The
local computer does not support the required data encryption type". If
I uncheck "Require data encryption (disconnect if none)" then it all
works fine. This isn't necessarily a problem but the first thing we
noticed. The server log file contained "LCP terminated by peer
(^Y^XeM-*^@<M-Mt^@^@^BM-e)". When one of the remote servers tries to
establish the WAN bridge (which is running pptpclient) we get the error
"LCP terminated by peer (MPPE required but not available)" in the server
log. "modprobe ppp-compress-18" gives us no errors. Everything appears
to be working fine other than that.

Here are the modules that we have loaded:

-rw-r--r-- 1 root root 54872 Jun 30 09:59 dkms-1.12-1.noarch.rpm
-rw-r--r-- 1 root root 24876 Jun 30 08:20 kernel-mppe-2.4.20-31.9.i686.rpm <- from pptpclient.sourceforge.com
-rw-r--r-- 1 root root 59176 Jun 30 09:58 kernel_ppp_mppe-0.0.4-1dkms.noarch.rpm
-rw-r--r-- 1 root root 194948 Jun 30 08:20 ppp-2.4.2_cvs_20030610-1.i386.rpm <- from pptpclient.sourceforge.com
-rw-r--r-- 1 root root 78595 Jun 30 08:20 pptpd-1.1.4-b4.i386.rpm
-rw-r--r-- 1 root root 54532 Jun 30 08:20 pptp-linux-1.5.0-1.i386.rpm <- not sure where this is from

Our configuration:

lock
debug
name *
proxyarp
bsdcomp 0
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
#added while reading some NG article
#require-mppe-128
#nomppe-40

Have we lost support for the default type of encryption on the XP box?
Is there something that I have missed?
Cedric Gavage
2004-07-04 09:16:03 UTC
Hi,

I have exactly the same problem but with other configurations:
Debian sid and woody.
kernel-2.6.7+linux-2.6.7-mppe-mppc-1.0.patch
pppd-2.4.2+ppp-2.4.2-mppe-mppc-1.0.patch
pptpd-1.2.1

Patches from http://www.polbox.com/h/hs001/
--
|- Cedric Gavage <***@unixtech.be>
|-- http://unixtech.be - http://gavage.com - OpenPGP: 0xED325C64
|--- "We are Penguin. Resistance is futile. You will be assimilated."
Gary Smith
2004-07-04 14:16:06 UTC
I've put the old server back online. I have taken an in-depth look into
the old one and haven't found anything different in the configuration
files.

I did notice a difference in the poptop versions.

-rw-r--r-- 1 root root 207968 Aug 30 2003 pptp-linux-1.3.1-1.i386.rpm

I wonder if I should try using the older versions of the software?

BTW, same clients connect to this with no problem and no LCP messages at
all in the messages log file.

Gary Wayne Smith
Brian Bruns
2004-07-04 14:39:03 UTC
Post by Gary Smith
I did notice a difference in the poptop versions.
-rw-r--r-- 1 root root 207968 Aug 30 2003 pptp-linux-1.3.1-1.i386.rpm
I wonder if I should try using the older versions of the software?
BTW, same clients connect to this with no problem and no LCP
messages at all in the messages log file.

pptp-linux is the client daemon/application, not the server.

Things I usually check when two servers using the same configuration
fail:

1. Firewall rules (even the slightest difference in firewalling rules
changes a lot). Make sure that GRE traffic is allowed, make sure that
1723 TCP is allowed. I make sure that connection tracking is turned
on whenever I use firewalling rules (even if I don't use NAT).
Connection tracking makes certain applications and protocols that
would break with normal firewalling rules work.

2. Make sure the same lines for pppd/pptp/mppe exist in the new
server's modules.conf and that you do a depmod -a to rebuild
dependencies.

3. Do an lsmod to make sure that the ppp_* modules are loaded (on
mine, it's ppp_generic, ppp_async, ppp_mppe_mppc).
--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The Abusive Hosts Blocking List
http://www.ahbl.org
Gary Smith
2004-07-05 02:06:08 UTC
Same firewall config and pptpd.options configurations (tarballed and copied after the install). We did a modprobe and modinfo and everything checked out fine. I'm thinking it might have something to do with the kernel_mppe patch on 2.4.20-31.9. I'm going to try to rebuild one of the boxes from scratch and see if I can get it to work again (maybe next weekend). The final configuration will be two boxes running poptop, pptpclient, iptables and linux-ha (our current config).

The current config works great. We might just go back to the 2.4.20-20.9 kernel version. The whole purpose of this is for a hardware upgrade (as the current production hardware was the proof of concept promoted to production).

Anyways if there are any other ideas out there I would appreciate any feedback.

One of the other questions is what order should I install these in? Should poptop go before pptpclient or vice versa? Also, there are two kernel mods. Each one has their own. Could they be stepping on each other?

Gary
Gary Smith
2004-07-07 04:17:18 UTC
Rebuilt the server today and still cannot connect without changing the data
encryption requirements on workstations. I'm currently connected via
VPN to the existing server to get my email and the setting is set for
"Require data encryption".

My question for the crowd is what is the proper way to set up this server
to ensure that we don't have to reconfigure all of the clients and their
remote logins? What software should I install to make this happen?

Luckily we have lots of good backups of the existing configuration.

Gary Wayne Smith
James Cameron
2004-07-07 04:56:02 UTC
G'day Gary,

I'm afraid I haven't had much time to analyse your problem, but I'll
give you a few suggestions; apologies if you've already tried them.

The "LCP terminated by peer" message is ambiguous; there are multiple
known causes. If you enable debug logging and adjust syslog.conf
appropriately [1], you can see the LCP exchange that causes it. That may
give you more information that you can work with.

You find you need to uncheck "require data encryption" ... this
shows that the pppd on your server is either not configured to allow
MPPE, or is unable to use MPPE support provided by the kernel.

You find that the outgoing pptp-client call fails with "MPPE required
but not available" ... this usually corresponds to pppd finding that the
kernel has no support. Perhaps enabling debug logging in pppd for the
pptp-client connection may confirm that.

Use the pppd dump option to verify that the respective instances of pppd
are being run with the options that you have set.

Since it is pppd that is reporting the issues, try upgrading to a later
version. We've got ppp-2.4.3_cvs_2004* versions on the download list in
the poptop project [2].

Yes, a "modprobe ppp-compress-18" is the method we usually recommend to
test that MPPE support is loading. But we also know that this can
succeed and yet MPPE won't be detected by pppd. This has mostly
happened when ppp-mppe-2.4.1 code is mixed with ppp-2.4.2 code, but from
your download list that shouldn't be the cause this time.

The pppd options refuse-pap refuse-chap refuse-mschap are not correct to
use for the pppd running underneath the pptpd, but they won't hurt, and
they won't cause the problems you've seen. These options cause pppd to
refuse to use a particular authentication type when the peer is asking
the local pppd to authenticate itself to the peer; something which is
not normally done for pptpd.

References:
1. http://marc.theaimsgroup.com/?l=poptop-server&m=108689254220592&w=2
2. http://sourceforge.net/project/showfiles.php?group_id=44827&package_id=118989
--
James Cameron http://quozl.netrek.org/
HP Open Source, Volunteer http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/
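
The checks suggested in this thread (Brian's lsmod check, the active MPPE lines in the pppd options file, and James's reading of the two "LCP terminated by peer" reasons), as an added shell example that is not part of any post. The function names and the sample lsmod output, timestamps, host name and PIDs are constructed; the option lines and log reasons are quoted from Gary's first message.

```shell
#!/bin/sh
# Added example, not from any post in the thread. Function names are
# hypothetical; sample lsmod output and log prefixes are constructed.

# Succeeds if `lsmod` output on stdin lists a ppp_mppe* module
# (ppp_mppe_mppc on Brian's server; the name depends on the patch used).
has_mppe_module() {
    awk 'NR > 1 && $1 ~ /^ppp_mppe/ { found = 1 } END { exit !found }'
}

# Prints the active (uncommented) MPPE options from a pppd options file.
active_mppe_options() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' | grep mppe
}

# Prints one verdict per "LCP terminated by peer (...)" log line on stdin.
classify_lcp_reasons() {
    sed -n 's/.*LCP terminated by peer (\(.*\))$/\1/p' |
    while IFS= read -r reason; do
        case $reason in
            "MPPE required but not available")
                echo "usual cause: pppd found no kernel MPPE support" ;;
            *)  echo "ambiguous: enable pppd debug logging" ;;
        esac
    done
}

SAMPLE_LSMOD='Module                  Size  Used by
ppp_async               9472  0
ppp_generic            24060  0  [ppp_async]
slhc                    6564  0  [ppp_generic]'

SAMPLE_OPTIONS='refuse-mschap
require-mschap-v2
require-mppe
#require-mppe-128
#nomppe-40'

SAMPLE_LOG='Jul  3 13:01:10 vpn pppd[2101]: LCP terminated by peer (^Y^XeM-*^@<M-Mt^@^@^BM-e)
Jul  3 13:05:42 vpn pppd[2188]: LCP terminated by peer (MPPE required but not available)'

if printf '%s\n' "$SAMPLE_LSMOD" | has_mppe_module; then
    echo "MPPE module loaded"
else
    echo "no ppp_mppe* module in lsmod output"
fi
printf '%s\n' "$SAMPLE_OPTIONS" | active_mppe_options
printf '%s\n' "$SAMPLE_LOG" | classify_lcp_reasons
```

On a live server, pipe the real `lsmod` output, the pppd options file and the messages log into the same functions in place of the samples.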