Old 01-15-2013, 04:51 AM   #1
geshuni
LQ Newbie
 
Registered: Dec 2010
Posts: 17

Rep: Reputation: 0
PPTPD not working MS-CHAP[v2] auth not performed


Greetings, I'm trying to run a pptp daemon on my server, however as you can see from the title I'm not working it out. Here are the configs and logs, hope someone will give me a hand with this.

pptpd.conf:
Code:
###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
#       Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 192.168.1.1
remoteip 192.168.1.100-200

pptp-options:
Code:
###############################################################################
# $Id: pptpd-options 4643 2006-11-06 18:42:43Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}




# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

# extra
ms-dns 192.168.1.1
nobsdcomp
noipx
mtu 1490
mru 1490
noauth

syslog:
Code:
Jan 15 12:35:31 tinchev pptpd[14928]: CTRL: Client 2.121.242.48 control connection started
Jan 15 12:35:32 tinchev pptpd[14928]: CTRL: Starting call (launching pppd, opening GRE)
Jan 15 12:35:32 tinchev pppd[14929]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jan 15 12:35:32 tinchev pppd[14929]: pppd 2.4.5 started by root, uid 0
Jan 15 12:35:32 tinchev pppd[14929]: Using interface ppp1
Jan 15 12:35:32 tinchev pppd[14929]: Connect: ppp1 <--> /dev/pts/3
Jan 15 12:35:32 tinchev pptpd[14928]: GRE: Bad checksum from pppd.
Jan 15 12:35:35 tinchev pptpd[14928]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jan 15 12:35:35 tinchev pppd[14929]: MPPE required, but MS-CHAP[v2] auth not performed.
Jan 15 12:35:35 tinchev pppd[14929]: Connection terminated.
Jan 15 12:35:35 tinchev pptpd[14928]: CTRL: Reaping child PPP[14929]
Jan 15 12:35:35 tinchev pppd[14929]: Exit.
Jan 15 12:35:35 tinchev pptpd[14928]: CTRL: Client 2.121.242.48 control connection finished

P.S. If I comment out the require and refuse params in pptp-options.conf I managed to get past this error, but bad checksum still appears.

P.S.2 Thank you for your time!
 
Old 01-15-2013, 05:25 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 1,910

Rep: Reputation: Disabled
You have both require-mschap-v2 and noauth in ppp-options. It seems the latter then takes precedence over the former, and as a result MPPE (which requires authentication) cannot be used.

PS: You do know that PPTP provides no security due to protocol flaws?
 
1 members found this post helpful.
Old 01-15-2013, 05:34 AM   #3
geshuni
LQ Newbie
 
Registered: Dec 2010
Posts: 17

Original Poster
Rep: Reputation: 0
Thank you for the quick reply!
Yes I do know that, but cannot figure a better way to create a VPN connection.
After removing noauth I get this:

syslog:
Code:
Jan 15 13:27:03 tinchev pptpd[15088]: CTRL: Client 2.121.242.48 control connection started
Jan 15 13:27:03 tinchev pptpd[15088]: CTRL: Starting call (launching pppd, opening GRE)
Jan 15 13:27:03 tinchev pppd[15089]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jan 15 13:27:03 tinchev pppd[15089]: The remote system is required to authenticate itself
Jan 15 13:27:03 tinchev pppd[15089]: but I couldn't find any suitable secret (password) for it to use to do so.
Jan 15 13:27:03 tinchev pppd[15089]: (None of the available passwords would let it use an IP address.)
Jan 15 13:27:03 tinchev pptpd[15088]: GRE: read(fd=6,buffer=8058640,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Jan 15 13:27:03 tinchev pptpd[15088]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Jan 15 13:27:03 tinchev pptpd[15088]: CTRL: Reaping child PPP[15089]
Jan 15 13:27:03 tinchev pptpd[15088]: CTRL: Client 2.121.242.48 control connection finished
 
Old 01-15-2013, 05:39 AM   #4
geshuni
LQ Newbie
 
Registered: Dec 2010
Posts: 17

Original Poster
Rep: Reputation: 0
I found where the problem is - in chap-secrets - you need to specify exactly that you want a current user to use pptpd. Thank you very much, everything is working now!
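
The two fixes from this thread can be checked before pptpd is restarted: `noauth` must not sit beside `require-mschap-v2` / `require-mppe-128`, and chap-secrets needs an entry whose server field matches the `name` option and which permits an IP address. The following is an added example, not code from any poster or from the Poptop or pppd projects; the function names, the sample file contents and the client `alice` are constructed, `name` is assumed to be set in the options file, and `shlex` only approximates pppd's own quoting rules.

```python
import shlex

def parse_options(text):
    """Return pppd options as {keyword: [args]}; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words:
            opts[words[0]] = words[1:]
    return opts

def parse_secrets(text):
    """Return chap-secrets rows as lists: client, server, secret, addresses..."""
    rows = (shlex.split(line, comments=True) for line in text.splitlines())
    return [r for r in rows if len(r) >= 3]

def lint(options_text, secrets_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    opts = parse_options(options_text)
    # noauth switches off peer authentication, so MS-CHAPv2 never runs and
    # MPPE (keyed from the MS-CHAPv2 exchange) cannot be negotiated.
    needs_auth = [o for o in opts if o.startswith(("require-mschap", "require-mppe"))]
    if "noauth" in opts and needs_auth:
        findings.append("noauth conflicts with " + ", ".join(sorted(needs_auth)))
    # The server (second) field must equal the 'name' option or be '*'.
    server = opts.get("name", [None])[0]
    rows = [r for r in parse_secrets(secrets_text) if r[1] in (server, "*")]
    if not rows:
        findings.append(f"no chap-secrets entry for server {server!r}")
    # With only three words, or '-' as the address list, pppd allows no address.
    for r in rows:
        if len(r) < 4 or r[3] == "-":
            findings.append(f"entry for client {r[0]!r} allows no IP address")
    return findings

# Constructed samples: the thread's relevant options, and placeholder secrets.
BROKEN_OPTIONS = """
name pptpd
refuse-pap
require-mschap-v2
require-mppe-128
noauth   # the line removed in post #3
"""
FIXED_OPTIONS = BROKEN_OPTIONS.replace("noauth", "#noauth")
BAD_SECRETS = 'alice other-server "placeholder-secret" *\n'
GOOD_SECRETS = 'alice pptpd "placeholder-secret" *\n'

if __name__ == "__main__":
    print(lint(BROKEN_OPTIONS, BAD_SECRETS))
```
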