[pptp-devel] MPPE required but peer negotiation failed

I have a similar problem with a Cisco Router that only supports 40 bit
mppe. I was told that ppp does not negotiate 40 bit encryption.
Is this true? Is there a work arround ?

Luis Sousa

Post by Arne Goetje
Hi list,
Please CC to me, I'm not subscribed.
I'm running Debian unstable and want to connect to a Nortel Conntivity
VPN device which uses 40-bit MPPE (doh!) and PPTP.
I patchd the kernel with the current patch and installed the pptp-linux
and ppp packages from Debian unstable.
Below is the debug log. I don't really know what else I can set to make
it work. Is there anywhere a full option list for PPTP?
(Security relevant information has been deleted.)
---------- cut -----------------------
debug # (from command line)
nodetach # (from command line)
logfd 2 # (from command line)
dump # (from command line)
noauth # (from /etc/ppp/options.pptp)
name xxxxx # (from /etc/ppp/peers/xxxxx)
remotename xxxxxx # (from /etc/ppp/peers/xxxxxx)
# (from /etc/ppp/options.pptp)
pty pptp xxx.xxx.xxx.xxx --nolaunchpppd # (from /etc/ppp/
peers/xxxxxx)
crtscts # (from /etc/ppp/options)
# (from /etc/ppp/options)
asyncmap 0 # (from /etc/ppp/options)
mru 1000 # (from /etc/ppp/options.pptp)
mtu 1000 # (from /etc/ppp/options.pptp)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/options)
ipparam tunnel # (from /etc/ppp/peers/xxxxxx)
proxyarp # (from /etc/ppp/options)
nobsdcomp # (from /etc/ppp/options.pptp)
nodeflate # (from /etc/ppp/options.pptp)
require-mppe-40 # (from /etc/ppp/options.pptp)
mppe-stateful # (from /etc/ppp/options.pptp)
noipx # (from /etc/ppp/options)
using channel 10
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <mru 1000> <asyncmap 0x0> <magic 0x68699bb0>
<pcomp> <accomp>]
rcvd [LCP ConfReq id=0xca <mru 1500> <asyncmap 0xa0000> <auth chap
MS-v2> <magic 0xf7e591a> <pcomp> <accomp>]
sent [LCP ConfAck id=0xca <mru 1500> <asyncmap 0xa0000> <auth chap
MS-v2> <magic 0xf7e591a> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <mru 1000> <asyncmap 0x0> <magic 0x68699bb0>
<pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x68699bb0]
rcvd [CHAP Challenge id=0x2 <752efeec9ce211983acacf9d3d9044b2>, name =
"172.31.1.252"]
sent [CHAP Response id=0x2
<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>, name =
"xxxxxx"]
rcvd [LCP EchoRep id=0x0 magic=0xf7e591a 98 3a]
rcvd [CHAP Success id=0x2 "S=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
sent [CCP ConfReq id=0x1 <mppe +H -M -S +L -D -C>]
rcvd [IPCP ConfReq id=0x2e <addr 172.31.1.252> <compress VJ 07 00>]
sent [IPCP TermAck id=0x2e]
rcvd [CCP ConfNak id=0x1 <mppe -H -M -S +L -D +C>]
MPPE required but peer negotiation failed
sent [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
rcvd [LCP TermAck id=0x2]
Connection terminated.
------------ cut ---------------------------------
Cheers
Arne

-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click

James Cameron

2003-12-21 22:06:00 UTC

Post by Arne Goetje
Please CC to me, I'm not subscribed.

You're welcome. Thanks for asking.

Post by Arne Goetje
I'm running Debian unstable and want to connect to a Nortel Conntivity
VPN device which uses 40-bit MPPE (doh!) and PPTP.

Yeah, Doh.

Post by Arne Goetje
I patchd the kernel with the current patch and installed the pptp-linux
and ppp packages from Debian unstable.

Okay, ppp from Debian unstable is 2.4.2 beta, and that is built without
40-bit MPPE support. That's the default as shipped from PPP CVS.

Post by Arne Goetje
Below is the debug log. I don't really know what else I can set to make
it work. Is there anywhere a full option list for PPTP?

For PPP, man pppd, or the PPP sources, let *them* know if they missed any.
For PPTP, man pptp, or the PPTP sources, and if we missed any let us know!

Post by Arne Goetje
mppe-stateful # (from /etc/ppp/options.pptp)
sent [CCP ConfReq id=0x1 <mppe +H -M -S +L -D -C>]
rcvd [CCP ConfNak id=0x1 <mppe -H -M -S +L -D +C>]
sent [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_rbpnf
matches this. Please review that section (#31 as of this date), and try
especially the nomppe-stateful, nobsdcomp and novj options.

Decoding the log, the client suggests stateless 40-bit MPPE, but the
client refuses and counter-proposes stateful 40-bit MPPE with MPPC.
The local PPP decides it cannot continue. (Not sure why).

It's a PPP problem, not a PPTP problem, but hopefully someone has got it
working.

--
James Cameron http://quozl.netrek.org/
HP Open Source, Volunteer http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/

Arne Goetje

2003-12-22 00:17:02 UTC

Post by Arne Goetje
Please CC to me, I'm not subscribed.

You're welcome. Thanks for asking.

Ok, now I am subscribed... :)

Post by Arne Goetje
I'm running Debian unstable and want to connect to a Nortel
Conntivity VPN device which uses 40-bit MPPE (doh!) and PPTP.

Yeah, Doh.

That's the problem if you sit outside the US and have to deal with
hardware products from US companies... :(

Post by Arne Goetje
I patchd the kernel with the current patch and installed the
pptp-linux and ppp packages from Debian unstable.

Okay, ppp from Debian unstable is 2.4.2 beta, and that is built
without 40-bit MPPE support. That's the default as shipped from PPP
CVS.

hmm... which version does have MPPE-40 support?
Or should I switch back to 2.4.0 and the old kernel-patch?
Anyway, where is the version cut? Since when do I have to use the new
kernel patch and the new ppp version?

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_rbpnf
matches this. Please review that section (#31 as of this date), and
try especially the nomppe-stateful, nobsdcomp and novj options.
Decoding the log, the client suggests stateless 40-bit MPPE, but the
client refuses and counter-proposes stateful 40-bit MPPE with MPPC.
The local PPP decides it cannot continue. (Not sure why).
It's a PPP problem, not a PPTP problem, but hopefully someone has got
it working.

Maybe because of the missing 40-bit option...

Cheers
Arne
- --
Arne Götje (高盛華) <***@gmx.net>
(Spam catcher. Address might change in future!)
PGP/GnuPG key: 1024D/685D1E8C
Fingerprint: 2056 F6B7 DEA8 B478 311F 1C34 6E9F D06E 685D 1E8C
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.

James Cameron

2003-12-22 00:33:01 UTC

Post by Arne Goetje
Please CC to me, I'm not subscribed.

You're welcome. Thanks for asking.

Ok, now I am subscribed... :)

Sure? This one bounced as not subscribed, and I had to approve it.

Post by Arne Goetje
I'm running Debian unstable and want to connect to a Nortel
Conntivity VPN device which uses 40-bit MPPE (doh!) and PPTP.

Yeah, Doh.

That's the problem if you sit outside the US and have to deal with
hardware products from US companies... :(

I know. I work in Australia for a US company.

Post by Arne Goetje
I patchd the kernel with the current patch and installed the
pptp-linux and ppp packages from Debian unstable.

Okay, ppp from Debian unstable is 2.4.2 beta, and that is built
without 40-bit MPPE support. That's the default as shipped from PPP
CVS.

hmm... which version does have MPPE-40 support?

2.4.2 has support, it is just that it is not enabled in the default
build. I think that's all the problem is, but I'm not sure.

Post by Arne Goetje
Or should I switch back to 2.4.0 and the old kernel-patch?

I wouldn't. We know it has unfixed bugs. It was a fork from PPP.

Post by Arne Goetje
Anyway, where is the version cut? Since when do I have to use the new
kernel patch and the new ppp version?

With 2.4.2 onwards. More explanation here:
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#pppd_options