Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link from Joe Astorino on 2010-05-07 (Ccielab archives 05/2010)

From: Joe Astorino <jastorino_at_ipexpert.com>
Date: Fri, 7 May 2010 11:27:53 -0400

Post your s0/0 configurations on both routers

On Fri, May 7, 2010 at 11:01 AM, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:

> Here is my output from debug ppp negotiations and debug lapb
>
> After i did a shut, no shut!
>
> on R1
>
> *Mar 1 06:22:17.046: Serial0/0: LAPB T1 SABMSENT 22937 1
> *Mar 1 06:22:17.046: Serial0/0: LAPB O SABMSENT (2) SABM P.
> *Mar 1 06:22:20.046: Serial0/0: LAPB T1 SABMSENT 22940 2
> *Mar 1 06:22:20.046: Serial0/0: LAPB O SABMSENT (2) SABM P..
> *Mar 1 06:22:23.046: Serial0/0: LAPB T1 SABMSENT 22943 0
> *Mar 1 06:22:23.046: Serial0/0: LAPB O SABMSENT (2) SABM P.
> *Mar 1 06:22:26.046: Serial0/0: LAPB T1 SABMSENT 22946 1
> *Mar 1 06:22:26.046: Serial0/0: LAPB O SABMSENT (2) SABM P..
> *Mar 1 06:22:29.046: Serial0/0: LAPB T1 SABMSENT 22949 2
> *Mar 1 06:22:29.046: Serial0/0: LAPB O SABMSENT (2) SABM P.
> *Mar 1 06:22:32.046: Serial0/0: LAPB T1 SABMSENT 22952 0
> *Mar 1 06:22:32.046: Serial0/0: LAPB O SABMSENT (2) SABM P..
> *Mar 1 06:22:35.046: Serial0/0: LAPB T1 SABMSENT 22955 1
> *Mar 1 06:22:35.046: Serial0/0: LAPB O SABMSENT (2) SABM P.
> *Mar 1 06:22:38.046: Serial0/0: LAPB T1 SABMSENT 22958 2
> *Mar 1 06:22:38.046: Serial0/0: LAPB O SABMSENT (2) SABM P
> *Mar 1 06:22:38.186: Serial0/0: LAPB I SABMSENT (23) UI BAD-ADDR.
>
> *Mar 1 06:22:40.042: Serial0/0: LAPB I SABMSENT (23) UI BAD-ADDR.
> *Mar 1 06:22:41.046: Serial0/0: LAPB T1 SABMSENT 22961 0
> *Mar 1 06:22:41.050: Serial0/0: LAPB O SABMSENT (2) SABM P
> *Mar 1 06:22:42.142: Serial0/0: LAPB I SABMSENT (23) UI BAD-ADDR.
> *Mar 1 06:22:44.050: Serial0/0: LAPB T1 SABMSENT 22964 1
> *Mar 1 06:22:44.050: Serial0/0: LAPB O SABMSENT (2) SABM P
> *Mar 1 06:22:44.050: Serial0/0: LAPB I SABMSENT (23) UI BAD-ADDR
>
>
> on R2
>
> *Mar 1 06:27:13.946: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:27:15.958: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:27:15.970: Se0/0 LCP: State is Listen
> *Mar 1 06:27:45.974: Se0/0 LCP: Timeout: State Listen
> *Mar 1 06:27:45.974: Se0/0 PPP: Authorization required
> *Mar 1 06:27:45.978: Se0/0 LCP: O CONFREQ [Listen] id 38 len 19
> *Mar 1 06:27:45.978: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:27:45.978: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:27:45.978: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:27:47.990: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:27:47.990: Se0/0 LCP: O CONFREQ [REQsent] id 39 len 19
> *Mar 1 06:27:47.990: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:27:47.994: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:27:47.994: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:27:50.006: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:27:50.006: Se0/0 LCP: O CONFREQ [REQsent] id 40 len 19
> *Mar 1 06:27:50.006: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:27:50.010: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:27:50.010: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:27:52.022: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:27:52.022: Se0/0 LCP: O CONFREQ [REQsent] id 41 len 19
> *Mar 1 06:27:52.022: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:27:52.026: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:27:52.026: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:27:54.038: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:27:54.038: Se0/0 LCP: O CONFREQ [REQsent] id 42 len 19
> *Mar 1 06:27:54.038: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:27:54.042: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:27:54.042: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:27:56.054: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:27:56.054: Se0/0 LCP: O CONFREQ [REQsent] id 43 len 19
> *Mar 1 06:27:56.054: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:27:56.058: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:27:56.058: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:27:58.070: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:27:58.070: Se0/0 LCP: O CONFREQ [REQsent] id 44 len 19
> *Mar 1 06:27:58.074: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:27:58.074: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:27:58.074: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:28:00.086: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:28:00.086: Se0/0 LCP: O CONFREQ [REQsent] id 45 len 19
> *Mar 1 06:28:00.086: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:28:00.090: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:28:00.090: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:28:02.102: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:28:02.102: Se0/0 LCP: O CONFREQ [REQsent] id 46 len 19
> *Mar 1 06:28:02.102: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:28:02.106: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:28:02.106: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:28:04.118: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:28:04.118: Se0/0 LCP: O CONFREQ [REQsent] id 47 len 19
> *Mar 1 06:28:04.118: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
> *Mar 1 06:28:04.122: Se0/0 LCP: MagicNumber 0x0166C066 (0x05060166C066)
> *Mar 1 06:28:04.122: Se0/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Mar 1 06:28:06.134: Se0/0 LCP: Timeout: State REQsent
> *Mar 1 06:28:06.146: Se0/0 LCP: State is Listen
>
>
>
> --- On *Fri, 5/7/10, Joe Astorino <jastorino_at_ipexpert.com>* wrote:
>
>
> From: Joe Astorino <jastorino_at_ipexpert.com>
> Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link
> To: "Abiola Jewoola" <biola_y2k_at_yahoo.com>
> Cc: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com" <
> ccielab_at_groupstudy.com>, "Nathan Richie" <nathanr_at_boice.net>
> Date: Friday, May 7, 2010, 7:35 AM
>
>
> Following up -- I don't believe this is an issue with MPPE. I believe
> the issue you are seeing is a problem with PPP reliable-link working
> with MS-CHAP. Even after removing the encryption portion, ppp
> reliable-link will not work in conjunction with MS-CHAP, at least in
> my lab testing.
>
> See the debug ppp negotiation below. The debug is the same with or
> without MPPE configured. In either case, authentication does not
> happen and after 10 timeouts line protocol will go down. Without
> reliable link it authenticates immediately
> If anybody else out there has another explanation for this behavior
> I'd sure be interested!
>
> *Apr 7 07:22:07.832: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state
> to up
> *Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
> *Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
> *Apr 7 07:22:07.832: Se0/2/0 LCP: MagicNumber 0x1BF39EAE
> (0x05061BF39EAE)
> *Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Apr 7 07:22:07.832: Se0/2/0 LCP LCP: Missed a Link-Up transition,
> starting PPP
> *Apr 7 07:22:07.832: Se0/2/0 PPP: Using default call direction
> *Apr 7 07:22:07.836: Se0/2/0 PPP: Treating connection as a dedicated line
> *Apr 7 07:22:07.836: Se0/2/0 PPP: Session handle[10000129] Session id[486]
> *Apr 7 07:22:07.836: Se0/2/0 PPP: Phase is ESTABLISHING, Active Open
> *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFREQ [Closed] id 5 len 14
> *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5
> (0x05061CDFE5D5)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3
> (0x0B040703)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFACK [REQsent] id 24 len 19
> *Apr 7 07:22:07.836: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1BF39EAE
> (0x05061BF39EAE)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 1
> (0x0B040701)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: I CONFACK [ACKsent] id 5 len 14
> *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5
> (0x05061CDFE5D5)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3
> (0x0B040703)
> *Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
> *Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
> *Apr 7 07:22:13.488: Se0/2/0 PPP: Outbound cdp packet dropped
> *Apr 7 07:22:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
> *Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
> *Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
> *Apr 7 07:22:36.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Serial0/2/0, changed state to up
> *Apr 7 07:22:37.876: Se0/2/0 AUTH: Timeout 3
> *Apr 7 07:22:47.892: Se0/2/0 AUTH: Timeout 4
> *Apr 7 07:22:57.908: Se0/2/0 AUTH: Timeout 5
> *Apr 7 07:23:07.924: Se0/2/0 AUTH: Timeout 6
> *Apr 7 07:23:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
> *Apr 7 07:23:17.940: Se0/2/0 AUTH: Timeout 7
> *Apr 7 07:23:27.955: Se0/2/0 AUTH: Timeout 8
> *Apr 7 07:23:37.971: Se0/2/0 AUTH: Timeout 9
> *Apr 7 07:23:47.987: Se0/2/0 AUTH: Timeout 10
> *Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
> *Apr 7 07:23:58.003: Se0/2/0 PPP: Sending Acct Event[Down] id[1E6]
> *Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
>
>
>
> On Fri, May 7, 2010 at 10:16 AM, Joe Astorino <jastorino@ipexpert.com<http://mc/compose?to=jastorino@ipexpert.com>>
> wrote:
> > Check out this section from RFC 3078:
> >
> > 7.2. Stateful Mode Key Changes
> >
> > If stateful encryption has been negotiated, the sender MUST change
> > its key before encrypting and transmitting any packet in which the
> > low order octet of the coherency count equals 0xFF (the "flag"
> > packet), and the receiver MUST change its key after receiving, but
> > before decrypting, a "flag" packet (see "Synchronization", below).
> >
> >
> > Section 3
> >
> > MPPE MAY be used over a reliable link, as described in "PPP
> > Reliable Transmission" [6], but this typically just adds unnecessary
> > overhead since only the coherency count is required.
> >
> > Why it is NOT working for you is anybody's guess.
> >
> >
> >
> >
> > On Fri, May 7, 2010 at 6:46 AM, Abiola Jewoola <biola_y2k@yahoo.com<http://mc/compose?to=biola_y2k@yahoo.com>>
> wrote:
> >> Hi Guys,
> >> Can someone please explain the following
> >>
> >> 1. some of the options in using the "ppp mppe encrypt" command such as
> >> stateful,required and passive
> >>
> >> 2.Also how can i use this feature withe ppp reliable link.
> >>
> >> 3. Am presently doing a demo on Gns3. I have two point to point links
> set up
> >> using PPP Chap authentication. I enable MPPE encrypt auto on both sides
> of the
> >> link. Then enabled PPP reliable link on both sides. Everything looks
> fine
> >> initailly . But after a while the line protocol went down.
> >>
> >> When i removed the ppp reliable link on one of the links the line
> protocol
> >> came up. I dont understand why??
> >>
> >> Can someone pls explain??
> >>
> >> Regards,
> >> Abiola
> >>
> >> --- On Thu, 5/6/10, Nathan Richie <nathanr@boice.net<http://mc/compose?to=nathanr@boice.net>>
> wrote:
> >>
> >> From: Nathan Richie <nathanr@boice.net<http://mc/compose?to=nathanr@boice.net>
> >
> >> Subject: RE: MPPE - (Microsoft PPP Encryption) - anyone know how to
> implement
> >> this on a serial link?
> >> To: "Beefmo" <groupstudy@nyms.net<http://mc/compose?to=groupstudy@nyms.net>>,
> "ccielab@groupstudy.com <http://mc/compose?to=ccielab@groupstudy.com>"
> >> <ccielab@groupstudy.com <http://mc/compose?to=ccielab@groupstudy.com>>
> >> Date: Thursday, May 6, 2010, 5:42 AM
> >>
> >> Beefmo,
> >>
> >> You can run PPP mppe on serial interfaces. However, the trick to it is
> that
> >> you must use MS-chap authentication (makes sense since it was designed
> to
> >> terminate Microsoft VPN tunnels). Since this is encryption, I would
> recommend
> >> that you get your authentication working first on the PPP link and then
> enable
> >> mppe. Certain things have to match on both ends such as strength
> (options are
> >> 40 & 128) and whether encryption is required or not. Note that there
> are some
> >> options such as auto for the key strength that you can use as well. I
> would
> >> recommend that you look at the various settings for the command and then
> test
> >> them out in a lab so you understand what settings work and what settings
> do
> >> not work. The good news is that it is only 1 command :)
> >>
> >> HTH,
> >>
> >> Nathan
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com<http://mc/compose?to=nobody@groupstudy.com>[mailto:
> nobody@groupstudy.com <http://mc/compose?to=nobody@groupstudy.com>] On
> Behalf Of
> >> Beefmo
> >> Sent: Thursday, May 06, 2010 6:17 AM
> >> To: ccielab@groupstudy.com<http://mc/compose?to=ccielab@groupstudy.com>
> >> Subject: MPPE - (Microsoft PPP Encryption) - anyone know how to
> implement this
> >> on a serial link?
> >>
> >> Can anyone explain to me or point me to a link that shows how we'd
> implement
> >> MPPE? (haha, everyone's like "wtf is mppe?")
> >>
> >> What I do know is that it's Microsoft Point-to-Point Encryption and is
> >> supported by Cisco as a means of encrypting PPP or PPTP. This is where I
> get
> >> lost, is it just another authentication method negotiated at LCP? Or is
> it
> >> only valid inside a PPTP tunnel?
> >>
> >> What I can find of it on the Cisco site seems divided between using it
> with
> >> PPP and using it with PPTP. It seems to be more of a tech to use in a
> >> client/server VPN situation but I'd like to know how we can run it
> across a
> >> serial link between two Cisco devices. I guess my understanding of PPTP
> is
> >> lacking too. Any security guys help me out here?
> >> Thanks in advance!
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> > --
> > Regards,
> >
> >
> >
> > Joe Astorino - CCIE #24347
> > Sr. Technical Instructor - IPexpert
> > Mailto: jastorino@ipexpert.com<http://mc/compose?to=jastorino@ipexpert.com>
> > Telephone: +1.810.326.1444
> > Live Assistance, Please visit: www.ipexpert.com/chat
> > eFax: +1.810.454.0130
> >
> > IPexpert is a premier provider of Self-Study Workbooks, Video on
> > Demand, Audio Tools, Online Hardware Rental and Classroom Training for
> > the Cisco CCIE (R&S, Voice, Security & Service Provider)
> > certification(s) with training locations throughout the United States,
> > Europe, South Asia and Australia. Be sure to visit our online
> > communities at www.ipexpert.com/communities and our public website at
> > www.ipexpert.com
> >
>
>
>
> --
> Regards,
>
>
>
> Joe Astorino - CCIE #24347
> Sr. Technical Instructor - IPexpert
> Mailto: jastorino@ipexpert.com<http://mc/compose?to=jastorino@ipexpert.com>
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on
> Demand, Audio Tools, Online Hardware Rental and Classroom Training for
> the Cisco CCIE (R&S, Voice, Security & Service Provider)
> certification(s) with training locations throughout the United States,
> Europe, South Asia and Australia. Be sure to visit our online
> communities at www.ipexpert.com/communities and our public website at
> www.ipexpert.com
>
>
>

-- 
Regards,
Joe Astorino - CCIE #24347
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
Blogs and organic groups at http://www.ccie.net

Received on Fri May 07 2010 - 11:27:53 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART