Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link

From: Joe Astorino <jastorino_at_ipexpert.com>
Date: Fri, 7 May 2010 10:49:13 -0400

I have tested ppp reliable-link with PAP, CHAP, EAP, MS-CHAP, and
MS-CHAP-v2. As usual, it appears the only thing broken is the one
coming from MS : ) lol ... I believe this to be your problem -- it
has nothing to do with MPPE; it has to do with the fact that the
authentication using MS-CHAP + ppp reliable-link appears to not work
at all (running 12.4.24T1).

On Fri, May 7, 2010 at 10:35 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> Following up -- I don't believe this is an issue with MPPE. I believe
> the issue you are seeing is a problem with PPP reliable-link working
> with MS-CHAP. Even after removing the encryption portion, ppp
> reliable-link will not work in conjunction with MS-CHAP, at least in
> my lab testing.
>
> See the debug ppp negotiation below. The debug is the same with or
> without MPPE configured. In either case, authentication does not
> happen, and after 10 timeouts the line protocol will go down. Without
> reliable link it authenticates immediately.
> If anybody else out there has another explanation for this behavior,
> I'd sure be interested!
>
> *Apr 7 07:22:07.832: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state to up
> *Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
> *Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
> *Apr 7 07:22:07.832: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
> *Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
> *Apr 7 07:22:07.832: Se0/2/0 LCP LCP: Missed a Link-Up transition, starting PPP
> *Apr 7 07:22:07.832: Se0/2/0 PPP: Using default call direction
> *Apr 7 07:22:07.836: Se0/2/0 PPP: Treating connection as a dedicated line
> *Apr 7 07:22:07.836: Se0/2/0 PPP: Session handle[10000129] Session id[486]
> *Apr 7 07:22:07.836: Se0/2/0 PPP: Phase is ESTABLISHING, Active Open
> *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFREQ [Closed] id 5 len 14
> *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFACK [REQsent] id 24 len 19
> *Apr 7 07:22:07.836: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: I CONFACK [ACKsent] id 5 len 14
> *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
> *Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
> *Apr 7 07:22:13.488: Se0/2/0 PPP: Outbound cdp packet dropped
> *Apr 7 07:22:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
> *Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
> *Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
> *Apr 7 07:22:36.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Serial0/2/0, changed state to up
> *Apr 7 07:22:37.876: Se0/2/0 AUTH: Timeout 3
> *Apr 7 07:22:47.892: Se0/2/0 AUTH: Timeout 4
> *Apr 7 07:22:57.908: Se0/2/0 AUTH: Timeout 5
> *Apr 7 07:23:07.924: Se0/2/0 AUTH: Timeout 6
> *Apr 7 07:23:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
> *Apr 7 07:23:17.940: Se0/2/0 AUTH: Timeout 7
> *Apr 7 07:23:27.955: Se0/2/0 AUTH: Timeout 8
> *Apr 7 07:23:37.971: Se0/2/0 AUTH: Timeout 9
> *Apr 7 07:23:47.987: Se0/2/0 AUTH: Timeout 10
> *Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
> *Apr 7 07:23:58.003: Se0/2/0 PPP: Sending Acct Event[Down] id[1E6]
> *Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
>
> On Fri, May 7, 2010 at 10:16 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>> Check out this section from RFC 3078:
>>
>> 7.2. Stateful Mode Key Changes
>>
>> If stateful encryption has been negotiated, the sender MUST change
>> its key before encrypting and transmitting any packet in which the
>> low order octet of the coherency count equals 0xFF (the "flag"
>> packet), and the receiver MUST change its key after receiving, but
>> before decrypting, a "flag" packet (see "Synchronization", below).
>>
>> Section 3
>>
>> MPPE MAY be used over a reliable link, as described in "PPP
>> Reliable Transmission" [6], but this typically just adds unnecessary
>> overhead since only the coherency count is required.
>>
>> Why it is NOT working for you is anybody's guess.
>>
>> On Fri, May 7, 2010 at 6:46 AM, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
>>> Hi Guys,
>>> Can someone please explain the following:
>>>
>>> 1. Some of the options used with the "ppp mppe encrypt" command, such as
>>> stateful, required and passive.
>>>
>>> 2. Also, how can I use this feature with the ppp reliable link?
>>>
>>> 3. I am presently doing a demo on GNS3. I have two point-to-point links set up
>>> using PPP CHAP authentication. I enabled MPPE encrypt auto on both sides of the
>>> link, then enabled PPP reliable link on both sides. Everything looked fine
>>> initially, but after a while the line protocol went down.
>>>
>>> When I removed the ppp reliable link on one of the links the line protocol
>>> came up. I don't understand why.
>>>
>>> Can someone please explain?
>>>
>>> Regards,
>>> Abiola
>>>
>>> --- On Thu, 5/6/10, Nathan Richie <nathanr_at_boice.net> wrote:
>>>
>>> From: Nathan Richie <nathanr_at_boice.net>
>>> Subject: RE: MPPE - (Microsoft PPP Encryption) - anyone know how to implement
>>> this on a serial link?
>>> To: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
>>> <ccielab_at_groupstudy.com>
>>> Date: Thursday, May 6, 2010, 5:42 AM
>>>
>>> Beefmo,
>>>
>>> You can run PPP mppe on serial interfaces. However, the trick to it is that
>>> you must use MS-CHAP authentication (makes sense since it was designed to
>>> terminate Microsoft VPN tunnels). Since this is encryption, I would recommend
>>> that you get your authentication working first on the PPP link and then enable
>>> mppe. Certain things have to match on both ends such as strength (options are
>>> 40 & 128) and whether encryption is required or not. Note that there are some
>>> options such as auto for the key strength that you can use as well. I would
>>> recommend that you look at the various settings for the command and then test
>>> them out in a lab so you understand what settings work and what settings do
>>> not work. The good news is that it is only 1 command :)
>>>
>>> HTH,
>>>
>>> Nathan
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Beefmo
>>> Sent: Thursday, May 06, 2010 6:17 AM
>>> To: ccielab_at_groupstudy.com
>>> Subject: MPPE - (Microsoft PPP Encryption) - anyone know how to implement this
>>> on a serial link?
>>>
>>> Can anyone explain to me or point me to a link that shows how we'd implement
>>> MPPE? (haha, everyone's like "wtf is mppe?")
>>>
>>> What I do know is that it's Microsoft Point-to-Point Encryption and is
>>> supported by Cisco as a means of encrypting PPP or PPTP. This is where I get
>>> lost: is it just another authentication method negotiated at LCP? Or is it
>>> only valid inside a PPTP tunnel?
>>>
>>> What I can find of it on the Cisco site seems divided between using it with
>>> PPP and using it with PPTP. It seems to be more of a tech to use in a
>>> client/server VPN situation but I'd like to know how we can run it across a
>>> serial link between two Cisco devices. I guess my understanding of PPTP is
>>> lacking too. Any security guys help me out here?
>>> Thanks in advance!
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

-- 
Regards,
Joe Astorino - CCIE #24347
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on
Demand, Audio Tools, Online Hardware Rental and Classroom Training for
the Cisco CCIE (R&S, Voice, Security & Service Provider)
certification(s) with training locations throughout the United States,
Europe, South Asia and Australia. Be sure to visit our online
communities at www.ipexpert.com/communities and our public website at
www.ipexpert.com
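The stateful-mode rule from RFC 3078 quoted above (the sender changes key before encrypting the "flag" packet whose coherency count ends in 0xFF, the receiver after receiving but before decrypting it) worked through as an added example; this is not code from any message in the thread. It models both ends of a stateful MPPE link in Python, assuming both peers start from the same key (in practice that key comes from MS-CHAP, which is why MPPE is tied to MS-CHAP in the thread), handling 40-bit and 128-bit keys only, and setting the FLUSHED bit on flag packets as common implementations do.

```python
import hashlib

SHA_PAD1, SHA_PAD2 = b"\x00" * 40, b"\xf2" * 40          # RFC 3078 SHAPad1 / SHAPad2
FLUSHED, ENCRYPTED, COUNT_MASK = 0x8000, 0x1000, 0x0FFF   # MPPE header: bit A, bit B, 12-bit count

def rc4_stream(key: bytes):
    """RC4 keystream generator; in stateful mode it runs on across packets until a key change."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def change_key(start_key: bytes, session_key: bytes) -> bytes:
    """RFC 3078 key change: SHA-1(StartKey|Pad1|SessionKey|Pad2) cut to key length, then RC4-ed with itself."""
    n = len(session_key)
    interim = hashlib.sha1(start_key + SHA_PAD1 + session_key + SHA_PAD2).digest()[:n]
    new_key = bytearray(b ^ k for b, k in zip(interim, rc4_stream(interim)))
    if n == 8:                       # 40-bit mode (8-octet key): the RFC fixes the first three octets
        new_key[:3] = b"\xd1\x26\x9e"
    return bytes(new_key)            # 128-bit keys (16 octets) are used as derived; 56-bit is not modelled

class Endpoint:
    """One side of a stateful-mode MPPE link. Assumption: both peers start from the same key."""
    def __init__(self, start_key: bytes):
        self.start_key = self.session_key = start_key
        self.ks, self.count, self.rekeys = rc4_stream(start_key), 0, 0
    def _rekey(self):
        self.session_key = change_key(self.start_key, self.session_key)
        self.ks, self.rekeys = rc4_stream(self.session_key), self.rekeys + 1
    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        header = ENCRYPTED | self.count
        if self.count & 0xFF == 0xFF:   # "flag" packet: sender changes key BEFORE encrypting it
            self._rekey()
            header |= FLUSHED           # assumption: set on flag packets, as common implementations do
        self.count = (self.count + 1) & COUNT_MASK   # 12-bit coherency count wraps 0xFFF -> 0x000
        return header, bytes(b ^ next(self.ks) for b in plaintext)
    def receive(self, header: int, ciphertext: bytes) -> bytes:
        count = header & COUNT_MASK
        if count != self.count:         # lost or reordered: a real receiver sends a CCP Reset-Request
            raise ValueError(f"coherency count {count:#05x}, expected {self.count:#05x}")
        if count & 0xFF == 0xFF:        # flag packet: receiver changes key AFTER receiving, BEFORE decrypting
            self._rekey()
        self.count = (count + 1) & COUNT_MASK
        return bytes(b ^ next(self.ks) for b in ciphertext)
```

Running a few thousand packets one way shows the two sides rekeying in lockstep every 256 packets and the count wrapping at 0xFFF, which is the state that a lost or misordered packet would desynchronise.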
Received on Fri May 07 2010 - 10:49:13 ART