Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link

From: Joe Astorino <jastorino_at_ipexpert.com>
Date: Fri, 7 May 2010 13:17:22 -0400

Yep -- You can't run encryption (MPPE) without MS-CHAP...

On Fri, May 7, 2010 at 12:25 PM, Roy Waterman <roy.waterman_at_gmail.com> wrote:
> Hi Abiola
>
> The problem here (if nothing else) is that you are using the wrong
> authentication type.
> You need to use: ppp authentication ms-chap.
>
> This is a requirement for ppp encrypt mppe, and is mentioned as such in the
> usage guidelines in the command ref:
>
> http://www.cisco.com/en/US/docs/ios/dial/command/reference/dia_p1.html#wp1014364
>
> On 7 May 2010 17:07, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
>>
>> R1
>>
>>
>> interface Serial0/0
>> ip address 10.1.1.1 255.255.255.0
>> encapsulation ppp
>> clock rate 2000000
>> ppp reliable-link
>> ppp encrypt mppe auto
>> ppp authentication chap
>> ppp chap hostname R1
>>
>>
>> R2
>> interface Serial0/0
>> ip address 10.1.1.2 255.255.255.0
>> encapsulation ppp
>> clock rate 2000000
>> ppp reliable-link
>> ppp encrypt mppe auto
>> ppp authentication chap
>> ppp chap hostname R2
>>
>>
>> --- On Fri, 5/7/10, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>> From: Joe Astorino <jastorino_at_ipexpert.com>
>> Subject: Re: MPPE - (Microsoft PPP Encryption) with PPP reliable link
>> To: "Abiola Jewoola" <biola_y2k_at_yahoo.com>
>> Cc: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com"
>> <ccielab_at_groupstudy.com>, "Nathan Richie" <nathanr_at_boice.net>
>> Date: Friday, May 7, 2010, 7:49 AM
>>
>> I have tested ppp reliable-link with PAP, CHAP, EAP, MS-CHAP, and
>> MS-CHAP-v2. As usual, it appears the only thing broken is the one
>> coming from MS : ) lol ... I believe this to be your problem -- it
>> has nothing to do with MPPE; it has to do with the fact that the
>> authentication using MS-CHAP + ppp reliable-link appears to not work
>> at all (running 12.4.24T1).
>>
>> On Fri, May 7, 2010 at 10:35 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>> > Following up -- I don't believe this is an issue with MPPE. I believe
>> > the issue you are seeing is a problem with PPP reliable-link working
>> > with MS-CHAP. Even after removing the encryption portion, ppp
>> > reliable-link will not work in conjunction with MS-CHAP, at least in
>> > my lab testing.
>> >
>> > See the debug ppp negotiation below. The debug is the same with or
>> > without MPPE configured. In either case, authentication does not
>> > happen and after 10 timeouts line protocol will go down. Without
>> > reliable-link it authenticates immediately.
>> > If anybody else out there has another explanation for this behavior
>> > I'd sure be interested!
>> >
>> > *Apr 7 07:22:07.832: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state to up
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
>> > *Apr 7 07:22:07.832: Se0/2/0 LCP LCP: Missed a Link-Up transition, starting PPP
>> > *Apr 7 07:22:07.832: Se0/2/0 PPP: Using default call direction
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Treating connection as a dedicated line
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Session handle[10000129] Session id[486]
>> > *Apr 7 07:22:07.836: Se0/2/0 PPP: Phase is ESTABLISHING, Active Open
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFREQ [Closed] id 5 len 14
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFACK [REQsent] id 24 len 19
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: I CONFACK [ACKsent] id 5 len 14
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
>> > *Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
>> > *Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
>> > *Apr 7 07:22:13.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:22:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
>> > *Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
>> > *Apr 7 07:22:36.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/2/0, changed state to up
>> > *Apr 7 07:22:37.876: Se0/2/0 AUTH: Timeout 3
>> > *Apr 7 07:22:47.892: Se0/2/0 AUTH: Timeout 4
>> > *Apr 7 07:22:57.908: Se0/2/0 AUTH: Timeout 5
>> > *Apr 7 07:23:07.924: Se0/2/0 AUTH: Timeout 6
>> > *Apr 7 07:23:14.488: Se0/2/0 PPP: Outbound cdp packet dropped
>> > *Apr 7 07:23:17.940: Se0/2/0 AUTH: Timeout 7
>> > *Apr 7 07:23:27.955: Se0/2/0 AUTH: Timeout 8
>> > *Apr 7 07:23:37.971: Se0/2/0 AUTH: Timeout 9
>> > *Apr 7 07:23:47.987: Se0/2/0 AUTH: Timeout 10
>> > *Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
>> > *Apr 7 07:23:58.003: Se0/2/0 PPP: Sending Acct Event[Down] id[1E6]
>> > *Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
>> >
>> >
>> >
>> > On Fri, May 7, 2010 at 10:16 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>> >> Check out this section from RFC 3078:
>> >>
>> >> 7.2. Stateful Mode Key Changes
>> >>
>> >> If stateful encryption has been negotiated, the sender MUST change
>> >> its key before encrypting and transmitting any packet in which the
>> >> low order octet of the coherency count equals 0xFF (the "flag"
>> >> packet), and the receiver MUST change its key after receiving, but
>> >> before decrypting, a "flag" packet (see "Synchronization", below).
>> >>
>> >>
>> >> Section 3
>> >>
>> >> MPPE MAY be used over a reliable link, as described in "PPP
>> >> Reliable Transmission" [6], but this typically just adds unnecessary
>> >> overhead since only the coherency count is required.
>> >>
>> >> Why it is NOT working for you is anybody's guess.
>> >>
>> >>
>> >>
>> >>
>> >> On Fri, May 7, 2010 at 6:46 AM, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
>> >>> Hi Guys,
>> >>> Can someone please explain the following:
>> >>>
>> >>> 1. Some of the options in using the "ppp mppe encrypt" command such as
>> >>> stateful, required and passive.
>> >>>
>> >>> 2. Also, how can I use this feature with PPP reliable link?
>> >>>
>> >>> 3. I'm presently doing a demo on GNS3. I have two point-to-point links set up
>> >>> using PPP CHAP authentication. I enabled MPPE encrypt auto on both sides of the
>> >>> link, then enabled PPP reliable link on both sides. Everything looks fine
>> >>> initially, but after a while the line protocol went down.
>> >>>
>> >>> When I removed the PPP reliable link on one of the links the line protocol
>> >>> came up. I don't understand why.
>> >>>
>> >>> Can someone please explain?
>> >>>
>> >>> Regards,
>> >>> Abiola
>> >>>
>> >>> --- On Thu, 5/6/10, Nathan Richie <nathanr_at_boice.net> wrote:
>> >>>
>> >>> From: Nathan Richie <nathanr_at_boice.net>
>> >>> Subject: RE: MPPE - (Microsoft PPP Encryption) - anyone know how to implement this on a serial link?
>> >>> To: "Beefmo" <groupstudy_at_nyms.net>, "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> >>> Date: Thursday, May 6, 2010, 5:42 AM
>> >>>
>> >>> Beefmo,
>> >>>
>> >>> You can run PPP MPPE on serial interfaces. However, the trick to it is that
>> >>> you must use MS-CHAP authentication (makes sense since it was designed to
>> >>> terminate Microsoft VPN tunnels). Since this is encryption, I would recommend
>> >>> that you get your authentication working first on the PPP link and then enable
>> >>> MPPE. Certain things have to match on both ends such as strength (options are
>> >>> 40 & 128) and whether encryption is required or not. Note that there are some
>> >>> options such as auto for the key strength that you can use as well. I would
>> >>> recommend that you look at the various settings for the command and then test
>> >>> them out in a lab so you understand what settings work and what settings do
>> >>> not work. The good news is that it is only 1 command :)
>> >>>
>> >>> HTH,
>> >>>
>> >>> Nathan
>> >>>
>> >>> -----Original Message-----
>> >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Beefmo
>> >>> Sent: Thursday, May 06, 2010 6:17 AM
>> >>> To: ccielab_at_groupstudy.com
>> >>> Subject: MPPE - (Microsoft PPP Encryption) - anyone know how to implement this on a serial link?
>> >>>
>> >>> Can anyone explain to me or point me to a link that shows how we'd implement
>> >>> MPPE? (haha, everyone's like "wtf is mppe?")
>> >>>
>> >>> What I do know is that it's Microsoft Point-to-Point Encryption and is
>> >>> supported by Cisco as a means of encrypting PPP or PPTP. This is where I get
>> >>> lost: is it just another authentication method negotiated at LCP? Or is it
>> >>> only valid inside a PPTP tunnel?
>> >>>
>> >>> What I can find of it on the Cisco site seems divided between using it with
>> >>> PPP and using it with PPTP. It seems to be more of a tech to use in a
>> >>> client/server VPN situation, but I'd like to know how we can run it across a
>> >>> serial link between two Cisco devices. I guess my understanding of PPTP is
>> >>> lacking too. Any security guys help me out here?
>> >>> Thanks in advance!
>> >>>
>> >>>
>> >>> Blogs and organic groups at http://www.ccie.net
>> >>>
>> >>>
>> >>> _______________________________________________________________________
>> >>> Subscription information may be found at:
>> >>> http://www.groupstudy.com/list/CCIELab.html
>> >>>
>> >
>>
>
> --
> Regards
> Roy
>

-- 
Regards,
Joe Astorino - CCIE #24347
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on
Demand, Audio Tools, Online Hardware Rental and Classroom Training for
the Cisco CCIE (R&S, Voice, Security & Service Provider)
certification(s) with training locations throughout the United States,
Europe, South Asia and Australia. Be sure to visit our online
communities at www.ipexpert.com/communities and our public website at
www.ipexpert.com
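Added example (editor's code, not from any poster in this thread and not Cisco's): a Python script that decodes the LCP option bytes IOS prints in parentheses in Joe's debug ppp negotiation output (0x0305C22380 is Authentication-Protocol, CHAP with algorithm octet 0x80 = MS-CHAP; 0x0B040701 is the RFC 1663 Numbered-Mode option behind "ReliableLink window 7 addr 1"), reports whether the AUTHENTICATING phase ever reached UP or only accumulated AUTH timeouts before TERMINATING, and checks an interface stanza for the mismatch Roy points out (ppp encrypt mppe with plain chap). The sample debug lines are the thread's own, abridged. Two things here are this example's assumptions rather than statements from the thread: that IOS logs "Phase is UP" once authentication succeeds, and that ms-chap-v2 is accepted alongside ms-chap as an MPPE authentication method.

```python
"""Added example: decode the LCP options IOS prints in `debug ppp negotiation`,
summarise whether authentication completed, and check an interface stanza."""
import re

# LCP option types (RFC 1661); type 11 is Numbered-Mode from RFC 1663
# (PPP Reliable Transmission), which IOS prints as "ReliableLink".
LCP_OPTION_NAMES = {0x01: "Maximum-Receive-Unit", 0x03: "Authentication-Protocol",
                    0x05: "Magic-Number", 0x0B: "Numbered-Mode"}
# PPP protocol numbers for authentication, and the CHAP algorithm octet:
# 0x05 MD5 (RFC 1994), 0x80 MS-CHAP (RFC 2433), 0x81 MS-CHAP-v2 (RFC 2759).
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
CHAP_ALGORITHMS = {0x05: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAP-v2"}


def decode_lcp_option(hexstr):
    """Decode one LCP option TLV as IOS prints it, e.g. '0x0305C22380'."""
    data = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    if len(data) < 2 or data[1] != len(data):  # length octet covers the whole TLV
        raise ValueError(f"malformed LCP option {hexstr}")
    opt_type, payload = data[0], data[2:]
    name = LCP_OPTION_NAMES.get(opt_type, f"Unknown-{opt_type}")
    if opt_type == 0x03:  # Authentication-Protocol: 2-octet protocol, then data
        proto = int.from_bytes(payload[:2], "big")
        desc = AUTH_PROTOCOLS.get(proto, f"0x{proto:04X}")
        if proto == 0xC223 and len(payload) >= 3:  # CHAP carries an algorithm octet
            desc += " " + CHAP_ALGORITHMS.get(payload[2], f"algorithm 0x{payload[2]:02X}")
        return name, desc
    if opt_type == 0x05:  # Magic-Number: 4 octets
        return name, f"0x{int.from_bytes(payload, 'big'):08X}"
    if opt_type == 0x0B:  # Numbered-Mode: Window octet, Address octet (RFC 1663)
        return name, f"window {payload[0]} addr {payload[1]}"
    return name, payload.hex()


# Debug lines quoted from the thread (abridged: Timeout 3 through 10 omitted).
SAMPLE_DEBUG = """\
*Apr 7 07:22:07.832: Se0/2/0 LCP: I CONFREQ [Closed] id 24 len 19
*Apr 7 07:22:07.832: Se0/2/0 LCP: AuthProto MS-CHAP (0x0305C22380)
*Apr 7 07:22:07.832: Se0/2/0 LCP: MagicNumber 0x1BF39EAE (0x05061BF39EAE)
*Apr 7 07:22:07.832: Se0/2/0 LCP: ReliableLink window 7 addr 1 (0x0B040701)
*Apr 7 07:22:07.836: Se0/2/0 PPP: Phase is ESTABLISHING, Active Open
*Apr 7 07:22:07.836: Se0/2/0 LCP: O CONFREQ [Closed] id 5 len 14
*Apr 7 07:22:07.836: Se0/2/0 LCP: MagicNumber 0x1CDFE5D5 (0x05061CDFE5D5)
*Apr 7 07:22:07.836: Se0/2/0 LCP: ReliableLink window 7 addr 3 (0x0B040703)
*Apr 7 07:22:07.836: Se0/2/0 LCP: State is Open
*Apr 7 07:22:07.840: Se0/2/0 PPP: Phase is AUTHENTICATING, by the peer
*Apr 7 07:22:17.844: Se0/2/0 AUTH: Timeout 1
*Apr 7 07:22:27.860: Se0/2/0 AUTH: Timeout 2
*Apr 7 07:23:58.003: Se0/2/0 AUTH: Timeout 11
*Apr 7 07:23:58.003: Se0/2/0 PPP: Phase is TERMINATING
"""
OPTION_RE = re.compile(r" LCP: .*\((0x[0-9A-Fa-f]+)\)\s*$")
TIMEOUT_RE = re.compile(r" AUTH: Timeout (\d+)")
PHASE_RE = re.compile(r" PPP: Phase is (\w+)")


def analyse_negotiation(text):
    """Summarise the negotiated options and whether authentication completed."""
    s = {"auth_protocol": None, "reliable_link": None, "auth_timeouts": 0, "phases": []}
    for line in text.splitlines():
        if m := OPTION_RE.search(line):
            name, desc = decode_lcp_option(m.group(1))
            if name == "Authentication-Protocol":
                s["auth_protocol"] = desc
            elif name == "Numbered-Mode" and s["reliable_link"] is None:
                s["reliable_link"] = desc  # the peer's Numbered-Mode request comes first
        elif m := TIMEOUT_RE.search(line):
            s["auth_timeouts"] = max(s["auth_timeouts"], int(m.group(1)))
        elif m := PHASE_RE.search(line):
            s["phases"].append(m.group(1))
    # Assumption: IOS logs "Phase is UP" once authentication and the NCPs succeed, so
    # AUTHENTICATING followed by TERMINATING after repeated timeouts means it never did.
    s["authenticated"] = "UP" in s["phases"]
    s["last_phase"] = s["phases"][-1] if s["phases"] else None
    return s


def check_interface_config(lines):
    """Flag an IOS interface stanza whose MPPE setting cannot work as written."""
    cmds = [line.strip() for line in lines]
    wants_mppe = any(c.startswith("ppp encrypt mppe") for c in cmds)
    methods = set()
    for c in cmds:
        if c.startswith("ppp authentication"):
            methods.update(c.split()[2:])
    findings = []
    # Assumption: ms-chap-v2 is accepted here too, since it also yields MPPE keys.
    if wants_mppe and not methods & {"ms-chap", "ms-chap-v2"}:
        findings.append("ppp encrypt mppe requires ppp authentication ms-chap; found: "
                        + (" ".join(sorted(methods)) or "none"))
    if wants_mppe and "ppp reliable-link" in cmds:
        findings.append("ppp reliable-link with MPPE: RFC 3078 section 3 calls it "
                        "unnecessary overhead, and the thread saw MS-CHAP time out over it")
    return findings


# R1 stanza from the thread: plain CHAP instead of MS-CHAP, plus reliable-link.
R1_CONFIG = ["interface Serial0/0", "ip address 10.1.1.1 255.255.255.0",
             "encapsulation ppp", "ppp reliable-link", "ppp encrypt mppe auto",
             "ppp authentication chap", "ppp chap hostname R1"]
```

Run analyse_negotiation(SAMPLE_DEBUG) and check_interface_config(R1_CONFIG) from a Python prompt: the first reports auth_protocol "CHAP MS-CHAP", reliable_link "window 7 addr 1", eleven timeouts and last_phase TERMINATING with authenticated False, which is exactly the symptom Joe describes; the second returns two findings for Abiola's R1 stanza and none once the authentication line reads ms-chap and reliable-link is gone. The length check in decode_lcp_option matters when feeding it anything other than IOS's own hex dumps: a TLV whose length octet disagrees with the bytes present is rejected rather than silently misparsed.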
Received on Fri May 07 2010 - 13:17:22 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART