[pptp-server] Re: Hi, I'm in trouble with the same config as you

Gord Belsey gord at amador.ca
Fri Jan 14 10:02:15 CST 2000


Hi:

Here's my two cents regarding CHAP.

First, in the PPP options file, if you add "auth", you're telling THIS
device to authenticate any remote machines.  When you add "+chap" or
"+ms-chap-v2" or something similar, you're telling THIS device to send its
username/password to the other end for authentication.  If you add the same
option to the remote device, you're telling IT to authenticate anything
connecting to it.  The point is that CHAP is a two-way authentication when
both ends have it turned on (ie: each end authenticates the other end).

For this two way authentication to work, you need both devices and their
passwords in each chap-secrets file.

ie:
On device A, chap-secrets would be:
deviceA    *    passwordA    *
deviceB    *    passwordB    *

On device B, the chap-secrets file would be exactly the same.

Why?  Device A uses the device A entry to send its username and password
to device B.  Then it uses the Device B entry to authenticate what device B
sends it.  Device B does exactly the same thing.  A note about
username/password: it has to be exactly the same in each chap-secrets file
(ie: if you use fully qualified domain name in one you have to use it in the
other).  The point here is that the username sent for chap authentication
comes from the chap-secrets file as opposed to using the device's hostname.

As I mentioned, this assumes that you have "auth" in the options file at
both ends.  If you only have it for one end, the authentication occurs only
on that device.  You still need +chap or similar in the remote end's option
file, so it knows to send username/password for authentication.

As for the * in the above chap-secrets example:

The first is for "servername".  * means any server.  You can also put in a
specific server name, to tighten up security.  The second * is for IP
address.  Again, * means anything, but you can put in a specific IP address
to tighten things up.  This (I think) really only applies to the entry for
the remote end.

I hope this makes sense, and helps you understand how CHAP works a little
better.  Let me know if I wasn't clear in my description, and of course,
anyone is welcome to correct me if I'm mistaken :o)

Gord Belsey
Amador Business Computers, Inc.
Edmonton, AB, Canada
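The two-entry chap-secrets layout and the "*" wildcards described above can be checked mechanically. The script below is an added example written for this archive page; it is not code from the thread, from pppd or from PoPToP. The two sample secrets files, the device names deviceA/deviceB and the IP addresses are constructed for the example, and the lookup rule it uses (client field = the name being authenticated, server field = the peer's name, "*" matches anything) is an assumed simplification of pppd's own matching. It reports the mismatches Gord warns about (an entry missing on one side, a fully qualified name on one side only, differing secrets) and flags the entries that leave the server or address field wide open.

```python
"""Check that two chap-secrets files give two peers a working, mutual CHAP
setup.  All sample data below is constructed for this example."""
import shlex


def parse_chap_secrets(text):
    """Parse chap-secrets lines of the form: client  server  secret  [IP addresses...].
    '#' starts a comment; quoted fields are allowed (shlex handles them)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected client, server, secret")
        client, server, secret = fields[:3]
        addrs = fields[3:] or ["*"]  # no address field means unrestricted
        entries.append({"client": client, "server": server, "secret": secret,
                        "addrs": addrs, "line": lineno})
    return entries


def find_entry(entries, client, server):
    """First entry whose client/server fields match; '*' matches anything."""
    for e in entries:
        if e["client"] in (client, "*") and e["server"] in (server, "*"):
            return e
    return None


def check_mutual_chap(name_a, secrets_a, name_b, secrets_b):
    """Return a list of findings (empty list == both directions look consistent)."""
    findings = []
    for me, mine, peer, theirs in ((name_a, secrets_a, name_b, secrets_b),
                                   (name_b, secrets_b, name_a, secrets_a)):
        send = find_entry(mine, me, peer)      # what 'me' answers a challenge with
        verify = find_entry(theirs, me, peer)  # what 'peer' expects from 'me'
        if send is None:
            findings.append(f"{me}: no entry for own name {me!r}; "
                            f"cannot answer {peer}'s challenge")
        if verify is None:
            findings.append(f"{peer}: no entry for {me!r}; will reject {me}")
        if send and verify and send["secret"] != verify["secret"]:
            findings.append(f"secret for {me!r} differs between the two files")
        if verify is not None:
            # Wildcards on the entry used to verify the peer are the loose settings
            if verify["server"] == "*":
                findings.append(f"{peer}: entry for {me!r} accepts any server "
                                f"name (line {verify['line']})")
            if verify["addrs"] == ["*"]:
                findings.append(f"{peer}: entry for {me!r} accepts any IP "
                                f"address (line {verify['line']})")
    return findings


# Constructed sample: A's file is as in the mail; B's file uses an FQDN for A
SECRETS_A = """\
# client   server   secret      IP addresses
deviceA    *        passwordA   *
deviceB    *        passwordB   *
"""
SECRETS_B = """\
deviceA.example.com  *        passwordA   *          # name differs from A's file
deviceB              deviceA  passwordB   10.0.0.2
"""

# Constructed sample: identical, tightened files on both ends (no wildcards)
SECRETS_TIGHT = """\
deviceA    deviceB    passwordA    10.0.0.1
deviceB    deviceA    passwordB    10.0.0.2
"""


def loose_findings():
    return check_mutual_chap("deviceA", parse_chap_secrets(SECRETS_A),
                             "deviceB", parse_chap_secrets(SECRETS_B))


def tight_findings():
    tight = parse_chap_secrets(SECRETS_TIGHT)
    return check_mutual_chap("deviceA", tight, "deviceB", tight)


if __name__ == "__main__":
    for f in loose_findings():
        print("loose:", f)
    print("tight:", tight_findings() or "no findings")
```

Run it as-is and the first pair reports that deviceB has no usable entry for "deviceA" (the FQDN does not match the name A sends) and that A's entry for deviceB has both wildcards; the tightened pair reports nothing.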
----- Original Message -----
From: Seosamh D. Ó Riordáin <soriordain at asitatech.com>
To: yann.foissac <yann.foissac at prostgrandprix.fr>
Cc: <pptp-server at lists.schulte.org>
Sent: Friday, January 14, 2000 8:23 AM
Subject: [pptp-server] Re: Hi, I'm in trouble with the same config as you


> Hi Yann,
>
> I didn't manage to get the pptp-linux-1.0.2 client talking to
> PoPToP 1.0.0, (as yet), - it needs to be looked at further,
> and I may get time to do this in the next couple of weeks.
> It doesn't appear that anyone on the list has got this negotiating
> 40(or 128) bit MPPE to the PoPToP server. I've seen other
> messages asking about this also but they went unanswered.
> Microsoft clients(NT/W9[5|8]) do connect with 40(or 128) bit
> MPPE alright. This appears to be a negotiation problem between
> the linux client side and PoPToP, ie in PPPD. Logs show different
> messages being exchanged than when negotiating with the
> Microsoft clients.
>
> The pptp-linux client does connect to PPTP successfully, if
> you ensure the /etc/ppp/chap-secrets on both machines are
> similar, the options file and the pptp command are like the ones
> I had in my last mail to the list. However, with this setup, it will
> connect with MSCHAP-V2(seen in the log on the pptp server)
> but there will be no encryption.
> I'll let you know if I make any progress (when I get time) on the
> linux client side.
>
> Regards,
> Seosamh
>
> -----Original Message-----
> From: yann.foissac <yann.foissac at prostgrandprix.fr>
> To: soriordain at asitatech.com <soriordain at asitatech.com>
> Date: Friday, January 14, 2000 11:45 AM
> Subject: Hi, I'm in trouble with the same config as you
>
>
> I have a pptp linux client 1.0.2 and I want to connect on a PoPToP
> server
> Could you help me ?
> I just want to understand the chap-secret file and option file
>
> thanks
>
>
>
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulte.org!
>