Hi Guys
I tried it with ms-chap authentication.
But the interface keeps bouncing from up state to down.
See my configs:
interface Serial0/0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
clock rate 20000
ppp encrypt mppe auto
ppp authentication ms-chap
end
I can't ping end to end.
--- On Fri, 5/7/10, Joe Astorino <jastorino_at_ipexpert.com> wrote:
From: Joe Astorino <jastorino_at_ipexpert.com>
Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link
To: "Roy Waterman" <roy.waterman_at_gmail.com>
Cc: "Abiola Jewoola" <biola_y2k_at_yahoo.com>, "Beefmo" <groupstudy_at_nyms.net>,
"ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>, "Nathan Richie"
<nathanr_at_boice.net>
Date: Friday, May 7, 2010, 10:17 AM
Yep -- You can't run encryption (MPPE) without MS-CHAP...
On Fri, May 7, 2010 at 12:25 PM, Roy Waterman <roy.waterman_at_gmail.com> wrote:
> Hi Abiola
>
> The problem here (if nothing else) is that you are using the wrong
> authentication type.
> You need to use: ppp authentication ms-chap.
>
> This is a requirement for ppp encrypt mppe, and is mentioned as such in the
> usage guidelines in the command ref:
>
>
> http://www.cisco.com/en/US/docs/ios/dial/command/reference/dia_p1.html#wp1014364
>
> On 7 May 2010 17:07, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
>>
>> R1
>>
>>
>> interface Serial0/0
>> ip address 10.1.1.1 255.255.255.0
>> encapsulation ppp
>> clock rate 2000000
>> ppp reliable-link
>> ppp encrypt mppe auto
>> ppp authentication chap
>> ppp chap hostname R1
>>
>>
>> R2
>> interface Serial0/0
>> ip address 10.1.1.2 255.255.255.0
>> encapsulation ppp
>> clock rate 2000000
>> ppp reliable-link
>> ppp encrypt mppe auto
>> ppp authentication chap
>> ppp chap hostname R2
>>
>>
>> --- On Fri, 5/7/10, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>> From: Joe Astorino <jastorino_at_ipexpert.com>
>> Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link
>> To: "Abiola Jewoola" <biola_y2k_at_yahoo.com>
>> Cc: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
>> <ccielab_at_groupstudy.com>, "Nathan Richie" <nathanr_at_boice.net>
>> Date: Friday, May 7, 2010, 7:49 AM
>>
>> I have tested ppp reliable-link with PAP, CHAP, EAP, MS-CHAP, and
>> MS-CHAP-v2. As usual, it appears the only thing broken is the one
>> coming from MS : ) lol ... I believe this to be your problem -- It
>> has nothing to do with MPPE it has to do with the fact that the
>> authentication using MS-CHAP + ppp reliable-link appears to not work
>> at all (running 12.4.24T1)
>>
>> On Fri, May 7, 2010 at 10:35 AM, Joe Astorino <jastorino_at_ipexpert.com>
>> wrote:
>> > Following up -- I don't believe this is an issue with MPPE. I believe
>> > the issue you are seeing is a problem with PPP reliable-link working
>> > with MS-CHAP. Even after removing the encryption portion, ppp
>> > reliable-link will not work in conjunction with MS-CHAP, at least in
>> > my lab testing.
>> >
>> > See the debug ppp negotiation below. The debug is the same with or
>> > without MPPE configured. In either case, authentication does not
>> > happen and after 10 timeouts line protocol will go down. Without
>> > reliable link it authenticates immediately.
>> > If anybody else out there has another explanation for this behavior
>> > I'd sure be interested!
>> >
>> > *Apr 7 07:22:07.832: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state to up
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP LCP: Missed a Link-Up transition, starting PPP
>> > *Apr 7 07:22:07.832: Se0/2/0 PPP: Using default call direction
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Treating connection as a dedicated line
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Session handle[10000129] Session id[486]
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Phase is ESTABLISHING, Active Open
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFREQ [Closed] id 5 len 14
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFACK [REQsent] id 24 len 19
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: I CONFACK [ACKsent] id 5 len 14
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
>> > *Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
>> > *Apr 7 07:22:13.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:22:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
>> > *Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
>> > *Apr 7 07:22:36.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/2/0, changed state to up
>> > *Apr 7 07:22:37.876: Se0/2/0 AUTH: Timeout 3
>> > *Apr 7 07:22:47.892: Se0/2/0 AUTH: Timeout 4
>> > *Apr 7 07:22:57.908: Se0/2/0 AUTH: Timeout 5
>> > *Apr 7 07:23:07.924: Se0/2/0 AUTH: Timeout 6
>> > *Apr 7 07:23:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:23:17.940: Se0/2/0 AUTH: Timeout 7
>> > *Apr 7 07:23:27.955: Se0/2/0 AUTH: Timeout 8
>> > *Apr 7 07:23:37.971: Se0/2/0 AUTH: Timeout 9
>> > *Apr 7 07:23:47.987: Se0/2/0 AUTH: Timeout 10
>> > *Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
>> > *Apr 7 07:23:58.003: Se0/2/0 PPP: Sending Acct Event[Down] id[1E6]
>> > *Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
>> >
>> >
>> >
>> > On Fri, May 7, 2010 at 10:16 AM, Joe Astorino <jastorino_at_ipexpert.com>
>> wrote:
>> >> Check out this section from RFC 3078:
>> >>
>> >> 7.2. Stateful Mode Key Changes
>> >>
>> >> If stateful encryption has been negotiated, the sender MUST change
>> >> its key before encrypting and transmitting any packet in which the
>> >> low order octet of the coherency count equals 0xFF (the "flag"
>> >> packet), and the receiver MUST change its key after receiving, but
>> >> before decrypting, a "flag" packet (see "Synchronization", below).
>> >>
>> >>
>> >> Section 3
>> >>
>> >> MPPE MAY be used over a reliable link, as described in "PPP
>> >> Reliable Transmission" [6], but this typically just adds unnecessary
>> >> overhead since only the coherency count is required.
>> >>
>> >> Why it is NOT working for you is anybody's guess.
>> >>
>> >>
>> >>
>> >>
>> >> On Fri, May 7, 2010 at 6:46 AM, Abiola Jewoola <biola_y2k_at_yahoo.com>
>> wrote:
>> >>> Hi Guys,
>> >>> Can someone please explain the following
>> >>>
>> >>> 1. Some of the options in using the "ppp mppe encrypt" command, such as
>> >>> stateful, required and passive.
>> >>>
>> >>> 2. Also, how can I use this feature with the ppp reliable link?
>> >>>
>> >>> 3. I'm presently doing a demo on GNS3. I have two point-to-point links set up
>> >>> using PPP CHAP authentication. I enabled MPPE encrypt auto on both sides of the
>> >>> link. Then I enabled PPP reliable link on both sides. Everything looks fine
>> >>> initially, but after a while the line protocol went down.
>> >>>
>> >>> When I removed the ppp reliable link on one of the links the line protocol
>> >>> came up. I don't understand why??
>> >>>
>> >>> Can someone pls explain??
>> >>>
>> >>> Regards,
>> >>> Abiola
>> >>>
>> >>> --- On Thu, 5/6/10, Nathan Richie <nathanr_at_boice.net> wrote:
>> >>>
>> >>> From: Nathan Richie <nathanr_at_boice.net>
>> >>> Subject: RE: MPPE - (Microsoft PPP Encryption) - anyone know how to implement
>> >>> this on a serial link?
>> >>> To: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
>> >>> <ccielab_at_groupstudy.com>
>> >>> Date: Thursday, May 6, 2010, 5:42 AM
>> >>>
>> >>> Beefmo,
>> >>>
>> >>> You can run PPP mppe on serial interfaces. However, the trick to it is that
>> >>> you must use MS-chap authentication (makes sense since it was designed to
>> >>> terminate Microsoft VPN tunnels). Since this is encryption, I would recommend
>> >>> that you get your authentication working first on the PPP link and then enable
>> >>> mppe. Certain things have to match on both ends such as strength (options are
>> >>> 40 & 128) and whether encryption is required or not. Note that there are some
>> >>> options such as auto for the key strength that you can use as well. I would
>> >>> recommend that you look at the various settings for the command and then test
>> >>> them out in a lab so you understand what settings work and what settings do
>> >>> not work. The good news is that it is only 1 command :)
>> >>>
>> >>> HTH,
>> >>>
>> >>> Nathan
>> >>>
>> >>> -----Original Message-----
>> >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Beefmo
>> >>> Sent: Thursday, May 06, 2010 6:17 AM
>> >>> To: ccielab_at_groupstudy.com
>> >>> Subject: MPPE - (Microsoft PPP Encryption) - anyone know how to implement
>> >>> this on a serial link?
>> >>>
>> >>> Can anyone explain to me or point me to a link that shows how we'd implement
>> >>> MPPE? (haha, everyone's like "wtf is mppe?")
>> >>>
>> >>> What I do know is that it's Microsoft Point-to-Point Encryption and is
>> >>> supported by Cisco as a means of encrypting PPP or PPTP. This is where I get
>> >>> lost: is it just another authentication method negotiated at LCP? Or is it
>> >>> only valid inside a PPTP tunnel?
>> >>>
>> >>> What I can find of it on the Cisco site seems divided between using it with
>> >>> PPP and using it with PPTP. It seems to be more of a tech to use in a
>> >>> client/server VPN situation, but I'd like to know how we can run it across a
>> >>> serial link between two Cisco devices. I guess my understanding of PPTP is
>> >>> lacking too. Any security guys help me out here?
>> >>> Thanks in advance!
>> >>>
>> >>>
>> >>> Blogs and organic groups at http://www.ccie.net
>> >>>
>> >>>
>> >>>
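Added illustration, not code from this thread, Cisco or any RFC: a small Python model of the stateful-mode behaviour Joe quotes from RFC 3078 section 7.2 (the 12-bit coherency count, the key change on the 0xFF "flag" packet, sender before encrypting and receiver before decrypting) together with the lost-packet detection and A-bit resynchronisation that section 7.3 of the same RFC describes, which is the reason the mode only works over in-order delivery. RC4 is MPPE's actual cipher; the `change_key` derivation is an assumed simplification modelled on RFC 3079, and the 16-byte start key is constructed here (a real MPPE session derives it from the MS-CHAP exchange, which is why MS-CHAP is mandatory).

```python
import hashlib
SHA_PAD1, SHA_PAD2 = bytes(40), bytes([0xF2] * 40)   # the two pads used by the RFC 3079 key change

class RC4:                                 # streaming RC4: in stateful MPPE the state carries across packets
    def __init__(self, key):
        self.S, self.i, self.j, j = list(range(256)), 0, 0, 0
        for i in range(256):
            j = (j + self.S[i] + key[i % len(key)]) & 0xFF
            self.S[i], self.S[j] = self.S[j], self.S[i]
    def crypt(self, data):
        out, S = bytearray(), self.S
        for b in data:
            self.i, self.j = (self.i + 1) & 0xFF, (self.j + S[(self.i + 1) & 0xFF]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(b ^ S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)

def change_key(start_key, session_key):    # assumed simplification of the RFC 3079 128-bit key change
    interim = hashlib.sha1(start_key + SHA_PAD1 + session_key + SHA_PAD2).digest()[:16]
    return RC4(interim).crypt(interim)     # interim key RC4-encrypted under itself becomes the new key

class MppeEndpoint:                        # one side of a stateful MPPE session (RFC 3078 section 7.2)
    def __init__(self, start_key):
        self.start = self.key = start_key; self.count, self.flush, self.rc4 = 0, False, RC4(start_key)
    def rekey(self):                       # next session key and fresh RC4 tables
        self.key = change_key(self.start, self.key); self.rc4 = RC4(self.key)
    def reset(self):                       # sender's answer to a CCP Reset-Request: fresh tables, A bit next
        self.rc4, self.flush = RC4(self.key), True
    def encrypt(self, plaintext):
        if self.count & 0xFF == 0xFF: self.rekey()   # flag packet: sender rekeys BEFORE encrypting it
        hdr = 0x1000 | self.count | (0x8000 if self.flush else 0)   # B (encrypted) bit, count, A bit
        self.flush, self.count = False, (self.count + 1) & 0xFFF
        return hdr.to_bytes(2, "big") + self.rc4.crypt(plaintext)
    def decrypt(self, packet):
        hdr = int.from_bytes(packet[:2], "big"); cc = hdr & 0xFFF
        if hdr & 0x8000:                   # A bit: catch up on missed flag packets, re-init tables
            for _ in range(((cc >> 8) - (self.count >> 8)) & 0xF): self.rekey()
            self.count, self.rc4 = cc, RC4(self.key)
        elif cc != self.count:             # lost/reordered packet: keystream out of step, resync needed
            raise ValueError(f"coherency count {cc}, expected {self.count}: send CCP Reset-Request")
        if cc & 0xFF == 0xFF: self.rekey()  # flag packet: receiver rekeys AFTER receiving, BEFORE decrypting
        self.count = (cc + 1) & 0xFFF
        return self.rc4.crypt(packet[2:])

def demo(n=300):                           # n round trips crossing the flag packet at 255, one loss, resync
    key = bytes(range(16))                 # constructed shared start key (real MPPE derives it from MS-CHAP)
    a, b = MppeEndpoint(key), MppeEndpoint(key); msgs = [b"packet %d" % i for i in range(n)]
    ok = [b.decrypt(a.encrypt(m)) for m in msgs] == msgs
    a.encrypt(b"lost in transit")          # never reaches b, so b's next coherency check fails
    try: b.decrypt(a.encrypt(b"next")); return ok, b"loss undetected"
    except ValueError: a.reset(); return ok, b.decrypt(a.encrypt(b"back in sync"))
```

Running `demo()` returns `(True, b"back in sync")`: every packet up to and across the flag packet decrypts, the dropped packet is caught by the coherency count rather than silently producing garbage, and the A-bit packet after the reset brings the receiver back onto the sender's key and table state.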
Received on Sat May 08 2010 - 13:58:19 ART