PPTP client - MPPE required but peer negotiation failed

Boobix
DD-WRT User


Joined: 07 Jun 2006
Posts: 222
Location: FRANCE - PARIS

Posted: Thu Jun 08, 2006 1:11    Post subject: PPTP client - MPPE required but peer negotiation failed
MPPE required but peer negotiation failed


Quote:
using channel 67
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <mru 1492> <asyncmap 0x0> <magic 0x702dbe31> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6f138de> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6f138de> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <mru 1492> <asyncmap 0x0> <magic 0x702dbe31> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=***********]
rcvd [CHAP Challenge id=0xe7 <******************>, name = "pptpserv"]
sent [CHAP Response id=0xe7 <*******************>, name = "user"
rcvd [LCP EchoRep id=0x0 magic=0x6f138de]
rcvd [CHAP Success id=0xe7 "S=***************** M=Access granted"]
sent [CCP ConfReq id=0x1 <mppe -H +M +S +L -D +C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfNak id=0x1 <mppe -H -M +S -L -D -C>]
rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
LCP terminated by peer (MPPE required but peer negotiation failed)

sent [LCP TermAck id=0x2]
rcvd [CCP ConfRej id=0x1 <mppe -H +M +S +L -D +C>]
Discarded non-LCP packet when LCP not open
Terminating on signal 15
Connection terminated.
Modem hangup




Here you can find some info

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_rbpnf

Quote:
MPPE required but peer negotiation failed
Symptom: require-mppe-128 option is set, and debug logs contain this sequence:

sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
MPPE required but peer negotiation failed
sent [LCP TermReq id=0x4 "MPPE required but peer negotiation failed"]

with the essential component being the immediate termination by the local host on receipt of a CCP ConfReq that has the encryption bits turned off (-M -S -L).

Diagnosis: this is a defect of pppd on your system. It is terminating the connection on the basis that the peer started to suggest no encryption. Your pppd is not first negotiating to achieve encryption. The version of pppd you are using takes the require-mppe-128 option pedantically; refusing to connect if the peer is configured to allow no encryption, even if the peer may allow encryption after negotiation.


2005-01-19

Solution: you may fix this by (either);

using a later version of pppd that is not so pedantic, and will negotiate further to achieve encryption (a fix was made in revision 1.49 of file pppd/ccp.c in PPP CVS as the solution to closed Debian bug 294232 but is not yet released by the PPP project ... so you can upgrade to PPP CVS or apply the patch in the bug report), or

2006-03-09

removing the require-mppe-128 option from the file /etc/ppp/options.pptp and any other options given to pppd, if you are content with not using encryption (which can be risky),

configuring the peer to require encryption.
If the peer is a server on the public internet, you may wish to warn the administrator that it is not set to require encryption, and so tunnels may be established in the clear, which is an information security risk. If they change the configuration to require encryption, this seems to fix this problem, because the initial negotiation attempt includes MPPE.


2005-01-19


(If the peer is Microsoft Windows 2000 acting as a server, check that the No Encryption option in Remote Access Policies is disabled. Rob Gamble provided us with instructions to fix this.)

2003-08-12


Symptom: debug logs contain this sequence:

Disabling 40-bit MPPE; MS-CHAP LM not supported
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfNak id=0x1 <mppe -H -M -S +L -D +C>]
MPPE required but peer negotiation failed
sent [LCP TermReq id=0x3 "MPPE required but peer negotiation failed"]

Diagnosis: You have directed the local pppd to require MPPE, but the negotiation with the peer failed to find a compatible encryption level and method.

In the case above, the local pppd has proposed stateless 128-bit encryption and compression, but the peer has requested stateless 40-bit encryption and no compression. The local pppd was built without 40-bit MPPE support, or 40-bit MPPE was disabled, and so it decided it could not proceed.

Depending on the debug messages that appear prior to the "MPPE required but peer negotiation failed" message, there may be other causes. Please write to the mailing list if you've found one that we haven't documented, and include the debug messages.

Solution: Rebuild pppd for 40-bit MPPE support, enable 40-bit MPPE support, or change the peer to accept 128-bit MPPE.

(If the peer is Microsoft Windows XP acting as a client, change properties for the VPN connection, select the security tab, then the settings button next to advanced. Under Data encryption, select "Maximum strength encryption". Contributed by Bob Elzer.)


2003-06-16


(If the peer is Microsoft Windows 2000 acting as a server, try adding the pppd options nomppe-stateful, nobsdcomp and novj. Contributed by Andrew Cilia.)
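
Added example, not part of the original post or the pptpclient howto: a small Python decoder for the `<mppe ...>` flags in pppd debug output, run over the CCP lines quoted above, to show which key lengths each side offered and whether the peer offered no encryption at all. The function and variable names are made up for this example; the bit meanings are those of RFC 3078.

```python
import re

# MPPE option letters as printed by pppd; meanings per RFC 3078:
# H stateless, S 128-bit, M 56-bit, L 40-bit, C MPPC compression, D obsolete.
STRENGTH = {"S": 128, "M": 56, "L": 40}
CCP_RE = re.compile(r"(sent|rcvd) \[CCP (Conf\w+) id=0x[0-9a-fA-F]+ <mppe ([^>]*)>\]")

def decode(line):
    """Decode one pppd CCP debug line; return None for any other line."""
    m = CCP_RE.search(line)
    if m is None:
        return None
    on = {tok[1] for tok in m.group(3).split() if tok[0] == "+"}
    return {"dir": m.group(1), "code": m.group(2),
            "bits": sorted(STRENGTH[f] for f in on if f in STRENGTH),
            "stateless": "H" in on, "mppc": "C" in on}

def summarize(log):
    """Compare the first MPPE option set seen in each direction."""
    first = {}
    for pkt in filter(None, map(decode, log.splitlines())):
        first.setdefault(pkt["dir"], pkt)
    local, peer = first.get("sent"), first.get("rcvd")
    if local is None or peer is None:
        return None
    return {"local_bits": local["bits"], "peer_bits": peer["bits"],
            "common_bits": sorted(set(local["bits"]) & set(peer["bits"])),
            "peer_offers_no_encryption": not peer["bits"],
            "stateless_mismatch": local["stateless"] != peer["stateless"]}

# CCP lines copied from the logs quoted on this page.
THREAD_LOG = """\
sent [CCP ConfReq id=0x1 <mppe -H +M +S +L -D +C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfNak id=0x1 <mppe -H -M +S -L -D -C>]
"""
HOWTO_NO_ENCRYPTION = """\
sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
"""
HOWTO_40BIT = """\
Disabling 40-bit MPPE; MS-CHAP LM not supported
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfNak id=0x1 <mppe -H -M -S +L -D +C>]
"""

if __name__ == "__main__":
    for name in ("THREAD_LOG", "HOWTO_NO_ENCRYPTION", "HOWTO_40BIT"):
        print(name, summarize(globals()[name]))
```

A summary with `peer_offers_no_encryption` set, or with 40 as the only common key length, is the case the howto flags as an information security risk.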
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

Posted: Thu Jun 08, 2006 1:19
yes but as already written, there is no official release yet of pppd which fixes this
Boobix
DD-WRT User


Joined: 07 Jun 2006
Posts: 222
Location: FRANCE - PARIS

Posted: Thu Jun 08, 2006 1:25
arg it works on windows clients ... Sad

But having only 40 or 56 bits encryption it's too less... Better will be replacing pptp client/server by an open-vpn client/server in the standard rlz Cool

It'll be more secure Wink
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

Posted: Thu Jun 08, 2006 1:27
i will look into the ppp cvs tomorrow. maybe i can add the fix as separate patch. i do not trust any cvs release