Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link

From: Roy Waterman <roy.waterman_at_gmail.com>
Date: Fri, 7 May 2010 17:25:35 +0100

Hi Abiola

The problem here (if nothing else) is that you are using the wrong
authentication type.
You need to use: ppp authentication ms-chap.

This is a requirement for ppp encrypt mppe, and is mentioned as such in the
usage guidelines in the command ref:

http://www.cisco.com/en/US/docs/ios/dial/command/reference/dia_p1.html#wp1014364

On 7 May 2010 17:07, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:

> R1
>
>
> interface Serial0/0
> ip address 10.1.1.1 255.255.255.0
> encapsulation ppp
> clock rate 2000000
> ppp reliable-link
> ppp encrypt mppe auto
> ppp authentication chap
> ppp chap hostname R1
>
>
> R2
> interface Serial0/0
> ip address 10.1.1.2 255.255.255.0
> encapsulation ppp
> clock rate 2000000
> ppp reliable-link
> ppp encrypt mppe auto
> ppp authentication chap
> ppp chap hostname R2
>
>
> --- On Fri, 5/7/10, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>
> From: Joe Astorino <jastorino_at_ipexpert.com>
> Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link
> To: "Abiola Jewoola" <biola_y2k_at_yahoo.com>
> Cc: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
> <ccielab_at_groupstudy.com>, "Nathan Richie" <nathanr_at_boice.net>
> Date: Friday, May 7, 2010, 7:49 AM
>
> I have tested ppp reliable-link with PAP, CHAP, EAP, MS-CHAP, and
> MS-CHAP-v2. As usual, it appears the only thing broken is the one
> coming from MS : ) lol ... I believe this to be your problem -- it
> has nothing to do with MPPE; it has to do with the fact that the
> authentication using MS-CHAP + ppp reliable-link appears to not work
> at all (running 12.4.24T1).
>
> On Fri, May 7, 2010 at 10:35 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> > Following up -- I don't believe this is an issue with MPPE. I believe
> > the issue you are seeing is a problem with PPP reliable-link working
> > with MS-CHAP. Even after removing the encryption portion, ppp
> > reliable-link will not work in conjunction with MS-CHAP, at least in
> > my lab testing.
> >
> > See the debug ppp negotiation below. The debug is the same with or
> > without MPPE configured. In either case, authentication does not
> > happen and after 10 timeouts line protocol will go down. Without
> > reliable link it authenticates immediately.
> > If anybody else out there has another explanation for this behavior
> > I'd sure be interested!
> >
> > *Apr 7 07:22:07.832: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state to up
> > *Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
> > *Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
> > *Apr 7 07:22:07.832: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
> > *Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
> > *Apr 7 07:22:07.832: Se0/2/0 LCP LCP: Missed a Link-Up transition, starting PPP
> > *Apr 7 07:22:07.832: Se0/2/0 PPP: Using default call direction
> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Treating connection as a dedicated line
> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Session handle[10000129] Session id[486]
> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Phase is ESTABLISHING, Active Open
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFREQ [Closed] id 5 len 14
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFACK [REQsent] id 24 len 19
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: I CONFACK [ACKsent] id 5 len 14
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
> > *Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
> > *Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
> > *Apr 7 07:22:13.488: Se0/2/0 PPP: Outbound cdp packet dropped
> > *Apr 7 07:22:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
> > *Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
> > *Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
> > *Apr 7 07:22:36.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/2/0, changed state to up
> > *Apr 7 07:22:37.876: Se0/2/0 AUTH: Timeout 3
> > *Apr 7 07:22:47.892: Se0/2/0 AUTH: Timeout 4
> > *Apr 7 07:22:57.908: Se0/2/0 AUTH: Timeout 5
> > *Apr 7 07:23:07.924: Se0/2/0 AUTH: Timeout 6
> > *Apr 7 07:23:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
> > *Apr 7 07:23:17.940: Se0/2/0 AUTH: Timeout 7
> > *Apr 7 07:23:27.955: Se0/2/0 AUTH: Timeout 8
> > *Apr 7 07:23:37.971: Se0/2/0 AUTH: Timeout 9
> > *Apr 7 07:23:47.987: Se0/2/0 AUTH: Timeout 10
> > *Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
> > *Apr 7 07:23:58.003: Se0/2/0 PPP: Sending Acct Event[Down] id[1E6]
> > *Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
> >
> >
> >
> > On Fri, May 7, 2010 at 10:16 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> >> Check out this section from RFC 3078:
> >>
> >> 7.2. Stateful Mode Key Changes
> >>
> >> If stateful encryption has been negotiated, the sender MUST change
> >> its key before encrypting and transmitting any packet in which the
> >> low order octet of the coherency count equals 0xFF (the "flag"
> >> packet), and the receiver MUST change its key after receiving, but
> >> before decrypting, a "flag" packet (see "Synchronization", below).
> >>
> >>
> >> Section 3
> >>
> >> MPPE MAY be used over a reliable link, as described in "PPP
> >> Reliable Transmission" [6], but this typically just adds unnecessary
> >> overhead since only the coherency count is required.
> >>
> >> Why it is NOT working for you is anybody's guess.
> >>
> >>
> >>
> >>
> >> On Fri, May 7, 2010 at 6:46 AM, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
> >>> Hi Guys,
> >>> Can someone please explain the following
> >>>
> >>> 1. some of the options in using the "ppp mppe encrypt" command such as
> >>> stateful, required and passive
> >>>
> >>> 2. Also how can I use this feature with the ppp reliable link.
> >>>
> >>> 3. I am presently doing a demo on GNS3. I have two point-to-point links set up
> >>> using PPP CHAP authentication. I enable MPPE encrypt auto on both sides of the
> >>> link. Then enabled PPP reliable link on both sides. Everything looks fine
> >>> initially. But after a while the line protocol went down.
> >>>
> >>> When I removed the ppp reliable link on one of the links the line protocol
> >>> came up. I don't understand why??
> >>>
> >>> Can someone pls explain??
> >>>
> >>> Regards,
> >>> Abiola
> >>>
> >>> --- On Thu, 5/6/10, Nathan Richie <nathanr_at_boice.net> wrote:
> >>>
> >>> From: Nathan Richie <nathanr_at_boice.net>
> >>> Subject: RE: MPPE - (Microsoft PPP Encryption) - anyone know how to implement
> >>> this on a serial link?
> >>> To: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
> >>> <ccielab_at_groupstudy.com>
> >>> Date: Thursday, May 6, 2010, 5:42 AM
> >>>
> >>> Beefmo,
> >>>
> >>> You can run PPP mppe on serial interfaces. However, the trick to it is that
> >>> you must use MS-chap authentication (makes sense since it was designed to
> >>> terminate Microsoft VPN tunnels). Since this is encryption, I would recommend
> >>> that you get your authentication working first on the PPP link and then enable
> >>> mppe. Certain things have to match on both ends such as strength (options are
> >>> 40 & 128) and whether encryption is required or not. Note that there are some
> >>> options such as auto for the key strength that you can use as well. I would
> >>> recommend that you look at the various settings for the command and then test
> >>> them out in a lab so you understand what settings work and what settings do
> >>> not work. The good news is that it is only 1 command :)
> >>>
> >>> HTH,
> >>>
> >>> Nathan
> >>>
> >>> -----Original Message-----
> >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >>> Beefmo
> >>> Sent: Thursday, May 06, 2010 6:17 AM
> >>> To: ccielab_at_groupstudy.com
> >>> Subject: MPPE - (Microsoft PPP Encryption) - anyone know how to implement this
> >>> on a serial link?
> >>>
> >>> Can anyone explain to me or point me to a link that shows how we'd implement
> >>> MPPE? (haha, everyone's like "wtf is mppe?")
> >>>
> >>> What I do know is that it's Microsoft Point-to-Point Encryption and is
> >>> supported by Cisco as a means of encrypting PPP or PPTP. This is where I get
> >>> lost, is it just another authentication method negotiated at LCP? Or is it
> >>> only valid inside a PPTP tunnel?
> >>>
> >>> What I can find of it on the Cisco site seems divided between using it with
> >>> PPP and using it with PPTP. It seems to be more of a tech to use in a
> >>> client/server VPN situation but I'd like to know how we can run it across a
> >>> serial link between two Cisco devices. I guess my understanding of PPTP is
> >>> lacking too. Any security guys help me out here?
> >>> Thanks in advance!
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
> >>
> >>
> >> --
> >> Regards,
> >>
> >>
> >>
> >> Joe Astorino - CCIE #24347
> >> Sr. Technical Instructor - IPexpert
> >> Mailto: jastorino_at_ipexpert.com
> >> Telephone: +1.810.326.1444
> >> Live Assistance, Please visit: www.ipexpert.com/chat
> >> eFax: +1.810.454.0130
> >>
> >> IPexpert is a premier provider of Self-Study Workbooks, Video on
> >> Demand, Audio Tools, Online Hardware Rental and Classroom Training for
> >> the Cisco CCIE (R&S, Voice, Security & Service Provider)
> >> certification(s) with training locations throughout the United States,
> >> Europe, South Asia and Australia. Be sure to visit our online
> >> communities at www.ipexpert.com/communities and our public website at
> >> www.ipexpert.com
> >>
> >
>

-- 
Regards
Roy
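The debug ppp negotiation output Joe quotes above has a recognisable shape: the link enters AUTHENTICATING, AUTH: Timeout counts up, and the session ends in TERMINATING without ever logging Phase is UP. The following Python is an added example (not code from the thread, from IOS or from Cisco) that picks that pattern out of debug text; the stalled sample is condensed from the quoted lines and the healthy counterpart is constructed.

```python
import re

# Constructed sample: condensed from the "debug ppp negotiation" output quoted
# in the thread (Se0/2/0, MS-CHAP + ppp reliable-link), not a new capture.
STALLED_DEBUG = """\
*Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
*Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
*Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
*Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
*Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
*Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
*Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
*Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
"""

# Constructed healthy counterpart: the peer answers and PPP reaches UP.
HEALTHY_DEBUG = """\
*Apr 7 08:00:00.000: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
*Apr 7 08:00:00.000: Se0/2/0 LCP: State is Open
*Apr 7 08:00:00.004: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
*Apr 7 08:00:00.020: Se0/2/0 PPP: Phase is UP
"""

AUTH_RE = re.compile(r"LCP: AuthProto (\S+)")
PHASE_RE = re.compile(r"PPP: Phase is ([A-Z]+)")
TIMEOUT_RE = re.compile(r"AUTH: Timeout (\d+)")

def analyze_ppp_debug(text):
    protos, phases, timeouts, reliable = set(), [], 0, False
    for line in text.splitlines():
        if m := AUTH_RE.search(line):
            protos.add(m.group(1))
        if "ReliableLink window" in line:      # LCP option 0x0B was negotiated
            reliable = True
        if m := PHASE_RE.search(line):
            phases.append(m.group(1))
        if m := TIMEOUT_RE.search(line):
            timeouts = max(timeouts, int(m.group(1)))
    # A stall: entered AUTHENTICATING, never reached UP, retry timer fired.
    stalled = "AUTHENTICATING" in phases and "UP" not in phases and timeouts > 0
    return {
        "auth_protocols": sorted(protos),
        "reliable_link": reliable,
        "auth_timeouts": timeouts,
        "final_phase": phases[-1] if phases else None,
        "auth_stalled": stalled,
        "suspect_mschap_reliable": stalled and reliable and "MS-CHAP" in protos,
    }
```

The last key flags only the specific combination the thread reports failing on 12.4(24)T1; a stall with a different AuthProto or without ReliableLink still sets auth_stalled and should be investigated on its own.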
Received on Fri May 07 2010 - 17:25:35 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART