Discussion:
[pptp-devel] MPPE required/key length error
Church, Brian John (UMR-Student)
2005-06-07 15:34:15 UTC
To whom it may concern,
I apologize if this is the wrong list, but I could not find a user mailing list. I am having problems connecting to a Windows VPN server using the pptp client. I do not know the details of the server, but I can connect to it from my location using XP.

I followed the instructions at http://pptpclient.sourceforge.net/howto-gentoo.phtml. I also used the pptpconfig program. If I do not require mppe the connection fails. Also, unless I manually change the options.pptp file, replacing "require-mppe" with "mppe required", I get an unknown option error. Once I make that replacement, I get the dump listed below. I also tried "require-mppe-128", and I also get an unknown option error.

I am using gentoo kernel sources 2.6.11-r10 and ppp version 2.4.3.

Thanks in advance for any suggestions,
Brian Church

pptpconfig: debug information dump begins
WARNING: security sensitive information follows
pptpconfig 1.2 2004/06/19 08:57:15
# pppd --version
pppd version 2.4.3
# uname -a
Linux southfork 2.6.11-gentoo-r10 #1 Tue Jun 7 10:26:58 MDT 2005 i686 Intel(R) Pentium(R) 4 CPU 1700MHz GenuineIntel GNU/Linux
# grep mppe /proc/modules
ppp_mppe 13568 0 - Live 0xe1148000
# modinfo ppp_mppe
filename: /lib/modules/2.6.11-gentoo-r10/kernel/drivers/net/ppp_mppe.ko
license: BSD without advertisement clause
vermagic: 2.6.11-gentoo-r10 preempt PENTIUM4 gcc-3.3
depends:
Array
(
[name] => UMRIPSec
[server] => xxx.xxx.xxx.xxx
[domain] =>
[username] => username
[password] => (hidden by pptpconfig)
[pppd-options] =>
[pptp-options] =>
[resolv] =>
[dns-options] =>
[routing] => routing_client_to_lan
[usepeerdns] => 1
[require-mppe] => 1
[nomppe-40] =>
[nomppe-128] =>
[refuse-eap] =>
[mppe-stateful] =>
[autostart] =>
[iconify] =>
[persist] =>
[debug] => 1
[client-to-lan] =>
)
# route -n (before pppd)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
pptpconfig: debug information dump ends, starting pppd
pppd options in effect:
debug # (from /etc/ppp/peers/TUNNEL)
updetach # (from command line)
logfd 1 # (from command line)
linkname TUNNEL # (from /etc/ppp/peers/TUNNEL)
dump # (from /etc/ppp/peers/TUNNEL)
noauth # (from /etc/ppp/options.pptp)
name username # (from /etc/ppp/peers/TUNNEL)
remotename TUNNEL # (from /etc/ppp/peers/TUNNEL)
# (from /etc/ppp/options.pptp)
pty pptp xxx.xxx.xxx.xxx --nolaunchpppd # (from /etc/ppp/peers/TUNNEL)
mru 1500 # (from /etc/ppp/options.pptp)
mtu 1500 # (from /etc/ppp/options.pptp)
lcp-echo-failure 10 # (from /etc/ppp/options.pptp)
lcp-echo-interval 10 # (from /etc/ppp/options.pptp)
ipparam TUNNEL # (from /etc/ppp/peers/TUNNEL)
usepeerdns # (from /etc/ppp/peers/TUNNEL)
nobsdcomp # (from /etc/ppp/options.pptp)
nodeflate # (from /etc/ppp/options.pptp)
mppe xxx # [don't know how to print value] # (from /etc/ppp/options.pptp)
using channel 4
Using interface ppp0
pptpconfig: monitoring interface ppp0
Connect: ppp0 <--> /dev/pts/6
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe3b62100> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <auth chap MS-v2>]
sent [LCP ConfAck id=0x0 <auth chap MS-v2>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe3b62100> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0xe3b62100]
rcvd [CHAP Challenge id=0x1 <09cdcba8b12b990961dd60cd7a95cae1>, name = ""]
sent [CHAP Response id=0x1 <49407d7b43c29ac9bab4ba0889d3cddcefffbf190bedb7c1e2c32907dc27b13a70bbe5e70781249ff47a5b2e907d9087df>, name = "username"]
rcvd [LCP EchoRep id=0x0 magic=0x0]
rcvd [CHAP Challenge id=0x2 <a56c0b6c9ea8704f61dd60cd7a95cae1>, name = ""]
sent [CHAP Response id=0x2 <bc0670c61589155c9312f732a9632712efffbf190bedb7c1ce3a479dc41ee840814ce4f1c667a2ff4b2467c3fe6798cbdf>, name = "username"]
rcvd [CHAP Success id=0x2 "S=CDCCE63239EEB51D88DED167D9C56E50F6C3443F"]
sent [CCP ConfReq id=0x1 <mppe -H +M +S +L -D -C>]
rcvd [IPCP ConfReq id=0x0 <addr 131.151.60.1>]
sent [IPCP TermAck id=0x0]
rcvd [CCP ConfReq id=0x0 <mppe +H -M +S -L -D -C>]
sent [CCP ConfNak id=0x0 <mppe -H -M +S -L -D -C>]
rcvd [CCP ConfRej id=0x1 <mppe -H +M +S +L -D -C>]
sent [LCP TermReq id=0x2 "MPPE required but cannot negotiate MPPE key length"]
rcvd [LCP TermAck id=0x2 05 02 00 36 4d 50 50 45 20 72 65 71 75 69 72 65 64 20 62 75 74 20 63 61 6e 6e 6f 74 20 6e 65 67 ...]
Connection terminated.
Waiting for 1 child processes...
script pptp xxx.xxx.xxx.xxx --nolaunchpppd , pid 12098
sending SIGTERM to process 12098
# route -n (after pppd exit)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
pptpconfig: pppd process terminated by signal 10 (failed)
pptpconfig: SIGUSR1
# route -n (after completion)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
James Cameron
2005-06-07 23:10:20 UTC
Post by Church, Brian John (UMR-Student)
I apologize if this is the wrong list, but I could not find a user
mailing list.
We're encouraging all activity onto the same list; it gives you better
access to developers.
Post by Church, Brian John (UMR-Student)
I followed the instructions at
http://pptpclient.sourceforge.net/howto-gentoo.phtml. I also used the
pptpconfig program. If I do not require mppe the connection fails.
Also, unless I manually change the options.pptp file, replacing
"require-mppe" with "mppe required", I get an unknown option error.
Once I make that replacement, I get the dump listed below. I also
tried "require-mppe-128", and I also get an unknown option error.
This shows that you are using Jan Dubiec's version of pppd that is not
directly supported by pptpconfig, since pptpconfig is coded for the
upstream version of pppd. Continue to not tick "require-mppe-128",
instead use "mppe required,128" in the pppd options field. It should
work that way; we've had reports that it does. You are right to adapt
your options.pptp file as well.
Post by Church, Brian John (UMR-Student)
I am using gentoo kernel sources 2.6.11-r10 and ppp version 2.4.3.
"ppp version 2.4.3" is insufficiently accurate. There's more than one.
Post by Church, Brian John (UMR-Student)
nodeflate # (from /etc/ppp/options.pptp)
mppe xxx # [don't know how to print value] # (from /etc/ppp/options.pptp)
(Jan, perhaps you can educate pppd to know how to print this value?)
Post by Church, Brian John (UMR-Student)
sent [CCP ConfReq id=0x1 <mppe -H +M +S +L -D -C>] {1}
rcvd [CCP ConfReq id=0x0 <mppe +H -M +S -L -D -C>] {2}
sent [CCP ConfNak id=0x0 <mppe -H -M +S -L -D -C>] {3}
rcvd [CCP ConfRej id=0x1 <mppe -H +M +S +L -D -C>] {4}
sent [LCP TermReq id=0x2 "MPPE required but cannot negotiate MPPE key length"]
Well, this is a new one on me, I've not seen it before. The problem has
occurred during Compression Control Protocol (CCP) negotiation. CCP is
used to negotiate encryption. I'll decode it for you using the process
we have; here are the events as logged above;

1. the client proposes stateful 56-bit, 128-bit or 40-bit,

2. the server proposes stateless 128-bit, probably before it has seen
the client's initial proposal, (this hints that the server wants to do
stateless 128-bit)

3. the client counter-proposes that this {2} is unacceptable, and that
the acceptable value would be stateful 128-bit, (this hints that the
client wants to do stateful 128-bit, perhaps because you configured it
that way)

4. the server rejects the first client proposal (id=0x1), saying that
the parts it doesn't like are stateful 56-bit, 128-bit or 40-bit.

You may be able to fix this by using option "mppe stateless,128"

See
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_bits
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#confreqacknakrej
for more information on understanding the CCP negotiation.
--
James Cameron http://quozl.netrek.org/
HP Open Source, Volunteer http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/
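
Added example (not part of the original thread and not PPTP Client project code): a small decoder for the `<mppe ...>` flag strings that pppd logs during CCP negotiation, following the decoding in the message above and the bit meanings in RFC 3078. The function names are illustrative, the obsolete D bit is ignored, and the sample lines are the four CCP lines from the debug dump earlier in the thread.

```python
import re

# pppd prints the MPPE "supported bits" as +X/-X letters. Meanings follow
# RFC 3078 and the decoding in the message above.
KEY_BITS = {"S": 128, "M": 56, "L": 40}

CCP_MPPE = re.compile(
    r"(sent|rcvd) \[CCP (Conf(?:Req|Ack|Nak|Rej)) id=(0x[0-9a-fA-F]+) <mppe ([^>]+)>\]")

def decode_flags(flags):
    """Turn '-H +M +S +L -D -C' into mode, key lengths and MPPC state."""
    on = {tok[1] for tok in flags.split() if tok.startswith("+")}
    return {
        "mode": "stateless" if "H" in on else "stateful",
        "keys": sorted((KEY_BITS[b] for b in on if b in KEY_BITS), reverse=True),
        "mppc": "C" in on,
    }

def decode_log(text):
    """Return one dict per CCP MPPE line found in a pppd debug log."""
    events = []
    for m in CCP_MPPE.finditer(text):
        direction, code, ident, flags = m.groups()
        events.append({"dir": direction, "code": code, "id": int(ident, 16),
                       **decode_flags(flags)})
    return events

def weak_key_offers(events):
    """ConfReq proposals that still allow a key shorter than 128 bits."""
    return [e for e in events
            if e["code"] == "ConfReq" and any(k < 128 for k in e["keys"])]

# CCP lines copied from the debug dump earlier in this thread.
SAMPLE = """\
sent [CCP ConfReq id=0x1 <mppe -H +M +S +L -D -C>]
rcvd [CCP ConfReq id=0x0 <mppe +H -M +S -L -D -C>]
sent [CCP ConfNak id=0x0 <mppe -H -M +S -L -D -C>]
rcvd [CCP ConfRej id=0x1 <mppe -H +M +S +L -D -C>]
"""

if __name__ == "__main__":
    for e in decode_log(SAMPLE):
        keys = "/".join(f"{k}-bit" for k in e["keys"]) or "no key length"
        print(f'{e["dir"]} {e["code"]} id={e["id"]}: {e["mode"]}, {keys}')
    for e in weak_key_offers(decode_log(SAMPLE)):
        print("allows <128-bit:", e["dir"], "id", e["id"])
```

Run against a full pppd debug log, `weak_key_offers` lists any proposal that would let the peer settle on a 40-bit or 56-bit key.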
Church, Brian John (UMR-Student)
2005-06-08 12:43:07 UTC
James, thank you for the previous information; however, I have a couple more questions/comments.

pppd complains about the 128 in mppe require,128. I also tried mppe stateless,128 and it complained about the 128 there also.

As far as the ppp version, I am using portage and installed the version of ppp provided there. Also, I am using the kernel module ppp_mppe.

I had previously installed (before posting this message) the module ppp_mppe_mppc and patched the kernel following instructions at http://gentoo-wiki.com/HOWTO_PPTP_VPN_client_(Microsoft-compatible_with_mppe), and had similar problems.

So (prior to posting), I redownloaded the kernel source and patched it as stated below (according to http://pptpclient.sourceforge.net/howto-gentoo.phtml). This is what I am still using.

So, I guess I'm confused as to the available ppp versions? Which one is mainstream? Which one is going to make my life easier :-) ?

Thanks for the help!
Brian


James Cameron
2005-06-08 23:00:07 UTC
Post by Church, Brian John (UMR-Student)
pppd complains about the 128 in mppe require,128. I also tried mppe
stateless,128 and it complained about the 128 there also.
Okay, I was wrong. There's no "128" suboption. I'm not familiar with
that pppd because I'm not allowed to use it.

Did my recommendation to use "mppe stateless" have any effect on your
problem? Try that before worrying unduly about the remainder of this
mail ...
Post by Church, Brian John (UMR-Student)
As far as the ppp version, I am using portage and installed the
version of ppp provided there.
I'm not familiar with this portage of which you speak; it's up to you to
know or find out where the source comes from. Ask whoever created your
portage. Maybe they provided tools that do that.
Post by Church, Brian John (UMR-Student)
Also, I am using the kernel module ppp_mppe.
That would be mixing versions, I think. If you're using a version of
pppd that has an "mppe" option rather than "require-mppe", then it
sounds like it is Jan Dubiec's MPPE/MPPC pppd. But if you are using a
module ppp_mppe, then you're using a Frank Cusack MPPE pppd, which has
been merged into the main pppd by Paul Mackerras.

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#pppd_options
Post by Church, Brian John (UMR-Student)
So, I guess I'm confused as to the available ppp versions?
The link above contains a PPP history graph, which should go a long way
to explain what you are up against. (If anyone has any corrections to
this graph, please let me know; e.g. as a patch against ppp.dotty)

You're using a "green" kernel module with a "blue" pppd.
Post by Church, Brian John (UMR-Student)
Which one is mainstream?
Judging by noise level, number of users, number of distributions
shipping it, or what? I don't know how to make a judgement on that.
The graph does show you who derived what from what.

Distributions that are very careful about patent issues would probably
avoid the "blue" fork. Those in jurisdictions without such patent
issues would want to use the "blue" fork.
Post by Church, Brian John (UMR-Student)
Which one is going to make my life easier :-) ?
Using the same version in both your kernel and your user space (pppd) is
a good start. Not mixing instructions from various sources too. ;-)
--
James Cameron http://quozl.netrek.org/
HP Open Source, Volunteer http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/