
MPPE-encryption Bintec VPN25<=>sarge



Alohá all!

The following PPTP-tunnel-to-be-setup is in effect, still there are some major quirks to it:

LAN1/DMZ<=>BinTec VPN25 appliance<=>INet<=>Debian sarge w/ MPPE/pptpclient (fixed IP)<=>LAN2

The problem is simply that the PPTP-tunnel works perfectly well without encryption but as soon as I set 'require-mppe-128' in /etc/ppp/peers/<peername> (and the corresponding setting on the other side) the tunnel connects fine (output from 'pon <Tunnel> debug dump logfd 2 nodetach'):

[snip]
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <addr 192.168.121.63>]
sent [IPCP ConfAck id=0x1 <addr 192.168.121.63>]
rcvd [LCP EchoReq id=0x2 magic=0x22128882]
sent [LCP EchoRep id=0x2 magic=0x83185d0c]
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x2 <addr 192.168.121.63>]
sent [IPCP ConfAck id=0x2 <addr 192.168.121.63>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
rcvd [IPCP ConfNak id=0x2 <addr 192.168.23.249>]
sent [IPCP ConfReq id=0x3 <addr 192.168.23.249>]
rcvd [IPCP ConfAck id=0x3 <addr 192.168.23.249>]
[snip]

but as soon as I try to send any data whatsoever I only get error messages like:

rcvd [LCP ProtRej id=0x1 e8 f1 3a fa 4e 6c e9 a3 f2 af 1c 2f 74 15 5d 90 27 a2 a6 0b 18 bd 9d 4e 8b a4 ca 7c 08 0b ee 01 ...]
Protocol-Reject for unsupported protocol 0xe8f1
rcvd [LCP ProtRej id=0x2 94 4b ca 33 f7 e0 24 ce 81 08 90 8e 54 46 5b 57 37 80 32 7d 5b ec 0a c9 d0 94 e1 43 0c 57 49 9d ...]
Protocol-Reject for unsupported protocol 0x944b
rcvd [LCP ProtRej id=0x3 44 06 a8 aa f8 39 f3 f9 e7 19 04 75 fb b9 02 63 f5 fe 7e 3d af 99 62 f3 d9 d5 bb eb 53 3b 20 96 ...]
Protocol-Reject for unsupported protocol 0x4406

in this case for a ping message. This basically matches the error message from http://pptpclient.sourceforge.net/howto-diagnosis.phtml#lcp_protrej_1 but I simply cannot imagine the encryption strength being negotiated erratically being the cause of the problem, especially since the output states a proper MPPE encryption enabled. Now, the Bintec appliance (nice name for a company btw :-) offers all kinds of MPPE-encryption versions and strengths, the one used in above example is MPPE-v2-128Bit according to RFC 3079, all others fail as they should with error messages. The available encryptions for the appliance are:

MPPE V2 56 (RFC 3078)
MPPE V1 56 only MPPE version 1 with 56-bit key
MPPE 128 MPPE version 1 and 2 with 128-bit key
MPPE V2 128
MPPE V2 128 (RFC 3078)
MPPE V1 128
MPPE V1 128 (MScompatible mode)
MPPE V2 128 (MScompatible mode)

Now after double- and triple-checking the options, package versions, kernel support, GRE-flow and the like and getting a working tunnel w/o encryption, here are my more or less obvious questions:

- RTFMed the documentation of pptpclient forwards and backwards (http://pptpclient.sourceforge.net/howto-debian.phtml) but still I ask myself: Which versions of MPPE does the pptp-client precisely support?

- what other MPPE-options besides 'require-mppe-128' does /etc/ppp/peers/<peername> take? I've played around but can't seem to guess the syntax properly (i.e. 'require-mppe-v2-128' is not recognized)

- Is there a way to increase the debug level in order to actually witness the encryption negotiation?

- Could someone please explain the nature of the 'sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]'-line?

- Has anyone had any experience with the Bintec VPN Products?

If it's any help I can provide more files but since those are mainly misc options (like the stuff from /etc/ppp/ip-up.d) I didn't include them just yet.

best regards and Thank You all for Your time

Martin
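
Added example, not part of the original post and not pptpclient or pppd code: a small Python reader for the pppd debug output quoted above. It decodes the MPPE option letters in the CCP ConfAck lines using their RFC 3078 meanings and collects the protocol numbers from the LCP ProtRej lines. The names decode_mppe, analyse and KNOWN_PROTOCOLS are hypothetical, and reading an unknown rejected protocol number as a sign that the peer decrypted the frame into noise is an assumption, not a pppd diagnostic.

```python
import re

# Letters pppd prints for the CCP MPPE option, with their RFC 3078 meaning.
MPPE_FLAGS = {"H": "stateless mode", "M": "56-bit key", "S": "128-bit key",
              "L": "40-bit key", "D": "obsolete bit", "C": "MPPC compression"}
# PPP protocol numbers a peer could plausibly reject (IP, compressed data,
# IPCP, CCP, LCP, CHAP); anything else is treated as garbage (assumption).
KNOWN_PROTOCOLS = {0x0021, 0x00FD, 0x8021, 0x80FD, 0xC021, 0xC223}

CCP_ACK = re.compile(r"(sent|rcvd) \[CCP ConfAck id=0x[0-9a-f]+ <mppe ([^>]*)>\]")
PROTREJ = re.compile(r"rcvd \[LCP ProtRej id=0x[0-9a-f]+ ([0-9a-f]{2}) ([0-9a-f]{2})")

# Sample input: lines taken from the debug output in the post, abridged.
SAMPLE = """\
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
rcvd [LCP ProtRej id=0x1 e8 f1 3a fa 4e 6c e9 a3 ...]
rcvd [LCP ProtRej id=0x2 94 4b ca 33 f7 e0 24 ce ...]
"""


def decode_mppe(flags):
    """Return the letters marked '+' in a string such as '+H -M +S -L -D -C'."""
    return {t[1] for t in flags.split()
            if len(t) == 2 and t[0] == "+" and t[1] in MPPE_FLAGS}


def analyse(log):
    """Summarise the acknowledged MPPE options and rejected protocol numbers."""
    acked, rejected = {}, []
    for line in log.splitlines():
        if m := CCP_ACK.match(line.strip()):
            acked[m.group(1)] = decode_mppe(m.group(2))
        elif m := PROTREJ.match(line.strip()):
            rejected.append(int(m.group(1) + m.group(2), 16))
    both = "sent" in acked and acked.get("sent") == acked.get("rcvd")
    return {
        "both_sides_acked_same": both,
        "options": sorted(MPPE_FLAGS[f] for f in acked.get("sent", ())),
        # Unknown numbers once MPPE is up: consistent with the peer decoding
        # our frames into noise, i.e. differing session keys or cipher state.
        "garbage_protocols": [hex(p) for p in rejected if p not in KNOWN_PROTOCOLS],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On the lines from the post this reports that both sides acknowledged the same option set (stateless mode, 128-bit key) and that every rejected protocol number is outside the known set.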


