Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link

From: Joe Astorino <jastorino_at_ipexpert.com>
Date: Sat, 8 May 2010 22:07:55 +0000

Get rid of the MPPE and get MS-CHAP working by itself first. Make sure you have usernames/passwords set properly and that you are sending the right credentials.

Have a look at debug ppp auth and debug ppp neg and get the line up with auth first...once you get that then add on mppe encryption.

Sent from my Verizon Wireless BlackBerry

Regards,

 Joe Astorino - CCIE #24347
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
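As an added illustration (my own code, not from anyone in this thread or from Cisco), the Python script below parses `debug ppp negotiation` output of the kind quoted further down in the thread: it decodes the LCP option hex dumps IOS prints in parentheses (Authentication-Protocol, Magic-Number and the Numbered-Mode option that `ppp reliable-link` negotiates), tracks which options were CONFACKed, and reports whether LCP opened, which authentication protocol the peer demanded, and whether authentication completed or only produced AUTH timeouts before the phase went to TERMINATING. The sample log is an abridged copy of the thread's own debug excerpt reflowed to one event per line; the function and field names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# LCP option type codes (RFC 1661; 11 = Numbered-Mode, RFC 1663, which is what
# "ppp reliable-link" negotiates) and the PPP authentication protocol numbers.
LCP_OPTION_NAMES = {3: "Authentication-Protocol", 5: "Magic-Number", 11: "Numbered-Mode"}
AUTH_PROTO_NAMES = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
CHAP_ALG_NAMES = {0x05: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAP-V2"}

LINE_RE = re.compile(r"^\*?\w{3}\s+\d+\s+[\d:.]+:\s+(?P<intf>\S+)\s+(?P<cat>LCP|PPP|AUTH):\s+(?P<msg>.*)$")
PACKET_RE = re.compile(r"^[IO]\s+(?P<kind>CONF(?:REQ|ACK|NAK|REJ))\b")
OPTION_RE = re.compile(r"\((0x[0-9A-Fa-f]+)\)\s*$")


def decode_lcp_option(hex_dump: str):
    """Decode one LCP option as IOS prints it, e.g. (0x0305C22380) -> type 3, len 5, CHAP / MS-CHAP."""
    raw = bytes.fromhex(hex_dump[2:] if hex_dump.lower().startswith("0x") else hex_dump)
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError(f"malformed LCP option dump {hex_dump}")
    opt_type, body = raw[0], raw[2:]
    name = LCP_OPTION_NAMES.get(opt_type, f"option-{opt_type}")
    if opt_type == 3:
        proto = int.from_bytes(body[:2], "big")
        desc = AUTH_PROTO_NAMES.get(proto, f"0x{proto:04X}")
        if proto == 0xC223 and len(body) >= 3:  # CHAP carries an algorithm byte (0x80 = MS-CHAP)
            desc += " / " + CHAP_ALG_NAMES.get(body[2], f"alg-0x{body[2]:02X}")
        return name, desc
    if opt_type == 5:
        return name, "0x" + body.hex().upper()
    if opt_type == 11:
        return name, f"window {body[0]} addr {body[1]}"
    return name, body.hex()


@dataclass
class PppSession:
    interface: str = ""
    lcp_open: bool = False
    auth_phase: bool = False
    auth_timeouts: int = 0
    terminated: bool = False
    acked_options: dict = field(default_factory=dict)  # option name -> value seen in a CONFACK

    @property
    def auth_proto(self):
        return self.acked_options.get("Authentication-Protocol")

    @property
    def reliable_link(self):
        return "Numbered-Mode" in self.acked_options

    def diagnosis(self):
        if not self.lcp_open:
            return "LCP never reached Open; check encapsulation and LCP options"
        if self.auth_phase and self.auth_timeouts and self.terminated:
            return (f"LCP opened with {', '.join(self.acked_options)} but authentication "
                    f"({self.auth_proto}) never completed: {self.auth_timeouts} AUTH timeouts, then TERMINATING")
        return "no failure pattern recognised"


def analyse_debug(text: str) -> PppSession:
    """Walk 'debug ppp negotiation' output and summarise LCP/auth state for the interface."""
    session, in_confack = PppSession(), False
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # %LINK/%LINEPROTO syslog lines and wrapped text are not events we track
        session.interface = session.interface or m["intf"]
        cat, msg = m["cat"], m["msg"].strip()
        if cat == "LCP":
            pkt = PACKET_RE.match(msg)
            if pkt:
                in_confack = pkt["kind"] == "CONFACK"  # following option lines belong to this packet
            elif msg == "State is Open":
                session.lcp_open = True
            elif in_confack and (opt := OPTION_RE.search(msg)):
                name, value = decode_lcp_option(opt.group(1))
                session.acked_options[name] = value
        elif cat == "PPP":
            session.auth_phase |= msg.startswith("Phase is AUTHENTICATING")
            session.terminated |= msg.startswith("Phase is TERMINATING")
        elif cat == "AUTH" and msg.startswith("Timeout"):
            session.auth_timeouts = max(session.auth_timeouts, int(msg.split()[1]))
    return session


# Abridged from the debug excerpt quoted later in this thread, reflowed to one event per line.
SAMPLE_DEBUG = """\
*Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
*Apr 7 07:22:07.832: Se0/2/0 LCP:    AuthProto MS-CHAP (0x0305C22380)
*Apr 7 07:22:07.832: Se0/2/0 LCP:    MagicNumber 0x1BF39EAE (0x05061BF39EAE)
*Apr 7 07:22:07.832: Se0/2/0 LCP:    ReliableLink window 7 addr 1 (0x0B040701)
*Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFACK [REQsent] id 24 len 19
*Apr 7 07:22:07.836: Se0/2/0 LCP:    AuthProto MS-CHAP (0x0305C22380)
*Apr 7 07:22:07.836: Se0/2/0 LCP:    ReliableLink window 7 addr 1 (0x0B040701)
*Apr 7 07:22:07.836: Se0/2/0 LCP: I CONFACK [ACKsent] id 5 len 14
*Apr 7 07:22:07.836: Se0/2/0 LCP:    ReliableLink window 7 addr 3 (0x0B040703)
*Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
*Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
*Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
*Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
*Apr 7 07:23:47.987: Se0/2/0 AUTH: Timeout 10
*Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
*Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
"""

if __name__ == "__main__":
    print(analyse_debug(SAMPLE_DEBUG).diagnosis())
```

Run against the excerpt it reports that LCP opened with both Authentication-Protocol (CHAP / MS-CHAP) and Numbered-Mode acknowledged, then counted eleven AUTH timeouts and a TERMINATING phase with no authentication success in between, which is the pattern the thread is debating. Decoding the option bytes rather than trusting the printed label is the useful habit: the hex tells you the exact algorithm byte (0x80 here), which matters because MS-CHAP and MS-CHAP-V2 print almost identically but differ in what MPPE key derivation they support.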

-----Original Message-----
From: Abiola Jewoola <biola_y2k_at_yahoo.com>
Date: Sat, 8 May 2010 13:58:19
To: Roy Waterman<roy.waterman_at_gmail.com>; Joe Astorino<jastorino_at_ipexpert.com>
Cc: Beefmo<groupstudy_at_nyms.net>; ccielab_at_groupstudy.com<ccielab_at_groupstudy.com>; Nathan Richie<nathanr_at_boice.net>
Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link

Hi Guys

I tried it with the Authentication ms-chap

But the interface keeps bouncing from up state to down.

see my configs

interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 clock rate 20000
 ppp encrypt mppe auto
 ppp authentication ms-chap
end

I can't ping end to end.

--- On Fri, 5/7/10, Joe Astorino <jastorino_at_ipexpert.com> wrote:

From: Joe Astorino <jastorino_at_ipexpert.com>
Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link
To: "Roy Waterman" <roy.waterman_at_gmail.com>
Cc: "Abiola Jewoola" <biola_y2k_at_yahoo.com>, "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>, "Nathan Richie" <nathanr_at_boice.net>
Date: Friday, May 7, 2010, 10:17 AM

Yep -- You can't run encryption (MPPE) without MS-CHAP...

On Fri, May 7, 2010 at 12:25 PM, Roy Waterman <roy.waterman_at_gmail.com> wrote:
> Hi Abiola
>
> The problem here (if nothing else) is that you are using the wrong
> authentication type.
> You need to use: ppp authentication ms-chap.
>
> This is a requirement for ppp encrypt mppe, and is mentioned as such in the
> usage guidelines in the command ref:
>
> http://www.cisco.com/en/US/docs/ios/dial/command/reference/dia_p1.html#wp1014364
>
> On 7 May 2010 17:07, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
>>
>> R1
>>
>>
>> interface Serial0/0
>> ip address 10.1.1.1 255.255.255.0
>> encapsulation ppp
>> clock rate 2000000
>> ppp reliable-link
>> ppp encrypt mppe auto
>> ppp authentication chap
>> ppp chap hostname R1
>>
>>
>> R2
>> interface Serial0/0
>> ip address 10.1.1.2 255.255.255.0
>> encapsulation ppp
>> clock rate 2000000
>> ppp reliable-link
>> ppp encrypt mppe auto
>> ppp authentication chap
>> ppp chap hostname R2
>>
>>
>> --- On Fri, 5/7/10, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>> From: Joe Astorino <jastorino_at_ipexpert.com>
>> Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link
>> To: "Abiola Jewoola" <biola_y2k_at_yahoo.com>
>> Cc: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
>> <ccielab_at_groupstudy.com>, "Nathan Richie" <nathanr_at_boice.net>
>> Date: Friday, May 7, 2010, 7:49 AM
>>
>> I have tested ppp reliable-link with PAP, CHAP, EAP, MS-CHAP, and
>> MS-CHAP-v2. As usual, it appears the only thing broken is the one
>> coming from MS : ) lol ... I believe this to be your problem -- It
>> has nothing to do with MPPE it has to do with the fact that the
>> authentication using MS-CHAP + ppp reliable-link appears to not work
>> at all (running 12.4.24T1)
>>
>> On Fri, May 7, 2010 at 10:35 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>> > Following up -- I don't believe this is an issue with MPPE. I believe
>> > the issue you are seeing is a problem with PPP reliable-link working
>> > with MS-CHAP. Even after removing the encryption portion, ppp
>> > reliable-link will not work in conjunction with MS-CHAP, at least in
>> > my lab testing.
>> >
>> > See the debug ppp negotiation below. The debug is the same with or
>> > without MPPE configured. In either case, authentication does not
>> > happen and after 10 timeouts line protocol will go down. Without
>> > reliable link it authenticates immediately.
>> > If anybody else out there has another explanation for this behavior
>> > I'd sure be interested!
>> >
>> > *Apr 7 07:22:07.832: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state to up
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP LCP: Missed a Link-Up transition, starting PPP
>> > *Apr 7 07:22:07.832: Se0/2/0 PPP: Using default call direction
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Treating connection as a dedicated line
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Session handle[10000129] Session id[486]
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Phase is ESTABLISHING, Active Open
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFREQ [Closed] id 5 len 14
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFACK [REQsent] id 24 len 19
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: I CONFACK [ACKsent] id 5 len 14
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
>> > *Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
>> > *Apr 7 07:22:13.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:22:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
>> > *Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
>> > *Apr 7 07:22:36.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/2/0, changed state to up
>> > *Apr 7 07:22:37.876: Se0/2/0 AUTH: Timeout 3
>> > *Apr 7 07:22:47.892: Se0/2/0 AUTH: Timeout 4
>> > *Apr 7 07:22:57.908: Se0/2/0 AUTH: Timeout 5
>> > *Apr 7 07:23:07.924: Se0/2/0 AUTH: Timeout 6
>> > *Apr 7 07:23:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:23:17.940: Se0/2/0 AUTH: Timeout 7
>> > *Apr 7 07:23:27.955: Se0/2/0 AUTH: Timeout 8
>> > *Apr 7 07:23:37.971: Se0/2/0 AUTH: Timeout 9
>> > *Apr 7 07:23:47.987: Se0/2/0 AUTH: Timeout 10
>> > *Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
>> > *Apr 7 07:23:58.003: Se0/2/0 PPP: Sending Acct Event[Down] id[1E6]
>> > *Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
>> >
>> >
>> >
>> > On Fri, May 7, 2010 at 10:16 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>> >> Check out this section from RFC 3078:
>> >>
>> >> 7.2. Stateful Mode Key Changes
>> >>
>> >> If stateful encryption has been negotiated, the sender MUST change
>> >> its key before encrypting and transmitting any packet in which the
>> >> low order octet of the coherency count equals 0xFF (the "flag"
>> >> packet), and the receiver MUST change its key after receiving, but
>> >> before decrypting, a "flag" packet (see "Synchronization", below).
>> >>
>> >>
>> >> Section 3
>> >>
>> >> MPPE MAY be used over a reliable link, as described in "PPP
>> >> Reliable Transmission" [6], but this typically just adds unnecessary
>> >> overhead since only the coherency count is required.
>> >>
>> >> Why it is NOT working for you is anybody's guess.
>> >>
>> >>
>> >>
>> >>
>> >> On Fri, May 7, 2010 at 6:46 AM, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
>> >>> Hi Guys,
>> >>> Can someone please explain the following:
>> >>>
>> >>> 1. Some of the options in using the "ppp mppe encrypt" command such as
>> >>> stateful, required and passive.
>> >>>
>> >>> 2. Also, how can I use this feature with ppp reliable link?
>> >>>
>> >>> 3. I am presently doing a demo on GNS3. I have two point-to-point links
>> >>> set up using PPP CHAP authentication. I enabled MPPE encrypt auto on both
>> >>> sides of the link. Then enabled PPP reliable link on both sides. Everything
>> >>> looked fine initially, but after a while the line protocol went down.
>> >>>
>> >>> When I removed the ppp reliable link on one of the links the line
>> >>> protocol came up. I don't understand why??
>> >>>
>> >>> Can someone pls explain??
>> >>>
>> >>> Regards,
>> >>> Abiola
>> >>>
>> >>> --- On Thu, 5/6/10, Nathan Richie <nathanr_at_boice.net> wrote:
>> >>>
>> >>> From: Nathan Richie <nathanr_at_boice.net>
>> >>> Subject: RE: MPPE - (Microsoft PPP Encryption) - anyone know how to implement
>> >>> this on a serial link?
>> >>> To: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
>> >>> <ccielab_at_groupstudy.com>
>> >>> Date: Thursday, May 6, 2010, 5:42 AM
>> >>>
>> >>> Beefmo,
>> >>>
>> >>> You can run PPP mppe on serial interfaces. However, the trick to it is that
>> >>> you must use MS-chap authentication (makes sense since it was designed to
>> >>> terminate Microsoft VPN tunnels). Since this is encryption, I would recommend
>> >>> that you get your authentication working first on the PPP link and then enable
>> >>> mppe. Certain things have to match on both ends such as strength (options are
>> >>> 40 & 128) and whether encryption is required or not. Note that there are some
>> >>> options such as auto for the key strength that you can use as well. I would
>> >>> recommend that you look at the various settings for the command and then test
>> >>> them out in a lab so you understand what settings work and what settings do
>> >>> not work. The good news is that it is only 1 command :)
>> >>>
>> >>> HTH,
>> >>>
>> >>> Nathan
>> >>>
>> >>> -----Original Message-----
>> >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> >>> Beefmo
>> >>> Sent: Thursday, May 06, 2010 6:17 AM
>> >>> To: ccielab_at_groupstudy.com
>> >>> Subject: MPPE - (Microsoft PPP Encryption) - anyone know how to implement this
>> >>> on a serial link?
>> >>>
>> >>> Can anyone explain to me or point me to a link that shows how we'd implement
>> >>> MPPE? (haha, everyone's like "wtf is mppe?")
>> >>>
>> >>> What I do know is that it's Microsoft Point-to-Point Encryption and is
>> >>> supported by Cisco as a means of encrypting PPP or PPTP. This is where I get
>> >>> lost: is it just another authentication method negotiated at LCP? Or is it
>> >>> only valid inside a PPTP tunnel?
>> >>>
>> >>> What I can find of it on the Cisco site seems divided between using it with
>> >>> PPP and using it with PPTP. It seems to be more of a tech to use in a
>> >>> client/server VPN situation but I'd like to know how we can run it across a
>> >>> serial link between two Cisco devices. I guess my understanding of PPTP is
>> >>> lacking too. Any security guys help me out here?
>> >>> Thanks in advance!
>> >>>
>> >>>
>> >>> Blogs and organic groups at http://www.ccie.net
>> >>>
>> >>>
>> >>>_______________________________________________________________________
>> >>> Subscription information may be found at:
>> >>> http://www.groupstudy.com/list/CCIELab.html
>
>
>
> --
> Regards
> Roy
>

Received on Sat May 08 2010 - 22:07:55 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART