Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#11570 closed defect (fixed)

Trunk - no pptp client MSCHAPV2 auth support

Reported by: anonymous Owned by: developers
Priority: response-needed Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:

Description

When creating a pptp interface via luci with the correct pptp server address, username and password, the pptp interface does not come up.

The problem appears to be related to openwrt not being able to authenticate via mschapv2.

/etc/ppp/options.pptp

debug
logfile /var/log/pptp-server.log
lock
noauth
nobsdcomp
nodeflate
idle 0
mppe required,no40,no56
maxfail 0

log:

using channel 462
Using interface pptp-test
Connect: pptp-test <--> /dev/pts/2
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xd0e6e3b9> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x287179e4>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x287179e4>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xd0e6e3b9> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x287179e4>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0xd0e6e3b9>]
sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0xd0e6e3b9>]
sent [LCP EchoReq id=0x0 magic=0x287179e4]
MPPE required, but MS-CHAP[v2] auth not performed.
sent [LCP TermReq id=0x2 "MPPE required but not available"]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x287179e4>]
rcvd [LCP EchoReq id=0x0 magic=0xd0e6e3b9]
rcvd [LCP TermReq id=0x3 "peer refused to authenticate"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x2]
Connection terminated.

pptp Server is debian sarge and demands mschapv2

Change History (10)

comment:1 Changed 6 years ago by jow

  • Priority changed from normal to response-needed

Did you install kmod-mppe?

comment:2 Changed 6 years ago by anonymous

Yes, built into kernel ( not as a module ). It appears on lsmod.

comment:3 Changed 6 years ago by anonymous

now that I'm back home, here is the lsmod output:

Module                  Size  Used by    Tainted: G
fuse                   51376  0
xt_LED                  1408  0
usb_storage            33104  0
ath79_wdt               2240  1
ohci_hcd               16240  0
ledtrig_usbdev          2064  0
ledtrig_netdev          3184  0
xt_TPROXY               2144  0
xt_socket               1632  0
nf_tproxy_core           656  1 xt_TPROXY,[permanent]
iptable_rawpost          480  0
xt_hashlimit            4592  0
nf_conntrack_netlink    11056  0
xt_set                  3056  0
ip_set_list_set         4848  0
ip_set_hash_netport    22400  0
ip_set_hash_netiface    23264  0
ip_set_hash_net        20528  0
ip_set_hash_ipportnet    23760  0
ip_set_hash_ipportip    18896  0
ip_set_hash_ipport     17872  0
ip_set_hash_ip         16528  0
ip_set_bitmap_port      4160  0
ip_set_bitmap_ipmac     4928  0
ip_set_bitmap_ip        4912  0
ip_set                 17776 12 xt_set,ip_set_list_set,ip_set_hash_netport,ip_set_hash_netiface,ip_set_hash_net,ip_set_hash_ipportnet,ip_set_hash_ipportip,ip_set_hash_ipport,ip_set_hash_ip,ip_set_bitmap_port,ip_set_bitmap_ipmac,ip_set_bitmap_ip
ebt_nflog                544  0
ebt_log                 1920  0
ebt_snat                 736  0
ebt_dnat                 704  0
ebt_arpreply             960  0
ebt_ip                  1152  0
ebt_arp                 1488  0
ebt_redirect             768  0
ebt_mark                 592  0
ebt_vlan                 832  0
ebt_stp                 1744  0
ebt_pkttype              448  0
ebt_mark_m               512  0
ebt_limit                816  0
ebt_among               2000  0
ebt_802_3                608  0
ebtable_nat              832  0
ebtable_filter           832  0
ebtable_broute           672  0
ebtables               14224  3 ebtable_nat,ebtable_filter,ebtable_broute
arptable_filter          496  0
arpt_mangle              800  0
arp_tables              7920  1 arptable_filter
nfnetlink_queue         5696  0
nfnetlink_log           5472  0
nfnetlink               1664  4 nf_conntrack_netlink,ip_set,nfnetlink_queue,nfnetlink_log
xt_CHAOS                1696  0
xt_TARPIT               2624  1
xt_SYSRQ                2624  0
xt_STEAL                 608  0
xt_RAWNAT               1520  0
xt_quota2               2032  0
xt_psd                 42688  0
nf_nat_rtsp             2864  0
nf_conntrack_rtsp       3744  1 nf_nat_rtsp
xt_LUA                116832  0
xt_lscan                1888  0
xt_LOGMARK              1584  0
xt_length2              1600  0
xt_ipv4options           560  0
xt_ipp2p                6896  0
xt_IPMARK                752  0
xt_iface                 816  0
xt_geoip                2608  0
xt_fuzzy                 944  0
xt_DNETMAP              5424  0
xt_DHCPMAC              1264  0
xt_DELUDE               1552  1
xt_condition            1568  0
ipt_ULOG                3728  0
xt_u32                   880  0
xt_TEE                  1344  0
ip_queue                3952  0
nf_nat_tftp              400  0
nf_conntrack_tftp       2384  1 nf_nat_tftp
nf_nat_sip              5136  0
nf_conntrack_sip       16208  1 nf_nat_sip
nf_nat_pptp             1328  0
nf_conntrack_pptp       3088  1 nf_nat_pptp
nf_nat_h323             4576  0
nf_conntrack_h323      33344  1 nf_nat_h323
nf_nat_proto_gre         784  1 nf_nat_pptp
nf_conntrack_proto_gre     2384  1 nf_conntrack_pptp
nf_nat_amanda            624  0
nf_conntrack_amanda     1552  1 nf_nat_amanda
nf_nat_irc               800  0
nf_conntrack_irc        2480  1 nf_nat_irc
nf_nat_ftp               992  0
nf_conntrack_ftp        4480  1 nf_nat_ftp
xt_esp                   672  0
ipt_ah                   592  0
xt_iprange               896  0
xt_HL                   1200  0
xt_hl                    720  0
xt_ecn                  1168  0
ipt_ECN                 1264  0
xt_CLASSIFY              496  0
xt_time                 1488  0
xt_tcpmss                912  0
xt_statistic             704  0
xt_mark                  592 26
xt_length                608  5
xt_DSCP                 1376  0
xt_dscp                  896  0
xt_string                688  0
xt_layer7               8992  0
xt_quota                 672  0
xt_pkttype               528  0
xt_physdev              1264  0
xt_owner                 608  0
xt_TRACE                 416  0
compat_xtables          1520 11 xt_CHAOS,xt_TARPIT,xt_SYSRQ,xt_STEAL,xt_RAWNAT,xt_LOGMARK,xt_ipp2p,xt_IPMARK,xt_DNETMAP,xt_DHCPMAC,xt_DELUDE
ipt_REDIRECT             592  0
ipt_NETMAP               608  0
ipt_MASQUERADE           992  2
iptable_nat             2128  1
nf_nat                 10272 14 nf_nat_rtsp,xt_DNETMAP,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_h323,nf_nat_proto_gre,nf_nat_amanda,nf_nat_irc,nf_nat_ftp,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat
xt_recent               5600  0
xt_helper                784  0
xt_connmark              960  2
xt_connbytes            1424  0
pptp                   13360  0
xt_conntrack            2032  6
xt_CT                   1232  0
xt_NOTRACK               448  0
iptable_raw              560  1
xt_state                 608  0
nf_conntrack_ipv4       4416 11 iptable_nat,nf_nat
nf_defrag_ipv4           656  3 xt_TPROXY,xt_socket,nf_conntrack_ipv4
nf_conntrack           38544 31 nf_conntrack_netlink,nf_nat_rtsp,nf_conntrack_rtsp,xt_TEE,nf_nat_tftp,nf_conntrack_tftp,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_nat_h323,nf_conntrack_h323,nf_conntrack_proto_gre,nf_nat_amanda,nf_conntrack_amanda,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,xt_layer7,ipt_MASQUERADE,iptable_nat,nf_nat,xt_helper,xt_connmark,xt_connbytes,xt_conntrack,xt_CT,xt_NOTRACK,xt_state,nf_conntrack_ipv4
ehci_hcd               33232  0
sd_mod                 22416  0
l2tp_ppp               12928  0
pppoe                   7680  2
pppox                   1152  3 pptp,l2tp_ppp,pppoe
pppoatm                 2784  0
ppp_synctty             4736  0
ipt_REJECT              1808  3
xt_TCPMSS               1840  2
ipt_LOG                 6144  0
xt_comment               400  0
xt_multiport            1104  5
xt_mac                   528  0
xt_limit                 944  1
iptable_mangle           832  1
iptable_filter           592  1
ip_tables               9552  5 iptable_rawpost,iptable_nat,iptable_raw,iptable_mangle,iptable_filter
xt_tcpudp               1616 51
x_tables               10032 88 xt_LED,xt_TPROXY,xt_socket,xt_hashlimit,xt_set,ebt_nflog,ebt_log,ebt_snat,ebt_dnat,ebt_arpreply,ebt_ip,ebt_arp,ebt_redirect,ebt_mark,ebt_vlan,ebt_stp,ebt_pkttype,ebt_mark_m,ebt_limit,ebt_among,ebt_802_3,ebtables,arptable_filter,arpt_mangle,arp_tables,xt_CHAOS,xt_quota2,xt_psd,xt_LUA,xt_lscan,xt_length2,xt_ipv4options,xt_ipp2p,xt_iface,xt_geoip,xt_fuzzy,xt_DHCPMAC,xt_condition,ipt_ULOG,xt_u32,xt_TEE,xt_esp,ipt_ah,xt_iprange,xt_HL,xt_hl,xt_ecn,ipt_ECN,xt_CLASSIFY,xt_time,xt_tcpmss,xt_statistic,xt_mark,xt_length,xt_DSCP,xt_dscp,xt_string,xt_layer7,xt_quota,xt_pkttype,xt_physdev,xt_owner,xt_TRACE,compat_xtables,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat,xt_recent,xt_helper,xt_connmark,xt_connbytes,xt_conntrack,xt_CT,xt_NOTRACK,iptable_raw,xt_state,ipt_REJECT,xt_TCPMSS,ipt_LOG,xt_comment,xt_multiport,xt_mac,xt_limit,iptable_mangle,iptable_filter,ip_tables,xt_tcpudp
nfsd                   70192  0
nfs                   125536  0
msdos                   5712  0
ip_gre                 11424  0
gre                      912  2 pptp,ip_gre
ifb                     2496  0
l2tp_netlink            6768  1 l2tp_ppp
l2tp_core              12048  2 l2tp_ppp,l2tp_netlink
ppp_mppe                4768  0
tun                    10736  0
ppp_async               6048  0
ppp_generic            19088 12 pptp,l2tp_ppp,pppoe,pppox,pppoatm,ppp_synctty,ppp_mppe,ppp_async
slhc                    4352  1 ppp_generic
vfat                    7920  0
fat                    41968  2 msdos,vfat
lockd                  54896  2 nfsd,nfs
sunrpc                149152  4 nfsd,nfs,lockd
br2684                  5744  0
atm                    30144  2 pppoatm,br2684
ath9k                  58384  0
ath9k_common            1168  1 ath9k
ath9k_hw              320656  2 ath9k,ath9k_common
ath                    14224  3 ath9k,ath9k_common,ath9k_hw
nls_iso8859_15          3328  0
nls_iso8859_1           2816  0
nls_cp852               3584  0
nls_cp850               3584  0
mac80211              215424  1 ath9k
usbcore                99552  5 usb_storage,ohci_hcd,ledtrig_usbdev,ehci_hcd
usb_common               480  1 usbcore
scsi_mod               70288  2 usb_storage,sd_mod
nls_base                4704  7 vfat,fat,nls_iso8859_15,nls_iso8859_1,nls_cp852,nls_cp850,usbcore
ts_fsm                  2496  0
ts_bm                   1328  0
ts_kmp                  1264  5
crc_ccitt                944  1 ppp_async
exportfs                2560  1 nfsd
cfg80211              150304  3 ath9k,ath,mac80211
compat                   880  5 ath9k,ath9k_common,ath9k_hw,mac80211,cfg80211
sha1_generic            1376  2
ecb                     1248  0
arc4                     768  4
aes_generic            29808  8
crypto_blkcipher        9648  1 ecb
cryptomgr               1840  0
aead                    3952  1 cryptomgr
crypto_hash             7952  1 sha1_generic
crypto_algapi           9312  7 ecb,arc4,aes_generic,crypto_blkcipher,cryptomgr,aead,crypto_hash
ledtrig_timer           1072  0
ledtrig_default_on       416  0
leds_gpio               1584  0
gpio_button_hotplug     3168  0

comment:4 follow-up: Changed 6 years ago by anonymous

Is this related to #11046?

comment:5 in reply to: ↑ 4 Changed 6 years ago by anonymous

Replying to anonymous:

Is this related to #11046?

No, on 11046 the authentication succeeds. I believe the problem is that pppd is being compiled without mschap-v2 support, as this is the reason for the "no auth is possible" error message.
Search for the error in:
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_bmanp

The other cause for that particular error is that the user/pass is not being passed correctly or the server is not able to find it. From that web page I cannot understand what it refers to, but I have access to the pptpd server in question and know that it is correctly configured (I can connect to it using Ubuntu or Windows), both configured with mschap-v2 and 128-bit mppe.

comment:6 Changed 6 years ago by anonymous

So, I've been digging deeper into this, and the problem is not actually from mschap-v2. It is elsewhere, probably the user/pass is not being sent.

I reconfigured the remote pptpd server to allow any type of auth (pap, chap, eap, mschapv2) and to make mppe optional, I changed the options.pptp to disable the mppe enforcing (I commented the line) and on the logs I see that the authentication still fails. According to the pptpclient.sourceforge.net diagnosis page, this is because auth is wrong.

Here is the log of a connection from the openwrt box to the pptpd server that accepts:

using channel 327
Using interface pptp-test
Connect: pptp-test <--> /dev/pts/1
rcvd [LCP ConfReq id=0x0 <auth chap MS-v2> <magic 0x1>]
sent [LCP ConfReq id=0x3 <asyncmap 0x0> <magic 0x13548287>]
No auth is possible
sent [LCP ConfRej id=0x0 <auth chap MS-v2>]
rcvd [LCP ConfRej id=0x3 <asyncmap 0x0>]
sent [LCP ConfReq id=0x4 <magic 0x13548287>]
rcvd [LCP ConfReq id=0x1 <auth chap MD5> <magic 0x1>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MD5>]
rcvd [LCP ConfAck id=0x4 <magic 0x13548287>]
rcvd [LCP ConfReq id=0x2 <auth pap> <magic 0x1>]
No auth is possible
sent [LCP ConfRej id=0x2 <auth pap>]
sent [LCP ConfReq id=0x4 <magic 0x13548287>]

so, it also fails with chap and pap.

comment:7 Changed 6 years ago by jow

Can you please attach the full command line as seen in "ps ww | grep pptp" ?

comment:8 Changed 6 years ago by anonymous

here it is:

root@gateway:~# ps ww|grep pptp
 1966 root       800 S    pptpd
17377 root      1592 S    /usr/sbin/pppd nodetach ipparam test ifname pptp-test nodefaultroute usepeerdns persist maxfail 1 ip-up-script /lib/netifd/ppp-up ipv6-up-script /lib/netifd/ppp-up ip-down-script /lib/netifd/ppp-down ipv6-down-script /lib/netifd/ppp-down pty /usr/sbin/pptp edited.someserver.com --loglevel 0 --nolaunchpppd  file /etc/ppp/options.pptp
17903 root       908 S    pptp: call manager for edited.ip.of.someserver.com                          0 --nolaunchpppd
17904 root      1720 S    sh -c /usr/sbin/pptp edited.someserver.com --loglevel 0 --nolaunchpppd
17907 root       908 S    {pptpgw} pptp: GRE-to-PPP gateway on /dev/ptmx                         0 --nolaunchpppd
18024 root      1712 S    grep pptp
root@gateway:~#

I edited the displayed fqn name and ip address. everything else is there.
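
An added example, not part of the ticket or of OpenWrt's code: a triage script for the two things this thread inspects by hand, the LCP auth negotiation in the pppd debug log and the presence of credentials in the pppd options. The function names are hypothetical, and it assumes credentials reach pppd through its `user` and `password` options (secrets files are not consulted).

```shell
# Added example (not from the ticket): triage a pppd "debug" log on stdin.
# Prints one line per auth protocol the peer proposed, then a verdict line.
lcp_auth_summary() {
    awk '
    function proto(s) { return substr(s, RSTART + 6, RLENGTH - 7) }
    /rcvd \[LCP ConfReq / && match($0, /<auth [^>]*>/) { asked[proto($0)]++ }
    /sent \[LCP ConfRej / && match($0, /<auth [^>]*>/) { rejected[proto($0)]++ }
    /^No auth is possible/ { noauth++ }
    /^MPPE required, but MS-CHAP/ { mppe = 1 }
    END {
        all = 1
        for (p in asked) {
            printf "%s asked=%d rejected=%d\n", p, asked[p], rejected[p] | "sort"
            if (rejected[p] < asked[p]) all = 0   # a proposal was not refused
            n++
        }
        close("sort")
        if (n && all && noauth) print "verdict: every auth proposal refused locally, check user/password"
        else print "verdict: auth negotiation not refused locally"
        if (mppe) print "note: MPPE error follows from the skipped MS-CHAP exchange"
    }'
}
# Succeeds only if the option text on stdin (pppd argv or an options file)
# carries both a "user" and a "password" option followed by a value.
has_ppp_credentials() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i < NF; i++) { if ($i == "user") u = 1; if ($i == "password") p = 1 } }
         END { exit !(u && p) }'
}
# Constructed sample: lines copied from the two logs in the ticket.
sample_log() {
    cat <<'EOF'
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xd0e6e3b9> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <auth pap> <magic 0x1>]
No auth is possible
sent [LCP ConfRej id=0x2 <auth pap>]
MPPE required, but MS-CHAP[v2] auth not performed.
EOF
}
# Constructed sample: the pppd command line from comment 8, shortened.
sample_argv() {
    echo "/usr/sbin/pppd nodetach ipparam test ifname pptp-test maxfail 1 pty /usr/sbin/pptp edited.someserver.com --nolaunchpppd file /etc/ppp/options.pptp"
}
sample_log | lcp_auth_summary
sample_argv | has_ppp_credentials || echo "no user/password in pppd options"
```

On a router the same functions can be fed `/var/log/pptp-server.log` (the `logfile` set in the options above) and the contents of `/etc/ppp/options.pptp`.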

comment:9 Changed 6 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

Thank you. Fixed with r32035

comment:10 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
