Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link

From: Abiola Jewoola <biola_y2k_at_yahoo.com>
Date: Fri, 7 May 2010 08:01:34 -0700 (PDT)

Here is my output from debug ppp negotiations and debug lapb.

After I did a shut, no shut!

on R1

*Mar 1 06:22:17.046: Serial0/0: LAPB T1 SABMSENT 22937 1
*Mar 1 06:22:17.046: Serial0/0: LAPB O SABMSENT (2) SABM P.
*Mar 1 06:22:20.046: Serial0/0: LAPB T1 SABMSENT 22940 2
*Mar 1 06:22:20.046: Serial0/0: LAPB O SABMSENT (2) SABM P..
*Mar 1 06:22:23.046: Serial0/0: LAPB T1 SABMSENT 22943 0
*Mar 1 06:22:23.046: Serial0/0: LAPB O SABMSENT (2) SABM P.
*Mar 1 06:22:26.046: Serial0/0: LAPB T1 SABMSENT 22946 1
*Mar 1 06:22:26.046: Serial0/0: LAPB O SABMSENT (2) SABM P..
*Mar 1 06:22:29.046: Serial0/0: LAPB T1 SABMSENT 22949 2
*Mar 1 06:22:29.046: Serial0/0: LAPB O SABMSENT (2) SABM P.
*Mar 1 06:22:32.046: Serial0/0: LAPB T1 SABMSENT 22952 0
*Mar 1 06:22:32.046: Serial0/0: LAPB O SABMSENT (2) SABM P..
*Mar 1 06:22:35.046: Serial0/0: LAPB T1 SABMSENT 22955 1
*Mar 1 06:22:35.046: Serial0/0: LAPB O SABMSENT (2) SABM P.
*Mar 1 06:22:38.046: Serial0/0: LAPB T1 SABMSENT 22958 2
*Mar 1 06:22:38.046: Serial0/0: LAPB O SABMSENT (2) SABM P
*Mar 1 06:22:38.186: Serial0/0: LAPB I SABMSENT (23) UI BAD-ADDR.

*Mar 1 06:22:40.042: Serial0/0: LAPB I SABMSENT (23) UI BAD-ADDR.
*Mar 1 06:22:41.046: Serial0/0: LAPB T1 SABMSENT 22961 0
*Mar 1 06:22:41.050: Serial0/0: LAPB O SABMSENT (2) SABM P
*Mar 1 06:22:42.142: Serial0/0: LAPB I SABMSENT (23) UI BAD-ADDR.
*Mar 1 06:22:44.050: Serial0/0: LAPB T1 SABMSENT 22964 1
*Mar 1 06:22:44.050: Serial0/0: LAPB O SABMSENT (2) SABM P
*Mar 1 06:22:44.050: Serial0/0: LAPB I SABMSENT (23) UI BAD-ADDR

on R2

*Mar 1 06:27:13.946: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:27:15.958: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:27:15.970: Se0/0 LCP: State is Listen
*Mar 1 06:27:45.974: Se0/0 LCP: Timeout: State Listen
*Mar 1 06:27:45.974: Se0/0 PPP: Authorization required
*Mar 1 06:27:45.978: Se0/0 LCP: O CONFREQ [Listen] id 38 len 19
*Mar 1 06:27:45.978: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:27:45.978: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:27:45.978: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:27:47.990: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:27:47.990: Se0/0 LCP: O CONFREQ [REQsent] id 39 len 19
*Mar 1 06:27:47.990: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:27:47.994: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:27:47.994: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:27:50.006: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:27:50.006: Se0/0 LCP: O CONFREQ [REQsent] id 40 len 19
*Mar 1 06:27:50.006: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:27:50.010: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:27:50.010: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:27:52.022: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:27:52.022: Se0/0 LCP: O CONFREQ [REQsent] id 41 len 19
*Mar 1 06:27:52.022: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:27:52.026: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:27:52.026: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:27:54.038: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:27:54.038: Se0/0 LCP: O CONFREQ [REQsent] id 42 len 19
*Mar 1 06:27:54.038: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:27:54.042: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:27:54.042: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:27:56.054: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:27:56.054: Se0/0 LCP: O CONFREQ [REQsent] id 43 len 19
*Mar 1 06:27:56.054: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:27:56.058: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:27:56.058: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:27:58.070: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:27:58.070: Se0/0 LCP: O CONFREQ [REQsent] id 44 len 19
*Mar 1 06:27:58.074: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:27:58.074: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:27:58.074: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:28:00.086: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:28:00.086: Se0/0 LCP: O CONFREQ [REQsent] id 45 len 19
*Mar 1 06:28:00.086: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:28:00.090: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:28:00.090: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:28:02.102: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:28:02.102: Se0/0 LCP: O CONFREQ [REQsent] id 46 len 19
*Mar 1 06:28:02.102: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:28:02.106: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:28:02.106: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:28:04.118: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:28:04.118: Se0/0 LCP: O CONFREQ [REQsent] id 47 len 19
*Mar 1 06:28:04.118: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 06:28:04.122: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
*Mar 1 06:28:04.122: Se0/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Mar 1 06:28:06.134: Se0/0 LCP: Timeout: State REQsent
*Mar 1 06:28:06.146: Se0/0 LCP: State is Listen

--- On Fri, 5/7/10, Joe Astorino <jastorino_at_ipexpert.com> wrote:

From: Joe Astorino <jastorino_at_ipexpert.com>
Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link
To: "Abiola Jewoola" <biola_y2k_at_yahoo.com>
Cc: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
<ccielab_at_groupstudy.com>, "Nathan Richie" <nathanr_at_boice.net>
Date: Friday, May 7, 2010, 7:35 AM

Following up -- I don't believe this is an issue with MPPE. I believe
the issue you are seeing is a problem with PPP reliable-link working
with MS-CHAP. Even after removing the encryption portion, ppp
reliable-link will not work in conjunction with MS-CHAP, at least in
my lab testing.

See the debug ppp negotiation below. The debug is the same with or
without MPPE configured. In either case, authentication does not
happen and after 10 timeouts line protocol will go down. Without
reliable link it authenticates immediately.
If anybody else out there has another explanation for this behavior
I'd sure be interested!

*Apr 7 07:22:07.832: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state to up
*Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
*Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
*Apr 7 07:22:07.832: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
*Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Apr 7 07:22:07.832: Se0/2/0 LCP LCP: Missed a Link-Up transition, starting PPP
*Apr 7 07:22:07.832: Se0/2/0 PPP: Using default call direction
*Apr 7 07:22:07.836: Se0/2/0 PPP: Treating connection as a dedicated line
*Apr 7 07:22:07.836: Se0/2/0 PPP: Session handle[10000129] Session id[486]
*Apr 7 07:22:07.836: Se0/2/0 PPP: Phase is ESTABLISHING, Active Open
*Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFREQ [Closed] id 5 len 14
*Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
*Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
*Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFACK [REQsent] id 24 len 19
*Apr 7 07:22:07.836: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
*Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
*Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Apr 7 07:22:07.836: Se0/2/0 LCP: I CONFACK [ACKsent] id 5 len 14
*Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
*Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
*Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
*Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
*Apr 7 07:22:13.488: Se0/2/0 PPP: Outbound cdp packet dropped
*Apr 7 07:22:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
*Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
*Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
*Apr 7 07:22:36.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/2/0, changed state to up
*Apr 7 07:22:37.876: Se0/2/0 AUTH: Timeout 3
*Apr 7 07:22:47.892: Se0/2/0 AUTH: Timeout 4
*Apr 7 07:22:57.908: Se0/2/0 AUTH: Timeout 5
*Apr 7 07:23:07.924: Se0/2/0 AUTH: Timeout 6
*Apr 7 07:23:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
*Apr 7 07:23:17.940: Se0/2/0 AUTH: Timeout 7
*Apr 7 07:23:27.955: Se0/2/0 AUTH: Timeout 8
*Apr 7 07:23:37.971: Se0/2/0 AUTH: Timeout 9
*Apr 7 07:23:47.987: Se0/2/0 AUTH: Timeout 10
*Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
*Apr 7 07:23:58.003: Se0/2/0 PPP: Sending Acct Event[Down] id[1E6]
*Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING

On Fri, May 7, 2010 at 10:16 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> Check out this section from RFC 3078:
>
> 7.2. Stateful Mode Key Changes
>
> If stateful encryption has been negotiated, the sender MUST change
> its key before encrypting and transmitting any packet in which the
> low order octet of the coherency count equals 0xFF (the "flag"
> packet), and the receiver MUST change its key after receiving, but
> before decrypting, a "flag" packet (see "Synchronization", below).
>
>
> Section 3
>
> MPPE MAY be used over a reliable link, as described in "PPP
> Reliable Transmission" [6], but this typically just adds unnecessary
> overhead since only the coherency count is required.
>
> Why it is NOT working for you is anybody's guess.
>
> On Fri, May 7, 2010 at 6:46 AM, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
>> Hi Guys,
>> Can someone please explain the following:
>>
>> 1. Some of the options in using the "ppp mppe encrypt" command such as
>> stateful, required and passive.
>>
>> 2. Also, how can I use this feature with ppp reliable link?
>>
>> 3. I'm presently doing a demo on GNS3. I have two point-to-point links set up
>> using PPP CHAP authentication. I enabled MPPE encrypt auto on both sides of the
>> link. Then enabled PPP reliable link on both sides. Everything looks fine
>> initially. But after a while the line protocol went down.
>>
>> When I removed the ppp reliable link on one of the links the line protocol
>> came up. I don't understand why?
>>
>> Can someone please explain?
>>
>> Regards,
>> Abiola
>>
>> --- On Thu, 5/6/10, Nathan Richie <nathanr_at_boice.net> wrote:
>>
>> From: Nathan Richie <nathanr_at_boice.net>
>> Subject: RE: MPPE - (Microsoft PPP Encryption) - anyone know how to implement
>> this on a serial link?
>> To: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
>> <ccielab_at_groupstudy.com>
>> Date: Thursday, May 6, 2010, 5:42 AM
>>
>> Beefmo,
>>
>> You can run PPP mppe on serial interfaces. However, the trick to it is that
>> you must use MS-CHAP authentication (makes sense since it was designed to
>> terminate Microsoft VPN tunnels). Since this is encryption, I would recommend
>> that you get your authentication working first on the PPP link and then enable
>> mppe. Certain things have to match on both ends such as strength (options are
>> 40 & 128) and whether encryption is required or not. Note that there are some
>> options such as auto for the key strength that you can use as well. I would
>> recommend that you look at the various settings for the command and then test
>> them out in a lab so you understand what settings work and what settings do
>> not work. The good news is that it is only 1 command :)
>>
>> HTH,
>>
>> Nathan
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Beefmo
>> Sent: Thursday, May 06, 2010 6:17 AM
>> To: ccielab_at_groupstudy.com
>> Subject: MPPE - (Microsoft PPP Encryption) - anyone know how to implement this
>> on a serial link?
>>
>> Can anyone explain to me or point me to a link that shows how we'd implement
>> MPPE? (haha, everyone's like "wtf is mppe?")
>>
>> What I do know is that it's Microsoft Point-to-Point Encryption and is
>> supported by Cisco as a means of encrypting PPP or PPTP. This is where I get
>> lost: is it just another authentication method negotiated at LCP? Or is it
>> only valid inside a PPTP tunnel?
>>
>> What I can find of it on the Cisco site seems divided between using it with
>> PPP and using it with PPTP. It seems to be more of a tech to use in a
>> client/server VPN situation but I'd like to know how we can run it across a
>> serial link between two Cisco devices. I guess my understanding of PPTP is
>> lacking too. Any security guys help me out here?
>> Thanks in advance!
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
> --
> Regards,
>
> Joe Astorino - CCIE #24347
> Sr. Technical Instructor - IPexpert
> Mailto: jastorino_at_ipexpert.com
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on
> Demand, Audio Tools, Online Hardware Rental and Classroom Training for
> the Cisco CCIE (R&S, Voice, Security & Service Provider)
> certification(s) with training locations throughout the United States,
> Europe, South Asia and Australia. Be sure to visit our online
> communities at www.ipexpert.com/communities and our public website at
> www.ipexpert.com
>

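Added illustration of the RFC 3078 key-change rule Joe quotes above (not code from the thread, from Cisco IOS, or from any shipping MPPE implementation): a small Python model of a stateful-mode MPPE sender that keeps the 12-bit coherency count and re-keys before each "flag" packet. The RC4 and SHA-1 key-change steps follow RFC 3078 section 7.3; the start key, initial session key and payload are constructed sample values rather than keys derived from MS-CHAP as RFC 3079 would produce.

```python
import hashlib

# Added example, not from the thread. Keys and payloads are constructed sample values.
SHA_PAD1, SHA_PAD2 = b"\x00" * 40, b"\xf2" * 40   # SHAPad1 / SHAPad2 (RFC 3078 7.3)
COUNT_MASK, ENCRYPTED_BIT = 0x0FFF, 0x1000        # 12-bit coherency count, 'D' bit

class RC4:
    """RC4 whose keystream persists across packets; stateful MPPE re-initialises it only on a key change."""
    def __init__(self, key: bytes):
        self.s, j = list(range(256)), 0
        for i in range(256):
            j = (j + self.s[i] + key[i % len(key)]) & 0xFF
            self.s[i], self.s[j] = self.s[j], self.s[i]
        self.i = self.j = 0

    def crypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(c ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)

def change_key(start_key: bytes, session_key: bytes, bits: int) -> bytes:
    """RFC 3078 7.3: GetNewKeyFromSHA, encrypt the interim key with itself, fix leading octets for 40/56-bit."""
    n = len(session_key)
    interim = hashlib.sha1(start_key + SHA_PAD1 + session_key + SHA_PAD2).digest()[:n]
    new_key = bytearray(RC4(interim).crypt(interim))
    if bits == 40:                      # 8-octet key, 3 fixed octets -> 40 secret bits
        new_key[:3] = b"\xd1\x26\x9e"
    elif bits == 56:                    # 8-octet key, 1 fixed octet -> 56 secret bits
        new_key[:1] = b"\xd1"
    return bytes(new_key)

class StatefulSender:
    """RFC 3078 7.2 sender: key MUST change before encrypting a packet whose count's low octet is 0xFF."""
    def __init__(self, start_key: bytes, session_key: bytes, bits: int):
        self.start_key, self.bits, self.count, self.key_changes = start_key, bits, 0, 0
        self.session_key, self.rc4 = session_key, RC4(session_key)

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        if (self.count & 0xFF) == 0xFF:                        # this is the "flag" packet
            self.session_key = change_key(self.start_key, self.session_key, self.bits)
            self.rc4 = RC4(self.session_key)                   # re-key the RC4 tables
            self.key_changes += 1
        header = ENCRYPTED_BIT | self.count                    # MPPE header word (D bit + count)
        self.count = (self.count + 1) & COUNT_MASK             # count wraps at 4096
        return header, self.rc4.crypt(plaintext)
```

A receiver running the same schedule over the ciphertexts recovers the plaintexts, and a single lost flag packet leaves a stateful receiver one key change behind until the peers resynchronise.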
Received on Fri May 07 2010 - 08:01:34 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART